This closes #2328, correct Agile EncryptedPackage 4096-byte chunk boundary handling during decryption (#2329)

- Fix an issue where workbooks protected by ECMA-376 agile encryption with SHA512 hash algorithm failed to open in some cases
- Add a test workbook with the SHA512 hash algorithm
- Updated unit tests

Author: WaterRRabbit

crypt.go

@@ -510,7 +510,13 @@ func decrypt(key, iv, input []byte) (packageKey []byte, err error) {
 // decryptPackage decrypt package by given packageKey and encryption
 // info.
 func decryptPackage(packageKey, input []byte, encryption Encryption) (outputChunks []byte, err error) {
-	encryptedKey, offset := encryption.KeyData, packageOffset
+	encryptedKey := encryption.KeyData
+	if len(input) < packageOffset {
+		err = ErrWorkbookFileFormat
+		return
+	}
+	packageSize := binary.LittleEndian.Uint64(input[:packageOffset])
+	input = input[packageOffset:]
 	var i, start, end int
 	var iv, outputChunk []byte
 	for end < len(input) {
@@ -521,12 +527,7 @@ func decryptPackage(packageKey, input []byte, encryption Encryption) (outputChun
 			end = len(input)
 		}
 		// Grab the next chunk
-		var inputChunk []byte
-		if (end + offset) < len(input) {
-			inputChunk = input[start+offset : end+offset]
-		} else {
-			inputChunk = input[start+offset : end]
-		}
+		inputChunk := input[start:end]
 
 		// Pad the chunk if it is not an integer multiple of the block size
 		remainder := len(inputChunk) % encryptedKey.BlockSize
@@ -546,6 +547,9 @@ func decryptPackage(packageKey, input []byte, encryption Encryption) (outputChun
 		outputChunks = append(outputChunks, outputChunk...)
 		i++
 	}
+	if uint64(len(outputChunks)) > packageSize {
+		outputChunks = outputChunks[:int(packageSize)]
+	}
 	return
 }
 

crypt_test.go

@@ -35,6 +35,12 @@ func TestEncrypt(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "SECRET", cell)
 	assert.NoError(t, f.Close())
+	f, err = OpenFile(filepath.Join("test", "encryptSHA512.xlsx"), Options{Password: "password"})
+	assert.NoError(t, err)
+	cell, err = f.GetCellValue("Sheet1", "A1")
+	assert.NoError(t, err)
+	assert.Equal(t, "SECRET", cell)
+	assert.NoError(t, f.Close())
 	// Test decrypt spreadsheet with unsupported encrypt mechanism
 	raw, err := os.ReadFile(filepath.Join("test", "encryptAES.xlsx"))
 	assert.NoError(t, err)
@@ -138,6 +144,8 @@ func TestEncrypt(t *testing.T) {
 		},
 	})
 	assert.Error(t, err)
+	_, err = decryptPackage(make([]byte, 32), input[:packageOffset-1], Encryption{})
+	assert.Equal(t, ErrWorkbookFileFormat, err)
 	// Test put with path that is a prefix of name
 	compoundFile = &cfb{
 		paths:   []string{"Root Entry/"},