Streaming decryption for CDoc1

metsma · metsma · commit 02eaa16629d7 · 2025-11-13T13:59:09.000+02:00
Signed-off-by: Raul Metsma &lt;raul@metsma.ee&gt;
diff --git a/cdoc/CDoc1Reader.cpp b/cdoc/CDoc1Reader.cpp
@@ -384,6 +384,7 @@ result_t CDoc1Reader::decryptData(const std::vector<uint8_t>& fmk, std::string&
         return result;
     }
 
+    std::vector<unsigned char> b64;
     XMLReader reader(d->dsrc, false);
     int skipKeyInfo = 0;
     while (reader.read()) {
@@ -397,26 +398,30 @@ result_t CDoc1Reader::decryptData(const std::vector<uint8_t>& fmk, std::string&
         // EncryptedData/CipherData/CipherValue
         else if(reader.isElement("CipherValue"))
         {
-            data = libcdoc::Crypto::decrypt(d->method, fmk, reader.readBase64());
+            b64 = reader.readBase64();
             break;
         }
     }
 
-    if(data.empty()) {
+    if(b64.empty()) {
+        setLastError("Failed to decode base64 data");
+        return libcdoc::IO_ERROR;
+    }
+    VectorSource src(b64);
+    libcdoc::DecryptionSource dec(src, d->method, fmk);
+    if(dec.isError()) {
         setLastError("Failed to decrypt data, verify if FMK is correct");
-        return libcdoc::CRYPTO_ERROR;
+        return CRYPTO_ERROR;
     }
+    libcdoc::VectorConsumer out(data);
     setLastError({});
     if (d->mime == MIME_ZLIB) {
-        libcdoc::VectorSource vsrc(data);
-        libcdoc::ZSource zsrc(&vsrc);
-        std::vector<uint8_t> tmp;
-        libcdoc::VectorConsumer vcons(tmp);
-        vcons.writeAll(zsrc);
-        data = std::move(tmp);
+        libcdoc::ZSource zsrc(&dec);
+        out.writeAll(zsrc);
         mime = d->properties["OriginalMimeType"];
     }
     else
         mime = d->mime;
-    return libcdoc::OK;
+    out.writeAll(dec);
+    return dec.close();
 }
diff --git a/cdoc/Crypto.cpp b/cdoc/Crypto.cpp
@@ -141,61 +141,43 @@ const EVP_CIPHER *Crypto::cipher(const std::string &algo)
 std::vector<uint8_t> Crypto::concatKDF(const std::string &hashAlg, uint32_t keyDataLen,
 	const std::vector<uint8_t> &z, const std::vector<uint8_t> &otherInfo)
 {
-	std::vector<uint8_t> key;
-	uint32_t hashLen = SHA384_DIGEST_LENGTH;
-	if(hashAlg == SHA256_MTH) hashLen = SHA256_DIGEST_LENGTH;
-	else if(hashAlg == SHA384_MTH) hashLen = SHA384_DIGEST_LENGTH;
-	else if(hashAlg == SHA512_MTH) hashLen = SHA512_DIGEST_LENGTH;
-	else return key;
-
-	SHA256_CTX sha256;
-	SHA512_CTX sha512;
-    std::vector<uint8_t> hash(hashLen, 0);
-    uint8_t intToFourBytes[4];
+    std::vector<uint8_t> key;
+    const EVP_MD *md {};
+    if(hashAlg == SHA256_MTH) md = EVP_sha256();
+    else if(hashAlg == SHA384_MTH) md = EVP_sha384();
+    else if(hashAlg == SHA512_MTH) md = EVP_sha512();
+    else {
+        LOG_WARN("Usnupported hash algo {}", hashAlg);
+        return key;
+    }
 
+    uint32_t hashLen = EVP_MD_get_size(md);
     uint32_t reps = keyDataLen / hashLen;
     if (keyDataLen % hashLen > 0)
         reps++;
 
-	for(uint32_t i = 1; i <= reps; i++)
-	{
-		intToFourBytes[0] = uint8_t(i >> 24);
-		intToFourBytes[1] = uint8_t(i >> 16);
-		intToFourBytes[2] = uint8_t(i >> 8);
-		intToFourBytes[3] = uint8_t(i >> 0);
-		switch(hashLen)
-		{
-		case SHA256_DIGEST_LENGTH:
-            if (SSL_FAILED(SHA256_Init(&sha256), "SHA256_Init") ||
-                SSL_FAILED(SHA256_Update(&sha256, intToFourBytes, 4), "SHA256_Update") ||
-                SSL_FAILED(SHA256_Update(&sha256, z.data(), z.size()), "SHA256_Update") ||
-                SSL_FAILED(SHA256_Update(&sha256, otherInfo.data(), otherInfo.size()), "SHA256_Update") ||
-                SSL_FAILED(SHA256_Final(hash.data(), &sha256), "SHA256_Final"))
-                return {};
-			break;
-		case SHA384_DIGEST_LENGTH:
-            if (SSL_FAILED(SHA384_Init(&sha512), "SHA384_Init") ||
-                SSL_FAILED(SHA384_Update(&sha512, intToFourBytes, 4), "SHA384_Update") ||
-                SSL_FAILED(SHA384_Update(&sha512, z.data(), z.size()), "SHA384_Update") ||
-                SSL_FAILED(SHA384_Update(&sha512, otherInfo.data(), otherInfo.size()), "SHA384_Update") ||
-                SSL_FAILED(SHA384_Final(hash.data(), &sha512), "SHA384_Final"))
-                return {};
-			break;
-		case SHA512_DIGEST_LENGTH:
-            if (SSL_FAILED(SHA512_Init(&sha512), "SHA512_Init") ||
-                SSL_FAILED(SHA512_Update(&sha512, intToFourBytes, 4), "SHA512_Update") ||
-                SSL_FAILED(SHA512_Update(&sha512, otherInfo.data(), otherInfo.size()), "SHA512_Update") ||
-                SSL_FAILED(SHA512_Final(hash.data(), &sha512), "SHA512_Update"))
-                return {};
-			break;
-        default:
-            LOG_WARN("Usnupported hash length {}", hashLen);
-            return key;
-		}
-		key.insert(key.cend(), hash.cbegin(), hash.cend());
-	}
-	key.resize(size_t(keyDataLen));
-	return key;
+    auto ctx = make_unique_ptr<EVP_MD_CTX_free>(EVP_MD_CTX_new());
+    if(!ctx)
+    {
+        LOG_SSL_ERROR("EVP_MD_CTX_new");
+        return key;
+    }
+
+    std::vector<uint8_t> hash(hashLen, 0);
+    for(uint32_t i = 1; i <= reps; i++)
+    {
+        uint8_t intToFourBytes[4] { uint8_t(i >> 24), uint8_t(i >> 16), uint8_t(i >> 8), uint8_t(i >> 0) };
+        unsigned int size = hashLen;
+        if (SSL_FAILED(EVP_DigestInit(ctx.get(), md), "EVP_DigestInit") ||
+            SSL_FAILED(EVP_DigestUpdate(ctx.get(), intToFourBytes, 4), "EVP_DigestUpdate") ||
+            SSL_FAILED(EVP_DigestUpdate(ctx.get(), z.data(), z.size()), "EVP_DigestUpdate") ||
+            SSL_FAILED(EVP_DigestUpdate(ctx.get(), otherInfo.data(), otherInfo.size()), "EVP_DigestUpdate") ||
+            SSL_FAILED(EVP_DigestFinal(ctx.get(), hash.data(), &size), "EVP_DigestFinal"))
+            return {};
+        key.insert(key.cend(), hash.cbegin(), hash.cend());
+    }
+    key.resize(size_t(keyDataLen));
+    return key;
 }
 
 std::vector<uint8_t> Crypto::concatKDF(const std::string &hashAlg, uint32_t keyDataLen, const std::vector<uint8_t> &z,
@@ -234,56 +216,6 @@ Crypto::encrypt(EVP_PKEY *pub, int padding, const std::vector<uint8_t> &data)
 	return result;
 }
 
-std::vector<uint8_t> Crypto::decrypt(const std::string &method, const std::vector<uint8_t> &key, const std::vector<uint8_t> &data)
-{
-	const EVP_CIPHER *cipher = Crypto::cipher(method);
-	size_t dataSize = data.size();
-	std::vector<uint8_t> iv(data.cbegin(), data.cbegin() + EVP_CIPHER_iv_length(cipher));
-    if(dataSize < iv.size())
-        return {};
-	dataSize -= iv.size();
-
-    LOG_TRACE_KEY("iv {}", iv);
-    LOG_TRACE_KEY("transport {}", key);
-
-    auto ctx = make_unique_ptr<EVP_CIPHER_CTX_free>(EVP_CIPHER_CTX_new());
-    if (!ctx)
-    {
-        LOG_SSL_ERROR("EVP_CIPHER_CTX_new");
-        return {};
-    }
-
-    if (SSL_FAILED(EVP_CipherInit(ctx.get(), cipher, key.data(), iv.data(), 0), "EVP_CipherInit"))
-    {
-        return {};
-    }
-
-	if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE)
-	{
-		std::vector<uint8_t> tag(data.cend() - 16, data.cend());
-        if(dataSize < tag.size())
-            return {};
-        EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, int(tag.size()), tag.data());
-		dataSize -= tag.size();
-        LOG_DBG("GCM TAG {}", toHex(tag));
-	}
-
-	int size = 0;
-	std::vector<uint8_t> result(dataSize + size_t(EVP_CIPHER_CTX_block_size(ctx.get())), 0);
-    if (SSL_FAILED(EVP_CipherUpdate(ctx.get(), result.data(), &size, &data[iv.size()], int(dataSize)), "EVP_CipherUpdate"))
-    {
-        return {};
-    }
-
-	int size2 = 0;
-    if (SSL_FAILED(EVP_CipherFinal(ctx.get(), result.data() + size, &size2), "EVP_CipherFinal"))
-    {
-        return {};
-    }
-	result.resize(size_t(size + size2));
-	return result;
-}
-
 std::vector<uint8_t> Crypto::decodeBase64(const uint8_t *data)
 {
 	std::vector<uint8_t> result;
@@ -608,14 +540,109 @@ EncryptionConsumer::close()
         if(SSL_FAILED(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, int(tag.size()), tag.data()), "EVP_CIPHER_CTX_ctrl"))
             return CRYPTO_ERROR;
         LOG_DBG("tag: {}", toHex(tag));
-        return dst.write(tag.data(), tag.size());
+        if (dst.write(tag.data(), tag.size()) != tag.size())
+            return IO_ERROR;
     }
-    if(EVP_CIPHER_CTX_flags(ctx.get()) & EVP_CIPH_FLAG_AEAD_CIPHER)
+    else if(EVP_CIPHER_CTX_flags(ctx.get()) & EVP_CIPH_FLAG_AEAD_CIPHER)
     {
         if(SSL_FAILED(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_GET_TAG, int(tag.size()), tag.data()), "EVP_CIPHER_CTX_ctrl"))
             return CRYPTO_ERROR;
         LOG_DBG("tag: {}", toHex(tag));
-        return dst.write(tag.data(), tag.size());
+        if (dst.write(tag.data(), tag.size()) != tag.size())
+            return IO_ERROR;
+    }
+    return OK;
+}
+
+DecryptionSource::DecryptionSource(DataSource &src, const std::string &method, const std::vector<unsigned char> &key)
+    : DecryptionSource(src, Crypto::cipher(method), key)
+{}
+
+DecryptionSource::DecryptionSource(DataSource &src, const EVP_CIPHER *cipher, const std::vector<unsigned char> &key)
+    : ctx{EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free}
+    , src(src)
+{
+    EVP_CIPHER_CTX_set_flags(ctx.get(), EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+    int ivLen = EVP_CIPHER_iv_length(cipher);
+    std::vector<unsigned char> iv(ivLen, 0);
+    if(auto rv = src.read(iv.data(), ivLen); size_t(rv) != iv.size())
+        error = rv < 0 ? rv : IO_ERROR;
+    else if(SSL_FAILED(EVP_CipherInit_ex(ctx.get(), cipher, nullptr, key.data(), iv.data(), 0), "EVP_CipherInit_ex"))
+        error = CRYPTO_ERROR;
+    else if(auto rv = src.read(tag.data(), tag.size()); size_t(rv) != tag.size())
+        error = rv < 0 ? rv : IO_ERROR;
+}
+
+result_t DecryptionSource::readAAD(const std::vector<uint8_t> &data)
+{
+    if (error != OK)
+        return error;
+    int len = 0;
+    if(SSL_FAILED(EVP_CipherUpdate(ctx.get(), nullptr, &len, data.data(), int(data.size())), "EVP_CipherUpdate"))
+        return CRYPTO_ERROR;
+    return OK;
+}
+
+result_t DecryptionSource::read(unsigned char *dst, size_t size)
+{
+    if (error != OK)
+        return error;
+    if (!dst || size == 0)
+        return OK;
+    if(size < tag.size())
+        return INPUT_STREAM_ERROR;
+
+    auto r = src.read(dst + tag.size(), size - tag.size());
+    if (r <= 0) {
+        return r;
+    }
+    auto nread = static_cast<size_t>(r);
+
+    std::copy(tag.begin(), tag.end(), dst);
+
+    if (nread < size - tag.size()) {
+        std::copy_n(std::next(dst, nread), tag.size(), tag.begin());
+        size = nread;
+    } else if (auto r = src.read(tag.data(), tag.size()); r < 0) {
+        return r;
+    } else if (auto tagSize = static_cast<size_t>(r); tagSize < tag.size()) {
+        std::move_backward(tag.begin(), std::next(tag.begin(), tagSize), tag.end());
+        size_t more = tag.size() - tagSize;
+        std::copy_n(std::next(dst, size - more), more, tag.data());
+        size -= more;
+    }
+
+    if (int out = 0;
+        SSL_FAILED(EVP_CipherUpdate(ctx.get(), dst, &out, dst, size), "EVP_CipherUpdate") ||
+        size != out) {
+        return error = CRYPTO_ERROR;
+    }
+    return size;
+}
+
+result_t DecryptionSource::close()
+{
+    if (error != OK)
+        return error;
+
+    if (EVP_CIPHER_CTX_mode(ctx.get()) == EVP_CIPH_GCM_MODE) {
+        LOG_DBG("tag: {}", toHex(tag));
+        if (SSL_FAILED(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, int(tag.size()), (void*)tag.data()), "EVP_CIPHER_CTX_ctrl")) {
+            return error = CRYPTO_ERROR;
+        }
+    }
+    else if(EVP_CIPHER_CTX_flags(ctx.get()) & EVP_CIPH_FLAG_AEAD_CIPHER)
+    {
+        LOG_DBG("tag: {}", toHex(tag));
+        if (SSL_FAILED(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_TAG, int(tag.size()), (void*)tag.data()), "EVP_CIPHER_CTX_ctrl")) {
+            return error = CRYPTO_ERROR;
+        }
+    }
+
+    int len = 0;
+    std::vector<uint8_t> buffer(EVP_CIPHER_CTX_block_size(ctx.get()), 0);
+    if (SSL_FAILED(EVP_CipherFinal_ex(ctx.get(), buffer.data(), &len), "EVP_CipherFinal_ex")) {
+        return error = CRYPTO_ERROR;
     }
     return OK;
 }
diff --git a/cdoc/Crypto.h b/cdoc/Crypto.h
@@ -22,6 +22,8 @@
 
 #include "utils/memory.h"
 
+#include <array>
+
 using EVP_CIPHER_CTX = struct evp_cipher_ctx_st;
 using EVP_CIPHER = struct evp_cipher_st;
 using EVP_PKEY = struct evp_pkey_st;
@@ -81,7 +83,6 @@ class Crypto
 	static std::vector<uint8_t> concatKDF(const std::string &hashAlg, uint32_t keyDataLen, const std::vector<uint8_t> &z, const std::vector<uint8_t> &otherInfo);
 	static std::vector<uint8_t> concatKDF(const std::string &hashAlg, uint32_t keyDataLen, const std::vector<uint8_t> &z,
 		const std::vector<uint8_t> &AlgorithmID, const std::vector<uint8_t> &PartyUInfo, const std::vector<uint8_t> &PartyVInfo);
-	static std::vector<uint8_t> decrypt(const std::string &method, const std::vector<uint8_t> &key, const std::vector<uint8_t> &data);
 	static std::vector<uint8_t> encrypt(EVP_PKEY *pub, int padding, const std::vector<uint8_t> &data);
 	static std::vector<uint8_t> decodeBase64(const uint8_t *data);
 	static std::vector<uint8_t> deriveSharedSecret(EVP_PKEY *pkey, EVP_PKEY *peerPKey);
@@ -129,7 +130,7 @@ struct EncryptionConsumer final : public DataConsumer {
     result_t write(const uint8_t *src, size_t size) final;
     result_t writeAAD(const std::vector<uint8_t> &data);
     result_t close() final;
-    bool isError() final { return error != OK; }
+    bool isError() final { return error != OK || dst.isError(); }
 
 private:
     unique_free_t<EVP_CIPHER_CTX> ctx;
@@ -138,4 +139,22 @@ struct EncryptionConsumer final : public DataConsumer {
     std::vector<uint8_t> buf;
 };
 
+struct DecryptionSource final : public DataSource {
+    DecryptionSource(DataSource &src, const std::string &method, const std::vector<unsigned char> &key);
+    DecryptionSource(DataSource &src, const EVP_CIPHER *cipher, const std::vector<unsigned char> &key);
+    CDOC_DISABLE_MOVE_COPY(DecryptionSource)
+
+    result_t read(unsigned char* dst, size_t size) final;
+    result_t readAAD(const std::vector<uint8_t>& data);
+    result_t close();
+    bool isError() final { return error != OK || src.isError(); }
+    bool isEof() final { return src.isEof(); }
+
+private:
+    unique_free_t<EVP_CIPHER_CTX> ctx;
+    DataSource &src;
+    result_t error = OK;
+    std::array<uint8_t, 16> tag {};
+};
+
 }; // namespace libcdoc
diff --git a/cdoc/Io.h b/cdoc/Io.h
@@ -21,6 +21,7 @@
 
 #include <cdoc/CDoc.h>
 
+#include <algorithm>
 #include <filesystem>
 #include <fstream>
 
@@ -311,7 +312,7 @@ struct CDOC_EXPORT VectorSource : public DataSource {
 
     result_t read(uint8_t *dst, size_t size) override {
 		size = std::min<size_t>(size, _data.size() - _ptr);
-		std::copy(_data.cbegin() + _ptr, _data.cbegin() + _ptr + size, dst);
+		std::copy_n(_data.cbegin() + _ptr, size, dst);
 		_ptr += size;
 		return size;
 	}
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
@@ -1,4 +1,4 @@
-add_executable(unittests libcdoc_boost.cpp ../cdoc/CDocCipher.cpp)
+add_executable(unittests libcdoc_boost.cpp ../cdoc/CDocCipher.cpp ../cdoc/Crypto.cpp)
 target_compile_definitions(unittests PRIVATE DATA_DIR="${CMAKE_CURRENT_SOURCE_DIR}/data")
 target_link_libraries(unittests OpenSSL::SSL cdoc Boost::unit_test_framework)
 
diff --git a/test/libcdoc_boost.cpp b/test/libcdoc_boost.cpp

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-add_executable(unittests libcdoc_boost.cpp ../cdoc/CDocCipher.cpp)`
	`1`	`+add_executable(unittests libcdoc_boost.cpp ../cdoc/CDocCipher.cpp ../cdoc/Crypto.cpp)`
`2`	`2`	`target_compile_definitions(unittests PRIVATE DATA_DIR="${CMAKE_CURRENT_SOURCE_DIR}/data")`
`3`	`3`	`target_link_libraries(unittests OpenSSL::SSL cdoc Boost::unit_test_framework)`
`4`	`4`