Fix AttachmentCipherInputStream so that underlying file is reusable

If the Stream length is shortened to remove the MAC the cipherfile will not be usable again. Instead save the MAC before removing it from the file and add it back on before the Stream is disposed. Also ensure we dispose all Streams correctly.

Author: golf1052

libsignal-service-dotnet-tests/crypto/AttachmentCipherTest.cs

@@ -19,29 +19,68 @@ public void Test_Attachment_EncryptDecrypt()
             byte[] plaintextInput = Encoding.UTF8.GetBytes("Peter Parker");
             EncryptResult encryptResult = EncryptData(plaintextInput, key);
             string cipherFile = WriteToFile(encryptResult.ciphertext);
-            Stream inputStream = AttachmentCipherInputStream.CreateForAttachment(File.Open(cipherFile, FileMode.Open), plaintextInput.Length, key, encryptResult.digest);
+            using Stream inputStream = AttachmentCipherInputStream.CreateForAttachment(File.Open(cipherFile, FileMode.Open), plaintextInput.Length, key, encryptResult.digest);
             byte[] plaintextOutput = ReadInputStreamFully(inputStream);
 
             CollectionAssert.AreEqual(plaintextInput, plaintextOutput);
 
             DeleteFile(cipherFile);
         }
 
+        [TestMethod]
+        public void Test_Attachment_EncryptDecryptMultipleTimes()
+        {
+            // Test that the file passed to AttachmentCipherInputStream can be reused.
+            byte[] key = Util.GetSecretBytes(64);
+            byte[] plaintextInput = Encoding.UTF8.GetBytes("Peter Parker");
+            EncryptResult encryptResult = EncryptData(plaintextInput, key);
+            string cipherFile = WriteToFile(encryptResult.ciphertext);
+
+            for (int i = 0; i < 10; i++)
+            {
+                using Stream inputStream = AttachmentCipherInputStream.CreateForAttachment(File.Open(cipherFile, FileMode.Open), plaintextInput.Length, key, encryptResult.digest);
+                byte[] plaintextOutput = ReadInputStreamFully(inputStream);
+
+                CollectionAssert.AreEqual(plaintextInput, plaintextOutput);
+            }
+
+            DeleteFile(cipherFile);
+        }
+
         [TestMethod]
         public void Test_Attachment_EncryptDecryptEmpty()
         {
             byte[] key = Util.GetSecretBytes(64);
             byte[] plaintextInput = Encoding.UTF8.GetBytes(string.Empty);
             EncryptResult encryptResult = EncryptData(plaintextInput, key);
             string cipherFile = WriteToFile(encryptResult.ciphertext);
-            Stream inputStream = AttachmentCipherInputStream.CreateForAttachment(File.Open(cipherFile, FileMode.Open), plaintextInput.Length, key, encryptResult.digest);
+            using Stream inputStream = AttachmentCipherInputStream.CreateForAttachment(File.Open(cipherFile, FileMode.Open), plaintextInput.Length, key, encryptResult.digest);
             byte[] plaintextOutput = ReadInputStreamFully(inputStream);
 
             CollectionAssert.AreEqual(plaintextInput, plaintextOutput);
 
             DeleteFile(cipherFile);
         }
 
+        [TestMethod]
+        public void Test_Attachment_EncryptDecryptEmptyMultipleTimes()
+        {
+            byte[] key = Util.GetSecretBytes(64);
+            byte[] plaintextInput = Encoding.UTF8.GetBytes(string.Empty);
+            EncryptResult encryptResult = EncryptData(plaintextInput, key);
+            string cipherFile = WriteToFile(encryptResult.ciphertext);
+
+            for (int i = 0; i < 10; i++)
+            {
+                using Stream inputStream = AttachmentCipherInputStream.CreateForAttachment(File.Open(cipherFile, FileMode.Open), plaintextInput.Length, key, encryptResult.digest);
+                byte[] plaintextOutput = ReadInputStreamFully(inputStream);
+
+                CollectionAssert.AreEqual(plaintextInput, plaintextOutput);
+            }
+            
+            DeleteFile(cipherFile);
+        }
+
         [TestMethod]
         public void Test_Attachment_DecryptFailOnBadKey()
         {
@@ -57,7 +96,8 @@ public void Test_Attachment_DecryptFailOnBadKey()
 
                 cipherFile = WriteToFile(encryptResult.ciphertext);
 
-                AttachmentCipherInputStream.CreateForAttachment(File.Open(cipherFile, FileMode.Open), plaintextInput.Length, badKey, encryptResult.digest);
+                using FileStream fileStream = File.Open(cipherFile, FileMode.Open);
+                AttachmentCipherInputStream.CreateForAttachment(fileStream, plaintextInput.Length, badKey, encryptResult.digest);
             }
             catch (InvalidMessageException)
             {
@@ -89,7 +129,8 @@ public void Test_Attachmetn_DecryptFailOnBadDigest()
 
                 cipherFile = WriteToFile(encryptResult.ciphertext);
 
-                AttachmentCipherInputStream.CreateForAttachment(File.Open(cipherFile, FileMode.Open), plaintextInput.Length, key, badDigest);
+                using FileStream fileStream = File.Open(cipherFile, FileMode.Open);
+                AttachmentCipherInputStream.CreateForAttachment(fileStream, plaintextInput.Length, key, badDigest);
             }
             catch (InvalidMessageException)
             {
@@ -120,7 +161,8 @@ public void Test_Attachment_DecryptFailOnNullDigest()
 
                 cipherFile = WriteToFile(encryptResult.ciphertext);
 
-                AttachmentCipherInputStream.CreateForAttachment(File.Open(cipherFile, FileMode.Open), plaintextInput.Length, key, null);
+                using FileStream fileStream = File.Open(cipherFile, FileMode.Open);
+                AttachmentCipherInputStream.CreateForAttachment(fileStream, plaintextInput.Length, key, null);
             }
             catch (InvalidMessageException)
             {
@@ -155,7 +197,8 @@ public void Test_Attachment_DecryptFailOnBadMac()
 
                 cipherFile = WriteToFile(badMacCiphertext);
 
-                AttachmentCipherInputStream.CreateForAttachment(File.Open(cipherFile, FileMode.Open), plaintextInput.Length, key, encryptResult.digest);
+                using FileStream fileStream = File.Open(cipherFile, FileMode.Open);
+                AttachmentCipherInputStream.CreateForAttachment(fileStream, plaintextInput.Length, key, encryptResult.digest);
             }
             catch (InvalidMessageException)
             {
@@ -178,7 +221,7 @@ public void Test_Sticker_EncryptDecrypt()
             byte[] packKey = Util.GetSecretBytes(32);
             byte[] plaintextInput = Encoding.UTF8.GetBytes("Peter Parker");
             EncryptResult encryptResult = EncryptData(plaintextInput, ExpandPackKey(packKey));
-            Stream inputStream = AttachmentCipherInputStream.CreateForStickerData(encryptResult.ciphertext, packKey);
+            using Stream inputStream = AttachmentCipherInputStream.CreateForStickerData(encryptResult.ciphertext, packKey);
             byte[] plaintextOutput = ReadInputStreamFully(inputStream);
 
             CollectionAssert.AreEqual(plaintextInput, plaintextOutput);
@@ -190,7 +233,7 @@ public void Test_Sticker_EncryptDecryptEmpty()
             byte[] packKey = Util.GetSecretBytes(32);
             byte[] plaintextInput = Encoding.UTF8.GetBytes(string.Empty);
             EncryptResult encryptResult = EncryptData(plaintextInput, ExpandPackKey(packKey));
-            Stream inputStream = AttachmentCipherInputStream.CreateForStickerData(encryptResult.ciphertext, packKey);
+            using Stream inputStream = AttachmentCipherInputStream.CreateForStickerData(encryptResult.ciphertext, packKey);
             byte[] plaintextOutput = ReadInputStreamFully(inputStream);
 
             CollectionAssert.AreEqual(plaintextInput, plaintextOutput);
@@ -270,14 +313,7 @@ private static void DeleteFile(string path)
         {
             if (File.Exists(path))
             {
-                try
-                {
-                    File.Delete(path);
-                }
-                catch (IOException)
-                {
-                    // for some reason this fails
-                }
+                File.Delete(path);
             }
         }
 

libsignal-service-dotnet/crypto/AttachmentCipherInputStream.cs

@@ -20,6 +20,8 @@ public class AttachmentCipherInputStream : Stream
         private readonly Aes aes;
         private readonly CryptoStream cipher;
         private readonly ICryptoTransform decryptor;
+        private readonly byte[] mac;
+        private bool disposed = false;
 
         private readonly long totalDataSize;
         private long totalRead = 0;
@@ -59,12 +61,8 @@ public static Stream CreateForAttachment(Stream inputStream, long plaintextLengt
 
                 VerifyMac(inputStream, inputStream.Length, mac, digest);
                 inputStream.Seek(0, SeekOrigin.Begin);
-                // We need to truncate the MAC off the end of the input stream or CryptoStream will fail to decrypt
-                // correctly because it will think there's more data to decrypt when the MAC isn't actually part of
-                // what needs to be decrypted.
-                inputStream.SetLength(inputStream.Length - MacLength);
 
-                Stream stream = new AttachmentCipherInputStream(inputStream, parts[0], inputStream.Length - BLOCK_SIZE);
+                Stream stream = new AttachmentCipherInputStream(inputStream, parts[0], inputStream.Length - BLOCK_SIZE - MacLength);
 
                 if (plaintextLength > 0)
                 {
@@ -103,12 +101,8 @@ public static Stream CreateForStickerData(byte[] data, byte[] packKey)
                 MemoryStream inputStream = new MemoryStream(data);
                 VerifyMac(inputStream, data.Length, mac, null);
                 inputStream.Seek(0, SeekOrigin.Begin);
-                // We need to truncate the MAC off the end of the input stream or CryptoStream will fail to decrypt
-                // correctly because it will think there's more data to decrypt when the MAC isn't actually part of
-                // what needs to be decrypted.
-                inputStream.SetLength(inputStream.Length - MacLength);
 
-                return new AttachmentCipherInputStream(inputStream, parts[0], data.Length - BLOCK_SIZE);
+                return new AttachmentCipherInputStream(inputStream, parts[0], data.Length - BLOCK_SIZE - MacLength);
             }
             catch (InvalidMacException ex)
             {
@@ -120,6 +114,14 @@ private AttachmentCipherInputStream(Stream inputStream, byte[] key, long totalDa
         {
             this.inputStream = inputStream;
 
+            // We need to truncate the MAC off the end of the input stream or CryptoStream will fail to decrypt
+            // correctly because it will think there's more data to decrypt when the MAC isn't actually part of
+            // what needs to be decrypted. Truncating the MAC off the end of the stream however will make the
+            // stream not reusable so store the MAC so we can add it back before we dispose the stream.
+            const int MacLength = 32;
+            mac = GetMac(inputStream, MacLength);
+            inputStream.SetLength(inputStream.Length - MacLength);
+
             byte[] iv = new byte[BLOCK_SIZE];
             ReadFully(iv);
 
@@ -135,9 +137,20 @@ private AttachmentCipherInputStream(Stream inputStream, byte[] key, long totalDa
             this.totalDataSize = totalDataSize;
         }
 
+        protected override void Dispose(bool disposing)
+        {
+            if (!disposed)
+            {
+                disposed = true;
+                inputStream.Seek(0, SeekOrigin.End);
+                inputStream.Write(mac, 0, mac.Length);
+            }
+            inputStream.Dispose();
+            base.Dispose(disposing);
+        }
+
         public override void Flush()
         {
-            throw new NotImplementedException();
         }
 
         public override int Read(byte[] buffer, int offset, int count)
@@ -207,6 +220,15 @@ private static void VerifyMac(Stream inputStream, long length, IncrementalHash m
             }
         }
 
+        private byte[] GetMac(Stream inputStream, int macLength)
+        {
+            byte[] mac = new byte[macLength];
+            inputStream.Seek(-macLength, SeekOrigin.End);
+            Util.ReadFully(inputStream, mac);
+            inputStream.Seek(0, SeekOrigin.Begin);
+            return mac;
+        }
+
         private void ReadFully(byte[] buffer)
         {
             int offset = 0;

libsignal-service-dotnet/crypto/DigestingOutputStream.cs

@@ -1,8 +1,6 @@
-using System;
-using System.Collections.Generic;
+using System;
 using System.IO;
 using System.Security.Cryptography;
-using System.Text;
 
 namespace libsignalservice.crypto
 {
@@ -22,6 +20,12 @@ public DigestingOutputStream(Stream outputStream)
             OutputStream = outputStream;
         }
 
+        protected override void Dispose(bool disposing)
+        {
+            OutputStream.Dispose();
+            base.Dispose(disposing);
+        }
+
         public override void Flush()
         {
             OutputStream.Flush();

libsignal-service-dotnet/crypto/PaddingInputStream.cs

@@ -6,36 +6,41 @@ namespace libsignalservice.crypto
 {
     internal class PaddingInputStream : Stream
     {
-        private readonly Stream InputStream;
-        private long PaddingRemaining;
+        private readonly Stream inputStream;
+        private long paddingRemaining;
 
         public override bool CanRead => true;
         public override bool CanSeek => false;
         public override bool CanWrite => false;
-        public override long Length { get => InputStream.Length + Util.ToIntExact(PaddingRemaining); }
+        public override long Length { get => inputStream.Length + Util.ToIntExact(paddingRemaining); }
         public override long Position { get => throw new NotImplementedException(); set => throw new NotImplementedException(); }
 
         public PaddingInputStream(Stream inputStream, long plainTextLength)
         {
-            InputStream = inputStream;
-            PaddingRemaining = GetPaddedSize(plainTextLength) - plainTextLength;
+            this.inputStream = inputStream;
+            paddingRemaining = GetPaddedSize(plainTextLength) - plainTextLength;
+        }
+
+        protected override void Dispose(bool disposing)
+        {
+            inputStream.Dispose();
+            base.Dispose(disposing);
         }
 
         public override void Flush()
         {
-            throw new NotImplementedException();
         }
 
         public override int Read(byte[] buffer, int offset, int count)
         {
-            int result = InputStream.Read(buffer, offset, count);
+            int result = inputStream.Read(buffer, offset, count);
             if (result >= 0)
                 return result;
 
-            if (PaddingRemaining > 0)
+            if (paddingRemaining > 0)
             {
-                count = Math.Min(count, Util.ToIntExact(PaddingRemaining));
-                PaddingRemaining -= count;
+                count = Math.Min(count, Util.ToIntExact(paddingRemaining));
+                paddingRemaining -= count;
                 return count;
             }
             return 0;

libsignal-service-dotnet/crypto/ProfileCipherInputStream.cs

@@ -11,7 +11,7 @@ namespace libsignalservice.crypto
     public class ProfileCipherInputStream : Stream
     {
         private readonly GcmBlockCipher cipher;
-        private readonly Stream InputStream;
+        private readonly Stream inputStream;
 
         private bool finished = false;
 
@@ -28,12 +28,17 @@ public ProfileCipherInputStream(Stream inputStream, byte[] key)
             byte[] nonce = new byte[12];
             Util.ReadFully(inputStream, nonce);
             cipher.Init(false, new AeadParameters(new KeyParameter(key), 128, nonce));
-            InputStream = inputStream;
+            this.inputStream = inputStream;
+        }
+
+        protected override void Dispose(bool disposing)
+        {
+            inputStream.Dispose();
+            base.Dispose(disposing);
         }
 
         public override void Flush()
         {
-            throw new NotImplementedException();
         }
 
         /// <summary>
@@ -50,7 +55,7 @@ public override int Read(byte[] buffer, int offset, int count)
             try
             {
                 byte[] ciphertext = new byte[count / 2];
-                int read = InputStream.Read(ciphertext, 0, ciphertext.Length);
+                int read = inputStream.Read(ciphertext, 0, ciphertext.Length);
 
                 if (read <= 0)
                 {

libsignal-service-dotnet/messages/multidevice/ChunkedInputStream.cs

@@ -70,8 +70,8 @@ public int ReadRawVarint32()// throws IOException
 
         internal class LimitedInputStream : Stream
         {
-            private Stream InputStream;
-            private long Left;
+            private Stream inputStream;
+            private long left;
 
             public override bool CanRead => true;
             public override bool CanSeek => false;
@@ -81,24 +81,29 @@ internal class LimitedInputStream : Stream
 
             internal LimitedInputStream(Stream inputStream, long limit)
             {
-                InputStream = inputStream;
-                Left = limit;
+                this.inputStream = inputStream;
+                left = limit;
+            }
+
+            protected override void Dispose(bool disposing)
+            {
+                inputStream.Dispose();
+                base.Dispose(disposing);
             }
 
             public override void Flush()
             {
-                throw new NotImplementedException();
             }
 
             public override int Read(byte[] buffer, int offset, int count)
             {
-                if (Left == 0)
+                if (left == 0)
                     return 0;
 
-                count = (int) Math.Min(count, Left);
-                int result = InputStream.Read(buffer, offset, count);
+                count = (int) Math.Min(count, left);
+                int result = inputStream.Read(buffer, offset, count);
                 if (result > 0)
-                    Left -= result;
+                    left -= result;
                 return result;
             }