/src/ghostpdl/pdf/pdf_sec.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* Copyright (C) 2020-2022 Artifex Software, Inc. |
2 | | All Rights Reserved. |
3 | | |
4 | | This software is provided AS-IS with no warranty, either express or |
5 | | implied. |
6 | | |
7 | | This software is distributed under license and may not be copied, |
8 | | modified or distributed except as expressly authorized under the terms |
9 | | of the license contained in the file LICENSE in this distribution. |
10 | | |
11 | | Refer to licensing information at http://www.artifex.com or contact |
12 | | Artifex Software, Inc., 1305 Grant Avenue - Suite 200, Novato, |
13 | | CA 94945, U.S.A., +1(415)492-9861, for further information. |
14 | | */ |
15 | | |
16 | | /* PDF decryption routines */ |
17 | | |
18 | | #include "pdf_stack.h" |
19 | | #include "pdf_file.h" |
20 | | #include "pdf_dict.h" |
21 | | #include "pdf_array.h" |
22 | | #include "pdf_sec.h" |
23 | | #include "pdf_misc.h" |
24 | | #include "strmio.h" |
25 | | #include "smd5.h" |
26 | | #include "sarc4.h" |
27 | | #include "aes.h" |
28 | | #include "sha2.h" |
29 | | #include "pdf_utf8.h" |
30 | | #include "pdf_deref.h" |
31 | | |
32 | | /* The padding string as defined in step 1 of Algorithm 3.2 */ |
33 | | static char PadString[32] = { |
34 | | 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08, |
35 | | 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80, 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a |
36 | | }; |
37 | | |
38 | | /* If EncryptMetadata is true we need to add 4 bytes of 0xFF to the MD5 hash |
39 | | * when computing an encryption key (Algorithm 3.2, step 6 when R is 4 or more) |
40 | | */ |
41 | | static char R4String[4] = { |
42 | | 0xFF, 0xFF, 0xFF, 0xFF |
43 | | }; |
44 | | |
45 | | /* If using the AES filter, we need to add this to the encryption |
46 | | * key when creating the key for decrypting objects (streams or strings) |
47 | | */ |
48 | | static char sAlTString[4] = { |
49 | | 0x73, 0x41, 0x6c, 0x54 |
50 | | }; |
51 | | |
52 | | static int pdf_compute_encryption_key_preR5(pdf_context *ctx, char *Password, int PasswordLen, int KeyLen, pdf_string **EKey, int R) |
53 | 124 | { |
54 | 124 | char Key[32]; |
55 | 124 | int code = 0, KeyLenBytes = KeyLen / 8, i; |
56 | 124 | char P[4]; |
57 | 124 | gs_md5_state_t md5; |
58 | 124 | pdf_array *a = NULL; |
59 | 124 | pdf_string *s = NULL; |
60 | 124 | pdf_dict *d = NULL; |
61 | | |
62 | 124 | *EKey = NULL; |
63 | | /* Algorithm 3.2 */ |
64 | | /* Step 1. Pad or truncate the password string to exactly 32 bytes |
65 | | * using the defined padding string. |
66 | | */ |
67 | 124 | if (PasswordLen > 32) |
68 | 0 | PasswordLen = 32; |
69 | | |
70 | 124 | memcpy(Key, Password, PasswordLen); |
71 | | |
72 | 124 | if (PasswordLen < 32) |
73 | 119 | memcpy(&Key[PasswordLen], PadString, 32 - PasswordLen); |
74 | | |
75 | | /* 2. Initialise the MD5 hash function and pass the result of step 1 to this function */ |
76 | 124 | gs_md5_init(&md5); |
77 | 124 | gs_md5_append(&md5, (gs_md5_byte_t *)&Key, 32); |
78 | | |
79 | | /* 3. Pass the value of the encryption dictionary's O entry to the MD5 hash */ |
80 | 124 | gs_md5_append(&md5, (gs_md5_byte_t *)ctx->encryption.O, 32); |
81 | | |
82 | | /* 4. Treat the value of P as an unsigned 4 byte integer and pass those bytes to the MD5 */ |
83 | 124 | P[3] = ((uint32_t)ctx->encryption.P) >> 24; |
84 | 124 | P[2] = ((uint32_t)ctx->encryption.P & 0x00ff0000) >> 16; |
85 | 124 | P[1] = ((uint32_t)ctx->encryption.P & 0x0000ff00) >> 8; |
86 | 124 | P[0] = ((uint32_t)ctx->encryption.P & 0xff); |
87 | 124 | gs_md5_append(&md5, (gs_md5_byte_t *)P, 4); |
88 | | |
89 | | /* 5. Pass the first element of the file's file identifier array */ |
90 | | /* See comment in pdfi_read_Root() for details of why we indirect through 'd' */ |
91 | 124 | d = ctx->Trailer; |
92 | 124 | pdfi_countup(d); |
93 | 124 | code = pdfi_dict_get_type(ctx, d, "ID", PDF_ARRAY, (pdf_obj **)&a); |
94 | 124 | pdfi_countdown(d); |
95 | 124 | if (code < 0) { |
96 | 0 | if (code == gs_error_undefined) { |
97 | 0 | emprintf(ctx->memory, "\n **** Error: ID key in the trailer is required for encrypted files.\n"); |
98 | 0 | emprintf(ctx->memory, " File may not be possible to decrypt.\n"); |
99 | 0 | } else |
100 | 0 | return code; |
101 | 0 | } |
102 | | /* If the file ID was missing, just ignore the error */ |
103 | 124 | if (code == 0) { |
104 | 124 | code = pdfi_array_get_type(ctx, a, (uint64_t)0, PDF_STRING, (pdf_obj **)&s); |
105 | 124 | if (code < 0) |
106 | 0 | goto done; |
107 | 124 | gs_md5_append(&md5, s->data, s->length); |
108 | 124 | } |
109 | | |
110 | | /* Step 6 |
111 | | * (revision 4 or greater) If document Metadata is not being encrypted |
112 | | * pass 4 bytes with the value 0xFFFFFFFF to the MD5 hash function. |
113 | | */ |
114 | 124 | if (R > 3 && !ctx->encryption.EncryptMetadata) { |
115 | 2 | gs_md5_append(&md5, (const gs_md5_byte_t *)R4String, 4); |
116 | 2 | } |
117 | | |
118 | | /* 7. Finish the hash */ |
119 | 124 | gs_md5_finish(&md5, (gs_md5_byte_t *)&Key); |
120 | | |
121 | 124 | code = pdfi_object_alloc(ctx, PDF_STRING, KeyLenBytes, (pdf_obj **)EKey); |
122 | 124 | if (code < 0) |
123 | 0 | goto done; |
124 | 124 | pdfi_countup((pdf_obj *)*EKey); |
125 | | |
126 | | /* Step 8 |
127 | | * (revision 3 or greater) Do the following 50 times. Take the output from the |
128 | | * previous MD5 hash and pass hte first n bytes of the output as input to a new |
129 | | * MD5 hash, where n is the number of bytes of the encryption key as defined by |
130 | | * the value of the encryption dictionary's Length entry. (NB Length is in bits) |
131 | | */ |
132 | 124 | if (R > 2) { |
133 | 4.08k | for (i=0;i < 50; i++) { |
134 | 4.00k | memcpy((*EKey)->data, Key, KeyLenBytes); |
135 | 4.00k | gs_md5_init(&md5); |
136 | 4.00k | gs_md5_append(&md5, (gs_md5_byte_t *)(*EKey)->data, KeyLenBytes); |
137 | 4.00k | gs_md5_finish(&md5, (gs_md5_byte_t *)&Key); |
138 | 4.00k | } |
139 | 80 | } |
140 | | |
141 | | /* Step 9 |
142 | | * Set the encryption key to the first n bytes of the output from the final MD5 hash |
143 | | * where n is always 5 for revision 2 but, for revision 3 or greater, depends on the |
144 | | * value of the encryption dictionary's Length entry. |
145 | | */ |
146 | 124 | memcpy((*EKey)->data, Key, KeyLenBytes); |
147 | | |
148 | 124 | done: |
149 | 124 | pdfi_countdown(s); |
150 | 124 | pdfi_countdown(a); |
151 | 124 | return code; |
152 | 124 | } |
153 | | |
154 | | #ifdef HAVE_LIBIDN |
155 | | # include <stringprep.h> |
156 | | |
157 | | static int apply_sasl(pdf_context *ctx, char *Password, int Len, char **NewPassword, int *NewLen) |
158 | | { |
159 | | byte *buffer; |
160 | | uint buffer_size; |
161 | | Stringprep_rc err; |
162 | | |
163 | | buffer_size = Len * 11 + 1; |
164 | | buffer = (byte *)gs_alloc_bytes(ctx->memory, buffer_size, "saslprep result"); |
165 | | if (buffer == NULL) |
166 | | return_error(gs_error_VMerror); |
167 | | |
168 | | err = stringprep((char *)buffer, buffer_size, 0, stringprep_saslprep); |
169 | | if (err != STRINGPREP_OK) { |
170 | | gs_free_object(ctx->memory, buffer, "saslprep result"); |
171 | | |
172 | | /* Since we're just verifying the password to an existing |
173 | | * document here, we don't care about "invalid input" errors |
174 | | * like STRINGPREP_CONTAINS_PROHIBITED. In these cases, we |
175 | | * ignore the error and return the original string unchanged -- |
176 | | * chances are it's not the right password anyway, and if it |
177 | | * is we shouldn't gratuitously fail to decrypt the document. |
178 | | * |
179 | | * On the other hand, errors like STRINGPREP_NFKC_FAILED are |
180 | | * real errors, and should be returned to the user. |
181 | | * |
182 | | * Fortunately, the stringprep error codes are sorted to make |
183 | | * this easy: the errors we want to ignore are the ones with |
184 | | * codes less than 100. */ |
185 | | if ((int)err < 100) |
186 | | return 0; |
187 | | |
188 | | return_error(gs_error_ioerror); |
189 | | } |
190 | | |
191 | | *NewLen = strlen((char *)buffer); |
192 | | *NewPassword = (char *)buffer; |
193 | | |
194 | | return 0; |
195 | | |
196 | | } |
197 | | #endif |
198 | | |
199 | | static int check_user_password_R5(pdf_context *ctx, char *Password, int Len, int KeyLen) |
200 | 0 | { |
201 | 0 | char *UTF8_Password, *Test = NULL, Buffer[32], UEPadded[48]; |
202 | 0 | int NewLen; |
203 | 0 | int code = 0; |
204 | 0 | pdf_c_stream *stream = NULL, *filter_stream = NULL; |
205 | 0 | pdf_string *Key = NULL; |
206 | 0 | SHA256_CTX sha256; |
207 | | |
208 | | /* Algorithm 3.11 from the Adobe extensions to the ISO 32000 specification (Extension Level 3) */ |
209 | | /* Step 1 convert the password to UTF-8 */ |
210 | | |
211 | | /* From the original code in Resource/Init/pdf_sec.ps: |
212 | | * Step 1. |
213 | | * If the .saslprep operator isn't available (because ghostscript |
214 | | * wasn't built with libidn support), just skip this step. ASCII |
215 | | * passwords will still work fine, and even most non-ASCII passwords |
216 | | * will be okay; any non-ASCII passwords that fail will produce a |
217 | | * warning from pdf_process_Encrypt. |
218 | | */ |
219 | | #ifdef HAVE_LIBIDN |
220 | | code = apply_sasl(ctx, Password, Len, &UTF8_Password, &NewLen); |
221 | | if (code < 0) |
222 | | return code; |
223 | | #else |
224 | 0 | UTF8_Password = Password; |
225 | 0 | NewLen = Len; |
226 | 0 | #endif |
227 | 0 | if (NewLen > 127) |
228 | 0 | NewLen = 127; |
229 | |
|
230 | 0 | Test = (char *)gs_alloc_bytes(ctx->memory, NewLen + 8, "R5 password test"); |
231 | 0 | if (Test == NULL) { |
232 | 0 | code = gs_note_error(gs_error_VMerror); |
233 | 0 | goto error; |
234 | 0 | } |
235 | | |
236 | | /* Try to validate the password as the user password */ |
237 | | /* concatenate the password */ |
238 | 0 | memcpy(Test, UTF8_Password, NewLen); |
239 | | /* With the 'User Validation Salt' (stored as part of the /O string */ |
240 | 0 | memcpy(&Test[NewLen], &ctx->encryption.U[32], 8); |
241 | |
|
242 | 0 | pSHA256_Init(&sha256); |
243 | 0 | pSHA256_Update(&sha256, (uint8_t *)Test, NewLen + 8); |
244 | 0 | pSHA256_Final((uint8_t *)Buffer, &sha256); |
245 | |
|
246 | 0 | if (memcmp(Buffer, ctx->encryption.U, 32) != 0) { |
247 | 0 | code = gs_note_error(gs_error_unknownerror); |
248 | 0 | goto error; |
249 | 0 | } |
250 | | |
251 | | /* Password matched */ |
252 | | /* Finally calculate the decryption key */ |
253 | 0 | gs_free_object(ctx->memory, Test, "R5 password test"); |
254 | | |
255 | | /* Password + last 8 bytes of /U */ |
256 | 0 | Test = (char *)gs_alloc_bytes(ctx->memory, NewLen + 8, "R5 password test"); |
257 | 0 | if (Test == NULL) { |
258 | 0 | code = gs_note_error(gs_error_VMerror); |
259 | 0 | goto error; |
260 | 0 | } |
261 | | |
262 | 0 | memcpy(Test, UTF8_Password, NewLen); |
263 | | /* The 'User Key Salt' (stored as part of the /O string */ |
264 | 0 | memcpy(&Test[NewLen], &ctx->encryption.U[40], 8); |
265 | |
|
266 | 0 | pSHA256_Init(&sha256); |
267 | 0 | pSHA256_Update(&sha256, (uint8_t *)Test, NewLen + 8); |
268 | 0 | pSHA256_Final((uint8_t *)Buffer, &sha256); |
269 | |
|
270 | 0 | memset(UEPadded, 0x00, 16); |
271 | 0 | memcpy(&UEPadded[16], ctx->encryption.UE, 32); |
272 | |
|
273 | 0 | code = pdfi_object_alloc(ctx, PDF_STRING, 32, (pdf_obj **)&Key); |
274 | 0 | if (code < 0) |
275 | 0 | goto error; |
276 | | /* pdfi_object_alloc() creates objects with a refrence count of 0 */ |
277 | 0 | pdfi_countup(Key); |
278 | 0 | memcpy(Key->data, Buffer, 32); |
279 | | |
280 | | /* Now apply AESDecode to the padded UE string, using the SHA from above as the key */ |
281 | 0 | code = pdfi_open_memory_stream_from_memory(ctx, 48, (byte *)UEPadded, &stream, true); |
282 | 0 | if (code < 0) |
283 | 0 | goto error; |
284 | | |
285 | 0 | code = pdfi_apply_AES_filter(ctx, Key, false, stream, &filter_stream); |
286 | 0 | if (code < 0) { |
287 | 0 | pdfi_close_memory_stream(ctx, NULL, stream); |
288 | 0 | goto error; |
289 | 0 | } |
290 | | |
291 | 0 | sfread(Buffer, 1, 32, filter_stream->s); |
292 | 0 | pdfi_close_file(ctx, filter_stream); |
293 | 0 | pdfi_close_memory_stream(ctx, NULL, stream); |
294 | 0 | pdfi_object_alloc(ctx, PDF_STRING, 32, (pdf_obj **)&ctx->encryption.EKey); |
295 | 0 | if (ctx->encryption.EKey == NULL) |
296 | 0 | goto error; |
297 | 0 | memcpy(ctx->encryption.EKey->data, Buffer, 32); |
298 | 0 | pdfi_countup(ctx->encryption.EKey); |
299 | |
|
300 | 0 | error: |
301 | 0 | pdfi_countdown(Key); |
302 | 0 | gs_free_object(ctx->memory, Test, "R5 password test"); |
303 | | #ifdef HAVE_LIBIDN |
304 | | gs_free_object(ctx->memory, UTF8_Password, "free sasl result"); |
305 | | #endif |
306 | 0 | return code; |
307 | 0 | } |
308 | | |
309 | | /* Implementation of the PDF security handler revision6 (PDF 1.7 ExtensionLevel 8 algorithm) |
310 | | * |
311 | | * Adobe/ISO has not yet released the details, so the algorithm reference is: |
312 | | * http://esec-lab.sogeti.com/post/The-undocumented-password-validation-algorithm-of-Adobe-Reader-X |
313 | | * |
314 | | * The code below is the same as (and copied from) the MuPDF implementation. And copied from the |
315 | | * Ghostscript implementation in zpdf_r6.c. The ISO specification is now released and the algorithms |
316 | | * used here are documented in the PDF 2.0 specification ISO 32000-2:2017 |
317 | | */ |
318 | | |
319 | | static void |
320 | | pdf_compute_hardened_hash_r6(unsigned char *password, int pwlen, unsigned char salt[16], unsigned char *ownerkey, unsigned char hash[32]) |
321 | 338 | { |
322 | 338 | unsigned char data[(128 + 64 + 48) * 64]; |
323 | 338 | unsigned char block[64]; |
324 | 338 | int block_size = 32; |
325 | 338 | int data_len = 0; |
326 | 338 | int i, j, sum; |
327 | | |
328 | 338 | SHA256_CTX sha256; |
329 | 338 | SHA384_CTX sha384; |
330 | 338 | SHA512_CTX sha512; |
331 | 338 | aes_context aes; |
332 | | |
333 | 338 | pSHA256_Init(&sha256); |
334 | 338 | pSHA256_Update(&sha256, password, pwlen); |
335 | 338 | pSHA256_Update(&sha256, salt, 8); |
336 | 338 | if (ownerkey) |
337 | 128 | pSHA256_Update(&sha256, ownerkey, 48); |
338 | 338 | pSHA256_Final((uint8_t *)block, &sha256); |
339 | | |
340 | 23.2k | for (i = 0; i < 64 || i < data[data_len * 64 - 1] + 32; i++) |
341 | 22.9k | { |
342 | | /* Step 2: repeat password and data block 64 times */ |
343 | 22.9k | memcpy(data, password, pwlen); |
344 | 22.9k | memcpy(data + pwlen, block, block_size); |
345 | 22.9k | if (ownerkey) |
346 | 8.54k | memcpy(data + pwlen + block_size, ownerkey, 48); |
347 | 22.9k | data_len = pwlen + block_size + (ownerkey ? 48 : 0); |
348 | 1.46M | for (j = 1; j < 64; j++) |
349 | 1.44M | memcpy(data + j * data_len, data, data_len); |
350 | | |
351 | | /* Step 3: encrypt data using data block as key and iv */ |
352 | 22.9k | aes_setkey_enc(&aes, block, 128); |
353 | 22.9k | aes_crypt_cbc(&aes, AES_ENCRYPT, data_len * 64, block + 16, data, data); |
354 | | |
355 | | /* Step 4: determine SHA-2 hash size for this round */ |
356 | 390k | for (j = 0, sum = 0; j < 16; j++) |
357 | 367k | sum += data[j]; |
358 | | |
359 | | /* Step 5: calculate data block for next round */ |
360 | 22.9k | block_size = 32 + (sum % 3) * 16; |
361 | 22.9k | switch (block_size) |
362 | 22.9k | { |
363 | 8.01k | case 32: |
364 | 8.01k | pSHA256_Init(&sha256); |
365 | 8.01k | pSHA256_Update(&sha256, data, data_len * 64); |
366 | 8.01k | pSHA256_Final((uint8_t *)block, &sha256); |
367 | 8.01k | break; |
368 | 7.24k | case 48: |
369 | 7.24k | pSHA384_Init(&sha384); |
370 | 7.24k | pSHA384_Update(&sha384, data, data_len * 64); |
371 | 7.24k | pSHA384_Final((uint8_t *)block, &sha384); |
372 | 7.24k | break; |
373 | 7.68k | case 64: |
374 | 7.68k | pSHA512_Init(&sha512); |
375 | 7.68k | pSHA512_Update(&sha512, data, data_len * 64); |
376 | 7.68k | pSHA512_Final((uint8_t *)block, &sha512); |
377 | 7.68k | break; |
378 | 22.9k | } |
379 | 22.9k | } |
380 | | |
381 | 338 | memset(data, 0, sizeof(data)); |
382 | 338 | memcpy(hash, block, 32); |
383 | 338 | } |
384 | | |
385 | | static void |
386 | | pdf_compute_encryption_key_r6(unsigned char *password, int pwlen, unsigned char *O, unsigned char *OE, unsigned char *U, unsigned char *UE, int ownerkey, unsigned char *validationkey, unsigned char *output) |
387 | 169 | { |
388 | 169 | unsigned char hash[32]; |
389 | 169 | unsigned char iv[16]; |
390 | 169 | aes_context aes; |
391 | | |
392 | 169 | if (pwlen > 127) |
393 | 0 | pwlen = 127; |
394 | | |
395 | 169 | pdf_compute_hardened_hash_r6(password, pwlen, |
396 | 169 | (ownerkey ? O : U) + 32, |
397 | 169 | ownerkey ? U : NULL, validationkey); |
398 | 169 | pdf_compute_hardened_hash_r6(password, pwlen, |
399 | 169 | (ownerkey ? O : U) + 40, |
400 | 169 | (ownerkey ? U : NULL), hash); |
401 | | |
402 | 169 | memset(iv, 0, sizeof(iv)); |
403 | 169 | aes_setkey_dec(&aes, hash, 256); |
404 | 169 | aes_crypt_cbc(&aes, AES_DECRYPT, 32, iv, |
405 | 169 | ownerkey ? OE : UE, output); |
406 | 169 | } |
407 | | |
408 | | static int check_user_password_R6(pdf_context *ctx, char *Password, int Len, int KeyLen) |
409 | 105 | { |
410 | 105 | unsigned char validation[32]; |
411 | 105 | unsigned char output[32]; |
412 | | |
413 | 105 | pdf_compute_encryption_key_r6((unsigned char *)Password, Len, (unsigned char *)ctx->encryption.O, (unsigned char *)ctx->encryption.OE, |
414 | 105 | (unsigned char *)ctx->encryption.U, (unsigned char *)ctx->encryption.UE, 0, validation, output); |
415 | | |
416 | 105 | if (memcmp(validation, ctx->encryption.U, 32) != 0) |
417 | 64 | return_error(gs_error_unknownerror); |
418 | | |
419 | 41 | pdfi_object_alloc(ctx, PDF_STRING, 32, (pdf_obj **)&ctx->encryption.EKey); |
420 | 41 | if (ctx->encryption.EKey == NULL) |
421 | 41 | return_error(gs_error_VMerror);; |
422 | 41 | memcpy(ctx->encryption.EKey->data, output, 32); |
423 | 41 | pdfi_countup(ctx->encryption.EKey); |
424 | | |
425 | 41 | return 0; |
426 | 41 | } |
427 | | |
428 | | static int check_user_password_preR5(pdf_context *ctx, char *Password, int Len, int KeyLen, int R) |
429 | 124 | { |
430 | 124 | pdf_string *Key = NULL, *XORKey = NULL; |
431 | 124 | int code = 0, i, j, KeyLenBytes = KeyLen / 8; |
432 | 124 | pdf_c_stream *stream, *arc4_stream; |
433 | 124 | char Buffer[32]; |
434 | 124 | char Hash[16]; |
435 | 124 | gs_md5_state_t md5; |
436 | 124 | pdf_string *s = NULL; |
437 | 124 | pdf_array *a = NULL; |
438 | 124 | pdf_dict *d = NULL; |
439 | | |
440 | | /* Algorithm 3.6, step 1 |
441 | | * perform all but the last step of Algorithm 3,4 (Revision 2) |
442 | | * or Algorithm 3.5 (revision 3 or greater). |
443 | | */ |
444 | | |
445 | | /* Algorithm 3.4 step 1 |
446 | | * Create an encryption key based on the user password string as described in Algorithm 3.2 |
447 | | */ |
448 | 124 | code = pdf_compute_encryption_key_preR5(ctx, Password, Len, KeyLen, &Key, R); |
449 | 124 | if (code < 0) |
450 | 0 | return code; |
451 | | |
452 | 124 | switch (R) { |
453 | 44 | case 2: |
454 | | /* Algorithm 3.4, step 2 |
455 | | * Encrypt the 32 byte padding string from step 1 of Algorithm 3.2, with an RC4 |
456 | | * encryption function, using the key from the preceding step. |
457 | | */ |
458 | | |
459 | 44 | code = pdfi_open_memory_stream_from_memory(ctx, 32, (byte *)PadString, &stream, true); |
460 | 44 | if (code < 0) |
461 | 0 | goto error; |
462 | | |
463 | 44 | code = pdfi_apply_Arc4_filter(ctx, Key, stream, &arc4_stream); |
464 | 44 | if (code < 0) { |
465 | 0 | pdfi_close_memory_stream(ctx, NULL, stream); |
466 | 0 | goto error; |
467 | 0 | } |
468 | | |
469 | 44 | sfread(Buffer, 1, 32, arc4_stream->s); |
470 | 44 | pdfi_close_file(ctx, arc4_stream); |
471 | 44 | pdfi_close_memory_stream(ctx, NULL, stream); |
472 | | |
473 | | /* Algorithm 3.6 step 2 |
474 | | * If the result of the step above is equal to the value of the encryption dictionary |
475 | | * U entry the password supplied is the correct user password. |
476 | | */ |
477 | 44 | if (memcmp(Buffer, ctx->encryption.U, 32) != 0) { |
478 | 4 | code = gs_error_unknownerror; |
479 | 4 | goto error; |
480 | 40 | } else { |
481 | | /* Password authenticated, we can now use the calculated encryption key to decrypt the file */ |
482 | 40 | ctx->encryption.EKey = Key; |
483 | 40 | } |
484 | 40 | break; |
485 | 40 | case 3: |
486 | 80 | case 4: |
487 | | /* Algorithm 3.5 step 2 |
488 | | * Pass the 32 byte padding string from step 1 of Algorithm 3.2 to an MD5 hash */ |
489 | 80 | gs_md5_init(&md5); |
490 | 80 | gs_md5_append(&md5, (gs_md5_byte_t *)PadString, 32); |
491 | | /* See comment in pdfi_read_Root() for details of why we indirect through 'd' */ |
492 | 80 | d = ctx->Trailer; |
493 | 80 | pdfi_countup(d); |
494 | 80 | code = pdfi_dict_get_type(ctx, d, "ID", PDF_ARRAY, (pdf_obj **)&a); |
495 | 80 | pdfi_countdown(d); |
496 | 80 | if (code < 0) { |
497 | 0 | if (code == gs_error_undefined) { |
498 | 0 | emprintf(ctx->memory, "\n **** Error: ID key in the trailer is required for encrypted files.\n"); |
499 | 0 | emprintf(ctx->memory, " File may not be possible to decrypt.\n"); |
500 | 0 | } else |
501 | 0 | return code; |
502 | 0 | } |
503 | 80 | if (code == 0) { |
504 | | /* Step 3 |
505 | | * Pass the first element of the file's file identifier array to the hash function |
506 | | * and finish the hash |
507 | | */ |
508 | 80 | code = pdfi_array_get_type(ctx, a, (uint64_t)0, PDF_STRING, (pdf_obj **)&s); |
509 | 80 | if (code < 0) |
510 | 0 | goto error; |
511 | 80 | gs_md5_append(&md5, s->data, s->length); |
512 | 80 | } |
513 | 80 | gs_md5_finish(&md5, (gs_md5_byte_t *)&Hash); |
514 | | |
515 | | /* Step 4 |
516 | | * Encrypt the 16-byte result of the hash using an RC4 encryption function with |
517 | | * the encryption key from step 1 (of Algorithm 3.5). |
518 | | */ |
519 | 80 | code = pdfi_open_memory_stream_from_memory(ctx, 16, (byte *)Hash, &stream, true); |
520 | 80 | if (code < 0) |
521 | 0 | goto error; |
522 | | |
523 | 80 | code = pdfi_apply_Arc4_filter(ctx, Key, stream, &arc4_stream); |
524 | 80 | if (code < 0) { |
525 | 0 | pdfi_close_memory_stream(ctx, NULL, stream); |
526 | 0 | goto error; |
527 | 0 | } |
528 | | |
529 | 80 | sfread(Buffer, 1, 16, arc4_stream->s); |
530 | 80 | pdfi_close_file(ctx, arc4_stream); |
531 | 80 | pdfi_close_memory_stream(ctx, NULL, stream); |
532 | | |
533 | 80 | code = pdfi_object_alloc(ctx, PDF_STRING, KeyLenBytes, (pdf_obj **)&XORKey); |
534 | 80 | if (code < 0) |
535 | 0 | goto error; |
536 | | /* pdfi_object_alloc() creates objects with a reference count of 0 */ |
537 | 80 | pdfi_countup(XORKey); |
538 | | |
539 | | /* Step 5 |
540 | | * Do the following 19 times. Take the output from the previous invocation of the RC4 |
541 | | * function and pas it as input to a new invocation of the function; use an encryption key |
542 | | * generated by taking each byte of the original encyption key (obtained in step 1 of |
543 | | * algorithm 3.5) and performing an XOR operation between that byte and the single byte |
544 | | * value of the iteration counter (from 1 to 19). |
545 | | */ |
546 | 1.60k | for (i=1;i < 20;i++) { |
547 | 1.52k | memcpy(Hash, Buffer, 16); |
548 | 1.52k | code = pdfi_open_memory_stream_from_memory(ctx, 16, (byte *)Hash, &stream, true); |
549 | 1.52k | if (code < 0) |
550 | 0 | goto error; |
551 | | |
552 | 25.2k | for (j=0;j < KeyLenBytes;j++) { |
553 | 23.7k | XORKey->data[j] = Key->data[j] ^ i; |
554 | 23.7k | } |
555 | | |
556 | 1.52k | code = pdfi_apply_Arc4_filter(ctx, XORKey, stream, &arc4_stream); |
557 | 1.52k | if (code < 0) { |
558 | 0 | pdfi_close_memory_stream(ctx, NULL, stream); |
559 | 0 | goto error; |
560 | 0 | } |
561 | 1.52k | sfread(Buffer, 1, 16, arc4_stream->s); |
562 | 1.52k | pdfi_close_file(ctx, arc4_stream); |
563 | 1.52k | pdfi_close_memory_stream(ctx, NULL, stream); |
564 | 1.52k | } |
565 | | |
566 | | /* Algorithm 3.6 step 2 |
567 | | * If the result of the step above is equal to the value of the encryption dictionary U entry |
568 | | * (comparing on the first 16 bytes in the case of revision 3 of greater) |
569 | | * the password supplied is the correct user password. |
570 | | */ |
571 | 80 | if (memcmp(Buffer, ctx->encryption.U, 16) != 0) { |
572 | 6 | code = gs_error_unknownerror; |
573 | 6 | goto error; |
574 | 74 | } else { |
575 | | /* Password authenticated, we can now use the calculated encryption key to decrypt the file */ |
576 | 74 | ctx->encryption.EKey = Key; |
577 | 74 | } |
578 | 74 | break; |
579 | 74 | default: |
580 | 0 | code = gs_note_error(gs_error_rangecheck); |
581 | 0 | goto error; |
582 | 0 | break; |
583 | 124 | } |
584 | | |
585 | | /* We deliberately don't countdown Key here, if we created it and there were no |
586 | | * errors then we will have stored it in the global context for future use. It |
587 | | * will be counted down when the context is destroyed. |
588 | | */ |
589 | 114 | pdfi_countdown(XORKey); |
590 | 114 | pdfi_countdown(s); |
591 | 114 | pdfi_countdown(a); |
592 | 114 | return 0; |
593 | | |
594 | 10 | error: |
595 | 10 | pdfi_countdown(XORKey); |
596 | 10 | pdfi_countdown(Key); |
597 | 10 | pdfi_countdown(s); |
598 | 10 | pdfi_countdown(a); |
599 | 10 | return code; |
600 | 124 | } |
601 | | |
602 | | static int check_owner_password_R5(pdf_context *ctx, char *Password, int Len, int KeyLen) |
603 | 0 | { |
604 | 0 | char *UTF8_Password, *Test = NULL, Buffer[32], OEPadded[48]; |
605 | 0 | int NewLen; |
606 | 0 | int code = 0; |
607 | 0 | pdf_c_stream *stream = NULL, *filter_stream = NULL; |
608 | 0 | pdf_string *Key = NULL; |
609 | 0 | SHA256_CTX sha256; |
610 | | |
611 | | /* From the original code in Resource/Init/pdf_sec.ps: |
612 | | * Step 1. |
613 | | * If the .saslprep operator isn't available (because ghostscript |
614 | | * wasn't built with libidn support), just skip this step. ASCII |
615 | | * passwords will still work fine, and even most non-ASCII passwords |
616 | | * will be okay; any non-ASCII passwords that fail will produce a |
617 | | * warning from pdf_process_Encrypt. |
618 | | */ |
619 | | #ifdef HAVE_LIBIDN |
620 | | code = apply_sasl(ctx, Password, Len, &UTF8_Password, &NewLen); |
621 | | if (code < 0) |
622 | | return code; |
623 | | #else |
624 | 0 | UTF8_Password = Password; |
625 | 0 | NewLen = Len; |
626 | 0 | #endif |
627 | 0 | if (NewLen > 127) |
628 | 0 | NewLen = 127; |
629 | |
|
630 | 0 | Test = (char *)gs_alloc_bytes(ctx->memory, NewLen + 8 + 48, "r5 password test"); |
631 | 0 | if (Test == NULL) { |
632 | 0 | code = gs_note_error(gs_error_VMerror); |
633 | 0 | goto error; |
634 | 0 | } |
635 | | |
636 | | /* concatenate the password */ |
637 | 0 | memcpy(Test, UTF8_Password, NewLen); |
638 | | /* With the 'Owner Validation Salt' (stored as part of the /O string */ |
639 | 0 | memcpy(&Test[NewLen], &ctx->encryption.O[32], 8); |
640 | | /* and also concatenated with the /U string, which is defined to be 48 bytes for revision 5 */ |
641 | 0 | memcpy(&Test[NewLen + 8], &ctx->encryption.U, 48); |
642 | | |
643 | | /* Now calculate the SHA256 hash */ |
644 | 0 | pSHA256_Init(&sha256); |
645 | 0 | pSHA256_Update(&sha256, (const uint8_t *)Test, NewLen + 8 + 48); |
646 | 0 | pSHA256_Final((uint8_t *)Buffer, &sha256); |
647 | |
|
648 | 0 | if (memcmp(Buffer, ctx->encryption.O, 32) != 0) { |
649 | 0 | code = gs_note_error(gs_error_unknownerror); |
650 | 0 | goto error; |
651 | 0 | } |
652 | | |
653 | | /* Password matched */ |
654 | | /* Finally calculate the decryption key */ |
655 | 0 | gs_free_object(ctx->memory, Test, "R5 password test"); |
656 | | |
657 | | /* Password + last 8 bytes of /O */ |
658 | 0 | Test = (char *)gs_alloc_bytes(ctx->memory, NewLen + 8 + 48, "R5 password test"); |
659 | 0 | if (Test == NULL) { |
660 | 0 | code = gs_note_error(gs_error_VMerror); |
661 | 0 | goto error; |
662 | 0 | } |
663 | | |
664 | 0 | memcpy(Test, UTF8_Password, NewLen); |
665 | | /* The 'User Key Salt' (stored as part of the /O string */ |
666 | 0 | memcpy(&Test[NewLen], &ctx->encryption.O[40], 8); |
667 | 0 | memcpy(&Test[NewLen + 8], ctx->encryption.U, 48); |
668 | | |
669 | | /* Now calculate the SHA256 hash */ |
670 | 0 | pSHA256_Init(&sha256); |
671 | 0 | pSHA256_Update(&sha256, (const uint8_t *)Test, NewLen + 8 + 48); |
672 | 0 | pSHA256_Final((uint8_t *)Buffer, &sha256); |
673 | |
|
674 | 0 | memset(OEPadded, 0x00, 16); |
675 | 0 | memcpy(&OEPadded[16], ctx->encryption.OE, 32); |
676 | |
|
677 | 0 | code = pdfi_object_alloc(ctx, PDF_STRING, 32, (pdf_obj **)&Key); |
678 | 0 | if (code < 0) |
679 | 0 | goto error; |
680 | | /* pdfi_object_alloc() creates objects with a refrence count of 0 */ |
681 | 0 | pdfi_countup(Key); |
682 | 0 | memcpy(Key->data, Buffer, 32); |
683 | | |
684 | | /* Now apply AESDecode to the padded UE string, using the SHA from above as the key */ |
685 | 0 | code = pdfi_open_memory_stream_from_memory(ctx, 48, (byte *)OEPadded, &stream, true); |
686 | 0 | if (code < 0) |
687 | 0 | goto error; |
688 | | |
689 | 0 | code = pdfi_apply_AES_filter(ctx, Key, false, stream, &filter_stream); |
690 | 0 | if (code < 0) { |
691 | 0 | pdfi_close_memory_stream(ctx, NULL, stream); |
692 | 0 | goto error; |
693 | 0 | } |
694 | | |
695 | 0 | sfread(Buffer, 1, 32, filter_stream->s); |
696 | 0 | pdfi_close_file(ctx, filter_stream); |
697 | 0 | pdfi_close_memory_stream(ctx, NULL, stream); |
698 | 0 | pdfi_object_alloc(ctx, PDF_STRING, 32, (pdf_obj **)&ctx->encryption.EKey); |
699 | 0 | if (ctx->encryption.EKey == NULL) |
700 | 0 | goto error; |
701 | 0 | memcpy(ctx->encryption.EKey->data, Buffer, 32); |
702 | 0 | pdfi_countup(ctx->encryption.EKey); |
703 | |
|
704 | 0 | error: |
705 | 0 | pdfi_countdown(Key); |
706 | 0 | gs_free_object(ctx->memory, Test, "R5 password test"); |
707 | | #ifdef HAVE_LIBIDN |
708 | | gs_free_object(ctx->memory, UTF8_Password, "free sasl result"); |
709 | | #endif |
710 | 0 | return code; |
711 | 0 | } |
712 | | |
713 | | static int check_owner_password_R6(pdf_context *ctx, char *Password, int Len, int KeyLen) |
714 | 64 | { |
715 | 64 | unsigned char validation[32]; |
716 | 64 | unsigned char output[32]; |
717 | | |
718 | 64 | pdf_compute_encryption_key_r6((unsigned char *)Password, Len, (unsigned char *)ctx->encryption.O, (unsigned char *)ctx->encryption.OE, |
719 | 64 | (unsigned char *)ctx->encryption.U, (unsigned char *)ctx->encryption.UE, 1, validation, output); |
720 | | |
721 | 64 | if (memcmp(validation, ctx->encryption.O, 32) != 0) |
722 | 22 | return_error(gs_error_unknownerror); |
723 | | |
724 | 42 | pdfi_object_alloc(ctx, PDF_STRING, 32, (pdf_obj **)&ctx->encryption.EKey); |
725 | 42 | if (ctx->encryption.EKey == NULL) |
726 | 42 | return_error(gs_error_VMerror);; |
727 | 42 | memcpy(ctx->encryption.EKey->data, output, 32); |
728 | 42 | pdfi_countup(ctx->encryption.EKey); |
729 | | |
730 | 42 | return 0; |
731 | 42 | } |
732 | | |
733 | | static int check_owner_password_preR5(pdf_context *ctx, char *Password, int Len, int KeyLen, int R) |
734 | 5 | { |
735 | 5 | char Key[32]; |
736 | 5 | int code = 0, i, j, KeyLenBytes = KeyLen / 8; |
737 | 5 | pdf_string *EKey = NULL; |
738 | 5 | gs_md5_state_t md5; |
739 | 5 | pdf_c_stream *stream, *arc4_stream; |
740 | 5 | char Buffer[32], Arc4Source[32]; |
741 | | |
742 | | /* Algorithm 3.7 */ |
743 | | /* Step 1, Compute an encryption key from steps 1-4 of Algorithm 3.3 */ |
744 | | |
745 | | /* Algorithm 3.3, step 1. Pad or truncate the password string to exactly 32 bytes */ |
746 | 5 | if (Len > 32) |
747 | 0 | Len = 32; |
748 | | |
749 | 5 | memcpy(Key, Password, Len); |
750 | | |
751 | 5 | if (Len < 32) |
752 | 5 | memcpy(&Key[Len], PadString, 32 - Len); |
753 | | |
754 | | /* Algorithm 3.3, step 2. Initialise the MD5 hash function and pass the result of step 1 to this function */ |
755 | 5 | gs_md5_init(&md5); |
756 | 5 | gs_md5_append(&md5, (gs_md5_byte_t *)&Key, 32); |
757 | 5 | gs_md5_finish(&md5, (gs_md5_byte_t *)&Key); |
758 | | |
759 | | /* Algorithm 3.3, step 3. Only for R3 or greater */ |
760 | 5 | if (R > 2) { |
761 | 3 | code = pdfi_object_alloc(ctx, PDF_STRING, KeyLenBytes, (pdf_obj **)&EKey); |
762 | 3 | if (code < 0) |
763 | 0 | goto error; |
764 | | /* pdfi_object_alloc() creates objects with a refrence count of 0 */ |
765 | 3 | pdfi_countup(EKey); |
766 | | |
767 | 153 | for (i = 0; i < 50; i++) { |
768 | 150 | gs_md5_init(&md5); |
769 | 150 | gs_md5_append(&md5, (gs_md5_byte_t *)&Key, KeyLenBytes); |
770 | 150 | gs_md5_finish(&md5, (gs_md5_byte_t *)&Key); |
771 | 150 | } |
772 | | /* Algorithm 3.3, step 4. Use KeyLen bytes of the final hash as an RC$ key */ |
773 | | /* Algorithm 3.7, step 2 (R >= 3) */ |
774 | 3 | memcpy(Buffer, ctx->encryption.O, 32); |
775 | | |
776 | | /* Algorithm 3.7 states (at the end): |
777 | | * "performing an XOR (exclusive or) operation between each byte of the key and the single-byte value of the iteration counter (from 19 to 0)." |
778 | | * which implies that the loop should run 20 times couting down from 19 to 0. For decryption at least this is completely |
779 | | * incorrect. Doing that results in completely garbage output. |
780 | | * By using 0 as the first index we get the correct Key when XOR'ing that with the |
781 | | * key computed above, and continuing until the loop counter reaches 19 gives us the correct |
782 | | * result. |
783 | | */ |
784 | 63 | for (i=0; i<20; i++) { |
785 | 60 | memcpy(Arc4Source, Buffer, 32); |
786 | 60 | code = pdfi_open_memory_stream_from_memory(ctx, 32, (byte *)Arc4Source, &stream, true); |
787 | 60 | if (code < 0) |
788 | 0 | goto error; |
789 | 700 | for(j=0;j< KeyLenBytes;j++){ |
790 | 640 | EKey->data[j] = Key[j] ^ i; |
791 | 640 | } |
792 | 60 | code = pdfi_apply_Arc4_filter(ctx, EKey, stream, &arc4_stream); |
793 | 60 | sfread(Buffer, 1, 32, arc4_stream->s); |
794 | 60 | pdfi_close_file(ctx, arc4_stream); |
795 | 60 | pdfi_close_memory_stream(ctx, NULL, stream); |
796 | 60 | } |
797 | | |
798 | 3 | } else { |
799 | | /* Algorithm 3.3, step 4. For revision 2 always use 5 bytes of the final hash as an RC4 key */ |
800 | 2 | code = pdfi_object_alloc(ctx, PDF_STRING, 5, (pdf_obj **)&EKey); |
801 | 2 | if (code < 0) |
802 | 0 | goto error; |
803 | 2 | pdfi_countup(EKey); |
804 | 2 | memcpy(EKey->data, Key, 5); |
805 | | |
806 | | /* Algorithm 3.7, step 2 (R == 2) Use RC4 with the computed key to decrypt the O entry of the crypt dict */ |
807 | 2 | code = pdfi_open_memory_stream_from_memory(ctx, 32, (byte *)ctx->encryption.O, &stream, true); |
808 | 2 | if (code < 0) |
809 | 0 | goto error; |
810 | | |
811 | 2 | code = pdfi_apply_Arc4_filter(ctx, EKey, stream, &arc4_stream); |
812 | 2 | pdfi_countdown(EKey); |
813 | 2 | EKey = NULL; |
814 | | |
815 | 2 | sfread(Buffer, 1, 32, arc4_stream->s); |
816 | | |
817 | 2 | pdfi_close_file(ctx, arc4_stream); |
818 | 2 | pdfi_close_memory_stream(ctx, NULL, stream); |
819 | 2 | } |
820 | | |
821 | | /* Algorithm 3.7, step 3, the result of step 2 purports to be the user password, check it */ |
822 | 5 | code = check_user_password_preR5(ctx, Buffer, 32, KeyLen, R); |
823 | | |
824 | 5 | error: |
825 | 5 | pdfi_countdown(EKey); |
826 | 5 | return code; |
827 | 5 | } |
828 | | |
829 | | /* Compute a decryption key for an 'object'. The decryption key for a string or stream is |
830 | | * calculated by algorithm 3.1. |
831 | | */ |
832 | | int pdfi_compute_objkey(pdf_context *ctx, pdf_obj *obj, pdf_string **Key) |
833 | 5.16k | { |
834 | 5.16k | char *Buffer; |
835 | 5.16k | int idx, ELength, code = 0, md5_length = 0; |
836 | 5.16k | gs_md5_state_t md5; |
837 | 5.16k | int64_t object_num; |
838 | 5.16k | uint32_t generation_num; |
839 | | |
840 | 5.16k | if (ctx->encryption.R < 5) { |
841 | 4.39k | if (obj->object_num == 0) { |
842 | | /* The object is a direct object, use the object number of the container instead */ |
843 | 2.79k | object_num = obj->indirect_num; |
844 | 2.79k | generation_num = obj->indirect_gen; |
845 | 2.79k | } else { |
846 | 1.60k | object_num = obj->object_num; |
847 | 1.60k | generation_num = obj->generation_num; |
848 | 1.60k | } |
849 | | |
850 | | /* Step 1, obtain the object and generation numbers (see arguments). If the string is |
851 | | * a direct object, use the identifier of the indirect object containing it. |
852 | | * Buffer length is a maximum of the Encryption key + 3 bytes from the object number |
853 | | * + 2 bytes from the generation number and (for AES filters) 4 bytes of sALT. |
854 | | * But... We must make sure the buffer is large enough for the 128 bits of an MD5 hash. |
855 | | */ |
856 | 4.39k | md5_length = ctx->encryption.EKey->length + 9; |
857 | 4.39k | if (md5_length < 16) |
858 | 983 | md5_length = 16; |
859 | | |
860 | 4.39k | Buffer = (char *)gs_alloc_bytes(ctx->memory, md5_length, ""); |
861 | 4.39k | if (Buffer == NULL) |
862 | 0 | return gs_note_error(gs_error_VMerror); |
863 | | |
864 | | /* Step 2, Treating the object number and generation number as binary integers, extend |
865 | | * the original n-byte encryption key (calculated in pdfi_read_Encryption) to n+5 bytes |
866 | | * by appending the low order 3 bytes of the object number and the low order 2 bytes of |
867 | | * the generation number in that order, low-order byte first. (n is 5 unless the value |
868 | | * of V in the encryption dictionary is greater than 1 in which case n is the value of |
869 | | * Length divided by 8). Because we store the encryption key is as a PDF string object, |
870 | | * we can just use the length of the string data, we calculated the length as part of |
871 | | * creating the key. |
872 | | */ |
873 | 4.39k | memcpy(Buffer, ctx->encryption.EKey->data, ctx->encryption.EKey->length); |
874 | 4.39k | idx = ctx->encryption.EKey->length; |
875 | 4.39k | Buffer[idx] = object_num & 0xff; |
876 | 4.39k | Buffer[++idx] = (object_num & 0xff00) >> 8; |
877 | 4.39k | Buffer[++idx] = (object_num & 0xff0000) >> 16; |
878 | 4.39k | Buffer[++idx] = generation_num & 0xff; |
879 | 4.39k | Buffer[++idx] = (generation_num & 0xff00) >> 8; |
880 | | |
881 | 4.39k | md5_length = ctx->encryption.EKey->length + 5; |
882 | | |
883 | | /* If using the AES algorithm, extend the encryption key an additional 4 bytes |
884 | | * by adding the value "sAlT" which corresponds to the hexadecimal 0x73416c54 |
885 | | * (This addition is done for backward compatibility and is not intended to |
886 | | * provide addtional security). |
887 | | */ |
888 | 4.39k | if (ctx->encryption.StmF == CRYPT_AESV2 || ctx->encryption.StmF == CRYPT_AESV3){ |
889 | 3.41k | memcpy(&Buffer[++idx], sAlTString, 4); |
890 | 3.41k | md5_length += 4; |
891 | 3.41k | } |
892 | | |
893 | | /* Step 3 |
894 | | * Initialise the MD5 function and pass the result of step 2 as input to this function |
895 | | */ |
896 | 4.39k | gs_md5_init(&md5); |
897 | 4.39k | gs_md5_append(&md5, (gs_md5_byte_t *)Buffer, md5_length); |
898 | 4.39k | gs_md5_finish(&md5, (gs_md5_byte_t *)Buffer); |
899 | | |
900 | | /* Step 4 |
901 | | * Use the first n+5 bytes, up to a maximum of 16, of the output from the MD5 |
902 | | * hash as the key for the RC4 or AES symmetric key algorithms, along with the |
903 | | * string or stream data to be encrypted. |
904 | | */ |
905 | 4.39k | ELength = ctx->encryption.EKey->length + 5; |
906 | 4.39k | if (ELength > 16) |
907 | 3.41k | ELength = 16; |
908 | | |
909 | 4.39k | code = pdfi_object_alloc(ctx, PDF_STRING, (uint64_t)ELength, (pdf_obj **)Key); |
910 | 4.39k | if (code >= 0) |
911 | 4.39k | memcpy((*Key)->data, Buffer, ELength); |
912 | | /* pdfi_object_alloc() creates objects with a refrence count of 0 */ |
913 | 4.39k | pdfi_countup(*Key); |
914 | | |
915 | 4.39k | gs_free_object(ctx->memory, Buffer, ""); |
916 | 4.39k | } else { |
917 | | /* Revision 5 & 6 don't use the object number and generation, just return the pre-calculated key */ |
918 | 767 | *Key = ctx->encryption.EKey; |
919 | 767 | pdfi_countup(*Key); |
920 | 767 | } |
921 | 5.16k | return code; |
922 | 5.16k | } |
923 | | |
924 | | int pdfi_decrypt_string(pdf_context *ctx, pdf_string *string) |
925 | 3.42k | { |
926 | 3.42k | int code = 0; |
927 | 3.42k | pdf_c_stream *stream = NULL, *crypt_stream = NULL; |
928 | 3.42k | pdf_string *EKey = NULL; |
929 | 3.42k | char *Buffer = NULL; |
930 | | |
931 | 3.42k | if (ctx->encryption.StrF == CRYPT_IDENTITY) |
932 | 0 | return 0; |
933 | | |
934 | 3.42k | if (!is_compressed_object(ctx, string->indirect_num, string->indirect_gen)) { |
935 | 3.42k | Buffer = (char *)gs_alloc_bytes(ctx->memory, string->length, "pdfi_decrypt_string"); |
936 | 3.42k | if (Buffer == NULL) |
937 | 0 | return_error(gs_error_VMerror); |
938 | | |
939 | 3.42k | code = pdfi_compute_objkey(ctx, (pdf_obj *)string, &EKey); |
940 | 3.42k | if (code < 0) |
941 | 0 | goto error; |
942 | | |
943 | 3.42k | code = pdfi_open_memory_stream_from_memory(ctx, string->length, (byte *)string->data, &stream, true); |
944 | 3.42k | if (code < 0) |
945 | 0 | goto error; |
946 | | |
947 | 3.42k | switch(ctx->encryption.StrF) { |
948 | | /* There are only two possible filters, RC4 or AES, we take care |
949 | | * of the number of bits in the key by using ctx->Length. |
950 | | */ |
951 | 0 | case CRYPT_IDENTITY: |
952 | 0 | pdfi_close_memory_stream(ctx, NULL, stream); |
953 | 0 | code = 0; |
954 | 0 | goto error; |
955 | 0 | break; |
956 | 629 | case CRYPT_V1: |
957 | 629 | case CRYPT_V2: |
958 | 629 | code = pdfi_apply_Arc4_filter(ctx, EKey, stream, &crypt_stream); |
959 | 629 | break; |
960 | 2.16k | case CRYPT_AESV2: |
961 | 2.79k | case CRYPT_AESV3: |
962 | 2.79k | code = pdfi_apply_AES_filter(ctx, EKey, 1, stream, &crypt_stream); |
963 | 2.79k | break; |
964 | 0 | default: |
965 | 0 | code = gs_error_rangecheck; |
966 | 3.42k | } |
967 | 3.42k | if (code < 0) { |
968 | 0 | pdfi_close_memory_stream(ctx, NULL, stream); |
969 | 0 | goto error; |
970 | 0 | } |
971 | | |
972 | 3.42k | sfread(Buffer, 1, string->length, crypt_stream->s); |
973 | | |
974 | 3.42k | pdfi_close_file(ctx, crypt_stream); |
975 | 3.42k | pdfi_close_memory_stream(ctx, NULL, stream); |
976 | | |
977 | 3.42k | memcpy(string->data, Buffer, string->length); |
978 | 3.42k | } |
979 | | |
980 | 3.42k | error: |
981 | 3.42k | gs_free_object(ctx->memory, Buffer, "pdfi_decrypt_string"); |
982 | 3.42k | pdfi_countdown(EKey); |
983 | 3.42k | return code; |
984 | 3.42k | } |
985 | | |
986 | | /* Read the Encrypt dictionary entries and store the relevant ones |
987 | | * in the PDF context for easy access. Return < 0 = error, 0 = encrypted |
988 | | * and read the encryption details, 1 = not encrypted. |
989 | | */ |
990 | | static int pdfi_read_Encrypt_dict(pdf_context *ctx, int *KeyLen) |
991 | 238 | { |
992 | 238 | int code = 0; |
993 | 238 | pdf_dict *CF_dict = NULL, *StdCF_dict = NULL; |
994 | 238 | pdf_dict *d = NULL, *d1 = NULL; |
995 | 238 | pdf_obj *o = NULL; |
996 | 238 | bool b; |
997 | 238 | pdf_string *s = NULL; |
998 | 238 | int64_t i64; |
999 | 238 | double f; |
1000 | | |
1001 | 238 | if (ctx->args.pdfdebug) |
1002 | 238 | dmprintf(ctx->memory, "%% Checking for Encrypt dictionary\n"); |
1003 | | |
1004 | | /* See comment in pdfi_read_Root() for details of why we indirect through 'd' */ |
1005 | 238 | d1 = ctx->Trailer; |
1006 | 238 | pdfi_countup(d1); |
1007 | 238 | code = pdfi_dict_get(ctx, d1, "Encrypt", (pdf_obj **)&d); |
1008 | 238 | pdfi_countdown(d1); |
1009 | 238 | d1 = NULL; |
1010 | | |
1011 | | /* Undefined is acceptable here, it just means the PDF file is not ostensibly encrypted */ |
1012 | | /* NB pdfi_process_pdf_file() always checks for the Encrypt dictionary before we |
1013 | | * get here, so there shouldn't be a problem..... |
1014 | | */ |
1015 | 238 | if (code == gs_error_undefined) |
1016 | 0 | return 1; |
1017 | 238 | else |
1018 | 238 | if (code < 0) |
1019 | 0 | goto done; |
1020 | | |
1021 | 238 | code = pdfi_dict_get_type(ctx, d, "Filter", PDF_NAME, &o); |
1022 | 238 | if (code < 0) |
1023 | 1 | goto done; |
1024 | | |
1025 | 237 | if (!pdfi_name_is((pdf_name *)o, "Standard")) { |
1026 | 0 | char *Str = NULL; |
1027 | |
|
1028 | 0 | Str = (char *)gs_alloc_bytes(ctx->memory, ((pdf_name *)o)->length + 1, "temp string for warning"); |
1029 | 0 | if (Str == NULL) { |
1030 | 0 | code = gs_note_error(gs_error_VMerror); |
1031 | 0 | goto done; |
1032 | 0 | } |
1033 | 0 | memset(Str, 0x00, ((pdf_name *)o)->length + 1); |
1034 | 0 | memcpy(Str, ((pdf_name *)o)->data, ((pdf_name *)o)->length); |
1035 | 0 | emprintf1(ctx->memory, "\n **** Warning: This file uses an unknown security handler %s\n", Str); |
1036 | 0 | gs_free_object(ctx->memory, Str, "temp string for warning"); |
1037 | 0 | code = gs_note_error(gs_error_typecheck); |
1038 | 0 | goto done; |
1039 | 0 | } |
1040 | 237 | pdfi_countdown(o); |
1041 | 237 | o = NULL; |
1042 | | |
1043 | 237 | *KeyLen = 0; |
1044 | 237 | ctx->encryption.V = -1; |
1045 | | |
1046 | 237 | code = pdfi_dict_get_int(ctx, d, "R", &i64); |
1047 | 237 | if (code < 0) |
1048 | 0 | goto done; |
1049 | 237 | ctx->encryption.R = (int)i64; |
1050 | | |
1051 | | /* V is required for PDF 2.0 but only strongly recommended for earlier versions */ |
1052 | 237 | code = pdfi_dict_known(ctx, d, "V", &b); |
1053 | 237 | if (code < 0) |
1054 | 0 | goto done; |
1055 | | |
1056 | 237 | if (b) { |
1057 | 237 | code = pdfi_dict_get_int(ctx, d, "V", &i64); |
1058 | 237 | if (code < 0) |
1059 | 0 | goto done; |
1060 | | |
1061 | 237 | if (i64 < 1 || i64 > 5) { |
1062 | 0 | code = gs_error_rangecheck; |
1063 | 0 | goto done; |
1064 | 0 | } |
1065 | | |
1066 | 237 | ctx->encryption.V = (int)i64; |
1067 | | |
1068 | 237 | if (ctx->encryption.V == 2 || ctx->encryption.V == 3) { |
1069 | 0 | code = pdfi_dict_knownget_number(ctx, d, "Length", &f); |
1070 | 0 | if (code < 0) |
1071 | 0 | goto done; |
1072 | | |
1073 | 0 | if (code > 0) |
1074 | 0 | *KeyLen = (int)f; |
1075 | 0 | } |
1076 | 237 | } |
1077 | | |
1078 | 237 | code = pdfi_dict_get_int(ctx, d, "P", &i64); |
1079 | 237 | if (code < 0) |
1080 | 0 | goto done; |
1081 | 237 | ctx->encryption.P = (int)i64; |
1082 | | |
1083 | 237 | code = pdfi_dict_get_type(ctx, d, "O", PDF_STRING, (pdf_obj **)&s); |
1084 | 237 | if (code < 0) |
1085 | 0 | goto done; |
1086 | | |
1087 | 237 | if (ctx->encryption.R < 5) { |
1088 | 125 | if (s->length < 32) { |
1089 | 2 | code = gs_note_error(gs_error_rangecheck); |
1090 | 2 | goto done; |
1091 | 2 | } |
1092 | 123 | memcpy(ctx->encryption.O, s->data, 32); |
1093 | 123 | } else { |
1094 | 112 | if (s->length < 48) { |
1095 | 1 | code = gs_note_error(gs_error_rangecheck); |
1096 | 1 | goto done; |
1097 | 1 | } |
1098 | 111 | memcpy(ctx->encryption.O, s->data, 48); |
1099 | 111 | } |
1100 | 234 | pdfi_countdown(s); |
1101 | 234 | s = NULL; |
1102 | | |
1103 | 234 | code = pdfi_dict_get_type(ctx, d, "U", PDF_STRING, (pdf_obj **)&s); |
1104 | 234 | if (code < 0) |
1105 | 0 | goto done; |
1106 | | |
1107 | 234 | if (ctx->encryption.R < 5) { |
1108 | 123 | if (s->length < 32) { |
1109 | 1 | code = gs_note_error(gs_error_rangecheck); |
1110 | 1 | goto done; |
1111 | 1 | } |
1112 | 122 | memcpy(ctx->encryption.U, s->data, 32); |
1113 | 122 | } else { |
1114 | 111 | if (s->length < 48) { |
1115 | 0 | code = gs_note_error(gs_error_rangecheck); |
1116 | 0 | goto done; |
1117 | 0 | } |
1118 | 111 | memcpy(ctx->encryption.U, s->data, 48); |
1119 | 111 | } |
1120 | 233 | pdfi_countdown(s); |
1121 | 233 | s = NULL; |
1122 | | |
1123 | 233 | code = pdfi_dict_knownget_bool(ctx, d, "EncryptMetadata", &b); |
1124 | 233 | if (code < 0) |
1125 | 0 | goto done; |
1126 | 233 | if (code > 0) { |
1127 | 18 | ctx->encryption.EncryptMetadata = b; |
1128 | 18 | code = 0; |
1129 | 18 | } |
1130 | 215 | else |
1131 | 215 | ctx->encryption.EncryptMetadata = true; |
1132 | | |
1133 | 233 | if (ctx->encryption.R > 3) { |
1134 | | /* Check the Encrypt dictionary has default values for Stmf and StrF |
1135 | | * and that they have the names /StdCF. We don't support anything else. |
1136 | | */ |
1137 | 190 | code = pdfi_dict_get_type(ctx, d, "StmF", PDF_NAME, &o); |
1138 | 190 | if (code < 0) |
1139 | 2 | goto done; |
1140 | 188 | if (!pdfi_name_is((pdf_name *)o, "StdCF")) { |
1141 | 0 | if (pdfi_name_is((pdf_name *)o, "Identity")) { |
1142 | 0 | ctx->encryption.StmF = CRYPT_IDENTITY; |
1143 | 0 | } else { |
1144 | 0 | code = gs_note_error(gs_error_undefined); |
1145 | 0 | goto done; |
1146 | 0 | } |
1147 | 0 | } |
1148 | 188 | pdfi_countdown(o); |
1149 | 188 | o = NULL; |
1150 | | |
1151 | 188 | code = pdfi_dict_knownget_type(ctx, d, "StrF", PDF_NAME, &o); |
1152 | 188 | if (code < 0) |
1153 | 0 | goto done; |
1154 | 188 | if (code == 0) { |
1155 | 3 | code = gs_note_error(gs_error_undefined); |
1156 | 3 | goto done; |
1157 | 3 | } |
1158 | 185 | if (!pdfi_name_is((pdf_name *)o, "StdCF")) { |
1159 | 1 | if (pdfi_name_is((pdf_name *)o, "Identity")) { |
1160 | 1 | ctx->encryption.StrF = CRYPT_IDENTITY; |
1161 | 1 | } else { |
1162 | 0 | code = gs_note_error(gs_error_undefined); |
1163 | 0 | goto done; |
1164 | 0 | } |
1165 | 1 | } |
1166 | 185 | pdfi_countdown(o); |
1167 | 185 | o = NULL; |
1168 | | |
1169 | | /* Validated StmF and StrF, now check the Encrypt dictionary for the definition of |
1170 | | * the Crypt Filter dictionary and ensure it has a /StdCF dictionary. |
1171 | | */ |
1172 | 185 | code = pdfi_dict_get_type(ctx, d, "CF", PDF_DICT, (pdf_obj **)&CF_dict); |
1173 | 185 | if (code < 0) |
1174 | 0 | goto done; |
1175 | | |
1176 | 185 | code = pdfi_dict_get_type(ctx, CF_dict, "StdCF", PDF_DICT, (pdf_obj **)&StdCF_dict); |
1177 | 185 | if (code < 0) |
1178 | 2 | goto done; |
1179 | | |
1180 | 183 | code = pdfi_dict_get_type(ctx, StdCF_dict, "CFM", PDF_NAME, &o); |
1181 | 183 | if (code < 0) |
1182 | 0 | goto done; |
1183 | | |
1184 | 183 | if (pdfi_name_is((pdf_name *)o, "V2")) { |
1185 | 0 | if (ctx->encryption.StmF == CRYPT_NONE) |
1186 | 0 | ctx->encryption.StmF = CRYPT_V2; |
1187 | 0 | if (ctx->encryption.StrF == CRYPT_NONE) |
1188 | 0 | ctx->encryption.StrF = CRYPT_V2; |
1189 | 183 | } else { |
1190 | 183 | if (pdfi_name_is((pdf_name *)o, "AESV2")) { |
1191 | 76 | if (ctx->encryption.StmF == CRYPT_NONE) |
1192 | 76 | ctx->encryption.StmF = CRYPT_AESV2; |
1193 | 76 | if (ctx->encryption.StrF == CRYPT_NONE) |
1194 | 75 | ctx->encryption.StrF = CRYPT_AESV2; |
1195 | 107 | } else { |
1196 | 107 | if (pdfi_name_is((pdf_name *)o, "AESV3")) { |
1197 | 107 | if (ctx->encryption.StmF == CRYPT_NONE) |
1198 | 107 | ctx->encryption.StmF = CRYPT_AESV3; |
1199 | 107 | if (ctx->encryption.StrF == CRYPT_NONE) |
1200 | 107 | ctx->encryption.StrF = CRYPT_AESV3; |
1201 | 107 | } else { |
1202 | 0 | emprintf(ctx->memory, "\n **** Error: Unknown default encryption method in crypt filter.\n"); |
1203 | 0 | code = gs_error_rangecheck; |
1204 | 0 | goto done; |
1205 | 0 | } |
1206 | 107 | } |
1207 | 183 | } |
1208 | 183 | pdfi_countdown(o); |
1209 | 183 | o = NULL; |
1210 | | |
1211 | 183 | if (ctx->encryption.R > 4) { |
1212 | 107 | code = pdfi_dict_get_type(ctx, d, "OE", PDF_STRING, (pdf_obj **)&s); |
1213 | 107 | if (code < 0) |
1214 | 0 | goto done; |
1215 | | |
1216 | 107 | if (s->length != 32) { |
1217 | 2 | code = gs_note_error(gs_error_rangecheck); |
1218 | 2 | goto done; |
1219 | 2 | } |
1220 | 105 | memcpy(ctx->encryption.OE, s->data, 32); |
1221 | 105 | pdfi_countdown(s); |
1222 | 105 | s = NULL; |
1223 | | |
1224 | 105 | code = pdfi_dict_get_type(ctx, d, "UE", PDF_STRING, (pdf_obj **)&s); |
1225 | 105 | if (code < 0) |
1226 | 0 | goto done; |
1227 | | |
1228 | 105 | if (s->length != 32) { |
1229 | 0 | code = gs_note_error(gs_error_rangecheck); |
1230 | 0 | goto done; |
1231 | 0 | } |
1232 | 105 | memcpy(ctx->encryption.UE, s->data, 32); |
1233 | 105 | pdfi_countdown(s); |
1234 | 105 | s = NULL; |
1235 | 105 | } |
1236 | 183 | } |
1237 | | |
1238 | 238 | done: |
1239 | 238 | pdfi_countdown(StdCF_dict); |
1240 | 238 | pdfi_countdown(CF_dict); |
1241 | 238 | pdfi_countdown(s); |
1242 | 238 | pdfi_countdown(o); |
1243 | 238 | pdfi_countdown(d); |
1244 | 238 | return code; |
1245 | 233 | } |
1246 | | |
1247 | | static int check_password_preR5(pdf_context *ctx, char *Password, int PasswordLen, int KeyLen, int Revision) |
1248 | 119 | { |
1249 | 119 | int code; |
1250 | | |
1251 | 119 | if (PasswordLen != 0) { |
1252 | 0 | code = check_user_password_preR5(ctx, Password, PasswordLen, KeyLen, Revision); |
1253 | 0 | if (code >= 0) |
1254 | 0 | return 0; |
1255 | | |
1256 | 0 | code = check_owner_password_preR5(ctx, Password, PasswordLen, KeyLen, Revision); |
1257 | 0 | if (code >= 0) |
1258 | 0 | return 0; |
1259 | 0 | } |
1260 | 119 | code = check_user_password_preR5(ctx, (char *)"", 0, KeyLen, Revision); |
1261 | 119 | if (code >= 0) |
1262 | 114 | return 0; |
1263 | | |
1264 | 5 | return check_owner_password_preR5(ctx, (char *)"", 0, KeyLen, Revision); |
1265 | 119 | } |
1266 | | |
1267 | | static int check_password_R5(pdf_context *ctx, char *Password, int PasswordLen, int KeyLen) |
1268 | 0 | { |
1269 | 0 | int code; |
1270 | |
|
1271 | 0 | if (PasswordLen != 0) { |
1272 | 0 | pdf_string *P = NULL, *P_UTF8 = NULL; |
1273 | |
|
1274 | 0 | code = check_user_password_R5(ctx, Password, PasswordLen, KeyLen); |
1275 | 0 | if (code >= 0) |
1276 | 0 | return 0; |
1277 | | |
1278 | 0 | code = check_owner_password_R5(ctx, Password, PasswordLen, KeyLen); |
1279 | 0 | if (code >= 0) |
1280 | 0 | return 0; |
1281 | | |
1282 | | /* If the supplied Password fails as the user *and* owner password, maybe its in |
1283 | | * the locale, not UTF-8, try converting to UTF-8 |
1284 | | */ |
1285 | 0 | code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P); |
1286 | 0 | if (code < 0) |
1287 | 0 | return code; |
1288 | 0 | memcpy(P->data, Password, PasswordLen); |
1289 | 0 | pdfi_countup(P); |
1290 | 0 | code = locale_to_utf8(ctx, P, &P_UTF8); |
1291 | 0 | if (code < 0) { |
1292 | 0 | pdfi_countdown(P); |
1293 | 0 | return code; |
1294 | 0 | } |
1295 | 0 | code = check_user_password_R5(ctx, (char *)P_UTF8->data, P_UTF8->length, KeyLen); |
1296 | 0 | if (code >= 0) { |
1297 | 0 | pdfi_countdown(P); |
1298 | 0 | pdfi_countdown(P_UTF8); |
1299 | 0 | return code; |
1300 | 0 | } |
1301 | | |
1302 | 0 | code = check_owner_password_R5(ctx, (char *)P_UTF8->data, P_UTF8->length, KeyLen); |
1303 | 0 | pdfi_countdown(P); |
1304 | 0 | pdfi_countdown(P_UTF8); |
1305 | 0 | if (code >= 0) |
1306 | 0 | return code; |
1307 | 0 | } |
1308 | 0 | code = check_user_password_R5(ctx, (char *)"", 0, KeyLen); |
1309 | 0 | if (code >= 0) |
1310 | 0 | return 0; |
1311 | | |
1312 | 0 | return check_owner_password_R5(ctx, (char *)"", 0, KeyLen); |
1313 | 0 | } |
1314 | | |
1315 | | static int check_password_R6(pdf_context *ctx, char *Password, int PasswordLen, int KeyLen) |
1316 | 105 | { |
1317 | 105 | int code; |
1318 | | |
1319 | 105 | if (PasswordLen != 0) { |
1320 | 0 | pdf_string *P = NULL, *P_UTF8 = NULL; |
1321 | |
|
1322 | 0 | code = check_user_password_R6(ctx, Password, PasswordLen, KeyLen); |
1323 | 0 | if (code >= 0) |
1324 | 0 | return 0; |
1325 | | |
1326 | 0 | code = check_owner_password_R6(ctx, Password, PasswordLen, KeyLen); |
1327 | 0 | if (code >= 0) |
1328 | 0 | return 0; |
1329 | | /* If the supplied Password fails as the user *and* owner password, maybe its in |
1330 | | * the locale, not UTF-8, try converting to UTF-8 |
1331 | | */ |
1332 | 0 | code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P); |
1333 | 0 | if (code < 0) |
1334 | 0 | return code; |
1335 | 0 | memcpy(P->data, Password, PasswordLen); |
1336 | 0 | pdfi_countup(P); |
1337 | 0 | code = locale_to_utf8(ctx, P, &P_UTF8); |
1338 | 0 | if (code < 0) { |
1339 | 0 | pdfi_countdown(P); |
1340 | 0 | return code; |
1341 | 0 | } |
1342 | 0 | code = check_user_password_R5(ctx, (char *)P_UTF8->data, P_UTF8->length, KeyLen); |
1343 | 0 | if (code >= 0) { |
1344 | 0 | pdfi_countdown(P); |
1345 | 0 | pdfi_countdown(P_UTF8); |
1346 | 0 | return code; |
1347 | 0 | } |
1348 | | |
1349 | 0 | code = check_owner_password_R5(ctx, (char *)P_UTF8->data, P_UTF8->length, KeyLen); |
1350 | 0 | pdfi_countdown(P); |
1351 | 0 | pdfi_countdown(P_UTF8); |
1352 | 0 | if (code >= 0) |
1353 | 0 | return code; |
1354 | 0 | } |
1355 | 105 | code = check_user_password_R6(ctx, (char *)"", 0, KeyLen); |
1356 | 105 | if (code >= 0) |
1357 | 41 | return 0; |
1358 | | |
1359 | 64 | return check_owner_password_R6(ctx, (char *)"", 0, KeyLen); |
1360 | 105 | } |
1361 | | |
1362 | | /* Read the Encrypt dictionary entries and store the relevant ones |
1363 | | * in the PDF context for easy access. Check whether the file is |
1364 | | * readable without a password and if not, check to see if we've been |
1365 | | * supplied a password. If we have try the password as the user password |
1366 | | * and if that fails as the owner password. Store the calculated decryption key |
1367 | | * for later use decrypting objects. |
1368 | | */ |
1369 | | int pdfi_initialise_Decryption(pdf_context *ctx) |
1370 | 238 | { |
1371 | 238 | int code = 0, KeyLen = 0; |
1372 | | |
1373 | 238 | code = pdfi_read_Encrypt_dict(ctx, &KeyLen); |
1374 | 238 | if (code > 0) |
1375 | 0 | return 0; |
1376 | 238 | if (code < 0) |
1377 | 14 | return code; |
1378 | | |
1379 | 224 | switch(ctx->encryption.R) { |
1380 | 42 | case 2: |
1381 | | /* Set up the defaults if not already set */ |
1382 | | /* R of 2 means V < 2 which is either algorithm 3.1 with a 40-bit key |
1383 | | * or an undocumented and unsupported algorithm. |
1384 | | */ |
1385 | 42 | if (ctx->encryption.V >= 0) { |
1386 | 42 | if (ctx->encryption.V == 0) { |
1387 | 0 | code = gs_note_error(gs_error_undefined); |
1388 | 0 | goto done; |
1389 | 0 | } |
1390 | 42 | } |
1391 | | /* Revision 2 is always 40-bit RC4 */ |
1392 | 42 | if (KeyLen != 0 && KeyLen != 40) |
1393 | 0 | pdfi_set_error(ctx, 0, NULL, E_PDF_INVALID_DECRYPT_LEN, "pdfi_initialise_Decryption", NULL); |
1394 | 42 | KeyLen = 40; |
1395 | 42 | if (ctx->encryption.StmF == CRYPT_NONE) |
1396 | 42 | ctx->encryption.StmF = CRYPT_V1; |
1397 | 42 | if (ctx->encryption.StrF == CRYPT_NONE) |
1398 | 42 | ctx->encryption.StrF = CRYPT_V1; |
1399 | 42 | code = check_password_preR5(ctx, ctx->encryption.Password, ctx->encryption.PasswordLen, KeyLen, 2); |
1400 | 42 | break; |
1401 | 1 | case 3: |
1402 | | /* Set up the defaults if not already set */ |
1403 | 1 | if (ctx->encryption.V >= 0) { |
1404 | 1 | if (ctx->encryption.V == 3) { |
1405 | 0 | code = gs_note_error(gs_error_undefined); |
1406 | 0 | goto done; |
1407 | 0 | } |
1408 | 1 | } |
1409 | | /* Revision 3 *may* be more than 40 bits of RC4 */ |
1410 | 1 | if (KeyLen != 0 && (KeyLen < 40 || KeyLen > 128 || KeyLen % 8 != 0)) { |
1411 | 0 | pdfi_set_warning(ctx, 0, NULL, W_PDF_INVALID_DECRYPT_LEN, "pdfi_initialise_Decryption", NULL); |
1412 | 0 | KeyLen = 128; |
1413 | 0 | } |
1414 | 1 | if (ctx->encryption.StmF == CRYPT_NONE) |
1415 | 1 | ctx->encryption.StmF = CRYPT_V2; |
1416 | 1 | if (ctx->encryption.StrF == CRYPT_NONE) |
1417 | 1 | ctx->encryption.StrF = CRYPT_V2; |
1418 | 1 | code = check_password_preR5(ctx, ctx->encryption.Password, ctx->encryption.PasswordLen, KeyLen, 3); |
1419 | 1 | break; |
1420 | 76 | case 4: |
1421 | 76 | if (ctx->encryption.StrF != CRYPT_IDENTITY || ctx->encryption.StmF != CRYPT_IDENTITY) { |
1422 | | /* Revision 4 is either AES or RC4, but its always 128-bits */ |
1423 | 76 | if (KeyLen != 0) |
1424 | 0 | pdfi_set_warning(ctx, 0, NULL, W_PDF_INVALID_DECRYPT_LEN, "pdfi_initialise_Decryption", NULL); |
1425 | 76 | KeyLen = 128; |
1426 | | /* We can't set the encryption filter, so we have to hope the PDF file did */ |
1427 | 76 | code = check_password_preR5(ctx, ctx->encryption.Password, ctx->encryption.PasswordLen, KeyLen, 4); |
1428 | 76 | } |
1429 | 76 | break; |
1430 | 0 | case 5: |
1431 | | /* Set up the defaults if not already set */ |
1432 | 0 | if (KeyLen != 0) |
1433 | 0 | pdfi_set_warning(ctx, 0, NULL, W_PDF_INVALID_DECRYPT_LEN, "pdfi_initialise_Decryption", NULL); |
1434 | 0 | KeyLen = 256; |
1435 | 0 | if (ctx->encryption.StmF == CRYPT_NONE) |
1436 | 0 | ctx->encryption.StmF = CRYPT_AESV2; |
1437 | 0 | if (ctx->encryption.StrF == CRYPT_NONE) |
1438 | 0 | ctx->encryption.StrF = CRYPT_AESV2; |
1439 | 0 | code = check_password_R5(ctx, ctx->encryption.Password, ctx->encryption.PasswordLen, KeyLen); |
1440 | 0 | break; |
1441 | 105 | case 6: |
1442 | | /* Set up the defaults if not already set */ |
1443 | | /* Revision 6 is always 256-bit AES */ |
1444 | 105 | if (KeyLen != 0) |
1445 | 0 | pdfi_set_warning(ctx, 0, NULL, W_PDF_INVALID_DECRYPT_LEN, "pdfi_initialise_Decryption", NULL); |
1446 | 105 | KeyLen = 256; |
1447 | 105 | if (ctx->encryption.StmF == CRYPT_NONE) |
1448 | 0 | ctx->encryption.StmF = CRYPT_AESV3; |
1449 | 105 | if (ctx->encryption.StrF == CRYPT_NONE) |
1450 | 0 | ctx->encryption.StrF = CRYPT_AESV3; |
1451 | 105 | code = check_password_R6(ctx, ctx->encryption.Password, ctx->encryption.PasswordLen, KeyLen); |
1452 | 105 | break; |
1453 | 0 | default: |
1454 | 0 | emprintf1(ctx->memory, "\n **** Warning: This file uses an unknown standard security handler revision: %d\n", ctx->encryption.R); |
1455 | 0 | code = gs_error_rangecheck; |
1456 | 0 | goto done; |
1457 | 224 | } |
1458 | 224 | if (code < 0) { |
1459 | 27 | if(ctx->encryption.Password) { |
1460 | 0 | emprintf(ctx->memory, "\n **** Error: Password did not work.\n"); |
1461 | 0 | emprintf(ctx->memory, " Cannot decrypt PDF file.\n"); |
1462 | 0 | } else |
1463 | 27 | emprintf(ctx->memory, "\n **** This file requires a password for access.\n"); |
1464 | 27 | } else |
1465 | 197 | ctx->encryption.is_encrypted = true; |
1466 | | |
1467 | 224 | done: |
1468 | 224 | return code; |
1469 | 224 | } |