/src/mupdf/source/pdf/pdf-crypt.c
Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright (C) 2004-2021 Artifex Software, Inc. |
2 | | // |
3 | | // This file is part of MuPDF. |
4 | | // |
5 | | // MuPDF is free software: you can redistribute it and/or modify it under the |
6 | | // terms of the GNU Affero General Public License as published by the Free |
7 | | // Software Foundation, either version 3 of the License, or (at your option) |
8 | | // any later version. |
9 | | // |
10 | | // MuPDF is distributed in the hope that it will be useful, but WITHOUT ANY |
11 | | // WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS |
12 | | // FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more |
13 | | // details. |
14 | | // |
15 | | // You should have received a copy of the GNU Affero General Public License |
16 | | // along with MuPDF. If not, see <https://www.gnu.org/licenses/agpl-3.0.en.html> |
17 | | // |
18 | | // Alternative licensing terms are available from the licensor. |
19 | | // For commercial licensing, see <https://www.artifex.com/> or contact |
20 | | // Artifex Software, Inc., 39 Mesa Street, Suite 108A, San Francisco, |
21 | | // CA 94129, USA, for further information. |
22 | | |
23 | | #include "mupdf/fitz.h" |
24 | | #include "mupdf/pdf.h" |
25 | | |
26 | | #include <string.h> |
27 | | |
28 | | enum |
29 | | { |
30 | | PDF_CRYPT_NONE, |
31 | | PDF_CRYPT_RC4, |
32 | | PDF_CRYPT_AESV2, |
33 | | PDF_CRYPT_AESV3, |
34 | | PDF_CRYPT_UNKNOWN, |
35 | | }; |
36 | | |
37 | | typedef struct |
38 | | { |
39 | | int method; |
40 | | int length; |
41 | | } pdf_crypt_filter; |
42 | | |
43 | | struct pdf_crypt |
44 | | { |
45 | | pdf_obj *id; |
46 | | |
47 | | int v; |
48 | | int length; |
49 | | pdf_obj *cf; |
50 | | pdf_crypt_filter stmf; |
51 | | pdf_crypt_filter strf; |
52 | | |
53 | | int r; |
54 | | unsigned char o[48]; |
55 | | unsigned char u[48]; |
56 | | unsigned char oe[32]; |
57 | | unsigned char ue[32]; |
58 | | unsigned char perms[16]; |
59 | | int p; |
60 | | int encrypt_metadata; |
61 | | |
62 | | unsigned char key[32]; /* decryption key generated from password */ |
63 | | }; |
64 | | |
65 | | static void pdf_parse_crypt_filter(fz_context *ctx, pdf_crypt_filter *cf, pdf_crypt *crypt, pdf_obj *name); |
66 | | |
67 | | pdf_crypt * |
68 | | pdf_new_crypt(fz_context *ctx, pdf_obj *dict, pdf_obj *id) |
69 | 115 | { |
70 | 115 | pdf_crypt *crypt; |
71 | 115 | pdf_obj *obj; |
72 | | |
73 | 115 | crypt = fz_malloc_struct(ctx, pdf_crypt); |
74 | | |
75 | | /* Common to all security handlers (PDF 1.7 table 3.18) */ |
76 | | |
77 | 115 | obj = pdf_dict_get(ctx, dict, PDF_NAME(Filter)); |
78 | 115 | if (!pdf_is_name(ctx, obj)) |
79 | 0 | { |
80 | 0 | pdf_drop_crypt(ctx, crypt); |
81 | 0 | fz_throw(ctx, FZ_ERROR_FORMAT, "unspecified encryption handler"); |
82 | 0 | } |
83 | 115 | if (!pdf_name_eq(ctx, PDF_NAME(Standard), obj)) |
84 | 0 | { |
85 | 0 | pdf_drop_crypt(ctx, crypt); |
86 | 0 | fz_throw(ctx, FZ_ERROR_FORMAT, "unknown encryption handler: '%s'", pdf_to_name(ctx, obj)); |
87 | 0 | } |
88 | | |
89 | 115 | crypt->v = pdf_dict_get_int_default(ctx, dict, PDF_NAME(V), 0); |
90 | 115 | if (crypt->v != 0 && crypt->v != 1 && crypt->v != 2 && crypt->v != 4 && crypt->v != 5) |
91 | 0 | { |
92 | 0 | pdf_drop_crypt(ctx, crypt); |
93 | 0 | fz_throw(ctx, FZ_ERROR_FORMAT, "unknown encryption version"); |
94 | 0 | } |
95 | | |
96 | | /* Standard security handler (PDF 1.7 table 3.19) */ |
97 | | |
98 | 115 | obj = pdf_dict_get(ctx, dict, PDF_NAME(R)); |
99 | 115 | if (pdf_is_int(ctx, obj)) |
100 | 111 | crypt->r = pdf_to_int(ctx, obj); |
101 | 4 | else if (crypt->v <= 4) |
102 | 3 | { |
103 | 3 | fz_warn(ctx, "encryption dictionary missing revision value, guessing..."); |
104 | 3 | if (crypt->v < 2) |
105 | 1 | crypt->r = 2; |
106 | 2 | else if (crypt->v == 2) |
107 | 0 | crypt->r = 3; |
108 | 2 | else if (crypt->v == 4) |
109 | 2 | crypt->r = 4; |
110 | 3 | } |
111 | 1 | else |
112 | 1 | { |
113 | 1 | pdf_drop_crypt(ctx, crypt); |
114 | 1 | fz_throw(ctx, FZ_ERROR_FORMAT, "encryption dictionary missing version and revision value"); |
115 | 1 | } |
116 | 114 | if (crypt->r < 1 || crypt->r > 6) |
117 | 0 | { |
118 | 0 | int r = crypt->r; |
119 | 0 | pdf_drop_crypt(ctx, crypt); |
120 | 0 | fz_throw(ctx, FZ_ERROR_FORMAT, "unknown crypt revision %d", r); |
121 | 0 | } |
122 | | |
123 | 114 | obj = pdf_dict_get(ctx, dict, PDF_NAME(O)); |
124 | 114 | if (pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) == 32) |
125 | 51 | memcpy(crypt->o, pdf_to_str_buf(ctx, obj), 32); |
126 | | /* /O and /U are supposed to be 48 bytes long for revision 5 and 6, they're often longer, though */ |
127 | 63 | else if (crypt->r >= 5 && pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) >= 48) |
128 | 62 | memcpy(crypt->o, pdf_to_str_buf(ctx, obj), 48); |
129 | 1 | else |
130 | 1 | { |
131 | 1 | pdf_drop_crypt(ctx, crypt); |
132 | 1 | fz_throw(ctx, FZ_ERROR_FORMAT, "encryption dictionary missing owner password"); |
133 | 1 | } |
134 | | |
135 | 113 | obj = pdf_dict_get(ctx, dict, PDF_NAME(U)); |
136 | 113 | if (pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) == 32) |
137 | 50 | memcpy(crypt->u, pdf_to_str_buf(ctx, obj), 32); |
138 | | /* /O and /U are supposed to be 48 bytes long for revision 5 and 6, they're often longer, though */ |
139 | 63 | else if (crypt->r >= 5 && pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) >= 48) |
140 | 61 | memcpy(crypt->u, pdf_to_str_buf(ctx, obj), 48); |
141 | 2 | else if (pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) < 32) |
142 | 1 | { |
143 | 1 | fz_warn(ctx, "encryption password key too short (%zu)", pdf_to_str_len(ctx, obj)); |
144 | 1 | memcpy(crypt->u, pdf_to_str_buf(ctx, obj), pdf_to_str_len(ctx, obj)); |
145 | 1 | } |
146 | 1 | else |
147 | 1 | { |
148 | 1 | pdf_drop_crypt(ctx, crypt); |
149 | 1 | fz_throw(ctx, FZ_ERROR_FORMAT, "encryption dictionary missing user password"); |
150 | 1 | } |
151 | | |
152 | 112 | obj = pdf_dict_get(ctx, dict, PDF_NAME(P)); |
153 | 112 | if (pdf_is_int(ctx, obj)) |
154 | 109 | crypt->p = pdf_to_int(ctx, obj); |
155 | 3 | else |
156 | 3 | { |
157 | 3 | fz_warn(ctx, "encryption dictionary missing permissions"); |
158 | 3 | crypt->p = 0xfffffffc; |
159 | 3 | } |
160 | | |
161 | 112 | if (crypt->r == 5 || crypt->r == 6) |
162 | 62 | { |
163 | 62 | obj = pdf_dict_get(ctx, dict, PDF_NAME(OE)); |
164 | 62 | if (!pdf_is_string(ctx, obj) || pdf_to_str_len(ctx, obj) != 32) |
165 | 1 | { |
166 | 1 | pdf_drop_crypt(ctx, crypt); |
167 | 1 | fz_throw(ctx, FZ_ERROR_FORMAT, "encryption dictionary missing owner encryption key"); |
168 | 1 | } |
169 | 61 | memcpy(crypt->oe, pdf_to_str_buf(ctx, obj), 32); |
170 | | |
171 | 61 | obj = pdf_dict_get(ctx, dict, PDF_NAME(UE)); |
172 | 61 | if (!pdf_is_string(ctx, obj) || pdf_to_str_len(ctx, obj) != 32) |
173 | 1 | { |
174 | 1 | pdf_drop_crypt(ctx, crypt); |
175 | 1 | fz_throw(ctx, FZ_ERROR_FORMAT, "encryption dictionary missing user encryption key"); |
176 | 1 | } |
177 | 60 | memcpy(crypt->ue, pdf_to_str_buf(ctx, obj), 32); |
178 | 60 | } |
179 | | |
180 | 110 | crypt->encrypt_metadata = pdf_dict_get_bool_default(ctx, dict, PDF_NAME(EncryptMetadata), 1); |
181 | | |
182 | | /* Extract file identifier string */ |
183 | | |
184 | 110 | if (pdf_is_array(ctx, id) && pdf_array_len(ctx, id) == 2) |
185 | 104 | { |
186 | 104 | obj = pdf_array_get(ctx, id, 0); |
187 | 104 | if (pdf_is_string(ctx, obj)) |
188 | 103 | crypt->id = pdf_keep_obj(ctx, obj); |
189 | 104 | } |
190 | 6 | else |
191 | 6 | fz_warn(ctx, "missing file identifier, may not be able to do decryption"); |
192 | | |
193 | | /* Determine encryption key length */ |
194 | | |
195 | 110 | crypt->length = 40; |
196 | 110 | if (crypt->v == 2 || crypt->v == 4) |
197 | 49 | { |
198 | 49 | crypt->length = pdf_dict_get_int_default(ctx, dict, PDF_NAME(Length), crypt->length); |
199 | | |
200 | | /* work-around for pdf generators that assume length is in bytes */ |
201 | 49 | if (crypt->length < 40) |
202 | 1 | crypt->length = crypt->length * 8; |
203 | | |
204 | 49 | if (crypt->length % 8 != 0) |
205 | 0 | { |
206 | 0 | pdf_drop_crypt(ctx, crypt); |
207 | 0 | fz_throw(ctx, FZ_ERROR_FORMAT, "invalid encryption key length"); |
208 | 0 | } |
209 | 49 | if (crypt->length < 40 || crypt->length > 128) |
210 | 1 | { |
211 | 1 | pdf_drop_crypt(ctx, crypt); |
212 | 1 | fz_throw(ctx, FZ_ERROR_FORMAT, "invalid encryption key length"); |
213 | 1 | } |
214 | 49 | } |
215 | | |
216 | 109 | if (crypt->v == 5) |
217 | 51 | crypt->length = 256; |
218 | | |
219 | 109 | if (crypt->v == 0 || crypt->v == 1 || crypt->v == 2) |
220 | 12 | { |
221 | 12 | crypt->stmf.method = PDF_CRYPT_RC4; |
222 | 12 | crypt->stmf.length = crypt->length; |
223 | | |
224 | 12 | crypt->strf.method = PDF_CRYPT_RC4; |
225 | 12 | crypt->strf.length = crypt->length; |
226 | 12 | } |
227 | | |
228 | 109 | if (crypt->v == 4 || crypt->v == 5) |
229 | 97 | { |
230 | 97 | crypt->stmf.method = PDF_CRYPT_NONE; |
231 | 97 | crypt->stmf.length = crypt->length; |
232 | | |
233 | 97 | crypt->strf.method = PDF_CRYPT_NONE; |
234 | 97 | crypt->strf.length = crypt->length; |
235 | | |
236 | 97 | obj = pdf_dict_get(ctx, dict, PDF_NAME(CF)); |
237 | 97 | if (pdf_is_dict(ctx, obj)) |
238 | 96 | { |
239 | 96 | crypt->cf = pdf_keep_obj(ctx, obj); |
240 | 96 | } |
241 | 1 | else |
242 | 1 | { |
243 | 1 | crypt->cf = NULL; |
244 | 1 | } |
245 | | |
246 | 194 | fz_try(ctx) |
247 | 194 | { |
248 | 97 | obj = pdf_dict_get(ctx, dict, PDF_NAME(StmF)); |
249 | 97 | if (pdf_is_name(ctx, obj)) |
250 | 95 | pdf_parse_crypt_filter(ctx, &crypt->stmf, crypt, obj); |
251 | | |
252 | 97 | obj = pdf_dict_get(ctx, dict, PDF_NAME(StrF)); |
253 | 97 | if (pdf_is_name(ctx, obj)) |
254 | 92 | pdf_parse_crypt_filter(ctx, &crypt->strf, crypt, obj); |
255 | 97 | } |
256 | 194 | fz_catch(ctx) |
257 | 3 | { |
258 | 3 | pdf_drop_crypt(ctx, crypt); |
259 | 3 | fz_rethrow(ctx); |
260 | 3 | } |
261 | | |
262 | | /* in crypt revision 4, the crypt filter determines the key length */ |
263 | 94 | if (crypt->strf.method != PDF_CRYPT_NONE) |
264 | 83 | crypt->length = crypt->stmf.length; |
265 | 94 | } |
266 | | |
267 | 106 | return crypt; |
268 | 109 | } |
269 | | |
270 | | void |
271 | | pdf_drop_crypt(fz_context *ctx, pdf_crypt *crypt) |
272 | 6.64k | { |
273 | 6.64k | if (!crypt) |
274 | 6.53k | return; |
275 | | |
276 | 115 | pdf_drop_obj(ctx, crypt->id); |
277 | 115 | pdf_drop_obj(ctx, crypt->cf); |
278 | 115 | fz_free(ctx, crypt); |
279 | 115 | } |
280 | | |
281 | | /* |
282 | | * Parse a CF dictionary entry (PDF 1.7 table 3.22) |
283 | | */ |
284 | | |
285 | | static void |
286 | | pdf_parse_crypt_filter(fz_context *ctx, pdf_crypt_filter *cf, pdf_crypt *crypt, pdf_obj *name) |
287 | 187 | { |
288 | 187 | pdf_obj *obj; |
289 | 187 | pdf_obj *dict; |
290 | 187 | int is_identity = (pdf_name_eq(ctx, name, PDF_NAME(Identity))); |
291 | 187 | int is_stdcf = (!is_identity && pdf_name_eq(ctx, name, PDF_NAME(StdCF))); |
292 | | |
293 | 187 | if (!is_identity && !is_stdcf) |
294 | 1 | fz_throw(ctx, FZ_ERROR_FORMAT, "Crypt Filter not Identity or StdCF (%d 0 R)", pdf_to_num(ctx, crypt->cf)); |
295 | | |
296 | 186 | cf->method = PDF_CRYPT_NONE; |
297 | 186 | cf->length = crypt->length; |
298 | | |
299 | 186 | if (!crypt->cf) |
300 | 2 | { |
301 | 2 | cf->method = (is_identity ? PDF_CRYPT_NONE : PDF_CRYPT_RC4); |
302 | 2 | return; |
303 | 2 | } |
304 | | |
305 | 184 | dict = pdf_dict_get(ctx, crypt->cf, name); |
306 | 184 | if (pdf_is_dict(ctx, dict)) |
307 | 180 | { |
308 | 180 | obj = pdf_dict_get(ctx, dict, PDF_NAME(CFM)); |
309 | 180 | if (pdf_is_name(ctx, obj)) |
310 | 177 | { |
311 | 177 | if (pdf_name_eq(ctx, PDF_NAME(None), obj)) |
312 | 0 | cf->method = PDF_CRYPT_NONE; |
313 | 177 | else if (pdf_name_eq(ctx, PDF_NAME(V2), obj)) |
314 | 0 | cf->method = PDF_CRYPT_RC4; |
315 | 177 | else if (pdf_name_eq(ctx, PDF_NAME(AESV2), obj)) |
316 | 76 | cf->method = PDF_CRYPT_AESV2; |
317 | 101 | else if (pdf_name_eq(ctx, PDF_NAME(AESV3), obj)) |
318 | 93 | cf->method = PDF_CRYPT_AESV3; |
319 | 8 | else |
320 | 8 | fz_warn(ctx, "unknown encryption method: %s", pdf_to_name(ctx, obj)); |
321 | 177 | } |
322 | | |
323 | 180 | cf->length = pdf_dict_get_int_default(ctx, dict, PDF_NAME(Length), cf->length); |
324 | 180 | } |
325 | 4 | else if (!is_identity) |
326 | 1 | fz_throw(ctx, FZ_ERROR_FORMAT, "cannot parse crypt filter (%d 0 R)", pdf_to_num(ctx, crypt->cf)); |
327 | | |
328 | 183 | if (cf->method != PDF_CRYPT_NONE) |
329 | 169 | { |
330 | 169 | if (crypt->r == 4 && cf->method != PDF_CRYPT_RC4 && cf->method != PDF_CRYPT_AESV2) |
331 | 0 | fz_warn(ctx, "unexpected encryption method for revision 4 crypto: %s", pdf_crypt_method(ctx, crypt)); |
332 | 169 | else if (crypt->r >= 5 && cf->method != PDF_CRYPT_AESV3) |
333 | 0 | { |
334 | 0 | fz_warn(ctx, "illegal encryption method for revision 5/6, assuming AESV3"); |
335 | 0 | cf->method = PDF_CRYPT_AESV3; |
336 | 0 | } |
337 | 169 | } |
338 | | |
339 | | /* the length for crypt filters is supposed to be in bytes not bits */ |
340 | 183 | if (cf->length < 40) |
341 | 163 | cf->length = cf->length * 8; |
342 | | |
343 | 183 | if ((cf->length % 8) != 0) |
344 | 1 | fz_throw(ctx, FZ_ERROR_FORMAT, "invalid key length: %d", cf->length); |
345 | | |
346 | 182 | if ((crypt->r == 1 || crypt->r == 2 || crypt->r == 3 || crypt->r == 4) && |
347 | 182 | (cf->length < 40 || cf->length > 128)) |
348 | 0 | fz_throw(ctx, FZ_ERROR_FORMAT, "invalid key length: %d", cf->length); |
349 | 182 | if ((crypt->r == 5 || crypt->r == 6) && cf->length != 256) |
350 | 2 | { |
351 | 2 | fz_warn(ctx, "illegal key length for revision 5/6, assuming 256 bits"); |
352 | 2 | cf->length = 256; |
353 | 2 | } |
354 | 182 | } |
355 | | |
356 | | /* |
357 | | * Compute an encryption key (PDF 1.7 algorithm 3.2) |
358 | | */ |
359 | | |
360 | | static const unsigned char padding[32] = |
361 | | { |
362 | | 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, |
363 | | 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08, |
364 | | 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80, |
365 | | 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a |
366 | | }; |
367 | | |
368 | | static void |
369 | | pdf_compute_encryption_key(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen, unsigned char *key) |
370 | 132 | { |
371 | 132 | unsigned char buf[32]; |
372 | 132 | unsigned int p; |
373 | 132 | int i, n; |
374 | 132 | fz_md5 md5; |
375 | | |
376 | 132 | n = fz_clampi(crypt->length / 8, 0, 16); |
377 | | |
378 | | /* Step 1 - copy and pad password string */ |
379 | 132 | if (pwlen > 32) |
380 | 0 | pwlen = 32; |
381 | 132 | memcpy(buf, password, pwlen); |
382 | 132 | if (pwlen < 32) |
383 | 84 | memcpy(buf + pwlen, padding, 32 - pwlen); |
384 | | |
385 | | /* Step 2 - init md5 and pass value of step 1 */ |
386 | 132 | fz_md5_init(&md5); |
387 | 132 | fz_md5_update(&md5, buf, 32); |
388 | | |
389 | | /* Step 3 - pass O value */ |
390 | 132 | fz_md5_update(&md5, crypt->o, 32); |
391 | | |
392 | | /* Step 4 - pass P value as unsigned int, low-order byte first */ |
393 | 132 | p = (unsigned int) crypt->p; |
394 | 132 | buf[0] = (p) & 0xFF; |
395 | 132 | buf[1] = (p >> 8) & 0xFF; |
396 | 132 | buf[2] = (p >> 16) & 0xFF; |
397 | 132 | buf[3] = (p >> 24) & 0xFF; |
398 | 132 | fz_md5_update(&md5, buf, 4); |
399 | | |
400 | | /* Step 5 - pass first element of ID array */ |
401 | 132 | fz_md5_update(&md5, (unsigned char *)pdf_to_str_buf(ctx, crypt->id), pdf_to_str_len(ctx, crypt->id)); |
402 | | |
403 | | /* Step 6 (revision 4 or greater) - if metadata is not encrypted pass 0xFFFFFFFF */ |
404 | 132 | if (crypt->r >= 4) |
405 | 117 | { |
406 | 117 | if (!crypt->encrypt_metadata) |
407 | 6 | { |
408 | 6 | buf[0] = 0xFF; |
409 | 6 | buf[1] = 0xFF; |
410 | 6 | buf[2] = 0xFF; |
411 | 6 | buf[3] = 0xFF; |
412 | 6 | fz_md5_update(&md5, buf, 4); |
413 | 6 | } |
414 | 117 | } |
415 | | |
416 | | /* Step 7 - finish the hash */ |
417 | 132 | fz_md5_final(&md5, buf); |
418 | | |
419 | | /* Step 8 (revision 3 or greater) - do some voodoo 50 times */ |
420 | 132 | if (crypt->r >= 3) |
421 | 122 | { |
422 | 6.22k | for (i = 0; i < 50; i++) |
423 | 6.10k | { |
424 | 6.10k | fz_md5_init(&md5); |
425 | 6.10k | fz_md5_update(&md5, buf, n); |
426 | 6.10k | fz_md5_final(&md5, buf); |
427 | 6.10k | } |
428 | 122 | } |
429 | | |
430 | | /* Step 9 - the key is the first 'n' bytes of the result */ |
431 | 132 | memcpy(key, buf, n); |
432 | 132 | } |
433 | | |
434 | | /* |
435 | | * Compute an encryption key (PDF 1.7 ExtensionLevel 3 algorithm 3.2a) |
436 | | */ |
437 | | |
438 | | static void |
439 | | pdf_compute_encryption_key_r5(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen, int ownerkey, unsigned char *validationkey) |
440 | 0 | { |
441 | 0 | unsigned char buffer[128 + 8 + 48]; |
442 | 0 | fz_sha256 sha256; |
443 | 0 | fz_aes aes; |
444 | | |
445 | | /* Step 2 - truncate UTF-8 password to 127 characters */ |
446 | |
|
447 | 0 | if (pwlen > 127) |
448 | 0 | pwlen = 127; |
449 | | |
450 | | /* Step 3/4 - test password against owner/user key and compute encryption key */ |
451 | |
|
452 | 0 | memcpy(buffer, password, pwlen); |
453 | 0 | if (ownerkey) |
454 | 0 | { |
455 | 0 | memcpy(buffer + pwlen, crypt->o + 32, 8); |
456 | 0 | memcpy(buffer + pwlen + 8, crypt->u, 48); |
457 | 0 | } |
458 | 0 | else |
459 | 0 | memcpy(buffer + pwlen, crypt->u + 32, 8); |
460 | |
|
461 | 0 | fz_sha256_init(&sha256); |
462 | 0 | fz_sha256_update(&sha256, buffer, pwlen + 8 + (ownerkey ? 48 : 0)); |
463 | 0 | fz_sha256_final(&sha256, validationkey); |
464 | | |
465 | | /* Step 3.5/4.5 - compute file encryption key from OE/UE */ |
466 | |
|
467 | 0 | if (ownerkey) |
468 | 0 | { |
469 | 0 | memcpy(buffer + pwlen, crypt->o + 40, 8); |
470 | 0 | memcpy(buffer + pwlen + 8, crypt->u, 48); |
471 | 0 | } |
472 | 0 | else |
473 | 0 | memcpy(buffer + pwlen, crypt->u + 40, 8); |
474 | |
|
475 | 0 | fz_sha256_init(&sha256); |
476 | 0 | fz_sha256_update(&sha256, buffer, pwlen + 8 + (ownerkey ? 48 : 0)); |
477 | 0 | fz_sha256_final(&sha256, buffer); |
478 | | |
479 | | /* clear password buffer and use it as iv */ |
480 | 0 | memset(buffer + 32, 0, sizeof(buffer) - 32); |
481 | 0 | if (fz_aes_setkey_dec(&aes, buffer, crypt->length)) |
482 | 0 | fz_throw(ctx, FZ_ERROR_FORMAT, "aes invalid key size (%d)", crypt->length); |
483 | 0 | fz_aes_crypt_cbc(&aes, FZ_AES_DECRYPT, 32, buffer + 32, ownerkey ? crypt->oe : crypt->ue, crypt->key); |
484 | 0 | } |
485 | | |
486 | | /* |
487 | | * Compute an encryption key (PDF 1.7 ExtensionLevel 8 algorithm) |
488 | | * |
489 | | * Adobe has not yet released the details, so the algorithm reference is: |
490 | | * http://esec-lab.sogeti.com/post/The-undocumented-password-validation-algorithm-of-Adobe-Reader-X |
491 | | */ |
492 | | |
493 | | static void |
494 | | pdf_compute_hardened_hash_r6(fz_context *ctx, unsigned char *password, size_t pwlen, unsigned char salt[8], unsigned char *ownerkey, unsigned char hash[32]) |
495 | 262 | { |
496 | 262 | unsigned char data[(128 + 64 + 48) * 64]; |
497 | 262 | unsigned char block[64]; |
498 | 262 | int block_size = 32; |
499 | 262 | size_t data_len = 0; |
500 | 262 | int i, j, sum; |
501 | | |
502 | 262 | fz_sha256 sha256; |
503 | 262 | fz_sha384 sha384; |
504 | 262 | fz_sha512 sha512; |
505 | 262 | fz_aes aes; |
506 | | |
507 | | /* Step 1: calculate initial data block */ |
508 | 262 | fz_sha256_init(&sha256); |
509 | 262 | fz_sha256_update(&sha256, password, pwlen); |
510 | 262 | fz_sha256_update(&sha256, salt, 8); |
511 | 262 | if (ownerkey) |
512 | 116 | fz_sha256_update(&sha256, ownerkey, 48); |
513 | 262 | fz_sha256_final(&sha256, block); |
514 | | |
515 | 18.4k | for (i = 0; i < 64 || i < data[data_len * 64 - 1] + 32; i++) |
516 | 18.1k | { |
517 | | /* Step 2: repeat password and data block 64 times */ |
518 | 18.1k | memcpy(data, password, pwlen); |
519 | 18.1k | memcpy(data + pwlen, block, block_size); |
520 | 18.1k | if (ownerkey) |
521 | 8.10k | memcpy(data + pwlen + block_size, ownerkey, 48); |
522 | 18.1k | data_len = pwlen + block_size + (ownerkey ? 48 : 0); |
523 | 1.16M | for (j = 1; j < 64; j++) |
524 | 1.14M | memcpy(data + j * data_len, data, data_len); |
525 | | |
526 | | /* Step 3: encrypt data using data block as key and iv */ |
527 | 18.1k | (void)fz_aes_setkey_enc(&aes, block, 128); |
528 | 18.1k | fz_aes_crypt_cbc(&aes, FZ_AES_ENCRYPT, data_len * 64, block + 16, data, data); |
529 | | |
530 | | /* Step 4: determine SHA-2 hash size for this round */ |
531 | 308k | for (j = 0, sum = 0; j < 16; j++) |
532 | 290k | sum += data[j]; |
533 | | |
534 | | /* Step 5: calculate data block for next round */ |
535 | 18.1k | block_size = 32 + (sum % 3) * 16; |
536 | 18.1k | switch (block_size) |
537 | 18.1k | { |
538 | 6.24k | case 32: |
539 | 6.24k | fz_sha256_init(&sha256); |
540 | 6.24k | fz_sha256_update(&sha256, data, data_len * 64); |
541 | 6.24k | fz_sha256_final(&sha256, block); |
542 | 6.24k | break; |
543 | 5.77k | case 48: |
544 | 5.77k | fz_sha384_init(&sha384); |
545 | 5.77k | fz_sha384_update(&sha384, data, data_len * 64); |
546 | 5.77k | fz_sha384_final(&sha384, block); |
547 | 5.77k | break; |
548 | 6.13k | case 64: |
549 | 6.13k | fz_sha512_init(&sha512); |
550 | 6.13k | fz_sha512_update(&sha512, data, data_len * 64); |
551 | 6.13k | fz_sha512_final(&sha512, block); |
552 | 6.13k | break; |
553 | 18.1k | } |
554 | 18.1k | } |
555 | | |
556 | 262 | memset(data, 0, sizeof(data)); |
557 | 262 | memcpy(hash, block, 32); |
558 | 262 | } |
559 | | |
560 | | static void |
561 | | pdf_compute_encryption_key_r6(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen, int ownerkey, unsigned char *validationkey) |
562 | 131 | { |
563 | 131 | unsigned char hash[32]; |
564 | 131 | unsigned char iv[16]; |
565 | 131 | fz_aes aes; |
566 | | |
567 | 131 | if (pwlen > 127) |
568 | 0 | pwlen = 127; |
569 | | |
570 | 131 | pdf_compute_hardened_hash_r6(ctx, password, pwlen, |
571 | 131 | (ownerkey ? crypt->o : crypt->u) + 32, |
572 | 131 | ownerkey ? crypt->u : NULL, validationkey); |
573 | 131 | pdf_compute_hardened_hash_r6(ctx, password, pwlen, |
574 | 131 | (ownerkey ? crypt->o : crypt->u) + 40, |
575 | 131 | (ownerkey ? crypt->u : NULL), |
576 | 131 | hash); |
577 | | |
578 | 131 | memset(iv, 0, sizeof(iv)); |
579 | 131 | (void)fz_aes_setkey_dec(&aes, hash, 256); |
580 | 131 | fz_aes_crypt_cbc(&aes, FZ_AES_DECRYPT, 32, iv, ownerkey ? crypt->oe : crypt->ue, crypt->key); |
581 | 131 | } |
582 | | |
583 | | /* |
584 | | * Computing the user password (PDF 1.7 algorithm 3.4 and 3.5) |
585 | | * Also save the generated key for decrypting objects and streams in crypt->key. |
586 | | */ |
587 | | |
588 | | static void |
589 | | pdf_compute_user_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen, unsigned char *output) |
590 | 205 | { |
591 | 205 | int n = fz_clampi(crypt->length / 8, 0, 16); |
592 | | |
593 | 205 | if (crypt->r == 2) |
594 | 10 | { |
595 | 10 | fz_arc4 arc4; |
596 | | |
597 | 10 | pdf_compute_encryption_key(ctx, crypt, password, pwlen, crypt->key); |
598 | 10 | fz_arc4_init(&arc4, crypt->key, n); |
599 | 10 | fz_arc4_encrypt(&arc4, output, padding, 32); |
600 | 10 | } |
601 | | |
602 | 205 | if (crypt->r == 3 || crypt->r == 4) |
603 | 122 | { |
604 | 122 | unsigned char xor[32]; |
605 | 122 | unsigned char digest[16]; |
606 | 122 | fz_md5 md5; |
607 | 122 | fz_arc4 arc4; |
608 | 122 | int i, x; |
609 | | |
610 | 122 | pdf_compute_encryption_key(ctx, crypt, password, pwlen, crypt->key); |
611 | | |
612 | 122 | fz_md5_init(&md5); |
613 | 122 | fz_md5_update(&md5, padding, 32); |
614 | 122 | fz_md5_update(&md5, (unsigned char*)pdf_to_str_buf(ctx, crypt->id), pdf_to_str_len(ctx, crypt->id)); |
615 | 122 | fz_md5_final(&md5, digest); |
616 | | |
617 | 122 | fz_arc4_init(&arc4, crypt->key, n); |
618 | 122 | fz_arc4_encrypt(&arc4, output, digest, 16); |
619 | | |
620 | 2.44k | for (x = 1; x <= 19; x++) |
621 | 2.31k | { |
622 | 38.1k | for (i = 0; i < n; i++) |
623 | 35.8k | xor[i] = crypt->key[i] ^ x; |
624 | 2.31k | fz_arc4_init(&arc4, xor, n); |
625 | 2.31k | fz_arc4_encrypt(&arc4, output, output, 16); |
626 | 2.31k | } |
627 | | |
628 | 122 | memcpy(output + 16, padding, 16); |
629 | 122 | } |
630 | | |
631 | 205 | if (crypt->r == 5) |
632 | 0 | { |
633 | 0 | pdf_compute_encryption_key_r5(ctx, crypt, password, pwlen, 0, output); |
634 | 0 | } |
635 | | |
636 | 205 | if (crypt->r == 6) |
637 | 73 | { |
638 | 73 | pdf_compute_encryption_key_r6(ctx, crypt, password, pwlen, 0, output); |
639 | 73 | } |
640 | 205 | } |
641 | | |
642 | | /* |
643 | | * Authenticating the user password (PDF 1.7 algorithm 3.6 |
644 | | * and ExtensionLevel 3 algorithm 3.11) |
645 | | * This also has the side effect of saving a key generated |
646 | | * from the password for decrypting objects and streams. |
647 | | */ |
648 | | |
649 | | static int |
650 | | pdf_authenticate_user_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen) |
651 | 205 | { |
652 | 205 | unsigned char output[32]; |
653 | 205 | pdf_compute_user_password(ctx, crypt, password, pwlen, output); |
654 | 205 | if (crypt->r == 2 || crypt->r == 5 || crypt->r == 6) |
655 | 83 | return memcmp(output, crypt->u, 32) == 0; |
656 | 122 | if (crypt->r == 3 || crypt->r == 4) |
657 | 122 | return memcmp(output, crypt->u, 16) == 0; |
658 | 0 | return 0; |
659 | 122 | } |
660 | | |
661 | | /* |
662 | | * Authenticating the owner password (PDF 1.7 algorithm 3.7, |
663 | | * ExtensionLevel 3 algorithm 3.12, ExtensionLevel 8 algorithm) |
664 | | * Generates the user password from the owner password |
665 | | * and calls pdf_authenticate_user_password. |
666 | | */ |
667 | | |
668 | | static int |
669 | | pdf_authenticate_owner_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *ownerpass, size_t pwlen) |
670 | 106 | { |
671 | 106 | int n = fz_clampi(crypt->length / 8, 0, 16); |
672 | | |
673 | 106 | if (crypt->r == 2) |
674 | 4 | { |
675 | 4 | unsigned char pwbuf[32]; |
676 | 4 | unsigned char key[16]; |
677 | 4 | unsigned char userpass[32]; |
678 | 4 | fz_md5 md5; |
679 | 4 | fz_arc4 arc4; |
680 | | |
681 | 4 | if (pwlen > 32) |
682 | 0 | pwlen = 32; |
683 | 4 | memcpy(pwbuf, ownerpass, pwlen); |
684 | 4 | if (pwlen < 32) |
685 | 4 | memcpy(pwbuf + pwlen, padding, 32 - pwlen); |
686 | | |
687 | 4 | fz_md5_init(&md5); |
688 | 4 | fz_md5_update(&md5, pwbuf, 32); |
689 | 4 | fz_md5_final(&md5, key); |
690 | | |
691 | 4 | fz_arc4_init(&arc4, key, n); |
692 | 4 | fz_arc4_encrypt(&arc4, userpass, crypt->o, 32); |
693 | | |
694 | 4 | return pdf_authenticate_user_password(ctx, crypt, userpass, 32); |
695 | 4 | } |
696 | | |
697 | 102 | if (crypt->r == 3 || crypt->r == 4) |
698 | 44 | { |
699 | 44 | unsigned char pwbuf[32]; |
700 | 44 | unsigned char key[16]; |
701 | 44 | unsigned char xor[32]; |
702 | 44 | unsigned char userpass[32]; |
703 | 44 | int i, x; |
704 | 44 | fz_md5 md5; |
705 | 44 | fz_arc4 arc4; |
706 | | |
707 | 44 | if (pwlen > 32) |
708 | 0 | pwlen = 32; |
709 | 44 | memcpy(pwbuf, ownerpass, pwlen); |
710 | 44 | if (pwlen < 32) |
711 | 44 | memcpy(pwbuf + pwlen, padding, 32 - pwlen); |
712 | | |
713 | 44 | fz_md5_init(&md5); |
714 | 44 | fz_md5_update(&md5, pwbuf, 32); |
715 | 44 | fz_md5_final(&md5, key); |
716 | | |
717 | 2.24k | for (i = 0; i < 50; i++) |
718 | 2.20k | { |
719 | 2.20k | fz_md5_init(&md5); |
720 | 2.20k | fz_md5_update(&md5, key, n); |
721 | 2.20k | fz_md5_final(&md5, key); |
722 | 2.20k | } |
723 | | |
724 | 44 | memcpy(userpass, crypt->o, 32); |
725 | 924 | for (x = 0; x < 20; x++) |
726 | 880 | { |
727 | 14.3k | for (i = 0; i < n; i++) |
728 | 13.4k | xor[i] = key[i] ^ (19 - x); |
729 | 880 | fz_arc4_init(&arc4, xor, n); |
730 | 880 | fz_arc4_encrypt(&arc4, userpass, userpass, 32); |
731 | 880 | } |
732 | | |
733 | 44 | return pdf_authenticate_user_password(ctx, crypt, userpass, 32); |
734 | 44 | } |
735 | | |
736 | 58 | if (crypt->r == 5) |
737 | 0 | { |
738 | 0 | unsigned char key[32]; |
739 | 0 | pdf_compute_encryption_key_r5(ctx, crypt, ownerpass, pwlen, 1, key); |
740 | 0 | return !memcmp(key, crypt->o, 32); |
741 | 0 | } |
742 | | |
743 | 58 | if (crypt->r == 6) |
744 | 58 | { |
745 | 58 | unsigned char key[32]; |
746 | 58 | pdf_compute_encryption_key_r6(ctx, crypt, ownerpass, pwlen, 1, key); |
747 | 58 | return !memcmp(key, crypt->o, 32); |
748 | 58 | } |
749 | | |
750 | 0 | return 0; |
751 | 58 | } |
752 | | |
753 | | static void pdf_docenc_from_utf8(char *password, const char *utf8, int n) |
754 | 48 | { |
755 | 48 | int i = 0, k, c; |
756 | 48 | while (*utf8 && i + 1 < n) |
757 | 0 | { |
758 | 0 | utf8 += fz_chartorune(&c, utf8); |
759 | 0 | for (k = 0; k < 256; k++) |
760 | 0 | { |
761 | 0 | if (c == fz_unicode_from_pdf_doc_encoding[k]) |
762 | 0 | { |
763 | 0 | password[i++] = k; |
764 | 0 | break; |
765 | 0 | } |
766 | 0 | } |
767 | | /* FIXME: drop characters that can't be encoded or return an error? */ |
768 | 0 | } |
769 | 48 | password[i] = 0; |
770 | 48 | } |
771 | | |
772 | | static void pdf_saslprep_from_utf8(char *password, const char *utf8, int n) |
773 | 58 | { |
774 | | /* TODO: stringprep with SALSprep profile */ |
775 | 58 | fz_strlcpy(password, utf8, n); |
776 | 58 | } |
777 | | |
778 | | int |
779 | | pdf_authenticate_password(fz_context *ctx, pdf_document *doc, const char *pwd_utf8) |
780 | 6.39k | { |
781 | 6.39k | char password[2048]; |
782 | 6.39k | int auth; |
783 | | |
784 | 6.39k | if (!doc->crypt) |
785 | 6.28k | return 1; /* No password required */ |
786 | | |
787 | 106 | password[0] = 0; |
788 | 106 | if (pwd_utf8) |
789 | 106 | { |
790 | 106 | if (doc->crypt->r <= 4) |
791 | 48 | pdf_docenc_from_utf8(password, pwd_utf8, sizeof password); |
792 | 58 | else |
793 | 58 | pdf_saslprep_from_utf8(password, pwd_utf8, sizeof password); |
794 | 106 | } |
795 | | |
796 | 106 | auth = 0; |
797 | 106 | if (pdf_authenticate_user_password(ctx, doc->crypt, (unsigned char *)password, strlen(password))) |
798 | 51 | auth = 2; |
799 | 106 | if (pdf_authenticate_owner_password(ctx, doc->crypt, (unsigned char *)password, strlen(password))) |
800 | 5 | auth |= 4; |
801 | 101 | else if (auth & 2) |
802 | 51 | { |
803 | | /* We need to reauthenticate the user password, |
804 | | * because the failed attempt to authenticate |
805 | | * the owner password will have invalidated the |
806 | | * stored keys. */ |
807 | 51 | (void)pdf_authenticate_user_password(ctx, doc->crypt, (unsigned char *)password, strlen(password)); |
808 | 51 | } |
809 | | |
810 | | /* To match Acrobat, we choose not to allow an empty owner |
811 | | * password, unless the user password is also the empty one. */ |
812 | 106 | if (*password == 0 && auth == 4) |
813 | 5 | return 0; |
814 | | |
815 | 101 | return auth; |
816 | 106 | } |
817 | | |
818 | | int |
819 | | pdf_needs_password(fz_context *ctx, pdf_document *doc) |
820 | 0 | { |
821 | 0 | if (!doc->crypt) |
822 | 0 | return 0; |
823 | 0 | if (pdf_authenticate_password(ctx, doc, "")) |
824 | 0 | return 0; |
825 | 0 | return 1; |
826 | 0 | } |
827 | | |
828 | | int |
829 | | pdf_has_permission(fz_context *ctx, pdf_document *doc, fz_permission p) |
830 | 0 | { |
831 | 0 | if (!doc->crypt) |
832 | 0 | return 1; |
833 | 0 | switch (p) |
834 | 0 | { |
835 | 0 | case FZ_PERMISSION_PRINT: return doc->crypt->p & PDF_PERM_PRINT; |
836 | 0 | case FZ_PERMISSION_EDIT: return doc->crypt->p & PDF_PERM_MODIFY; |
837 | 0 | case FZ_PERMISSION_COPY: return doc->crypt->p & PDF_PERM_COPY; |
838 | 0 | case FZ_PERMISSION_ANNOTATE: return doc->crypt->p & PDF_PERM_ANNOTATE; |
839 | 0 | case FZ_PERMISSION_FORM: return doc->crypt->p & PDF_PERM_FORM; |
840 | 0 | case FZ_PERMISSION_ACCESSIBILITY: return doc->crypt->p & PDF_PERM_ACCESSIBILITY; |
841 | 0 | case FZ_PERMISSION_ASSEMBLE: return doc->crypt->p & PDF_PERM_ASSEMBLE; |
842 | 0 | case FZ_PERMISSION_PRINT_HQ: return doc->crypt->p & PDF_PERM_PRINT_HQ; |
843 | 0 | } |
844 | 0 | return 1; |
845 | 0 | } |
846 | | |
847 | | int |
848 | | pdf_document_permissions(fz_context *ctx, pdf_document *doc) |
849 | 0 | { |
850 | 0 | if (doc->crypt) |
851 | 0 | return doc->crypt->p; |
852 | | /* all permissions granted, reserved bits set appropriately */ |
853 | 0 | return (int)0xFFFFFFFC; |
854 | 0 | } |
855 | | |
856 | | /* |
857 | | * Compute the owner password (PDF 1.7 algorithm 3.3) |
858 | | */ |
859 | | |
860 | | static void |
861 | | pdf_compute_owner_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *opassword, size_t opwlen, unsigned char *upassword, size_t upwlen, unsigned char *output) |
862 | 0 | { |
863 | 0 | unsigned char obuf[32]; |
864 | 0 | unsigned char ubuf[32]; |
865 | 0 | unsigned char digest[32]; |
866 | 0 | int i, n; |
867 | 0 | fz_md5 md5; |
868 | 0 | fz_arc4 arc4; |
869 | |
|
870 | 0 | n = fz_clampi(crypt->length / 8, 0, 16); |
871 | | |
872 | | /* Step 1 - copy and pad owner password string */ |
873 | 0 | if (opwlen > 32) |
874 | 0 | opwlen = 32; |
875 | 0 | memcpy(obuf, opassword, opwlen); |
876 | 0 | if (opwlen < 32) |
877 | 0 | memcpy(obuf + opwlen, padding, 32 - opwlen); |
878 | | |
879 | | /* Step 2 - init md5 and pass value of step 1 */ |
880 | 0 | fz_md5_init(&md5); |
881 | 0 | fz_md5_update(&md5, obuf, 32); |
882 | 0 | fz_md5_final(&md5, obuf); |
883 | | |
884 | | /* Step 3 (revision 3 or greater) - do some voodoo 50 times */ |
885 | 0 | if (crypt->r >= 3) |
886 | 0 | { |
887 | 0 | for (i = 0; i < 50; i++) |
888 | 0 | { |
889 | 0 | fz_md5_init(&md5); |
890 | 0 | fz_md5_update(&md5, obuf, n); |
891 | 0 | fz_md5_final(&md5, obuf); |
892 | 0 | } |
893 | 0 | } |
894 | | |
895 | | /* Step 4 - encrypt owner password md5 hash */ |
896 | 0 | fz_arc4_init(&arc4, obuf, n); |
897 | | |
898 | | /* Step 5 - copy and pad user password string */ |
899 | 0 | if (upwlen > 32) |
900 | 0 | upwlen = 32; |
901 | 0 | memcpy(ubuf, upassword, upwlen); |
902 | 0 | if (upwlen < 32) |
903 | 0 | memcpy(ubuf + upwlen, padding, 32 - upwlen); |
904 | | |
905 | | /* Step 6 - encrypt user password md5 hash */ |
906 | 0 | fz_arc4_encrypt(&arc4, digest, ubuf, 32); |
907 | | |
908 | | /* Step 7 - */ |
909 | 0 | if (crypt->r >= 3) |
910 | 0 | { |
911 | 0 | unsigned char xor[32]; |
912 | 0 | int x; |
913 | |
|
914 | 0 | for (x = 1; x <= 19; x++) |
915 | 0 | { |
916 | 0 | for (i = 0; i < n; i++) |
917 | 0 | xor[i] = obuf[i] ^ x; |
918 | 0 | fz_arc4_init(&arc4, xor, n); |
919 | 0 | fz_arc4_encrypt(&arc4, digest, digest, 32); |
920 | 0 | } |
921 | 0 | } |
922 | | |
923 | | /* Step 8 - the owner password is the first 16 bytes of the result */ |
924 | 0 | memcpy(output, digest, 32); |
925 | 0 | } |
926 | | |
927 | | unsigned char * |
928 | | pdf_crypt_key(fz_context *ctx, pdf_crypt *crypt) |
929 | 0 | { |
930 | 0 | if (crypt) |
931 | 0 | return crypt->key; |
932 | 0 | return NULL; |
933 | 0 | } |
934 | | |
935 | | int |
936 | | pdf_crypt_version(fz_context *ctx, pdf_crypt *crypt) |
937 | 0 | { |
938 | 0 | if (crypt) |
939 | 0 | return crypt->v; |
940 | 0 | return 0; |
941 | 0 | } |
942 | | |
943 | | int pdf_crypt_revision(fz_context *ctx, pdf_crypt *crypt) |
944 | 0 | { |
945 | 0 | if (crypt) |
946 | 0 | return crypt->r; |
947 | 0 | return 0; |
948 | 0 | } |
949 | | |
950 | | static char * |
951 | | crypt_method(fz_context *ctx, int method) |
952 | 0 | { |
953 | 0 | switch (method) |
954 | 0 | { |
955 | 0 | default: |
956 | 0 | case PDF_CRYPT_UNKNOWN: return "Unknown"; |
957 | 0 | case PDF_CRYPT_NONE: return "None"; |
958 | 0 | case PDF_CRYPT_RC4: return "RC4"; |
959 | 0 | case PDF_CRYPT_AESV2: return "AES"; |
960 | 0 | case PDF_CRYPT_AESV3: return "AES"; |
961 | 0 | } |
962 | 0 | } |
963 | | |
964 | | const char * |
965 | | pdf_crypt_string_method(fz_context *ctx, pdf_crypt *crypt) |
966 | 0 | { |
967 | 0 | if (crypt) |
968 | 0 | return crypt_method(ctx, crypt->strf.method); |
969 | 0 | return "None"; |
970 | 0 | } |
971 | | |
972 | | const char * |
973 | | pdf_crypt_stream_method(fz_context *ctx, pdf_crypt *crypt) |
974 | 0 | { |
975 | 0 | if (crypt) |
976 | 0 | return crypt_method(ctx, crypt->stmf.method); |
977 | 0 | return "None"; |
978 | 0 | } |
979 | | |
980 | | const char * |
981 | | pdf_crypt_method(fz_context *ctx, pdf_crypt *crypt) |
982 | 0 | { |
983 | 0 | return pdf_crypt_string_method(ctx, crypt); |
984 | 0 | } |
985 | | |
986 | | int |
987 | | pdf_crypt_length(fz_context *ctx, pdf_crypt *crypt) |
988 | 0 | { |
989 | 0 | if (crypt) |
990 | 0 | return crypt->length; |
991 | 0 | return 0; |
992 | 0 | } |
993 | | |
994 | | int |
995 | | pdf_crypt_permissions(fz_context *ctx, pdf_crypt *crypt) |
996 | 0 | { |
997 | 0 | if (crypt) |
998 | 0 | return crypt->p; |
999 | 0 | return 0; |
1000 | 0 | } |
1001 | | |
1002 | | int |
1003 | | pdf_crypt_encrypt_metadata(fz_context *ctx, pdf_crypt *crypt) |
1004 | 0 | { |
1005 | 0 | if (crypt) |
1006 | 0 | return crypt->encrypt_metadata; |
1007 | 0 | return 0; |
1008 | 0 | } |
1009 | | |
1010 | | unsigned char * |
1011 | | pdf_crypt_owner_password(fz_context *ctx, pdf_crypt *crypt) |
1012 | 0 | { |
1013 | 0 | if (crypt) |
1014 | 0 | return crypt->o; |
1015 | 0 | return NULL; |
1016 | 0 | } |
1017 | | |
1018 | | unsigned char * |
1019 | | pdf_crypt_user_password(fz_context *ctx, pdf_crypt *crypt) |
1020 | 0 | { |
1021 | 0 | if (crypt) |
1022 | 0 | return crypt->u; |
1023 | 0 | return NULL; |
1024 | 0 | } |
1025 | | |
1026 | | unsigned char * |
1027 | | pdf_crypt_owner_encryption(fz_context *ctx, pdf_crypt *crypt) |
1028 | 0 | { |
1029 | 0 | if (crypt) |
1030 | 0 | return crypt->oe; |
1031 | 0 | return NULL; |
1032 | 0 | } |
1033 | | |
1034 | | unsigned char * |
1035 | | pdf_crypt_user_encryption(fz_context *ctx, pdf_crypt *crypt) |
1036 | 0 | { |
1037 | 0 | if (crypt) |
1038 | 0 | return crypt->ue; |
1039 | 0 | return NULL; |
1040 | 0 | } |
1041 | | |
1042 | | unsigned char * |
1043 | | pdf_crypt_permissions_encryption(fz_context *ctx, pdf_crypt *crypt) |
1044 | 0 | { |
1045 | 0 | if (crypt) |
1046 | 0 | return crypt->perms; |
1047 | 0 | return 0; |
1048 | 0 | } |
1049 | | |
1050 | | /* |
1051 | | * PDF 1.7 algorithm 3.1 and ExtensionLevel 3 algorithm 3.1a |
1052 | | * |
1053 | | * Using the global encryption key that was generated from the |
1054 | | * password, create a new key that is used to decrypt individual |
1055 | | * objects and streams. This key is based on the object and |
1056 | | * generation numbers. |
1057 | | */ |
1058 | | |
1059 | | static int |
1060 | | pdf_compute_object_key(pdf_crypt *crypt, pdf_crypt_filter *cf, int num, int gen, unsigned char *key, int max_len) |
1061 | 3.63k | { |
1062 | 3.63k | fz_md5 md5; |
1063 | 3.63k | unsigned char message[5]; |
1064 | 3.63k | int key_len = crypt->length / 8; |
1065 | | |
1066 | 3.63k | if (key_len > max_len) |
1067 | 0 | key_len = max_len; |
1068 | | |
1069 | | /* Encryption method version 0 is undocumented, but a lucky |
1070 | | guess revealed that all streams/strings in those PDFs are |
1071 | | encrypted using the same 40 bit file enryption key using RC4. */ |
1072 | 3.63k | if (crypt->v == 0 || cf->method == PDF_CRYPT_AESV3) |
1073 | 517 | { |
1074 | 517 | memcpy(key, crypt->key, key_len); |
1075 | 517 | return key_len; |
1076 | 517 | } |
1077 | | |
1078 | 3.11k | fz_md5_init(&md5); |
1079 | 3.11k | fz_md5_update(&md5, crypt->key, key_len); |
1080 | 3.11k | message[0] = (num) & 0xFF; |
1081 | 3.11k | message[1] = (num >> 8) & 0xFF; |
1082 | 3.11k | message[2] = (num >> 16) & 0xFF; |
1083 | 3.11k | message[3] = (gen) & 0xFF; |
1084 | 3.11k | message[4] = (gen >> 8) & 0xFF; |
1085 | 3.11k | fz_md5_update(&md5, message, 5); |
1086 | | |
1087 | 3.11k | if (cf->method == PDF_CRYPT_AESV2) |
1088 | 2.84k | fz_md5_update(&md5, (unsigned char *)"sAlT", 4); |
1089 | | |
1090 | 3.11k | fz_md5_final(&md5, key); |
1091 | | |
1092 | 3.11k | if (key_len + 5 > 16) |
1093 | 2.98k | return 16; |
1094 | 133 | return key_len + 5; |
1095 | 3.11k | } |
1096 | | |
1097 | | /* |
1098 | | * PDF 1.7 algorithm 3.1 and ExtensionLevel 3 algorithm 3.1a |
1099 | | * |
1100 | | * Decrypt all strings in obj modifying the data in-place. |
1101 | | * Recurse through arrays and dictionaries, but do not follow |
1102 | | * indirect references. |
1103 | | */ |
1104 | | |
1105 | | static int is_signature(fz_context *ctx, pdf_obj *obj) |
1106 | 94 | { |
1107 | 94 | if (pdf_dict_get(ctx, obj, PDF_NAME(Type)) == PDF_NAME(Sig)) |
1108 | 0 | if (pdf_dict_get(ctx, obj, PDF_NAME(Contents)) && pdf_dict_get(ctx, obj, PDF_NAME(ByteRange)) && pdf_dict_get(ctx, obj, PDF_NAME(Filter))) |
1109 | 0 | return 1; |
1110 | 94 | return 0; |
1111 | 94 | } |
1112 | | |
1113 | | static void |
1114 | | pdf_crypt_obj_imp(fz_context *ctx, pdf_crypt *crypt, pdf_obj *obj, unsigned char *key, int keylen) |
1115 | 32.5k | { |
1116 | 32.5k | unsigned char *s; |
1117 | 32.5k | int i; |
1118 | | |
1119 | 32.5k | if (pdf_is_indirect(ctx, obj)) |
1120 | 4.30k | return; |
1121 | | |
1122 | 28.2k | if (pdf_is_string(ctx, obj)) |
1123 | 909 | { |
1124 | 909 | size_t n = pdf_to_str_len(ctx, obj); |
1125 | 909 | s = (unsigned char *)pdf_to_str_buf(ctx, obj); |
1126 | | |
1127 | 909 | if (crypt->strf.method == PDF_CRYPT_RC4) |
1128 | 28 | { |
1129 | 28 | fz_arc4 arc4; |
1130 | 28 | fz_arc4_init(&arc4, key, keylen); |
1131 | 28 | fz_arc4_encrypt(&arc4, s, s, n); |
1132 | 28 | } |
1133 | | |
1134 | 909 | if (crypt->strf.method == PDF_CRYPT_AESV2 || crypt->strf.method == PDF_CRYPT_AESV3) |
1135 | 855 | { |
1136 | 855 | if (n == 0) |
1137 | 0 | { |
1138 | | /* Empty strings are permissible */ |
1139 | 0 | } |
1140 | 855 | else if (n & 15 || n < 32) |
1141 | 178 | fz_warn(ctx, "invalid string length for aes encryption"); |
1142 | 677 | else |
1143 | 677 | { |
1144 | 677 | unsigned char iv[16]; |
1145 | 677 | fz_aes aes; |
1146 | 677 | memcpy(iv, s, 16); |
1147 | 677 | if (fz_aes_setkey_dec(&aes, key, keylen * 8)) |
1148 | 0 | fz_throw(ctx, FZ_ERROR_FORMAT, "AES key init failed (keylen=%d)", keylen * 8); |
1149 | 677 | fz_aes_crypt_cbc(&aes, FZ_AES_DECRYPT, n - 16, iv, s + 16, s); |
1150 | | /* delete space used for iv and padding bytes at end */ |
1151 | 677 | if (s[n - 17] < 1 || s[n - 17] > 16) |
1152 | 54 | fz_warn(ctx, "aes padding out of range"); |
1153 | 623 | else |
1154 | 623 | pdf_set_str_len(ctx, obj, n - 16 - s[n - 17]); |
1155 | 677 | } |
1156 | 855 | } |
1157 | 909 | } |
1158 | | |
1159 | 27.2k | else if (pdf_is_array(ctx, obj)) |
1160 | 2.12k | { |
1161 | 2.12k | int n = pdf_array_len(ctx, obj); |
1162 | 16.5k | for (i = 0; i < n; i++) |
1163 | 14.4k | { |
1164 | 14.4k | pdf_crypt_obj_imp(ctx, crypt, pdf_array_get(ctx, obj, i), key, keylen); |
1165 | 14.4k | } |
1166 | 2.12k | } |
1167 | | |
1168 | 25.1k | else if (pdf_is_dict(ctx, obj)) |
1169 | 3.61k | { |
1170 | 3.61k | int n = pdf_dict_len(ctx, obj); |
1171 | 19.1k | for (i = 0; i < n; i++) |
1172 | 15.5k | { |
1173 | 15.5k | if (pdf_dict_get_key(ctx, obj, i) == PDF_NAME(Contents) && is_signature(ctx, obj)) |
1174 | 0 | continue; |
1175 | | |
1176 | 15.5k | pdf_crypt_obj_imp(ctx, crypt, pdf_dict_get_val(ctx, obj, i), key, keylen); |
1177 | 15.5k | } |
1178 | 3.61k | } |
1179 | 28.2k | } |
1180 | | |
1181 | | void |
1182 | | pdf_crypt_obj(fz_context *ctx, pdf_crypt *crypt, pdf_obj *obj, int num, int gen) |
1183 | 2.51k | { |
1184 | 2.51k | unsigned char key[32]; |
1185 | 2.51k | int len; |
1186 | | |
1187 | 2.51k | len = pdf_compute_object_key(crypt, &crypt->strf, num, gen, key, 32); |
1188 | | |
1189 | 2.51k | pdf_crypt_obj_imp(ctx, crypt, obj, key, len); |
1190 | 2.51k | } |
1191 | | |
1192 | | /* |
1193 | | * PDF 1.7 algorithm 3.1 and ExtensionLevel 3 algorithm 3.1a |
1194 | | * |
1195 | | * Create filter suitable for de/encrypting a stream. |
1196 | | */ |
1197 | | static fz_stream * |
1198 | | pdf_open_crypt_imp(fz_context *ctx, fz_stream *chain, pdf_crypt *crypt, pdf_crypt_filter *stmf, int num, int gen) |
1199 | 1.12k | { |
1200 | 1.12k | unsigned char key[32]; |
1201 | 1.12k | int len; |
1202 | | |
1203 | 1.12k | len = pdf_compute_object_key(crypt, stmf, num, gen, key, 32); |
1204 | | |
1205 | 1.12k | if (stmf->method == PDF_CRYPT_RC4) |
1206 | 33 | return fz_open_arc4(ctx, chain, key, len); |
1207 | | |
1208 | 1.08k | if (stmf->method == PDF_CRYPT_AESV2 || stmf->method == PDF_CRYPT_AESV3) |
1209 | 1.08k | return fz_open_aesd(ctx, chain, key, len); |
1210 | | |
1211 | 5 | return fz_keep_stream(ctx, chain); |
1212 | 1.08k | } |
1213 | | |
1214 | | fz_stream * |
1215 | | pdf_open_crypt(fz_context *ctx, fz_stream *chain, pdf_crypt *crypt, int num, int gen) |
1216 | 1.12k | { |
1217 | 1.12k | return pdf_open_crypt_imp(ctx, chain, crypt, &crypt->stmf, num, gen); |
1218 | 1.12k | } |
1219 | | |
1220 | | fz_stream * |
1221 | | pdf_open_crypt_with_filter(fz_context *ctx, fz_stream *chain, pdf_crypt *crypt, pdf_obj *name, int num, int gen) |
1222 | 0 | { |
1223 | 0 | if (!pdf_name_eq(ctx, name, PDF_NAME(Identity))) |
1224 | 0 | { |
1225 | 0 | pdf_crypt_filter cf; |
1226 | 0 | pdf_parse_crypt_filter(ctx, &cf, crypt, name); |
1227 | 0 | return pdf_open_crypt_imp(ctx, chain, crypt, &cf, num, gen); |
1228 | 0 | } |
1229 | 0 | return fz_keep_stream(ctx, chain); |
1230 | 0 | } |
1231 | | |
1232 | | void |
1233 | | pdf_print_crypt(fz_context *ctx, fz_output *out, pdf_crypt *crypt) |
1234 | 0 | { |
1235 | 0 | int i; |
1236 | |
|
1237 | 0 | fz_write_printf(ctx, out, "crypt {\n"); |
1238 | |
|
1239 | 0 | fz_write_printf(ctx, out, "\tv=%d length=%d\n", crypt->v, crypt->length); |
1240 | 0 | fz_write_printf(ctx, out, "\tstmf method=%d length=%d\n", crypt->stmf.method, crypt->stmf.length); |
1241 | 0 | fz_write_printf(ctx, out, "\tstrf method=%d length=%d\n", crypt->strf.method, crypt->strf.length); |
1242 | 0 | fz_write_printf(ctx, out, "\tr=%d\n", crypt->r); |
1243 | |
|
1244 | 0 | fz_write_printf(ctx, out, "\to=<"); |
1245 | 0 | for (i = 0; i < 32; i++) |
1246 | 0 | fz_write_printf(ctx, out, "%02X", crypt->o[i]); |
1247 | 0 | fz_write_printf(ctx, out, ">\n"); |
1248 | |
|
1249 | 0 | fz_write_printf(ctx, out, "\tu=<"); |
1250 | 0 | for (i = 0; i < 32; i++) |
1251 | 0 | fz_write_printf(ctx, out, "%02X", crypt->u[i]); |
1252 | 0 | fz_write_printf(ctx, out, ">\n"); |
1253 | |
|
1254 | 0 | fz_write_printf(ctx, out, "}\n"); |
1255 | 0 | } |
1256 | | |
1257 | | void pdf_encrypt_data(fz_context *ctx, pdf_crypt *crypt, int num, int gen, void (*write_data)(fz_context *ctx, void *, const unsigned char *, size_t), void *arg, const unsigned char *s, size_t n) |
1258 | 0 | { |
1259 | 0 | unsigned char buffer[256]; |
1260 | 0 | unsigned char key[32]; |
1261 | 0 | int keylen; |
1262 | |
|
1263 | 0 | if (crypt == NULL) |
1264 | 0 | { |
1265 | 0 | write_data(ctx, arg, s, n); |
1266 | 0 | return; |
1267 | 0 | } |
1268 | | |
1269 | 0 | keylen = pdf_compute_object_key(crypt, &crypt->strf, num, gen, key, 32); |
1270 | |
|
1271 | 0 | if (crypt->strf.method == PDF_CRYPT_RC4) |
1272 | 0 | { |
1273 | 0 | fz_arc4 arc4; |
1274 | 0 | fz_arc4_init(&arc4, key, keylen); |
1275 | 0 | while (n > 0) |
1276 | 0 | { |
1277 | 0 | size_t len = n; |
1278 | 0 | if (len > (int)sizeof(buffer)) |
1279 | 0 | len = sizeof(buffer); |
1280 | 0 | fz_arc4_encrypt(&arc4, buffer, s, len); |
1281 | 0 | write_data(ctx, arg, buffer, len); |
1282 | 0 | s += len; |
1283 | 0 | n -= len; |
1284 | 0 | } |
1285 | 0 | return; |
1286 | 0 | } |
1287 | | |
1288 | 0 | if (crypt->strf.method == PDF_CRYPT_AESV2 || crypt->strf.method == PDF_CRYPT_AESV3) |
1289 | 0 | { |
1290 | 0 | size_t len = 0; |
1291 | 0 | fz_aes aes; |
1292 | 0 | unsigned char iv[16]; |
1293 | | |
1294 | | /* Empty strings can be represented by empty strings */ |
1295 | 0 | if (n == 0) |
1296 | 0 | return; |
1297 | | |
1298 | 0 | if (fz_aes_setkey_enc(&aes, key, keylen * 8)) |
1299 | 0 | fz_throw(ctx, FZ_ERROR_FORMAT, "AES key init failed (keylen=%d)", keylen * 8); |
1300 | | |
1301 | 0 | fz_memrnd(ctx, iv, 16); |
1302 | 0 | write_data(ctx, arg, iv, 16); |
1303 | |
|
1304 | 0 | while (n > 0) |
1305 | 0 | { |
1306 | 0 | len = n; |
1307 | 0 | if (len > 16) |
1308 | 0 | len = 16; |
1309 | 0 | memcpy(buffer, s, len); |
1310 | 0 | if (len != 16) |
1311 | 0 | memset(&buffer[len], 16-(int)len, 16-len); |
1312 | 0 | fz_aes_crypt_cbc(&aes, FZ_AES_ENCRYPT, 16, iv, buffer, buffer+16); |
1313 | 0 | write_data(ctx, arg, buffer+16, 16); |
1314 | 0 | s += len; |
1315 | 0 | n -= len; |
1316 | 0 | } |
1317 | 0 | if (len == 16) { |
1318 | 0 | memset(buffer, 16, 16); |
1319 | 0 | fz_aes_crypt_cbc(&aes, FZ_AES_ENCRYPT, 16, iv, buffer, buffer+16); |
1320 | 0 | write_data(ctx, arg, buffer+16, 16); |
1321 | 0 | } |
1322 | 0 | return; |
1323 | 0 | } |
1324 | | |
1325 | | /* Should never happen, but... */ |
1326 | 0 | write_data(ctx, arg, s, n); |
1327 | 0 | } |
1328 | | |
1329 | | size_t pdf_encrypted_len(fz_context *ctx, pdf_crypt *crypt, int num, int gen, size_t len) |
1330 | 0 | { |
1331 | 0 | if (crypt == NULL) |
1332 | 0 | return len; |
1333 | | |
1334 | 0 | if (crypt->strf.method == PDF_CRYPT_AESV2 || crypt->strf.method == PDF_CRYPT_AESV3) |
1335 | 0 | { |
1336 | 0 | len += 16; /* 16 for IV */ |
1337 | 0 | if ((len & 15) == 0) |
1338 | 0 | len += 16; /* Another 16 if our last block is full anyway */ |
1339 | 0 | len = (len + 15) & ~15; /* And pad to the block */ |
1340 | 0 | } |
1341 | |
|
1342 | 0 | return len; |
1343 | 0 | } |
1344 | | |
1345 | | /* PDF 2.0 algorithm 8 */ |
1346 | | static void |
1347 | | pdf_compute_user_password_r6(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen, unsigned char *outputpw, unsigned char *outputencryption) |
1348 | 0 | { |
1349 | 0 | unsigned char validationsalt[8]; |
1350 | 0 | unsigned char keysalt[8]; |
1351 | 0 | unsigned char hash[32]; |
1352 | 0 | unsigned char iv[16]; |
1353 | 0 | fz_aes aes; |
1354 | | |
1355 | | /* Step a) - Generate random salts. */ |
1356 | 0 | fz_memrnd(ctx, validationsalt, nelem(validationsalt)); |
1357 | 0 | fz_memrnd(ctx, keysalt, nelem(keysalt)); |
1358 | | |
1359 | | /* Step a) - Compute 32 byte hash given password and validation salt. */ |
1360 | 0 | pdf_compute_hardened_hash_r6(ctx, password, pwlen, validationsalt, NULL, outputpw); |
1361 | 0 | memcpy(outputpw + 32, validationsalt, nelem(validationsalt)); |
1362 | 0 | memcpy(outputpw + 40, keysalt, nelem(keysalt)); |
1363 | | |
1364 | | /* Step b) - Compute 32 byte hash given password and user salt. */ |
1365 | 0 | pdf_compute_hardened_hash_r6(ctx, password, pwlen, keysalt, NULL, hash); |
1366 | | |
1367 | | /* Step b) - Use hash as AES-key when encrypting the file encryption key. */ |
1368 | 0 | memset(iv, 0, sizeof(iv)); |
1369 | 0 | (void)fz_aes_setkey_enc(&aes, hash, 256); |
1370 | 0 | fz_aes_crypt_cbc(&aes, FZ_AES_ENCRYPT, 32, iv, crypt->key, outputencryption); |
1371 | 0 | } |
1372 | | |
1373 | | /* PDF 2.0 algorithm 9 */ |
1374 | | static void |
1375 | | pdf_compute_owner_password_r6(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen, unsigned char *outputpw, unsigned char *outputencryption) |
1376 | 0 | { |
1377 | 0 | unsigned char validationsalt[8]; |
1378 | 0 | unsigned char keysalt[8]; |
1379 | 0 | unsigned char hash[32]; |
1380 | 0 | unsigned char iv[16]; |
1381 | 0 | fz_aes aes; |
1382 | | |
1383 | | /* Step a) - Generate random salts. */ |
1384 | 0 | fz_memrnd(ctx, validationsalt, nelem(validationsalt)); |
1385 | 0 | fz_memrnd(ctx, keysalt, nelem(keysalt)); |
1386 | | |
1387 | | /* Step a) - Compute 32 byte hash given owner password, validation salt and user password. */ |
1388 | 0 | pdf_compute_hardened_hash_r6(ctx, password, pwlen, validationsalt, crypt->u, outputpw); |
1389 | 0 | memcpy(outputpw + 32, validationsalt, nelem(validationsalt)); |
1390 | 0 | memcpy(outputpw + 40, keysalt, nelem(keysalt)); |
1391 | | |
1392 | | /* Step b) - Compute 32 byte hash given owner password, user salt and user password. */ |
1393 | 0 | pdf_compute_hardened_hash_r6(ctx, password, pwlen, keysalt, crypt->u, hash); |
1394 | | |
1395 | | /* Step b) - Use hash as AES-key when encrypting the file encryption key. */ |
1396 | 0 | memset(iv, 0, sizeof(iv)); |
1397 | 0 | (void)fz_aes_setkey_enc(&aes, hash, 256); |
1398 | 0 | fz_aes_crypt_cbc(&aes, FZ_AES_ENCRYPT, 32, iv, crypt->key, outputencryption); |
1399 | 0 | } |
1400 | | |
1401 | | /* PDF 2.0 algorithm 10 */ |
1402 | | static void |
1403 | | pdf_compute_permissions_r6(fz_context *ctx, pdf_crypt *crypt, unsigned char *output) |
1404 | 0 | { |
1405 | 0 | unsigned char buf[16]; |
1406 | 0 | unsigned char iv[16]; |
1407 | 0 | fz_aes aes; |
1408 | | |
1409 | | /* Steps a) and b) - Extend permissions field and put into lower order bytes. */ |
1410 | 0 | memcpy(buf, (unsigned char *) &crypt->p, 4); |
1411 | 0 | memset(&buf[4], 0xff, 4); |
1412 | | |
1413 | | /* Step c) - Encode EncryptMetadata as T/F. */ |
1414 | 0 | buf[8] = crypt->encrypt_metadata ? 'T' : 'F'; |
1415 | | |
1416 | | /* Step d) - Encode ASCII characters "adb". */ |
1417 | 0 | buf[9] = 'a'; |
1418 | 0 | buf[10] = 'd'; |
1419 | 0 | buf[11] = 'b'; |
1420 | | |
1421 | | /* Step e) - Encode 4 random bytes. */ |
1422 | 0 | fz_memrnd(ctx, &buf[12], 4); |
1423 | | |
1424 | | /* Step f) - Use file encryption key as AES-key when encrypting buffer. */ |
1425 | 0 | memset(iv, 0, sizeof(iv)); |
1426 | 0 | (void)fz_aes_setkey_enc(&aes, crypt->key, 256); |
1427 | 0 | fz_aes_crypt_cbc(&aes, FZ_AES_ENCRYPT, 16, iv, buf, output); |
1428 | 0 | } |
1429 | | |
1430 | | pdf_crypt * |
1431 | | pdf_new_encrypt(fz_context *ctx, const char *opwd_utf8, const char *upwd_utf8, pdf_obj *id, int permissions, int algorithm) |
1432 | 0 | { |
1433 | 0 | pdf_crypt *crypt; |
1434 | 0 | int v, r, method, length; |
1435 | 0 | unsigned char opwd[2048]; |
1436 | 0 | unsigned char upwd[2048]; |
1437 | 0 | size_t opwdlen, upwdlen; |
1438 | |
|
1439 | 0 | crypt = fz_malloc_struct(ctx, pdf_crypt); |
1440 | | |
1441 | | /* Extract file identifier string */ |
1442 | |
|
1443 | 0 | if (pdf_is_string(ctx, id)) |
1444 | 0 | crypt->id = pdf_keep_obj(ctx, id); |
1445 | 0 | else |
1446 | 0 | fz_warn(ctx, "missing file identifier, may not be able to do decryption"); |
1447 | |
|
1448 | 0 | switch (algorithm) |
1449 | 0 | { |
1450 | 0 | case PDF_ENCRYPT_RC4_40: |
1451 | 0 | v = 1; r = 2; method = PDF_CRYPT_RC4; length = 40; break; |
1452 | 0 | case PDF_ENCRYPT_RC4_128: |
1453 | 0 | v = 2; r = 3; method = PDF_CRYPT_RC4; length = 128; break; |
1454 | 0 | case PDF_ENCRYPT_AES_128: |
1455 | 0 | v = 4; r = 4; method = PDF_CRYPT_AESV2; length = 128; break; |
1456 | 0 | case PDF_ENCRYPT_AES_256: |
1457 | 0 | v = 5; r = 6; method = PDF_CRYPT_AESV3; length = 256; break; |
1458 | 0 | default: |
1459 | 0 | fz_throw(ctx, FZ_ERROR_FORMAT, "invalid encryption method"); |
1460 | 0 | } |
1461 | | |
1462 | 0 | crypt->v = v; |
1463 | 0 | crypt->r = r; |
1464 | 0 | crypt->length = length; |
1465 | 0 | crypt->cf = NULL; |
1466 | 0 | crypt->stmf.method = method; |
1467 | 0 | crypt->stmf.length = length; |
1468 | 0 | crypt->strf.method = method; |
1469 | 0 | crypt->strf.length = length; |
1470 | 0 | crypt->encrypt_metadata = 1; |
1471 | 0 | crypt->p = (permissions & 0xf3c) | 0xfffff0c0; |
1472 | 0 | memset(crypt->o, 0, sizeof (crypt->o)); |
1473 | 0 | memset(crypt->u, 0, sizeof (crypt->u)); |
1474 | 0 | memset(crypt->oe, 0, sizeof (crypt->oe)); |
1475 | 0 | memset(crypt->ue, 0, sizeof (crypt->ue)); |
1476 | |
|
1477 | 0 | if (crypt->r <= 4) |
1478 | 0 | { |
1479 | 0 | pdf_docenc_from_utf8((char *) opwd, opwd_utf8, sizeof opwd); |
1480 | 0 | pdf_docenc_from_utf8((char *) upwd, upwd_utf8, sizeof upwd); |
1481 | 0 | } |
1482 | 0 | else |
1483 | 0 | { |
1484 | 0 | pdf_saslprep_from_utf8((char *) opwd, opwd_utf8, sizeof opwd); |
1485 | 0 | pdf_saslprep_from_utf8((char *) upwd, upwd_utf8, sizeof upwd); |
1486 | 0 | } |
1487 | |
|
1488 | 0 | opwdlen = strlen((char *) opwd); |
1489 | 0 | upwdlen = strlen((char *) upwd); |
1490 | |
|
1491 | 0 | if (crypt->r <= 4) |
1492 | 0 | { |
1493 | 0 | pdf_compute_owner_password(ctx, crypt, opwd, opwdlen, upwd, upwdlen, crypt->o); |
1494 | 0 | pdf_compute_user_password(ctx, crypt, upwd, upwdlen, crypt->u); |
1495 | 0 | } |
1496 | 0 | else if (crypt->r == 6) |
1497 | 0 | { |
1498 | | /* 7.6.4.4.1 states that the file encryption key are 256 random bits. */ |
1499 | 0 | fz_memrnd(ctx, crypt->key, nelem(crypt->key)); |
1500 | |
|
1501 | 0 | pdf_compute_user_password_r6(ctx, crypt, upwd, upwdlen, crypt->u, crypt->ue); |
1502 | 0 | pdf_compute_owner_password_r6(ctx, crypt, opwd, opwdlen, crypt->o, crypt->oe); |
1503 | 0 | pdf_compute_permissions_r6(ctx, crypt, crypt->perms); |
1504 | 0 | } |
1505 | |
|
1506 | 0 | return crypt; |
1507 | 0 | } |