1 #include "mupdf/fitz.h"
2 #include "mupdf/pdf.h"
3
4 #include <string.h>
5
6 enum
7 {
8 PDF_CRYPT_NONE,
9 PDF_CRYPT_RC4,
10 PDF_CRYPT_AESV2,
11 PDF_CRYPT_AESV3,
12 PDF_CRYPT_UNKNOWN,
13 };
14
15 typedef struct
16 {
17 int method;
18 int length;
19 } pdf_crypt_filter;
20
21 struct pdf_crypt
22 {
23 pdf_obj *id;
24
25 int v;
26 int length;
27 pdf_obj *cf;
28 pdf_crypt_filter stmf;
29 pdf_crypt_filter strf;
30
31 int r;
32 unsigned char o[48];
33 unsigned char u[48];
34 unsigned char oe[32];
35 unsigned char ue[32];
36 unsigned char perms[16];
37 int p;
38 int encrypt_metadata;
39
40 unsigned char key[32]; /* decryption key generated from password */
41 };
42
43 static void pdf_parse_crypt_filter(fz_context *ctx, pdf_crypt_filter *cf, pdf_crypt *crypt, pdf_obj *name);
44
45 pdf_crypt *
pdf_new_crypt(fz_context * ctx,pdf_obj * dict,pdf_obj * id)46 pdf_new_crypt(fz_context *ctx, pdf_obj *dict, pdf_obj *id)
47 {
48 pdf_crypt *crypt;
49 pdf_obj *obj;
50
51 crypt = fz_malloc_struct(ctx, pdf_crypt);
52
53 /* Common to all security handlers (PDF 1.7 table 3.18) */
54
55 obj = pdf_dict_get(ctx, dict, PDF_NAME(Filter));
56 if (!pdf_is_name(ctx, obj))
57 {
58 pdf_drop_crypt(ctx, crypt);
59 fz_throw(ctx, FZ_ERROR_GENERIC, "unspecified encryption handler");
60 }
61 if (!pdf_name_eq(ctx, PDF_NAME(Standard), obj))
62 {
63 pdf_drop_crypt(ctx, crypt);
64 fz_throw(ctx, FZ_ERROR_GENERIC, "unknown encryption handler: '%s'", pdf_to_name(ctx, obj));
65 }
66
67 crypt->v = 0;
68 obj = pdf_dict_get(ctx, dict, PDF_NAME(V));
69 if (pdf_is_int(ctx, obj))
70 crypt->v = pdf_to_int(ctx, obj);
71 if (crypt->v != 0 && crypt->v != 1 && crypt->v != 2 && crypt->v != 4 && crypt->v != 5)
72 {
73 pdf_drop_crypt(ctx, crypt);
74 fz_throw(ctx, FZ_ERROR_GENERIC, "unknown encryption version");
75 }
76
77 /* Standard security handler (PDF 1.7 table 3.19) */
78
79 obj = pdf_dict_get(ctx, dict, PDF_NAME(R));
80 if (pdf_is_int(ctx, obj))
81 crypt->r = pdf_to_int(ctx, obj);
82 else if (crypt->v <= 4)
83 {
84 fz_warn(ctx, "encryption dictionary missing revision value, guessing...");
85 if (crypt->v < 2)
86 crypt->r = 2;
87 else if (crypt->v == 2)
88 crypt->r = 3;
89 else if (crypt->v == 4)
90 crypt->r = 4;
91 }
92 else
93 {
94 pdf_drop_crypt(ctx, crypt);
95 fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing version and revision value");
96 }
97 if (crypt->r < 1 || crypt->r > 6)
98 {
99 int r = crypt->r;
100 pdf_drop_crypt(ctx, crypt);
101 fz_throw(ctx, FZ_ERROR_GENERIC, "unknown crypt revision %d", r);
102 }
103
104 obj = pdf_dict_get(ctx, dict, PDF_NAME(O));
105 if (pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) == 32)
106 memcpy(crypt->o, pdf_to_str_buf(ctx, obj), 32);
107 /* /O and /U are supposed to be 48 bytes long for revision 5 and 6, they're often longer, though */
108 else if (crypt->r >= 5 && pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) >= 48)
109 memcpy(crypt->o, pdf_to_str_buf(ctx, obj), 48);
110 else
111 {
112 pdf_drop_crypt(ctx, crypt);
113 fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing owner password");
114 }
115
116 obj = pdf_dict_get(ctx, dict, PDF_NAME(U));
117 if (pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) == 32)
118 memcpy(crypt->u, pdf_to_str_buf(ctx, obj), 32);
119 /* /O and /U are supposed to be 48 bytes long for revision 5 and 6, they're often longer, though */
120 else if (crypt->r >= 5 && pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) >= 48)
121 memcpy(crypt->u, pdf_to_str_buf(ctx, obj), 48);
122 else if (pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) < 32)
123 {
124 fz_warn(ctx, "encryption password key too short (%zu)", pdf_to_str_len(ctx, obj));
125 memcpy(crypt->u, pdf_to_str_buf(ctx, obj), pdf_to_str_len(ctx, obj));
126 }
127 else
128 {
129 pdf_drop_crypt(ctx, crypt);
130 fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing user password");
131 }
132
133 obj = pdf_dict_get(ctx, dict, PDF_NAME(P));
134 if (pdf_is_int(ctx, obj))
135 crypt->p = pdf_to_int(ctx, obj);
136 else
137 {
138 fz_warn(ctx, "encryption dictionary missing permissions");
139 crypt->p = 0xfffffffc;
140 }
141
142 if (crypt->r == 5 || crypt->r == 6)
143 {
144 obj = pdf_dict_get(ctx, dict, PDF_NAME(OE));
145 if (!pdf_is_string(ctx, obj) || pdf_to_str_len(ctx, obj) != 32)
146 {
147 pdf_drop_crypt(ctx, crypt);
148 fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing owner encryption key");
149 }
150 memcpy(crypt->oe, pdf_to_str_buf(ctx, obj), 32);
151
152 obj = pdf_dict_get(ctx, dict, PDF_NAME(UE));
153 if (!pdf_is_string(ctx, obj) || pdf_to_str_len(ctx, obj) != 32)
154 {
155 pdf_drop_crypt(ctx, crypt);
156 fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing user encryption key");
157 }
158 memcpy(crypt->ue, pdf_to_str_buf(ctx, obj), 32);
159 }
160
161 crypt->encrypt_metadata = 1;
162 obj = pdf_dict_get(ctx, dict, PDF_NAME(EncryptMetadata));
163 if (pdf_is_bool(ctx, obj))
164 crypt->encrypt_metadata = pdf_to_bool(ctx, obj);
165
166 /* Extract file identifier string */
167
168 if (pdf_is_array(ctx, id) && pdf_array_len(ctx, id) == 2)
169 {
170 obj = pdf_array_get(ctx, id, 0);
171 if (pdf_is_string(ctx, obj))
172 crypt->id = pdf_keep_obj(ctx, obj);
173 }
174 else
175 fz_warn(ctx, "missing file identifier, may not be able to do decryption");
176
177 /* Determine encryption key length */
178
179 crypt->length = 40;
180 if (crypt->v == 2 || crypt->v == 4)
181 {
182 obj = pdf_dict_get(ctx, dict, PDF_NAME(Length));
183 if (pdf_is_int(ctx, obj))
184 crypt->length = pdf_to_int(ctx, obj);
185
186 /* work-around for pdf generators that assume length is in bytes */
187 if (crypt->length < 40)
188 crypt->length = crypt->length * 8;
189
190 if (crypt->length % 8 != 0)
191 {
192 pdf_drop_crypt(ctx, crypt);
193 fz_throw(ctx, FZ_ERROR_GENERIC, "invalid encryption key length");
194 }
195 if (crypt->length < 40 || crypt->length > 128)
196 {
197 pdf_drop_crypt(ctx, crypt);
198 fz_throw(ctx, FZ_ERROR_GENERIC, "invalid encryption key length");
199 }
200 }
201
202 if (crypt->v == 5)
203 crypt->length = 256;
204
205 if (crypt->v == 0 || crypt->v == 1 || crypt->v == 2)
206 {
207 crypt->stmf.method = PDF_CRYPT_RC4;
208 crypt->stmf.length = crypt->length;
209
210 crypt->strf.method = PDF_CRYPT_RC4;
211 crypt->strf.length = crypt->length;
212 }
213
214 if (crypt->v == 4 || crypt->v == 5)
215 {
216 crypt->stmf.method = PDF_CRYPT_NONE;
217 crypt->stmf.length = crypt->length;
218
219 crypt->strf.method = PDF_CRYPT_NONE;
220 crypt->strf.length = crypt->length;
221
222 obj = pdf_dict_get(ctx, dict, PDF_NAME(CF));
223 if (pdf_is_dict(ctx, obj))
224 {
225 crypt->cf = pdf_keep_obj(ctx, obj);
226 }
227 else
228 {
229 crypt->cf = NULL;
230 }
231
232 fz_try(ctx)
233 {
234 obj = pdf_dict_get(ctx, dict, PDF_NAME(StmF));
235 if (pdf_is_name(ctx, obj))
236 pdf_parse_crypt_filter(ctx, &crypt->stmf, crypt, obj);
237
238 obj = pdf_dict_get(ctx, dict, PDF_NAME(StrF));
239 if (pdf_is_name(ctx, obj))
240 pdf_parse_crypt_filter(ctx, &crypt->strf, crypt, obj);
241 }
242 fz_catch(ctx)
243 {
244 pdf_drop_crypt(ctx, crypt);
245 fz_rethrow(ctx);
246 }
247
248 /* in crypt revision 4, the crypt filter determines the key length */
249 if (crypt->strf.method != PDF_CRYPT_NONE)
250 crypt->length = crypt->stmf.length;
251 }
252
253 return crypt;
254 }
255
256 void
pdf_drop_crypt(fz_context * ctx,pdf_crypt * crypt)257 pdf_drop_crypt(fz_context *ctx, pdf_crypt *crypt)
258 {
259 if (!crypt)
260 return;
261
262 pdf_drop_obj(ctx, crypt->id);
263 pdf_drop_obj(ctx, crypt->cf);
264 fz_free(ctx, crypt);
265 }
266
267 /*
268 * Parse a CF dictionary entry (PDF 1.7 table 3.22)
269 */
270
271 static void
pdf_parse_crypt_filter(fz_context * ctx,pdf_crypt_filter * cf,pdf_crypt * crypt,pdf_obj * name)272 pdf_parse_crypt_filter(fz_context *ctx, pdf_crypt_filter *cf, pdf_crypt *crypt, pdf_obj *name)
273 {
274 pdf_obj *obj;
275 pdf_obj *dict;
276 int is_identity = (pdf_name_eq(ctx, name, PDF_NAME(Identity)));
277 int is_stdcf = (!is_identity && pdf_name_eq(ctx, name, PDF_NAME(StdCF)));
278
279 if (!is_identity && !is_stdcf)
280 fz_throw(ctx, FZ_ERROR_GENERIC, "Crypt Filter not Identity or StdCF (%d 0 R)", pdf_to_num(ctx, crypt->cf));
281
282 cf->method = PDF_CRYPT_NONE;
283 cf->length = crypt->length;
284
285 if (!crypt->cf)
286 {
287 cf->method = (is_identity ? PDF_CRYPT_NONE : PDF_CRYPT_RC4);
288 return;
289 }
290
291 dict = pdf_dict_get(ctx, crypt->cf, name);
292 if (pdf_is_dict(ctx, dict))
293 {
294 obj = pdf_dict_get(ctx, dict, PDF_NAME(CFM));
295 if (pdf_is_name(ctx, obj))
296 {
297 if (pdf_name_eq(ctx, PDF_NAME(None), obj))
298 cf->method = PDF_CRYPT_NONE;
299 else if (pdf_name_eq(ctx, PDF_NAME(V2), obj))
300 cf->method = PDF_CRYPT_RC4;
301 else if (pdf_name_eq(ctx, PDF_NAME(AESV2), obj))
302 cf->method = PDF_CRYPT_AESV2;
303 else if (pdf_name_eq(ctx, PDF_NAME(AESV3), obj))
304 cf->method = PDF_CRYPT_AESV3;
305 else
306 fz_warn(ctx, "unknown encryption method: %s", pdf_to_name(ctx, obj));
307 }
308
309 obj = pdf_dict_get(ctx, dict, PDF_NAME(Length));
310 if (pdf_is_int(ctx, obj))
311 cf->length = pdf_to_int(ctx, obj);
312 }
313 else if (!is_identity)
314 fz_throw(ctx, FZ_ERROR_GENERIC, "cannot parse crypt filter (%d 0 R)", pdf_to_num(ctx, crypt->cf));
315
316 /* the length for crypt filters is supposed to be in bytes not bits */
317 if (cf->length < 40)
318 cf->length = cf->length * 8;
319
320 if ((cf->length % 8) != 0)
321 fz_throw(ctx, FZ_ERROR_GENERIC, "invalid key length: %d", cf->length);
322
323 if ((crypt->r == 1 || crypt->r == 2 || crypt->r == 3 || crypt->r == 4) &&
324 (cf->length < 40 || cf->length > 128))
325 fz_throw(ctx, FZ_ERROR_GENERIC, "invalid key length: %d", cf->length);
326 if ((crypt->r == 5 || crypt->r == 6) && cf->length != 256)
327 fz_throw(ctx, FZ_ERROR_GENERIC, "invalid key length: %d", cf->length);
328 }
329
330 /*
331 * Compute an encryption key (PDF 1.7 algorithm 3.2)
332 */
333
334 static const unsigned char padding[32] =
335 {
336 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41,
337 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08,
338 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80,
339 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a
340 };
341
342 static void
pdf_compute_encryption_key(fz_context * ctx,pdf_crypt * crypt,unsigned char * password,size_t pwlen,unsigned char * key)343 pdf_compute_encryption_key(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen, unsigned char *key)
344 {
345 unsigned char buf[32];
346 unsigned int p;
347 int i, n;
348 fz_md5 md5;
349
350 n = fz_clampi(crypt->length / 8, 0, 16);
351
352 /* Step 1 - copy and pad password string */
353 if (pwlen > 32)
354 pwlen = 32;
355 memcpy(buf, password, pwlen);
356 memcpy(buf + pwlen, padding, 32 - pwlen);
357
358 /* Step 2 - init md5 and pass value of step 1 */
359 fz_md5_init(&md5);
360 fz_md5_update(&md5, buf, 32);
361
362 /* Step 3 - pass O value */
363 fz_md5_update(&md5, crypt->o, 32);
364
365 /* Step 4 - pass P value as unsigned int, low-order byte first */
366 p = (unsigned int) crypt->p;
367 buf[0] = (p) & 0xFF;
368 buf[1] = (p >> 8) & 0xFF;
369 buf[2] = (p >> 16) & 0xFF;
370 buf[3] = (p >> 24) & 0xFF;
371 fz_md5_update(&md5, buf, 4);
372
373 /* Step 5 - pass first element of ID array */
374 fz_md5_update(&md5, (unsigned char *)pdf_to_str_buf(ctx, crypt->id), pdf_to_str_len(ctx, crypt->id));
375
376 /* Step 6 (revision 4 or greater) - if metadata is not encrypted pass 0xFFFFFFFF */
377 if (crypt->r >= 4)
378 {
379 if (!crypt->encrypt_metadata)
380 {
381 buf[0] = 0xFF;
382 buf[1] = 0xFF;
383 buf[2] = 0xFF;
384 buf[3] = 0xFF;
385 fz_md5_update(&md5, buf, 4);
386 }
387 }
388
389 /* Step 7 - finish the hash */
390 fz_md5_final(&md5, buf);
391
392 /* Step 8 (revision 3 or greater) - do some voodoo 50 times */
393 if (crypt->r >= 3)
394 {
395 for (i = 0; i < 50; i++)
396 {
397 fz_md5_init(&md5);
398 fz_md5_update(&md5, buf, n);
399 fz_md5_final(&md5, buf);
400 }
401 }
402
403 /* Step 9 - the key is the first 'n' bytes of the result */
404 memcpy(key, buf, n);
405 }
406
407 /*
408 * Compute an encryption key (PDF 1.7 ExtensionLevel 3 algorithm 3.2a)
409 */
410
411 static void
pdf_compute_encryption_key_r5(fz_context * ctx,pdf_crypt * crypt,unsigned char * password,size_t pwlen,int ownerkey,unsigned char * validationkey)412 pdf_compute_encryption_key_r5(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen, int ownerkey, unsigned char *validationkey)
413 {
414 unsigned char buffer[128 + 8 + 48];
415 fz_sha256 sha256;
416 fz_aes aes;
417
418 /* Step 2 - truncate UTF-8 password to 127 characters */
419
420 if (pwlen > 127)
421 pwlen = 127;
422
423 /* Step 3/4 - test password against owner/user key and compute encryption key */
424
425 memcpy(buffer, password, pwlen);
426 if (ownerkey)
427 {
428 memcpy(buffer + pwlen, crypt->o + 32, 8);
429 memcpy(buffer + pwlen + 8, crypt->u, 48);
430 }
431 else
432 memcpy(buffer + pwlen, crypt->u + 32, 8);
433
434 fz_sha256_init(&sha256);
435 fz_sha256_update(&sha256, buffer, pwlen + 8 + (ownerkey ? 48 : 0));
436 fz_sha256_final(&sha256, validationkey);
437
438 /* Step 3.5/4.5 - compute file encryption key from OE/UE */
439
440 if (ownerkey)
441 {
442 memcpy(buffer + pwlen, crypt->o + 40, 8);
443 memcpy(buffer + pwlen + 8, crypt->u, 48);
444 }
445 else
446 memcpy(buffer + pwlen, crypt->u + 40, 8);
447
448 fz_sha256_init(&sha256);
449 fz_sha256_update(&sha256, buffer, pwlen + 8 + (ownerkey ? 48 : 0));
450 fz_sha256_final(&sha256, buffer);
451
452 /* clear password buffer and use it as iv */
453 memset(buffer + 32, 0, sizeof(buffer) - 32);
454 if (fz_aes_setkey_dec(&aes, buffer, crypt->length))
455 fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=%d)", crypt->length);
456 fz_aes_crypt_cbc(&aes, FZ_AES_DECRYPT, 32, buffer + 32, ownerkey ? crypt->oe : crypt->ue, crypt->key);
457 }
458
459 /*
460 * Compute an encryption key (PDF 1.7 ExtensionLevel 8 algorithm)
461 *
462 * Adobe has not yet released the details, so the algorithm reference is:
463 * http://esec-lab.sogeti.com/post/The-undocumented-password-validation-algorithm-of-Adobe-Reader-X
464 */
465
466 static void
pdf_compute_hardened_hash_r6(fz_context * ctx,unsigned char * password,size_t pwlen,unsigned char salt[8],unsigned char * ownerkey,unsigned char hash[32])467 pdf_compute_hardened_hash_r6(fz_context *ctx, unsigned char *password, size_t pwlen, unsigned char salt[8], unsigned char *ownerkey, unsigned char hash[32])
468 {
469 unsigned char data[(128 + 64 + 48) * 64];
470 unsigned char block[64];
471 int block_size = 32;
472 size_t data_len = 0;
473 int i, j, sum;
474
475 fz_sha256 sha256;
476 fz_sha384 sha384;
477 fz_sha512 sha512;
478 fz_aes aes;
479
480 /* Step 1: calculate initial data block */
481 fz_sha256_init(&sha256);
482 fz_sha256_update(&sha256, password, pwlen);
483 fz_sha256_update(&sha256, salt, 8);
484 if (ownerkey)
485 fz_sha256_update(&sha256, ownerkey, 48);
486 fz_sha256_final(&sha256, block);
487
488 for (i = 0; i < 64 || i < data[data_len * 64 - 1] + 32; i++)
489 {
490 /* Step 2: repeat password and data block 64 times */
491 memcpy(data, password, pwlen);
492 memcpy(data + pwlen, block, block_size);
493 if (ownerkey)
494 memcpy(data + pwlen + block_size, ownerkey, 48);
495 data_len = pwlen + block_size + (ownerkey ? 48 : 0);
496 for (j = 1; j < 64; j++)
497 memcpy(data + j * data_len, data, data_len);
498
499 /* Step 3: encrypt data using data block as key and iv */
500 if (fz_aes_setkey_enc(&aes, block, 128))
501 fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=%d)", 128);
502 fz_aes_crypt_cbc(&aes, FZ_AES_ENCRYPT, data_len * 64, block + 16, data, data);
503
504 /* Step 4: determine SHA-2 hash size for this round */
505 for (j = 0, sum = 0; j < 16; j++)
506 sum += data[j];
507
508 /* Step 5: calculate data block for next round */
509 block_size = 32 + (sum % 3) * 16;
510 switch (block_size)
511 {
512 case 32:
513 fz_sha256_init(&sha256);
514 fz_sha256_update(&sha256, data, data_len * 64);
515 fz_sha256_final(&sha256, block);
516 break;
517 case 48:
518 fz_sha384_init(&sha384);
519 fz_sha384_update(&sha384, data, data_len * 64);
520 fz_sha384_final(&sha384, block);
521 break;
522 case 64:
523 fz_sha512_init(&sha512);
524 fz_sha512_update(&sha512, data, data_len * 64);
525 fz_sha512_final(&sha512, block);
526 break;
527 }
528 }
529
530 memset(data, 0, sizeof(data));
531 memcpy(hash, block, 32);
532 }
533
534 static void
pdf_compute_encryption_key_r6(fz_context * ctx,pdf_crypt * crypt,unsigned char * password,size_t pwlen,int ownerkey,unsigned char * validationkey)535 pdf_compute_encryption_key_r6(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen, int ownerkey, unsigned char *validationkey)
536 {
537 unsigned char hash[32];
538 unsigned char iv[16];
539 fz_aes aes;
540
541 if (pwlen > 127)
542 pwlen = 127;
543
544 pdf_compute_hardened_hash_r6(ctx, password, pwlen,
545 (ownerkey ? crypt->o : crypt->u) + 32,
546 ownerkey ? crypt->u : NULL, validationkey);
547 pdf_compute_hardened_hash_r6(ctx, password, pwlen,
548 (ownerkey ? crypt->o : crypt->u) + 40,
549 (ownerkey ? crypt->u : NULL),
550 hash);
551
552 memset(iv, 0, sizeof(iv));
553 if (fz_aes_setkey_dec(&aes, hash, 256))
554 fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=256)");
555 fz_aes_crypt_cbc(&aes, FZ_AES_DECRYPT, 32, iv, ownerkey ? crypt->oe : crypt->ue, crypt->key);
556 }
557
558 /*
559 * Computing the user password (PDF 1.7 algorithm 3.4 and 3.5)
560 * Also save the generated key for decrypting objects and streams in crypt->key.
561 */
562
563 static void
pdf_compute_user_password(fz_context * ctx,pdf_crypt * crypt,unsigned char * password,size_t pwlen,unsigned char * output)564 pdf_compute_user_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen, unsigned char *output)
565 {
566 int n = fz_clampi(crypt->length / 8, 0, 16);
567
568 if (crypt->r == 2)
569 {
570 fz_arc4 arc4;
571
572 pdf_compute_encryption_key(ctx, crypt, password, pwlen, crypt->key);
573 fz_arc4_init(&arc4, crypt->key, n);
574 fz_arc4_encrypt(&arc4, output, padding, 32);
575 }
576
577 if (crypt->r == 3 || crypt->r == 4)
578 {
579 unsigned char xor[32];
580 unsigned char digest[16];
581 fz_md5 md5;
582 fz_arc4 arc4;
583 int i, x;
584
585 pdf_compute_encryption_key(ctx, crypt, password, pwlen, crypt->key);
586
587 fz_md5_init(&md5);
588 fz_md5_update(&md5, padding, 32);
589 fz_md5_update(&md5, (unsigned char*)pdf_to_str_buf(ctx, crypt->id), pdf_to_str_len(ctx, crypt->id));
590 fz_md5_final(&md5, digest);
591
592 fz_arc4_init(&arc4, crypt->key, n);
593 fz_arc4_encrypt(&arc4, output, digest, 16);
594
595 for (x = 1; x <= 19; x++)
596 {
597 for (i = 0; i < n; i++)
598 xor[i] = crypt->key[i] ^ x;
599 fz_arc4_init(&arc4, xor, n);
600 fz_arc4_encrypt(&arc4, output, output, 16);
601 }
602
603 memcpy(output + 16, padding, 16);
604 }
605
606 if (crypt->r == 5)
607 {
608 pdf_compute_encryption_key_r5(ctx, crypt, password, pwlen, 0, output);
609 }
610
611 if (crypt->r == 6)
612 {
613 pdf_compute_encryption_key_r6(ctx, crypt, password, pwlen, 0, output);
614 }
615 }
616
617 /*
618 * Authenticating the user password (PDF 1.7 algorithm 3.6
619 * and ExtensionLevel 3 algorithm 3.11)
620 * This also has the side effect of saving a key generated
621 * from the password for decrypting objects and streams.
622 */
623
624 static int
pdf_authenticate_user_password(fz_context * ctx,pdf_crypt * crypt,unsigned char * password,size_t pwlen)625 pdf_authenticate_user_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen)
626 {
627 unsigned char output[32];
628 pdf_compute_user_password(ctx, crypt, password, pwlen, output);
629 if (crypt->r == 2 || crypt->r == 5 || crypt->r == 6)
630 return memcmp(output, crypt->u, 32) == 0;
631 if (crypt->r == 3 || crypt->r == 4)
632 return memcmp(output, crypt->u, 16) == 0;
633 return 0;
634 }
635
636 /*
637 * Authenticating the owner password (PDF 1.7 algorithm 3.7,
638 * ExtensionLevel 3 algorithm 3.12, ExtensionLevel 8 algorithm)
639 * Generates the user password from the owner password
640 * and calls pdf_authenticate_user_password.
641 */
642
643 static int
pdf_authenticate_owner_password(fz_context * ctx,pdf_crypt * crypt,unsigned char * ownerpass,size_t pwlen)644 pdf_authenticate_owner_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *ownerpass, size_t pwlen)
645 {
646 int n = fz_clampi(crypt->length / 8, 0, 16);
647
648 if (crypt->r == 2)
649 {
650 unsigned char pwbuf[32];
651 unsigned char key[16];
652 unsigned char userpass[32];
653 fz_md5 md5;
654 fz_arc4 arc4;
655
656 if (pwlen > 32)
657 pwlen = 32;
658 memcpy(pwbuf, ownerpass, pwlen);
659 memcpy(pwbuf + pwlen, padding, 32 - pwlen);
660
661 fz_md5_init(&md5);
662 fz_md5_update(&md5, pwbuf, 32);
663 fz_md5_final(&md5, key);
664
665 fz_arc4_init(&arc4, key, n);
666 fz_arc4_encrypt(&arc4, userpass, crypt->o, 32);
667
668 return pdf_authenticate_user_password(ctx, crypt, userpass, 32);
669 }
670
671 if (crypt->r == 3 || crypt->r == 4)
672 {
673 unsigned char pwbuf[32];
674 unsigned char key[16];
675 unsigned char xor[32];
676 unsigned char userpass[32];
677 int i, x;
678 fz_md5 md5;
679 fz_arc4 arc4;
680
681 if (pwlen > 32)
682 pwlen = 32;
683 memcpy(pwbuf, ownerpass, pwlen);
684 memcpy(pwbuf + pwlen, padding, 32 - pwlen);
685
686 fz_md5_init(&md5);
687 fz_md5_update(&md5, pwbuf, 32);
688 fz_md5_final(&md5, key);
689
690 for (i = 0; i < 50; i++)
691 {
692 fz_md5_init(&md5);
693 fz_md5_update(&md5, key, n);
694 fz_md5_final(&md5, key);
695 }
696
697 memcpy(userpass, crypt->o, 32);
698 for (x = 0; x < 20; x++)
699 {
700 for (i = 0; i < n; i++)
701 xor[i] = key[i] ^ (19 - x);
702 fz_arc4_init(&arc4, xor, n);
703 fz_arc4_encrypt(&arc4, userpass, userpass, 32);
704 }
705
706 return pdf_authenticate_user_password(ctx, crypt, userpass, 32);
707 }
708
709 if (crypt->r == 5)
710 {
711 unsigned char key[32];
712 pdf_compute_encryption_key_r5(ctx, crypt, ownerpass, pwlen, 1, key);
713 return !memcmp(key, crypt->o, 32);
714 }
715
716 if (crypt->r == 6)
717 {
718 unsigned char key[32];
719 pdf_compute_encryption_key_r6(ctx, crypt, ownerpass, pwlen, 1, key);
720 return !memcmp(key, crypt->o, 32);
721 }
722
723 return 0;
724 }
725
pdf_docenc_from_utf8(char * password,const char * utf8,int n)726 static void pdf_docenc_from_utf8(char *password, const char *utf8, int n)
727 {
728 int i = 0, k, c;
729 while (*utf8 && i + 1 < n)
730 {
731 utf8 += fz_chartorune(&c, utf8);
732 for (k = 0; k < 256; k++)
733 {
734 if (c == fz_unicode_from_pdf_doc_encoding[k])
735 {
736 password[i++] = k;
737 break;
738 }
739 }
740 /* FIXME: drop characters that can't be encoded or return an error? */
741 }
742 password[i] = 0;
743 }
744
pdf_saslprep_from_utf8(char * password,const char * utf8,int n)745 static void pdf_saslprep_from_utf8(char *password, const char *utf8, int n)
746 {
747 /* TODO: stringprep with SALSprep profile */
748 fz_strlcpy(password, utf8, n);
749 }
750
751 int
pdf_authenticate_password(fz_context * ctx,pdf_document * doc,const char * pwd_utf8)752 pdf_authenticate_password(fz_context *ctx, pdf_document *doc, const char *pwd_utf8)
753 {
754 char password[2048];
755 int auth;
756
757 if (!doc->crypt)
758 return 1; /* No password required */
759
760 password[0] = 0;
761 if (pwd_utf8)
762 {
763 if (doc->crypt->r <= 4)
764 pdf_docenc_from_utf8(password, pwd_utf8, sizeof password);
765 else
766 pdf_saslprep_from_utf8(password, pwd_utf8, sizeof password);
767 }
768
769 auth = 0;
770 if (pdf_authenticate_user_password(ctx, doc->crypt, (unsigned char *)password, strlen(password)))
771 auth = 2;
772 if (pdf_authenticate_owner_password(ctx, doc->crypt, (unsigned char *)password, strlen(password)))
773 auth |= 4;
774 else if (auth & 2)
775 {
776 /* We need to reauthenticate the user password,
777 * because the failed attempt to authenticate
778 * the owner password will have invalidated the
779 * stored keys. */
780 (void)pdf_authenticate_user_password(ctx, doc->crypt, (unsigned char *)password, strlen(password));
781 }
782
783 /* To match Acrobat, we choose not to allow an empty owner
784 * password, unless the user password is also the empty one. */
785 if (*password == 0 && auth == 4)
786 return 0;
787
788 return auth;
789 }
790
791 int
pdf_needs_password(fz_context * ctx,pdf_document * doc)792 pdf_needs_password(fz_context *ctx, pdf_document *doc)
793 {
794 if (!doc->crypt)
795 return 0;
796 if (pdf_authenticate_password(ctx, doc, ""))
797 return 0;
798 return 1;
799 }
800
801 int
pdf_has_permission(fz_context * ctx,pdf_document * doc,fz_permission p)802 pdf_has_permission(fz_context *ctx, pdf_document *doc, fz_permission p)
803 {
804 if (!doc->crypt)
805 return 1;
806 switch (p)
807 {
808 case FZ_PERMISSION_PRINT: return doc->crypt->p & PDF_PERM_PRINT;
809 case FZ_PERMISSION_COPY: return doc->crypt->p & PDF_PERM_COPY;
810 case FZ_PERMISSION_EDIT: return doc->crypt->p & PDF_PERM_MODIFY;
811 case FZ_PERMISSION_ANNOTATE: return doc->crypt->p & PDF_PERM_ANNOTATE;
812 }
813 return 1;
814 }
815
816 int
pdf_document_permissions(fz_context * ctx,pdf_document * doc)817 pdf_document_permissions(fz_context *ctx, pdf_document *doc)
818 {
819 if (doc->crypt)
820 return doc->crypt->p;
821 /* all permissions granted, reserved bits set appropriately */
822 return (int)0xFFFFFFFC;
823 }
824
825 /*
826 * Compute the owner password (PDF 1.7 algorithm 3.3)
827 */
828
829 static void
pdf_compute_owner_password(fz_context * ctx,pdf_crypt * crypt,unsigned char * opassword,size_t opwlen,unsigned char * upassword,size_t upwlen,unsigned char * output)830 pdf_compute_owner_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *opassword, size_t opwlen, unsigned char *upassword, size_t upwlen, unsigned char *output)
831 {
832 unsigned char obuf[32];
833 unsigned char ubuf[32];
834 unsigned char digest[32];
835 int i, n;
836 fz_md5 md5;
837 fz_arc4 arc4;
838
839 n = fz_clampi(crypt->length / 8, 0, 16);
840
841 /* Step 1 - copy and pad owner password string */
842 if (opwlen > 32)
843 opwlen = 32;
844 memcpy(obuf, opassword, opwlen);
845 memcpy(obuf + opwlen, padding, 32 - opwlen);
846
847 /* Step 2 - init md5 and pass value of step 1 */
848 fz_md5_init(&md5);
849 fz_md5_update(&md5, obuf, 32);
850 fz_md5_final(&md5, obuf);
851
852 /* Step 3 (revision 3 or greater) - do some voodoo 50 times */
853 if (crypt->r >= 3)
854 {
855 for (i = 0; i < 50; i++)
856 {
857 fz_md5_init(&md5);
858 fz_md5_update(&md5, obuf, n);
859 fz_md5_final(&md5, obuf);
860 }
861 }
862
863 /* Step 4 - encrypt owner password md5 hash */
864 fz_arc4_init(&arc4, obuf, n);
865
866 /* Step 5 - copy and pad user password string */
867 if (upwlen > 32)
868 upwlen = 32;
869 memcpy(ubuf, upassword, upwlen);
870 memcpy(ubuf + upwlen, padding, 32 - upwlen);
871
872 /* Step 6 - encrypt user password md5 hash */
873 fz_arc4_encrypt(&arc4, digest, ubuf, 32);
874
875 /* Step 7 - */
876 if (crypt->r >= 3)
877 {
878 unsigned char xor[32];
879 int x;
880
881 for (x = 1; x <= 19; x++)
882 {
883 for (i = 0; i < n; i++)
884 xor[i] = obuf[i] ^ x;
885 fz_arc4_init(&arc4, xor, n);
886 fz_arc4_encrypt(&arc4, digest, digest, 32);
887 }
888 }
889
890 /* Step 8 - the owner password is the first 16 bytes of the result */
891 memcpy(output, digest, 32);
892 }
893
894 unsigned char *
pdf_crypt_key(fz_context * ctx,pdf_crypt * crypt)895 pdf_crypt_key(fz_context *ctx, pdf_crypt *crypt)
896 {
897 if (crypt)
898 return crypt->key;
899 return NULL;
900 }
901
902 int
pdf_crypt_version(fz_context * ctx,pdf_crypt * crypt)903 pdf_crypt_version(fz_context *ctx, pdf_crypt *crypt)
904 {
905 if (crypt)
906 return crypt->v;
907 return 0;
908 }
909
pdf_crypt_revision(fz_context * ctx,pdf_crypt * crypt)910 int pdf_crypt_revision(fz_context *ctx, pdf_crypt *crypt)
911 {
912 if (crypt)
913 return crypt->r;
914 return 0;
915 }
916
917 char *
pdf_crypt_method(fz_context * ctx,pdf_crypt * crypt)918 pdf_crypt_method(fz_context *ctx, pdf_crypt *crypt)
919 {
920 if (crypt)
921 {
922 switch (crypt->strf.method)
923 {
924 case PDF_CRYPT_NONE: return "None";
925 case PDF_CRYPT_RC4: return "RC4";
926 case PDF_CRYPT_AESV2: return "AES";
927 case PDF_CRYPT_AESV3: return "AES";
928 case PDF_CRYPT_UNKNOWN: return "Unknown";
929 }
930 }
931 return "None";
932 }
933
934 int
pdf_crypt_length(fz_context * ctx,pdf_crypt * crypt)935 pdf_crypt_length(fz_context *ctx, pdf_crypt *crypt)
936 {
937 if (crypt)
938 return crypt->length;
939 return 0;
940 }
941
942 int
pdf_crypt_permissions(fz_context * ctx,pdf_crypt * crypt)943 pdf_crypt_permissions(fz_context *ctx, pdf_crypt *crypt)
944 {
945 if (crypt)
946 return crypt->p;
947 return 0;
948 }
949
950 int
pdf_crypt_encrypt_metadata(fz_context * ctx,pdf_crypt * crypt)951 pdf_crypt_encrypt_metadata(fz_context *ctx, pdf_crypt *crypt)
952 {
953 if (crypt)
954 return crypt->encrypt_metadata;
955 return 0;
956 }
957
958 unsigned char *
pdf_crypt_owner_password(fz_context * ctx,pdf_crypt * crypt)959 pdf_crypt_owner_password(fz_context *ctx, pdf_crypt *crypt)
960 {
961 if (crypt)
962 return crypt->o;
963 return NULL;
964 }
965
966 unsigned char *
pdf_crypt_user_password(fz_context * ctx,pdf_crypt * crypt)967 pdf_crypt_user_password(fz_context *ctx, pdf_crypt *crypt)
968 {
969 if (crypt)
970 return crypt->u;
971 return NULL;
972 }
973
974 unsigned char *
pdf_crypt_owner_encryption(fz_context * ctx,pdf_crypt * crypt)975 pdf_crypt_owner_encryption(fz_context *ctx, pdf_crypt *crypt)
976 {
977 if (crypt)
978 return crypt->oe;
979 return NULL;
980 }
981
982 unsigned char *
pdf_crypt_user_encryption(fz_context * ctx,pdf_crypt * crypt)983 pdf_crypt_user_encryption(fz_context *ctx, pdf_crypt *crypt)
984 {
985 if (crypt)
986 return crypt->ue;
987 return NULL;
988 }
989
990 unsigned char *
pdf_crypt_permissions_encryption(fz_context * ctx,pdf_crypt * crypt)991 pdf_crypt_permissions_encryption(fz_context *ctx, pdf_crypt *crypt)
992 {
993 if (crypt)
994 return crypt->perms;
995 return 0;
996 }
997
998 /*
999 * PDF 1.7 algorithm 3.1 and ExtensionLevel 3 algorithm 3.1a
1000 *
1001 * Using the global encryption key that was generated from the
1002 * password, create a new key that is used to decrypt individual
1003 * objects and streams. This key is based on the object and
1004 * generation numbers.
1005 */
1006
1007 static int
pdf_compute_object_key(pdf_crypt * crypt,pdf_crypt_filter * cf,int num,int gen,unsigned char * key,int max_len)1008 pdf_compute_object_key(pdf_crypt *crypt, pdf_crypt_filter *cf, int num, int gen, unsigned char *key, int max_len)
1009 {
1010 fz_md5 md5;
1011 unsigned char message[5];
1012 int key_len = crypt->length / 8;
1013
1014 if (key_len > max_len)
1015 key_len = max_len;
1016
1017 /* Encryption method version 0 is undocumented, but a lucky
1018 guess revealed that all streams/strings in those PDFs are
1019 encrypted using the same 40 bit file enryption key using RC4. */
1020 if (crypt->v == 0 || cf->method == PDF_CRYPT_AESV3)
1021 {
1022 memcpy(key, crypt->key, key_len);
1023 return key_len;
1024 }
1025
1026 fz_md5_init(&md5);
1027 fz_md5_update(&md5, crypt->key, key_len);
1028 message[0] = (num) & 0xFF;
1029 message[1] = (num >> 8) & 0xFF;
1030 message[2] = (num >> 16) & 0xFF;
1031 message[3] = (gen) & 0xFF;
1032 message[4] = (gen >> 8) & 0xFF;
1033 fz_md5_update(&md5, message, 5);
1034
1035 if (cf->method == PDF_CRYPT_AESV2)
1036 fz_md5_update(&md5, (unsigned char *)"sAlT", 4);
1037
1038 fz_md5_final(&md5, key);
1039
1040 if (key_len + 5 > 16)
1041 return 16;
1042 return key_len + 5;
1043 }
1044
1045 /*
1046 * PDF 1.7 algorithm 3.1 and ExtensionLevel 3 algorithm 3.1a
1047 *
1048 * Decrypt all strings in obj modifying the data in-place.
1049 * Recurse through arrays and dictionaries, but do not follow
1050 * indirect references.
1051 */
1052
1053 static void
pdf_crypt_obj_imp(fz_context * ctx,pdf_crypt * crypt,pdf_obj * obj,unsigned char * key,int keylen)1054 pdf_crypt_obj_imp(fz_context *ctx, pdf_crypt *crypt, pdf_obj *obj, unsigned char *key, int keylen)
1055 {
1056 unsigned char *s;
1057 int i;
1058
1059 if (pdf_is_indirect(ctx, obj))
1060 return;
1061
1062 if (pdf_is_string(ctx, obj))
1063 {
1064 size_t n = pdf_to_str_len(ctx, obj);
1065 s = (unsigned char *)pdf_to_str_buf(ctx, obj);
1066
1067 if (crypt->strf.method == PDF_CRYPT_RC4)
1068 {
1069 fz_arc4 arc4;
1070 fz_arc4_init(&arc4, key, keylen);
1071 fz_arc4_encrypt(&arc4, s, s, n);
1072 }
1073
1074 if (crypt->strf.method == PDF_CRYPT_AESV2 || crypt->strf.method == PDF_CRYPT_AESV3)
1075 {
1076 if (n == 0)
1077 {
1078 /* Empty strings are permissible */
1079 }
1080 else if (n & 15 || n < 32)
1081 fz_warn(ctx, "invalid string length for aes encryption");
1082 else
1083 {
1084 unsigned char iv[16];
1085 fz_aes aes;
1086 memcpy(iv, s, 16);
1087 if (fz_aes_setkey_dec(&aes, key, keylen * 8))
1088 fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=%d)", keylen * 8);
1089 fz_aes_crypt_cbc(&aes, FZ_AES_DECRYPT, n - 16, iv, s + 16, s);
1090 /* delete space used for iv and padding bytes at end */
1091 if (s[n - 17] < 1 || s[n - 17] > 16)
1092 fz_warn(ctx, "aes padding out of range");
1093 else
1094 pdf_set_str_len(ctx, obj, n - 16 - s[n - 17]);
1095 }
1096 }
1097 }
1098
1099 else if (pdf_is_array(ctx, obj))
1100 {
1101 int n = pdf_array_len(ctx, obj);
1102 for (i = 0; i < n; i++)
1103 {
1104 pdf_crypt_obj_imp(ctx, crypt, pdf_array_get(ctx, obj, i), key, keylen);
1105 }
1106 }
1107
1108 else if (pdf_is_dict(ctx, obj))
1109 {
1110 int n = pdf_dict_len(ctx, obj);
1111 for (i = 0; i < n; i++)
1112 {
1113 pdf_crypt_obj_imp(ctx, crypt, pdf_dict_get_val(ctx, obj, i), key, keylen);
1114 }
1115 }
1116 }
1117
1118 void
pdf_crypt_obj(fz_context * ctx,pdf_crypt * crypt,pdf_obj * obj,int num,int gen)1119 pdf_crypt_obj(fz_context *ctx, pdf_crypt *crypt, pdf_obj *obj, int num, int gen)
1120 {
1121 unsigned char key[32];
1122 int len;
1123
1124 len = pdf_compute_object_key(crypt, &crypt->strf, num, gen, key, 32);
1125
1126 pdf_crypt_obj_imp(ctx, crypt, obj, key, len);
1127 }
1128
1129 /*
1130 * PDF 1.7 algorithm 3.1 and ExtensionLevel 3 algorithm 3.1a
1131 *
1132 * Create filter suitable for de/encrypting a stream.
1133 */
1134 static fz_stream *
pdf_open_crypt_imp(fz_context * ctx,fz_stream * chain,pdf_crypt * crypt,pdf_crypt_filter * stmf,int num,int gen)1135 pdf_open_crypt_imp(fz_context *ctx, fz_stream *chain, pdf_crypt *crypt, pdf_crypt_filter *stmf, int num, int gen)
1136 {
1137 unsigned char key[32];
1138 int len;
1139
1140 len = pdf_compute_object_key(crypt, stmf, num, gen, key, 32);
1141
1142 if (stmf->method == PDF_CRYPT_RC4)
1143 return fz_open_arc4(ctx, chain, key, len);
1144
1145 if (stmf->method == PDF_CRYPT_AESV2 || stmf->method == PDF_CRYPT_AESV3)
1146 return fz_open_aesd(ctx, chain, key, len);
1147
1148 return fz_keep_stream(ctx, chain);
1149 }
1150
1151 fz_stream *
pdf_open_crypt(fz_context * ctx,fz_stream * chain,pdf_crypt * crypt,int num,int gen)1152 pdf_open_crypt(fz_context *ctx, fz_stream *chain, pdf_crypt *crypt, int num, int gen)
1153 {
1154 return pdf_open_crypt_imp(ctx, chain, crypt, &crypt->stmf, num, gen);
1155 }
1156
1157 fz_stream *
pdf_open_crypt_with_filter(fz_context * ctx,fz_stream * chain,pdf_crypt * crypt,pdf_obj * name,int num,int gen)1158 pdf_open_crypt_with_filter(fz_context *ctx, fz_stream *chain, pdf_crypt *crypt, pdf_obj *name, int num, int gen)
1159 {
1160 if (!pdf_name_eq(ctx, name, PDF_NAME(Identity)))
1161 {
1162 pdf_crypt_filter cf;
1163 pdf_parse_crypt_filter(ctx, &cf, crypt, name);
1164 return pdf_open_crypt_imp(ctx, chain, crypt, &cf, num, gen);
1165 }
1166 return fz_keep_stream(ctx, chain);
1167 }
1168
1169 void
pdf_print_crypt(fz_context * ctx,fz_output * out,pdf_crypt * crypt)1170 pdf_print_crypt(fz_context *ctx, fz_output *out, pdf_crypt *crypt)
1171 {
1172 int i;
1173
1174 fz_write_printf(ctx, out, "crypt {\n");
1175
1176 fz_write_printf(ctx, out, "\tv=%d length=%d\n", crypt->v, crypt->length);
1177 fz_write_printf(ctx, out, "\tstmf method=%d length=%d\n", crypt->stmf.method, crypt->stmf.length);
1178 fz_write_printf(ctx, out, "\tstrf method=%d length=%d\n", crypt->strf.method, crypt->strf.length);
1179 fz_write_printf(ctx, out, "\tr=%d\n", crypt->r);
1180
1181 fz_write_printf(ctx, out, "\to=<");
1182 for (i = 0; i < 32; i++)
1183 fz_write_printf(ctx, out, "%02X", crypt->o[i]);
1184 fz_write_printf(ctx, out, ">\n");
1185
1186 fz_write_printf(ctx, out, "\tu=<");
1187 for (i = 0; i < 32; i++)
1188 fz_write_printf(ctx, out, "%02X", crypt->u[i]);
1189 fz_write_printf(ctx, out, ">\n");
1190
1191 fz_write_printf(ctx, out, "}\n");
1192 }
1193
pdf_encrypt_data(fz_context * ctx,pdf_crypt * crypt,int num,int gen,void (* write_data)(fz_context * ctx,void *,const unsigned char *,size_t),void * arg,const unsigned char * s,size_t n)1194 void pdf_encrypt_data(fz_context *ctx, pdf_crypt *crypt, int num, int gen, void (*write_data)(fz_context *ctx, void *, const unsigned char *, size_t), void *arg, const unsigned char *s, size_t n)
1195 {
1196 unsigned char buffer[256];
1197 unsigned char key[32];
1198 int keylen;
1199
1200 if (crypt == NULL)
1201 {
1202 write_data(ctx, arg, s, n);
1203 return;
1204 }
1205
1206 keylen = pdf_compute_object_key(crypt, &crypt->strf, num, gen, key, 32);
1207
1208 if (crypt->strf.method == PDF_CRYPT_RC4)
1209 {
1210 fz_arc4 arc4;
1211 fz_arc4_init(&arc4, key, keylen);
1212 while (n > 0)
1213 {
1214 size_t len = n;
1215 if (len > (int)sizeof(buffer))
1216 len = sizeof(buffer);
1217 fz_arc4_encrypt(&arc4, buffer, s, len);
1218 write_data(ctx, arg, buffer, len);
1219 s += len;
1220 n -= len;
1221 }
1222 return;
1223 }
1224
1225 if (crypt->strf.method == PDF_CRYPT_AESV2 || crypt->strf.method == PDF_CRYPT_AESV3)
1226 {
1227 size_t len = 0;
1228 fz_aes aes;
1229 unsigned char iv[16];
1230
1231 /* Empty strings can be represented by empty strings */
1232 if (n == 0)
1233 return;
1234
1235 if (fz_aes_setkey_enc(&aes, key, keylen * 8))
1236 fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=%d)", keylen * 8);
1237
1238 fz_memrnd(ctx, iv, 16);
1239 write_data(ctx, arg, iv, 16);
1240
1241 while (n > 0)
1242 {
1243 len = n;
1244 if (len > 16)
1245 len = 16;
1246 memcpy(buffer, s, len);
1247 if (len != 16)
1248 memset(&buffer[len], 16-(int)len, 16-len);
1249 fz_aes_crypt_cbc(&aes, FZ_AES_ENCRYPT, 16, iv, buffer, buffer+16);
1250 write_data(ctx, arg, buffer+16, 16);
1251 s += len;
1252 n -= len;
1253 }
1254 if (len == 16) {
1255 memset(buffer, 16, 16);
1256 fz_aes_crypt_cbc(&aes, FZ_AES_ENCRYPT, 16, iv, buffer, buffer+16);
1257 write_data(ctx, arg, buffer+16, 16);
1258 }
1259 return;
1260 }
1261
1262 /* Should never happen, but... */
1263 write_data(ctx, arg, s, n);
1264 }
1265
pdf_encrypted_len(fz_context * ctx,pdf_crypt * crypt,int num,int gen,size_t len)1266 size_t pdf_encrypted_len(fz_context *ctx, pdf_crypt *crypt, int num, int gen, size_t len)
1267 {
1268 if (crypt == NULL)
1269 return len;
1270
1271 if (crypt->strf.method == PDF_CRYPT_AESV2 || crypt->strf.method == PDF_CRYPT_AESV3)
1272 {
1273 len += 16; /* 16 for IV */
1274 if ((len & 15) == 0)
1275 len += 16; /* Another 16 if our last block is full anyway */
1276 len = (len + 15) & ~15; /* And pad to the block */
1277 }
1278
1279 return len;
1280 }
1281
1282 /* PDF 2.0 algorithm 8 */
1283 static void
pdf_compute_user_password_r6(fz_context * ctx,pdf_crypt * crypt,unsigned char * password,size_t pwlen,unsigned char * outputpw,unsigned char * outputencryption)1284 pdf_compute_user_password_r6(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen, unsigned char *outputpw, unsigned char *outputencryption)
1285 {
1286 unsigned char validationsalt[8];
1287 unsigned char keysalt[8];
1288 unsigned char hash[32];
1289 unsigned char iv[16];
1290 fz_aes aes;
1291
1292 /* Step a) - Generate random salts. */
1293 fz_memrnd(ctx, validationsalt, nelem(validationsalt));
1294 fz_memrnd(ctx, keysalt, nelem(keysalt));
1295
1296 /* Step a) - Compute 32 byte hash given password and validation salt. */
1297 pdf_compute_hardened_hash_r6(ctx, password, pwlen, validationsalt, NULL, outputpw);
1298 memcpy(outputpw + 32, validationsalt, nelem(validationsalt));
1299 memcpy(outputpw + 40, keysalt, nelem(keysalt));
1300
1301 /* Step b) - Compute 32 byte hash given password and user salt. */
1302 pdf_compute_hardened_hash_r6(ctx, password, pwlen, keysalt, NULL, hash);
1303
1304 /* Step b) - Use hash as AES-key when encrypting the file encryption key. */
1305 memset(iv, 0, sizeof(iv));
1306 if (fz_aes_setkey_enc(&aes, hash, 256))
1307 fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=256)");
1308 fz_aes_crypt_cbc(&aes, FZ_AES_ENCRYPT, 32, iv, crypt->key, outputencryption);
1309 }
1310
1311 /* PDF 2.0 algorithm 9 */
1312 static void
pdf_compute_owner_password_r6(fz_context * ctx,pdf_crypt * crypt,unsigned char * password,size_t pwlen,unsigned char * outputpw,unsigned char * outputencryption)1313 pdf_compute_owner_password_r6(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, size_t pwlen, unsigned char *outputpw, unsigned char *outputencryption)
1314 {
1315 unsigned char validationsalt[8];
1316 unsigned char keysalt[8];
1317 unsigned char hash[32];
1318 unsigned char iv[16];
1319 fz_aes aes;
1320
1321 /* Step a) - Generate random salts. */
1322 fz_memrnd(ctx, validationsalt, nelem(validationsalt));
1323 fz_memrnd(ctx, keysalt, nelem(keysalt));
1324
1325 /* Step a) - Compute 32 byte hash given owner password, validation salt and user password. */
1326 pdf_compute_hardened_hash_r6(ctx, password, pwlen, validationsalt, crypt->u, outputpw);
1327 memcpy(outputpw + 32, validationsalt, nelem(validationsalt));
1328 memcpy(outputpw + 40, keysalt, nelem(keysalt));
1329
1330 /* Step b) - Compute 32 byte hash given owner password, user salt and user password. */
1331 pdf_compute_hardened_hash_r6(ctx, password, pwlen, keysalt, crypt->u, hash);
1332
1333 /* Step b) - Use hash as AES-key when encrypting the file encryption key. */
1334 memset(iv, 0, sizeof(iv));
1335 if (fz_aes_setkey_enc(&aes, hash, 256))
1336 fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=256)");
1337 fz_aes_crypt_cbc(&aes, FZ_AES_ENCRYPT, 32, iv, crypt->key, outputencryption);
1338 }
1339
1340 /* PDF 2.0 algorithm 10 */
1341 static void
pdf_compute_permissions_r6(fz_context * ctx,pdf_crypt * crypt,unsigned char * output)1342 pdf_compute_permissions_r6(fz_context *ctx, pdf_crypt *crypt, unsigned char *output)
1343 {
1344 unsigned char buf[16];
1345 unsigned char iv[16];
1346 fz_aes aes;
1347
1348 /* Steps a) and b) - Extend permissions field and put into lower order bytes. */
1349 memcpy(buf, (unsigned char *) &crypt->p, 4);
1350 memset(&buf[4], 0xff, 4);
1351
1352 /* Step c) - Encode EncryptMetadata as T/F. */
1353 buf[8] = crypt->encrypt_metadata ? 'T' : 'F';
1354
1355 /* Step d) - Encode ASCII characters "adb". */
1356 buf[9] = 'a';
1357 buf[10] = 'd';
1358 buf[11] = 'b';
1359
1360 /* Step e) - Encode 4 random bytes. */
1361 fz_memrnd(ctx, &buf[12], 4);
1362
1363 /* Step f) - Use file encryption key as AES-key when encrypting buffer. */
1364 memset(iv, 0, sizeof(iv));
1365 if (fz_aes_setkey_enc(&aes, crypt->key, 256))
1366 fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=256)");
1367 fz_aes_crypt_cbc(&aes, FZ_AES_ENCRYPT, 16, iv, buf, output);
1368 }
1369
1370 pdf_crypt *
pdf_new_encrypt(fz_context * ctx,const char * opwd_utf8,const char * upwd_utf8,pdf_obj * id,int permissions,int algorithm)1371 pdf_new_encrypt(fz_context *ctx, const char *opwd_utf8, const char *upwd_utf8, pdf_obj *id, int permissions, int algorithm)
1372 {
1373 pdf_crypt *crypt;
1374 int v, r, method, length;
1375 unsigned char opwd[2048];
1376 unsigned char upwd[2048];
1377 size_t opwdlen, upwdlen;
1378
1379 crypt = fz_malloc_struct(ctx, pdf_crypt);
1380
1381 /* Extract file identifier string */
1382
1383 if (pdf_is_string(ctx, id))
1384 crypt->id = pdf_keep_obj(ctx, id);
1385 else
1386 fz_warn(ctx, "missing file identifier, may not be able to do decryption");
1387
1388 switch (algorithm)
1389 {
1390 case PDF_ENCRYPT_RC4_40:
1391 v = 1; r = 2; method = PDF_CRYPT_RC4; length = 40; break;
1392 case PDF_ENCRYPT_RC4_128:
1393 v = 2; r = 3; method = PDF_CRYPT_RC4; length = 128; break;
1394 case PDF_ENCRYPT_AES_128:
1395 v = 4; r = 4; method = PDF_CRYPT_AESV2; length = 128; break;
1396 case PDF_ENCRYPT_AES_256:
1397 v = 5; r = 6; method = PDF_CRYPT_AESV3; length = 256; break;
1398 default:
1399 fz_throw(ctx, FZ_ERROR_GENERIC, "invalid encryption method");
1400 }
1401
1402 crypt->v = v;
1403 crypt->r = r;
1404 crypt->length = length;
1405 crypt->cf = NULL;
1406 crypt->stmf.method = method;
1407 crypt->stmf.length = length;
1408 crypt->strf.method = method;
1409 crypt->strf.length = length;
1410 crypt->encrypt_metadata = 1;
1411 crypt->p = (permissions & 0xf3c) | 0xfffff0c0;
1412 memset(crypt->o, 0, sizeof (crypt->o));
1413 memset(crypt->u, 0, sizeof (crypt->u));
1414 memset(crypt->oe, 0, sizeof (crypt->oe));
1415 memset(crypt->ue, 0, sizeof (crypt->ue));
1416
1417 if (crypt->r <= 4)
1418 {
1419 pdf_docenc_from_utf8((char *) opwd, opwd_utf8, sizeof opwd);
1420 pdf_docenc_from_utf8((char *) upwd, upwd_utf8, sizeof upwd);
1421 }
1422 else
1423 {
1424 pdf_saslprep_from_utf8((char *) opwd, opwd_utf8, sizeof opwd);
1425 pdf_saslprep_from_utf8((char *) upwd, upwd_utf8, sizeof upwd);
1426 }
1427
1428 opwdlen = strlen((char *) opwd);
1429 upwdlen = strlen((char *) upwd);
1430
1431 if (crypt->r <= 4)
1432 {
1433 pdf_compute_owner_password(ctx, crypt, opwd, opwdlen, upwd, upwdlen, crypt->o);
1434 pdf_compute_user_password(ctx, crypt, upwd, upwdlen, crypt->u);
1435 }
1436 else if (crypt->r == 6)
1437 {
1438 /* 7.6.4.4.1 states that the file encryption key are 256 random bits. */
1439 fz_memrnd(ctx, crypt->key, nelem(crypt->key));
1440
1441 pdf_compute_user_password_r6(ctx, crypt, upwd, upwdlen, crypt->u, crypt->ue);
1442 pdf_compute_owner_password_r6(ctx, crypt, opwd, opwdlen, crypt->o, crypt->oe);
1443 pdf_compute_permissions_r6(ctx, crypt, crypt->perms);
1444 }
1445
1446 return crypt;
1447 }
1448