1 // Copyright 2014 PDFium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
6
7 #include "core/fpdfapi/parser/cpdf_security_handler.h"
8
9 #include <time.h>
10
11 #include <algorithm>
12 #include <utility>
13 #include <vector>
14
15 #include "core/fdrm/fx_crypt.h"
16 #include "core/fpdfapi/parser/cpdf_array.h"
17 #include "core/fpdfapi/parser/cpdf_crypto_handler.h"
18 #include "core/fpdfapi/parser/cpdf_dictionary.h"
19 #include "core/fpdfapi/parser/cpdf_object.h"
20 #include "core/fpdfapi/parser/cpdf_string.h"
21 #include "core/fxcrt/fx_random.h"
22 #include "third_party/base/ptr_util.h"
23
24 namespace {
25
26 const uint8_t kDefaultPasscode[32] = {
27 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, 0x64, 0x00, 0x4e,
28 0x56, 0xff, 0xfa, 0x01, 0x08, 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68,
29 0x3e, 0x80, 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a};
30
GetPassCode(const ByteString & password,pdfium::span<uint8_t> output)31 void GetPassCode(const ByteString& password, pdfium::span<uint8_t> output) {
32 DCHECK_EQ(sizeof(kDefaultPasscode), output.size());
33 size_t len = std::min(password.GetLength(), output.size());
34 size_t remaining = output.size() - len;
35 memcpy(output.data(), password.raw_str(), len);
36 if (remaining)
37 memcpy(&output[len], kDefaultPasscode, remaining);
38 }
39
CalcEncryptKey(const CPDF_Dictionary * pEncrypt,const ByteString & password,uint8_t * key,size_t keylen,bool ignore_metadata,const ByteString & file_id)40 void CalcEncryptKey(const CPDF_Dictionary* pEncrypt,
41 const ByteString& password,
42 uint8_t* key,
43 size_t keylen,
44 bool ignore_metadata,
45 const ByteString& file_id) {
46 uint8_t passcode[32];
47 GetPassCode(password, passcode);
48 CRYPT_md5_context md5 = CRYPT_MD5Start();
49 CRYPT_MD5Update(&md5, passcode);
50 ByteString okey = pEncrypt->GetStringFor("O");
51 CRYPT_MD5Update(&md5, okey.raw_span());
52 uint32_t perm = pEncrypt->GetIntegerFor("P");
53 CRYPT_MD5Update(&md5, pdfium::as_bytes(pdfium::make_span(&perm, 1)));
54 if (!file_id.IsEmpty())
55 CRYPT_MD5Update(&md5, file_id.raw_span());
56 const bool is_revision_3_or_greater = pEncrypt->GetIntegerFor("R") >= 3;
57 if (!ignore_metadata && is_revision_3_or_greater &&
58 !pEncrypt->GetBooleanFor("EncryptMetadata", true)) {
59 constexpr uint32_t tag = 0xFFFFFFFF;
60 CRYPT_MD5Update(&md5, pdfium::as_bytes(pdfium::make_span(&tag, 1)));
61 }
62 uint8_t digest[16];
63 CRYPT_MD5Finish(&md5, digest);
64 size_t copy_len = std::min(keylen, sizeof(digest));
65 if (is_revision_3_or_greater) {
66 for (int i = 0; i < 50; i++)
67 CRYPT_MD5Generate({digest, copy_len}, digest);
68 }
69 memset(key, 0, keylen);
70 memcpy(key, digest, copy_len);
71 }
72
IsValidKeyLengthForCipher(int cipher,size_t keylen)73 bool IsValidKeyLengthForCipher(int cipher, size_t keylen) {
74 switch (cipher) {
75 case FXCIPHER_AES:
76 return keylen == 16 || keylen == 24 || keylen == 32;
77 case FXCIPHER_AES2:
78 return keylen == 32;
79 case FXCIPHER_RC4:
80 return keylen >= 5 && keylen <= 16;
81 case FXCIPHER_NONE:
82 return true;
83 default:
84 NOTREACHED();
85 }
86 return false;
87 }
88
89 #define FX_GET_32WORD(n, b, i) \
90 { \
91 (n) = (uint32_t)( \
92 ((uint64_t)(b)[(i)] << 24) | ((uint64_t)(b)[(i) + 1] << 16) | \
93 ((uint64_t)(b)[(i) + 2] << 8) | ((uint64_t)(b)[(i) + 3])); \
94 }
BigOrder64BitsMod3(uint8_t * data)95 int BigOrder64BitsMod3(uint8_t* data) {
96 uint64_t ret = 0;
97 for (int i = 0; i < 4; ++i) {
98 uint32_t value;
99 FX_GET_32WORD(value, data, 4 * i);
100 ret <<= 32;
101 ret |= value;
102 ret %= 3;
103 }
104 return (int)ret;
105 }
106
Revision6_Hash(const ByteString & password,const uint8_t * salt,const uint8_t * vector,uint8_t * hash)107 void Revision6_Hash(const ByteString& password,
108 const uint8_t* salt,
109 const uint8_t* vector,
110 uint8_t* hash) {
111 CRYPT_sha2_context sha;
112 CRYPT_SHA256Start(&sha);
113 CRYPT_SHA256Update(&sha, password.raw_str(), password.GetLength());
114 CRYPT_SHA256Update(&sha, salt, 8);
115 if (vector)
116 CRYPT_SHA256Update(&sha, vector, 48);
117
118 uint8_t digest[32];
119 CRYPT_SHA256Finish(&sha, digest);
120
121 std::vector<uint8_t> buf;
122 uint8_t* input = digest;
123 uint8_t* key = input;
124 uint8_t* iv = input + 16;
125 uint8_t* E = nullptr;
126 int iBufLen = 0;
127 std::vector<uint8_t> interDigest;
128 int i = 0;
129 int iBlockSize = 32;
130 CRYPT_aes_context aes = {};
131 while (i < 64 || i < E[iBufLen - 1] + 32) {
132 int iRoundSize = password.GetLength() + iBlockSize;
133 if (vector) {
134 iRoundSize += 48;
135 }
136 iBufLen = iRoundSize * 64;
137 buf.resize(iBufLen);
138 E = buf.data();
139 std::vector<uint8_t> content;
140 for (int j = 0; j < 64; ++j) {
141 content.insert(std::end(content), password.raw_str(),
142 password.raw_str() + password.GetLength());
143 content.insert(std::end(content), input, input + iBlockSize);
144 if (vector) {
145 content.insert(std::end(content), vector, vector + 48);
146 }
147 }
148 CRYPT_AESSetKey(&aes, key, 16, true);
149 CRYPT_AESSetIV(&aes, iv);
150 CRYPT_AESEncrypt(&aes, E, content.data(), iBufLen);
151 int iHash = 0;
152 switch (BigOrder64BitsMod3(E)) {
153 case 0:
154 iHash = 0;
155 iBlockSize = 32;
156 break;
157 case 1:
158 iHash = 1;
159 iBlockSize = 48;
160 break;
161 default:
162 iHash = 2;
163 iBlockSize = 64;
164 break;
165 }
166 interDigest.resize(iBlockSize);
167 input = interDigest.data();
168 if (iHash == 0) {
169 CRYPT_SHA256Generate(E, iBufLen, input);
170 } else if (iHash == 1) {
171 CRYPT_SHA384Generate(E, iBufLen, input);
172 } else if (iHash == 2) {
173 CRYPT_SHA512Generate(E, iBufLen, input);
174 }
175 key = input;
176 iv = input + 16;
177 ++i;
178 }
179 if (hash) {
180 memcpy(hash, input, 32);
181 }
182 }
183
184 } // namespace
185
186 CPDF_SecurityHandler::CPDF_SecurityHandler() = default;
187
188 CPDF_SecurityHandler::~CPDF_SecurityHandler() = default;
189
OnInit(const CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & password)190 bool CPDF_SecurityHandler::OnInit(const CPDF_Dictionary* pEncryptDict,
191 const CPDF_Array* pIdArray,
192 const ByteString& password) {
193 if (pIdArray)
194 m_FileId = pIdArray->GetStringAt(0);
195 else
196 m_FileId.clear();
197 if (!LoadDict(pEncryptDict))
198 return false;
199 if (m_Cipher == FXCIPHER_NONE)
200 return true;
201 if (!CheckSecurity(password))
202 return false;
203
204 InitCryptoHandler();
205 return true;
206 }
207
CheckSecurity(const ByteString & password)208 bool CPDF_SecurityHandler::CheckSecurity(const ByteString& password) {
209 if (!password.IsEmpty() && CheckPassword(password, true)) {
210 m_bOwnerUnlocked = true;
211 return true;
212 }
213 return CheckPassword(password, false);
214 }
215
GetPermissions() const216 uint32_t CPDF_SecurityHandler::GetPermissions() const {
217 uint32_t dwPermission = m_bOwnerUnlocked ? 0xFFFFFFFF : m_Permissions;
218 if (m_pEncryptDict && m_pEncryptDict->GetStringFor("Filter") == "Standard") {
219 // See PDF Reference 1.7, page 123, table 3.20.
220 dwPermission &= 0xFFFFFFFC;
221 dwPermission |= 0xFFFFF0C0;
222 }
223 return dwPermission;
224 }
225
LoadCryptInfo(const CPDF_Dictionary * pEncryptDict,const ByteString & name,int * cipher,size_t * keylen_out)226 static bool LoadCryptInfo(const CPDF_Dictionary* pEncryptDict,
227 const ByteString& name,
228 int* cipher,
229 size_t* keylen_out) {
230 int Version = pEncryptDict->GetIntegerFor("V");
231 *cipher = FXCIPHER_RC4;
232 *keylen_out = 0;
233 int keylen = 0;
234 if (Version >= 4) {
235 const CPDF_Dictionary* pCryptFilters = pEncryptDict->GetDictFor("CF");
236 if (!pCryptFilters)
237 return false;
238
239 if (name == "Identity") {
240 *cipher = FXCIPHER_NONE;
241 } else {
242 const CPDF_Dictionary* pDefFilter = pCryptFilters->GetDictFor(name);
243 if (!pDefFilter)
244 return false;
245
246 int nKeyBits = 0;
247 if (Version == 4) {
248 nKeyBits = pDefFilter->GetIntegerFor("Length", 0);
249 if (nKeyBits == 0) {
250 nKeyBits = pEncryptDict->GetIntegerFor("Length", 128);
251 }
252 } else {
253 nKeyBits = pEncryptDict->GetIntegerFor("Length", 256);
254 }
255 if (nKeyBits < 0)
256 return false;
257
258 if (nKeyBits < 40) {
259 nKeyBits *= 8;
260 }
261 keylen = nKeyBits / 8;
262 ByteString cipher_name = pDefFilter->GetStringFor("CFM");
263 if (cipher_name == "AESV2" || cipher_name == "AESV3")
264 *cipher = FXCIPHER_AES;
265 }
266 } else {
267 keylen = Version > 1 ? pEncryptDict->GetIntegerFor("Length", 40) / 8 : 5;
268 }
269
270 if (keylen < 0 || keylen > 32)
271 return false;
272 if (!IsValidKeyLengthForCipher(*cipher, keylen))
273 return false;
274
275 *keylen_out = keylen;
276 return true;
277 }
278
LoadDict(const CPDF_Dictionary * pEncryptDict)279 bool CPDF_SecurityHandler::LoadDict(const CPDF_Dictionary* pEncryptDict) {
280 m_pEncryptDict.Reset(pEncryptDict);
281 m_Version = pEncryptDict->GetIntegerFor("V");
282 m_Revision = pEncryptDict->GetIntegerFor("R");
283 m_Permissions = pEncryptDict->GetIntegerFor("P", -1);
284 if (m_Version < 4)
285 return LoadCryptInfo(pEncryptDict, ByteString(), &m_Cipher, &m_KeyLen);
286
287 ByteString stmf_name = pEncryptDict->GetStringFor("StmF");
288 ByteString strf_name = pEncryptDict->GetStringFor("StrF");
289 if (stmf_name != strf_name)
290 return false;
291
292 return LoadCryptInfo(pEncryptDict, strf_name, &m_Cipher, &m_KeyLen);
293 }
294
LoadDict(const CPDF_Dictionary * pEncryptDict,int * cipher,size_t * key_len)295 bool CPDF_SecurityHandler::LoadDict(const CPDF_Dictionary* pEncryptDict,
296 int* cipher,
297 size_t* key_len) {
298 m_pEncryptDict.Reset(pEncryptDict);
299 m_Version = pEncryptDict->GetIntegerFor("V");
300 m_Revision = pEncryptDict->GetIntegerFor("R");
301 m_Permissions = pEncryptDict->GetIntegerFor("P", -1);
302
303 ByteString strf_name;
304 ByteString stmf_name;
305 if (m_Version >= 4) {
306 stmf_name = pEncryptDict->GetStringFor("StmF");
307 strf_name = pEncryptDict->GetStringFor("StrF");
308 if (stmf_name != strf_name)
309 return false;
310 }
311 if (!LoadCryptInfo(pEncryptDict, strf_name, cipher, key_len))
312 return false;
313
314 m_Cipher = *cipher;
315 m_KeyLen = *key_len;
316 return true;
317 }
318
AES256_CheckPassword(const ByteString & password,bool bOwner)319 bool CPDF_SecurityHandler::AES256_CheckPassword(const ByteString& password,
320 bool bOwner) {
321 ASSERT(m_pEncryptDict);
322 ASSERT(m_Revision >= 5);
323
324 ByteString okey = m_pEncryptDict->GetStringFor("O");
325 if (okey.GetLength() < 48)
326 return false;
327
328 ByteString ukey = m_pEncryptDict->GetStringFor("U");
329 if (ukey.GetLength() < 48)
330 return false;
331
332 const uint8_t* pkey = bOwner ? okey.raw_str() : ukey.raw_str();
333 CRYPT_sha2_context sha;
334 uint8_t digest[32];
335 if (m_Revision >= 6) {
336 Revision6_Hash(password, (const uint8_t*)pkey + 32,
337 bOwner ? ukey.raw_str() : nullptr, digest);
338 } else {
339 CRYPT_SHA256Start(&sha);
340 CRYPT_SHA256Update(&sha, password.raw_str(), password.GetLength());
341 CRYPT_SHA256Update(&sha, pkey + 32, 8);
342 if (bOwner)
343 CRYPT_SHA256Update(&sha, ukey.raw_str(), 48);
344 CRYPT_SHA256Finish(&sha, digest);
345 }
346 if (memcmp(digest, pkey, 32) != 0)
347 return false;
348
349 if (m_Revision >= 6) {
350 Revision6_Hash(password, (const uint8_t*)pkey + 40,
351 bOwner ? ukey.raw_str() : nullptr, digest);
352 } else {
353 CRYPT_SHA256Start(&sha);
354 CRYPT_SHA256Update(&sha, password.raw_str(), password.GetLength());
355 CRYPT_SHA256Update(&sha, pkey + 40, 8);
356 if (bOwner)
357 CRYPT_SHA256Update(&sha, ukey.raw_str(), 48);
358 CRYPT_SHA256Finish(&sha, digest);
359 }
360 ByteString ekey = m_pEncryptDict->GetStringFor(bOwner ? "OE" : "UE");
361 if (ekey.GetLength() < 32)
362 return false;
363
364 CRYPT_aes_context aes = {};
365 CRYPT_AESSetKey(&aes, digest, sizeof(digest), false);
366 uint8_t iv[16] = {};
367 CRYPT_AESSetIV(&aes, iv);
368 CRYPT_AESDecrypt(&aes, m_EncryptKey, ekey.raw_str(), 32);
369 CRYPT_AESSetKey(&aes, m_EncryptKey, sizeof(m_EncryptKey), false);
370 CRYPT_AESSetIV(&aes, iv);
371 ByteString perms = m_pEncryptDict->GetStringFor("Perms");
372 if (perms.IsEmpty())
373 return false;
374
375 uint8_t perms_buf[16] = {};
376 size_t copy_len =
377 std::min(sizeof(perms_buf), static_cast<size_t>(perms.GetLength()));
378 memcpy(perms_buf, perms.raw_str(), copy_len);
379 uint8_t buf[16];
380 CRYPT_AESDecrypt(&aes, buf, perms_buf, 16);
381 if (buf[9] != 'a' || buf[10] != 'd' || buf[11] != 'b')
382 return false;
383
384 if (FXDWORD_GET_LSBFIRST(buf) != m_Permissions)
385 return false;
386
387 // Relax this check as there appear to be some non-conforming documents
388 // in the wild. The value in the buffer is the truth; if it requires us
389 // to encrypt metadata, but the dictionary says otherwise, then we may
390 // have a tampered doc. Otherwise, give it a pass.
391 return buf[8] == 'F' || IsMetadataEncrypted();
392 }
393
CheckPassword(const ByteString & password,bool bOwner)394 bool CPDF_SecurityHandler::CheckPassword(const ByteString& password,
395 bool bOwner) {
396 DCHECK_EQ(kUnknown, m_PasswordEncodingConversion);
397 if (CheckPasswordImpl(password, bOwner)) {
398 m_PasswordEncodingConversion = kNone;
399 return true;
400 }
401
402 ByteStringView password_view = password.AsStringView();
403 if (password_view.IsASCII())
404 return false;
405
406 if (m_Revision >= 5) {
407 ByteString utf8_password = WideString::FromLatin1(password_view).ToUTF8();
408 if (!CheckPasswordImpl(utf8_password, bOwner))
409 return false;
410
411 m_PasswordEncodingConversion = kLatin1ToUtf8;
412 return true;
413 }
414
415 ByteString latin1_password = WideString::FromUTF8(password_view).ToLatin1();
416 if (!CheckPasswordImpl(latin1_password, bOwner))
417 return false;
418
419 m_PasswordEncodingConversion = kUtf8toLatin1;
420 return true;
421 }
422
CheckPasswordImpl(const ByteString & password,bool bOwner)423 bool CPDF_SecurityHandler::CheckPasswordImpl(const ByteString& password,
424 bool bOwner) {
425 if (m_Revision >= 5)
426 return AES256_CheckPassword(password, bOwner);
427
428 if (bOwner)
429 return CheckOwnerPassword(password);
430
431 return CheckUserPassword(password, false) ||
432 CheckUserPassword(password, true);
433 }
434
CheckUserPassword(const ByteString & password,bool bIgnoreEncryptMeta)435 bool CPDF_SecurityHandler::CheckUserPassword(const ByteString& password,
436 bool bIgnoreEncryptMeta) {
437 CalcEncryptKey(m_pEncryptDict.Get(), password, m_EncryptKey, m_KeyLen,
438 bIgnoreEncryptMeta, m_FileId);
439 ByteString ukey =
440 m_pEncryptDict ? m_pEncryptDict->GetStringFor("U") : ByteString();
441 if (ukey.GetLength() < 16) {
442 return false;
443 }
444
445 uint8_t ukeybuf[32];
446 if (m_Revision == 2) {
447 memcpy(ukeybuf, kDefaultPasscode, sizeof(kDefaultPasscode));
448 CRYPT_ArcFourCryptBlock(ukeybuf, {m_EncryptKey, m_KeyLen});
449 return memcmp(ukey.c_str(), ukeybuf, 16) == 0;
450 }
451
452 uint8_t test[32] = {};
453 uint8_t tmpkey[32] = {};
454 uint32_t copy_len = std::min(sizeof(test), ukey.GetLength());
455
456 memcpy(test, ukey.c_str(), copy_len);
457 for (int32_t i = 19; i >= 0; i--) {
458 for (size_t j = 0; j < m_KeyLen; j++)
459 tmpkey[j] = m_EncryptKey[j] ^ static_cast<uint8_t>(i);
460 CRYPT_ArcFourCryptBlock(test, {tmpkey, m_KeyLen});
461 }
462 CRYPT_md5_context md5 = CRYPT_MD5Start();
463 CRYPT_MD5Update(&md5, kDefaultPasscode);
464 if (!m_FileId.IsEmpty())
465 CRYPT_MD5Update(&md5, m_FileId.raw_span());
466 CRYPT_MD5Finish(&md5, ukeybuf);
467 return memcmp(test, ukeybuf, 16) == 0;
468 }
469
GetUserPassword(const ByteString & owner_password) const470 ByteString CPDF_SecurityHandler::GetUserPassword(
471 const ByteString& owner_password) const {
472 constexpr size_t kRequiredOkeyLength = 32;
473 ByteString okey = m_pEncryptDict->GetStringFor("O");
474 size_t okeylen = std::min<size_t>(okey.GetLength(), kRequiredOkeyLength);
475 if (okeylen < kRequiredOkeyLength)
476 return ByteString();
477
478 DCHECK_EQ(kRequiredOkeyLength, okeylen);
479 uint8_t passcode[32];
480 GetPassCode(owner_password, passcode);
481 uint8_t digest[16];
482 CRYPT_MD5Generate(passcode, digest);
483 if (m_Revision >= 3) {
484 for (uint32_t i = 0; i < 50; i++)
485 CRYPT_MD5Generate(digest, digest);
486 }
487 uint8_t enckey[32] = {};
488 size_t copy_len = std::min(m_KeyLen, sizeof(digest));
489
490 memcpy(enckey, digest, copy_len);
491 uint8_t okeybuf[32] = {};
492 memcpy(okeybuf, okey.c_str(), okeylen);
493 pdfium::span<uint8_t> okey_span(okeybuf, okeylen);
494 if (m_Revision == 2) {
495 CRYPT_ArcFourCryptBlock(okey_span, {enckey, m_KeyLen});
496 } else {
497 for (int32_t i = 19; i >= 0; i--) {
498 uint8_t tempkey[32] = {};
499 for (size_t j = 0; j < m_KeyLen; j++)
500 tempkey[j] = enckey[j] ^ static_cast<uint8_t>(i);
501 CRYPT_ArcFourCryptBlock(okey_span, {tempkey, m_KeyLen});
502 }
503 }
504 size_t len = kRequiredOkeyLength;
505 while (len && kDefaultPasscode[len - 1] == okey_span[len - 1])
506 len--;
507
508 return ByteString(okeybuf, len);
509 }
510
CheckOwnerPassword(const ByteString & password)511 bool CPDF_SecurityHandler::CheckOwnerPassword(const ByteString& password) {
512 ByteString user_pass = GetUserPassword(password);
513 return CheckUserPassword(user_pass, false) ||
514 CheckUserPassword(user_pass, true);
515 }
516
IsMetadataEncrypted() const517 bool CPDF_SecurityHandler::IsMetadataEncrypted() const {
518 return m_pEncryptDict->GetBooleanFor("EncryptMetadata", true);
519 }
520
GetEncodedPassword(ByteStringView password) const521 ByteString CPDF_SecurityHandler::GetEncodedPassword(
522 ByteStringView password) const {
523 switch (m_PasswordEncodingConversion) {
524 case kNone:
525 // Do nothing.
526 return ByteString(password);
527 case kLatin1ToUtf8:
528 return WideString::FromLatin1(password).ToUTF8();
529 case kUtf8toLatin1:
530 return WideString::FromUTF8(password).ToLatin1();
531 default:
532 NOTREACHED();
533 return ByteString(password);
534 }
535 }
536
OnCreateInternal(CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & user_password,const ByteString & owner_password,bool bDefault)537 void CPDF_SecurityHandler::OnCreateInternal(CPDF_Dictionary* pEncryptDict,
538 const CPDF_Array* pIdArray,
539 const ByteString& user_password,
540 const ByteString& owner_password,
541 bool bDefault) {
542 ASSERT(pEncryptDict);
543
544 int cipher = FXCIPHER_NONE;
545 size_t key_len = 0;
546 if (!LoadDict(pEncryptDict, &cipher, &key_len)) {
547 return;
548 }
549 ByteString owner_password_copy = owner_password;
550 if (bDefault && owner_password.IsEmpty())
551 owner_password_copy = user_password;
552
553 if (m_Revision >= 5) {
554 uint32_t random[4];
555 FX_Random_GenerateMT(random, FX_ArraySize(random));
556 CRYPT_sha2_context sha;
557 CRYPT_SHA256Start(&sha);
558 CRYPT_SHA256Update(&sha, reinterpret_cast<uint8_t*>(random),
559 sizeof(random));
560 CRYPT_SHA256Finish(&sha, m_EncryptKey);
561 AES256_SetPassword(pEncryptDict, user_password, false);
562 if (bDefault)
563 AES256_SetPassword(pEncryptDict, owner_password_copy, true);
564 AES256_SetPerms(pEncryptDict);
565 return;
566 }
567 if (bDefault) {
568 uint8_t passcode[32];
569 GetPassCode(owner_password_copy, passcode);
570 uint8_t digest[16];
571 CRYPT_MD5Generate(passcode, digest);
572 if (m_Revision >= 3) {
573 for (uint32_t i = 0; i < 50; i++)
574 CRYPT_MD5Generate(digest, digest);
575 }
576 uint8_t enckey[32];
577 memcpy(enckey, digest, key_len);
578 GetPassCode(user_password, passcode);
579 CRYPT_ArcFourCryptBlock(passcode, {enckey, key_len});
580 uint8_t tempkey[32];
581 if (m_Revision >= 3) {
582 for (uint8_t i = 1; i <= 19; i++) {
583 for (size_t j = 0; j < key_len; j++)
584 tempkey[j] = enckey[j] ^ i;
585 CRYPT_ArcFourCryptBlock(passcode, {tempkey, key_len});
586 }
587 }
588 pEncryptDict->SetNewFor<CPDF_String>("O", ByteString(passcode, 32), false);
589 }
590
591 ByteString file_id;
592 if (pIdArray)
593 file_id = pIdArray->GetStringAt(0);
594
595 CalcEncryptKey(m_pEncryptDict.Get(), user_password, m_EncryptKey, key_len,
596 false, file_id);
597 if (m_Revision < 3) {
598 uint8_t tempbuf[32];
599 memcpy(tempbuf, kDefaultPasscode, sizeof(kDefaultPasscode));
600 CRYPT_ArcFourCryptBlock(tempbuf, {m_EncryptKey, key_len});
601 pEncryptDict->SetNewFor<CPDF_String>("U", ByteString(tempbuf, 32), false);
602 } else {
603 CRYPT_md5_context md5 = CRYPT_MD5Start();
604 CRYPT_MD5Update(&md5, kDefaultPasscode);
605 if (!file_id.IsEmpty())
606 CRYPT_MD5Update(&md5, file_id.raw_span());
607
608 uint8_t digest[32];
609 CRYPT_MD5Finish(&md5, digest);
610 pdfium::span<uint8_t> partial_digest_span(digest, 16);
611 CRYPT_ArcFourCryptBlock(partial_digest_span, {m_EncryptKey, key_len});
612 uint8_t tempkey[32];
613 for (uint8_t i = 1; i <= 19; i++) {
614 for (size_t j = 0; j < key_len; j++)
615 tempkey[j] = m_EncryptKey[j] ^ i;
616 CRYPT_ArcFourCryptBlock(partial_digest_span, {tempkey, key_len});
617 }
618 CRYPT_MD5Generate({digest, 16}, digest + 16);
619 pEncryptDict->SetNewFor<CPDF_String>("U", ByteString(digest, 32), false);
620 }
621 }
622
OnCreate(CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & user_password,const ByteString & owner_password)623 void CPDF_SecurityHandler::OnCreate(CPDF_Dictionary* pEncryptDict,
624 const CPDF_Array* pIdArray,
625 const ByteString& user_password,
626 const ByteString& owner_password) {
627 OnCreateInternal(pEncryptDict, pIdArray, user_password, owner_password, true);
628 InitCryptoHandler();
629 }
630
OnCreate(CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & user_password)631 void CPDF_SecurityHandler::OnCreate(CPDF_Dictionary* pEncryptDict,
632 const CPDF_Array* pIdArray,
633 const ByteString& user_password) {
634 OnCreateInternal(pEncryptDict, pIdArray, user_password, ByteString(), false);
635 InitCryptoHandler();
636 }
637
AES256_SetPassword(CPDF_Dictionary * pEncryptDict,const ByteString & password,bool bOwner)638 void CPDF_SecurityHandler::AES256_SetPassword(CPDF_Dictionary* pEncryptDict,
639 const ByteString& password,
640 bool bOwner) {
641 CRYPT_sha1_context sha;
642 CRYPT_SHA1Start(&sha);
643 CRYPT_SHA1Update(&sha, m_EncryptKey, sizeof(m_EncryptKey));
644 CRYPT_SHA1Update(&sha, (uint8_t*)"hello", 5);
645
646 uint8_t digest[20];
647 CRYPT_SHA1Finish(&sha, digest);
648
649 ByteString ukey = pEncryptDict->GetStringFor("U");
650 CRYPT_sha2_context sha2;
651 uint8_t digest1[48];
652 if (m_Revision >= 6) {
653 Revision6_Hash(password, digest, bOwner ? ukey.raw_str() : nullptr,
654 digest1);
655 } else {
656 CRYPT_SHA256Start(&sha2);
657 CRYPT_SHA256Update(&sha2, password.raw_str(), password.GetLength());
658 CRYPT_SHA256Update(&sha2, digest, 8);
659 if (bOwner) {
660 CRYPT_SHA256Update(&sha2, ukey.raw_str(), ukey.GetLength());
661 }
662 CRYPT_SHA256Finish(&sha2, digest1);
663 }
664 memcpy(digest1 + 32, digest, 16);
665 pEncryptDict->SetNewFor<CPDF_String>(bOwner ? "O" : "U",
666 ByteString(digest1, 48), false);
667 if (m_Revision >= 6) {
668 Revision6_Hash(password, digest + 8, bOwner ? ukey.raw_str() : nullptr,
669 digest1);
670 } else {
671 CRYPT_SHA256Start(&sha2);
672 CRYPT_SHA256Update(&sha2, password.raw_str(), password.GetLength());
673 CRYPT_SHA256Update(&sha2, digest + 8, 8);
674 if (bOwner) {
675 CRYPT_SHA256Update(&sha2, ukey.raw_str(), ukey.GetLength());
676 }
677 CRYPT_SHA256Finish(&sha2, digest1);
678 }
679 CRYPT_aes_context aes = {};
680 CRYPT_AESSetKey(&aes, digest1, 32, true);
681 uint8_t iv[16] = {};
682 CRYPT_AESSetIV(&aes, iv);
683 CRYPT_AESEncrypt(&aes, digest1, m_EncryptKey, sizeof(m_EncryptKey));
684 pEncryptDict->SetNewFor<CPDF_String>(bOwner ? "OE" : "UE",
685 ByteString(digest1, 32), false);
686 }
687
AES256_SetPerms(CPDF_Dictionary * pEncryptDict)688 void CPDF_SecurityHandler::AES256_SetPerms(CPDF_Dictionary* pEncryptDict) {
689 uint8_t buf[16];
690 buf[0] = static_cast<uint8_t>(m_Permissions);
691 buf[1] = static_cast<uint8_t>(m_Permissions >> 8);
692 buf[2] = static_cast<uint8_t>(m_Permissions >> 16);
693 buf[3] = static_cast<uint8_t>(m_Permissions >> 24);
694 buf[4] = 0xff;
695 buf[5] = 0xff;
696 buf[6] = 0xff;
697 buf[7] = 0xff;
698 buf[8] = pEncryptDict->GetBooleanFor("EncryptMetadata", true) ? 'T' : 'F';
699 buf[9] = 'a';
700 buf[10] = 'd';
701 buf[11] = 'b';
702
703 // In ISO 32000 Supplement for ExtensionLevel 3, Algorithm 3.10 says bytes 12
704 // to 15 should be random data.
705 uint32_t* buf_random = reinterpret_cast<uint32_t*>(&buf[12]);
706 FX_Random_GenerateMT(buf_random, 1);
707
708 CRYPT_aes_context aes = {};
709 CRYPT_AESSetKey(&aes, m_EncryptKey, sizeof(m_EncryptKey), true);
710
711 uint8_t iv[16] = {};
712 CRYPT_AESSetIV(&aes, iv);
713
714 uint8_t buf1[16];
715 CRYPT_AESEncrypt(&aes, buf1, buf, 16);
716 pEncryptDict->SetNewFor<CPDF_String>("Perms", ByteString(buf1, 16), false);
717 }
718
InitCryptoHandler()719 void CPDF_SecurityHandler::InitCryptoHandler() {
720 m_pCryptoHandler =
721 pdfium::MakeUnique<CPDF_CryptoHandler>(m_Cipher, m_EncryptKey, m_KeyLen);
722 }
723