1 // Copyright 2014 The PDFium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
6
7 #include "core/fpdfapi/parser/cpdf_security_handler.h"
8
9 #include <stdint.h>
10 #include <time.h>
11
12 #include <algorithm>
13 #include <utility>
14
15 #include "core/fdrm/fx_crypt.h"
16 #include "core/fpdfapi/parser/cpdf_array.h"
17 #include "core/fpdfapi/parser/cpdf_crypto_handler.h"
18 #include "core/fpdfapi/parser/cpdf_dictionary.h"
19 #include "core/fpdfapi/parser/cpdf_object.h"
20 #include "core/fpdfapi/parser/cpdf_string.h"
21 #include "core/fxcrt/data_vector.h"
22 #include "core/fxcrt/fx_random.h"
23 #include "third_party/base/check.h"
24 #include "third_party/base/check_op.h"
25 #include "third_party/base/notreached.h"
26
27 namespace {
28
29 const uint8_t kDefaultPasscode[32] = {
30 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, 0x64, 0x00, 0x4e,
31 0x56, 0xff, 0xfa, 0x01, 0x08, 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68,
32 0x3e, 0x80, 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a};
33
GetPassCode(const ByteString & password,pdfium::span<uint8_t> output)34 void GetPassCode(const ByteString& password, pdfium::span<uint8_t> output) {
35 DCHECK_EQ(sizeof(kDefaultPasscode), output.size());
36 size_t len = std::min(password.GetLength(), output.size());
37 size_t remaining = output.size() - len;
38 memcpy(output.data(), password.raw_str(), len);
39 if (remaining)
40 memcpy(&output[len], kDefaultPasscode, remaining);
41 }
42
CalcEncryptKey(const CPDF_Dictionary * pEncrypt,const ByteString & password,uint8_t * key,size_t keylen,bool ignore_metadata,const ByteString & file_id)43 void CalcEncryptKey(const CPDF_Dictionary* pEncrypt,
44 const ByteString& password,
45 uint8_t* key,
46 size_t keylen,
47 bool ignore_metadata,
48 const ByteString& file_id) {
49 uint8_t passcode[32];
50 GetPassCode(password, passcode);
51 CRYPT_md5_context md5 = CRYPT_MD5Start();
52 CRYPT_MD5Update(&md5, passcode);
53 ByteString okey = pEncrypt->GetByteStringFor("O");
54 CRYPT_MD5Update(&md5, okey.raw_span());
55 uint32_t perm = pEncrypt->GetIntegerFor("P");
56 CRYPT_MD5Update(&md5, pdfium::as_bytes(pdfium::make_span(&perm, 1)));
57 if (!file_id.IsEmpty())
58 CRYPT_MD5Update(&md5, file_id.raw_span());
59 const bool is_revision_3_or_greater = pEncrypt->GetIntegerFor("R") >= 3;
60 if (!ignore_metadata && is_revision_3_or_greater &&
61 !pEncrypt->GetBooleanFor("EncryptMetadata", true)) {
62 constexpr uint32_t tag = 0xFFFFFFFF;
63 CRYPT_MD5Update(&md5, pdfium::as_bytes(pdfium::make_span(&tag, 1)));
64 }
65 uint8_t digest[16];
66 CRYPT_MD5Finish(&md5, digest);
67 size_t copy_len = std::min(keylen, sizeof(digest));
68 if (is_revision_3_or_greater) {
69 for (int i = 0; i < 50; i++)
70 CRYPT_MD5Generate({digest, copy_len}, digest);
71 }
72 memset(key, 0, keylen);
73 memcpy(key, digest, copy_len);
74 }
75
IsValidKeyLengthForCipher(CPDF_CryptoHandler::Cipher cipher,size_t keylen)76 bool IsValidKeyLengthForCipher(CPDF_CryptoHandler::Cipher cipher,
77 size_t keylen) {
78 switch (cipher) {
79 case CPDF_CryptoHandler::Cipher::kAES:
80 return keylen == 16 || keylen == 24 || keylen == 32;
81 case CPDF_CryptoHandler::Cipher::kAES2:
82 return keylen == 32;
83 case CPDF_CryptoHandler::Cipher::kRC4:
84 return keylen >= 5 && keylen <= 16;
85 case CPDF_CryptoHandler::Cipher::kNone:
86 return true;
87 }
88 }
89
90 #define FX_GET_32WORD(n, b, i) \
91 { \
92 (n) = (uint32_t)( \
93 ((uint64_t)(b)[(i)] << 24) | ((uint64_t)(b)[(i) + 1] << 16) | \
94 ((uint64_t)(b)[(i) + 2] << 8) | ((uint64_t)(b)[(i) + 3])); \
95 }
BigOrder64BitsMod3(uint8_t * data)96 int BigOrder64BitsMod3(uint8_t* data) {
97 uint64_t ret = 0;
98 for (int i = 0; i < 4; ++i) {
99 uint32_t value;
100 FX_GET_32WORD(value, data, 4 * i);
101 ret <<= 32;
102 ret |= value;
103 ret %= 3;
104 }
105 return (int)ret;
106 }
107
Revision6_Hash(const ByteString & password,const uint8_t * salt,const uint8_t * vector,uint8_t * hash)108 void Revision6_Hash(const ByteString& password,
109 const uint8_t* salt,
110 const uint8_t* vector,
111 uint8_t* hash) {
112 CRYPT_sha2_context sha;
113 CRYPT_SHA256Start(&sha);
114 CRYPT_SHA256Update(&sha, password.raw_str(), password.GetLength());
115 CRYPT_SHA256Update(&sha, salt, 8);
116 if (vector)
117 CRYPT_SHA256Update(&sha, vector, 48);
118
119 uint8_t digest[32];
120 CRYPT_SHA256Finish(&sha, digest);
121
122 DataVector<uint8_t> buf;
123 uint8_t* input = digest;
124 uint8_t* key = input;
125 uint8_t* iv = input + 16;
126 uint8_t* E = nullptr;
127 int iBufLen = 0;
128 DataVector<uint8_t> interDigest;
129 int i = 0;
130 int iBlockSize = 32;
131 CRYPT_aes_context aes = {};
132 while (i < 64 || i < E[iBufLen - 1] + 32) {
133 int iRoundSize = password.GetLength() + iBlockSize;
134 if (vector) {
135 iRoundSize += 48;
136 }
137 iBufLen = iRoundSize * 64;
138 buf.resize(iBufLen);
139 E = buf.data();
140 DataVector<uint8_t> content;
141 for (int j = 0; j < 64; ++j) {
142 content.insert(std::end(content), password.raw_str(),
143 password.raw_str() + password.GetLength());
144 content.insert(std::end(content), input, input + iBlockSize);
145 if (vector) {
146 content.insert(std::end(content), vector, vector + 48);
147 }
148 }
149 CRYPT_AESSetKey(&aes, key, 16);
150 CRYPT_AESSetIV(&aes, iv);
151 CRYPT_AESEncrypt(&aes, E, content.data(), iBufLen);
152 int iHash = 0;
153 switch (BigOrder64BitsMod3(E)) {
154 case 0:
155 iHash = 0;
156 iBlockSize = 32;
157 break;
158 case 1:
159 iHash = 1;
160 iBlockSize = 48;
161 break;
162 default:
163 iHash = 2;
164 iBlockSize = 64;
165 break;
166 }
167 interDigest.resize(iBlockSize);
168 input = interDigest.data();
169 if (iHash == 0) {
170 CRYPT_SHA256Generate(E, iBufLen, input);
171 } else if (iHash == 1) {
172 CRYPT_SHA384Generate(E, iBufLen, input);
173 } else if (iHash == 2) {
174 CRYPT_SHA512Generate(E, iBufLen, input);
175 }
176 key = input;
177 iv = input + 16;
178 ++i;
179 }
180 if (hash) {
181 memcpy(hash, input, 32);
182 }
183 }
184
185 } // namespace
186
187 CPDF_SecurityHandler::CPDF_SecurityHandler() = default;
188
189 CPDF_SecurityHandler::~CPDF_SecurityHandler() = default;
190
OnInit(const CPDF_Dictionary * pEncryptDict,RetainPtr<const CPDF_Array> pIdArray,const ByteString & password)191 bool CPDF_SecurityHandler::OnInit(const CPDF_Dictionary* pEncryptDict,
192 RetainPtr<const CPDF_Array> pIdArray,
193 const ByteString& password) {
194 if (pIdArray)
195 m_FileId = pIdArray->GetByteStringAt(0);
196 else
197 m_FileId.clear();
198 if (!LoadDict(pEncryptDict))
199 return false;
200 if (m_Cipher == CPDF_CryptoHandler::Cipher::kNone)
201 return true;
202 if (!CheckSecurity(password))
203 return false;
204
205 InitCryptoHandler();
206 return true;
207 }
208
CheckSecurity(const ByteString & password)209 bool CPDF_SecurityHandler::CheckSecurity(const ByteString& password) {
210 if (!password.IsEmpty() && CheckPassword(password, true)) {
211 m_bOwnerUnlocked = true;
212 return true;
213 }
214 return CheckPassword(password, false);
215 }
216
GetPermissions() const217 uint32_t CPDF_SecurityHandler::GetPermissions() const {
218 uint32_t dwPermission = m_bOwnerUnlocked ? 0xFFFFFFFF : m_Permissions;
219 if (m_pEncryptDict &&
220 m_pEncryptDict->GetByteStringFor("Filter") == "Standard") {
221 // See PDF Reference 1.7, page 123, table 3.20.
222 dwPermission &= 0xFFFFFFFC;
223 dwPermission |= 0xFFFFF0C0;
224 }
225 return dwPermission;
226 }
227
LoadCryptInfo(const CPDF_Dictionary * pEncryptDict,const ByteString & name,CPDF_CryptoHandler::Cipher * cipher,size_t * keylen_out)228 static bool LoadCryptInfo(const CPDF_Dictionary* pEncryptDict,
229 const ByteString& name,
230 CPDF_CryptoHandler::Cipher* cipher,
231 size_t* keylen_out) {
232 int Version = pEncryptDict->GetIntegerFor("V");
233 *cipher = CPDF_CryptoHandler::Cipher::kRC4;
234 *keylen_out = 0;
235 int keylen = 0;
236 if (Version >= 4) {
237 RetainPtr<const CPDF_Dictionary> pCryptFilters =
238 pEncryptDict->GetDictFor("CF");
239 if (!pCryptFilters)
240 return false;
241
242 if (name == "Identity") {
243 *cipher = CPDF_CryptoHandler::Cipher::kNone;
244 } else {
245 RetainPtr<const CPDF_Dictionary> pDefFilter =
246 pCryptFilters->GetDictFor(name);
247 if (!pDefFilter)
248 return false;
249
250 int nKeyBits = 0;
251 if (Version == 4) {
252 nKeyBits = pDefFilter->GetIntegerFor("Length", 0);
253 if (nKeyBits == 0) {
254 nKeyBits = pEncryptDict->GetIntegerFor("Length", 128);
255 }
256 } else {
257 nKeyBits = pEncryptDict->GetIntegerFor("Length", 256);
258 }
259 if (nKeyBits < 0)
260 return false;
261
262 if (nKeyBits < 40) {
263 nKeyBits *= 8;
264 }
265 keylen = nKeyBits / 8;
266 ByteString cipher_name = pDefFilter->GetByteStringFor("CFM");
267 if (cipher_name == "AESV2" || cipher_name == "AESV3")
268 *cipher = CPDF_CryptoHandler::Cipher::kAES;
269 }
270 } else {
271 keylen = Version > 1 ? pEncryptDict->GetIntegerFor("Length", 40) / 8 : 5;
272 }
273
274 if (keylen < 0 || keylen > 32)
275 return false;
276 if (!IsValidKeyLengthForCipher(*cipher, keylen))
277 return false;
278
279 *keylen_out = keylen;
280 return true;
281 }
282
LoadDict(const CPDF_Dictionary * pEncryptDict)283 bool CPDF_SecurityHandler::LoadDict(const CPDF_Dictionary* pEncryptDict) {
284 m_pEncryptDict.Reset(pEncryptDict);
285 m_Version = pEncryptDict->GetIntegerFor("V");
286 m_Revision = pEncryptDict->GetIntegerFor("R");
287 m_Permissions = pEncryptDict->GetIntegerFor("P", -1);
288 if (m_Version < 4)
289 return LoadCryptInfo(pEncryptDict, ByteString(), &m_Cipher, &m_KeyLen);
290
291 ByteString stmf_name = pEncryptDict->GetByteStringFor("StmF");
292 ByteString strf_name = pEncryptDict->GetByteStringFor("StrF");
293 if (stmf_name != strf_name)
294 return false;
295
296 return LoadCryptInfo(pEncryptDict, strf_name, &m_Cipher, &m_KeyLen);
297 }
298
LoadDict(const CPDF_Dictionary * pEncryptDict,CPDF_CryptoHandler::Cipher * cipher,size_t * key_len)299 bool CPDF_SecurityHandler::LoadDict(const CPDF_Dictionary* pEncryptDict,
300 CPDF_CryptoHandler::Cipher* cipher,
301 size_t* key_len) {
302 m_pEncryptDict.Reset(pEncryptDict);
303 m_Version = pEncryptDict->GetIntegerFor("V");
304 m_Revision = pEncryptDict->GetIntegerFor("R");
305 m_Permissions = pEncryptDict->GetIntegerFor("P", -1);
306
307 ByteString strf_name;
308 ByteString stmf_name;
309 if (m_Version >= 4) {
310 stmf_name = pEncryptDict->GetByteStringFor("StmF");
311 strf_name = pEncryptDict->GetByteStringFor("StrF");
312 if (stmf_name != strf_name)
313 return false;
314 }
315 if (!LoadCryptInfo(pEncryptDict, strf_name, cipher, key_len))
316 return false;
317
318 m_Cipher = *cipher;
319 m_KeyLen = *key_len;
320 return true;
321 }
322
AES256_CheckPassword(const ByteString & password,bool bOwner)323 bool CPDF_SecurityHandler::AES256_CheckPassword(const ByteString& password,
324 bool bOwner) {
325 DCHECK(m_pEncryptDict);
326 DCHECK(m_Revision >= 5);
327
328 ByteString okey = m_pEncryptDict->GetByteStringFor("O");
329 if (okey.GetLength() < 48)
330 return false;
331
332 ByteString ukey = m_pEncryptDict->GetByteStringFor("U");
333 if (ukey.GetLength() < 48)
334 return false;
335
336 const uint8_t* pkey = bOwner ? okey.raw_str() : ukey.raw_str();
337 CRYPT_sha2_context sha;
338 uint8_t digest[32];
339 if (m_Revision >= 6) {
340 Revision6_Hash(password, (const uint8_t*)pkey + 32,
341 bOwner ? ukey.raw_str() : nullptr, digest);
342 } else {
343 CRYPT_SHA256Start(&sha);
344 CRYPT_SHA256Update(&sha, password.raw_str(), password.GetLength());
345 CRYPT_SHA256Update(&sha, pkey + 32, 8);
346 if (bOwner)
347 CRYPT_SHA256Update(&sha, ukey.raw_str(), 48);
348 CRYPT_SHA256Finish(&sha, digest);
349 }
350 if (memcmp(digest, pkey, 32) != 0)
351 return false;
352
353 if (m_Revision >= 6) {
354 Revision6_Hash(password, (const uint8_t*)pkey + 40,
355 bOwner ? ukey.raw_str() : nullptr, digest);
356 } else {
357 CRYPT_SHA256Start(&sha);
358 CRYPT_SHA256Update(&sha, password.raw_str(), password.GetLength());
359 CRYPT_SHA256Update(&sha, pkey + 40, 8);
360 if (bOwner)
361 CRYPT_SHA256Update(&sha, ukey.raw_str(), 48);
362 CRYPT_SHA256Finish(&sha, digest);
363 }
364 ByteString ekey = m_pEncryptDict->GetByteStringFor(bOwner ? "OE" : "UE");
365 if (ekey.GetLength() < 32)
366 return false;
367
368 CRYPT_aes_context aes = {};
369 CRYPT_AESSetKey(&aes, digest, sizeof(digest));
370 uint8_t iv[16] = {};
371 CRYPT_AESSetIV(&aes, iv);
372 CRYPT_AESDecrypt(&aes, m_EncryptKey, ekey.raw_str(), 32);
373 CRYPT_AESSetKey(&aes, m_EncryptKey, sizeof(m_EncryptKey));
374 CRYPT_AESSetIV(&aes, iv);
375 ByteString perms = m_pEncryptDict->GetByteStringFor("Perms");
376 if (perms.IsEmpty())
377 return false;
378
379 uint8_t perms_buf[16] = {};
380 size_t copy_len =
381 std::min(sizeof(perms_buf), static_cast<size_t>(perms.GetLength()));
382 memcpy(perms_buf, perms.raw_str(), copy_len);
383 uint8_t buf[16];
384 CRYPT_AESDecrypt(&aes, buf, perms_buf, 16);
385 if (buf[9] != 'a' || buf[10] != 'd' || buf[11] != 'b')
386 return false;
387
388 if (FXSYS_UINT32_GET_LSBFIRST(buf) != m_Permissions)
389 return false;
390
391 // Relax this check as there appear to be some non-conforming documents
392 // in the wild. The value in the buffer is the truth; if it requires us
393 // to encrypt metadata, but the dictionary says otherwise, then we may
394 // have a tampered doc. Otherwise, give it a pass.
395 return buf[8] == 'F' || IsMetadataEncrypted();
396 }
397
CheckPassword(const ByteString & password,bool bOwner)398 bool CPDF_SecurityHandler::CheckPassword(const ByteString& password,
399 bool bOwner) {
400 DCHECK_EQ(kUnknown, m_PasswordEncodingConversion);
401 if (CheckPasswordImpl(password, bOwner)) {
402 m_PasswordEncodingConversion = kNone;
403 return true;
404 }
405
406 ByteStringView password_view = password.AsStringView();
407 if (password_view.IsASCII())
408 return false;
409
410 if (m_Revision >= 5) {
411 ByteString utf8_password = WideString::FromLatin1(password_view).ToUTF8();
412 if (!CheckPasswordImpl(utf8_password, bOwner))
413 return false;
414
415 m_PasswordEncodingConversion = kLatin1ToUtf8;
416 return true;
417 }
418
419 ByteString latin1_password = WideString::FromUTF8(password_view).ToLatin1();
420 if (!CheckPasswordImpl(latin1_password, bOwner))
421 return false;
422
423 m_PasswordEncodingConversion = kUtf8toLatin1;
424 return true;
425 }
426
CheckPasswordImpl(const ByteString & password,bool bOwner)427 bool CPDF_SecurityHandler::CheckPasswordImpl(const ByteString& password,
428 bool bOwner) {
429 if (m_Revision >= 5)
430 return AES256_CheckPassword(password, bOwner);
431
432 if (bOwner)
433 return CheckOwnerPassword(password);
434
435 return CheckUserPassword(password, false) ||
436 CheckUserPassword(password, true);
437 }
438
CheckUserPassword(const ByteString & password,bool bIgnoreEncryptMeta)439 bool CPDF_SecurityHandler::CheckUserPassword(const ByteString& password,
440 bool bIgnoreEncryptMeta) {
441 CalcEncryptKey(m_pEncryptDict.Get(), password, m_EncryptKey, m_KeyLen,
442 bIgnoreEncryptMeta, m_FileId);
443 ByteString ukey =
444 m_pEncryptDict ? m_pEncryptDict->GetByteStringFor("U") : ByteString();
445 if (ukey.GetLength() < 16) {
446 return false;
447 }
448
449 uint8_t ukeybuf[32];
450 if (m_Revision == 2) {
451 memcpy(ukeybuf, kDefaultPasscode, sizeof(kDefaultPasscode));
452 CRYPT_ArcFourCryptBlock(ukeybuf, {m_EncryptKey, m_KeyLen});
453 return memcmp(ukey.c_str(), ukeybuf, 16) == 0;
454 }
455
456 uint8_t test[32] = {};
457 uint8_t tmpkey[32] = {};
458 uint32_t copy_len = std::min(sizeof(test), ukey.GetLength());
459
460 memcpy(test, ukey.c_str(), copy_len);
461 for (int32_t i = 19; i >= 0; i--) {
462 for (size_t j = 0; j < m_KeyLen; j++)
463 tmpkey[j] = m_EncryptKey[j] ^ static_cast<uint8_t>(i);
464 CRYPT_ArcFourCryptBlock(test, {tmpkey, m_KeyLen});
465 }
466 CRYPT_md5_context md5 = CRYPT_MD5Start();
467 CRYPT_MD5Update(&md5, kDefaultPasscode);
468 if (!m_FileId.IsEmpty())
469 CRYPT_MD5Update(&md5, m_FileId.raw_span());
470 CRYPT_MD5Finish(&md5, ukeybuf);
471 return memcmp(test, ukeybuf, 16) == 0;
472 }
473
GetUserPassword(const ByteString & owner_password) const474 ByteString CPDF_SecurityHandler::GetUserPassword(
475 const ByteString& owner_password) const {
476 constexpr size_t kRequiredOkeyLength = 32;
477 ByteString okey = m_pEncryptDict->GetByteStringFor("O");
478 size_t okeylen = std::min<size_t>(okey.GetLength(), kRequiredOkeyLength);
479 if (okeylen < kRequiredOkeyLength)
480 return ByteString();
481
482 DCHECK_EQ(kRequiredOkeyLength, okeylen);
483 uint8_t passcode[32];
484 GetPassCode(owner_password, passcode);
485 uint8_t digest[16];
486 CRYPT_MD5Generate(passcode, digest);
487 if (m_Revision >= 3) {
488 for (uint32_t i = 0; i < 50; i++)
489 CRYPT_MD5Generate(digest, digest);
490 }
491 uint8_t enckey[32] = {};
492 size_t copy_len = std::min(m_KeyLen, sizeof(digest));
493
494 memcpy(enckey, digest, copy_len);
495 uint8_t okeybuf[32] = {};
496 memcpy(okeybuf, okey.c_str(), okeylen);
497 pdfium::span<uint8_t> okey_span(okeybuf, okeylen);
498 if (m_Revision == 2) {
499 CRYPT_ArcFourCryptBlock(okey_span, {enckey, m_KeyLen});
500 } else {
501 for (int32_t i = 19; i >= 0; i--) {
502 uint8_t tempkey[32] = {};
503 for (size_t j = 0; j < m_KeyLen; j++)
504 tempkey[j] = enckey[j] ^ static_cast<uint8_t>(i);
505 CRYPT_ArcFourCryptBlock(okey_span, {tempkey, m_KeyLen});
506 }
507 }
508 size_t len = kRequiredOkeyLength;
509 while (len && kDefaultPasscode[len - 1] == okey_span[len - 1])
510 len--;
511
512 return ByteString(okeybuf, len);
513 }
514
CheckOwnerPassword(const ByteString & password)515 bool CPDF_SecurityHandler::CheckOwnerPassword(const ByteString& password) {
516 ByteString user_pass = GetUserPassword(password);
517 return CheckUserPassword(user_pass, false) ||
518 CheckUserPassword(user_pass, true);
519 }
520
IsMetadataEncrypted() const521 bool CPDF_SecurityHandler::IsMetadataEncrypted() const {
522 return m_pEncryptDict->GetBooleanFor("EncryptMetadata", true);
523 }
524
GetEncodedPassword(ByteStringView password) const525 ByteString CPDF_SecurityHandler::GetEncodedPassword(
526 ByteStringView password) const {
527 switch (m_PasswordEncodingConversion) {
528 case kNone:
529 // Do nothing.
530 return ByteString(password);
531 case kLatin1ToUtf8:
532 return WideString::FromLatin1(password).ToUTF8();
533 case kUtf8toLatin1:
534 return WideString::FromUTF8(password).ToLatin1();
535 default:
536 NOTREACHED();
537 return ByteString(password);
538 }
539 }
540
OnCreateInternal(CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & user_password,const ByteString & owner_password,bool bDefault)541 void CPDF_SecurityHandler::OnCreateInternal(CPDF_Dictionary* pEncryptDict,
542 const CPDF_Array* pIdArray,
543 const ByteString& user_password,
544 const ByteString& owner_password,
545 bool bDefault) {
546 DCHECK(pEncryptDict);
547
548 CPDF_CryptoHandler::Cipher cipher = CPDF_CryptoHandler::Cipher::kNone;
549 size_t key_len = 0;
550 if (!LoadDict(pEncryptDict, &cipher, &key_len)) {
551 return;
552 }
553 ByteString owner_password_copy = owner_password;
554 if (bDefault && owner_password.IsEmpty())
555 owner_password_copy = user_password;
556
557 if (m_Revision >= 5) {
558 uint32_t random[4];
559 FX_Random_GenerateMT(random, std::size(random));
560 CRYPT_sha2_context sha;
561 CRYPT_SHA256Start(&sha);
562 CRYPT_SHA256Update(&sha, reinterpret_cast<uint8_t*>(random),
563 sizeof(random));
564 CRYPT_SHA256Finish(&sha, m_EncryptKey);
565 AES256_SetPassword(pEncryptDict, user_password, false);
566 if (bDefault)
567 AES256_SetPassword(pEncryptDict, owner_password_copy, true);
568 AES256_SetPerms(pEncryptDict);
569 return;
570 }
571 if (bDefault) {
572 uint8_t passcode[32];
573 GetPassCode(owner_password_copy, passcode);
574 uint8_t digest[16];
575 CRYPT_MD5Generate(passcode, digest);
576 if (m_Revision >= 3) {
577 for (uint32_t i = 0; i < 50; i++)
578 CRYPT_MD5Generate(digest, digest);
579 }
580 uint8_t enckey[32];
581 memcpy(enckey, digest, key_len);
582 GetPassCode(user_password, passcode);
583 CRYPT_ArcFourCryptBlock(passcode, {enckey, key_len});
584 uint8_t tempkey[32];
585 if (m_Revision >= 3) {
586 for (uint8_t i = 1; i <= 19; i++) {
587 for (size_t j = 0; j < key_len; j++)
588 tempkey[j] = enckey[j] ^ i;
589 CRYPT_ArcFourCryptBlock(passcode, {tempkey, key_len});
590 }
591 }
592 pEncryptDict->SetNewFor<CPDF_String>("O", ByteString(passcode, 32), false);
593 }
594
595 ByteString file_id;
596 if (pIdArray)
597 file_id = pIdArray->GetByteStringAt(0);
598
599 CalcEncryptKey(m_pEncryptDict.Get(), user_password, m_EncryptKey, key_len,
600 false, file_id);
601 if (m_Revision < 3) {
602 uint8_t tempbuf[32];
603 memcpy(tempbuf, kDefaultPasscode, sizeof(kDefaultPasscode));
604 CRYPT_ArcFourCryptBlock(tempbuf, {m_EncryptKey, key_len});
605 pEncryptDict->SetNewFor<CPDF_String>("U", ByteString(tempbuf, 32), false);
606 } else {
607 CRYPT_md5_context md5 = CRYPT_MD5Start();
608 CRYPT_MD5Update(&md5, kDefaultPasscode);
609 if (!file_id.IsEmpty())
610 CRYPT_MD5Update(&md5, file_id.raw_span());
611
612 uint8_t digest[32];
613 CRYPT_MD5Finish(&md5, digest);
614 pdfium::span<uint8_t> partial_digest_span(digest, 16);
615 CRYPT_ArcFourCryptBlock(partial_digest_span, {m_EncryptKey, key_len});
616 uint8_t tempkey[32];
617 for (uint8_t i = 1; i <= 19; i++) {
618 for (size_t j = 0; j < key_len; j++)
619 tempkey[j] = m_EncryptKey[j] ^ i;
620 CRYPT_ArcFourCryptBlock(partial_digest_span, {tempkey, key_len});
621 }
622 CRYPT_MD5Generate({digest, 16}, digest + 16);
623 pEncryptDict->SetNewFor<CPDF_String>("U", ByteString(digest, 32), false);
624 }
625 }
626
OnCreate(CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & user_password,const ByteString & owner_password)627 void CPDF_SecurityHandler::OnCreate(CPDF_Dictionary* pEncryptDict,
628 const CPDF_Array* pIdArray,
629 const ByteString& user_password,
630 const ByteString& owner_password) {
631 OnCreateInternal(pEncryptDict, pIdArray, user_password, owner_password, true);
632 InitCryptoHandler();
633 }
634
OnCreate(CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & user_password)635 void CPDF_SecurityHandler::OnCreate(CPDF_Dictionary* pEncryptDict,
636 const CPDF_Array* pIdArray,
637 const ByteString& user_password) {
638 OnCreateInternal(pEncryptDict, pIdArray, user_password, ByteString(), false);
639 InitCryptoHandler();
640 }
641
AES256_SetPassword(CPDF_Dictionary * pEncryptDict,const ByteString & password,bool bOwner)642 void CPDF_SecurityHandler::AES256_SetPassword(CPDF_Dictionary* pEncryptDict,
643 const ByteString& password,
644 bool bOwner) {
645 CRYPT_sha1_context sha;
646 CRYPT_SHA1Start(&sha);
647 CRYPT_SHA1Update(&sha, m_EncryptKey, sizeof(m_EncryptKey));
648 CRYPT_SHA1Update(&sha, (uint8_t*)"hello", 5);
649
650 uint8_t digest[20];
651 CRYPT_SHA1Finish(&sha, digest);
652
653 ByteString ukey = pEncryptDict->GetByteStringFor("U");
654 CRYPT_sha2_context sha2;
655 uint8_t digest1[48];
656 if (m_Revision >= 6) {
657 Revision6_Hash(password, digest, bOwner ? ukey.raw_str() : nullptr,
658 digest1);
659 } else {
660 CRYPT_SHA256Start(&sha2);
661 CRYPT_SHA256Update(&sha2, password.raw_str(), password.GetLength());
662 CRYPT_SHA256Update(&sha2, digest, 8);
663 if (bOwner) {
664 CRYPT_SHA256Update(&sha2, ukey.raw_str(), ukey.GetLength());
665 }
666 CRYPT_SHA256Finish(&sha2, digest1);
667 }
668 memcpy(digest1 + 32, digest, 16);
669 pEncryptDict->SetNewFor<CPDF_String>(bOwner ? "O" : "U",
670 ByteString(digest1, 48), false);
671 if (m_Revision >= 6) {
672 Revision6_Hash(password, digest + 8, bOwner ? ukey.raw_str() : nullptr,
673 digest1);
674 } else {
675 CRYPT_SHA256Start(&sha2);
676 CRYPT_SHA256Update(&sha2, password.raw_str(), password.GetLength());
677 CRYPT_SHA256Update(&sha2, digest + 8, 8);
678 if (bOwner) {
679 CRYPT_SHA256Update(&sha2, ukey.raw_str(), ukey.GetLength());
680 }
681 CRYPT_SHA256Finish(&sha2, digest1);
682 }
683 CRYPT_aes_context aes = {};
684 CRYPT_AESSetKey(&aes, digest1, 32);
685 uint8_t iv[16] = {};
686 CRYPT_AESSetIV(&aes, iv);
687 CRYPT_AESEncrypt(&aes, digest1, m_EncryptKey, sizeof(m_EncryptKey));
688 pEncryptDict->SetNewFor<CPDF_String>(bOwner ? "OE" : "UE",
689 ByteString(digest1, 32), false);
690 }
691
AES256_SetPerms(CPDF_Dictionary * pEncryptDict)692 void CPDF_SecurityHandler::AES256_SetPerms(CPDF_Dictionary* pEncryptDict) {
693 uint8_t buf[16];
694 buf[0] = static_cast<uint8_t>(m_Permissions);
695 buf[1] = static_cast<uint8_t>(m_Permissions >> 8);
696 buf[2] = static_cast<uint8_t>(m_Permissions >> 16);
697 buf[3] = static_cast<uint8_t>(m_Permissions >> 24);
698 buf[4] = 0xff;
699 buf[5] = 0xff;
700 buf[6] = 0xff;
701 buf[7] = 0xff;
702 buf[8] = pEncryptDict->GetBooleanFor("EncryptMetadata", true) ? 'T' : 'F';
703 buf[9] = 'a';
704 buf[10] = 'd';
705 buf[11] = 'b';
706
707 // In ISO 32000 Supplement for ExtensionLevel 3, Algorithm 3.10 says bytes 12
708 // to 15 should be random data.
709 uint32_t* buf_random = reinterpret_cast<uint32_t*>(&buf[12]);
710 FX_Random_GenerateMT(buf_random, 1);
711
712 CRYPT_aes_context aes = {};
713 CRYPT_AESSetKey(&aes, m_EncryptKey, sizeof(m_EncryptKey));
714
715 uint8_t iv[16] = {};
716 CRYPT_AESSetIV(&aes, iv);
717
718 uint8_t buf1[16];
719 CRYPT_AESEncrypt(&aes, buf1, buf, 16);
720 pEncryptDict->SetNewFor<CPDF_String>("Perms", ByteString(buf1, 16), false);
721 }
722
InitCryptoHandler()723 void CPDF_SecurityHandler::InitCryptoHandler() {
724 m_pCryptoHandler =
725 std::make_unique<CPDF_CryptoHandler>(m_Cipher, m_EncryptKey, m_KeyLen);
726 }
727