1 // Copyright 2014 The PDFium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
6
7 #include "core/fpdfapi/parser/cpdf_security_handler.h"
8
9 #include <stdint.h>
10 #include <time.h>
11
12 #include <algorithm>
13 #include <utility>
14
15 #include "core/fdrm/fx_crypt.h"
16 #include "core/fpdfapi/parser/cpdf_array.h"
17 #include "core/fpdfapi/parser/cpdf_crypto_handler.h"
18 #include "core/fpdfapi/parser/cpdf_dictionary.h"
19 #include "core/fpdfapi/parser/cpdf_object.h"
20 #include "core/fpdfapi/parser/cpdf_string.h"
21 #include "core/fxcrt/data_vector.h"
22 #include "core/fxcrt/fx_memcpy_wrappers.h"
23 #include "core/fxcrt/fx_random.h"
24 #include "third_party/base/check.h"
25 #include "third_party/base/check_op.h"
26 #include "third_party/base/notreached.h"
27
28 namespace {
29
30 const uint8_t kDefaultPasscode[32] = {
31 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, 0x64, 0x00, 0x4e,
32 0x56, 0xff, 0xfa, 0x01, 0x08, 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68,
33 0x3e, 0x80, 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a};
34
GetPassCode(const ByteString & password,pdfium::span<uint8_t> output)35 void GetPassCode(const ByteString& password, pdfium::span<uint8_t> output) {
36 DCHECK_EQ(sizeof(kDefaultPasscode), output.size());
37 size_t len = std::min(password.GetLength(), output.size());
38 size_t remaining = output.size() - len;
39 FXSYS_memcpy(output.data(), password.raw_str(), len);
40 if (remaining) {
41 memcpy(&output[len], kDefaultPasscode, remaining);
42 }
43 }
44
CalcEncryptKey(const CPDF_Dictionary * pEncrypt,const ByteString & password,uint8_t * key,size_t keylen,bool ignore_metadata,const ByteString & file_id)45 void CalcEncryptKey(const CPDF_Dictionary* pEncrypt,
46 const ByteString& password,
47 uint8_t* key,
48 size_t keylen,
49 bool ignore_metadata,
50 const ByteString& file_id) {
51 uint8_t passcode[32];
52 GetPassCode(password, passcode);
53 CRYPT_md5_context md5 = CRYPT_MD5Start();
54 CRYPT_MD5Update(&md5, passcode);
55 ByteString okey = pEncrypt->GetByteStringFor("O");
56 CRYPT_MD5Update(&md5, okey.raw_span());
57 uint32_t perm = pEncrypt->GetIntegerFor("P");
58 CRYPT_MD5Update(&md5, pdfium::as_bytes(pdfium::make_span(&perm, 1)));
59 if (!file_id.IsEmpty())
60 CRYPT_MD5Update(&md5, file_id.raw_span());
61 const bool is_revision_3_or_greater = pEncrypt->GetIntegerFor("R") >= 3;
62 if (!ignore_metadata && is_revision_3_or_greater &&
63 !pEncrypt->GetBooleanFor("EncryptMetadata", true)) {
64 constexpr uint32_t tag = 0xFFFFFFFF;
65 CRYPT_MD5Update(&md5, pdfium::as_bytes(pdfium::make_span(&tag, 1)));
66 }
67 uint8_t digest[16];
68 CRYPT_MD5Finish(&md5, digest);
69 size_t copy_len = std::min(keylen, sizeof(digest));
70 if (is_revision_3_or_greater) {
71 for (int i = 0; i < 50; i++)
72 CRYPT_MD5Generate({digest, copy_len}, digest);
73 }
74 memset(key, 0, keylen);
75 memcpy(key, digest, copy_len);
76 }
77
IsValidKeyLengthForCipher(CPDF_CryptoHandler::Cipher cipher,size_t keylen)78 bool IsValidKeyLengthForCipher(CPDF_CryptoHandler::Cipher cipher,
79 size_t keylen) {
80 switch (cipher) {
81 case CPDF_CryptoHandler::Cipher::kAES:
82 return keylen == 16 || keylen == 24 || keylen == 32;
83 case CPDF_CryptoHandler::Cipher::kAES2:
84 return keylen == 32;
85 case CPDF_CryptoHandler::Cipher::kRC4:
86 return keylen >= 5 && keylen <= 16;
87 case CPDF_CryptoHandler::Cipher::kNone:
88 return true;
89 }
90 }
91
92 #define FX_GET_32WORD(n, b, i) \
93 { \
94 (n) = (uint32_t)( \
95 ((uint64_t)(b)[(i)] << 24) | ((uint64_t)(b)[(i) + 1] << 16) | \
96 ((uint64_t)(b)[(i) + 2] << 8) | ((uint64_t)(b)[(i) + 3])); \
97 }
BigOrder64BitsMod3(uint8_t * data)98 int BigOrder64BitsMod3(uint8_t* data) {
99 uint64_t ret = 0;
100 for (int i = 0; i < 4; ++i) {
101 uint32_t value;
102 FX_GET_32WORD(value, data, 4 * i);
103 ret <<= 32;
104 ret |= value;
105 ret %= 3;
106 }
107 return (int)ret;
108 }
109
Revision6_Hash(const ByteString & password,const uint8_t * salt,const uint8_t * vector,uint8_t * hash)110 void Revision6_Hash(const ByteString& password,
111 const uint8_t* salt,
112 const uint8_t* vector,
113 uint8_t* hash) {
114 CRYPT_sha2_context sha;
115 CRYPT_SHA256Start(&sha);
116 CRYPT_SHA256Update(&sha, password.raw_str(), password.GetLength());
117 CRYPT_SHA256Update(&sha, salt, 8);
118 if (vector)
119 CRYPT_SHA256Update(&sha, vector, 48);
120
121 uint8_t digest[32];
122 CRYPT_SHA256Finish(&sha, digest);
123
124 DataVector<uint8_t> buf;
125 uint8_t* input = digest;
126 uint8_t* key = input;
127 uint8_t* iv = input + 16;
128 uint8_t* E = nullptr;
129 int iBufLen = 0;
130 DataVector<uint8_t> interDigest;
131 int i = 0;
132 int iBlockSize = 32;
133 CRYPT_aes_context aes = {};
134 while (i < 64 || i < E[iBufLen - 1] + 32) {
135 int iRoundSize = password.GetLength() + iBlockSize;
136 if (vector) {
137 iRoundSize += 48;
138 }
139 iBufLen = iRoundSize * 64;
140 buf.resize(iBufLen);
141 E = buf.data();
142 DataVector<uint8_t> content;
143 for (int j = 0; j < 64; ++j) {
144 content.insert(std::end(content), password.raw_str(),
145 password.raw_str() + password.GetLength());
146 content.insert(std::end(content), input, input + iBlockSize);
147 if (vector) {
148 content.insert(std::end(content), vector, vector + 48);
149 }
150 }
151 CRYPT_AESSetKey(&aes, key, 16);
152 CRYPT_AESSetIV(&aes, iv);
153 CRYPT_AESEncrypt(&aes, E, content.data(), iBufLen);
154 int iHash = 0;
155 switch (BigOrder64BitsMod3(E)) {
156 case 0:
157 iHash = 0;
158 iBlockSize = 32;
159 break;
160 case 1:
161 iHash = 1;
162 iBlockSize = 48;
163 break;
164 default:
165 iHash = 2;
166 iBlockSize = 64;
167 break;
168 }
169 interDigest.resize(iBlockSize);
170 input = interDigest.data();
171 if (iHash == 0) {
172 CRYPT_SHA256Generate(E, iBufLen, input);
173 } else if (iHash == 1) {
174 CRYPT_SHA384Generate(E, iBufLen, input);
175 } else if (iHash == 2) {
176 CRYPT_SHA512Generate(E, iBufLen, input);
177 }
178 key = input;
179 iv = input + 16;
180 ++i;
181 }
182 if (hash) {
183 memcpy(hash, input, 32);
184 }
185 }
186
187 } // namespace
188
189 CPDF_SecurityHandler::CPDF_SecurityHandler() = default;
190
191 CPDF_SecurityHandler::~CPDF_SecurityHandler() = default;
192
OnInit(const CPDF_Dictionary * pEncryptDict,RetainPtr<const CPDF_Array> pIdArray,const ByteString & password)193 bool CPDF_SecurityHandler::OnInit(const CPDF_Dictionary* pEncryptDict,
194 RetainPtr<const CPDF_Array> pIdArray,
195 const ByteString& password) {
196 if (pIdArray)
197 m_FileId = pIdArray->GetByteStringAt(0);
198 else
199 m_FileId.clear();
200 if (!LoadDict(pEncryptDict))
201 return false;
202 if (m_Cipher == CPDF_CryptoHandler::Cipher::kNone)
203 return true;
204 if (!CheckSecurity(password))
205 return false;
206
207 InitCryptoHandler();
208 return true;
209 }
210
CheckSecurity(const ByteString & password)211 bool CPDF_SecurityHandler::CheckSecurity(const ByteString& password) {
212 if (!password.IsEmpty() && CheckPassword(password, true)) {
213 m_bOwnerUnlocked = true;
214 return true;
215 }
216 return CheckPassword(password, false);
217 }
218
GetPermissions() const219 uint32_t CPDF_SecurityHandler::GetPermissions() const {
220 uint32_t dwPermission = m_bOwnerUnlocked ? 0xFFFFFFFF : m_Permissions;
221 if (m_pEncryptDict &&
222 m_pEncryptDict->GetByteStringFor("Filter") == "Standard") {
223 // See PDF Reference 1.7, page 123, table 3.20.
224 dwPermission &= 0xFFFFFFFC;
225 dwPermission |= 0xFFFFF0C0;
226 }
227 return dwPermission;
228 }
229
LoadCryptInfo(const CPDF_Dictionary * pEncryptDict,const ByteString & name,CPDF_CryptoHandler::Cipher * cipher,size_t * keylen_out)230 static bool LoadCryptInfo(const CPDF_Dictionary* pEncryptDict,
231 const ByteString& name,
232 CPDF_CryptoHandler::Cipher* cipher,
233 size_t* keylen_out) {
234 int Version = pEncryptDict->GetIntegerFor("V");
235 *cipher = CPDF_CryptoHandler::Cipher::kRC4;
236 *keylen_out = 0;
237 int keylen = 0;
238 if (Version >= 4) {
239 RetainPtr<const CPDF_Dictionary> pCryptFilters =
240 pEncryptDict->GetDictFor("CF");
241 if (!pCryptFilters)
242 return false;
243
244 if (name == "Identity") {
245 *cipher = CPDF_CryptoHandler::Cipher::kNone;
246 } else {
247 RetainPtr<const CPDF_Dictionary> pDefFilter =
248 pCryptFilters->GetDictFor(name);
249 if (!pDefFilter)
250 return false;
251
252 int nKeyBits = 0;
253 if (Version == 4) {
254 nKeyBits = pDefFilter->GetIntegerFor("Length", 0);
255 if (nKeyBits == 0) {
256 nKeyBits = pEncryptDict->GetIntegerFor("Length", 128);
257 }
258 } else {
259 nKeyBits = pEncryptDict->GetIntegerFor("Length", 256);
260 }
261 if (nKeyBits < 0)
262 return false;
263
264 if (nKeyBits < 40) {
265 nKeyBits *= 8;
266 }
267 keylen = nKeyBits / 8;
268 ByteString cipher_name = pDefFilter->GetByteStringFor("CFM");
269 if (cipher_name == "AESV2" || cipher_name == "AESV3")
270 *cipher = CPDF_CryptoHandler::Cipher::kAES;
271 }
272 } else {
273 keylen = Version > 1 ? pEncryptDict->GetIntegerFor("Length", 40) / 8 : 5;
274 }
275
276 if (keylen < 0 || keylen > 32)
277 return false;
278 if (!IsValidKeyLengthForCipher(*cipher, keylen))
279 return false;
280
281 *keylen_out = keylen;
282 return true;
283 }
284
LoadDict(const CPDF_Dictionary * pEncryptDict)285 bool CPDF_SecurityHandler::LoadDict(const CPDF_Dictionary* pEncryptDict) {
286 m_pEncryptDict.Reset(pEncryptDict);
287 m_Version = pEncryptDict->GetIntegerFor("V");
288 m_Revision = pEncryptDict->GetIntegerFor("R");
289 m_Permissions = pEncryptDict->GetIntegerFor("P", -1);
290 if (m_Version < 4)
291 return LoadCryptInfo(pEncryptDict, ByteString(), &m_Cipher, &m_KeyLen);
292
293 ByteString stmf_name = pEncryptDict->GetByteStringFor("StmF");
294 ByteString strf_name = pEncryptDict->GetByteStringFor("StrF");
295 if (stmf_name != strf_name)
296 return false;
297
298 return LoadCryptInfo(pEncryptDict, strf_name, &m_Cipher, &m_KeyLen);
299 }
300
LoadDict(const CPDF_Dictionary * pEncryptDict,CPDF_CryptoHandler::Cipher * cipher,size_t * key_len)301 bool CPDF_SecurityHandler::LoadDict(const CPDF_Dictionary* pEncryptDict,
302 CPDF_CryptoHandler::Cipher* cipher,
303 size_t* key_len) {
304 m_pEncryptDict.Reset(pEncryptDict);
305 m_Version = pEncryptDict->GetIntegerFor("V");
306 m_Revision = pEncryptDict->GetIntegerFor("R");
307 m_Permissions = pEncryptDict->GetIntegerFor("P", -1);
308
309 ByteString strf_name;
310 ByteString stmf_name;
311 if (m_Version >= 4) {
312 stmf_name = pEncryptDict->GetByteStringFor("StmF");
313 strf_name = pEncryptDict->GetByteStringFor("StrF");
314 if (stmf_name != strf_name)
315 return false;
316 }
317 if (!LoadCryptInfo(pEncryptDict, strf_name, cipher, key_len))
318 return false;
319
320 m_Cipher = *cipher;
321 m_KeyLen = *key_len;
322 return true;
323 }
324
AES256_CheckPassword(const ByteString & password,bool bOwner)325 bool CPDF_SecurityHandler::AES256_CheckPassword(const ByteString& password,
326 bool bOwner) {
327 DCHECK(m_pEncryptDict);
328 DCHECK(m_Revision >= 5);
329
330 ByteString okey = m_pEncryptDict->GetByteStringFor("O");
331 if (okey.GetLength() < 48)
332 return false;
333
334 ByteString ukey = m_pEncryptDict->GetByteStringFor("U");
335 if (ukey.GetLength() < 48)
336 return false;
337
338 const uint8_t* pkey = bOwner ? okey.raw_str() : ukey.raw_str();
339 CRYPT_sha2_context sha;
340 uint8_t digest[32];
341 if (m_Revision >= 6) {
342 Revision6_Hash(password, (const uint8_t*)pkey + 32,
343 bOwner ? ukey.raw_str() : nullptr, digest);
344 } else {
345 CRYPT_SHA256Start(&sha);
346 CRYPT_SHA256Update(&sha, password.raw_str(), password.GetLength());
347 CRYPT_SHA256Update(&sha, pkey + 32, 8);
348 if (bOwner)
349 CRYPT_SHA256Update(&sha, ukey.raw_str(), 48);
350 CRYPT_SHA256Finish(&sha, digest);
351 }
352 if (memcmp(digest, pkey, 32) != 0)
353 return false;
354
355 if (m_Revision >= 6) {
356 Revision6_Hash(password, (const uint8_t*)pkey + 40,
357 bOwner ? ukey.raw_str() : nullptr, digest);
358 } else {
359 CRYPT_SHA256Start(&sha);
360 CRYPT_SHA256Update(&sha, password.raw_str(), password.GetLength());
361 CRYPT_SHA256Update(&sha, pkey + 40, 8);
362 if (bOwner)
363 CRYPT_SHA256Update(&sha, ukey.raw_str(), 48);
364 CRYPT_SHA256Finish(&sha, digest);
365 }
366 ByteString ekey = m_pEncryptDict->GetByteStringFor(bOwner ? "OE" : "UE");
367 if (ekey.GetLength() < 32)
368 return false;
369
370 CRYPT_aes_context aes = {};
371 CRYPT_AESSetKey(&aes, digest, sizeof(digest));
372 uint8_t iv[16] = {};
373 CRYPT_AESSetIV(&aes, iv);
374 CRYPT_AESDecrypt(&aes, m_EncryptKey, ekey.raw_str(), 32);
375 CRYPT_AESSetKey(&aes, m_EncryptKey, sizeof(m_EncryptKey));
376 CRYPT_AESSetIV(&aes, iv);
377 ByteString perms = m_pEncryptDict->GetByteStringFor("Perms");
378 if (perms.IsEmpty())
379 return false;
380
381 uint8_t perms_buf[16] = {};
382 size_t copy_len =
383 std::min(sizeof(perms_buf), static_cast<size_t>(perms.GetLength()));
384 memcpy(perms_buf, perms.raw_str(), copy_len);
385 uint8_t buf[16];
386 CRYPT_AESDecrypt(&aes, buf, perms_buf, 16);
387 if (buf[9] != 'a' || buf[10] != 'd' || buf[11] != 'b')
388 return false;
389
390 if (FXSYS_UINT32_GET_LSBFIRST(buf) != m_Permissions)
391 return false;
392
393 // Relax this check as there appear to be some non-conforming documents
394 // in the wild. The value in the buffer is the truth; if it requires us
395 // to encrypt metadata, but the dictionary says otherwise, then we may
396 // have a tampered doc. Otherwise, give it a pass.
397 return buf[8] == 'F' || IsMetadataEncrypted();
398 }
399
CheckPassword(const ByteString & password,bool bOwner)400 bool CPDF_SecurityHandler::CheckPassword(const ByteString& password,
401 bool bOwner) {
402 DCHECK_EQ(kUnknown, m_PasswordEncodingConversion);
403 if (CheckPasswordImpl(password, bOwner)) {
404 m_PasswordEncodingConversion = kNone;
405 return true;
406 }
407
408 ByteStringView password_view = password.AsStringView();
409 if (password_view.IsASCII())
410 return false;
411
412 if (m_Revision >= 5) {
413 ByteString utf8_password = WideString::FromLatin1(password_view).ToUTF8();
414 if (!CheckPasswordImpl(utf8_password, bOwner))
415 return false;
416
417 m_PasswordEncodingConversion = kLatin1ToUtf8;
418 return true;
419 }
420
421 ByteString latin1_password = WideString::FromUTF8(password_view).ToLatin1();
422 if (!CheckPasswordImpl(latin1_password, bOwner))
423 return false;
424
425 m_PasswordEncodingConversion = kUtf8toLatin1;
426 return true;
427 }
428
CheckPasswordImpl(const ByteString & password,bool bOwner)429 bool CPDF_SecurityHandler::CheckPasswordImpl(const ByteString& password,
430 bool bOwner) {
431 if (m_Revision >= 5)
432 return AES256_CheckPassword(password, bOwner);
433
434 if (bOwner)
435 return CheckOwnerPassword(password);
436
437 return CheckUserPassword(password, false) ||
438 CheckUserPassword(password, true);
439 }
440
CheckUserPassword(const ByteString & password,bool bIgnoreEncryptMeta)441 bool CPDF_SecurityHandler::CheckUserPassword(const ByteString& password,
442 bool bIgnoreEncryptMeta) {
443 CalcEncryptKey(m_pEncryptDict.Get(), password, m_EncryptKey, m_KeyLen,
444 bIgnoreEncryptMeta, m_FileId);
445 ByteString ukey =
446 m_pEncryptDict ? m_pEncryptDict->GetByteStringFor("U") : ByteString();
447 if (ukey.GetLength() < 16) {
448 return false;
449 }
450
451 uint8_t ukeybuf[32];
452 if (m_Revision == 2) {
453 memcpy(ukeybuf, kDefaultPasscode, sizeof(kDefaultPasscode));
454 CRYPT_ArcFourCryptBlock(ukeybuf, {m_EncryptKey, m_KeyLen});
455 return memcmp(ukey.c_str(), ukeybuf, 16) == 0;
456 }
457
458 uint8_t test[32] = {};
459 uint8_t tmpkey[32] = {};
460 uint32_t copy_len = std::min(sizeof(test), ukey.GetLength());
461
462 memcpy(test, ukey.c_str(), copy_len);
463 for (int32_t i = 19; i >= 0; i--) {
464 for (size_t j = 0; j < m_KeyLen; j++)
465 tmpkey[j] = m_EncryptKey[j] ^ static_cast<uint8_t>(i);
466 CRYPT_ArcFourCryptBlock(test, {tmpkey, m_KeyLen});
467 }
468 CRYPT_md5_context md5 = CRYPT_MD5Start();
469 CRYPT_MD5Update(&md5, kDefaultPasscode);
470 if (!m_FileId.IsEmpty())
471 CRYPT_MD5Update(&md5, m_FileId.raw_span());
472 CRYPT_MD5Finish(&md5, ukeybuf);
473 return memcmp(test, ukeybuf, 16) == 0;
474 }
475
GetUserPassword(const ByteString & owner_password) const476 ByteString CPDF_SecurityHandler::GetUserPassword(
477 const ByteString& owner_password) const {
478 constexpr size_t kRequiredOkeyLength = 32;
479 ByteString okey = m_pEncryptDict->GetByteStringFor("O");
480 size_t okeylen = std::min<size_t>(okey.GetLength(), kRequiredOkeyLength);
481 if (okeylen < kRequiredOkeyLength)
482 return ByteString();
483
484 DCHECK_EQ(kRequiredOkeyLength, okeylen);
485 uint8_t passcode[32];
486 GetPassCode(owner_password, passcode);
487 uint8_t digest[16];
488 CRYPT_MD5Generate(passcode, digest);
489 if (m_Revision >= 3) {
490 for (uint32_t i = 0; i < 50; i++)
491 CRYPT_MD5Generate(digest, digest);
492 }
493 uint8_t enckey[32] = {};
494 size_t copy_len = std::min(m_KeyLen, sizeof(digest));
495
496 memcpy(enckey, digest, copy_len);
497 uint8_t okeybuf[32] = {};
498 memcpy(okeybuf, okey.c_str(), okeylen);
499 pdfium::span<uint8_t> okey_span(okeybuf, okeylen);
500 if (m_Revision == 2) {
501 CRYPT_ArcFourCryptBlock(okey_span, {enckey, m_KeyLen});
502 } else {
503 for (int32_t i = 19; i >= 0; i--) {
504 uint8_t tempkey[32] = {};
505 for (size_t j = 0; j < m_KeyLen; j++)
506 tempkey[j] = enckey[j] ^ static_cast<uint8_t>(i);
507 CRYPT_ArcFourCryptBlock(okey_span, {tempkey, m_KeyLen});
508 }
509 }
510 size_t len = kRequiredOkeyLength;
511 while (len && kDefaultPasscode[len - 1] == okey_span[len - 1])
512 len--;
513
514 return ByteString(okeybuf, len);
515 }
516
CheckOwnerPassword(const ByteString & password)517 bool CPDF_SecurityHandler::CheckOwnerPassword(const ByteString& password) {
518 ByteString user_pass = GetUserPassword(password);
519 return CheckUserPassword(user_pass, false) ||
520 CheckUserPassword(user_pass, true);
521 }
522
IsMetadataEncrypted() const523 bool CPDF_SecurityHandler::IsMetadataEncrypted() const {
524 return m_pEncryptDict->GetBooleanFor("EncryptMetadata", true);
525 }
526
GetEncodedPassword(ByteStringView password) const527 ByteString CPDF_SecurityHandler::GetEncodedPassword(
528 ByteStringView password) const {
529 switch (m_PasswordEncodingConversion) {
530 case kNone:
531 // Do nothing.
532 return ByteString(password);
533 case kLatin1ToUtf8:
534 return WideString::FromLatin1(password).ToUTF8();
535 case kUtf8toLatin1:
536 return WideString::FromUTF8(password).ToLatin1();
537 default:
538 NOTREACHED();
539 return ByteString(password);
540 }
541 }
542
OnCreateInternal(CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & user_password,const ByteString & owner_password,bool bDefault)543 void CPDF_SecurityHandler::OnCreateInternal(CPDF_Dictionary* pEncryptDict,
544 const CPDF_Array* pIdArray,
545 const ByteString& user_password,
546 const ByteString& owner_password,
547 bool bDefault) {
548 DCHECK(pEncryptDict);
549
550 CPDF_CryptoHandler::Cipher cipher = CPDF_CryptoHandler::Cipher::kNone;
551 size_t key_len = 0;
552 if (!LoadDict(pEncryptDict, &cipher, &key_len)) {
553 return;
554 }
555 ByteString owner_password_copy = owner_password;
556 if (bDefault && owner_password.IsEmpty())
557 owner_password_copy = user_password;
558
559 if (m_Revision >= 5) {
560 uint32_t random[4];
561 FX_Random_GenerateMT(random, std::size(random));
562 CRYPT_sha2_context sha;
563 CRYPT_SHA256Start(&sha);
564 CRYPT_SHA256Update(&sha, reinterpret_cast<uint8_t*>(random),
565 sizeof(random));
566 CRYPT_SHA256Finish(&sha, m_EncryptKey);
567 AES256_SetPassword(pEncryptDict, user_password, false);
568 if (bDefault)
569 AES256_SetPassword(pEncryptDict, owner_password_copy, true);
570 AES256_SetPerms(pEncryptDict);
571 return;
572 }
573 if (bDefault) {
574 uint8_t passcode[32];
575 GetPassCode(owner_password_copy, passcode);
576 uint8_t digest[16];
577 CRYPT_MD5Generate(passcode, digest);
578 if (m_Revision >= 3) {
579 for (uint32_t i = 0; i < 50; i++)
580 CRYPT_MD5Generate(digest, digest);
581 }
582 uint8_t enckey[32];
583 memcpy(enckey, digest, key_len);
584 GetPassCode(user_password, passcode);
585 CRYPT_ArcFourCryptBlock(passcode, {enckey, key_len});
586 uint8_t tempkey[32];
587 if (m_Revision >= 3) {
588 for (uint8_t i = 1; i <= 19; i++) {
589 for (size_t j = 0; j < key_len; j++)
590 tempkey[j] = enckey[j] ^ i;
591 CRYPT_ArcFourCryptBlock(passcode, {tempkey, key_len});
592 }
593 }
594 pEncryptDict->SetNewFor<CPDF_String>("O", ByteString(passcode, 32), false);
595 }
596
597 ByteString file_id;
598 if (pIdArray)
599 file_id = pIdArray->GetByteStringAt(0);
600
601 CalcEncryptKey(m_pEncryptDict.Get(), user_password, m_EncryptKey, key_len,
602 false, file_id);
603 if (m_Revision < 3) {
604 uint8_t tempbuf[32];
605 memcpy(tempbuf, kDefaultPasscode, sizeof(kDefaultPasscode));
606 CRYPT_ArcFourCryptBlock(tempbuf, {m_EncryptKey, key_len});
607 pEncryptDict->SetNewFor<CPDF_String>("U", ByteString(tempbuf, 32), false);
608 } else {
609 CRYPT_md5_context md5 = CRYPT_MD5Start();
610 CRYPT_MD5Update(&md5, kDefaultPasscode);
611 if (!file_id.IsEmpty())
612 CRYPT_MD5Update(&md5, file_id.raw_span());
613
614 uint8_t digest[32];
615 CRYPT_MD5Finish(&md5, digest);
616 pdfium::span<uint8_t> partial_digest_span(digest, 16);
617 CRYPT_ArcFourCryptBlock(partial_digest_span, {m_EncryptKey, key_len});
618 uint8_t tempkey[32];
619 for (uint8_t i = 1; i <= 19; i++) {
620 for (size_t j = 0; j < key_len; j++)
621 tempkey[j] = m_EncryptKey[j] ^ i;
622 CRYPT_ArcFourCryptBlock(partial_digest_span, {tempkey, key_len});
623 }
624 CRYPT_MD5Generate({digest, 16}, digest + 16);
625 pEncryptDict->SetNewFor<CPDF_String>("U", ByteString(digest, 32), false);
626 }
627 }
628
OnCreate(CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & user_password,const ByteString & owner_password)629 void CPDF_SecurityHandler::OnCreate(CPDF_Dictionary* pEncryptDict,
630 const CPDF_Array* pIdArray,
631 const ByteString& user_password,
632 const ByteString& owner_password) {
633 OnCreateInternal(pEncryptDict, pIdArray, user_password, owner_password, true);
634 InitCryptoHandler();
635 }
636
OnCreate(CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & user_password)637 void CPDF_SecurityHandler::OnCreate(CPDF_Dictionary* pEncryptDict,
638 const CPDF_Array* pIdArray,
639 const ByteString& user_password) {
640 OnCreateInternal(pEncryptDict, pIdArray, user_password, ByteString(), false);
641 InitCryptoHandler();
642 }
643
AES256_SetPassword(CPDF_Dictionary * pEncryptDict,const ByteString & password,bool bOwner)644 void CPDF_SecurityHandler::AES256_SetPassword(CPDF_Dictionary* pEncryptDict,
645 const ByteString& password,
646 bool bOwner) {
647 CRYPT_sha1_context sha;
648 CRYPT_SHA1Start(&sha);
649 CRYPT_SHA1Update(&sha, m_EncryptKey, sizeof(m_EncryptKey));
650 CRYPT_SHA1Update(&sha, (uint8_t*)"hello", 5);
651
652 uint8_t digest[20];
653 CRYPT_SHA1Finish(&sha, digest);
654
655 ByteString ukey = pEncryptDict->GetByteStringFor("U");
656 CRYPT_sha2_context sha2;
657 uint8_t digest1[48];
658 if (m_Revision >= 6) {
659 Revision6_Hash(password, digest, bOwner ? ukey.raw_str() : nullptr,
660 digest1);
661 } else {
662 CRYPT_SHA256Start(&sha2);
663 CRYPT_SHA256Update(&sha2, password.raw_str(), password.GetLength());
664 CRYPT_SHA256Update(&sha2, digest, 8);
665 if (bOwner) {
666 CRYPT_SHA256Update(&sha2, ukey.raw_str(), ukey.GetLength());
667 }
668 CRYPT_SHA256Finish(&sha2, digest1);
669 }
670 memcpy(digest1 + 32, digest, 16);
671 pEncryptDict->SetNewFor<CPDF_String>(bOwner ? "O" : "U",
672 ByteString(digest1, 48), false);
673 if (m_Revision >= 6) {
674 Revision6_Hash(password, digest + 8, bOwner ? ukey.raw_str() : nullptr,
675 digest1);
676 } else {
677 CRYPT_SHA256Start(&sha2);
678 CRYPT_SHA256Update(&sha2, password.raw_str(), password.GetLength());
679 CRYPT_SHA256Update(&sha2, digest + 8, 8);
680 if (bOwner) {
681 CRYPT_SHA256Update(&sha2, ukey.raw_str(), ukey.GetLength());
682 }
683 CRYPT_SHA256Finish(&sha2, digest1);
684 }
685 CRYPT_aes_context aes = {};
686 CRYPT_AESSetKey(&aes, digest1, 32);
687 uint8_t iv[16] = {};
688 CRYPT_AESSetIV(&aes, iv);
689 CRYPT_AESEncrypt(&aes, digest1, m_EncryptKey, sizeof(m_EncryptKey));
690 pEncryptDict->SetNewFor<CPDF_String>(bOwner ? "OE" : "UE",
691 ByteString(digest1, 32), false);
692 }
693
AES256_SetPerms(CPDF_Dictionary * pEncryptDict)694 void CPDF_SecurityHandler::AES256_SetPerms(CPDF_Dictionary* pEncryptDict) {
695 uint8_t buf[16];
696 buf[0] = static_cast<uint8_t>(m_Permissions);
697 buf[1] = static_cast<uint8_t>(m_Permissions >> 8);
698 buf[2] = static_cast<uint8_t>(m_Permissions >> 16);
699 buf[3] = static_cast<uint8_t>(m_Permissions >> 24);
700 buf[4] = 0xff;
701 buf[5] = 0xff;
702 buf[6] = 0xff;
703 buf[7] = 0xff;
704 buf[8] = pEncryptDict->GetBooleanFor("EncryptMetadata", true) ? 'T' : 'F';
705 buf[9] = 'a';
706 buf[10] = 'd';
707 buf[11] = 'b';
708
709 // In ISO 32000 Supplement for ExtensionLevel 3, Algorithm 3.10 says bytes 12
710 // to 15 should be random data.
711 uint32_t* buf_random = reinterpret_cast<uint32_t*>(&buf[12]);
712 FX_Random_GenerateMT(buf_random, 1);
713
714 CRYPT_aes_context aes = {};
715 CRYPT_AESSetKey(&aes, m_EncryptKey, sizeof(m_EncryptKey));
716
717 uint8_t iv[16] = {};
718 CRYPT_AESSetIV(&aes, iv);
719
720 uint8_t buf1[16];
721 CRYPT_AESEncrypt(&aes, buf1, buf, 16);
722 pEncryptDict->SetNewFor<CPDF_String>("Perms", ByteString(buf1, 16), false);
723 }
724
InitCryptoHandler()725 void CPDF_SecurityHandler::InitCryptoHandler() {
726 m_pCryptoHandler =
727 std::make_unique<CPDF_CryptoHandler>(m_Cipher, m_EncryptKey, m_KeyLen);
728 }
729