1 // Copyright 2014 PDFium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
6 
7 #include "core/fpdfapi/parser/cpdf_security_handler.h"
8 
9 #include <time.h>
10 
11 #include <algorithm>
12 #include <utility>
13 #include <vector>
14 
15 #include "core/fdrm/fx_crypt.h"
16 #include "core/fpdfapi/parser/cpdf_array.h"
17 #include "core/fpdfapi/parser/cpdf_crypto_handler.h"
18 #include "core/fpdfapi/parser/cpdf_dictionary.h"
19 #include "core/fpdfapi/parser/cpdf_object.h"
20 #include "core/fpdfapi/parser/cpdf_string.h"
21 #include "core/fxcrt/fx_random.h"
22 #include "third_party/base/ptr_util.h"
23 
24 namespace {
25 
26 const uint8_t kDefaultPasscode[32] = {
27     0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, 0x64, 0x00, 0x4e,
28     0x56, 0xff, 0xfa, 0x01, 0x08, 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68,
29     0x3e, 0x80, 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a};
30 
GetPassCode(const ByteString & password,pdfium::span<uint8_t> output)31 void GetPassCode(const ByteString& password, pdfium::span<uint8_t> output) {
32   DCHECK_EQ(sizeof(kDefaultPasscode), output.size());
33   size_t len = std::min(password.GetLength(), output.size());
34   size_t remaining = output.size() - len;
35   memcpy(output.data(), password.raw_str(), len);
36   if (remaining)
37     memcpy(&output[len], kDefaultPasscode, remaining);
38 }
39 
CalcEncryptKey(const CPDF_Dictionary * pEncrypt,const ByteString & password,uint8_t * key,size_t keylen,bool ignore_metadata,const ByteString & file_id)40 void CalcEncryptKey(const CPDF_Dictionary* pEncrypt,
41                     const ByteString& password,
42                     uint8_t* key,
43                     size_t keylen,
44                     bool ignore_metadata,
45                     const ByteString& file_id) {
46   uint8_t passcode[32];
47   GetPassCode(password, passcode);
48   CRYPT_md5_context md5 = CRYPT_MD5Start();
49   CRYPT_MD5Update(&md5, passcode);
50   ByteString okey = pEncrypt->GetStringFor("O");
51   CRYPT_MD5Update(&md5, okey.raw_span());
52   uint32_t perm = pEncrypt->GetIntegerFor("P");
53   CRYPT_MD5Update(&md5, pdfium::as_bytes(pdfium::make_span(&perm, 1)));
54   if (!file_id.IsEmpty())
55     CRYPT_MD5Update(&md5, file_id.raw_span());
56   const bool is_revision_3_or_greater = pEncrypt->GetIntegerFor("R") >= 3;
57   if (!ignore_metadata && is_revision_3_or_greater &&
58       !pEncrypt->GetBooleanFor("EncryptMetadata", true)) {
59     constexpr uint32_t tag = 0xFFFFFFFF;
60     CRYPT_MD5Update(&md5, pdfium::as_bytes(pdfium::make_span(&tag, 1)));
61   }
62   uint8_t digest[16];
63   CRYPT_MD5Finish(&md5, digest);
64   size_t copy_len = std::min(keylen, sizeof(digest));
65   if (is_revision_3_or_greater) {
66     for (int i = 0; i < 50; i++)
67       CRYPT_MD5Generate({digest, copy_len}, digest);
68   }
69   memset(key, 0, keylen);
70   memcpy(key, digest, copy_len);
71 }
72 
IsValidKeyLengthForCipher(int cipher,size_t keylen)73 bool IsValidKeyLengthForCipher(int cipher, size_t keylen) {
74   switch (cipher) {
75     case FXCIPHER_AES:
76       return keylen == 16 || keylen == 24 || keylen == 32;
77     case FXCIPHER_AES2:
78       return keylen == 32;
79     case FXCIPHER_RC4:
80       return keylen >= 5 && keylen <= 16;
81     case FXCIPHER_NONE:
82       return true;
83     default:
84       NOTREACHED();
85   }
86   return false;
87 }
88 
89 #define FX_GET_32WORD(n, b, i)                                        \
90   {                                                                   \
91     (n) = (uint32_t)(                                                 \
92         ((uint64_t)(b)[(i)] << 24) | ((uint64_t)(b)[(i) + 1] << 16) | \
93         ((uint64_t)(b)[(i) + 2] << 8) | ((uint64_t)(b)[(i) + 3]));    \
94   }
BigOrder64BitsMod3(uint8_t * data)95 int BigOrder64BitsMod3(uint8_t* data) {
96   uint64_t ret = 0;
97   for (int i = 0; i < 4; ++i) {
98     uint32_t value;
99     FX_GET_32WORD(value, data, 4 * i);
100     ret <<= 32;
101     ret |= value;
102     ret %= 3;
103   }
104   return (int)ret;
105 }
106 
Revision6_Hash(const ByteString & password,const uint8_t * salt,const uint8_t * vector,uint8_t * hash)107 void Revision6_Hash(const ByteString& password,
108                     const uint8_t* salt,
109                     const uint8_t* vector,
110                     uint8_t* hash) {
111   CRYPT_sha2_context sha;
112   CRYPT_SHA256Start(&sha);
113   CRYPT_SHA256Update(&sha, password.raw_str(), password.GetLength());
114   CRYPT_SHA256Update(&sha, salt, 8);
115   if (vector)
116     CRYPT_SHA256Update(&sha, vector, 48);
117 
118   uint8_t digest[32];
119   CRYPT_SHA256Finish(&sha, digest);
120 
121   std::vector<uint8_t> buf;
122   uint8_t* input = digest;
123   uint8_t* key = input;
124   uint8_t* iv = input + 16;
125   uint8_t* E = nullptr;
126   int iBufLen = 0;
127   std::vector<uint8_t> interDigest;
128   int i = 0;
129   int iBlockSize = 32;
130   CRYPT_aes_context aes = {};
131   while (i < 64 || i < E[iBufLen - 1] + 32) {
132     int iRoundSize = password.GetLength() + iBlockSize;
133     if (vector) {
134       iRoundSize += 48;
135     }
136     iBufLen = iRoundSize * 64;
137     buf.resize(iBufLen);
138     E = buf.data();
139     std::vector<uint8_t> content;
140     for (int j = 0; j < 64; ++j) {
141       content.insert(std::end(content), password.raw_str(),
142                      password.raw_str() + password.GetLength());
143       content.insert(std::end(content), input, input + iBlockSize);
144       if (vector) {
145         content.insert(std::end(content), vector, vector + 48);
146       }
147     }
148     CRYPT_AESSetKey(&aes, key, 16, true);
149     CRYPT_AESSetIV(&aes, iv);
150     CRYPT_AESEncrypt(&aes, E, content.data(), iBufLen);
151     int iHash = 0;
152     switch (BigOrder64BitsMod3(E)) {
153       case 0:
154         iHash = 0;
155         iBlockSize = 32;
156         break;
157       case 1:
158         iHash = 1;
159         iBlockSize = 48;
160         break;
161       default:
162         iHash = 2;
163         iBlockSize = 64;
164         break;
165     }
166     interDigest.resize(iBlockSize);
167     input = interDigest.data();
168     if (iHash == 0) {
169       CRYPT_SHA256Generate(E, iBufLen, input);
170     } else if (iHash == 1) {
171       CRYPT_SHA384Generate(E, iBufLen, input);
172     } else if (iHash == 2) {
173       CRYPT_SHA512Generate(E, iBufLen, input);
174     }
175     key = input;
176     iv = input + 16;
177     ++i;
178   }
179   if (hash) {
180     memcpy(hash, input, 32);
181   }
182 }
183 
184 }  // namespace
185 
186 CPDF_SecurityHandler::CPDF_SecurityHandler() = default;
187 
188 CPDF_SecurityHandler::~CPDF_SecurityHandler() = default;
189 
OnInit(const CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & password)190 bool CPDF_SecurityHandler::OnInit(const CPDF_Dictionary* pEncryptDict,
191                                   const CPDF_Array* pIdArray,
192                                   const ByteString& password) {
193   if (pIdArray)
194     m_FileId = pIdArray->GetStringAt(0);
195   else
196     m_FileId.clear();
197   if (!LoadDict(pEncryptDict))
198     return false;
199   if (m_Cipher == FXCIPHER_NONE)
200     return true;
201   if (!CheckSecurity(password))
202     return false;
203 
204   InitCryptoHandler();
205   return true;
206 }
207 
CheckSecurity(const ByteString & password)208 bool CPDF_SecurityHandler::CheckSecurity(const ByteString& password) {
209   if (!password.IsEmpty() && CheckPassword(password, true)) {
210     m_bOwnerUnlocked = true;
211     return true;
212   }
213   return CheckPassword(password, false);
214 }
215 
GetPermissions() const216 uint32_t CPDF_SecurityHandler::GetPermissions() const {
217   uint32_t dwPermission = m_bOwnerUnlocked ? 0xFFFFFFFF : m_Permissions;
218   if (m_pEncryptDict && m_pEncryptDict->GetStringFor("Filter") == "Standard") {
219     // See PDF Reference 1.7, page 123, table 3.20.
220     dwPermission &= 0xFFFFFFFC;
221     dwPermission |= 0xFFFFF0C0;
222   }
223   return dwPermission;
224 }
225 
LoadCryptInfo(const CPDF_Dictionary * pEncryptDict,const ByteString & name,int * cipher,size_t * keylen_out)226 static bool LoadCryptInfo(const CPDF_Dictionary* pEncryptDict,
227                           const ByteString& name,
228                           int* cipher,
229                           size_t* keylen_out) {
230   int Version = pEncryptDict->GetIntegerFor("V");
231   *cipher = FXCIPHER_RC4;
232   *keylen_out = 0;
233   int keylen = 0;
234   if (Version >= 4) {
235     const CPDF_Dictionary* pCryptFilters = pEncryptDict->GetDictFor("CF");
236     if (!pCryptFilters)
237       return false;
238 
239     if (name == "Identity") {
240       *cipher = FXCIPHER_NONE;
241     } else {
242       const CPDF_Dictionary* pDefFilter = pCryptFilters->GetDictFor(name);
243       if (!pDefFilter)
244         return false;
245 
246       int nKeyBits = 0;
247       if (Version == 4) {
248         nKeyBits = pDefFilter->GetIntegerFor("Length", 0);
249         if (nKeyBits == 0) {
250           nKeyBits = pEncryptDict->GetIntegerFor("Length", 128);
251         }
252       } else {
253         nKeyBits = pEncryptDict->GetIntegerFor("Length", 256);
254       }
255       if (nKeyBits < 0)
256         return false;
257 
258       if (nKeyBits < 40) {
259         nKeyBits *= 8;
260       }
261       keylen = nKeyBits / 8;
262       ByteString cipher_name = pDefFilter->GetStringFor("CFM");
263       if (cipher_name == "AESV2" || cipher_name == "AESV3")
264         *cipher = FXCIPHER_AES;
265     }
266   } else {
267     keylen = Version > 1 ? pEncryptDict->GetIntegerFor("Length", 40) / 8 : 5;
268   }
269 
270   if (keylen < 0 || keylen > 32)
271     return false;
272   if (!IsValidKeyLengthForCipher(*cipher, keylen))
273     return false;
274 
275   *keylen_out = keylen;
276   return true;
277 }
278 
LoadDict(const CPDF_Dictionary * pEncryptDict)279 bool CPDF_SecurityHandler::LoadDict(const CPDF_Dictionary* pEncryptDict) {
280   m_pEncryptDict.Reset(pEncryptDict);
281   m_Version = pEncryptDict->GetIntegerFor("V");
282   m_Revision = pEncryptDict->GetIntegerFor("R");
283   m_Permissions = pEncryptDict->GetIntegerFor("P", -1);
284   if (m_Version < 4)
285     return LoadCryptInfo(pEncryptDict, ByteString(), &m_Cipher, &m_KeyLen);
286 
287   ByteString stmf_name = pEncryptDict->GetStringFor("StmF");
288   ByteString strf_name = pEncryptDict->GetStringFor("StrF");
289   if (stmf_name != strf_name)
290     return false;
291 
292   return LoadCryptInfo(pEncryptDict, strf_name, &m_Cipher, &m_KeyLen);
293 }
294 
LoadDict(const CPDF_Dictionary * pEncryptDict,int * cipher,size_t * key_len)295 bool CPDF_SecurityHandler::LoadDict(const CPDF_Dictionary* pEncryptDict,
296                                     int* cipher,
297                                     size_t* key_len) {
298   m_pEncryptDict.Reset(pEncryptDict);
299   m_Version = pEncryptDict->GetIntegerFor("V");
300   m_Revision = pEncryptDict->GetIntegerFor("R");
301   m_Permissions = pEncryptDict->GetIntegerFor("P", -1);
302 
303   ByteString strf_name;
304   ByteString stmf_name;
305   if (m_Version >= 4) {
306     stmf_name = pEncryptDict->GetStringFor("StmF");
307     strf_name = pEncryptDict->GetStringFor("StrF");
308     if (stmf_name != strf_name)
309       return false;
310   }
311   if (!LoadCryptInfo(pEncryptDict, strf_name, cipher, key_len))
312     return false;
313 
314   m_Cipher = *cipher;
315   m_KeyLen = *key_len;
316   return true;
317 }
318 
AES256_CheckPassword(const ByteString & password,bool bOwner)319 bool CPDF_SecurityHandler::AES256_CheckPassword(const ByteString& password,
320                                                 bool bOwner) {
321   ASSERT(m_pEncryptDict);
322   ASSERT(m_Revision >= 5);
323 
324   ByteString okey = m_pEncryptDict->GetStringFor("O");
325   if (okey.GetLength() < 48)
326     return false;
327 
328   ByteString ukey = m_pEncryptDict->GetStringFor("U");
329   if (ukey.GetLength() < 48)
330     return false;
331 
332   const uint8_t* pkey = bOwner ? okey.raw_str() : ukey.raw_str();
333   CRYPT_sha2_context sha;
334   uint8_t digest[32];
335   if (m_Revision >= 6) {
336     Revision6_Hash(password, (const uint8_t*)pkey + 32,
337                    bOwner ? ukey.raw_str() : nullptr, digest);
338   } else {
339     CRYPT_SHA256Start(&sha);
340     CRYPT_SHA256Update(&sha, password.raw_str(), password.GetLength());
341     CRYPT_SHA256Update(&sha, pkey + 32, 8);
342     if (bOwner)
343       CRYPT_SHA256Update(&sha, ukey.raw_str(), 48);
344     CRYPT_SHA256Finish(&sha, digest);
345   }
346   if (memcmp(digest, pkey, 32) != 0)
347     return false;
348 
349   if (m_Revision >= 6) {
350     Revision6_Hash(password, (const uint8_t*)pkey + 40,
351                    bOwner ? ukey.raw_str() : nullptr, digest);
352   } else {
353     CRYPT_SHA256Start(&sha);
354     CRYPT_SHA256Update(&sha, password.raw_str(), password.GetLength());
355     CRYPT_SHA256Update(&sha, pkey + 40, 8);
356     if (bOwner)
357       CRYPT_SHA256Update(&sha, ukey.raw_str(), 48);
358     CRYPT_SHA256Finish(&sha, digest);
359   }
360   ByteString ekey = m_pEncryptDict->GetStringFor(bOwner ? "OE" : "UE");
361   if (ekey.GetLength() < 32)
362     return false;
363 
364   CRYPT_aes_context aes = {};
365   CRYPT_AESSetKey(&aes, digest, sizeof(digest), false);
366   uint8_t iv[16] = {};
367   CRYPT_AESSetIV(&aes, iv);
368   CRYPT_AESDecrypt(&aes, m_EncryptKey, ekey.raw_str(), 32);
369   CRYPT_AESSetKey(&aes, m_EncryptKey, sizeof(m_EncryptKey), false);
370   CRYPT_AESSetIV(&aes, iv);
371   ByteString perms = m_pEncryptDict->GetStringFor("Perms");
372   if (perms.IsEmpty())
373     return false;
374 
375   uint8_t perms_buf[16] = {};
376   size_t copy_len =
377       std::min(sizeof(perms_buf), static_cast<size_t>(perms.GetLength()));
378   memcpy(perms_buf, perms.raw_str(), copy_len);
379   uint8_t buf[16];
380   CRYPT_AESDecrypt(&aes, buf, perms_buf, 16);
381   if (buf[9] != 'a' || buf[10] != 'd' || buf[11] != 'b')
382     return false;
383 
384   if (FXDWORD_GET_LSBFIRST(buf) != m_Permissions)
385     return false;
386 
387   // Relax this check as there appear to be some non-conforming documents
388   // in the wild. The value in the buffer is the truth; if it requires us
389   // to encrypt metadata, but the dictionary says otherwise, then we may
390   // have a tampered doc.  Otherwise, give it a pass.
391   return buf[8] == 'F' || IsMetadataEncrypted();
392 }
393 
CheckPassword(const ByteString & password,bool bOwner)394 bool CPDF_SecurityHandler::CheckPassword(const ByteString& password,
395                                          bool bOwner) {
396   DCHECK_EQ(kUnknown, m_PasswordEncodingConversion);
397   if (CheckPasswordImpl(password, bOwner)) {
398     m_PasswordEncodingConversion = kNone;
399     return true;
400   }
401 
402   ByteStringView password_view = password.AsStringView();
403   if (password_view.IsASCII())
404     return false;
405 
406   if (m_Revision >= 5) {
407     ByteString utf8_password = WideString::FromLatin1(password_view).ToUTF8();
408     if (!CheckPasswordImpl(utf8_password, bOwner))
409       return false;
410 
411     m_PasswordEncodingConversion = kLatin1ToUtf8;
412     return true;
413   }
414 
415   ByteString latin1_password = WideString::FromUTF8(password_view).ToLatin1();
416   if (!CheckPasswordImpl(latin1_password, bOwner))
417     return false;
418 
419   m_PasswordEncodingConversion = kUtf8toLatin1;
420   return true;
421 }
422 
CheckPasswordImpl(const ByteString & password,bool bOwner)423 bool CPDF_SecurityHandler::CheckPasswordImpl(const ByteString& password,
424                                              bool bOwner) {
425   if (m_Revision >= 5)
426     return AES256_CheckPassword(password, bOwner);
427 
428   if (bOwner)
429     return CheckOwnerPassword(password);
430 
431   return CheckUserPassword(password, false) ||
432          CheckUserPassword(password, true);
433 }
434 
CheckUserPassword(const ByteString & password,bool bIgnoreEncryptMeta)435 bool CPDF_SecurityHandler::CheckUserPassword(const ByteString& password,
436                                              bool bIgnoreEncryptMeta) {
437   CalcEncryptKey(m_pEncryptDict.Get(), password, m_EncryptKey, m_KeyLen,
438                  bIgnoreEncryptMeta, m_FileId);
439   ByteString ukey =
440       m_pEncryptDict ? m_pEncryptDict->GetStringFor("U") : ByteString();
441   if (ukey.GetLength() < 16) {
442     return false;
443   }
444 
445   uint8_t ukeybuf[32];
446   if (m_Revision == 2) {
447     memcpy(ukeybuf, kDefaultPasscode, sizeof(kDefaultPasscode));
448     CRYPT_ArcFourCryptBlock(ukeybuf, {m_EncryptKey, m_KeyLen});
449     return memcmp(ukey.c_str(), ukeybuf, 16) == 0;
450   }
451 
452   uint8_t test[32] = {};
453   uint8_t tmpkey[32] = {};
454   uint32_t copy_len = std::min(sizeof(test), ukey.GetLength());
455 
456   memcpy(test, ukey.c_str(), copy_len);
457   for (int32_t i = 19; i >= 0; i--) {
458     for (size_t j = 0; j < m_KeyLen; j++)
459       tmpkey[j] = m_EncryptKey[j] ^ static_cast<uint8_t>(i);
460     CRYPT_ArcFourCryptBlock(test, {tmpkey, m_KeyLen});
461   }
462   CRYPT_md5_context md5 = CRYPT_MD5Start();
463   CRYPT_MD5Update(&md5, kDefaultPasscode);
464   if (!m_FileId.IsEmpty())
465     CRYPT_MD5Update(&md5, m_FileId.raw_span());
466   CRYPT_MD5Finish(&md5, ukeybuf);
467   return memcmp(test, ukeybuf, 16) == 0;
468 }
469 
GetUserPassword(const ByteString & owner_password) const470 ByteString CPDF_SecurityHandler::GetUserPassword(
471     const ByteString& owner_password) const {
472   constexpr size_t kRequiredOkeyLength = 32;
473   ByteString okey = m_pEncryptDict->GetStringFor("O");
474   size_t okeylen = std::min<size_t>(okey.GetLength(), kRequiredOkeyLength);
475   if (okeylen < kRequiredOkeyLength)
476     return ByteString();
477 
478   DCHECK_EQ(kRequiredOkeyLength, okeylen);
479   uint8_t passcode[32];
480   GetPassCode(owner_password, passcode);
481   uint8_t digest[16];
482   CRYPT_MD5Generate(passcode, digest);
483   if (m_Revision >= 3) {
484     for (uint32_t i = 0; i < 50; i++)
485       CRYPT_MD5Generate(digest, digest);
486   }
487   uint8_t enckey[32] = {};
488   size_t copy_len = std::min(m_KeyLen, sizeof(digest));
489 
490   memcpy(enckey, digest, copy_len);
491   uint8_t okeybuf[32] = {};
492   memcpy(okeybuf, okey.c_str(), okeylen);
493   pdfium::span<uint8_t> okey_span(okeybuf, okeylen);
494   if (m_Revision == 2) {
495     CRYPT_ArcFourCryptBlock(okey_span, {enckey, m_KeyLen});
496   } else {
497     for (int32_t i = 19; i >= 0; i--) {
498       uint8_t tempkey[32] = {};
499       for (size_t j = 0; j < m_KeyLen; j++)
500         tempkey[j] = enckey[j] ^ static_cast<uint8_t>(i);
501       CRYPT_ArcFourCryptBlock(okey_span, {tempkey, m_KeyLen});
502     }
503   }
504   size_t len = kRequiredOkeyLength;
505   while (len && kDefaultPasscode[len - 1] == okey_span[len - 1])
506     len--;
507 
508   return ByteString(okeybuf, len);
509 }
510 
CheckOwnerPassword(const ByteString & password)511 bool CPDF_SecurityHandler::CheckOwnerPassword(const ByteString& password) {
512   ByteString user_pass = GetUserPassword(password);
513   return CheckUserPassword(user_pass, false) ||
514          CheckUserPassword(user_pass, true);
515 }
516 
IsMetadataEncrypted() const517 bool CPDF_SecurityHandler::IsMetadataEncrypted() const {
518   return m_pEncryptDict->GetBooleanFor("EncryptMetadata", true);
519 }
520 
GetEncodedPassword(ByteStringView password) const521 ByteString CPDF_SecurityHandler::GetEncodedPassword(
522     ByteStringView password) const {
523   switch (m_PasswordEncodingConversion) {
524     case kNone:
525       // Do nothing.
526       return ByteString(password);
527     case kLatin1ToUtf8:
528       return WideString::FromLatin1(password).ToUTF8();
529     case kUtf8toLatin1:
530       return WideString::FromUTF8(password).ToLatin1();
531     default:
532       NOTREACHED();
533       return ByteString(password);
534   }
535 }
536 
OnCreateInternal(CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & user_password,const ByteString & owner_password,bool bDefault)537 void CPDF_SecurityHandler::OnCreateInternal(CPDF_Dictionary* pEncryptDict,
538                                             const CPDF_Array* pIdArray,
539                                             const ByteString& user_password,
540                                             const ByteString& owner_password,
541                                             bool bDefault) {
542   ASSERT(pEncryptDict);
543 
544   int cipher = FXCIPHER_NONE;
545   size_t key_len = 0;
546   if (!LoadDict(pEncryptDict, &cipher, &key_len)) {
547     return;
548   }
549   ByteString owner_password_copy = owner_password;
550   if (bDefault && owner_password.IsEmpty())
551     owner_password_copy = user_password;
552 
553   if (m_Revision >= 5) {
554     uint32_t random[4];
555     FX_Random_GenerateMT(random, FX_ArraySize(random));
556     CRYPT_sha2_context sha;
557     CRYPT_SHA256Start(&sha);
558     CRYPT_SHA256Update(&sha, reinterpret_cast<uint8_t*>(random),
559                        sizeof(random));
560     CRYPT_SHA256Finish(&sha, m_EncryptKey);
561     AES256_SetPassword(pEncryptDict, user_password, false);
562     if (bDefault)
563       AES256_SetPassword(pEncryptDict, owner_password_copy, true);
564     AES256_SetPerms(pEncryptDict);
565     return;
566   }
567   if (bDefault) {
568     uint8_t passcode[32];
569     GetPassCode(owner_password_copy, passcode);
570     uint8_t digest[16];
571     CRYPT_MD5Generate(passcode, digest);
572     if (m_Revision >= 3) {
573       for (uint32_t i = 0; i < 50; i++)
574         CRYPT_MD5Generate(digest, digest);
575     }
576     uint8_t enckey[32];
577     memcpy(enckey, digest, key_len);
578     GetPassCode(user_password, passcode);
579     CRYPT_ArcFourCryptBlock(passcode, {enckey, key_len});
580     uint8_t tempkey[32];
581     if (m_Revision >= 3) {
582       for (uint8_t i = 1; i <= 19; i++) {
583         for (size_t j = 0; j < key_len; j++)
584           tempkey[j] = enckey[j] ^ i;
585         CRYPT_ArcFourCryptBlock(passcode, {tempkey, key_len});
586       }
587     }
588     pEncryptDict->SetNewFor<CPDF_String>("O", ByteString(passcode, 32), false);
589   }
590 
591   ByteString file_id;
592   if (pIdArray)
593     file_id = pIdArray->GetStringAt(0);
594 
595   CalcEncryptKey(m_pEncryptDict.Get(), user_password, m_EncryptKey, key_len,
596                  false, file_id);
597   if (m_Revision < 3) {
598     uint8_t tempbuf[32];
599     memcpy(tempbuf, kDefaultPasscode, sizeof(kDefaultPasscode));
600     CRYPT_ArcFourCryptBlock(tempbuf, {m_EncryptKey, key_len});
601     pEncryptDict->SetNewFor<CPDF_String>("U", ByteString(tempbuf, 32), false);
602   } else {
603     CRYPT_md5_context md5 = CRYPT_MD5Start();
604     CRYPT_MD5Update(&md5, kDefaultPasscode);
605     if (!file_id.IsEmpty())
606       CRYPT_MD5Update(&md5, file_id.raw_span());
607 
608     uint8_t digest[32];
609     CRYPT_MD5Finish(&md5, digest);
610     pdfium::span<uint8_t> partial_digest_span(digest, 16);
611     CRYPT_ArcFourCryptBlock(partial_digest_span, {m_EncryptKey, key_len});
612     uint8_t tempkey[32];
613     for (uint8_t i = 1; i <= 19; i++) {
614       for (size_t j = 0; j < key_len; j++)
615         tempkey[j] = m_EncryptKey[j] ^ i;
616       CRYPT_ArcFourCryptBlock(partial_digest_span, {tempkey, key_len});
617     }
618     CRYPT_MD5Generate({digest, 16}, digest + 16);
619     pEncryptDict->SetNewFor<CPDF_String>("U", ByteString(digest, 32), false);
620   }
621 }
622 
OnCreate(CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & user_password,const ByteString & owner_password)623 void CPDF_SecurityHandler::OnCreate(CPDF_Dictionary* pEncryptDict,
624                                     const CPDF_Array* pIdArray,
625                                     const ByteString& user_password,
626                                     const ByteString& owner_password) {
627   OnCreateInternal(pEncryptDict, pIdArray, user_password, owner_password, true);
628   InitCryptoHandler();
629 }
630 
OnCreate(CPDF_Dictionary * pEncryptDict,const CPDF_Array * pIdArray,const ByteString & user_password)631 void CPDF_SecurityHandler::OnCreate(CPDF_Dictionary* pEncryptDict,
632                                     const CPDF_Array* pIdArray,
633                                     const ByteString& user_password) {
634   OnCreateInternal(pEncryptDict, pIdArray, user_password, ByteString(), false);
635   InitCryptoHandler();
636 }
637 
AES256_SetPassword(CPDF_Dictionary * pEncryptDict,const ByteString & password,bool bOwner)638 void CPDF_SecurityHandler::AES256_SetPassword(CPDF_Dictionary* pEncryptDict,
639                                               const ByteString& password,
640                                               bool bOwner) {
641   CRYPT_sha1_context sha;
642   CRYPT_SHA1Start(&sha);
643   CRYPT_SHA1Update(&sha, m_EncryptKey, sizeof(m_EncryptKey));
644   CRYPT_SHA1Update(&sha, (uint8_t*)"hello", 5);
645 
646   uint8_t digest[20];
647   CRYPT_SHA1Finish(&sha, digest);
648 
649   ByteString ukey = pEncryptDict->GetStringFor("U");
650   CRYPT_sha2_context sha2;
651   uint8_t digest1[48];
652   if (m_Revision >= 6) {
653     Revision6_Hash(password, digest, bOwner ? ukey.raw_str() : nullptr,
654                    digest1);
655   } else {
656     CRYPT_SHA256Start(&sha2);
657     CRYPT_SHA256Update(&sha2, password.raw_str(), password.GetLength());
658     CRYPT_SHA256Update(&sha2, digest, 8);
659     if (bOwner) {
660       CRYPT_SHA256Update(&sha2, ukey.raw_str(), ukey.GetLength());
661     }
662     CRYPT_SHA256Finish(&sha2, digest1);
663   }
664   memcpy(digest1 + 32, digest, 16);
665   pEncryptDict->SetNewFor<CPDF_String>(bOwner ? "O" : "U",
666                                        ByteString(digest1, 48), false);
667   if (m_Revision >= 6) {
668     Revision6_Hash(password, digest + 8, bOwner ? ukey.raw_str() : nullptr,
669                    digest1);
670   } else {
671     CRYPT_SHA256Start(&sha2);
672     CRYPT_SHA256Update(&sha2, password.raw_str(), password.GetLength());
673     CRYPT_SHA256Update(&sha2, digest + 8, 8);
674     if (bOwner) {
675       CRYPT_SHA256Update(&sha2, ukey.raw_str(), ukey.GetLength());
676     }
677     CRYPT_SHA256Finish(&sha2, digest1);
678   }
679   CRYPT_aes_context aes = {};
680   CRYPT_AESSetKey(&aes, digest1, 32, true);
681   uint8_t iv[16] = {};
682   CRYPT_AESSetIV(&aes, iv);
683   CRYPT_AESEncrypt(&aes, digest1, m_EncryptKey, sizeof(m_EncryptKey));
684   pEncryptDict->SetNewFor<CPDF_String>(bOwner ? "OE" : "UE",
685                                        ByteString(digest1, 32), false);
686 }
687 
AES256_SetPerms(CPDF_Dictionary * pEncryptDict)688 void CPDF_SecurityHandler::AES256_SetPerms(CPDF_Dictionary* pEncryptDict) {
689   uint8_t buf[16];
690   buf[0] = static_cast<uint8_t>(m_Permissions);
691   buf[1] = static_cast<uint8_t>(m_Permissions >> 8);
692   buf[2] = static_cast<uint8_t>(m_Permissions >> 16);
693   buf[3] = static_cast<uint8_t>(m_Permissions >> 24);
694   buf[4] = 0xff;
695   buf[5] = 0xff;
696   buf[6] = 0xff;
697   buf[7] = 0xff;
698   buf[8] = pEncryptDict->GetBooleanFor("EncryptMetadata", true) ? 'T' : 'F';
699   buf[9] = 'a';
700   buf[10] = 'd';
701   buf[11] = 'b';
702 
703   // In ISO 32000 Supplement for ExtensionLevel 3, Algorithm 3.10 says bytes 12
704   // to 15 should be random data.
705   uint32_t* buf_random = reinterpret_cast<uint32_t*>(&buf[12]);
706   FX_Random_GenerateMT(buf_random, 1);
707 
708   CRYPT_aes_context aes = {};
709   CRYPT_AESSetKey(&aes, m_EncryptKey, sizeof(m_EncryptKey), true);
710 
711   uint8_t iv[16] = {};
712   CRYPT_AESSetIV(&aes, iv);
713 
714   uint8_t buf1[16];
715   CRYPT_AESEncrypt(&aes, buf1, buf, 16);
716   pEncryptDict->SetNewFor<CPDF_String>("Perms", ByteString(buf1, 16), false);
717 }
718 
InitCryptoHandler()719 void CPDF_SecurityHandler::InitCryptoHandler() {
720   m_pCryptoHandler =
721       pdfium::MakeUnique<CPDF_CryptoHandler>(m_Cipher, m_EncryptKey, m_KeyLen);
722 }
723