1
#include "mupdf/pdf.h"
2

3
enum
4
{
5
	PDF_CRYPT_NONE,
6
	PDF_CRYPT_RC4,
7
	PDF_CRYPT_AESV2,
8
	PDF_CRYPT_AESV3,
9
	PDF_CRYPT_UNKNOWN,
10
};
11

12
enum
13
{
14
	PDF_PERM_PRINT = 1 << 2,
15
	PDF_PERM_CHANGE = 1 << 3,
16
	PDF_PERM_COPY = 1 << 4,
17
	PDF_PERM_NOTES = 1 << 5,
18
	PDF_PERM_FILL_FORM = 1 << 8,
19
	PDF_PERM_ACCESSIBILITY = 1 << 9,
20
	PDF_PERM_ASSEMBLE = 1 << 10,
21
	PDF_PERM_HIGH_RES_PRINT = 1 << 11,
22
	PDF_DEFAULT_PERM_FLAGS = 0xfffc
23
};
24

25
typedef struct pdf_crypt_filter_s pdf_crypt_filter;
26

27
struct pdf_crypt_filter_s
28
{
29
	int method;
30
	int length;
31
};
32

33
struct pdf_crypt_s
34
{
35
	pdf_obj *id;
36

37
	int v;
38
	int length;
39
	pdf_obj *cf;
40
	pdf_crypt_filter stmf;
41
	pdf_crypt_filter strf;
42

43
	int r;
44
	unsigned char o[48];
45
	unsigned char u[48];
46
	unsigned char oe[32];
47
	unsigned char ue[32];
48
	int p;
49
	int encrypt_metadata;
50

51
	unsigned char key[32]; /* decryption key generated from password */
52
};
53

54
static void pdf_parse_crypt_filter(fz_context *ctx, pdf_crypt_filter *cf, pdf_crypt *crypt, pdf_obj *name);
55

56
/*
57
 * Create crypt object for decrypting strings and streams
58
 * given the Encryption and ID objects.
59
 */
60

61
pdf_crypt *
62
pdf_new_crypt(fz_context *ctx, pdf_obj *dict, pdf_obj *id)
63
{
64
	pdf_crypt *crypt;
65
	pdf_obj *obj;
66

67
	crypt = fz_malloc_struct(ctx, pdf_crypt);
68

69
	/* Common to all security handlers (PDF 1.7 table 3.18) */
70

71
	obj = pdf_dict_get(ctx, dict, PDF_NAME_Filter);
72
	if (!pdf_is_name(ctx, obj))
73
	{
74
		pdf_drop_crypt(ctx, crypt);
75
		fz_throw(ctx, FZ_ERROR_GENERIC, "unspecified encryption handler");
76
	}
77
	if (!pdf_name_eq(ctx, PDF_NAME_Standard, obj) != 0)
78
	{
79
		pdf_drop_crypt(ctx, crypt);
80
		fz_throw(ctx, FZ_ERROR_GENERIC, "unknown encryption handler: '%s'", pdf_to_name(ctx, obj));
81
	}
82

83
	crypt->v = 0;
84
	obj = pdf_dict_get(ctx, dict, PDF_NAME_V);
85
	if (pdf_is_int(ctx, obj))
86
		crypt->v = pdf_to_int(ctx, obj);
87
	if (crypt->v != 1 && crypt->v != 2 && crypt->v != 4 && crypt->v != 5)
88
	{
89
		pdf_drop_crypt(ctx, crypt);
90
		fz_throw(ctx, FZ_ERROR_GENERIC, "unknown encryption version");
91
	}
92

93
	/* Standard security handler (PDF 1.7 table 3.19) */
94

95
	obj = pdf_dict_get(ctx, dict, PDF_NAME_R);
96
	if (pdf_is_int(ctx, obj))
97
		crypt->r = pdf_to_int(ctx, obj);
98
	else if (crypt->v <= 4)
99
	{
100
		fz_warn(ctx, "encryption dictionary missing revision value, guessing...");
101
		if (crypt->v < 2)
102
			crypt->r = 2;
103
		else if (crypt->v == 2)
104
			crypt->r = 3;
105
		else if (crypt->v == 4)
106
			crypt->r = 4;
107
	}
108
	else
109
	{
110
		pdf_drop_crypt(ctx, crypt);
111
		fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing version and revision value");
112
	}
113
	if (crypt->r < 1 || crypt->r > 6)
114
	{
115
		int r = crypt->r;
116
		pdf_drop_crypt(ctx, crypt);
117
		fz_throw(ctx, FZ_ERROR_GENERIC, "unknown crypt revision %d", r);
118
	}
119

120
	obj = pdf_dict_get(ctx, dict, PDF_NAME_O);
121
	if (pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) == 32)
122
		memcpy(crypt->o, pdf_to_str_buf(ctx, obj), 32);
123
	/* /O and /U are supposed to be 48 bytes long for revision 5 and 6, they're often longer, though */
124
	else if (crypt->r >= 5 && pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) >= 48)
125
		memcpy(crypt->o, pdf_to_str_buf(ctx, obj), 48);
126
	else
127
	{
128
		pdf_drop_crypt(ctx, crypt);
129
		fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing owner password");
130
	}
131

132
	obj = pdf_dict_get(ctx, dict, PDF_NAME_U);
133
	if (pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) == 32)
134
		memcpy(crypt->u, pdf_to_str_buf(ctx, obj), 32);
135
	/* /O and /U are supposed to be 48 bytes long for revision 5 and 6, they're often longer, though */
136
	else if (crypt->r >= 5 && pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) >= 48)
137
		memcpy(crypt->u, pdf_to_str_buf(ctx, obj), 48);
138
	else if (pdf_is_string(ctx, obj) && pdf_to_str_len(ctx, obj) < 32)
139
	{
140
		fz_warn(ctx, "encryption password key too short (%d)", pdf_to_str_len(ctx, obj));
141
		memcpy(crypt->u, pdf_to_str_buf(ctx, obj), pdf_to_str_len(ctx, obj));
142
	}
143
	else
144
	{
145
		pdf_drop_crypt(ctx, crypt);
146
		fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing user password");
147
	}
148

149
	obj = pdf_dict_get(ctx, dict, PDF_NAME_P);
150
	if (pdf_is_int(ctx, obj))
151
		crypt->p = pdf_to_int(ctx, obj);
152
	else
153
	{
154
		fz_warn(ctx, "encryption dictionary missing permissions");
155
		crypt->p = 0xfffffffc;
156
	}
157

158
	if (crypt->r == 5 || crypt->r == 6)
159
	{
160
		obj = pdf_dict_get(ctx, dict, PDF_NAME_OE);
161
		if (!pdf_is_string(ctx, obj) || pdf_to_str_len(ctx, obj) != 32)
162
		{
163
			pdf_drop_crypt(ctx, crypt);
164
			fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing owner encryption key");
165
		}
166
		memcpy(crypt->oe, pdf_to_str_buf(ctx, obj), 32);
167

168
		obj = pdf_dict_get(ctx, dict, PDF_NAME_UE);
169
		if (!pdf_is_string(ctx, obj) || pdf_to_str_len(ctx, obj) != 32)
170
		{
171
			pdf_drop_crypt(ctx, crypt);
172
			fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing user encryption key");
173
		}
174
		memcpy(crypt->ue, pdf_to_str_buf(ctx, obj), 32);
175
	}
176

177
	crypt->encrypt_metadata = 1;
178
	obj = pdf_dict_get(ctx, dict, PDF_NAME_EncryptMetadata);
179
	if (pdf_is_bool(ctx, obj))
180
		crypt->encrypt_metadata = pdf_to_bool(ctx, obj);
181

182
	/* Extract file identifier string */
183

184
	if (pdf_is_array(ctx, id) && pdf_array_len(ctx, id) == 2)
185
	{
186
		obj = pdf_array_get(ctx, id, 0);
187
		if (pdf_is_string(ctx, obj))
188
			crypt->id = pdf_keep_obj(ctx, obj);
189
	}
190
	else
191
		fz_warn(ctx, "missing file identifier, may not be able to do decryption");
192

193
	/* Determine encryption key length */
194

195
	crypt->length = 40;
196
	if (crypt->v == 2 || crypt->v == 4)
197
	{
198
		obj = pdf_dict_get(ctx, dict, PDF_NAME_Length);
199
		if (pdf_is_int(ctx, obj))
200
			crypt->length = pdf_to_int(ctx, obj);
201

202
		/* work-around for pdf generators that assume length is in bytes */
203
		if (crypt->length < 40)
204
			crypt->length = crypt->length * 8;
205

206
		if (crypt->length % 8 != 0)
207
		{
208
			pdf_drop_crypt(ctx, crypt);
209
			fz_throw(ctx, FZ_ERROR_GENERIC, "invalid encryption key length");
210
		}
211
		if (crypt->length < 40 || crypt->length > 128)
212
		{
213
			pdf_drop_crypt(ctx, crypt);
214
			fz_throw(ctx, FZ_ERROR_GENERIC, "invalid encryption key length");
215
		}
216
	}
217

218
	if (crypt->v == 5)
219
		crypt->length = 256;
220

221
	if (crypt->v == 1 || crypt->v == 2)
222
	{
223
		crypt->stmf.method = PDF_CRYPT_RC4;
224
		crypt->stmf.length = crypt->length;
225

226
		crypt->strf.method = PDF_CRYPT_RC4;
227
		crypt->strf.length = crypt->length;
228
	}
229

230
	if (crypt->v == 4 || crypt->v == 5)
231
	{
232
		crypt->stmf.method = PDF_CRYPT_NONE;
233
		crypt->stmf.length = crypt->length;
234

235
		crypt->strf.method = PDF_CRYPT_NONE;
236
		crypt->strf.length = crypt->length;
237

238
		obj = pdf_dict_get(ctx, dict, PDF_NAME_CF);
239
		if (pdf_is_dict(ctx, obj))
240
		{
241
			crypt->cf = pdf_keep_obj(ctx, obj);
242
		}
243
		else
244
		{
245
			crypt->cf = NULL;
246
		}
247

248
		fz_try(ctx)
249
		{
250
			obj = pdf_dict_get(ctx, dict, PDF_NAME_StmF);
251
			if (pdf_is_name(ctx, obj))
252
				pdf_parse_crypt_filter(ctx, &crypt->stmf, crypt, obj);
253

254
			obj = pdf_dict_get(ctx, dict, PDF_NAME_StrF);
255
			if (pdf_is_name(ctx, obj))
256
				pdf_parse_crypt_filter(ctx, &crypt->strf, crypt, obj);
257
		}
258
		fz_catch(ctx)
259
		{
260
			pdf_drop_crypt(ctx, crypt);
261
			fz_rethrow_message(ctx, "cannot parse string crypt filter (%d %d R)", pdf_to_num(ctx, obj), pdf_to_gen(ctx, obj));
262
		}
263

264
		/* in crypt revision 4, the crypt filter determines the key length */
265
		if (crypt->strf.method != PDF_CRYPT_NONE)
266
			crypt->length = crypt->stmf.length;
267
	}
268

269
	return crypt;
270
}
271

272
void
273
pdf_drop_crypt(fz_context *ctx, pdf_crypt *crypt)
274
{
275
	pdf_drop_obj(ctx, crypt->id);
276
	pdf_drop_obj(ctx, crypt->cf);
277
	fz_free(ctx, crypt);
278
}
279

280
/*
281
 * Parse a CF dictionary entry (PDF 1.7 table 3.22)
282
 */
283

284
static void
285
pdf_parse_crypt_filter(fz_context *ctx, pdf_crypt_filter *cf, pdf_crypt *crypt, pdf_obj *name)
286
{
287
	pdf_obj *obj;
288
	pdf_obj *dict;
289
	int is_identity = (pdf_name_eq(ctx, name, PDF_NAME_Identity));
290
	int is_stdcf = (!is_identity && pdf_name_eq(ctx, name, PDF_NAME_StdCF));
291

292
	if (!is_identity && !is_stdcf)
293
		fz_throw(ctx, FZ_ERROR_GENERIC, "Crypt Filter not Identity or StdCF (%d %d R)", pdf_to_num(ctx, crypt->cf), pdf_to_gen(ctx, crypt->cf));
294

295
	cf->method = PDF_CRYPT_NONE;
296
	cf->length = crypt->length;
297

298
	if (!crypt->cf)
299
	{
300
		cf->method = (is_identity ? PDF_CRYPT_NONE : PDF_CRYPT_RC4);
301
		return;
302
	}
303

304
	dict = pdf_dict_get(ctx, crypt->cf, name);
305
	if (!pdf_is_dict(ctx, dict))
306
		fz_throw(ctx, FZ_ERROR_GENERIC, "cannot parse crypt filter (%d %d R)", pdf_to_num(ctx, crypt->cf), pdf_to_gen(ctx, crypt->cf));
307

308
	obj = pdf_dict_get(ctx, dict, PDF_NAME_CFM);
309
	if (pdf_is_name(ctx, obj))
310
	{
311
		if (pdf_name_eq(ctx, PDF_NAME_None, obj))
312
			cf->method = PDF_CRYPT_NONE;
313
		else if (pdf_name_eq(ctx, PDF_NAME_V2, obj))
314
			cf->method = PDF_CRYPT_RC4;
315
		else if (pdf_name_eq(ctx, PDF_NAME_AESV2, obj))
316
			cf->method = PDF_CRYPT_AESV2;
317
		else if (pdf_name_eq(ctx, PDF_NAME_AESV3, obj))
318
			cf->method = PDF_CRYPT_AESV3;
319
		else
320
			fz_warn(ctx, "unknown encryption method: %s", pdf_to_name(ctx, obj));
321
	}
322

323
	obj = pdf_dict_get(ctx, dict, PDF_NAME_Length);
324
	if (pdf_is_int(ctx, obj))
325
		cf->length = pdf_to_int(ctx, obj);
326

327
	/* the length for crypt filters is supposed to be in bytes not bits */
328
	if (cf->length < 40)
329
		cf->length = cf->length * 8;
330

331
	if ((cf->length % 8) != 0)
332
		fz_throw(ctx, FZ_ERROR_GENERIC, "invalid key length: %d", cf->length);
333

334
	if ((crypt->r == 1 || crypt->r == 2 || crypt->r == 3 || crypt->r == 4) &&
335
		(cf->length < 0 || cf->length > 128))
336
		fz_throw(ctx, FZ_ERROR_GENERIC, "invalid key length: %d", cf->length);
337
	if ((crypt->r == 5 || crypt->r == 6) && cf->length != 256)
338
		fz_throw(ctx, FZ_ERROR_GENERIC, "invalid key length: %d", cf->length);
339
}
340

341
/*
342
 * Compute an encryption key (PDF 1.7 algorithm 3.2)
343
 */
344

345
static const unsigned char padding[32] =
346
{
347
	0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41,
348
	0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08,
349
	0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80,
350
	0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a
351
};
352

353
static void
354
pdf_compute_encryption_key(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, int pwlen, unsigned char *key)
355
{
356
	unsigned char buf[32];
357
	unsigned int p;
358
	int i, n;
359
	fz_md5 md5;
360

361
	n = crypt->length / 8;
362

363
	/* Step 1 - copy and pad password string */
364
	if (pwlen > 32)
365
		pwlen = 32;
366
	memcpy(buf, password, pwlen);
367
	memcpy(buf + pwlen, padding, 32 - pwlen);
368

369
	/* Step 2 - init md5 and pass value of step 1 */
370
	fz_md5_init(&md5);
371
	fz_md5_update(&md5, buf, 32);
372

373
	/* Step 3 - pass O value */
374
	fz_md5_update(&md5, crypt->o, 32);
375

376
	/* Step 4 - pass P value as unsigned int, low-order byte first */
377
	p = (unsigned int) crypt->p;
378
	buf[0] = (p) & 0xFF;
379
	buf[1] = (p >> 8) & 0xFF;
380
	buf[2] = (p >> 16) & 0xFF;
381
	buf[3] = (p >> 24) & 0xFF;
382
	fz_md5_update(&md5, buf, 4);
383

384
	/* Step 5 - pass first element of ID array */
385
	fz_md5_update(&md5, (unsigned char *)pdf_to_str_buf(ctx, crypt->id), pdf_to_str_len(ctx, crypt->id));
386

387
	/* Step 6 (revision 4 or greater) - if metadata is not encrypted pass 0xFFFFFFFF */
388
	if (crypt->r >= 4)
389
	{
390
		if (!crypt->encrypt_metadata)
391
		{
392
			buf[0] = 0xFF;
393
			buf[1] = 0xFF;
394
			buf[2] = 0xFF;
395
			buf[3] = 0xFF;
396
			fz_md5_update(&md5, buf, 4);
397
		}
398
	}
399

400
	/* Step 7 - finish the hash */
401
	fz_md5_final(&md5, buf);
402

403
	/* Step 8 (revision 3 or greater) - do some voodoo 50 times */
404
	if (crypt->r >= 3)
405
	{
406
		for (i = 0; i < 50; i++)
407
		{
408
			fz_md5_init(&md5);
409
			fz_md5_update(&md5, buf, n);
410
			fz_md5_final(&md5, buf);
411
		}
412
	}
413

414
	/* Step 9 - the key is the first 'n' bytes of the result */
415
	memcpy(key, buf, n);
416
}
417

418
/*
419
 * Compute an encryption key (PDF 1.7 ExtensionLevel 3 algorithm 3.2a)
420
 */
421

422
static void
423
pdf_compute_encryption_key_r5(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, int pwlen, int ownerkey, unsigned char *validationkey)
424
{
425
	unsigned char buffer[128 + 8 + 48];
426
	fz_sha256 sha256;
427
	fz_aes aes;
428

429
	/* Step 2 - truncate UTF-8 password to 127 characters */
430

431
	if (pwlen > 127)
432
		pwlen = 127;
433

434
	/* Step 3/4 - test password against owner/user key and compute encryption key */
435

436
	memcpy(buffer, password, pwlen);
437
	if (ownerkey)
438
	{
439
		memcpy(buffer + pwlen, crypt->o + 32, 8);
440
		memcpy(buffer + pwlen + 8, crypt->u, 48);
441
	}
442
	else
443
		memcpy(buffer + pwlen, crypt->u + 32, 8);
444

445
	fz_sha256_init(&sha256);
446
	fz_sha256_update(&sha256, buffer, pwlen + 8 + (ownerkey ? 48 : 0));
447
	fz_sha256_final(&sha256, validationkey);
448

449
	/* Step 3.5/4.5 - compute file encryption key from OE/UE */
450

451
	memcpy(buffer + pwlen, crypt->u + 40, 8);
452

453
	fz_sha256_init(&sha256);
454
	fz_sha256_update(&sha256, buffer, pwlen + 8);
455
	fz_sha256_final(&sha256, buffer);
456

457
	/* clear password buffer and use it as iv */
458
	memset(buffer + 32, 0, sizeof(buffer) - 32);
459
	if (aes_setkey_dec(&aes, buffer, crypt->length))
460
		fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=%d)", crypt->length);
461
	aes_crypt_cbc(&aes, AES_DECRYPT, 32, buffer + 32, ownerkey ? crypt->oe : crypt->ue, crypt->key);
462
}
463

464
/*
465
 * Compute an encryption key (PDF 1.7 ExtensionLevel 8 algorithm)
466
 *
467
 * Adobe has not yet released the details, so the algorithm reference is:
468
 * http://esec-lab.sogeti.com/post/The-undocumented-password-validation-algorithm-of-Adobe-Reader-X
469
 */
470

471
static void
472
pdf_compute_hardened_hash_r6(fz_context *ctx, unsigned char *password, int pwlen, unsigned char salt[16], unsigned char *ownerkey, unsigned char hash[32])
473
{
474
	unsigned char data[(128 + 64 + 48) * 64];
475
	unsigned char block[64];
476
	int block_size = 32;
477
	int data_len = 0;
478
	int i, j, sum;
479

480
	fz_sha256 sha256;
481
	fz_sha384 sha384;
482
	fz_sha512 sha512;
483
	fz_aes aes;
484

485
	/* Step 1: calculate initial data block */
486
	fz_sha256_init(&sha256);
487
	fz_sha256_update(&sha256, password, pwlen);
488
	fz_sha256_update(&sha256, salt, 8);
489
	if (ownerkey)
490
		fz_sha256_update(&sha256, ownerkey, 48);
491
	fz_sha256_final(&sha256, block);
492

493
	for (i = 0; i < 64 || i < data[data_len * 64 - 1] + 32; i++)
494
	{
495
		/* Step 2: repeat password and data block 64 times */
496
		memcpy(data, password, pwlen);
497
		memcpy(data + pwlen, block, block_size);
498
		if (ownerkey)
499
			memcpy(data + pwlen + block_size, ownerkey, 48);
500
		data_len = pwlen + block_size + (ownerkey ? 48 : 0);
501
		for (j = 1; j < 64; j++)
502
			memcpy(data + j * data_len, data, data_len);
503

504
		/* Step 3: encrypt data using data block as key and iv */
505
		if (aes_setkey_enc(&aes, block, 128))
506
			fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=%d)", 128);
507
		aes_crypt_cbc(&aes, AES_ENCRYPT, data_len * 64, block + 16, data, data);
508

509
		/* Step 4: determine SHA-2 hash size for this round */
510
		for (j = 0, sum = 0; j < 16; j++)
511
			sum += data[j];
512

513
		/* Step 5: calculate data block for next round */
514
		block_size = 32 + (sum % 3) * 16;
515
		switch (block_size)
516
		{
517
		case 32:
518
			fz_sha256_init(&sha256);
519
			fz_sha256_update(&sha256, data, data_len * 64);
520
			fz_sha256_final(&sha256, block);
521
			break;
522
		case 48:
523
			fz_sha384_init(&sha384);
524
			fz_sha384_update(&sha384, data, data_len * 64);
525
			fz_sha384_final(&sha384, block);
526
			break;
527
		case 64:
528
			fz_sha512_init(&sha512);
529
			fz_sha512_update(&sha512, data, data_len * 64);
530
			fz_sha512_final(&sha512, block);
531
			break;
532
		}
533
	}
534

535
	memset(data, 0, sizeof(data));
536
	memcpy(hash, block, 32);
537
}
538

539
static void
540
pdf_compute_encryption_key_r6(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, int pwlen, int ownerkey, unsigned char *validationkey)
541
{
542
	unsigned char hash[32];
543
	unsigned char iv[16];
544
	fz_aes aes;
545

546
	if (pwlen > 127)
547
		pwlen = 127;
548

549
	pdf_compute_hardened_hash_r6(ctx, password, pwlen,
550
		(ownerkey ? crypt->o : crypt->u) + 32,
551
		ownerkey ? crypt->u : NULL, validationkey);
552
	pdf_compute_hardened_hash_r6(ctx, password, pwlen,
553
		crypt->u + 40, NULL, hash);
554

555
	memset(iv, 0, sizeof(iv));
556
	if (aes_setkey_dec(&aes, hash, 256))
557
		fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=256)");
558
	aes_crypt_cbc(&aes, AES_DECRYPT, 32, iv,
559
		ownerkey ? crypt->oe : crypt->ue, crypt->key);
560
}
561

562
/*
563
 * Computing the user password (PDF 1.7 algorithm 3.4 and 3.5)
564
 * Also save the generated key for decrypting objects and streams in crypt->key.
565
 */
566

567
static void
568
pdf_compute_user_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, int pwlen, unsigned char *output)
569
{
570
	if (crypt->r == 2)
571
	{
572
		fz_arc4 arc4;
573

574
		pdf_compute_encryption_key(ctx, crypt, password, pwlen, crypt->key);
575
		fz_arc4_init(&arc4, crypt->key, crypt->length / 8);
576
		fz_arc4_encrypt(&arc4, output, padding, 32);
577
	}
578

579
	if (crypt->r == 3 || crypt->r == 4)
580
	{
581
		unsigned char xor[32];
582
		unsigned char digest[16];
583
		fz_md5 md5;
584
		fz_arc4 arc4;
585
		int i, x, n;
586

587
		n = crypt->length / 8;
588

589
		pdf_compute_encryption_key(ctx, crypt, password, pwlen, crypt->key);
590

591
		fz_md5_init(&md5);
592
		fz_md5_update(&md5, padding, 32);
593
		fz_md5_update(&md5, (unsigned char*)pdf_to_str_buf(ctx, crypt->id), pdf_to_str_len(ctx, crypt->id));
594
		fz_md5_final(&md5, digest);
595

596
		fz_arc4_init(&arc4, crypt->key, n);
597
		fz_arc4_encrypt(&arc4, output, digest, 16);
598

599
		for (x = 1; x <= 19; x++)
600
		{
601
			for (i = 0; i < n; i++)
602
				xor[i] = crypt->key[i] ^ x;
603
			fz_arc4_init(&arc4, xor, n);
604
			fz_arc4_encrypt(&arc4, output, output, 16);
605
		}
606

607
		memcpy(output + 16, padding, 16);
608
	}
609

610
	if (crypt->r == 5)
611
	{
612
		pdf_compute_encryption_key_r5(ctx, crypt, password, pwlen, 0, output);
613
	}
614

615
	if (crypt->r == 6)
616
	{
617
		pdf_compute_encryption_key_r6(ctx, crypt, password, pwlen, 0, output);
618
	}
619
}
620

621
/*
622
 * Authenticating the user password (PDF 1.7 algorithm 3.6
623
 * and ExtensionLevel 3 algorithm 3.11)
624
 * This also has the side effect of saving a key generated
625
 * from the password for decrypting objects and streams.
626
 */
627

628
static int
629
pdf_authenticate_user_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, int pwlen)
630
{
631
	unsigned char output[32];
632
	pdf_compute_user_password(ctx, crypt, password, pwlen, output);
633
	if (crypt->r == 2 || crypt->r == 5 || crypt->r == 6)
634
		return memcmp(output, crypt->u, 32) == 0;
635
	if (crypt->r == 3 || crypt->r == 4)
636
		return memcmp(output, crypt->u, 16) == 0;
637
	return 0;
638
}
639

640
/*
641
 * Authenticating the owner password (PDF 1.7 algorithm 3.7
642
 * and ExtensionLevel 3 algorithm 3.12)
643
 * Generates the user password from the owner password
644
 * and calls pdf_authenticate_user_password.
645
 */
646

647
static int
648
pdf_authenticate_owner_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *ownerpass, int pwlen)
649
{
650
	unsigned char pwbuf[32];
651
	unsigned char key[32];
652
	unsigned char xor[32];
653
	unsigned char userpass[32];
654
	int i, n, x;
655
	fz_md5 md5;
656
	fz_arc4 arc4;
657

658
	if (crypt->r == 5)
659
	{
660
		/* PDF 1.7 ExtensionLevel 3 algorithm 3.12 */
661
		pdf_compute_encryption_key_r5(ctx, crypt, ownerpass, pwlen, 1, key);
662
		return !memcmp(key, crypt->o, 32);
663
	}
664
	else if (crypt->r == 6)
665
	{
666
		/* PDF 1.7 ExtensionLevel 8 algorithm */
667
		pdf_compute_encryption_key_r6(ctx, crypt, ownerpass, pwlen, 1, key);
668
		return !memcmp(key, crypt->o, 32);
669
	}
670

671
	n = crypt->length / 8;
672

673
	/* Step 1 -- steps 1 to 4 of PDF 1.7 algorithm 3.3 */
674

675
	/* copy and pad password string */
676
	if (pwlen > 32)
677
		pwlen = 32;
678
	memcpy(pwbuf, ownerpass, pwlen);
679
	memcpy(pwbuf + pwlen, padding, 32 - pwlen);
680

681
	/* take md5 hash of padded password */
682
	fz_md5_init(&md5);
683
	fz_md5_update(&md5, pwbuf, 32);
684
	fz_md5_final(&md5, key);
685

686
	/* do some voodoo 50 times (Revision 3 or greater) */
687
	if (crypt->r >= 3)
688
	{
689
		for (i = 0; i < 50; i++)
690
		{
691
			fz_md5_init(&md5);
692
			fz_md5_update(&md5, key, 16);
693
			fz_md5_final(&md5, key);
694
		}
695
	}
696

697
	/* Step 2 (Revision 2) */
698
	if (crypt->r == 2)
699
	{
700
		fz_arc4_init(&arc4, key, n);
701
		fz_arc4_encrypt(&arc4, userpass, crypt->o, 32);
702
	}
703

704
	/* Step 2 (Revision 3 or greater) */
705
	if (crypt->r >= 3)
706
	{
707
		memcpy(userpass, crypt->o, 32);
708
		for (x = 0; x < 20; x++)
709
		{
710
			for (i = 0; i < n; i++)
711
				xor[i] = key[i] ^ (19 - x);
712
			fz_arc4_init(&arc4, xor, n);
713
			fz_arc4_encrypt(&arc4, userpass, userpass, 32);
714
		}
715
	}
716

717
	return pdf_authenticate_user_password(ctx, crypt, userpass, 32);
718
}
719

720
static void pdf_docenc_from_utf8(char *password, const char *utf8, int n)
721
{
722
	int i = 0, k, c;
723
	while (*utf8 && i + 1 < n)
724
	{
725
		utf8 += fz_chartorune(&c, utf8);
726
		for (k = 0; k < 256; k++)
727
		{
728
			if (c == pdf_doc_encoding[k])
729
			{
730
				password[i++] = k;
731
				break;
732
			}
733
		}
734
		/* FIXME: drop characters that can't be encoded or return an error? */
735
	}
736
	password[i] = 0;
737
}
738

739
static void pdf_saslprep_from_utf8(char *password, const char *utf8, int n)
740
{
741
	/* TODO: stringprep with SALSprep profile */
742
	fz_strlcpy(password, utf8, n);
743
}
744

745
int
746
pdf_authenticate_password(fz_context *ctx, pdf_document *doc, const char *pwd_utf8)
747
{
748
	char password[2048];
749

750
	if (doc->crypt)
751
	{
752
		password[0] = 0;
753
		if (pwd_utf8)
754
		{
755
			if (doc->crypt->r <= 4)
756
				pdf_docenc_from_utf8(password, pwd_utf8, sizeof password);
757
			else
758
				pdf_saslprep_from_utf8(password, pwd_utf8, sizeof password);
759
		}
760

761
		if (pdf_authenticate_user_password(ctx, doc->crypt, (unsigned char *)password, strlen(password)))
762
			return 1;
763
		if (pdf_authenticate_owner_password(ctx, doc->crypt, (unsigned char *)password, strlen(password)))
764
			return 1;
765
		return 0;
766
	}
767
	return 1;
768
}
769

770
int
771
pdf_needs_password(fz_context *ctx, pdf_document *doc)
772
{
773
	if (!doc->crypt)
774
		return 0;
775
	if (pdf_authenticate_password(ctx, doc, ""))
776
		return 0;
777
	return 1;
778
}
779

780
int
781
pdf_has_permission(fz_context *ctx, pdf_document *doc, fz_permission p)
782
{
783
	if (!doc->crypt)
784
		return 1;
785
	switch (p)
786
	{
787
	case FZ_PERMISSION_PRINT: return doc->crypt->p & PDF_PERM_PRINT;
788
	case FZ_PERMISSION_COPY: return doc->crypt->p & PDF_PERM_COPY;
789
	case FZ_PERMISSION_EDIT: return doc->crypt->p & PDF_PERM_CHANGE;
790
	case FZ_PERMISSION_ANNOTATE: return doc->crypt->p & PDF_PERM_NOTES;
791
	}
792
	return 1;
793
}
794

795
unsigned char *
796
pdf_crypt_key(fz_context *ctx, pdf_document *doc)
797
{
798
	if (doc->crypt)
799
		return doc->crypt->key;
800
	return NULL;
801
}
802

803
int
804
pdf_crypt_version(fz_context *ctx, pdf_document *doc)
805
{
806
	if (doc->crypt)
807
		return doc->crypt->v;
808
	return 0;
809
}
810

811
int pdf_crypt_revision(fz_context *ctx, pdf_document *doc)
812
{
813
	if (doc->crypt)
814
		return doc->crypt->r;
815
	return 0;
816
}
817

818
char *
819
pdf_crypt_method(fz_context *ctx, pdf_document *doc)
820
{
821
	if (doc->crypt)
822
	{
823
		switch (doc->crypt->strf.method)
824
		{
825
		case PDF_CRYPT_NONE: return "None";
826
		case PDF_CRYPT_RC4: return "RC4";
827
		case PDF_CRYPT_AESV2: return "AES";
828
		case PDF_CRYPT_AESV3: return "AES";
829
		case PDF_CRYPT_UNKNOWN: return "Unknown";
830
		}
831
	}
832
	return "None";
833
}
834

835
int
836
pdf_crypt_length(fz_context *ctx, pdf_document *doc)
837
{
838
	if (doc->crypt)
839
		return doc->crypt->length;
840
	return 0;
841
}
842

843
/*
844
 * PDF 1.7 algorithm 3.1 and ExtensionLevel 3 algorithm 3.1a
845
 *
846
 * Using the global encryption key that was generated from the
847
 * password, create a new key that is used to decrypt individual
848
 * objects and streams. This key is based on the object and
849
 * generation numbers.
850
 */
851

852
static int
853
pdf_compute_object_key(pdf_crypt *crypt, pdf_crypt_filter *cf, int num, int gen, unsigned char *key, int max_len)
854
{
855
	fz_md5 md5;
856
	unsigned char message[5];
857
	int key_len = crypt->length / 8;
858

859
	if (key_len > max_len)
860
		key_len = max_len;
861

862
	if (cf->method == PDF_CRYPT_AESV3)
863
	{
864
		memcpy(key, crypt->key, key_len);
865
		return key_len;
866
	}
867

868
	fz_md5_init(&md5);
869
	fz_md5_update(&md5, crypt->key, key_len);
870
	message[0] = (num) & 0xFF;
871
	message[1] = (num >> 8) & 0xFF;
872
	message[2] = (num >> 16) & 0xFF;
873
	message[3] = (gen) & 0xFF;
874
	message[4] = (gen >> 8) & 0xFF;
875
	fz_md5_update(&md5, message, 5);
876

877
	if (cf->method == PDF_CRYPT_AESV2)
878
		fz_md5_update(&md5, (unsigned char *)"sAlT", 4);
879

880
	fz_md5_final(&md5, key);
881

882
	if (key_len + 5 > 16)
883
		return 16;
884
	return key_len + 5;
885
}
886

887
/*
888
 * PDF 1.7 algorithm 3.1 and ExtensionLevel 3 algorithm 3.1a
889
 *
890
 * Decrypt all strings in obj modifying the data in-place.
891
 * Recurse through arrays and dictionaries, but do not follow
892
 * indirect references.
893
 */
894

895
static void
896
pdf_crypt_obj_imp(fz_context *ctx, pdf_crypt *crypt, pdf_obj *obj, unsigned char *key, int keylen)
897
{
898
	unsigned char *s;
899
	int i, n;
900

901
	if (pdf_is_indirect(ctx, obj))
902
		return;
903

904
	if (pdf_is_string(ctx, obj))
905
	{
906
		s = (unsigned char *)pdf_to_str_buf(ctx, obj);
907
		n = pdf_to_str_len(ctx, obj);
908

909
		if (crypt->strf.method == PDF_CRYPT_RC4)
910
		{
911
			fz_arc4 arc4;
912
			fz_arc4_init(&arc4, key, keylen);
913
			fz_arc4_encrypt(&arc4, s, s, n);
914
		}
915

916
		if (crypt->strf.method == PDF_CRYPT_AESV2 || crypt->strf.method == PDF_CRYPT_AESV3)
917
		{
918
			if (n == 0)
919
			{
920
				/* Empty strings are permissible */
921
			}
922
			else if (n & 15 || n < 32)
923
				fz_warn(ctx, "invalid string length for aes encryption");
924
			else
925
			{
926
				unsigned char iv[16];
927
				fz_aes aes;
928
				memcpy(iv, s, 16);
929
				if (aes_setkey_dec(&aes, key, keylen * 8))
930
					fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=%d)", keylen * 8);
931
				aes_crypt_cbc(&aes, AES_DECRYPT, n - 16, iv, s + 16, s);
932
				/* delete space used for iv and padding bytes at end */
933
				if (s[n - 17] < 1 || s[n - 17] > 16)
934
					fz_warn(ctx, "aes padding out of range");
935
				else
936
					pdf_set_str_len(ctx, obj, n - 16 - s[n - 17]);
937
			}
938
		}
939
	}
940

941
	else if (pdf_is_array(ctx, obj))
942
	{
943
		n = pdf_array_len(ctx, obj);
944
		for (i = 0; i < n; i++)
945
		{
946
			pdf_crypt_obj_imp(ctx, crypt, pdf_array_get(ctx, obj, i), key, keylen);
947
		}
948
	}
949

950
	else if (pdf_is_dict(ctx, obj))
951
	{
952
		n = pdf_dict_len(ctx, obj);
953
		for (i = 0; i < n; i++)
954
		{
955
			pdf_crypt_obj_imp(ctx, crypt, pdf_dict_get_val(ctx, obj, i), key, keylen);
956
		}
957
	}
958
}
959

960
void
961
pdf_crypt_obj(fz_context *ctx, pdf_crypt *crypt, pdf_obj *obj, int num, int gen)
962
{
963
	unsigned char key[32];
964
	int len;
965

966
	len = pdf_compute_object_key(crypt, &crypt->strf, num, gen, key, 32);
967

968
	pdf_crypt_obj_imp(ctx, crypt, obj, key, len);
969
}
970

971
/*
972
 * PDF 1.7 algorithm 3.1 and ExtensionLevel 3 algorithm 3.1a
973
 *
974
 * Create filter suitable for de/encrypting a stream.
975
 */
976
static fz_stream *
977
pdf_open_crypt_imp(fz_context *ctx, fz_stream *chain, pdf_crypt *crypt, pdf_crypt_filter *stmf, int num, int gen)
978
{
979
	unsigned char key[32];
980
	int len;
981

982
	len = pdf_compute_object_key(crypt, stmf, num, gen, key, 32);
983

984
	if (stmf->method == PDF_CRYPT_RC4)
985
		return fz_open_arc4(ctx, chain, key, len);
986

987
	if (stmf->method == PDF_CRYPT_AESV2 || stmf->method == PDF_CRYPT_AESV3)
988
		return fz_open_aesd(ctx, chain, key, len);
989

990
	return fz_open_copy(ctx, chain);
991
}
992

993
fz_stream *
994
pdf_open_crypt(fz_context *ctx, fz_stream *chain, pdf_crypt *crypt, int num, int gen)
995
{
996
	return pdf_open_crypt_imp(ctx, chain, crypt, &crypt->stmf, num, gen);
997
}
998

999
fz_stream *
1000
pdf_open_crypt_with_filter(fz_context *ctx, fz_stream *chain, pdf_crypt *crypt, pdf_obj *name, int num, int gen)
1001
{
1002
	if (!pdf_name_eq(ctx, name, PDF_NAME_Identity))
1003
	{
1004
		pdf_crypt_filter cf;
1005
		pdf_parse_crypt_filter(ctx, &cf, crypt, name);
1006
		return pdf_open_crypt_imp(ctx, chain, crypt, &cf, num, gen);
1007
	}
1008
	return chain;
1009
}
1010

1011
#ifndef NDEBUG
1012
void pdf_print_crypt(fz_context *ctx, pdf_crypt *crypt)
1013
{
1014
	int i;
1015

1016
	printf("crypt {\n");
1017

1018
	printf("\tv=%d length=%d\n", crypt->v, crypt->length);
1019
	printf("\tstmf method=%d length=%d\n", crypt->stmf.method, crypt->stmf.length);
1020
	printf("\tstrf method=%d length=%d\n", crypt->strf.method, crypt->strf.length);
1021
	printf("\tr=%d\n", crypt->r);
1022

1023
	printf("\to=<");
1024
	for (i = 0; i < 32; i++)
1025
		printf("%02X", crypt->o[i]);
1026
	printf(">\n");
1027

1028
	printf("\tu=<");
1029
	for (i = 0; i < 32; i++)
1030
		printf("%02X", crypt->u[i]);
1031
	printf(">\n");
1032

1033
	printf("}\n");
1034
}
1035
#endif
1036

1037