12 typedef struct pdf_crypt_filter_s pdf_crypt_filter;
14 struct pdf_crypt_filter_s
27 pdf_crypt_filter stmf;
28 pdf_crypt_filter strf;
38 unsigned char key[32]; /* decryption key generated from password */
41 static void pdf_parse_crypt_filter(fz_context *ctx, pdf_crypt_filter *cf, pdf_crypt *crypt, char *name);
44 * Create crypt object for decrypting strings and streams
45 * given the Encryption and ID objects.
49 pdf_new_crypt(fz_context *ctx, pdf_obj *dict, pdf_obj *id)
54 crypt = fz_malloc_struct(ctx, pdf_crypt);
56 /* Common to all security handlers (PDF 1.7 table 3.18) */
58 obj = pdf_dict_gets(dict, "Filter");
59 if (!pdf_is_name(obj))
61 pdf_free_crypt(ctx, crypt);
62 fz_throw(ctx, FZ_ERROR_GENERIC, "unspecified encryption handler");
64 if (strcmp(pdf_to_name(obj), "Standard") != 0)
66 pdf_free_crypt(ctx, crypt);
67 fz_throw(ctx, FZ_ERROR_GENERIC, "unknown encryption handler: '%s'", pdf_to_name(obj));
71 obj = pdf_dict_gets(dict, "V");
73 crypt->v = pdf_to_int(obj);
74 if (crypt->v != 1 && crypt->v != 2 && crypt->v != 4 && crypt->v != 5)
76 pdf_free_crypt(ctx, crypt);
77 fz_throw(ctx, FZ_ERROR_GENERIC, "unknown encryption version");
80 /* Standard security handler (PDF 1.7 table 3.19) */
82 obj = pdf_dict_gets(dict, "R");
84 crypt->r = pdf_to_int(obj);
85 else if (crypt->v <= 4)
87 fz_warn(ctx, "encryption dictionary missing revision value, guessing...");
90 else if (crypt->v == 2)
92 else if (crypt->v == 4)
97 pdf_free_crypt(ctx, crypt);
98 fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing version and revision value");
100 if (crypt->r < 1 || crypt->r > 6)
103 pdf_free_crypt(ctx, crypt);
104 fz_throw(ctx, FZ_ERROR_GENERIC, "unknown crypt revision %d", r);
107 obj = pdf_dict_gets(dict, "O");
108 if (pdf_is_string(obj) && pdf_to_str_len(obj) == 32)
109 memcpy(crypt->o, pdf_to_str_buf(obj), 32);
110 /* /O and /U are supposed to be 48 bytes long for revision 5 and 6, they're often longer, though */
111 else if (crypt->r >= 5 && pdf_is_string(obj) && pdf_to_str_len(obj) >= 48)
112 memcpy(crypt->o, pdf_to_str_buf(obj), 48);
115 pdf_free_crypt(ctx, crypt);
116 fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing owner password");
119 obj = pdf_dict_gets(dict, "U");
120 if (pdf_is_string(obj) && pdf_to_str_len(obj) == 32)
121 memcpy(crypt->u, pdf_to_str_buf(obj), 32);
122 /* /O and /U are supposed to be 48 bytes long for revision 5 and 6, they're often longer, though */
123 else if (crypt->r >= 5 && pdf_is_string(obj) && pdf_to_str_len(obj) >= 48)
124 memcpy(crypt->u, pdf_to_str_buf(obj), 48);
125 else if (pdf_is_string(obj) && pdf_to_str_len(obj) < 32)
127 fz_warn(ctx, "encryption password key too short (%d)", pdf_to_str_len(obj));
128 memcpy(crypt->u, pdf_to_str_buf(obj), pdf_to_str_len(obj));
132 pdf_free_crypt(ctx, crypt);
133 fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing user password");
136 obj = pdf_dict_gets(dict, "P");
138 crypt->p = pdf_to_int(obj);
141 fz_warn(ctx, "encryption dictionary missing permissions");
142 crypt->p = 0xfffffffc;
145 if (crypt->r == 5 || crypt->r == 6)
147 obj = pdf_dict_gets(dict, "OE");
148 if (!pdf_is_string(obj) || pdf_to_str_len(obj) != 32)
150 pdf_free_crypt(ctx, crypt);
151 fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing owner encryption key");
153 memcpy(crypt->oe, pdf_to_str_buf(obj), 32);
155 obj = pdf_dict_gets(dict, "UE");
156 if (!pdf_is_string(obj) || pdf_to_str_len(obj) != 32)
158 pdf_free_crypt(ctx, crypt);
159 fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing user encryption key");
161 memcpy(crypt->ue, pdf_to_str_buf(obj), 32);
164 crypt->encrypt_metadata = 1;
165 obj = pdf_dict_gets(dict, "EncryptMetadata");
166 if (pdf_is_bool(obj))
167 crypt->encrypt_metadata = pdf_to_bool(obj);
169 /* Extract file identifier string */
171 if (pdf_is_array(id) && pdf_array_len(id) == 2)
173 obj = pdf_array_get(id, 0);
174 if (pdf_is_string(obj))
175 crypt->id = pdf_keep_obj(obj);
178 fz_warn(ctx, "missing file identifier, may not be able to do decryption");
180 /* Determine encryption key length */
183 if (crypt->v == 2 || crypt->v == 4)
185 obj = pdf_dict_gets(dict, "Length");
187 crypt->length = pdf_to_int(obj);
189 /* work-around for pdf generators that assume length is in bytes */
190 if (crypt->length < 40)
191 crypt->length = crypt->length * 8;
193 if (crypt->length % 8 != 0)
195 pdf_free_crypt(ctx, crypt);
196 fz_throw(ctx, FZ_ERROR_GENERIC, "invalid encryption key length");
198 if (crypt->length < 40 || crypt->length > 128)
200 pdf_free_crypt(ctx, crypt);
201 fz_throw(ctx, FZ_ERROR_GENERIC, "invalid encryption key length");
208 if (crypt->v == 1 || crypt->v == 2)
210 crypt->stmf.method = PDF_CRYPT_RC4;
211 crypt->stmf.length = crypt->length;
213 crypt->strf.method = PDF_CRYPT_RC4;
214 crypt->strf.length = crypt->length;
217 if (crypt->v == 4 || crypt->v == 5)
219 crypt->stmf.method = PDF_CRYPT_NONE;
220 crypt->stmf.length = crypt->length;
222 crypt->strf.method = PDF_CRYPT_NONE;
223 crypt->strf.length = crypt->length;
225 obj = pdf_dict_gets(dict, "CF");
226 if (pdf_is_dict(obj))
228 crypt->cf = pdf_keep_obj(obj);
237 obj = pdf_dict_gets(dict, "StmF");
238 if (pdf_is_name(obj))
239 pdf_parse_crypt_filter(ctx, &crypt->stmf, crypt, pdf_to_name(obj));
241 obj = pdf_dict_gets(dict, "StrF");
242 if (pdf_is_name(obj))
243 pdf_parse_crypt_filter(ctx, &crypt->strf, crypt, pdf_to_name(obj));
247 pdf_free_crypt(ctx, crypt);
248 fz_rethrow_message(ctx, "cannot parse string crypt filter (%d %d R)", pdf_to_num(obj), pdf_to_gen(obj));
251 /* in crypt revision 4, the crypt filter determines the key length */
252 if (crypt->strf.method != PDF_CRYPT_NONE)
253 crypt->length = crypt->stmf.length;
260 pdf_free_crypt(fz_context *ctx, pdf_crypt *crypt)
262 pdf_drop_obj(crypt->id);
263 pdf_drop_obj(crypt->cf);
268 * Parse a CF dictionary entry (PDF 1.7 table 3.22)
272 pdf_parse_crypt_filter(fz_context *ctx, pdf_crypt_filter *cf, pdf_crypt *crypt, char *name)
276 int is_identity = (strcmp(name, "Identity") == 0);
277 int is_stdcf = (!is_identity && (strcmp(name, "StdCF") == 0));
279 if (!is_identity && !is_stdcf)
280 fz_throw(ctx, FZ_ERROR_GENERIC, "Crypt Filter not Identity or StdCF (%d %d R)", pdf_to_num(crypt->cf), pdf_to_gen(crypt->cf));
282 cf->method = PDF_CRYPT_NONE;
283 cf->length = crypt->length;
287 cf->method = (is_identity ? PDF_CRYPT_NONE : PDF_CRYPT_RC4);
291 dict = pdf_dict_gets(crypt->cf, name);
292 if (!pdf_is_dict(dict))
293 fz_throw(ctx, FZ_ERROR_GENERIC, "cannot parse crypt filter (%d %d R)", pdf_to_num(crypt->cf), pdf_to_gen(crypt->cf));
295 obj = pdf_dict_gets(dict, "CFM");
296 if (pdf_is_name(obj))
298 if (!strcmp(pdf_to_name(obj), "None"))
299 cf->method = PDF_CRYPT_NONE;
300 else if (!strcmp(pdf_to_name(obj), "V2"))
301 cf->method = PDF_CRYPT_RC4;
302 else if (!strcmp(pdf_to_name(obj), "AESV2"))
303 cf->method = PDF_CRYPT_AESV2;
304 else if (!strcmp(pdf_to_name(obj), "AESV3"))
305 cf->method = PDF_CRYPT_AESV3;
307 fz_warn(ctx, "unknown encryption method: %s", pdf_to_name(obj));
310 obj = pdf_dict_gets(dict, "Length");
312 cf->length = pdf_to_int(obj);
314 /* the length for crypt filters is supposed to be in bytes not bits */
316 cf->length = cf->length * 8;
318 if ((cf->length % 8) != 0)
319 fz_throw(ctx, FZ_ERROR_GENERIC, "invalid key length: %d", cf->length);
321 if ((crypt->r == 1 || crypt->r == 2 || crypt->r == 3 || crypt->r == 4) &&
322 (cf->length < 0 || cf->length > 128))
323 fz_throw(ctx, FZ_ERROR_GENERIC, "invalid key length: %d", cf->length);
324 if ((crypt->r == 5 || crypt->r == 6) && cf->length != 256)
325 fz_throw(ctx, FZ_ERROR_GENERIC, "invalid key length: %d", cf->length);
329 * Compute an encryption key (PDF 1.7 algorithm 3.2)
332 static const unsigned char padding[32] =
334 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41,
335 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08,
336 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80,
337 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a
341 pdf_compute_encryption_key(pdf_crypt *crypt, unsigned char *password, int pwlen, unsigned char *key)
343 unsigned char buf[32];
348 n = crypt->length / 8;
350 /* Step 1 - copy and pad password string */
353 memcpy(buf, password, pwlen);
354 memcpy(buf + pwlen, padding, 32 - pwlen);
356 /* Step 2 - init md5 and pass value of step 1 */
358 fz_md5_update(&md5, buf, 32);
360 /* Step 3 - pass O value */
361 fz_md5_update(&md5, crypt->o, 32);
363 /* Step 4 - pass P value as unsigned int, low-order byte first */
364 p = (unsigned int) crypt->p;
366 buf[1] = (p >> 8) & 0xFF;
367 buf[2] = (p >> 16) & 0xFF;
368 buf[3] = (p >> 24) & 0xFF;
369 fz_md5_update(&md5, buf, 4);
371 /* Step 5 - pass first element of ID array */
372 fz_md5_update(&md5, (unsigned char *)pdf_to_str_buf(crypt->id), pdf_to_str_len(crypt->id));
374 /* Step 6 (revision 4 or greater) - if metadata is not encrypted pass 0xFFFFFFFF */
377 if (!crypt->encrypt_metadata)
383 fz_md5_update(&md5, buf, 4);
387 /* Step 7 - finish the hash */
388 fz_md5_final(&md5, buf);
390 /* Step 8 (revision 3 or greater) - do some voodoo 50 times */
393 for (i = 0; i < 50; i++)
396 fz_md5_update(&md5, buf, n);
397 fz_md5_final(&md5, buf);
401 /* Step 9 - the key is the first 'n' bytes of the result */
406 * Compute an encryption key (PDF 1.7 ExtensionLevel 3 algorithm 3.2a)
410 pdf_compute_encryption_key_r5(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, int pwlen, int ownerkey, unsigned char *validationkey)
412 unsigned char buffer[128 + 8 + 48];
416 /* Step 2 - truncate UTF-8 password to 127 characters */
421 /* Step 3/4 - test password against owner/user key and compute encryption key */
423 memcpy(buffer, password, pwlen);
426 memcpy(buffer + pwlen, crypt->o + 32, 8);
427 memcpy(buffer + pwlen + 8, crypt->u, 48);
430 memcpy(buffer + pwlen, crypt->u + 32, 8);
432 fz_sha256_init(&sha256);
433 fz_sha256_update(&sha256, buffer, pwlen + 8 + (ownerkey ? 48 : 0));
434 fz_sha256_final(&sha256, validationkey);
436 /* Step 3.5/4.5 - compute file encryption key from OE/UE */
438 memcpy(buffer + pwlen, crypt->u + 40, 8);
440 fz_sha256_init(&sha256);
441 fz_sha256_update(&sha256, buffer, pwlen + 8);
442 fz_sha256_final(&sha256, buffer);
444 /* clear password buffer and use it as iv */
445 memset(buffer + 32, 0, sizeof(buffer) - 32);
446 if (aes_setkey_dec(&aes, buffer, crypt->length))
447 fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=%d)", crypt->length);
448 aes_crypt_cbc(&aes, AES_DECRYPT, 32, buffer + 32, ownerkey ? crypt->oe : crypt->ue, crypt->key);
452 * Compute an encryption key (PDF 1.7 ExtensionLevel 8 algorithm)
454 * Adobe has not yet released the details, so the algorithm reference is:
455 * http://esec-lab.sogeti.com/post/The-undocumented-password-validation-algorithm-of-Adobe-Reader-X
459 pdf_compute_hardened_hash_r6(fz_context *ctx, unsigned char *password, int pwlen, unsigned char salt[16], unsigned char *ownerkey, unsigned char hash[32])
461 unsigned char data[(128 + 64 + 48) * 64];
462 unsigned char block[64];
472 /* Step 1: calculate initial data block */
473 fz_sha256_init(&sha256);
474 fz_sha256_update(&sha256, password, pwlen);
475 fz_sha256_update(&sha256, salt, 8);
477 fz_sha256_update(&sha256, ownerkey, 48);
478 fz_sha256_final(&sha256, block);
480 for (i = 0; i < 64 || i < data[data_len * 64 - 1] + 32; i++)
482 /* Step 2: repeat password and data block 64 times */
483 memcpy(data, password, pwlen);
484 memcpy(data + pwlen, block, block_size);
486 memcpy(data + pwlen + block_size, ownerkey, 48);
487 data_len = pwlen + block_size + (ownerkey ? 48 : 0);
488 for (j = 1; j < 64; j++)
489 memcpy(data + j * data_len, data, data_len);
491 /* Step 3: encrypt data using data block as key and iv */
492 if (aes_setkey_enc(&aes, block, 128))
493 fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=%d)", 128);
494 aes_crypt_cbc(&aes, AES_ENCRYPT, data_len * 64, block + 16, data, data);
496 /* Step 4: determine SHA-2 hash size for this round */
497 for (j = 0, sum = 0; j < 16; j++)
500 /* Step 5: calculate data block for next round */
501 block_size = 32 + (sum % 3) * 16;
505 fz_sha256_init(&sha256);
506 fz_sha256_update(&sha256, data, data_len * 64);
507 fz_sha256_final(&sha256, block);
510 fz_sha384_init(&sha384);
511 fz_sha384_update(&sha384, data, data_len * 64);
512 fz_sha384_final(&sha384, block);
515 fz_sha512_init(&sha512);
516 fz_sha512_update(&sha512, data, data_len * 64);
517 fz_sha512_final(&sha512, block);
522 memset(data, 0, sizeof(data));
523 memcpy(hash, block, 32);
527 pdf_compute_encryption_key_r6(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, int pwlen, int ownerkey, unsigned char *validationkey)
529 unsigned char hash[32];
530 unsigned char iv[16];
536 pdf_compute_hardened_hash_r6(ctx, password, pwlen,
537 (ownerkey ? crypt->o : crypt->u) + 32,
538 ownerkey ? crypt->u : NULL, validationkey);
539 pdf_compute_hardened_hash_r6(ctx, password, pwlen,
540 crypt->u + 40, NULL, hash);
542 memset(iv, 0, sizeof(iv));
543 if (aes_setkey_dec(&aes, hash, 256))
544 fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=256)");
545 aes_crypt_cbc(&aes, AES_DECRYPT, 32, iv,
546 ownerkey ? crypt->oe : crypt->ue, crypt->key);
550 * Computing the user password (PDF 1.7 algorithm 3.4 and 3.5)
551 * Also save the generated key for decrypting objects and streams in crypt->key.
555 pdf_compute_user_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, int pwlen, unsigned char *output)
561 pdf_compute_encryption_key(crypt, password, pwlen, crypt->key);
562 fz_arc4_init(&arc4, crypt->key, crypt->length / 8);
563 fz_arc4_encrypt(&arc4, output, padding, 32);
566 if (crypt->r == 3 || crypt->r == 4)
568 unsigned char xor[32];
569 unsigned char digest[16];
574 n = crypt->length / 8;
576 pdf_compute_encryption_key(crypt, password, pwlen, crypt->key);
579 fz_md5_update(&md5, padding, 32);
580 fz_md5_update(&md5, (unsigned char*)pdf_to_str_buf(crypt->id), pdf_to_str_len(crypt->id));
581 fz_md5_final(&md5, digest);
583 fz_arc4_init(&arc4, crypt->key, n);
584 fz_arc4_encrypt(&arc4, output, digest, 16);
586 for (x = 1; x <= 19; x++)
588 for (i = 0; i < n; i++)
589 xor[i] = crypt->key[i] ^ x;
590 fz_arc4_init(&arc4, xor, n);
591 fz_arc4_encrypt(&arc4, output, output, 16);
594 memcpy(output + 16, padding, 16);
599 pdf_compute_encryption_key_r5(ctx, crypt, password, pwlen, 0, output);
604 pdf_compute_encryption_key_r6(ctx, crypt, password, pwlen, 0, output);
609 * Authenticating the user password (PDF 1.7 algorithm 3.6
610 * and ExtensionLevel 3 algorithm 3.11)
611 * This also has the side effect of saving a key generated
612 * from the password for decrypting objects and streams.
616 pdf_authenticate_user_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *password, int pwlen)
618 unsigned char output[32];
619 pdf_compute_user_password(ctx, crypt, password, pwlen, output);
620 if (crypt->r == 2 || crypt->r == 5 || crypt->r == 6)
621 return memcmp(output, crypt->u, 32) == 0;
622 if (crypt->r == 3 || crypt->r == 4)
623 return memcmp(output, crypt->u, 16) == 0;
628 * Authenticating the owner password (PDF 1.7 algorithm 3.7
629 * and ExtensionLevel 3 algorithm 3.12)
630 * Generates the user password from the owner password
631 * and calls pdf_authenticate_user_password.
635 pdf_authenticate_owner_password(fz_context *ctx, pdf_crypt *crypt, unsigned char *ownerpass, int pwlen)
637 unsigned char pwbuf[32];
638 unsigned char key[32];
639 unsigned char xor[32];
640 unsigned char userpass[32];
647 /* PDF 1.7 ExtensionLevel 3 algorithm 3.12 */
648 pdf_compute_encryption_key_r5(ctx, crypt, ownerpass, pwlen, 1, key);
649 return !memcmp(key, crypt->o, 32);
651 else if (crypt->r == 6)
653 /* PDF 1.7 ExtensionLevel 8 algorithm */
654 pdf_compute_encryption_key_r6(ctx, crypt, ownerpass, pwlen, 1, key);
655 return !memcmp(key, crypt->o, 32);
658 n = crypt->length / 8;
660 /* Step 1 -- steps 1 to 4 of PDF 1.7 algorithm 3.3 */
662 /* copy and pad password string */
665 memcpy(pwbuf, ownerpass, pwlen);
666 memcpy(pwbuf + pwlen, padding, 32 - pwlen);
668 /* take md5 hash of padded password */
670 fz_md5_update(&md5, pwbuf, 32);
671 fz_md5_final(&md5, key);
673 /* do some voodoo 50 times (Revision 3 or greater) */
676 for (i = 0; i < 50; i++)
679 fz_md5_update(&md5, key, 16);
680 fz_md5_final(&md5, key);
684 /* Step 2 (Revision 2) */
687 fz_arc4_init(&arc4, key, n);
688 fz_arc4_encrypt(&arc4, userpass, crypt->o, 32);
691 /* Step 2 (Revision 3 or greater) */
694 memcpy(userpass, crypt->o, 32);
695 for (x = 0; x < 20; x++)
697 for (i = 0; i < n; i++)
698 xor[i] = key[i] ^ (19 - x);
699 fz_arc4_init(&arc4, xor, n);
700 fz_arc4_encrypt(&arc4, userpass, userpass, 32);
704 return pdf_authenticate_user_password(ctx, crypt, userpass, 32);
707 static void pdf_docenc_from_utf8(char *password, const char *utf8, int n)
710 while (*utf8 && i + 1 < n)
712 utf8 += fz_chartorune(&c, utf8);
713 for (k = 0; k < 256; k++)
715 if (c == pdf_doc_encoding[k])
721 /* FIXME: drop characters that can't be encoded or return an error? */
726 static void pdf_saslprep_from_utf8(char *password, const char *utf8, int n)
728 /* TODO: stringprep with SALSprep profile */
729 fz_strlcpy(password, utf8, n);
733 pdf_authenticate_password(pdf_document *doc, const char *pwd_utf8)
742 if (doc->crypt->r <= 4)
743 pdf_docenc_from_utf8(password, pwd_utf8, sizeof password);
745 pdf_saslprep_from_utf8(password, pwd_utf8, sizeof password);
748 if (pdf_authenticate_user_password(doc->ctx, doc->crypt, (unsigned char *)password, strlen(password)))
750 if (pdf_authenticate_owner_password(doc->ctx, doc->crypt, (unsigned char *)password, strlen(password)))
758 pdf_needs_password(pdf_document *doc)
762 if (pdf_authenticate_password(doc, ""))
768 pdf_has_permission(pdf_document *doc, int p)
772 return doc->crypt->p & p;
776 pdf_crypt_key(pdf_document *doc)
779 return doc->crypt->key;
784 pdf_crypt_version(pdf_document *doc)
787 return doc->crypt->v;
791 int pdf_crypt_revision(pdf_document *doc)
794 return doc->crypt->r;
799 pdf_crypt_method(pdf_document *doc)
803 switch (doc->crypt->strf.method)
805 case PDF_CRYPT_NONE: return "None";
806 case PDF_CRYPT_RC4: return "RC4";
807 case PDF_CRYPT_AESV2: return "AES";
808 case PDF_CRYPT_AESV3: return "AES";
809 case PDF_CRYPT_UNKNOWN: return "Unknown";
816 pdf_crypt_length(pdf_document *doc)
819 return doc->crypt->length;
824 * PDF 1.7 algorithm 3.1 and ExtensionLevel 3 algorithm 3.1a
826 * Using the global encryption key that was generated from the
827 * password, create a new key that is used to decrypt individual
828 * objects and streams. This key is based on the object and
829 * generation numbers.
833 pdf_compute_object_key(pdf_crypt *crypt, pdf_crypt_filter *cf, int num, int gen, unsigned char *key, int max_len)
836 unsigned char message[5];
837 int key_len = crypt->length / 8;
839 if (key_len > max_len)
842 if (cf->method == PDF_CRYPT_AESV3)
844 memcpy(key, crypt->key, key_len);
849 fz_md5_update(&md5, crypt->key, key_len);
850 message[0] = (num) & 0xFF;
851 message[1] = (num >> 8) & 0xFF;
852 message[2] = (num >> 16) & 0xFF;
853 message[3] = (gen) & 0xFF;
854 message[4] = (gen >> 8) & 0xFF;
855 fz_md5_update(&md5, message, 5);
857 if (cf->method == PDF_CRYPT_AESV2)
858 fz_md5_update(&md5, (unsigned char *)"sAlT", 4);
860 fz_md5_final(&md5, key);
862 if (key_len + 5 > 16)
868 * PDF 1.7 algorithm 3.1 and ExtensionLevel 3 algorithm 3.1a
870 * Decrypt all strings in obj modifying the data in-place.
871 * Recurse through arrays and dictionaries, but do not follow
872 * indirect references.
876 pdf_crypt_obj_imp(fz_context *ctx, pdf_crypt *crypt, pdf_obj *obj, unsigned char *key, int keylen)
881 if (pdf_is_indirect(obj))
884 if (pdf_is_string(obj))
886 s = (unsigned char *)pdf_to_str_buf(obj);
887 n = pdf_to_str_len(obj);
889 if (crypt->strf.method == PDF_CRYPT_RC4)
892 fz_arc4_init(&arc4, key, keylen);
893 fz_arc4_encrypt(&arc4, s, s, n);
896 if (crypt->strf.method == PDF_CRYPT_AESV2 || crypt->strf.method == PDF_CRYPT_AESV3)
900 /* Empty strings are permissible */
902 else if (n & 15 || n < 32)
903 fz_warn(ctx, "invalid string length for aes encryption");
906 unsigned char iv[16];
909 if (aes_setkey_dec(&aes, key, keylen * 8))
910 fz_throw(ctx, FZ_ERROR_GENERIC, "AES key init failed (keylen=%d)", keylen * 8);
911 aes_crypt_cbc(&aes, AES_DECRYPT, n - 16, iv, s + 16, s);
912 /* delete space used for iv and padding bytes at end */
913 if (s[n - 17] < 1 || s[n - 17] > 16)
914 fz_warn(ctx, "aes padding out of range");
916 pdf_set_str_len(obj, n - 16 - s[n - 17]);
921 else if (pdf_is_array(obj))
923 n = pdf_array_len(obj);
924 for (i = 0; i < n; i++)
926 pdf_crypt_obj_imp(ctx, crypt, pdf_array_get(obj, i), key, keylen);
930 else if (pdf_is_dict(obj))
932 n = pdf_dict_len(obj);
933 for (i = 0; i < n; i++)
935 pdf_crypt_obj_imp(ctx, crypt, pdf_dict_get_val(obj, i), key, keylen);
941 pdf_crypt_obj(fz_context *ctx, pdf_crypt *crypt, pdf_obj *obj, int num, int gen)
943 unsigned char key[32];
946 len = pdf_compute_object_key(crypt, &crypt->strf, num, gen, key, 32);
948 pdf_crypt_obj_imp(ctx, crypt, obj, key, len);
952 * PDF 1.7 algorithm 3.1 and ExtensionLevel 3 algorithm 3.1a
954 * Create filter suitable for de/encrypting a stream.
957 pdf_open_crypt_imp(fz_stream *chain, pdf_crypt *crypt, pdf_crypt_filter *stmf, int num, int gen)
959 unsigned char key[32];
962 len = pdf_compute_object_key(crypt, stmf, num, gen, key, 32);
964 if (stmf->method == PDF_CRYPT_RC4)
965 return fz_open_arc4(chain, key, len);
967 if (stmf->method == PDF_CRYPT_AESV2 || stmf->method == PDF_CRYPT_AESV3)
968 return fz_open_aesd(chain, key, len);
970 return fz_open_copy(chain);
974 pdf_open_crypt(fz_stream *chain, pdf_crypt *crypt, int num, int gen)
976 return pdf_open_crypt_imp(chain, crypt, &crypt->stmf, num, gen);
980 pdf_open_crypt_with_filter(fz_stream *chain, pdf_crypt *crypt, char *name, int num, int gen)
982 if (strcmp(name, "Identity"))
985 pdf_parse_crypt_filter(chain->ctx, &cf, crypt, name);
986 return pdf_open_crypt_imp(chain, crypt, &cf, num, gen);
992 void pdf_print_crypt(pdf_crypt *crypt)
998 printf("\tv=%d length=%d\n", crypt->v, crypt->length);
999 printf("\tstmf method=%d length=%d\n", crypt->stmf.method, crypt->stmf.length);
1000 printf("\tstrf method=%d length=%d\n", crypt->strf.method, crypt->strf.length);
1001 printf("\tr=%d\n", crypt->r);
1004 for (i = 0; i < 32; i++)
1005 printf("%02X", crypt->o[i]);
1009 for (i = 0; i < 32; i++)
1010 printf("%02X", crypt->u[i]);