poppler/Decrypt.cc | 357 ++++++++++++++++++++++++++++++++++++++++++++- poppler/SecurityHandler.cc | 9 - 2 files changed, 358 insertions(+), 8 deletions(-)
New commits: commit 69ffeb71a79b686d5c79d20832c4666c498098e8 Author: Alok Anand <[email protected]> Date: Mon Mar 14 20:18:32 2016 +0100 Add the support for version 5 + revision 6 documents. Bug #85368 diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc index ba44f95..d67cf4e 100644 --- a/poppler/Decrypt.cc +++ b/poppler/Decrypt.cc @@ -19,6 +19,7 @@ // Copyright (C) 2009 David Benjamin <[email protected]> // Copyright (C) 2012 Fabio D'Urso <[email protected]> // Copyright (C) 2013 Adrian Johnson <[email protected]> +// Copyright (C) 2016 Alok Anand <[email protected]> // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -34,6 +35,7 @@ #include <string.h> #include "goo/gmem.h" #include "goo/grandom.h" +#include "goo/gtypes_p.h" #include "Decrypt.h" #include "Error.h" @@ -51,11 +53,15 @@ static void aes256EncryptBlock(DecryptAES256State *s, Guchar *in); static void aes256DecryptBlock(DecryptAES256State *s, Guchar *in, GBool last); static void sha256(Guchar *msg, int msgLen, Guchar *hash); +static void sha384(Guchar *msg, int msgLen, Guchar *hash); +static void sha512(Guchar *msg, int msgLen, Guchar *hash); + +static void revision6Hash(GooString *inputPassword, Guchar *K, char *userKey); static const Guchar passwordPad[32] = { 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, - 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08, - 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80, + 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08, + 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80, 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a }; @@ -80,7 +86,7 @@ GBool Decrypt::makeFileKey(int encVersion, int encRevision, int keyLength, *ownerPasswordOk = gFalse; - if (encRevision == 5) { + if (encRevision == 5 || encRevision == 6) { // check the owner password if (ownerPassword) { @@ -93,6 +99,10 @@ GBool Decrypt::makeFileKey(int encVersion, int encRevision, int keyLength, memcpy(test + len, ownerKey->getCString() + 32, 8); memcpy(test + len + 8, userKey->getCString(), 48); sha256(test, len + 56, test); + if (encRevision == 6) { + //test contains the initial SHA-256 hash as input K. + revision6Hash(ownerPassword, test, userKey->getCString()); + } if (!memcmp(test, ownerKey->getCString(), 32)) { // compute the file key from the owner password @@ -100,6 +110,10 @@ GBool Decrypt::makeFileKey(int encVersion, int encRevision, int keyLength, memcpy(test + len, ownerKey->getCString() + 40, 8); memcpy(test + len + 8, userKey->getCString(), 48); sha256(test, len + 56, test); + if (encRevision == 6) { + //test contains the initial SHA-256 hash input K. + revision6Hash(ownerPassword, test, userKey->getCString()); + } aes256KeyExpansion(&state, test, 32, gTrue); for (i = 0; i < 16; ++i) { state.cbc[i] = 0; @@ -125,12 +139,22 @@ GBool Decrypt::makeFileKey(int encVersion, int encRevision, int keyLength, memcpy(test, userPassword->getCString(), len); memcpy(test + len, userKey->getCString() + 32, 8); sha256(test, len + 8, test); + if(encRevision == 6) { + // test contains the initial SHA-256 hash input K. + // user key is not used in checking user password. + revision6Hash(userPassword, test, NULL); + } if (!memcmp(test, userKey->getCString(), 32)) { // compute the file key from the user password memcpy(test, userPassword->getCString(), len); memcpy(test + len, userKey->getCString() + 40, 8); sha256(test, len + 8, test); + if(encRevision == 6) { + //test contains the initial SHA-256 hash input K. + //user key is not used in computing intermediate user key. + revision6Hash(userPassword, test, NULL); + } aes256KeyExpansion(&state, test, 32, gTrue); for (i = 0; i < 16; ++i) { state.cbc[i] = 0; @@ -141,7 +165,7 @@ GBool Decrypt::makeFileKey(int encVersion, int encRevision, int keyLength, gFalse); memcpy(fileKey + 16, state.buf, 16); - return gTrue; + return gTrue; } } @@ -1415,3 +1439,328 @@ static void sha256(Guchar *msg, int msgLen, Guchar *hash) { hash[i*4 + 3] = (Guchar)H[i]; } } +//------------------------------------------------------------------------ +// SHA-512 hash (see FIPS 180-4) +//------------------------------------------------------------------------ +// SHA 384 and SHA 512 use the same sequence of eighty constant 64 bit words. +static const uint64_t K[80] = { + 0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc, 0x3956c25bf348b538, + 0x59f111f1b605d019, 0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242, 0x12835b0145706fbe, + 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2, 0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235, + 0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3, 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, + 0x2de92c6f592b0275, 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5, 0x983e5152ee66dfab, + 0xa831c66d2db43210, 0xb00327c898fb213f, 0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725, + 0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc, 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, + 0x53380d139d95b3df, 0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6, 0x92722c851482353b, + 0xa2bfe8a14cf10364, 0xa81a664bbc423001, 0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218, + 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8, 0x19a4c116b8d2d0c8, 0x1e376c085141ab53, + 0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb, 0x5b9cca4f7763e373, + 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc, 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec, + 0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915, 0xc67178f2e372532b, 0xca273eceea26619c, + 0xd186b8c721c0c207, 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba, 0x0a637dc5a2c898a6, + 0x113f9804bef90dae, 0x1b710b35131c471b, 0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc, + 0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a, 0x5fcb6fab3ad6faec, 0x6c44198c4a475817 +}; + +static inline uint64_t rotr(uint64_t x, uint64_t n) { + return (x >> n) | (x << (64 - n)); +} +static inline uint64_t rotl(uint64_t x, uint64_t n){ + return (x << n) | (x >> (64 - n)); +} +static inline uint64_t sha512Ch(uint64_t x, uint64_t y, uint64_t z) { + return (x & y) ^ (~x & z); +} +static inline uint64_t sha512Maj(uint64_t x, uint64_t y, uint64_t z) { + return (x & y) ^ (x & z) ^ (y & z); +} +static inline uint64_t sha512Sigma0(uint64_t x) { + return rotr(x, 28) ^ rotr(x, 34) ^ rotr(x, 39); +} +static inline uint64_t sha512Sigma1(uint64_t x) { + return rotr(x, 14) ^ rotr(x, 18) ^ rotr(x, 41); +} +static inline uint64_t sha512sigma0(uint64_t x) { + return rotr(x, 1) ^ rotr(x, 8) ^ (x >> 7); +} +static inline uint64_t sha512sigma1(uint64_t x) { + return rotr(x, 19) ^ rotr(x, 61) ^ (x >> 6); +} + +static void sha512HashBlock(Guchar *blk, uint64_t *H) { + uint64_t W[80]; + uint64_t a, b, c, d, e, f, g, h; + uint64_t T1, T2; + Guint t; + + // 1. prepare the message schedule + for (t = 0; t < 16; ++t) { + W[t] = (((uint64_t)blk[t*8] << 56) | + ((uint64_t)blk[t*8 + 1] << 48) | + ((uint64_t)blk[t*8 + 2] << 40) | + ((uint64_t)blk[t*8 + 3] << 32) | + ((uint64_t)blk[t*8 + 4] << 24) | + ((uint64_t)blk[t*8 + 5] << 16) | + ((uint64_t)blk[t*8 + 6] << 8 ) | + ((uint64_t)blk[t*8 + 7])); + } + for (t = 16; t < 80; ++t) { + W[t] = sha512sigma1(W[t-2]) + W[t-7] + sha512sigma0(W[t-15]) + W[t-16]; + } + + // 2. initialize the eight working variables + a = H[0]; + b = H[1]; + c = H[2]; + d = H[3]; + e = H[4]; + f = H[5]; + g = H[6]; + h = H[7]; + + // 3. + for (t = 0; t < 80; ++t) { + T1 = h + sha512Sigma1(e) + sha512Ch(e,f,g) + K[t] + W[t]; + T2 = sha512Sigma0(a) + sha512Maj(a,b,c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; + } + + // 4. compute the intermediate hash value + H[0] += a; + H[1] += b; + H[2] += c; + H[3] += d; + H[4] += e; + H[5] += f; + H[6] += g; + H[7] += h; +} + +static void sha512(Guchar *msg, int msgLen, Guchar *hash) { + Guchar blk[128]; + uint64_t H[8]; + int blkLen = 0, i; + // setting the initial hash value. + H[0] = 0x6a09e667f3bcc908; + H[1] = 0xbb67ae8584caa73b; + H[2] = 0x3c6ef372fe94f82b; + H[3] = 0xa54ff53a5f1d36f1; + H[4] = 0x510e527fade682d1; + H[5] = 0x9b05688c2b3e6c1f; + H[6] = 0x1f83d9abfb41bd6b; + H[7] = 0x5be0cd19137e2179; + + for (i = 0; i + 128 <= msgLen; i += 128) { + sha512HashBlock(msg + i, H); + } + blkLen = msgLen - i; + if (blkLen > 0) { + memcpy(blk, msg + i, blkLen); + } + + // pad the message + blk[blkLen++] = 0x80; + if (blkLen > 112) { + while (blkLen < 128) { + blk[blkLen++] = 0; + } + sha512HashBlock(blk, H); + blkLen = 0; + } + while (blkLen < 112) { + blk[blkLen++] = 0; + } + blk[112] = 0; + blk[113] = 0; + blk[114] = 0; + blk[115] = 0; + blk[116] = 0; + blk[117] = 0; + blk[118] = 0; + blk[119] = 0; + blk[120] = 0; + blk[121] = 0; + blk[122] = 0; + blk[123] = 0; + blk[124] = (Guchar)(msgLen >> 21); + blk[125] = (Guchar)(msgLen >> 13); + blk[126] = (Guchar)(msgLen >> 5); + blk[127] = (Guchar)(msgLen << 3); + + sha512HashBlock(blk, H); + + // copy the output into the buffer (convert words to bytes) + for (i = 0; i < 8; ++i) { + hash[i*8] = (Guchar)(H[i] >> 56); + hash[i*8 + 1] = (Guchar)(H[i] >> 48); + hash[i*8 + 2] = (Guchar)(H[i] >> 40); + hash[i*8 + 3] = (Guchar)(H[i] >> 32); + hash[i*8 + 4] = (Guchar)(H[i] >> 24); + hash[i*8 + 5] = (Guchar)(H[i] >> 16); + hash[i*8 + 6] = (Guchar)(H[i] >> 8); + hash[i*8 + 7] = (Guchar)H[i]; + } +} + +//------------------------------------------------------------------------ +// SHA-384 (see FIPS 180-4) +//------------------------------------------------------------------------ +//The algorithm is defined in the exact same manner as SHA 512 with 2 exceptions +//1.Initial hash value is different. +//2.A 384 bit message digest is obtained by truncating the final hash value. +static void sha384(Guchar *msg, int msgLen, Guchar *hash) { + Guchar blk[128]; + uint64_t H[8]; + int blkLen, i; +//setting initial hash values + H[0] = 0xcbbb9d5dc1059ed8; + H[1] = 0x629a292a367cd507; + H[2] = 0x9159015a3070dd17; + H[3] = 0x152fecd8f70e5939; + H[4] = 0x67332667ffc00b31; + H[5] = 0x8eb44a8768581511; + H[6] = 0xdb0c2e0d64f98fa7; + H[7] = 0x47b5481dbefa4fa4; +//SHA 384 will use the same sha512HashBlock function. + blkLen = 0; + for (i = 0; i + 128 <= msgLen; i += 128) { + sha512HashBlock(msg + i, H); + } + blkLen = msgLen - i; + if (blkLen > 0) { + memcpy(blk, msg + i, blkLen); + } + + // pad the message + blk[blkLen++] = 0x80; + if (blkLen > 112) { + while (blkLen < 128) { + blk[blkLen++] = 0; + } + sha512HashBlock(blk, H); + blkLen = 0; + } + while (blkLen < 112) { + blk[blkLen++] = 0; + } + blk[112] = 0; + blk[113] = 0; + blk[114] = 0; + blk[115] = 0; + blk[116] = 0; + blk[117] = 0; + blk[118] = 0; + blk[119] = 0; + blk[120] = 0; + blk[121] = 0; + blk[122] = 0; + blk[123] = 0; + blk[124] = (Guchar)(msgLen >> 21); + blk[125] = (Guchar)(msgLen >> 13); + blk[126] = (Guchar)(msgLen >> 5); + blk[127] = (Guchar)(msgLen << 3); + + sha512HashBlock(blk, H); + + // copy the output into the buffer (convert words to bytes) + // hash is truncated to 384 bits. + for (i = 0; i < 6; ++i) { + hash[i*8] = (Guchar)(H[i] >> 56); + hash[i*8 + 1] = (Guchar)(H[i] >> 48); + hash[i*8 + 2] = (Guchar)(H[i] >> 40); + hash[i*8 + 3] = (Guchar)(H[i] >> 32); + hash[i*8 + 4] = (Guchar)(H[i] >> 24); + hash[i*8 + 5] = (Guchar)(H[i] >> 16); + hash[i*8 + 6] = (Guchar)(H[i] >> 8); + hash[i*8 + 7] = (Guchar)H[i]; + } +} + +//------------------------------------------------------------------------ +// Section 7.6.3.3 (Encryption Key algorithm) of ISO/DIS 32000-2 +// Algorithm 2.B:Computing a hash (for revision 6). +//------------------------------------------------------------------------ +static void revision6Hash(GooString *inputPassword, Guchar *K, char *userKey) { + Guchar K1[64*(127+64+48)]; + Guchar E[64*(127+64+48)]; + DecryptAESState state; + Guchar aesKey[16]; + Guchar BE16byteNumber[16]; + + int inputPasswordLength = inputPassword->getLength(); + int KLength = 32; + int userKeyLength = 0; + if (userKey) { + userKeyLength = 48; + } + int sequenceLength; + int totalLength; + int rounds = 0; + + while(rounds < 64 || rounds < E[totalLength-1] + 32 ) { + sequenceLength = inputPasswordLength + KLength + userKeyLength; + totalLength = 64 * sequenceLength; + //a.make the string K1 + memcpy(K1, inputPassword, inputPasswordLength); + memcpy(K1 + inputPasswordLength, K , KLength); + memcpy(K1 + inputPasswordLength + KLength, userKey, userKeyLength); + for(int i = 1; i < 64 ; ++i) { + memcpy(K1 + (i * sequenceLength),K1,sequenceLength); + } + //b.Encrypt K1 + memcpy(aesKey,K,16); + memcpy(state.cbc,K + 16,16); + memcpy(state.buf, state.cbc, 16); // Copy CBC IV to buf + state.bufIdx = 0; + state.paddingReached = gFalse; + aesKeyExpansion(&state,aesKey,16,gFalse); + + for(int i = 0; i < (4 * sequenceLength); i++) { + aesEncryptBlock(&state,K1 + (16 * i)); + memcpy(E +(16 * i),state.buf,16); + } + memcpy(BE16byteNumber,E,16); + //c.Taking the first 16 Bytes of E as unsigned big-endian integer, + //compute the remainder,modulo 3. + uint64_t N1 = 0,N2 = 0,N3 = 0; + // N1 contains first 8 bytes of BE16byteNumber + N1 = ((uint64_t)BE16byteNumber[0] << 56 | (uint64_t)BE16byteNumber[1] << 48 + |(uint64_t)BE16byteNumber[2] << 40 | (uint64_t)BE16byteNumber[3] << 32 + |(uint64_t)BE16byteNumber[4] << 24 | (uint64_t)BE16byteNumber[5] << 16 + |(uint64_t)BE16byteNumber[6] << 8 | (uint64_t)BE16byteNumber[7] ); + uint64_t rem = N1 % 3 ; + // N2 conatains 0s in higer 4 bytes and 9th to 12 th bytes of BE16byteNumber in lower 4 bytes. + N2 = ((uint64_t)BE16byteNumber[8] << 24 | (uint64_t)BE16byteNumber[9] << 16 + |(uint64_t)BE16byteNumber[10] << 8 | (uint64_t)BE16byteNumber[11] ); + rem = ((rem << 32 ) | N2) % 3 ; + // N3 conatains 0s in higer 4 bytes and 13th to 16th bytes of BE16byteNumber in lower 4 bytes. + N3 = ((uint64_t)BE16byteNumber[12] << 24 | (uint64_t)BE16byteNumber[13] << 16 + |(uint64_t)BE16byteNumber[14] << 8 | (uint64_t)BE16byteNumber[15] ); + rem = ((rem << 32 ) | N3) % 3 ; + + //d.If remainder is 0 perform SHA-256 + if(rem == 0) { + KLength = 32; + sha256(E, totalLength, K); + } + // remainder is 1 perform SHA-384 + else if(rem == 1) { + KLength = 48; + sha384(E, totalLength, K); + } + // remainder is 2 perform SHA-512 + else if(rem == 2) { + KLength = 64; + sha512(E, totalLength, K); + } + rounds++; + } + // the first 32 bytes of the final K are the output of the function. +} diff --git a/poppler/SecurityHandler.cc b/poppler/SecurityHandler.cc old mode 100644 new mode 100755 index 63d8b4e..9e0546e --- a/poppler/SecurityHandler.cc +++ b/poppler/SecurityHandler.cc @@ -16,6 +16,7 @@ // Copyright (C) 2010, 2012, 2015 Albert Astals Cid <[email protected]> // Copyright (C) 2013 Adrian Johnson <[email protected]> // Copyright (C) 2014 Fabio D'Urso <[email protected]> +// Copyright (C) 2016 Alok Anand <[email protected]> // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -186,7 +187,7 @@ StandardSecurityHandler::StandardSecurityHandler(PDFDoc *docA, if ((encRevision <= 4 && ownerKeyObj.getString()->getLength() == 32 && userKeyObj.getString()->getLength() == 32) || - (encRevision == 5 && + ((encRevision == 5 || encRevision == 6) && // the spec says 48 bytes, but Acrobat pads them out longer ownerKeyObj.getString()->getLength() >= 48 && userKeyObj.getString()->getLength() >= 48 && @@ -208,7 +209,7 @@ StandardSecurityHandler::StandardSecurityHandler(PDFDoc *docA, //~ doesn't handle the case where StmF, StrF, and EFF are not all the //~ same) if ((encVersion == 4 || encVersion == 5) && - (encRevision == 4 || encRevision == 5)) { + (encRevision == 4 || encRevision == 5 || encRevision == 6)) { encryptDictA->dictLookup("CF", &cryptFiltersObj); encryptDictA->dictLookup("StmF", &streamFilterObj); encryptDictA->dictLookup("StrF", &stringFilterObj); @@ -244,7 +245,7 @@ StandardSecurityHandler::StandardSecurityHandler(PDFDoc *docA, cfLengthObj.free(); } else if (cfmObj.isName("AESV3")) { encVersion = 5; - encRevision = 5; + // let encRevision be 5 or 6 encAlgorithm = cryptAES256; if (cryptFilterObj.dictLookup("Length", &cfLengthObj)->isInt()) { @@ -286,7 +287,7 @@ StandardSecurityHandler::StandardSecurityHandler(PDFDoc *docA, fileKeyLength = 16; } ok = gTrue; - } else if (encVersion == 5 && encRevision == 5) { + } else if (encVersion == 5 && (encRevision == 5 || encRevision == 6)) { fileID = new GooString(); // unused for V=R=5 if (ownerEncObj.isString() && userEncObj.isString()) { ownerEnc = ownerEncObj.getString()->copy(); _______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
