[poppler] [PATCHv2 3/4] Added SHA-384 and SHA-512 hash functions.
Alok Anand
alok4nand at gmail.com
Thu Mar 10 18:34:19 UTC 2016
Section 7.6.3 (Standard security handler) of ISO/DIS 32000-2 describes an Algorithm 2.B in
subsection 7.6.3.3 (Encryption key algorithm).Algorithm 2.B computes hash for documents
with version 5 + revision 6 which is used to check passwords and compute intermediate keys.
It uses SHA-256(already supported in Decrypt.cc) SHA-384 and SHA-512.This commits adds
needed SHA-384 and SHA-512 for Algortihm 2B implementation.
---
poppler/Decrypt.cc | 254 +++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 249 insertions(+), 5 deletions(-)
diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
index ba44f95..affd1d6 100644
--- a/poppler/Decrypt.cc
+++ b/poppler/Decrypt.cc
@@ -51,11 +51,13 @@ static void aes256EncryptBlock(DecryptAES256State *s, Guchar *in);
static void aes256DecryptBlock(DecryptAES256State *s, Guchar *in, GBool last);
static void sha256(Guchar *msg, int msgLen, Guchar *hash);
+static void sha384(Guchar *msg, int msgLen, Guchar *hash);
+static void sha512(Guchar *msg, int msgLen, Guchar *hash);
static const Guchar passwordPad[32] = {
0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41,
- 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08,
- 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80,
+ 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08,
+ 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80,
0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a
};
@@ -100,7 +102,7 @@ GBool Decrypt::makeFileKey(int encVersion, int encRevision, int keyLength,
memcpy(test + len, ownerKey->getCString() + 40, 8);
memcpy(test + len + 8, userKey->getCString(), 48);
sha256(test, len + 56, test);
- aes256KeyExpansion(&state, test, 32, gTrue);
+ aes256KeyExpansion(&state, test, 32, gTrue);
for (i = 0; i < 16; ++i) {
state.cbc[i] = 0;
}
@@ -131,7 +133,7 @@ GBool Decrypt::makeFileKey(int encVersion, int encRevision, int keyLength,
memcpy(test, userPassword->getCString(), len);
memcpy(test + len, userKey->getCString() + 40, 8);
sha256(test, len + 8, test);
- aes256KeyExpansion(&state, test, 32, gTrue);
+ aes256KeyExpansion(&state, test, 32, gTrue);
for (i = 0; i < 16; ++i) {
state.cbc[i] = 0;
}
@@ -141,7 +143,7 @@ GBool Decrypt::makeFileKey(int encVersion, int encRevision, int keyLength,
gFalse);
memcpy(fileKey + 16, state.buf, 16);
- return gTrue;
+ return gTrue;
}
}
@@ -1415,3 +1417,245 @@ static void sha256(Guchar *msg, int msgLen, Guchar *hash) {
hash[i*4 + 3] = (Guchar)H[i];
}
}
+//------------------------------------------------------------------------
+// SHA-512 hash (see FIPS 180-4)
+//------------------------------------------------------------------------
+// SHA 384 and SHA 512 use the same sequence of eighty constant 64 bit words.
+static uint64_t K[80]={
+ 0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc, 0x3956c25bf348b538,
+ 0x59f111f1b605d019, 0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242, 0x12835b0145706fbe,
+ 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2, 0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235,
+ 0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3, 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65,
+ 0x2de92c6f592b0275, 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5, 0x983e5152ee66dfab,
+ 0xa831c66d2db43210, 0xb00327c898fb213f, 0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725,
+ 0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc, 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed,
+ 0x53380d139d95b3df, 0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6, 0x92722c851482353b,
+ 0xa2bfe8a14cf10364, 0xa81a664bbc423001, 0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218,
+ 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8, 0x19a4c116b8d2d0c8, 0x1e376c085141ab53,
+ 0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb, 0x5b9cca4f7763e373,
+ 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc, 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec,
+ 0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915, 0xc67178f2e372532b, 0xca273eceea26619c,
+ 0xd186b8c721c0c207, 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba, 0x0a637dc5a2c898a6,
+ 0x113f9804bef90dae, 0x1b710b35131c471b, 0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc,
+ 0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a, 0x5fcb6fab3ad6faec, 0x6c44198c4a475817
+};
+
+static inline uint64_t rotr(uint64_t x, uint64_t n) {
+ return (x >> n) | (x << (64 - n));
+}
+static inline uint64_t rotl(uint64_t x, uint64_t n){
+ return (x << n) | (x >> (64 - n));
+}
+static inline uint64_t sha512Ch(uint64_t x, uint64_t y, uint64_t z) {
+ return (x & y) ^ (~x & z);
+}
+static inline uint64_t sha512Maj(uint64_t x, uint64_t y, uint64_t z) {
+ return (x & y) ^ (x & z) ^ (y & z);
+}
+static inline uint64_t sha512Sigma0(uint64_t x) {
+ return rotr(x, 28) ^ rotr(x, 34) ^ rotr(x, 39);
+}
+static inline uint64_t sha512Sigma1(uint64_t x) {
+ return rotr(x, 14) ^ rotr(x, 18) ^ rotr(x, 41);
+}
+static inline uint64_t sha512sigma0(uint64_t x) {
+ return rotr(x, 1) ^ rotr(x, 8) ^ (x >> 7);
+}
+static inline uint64_t sha512sigma1(uint64_t x) {
+ return rotr(x, 19) ^ rotr(x, 61) ^ (x >> 6);
+}
+
+void sha512HashBlock(Guchar *blk, uint64_t *H) {
+ uint64_t W[80];
+ uint64_t a, b, c, d, e, f, g, h;
+ uint64_t T1, T2;
+ Guint t;
+
+ // 1. prepare the message schedule
+ for (t = 0; t < 16; ++t) {
+ W[t] = (((uint64_t)blk[t*8] << 56) |
+ ((uint64_t)blk[t*8 + 1] << 48) |
+ ((uint64_t)blk[t*8 + 2] << 40) |
+ ((uint64_t)blk[t*8 + 3] << 32) |
+ ((uint64_t)blk[t*8 + 4] << 24) |
+ ((uint64_t)blk[t*8 + 5] << 16) |
+ ((uint64_t)blk[t*8 + 6] << 8 ) |
+ ((uint64_t)blk[t*8 + 7]));
+ }
+ for (t = 16; t < 80; ++t) {
+ W[t] = sha512sigma1(W[t-2]) + W[t-7] + sha512sigma0(W[t-15]) + W[t-16];
+ }
+
+ // 2. initialize the eight working variables
+ a = H[0];
+ b = H[1];
+ c = H[2];
+ d = H[3];
+ e = H[4];
+ f = H[5];
+ g = H[6];
+ h = H[7];
+
+ // 3.
+ for (t = 0; t < 80; ++t) {
+ T1 = h + sha512Sigma1(e) + sha512Ch(e,f,g) + K[t] + W[t];
+ T2 = sha512Sigma0(a) + sha512Maj(a,b,c);
+ h = g;
+ g = f;
+ f = e;
+ e = d + T1;
+ d = c;
+ c = b;
+ b = a;
+ a = T1 + T2;
+ }
+
+ // 4. compute the intermediate hash value
+ H[0] += a;
+ H[1] += b;
+ H[2] += c;
+ H[3] += d;
+ H[4] += e;
+ H[5] += f;
+ H[6] += g;
+ H[7] += h;
+}
+
+static void sha512(Guchar *msg, int msgLen, Guchar *hash) {
+ Guchar blk[128];
+ uint64_t H[8];
+ int blkLen = 0, i;
+ // setting the initial hash value.
+ H[0] = 0x6a09e667f3bcc908;
+ H[1] = 0xbb67ae8584caa73b;
+ H[2] = 0x3c6ef372fe94f82b;
+ H[3] = 0xa54ff53a5f1d36f1;
+ H[4] = 0x510e527fade682d1;
+ H[5] = 0x9b05688c2b3e6c1f;
+ H[6] = 0x1f83d9abfb41bd6b;
+ H[7] = 0x5be0cd19137e2179;
+
+ for (i = 0; i + 128 <= msgLen; i += 128) {
+ sha512HashBlock(msg + i, H);
+ }
+ blkLen = msgLen - i;
+ if (blkLen > 0) {
+ memcpy(blk, msg + i, blkLen);
+ }
+
+ // pad the message
+ blk[blkLen++] = 0x80;
+ if (blkLen > 112) {
+ while (blkLen < 128) {
+ blk[blkLen++] = 0;
+ }
+ sha512HashBlock(blk, H);
+ blkLen = 0;
+ }
+ while (blkLen < 112) {
+ blk[blkLen++] = 0;
+ }
+ blk[112] = 0;
+ blk[113] = 0;
+ blk[114] = 0;
+ blk[115] = 0;
+ blk[116] = 0;
+ blk[117] = 0;
+ blk[118] = 0;
+ blk[119] = 0;
+ blk[120] = 0;
+ blk[121] = 0;
+ blk[122] = 0;
+ blk[123] = 0;
+ blk[124] = (Guchar)(msgLen >> 21);
+ blk[125] = (Guchar)(msgLen >> 13);
+ blk[126] = (Guchar)(msgLen >> 5);
+ blk[127] = (Guchar)(msgLen << 3);
+
+ sha512HashBlock(blk, H);
+
+ // copy the output into the buffer (convert words to bytes)
+ for (i = 0; i < 8; ++i) {
+ hash[i*8] = (Guchar)(H[i] >> 56);
+ hash[i*8 + 1] = (Guchar)(H[i] >> 48);
+ hash[i*8 + 2] = (Guchar)(H[i] >> 40);
+ hash[i*8 + 3] = (Guchar)(H[i] >> 32);
+ hash[i*8 + 4] = (Guchar)(H[i] >> 24);
+ hash[i*8 + 5] = (Guchar)(H[i] >> 16);
+ hash[i*8 + 6] = (Guchar)(H[i] >> 8);
+ hash[i*8 + 7] = (Guchar)H[i];
+ }
+ }
+//------------------------------------------------------------------------
+// SHA-384 (see FIPS 180-4)
+//------------------------------------------------------------------------
+//The algorithm is defined in the exact same manner as SHA 512 with 2 exceptions
+//1.Initial hash value is different.
+//2.A 384 bit message digest is obtained by truncating the final hash value.
+static void sha384(Guchar *msg, int msgLen, Guchar *hash) {
+ Guchar blk[128];
+ uint64_t H[8];
+ int blkLen, i;
+//setting initial hash values
+ H[0] = 0xcbbb9d5dc1059ed8;
+ H[1] = 0x629a292a367cd507;
+ H[2] = 0x9159015a3070dd17;
+ H[3] = 0x152fecd8f70e5939;
+ H[4] = 0x67332667ffc00b31;
+ H[5] = 0x8eb44a8768581511;
+ H[6] = 0xdb0c2e0d64f98fa7;
+ H[7] = 0x47b5481dbefa4fa4;
+//SHA 384 will use the same sha512HashBlock function.
+ blkLen = 0;
+ for (i = 0; i + 128 <= msgLen; i += 128) {
+ sha512HashBlock(msg + i, H);
+ }
+ blkLen = msgLen - i;
+ if (blkLen > 0) {
+ memcpy(blk, msg + i, blkLen);
+ }
+
+ // pad the message
+ blk[blkLen++] = 0x80;
+ if (blkLen > 112) {
+ while (blkLen < 128) {
+ blk[blkLen++] = 0;
+ }
+ sha512HashBlock(blk, H);
+ blkLen = 0;
+ }
+ while (blkLen < 112) {
+ blk[blkLen++] = 0;
+ }
+ blk[112] = 0;
+ blk[113] = 0;
+ blk[114] = 0;
+ blk[115] = 0;
+ blk[116] = 0;
+ blk[117] = 0;
+ blk[118] = 0;
+ blk[119] = 0;
+ blk[120] = 0;
+ blk[121] = 0;
+ blk[122] = 0;
+ blk[123] = 0;
+ blk[124] = (Guchar)(msgLen >> 21);
+ blk[125] = (Guchar)(msgLen >> 13);
+ blk[126] = (Guchar)(msgLen >> 5);
+ blk[127] = (Guchar)(msgLen << 3);
+
+ sha512HashBlock(blk, H);
+
+ // copy the output into the buffer (convert words to bytes)
+ // hash is truncated to 384 bits.
+ for (i = 0; i < 6; ++i) {
+ hash[i*8] = (Guchar)(H[i] >> 56);
+ hash[i*8 + 1] = (Guchar)(H[i] >> 48);
+ hash[i*8 + 2] = (Guchar)(H[i] >> 40);
+ hash[i*8 + 3] = (Guchar)(H[i] >> 32);
+ hash[i*8 + 4] = (Guchar)(H[i] >> 24);
+ hash[i*8 + 5] = (Guchar)(H[i] >> 16);
+ hash[i*8 + 6] = (Guchar)(H[i] >> 8);
+ hash[i*8 + 7] = (Guchar)H[i];
+ }
+}
--
2.7.2
More information about the poppler
mailing list