From 19571d00f2dfa14e1a73328301a2fd3ccace0821 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Sat, 23 Oct 2021 00:07:13 -0400
Subject: [PATCH] Fix AES cipher implementation.

Update test program to validate the key expansion using the FIPS-197 example.

Add password-protected RC4 test output.

Add no-password AES-128 test output.
---
 pdfio-aes.c | 31 +++++++++---------------
 testpdfio.c | 68 +++++++++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 75 insertions(+), 24 deletions(-)

diff --git a/pdfio-aes.c b/pdfio-aes.c
index 7abef74..9c91e5b 100644
--- a/pdfio-aes.c
+++ b/pdfio-aes.c
@@ -110,7 +110,7 @@ _pdfioCryptoAESInit(
 		*rkptr,			// Current round_key values
 		*rkend,			// End of round_key values
 		tempa[4];		// Used for the column/row operations
-  size_t	roundlen = keylen + 24;	// Length of round_key
+//  size_t	roundlen = keylen + 24;	// Length of round_key
   size_t	nwords = keylen / 4;	// Number of 32-bit words in key
 
 
@@ -122,24 +122,16 @@ _pdfioCryptoAESInit(
   memcpy(ctx->round_key, key, keylen);
 
   // All other round keys are found from the previous round keys.
-  for (rkptr0 = ctx->round_key, rkptr = rkptr0 + keylen, rkend = rkptr + roundlen, i = nwords; rkptr < rkend; i ++)
+  for (rkptr0 = ctx->round_key, rkptr = rkptr0 + keylen, rkend = rkptr + 16 * ctx->round_size, i = nwords; rkptr < rkend; i ++)
   {
     if ((i % nwords) == 0)
     {
-      // TODO: Optimize to shift and lookup S box in one step
-      // Shifts word left once - [a0,a1,a2,a3] becomes [a1,a2,a3,a0]
-      tempa[0] = rkptr[-3];
-      tempa[1] = rkptr[-2];
-      tempa[2] = rkptr[-1];
-      tempa[3] = rkptr[-4];
-
-      // Apply the S-box to each of the four bytes to produce an output word.
-      tempa[0] = sbox[tempa[0]];
-      tempa[1] = sbox[tempa[1]];
-      tempa[2] = sbox[tempa[2]];
-      tempa[3] = sbox[tempa[3]];
-
-      tempa[0] = tempa[0] ^ Rcon[i / nwords];
+      // Shifts word left once - [a0,a1,a2,a3] becomes [a1,a2,a3,a0], then
+      // apply the S-box to each of the four bytes to produce an output word.
+      tempa[0] = sbox[rkptr[-3]] ^ Rcon[i / nwords];
+      tempa[1] = sbox[rkptr[-2]];
+      tempa[2] = sbox[rkptr[-1]];
+      tempa[3] = sbox[rkptr[-4]];
     }
     else if (keylen == 32 && (i % nwords) == 4)
     {
@@ -456,17 +448,16 @@ Cipher(state_t *state, const _pdfio_aes_t *ctx)
   // The first Nr-1 rounds are identical.
   // These Nr rounds are executed in the loop below.
   // Last one without MixColumns()
-  for (round = 1; ; ++round)
+  for (round = 1; round < ctx->round_size; round ++)
   {
     SubBytes(state);
     ShiftRows(state);
-    if (round == ctx->round_size)
-      break;
-
     MixColumns(state);
     AddRoundKey(round, state, ctx->round_key);
   }
   // Add round key to last round
+  SubBytes(state);
+  ShiftRows(state);
   AddRoundKey(ctx->round_size, state, ctx->round_key);
 }
 
diff --git a/testpdfio.c b/testpdfio.c
index 4799bc4..70eeaa9 100644
--- a/testpdfio.c
+++ b/testpdfio.c
@@ -132,6 +132,9 @@ do_crypto_tests(void)
   const char	*prefix, *suffix;	// Prefix/suffix strings
   static const char *text = "Hello, World! Now is the time for all good men to come to the aid of their country.\n";
 					// Test text
+  static uint8_t aes128key[] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
+  static uint8_t aes128rounds[] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c, 0xa0, 0xfa, 0xfe, 0x17, 0x88, 0x54, 0x2c, 0xb1, 0x23, 0xa3, 0x39, 0x39, 0x2a, 0x6c, 0x76, 0x05, 0xf2, 0xc2, 0x95, 0xf2, 0x7a, 0x96, 0xb9, 0x43, 0x59, 0x35, 0x80, 0x7a, 0x73, 0x59, 0xf6, 0x7f, 0x3d, 0x80, 0x47, 0x7d, 0x47, 0x16, 0xfe, 0x3e, 0x1e, 0x23, 0x7e, 0x44, 0x6d, 0x7a, 0x88, 0x3b, 0xef, 0x44, 0xa5, 0x41, 0xa8, 0x52, 0x5b, 0x7f, 0xb6, 0x71, 0x25, 0x3b, 0xdb, 0x0b, 0xad, 0x00, 0xd4, 0xd1, 0xc6, 0xf8, 0x7c, 0x83, 0x9d, 0x87, 0xca, 0xf2, 0xb8, 0xbc, 0x11, 0xf9, 0x15, 0xbc, 0x6d, 0x88, 0xa3, 0x7a, 0x11, 0x0b, 0x3e, 0xfd, 0xdb, 0xf9, 0x86, 0x41, 0xca, 0x00, 0x93, 0xfd, 0x4e, 0x54, 0xf7, 0x0e, 0x5f, 0x5f, 0xc9, 0xf3, 0x84, 0xa6, 0x4f, 0xb2, 0x4e, 0xa6, 0xdc, 0x4f, 0xea, 0xd2, 0x73, 0x21, 0xb5, 0x8d, 0xba, 0xd2, 0x31, 0x2b, 0xf5, 0x60, 0x7f, 0x8d, 0x29, 0x2f, 0xac, 0x77, 0x66, 0xf3, 0x19, 0xfa, 0xdc, 0x21, 0x28, 0xd1, 0x29, 0x41, 0x57, 0x5c, 0x00, 0x6e, 0xd0, 0x14, 0xf9, 0xa8, 0xc9, 0xee, 0x25, 0x89, 0xe1, 0x3f, 0x0c, 0xc8, 0xb6, 0x63, 0x0c, 0xa6 };
+					// FIPS-197 example key expansion
   static uint8_t aes128text[] =  { 0xfb, 0x77, 0xac, 0xce, 0x3c, 0x95, 0x40, 0xcf, 0xca, 0xc8, 0x26, 0xbf, 0xc0, 0x69, 0x73, 0x3c, 0x01, 0xfd, 0x72, 0x01, 0xeb, 0x4d, 0x6f, 0xf7, 0xb4, 0x72, 0x6d, 0x84, 0x69, 0x9f, 0x89, 0xab, 0xe6, 0x2b, 0x9a, 0x9a, 0x6e, 0xc1, 0x61, 0xd7, 0x9d, 0x83, 0x2d, 0x58, 0x55, 0xa7, 0x58, 0x50, 0x00, 0xad, 0x19, 0x7b, 0xee, 0x6a, 0x36, 0x6f, 0xd1, 0xa7, 0xa4, 0x6b, 0xc5, 0x78, 0x9a, 0x18, 0x05, 0xf0, 0x2c, 0xd4, 0x60, 0x25, 0xe0, 0xa7, 0xb1, 0x36, 0xdb, 0x18, 0xd3, 0xf7, 0x59, 0x29, 0x22, 0xec, 0x25, 0x77, 0x0d, 0x9e, 0x5a, 0x01, 0xcc, 0xf6, 0x29, 0xc2, 0x08, 0xc2, 0xfc, 0x4f };
 					// Expected AES-128 CBC result
   static uint8_t aes256text[] =  { 0x2b, 0x94, 0x45, 0x9e, 0xed, 0xa0, 0x89, 0x7b, 0x35, 0x4e, 0xde, 0x06, 0x00, 0x4d, 0xda, 0x6b, 0x61, 0x2f, 0xb9, 0x06, 0xd5, 0x0f, 0x22, 0xed, 0xd2, 0xe3, 0x6b, 0x39, 0x5a, 0xa1, 0xe3, 0x7d, 0xa1, 0xcc, 0xd4, 0x0b, 0x6b, 0xa4, 0xff, 0xe9, 0x9c, 0x89, 0x0c, 0xc7, 0x95, 0x47, 0x19, 0x9b, 0x06, 0xdc, 0xc8, 0x7c, 0x5c, 0x5d, 0x56, 0x99, 0x1e, 0x90, 0x7d, 0x99, 0xc5, 0x7b, 0xc4, 0xe4, 0xfb, 0x02, 0x15, 0x50, 0x23, 0x2a, 0xe4, 0xc1, 0x20, 0xfd, 0xf4, 0x03, 0xfe, 0x6f, 0x15, 0x48, 0xd8, 0x62, 0x36, 0x98, 0x2a, 0x62, 0xf5, 0x2c, 0xa6, 0xfa, 0x7a, 0x43, 0x53, 0xcd, 0xad, 0x18 };
@@ -144,6 +147,27 @@ do_crypto_tests(void)
 					// Expected SHA-256 hash result
 
 
+  fputs("_pdfioAESInit(128-bit sample key): ", stdout);
+  _pdfioCryptoAESInit(&aes, aes128key, sizeof(aes128key), NULL);
+  if (!memcmp(aes128rounds, aes.round_key, sizeof(aes128rounds)))
+  {
+    puts("PASS");
+  }
+  else
+  {
+    for (i = 0; i < (sizeof(aes128rounds) - 4); i ++)
+    {
+      if (aes.round_key[i] != aes128rounds[i])
+        break;
+    }
+
+    prefix = i > 0 ? "..." : "";
+    suffix = i < (sizeof(aes128rounds) - 4) ? "..." : "";
+
+    printf("FAIL (got '%s%02X%02X%02X%02X%s', expected '%s%02X%02X%02X%02X%s')\n", prefix, aes.round_key[i], aes.round_key[i + 1], aes.round_key[i + 2], aes.round_key[i + 3], suffix, prefix, aes128rounds[i], aes128rounds[i + 1], aes128rounds[i + 2], aes128rounds[i + 3], suffix);
+    ret = 1;
+  }
+
   fputs("_pdfioAESInit/Encrypt(128-bit CBC): ", stdout);
   for (i = 0; i < 16; i ++)
   {
@@ -175,7 +199,7 @@ do_crypto_tests(void)
 
   fputs("_pdfioAESInit/Decrypt(128-bit CBC): ", stdout);
   _pdfioCryptoAESInit(&aes, key, 16, iv);
-  _pdfioCryptoAESDecrypt(&aes, buffer2, buffer, strlen(text));
+  _pdfioCryptoAESDecrypt(&aes, buffer2, buffer, sizeof(aes128text));
 
   if (!memcmp(buffer2, text, strlen(text)))
   {
@@ -227,7 +251,7 @@ do_crypto_tests(void)
 
   fputs("_pdfioAESInit/Decrypt(256-bit CBC): ", stdout);
   _pdfioCryptoAESInit(&aes, key, 32, iv);
-  _pdfioCryptoAESDecrypt(&aes, buffer2, buffer, strlen(text));
+  _pdfioCryptoAESDecrypt(&aes, buffer2, buffer, sizeof(aes256text));
 
   if (!memcmp(buffer2, text, strlen(text)))
   {
@@ -1025,6 +1049,25 @@ do_unit_tests(void)
     return (1);
 
 //  if (read_unit_file("testpdfio-rc4.pdf", num_pages, first_image, false))
+//    return (1);
+
+  // Create new encrypted PDF files...
+  fputs("pdfioFileCreate(\"testpdfio-rc4p.pdf\", ...): ", stdout);
+  if ((outpdf = pdfioFileCreate("testpdfio-rc4p.pdf", NULL, NULL, NULL, (pdfio_error_cb_t)error_cb, &error)) != NULL)
+    puts("PASS");
+  else
+    return (1);
+
+  fputs("pdfioFileSetPermissions(no-print, RC4-128, passwords='owner' and 'user'): ", stdout);
+  if (pdfioFileSetPermissions(outpdf, PDFIO_PERMISSION_ALL ^ PDFIO_PERMISSION_PRINT, PDFIO_ENCRYPTION_RC4_128, "owner", "user"))
+    puts("PASS");
+  else
+    return (1);
+
+  if (write_unit_file(inpdf, outpdf, &num_pages, &first_image))
+    return (1);
+
+//  if (read_unit_file("testpdfio-rc4p.pdf", num_pages, first_image, false))
 //    return (1);
 
   fputs("pdfioFileCreate(\"testpdfio-aes.pdf\", ...): ", stdout);
@@ -1033,6 +1076,24 @@ do_unit_tests(void)
   else
     return (1);
 
+  fputs("pdfioFileSetPermissions(all, AES-128, no passwords): ", stdout);
+  if (pdfioFileSetPermissions(outpdf, PDFIO_PERMISSION_ALL, PDFIO_ENCRYPTION_AES_128, NULL, NULL))
+    puts("PASS");
+  else
+    return (1);
+
+  if (write_unit_file(inpdf, outpdf, &num_pages, &first_image))
+    return (1);
+
+//  if (read_unit_file("testpdfio-aes.pdf", num_pages, first_image, false))
+//    return (1);
+
+  fputs("pdfioFileCreate(\"testpdfio-aesp.pdf\", ...): ", stdout);
+  if ((outpdf = pdfioFileCreate("testpdfio-aesp.pdf", NULL, NULL, NULL, (pdfio_error_cb_t)error_cb, &error)) != NULL)
+    puts("PASS");
+  else
+    return (1);
+
   fputs("pdfioFileSetPermissions(no-print, AES-128, passwords='owner' and 'user'): ", stdout);
   if (pdfioFileSetPermissions(outpdf, PDFIO_PERMISSION_ALL ^ PDFIO_PERMISSION_PRINT, PDFIO_ENCRYPTION_AES_128, "owner", "user"))
     puts("PASS");
@@ -1042,10 +1103,9 @@ do_unit_tests(void)
   if (write_unit_file(inpdf, outpdf, &num_pages, &first_image))
     return (1);
 
-//  if (read_unit_file("testpdfio-aes.pdf", num_pages, first_image, false))
+//  if (read_unit_file("testpdfio-aesp.pdf", num_pages, first_image, false))
 //    return (1);
 
-
   return (0);
 }