| //======================================================================== |
| // |
| // Decrypt.cc |
| // |
| // Copyright 1996-2003 Glyph & Cog, LLC |
| // |
| //======================================================================== |
| |
| //======================================================================== |
| // |
| // Modified under the Poppler project - http://poppler.freedesktop.org |
| // |
| // All changes made under the Poppler project to this file are licensed |
| // under GPL version 2 or later |
| // |
| // Copyright (C) 2008 Julien Rebetez <julien@fhtagn.net> |
| // Copyright (C) 2008, 2010 Albert Astals Cid <aacid@kde.org> |
| // Copyright (C) 2009 Matthias Franz <matthias@ktug.or.kr> |
| // Copyright (C) 2009 David Benjamin <davidben@mit.edu> |
| // Copyright (C) 2012 Fabio D'Urso <fabiodurso@hotmail.it> |
| // Copyright (C) 2013 Adrian Johnson <ajohnson@redneon.com> |
| // |
| // To see a description of the changes please see the Changelog file that |
| // came with your tarball or type make ChangeLog if you are building from git |
| // |
| //======================================================================== |
| |
| #include <config.h> |
| |
| #ifdef USE_GCC_PRAGMAS |
| #pragma implementation |
| #endif |
| |
| #include <string.h> |
| #include "goo/gmem.h" |
| #include "goo/grandom.h" |
| #include "Decrypt.h" |
| #include "Error.h" |
| |
| static void rc4InitKey(Guchar *key, int keyLen, Guchar *state); |
| static Guchar rc4DecryptByte(Guchar *state, Guchar *x, Guchar *y, Guchar c); |
| |
| static GBool aesReadBlock(Stream *str, Guchar *in, GBool addPadding); |
| |
| static void aesKeyExpansion(DecryptAESState *s, Guchar *objKey, int objKeyLen, GBool decrypt); |
| static void aesEncryptBlock(DecryptAESState *s, Guchar *in); |
| static void aesDecryptBlock(DecryptAESState *s, Guchar *in, GBool last); |
| |
| static void aes256KeyExpansion(DecryptAES256State *s, Guchar *objKey, int objKeyLen, GBool decrypt); |
| static void aes256EncryptBlock(DecryptAES256State *s, Guchar *in); |
| static void aes256DecryptBlock(DecryptAES256State *s, Guchar *in, GBool last); |
| |
| static void sha256(Guchar *msg, int msgLen, Guchar *hash); |
| |
| static const Guchar passwordPad[32] = { |
| 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, |
| 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08, |
| 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80, |
| 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a |
| }; |
| |
| //------------------------------------------------------------------------ |
| // Decrypt |
| //------------------------------------------------------------------------ |
| |
| GBool Decrypt::makeFileKey(int encVersion, int encRevision, int keyLength, |
| GooString *ownerKey, GooString *userKey, |
| GooString *ownerEnc, GooString *userEnc, |
| int permissions, GooString *fileID, |
| GooString *ownerPassword, GooString *userPassword, |
| Guchar *fileKey, GBool encryptMetadata, |
| GBool *ownerPasswordOk) { |
| DecryptAES256State state; |
| Guchar test[127 + 56], test2[32]; |
| GooString *userPassword2; |
| Guchar fState[256]; |
| Guchar tmpKey[16]; |
| Guchar fx, fy; |
| int len, i, j; |
| |
| *ownerPasswordOk = gFalse; |
| |
| if (encRevision == 5) { |
| |
| // check the owner password |
| if (ownerPassword) { |
| //~ this is supposed to convert the password to UTF-8 using "SASLprep" |
| len = ownerPassword->getLength(); |
| if (len > 127) { |
| len = 127; |
| } |
| memcpy(test, ownerPassword->getCString(), len); |
| memcpy(test + len, ownerKey->getCString() + 32, 8); |
| memcpy(test + len + 8, userKey->getCString(), 48); |
| sha256(test, len + 56, test); |
| if (!memcmp(test, ownerKey->getCString(), 32)) { |
| |
| // compute the file key from the owner password |
| memcpy(test, ownerPassword->getCString(), len); |
| memcpy(test + len, ownerKey->getCString() + 40, 8); |
| memcpy(test + len + 8, userKey->getCString(), 48); |
| sha256(test, len + 56, test); |
| aes256KeyExpansion(&state, test, 32, gTrue); |
| for (i = 0; i < 16; ++i) { |
| state.cbc[i] = 0; |
| } |
| aes256DecryptBlock(&state, (Guchar *)ownerEnc->getCString(), gFalse); |
| memcpy(fileKey, state.buf, 16); |
| aes256DecryptBlock(&state, (Guchar *)ownerEnc->getCString() + 16, |
| gFalse); |
| memcpy(fileKey + 16, state.buf, 16); |
| |
| *ownerPasswordOk = gTrue; |
| return gTrue; |
| } |
| } |
| |
| // check the user password |
| if (userPassword) { |
| //~ this is supposed to convert the password to UTF-8 using "SASLprep" |
| len = userPassword->getLength(); |
| if (len > 127) { |
| len = 127; |
| } |
| memcpy(test, userPassword->getCString(), len); |
| memcpy(test + len, userKey->getCString() + 32, 8); |
| sha256(test, len + 8, test); |
| if (!memcmp(test, userKey->getCString(), 32)) { |
| |
| // compute the file key from the user password |
| memcpy(test, userPassword->getCString(), len); |
| memcpy(test + len, userKey->getCString() + 40, 8); |
| sha256(test, len + 8, test); |
| aes256KeyExpansion(&state, test, 32, gTrue); |
| for (i = 0; i < 16; ++i) { |
| state.cbc[i] = 0; |
| } |
| aes256DecryptBlock(&state, (Guchar *)userEnc->getCString(), gFalse); |
| memcpy(fileKey, state.buf, 16); |
| aes256DecryptBlock(&state, (Guchar *)userEnc->getCString() + 16, |
| gFalse); |
| memcpy(fileKey + 16, state.buf, 16); |
| |
| return gTrue; |
| } |
| } |
| |
| return gFalse; |
| } else { |
| |
| // try using the supplied owner password to generate the user password |
| if (ownerPassword) { |
| len = ownerPassword->getLength(); |
| if (len < 32) { |
| memcpy(test, ownerPassword->getCString(), len); |
| memcpy(test + len, passwordPad, 32 - len); |
| } else { |
| memcpy(test, ownerPassword->getCString(), 32); |
| } |
| md5(test, 32, test); |
| if (encRevision == 3) { |
| for (i = 0; i < 50; ++i) { |
| md5(test, keyLength, test); |
| } |
| } |
| if (encRevision == 2) { |
| rc4InitKey(test, keyLength, fState); |
| fx = fy = 0; |
| for (i = 0; i < 32; ++i) { |
| test2[i] = rc4DecryptByte(fState, &fx, &fy, ownerKey->getChar(i)); |
| } |
| } else { |
| memcpy(test2, ownerKey->getCString(), 32); |
| for (i = 19; i >= 0; --i) { |
| for (j = 0; j < keyLength; ++j) { |
| tmpKey[j] = test[j] ^ i; |
| } |
| rc4InitKey(tmpKey, keyLength, fState); |
| fx = fy = 0; |
| for (j = 0; j < 32; ++j) { |
| test2[j] = rc4DecryptByte(fState, &fx, &fy, test2[j]); |
| } |
| } |
| } |
| userPassword2 = new GooString((char *)test2, 32); |
| if (makeFileKey2(encVersion, encRevision, keyLength, ownerKey, userKey, |
| permissions, fileID, userPassword2, fileKey, |
| encryptMetadata)) { |
| *ownerPasswordOk = gTrue; |
| delete userPassword2; |
| return gTrue; |
| } |
| delete userPassword2; |
| } |
| |
| // try using the supplied user password |
| return makeFileKey2(encVersion, encRevision, keyLength, ownerKey, userKey, |
| permissions, fileID, userPassword, fileKey, |
| encryptMetadata); |
| } |
| } |
| |
| GBool Decrypt::makeFileKey2(int encVersion, int encRevision, int keyLength, |
| GooString *ownerKey, GooString *userKey, |
| int permissions, GooString *fileID, |
| GooString *userPassword, Guchar *fileKey, |
| GBool encryptMetadata) { |
| Guchar *buf; |
| Guchar test[32]; |
| Guchar fState[256]; |
| Guchar tmpKey[16]; |
| Guchar fx, fy; |
| int len, i, j; |
| GBool ok; |
| |
| // generate file key |
| buf = (Guchar *)gmalloc(72 + fileID->getLength()); |
| if (userPassword) { |
| len = userPassword->getLength(); |
| if (len < 32) { |
| memcpy(buf, userPassword->getCString(), len); |
| memcpy(buf + len, passwordPad, 32 - len); |
| } else { |
| memcpy(buf, userPassword->getCString(), 32); |
| } |
| } else { |
| memcpy(buf, passwordPad, 32); |
| } |
| memcpy(buf + 32, ownerKey->getCString(), 32); |
| buf[64] = permissions & 0xff; |
| buf[65] = (permissions >> 8) & 0xff; |
| buf[66] = (permissions >> 16) & 0xff; |
| buf[67] = (permissions >> 24) & 0xff; |
| memcpy(buf + 68, fileID->getCString(), fileID->getLength()); |
| len = 68 + fileID->getLength(); |
| if (!encryptMetadata) { |
| buf[len++] = 0xff; |
| buf[len++] = 0xff; |
| buf[len++] = 0xff; |
| buf[len++] = 0xff; |
| } |
| md5(buf, len, fileKey); |
| if (encRevision == 3) { |
| for (i = 0; i < 50; ++i) { |
| md5(fileKey, keyLength, fileKey); |
| } |
| } |
| |
| // test user password |
| if (encRevision == 2) { |
| rc4InitKey(fileKey, keyLength, fState); |
| fx = fy = 0; |
| for (i = 0; i < 32; ++i) { |
| test[i] = rc4DecryptByte(fState, &fx, &fy, userKey->getChar(i)); |
| } |
| ok = memcmp(test, passwordPad, 32) == 0; |
| } else if (encRevision == 3) { |
| memcpy(test, userKey->getCString(), 32); |
| for (i = 19; i >= 0; --i) { |
| for (j = 0; j < keyLength; ++j) { |
| tmpKey[j] = fileKey[j] ^ i; |
| } |
| rc4InitKey(tmpKey, keyLength, fState); |
| fx = fy = 0; |
| for (j = 0; j < 32; ++j) { |
| test[j] = rc4DecryptByte(fState, &fx, &fy, test[j]); |
| } |
| } |
| memcpy(buf, passwordPad, 32); |
| memcpy(buf + 32, fileID->getCString(), fileID->getLength()); |
| md5(buf, 32 + fileID->getLength(), buf); |
| ok = memcmp(test, buf, 16) == 0; |
| } else { |
| ok = gFalse; |
| } |
| |
| gfree(buf); |
| return ok; |
| } |
| |
| //------------------------------------------------------------------------ |
| // BaseCryptStream |
| //------------------------------------------------------------------------ |
| |
| BaseCryptStream::BaseCryptStream(Stream *strA, Guchar *fileKey, CryptAlgorithm algoA, |
| int keyLength, int objNum, int objGen): |
| FilterStream(strA) |
| { |
| int i; |
| |
| algo = algoA; |
| |
| // construct object key |
| for (i = 0; i < keyLength; ++i) { |
| objKey[i] = fileKey[i]; |
| } |
| switch (algo) { |
| case cryptRC4: |
| objKey[keyLength] = objNum & 0xff; |
| objKey[keyLength + 1] = (objNum >> 8) & 0xff; |
| objKey[keyLength + 2] = (objNum >> 16) & 0xff; |
| objKey[keyLength + 3] = objGen & 0xff; |
| objKey[keyLength + 4] = (objGen >> 8) & 0xff; |
| md5(objKey, keyLength + 5, objKey); |
| if ((objKeyLength = keyLength + 5) > 16) { |
| objKeyLength = 16; |
| } |
| break; |
| case cryptAES: |
| objKey[keyLength] = objNum & 0xff; |
| objKey[keyLength + 1] = (objNum >> 8) & 0xff; |
| objKey[keyLength + 2] = (objNum >> 16) & 0xff; |
| objKey[keyLength + 3] = objGen & 0xff; |
| objKey[keyLength + 4] = (objGen >> 8) & 0xff; |
| objKey[keyLength + 5] = 0x73; // 's' |
| objKey[keyLength + 6] = 0x41; // 'A' |
| objKey[keyLength + 7] = 0x6c; // 'l' |
| objKey[keyLength + 8] = 0x54; // 'T' |
| md5(objKey, keyLength + 9, objKey); |
| if ((objKeyLength = keyLength + 5) > 16) { |
| objKeyLength = 16; |
| } |
| break; |
| case cryptAES256: |
| objKeyLength = keyLength; |
| break; |
| } |
| |
| charactersRead = 0; |
| autoDelete = gTrue; |
| } |
| |
| BaseCryptStream::~BaseCryptStream() { |
| if (autoDelete) { |
| delete str; |
| } |
| } |
| |
| void BaseCryptStream::reset() { |
| charactersRead = 0; |
| nextCharBuff = EOF; |
| str->reset(); |
| } |
| |
| Goffset BaseCryptStream::getPos() { |
| return charactersRead; |
| } |
| |
| int BaseCryptStream::getChar() { |
| // Read next character and empty the buffer, so that a new character will be read next time |
| int c = lookChar(); |
| nextCharBuff = EOF; |
| |
| if (c != EOF) |
| charactersRead++; |
| return c; |
| } |
| |
| GBool BaseCryptStream::isBinary(GBool last) { |
| return str->isBinary(last); |
| } |
| |
| void BaseCryptStream::setAutoDelete(GBool val) { |
| autoDelete = val; |
| } |
| |
| //------------------------------------------------------------------------ |
| // EncryptStream |
| //------------------------------------------------------------------------ |
| |
| EncryptStream::EncryptStream(Stream *strA, Guchar *fileKey, CryptAlgorithm algoA, |
| int keyLength, int objNum, int objGen): |
| BaseCryptStream(strA, fileKey, algoA, keyLength, objNum, objGen) |
| { |
| // Fill the CBC initialization vector for AES and AES-256 |
| switch (algo) { |
| case cryptAES: |
| grandom_fill(state.aes.cbc, 16); |
| break; |
| case cryptAES256: |
| grandom_fill(state.aes256.cbc, 16); |
| break; |
| default: |
| break; |
| } |
| } |
| |
| EncryptStream::~EncryptStream() { |
| } |
| |
| void EncryptStream::reset() { |
| BaseCryptStream::reset(); |
| |
| switch (algo) { |
| case cryptRC4: |
| state.rc4.x = state.rc4.y = 0; |
| rc4InitKey(objKey, objKeyLength, state.rc4.state); |
| break; |
| case cryptAES: |
| aesKeyExpansion(&state.aes, objKey, objKeyLength, gFalse); |
| memcpy(state.aes.buf, state.aes.cbc, 16); // Copy CBC IV to buf |
| state.aes.bufIdx = 0; |
| state.aes.paddingReached = gFalse; |
| break; |
| case cryptAES256: |
| aes256KeyExpansion(&state.aes256, objKey, objKeyLength, gFalse); |
| memcpy(state.aes256.buf, state.aes256.cbc, 16); // Copy CBC IV to buf |
| state.aes256.bufIdx = 0; |
| state.aes256.paddingReached = gFalse; |
| break; |
| } |
| } |
| |
| int EncryptStream::lookChar() { |
| Guchar in[16]; |
| int c; |
| |
| if (nextCharBuff != EOF) |
| return nextCharBuff; |
| |
| c = EOF; // make gcc happy |
| switch (algo) { |
| case cryptRC4: |
| if ((c = str->getChar()) != EOF) { |
| // RC4 is XOR-based: the decryption algorithm works for encryption too |
| c = rc4DecryptByte(state.rc4.state, &state.rc4.x, &state.rc4.y, (Guchar)c); |
| } |
| break; |
| case cryptAES: |
| if (state.aes.bufIdx == 16 && !state.aes.paddingReached) { |
| state.aes.paddingReached = !aesReadBlock(str, in, gTrue); |
| aesEncryptBlock(&state.aes, in); |
| } |
| if (state.aes.bufIdx == 16) { |
| c = EOF; |
| } else { |
| c = state.aes.buf[state.aes.bufIdx++]; |
| } |
| break; |
| case cryptAES256: |
| if (state.aes256.bufIdx == 16 && !state.aes256.paddingReached) { |
| state.aes256.paddingReached = !aesReadBlock(str, in, gTrue); |
| aes256EncryptBlock(&state.aes256, in); |
| } |
| if (state.aes256.bufIdx == 16) { |
| c = EOF; |
| } else { |
| c = state.aes256.buf[state.aes256.bufIdx++]; |
| } |
| break; |
| } |
| return (nextCharBuff = c); |
| } |
| |
| //------------------------------------------------------------------------ |
| // DecryptStream |
| //------------------------------------------------------------------------ |
| |
| DecryptStream::DecryptStream(Stream *strA, Guchar *fileKey, CryptAlgorithm algoA, |
| int keyLength, int objNum, int objGen): |
| BaseCryptStream(strA, fileKey, algoA, keyLength, objNum, objGen) |
| { |
| } |
| |
| DecryptStream::~DecryptStream() { |
| } |
| |
| void DecryptStream::reset() { |
| int i; |
| BaseCryptStream::reset(); |
| |
| switch (algo) { |
| case cryptRC4: |
| state.rc4.x = state.rc4.y = 0; |
| rc4InitKey(objKey, objKeyLength, state.rc4.state); |
| break; |
| case cryptAES: |
| aesKeyExpansion(&state.aes, objKey, objKeyLength, gTrue); |
| for (i = 0; i < 16; ++i) { |
| state.aes.cbc[i] = str->getChar(); |
| } |
| state.aes.bufIdx = 16; |
| break; |
| case cryptAES256: |
| aes256KeyExpansion(&state.aes256, objKey, objKeyLength, gTrue); |
| for (i = 0; i < 16; ++i) { |
| state.aes256.cbc[i] = str->getChar(); |
| } |
| state.aes256.bufIdx = 16; |
| break; |
| } |
| } |
| |
| int DecryptStream::lookChar() { |
| Guchar in[16]; |
| int c; |
| |
| if (nextCharBuff != EOF) |
| return nextCharBuff; |
| |
| c = EOF; // make gcc happy |
| switch (algo) { |
| case cryptRC4: |
| if ((c = str->getChar()) != EOF) { |
| c = rc4DecryptByte(state.rc4.state, &state.rc4.x, &state.rc4.y, (Guchar)c); |
| } |
| break; |
| case cryptAES: |
| if (state.aes.bufIdx == 16) { |
| if (aesReadBlock(str, in, gFalse)) { |
| aesDecryptBlock(&state.aes, in, str->lookChar() == EOF); |
| } |
| } |
| if (state.aes.bufIdx == 16) { |
| c = EOF; |
| } else { |
| c = state.aes.buf[state.aes.bufIdx++]; |
| } |
| break; |
| case cryptAES256: |
| if (state.aes256.bufIdx == 16) { |
| if (aesReadBlock(str, in, gFalse)) { |
| aes256DecryptBlock(&state.aes256, in, str->lookChar() == EOF); |
| } |
| } |
| if (state.aes256.bufIdx == 16) { |
| c = EOF; |
| } else { |
| c = state.aes256.buf[state.aes256.bufIdx++]; |
| } |
| break; |
| } |
| return (nextCharBuff = c); |
| } |
| |
| //------------------------------------------------------------------------ |
| // RC4-compatible decryption |
| //------------------------------------------------------------------------ |
| |
| static void rc4InitKey(Guchar *key, int keyLen, Guchar *state) { |
| Guchar index1, index2; |
| Guchar t; |
| int i; |
| |
| for (i = 0; i < 256; ++i) |
| state[i] = i; |
| |
| if (unlikely(keyLen == 0)) |
| return; |
| |
| index1 = index2 = 0; |
| for (i = 0; i < 256; ++i) { |
| index2 = (key[index1] + state[i] + index2) % 256; |
| t = state[i]; |
| state[i] = state[index2]; |
| state[index2] = t; |
| index1 = (index1 + 1) % keyLen; |
| } |
| } |
| |
| static Guchar rc4DecryptByte(Guchar *state, Guchar *x, Guchar *y, Guchar c) { |
| Guchar x1, y1, tx, ty; |
| |
| x1 = *x = (*x + 1) % 256; |
| y1 = *y = (state[*x] + *y) % 256; |
| tx = state[x1]; |
| ty = state[y1]; |
| state[x1] = ty; |
| state[y1] = tx; |
| return c ^ state[(tx + ty) % 256]; |
| } |
| |
| //------------------------------------------------------------------------ |
| // AES decryption |
| //------------------------------------------------------------------------ |
| |
| // Returns gFalse if EOF was reached, gTrue otherwise |
| static GBool aesReadBlock(Stream *str, Guchar *in, GBool addPadding) |
| { |
| int c, i; |
| |
| for (i = 0; i < 16; ++i) { |
| if ((c = str->getChar()) != EOF) { |
| in[i] = (Guchar)c; |
| } else { |
| break; |
| } |
| } |
| |
| if (i == 16) { |
| return gTrue; |
| } else { |
| if (addPadding) { |
| c = 16 - i; |
| while (i < 16) { |
| in[i++] = (Guchar)c; |
| } |
| } |
| return gFalse; |
| } |
| } |
| |
| static const Guchar sbox[256] = { |
| 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, |
| 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, |
| 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, |
| 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, |
| 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, |
| 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, |
| 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, |
| 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, |
| 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, |
| 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, |
| 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, |
| 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, |
| 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, |
| 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, |
| 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, |
| 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 |
| }; |
| |
| static const Guchar invSbox[256] = { |
| 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, |
| 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, |
| 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, |
| 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, |
| 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, |
| 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, |
| 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, |
| 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, |
| 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, |
| 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e, |
| 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, |
| 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, |
| 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f, |
| 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, |
| 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, |
| 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d |
| }; |
| |
| static const Guint rcon[11] = { |
| 0x00000000, // unused |
| 0x01000000, |
| 0x02000000, |
| 0x04000000, |
| 0x08000000, |
| 0x10000000, |
| 0x20000000, |
| 0x40000000, |
| 0x80000000, |
| 0x1b000000, |
| 0x36000000 |
| }; |
| |
| static inline Guint subWord(Guint x) { |
| return (sbox[x >> 24] << 24) |
| | (sbox[(x >> 16) & 0xff] << 16) |
| | (sbox[(x >> 8) & 0xff] << 8) |
| | sbox[x & 0xff]; |
| } |
| |
| static inline Guint rotWord(Guint x) { |
| return ((x << 8) & 0xffffffff) | (x >> 24); |
| } |
| |
| static inline void subBytes(Guchar *state) { |
| int i; |
| |
| for (i = 0; i < 16; ++i) { |
| state[i] = sbox[state[i]]; |
| } |
| } |
| |
| static inline void invSubBytes(Guchar *state) { |
| int i; |
| |
| for (i = 0; i < 16; ++i) { |
| state[i] = invSbox[state[i]]; |
| } |
| } |
| |
| static inline void shiftRows(Guchar *state) { |
| Guchar t; |
| |
| t = state[4]; |
| state[4] = state[5]; |
| state[5] = state[6]; |
| state[6] = state[7]; |
| state[7] = t; |
| |
| t = state[8]; |
| state[8] = state[10]; |
| state[10] = t; |
| t = state[9]; |
| state[9] = state[11]; |
| state[11] = t; |
| |
| t = state[15]; |
| state[15] = state[14]; |
| state[14] = state[13]; |
| state[13] = state[12]; |
| state[12] = t; |
| } |
| |
| static inline void invShiftRows(Guchar *state) { |
| Guchar t; |
| |
| t = state[7]; |
| state[7] = state[6]; |
| state[6] = state[5]; |
| state[5] = state[4]; |
| state[4] = t; |
| |
| t = state[8]; |
| state[8] = state[10]; |
| state[10] = t; |
| t = state[9]; |
| state[9] = state[11]; |
| state[11] = t; |
| |
| t = state[12]; |
| state[12] = state[13]; |
| state[13] = state[14]; |
| state[14] = state[15]; |
| state[15] = t; |
| } |
| |
| // {02} \cdot s |
| static inline Guchar mul02(Guchar s) { |
| return (s & 0x80) ? ((s << 1) ^ 0x1b) : (s << 1); |
| } |
| |
| // {03} \cdot s |
| static inline Guchar mul03(Guchar s) { |
| Guchar s2 = (s & 0x80) ? ((s << 1) ^ 0x1b) : (s << 1); |
| return s ^ s2; |
| } |
| |
| // {09} \cdot s |
| static inline Guchar mul09(Guchar s) { |
| Guchar s2, s4, s8; |
| |
| s2 = (s & 0x80) ? ((s << 1) ^ 0x1b) : (s << 1); |
| s4 = (s2 & 0x80) ? ((s2 << 1) ^ 0x1b) : (s2 << 1); |
| s8 = (s4 & 0x80) ? ((s4 << 1) ^ 0x1b) : (s4 << 1); |
| return s ^ s8; |
| } |
| |
| // {0b} \cdot s |
| static inline Guchar mul0b(Guchar s) { |
| Guchar s2, s4, s8; |
| |
| s2 = (s & 0x80) ? ((s << 1) ^ 0x1b) : (s << 1); |
| s4 = (s2 & 0x80) ? ((s2 << 1) ^ 0x1b) : (s2 << 1); |
| s8 = (s4 & 0x80) ? ((s4 << 1) ^ 0x1b) : (s4 << 1); |
| return s ^ s2 ^ s8; |
| } |
| |
| // {0d} \cdot s |
| static inline Guchar mul0d(Guchar s) { |
| Guchar s2, s4, s8; |
| |
| s2 = (s & 0x80) ? ((s << 1) ^ 0x1b) : (s << 1); |
| s4 = (s2 & 0x80) ? ((s2 << 1) ^ 0x1b) : (s2 << 1); |
| s8 = (s4 & 0x80) ? ((s4 << 1) ^ 0x1b) : (s4 << 1); |
| return s ^ s4 ^ s8; |
| } |
| |
| // {0e} \cdot s |
| static inline Guchar mul0e(Guchar s) { |
| Guchar s2, s4, s8; |
| |
| s2 = (s & 0x80) ? ((s << 1) ^ 0x1b) : (s << 1); |
| s4 = (s2 & 0x80) ? ((s2 << 1) ^ 0x1b) : (s2 << 1); |
| s8 = (s4 & 0x80) ? ((s4 << 1) ^ 0x1b) : (s4 << 1); |
| return s2 ^ s4 ^ s8; |
| } |
| |
| static inline void mixColumns(Guchar *state) { |
| int c; |
| Guchar s0, s1, s2, s3; |
| |
| for (c = 0; c < 4; ++c) { |
| s0 = state[c]; |
| s1 = state[4+c]; |
| s2 = state[8+c]; |
| s3 = state[12+c]; |
| state[c] = mul02(s0) ^ mul03(s1) ^ s2 ^ s3; |
| state[4+c] = s0 ^ mul02(s1) ^ mul03(s2) ^ s3; |
| state[8+c] = s0 ^ s1 ^ mul02(s2) ^ mul03(s3); |
| state[12+c] = mul03(s0) ^ s1 ^ s2 ^ mul02(s3); |
| } |
| } |
| |
| static inline void invMixColumns(Guchar *state) { |
| int c; |
| Guchar s0, s1, s2, s3; |
| |
| for (c = 0; c < 4; ++c) { |
| s0 = state[c]; |
| s1 = state[4+c]; |
| s2 = state[8+c]; |
| s3 = state[12+c]; |
| state[c] = mul0e(s0) ^ mul0b(s1) ^ mul0d(s2) ^ mul09(s3); |
| state[4+c] = mul09(s0) ^ mul0e(s1) ^ mul0b(s2) ^ mul0d(s3); |
| state[8+c] = mul0d(s0) ^ mul09(s1) ^ mul0e(s2) ^ mul0b(s3); |
| state[12+c] = mul0b(s0) ^ mul0d(s1) ^ mul09(s2) ^ mul0e(s3); |
| } |
| } |
| |
| static inline void invMixColumnsW(Guint *w) { |
| int c; |
| Guchar s0, s1, s2, s3; |
| |
| for (c = 0; c < 4; ++c) { |
| s0 = w[c] >> 24; |
| s1 = w[c] >> 16; |
| s2 = w[c] >> 8; |
| s3 = w[c]; |
| w[c] = ((mul0e(s0) ^ mul0b(s1) ^ mul0d(s2) ^ mul09(s3)) << 24) |
| | ((mul09(s0) ^ mul0e(s1) ^ mul0b(s2) ^ mul0d(s3)) << 16) |
| | ((mul0d(s0) ^ mul09(s1) ^ mul0e(s2) ^ mul0b(s3)) << 8) |
| | (mul0b(s0) ^ mul0d(s1) ^ mul09(s2) ^ mul0e(s3)); |
| } |
| } |
| |
| static inline void addRoundKey(Guchar *state, Guint *w) { |
| int c; |
| |
| for (c = 0; c < 4; ++c) { |
| state[c] ^= w[c] >> 24; |
| state[4+c] ^= w[c] >> 16; |
| state[8+c] ^= w[c] >> 8; |
| state[12+c] ^= w[c]; |
| } |
| } |
| |
| static void aesKeyExpansion(DecryptAESState *s, |
| Guchar *objKey, int /*objKeyLen*/, GBool decrypt) { |
| Guint temp; |
| int i, round; |
| |
| //~ this assumes objKeyLen == 16 |
| |
| for (i = 0; i < 4; ++i) { |
| s->w[i] = (objKey[4*i] << 24) + (objKey[4*i+1] << 16) + |
| (objKey[4*i+2] << 8) + objKey[4*i+3]; |
| } |
| for (i = 4; i < 44; ++i) { |
| temp = s->w[i-1]; |
| if (!(i & 3)) { |
| temp = subWord(rotWord(temp)) ^ rcon[i/4]; |
| } |
| s->w[i] = s->w[i-4] ^ temp; |
| } |
| |
| /* In case of decryption, adjust the key schedule for the equivalent inverse cipher */ |
| if (decrypt) { |
| for (round = 1; round <= 9; ++round) { |
| invMixColumnsW(&s->w[round * 4]); |
| } |
| } |
| } |
| |
| static void aesEncryptBlock(DecryptAESState *s, Guchar *in) { |
| int c, round; |
| |
| // initial state (input is xor'd with previous output because of CBC) |
| for (c = 0; c < 4; ++c) { |
| s->state[c] = in[4*c] ^ s->buf[4*c]; |
| s->state[4+c] = in[4*c+1] ^ s->buf[4*c+1]; |
| s->state[8+c] = in[4*c+2] ^ s->buf[4*c+2]; |
| s->state[12+c] = in[4*c+3] ^ s->buf[4*c+3]; |
| } |
| |
| // round 0 |
| addRoundKey(s->state, &s->w[0]); |
| |
| // rounds 1-9 |
| for (round = 1; round <= 9; ++round) { |
| subBytes(s->state); |
| shiftRows(s->state); |
| mixColumns(s->state); |
| addRoundKey(s->state, &s->w[round * 4]); |
| } |
| |
| // round 10 |
| subBytes(s->state); |
| shiftRows(s->state); |
| addRoundKey(s->state, &s->w[10 * 4]); |
| |
| for (c = 0; c < 4; ++c) { |
| s->buf[4*c] = s->state[c]; |
| s->buf[4*c+1] = s->state[4+c]; |
| s->buf[4*c+2] = s->state[8+c]; |
| s->buf[4*c+3] = s->state[12+c]; |
| } |
| |
| s->bufIdx = 0; |
| } |
| |
| static void aesDecryptBlock(DecryptAESState *s, Guchar *in, GBool last) { |
| int c, round, n, i; |
| |
| // initial state |
| for (c = 0; c < 4; ++c) { |
| s->state[c] = in[4*c]; |
| s->state[4+c] = in[4*c+1]; |
| s->state[8+c] = in[4*c+2]; |
| s->state[12+c] = in[4*c+3]; |
| } |
| |
| // round 0 |
| addRoundKey(s->state, &s->w[10 * 4]); |
| |
| // rounds 1-9 |
| for (round = 9; round >= 1; --round) { |
| invSubBytes(s->state); |
| invShiftRows(s->state); |
| invMixColumns(s->state); |
| addRoundKey(s->state, &s->w[round * 4]); |
| } |
| |
| // round 10 |
| invSubBytes(s->state); |
| invShiftRows(s->state); |
| addRoundKey(s->state, &s->w[0]); |
| |
| // CBC |
| for (c = 0; c < 4; ++c) { |
| s->buf[4*c] = s->state[c] ^ s->cbc[4*c]; |
| s->buf[4*c+1] = s->state[4+c] ^ s->cbc[4*c+1]; |
| s->buf[4*c+2] = s->state[8+c] ^ s->cbc[4*c+2]; |
| s->buf[4*c+3] = s->state[12+c] ^ s->cbc[4*c+3]; |
| } |
| |
| // save the input block for the next CBC |
| for (i = 0; i < 16; ++i) { |
| s->cbc[i] = in[i]; |
| } |
| |
| // remove padding |
| s->bufIdx = 0; |
| if (last) { |
| n = s->buf[15]; |
| if (n < 1 || n > 16) { // this should never happen |
| n = 16; |
| } |
| for (i = 15; i >= n; --i) { |
| s->buf[i] = s->buf[i-n]; |
| } |
| s->bufIdx = n; |
| } |
| } |
| |
| //------------------------------------------------------------------------ |
| // AES-256 decryption |
| //------------------------------------------------------------------------ |
| |
| static void aes256KeyExpansion(DecryptAES256State *s, |
| Guchar *objKey, int objKeyLen, GBool decrypt) { |
| Guint temp; |
| int i, round; |
| |
| //~ this assumes objKeyLen == 32 |
| |
| for (i = 0; i < 8; ++i) { |
| s->w[i] = (objKey[4*i] << 24) + (objKey[4*i+1] << 16) + |
| (objKey[4*i+2] << 8) + objKey[4*i+3]; |
| } |
| for (i = 8; i < 60; ++i) { |
| temp = s->w[i-1]; |
| if ((i & 7) == 0) { |
| temp = subWord(rotWord(temp)) ^ rcon[i/8]; |
| } else if ((i & 7) == 4) { |
| temp = subWord(temp); |
| } |
| s->w[i] = s->w[i-8] ^ temp; |
| } |
| |
| /* In case of decryption, adjust the key schedule for the equivalent inverse cipher */ |
| if (decrypt) { |
| for (round = 1; round <= 13; ++round) { |
| invMixColumnsW(&s->w[round * 4]); |
| } |
| } |
| } |
| |
| static void aes256EncryptBlock(DecryptAES256State *s, Guchar *in) { |
| int c, round; |
| |
| // initial state (input is xor'd with previous output because of CBC) |
| for (c = 0; c < 4; ++c) { |
| s->state[c] = in[4*c] ^ s->buf[4*c]; |
| s->state[4+c] = in[4*c+1] ^ s->buf[4*c+1]; |
| s->state[8+c] = in[4*c+2] ^ s->buf[4*c+2]; |
| s->state[12+c] = in[4*c+3] ^ s->buf[4*c+3]; |
| } |
| |
| // round 0 |
| addRoundKey(s->state, &s->w[0]); |
| |
| // rounds 1-13 |
| for (round = 1; round <= 13; ++round) { |
| subBytes(s->state); |
| shiftRows(s->state); |
| mixColumns(s->state); |
| addRoundKey(s->state, &s->w[round * 4]); |
| } |
| |
| // round 14 |
| subBytes(s->state); |
| shiftRows(s->state); |
| addRoundKey(s->state, &s->w[14 * 4]); |
| |
| for (c = 0; c < 4; ++c) { |
| s->buf[4*c] = s->state[c]; |
| s->buf[4*c+1] = s->state[4+c]; |
| s->buf[4*c+2] = s->state[8+c]; |
| s->buf[4*c+3] = s->state[12+c]; |
| } |
| |
| s->bufIdx = 0; |
| } |
| |
| static void aes256DecryptBlock(DecryptAES256State *s, Guchar *in, GBool last) { |
| int c, round, n, i; |
| |
| // initial state |
| for (c = 0; c < 4; ++c) { |
| s->state[c] = in[4*c]; |
| s->state[4+c] = in[4*c+1]; |
| s->state[8+c] = in[4*c+2]; |
| s->state[12+c] = in[4*c+3]; |
| } |
| |
| // round 0 |
| addRoundKey(s->state, &s->w[14 * 4]); |
| |
| // rounds 13-1 |
| for (round = 13; round >= 1; --round) { |
| invSubBytes(s->state); |
| invShiftRows(s->state); |
| invMixColumns(s->state); |
| addRoundKey(s->state, &s->w[round * 4]); |
| } |
| |
| // round 14 |
| invSubBytes(s->state); |
| invShiftRows(s->state); |
| addRoundKey(s->state, &s->w[0]); |
| |
| // CBC |
| for (c = 0; c < 4; ++c) { |
| s->buf[4*c] = s->state[c] ^ s->cbc[4*c]; |
| s->buf[4*c+1] = s->state[4+c] ^ s->cbc[4*c+1]; |
| s->buf[4*c+2] = s->state[8+c] ^ s->cbc[4*c+2]; |
| s->buf[4*c+3] = s->state[12+c] ^ s->cbc[4*c+3]; |
| } |
| |
| // save the input block for the next CBC |
| for (i = 0; i < 16; ++i) { |
| s->cbc[i] = in[i]; |
| } |
| |
| // remove padding |
| s->bufIdx = 0; |
| if (last) { |
| n = s->buf[15]; |
| if (n < 1 || n > 16) { // this should never happen |
| n = 16; |
| } |
| for (i = 15; i >= n; --i) { |
| s->buf[i] = s->buf[i-n]; |
| } |
| s->bufIdx = n; |
| if (n > 16) |
| { |
| error(errSyntaxError, -1, "Reducing bufIdx from {0:d} to 16 to not crash", n); |
| s->bufIdx = 16; |
| } |
| } |
| } |
| |
| //------------------------------------------------------------------------ |
| // MD5 message digest |
| //------------------------------------------------------------------------ |
| |
| // this works around a bug in older Sun compilers |
| static inline Gulong rotateLeft(Gulong x, int r) { |
| x &= 0xffffffff; |
| return ((x << r) | (x >> (32 - r))) & 0xffffffff; |
| } |
| |
| static inline Gulong md5Round1(Gulong a, Gulong b, Gulong c, Gulong d, |
| Gulong Xk, Gulong s, Gulong Ti) { |
| return b + rotateLeft((a + ((b & c) | (~b & d)) + Xk + Ti), s); |
| } |
| |
| static inline Gulong md5Round2(Gulong a, Gulong b, Gulong c, Gulong d, |
| Gulong Xk, Gulong s, Gulong Ti) { |
| return b + rotateLeft((a + ((b & d) | (c & ~d)) + Xk + Ti), s); |
| } |
| |
| static inline Gulong md5Round3(Gulong a, Gulong b, Gulong c, Gulong d, |
| Gulong Xk, Gulong s, Gulong Ti) { |
| return b + rotateLeft((a + (b ^ c ^ d) + Xk + Ti), s); |
| } |
| |
| static inline Gulong md5Round4(Gulong a, Gulong b, Gulong c, Gulong d, |
| Gulong Xk, Gulong s, Gulong Ti) { |
| return b + rotateLeft((a + (c ^ (b | ~d)) + Xk + Ti), s); |
| } |
| |
| void md5(Guchar *msg, int msgLen, Guchar *digest) { |
| Gulong x[16]; |
| Gulong a, b, c, d, aa, bb, cc, dd; |
| int n64; |
| int i, j, k; |
| |
| // sanity check |
| if (msgLen < 0) { |
| return; |
| } |
| |
| // compute number of 64-byte blocks |
| // (length + pad byte (0x80) + 8 bytes for length) |
| n64 = (msgLen + 1 + 8 + 63) / 64; |
| |
| // initialize a, b, c, d |
| a = 0x67452301; |
| b = 0xefcdab89; |
| c = 0x98badcfe; |
| d = 0x10325476; |
| |
| // loop through blocks |
| k = 0; |
| for (i = 0; i < n64; ++i) { |
| |
| // grab a 64-byte block |
| for (j = 0; j < 16 && k < msgLen - 3; ++j, k += 4) |
| x[j] = (((((msg[k+3] << 8) + msg[k+2]) << 8) + msg[k+1]) << 8) + msg[k]; |
| if (i == n64 - 1) { |
| if (k == msgLen - 3) |
| x[j] = 0x80000000 + (((msg[k+2] << 8) + msg[k+1]) << 8) + msg[k]; |
| else if (k == msgLen - 2) |
| x[j] = 0x800000 + (msg[k+1] << 8) + msg[k]; |
| else if (k == msgLen - 1) |
| x[j] = 0x8000 + msg[k]; |
| else |
| x[j] = 0x80; |
| ++j; |
| while (j < 16) |
| x[j++] = 0; |
| x[14] = msgLen << 3; |
| } |
| |
| // save a, b, c, d |
| aa = a; |
| bb = b; |
| cc = c; |
| dd = d; |
| |
| // round 1 |
| a = md5Round1(a, b, c, d, x[0], 7, 0xd76aa478); |
| d = md5Round1(d, a, b, c, x[1], 12, 0xe8c7b756); |
| c = md5Round1(c, d, a, b, x[2], 17, 0x242070db); |
| b = md5Round1(b, c, d, a, x[3], 22, 0xc1bdceee); |
| a = md5Round1(a, b, c, d, x[4], 7, 0xf57c0faf); |
| d = md5Round1(d, a, b, c, x[5], 12, 0x4787c62a); |
| c = md5Round1(c, d, a, b, x[6], 17, 0xa8304613); |
| b = md5Round1(b, c, d, a, x[7], 22, 0xfd469501); |
| a = md5Round1(a, b, c, d, x[8], 7, 0x698098d8); |
| d = md5Round1(d, a, b, c, x[9], 12, 0x8b44f7af); |
| c = md5Round1(c, d, a, b, x[10], 17, 0xffff5bb1); |
| b = md5Round1(b, c, d, a, x[11], 22, 0x895cd7be); |
| a = md5Round1(a, b, c, d, x[12], 7, 0x6b901122); |
| d = md5Round1(d, a, b, c, x[13], 12, 0xfd987193); |
| c = md5Round1(c, d, a, b, x[14], 17, 0xa679438e); |
| b = md5Round1(b, c, d, a, x[15], 22, 0x49b40821); |
| |
| // round 2 |
| a = md5Round2(a, b, c, d, x[1], 5, 0xf61e2562); |
| d = md5Round2(d, a, b, c, x[6], 9, 0xc040b340); |
| c = md5Round2(c, d, a, b, x[11], 14, 0x265e5a51); |
| b = md5Round2(b, c, d, a, x[0], 20, 0xe9b6c7aa); |
| a = md5Round2(a, b, c, d, x[5], 5, 0xd62f105d); |
| d = md5Round2(d, a, b, c, x[10], 9, 0x02441453); |
| c = md5Round2(c, d, a, b, x[15], 14, 0xd8a1e681); |
| b = md5Round2(b, c, d, a, x[4], 20, 0xe7d3fbc8); |
| a = md5Round2(a, b, c, d, x[9], 5, 0x21e1cde6); |
| d = md5Round2(d, a, b, c, x[14], 9, 0xc33707d6); |
| c = md5Round2(c, d, a, b, x[3], 14, 0xf4d50d87); |
| b = md5Round2(b, c, d, a, x[8], 20, 0x455a14ed); |
| a = md5Round2(a, b, c, d, x[13], 5, 0xa9e3e905); |
| d = md5Round2(d, a, b, c, x[2], 9, 0xfcefa3f8); |
| c = md5Round2(c, d, a, b, x[7], 14, 0x676f02d9); |
| b = md5Round2(b, c, d, a, x[12], 20, 0x8d2a4c8a); |
| |
| // round 3 |
| a = md5Round3(a, b, c, d, x[5], 4, 0xfffa3942); |
| d = md5Round3(d, a, b, c, x[8], 11, 0x8771f681); |
| c = md5Round3(c, d, a, b, x[11], 16, 0x6d9d6122); |
| b = md5Round3(b, c, d, a, x[14], 23, 0xfde5380c); |
| a = md5Round3(a, b, c, d, x[1], 4, 0xa4beea44); |
| d = md5Round3(d, a, b, c, x[4], 11, 0x4bdecfa9); |
| c = md5Round3(c, d, a, b, x[7], 16, 0xf6bb4b60); |
| b = md5Round3(b, c, d, a, x[10], 23, 0xbebfbc70); |
| a = md5Round3(a, b, c, d, x[13], 4, 0x289b7ec6); |
| d = md5Round3(d, a, b, c, x[0], 11, 0xeaa127fa); |
| c = md5Round3(c, d, a, b, x[3], 16, 0xd4ef3085); |
| b = md5Round3(b, c, d, a, x[6], 23, 0x04881d05); |
| a = md5Round3(a, b, c, d, x[9], 4, 0xd9d4d039); |
| d = md5Round3(d, a, b, c, x[12], 11, 0xe6db99e5); |
| c = md5Round3(c, d, a, b, x[15], 16, 0x1fa27cf8); |
| b = md5Round3(b, c, d, a, x[2], 23, 0xc4ac5665); |
| |
| // round 4 |
| a = md5Round4(a, b, c, d, x[0], 6, 0xf4292244); |
| d = md5Round4(d, a, b, c, x[7], 10, 0x432aff97); |
| c = md5Round4(c, d, a, b, x[14], 15, 0xab9423a7); |
| b = md5Round4(b, c, d, a, x[5], 21, 0xfc93a039); |
| a = md5Round4(a, b, c, d, x[12], 6, 0x655b59c3); |
| d = md5Round4(d, a, b, c, x[3], 10, 0x8f0ccc92); |
| c = md5Round4(c, d, a, b, x[10], 15, 0xffeff47d); |
| b = md5Round4(b, c, d, a, x[1], 21, 0x85845dd1); |
| a = md5Round4(a, b, c, d, x[8], 6, 0x6fa87e4f); |
| d = md5Round4(d, a, b, c, x[15], 10, 0xfe2ce6e0); |
| c = md5Round4(c, d, a, b, x[6], 15, 0xa3014314); |
| b = md5Round4(b, c, d, a, x[13], 21, 0x4e0811a1); |
| a = md5Round4(a, b, c, d, x[4], 6, 0xf7537e82); |
| d = md5Round4(d, a, b, c, x[11], 10, 0xbd3af235); |
| c = md5Round4(c, d, a, b, x[2], 15, 0x2ad7d2bb); |
| b = md5Round4(b, c, d, a, x[9], 21, 0xeb86d391); |
| |
| // increment a, b, c, d |
| a += aa; |
| b += bb; |
| c += cc; |
| d += dd; |
| } |
| |
| // break digest into bytes |
| digest[0] = (Guchar)(a & 0xff); |
| digest[1] = (Guchar)((a >>= 8) & 0xff); |
| digest[2] = (Guchar)((a >>= 8) & 0xff); |
| digest[3] = (Guchar)((a >>= 8) & 0xff); |
| digest[4] = (Guchar)(b & 0xff); |
| digest[5] = (Guchar)((b >>= 8) & 0xff); |
| digest[6] = (Guchar)((b >>= 8) & 0xff); |
| digest[7] = (Guchar)((b >>= 8) & 0xff); |
| digest[8] = (Guchar)(c & 0xff); |
| digest[9] = (Guchar)((c >>= 8) & 0xff); |
| digest[10] = (Guchar)((c >>= 8) & 0xff); |
| digest[11] = (Guchar)((c >>= 8) & 0xff); |
| digest[12] = (Guchar)(d & 0xff); |
| digest[13] = (Guchar)((d >>= 8) & 0xff); |
| digest[14] = (Guchar)((d >>= 8) & 0xff); |
| digest[15] = (Guchar)((d >>= 8) & 0xff); |
| } |
| |
| //------------------------------------------------------------------------ |
| // SHA-256 hash |
| //------------------------------------------------------------------------ |
| |
| static Guint sha256K[64] = { |
| 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, |
| 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, |
| 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, |
| 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, |
| 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, |
| 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, |
| 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, |
| 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, |
| 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, |
| 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, |
| 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, |
| 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, |
| 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, |
| 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, |
| 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, |
| 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 |
| }; |
| |
| static inline Guint rotr(Guint x, Guint n) { |
| return (x >> n) | (x << (32 - n)); |
| } |
| |
| static inline Guint sha256Ch(Guint x, Guint y, Guint z) { |
| return (x & y) ^ (~x & z); |
| } |
| |
| static inline Guint sha256Maj(Guint x, Guint y, Guint z) { |
| return (x & y) ^ (x & z) ^ (y & z); |
| } |
| |
| static inline Guint sha256Sigma0(Guint x) { |
| return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22); |
| } |
| |
| static inline Guint sha256Sigma1(Guint x) { |
| return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25); |
| } |
| |
| static inline Guint sha256sigma0(Guint x) { |
| return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3); |
| } |
| |
| static inline Guint sha256sigma1(Guint x) { |
| return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10); |
| } |
| |
| void sha256HashBlock(Guchar *blk, Guint *H) { |
| Guint W[64]; |
| Guint a, b, c, d, e, f, g, h; |
| Guint T1, T2; |
| Guint t; |
| |
| // 1. prepare the message schedule |
| for (t = 0; t < 16; ++t) { |
| W[t] = (blk[t*4] << 24) | |
| (blk[t*4 + 1] << 16) | |
| (blk[t*4 + 2] << 8) | |
| blk[t*4 + 3]; |
| } |
| for (t = 16; t < 64; ++t) { |
| W[t] = sha256sigma1(W[t-2]) + W[t-7] + sha256sigma0(W[t-15]) + W[t-16]; |
| } |
| |
| // 2. initialize the eight working variables |
| a = H[0]; |
| b = H[1]; |
| c = H[2]; |
| d = H[3]; |
| e = H[4]; |
| f = H[5]; |
| g = H[6]; |
| h = H[7]; |
| |
| // 3. |
| for (t = 0; t < 64; ++t) { |
| T1 = h + sha256Sigma1(e) + sha256Ch(e,f,g) + sha256K[t] + W[t]; |
| T2 = sha256Sigma0(a) + sha256Maj(a,b,c); |
| h = g; |
| g = f; |
| f = e; |
| e = d + T1; |
| d = c; |
| c = b; |
| b = a; |
| a = T1 + T2; |
| } |
| |
| // 4. compute the intermediate hash value |
| H[0] += a; |
| H[1] += b; |
| H[2] += c; |
| H[3] += d; |
| H[4] += e; |
| H[5] += f; |
| H[6] += g; |
| H[7] += h; |
| } |
| |
| static void sha256(Guchar *msg, int msgLen, Guchar *hash) { |
| Guchar blk[64]; |
| Guint H[8]; |
| int blkLen, i; |
| |
| H[0] = 0x6a09e667; |
| H[1] = 0xbb67ae85; |
| H[2] = 0x3c6ef372; |
| H[3] = 0xa54ff53a; |
| H[4] = 0x510e527f; |
| H[5] = 0x9b05688c; |
| H[6] = 0x1f83d9ab; |
| H[7] = 0x5be0cd19; |
| |
| blkLen = 0; |
| for (i = 0; i + 64 <= msgLen; i += 64) { |
| sha256HashBlock(msg + i, H); |
| } |
| blkLen = msgLen - i; |
| if (blkLen > 0) { |
| memcpy(blk, msg + i, blkLen); |
| } |
| |
| // pad the message |
| blk[blkLen++] = 0x80; |
| if (blkLen > 56) { |
| while (blkLen < 64) { |
| blk[blkLen++] = 0; |
| } |
| sha256HashBlock(blk, H); |
| blkLen = 0; |
| } |
| while (blkLen < 56) { |
| blk[blkLen++] = 0; |
| } |
| blk[56] = 0; |
| blk[57] = 0; |
| blk[58] = 0; |
| blk[59] = 0; |
| blk[60] = (Guchar)(msgLen >> 21); |
| blk[61] = (Guchar)(msgLen >> 13); |
| blk[62] = (Guchar)(msgLen >> 5); |
| blk[63] = (Guchar)(msgLen << 3); |
| sha256HashBlock(blk, H); |
| |
| // copy the output into the buffer (convert words to bytes) |
| for (i = 0; i < 8; ++i) { |
| hash[i*4] = (Guchar)(H[i] >> 24); |
| hash[i*4 + 1] = (Guchar)(H[i] >> 16); |
| hash[i*4 + 2] = (Guchar)(H[i] >> 8); |
| hash[i*4 + 3] = (Guchar)H[i]; |
| } |
| } |