mirror of
http://git.whoc.org.uk/git/password-manager.git
synced 2024-11-14 07:59:02 +01:00
07d0357bee
- updated reference dates; - removed reference to Community Edition; - normalized logging using Clipperz.log[Warn|Error|Debug]
1848 lines
61 KiB
JavaScript
1848 lines
61 KiB
JavaScript
/*
|
|
|
|
Copyright 2008-2013 Clipperz Srl
|
|
|
|
This file is part of Clipperz, the online password manager.
|
|
For further information about its features and functionalities please
|
|
refer to http://www.clipperz.com.
|
|
|
|
* Clipperz is free software: you can redistribute it and/or modify it
|
|
under the terms of the GNU Affero General Public License as published
|
|
by the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
* Clipperz is distributed in the hope that it will be useful, but
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
See the GNU Affero General Public License for more details.
|
|
|
|
* You should have received a copy of the GNU Affero General Public
|
|
License along with Clipperz. If not, see http://www.gnu.org/licenses/.
|
|
|
|
*/
|
|
|
|
try { if (typeof(Clipperz.Base) == 'undefined') { throw ""; }} catch (e) {
|
|
throw "Clipperz.Crypto.Base depends on Clipperz.Base!";
|
|
}
|
|
|
|
if (typeof(Clipperz.Crypto) == 'undefined') { Clipperz.Crypto = {}; }
|
|
if (typeof(Clipperz.Crypto.Base) == 'undefined') { Clipperz.Crypto.Base = {}; }
|
|
|
|
Clipperz.Crypto.Base.VERSION = "0.1";
|
|
Clipperz.Crypto.Base.NAME = "Clipperz.Crypto.Base";
|
|
|
|
//#############################################################################
|
|
// Downloaded on March 30, 2006 from http://anmar.eu.org/projects/jssha2/files/jssha2-0.3.zip (jsSha2/sha256.js)
|
|
//#############################################################################
|
|
|
|
/* A JavaScript implementation of the Secure Hash Algorithm, SHA-256
|
|
* Version 0.3 Copyright Angel Marin 2003-2004 - http://anmar.eu.org/
|
|
* Distributed under the BSD License
|
|
* Some bits taken from Paul Johnston's SHA-1 implementation
|
|
*/
|
|
var chrsz = 8; /* bits per input character. 8 - ASCII; 16 - Unicode */
|
|
function safe_add (x, y) {
|
|
var lsw = (x & 0xFFFF) + (y & 0xFFFF);
|
|
var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
|
|
return (msw << 16) | (lsw & 0xFFFF);
|
|
}
|
|
function S (X, n) {return ( X >>> n ) | (X << (32 - n));}
|
|
function R (X, n) {return ( X >>> n );}
|
|
function Ch(x, y, z) {return ((x & y) ^ ((~x) & z));}
|
|
function Maj(x, y, z) {return ((x & y) ^ (x & z) ^ (y & z));}
|
|
function Sigma0256(x) {return (S(x, 2) ^ S(x, 13) ^ S(x, 22));}
|
|
function Sigma1256(x) {return (S(x, 6) ^ S(x, 11) ^ S(x, 25));}
|
|
function Gamma0256(x) {return (S(x, 7) ^ S(x, 18) ^ R(x, 3));}
|
|
function Gamma1256(x) {return (S(x, 17) ^ S(x, 19) ^ R(x, 10));}
|
|
function core_sha256 (m, l) {
|
|
var K = new Array(0x428A2F98,0x71374491,0xB5C0FBCF,0xE9B5DBA5,0x3956C25B,0x59F111F1,0x923F82A4,0xAB1C5ED5,0xD807AA98,0x12835B01,0x243185BE,0x550C7DC3,0x72BE5D74,0x80DEB1FE,0x9BDC06A7,0xC19BF174,0xE49B69C1,0xEFBE4786,0xFC19DC6,0x240CA1CC,0x2DE92C6F,0x4A7484AA,0x5CB0A9DC,0x76F988DA,0x983E5152,0xA831C66D,0xB00327C8,0xBF597FC7,0xC6E00BF3,0xD5A79147,0x6CA6351,0x14292967,0x27B70A85,0x2E1B2138,0x4D2C6DFC,0x53380D13,0x650A7354,0x766A0ABB,0x81C2C92E,0x92722C85,0xA2BFE8A1,0xA81A664B,0xC24B8B70,0xC76C51A3,0xD192E819,0xD6990624,0xF40E3585,0x106AA070,0x19A4C116,0x1E376C08,0x2748774C,0x34B0BCB5,0x391C0CB3,0x4ED8AA4A,0x5B9CCA4F,0x682E6FF3,0x748F82EE,0x78A5636F,0x84C87814,0x8CC70208,0x90BEFFFA,0xA4506CEB,0xBEF9A3F7,0xC67178F2);
|
|
var HASH = new Array(0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19);
|
|
var W = new Array(64);
|
|
var a, b, c, d, e, f, g, h, i, j;
|
|
var T1, T2;
|
|
/* append padding */
|
|
m[l >> 5] |= 0x80 << (24 - l % 32);
|
|
m[((l + 64 >> 9) << 4) + 15] = l;
|
|
for ( var i = 0; i<m.length; i+=16 ) {
|
|
a = HASH[0]; b = HASH[1]; c = HASH[2]; d = HASH[3]; e = HASH[4]; f = HASH[5]; g = HASH[6]; h = HASH[7];
|
|
for ( var j = 0; j<64; j++) {
|
|
if (j < 16) W[j] = m[j + i];
|
|
else W[j] = safe_add(safe_add(safe_add(Gamma1256(W[j - 2]), W[j - 7]), Gamma0256(W[j - 15])), W[j - 16]);
|
|
T1 = safe_add(safe_add(safe_add(safe_add(h, Sigma1256(e)), Ch(e, f, g)), K[j]), W[j]);
|
|
T2 = safe_add(Sigma0256(a), Maj(a, b, c));
|
|
h = g; g = f; f = e; e = safe_add(d, T1); d = c; c = b; b = a; a = safe_add(T1, T2);
|
|
}
|
|
HASH[0] = safe_add(a, HASH[0]); HASH[1] = safe_add(b, HASH[1]); HASH[2] = safe_add(c, HASH[2]); HASH[3] = safe_add(d, HASH[3]); HASH[4] = safe_add(e, HASH[4]); HASH[5] = safe_add(f, HASH[5]); HASH[6] = safe_add(g, HASH[6]); HASH[7] = safe_add(h, HASH[7]);
|
|
}
|
|
return HASH;
|
|
}
|
|
function str2binb (str) {
|
|
var bin = Array();
|
|
var mask = (1 << chrsz) - 1;
|
|
for(var i = 0; i < str.length * chrsz; i += chrsz)
|
|
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (24 - i%32);
|
|
return bin;
|
|
}
|
|
function binb2hex (binarray) {
|
|
var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */
|
|
var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
|
|
var str = "";
|
|
for (var i = 0; i < binarray.length * 4; i++) {
|
|
str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) + hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);
|
|
}
|
|
return str;
|
|
}
|
|
function hex_sha256(s){return binb2hex(core_sha256(str2binb(s),s.length * chrsz));}
|
|
|
|
|
|
|
|
//#############################################################################
|
|
// Downloaded on March 30, 2006 from http://www.fourmilab.ch/javascrypt/javascrypt.zip (entropy.js)
|
|
//#############################################################################
|
|
|
|
// Entropy collection utilities
|
|
|
|
/* Start by declaring static storage and initialise
|
|
the entropy vector from the time we come through
|
|
here. */
|
|
|
|
var entropyData = new Array(); // Collected entropy data
|
|
var edlen = 0; // Keyboard array data length
|
|
|
|
addEntropyTime(); // Start entropy collection with page load time
|
|
ce(); // Roll milliseconds into initial entropy
|
|
|
|
// Add a byte to the entropy vector
|
|
|
|
function addEntropyByte(b) {
|
|
entropyData[edlen++] = b;
|
|
}
|
|
|
|
/* Capture entropy. When the user presses a key or performs
|
|
various other events for which we can request
|
|
notification, add the time in 255ths of a second to the
|
|
entropyData array. The name of the function is short
|
|
so it doesn't bloat the form object declarations in
|
|
which it appears in various "onXXX" events. */
|
|
|
|
function ce() {
|
|
addEntropyByte(Math.floor((((new Date).getMilliseconds()) * 255) / 999));
|
|
}
|
|
|
|
// Add a 32 bit quantity to the entropy vector
|
|
|
|
function addEntropy32(w) {
|
|
var i;
|
|
|
|
for (i = 0; i < 4; i++) {
|
|
addEntropyByte(w & 0xFF);
|
|
w >>= 8;
|
|
}
|
|
}
|
|
|
|
/* Add the current time and date (milliseconds since the epoch,
|
|
truncated to 32 bits) to the entropy vector. */
|
|
|
|
function addEntropyTime() {
|
|
addEntropy32((new Date()).getTime());
|
|
}
|
|
|
|
/* Start collection of entropy from mouse movements. The
|
|
argument specifies the number of entropy items to be
|
|
obtained from mouse motion, after which mouse motion
|
|
will be ignored. Note that you can re-enable mouse
|
|
motion collection at any time if not already underway. */
|
|
|
|
var mouseMotionCollect = 0;
|
|
var oldMoveHandler; // For saving and restoring mouse move handler in IE4
|
|
|
|
function mouseMotionEntropy(maxsamp) {
|
|
if (mouseMotionCollect <= 0) {
|
|
mouseMotionCollect = maxsamp;
|
|
if ((document.implementation.hasFeature("Events", "2.0")) &&
|
|
document.addEventListener) {
|
|
// Browser supports Document Object Model (DOM) 2 events
|
|
document.addEventListener("mousemove", mouseMoveEntropy, false);
|
|
} else {
|
|
if (document.attachEvent) {
|
|
// Internet Explorer 5 and above event model
|
|
document.attachEvent("onmousemove", mouseMoveEntropy);
|
|
} else {
|
|
// Internet Explorer 4 event model
|
|
oldMoveHandler = document.onmousemove;
|
|
document.onmousemove = mouseMoveEntropy;
|
|
}
|
|
}
|
|
//dump("Mouse enable", mouseMotionCollect);
|
|
}
|
|
}
|
|
|
|
/* Collect entropy from mouse motion events. Note that
|
|
this is craftily coded to work with either DOM2 or Internet
|
|
Explorer style events. Note that we don't use every successive
|
|
mouse movement event. Instead, we XOR the three bytes collected
|
|
from the mouse and use that to determine how many subsequent
|
|
mouse movements we ignore before capturing the next one. */
|
|
|
|
var mouseEntropyTime = 0; // Delay counter for mouse entropy collection
|
|
|
|
function mouseMoveEntropy(e) {
|
|
if (!e) {
|
|
e = window.event; // Internet Explorer event model
|
|
}
|
|
if (mouseMotionCollect > 0) {
|
|
if (mouseEntropyTime-- <= 0) {
|
|
addEntropyByte(e.screenX & 0xFF);
|
|
addEntropyByte(e.screenY & 0xFF);
|
|
ce();
|
|
mouseMotionCollect--;
|
|
mouseEntropyTime = (entropyData[edlen - 3] ^ entropyData[edlen - 2] ^
|
|
entropyData[edlen - 1]) % 19;
|
|
//dump("Mouse Move", byteArrayToHex(entropyData.slice(-3)));
|
|
}
|
|
if (mouseMotionCollect <= 0) {
|
|
if (document.removeEventListener) {
|
|
document.removeEventListener("mousemove", mouseMoveEntropy, false);
|
|
} else if (document.detachEvent) {
|
|
document.detachEvent("onmousemove", mouseMoveEntropy);
|
|
} else {
|
|
document.onmousemove = oldMoveHandler;
|
|
}
|
|
//dump("Spung!", 0);
|
|
}
|
|
}
|
|
}
|
|
|
|
/* Compute a 32 byte key value from the entropy vector.
|
|
We compute the value by taking the MD5 sum of the even
|
|
and odd bytes respectively of the entropy vector, then
|
|
concatenating the two MD5 sums. */
|
|
|
|
function keyFromEntropy() {
|
|
var i, k = new Array(32);
|
|
|
|
if (edlen == 0) {
|
|
alert("Blooie! Entropy vector void at call to keyFromEntropy.");
|
|
}
|
|
//dump("Entropy bytes", edlen);
|
|
|
|
md5_init();
|
|
for (i = 0; i < edlen; i += 2) {
|
|
md5_update(entropyData[i]);
|
|
}
|
|
md5_finish();
|
|
for (i = 0; i < 16; i++) {
|
|
k[i] = digestBits[i];
|
|
}
|
|
|
|
md5_init();
|
|
for (i = 1; i < edlen; i += 2) {
|
|
md5_update(entropyData[i]);
|
|
}
|
|
md5_finish();
|
|
for (i = 0; i < 16; i++) {
|
|
k[i + 16] = digestBits[i];
|
|
}
|
|
|
|
//dump("keyFromEntropy", byteArrayToHex(k));
|
|
return k;
|
|
}
|
|
|
|
//#############################################################################
|
|
// Downloaded on March 30, 2006 from http://www.fourmilab.ch/javascrypt/javascrypt.zip (aesprng.js)
|
|
//#############################################################################
|
|
|
|
|
|
// AES based pseudorandom number generator
|
|
|
|
/* Constructor. Called with an array of 32 byte (0-255) values
|
|
containing the initial seed. */
|
|
|
|
function AESprng(seed) {
|
|
this.key = new Array();
|
|
this.key = seed;
|
|
this.itext = hexToByteArray("9F489613248148F9C27945C6AE62EECA3E3367BB14064E4E6DC67A9F28AB3BD1");
|
|
this.nbytes = 0; // Bytes left in buffer
|
|
|
|
this.next = AESprng_next;
|
|
this.nextbits = AESprng_nextbits;
|
|
this.nextInt = AESprng_nextInt;
|
|
this.round = AESprng_round;
|
|
|
|
/* Encrypt the initial text with the seed key
|
|
three times, feeding the output of the encryption
|
|
back into the key for the next round. */
|
|
|
|
bsb = blockSizeInBits;
|
|
blockSizeInBits = 256;
|
|
var i, ct;
|
|
for (i = 0; i < 3; i++) {
|
|
this.key = rijndaelEncrypt(this.itext, this.key, "ECB");
|
|
}
|
|
|
|
/* Now make between one and four additional
|
|
key-feedback rounds, with the number determined
|
|
by bits from the result of the first three
|
|
rounds. */
|
|
|
|
var n = 1 + (this.key[3] & 2) + (this.key[9] & 1);
|
|
for (i = 0; i < n; i++) {
|
|
this.key = rijndaelEncrypt(this.itext, this.key, "ECB");
|
|
}
|
|
blockSizeInBits = bsb;
|
|
}
|
|
|
|
function AESprng_round() {
|
|
bsb = blockSizeInBits;
|
|
blockSizeInBits = 256;
|
|
this.key = rijndaelEncrypt(this.itext, this.key, "ECB");
|
|
this.nbytes = 32;
|
|
blockSizeInBits = bsb;
|
|
}
|
|
|
|
// Return next byte from the generator
|
|
|
|
function AESprng_next() {
|
|
if (this.nbytes <= 0) {
|
|
this.round();
|
|
}
|
|
return(this.key[--this.nbytes]);
|
|
}
|
|
|
|
// Return n bit integer value (up to maximum integer size)
|
|
|
|
function AESprng_nextbits(n) {
|
|
var i, w = 0, nbytes = Math.floor((n + 7) / 8);
|
|
|
|
for (i = 0; i < nbytes; i++) {
|
|
w = (w << 8) | this.next();
|
|
}
|
|
return w & ((1 << n) - 1);
|
|
}
|
|
|
|
// Return integer between 0 and n inclusive
|
|
|
|
function AESprng_nextInt(n) {
|
|
var p = 1, nb = 0;
|
|
|
|
// Determine smallest p, 2^p > n
|
|
// nb = log_2 p
|
|
|
|
while (n >= p) {
|
|
p <<= 1;
|
|
nb++;
|
|
}
|
|
p--;
|
|
|
|
/* Generate values from 0 through n by first generating
|
|
values v from 0 to (2^p)-1, then discarding any results v > n.
|
|
For the rationale behind this (and why taking
|
|
values mod (n + 1) is biased toward smaller values, see
|
|
Ferguson and Schneier, "Practical Cryptography",
|
|
ISBN 0-471-22357-3, section 10.8). */
|
|
|
|
while (true) {
|
|
var v = this.nextbits(nb) & p;
|
|
|
|
if (v <= n) {
|
|
return v;
|
|
}
|
|
}
|
|
}
|
|
|
|
//#############################################################################
|
|
// Downloaded on March 30, 2006 from http://www.fourmilab.ch/javascrypt/javascrypt.zip (md5.js)
|
|
//#############################################################################
|
|
|
|
/*
|
|
* md5.jvs 1.0b 27/06/96
|
|
*
|
|
* Javascript implementation of the RSA Data Security, Inc. MD5
|
|
* Message-Digest Algorithm.
|
|
*
|
|
* Copyright (c) 1996 Henri Torgemane. All Rights Reserved.
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software
|
|
* and its documentation for any purposes and without
|
|
* fee is hereby granted provided that this copyright notice
|
|
* appears in all copies.
|
|
*
|
|
* Of course, this soft is provided "as is" without express or implied
|
|
* warranty of any kind.
|
|
|
|
This version contains some trivial reformatting modifications
|
|
by John Walker.
|
|
|
|
*/
|
|
|
|
function array(n) {
|
|
for (i = 0; i < n; i++) {
|
|
this[i] = 0;
|
|
}
|
|
this.length = n;
|
|
}
|
|
|
|
/* Some basic logical functions had to be rewritten because of a bug in
|
|
* Javascript.. Just try to compute 0xffffffff >> 4 with it..
|
|
* Of course, these functions are slower than the original would be, but
|
|
* at least, they work!
|
|
*/
|
|
|
|
function integer(n) {
|
|
return n % (0xffffffff + 1);
|
|
}
|
|
|
|
function shr(a, b) {
|
|
a = integer(a);
|
|
b = integer(b);
|
|
if (a - 0x80000000 >= 0) {
|
|
a = a % 0x80000000;
|
|
a >>= b;
|
|
a += 0x40000000 >> (b - 1);
|
|
} else {
|
|
a >>= b;
|
|
}
|
|
return a;
|
|
}
|
|
|
|
function shl1(a) {
|
|
a = a % 0x80000000;
|
|
if (a & 0x40000000 == 0x40000000) {
|
|
a -= 0x40000000;
|
|
a *= 2;
|
|
a += 0x80000000;
|
|
} else {
|
|
a *= 2;
|
|
}
|
|
return a;
|
|
}
|
|
|
|
function shl(a, b) {
|
|
a = integer(a);
|
|
b = integer(b);
|
|
for (var i = 0; i < b; i++) {
|
|
a = shl1(a);
|
|
}
|
|
return a;
|
|
}
|
|
|
|
function and(a, b) {
|
|
a = integer(a);
|
|
b = integer(b);
|
|
var t1 = a - 0x80000000;
|
|
var t2 = b - 0x80000000;
|
|
if (t1 >= 0) {
|
|
if (t2 >= 0) {
|
|
return ((t1 & t2) + 0x80000000);
|
|
} else {
|
|
return (t1 & b);
|
|
}
|
|
} else {
|
|
if (t2 >= 0) {
|
|
return (a & t2);
|
|
} else {
|
|
return (a & b);
|
|
}
|
|
}
|
|
}
|
|
|
|
function or(a, b) {
|
|
a = integer(a);
|
|
b = integer(b);
|
|
var t1 = a - 0x80000000;
|
|
var t2 = b - 0x80000000;
|
|
if (t1 >= 0) {
|
|
if (t2 >= 0) {
|
|
return ((t1 | t2) + 0x80000000);
|
|
} else {
|
|
return ((t1 | b) + 0x80000000);
|
|
}
|
|
} else {
|
|
if (t2 >= 0) {
|
|
return ((a | t2) + 0x80000000);
|
|
} else {
|
|
return (a | b);
|
|
}
|
|
}
|
|
}
|
|
|
|
function xor(a, b) {
|
|
a = integer(a);
|
|
b = integer(b);
|
|
var t1 = a - 0x80000000;
|
|
var t2 = b - 0x80000000;
|
|
if (t1 >= 0) {
|
|
if (t2 >= 0) {
|
|
return (t1 ^ t2);
|
|
} else {
|
|
return ((t1 ^ b) + 0x80000000);
|
|
}
|
|
} else {
|
|
if (t2 >= 0) {
|
|
return ((a ^ t2) + 0x80000000);
|
|
} else {
|
|
return (a ^ b);
|
|
}
|
|
}
|
|
}
|
|
|
|
function not(a) {
|
|
a = integer(a);
|
|
return 0xffffffff - a;
|
|
}
|
|
|
|
/* Here begin the real algorithm */
|
|
|
|
var state = new array(4);
|
|
var count = new array(2);
|
|
count[0] = 0;
|
|
count[1] = 0;
|
|
var buffer = new array(64);
|
|
var transformBuffer = new array(16);
|
|
var digestBits = new array(16);
|
|
|
|
var S11 = 7;
|
|
var S12 = 12;
|
|
var S13 = 17;
|
|
var S14 = 22;
|
|
var S21 = 5;
|
|
var S22 = 9;
|
|
var S23 = 14;
|
|
var S24 = 20;
|
|
var S31 = 4;
|
|
var S32 = 11;
|
|
var S33 = 16;
|
|
var S34 = 23;
|
|
var S41 = 6;
|
|
var S42 = 10;
|
|
var S43 = 15;
|
|
var S44 = 21;
|
|
|
|
function F(x, y, z) {
|
|
return or(and(x, y), and(not(x), z));
|
|
}
|
|
|
|
function G(x, y, z) {
|
|
return or(and(x, z), and(y, not(z)));
|
|
}
|
|
|
|
function H(x, y, z) {
|
|
return xor(xor(x, y), z);
|
|
}
|
|
|
|
function I(x, y, z) {
|
|
return xor(y ,or(x , not(z)));
|
|
}
|
|
|
|
function rotateLeft(a, n) {
|
|
return or(shl(a, n), (shr(a, (32 - n))));
|
|
}
|
|
|
|
function FF(a, b, c, d, x, s, ac) {
|
|
a = a + F(b, c, d) + x + ac;
|
|
a = rotateLeft(a, s);
|
|
a = a + b;
|
|
return a;
|
|
}
|
|
|
|
function GG(a, b, c, d, x, s, ac) {
|
|
a = a + G(b, c, d) + x + ac;
|
|
a = rotateLeft(a, s);
|
|
a = a + b;
|
|
return a;
|
|
}
|
|
|
|
function HH(a, b, c, d, x, s, ac) {
|
|
a = a + H(b, c, d) + x + ac;
|
|
a = rotateLeft(a, s);
|
|
a = a + b;
|
|
return a;
|
|
}
|
|
|
|
function II(a, b, c, d, x, s, ac) {
|
|
a = a + I(b, c, d) + x + ac;
|
|
a = rotateLeft(a, s);
|
|
a = a + b;
|
|
return a;
|
|
}
|
|
|
|
function transform(buf, offset) {
|
|
var a = 0, b = 0, c = 0, d = 0;
|
|
var x = transformBuffer;
|
|
|
|
a = state[0];
|
|
b = state[1];
|
|
c = state[2];
|
|
d = state[3];
|
|
|
|
for (i = 0; i < 16; i++) {
|
|
x[i] = and(buf[i * 4 + offset], 0xFF);
|
|
for (j = 1; j < 4; j++) {
|
|
x[i] += shl(and(buf[i * 4 + j + offset] ,0xFF), j * 8);
|
|
}
|
|
}
|
|
|
|
/* Round 1 */
|
|
a = FF( a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
|
|
d = FF( d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
|
|
c = FF( c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
|
|
b = FF( b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
|
|
a = FF( a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
|
|
d = FF( d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
|
|
c = FF( c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
|
|
b = FF( b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
|
|
a = FF( a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
|
|
d = FF( d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
|
|
c = FF( c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
|
|
b = FF( b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
|
|
a = FF( a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
|
|
d = FF( d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
|
|
c = FF( c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
|
|
b = FF( b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
|
|
|
|
/* Round 2 */
|
|
a = GG( a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
|
|
d = GG( d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
|
|
c = GG( c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
|
|
b = GG( b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
|
|
a = GG( a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
|
|
d = GG( d, a, b, c, x[10], S22, 0x2441453); /* 22 */
|
|
c = GG( c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
|
|
b = GG( b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
|
|
a = GG( a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
|
|
d = GG( d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
|
|
c = GG( c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
|
|
b = GG( b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
|
|
a = GG( a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
|
|
d = GG( d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
|
|
c = GG( c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
|
|
b = GG( b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
|
|
|
|
/* Round 3 */
|
|
a = HH( a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
|
|
d = HH( d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
|
|
c = HH( c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
|
|
b = HH( b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
|
|
a = HH( a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
|
|
d = HH( d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
|
|
c = HH( c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
|
|
b = HH( b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
|
|
a = HH( a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
|
|
d = HH( d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
|
|
c = HH( c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
|
|
b = HH( b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
|
|
a = HH( a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
|
|
d = HH( d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
|
|
c = HH( c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
|
|
b = HH( b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
|
|
|
|
/* Round 4 */
|
|
a = II( a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
|
|
d = II( d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
|
|
c = II( c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
|
|
b = II( b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
|
|
a = II( a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
|
|
d = II( d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
|
|
c = II( c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
|
|
b = II( b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
|
|
a = II( a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
|
|
d = II( d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
|
|
c = II( c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
|
|
b = II( b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
|
|
a = II( a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
|
|
d = II( d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
|
|
c = II( c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
|
|
b = II( b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
|
|
|
|
state[0] += a;
|
|
state[1] += b;
|
|
state[2] += c;
|
|
state[3] += d;
|
|
|
|
}
|
|
|
|
function md5_init() {
|
|
count[0] = count[1] = 0;
|
|
state[0] = 0x67452301;
|
|
state[1] = 0xefcdab89;
|
|
state[2] = 0x98badcfe;
|
|
state[3] = 0x10325476;
|
|
for (i = 0; i < digestBits.length; i++) {
|
|
digestBits[i] = 0;
|
|
}
|
|
}
|
|
|
|
function md5_update(b) {
|
|
var index, i;
|
|
|
|
index = and(shr(count[0],3) , 0x3F);
|
|
if (count[0] < 0xFFFFFFFF - 7) {
|
|
count[0] += 8;
|
|
} else {
|
|
count[1]++;
|
|
count[0] -= 0xFFFFFFFF + 1;
|
|
count[0] += 8;
|
|
}
|
|
buffer[index] = and(b, 0xff);
|
|
if (index >= 63) {
|
|
transform(buffer, 0);
|
|
}
|
|
}
|
|
|
|
function md5_finish() {
|
|
var bits = new array(8);
|
|
var padding;
|
|
var i = 0, index = 0, padLen = 0;
|
|
|
|
for (i = 0; i < 4; i++) {
|
|
bits[i] = and(shr(count[0], (i * 8)), 0xFF);
|
|
}
|
|
for (i = 0; i < 4; i++) {
|
|
bits[i + 4] = and(shr(count[1], (i * 8)), 0xFF);
|
|
}
|
|
index = and(shr(count[0], 3), 0x3F);
|
|
padLen = (index < 56) ? (56 - index) : (120 - index);
|
|
padding = new array(64);
|
|
padding[0] = 0x80;
|
|
for (i = 0; i < padLen; i++) {
|
|
md5_update(padding[i]);
|
|
}
|
|
for (i = 0; i < 8; i++) {
|
|
md5_update(bits[i]);
|
|
}
|
|
|
|
for (i = 0; i < 4; i++) {
|
|
for (j = 0; j < 4; j++) {
|
|
digestBits[i * 4 + j] = and(shr(state[i], (j * 8)) , 0xFF);
|
|
}
|
|
}
|
|
}
|
|
|
|
/* End of the MD5 algorithm */
|
|
|
|
//#############################################################################
|
|
// Downloaded on March 30, 2006 from http://www.fourmilab.ch/javascrypt/javascrypt.zip (aes.js)
|
|
//#############################################################################
|
|
|
|
|
|
/* rijndael.js Rijndael Reference Implementation
|
|
|
|
This is a modified version of the software described below,
|
|
produced in September 2003 by John Walker for use in the
|
|
JavsScrypt browser-based encryption package. The principal
|
|
changes are replacing the original getRandomBytes function with
|
|
one which calls our pseudorandom generator (which must
|
|
be instantiated and seeded before the first call on getRandomBytes),
|
|
and changing keySizeInBits to 256. Some code not required by the
|
|
JavsScrypt application has been commented out. Please see
|
|
http://www.fourmilab.ch/javascrypt/ for further information on
|
|
JavaScrypt.
|
|
|
|
The following is the original copyright and application
|
|
information.
|
|
|
|
Copyright (c) 2001 Fritz Schneider
|
|
|
|
This software is provided as-is, without express or implied warranty.
|
|
Permission to use, copy, modify, distribute or sell this software, with or
|
|
without fee, for any purpose and by any individual or organization, is hereby
|
|
granted, provided that the above copyright notice and this paragraph appear
|
|
in all copies. Distribution as a part of an application or binary must
|
|
include the above copyright notice in the documentation and/or other materials
|
|
provided with the application or distribution.
|
|
|
|
As the above disclaimer notes, you are free to use this code however you
|
|
want. However, I would request that you send me an email
|
|
(fritz /at/ cs /dot/ ucsd /dot/ edu) to say hi if you find this code useful
|
|
or instructional. Seeing that people are using the code acts as
|
|
encouragement for me to continue development. If you *really* want to thank
|
|
me you can buy the book I wrote with Thomas Powell, _JavaScript:
|
|
_The_Complete_Reference_ :)
|
|
|
|
This code is an UNOPTIMIZED REFERENCE implementation of Rijndael.
|
|
If there is sufficient interest I can write an optimized (word-based,
|
|
table-driven) version, although you might want to consider using a
|
|
compiled language if speed is critical to your application. As it stands,
|
|
one run of the monte carlo test (10,000 encryptions) can take up to
|
|
several minutes, depending upon your processor. You shouldn't expect more
|
|
than a few kilobytes per second in throughput.
|
|
|
|
Also note that there is very little error checking in these functions.
|
|
Doing proper error checking is always a good idea, but the ideal
|
|
implementation (using the instanceof operator and exceptions) requires
|
|
IE5+/NS6+, and I've chosen to implement this code so that it is compatible
|
|
with IE4/NS4.
|
|
|
|
And finally, because JavaScript doesn't have an explicit byte/char data
|
|
type (although JavaScript 2.0 most likely will), when I refer to "byte"
|
|
in this code I generally mean "32 bit integer with value in the interval
|
|
[0,255]" which I treat as a byte.
|
|
|
|
See http://www-cse.ucsd.edu/~fritz/rijndael.html for more documentation
|
|
of the (very simple) API provided by this code.
|
|
|
|
Fritz Schneider
|
|
fritz at cs.ucsd.edu
|
|
|
|
*/
|
|
|
|
|
|
// Rijndael parameters -- Valid values are 128, 192, or 256
|
|
|
|
var keySizeInBits = 256;
|
|
var blockSizeInBits = 128;
|
|
|
|
//
|
|
// Note: in the following code the two dimensional arrays are indexed as
|
|
// you would probably expect, as array[row][column]. The state arrays
|
|
// are 2d arrays of the form state[4][Nb].
|
|
|
|
|
|
// The number of rounds for the cipher, indexed by [Nk][Nb]
|
|
var roundsArray = [ ,,,,[,,,,10,, 12,, 14],,
|
|
[,,,,12,, 12,, 14],,
|
|
[,,,,14,, 14,, 14] ];
|
|
|
|
// The number of bytes to shift by in shiftRow, indexed by [Nb][row]
|
|
var shiftOffsets = [ ,,,,[,1, 2, 3],,[,1, 2, 3],,[,1, 3, 4] ];
|
|
|
|
// The round constants used in subkey expansion
|
|
var Rcon = [
|
|
0x01, 0x02, 0x04, 0x08, 0x10, 0x20,
|
|
0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8,
|
|
0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc,
|
|
0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4,
|
|
0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91 ];
|
|
|
|
// Precomputed lookup table for the SBox
|
|
var SBox = [
|
|
99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171,
|
|
118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164,
|
|
114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113,
|
|
216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226,
|
|
235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214,
|
|
179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203,
|
|
190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69,
|
|
249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245,
|
|
188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68,
|
|
23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42,
|
|
144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73,
|
|
6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109,
|
|
141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37,
|
|
46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62,
|
|
181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225,
|
|
248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223,
|
|
140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187,
|
|
22 ];
|
|
|
|
// Precomputed lookup table for the inverse SBox
|
|
var SBoxInverse = [
|
|
82, 9, 106, 213, 48, 54, 165, 56, 191, 64, 163, 158, 129, 243, 215,
|
|
251, 124, 227, 57, 130, 155, 47, 255, 135, 52, 142, 67, 68, 196, 222,
|
|
233, 203, 84, 123, 148, 50, 166, 194, 35, 61, 238, 76, 149, 11, 66,
|
|
250, 195, 78, 8, 46, 161, 102, 40, 217, 36, 178, 118, 91, 162, 73,
|
|
109, 139, 209, 37, 114, 248, 246, 100, 134, 104, 152, 22, 212, 164, 92,
|
|
204, 93, 101, 182, 146, 108, 112, 72, 80, 253, 237, 185, 218, 94, 21,
|
|
70, 87, 167, 141, 157, 132, 144, 216, 171, 0, 140, 188, 211, 10, 247,
|
|
228, 88, 5, 184, 179, 69, 6, 208, 44, 30, 143, 202, 63, 15, 2,
|
|
193, 175, 189, 3, 1, 19, 138, 107, 58, 145, 17, 65, 79, 103, 220,
|
|
234, 151, 242, 207, 206, 240, 180, 230, 115, 150, 172, 116, 34, 231, 173,
|
|
53, 133, 226, 249, 55, 232, 28, 117, 223, 110, 71, 241, 26, 113, 29,
|
|
41, 197, 137, 111, 183, 98, 14, 170, 24, 190, 27, 252, 86, 62, 75,
|
|
198, 210, 121, 32, 154, 219, 192, 254, 120, 205, 90, 244, 31, 221, 168,
|
|
51, 136, 7, 199, 49, 177, 18, 16, 89, 39, 128, 236, 95, 96, 81,
|
|
127, 169, 25, 181, 74, 13, 45, 229, 122, 159, 147, 201, 156, 239, 160,
|
|
224, 59, 77, 174, 42, 245, 176, 200, 235, 187, 60, 131, 83, 153, 97,
|
|
23, 43, 4, 126, 186, 119, 214, 38, 225, 105, 20, 99, 85, 33, 12,
|
|
125 ];
|
|
|
|
// This method circularly shifts the array left by the number of elements
|
|
// given in its parameter. It returns the resulting array and is used for
|
|
// the ShiftRow step. Note that shift() and push() could be used for a more
|
|
// elegant solution, but they require IE5.5+, so I chose to do it manually.
|
|
|
|
function cyclicShiftLeft(theArray, positions) {
|
|
var temp = theArray.slice(0, positions);
|
|
theArray = theArray.slice(positions).concat(temp);
|
|
return theArray;
|
|
}
|
|
|
|
// Cipher parameters ... do not change these
|
|
var Nk = keySizeInBits / 32;
|
|
var Nb = blockSizeInBits / 32;
|
|
var Nr = roundsArray[Nk][Nb];
|
|
|
|
// Multiplies the element "poly" of GF(2^8) by x. See the Rijndael spec.
|
|
|
|
function xtime(poly) {
|
|
poly <<= 1;
|
|
return ((poly & 0x100) ? (poly ^ 0x11B) : (poly));
|
|
}
|
|
|
|
// Multiplies the two elements of GF(2^8) together and returns the result.
|
|
// See the Rijndael spec, but should be straightforward: for each power of
|
|
// the indeterminant that has a 1 coefficient in x, add y times that power
|
|
// to the result. x and y should be bytes representing elements of GF(2^8)
|
|
|
|
function mult_GF256(x, y) {
|
|
var bit, result = 0;
|
|
|
|
for (bit = 1; bit < 256; bit *= 2, y = xtime(y)) {
|
|
if (x & bit)
|
|
result ^= y;
|
|
}
|
|
return result;
|
|
}
|
|
|
|
// Performs the substitution step of the cipher. State is the 2d array of
|
|
// state information (see spec) and direction is string indicating whether
|
|
// we are performing the forward substitution ("encrypt") or inverse
|
|
// substitution (anything else)
|
|
|
|
function byteSub(state, direction) {
|
|
var S;
|
|
if (direction == "encrypt") // Point S to the SBox we're using
|
|
S = SBox;
|
|
else
|
|
S = SBoxInverse;
|
|
for (var i = 0; i < 4; i++) // Substitute for every byte in state
|
|
for (var j = 0; j < Nb; j++)
|
|
state[i][j] = S[state[i][j]];
|
|
}
|
|
|
|
// Performs the row shifting step of the cipher.
|
|
|
|
function shiftRow(state, direction) {
|
|
for (var i=1; i<4; i++) // Row 0 never shifts
|
|
if (direction == "encrypt")
|
|
state[i] = cyclicShiftLeft(state[i], shiftOffsets[Nb][i]);
|
|
else
|
|
state[i] = cyclicShiftLeft(state[i], Nb - shiftOffsets[Nb][i]);
|
|
|
|
}
|
|
|
|
// Performs the column mixing step of the cipher. Most of these steps can
|
|
// be combined into table lookups on 32bit values (at least for encryption)
|
|
// to greatly increase the speed.
|
|
|
|
function mixColumn(state, direction) {
|
|
var b = []; // Result of matrix multiplications
|
|
for (var j = 0; j < Nb; j++) { // Go through each column...
|
|
for (var i = 0; i < 4; i++) { // and for each row in the column...
|
|
if (direction == "encrypt")
|
|
b[i] = mult_GF256(state[i][j], 2) ^ // perform mixing
|
|
mult_GF256(state[(i+1)%4][j], 3) ^
|
|
state[(i+2)%4][j] ^
|
|
state[(i+3)%4][j];
|
|
else
|
|
b[i] = mult_GF256(state[i][j], 0xE) ^
|
|
mult_GF256(state[(i+1)%4][j], 0xB) ^
|
|
mult_GF256(state[(i+2)%4][j], 0xD) ^
|
|
mult_GF256(state[(i+3)%4][j], 9);
|
|
}
|
|
for (var i = 0; i < 4; i++) // Place result back into column
|
|
state[i][j] = b[i];
|
|
}
|
|
}
|
|
|
|
// Adds the current round key to the state information. Straightforward.
|
|
|
|
function addRoundKey(state, roundKey) {
|
|
for (var j = 0; j < Nb; j++) { // Step through columns...
|
|
state[0][j] ^= (roundKey[j] & 0xFF); // and XOR
|
|
state[1][j] ^= ((roundKey[j]>>8) & 0xFF);
|
|
state[2][j] ^= ((roundKey[j]>>16) & 0xFF);
|
|
state[3][j] ^= ((roundKey[j]>>24) & 0xFF);
|
|
}
|
|
}
|
|
|
|
// This function creates the expanded key from the input (128/192/256-bit)
|
|
// key. The parameter key is an array of bytes holding the value of the key.
|
|
// The returned value is an array whose elements are the 32-bit words that
|
|
// make up the expanded key.
|
|
|
|
function keyExpansion(key) {
|
|
var expandedKey = new Array();
|
|
var temp;
|
|
|
|
// in case the key size or parameters were changed...
|
|
Nk = keySizeInBits / 32;
|
|
Nb = blockSizeInBits / 32;
|
|
Nr = roundsArray[Nk][Nb];
|
|
|
|
for (var j=0; j < Nk; j++) // Fill in input key first
|
|
expandedKey[j] =
|
|
(key[4*j]) | (key[4*j+1]<<8) | (key[4*j+2]<<16) | (key[4*j+3]<<24);
|
|
|
|
// Now walk down the rest of the array filling in expanded key bytes as
|
|
// per Rijndael's spec
|
|
for (j = Nk; j < Nb * (Nr + 1); j++) { // For each word of expanded key
|
|
temp = expandedKey[j - 1];
|
|
if (j % Nk == 0)
|
|
temp = ( (SBox[(temp>>8) & 0xFF]) |
|
|
(SBox[(temp>>16) & 0xFF]<<8) |
|
|
(SBox[(temp>>24) & 0xFF]<<16) |
|
|
(SBox[temp & 0xFF]<<24) ) ^ Rcon[Math.floor(j / Nk) - 1];
|
|
else if (Nk > 6 && j % Nk == 4)
|
|
temp = (SBox[(temp>>24) & 0xFF]<<24) |
|
|
(SBox[(temp>>16) & 0xFF]<<16) |
|
|
(SBox[(temp>>8) & 0xFF]<<8) |
|
|
(SBox[temp & 0xFF]);
|
|
expandedKey[j] = expandedKey[j-Nk] ^ temp;
|
|
}
|
|
return expandedKey;
|
|
}
|
|
|
|
// Rijndael's round functions...
|
|
|
|
function Round(state, roundKey) {
|
|
byteSub(state, "encrypt");
|
|
shiftRow(state, "encrypt");
|
|
mixColumn(state, "encrypt");
|
|
addRoundKey(state, roundKey);
|
|
}
|
|
|
|
function InverseRound(state, roundKey) {
|
|
addRoundKey(state, roundKey);
|
|
mixColumn(state, "decrypt");
|
|
shiftRow(state, "decrypt");
|
|
byteSub(state, "decrypt");
|
|
}
|
|
|
|
function FinalRound(state, roundKey) {
|
|
byteSub(state, "encrypt");
|
|
shiftRow(state, "encrypt");
|
|
addRoundKey(state, roundKey);
|
|
}
|
|
|
|
function InverseFinalRound(state, roundKey){
|
|
addRoundKey(state, roundKey);
|
|
shiftRow(state, "decrypt");
|
|
byteSub(state, "decrypt");
|
|
}
|
|
|
|
// encrypt is the basic encryption function. It takes parameters
|
|
// block, an array of bytes representing a plaintext block, and expandedKey,
|
|
// an array of words representing the expanded key previously returned by
|
|
// keyExpansion(). The ciphertext block is returned as an array of bytes.
|
|
|
|
function encrypt(block, expandedKey) {
|
|
var i;
|
|
if (!block || block.length*8 != blockSizeInBits)
|
|
return;
|
|
if (!expandedKey)
|
|
return;
|
|
|
|
block = packBytes(block);
|
|
addRoundKey(block, expandedKey);
|
|
for (i=1; i<Nr; i++)
|
|
Round(block, expandedKey.slice(Nb*i, Nb*(i+1)));
|
|
FinalRound(block, expandedKey.slice(Nb*Nr));
|
|
return unpackBytes(block);
|
|
}
|
|
|
|
// decrypt is the basic decryption function. It takes parameters
|
|
// block, an array of bytes representing a ciphertext block, and expandedKey,
|
|
// an array of words representing the expanded key previously returned by
|
|
// keyExpansion(). The decrypted block is returned as an array of bytes.
|
|
|
|
function decrypt(block, expandedKey) {
|
|
var i;
|
|
if (!block || block.length*8 != blockSizeInBits)
|
|
return;
|
|
if (!expandedKey)
|
|
return;
|
|
|
|
block = packBytes(block);
|
|
InverseFinalRound(block, expandedKey.slice(Nb*Nr));
|
|
for (i = Nr - 1; i>0; i--)
|
|
InverseRound(block, expandedKey.slice(Nb*i, Nb*(i+1)));
|
|
addRoundKey(block, expandedKey);
|
|
return unpackBytes(block);
|
|
}
|
|
|
|
/* !NEEDED
|
|
// This method takes a byte array (byteArray) and converts it to a string by
|
|
// applying String.fromCharCode() to each value and concatenating the result.
|
|
// The resulting string is returned. Note that this function SKIPS zero bytes
|
|
// under the assumption that they are padding added in formatPlaintext().
|
|
// Obviously, do not invoke this method on raw data that can contain zero
|
|
// bytes. It is really only appropriate for printable ASCII/Latin-1
|
|
// values. Roll your own function for more robust functionality :)
|
|
|
|
function byteArrayToString(byteArray) {
|
|
var result = "";
|
|
for(var i=0; i<byteArray.length; i++)
|
|
if (byteArray[i] != 0)
|
|
result += String.fromCharCode(byteArray[i]);
|
|
return result;
|
|
}
|
|
*/
|
|
|
|
// This function takes an array of bytes (byteArray) and converts them
|
|
// to a hexadecimal string. Array element 0 is found at the beginning of
|
|
// the resulting string, high nibble first. Consecutive elements follow
|
|
// similarly, for example [16, 255] --> "10ff". The function returns a
|
|
// string.
|
|
|
|
function byteArrayToHex(byteArray) {
|
|
var result = "";
|
|
if (!byteArray)
|
|
return;
|
|
for (var i=0; i<byteArray.length; i++)
|
|
result += ((byteArray[i]<16) ? "0" : "") + byteArray[i].toString(16);
|
|
|
|
return result;
|
|
}
|
|
|
|
// This function converts a string containing hexadecimal digits to an
|
|
// array of bytes. The resulting byte array is filled in the order the
|
|
// values occur in the string, for example "10FF" --> [16, 255]. This
|
|
// function returns an array.
|
|
|
|
function hexToByteArray(hexString) {
|
|
var byteArray = [];
|
|
if (hexString.length % 2) // must have even length
|
|
return;
|
|
if (hexString.indexOf("0x") == 0 || hexString.indexOf("0X") == 0)
|
|
hexString = hexString.substring(2);
|
|
for (var i = 0; i<hexString.length; i += 2)
|
|
byteArray[Math.floor(i/2)] = parseInt(hexString.slice(i, i+2), 16);
|
|
return byteArray;
|
|
}
|
|
|
|
// This function packs an array of bytes into the four row form defined by
|
|
// Rijndael. It assumes the length of the array of bytes is divisible by
|
|
// four. Bytes are filled in according to the Rijndael spec (starting with
|
|
// column 0, row 0 to 3). This function returns a 2d array.
|
|
|
|
function packBytes(octets) {
|
|
var state = new Array();
|
|
if (!octets || octets.length % 4)
|
|
return;
|
|
|
|
state[0] = new Array(); state[1] = new Array();
|
|
state[2] = new Array(); state[3] = new Array();
|
|
for (var j=0; j<octets.length; j+= 4) {
|
|
state[0][j/4] = octets[j];
|
|
state[1][j/4] = octets[j+1];
|
|
state[2][j/4] = octets[j+2];
|
|
state[3][j/4] = octets[j+3];
|
|
}
|
|
return state;
|
|
}
|
|
|
|
// This function unpacks an array of bytes from the four row format preferred
|
|
// by Rijndael into a single 1d array of bytes. It assumes the input "packed"
|
|
// is a packed array. Bytes are filled in according to the Rijndael spec.
|
|
// This function returns a 1d array of bytes.
|
|
|
|
function unpackBytes(packed) {
|
|
var result = new Array();
|
|
for (var j=0; j<packed[0].length; j++) {
|
|
result[result.length] = packed[0][j];
|
|
result[result.length] = packed[1][j];
|
|
result[result.length] = packed[2][j];
|
|
result[result.length] = packed[3][j];
|
|
}
|
|
return result;
|
|
}
|
|
|
|
// This function takes a prospective plaintext (string or array of bytes)
|
|
// and pads it with pseudorandom bytes if its length is not a multiple of the block
|
|
// size. If plaintext is a string, it is converted to an array of bytes
|
|
// in the process. The type checking can be made much nicer using the
|
|
// instanceof operator, but this operator is not available until IE5.0 so I
|
|
// chose to use the heuristic below.
|
|
|
|
function formatPlaintext(plaintext) {
|
|
var bpb = blockSizeInBits / 8; // bytes per block
|
|
var fillWithRandomBits;
|
|
var i;
|
|
|
|
// if primitive string or String instance
|
|
if ((!((typeof plaintext == "object") &&
|
|
((typeof (plaintext[0])) == "number"))) &&
|
|
((typeof plaintext == "string") || plaintext.indexOf))
|
|
{
|
|
plaintext = plaintext.split("");
|
|
// Unicode issues here (ignoring high byte)
|
|
for (i=0; i<plaintext.length; i++) {
|
|
plaintext[i] = plaintext[i].charCodeAt(0) & 0xFF;
|
|
}
|
|
}
|
|
|
|
i = plaintext.length % bpb;
|
|
if (i > 0) {
|
|
//alert("adding " + (bpb - 1) + " bytes");
|
|
// plaintext = plaintext.concat(getRandomBytes(bpb - i));
|
|
{
|
|
var paddingBytes;
|
|
var ii,cc;
|
|
|
|
paddingBytes = new Array();
|
|
cc = bpb - i;
|
|
for (ii=0; ii<cc; ii++) {
|
|
paddingBytes[ii] = cc;
|
|
}
|
|
|
|
//is("cc", cc);
|
|
//is(getRandomBytes(bpb - i) + "", paddingBytes + "");
|
|
plaintext = plaintext.concat(paddingBytes);
|
|
}
|
|
}
|
|
|
|
return plaintext;
|
|
}
|
|
|
|
// Returns an array containing "howMany" random bytes.
|
|
|
|
function getRandomBytes(howMany) {
|
|
var i, bytes = new Array();
|
|
|
|
//alert("getting some random bytes");
|
|
for (i = 0; i < howMany; i++) {
|
|
bytes[i] = prng.nextInt(255);
|
|
}
|
|
return bytes;
|
|
}
|
|
|
|
// rijndaelEncrypt(plaintext, key, mode)
|
|
// Encrypts the plaintext using the given key and in the given mode.
|
|
// The parameter "plaintext" can either be a string or an array of bytes.
|
|
// The parameter "key" must be an array of key bytes. If you have a hex
|
|
// string representing the key, invoke hexToByteArray() on it to convert it
|
|
// to an array of bytes. The third parameter "mode" is a string indicating
|
|
// the encryption mode to use, either "ECB" or "CBC". If the parameter is
|
|
// omitted, ECB is assumed.
|
|
//
|
|
// An array of bytes representing the cihpertext is returned. To convert
|
|
// this array to hex, invoke byteArrayToHex() on it.
|
|
|
|
function rijndaelEncrypt(plaintext, key, mode) {
|
|
var expandedKey, i, aBlock;
|
|
var bpb = blockSizeInBits / 8; // bytes per block
|
|
var ct; // ciphertext
|
|
|
|
if (!plaintext || !key)
|
|
return;
|
|
if (key.length*8 != keySizeInBits)
|
|
return;
|
|
if (mode == "CBC") {
|
|
ct = getRandomBytes(bpb); // get IV
|
|
//dump("IV", byteArrayToHex(ct));
|
|
} else {
|
|
mode = "ECB";
|
|
ct = new Array();
|
|
}
|
|
|
|
// convert plaintext to byte array and pad with zeros if necessary.
|
|
plaintext = formatPlaintext(plaintext);
|
|
|
|
expandedKey = keyExpansion(key);
|
|
|
|
for (var block = 0; block < plaintext.length / bpb; block++) {
|
|
aBlock = plaintext.slice(block * bpb, (block + 1) * bpb);
|
|
if (mode == "CBC") {
|
|
for (var i = 0; i < bpb; i++) {
|
|
aBlock[i] ^= ct[(block * bpb) + i];
|
|
}
|
|
}
|
|
ct = ct.concat(encrypt(aBlock, expandedKey));
|
|
}
|
|
|
|
return ct;
|
|
}
|
|
|
|
// rijndaelDecrypt(ciphertext, key, mode)
|
|
// Decrypts the using the given key and mode. The parameter "ciphertext"
|
|
// must be an array of bytes. The parameter "key" must be an array of key
|
|
// bytes. If you have a hex string representing the ciphertext or key,
|
|
// invoke hexToByteArray() on it to convert it to an array of bytes. The
|
|
// parameter "mode" is a string, either "CBC" or "ECB".
|
|
//
|
|
// An array of bytes representing the plaintext is returned. To convert
|
|
// this array to a hex string, invoke byteArrayToHex() on it. To convert it
|
|
// to a string of characters, you can use byteArrayToString().
|
|
|
|
function rijndaelDecrypt(ciphertext, key, mode) {
|
|
var expandedKey;
|
|
var bpb = blockSizeInBits / 8; // bytes per block
|
|
var pt = new Array(); // plaintext array
|
|
var aBlock; // a decrypted block
|
|
var block; // current block number
|
|
|
|
if (!ciphertext || !key || typeof ciphertext == "string")
|
|
return;
|
|
if (key.length*8 != keySizeInBits)
|
|
return;
|
|
if (!mode) {
|
|
mode = "ECB"; // assume ECB if mode omitted
|
|
}
|
|
|
|
expandedKey = keyExpansion(key);
|
|
|
|
// work backwards to accomodate CBC mode
|
|
for (block=(ciphertext.length / bpb)-1; block>0; block--) {
|
|
aBlock =
|
|
decrypt(ciphertext.slice(block*bpb,(block+1)*bpb), expandedKey);
|
|
if (mode == "CBC")
|
|
for (var i=0; i<bpb; i++)
|
|
pt[(block-1)*bpb + i] = aBlock[i] ^ ciphertext[(block-1)*bpb + i];
|
|
else
|
|
pt = aBlock.concat(pt);
|
|
}
|
|
|
|
// do last block if ECB (skips the IV in CBC)
|
|
if (mode == "ECB")
|
|
pt = decrypt(ciphertext.slice(0, bpb), expandedKey).concat(pt);
|
|
|
|
return pt;
|
|
}
|
|
|
|
//#############################################################################
|
|
// Downloaded on March 30, 2006 from http://www.fourmilab.ch/javascrypt/javascrypt.zip (utf-8.js)
|
|
//#############################################################################
|
|
|
|
|
|
/* Encoding and decoding of Unicode character strings as
|
|
UTF-8 byte streams. */
|
|
|
|
// UNICODE_TO_UTF8 -- Encode Unicode argument string as UTF-8 return value
|
|
|
|
function unicode_to_utf8(s) {
|
|
var utf8 = "";
|
|
|
|
for (var n = 0; n < s.length; n++) {
|
|
var c = s.charCodeAt(n);
|
|
|
|
if (c <= 0x7F) {
|
|
// 0x00 - 0x7F: Emit as single byte, unchanged
|
|
utf8 += String.fromCharCode(c);
|
|
} else if ((c >= 0x80) && (c <= 0x7FF)) {
|
|
// 0x80 - 0x7FF: Output as two byte code, 0xC0 in first byte
|
|
// 0x80 in second byte
|
|
utf8 += String.fromCharCode((c >> 6) | 0xC0);
|
|
utf8 += String.fromCharCode((c & 0x3F) | 0x80);
|
|
} else {
|
|
// 0x800 - 0xFFFF: Output as three bytes, 0xE0 in first byte
|
|
// 0x80 in second byte
|
|
// 0x80 in third byte
|
|
utf8 += String.fromCharCode((c >> 12) | 0xE0);
|
|
utf8 += String.fromCharCode(((c >> 6) & 0x3F) | 0x80);
|
|
utf8 += String.fromCharCode((c & 0x3F) | 0x80);
|
|
}
|
|
}
|
|
return utf8;
|
|
}
|
|
|
|
// UTF8_TO_UNICODE -- Decode UTF-8 argument into Unicode string return value
|
|
|
|
function utf8_to_unicode(utf8) {
|
|
var s = "", i = 0, b1, b2, b2;
|
|
|
|
while (i < utf8.length) {
|
|
b1 = utf8.charCodeAt(i);
|
|
if (b1 < 0x80) { // One byte code: 0x00 0x7F
|
|
s += String.fromCharCode(b1);
|
|
i++;
|
|
} else if((b1 >= 0xC0) && (b1 < 0xE0)) { // Two byte code: 0x80 - 0x7FF
|
|
b2 = utf8.charCodeAt(i + 1);
|
|
s += String.fromCharCode(((b1 & 0x1F) << 6) | (b2 & 0x3F));
|
|
i += 2;
|
|
} else { // Three byte code: 0x800 - 0xFFFF
|
|
b2 = utf8.charCodeAt(i + 1);
|
|
b3 = utf8.charCodeAt(i + 2);
|
|
s += String.fromCharCode(((b1 & 0xF) << 12) |
|
|
((b2 & 0x3F) << 6) |
|
|
(b3 & 0x3F));
|
|
i += 3;
|
|
}
|
|
}
|
|
return s;
|
|
}
|
|
|
|
/* ENCODE_UTF8 -- Encode string as UTF8 only if it contains
|
|
a character of 0x9D (Unicode OPERATING
|
|
SYSTEM COMMAND) or a character greater
|
|
than 0xFF. This permits all strings
|
|
consisting exclusively of 8 bit
|
|
graphic characters to be encoded as
|
|
themselves. We choose 0x9D as the sentinel
|
|
character as opposed to one of the more
|
|
logical PRIVATE USE characters because 0x9D
|
|
is not overloaded by the regrettable
|
|
"Windows-1252" character set. Now such characters
|
|
don't belong in JavaScript strings, but you never
|
|
know what somebody is going to paste into a
|
|
text box, so this choice keeps Windows-encoded
|
|
strings from bloating to UTF-8 encoding. */
|
|
|
|
function encode_utf8(s) {
|
|
var i, necessary = false;
|
|
|
|
for (i = 0; i < s.length; i++) {
|
|
if ((s.charCodeAt(i) == 0x9D) ||
|
|
(s.charCodeAt(i) > 0xFF)) {
|
|
necessary = true;
|
|
break;
|
|
}
|
|
}
|
|
if (!necessary) {
|
|
return s;
|
|
}
|
|
return String.fromCharCode(0x9D) + unicode_to_utf8(s);
|
|
}
|
|
|
|
/* DECODE_UTF8 -- Decode a string encoded with encode_utf8
|
|
above. If the string begins with the
|
|
sentinel character 0x9D (OPERATING
|
|
SYSTEM COMMAND), then we decode the
|
|
balance as a UTF-8 stream. Otherwise,
|
|
the string is output unchanged, as
|
|
it's guaranteed to contain only 8 bit
|
|
characters excluding 0x9D. */
|
|
|
|
function decode_utf8(s) {
|
|
if ((s.length > 0) && (s.charCodeAt(0) == 0x9D)) {
|
|
return utf8_to_unicode(s.substring(1));
|
|
}
|
|
return s;
|
|
}
|
|
|
|
|
|
//#############################################################################
|
|
// Downloaded on April 26, 2006 from http://pajhome.org.uk/crypt/md5/md5.js
|
|
//#############################################################################
|
|
|
|
/*
|
|
* A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
|
|
* Digest Algorithm, as defined in RFC 1321.
|
|
* Version 2.1 Copyright (C) Paul Johnston 1999 - 2002.
|
|
* Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
|
|
* Distributed under the BSD License
|
|
* See http://pajhome.org.uk/crypt/md5 for more info.
|
|
*/
|
|
|
|
/*
|
|
* Configurable variables. You may need to tweak these to be compatible with
|
|
* the server-side, but the defaults work in most cases.
|
|
*/
|
|
var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */
|
|
var b64pad = ""; /* base-64 pad character. "=" for strict RFC compliance */
|
|
var chrsz = 8; /* bits per input character. 8 - ASCII; 16 - Unicode */
|
|
|
|
/*
|
|
* These are the functions you'll usually want to call
|
|
* They take string arguments and return either hex or base-64 encoded strings
|
|
*/
|
|
function hex_md5(s){ return binl2hex(core_md5(str2binl(s), s.length * chrsz));}
|
|
function b64_md5(s){ return binl2b64(core_md5(str2binl(s), s.length * chrsz));}
|
|
function str_md5(s){ return binl2str(core_md5(str2binl(s), s.length * chrsz));}
|
|
function hex_hmac_md5(key, data) { return binl2hex(core_hmac_md5(key, data)); }
|
|
function b64_hmac_md5(key, data) { return binl2b64(core_hmac_md5(key, data)); }
|
|
function str_hmac_md5(key, data) { return binl2str(core_hmac_md5(key, data)); }
|
|
|
|
/*
|
|
* Perform a simple self-test to see if the VM is working
|
|
*/
|
|
function md5_vm_test()
|
|
{
|
|
return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72";
|
|
}
|
|
|
|
/*
|
|
* Calculate the MD5 of an array of little-endian words, and a bit length
|
|
*/
|
|
function core_md5(x, len)
|
|
{
|
|
/* append padding */
|
|
x[len >> 5] |= 0x80 << ((len) % 32);
|
|
x[(((len + 64) >>> 9) << 4) + 14] = len;
|
|
|
|
var a = 1732584193;
|
|
var b = -271733879;
|
|
var c = -1732584194;
|
|
var d = 271733878;
|
|
|
|
for(var i = 0; i < x.length; i += 16)
|
|
{
|
|
var olda = a;
|
|
var oldb = b;
|
|
var oldc = c;
|
|
var oldd = d;
|
|
|
|
a = md5_ff(a, b, c, d, x[i+ 0], 7 , -680876936);
|
|
d = md5_ff(d, a, b, c, x[i+ 1], 12, -389564586);
|
|
c = md5_ff(c, d, a, b, x[i+ 2], 17, 606105819);
|
|
b = md5_ff(b, c, d, a, x[i+ 3], 22, -1044525330);
|
|
a = md5_ff(a, b, c, d, x[i+ 4], 7 , -176418897);
|
|
d = md5_ff(d, a, b, c, x[i+ 5], 12, 1200080426);
|
|
c = md5_ff(c, d, a, b, x[i+ 6], 17, -1473231341);
|
|
b = md5_ff(b, c, d, a, x[i+ 7], 22, -45705983);
|
|
a = md5_ff(a, b, c, d, x[i+ 8], 7 , 1770035416);
|
|
d = md5_ff(d, a, b, c, x[i+ 9], 12, -1958414417);
|
|
c = md5_ff(c, d, a, b, x[i+10], 17, -42063);
|
|
b = md5_ff(b, c, d, a, x[i+11], 22, -1990404162);
|
|
a = md5_ff(a, b, c, d, x[i+12], 7 , 1804603682);
|
|
d = md5_ff(d, a, b, c, x[i+13], 12, -40341101);
|
|
c = md5_ff(c, d, a, b, x[i+14], 17, -1502002290);
|
|
b = md5_ff(b, c, d, a, x[i+15], 22, 1236535329);
|
|
|
|
a = md5_gg(a, b, c, d, x[i+ 1], 5 , -165796510);
|
|
d = md5_gg(d, a, b, c, x[i+ 6], 9 , -1069501632);
|
|
c = md5_gg(c, d, a, b, x[i+11], 14, 643717713);
|
|
b = md5_gg(b, c, d, a, x[i+ 0], 20, -373897302);
|
|
a = md5_gg(a, b, c, d, x[i+ 5], 5 , -701558691);
|
|
d = md5_gg(d, a, b, c, x[i+10], 9 , 38016083);
|
|
c = md5_gg(c, d, a, b, x[i+15], 14, -660478335);
|
|
b = md5_gg(b, c, d, a, x[i+ 4], 20, -405537848);
|
|
a = md5_gg(a, b, c, d, x[i+ 9], 5 , 568446438);
|
|
d = md5_gg(d, a, b, c, x[i+14], 9 , -1019803690);
|
|
c = md5_gg(c, d, a, b, x[i+ 3], 14, -187363961);
|
|
b = md5_gg(b, c, d, a, x[i+ 8], 20, 1163531501);
|
|
a = md5_gg(a, b, c, d, x[i+13], 5 , -1444681467);
|
|
d = md5_gg(d, a, b, c, x[i+ 2], 9 , -51403784);
|
|
c = md5_gg(c, d, a, b, x[i+ 7], 14, 1735328473);
|
|
b = md5_gg(b, c, d, a, x[i+12], 20, -1926607734);
|
|
|
|
a = md5_hh(a, b, c, d, x[i+ 5], 4 , -378558);
|
|
d = md5_hh(d, a, b, c, x[i+ 8], 11, -2022574463);
|
|
c = md5_hh(c, d, a, b, x[i+11], 16, 1839030562);
|
|
b = md5_hh(b, c, d, a, x[i+14], 23, -35309556);
|
|
a = md5_hh(a, b, c, d, x[i+ 1], 4 , -1530992060);
|
|
d = md5_hh(d, a, b, c, x[i+ 4], 11, 1272893353);
|
|
c = md5_hh(c, d, a, b, x[i+ 7], 16, -155497632);
|
|
b = md5_hh(b, c, d, a, x[i+10], 23, -1094730640);
|
|
a = md5_hh(a, b, c, d, x[i+13], 4 , 681279174);
|
|
d = md5_hh(d, a, b, c, x[i+ 0], 11, -358537222);
|
|
c = md5_hh(c, d, a, b, x[i+ 3], 16, -722521979);
|
|
b = md5_hh(b, c, d, a, x[i+ 6], 23, 76029189);
|
|
a = md5_hh(a, b, c, d, x[i+ 9], 4 , -640364487);
|
|
d = md5_hh(d, a, b, c, x[i+12], 11, -421815835);
|
|
c = md5_hh(c, d, a, b, x[i+15], 16, 530742520);
|
|
b = md5_hh(b, c, d, a, x[i+ 2], 23, -995338651);
|
|
|
|
a = md5_ii(a, b, c, d, x[i+ 0], 6 , -198630844);
|
|
d = md5_ii(d, a, b, c, x[i+ 7], 10, 1126891415);
|
|
c = md5_ii(c, d, a, b, x[i+14], 15, -1416354905);
|
|
b = md5_ii(b, c, d, a, x[i+ 5], 21, -57434055);
|
|
a = md5_ii(a, b, c, d, x[i+12], 6 , 1700485571);
|
|
d = md5_ii(d, a, b, c, x[i+ 3], 10, -1894986606);
|
|
c = md5_ii(c, d, a, b, x[i+10], 15, -1051523);
|
|
b = md5_ii(b, c, d, a, x[i+ 1], 21, -2054922799);
|
|
a = md5_ii(a, b, c, d, x[i+ 8], 6 , 1873313359);
|
|
d = md5_ii(d, a, b, c, x[i+15], 10, -30611744);
|
|
c = md5_ii(c, d, a, b, x[i+ 6], 15, -1560198380);
|
|
b = md5_ii(b, c, d, a, x[i+13], 21, 1309151649);
|
|
a = md5_ii(a, b, c, d, x[i+ 4], 6 , -145523070);
|
|
d = md5_ii(d, a, b, c, x[i+11], 10, -1120210379);
|
|
c = md5_ii(c, d, a, b, x[i+ 2], 15, 718787259);
|
|
b = md5_ii(b, c, d, a, x[i+ 9], 21, -343485551);
|
|
|
|
a = safe_add(a, olda);
|
|
b = safe_add(b, oldb);
|
|
c = safe_add(c, oldc);
|
|
d = safe_add(d, oldd);
|
|
}
|
|
return Array(a, b, c, d);
|
|
|
|
}
|
|
|
|
/*
|
|
* These functions implement the four basic operations the algorithm uses.
|
|
*/
|
|
function md5_cmn(q, a, b, x, s, t)
|
|
{
|
|
return safe_add(bit_rol(safe_add(safe_add(a, q), safe_add(x, t)), s),b);
|
|
}
|
|
function md5_ff(a, b, c, d, x, s, t)
|
|
{
|
|
return md5_cmn((b & c) | ((~b) & d), a, b, x, s, t);
|
|
}
|
|
function md5_gg(a, b, c, d, x, s, t)
|
|
{
|
|
return md5_cmn((b & d) | (c & (~d)), a, b, x, s, t);
|
|
}
|
|
function md5_hh(a, b, c, d, x, s, t)
|
|
{
|
|
return md5_cmn(b ^ c ^ d, a, b, x, s, t);
|
|
}
|
|
function md5_ii(a, b, c, d, x, s, t)
|
|
{
|
|
return md5_cmn(c ^ (b | (~d)), a, b, x, s, t);
|
|
}
|
|
|
|
/*
|
|
* Calculate the HMAC-MD5, of a key and some data
|
|
*/
|
|
function core_hmac_md5(key, data)
|
|
{
|
|
var bkey = str2binl(key);
|
|
if(bkey.length > 16) bkey = core_md5(bkey, key.length * chrsz);
|
|
|
|
var ipad = Array(16), opad = Array(16);
|
|
for(var i = 0; i < 16; i++)
|
|
{
|
|
ipad[i] = bkey[i] ^ 0x36363636;
|
|
opad[i] = bkey[i] ^ 0x5C5C5C5C;
|
|
}
|
|
|
|
var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * chrsz);
|
|
return core_md5(opad.concat(hash), 512 + 128);
|
|
}
|
|
|
|
/*
|
|
* Add integers, wrapping at 2^32. This uses 16-bit operations internally
|
|
* to work around bugs in some JS interpreters.
|
|
*/
|
|
function safe_add(x, y)
|
|
{
|
|
var lsw = (x & 0xFFFF) + (y & 0xFFFF);
|
|
var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
|
|
return (msw << 16) | (lsw & 0xFFFF);
|
|
}
|
|
|
|
/*
|
|
* Bitwise rotate a 32-bit number to the left.
|
|
*/
|
|
function bit_rol(num, cnt)
|
|
{
|
|
return (num << cnt) | (num >>> (32 - cnt));
|
|
}
|
|
|
|
/*
|
|
* Convert a string to an array of little-endian words
|
|
* If chrsz is ASCII, characters >255 have their hi-byte silently ignored.
|
|
*/
|
|
function str2binl(str)
|
|
{
|
|
var bin = Array();
|
|
var mask = (1 << chrsz) - 1;
|
|
for(var i = 0; i < str.length * chrsz; i += chrsz)
|
|
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (i%32);
|
|
return bin;
|
|
}
|
|
|
|
/*
|
|
* Convert an array of little-endian words to a string
|
|
*/
|
|
function binl2str(bin)
|
|
{
|
|
var str = "";
|
|
var mask = (1 << chrsz) - 1;
|
|
for(var i = 0; i < bin.length * 32; i += chrsz)
|
|
str += String.fromCharCode((bin[i>>5] >>> (i % 32)) & mask);
|
|
return str;
|
|
}
|
|
|
|
/*
|
|
* Convert an array of little-endian words to a hex string.
|
|
*/
|
|
function binl2hex(binarray)
|
|
{
|
|
var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
|
|
var str = "";
|
|
for(var i = 0; i < binarray.length * 4; i++)
|
|
{
|
|
str += hex_tab.charAt((binarray[i>>2] >> ((i%4)*8+4)) & 0xF) +
|
|
hex_tab.charAt((binarray[i>>2] >> ((i%4)*8 )) & 0xF);
|
|
}
|
|
return str;
|
|
}
|
|
|
|
/*
|
|
* Convert an array of little-endian words to a base-64 string
|
|
*/
|
|
function binl2b64(binarray)
|
|
{
|
|
var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
|
|
var str = "";
|
|
for(var i = 0; i < binarray.length * 4; i += 3)
|
|
{
|
|
var triplet = (((binarray[i >> 2] >> 8 * ( i %4)) & 0xFF) << 16)
|
|
| (((binarray[i+1 >> 2] >> 8 * ((i+1)%4)) & 0xFF) << 8 )
|
|
| ((binarray[i+2 >> 2] >> 8 * ((i+2)%4)) & 0xFF);
|
|
for(var j = 0; j < 4; j++)
|
|
{
|
|
if(i * 8 + j * 6 > binarray.length * 32) str += b64pad;
|
|
else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F);
|
|
}
|
|
}
|
|
return str;
|
|
}
|
|
|
|
|
|
//#############################################################################
|
|
//#############################################################################
|
|
//#############################################################################
|
|
|
|
|
|
|
|
MochiKit.Base.update(Clipperz.Crypto.Base, {
|
|
|
|
'__repr__': function () {
|
|
return "[" + this.NAME + " " + this.VERSION + "]";
|
|
},
|
|
|
|
'toString': function () {
|
|
return this.__repr__();
|
|
},
|
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
'encryptUsingSecretKey': function (aKey, aMessage) {
|
|
//Clipperz.Profile.start("Clipperz.Crypto.Base.encryptUsingSecretKey");
|
|
var result;
|
|
var plaintext;
|
|
var header;
|
|
var key;
|
|
|
|
key = hexToByteArray(Clipperz.Crypto.Base.computeHashValue(aKey));
|
|
|
|
addEntropyTime();
|
|
prng = new AESprng(keyFromEntropy());
|
|
|
|
plaintext = encode_utf8(aMessage);
|
|
|
|
header = Clipperz.Base.byteArrayToString(hexToByteArray(Clipperz.Crypto.Base.computeMD5HashValue(plaintext)));
|
|
|
|
// Add message length in bytes to header
|
|
i = plaintext.length;
|
|
header += String.fromCharCode(i >>> 24);
|
|
header += String.fromCharCode(i >>> 16);
|
|
header += String.fromCharCode(i >>> 8);
|
|
header += String.fromCharCode(i & 0xFF);
|
|
|
|
// The format of the actual message passed to rijndaelEncrypt
|
|
// is:
|
|
//
|
|
// Bytes Content
|
|
// 0-15 MD5 signature of plaintext
|
|
// 16-19 Length of plaintext, big-endian order
|
|
// 20-end Plaintext
|
|
//
|
|
// Note that this message will be padded with zero bytes
|
|
// to an integral number of AES blocks (blockSizeInBits / 8).
|
|
// This does not include the initial vector for CBC
|
|
// encryption, which is added internally by rijndaelEncrypt.
|
|
result = byteArrayToHex(rijndaelEncrypt(header + plaintext, key, "CBC"));
|
|
|
|
delete prng;
|
|
|
|
//Clipperz.Profile.stop("Clipperz.Crypto.Base.encryptUsingSecretKey");
|
|
return result;
|
|
},
|
|
|
|
//.............................................................................
|
|
|
|
'decryptUsingSecretKey': function (aKey, aMessage) {
|
|
//Clipperz.Profile.start("Clipperz.Crypto.Base.decryptUsingSecretKey");
|
|
var key;
|
|
var decryptedText;
|
|
var textLength;
|
|
var header;
|
|
var headerDigest;
|
|
var plaintext;
|
|
var i;
|
|
|
|
key = hexToByteArray(Clipperz.Crypto.Base.computeHashValue(aKey));
|
|
|
|
decryptedText = rijndaelDecrypt(hexToByteArray(aMessage), key, "CBC");
|
|
|
|
header = decryptedText.slice(0, 20);
|
|
decryptedText = decryptedText.slice(20);
|
|
|
|
headerDigest = byteArrayToHex(header.slice(0,16));
|
|
textLength = (header[16] << 24) | (header[17] << 16) | (header[18] << 8) | header[19];
|
|
|
|
if ((textLength < 0) || (textLength > decryptedText.length)) {
|
|
// jslog.warning("Message (length " + decryptedText.length + ") truncated. " + textLength + " characters expected.");
|
|
// Try to sauve qui peut by setting length to entire message
|
|
textLength = decryptedText.length;
|
|
}
|
|
|
|
plainText = "";
|
|
|
|
for (i=0; i<textLength; i++) {
|
|
plainText += String.fromCharCode(decryptedText[i]);
|
|
}
|
|
|
|
if (Clipperz.Crypto.Base.computeMD5HashValue(plainText) != headerDigest) {
|
|
// jslog.warning("Message corrupted. Checksum of decrypted message does not match.");
|
|
throw Clipperz.Crypto.Base.exception.CorruptedMessage;
|
|
// throw new Error("Message corrupted. Checksum of decrypted message does not match. Parsed result: " + decode_utf8(plainText));
|
|
}
|
|
|
|
// That's it; plug plaintext into the result field
|
|
|
|
result = decode_utf8(plainText);
|
|
|
|
//Clipperz.Profile.stop("Clipperz.Crypto.Base.decryptUsingSecretKey");
|
|
return result;
|
|
},
|
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
'computeHashValue': function (aMessage) {
|
|
//Clipperz.Profile.start("Clipperz.Crypto.Base.computeHashValue");
|
|
var result;
|
|
|
|
result = hex_sha256(aMessage);
|
|
//Clipperz.Profile.stop("Clipperz.Crypto.Base.computeHashValue");
|
|
|
|
return result;
|
|
},
|
|
|
|
//.........................................................................
|
|
|
|
'computeMD5HashValue': function (aMessage) {
|
|
var result;
|
|
//Clipperz.Profile.start("Clipperz.Crypto.Base.computeMD5HashValue");
|
|
result = hex_md5(aMessage);
|
|
//Clipperz.Profile.stop("Clipperz.Crypto.Base.computeMD5HashValue");
|
|
|
|
return result;
|
|
},
|
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
'generateRandomSeed': function () {
|
|
//Clipperz.Profile.start("Clipperz.Crypto.Base.generateRandomSeed");
|
|
var result;
|
|
var seed;
|
|
var prng;
|
|
var charA;
|
|
var i;
|
|
|
|
addEntropyTime();
|
|
|
|
seed = keyFromEntropy();
|
|
prng = new AESprng(seed);
|
|
|
|
result = "";
|
|
charA = ("A").charCodeAt(0);
|
|
|
|
for (i = 0; i < 64; i++) {
|
|
result += String.fromCharCode(charA + prng.nextInt(25));
|
|
}
|
|
|
|
delete prng;
|
|
|
|
result = Clipperz.Crypto.Base.computeHashValue(result);
|
|
|
|
//Clipperz.Profile.stop("Clipperz.Crypto.Base.generateRandomSeed");
|
|
return result;
|
|
},
|
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
'exception': {
|
|
'CorruptedMessage': new MochiKit.Base.NamedError("Clipperz.Crypto.Base.exception.CorruptedMessage")
|
|
},
|
|
|
|
//.........................................................................
|
|
__syntaxFix__: "syntax fix"
|
|
});
|
|
|