1 //========================================================================
2 //
3 // Decrypt.cc
4 //
5 // Copyright 1996-2003 Glyph & Cog, LLC
6 //
7 //========================================================================
8
9 #include <aconf.h>
10
11 #ifdef USE_GCC_PRAGMAS
12 #pragma implementation
13 #endif
14
15 #include <string.h>
16 #include "gmem.h"
17 #include "Decrypt.h"
18
19 static void aes256KeyExpansion(DecryptAES256State *s,
20 Guchar *objKey, int objKeyLen);
21 static void aes256DecryptBlock(DecryptAES256State *s, Guchar *in, GBool last);
22 static void sha256(Guchar *msg, int msgLen, Guchar *hash);
23 static void sha384(Guchar *msg, int msgLen, Guchar *hash);
24 static void sha512(Guchar *msg, int msgLen, Guchar *hash);
25
26 static Guchar passwordPad[32] = {
27 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41,
28 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08,
29 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80,
30 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a
31 };
32
33 //------------------------------------------------------------------------
34 // Decrypt
35 //------------------------------------------------------------------------
36
makeFileKey(int encVersion,int encRevision,int keyLength,GString * ownerKey,GString * userKey,GString * ownerEnc,GString * userEnc,int permissions,GString * fileID,GString * ownerPassword,GString * userPassword,Guchar * fileKey,GBool encryptMetadata,GBool * ownerPasswordOk)37 GBool Decrypt::makeFileKey(int encVersion, int encRevision, int keyLength,
38 GString *ownerKey, GString *userKey,
39 GString *ownerEnc, GString *userEnc,
40 int permissions, GString *fileID,
41 GString *ownerPassword, GString *userPassword,
42 Guchar *fileKey, GBool encryptMetadata,
43 GBool *ownerPasswordOk) {
44 DecryptAES256State state;
45 Guchar test[127 + 56], test2[32];
46 GString *userPassword2;
47 const char *userPW;
48 Guchar fState[256];
49 Guchar tmpKey[16];
50 Guchar fx, fy;
51 int len, i, j;
52
53 *ownerPasswordOk = gFalse;
54
55 if (encRevision == 5 || encRevision == 6) {
56
57 // check the owner password
58 if (ownerPassword) {
59 //~ this is supposed to convert the password to UTF-8 using "SASLprep"
60 len = ownerPassword->getLength();
61 if (len > 127) {
62 len = 127;
63 }
64 memcpy(test, ownerPassword->getCString(), len);
65 memcpy(test + len, ownerKey->getCString() + 32, 8);
66 memcpy(test + len + 8, userKey->getCString(), 48);
67 sha256(test, len + 56, test);
68 if (encRevision == 6) {
69 r6Hash(test, 32, ownerPassword->getCString(), len,
70 userKey->getCString());
71 }
72 if (!memcmp(test, ownerKey->getCString(), 32)) {
73
74 // compute the file key from the owner password
75 memcpy(test, ownerPassword->getCString(), len);
76 memcpy(test + len, ownerKey->getCString() + 40, 8);
77 memcpy(test + len + 8, userKey->getCString(), 48);
78 sha256(test, len + 56, test);
79 if (encRevision == 6) {
80 r6Hash(test, 32, ownerPassword->getCString(), len,
81 userKey->getCString());
82 }
83 aes256KeyExpansion(&state, test, 32);
84 for (i = 0; i < 16; ++i) {
85 state.cbc[i] = 0;
86 }
87 aes256DecryptBlock(&state, (Guchar *)ownerEnc->getCString(), gFalse);
88 memcpy(fileKey, state.buf, 16);
89 aes256DecryptBlock(&state, (Guchar *)ownerEnc->getCString() + 16,
90 gFalse);
91 memcpy(fileKey + 16, state.buf, 16);
92
93 *ownerPasswordOk = gTrue;
94 return gTrue;
95 }
96 }
97
98 // check the user password
99 if (userPassword) {
100 //~ this is supposed to convert the password to UTF-8 using "SASLprep"
101 userPW = userPassword->getCString();
102 len = userPassword->getLength();
103 if (len > 127) {
104 len = 127;
105 }
106 } else {
107 userPW = "";
108 len = 0;
109 }
110 memcpy(test, userPW, len);
111 memcpy(test + len, userKey->getCString() + 32, 8);
112 sha256(test, len + 8, test);
113 if (encRevision == 6) {
114 r6Hash(test, 32, userPW, len, NULL);
115 }
116 if (!memcmp(test, userKey->getCString(), 32)) {
117
118 // compute the file key from the user password
119 memcpy(test, userPW, len);
120 memcpy(test + len, userKey->getCString() + 40, 8);
121 sha256(test, len + 8, test);
122 if (encRevision == 6) {
123 r6Hash(test, 32, userPW, len, NULL);
124 }
125 aes256KeyExpansion(&state, test, 32);
126 for (i = 0; i < 16; ++i) {
127 state.cbc[i] = 0;
128 }
129 aes256DecryptBlock(&state, (Guchar *)userEnc->getCString(), gFalse);
130 memcpy(fileKey, state.buf, 16);
131 aes256DecryptBlock(&state, (Guchar *)userEnc->getCString() + 16,
132 gFalse);
133 memcpy(fileKey + 16, state.buf, 16);
134
135 return gTrue;
136 }
137
138 return gFalse;
139
140 } else {
141
142 // try using the supplied owner password to generate the user password
143 if (ownerPassword) {
144 len = ownerPassword->getLength();
145 if (len < 32) {
146 memcpy(test, ownerPassword->getCString(), len);
147 memcpy(test + len, passwordPad, 32 - len);
148 } else {
149 memcpy(test, ownerPassword->getCString(), 32);
150 }
151 md5(test, 32, test);
152 if (encRevision == 3) {
153 for (i = 0; i < 50; ++i) {
154 md5(test, keyLength, test);
155 }
156 }
157 if (encRevision == 2) {
158 rc4InitKey(test, keyLength, fState);
159 fx = fy = 0;
160 for (i = 0; i < 32; ++i) {
161 test2[i] = rc4DecryptByte(fState, &fx, &fy, ownerKey->getChar(i));
162 }
163 } else {
164 memcpy(test2, ownerKey->getCString(), 32);
165 for (i = 19; i >= 0; --i) {
166 for (j = 0; j < keyLength; ++j) {
167 tmpKey[j] = test[j] ^ i;
168 }
169 rc4InitKey(tmpKey, keyLength, fState);
170 fx = fy = 0;
171 for (j = 0; j < 32; ++j) {
172 test2[j] = rc4DecryptByte(fState, &fx, &fy, test2[j]);
173 }
174 }
175 }
176 userPassword2 = new GString((char *)test2, 32);
177 if (makeFileKey2(encVersion, encRevision, keyLength, ownerKey, userKey,
178 permissions, fileID, userPassword2, fileKey,
179 encryptMetadata)) {
180 *ownerPasswordOk = gTrue;
181 delete userPassword2;
182 return gTrue;
183 }
184 delete userPassword2;
185 }
186
187 // try using the supplied user password
188 return makeFileKey2(encVersion, encRevision, keyLength, ownerKey, userKey,
189 permissions, fileID, userPassword, fileKey,
190 encryptMetadata);
191 }
192 }
193
r6Hash(Guchar * key,int keyLen,const char * pwd,int pwdLen,char * userKey)194 void Decrypt::r6Hash(Guchar *key, int keyLen, const char *pwd, int pwdLen,
195 char *userKey) {
196 Guchar key1[64*(127+64+48)];
197 DecryptAESState state128;
198 int n, i, j, k;
199
200 i = 0;
201 while (1) {
202 memcpy(key1, pwd, pwdLen);
203 memcpy(key1 + pwdLen, key, keyLen);
204 n = pwdLen + keyLen;
205 if (userKey) {
206 memcpy(key1 + pwdLen + keyLen, userKey, 48);
207 n += 48;
208 }
209 for (j = 1; j < 64; ++j) {
210 memcpy(key1 + j * n, key1, n);
211 }
212 n *= 64;
213 aesKeyExpansion(&state128, key, 16, gFalse);
214 for (j = 0; j < 16; ++j) {
215 state128.cbc[j] = key[16+j];
216 }
217 for (j = 0; j < n; j += 16) {
218 aesEncryptBlock(&state128, key1 + j);
219 memcpy(key1 + j, state128.buf, 16);
220 }
221 k = 0;
222 for (j = 0; j < 16; ++j) {
223 k += key1[j] % 3;
224 }
225 k %= 3;
226 switch (k) {
227 case 0:
228 sha256(key1, n, key);
229 keyLen = 32;
230 break;
231 case 1:
232 sha384(key1, n, key);
233 keyLen = 48;
234 break;
235 case 2:
236 sha512(key1, n, key);
237 keyLen = 64;
238 break;
239 }
240 // from the spec, it appears that i should be incremented after
241 // the test, but that doesn't match what Adobe does
242 ++i;
243 if (i >= 64 && key1[n - 1] <= i - 32) {
244 break;
245 }
246 }
247 }
248
makeFileKey2(int encVersion,int encRevision,int keyLength,GString * ownerKey,GString * userKey,int permissions,GString * fileID,GString * userPassword,Guchar * fileKey,GBool encryptMetadata)249 GBool Decrypt::makeFileKey2(int encVersion, int encRevision, int keyLength,
250 GString *ownerKey, GString *userKey,
251 int permissions, GString *fileID,
252 GString *userPassword, Guchar *fileKey,
253 GBool encryptMetadata) {
254 Guchar *buf;
255 Guchar test[32];
256 Guchar fState[256];
257 Guchar tmpKey[16];
258 Guchar fx, fy;
259 int len, i, j;
260 GBool ok;
261
262 // generate file key
263 buf = (Guchar *)gmalloc(72 + fileID->getLength());
264 if (userPassword) {
265 len = userPassword->getLength();
266 if (len < 32) {
267 memcpy(buf, userPassword->getCString(), len);
268 memcpy(buf + len, passwordPad, 32 - len);
269 } else {
270 memcpy(buf, userPassword->getCString(), 32);
271 }
272 } else {
273 memcpy(buf, passwordPad, 32);
274 }
275 memcpy(buf + 32, ownerKey->getCString(), 32);
276 buf[64] = permissions & 0xff;
277 buf[65] = (permissions >> 8) & 0xff;
278 buf[66] = (permissions >> 16) & 0xff;
279 buf[67] = (permissions >> 24) & 0xff;
280 memcpy(buf + 68, fileID->getCString(), fileID->getLength());
281 len = 68 + fileID->getLength();
282 if (!encryptMetadata) {
283 buf[len++] = 0xff;
284 buf[len++] = 0xff;
285 buf[len++] = 0xff;
286 buf[len++] = 0xff;
287 }
288 md5(buf, len, fileKey);
289 if (encRevision == 3) {
290 for (i = 0; i < 50; ++i) {
291 md5(fileKey, keyLength, fileKey);
292 }
293 }
294
295 // test user password
296 if (encRevision == 2) {
297 rc4InitKey(fileKey, keyLength, fState);
298 fx = fy = 0;
299 for (i = 0; i < 32; ++i) {
300 test[i] = rc4DecryptByte(fState, &fx, &fy, userKey->getChar(i));
301 }
302 ok = memcmp(test, passwordPad, 32) == 0;
303 } else if (encRevision == 3) {
304 memcpy(test, userKey->getCString(), 32);
305 for (i = 19; i >= 0; --i) {
306 for (j = 0; j < keyLength; ++j) {
307 tmpKey[j] = fileKey[j] ^ i;
308 }
309 rc4InitKey(tmpKey, keyLength, fState);
310 fx = fy = 0;
311 for (j = 0; j < 32; ++j) {
312 test[j] = rc4DecryptByte(fState, &fx, &fy, test[j]);
313 }
314 }
315 memcpy(buf, passwordPad, 32);
316 memcpy(buf + 32, fileID->getCString(), fileID->getLength());
317 md5(buf, 32 + fileID->getLength(), buf);
318 ok = memcmp(test, buf, 16) == 0;
319 } else {
320 ok = gFalse;
321 }
322
323 gfree(buf);
324 return ok;
325 }
326
327 //------------------------------------------------------------------------
328 // DecryptStream
329 //------------------------------------------------------------------------
330
DecryptStream(Stream * strA,Guchar * fileKey,CryptAlgorithm algoA,int keyLength,int objNum,int objGen)331 DecryptStream::DecryptStream(Stream *strA, Guchar *fileKey,
332 CryptAlgorithm algoA, int keyLength,
333 int objNum, int objGen):
334 FilterStream(strA)
335 {
336 int i;
337
338 algo = algoA;
339
340 // construct object key
341 for (i = 0; i < keyLength; ++i) {
342 objKey[i] = fileKey[i];
343 }
344 switch (algo) {
345 case cryptRC4:
346 objKey[keyLength] = objNum & 0xff;
347 objKey[keyLength + 1] = (objNum >> 8) & 0xff;
348 objKey[keyLength + 2] = (objNum >> 16) & 0xff;
349 objKey[keyLength + 3] = objGen & 0xff;
350 objKey[keyLength + 4] = (objGen >> 8) & 0xff;
351 md5(objKey, keyLength + 5, objKey);
352 if ((objKeyLength = keyLength + 5) > 16) {
353 objKeyLength = 16;
354 }
355 break;
356 case cryptAES:
357 objKey[keyLength] = objNum & 0xff;
358 objKey[keyLength + 1] = (objNum >> 8) & 0xff;
359 objKey[keyLength + 2] = (objNum >> 16) & 0xff;
360 objKey[keyLength + 3] = objGen & 0xff;
361 objKey[keyLength + 4] = (objGen >> 8) & 0xff;
362 objKey[keyLength + 5] = 0x73; // 's'
363 objKey[keyLength + 6] = 0x41; // 'A'
364 objKey[keyLength + 7] = 0x6c; // 'l'
365 objKey[keyLength + 8] = 0x54; // 'T'
366 md5(objKey, keyLength + 9, objKey);
367 if ((objKeyLength = keyLength + 5) > 16) {
368 objKeyLength = 16;
369 }
370 break;
371 case cryptAES256:
372 objKeyLength = keyLength;
373 break;
374 }
375 }
376
~DecryptStream()377 DecryptStream::~DecryptStream() {
378 delete str;
379 }
380
reset()381 void DecryptStream::reset() {
382 str->reset();
383 switch (algo) {
384 case cryptRC4:
385 state.rc4.x = state.rc4.y = 0;
386 rc4InitKey(objKey, objKeyLength, state.rc4.state);
387 state.rc4.buf = EOF;
388 break;
389 case cryptAES:
390 aesKeyExpansion(&state.aes, objKey, objKeyLength, gTrue);
391 str->getBlock((char *)state.aes.cbc, 16);
392 state.aes.bufIdx = 16;
393 break;
394 case cryptAES256:
395 aes256KeyExpansion(&state.aes256, objKey, objKeyLength);
396 str->getBlock((char *)state.aes256.cbc, 16);
397 state.aes256.bufIdx = 16;
398 break;
399 }
400 }
401
getChar()402 int DecryptStream::getChar() {
403 Guchar in[16];
404 int c;
405
406 c = EOF; // make gcc happy
407 switch (algo) {
408 case cryptRC4:
409 if (state.rc4.buf == EOF) {
410 c = str->getChar();
411 if (c != EOF) {
412 state.rc4.buf = rc4DecryptByte(state.rc4.state, &state.rc4.x,
413 &state.rc4.y, (Guchar)c);
414 }
415 }
416 c = state.rc4.buf;
417 state.rc4.buf = EOF;
418 break;
419 case cryptAES:
420 if (state.aes.bufIdx == 16) {
421 if (str->getBlock((char *)in, 16) != 16) {
422 return EOF;
423 }
424 aesDecryptBlock(&state.aes, in, str->lookChar() == EOF);
425 }
426 if (state.aes.bufIdx == 16) {
427 c = EOF;
428 } else {
429 c = state.aes.buf[state.aes.bufIdx++];
430 }
431 break;
432 case cryptAES256:
433 if (state.aes256.bufIdx == 16) {
434 if (str->getBlock((char *)in, 16) != 16) {
435 return EOF;
436 }
437 aes256DecryptBlock(&state.aes256, in, str->lookChar() == EOF);
438 }
439 if (state.aes256.bufIdx == 16) {
440 c = EOF;
441 } else {
442 c = state.aes256.buf[state.aes256.bufIdx++];
443 }
444 break;
445 }
446 return c;
447 }
448
lookChar()449 int DecryptStream::lookChar() {
450 Guchar in[16];
451 int c;
452
453 c = EOF; // make gcc happy
454 switch (algo) {
455 case cryptRC4:
456 if (state.rc4.buf == EOF) {
457 c = str->getChar();
458 if (c != EOF) {
459 state.rc4.buf = rc4DecryptByte(state.rc4.state, &state.rc4.x,
460 &state.rc4.y, (Guchar)c);
461 }
462 }
463 c = state.rc4.buf;
464 break;
465 case cryptAES:
466 if (state.aes.bufIdx == 16) {
467 if (str->getBlock((char *)in, 16) != 16) {
468 return EOF;
469 }
470 aesDecryptBlock(&state.aes, in, str->lookChar() == EOF);
471 }
472 if (state.aes.bufIdx == 16) {
473 c = EOF;
474 } else {
475 c = state.aes.buf[state.aes.bufIdx];
476 }
477 break;
478 case cryptAES256:
479 if (state.aes256.bufIdx == 16) {
480 if (str->getBlock((char *)in, 16) != 16) {
481 return EOF;
482 }
483 aes256DecryptBlock(&state.aes256, in, str->lookChar() == EOF);
484 }
485 if (state.aes256.bufIdx == 16) {
486 c = EOF;
487 } else {
488 c = state.aes256.buf[state.aes256.bufIdx];
489 }
490 break;
491 }
492 return c;
493 }
494
isBinary(GBool last)495 GBool DecryptStream::isBinary(GBool last) {
496 return str->isBinary(last);
497 }
498
499 //------------------------------------------------------------------------
500 // RC4-compatible decryption
501 //------------------------------------------------------------------------
502
rc4InitKey(Guchar * key,int keyLen,Guchar * state)503 void rc4InitKey(Guchar *key, int keyLen, Guchar *state) {
504 Guchar index1, index2;
505 Guchar t;
506 int i;
507
508 for (i = 0; i < 256; ++i)
509 state[i] = i;
510 index1 = index2 = 0;
511 for (i = 0; i < 256; ++i) {
512 index2 = (key[index1] + state[i] + index2) % 256;
513 t = state[i];
514 state[i] = state[index2];
515 state[index2] = t;
516 index1 = (index1 + 1) % keyLen;
517 }
518 }
519
rc4DecryptByte(Guchar * state,Guchar * x,Guchar * y,Guchar c)520 Guchar rc4DecryptByte(Guchar *state, Guchar *x, Guchar *y, Guchar c) {
521 Guchar x1, y1, tx, ty;
522
523 x1 = *x = (*x + 1) % 256;
524 y1 = *y = (state[*x] + *y) % 256;
525 tx = state[x1];
526 ty = state[y1];
527 state[x1] = ty;
528 state[y1] = tx;
529 return c ^ state[(tx + ty) % 256];
530 }
531
532 //------------------------------------------------------------------------
533 // AES decryption
534 //------------------------------------------------------------------------
535
536 static Guchar sbox[256] = {
537 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
538 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
539 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
540 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
541 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
542 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
543 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
544 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
545 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
546 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
547 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
548 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
549 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
550 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
551 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
552 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
553 };
554
555 static Guchar invSbox[256] = {
556 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
557 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
558 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
559 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
560 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
561 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
562 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
563 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
564 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
565 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
566 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
567 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
568 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
569 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
570 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
571 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
572 };
573
574 static Guint rcon[11] = {
575 0x00000000, // unused
576 0x01000000,
577 0x02000000,
578 0x04000000,
579 0x08000000,
580 0x10000000,
581 0x20000000,
582 0x40000000,
583 0x80000000,
584 0x1b000000,
585 0x36000000
586 };
587
subWord(Guint x)588 static inline Guint subWord(Guint x) {
589 return (sbox[x >> 24] << 24)
590 | (sbox[(x >> 16) & 0xff] << 16)
591 | (sbox[(x >> 8) & 0xff] << 8)
592 | sbox[x & 0xff];
593 }
594
rotWord(Guint x)595 static inline Guint rotWord(Guint x) {
596 return ((x << 8) & 0xffffffff) | (x >> 24);
597 }
598
subBytes(Guchar * state)599 static inline void subBytes(Guchar *state) {
600 int i;
601
602 for (i = 0; i < 16; ++i) {
603 state[i] = sbox[state[i]];
604 }
605 }
606
invSubBytes(Guchar * state)607 static inline void invSubBytes(Guchar *state) {
608 int i;
609
610 for (i = 0; i < 16; ++i) {
611 state[i] = invSbox[state[i]];
612 }
613 }
614
shiftRows(Guchar * state)615 static inline void shiftRows(Guchar *state) {
616 Guchar t;
617
618 t = state[4];
619 state[4] = state[5];
620 state[5] = state[6];
621 state[6] = state[7];
622 state[7] = t;
623
624 t = state[8];
625 state[8] = state[10];
626 state[10] = t;
627 t = state[9];
628 state[9] = state[11];
629 state[11] = t;
630
631 t = state[15];
632 state[15] = state[14];
633 state[14] = state[13];
634 state[13] = state[12];
635 state[12] = t;
636 }
637
invShiftRows(Guchar * state)638 static inline void invShiftRows(Guchar *state) {
639 Guchar t;
640
641 t = state[7];
642 state[7] = state[6];
643 state[6] = state[5];
644 state[5] = state[4];
645 state[4] = t;
646
647 t = state[8];
648 state[8] = state[10];
649 state[10] = t;
650 t = state[9];
651 state[9] = state[11];
652 state[11] = t;
653
654 t = state[12];
655 state[12] = state[13];
656 state[13] = state[14];
657 state[14] = state[15];
658 state[15] = t;
659 }
660
661 // {02} \cdot s
mul02(Guchar s)662 static inline Guchar mul02(Guchar s) {
663 Guchar s2;
664
665 s2 = (s & 0x80) ? ((s << 1) ^ 0x1b) : (s << 1);
666 return s2;
667 }
668
669 // {03} \cdot s
mul03(Guchar s)670 static inline Guchar mul03(Guchar s) {
671 Guchar s2;
672
673 s2 = (s & 0x80) ? ((s << 1) ^ 0x1b) : (s << 1);
674 return s ^ s2;
675 }
676
677 // {09} \cdot s
mul09(Guchar s)678 static inline Guchar mul09(Guchar s) {
679 Guchar s2, s4, s8;
680
681 s2 = (s & 0x80) ? ((s << 1) ^ 0x1b) : (s << 1);
682 s4 = (s2 & 0x80) ? ((s2 << 1) ^ 0x1b) : (s2 << 1);
683 s8 = (s4 & 0x80) ? ((s4 << 1) ^ 0x1b) : (s4 << 1);
684 return s ^ s8;
685 }
686
687 // {0b} \cdot s
mul0b(Guchar s)688 static inline Guchar mul0b(Guchar s) {
689 Guchar s2, s4, s8;
690
691 s2 = (s & 0x80) ? ((s << 1) ^ 0x1b) : (s << 1);
692 s4 = (s2 & 0x80) ? ((s2 << 1) ^ 0x1b) : (s2 << 1);
693 s8 = (s4 & 0x80) ? ((s4 << 1) ^ 0x1b) : (s4 << 1);
694 return s ^ s2 ^ s8;
695 }
696
697 // {0d} \cdot s
mul0d(Guchar s)698 static inline Guchar mul0d(Guchar s) {
699 Guchar s2, s4, s8;
700
701 s2 = (s & 0x80) ? ((s << 1) ^ 0x1b) : (s << 1);
702 s4 = (s2 & 0x80) ? ((s2 << 1) ^ 0x1b) : (s2 << 1);
703 s8 = (s4 & 0x80) ? ((s4 << 1) ^ 0x1b) : (s4 << 1);
704 return s ^ s4 ^ s8;
705 }
706
707 // {0e} \cdot s
mul0e(Guchar s)708 static inline Guchar mul0e(Guchar s) {
709 Guchar s2, s4, s8;
710
711 s2 = (s & 0x80) ? ((s << 1) ^ 0x1b) : (s << 1);
712 s4 = (s2 & 0x80) ? ((s2 << 1) ^ 0x1b) : (s2 << 1);
713 s8 = (s4 & 0x80) ? ((s4 << 1) ^ 0x1b) : (s4 << 1);
714 return s2 ^ s4 ^ s8;
715 }
716
mixColumns(Guchar * state)717 static inline void mixColumns(Guchar *state) {
718 int c;
719 Guchar s0, s1, s2, s3;
720
721 for (c = 0; c < 4; ++c) {
722 s0 = state[c];
723 s1 = state[4+c];
724 s2 = state[8+c];
725 s3 = state[12+c];
726 state[c] = mul02(s0) ^ mul03(s1) ^ s2 ^ s3;
727 state[4+c] = s0 ^ mul02(s1) ^ mul03(s2) ^ s3;
728 state[8+c] = s0 ^ s1 ^ mul02(s2) ^ mul03(s3);
729 state[12+c] = mul03(s0) ^ s1 ^ s2 ^ mul02(s3);
730 }
731 }
732
invMixColumns(Guchar * state)733 static inline void invMixColumns(Guchar *state) {
734 int c;
735 Guchar s0, s1, s2, s3;
736
737 for (c = 0; c < 4; ++c) {
738 s0 = state[c];
739 s1 = state[4+c];
740 s2 = state[8+c];
741 s3 = state[12+c];
742 state[c] = mul0e(s0) ^ mul0b(s1) ^ mul0d(s2) ^ mul09(s3);
743 state[4+c] = mul09(s0) ^ mul0e(s1) ^ mul0b(s2) ^ mul0d(s3);
744 state[8+c] = mul0d(s0) ^ mul09(s1) ^ mul0e(s2) ^ mul0b(s3);
745 state[12+c] = mul0b(s0) ^ mul0d(s1) ^ mul09(s2) ^ mul0e(s3);
746 }
747 }
748
invMixColumnsW(Guint * w)749 static inline void invMixColumnsW(Guint *w) {
750 int c;
751 Guchar s0, s1, s2, s3;
752
753 for (c = 0; c < 4; ++c) {
754 s0 = w[c] >> 24;
755 s1 = w[c] >> 16;
756 s2 = w[c] >> 8;
757 s3 = w[c];
758 w[c] = ((mul0e(s0) ^ mul0b(s1) ^ mul0d(s2) ^ mul09(s3)) << 24)
759 | ((mul09(s0) ^ mul0e(s1) ^ mul0b(s2) ^ mul0d(s3)) << 16)
760 | ((mul0d(s0) ^ mul09(s1) ^ mul0e(s2) ^ mul0b(s3)) << 8)
761 | (mul0b(s0) ^ mul0d(s1) ^ mul09(s2) ^ mul0e(s3));
762 }
763 }
764
addRoundKey(Guchar * state,Guint * w)765 static inline void addRoundKey(Guchar *state, Guint *w) {
766 int c;
767
768 for (c = 0; c < 4; ++c) {
769 state[c] ^= w[c] >> 24;
770 state[4+c] ^= w[c] >> 16;
771 state[8+c] ^= w[c] >> 8;
772 state[12+c] ^= w[c];
773 }
774 }
775
aesKeyExpansion(DecryptAESState * s,Guchar * objKey,int objKeyLen,GBool decrypt)776 void aesKeyExpansion(DecryptAESState *s,
777 Guchar *objKey, int objKeyLen,
778 GBool decrypt) {
779 Guint temp;
780 int i, round;
781
782 //~ this assumes objKeyLen == 16
783
784 for (i = 0; i < 4; ++i) {
785 s->w[i] = (objKey[4*i] << 24) + (objKey[4*i+1] << 16) +
786 (objKey[4*i+2] << 8) + objKey[4*i+3];
787 }
788 for (i = 4; i < 44; ++i) {
789 temp = s->w[i-1];
790 if (!(i & 3)) {
791 temp = subWord(rotWord(temp)) ^ rcon[i/4];
792 }
793 s->w[i] = s->w[i-4] ^ temp;
794 }
795 if (decrypt) {
796 for (round = 1; round <= 9; ++round) {
797 invMixColumnsW(&s->w[round * 4]);
798 }
799 }
800 }
801
aesEncryptBlock(DecryptAESState * s,Guchar * in)802 void aesEncryptBlock(DecryptAESState *s, Guchar *in) {
803 int c, round;
804
805 // initial state + CBC
806 for (c = 0; c < 4; ++c) {
807 s->state[c] = in[4*c] ^ s->cbc[4*c];
808 s->state[4+c] = in[4*c+1] ^ s->cbc[4*c+1];
809 s->state[8+c] = in[4*c+2] ^ s->cbc[4*c+2];
810 s->state[12+c] = in[4*c+3] ^ s->cbc[4*c+3];
811 }
812
813 // round 0
814 addRoundKey(s->state, &s->w[0]);
815
816 // rounds 1 .. 9
817 for (round = 1; round <= 9; ++round) {
818 subBytes(s->state);
819 shiftRows(s->state);
820 mixColumns(s->state);
821 addRoundKey(s->state, &s->w[round * 4]);
822 }
823
824 // round 10
825 subBytes(s->state);
826 shiftRows(s->state);
827 addRoundKey(s->state, &s->w[10 * 4]);
828
829 // output + save for next CBC
830 for (c = 0; c < 4; ++c) {
831 s->buf[4*c] = s->cbc[4*c] = s->state[c];
832 s->buf[4*c+1] = s->cbc[4*c+1] = s->state[4+c];
833 s->buf[4*c+2] = s->cbc[4*c+2] = s->state[8+c];
834 s->buf[4*c+3] = s->cbc[4*c+3] = s->state[12+c];
835 }
836 }
837
aesDecryptBlock(DecryptAESState * s,Guchar * in,GBool last)838 void aesDecryptBlock(DecryptAESState *s, Guchar *in, GBool last) {
839 int c, round, n, i;
840
841 // initial state
842 for (c = 0; c < 4; ++c) {
843 s->state[c] = in[4*c];
844 s->state[4+c] = in[4*c+1];
845 s->state[8+c] = in[4*c+2];
846 s->state[12+c] = in[4*c+3];
847 }
848
849 // round 0
850 addRoundKey(s->state, &s->w[10 * 4]);
851
852 // rounds 1-9
853 for (round = 9; round >= 1; --round) {
854 invSubBytes(s->state);
855 invShiftRows(s->state);
856 invMixColumns(s->state);
857 addRoundKey(s->state, &s->w[round * 4]);
858 }
859
860 // round 10
861 invSubBytes(s->state);
862 invShiftRows(s->state);
863 addRoundKey(s->state, &s->w[0]);
864
865 // CBC
866 for (c = 0; c < 4; ++c) {
867 s->buf[4*c] = s->state[c] ^ s->cbc[4*c];
868 s->buf[4*c+1] = s->state[4+c] ^ s->cbc[4*c+1];
869 s->buf[4*c+2] = s->state[8+c] ^ s->cbc[4*c+2];
870 s->buf[4*c+3] = s->state[12+c] ^ s->cbc[4*c+3];
871 }
872
873 // save the input block for the next CBC
874 for (i = 0; i < 16; ++i) {
875 s->cbc[i] = in[i];
876 }
877
878 // remove padding
879 s->bufIdx = 0;
880 if (last) {
881 n = s->buf[15];
882 if (n < 1 || n > 16) { // this should never happen
883 n = 16;
884 }
885 for (i = 15; i >= n; --i) {
886 s->buf[i] = s->buf[i-n];
887 }
888 s->bufIdx = n;
889 }
890 }
891
892 //------------------------------------------------------------------------
893 // AES-256 decryption
894 //------------------------------------------------------------------------
895
aes256KeyExpansion(DecryptAES256State * s,Guchar * objKey,int objKeyLen)896 static void aes256KeyExpansion(DecryptAES256State *s,
897 Guchar *objKey, int objKeyLen) {
898 Guint temp;
899 int i, round;
900
901 //~ this assumes objKeyLen == 32
902
903 for (i = 0; i < 8; ++i) {
904 s->w[i] = (objKey[4*i] << 24) + (objKey[4*i+1] << 16) +
905 (objKey[4*i+2] << 8) + objKey[4*i+3];
906 }
907 for (i = 8; i < 60; ++i) {
908 temp = s->w[i-1];
909 if ((i & 7) == 0) {
910 temp = subWord(rotWord(temp)) ^ rcon[i/8];
911 } else if ((i & 7) == 4) {
912 temp = subWord(temp);
913 }
914 s->w[i] = s->w[i-8] ^ temp;
915 }
916 for (round = 1; round <= 13; ++round) {
917 invMixColumnsW(&s->w[round * 4]);
918 }
919 }
920
aes256DecryptBlock(DecryptAES256State * s,Guchar * in,GBool last)921 static void aes256DecryptBlock(DecryptAES256State *s, Guchar *in, GBool last) {
922 int c, round, n, i;
923
924 // initial state
925 for (c = 0; c < 4; ++c) {
926 s->state[c] = in[4*c];
927 s->state[4+c] = in[4*c+1];
928 s->state[8+c] = in[4*c+2];
929 s->state[12+c] = in[4*c+3];
930 }
931
932 // round 0
933 addRoundKey(s->state, &s->w[14 * 4]);
934
935 // rounds 13-1
936 for (round = 13; round >= 1; --round) {
937 invSubBytes(s->state);
938 invShiftRows(s->state);
939 invMixColumns(s->state);
940 addRoundKey(s->state, &s->w[round * 4]);
941 }
942
943 // round 14
944 invSubBytes(s->state);
945 invShiftRows(s->state);
946 addRoundKey(s->state, &s->w[0]);
947
948 // CBC
949 for (c = 0; c < 4; ++c) {
950 s->buf[4*c] = s->state[c] ^ s->cbc[4*c];
951 s->buf[4*c+1] = s->state[4+c] ^ s->cbc[4*c+1];
952 s->buf[4*c+2] = s->state[8+c] ^ s->cbc[4*c+2];
953 s->buf[4*c+3] = s->state[12+c] ^ s->cbc[4*c+3];
954 }
955
956 // save the input block for the next CBC
957 for (i = 0; i < 16; ++i) {
958 s->cbc[i] = in[i];
959 }
960
961 // remove padding
962 s->bufIdx = 0;
963 if (last) {
964 n = s->buf[15];
965 if (n < 1 || n > 16) { // this should never happen
966 n = 16;
967 }
968 for (i = 15; i >= n; --i) {
969 s->buf[i] = s->buf[i-n];
970 }
971 s->bufIdx = n;
972 }
973 }
974
975 //------------------------------------------------------------------------
976 // MD5 message digest
977 //------------------------------------------------------------------------
978
979 // this works around a bug in older Sun compilers
rotateLeft(Gulong x,int r)980 static inline Gulong rotateLeft(Gulong x, int r) {
981 x &= 0xffffffff;
982 return ((x << r) | (x >> (32 - r))) & 0xffffffff;
983 }
984
md5Round1(Gulong a,Gulong b,Gulong c,Gulong d,Gulong Xk,Gulong s,Gulong Ti)985 static inline Gulong md5Round1(Gulong a, Gulong b, Gulong c, Gulong d,
986 Gulong Xk, Gulong s, Gulong Ti) {
987 return b + rotateLeft((a + ((b & c) | (~b & d)) + Xk + Ti), s);
988 }
989
md5Round2(Gulong a,Gulong b,Gulong c,Gulong d,Gulong Xk,Gulong s,Gulong Ti)990 static inline Gulong md5Round2(Gulong a, Gulong b, Gulong c, Gulong d,
991 Gulong Xk, Gulong s, Gulong Ti) {
992 return b + rotateLeft((a + ((b & d) | (c & ~d)) + Xk + Ti), s);
993 }
994
md5Round3(Gulong a,Gulong b,Gulong c,Gulong d,Gulong Xk,Gulong s,Gulong Ti)995 static inline Gulong md5Round3(Gulong a, Gulong b, Gulong c, Gulong d,
996 Gulong Xk, Gulong s, Gulong Ti) {
997 return b + rotateLeft((a + (b ^ c ^ d) + Xk + Ti), s);
998 }
999
md5Round4(Gulong a,Gulong b,Gulong c,Gulong d,Gulong Xk,Gulong s,Gulong Ti)1000 static inline Gulong md5Round4(Gulong a, Gulong b, Gulong c, Gulong d,
1001 Gulong Xk, Gulong s, Gulong Ti) {
1002 return b + rotateLeft((a + (c ^ (b | ~d)) + Xk + Ti), s);
1003 }
1004
md5Start(MD5State * state)1005 void md5Start(MD5State *state) {
1006 state->a = 0x67452301;
1007 state->b = 0xefcdab89;
1008 state->c = 0x98badcfe;
1009 state->d = 0x10325476;
1010 state->bufLen = 0;
1011 state->msgLen = 0;
1012 }
1013
md5ProcessBlock(MD5State * state)1014 static void md5ProcessBlock(MD5State *state) {
1015 Gulong x[16];
1016 Gulong a, b, c, d;
1017 int i;
1018
1019 for (i = 0; i < 16; ++i) {
1020 x[i] = state->buf[4*i] | (state->buf[4*i+1] << 8) |
1021 (state->buf[4*i+2] << 16) | (state->buf[4*i+3] << 24);
1022 }
1023
1024 a = state->a;
1025 b = state->b;
1026 c = state->c;
1027 d = state->d;
1028
1029 // round 1
1030 a = md5Round1(a, b, c, d, x[0], 7, 0xd76aa478);
1031 d = md5Round1(d, a, b, c, x[1], 12, 0xe8c7b756);
1032 c = md5Round1(c, d, a, b, x[2], 17, 0x242070db);
1033 b = md5Round1(b, c, d, a, x[3], 22, 0xc1bdceee);
1034 a = md5Round1(a, b, c, d, x[4], 7, 0xf57c0faf);
1035 d = md5Round1(d, a, b, c, x[5], 12, 0x4787c62a);
1036 c = md5Round1(c, d, a, b, x[6], 17, 0xa8304613);
1037 b = md5Round1(b, c, d, a, x[7], 22, 0xfd469501);
1038 a = md5Round1(a, b, c, d, x[8], 7, 0x698098d8);
1039 d = md5Round1(d, a, b, c, x[9], 12, 0x8b44f7af);
1040 c = md5Round1(c, d, a, b, x[10], 17, 0xffff5bb1);
1041 b = md5Round1(b, c, d, a, x[11], 22, 0x895cd7be);
1042 a = md5Round1(a, b, c, d, x[12], 7, 0x6b901122);
1043 d = md5Round1(d, a, b, c, x[13], 12, 0xfd987193);
1044 c = md5Round1(c, d, a, b, x[14], 17, 0xa679438e);
1045 b = md5Round1(b, c, d, a, x[15], 22, 0x49b40821);
1046
1047 // round 2
1048 a = md5Round2(a, b, c, d, x[1], 5, 0xf61e2562);
1049 d = md5Round2(d, a, b, c, x[6], 9, 0xc040b340);
1050 c = md5Round2(c, d, a, b, x[11], 14, 0x265e5a51);
1051 b = md5Round2(b, c, d, a, x[0], 20, 0xe9b6c7aa);
1052 a = md5Round2(a, b, c, d, x[5], 5, 0xd62f105d);
1053 d = md5Round2(d, a, b, c, x[10], 9, 0x02441453);
1054 c = md5Round2(c, d, a, b, x[15], 14, 0xd8a1e681);
1055 b = md5Round2(b, c, d, a, x[4], 20, 0xe7d3fbc8);
1056 a = md5Round2(a, b, c, d, x[9], 5, 0x21e1cde6);
1057 d = md5Round2(d, a, b, c, x[14], 9, 0xc33707d6);
1058 c = md5Round2(c, d, a, b, x[3], 14, 0xf4d50d87);
1059 b = md5Round2(b, c, d, a, x[8], 20, 0x455a14ed);
1060 a = md5Round2(a, b, c, d, x[13], 5, 0xa9e3e905);
1061 d = md5Round2(d, a, b, c, x[2], 9, 0xfcefa3f8);
1062 c = md5Round2(c, d, a, b, x[7], 14, 0x676f02d9);
1063 b = md5Round2(b, c, d, a, x[12], 20, 0x8d2a4c8a);
1064
1065 // round 3
1066 a = md5Round3(a, b, c, d, x[5], 4, 0xfffa3942);
1067 d = md5Round3(d, a, b, c, x[8], 11, 0x8771f681);
1068 c = md5Round3(c, d, a, b, x[11], 16, 0x6d9d6122);
1069 b = md5Round3(b, c, d, a, x[14], 23, 0xfde5380c);
1070 a = md5Round3(a, b, c, d, x[1], 4, 0xa4beea44);
1071 d = md5Round3(d, a, b, c, x[4], 11, 0x4bdecfa9);
1072 c = md5Round3(c, d, a, b, x[7], 16, 0xf6bb4b60);
1073 b = md5Round3(b, c, d, a, x[10], 23, 0xbebfbc70);
1074 a = md5Round3(a, b, c, d, x[13], 4, 0x289b7ec6);
1075 d = md5Round3(d, a, b, c, x[0], 11, 0xeaa127fa);
1076 c = md5Round3(c, d, a, b, x[3], 16, 0xd4ef3085);
1077 b = md5Round3(b, c, d, a, x[6], 23, 0x04881d05);
1078 a = md5Round3(a, b, c, d, x[9], 4, 0xd9d4d039);
1079 d = md5Round3(d, a, b, c, x[12], 11, 0xe6db99e5);
1080 c = md5Round3(c, d, a, b, x[15], 16, 0x1fa27cf8);
1081 b = md5Round3(b, c, d, a, x[2], 23, 0xc4ac5665);
1082
1083 // round 4
1084 a = md5Round4(a, b, c, d, x[0], 6, 0xf4292244);
1085 d = md5Round4(d, a, b, c, x[7], 10, 0x432aff97);
1086 c = md5Round4(c, d, a, b, x[14], 15, 0xab9423a7);
1087 b = md5Round4(b, c, d, a, x[5], 21, 0xfc93a039);
1088 a = md5Round4(a, b, c, d, x[12], 6, 0x655b59c3);
1089 d = md5Round4(d, a, b, c, x[3], 10, 0x8f0ccc92);
1090 c = md5Round4(c, d, a, b, x[10], 15, 0xffeff47d);
1091 b = md5Round4(b, c, d, a, x[1], 21, 0x85845dd1);
1092 a = md5Round4(a, b, c, d, x[8], 6, 0x6fa87e4f);
1093 d = md5Round4(d, a, b, c, x[15], 10, 0xfe2ce6e0);
1094 c = md5Round4(c, d, a, b, x[6], 15, 0xa3014314);
1095 b = md5Round4(b, c, d, a, x[13], 21, 0x4e0811a1);
1096 a = md5Round4(a, b, c, d, x[4], 6, 0xf7537e82);
1097 d = md5Round4(d, a, b, c, x[11], 10, 0xbd3af235);
1098 c = md5Round4(c, d, a, b, x[2], 15, 0x2ad7d2bb);
1099 b = md5Round4(b, c, d, a, x[9], 21, 0xeb86d391);
1100
1101 // increment a, b, c, d
1102 state->a += a;
1103 state->b += b;
1104 state->c += c;
1105 state->d += d;
1106
1107 state->bufLen = 0;
1108 }
1109
md5Append(MD5State * state,Guchar * data,int dataLen)1110 void md5Append(MD5State *state, Guchar *data, int dataLen) {
1111 Guchar *p;
1112 int remain, k;
1113
1114 p = data;
1115 remain = dataLen;
1116 while (state->bufLen + remain >= 64) {
1117 k = 64 - state->bufLen;
1118 memcpy(state->buf + state->bufLen, p, k);
1119 state->bufLen = 64;
1120 md5ProcessBlock(state);
1121 p += k;
1122 remain -= k;
1123 }
1124 if (remain > 0) {
1125 memcpy(state->buf + state->bufLen, p, remain);
1126 state->bufLen += remain;
1127 }
1128 state->msgLen += dataLen;
1129 }
1130
md5Finish(MD5State * state)1131 void md5Finish(MD5State *state) {
1132 // padding and length
1133 state->buf[state->bufLen++] = 0x80;
1134 if (state->bufLen > 56) {
1135 while (state->bufLen < 64) {
1136 state->buf[state->bufLen++] = 0x00;
1137 }
1138 md5ProcessBlock(state);
1139 }
1140 while (state->bufLen < 56) {
1141 state->buf[state->bufLen++] = 0x00;
1142 }
1143 state->buf[56] = (Guchar)(state->msgLen << 3);
1144 state->buf[57] = (Guchar)(state->msgLen >> 5);
1145 state->buf[58] = (Guchar)(state->msgLen >> 13);
1146 state->buf[59] = (Guchar)(state->msgLen >> 21);
1147 state->buf[60] = (Guchar)(state->msgLen >> 29);
1148 state->buf[61] = (Guchar)0;
1149 state->buf[62] = (Guchar)0;
1150 state->buf[63] = (Guchar)0;
1151 state->bufLen = 64;
1152 md5ProcessBlock(state);
1153
1154 // break digest into bytes
1155 state->digest[0] = (Guchar)state->a;
1156 state->digest[1] = (Guchar)(state->a >> 8);
1157 state->digest[2] = (Guchar)(state->a >> 16);
1158 state->digest[3] = (Guchar)(state->a >> 24);
1159 state->digest[4] = (Guchar)state->b;
1160 state->digest[5] = (Guchar)(state->b >> 8);
1161 state->digest[6] = (Guchar)(state->b >> 16);
1162 state->digest[7] = (Guchar)(state->b >> 24);
1163 state->digest[8] = (Guchar)state->c;
1164 state->digest[9] = (Guchar)(state->c >> 8);
1165 state->digest[10] = (Guchar)(state->c >> 16);
1166 state->digest[11] = (Guchar)(state->c >> 24);
1167 state->digest[12] = (Guchar)state->d;
1168 state->digest[13] = (Guchar)(state->d >> 8);
1169 state->digest[14] = (Guchar)(state->d >> 16);
1170 state->digest[15] = (Guchar)(state->d >> 24);
1171 }
1172
md5(Guchar * msg,int msgLen,Guchar * digest)1173 void md5(Guchar *msg, int msgLen, Guchar *digest) {
1174 MD5State state;
1175 int i;
1176
1177 if (msgLen < 0) {
1178 return;
1179 }
1180 md5Start(&state);
1181 md5Append(&state, msg, msgLen);
1182 md5Finish(&state);
1183 for (i = 0; i < 16; ++i) {
1184 digest[i] = state.digest[i];
1185 }
1186 }
1187
1188 //------------------------------------------------------------------------
1189 // SHA-256 hash
1190 //------------------------------------------------------------------------
1191
1192 static Guint sha256K[64] = {
1193 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
1194 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
1195 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
1196 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
1197 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
1198 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
1199 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
1200 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
1201 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
1202 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
1203 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
1204 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
1205 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
1206 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
1207 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
1208 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
1209 };
1210
rotr(Guint x,Guint n)1211 static inline Guint rotr(Guint x, Guint n) {
1212 return (x >> n) | (x << (32 - n));
1213 }
1214
sha256Ch(Guint x,Guint y,Guint z)1215 static inline Guint sha256Ch(Guint x, Guint y, Guint z) {
1216 return (x & y) ^ (~x & z);
1217 }
1218
sha256Maj(Guint x,Guint y,Guint z)1219 static inline Guint sha256Maj(Guint x, Guint y, Guint z) {
1220 return (x & y) ^ (x & z) ^ (y & z);
1221 }
1222
sha256Sigma0(Guint x)1223 static inline Guint sha256Sigma0(Guint x) {
1224 return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22);
1225 }
1226
sha256Sigma1(Guint x)1227 static inline Guint sha256Sigma1(Guint x) {
1228 return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25);
1229 }
1230
sha256sigma0(Guint x)1231 static inline Guint sha256sigma0(Guint x) {
1232 return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3);
1233 }
1234
sha256sigma1(Guint x)1235 static inline Guint sha256sigma1(Guint x) {
1236 return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10);
1237 }
1238
sha256HashBlock(Guchar * blk,Guint * H)1239 static void sha256HashBlock(Guchar *blk, Guint *H) {
1240 Guint W[64];
1241 Guint a, b, c, d, e, f, g, h;
1242 Guint T1, T2;
1243 Guint t;
1244
1245 // 1. prepare the message schedule
1246 for (t = 0; t < 16; ++t) {
1247 W[t] = (blk[t*4] << 24) |
1248 (blk[t*4 + 1] << 16) |
1249 (blk[t*4 + 2] << 8) |
1250 blk[t*4 + 3];
1251 }
1252 for (t = 16; t < 64; ++t) {
1253 W[t] = sha256sigma1(W[t-2]) + W[t-7] + sha256sigma0(W[t-15]) + W[t-16];
1254 }
1255
1256 // 2. initialize the eight working variables
1257 a = H[0];
1258 b = H[1];
1259 c = H[2];
1260 d = H[3];
1261 e = H[4];
1262 f = H[5];
1263 g = H[6];
1264 h = H[7];
1265
1266 // 3.
1267 for (t = 0; t < 64; ++t) {
1268 T1 = h + sha256Sigma1(e) + sha256Ch(e,f,g) + sha256K[t] + W[t];
1269 T2 = sha256Sigma0(a) + sha256Maj(a,b,c);
1270 h = g;
1271 g = f;
1272 f = e;
1273 e = d + T1;
1274 d = c;
1275 c = b;
1276 b = a;
1277 a = T1 + T2;
1278 }
1279
1280 // 4. compute the intermediate hash value
1281 H[0] += a;
1282 H[1] += b;
1283 H[2] += c;
1284 H[3] += d;
1285 H[4] += e;
1286 H[5] += f;
1287 H[6] += g;
1288 H[7] += h;
1289 }
1290
sha256(Guchar * msg,int msgLen,Guchar * hash)1291 static void sha256(Guchar *msg, int msgLen, Guchar *hash) {
1292 Guchar blk[64];
1293 Guint H[8];
1294 int blkLen, i;
1295
1296 H[0] = 0x6a09e667;
1297 H[1] = 0xbb67ae85;
1298 H[2] = 0x3c6ef372;
1299 H[3] = 0xa54ff53a;
1300 H[4] = 0x510e527f;
1301 H[5] = 0x9b05688c;
1302 H[6] = 0x1f83d9ab;
1303 H[7] = 0x5be0cd19;
1304
1305 blkLen = 0;
1306 for (i = 0; i + 64 <= msgLen; i += 64) {
1307 sha256HashBlock(msg + i, H);
1308 }
1309 blkLen = msgLen - i;
1310 if (blkLen > 0) {
1311 memcpy(blk, msg + i, blkLen);
1312 }
1313
1314 // pad the message
1315 blk[blkLen++] = 0x80;
1316 if (blkLen > 56) {
1317 while (blkLen < 64) {
1318 blk[blkLen++] = 0;
1319 }
1320 sha256HashBlock(blk, H);
1321 blkLen = 0;
1322 }
1323 while (blkLen < 56) {
1324 blk[blkLen++] = 0;
1325 }
1326 blk[56] = 0;
1327 blk[57] = 0;
1328 blk[58] = 0;
1329 blk[59] = 0;
1330 blk[60] = (Guchar)(msgLen >> 21);
1331 blk[61] = (Guchar)(msgLen >> 13);
1332 blk[62] = (Guchar)(msgLen >> 5);
1333 blk[63] = (Guchar)(msgLen << 3);
1334 sha256HashBlock(blk, H);
1335
1336 // copy the output into the buffer (convert words to bytes)
1337 for (i = 0; i < 8; ++i) {
1338 hash[i*4] = (Guchar)(H[i] >> 24);
1339 hash[i*4 + 1] = (Guchar)(H[i] >> 16);
1340 hash[i*4 + 2] = (Guchar)(H[i] >> 8);
1341 hash[i*4 + 3] = (Guchar)H[i];
1342 }
1343 }
1344
1345 //------------------------------------------------------------------------
1346 // SHA-384 and SHA-512 hashes
1347 //------------------------------------------------------------------------
1348
1349 typedef unsigned long long SHA512Uint64;
1350
1351 static SHA512Uint64 sha512K[80] = {
1352 0x428a2f98d728ae22LL, 0x7137449123ef65cdLL,
1353 0xb5c0fbcfec4d3b2fLL, 0xe9b5dba58189dbbcLL,
1354 0x3956c25bf348b538LL, 0x59f111f1b605d019LL,
1355 0x923f82a4af194f9bLL, 0xab1c5ed5da6d8118LL,
1356 0xd807aa98a3030242LL, 0x12835b0145706fbeLL,
1357 0x243185be4ee4b28cLL, 0x550c7dc3d5ffb4e2LL,
1358 0x72be5d74f27b896fLL, 0x80deb1fe3b1696b1LL,
1359 0x9bdc06a725c71235LL, 0xc19bf174cf692694LL,
1360 0xe49b69c19ef14ad2LL, 0xefbe4786384f25e3LL,
1361 0x0fc19dc68b8cd5b5LL, 0x240ca1cc77ac9c65LL,
1362 0x2de92c6f592b0275LL, 0x4a7484aa6ea6e483LL,
1363 0x5cb0a9dcbd41fbd4LL, 0x76f988da831153b5LL,
1364 0x983e5152ee66dfabLL, 0xa831c66d2db43210LL,
1365 0xb00327c898fb213fLL, 0xbf597fc7beef0ee4LL,
1366 0xc6e00bf33da88fc2LL, 0xd5a79147930aa725LL,
1367 0x06ca6351e003826fLL, 0x142929670a0e6e70LL,
1368 0x27b70a8546d22ffcLL, 0x2e1b21385c26c926LL,
1369 0x4d2c6dfc5ac42aedLL, 0x53380d139d95b3dfLL,
1370 0x650a73548baf63deLL, 0x766a0abb3c77b2a8LL,
1371 0x81c2c92e47edaee6LL, 0x92722c851482353bLL,
1372 0xa2bfe8a14cf10364LL, 0xa81a664bbc423001LL,
1373 0xc24b8b70d0f89791LL, 0xc76c51a30654be30LL,
1374 0xd192e819d6ef5218LL, 0xd69906245565a910LL,
1375 0xf40e35855771202aLL, 0x106aa07032bbd1b8LL,
1376 0x19a4c116b8d2d0c8LL, 0x1e376c085141ab53LL,
1377 0x2748774cdf8eeb99LL, 0x34b0bcb5e19b48a8LL,
1378 0x391c0cb3c5c95a63LL, 0x4ed8aa4ae3418acbLL,
1379 0x5b9cca4f7763e373LL, 0x682e6ff3d6b2b8a3LL,
1380 0x748f82ee5defb2fcLL, 0x78a5636f43172f60LL,
1381 0x84c87814a1f0ab72LL, 0x8cc702081a6439ecLL,
1382 0x90befffa23631e28LL, 0xa4506cebde82bde9LL,
1383 0xbef9a3f7b2c67915LL, 0xc67178f2e372532bLL,
1384 0xca273eceea26619cLL, 0xd186b8c721c0c207LL,
1385 0xeada7dd6cde0eb1eLL, 0xf57d4f7fee6ed178LL,
1386 0x06f067aa72176fbaLL, 0x0a637dc5a2c898a6LL,
1387 0x113f9804bef90daeLL, 0x1b710b35131c471bLL,
1388 0x28db77f523047d84LL, 0x32caab7b40c72493LL,
1389 0x3c9ebe0a15c9bebcLL, 0x431d67c49c100d4cLL,
1390 0x4cc5d4becb3e42b6LL, 0x597f299cfc657e2aLL,
1391 0x5fcb6fab3ad6faecLL, 0x6c44198c4a475817LL
1392 };
1393
rotr64(SHA512Uint64 x,Guint n)1394 static inline SHA512Uint64 rotr64(SHA512Uint64 x, Guint n) {
1395 return (x >> n) | (x << (64 - n));
1396 }
1397
sha512Ch(SHA512Uint64 x,SHA512Uint64 y,SHA512Uint64 z)1398 static inline SHA512Uint64 sha512Ch(SHA512Uint64 x, SHA512Uint64 y,
1399 SHA512Uint64 z) {
1400 return (x & y) ^ (~x & z);
1401 }
1402
sha512Maj(SHA512Uint64 x,SHA512Uint64 y,SHA512Uint64 z)1403 static inline SHA512Uint64 sha512Maj(SHA512Uint64 x, SHA512Uint64 y,
1404 SHA512Uint64 z) {
1405 return (x & y) ^ (x & z) ^ (y & z);
1406 }
1407
sha512Sigma0(SHA512Uint64 x)1408 static inline SHA512Uint64 sha512Sigma0(SHA512Uint64 x) {
1409 return rotr64(x, 28) ^ rotr64(x, 34) ^ rotr64(x, 39);
1410 }
1411
sha512Sigma1(SHA512Uint64 x)1412 static inline SHA512Uint64 sha512Sigma1(SHA512Uint64 x) {
1413 return rotr64(x, 14) ^ rotr64(x, 18) ^ rotr64(x, 41);
1414 }
1415
sha512sigma0(SHA512Uint64 x)1416 static inline SHA512Uint64 sha512sigma0(SHA512Uint64 x) {
1417 return rotr64(x, 1) ^ rotr64(x, 8) ^ (x >> 7);
1418 }
1419
sha512sigma1(SHA512Uint64 x)1420 static inline SHA512Uint64 sha512sigma1(SHA512Uint64 x) {
1421 return rotr64(x, 19) ^ rotr64(x, 61) ^ (x >> 6);
1422 }
1423
sha512HashBlock(Guchar * blk,SHA512Uint64 * H)1424 static void sha512HashBlock(Guchar *blk, SHA512Uint64 *H) {
1425 SHA512Uint64 W[80];
1426 SHA512Uint64 a, b, c, d, e, f, g, h;
1427 SHA512Uint64 T1, T2;
1428 Guint t;
1429
1430 // 1. prepare the message schedule
1431 for (t = 0; t < 16; ++t) {
1432 W[t] = ((SHA512Uint64)blk[t*8] << 56) |
1433 ((SHA512Uint64)blk[t*8 + 1] << 48) |
1434 ((SHA512Uint64)blk[t*8 + 2] << 40) |
1435 ((SHA512Uint64)blk[t*8 + 3] << 32) |
1436 ((SHA512Uint64)blk[t*8 + 4] << 24) |
1437 ((SHA512Uint64)blk[t*8 + 5] << 16) |
1438 ((SHA512Uint64)blk[t*8 + 6] << 8) |
1439 (SHA512Uint64)blk[t*8 + 7];
1440 }
1441 for (t = 16; t < 80; ++t) {
1442 W[t] = sha512sigma1(W[t-2]) + W[t-7] + sha512sigma0(W[t-15]) + W[t-16];
1443 }
1444
1445 // 2. initialize the eight working variables
1446 a = H[0];
1447 b = H[1];
1448 c = H[2];
1449 d = H[3];
1450 e = H[4];
1451 f = H[5];
1452 g = H[6];
1453 h = H[7];
1454
1455 // 3.
1456 for (t = 0; t < 80; ++t) {
1457 T1 = h + sha512Sigma1(e) + sha512Ch(e,f,g) + sha512K[t] + W[t];
1458 T2 = sha512Sigma0(a) + sha512Maj(a,b,c);
1459 h = g;
1460 g = f;
1461 f = e;
1462 e = d + T1;
1463 d = c;
1464 c = b;
1465 b = a;
1466 a = T1 + T2;
1467 }
1468
1469 // 4. compute the intermediate hash value
1470 H[0] += a;
1471 H[1] += b;
1472 H[2] += c;
1473 H[3] += d;
1474 H[4] += e;
1475 H[5] += f;
1476 H[6] += g;
1477 H[7] += h;
1478 }
1479
sha512(Guchar * msg,int msgLen,Guchar * hash)1480 static void sha512(Guchar *msg, int msgLen, Guchar *hash) {
1481 Guchar blk[128];
1482 SHA512Uint64 H[8];
1483 int blkLen, i;
1484
1485 H[0] = 0x6a09e667f3bcc908LL;
1486 H[1] = 0xbb67ae8584caa73bLL;
1487 H[2] = 0x3c6ef372fe94f82bLL;
1488 H[3] = 0xa54ff53a5f1d36f1LL;
1489 H[4] = 0x510e527fade682d1LL;
1490 H[5] = 0x9b05688c2b3e6c1fLL;
1491 H[6] = 0x1f83d9abfb41bd6bLL;
1492 H[7] = 0x5be0cd19137e2179LL;
1493
1494 blkLen = 0;
1495 for (i = 0; i + 128 <= msgLen; i += 128) {
1496 sha512HashBlock(msg + i, H);
1497 }
1498 blkLen = msgLen - i;
1499 if (blkLen > 0) {
1500 memcpy(blk, msg + i, blkLen);
1501 }
1502
1503 // pad the message
1504 blk[blkLen++] = 0x80;
1505 if (blkLen > 112) {
1506 while (blkLen < 128) {
1507 blk[blkLen++] = 0;
1508 }
1509 sha512HashBlock(blk, H);
1510 blkLen = 0;
1511 }
1512 while (blkLen < 112) {
1513 blk[blkLen++] = 0;
1514 }
1515 blk[112] = 0;
1516 blk[113] = 0;
1517 blk[114] = 0;
1518 blk[115] = 0;
1519 blk[116] = 0;
1520 blk[117] = 0;
1521 blk[118] = 0;
1522 blk[119] = 0;
1523 blk[120] = 0;
1524 blk[121] = 0;
1525 blk[122] = 0;
1526 blk[123] = 0;
1527 blk[124] = (Guchar)(msgLen >> 21);
1528 blk[125] = (Guchar)(msgLen >> 13);
1529 blk[126] = (Guchar)(msgLen >> 5);
1530 blk[127] = (Guchar)(msgLen << 3);
1531 sha512HashBlock(blk, H);
1532
1533 // copy the output into the buffer (convert words to bytes)
1534 for (i = 0; i < 8; ++i) {
1535 hash[i*8] = (Guchar)(H[i] >> 56);
1536 hash[i*8 + 1] = (Guchar)(H[i] >> 48);
1537 hash[i*8 + 2] = (Guchar)(H[i] >> 40);
1538 hash[i*8 + 3] = (Guchar)(H[i] >> 32);
1539 hash[i*8 + 4] = (Guchar)(H[i] >> 24);
1540 hash[i*8 + 5] = (Guchar)(H[i] >> 16);
1541 hash[i*8 + 6] = (Guchar)(H[i] >> 8);
1542 hash[i*8 + 7] = (Guchar)H[i];
1543 }
1544 }
1545
sha384(Guchar * msg,int msgLen,Guchar * hash)1546 static void sha384(Guchar *msg, int msgLen, Guchar *hash) {
1547 Guchar blk[128];
1548 SHA512Uint64 H[8];
1549 int blkLen, i;
1550
1551 H[0] = 0xcbbb9d5dc1059ed8LL;
1552 H[1] = 0x629a292a367cd507LL;
1553 H[2] = 0x9159015a3070dd17LL;
1554 H[3] = 0x152fecd8f70e5939LL;
1555 H[4] = 0x67332667ffc00b31LL;
1556 H[5] = 0x8eb44a8768581511LL;
1557 H[6] = 0xdb0c2e0d64f98fa7LL;
1558 H[7] = 0x47b5481dbefa4fa4LL;
1559
1560 blkLen = 0;
1561 for (i = 0; i + 128 <= msgLen; i += 128) {
1562 sha512HashBlock(msg + i, H);
1563 }
1564 blkLen = msgLen - i;
1565 if (blkLen > 0) {
1566 memcpy(blk, msg + i, blkLen);
1567 }
1568
1569 // pad the message
1570 blk[blkLen++] = 0x80;
1571 if (blkLen > 112) {
1572 while (blkLen < 128) {
1573 blk[blkLen++] = 0;
1574 }
1575 sha512HashBlock(blk, H);
1576 blkLen = 0;
1577 }
1578 while (blkLen < 112) {
1579 blk[blkLen++] = 0;
1580 }
1581 blk[112] = 0;
1582 blk[113] = 0;
1583 blk[114] = 0;
1584 blk[115] = 0;
1585 blk[116] = 0;
1586 blk[117] = 0;
1587 blk[118] = 0;
1588 blk[119] = 0;
1589 blk[120] = 0;
1590 blk[121] = 0;
1591 blk[122] = 0;
1592 blk[123] = 0;
1593 blk[124] = (Guchar)(msgLen >> 21);
1594 blk[125] = (Guchar)(msgLen >> 13);
1595 blk[126] = (Guchar)(msgLen >> 5);
1596 blk[127] = (Guchar)(msgLen << 3);
1597 sha512HashBlock(blk, H);
1598
1599 // copy the output into the buffer (convert words to bytes)
1600 for (i = 0; i < 6; ++i) {
1601 hash[i*8] = (Guchar)(H[i] >> 56);
1602 hash[i*8 + 1] = (Guchar)(H[i] >> 48);
1603 hash[i*8 + 2] = (Guchar)(H[i] >> 40);
1604 hash[i*8 + 3] = (Guchar)(H[i] >> 32);
1605 hash[i*8 + 4] = (Guchar)(H[i] >> 24);
1606 hash[i*8 + 5] = (Guchar)(H[i] >> 16);
1607 hash[i*8 + 6] = (Guchar)(H[i] >> 8);
1608 hash[i*8 + 7] = (Guchar)H[i];
1609 }
1610 }
1611