1 | #------------------------------------------------------------------------------
|
---|
2 | # File: AES.pm
|
---|
3 | #
|
---|
4 | # Description: AES encryption with cipher-block chaining
|
---|
5 | #
|
---|
6 | # Revisions: 2010/10/14 - P. Harvey Created
|
---|
7 | #
|
---|
8 | # References: 1) http://www.hoozi.com/Articles/AESEncryption.htm
|
---|
9 | # 2) http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf
|
---|
10 | # 3) http://www.faqs.org/rfcs/rfc3602.html
|
---|
11 | #------------------------------------------------------------------------------
|
---|
12 |
|
---|
13 | package Image::ExifTool::AES;
|
---|
14 |
|
---|
15 | use strict;
|
---|
16 | use vars qw($VERSION @ISA @EXPORT_OK);
|
---|
17 | require Exporter;
|
---|
18 |
|
---|
19 | $VERSION = '1.01';
|
---|
20 | @ISA = qw(Exporter);
|
---|
21 | @EXPORT_OK = qw(Crypt);
|
---|
22 |
|
---|
23 | my $seeded; # flag set if we already seeded random number generator
|
---|
24 | my $nr; # number of rounds in AES cipher
|
---|
25 | my @cbc; # cipher-block chaining bytes
|
---|
26 |
|
---|
27 | # arrays (all unsigned character) to hold intermediate results during encryption
|
---|
28 | my @state = ([],[],[],[]); # the 2-dimensional state array
|
---|
29 | my @RoundKey; # round keys
|
---|
30 |
|
---|
31 | my @sbox = (
|
---|
32 | 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
|
---|
33 | 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
|
---|
34 | 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
|
---|
35 | 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
|
---|
36 | 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
|
---|
37 | 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
|
---|
38 | 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
|
---|
39 | 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
|
---|
40 | 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
|
---|
41 | 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
|
---|
42 | 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
|
---|
43 | 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
|
---|
44 | 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
|
---|
45 | 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
|
---|
46 | 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
|
---|
47 | 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
|
---|
48 | );
|
---|
49 |
|
---|
50 | # reverse sbox
|
---|
51 | my @rsbox = (
|
---|
52 | 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
|
---|
53 | 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
|
---|
54 | 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
|
---|
55 | 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
|
---|
56 | 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
|
---|
57 | 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
|
---|
58 | 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
|
---|
59 | 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
|
---|
60 | 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
|
---|
61 | 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
|
---|
62 | 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
|
---|
63 | 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
|
---|
64 | 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
|
---|
65 | 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
|
---|
66 | 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
|
---|
67 | 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d,
|
---|
68 | );
|
---|
69 |
|
---|
70 | # the round constant word array, $rcon[i], contains the values given by
|
---|
71 | # x to the power (i-1) being powers of x (x is denoted as {02}) in the field GF(2^8)
|
---|
72 | # Note that i starts at 1, not 0).
|
---|
73 | my @rcon = (
|
---|
74 | 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a,
|
---|
75 | 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39,
|
---|
76 | 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a,
|
---|
77 | 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8,
|
---|
78 | 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef,
|
---|
79 | 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc,
|
---|
80 | 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b,
|
---|
81 | 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3,
|
---|
82 | 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94,
|
---|
83 | 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20,
|
---|
84 | 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35,
|
---|
85 | 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f,
|
---|
86 | 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04,
|
---|
87 | 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63,
|
---|
88 | 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd,
|
---|
89 | 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb,
|
---|
90 | );
|
---|
91 |
|
---|
92 | #------------------------------------------------------------------------------
|
---|
93 | # This function produces 4*($nr+1) round keys.
|
---|
94 | # The round keys are used in each round to encrypt the states.
|
---|
95 | # Inputs: 0) key string (must be 16, 24 or 32 bytes long)
|
---|
96 | sub KeyExpansion($)
|
---|
97 | {
|
---|
98 | my $key = shift;
|
---|
99 | my @key = unpack 'C*', $key; # convert the key into a byte array
|
---|
100 | my $nk = int(length($key) / 4); # number of 32-bit words in the key
|
---|
101 | $nr = $nk + 6; # number of rounds
|
---|
102 |
|
---|
103 | # temporary variables (all unsigned characters)
|
---|
104 | my ($i,@temp);
|
---|
105 |
|
---|
106 | # The first round key is the key itself.
|
---|
107 | for ($i=0; $i<$nk; ++$i) {
|
---|
108 | @RoundKey[$i*4..$i*4+3] = @key[$i*4..$i*4+3];
|
---|
109 | }
|
---|
110 | # All other round keys are found from the previous round keys.
|
---|
111 | while ($i < (4 * ($nr+1))) {
|
---|
112 |
|
---|
113 | @temp[0..3] = @RoundKey[($i-1)*4..($i-1)*4+3];
|
---|
114 |
|
---|
115 | if ($i % $nk == 0) {
|
---|
116 | # rotate the 4 bytes in a word to the left once
|
---|
117 | # [a0,a1,a2,a3] becomes [a1,a2,a3,a0]
|
---|
118 | @temp[0..3] = @temp[1,2,3,0];
|
---|
119 |
|
---|
120 | # take a four-byte input word and apply the S-box
|
---|
121 | # to each of the four bytes to produce an output word.
|
---|
122 | @temp[0..3] = @sbox[@temp[0..3]];
|
---|
123 |
|
---|
124 | $temp[0] = $temp[0] ^ $rcon[$i/$nk];
|
---|
125 |
|
---|
126 | } elsif ($nk > 6 && $i % $nk == 4) {
|
---|
127 |
|
---|
128 | @temp[0..3] = @sbox[@temp[0..3]];
|
---|
129 | }
|
---|
130 | $RoundKey[$i*4+0] = $RoundKey[($i-$nk)*4+0] ^ $temp[0];
|
---|
131 | $RoundKey[$i*4+1] = $RoundKey[($i-$nk)*4+1] ^ $temp[1];
|
---|
132 | $RoundKey[$i*4+2] = $RoundKey[($i-$nk)*4+2] ^ $temp[2];
|
---|
133 | $RoundKey[$i*4+3] = $RoundKey[($i-$nk)*4+3] ^ $temp[3];
|
---|
134 | ++$i;
|
---|
135 | }
|
---|
136 | }
|
---|
137 |
|
---|
138 | #------------------------------------------------------------------------------
|
---|
139 | # This function adds the round key to state.
|
---|
140 | # The round key is added to the state by an XOR function.
|
---|
141 | sub AddRoundKey($)
|
---|
142 | {
|
---|
143 | my $round = shift;
|
---|
144 | my ($i,$j);
|
---|
145 | for ($i=0; $i<4; ++$i) {
|
---|
146 | my $k = $round*16 + $i*4;
|
---|
147 | for ($j=0; $j<4; ++$j) {
|
---|
148 | $state[$j][$i] ^= $RoundKey[$k + $j];
|
---|
149 | }
|
---|
150 | }
|
---|
151 | }
|
---|
152 |
|
---|
153 | #------------------------------------------------------------------------------
|
---|
154 | # Substitute the values in the state matrix with values in an S-box
|
---|
155 | sub SubBytes()
|
---|
156 | {
|
---|
157 | my $i;
|
---|
158 | for ($i=0; $i<4; ++$i) {
|
---|
159 | @{$state[$i]}[0..3] = @sbox[@{$state[$i]}[0..3]];
|
---|
160 | }
|
---|
161 | }
|
---|
162 |
|
---|
163 | sub InvSubBytes()
|
---|
164 | {
|
---|
165 | my $i;
|
---|
166 | for ($i=0; $i<4; ++$i) {
|
---|
167 | @{$state[$i]}[0..3] = @rsbox[@{$state[$i]}[0..3]];
|
---|
168 | }
|
---|
169 | }
|
---|
170 |
|
---|
171 | #------------------------------------------------------------------------------
|
---|
172 | # Shift the rows in the state to the left.
|
---|
173 | # Each row is shifted with different offset.
|
---|
174 | # Offset = Row number. So the first row is not shifted.
|
---|
175 | sub ShiftRows()
|
---|
176 | {
|
---|
177 | # rotate first row 1 columns to left
|
---|
178 | @{$state[1]}[0,1,2,3] = @{$state[1]}[1,2,3,0];
|
---|
179 |
|
---|
180 | # rotate second row 2 columns to left
|
---|
181 | @{$state[2]}[0,1,2,3] = @{$state[2]}[2,3,0,1];
|
---|
182 |
|
---|
183 | # rotate third row 3 columns to left
|
---|
184 | @{$state[3]}[0,1,2,3] = @{$state[3]}[3,0,1,2];
|
---|
185 | }
|
---|
186 |
|
---|
187 | sub InvShiftRows()
|
---|
188 | {
|
---|
189 | # rotate first row 1 columns to right
|
---|
190 | @{$state[1]}[0,1,2,3] = @{$state[1]}[3,0,1,2];
|
---|
191 |
|
---|
192 | # rotate second row 2 columns to right
|
---|
193 | @{$state[2]}[0,1,2,3] = @{$state[2]}[2,3,0,1];
|
---|
194 |
|
---|
195 | # rotate third row 3 columns to right
|
---|
196 | @{$state[3]}[0,1,2,3] = @{$state[3]}[1,2,3,0];
|
---|
197 | }
|
---|
198 |
|
---|
199 | #------------------------------------------------------------------------------
|
---|
200 | # Find the product of {02} and the argument to xtime modulo 0x1b
|
---|
201 | # Note: returns an integer which may need to be trimmed to 8 bits
|
---|
202 | sub xtime($)
|
---|
203 | {
|
---|
204 | return ($_[0]<<1) ^ ((($_[0]>>7) & 1) * 0x1b);
|
---|
205 | }
|
---|
206 |
|
---|
207 | #------------------------------------------------------------------------------
|
---|
208 | # Multiply numbers in the field GF(2^8)
|
---|
209 | sub Mult($$)
|
---|
210 | {
|
---|
211 | my ($x, $y) = @_;
|
---|
212 | return (($y & 1) * $x) ^
|
---|
213 | (($y>>1 & 1) * xtime($x)) ^
|
---|
214 | (($y>>2 & 1) * xtime(xtime($x))) ^
|
---|
215 | (($y>>3 & 1) * xtime(xtime(xtime($x)))) ^
|
---|
216 | (($y>>4 & 1) * xtime(xtime(xtime(xtime($x)))));
|
---|
217 | }
|
---|
218 |
|
---|
219 | #------------------------------------------------------------------------------
|
---|
220 | # Mix the columns of the state matrix
|
---|
221 | sub MixColumns()
|
---|
222 | {
|
---|
223 | my ($i,$t0,$t1,$t2);
|
---|
224 | for ($i=0; $i<4; ++$i) {
|
---|
225 | $t0 = $state[0][$i];
|
---|
226 | $t2 = $state[0][$i] ^ $state[1][$i] ^ $state[2][$i] ^ $state[3][$i];
|
---|
227 | $t1 = $state[0][$i] ^ $state[1][$i] ; $t1 = xtime($t1) & 0xff; $state[0][$i] ^= $t1 ^ $t2 ;
|
---|
228 | $t1 = $state[1][$i] ^ $state[2][$i] ; $t1 = xtime($t1) & 0xff; $state[1][$i] ^= $t1 ^ $t2 ;
|
---|
229 | $t1 = $state[2][$i] ^ $state[3][$i] ; $t1 = xtime($t1) & 0xff; $state[2][$i] ^= $t1 ^ $t2 ;
|
---|
230 | $t1 = $state[3][$i] ^ $t0 ; $t1 = xtime($t1) & 0xff; $state[3][$i] ^= $t1 ^ $t2 ;
|
---|
231 | }
|
---|
232 | }
|
---|
233 |
|
---|
234 | sub InvMixColumns()
|
---|
235 | {
|
---|
236 | my $i;
|
---|
237 | for ($i=0; $i<4; ++$i) {
|
---|
238 | my $a = $state[0][$i];
|
---|
239 | my $b = $state[1][$i];
|
---|
240 | my $c = $state[2][$i];
|
---|
241 | my $d = $state[3][$i];
|
---|
242 | $state[0][$i] = (Mult($a,0x0e) ^ Mult($b,0x0b) ^ Mult($c,0x0d) ^ Mult($d,0x09)) & 0xff;
|
---|
243 | $state[1][$i] = (Mult($a,0x09) ^ Mult($b,0x0e) ^ Mult($c,0x0b) ^ Mult($d,0x0d)) & 0xff;
|
---|
244 | $state[2][$i] = (Mult($a,0x0d) ^ Mult($b,0x09) ^ Mult($c,0x0e) ^ Mult($d,0x0b)) & 0xff;
|
---|
245 | $state[3][$i] = (Mult($a,0x0b) ^ Mult($b,0x0d) ^ Mult($c,0x09) ^ Mult($d,0x0e)) & 0xff;
|
---|
246 | }
|
---|
247 | }
|
---|
248 |
|
---|
249 | #------------------------------------------------------------------------------
|
---|
250 | # Encrypt (Cipher) or decrypt (InvCipher) a block of data with CBC
|
---|
251 | # Inputs: 0) string to cipher (must be 16 bytes long)
|
---|
252 | # Returns: cipher'd string
|
---|
253 | sub Cipher($)
|
---|
254 | {
|
---|
255 | my @in = unpack 'C*', $_[0]; # unpack input plaintext
|
---|
256 | my ($i, $j, $round);
|
---|
257 |
|
---|
258 | # copy the input PlainText to state array and apply the CBC
|
---|
259 | for ($i=0; $i<4; ++$i) {
|
---|
260 | for ($j=0; $j<4; ++$j) {
|
---|
261 | my $k = $i*4 + $j;
|
---|
262 | $state[$j][$i] = $in[$k] ^ $cbc[$k];
|
---|
263 | }
|
---|
264 | }
|
---|
265 |
|
---|
266 | # add the First round key to the state before starting the rounds
|
---|
267 | AddRoundKey(0);
|
---|
268 |
|
---|
269 | # there will be $nr rounds; the first $nr-1 rounds are identical
|
---|
270 | for ($round=1; ; ++$round) {
|
---|
271 | SubBytes();
|
---|
272 | ShiftRows();
|
---|
273 | if ($round < $nr) {
|
---|
274 | MixColumns();
|
---|
275 | AddRoundKey($round);
|
---|
276 | } else {
|
---|
277 | # MixColumns() is not used in the last round
|
---|
278 | AddRoundKey($nr);
|
---|
279 | last;
|
---|
280 | }
|
---|
281 | }
|
---|
282 |
|
---|
283 | # the encryption process is over
|
---|
284 | # copy the state array to output array (and save for CBC)
|
---|
285 | for ($i=0; $i<4; ++$i) {
|
---|
286 | for ($j=0; $j<4; ++$j) {
|
---|
287 | $cbc[$i*4+$j] = $state[$j][$i];
|
---|
288 | }
|
---|
289 | }
|
---|
290 | return pack 'C*', @cbc; # return packed ciphertext
|
---|
291 | }
|
---|
292 |
|
---|
293 | sub InvCipher($)
|
---|
294 | {
|
---|
295 | my @in = unpack 'C*', $_[0]; # unpack input ciphertext
|
---|
296 | my (@out, $i, $j, $round);
|
---|
297 |
|
---|
298 | # copy the input CipherText to state array
|
---|
299 | for ($i=0; $i<4; ++$i) {
|
---|
300 | for ($j=0; $j<4; ++$j) {
|
---|
301 | $state[$j][$i] = $in[$i*4 + $j];
|
---|
302 | }
|
---|
303 | }
|
---|
304 |
|
---|
305 | # add the First round key to the state before starting the rounds
|
---|
306 | AddRoundKey($nr);
|
---|
307 |
|
---|
308 | # there will be $nr rounds; the first $nr-1 rounds are identical
|
---|
309 | for ($round=$nr-1; ; --$round) {
|
---|
310 | InvShiftRows();
|
---|
311 | InvSubBytes();
|
---|
312 | AddRoundKey($round);
|
---|
313 | # InvMixColumns() is not used in the last round
|
---|
314 | last if $round <= 0;
|
---|
315 | InvMixColumns();
|
---|
316 | }
|
---|
317 |
|
---|
318 | # copy the state array to output array and reverse the CBC
|
---|
319 | for ($i=0; $i<4; ++$i) {
|
---|
320 | for ($j=0; $j<4; ++$j) {
|
---|
321 | my $k = $i*4 + $j;
|
---|
322 | $out[$k] = $state[$j][$i] ^ $cbc[$k];
|
---|
323 | }
|
---|
324 | }
|
---|
325 | @cbc = @in; # update CBC for next block
|
---|
326 | return pack 'C*', @out; # return packed plaintext
|
---|
327 | }
|
---|
328 |
|
---|
329 | #------------------------------------------------------------------------------
|
---|
330 | # Encrypt/Decrypt using AES-CBC algorithm (with fixed 16-byte blocks)
|
---|
331 | # Inputs: 0) data reference (with leading 16-byte initialization vector when decrypting)
|
---|
332 | # 1) encryption key (16, 24 or 32 bytes for AES-128, AES-192 or AES-256)
|
---|
333 | # 2) encrypt flag (false for decryption, true with length 16 bytes to
|
---|
334 | # encrypt using this as the CBC IV, or true with other length to
|
---|
335 | # encrypt with a randomly-generated IV)
|
---|
336 | # 3) flag to disable padding
|
---|
337 | # Returns: error string, or undef on success
|
---|
338 | # Notes: encrypts/decrypts data in place
|
---|
339 | sub Crypt($$;$$)
|
---|
340 | {
|
---|
341 | my ($dataPt, $key, $encrypt, $noPad) = @_;
|
---|
342 |
|
---|
343 | # validate key length
|
---|
344 | my $keyLen = length $key;
|
---|
345 | unless ($keyLen == 16 or $keyLen == 24 or $keyLen == 32) {
|
---|
346 | return "Invalid AES key length ($keyLen)";
|
---|
347 | }
|
---|
348 | my $partLen = length($$dataPt) % 16;
|
---|
349 | my ($pos, $i);
|
---|
350 | if ($encrypt) {
|
---|
351 | if (length($encrypt) == 16) {
|
---|
352 | @cbc = unpack 'C*', $encrypt;
|
---|
353 | } else {
|
---|
354 | # generate a random 16-byte CBC initialization vector
|
---|
355 | unless ($seeded) {
|
---|
356 | srand(time() & ($$ + ($$<<15)));
|
---|
357 | $seeded = 1;
|
---|
358 | }
|
---|
359 | for ($i=0; $i<16; ++$i) {
|
---|
360 | $cbc[$i] = int(rand(256));
|
---|
361 | }
|
---|
362 | $encrypt = pack 'C*', @cbc;
|
---|
363 | }
|
---|
364 | $$dataPt = $encrypt . $$dataPt; # add IV to the start of the data
|
---|
365 | # add required padding so we can recover the
|
---|
366 | # original string length after decryption
|
---|
367 | # (padding bytes have value set to padding length)
|
---|
368 | my $padLen = 16 - $partLen;
|
---|
369 | $$dataPt .= (chr($padLen)) x $padLen unless $padLen == 16 and $noPad;
|
---|
370 | $pos = 16; # start encrypting at byte 16 (after the IV)
|
---|
371 | } elsif ($partLen) {
|
---|
372 | return 'Invalid AES ciphertext length';
|
---|
373 | } elsif (length $$dataPt >= 32) {
|
---|
374 | # take the CBC initialization vector from the start of the data
|
---|
375 | @cbc = unpack 'C16', $$dataPt;
|
---|
376 | $$dataPt = substr($$dataPt, 16);
|
---|
377 | $pos = 0; # start decrypting from byte 0 (now that IV is removed)
|
---|
378 | } else {
|
---|
379 | $$dataPt = ''; # empty text
|
---|
380 | return undef;
|
---|
381 | }
|
---|
382 | # the KeyExpansion routine must be called before encryption
|
---|
383 | KeyExpansion($key);
|
---|
384 |
|
---|
385 | # loop through the data and convert in blocks
|
---|
386 | my $dataLen = length $$dataPt;
|
---|
387 | my $last = $dataLen - 16;
|
---|
388 | my $func = $encrypt ? \&Cipher : \&InvCipher;
|
---|
389 | while ($pos <= $last) {
|
---|
390 | # cipher this block
|
---|
391 | substr($$dataPt, $pos, 16) = &$func(substr($$dataPt, $pos, 16));
|
---|
392 | $pos += 16;
|
---|
393 | }
|
---|
394 | unless ($encrypt or $noPad) {
|
---|
395 | # remove padding if necessary (padding byte value gives length of padding)
|
---|
396 | my $padLen = ord(substr($$dataPt, -1, 1));
|
---|
397 | return 'AES decryption error (invalid pad byte)' if $padLen > 16;
|
---|
398 | $$dataPt = substr($$dataPt, 0, $dataLen - $padLen);
|
---|
399 | }
|
---|
400 | return undef;
|
---|
401 | }
|
---|
402 |
|
---|
403 | 1; # end
|
---|
404 |
|
---|
405 |
|
---|
406 | __END__
|
---|
407 |
|
---|
408 | =head1 NAME
|
---|
409 |
|
---|
410 | Image::ExifTool::AES - AES encryption with cipher-block chaining
|
---|
411 |
|
---|
412 | =head1 SYNOPSIS
|
---|
413 |
|
---|
414 | use Image::ExifTool::AES qw(Crypt);
|
---|
415 |
|
---|
416 | $err = Crypt(\$plaintext, $key, 1); # encryption
|
---|
417 |
|
---|
418 | $err = Crypt(\$ciphertext, $key); # decryption
|
---|
419 |
|
---|
420 | =head1 DESCRIPTION
|
---|
421 |
|
---|
422 | This module contains an implementation of the AES encryption/decryption
|
---|
423 | algorithms with cipher-block chaining (CBC) and RFC 2898 PKCS #5 padding.
|
---|
424 | This is the AESV2 and AESV3 encryption mode used in PDF documents.
|
---|
425 |
|
---|
426 | =head1 EXPORTS
|
---|
427 |
|
---|
428 | Exports nothing by default, but L</Crypt> may be exported.
|
---|
429 |
|
---|
430 | =head1 METHODS
|
---|
431 |
|
---|
432 | =head2 Crypt
|
---|
433 |
|
---|
434 | Implement AES encryption/decryption with cipher-block chaining.
|
---|
435 |
|
---|
436 | =over 4
|
---|
437 |
|
---|
438 | =item Inputs:
|
---|
439 |
|
---|
440 | 0) Scalar reference for data to encrypt/decrypt.
|
---|
441 |
|
---|
442 | 1) Encryption key string (must have length 16, 24 or 32).
|
---|
443 |
|
---|
444 | 2) [optional] Encrypt flag (false to decrypt).
|
---|
445 |
|
---|
446 | 3) [optional] Flag to avoid removing padding after decrypting, or to avoid
|
---|
447 | adding 16 bytes of padding before encrypting when data length is already a
|
---|
448 | multiple of 16 bytes.
|
---|
449 |
|
---|
450 | =item Returns:
|
---|
451 |
|
---|
452 | On success, the return value is undefined and the data is encrypted or
|
---|
453 | decrypted as specified. Otherwise returns an error string and the data is
|
---|
454 | left in an indeterminate state.
|
---|
455 |
|
---|
456 | =item Notes:
|
---|
457 |
|
---|
458 | The length of the encryption key dictates the AES mode, with lengths of 16,
|
---|
459 | 24 and 32 bytes resulting in AES-128, AES-192 and AES-256.
|
---|
460 |
|
---|
461 | When encrypting, the input data may be any length and will be padded to an
|
---|
462 | even 16-byte block size using the specified padding technique. If the
|
---|
463 | encrypt flag has length 16, it is used as the initialization vector for
|
---|
464 | the cipher-block chaining, otherwise a random IV is generated. Upon
|
---|
465 | successful return the data will be encrypted, with the first 16 bytes of
|
---|
466 | the data being the CBC IV.
|
---|
467 |
|
---|
468 | When decrypting, the input data begins with the 16-byte CBC initialization
|
---|
469 | vector.
|
---|
470 |
|
---|
471 | =back
|
---|
472 |
|
---|
473 | =head1 BUGS
|
---|
474 |
|
---|
475 | This code is blindingly slow. But in truth, slowing down processing is the
|
---|
476 | main purpose of encryption, so this really can't be considered a bug.
|
---|
477 |
|
---|
478 | =head1 AUTHOR
|
---|
479 |
|
---|
480 | Copyright 2003-2011, Phil Harvey (phil at owl.phy.queensu.ca)
|
---|
481 |
|
---|
482 | This library is free software; you can redistribute it and/or modify it
|
---|
483 | under the same terms as Perl itself.
|
---|
484 |
|
---|
485 | =head1 REFERENCES
|
---|
486 |
|
---|
487 | =over 4
|
---|
488 |
|
---|
489 | =item L<http://www.hoozi.com/Articles/AESEncryption.htm>
|
---|
490 |
|
---|
491 | =item L<http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf>
|
---|
492 |
|
---|
493 | =item L<http://www.faqs.org/rfcs/rfc3602.html>
|
---|
494 |
|
---|
495 | =back
|
---|
496 |
|
---|
497 | =head1 SEE ALSO
|
---|
498 |
|
---|
499 | L<Image::ExifTool(3pm)|Image::ExifTool>
|
---|
500 |
|
---|
501 | =cut
|
---|