Rijndael.php — UpdraftPlus: WP Backup & Migration Plugin 1.1.13

updraftplus / includes / Rijndael.php

updraftplus / includes Last commit date

Rijndael.php 14 years ago S3.php 13 years ago class-gdocs.php 13 years ago ftp.class.php 14 years ago updraft-restorer.php 13 years ago

Rijndael.php

1424 lines

1	<?php
2	/* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */
3
4	/**
5	* Pure-PHP implementation of Rijndael.
6	*
7	* Does not use mcrypt, even when available, for reasons that are explained below.
8	*
9	* PHP versions 4 and 5
10	*
11	* If {@link Crypt_Rijndael::setBlockLength() setBlockLength()} isn't called, it'll be assumed to be 128 bits. If
12	* {@link Crypt_Rijndael::setKeyLength() setKeyLength()} isn't called, it'll be calculated from
13	* {@link Crypt_Rijndael::setKey() setKey()}. ie. if the key is 128-bits, the key length will be 128-bits. If it's
14	* 136-bits it'll be null-padded to 160-bits and 160 bits will be the key length until
15	* {@link Crypt_Rijndael::setKey() setKey()} is called, again, at which point, it'll be recalculated.
16	*
17	* Not all Rijndael implementations may support 160-bits or 224-bits as the block length / key length. mcrypt, for example,
18	* does not. AES, itself, only supports block lengths of 128 and key lengths of 128, 192, and 256.
19	* {@link http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf#page=10 Rijndael-ammended.pdf#page=10} defines the
20	* algorithm for block lengths of 192 and 256 but not for block lengths / key lengths of 160 and 224. Indeed, 160 and 224
21	* are first defined as valid key / block lengths in
22	* {@link http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf#page=44 Rijndael-ammended.pdf#page=44}:
23	* Extensions: Other block and Cipher Key lengths.
24	*
25	* {@internal The variable names are the same as those in
26	* {@link http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf#page=10 fips-197.pdf#page=10}.}}
27	*
28	* Here's a short example of how to use this library:
29	* <code>
30	* <?php
31	* include('Crypt/Rijndael.php');
32	*
33	* $rijndael = new Crypt_Rijndael();
34	*
35	* $rijndael->setKey('abcdefghijklmnop');
36	*
37	* $size = 10 * 1024;
38	* $plaintext = '';
39	* for ($i = 0; $i < $size; $i++) {
40	* $plaintext.= 'a';
41	* }
42	*
43	* echo $rijndael->decrypt($rijndael->encrypt($plaintext));
44	* ?>
45	* </code>
46	*
47	* LICENSE: Permission is hereby granted, free of charge, to any person obtaining a copy
48	* of this software and associated documentation files (the "Software"), to deal
49	* in the Software without restriction, including without limitation the rights
50	* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
51	* copies of the Software, and to permit persons to whom the Software is
52	* furnished to do so, subject to the following conditions:
53	*
54	* The above copyright notice and this permission notice shall be included in
55	* all copies or substantial portions of the Software.
56	*
57	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
58	* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
59	* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
60	* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
61	* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
62	* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
63	* THE SOFTWARE.
64	*
65	* @category Crypt
66	* @package Crypt_Rijndael
67	* @author Jim Wigginton <terrafrost@php.net>
68	* @copyright MMVIII Jim Wigginton
69	* @license http://www.opensource.org/licenses/mit-license.html MIT License
70	* @version $Id: Rijndael.php,v 1.12 2010/02/09 06:10:26 terrafrost Exp $
71	* @link http://phpseclib.sourceforge.net
72	*/
73
74	/**#@+
75	* @access public
76	* @see Crypt_Rijndael::encrypt()
77	* @see Crypt_Rijndael::decrypt()
78	*/
79	/**
80	* Encrypt / decrypt using the Counter mode.
81	*
82	* Set to -1 since that's what Crypt/Random.php uses to index the CTR mode.
83	*
84	* @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Counter_.28CTR.29
85	*/
86	define('CRYPT_RIJNDAEL_MODE_CTR', -1);
87	/**
88	* Encrypt / decrypt using the Electronic Code Book mode.
89	*
90	* @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29
91	*/
92	define('CRYPT_RIJNDAEL_MODE_ECB', 1);
93	/**
94	* Encrypt / decrypt using the Code Book Chaining mode.
95	*
96	* @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29
97	*/
98	define('CRYPT_RIJNDAEL_MODE_CBC', 2);
99	/**
100	* Encrypt / decrypt using the Cipher Feedback mode.
101	*
102	* @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher_feedback_.28CFB.29
103	*/
104	define('CRYPT_RIJNDAEL_MODE_CFB', 3);
105	/**
106	* Encrypt / decrypt using the Cipher Feedback mode.
107	*
108	* @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Output_feedback_.28OFB.29
109	*/
110	define('CRYPT_RIJNDAEL_MODE_OFB', 4);
111	/*#@-/
112
113	/**#@+
114	* @access private
115	* @see Crypt_Rijndael::Crypt_Rijndael()
116	*/
117	/**
118	* Toggles the internal implementation
119	*/
120	define('CRYPT_RIJNDAEL_MODE_INTERNAL', 1);
121	/**
122	* Toggles the mcrypt implementation
123	*/
124	define('CRYPT_RIJNDAEL_MODE_MCRYPT', 2);
125	/*#@-/
126
127	/**
128	* Pure-PHP implementation of Rijndael.
129	*
130	* @author Jim Wigginton <terrafrost@php.net>
131	* @version 0.1.0
132	* @access public
133	* @package Crypt_Rijndael
134	*/
135	class Crypt_Rijndael {
136	/**
137	* The Encryption Mode
138	*
139	* @see Crypt_Rijndael::Crypt_Rijndael()
140	* @var Integer
141	* @access private
142	*/
143	var $mode;
144
145	/**
146	* The Key
147	*
148	* @see Crypt_Rijndael::setKey()
149	* @var String
150	* @access private
151	*/
152	var $key = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
153
154	/**
155	* The Initialization Vector
156	*
157	* @see Crypt_Rijndael::setIV()
158	* @var String
159	* @access private
160	*/
161	var $iv = '';
162
163	/**
164	* A "sliding" Initialization Vector
165	*
166	* @see Crypt_Rijndael::enableContinuousBuffer()
167	* @var String
168	* @access private
169	*/
170	var $encryptIV = '';
171
172	/**
173	* A "sliding" Initialization Vector
174	*
175	* @see Crypt_Rijndael::enableContinuousBuffer()
176	* @var String
177	* @access private
178	*/
179	var $decryptIV = '';
180
181	/**
182	* Continuous Buffer status
183	*
184	* @see Crypt_Rijndael::enableContinuousBuffer()
185	* @var Boolean
186	* @access private
187	*/
188	var $continuousBuffer = false;
189
190	/**
191	* Padding status
192	*
193	* @see Crypt_Rijndael::enablePadding()
194	* @var Boolean
195	* @access private
196	*/
197	var $padding = true;
198
199	/**
200	* Does the key schedule need to be (re)calculated?
201	*
202	* @see setKey()
203	* @see setBlockLength()
204	* @see setKeyLength()
205	* @var Boolean
206	* @access private
207	*/
208	var $changed = true;
209
210	/**
211	* Has the key length explicitly been set or should it be derived from the key, itself?
212	*
213	* @see setKeyLength()
214	* @var Boolean
215	* @access private
216	*/
217	var $explicit_key_length = false;
218
219	/**
220	* The Key Schedule
221	*
222	* @see _setup()
223	* @var Array
224	* @access private
225	*/
226	var $w;
227
228	/**
229	* The Inverse Key Schedule
230	*
231	* @see _setup()
232	* @var Array
233	* @access private
234	*/
235	var $dw;
236
237	/**
238	* The Block Length
239	*
240	* @see setBlockLength()
241	* @var Integer
242	* @access private
243	* @internal The max value is 32, the min value is 16. All valid values are multiples of 4. Exists in conjunction with
244	* $Nb because we need this value and not $Nb to pad strings appropriately.
245	*/
246	var $block_size = 16;
247
248	/**
249	* The Block Length divided by 32
250	*
251	* @see setBlockLength()
252	* @var Integer
253	* @access private
254	* @internal The max value is 256 / 32 = 8, the min value is 128 / 32 = 4. Exists in conjunction with $block_size
255	* because the encryption / decryption / key schedule creation requires this number and not $block_size. We could
256	* derive this from $block_size or vice versa, but that'd mean we'd have to do multiple shift operations, so in lieu
257	* of that, we'll just precompute it once.
258	*
259	*/
260	var $Nb = 4;
261
262	/**
263	* The Key Length
264	*
265	* @see setKeyLength()
266	* @var Integer
267	* @access private
268	* @internal The max value is 256 / 8 = 32, the min value is 128 / 8 = 16. Exists in conjunction with $key_size
269	* because the encryption / decryption / key schedule creation requires this number and not $key_size. We could
270	* derive this from $key_size or vice versa, but that'd mean we'd have to do multiple shift operations, so in lieu
271	* of that, we'll just precompute it once.
272	*/
273	var $key_size = 16;
274
275	/**
276	* The Key Length divided by 32
277	*
278	* @see setKeyLength()
279	* @var Integer
280	* @access private
281	* @internal The max value is 256 / 32 = 8, the min value is 128 / 32 = 4
282	*/
283	var $Nk = 4;
284
285	/**
286	* The Number of Rounds
287	*
288	* @var Integer
289	* @access private
290	* @internal The max value is 14, the min value is 10.
291	*/
292	var $Nr;
293
294	/**
295	* Shift offsets
296	*
297	* @var Array
298	* @access private
299	*/
300	var $c;
301
302	/**
303	* Precomputed mixColumns table
304	*
305	* @see Crypt_Rijndael()
306	* @var Array
307	* @access private
308	*/
309	var $t0;
310
311	/**
312	* Precomputed mixColumns table
313	*
314	* @see Crypt_Rijndael()
315	* @var Array
316	* @access private
317	*/
318	var $t1;
319
320	/**
321	* Precomputed mixColumns table
322	*
323	* @see Crypt_Rijndael()
324	* @var Array
325	* @access private
326	*/
327	var $t2;
328
329	/**
330	* Precomputed mixColumns table
331	*
332	* @see Crypt_Rijndael()
333	* @var Array
334	* @access private
335	*/
336	var $t3;
337
338	/**
339	* Precomputed invMixColumns table
340	*
341	* @see Crypt_Rijndael()
342	* @var Array
343	* @access private
344	*/
345	var $dt0;
346
347	/**
348	* Precomputed invMixColumns table
349	*
350	* @see Crypt_Rijndael()
351	* @var Array
352	* @access private
353	*/
354	var $dt1;
355
356	/**
357	* Precomputed invMixColumns table
358	*
359	* @see Crypt_Rijndael()
360	* @var Array
361	* @access private
362	*/
363	var $dt2;
364
365	/**
366	* Precomputed invMixColumns table
367	*
368	* @see Crypt_Rijndael()
369	* @var Array
370	* @access private
371	*/
372	var $dt3;
373
374	/**
375	* Is the mode one that is paddable?
376	*
377	* @see Crypt_Rijndael::Crypt_Rijndael()
378	* @var Boolean
379	* @access private
380	*/
381	var $paddable = false;
382
383	/**
384	* Encryption buffer for CTR, OFB and CFB modes
385	*
386	* @see Crypt_Rijndael::encrypt()
387	* @var String
388	* @access private
389	*/
390	var $enbuffer = array('encrypted' => '', 'xor' => '');
391
392	/**
393	* Decryption buffer for CTR, OFB and CFB modes
394	*
395	* @see Crypt_Rijndael::decrypt()
396	* @var String
397	* @access private
398	*/
399	var $debuffer = array('ciphertext' => '');
400
401	/**
402	* Default Constructor.
403	*
404	* Determines whether or not the mcrypt extension should be used. $mode should only, at present, be
405	* CRYPT_RIJNDAEL_MODE_ECB or CRYPT_RIJNDAEL_MODE_CBC. If not explictly set, CRYPT_RIJNDAEL_MODE_CBC will be used.
406	*
407	* @param optional Integer $mode
408	* @return Crypt_Rijndael
409	* @access public
410	*/
411	function Crypt_Rijndael($mode = CRYPT_RIJNDAEL_MODE_CBC)
412	{
413	switch ($mode) {
414	case CRYPT_RIJNDAEL_MODE_ECB:
415	case CRYPT_RIJNDAEL_MODE_CBC:
416	$this->paddable = true;
417	$this->mode = $mode;
418	break;
419	case CRYPT_RIJNDAEL_MODE_CTR:
420	case CRYPT_RIJNDAEL_MODE_CFB:
421	case CRYPT_RIJNDAEL_MODE_OFB:
422	$this->mode = $mode;
423	break;
424	default:
425	$this->paddable = true;
426	$this->mode = CRYPT_RIJNDAEL_MODE_CBC;
427	}
428
429	$t3 = &$this->t3;
430	$t2 = &$this->t2;
431	$t1 = &$this->t1;
432	$t0 = &$this->t0;
433
434	$dt3 = &$this->dt3;
435	$dt2 = &$this->dt2;
436	$dt1 = &$this->dt1;
437	$dt0 = &$this->dt0;
438
439	// according to <http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf#page=19> (section 5.2.1),
440	// precomputed tables can be used in the mixColumns phase. in that example, they're assigned t0...t3, so
441	// those are the names we'll use.
442	$t3 = array(
443	0x6363A5C6, 0x7C7C84F8, 0x777799EE, 0x7B7B8DF6, 0xF2F20DFF, 0x6B6BBDD6, 0x6F6FB1DE, 0xC5C55491,
444	0x30305060, 0x01010302, 0x6767A9CE, 0x2B2B7D56, 0xFEFE19E7, 0xD7D762B5, 0xABABE64D, 0x76769AEC,
445	0xCACA458F, 0x82829D1F, 0xC9C94089, 0x7D7D87FA, 0xFAFA15EF, 0x5959EBB2, 0x4747C98E, 0xF0F00BFB,
446	0xADADEC41, 0xD4D467B3, 0xA2A2FD5F, 0xAFAFEA45, 0x9C9CBF23, 0xA4A4F753, 0x727296E4, 0xC0C05B9B,
447	0xB7B7C275, 0xFDFD1CE1, 0x9393AE3D, 0x26266A4C, 0x36365A6C, 0x3F3F417E, 0xF7F702F5, 0xCCCC4F83,
448	0x34345C68, 0xA5A5F451, 0xE5E534D1, 0xF1F108F9, 0x717193E2, 0xD8D873AB, 0x31315362, 0x15153F2A,
449	0x04040C08, 0xC7C75295, 0x23236546, 0xC3C35E9D, 0x18182830, 0x9696A137, 0x05050F0A, 0x9A9AB52F,
450	0x0707090E, 0x12123624, 0x80809B1B, 0xE2E23DDF, 0xEBEB26CD, 0x2727694E, 0xB2B2CD7F, 0x75759FEA,
451	0x09091B12, 0x83839E1D, 0x2C2C7458, 0x1A1A2E34, 0x1B1B2D36, 0x6E6EB2DC, 0x5A5AEEB4, 0xA0A0FB5B,
452	0x5252F6A4, 0x3B3B4D76, 0xD6D661B7, 0xB3B3CE7D, 0x29297B52, 0xE3E33EDD, 0x2F2F715E, 0x84849713,
453	0x5353F5A6, 0xD1D168B9, 0x00000000, 0xEDED2CC1, 0x20206040, 0xFCFC1FE3, 0xB1B1C879, 0x5B5BEDB6,
454	0x6A6ABED4, 0xCBCB468D, 0xBEBED967, 0x39394B72, 0x4A4ADE94, 0x4C4CD498, 0x5858E8B0, 0xCFCF4A85,
455	0xD0D06BBB, 0xEFEF2AC5, 0xAAAAE54F, 0xFBFB16ED, 0x4343C586, 0x4D4DD79A, 0x33335566, 0x85859411,
456	0x4545CF8A, 0xF9F910E9, 0x02020604, 0x7F7F81FE, 0x5050F0A0, 0x3C3C4478, 0x9F9FBA25, 0xA8A8E34B,
457	0x5151F3A2, 0xA3A3FE5D, 0x4040C080, 0x8F8F8A05, 0x9292AD3F, 0x9D9DBC21, 0x38384870, 0xF5F504F1,
458	0xBCBCDF63, 0xB6B6C177, 0xDADA75AF, 0x21216342, 0x10103020, 0xFFFF1AE5, 0xF3F30EFD, 0xD2D26DBF,
459	0xCDCD4C81, 0x0C0C1418, 0x13133526, 0xECEC2FC3, 0x5F5FE1BE, 0x9797A235, 0x4444CC88, 0x1717392E,
460	0xC4C45793, 0xA7A7F255, 0x7E7E82FC, 0x3D3D477A, 0x6464ACC8, 0x5D5DE7BA, 0x19192B32, 0x737395E6,
461	0x6060A0C0, 0x81819819, 0x4F4FD19E, 0xDCDC7FA3, 0x22226644, 0x2A2A7E54, 0x9090AB3B, 0x8888830B,
462	0x4646CA8C, 0xEEEE29C7, 0xB8B8D36B, 0x14143C28, 0xDEDE79A7, 0x5E5EE2BC, 0x0B0B1D16, 0xDBDB76AD,
463	0xE0E03BDB, 0x32325664, 0x3A3A4E74, 0x0A0A1E14, 0x4949DB92, 0x06060A0C, 0x24246C48, 0x5C5CE4B8,
464	0xC2C25D9F, 0xD3D36EBD, 0xACACEF43, 0x6262A6C4, 0x9191A839, 0x9595A431, 0xE4E437D3, 0x79798BF2,
465	0xE7E732D5, 0xC8C8438B, 0x3737596E, 0x6D6DB7DA, 0x8D8D8C01, 0xD5D564B1, 0x4E4ED29C, 0xA9A9E049,
466	0x6C6CB4D8, 0x5656FAAC, 0xF4F407F3, 0xEAEA25CF, 0x6565AFCA, 0x7A7A8EF4, 0xAEAEE947, 0x08081810,
467	0xBABAD56F, 0x787888F0, 0x25256F4A, 0x2E2E725C, 0x1C1C2438, 0xA6A6F157, 0xB4B4C773, 0xC6C65197,
468	0xE8E823CB, 0xDDDD7CA1, 0x74749CE8, 0x1F1F213E, 0x4B4BDD96, 0xBDBDDC61, 0x8B8B860D, 0x8A8A850F,
469	0x707090E0, 0x3E3E427C, 0xB5B5C471, 0x6666AACC, 0x4848D890, 0x03030506, 0xF6F601F7, 0x0E0E121C,
470	0x6161A3C2, 0x35355F6A, 0x5757F9AE, 0xB9B9D069, 0x86869117, 0xC1C15899, 0x1D1D273A, 0x9E9EB927,
471	0xE1E138D9, 0xF8F813EB, 0x9898B32B, 0x11113322, 0x6969BBD2, 0xD9D970A9, 0x8E8E8907, 0x9494A733,
472	0x9B9BB62D, 0x1E1E223C, 0x87879215, 0xE9E920C9, 0xCECE4987, 0x5555FFAA, 0x28287850, 0xDFDF7AA5,
473	0x8C8C8F03, 0xA1A1F859, 0x89898009, 0x0D0D171A, 0xBFBFDA65, 0xE6E631D7, 0x4242C684, 0x6868B8D0,
474	0x4141C382, 0x9999B029, 0x2D2D775A, 0x0F0F111E, 0xB0B0CB7B, 0x5454FCA8, 0xBBBBD66D, 0x16163A2C
475	);
476
477	$dt3 = array(
478	0xF4A75051, 0x4165537E, 0x17A4C31A, 0x275E963A, 0xAB6BCB3B, 0x9D45F11F, 0xFA58ABAC, 0xE303934B,
479	0x30FA5520, 0x766DF6AD, 0xCC769188, 0x024C25F5, 0xE5D7FC4F, 0x2ACBD7C5, 0x35448026, 0x62A38FB5,
480	0xB15A49DE, 0xBA1B6725, 0xEA0E9845, 0xFEC0E15D, 0x2F7502C3, 0x4CF01281, 0x4697A38D, 0xD3F9C66B,
481	0x8F5FE703, 0x929C9515, 0x6D7AEBBF, 0x5259DA95, 0xBE832DD4, 0x7421D358, 0xE0692949, 0xC9C8448E,
482	0xC2896A75, 0x8E7978F4, 0x583E6B99, 0xB971DD27, 0xE14FB6BE, 0x88AD17F0, 0x20AC66C9, 0xCE3AB47D,
483	0xDF4A1863, 0x1A3182E5, 0x51336097, 0x537F4562, 0x6477E0B1, 0x6BAE84BB, 0x81A01CFE, 0x082B94F9,
484	0x48685870, 0x45FD198F, 0xDE6C8794, 0x7BF8B752, 0x73D323AB, 0x4B02E272, 0x1F8F57E3, 0x55AB2A66,
485	0xEB2807B2, 0xB5C2032F, 0xC57B9A86, 0x3708A5D3, 0x2887F230, 0xBFA5B223, 0x036ABA02, 0x16825CED,
486	0xCF1C2B8A, 0x79B492A7, 0x07F2F0F3, 0x69E2A14E, 0xDAF4CD65, 0x05BED506, 0x34621FD1, 0xA6FE8AC4,
487	0x2E539D34, 0xF355A0A2, 0x8AE13205, 0xF6EB75A4, 0x83EC390B, 0x60EFAA40, 0x719F065E, 0x6E1051BD,
488	0x218AF93E, 0xDD063D96, 0x3E05AEDD, 0xE6BD464D, 0x548DB591, 0xC45D0571, 0x06D46F04, 0x5015FF60,
489	0x98FB2419, 0xBDE997D6, 0x4043CC89, 0xD99E7767, 0xE842BDB0, 0x898B8807, 0x195B38E7, 0xC8EEDB79,
490	0x7C0A47A1, 0x420FE97C, 0x841EC9F8, 0x00000000, 0x80868309, 0x2BED4832, 0x1170AC1E, 0x5A724E6C,
491	0x0EFFFBFD, 0x8538560F, 0xAED51E3D, 0x2D392736, 0x0FD9640A, 0x5CA62168, 0x5B54D19B, 0x362E3A24,
492	0x0A67B10C, 0x57E70F93, 0xEE96D2B4, 0x9B919E1B, 0xC0C54F80, 0xDC20A261, 0x774B695A, 0x121A161C,
493	0x93BA0AE2, 0xA02AE5C0, 0x22E0433C, 0x1B171D12, 0x090D0B0E, 0x8BC7ADF2, 0xB6A8B92D, 0x1EA9C814,
494	0xF1198557, 0x75074CAF, 0x99DDBBEE, 0x7F60FDA3, 0x01269FF7, 0x72F5BC5C, 0x663BC544, 0xFB7E345B,
495	0x4329768B, 0x23C6DCCB, 0xEDFC68B6, 0xE4F163B8, 0x31DCCAD7, 0x63851042, 0x97224013, 0xC6112084,
496	0x4A247D85, 0xBB3DF8D2, 0xF93211AE, 0x29A16DC7, 0x9E2F4B1D, 0xB230F3DC, 0x8652EC0D, 0xC1E3D077,
497	0xB3166C2B, 0x70B999A9, 0x9448FA11, 0xE9642247, 0xFC8CC4A8, 0xF03F1AA0, 0x7D2CD856, 0x3390EF22,
498	0x494EC787, 0x38D1C1D9, 0xCAA2FE8C, 0xD40B3698, 0xF581CFA6, 0x7ADE28A5, 0xB78E26DA, 0xADBFA43F,
499	0x3A9DE42C, 0x78920D50, 0x5FCC9B6A, 0x7E466254, 0x8D13C2F6, 0xD8B8E890, 0x39F75E2E, 0xC3AFF582,
500	0x5D80BE9F, 0xD0937C69, 0xD52DA96F, 0x2512B3CF, 0xAC993BC8, 0x187DA710, 0x9C636EE8, 0x3BBB7BDB,
501	0x267809CD, 0x5918F46E, 0x9AB701EC, 0x4F9AA883, 0x956E65E6, 0xFFE67EAA, 0xBCCF0821, 0x15E8E6EF,
502	0xE79BD9BA, 0x6F36CE4A, 0x9F09D4EA, 0xB07CD629, 0xA4B2AF31, 0x3F23312A, 0xA59430C6, 0xA266C035,
503	0x4EBC3774, 0x82CAA6FC, 0x90D0B0E0, 0xA7D81533, 0x04984AF1, 0xECDAF741, 0xCD500E7F, 0x91F62F17,
504	0x4DD68D76, 0xEFB04D43, 0xAA4D54CC, 0x9604DFE4, 0xD1B5E39E, 0x6A881B4C, 0x2C1FB8C1, 0x65517F46,
505	0x5EEA049D, 0x8C355D01, 0x877473FA, 0x0B412EFB, 0x671D5AB3, 0xDBD25292, 0x105633E9, 0xD647136D,
506	0xD7618C9A, 0xA10C7A37, 0xF8148E59, 0x133C89EB, 0xA927EECE, 0x61C935B7, 0x1CE5EDE1, 0x47B13C7A,
507	0xD2DF599C, 0xF2733F55, 0x14CE7918, 0xC737BF73, 0xF7CDEA53, 0xFDAA5B5F, 0x3D6F14DF, 0x44DB8678,
508	0xAFF381CA, 0x68C43EB9, 0x24342C38, 0xA3405FC2, 0x1DC37216, 0xE2250CBC, 0x3C498B28, 0x0D9541FF,
509	0xA8017139, 0x0CB3DE08, 0xB4E49CD8, 0x56C19064, 0xCB84617B, 0x32B670D5, 0x6C5C7448, 0xB85742D0
510	);
511
512	for ($i = 0; $i < 256; $i++) {
513	$t2[$i << 8] = (($t3[$i] << 8) & 0xFFFFFF00) \| (($t3[$i] >> 24) & 0x000000FF);
514	$t1[$i << 16] = (($t3[$i] << 16) & 0xFFFF0000) \| (($t3[$i] >> 16) & 0x0000FFFF);
515	$t0[$i << 24] = (($t3[$i] << 24) & 0xFF000000) \| (($t3[$i] >> 8) & 0x00FFFFFF);
516
517	$dt2[$i << 8] = (($this->dt3[$i] << 8) & 0xFFFFFF00) \| (($dt3[$i] >> 24) & 0x000000FF);
518	$dt1[$i << 16] = (($this->dt3[$i] << 16) & 0xFFFF0000) \| (($dt3[$i] >> 16) & 0x0000FFFF);
519	$dt0[$i << 24] = (($this->dt3[$i] << 24) & 0xFF000000) \| (($dt3[$i] >> 8) & 0x00FFFFFF);
520	}
521	}
522
523	/**
524	* Sets the key.
525	*
526	* Keys can be of any length. Rijndael, itself, requires the use of a key that's between 128-bits and 256-bits long and
527	* whose length is a multiple of 32. If the key is less than 256-bits and the key length isn't set, we round the length
528	* up to the closest valid key length, padding $key with null bytes. If the key is more than 256-bits, we trim the
529	* excess bits.
530	*
531	* If the key is not explicitly set, it'll be assumed to be all null bytes.
532	*
533	* @access public
534	* @param String $key
535	*/
536	function setKey($key)
537	{
538	$this->key = $key;
539	$this->changed = true;
540	}
541
542	/**
543	* Sets the initialization vector. (optional)
544	*
545	* SetIV is not required when CRYPT_RIJNDAEL_MODE_ECB is being used. If not explictly set, it'll be assumed
546	* to be all zero's.
547	*
548	* @access public
549	* @param String $iv
550	*/
551	function setIV($iv)
552	{
553	$this->encryptIV = $this->decryptIV = $this->iv = str_pad(substr($iv, 0, $this->block_size), $this->block_size, chr(0));;
554	}
555
556	/**
557	* Sets the key length
558	*
559	* Valid key lengths are 128, 160, 192, 224, and 256. If the length is less than 128, it will be rounded up to
560	* 128. If the length is greater then 128 and invalid, it will be rounded down to the closest valid amount.
561	*
562	* @access public
563	* @param Integer $length
564	*/
565	function setKeyLength($length)
566	{
567	$length >>= 5;
568	if ($length > 8) {
569	$length = 8;
570	} else if ($length < 4) {
571	$length = 4;
572	}
573	$this->Nk = $length;
574	$this->key_size = $length << 2;
575
576	$this->explicit_key_length = true;
577	$this->changed = true;
578	}
579
580	/**
581	* Sets the block length
582	*
583	* Valid block lengths are 128, 160, 192, 224, and 256. If the length is less than 128, it will be rounded up to
584	* 128. If the length is greater then 128 and invalid, it will be rounded down to the closest valid amount.
585	*
586	* @access public
587	* @param Integer $length
588	*/
589	function setBlockLength($length)
590	{
591	$length >>= 5;
592	if ($length > 8) {
593	$length = 8;
594	} else if ($length < 4) {
595	$length = 4;
596	}
597	$this->Nb = $length;
598	$this->block_size = $length << 2;
599	$this->changed = true;
600	}
601
602	/**
603	* Generate CTR XOR encryption key
604	*
605	* Encrypt the output of this and XOR it against the ciphertext / plaintext to get the
606	* plaintext / ciphertext in CTR mode.
607	*
608	* @see Crypt_Rijndael::decrypt()
609	* @see Crypt_Rijndael::encrypt()
610	* @access public
611	* @param Integer $length
612	* @param String $iv
613	*/
614	function _generate_xor($length, &$iv)
615	{
616	$xor = '';
617	$block_size = $this->block_size;
618	$num_blocks = floor(($length + ($block_size - 1)) / $block_size);
619	for ($i = 0; $i < $num_blocks; $i++) {
620	$xor.= $iv;
621	for ($j = 4; $j <= $block_size; $j+=4) {
622	$temp = substr($iv, -$j, 4);
623	switch ($temp) {
624	case "\xFF\xFF\xFF\xFF":
625	$iv = substr_replace($iv, "\x00\x00\x00\x00", -$j, 4);
626	break;
627	case "\x7F\xFF\xFF\xFF":
628	$iv = substr_replace($iv, "\x80\x00\x00\x00", -$j, 4);
629	break 2;
630	default:
631	extract(unpack('Ncount', $temp));
632	$iv = substr_replace($iv, pack('N', $count + 1), -$j, 4);
633	break 2;
634	}
635	}
636	}
637
638	return $xor;
639	}
640
641	/**
642	* Encrypts a message.
643	*
644	* $plaintext will be padded with additional bytes such that it's length is a multiple of the block size. Other Rjindael
645	* implementations may or may not pad in the same manner. Other common approaches to padding and the reasons why it's
646	* necessary are discussed in the following
647	* URL:
648	*
649	* {@link http://www.di-mgt.com.au/cryptopad.html http://www.di-mgt.com.au/cryptopad.html}
650	*
651	* An alternative to padding is to, separately, send the length of the file. This is what SSH, in fact, does.
652	* strlen($plaintext) will still need to be a multiple of 8, however, arbitrary values can be added to make it that
653	* length.
654	*
655	* @see Crypt_Rijndael::decrypt()
656	* @access public
657	* @param String $plaintext
658	*/
659	function encrypt($plaintext)
660	{
661	$this->_setup();
662	if ($this->paddable) {
663	$plaintext = $this->_pad($plaintext);
664	}
665
666	$block_size = $this->block_size;
667	$buffer = &$this->enbuffer;
668	$continuousBuffer = $this->continuousBuffer;
669	$ciphertext = '';
670	switch ($this->mode) {
671	case CRYPT_RIJNDAEL_MODE_ECB:
672	for ($i = 0; $i < strlen($plaintext); $i+=$block_size) {
673	$ciphertext.= $this->_encryptBlock(substr($plaintext, $i, $block_size));
674	}
675	break;
676	case CRYPT_RIJNDAEL_MODE_CBC:
677	$xor = $this->encryptIV;
678	for ($i = 0; $i < strlen($plaintext); $i+=$block_size) {
679	$block = substr($plaintext, $i, $block_size);
680	$block = $this->_encryptBlock($block ^ $xor);
681	$xor = $block;
682	$ciphertext.= $block;
683	}
684	if ($this->continuousBuffer) {
685	$this->encryptIV = $xor;
686	}
687	break;
688	case CRYPT_RIJNDAEL_MODE_CTR:
689	$xor = $this->encryptIV;
690	if (!empty($buffer)) {
691	for ($i = 0; $i < strlen($plaintext); $i+=$block_size) {
692	$block = substr($plaintext, $i, $block_size);
693	$buffer.= $this->_encryptBlock($this->_generate_xor($block_size, $xor));
694	$key = $this->_string_shift($buffer, $block_size);
695	$ciphertext.= $block ^ $key;
696	}
697	} else {
698	for ($i = 0; $i < strlen($plaintext); $i+=$block_size) {
699	$block = substr($plaintext, $i, $block_size);
700	$key = $this->_encryptBlock($this->_generate_xor($block_size, $xor));
701	$ciphertext.= $block ^ $key;
702	}
703	}
704	if ($this->continuousBuffer) {
705	$this->encryptIV = $xor;
706	if ($start = strlen($plaintext) % $block_size) {
707	$buffer = substr($key, $start) . $buffer;
708	}
709	}
710	break;
711	case CRYPT_RIJNDAEL_MODE_CFB:
712	if (!empty($buffer['xor'])) {
713	$ciphertext = $plaintext ^ $buffer['xor'];
714	$iv = $buffer['encrypted'] . $ciphertext;
715	$start = strlen($ciphertext);
716	$buffer['encrypted'].= $ciphertext;
717	$buffer['xor'] = substr($buffer['xor'], strlen($ciphertext));
718	} else {
719	$ciphertext = '';
720	$iv = $this->encryptIV;
721	$start = 0;
722	}
723
724	for ($i = $start; $i < strlen($plaintext); $i+=$block_size) {
725	$block = substr($plaintext, $i, $block_size);
726	$xor = $this->_encryptBlock($iv);
727	$iv = $block ^ $xor;
728	if ($continuousBuffer && strlen($iv) != $block_size) {
729	$buffer = array(
730	'encrypted' => $iv,
731	'xor' => substr($xor, strlen($iv))
732	);
733	}
734	$ciphertext.= $iv;
735	}
736
737	if ($this->continuousBuffer) {
738	$this->encryptIV = $iv;
739	}
740	break;
741	case CRYPT_RIJNDAEL_MODE_OFB:
742	$xor = $this->encryptIV;
743	if (strlen($buffer)) {
744	for ($i = 0; $i < strlen($plaintext); $i+=$block_size) {
745	$xor = $this->_encryptBlock($xor);
746	$buffer.= $xor;
747	$key = $this->_string_shift($buffer, $block_size);
748	$ciphertext.= substr($plaintext, $i, $block_size) ^ $key;
749	}
750	} else {
751	for ($i = 0; $i < strlen($plaintext); $i+=$block_size) {
752	$xor = $this->_encryptBlock($xor);
753	$ciphertext.= substr($plaintext, $i, $block_size) ^ $xor;
754	}
755	$key = $xor;
756	}
757	if ($this->continuousBuffer) {
758	$this->encryptIV = $xor;
759	if ($start = strlen($plaintext) % $block_size) {
760	$buffer = substr($key, $start) . $buffer;
761	}
762	}
763	}
764
765	return $ciphertext;
766	}
767
768	/**
769	* Decrypts a message.
770	*
771	* If strlen($ciphertext) is not a multiple of the block size, null bytes will be added to the end of the string until
772	* it is.
773	*
774	* @see Crypt_Rijndael::encrypt()
775	* @access public
776	* @param String $ciphertext
777	*/
778	function decrypt($ciphertext)
779	{
780	$this->_setup();
781
782	if ($this->paddable) {
783	// we pad with chr(0) since that's what mcrypt_generic does. to quote from http://php.net/function.mcrypt-generic :
784	// "The data is padded with "\0" to make sure the length of the data is n * blocksize."
785	$ciphertext = str_pad($ciphertext, strlen($ciphertext) + ($this->block_size - strlen($ciphertext) % $this->block_size) % $this->block_size, chr(0));
786	}
787
788	$block_size = $this->block_size;
789	$buffer = &$this->debuffer;
790	$continuousBuffer = $this->continuousBuffer;
791	$plaintext = '';
792	switch ($this->mode) {
793	case CRYPT_RIJNDAEL_MODE_ECB:
794	for ($i = 0; $i < strlen($ciphertext); $i+=$block_size) {
795	$plaintext.= $this->_decryptBlock(substr($ciphertext, $i, $block_size));
796	}
797	break;
798	case CRYPT_RIJNDAEL_MODE_CBC:
799	$xor = $this->decryptIV;
800	for ($i = 0; $i < strlen($ciphertext); $i+=$block_size) {
801	$block = substr($ciphertext, $i, $block_size);
802	$plaintext.= $this->_decryptBlock($block) ^ $xor;
803	$xor = $block;
804	}
805	if ($this->continuousBuffer) {
806	$this->decryptIV = $xor;
807	}
808	break;
809	case CRYPT_RIJNDAEL_MODE_CTR:
810	$xor = $this->decryptIV;
811	if (strlen($buffer)) {
812	for ($i = 0; $i < strlen($ciphertext); $i+=$block_size) {
813	$block = substr($ciphertext, $i, $block_size);
814	$buffer.= $this->_encryptBlock($this->_generate_xor($block_size, $xor));
815	$key = $this->_string_shift($buffer, $block_size);
816	$plaintext.= $block ^ $key;
817	}
818	} else {
819	for ($i = 0; $i < strlen($ciphertext); $i+=$block_size) {
820	$block = substr($ciphertext, $i, $block_size);
821	$key = $this->_encryptBlock($this->_generate_xor($block_size, $xor));
822	$plaintext.= $block ^ $key;
823	}
824	}
825	if ($this->continuousBuffer) {
826	$this->decryptIV = $xor;
827	if ($start = strlen($ciphertext) % $block_size) {
828	$buffer = substr($key, $start) . $buffer;
829	}
830	}
831	break;
832	case CRYPT_RIJNDAEL_MODE_CFB:
833	if (!empty($buffer['ciphertext'])) {
834	$plaintext = $ciphertext ^ substr($this->decryptIV, strlen($buffer['ciphertext']));
835	$buffer['ciphertext'].= substr($ciphertext, 0, strlen($plaintext));
836	if (strlen($buffer['ciphertext']) == $block_size) {
837	$xor = $this->_encryptBlock($buffer['ciphertext']);
838	$buffer['ciphertext'] = '';
839	}
840	$start = strlen($plaintext);
841	$block = $this->decryptIV;
842	} else {
843	$plaintext = '';
844	$xor = $this->_encryptBlock($this->decryptIV);
845	$start = 0;
846	}
847
848	for ($i = $start; $i < strlen($ciphertext); $i+=$block_size) {
849	$block = substr($ciphertext, $i, $block_size);
850	$plaintext.= $block ^ $xor;
851	if ($continuousBuffer && strlen($block) != $block_size) {
852	$buffer['ciphertext'].= $block;
853	$block = $xor;
854	} else if (strlen($block) == $block_size) {
855	$xor = $this->_encryptBlock($block);
856	}
857	}
858	if ($this->continuousBuffer) {
859	$this->decryptIV = $block;
860	}
861	break;
862	case CRYPT_RIJNDAEL_MODE_OFB:
863	$xor = $this->decryptIV;
864	if (strlen($buffer)) {
865	for ($i = 0; $i < strlen($ciphertext); $i+=$block_size) {
866	$xor = $this->_encryptBlock($xor);
867	$buffer.= $xor;
868	$key = $this->_string_shift($buffer, $block_size);
869	$plaintext.= substr($ciphertext, $i, $block_size) ^ $key;
870	}
871	} else {
872	for ($i = 0; $i < strlen($ciphertext); $i+=$block_size) {
873	$xor = $this->_encryptBlock($xor);
874	$plaintext.= substr($ciphertext, $i, $block_size) ^ $xor;
875	}
876	$key = $xor;
877	}
878	if ($this->continuousBuffer) {
879	$this->decryptIV = $xor;
880	if ($start = strlen($ciphertext) % $block_size) {
881	$buffer = substr($key, $start) . $buffer;
882	}
883	}
884	}
885
886	return $this->paddable ? $this->_unpad($plaintext) : $plaintext;
887	}
888
889	/**
890	* Encrypts a block
891	*
892	* @access private
893	* @param String $in
894	* @return String
895	*/
896	function _encryptBlock($in)
897	{
898	$state = array();
899	$words = unpack('N*word', $in);
900
901	$w = $this->w;
902	$t0 = $this->t0;
903	$t1 = $this->t1;
904	$t2 = $this->t2;
905	$t3 = $this->t3;
906	$Nb = $this->Nb;
907	$Nr = $this->Nr;
908	$c = $this->c;
909
910	// addRoundKey
911	$i = 0;
912	foreach ($words as $word) {
913	$state[] = $word ^ $w[0][$i++];
914	}
915
916	// fips-197.pdf#page=19, "Figure 5. Pseudo Code for the Cipher", states that this loop has four components -
917	// subBytes, shiftRows, mixColumns, and addRoundKey. fips-197.pdf#page=30, "Implementation Suggestions Regarding
918	// Various Platforms" suggests that performs enhanced implementations are described in Rijndael-ammended.pdf.
919	// Rijndael-ammended.pdf#page=20, "Implementation aspects / 32-bit processor", discusses such an optimization.
920	// Unfortunately, the description given there is not quite correct. Per aes.spec.v316.pdf#page=19 [1],
921	// equation (7.4.7) is supposed to use addition instead of subtraction, so we'll do that here, as well.
922
923	// [1] http://fp.gladman.plus.com/cryptography_technology/rijndael/aes.spec.v316.pdf
924	$temp = array();
925	for ($round = 1; $round < $Nr; $round++) {
926	$i = 0; // $c[0] == 0
927	$j = $c[1];
928	$k = $c[2];
929	$l = $c[3];
930
931	while ($i < $this->Nb) {
932	$temp[$i] = $t0[$state[$i] & 0xFF000000] ^
933	$t1[$state[$j] & 0x00FF0000] ^
934	$t2[$state[$k] & 0x0000FF00] ^
935	$t3[$state[$l] & 0x000000FF] ^
936	$w[$round][$i];
937	$i++;
938	$j = ($j + 1) % $Nb;
939	$k = ($k + 1) % $Nb;
940	$l = ($l + 1) % $Nb;
941	}
942
943	for ($i = 0; $i < $Nb; $i++) {
944	$state[$i] = $temp[$i];
945	}
946	}
947
948	// subWord
949	for ($i = 0; $i < $Nb; $i++) {
950	$state[$i] = $this->_subWord($state[$i]);
951	}
952
953	// shiftRows + addRoundKey
954	$i = 0; // $c[0] == 0
955	$j = $c[1];
956	$k = $c[2];
957	$l = $c[3];
958	while ($i < $this->Nb) {
959	$temp[$i] = ($state[$i] & 0xFF000000) ^
960	($state[$j] & 0x00FF0000) ^
961	($state[$k] & 0x0000FF00) ^
962	($state[$l] & 0x000000FF) ^
963	$w[$Nr][$i];
964	$i++;
965	$j = ($j + 1) % $Nb;
966	$k = ($k + 1) % $Nb;
967	$l = ($l + 1) % $Nb;
968	}
969	$state = $temp;
970
971	array_unshift($state, 'N*');
972
973	return call_user_func_array('pack', $state);
974	}
975
976	/**
977	* Decrypts a block
978	*
979	* @access private
980	* @param String $in
981	* @return String
982	*/
983	function _decryptBlock($in)
984	{
985	$state = array();
986	$words = unpack('N*word', $in);
987
988	$num_states = count($state);
989	$dw = $this->dw;
990	$dt0 = $this->dt0;
991	$dt1 = $this->dt1;
992	$dt2 = $this->dt2;
993	$dt3 = $this->dt3;
994	$Nb = $this->Nb;
995	$Nr = $this->Nr;
996	$c = $this->c;
997
998	// addRoundKey
999	$i = 0;
1000	foreach ($words as $word) {
1001	$state[] = $word ^ $dw[$Nr][$i++];
1002	}
1003
1004	$temp = array();
1005	for ($round = $Nr - 1; $round > 0; $round--) {
1006	$i = 0; // $c[0] == 0
1007	$j = $Nb - $c[1];
1008	$k = $Nb - $c[2];
1009	$l = $Nb - $c[3];
1010
1011	while ($i < $Nb) {
1012	$temp[$i] = $dt0[$state[$i] & 0xFF000000] ^
1013	$dt1[$state[$j] & 0x00FF0000] ^
1014	$dt2[$state[$k] & 0x0000FF00] ^
1015	$dt3[$state[$l] & 0x000000FF] ^
1016	$dw[$round][$i];
1017	$i++;
1018	$j = ($j + 1) % $Nb;
1019	$k = ($k + 1) % $Nb;
1020	$l = ($l + 1) % $Nb;
1021	}
1022
1023	for ($i = 0; $i < $Nb; $i++) {
1024	$state[$i] = $temp[$i];
1025	}
1026	}
1027
1028	// invShiftRows + invSubWord + addRoundKey
1029	$i = 0; // $c[0] == 0
1030	$j = $Nb - $c[1];
1031	$k = $Nb - $c[2];
1032	$l = $Nb - $c[3];
1033
1034	while ($i < $Nb) {
1035	$temp[$i] = $dw[0][$i] ^
1036	$this->_invSubWord(($state[$i] & 0xFF000000) \|
1037	($state[$j] & 0x00FF0000) \|
1038	($state[$k] & 0x0000FF00) \|
1039	($state[$l] & 0x000000FF));
1040	$i++;
1041	$j = ($j + 1) % $Nb;
1042	$k = ($k + 1) % $Nb;
1043	$l = ($l + 1) % $Nb;
1044	}
1045
1046	$state = $temp;
1047
1048	array_unshift($state, 'N*');
1049
1050	return call_user_func_array('pack', $state);
1051	}
1052
1053	/**
1054	* Setup Rijndael
1055	*
1056	* Validates all the variables and calculates $Nr - the number of rounds that need to be performed - and $w - the key
1057	* key schedule.
1058	*
1059	* @access private
1060	*/
1061	function _setup()
1062	{
1063	// Each number in $rcon is equal to the previous number multiplied by two in Rijndael's finite field.
1064	// See http://en.wikipedia.org/wiki/Finite_field_arithmetic#Multiplicative_inverse
1065	static $rcon = array(0,
1066	0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000,
1067	0x20000000, 0x40000000, 0x80000000, 0x1B000000, 0x36000000,
1068	0x6C000000, 0xD8000000, 0xAB000000, 0x4D000000, 0x9A000000,
1069	0x2F000000, 0x5E000000, 0xBC000000, 0x63000000, 0xC6000000,
1070	0x97000000, 0x35000000, 0x6A000000, 0xD4000000, 0xB3000000,
1071	0x7D000000, 0xFA000000, 0xEF000000, 0xC5000000, 0x91000000
1072	);
1073
1074	if (!$this->changed) {
1075	return;
1076	}
1077
1078	if (!$this->explicit_key_length) {
1079	// we do >> 2, here, and not >> 5, as we do above, since strlen($this->key) tells us the number of bytes - not bits
1080	$length = strlen($this->key) >> 2;
1081	if ($length > 8) {
1082	$length = 8;
1083	} else if ($length < 4) {
1084	$length = 4;
1085	}
1086	$this->Nk = $length;
1087	$this->key_size = $length << 2;
1088	}
1089
1090	$this->key = str_pad(substr($this->key, 0, $this->key_size), $this->key_size, chr(0));
1091	$this->encryptIV = $this->decryptIV = $this->iv = str_pad(substr($this->iv, 0, $this->block_size), $this->block_size, chr(0));
1092
1093	// see Rijndael-ammended.pdf#page=44
1094	$this->Nr = max($this->Nk, $this->Nb) + 6;
1095
1096	// shift offsets for Nb = 5, 7 are defined in Rijndael-ammended.pdf#page=44,
1097	// "Table 8: Shift offsets in Shiftrow for the alternative block lengths"
1098	// shift offsets for Nb = 4, 6, 8 are defined in Rijndael-ammended.pdf#page=14,
1099	// "Table 2: Shift offsets for different block lengths"
1100	switch ($this->Nb) {
1101	case 4:
1102	case 5:
1103	case 6:
1104	$this->c = array(0, 1, 2, 3);
1105	break;
1106	case 7:
1107	$this->c = array(0, 1, 2, 4);
1108	break;
1109	case 8:
1110	$this->c = array(0, 1, 3, 4);
1111	}
1112
1113	$key = $this->key;
1114
1115	$w = array_values(unpack('N*words', $key));
1116
1117	$length = $this->Nb * ($this->Nr + 1);
1118	for ($i = $this->Nk; $i < $length; $i++) {
1119	$temp = $w[$i - 1];
1120	if ($i % $this->Nk == 0) {
1121	// according to <http://php.net/language.types.integer>, "the size of an integer is platform-dependent".
1122	// on a 32-bit machine, it's 32-bits, and on a 64-bit machine, it's 64-bits. on a 32-bit machine,
1123	// 0xFFFFFFFF << 8 == 0xFFFFFF00, but on a 64-bit machine, it equals 0xFFFFFFFF00. as such, doing 'and'
1124	// with 0xFFFFFFFF (or 0xFFFFFF00) on a 32-bit machine is unnecessary, but on a 64-bit machine, it is.
1125	$temp = (($temp << 8) & 0xFFFFFF00) \| (($temp >> 24) & 0x000000FF); // rotWord
1126	$temp = $this->_subWord($temp) ^ $rcon[$i / $this->Nk];
1127	} else if ($this->Nk > 6 && $i % $this->Nk == 4) {
1128	$temp = $this->_subWord($temp);
1129	}
1130	$w[$i] = $w[$i - $this->Nk] ^ $temp;
1131	}
1132
1133	// convert the key schedule from a vector of $Nb * ($Nr + 1) length to a matrix with $Nr + 1 rows and $Nb columns
1134	// and generate the inverse key schedule. more specifically,
1135	// according to <http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf#page=23> (section 5.3.3),
1136	// "The key expansion for the Inverse Cipher is defined as follows:
1137	// 1. Apply the Key Expansion.
1138	// 2. Apply InvMixColumn to all Round Keys except the first and the last one."
1139	// also, see fips-197.pdf#page=27, "5.3.5 Equivalent Inverse Cipher"
1140	$temp = array();
1141	for ($i = $row = $col = 0; $i < $length; $i++, $col++) {
1142	if ($col == $this->Nb) {
1143	if ($row == 0) {
1144	$this->dw[0] = $this->w[0];
1145	} else {
1146	// subWord + invMixColumn + invSubWord = invMixColumn
1147	$j = 0;
1148	while ($j < $this->Nb) {
1149	$dw = $this->_subWord($this->w[$row][$j]);
1150	$temp[$j] = $this->dt0[$dw & 0xFF000000] ^
1151	$this->dt1[$dw & 0x00FF0000] ^
1152	$this->dt2[$dw & 0x0000FF00] ^
1153	$this->dt3[$dw & 0x000000FF];
1154	$j++;
1155	}
1156	$this->dw[$row] = $temp;
1157	}
1158
1159	$col = 0;
1160	$row++;
1161	}
1162	$this->w[$row][$col] = $w[$i];
1163	}
1164
1165	$this->dw[$row] = $this->w[$row];
1166
1167	$this->changed = false;
1168	}
1169
1170	/**
1171	* Performs S-Box substitutions
1172	*
1173	* @access private
1174	*/
1175	function _subWord($word)
1176	{
1177	static $sbox0, $sbox1, $sbox2, $sbox3;
1178
1179	if (empty($sbox0)) {
1180	$sbox0 = array(
1181	0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
1182	0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
1183	0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
1184	0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
1185	0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
1186	0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
1187	0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
1188	0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
1189	0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
1190	0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
1191	0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
1192	0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
1193	0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
1194	0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
1195	0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
1196	0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
1197	);
1198
1199	$sbox1 = array();
1200	$sbox2 = array();
1201	$sbox3 = array();
1202
1203	for ($i = 0; $i < 256; $i++) {
1204	$sbox1[$i << 8] = $sbox0[$i] << 8;
1205	$sbox2[$i << 16] = $sbox0[$i] << 16;
1206	$sbox3[$i << 24] = $sbox0[$i] << 24;
1207	}
1208	}
1209
1210	return $sbox0[$word & 0x000000FF] \|
1211	$sbox1[$word & 0x0000FF00] \|
1212	$sbox2[$word & 0x00FF0000] \|
1213	$sbox3[$word & 0xFF000000];
1214	}
1215
1216	/**
1217	* Performs inverse S-Box substitutions
1218	*
1219	* @access private
1220	*/
1221	function _invSubWord($word)
1222	{
1223	static $sbox0, $sbox1, $sbox2, $sbox3;
1224
1225	if (empty($sbox0)) {
1226	$sbox0 = array(
1227	0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
1228	0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
1229	0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
1230	0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
1231	0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
1232	0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
1233	0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
1234	0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
1235	0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
1236	0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
1237	0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
1238	0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
1239	0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
1240	0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
1241	0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
1242	0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
1243	);
1244
1245	$sbox1 = array();
1246	$sbox2 = array();
1247	$sbox3 = array();
1248
1249	for ($i = 0; $i < 256; $i++) {
1250	$sbox1[$i << 8] = $sbox0[$i] << 8;
1251	$sbox2[$i << 16] = $sbox0[$i] << 16;
1252	$sbox3[$i << 24] = $sbox0[$i] << 24;
1253	}
1254	}
1255
1256	return $sbox0[$word & 0x000000FF] \|
1257	$sbox1[$word & 0x0000FF00] \|
1258	$sbox2[$word & 0x00FF0000] \|
1259	$sbox3[$word & 0xFF000000];
1260	}
1261
1262	/**
1263	* Pad "packets".
1264	*
1265	* Rijndael works by encrypting between sixteen and thirty-two bytes at a time, provided that number is also a multiple
1266	* of four. If you ever need to encrypt or decrypt something that isn't of the proper length, it becomes necessary to
1267	* pad the input so that it is of the proper length.
1268	*
1269	* Padding is enabled by default. Sometimes, however, it is undesirable to pad strings. Such is the case in SSH,
1270	* where "packets" are padded with random bytes before being encrypted. Unpad these packets and you risk stripping
1271	* away characters that shouldn't be stripped away. (SSH knows how many bytes are added because the length is
1272	* transmitted separately)
1273	*
1274	* @see Crypt_Rijndael::disablePadding()
1275	* @access public
1276	*/
1277	function enablePadding()
1278	{
1279	$this->padding = true;
1280	}
1281
1282	/**
1283	* Do not pad packets.
1284	*
1285	* @see Crypt_Rijndael::enablePadding()
1286	* @access public
1287	*/
1288	function disablePadding()
1289	{
1290	$this->padding = false;
1291	}
1292
1293	/**
1294	* Pads a string
1295	*
1296	* Pads a string using the RSA PKCS padding standards so that its length is a multiple of the blocksize.
1297	* $block_size - (strlen($text) % $block_size) bytes are added, each of which is equal to
1298	* chr($block_size - (strlen($text) % $block_size)
1299	*
1300	* If padding is disabled and $text is not a multiple of the blocksize, the string will be padded regardless
1301	* and padding will, hence forth, be enabled.
1302	*
1303	* @see Crypt_Rijndael::_unpad()
1304	* @access private
1305	*/
1306	function _pad($text)
1307	{
1308	$length = strlen($text);
1309
1310	if (!$this->padding) {
1311	if ($length % $this->block_size == 0) {
1312	return $text;
1313	} else {
1314	user_error("The plaintext's length ($length) is not a multiple of the block size ({$this->block_size})", E_USER_NOTICE);
1315	$this->padding = true;
1316	}
1317	}
1318
1319	$pad = $this->block_size - ($length % $this->block_size);
1320
1321	return str_pad($text, $length + $pad, chr($pad));
1322	}
1323
1324	/**
1325	* Unpads a string.
1326	*
1327	* If padding is enabled and the reported padding length is invalid the encryption key will be assumed to be wrong
1328	* and false will be returned.
1329	*
1330	* @see Crypt_Rijndael::_pad()
1331	* @access private
1332	*/
1333	function _unpad($text)
1334	{
1335	if (!$this->padding) {
1336	return $text;
1337	}
1338
1339	$length = ord($text[strlen($text) - 1]);
1340
1341	if (!$length \|\| $length > $this->block_size) {
1342	return false;
1343	}
1344
1345	return substr($text, 0, -$length);
1346	}
1347
1348	/**
1349	* Treat consecutive "packets" as if they are a continuous buffer.
1350	*
1351	* Say you have a 32-byte plaintext $plaintext. Using the default behavior, the two following code snippets
1352	* will yield different outputs:
1353	*
1354	* <code>
1355	* echo $rijndael->encrypt(substr($plaintext, 0, 16));
1356	* echo $rijndael->encrypt(substr($plaintext, 16, 16));
1357	* </code>
1358	* <code>
1359	* echo $rijndael->encrypt($plaintext);
1360	* </code>
1361	*
1362	* The solution is to enable the continuous buffer. Although this will resolve the above discrepancy, it creates
1363	* another, as demonstrated with the following:
1364	*
1365	* <code>
1366	* $rijndael->encrypt(substr($plaintext, 0, 16));
1367	* echo $rijndael->decrypt($des->encrypt(substr($plaintext, 16, 16)));
1368	* </code>
1369	* <code>
1370	* echo $rijndael->decrypt($des->encrypt(substr($plaintext, 16, 16)));
1371	* </code>
1372	*
1373	* With the continuous buffer disabled, these would yield the same output. With it enabled, they yield different
1374	* outputs. The reason is due to the fact that the initialization vector's change after every encryption /
1375	* decryption round when the continuous buffer is enabled. When it's disabled, they remain constant.
1376	*
1377	* Put another way, when the continuous buffer is enabled, the state of the Crypt_Rijndael() object changes after each
1378	* encryption / decryption round, whereas otherwise, it'd remain constant. For this reason, it's recommended that
1379	* continuous buffers not be used. They do offer better security and are, in fact, sometimes required (SSH uses them),
1380	* however, they are also less intuitive and more likely to cause you problems.
1381	*
1382	* @see Crypt_Rijndael::disableContinuousBuffer()
1383	* @access public
1384	*/
1385	function enableContinuousBuffer()
1386	{
1387	$this->continuousBuffer = true;
1388	}
1389
1390	/**
1391	* Treat consecutive packets as if they are a discontinuous buffer.
1392	*
1393	* The default behavior.
1394	*
1395	* @see Crypt_Rijndael::enableContinuousBuffer()
1396	* @access public
1397	*/
1398	function disableContinuousBuffer()
1399	{
1400	$this->continuousBuffer = false;
1401	$this->encryptIV = $this->iv;
1402	$this->decryptIV = $this->iv;
1403	}
1404
1405	/**
1406	* String Shift
1407	*
1408	* Inspired by array_shift
1409	*
1410	* @param String $string
1411	* @param optional Integer $index
1412	* @return String
1413	* @access private
1414	*/
1415	function _string_shift(&$string, $index = 1)
1416	{
1417	$substr = substr($string, 0, $index);
1418	$string = substr($string, $index);
1419	return $substr;
1420	}
1421	}
1422
1423	// vim: ts=4:sw=4:et:
1424	// vim6: fdl=1: