package Crypt::CAST5_PP;

require 5.004;
use strict;
use AutoLoader qw( AUTOLOAD );
use Carp;
use integer;
use vars qw( @s1 @s2 @s3 @s4 @s5 @s6 @s7 @s8 $VERSION );

$VERSION = "1.04";

# Constructor: returns an empty hash blessed into $class. When a key is
# supplied it is handed straight to init(), which validates its length and
# croaks on a bad key, so new() can die as well. Without a key the object
# holds no key schedule, and encrypt()/decrypt() croak until init() is called.
sub new {
    my ($class, $key) = @_;

    my $self = bless { }, $class;
    if (defined $key) {
        $self->init($key);
    }

    return $self;
} # new

# Block size in bytes (CAST5 works on 64-bit blocks).
sub blocksize {
    return 8;
}

# Largest accepted key size in bytes; init() accepts 5 to 16 bytes.
sub keysize {
    return 16;
}

1 # end module

__END__

=head1 NAME

Crypt::CAST5_PP - CAST5 block cipher in pure Perl

=head1 SYNOPSIS

    use Crypt::CBC;

    my $crypt = Crypt::CBC->new({
        key    => "secret key",
        cipher => "CAST5_PP",
    });

    my $message = "All mimsy were the borogoves";
    my $ciphertext = $crypt->encrypt($message);
    print unpack("H*", $ciphertext), "\n";

    my $plaintext = $crypt->decrypt($ciphertext);
    print $plaintext, "\n";

=head1 DESCRIPTION

This module provides a pure Perl implementation of the CAST5 block cipher.
CAST5 is also known as CAST-128. It is a product of the CAST design
procedure developed by C. Adams and S. Tavares.

The CAST5 cipher is available royalty-free.

=head1 FUNCTIONS

=head2 blocksize

Returns the CAST5 block size, which is 8 bytes. This function exists
so that Crypt::CAST5_PP can work with Crypt::CBC.

=head2 keysize

Returns the maximum CAST5 key size, 16 bytes.

=head2 new

    $cast5 = Crypt::CAST5_PP->new($key);

Create a new encryption object. If the optional key parameter is given,
it will be passed to the init() function.

=head2 init

    $cast5->init($key);

Set or change the encryption key to be used. The key must be from 40 bits
(5 bytes) to 128 bits (16 bytes) in length. Note that if the key used is
80 bits or less, encryption and decryption will be somewhat faster.

It is best for the key to be random binary data, not something printable
like a password. A message digest function may be useful for converting
a password to an encryption key; see L<Digest::SHA1> or L<Digest::MD5>.
A single unsalted digest adds no work factor against password guessing,
so a salted, iterated key-derivation function is the stronger choice for
password-derived keys.
Note that Crypt::CBC runs the given "key" through MD5 to get the actual
encryption key.

=head2 encrypt

    $ciphertext = $cast5->encrypt($plaintext);

Encrypt a block of plaintext using the current encryption key, and return
the corresponding ciphertext. The input must be 8 bytes long, and the output
has the same length. Note that the encryption is in ECB mode, which means
that it encrypts each block independently. That can leave you vulnerable to
dictionary attacks, so it is generally best to use some form of chaining
between blocks; see L<Crypt::CBC>.

=head2 decrypt

    $plaintext = $cast5->decrypt($ciphertext);

Decrypt the ciphertext and return the corresponding plaintext.

=head1 LIMITATIONS

Always produces untainted output, even if the input is tainted, because
that's what perl's pack() function does.

=head1 SEE ALSO

RFC 2144, "The CAST-128 Encryption Algorithm", C. Adams, May 1997

L<Crypt::CBC>

=head1 AUTHOR

Bob Mathews

=head1 COPYRIGHT

Copyright (c) 2006 Bob Mathews. All rights reserved.
This program is free software; you can redistribute it and/or
modify it under the same terms as Perl itself.

=cut

# The subs below sit after __END__, so they are presumably split out and
# loaded on demand through the AutoLoader AUTOLOAD imported at the top of
# the file; that would explain why each one repeats "use strict" and
# "use integer" for itself.

# init($key): validate the key, derive the 32-entry key schedule, and store
# it in the object.
#
#   $key   5 to 16 characters as counted by length(); the caller is expected
#          to pass a byte string -- NOTE(review): wide characters are not
#          rejected here, confirm callers only pass bytes.
#
# Croaks "Key length must be 40 to 128 bits" on a bad length. Returns the
# object itself. Any encrypt/decrypt closure cached from a previous key is
# discarded so that it gets rebuilt for the new schedule.
sub init {
    use strict;
    use integer;
    my ($cast5, $key) = @_;
    croak "Key length must be 40 to 128 bits"
        if length($key) < 5 || length($key) > 16;
    # presumably this fills the @s1..@s8 package arrays declared with
    # "use vars" at the top of the file -- the tables module is not visible here
    require Crypt::CAST5_PP::Tables;

    # untaint the key. this keeps the evals from blowing up later.
    # arguably, a tainted key should result in tainted output. oh well.
    # The pattern captures the whole string unchanged (/s lets . match
    # newlines), so this is taint laundering only, not validation: under -T a
    # key taken from untrusted input is accepted as is, and the subkeys that
    # encrypt()/decrypt() later interpolate into eval'd code derive from it.
    $key =~ /^(.*)$/s and $key = $1;

    # null-pad the key to 16 bytes, and then split it into 32-bit chunks
    # ("N4" reads four big-endian unsigned 32-bit words)
    my ($s, $t, $u, $v) = unpack "N4", pack "a16", $key;

    # compute the key schedule
    # don't try to read this -- it's generated by mkschedule
    # Each pass of the loop pushes 16 values, so @k ends up with 32 entries.
    # Every table index is a byte of key-derived state; NOTE(review): these
    # lookups are indexed by secret data, so do not assume the schedule runs
    # in constant time.
    my ($w, $x, $y, $z, @k);
    for (1..2) {
        $w=$s^$s5[$v>>16&255]^$s6[$v&255]^$s7[$v>>24&255]^$s8[$v>>8&255]^$s7[$u>>24&255];
        $x=$u^$s5[$w>>24&255]^$s6[$w>>8&255]^$s7[$w>>16&255]^$s8[$w&255]^$s8[$u>>8&255];
        $y=$v^$s5[$x&255]^$s6[$x>>8&255]^$s7[$x>>16&255]^$s8[$x>>24&255]^$s5[$u>>16&255];
        $z=$t^$s5[$y>>8&255]^$s6[$y>>16&255]^$s7[$y&255]^$s8[$y>>24&255]^$s6[$u&255];
        push@k,$s5[$y>>24&255]^$s6[$y>>16&255]^$s7[$x&255]^$s8[$x>>8&255]^$s5[$w>>8&255];
        push@k,$s5[$y>>8&255]^$s6[$y&255]^$s7[$x>>16&255]^$s8[$x>>24&255]^$s6[$x>>8&255];
        push@k,$s5[$z>>24&255]^$s6[$z>>16&255]^$s7[$w&255]^$s8[$w>>8&255]^$s7[$y>>16&255];
        push@k,$s5[$z>>8&255]^$s6[$z&255]^$s7[$w>>16&255]^$s8[$w>>24&255]^$s8[$z>>24&255];

        $s=$y^$s5[$x>>16&255]^$s6[$x&255]^$s7[$x>>24&255]^$s8[$x>>8&255]^$s7[$w>>24&255];
        $t=$w^$s5[$s>>24&255]^$s6[$s>>8&255]^$s7[$s>>16&255]^$s8[$s&255]^$s8[$w>>8&255];
        $u=$x^$s5[$t&255]^$s6[$t>>8&255]^$s7[$t>>16&255]^$s8[$t>>24&255]^$s5[$w>>16&255];
        $v=$z^$s5[$u>>8&255]^$s6[$u>>16&255]^$s7[$u&255]^$s8[$u>>24&255]^$s6[$w&255];
        push@k,$s5[$s&255]^$s6[$s>>8&255]^$s7[$v>>24&255]^$s8[$v>>16&255]^$s5[$u>>24&255];
        push@k,$s5[$s>>16&255]^$s6[$s>>24&255]^$s7[$v>>8&255]^$s8[$v&255]^$s6[$v>>16&255];
        push@k,$s5[$t&255]^$s6[$t>>8&255]^$s7[$u>>24&255]^$s8[$u>>16&255]^$s7[$s&255];
        push@k,$s5[$t>>16&255]^$s6[$t>>24&255]^$s7[$u>>8&255]^$s8[$u&255]^$s8[$t&255];

        $w=$s^$s5[$v>>16&255]^$s6[$v&255]^$s7[$v>>24&255]^$s8[$v>>8&255]^$s7[$u>>24&255];
        $x=$u^$s5[$w>>24&255]^$s6[$w>>8&255]^$s7[$w>>16&255]^$s8[$w&255]^$s8[$u>>8&255];
        $y=$v^$s5[$x&255]^$s6[$x>>8&255]^$s7[$x>>16&255]^$s8[$x>>24&255]^$s5[$u>>16&255];
        $z=$t^$s5[$y>>8&255]^$s6[$y>>16&255]^$s7[$y&255]^$s8[$y>>24&255]^$s6[$u&255];
        push@k,$s5[$w&255]^$s6[$w>>8&255]^$s7[$z>>24&255]^$s8[$z>>16&255]^$s5[$y>>16&255];
        push@k,$s5[$w>>16&255]^$s6[$w>>24&255]^$s7[$z>>8&255]^$s8[$z&255]^$s6[$z>>24&255];
        push@k,$s5[$x&255]^$s6[$x>>8&255]^$s7[$y>>24&255]^$s8[$y>>16&255]^$s7[$w>>8&255];
        push@k,$s5[$x>>16&255]^$s6[$x>>24&255]^$s7[$y>>8&255]^$s8[$y&255]^$s8[$x>>8&255];

        $s=$y^$s5[$x>>16&255]^$s6[$x&255]^$s7[$x>>24&255]^$s8[$x>>8&255]^$s7[$w>>24&255];
        $t=$w^$s5[$s>>24&255]^$s6[$s>>8&255]^$s7[$s>>16&255]^$s8[$s&255]^$s8[$w>>8&255];
        $u=$x^$s5[$t&255]^$s6[$t>>8&255]^$s7[$t>>16&255]^$s8[$t>>24&255]^$s5[$w>>16&255];
        $v=$z^$s5[$u>>8&255]^$s6[$u>>16&255]^$s7[$u&255]^$s8[$u>>24&255]^$s6[$w&255];
        push@k,$s5[$u>>24&255]^$s6[$u>>16&255]^$s7[$t&255]^$s8[$t>>8&255]^$s5[$s&255];
        push@k,$s5[$u>>8&255]^$s6[$u&255]^$s7[$t>>16&255]^$s8[$t>>24&255]^$s6[$t&255];
        push@k,$s5[$v>>24&255]^$s6[$v>>16&255]^$s7[$s&255]^$s8[$s>>8&255]^$s7[$u>>24&255];
        push@k,$s5[$v>>8&255]^$s6[$v&255]^$s7[$s>>16&255]^$s8[$s>>24&255]^$s8[$v>>16&255];
    }

    # entries 16..31 are used as rotate counts by encrypt()/decrypt(), so
    # only their low 5 bits (0..31) are kept
    for (16..31) { $k[$_] &= 31 }

    # drop closures generated for any earlier key; they have the old
    # subkeys baked into their source
    delete $cast5->{encrypt};
    delete $cast5->{decrypt};
    # keys of 10 bytes (80 bits) or less run 12 rounds, longer keys 16
    $cast5->{rounds} = length($key) <= 10 ? 12 : 16;
    # The subkeys stay in the object for its lifetime; nothing in this file
    # overwrites them when the object is discarded.
    $cast5->{key} = \@k;
    return $cast5;
} # init

# encrypt($block): encrypt one 8-byte block and return the 8-byte result.
#
# Croaks "Block size must be 8" on any other length and "Call init() first"
# when no key schedule is stored. On the first call after init() the round
# sequence is unrolled into Perl source text, compiled with a string eval,
# and cached in $cast5->{encrypt}; later calls reuse the compiled closure.
#
# NOTE(review): the generated source contains the subkeys as literals. They
# come from $cast5->{key}, which init() fills with integers, so the eval is
# only as safe as that field -- code that writes $cast5->{key} by another
# route would place its contents into eval'd code. The eval result and $@
# are not checked; if compilation failed, the call at the end of the sub
# would die on an undefined code reference rather than report the cause.
sub encrypt {
    use strict;
    use integer;
    my ($cast5, $block) = @_;
    croak "Block size must be 8" if length($block) != 8;

    my $encrypt = $cast5->{encrypt};
    unless ($encrypt) {
        my $key = $cast5->{key} or croak "Call init() first";
        # prologue of the generated sub: split the block into two 32-bit halves
        my $f = 'sub{my($l,$r,$i)=unpack"N2",$_[0];';

        # these hold variable NAMES and operator symbols for the generated
        # text; swapping the names each round stands in for swapping halves
        my ($l, $r) = qw( $l $r );
        my ($op1, $op2, $op3) = qw( + ^ - );
        foreach my $round (0 .. $cast5->{rounds}-1) {
            my $km = $key->[$round];      # masking subkey for this round
            my $kr = $key->[$round+16];   # rotate count for this round (0..31)

            # emit a left-rotate by $kr; skipped entirely when the count is 0
            my $rot = "";
            if ($kr) {
                # low $kr bits set: keeps only the bits that wrap around
                my $mask = ~(~0<<$kr) & 0xffffffff;
                my $kr2 = 32-$kr;
                $rot = "\$i=\$i<<$kr|\$i>>$kr2&$mask;"
            }

            # one round: combine subkey and half, rotate, then mix four
            # table lookups (package arrays @s1..@s4, referenced by name)
            # into the other half
            $f .= "\$i=$km$op1$r;$rot$l^=((\$s1[\$i>>24&255]$op2\$s2[\$i>>16&255])$op3\$s3[\$i>>8&255])$op1\$s4[\$i&255];";
            ($l, $r) = ($r, $l);
            # cycle through the three operator arrangements, one per round
            ($op1, $op2, $op3) = ($op2, $op3, $op1);
        }

        # epilogue: truncate both halves to 32 bits and repack, halves swapped
        $f .= 'pack"N2",$r&0xffffffff,$l&0xffffffff}';
        # NOTE(review): string eval of generated code; result is not checked
        $cast5->{encrypt} = $encrypt = eval $f;
    }

    return $encrypt->($block);
} # encrypt

# decrypt($block): decrypt one 8-byte block and return the 8-byte result.
#
# Mirrors encrypt(): same length check, same "Call init() first" croak, and
# the same generate-once, eval, and cache scheme (cached in
# $cast5->{decrypt}). The rounds are emitted with the subkeys in reverse
# order and the operator arrangement cycling in the opposite direction.
#
# NOTE(review): as in encrypt(), the subkeys from $cast5->{key} are written
# into the eval'd source as literals and the eval result is not checked.
sub decrypt {
    use strict;
    use integer;
    my ($cast5, $block) = @_;
    croak "Block size must be 8" if length($block) != 8;

    my $decrypt = $cast5->{decrypt};
    unless ($decrypt) {
        my $key = $cast5->{key} or croak "Call init() first";
        my $rounds = $cast5->{rounds};
        # prologue: the halves are unpacked in the opposite order to encrypt()
        my $f = 'sub{my($r,$l,$i)=unpack"N2",$_[0];';

        my ($l, $r) = qw( $r $l );
        my ($op1, $op2, $op3) = qw( - + ^ );
        # advance the operator cycle so the first decrypt round uses the
        # arrangement of the last encrypt round
        foreach (1 .. $rounds%3) { ($op1, $op2, $op3) = ($op2, $op3, $op1) }
        foreach my $round (1 .. $rounds) {
            # walk the schedule backwards: last round's subkeys first
            my $km = $key->[$rounds-$round];
            my $kr = $key->[$rounds-$round+16];

            # emit a left-rotate by $kr; skipped entirely when the count is 0
            my $rot = "";
            if ($kr) {
                my $mask = ~(~0<<$kr) & 0xffffffff;
                my $kr2 = 32-$kr;
                $rot = "\$i=\$i<<$kr|\$i>>$kr2&$mask;"
            }

            $f .= "\$i=$km$op1$r;$rot$l^=((\$s1[\$i>>24&255]$op2\$s2[\$i>>16&255])$op3\$s3[\$i>>8&255])$op1\$s4[\$i&255];";
            ($l, $r) = ($r, $l);
            # step the operator cycle in the reverse direction
            ($op1, $op2, $op3) = ($op3, $op1, $op2);
        }

        # epilogue: truncate both halves to 32 bits and repack
        $f .= 'pack"N2",$l&0xffffffff,$r&0xffffffff}';
        # NOTE(review): string eval of generated code; result is not checked
        $cast5->{decrypt} = $decrypt = eval $f;
    }

    return $decrypt->($block);
} # decrypt

# end CAST5_PP.pm