package Crypt::CBC; use strict; use Carp 'croak','carp'; use Crypt::CBC::PBKDF; use bytes; use vars qw($VERSION); no warnings 'uninitialized'; $VERSION = '3.04'; use constant RANDOM_DEVICE => '/dev/urandom'; use constant DEFAULT_PBKDF => 'opensslv1'; use constant DEFAULT_ITER => 10_000; # same as OpenSSL default my @valid_options = qw( pass key cipher keysize chain_mode pbkdf nodeprecate iter hasher header iv salt padding literal_key pcbc add_header generate_key prepend_iv ); sub new { my $class = shift; # the _get_*() methods move a lot of the ugliness/legacy logic # out of new(). But the ugliness is still there! my $options = $class->_get_options(@_); eval {$class->_validate_options($options)} or croak $@; my $cipher = $class->_get_cipher_obj($options); my $header_mode = $class->_get_header_mode($options); my ($ks,$bs) = $class->_get_key_and_block_sizes($cipher,$options); my ($pass,$iv,$salt,$key, $random_salt,$random_iv) = $class->_get_key_materials($options); my $padding = $class->_get_padding_mode($bs,$options); my ($pbkdf,$iter, $hc,$nodeprecate) = $class->_get_key_derivation_options($options,$header_mode); my $chain_mode = $class->_get_chain_mode($options); ### CONSISTENCY CHECKS #### # set literal key flag if a key was passed in or the key derivation algorithm is none $key ||= $pass if $pbkdf eq 'none'; # just in case my $literal_key = defined $key; # check length of initialization vector croak "Initialization vector must be exactly $bs bytes long when using the $cipher cipher" if defined $iv and length($iv) != $bs; # chaining mode check croak "invalid cipher block chain mode: $chain_mode" unless $class->can("_${chain_mode}_encrypt"); # KEYSIZE consistency if (defined $key && length($key) != $ks) { croak "If specified by -literal_key, then the key length must be equal to the chosen cipher's key length of $ks bytes"; } # HEADER consistency if ($header_mode eq 'salt') { croak "Cannot use salt-based key generation if literal key is specified" if $literal_key; } elsif ($header_mode eq 'randomiv') { croak "Cannot encrypt using a non-8 byte blocksize cipher when using randomiv header mode" unless $bs == 8 } croak "If a key derivation function (-pbkdf) of 'none' is provided, a literal key and iv must be provided" if $pbkdf eq 'none' && (!defined $key || !defined $iv); croak "If a -header mode of 'randomiv' is provided, then the -pbkdf key derivation function must be 'randomiv' or undefined" if $header_mode eq 'randomiv' and $pbkdf ne 'randomiv'; return bless { 'cipher' => $cipher, 'passphrase' => $pass, 'key' => $key, 'iv' => $iv, 'salt' => $salt, 'padding' => $padding, 'blocksize' => $bs, 'keysize' => $ks, 'header_mode' => $header_mode, 'literal_key' => $literal_key, 'literal_iv' => defined $iv, 'chain_mode' => $chain_mode, 'make_random_salt' => $random_salt, 'make_random_iv' => $random_iv, 'pbkdf' => $pbkdf, 'iter' => $iter, 'hasher' => $hc, 'nodeprecate' => $nodeprecate, },$class; } sub filehandle { my $self = shift; $self->_load_module('Crypt::FileHandle') or croak "Optional Crypt::FileHandle module must be installed to use the filehandle() method"; if (ref $self) { # already initialized return Crypt::FileHandle->new($self); } else { # create object return Crypt::FileHandle->new($self->new(@_)); } } sub encrypt (\$$) { my ($self,$data) = @_; $self->start('encrypting'); my $result = $self->crypt($data); $result .= $self->finish; $result; } sub decrypt (\$$){ my ($self,$data) = @_; $self->start('decrypting'); my $result = $self->crypt($data); $result .= $self->finish; $result; } sub encrypt_hex (\$$) { my ($self,$data) = @_; return join('',unpack 'H*',$self->encrypt($data)); } sub decrypt_hex (\$$) { my ($self,$data) = @_; return $self->decrypt(pack 'H*',$data); } # call to start a series of encryption/decryption operations sub start (\$$) { my $self = shift; my $operation = shift; croak "Specify ncryption or ecryption" unless $operation=~/^[ed]/i; delete $self->{'civ'}; $self->{'buffer'} = ''; $self->{'decrypt'} = $operation=~/^d/i; $self->_deprecation_warning; } sub chain_mode { shift->{chain_mode} || 'cbc' } sub chaining_method { my $self = shift; my $decrypt = shift; # memoize this result return $self->{chaining_method}{$decrypt} if exists $self->{chaining_method}{$decrypt}; my $cm = $self->chain_mode; my $code = $self->can($decrypt ? "_${cm}_decrypt" : "_${cm}_encrypt"); croak "Chain mode $cm not supported" unless $code; return $self->{chaining_method}{$decrypt} = $code; } # call to encrypt/decrypt a bit of data sub crypt (\$$){ my $self = shift; my $data = shift; my $result; croak "crypt() called without a preceding start()" unless exists $self->{'buffer'}; my $d = $self->{'decrypt'}; unless ($self->{civ}) { # block cipher has not yet been initialized $result = $self->_generate_iv_and_cipher_from_datastream(\$data) if $d; $result = $self->_generate_iv_and_cipher_from_options() unless $d; } my $iv = $self->{'civ'}; $self->{'buffer'} .= $data; my $bs = $self->{'blocksize'}; croak "When using no padding, plaintext size must be a multiple of $bs" if $self->_needs_padding and $self->{'padding'} eq \&_no_padding and length($data) % $bs; croak "When using rijndael_compat padding, plaintext size must be a multiple of $bs" if $self->_needs_padding and $self->{'padding'} eq \&_rijndael_compat and length($data) % $bs; return $result unless (length($self->{'buffer'}) >= $bs); my @blocks = unpack("(a$bs)*",$self->{buffer}); $self->{buffer} = ''; # if decrypting, leave the last block in the buffer for padding if ($d) { $self->{buffer} = pop @blocks; } else { $self->{buffer} = pop @blocks if length $blocks[-1] < $bs; } my $code = $self->chaining_method($d); # $self->$code($self->{crypt},\$iv,\$result,\@blocks); # calling the code sub directly is slightly faster for some reason $code->($self,$self->{crypt},\$iv,\$result,\@blocks); $self->{'civ'} = $iv; # remember the iv return $result; } # this is called at the end to flush whatever's left sub finish (\$) { my $self = shift; my $bs = $self->{'blocksize'}; my $block = $self->{buffer}; # what's left # Special case hack for backward compatibility with Crypt::Rijndael's CBC_MODE. if (length $block == 0 && $self->{padding} eq \&_rijndael_compat) { delete $self->{'civ'}; delete $self->{'buffer'}; return ''; } $self->{civ} ||= ''; my $iv = $self->{civ}; my $code = $self->chaining_method($self->{decrypt}); my $result = ''; if ($self->{decrypt}) { $self->$code($self->{crypt},\$iv,\$result,[$block]); $result = $self->{padding}->($result,$bs,'d') if $self->_needs_padding; } else { $block = $self->{padding}->($block,$bs,'e') if $self->_needs_padding; $self->$code($self->{crypt},\$iv,\$result,[$block]) unless length $block==0 && !$self->_needs_padding } delete $self->{'civ'}; delete $self->{'buffer'}; return $result; } ############# Move the boring new() argument processing here ####### sub _get_options { my $class = shift; my $options = {}; # hashref arguments if (ref $_[0] eq 'HASH') { $options = shift; } # CGI style arguments elsif ($_[0] =~ /^-[a-zA-Z_]{1,20}$/) { my %tmp = @_; while ( my($key,$value) = each %tmp) { $key =~ s/^-//; $options->{lc $key} = $value; } } else { $options->{key} = shift; $options->{cipher} = shift; } return $options; } sub _get_cipher_obj { my $class = shift; my $options = shift; my $cipher = $options->{cipher}; $cipher = 'Crypt::Cipher::AES' unless $cipher; unless (ref $cipher) { # munge the class name if no object passed $cipher = $cipher=~/^Crypt::/ ? $cipher : "Crypt::$cipher"; $cipher->can('encrypt') or eval "require $cipher; 1" or croak "Couldn't load $cipher: $@"; # some crypt modules use the class Crypt::, and others don't $cipher =~ s/^Crypt::// unless $cipher->can('keysize'); } return $cipher; } sub _validate_options { my $self = shift; my $options = shift; my %valid_options = map {$_=>1} @valid_options; for my $o (keys %$options) { die "'$o' is not a recognized argument" unless $valid_options{$o}; } return 1; } sub _get_header_mode { my $class = shift; my $options = shift; # header mode checking my %valid_modes = map {$_=>1} qw(none salt randomiv); my $header_mode = $options->{header}; $header_mode ||= 'none' if exists $options->{prepend_iv} && !$options->{prepend_iv}; $header_mode ||= 'none' if exists $options->{add_header} && !$options->{add_header}; $header_mode ||= 'none' if $options->{literal_key} || (exists $options->{pbkdf} && $options->{pbkdf} eq 'none'); $header_mode ||= 'salt'; # default croak "Invalid -header mode '$header_mode'" unless $valid_modes{$header_mode}; return $header_mode; } sub _get_padding_mode { my $class = shift; my ($bs,$options) = @_; my $padding = $options->{padding} || 'standard'; if ($padding && ref($padding) eq 'CODE') { # check to see that this code does its padding correctly for my $i (1..$bs-1) { my $rbs = length($padding->(" "x$i,$bs,'e')); croak "padding method callback does not behave properly: expected $bs bytes back, got $rbs bytes back." unless ($rbs == $bs); } } else { $padding = $padding eq 'none' ? \&_no_padding :$padding eq 'null' ? \&_null_padding :$padding eq 'space' ? \&_space_padding :$padding eq 'oneandzeroes' ? \&_oneandzeroes_padding :$padding eq 'rijndael_compat'? \&_rijndael_compat :$padding eq 'standard' ? \&_standard_padding :croak "'$padding' padding not supported. See perldoc Crypt::CBC for instructions on creating your own."; } return $padding; } sub _get_key_and_block_sizes { my $class = shift; my $cipher = shift; my $options = shift; # allow user to override the keysize value my $ks = $options->{keysize} || eval {$cipher->keysize} || eval {$cipher->max_keysize} or croak "Cannot derive keysize from $cipher"; my $bs = eval {$cipher->blocksize} or croak "$cipher did not provide a blocksize"; return ($ks,$bs); } sub _get_key_materials { my $self = shift; my $options = shift; # "key" is a misnomer here, because it is actually usually a passphrase that is used # to derive the true key my $pass = $options->{pass} || $options->{key}; my $cipher_object_provided = $options->{cipher} && ref $options->{cipher}; if ($cipher_object_provided) { carp "Both a key and a pre-initialized Crypt::* object were passed. The key will be ignored" if defined $pass; $pass ||= ''; } croak "Please provide an encryption/decryption passphrase using -pass or -key" unless defined $pass; # Default behavior is to treat -key as a passphrase. # But if the literal_key option is true, then use key as is croak "The options -literal_key and -regenerate_key are incompatible with each other" if exists $options->{literal_key} && exists $options->{regenerate_key}; my $key = $pass if $options->{literal_key}; $key = $pass if exists $options->{regenerate_key} && !$options->{regenerate_key}; # Get the salt. my $salt = $options->{salt}; my $random_salt = 1 unless defined $salt && $salt ne '1'; croak "Argument to -salt must be exactly 8 bytes long" if defined $salt && length $salt != 8 && $salt ne '1'; # note: iv will be autogenerated by start() if not specified in options my $iv = $options->{iv}; my $random_iv = 1 unless defined $iv; my $literal_key = $options->{literal_key} || (exists $options->{regenerate_key} && !$options->{regenerate_key}); undef $pass if $literal_key; return ($pass,$iv,$salt,$key,$random_salt,$random_iv); } sub _get_key_derivation_options { my $self = shift; my ($options,$header_mode) = @_; # KEY DERIVATION PARAMETERS # Some special cases here # 1. literal key has been requested - use algorithm 'none' # 2. headerless mode - use algorithm 'none' # 3. randomiv header - use algorithm 'nosalt' my $pbkdf = $options->{pbkdf} || ($options->{literal_key} ? 'none' :$header_mode eq 'randomiv' ? 'randomiv' :DEFAULT_PBKDF); # iterations my $iter = $options->{iter} || DEFAULT_ITER; $iter =~ /[\d_]+/ && $iter >= 1 or croak "-iterations argument must be greater than or equal to 1"; $iter =~ /[\d_]+/ && $iter >= 1 or croak "-iterations argument must be greater than or equal to 1"; # hasher my $hc = $options->{hasher}; my $nodeprecate = $options->{nodeprecate}; return ($pbkdf,$iter,$hc,$nodeprecate); } sub _get_chain_mode { my $self = shift; my $options = shift; return $options->{chain_mode} ? $options->{chain_mode} :$options->{pcbc} ? 'pcbc' :'cbc'; } sub _load_module { my $self = shift; my ($module,$args) = @_; my $result = eval "use $module $args; 1;"; warn $@ if $@; return $result; } sub _deprecation_warning { my $self = shift; return if $self->nodeprecate; return if $self->{decrypt}; my $pbkdf = $self->pbkdf; carp <'pbkdf2' would be better. Pass -nodeprecate=>1 to inhibit this message. END } ######################################### chaining mode methods ################################3 sub _needs_padding { my $self = shift; $self->chain_mode =~ /^p?cbc$/ && $self->padding ne \&_no_padding; } sub _cbc_encrypt { my $self = shift; my ($crypt,$iv,$result,$blocks) = @_; # the copying looks silly, but it is slightly faster than dereferencing the # variables each time my ($i,$r) = ($$iv,$$result); foreach (@$blocks) { $r .= $i = $crypt->encrypt($i ^ $_); } ($$iv,$$result) = ($i,$r); } sub _cbc_decrypt { my $self = shift; my ($crypt,$iv,$result,$blocks) = @_; # the copying looks silly, but it is slightly faster than dereferencing the # variables each time my ($i,$r) = ($$iv,$$result); foreach (@$blocks) { $r .= $i ^ $crypt->decrypt($_); $i = $_; } ($$iv,$$result) = ($i,$r); } sub _pcbc_encrypt { my $self = shift; my ($crypt,$iv,$result,$blocks) = @_; foreach my $plaintext (@$blocks) { $$result .= $$iv = $crypt->encrypt($$iv ^ $plaintext); $$iv ^= $plaintext; } } sub _pcbc_decrypt { my $self = shift; my ($crypt,$iv,$result,$blocks) = @_; foreach my $ciphertext (@$blocks) { $$result .= $$iv = $$iv ^ $crypt->decrypt($ciphertext); $$iv ^= $ciphertext; } } sub _cfb_encrypt { my $self = shift; my ($crypt,$iv,$result,$blocks) = @_; my ($i,$r) = ($$iv,$$result); foreach my $plaintext (@$blocks) { $r .= $i = $plaintext ^ $crypt->encrypt($i) } ($$iv,$$result) = ($i,$r); } sub _cfb_decrypt { my $self = shift; my ($crypt,$iv,$result,$blocks) = @_; my ($i,$r) = ($$iv,$$result); foreach my $ciphertext (@$blocks) { $r .= $ciphertext ^ $crypt->encrypt($i); $i = $ciphertext; } ($$iv,$$result) = ($i,$r); } sub _ofb_encrypt { my $self = shift; my ($crypt,$iv,$result,$blocks) = @_; my ($i,$r) = ($$iv,$$result); foreach my $plaintext (@$blocks) { my $ciphertext = $plaintext ^ ($i = $crypt->encrypt($i)); substr($ciphertext,length $plaintext) = ''; # truncate $r .= $ciphertext; } ($$iv,$$result) = ($i,$r); } *_ofb_decrypt = \&_ofb_encrypt; # same code # According to RFC3686, the counter is 128 bits (16 bytes) # The first 32 bits (4 bytes) is the nonce # The next 64 bits (8 bytes) is the IV # The final 32 bits (4 bytes) is the counter, starting at 1 # BUT, the way that openssl v1.1.1 does it is to generate a random # IV, treat the whole thing as a blocksize-sized integer, and then # increment. sub _ctr_encrypt { my $self = shift; my ($crypt,$iv,$result,$blocks) = @_; my $bs = $self->blocksize; $self->_upgrade_iv_to_ctr($iv); my ($i,$r) = ($$iv,$$result); foreach my $plaintext (@$blocks) { my $bytes = int128_to_net($i++); # pad with leading nulls if there are insufficient bytes # (there's gotta be a better way to do this) if ($bs > length $bytes) { substr($bytes,0,0) = "\000"x($bs-length $bytes) ; } my $ciphertext = $plaintext ^ ($crypt->encrypt($bytes)); substr($ciphertext,length $plaintext) = ''; # truncate $r .= $ciphertext; } ($$iv,$$result) = ($i,$r); } *_ctr_decrypt = \&_ctr_encrypt; # same code # upgrades instance vector to a CTR counter # returns 1 if upgrade performed sub _upgrade_iv_to_ctr { my $self = shift; my $iv = shift; # this is a scalar reference return if ref $$iv; # already upgraded to an object $self->_load_module("Math::Int128" => "'net_to_int128','int128_to_net'") or croak "Optional Math::Int128 module must be installed to use the CTR chaining method"; $$iv = net_to_int128($$iv); return 1; } ######################################### chaining mode methods ################################3 sub pbkdf { shift->{pbkdf} } # get the initialized PBKDF object sub pbkdf_obj { my $self = shift; my $pbkdf = $self->pbkdf; my $iter = $self->{iter}; my $hc = $self->{hasher}; my @hash_args = $hc ? ref ($hc) ? (hasher => $hc) : (hash_class => $hc) : (); return Crypt::CBC::PBKDF->new($pbkdf => { key_len => $self->{keysize}, iv_len => $self->{blocksize}, iterations => $iter, @hash_args, } ); } ############################# generating key, iv and salt ######################## # hopefully a replacement for mess below sub set_key_and_iv { my $self = shift; if (!$self->{literal_key}) { my ($key,$iv) = $self->pbkdf_obj->key_and_iv($self->{salt},$self->{passphrase}); $self->{key} = $key; $self->{iv} = $iv if $self->{make_random_iv}; } else { $self->{iv} = $self->_get_random_bytes($self->blocksize) if $self->{make_random_iv}; } length $self->{salt} == 8 or croak "Salt must be exactly 8 bytes long"; length $self->{iv} == $self->{blocksize} or croak "IV must be exactly $self->{blocksize} bytes long"; } # derive the salt, iv and key from the datastream header + passphrase sub _read_key_and_iv { my $self = shift; my $input_stream = shift; my $bs = $self->blocksize; # use our header mode to figure out what to do with the data stream my $header_mode = $self->header_mode; if ($header_mode eq 'none') { $self->{salt} ||= $self->_get_random_bytes(8); return $self->set_key_and_iv; } elsif ($header_mode eq 'salt') { ($self->{salt}) = $$input_stream =~ /^Salted__(.{8})/s; croak "Ciphertext does not begin with a valid header for 'salt' header mode" unless defined $self->{salt}; substr($$input_stream,0,16) = ''; my ($k,$i) = $self->pbkdf_obj->key_and_iv($self->{salt},$self->{passphrase}); $self->{key} = $k unless $self->{literal_key}; $self->{iv} = $i unless $self->{literal_iv}; } elsif ($header_mode eq 'randomiv') { ($self->{iv}) = $$input_stream =~ /^RandomIV(.{8})/s; croak "Ciphertext does not begin with a valid header for 'randomiv' header mode" unless defined $self->{iv}; croak "randomiv header mode cannot be used securely when decrypting with a >8 byte block cipher.\n" unless $self->blocksize == 8; (undef,$self->{key}) = $self->pbkdf_obj->key_and_iv(undef,$self->{passphrase}); substr($$input_stream,0,16) = ''; # truncate } else { croak "Invalid header mode '$header_mode'"; } } # this subroutine will generate the actual {en,de}cryption key, the iv # and the block cipher object. This is called when reading from a datastream # and so it uses previous values of salt or iv if they are encoded in datastream # header sub _generate_iv_and_cipher_from_datastream { my $self = shift; my $input_stream = shift; $self->_read_key_and_iv($input_stream); $self->{civ} = $self->{iv}; # we should have the key and iv now, or we are dead in the water croak "Could not derive key or iv from cipher stream, and you did not specify these values in new()" unless $self->{key} && $self->{civ}; # now we can generate the crypt object itself $self->{crypt} = ref $self->{cipher} ? $self->{cipher} : $self->{cipher}->new($self->{key}) or croak "Could not create $self->{cipher} object: $@"; return ''; } sub _generate_iv_and_cipher_from_options { my $self = shift; $self->{salt} = $self->_get_random_bytes(8) if $self->{make_random_salt}; $self->set_key_and_iv; $self->{civ} = $self->{iv}; my $result = ''; my $header_mode = $self->header_mode; if ($header_mode eq 'salt') { $result = "Salted__$self->{salt}"; } elsif ($header_mode eq 'randomiv') { $result = "RandomIV$self->{iv}"; undef $self->{salt}; # shouldn't be there! } croak "key and/or iv are missing" unless defined $self->{key} && defined $self->{civ}; $self->_taintcheck($self->{key}); $self->{crypt} = ref $self->{cipher} ? $self->{cipher} : $self->{cipher}->new($self->{key}) or croak "Could not create $self->{cipher} object: $@"; return $result; } sub _taintcheck { my $self = shift; my $key = shift; return unless ${^TAINT}; my $has_scalar_util = eval "require Scalar::Util; 1"; my $tainted; if ($has_scalar_util) { $tainted = Scalar::Util::tainted($key); } else { local($@, $SIG{__DIE__}, $SIG{__WARN__}); local $^W = 0; eval { kill 0 * $key }; $tainted = $@ =~ /^Insecure/; } croak "Taint checks are turned on and your key is tainted. Please untaint the key and try again" if $tainted; } sub _digest_obj { my $self = shift; if ($self->{digest_obj}) { $self->{digest_obj}->reset(); return $self->{digest_obj}; } my $alg = $self->{digest_alg}; return $alg if ref $alg && $alg->can('digest'); my $obj = eval {Digest->new($alg)}; croak "Unable to instantiate '$alg' digest object: $@" if $@; return $self->{digest_obj} = $obj; } sub random_bytes { my $self = shift; my $bytes = shift or croak "usage: random_bytes(\$byte_length)"; $self->_get_random_bytes($bytes); } sub _get_random_bytes { my $self = shift; my $length = shift; my $result; if (-r RANDOM_DEVICE && open(F,RANDOM_DEVICE)) { read(F,$result,$length); close F; } else { $result = pack("C*",map {rand(256)} 1..$length); } # Clear taint and check length $result =~ /^(.+)$/s; length($1) == $length or croak "Invalid length while gathering $length random bytes"; return $1; } sub _standard_padding ($$$) { my ($b,$bs,$decrypt) = @_; if ($decrypt eq 'd') { my $pad_length = unpack("C",substr($b,-1)); return substr($b,0,$bs-$pad_length); } my $pad = $bs - length($b); return $b . pack("C*",($pad)x$pad); } sub _space_padding ($$$) { my ($b,$bs,$decrypt) = @_; if ($decrypt eq 'd') { $b=~ s/ *\z//s; } else { $b .= pack("C*", (32) x ($bs-length($b))); } return $b; } sub _no_padding ($$$) { my ($b,$bs,$decrypt) = @_; return $b; } sub _null_padding ($$$) { my ($b,$bs,$decrypt) = @_; return unless length $b; $b = length $b ? $b : ''; if ($decrypt eq 'd') { $b=~ s/\0*\z//s; return $b; } return $b . pack("C*", (0) x ($bs - length($b) % $bs)); } sub _oneandzeroes_padding ($$$) { my ($b,$bs,$decrypt) = @_; if ($decrypt eq 'd') { $b=~ s/\x80\0*\z//s; return $b; } return $b . pack("C*", 128, (0) x ($bs - length($b) - 1) ); } sub _rijndael_compat ($$$) { my ($b,$bs,$decrypt) = @_; return unless length $b; if ($decrypt eq 'd') { $b=~ s/\x80\0*\z//s; return $b; } return $b . pack("C*", 128, (0) x ($bs - length($b) % $bs - 1) ); } sub get_initialization_vector (\$) { my $self = shift; $self->iv(); } sub set_initialization_vector (\$$) { my $self = shift; my $iv = shift; my $bs = $self->blocksize; croak "Initialization vector must be $bs bytes in length" unless length($iv) == $bs; $self->iv($iv); } sub salt { my $self = shift; my $d = $self->{salt}; $self->{salt} = shift if @_; $d; } sub iv { my $self = shift; my $d = $self->{iv}; $self->{iv} = shift if @_; $d; } sub key { my $self = shift; my $d = $self->{key}; $self->{key} = shift if @_; $d; } sub passphrase { my $self = shift; my $d = $self->{passphrase}; if (@_) { undef $self->{key}; undef $self->{iv}; $self->{passphrase} = shift; } $d; } sub keysize { my $self = shift; $self->{keysize} = shift if @_; $self->{keysize}; } sub cipher { shift->{cipher} } sub padding { shift->{padding} } sub blocksize { shift->{blocksize} } sub pcbc { shift->{pcbc} } sub header_mode {shift->{header_mode} } sub literal_key {shift->{literal_key}} sub nodeprecate {shift->{nodeprecate}} 1; __END__ =head1 NAME Crypt::CBC - Encrypt Data with Cipher Block Chaining Mode =head1 SYNOPSIS use Crypt::CBC; $cipher = Crypt::CBC->new( -pass => 'my secret password', -cipher => 'Cipher::AES' ); # one shot mode $ciphertext = $cipher->encrypt("This data is hush hush"); $plaintext = $cipher->decrypt($ciphertext); # stream mode $cipher->start('encrypting'); open(F,"./BIG_FILE"); while (read(F,$buffer,1024)) { print $cipher->crypt($buffer); } print $cipher->finish; # do-it-yourself mode -- specify key && initialization vector yourself $key = Crypt::CBC->random_bytes(8); # assuming a 8-byte block cipher $iv = Crypt::CBC->random_bytes(8); $cipher = Crypt::CBC->new(-pbkdf => 'none', -key => $key, -iv => $iv); $ciphertext = $cipher->encrypt("This data is hush hush"); $plaintext = $cipher->decrypt($ciphertext); # encrypting via a filehandle (requires Crypt::FileHandle> $fh = Crypt::CBC->filehandle(-pass => 'secret'); open $fh,'>','encrypted.txt" or die $! print $fh "This will be encrypted\n"; close $fh; =head1 DESCRIPTION This module is a Perl-only implementation of the cryptographic cipher block chaining mode (CBC). In combination with a block cipher such as AES or Blowfish, you can encrypt and decrypt messages of arbitrarily long length. The encrypted messages are compatible with the encryption format used by the B package. To use this module, you will first create a Crypt::CBC cipher object with new(). At the time of cipher creation, you specify an encryption key to use and, optionally, a block encryption algorithm. You will then call the start() method to initialize the encryption or decryption process, crypt() to encrypt or decrypt one or more blocks of data, and lastly finish(), to pad and encrypt the final block. For your convenience, you can call the encrypt() and decrypt() methods to operate on a whole data value at once. =head2 new() $cipher = Crypt::CBC->new( -pass => 'my secret key', -cipher => 'Cipher::AES', ); # or (for compatibility with versions prior to 2.0) $cipher = new Crypt::CBC('my secret key' => 'Cipher::AES'); The new() method creates a new Crypt::CBC object. It accepts a list of -argument => value pairs selected from the following list: Argument Description -------- ----------- -pass,-key The encryption/decryption passphrase. These arguments are interchangeable, but -pass is preferred ("key" is a misnomer, as it is not the literal encryption key). -cipher The cipher algorithm (defaults to Crypt::Cipher:AES), or a previously created cipher object reference. For convenience, you may omit the initial "Crypt::" part of the classname and use the basename, e.g. "Blowfish" instead of "Crypt::Blowfish". -keysize Force the cipher keysize to the indicated number of bytes. This can be used to set the keysize for variable keylength ciphers such as AES. -chain_mode The block chaining mode to use. Current options are: 'cbc' -- cipher-block chaining mode [default] 'pcbc' -- plaintext cipher-block chaining mode 'cfb' -- cipher feedback mode 'ofb' -- output feedback mode 'ctr' -- counter mode -pbkdf The passphrase-based key derivation function used to derive the encryption key and initialization vector from the provided passphrase. For backward compatibility, Crypt::CBC will default to "opensslv1", but it is recommended to use the standard "pbkdf2"algorithm instead. If you wish to interoperate with OpenSSL, be aware that different versions of the software support a series of derivation functions. 'none' -- The value provided in -pass/-key is used directly. This is the same as passing true to -literal_key. You must also manually specify the IV with -iv. The key and the IV must match the keylength and blocklength of the chosen cipher. 'randomiv' -- Use insecure key derivation method found in prehistoric versions of OpenSSL (dangerous) 'opensslv1' -- [default] Use the salted MD5 method that was default in versions of OpenSSL through v1.0.2. 'opensslv2' -- [better] Use the salted SHA-256 method that was the default in versions of OpenSSL through v1.1.0. 'pbkdf2' -- [best] Use the PBKDF2 method that was first introduced in OpenSSL v1.1.1. More derivation functions may be added in the future. To see the supported list, use the command perl -MCrypt::CBC::PBKDF -e 'print join "\n",Crypt::CBC::PBKDF->list' -iter If the 'pbkdf2' key derivation algorithm is used, this specifies the number of hashing cycles to be applied to the passphrase+salt (longer is more secure). [default 10,000] -hasher If the 'pbkdf2' key derivation algorithm is chosen, you can use this to provide an initialized Crypt::PBKDF2::Hash object. [default HMACSHA2 for OpenSSL compatability] -header What type of header to prepend to the ciphertext. One of 'salt' -- use OpenSSL-compatible salted header (default) 'randomiv' -- Randomiv-compatible "RandomIV" header 'none' -- prepend no header at all (compatible with prehistoric versions of OpenSSL) -iv The initialization vector (IV). If not provided, it will be generated by the key derivation function. -salt The salt passed to the key derivation function. If not provided, will be generated randomly (recommended). -padding The padding method, one of "standard" (default), "space", "oneandzeroes", "rijndael_compat", "null", or "none" (default "standard"). -literal_key [deprected, use -pbkdf=>'none'] If true, the key provided by "-key" or "-pass" is used directly for encryption/decryption without salting or hashing. The key must be the right length for the chosen cipher. [default false) -pcbc [deprecated, use -chaining_mode=>'pcbc'] Whether to use the PCBC chaining algorithm rather than the standard CBC algorithm (default false). -add_header [deprecated; use -header instead] Whether to add the salt and IV to the header of the output cipher text. -regenerate_key [deprecated; use -literal_key instead] Whether to use a hash of the provided key to generate the actual encryption key (default true) -prepend_iv [deprecated; use -header instead] Whether to prepend the IV to the beginning of the encrypted stream (default true) Crypt::CBC requires three pieces of information to do its job. First it needs the name of the block cipher algorithm that will encrypt or decrypt the data in blocks of fixed length known as the cipher's "blocksize." Second, it needs an encryption/decryption key to pass to the block cipher. Third, it needs an initialization vector (IV) that will be used to propagate information from one encrypted block to the next. Both the key and the IV must be exactly the same length as the chosen cipher's blocksize. Crypt::CBC can derive the key and the IV from a passphrase that you provide, or can let you specify the true key and IV manually. In addition, you have the option of embedding enough information to regenerate the IV in a short header that is emitted at the start of the encrypted stream, or outputting a headerless encryption stream. In the first case, Crypt::CBC will be able to decrypt the stream given just the original key or passphrase. In the second case, you will have to provide the original IV as well as the key/passphrase. The B<-cipher> option specifies which block cipher algorithm to use to encode each section of the message. This argument is optional and will default to the secure Crypt::Cipher::AES algorithm. You may use any compatible block encryption algorithm that you have installed. Currently, this includes Crypt::Cipher::AES, Crypt::DES, Crypt::DES_EDE3, Crypt::IDEA, Crypt::Blowfish, Crypt::CAST5 and Crypt::Rijndael. You may refer to them using their full names ("Crypt::IDEA") or in abbreviated form ("IDEA"). Instead of passing the name of a cipher class, you may pass an already-created block cipher object. This allows you to take advantage of cipher algorithms that have parameterized new() methods, such as Crypt::Eksblowfish: my $eksblowfish = Crypt::Eksblowfish->new(8,$salt,$key); my $cbc = Crypt::CBC->new(-cipher=>$eksblowfish); The B<-pass> argument provides a passphrase to use to generate the encryption key or the literal value of the block cipher key. If used in passphrase mode (which is the default), B<-pass> can be any number of characters; the actual key will be derived by passing the passphrase through a series of hashing operations. To take full advantage of a given block cipher, the length of the passphrase should be at least equal to the cipher's blocksize. For backward compatibility, you may also refer to this argument using B<-key>. To skip this hashing operation and specify the key directly, provide the actual key as a string to B<-key> and specify a key derivation function of "none" to the B<-pbkdf> argument. Alternatively, you may pass a true value to the B<-literal_key> argument. When you manually specify the key in this way, should choose a key of length exactly equal to the cipher's key length. You will also have to specify an IV equal in length to the cipher's blocksize. These choices imply a header mode of "none." If you pass an existing Crypt::* object to new(), then the B<-pass>/B<-key> argument is ignored and the module will generate a warning. The B<-pbkdf> argument specifies the algorithm used to derive the true key and IV from the provided passphrase (PBKDF stands for "passphrase-based key derivation function"). Valid values are: "opensslv1" -- [default] A fast algorithm that derives the key by combining a random salt values with the passphrase via a series of MD5 hashes. "opensslv2" -- an improved version that uses SHA-256 rather than MD5, and has been OpenSSL's default since v1.1.0. However, it has been deprecated in favor of pbkdf2 since OpenSSL v1.1.1. "pbkdf2" -- a better algorithm implemented in OpenSSL v1.1.1, described in RFC 2898 L "none" -- don't use a derivation function, but treat the passphrase as the literal key. This is the same as B<-literal_key> true. "nosalt" -- an insecure key derivation method used by prehistoric versions of OpenSSL, provided for backward compatibility. Don't use. "opensslv1" was OpenSSL's default key derivation algorithm through version 1.0.2, but is susceptible to dictionary attacks and is no longer supported. It remains the default for Crypt::CBC in order to avoid breaking compatibility with previously-encrypted messages. Using this option will issue a deprecation warning when initiating encryption. You can suppress the warning by passing a true value to the B<-nodeprecate> option. It is recommended to specify the "pbkdf2" key derivation algorithm when compatibility with older versions of Crypt::CBC is not needed. This algorithm is deliberately computationally expensive in order to make dictionary-based attacks harder. As a result, it introduces a slight delay before an encryption or decryption operation starts. The B<-iter> argument is used in conjunction with the "pbkdf2" key derivation option. Its value indicates the number of hashing cycles used to derive the key. Larger values are more secure, but impose a longer delay before encryption/decryption starts. The default is 10,000 for compatibility with OpenSSL's default. The B<-hasher> argument is used in conjunction with the "pbkdf2" key derivation option to pass the reference to an initialized Crypt::PBKDF2::Hash object. If not provided, it defaults to the OpenSSL-compatible hash function HMACSHA2 initialized with its default options (SHA-256 hash). The B<-header> argument specifies what type of header, if any, to prepend to the beginning of the encrypted data stream. The header allows Crypt::CBC to regenerate the original IV and correctly decrypt the data without your having to provide the same IV used to encrypt the data. Valid values for the B<-header> are: "salt" -- Combine the passphrase with an 8-byte random value to generate both the block cipher key and the IV from the provided passphrase. The salt will be appended to the beginning of the data stream allowing decryption to regenerate both the key and IV given the correct passphrase. This method is compatible with current versions of OpenSSL. "randomiv" -- Generate the block cipher key from the passphrase, and choose a random 8-byte value to use as the IV. The IV will be prepended to the data stream. This method is compatible with ciphertext produced by versions of the library prior to 2.17, but is incompatible with block ciphers that have non 8-byte block sizes, such as Rijndael. Crypt::CBC will exit with a fatal error if you try to use this header mode with a non 8-byte cipher. This header type is NOT secure and NOT recommended. "none" -- Do not generate a header. To decrypt a stream encrypted in this way, you will have to provide the true key and IV manually. B When using a "salt" header, you may specify your own value of the salt, by passing the desired 8-byte character string to the B<-salt> argument. Otherwise, the module will generate a random salt for you. Crypt::CBC will generate a fatal error if you specify a salt value that isn't exactly 8 bytes long. For backward compatibility reasons, passing a value of "1" will generate a random salt, the same as if no B<-salt> argument was provided. The B<-padding> argument controls how the last few bytes of the encrypted stream are dealt with when they not an exact multiple of the cipher block length. The default is "standard", the method specified in PKCS#5. The B<-chaining_mode> argument will select among several different block chaining modes. Values are: 'cbc' -- [default] traditional Cipher-Block Chaining mode. It has the property that if one block in the ciphertext message is damaged, only that block and the next one will be rendered un-decryptable. 'pcbc' -- Plaintext Cipher-Block Chaining mode. This has the property that one damaged ciphertext block will render the remainder of the message unreadable 'cfb' -- Cipher Feedback Mode. In this mode, both encryption and decryption are performed using the block cipher's "encrypt" algorithm. The error propagation behaviour is similar to CBC's. 'ofb' -- Output Feedback Mode. Similar to CFB, the block cipher's encrypt algorithm is used for both encryption and decryption. If one bit of the plaintext or ciphertext message is damaged, the damage is confined to a single block of the corresponding ciphertext or plaintext, and error correction algorithms can be used to reconstruct the damaged part. 'ctr' -- Counter Mode. This mode uses a one-time "nonce" instead of an IV. The nonce is incremented by one for each block of plain or ciphertext, encrypted using the chosen algorithm, and then applied to the block of text. If one bit of the input text is damaged, it only affects 1 bit of the output text. To use CTR mode you will need to install the Perl Math::Int128 module. This chaining method is roughly half the speed of the others due to integer arithmetic. Passing a B<-pcbc> argument of true will have the same effect as -chaining_mode=>'pcbc', and is included for backward compatibility. [deprecated]. For more information on chaining modes, see L. The B<-keysize> argument can be used to force the cipher's keysize. This is useful for several of the newer algorithms, including AES, ARIA, Blowfish, and CAMELLIA. If -keysize is not specified, then Crypt::CBC will use the value returned by the cipher's max_keylength() method. Note that versions of CBC::Crypt prior to 2.36 could also allow you to set the blocksie, but this was never supported by any ciphers and has been removed. For compatibility with earlier versions of this module, you can provide new() with a hashref containing key/value pairs. The key names are the same as the arguments described earlier, but without the initial hyphen. You may also call new() with one or two positional arguments, in which case the first argument is taken to be the key and the second to be the optional block cipher algorithm. =head2 start() $cipher->start('encrypting'); $cipher->start('decrypting'); The start() method prepares the cipher for a series of encryption or decryption steps, resetting the internal state of the cipher if necessary. You must provide a string indicating whether you wish to encrypt or decrypt. "E" or any word that begins with an "e" indicates encryption. "D" or any word that begins with a "d" indicates decryption. =head2 crypt() $ciphertext = $cipher->crypt($plaintext); After calling start(), you should call crypt() as many times as necessary to encrypt the desired data. =head2 finish() $ciphertext = $cipher->finish(); The CBC algorithm must buffer data blocks internally until they are even multiples of the encryption algorithm's blocksize (typically 8 bytes). After the last call to crypt() you should call finish(). This flushes the internal buffer and returns any leftover ciphertext. In a typical application you will read the plaintext from a file or input stream and write the result to standard output in a loop that might look like this: $cipher = new Crypt::CBC('hey jude!'); $cipher->start('encrypting'); print $cipher->crypt($_) while <>; print $cipher->finish(); =head2 encrypt() $ciphertext = $cipher->encrypt($plaintext) This convenience function runs the entire sequence of start(), crypt() and finish() for you, processing the provided plaintext and returning the corresponding ciphertext. =head2 decrypt() $plaintext = $cipher->decrypt($ciphertext) This convenience function runs the entire sequence of start(), crypt() and finish() for you, processing the provided ciphertext and returning the corresponding plaintext. =head2 encrypt_hex(), decrypt_hex() $ciphertext = $cipher->encrypt_hex($plaintext) $plaintext = $cipher->decrypt_hex($ciphertext) These are convenience functions that operate on ciphertext in a hexadecimal representation. B is exactly equivalent to B. These functions can be useful if, for example, you wish to place the encrypted in an email message. =head2 filehandle() This method returns a filehandle for transparent encryption or decryption using Christopher Dunkle's excellent L module. This module must be installed in order to use this method. filehandle() can be called as a class method using the same arguments as new(): $fh = Crypt::CBC->filehandle(-cipher=> 'Blowfish', -pass => "You'll never guess"); or on a previously-created Crypt::CBC object: $cbc = Crypt::CBC->new(-cipher=> 'Blowfish', -pass => "You'll never guess"); $fh = $cbc->filehandle; The filehandle can then be opened using the familiar open() syntax. Printing to a filehandle opened for writing will encrypt the data. Filehandles opened for input will be decrypted. Here is an example: # transparent encryption open $fh,'>','encrypted.out' or die $!; print $fh "You won't be able to read me!\n"; close $fh; # transparent decryption open $fh,'<','encrypted.out' or die $!; while (<$fh>) { print $_ } close $fh; =head2 get_initialization_vector() $iv = $cipher->get_initialization_vector() This function will return the IV used in encryption and or decryption. The IV is not guaranteed to be set when encrypting until start() is called, and when decrypting until crypt() is called the first time. Unless the IV was manually specified in the new() call, the IV will change with every complete encryption operation. =head2 set_initialization_vector() $cipher->set_initialization_vector('76543210') This function sets the IV used in encryption and/or decryption. This function may be useful if the IV is not contained within the ciphertext string being decrypted, or if a particular IV is desired for encryption. Note that the IV must match the chosen cipher's blocksize bytes in length. =head2 iv() $iv = $cipher->iv(); $cipher->iv($new_iv); As above, but using a single method call. =head2 key() $key = $cipher->key(); $cipher->key($new_key); Get or set the block cipher key used for encryption/decryption. When encrypting, the key is not guaranteed to exist until start() is called, and when decrypting, the key is not guaranteed to exist until after the first call to crypt(). The key must match the length required by the underlying block cipher. When salted headers are used, the block cipher key will change after each complete sequence of encryption operations. =head2 salt() $salt = $cipher->salt(); $cipher->salt($new_salt); Get or set the salt used for deriving the encryption key and IV when in OpenSSL compatibility mode. =head2 passphrase() $passphrase = $cipher->passphrase(); $cipher->passphrase($new_passphrase); This gets or sets the value of the B passed to new() when B is false. =head2 $data = random_bytes($numbytes) Return $numbytes worth of random data. On systems that support the "/dev/urandom" device file, this data will be read from the device. Otherwise, it will be generated by repeated calls to the Perl rand() function. =head2 cipher(), pbkdf(), padding(), keysize(), blocksize(), chain_mode() These read-only methods return the identity of the chosen block cipher algorithm, the key derivation function (e.g. "opensslv1"), padding method, key and block size of the chosen block cipher, and what chaining mode ("cbc", "ofb" ,etc) is being used. =head2 Padding methods Use the 'padding' option to change the padding method. When the last block of plaintext is shorter than the block size, it must be padded. Padding methods include: "standard" (i.e., PKCS#5), "oneandzeroes", "space", "rijndael_compat", "null", and "none". standard: (default) Binary safe pads with the number of bytes that should be truncated. So, if blocksize is 8, then "0A0B0C" will be padded with "05", resulting in "0A0B0C0505050505". If the final block is a full block of 8 bytes, then a whole block of "0808080808080808" is appended. oneandzeroes: Binary safe pads with "80" followed by as many "00" necessary to fill the block. If the last block is a full block and blocksize is 8, a block of "8000000000000000" will be appended. rijndael_compat: Binary safe, with caveats similar to oneandzeroes, except that no padding is performed if the last block is a full block. This is provided for compatibility with Crypt::Rijndael's buit-in MODE_CBC. Note that Crypt::Rijndael's implementation of CBC only works with messages that are even multiples of 16 bytes. null: text only pads with as many "00" necessary to fill the block. If the last block is a full block and blocksize is 8, a block of "0000000000000000" will be appended. space: text only same as "null", but with "20". none: no padding added. Useful for special-purpose applications where you wish to add custom padding to the message. Both the standard and oneandzeroes paddings are binary safe. The space and null paddings are recommended only for text data. Which type of padding you use depends on whether you wish to communicate with an external (non Crypt::CBC library). If this is the case, use whatever padding method is compatible. You can also pass in a custom padding function. To do this, create a function that takes the arguments: $padded_block = function($block,$blocksize,$direction); where $block is the current block of data, $blocksize is the size to pad it to, $direction is "e" for encrypting and "d" for decrypting, and $padded_block is the result after padding or depadding. When encrypting, the function should always return a string of length, and when decrypting, can expect the string coming in to always be that length. See _standard_padding(), _space_padding(), _null_padding(), or _oneandzeroes_padding() in the source for examples. Standard and oneandzeroes padding are recommended, as both space and null padding can potentially truncate more characters than they should. =head1 Comparison to Crypt::Mode::CBC The L modules L, L, L, and L provide fast implementations of the respective cipherblock chaining modes (roughly 5x the speed of Crypt::CBC). Crypt::CBC was designed to encrypt and decrypt messages in a manner compatible with OpenSSL's "enc" function. Hence it handles the derivation of the key and IV from a passphrase using the same conventions as OpenSSL, and it writes out an OpenSSL-compatible header in the encrypted message in a manner that allows the key and IV to be regenerated during decryption. In contrast, the CryptX modules do not automatically derive the key and IV from a passphrase or write out an encrypted header. You will need to derive and store the key and IV by other means (e.g. with CryptX's Crypt::KeyDerivation module, or with Crypt::PBKDF2). =head1 EXAMPLES Three examples, aes.pl, des.pl and idea.pl can be found in the eg/ subdirectory of the Crypt-CBC distribution. These implement command-line DES and IDEA encryption algorithms using default parameters, and should be compatible with recent versions of OpenSSL. Note that aes.pl uses the "pbkdf2" key derivation function to generate its keys. The other two were distributed with pre-PBKDF2 versions of Crypt::CBC, and use the older "opensslv1" algorithm. =head1 LIMITATIONS The encryption and decryption process is about a tenth the speed of the equivalent OpenSSL tool and about a fifth of the Crypt::Mode::CBC module (both which use compiled C). =head1 BUGS Please report them. =head1 AUTHOR Lincoln Stein, lstein@cshl.org This module is distributed under the ARTISTIC LICENSE v2 using the same terms as Perl itself. =head1 SEE ALSO perl(1), CryptX, Crypt::FileHandle, Crypt::Cipher::AES, Crypt::Blowfish, Crypt::CAST5, Crypt::DES, Crypt::IDEA, Crypt::Rijndael =cut