includes/clientside/static/rijndael.js
changeset 1 fe660c52c48f
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/includes/clientside/static/rijndael.js	Wed Jun 13 16:07:17 2007 -0400
@@ -0,0 +1,579 @@
+/* rijndael.js      Rijndael Reference Implementation
+   Copyright (c) 2001 Fritz Schneider
+ 
+ This software is provided as-is, without express or implied warranty.  
+ Permission to use, copy, modify, distribute or sell this software, with or
+ without fee, for any purpose and by any individual or organization, is hereby
+ granted, provided that the above copyright notice and this paragraph appear 
+ in all copies. Distribution as a part of an application or binary must
+ include the above copyright notice in the documentation and/or other materials
+ provided with the application or distribution.
+
+
+   As the above disclaimer notes, you are free to use this code however you
+   want. However, I would request that you send me an email 
+   (fritz /at/ cs /dot/ ucsd /dot/ edu) to say hi if you find this code useful
+   or instructional. Seeing that people are using the code acts as 
+   encouragement for me to continue development. If you *really* want to thank
+   me you can buy the book I wrote with Thomas Powell, _JavaScript:
+   _The_Complete_Reference_ :)
+
+   This code is an UNOPTIMIZED REFERENCE implementation of Rijndael. 
+   If there is sufficient interest I can write an optimized (word-based, 
+   table-driven) version, although you might want to consider using a 
+   compiled language if speed is critical to your application. As it stands,
+   one run of the monte carlo test (10,000 encryptions) can take up to 
+   several minutes, depending upon your processor. You shouldn't expect more
+   than a few kilobytes per second in throughput.
+
+   Also note that there is very little error checking in these functions. 
+   Doing proper error checking is always a good idea, but the ideal 
+   implementation (using the instanceof operator and exceptions) requires
+   IE5+/NS6+, and I've chosen to implement this code so that it is compatible
+   with IE4/NS4. 
+
+   And finally, because JavaScript doesn't have an explicit byte/char data 
+   type (although JavaScript 2.0 most likely will), when I refer to "byte" 
+   in this code I generally mean "32 bit integer with value in the interval 
+   [0,255]" which I treat as a byte.
+
+   See http://www-cse.ucsd.edu/~fritz/rijndael.html for more documentation
+   of the (very simple) API provided by this code.
+
+                                               Fritz Schneider
+                                               fritz at cs.ucsd.edu
+ 
+*/
+
+// Rijndael parameters --  Valid values are 128, 192, or 256
+
+var keySizeInBits =   ( typeof AES_BITS == 'number' ) ? AES_BITS : 128;
+var blockSizeInBits = ( typeof AES_BLOCKSIZE == 'number' ) ? AES_BLOCKSIZE : 128;
+
+///////  You shouldn't have to modify anything below this line except for
+///////  the function getRandomBytes().
+//
+// Note: in the following code the two dimensional arrays are indexed as
+//       you would probably expect, as array[row][column]. The state arrays
+//       are 2d arrays of the form state[4][Nb].
+
+
+// The number of rounds for the cipher, indexed by [Nk][Nb]
+var roundsArray = [ ,,,,[,,,,10,, 12,, 14],, 
+                        [,,,,12,, 12,, 14],, 
+                        [,,,,14,, 14,, 14] ];
+
+// The number of bytes to shift by in shiftRow, indexed by [Nb][row]
+var shiftOffsets = [ ,,,,[,1, 2, 3],,[,1, 2, 3],,[,1, 3, 4] ];
+
+// The round constants used in subkey expansion
+var Rcon = [ 
+0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 
+0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 
+0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 
+0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 
+0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91 ];
+
+// Precomputed lookup table for the SBox
+var SBox = [
+ 99, 124, 119, 123, 242, 107, 111, 197,  48,   1, 103,  43, 254, 215, 171, 
+118, 202, 130, 201, 125, 250,  89,  71, 240, 173, 212, 162, 175, 156, 164, 
+114, 192, 183, 253, 147,  38,  54,  63, 247, 204,  52, 165, 229, 241, 113, 
+216,  49,  21,   4, 199,  35, 195,  24, 150,   5, 154,   7,  18, 128, 226, 
+235,  39, 178, 117,   9, 131,  44,  26,  27, 110,  90, 160,  82,  59, 214, 
+179,  41, 227,  47, 132,  83, 209,   0, 237,  32, 252, 177,  91, 106, 203, 
+190,  57,  74,  76,  88, 207, 208, 239, 170, 251,  67,  77,  51, 133,  69, 
+249,   2, 127,  80,  60, 159, 168,  81, 163,  64, 143, 146, 157,  56, 245, 
+188, 182, 218,  33,  16, 255, 243, 210, 205,  12,  19, 236,  95, 151,  68,  
+23,  196, 167, 126,  61, 100,  93,  25, 115,  96, 129,  79, 220,  34,  42, 
+144, 136,  70, 238, 184,  20, 222,  94,  11, 219, 224,  50,  58,  10,  73,
+  6,  36,  92, 194, 211, 172,  98, 145, 149, 228, 121, 231, 200,  55, 109, 
+141, 213,  78, 169, 108,  86, 244, 234, 101, 122, 174,   8, 186, 120,  37,  
+ 46,  28, 166, 180, 198, 232, 221, 116,  31,  75, 189, 139, 138, 112,  62, 
+181, 102,  72,   3, 246,  14,  97,  53,  87, 185, 134, 193,  29, 158, 225,
+248, 152,  17, 105, 217, 142, 148, 155,  30, 135, 233, 206,  85,  40, 223,
+140, 161, 137,  13, 191, 230,  66, 104,  65, 153,  45,  15, 176,  84, 187,  
+ 22 ];
+
+// Precomputed lookup table for the inverse SBox
+var SBoxInverse = [
+ 82,   9, 106, 213,  48,  54, 165,  56, 191,  64, 163, 158, 129, 243, 215, 
+251, 124, 227,  57, 130, 155,  47, 255, 135,  52, 142,  67,  68, 196, 222, 
+233, 203,  84, 123, 148,  50, 166, 194,  35,  61, 238,  76, 149,  11,  66, 
+250, 195,  78,   8,  46, 161, 102,  40, 217,  36, 178, 118,  91, 162,  73, 
+109, 139, 209,  37, 114, 248, 246, 100, 134, 104, 152,  22, 212, 164,  92, 
+204,  93, 101, 182, 146, 108, 112,  72,  80, 253, 237, 185, 218,  94,  21,  
+ 70,  87, 167, 141, 157, 132, 144, 216, 171,   0, 140, 188, 211,  10, 247, 
+228,  88,   5, 184, 179,  69,   6, 208,  44,  30, 143, 202,  63,  15,   2, 
+193, 175, 189,   3,   1,  19, 138, 107,  58, 145,  17,  65,  79, 103, 220, 
+234, 151, 242, 207, 206, 240, 180, 230, 115, 150, 172, 116,  34, 231, 173,
+ 53, 133, 226, 249,  55, 232,  28, 117, 223, 110,  71, 241,  26, 113,  29, 
+ 41, 197, 137, 111, 183,  98,  14, 170,  24, 190,  27, 252,  86,  62,  75, 
+198, 210, 121,  32, 154, 219, 192, 254, 120, 205,  90, 244,  31, 221, 168,
+ 51, 136,   7, 199,  49, 177,  18,  16,  89,  39, 128, 236,  95,  96,  81,
+127, 169,  25, 181,  74,  13,  45, 229, 122, 159, 147, 201, 156, 239, 160,
+224,  59,  77, 174,  42, 245, 176, 200, 235, 187,  60, 131,  83, 153,  97, 
+ 23,  43,   4, 126, 186, 119, 214,  38, 225, 105,  20,  99,  85,  33,  12,
+125 ];
+
+function str_split(string, chunklen)
+{
+  if(!chunklen) chunklen = 1;
+  ret = new Array();
+  for ( i = 0; i < string.length; i+=chunklen )
+  {
+    ret[ret.length] = string.slice(i, i+chunklen);
+  }
+  return ret;
+}
+
+// This method circularly shifts the array left by the number of elements
+// given in its parameter. It returns the resulting array and is used for 
+// the ShiftRow step. Note that shift() and push() could be used for a more 
+// elegant solution, but they require IE5.5+, so I chose to do it manually. 
+
+function cyclicShiftLeft(theArray, positions) {
+  var temp = theArray.slice(0, positions);
+  theArray = theArray.slice(positions).concat(temp);
+  return theArray;
+}
+
+// Cipher parameters ... do not change these
+var Nk = keySizeInBits / 32;                   
+var Nb = blockSizeInBits / 32;
+var Nr = roundsArray[Nk][Nb];
+
+// Multiplies the element "poly" of GF(2^8) by x. See the Rijndael spec.
+
+function xtime(poly) {
+  poly <<= 1;
+  return ((poly & 0x100) ? (poly ^ 0x11B) : (poly));
+}
+
+// Multiplies the two elements of GF(2^8) together and returns the result.
+// See the Rijndael spec, but should be straightforward: for each power of
+// the indeterminant that has a 1 coefficient in x, add y times that power
+// to the result. x and y should be bytes representing elements of GF(2^8)
+
+function mult_GF256(x, y) {
+  var bit, result = 0;
+  
+  for (bit = 1; bit < 256; bit *= 2, y = xtime(y)) {
+    if (x & bit) 
+      result ^= y;
+  }
+  return result;
+}
+
+// Performs the substitution step of the cipher. State is the 2d array of
+// state information (see spec) and direction is string indicating whether
+// we are performing the forward substitution ("encrypt") or inverse 
+// substitution (anything else)
+
+function byteSub(state, direction) {
+  var S;
+  if (direction == "encrypt")           // Point S to the SBox we're using
+    S = SBox;
+  else
+    S = SBoxInverse;
+  for (var i = 0; i < 4; i++)           // Substitute for every byte in state
+    for (var j = 0; j < Nb; j++)
+       state[i][j] = S[state[i][j]];
+}
+
+// Performs the row shifting step of the cipher.
+
+function shiftRow(state, direction) {
+  for (var i=1; i<4; i++)               // Row 0 never shifts
+    if (direction == "encrypt")
+       state[i] = cyclicShiftLeft(state[i], shiftOffsets[Nb][i]);
+    else
+       state[i] = cyclicShiftLeft(state[i], Nb - shiftOffsets[Nb][i]);
+
+}
+
+// Performs the column mixing step of the cipher. Most of these steps can
+// be combined into table lookups on 32bit values (at least for encryption)
+// to greatly increase the speed. 
+
+function mixColumn(state, direction) {
+  var b = [];                            // Result of matrix multiplications
+  for (var j = 0; j < Nb; j++) {         // Go through each column...
+    for (var i = 0; i < 4; i++) {        // and for each row in the column...
+      if (direction == "encrypt")
+        b[i] = mult_GF256(state[i][j], 2) ^          // perform mixing
+               mult_GF256(state[(i+1)%4][j], 3) ^ 
+               state[(i+2)%4][j] ^ 
+               state[(i+3)%4][j];
+      else 
+        b[i] = mult_GF256(state[i][j], 0xE) ^ 
+               mult_GF256(state[(i+1)%4][j], 0xB) ^
+               mult_GF256(state[(i+2)%4][j], 0xD) ^
+               mult_GF256(state[(i+3)%4][j], 9);
+    }
+    for (var i = 0; i < 4; i++)          // Place result back into column
+      state[i][j] = b[i];
+  }
+}
+
+// Adds the current round key to the state information. Straightforward.
+
+function addRoundKey(state, roundKey) {
+  for (var j = 0; j < Nb; j++) {                 // Step through columns...
+    state[0][j] ^= (roundKey[j] & 0xFF);         // and XOR
+    state[1][j] ^= ((roundKey[j]>>8) & 0xFF);
+    state[2][j] ^= ((roundKey[j]>>16) & 0xFF);
+    state[3][j] ^= ((roundKey[j]>>24) & 0xFF);
+  }
+}
+
+// This function creates the expanded key from the input (128/192/256-bit)
+// key. The parameter key is an array of bytes holding the value of the key.
+// The returned value is an array whose elements are the 32-bit words that 
+// make up the expanded key.
+
+function keyExpansion(key) {
+  var expandedKey = new Array();
+  var temp;
+
+  // in case the key size or parameters were changed...
+  Nk = keySizeInBits / 32;                   
+  Nb = blockSizeInBits / 32;
+  Nr = roundsArray[Nk][Nb];
+
+  for (var j=0; j < Nk; j++)     // Fill in input key first
+    expandedKey[j] = 
+      (key[4*j]) | (key[4*j+1]<<8) | (key[4*j+2]<<16) | (key[4*j+3]<<24);
+
+  // Now walk down the rest of the array filling in expanded key bytes as
+  // per Rijndael's spec
+  for (j = Nk; j < Nb * (Nr + 1); j++) {    // For each word of expanded key
+    temp = expandedKey[j - 1];
+    if (j % Nk == 0) 
+      temp = ( (SBox[(temp>>8) & 0xFF]) |
+               (SBox[(temp>>16) & 0xFF]<<8) |
+               (SBox[(temp>>24) & 0xFF]<<16) |
+               (SBox[temp & 0xFF]<<24) ) ^ Rcon[Math.floor(j / Nk) - 1];
+    else if (Nk > 6 && j % Nk == 4)
+      temp = (SBox[(temp>>24) & 0xFF]<<24) |
+             (SBox[(temp>>16) & 0xFF]<<16) |
+             (SBox[(temp>>8) & 0xFF]<<8) |
+             (SBox[temp & 0xFF]);
+    expandedKey[j] = expandedKey[j-Nk] ^ temp;
+  }
+  return expandedKey;
+}
+
+// Rijndael's round functions... 
+
+function Round(state, roundKey) {
+  byteSub(state, "encrypt");
+  shiftRow(state, "encrypt");
+  mixColumn(state, "encrypt");
+  addRoundKey(state, roundKey);
+}
+
+function InverseRound(state, roundKey) {
+  addRoundKey(state, roundKey);
+  mixColumn(state, "decrypt");
+  shiftRow(state, "decrypt");
+  byteSub(state, "decrypt");
+}
+
+function FinalRound(state, roundKey) {
+  byteSub(state, "encrypt");
+  shiftRow(state, "encrypt");
+  addRoundKey(state, roundKey);
+}
+
+function InverseFinalRound(state, roundKey){
+  addRoundKey(state, roundKey);
+  shiftRow(state, "decrypt");
+  byteSub(state, "decrypt");  
+}
+
+// encrypt is the basic encryption function. It takes parameters
+// block, an array of bytes representing a plaintext block, and expandedKey,
+// an array of words representing the expanded key previously returned by
+// keyExpansion(). The ciphertext block is returned as an array of bytes.
+
+function encrypt(block, expandedKey) {
+  var i;  
+  if (!block || block.length*8 != blockSizeInBits)
+     return; 
+  if (!expandedKey)
+     return;
+
+  block = packBytes(block);
+  addRoundKey(block, expandedKey);
+  for (i=1; i<Nr; i++) 
+    Round(block, expandedKey.slice(Nb*i, Nb*(i+1)));
+  FinalRound(block, expandedKey.slice(Nb*Nr)); 
+  return unpackBytes(block);
+}
+
+// decrypt is the basic decryption function. It takes parameters
+// block, an array of bytes representing a ciphertext block, and expandedKey,
+// an array of words representing the expanded key previously returned by
+// keyExpansion(). The decrypted block is returned as an array of bytes.
+
+function decrypt(block, expandedKey) {
+  var i;
+  if (!block || block.length*8 != blockSizeInBits)
+     return;
+  if (!expandedKey)
+     return;
+
+  block = packBytes(block);
+  InverseFinalRound(block, expandedKey.slice(Nb*Nr)); 
+  for (i = Nr - 1; i>0; i--) 
+    InverseRound(block, expandedKey.slice(Nb*i, Nb*(i+1)));
+  addRoundKey(block, expandedKey);
+  return unpackBytes(block);
+}
+
+// This method takes a byte array (byteArray) and converts it to a string by
+// applying String.fromCharCode() to each value and concatenating the result.
+// The resulting string is returned. Note that this function SKIPS zero bytes
+// under the assumption that they are padding added in formatPlaintext().
+// Obviously, do not invoke this method on raw data that can contain zero
+// bytes. It is really only appropriate for printable ASCII/Latin-1 
+// values. Roll your own function for more robust functionality :)
+
+function byteArrayToString(byteArray) {
+  var result = "";
+  for(var i=0; i<byteArray.length; i++)
+    if (byteArray[i] != 0) 
+      result += String.fromCharCode(byteArray[i]);
+  return result;
+}
+
+// This function takes an array of bytes (byteArray) and converts them
+// to a hexadecimal string. Array element 0 is found at the beginning of 
+// the resulting string, high nibble first. Consecutive elements follow
+// similarly, for example [16, 255] --> "10ff". The function returns a 
+// string.
+
+function byteArrayToHex(byteArray) {
+  var result = "";
+  if (!byteArray)
+    return;
+  for (var i=0; i<byteArray.length; i++)
+    result += ((byteArray[i]<16) ? "0" : "") + byteArray[i].toString(16);
+
+  return result;
+}
+
+// This function converts a string containing hexadecimal digits to an 
+// array of bytes. The resulting byte array is filled in the order the
+// values occur in the string, for example "10FF" --> [16, 255]. This
+// function returns an array. 
+
+function hexToByteArray(hexString) {
+  /*
+  var byteArray = [];
+  if (hexString.length % 2)             // must have even length
+    return;
+  if (hexString.indexOf("0x") == 0 || hexString.indexOf("0X") == 0)
+    hexString = hexString.substring(2);
+  for (var i = 0; i<hexString.length; i += 2) 
+    byteArray[Math.floor(i/2)] = parseInt(hexString.slice(i, i+2), 16);
+  return byteArray;
+  */
+  var bytes = new Array();
+  hexString = str_split(hexString, 2);
+  //alert(hexString.toString());
+  //return false;
+  for( var i in hexString )
+  {
+    bytes[bytes.length] = parseInt(hexString[i], 16);
+  }
+  //alert(bytes.toString());
+  return bytes;
+}
+
+// This function packs an array of bytes into the four row form defined by
+// Rijndael. It assumes the length of the array of bytes is divisible by
+// four. Bytes are filled in according to the Rijndael spec (starting with
+// column 0, row 0 to 3). This function returns a 2d array.
+
+function packBytes(octets) {
+  var state = new Array();
+  if (!octets || octets.length % 4)
+    return;
+
+  state[0] = new Array();  state[1] = new Array(); 
+  state[2] = new Array();  state[3] = new Array();
+  for (var j=0; j<octets.length; j+= 4) {
+     state[0][j/4] = octets[j];
+     state[1][j/4] = octets[j+1];
+     state[2][j/4] = octets[j+2];
+     state[3][j/4] = octets[j+3];
+  }
+  return state;  
+}
+
+// This function unpacks an array of bytes from the four row format preferred
+// by Rijndael into a single 1d array of bytes. It assumes the input "packed"
+// is a packed array. Bytes are filled in according to the Rijndael spec. 
+// This function returns a 1d array of bytes.
+
+function unpackBytes(packed) {
+  var result = new Array();
+  for (var j=0; j<packed[0].length; j++) {
+    result[result.length] = packed[0][j];
+    result[result.length] = packed[1][j];
+    result[result.length] = packed[2][j];
+    result[result.length] = packed[3][j];
+  }
+  return result;
+}
+
+// This function takes a prospective plaintext (string or array of bytes)
+// and pads it with zero bytes if its length is not a multiple of the block 
+// size. If plaintext is a string, it is converted to an array of bytes
+// in the process. The type checking can be made much nicer using the 
+// instanceof operator, but this operator is not available until IE5.0 so I 
+// chose to use the heuristic below. 
+
+function formatPlaintext(plaintext) {
+  var bpb = blockSizeInBits / 8;               // bytes per block
+  var i;
+
+  // if primitive string or String instance
+  if (typeof plaintext == "string" || plaintext.split) {
+    // alert('AUUGH you idiot it\'s NOT A STRING ITS A '+typeof(plaintext)+'!!!');
+    // return false;
+    plaintext = plaintext.split("");
+    // Unicode issues here (ignoring high byte)
+    for (i=0; i<plaintext.length; i++)
+      plaintext[i] = plaintext[i].charCodeAt(0) & 0xFF;
+  } 
+
+  for (i = bpb - (plaintext.length % bpb); i > 0 && i < bpb; i--) 
+    plaintext[plaintext.length] = 0;
+  
+  return plaintext;
+}
+
+// Returns an array containing "howMany" random bytes. YOU SHOULD CHANGE THIS
+// TO RETURN HIGHER QUALITY RANDOM BYTES IF YOU ARE USING THIS FOR A "REAL"
+// APPLICATION.
+
+function getRandomBytes(howMany) {
+  var i;
+  var bytes = new Array();
+  for (i=0; i<howMany; i++)
+    bytes[i] = Math.round(Math.random()*255);
+  return bytes;
+}
+
+// rijndaelEncrypt(plaintext, key, mode)
+// Encrypts the plaintext using the given key and in the given mode. 
+// The parameter "plaintext" can either be a string or an array of bytes. 
+// The parameter "key" must be an array of key bytes. If you have a hex 
+// string representing the key, invoke hexToByteArray() on it to convert it 
+// to an array of bytes. The third parameter "mode" is a string indicating
+// the encryption mode to use, either "ECB" or "CBC". If the parameter is
+// omitted, ECB is assumed.
+// 
+// An array of bytes representing the cihpertext is returned. To convert 
+// this array to hex, invoke byteArrayToHex() on it. If you are using this 
+// "for real" it is a good idea to change the function getRandomBytes() to 
+// something that returns truly random bits.
+
+function rijndaelEncrypt(plaintext, key, mode) {
+  var expandedKey, i, aBlock;
+  var bpb = blockSizeInBits / 8;          // bytes per block
+  var ct;                                 // ciphertext
+
+  if (typeof plaintext != 'object' || typeof key != 'object')
+  {
+    alert( 'Invalid params\nplaintext: '+typeof(plaintext)+'\nkey: '+typeof(key) );
+    return false;
+  }
+  if (key.length*8 == keySizeInBits+8)
+    key.length = keySizeInBits / 8;
+  if (key.length*8 != keySizeInBits)
+  {
+    alert( 'Key length is bad!\nLength: '+key.length+'\nExpected: '+keySizeInBits / 8 );
+    return false;
+  }
+  if (mode == "CBC")
+    ct = getRandomBytes(bpb);             // get IV
+  else {
+    mode = "ECB";
+    ct = new Array();
+  }
+
+  // convert plaintext to byte array and pad with zeros if necessary. 
+  plaintext = formatPlaintext(plaintext);
+
+  expandedKey = keyExpansion(key);
+  
+  for (var block=0; block<plaintext.length / bpb; block++) {
+    aBlock = plaintext.slice(block*bpb, (block+1)*bpb);
+    if (mode == "CBC")
+      for (var i=0; i<bpb; i++) 
+        aBlock[i] ^= ct[block*bpb + i];
+    ct = ct.concat(encrypt(aBlock, expandedKey));
+  }
+
+  return ct;
+}
+
+// rijndaelDecrypt(ciphertext, key, mode)
+// Decrypts the using the given key and mode. The parameter "ciphertext" 
+// must be an array of bytes. The parameter "key" must be an array of key 
+// bytes. If you have a hex string representing the ciphertext or key, 
+// invoke hexToByteArray() on it to convert it to an array of bytes. The
+// parameter "mode" is a string, either "CBC" or "ECB".
+// 
+// An array of bytes representing the plaintext is returned. To convert 
+// this array to a hex string, invoke byteArrayToHex() on it. To convert it 
+// to a string of characters, you can use byteArrayToString().
+
+function rijndaelDecrypt(ciphertext, key, mode) {
+  var expandedKey;
+  var bpb = blockSizeInBits / 8;          // bytes per block
+  var pt = new Array();                   // plaintext array
+  var aBlock;                             // a decrypted block
+  var block;                              // current block number
+
+  if (!ciphertext || !key || typeof ciphertext == "string")
+    return;
+  if (key.length*8 != keySizeInBits)
+    return; 
+  if (!mode)
+    mode = "ECB";                         // assume ECB if mode omitted
+
+  expandedKey = keyExpansion(key);
+ 
+  // work backwards to accomodate CBC mode 
+  for (block=(ciphertext.length / bpb)-1; block>0; block--) {
+    aBlock = 
+     decrypt(ciphertext.slice(block*bpb,(block+1)*bpb), expandedKey);
+    if (mode == "CBC") 
+      for (var i=0; i<bpb; i++) 
+        pt[(block-1)*bpb + i] = aBlock[i] ^ ciphertext[(block-1)*bpb + i];
+    else 
+      pt = aBlock.concat(pt);
+  }
+
+  // do last block if ECB (skips the IV in CBC)
+  if (mode == "ECB")
+    pt = decrypt(ciphertext.slice(0, bpb), expandedKey).concat(pt);
+
+  return pt;
+}
+
+function stringToByteArray(text)
+{
+  result = new Array();
+  for ( i=0; i<text.length; i++ )
+  {
+    result[result.length] = text.charCodeAt(i);
+  }
+  return result;
+}
+