cyberchef 9.36.1 → 9.37.2

package/CHANGELOG.md

@@ -13,6 +13,10 @@ All major and minor version changes will be documented in this file. Details of
 
 ## Details
 
+### [9.37.0] - 2022-03-29
+- 'SM4 Encrypt' and 'SM4 Decrypt' operations added [@swesven] | [#1189]
+- NoPadding options added for CBC and ECB modes in AES, DES and Triple DES Decrypt operations [@swesven] | [#1189]
+
 ### [9.36.0] - 2022-03-29
 - 'SIGABA' operation added [@hettysymes] | [#934]
 
@@ -284,6 +288,7 @@ All major and minor version changes will be documented in this file. Details of
 
 
 
+[9.37.0]: https://github.com/gchq/CyberChef/releases/tag/v9.37.0
 [9.36.0]: https://github.com/gchq/CyberChef/releases/tag/v9.36.0
 [9.35.0]: https://github.com/gchq/CyberChef/releases/tag/v9.35.0
 [9.34.0]: https://github.com/gchq/CyberChef/releases/tag/v9.34.0
@@ -404,6 +409,7 @@ All major and minor version changes will be documented in this file. Details of
 [@john19696]: https://github.com/john19696
 [@t-8ch]: https://github.com/t-8ch
 [@hettysymes]: https://github.com/hettysymes
+[@swesven]: https://github.com/swesven
 
 [8ad18b]: https://github.com/gchq/CyberChef/commit/8ad18bc7db6d9ff184ba3518686293a7685bf7b7
 [9a33498]: https://github.com/gchq/CyberChef/commit/9a33498fed26a8df9c9f35f39a78a174bf50a513
@@ -492,6 +498,7 @@ All major and minor version changes will be documented in this file. Details of
 [#1049]: https://github.com/gchq/CyberChef/pull/1049
 [#1065]: https://github.com/gchq/CyberChef/pull/1065
 [#1083]: https://github.com/gchq/CyberChef/pull/1083
+[#1189]: https://github.com/gchq/CyberChef/pull/1189
 [#1242]: https://github.com/gchq/CyberChef/pull/1242
 [#1244]: https://github.com/gchq/CyberChef/pull/1244
 [#1313]: https://github.com/gchq/CyberChef/pull/1313

package/nightwatch.json

@@ -10,11 +10,12 @@
         "start_process": true,
         "server_path": "./node_modules/.bin/chromedriver",
         "port": 9515,
-        "log_path": false
+        "log_path": "tests/browser/output"
       },
       "desiredCapabilities": {
         "browserName": "chrome"
-      }
+      },
+      "enable_fail_fast": true
     },
 
     "dev": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cyberchef",
-  "version": "9.36.1",
+  "version": "9.37.2",
   "description": "The Cyber Swiss Army Knife for encryption, encoding, compression and data analysis.",
   "author": "n1474335 <n1474335@gmail.com>",
   "homepage": "https://gchq.github.io/CyberChef",

package/src/core/Utils.mjs

@@ -723,8 +723,8 @@ class Utils {
         }
 
         if (removeScriptAndStyle) {
-            htmlStr = recursiveRemove(/<script[^>]*>.*?<\/script>/gi, htmlStr);
-            htmlStr = recursiveRemove(/<style[^>]*>.*?<\/style>/gi, htmlStr);
+            htmlStr = recursiveRemove(/<script[^>]*>.*?<\/script[^>]*>/gi, htmlStr);
+            htmlStr = recursiveRemove(/<style[^>]*>.*?<\/style[^>]*>/gi, htmlStr);
         }
         return htmlStr.replace(/<[^>]+>/g, "");
     }

package/src/core/config/Categories.json

@@ -83,6 +83,8 @@
             "RC2 Decrypt",
             "RC4",
             "RC4 Drop",
+            "SM4 Encrypt",
+            "SM4 Decrypt",
             "ROT13",
             "ROT47",
             "XOR",

package/src/core/config/OperationConfig.json

@@ -115,7 +115,7 @@
     },
     "AES Decrypt": {
         "module": "Ciphers",
-        "description": "Advanced Encryption Standard (AES) is a U.S. Federal Information Processing Standard (FIPS). It was selected after a 5-year process where 15 competing designs were evaluated.<br><br><b>Key:</b> The following algorithms will be used based on the size of the key:<ul><li>16 bytes = AES-128</li><li>24 bytes = AES-192</li><li>32 bytes = AES-256</li></ul><br><br><b>IV:</b> The Initialization Vector should be 16 bytes long. If not entered, it will default to 16 null bytes.<br><br><b>Padding:</b> In CBC and ECB mode, PKCS#7 padding will be used.<br><br><b>GCM Tag:</b> This field is ignored unless 'GCM' mode is used.",
+        "description": "Advanced Encryption Standard (AES) is a U.S. Federal Information Processing Standard (FIPS). It was selected after a 5-year process where 15 competing designs were evaluated.<br><br><b>Key:</b> The following algorithms will be used based on the size of the key:<ul><li>16 bytes = AES-128</li><li>24 bytes = AES-192</li><li>32 bytes = AES-256</li></ul><br><br><b>IV:</b> The Initialization Vector should be 16 bytes long. If not entered, it will default to 16 null bytes.<br><br><b>Padding:</b> In CBC and ECB mode, PKCS#7 padding will be used as a default.<br><br><b>GCM Tag:</b> This field is ignored unless 'GCM' mode is used.",
         "infoURL": "https://wikipedia.org/wiki/Advanced_Encryption_Standard",
         "inputType": "string",
         "outputType": "string",
@@ -189,6 +189,20 @@
                             5,
                             6
                         ]
+                    },
+                    {
+                        "name": "CBC/NoPadding",
+                        "off": [
+                            5,
+                            6
+                        ]
+                    },
+                    {
+                        "name": "ECB/NoPadding",
+                        "off": [
+                            5,
+                            6
+                        ]
                     }
                 ]
             },
@@ -3378,7 +3392,7 @@
     },
     "DES Decrypt": {
         "module": "Ciphers",
-        "description": "DES is a previously dominant algorithm for encryption, and was published as an official U.S. Federal Information Processing Standard (FIPS). It is now considered to be insecure due to its small key size.<br><br><b>Key:</b> DES uses a key length of 8 bytes (64 bits).<br>Triple DES uses a key length of 24 bytes (192 bits).<br><br><b>IV:</b> The Initialization Vector should be 8 bytes long. If not entered, it will default to 8 null bytes.<br><br><b>Padding:</b> In CBC and ECB mode, PKCS#7 padding will be used.",
+        "description": "DES is a previously dominant algorithm for encryption, and was published as an official U.S. Federal Information Processing Standard (FIPS). It is now considered to be insecure due to its small key size.<br><br><b>Key:</b> DES uses a key length of 8 bytes (64 bits).<br>Triple DES uses a key length of 24 bytes (192 bits).<br><br><b>IV:</b> The Initialization Vector should be 8 bytes long. If not entered, it will default to 8 null bytes.<br><br><b>Padding:</b> In CBC and ECB mode, PKCS#7 padding will be used as a default.",
         "infoURL": "https://wikipedia.org/wiki/Data_Encryption_Standard",
         "inputType": "string",
         "outputType": "string",
@@ -3415,7 +3429,9 @@
                     "CFB",
                     "OFB",
                     "CTR",
-                    "ECB"
+                    "ECB",
+                    "CBC/NoPadding",
+                    "ECB/NoPadding"
                 ]
             },
             {
@@ -9859,9 +9875,9 @@
                 ]
             },
             {
-                "name": "Number of bytes to drop",
+                "name": "Number of dwords to drop",
                 "type": "number",
-                "value": 768
+                "value": 192
             }
         ]
     },
@@ -11874,6 +11890,128 @@
             }
         ]
     },
+    "SM4 Decrypt": {
+        "module": "Ciphers",
+        "description": "SM4 is a 128-bit block cipher, currently established as a national standard (GB/T 32907-2016) of China.",
+        "infoURL": "https://wikipedia.org/wiki/SM4_(cipher)",
+        "inputType": "string",
+        "outputType": "string",
+        "flowControl": false,
+        "manualBake": false,
+        "args": [
+            {
+                "name": "Key",
+                "type": "toggleString",
+                "value": "",
+                "toggleValues": [
+                    "Hex",
+                    "UTF8",
+                    "Latin1",
+                    "Base64"
+                ]
+            },
+            {
+                "name": "IV",
+                "type": "toggleString",
+                "value": "",
+                "toggleValues": [
+                    "Hex",
+                    "UTF8",
+                    "Latin1",
+                    "Base64"
+                ]
+            },
+            {
+                "name": "Mode",
+                "type": "option",
+                "value": [
+                    "CBC",
+                    "CFB",
+                    "OFB",
+                    "CTR",
+                    "ECB",
+                    "CBC/NoPadding",
+                    "ECB/NoPadding"
+                ]
+            },
+            {
+                "name": "Input",
+                "type": "option",
+                "value": [
+                    "Raw",
+                    "Hex"
+                ]
+            },
+            {
+                "name": "Output",
+                "type": "option",
+                "value": [
+                    "Hex",
+                    "Raw"
+                ]
+            }
+        ]
+    },
+    "SM4 Encrypt": {
+        "module": "Ciphers",
+        "description": "SM4 is a 128-bit block cipher, currently established as a national standard (GB/T 32907-2016) of China. Multiple block cipher modes are supported. When using CBC or ECB mode, the PKCS#7 padding scheme is used.",
+        "infoURL": "https://wikipedia.org/wiki/SM4_(cipher)",
+        "inputType": "string",
+        "outputType": "string",
+        "flowControl": false,
+        "manualBake": false,
+        "args": [
+            {
+                "name": "Key",
+                "type": "toggleString",
+                "value": "",
+                "toggleValues": [
+                    "Hex",
+                    "UTF8",
+                    "Latin1",
+                    "Base64"
+                ]
+            },
+            {
+                "name": "IV",
+                "type": "toggleString",
+                "value": "",
+                "toggleValues": [
+                    "Hex",
+                    "UTF8",
+                    "Latin1",
+                    "Base64"
+                ]
+            },
+            {
+                "name": "Mode",
+                "type": "option",
+                "value": [
+                    "CBC",
+                    "CFB",
+                    "OFB",
+                    "CTR",
+                    "ECB"
+                ]
+            },
+            {
+                "name": "Input",
+                "type": "option",
+                "value": [
+                    "Raw",
+                    "Hex"
+                ]
+            },
+            {
+                "name": "Output",
+                "type": "option",
+                "value": [
+                    "Hex",
+                    "Raw"
+                ]
+            }
+        ]
+    },
     "SQL Beautify": {
         "module": "Code",
         "description": "Indents and prettifies Structured Query Language (SQL) code.",
@@ -15066,7 +15204,7 @@
     },
     "Triple DES Decrypt": {
         "module": "Ciphers",
-        "description": "Triple DES applies DES three times to each block to increase key size.<br><br><b>Key:</b> Triple DES uses a key length of 24 bytes (192 bits).<br>DES uses a key length of 8 bytes (64 bits).<br><br><b>IV:</b> The Initialization Vector should be 8 bytes long. If not entered, it will default to 8 null bytes.<br><br><b>Padding:</b> In CBC and ECB mode, PKCS#7 padding will be used.",
+        "description": "Triple DES applies DES three times to each block to increase key size.<br><br><b>Key:</b> Triple DES uses a key length of 24 bytes (192 bits).<br>DES uses a key length of 8 bytes (64 bits).<br><br><b>IV:</b> The Initialization Vector should be 8 bytes long. If not entered, it will default to 8 null bytes.<br><br><b>Padding:</b> In CBC and ECB mode, PKCS#7 padding will be used as a default.",
         "infoURL": "https://wikipedia.org/wiki/Triple_DES",
         "inputType": "string",
         "outputType": "string",
@@ -15103,7 +15241,9 @@
                     "CFB",
                     "OFB",
                     "CTR",
-                    "ECB"
+                    "ECB",
+                    "CBC/NoPadding",
+                    "ECB/NoPadding"
                 ]
             },
             {

package/src/core/config/modules/Ciphers.mjs

@@ -32,6 +32,8 @@ import RSASign from "../../operations/RSASign.mjs";
 import RSAVerify from "../../operations/RSAVerify.mjs";
 import RailFenceCipherDecode from "../../operations/RailFenceCipherDecode.mjs";
 import RailFenceCipherEncode from "../../operations/RailFenceCipherEncode.mjs";
+import SM4Decrypt from "../../operations/SM4Decrypt.mjs";
+import SM4Encrypt from "../../operations/SM4Encrypt.mjs";
 import TripleDESDecrypt from "../../operations/TripleDESDecrypt.mjs";
 import TripleDESEncrypt from "../../operations/TripleDESEncrypt.mjs";
 import VigenèreDecode from "../../operations/VigenèreDecode.mjs";
@@ -67,6 +69,8 @@ OpModules.Ciphers = {
     "RSA Verify": RSAVerify,
     "Rail Fence Cipher Decode": RailFenceCipherDecode,
     "Rail Fence Cipher Encode": RailFenceCipherEncode,
+    "SM4 Decrypt": SM4Decrypt,
+    "SM4 Encrypt": SM4Encrypt,
     "Triple DES Decrypt": TripleDESDecrypt,
     "Triple DES Encrypt": TripleDESEncrypt,
     "Vigenère Decode": VigenèreDecode,

package/src/core/lib/SM4.mjs

@@ -0,0 +1,331 @@
+/**
+ * Complete implementation of SM4 cipher encryption/decryption with
+ * ECB, CBC, CFB, OFB, CTR block modes.
+ * These modes are specified in IETF draft-ribose-cfrg-sm4-09, see:
+ * https://tools.ietf.org/id/draft-ribose-cfrg-sm4-09.html
+ * for details.
+ *
+ * Follows spec from Cryptography Standardization Technical Comittee:
+ * http://www.gmbz.org.cn/upload/2018-04-04/1522788048733065051.pdf
+ *
+ * @author swesven
+ * @copyright 2021
+ * @license Apache-2.0
+ */
+
+import OperationError from "../errors/OperationError.mjs";
+
+/** Number of rounds */
+const NROUNDS = 32;
+
+/** block size in bytes */
+const BLOCKSIZE = 16;
+
+/** The S box, 256 8-bit values */
+const Sbox = [
+    0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05,
+    0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
+    0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62,
+    0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6,
+    0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8,
+    0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35,
+    0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87,
+    0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e,
+    0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1,
+    0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3,
+    0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f,
+    0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51,
+    0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8,
+    0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0,
+    0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84,
+    0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48
+];
+
+/** "Fixed parameter CK" used in key expansion */
+const CK = [
+    0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269,
+    0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9,
+    0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249,
+    0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9,
+    0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229,
+    0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299,
+    0xa0a7aeb5, 0xbcc3cad1, 0xd8dfe6ed, 0xf4fb0209,
+    0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279
+];
+
+/** "System parameter FK" */
+const FK = [0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc];
+
+/**
+ * Rotating 32-bit shift left
+ *
+ * (Note that although JS integers are stored in doubles and thus have 53 bits,
+ * the JS bitwise operations are 32-bit)
+ */
+function ROL(i, n) {
+    return (i << n) | (i >>> (32 - n));
+}
+
+/**
+ * Linear transformation L
+ *
+ * @param {integer} b - a 32 bit integer
+ */
+function transformL(b) {
+    /* Replace each of the 4 bytes in b with the value at its offset in the Sbox */
+    b = (Sbox[(b >>> 24) & 0xFF] << 24) | (Sbox[(b >>> 16) & 0xFF] << 16) |
+        (Sbox[(b >>> 8) & 0xFF] << 8) | Sbox[b & 0xFF];
+    /* circular rotate and xor */
+    return b ^ ROL(b, 2) ^ ROL(b, 10) ^ ROL(b, 18) ^ ROL(b, 24);
+}
+
+/**
+ * Linear transformation L'
+ *
+ * @param {integer} b - a 32 bit integer
+ */
+function transformLprime(b) {
+    /* Replace each of the 4 bytes in b with the value at its offset in the Sbox */
+    b = (Sbox[(b >>> 24) & 0xFF] << 24) | (Sbox[(b >>> 16) & 0xFF] << 16) |
+        (Sbox[(b >>> 8) & 0xFF] << 8) | Sbox[b & 0xFF];
+    return b ^ ROL(b, 13) ^ ROL(b, 23); /* circular rotate and XOR */
+}
+
+/**
+ * Initialize the round key
+ */
+function initSM4RoundKey(rawkey) {
+    const K = rawkey.map((a, i) => a ^ FK[i]);    /* K = rawkey ^ FK */
+    const roundKey = [];
+    for (let i = 0; i < 32; i++)
+        roundKey[i] = K[i + 4] = K[i] ^ transformLprime(K[i + 1] ^ K[i + 2] ^ K[i + 3] ^ CK[i]);
+    return roundKey;
+}
+
+/**
+ * Encrypts/decrypts a single block X (4 32-bit values) with a prepared round key.
+ *
+ * @param {intArray} X - A cleartext block.
+ * @param {intArray} roundKey - The round key from initSMRoundKey for encrypting (reversed for decrypting).
+ * @returns {byteArray} - The cipher text.
+ */
+function encryptBlockSM4(X, roundKey) {
+    for (let i = 0; i < NROUNDS; i++)
+        X[i + 4] = X[i] ^ transformL(X[i + 1] ^ X[i + 2] ^ X[i + 3] ^ roundKey[i]);
+    return [X[35], X[34], X[33], X[32]];
+}
+
+/**
+ * Takes 16 bytes from an offset in an array and returns an array of 4 32-bit Big-Endian values.
+ * (DataView won't work portably here as we need Big-Endian)
+ *
+ * @param {byteArray} bArray - the array of bytes
+ * @param {integer} offset - starting offset in the array; 15 bytes must follow it.
+ */
+function bytesToInts(bArray, offs=0) {
+    let offset = offs;
+    const A = (bArray[offset] << 24) | (bArray[offset + 1] << 16) | (bArray[offset + 2] << 8) | bArray[offset + 3];
+    offset += 4;
+    const B = (bArray[offset] << 24) | (bArray[offset + 1] << 16) | (bArray[offset + 2] << 8) | bArray[offset + 3];
+    offset += 4;
+    const C = (bArray[offset] << 24) | (bArray[offset + 1] << 16) | (bArray[offset + 2] << 8) | bArray[offset + 3];
+    offset += 4;
+    const D = (bArray[offset] << 24) | (bArray[offset + 1] << 16) | (bArray[offset + 2] << 8) | bArray[offset + 3];
+    return [A, B, C, D];
+}
+
+/**
+ * Inverse of bytesToInts above; takes an array of 32-bit integers and turns it into an array of bytes.
+ * Again, Big-Endian order.
+ */
+function intsToBytes(ints) {
+    const bArr = [];
+    for (let i = 0; i < ints.length; i++) {
+        bArr.push((ints[i] >> 24) & 0xFF);
+        bArr.push((ints[i] >> 16) & 0xFF);
+        bArr.push((ints[i] >> 8) & 0xFF);
+        bArr.push(ints[i] & 0xFF);
+    }
+    return bArr;
+}
+
+/**
+ * Encrypt using SM4 using a given block cipher mode.
+ *
+ * @param {byteArray} message - The clear text message; any length under 32 Gb or so.
+ * @param {byteArray} key - The cipher key, 16 bytes.
+ * @param {byteArray} iv - The IV or nonce, 16 bytes (not used with ECB mode)
+ * @param {string} mode - The block cipher mode "CBC", "ECB", "CFB", "OFB", "CTR".
+ * @param {boolean} noPadding - Don't add PKCS#7 padding if set.
+ * @returns {byteArray} - The cipher text.
+ */
+export function encryptSM4(message, key, iv, mode="ECB", noPadding=false) {
+    const messageLength = message.length;
+    if (messageLength === 0)
+        return [];
+    const roundKey = initSM4RoundKey(bytesToInts(key, 0));
+
+    /* Pad with PKCS#7 if requested for ECB/CBC else add zeroes (which are sliced off at the end) */
+    let padByte = 0;
+    let nPadding = 16 - (message.length & 0xF);
+    if (mode === "ECB" || mode === "CBC") {
+        if (noPadding) {
+            if (nPadding !== 16)
+                throw new OperationError(`No padding requested in ${mode} mode but input is not a 16-byte multiple.`);
+            nPadding = 0;
+        } else
+            padByte = nPadding;
+    }
+    for (let i = 0; i < nPadding; i++)
+        message.push(padByte);
+
+    const cipherText = [];
+    switch (mode) {
+        case "ECB":
+            for (let i = 0; i < message.length; i += BLOCKSIZE)
+                Array.prototype.push.apply(cipherText, intsToBytes(encryptBlockSM4(bytesToInts(message, i), roundKey)));
+            break;
+        case "CBC":
+            iv = bytesToInts(iv, 0);
+            for (let i = 0; i < message.length; i += BLOCKSIZE) {
+                const block = bytesToInts(message, i);
+                block[0] ^= iv[0]; block[1] ^= iv[1];
+                block[2] ^= iv[2]; block[3] ^= iv[3];
+                iv = encryptBlockSM4(block, roundKey);
+                Array.prototype.push.apply(cipherText, intsToBytes(iv));
+            }
+            break;
+        case "CFB":
+            iv = bytesToInts(iv, 0);
+            for (let i = 0; i < message.length; i += BLOCKSIZE) {
+                iv = encryptBlockSM4(iv, roundKey);
+                const block = bytesToInts(message, i);
+                block[0] ^= iv[0]; block[1] ^= iv[1];
+                block[2] ^= iv[2]; block[3] ^= iv[3];
+                Array.prototype.push.apply(cipherText, intsToBytes(block));
+                iv = block;
+            }
+            break;
+        case "OFB":
+            iv = bytesToInts(iv, 0);
+            for (let i = 0; i < message.length; i += BLOCKSIZE) {
+                iv = encryptBlockSM4(iv, roundKey);
+                const block = bytesToInts(message, i);
+                block[0] ^= iv[0]; block[1] ^= iv[1];
+                block[2] ^= iv[2]; block[3] ^= iv[3];
+                Array.prototype.push.apply(cipherText, intsToBytes(block));
+            }
+            break;
+        case "CTR":
+            iv = bytesToInts(iv, 0);
+            for (let i = 0; i < message.length; i += BLOCKSIZE) {
+                let iv2 = [...iv]; /* containing the IV + counter */
+                iv2[3] += (i >> 4);/* Using a 32 bit counter here. 64 Gb encrypts should be enough for everyone. */
+                iv2 = encryptBlockSM4(iv2, roundKey);
+                const block = bytesToInts(message, i);
+                block[0] ^= iv2[0]; block[1] ^= iv2[1];
+                block[2] ^= iv2[2]; block[3] ^= iv2[3];
+                Array.prototype.push.apply(cipherText, intsToBytes(block));
+            }
+            break;
+        default:
+            throw new OperationError("Invalid block cipher mode: "+mode);
+    }
+    if (mode !== "ECB" && mode !== "CBC")
+        return cipherText.slice(0, messageLength);
+    return cipherText;
+}
+
+/**
+ * Decrypt using SM4 using a given block cipher mode.
+ *
+ * @param {byteArray} cipherText - The ciphertext
+ * @param {byteArray} key - The cipher key, 16 bytes.
+ * @param {byteArray} iv - The IV or nonce, 16 bytes (not used with ECB mode)
+ * @param {string} mode - The block cipher mode "CBC", "ECB", "CFB", "OFB", "CTR"
+ * @param {boolean] ignorePadding - If true, ignore padding issues in ECB/CBC mode.
+ * @returns {byteArray} - The cipher text.
+ */
+export function decryptSM4(cipherText, key, iv, mode="ECB", ignorePadding=false) {
+    const originalLength = cipherText.length;
+    if (originalLength === 0)
+        return [];
+    let roundKey = initSM4RoundKey(bytesToInts(key, 0));
+
+    if (mode === "ECB" || mode === "CBC") {
+        /* Init decryption key */
+        roundKey = roundKey.reverse();
+        if ((originalLength & 0xF) !== 0 && !ignorePadding)
+            throw new OperationError(`With ECB or CBC modes, the input must be divisible into 16 byte blocks. (${cipherText.length & 0xF} bytes extra)`);
+    } else { /* Pad dummy bytes for other modes, chop them off at the end */
+        while ((cipherText.length & 0xF) !== 0)
+            cipherText.push(0);
+    }
+
+    const clearText = [];
+    switch (mode) {
+        case "ECB":
+            for (let i = 0; i < cipherText.length; i += BLOCKSIZE)
+                Array.prototype.push.apply(clearText, intsToBytes(encryptBlockSM4(bytesToInts(cipherText, i), roundKey)));
+            break;
+        case "CBC":
+            iv = bytesToInts(iv, 0);
+            for (let i = 0; i < cipherText.length; i += BLOCKSIZE) {
+                const block = encryptBlockSM4(bytesToInts(cipherText, i), roundKey);
+                block[0] ^= iv[0]; block[1] ^= iv[1];
+                block[2] ^= iv[2]; block[3] ^= iv[3];
+                Array.prototype.push.apply(clearText, intsToBytes(block));
+                iv = bytesToInts(cipherText, i);
+            }
+            break;
+        case "CFB":
+            iv = bytesToInts(iv, 0);
+            for (let i = 0; i < cipherText.length; i += BLOCKSIZE) {
+                iv = encryptBlockSM4(iv, roundKey);
+                const block = bytesToInts(cipherText, i);
+                block[0] ^= iv[0]; block[1] ^= iv[1];
+                block[2] ^= iv[2]; block[3] ^= iv[3];
+                Array.prototype.push.apply(clearText, intsToBytes(block));
+                iv = bytesToInts(cipherText, i);
+            }
+            break;
+        case "OFB":
+            iv = bytesToInts(iv, 0);
+            for (let i = 0; i < cipherText.length; i += BLOCKSIZE) {
+                iv = encryptBlockSM4(iv, roundKey);
+                const block = bytesToInts(cipherText, i);
+                block[0] ^= iv[0]; block[1] ^= iv[1];
+                block[2] ^= iv[2]; block[3] ^= iv[3];
+                Array.prototype.push.apply(clearText, intsToBytes(block));
+            }
+            break;
+        case "CTR":
+            iv = bytesToInts(iv, 0);
+            for (let i = 0; i < cipherText.length; i += BLOCKSIZE) {
+                let iv2 = [...iv]; /* containing the IV + counter */
+                iv2[3] += (i >> 4);/* Using a 32 bit counter here. 64 Gb encrypts should be enough for everyone. */
+                iv2 = encryptBlockSM4(iv2, roundKey);
+                const block = bytesToInts(cipherText, i);
+                block[0] ^= iv2[0]; block[1] ^= iv2[1];
+                block[2] ^= iv2[2]; block[3] ^= iv2[3];
+                Array.prototype.push.apply(clearText, intsToBytes(block));
+            }
+            break;
+        default:
+            throw new OperationError(`Invalid block cipher mode: ${mode}`);
+    }
+    /* Check PKCS#7 padding */
+    if (mode === "ECB" || mode === "CBC") {
+        if (ignorePadding)
+            return clearText;
+        const padByte = clearText[clearText.length - 1];
+        if (padByte > 16)
+            throw new OperationError("Invalid PKCS#7 padding.");
+        for (let i = 0; i < padByte; i++)
+            if (clearText[clearText.length -i - 1] !== padByte)
+                throw new OperationError("Invalid PKCS#7 padding.");
+        return clearText.slice(0, clearText.length - padByte);
+    }
+    return clearText.slice(0, originalLength);
+}
+