Mercurial > dropbear
comparison src/ciphers/rc2.c @ 192:9cc34777b479 libtomcrypt
propagate from branch 'au.asn.ucc.matt.ltc-orig' (head 9ba8f01f44320e9cb9f19881105ae84f84a43ea9)
to branch 'au.asn.ucc.matt.dropbear.ltc' (head dbf51c569bc34956ad948e4cc87a0eeb2170b768)
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sun, 08 May 2005 06:36:47 +0000 |
parents | 1c15b283127b |
children | 39d5d58461d6 |
comparison
equal
deleted
inserted
replaced
164:cd1143579f00 | 192:9cc34777b479 |
---|---|
1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis | |
2 * | |
3 * LibTomCrypt is a library that provides various cryptographic | |
4 * algorithms in a highly modular and flexible manner. | |
5 * | |
6 * The library is free for all purposes without any express | |
7 * guarantee it works. | |
8 * | |
9 * Tom St Denis, [email protected], http://libtomcrypt.org | |
10 */ | |
11 /**********************************************************************\ | |
12 * To commemorate the 1996 RSA Data Security Conference, the following * | |
13 * code is released into the public domain by its author. Prost! * | |
14 * * | |
15 * This cipher uses 16-bit words and little-endian byte ordering. * | |
16 * I wonder which processor it was optimized for? * | |
17 * * | |
18 * Thanks to CodeView, SoftIce, and D86 for helping bring this code to * | |
19 * the public. * | |
20 \**********************************************************************/ | |
21 #include <tomcrypt.h> | |
22 | |
23 /** | |
24 @file rc2.c | |
25 Implementation of RC2 | |
26 */ | |
27 | |
28 #ifdef RC2 | |
29 | |
30 const struct ltc_cipher_descriptor rc2_desc = { | |
31 "rc2", | |
32 12, 8, 128, 8, 16, | |
33 &rc2_setup, | |
34 &rc2_ecb_encrypt, | |
35 &rc2_ecb_decrypt, | |
36 &rc2_test, | |
37 &rc2_done, | |
38 &rc2_keysize, | |
39 NULL, NULL, NULL, NULL, NULL, NULL, NULL | |
40 }; | |
41 | |
42 /* 256-entry permutation table, probably derived somehow from pi */ | |
43 static const unsigned char permute[256] = { | |
44 217,120,249,196, 25,221,181,237, 40,233,253,121, 74,160,216,157, | |
45 198,126, 55,131, 43,118, 83,142, 98, 76,100,136, 68,139,251,162, | |
46 23,154, 89,245,135,179, 79, 19, 97, 69,109,141, 9,129,125, 50, | |
47 189,143, 64,235,134,183,123, 11,240,149, 33, 34, 92,107, 78,130, | |
48 84,214,101,147,206, 96,178, 28,115, 86,192, 20,167,140,241,220, | |
49 18,117,202, 31, 59,190,228,209, 66, 61,212, 48,163, 60,182, 38, | |
50 111,191, 14,218, 70,105, 7, 87, 39,242, 29,155,188,148, 67, 3, | |
51 248, 17,199,246,144,239, 62,231, 6,195,213, 47,200,102, 30,215, | |
52 8,232,234,222,128, 82,238,247,132,170,114,172, 53, 77,106, 42, | |
53 150, 26,210,113, 90, 21, 73,116, 75,159,208, 94, 4, 24,164,236, | |
54 194,224, 65,110, 15, 81,203,204, 36,145,175, 80,161,244,112, 57, | |
55 153,124, 58,133, 35,184,180,122,252, 2, 54, 91, 37, 85,151, 49, | |
56 45, 93,250,152,227,138,146,174, 5,223, 41, 16,103,108,186,201, | |
57 211, 0,230,207,225,158,168, 44, 99, 22, 1, 63, 88,226,137,169, | |
58 13, 56, 52, 27,171, 51,255,176,187, 72, 12, 95,185,177,205, 46, | |
59 197,243,219, 71,229,165,156,119, 10,166, 32,104,254,127,193,173 | |
60 }; | |
61 | |
62 /** | |
63 Initialize the RC2 block cipher | |
64 @param key The symmetric key you wish to pass | |
65 @param keylen The key length in bytes | |
66 @param num_rounds The number of rounds desired (0 for default) | |
67 @param skey The key in as scheduled by this function. | |
68 @return CRYPT_OK if successful | |
69 */ | |
70 int rc2_setup(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey) | |
71 { | |
72 unsigned *xkey = skey->rc2.xkey; | |
73 unsigned char tmp[128]; | |
74 unsigned T8, TM; | |
75 int i, bits; | |
76 | |
77 LTC_ARGCHK(key != NULL); | |
78 LTC_ARGCHK(skey != NULL); | |
79 | |
80 if (keylen < 8 || keylen > 128) { | |
81 return CRYPT_INVALID_KEYSIZE; | |
82 } | |
83 | |
84 if (num_rounds != 0 && num_rounds != 16) { | |
85 return CRYPT_INVALID_ROUNDS; | |
86 } | |
87 | |
88 for (i = 0; i < keylen; i++) { | |
89 tmp[i] = key[i] & 255; | |
90 } | |
91 | |
92 /* Phase 1: Expand input key to 128 bytes */ | |
93 if (keylen < 128) { | |
94 for (i = keylen; i < 128; i++) { | |
95 tmp[i] = permute[(tmp[i - 1] + tmp[i - keylen]) & 255]; | |
96 } | |
97 } | |
98 | |
99 /* Phase 2 - reduce effective key size to "bits" */ | |
100 bits = keylen<<3; | |
101 T8 = (unsigned)(bits+7)>>3; | |
102 TM = (255 >> (unsigned)(7 & -bits)); | |
103 tmp[128 - T8] = permute[tmp[128 - T8] & TM]; | |
104 for (i = 127 - T8; i >= 0; i--) { | |
105 tmp[i] = permute[tmp[i + 1] ^ tmp[i + T8]]; | |
106 } | |
107 | |
108 /* Phase 3 - copy to xkey in little-endian order */ | |
109 for (i = 0; i < 64; i++) { | |
110 xkey[i] = (unsigned)tmp[2*i] + ((unsigned)tmp[2*i+1] << 8); | |
111 } | |
112 | |
113 #ifdef LTC_CLEAN_STACK | |
114 zeromem(tmp, sizeof(tmp)); | |
115 #endif | |
116 | |
117 return CRYPT_OK; | |
118 } | |
119 | |
120 /**********************************************************************\ | |
121 * Encrypt an 8-byte block of plaintext using the given key. * | |
122 \**********************************************************************/ | |
123 /** | |
124 Encrypts a block of text with RC2 | |
125 @param pt The input plaintext (8 bytes) | |
126 @param ct The output ciphertext (8 bytes) | |
127 @param skey The key as scheduled | |
128 */ | |
129 #ifdef LTC_CLEAN_STACK | |
130 static void _rc2_ecb_encrypt( const unsigned char *pt, | |
131 unsigned char *ct, | |
132 symmetric_key *skey) | |
133 #else | |
134 void rc2_ecb_encrypt( const unsigned char *pt, | |
135 unsigned char *ct, | |
136 symmetric_key *skey) | |
137 #endif | |
138 { | |
139 unsigned *xkey; | |
140 unsigned x76, x54, x32, x10, i; | |
141 | |
142 LTC_ARGCHK(pt != NULL); | |
143 LTC_ARGCHK(ct != NULL); | |
144 LTC_ARGCHK(skey != NULL); | |
145 | |
146 xkey = skey->rc2.xkey; | |
147 | |
148 x76 = ((unsigned)pt[7] << 8) + (unsigned)pt[6]; | |
149 x54 = ((unsigned)pt[5] << 8) + (unsigned)pt[4]; | |
150 x32 = ((unsigned)pt[3] << 8) + (unsigned)pt[2]; | |
151 x10 = ((unsigned)pt[1] << 8) + (unsigned)pt[0]; | |
152 | |
153 for (i = 0; i < 16; i++) { | |
154 x10 = (x10 + (x32 & ~x76) + (x54 & x76) + xkey[4*i+0]) & 0xFFFF; | |
155 x10 = ((x10 << 1) | (x10 >> 15)); | |
156 | |
157 x32 = (x32 + (x54 & ~x10) + (x76 & x10) + xkey[4*i+1]) & 0xFFFF; | |
158 x32 = ((x32 << 2) | (x32 >> 14)); | |
159 | |
160 x54 = (x54 + (x76 & ~x32) + (x10 & x32) + xkey[4*i+2]) & 0xFFFF; | |
161 x54 = ((x54 << 3) | (x54 >> 13)); | |
162 | |
163 x76 = (x76 + (x10 & ~x54) + (x32 & x54) + xkey[4*i+3]) & 0xFFFF; | |
164 x76 = ((x76 << 5) | (x76 >> 11)); | |
165 | |
166 if (i == 4 || i == 10) { | |
167 x10 = (x10 + xkey[x76 & 63]) & 0xFFFF; | |
168 x32 = (x32 + xkey[x10 & 63]) & 0xFFFF; | |
169 x54 = (x54 + xkey[x32 & 63]) & 0xFFFF; | |
170 x76 = (x76 + xkey[x54 & 63]) & 0xFFFF; | |
171 } | |
172 } | |
173 | |
174 ct[0] = (unsigned char)x10; | |
175 ct[1] = (unsigned char)(x10 >> 8); | |
176 ct[2] = (unsigned char)x32; | |
177 ct[3] = (unsigned char)(x32 >> 8); | |
178 ct[4] = (unsigned char)x54; | |
179 ct[5] = (unsigned char)(x54 >> 8); | |
180 ct[6] = (unsigned char)x76; | |
181 ct[7] = (unsigned char)(x76 >> 8); | |
182 } | |
183 | |
184 #ifdef LTC_CLEAN_STACK | |
185 void rc2_ecb_encrypt( const unsigned char *pt, | |
186 unsigned char *ct, | |
187 symmetric_key *skey) | |
188 { | |
189 _rc2_ecb_encrypt(pt, ct, skey); | |
190 burn_stack(sizeof(unsigned *) + sizeof(unsigned) * 5); | |
191 } | |
192 #endif | |
193 | |
194 /**********************************************************************\ | |
195 * Decrypt an 8-byte block of ciphertext using the given key. * | |
196 \**********************************************************************/ | |
197 /** | |
198 Decrypts a block of text with RC2 | |
199 @param ct The input ciphertext (8 bytes) | |
200 @param pt The output plaintext (8 bytes) | |
201 @param skey The key as scheduled | |
202 */ | |
203 #ifdef LTC_CLEAN_STACK | |
204 static void _rc2_ecb_decrypt( const unsigned char *ct, | |
205 unsigned char *pt, | |
206 symmetric_key *skey) | |
207 #else | |
208 void rc2_ecb_decrypt( const unsigned char *ct, | |
209 unsigned char *pt, | |
210 symmetric_key *skey) | |
211 #endif | |
212 { | |
213 unsigned x76, x54, x32, x10; | |
214 unsigned *xkey; | |
215 int i; | |
216 | |
217 LTC_ARGCHK(pt != NULL); | |
218 LTC_ARGCHK(ct != NULL); | |
219 LTC_ARGCHK(skey != NULL); | |
220 | |
221 xkey = skey->rc2.xkey; | |
222 | |
223 x76 = ((unsigned)ct[7] << 8) + (unsigned)ct[6]; | |
224 x54 = ((unsigned)ct[5] << 8) + (unsigned)ct[4]; | |
225 x32 = ((unsigned)ct[3] << 8) + (unsigned)ct[2]; | |
226 x10 = ((unsigned)ct[1] << 8) + (unsigned)ct[0]; | |
227 | |
228 for (i = 15; i >= 0; i--) { | |
229 if (i == 4 || i == 10) { | |
230 x76 = (x76 - xkey[x54 & 63]) & 0xFFFF; | |
231 x54 = (x54 - xkey[x32 & 63]) & 0xFFFF; | |
232 x32 = (x32 - xkey[x10 & 63]) & 0xFFFF; | |
233 x10 = (x10 - xkey[x76 & 63]) & 0xFFFF; | |
234 } | |
235 | |
236 x76 = ((x76 << 11) | (x76 >> 5)); | |
237 x76 = (x76 - ((x10 & ~x54) + (x32 & x54) + xkey[4*i+3])) & 0xFFFF; | |
238 | |
239 x54 = ((x54 << 13) | (x54 >> 3)); | |
240 x54 = (x54 - ((x76 & ~x32) + (x10 & x32) + xkey[4*i+2])) & 0xFFFF; | |
241 | |
242 x32 = ((x32 << 14) | (x32 >> 2)); | |
243 x32 = (x32 - ((x54 & ~x10) + (x76 & x10) + xkey[4*i+1])) & 0xFFFF; | |
244 | |
245 x10 = ((x10 << 15) | (x10 >> 1)); | |
246 x10 = (x10 - ((x32 & ~x76) + (x54 & x76) + xkey[4*i+0])) & 0xFFFF; | |
247 } | |
248 | |
249 pt[0] = (unsigned char)x10; | |
250 pt[1] = (unsigned char)(x10 >> 8); | |
251 pt[2] = (unsigned char)x32; | |
252 pt[3] = (unsigned char)(x32 >> 8); | |
253 pt[4] = (unsigned char)x54; | |
254 pt[5] = (unsigned char)(x54 >> 8); | |
255 pt[6] = (unsigned char)x76; | |
256 pt[7] = (unsigned char)(x76 >> 8); | |
257 } | |
258 | |
259 #ifdef LTC_CLEAN_STACK | |
260 void rc2_ecb_decrypt( const unsigned char *ct, | |
261 unsigned char *pt, | |
262 symmetric_key *skey) | |
263 { | |
264 _rc2_ecb_decrypt(ct, pt, skey); | |
265 burn_stack(sizeof(unsigned *) + sizeof(unsigned) * 4 + sizeof(int)); | |
266 } | |
267 #endif | |
268 | |
269 /** | |
270 Performs a self-test of the RC2 block cipher | |
271 @return CRYPT_OK if functional, CRYPT_NOP if self-test has been disabled | |
272 */ | |
273 int rc2_test(void) | |
274 { | |
275 #ifndef LTC_TEST | |
276 return CRYPT_NOP; | |
277 #else | |
278 static const struct { | |
279 int keylen; | |
280 unsigned char key[16], pt[8], ct[8]; | |
281 } tests[] = { | |
282 | |
283 { 8, | |
284 { 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
285 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, | |
286 { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, | |
287 { 0x30, 0x64, 0x9e, 0xdf, 0x9b, 0xe7, 0xd2, 0xc2 } | |
288 | |
289 }, | |
290 { 16, | |
291 { 0x88, 0xbc, 0xa9, 0x0e, 0x90, 0x87, 0x5a, 0x7f, | |
292 0x0f, 0x79, 0xc3, 0x84, 0x62, 0x7b, 0xaf, 0xb2 }, | |
293 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, | |
294 { 0x22, 0x69, 0x55, 0x2a, 0xb0, 0xf8, 0x5c, 0xa6 } | |
295 } | |
296 }; | |
297 int x, y, err; | |
298 symmetric_key skey; | |
299 unsigned char tmp[2][8]; | |
300 | |
301 for (x = 0; x < (int)(sizeof(tests) / sizeof(tests[0])); x++) { | |
302 zeromem(tmp, sizeof(tmp)); | |
303 if ((err = rc2_setup(tests[x].key, tests[x].keylen, 0, &skey)) != CRYPT_OK) { | |
304 return err; | |
305 } | |
306 | |
307 rc2_ecb_encrypt(tests[x].pt, tmp[0], &skey); | |
308 rc2_ecb_decrypt(tmp[0], tmp[1], &skey); | |
309 | |
310 if (memcmp(tmp[0], tests[x].ct, 8) != 0 || memcmp(tmp[1], tests[x].pt, 8) != 0) { | |
311 return CRYPT_FAIL_TESTVECTOR; | |
312 } | |
313 | |
314 /* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */ | |
315 for (y = 0; y < 8; y++) tmp[0][y] = 0; | |
316 for (y = 0; y < 1000; y++) rc2_ecb_encrypt(tmp[0], tmp[0], &skey); | |
317 for (y = 0; y < 1000; y++) rc2_ecb_decrypt(tmp[0], tmp[0], &skey); | |
318 for (y = 0; y < 8; y++) if (tmp[0][y] != 0) return CRYPT_FAIL_TESTVECTOR; | |
319 } | |
320 return CRYPT_OK; | |
321 #endif | |
322 } | |
323 | |
324 /** Terminate the context | |
325 @param skey The scheduled key | |
326 */ | |
327 void rc2_done(symmetric_key *skey) | |
328 { | |
329 } | |
330 | |
331 /** | |
332 Gets suitable key size | |
333 @param keysize [in/out] The length of the recommended key (in bytes). This function will store the suitable size back in this variable. | |
334 @return CRYPT_OK if the input key size is acceptable. | |
335 */ | |
336 int rc2_keysize(int *keysize) | |
337 { | |
338 LTC_ARGCHK(keysize != NULL); | |
339 if (*keysize < 8) { | |
340 return CRYPT_INVALID_KEYSIZE; | |
341 } else if (*keysize > 128) { | |
342 *keysize = 128; | |
343 } | |
344 return CRYPT_OK; | |
345 } | |
346 | |
347 #endif | |
348 | |
349 | |
350 |