comparison src/ciphers/safer/safer.c @ 192:9cc34777b479 libtomcrypt

propagate from branch 'au.asn.ucc.matt.ltc-orig' (head 9ba8f01f44320e9cb9f19881105ae84f84a43ea9) to branch 'au.asn.ucc.matt.dropbear.ltc' (head dbf51c569bc34956ad948e4cc87a0eeb2170b768)
author Matt Johnston <matt@ucc.asn.au>
date Sun, 08 May 2005 06:36:47 +0000
parents 1c15b283127b
children 39d5d58461d6
comparison
equal deleted inserted replaced
164:cd1143579f00 192:9cc34777b479
1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
2 *
3 * LibTomCrypt is a library that provides various cryptographic
4 * algorithms in a highly modular and flexible manner.
5 *
6 * The library is free for all purposes without any express
7 * guarantee it works.
8 *
9 * Tom St Denis, [email protected], http://libtomcrypt.org
10 */
11
12 /*******************************************************************************
13 *
14 * FILE: safer.c
15 *
16 * DESCRIPTION: block-cipher algorithm SAFER (Secure And Fast Encryption
17 * Routine) in its four versions: SAFER K-64, SAFER K-128,
18 * SAFER SK-64 and SAFER SK-128.
19 *
20 * AUTHOR: Richard De Moliner ([email protected])
21 * Signal and Information Processing Laboratory
22 * Swiss Federal Institute of Technology
23 * CH-8092 Zuerich, Switzerland
24 *
25 * DATE: September 9, 1995
26 *
27 * CHANGE HISTORY:
28 *
29 *******************************************************************************/
30
31 #include <tomcrypt.h>
32
33 #ifdef SAFER
34
35 const struct ltc_cipher_descriptor
36 safer_k64_desc = {
37 "safer-k64",
38 8, 8, 8, 8, SAFER_K64_DEFAULT_NOF_ROUNDS,
39 &safer_k64_setup,
40 &safer_ecb_encrypt,
41 &safer_ecb_decrypt,
42 &safer_k64_test,
43 &safer_done,
44 &safer_64_keysize,
45 NULL, NULL, NULL, NULL, NULL, NULL, NULL
46 },
47
48 safer_sk64_desc = {
49 "safer-sk64",
50 9, 8, 8, 8, SAFER_SK64_DEFAULT_NOF_ROUNDS,
51 &safer_sk64_setup,
52 &safer_ecb_encrypt,
53 &safer_ecb_decrypt,
54 &safer_sk64_test,
55 &safer_done,
56 &safer_64_keysize,
57 NULL, NULL, NULL, NULL, NULL, NULL, NULL
58 },
59
60 safer_k128_desc = {
61 "safer-k128",
62 10, 16, 16, 8, SAFER_K128_DEFAULT_NOF_ROUNDS,
63 &safer_k128_setup,
64 &safer_ecb_encrypt,
65 &safer_ecb_decrypt,
66 &safer_sk128_test,
67 &safer_done,
68 &safer_128_keysize,
69 NULL, NULL, NULL, NULL, NULL, NULL, NULL
70 },
71
72 safer_sk128_desc = {
73 "safer-sk128",
74 11, 16, 16, 8, SAFER_SK128_DEFAULT_NOF_ROUNDS,
75 &safer_sk128_setup,
76 &safer_ecb_encrypt,
77 &safer_ecb_decrypt,
78 &safer_sk128_test,
79 &safer_done,
80 &safer_128_keysize,
81 NULL, NULL, NULL, NULL, NULL, NULL, NULL
82 };
83
84 /******************* Constants ************************************************/
85 /* #define TAB_LEN 256 */
86
87 /******************* Assertions ***********************************************/
88
89 /******************* Macros ***************************************************/
90 #define ROL8(x, n) ((unsigned char)((unsigned int)(x) << (n)\
91 |(unsigned int)((x) & 0xFF) >> (8 - (n))))
92 #define EXP(x) safer_ebox[(x) & 0xFF]
93 #define LOG(x) safer_lbox[(x) & 0xFF]
94 #define PHT(x, y) { y += x; x += y; }
95 #define IPHT(x, y) { x -= y; y -= x; }
96
97 /******************* Types ****************************************************/
98 extern const unsigned char safer_ebox[], safer_lbox[];
99
100 #ifdef LTC_CLEAN_STACK
101 static void _Safer_Expand_Userkey(const unsigned char *userkey_1,
102 const unsigned char *userkey_2,
103 unsigned int nof_rounds,
104 int strengthened,
105 safer_key_t key)
106 #else
107 static void Safer_Expand_Userkey(const unsigned char *userkey_1,
108 const unsigned char *userkey_2,
109 unsigned int nof_rounds,
110 int strengthened,
111 safer_key_t key)
112 #endif
113 { unsigned int i, j, k;
114 unsigned char ka[SAFER_BLOCK_LEN + 1];
115 unsigned char kb[SAFER_BLOCK_LEN + 1];
116
117 if (SAFER_MAX_NOF_ROUNDS < nof_rounds)
118 nof_rounds = SAFER_MAX_NOF_ROUNDS;
119 *key++ = (unsigned char)nof_rounds;
120 ka[SAFER_BLOCK_LEN] = (unsigned char)0;
121 kb[SAFER_BLOCK_LEN] = (unsigned char)0;
122 k = 0;
123 for (j = 0; j < SAFER_BLOCK_LEN; j++) {
124 ka[j] = ROL8(userkey_1[j], 5);
125 ka[SAFER_BLOCK_LEN] ^= ka[j];
126 kb[j] = *key++ = userkey_2[j];
127 kb[SAFER_BLOCK_LEN] ^= kb[j];
128 }
129 for (i = 1; i <= nof_rounds; i++) {
130 for (j = 0; j < SAFER_BLOCK_LEN + 1; j++) {
131 ka[j] = ROL8(ka[j], 6);
132 kb[j] = ROL8(kb[j], 6);
133 }
134 if (strengthened) {
135 k = 2 * i - 1;
136 while (k >= (SAFER_BLOCK_LEN + 1)) { k -= SAFER_BLOCK_LEN + 1; }
137 }
138 for (j = 0; j < SAFER_BLOCK_LEN; j++) {
139 if (strengthened) {
140 *key++ = (ka[k]
141 + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 1)&0xFF)]]) & 0xFF;
142 if (++k == (SAFER_BLOCK_LEN + 1)) { k = 0; }
143 } else {
144 *key++ = (ka[j] + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 1)&0xFF)]]) & 0xFF;
145 }
146 }
147 if (strengthened) {
148 k = 2 * i;
149 while (k >= (SAFER_BLOCK_LEN + 1)) { k -= SAFER_BLOCK_LEN + 1; }
150 }
151 for (j = 0; j < SAFER_BLOCK_LEN; j++) {
152 if (strengthened) {
153 *key++ = (kb[k]
154 + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 10)&0xFF)]]) & 0xFF;
155 if (++k == (SAFER_BLOCK_LEN + 1)) { k = 0; }
156 } else {
157 *key++ = (kb[j] + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 10)&0xFF)]]) & 0xFF;
158 }
159 }
160 }
161
162 #ifdef LTC_CLEAN_STACK
163 zeromem(ka, sizeof(ka));
164 zeromem(kb, sizeof(kb));
165 #endif
166 }
167
168 #ifdef LTC_CLEAN_STACK
169 static void Safer_Expand_Userkey(const unsigned char *userkey_1,
170 const unsigned char *userkey_2,
171 unsigned int nof_rounds,
172 int strengthened,
173 safer_key_t key)
174 {
175 _Safer_Expand_Userkey(userkey_1, userkey_2, nof_rounds, strengthened, key);
176 burn_stack(sizeof(unsigned char) * (2 * (SAFER_BLOCK_LEN + 1)) + sizeof(unsigned int)*2);
177 }
178 #endif
179
180 int safer_k64_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey)
181 {
182 LTC_ARGCHK(key != NULL);
183 LTC_ARGCHK(skey != NULL);
184
185 if (numrounds != 0 && (numrounds < 6 || numrounds > SAFER_MAX_NOF_ROUNDS)) {
186 return CRYPT_INVALID_ROUNDS;
187 }
188
189 if (keylen != 8) {
190 return CRYPT_INVALID_KEYSIZE;
191 }
192
193 Safer_Expand_Userkey(key, key, (unsigned int)(numrounds != 0 ?numrounds:SAFER_K64_DEFAULT_NOF_ROUNDS), 0, skey->safer.key);
194 return CRYPT_OK;
195 }
196
197 int safer_sk64_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey)
198 {
199 LTC_ARGCHK(key != NULL);
200 LTC_ARGCHK(skey != NULL);
201
202 if (numrounds != 0 && (numrounds < 6 || numrounds > SAFER_MAX_NOF_ROUNDS)) {
203 return CRYPT_INVALID_ROUNDS;
204 }
205
206 if (keylen != 8) {
207 return CRYPT_INVALID_KEYSIZE;
208 }
209
210 Safer_Expand_Userkey(key, key, (unsigned int)(numrounds != 0 ?numrounds:SAFER_SK64_DEFAULT_NOF_ROUNDS), 1, skey->safer.key);
211 return CRYPT_OK;
212 }
213
214 int safer_k128_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey)
215 {
216 LTC_ARGCHK(key != NULL);
217 LTC_ARGCHK(skey != NULL);
218
219 if (numrounds != 0 && (numrounds < 6 || numrounds > SAFER_MAX_NOF_ROUNDS)) {
220 return CRYPT_INVALID_ROUNDS;
221 }
222
223 if (keylen != 16) {
224 return CRYPT_INVALID_KEYSIZE;
225 }
226
227 Safer_Expand_Userkey(key, key+8, (unsigned int)(numrounds != 0 ?numrounds:SAFER_K128_DEFAULT_NOF_ROUNDS), 0, skey->safer.key);
228 return CRYPT_OK;
229 }
230
231 int safer_sk128_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey)
232 {
233 LTC_ARGCHK(key != NULL);
234 LTC_ARGCHK(skey != NULL);
235
236 if (numrounds != 0 && (numrounds < 6 || numrounds > SAFER_MAX_NOF_ROUNDS)) {
237 return CRYPT_INVALID_ROUNDS;
238 }
239
240 if (keylen != 16) {
241 return CRYPT_INVALID_KEYSIZE;
242 }
243
244 Safer_Expand_Userkey(key, key+8, (unsigned int)(numrounds != 0?numrounds:SAFER_SK128_DEFAULT_NOF_ROUNDS), 1, skey->safer.key);
245 return CRYPT_OK;
246 }
247
248 #ifdef LTC_CLEAN_STACK
249 static void _safer_ecb_encrypt(const unsigned char *block_in,
250 unsigned char *block_out,
251 symmetric_key *skey)
252 #else
253 void safer_ecb_encrypt(const unsigned char *block_in,
254 unsigned char *block_out,
255 symmetric_key *skey)
256 #endif
257 { unsigned char a, b, c, d, e, f, g, h, t;
258 unsigned int round;
259 unsigned char *key;
260
261 LTC_ARGCHK(block_in != NULL);
262 LTC_ARGCHK(block_out != NULL);
263 LTC_ARGCHK(skey != NULL);
264
265 key = skey->safer.key;
266 a = block_in[0]; b = block_in[1]; c = block_in[2]; d = block_in[3];
267 e = block_in[4]; f = block_in[5]; g = block_in[6]; h = block_in[7];
268 if (SAFER_MAX_NOF_ROUNDS < (round = *key)) round = SAFER_MAX_NOF_ROUNDS;
269 while(round-- > 0)
270 {
271 a ^= *++key; b += *++key; c += *++key; d ^= *++key;
272 e ^= *++key; f += *++key; g += *++key; h ^= *++key;
273 a = EXP(a) + *++key; b = LOG(b) ^ *++key;
274 c = LOG(c) ^ *++key; d = EXP(d) + *++key;
275 e = EXP(e) + *++key; f = LOG(f) ^ *++key;
276 g = LOG(g) ^ *++key; h = EXP(h) + *++key;
277 PHT(a, b); PHT(c, d); PHT(e, f); PHT(g, h);
278 PHT(a, c); PHT(e, g); PHT(b, d); PHT(f, h);
279 PHT(a, e); PHT(b, f); PHT(c, g); PHT(d, h);
280 t = b; b = e; e = c; c = t; t = d; d = f; f = g; g = t;
281 }
282 a ^= *++key; b += *++key; c += *++key; d ^= *++key;
283 e ^= *++key; f += *++key; g += *++key; h ^= *++key;
284 block_out[0] = a & 0xFF; block_out[1] = b & 0xFF;
285 block_out[2] = c & 0xFF; block_out[3] = d & 0xFF;
286 block_out[4] = e & 0xFF; block_out[5] = f & 0xFF;
287 block_out[6] = g & 0xFF; block_out[7] = h & 0xFF;
288 }
289
290 #ifdef LTC_CLEAN_STACK
291 void safer_ecb_encrypt(const unsigned char *block_in,
292 unsigned char *block_out,
293 symmetric_key *skey)
294 {
295 _safer_ecb_encrypt(block_in, block_out, skey);
296 burn_stack(sizeof(unsigned char) * 9 + sizeof(unsigned int) + sizeof(unsigned char *));
297 }
298 #endif
299
300 #ifdef LTC_CLEAN_STACK
301 static void _safer_ecb_decrypt(const unsigned char *block_in,
302 unsigned char *block_out,
303 symmetric_key *skey)
304 #else
305 void safer_ecb_decrypt(const unsigned char *block_in,
306 unsigned char *block_out,
307 symmetric_key *skey)
308 #endif
309 { unsigned char a, b, c, d, e, f, g, h, t;
310 unsigned int round;
311 unsigned char *key;
312
313 LTC_ARGCHK(block_in != NULL);
314 LTC_ARGCHK(block_out != NULL);
315 LTC_ARGCHK(skey != NULL);
316
317 key = skey->safer.key;
318 a = block_in[0]; b = block_in[1]; c = block_in[2]; d = block_in[3];
319 e = block_in[4]; f = block_in[5]; g = block_in[6]; h = block_in[7];
320 if (SAFER_MAX_NOF_ROUNDS < (round = *key)) round = SAFER_MAX_NOF_ROUNDS;
321 key += SAFER_BLOCK_LEN * (1 + 2 * round);
322 h ^= *key; g -= *--key; f -= *--key; e ^= *--key;
323 d ^= *--key; c -= *--key; b -= *--key; a ^= *--key;
324 while (round--)
325 {
326 t = e; e = b; b = c; c = t; t = f; f = d; d = g; g = t;
327 IPHT(a, e); IPHT(b, f); IPHT(c, g); IPHT(d, h);
328 IPHT(a, c); IPHT(e, g); IPHT(b, d); IPHT(f, h);
329 IPHT(a, b); IPHT(c, d); IPHT(e, f); IPHT(g, h);
330 h -= *--key; g ^= *--key; f ^= *--key; e -= *--key;
331 d -= *--key; c ^= *--key; b ^= *--key; a -= *--key;
332 h = LOG(h) ^ *--key; g = EXP(g) - *--key;
333 f = EXP(f) - *--key; e = LOG(e) ^ *--key;
334 d = LOG(d) ^ *--key; c = EXP(c) - *--key;
335 b = EXP(b) - *--key; a = LOG(a) ^ *--key;
336 }
337 block_out[0] = a & 0xFF; block_out[1] = b & 0xFF;
338 block_out[2] = c & 0xFF; block_out[3] = d & 0xFF;
339 block_out[4] = e & 0xFF; block_out[5] = f & 0xFF;
340 block_out[6] = g & 0xFF; block_out[7] = h & 0xFF;
341 }
342
343 #ifdef LTC_CLEAN_STACK
344 void safer_ecb_decrypt(const unsigned char *block_in,
345 unsigned char *block_out,
346 symmetric_key *skey)
347 {
348 _safer_ecb_decrypt(block_in, block_out, skey);
349 burn_stack(sizeof(unsigned char) * 9 + sizeof(unsigned int) + sizeof(unsigned char *));
350 }
351 #endif
352
353 int safer_64_keysize(int *keysize)
354 {
355 LTC_ARGCHK(keysize != NULL);
356 if (*keysize < 8) {
357 return CRYPT_INVALID_KEYSIZE;
358 } else {
359 *keysize = 8;
360 return CRYPT_OK;
361 }
362 }
363
364 int safer_128_keysize(int *keysize)
365 {
366 LTC_ARGCHK(keysize != NULL);
367 if (*keysize < 16) {
368 return CRYPT_INVALID_KEYSIZE;
369 } else {
370 *keysize = 16;
371 return CRYPT_OK;
372 }
373 }
374
375 int safer_k64_test(void)
376 {
377 #ifndef LTC_TEST
378 return CRYPT_NOP;
379 #else
380 static const unsigned char k64_pt[] = { 1, 2, 3, 4, 5, 6, 7, 8 },
381 k64_key[] = { 8, 7, 6, 5, 4, 3, 2, 1 },
382 k64_ct[] = { 200, 242, 156, 221, 135, 120, 62, 217 };
383
384 symmetric_key skey;
385 unsigned char buf[2][8];
386 int err;
387
388 /* test K64 */
389 if ((err = safer_k64_setup(k64_key, 8, 6, &skey)) != CRYPT_OK) {
390 return err;
391 }
392 safer_ecb_encrypt(k64_pt, buf[0], &skey);
393 safer_ecb_decrypt(buf[0], buf[1], &skey);
394
395 if (memcmp(buf[0], k64_ct, 8) != 0 || memcmp(buf[1], k64_pt, 8) != 0) {
396 return CRYPT_FAIL_TESTVECTOR;
397 }
398
399 return CRYPT_OK;
400 #endif
401 }
402
403
404 int safer_sk64_test(void)
405 {
406 #ifndef LTC_TEST
407 return CRYPT_NOP;
408 #else
409 static const unsigned char sk64_pt[] = { 1, 2, 3, 4, 5, 6, 7, 8 },
410 sk64_key[] = { 1, 2, 3, 4, 5, 6, 7, 8 },
411 sk64_ct[] = { 95, 206, 155, 162, 5, 132, 56, 199 };
412
413 symmetric_key skey;
414 unsigned char buf[2][8];
415 int err, y;
416
417 /* test SK64 */
418 if ((err = safer_sk64_setup(sk64_key, 8, 6, &skey)) != CRYPT_OK) {
419 return err;
420 }
421
422 safer_ecb_encrypt(sk64_pt, buf[0], &skey);
423 safer_ecb_decrypt(buf[0], buf[1], &skey);
424
425 if (memcmp(buf[0], sk64_ct, 8) != 0 || memcmp(buf[1], sk64_pt, 8) != 0) {
426 return CRYPT_FAIL_TESTVECTOR;
427 }
428
429 /* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */
430 for (y = 0; y < 8; y++) buf[0][y] = 0;
431 for (y = 0; y < 1000; y++) safer_ecb_encrypt(buf[0], buf[0], &skey);
432 for (y = 0; y < 1000; y++) safer_ecb_decrypt(buf[0], buf[0], &skey);
433 for (y = 0; y < 8; y++) if (buf[0][y] != 0) return CRYPT_FAIL_TESTVECTOR;
434
435 return CRYPT_OK;
436 #endif
437 }
438
439 /** Terminate the context
440 @param skey The scheduled key
441 */
442 void safer_done(symmetric_key *skey)
443 {
444 }
445
446 int safer_sk128_test(void)
447 {
448 #ifndef LTC_TEST
449 return CRYPT_NOP;
450 #else
451 static const unsigned char sk128_pt[] = { 1, 2, 3, 4, 5, 6, 7, 8 },
452 sk128_key[] = { 1, 2, 3, 4, 5, 6, 7, 8,
453 0, 0, 0, 0, 0, 0, 0, 0 },
454 sk128_ct[] = { 255, 120, 17, 228, 179, 167, 46, 113 };
455
456 symmetric_key skey;
457 unsigned char buf[2][8];
458 int err, y;
459
460 /* test SK128 */
461 if ((err = safer_sk128_setup(sk128_key, 16, 0, &skey)) != CRYPT_OK) {
462 return err;
463 }
464 safer_ecb_encrypt(sk128_pt, buf[0], &skey);
465 safer_ecb_decrypt(buf[0], buf[1], &skey);
466
467 if (memcmp(buf[0], sk128_ct, 8) != 0 || memcmp(buf[1], sk128_pt, 8) != 0) {
468 return CRYPT_FAIL_TESTVECTOR;
469 }
470
471 /* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */
472 for (y = 0; y < 8; y++) buf[0][y] = 0;
473 for (y = 0; y < 1000; y++) safer_ecb_encrypt(buf[0], buf[0], &skey);
474 for (y = 0; y < 1000; y++) safer_ecb_decrypt(buf[0], buf[0], &skey);
475 for (y = 0; y < 8; y++) if (buf[0][y] != 0) return CRYPT_FAIL_TESTVECTOR;
476 return CRYPT_OK;
477 #endif
478 }
479
480 #endif
481
482
483