Mercurial > dropbear
comparison src/ciphers/safer/safer.c @ 192:9cc34777b479 libtomcrypt
propagate from branch 'au.asn.ucc.matt.ltc-orig' (head 9ba8f01f44320e9cb9f19881105ae84f84a43ea9)
to branch 'au.asn.ucc.matt.dropbear.ltc' (head dbf51c569bc34956ad948e4cc87a0eeb2170b768)
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sun, 08 May 2005 06:36:47 +0000 |
parents | 1c15b283127b |
children | 39d5d58461d6 |
comparison
equal
deleted
inserted
replaced
164:cd1143579f00 | 192:9cc34777b479 |
---|---|
1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis | |
2 * | |
3 * LibTomCrypt is a library that provides various cryptographic | |
4 * algorithms in a highly modular and flexible manner. | |
5 * | |
6 * The library is free for all purposes without any express | |
7 * guarantee it works. | |
8 * | |
9 * Tom St Denis, [email protected], http://libtomcrypt.org | |
10 */ | |
11 | |
12 /******************************************************************************* | |
13 * | |
14 * FILE: safer.c | |
15 * | |
16 * DESCRIPTION: block-cipher algorithm SAFER (Secure And Fast Encryption | |
17 * Routine) in its four versions: SAFER K-64, SAFER K-128, | |
18 * SAFER SK-64 and SAFER SK-128. | |
19 * | |
20 * AUTHOR: Richard De Moliner ([email protected]) | |
21 * Signal and Information Processing Laboratory | |
22 * Swiss Federal Institute of Technology | |
23 * CH-8092 Zuerich, Switzerland | |
24 * | |
25 * DATE: September 9, 1995 | |
26 * | |
27 * CHANGE HISTORY: | |
28 * | |
29 *******************************************************************************/ | |
30 | |
31 #include <tomcrypt.h> | |
32 | |
33 #ifdef SAFER | |
34 | |
35 const struct ltc_cipher_descriptor | |
36 safer_k64_desc = { | |
37 "safer-k64", | |
38 8, 8, 8, 8, SAFER_K64_DEFAULT_NOF_ROUNDS, | |
39 &safer_k64_setup, | |
40 &safer_ecb_encrypt, | |
41 &safer_ecb_decrypt, | |
42 &safer_k64_test, | |
43 &safer_done, | |
44 &safer_64_keysize, | |
45 NULL, NULL, NULL, NULL, NULL, NULL, NULL | |
46 }, | |
47 | |
48 safer_sk64_desc = { | |
49 "safer-sk64", | |
50 9, 8, 8, 8, SAFER_SK64_DEFAULT_NOF_ROUNDS, | |
51 &safer_sk64_setup, | |
52 &safer_ecb_encrypt, | |
53 &safer_ecb_decrypt, | |
54 &safer_sk64_test, | |
55 &safer_done, | |
56 &safer_64_keysize, | |
57 NULL, NULL, NULL, NULL, NULL, NULL, NULL | |
58 }, | |
59 | |
60 safer_k128_desc = { | |
61 "safer-k128", | |
62 10, 16, 16, 8, SAFER_K128_DEFAULT_NOF_ROUNDS, | |
63 &safer_k128_setup, | |
64 &safer_ecb_encrypt, | |
65 &safer_ecb_decrypt, | |
66 &safer_sk128_test, | |
67 &safer_done, | |
68 &safer_128_keysize, | |
69 NULL, NULL, NULL, NULL, NULL, NULL, NULL | |
70 }, | |
71 | |
72 safer_sk128_desc = { | |
73 "safer-sk128", | |
74 11, 16, 16, 8, SAFER_SK128_DEFAULT_NOF_ROUNDS, | |
75 &safer_sk128_setup, | |
76 &safer_ecb_encrypt, | |
77 &safer_ecb_decrypt, | |
78 &safer_sk128_test, | |
79 &safer_done, | |
80 &safer_128_keysize, | |
81 NULL, NULL, NULL, NULL, NULL, NULL, NULL | |
82 }; | |
83 | |
84 /******************* Constants ************************************************/ | |
85 /* #define TAB_LEN 256 */ | |
86 | |
87 /******************* Assertions ***********************************************/ | |
88 | |
89 /******************* Macros ***************************************************/ | |
90 #define ROL8(x, n) ((unsigned char)((unsigned int)(x) << (n)\ | |
91 |(unsigned int)((x) & 0xFF) >> (8 - (n)))) | |
92 #define EXP(x) safer_ebox[(x) & 0xFF] | |
93 #define LOG(x) safer_lbox[(x) & 0xFF] | |
94 #define PHT(x, y) { y += x; x += y; } | |
95 #define IPHT(x, y) { x -= y; y -= x; } | |
96 | |
97 /******************* Types ****************************************************/ | |
98 extern const unsigned char safer_ebox[], safer_lbox[]; | |
99 | |
100 #ifdef LTC_CLEAN_STACK | |
101 static void _Safer_Expand_Userkey(const unsigned char *userkey_1, | |
102 const unsigned char *userkey_2, | |
103 unsigned int nof_rounds, | |
104 int strengthened, | |
105 safer_key_t key) | |
106 #else | |
107 static void Safer_Expand_Userkey(const unsigned char *userkey_1, | |
108 const unsigned char *userkey_2, | |
109 unsigned int nof_rounds, | |
110 int strengthened, | |
111 safer_key_t key) | |
112 #endif | |
113 { unsigned int i, j, k; | |
114 unsigned char ka[SAFER_BLOCK_LEN + 1]; | |
115 unsigned char kb[SAFER_BLOCK_LEN + 1]; | |
116 | |
117 if (SAFER_MAX_NOF_ROUNDS < nof_rounds) | |
118 nof_rounds = SAFER_MAX_NOF_ROUNDS; | |
119 *key++ = (unsigned char)nof_rounds; | |
120 ka[SAFER_BLOCK_LEN] = (unsigned char)0; | |
121 kb[SAFER_BLOCK_LEN] = (unsigned char)0; | |
122 k = 0; | |
123 for (j = 0; j < SAFER_BLOCK_LEN; j++) { | |
124 ka[j] = ROL8(userkey_1[j], 5); | |
125 ka[SAFER_BLOCK_LEN] ^= ka[j]; | |
126 kb[j] = *key++ = userkey_2[j]; | |
127 kb[SAFER_BLOCK_LEN] ^= kb[j]; | |
128 } | |
129 for (i = 1; i <= nof_rounds; i++) { | |
130 for (j = 0; j < SAFER_BLOCK_LEN + 1; j++) { | |
131 ka[j] = ROL8(ka[j], 6); | |
132 kb[j] = ROL8(kb[j], 6); | |
133 } | |
134 if (strengthened) { | |
135 k = 2 * i - 1; | |
136 while (k >= (SAFER_BLOCK_LEN + 1)) { k -= SAFER_BLOCK_LEN + 1; } | |
137 } | |
138 for (j = 0; j < SAFER_BLOCK_LEN; j++) { | |
139 if (strengthened) { | |
140 *key++ = (ka[k] | |
141 + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 1)&0xFF)]]) & 0xFF; | |
142 if (++k == (SAFER_BLOCK_LEN + 1)) { k = 0; } | |
143 } else { | |
144 *key++ = (ka[j] + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 1)&0xFF)]]) & 0xFF; | |
145 } | |
146 } | |
147 if (strengthened) { | |
148 k = 2 * i; | |
149 while (k >= (SAFER_BLOCK_LEN + 1)) { k -= SAFER_BLOCK_LEN + 1; } | |
150 } | |
151 for (j = 0; j < SAFER_BLOCK_LEN; j++) { | |
152 if (strengthened) { | |
153 *key++ = (kb[k] | |
154 + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 10)&0xFF)]]) & 0xFF; | |
155 if (++k == (SAFER_BLOCK_LEN + 1)) { k = 0; } | |
156 } else { | |
157 *key++ = (kb[j] + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 10)&0xFF)]]) & 0xFF; | |
158 } | |
159 } | |
160 } | |
161 | |
162 #ifdef LTC_CLEAN_STACK | |
163 zeromem(ka, sizeof(ka)); | |
164 zeromem(kb, sizeof(kb)); | |
165 #endif | |
166 } | |
167 | |
168 #ifdef LTC_CLEAN_STACK | |
169 static void Safer_Expand_Userkey(const unsigned char *userkey_1, | |
170 const unsigned char *userkey_2, | |
171 unsigned int nof_rounds, | |
172 int strengthened, | |
173 safer_key_t key) | |
174 { | |
175 _Safer_Expand_Userkey(userkey_1, userkey_2, nof_rounds, strengthened, key); | |
176 burn_stack(sizeof(unsigned char) * (2 * (SAFER_BLOCK_LEN + 1)) + sizeof(unsigned int)*2); | |
177 } | |
178 #endif | |
179 | |
180 int safer_k64_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey) | |
181 { | |
182 LTC_ARGCHK(key != NULL); | |
183 LTC_ARGCHK(skey != NULL); | |
184 | |
185 if (numrounds != 0 && (numrounds < 6 || numrounds > SAFER_MAX_NOF_ROUNDS)) { | |
186 return CRYPT_INVALID_ROUNDS; | |
187 } | |
188 | |
189 if (keylen != 8) { | |
190 return CRYPT_INVALID_KEYSIZE; | |
191 } | |
192 | |
193 Safer_Expand_Userkey(key, key, (unsigned int)(numrounds != 0 ?numrounds:SAFER_K64_DEFAULT_NOF_ROUNDS), 0, skey->safer.key); | |
194 return CRYPT_OK; | |
195 } | |
196 | |
197 int safer_sk64_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey) | |
198 { | |
199 LTC_ARGCHK(key != NULL); | |
200 LTC_ARGCHK(skey != NULL); | |
201 | |
202 if (numrounds != 0 && (numrounds < 6 || numrounds > SAFER_MAX_NOF_ROUNDS)) { | |
203 return CRYPT_INVALID_ROUNDS; | |
204 } | |
205 | |
206 if (keylen != 8) { | |
207 return CRYPT_INVALID_KEYSIZE; | |
208 } | |
209 | |
210 Safer_Expand_Userkey(key, key, (unsigned int)(numrounds != 0 ?numrounds:SAFER_SK64_DEFAULT_NOF_ROUNDS), 1, skey->safer.key); | |
211 return CRYPT_OK; | |
212 } | |
213 | |
214 int safer_k128_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey) | |
215 { | |
216 LTC_ARGCHK(key != NULL); | |
217 LTC_ARGCHK(skey != NULL); | |
218 | |
219 if (numrounds != 0 && (numrounds < 6 || numrounds > SAFER_MAX_NOF_ROUNDS)) { | |
220 return CRYPT_INVALID_ROUNDS; | |
221 } | |
222 | |
223 if (keylen != 16) { | |
224 return CRYPT_INVALID_KEYSIZE; | |
225 } | |
226 | |
227 Safer_Expand_Userkey(key, key+8, (unsigned int)(numrounds != 0 ?numrounds:SAFER_K128_DEFAULT_NOF_ROUNDS), 0, skey->safer.key); | |
228 return CRYPT_OK; | |
229 } | |
230 | |
231 int safer_sk128_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey) | |
232 { | |
233 LTC_ARGCHK(key != NULL); | |
234 LTC_ARGCHK(skey != NULL); | |
235 | |
236 if (numrounds != 0 && (numrounds < 6 || numrounds > SAFER_MAX_NOF_ROUNDS)) { | |
237 return CRYPT_INVALID_ROUNDS; | |
238 } | |
239 | |
240 if (keylen != 16) { | |
241 return CRYPT_INVALID_KEYSIZE; | |
242 } | |
243 | |
244 Safer_Expand_Userkey(key, key+8, (unsigned int)(numrounds != 0?numrounds:SAFER_SK128_DEFAULT_NOF_ROUNDS), 1, skey->safer.key); | |
245 return CRYPT_OK; | |
246 } | |
247 | |
248 #ifdef LTC_CLEAN_STACK | |
249 static void _safer_ecb_encrypt(const unsigned char *block_in, | |
250 unsigned char *block_out, | |
251 symmetric_key *skey) | |
252 #else | |
253 void safer_ecb_encrypt(const unsigned char *block_in, | |
254 unsigned char *block_out, | |
255 symmetric_key *skey) | |
256 #endif | |
257 { unsigned char a, b, c, d, e, f, g, h, t; | |
258 unsigned int round; | |
259 unsigned char *key; | |
260 | |
261 LTC_ARGCHK(block_in != NULL); | |
262 LTC_ARGCHK(block_out != NULL); | |
263 LTC_ARGCHK(skey != NULL); | |
264 | |
265 key = skey->safer.key; | |
266 a = block_in[0]; b = block_in[1]; c = block_in[2]; d = block_in[3]; | |
267 e = block_in[4]; f = block_in[5]; g = block_in[6]; h = block_in[7]; | |
268 if (SAFER_MAX_NOF_ROUNDS < (round = *key)) round = SAFER_MAX_NOF_ROUNDS; | |
269 while(round-- > 0) | |
270 { | |
271 a ^= *++key; b += *++key; c += *++key; d ^= *++key; | |
272 e ^= *++key; f += *++key; g += *++key; h ^= *++key; | |
273 a = EXP(a) + *++key; b = LOG(b) ^ *++key; | |
274 c = LOG(c) ^ *++key; d = EXP(d) + *++key; | |
275 e = EXP(e) + *++key; f = LOG(f) ^ *++key; | |
276 g = LOG(g) ^ *++key; h = EXP(h) + *++key; | |
277 PHT(a, b); PHT(c, d); PHT(e, f); PHT(g, h); | |
278 PHT(a, c); PHT(e, g); PHT(b, d); PHT(f, h); | |
279 PHT(a, e); PHT(b, f); PHT(c, g); PHT(d, h); | |
280 t = b; b = e; e = c; c = t; t = d; d = f; f = g; g = t; | |
281 } | |
282 a ^= *++key; b += *++key; c += *++key; d ^= *++key; | |
283 e ^= *++key; f += *++key; g += *++key; h ^= *++key; | |
284 block_out[0] = a & 0xFF; block_out[1] = b & 0xFF; | |
285 block_out[2] = c & 0xFF; block_out[3] = d & 0xFF; | |
286 block_out[4] = e & 0xFF; block_out[5] = f & 0xFF; | |
287 block_out[6] = g & 0xFF; block_out[7] = h & 0xFF; | |
288 } | |
289 | |
290 #ifdef LTC_CLEAN_STACK | |
291 void safer_ecb_encrypt(const unsigned char *block_in, | |
292 unsigned char *block_out, | |
293 symmetric_key *skey) | |
294 { | |
295 _safer_ecb_encrypt(block_in, block_out, skey); | |
296 burn_stack(sizeof(unsigned char) * 9 + sizeof(unsigned int) + sizeof(unsigned char *)); | |
297 } | |
298 #endif | |
299 | |
300 #ifdef LTC_CLEAN_STACK | |
301 static void _safer_ecb_decrypt(const unsigned char *block_in, | |
302 unsigned char *block_out, | |
303 symmetric_key *skey) | |
304 #else | |
305 void safer_ecb_decrypt(const unsigned char *block_in, | |
306 unsigned char *block_out, | |
307 symmetric_key *skey) | |
308 #endif | |
309 { unsigned char a, b, c, d, e, f, g, h, t; | |
310 unsigned int round; | |
311 unsigned char *key; | |
312 | |
313 LTC_ARGCHK(block_in != NULL); | |
314 LTC_ARGCHK(block_out != NULL); | |
315 LTC_ARGCHK(skey != NULL); | |
316 | |
317 key = skey->safer.key; | |
318 a = block_in[0]; b = block_in[1]; c = block_in[2]; d = block_in[3]; | |
319 e = block_in[4]; f = block_in[5]; g = block_in[6]; h = block_in[7]; | |
320 if (SAFER_MAX_NOF_ROUNDS < (round = *key)) round = SAFER_MAX_NOF_ROUNDS; | |
321 key += SAFER_BLOCK_LEN * (1 + 2 * round); | |
322 h ^= *key; g -= *--key; f -= *--key; e ^= *--key; | |
323 d ^= *--key; c -= *--key; b -= *--key; a ^= *--key; | |
324 while (round--) | |
325 { | |
326 t = e; e = b; b = c; c = t; t = f; f = d; d = g; g = t; | |
327 IPHT(a, e); IPHT(b, f); IPHT(c, g); IPHT(d, h); | |
328 IPHT(a, c); IPHT(e, g); IPHT(b, d); IPHT(f, h); | |
329 IPHT(a, b); IPHT(c, d); IPHT(e, f); IPHT(g, h); | |
330 h -= *--key; g ^= *--key; f ^= *--key; e -= *--key; | |
331 d -= *--key; c ^= *--key; b ^= *--key; a -= *--key; | |
332 h = LOG(h) ^ *--key; g = EXP(g) - *--key; | |
333 f = EXP(f) - *--key; e = LOG(e) ^ *--key; | |
334 d = LOG(d) ^ *--key; c = EXP(c) - *--key; | |
335 b = EXP(b) - *--key; a = LOG(a) ^ *--key; | |
336 } | |
337 block_out[0] = a & 0xFF; block_out[1] = b & 0xFF; | |
338 block_out[2] = c & 0xFF; block_out[3] = d & 0xFF; | |
339 block_out[4] = e & 0xFF; block_out[5] = f & 0xFF; | |
340 block_out[6] = g & 0xFF; block_out[7] = h & 0xFF; | |
341 } | |
342 | |
343 #ifdef LTC_CLEAN_STACK | |
344 void safer_ecb_decrypt(const unsigned char *block_in, | |
345 unsigned char *block_out, | |
346 symmetric_key *skey) | |
347 { | |
348 _safer_ecb_decrypt(block_in, block_out, skey); | |
349 burn_stack(sizeof(unsigned char) * 9 + sizeof(unsigned int) + sizeof(unsigned char *)); | |
350 } | |
351 #endif | |
352 | |
353 int safer_64_keysize(int *keysize) | |
354 { | |
355 LTC_ARGCHK(keysize != NULL); | |
356 if (*keysize < 8) { | |
357 return CRYPT_INVALID_KEYSIZE; | |
358 } else { | |
359 *keysize = 8; | |
360 return CRYPT_OK; | |
361 } | |
362 } | |
363 | |
364 int safer_128_keysize(int *keysize) | |
365 { | |
366 LTC_ARGCHK(keysize != NULL); | |
367 if (*keysize < 16) { | |
368 return CRYPT_INVALID_KEYSIZE; | |
369 } else { | |
370 *keysize = 16; | |
371 return CRYPT_OK; | |
372 } | |
373 } | |
374 | |
375 int safer_k64_test(void) | |
376 { | |
377 #ifndef LTC_TEST | |
378 return CRYPT_NOP; | |
379 #else | |
380 static const unsigned char k64_pt[] = { 1, 2, 3, 4, 5, 6, 7, 8 }, | |
381 k64_key[] = { 8, 7, 6, 5, 4, 3, 2, 1 }, | |
382 k64_ct[] = { 200, 242, 156, 221, 135, 120, 62, 217 }; | |
383 | |
384 symmetric_key skey; | |
385 unsigned char buf[2][8]; | |
386 int err; | |
387 | |
388 /* test K64 */ | |
389 if ((err = safer_k64_setup(k64_key, 8, 6, &skey)) != CRYPT_OK) { | |
390 return err; | |
391 } | |
392 safer_ecb_encrypt(k64_pt, buf[0], &skey); | |
393 safer_ecb_decrypt(buf[0], buf[1], &skey); | |
394 | |
395 if (memcmp(buf[0], k64_ct, 8) != 0 || memcmp(buf[1], k64_pt, 8) != 0) { | |
396 return CRYPT_FAIL_TESTVECTOR; | |
397 } | |
398 | |
399 return CRYPT_OK; | |
400 #endif | |
401 } | |
402 | |
403 | |
404 int safer_sk64_test(void) | |
405 { | |
406 #ifndef LTC_TEST | |
407 return CRYPT_NOP; | |
408 #else | |
409 static const unsigned char sk64_pt[] = { 1, 2, 3, 4, 5, 6, 7, 8 }, | |
410 sk64_key[] = { 1, 2, 3, 4, 5, 6, 7, 8 }, | |
411 sk64_ct[] = { 95, 206, 155, 162, 5, 132, 56, 199 }; | |
412 | |
413 symmetric_key skey; | |
414 unsigned char buf[2][8]; | |
415 int err, y; | |
416 | |
417 /* test SK64 */ | |
418 if ((err = safer_sk64_setup(sk64_key, 8, 6, &skey)) != CRYPT_OK) { | |
419 return err; | |
420 } | |
421 | |
422 safer_ecb_encrypt(sk64_pt, buf[0], &skey); | |
423 safer_ecb_decrypt(buf[0], buf[1], &skey); | |
424 | |
425 if (memcmp(buf[0], sk64_ct, 8) != 0 || memcmp(buf[1], sk64_pt, 8) != 0) { | |
426 return CRYPT_FAIL_TESTVECTOR; | |
427 } | |
428 | |
429 /* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */ | |
430 for (y = 0; y < 8; y++) buf[0][y] = 0; | |
431 for (y = 0; y < 1000; y++) safer_ecb_encrypt(buf[0], buf[0], &skey); | |
432 for (y = 0; y < 1000; y++) safer_ecb_decrypt(buf[0], buf[0], &skey); | |
433 for (y = 0; y < 8; y++) if (buf[0][y] != 0) return CRYPT_FAIL_TESTVECTOR; | |
434 | |
435 return CRYPT_OK; | |
436 #endif | |
437 } | |
438 | |
439 /** Terminate the context | |
440 @param skey The scheduled key | |
441 */ | |
442 void safer_done(symmetric_key *skey) | |
443 { | |
444 } | |
445 | |
446 int safer_sk128_test(void) | |
447 { | |
448 #ifndef LTC_TEST | |
449 return CRYPT_NOP; | |
450 #else | |
451 static const unsigned char sk128_pt[] = { 1, 2, 3, 4, 5, 6, 7, 8 }, | |
452 sk128_key[] = { 1, 2, 3, 4, 5, 6, 7, 8, | |
453 0, 0, 0, 0, 0, 0, 0, 0 }, | |
454 sk128_ct[] = { 255, 120, 17, 228, 179, 167, 46, 113 }; | |
455 | |
456 symmetric_key skey; | |
457 unsigned char buf[2][8]; | |
458 int err, y; | |
459 | |
460 /* test SK128 */ | |
461 if ((err = safer_sk128_setup(sk128_key, 16, 0, &skey)) != CRYPT_OK) { | |
462 return err; | |
463 } | |
464 safer_ecb_encrypt(sk128_pt, buf[0], &skey); | |
465 safer_ecb_decrypt(buf[0], buf[1], &skey); | |
466 | |
467 if (memcmp(buf[0], sk128_ct, 8) != 0 || memcmp(buf[1], sk128_pt, 8) != 0) { | |
468 return CRYPT_FAIL_TESTVECTOR; | |
469 } | |
470 | |
471 /* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */ | |
472 for (y = 0; y < 8; y++) buf[0][y] = 0; | |
473 for (y = 0; y < 1000; y++) safer_ecb_encrypt(buf[0], buf[0], &skey); | |
474 for (y = 0; y < 1000; y++) safer_ecb_decrypt(buf[0], buf[0], &skey); | |
475 for (y = 0; y < 8; y++) if (buf[0][y] != 0) return CRYPT_FAIL_TESTVECTOR; | |
476 return CRYPT_OK; | |
477 #endif | |
478 } | |
479 | |
480 #endif | |
481 | |
482 | |
483 |