Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • nettle/nettle
  • briansmith/nettle
  • ajlawrence/nettle
  • mhoffmann/nettle
  • devnexen/nettle
  • wiml/nettle
  • lumag/nettle
  • michaelweiser/nettle
  • aberaud/nettle
  • mamonet/nettle
  • npocs/nettle
  • babelouest/nettle
  • ueno/nettle
  • rth/nettle
14 results
Show changes
Hide whitespace changes
Inline Side-by-side
Showing
with 2726 additions and 467 deletions
block-internal.h 0 → 100644
View file @ 99a9c929
/* block-internal.h
Internal implementations of nettle_blockZ-related functions.
Copyright (C) 2011 Katholieke Universiteit Leuven
Copyright (C) 2011, 2013, 2018 Niels Möller
Copyright (C) 2018 Red Hat, Inc.
Copyright (C) 2019 Dmitry Eremin-Solenikov
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#ifndef NETTLE_BLOCK_INTERNAL_H_INCLUDED
#define NETTLE_BLOCK_INTERNAL_H_INCLUDED
#include <assert.h>
#include "nettle-types.h"
#include "bswap-internal.h"
#include "memxor.h"
static inline void
block16_zero (union nettle_block16 *r)
{
static const union nettle_block16 zero_block;
*r = zero_block;
}
static inline void
block16_set (union nettle_block16 *r,
const union nettle_block16 *x)
{
r->u64[0] = x->u64[0];
r->u64[1] = x->u64[1];
}
static inline void
block16_xor (union nettle_block16 *r,
const union nettle_block16 *x)
{
r->u64[0] ^= x->u64[0];
r->u64[1] ^= x->u64[1];
}
static inline void
block16_xor3 (union nettle_block16 *r,
const union nettle_block16 *x,
const union nettle_block16 *y)
{
r->u64[0] = x->u64[0] ^ y->u64[0];
r->u64[1] = x->u64[1] ^ y->u64[1];
}
static inline void
block16_xor_bytes (union nettle_block16 *r,
const union nettle_block16 *x,
const uint8_t *bytes)
{
memxor3 (r->b, x->b, bytes, 16);
}
static inline void
block8_xor (union nettle_block8 *r,
const union nettle_block8 *x)
{
r->u64 ^= x->u64;
}
static inline void
block8_xor3 (union nettle_block8 *r,
const union nettle_block8 *x,
const union nettle_block8 *y)
{
r->u64 = x->u64 ^ y->u64;
}
static inline void
block8_xor_bytes (union nettle_block8 *r,
const union nettle_block8 *x,
const uint8_t *bytes)
{
memxor3 (r->b, x->b, bytes, 8);
}
/* Do a foreign-endianness shift of data */
#define LSHIFT_ALIEN_UINT64(x) \
((((x) & UINT64_C(0x7f7f7f7f7f7f7f7f)) << 1) | \
(((x) & UINT64_C(0x8080808080808080)) >> 15))
#define RSHIFT_ALIEN_UINT64(x) \
((((x) & UINT64_C(0xfefefefefefefefe)) >> 1) | \
(((x) & UINT64_C(0x0001010101010101)) << 15))
/* Two typical defining polynoms */
#define BLOCK16_POLY (UINT64_C(0x87))
#define BLOCK8_POLY (UINT64_C(0x1b))
#define GHASH_POLY (UINT64_C(0xE1))
/* Galois multiplications by 2:
* functions differ in shifting right or left, big- or little- endianness
* and by defining polynom.
* r == x is allowed. */
#if WORDS_BIGENDIAN
static inline void
block16_mulx_be (union nettle_block16 *dst,
const union nettle_block16 *src)
{
uint64_t carry = src->u64[0] >> 63;
dst->u64[0] = (src->u64[0] << 1) | (src->u64[1] >> 63);
dst->u64[1] = (src->u64[1] << 1) ^ (BLOCK16_POLY & -carry);
}
static inline void
block16_mulx_le (union nettle_block16 *dst,
const union nettle_block16 *src)
{
uint64_t carry = (src->u64[1] & 0x80) >> 7;
dst->u64[1] = LSHIFT_ALIEN_UINT64(src->u64[1]) | ((src->u64[0] & 0x80) << 49);
dst->u64[0] = LSHIFT_ALIEN_UINT64(src->u64[0]) ^ ((BLOCK16_POLY << 56) & -carry);
}
static inline void
block8_mulx_be (union nettle_block8 *dst,
const union nettle_block8 *src)
{
uint64_t carry = src->u64 >> 63;
dst->u64 = (src->u64 << 1) ^ (BLOCK8_POLY & -carry);
}
static inline void
block16_mulx_ghash (union nettle_block16 *r,
const union nettle_block16 *x)
{
uint64_t mask;
/* Shift uses big-endian representation. */
mask = - (x->u64[1] & 1);
r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63);
r->u64[0] = (x->u64[0] >> 1) ^ (mask & (GHASH_POLY << 56));
}
#else /* !WORDS_BIGENDIAN */
static inline void
block16_mulx_be (union nettle_block16 *dst,
const union nettle_block16 *src)
{
uint64_t carry = (src->u64[0] & 0x80) >> 7;
dst->u64[0] = LSHIFT_ALIEN_UINT64(src->u64[0]) | ((src->u64[1] & 0x80) << 49);
dst->u64[1] = LSHIFT_ALIEN_UINT64(src->u64[1]) ^ ((BLOCK16_POLY << 56) & -carry);
}
static inline void
block16_mulx_le (union nettle_block16 *dst,
const union nettle_block16 *src)
{
uint64_t carry = src->u64[1] >> 63;
dst->u64[1] = (src->u64[1] << 1) | (src->u64[0] >> 63);
dst->u64[0] = (src->u64[0] << 1) ^ (BLOCK16_POLY & -carry);
}
static inline void
block8_mulx_be (union nettle_block8 *dst,
const union nettle_block8 *src)
{
uint64_t carry = (src->u64 & 0x80) >> 7;
dst->u64 = LSHIFT_ALIEN_UINT64(src->u64) ^ ((BLOCK8_POLY << 56) & -carry);
}
static inline void
block16_mulx_ghash (union nettle_block16 *r,
const union nettle_block16 *x)
{
uint64_t mask;
/* Shift uses big-endian representation. */
mask = - ((x->u64[1] >> 56) & 1);
r->u64[1] = RSHIFT_ALIEN_UINT64(x->u64[1]) | ((x->u64[0] >> 49) & 0x80);
r->u64[0] = RSHIFT_ALIEN_UINT64(x->u64[0]) ^ (mask & GHASH_POLY);
}
#endif /* ! WORDS_BIGENDIAN */
/* Reverse bytes in X and store the result in R. This supports
in-place operation (R and X can overlap). */
static inline void
block16_bswap (union nettle_block16 *r,
const union nettle_block16 *x)
{
uint64_t t = nettle_bswap64 (x->u64[0]);
r->u64[0] = nettle_bswap64 (x->u64[1]);
r->u64[1] = t;
}
#endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */
blowfish-bcrypt.c 0 → 100644
View file @ 99a9c929
/* blowfish-bcrypt.c
The blowfish bcrypt implementation.
Copyright (c) 2020 Stephen R. van den Berg
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
#include "config.h"
#endif
#include <assert.h>
#include <string.h>
#include <stdlib.h>
#include "blowfish.h"
#include "blowfish-internal.h"
#include "base64.h"
#include "bswap-internal.h"
#include "macros.h"
#define CRYPTPLEN 7
#define SALTLEN ((BLOWFISH_BCRYPT_BINSALT_SIZE*8+5) / 6)
#define HASHOFFSET (CRYPTPLEN + SALTLEN)
static const signed char radix64_decode_table[0x100] = {
/* White space is HT, VT, FF, CR, LF and SPC */
-1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -2, -2, -2, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, 1,
54, 55, 56, 57, 58, 59, 60, 61, 62, 63, -1, -1, -1, -3, -1, -1,
-1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, -1, -1, -1, -1, -1,
-1, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
};
static const char radix64_encode_table[64] =
"./ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789";
int
blowfish_bcrypt_verify(size_t lenkey, const uint8_t *key,
size_t lenhashed, const uint8_t *hashed)
{
uint8_t newhash[BLOWFISH_BCRYPT_HASH_SIZE];
return blowfish_bcrypt_hash(newhash,
lenkey, key, lenhashed, hashed,
-1, (void*)0)
&& !strcmp((const char*)newhash, (const char*)hashed);
}
static char *encode_radix64(char *dst, size_t len, const uint8_t *src)
{
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
ctx.alphabet = radix64_encode_table;
dst += base64_encode_update(&ctx, dst, len, src);
dst += base64_encode_final(&ctx, dst);
*--dst = '\0'; /* Strip the trailing = */
return dst;
}
/*
* Large parts of the code below are based on public domain sources.
* The comments and copyright notices have been preserved.
* Any code added or modified by me is licensed under the
* licenses listed above. -- Stephen R. van den Berg
*/
/*
* This code comes from John the Ripper password cracker, with reentrant
* and crypt(3) interfaces added, but optimizations specific to password
* cracking removed.
*
* Written by Solar Designer <solar at openwall.com> in 1998-2015.
* No copyright is claimed, and the software is hereby placed in the public
* domain. In case this attempt to disclaim copyright and place the software
* in the public domain is deemed null and void, then the software is
* Copyright (c) 1998-2015 Solar Designer and it is hereby released to the
* general public under the following terms:
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted.
*
* There's ABSOLUTELY NO WARRANTY, express or implied.
*
* It is my intent that you should be able to use this on your system,
* as part of a software package, or anywhere else to improve security,
* ensure compatibility, or for any other purpose. I would appreciate
* it if you give credit where it is due and keep your modifications in
* the public domain as well, but I don't require that in order to let
* you place this code and any modifications you make under a license
* of your choice.
*
* This implementation is fully compatible with OpenBSD's bcrypt.c for prefix
* "$2b$", originally by Niels Provos <provos at citi.umich.edu>, and it uses
* some of his ideas. The password hashing algorithm was designed by David
* Mazieres <dm at lcs.mit.edu>. For information on the level of
* compatibility for bcrypt hash prefixes other than "$2b$", please refer to
* the comments in set_key() below and to the included crypt(3) man page.
*/
typedef uint32_t bf_key[_BLOWFISH_ROUNDS + 2];
/*
* Magic IV for 64 Blowfish encryptions that we do at the end.
* The string is "OrpheanBeholderScryDoubt" on big-endian.
*/
static uint32_t magic_w[6] = {
0x4F727068, 0x65616E42, 0x65686F6C,
0x64657253, 0x63727944, 0x6F756274
};
static void set_xkey(size_t lenkey, const uint8_t *key,
bf_key expanded, bf_key initial,
unsigned bug, uint32_t safety)
{
const uint8_t *ptr = key;
size_t n = lenkey;
unsigned i, j;
uint32_t sign, diff, tmp[2];
/*
* There was a sign extension bug in older revisions of this function. While
* we would have liked to simply fix the bug and move on, we have to provide
* a backwards compatibility feature (essentially the bug) for some systems and
* a safety measure for some others. The latter is needed because for certain
* multiple inputs to the buggy algorithm there exist easily found inputs to
* the correct algorithm that produce the same hash. Thus, we optionally
* deviate from the correct algorithm just enough to avoid such collisions.
* While the bug itself affected the majority of passwords containing
* characters with the 8th bit set (although only a percentage of those in a
* collision-producing way), the anti-collision safety measure affects
* only a subset of passwords containing the '\xff' character (not even all of
* those passwords, just some of them). This character is not found in valid
* UTF-8 sequences and is rarely used in popular 8-bit character encodings.
* Thus, the safety measure is unlikely to cause much annoyance, and is a
* reasonable tradeoff to use when authenticating against existing hashes that
* are not reliably known to have been computed with the correct algorithm.
*
* We use an approach that tries to minimize side-channel leaks of password
* information - that is, we mostly use fixed-cost bitwise operations instead
* of branches or table lookups. (One conditional branch based on password
* length remains. It is not part of the bug aftermath, though, and is
* difficult and possibly unreasonable to avoid given the use of C strings by
* the caller, which results in similar timing leaks anyway.)
*
* For actual implementation, we set an array index in the variable "bug"
* (0 means no bug, 1 means sign extension bug emulation) and a flag in the
* variable "safety" (bit 16 is set when the safety measure is requested).
* Valid combinations of settings are:
*
* Prefix "$2a$": bug = 0, safety = 0x10000
* Prefix "$2b$": bug = 0, safety = 0
* Prefix "$2x$": bug = 1, safety = 0
* Prefix "$2y$": bug = 0, safety = 0
*/
sign = diff = 0;
for (i = 0; i < _BLOWFISH_ROUNDS + 2; i++) {
tmp[0] = tmp[1] = 0;
for (j = 0; j < 4; j++) {
tmp[0] <<= 8;
tmp[0] |= (unsigned char)*ptr; /* correct */
tmp[1] <<= 8;
tmp[1] |= (signed char)*ptr; /* bug */
/*
* Sign extension in the first char has no effect - nothing to overwrite yet,
* and those extra 24 bits will be fully shifted out of the 32-bit word. For
* chars 2, 3, 4 in each four-char block, we set bit 7 of "sign" if sign
* extension in tmp[1] occurs. Once this flag is set, it remains set.
*/
if (j)
sign |= tmp[1] & 0x80;
if (n--)
ptr++;
else
ptr = key, n = lenkey;
}
diff |= tmp[0] ^ tmp[1]; /* Non-zero on any differences */
expanded[i] = tmp[bug];
initial[i] = _nettle_blowfish_initial_ctx.p[i] ^ tmp[bug];
}
/*
* At this point, "diff" is zero if the correct and buggy algorithms produced
* exactly the same result. If so and if "sign" is non-zero, which indicates
* that there was a non-benign sign extension, this means that we have a
* collision between the correctly computed hash for this password and a set of
* passwords that could be supplied to the buggy algorithm. Our safety measure
* is meant to protect from such many-buggy to one-correct collisions, by
* deviating from the correct algorithm in such cases. Let's check for this.
*/
diff |= diff >> 16; /* still zero if exact match */
diff &= 0xffff; /* ditto */
diff += 0xffff; /* bit 16 set if "diff" was non-zero (on non-match) */
sign <<= 9; /* move the non-benign sign extension flag to bit 16 */
sign &= ~diff & safety; /* action needed? */
/*
* If we have determined that we need to deviate from the correct algorithm,
* flip bit 16 in initial expanded key. (The choice of 16 is arbitrary, but
* let's stick to it now. It came out of the approach we used above, and it's
* not any worse than any other choice we could make.)
*
* It is crucial that we don't do the same to the expanded key used in the main
* Eksblowfish loop. By doing it to only one of these two, we deviate from a
* state that could be directly specified by a password to the buggy algorithm
* (and to the fully correct one as well, but that's a side-effect).
*/
initial[0] ^= sign;
}
static int ibcrypt(uint8_t *dst,
size_t lenkey, const uint8_t *key,
size_t lenscheme, const uint8_t *scheme,
int minlog2rounds,
int log2rounds, const uint8_t *salt)
{
struct {
struct blowfish_ctx ctx;
bf_key expanded_key;
union {
uint32_t salt[4];
uint32_t output[6];
} binary;
} data;
uint8_t psalt[BLOWFISH_BCRYPT_BINSALT_SIZE];
uint32_t L, R;
uint32_t *ptr;
uint32_t count;
int i;
unsigned cscheme;
unsigned bug = 0;
uint32_t safety = 0;
if (lenscheme < 2)
return 0;
if (lenscheme >= 3 && *scheme++ != '$')
return 0;
if (*scheme++ != '2')
return 0;
switch (cscheme = *scheme++) {
default:
return 0;
case 'a': safety = 0x10000;
break;
case 'x': bug = 1;
break;
case 'b': case 'y':
break;
}
if (lenscheme >= 4) {
if (*scheme++ != '$')
return 0;
if (lenscheme >= 6) {
if (log2rounds < 0) {
unsigned c = *scheme++ - '0';
if (c > 9)
return 0;
log2rounds = c * 10;
c = *scheme++ - '0';
if (c > 9)
return 0;
log2rounds += c;
} else
scheme += 2;
if (lenscheme >= CRYPTPLEN && *scheme++ != '$')
return 0;
if (lenscheme >= HASHOFFSET && !salt) {
struct base64_decode_ctx ctx;
size_t saltlen = BLOWFISH_BCRYPT_BINSALT_SIZE;
base64_decode_init(&ctx);
ctx.table = radix64_decode_table;
if (!base64_decode_update(&ctx, &saltlen, (uint8_t *) data.binary.salt,
SALTLEN, (const char*) scheme)
|| saltlen != BLOWFISH_BCRYPT_BINSALT_SIZE)
return 0;
}
}
}
if (salt)
memcpy(data.binary.salt, salt, BLOWFISH_BCRYPT_BINSALT_SIZE);
else if (lenscheme < HASHOFFSET)
return 0;
memcpy(psalt, data.binary.salt, BLOWFISH_BCRYPT_BINSALT_SIZE);
bswap32_n_if_le (4, data.binary.salt);
if (log2rounds < minlog2rounds || log2rounds > 31)
return 0;
count = (uint32_t)1 << log2rounds;
set_xkey(lenkey, key, data.expanded_key, data.ctx.p, bug, safety);
memcpy(data.ctx.s, _nettle_blowfish_initial_ctx.s, sizeof(data.ctx.s));
L = R = 0;
for (i = 0; i < _BLOWFISH_ROUNDS + 2; i += 2) {
L ^= data.binary.salt[i & 2];
R ^= data.binary.salt[(i & 2) + 1];
_nettle_blowfish_encround(&data.ctx, &L, &R);
data.ctx.p[i] = L;
data.ctx.p[i + 1] = R;
}
ptr = data.ctx.s[0];
do {
ptr += 4;
L ^= data.binary.salt[(_BLOWFISH_ROUNDS + 2) & 3];
R ^= data.binary.salt[(_BLOWFISH_ROUNDS + 3) & 3];
_nettle_blowfish_encround(&data.ctx, &L, &R);
*(ptr - 4) = L;
*(ptr - 3) = R;
L ^= data.binary.salt[(_BLOWFISH_ROUNDS + 4) & 3];
R ^= data.binary.salt[(_BLOWFISH_ROUNDS + 5) & 3];
_nettle_blowfish_encround(&data.ctx, &L, &R);
*(ptr - 2) = L;
*(ptr - 1) = R;
} while (ptr < &data.ctx.s[3][0xFF]);
do {
int done;
for (i = 0; i < _BLOWFISH_ROUNDS + 2; i += 2) {
data.ctx.p[i] ^= data.expanded_key[i];
data.ctx.p[i + 1] ^= data.expanded_key[i + 1];
}
done = 0;
do {
uint32_t tmp1, tmp2, tmp3, tmp4;
L = R = 0;
ptr = data.ctx.p;
do {
ptr += 2;
_nettle_blowfish_encround(&data.ctx, &L, &R);
*(ptr - 2) = L;
*(ptr - 1) = R;
} while (ptr < &data.ctx.p[_BLOWFISH_ROUNDS + 2]);
ptr = data.ctx.s[0];
do {
ptr += 2;
_nettle_blowfish_encround(&data.ctx, &L, &R);
*(ptr - 2) = L;
*(ptr - 1) = R;
} while (ptr < &data.ctx.s[3][0xFF]);
if (done)
break;
done = 1;
tmp1 = data.binary.salt[0];
tmp2 = data.binary.salt[1];
tmp3 = data.binary.salt[2];
tmp4 = data.binary.salt[3];
for (i = 0; i < _BLOWFISH_ROUNDS; i += 4) {
data.ctx.p[i] ^= tmp1;
data.ctx.p[i + 1] ^= tmp2;
data.ctx.p[i + 2] ^= tmp3;
data.ctx.p[i + 3] ^= tmp4;
}
data.ctx.p[16] ^= tmp1;
data.ctx.p[17] ^= tmp2;
} while (1);
} while (--count);
for (i = 0; i < 6; i += 2) {
L = magic_w[i];
R = magic_w[i + 1];
count = 64;
do
_nettle_blowfish_encround(&data.ctx, &L, &R);
while (--count);
data.binary.output[i] = L;
data.binary.output[i + 1] = R;
}
*dst++ = '$';
*dst++ = '2';
*dst++ = cscheme;
*dst++ = '$';
*dst++ = '0' + log2rounds / 10;
*dst++ = '0' + log2rounds % 10;
*dst++ = '$';
dst = (uint8_t*)
encode_radix64((char*) dst, BLOWFISH_BCRYPT_BINSALT_SIZE, psalt) - 1;
bswap32_n_if_le (6, data.binary.output);
/* This has to be bug-compatible with the original implementation, so
only encode 23 of the 24 bytes. */
encode_radix64((char*) dst, 23, (uint8_t *) data.binary.output);
return cscheme;
}
/*
* Please preserve the runtime self-test. It serves two purposes at once:
*
* 1. We really can't afford the risk of producing incompatible hashes e.g.
* when there's something like gcc bug 26587 again, whereas an application or
* library integrating this code might not also integrate our external tests or
* it might not run them after every build. Even if it does, the miscompile
* might only occur on the production build, but not on a testing build (such
* as because of different optimization settings). It is painful to recover
* from incorrectly-computed hashes - merely fixing whatever broke is not
* enough. Thus, a proactive measure like this self-test is needed.
*
* 2. We don't want to leave sensitive data from our actual password hash
* computation on the stack or in registers. Previous revisions of the code
* would do explicit cleanups, but simply running the self-test after hash
* computation is more reliable.
*
* The performance cost of this quick self-test is around 0.6% at the "$2a$08"
* setting.
*/
int blowfish_bcrypt_hash(uint8_t *dst,
size_t lenkey, const uint8_t *key,
size_t lenscheme, const uint8_t *scheme,
int log2rounds, const uint8_t *salt)
{
const uint8_t test_pw[] = "8b \xd0\xc1\xd2\xcf\xcc\xd8";
const uint8_t test_scheme[] = "$2a$00$abcdefghijklmnopqrstuu";
static const char * const test_hashes[2] =
{"i1D709vfamulimlGcq0qq3UvuUasvEa\0\x55", /* 'a', 'b', 'y' */
"VUrPmXD6q/nVSSp7pNDhCR9071IfIRe\0\x55"}; /* 'x' */
const char *test_hash = test_hashes[0];
int cscheme;
int ok;
uint8_t bufs[sizeof(test_scheme) - 1];
uint8_t bufo[BLOWFISH_BCRYPT_HASH_SIZE];
*dst = '\0';
/* Hash the supplied password */
cscheme = ibcrypt(dst, lenkey, key, lenscheme, scheme, 4, log2rounds, salt);
/*
* Do a quick self-test. It is important that we make both calls to ibcrypt()
* from the same scope such that they likely use the same stack locations,
* which makes the second call overwrite the first call's sensitive data on the
* stack and makes it more likely that any alignment related issues would be
* detected by the self-test.
*/
memcpy(bufs, test_scheme, sizeof(test_scheme) - 1);
if (cscheme)
test_hash = test_hashes[(bufs[2] = cscheme) == 'x'];
*bufo = 0;
ok = ibcrypt(bufo, sizeof(test_pw) - 1, test_pw,
sizeof(bufs), bufs, 0, -1, (void*)0);
ok = (ok &&
!memcmp(bufo, bufs, sizeof(bufs)) &&
!memcmp(bufo + HASHOFFSET, test_hash, sizeof(test_hash) - 1));
{
const uint8_t k[] = "\xff\xa3" "34" "\xff\xff\xff\xa3" "345";
bf_key ae, ai, ye, yi;
set_xkey(sizeof(k) - 1, k, ae, ai, 0, 0x10000); /* $2a$ */
set_xkey(sizeof(k) - 1, k, ye, yi, 0, 0); /* $2y$ */
ai[0] ^= 0x10000; /* undo the safety (for comparison) */
ok = ok && ai[0] == 0xdb9c59bc && ye[17] == 0x33343500 &&
!memcmp(ae, ye, sizeof(ae)) &&
!memcmp(ai, yi, sizeof(ai));
}
return ok && !!cscheme;
}
blowfish-internal.h 0 → 100644
View file @ 99a9c929
/* blowfish-internal.h
Blowfish block cipher.
Copyright (C) 2014 Niels Möller
Copyright (C) 1998, 2001 FSF, Ray Dassen, Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#ifndef NETTLE_BLOWFISH_INTERNAL_H_INCLUDED
#define NETTLE_BLOWFISH_INTERNAL_H_INCLUDED
#include "nettle-types.h"
#ifdef __cplusplus
extern "C" {
#endif
extern const struct blowfish_ctx _nettle_blowfish_initial_ctx;
extern void _nettle_blowfish_encround (const struct blowfish_ctx *ctx,
uint32_t * ret_xl, uint32_t * ret_xr);
#ifdef __cplusplus
}
#endif
#endif /* NETTLE_BLOWFISH_INTERNAL_H_INCLUDED */
blowfish.c
View file @ 99a9c929
/* blowfish.c
*
* The blowfish block cipher.
*
* For a description of the algorithm, see:
The blowfish block cipher.
Copyright (C) 2014 Niels Möller
Copyright (C) 2010 Simon Josefsson
Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc.
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
/* For a description of the algorithm, see:
* Bruce Schneier: Applied Cryptography. John Wiley & Sons, 1996.
* ISBN 0-471-11709-9. Pages 336 ff.
*/
/* NOTE: This file is distributed under the GPL, not the LGPL. */
/* nettle, low-level cryptographics library
*
* Copyright (C) 1998, 2001
* Free Software Foundation, Inc, Ray Dassen, Niels Mller
*
* This file is part of GNUPG.
*
* GNUPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* GNUPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*/
/* This file is derived from cipher/blowfish.c in Libgcrypt v1.4.6.
The adaption to Nettle was made by Simon Josefsson on 2010-11-23.
Changes include removing the selftest, renaming u32/byte types to
uint32_t/uint8_t, renaming BLOWFISH_ROUNDS to _BLOWFISH_ROUNDS
(from Nettle's blowfish.h), dropping the libgcrypt wrapper
functions, fixing #include's, remove support for non-16 rounds
(there are no test vectors), adding FOR_BLOCK iterations, and
running indent on the code. */
#if HAVE_CONFIG_H
# include "config.h"
#include "config.h"
#endif
#include <assert.h>
#include "blowfish.h"
#include "blowfish-internal.h"
#include "macros.h"
/* Initial keysetup state */
static const struct blowfish_ctx
initial_ctx =
{ /* precomputed S boxes */
/* precomputed S boxes */
const struct blowfish_ctx
_nettle_blowfish_initial_ctx = {
{
{
0xD1310BA6,0x98DFB5AC,0x2FFD72DB,0xD01ADFB7,0xB8E1AFED,0x6A267E96,
0xBA7C9045,0xF12C7F99,0x24A19947,0xB3916CF7,0x0801F2E2,0x858EFC16,
0x636920D8,0x71574E69,0xA458FEA3,0xF4933D7E,0x0D95748F,0x728EB658,
0x718BCD58,0x82154AEE,0x7B54A41D,0xC25A59B5,0x9C30D539,0x2AF26013,
0xC5D1B023,0x286085F0,0xCA417918,0xB8DB38EF,0x8E79DCB0,0x603A180E,
0x6C9E0E8B,0xB01E8A3E,0xD71577C1,0xBD314B27,0x78AF2FDA,0x55605C60,
0xE65525F3,0xAA55AB94,0x57489862,0x63E81440,0x55CA396A,0x2AAB10B6,
0xB4CC5C34,0x1141E8CE,0xA15486AF,0x7C72E993,0xB3EE1411,0x636FBC2A,
0x2BA9C55D,0x741831F6,0xCE5C3E16,0x9B87931E,0xAFD6BA33,0x6C24CF5C,
0x7A325381,0x28958677,0x3B8F4898,0x6B4BB9AF,0xC4BFE81B,0x66282193,
0x61D809CC,0xFB21A991,0x487CAC60,0x5DEC8032,0xEF845D5D,0xE98575B1,
0xDC262302,0xEB651B88,0x23893E81,0xD396ACC5,0x0F6D6FF3,0x83F44239,
0x2E0B4482,0xA4842004,0x69C8F04A,0x9E1F9B5E,0x21C66842,0xF6E96C9A,
0x670C9C61,0xABD388F0,0x6A51A0D2,0xD8542F68,0x960FA728,0xAB5133A3,
0x6EEF0B6C,0x137A3BE4,0xBA3BF050,0x7EFB2A98,0xA1F1651D,0x39AF0176,
0x66CA593E,0x82430E88,0x8CEE8619,0x456F9FB4,0x7D84A5C3,0x3B8B5EBE,
0xE06F75D8,0x85C12073,0x401A449F,0x56C16AA6,0x4ED3AA62,0x363F7706,
0x1BFEDF72,0x429B023D,0x37D0D724,0xD00A1248,0xDB0FEAD3,0x49F1C09B,
0x075372C9,0x80991B7B,0x25D479D8,0xF6E8DEF7,0xE3FE501A,0xB6794C3B,
0x976CE0BD,0x04C006BA,0xC1A94FB6,0x409F60C4,0x5E5C9EC2,0x196A2463,
0x68FB6FAF,0x3E6C53B5,0x1339B2EB,0x3B52EC6F,0x6DFC511F,0x9B30952C,
0xCC814544,0xAF5EBD09,0xBEE3D004,0xDE334AFD,0x660F2807,0x192E4BB3,
0xC0CBA857,0x45C8740F,0xD20B5F39,0xB9D3FBDB,0x5579C0BD,0x1A60320A,
0xD6A100C6,0x402C7279,0x679F25FE,0xFB1FA3CC,0x8EA5E9F8,0xDB3222F8,
0x3C7516DF,0xFD616B15,0x2F501EC8,0xAD0552AB,0x323DB5FA,0xFD238760,
0x53317B48,0x3E00DF82,0x9E5C57BB,0xCA6F8CA0,0x1A87562E,0xDF1769DB,
0xD542A8F6,0x287EFFC3,0xAC6732C6,0x8C4F5573,0x695B27B0,0xBBCA58C8,
0xE1FFA35D,0xB8F011A0,0x10FA3D98,0xFD2183B8,0x4AFCB56C,0x2DD1D35B,
0x9A53E479,0xB6F84565,0xD28E49BC,0x4BFB9790,0xE1DDF2DA,0xA4CB7E33,
0x62FB1341,0xCEE4C6E8,0xEF20CADA,0x36774C01,0xD07E9EFE,0x2BF11FB4,
0x95DBDA4D,0xAE909198,0xEAAD8E71,0x6B93D5A0,0xD08ED1D0,0xAFC725E0,
0x8E3C5B2F,0x8E7594B7,0x8FF6E2FB,0xF2122B64,0x8888B812,0x900DF01C,
0x4FAD5EA0,0x688FC31C,0xD1CFF191,0xB3A8C1AD,0x2F2F2218,0xBE0E1777,
0xEA752DFE,0x8B021FA1,0xE5A0CC0F,0xB56F74E8,0x18ACF3D6,0xCE89E299,
0xB4A84FE0,0xFD13E0B7,0x7CC43B81,0xD2ADA8D9,0x165FA266,0x80957705,
0x93CC7314,0x211A1477,0xE6AD2065,0x77B5FA86,0xC75442F5,0xFB9D35CF,
0xEBCDAF0C,0x7B3E89A0,0xD6411BD3,0xAE1E7E49,0x00250E2D,0x2071B35E,
0x226800BB,0x57B8E0AF,0x2464369B,0xF009B91E,0x5563911D,0x59DFA6AA,
0x78C14389,0xD95A537F,0x207D5BA2,0x02E5B9C5,0x83260376,0x6295CFA9,
0x11C81968,0x4E734A41,0xB3472DCA,0x7B14A94A,0x1B510052,0x9A532915,
0xD60F573F,0xBC9BC6E4,0x2B60A476,0x81E67400,0x08BA6FB5,0x571BE91F,
0xF296EC6B,0x2A0DD915,0xB6636521,0xE7B9F9B6,0xFF34052E,0xC5855664,
0x53B02D5D,0xA99F8FA1,0x08BA4799,0x6E85076A
}, {
0x4B7A70E9,0xB5B32944,0xDB75092E,0xC4192623,0xAD6EA6B0,0x49A7DF7D,
0x9CEE60B8,0x8FEDB266,0xECAA8C71,0x699A17FF,0x5664526C,0xC2B19EE1,
0x193602A5,0x75094C29,0xA0591340,0xE4183A3E,0x3F54989A,0x5B429D65,
0x6B8FE4D6,0x99F73FD6,0xA1D29C07,0xEFE830F5,0x4D2D38E6,0xF0255DC1,
0x4CDD2086,0x8470EB26,0x6382E9C6,0x021ECC5E,0x09686B3F,0x3EBAEFC9,
0x3C971814,0x6B6A70A1,0x687F3584,0x52A0E286,0xB79C5305,0xAA500737,
0x3E07841C,0x7FDEAE5C,0x8E7D44EC,0x5716F2B8,0xB03ADA37,0xF0500C0D,
0xF01C1F04,0x0200B3FF,0xAE0CF51A,0x3CB574B2,0x25837A58,0xDC0921BD,
0xD19113F9,0x7CA92FF6,0x94324773,0x22F54701,0x3AE5E581,0x37C2DADC,
0xC8B57634,0x9AF3DDA7,0xA9446146,0x0FD0030E,0xECC8C73E,0xA4751E41,
0xE238CD99,0x3BEA0E2F,0x3280BBA1,0x183EB331,0x4E548B38,0x4F6DB908,
0x6F420D03,0xF60A04BF,0x2CB81290,0x24977C79,0x5679B072,0xBCAF89AF,
0xDE9A771F,0xD9930810,0xB38BAE12,0xDCCF3F2E,0x5512721F,0x2E6B7124,
0x501ADDE6,0x9F84CD87,0x7A584718,0x7408DA17,0xBC9F9ABC,0xE94B7D8C,
0xEC7AEC3A,0xDB851DFA,0x63094366,0xC464C3D2,0xEF1C1847,0x3215D908,
0xDD433B37,0x24C2BA16,0x12A14D43,0x2A65C451,0x50940002,0x133AE4DD,
0x71DFF89E,0x10314E55,0x81AC77D6,0x5F11199B,0x043556F1,0xD7A3C76B,
0x3C11183B,0x5924A509,0xF28FE6ED,0x97F1FBFA,0x9EBABF2C,0x1E153C6E,
0x86E34570,0xEAE96FB1,0x860E5E0A,0x5A3E2AB3,0x771FE71C,0x4E3D06FA,
0x2965DCB9,0x99E71D0F,0x803E89D6,0x5266C825,0x2E4CC978,0x9C10B36A,
0xC6150EBA,0x94E2EA78,0xA5FC3C53,0x1E0A2DF4,0xF2F74EA7,0x361D2B3D,
0x1939260F,0x19C27960,0x5223A708,0xF71312B6,0xEBADFE6E,0xEAC31F66,
0xE3BC4595,0xA67BC883,0xB17F37D1,0x018CFF28,0xC332DDEF,0xBE6C5AA5,
0x65582185,0x68AB9802,0xEECEA50F,0xDB2F953B,0x2AEF7DAD,0x5B6E2F84,
0x1521B628,0x29076170,0xECDD4775,0x619F1510,0x13CCA830,0xEB61BD96,
0x0334FE1E,0xAA0363CF,0xB5735C90,0x4C70A239,0xD59E9E0B,0xCBAADE14,
0xEECC86BC,0x60622CA7,0x9CAB5CAB,0xB2F3846E,0x648B1EAF,0x19BDF0CA,
0xA02369B9,0x655ABB50,0x40685A32,0x3C2AB4B3,0x319EE9D5,0xC021B8F7,
0x9B540B19,0x875FA099,0x95F7997E,0x623D7DA8,0xF837889A,0x97E32D77,
0x11ED935F,0x16681281,0x0E358829,0xC7E61FD6,0x96DEDFA1,0x7858BA99,
0x57F584A5,0x1B227263,0x9B83C3FF,0x1AC24696,0xCDB30AEB,0x532E3054,
0x8FD948E4,0x6DBC3128,0x58EBF2EF,0x34C6FFEA,0xFE28ED61,0xEE7C3C73,
0x5D4A14D9,0xE864B7E3,0x42105D14,0x203E13E0,0x45EEE2B6,0xA3AAABEA,
0xDB6C4F15,0xFACB4FD0,0xC742F442,0xEF6ABBB5,0x654F3B1D,0x41CD2105,
0xD81E799E,0x86854DC7,0xE44B476A,0x3D816250,0xCF62A1F2,0x5B8D2646,
0xFC8883A0,0xC1C7B6A3,0x7F1524C3,0x69CB7492,0x47848A0B,0x5692B285,
0x095BBF00,0xAD19489D,0x1462B174,0x23820E00,0x58428D2A,0x0C55F5EA,
0x1DADF43E,0x233F7061,0x3372F092,0x8D937E41,0xD65FECF1,0x6C223BDB,
0x7CDE3759,0xCBEE7460,0x4085F2A7,0xCE77326E,0xA6078084,0x19F8509E,
0xE8EFD855,0x61D99735,0xA969A7AA,0xC50C06C2,0x5A04ABFC,0x800BCADC,
0x9E447A2E,0xC3453484,0xFDD56705,0x0E1E9EC9,0xDB73DBD3,0x105588CD,
0x675FDA79,0xE3674340,0xC5C43465,0x713E38D8,0x3D28F89E,0xF16DFF20,
0x153E21E7,0x8FB03D4A,0xE6E39F2B,0xDB83ADF7
}, {
0xE93D5A68,0x948140F7,0xF64C261C,0x94692934,0x411520F7,0x7602D4F7,
0xBCF46B2E,0xD4A20068,0xD4082471,0x3320F46A,0x43B7D4B7,0x500061AF,
0x1E39F62E,0x97244546,0x14214F74,0xBF8B8840,0x4D95FC1D,0x96B591AF,
0x70F4DDD3,0x66A02F45,0xBFBC09EC,0x03BD9785,0x7FAC6DD0,0x31CB8504,
0x96EB27B3,0x55FD3941,0xDA2547E6,0xABCA0A9A,0x28507825,0x530429F4,
0x0A2C86DA,0xE9B66DFB,0x68DC1462,0xD7486900,0x680EC0A4,0x27A18DEE,
0x4F3FFEA2,0xE887AD8C,0xB58CE006,0x7AF4D6B6,0xAACE1E7C,0xD3375FEC,
0xCE78A399,0x406B2A42,0x20FE9E35,0xD9F385B9,0xEE39D7AB,0x3B124E8B,
0x1DC9FAF7,0x4B6D1856,0x26A36631,0xEAE397B2,0x3A6EFA74,0xDD5B4332,
0x6841E7F7,0xCA7820FB,0xFB0AF54E,0xD8FEB397,0x454056AC,0xBA489527,
0x55533A3A,0x20838D87,0xFE6BA9B7,0xD096954B,0x55A867BC,0xA1159A58,
0xCCA92963,0x99E1DB33,0xA62A4A56,0x3F3125F9,0x5EF47E1C,0x9029317C,
0xFDF8E802,0x04272F70,0x80BB155C,0x05282CE3,0x95C11548,0xE4C66D22,
0x48C1133F,0xC70F86DC,0x07F9C9EE,0x41041F0F,0x404779A4,0x5D886E17,
0x325F51EB,0xD59BC0D1,0xF2BCC18F,0x41113564,0x257B7834,0x602A9C60,
0xDFF8E8A3,0x1F636C1B,0x0E12B4C2,0x02E1329E,0xAF664FD1,0xCAD18115,
0x6B2395E0,0x333E92E1,0x3B240B62,0xEEBEB922,0x85B2A20E,0xE6BA0D99,
0xDE720C8C,0x2DA2F728,0xD0127845,0x95B794FD,0x647D0862,0xE7CCF5F0,
0x5449A36F,0x877D48FA,0xC39DFD27,0xF33E8D1E,0x0A476341,0x992EFF74,
0x3A6F6EAB,0xF4F8FD37,0xA812DC60,0xA1EBDDF8,0x991BE14C,0xDB6E6B0D,
0xC67B5510,0x6D672C37,0x2765D43B,0xDCD0E804,0xF1290DC7,0xCC00FFA3,
0xB5390F92,0x690FED0B,0x667B9FFB,0xCEDB7D9C,0xA091CF0B,0xD9155EA3,
0xBB132F88,0x515BAD24,0x7B9479BF,0x763BD6EB,0x37392EB3,0xCC115979,
0x8026E297,0xF42E312D,0x6842ADA7,0xC66A2B3B,0x12754CCC,0x782EF11C,
0x6A124237,0xB79251E7,0x06A1BBE6,0x4BFB6350,0x1A6B1018,0x11CAEDFA,
0x3D25BDD8,0xE2E1C3C9,0x44421659,0x0A121386,0xD90CEC6E,0xD5ABEA2A,
0x64AF674E,0xDA86A85F,0xBEBFE988,0x64E4C3FE,0x9DBC8057,0xF0F7C086,
0x60787BF8,0x6003604D,0xD1FD8346,0xF6381FB0,0x7745AE04,0xD736FCCC,
0x83426B33,0xF01EAB71,0xB0804187,0x3C005E5F,0x77A057BE,0xBDE8AE24,
0x55464299,0xBF582E61,0x4E58F48F,0xF2DDFDA2,0xF474EF38,0x8789BDC2,
0x5366F9C3,0xC8B38E74,0xB475F255,0x46FCD9B9,0x7AEB2661,0x8B1DDF84,
0x846A0E79,0x915F95E2,0x466E598E,0x20B45770,0x8CD55591,0xC902DE4C,
0xB90BACE1,0xBB8205D0,0x11A86248,0x7574A99E,0xB77F19B6,0xE0A9DC09,
0x662D09A1,0xC4324633,0xE85A1F02,0x09F0BE8C,0x4A99A025,0x1D6EFE10,
0x1AB93D1D,0x0BA5A4DF,0xA186F20F,0x2868F169,0xDCB7DA83,0x573906FE,
0xA1E2CE9B,0x4FCD7F52,0x50115E01,0xA70683FA,0xA002B5C4,0x0DE6D027,
0x9AF88C27,0x773F8641,0xC3604C06,0x61A806B5,0xF0177A28,0xC0F586E0,
0x006058AA,0x30DC7D62,0x11E69ED7,0x2338EA63,0x53C2DD94,0xC2C21634,
0xBBCBEE56,0x90BCB6DE,0xEBFC7DA1,0xCE591D76,0x6F05E409,0x4B7C0188,
0x39720A3D,0x7C927C24,0x86E3725F,0x724D9DB9,0x1AC15BB4,0xD39EB8FC,
0xED545578,0x08FCA5B5,0xD83D7CD3,0x4DAD0FC4,0x1E50EF5E,0xB161E6F8,
0xA28514D9,0x6C51133C,0x6FD5C7E7,0x56E14EC4,0x362ABFCE,0xDDC6C837,
0xD79A3234,0x92638212,0x670EFA8E,0x406000E0
}, {
0x3A39CE37,0xD3FAF5CF,0xABC27737,0x5AC52D1B,0x5CB0679E,0x4FA33742,
0xD3822740,0x99BC9BBE,0xD5118E9D,0xBF0F7315,0xD62D1C7E,0xC700C47B,
0xB78C1B6B,0x21A19045,0xB26EB1BE,0x6A366EB4,0x5748AB2F,0xBC946E79,
0xC6A376D2,0x6549C2C8,0x530FF8EE,0x468DDE7D,0xD5730A1D,0x4CD04DC6,
0x2939BBDB,0xA9BA4650,0xAC9526E8,0xBE5EE304,0xA1FAD5F0,0x6A2D519A,
0x63EF8CE2,0x9A86EE22,0xC089C2B8,0x43242EF6,0xA51E03AA,0x9CF2D0A4,
0x83C061BA,0x9BE96A4D,0x8FE51550,0xBA645BD6,0x2826A2F9,0xA73A3AE1,
0x4BA99586,0xEF5562E9,0xC72FEFD3,0xF752F7DA,0x3F046F69,0x77FA0A59,
0x80E4A915,0x87B08601,0x9B09E6AD,0x3B3EE593,0xE990FD5A,0x9E34D797,
0x2CF0B7D9,0x022B8B51,0x96D5AC3A,0x017DA67D,0xD1CF3ED6,0x7C7D2D28,
0x1F9F25CF,0xADF2B89B,0x5AD6B472,0x5A88F54C,0xE029AC71,0xE019A5E6,
0x47B0ACFD,0xED93FA9B,0xE8D3C48D,0x283B57CC,0xF8D56629,0x79132E28,
0x785F0191,0xED756055,0xF7960E44,0xE3D35E8C,0x15056DD4,0x88F46DBA,
0x03A16125,0x0564F0BD,0xC3EB9E15,0x3C9057A2,0x97271AEC,0xA93A072A,
0x1B3F6D9B,0x1E6321F5,0xF59C66FB,0x26DCF319,0x7533D928,0xB155FDF5,
0x03563482,0x8ABA3CBB,0x28517711,0xC20AD9F8,0xABCC5167,0xCCAD925F,
0x4DE81751,0x3830DC8E,0x379D5862,0x9320F991,0xEA7A90C2,0xFB3E7BCE,
0x5121CE64,0x774FBE32,0xA8B6E37E,0xC3293D46,0x48DE5369,0x6413E680,
0xA2AE0810,0xDD6DB224,0x69852DFD,0x09072166,0xB39A460A,0x6445C0DD,
0x586CDECF,0x1C20C8AE,0x5BBEF7DD,0x1B588D40,0xCCD2017F,0x6BB4E3BB,
0xDDA26A7E,0x3A59FF45,0x3E350A44,0xBCB4CDD5,0x72EACEA8,0xFA6484BB,
0x8D6612AE,0xBF3C6F47,0xD29BE463,0x542F5D9E,0xAEC2771B,0xF64E6370,
0x740E0D8D,0xE75B1357,0xF8721671,0xAF537D5D,0x4040CB08,0x4EB4E2CC,
0x34D2466A,0x0115AF84,0xE1B00428,0x95983A1D,0x06B89FB4,0xCE6EA048,
0x6F3F3B82,0x3520AB82,0x011A1D4B,0x277227F8,0x611560B1,0xE7933FDC,
0xBB3A792B,0x344525BD,0xA08839E1,0x51CE794B,0x2F32C9B7,0xA01FBAC9,
0xE01CC87E,0xBCC7D1F6,0xCF0111C3,0xA1E8AAC7,0x1A908749,0xD44FBD9A,
0xD0DADECB,0xD50ADA38,0x0339C32A,0xC6913667,0x8DF9317C,0xE0B12B4F,
0xF79E59B7,0x43F5BB3A,0xF2D519FF,0x27D9459C,0xBF97222C,0x15E6FC2A,
0x0F91FC71,0x9B941525,0xFAE59361,0xCEB69CEB,0xC2A86459,0x12BAA8D1,
0xB6C1075E,0xE3056A0C,0x10D25065,0xCB03A442,0xE0EC6E0E,0x1698DB3B,
0x4C98A0BE,0x3278E964,0x9F1F9532,0xE0D392DF,0xD3A0342B,0x8971F21E,
0x1B0A7441,0x4BA3348C,0xC5BE7120,0xC37632D8,0xDF359F8D,0x9B992F2E,
0xE60B6F47,0x0FE3F11D,0xE54CDA54,0x1EDAD891,0xCE6279CF,0xCD3E7E6F,
0x1618B166,0xFD2C1D05,0x848FD2C5,0xF6FB2299,0xF523F357,0xA6327623,
0x93A83531,0x56CCCD02,0xACF08162,0x5A75EBB5,0x6E163697,0x88D273CC,
0xDE966292,0x81B949D0,0x4C50901B,0x71C65614,0xE6C6C7BD,0x327A140A,
0x45E1D006,0xC3F27B9A,0xC9AA53FD,0x62A80F00,0xBB25BFE2,0x35BDD2F6,
0x71126905,0xB2040222,0xB6CBCF7C,0xCD769C2B,0x53113EC0,0x1640E3D3,
0x38ABBD60,0x2547ADF0,0xBA38209C,0xF746CE76,0x77AFA1C5,0x20756060,
0x85CBFE4E,0x8AE88DD8,0x7AAAF9B0,0x4CF9AA7E,0x1948C25C,0x02FB8A8C,
0x01C36AE4,0xD6EBE1F9,0x90D4F869,0xA65CDEA0,0x3F09252D,0xC208E69F,
0xB74E6132,0xCE77E25B,0x578FDFE3,0x3AC372E6
{ /* ks0 */
0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0xD01ADFB7, 0xB8E1AFED, 0x6A267E96,
0xBA7C9045, 0xF12C7F99, 0x24A19947, 0xB3916CF7, 0x0801F2E2, 0x858EFC16,
0x636920D8, 0x71574E69, 0xA458FEA3, 0xF4933D7E, 0x0D95748F, 0x728EB658,
0x718BCD58, 0x82154AEE, 0x7B54A41D, 0xC25A59B5, 0x9C30D539, 0x2AF26013,
0xC5D1B023, 0x286085F0, 0xCA417918, 0xB8DB38EF, 0x8E79DCB0, 0x603A180E,
0x6C9E0E8B, 0xB01E8A3E, 0xD71577C1, 0xBD314B27, 0x78AF2FDA, 0x55605C60,
0xE65525F3, 0xAA55AB94, 0x57489862, 0x63E81440, 0x55CA396A, 0x2AAB10B6,
0xB4CC5C34, 0x1141E8CE, 0xA15486AF, 0x7C72E993, 0xB3EE1411, 0x636FBC2A,
0x2BA9C55D, 0x741831F6, 0xCE5C3E16, 0x9B87931E, 0xAFD6BA33, 0x6C24CF5C,
0x7A325381, 0x28958677, 0x3B8F4898, 0x6B4BB9AF, 0xC4BFE81B, 0x66282193,
0x61D809CC, 0xFB21A991, 0x487CAC60, 0x5DEC8032, 0xEF845D5D, 0xE98575B1,
0xDC262302, 0xEB651B88, 0x23893E81, 0xD396ACC5, 0x0F6D6FF3, 0x83F44239,
0x2E0B4482, 0xA4842004, 0x69C8F04A, 0x9E1F9B5E, 0x21C66842, 0xF6E96C9A,
0x670C9C61, 0xABD388F0, 0x6A51A0D2, 0xD8542F68, 0x960FA728, 0xAB5133A3,
0x6EEF0B6C, 0x137A3BE4, 0xBA3BF050, 0x7EFB2A98, 0xA1F1651D, 0x39AF0176,
0x66CA593E, 0x82430E88, 0x8CEE8619, 0x456F9FB4, 0x7D84A5C3, 0x3B8B5EBE,
0xE06F75D8, 0x85C12073, 0x401A449F, 0x56C16AA6, 0x4ED3AA62, 0x363F7706,
0x1BFEDF72, 0x429B023D, 0x37D0D724, 0xD00A1248, 0xDB0FEAD3, 0x49F1C09B,
0x075372C9, 0x80991B7B, 0x25D479D8, 0xF6E8DEF7, 0xE3FE501A, 0xB6794C3B,
0x976CE0BD, 0x04C006BA, 0xC1A94FB6, 0x409F60C4, 0x5E5C9EC2, 0x196A2463,
0x68FB6FAF, 0x3E6C53B5, 0x1339B2EB, 0x3B52EC6F, 0x6DFC511F, 0x9B30952C,
0xCC814544, 0xAF5EBD09, 0xBEE3D004, 0xDE334AFD, 0x660F2807, 0x192E4BB3,
0xC0CBA857, 0x45C8740F, 0xD20B5F39, 0xB9D3FBDB, 0x5579C0BD, 0x1A60320A,
0xD6A100C6, 0x402C7279, 0x679F25FE, 0xFB1FA3CC, 0x8EA5E9F8, 0xDB3222F8,
0x3C7516DF, 0xFD616B15, 0x2F501EC8, 0xAD0552AB, 0x323DB5FA, 0xFD238760,
0x53317B48, 0x3E00DF82, 0x9E5C57BB, 0xCA6F8CA0, 0x1A87562E, 0xDF1769DB,
0xD542A8F6, 0x287EFFC3, 0xAC6732C6, 0x8C4F5573, 0x695B27B0, 0xBBCA58C8,
0xE1FFA35D, 0xB8F011A0, 0x10FA3D98, 0xFD2183B8, 0x4AFCB56C, 0x2DD1D35B,
0x9A53E479, 0xB6F84565, 0xD28E49BC, 0x4BFB9790, 0xE1DDF2DA, 0xA4CB7E33,
0x62FB1341, 0xCEE4C6E8, 0xEF20CADA, 0x36774C01, 0xD07E9EFE, 0x2BF11FB4,
0x95DBDA4D, 0xAE909198, 0xEAAD8E71, 0x6B93D5A0, 0xD08ED1D0, 0xAFC725E0,
0x8E3C5B2F, 0x8E7594B7, 0x8FF6E2FB, 0xF2122B64, 0x8888B812, 0x900DF01C,
0x4FAD5EA0, 0x688FC31C, 0xD1CFF191, 0xB3A8C1AD, 0x2F2F2218, 0xBE0E1777,
0xEA752DFE, 0x8B021FA1, 0xE5A0CC0F, 0xB56F74E8, 0x18ACF3D6, 0xCE89E299,
0xB4A84FE0, 0xFD13E0B7, 0x7CC43B81, 0xD2ADA8D9, 0x165FA266, 0x80957705,
0x93CC7314, 0x211A1477, 0xE6AD2065, 0x77B5FA86, 0xC75442F5, 0xFB9D35CF,
0xEBCDAF0C, 0x7B3E89A0, 0xD6411BD3, 0xAE1E7E49, 0x00250E2D, 0x2071B35E,
0x226800BB, 0x57B8E0AF, 0x2464369B, 0xF009B91E, 0x5563911D, 0x59DFA6AA,
0x78C14389, 0xD95A537F, 0x207D5BA2, 0x02E5B9C5, 0x83260376, 0x6295CFA9,
0x11C81968, 0x4E734A41, 0xB3472DCA, 0x7B14A94A, 0x1B510052, 0x9A532915,
0xD60F573F, 0xBC9BC6E4, 0x2B60A476, 0x81E67400, 0x08BA6FB5, 0x571BE91F,
0xF296EC6B, 0x2A0DD915, 0xB6636521, 0xE7B9F9B6, 0xFF34052E, 0xC5855664,
0x53B02D5D, 0xA99F8FA1, 0x08BA4799, 0x6E85076A
},
{ /* ks1 */
0x4B7A70E9, 0xB5B32944, 0xDB75092E, 0xC4192623, 0xAD6EA6B0, 0x49A7DF7D,
0x9CEE60B8, 0x8FEDB266, 0xECAA8C71, 0x699A17FF, 0x5664526C, 0xC2B19EE1,
0x193602A5, 0x75094C29, 0xA0591340, 0xE4183A3E, 0x3F54989A, 0x5B429D65,
0x6B8FE4D6, 0x99F73FD6, 0xA1D29C07, 0xEFE830F5, 0x4D2D38E6, 0xF0255DC1,
0x4CDD2086, 0x8470EB26, 0x6382E9C6, 0x021ECC5E, 0x09686B3F, 0x3EBAEFC9,
0x3C971814, 0x6B6A70A1, 0x687F3584, 0x52A0E286, 0xB79C5305, 0xAA500737,
0x3E07841C, 0x7FDEAE5C, 0x8E7D44EC, 0x5716F2B8, 0xB03ADA37, 0xF0500C0D,
0xF01C1F04, 0x0200B3FF, 0xAE0CF51A, 0x3CB574B2, 0x25837A58, 0xDC0921BD,
0xD19113F9, 0x7CA92FF6, 0x94324773, 0x22F54701, 0x3AE5E581, 0x37C2DADC,
0xC8B57634, 0x9AF3DDA7, 0xA9446146, 0x0FD0030E, 0xECC8C73E, 0xA4751E41,
0xE238CD99, 0x3BEA0E2F, 0x3280BBA1, 0x183EB331, 0x4E548B38, 0x4F6DB908,
0x6F420D03, 0xF60A04BF, 0x2CB81290, 0x24977C79, 0x5679B072, 0xBCAF89AF,
0xDE9A771F, 0xD9930810, 0xB38BAE12, 0xDCCF3F2E, 0x5512721F, 0x2E6B7124,
0x501ADDE6, 0x9F84CD87, 0x7A584718, 0x7408DA17, 0xBC9F9ABC, 0xE94B7D8C,
0xEC7AEC3A, 0xDB851DFA, 0x63094366, 0xC464C3D2, 0xEF1C1847, 0x3215D908,
0xDD433B37, 0x24C2BA16, 0x12A14D43, 0x2A65C451, 0x50940002, 0x133AE4DD,
0x71DFF89E, 0x10314E55, 0x81AC77D6, 0x5F11199B, 0x043556F1, 0xD7A3C76B,
0x3C11183B, 0x5924A509, 0xF28FE6ED, 0x97F1FBFA, 0x9EBABF2C, 0x1E153C6E,
0x86E34570, 0xEAE96FB1, 0x860E5E0A, 0x5A3E2AB3, 0x771FE71C, 0x4E3D06FA,
0x2965DCB9, 0x99E71D0F, 0x803E89D6, 0x5266C825, 0x2E4CC978, 0x9C10B36A,
0xC6150EBA, 0x94E2EA78, 0xA5FC3C53, 0x1E0A2DF4, 0xF2F74EA7, 0x361D2B3D,
0x1939260F, 0x19C27960, 0x5223A708, 0xF71312B6, 0xEBADFE6E, 0xEAC31F66,
0xE3BC4595, 0xA67BC883, 0xB17F37D1, 0x018CFF28, 0xC332DDEF, 0xBE6C5AA5,
0x65582185, 0x68AB9802, 0xEECEA50F, 0xDB2F953B, 0x2AEF7DAD, 0x5B6E2F84,
0x1521B628, 0x29076170, 0xECDD4775, 0x619F1510, 0x13CCA830, 0xEB61BD96,
0x0334FE1E, 0xAA0363CF, 0xB5735C90, 0x4C70A239, 0xD59E9E0B, 0xCBAADE14,
0xEECC86BC, 0x60622CA7, 0x9CAB5CAB, 0xB2F3846E, 0x648B1EAF, 0x19BDF0CA,
0xA02369B9, 0x655ABB50, 0x40685A32, 0x3C2AB4B3, 0x319EE9D5, 0xC021B8F7,
0x9B540B19, 0x875FA099, 0x95F7997E, 0x623D7DA8, 0xF837889A, 0x97E32D77,
0x11ED935F, 0x16681281, 0x0E358829, 0xC7E61FD6, 0x96DEDFA1, 0x7858BA99,
0x57F584A5, 0x1B227263, 0x9B83C3FF, 0x1AC24696, 0xCDB30AEB, 0x532E3054,
0x8FD948E4, 0x6DBC3128, 0x58EBF2EF, 0x34C6FFEA, 0xFE28ED61, 0xEE7C3C73,
0x5D4A14D9, 0xE864B7E3, 0x42105D14, 0x203E13E0, 0x45EEE2B6, 0xA3AAABEA,
0xDB6C4F15, 0xFACB4FD0, 0xC742F442, 0xEF6ABBB5, 0x654F3B1D, 0x41CD2105,
0xD81E799E, 0x86854DC7, 0xE44B476A, 0x3D816250, 0xCF62A1F2, 0x5B8D2646,
0xFC8883A0, 0xC1C7B6A3, 0x7F1524C3, 0x69CB7492, 0x47848A0B, 0x5692B285,
0x095BBF00, 0xAD19489D, 0x1462B174, 0x23820E00, 0x58428D2A, 0x0C55F5EA,
0x1DADF43E, 0x233F7061, 0x3372F092, 0x8D937E41, 0xD65FECF1, 0x6C223BDB,
0x7CDE3759, 0xCBEE7460, 0x4085F2A7, 0xCE77326E, 0xA6078084, 0x19F8509E,
0xE8EFD855, 0x61D99735, 0xA969A7AA, 0xC50C06C2, 0x5A04ABFC, 0x800BCADC,
0x9E447A2E, 0xC3453484, 0xFDD56705, 0x0E1E9EC9, 0xDB73DBD3, 0x105588CD,
0x675FDA79, 0xE3674340, 0xC5C43465, 0x713E38D8, 0x3D28F89E, 0xF16DFF20,
0x153E21E7, 0x8FB03D4A, 0xE6E39F2B, 0xDB83ADF7
},
{ /* ks2 */
0xE93D5A68, 0x948140F7, 0xF64C261C, 0x94692934, 0x411520F7, 0x7602D4F7,
0xBCF46B2E, 0xD4A20068, 0xD4082471, 0x3320F46A, 0x43B7D4B7, 0x500061AF,
0x1E39F62E, 0x97244546, 0x14214F74, 0xBF8B8840, 0x4D95FC1D, 0x96B591AF,
0x70F4DDD3, 0x66A02F45, 0xBFBC09EC, 0x03BD9785, 0x7FAC6DD0, 0x31CB8504,
0x96EB27B3, 0x55FD3941, 0xDA2547E6, 0xABCA0A9A, 0x28507825, 0x530429F4,
0x0A2C86DA, 0xE9B66DFB, 0x68DC1462, 0xD7486900, 0x680EC0A4, 0x27A18DEE,
0x4F3FFEA2, 0xE887AD8C, 0xB58CE006, 0x7AF4D6B6, 0xAACE1E7C, 0xD3375FEC,
0xCE78A399, 0x406B2A42, 0x20FE9E35, 0xD9F385B9, 0xEE39D7AB, 0x3B124E8B,
0x1DC9FAF7, 0x4B6D1856, 0x26A36631, 0xEAE397B2, 0x3A6EFA74, 0xDD5B4332,
0x6841E7F7, 0xCA7820FB, 0xFB0AF54E, 0xD8FEB397, 0x454056AC, 0xBA489527,
0x55533A3A, 0x20838D87, 0xFE6BA9B7, 0xD096954B, 0x55A867BC, 0xA1159A58,
0xCCA92963, 0x99E1DB33, 0xA62A4A56, 0x3F3125F9, 0x5EF47E1C, 0x9029317C,
0xFDF8E802, 0x04272F70, 0x80BB155C, 0x05282CE3, 0x95C11548, 0xE4C66D22,
0x48C1133F, 0xC70F86DC, 0x07F9C9EE, 0x41041F0F, 0x404779A4, 0x5D886E17,
0x325F51EB, 0xD59BC0D1, 0xF2BCC18F, 0x41113564, 0x257B7834, 0x602A9C60,
0xDFF8E8A3, 0x1F636C1B, 0x0E12B4C2, 0x02E1329E, 0xAF664FD1, 0xCAD18115,
0x6B2395E0, 0x333E92E1, 0x3B240B62, 0xEEBEB922, 0x85B2A20E, 0xE6BA0D99,
0xDE720C8C, 0x2DA2F728, 0xD0127845, 0x95B794FD, 0x647D0862, 0xE7CCF5F0,
0x5449A36F, 0x877D48FA, 0xC39DFD27, 0xF33E8D1E, 0x0A476341, 0x992EFF74,
0x3A6F6EAB, 0xF4F8FD37, 0xA812DC60, 0xA1EBDDF8, 0x991BE14C, 0xDB6E6B0D,
0xC67B5510, 0x6D672C37, 0x2765D43B, 0xDCD0E804, 0xF1290DC7, 0xCC00FFA3,
0xB5390F92, 0x690FED0B, 0x667B9FFB, 0xCEDB7D9C, 0xA091CF0B, 0xD9155EA3,
0xBB132F88, 0x515BAD24, 0x7B9479BF, 0x763BD6EB, 0x37392EB3, 0xCC115979,
0x8026E297, 0xF42E312D, 0x6842ADA7, 0xC66A2B3B, 0x12754CCC, 0x782EF11C,
0x6A124237, 0xB79251E7, 0x06A1BBE6, 0x4BFB6350, 0x1A6B1018, 0x11CAEDFA,
0x3D25BDD8, 0xE2E1C3C9, 0x44421659, 0x0A121386, 0xD90CEC6E, 0xD5ABEA2A,
0x64AF674E, 0xDA86A85F, 0xBEBFE988, 0x64E4C3FE, 0x9DBC8057, 0xF0F7C086,
0x60787BF8, 0x6003604D, 0xD1FD8346, 0xF6381FB0, 0x7745AE04, 0xD736FCCC,
0x83426B33, 0xF01EAB71, 0xB0804187, 0x3C005E5F, 0x77A057BE, 0xBDE8AE24,
0x55464299, 0xBF582E61, 0x4E58F48F, 0xF2DDFDA2, 0xF474EF38, 0x8789BDC2,
0x5366F9C3, 0xC8B38E74, 0xB475F255, 0x46FCD9B9, 0x7AEB2661, 0x8B1DDF84,
0x846A0E79, 0x915F95E2, 0x466E598E, 0x20B45770, 0x8CD55591, 0xC902DE4C,
0xB90BACE1, 0xBB8205D0, 0x11A86248, 0x7574A99E, 0xB77F19B6, 0xE0A9DC09,
0x662D09A1, 0xC4324633, 0xE85A1F02, 0x09F0BE8C, 0x4A99A025, 0x1D6EFE10,
0x1AB93D1D, 0x0BA5A4DF, 0xA186F20F, 0x2868F169, 0xDCB7DA83, 0x573906FE,
0xA1E2CE9B, 0x4FCD7F52, 0x50115E01, 0xA70683FA, 0xA002B5C4, 0x0DE6D027,
0x9AF88C27, 0x773F8641, 0xC3604C06, 0x61A806B5, 0xF0177A28, 0xC0F586E0,
0x006058AA, 0x30DC7D62, 0x11E69ED7, 0x2338EA63, 0x53C2DD94, 0xC2C21634,
0xBBCBEE56, 0x90BCB6DE, 0xEBFC7DA1, 0xCE591D76, 0x6F05E409, 0x4B7C0188,
0x39720A3D, 0x7C927C24, 0x86E3725F, 0x724D9DB9, 0x1AC15BB4, 0xD39EB8FC,
0xED545578, 0x08FCA5B5, 0xD83D7CD3, 0x4DAD0FC4, 0x1E50EF5E, 0xB161E6F8,
0xA28514D9, 0x6C51133C, 0x6FD5C7E7, 0x56E14EC4, 0x362ABFCE, 0xDDC6C837,
0xD79A3234, 0x92638212, 0x670EFA8E, 0x406000E0
},
{ /* ks3 */
0x3A39CE37, 0xD3FAF5CF, 0xABC27737, 0x5AC52D1B, 0x5CB0679E, 0x4FA33742,
0xD3822740, 0x99BC9BBE, 0xD5118E9D, 0xBF0F7315, 0xD62D1C7E, 0xC700C47B,
0xB78C1B6B, 0x21A19045, 0xB26EB1BE, 0x6A366EB4, 0x5748AB2F, 0xBC946E79,
0xC6A376D2, 0x6549C2C8, 0x530FF8EE, 0x468DDE7D, 0xD5730A1D, 0x4CD04DC6,
0x2939BBDB, 0xA9BA4650, 0xAC9526E8, 0xBE5EE304, 0xA1FAD5F0, 0x6A2D519A,
0x63EF8CE2, 0x9A86EE22, 0xC089C2B8, 0x43242EF6, 0xA51E03AA, 0x9CF2D0A4,
0x83C061BA, 0x9BE96A4D, 0x8FE51550, 0xBA645BD6, 0x2826A2F9, 0xA73A3AE1,
0x4BA99586, 0xEF5562E9, 0xC72FEFD3, 0xF752F7DA, 0x3F046F69, 0x77FA0A59,
0x80E4A915, 0x87B08601, 0x9B09E6AD, 0x3B3EE593, 0xE990FD5A, 0x9E34D797,
0x2CF0B7D9, 0x022B8B51, 0x96D5AC3A, 0x017DA67D, 0xD1CF3ED6, 0x7C7D2D28,
0x1F9F25CF, 0xADF2B89B, 0x5AD6B472, 0x5A88F54C, 0xE029AC71, 0xE019A5E6,
0x47B0ACFD, 0xED93FA9B, 0xE8D3C48D, 0x283B57CC, 0xF8D56629, 0x79132E28,
0x785F0191, 0xED756055, 0xF7960E44, 0xE3D35E8C, 0x15056DD4, 0x88F46DBA,
0x03A16125, 0x0564F0BD, 0xC3EB9E15, 0x3C9057A2, 0x97271AEC, 0xA93A072A,
0x1B3F6D9B, 0x1E6321F5, 0xF59C66FB, 0x26DCF319, 0x7533D928, 0xB155FDF5,
0x03563482, 0x8ABA3CBB, 0x28517711, 0xC20AD9F8, 0xABCC5167, 0xCCAD925F,
0x4DE81751, 0x3830DC8E, 0x379D5862, 0x9320F991, 0xEA7A90C2, 0xFB3E7BCE,
0x5121CE64, 0x774FBE32, 0xA8B6E37E, 0xC3293D46, 0x48DE5369, 0x6413E680,
0xA2AE0810, 0xDD6DB224, 0x69852DFD, 0x09072166, 0xB39A460A, 0x6445C0DD,
0x586CDECF, 0x1C20C8AE, 0x5BBEF7DD, 0x1B588D40, 0xCCD2017F, 0x6BB4E3BB,
0xDDA26A7E, 0x3A59FF45, 0x3E350A44, 0xBCB4CDD5, 0x72EACEA8, 0xFA6484BB,
0x8D6612AE, 0xBF3C6F47, 0xD29BE463, 0x542F5D9E, 0xAEC2771B, 0xF64E6370,
0x740E0D8D, 0xE75B1357, 0xF8721671, 0xAF537D5D, 0x4040CB08, 0x4EB4E2CC,
0x34D2466A, 0x0115AF84, 0xE1B00428, 0x95983A1D, 0x06B89FB4, 0xCE6EA048,
0x6F3F3B82, 0x3520AB82, 0x011A1D4B, 0x277227F8, 0x611560B1, 0xE7933FDC,
0xBB3A792B, 0x344525BD, 0xA08839E1, 0x51CE794B, 0x2F32C9B7, 0xA01FBAC9,
0xE01CC87E, 0xBCC7D1F6, 0xCF0111C3, 0xA1E8AAC7, 0x1A908749, 0xD44FBD9A,
0xD0DADECB, 0xD50ADA38, 0x0339C32A, 0xC6913667, 0x8DF9317C, 0xE0B12B4F,
0xF79E59B7, 0x43F5BB3A, 0xF2D519FF, 0x27D9459C, 0xBF97222C, 0x15E6FC2A,
0x0F91FC71, 0x9B941525, 0xFAE59361, 0xCEB69CEB, 0xC2A86459, 0x12BAA8D1,
0xB6C1075E, 0xE3056A0C, 0x10D25065, 0xCB03A442, 0xE0EC6E0E, 0x1698DB3B,
0x4C98A0BE, 0x3278E964, 0x9F1F9532, 0xE0D392DF, 0xD3A0342B, 0x8971F21E,
0x1B0A7441, 0x4BA3348C, 0xC5BE7120, 0xC37632D8, 0xDF359F8D, 0x9B992F2E,
0xE60B6F47, 0x0FE3F11D, 0xE54CDA54, 0x1EDAD891, 0xCE6279CF, 0xCD3E7E6F,
0x1618B166, 0xFD2C1D05, 0x848FD2C5, 0xF6FB2299, 0xF523F357, 0xA6327623,
0x93A83531, 0x56CCCD02, 0xACF08162, 0x5A75EBB5, 0x6E163697, 0x88D273CC,
0xDE966292, 0x81B949D0, 0x4C50901B, 0x71C65614, 0xE6C6C7BD, 0x327A140A,
0x45E1D006, 0xC3F27B9A, 0xC9AA53FD, 0x62A80F00, 0xBB25BFE2, 0x35BDD2F6,
0x71126905, 0xB2040222, 0xB6CBCF7C, 0xCD769C2B, 0x53113EC0, 0x1640E3D3,
0x38ABBD60, 0x2547ADF0, 0xBA38209C, 0xF746CE76, 0x77AFA1C5, 0x20756060,
0x85CBFE4E, 0x8AE88DD8, 0x7AAAF9B0, 0x4CF9AA7E, 0x1948C25C, 0x02FB8A8C,
0x01C36AE4, 0xD6EBE1F9, 0x90D4F869, 0xA65CDEA0, 0x3F09252D, 0xC208E69F,
0xB74E6132, 0xCE77E25B, 0x578FDFE3, 0x3AC372E6
}
},
/* p constants */
{
0x243F6A88,0x85A308D3,0x13198A2E,0x03707344,0xA4093822,0x299F31D0,
0x082EFA98,0xEC4E6C89,0x452821E6,0x38D01377,0xBE5466CF,0x34E90C6C,
0xC0AC29B7,0xC97C50DD,0x3F84D5B5,0xB5470917,0x9216D5D9,0x8979FB1B
},
/* Initial value, reset after key is checked. */
BLOWFISH_WEAK_KEY
{ /* ps */
0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0,
0x082EFA98, 0xEC4E6C89, 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C,
0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917, 0x9216D5D9, 0x8979FB1B
}
};
/* It's unfortunate to have to pick the bytes apart in the round
* function. Werner's GNUPG code stored took the address of x, and
* then read the individual bytes depending on the endianness. But xr
* and xl ought to live in registers, so I'm not sure that really is a
* good way to do it. */
* function. Werner's gnupg/libgcrypt code took the address of x, and
* then read the individual bytes depending on the endianness. But
* since xr and xl ought to live in registers, copying via memory is a
* bad idea. */
#define F(c, x) \
((( (c->s[0][(x>>24) &0xff] + c->s[1][(x>>16) & 0xff]) \
^ c->s[2][(x>>8) & 0xff]) + c->s[3][x & 0xff]) & 0xffffffff)
#define R(c, l, r, i) do { l ^= c->p[i]; r ^= F(c, l); } while(0)
#define R(c, l,r,i) do { l ^= c->p[i]; r ^= F(c,l); } while(0)
static void
encrypt(struct blowfish_ctx *bc, uint32_t *ret_xl, uint32_t *ret_xr)
void
_nettle_blowfish_encround (const struct blowfish_ctx *ctx, uint32_t * ret_xl,
uint32_t * ret_xr)
{
uint32_t xl, xr;
xl = *ret_xl;
xr = *ret_xr;
R(bc, xl, xr, 0);
R(bc, xr, xl, 1);
R(bc, xl, xr, 2);
R(bc, xr, xl, 3);
R(bc, xl, xr, 4);
R(bc, xr, xl, 5);
R(bc, xl, xr, 6);
R(bc, xr, xl, 7);
R(bc, xl, xr, 8);
R(bc, xr, xl, 9);
R(bc, xl, xr, 10);
R(bc, xr, xl, 11);
R(bc, xl, xr, 12);
R(bc, xr, xl, 13);
R(bc, xl, xr, 14);
R(bc, xr, xl, 15);
xl ^= bc->p[_BLOWFISH_ROUNDS];
xr ^= bc->p[_BLOWFISH_ROUNDS+1];
R (ctx, xl, xr, 0);
R (ctx, xr, xl, 1);
R (ctx, xl, xr, 2);
R (ctx, xr, xl, 3);
R (ctx, xl, xr, 4);
R (ctx, xr, xl, 5);
R (ctx, xl, xr, 6);
R (ctx, xr, xl, 7);
R (ctx, xl, xr, 8);
R (ctx, xr, xl, 9);
R (ctx, xl, xr, 10);
R (ctx, xr, xl, 11);
R (ctx, xl, xr, 12);
R (ctx, xr, xl, 13);
R (ctx, xl, xr, 14);
R (ctx, xr, xl, 15);
xl ^= ctx->p[_BLOWFISH_ROUNDS];
xr ^= ctx->p[_BLOWFISH_ROUNDS + 1];
*ret_xl = xr;
*ret_xr = xl;
}
static void
decrypt(struct blowfish_ctx *bc, uint32_t *ret_xl, uint32_t *ret_xr )
decround (const struct blowfish_ctx *ctx, uint32_t * ret_xl, uint32_t * ret_xr)
{
uint32_t xl, xr;
xl = *ret_xl;
xr = *ret_xr;
R(bc, xl, xr, 17);
R(bc, xr, xl, 16);
R(bc, xl, xr, 15);
R(bc, xr, xl, 14);
R(bc, xl, xr, 13);
R(bc, xr, xl, 12);
R(bc, xl, xr, 11);
R(bc, xr, xl, 10);
R(bc, xl, xr, 9);
R(bc, xr, xl, 8);
R(bc, xl, xr, 7);
R(bc, xr, xl, 6);
R(bc, xl, xr, 5);
R(bc, xr, xl, 4);
R(bc, xl, xr, 3);
R(bc, xr, xl, 2);
xl ^= bc->p[1];
xr ^= bc->p[0];
R (ctx, xl, xr, 17);
R (ctx, xr, xl, 16);
R (ctx, xl, xr, 15);
R (ctx, xr, xl, 14);
R (ctx, xl, xr, 13);
R (ctx, xr, xl, 12);
R (ctx, xl, xr, 11);
R (ctx, xr, xl, 10);
R (ctx, xl, xr, 9);
R (ctx, xr, xl, 8);
R (ctx, xl, xr, 7);
R (ctx, xr, xl, 6);
R (ctx, xl, xr, 5);
R (ctx, xr, xl, 4);
R (ctx, xl, xr, 3);
R (ctx, xr, xl, 2);
xl ^= ctx->p[1];
xr ^= ctx->p[0];
*ret_xl = xr;
*ret_xr = xl;
......@@ -313,113 +331,103 @@ decrypt(struct blowfish_ctx *bc, uint32_t *ret_xl, uint32_t *ret_xr )
#undef R
void
blowfish_encrypt(struct blowfish_ctx *bc, unsigned length,
uint8_t *outbuf, const uint8_t *inbuf)
blowfish_encrypt (const struct blowfish_ctx *ctx,
size_t length, uint8_t * dst, const uint8_t * src)
{
uint32_t d1, d2;
assert(!bc->status);
FOR_BLOCKS(length, outbuf, inbuf, BLOWFISH_BLOCK_SIZE)
{
d1 = READ_UINT32(inbuf);
d2 = READ_UINT32(inbuf+ 4);
encrypt( bc, &d1, &d2 );
WRITE_UINT32(outbuf, d1);
WRITE_UINT32(outbuf + 4, d2);
}
FOR_BLOCKS (length, dst, src, BLOWFISH_BLOCK_SIZE)
{
uint32_t d1, d2;
d1 = READ_UINT32(src);
d2 = READ_UINT32(src+4);
_nettle_blowfish_encround (ctx, &d1, &d2);
dst[0] = (d1 >> 24) & 0xff;
dst[1] = (d1 >> 16) & 0xff;
dst[2] = (d1 >> 8) & 0xff;
dst[3] = d1 & 0xff;
dst[4] = (d2 >> 24) & 0xff;
dst[5] = (d2 >> 16) & 0xff;
dst[6] = (d2 >> 8) & 0xff;
dst[7] = d2 & 0xff;
}
}
void
blowfish_decrypt(struct blowfish_ctx *bc, unsigned length,
uint8_t *outbuf, const uint8_t *inbuf )
blowfish_decrypt (const struct blowfish_ctx *ctx,
size_t length, uint8_t * dst, const uint8_t * src)
{
uint32_t d1, d2;
assert(!bc->status);
FOR_BLOCKS(length, outbuf, inbuf, BLOWFISH_BLOCK_SIZE)
{
d1 = READ_UINT32(inbuf);
d2 = READ_UINT32(inbuf+ 4);
decrypt( bc, &d1, &d2 );
WRITE_UINT32(outbuf, d1);
WRITE_UINT32(outbuf + 4, d2);
}
FOR_BLOCKS (length, dst, src, BLOWFISH_BLOCK_SIZE)
{
uint32_t d1, d2;
d1 = READ_UINT32(src);
d2 = READ_UINT32(src+4);
decround (ctx, &d1, &d2);
dst[0] = (d1 >> 24) & 0xff;
dst[1] = (d1 >> 16) & 0xff;
dst[2] = (d1 >> 8) & 0xff;
dst[3] = d1 & 0xff;
dst[4] = (d2 >> 24) & 0xff;
dst[5] = (d2 >> 16) & 0xff;
dst[6] = (d2 >> 8) & 0xff;
dst[7] = d2 & 0xff;
}
}
int
blowfish_set_key(struct blowfish_ctx *ctx,
unsigned keylen, const uint8_t *key)
blowfish_set_key (struct blowfish_ctx *ctx,
size_t length, const uint8_t * key)
{
int i, j;
uint32_t data, datal, datar;
int i, j;
uint32_t data, datal, datar;
#if 0
static int initialized = 0;
*ctx = _nettle_blowfish_initial_ctx;
if( !initialized ) {
initialized = 1;
assert(selftest());
for (i = j = 0; i < _BLOWFISH_ROUNDS + 2; i++)
{
data = ((uint32_t) key[j] << 24)
| ((uint32_t) key[(j+1) % length] << 16)
| ((uint32_t) key[(j+2) % length] << 8)
| (uint32_t) key[(j+3) % length];
ctx->p[i] ^= data;
j = (j + 4) % length;
}
#endif
*ctx = initial_ctx;
datal = datar = 0;
for (i = 0; i < _BLOWFISH_ROUNDS + 2; i += 2)
{
_nettle_blowfish_encround (ctx, &datal, &datar);
ctx->p[i] = datal;
ctx->p[i + 1] = datar;
}
for(i=j=0; i < _BLOWFISH_ROUNDS+2; i++ )
for (j = 0; j < 4; j++)
for (i = 0; i < 256; i += 2)
{
data = key[j] << 24 | key[(j+1) % keylen] <<16
| key[(j+2)%keylen] << 8 | key[(j+3)%keylen];
_nettle_blowfish_encround (ctx, &datal, &datar);
ctx->s[j][i] = datal;
ctx->s[j][i + 1] = datar;
}
ctx->p[i] ^= data;
j = (j+4) % keylen;
}
/* Check for weak key. A weak key is a key in which a value in
the P-array (here c) occurs more than once per table. */
for (i = 0; i < 255; i++)
{
for (j = i + 1; j < 256; j++)
{
if ((ctx->s[0][i] == ctx->s[0][j])
|| (ctx->s[1][i] == ctx->s[1][j])
|| (ctx->s[2][i] == ctx->s[2][j])
|| (ctx->s[3][i] == ctx->s[3][j]))
return 0;
}
}
datal = datar = 0;
for(i=0; i < _BLOWFISH_ROUNDS+2; i += 2 )
{
encrypt( ctx, &datal, &datar );
ctx->p[i] = datal;
ctx->p[i+1] = datar;
}
for(i=0; i < 256; i += 2 )
{
encrypt( ctx, &datal, &datar );
ctx->s[0][i] = datal;
ctx->s[0][i+1] = datar;
}
for(i=0; i < 256; i += 2 )
{
encrypt( ctx, &datal, &datar );
ctx->s[1][i] = datal;
ctx->s[1][i+1] = datar;
}
for(i=0; i < 256; i += 2 )
{
encrypt( ctx, &datal, &datar );
ctx->s[2][i] = datal;
ctx->s[2][i+1] = datar;
}
for(i=0; i < 256; i += 2 )
{
encrypt( ctx, &datal, &datar );
ctx->s[3][i] = datal;
ctx->s[3][i+1] = datar;
}
/* Check for weak key. A weak key is a key in which a value in */
/* the P-array (here c) occurs more than once per table. */
for(i=0; i < 255; i++ )
for( j=i+1; j < 256; j++)
if( (ctx->s[0][i] == ctx->s[0][j]) || (ctx->s[1][i] == ctx->s[1][j]) ||
(ctx->s[2][i] == ctx->s[2][j]) || (ctx->s[3][i] == ctx->s[3][j]) )
return 0;
ctx->status = BLOWFISH_OK;
return 1;
return 1;
}
int
blowfish128_set_key(struct blowfish_ctx *ctx, const uint8_t *key)
{
return blowfish_set_key (ctx, BLOWFISH128_KEY_SIZE, key);
}
blowfish.h
View file @ 99a9c929
/* blowfish.h
*
* Blowfish block cipher.
*/
/* nettle, low-level cryptographics library
*
* Copyright (C) 1998, 2001 FSF, Ray Dassen, Niels Mller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
* MA 02111-1307, USA.
*/
Blowfish block cipher.
Copyright (C) 2014 Niels Möller
Copyright (C) 1998, 2001 FSF, Ray Dassen, Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#ifndef NETTLE_BLOWFISH_H_INCLUDED
#define NETTLE_BLOWFISH_H_INCLUDED
#include "nettle-types.h"
#ifdef __cplusplus
extern "C" {
#endif
/* Name mangling */
#define blowfish_set_key nettle_blowfish_set_key
#define blowfish128_set_key nettle_blowfish128_set_key
#define blowfish_encrypt nettle_blowfish_encrypt
#define blowfish_decrypt nettle_blowfish_decrypt
#define blowfish_bcrypt_hash nettle_blowfish_bcrypt_hash
#define blowfish_bcrypt_verify nettle_blowfish_bcrypt_verify
#define BLOWFISH_BLOCK_SIZE 8
......@@ -42,30 +58,49 @@
/* Default to 128 bits */
#define BLOWFISH_KEY_SIZE 16
#define BLOWFISH128_KEY_SIZE 16
#define _BLOWFISH_ROUNDS 16
enum blowfish_error { BLOWFISH_OK, BLOWFISH_WEAK_KEY };
#define BLOWFISH_BCRYPT_HASH_SIZE (60 + 1) /* Including null-terminator */
#define BLOWFISH_BCRYPT_BINSALT_SIZE 16 /* Binary string size */
struct blowfish_ctx
{
uint32_t s[4][256];
uint32_t p[_BLOWFISH_ROUNDS+2];
enum blowfish_error status;
};
/* On success, returns 1 and sets ctx->status to BLOWFISH_OK (zero).
* On error, returns 0 and sets ctx->status to BLOWFISH_WEAK_KEY. */
/* Returns 0 for weak keys, otherwise 1. */
int
blowfish_set_key(struct blowfish_ctx *ctx,
unsigned length, const uint8_t *key);
size_t length, const uint8_t *key);
int
blowfish128_set_key(struct blowfish_ctx *ctx, const uint8_t *key);
void
blowfish_encrypt(struct blowfish_ctx *ctx,
unsigned length, uint8_t *dst,
blowfish_encrypt(const struct blowfish_ctx *ctx,
size_t length, uint8_t *dst,
const uint8_t *src);
void
blowfish_decrypt(struct blowfish_ctx *ctx,
unsigned length, uint8_t *dst,
blowfish_decrypt(const struct blowfish_ctx *ctx,
size_t length, uint8_t *dst,
const uint8_t *src);
/* dst parameter must point to a buffer of minimally
* BLOWFISH_BCRYPT_HASH_SIZE bytes */
int
blowfish_bcrypt_hash(uint8_t *dst,
size_t lenkey, const uint8_t *key,
size_t lenscheme, const uint8_t *scheme,
int log2rounds,
const uint8_t *salt);
int
blowfish_bcrypt_verify(size_t lenkey, const uint8_t *key,
size_t lenhashed, const uint8_t *hashed);
#ifdef __cplusplus
}
#endif
#endif /* NETTLE_BLOWFISH_H_INCLUDED */
bswap-internal.h 0 → 100644
View file @ 99a9c929
/* bswap-internal.h
Copyright (C) 2022 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#ifndef NETTLE_BSWAP_INTERNAL_H_INCLUDED
#define NETTLE_BSWAP_INTERNAL_H_INCLUDED
#include "nettle-types.h"
/* Note that these definitions depend config.h, which should be
included first. */
#if HAVE_BUILTIN_BSWAP64
#define nettle_bswap64 __builtin_bswap64
/* Assume bswap32 is also available. */
#define nettle_bswap32 __builtin_bswap32
#else
static inline uint64_t
nettle_bswap64 (uint64_t x)
{
x = (x >> 32) | (x << 32);
x = ((x >> 16) & UINT64_C (0xffff0000ffff))
| ((x & UINT64_C (0xffff0000ffff)) << 16);
x = ((x >> 8) & UINT64_C (0xff00ff00ff00ff))
| ((x & UINT64_C (0xff00ff00ff00ff)) << 8);
return x;
}
static inline uint32_t
nettle_bswap32 (uint32_t x)
{
x = (x << 16) | (x >> 16);
x = ((x & 0x00FF00FF) << 8) | ((x >> 8) & 0x00FF00FF);
return x;
}
#endif
static inline void
nettle_bswap32_n (unsigned n, uint32_t *x)
{
unsigned i;
for (i = 0; i < n; i++)
x[i] = nettle_bswap32 (x[i]);
}
#if WORDS_BIGENDIAN
#define bswap64_if_be nettle_bswap64
#define bswap32_if_be nettle_bswap32
#define bswap64_if_le(x) (x)
#define bswap32_if_le(x) (x)
#define bswap32_n_if_le(n, x)
#else
#define bswap64_if_be(x) (x)
#define bswap32_if_be(x) (x)
#define bswap64_if_le nettle_bswap64
#define bswap32_if_le nettle_bswap32
#define bswap32_n_if_le nettle_bswap32_n
#endif
#endif /* NETTLE_BSWAP_INTERNAL_H_INCLUDED */
buffer-init.c
View file @ 99a9c929
/* buffer-init.c
*
*/
/* nettle, low-level cryptographics library
*
* Copyright (C) 2002 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
* MA 02111-1307, USA.
*/
Copyright (C) 2002 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
......
buffer.c
View file @ 99a9c929
/* buffer.c
*
* A bare-bones string stream.
*/
/* nettle, low-level cryptographics library
*
* Copyright (C) 2002 Niels Mller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
* MA 02111-1307, USA.
*/
A bare-bones string stream.
Copyright (C) 2002 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
......@@ -35,13 +43,13 @@
int
nettle_buffer_grow(struct nettle_buffer *buffer,
unsigned length)
size_t length)
{
assert(buffer->size <= buffer->alloc);
if (buffer->size + length > buffer->alloc)
{
unsigned alloc;
size_t alloc;
uint8_t *p;
if (!buffer->realloc)
......@@ -61,7 +69,7 @@ nettle_buffer_grow(struct nettle_buffer *buffer,
void
nettle_buffer_init_realloc(struct nettle_buffer *buffer,
void *realloc_ctx,
nettle_realloc_func realloc)
nettle_realloc_func *realloc)
{
buffer->contents = NULL;
buffer->alloc = 0;
......@@ -72,7 +80,7 @@ nettle_buffer_init_realloc(struct nettle_buffer *buffer,
void
nettle_buffer_init_size(struct nettle_buffer *buffer,
unsigned length, uint8_t *space)
size_t length, uint8_t *space)
{
buffer->contents = space;
buffer->alloc = length;
......@@ -100,7 +108,7 @@ nettle_buffer_reset(struct nettle_buffer *buffer)
uint8_t *
nettle_buffer_space(struct nettle_buffer *buffer,
unsigned length)
size_t length)
{
uint8_t *p;
......@@ -114,7 +122,7 @@ nettle_buffer_space(struct nettle_buffer *buffer,
int
nettle_buffer_write(struct nettle_buffer *buffer,
unsigned length, const uint8_t *data)
size_t length, const uint8_t *data)
{
uint8_t *p = nettle_buffer_space(buffer, length);
if (p)
......
buffer.h
View file @ 99a9c929
/* buffer.h
*
* A bare-bones string stream.
*/
/* nettle, low-level cryptographics library
*
* Copyright (C) 2002 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
* MA 02111-1307, USA.
*/
A bare-bones string stream.
Copyright (C) 2002 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#ifndef NETTLE_BUFFER_H_INCLUDED
#define NETTLE_BUFFER_H_INCLUDED
#include "realloc.h"
#ifdef __cplusplus
extern "C" {
#endif
struct nettle_buffer
{
uint8_t *contents;
/* Allocated size */
unsigned alloc;
size_t alloc;
void *realloc_ctx;
nettle_realloc_func *realloc;
/* Current size */
unsigned size;
size_t size;
};
/* Initializes a buffer that uses plain realloc */
......@@ -48,12 +60,12 @@ nettle_buffer_init(struct nettle_buffer *buffer);
void
nettle_buffer_init_realloc(struct nettle_buffer *buffer,
void *realloc_ctx,
nettle_realloc_func realloc);
nettle_realloc_func *realloc);
/* Initializes a buffer of fix size */
void
nettle_buffer_init_size(struct nettle_buffer *buffer,
unsigned length, uint8_t *space);
size_t length, uint8_t *space);
void
nettle_buffer_clear(struct nettle_buffer *buffer);
......@@ -64,7 +76,7 @@ nettle_buffer_reset(struct nettle_buffer *buffer);
int
nettle_buffer_grow(struct nettle_buffer *buffer,
unsigned length);
size_t length);
#define NETTLE_BUFFER_PUTC(buffer, c) \
( (((buffer)->size < (buffer)->alloc) || nettle_buffer_grow((buffer), 1)) \
......@@ -72,7 +84,7 @@ nettle_buffer_grow(struct nettle_buffer *buffer,
int
nettle_buffer_write(struct nettle_buffer *buffer,
unsigned length, const uint8_t *data);
size_t length, const uint8_t *data);
/* Like nettle_buffer_write, but instead of copying data to the
* buffer, it returns a pointer to the area where the caller can copy
......@@ -80,11 +92,15 @@ nettle_buffer_write(struct nettle_buffer *buffer,
* reallocate the buffer. */
uint8_t *
nettle_buffer_space(struct nettle_buffer *buffer,
unsigned length);
size_t length);
/* Copy the contents of SRC to the end of DST. */
int
nettle_buffer_copy(struct nettle_buffer *dst,
const struct nettle_buffer *src);
#ifdef __cplusplus
}
#endif
#endif /* NETTLE_BUFFER_H_INCLUDED */
camellia-absorb.c 0 → 100644
View file @ 99a9c929
/* camellia-absorb.c
Final key setup processing for the camellia block cipher.
Copyright (C) 2006,2007 NTT
(Nippon Telegraph and Telephone Corporation).
Copyright (C) 2010 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
/*
* Algorithm Specification
* http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
*/
/* Based on camellia.c ver 1.2.0, see
http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
/* For CHAR_BIT, needed by HAVE_NATIVE_64_BIT */
#include <limits.h>
#include "camellia-internal.h"
#include "macros.h"
void
_nettle_camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey)
{
uint64_t kw2, kw4;
uint32_t dw, tl, tr;
unsigned i;
/* At this point, the subkey array contains the subkeys as described
in the spec, 26 for short keys and 34 for large keys. */
/* absorb kw2 to other subkeys */
kw2 = subkey[1];
subkey[3] ^= kw2;
subkey[5] ^= kw2;
subkey[7] ^= kw2;
for (i = 8; i < nkeys; i += 8)
{
/* FIXME: gcc for x86_32 is smart enough to fetch the 32 low bits
and xor the result into the 32 high bits, but it still generates
worse code than for explicit 32-bit operations. */
kw2 ^= (kw2 & ~subkey[i+1]) << 32;
dw = (kw2 & subkey[i+1]) >> 32; kw2 ^= ROTL32(1, dw);
subkey[i+3] ^= kw2;
subkey[i+5] ^= kw2;
subkey[i+7] ^= kw2;
}
subkey[i] ^= kw2;
/* absorb kw4 to other subkeys */
kw4 = subkey[nkeys + 1];
for (i = nkeys - 8; i > 0; i -= 8)
{
subkey[i+6] ^= kw4;
subkey[i+4] ^= kw4;
subkey[i+2] ^= kw4;
kw4 ^= (kw4 & ~subkey[i]) << 32;
dw = (kw4 & subkey[i]) >> 32; kw4 ^= ROTL32(1, dw);
}
subkey[6] ^= kw4;
subkey[4] ^= kw4;
subkey[2] ^= kw4;
subkey[0] ^= kw4;
/* key XOR is end of F-function */
dst[0] = subkey[0] ^ subkey[2];
dst[1] = subkey[3];
dst[2] = subkey[2] ^ subkey[4];
dst[3] = subkey[3] ^ subkey[5];
dst[4] = subkey[4] ^ subkey[6];
dst[5] = subkey[5] ^ subkey[7];
for (i = 8; i < nkeys; i += 8)
{
tl = (subkey[i+2] >> 32) ^ (subkey[i+2] & ~subkey[i]);
dw = tl & (subkey[i] >> 32);
tr = subkey[i+2] ^ ROTL32(1, dw);
dst[i-2] = subkey[i-2] ^ ( ((uint64_t) tl << 32) | tr);
dst[i-1] = subkey[i];
dst[i] = subkey[i+1];
tl = (subkey[i-1] >> 32) ^ (subkey[i-1] & ~subkey[i+1]);
dw = tl & (subkey[i+1] >> 32);
tr = subkey[i-1] ^ ROTL32(1, dw);
dst[i+1] = subkey[i+3] ^ ( ((uint64_t) tl << 32) | tr);
dst[i+2] = subkey[i+2] ^ subkey[i+4];
dst[i+3] = subkey[i+3] ^ subkey[i+5];
dst[i+4] = subkey[i+4] ^ subkey[i+6];
dst[i+5] = subkey[i+5] ^ subkey[i+7];
}
dst[i-2] = subkey[i-2];
dst[i-1] = subkey[i] ^ subkey[i-1];
#if !HAVE_NATIVE_64_BIT
for (i = 0; i < nkeys; i += 8)
{
/* apply the inverse of the last half of F-function */
CAMELLIA_F_HALF_INV(dst[i+1]);
CAMELLIA_F_HALF_INV(dst[i+2]);
CAMELLIA_F_HALF_INV(dst[i+3]);
CAMELLIA_F_HALF_INV(dst[i+4]);
CAMELLIA_F_HALF_INV(dst[i+5]);
CAMELLIA_F_HALF_INV(dst[i+6]);
}
#endif
}
camellia-crypt-internal.c 0 → 100644
View file @ 99a9c929
/* camellia-crypt-internal.c
Copyright (C) 2006,2007 NTT
(Nippon Telegraph and Telephone Corporation).
Copyright (C) 2010 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
/*
* Algorithm Specification
* http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
*/
/* Based on camellia.c ver 1.2.0, see
http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <assert.h>
#include <limits.h>
#include "camellia-internal.h"
#include "macros.h"
#define CAMELLIA_FL(x, k) do { \
uint32_t __xl, __xr, __kl, __kr, __t; \
__xl = (x) >> 32; \
__xr = (x) & 0xffffffff; \
__kl = (k) >> 32; \
__kr = (k) & 0xffffffff; \
__t = __xl & __kl; \
__xr ^= ROTL32(1, __t); \
__xl ^= (__xr | __kr); \
(x) = ((uint64_t) __xl << 32) | __xr; \
} while (0)
#define CAMELLIA_FLINV(x, k) do { \
uint32_t __xl, __xr, __kl, __kr, __t; \
__xl = (x) >> 32; \
__xr = (x) & 0xffffffff; \
__kl = (k) >> 32; \
__kr = (k) & 0xffffffff; \
__xl ^= (__xr | __kr); \
__t = __xl & __kl; \
__xr ^= ROTL32(1, __t); \
(x) = ((uint64_t) __xl << 32) | __xr; \
} while (0)
#if HAVE_NATIVE_64_BIT
#define CAMELLIA_ROUNDSM(T, x, k, y) do { \
uint32_t __il, __ir; \
__ir \
= T->sp1110[(x) & 0xff] \
^ T->sp0222[((x) >> 24) & 0xff] \
^ T->sp3033[((x) >> 16) & 0xff] \
^ T->sp4404[((x) >> 8) & 0xff]; \
/* ir == (t6^t7^t8),(t5^t7^t8),(t5^t6^t8),(t5^t6^t7) */ \
__il \
= T->sp1110[ (x) >> 56] \
^ T->sp0222[((x) >> 48) & 0xff] \
^ T->sp3033[((x) >> 40) & 0xff] \
^ T->sp4404[((x) >> 32) & 0xff]; \
/* il == (t1^t3^t4),(t1^t2^t4),(t1^t2^t3),(t2^t3^t4) */ \
__ir ^= __il; \
/* ir == (t1^t3^t4^t6^t7^t8),(t1^t2^t4^t5^t7^t8), \
(t1^t2^t3^t5^t6^t8),(t2^t3^t4^t5^t6^t7) \
== y1,y2,y3,y4 */ \
__il = ROTL32(24, __il); \
/* il == (t2^t3^t4),(t1^t3^t4),(t1^t2^t4),(t1^t2^t3) */ \
__il ^= __ir; \
/* il == (t1^t2^t6^t7^t8),(t2^t3^t5^t7^t8), \
(t3^t4^t5^t6^t8),(t1^t4^t5^t6^t7) \
== y5,y6,y7,y8 */ \
y ^= (k); \
y ^= ((uint64_t) __ir << 32) | __il; \
} while (0)
#else /* !HAVE_NATIVE_64_BIT */
#define CAMELLIA_ROUNDSM(T, x, k, y) do { \
uint32_t __il, __ir; \
__ir \
= T->sp1110[(x) & 0xff] \
^ T->sp0222[((x) >> 24) & 0xff] \
^ T->sp3033[((x) >> 16) & 0xff] \
^ T->sp4404[((x) >> 8) & 0xff]; \
/* ir == (t6^t7^t8),(t5^t7^t8),(t5^t6^t8),(t5^t6^t7) */ \
__il \
= T->sp1110[ (x) >> 56] \
^ T->sp0222[((x) >> 48) & 0xff] \
^ T->sp3033[((x) >> 40) & 0xff] \
^ T->sp4404[((x) >> 32) & 0xff]; \
/* il == (t1^t3^t4),(t1^t2^t4),(t1^t2^t3),(t2^t3^t4) */ \
__il ^= (k) >> 32; \
__ir ^= (k) & 0xffffffff; \
__ir ^= __il; \
/* ir == (t1^t3^t4^t6^t7^t8),(t1^t2^t4^t5^t7^t8), \
(t1^t2^t3^t5^t6^t8),(t2^t3^t4^t5^t6^t7) \
== y1,y2,y3,y4 */ \
__il = ROTL32(24, __il); \
/* il == (t2^t3^t4),(t1^t3^t4),(t1^t2^t4),(t1^t2^t3) */ \
__il ^= __ir; \
/* il == (t1^t2^t6^t7^t8),(t2^t3^t5^t7^t8), \
(t3^t4^t5^t6^t8),(t1^t4^t5^t6^t7) \
== y5,y6,y7,y8 */ \
y ^= ((uint64_t) __ir << 32) | __il; \
} while (0)
#endif
void
_nettle_camellia_crypt(unsigned nkeys,
const uint64_t *keys,
const struct camellia_table *T,
size_t length, uint8_t *dst,
const uint8_t *src)
{
FOR_BLOCKS(length, dst, src, CAMELLIA_BLOCK_SIZE)
{
uint64_t i0,i1;
unsigned i;
i0 = READ_UINT64(src);
i1 = READ_UINT64(src + 8);
/* pre whitening but absorb kw2*/
i0 ^= keys[0];
/* main iteration */
CAMELLIA_ROUNDSM(T, i0, keys[1], i1);
CAMELLIA_ROUNDSM(T, i1, keys[2], i0);
CAMELLIA_ROUNDSM(T, i0, keys[3], i1);
CAMELLIA_ROUNDSM(T, i1, keys[4], i0);
CAMELLIA_ROUNDSM(T, i0, keys[5], i1);
CAMELLIA_ROUNDSM(T, i1, keys[6], i0);
for (i = 0; i < nkeys - 8; i+= 8)
{
CAMELLIA_FL(i0, keys[i+7]);
CAMELLIA_FLINV(i1, keys[i+8]);
CAMELLIA_ROUNDSM(T, i0, keys[i+9], i1);
CAMELLIA_ROUNDSM(T, i1, keys[i+10], i0);
CAMELLIA_ROUNDSM(T, i0, keys[i+11], i1);
CAMELLIA_ROUNDSM(T, i1, keys[i+12], i0);
CAMELLIA_ROUNDSM(T, i0, keys[i+13], i1);
CAMELLIA_ROUNDSM(T, i1, keys[i+14], i0);
}
/* post whitening but kw4 */
i1 ^= keys[i+7];
WRITE_UINT64(dst , i1);
WRITE_UINT64(dst + 8, i0);
}
}
camellia-internal.h 0 → 100644
View file @ 99a9c929
/* camellia-internal.h
The camellia block cipher.
Copyright (C) 2006,2007 NTT
(Nippon Telegraph and Telephone Corporation).
Copyright (C) 2010 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
/*
* Algorithm Specification
* http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
*/
/* Based on camellia.c ver 1.2.0, see
http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz.
*/
#ifndef NETTLE_CAMELLIA_INTERNAL_H_INCLUDED
#define NETTLE_CAMELLIA_INTERNAL_H_INCLUDED
#include "camellia.h"
/*
* macros
*/
/* Destructive rotation of 128 bit values. */
#define ROTL128(bits, xl, xr) do { \
uint64_t __rol128_t = (xl); \
(xl) = ((xl) << (bits)) | ((xr) >> (64 - (bits))); \
(xr) = ((xr) << (bits)) | (__rol128_t >> (64 - (bits))); \
} while (0)
struct camellia_table
{
uint32_t sp1110[256];
uint32_t sp0222[256];
uint32_t sp3033[256];
uint32_t sp4404[256];
};
/* key constants */
#define SIGMA1 0xA09E667F3BCC908BULL
#define SIGMA2 0xB67AE8584CAA73B2ULL
#define SIGMA3 0xC6EF372FE94F82BEULL
#define SIGMA4 0x54FF53A5F1D36F1CULL
#define SIGMA5 0x10E527FADE682D1DULL
#define SIGMA6 0xB05688C2B3E6C1FDULL
#define CAMELLIA_SP1110(INDEX) (_nettle_camellia_table.sp1110[(int)(INDEX)])
#define CAMELLIA_SP0222(INDEX) (_nettle_camellia_table.sp0222[(int)(INDEX)])
#define CAMELLIA_SP3033(INDEX) (_nettle_camellia_table.sp3033[(int)(INDEX)])
#define CAMELLIA_SP4404(INDEX) (_nettle_camellia_table.sp4404[(int)(INDEX)])
#define CAMELLIA_F(x, k, y) do { \
uint32_t __yl, __yr; \
uint64_t __i = (x) ^ (k); \
__yl \
= CAMELLIA_SP1110( __i & 0xff) \
^ CAMELLIA_SP0222((__i >> 24) & 0xff) \
^ CAMELLIA_SP3033((__i >> 16) & 0xff) \
^ CAMELLIA_SP4404((__i >> 8) & 0xff); \
__yr \
= CAMELLIA_SP1110( __i >> 56) \
^ CAMELLIA_SP0222((__i >> 48) & 0xff) \
^ CAMELLIA_SP3033((__i >> 40) & 0xff) \
^ CAMELLIA_SP4404((__i >> 32) & 0xff); \
__yl ^= __yr; \
__yr = ROTL32(24, __yr); \
__yr ^= __yl; \
(y) = ((uint64_t) __yl << 32) | __yr; \
} while (0)
#if ! HAVE_NATIVE_64_BIT
#define CAMELLIA_F_HALF_INV(x) do { \
uint32_t __t, __w; \
__t = (x) >> 32; \
__w = __t ^(x); \
__w = ROTL32(8, __w); \
(x) = ((uint64_t) __w << 32) | (__t ^ __w); \
} while (0)
#endif
void
_nettle_camellia_crypt(unsigned nkeys, const uint64_t *keys,
const struct camellia_table *T,
size_t length, uint8_t *dst,
const uint8_t *src);
/* The initial NKEYS + 2 subkeys in SUBKEY are reduced to the final
NKEYS subkeys stored in DST. SUBKEY data is modified in the
process. */
void
_nettle_camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey);
void
_nettle_camellia_invert_key(unsigned nkeys,
uint64_t *dst, const uint64_t *src);
extern const struct camellia_table _nettle_camellia_table;
#endif /* NETTLE_CAMELLIA_INTERNAL_H_INCLUDED */
camellia-invert-key.c 0 → 100644
View file @ 99a9c929
/* camellia-invert-key.c
Inverting a key means reversing order of subkeys.
Copyright (C) 2010 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include "camellia-internal.h"
#define SWAP(a, b) \
do { uint64_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0)
void
_nettle_camellia_invert_key(unsigned nkeys,
uint64_t *dst, const uint64_t *src)
{
unsigned i;
if (dst == src)
for (i = 0; i < nkeys - 1 - i; i++)
SWAP (dst[i], dst[nkeys - 1- i]);
else
for (i = 0; i < nkeys; i++)
dst[i] = src[nkeys - 1 - i];
}
camellia-table.c 0 → 100644
View file @ 99a9c929
/* camellia-table.c
SBOX tables used by both encryption and key setup.
Copyright (C) 2006,2007 NTT
(Nippon Telegraph and Telephone Corporation).
Copyright (C) 2010 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
/*
* Algorithm Specification
* http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
*/
/* Based on camellia.c ver 1.2.0, see
http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include "camellia-internal.h"
const struct camellia_table _nettle_camellia_table = {
/* sp1110 */
{
0x70707000,0x82828200,0x2c2c2c00,0xececec00,
0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
0xe4e4e400,0x85858500,0x57575700,0x35353500,
0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
0x45454500,0x19191900,0xa5a5a500,0x21212100,
0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
0x74747400,0x12121200,0x2b2b2b00,0x20202000,
0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
0x34343400,0x7e7e7e00,0x76767600,0x05050500,
0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
0x14141400,0x58585800,0x3a3a3a00,0x61616100,
0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
0x53535300,0x18181800,0xf2f2f200,0x22222200,
0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
0x60606000,0xfcfcfc00,0x69696900,0x50505000,
0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
0xa1a1a100,0x89898900,0x62626200,0x97979700,
0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
0x10101000,0xc4c4c400,0x00000000,0x48484800,
0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
0x87878700,0x5c5c5c00,0x83838300,0x02020200,
0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
0x78787800,0x98989800,0x06060600,0x6a6a6a00,
0xe7e7e700,0x46464600,0x71717100,0xbababa00,
0xd4d4d400,0x25252500,0xababab00,0x42424200,
0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
0x72727200,0x07070700,0xb9b9b900,0x55555500,
0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
0x36363600,0x49494900,0x2a2a2a00,0x68686800,
0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
},
/* sp0222 */
{
0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
0x00e8e8e8,0x00242424,0x00565656,0x00404040,
0x00e1e1e1,0x00636363,0x00090909,0x00333333,
0x00bfbfbf,0x00989898,0x00979797,0x00858585,
0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
0x00dadada,0x006f6f6f,0x00535353,0x00626262,
0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
0x00bdbdbd,0x00363636,0x00222222,0x00383838,
0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
0x00484848,0x00101010,0x00d1d1d1,0x00515151,
0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
0x00202020,0x00898989,0x00000000,0x00909090,
0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
0x009b9b9b,0x00949494,0x00212121,0x00666666,
0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
0x00030303,0x002d2d2d,0x00dedede,0x00969696,
0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
0x00787878,0x00707070,0x00e3e3e3,0x00494949,
0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
0x00777777,0x00939393,0x00868686,0x00838383,
0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
},
/* sp3033 */
{
0x38003838,0x41004141,0x16001616,0x76007676,
0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
0x75007575,0x06000606,0x57005757,0xa000a0a0,
0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
0xfd00fdfd,0x66006666,0x58005858,0x96009696,
0x3a003a3a,0x09000909,0x95009595,0x10001010,
0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
0xef00efef,0x26002626,0xe500e5e5,0x61006161,
0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
0x12001212,0x04000404,0x74007474,0x54005454,
0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
0x55005555,0x68006868,0x50005050,0xbe00bebe,
0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
0x70007070,0xff00ffff,0x32003232,0x69006969,
0x08000808,0x62006262,0x00000000,0x24002424,
0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
0x45004545,0x81008181,0x73007373,0x6d006d6d,
0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
0xe600e6e6,0x25002525,0x48004848,0x99009999,
0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
0x7c007c7c,0x77007777,0x56005656,0x05000505,
0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
},
/* sp4404 */
{
0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
0x14140014,0x3a3a003a,0xdede00de,0x11110011,
0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
0x24240024,0xe8e800e8,0x60600060,0x69690069,
0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
0x10100010,0x00000000,0xa3a300a3,0x75750075,
0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
0x87870087,0x83830083,0xcdcd00cd,0x90900090,
0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
0x81810081,0x6f6f006f,0x13130013,0x63630063,
0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
0x78780078,0x06060006,0xe7e700e7,0x71710071,
0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
0x15150015,0xadad00ad,0x77770077,0x80800080,
0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
0x85850085,0x35350035,0x0c0c000c,0x41410041,
0xefef00ef,0x93930093,0x19190019,0x21210021,
0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
0x12120012,0x20200020,0xb1b100b1,0x99990099,
0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
0x0f0f000f,0x16160016,0x18180018,0x22220022,
0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
0x03030003,0xdada00da,0x3f3f003f,0x94940094,
0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
0x49490049,0x68680068,0x38380038,0xa4a400a4,
0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
}
};
camellia.h 0 → 100644
View file @ 99a9c929
/* camellia.h
Copyright (C) 2006,2007 NTT
(Nippon Telegraph and Telephone Corporation).
Copyright (C) 2010, 2013 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#ifndef NETTLE_CAMELLIA_H_INCLUDED
#define NETTLE_CAMELLIA_H_INCLUDED
#include "nettle-types.h"
#ifdef __cplusplus
extern "C" {
#endif
/* Name mangling */
#define camellia128_set_encrypt_key nettle_camellia128_set_encrypt_key
#define camellia128_set_decrypt_key nettle_camellia_set_decrypt_key
#define camellia128_invert_key nettle_camellia128_invert_key
#define camellia128_crypt nettle_camellia128_crypt
#define camellia192_set_encrypt_key nettle_camellia192_set_encrypt_key
#define camellia192_set_decrypt_key nettle_camellia192_set_decrypt_key
#define camellia256_set_encrypt_key nettle_camellia256_set_encrypt_key
#define camellia256_set_decrypt_key nettle_camellia256_set_decrypt_key
#define camellia256_invert_key nettle_camellia256_invert_key
#define camellia256_crypt nettle_camellia256_crypt
#define CAMELLIA_BLOCK_SIZE 16
/* Valid key sizes are 128, 192 or 256 bits (16, 24 or 32 bytes) */
#define CAMELLIA128_KEY_SIZE 16
#define CAMELLIA192_KEY_SIZE 24
#define CAMELLIA256_KEY_SIZE 32
/* For 128-bit keys, there are 18 regular rounds, pre- and
post-whitening, and two FL and FLINV rounds, using a total of 26
subkeys, each of 64 bit. For 192- and 256-bit keys, there are 6
additional regular rounds and one additional FL and FLINV, using a
total of 34 subkeys. */
/* The clever combination of subkeys imply one of the pre- and
post-whitening keys is folded with the round keys, so that subkey
#1 and the last one (#25 or #33) is not used. The result is that we
have only 24 or 32 subkeys at the end of key setup. */
#define _CAMELLIA128_NKEYS 24
#define _CAMELLIA256_NKEYS 32
struct camellia128_ctx
{
uint64_t keys[_CAMELLIA128_NKEYS];
};
void
camellia128_set_encrypt_key(struct camellia128_ctx *ctx,
const uint8_t *key);
void
camellia128_set_decrypt_key(struct camellia128_ctx *ctx,
const uint8_t *key);
void
camellia128_invert_key(struct camellia128_ctx *dst,
const struct camellia128_ctx *src);
void
camellia128_crypt(const struct camellia128_ctx *ctx,
size_t length, uint8_t *dst,
const uint8_t *src);
struct camellia256_ctx
{
uint64_t keys[_CAMELLIA256_NKEYS];
};
void
camellia256_set_encrypt_key(struct camellia256_ctx *ctx,
const uint8_t *key);
void
camellia256_set_decrypt_key(struct camellia256_ctx *ctx,
const uint8_t *key);
void
camellia256_invert_key(struct camellia256_ctx *dst,
const struct camellia256_ctx *src);
void
camellia256_crypt(const struct camellia256_ctx *ctx,
size_t length, uint8_t *dst,
const uint8_t *src);
/* camellia192 is the same as camellia256, except for the key
schedule. */
/* Slightly ugly with a #define on a struct tag, since it might cause
surprises if also used as a name of a variable. */
#define camellia192_ctx camellia256_ctx
void
camellia192_set_encrypt_key(struct camellia256_ctx *ctx,
const uint8_t *key);
void
camellia192_set_decrypt_key(struct camellia256_ctx *ctx,
const uint8_t *key);
#define camellia192_invert_key camellia256_invert_key
#define camellia192_crypt camellia256_crypt
#ifdef __cplusplus
}
#endif
#endif /* NETTLE_CAMELLIA_H_INCLUDED */
camellia128-crypt.c 0 → 100644
View file @ 99a9c929
/* camellia128-crypt.c
Crypt function for the camellia block cipher.
Copyright (C) 2010, 2013 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <assert.h>
#include "camellia-internal.h"
/* The main point on this function is to help the assembler
implementations of _nettle_camellia_crypt to get the table pointer.
For PIC code, the details can be complex and system dependent. */
void
camellia128_crypt(const struct camellia128_ctx *ctx,
size_t length, uint8_t *dst,
const uint8_t *src)
{
assert(!(length % CAMELLIA_BLOCK_SIZE) );
_nettle_camellia_crypt(_CAMELLIA128_NKEYS, ctx->keys,
&_nettle_camellia_table,
length, dst, src);
}
camellia128-meta.c 0 → 100644
View file @ 99a9c929
/* camellia128-meta.c
Copyright (C) 2010, 2013, 2014 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <assert.h>
#include "nettle-meta.h"
#include "camellia.h"
const struct nettle_cipher nettle_camellia128 =
{ "camellia128", sizeof(struct camellia128_ctx),
CAMELLIA_BLOCK_SIZE, CAMELLIA128_KEY_SIZE,
(nettle_set_key_func *) camellia128_set_encrypt_key,
(nettle_set_key_func *) camellia128_set_decrypt_key,
(nettle_cipher_func *) camellia128_crypt,
(nettle_cipher_func *) camellia128_crypt
};
camellia128-set-decrypt-key.c 0 → 100644
View file @ 99a9c929
/* camellia128-set-decrypt-key.c
Inverse key setup for the camellia block cipher.
Copyright (C) 2010, 2013 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include "camellia-internal.h"
void
camellia128_invert_key(struct camellia128_ctx *dst,
const struct camellia128_ctx *src)
{
_nettle_camellia_invert_key (_CAMELLIA128_NKEYS, dst->keys, src->keys);
}
void
camellia128_set_decrypt_key(struct camellia128_ctx *ctx,
const uint8_t *key)
{
camellia128_set_encrypt_key(ctx, key);
camellia128_invert_key(ctx, ctx);
}
camellia128-set-encrypt-key.c 0 → 100644
View file @ 99a9c929
/* camellia128-set-encrypt-key.c
Key setup for the camellia block cipher.
Copyright (C) 2006,2007 NTT
(Nippon Telegraph and Telephone Corporation).
Copyright (C) 2010, 2013 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
/*
* Algorithm Specification
* http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
*/
/* Based on camellia.c ver 1.2.0, see
http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <assert.h>
#include <limits.h>
#include "camellia-internal.h"
#include "macros.h"
void
camellia128_set_encrypt_key (struct camellia128_ctx *ctx,
const uint8_t *key)
{
uint64_t k0, k1;
uint64_t subkey[_CAMELLIA128_NKEYS + 2];
uint64_t w;
k0 = READ_UINT64(key);
k1 = READ_UINT64(key + 8);
/**
* generate KL dependent subkeys
*/
subkey[0] = k0; subkey[1] = k1;
ROTL128(15, k0, k1);
subkey[4] = k0; subkey[5] = k1;
ROTL128(30, k0, k1);
subkey[10] = k0; subkey[11] = k1;
ROTL128(15, k0, k1);
subkey[13] = k1;
ROTL128(17, k0, k1);
subkey[16] = k0; subkey[17] = k1;
ROTL128(17, k0, k1);
subkey[18] = k0; subkey[19] = k1;
ROTL128(17, k0, k1);
subkey[22] = k0; subkey[23] = k1;
/* generate KA. D1 is k0, d2 is k1. */
/* FIXME: Make notation match the spec better. */
/* For the 128-bit case, KR = 0, the construction of KA reduces to:
D1 = KL >> 64;
W = KL & MASK64;
D2 = F(D1, Sigma1);
W = D2 ^ W
D1 = F(W, Sigma2)
D2 = D2 ^ F(D1, Sigma3);
D1 = D1 ^ F(D2, Sigma4);
KA = (D1 << 64) | D2;
*/
k0 = subkey[0]; w = subkey[1];
CAMELLIA_F(k0, SIGMA1, k1);
w ^= k1;
CAMELLIA_F(w, SIGMA2, k0);
CAMELLIA_F(k0, SIGMA3, w);
k1 ^= w;
CAMELLIA_F(k1, SIGMA4, w);
k0 ^= w;
/* generate KA dependent subkeys */
subkey[2] = k0; subkey[3] = k1;
ROTL128(15, k0, k1);
subkey[6] = k0; subkey[7] = k1;
ROTL128(15, k0, k1);
subkey[8] = k0; subkey[9] = k1;
ROTL128(15, k0, k1);
subkey[12] = k0;
ROTL128(15, k0, k1);
subkey[14] = k0; subkey[15] = k1;
ROTL128(34, k0, k1);
subkey[20] = k0; subkey[21] = k1;
ROTL128(17, k0, k1);
subkey[24] = k0; subkey[25] = k1;
/* Common final processing */
_nettle_camellia_absorb (_CAMELLIA128_NKEYS, ctx->keys, subkey);
}
camellia192-meta.c 0 → 100644
View file @ 99a9c929
/* camellia192-meta.c
Copyright (C) 2010, 2013, 2014 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <assert.h>
#include "nettle-meta.h"
#include "camellia.h"
const struct nettle_cipher nettle_camellia192 =
{ "camellia192", sizeof(struct camellia256_ctx),
CAMELLIA_BLOCK_SIZE, CAMELLIA192_KEY_SIZE,
(nettle_set_key_func *) camellia192_set_encrypt_key,
(nettle_set_key_func *) camellia192_set_decrypt_key,
(nettle_cipher_func *) camellia256_crypt,
(nettle_cipher_func *) camellia256_crypt
};