--- /dev/null
+/* -*-c-*-
+ *
+ * Implementation of the Twofish cipher
+ *
+ * (c) 2000 Straylight/Edgeware
+ */
+
+/*----- Licensing notice --------------------------------------------------*
+ *
+ * This file is part of Catacomb.
+ *
+ * Catacomb is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Library General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * Catacomb is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with Catacomb; if not, write to the Free
+ * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+/*----- Header files ------------------------------------------------------*/
+
+#include <assert.h>
+
+#include <mLib/bits.h>
+
+#include "blkc.h"
+#include "gcipher.h"
+#include "twofish.h"
+#include "twofish-tab.h"
+#include "paranoia.h"
+
+/*----- Global variables --------------------------------------------------*/
+
+const octet twofish_keysz[] = { KSZ_RANGE, TWOFISH_KEYSZ, 0, 32, 1 };
+
+/*----- Important tables --------------------------------------------------*/
+
+static const octet q0[256] = TWOFISH_Q0, q1[256] = TWOFISH_Q1;
+static const uint32 qmds[4][256] = TWOFISH_QMDS;
+static const octet rslog[] = TWOFISH_RSLOG, rsexp[] = TWOFISH_RSEXP;
+static const octet rs[32] = TWOFISH_RS;
+
+/*----- Key initialization ------------------------------------------------*/
+
+/* --- @h@ --- *
+ *
+ * Arguments: @uint32 x@ = input to the function
+ * @const uint32 *l@ = key values to mix in
+ * @unsigned k@ = number of key values there are
+ *
+ * Returns: The output of the function @h@.
+ *
+ * Use: Implements the Twofish function @h@.
+ */
+
+static uint32 h(uint32 x, const uint32 *l, unsigned k)
+{
+ /* --- Apply a series of @q@ tables to an integer --- */
+
+# define Q(x, qa, qb, qc, qd) \
+ ((qa[((x) >> 0) & 0xff] << 0) | \
+ (qb[((x) >> 8) & 0xff] << 8) | \
+ (qc[((x) >> 16) & 0xff] << 16) | \
+ (qd[((x) >> 24) & 0xff] << 24))
+
+ /* --- Grind through the tables --- */
+
+ switch (k) {
+ case 4: x = Q(x, q1, q0, q0, q1) ^ l[3];
+ case 3: x = Q(x, q1, q1, q0, q0) ^ l[2];
+ case 2: x = Q(x, q0, q1, q0, q1) ^ l[1];
+ x = Q(x, q0, q0, q1, q1) ^ l[0];
+ break;
+ }
+
+#undef Q
+
+ /* --- Apply the MDS matrix --- */
+
+ return (qmds[0][U8(x >> 0)] ^ qmds[1][U8(x >> 8)] ^
+ qmds[2][U8(x >> 16)] ^ qmds[3][U8(x >> 24)]);
+}
+
+/* --- @twofish_initfk@ --- *
+ *
+ * Arguments: @twofish_ctx *k@ = pointer to key block to fill in
+ * @const void *buf@ = pointer to buffer of key material
+ * @size_t sz@ = size of key material
+ * @const twofish_fk *fk@ = family-key information
+ *
+ * Returns: ---
+ *
+ * Use: Does the underlying Twofish key initialization with family
+ * key. Pass in a family-key structure initialized to
+ * all-bits-zero for a standard key schedule.
+ */
+
+void twofish_initfk(twofish_ctx *k, const void *buf, size_t sz,
+ const twofish_fk *fk)
+{
+# define KMAX 4
+
+ uint32 mo[KMAX], me[KMAX];
+ octet s[4][KMAX];
+
+ /* --- Expand the key into the three word arrays --- */
+
+ {
+ size_t ssz;
+ const octet *p, *q;
+ octet b[32];
+ int i;
+
+ /* --- Sort out the key size --- */
+
+ KSZ_ASSERT(twofish, sz);
+ if (sz <= 16)
+ ssz = 16;
+ else if (sz <= 24)
+ ssz = 24;
+ else if (sz <= 32)
+ ssz = 32;
+ else
+ assert(((void)"This can't happen (bad key size in twofish_init)", 0));
+
+ /* --- Extend the key if necessary --- */
+
+ if (sz == ssz)
+ p = buf;
+ else {
+ memcpy(b, buf, sz);
+ memset(b + sz, 0, ssz - sz);
+ p = b;
+ }
+
+ /* --- Finally get the word count --- */
+
+ sz = ssz / 8;
+
+ /* --- Extract words from the key --- *
+ *
+ * The @s@ table, constructed using the Reed-Solomon matrix, is cut into
+ * sequences of bytes, since this is actually more useful for computing
+ * the S-boxes.
+ */
+
+ q = p;
+ for (i = 0; i < sz; i++) {
+ octet ss[4];
+ const octet *r = rs;
+ int j;
+
+ /* --- Extract the easy subkeys --- */
+
+ me[i] = LOAD32_L(q) ^ fk->t0[2 * i];
+ mo[i] = LOAD32_L(q + 4) ^ fk->t0[2 * i + 1];
+
+ /* --- Now do the Reed-Solomon thing --- */
+
+ for (j = 0; j < 4; j++) {
+ const octet *qq = q;
+ unsigned a = 0;
+ int k;
+
+ for (k = 0; k < 8; k++) {
+ unsigned char x = *qq ^ fk->t1[i * 8 + k];
+ if (x) a ^= rsexp[rslog[x] + *r];
+ qq++;
+ r++;
+ }
+
+ s[j][sz - 1 - i] = ss[j] = a;
+ }
+ q += 8;
+ }
+
+ /* --- Clear away the temporary buffer --- */
+
+ if (p == b)
+ BURN(b);
+ }
+
+ /* --- Construct the expanded key --- */
+
+ {
+ uint32 p = 0x01010101;
+ uint32 ip = 0;
+ int i;
+
+ for (i = 0; i < 40; i += 2) {
+ uint32 a, b;
+ a = h(ip, me, sz);
+ b = h(ip + p, mo, sz);
+ b = ROL32(b, 8);
+ a += b; b += a;
+ k->k[i] = U32(a);
+ k->k[i + 1] = ROL32(b, 9);
+ ip += 2 * p;
+ }
+
+ for (i = 0; i < 8; i++)
+ k->k[i] ^= fk->t23[i];
+ for (i = 8; i < 40; i += 2) {
+ k->k[i] ^= fk->t4[0];
+ k->k[i + 1] ^= fk->t4[1];
+ }
+ }
+
+ /* --- Construct the S-box tables --- */
+
+ {
+ unsigned i;
+ static const octet *q[4][KMAX + 1] = {
+ { q1, q0, q0, q1, q1 },
+ { q0, q0, q1, q1, q0 },
+ { q1, q1, q0, q0, q0 },
+ { q0, q1, q1, q0, q1 }
+ };
+
+ for (i = 0; i < 4; i++) {
+ unsigned j;
+ uint32 x;
+
+ for (j = 0; j < 256; j++) {
+ x = j;
+
+ /* --- Push the byte through the q tables --- */
+
+ switch (sz) {
+ case 4: x = q[i][4][x] ^ s[i][3];
+ case 3: x = q[i][3][x] ^ s[i][2];
+ case 2: x = q[i][2][x] ^ s[i][1];
+ x = q[i][1][x] ^ s[i][0];
+ break;
+ }
+
+ /* --- Write it in the key schedule --- */
+
+ k->g[i][j] = qmds[i][x];
+ }
+ }
+ }
+
+ /* --- Clear everything away --- */
+
+ BURN(me);
+ BURN(mo);
+ BURN(s);
+}
+
+/* --- @twofish_init@ --- *
+ *
+ * Arguments: @twofish_ctx *k@ = pointer to key block to fill in
+ * @const void *buf@ = pointer to buffer of key material
+ * @size_t sz@ = size of key material
+ *
+ * Returns: ---
+ *
+ * Use: Initializes a Twofish key buffer. Twofish accepts key sizes
+ * of up to 256 bits (32 bytes).
+ */
+
+void twofish_init(twofish_ctx *k, const void *buf, size_t sz)
+{
+ static const twofish_fk fk = { { 0 } };
+ twofish_initfk(k, buf, sz, &fk);
+}
+
+/* --- @twofish_fkinit@ --- *
+ *
+ * Arguments: @twofish_fk *fk@ = pointer to family key block
+ * @const void *buf@ = pointer to buffer of key material
+ * @size_t sz@ = size of key material
+ *
+ * Returns: ---
+ *
+ * Use: Initializes a family-key buffer. This implementation allows
+ * family keys of any size acceptable to the Twofish algorithm.
+ */
+
+void twofish_fkinit(twofish_fk *fk, const void *buf, size_t sz)
+{
+ twofish_ctx k;
+ uint32 pt[4], ct[4];
+ const octet *kk;
+ unsigned i;
+
+ twofish_init(&k, buf, sz);
+
+ for (i = 0; i < 4; i++) pt[i] = (uint32)-1;
+ twofish_eblk(&k, pt, fk->t0 + 4);
+
+ kk = buf; sz /= 4;
+ for (i = 0; i < sz; i++) { fk->t0[i] = LOAD32_L(kk); kk += 4; }
+
+ for (i = 0; i < 4; i++) pt[i] = 0; twofish_eblk(&k, pt, ct);
+ for (i = 0; i < 4; i++) STORE32_L(fk->t1 + i * 4, ct[i]);
+ pt[0] = 1; twofish_eblk(&k, pt, ct);
+ for (i = 0; i < 4; i++) STORE32_L(fk->t1 + 4 + i * 4, ct[i]);
+
+ pt[0] = 2; twofish_eblk(&k, pt, fk->t23 + 0);
+ pt[0] = 3; twofish_eblk(&k, pt, fk->t23 + 4);
+ pt[0] = 4; twofish_eblk(&k, pt, ct);
+ fk->t4[0] = ct[0]; fk->t4[1] = ct[1];
+
+ BURN(k);
+}
+
+/*----- Main encryption ---------------------------------------------------*/
+
+/* --- Feistel function --- */
+
+#define GG(k, t0, t1, x, y, kk) do { \
+ t0 = (k->g[0][U8(x >> 0)] ^ \
+ k->g[1][U8(x >> 8)] ^ \
+ k->g[2][U8(x >> 16)] ^ \
+ k->g[3][U8(x >> 24)]); \
+ t1 = (k->g[1][U8(y >> 0)] ^ \
+ k->g[2][U8(y >> 8)] ^ \
+ k->g[3][U8(y >> 16)] ^ \
+ k->g[0][U8(y >> 24)]); \
+ t0 += t1; \
+ t1 += t0; \
+ t0 += kk[0]; \
+ t1 += kk[1]; \
+} while (0)
+
+/* --- Round operations --- */
+
+#define EROUND(k, w, x, y, z, kk) do { \
+ uint32 _t0, _t1; \
+ GG(k, _t0, _t1, w, x, kk); \
+ kk += 2; \
+ y ^= _t0; y = ROR32(y, 1); \
+ z = ROL32(z, 1); z ^= _t1; \
+} while (0)
+
+#define DROUND(k, w, x, y, z, kk) do { \
+ uint32 _t0, _t1; \
+ kk -= 2; \
+ GG(k, _t0, _t1, w, x, kk); \
+ y = ROL32(y, 1); y ^= _t0; \
+ z ^= _t1; z = ROR32(z, 1); \
+} while (0)
+
+/* --- Complete encryption functions --- */
+
+#define EBLK(k, a, b, c, d, w, x, y, z) do { \
+ const uint32 *_kk = k->k + 8; \
+ uint32 _a = a, _b = b, _c = c, _d = d; \
+ _a ^= k->k[0]; _b ^= k->k[1]; _c ^= k->k[2]; _d ^= k->k[3]; \
+ EROUND(k, _a, _b, _c, _d, _kk); \
+ EROUND(k, _c, _d, _a, _b, _kk); \
+ EROUND(k, _a, _b, _c, _d, _kk); \
+ EROUND(k, _c, _d, _a, _b, _kk); \
+ EROUND(k, _a, _b, _c, _d, _kk); \
+ EROUND(k, _c, _d, _a, _b, _kk); \
+ EROUND(k, _a, _b, _c, _d, _kk); \
+ EROUND(k, _c, _d, _a, _b, _kk); \
+ EROUND(k, _a, _b, _c, _d, _kk); \
+ EROUND(k, _c, _d, _a, _b, _kk); \
+ EROUND(k, _a, _b, _c, _d, _kk); \
+ EROUND(k, _c, _d, _a, _b, _kk); \
+ EROUND(k, _a, _b, _c, _d, _kk); \
+ EROUND(k, _c, _d, _a, _b, _kk); \
+ EROUND(k, _a, _b, _c, _d, _kk); \
+ EROUND(k, _c, _d, _a, _b, _kk); \
+ _c ^= k->k[4]; _d ^= k->k[5]; _a ^= k->k[6]; _b ^= k->k[7]; \
+ w = U32(_c); x = U32(_d); y = U32(_a); z = U32(_b); \
+} while (0)
+
+#define DBLK(k, a, b, c, d, w, x, y, z) do { \
+ const uint32 *_kk = k->k + 40; \
+ uint32 _a = a, _b = b, _c = c, _d = d; \
+ _a ^= k->k[4]; _b ^= k->k[5]; _c ^= k->k[6]; _d ^= k->k[7]; \
+ DROUND(k, _a, _b, _c, _d, _kk); \
+ DROUND(k, _c, _d, _a, _b, _kk); \
+ DROUND(k, _a, _b, _c, _d, _kk); \
+ DROUND(k, _c, _d, _a, _b, _kk); \
+ DROUND(k, _a, _b, _c, _d, _kk); \
+ DROUND(k, _c, _d, _a, _b, _kk); \
+ DROUND(k, _a, _b, _c, _d, _kk); \
+ DROUND(k, _c, _d, _a, _b, _kk); \
+ DROUND(k, _a, _b, _c, _d, _kk); \
+ DROUND(k, _c, _d, _a, _b, _kk); \
+ DROUND(k, _a, _b, _c, _d, _kk); \
+ DROUND(k, _c, _d, _a, _b, _kk); \
+ DROUND(k, _a, _b, _c, _d, _kk); \
+ DROUND(k, _c, _d, _a, _b, _kk); \
+ DROUND(k, _a, _b, _c, _d, _kk); \
+ DROUND(k, _c, _d, _a, _b, _kk); \
+ _c ^= k->k[0]; _d ^= k->k[1]; _a ^= k->k[2]; _b ^= k->k[3]; \
+ w = U32(_c); x = U32(_d); y = U32(_a); z = U32(_b); \
+} while (0)
+
+/* --- @twofish_eblk@, @twofish_dblk@ --- *
+ *
+ * Arguments: @const twofish_ctx *k@ = pointer to key block
+ * @const uint32 s[4]@ = pointer to source block
+ * @uint32 d[4]@ = pointer to destination block
+ *
+ * Returns: ---
+ *
+ * Use: Low-level block encryption and decryption.
+ */
+
+void twofish_eblk(const twofish_ctx *k, const uint32 *s, uint32 *d)
+{
+ EBLK(k, s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
+}
+
+void twofish_dblk(const twofish_ctx *k, const uint32 *s, uint32 *d)
+{
+ DBLK(k, s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
+}
+
+BLKC_TEST(TWOFISH, twofish)
+
+/*----- That's all, folks -------------------------------------------------*/