1 /* blowfish.c - Blowfish encryption
2 * Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc.
3 *
4 * This file is part of Libgcrypt.
5 *
6 * Libgcrypt is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU Lesser general Public License as
8 * published by the Free Software Foundation; either version 2.1 of
9 * the License, or (at your option) any later version.
10 *
11 * Libgcrypt is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19 *
20 * For a description of the algorithm, see:
21 * Bruce Schneier: Applied Cryptography. John Wiley & Sons, 1996.
22 * ISBN 0-471-11709-9. Pages 336 ff.
23 */
24
25 /* Test values:
26 * key "abcdefghijklmnopqrstuvwxyz";
27 * plain "BLOWFISH"
28 * cipher 32 4E D0 FE F4 13 A2 03
29 *
30 */
31
32 #include <config.h>
33 #include <stdio.h>
34 #include <stdlib.h>
35 #include <string.h>
36 #include "types.h"
37 #include "g10lib.h"
38 #include "cipher.h"
39 #include "bufhelp.h"
40 #include "cipher-internal.h"
41 #include "cipher-selftest.h"
42
43 #define BLOWFISH_BLOCKSIZE 8
44 #define BLOWFISH_KEY_MIN_BITS 8
45 #define BLOWFISH_KEY_MAX_BITS 576
46
47
48 /* USE_AMD64_ASM indicates whether to use AMD64 assembly code. */
49 #undef USE_AMD64_ASM
50 #if defined(__x86_64__) && (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \
51 defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS))
52 # define USE_AMD64_ASM 1
53 #endif
54
55 /* USE_ARM_ASM indicates whether to use ARM assembly code. */
56 #undef USE_ARM_ASM
57 #if defined(__ARMEL__)
58 # if defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS)
59 # define USE_ARM_ASM 1
60 # endif
61 #endif
62
63 typedef struct {
64 u32 s0[256];
65 u32 s1[256];
66 u32 s2[256];
67 u32 s3[256];
68 u32 p[16+2];
69 } BLOWFISH_context;
70
71 static gcry_err_code_t bf_setkey (void *c, const byte *key, unsigned keylen,
72 cipher_bulk_ops_t *bulk_ops);
73 static unsigned int encrypt_block (void *bc, byte *outbuf, const byte *inbuf);
74 static unsigned int decrypt_block (void *bc, byte *outbuf, const byte *inbuf);
75
76
77 /* precomputed S boxes */
78 static const u32 ks0[256] = {
79 0xD1310BA6,0x98DFB5AC,0x2FFD72DB,0xD01ADFB7,0xB8E1AFED,0x6A267E96,
80 0xBA7C9045,0xF12C7F99,0x24A19947,0xB3916CF7,0x0801F2E2,0x858EFC16,
81 0x636920D8,0x71574E69,0xA458FEA3,0xF4933D7E,0x0D95748F,0x728EB658,
82 0x718BCD58,0x82154AEE,0x7B54A41D,0xC25A59B5,0x9C30D539,0x2AF26013,
83 0xC5D1B023,0x286085F0,0xCA417918,0xB8DB38EF,0x8E79DCB0,0x603A180E,
84 0x6C9E0E8B,0xB01E8A3E,0xD71577C1,0xBD314B27,0x78AF2FDA,0x55605C60,
85 0xE65525F3,0xAA55AB94,0x57489862,0x63E81440,0x55CA396A,0x2AAB10B6,
86 0xB4CC5C34,0x1141E8CE,0xA15486AF,0x7C72E993,0xB3EE1411,0x636FBC2A,
87 0x2BA9C55D,0x741831F6,0xCE5C3E16,0x9B87931E,0xAFD6BA33,0x6C24CF5C,
88 0x7A325381,0x28958677,0x3B8F4898,0x6B4BB9AF,0xC4BFE81B,0x66282193,
89 0x61D809CC,0xFB21A991,0x487CAC60,0x5DEC8032,0xEF845D5D,0xE98575B1,
90 0xDC262302,0xEB651B88,0x23893E81,0xD396ACC5,0x0F6D6FF3,0x83F44239,
91 0x2E0B4482,0xA4842004,0x69C8F04A,0x9E1F9B5E,0x21C66842,0xF6E96C9A,
92 0x670C9C61,0xABD388F0,0x6A51A0D2,0xD8542F68,0x960FA728,0xAB5133A3,
93 0x6EEF0B6C,0x137A3BE4,0xBA3BF050,0x7EFB2A98,0xA1F1651D,0x39AF0176,
94 0x66CA593E,0x82430E88,0x8CEE8619,0x456F9FB4,0x7D84A5C3,0x3B8B5EBE,
95 0xE06F75D8,0x85C12073,0x401A449F,0x56C16AA6,0x4ED3AA62,0x363F7706,
96 0x1BFEDF72,0x429B023D,0x37D0D724,0xD00A1248,0xDB0FEAD3,0x49F1C09B,
97 0x075372C9,0x80991B7B,0x25D479D8,0xF6E8DEF7,0xE3FE501A,0xB6794C3B,
98 0x976CE0BD,0x04C006BA,0xC1A94FB6,0x409F60C4,0x5E5C9EC2,0x196A2463,
99 0x68FB6FAF,0x3E6C53B5,0x1339B2EB,0x3B52EC6F,0x6DFC511F,0x9B30952C,
100 0xCC814544,0xAF5EBD09,0xBEE3D004,0xDE334AFD,0x660F2807,0x192E4BB3,
101 0xC0CBA857,0x45C8740F,0xD20B5F39,0xB9D3FBDB,0x5579C0BD,0x1A60320A,
102 0xD6A100C6,0x402C7279,0x679F25FE,0xFB1FA3CC,0x8EA5E9F8,0xDB3222F8,
103 0x3C7516DF,0xFD616B15,0x2F501EC8,0xAD0552AB,0x323DB5FA,0xFD238760,
104 0x53317B48,0x3E00DF82,0x9E5C57BB,0xCA6F8CA0,0x1A87562E,0xDF1769DB,
105 0xD542A8F6,0x287EFFC3,0xAC6732C6,0x8C4F5573,0x695B27B0,0xBBCA58C8,
106 0xE1FFA35D,0xB8F011A0,0x10FA3D98,0xFD2183B8,0x4AFCB56C,0x2DD1D35B,
107 0x9A53E479,0xB6F84565,0xD28E49BC,0x4BFB9790,0xE1DDF2DA,0xA4CB7E33,
108 0x62FB1341,0xCEE4C6E8,0xEF20CADA,0x36774C01,0xD07E9EFE,0x2BF11FB4,
109 0x95DBDA4D,0xAE909198,0xEAAD8E71,0x6B93D5A0,0xD08ED1D0,0xAFC725E0,
110 0x8E3C5B2F,0x8E7594B7,0x8FF6E2FB,0xF2122B64,0x8888B812,0x900DF01C,
111 0x4FAD5EA0,0x688FC31C,0xD1CFF191,0xB3A8C1AD,0x2F2F2218,0xBE0E1777,
112 0xEA752DFE,0x8B021FA1,0xE5A0CC0F,0xB56F74E8,0x18ACF3D6,0xCE89E299,
113 0xB4A84FE0,0xFD13E0B7,0x7CC43B81,0xD2ADA8D9,0x165FA266,0x80957705,
114 0x93CC7314,0x211A1477,0xE6AD2065,0x77B5FA86,0xC75442F5,0xFB9D35CF,
115 0xEBCDAF0C,0x7B3E89A0,0xD6411BD3,0xAE1E7E49,0x00250E2D,0x2071B35E,
116 0x226800BB,0x57B8E0AF,0x2464369B,0xF009B91E,0x5563911D,0x59DFA6AA,
117 0x78C14389,0xD95A537F,0x207D5BA2,0x02E5B9C5,0x83260376,0x6295CFA9,
118 0x11C81968,0x4E734A41,0xB3472DCA,0x7B14A94A,0x1B510052,0x9A532915,
119 0xD60F573F,0xBC9BC6E4,0x2B60A476,0x81E67400,0x08BA6FB5,0x571BE91F,
120 0xF296EC6B,0x2A0DD915,0xB6636521,0xE7B9F9B6,0xFF34052E,0xC5855664,
121 0x53B02D5D,0xA99F8FA1,0x08BA4799,0x6E85076A };
122
123 static const u32 ks1[256] = {
124 0x4B7A70E9,0xB5B32944,0xDB75092E,0xC4192623,0xAD6EA6B0,0x49A7DF7D,
125 0x9CEE60B8,0x8FEDB266,0xECAA8C71,0x699A17FF,0x5664526C,0xC2B19EE1,
126 0x193602A5,0x75094C29,0xA0591340,0xE4183A3E,0x3F54989A,0x5B429D65,
127 0x6B8FE4D6,0x99F73FD6,0xA1D29C07,0xEFE830F5,0x4D2D38E6,0xF0255DC1,
128 0x4CDD2086,0x8470EB26,0x6382E9C6,0x021ECC5E,0x09686B3F,0x3EBAEFC9,
129 0x3C971814,0x6B6A70A1,0x687F3584,0x52A0E286,0xB79C5305,0xAA500737,
130 0x3E07841C,0x7FDEAE5C,0x8E7D44EC,0x5716F2B8,0xB03ADA37,0xF0500C0D,
131 0xF01C1F04,0x0200B3FF,0xAE0CF51A,0x3CB574B2,0x25837A58,0xDC0921BD,
132 0xD19113F9,0x7CA92FF6,0x94324773,0x22F54701,0x3AE5E581,0x37C2DADC,
133 0xC8B57634,0x9AF3DDA7,0xA9446146,0x0FD0030E,0xECC8C73E,0xA4751E41,
134 0xE238CD99,0x3BEA0E2F,0x3280BBA1,0x183EB331,0x4E548B38,0x4F6DB908,
135 0x6F420D03,0xF60A04BF,0x2CB81290,0x24977C79,0x5679B072,0xBCAF89AF,
136 0xDE9A771F,0xD9930810,0xB38BAE12,0xDCCF3F2E,0x5512721F,0x2E6B7124,
137 0x501ADDE6,0x9F84CD87,0x7A584718,0x7408DA17,0xBC9F9ABC,0xE94B7D8C,
138 0xEC7AEC3A,0xDB851DFA,0x63094366,0xC464C3D2,0xEF1C1847,0x3215D908,
139 0xDD433B37,0x24C2BA16,0x12A14D43,0x2A65C451,0x50940002,0x133AE4DD,
140 0x71DFF89E,0x10314E55,0x81AC77D6,0x5F11199B,0x043556F1,0xD7A3C76B,
141 0x3C11183B,0x5924A509,0xF28FE6ED,0x97F1FBFA,0x9EBABF2C,0x1E153C6E,
142 0x86E34570,0xEAE96FB1,0x860E5E0A,0x5A3E2AB3,0x771FE71C,0x4E3D06FA,
143 0x2965DCB9,0x99E71D0F,0x803E89D6,0x5266C825,0x2E4CC978,0x9C10B36A,
144 0xC6150EBA,0x94E2EA78,0xA5FC3C53,0x1E0A2DF4,0xF2F74EA7,0x361D2B3D,
145 0x1939260F,0x19C27960,0x5223A708,0xF71312B6,0xEBADFE6E,0xEAC31F66,
146 0xE3BC4595,0xA67BC883,0xB17F37D1,0x018CFF28,0xC332DDEF,0xBE6C5AA5,
147 0x65582185,0x68AB9802,0xEECEA50F,0xDB2F953B,0x2AEF7DAD,0x5B6E2F84,
148 0x1521B628,0x29076170,0xECDD4775,0x619F1510,0x13CCA830,0xEB61BD96,
149 0x0334FE1E,0xAA0363CF,0xB5735C90,0x4C70A239,0xD59E9E0B,0xCBAADE14,
150 0xEECC86BC,0x60622CA7,0x9CAB5CAB,0xB2F3846E,0x648B1EAF,0x19BDF0CA,
151 0xA02369B9,0x655ABB50,0x40685A32,0x3C2AB4B3,0x319EE9D5,0xC021B8F7,
152 0x9B540B19,0x875FA099,0x95F7997E,0x623D7DA8,0xF837889A,0x97E32D77,
153 0x11ED935F,0x16681281,0x0E358829,0xC7E61FD6,0x96DEDFA1,0x7858BA99,
154 0x57F584A5,0x1B227263,0x9B83C3FF,0x1AC24696,0xCDB30AEB,0x532E3054,
155 0x8FD948E4,0x6DBC3128,0x58EBF2EF,0x34C6FFEA,0xFE28ED61,0xEE7C3C73,
156 0x5D4A14D9,0xE864B7E3,0x42105D14,0x203E13E0,0x45EEE2B6,0xA3AAABEA,
157 0xDB6C4F15,0xFACB4FD0,0xC742F442,0xEF6ABBB5,0x654F3B1D,0x41CD2105,
158 0xD81E799E,0x86854DC7,0xE44B476A,0x3D816250,0xCF62A1F2,0x5B8D2646,
159 0xFC8883A0,0xC1C7B6A3,0x7F1524C3,0x69CB7492,0x47848A0B,0x5692B285,
160 0x095BBF00,0xAD19489D,0x1462B174,0x23820E00,0x58428D2A,0x0C55F5EA,
161 0x1DADF43E,0x233F7061,0x3372F092,0x8D937E41,0xD65FECF1,0x6C223BDB,
162 0x7CDE3759,0xCBEE7460,0x4085F2A7,0xCE77326E,0xA6078084,0x19F8509E,
163 0xE8EFD855,0x61D99735,0xA969A7AA,0xC50C06C2,0x5A04ABFC,0x800BCADC,
164 0x9E447A2E,0xC3453484,0xFDD56705,0x0E1E9EC9,0xDB73DBD3,0x105588CD,
165 0x675FDA79,0xE3674340,0xC5C43465,0x713E38D8,0x3D28F89E,0xF16DFF20,
166 0x153E21E7,0x8FB03D4A,0xE6E39F2B,0xDB83ADF7 };
167
168 static const u32 ks2[256] = {
169 0xE93D5A68,0x948140F7,0xF64C261C,0x94692934,0x411520F7,0x7602D4F7,
170 0xBCF46B2E,0xD4A20068,0xD4082471,0x3320F46A,0x43B7D4B7,0x500061AF,
171 0x1E39F62E,0x97244546,0x14214F74,0xBF8B8840,0x4D95FC1D,0x96B591AF,
172 0x70F4DDD3,0x66A02F45,0xBFBC09EC,0x03BD9785,0x7FAC6DD0,0x31CB8504,
173 0x96EB27B3,0x55FD3941,0xDA2547E6,0xABCA0A9A,0x28507825,0x530429F4,
174 0x0A2C86DA,0xE9B66DFB,0x68DC1462,0xD7486900,0x680EC0A4,0x27A18DEE,
175 0x4F3FFEA2,0xE887AD8C,0xB58CE006,0x7AF4D6B6,0xAACE1E7C,0xD3375FEC,
176 0xCE78A399,0x406B2A42,0x20FE9E35,0xD9F385B9,0xEE39D7AB,0x3B124E8B,
177 0x1DC9FAF7,0x4B6D1856,0x26A36631,0xEAE397B2,0x3A6EFA74,0xDD5B4332,
178 0x6841E7F7,0xCA7820FB,0xFB0AF54E,0xD8FEB397,0x454056AC,0xBA489527,
179 0x55533A3A,0x20838D87,0xFE6BA9B7,0xD096954B,0x55A867BC,0xA1159A58,
180 0xCCA92963,0x99E1DB33,0xA62A4A56,0x3F3125F9,0x5EF47E1C,0x9029317C,
181 0xFDF8E802,0x04272F70,0x80BB155C,0x05282CE3,0x95C11548,0xE4C66D22,
182 0x48C1133F,0xC70F86DC,0x07F9C9EE,0x41041F0F,0x404779A4,0x5D886E17,
183 0x325F51EB,0xD59BC0D1,0xF2BCC18F,0x41113564,0x257B7834,0x602A9C60,
184 0xDFF8E8A3,0x1F636C1B,0x0E12B4C2,0x02E1329E,0xAF664FD1,0xCAD18115,
185 0x6B2395E0,0x333E92E1,0x3B240B62,0xEEBEB922,0x85B2A20E,0xE6BA0D99,
186 0xDE720C8C,0x2DA2F728,0xD0127845,0x95B794FD,0x647D0862,0xE7CCF5F0,
187 0x5449A36F,0x877D48FA,0xC39DFD27,0xF33E8D1E,0x0A476341,0x992EFF74,
188 0x3A6F6EAB,0xF4F8FD37,0xA812DC60,0xA1EBDDF8,0x991BE14C,0xDB6E6B0D,
189 0xC67B5510,0x6D672C37,0x2765D43B,0xDCD0E804,0xF1290DC7,0xCC00FFA3,
190 0xB5390F92,0x690FED0B,0x667B9FFB,0xCEDB7D9C,0xA091CF0B,0xD9155EA3,
191 0xBB132F88,0x515BAD24,0x7B9479BF,0x763BD6EB,0x37392EB3,0xCC115979,
192 0x8026E297,0xF42E312D,0x6842ADA7,0xC66A2B3B,0x12754CCC,0x782EF11C,
193 0x6A124237,0xB79251E7,0x06A1BBE6,0x4BFB6350,0x1A6B1018,0x11CAEDFA,
194 0x3D25BDD8,0xE2E1C3C9,0x44421659,0x0A121386,0xD90CEC6E,0xD5ABEA2A,
195 0x64AF674E,0xDA86A85F,0xBEBFE988,0x64E4C3FE,0x9DBC8057,0xF0F7C086,
196 0x60787BF8,0x6003604D,0xD1FD8346,0xF6381FB0,0x7745AE04,0xD736FCCC,
197 0x83426B33,0xF01EAB71,0xB0804187,0x3C005E5F,0x77A057BE,0xBDE8AE24,
198 0x55464299,0xBF582E61,0x4E58F48F,0xF2DDFDA2,0xF474EF38,0x8789BDC2,
199 0x5366F9C3,0xC8B38E74,0xB475F255,0x46FCD9B9,0x7AEB2661,0x8B1DDF84,
200 0x846A0E79,0x915F95E2,0x466E598E,0x20B45770,0x8CD55591,0xC902DE4C,
201 0xB90BACE1,0xBB8205D0,0x11A86248,0x7574A99E,0xB77F19B6,0xE0A9DC09,
202 0x662D09A1,0xC4324633,0xE85A1F02,0x09F0BE8C,0x4A99A025,0x1D6EFE10,
203 0x1AB93D1D,0x0BA5A4DF,0xA186F20F,0x2868F169,0xDCB7DA83,0x573906FE,
204 0xA1E2CE9B,0x4FCD7F52,0x50115E01,0xA70683FA,0xA002B5C4,0x0DE6D027,
205 0x9AF88C27,0x773F8641,0xC3604C06,0x61A806B5,0xF0177A28,0xC0F586E0,
206 0x006058AA,0x30DC7D62,0x11E69ED7,0x2338EA63,0x53C2DD94,0xC2C21634,
207 0xBBCBEE56,0x90BCB6DE,0xEBFC7DA1,0xCE591D76,0x6F05E409,0x4B7C0188,
208 0x39720A3D,0x7C927C24,0x86E3725F,0x724D9DB9,0x1AC15BB4,0xD39EB8FC,
209 0xED545578,0x08FCA5B5,0xD83D7CD3,0x4DAD0FC4,0x1E50EF5E,0xB161E6F8,
210 0xA28514D9,0x6C51133C,0x6FD5C7E7,0x56E14EC4,0x362ABFCE,0xDDC6C837,
211 0xD79A3234,0x92638212,0x670EFA8E,0x406000E0 };
212
213 static const u32 ks3[256] = {
214 0x3A39CE37,0xD3FAF5CF,0xABC27737,0x5AC52D1B,0x5CB0679E,0x4FA33742,
215 0xD3822740,0x99BC9BBE,0xD5118E9D,0xBF0F7315,0xD62D1C7E,0xC700C47B,
216 0xB78C1B6B,0x21A19045,0xB26EB1BE,0x6A366EB4,0x5748AB2F,0xBC946E79,
217 0xC6A376D2,0x6549C2C8,0x530FF8EE,0x468DDE7D,0xD5730A1D,0x4CD04DC6,
218 0x2939BBDB,0xA9BA4650,0xAC9526E8,0xBE5EE304,0xA1FAD5F0,0x6A2D519A,
219 0x63EF8CE2,0x9A86EE22,0xC089C2B8,0x43242EF6,0xA51E03AA,0x9CF2D0A4,
220 0x83C061BA,0x9BE96A4D,0x8FE51550,0xBA645BD6,0x2826A2F9,0xA73A3AE1,
221 0x4BA99586,0xEF5562E9,0xC72FEFD3,0xF752F7DA,0x3F046F69,0x77FA0A59,
222 0x80E4A915,0x87B08601,0x9B09E6AD,0x3B3EE593,0xE990FD5A,0x9E34D797,
223 0x2CF0B7D9,0x022B8B51,0x96D5AC3A,0x017DA67D,0xD1CF3ED6,0x7C7D2D28,
224 0x1F9F25CF,0xADF2B89B,0x5AD6B472,0x5A88F54C,0xE029AC71,0xE019A5E6,
225 0x47B0ACFD,0xED93FA9B,0xE8D3C48D,0x283B57CC,0xF8D56629,0x79132E28,
226 0x785F0191,0xED756055,0xF7960E44,0xE3D35E8C,0x15056DD4,0x88F46DBA,
227 0x03A16125,0x0564F0BD,0xC3EB9E15,0x3C9057A2,0x97271AEC,0xA93A072A,
228 0x1B3F6D9B,0x1E6321F5,0xF59C66FB,0x26DCF319,0x7533D928,0xB155FDF5,
229 0x03563482,0x8ABA3CBB,0x28517711,0xC20AD9F8,0xABCC5167,0xCCAD925F,
230 0x4DE81751,0x3830DC8E,0x379D5862,0x9320F991,0xEA7A90C2,0xFB3E7BCE,
231 0x5121CE64,0x774FBE32,0xA8B6E37E,0xC3293D46,0x48DE5369,0x6413E680,
232 0xA2AE0810,0xDD6DB224,0x69852DFD,0x09072166,0xB39A460A,0x6445C0DD,
233 0x586CDECF,0x1C20C8AE,0x5BBEF7DD,0x1B588D40,0xCCD2017F,0x6BB4E3BB,
234 0xDDA26A7E,0x3A59FF45,0x3E350A44,0xBCB4CDD5,0x72EACEA8,0xFA6484BB,
235 0x8D6612AE,0xBF3C6F47,0xD29BE463,0x542F5D9E,0xAEC2771B,0xF64E6370,
236 0x740E0D8D,0xE75B1357,0xF8721671,0xAF537D5D,0x4040CB08,0x4EB4E2CC,
237 0x34D2466A,0x0115AF84,0xE1B00428,0x95983A1D,0x06B89FB4,0xCE6EA048,
238 0x6F3F3B82,0x3520AB82,0x011A1D4B,0x277227F8,0x611560B1,0xE7933FDC,
239 0xBB3A792B,0x344525BD,0xA08839E1,0x51CE794B,0x2F32C9B7,0xA01FBAC9,
240 0xE01CC87E,0xBCC7D1F6,0xCF0111C3,0xA1E8AAC7,0x1A908749,0xD44FBD9A,
241 0xD0DADECB,0xD50ADA38,0x0339C32A,0xC6913667,0x8DF9317C,0xE0B12B4F,
242 0xF79E59B7,0x43F5BB3A,0xF2D519FF,0x27D9459C,0xBF97222C,0x15E6FC2A,
243 0x0F91FC71,0x9B941525,0xFAE59361,0xCEB69CEB,0xC2A86459,0x12BAA8D1,
244 0xB6C1075E,0xE3056A0C,0x10D25065,0xCB03A442,0xE0EC6E0E,0x1698DB3B,
245 0x4C98A0BE,0x3278E964,0x9F1F9532,0xE0D392DF,0xD3A0342B,0x8971F21E,
246 0x1B0A7441,0x4BA3348C,0xC5BE7120,0xC37632D8,0xDF359F8D,0x9B992F2E,
247 0xE60B6F47,0x0FE3F11D,0xE54CDA54,0x1EDAD891,0xCE6279CF,0xCD3E7E6F,
248 0x1618B166,0xFD2C1D05,0x848FD2C5,0xF6FB2299,0xF523F357,0xA6327623,
249 0x93A83531,0x56CCCD02,0xACF08162,0x5A75EBB5,0x6E163697,0x88D273CC,
250 0xDE966292,0x81B949D0,0x4C50901B,0x71C65614,0xE6C6C7BD,0x327A140A,
251 0x45E1D006,0xC3F27B9A,0xC9AA53FD,0x62A80F00,0xBB25BFE2,0x35BDD2F6,
252 0x71126905,0xB2040222,0xB6CBCF7C,0xCD769C2B,0x53113EC0,0x1640E3D3,
253 0x38ABBD60,0x2547ADF0,0xBA38209C,0xF746CE76,0x77AFA1C5,0x20756060,
254 0x85CBFE4E,0x8AE88DD8,0x7AAAF9B0,0x4CF9AA7E,0x1948C25C,0x02FB8A8C,
255 0x01C36AE4,0xD6EBE1F9,0x90D4F869,0xA65CDEA0,0x3F09252D,0xC208E69F,
256 0xB74E6132,0xCE77E25B,0x578FDFE3,0x3AC372E6 };
257
258 static const u32 ps[16+2] = {
259 0x243F6A88,0x85A308D3,0x13198A2E,0x03707344,0xA4093822,0x299F31D0,
260 0x082EFA98,0xEC4E6C89,0x452821E6,0x38D01377,0xBE5466CF,0x34E90C6C,
261 0xC0AC29B7,0xC97C50DD,0x3F84D5B5,0xB5470917,0x9216D5D9,0x8979FB1B };
262
263
264 #ifdef USE_AMD64_ASM
265
266 /* Assembly implementations of Blowfish. */
267 extern void _gcry_blowfish_amd64_do_encrypt(BLOWFISH_context *c, u32 *ret_xl,
268 u32 *ret_xr);
269
270 extern void _gcry_blowfish_amd64_encrypt_block(BLOWFISH_context *c, byte *out,
271 const byte *in);
272
273 extern void _gcry_blowfish_amd64_decrypt_block(BLOWFISH_context *c, byte *out,
274 const byte *in);
275
276 /* These assembly implementations process four blocks in parallel. */
277 extern void _gcry_blowfish_amd64_ctr_enc(BLOWFISH_context *ctx, byte *out,
278 const byte *in, byte *ctr);
279
280 extern void _gcry_blowfish_amd64_cbc_dec(BLOWFISH_context *ctx, byte *out,
281 const byte *in, byte *iv);
282
283 extern void _gcry_blowfish_amd64_cfb_dec(BLOWFISH_context *ctx, byte *out,
284 const byte *in, byte *iv);
285
286 static void
do_encrypt(BLOWFISH_context * bc,u32 * ret_xl,u32 * ret_xr)287 do_encrypt ( BLOWFISH_context *bc, u32 *ret_xl, u32 *ret_xr )
288 {
289 _gcry_blowfish_amd64_do_encrypt (bc, ret_xl, ret_xr);
290 }
291
292 static void
do_encrypt_block(BLOWFISH_context * context,byte * outbuf,const byte * inbuf)293 do_encrypt_block (BLOWFISH_context *context, byte *outbuf, const byte *inbuf)
294 {
295 _gcry_blowfish_amd64_encrypt_block (context, outbuf, inbuf);
296 }
297
298 static void
do_decrypt_block(BLOWFISH_context * context,byte * outbuf,const byte * inbuf)299 do_decrypt_block (BLOWFISH_context *context, byte *outbuf, const byte *inbuf)
300 {
301 _gcry_blowfish_amd64_decrypt_block (context, outbuf, inbuf);
302 }
303
304 static inline void
blowfish_amd64_ctr_enc(BLOWFISH_context * ctx,byte * out,const byte * in,byte * ctr)305 blowfish_amd64_ctr_enc(BLOWFISH_context *ctx, byte *out, const byte *in,
306 byte *ctr)
307 {
308 _gcry_blowfish_amd64_ctr_enc(ctx, out, in, ctr);
309 }
310
311 static inline void
blowfish_amd64_cbc_dec(BLOWFISH_context * ctx,byte * out,const byte * in,byte * iv)312 blowfish_amd64_cbc_dec(BLOWFISH_context *ctx, byte *out, const byte *in,
313 byte *iv)
314 {
315 _gcry_blowfish_amd64_cbc_dec(ctx, out, in, iv);
316 }
317
318 static inline void
blowfish_amd64_cfb_dec(BLOWFISH_context * ctx,byte * out,const byte * in,byte * iv)319 blowfish_amd64_cfb_dec(BLOWFISH_context *ctx, byte *out, const byte *in,
320 byte *iv)
321 {
322 _gcry_blowfish_amd64_cfb_dec(ctx, out, in, iv);
323 }
324
325 static unsigned int
encrypt_block(void * context,byte * outbuf,const byte * inbuf)326 encrypt_block (void *context , byte *outbuf, const byte *inbuf)
327 {
328 BLOWFISH_context *c = (BLOWFISH_context *) context;
329 do_encrypt_block (c, outbuf, inbuf);
330 return /*burn_stack*/ (2*8);
331 }
332
333 static unsigned int
decrypt_block(void * context,byte * outbuf,const byte * inbuf)334 decrypt_block (void *context, byte *outbuf, const byte *inbuf)
335 {
336 BLOWFISH_context *c = (BLOWFISH_context *) context;
337 do_decrypt_block (c, outbuf, inbuf);
338 return /*burn_stack*/ (2*8);
339 }
340
341 #elif defined(USE_ARM_ASM)
342
343 /* Assembly implementations of Blowfish. */
344 extern void _gcry_blowfish_arm_do_encrypt(BLOWFISH_context *c, u32 *ret_xl,
345 u32 *ret_xr);
346
347 extern void _gcry_blowfish_arm_encrypt_block(BLOWFISH_context *c, byte *out,
348 const byte *in);
349
350 extern void _gcry_blowfish_arm_decrypt_block(BLOWFISH_context *c, byte *out,
351 const byte *in);
352
353 /* These assembly implementations process two blocks in parallel. */
354 extern void _gcry_blowfish_arm_ctr_enc(BLOWFISH_context *ctx, byte *out,
355 const byte *in, byte *ctr);
356
357 extern void _gcry_blowfish_arm_cbc_dec(BLOWFISH_context *ctx, byte *out,
358 const byte *in, byte *iv);
359
360 extern void _gcry_blowfish_arm_cfb_dec(BLOWFISH_context *ctx, byte *out,
361 const byte *in, byte *iv);
362
363 static void
do_encrypt(BLOWFISH_context * bc,u32 * ret_xl,u32 * ret_xr)364 do_encrypt ( BLOWFISH_context *bc, u32 *ret_xl, u32 *ret_xr )
365 {
366 _gcry_blowfish_arm_do_encrypt (bc, ret_xl, ret_xr);
367 }
368
369 static void
do_encrypt_block(BLOWFISH_context * context,byte * outbuf,const byte * inbuf)370 do_encrypt_block (BLOWFISH_context *context, byte *outbuf, const byte *inbuf)
371 {
372 _gcry_blowfish_arm_encrypt_block (context, outbuf, inbuf);
373 }
374
375 static void
do_decrypt_block(BLOWFISH_context * context,byte * outbuf,const byte * inbuf)376 do_decrypt_block (BLOWFISH_context *context, byte *outbuf, const byte *inbuf)
377 {
378 _gcry_blowfish_arm_decrypt_block (context, outbuf, inbuf);
379 }
380
381 static unsigned int
encrypt_block(void * context,byte * outbuf,const byte * inbuf)382 encrypt_block (void *context , byte *outbuf, const byte *inbuf)
383 {
384 BLOWFISH_context *c = (BLOWFISH_context *) context;
385 do_encrypt_block (c, outbuf, inbuf);
386 return /*burn_stack*/ (10*4);
387 }
388
389 static unsigned int
decrypt_block(void * context,byte * outbuf,const byte * inbuf)390 decrypt_block (void *context, byte *outbuf, const byte *inbuf)
391 {
392 BLOWFISH_context *c = (BLOWFISH_context *) context;
393 do_decrypt_block (c, outbuf, inbuf);
394 return /*burn_stack*/ (10*4);
395 }
396
397 #else /*USE_ARM_ASM*/
398
399
400 #define F(x) ((( s0[(x)>>24] + s1[((x)>>16)&0xff]) \
401 ^ s2[((x)>>8)&0xff]) + s3[(x)&0xff] )
402 #define R(l,r,i) do { l ^= p[i]; r ^= F(l); } while(0)
403 #define R3(l,r,i) do { R(l##0,r##0,i);R(l##1,r##1,i);R(l##2,r##2,i);} while(0)
404
405
406 static void
do_encrypt(BLOWFISH_context * bc,u32 * ret_xl,u32 * ret_xr)407 do_encrypt ( BLOWFISH_context *bc, u32 *ret_xl, u32 *ret_xr )
408 {
409 u32 xl, xr, *s0, *s1, *s2, *s3, *p;
410
411 xl = *ret_xl;
412 xr = *ret_xr;
413 p = bc->p;
414 s0 = bc->s0;
415 s1 = bc->s1;
416 s2 = bc->s2;
417 s3 = bc->s3;
418
419 R( xl, xr, 0);
420 R( xr, xl, 1);
421 R( xl, xr, 2);
422 R( xr, xl, 3);
423 R( xl, xr, 4);
424 R( xr, xl, 5);
425 R( xl, xr, 6);
426 R( xr, xl, 7);
427 R( xl, xr, 8);
428 R( xr, xl, 9);
429 R( xl, xr, 10);
430 R( xr, xl, 11);
431 R( xl, xr, 12);
432 R( xr, xl, 13);
433 R( xl, xr, 14);
434 R( xr, xl, 15);
435
436 xl ^= p[16];
437 xr ^= p[16+1];
438
439 *ret_xl = xr;
440 *ret_xr = xl;
441 }
442
443
444 static void
do_encrypt_3(BLOWFISH_context * bc,byte * dst,const byte * src)445 do_encrypt_3 ( BLOWFISH_context *bc, byte *dst, const byte *src )
446 {
447 u32 xl0, xr0, xl1, xr1, xl2, xr2, *s0, *s1, *s2, *s3, *p;
448
449 xl0 = buf_get_be32(src + 0);
450 xr0 = buf_get_be32(src + 4);
451 xl1 = buf_get_be32(src + 8);
452 xr1 = buf_get_be32(src + 12);
453 xl2 = buf_get_be32(src + 16);
454 xr2 = buf_get_be32(src + 20);
455 p = bc->p;
456 s0 = bc->s0;
457 s1 = bc->s1;
458 s2 = bc->s2;
459 s3 = bc->s3;
460
461 R3( xl, xr, 0);
462 R3( xr, xl, 1);
463 R3( xl, xr, 2);
464 R3( xr, xl, 3);
465 R3( xl, xr, 4);
466 R3( xr, xl, 5);
467 R3( xl, xr, 6);
468 R3( xr, xl, 7);
469 R3( xl, xr, 8);
470 R3( xr, xl, 9);
471 R3( xl, xr, 10);
472 R3( xr, xl, 11);
473 R3( xl, xr, 12);
474 R3( xr, xl, 13);
475 R3( xl, xr, 14);
476 R3( xr, xl, 15);
477
478 xl0 ^= p[16];
479 xr0 ^= p[16+1];
480 xl1 ^= p[16];
481 xr1 ^= p[16+1];
482 xl2 ^= p[16];
483 xr2 ^= p[16+1];
484
485 buf_put_be32(dst + 0, xr0);
486 buf_put_be32(dst + 4, xl0);
487 buf_put_be32(dst + 8, xr1);
488 buf_put_be32(dst + 12, xl1);
489 buf_put_be32(dst + 16, xr2);
490 buf_put_be32(dst + 20, xl2);
491 }
492
493
494 static void
decrypt(BLOWFISH_context * bc,u32 * ret_xl,u32 * ret_xr)495 decrypt ( BLOWFISH_context *bc, u32 *ret_xl, u32 *ret_xr )
496 {
497 u32 xl, xr, *s0, *s1, *s2, *s3, *p;
498
499 xl = *ret_xl;
500 xr = *ret_xr;
501 p = bc->p;
502 s0 = bc->s0;
503 s1 = bc->s1;
504 s2 = bc->s2;
505 s3 = bc->s3;
506
507 R( xl, xr, 17);
508 R( xr, xl, 16);
509 R( xl, xr, 15);
510 R( xr, xl, 14);
511 R( xl, xr, 13);
512 R( xr, xl, 12);
513 R( xl, xr, 11);
514 R( xr, xl, 10);
515 R( xl, xr, 9);
516 R( xr, xl, 8);
517 R( xl, xr, 7);
518 R( xr, xl, 6);
519 R( xl, xr, 5);
520 R( xr, xl, 4);
521 R( xl, xr, 3);
522 R( xr, xl, 2);
523
524 xl ^= p[1];
525 xr ^= p[0];
526
527 *ret_xl = xr;
528 *ret_xr = xl;
529 }
530
531
532 static void
do_decrypt_3(BLOWFISH_context * bc,byte * dst,const byte * src)533 do_decrypt_3 ( BLOWFISH_context *bc, byte *dst, const byte *src )
534 {
535 u32 xl0, xr0, xl1, xr1, xl2, xr2, *s0, *s1, *s2, *s3, *p;
536
537 xl0 = buf_get_be32(src + 0);
538 xr0 = buf_get_be32(src + 4);
539 xl1 = buf_get_be32(src + 8);
540 xr1 = buf_get_be32(src + 12);
541 xl2 = buf_get_be32(src + 16);
542 xr2 = buf_get_be32(src + 20);
543 p = bc->p;
544 s0 = bc->s0;
545 s1 = bc->s1;
546 s2 = bc->s2;
547 s3 = bc->s3;
548
549 R3( xl, xr, 17);
550 R3( xr, xl, 16);
551 R3( xl, xr, 15);
552 R3( xr, xl, 14);
553 R3( xl, xr, 13);
554 R3( xr, xl, 12);
555 R3( xl, xr, 11);
556 R3( xr, xl, 10);
557 R3( xl, xr, 9);
558 R3( xr, xl, 8);
559 R3( xl, xr, 7);
560 R3( xr, xl, 6);
561 R3( xl, xr, 5);
562 R3( xr, xl, 4);
563 R3( xl, xr, 3);
564 R3( xr, xl, 2);
565
566 xl0 ^= p[1];
567 xr0 ^= p[0];
568 xl1 ^= p[1];
569 xr1 ^= p[0];
570 xl2 ^= p[1];
571 xr2 ^= p[0];
572
573 buf_put_be32(dst + 0, xr0);
574 buf_put_be32(dst + 4, xl0);
575 buf_put_be32(dst + 8, xr1);
576 buf_put_be32(dst + 12, xl1);
577 buf_put_be32(dst + 16, xr2);
578 buf_put_be32(dst + 20, xl2);
579 }
580
581 #undef F
582 #undef R
583 #undef R3
584
585 static void
do_encrypt_block(BLOWFISH_context * bc,byte * outbuf,const byte * inbuf)586 do_encrypt_block ( BLOWFISH_context *bc, byte *outbuf, const byte *inbuf )
587 {
588 u32 d1, d2;
589
590 d1 = buf_get_be32(inbuf);
591 d2 = buf_get_be32(inbuf + 4);
592 do_encrypt( bc, &d1, &d2 );
593 buf_put_be32(outbuf, d1);
594 buf_put_be32(outbuf + 4, d2);
595 }
596
597 static unsigned int
encrypt_block(void * context,byte * outbuf,const byte * inbuf)598 encrypt_block (void *context, byte *outbuf, const byte *inbuf)
599 {
600 BLOWFISH_context *bc = (BLOWFISH_context *) context;
601 do_encrypt_block (bc, outbuf, inbuf);
602 return /*burn_stack*/ (64);
603 }
604
605
606 static void
do_decrypt_block(BLOWFISH_context * bc,byte * outbuf,const byte * inbuf)607 do_decrypt_block (BLOWFISH_context *bc, byte *outbuf, const byte *inbuf)
608 {
609 u32 d1, d2;
610
611 d1 = buf_get_be32(inbuf);
612 d2 = buf_get_be32(inbuf + 4);
613 decrypt( bc, &d1, &d2 );
614 buf_put_be32(outbuf, d1);
615 buf_put_be32(outbuf + 4, d2);
616 }
617
618 static unsigned int
decrypt_block(void * context,byte * outbuf,const byte * inbuf)619 decrypt_block (void *context, byte *outbuf, const byte *inbuf)
620 {
621 BLOWFISH_context *bc = (BLOWFISH_context *) context;
622 do_decrypt_block (bc, outbuf, inbuf);
623 return /*burn_stack*/ (64);
624 }
625
626 #endif /*!USE_AMD64_ASM&&!USE_ARM_ASM*/
627
628
629 /* Bulk encryption of complete blocks in CTR mode. This function is only
630 intended for the bulk encryption feature of cipher.c. CTR is expected to be
631 of size BLOWFISH_BLOCKSIZE. */
632 static void
_gcry_blowfish_ctr_enc(void * context,unsigned char * ctr,void * outbuf_arg,const void * inbuf_arg,size_t nblocks)633 _gcry_blowfish_ctr_enc(void *context, unsigned char *ctr, void *outbuf_arg,
634 const void *inbuf_arg, size_t nblocks)
635 {
636 BLOWFISH_context *ctx = context;
637 unsigned char *outbuf = outbuf_arg;
638 const unsigned char *inbuf = inbuf_arg;
639 unsigned char tmpbuf[BLOWFISH_BLOCKSIZE * 3];
640 int burn_stack_depth = (64) + 4 * BLOWFISH_BLOCKSIZE;
641
642 #ifdef USE_AMD64_ASM
643 {
644 if (nblocks >= 4)
645 burn_stack_depth += 5 * sizeof(void*);
646
647 /* Process data in 4 block chunks. */
648 while (nblocks >= 4)
649 {
650 blowfish_amd64_ctr_enc(ctx, outbuf, inbuf, ctr);
651
652 nblocks -= 4;
653 outbuf += 4 * BLOWFISH_BLOCKSIZE;
654 inbuf += 4 * BLOWFISH_BLOCKSIZE;
655 }
656
657 /* Use generic code to handle smaller chunks... */
658 }
659 #elif defined(USE_ARM_ASM)
660 {
661 /* Process data in 2 block chunks. */
662 while (nblocks >= 2)
663 {
664 _gcry_blowfish_arm_ctr_enc(ctx, outbuf, inbuf, ctr);
665
666 nblocks -= 2;
667 outbuf += 2 * BLOWFISH_BLOCKSIZE;
668 inbuf += 2 * BLOWFISH_BLOCKSIZE;
669 }
670
671 /* Use generic code to handle smaller chunks... */
672 }
673 #endif
674
675 #if !defined(USE_AMD64_ASM) && !defined(USE_ARM_ASM)
676 for ( ;nblocks >= 3; nblocks -= 3)
677 {
678 /* Prepare the counter blocks. */
679 cipher_block_cpy (tmpbuf + 0, ctr, BLOWFISH_BLOCKSIZE);
680 cipher_block_cpy (tmpbuf + 8, ctr, BLOWFISH_BLOCKSIZE);
681 cipher_block_cpy (tmpbuf + 16, ctr, BLOWFISH_BLOCKSIZE);
682 cipher_block_add (tmpbuf + 8, 1, BLOWFISH_BLOCKSIZE);
683 cipher_block_add (tmpbuf + 16, 2, BLOWFISH_BLOCKSIZE);
684 cipher_block_add (ctr, 3, BLOWFISH_BLOCKSIZE);
685 /* Encrypt the counter. */
686 do_encrypt_3(ctx, tmpbuf, tmpbuf);
687 /* XOR the input with the encrypted counter and store in output. */
688 buf_xor(outbuf, tmpbuf, inbuf, BLOWFISH_BLOCKSIZE * 3);
689 outbuf += BLOWFISH_BLOCKSIZE * 3;
690 inbuf += BLOWFISH_BLOCKSIZE * 3;
691 }
692 #endif
693
694 for ( ;nblocks; nblocks-- )
695 {
696 /* Encrypt the counter. */
697 do_encrypt_block(ctx, tmpbuf, ctr);
698 /* XOR the input with the encrypted counter and store in output. */
699 cipher_block_xor(outbuf, tmpbuf, inbuf, BLOWFISH_BLOCKSIZE);
700 outbuf += BLOWFISH_BLOCKSIZE;
701 inbuf += BLOWFISH_BLOCKSIZE;
702 /* Increment the counter. */
703 cipher_block_add (ctr, 1, BLOWFISH_BLOCKSIZE);
704 }
705
706 wipememory(tmpbuf, sizeof(tmpbuf));
707 _gcry_burn_stack(burn_stack_depth);
708 }
709
710
711 /* Bulk decryption of complete blocks in CBC mode. This function is only
712 intended for the bulk encryption feature of cipher.c. */
713 static void
_gcry_blowfish_cbc_dec(void * context,unsigned char * iv,void * outbuf_arg,const void * inbuf_arg,size_t nblocks)714 _gcry_blowfish_cbc_dec(void *context, unsigned char *iv, void *outbuf_arg,
715 const void *inbuf_arg, size_t nblocks)
716 {
717 BLOWFISH_context *ctx = context;
718 unsigned char *outbuf = outbuf_arg;
719 const unsigned char *inbuf = inbuf_arg;
720 unsigned char savebuf[BLOWFISH_BLOCKSIZE * 3];
721 int burn_stack_depth = (64) + 4 * BLOWFISH_BLOCKSIZE;
722
723 #ifdef USE_AMD64_ASM
724 {
725 if (nblocks >= 4)
726 burn_stack_depth += 5 * sizeof(void*);
727
728 /* Process data in 4 block chunks. */
729 while (nblocks >= 4)
730 {
731 blowfish_amd64_cbc_dec(ctx, outbuf, inbuf, iv);
732
733 nblocks -= 4;
734 outbuf += 4 * BLOWFISH_BLOCKSIZE;
735 inbuf += 4 * BLOWFISH_BLOCKSIZE;
736 }
737
738 /* Use generic code to handle smaller chunks... */
739 }
740 #elif defined(USE_ARM_ASM)
741 {
742 /* Process data in 2 block chunks. */
743 while (nblocks >= 2)
744 {
745 _gcry_blowfish_arm_cbc_dec(ctx, outbuf, inbuf, iv);
746
747 nblocks -= 2;
748 outbuf += 2 * BLOWFISH_BLOCKSIZE;
749 inbuf += 2 * BLOWFISH_BLOCKSIZE;
750 }
751
752 /* Use generic code to handle smaller chunks... */
753 }
754 #endif
755
756 #if !defined(USE_AMD64_ASM) && !defined(USE_ARM_ASM)
757 for ( ;nblocks >= 3; nblocks -= 3)
758 {
759 /* INBUF is needed later and it may be identical to OUTBUF, so store
760 the intermediate result to SAVEBUF. */
761 do_decrypt_3 (ctx, savebuf, inbuf);
762
763 cipher_block_xor_1 (savebuf + 0, iv, BLOWFISH_BLOCKSIZE);
764 cipher_block_xor_1 (savebuf + 8, inbuf, BLOWFISH_BLOCKSIZE * 2);
765 cipher_block_cpy (iv, inbuf + 16, BLOWFISH_BLOCKSIZE);
766 buf_cpy (outbuf, savebuf, BLOWFISH_BLOCKSIZE * 3);
767 inbuf += BLOWFISH_BLOCKSIZE * 3;
768 outbuf += BLOWFISH_BLOCKSIZE * 3;
769 }
770 #endif
771
772 for ( ;nblocks; nblocks-- )
773 {
774 /* INBUF is needed later and it may be identical to OUTBUF, so store
775 the intermediate result to SAVEBUF. */
776 do_decrypt_block (ctx, savebuf, inbuf);
777
778 cipher_block_xor_n_copy_2(outbuf, savebuf, iv, inbuf, BLOWFISH_BLOCKSIZE);
779 inbuf += BLOWFISH_BLOCKSIZE;
780 outbuf += BLOWFISH_BLOCKSIZE;
781 }
782
783 wipememory(savebuf, sizeof(savebuf));
784 _gcry_burn_stack(burn_stack_depth);
785 }
786
787
788 /* Bulk decryption of complete blocks in CFB mode. This function is only
789 intended for the bulk encryption feature of cipher.c. */
790 static void
_gcry_blowfish_cfb_dec(void * context,unsigned char * iv,void * outbuf_arg,const void * inbuf_arg,size_t nblocks)791 _gcry_blowfish_cfb_dec(void *context, unsigned char *iv, void *outbuf_arg,
792 const void *inbuf_arg, size_t nblocks)
793 {
794 BLOWFISH_context *ctx = context;
795 unsigned char *outbuf = outbuf_arg;
796 const unsigned char *inbuf = inbuf_arg;
797 unsigned char tmpbuf[BLOWFISH_BLOCKSIZE * 3];
798 int burn_stack_depth = (64) + 4 * BLOWFISH_BLOCKSIZE;
799
800 #ifdef USE_AMD64_ASM
801 {
802 if (nblocks >= 4)
803 burn_stack_depth += 5 * sizeof(void*);
804
805 /* Process data in 4 block chunks. */
806 while (nblocks >= 4)
807 {
808 blowfish_amd64_cfb_dec(ctx, outbuf, inbuf, iv);
809
810 nblocks -= 4;
811 outbuf += 4 * BLOWFISH_BLOCKSIZE;
812 inbuf += 4 * BLOWFISH_BLOCKSIZE;
813 }
814
815 /* Use generic code to handle smaller chunks... */
816 }
817 #elif defined(USE_ARM_ASM)
818 {
819 /* Process data in 2 block chunks. */
820 while (nblocks >= 2)
821 {
822 _gcry_blowfish_arm_cfb_dec(ctx, outbuf, inbuf, iv);
823
824 nblocks -= 2;
825 outbuf += 2 * BLOWFISH_BLOCKSIZE;
826 inbuf += 2 * BLOWFISH_BLOCKSIZE;
827 }
828
829 /* Use generic code to handle smaller chunks... */
830 }
831 #endif
832
833 #if !defined(USE_AMD64_ASM) && !defined(USE_ARM_ASM)
834 for ( ;nblocks >= 3; nblocks -= 3 )
835 {
836 cipher_block_cpy (tmpbuf + 0, iv, BLOWFISH_BLOCKSIZE);
837 cipher_block_cpy (tmpbuf + 8, inbuf + 0, BLOWFISH_BLOCKSIZE * 2);
838 cipher_block_cpy (iv, inbuf + 16, BLOWFISH_BLOCKSIZE);
839 do_encrypt_3 (ctx, tmpbuf, tmpbuf);
840 buf_xor (outbuf, inbuf, tmpbuf, BLOWFISH_BLOCKSIZE * 3);
841 outbuf += BLOWFISH_BLOCKSIZE * 3;
842 inbuf += BLOWFISH_BLOCKSIZE * 3;
843 }
844 #endif
845
846 for ( ;nblocks; nblocks-- )
847 {
848 do_encrypt_block(ctx, iv, iv);
849 cipher_block_xor_n_copy(outbuf, iv, inbuf, BLOWFISH_BLOCKSIZE);
850 outbuf += BLOWFISH_BLOCKSIZE;
851 inbuf += BLOWFISH_BLOCKSIZE;
852 }
853
854 wipememory(tmpbuf, sizeof(tmpbuf));
855 _gcry_burn_stack(burn_stack_depth);
856 }
857
858
859 /* Run the self-tests for BLOWFISH-CTR, tests IV increment of bulk CTR
860 encryption. Returns NULL on success. */
861 static const char *
selftest_ctr(void)862 selftest_ctr (void)
863 {
864 const int nblocks = 4+1;
865 const int blocksize = BLOWFISH_BLOCKSIZE;
866 const int context_size = sizeof(BLOWFISH_context);
867
868 return _gcry_selftest_helper_ctr("BLOWFISH", &bf_setkey,
869 &encrypt_block, nblocks, blocksize, context_size);
870 }
871
872
873 /* Run the self-tests for BLOWFISH-CBC, tests bulk CBC decryption.
874 Returns NULL on success. */
875 static const char *
selftest_cbc(void)876 selftest_cbc (void)
877 {
878 const int nblocks = 4+2;
879 const int blocksize = BLOWFISH_BLOCKSIZE;
880 const int context_size = sizeof(BLOWFISH_context);
881
882 return _gcry_selftest_helper_cbc("BLOWFISH", &bf_setkey,
883 &encrypt_block, nblocks, blocksize, context_size);
884 }
885
886
887 /* Run the self-tests for BLOWFISH-CFB, tests bulk CBC decryption.
888 Returns NULL on success. */
889 static const char *
selftest_cfb(void)890 selftest_cfb (void)
891 {
892 const int nblocks = 4+2;
893 const int blocksize = BLOWFISH_BLOCKSIZE;
894 const int context_size = sizeof(BLOWFISH_context);
895
896 return _gcry_selftest_helper_cfb("BLOWFISH", &bf_setkey,
897 &encrypt_block, nblocks, blocksize, context_size);
898 }
899
900
901 static const char*
selftest(void)902 selftest(void)
903 {
904 BLOWFISH_context c;
905 cipher_bulk_ops_t bulk_ops;
906 byte plain[] = "BLOWFISH";
907 byte buffer[8];
908 static const byte plain3[] =
909 { 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10 };
910 static const byte key3[] =
911 { 0x41, 0x79, 0x6E, 0xA0, 0x52, 0x61, 0x6E, 0xE4 };
912 static const byte cipher3[] =
913 { 0xE1, 0x13, 0xF4, 0x10, 0x2C, 0xFC, 0xCE, 0x43 };
914 const char *r;
915
916 bf_setkey( (void *) &c,
917 (const unsigned char*)"abcdefghijklmnopqrstuvwxyz", 26,
918 &bulk_ops );
919 encrypt_block( (void *) &c, buffer, plain );
920 if( memcmp( buffer, "\x32\x4E\xD0\xFE\xF4\x13\xA2\x03", 8 ) )
921 return "Blowfish selftest failed (1).";
922 decrypt_block( (void *) &c, buffer, buffer );
923 if( memcmp( buffer, plain, 8 ) )
924 return "Blowfish selftest failed (2).";
925
926 bf_setkey( (void *) &c, key3, 8, &bulk_ops );
927 encrypt_block( (void *) &c, buffer, plain3 );
928 if( memcmp( buffer, cipher3, 8 ) )
929 return "Blowfish selftest failed (3).";
930 decrypt_block( (void *) &c, buffer, buffer );
931 if( memcmp( buffer, plain3, 8 ) )
932 return "Blowfish selftest failed (4).";
933
934 if ( (r = selftest_cbc ()) )
935 return r;
936
937 if ( (r = selftest_cfb ()) )
938 return r;
939
940 if ( (r = selftest_ctr ()) )
941 return r;
942
943 return NULL;
944 }
945
946
947 struct hashset_elem {
948 u32 val;
949 short nidx;
950 char used;
951 };
952
953 static inline byte
val_to_hidx(u32 val)954 val_to_hidx(u32 val)
955 {
956 /* bf sboxes are quite random already. */
957 return (val >> 24) ^ (val >> 16) ^ (val >> 8) ^ val;
958 }
959
960 static inline int
add_val(struct hashset_elem hset[256],u32 val,int * midx,struct hashset_elem * mpool)961 add_val(struct hashset_elem hset[256], u32 val, int *midx,
962 struct hashset_elem *mpool)
963 {
964 struct hashset_elem *elem;
965 byte hidx;
966
967 hidx = val_to_hidx(val);
968 elem = &hset[hidx];
969
970 /* Check if first is in use. */
971 if (elem->used == 0)
972 {
973 elem->val = val;
974 elem->nidx = -1;
975 elem->used = 1;
976 return 0;
977 }
978
979 /* Check if first matches. */
980 if (elem->val == val)
981 return 1;
982
983 for (; elem->nidx >= 0; elem = &mpool[elem->nidx])
984 {
985 /* Check if elem matches. */
986 if (elem->val == val)
987 return 1;
988 }
989
990 elem->nidx = (*midx)++;
991 elem = &mpool[elem->nidx];
992
993 elem->val = val;
994 elem->nidx = -1;
995 elem->used = 1;
996
997 return 0;
998 }
999
1000 static gcry_err_code_t
do_bf_setkey(BLOWFISH_context * c,const byte * key,unsigned keylen)1001 do_bf_setkey (BLOWFISH_context *c, const byte *key, unsigned keylen)
1002 {
1003 struct hashset_elem mempool[4 * 255]; /* Enough entries for the worst case. */
1004 struct hashset_elem hset[4][256];
1005 int memidx = 0;
1006 int weak = 0;
1007 int i, j, ret;
1008 u32 data, datal, datar;
1009 static int initialized;
1010 static const char *selftest_failed;
1011
1012 if( !initialized )
1013 {
1014 initialized = 1;
1015 selftest_failed = selftest();
1016 if( selftest_failed )
1017 log_error ("%s\n", selftest_failed );
1018 }
1019 if( selftest_failed )
1020 return GPG_ERR_SELFTEST_FAILED;
1021
1022 if (keylen < BLOWFISH_KEY_MIN_BITS / 8 ||
1023 keylen > BLOWFISH_KEY_MAX_BITS / 8)
1024 return GPG_ERR_INV_KEYLEN;
1025
1026 memset(hset, 0, sizeof(hset));
1027
1028 for(i=0; i < 16+2; i++ )
1029 c->p[i] = ps[i];
1030 for(i=0; i < 256; i++ )
1031 {
1032 c->s0[i] = ks0[i];
1033 c->s1[i] = ks1[i];
1034 c->s2[i] = ks2[i];
1035 c->s3[i] = ks3[i];
1036 }
1037
1038 for(i=j=0; i < 16+2; i++ )
1039 {
1040 data = ((u32)key[j] << 24) |
1041 ((u32)key[(j+1)%keylen] << 16) |
1042 ((u32)key[(j+2)%keylen] << 8) |
1043 ((u32)key[(j+3)%keylen]);
1044 c->p[i] ^= data;
1045 j = (j+4) % keylen;
1046 }
1047
1048 datal = datar = 0;
1049 for(i=0; i < 16+2; i += 2 )
1050 {
1051 do_encrypt( c, &datal, &datar );
1052 c->p[i] = datal;
1053 c->p[i+1] = datar;
1054 }
1055 for(i=0; i < 256; i += 2 )
1056 {
1057 do_encrypt( c, &datal, &datar );
1058 c->s0[i] = datal;
1059 c->s0[i+1] = datar;
1060
1061 /* Add values to hashset, detect duplicates (weak keys). */
1062 ret = add_val (hset[0], datal, &memidx, mempool);
1063 weak = ret ? 1 : weak;
1064 ret = add_val (hset[0], datar, &memidx, mempool);
1065 weak = ret ? 1 : weak;
1066 }
1067 for(i=0; i < 256; i += 2 )
1068 {
1069 do_encrypt( c, &datal, &datar );
1070 c->s1[i] = datal;
1071 c->s1[i+1] = datar;
1072
1073 /* Add values to hashset, detect duplicates (weak keys). */
1074 ret = add_val (hset[1], datal, &memidx, mempool);
1075 weak = ret ? 1 : weak;
1076 ret = add_val (hset[1], datar, &memidx, mempool);
1077 weak = ret ? 1 : weak;
1078 }
1079 for(i=0; i < 256; i += 2 )
1080 {
1081 do_encrypt( c, &datal, &datar );
1082 c->s2[i] = datal;
1083 c->s2[i+1] = datar;
1084
1085 /* Add values to hashset, detect duplicates (weak keys). */
1086 ret = add_val (hset[2], datal, &memidx, mempool);
1087 weak = ret ? 1 : weak;
1088 ret = add_val (hset[2], datar, &memidx, mempool);
1089 weak = ret ? 1 : weak;
1090 }
1091 for(i=0; i < 256; i += 2 )
1092 {
1093 do_encrypt( c, &datal, &datar );
1094 c->s3[i] = datal;
1095 c->s3[i+1] = datar;
1096
1097 /* Add values to hashset, detect duplicates (weak keys). */
1098 ret = add_val (hset[3], datal, &memidx, mempool);
1099 weak = ret ? 1 : weak;
1100 ret = add_val (hset[3], datar, &memidx, mempool);
1101 weak = ret ? 1 : weak;
1102 }
1103
1104 /* Clear stack. */
1105 wipememory(hset, sizeof(hset));
1106 wipememory(mempool, sizeof(mempool[0]) * memidx);
1107
1108 _gcry_burn_stack (64);
1109
1110 /* Check for weak key. A weak key is a key in which a value in
1111 the P-array (here c) occurs more than once per table. */
1112 if (weak)
1113 return GPG_ERR_WEAK_KEY;
1114
1115 return GPG_ERR_NO_ERROR;
1116 }
1117
1118
1119 static gcry_err_code_t
bf_setkey(void * context,const byte * key,unsigned keylen,cipher_bulk_ops_t * bulk_ops)1120 bf_setkey (void *context, const byte *key, unsigned keylen,
1121 cipher_bulk_ops_t *bulk_ops)
1122 {
1123 BLOWFISH_context *c = (BLOWFISH_context *) context;
1124 gcry_err_code_t rc = do_bf_setkey (c, key, keylen);
1125
1126 /* Setup bulk encryption routines. */
1127 memset (bulk_ops, 0, sizeof(*bulk_ops));
1128 bulk_ops->cfb_dec = _gcry_blowfish_cfb_dec;
1129 bulk_ops->cbc_dec = _gcry_blowfish_cbc_dec;
1130 bulk_ops->ctr_enc = _gcry_blowfish_ctr_enc;
1131
1132 return rc;
1133 }
1134
1135
1136 gcry_cipher_spec_t _gcry_cipher_spec_blowfish =
1137 {
1138 GCRY_CIPHER_BLOWFISH, {0, 0},
1139 "BLOWFISH", NULL, NULL, BLOWFISH_BLOCKSIZE, 128,
1140 sizeof (BLOWFISH_context),
1141 bf_setkey, encrypt_block, decrypt_block
1142 };
1143