1 #include <string.h>
2 #include <unistd.h>
3
4 /* include param.h for the [__]BYTE_ORDER/ENDIAN definitions */
5 #include <sys/param.h>
6
7 typedef unsigned char BYTE;
8 typedef unsigned long DWORD; /* 32-bit unsigned quantity */
9 /* $Id: twofish2.cc,v 1.3 2004/12/18 04:34:27 jleplast Exp $
10 *
11 * Copyright (C) 1997-2000 The Cryptix Foundation Limited.
12 * All rights reserved.
13 *
14 * Use, modification, copying and distribution of this software is subject
15 * the terms and conditions of the Cryptix General Licence. You should have
16 * received a copy of the Cryptix General Licence along with this library;
17 * if not, you can download a copy from http://www.cryptix.org/ .
18 */
19
20 /** Fixed 8x8 permutation S-boxes */
21 static unsigned char P[2][256] =
22 {
23 { // p0
24 0xA9, 0x67, 0xB3, 0xE8,
25 0x04, 0xFD, 0xA3, 0x76,
26 0x9A, 0x92, 0x80, 0x78,
27 0xE4, 0xDD, 0xD1, 0x38,
28 0x0D, 0xC6, 0x35, 0x98,
29 0x18, 0xF7, 0xEC, 0x6C,
30 0x43, 0x75, 0x37, 0x26,
31 0xFA, 0x13, 0x94, 0x48,
32 0xF2, 0xD0, 0x8B, 0x30,
33 0x84, 0x54, 0xDF, 0x23,
34 0x19, 0x5B, 0x3D, 0x59,
35 0xF3, 0xAE, 0xA2, 0x82,
36 0x63, 0x01, 0x83, 0x2E,
37 0xD9, 0x51, 0x9B, 0x7C,
38 0xA6, 0xEB, 0xA5, 0xBE,
39 0x16, 0x0C, 0xE3, 0x61,
40 0xC0, 0x8C, 0x3A, 0xF5,
41 0x73, 0x2C, 0x25, 0x0B,
42 0xBB, 0x4E, 0x89, 0x6B,
43 0x53, 0x6A, 0xB4, 0xF1,
44 0xE1, 0xE6, 0xBD, 0x45,
45 0xE2, 0xF4, 0xB6, 0x66,
46 0xCC, 0x95, 0x03, 0x56,
47 0xD4, 0x1C, 0x1E, 0xD7,
48 0xFB, 0xC3, 0x8E, 0xB5,
49 0xE9, 0xCF, 0xBF, 0xBA,
50 0xEA, 0x77, 0x39, 0xAF,
51 0x33, 0xC9, 0x62, 0x71,
52 0x81, 0x79, 0x09, 0xAD,
53 0x24, 0xCD, 0xF9, 0xD8,
54 0xE5, 0xC5, 0xB9, 0x4D,
55 0x44, 0x08, 0x86, 0xE7,
56 0xA1, 0x1D, 0xAA, 0xED,
57 0x06, 0x70, 0xB2, 0xD2,
58 0x41, 0x7B, 0xA0, 0x11,
59 0x31, 0xC2, 0x27, 0x90,
60 0x20, 0xF6, 0x60, 0xFF,
61 0x96, 0x5C, 0xB1, 0xAB,
62 0x9E, 0x9C, 0x52, 0x1B,
63 0x5F, 0x93, 0x0A, 0xEF,
64 0x91, 0x85, 0x49, 0xEE,
65 0x2D, 0x4F, 0x8F, 0x3B,
66 0x47, 0x87, 0x6D, 0x46,
67 0xD6, 0x3E, 0x69, 0x64,
68 0x2A, 0xCE, 0xCB, 0x2F,
69 0xFC, 0x97, 0x05, 0x7A,
70 0xAC, 0x7F, 0xD5, 0x1A,
71 0x4B, 0x0E, 0xA7, 0x5A,
72 0x28, 0x14, 0x3F, 0x29,
73 0x88, 0x3C, 0x4C, 0x02,
74 0xB8, 0xDA, 0xB0, 0x17,
75 0x55, 0x1F, 0x8A, 0x7D,
76 0x57, 0xC7, 0x8D, 0x74,
77 0xB7, 0xC4, 0x9F, 0x72,
78 0x7E, 0x15, 0x22, 0x12,
79 0x58, 0x07, 0x99, 0x34,
80 0x6E, 0x50, 0xDE, 0x68,
81 0x65, 0xBC, 0xDB, 0xF8,
82 0xC8, 0xA8, 0x2B, 0x40,
83 0xDC, 0xFE, 0x32, 0xA4,
84 0xCA, 0x10, 0x21, 0xF0,
85 0xD3, 0x5D, 0x0F, 0x00,
86 0x6F, 0x9D, 0x36, 0x42,
87 0x4A, 0x5E, 0xC1, 0xE0
88 },
89 { // p1
90 0x75, 0xF3, 0xC6, 0xF4,
91 0xDB, 0x7B, 0xFB, 0xC8,
92 0x4A, 0xD3, 0xE6, 0x6B,
93 0x45, 0x7D, 0xE8, 0x4B,
94 0xD6, 0x32, 0xD8, 0xFD,
95 0x37, 0x71, 0xF1, 0xE1,
96 0x30, 0x0F, 0xF8, 0x1B,
97 0x87, 0xFA, 0x06, 0x3F,
98 0x5E, 0xBA, 0xAE, 0x5B,
99 0x8A, 0x00, 0xBC, 0x9D,
100 0x6D, 0xC1, 0xB1, 0x0E,
101 0x80, 0x5D, 0xD2, 0xD5,
102 0xA0, 0x84, 0x07, 0x14,
103 0xB5, 0x90, 0x2C, 0xA3,
104 0xB2, 0x73, 0x4C, 0x54,
105 0x92, 0x74, 0x36, 0x51,
106 0x38, 0xB0, 0xBD, 0x5A,
107 0xFC, 0x60, 0x62, 0x96,
108 0x6C, 0x42, 0xF7, 0x10,
109 0x7C, 0x28, 0x27, 0x8C,
110 0x13, 0x95, 0x9C, 0xC7,
111 0x24, 0x46, 0x3B, 0x70,
112 0xCA, 0xE3, 0x85, 0xCB,
113 0x11, 0xD0, 0x93, 0xB8,
114 0xA6, 0x83, 0x20, 0xFF,
115 0x9F, 0x77, 0xC3, 0xCC,
116 0x03, 0x6F, 0x08, 0xBF,
117 0x40, 0xE7, 0x2B, 0xE2,
118 0x79, 0x0C, 0xAA, 0x82,
119 0x41, 0x3A, 0xEA, 0xB9,
120 0xE4, 0x9A, 0xA4, 0x97,
121 0x7E, 0xDA, 0x7A, 0x17,
122 0x66, 0x94, 0xA1, 0x1D,
123 0x3D, 0xF0, 0xDE, 0xB3,
124 0x0B, 0x72, 0xA7, 0x1C,
125 0xEF, 0xD1, 0x53, 0x3E,
126 0x8F, 0x33, 0x26, 0x5F,
127 0xEC, 0x76, 0x2A, 0x49,
128 0x81, 0x88, 0xEE, 0x21,
129 0xC4, 0x1A, 0xEB, 0xD9,
130 0xC5, 0x39, 0x99, 0xCD,
131 0xAD, 0x31, 0x8B, 0x01,
132 0x18, 0x23, 0xDD, 0x1F,
133 0x4E, 0x2D, 0xF9, 0x48,
134 0x4F, 0xF2, 0x65, 0x8E,
135 0x78, 0x5C, 0x58, 0x19,
136 0x8D, 0xE5, 0x98, 0x57,
137 0x67, 0x7F, 0x05, 0x64,
138 0xAF, 0x63, 0xB6, 0xFE,
139 0xF5, 0xB7, 0x3C, 0xA5,
140 0xCE, 0xE9, 0x68, 0x44,
141 0xE0, 0x4D, 0x43, 0x69,
142 0x29, 0x2E, 0xAC, 0x15,
143 0x59, 0xA8, 0x0A, 0x9E,
144 0x6E, 0x47, 0xDF, 0x34,
145 0x35, 0x6A, 0xCF, 0xDC,
146 0x22, 0xC9, 0xC0, 0x9B,
147 0x89, 0xD4, 0xED, 0xAB,
148 0x12, 0xA2, 0x0D, 0x52,
149 0xBB, 0x02, 0x2F, 0xA9,
150 0xD7, 0x61, 0x1E, 0xB4,
151 0x50, 0x04, 0xF6, 0xC2,
152 0x16, 0x25, 0x86, 0x56,
153 0x55, 0x09, 0xBE, 0x91
154 }
155 };
156
157 /** MDS matrix */
158 static int MDS[4][256]; // blank final
159
160 #include "twofish2.h"
161
162 ////////////////////////////////////////////////////////////////////
163 ////////////////////// DEFINES /////////////////////////////////////
164 ////////////////////////////////////////////////////////////////////
165
166 #define LFSR1(x) ( ((x) >> 1) ^ (((x) & 0x01) ? MDS_GF_FDBK/2 : 0))
167 #define LFSR2(x) ( ((x) >> 2) ^ (((x) & 0x02) ? MDS_GF_FDBK/2 : 0) ^ (((x) & 0x01) ? MDS_GF_FDBK/4 : 0))
168
169 #define Mx_1(x) ((DWORD) (x)) /* force result to dword so << will work */
170 #define Mx_X(x) ((DWORD) ((x) ^ LFSR2(x))) /* 5B */
171 #define Mx_Y(x) ((DWORD) ((x) ^ LFSR1(x) ^ LFSR2(x))) /* EF */
172 #define RS_rem(x) { BYTE b = (BYTE) (x >> 24); DWORD g2 = ((b << 1) ^ ((b & 0x80) ? RS_GF_FDBK : 0 )) & 0xFF; DWORD g3 = ((b >> 1) & 0x7F) ^ ((b & 1) ? RS_GF_FDBK >> 1 : 0 ) ^ g2 ; x = (x << 8) ^ (g3 << 24) ^ (g2 << 16) ^ (g3 << 8) ^ b; }
173 //#define _b(x,N) (((BYTE *)&x)[((N) & 3) ^ ADDR_XOR]) /* pick bytes out of a dword */
174 #define _b(x,N) (((BYTE *)&x)[((N) & 3)]) /* pick bytes out of a dword */
175
176
177 /* Initial endian patch provided by Renzo Davoli <renzo@cs.unibo.it> */
178
179 #if defined(__BYTE_ORDER) && !defined(BYTE_ORDER)
180 #define BYTE_ORDER __BYTE_ORDER
181 #define BIG_ENDIAN __BIG_ENDIAN
182 #define LITTLE_ENDIAN __LITTLE_ENDIAN
183 #elif !defined(BYTE_ORDER)
184 #error "BYTE_ORDER (or variants) not defined!"
185 #endif
186
187 #ifdef BYTE_ORDER
188 #if BYTE_ORDER == BIG_ENDIAN
189 #define b0(x) _b(x,3) /* extract LSB of DWORD */
190 #define b1(x) _b(x,2)
191 #define b2(x) _b(x,1)
192 #define b3(x) _b(x,0) /* extract MSB of DWORD */
193 #elif BYTE_ORDER == LITTLE_ENDIAN
194 #define b0(x) _b(x,0) /* extract LSB of DWORD */
195 #define b1(x) _b(x,1)
196 #define b2(x) _b(x,2)
197 #define b3(x) _b(x,3) /* extract MSB of DWORD */
198 #endif
199 #endif
200
201 ////////////////////////////////////////////////////////////////////
202 ////////////////////// METHODS /////////////////////////////////////
203 ////////////////////////////////////////////////////////////////////
204
precomputeMDSmatrix()205 void TwoFish::precomputeMDSmatrix() {
206 // precompute the MDS matrix
207 int m1[2];
208 int mX[2];
209 int mY[2];
210 int i, j;
211 for (i = 0; i < 256; i++) {
212 j = P[0][i] & 0xFF; // compute all the matrix elements
213 m1[0] = j;
214 mX[0] = Mx_X( j ) & 0xFF;
215 mY[0] = Mx_Y( j ) & 0xFF;
216
217 j = P[1][i] & 0xFF;
218 m1[1] = j;
219 mX[1] = Mx_X( j ) & 0xFF;
220 mY[1] = Mx_Y( j ) & 0xFF;
221
222 MDS[0][i] = m1[P_00] << 0 | // fill matrix w/ above elements
223 mX[P_00] << 8 |
224 mY[P_00] << 16 |
225 mY[P_00] << 24;
226 MDS[1][i] = mY[P_10] << 0 |
227 mY[P_10] << 8 |
228 mX[P_10] << 16 |
229 m1[P_10] << 24;
230 MDS[2][i] = mX[P_20] << 0 |
231 mY[P_20] << 8 |
232 m1[P_20] << 16 |
233 mY[P_20] << 24;
234 MDS[3][i] = mX[P_30] << 0 |
235 m1[P_30] << 8 |
236 mY[P_30] << 16 |
237 mX[P_30] << 24;
238 }
239 }
240
241
242 // Constructor
243 //...........................................................................
TwoFish(char * userkey,bool _decrypt,FILE * _fpout,unsigned char * _outputBuffer)244 TwoFish::TwoFish(char* userkey, bool _decrypt, FILE* _fpout, unsigned char* _outputBuffer ) {
245 decrypt = _decrypt;
246 fpout = _fpout;
247 if ( fpout == NULL ) {
248 outputIsFile = false;
249 } else {
250 outputIsFile = true;
251 }
252 outputBuffer = _outputBuffer;
253 if ( outputBuffer == NULL ) {
254 outputIsBuffer = false;
255 } else {
256 outputIsBuffer = true;
257 }
258 precomputeMDSmatrix();
259 makeSubKeys(userkey);
260 qBlockDefined = false;
261 }
262
263
264
265 // Private methods
266 //...........................................................................
267
268 /**
269 * Expand a user-supplied key material into a session key.
270 *
271 * @param key The 64/128/192/256-bit user-key to use.
272 * @return This cipher's round keys.
273 * @exception InvalidKeyException If the key is invalid.
274 */
makeSubKeys(char * k)275 void TwoFish::makeSubKeys( char* k ) {
276 int length = 32;
277 int k64Cnt = length / 8;
278 int k32e[4]; // even 32-bit entities
279 int k32o[4]; // odd 32-bit entities
280 int sBoxKey[4];
281
282 // split user key material into even and odd 32-bit entities and
283 // compute S-box keys using (12, 8) Reed-Solomon code over GF(256)
284 int i, j, offset = 0;
285 for (i = 0, j = k64Cnt-1; i < 4 && offset < length; i++, j--) {
286 k32e[i] = (k[offset] & 0xFF) |
287 (k[offset+1] & 0xFF) << 8 |
288 (k[offset+2] & 0xFF) << 16 |
289 (k[offset+3] & 0xFF) << 24;
290 offset += 4;
291 k32o[i] = (k[offset] & 0xFF) |
292 (k[offset+1] & 0xFF) << 8 |
293 (k[offset+2] & 0xFF) << 16 |
294 (k[offset+3] & 0xFF) << 24;
295 offset += 4;
296 sBoxKey[j] = RS_MDS_Encode( k32e[i], k32o[i] ); // reverse order
297 }
298
299 // compute the round decryption subkeys for PHT. these same subkeys
300 // will be used in encryption but will be applied in reverse order.
301 unsigned int A, B, q=0;
302 i=0;
303 while(i < TOTAL_SUBKEYS) {
304 A = F32( k64Cnt, q, k32e ); // A uses even key entities
305 q += SK_BUMP;
306
307 B = F32( k64Cnt, q, k32o ); // B uses odd key entities
308 q += SK_BUMP;
309
310 B = B << 8 | B >> 24;
311
312 A += B;
313 subKeys[i++] = A; // combine with a PHT
314
315 A += B;
316 subKeys[i++] = A << SK_ROTL | A >> (32-SK_ROTL);
317 }
318
319 // fully expand the table for speed
320 int k0 = sBoxKey[0];
321 int k1 = sBoxKey[1];
322 int k2 = sBoxKey[2];
323 int k3 = sBoxKey[3];
324 int b0, b1, b2, b3;
325 for (i = 0; i < 256; i++) {
326 b0 = b1 = b2 = b3 = i;
327 switch (k64Cnt & 3) {
328 case 1:
329 sBox[ 2*i ] = MDS[0][(P[P_01][b0] & 0xFF) ^ b0(k0)];
330 sBox[ 2*i+1] = MDS[1][(P[P_11][b1] & 0xFF) ^ b1(k0)];
331 sBox[0x200+2*i ] = MDS[2][(P[P_21][b2] & 0xFF) ^ b2(k0)];
332 sBox[0x200+2*i+1] = MDS[3][(P[P_31][b3] & 0xFF) ^ b3(k0)];
333 break;
334 case 0: // same as 4
335 b0 = (P[P_04][b0] & 0xFF) ^ b0(k3);
336 b1 = (P[P_14][b1] & 0xFF) ^ b1(k3);
337 b2 = (P[P_24][b2] & 0xFF) ^ b2(k3);
338 b3 = (P[P_34][b3] & 0xFF) ^ b3(k3);
339 case 3:
340 b0 = (P[P_03][b0] & 0xFF) ^ b0(k2);
341 b1 = (P[P_13][b1] & 0xFF) ^ b1(k2);
342 b2 = (P[P_23][b2] & 0xFF) ^ b2(k2);
343 b3 = (P[P_33][b3] & 0xFF) ^ b3(k2);
344 case 2: // 128-bit keys
345 sBox[ 2*i ] = MDS[0][
346 (P[P_01][(P[P_02][b0] & 0xFF) ^ b0(k1)] & 0xFF) ^ b0(k0)];
347
348 sBox[ 2*i+1] = MDS[1][
349 (P[P_11][(P[P_12][b1] & 0xFF) ^ b1(k1)] & 0xFF) ^ b1(k0)];
350
351 sBox[0x200+2*i ] = MDS[2][
352 (P[P_21][(P[P_22][b2] & 0xFF) ^ b2(k1)] & 0xFF) ^ b2(k0)];
353
354 sBox[0x200+2*i+1] = MDS[3][
355 (P[P_31][(P[P_32][b3] & 0xFF) ^ b3(k1)] & 0xFF) ^ b3(k0)];
356 }
357 }
358
359 // swap input and output whitening keys when decrypting
360 if(decrypt) {
361 for(i=0; i<4; i++) {
362 int t = subKeys[i];
363 subKeys[i] = subKeys[i+4];
364 subKeys[i+4] = t;
365 }
366 }
367 }
368
369
bzero(char * ptr,int size)370 static void bzero( char* ptr, int size ) {
371 for ( int i = 0; i < size; i++ ) {
372 *ptr++ = 0;
373 }
374 }
375
376 //
377 // write output to all active output areas
378 //
flushOutput(char * b,int len)379 void TwoFish::flushOutput( char* b, int len ) {
380 if ( outputIsSocket ) {
381 int wret = write( sockfd, b, len );
382 }
383 for ( int i = 0; i < len; i++, b++ ) {
384 if ( outputIsFile ) {
385 fputc( *b, fpout );
386 }
387 if ( outputIsBuffer ) {
388 *outputBuffer = *b;
389 outputBuffer++;
390 }
391 }
392 }
393
394
395 /**
396 * Encrypt or decrypt exactly one block of plaintext in CBC mode.
397 * Use "ciphertext stealing" technique described on pg. 196
398 * of "Applied Cryptography" to encrypt the final partial
399 * (i.e. <16 byte) block if necessary.
400 *
401 * Note: the "ciphertext stealing" requires we read ahead and have
402 * special handling for the last two blocks. Because of this, the
403 * output from the TwoFish algorithm is handled internally here.
404 * It would be better to have a higher level handle this as well as
405 * CBC mode. Unfortunately, I've mixed the two together, which is
406 * pretty crappy... The Java version separates these out correctly.
407 *
408 * @param in The plaintext.
409 * @param out The ciphertext
410 * @param size how much to encrypt
411 * @return none
412 */
blockCrypt(char * in,char * out,int size)413 void TwoFish::blockCrypt( char* in, char* out, int size ) {
414 // here is where we implement CBC mode and cipher block stealing
415 if ( size == 16 ) {
416 // if we are encrypting, CBC means we XOR the plain text block with the
417 // previous cipher text block before encrypting
418 if ( !decrypt && qBlockDefined ) {
419 char* scanner = in;
420 for ( int i = 0; i < 16; i++, scanner++ ) {
421 *scanner = *scanner ^ qBlockCrypt[i];
422 }
423 }
424
425 // TwoFish block level encryption or decryption
426 blockCrypt16( in, out );
427
428 // if we are decrypting, CBC means we XOR the result of the decryption
429 // with the previous ciper text block to get the resulting plain text
430 if ( decrypt && qBlockDefined ) {
431 char* scanner = out;
432 for ( int i = 0; i < 16; i++, scanner++ ) {
433 *scanner = *scanner ^ qBlockPlain[i];
434 }
435 }
436
437 // save the input and output blocks, since CBC needs these for XOR
438 // operations
439 qBlockPush( in, out );
440 } else {
441 // cipher block stealing, we are at Pn,
442 // but since Cn-1 must now be replaced with CnC'
443 // we pop it off, and recalculate Cn-1
444 //
445 char PnMinusOne[16];
446 char CnMinusOne[16];
447 if ( decrypt ) {
448 // We are on an odd block, and had to do cipher block stealing,
449 // so the PnMinusOne has to be derived differently.
450 qBlockPop( &CnMinusOne[0], &PnMinusOne[0] );
451
452 // First we decrypt it into CBC and C'
453 char CBCplusCprime[16];
454 blockCrypt16( &CnMinusOne[0], &CBCplusCprime[0] );
455
456 // we then xor the first few bytes with the "in" bytes (Cn)
457 // to recover Pn, which we put in out
458 char* scanner = in;
459 char* outScanner = out;
460 for ( int i = 0; i < size; i++, scanner++, outScanner++ ) {
461 *outScanner = *scanner ^ CBCplusCprime[i];
462 }
463
464 // We now recover the original CnMinusOne, which consists of
465 // the first "size" bytes of "in" data, followed by the
466 // "Cprime" portion of CBCplusCprime
467 scanner = in;
468 for ( int i = 0; i < size; i++, scanner++ ) {
469 CnMinusOne[i] = *scanner;
470 }
471 for ( int i = size; i < 16; i++ ) {
472 CnMinusOne[i] = CBCplusCprime[i];
473 }
474 // we now decrypt CnMinusOne to get PnMinusOne xored with Cn-2
475 blockCrypt16( &CnMinusOne[0], &PnMinusOne[0] );
476
477 for ( int i = 0; i < 16; i++ ) {
478 PnMinusOne[i] = PnMinusOne[i] ^ prevCipher[i];
479 }
480
481 // So at this point, out has PnMinusOne
482 qBlockPush( &CnMinusOne[0], &PnMinusOne[0] );
483 qBlockFlush();
484 flushOutput( out, size );
485 } else {
486 qBlockPop( &PnMinusOne[0], &CnMinusOne[0] );
487 char Pn[16];
488 bzero( &Pn[0], 16 );
489 memcpy( &Pn[0], in, size );
490 for ( int i = 0; i < 16; i++ ) {
491 Pn[i] = CnMinusOne[i] ^ Pn[i];
492 }
493 blockCrypt16( &Pn[0], out );
494 qBlockPush( &Pn[0], out ); // now we officially have Cn-1
495 qBlockFlush(); // write them all out
496 flushOutput( &CnMinusOne[0], size ); // old Cn-1 becomes new partial Cn
497 }
498 qBlockDefined = false;
499 }
500 }
501
qBlockPush(char * p,char * c)502 void TwoFish::qBlockPush( char* p, char* c ) {
503 if ( qBlockDefined ) {
504 qBlockFlush();
505 }
506 memcpy( &prevCipher[0], &qBlockPlain[0], 16 );
507 memcpy( &qBlockPlain[0], p, 16 );
508 memcpy( &qBlockCrypt[0], c, 16 );
509 qBlockDefined = true;
510 }
511
qBlockPop(char * p,char * c)512 void TwoFish::qBlockPop( char* p, char* c ) {
513 memcpy( p, &qBlockPlain[0], 16 );
514 memcpy( c, &qBlockCrypt[0], 16 );
515 qBlockDefined = false;
516 }
517
518 //
519 // flush a complete block to all active output areas
520 // this occurs when we know the block does not need to be
521 // re-encrypted or re-decrypted. The redoing of encryption
522 // and decryption is necessary for cipher text stealing technique
523 // and is done on the last complete block.
524 //
qBlockFlush()525 void TwoFish::qBlockFlush() {
526 flushOutput( &qBlockCrypt[0], 16 );
527 }
528
flush()529 void TwoFish::flush() {
530 if ( qBlockDefined ) {
531 qBlockFlush();
532 }
533 }
534
blockCrypt16(char * in,char * out)535 void TwoFish::blockCrypt16( char* in, char* out ) {
536
537 int inOffset = 0;
538 int outOffset = 0;
539 unsigned int x0 = (in[inOffset] & 0xFF) |
540 (in[inOffset+1] & 0xFF) << 8 |
541 (in[inOffset+2] & 0xFF) << 16 |
542 (in[inOffset+3] & 0xFF) << 24;
543 inOffset += 4;
544 unsigned int x1 = (in[inOffset] & 0xFF) |
545 (in[inOffset+1] & 0xFF) << 8 |
546 (in[inOffset+2] & 0xFF) << 16 |
547 (in[inOffset+3] & 0xFF) << 24;
548 inOffset += 4;
549 unsigned int x2 = (in[inOffset] & 0xFF) |
550 (in[inOffset+1] & 0xFF) << 8 |
551 (in[inOffset+2] & 0xFF) << 16 |
552 (in[inOffset+3] & 0xFF) << 24;
553 inOffset += 4;
554 unsigned int x3 = (in[inOffset] & 0xFF) |
555 (in[inOffset+1] & 0xFF) << 8 |
556 (in[inOffset+2] & 0xFF) << 16 |
557 (in[inOffset+3] & 0xFF) << 24;
558
559 /* unsigned int x0;
560 unsigned int x1;
561 unsigned int x2;
562 unsigned int x3;
563 in += inOffset;
564 memcpy( &x0, in, 4 );
565 in += 4;
566 memcpy( &x1, in, 4 );
567 in += 4;
568 memcpy( &x2, in, 4 );
569 in += 4;
570 memcpy( &x3, in, 4 );*/
571 x0 ^= subKeys[0];
572 x1 ^= subKeys[1];
573 x2 ^= subKeys[2];
574 x3 ^= subKeys[3];
575
576 int k, t0, t1;
577 if ( decrypt ) {
578 k = 39;
579 for (int R = 0; R < ROUNDS; R += 2) {
580 t0 = Fe320( sBox, x0 );
581 t1 = Fe323( sBox, x1 );
582 x3 ^= t0 + (t1<<1) + subKeys[k--];
583 x3 = x3 >> 1 | x3 << 31;
584 x2 = x2 << 1 | x2 >> 31;
585 x2 ^= t0 + t1 + subKeys[k--];
586
587 t0 = Fe320( sBox, x2 );
588 t1 = Fe323( sBox, x3 );
589 x1 ^= t0 + (t1<<1) + subKeys[k--];
590 x1 = x1 >> 1 | x1 << 31;
591 x0 = x0 << 1 | x0 >> 31;
592 x0 ^= t0 + t1 + subKeys[k--];
593 }
594 } else {
595 k = 8;
596 for (int R = 0; R < ROUNDS; R += 2) {
597 t0 = Fe320( sBox, x0 );
598 t1 = Fe323( sBox, x1 );
599 x2 ^= t0 + t1 + subKeys[k++];
600 x2 = x2 >> 1 | x2 << 31;
601 x3 = x3 << 1 | x3 >> 31;
602 x3 ^= t0 + (t1<<1) + subKeys[k++];
603
604 t0 = Fe320( sBox, x2 );
605 t1 = Fe323( sBox, x3 );
606 x0 ^= t0 + t1 + subKeys[k++];
607 x0 = x0 >> 1 | x0 << 31;
608 x1 = x1 << 1 | x1 >> 31;
609 x1 ^= t0 + (t1<<1) + subKeys[k++];
610 }
611 }
612
613 x2 ^= subKeys[4];
614 x3 ^= subKeys[5];
615 x0 ^= subKeys[6];
616 x1 ^= subKeys[7];
617
618 out += outOffset;
619 /*memcpy( out, &x2, 4 );
620 out += 4;
621 memcpy( out, &x3, 4 );
622 out += 4;
623 memcpy( out, &x0, 4 );
624 out += 4;
625 memcpy( out, &x1, 4 );*/
626
627 *out++ = (x2 );
628 *out++ = (x2 >> 8);
629 *out++ = (x2 >> 16);
630 *out++ = (x2 >> 24);
631
632 *out++ = (x3 );
633 *out++ = (x3 >> 8);
634 *out++ = (x3 >> 16);
635 *out++ = (x3 >> 24);
636
637 *out++ = (x0 );
638 *out++ = (x0 >> 8);
639 *out++ = (x0 >> 16);
640 *out++ = (x0 >> 24);
641
642 *out++ = (x1 );
643 *out++ = (x1 >> 8);
644 *out++ = (x1 >> 16);
645 *out++ = (x1 >> 24);
646 }
647
648
649 /**
650 * Use (12, 8) Reed-Solomon code over GF(256) to produce a key S-box
651 * 32-bit entity from two key material 32-bit entities.
652 *
653 * @param k0 1st 32-bit entity.
654 * @param k1 2nd 32-bit entity.
655 * @return Remainder polynomial generated using RS code
656 */
RS_MDS_Encode(int k0,int k1)657 int TwoFish::RS_MDS_Encode( int k0, int k1 ) {
658 int r = k1;
659 for (int i = 0; i < 4; i++) // shift 1 byte at a time
660 RS_rem( r );
661
662 r ^= k0;
663 for (int i = 0; i < 4; i++)
664 RS_rem( r );
665
666 return r;
667 }
668
669
F32(int k64Cnt,int x,int * k32)670 int TwoFish::F32( int k64Cnt, int x, int* k32 ) {
671 int b0 = b0(x);
672 int b1 = b1(x);
673 int b2 = b2(x);
674 int b3 = b3(x);
675 int k0 = k32[0];
676 int k1 = k32[1];
677 int k2 = k32[2];
678 int k3 = k32[3];
679
680 int result = 0;
681 switch (k64Cnt & 3) {
682 case 1:
683 result =
684 MDS[0][(P[P_01][b0] & 0xFF) ^ b0(k0)] ^
685 MDS[1][(P[P_11][b1] & 0xFF) ^ b1(k0)] ^
686 MDS[2][(P[P_21][b2] & 0xFF) ^ b2(k0)] ^
687 MDS[3][(P[P_31][b3] & 0xFF) ^ b3(k0)];
688 break;
689 case 0: // same as 4
690 b0 = (P[P_04][b0] & 0xFF) ^ b0(k3);
691 b1 = (P[P_14][b1] & 0xFF) ^ b1(k3);
692 b2 = (P[P_24][b2] & 0xFF) ^ b2(k3);
693 b3 = (P[P_34][b3] & 0xFF) ^ b3(k3);
694
695 case 3:
696 b0 = (P[P_03][b0] & 0xFF) ^ b0(k2);
697 b1 = (P[P_13][b1] & 0xFF) ^ b1(k2);
698 b2 = (P[P_23][b2] & 0xFF) ^ b2(k2);
699 b3 = (P[P_33][b3] & 0xFF) ^ b3(k2);
700 case 2:
701 // 128-bit keys (optimize for this case)
702 result =
703 MDS[0][(P[P_01][(P[P_02][b0] & 0xFF) ^ b0(k1)] & 0xFF) ^ b0(k0)] ^
704 MDS[1][(P[P_11][(P[P_12][b1] & 0xFF) ^ b1(k1)] & 0xFF) ^ b1(k0)] ^
705 MDS[2][(P[P_21][(P[P_22][b2] & 0xFF) ^ b2(k1)] & 0xFF) ^ b2(k0)] ^
706 MDS[3][(P[P_31][(P[P_32][b3] & 0xFF) ^ b3(k1)] & 0xFF) ^ b3(k0)];
707 break;
708 }
709 return result;
710 }
711
Fe320(int * sBox,int x)712 int TwoFish::Fe320( int* sBox, int x ) {
713 return sBox[ b0(x) << 1 ] ^
714 sBox[ (b1(x) << 1) | 1] ^
715 sBox[0x200 + (b2(x) << 1) ] ^
716 sBox[0x200 + (b3(x) << 1) | 1];
717 }
Fe323(int * sBox,int x)718 int TwoFish::Fe323( int* sBox, int x ) {
719 return sBox[ (b3(x) << 1) ] ^
720 sBox[ (b0(x) << 1) | 1] ^
721 sBox[0x200 + (b1(x) << 1) ] ^
722 sBox[0x200 + (b2(x) << 1) | 1];
723 }
Fe32(int * sBox,int x,int R)724 int TwoFish::Fe32( int* sBox, int x, int R ) {
725 return sBox[ 2*_b(x, R ) ] ^
726 sBox[ 2*_b(x, R+1) + 1] ^
727 sBox[0x200 + 2*_b(x, R+2) ] ^
728 sBox[0x200 + 2*_b(x, R+3) + 1];
729 }
730
731
732 static char key[32];
generateKey(char * s)733 char* generateKey( char* s ) {
734 int sIdx = 0;
735 for ( int i = 0; i < 32; i++ ) {
736 char sval = *( s + sIdx );
737 if (( sval >= '0' ) && ( sval <= '9' )) {
738 key[i] = sval;
739 } else if (( sval >= 'a' ) && ( sval <= 'f' )) {
740 key[i] = sval;
741 } else {
742 int q = sval%16;
743 if ( q < 10 ) {
744 key[i] = ('0' + q);
745 } else {
746 key[i] = ('a' + q - 10);
747 }
748 }
749 sIdx++;
750 if ( *( s + sIdx ) == 0 ) {
751 sIdx = 0;
752 }
753 }
754 return( &key[0] );
755 }
756
757
AsciiTwofish(TwoFish * e)758 AsciiTwofish::AsciiTwofish( TwoFish* e ) {
759 engine = e;
760 }
761
encryptAscii(char * in,char * out,int outBufferSize)762 void AsciiTwofish::encryptAscii( char* in, char* out, int outBufferSize ) {
763 engine->setDecrypt( false );
764 engine->resetCBC();
765
766 unsigned char byteBuf[200];
767 char* originalOut = out;
768
769 // encrypt one block at a time with twofish
770 char inList[16];
771 unsigned char outList[16];
772 engine->setOutputBuffer( byteBuf );
773 int remaining = strlen( in );
774 int len = remaining;
775 int bidx = 0;
776 while ( remaining > 0 ) {
777 if ( remaining > 16 ) {
778 memcpy( inList, in + bidx, 16 );
779 engine->blockCrypt( inList, (char*)outList, 16 );
780 } else {
781 memcpy( inList, in + bidx, remaining );
782 engine->blockCrypt( inList, (char*)outList, remaining );
783 }
784 bidx += 16;
785 remaining -= 16;
786 }
787 engine->flush();
788
789 // now do totally stupid ascii encoding of bytes
790 if ( outBufferSize < len*3 ) {
791 printf( "Hey, outBufferSize is %d, but len*3 is %d\n", outBufferSize, len*3 );
792 } else {
793 for ( int i = 0; i < len; i++ ) {
794 sprintf( out, "%03d", byteBuf[i] );
795 out += 3;
796 }
797 }
798 engine->setOutputBuffer( NULL );
799 }
800
decryptAscii(char * in,char * out)801 void AsciiTwofish::decryptAscii( char* in, char* out ) {
802 engine->setDecrypt( true );
803 engine->resetCBC();
804 engine->setOutputBuffer( (unsigned char*)out );
805
806 int inLen = strlen( in );
807 if (( *( in + inLen - 1 ) == '\n' ) ||
808 ( *( in + inLen - 1 ) == '\r' )) {
809 *( in + inLen - 1 ) = 0;
810 inLen = strlen( in );
811 }
812 unsigned char byteBuf[200];
813 int byteBufIdx = 0;
814
815 // first convert ascii to bytes, placing in another buffer
816 for ( int i = 0; i < inLen; i += 3 ) {
817 unsigned int x = 0;
818 x = x * 10 + ( *in++ - '0' );
819 x = x * 10 + ( *in++ - '0' );
820 x = x * 10 + ( *in++ - '0' );
821 byteBuf[ byteBufIdx++ ] = x;
822 byteBuf[ byteBufIdx ] = 0;
823 }
824
825 // then run it through twofish placing result into command buffer
826 char inList[16];
827 unsigned char outList[16];
828 int remaining = byteBufIdx;
829 *( out + byteBufIdx ) = 0;
830 int bidx = 0;
831 while ( remaining > 0 ) {
832 if ( remaining > 16 ) {
833 memcpy( inList, &byteBuf[bidx], 16 );
834 engine->blockCrypt( inList, (char*)outList, 16 );
835 } else {
836 memcpy( inList, &byteBuf[bidx], remaining );
837 engine->blockCrypt( inList, (char*)outList, remaining );
838 }
839 bidx += 16;
840 remaining -= 16;
841 }
842 engine->flush();
843 engine->setOutputBuffer( NULL );
844 *( out + byteBufIdx ) = 0;
845 }
846
847