added libtomcrypt-1.10

This commit is contained in:
Tom St Denis 2006-02-11 08:19:10 +00:00 committed by Steffen Jaeckel
parent a3ce807bae
commit 99b6d03203
23 changed files with 289 additions and 1386 deletions

View File

@ -23,7 +23,7 @@ PROJECT_NAME = LibTomCrypt
# This could be handy for archiving the generated documentation or
# if some version control system is used.
PROJECT_NUMBER = 1.09
PROJECT_NUMBER = 1.10
# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
# base path where the generated documentation will be put.

12
changes
View File

@ -1,3 +1,11 @@
February 11th, 2006
v1.10 -- Free ecb/cbc/ctr/lrw structures in timing code by calling the "done" function
-- fixed bug in lrw_process() which would always use the slow update ...
-- vastly sped up gcm_gf_mult() when LTC_FAST is defined. This speeds up LRW and GCM state creation, useful for servers with GCM
-- Removed NLS since there are some attacks against it.
-- fixed memory leak in rsa_import reported by John Kuhns
++ re-released as the rsa fix was incorrect (bad John bad ... hehehe) and I missed some NULLs in the static descriptor entry for ciphers
January 26th, 2006
v1.09 -- Added missing doxygen comments to some of the ASN.1 routines
-- Added "easy button" define LTC_EASY and LTC will build with a subset of all the algos. Reduces build times for typical
@ -1405,6 +1413,6 @@ v0.02 -- Changed RC5 to only allow 12 to 24 rounds
v0.01 -- We will call this the first version.
/* $Source: /cvs/libtom/libtomcrypt/changes,v $ */
/* $Revision: 1.168 $ */
/* $Date: 2006/01/26 18:15:51 $ */
/* $Revision: 1.173 $ */
/* $Date: 2006/02/11 09:18:11 $ */

View File

@ -47,7 +47,7 @@
\def\gap{\vspace{0.5ex}}
\makeindex
\begin{document}
\title{LibTomCrypt \\ Version 1.09}
\title{LibTomCrypt \\ Version 1.10}
\author{Tom St Denis \\
\\
tomstdenis@gmail.com \\
@ -5181,5 +5181,5 @@ Since the function is given the entire RSA key (for private keys only) CRT is po
\end{document}
% $Source: /cvs/libtom/libtomcrypt/crypt.tex,v $
% $Revision: 1.62 $
% $Date: 2006/01/26 18:29:02 $
% $Revision: 1.63 $
% $Date: 2006/01/26 19:20:46 $

View File

@ -18,6 +18,7 @@ time_keysched();
time_cipher();
time_cipher2();
time_cipher3();
time_cipher4();
time_hash();
time_macs();
time_encmacs();

Binary file not shown.

View File

@ -4,7 +4,7 @@
# Modified by Clay Culver
# The version
VERSION=1.09
VERSION=1.10
# Compiler and Linker Names
#CC=gcc
@ -113,9 +113,8 @@ src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aa
src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \
src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \
src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \
src/encauth/nls/nls_memory.o src/encauth/nls/nlsfast.o src/encauth/ocb/ocb_decrypt.o \
src/encauth/ocb/ocb_decrypt_verify_memory.o src/encauth/ocb/ocb_done_decrypt.o \
src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \
src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \
src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \
src/hashes/chc/chc.o src/hashes/helper/hash_file.o src/hashes/helper/hash_filehandle.o \
@ -365,5 +364,5 @@ zipup: no_oops docs
# $Source: /cvs/libtom/libtomcrypt/makefile,v $
# $Revision: 1.114 $
# $Date: 2006/01/26 06:12:31 $
# $Revision: 1.116 $
# $Date: 2006/01/29 15:53:38 $

View File

@ -100,9 +100,8 @@ src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aa
src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \
src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \
src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \
src/encauth/nls/nls_memory.o src/encauth/nls/nlsfast.o src/encauth/ocb/ocb_decrypt.o \
src/encauth/ocb/ocb_decrypt_verify_memory.o src/encauth/ocb/ocb_done_decrypt.o \
src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \
src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \
src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \
src/hashes/chc/chc.o src/hashes/helper/hash_file.o src/hashes/helper/hash_filehandle.o \
@ -270,6 +269,6 @@ install: library
install -g $(GROUP) -o $(USER) $(HEADERS) $(DESTDIR)$(INCPATH)
# $Source: /cvs/libtom/libtomcrypt/makefile.icc,v $
# $Revision: 1.49 $
# $Date: 2006/01/26 06:12:31 $
# $Revision: 1.50 $
# $Date: 2006/01/29 15:53:38 $

View File

@ -15,9 +15,8 @@ src/encauth/eax/eax_init.obj src/encauth/eax/eax_test.obj src/encauth/gcm/gcm_ad
src/encauth/gcm/gcm_add_iv.obj src/encauth/gcm/gcm_done.obj src/encauth/gcm/gcm_gf_mult.obj \
src/encauth/gcm/gcm_init.obj src/encauth/gcm/gcm_memory.obj src/encauth/gcm/gcm_mult_h.obj \
src/encauth/gcm/gcm_process.obj src/encauth/gcm/gcm_reset.obj src/encauth/gcm/gcm_test.obj \
src/encauth/nls/nls_memory.obj src/encauth/nls/nlsfast.obj src/encauth/ocb/ocb_decrypt.obj \
src/encauth/ocb/ocb_decrypt_verify_memory.obj src/encauth/ocb/ocb_done_decrypt.obj \
src/encauth/ocb/ocb_done_encrypt.obj src/encauth/ocb/ocb_encrypt.obj \
src/encauth/ocb/ocb_decrypt.obj src/encauth/ocb/ocb_decrypt_verify_memory.obj \
src/encauth/ocb/ocb_done_decrypt.obj src/encauth/ocb/ocb_done_encrypt.obj src/encauth/ocb/ocb_encrypt.obj \
src/encauth/ocb/ocb_encrypt_authenticate_memory.obj src/encauth/ocb/ocb_init.obj src/encauth/ocb/ocb_ntz.obj \
src/encauth/ocb/ocb_shift_xor.obj src/encauth/ocb/ocb_test.obj src/encauth/ocb/s_ocb_done.obj \
src/hashes/chc/chc.obj src/hashes/helper/hash_file.obj src/hashes/helper/hash_filehandle.obj \
@ -133,5 +132,5 @@ timing: demos/timing.c library
cl $(CFLAGS) demos/timing.c testprof/tomcrypt_prof.lib tomcrypt.lib advapi32.lib $(EXTRALIBS)
# $Source: /cvs/libtom/libtomcrypt/makefile.msvc,v $
# $Revision: 1.29 $
# $Date: 2006/01/26 06:12:31 $
# $Revision: 1.30 $
# $Date: 2006/01/29 15:53:38 $

View File

@ -6,7 +6,7 @@
# Tom St Denis
# The version
VERSION=0:109
VERSION=0:110
# Compiler and Linker Names
CC=libtool --mode=compile gcc
@ -107,9 +107,8 @@ src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aa
src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \
src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \
src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \
src/encauth/nls/nls_memory.o src/encauth/nls/nlsfast.o src/encauth/ocb/ocb_decrypt.o \
src/encauth/ocb/ocb_decrypt_verify_memory.o src/encauth/ocb/ocb_done_decrypt.o \
src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \
src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \
src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \
src/hashes/chc/chc.o src/hashes/helper/hash_file.o src/hashes/helper/hash_filehandle.o \
@ -259,5 +258,5 @@ timing: library testprof/$(LIBTEST) $(TIMINGS)
gcc -o $(TIMING) $(TIMINGS) -ltomcrypt_prof -ltomcrypt $(EXTRALIBS)
# $Source: /cvs/libtom/libtomcrypt/makefile.shared,v $
# $Revision: 1.43 $
# $Date: 2006/01/26 06:12:31 $
# $Revision: 1.45 $
# $Date: 2006/01/29 15:53:38 $

View File

@ -15,8 +15,50 @@
*/
#include "tomcrypt.h"
#if defined(GCM_TABLES) || defined(LRW_TABLES) || ((defined(GCM_MODE) || defined(GCM_MODE)) && defined(LTC_FAST))
/* this is x*2^128 mod p(x) ... the results are 16 bytes each stored in a packed format. Since only the
* lower 16 bits are not zero'ed I removed the upper 14 bytes */
const unsigned char gcm_shift_table[256*2] = {
0x00, 0x00, 0x01, 0xc2, 0x03, 0x84, 0x02, 0x46, 0x07, 0x08, 0x06, 0xca, 0x04, 0x8c, 0x05, 0x4e,
0x0e, 0x10, 0x0f, 0xd2, 0x0d, 0x94, 0x0c, 0x56, 0x09, 0x18, 0x08, 0xda, 0x0a, 0x9c, 0x0b, 0x5e,
0x1c, 0x20, 0x1d, 0xe2, 0x1f, 0xa4, 0x1e, 0x66, 0x1b, 0x28, 0x1a, 0xea, 0x18, 0xac, 0x19, 0x6e,
0x12, 0x30, 0x13, 0xf2, 0x11, 0xb4, 0x10, 0x76, 0x15, 0x38, 0x14, 0xfa, 0x16, 0xbc, 0x17, 0x7e,
0x38, 0x40, 0x39, 0x82, 0x3b, 0xc4, 0x3a, 0x06, 0x3f, 0x48, 0x3e, 0x8a, 0x3c, 0xcc, 0x3d, 0x0e,
0x36, 0x50, 0x37, 0x92, 0x35, 0xd4, 0x34, 0x16, 0x31, 0x58, 0x30, 0x9a, 0x32, 0xdc, 0x33, 0x1e,
0x24, 0x60, 0x25, 0xa2, 0x27, 0xe4, 0x26, 0x26, 0x23, 0x68, 0x22, 0xaa, 0x20, 0xec, 0x21, 0x2e,
0x2a, 0x70, 0x2b, 0xb2, 0x29, 0xf4, 0x28, 0x36, 0x2d, 0x78, 0x2c, 0xba, 0x2e, 0xfc, 0x2f, 0x3e,
0x70, 0x80, 0x71, 0x42, 0x73, 0x04, 0x72, 0xc6, 0x77, 0x88, 0x76, 0x4a, 0x74, 0x0c, 0x75, 0xce,
0x7e, 0x90, 0x7f, 0x52, 0x7d, 0x14, 0x7c, 0xd6, 0x79, 0x98, 0x78, 0x5a, 0x7a, 0x1c, 0x7b, 0xde,
0x6c, 0xa0, 0x6d, 0x62, 0x6f, 0x24, 0x6e, 0xe6, 0x6b, 0xa8, 0x6a, 0x6a, 0x68, 0x2c, 0x69, 0xee,
0x62, 0xb0, 0x63, 0x72, 0x61, 0x34, 0x60, 0xf6, 0x65, 0xb8, 0x64, 0x7a, 0x66, 0x3c, 0x67, 0xfe,
0x48, 0xc0, 0x49, 0x02, 0x4b, 0x44, 0x4a, 0x86, 0x4f, 0xc8, 0x4e, 0x0a, 0x4c, 0x4c, 0x4d, 0x8e,
0x46, 0xd0, 0x47, 0x12, 0x45, 0x54, 0x44, 0x96, 0x41, 0xd8, 0x40, 0x1a, 0x42, 0x5c, 0x43, 0x9e,
0x54, 0xe0, 0x55, 0x22, 0x57, 0x64, 0x56, 0xa6, 0x53, 0xe8, 0x52, 0x2a, 0x50, 0x6c, 0x51, 0xae,
0x5a, 0xf0, 0x5b, 0x32, 0x59, 0x74, 0x58, 0xb6, 0x5d, 0xf8, 0x5c, 0x3a, 0x5e, 0x7c, 0x5f, 0xbe,
0xe1, 0x00, 0xe0, 0xc2, 0xe2, 0x84, 0xe3, 0x46, 0xe6, 0x08, 0xe7, 0xca, 0xe5, 0x8c, 0xe4, 0x4e,
0xef, 0x10, 0xee, 0xd2, 0xec, 0x94, 0xed, 0x56, 0xe8, 0x18, 0xe9, 0xda, 0xeb, 0x9c, 0xea, 0x5e,
0xfd, 0x20, 0xfc, 0xe2, 0xfe, 0xa4, 0xff, 0x66, 0xfa, 0x28, 0xfb, 0xea, 0xf9, 0xac, 0xf8, 0x6e,
0xf3, 0x30, 0xf2, 0xf2, 0xf0, 0xb4, 0xf1, 0x76, 0xf4, 0x38, 0xf5, 0xfa, 0xf7, 0xbc, 0xf6, 0x7e,
0xd9, 0x40, 0xd8, 0x82, 0xda, 0xc4, 0xdb, 0x06, 0xde, 0x48, 0xdf, 0x8a, 0xdd, 0xcc, 0xdc, 0x0e,
0xd7, 0x50, 0xd6, 0x92, 0xd4, 0xd4, 0xd5, 0x16, 0xd0, 0x58, 0xd1, 0x9a, 0xd3, 0xdc, 0xd2, 0x1e,
0xc5, 0x60, 0xc4, 0xa2, 0xc6, 0xe4, 0xc7, 0x26, 0xc2, 0x68, 0xc3, 0xaa, 0xc1, 0xec, 0xc0, 0x2e,
0xcb, 0x70, 0xca, 0xb2, 0xc8, 0xf4, 0xc9, 0x36, 0xcc, 0x78, 0xcd, 0xba, 0xcf, 0xfc, 0xce, 0x3e,
0x91, 0x80, 0x90, 0x42, 0x92, 0x04, 0x93, 0xc6, 0x96, 0x88, 0x97, 0x4a, 0x95, 0x0c, 0x94, 0xce,
0x9f, 0x90, 0x9e, 0x52, 0x9c, 0x14, 0x9d, 0xd6, 0x98, 0x98, 0x99, 0x5a, 0x9b, 0x1c, 0x9a, 0xde,
0x8d, 0xa0, 0x8c, 0x62, 0x8e, 0x24, 0x8f, 0xe6, 0x8a, 0xa8, 0x8b, 0x6a, 0x89, 0x2c, 0x88, 0xee,
0x83, 0xb0, 0x82, 0x72, 0x80, 0x34, 0x81, 0xf6, 0x84, 0xb8, 0x85, 0x7a, 0x87, 0x3c, 0x86, 0xfe,
0xa9, 0xc0, 0xa8, 0x02, 0xaa, 0x44, 0xab, 0x86, 0xae, 0xc8, 0xaf, 0x0a, 0xad, 0x4c, 0xac, 0x8e,
0xa7, 0xd0, 0xa6, 0x12, 0xa4, 0x54, 0xa5, 0x96, 0xa0, 0xd8, 0xa1, 0x1a, 0xa3, 0x5c, 0xa2, 0x9e,
0xb5, 0xe0, 0xb4, 0x22, 0xb6, 0x64, 0xb7, 0xa6, 0xb2, 0xe8, 0xb3, 0x2a, 0xb1, 0x6c, 0xb0, 0xae,
0xbb, 0xf0, 0xba, 0x32, 0xb8, 0x74, 0xb9, 0xb6, 0xbc, 0xf8, 0xbd, 0x3a, 0xbf, 0x7c, 0xbe, 0xbe };
#endif
#if defined(GCM_MODE) || defined(LRW_MODE)
#ifndef LTC_FAST
/* right shift */
static void gcm_rightshift(unsigned char *a)
{
@ -33,7 +75,7 @@ static const unsigned char poly[] = { 0x00, 0xE1 };
/**
GCM GF multiplier (internal use only)
GCM GF multiplier (internal use only) bitserial
@param a First value
@param b Second value
@param c Destination for a * b
@ -57,8 +99,123 @@ void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *
}
XMEMCPY(c, Z, 16);
}
#else
/* map normal numbers to "ieee" way ... e.g. bit reversed */
#define M(x) ( ((x&8)>>3) | ((x&4)>>1) | ((x&2)<<1) | ((x&1)<<3) )
#define BPD (sizeof(LTC_FAST_TYPE) * 8)
#define WPV (1 + (16 / sizeof(LTC_FAST_TYPE)))
/**
GCM GF multiplier (internal use only) word oriented
@param a First value
@param b Second value
@param c Destination for a * b
*/
void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *c)
{
int i, j, k, u;
LTC_FAST_TYPE B[16][WPV], tmp[32 / sizeof(LTC_FAST_TYPE)], pB[16 / sizeof(LTC_FAST_TYPE)], zz, z;
unsigned char pTmp[32];
/* create simple tables */
zeromem(B[0], sizeof(B[0]));
zeromem(B[M(1)], sizeof(B[M(1)]));
#ifdef ENDIAN_32BITWORD
for (i = 0; i < 4; i++) {
LOAD32H(B[M(1)][i], a + (i<<2));
LOAD32L(pB[i], b + (i<<2));
}
#else
for (i = 0; i < 2; i++) {
LOAD64H(B[M(1)][i], a + (i<<3));
LOAD64L(pB[i], b + (i<<3));
}
#endif
/* now create 2, 4 and 8 */
B[M(2)][0] = B[M(1)][0] >> 1;
B[M(4)][0] = B[M(1)][0] >> 2;
B[M(8)][0] = B[M(1)][0] >> 3;
for (i = 1; i < (int)WPV; i++) {
B[M(2)][i] = (B[M(1)][i-1] << (BPD-1)) | (B[M(1)][i] >> 1);
B[M(4)][i] = (B[M(1)][i-1] << (BPD-2)) | (B[M(1)][i] >> 2);
B[M(8)][i] = (B[M(1)][i-1] << (BPD-3)) | (B[M(1)][i] >> 3);
}
/* now all values with two bits which are 3, 5, 6, 9, 10, 12 */
for (i = 0; i < (int)WPV; i++) {
B[M(3)][i] = B[M(1)][i] ^ B[M(2)][i];
B[M(5)][i] = B[M(1)][i] ^ B[M(4)][i];
B[M(6)][i] = B[M(2)][i] ^ B[M(4)][i];
B[M(9)][i] = B[M(1)][i] ^ B[M(8)][i];
B[M(10)][i] = B[M(2)][i] ^ B[M(8)][i];
B[M(12)][i] = B[M(8)][i] ^ B[M(4)][i];
/* now all 3 bit values and the only 4 bit value: 7, 11, 13, 14, 15 */
B[M(7)][i] = B[M(3)][i] ^ B[M(4)][i];
B[M(11)][i] = B[M(3)][i] ^ B[M(8)][i];
B[M(13)][i] = B[M(1)][i] ^ B[M(12)][i];
B[M(14)][i] = B[M(6)][i] ^ B[M(8)][i];
B[M(15)][i] = B[M(7)][i] ^ B[M(8)][i];
}
zeromem(tmp, sizeof(tmp));
/* compute product four bits of each word at a time */
/* for each nibble */
for (i = (BPD/4)-1; i >= 0; i--) {
/* for each word */
for (j = 0; j < (int)(WPV-1); j++) {
/* grab the 4 bits recall the nibbles are backwards so it's a shift by (i^1)*4 */
u = (pB[j] >> ((i^1)<<2)) & 15;
/* add offset by the word count the table looked up value to the result */
for (k = 0; k < (int)WPV; k++) {
tmp[k+j] ^= B[u][k];
}
}
/* shift result up by 4 bits */
if (i != 0) {
for (z = j = 0; j < (int)(32 / sizeof(LTC_FAST_TYPE)); j++) {
zz = tmp[j] << (BPD-4);
tmp[j] = (tmp[j] >> 4) | z;
z = zz;
}
}
}
/* store product */
#ifdef ENDIAN_32BITWORD
for (i = 0; i < 8; i++) {
STORE32H(tmp[i], pTmp + (i<<2));
}
#else
for (i = 0; i < 4; i++) {
STORE64H(tmp[i], pTmp + (i<<3));
}
#endif
/* reduce by taking most significant byte and adding the appropriate two byte sequence 16 bytes down */
for (i = 31; i >= 16; i--) {
pTmp[i-16] ^= gcm_shift_table[((unsigned)pTmp[i]<<1)];
pTmp[i-15] ^= gcm_shift_table[((unsigned)pTmp[i]<<1)+1];
}
for (i = 0; i < 16; i++) {
c[i] = pTmp[i];
}
}
#endif
#endif
/* $Source$ */
/* $Revision$ */
/* $Date$ */

View File

@ -17,46 +17,6 @@
#ifdef GCM_MODE
#ifdef GCM_TABLES
/* this is x*2^128 mod p(x) ... the results are 16 bytes each stored in a packed format. Since only the
* lower 16 bits are not zero'ed I removed the upper 14 bytes */
static const unsigned char gcm_shift_table[256*2] = {
0x00, 0x00, 0x01, 0xc2, 0x03, 0x84, 0x02, 0x46, 0x07, 0x08, 0x06, 0xca, 0x04, 0x8c, 0x05, 0x4e,
0x0e, 0x10, 0x0f, 0xd2, 0x0d, 0x94, 0x0c, 0x56, 0x09, 0x18, 0x08, 0xda, 0x0a, 0x9c, 0x0b, 0x5e,
0x1c, 0x20, 0x1d, 0xe2, 0x1f, 0xa4, 0x1e, 0x66, 0x1b, 0x28, 0x1a, 0xea, 0x18, 0xac, 0x19, 0x6e,
0x12, 0x30, 0x13, 0xf2, 0x11, 0xb4, 0x10, 0x76, 0x15, 0x38, 0x14, 0xfa, 0x16, 0xbc, 0x17, 0x7e,
0x38, 0x40, 0x39, 0x82, 0x3b, 0xc4, 0x3a, 0x06, 0x3f, 0x48, 0x3e, 0x8a, 0x3c, 0xcc, 0x3d, 0x0e,
0x36, 0x50, 0x37, 0x92, 0x35, 0xd4, 0x34, 0x16, 0x31, 0x58, 0x30, 0x9a, 0x32, 0xdc, 0x33, 0x1e,
0x24, 0x60, 0x25, 0xa2, 0x27, 0xe4, 0x26, 0x26, 0x23, 0x68, 0x22, 0xaa, 0x20, 0xec, 0x21, 0x2e,
0x2a, 0x70, 0x2b, 0xb2, 0x29, 0xf4, 0x28, 0x36, 0x2d, 0x78, 0x2c, 0xba, 0x2e, 0xfc, 0x2f, 0x3e,
0x70, 0x80, 0x71, 0x42, 0x73, 0x04, 0x72, 0xc6, 0x77, 0x88, 0x76, 0x4a, 0x74, 0x0c, 0x75, 0xce,
0x7e, 0x90, 0x7f, 0x52, 0x7d, 0x14, 0x7c, 0xd6, 0x79, 0x98, 0x78, 0x5a, 0x7a, 0x1c, 0x7b, 0xde,
0x6c, 0xa0, 0x6d, 0x62, 0x6f, 0x24, 0x6e, 0xe6, 0x6b, 0xa8, 0x6a, 0x6a, 0x68, 0x2c, 0x69, 0xee,
0x62, 0xb0, 0x63, 0x72, 0x61, 0x34, 0x60, 0xf6, 0x65, 0xb8, 0x64, 0x7a, 0x66, 0x3c, 0x67, 0xfe,
0x48, 0xc0, 0x49, 0x02, 0x4b, 0x44, 0x4a, 0x86, 0x4f, 0xc8, 0x4e, 0x0a, 0x4c, 0x4c, 0x4d, 0x8e,
0x46, 0xd0, 0x47, 0x12, 0x45, 0x54, 0x44, 0x96, 0x41, 0xd8, 0x40, 0x1a, 0x42, 0x5c, 0x43, 0x9e,
0x54, 0xe0, 0x55, 0x22, 0x57, 0x64, 0x56, 0xa6, 0x53, 0xe8, 0x52, 0x2a, 0x50, 0x6c, 0x51, 0xae,
0x5a, 0xf0, 0x5b, 0x32, 0x59, 0x74, 0x58, 0xb6, 0x5d, 0xf8, 0x5c, 0x3a, 0x5e, 0x7c, 0x5f, 0xbe,
0xe1, 0x00, 0xe0, 0xc2, 0xe2, 0x84, 0xe3, 0x46, 0xe6, 0x08, 0xe7, 0xca, 0xe5, 0x8c, 0xe4, 0x4e,
0xef, 0x10, 0xee, 0xd2, 0xec, 0x94, 0xed, 0x56, 0xe8, 0x18, 0xe9, 0xda, 0xeb, 0x9c, 0xea, 0x5e,
0xfd, 0x20, 0xfc, 0xe2, 0xfe, 0xa4, 0xff, 0x66, 0xfa, 0x28, 0xfb, 0xea, 0xf9, 0xac, 0xf8, 0x6e,
0xf3, 0x30, 0xf2, 0xf2, 0xf0, 0xb4, 0xf1, 0x76, 0xf4, 0x38, 0xf5, 0xfa, 0xf7, 0xbc, 0xf6, 0x7e,
0xd9, 0x40, 0xd8, 0x82, 0xda, 0xc4, 0xdb, 0x06, 0xde, 0x48, 0xdf, 0x8a, 0xdd, 0xcc, 0xdc, 0x0e,
0xd7, 0x50, 0xd6, 0x92, 0xd4, 0xd4, 0xd5, 0x16, 0xd0, 0x58, 0xd1, 0x9a, 0xd3, 0xdc, 0xd2, 0x1e,
0xc5, 0x60, 0xc4, 0xa2, 0xc6, 0xe4, 0xc7, 0x26, 0xc2, 0x68, 0xc3, 0xaa, 0xc1, 0xec, 0xc0, 0x2e,
0xcb, 0x70, 0xca, 0xb2, 0xc8, 0xf4, 0xc9, 0x36, 0xcc, 0x78, 0xcd, 0xba, 0xcf, 0xfc, 0xce, 0x3e,
0x91, 0x80, 0x90, 0x42, 0x92, 0x04, 0x93, 0xc6, 0x96, 0x88, 0x97, 0x4a, 0x95, 0x0c, 0x94, 0xce,
0x9f, 0x90, 0x9e, 0x52, 0x9c, 0x14, 0x9d, 0xd6, 0x98, 0x98, 0x99, 0x5a, 0x9b, 0x1c, 0x9a, 0xde,
0x8d, 0xa0, 0x8c, 0x62, 0x8e, 0x24, 0x8f, 0xe6, 0x8a, 0xa8, 0x8b, 0x6a, 0x89, 0x2c, 0x88, 0xee,
0x83, 0xb0, 0x82, 0x72, 0x80, 0x34, 0x81, 0xf6, 0x84, 0xb8, 0x85, 0x7a, 0x87, 0x3c, 0x86, 0xfe,
0xa9, 0xc0, 0xa8, 0x02, 0xaa, 0x44, 0xab, 0x86, 0xae, 0xc8, 0xaf, 0x0a, 0xad, 0x4c, 0xac, 0x8e,
0xa7, 0xd0, 0xa6, 0x12, 0xa4, 0x54, 0xa5, 0x96, 0xa0, 0xd8, 0xa1, 0x1a, 0xa3, 0x5c, 0xa2, 0x9e,
0xb5, 0xe0, 0xb4, 0x22, 0xb6, 0x64, 0xb7, 0xa6, 0xb2, 0xe8, 0xb3, 0x2a, 0xb1, 0x6c, 0xb0, 0xae,
0xbb, 0xf0, 0xba, 0x32, 0xb8, 0x74, 0xb9, 0xb6, 0xbc, 0xf8, 0xbd, 0x3a, 0xbf, 0x7c, 0xbe, 0xbe };
#endif
/**
Initialize a GCM state
@param gcm The GCM state to initialize

View File

@ -1,94 +0,0 @@
/* LibTomCrypt, modular cryptographic library -- Tom St Denis
*
* LibTomCrypt is a library that provides various cryptographic
* algorithms in a highly modular and flexible manner.
*
* The library is free for all purposes without any express
* guarantee it works.
*
* Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.org
*/
/**
@file nls_memory.c
NLS support, process a block of memory, Tom St Denis
*/
#ifdef NLS_MODE
int nls_memory(const unsigned char *key, unsigned long keylen,
const unsigned char *IV, unsigned long IVlen,
const unsigned char *adata, unsigned long adatalen,
unsigned char *pt, unsigned long ptlen,
unsigned char *ct,
unsigned char *tag, unsigned long taglen,
int direction)
{
nls_state *nls;
int err;
LTC_ARGCHK(key != NULL);
LTC_ARGCHK(IV != NULL);
if (adatalen > 0) {
LTC_ARGCHK(adata != NULL);
}
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
if (taglen > 0) {
LTC_ARGCHK(tag != NULL);
}
/* alloc NLS state */
nls = XCALLOC(1, sizeof(*nls));
if (nls == NULL) {
return CRYPT_MEM;
}
/* init key and IV */
if ((err = nls_key(nls, key, keylen)) != CRYPT_OK) {
goto done;
}
if ((err = nls_nonce(nls, IV, IVlen)) != CRYPT_OK) {
goto done;
}
/* process adata */
if (adatalen > 0) {
if ((err = nls_maconly(nls, adata, adatalen)) != CRYPT_OK) {
goto done;
}
}
/* process msg */
if (direction == NLS_ENCRYPT) {
if ((err = nls_encrypt(nls, pt, nbytes, ct)) != CRYPT_OK) {
goto done;
}
} else {
if ((err = nls_decrypt(nls, ct, nbytes, pt)) != CRYPT_OK) {
goto done;
}
}
/* grab tag */
if (taglen > 0) {
if ((err = nls_finish(nls, tag, taglen)) != CRYPT_OK) {
goto done;
}
}
err = CRYPT_OK;
done:
#ifdef LTC_CLEAN_STACK
zeromem(nls, sizeof(*nls));
#endif
XFREE(nls);
return err;
}
#endif
/* $Source$ */
/* $Revision$ */
/* $Date$ */

View File

@ -1,981 +0,0 @@
/* LibTomCrypt, modular cryptographic library -- Tom St Denis
*
* LibTomCrypt is a library that provides various cryptographic
* algorithms in a highly modular and flexible manner.
*
* The library is free for all purposes without any express
* guarantee it works.
*
* Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.org
*/
/**
@file nlsfast.c
NLS support, entire suite, Tom St Denis
*/
/* Id: nlsfast.c 346 2005-04-22 18:36:12Z mwp */
/* nlsfast: NLS stream cipher and Mundja MAC -- fast implementation */
/*
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND AGAINST
INFRINGEMENT ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* This source has been modified from the original source for the LibTomCrypt project
* by Tom St Denis. (Warnings fixed and code GNU indented)
*/
#include "tomcrypt.h"
#ifdef NLS_MODE
#define NLS_LONG_OUTPUT 1
#define N 17
#define NMAC 8
#define WORDSIZE 32
#define F16 0x10001ul
#define MACKONST 8
/* interface, multiplication table and SBox */
#include "nlssbox.inc"
#include "nlsmultab.inc"
/*
* FOLD is how many register cycles need to be performed after combining the
* last byte of key and non-linear feedback, before every byte depends on every
* byte of the key. This depends on the feedback and nonlinear functions, and
* on where they are combined into the register.
*/
#define FOLD N /* how many iterations of folding to do */
#define INITKONST 0x6996c53a /* value of KONST to use during key loading */
#define KEYP 15 /* where to insert key words */
#define FOLDP 4 /* where to insert non-linear feedback */
#if NLS_LONG_OUTPUT
#define CTRP 2 /* where to insert counter to avoid small cycles */
#endif /*NLS_LONG_OUTPUT */
#define Byte(x,i) ((unsigned char)(((x) >> (8*i)) & 0xFF))
/* define IS_LITTLE_ENDIAN for faster operation when appropriate */
#if defined(ENDIAN_LITTLE) && defined(ENDIAN_32BITWORD)
/* Useful macros -- little endian words on a little endian machine */
#define BYTE2WORD(b) (*(ulong32 *)(b))
#define WORD2BYTE(w, b) ((*(ulong32 *)(b)) = w)
#define XORWORD(w, b) ((*(ulong32 *)(b)) ^= w)
#else
/* Useful macros -- machine independent little-endian version */
#define BYTE2WORD(b) ( \
(((ulong32)(b)[3] & 0xFF)<<24) | \
(((ulong32)(b)[2] & 0xFF)<<16) | \
(((ulong32)(b)[1] & 0xFF)<<8) | \
(((ulong32)(b)[0] & 0xFF)) \
)
#define WORD2BYTE(w, b) { \
(b)[3] = Byte(w,3); \
(b)[2] = Byte(w,2); \
(b)[1] = Byte(w,1); \
(b)[0] = Byte(w,0); \
}
#define XORWORD(w, b) { \
(b)[3] ^= Byte(w,3); \
(b)[2] ^= Byte(w,2); \
(b)[1] ^= Byte(w,1); \
(b)[0] ^= Byte(w,0); \
}
#endif
#if NLS_LONG_OUTPUT
#define ZEROCOUNTER(c) c->CtrModF16 = c->CtrMod232 = 0
#else
#define ZEROCOUNTER(c) /* nothing */
#endif /*NLS_LONG_OUTPUT */
/* give correct offset for the current position of the register,
* where logically R[0] is at position "zero".
*/
#define OFF(zero, i) (((zero)+(i)) % N)
#if NLS_LONG_OUTPUT
/* Increment counter and mix into register every so often */
#define FIXCTR(c,z) \
{ \
if (++c->CtrModF16 == F16) { \
c->CtrMod232 += c->CtrModF16; \
c->R[OFF(z,CTRP)] += c->CtrMod232; \
c->CtrMod232 = 0; \
} \
}
#endif /*NLS_LONG_OUTPUT */
/* step the shift register */
/* After stepping, "zero" moves right one place */
#define STEP(c,z) \
{ register ulong32 tt; \
tt = ROL(c->R[OFF(z,0)],19) + ROL(c->R[OFF(z,15)],9) + c->konst; \
tt ^= Sbox[(tt >> 24) & 0xFF]; \
c->R[OFF(z,0)] = tt ^ c->R[OFF(z,4)]; \
}
static void cycle(nls_state * c)
{
ulong32 t;
int i;
/* nonlinear feedback function */
STEP(c, 0);
/* shift register */
t = c->R[0];
for (i = 1; i < N; ++i)
c->R[i - 1] = c->R[i];
c->R[N - 1] = t;
#if NLS_LONG_OUTPUT
FIXCTR(c, 0);
#endif /*NLS_LONG_OUTPUT */
}
/* Return a non-linear function of some parts of the register.
*/
#define NLFUNC(c,z) \
(c->R[OFF(z,0)] + c->R[OFF(z,16)]) \
^ (c->R[OFF(z,1)] + c->konst) \
^ (c->R[OFF(z,6)] + c->R[OFF(z,13)])
static ulong32 nltap(nls_state * c)
{
return NLFUNC(c, 0);
}
/* The Mundja MAC function is modelled after the round function of SHA-256.
* The following lines establish aliases for the MAC accumulator, just
* so that the definition of that function looks more like FIPS-180-2.
*/
#define A c->M[0]
#define B c->M[1]
#define C c->M[2]
#define D c->M[3]
#define E c->M[4]
#define F c->M[5]
#define G c->M[6]
#define H c->M[7]
#define SIGMA0(x) (ROR((x), 2) ^ ROR((x), 13) ^ ROR((x), 22))
#define SIGMA1(x) (ROR((x), 6) ^ ROR((x), 11) ^ ROR((x), 25))
#define CHOOSE(x,y,z) (z ^ (x & (y ^ z)))
#define MAJORITY(x,y,z) ((x & y) | (z & (x | y)))
/* Accumulate a nonlinear function of a register word and an input word for MAC.
* Except for the added S-Box and SOBER LFSR input instead of constants,
* this is exactly a round of SHA-256.
*/
#define SHAFUNC(c,i,k,A,B,C,D,E,F,G,H) \
{ \
ulong32 t1; \
t1 = H + k + i; \
t1 ^= Sbox[(t1 >> 24) & 0xFF]; \
t1 += SIGMA1(E) + CHOOSE(E, F, G); \
D += t1; \
t1 += SIGMA0(A) + MAJORITY(A, B, C); \
H = t1; \
}
static void shafunc(nls_state * c, ulong32 i)
{
ulong32 t;
SHAFUNC(c, i, c->R[MACKONST], A, B, C, D, E, F, G, H);
/* now correct alignment of MAC accumulator */
t = c->M[NMAC - 1];
for (i = NMAC - 1; i > 0; --i)
c->M[i] = c->M[i - 1];
c->M[0] = t;
}
/* Accumulate a CRC of input words, later to be fed into MAC.
*/
#define CRCFUNC(c,i,zero,five) \
{ \
ulong32 t1; \
t1 = (c->CRC[zero] << 8) ^ Multab[(c->CRC[zero] >> 24) & 0xFF] \
^ c->CRC[five] ^ i; \
c->CRC[zero] = t1; \
}
static void crcfunc(nls_state * c, ulong32 i)
{
ulong32 t;
CRCFUNC(c, i, 0, 5);
/* now correct alignment of CRC accumulator */
t = c->CRC[0];
for (i = 1; i < NMAC; ++i)
c->CRC[i - 1] = c->CRC[i];
c->CRC[NMAC - 1] = t;
}
/* Normal MAC word processing: do both SHA and CRC.
*/
static void macfunc(nls_state * c, ulong32 i)
{
crcfunc(c, i);
shafunc(c, i);
}
/* initialise to known state
*/
static void nls_initstate(nls_state * c)
{
int i;
/* Register initialised to Fibonacci numbers */
c->R[0] = 1;
c->R[1] = 1;
for (i = 2; i < N; ++i)
c->R[i] = c->R[i - 1] + c->R[i - 2];
c->konst = INITKONST;
ZEROCOUNTER(c);
}
/* Save the current register state
*/
static void nls_savestate(nls_state * c)
{
int i;
for (i = 0; i < N; ++i)
c->initR[i] = c->R[i];
}
/* initialise to previously saved register state
*/
static void nls_reloadstate(nls_state * c)
{
int i;
for (i = 0; i < N; ++i)
c->R[i] = c->initR[i];
ZEROCOUNTER(c);
}
/* Initialise "konst"
*/
static void nls_genkonst(nls_state * c)
{
ulong32 newkonst;
do {
cycle(c);
newkonst = nltap(c);
}
while ((newkonst & 0xFF000000) == 0);
c->konst = newkonst;
}
/* Load key material into the register
*/
#define ADDKEY(k) \
c->R[KEYP] += (k);
#define XORNL(nl) \
c->R[FOLDP] ^= (nl);
/* nonlinear diffusion of register for key and MAC */
#define DROUND(z) STEP(c,z); c->R[OFF((z+1),FOLDP)] ^= NLFUNC(c,(z+1));
static void nls_diffuse(nls_state * c)
{
/* relies on FOLD == N! */
DROUND(0);
DROUND(1);
DROUND(2);
DROUND(3);
DROUND(4);
DROUND(5);
DROUND(6);
DROUND(7);
DROUND(8);
DROUND(9);
DROUND(10);
DROUND(11);
DROUND(12);
DROUND(13);
DROUND(14);
DROUND(15);
DROUND(16);
}
/* common actions for loading key material */
static void
nls_loadkey(nls_state * c, const unsigned char *key, unsigned long keylen)
{
ulong32 i, k;
/* start folding in key, reject odd sized keys */
if ((keylen & 3) != 0)
abort();
for (i = 0; i < keylen; i += 4) {
k = BYTE2WORD(&key[i]);
ADDKEY(k);
cycle(c);
XORNL(nltap(c));
}
/* also fold in the length of the key */
ADDKEY(keylen);
/* now diffuse */
nls_diffuse(c);
}
/* initialise MAC related registers
*/
static void nls_macinit(nls_state * c)
{
int i;
for (i = 0; i < NMAC; ++i) {
c->M[i] = c->R[i];
c->CRC[i] = c->R[i + NMAC];
}
}
/* Published "key" interface
*/
int nls_key(nls_state * c, const unsigned char *key, unsigned long keylen)
{
LTC_ARGCHK(c != NULL);
LTC_ARGCHK(key != NULL);
if (keylen == 0) {
return CRYPT_INVALID_ARG;
}
nls_initstate(c);
nls_loadkey(c, key, keylen);
nls_genkonst(c);
nls_savestate(c);
nls_macinit(c);
c->nbuf = 0;
ZEROCOUNTER(c);
return CRYPT_OK;
}
/* Published "nonce" interface
*/
int
nls_nonce(nls_state * c, const unsigned char *nonce, unsigned long noncelen)
{
LTC_ARGCHK(c != NULL);
LTC_ARGCHK(nonce != NULL);
if (noncelen == 0) {
return CRYPT_INVALID_ARG;
}
nls_reloadstate(c);
nls_loadkey(c, nonce, noncelen);
nls_macinit(c);
c->nbuf = 0;
ZEROCOUNTER(c);
return CRYPT_OK;
}
#if 0
/* XOR pseudo-random bytes into buffer
* Note: doesn't play well with MAC functions.
*/
#define SROUND(z) STEP(c,z); t = NLFUNC(c,(z+1)); XORWORD(t, buf+(z*4));
static void
nls_stream(nls_state * c, unsigned char *buf, unsigned long nbytes)
{
ulong32 t = 0;
/* handle any previously buffered bytes */
while (c->nbuf != 0 && nbytes != 0) {
*buf++ ^= c->sbuf & 0xFF;
c->sbuf >>= 8;
c->nbuf -= 8;
--nbytes;
}
/* do lots at a time, if there's enough to do */
while (nbytes >= N * 4) {
#if NLS_LONG_OUTPUT
if (c->CtrModF16 < (F16 - 17)) {
#endif /*NLS_LONG_OUTPUT */
SROUND(0);
SROUND(1);
SROUND(2);
SROUND(3);
SROUND(4);
SROUND(5);
SROUND(6);
SROUND(7);
SROUND(8);
SROUND(9);
SROUND(10);
SROUND(11);
SROUND(12);
SROUND(13);
SROUND(14);
SROUND(15);
SROUND(16);
#if NLS_LONG_OUTPUT
c->CtrModF16 += 17;
} else {
SROUND(0);
FIXCTR(c, 1);
SROUND(1);
FIXCTR(c, 2);
SROUND(2);
FIXCTR(c, 3);
SROUND(3);
FIXCTR(c, 4);
SROUND(4);
FIXCTR(c, 5);
SROUND(5);
FIXCTR(c, 6);
SROUND(6);
FIXCTR(c, 7);
SROUND(7);
FIXCTR(c, 8);
SROUND(8);
FIXCTR(c, 9);
SROUND(9);
FIXCTR(c, 10);
SROUND(10);
FIXCTR(c, 11);
SROUND(11);
FIXCTR(c, 12);
SROUND(12);
FIXCTR(c, 13);
SROUND(13);
FIXCTR(c, 14);
SROUND(14);
FIXCTR(c, 15);
SROUND(15);
FIXCTR(c, 16);
SROUND(16);
FIXCTR(c, 0);
}
#endif /*NLS_LONG_OUTPUT */
buf += 4 * N;
nbytes -= N * 4;
}
/* do small or odd size buffers the slow way */
while (4 <= nbytes) {
cycle(c);
t = nltap(c);
XORWORD(t, buf);
buf += 4;
nbytes -= 4;
}
/* handle any trailing bytes */
if (nbytes != 0) {
cycle(c);
c->sbuf = nltap(c);
c->nbuf = 32;
while (c->nbuf != 0 && nbytes != 0) {
*buf++ ^= c->sbuf & 0xFF;
c->sbuf >>= 8;
c->nbuf -= 8;
--nbytes;
}
}
}
#endif
/* accumulate words into MAC without encryption
* Note that plaintext is accumulated for MAC.
*/
#define MROUND(z,A,B,C,D,E,F,G,H) \
t = BYTE2WORD(buf+(z*4)); \
STEP(c,z); \
CRCFUNC(c,t,((z)&0x7),(((z)+5)&0x7)); \
SHAFUNC(c,t,c->R[OFF(z+1,MACKONST)],A,B,C,D,E,F,G,H);
int nls_maconly(nls_state * c, const unsigned char *buf, unsigned long nbytes)
{
int i;
ulong32 t = 0;
LTC_ARGCHK(c != NULL);
LTC_ARGCHK(buf != NULL);
/* handle any previously buffered bytes */
if (c->nbuf != 0) {
while (c->nbuf != 0 && nbytes != 0) {
c->mbuf ^= (*buf++) << (32 - c->nbuf);
c->nbuf -= 8;
--nbytes;
}
if (c->nbuf != 0) { /* not a whole word yet */
return CRYPT_OK;
}
/* LFSR already cycled */
macfunc(c, c->mbuf);
}
/* do lots at a time, if there's enough to do */
while (4 * N <= nbytes) {
#if NLS_LONG_OUTPUT
if (c->CtrModF16 < (F16 - 17)) {
#endif /*NLS_LONG_OUTPUT */
MROUND(0, A, B, C, D, E, F, G, H);
MROUND(1, H, A, B, C, D, E, F, G);
MROUND(2, G, H, A, B, C, D, E, F);
MROUND(3, F, G, H, A, B, C, D, E);
MROUND(4, E, F, G, H, A, B, C, D);
MROUND(5, D, E, F, G, H, A, B, C);
MROUND(6, C, D, E, F, G, H, A, B);
MROUND(7, B, C, D, E, F, G, H, A);
MROUND(8, A, B, C, D, E, F, G, H);
MROUND(9, H, A, B, C, D, E, F, G);
MROUND(10, G, H, A, B, C, D, E, F);
MROUND(11, F, G, H, A, B, C, D, E);
MROUND(12, E, F, G, H, A, B, C, D);
MROUND(13, D, E, F, G, H, A, B, C);
MROUND(14, C, D, E, F, G, H, A, B);
MROUND(15, B, C, D, E, F, G, H, A);
MROUND(16, A, B, C, D, E, F, G, H);
#if NLS_LONG_OUTPUT
c->CtrModF16 += 17;
} else {
MROUND(0, A, B, C, D, E, F, G, H);
FIXCTR(c, 1);
MROUND(1, H, A, B, C, D, E, F, G);
FIXCTR(c, 2);
MROUND(2, G, H, A, B, C, D, E, F);
FIXCTR(c, 3);
MROUND(3, F, G, H, A, B, C, D, E);
FIXCTR(c, 4);
MROUND(4, E, F, G, H, A, B, C, D);
FIXCTR(c, 5);
MROUND(5, D, E, F, G, H, A, B, C);
FIXCTR(c, 6);
MROUND(6, C, D, E, F, G, H, A, B);
FIXCTR(c, 7);
MROUND(7, B, C, D, E, F, G, H, A);
FIXCTR(c, 8);
MROUND(8, A, B, C, D, E, F, G, H);
FIXCTR(c, 9);
MROUND(9, H, A, B, C, D, E, F, G);
FIXCTR(c, 10);
MROUND(10, G, H, A, B, C, D, E, F);
FIXCTR(c, 11);
MROUND(11, F, G, H, A, B, C, D, E);
FIXCTR(c, 12);
MROUND(12, E, F, G, H, A, B, C, D);
FIXCTR(c, 13);
MROUND(13, D, E, F, G, H, A, B, C);
FIXCTR(c, 14);
MROUND(14, C, D, E, F, G, H, A, B);
FIXCTR(c, 15);
MROUND(15, B, C, D, E, F, G, H, A);
FIXCTR(c, 16);
MROUND(16, A, B, C, D, E, F, G, H);
FIXCTR(c, 0);
}
#endif /*NLS_LONG_OUTPUT */
buf += 4 * N;
nbytes -= 4 * N;
/* fix alignment of MAC buffer */
t = c->M[NMAC - 1];
for (i = NMAC - 1; i > 0; --i)
c->M[i] = c->M[i - 1];
c->M[0] = t;
/* fix alignment of CRC buffer */
t = c->CRC[0];
for (i = 1; i < NMAC; ++i)
c->CRC[i - 1] = c->CRC[i];
c->CRC[NMAC - 1] = t;
}
/* do small or odd size buffers the slow way */
while (4 <= nbytes) {
cycle(c);
macfunc(c, BYTE2WORD(buf));
buf += 4;
nbytes -= 4;
}
/* handle any trailing bytes */
if (nbytes != 0) {
cycle(c);
c->sbuf = nltap(c);
c->mbuf = 0;
c->nbuf = 32;
while (nbytes != 0) {
c->mbuf ^= (*buf++) << (32 - c->nbuf);
c->nbuf -= 8;
--nbytes;
}
}
return CRYPT_OK;
}
/* Combined MAC and encryption.
* Note that plaintext is accumulated for MAC.
*/
#define EROUND(z,A,B,C,D,E,F,G,H) \
STEP(c,z); \
t3 = BYTE2WORD(buf+(z*4)); \
CRCFUNC(c,t3,((z)&0x7),(((z)+5)&0x7)); \
SHAFUNC(c,t3,c->R[OFF(z+1,MACKONST)],A,B,C,D,E,F,G,H); \
t = NLFUNC(c,(z+1)); \
t ^= t3; \
WORD2BYTE(t,buf+(z*4));
int nls_encrypt(nls_state * c,
const unsigned char *pt, unsigned long nbytes,
unsigned char *ct)
{
ulong32 t = 0, t3 = 0;
int i;
LTC_ARGCHK(c != NULL);
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
#define buf ct
/* do copy as required */
if (pt != ct) {
XMEMCPY(ct, pt, nbytes);
}
/* handle any previously buffered bytes */
if (c->nbuf != 0) {
while (c->nbuf != 0 && nbytes != 0) {
c->mbuf ^= *buf << (32 - c->nbuf);
*buf ^= (c->sbuf >> (32 - c->nbuf)) & 0xFF;
++buf;
c->nbuf -= 8;
--nbytes;
}
if (c->nbuf != 0) /* not a whole word yet */
return CRYPT_OK;
/* LFSR already cycled */
macfunc(c, c->mbuf);
}
/* do lots at a time, if there's enough to do */
while (4 * N <= nbytes) {
#if NLS_LONG_OUTPUT
if (c->CtrModF16 < (F16 - 17)) {
#endif /*NLS_LONG_OUTPUT */
EROUND(0, A, B, C, D, E, F, G, H);
EROUND(1, H, A, B, C, D, E, F, G);
EROUND(2, G, H, A, B, C, D, E, F);
EROUND(3, F, G, H, A, B, C, D, E);
EROUND(4, E, F, G, H, A, B, C, D);
EROUND(5, D, E, F, G, H, A, B, C);
EROUND(6, C, D, E, F, G, H, A, B);
EROUND(7, B, C, D, E, F, G, H, A);
EROUND(8, A, B, C, D, E, F, G, H);
EROUND(9, H, A, B, C, D, E, F, G);
EROUND(10, G, H, A, B, C, D, E, F);
EROUND(11, F, G, H, A, B, C, D, E);
EROUND(12, E, F, G, H, A, B, C, D);
EROUND(13, D, E, F, G, H, A, B, C);
EROUND(14, C, D, E, F, G, H, A, B);
EROUND(15, B, C, D, E, F, G, H, A);
EROUND(16, A, B, C, D, E, F, G, H);
#if NLS_LONG_OUTPUT
c->CtrModF16 += 17;
} else {
EROUND(0, A, B, C, D, E, F, G, H);
FIXCTR(c, 1);
EROUND(1, H, A, B, C, D, E, F, G);
FIXCTR(c, 2);
EROUND(2, G, H, A, B, C, D, E, F);
FIXCTR(c, 3);
EROUND(3, F, G, H, A, B, C, D, E);
FIXCTR(c, 4);
EROUND(4, E, F, G, H, A, B, C, D);
FIXCTR(c, 5);
EROUND(5, D, E, F, G, H, A, B, C);
FIXCTR(c, 6);
EROUND(6, C, D, E, F, G, H, A, B);
FIXCTR(c, 7);
EROUND(7, B, C, D, E, F, G, H, A);
FIXCTR(c, 8);
EROUND(8, A, B, C, D, E, F, G, H);
FIXCTR(c, 9);
EROUND(9, H, A, B, C, D, E, F, G);
FIXCTR(c, 10);
EROUND(10, G, H, A, B, C, D, E, F);
FIXCTR(c, 11);
EROUND(11, F, G, H, A, B, C, D, E);
FIXCTR(c, 12);
EROUND(12, E, F, G, H, A, B, C, D);
FIXCTR(c, 13);
EROUND(13, D, E, F, G, H, A, B, C);
FIXCTR(c, 14);
EROUND(14, C, D, E, F, G, H, A, B);
FIXCTR(c, 15);
EROUND(15, B, C, D, E, F, G, H, A);
FIXCTR(c, 16);
EROUND(16, A, B, C, D, E, F, G, H);
FIXCTR(c, 0);
}
#endif /*NLS_LONG_OUTPUT */
buf += 4 * N;
nbytes -= 4 * N;
/* fix alignment of MAC buffer */
t = c->M[7];
for (i = NMAC - 1; i > 0; --i)
c->M[i] = c->M[i - 1];
c->M[0] = t;
/* fix alignment of CRC buffer */
t = c->CRC[0];
for (i = 1; i < NMAC; ++i)
c->CRC[i - 1] = c->CRC[i];
c->CRC[NMAC - 1] = t;
}
/* do small or odd size buffers the slow way */
while (4 <= nbytes) {
cycle(c);
t = BYTE2WORD(buf);
macfunc(c, t);
t ^= nltap(c);
WORD2BYTE(t, buf);
nbytes -= 4;
buf += 4;
}
/* handle any trailing bytes */
if (nbytes != 0) {
cycle(c);
c->sbuf = nltap(c);
c->mbuf = 0;
c->nbuf = 32;
while (c->nbuf != 0 && nbytes != 0) {
c->mbuf ^= *buf << (32 - c->nbuf);
*buf ^= (c->sbuf >> (32 - c->nbuf)) & 0xFF;
++buf;
c->nbuf -= 8;
--nbytes;
}
}
#undef buf
return CRYPT_OK;
}
/* Combined MAC and decryption.
* Note that plaintext is accumulated for MAC.
*/
#undef DROUND
#define DROUND(z,A,B,C,D,E,F,G,H) \
STEP(c,z); \
t = NLFUNC(c,(z+1)); \
t3 = BYTE2WORD(buf+(z*4)); \
t ^= t3; \
CRCFUNC(c,t,((z)&0x7),(((z)+5)&0x7)); \
SHAFUNC(c,t,c->R[OFF(z+1,MACKONST)],A,B,C,D,E,F,G,H); \
WORD2BYTE(t, buf+(z*4));
int nls_decrypt(nls_state * c,
const unsigned char *ct, unsigned long nbytes,
unsigned char *pt)
{
ulong32 t = 0, t3 = 0;
int i;
LTC_ARGCHK(c != NULL);
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
#define buf pt
if (pt != ct) {
XMEMCPY(pt, ct, nbytes);
}
/* handle any previously buffered bytes */
if (c->nbuf != 0) {
while (c->nbuf != 0 && nbytes != 0) {
*buf ^= (c->sbuf >> (32 - c->nbuf)) & 0xFF;
c->mbuf ^= *buf << (32 - c->nbuf);
++buf;
c->nbuf -= 8;
--nbytes;
}
if (c->nbuf != 0) /* not a whole word yet */
return CRYPT_OK;
/* LFSR already cycled */
macfunc(c, c->mbuf);
}
/* now do lots at a time, if there's enough */
while (4 * N <= nbytes) {
#if NLS_LONG_OUTPUT
if (c->CtrModF16 < (F16 - 17)) {
#endif /*NLS_LONG_OUTPUT */
DROUND(0, A, B, C, D, E, F, G, H);
DROUND(1, H, A, B, C, D, E, F, G);
DROUND(2, G, H, A, B, C, D, E, F);
DROUND(3, F, G, H, A, B, C, D, E);
DROUND(4, E, F, G, H, A, B, C, D);
DROUND(5, D, E, F, G, H, A, B, C);
DROUND(6, C, D, E, F, G, H, A, B);
DROUND(7, B, C, D, E, F, G, H, A);
DROUND(8, A, B, C, D, E, F, G, H);
DROUND(9, H, A, B, C, D, E, F, G);
DROUND(10, G, H, A, B, C, D, E, F);
DROUND(11, F, G, H, A, B, C, D, E);
DROUND(12, E, F, G, H, A, B, C, D);
DROUND(13, D, E, F, G, H, A, B, C);
DROUND(14, C, D, E, F, G, H, A, B);
DROUND(15, B, C, D, E, F, G, H, A);
DROUND(16, A, B, C, D, E, F, G, H);
#if NLS_LONG_OUTPUT
c->CtrModF16 += 17;
} else {
DROUND(0, A, B, C, D, E, F, G, H);
FIXCTR(c, 1);
DROUND(1, H, A, B, C, D, E, F, G);
FIXCTR(c, 2);
DROUND(2, G, H, A, B, C, D, E, F);
FIXCTR(c, 3);
DROUND(3, F, G, H, A, B, C, D, E);
FIXCTR(c, 4);
DROUND(4, E, F, G, H, A, B, C, D);
FIXCTR(c, 5);
DROUND(5, D, E, F, G, H, A, B, C);
FIXCTR(c, 6);
DROUND(6, C, D, E, F, G, H, A, B);
FIXCTR(c, 7);
DROUND(7, B, C, D, E, F, G, H, A);
FIXCTR(c, 8);
DROUND(8, A, B, C, D, E, F, G, H);
FIXCTR(c, 9);
DROUND(9, H, A, B, C, D, E, F, G);
FIXCTR(c, 10);
DROUND(10, G, H, A, B, C, D, E, F);
FIXCTR(c, 11);
DROUND(11, F, G, H, A, B, C, D, E);
FIXCTR(c, 12);
DROUND(12, E, F, G, H, A, B, C, D);
FIXCTR(c, 13);
DROUND(13, D, E, F, G, H, A, B, C);
FIXCTR(c, 14);
DROUND(14, C, D, E, F, G, H, A, B);
FIXCTR(c, 15);
DROUND(15, B, C, D, E, F, G, H, A);
FIXCTR(c, 16);
DROUND(16, A, B, C, D, E, F, G, H);
FIXCTR(c, 0);
}
#endif /*NLS_LONG_OUTPUT */
buf += 4 * N;
nbytes -= 4 * N;
/* fix alignment of MAC buffer */
t = c->M[7];
for (i = NMAC - 1; i > 0; --i)
c->M[i] = c->M[i - 1];
c->M[0] = t;
/* fix alignment of CRC buffer */
t = c->CRC[0];
for (i = 1; i < NMAC; ++i)
c->CRC[i - 1] = c->CRC[i];
c->CRC[NMAC - 1] = t;
}
/* do small or odd size buffers the slow way */
while (4 <= nbytes) {
cycle(c);
t = nltap(c);
t3 = BYTE2WORD(buf);
t ^= t3;
macfunc(c, t);
WORD2BYTE(t, buf);
nbytes -= 4;
buf += 4;
}
/* handle any trailing bytes */
if (nbytes != 0) {
cycle(c);
c->sbuf = nltap(c);
c->mbuf = 0;
c->nbuf = 32;
while (c->nbuf != 0 && nbytes != 0) {
*buf ^= (c->sbuf >> (32 - c->nbuf)) & 0xFF;
c->mbuf ^= *buf << (32 - c->nbuf);
++buf;
c->nbuf -= 8;
--nbytes;
}
}
return CRYPT_OK;
#undef buf
}
/* Having accumulated a MAC, finish processing and return it.
* Note that any unprocessed bytes are treated as if
* they were encrypted zero bytes, so plaintext (zero) is accumulated.
*/
int nls_finish(nls_state * c, unsigned char *buf, unsigned long nbytes)
{
ulong32 i;
LTC_ARGCHK(c != NULL);
LTC_ARGCHK(buf != NULL);
/* handle any previously buffered bytes */
if (c->nbuf != 0) {
/* LFSR already cycled */
macfunc(c, c->mbuf);
}
/* perturb the MAC to mark end of input.
* Note that only the SHA part is updated, not the CRC. This is an
* action that can't be duplicated by passing in plaintext, hence
* defeating any kind of extension attack.
*/
cycle(c);
shafunc(c, INITKONST + (c->nbuf << 24));
c->nbuf = 0;
/* now add the CRC to the MAC like input material */
for (i = 0; i < NMAC; ++i) {
cycle(c);
crcfunc(c, 0);
shafunc(c, c->CRC[7]);
}
/* continue that process, producing output from the MAC buffer */
while (nbytes > 0) {
cycle(c);
crcfunc(c, 0);
shafunc(c, c->CRC[7]);
if (nbytes >= 4) {
WORD2BYTE(A, buf);
nbytes -= 4;
buf += 4;
} else {
for (i = 0; i < nbytes; ++i)
buf[i] = Byte(A, i);
break;
}
}
return CRYPT_OK;
}
#endif
/* $Source$ */
/* $Revision$ */
/* $Date$ */

View File

@ -1,68 +0,0 @@
/* Id: nlsmultab.h 333 2005-04-13 05:35:54Z mwp */
/* Multiplication table for Mundja using 0xD02B4367 */
static const ulong32 Multab[256] = {
0x00000000, 0xD02B4367, 0xED5686CE, 0x3D7DC5A9,
0x97AC41D1, 0x478702B6, 0x7AFAC71F, 0xAAD18478,
0x631582EF, 0xB33EC188, 0x8E430421, 0x5E684746,
0xF4B9C33E, 0x24928059, 0x19EF45F0, 0xC9C40697,
0xC62A4993, 0x16010AF4, 0x2B7CCF5D, 0xFB578C3A,
0x51860842, 0x81AD4B25, 0xBCD08E8C, 0x6CFBCDEB,
0xA53FCB7C, 0x7514881B, 0x48694DB2, 0x98420ED5,
0x32938AAD, 0xE2B8C9CA, 0xDFC50C63, 0x0FEE4F04,
0xC154926B, 0x117FD10C, 0x2C0214A5, 0xFC2957C2,
0x56F8D3BA, 0x86D390DD, 0xBBAE5574, 0x6B851613,
0xA2411084, 0x726A53E3, 0x4F17964A, 0x9F3CD52D,
0x35ED5155, 0xE5C61232, 0xD8BBD79B, 0x089094FC,
0x077EDBF8, 0xD755989F, 0xEA285D36, 0x3A031E51,
0x90D29A29, 0x40F9D94E, 0x7D841CE7, 0xADAF5F80,
0x646B5917, 0xB4401A70, 0x893DDFD9, 0x59169CBE,
0xF3C718C6, 0x23EC5BA1, 0x1E919E08, 0xCEBADD6F,
0xCFA869D6, 0x1F832AB1, 0x22FEEF18, 0xF2D5AC7F,
0x58042807, 0x882F6B60, 0xB552AEC9, 0x6579EDAE,
0xACBDEB39, 0x7C96A85E, 0x41EB6DF7, 0x91C02E90,
0x3B11AAE8, 0xEB3AE98F, 0xD6472C26, 0x066C6F41,
0x09822045, 0xD9A96322, 0xE4D4A68B, 0x34FFE5EC,
0x9E2E6194, 0x4E0522F3, 0x7378E75A, 0xA353A43D,
0x6A97A2AA, 0xBABCE1CD, 0x87C12464, 0x57EA6703,
0xFD3BE37B, 0x2D10A01C, 0x106D65B5, 0xC04626D2,
0x0EFCFBBD, 0xDED7B8DA, 0xE3AA7D73, 0x33813E14,
0x9950BA6C, 0x497BF90B, 0x74063CA2, 0xA42D7FC5,
0x6DE97952, 0xBDC23A35, 0x80BFFF9C, 0x5094BCFB,
0xFA453883, 0x2A6E7BE4, 0x1713BE4D, 0xC738FD2A,
0xC8D6B22E, 0x18FDF149, 0x258034E0, 0xF5AB7787,
0x5F7AF3FF, 0x8F51B098, 0xB22C7531, 0x62073656,
0xABC330C1, 0x7BE873A6, 0x4695B60F, 0x96BEF568,
0x3C6F7110, 0xEC443277, 0xD139F7DE, 0x0112B4B9,
0xD31DD2E1, 0x03369186, 0x3E4B542F, 0xEE601748,
0x44B19330, 0x949AD057, 0xA9E715FE, 0x79CC5699,
0xB008500E, 0x60231369, 0x5D5ED6C0, 0x8D7595A7,
0x27A411DF, 0xF78F52B8, 0xCAF29711, 0x1AD9D476,
0x15379B72, 0xC51CD815, 0xF8611DBC, 0x284A5EDB,
0x829BDAA3, 0x52B099C4, 0x6FCD5C6D, 0xBFE61F0A,
0x7622199D, 0xA6095AFA, 0x9B749F53, 0x4B5FDC34,
0xE18E584C, 0x31A51B2B, 0x0CD8DE82, 0xDCF39DE5,
0x1249408A, 0xC26203ED, 0xFF1FC644, 0x2F348523,
0x85E5015B, 0x55CE423C, 0x68B38795, 0xB898C4F2,
0x715CC265, 0xA1778102, 0x9C0A44AB, 0x4C2107CC,
0xE6F083B4, 0x36DBC0D3, 0x0BA6057A, 0xDB8D461D,
0xD4630919, 0x04484A7E, 0x39358FD7, 0xE91ECCB0,
0x43CF48C8, 0x93E40BAF, 0xAE99CE06, 0x7EB28D61,
0xB7768BF6, 0x675DC891, 0x5A200D38, 0x8A0B4E5F,
0x20DACA27, 0xF0F18940, 0xCD8C4CE9, 0x1DA70F8E,
0x1CB5BB37, 0xCC9EF850, 0xF1E33DF9, 0x21C87E9E,
0x8B19FAE6, 0x5B32B981, 0x664F7C28, 0xB6643F4F,
0x7FA039D8, 0xAF8B7ABF, 0x92F6BF16, 0x42DDFC71,
0xE80C7809, 0x38273B6E, 0x055AFEC7, 0xD571BDA0,
0xDA9FF2A4, 0x0AB4B1C3, 0x37C9746A, 0xE7E2370D,
0x4D33B375, 0x9D18F012, 0xA06535BB, 0x704E76DC,
0xB98A704B, 0x69A1332C, 0x54DCF685, 0x84F7B5E2,
0x2E26319A, 0xFE0D72FD, 0xC370B754, 0x135BF433,
0xDDE1295C, 0x0DCA6A3B, 0x30B7AF92, 0xE09CECF5,
0x4A4D688D, 0x9A662BEA, 0xA71BEE43, 0x7730AD24,
0xBEF4ABB3, 0x6EDFE8D4, 0x53A22D7D, 0x83896E1A,
0x2958EA62, 0xF973A905, 0xC40E6CAC, 0x14252FCB,
0x1BCB60CF, 0xCBE023A8, 0xF69DE601, 0x26B6A566,
0x8C67211E, 0x5C4C6279, 0x6131A7D0, 0xB11AE4B7,
0x78DEE220, 0xA8F5A147, 0x958864EE, 0x45A32789,
0xEF72A3F1, 0x3F59E096, 0x0224253F, 0xD20F6658,
};

View File

@ -1,84 +0,0 @@
/* Id: nlssbox.h 333 2005-04-13 05:35:54Z mwp */
/* Sbox for NLS */
/*
* This is really the combination of two SBoxes; the least significant
* 24 bits comes from:
* 8->32 Sbox generated by Millan et. al. at Queensland University of
* Technology. See: E. Dawson, W. Millan, L. Burnett, G. Carter,
* "On the Design of 8*32 S-boxes". Unpublished report, by the
* Information Systems Research Centre,
* Queensland University of Technology, 1999.
*
* The most significant 8 bits are the Skipjack "F table", which can be
* found at http://csrc.nist.gov/CryptoToolkit/skipjack/skipjack.pdf .
* In this optimised table, though, the intent is to XOR the word from
* the table selected by the high byte with the input word. Thus, the
* high byte is actually the Skipjack F-table entry XORED with its
* table index.
*/
static const ulong32 Sbox[256] = {
0xa3aa1887, 0xd65e435c, 0x0b65c042, 0x800e6ef4,
0xfc57ee20, 0x4d84fed3, 0xf066c502, 0xf354e8ae,
0xbb2ee9d9, 0x281f38d4, 0x1f829b5d, 0x735cdf3c,
0x95864249, 0xbc2e3963, 0xa1f4429f, 0xf6432c35,
0xf7f40325, 0x3cc0dd70, 0x5f973ded, 0x9902dc5e,
0xda175b42, 0x590012bf, 0xdc94d78c, 0x39aab26b,
0x4ac11b9a, 0x8c168146, 0xc3ea8ec5, 0x058ac28f,
0x52ed5c0f, 0x25b4101c, 0x5a2db082, 0x370929e1,
0x2a1843de, 0xfe8299fc, 0x202fbc4b, 0x833915dd,
0x33a803fa, 0xd446b2de, 0x46233342, 0x4fcee7c3,
0x3ad607ef, 0x9e97ebab, 0x507f859b, 0xe81f2e2f,
0xc55b71da, 0xd7e2269a, 0x1339c3d1, 0x7ca56b36,
0xa6c9def2, 0xb5c9fc5f, 0x5927b3a3, 0x89a56ddf,
0xc625b510, 0x560f85a7, 0xace82e71, 0x2ecb8816,
0x44951e2a, 0x97f5f6af, 0xdfcbc2b3, 0xce4ff55d,
0xcb6b6214, 0x2b0b83e3, 0x549ea6f5, 0x9de041af,
0x792f1f17, 0xf73b99ee, 0x39a65ec0, 0x4c7016c6,
0x857709a4, 0xd6326e01, 0xc7b280d9, 0x5cfb1418,
0xa6aff227, 0xfd548203, 0x506b9d96, 0xa117a8c0,
0x9cd5bf6e, 0xdcee7888, 0x61fcfe64, 0xf7a193cd,
0x050d0184, 0xe8ae4930, 0x88014f36, 0xd6a87088,
0x6bad6c2a, 0x1422c678, 0xe9204de7, 0xb7c2e759,
0x0200248e, 0x013b446b, 0xda0d9fc2, 0x0414a895,
0x3a6cc3a1, 0x56fef170, 0x86c19155, 0xcf7b8a66,
0x551b5e69, 0xb4a8623e, 0xa2bdfa35, 0xc4f068cc,
0x573a6acd, 0x6355e936, 0x03602db9, 0x0edf13c1,
0x2d0bb16d, 0x6980b83c, 0xfeb23763, 0x3dd8a911,
0x01b6bc13, 0xf55579d7, 0xf55c2fa8, 0x19f4196e,
0xe7db5476, 0x8d64a866, 0xc06e16ad, 0xb17fc515,
0xc46feb3c, 0x8bc8a306, 0xad6799d9, 0x571a9133,
0x992466dd, 0x92eb5dcd, 0xac118f50, 0x9fafb226,
0xa1b9cef3, 0x3ab36189, 0x347a19b1, 0x62c73084,
0xc27ded5c, 0x6c8bc58f, 0x1cdde421, 0xed1e47fb,
0xcdcc715e, 0xb9c0ff99, 0x4b122f0f, 0xc4d25184,
0xaf7a5e6c, 0x5bbf18bc, 0x8dd7c6e0, 0x5fb7e420,
0x521f523f, 0x4ad9b8a2, 0xe9da1a6b, 0x97888c02,
0x19d1e354, 0x5aba7d79, 0xa2cc7753, 0x8c2d9655,
0x19829da1, 0x531590a7, 0x19c1c149, 0x3d537f1c,
0x50779b69, 0xed71f2b7, 0x463c58fa, 0x52dc4418,
0xc18c8c76, 0xc120d9f0, 0xafa80d4d, 0x3b74c473,
0xd09410e9, 0x290e4211, 0xc3c8082b, 0x8f6b334a,
0x3bf68ed2, 0xa843cc1b, 0x8d3c0ff3, 0x20e564a0,
0xf8f55a4f, 0x2b40f8e7, 0xfea7f15f, 0xcf00fe21,
0x8a6d37d6, 0xd0d506f1, 0xade00973, 0xefbbde36,
0x84670fa8, 0xfa31ab9e, 0xaedab618, 0xc01f52f5,
0x6558eb4f, 0x71b9e343, 0x4b8d77dd, 0x8cb93da6,
0x740fd52d, 0x425412f8, 0xc5a63360, 0x10e53ad0,
0x5a700f1c, 0x8324ed0b, 0xe53dc1ec, 0x1a366795,
0x6d549d15, 0xc5ce46d7, 0xe17abe76, 0x5f48e0a0,
0xd0f07c02, 0x941249b7, 0xe49ed6ba, 0x37a47f78,
0xe1cfffbd, 0xb007ca84, 0xbb65f4da, 0xb59f35da,
0x33d2aa44, 0x417452ac, 0xc0d674a7, 0x2d61a46a,
0xdc63152a, 0x3e12b7aa, 0x6e615927, 0xa14fb118,
0xa151758d, 0xba81687b, 0xe152f0b3, 0x764254ed,
0x34c77271, 0x0a31acab, 0x54f94aec, 0xb9e994cd,
0x574d9e81, 0x5b623730, 0xce8a21e8, 0x37917f0b,
0xe8a9b5d6, 0x9697adf8, 0xf3d30431, 0x5dcac921,
0x76b35d46, 0xaa430a36, 0xc2194022, 0x22bca65e,
0xdaec70ba, 0xdfaea8cc, 0x777bae8b, 0x242924d5,
0x1f098a5a, 0x4b396b81, 0x55de2522, 0x435c1cb8,
0xaeb8fe1d, 0x9db3c697, 0x5b164f83, 0xe0c16376,
0xa319224c, 0xd0203b35, 0x433ac0fe, 0x1466a19a,
0x45f0b24f, 0x51fda998, 0xc0d52d71, 0xfa0896a8,
0xf9e6053f, 0xa4b0d300, 0xd499cbcc, 0xb95e3d40,
};

View File

@ -16,8 +16,8 @@ extern "C" {
#endif
/* version */
#define CRYPT 0x0109
#define SCRYPT "1.09"
#define CRYPT 0x0110
#define SCRYPT "1.10"
/* max size of either a cipher/hash block or symmetric key [largest of the two] */
#define MAXBLOCKSIZE 128

View File

@ -192,8 +192,6 @@
#define OCB_MODE
#define CCM_MODE
#define GCM_MODE
/* disabled waiting on test vectors */
/* #define NLS_MODE */
/* Use 64KiB tables */
#ifndef LTC_NO_TABLES

View File

@ -216,6 +216,12 @@ int ccm_test(void);
void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *c);
#endif
/* table shared between GCM and LRW */
#if defined(GCM_TABLES) || defined(LRW_TABLES) || ((defined(GCM_MODE) || defined(GCM_MODE)) && defined(LTC_FAST))
extern const unsigned char gcm_shift_table[];
#endif
#ifdef GCM_MODE
#define GCM_ENCRYPT 0
@ -300,48 +306,6 @@ int pelican_memory(const unsigned char *key, unsigned long keylen,
#endif
#ifdef NLS_MODE
#define NLS_ENCRYPT 0
#define NLS_DECRYPT 1
typedef struct {
ulong32 R[17]; /* Working storage for the shift register */
ulong32 M[8]; /* Working storage for MAC accumulation */
ulong32 CRC[8]; /* Working storage for CRC accumulation */
ulong32 initR[17]; /* saved register contents */
ulong32 konst; /* key dependent constant */
ulong32 sbuf; /* partial ulong32 encryption buffer */
ulong32 mbuf; /* partial ulong32 MAC buffer */
int nbuf; /* number of part-ulong32 stream bits buffered */
ulong32 CtrModF16; /* Multiprecision counter, modulo F16 */
ulong32 CtrMod232; /* Multiprecision counter, LSW */
} nls_state;
/* interface definitions */
int nls_key(nls_state *c, const unsigned char *key, unsigned long keylen); /* set key */
int nls_nonce(nls_state *c, const unsigned char *nonce, unsigned long noncelen); /* set IV */
int nls_maconly(nls_state *c, const unsigned char *buf, unsigned long nbytes); /* accumulate MAC */
int nls_encrypt(nls_state * c,
const unsigned char *pt, unsigned long nbytes,
unsigned char *ct); /* enc+MAC */
int nls_decrypt(nls_state * c,
const unsigned char *ct, unsigned long nbytes,
unsigned char *pt); /* dec+MAC */
int nls_finish(nls_state *c, unsigned char *buf, unsigned long nbytes); /* finalize MAC */
int nls_memory(const unsigned char *key, unsigned long keylen,
const unsigned char *IV, unsigned long IVlen,
const unsigned char *adata, unsigned long adatalen,
unsigned char *pt, unsigned long ptlen,
unsigned char *ct,
unsigned char *tag, unsigned long taglen,
int direction);
#endif
/* $Source$ */
/* $Revision$ */
/* $Date$ */

View File

@ -16,7 +16,7 @@
*/
struct ltc_cipher_descriptor cipher_descriptor[TAB_SIZE] = {
{ NULL, 0, 0, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }
{ NULL, 0, 0, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }
};
LTC_MUTEX_GLOBAL(ltc_cipher_mutex)

View File

@ -55,7 +55,7 @@ int lrw_process(const unsigned char *pt, unsigned char *ct, unsigned long len, i
}
/* update pad */
#ifdef LRW_2TABLES
#ifdef LRW_TABLES
/* for each byte changed we undo it's affect on the pad then add the new product */
for (; x < 16; x++) {
#ifdef LTC_FAST

View File

@ -17,46 +17,6 @@
#ifdef LRW_MODE
#ifdef LRW_TABLES
/* this is x*2^128 mod p(x) ... the results are 16 bytes each stored in a packed format. Since only the
* lower 16 bits are not zero'ed I removed the upper 14 bytes */
static const unsigned char gcm_shift_table[256*2] = {
0x00, 0x00, 0x01, 0xc2, 0x03, 0x84, 0x02, 0x46, 0x07, 0x08, 0x06, 0xca, 0x04, 0x8c, 0x05, 0x4e,
0x0e, 0x10, 0x0f, 0xd2, 0x0d, 0x94, 0x0c, 0x56, 0x09, 0x18, 0x08, 0xda, 0x0a, 0x9c, 0x0b, 0x5e,
0x1c, 0x20, 0x1d, 0xe2, 0x1f, 0xa4, 0x1e, 0x66, 0x1b, 0x28, 0x1a, 0xea, 0x18, 0xac, 0x19, 0x6e,
0x12, 0x30, 0x13, 0xf2, 0x11, 0xb4, 0x10, 0x76, 0x15, 0x38, 0x14, 0xfa, 0x16, 0xbc, 0x17, 0x7e,
0x38, 0x40, 0x39, 0x82, 0x3b, 0xc4, 0x3a, 0x06, 0x3f, 0x48, 0x3e, 0x8a, 0x3c, 0xcc, 0x3d, 0x0e,
0x36, 0x50, 0x37, 0x92, 0x35, 0xd4, 0x34, 0x16, 0x31, 0x58, 0x30, 0x9a, 0x32, 0xdc, 0x33, 0x1e,
0x24, 0x60, 0x25, 0xa2, 0x27, 0xe4, 0x26, 0x26, 0x23, 0x68, 0x22, 0xaa, 0x20, 0xec, 0x21, 0x2e,
0x2a, 0x70, 0x2b, 0xb2, 0x29, 0xf4, 0x28, 0x36, 0x2d, 0x78, 0x2c, 0xba, 0x2e, 0xfc, 0x2f, 0x3e,
0x70, 0x80, 0x71, 0x42, 0x73, 0x04, 0x72, 0xc6, 0x77, 0x88, 0x76, 0x4a, 0x74, 0x0c, 0x75, 0xce,
0x7e, 0x90, 0x7f, 0x52, 0x7d, 0x14, 0x7c, 0xd6, 0x79, 0x98, 0x78, 0x5a, 0x7a, 0x1c, 0x7b, 0xde,
0x6c, 0xa0, 0x6d, 0x62, 0x6f, 0x24, 0x6e, 0xe6, 0x6b, 0xa8, 0x6a, 0x6a, 0x68, 0x2c, 0x69, 0xee,
0x62, 0xb0, 0x63, 0x72, 0x61, 0x34, 0x60, 0xf6, 0x65, 0xb8, 0x64, 0x7a, 0x66, 0x3c, 0x67, 0xfe,
0x48, 0xc0, 0x49, 0x02, 0x4b, 0x44, 0x4a, 0x86, 0x4f, 0xc8, 0x4e, 0x0a, 0x4c, 0x4c, 0x4d, 0x8e,
0x46, 0xd0, 0x47, 0x12, 0x45, 0x54, 0x44, 0x96, 0x41, 0xd8, 0x40, 0x1a, 0x42, 0x5c, 0x43, 0x9e,
0x54, 0xe0, 0x55, 0x22, 0x57, 0x64, 0x56, 0xa6, 0x53, 0xe8, 0x52, 0x2a, 0x50, 0x6c, 0x51, 0xae,
0x5a, 0xf0, 0x5b, 0x32, 0x59, 0x74, 0x58, 0xb6, 0x5d, 0xf8, 0x5c, 0x3a, 0x5e, 0x7c, 0x5f, 0xbe,
0xe1, 0x00, 0xe0, 0xc2, 0xe2, 0x84, 0xe3, 0x46, 0xe6, 0x08, 0xe7, 0xca, 0xe5, 0x8c, 0xe4, 0x4e,
0xef, 0x10, 0xee, 0xd2, 0xec, 0x94, 0xed, 0x56, 0xe8, 0x18, 0xe9, 0xda, 0xeb, 0x9c, 0xea, 0x5e,
0xfd, 0x20, 0xfc, 0xe2, 0xfe, 0xa4, 0xff, 0x66, 0xfa, 0x28, 0xfb, 0xea, 0xf9, 0xac, 0xf8, 0x6e,
0xf3, 0x30, 0xf2, 0xf2, 0xf0, 0xb4, 0xf1, 0x76, 0xf4, 0x38, 0xf5, 0xfa, 0xf7, 0xbc, 0xf6, 0x7e,
0xd9, 0x40, 0xd8, 0x82, 0xda, 0xc4, 0xdb, 0x06, 0xde, 0x48, 0xdf, 0x8a, 0xdd, 0xcc, 0xdc, 0x0e,
0xd7, 0x50, 0xd6, 0x92, 0xd4, 0xd4, 0xd5, 0x16, 0xd0, 0x58, 0xd1, 0x9a, 0xd3, 0xdc, 0xd2, 0x1e,
0xc5, 0x60, 0xc4, 0xa2, 0xc6, 0xe4, 0xc7, 0x26, 0xc2, 0x68, 0xc3, 0xaa, 0xc1, 0xec, 0xc0, 0x2e,
0xcb, 0x70, 0xca, 0xb2, 0xc8, 0xf4, 0xc9, 0x36, 0xcc, 0x78, 0xcd, 0xba, 0xcf, 0xfc, 0xce, 0x3e,
0x91, 0x80, 0x90, 0x42, 0x92, 0x04, 0x93, 0xc6, 0x96, 0x88, 0x97, 0x4a, 0x95, 0x0c, 0x94, 0xce,
0x9f, 0x90, 0x9e, 0x52, 0x9c, 0x14, 0x9d, 0xd6, 0x98, 0x98, 0x99, 0x5a, 0x9b, 0x1c, 0x9a, 0xde,
0x8d, 0xa0, 0x8c, 0x62, 0x8e, 0x24, 0x8f, 0xe6, 0x8a, 0xa8, 0x8b, 0x6a, 0x89, 0x2c, 0x88, 0xee,
0x83, 0xb0, 0x82, 0x72, 0x80, 0x34, 0x81, 0xf6, 0x84, 0xb8, 0x85, 0x7a, 0x87, 0x3c, 0x86, 0xfe,
0xa9, 0xc0, 0xa8, 0x02, 0xaa, 0x44, 0xab, 0x86, 0xae, 0xc8, 0xaf, 0x0a, 0xad, 0x4c, 0xac, 0x8e,
0xa7, 0xd0, 0xa6, 0x12, 0xa4, 0x54, 0xa5, 0x96, 0xa0, 0xd8, 0xa1, 0x1a, 0xa3, 0x5c, 0xa2, 0x9e,
0xb5, 0xe0, 0xb4, 0x22, 0xb6, 0x64, 0xb7, 0xa6, 0xb2, 0xe8, 0xb3, 0x2a, 0xb1, 0x6c, 0xb0, 0xae,
0xbb, 0xf0, 0xba, 0x32, 0xb8, 0x74, 0xb9, 0xb6, 0xbc, 0xf8, 0xbd, 0x3a, 0xbf, 0x7c, 0xbe, 0xbe };
#endif
/**
Initialize the LRW context
@param cipher The cipher desired, must be a 128-bit block cipher

View File

@ -38,7 +38,7 @@ int rsa_import(const unsigned char *in, unsigned long inlen, rsa_key *key)
LTC_ARGCHK(ltc_mp.name != NULL);
/* init key */
if ((err = mp_init_multi(&zero, &key->e, &key->d, &key->N, &key->dQ,
if ((err = mp_init_multi(&key->e, &key->d, &key->N, &key->dQ,
&key->dP, &key->qP, &key->p, &key->q, NULL)) != CRYPT_OK) {
return err;
}
@ -95,6 +95,9 @@ int rsa_import(const unsigned char *in, unsigned long inlen, rsa_key *key)
}
if (mp_cmp_d(key->N, 0) == LTC_MP_EQ) {
if ((err = mp_init(&zero)) != CRYPT_OK) {
goto LBL_ERR;
}
/* it's a private key */
if ((err = der_decode_sequence_multi(in, inlen,
LTC_ASN1_INTEGER, 1UL, zero,
@ -107,8 +110,10 @@ int rsa_import(const unsigned char *in, unsigned long inlen, rsa_key *key)
LTC_ASN1_INTEGER, 1UL, key->dQ,
LTC_ASN1_INTEGER, 1UL, key->qP,
LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK) {
mp_clear(zero);
goto LBL_ERR;
}
mp_clear(zero);
key->type = PK_PRIVATE;
} else if (mp_cmp_d(key->N, 1) == LTC_MP_EQ) {
/* we don't support multi-prime RSA */
@ -126,7 +131,7 @@ int rsa_import(const unsigned char *in, unsigned long inlen, rsa_key *key)
}
return CRYPT_OK;
LBL_ERR:
mp_clear_multi(zero, key->d, key->e, key->N, key->dQ, key->dP,
mp_clear_multi(key->d, key->e, key->N, key->dQ, key->dP,
key->qP, key->p, key->q, NULL);
return err;
}

View File

@ -330,6 +330,7 @@ int time_cipher(void)
c2 = (t2 > c2 ? c2 : t2);
}
a2 = c2 - c1 - skew;
ecb_done(&ecb);
results[no_results].id = x;
results[no_results].spd1 = a1/(sizeof(pt)/cipher_descriptor[x].block_length);
@ -401,6 +402,7 @@ int time_cipher2(void)
c2 = (t2 > c2 ? c2 : t2);
}
a2 = c2 - c1 - skew;
cbc_done(&cbc);
results[no_results].id = x;
results[no_results].spd1 = a1/(sizeof(pt)/cipher_descriptor[x].block_length);
@ -475,6 +477,7 @@ int time_cipher3(void)
c2 = (t2 > c2 ? c2 : t2);
}
a2 = c2 - c1 - skew;
ctr_done(&ctr);
results[no_results].id = x;
results[no_results].spd1 = a1/(sizeof(pt)/cipher_descriptor[x].block_length);
@ -494,6 +497,84 @@ int time_cipher3(void)
int time_cipher3(void) { fprintf(stderr, "NO CTR\n"); return 0; }
#endif
#ifdef LRW_MODE
int time_cipher4(void)
{
unsigned long x, y1;
ulong64 t1, t2, c1, c2, a1, a2;
symmetric_LRW lrw;
unsigned char key[MAXBLOCKSIZE], pt[4096];
int err;
fprintf(stderr, "\n\nLRW Time Trials for the Symmetric Ciphers:\n");
no_results = 0;
for (x = 0; cipher_descriptor[x].name != NULL; x++) {
if (cipher_descriptor[x].block_length != 16) continue;
lrw_start(x, pt, key, cipher_descriptor[x].min_key_length, key, 0, &lrw);
/* sanity check on cipher */
if ((err = cipher_descriptor[x].test()) != CRYPT_OK) {
fprintf(stderr, "\n\nERROR: Cipher %s failed self-test %s\n", cipher_descriptor[x].name, error_to_string(err));
exit(EXIT_FAILURE);
}
#define DO1 lrw_encrypt(pt, pt, sizeof(pt), &lrw);
#define DO2 DO1 DO1
c1 = c2 = (ulong64)-1;
for (y1 = 0; y1 < 100; y1++) {
t_start();
DO1;
t1 = t_read();
DO2;
t2 = t_read();
t2 -= t1;
c1 = (t1 > c1 ? c1 : t1);
c2 = (t2 > c2 ? c2 : t2);
}
a1 = c2 - c1 - skew;
#undef DO1
#undef DO2
#define DO1 lrw_decrypt(pt, pt, sizeof(pt), &lrw);
#define DO2 DO1 DO1
c1 = c2 = (ulong64)-1;
for (y1 = 0; y1 < 100; y1++) {
t_start();
DO1;
t1 = t_read();
DO2;
t2 = t_read();
t2 -= t1;
c1 = (t1 > c1 ? c1 : t1);
c2 = (t2 > c2 ? c2 : t2);
}
a2 = c2 - c1 - skew;
lrw_done(&lrw);
results[no_results].id = x;
results[no_results].spd1 = a1/(sizeof(pt)/cipher_descriptor[x].block_length);
results[no_results].spd2 = a2/(sizeof(pt)/cipher_descriptor[x].block_length);
results[no_results].avg = (results[no_results].spd1 + results[no_results].spd2+1)/2;
++no_results;
fprintf(stderr, "."); fflush(stdout);
#undef DO2
#undef DO1
}
tally_results(1);
return 0;
}
#else
int time_cipher4(void) { fprintf(stderr, "NO LRW\n"); return 0; }
#endif
int time_hash(void)
{
unsigned long x, y1, len;