void noekeon_ecb_encrypt(const unsigned char *pt, unsigned char *ct, symmetric_key *skey)
#endif
{
ulong32 a,b,c,d,temp;
int r;
LTC_ARGCHK(skey != NULL);
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
LOAD32H(a,&pt[0]); LOAD32H(b,&pt[4]);
LOAD32H(c,&pt[8]); LOAD32H(d,&pt[12]);
#define ROUND(i) \
a ^= RC[i]; \
THETA(skey->noekeon.K, a,b,c,d); \
PI1(a,b,c,d); \
GAMMA(a,b,c,d); \
PI2(a,b,c,d);
for (r = 0; r < 16; ++r) {
ROUND(r);
}
#undef ROUND
a ^= RC[16];
THETA(skey->noekeon.K, a, b, c, d);
STORE32H(a,&ct[0]); STORE32H(b,&ct[4]);
STORE32H(c,&ct[8]); STORE32H(d,&ct[12]);
}
int kasumi_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *skey)
{
ulong32 left, right, temp;
int n;
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
LTC_ARGCHK(skey != NULL);
LOAD32H(left, ct);
LOAD32H(right, ct+4);
for (n = 7; n >= 0; ) {
temp = FO(right, n, skey);
temp = FL(temp, n--, skey);
left ^= temp;
temp = FL(left, n, skey);
temp = FO(temp, n--, skey);
right ^= temp;
}
STORE32H(left, pt);
STORE32H(right, pt+4);
return CRYPT_OK;
}
int cast5_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *skey)
#endif
{
ulong32 R, L;
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
LTC_ARGCHK(skey != NULL);
LOAD32H(R,&ct[0]);
LOAD32H(L,&ct[4]);
if (skey->cast5.keylen > 10) {
R ^= FI(L, skey->cast5.K[15], skey->cast5.K[31]);
L ^= FIII(R, skey->cast5.K[14], skey->cast5.K[30]);
R ^= FII(L, skey->cast5.K[13], skey->cast5.K[29]);
L ^= FI(R, skey->cast5.K[12], skey->cast5.K[28]);
}
R ^= FIII(L, skey->cast5.K[11], skey->cast5.K[27]);
L ^= FII(R, skey->cast5.K[10], skey->cast5.K[26]);
R ^= FI(L, skey->cast5.K[9], skey->cast5.K[25]);
L ^= FIII(R, skey->cast5.K[8], skey->cast5.K[24]);
R ^= FII(L, skey->cast5.K[7], skey->cast5.K[23]);
L ^= FI(R, skey->cast5.K[6], skey->cast5.K[22]);
R ^= FIII(L, skey->cast5.K[5], skey->cast5.K[21]);
L ^= FII(R, skey->cast5.K[4], skey->cast5.K[20]);
R ^= FI(L, skey->cast5.K[3], skey->cast5.K[19]);
L ^= FIII(R, skey->cast5.K[2], skey->cast5.K[18]);
R ^= FII(L, skey->cast5.K[1], skey->cast5.K[17]);
L ^= FI(R, skey->cast5.K[0], skey->cast5.K[16]);
STORE32H(L,&pt[0]);
STORE32H(R,&pt[4]);
return CRYPT_OK;
}
int noekeon_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *skey)
#endif
{
ulong32 a,b,c,d, temp;
int r;
LTC_ARGCHK(skey != NULL);
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
LOAD32H(a,&ct[0]); LOAD32H(b,&ct[4]);
LOAD32H(c,&ct[8]); LOAD32H(d,&ct[12]);
#define ROUND(i) \
THETA(skey->noekeon.dK, a,b,c,d); \
a ^= RC[i]; \
PI1(a,b,c,d); \
GAMMA(a,b,c,d); \
PI2(a,b,c,d);
for (r = 16; r > 0; --r) {
ROUND(r);
}
#undef ROUND
THETA(skey->noekeon.dK, a,b,c,d);
a ^= RC[0];
STORE32H(a,&pt[0]); STORE32H(b, &pt[4]);
STORE32H(c,&pt[8]); STORE32H(d, &pt[12]);
return CRYPT_OK;
}
void blowfish_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *key)
#endif
{
unsigned long L, R;
int r;
_ARGCHK(pt != NULL);
_ARGCHK(ct != NULL);
_ARGCHK(key != NULL);
/* load it */
LOAD32H(R, &ct[0]);
LOAD32H(L, &ct[4]);
/* undo last keying */
R ^= key->blowfish.K[17];
L ^= key->blowfish.K[16];
/* do 16 rounds */
for (r = 15; r > 0; ) {
L ^= F(R); R ^= key->blowfish.K[r--];
R ^= F(L); L ^= key->blowfish.K[r--];
L ^= F(R); R ^= key->blowfish.K[r--];
R ^= F(L); L ^= key->blowfish.K[r--];
}
/* store */
STORE32H(L, &pt[0]);
STORE32H(R, &pt[4]);
}
void cast5_ecb_encrypt(const unsigned char *pt, unsigned char *ct, symmetric_key *key)
{
ulong32 R, L;
_ARGCHK(pt != NULL);
_ARGCHK(ct != NULL);
_ARGCHK(key != NULL);
LOAD32H(L,&pt[0]);
LOAD32H(R,&pt[4]);
L ^= FI(R, key->cast5.K[0], key->cast5.K[16]);
R ^= FII(L, key->cast5.K[1], key->cast5.K[17]);
L ^= FIII(R, key->cast5.K[2], key->cast5.K[18]);
R ^= FI(L, key->cast5.K[3], key->cast5.K[19]);
L ^= FII(R, key->cast5.K[4], key->cast5.K[20]);
R ^= FIII(L, key->cast5.K[5], key->cast5.K[21]);
L ^= FI(R, key->cast5.K[6], key->cast5.K[22]);
R ^= FII(L, key->cast5.K[7], key->cast5.K[23]);
L ^= FIII(R, key->cast5.K[8], key->cast5.K[24]);
R ^= FI(L, key->cast5.K[9], key->cast5.K[25]);
L ^= FII(R, key->cast5.K[10], key->cast5.K[26]);
R ^= FIII(L, key->cast5.K[11], key->cast5.K[27]);
if (key->cast5.keylen > 10) {
L ^= FI(R, key->cast5.K[12], key->cast5.K[28]);
R ^= FII(L, key->cast5.K[13], key->cast5.K[29]);
L ^= FIII(R, key->cast5.K[14], key->cast5.K[30]);
R ^= FI(L, key->cast5.K[15], key->cast5.K[31]);
}
STORE32H(R,&ct[0]);
STORE32H(L,&ct[4]);
}
/**
Decrypts a block of text with multi2
@param ct The input ciphertext (8 bytes)
@param pt The output plaintext (8 bytes)
@param skey The key as scheduled
@return CRYPT_OK if successful
*/
int multi2_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *skey)
{
ulong32 p[2];
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
LTC_ARGCHK(skey != NULL);
LOAD32H(p[0], ct);
LOAD32H(p[1], ct+4);
decrypt(p, skey->multi2.N, skey->multi2.uk);
STORE32H(p[0], pt);
STORE32H(p[1], pt+4);
return CRYPT_OK;
}
void csp_sha1_done(csp_sha1_state * sha1, uint8_t * out) {
uint32_t i;
/* Increase the length of the message */
sha1->length += sha1->curlen * 8;
/* Append the '1' bit */
sha1->buf[sha1->curlen++] = 0x80;
/* If the length is currently above 56 bytes we append zeros
* then compress. Then we can fall back to padding zeros and length
* encoding like normal.
*/
if (sha1->curlen > 56) {
while (sha1->curlen < 64)
sha1->buf[sha1->curlen++] = 0;
csp_sha1_compress(sha1, sha1->buf);
sha1->curlen = 0;
}
/* Pad up to 56 bytes of zeroes */
while (sha1->curlen < 56)
sha1->buf[sha1->curlen++] = 0;
/* Store length */
STORE64H(sha1->length, sha1->buf + 56);
csp_sha1_compress(sha1, sha1->buf);
/* Copy output */
for (i = 0; i < 5; i++)
STORE32H(sha1->state[i], out + (4 * i));
}
INT blowfish_ecb_encrypt(const UCHAR *pt, UCHAR *ct, symmetric_key *skey)
#endif
{
ULONG L, R;
INT r;
#ifndef __GNUC__
ULONG *S1, *S2, *S3, *S4;
#endif
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
LTC_ARGCHK(skey != NULL);
#ifndef __GNUC__
S1 = skey->blowfish.S[0];
S2 = skey->blowfish.S[1];
S3 = skey->blowfish.S[2];
S4 = skey->blowfish.S[3];
#endif
/* load it */
LOAD32H(L, &pt[0]);
LOAD32H(R, &pt[4]);
/* do 16 rounds */
for (r = 0; r < 16; ) {
L ^= skey->blowfish.K[r++]; R ^= F(L);
R ^= skey->blowfish.K[r++]; L ^= F(R);
L ^= skey->blowfish.K[r++]; R ^= F(L);
R ^= skey->blowfish.K[r++]; L ^= F(R);
}
/* last keying */
R ^= skey->blowfish.K[17];
L ^= skey->blowfish.K[16];
/* store */
STORE32H(R, &ct[0]);
STORE32H(L, &ct[4]);
return CRYPT_OK;
}
int blowfish_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *skey)
#endif
{
ulong32 L, R;
int r;
#ifndef __GNUC__
ulong32 *S1, *S2, *S3, *S4;
#endif
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
LTC_ARGCHK(skey != NULL);
#ifndef __GNUC__
S1 = skey->blowfish.S[0];
S2 = skey->blowfish.S[1];
S3 = skey->blowfish.S[2];
S4 = skey->blowfish.S[3];
#endif
/* load it */
LOAD32H(R, &ct[0]);
LOAD32H(L, &ct[4]);
/* undo last keying */
R ^= skey->blowfish.K[17];
L ^= skey->blowfish.K[16];
/* do 16 rounds */
for (r = 15; r > 0; ) {
L ^= F(R); R ^= skey->blowfish.K[r--];
R ^= F(L); L ^= skey->blowfish.K[r--];
L ^= F(R); R ^= skey->blowfish.K[r--];
R ^= F(L); L ^= skey->blowfish.K[r--];
}
/* store */
STORE32H(L, &pt[0]);
STORE32H(R, &pt[4]);
return CRYPT_OK;
}
void blowfish_ecb_encrypt(const unsigned char *pt, unsigned char *ct, symmetric_key *key)
#endif
{
ulong32 L, R;
int r;
#ifndef __GNUC__
ulong32 *S1, *S2, *S3, *S4;
#endif
_ARGCHK(pt != NULL);
_ARGCHK(ct != NULL);
_ARGCHK(key != NULL);
#ifndef __GNUC__
S1 = key->blowfish.S[0];
S2 = key->blowfish.S[1];
S3 = key->blowfish.S[2];
S4 = key->blowfish.S[3];
#endif
/* load it */
LOAD32H(L, &pt[0]);
LOAD32H(R, &pt[4]);
/* do 16 rounds */
for (r = 0; r < 16; ) {
L ^= key->blowfish.K[r++]; R ^= F(L);
R ^= key->blowfish.K[r++]; L ^= F(R);
L ^= key->blowfish.K[r++]; R ^= F(L);
R ^= key->blowfish.K[r++]; L ^= F(R);
}
/* last keying */
R ^= key->blowfish.K[17];
L ^= key->blowfish.K[16];
/* store */
STORE32H(R, &ct[0]);
STORE32H(L, &ct[4]);
}
static void four_rounds(pelican_state *pelmac)
{
ulong32 s0, s1, s2, s3, t0, t1, t2, t3;
int r;
LOAD32H(s0, pelmac->state );
LOAD32H(s1, pelmac->state + 4);
LOAD32H(s2, pelmac->state + 8);
LOAD32H(s3, pelmac->state + 12);
for (r = 0; r < 4; r++) {
t0 =
Te0(byte(s0, 3)) ^
Te1(byte(s1, 2)) ^
Te2(byte(s2, 1)) ^
Te3(byte(s3, 0));
t1 =
Te0(byte(s1, 3)) ^
Te1(byte(s2, 2)) ^
Te2(byte(s3, 1)) ^
Te3(byte(s0, 0));
t2 =
Te0(byte(s2, 3)) ^
Te1(byte(s3, 2)) ^
Te2(byte(s0, 1)) ^
Te3(byte(s1, 0));
t3 =
Te0(byte(s3, 3)) ^
Te1(byte(s0, 2)) ^
Te2(byte(s1, 1)) ^
Te3(byte(s2, 0));
s0 = t0; s1 = t1; s2 = t2; s3 = t3;
}
STORE32H(s0, pelmac->state );
STORE32H(s1, pelmac->state + 4);
STORE32H(s2, pelmac->state + 8);
STORE32H(s3, pelmac->state + 12);
}
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Sha256Finalise
//
// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
// calling this, Sha256Initialised must be used to reuse the context.
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
void
Sha256Finalise
(
Sha256Context* Context,
SHA256_HASH* Digest
)
{
int i;
if( Context->curlen >= sizeof(Context->buf) )
{
return;
}
// Increase the length of the message
Context->length += Context->curlen * 8;
// Append the '1' bit
Context->buf[Context->curlen++] = (uint8_t)0x80;
// if the length is currently above 56 bytes we append zeros
// then compress. Then we can fall back to padding zeros and length
// encoding like normal.
if( Context->curlen > 56 )
{
while( Context->curlen < 64 )
{
Context->buf[Context->curlen++] = (uint8_t)0;
}
TransformFunction(Context, Context->buf);
Context->curlen = 0;
}
// Pad up to 56 bytes of zeroes
while( Context->curlen < 56 )
{
Context->buf[Context->curlen++] = (uint8_t)0;
}
// Store length
STORE64H( Context->length, Context->buf+56 );
TransformFunction( Context, Context->buf );
// Copy output
for( i=0; i<8; i++ )
{
STORE32H( Context->state[i], Digest->bytes+(4*i) );
}
}
/**
Terminate the hash to get the digest
@param md The hash state
@param out [out] The destination of the hash (32 bytes)
@return CRYPT_OK if successful
*/
int sha256_done(hash_state * md, unsigned char *out)
{
int i;
LTC_ARGCHK(md != NULL);
LTC_ARGCHK(out != NULL);
if (md->sha256.curlen >= sizeof(md->sha256.buf)) {
return CRYPT_INVALID_ARG;
}
/* increase the length of the message */
md->sha256.length += md->sha256.curlen * 8;
/* append the '1' bit */
md->sha256.buf[md->sha256.curlen++] = (unsigned char)0x80;
/* if the length is currently above 56 bytes we append zeros
* then compress. Then we can fall back to padding zeros and length
* encoding like normal.
*/
if (md->sha256.curlen > 56) {
while (md->sha256.curlen < 64) {
md->sha256.buf[md->sha256.curlen++] = (unsigned char)0;
}
sha256_compress(md, md->sha256.buf);
md->sha256.curlen = 0;
}
/* pad upto 56 bytes of zeroes */
while (md->sha256.curlen < 56) {
md->sha256.buf[md->sha256.curlen++] = (unsigned char)0;
}
/* store length */
STORE64H(md->sha256.length, md->sha256.buf+56);
sha256_compress(md, md->sha256.buf);
/* copy output */
for (i = 0; i < 8; i++) {
STORE32H(md->sha256.state[i], out+(4*i));
}
#ifdef LTC_CLEAN_STACK
zeromem(md, sizeof(hash_state));
#endif
return CRYPT_OK;
}
/* Checks the mac in hashbuf, for the data in readbuf.
* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
static int checkmac(buffer* macbuf, buffer* sourcebuf) {
unsigned char macsize;
hmac_state hmac;
unsigned char tempbuf[MAX_MAC_LEN];
unsigned long hashsize;
int len;
macsize = ses.keys->recv_algo_mac->hashsize;
if (macsize == 0) {
return DROPBEAR_SUCCESS;
}
/* calculate the mac */
if (hmac_init(&hmac,
find_hash(ses.keys->recv_algo_mac->hashdesc->name),
ses.keys->recvmackey,
ses.keys->recv_algo_mac->keysize)
!= CRYPT_OK) {
dropbear_exit("HMAC error");
}
/* sequence number */
STORE32H(ses.recvseq, tempbuf);
if (hmac_process(&hmac, tempbuf, 4) != CRYPT_OK) {
dropbear_exit("HMAC error");
}
buf_setpos(sourcebuf, 0);
len = sourcebuf->len;
if (hmac_process(&hmac, buf_getptr(sourcebuf, len), len) != CRYPT_OK) {
dropbear_exit("HMAC error");
}
hashsize = sizeof(tempbuf);
if (hmac_done(&hmac, tempbuf, &hashsize) != CRYPT_OK) {
dropbear_exit("HMAC error");
}
/* compare the hash */
if (memcmp(tempbuf, buf_getptr(macbuf, macsize), macsize) != 0) {
return DROPBEAR_FAILURE;
} else {
return DROPBEAR_SUCCESS;
}
}
/* Create the packet mac, and append H(seqno|clearbuf) to the output */
static void writemac(buffer * outputbuffer, buffer * clearwritebuf) {
int macsize;
unsigned char seqbuf[4];
unsigned long hashsize;
hmac_state hmac;
TRACE(("enter writemac"));
macsize = ses.keys->trans_algo_mac->hashsize;
if (macsize > 0) {
/* calculate the mac */
if (hmac_init(&hmac,
find_hash(ses.keys->trans_algo_mac->hashdesc->name),
ses.keys->transmackey,
ses.keys->trans_algo_mac->keysize) != CRYPT_OK) {
dropbear_exit("HMAC error");
}
/* sequence number */
STORE32H(ses.transseq, seqbuf);
if (hmac_process(&hmac, seqbuf, 4) != CRYPT_OK) {
dropbear_exit("HMAC error");
}
/* the actual contents */
buf_setpos(clearwritebuf, 0);
if (hmac_process(&hmac,
buf_getptr(clearwritebuf,
clearwritebuf->len),
clearwritebuf->len) != CRYPT_OK) {
dropbear_exit("HMAC error");
}
hashsize = macsize;
if (hmac_done(&hmac, buf_getwriteptr(outputbuffer, macsize), &hashsize)
!= CRYPT_OK) {
dropbear_exit("HMAC error");
}
buf_incrwritepos(outputbuffer, macsize);
}
TRACE(("leave writemac"));
}
/*
Terminate the hash to get the digest
@param digest The destination of the hash (32 bytes)
*/
void SHA256::Final(unsigned char digest[HASHLEN])
{
int i;
ASSERT(digest != NULL);
ASSERT(curlen < sizeof(buf));
/* increase the length of the message */
length += curlen * 8;
/* append the '1' bit */
buf[curlen++] = static_cast<unsigned char>(0x80);
/* if the length is currently above 56 bytes we append zeros
* then compress. Then we can fall back to padding zeros and length
* encoding like normal.
*/
if (curlen > 56) {
while (curlen < 64) {
buf[curlen++] = 0;
}
sha256_compress(state, buf);
curlen = 0;
}
/* pad upto 56 bytes of zeroes */
while (curlen < 56) {
buf[curlen++] = 0;
}
/* store length */
STORE64H(length, buf+56);
sha256_compress(state, buf);
/* copy output */
for (i = 0; i < 8; i++) {
STORE32H(state[i], digest+(4*i));
}
#ifdef LTC_CLEAN_STACK
trashMemory(state, sizeof(state));
trashMemory(buf, sizeof(buf));
#endif
}
/**
Terminate the hash to get the digest
@param md The hash state
@param out [out] The destination of the hash (32 bytes)
@return 0 if successful
*/
int sha256_done(sha256_state * md, unsigned char *out)
{
int i;
if (md == NULL || out == NULL)
return -1;
if (md->curlen >= sizeof(md->buf))
return -1;
/* increase the length of the message */
md->length += md->curlen * 8;
/* append the '1' bit */
md->buf[md->curlen++] = (unsigned char)0x80;
/* if the length is currently above 56 bytes we append zeros
* then compress. Then we can fall back to padding zeros and length
* encoding like normal.
*/
if (md->curlen > 56) {
while (md->curlen < 64) {
md->buf[md->curlen++] = (unsigned char)0;
}
sha256_compress(md, md->buf);
md->curlen = 0;
}
/* pad upto 56 bytes of zeroes */
while (md->curlen < 56) {
md->buf[md->curlen++] = (unsigned char)0;
}
/* store length */
STORE64H(md->length, md->buf+56);
sha256_compress(md, md->buf);
/* copy output */
for (i = 0; i < 8; i++) {
STORE32H(md->state[i], out+(4*i));
}
return 0;
}
void sha1_done(hash_state * md, unsigned char *hash)
{
int i;
_ARGCHK(md != NULL);
_ARGCHK(hash != NULL);
/* increase the length of the message */
md->sha1.length += md->sha1.curlen * 8;
/* append the '1' bit */
md->sha1.buf[md->sha1.curlen++] = (unsigned char)0x80;
/* if the length is currently above 56 bytes we append zeros
* then compress. Then we can fall back to padding zeros and length
* encoding like normal.
*/
if (md->sha1.curlen > 56) {
while (md->sha1.curlen < 64) {
md->sha1.buf[md->sha1.curlen++] = (unsigned char)0;
}
sha1_compress(md);
md->sha1.curlen = 0;
}
/* pad upto 56 bytes of zeroes */
while (md->sha1.curlen < 56) {
md->sha1.buf[md->sha1.curlen++] = (unsigned char)0;
}
/* store length */
STORE64H(md->sha1.length, md->sha1.buf+56);
sha1_compress(md);
/* copy output */
for (i = 0; i < 5; i++) {
STORE32H(md->sha1.state[i], hash+(4*i));
}
#ifdef CLEAN_STACK
zeromem(md, sizeof(hash_state));
#endif
}
/***
Terminate the hash to get the digest
@param sha1 The hash state
@param out [out] The destination of the hash (20 bytes)
*/
void sha1_done(struct sha1_state *sha1, unsigned char *out)
{
int i;
// assert(sha1 != NULL);
// assert(out != NULL);
// assert(sha1->curlen < sizeof(sha1->buf));
/** increase the length of the message */
sha1->length += sha1->curlen * 8;
/** append the '1' bit */
sha1->buf[sha1->curlen++] = (unsigned char)0x80;
/** if the length is currently above 56 bytes we append zeros
* then compress. Then we can fall back to padding zeros and length
* encoding like normal.
*/
if (sha1->curlen > 56) {
while (sha1->curlen < 64) {
sha1->buf[sha1->curlen++] = (unsigned char)0;
}
sha1_compress(sha1, sha1->buf);
sha1->curlen = 0;
}
/** pad upto 56 bytes of zeroes */
while (sha1->curlen < 56) {
sha1->buf[sha1->curlen++] = (unsigned char)0;
}
/** store length */
STORE64H(sha1->length, sha1->buf+56);
sha1_compress(sha1, sha1->buf);
/** copy output */
for (i = 0; i < 5; i++) {
STORE32H(sha1->state[i], out+(4*i));
}
}
/**
Terminate the hash to get the digest
@param state The hash state
@param out [out] The destination of the hash (20 bytes)
@return CRYPT_OK if successful
*/
int sha1_done(sha1_state* state, unsigned char* out) {
int i;
if (state->curlen >= sizeof(state->buf)) {
return CRYPT_INVALID_ARG;
}
/* increase the length of the message */
state->length += state->curlen * 8;
/* append the '1' bit */
state->buf[state->curlen++] = (unsigned char)0x80;
/* if the length is currently above 56 bytes we append zeros
* then compress. Then we can fall back to padding zeros and length
* encoding like normal.
*/
if (state->curlen > 56) {
while (state->curlen < 64) {
state->buf[state->curlen++] = (unsigned char)0;
}
sha1_compress(state, state->buf);
state->curlen = 0;
}
/* pad upto 56 bytes of zeroes */
while (state->curlen < 56) {
state->buf[state->curlen++] = (unsigned char)0;
}
/* store length */
STORE64H(state->length, state->buf + 56);
sha1_compress(state, state->buf);
/* copy output */
for (i = 0; i < 5; i++) {
STORE32H(state->state[i], out + (4 * i));
}
return CRYPT_OK;
}
/***
Terminate the hash to get the digest
@param sha1 The hash state
@param out [out] The destination of the hash (20 bytes)
*/
void __fastcall SHA1_Done(
SHA1_State *sha1,
uint8_t *out)
{
//Increase the length of the message.
sha1->Length += sha1->Curlen * 8;
//Append the '1' bit.
sha1->Buffer[sha1->Curlen++] = (unsigned char)0x80;
/** if the length is currently above 56 bytes we append zeros
* then compress. Then we can fall back to padding zeros and length
* encoding like normal.
*/
if (sha1->Curlen > 56)
{
while (sha1->Curlen < 64)
sha1->Buffer[sha1->Curlen++] = (unsigned char)0;
SHA1_Compress(sha1, sha1->Buffer);
sha1->Curlen = 0;
}
//Pad upto 56 bytes of zeroes.
while (sha1->Curlen < 56)
sha1->Buffer[sha1->Curlen++] = (unsigned char)0;
//Store length.
STORE64H(sha1->Length, sha1->Buffer + 56);
SHA1_Compress(sha1, sha1->Buffer);
//Copy output.
for (size_t Index = 0;Index < 5U;++Index)
STORE32H(sha1->State[Index], out + (4U * Index));
return;
}
/* put a 32bit uint into the buffer, incr bufferlen & pos if required */
void buf_putint(buffer* buf, int unsigned val) {
STORE32H(val, buf_getwriteptr(buf, 4));
buf_incrwritepos(buf, 4);
}
/**
Decrypts a block of text with AES
@param ct The input ciphertext (16 bytes)
@param pt The output plaintext (16 bytes)
@param skey The key as scheduled
@return CRYPT_OK if successful
*/
int rijndael_ecb_decrypt(const unsigned char *ct, unsigned char *pt, rijndael_key *rijndael)
{
unsigned long s0, s1, s2, s3, t0, t1, t2, t3, *rk;
int Nr, r;
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
LTC_ARGCHK(rijndael != NULL);
Nr = rijndael->Nr;
rk = rijndael->dK;
/*
* map byte array block to cipher state
* and add initial round key:
*/
LOAD32H(s0, ct); s0 ^= rk[0];
LOAD32H(s1, ct + 4); s1 ^= rk[1];
LOAD32H(s2, ct + 8); s2 ^= rk[2];
LOAD32H(s3, ct + 12); s3 ^= rk[3];
/*
* Nr - 1 full rounds:
*/
r = Nr >> 1;
for (;;)
{
t0 =
Td0(byte(s0, 3)) ^
Td1(byte(s3, 2)) ^
Td2(byte(s2, 1)) ^
Td3(byte(s1, 0)) ^
rk[4];
t1 =
Td0(byte(s1, 3)) ^
Td1(byte(s0, 2)) ^
Td2(byte(s3, 1)) ^
Td3(byte(s2, 0)) ^
rk[5];
t2 =
Td0(byte(s2, 3)) ^
Td1(byte(s1, 2)) ^
Td2(byte(s0, 1)) ^
Td3(byte(s3, 0)) ^
rk[6];
t3 =
Td0(byte(s3, 3)) ^
Td1(byte(s2, 2)) ^
Td2(byte(s1, 1)) ^
Td3(byte(s0, 0)) ^
rk[7];
rk += 8;
if (--r == 0)
break;
s0 =
Td0(byte(t0, 3)) ^
Td1(byte(t3, 2)) ^
Td2(byte(t2, 1)) ^
Td3(byte(t1, 0)) ^
rk[0];
s1 =
Td0(byte(t1, 3)) ^
Td1(byte(t0, 2)) ^
Td2(byte(t3, 1)) ^
Td3(byte(t2, 0)) ^
rk[1];
s2 =
Td0(byte(t2, 3)) ^
Td1(byte(t1, 2)) ^
Td2(byte(t0, 1)) ^
Td3(byte(t3, 0)) ^
rk[2];
s3 =
Td0(byte(t3, 3)) ^
Td1(byte(t2, 2)) ^
Td2(byte(t1, 1)) ^
Td3(byte(t0, 0)) ^
rk[3];
}
/*
* apply last round and
* map cipher state to byte array block:
*/
s0 =
(Td4[byte(t0, 3)] & 0xff000000) ^
(Td4[byte(t3, 2)] & 0x00ff0000) ^
(Td4[byte(t2, 1)] & 0x0000ff00) ^
(Td4[byte(t1, 0)] & 0x000000ff) ^
rk[0];
STORE32H(s0, pt);
s1 =
(Td4[byte(t1, 3)] & 0xff000000) ^
(Td4[byte(t0, 2)] & 0x00ff0000) ^
(Td4[byte(t3, 1)] & 0x0000ff00) ^
(Td4[byte(t2, 0)] & 0x000000ff) ^
rk[1];
STORE32H(s1, pt + 4);
s2 =
(Td4[byte(t2, 3)] & 0xff000000) ^
(Td4[byte(t1, 2)] & 0x00ff0000) ^
(Td4[byte(t0, 1)] & 0x0000ff00) ^
(Td4[byte(t3, 0)] & 0x000000ff) ^
rk[2];
STORE32H(s2, pt + 8);
s3 =
(Td4[byte(t3, 3)] & 0xff000000) ^
(Td4[byte(t2, 2)] & 0x00ff0000) ^
(Td4[byte(t1, 1)] & 0x0000ff00) ^
(Td4[byte(t0, 0)] & 0x000000ff) ^
rk[3];
STORE32H(s3, pt + 12);
return CRYPT_OK;
}
/* Test store/load macros with offsets */
int store_test(void)
{
unsigned char buf[256];
int y;
ulong32 L, L1;
ulong64 LL, LL1;
#ifdef LTC_FAST
int x, z;
#endif
for (y = 0; y < 4; y++) {
L = 0x12345678UL;
L1 = 0;
STORE32L(L, buf + y);
LOAD32L(L1, buf + y);
if (L1 != L) {
fprintf(stderr, "\n32L failed at offset %d\n", y);
return 1;
}
STORE32H(L, buf + y);
LOAD32H(L1, buf + y);
if (L1 != L) {
fprintf(stderr, "\n32H failed at offset %d\n", y);
return 1;
}
}
for (y = 0; y < 8; y++) {
LL = CONST64 (0x01020304050607);
LL1 = 0;
STORE64L(LL, buf + y);
LOAD64L(LL1, buf + y);
if (LL1 != LL) {
fprintf(stderr, "\n64L failed at offset %d\n", y);
return 1;
}
STORE64H(LL, buf + y);
LOAD64H(LL1, buf + y);
if (LL1 != LL) {
fprintf(stderr, "\n64H failed at offset %d\n", y);
return 1;
}
}
/* test LTC_FAST */
#ifdef LTC_FAST
y = 16;
for (z = 0; z < y; z++) {
/* fill y bytes with random */
yarrow_read(buf+z, y, &yarrow_prng);
yarrow_read(buf+z+y, y, &yarrow_prng);
/* now XOR it byte for byte */
for (x = 0; x < y; x++) {
buf[2*y+z+x] = buf[z+x] ^ buf[z+y+x];
}
/* now XOR it word for word */
for (x = 0; x < y; x += sizeof(LTC_FAST_TYPE)) {
*((LTC_FAST_TYPE*)(&buf[3*y+z+x])) = *((LTC_FAST_TYPE*)(&buf[z+x])) ^ *((LTC_FAST_TYPE*)(&buf[z+y+x]));
}
if (memcmp(&buf[2*y+z], &buf[3*y+z], y)) {
fprintf(stderr, "\nLTC_FAST failed at offset %d\n", z);
return 1;
}
}
#endif
return 0;
}
int pkcs_5_alg2(const unsigned char *password, unsigned long password_len,
const unsigned char *salt, unsigned long salt_len,
int iteration_count, int hash_idx,
unsigned char *out, unsigned long *outlen)
{
int err, itts;
ulong32 blkno;
unsigned long stored, left, x, y;
unsigned char *buf[2];
hmac_state *hmac;
LTC_ARGCHK(password != NULL);
LTC_ARGCHK(salt != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
/* test hash IDX */
if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
return err;
}
buf[0] = XMALLOC(MAXBLOCKSIZE * 2);
hmac = XMALLOC(sizeof(hmac_state));
if (hmac == NULL || buf[0] == NULL) {
if (hmac != NULL) {
XFREE(hmac);
}
if (buf[0] != NULL) {
XFREE(buf[0]);
}
return CRYPT_MEM;
}
/* buf[1] points to the second block of MAXBLOCKSIZE bytes */
buf[1] = buf[0] + MAXBLOCKSIZE;
left = *outlen;
blkno = 1;
stored = 0;
while (left != 0) {
/* process block number blkno */
zeromem(buf[0], MAXBLOCKSIZE*2);
/* store current block number and increment for next pass */
STORE32H(blkno, buf[1]);
++blkno;
/* get PRF(P, S||int(blkno)) */
if ((err = hmac_init(hmac, hash_idx, password, password_len)) != CRYPT_OK) {
goto LBL_ERR;
}
if ((err = hmac_process(hmac, salt, salt_len)) != CRYPT_OK) {
goto LBL_ERR;
}
if ((err = hmac_process(hmac, buf[1], 4)) != CRYPT_OK) {
goto LBL_ERR;
}
x = MAXBLOCKSIZE;
if ((err = hmac_done(hmac, buf[0], &x)) != CRYPT_OK) {
goto LBL_ERR;
}
/* now compute repeated and XOR it in buf[1] */
XMEMCPY(buf[1], buf[0], x);
for (itts = 1; itts < iteration_count; ++itts) {
if ((err = hmac_memory(hash_idx, password, password_len, buf[0], x, buf[0], &x)) != CRYPT_OK) {
goto LBL_ERR;
}
for (y = 0; y < x; y++) {
buf[1][y] ^= buf[0][y];
}
}
/* now emit upto x bytes of buf[1] to output */
for (y = 0; y < x && left != 0; ++y) {
out[stored++] = buf[1][y];
--left;
}
}
*outlen = stored;
err = CRYPT_OK;
LBL_ERR:
#ifdef LTC_CLEAN_STACK
zeromem(buf[0], MAXBLOCKSIZE*2);
zeromem(hmac, sizeof(hmac_state));
#endif
XFREE(hmac);
XFREE(buf[0]);
return err;
}
int f8_encrypt(const unsigned char *pt, unsigned char *ct, unsigned long len, symmetric_F8 *f8)
{
int err, x;
unsigned char buf[MAXBLOCKSIZE];
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
LTC_ARGCHK(f8 != NULL);
if ((err = cipher_is_valid(f8->cipher)) != CRYPT_OK) {
return err;
}
/* is blocklen/padlen valid? */
if (f8->blocklen < 0 || f8->blocklen > (int)sizeof(f8->IV) ||
f8->padlen < 0 || f8->padlen > (int)sizeof(f8->IV)) {
return CRYPT_INVALID_ARG;
}
zeromem(buf, sizeof(buf));
/* make sure the pad is empty */
if (f8->padlen == f8->blocklen) {
/* xor of IV, MIV and blockcnt == what goes into cipher */
STORE32H(f8->blockcnt, (buf+(f8->blocklen-4)));
++(f8->blockcnt);
for (x = 0; x < f8->blocklen; x++) {
f8->IV[x] ^= f8->MIV[x] ^ buf[x];
}
if ((err = cipher_descriptor[f8->cipher].ecb_encrypt(f8->IV, f8->IV, &f8->key)) != CRYPT_OK) {
return err;
}
f8->padlen = 0;
}
#ifdef LTC_FAST
if (f8->padlen == 0) {
while (len >= (unsigned long)f8->blocklen) {
STORE32H(f8->blockcnt, (buf+(f8->blocklen-4)));
++(f8->blockcnt);
for (x = 0; x < f8->blocklen; x += sizeof(LTC_FAST_TYPE)) {
*((LTC_FAST_TYPE*)(&ct[x])) = *((LTC_FAST_TYPE*)(&pt[x])) ^ *((LTC_FAST_TYPE*)(&f8->IV[x]));
*((LTC_FAST_TYPE*)(&f8->IV[x])) ^= *((LTC_FAST_TYPE*)(&f8->MIV[x])) ^ *((LTC_FAST_TYPE*)(&buf[x]));
}
if ((err = cipher_descriptor[f8->cipher].ecb_encrypt(f8->IV, f8->IV, &f8->key)) != CRYPT_OK) {
return err;
}
len -= x;
pt += x;
ct += x;
}
}
#endif
while (len > 0) {
if (f8->padlen == f8->blocklen) {
/* xor of IV, MIV and blockcnt == what goes into cipher */
STORE32H(f8->blockcnt, (buf+(f8->blocklen-4)));
++(f8->blockcnt);
for (x = 0; x < f8->blocklen; x++) {
f8->IV[x] ^= f8->MIV[x] ^ buf[x];
}
if ((err = cipher_descriptor[f8->cipher].ecb_encrypt(f8->IV, f8->IV, &f8->key)) != CRYPT_OK) {
return err;
}
f8->padlen = 0;
}
*ct++ = *pt++ ^ f8->IV[f8->padlen++];
--len;
}
return CRYPT_OK;
}
int ECB_DEC(const unsigned char *ct, unsigned char *pt, symmetric_key *skey)
#endif
{
ulong32 s0, s1, s2, s3, t0, t1, t2, t3, *rk;
int Nr, r;
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
LTC_ARGCHK(skey != NULL);
Nr = skey->rijndael.Nr;
rk = skey->rijndael.dK;
/*
* map byte array block to cipher state
* and add initial round key:
*/
LOAD32H(s0, ct ); s0 ^= rk[0];
LOAD32H(s1, ct + 4); s1 ^= rk[1];
LOAD32H(s2, ct + 8); s2 ^= rk[2];
LOAD32H(s3, ct + 12); s3 ^= rk[3];
#ifdef LTC_SMALL_CODE
for (r = 0; ; r++) {
rk += 4;
t0 =
Td0(byte(s0, 3)) ^
Td1(byte(s3, 2)) ^
Td2(byte(s2, 1)) ^
Td3(byte(s1, 0)) ^
rk[0];
t1 =
Td0(byte(s1, 3)) ^
Td1(byte(s0, 2)) ^
Td2(byte(s3, 1)) ^
Td3(byte(s2, 0)) ^
rk[1];
t2 =
Td0(byte(s2, 3)) ^
Td1(byte(s1, 2)) ^
Td2(byte(s0, 1)) ^
Td3(byte(s3, 0)) ^
rk[2];
t3 =
Td0(byte(s3, 3)) ^
Td1(byte(s2, 2)) ^
Td2(byte(s1, 1)) ^
Td3(byte(s0, 0)) ^
rk[3];
if (r == Nr-2) {
break;
}
s0 = t0; s1 = t1; s2 = t2; s3 = t3;
}
rk += 4;
#else
/*
* Nr - 1 full rounds:
*/
r = Nr >> 1;
for (;;) {
t0 =
Td0(byte(s0, 3)) ^
Td1(byte(s3, 2)) ^
Td2(byte(s2, 1)) ^
Td3(byte(s1, 0)) ^
rk[4];
t1 =
Td0(byte(s1, 3)) ^
Td1(byte(s0, 2)) ^
Td2(byte(s3, 1)) ^
Td3(byte(s2, 0)) ^
rk[5];
t2 =
Td0(byte(s2, 3)) ^
Td1(byte(s1, 2)) ^
Td2(byte(s0, 1)) ^
Td3(byte(s3, 0)) ^
rk[6];
t3 =
Td0(byte(s3, 3)) ^
Td1(byte(s2, 2)) ^
Td2(byte(s1, 1)) ^
Td3(byte(s0, 0)) ^
rk[7];
rk += 8;
if (--r == 0) {
break;
}
s0 =
Td0(byte(t0, 3)) ^
Td1(byte(t3, 2)) ^
Td2(byte(t2, 1)) ^
Td3(byte(t1, 0)) ^
rk[0];
s1 =
Td0(byte(t1, 3)) ^
Td1(byte(t0, 2)) ^
Td2(byte(t3, 1)) ^
Td3(byte(t2, 0)) ^
rk[1];
s2 =
Td0(byte(t2, 3)) ^
Td1(byte(t1, 2)) ^
Td2(byte(t0, 1)) ^
Td3(byte(t3, 0)) ^
rk[2];
s3 =
Td0(byte(t3, 3)) ^
Td1(byte(t2, 2)) ^
Td2(byte(t1, 1)) ^
Td3(byte(t0, 0)) ^
rk[3];
}
#endif
/*
* apply last round and
* map cipher state to byte array block:
*/
s0 =
(Td4[byte(t0, 3)] & 0xff000000) ^
(Td4[byte(t3, 2)] & 0x00ff0000) ^
(Td4[byte(t2, 1)] & 0x0000ff00) ^
(Td4[byte(t1, 0)] & 0x000000ff) ^
rk[0];
STORE32H(s0, pt);
s1 =
(Td4[byte(t1, 3)] & 0xff000000) ^
(Td4[byte(t0, 2)] & 0x00ff0000) ^
(Td4[byte(t3, 1)] & 0x0000ff00) ^
(Td4[byte(t2, 0)] & 0x000000ff) ^
rk[1];
STORE32H(s1, pt+4);
s2 =
(Td4[byte(t2, 3)] & 0xff000000) ^
(Td4[byte(t1, 2)] & 0x00ff0000) ^
(Td4[byte(t0, 1)] & 0x0000ff00) ^
(Td4[byte(t3, 0)] & 0x000000ff) ^
rk[2];
STORE32H(s2, pt+8);
s3 =
(Td4[byte(t3, 3)] & 0xff000000) ^
(Td4[byte(t2, 2)] & 0x00ff0000) ^
(Td4[byte(t1, 1)] & 0x0000ff00) ^
(Td4[byte(t0, 0)] & 0x000000ff) ^
rk[3];
STORE32H(s3, pt+12);
return CRYPT_OK;
}
/**
Perform PKCS #1 MGF1 (internal)
@param hash_idx The index of the hash desired
@param seed The seed for MGF1
@param seedlen The length of the seed
@param mask [out] The destination
@param masklen The length of the mask desired
@return CRYPT_OK if successful
*/
int pkcs_1_mgf1(int hash_idx,
const unsigned char *seed, unsigned long seedlen,
unsigned char *mask, unsigned long masklen)
{
unsigned long hLen, x;
ulong32 counter;
int err;
hash_state *md;
unsigned char *buf;
LTC_ARGCHK(seed != NULL);
LTC_ARGCHK(mask != NULL);
/* ensure valid hash */
if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
return err;
}
/* get hash output size */
hLen = hash_descriptor[hash_idx].hashsize;
/* allocate memory */
md = XMALLOC(sizeof(hash_state));
buf = XMALLOC(hLen);
if (md == NULL || buf == NULL) {
if (md != NULL) {
XFREE(md);
}
if (buf != NULL) {
XFREE(buf);
}
return CRYPT_MEM;
}
/* start counter */
counter = 0;
while (masklen > 0) {
/* handle counter */
STORE32H(counter, buf);
++counter;
/* get hash of seed || counter */
if ((err = hash_descriptor[hash_idx].init(md)) != CRYPT_OK) {
goto LBL_ERR;
}
if ((err = hash_descriptor[hash_idx].process(md, seed, seedlen)) != CRYPT_OK) {
goto LBL_ERR;
}
if ((err = hash_descriptor[hash_idx].process(md, buf, 4)) != CRYPT_OK) {
goto LBL_ERR;
}
if ((err = hash_descriptor[hash_idx].done(md, buf)) != CRYPT_OK) {
goto LBL_ERR;
}
/* store it */
for (x = 0; x < hLen && masklen > 0; x++, masklen--) {
*mask++ = buf[x];
}
}
err = CRYPT_OK;
LBL_ERR:
#ifdef LTC_CLEAN_STACK
zeromem(buf, hLen);
zeromem(md, sizeof(hash_state));
#endif
XFREE(buf);
XFREE(md);
return err;
}
void psSha256Final(psSha256_t *sha256, unsigned char hash[SHA256_HASHLEN])
{
int32 i;
#ifndef HAVE_NATIVE_INT64
uint32 n;
#endif
#ifdef CRYPTO_ASSERT
psAssert(sha256 != NULL);
psAssert(hash != NULL);
if (sha256->curlen >= sizeof(sha256->buf)) {
psTraceCrypto("psSha256Final error\n");
return;
}
#endif
/* increase the length of the message */
#ifdef HAVE_NATIVE_INT64
sha256->length += sha256->curlen << 3;
#else
n = (sha256->lengthLo + (sha256->curlen << 3)) & 0xFFFFFFFFL;
if (n < sha256->lengthLo) {
sha256->lengthHi++;
}
sha256->lengthHi += (sha256->curlen >> 29);
sha256->lengthLo = n;
#endif /* HAVE_NATIVE_INT64 */
/* append the '1' bit */
sha256->buf[sha256->curlen++] = (unsigned char)0x80;
/*
if the length is currently above 56 bytes we append zeros then compress.
Then we can fall back to padding zeros and length encoding like normal.
*/
if (sha256->curlen > 56) {
while (sha256->curlen < 64) {
sha256->buf[sha256->curlen++] = (unsigned char)0;
}
sha256_compress(sha256, sha256->buf);
sha256->curlen = 0;
}
/* pad upto 56 bytes of zeroes */
while (sha256->curlen < 56) {
sha256->buf[sha256->curlen++] = (unsigned char)0;
}
/* store length */
#ifdef HAVE_NATIVE_INT64
STORE64H(sha256->length, sha256->buf+56);
#else
STORE32H(sha256->lengthHi, sha256->buf+56);
STORE32H(sha256->lengthLo, sha256->buf+60);
#endif /* HAVE_NATIVE_INT64 */
sha256_compress(sha256, sha256->buf);
/* copy output */
for (i = 0; i < 8; i++) {
STORE32H(sha256->state[i], hash+(4*i));
}
memset(sha256, 0x0, sizeof(psSha256_t));
}
