
📄 cast128.c

📁 NetBSD和FreeBSD上实现的Cast128加解密算法
💻 C
📖 第 1 页 / 共 3 页
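/*	$KAME: cast128.c,v 1.5 2001/11/27 09:47:32 sakane Exp $	*/

/*
 * heavily modified by Tomomi Suzuki <suzuki@grelot.elec.ryukoku.ac.jp>
 */
/*
 * The CAST-128 Encryption Algorithm (RFC 2144)
 *
 * original implementation <Hideo "Sir MaNMOS" Morisita>
 * 1997/08/21
 */
/*
 * Copyright (C) 1997 Hideo "Sir MANMOS" Morishita
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY Hideo "Sir MaNMOS" Morishita ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL Hideo "Sir MaNMOS" Morishita BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/param.h>
#ifdef _KERNEL
#include <sys/systm.h>
#else
#include <string.h>
#endif
#include <crypto/cast128/cast128.h>
#include <crypto/cast128/cast128_subkey.h>

/*
 * Reviewer notes for users of this file:
 *  - Every entry point below works on exactly one 8-byte block.  No mode of
 *    operation, padding or integrity protection is provided here; that is
 *    the caller's job.
 *  - With a 64-bit block, the amount of data encrypted under one key should
 *    be kept well below the birthday bound (about 2^32 blocks).
 *  - The round functions and the key schedule index the S-boxes with
 *    key- and data-dependent bytes, so the code is not constant-time on
 *    hardware where table-lookup timing is observable.
 *  - x0x1x2x3/z0z1z2z3, xN/zN, byte0()..byte3() and circular_leftshift() are
 *    not defined on this page; presumably they come from the two
 *    crypto/cast128 headers included above -- confirm there.
 */

/*
 * S-box tables.  Only the declarations are visible on this page; the
 * definitions are presumably further down in the same file.
 */
static u_int32_t S1[];
static u_int32_t S2[];
static u_int32_t S3[];
static u_int32_t S4[];
static u_int32_t S5[];
static u_int32_t S6[];
static u_int32_t S7[];
static u_int32_t S8[];

/*
 * Step 1: key schedule.
 *
 * Expands the user key into 32 words written to subkey[0..31]:
 *   subkey[0..15]   full 32-bit words ("masking" subkeys, used as km),
 *   subkey[16..31]  values reduced to 5 bits by "& 0x1f" ("rotate"
 *                   subkeys, used as kr).
 *
 * subkey  caller-provided array of at least 32 u_int32_t.
 * key0    key bytes; min(keylen, 16) bytes are read.
 * keylen  key length in bytes.  Values above 16 are silently clamped to 16
 *         and shorter keys are zero-padded to 16 bytes.  A zero or negative
 *         keylen reads nothing from key0 and produces the schedule of the
 *         all-zero key without reporting an error, so callers must validate
 *         the length themselves.
 *
 * The schedule is the same for every key length; the caller selects the
 * number of rounds by calling the round12 or round16 functions (RFC 2144
 * specifies 12 rounds for keys of 80 bits or less, 16 otherwise).
 *
 * subkey[] is key-equivalent material: the caller should clear it when the
 * key is retired.
 */
void set_cast128_subkey(u_int32_t *subkey, u_int8_t *key0, int keylen)
{
	u_int32_t buf[8]; /* for x0x1x2x3, x4x5x6x7 ..., z0z1z2z3, ... */
	u_int32_t key[16];
	int i;

	/*
	 * the key has to be initialized.  should it be logged when the key
	 * length is more than 16 bytes ?  anyway, ignore it at this moment.
	 */
	if (keylen > 16)
		keylen = 16;
	for (i = 0; i < keylen; i++)
		key[i] = key0[i];
	while (i < 16)
		key[i++] = 0;

	/* pack the 16 key bytes big-endian into four 32-bit words */
	buf[0] = (key[ 0] << 24) | (key[ 1] << 16) | (key[ 2] << 8)
		| key[ 3];
	buf[1] = (key[ 4] << 24) | (key[ 5] << 16) | (key[ 6] << 8)
		| key[ 7];
	buf[2] = (key[ 8] << 24) | (key[ 9] << 16) | (key[10] << 8)
		| key[11];
	buf[3] = (key[12] << 24) | (key[13] << 16) | (key[14] << 8)
		| key[15];

	/* masking subkey */
	z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8];
	z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA];
	z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9];
	zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB];
	subkey[0]  = S5[z8] ^ S6[z9] ^ S7[z7] ^ S8[z6] ^ S5[z2];
	subkey[1]  = S5[zA] ^ S6[zB] ^ S7[z5] ^ S8[z4] ^ S6[z6];
	subkey[2]  = S5[zC] ^ S6[zD] ^ S7[z3] ^ S8[z2] ^ S7[z9];
	subkey[3]  = S5[zE] ^ S6[zF] ^ S7[z1] ^ S8[z0] ^ S8[zC];

	x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0];
	x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2];
	x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1];
	xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3];
	subkey[4]  = S5[x3] ^ S6[x2] ^ S7[xC] ^ S8[xD] ^ S5[x8];
	subkey[5]  = S5[x1] ^ S6[x0] ^ S7[xE] ^ S8[xF] ^ S6[xD];
	subkey[6]  = S5[x7] ^ S6[x6] ^ S7[x8] ^ S8[x9] ^ S7[x3];
	subkey[7]  = S5[x5] ^ S6[x4] ^ S7[xA] ^ S8[xB] ^ S8[x7];

	z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8];
	z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA];
	z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9];
	zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB];
	subkey[8]  = S5[z3] ^ S6[z2] ^ S7[zC] ^ S8[zD] ^ S5[z9];
	subkey[9]  = S5[z1] ^ S6[z0] ^ S7[zE] ^ S8[zF] ^ S6[zC];
	subkey[10] = S5[z7] ^ S6[z6] ^ S7[z8] ^ S8[z9] ^ S7[z2];
	subkey[11] = S5[z5] ^ S6[z4] ^ S7[zA] ^ S8[zB] ^ S8[z6];

	x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0];
	x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2];
	x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1];
	xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3];
	subkey[12] = S5[x8] ^ S6[x9] ^ S7[x7] ^ S8[x6] ^ S5[x3];
	subkey[13] = S5[xA] ^ S6[xB] ^ S7[x5] ^ S8[x4] ^ S6[x7];
	subkey[14] = S5[xC] ^ S6[xD] ^ S7[x3] ^ S8[x2] ^ S7[x8];
	subkey[15] = S5[xE] ^ S6[xF] ^ S7[x1] ^ S8[x0] ^ S8[xD];

	/* rotate subkey (least significant 5 bits) */
	z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8];
	z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA];
	z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9];
	zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB];
	subkey[16] = (S5[z8] ^ S6[z9] ^ S7[z7] ^ S8[z6] ^ S5[z2]) & 0x1f;
	subkey[17] = (S5[zA] ^ S6[zB] ^ S7[z5] ^ S8[z4] ^ S6[z6]) & 0x1f;
	subkey[18] = (S5[zC] ^ S6[zD] ^ S7[z3] ^ S8[z2] ^ S7[z9]) & 0x1f;
	subkey[19] = (S5[zE] ^ S6[zF] ^ S7[z1] ^ S8[z0] ^ S8[zC]) & 0x1f;

	x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0];
	x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2];
	x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1];
	xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3];
	subkey[20] = (S5[x3] ^ S6[x2] ^ S7[xC] ^ S8[xD] ^ S5[x8]) & 0x1f;
	subkey[21] = (S5[x1] ^ S6[x0] ^ S7[xE] ^ S8[xF] ^ S6[xD]) & 0x1f;
	subkey[22] = (S5[x7] ^ S6[x6] ^ S7[x8] ^ S8[x9] ^ S7[x3]) & 0x1f;
	subkey[23] = (S5[x5] ^ S6[x4] ^ S7[xA] ^ S8[xB] ^ S8[x7]) & 0x1f;

	z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8];
	z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA];
	z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9];
	zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB];
	subkey[24] = (S5[z3] ^ S6[z2] ^ S7[zC] ^ S8[zD] ^ S5[z9]) & 0x1f;
	subkey[25] = (S5[z1] ^ S6[z0] ^ S7[zE] ^ S8[zF] ^ S6[zC]) & 0x1f;
	subkey[26] = (S5[z7] ^ S6[z6] ^ S7[z8] ^ S8[z9] ^ S7[z2]) & 0x1f;
	subkey[27] = (S5[z5] ^ S6[z4] ^ S7[zA] ^ S8[zB] ^ S8[z6]) & 0x1f;

	x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0];
	x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2];
	x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1];
	xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3];
	subkey[28] = (S5[x8] ^ S6[x9] ^ S7[x7] ^ S8[x6] ^ S5[x3]) & 0x1f;
	subkey[29] = (S5[xA] ^ S6[xB] ^ S7[x5] ^ S8[x4] ^ S6[x7]) & 0x1f;
	subkey[30] = (S5[xC] ^ S6[xD] ^ S7[x3] ^ S8[x2] ^ S7[x8]) & 0x1f;
	subkey[31] = (S5[xE] ^ S6[xF] ^ S7[x1] ^ S8[x0] ^ S8[xD]) & 0x1f;

	/*
	 * Best-effort scrub of the raw key bytes and the intermediate words
	 * so they do not linger on the stack after return.  The stores go
	 * through a volatile-qualified pointer so the compiler is less likely
	 * to drop them as dead writes.
	 */
	{
		volatile u_int32_t *wipe;

		for (wipe = key, i = 0; i < 16; i++)
			wipe[i] = 0;
		for (wipe = buf, i = 0; i < 8; i++)
			wipe[i] = 0;
	}
}

/*
 * Round functions.  Each combines the masking subkey km with the data word d
 * (+, ^ or - depending on the type), rotates the result left by kr, and
 * mixes four S-box lookups into rc.
 *
 * The expansion is a bare { } block that declares a local named x, so an
 * invocation must be used as a complete statement and must not be passed an
 * argument expression that refers to a variable called x.
 *
 * NOTE(review): kr is taken from subkey[16..31], which set_cast128_subkey
 * reduces with "& 0x1f", so a rotate count of 0 is possible.  Confirm that
 * circular_leftshift (defined outside this page) does not evaluate a 32-bit
 * shift by 32 in that case.
 */
#define	CAST128_TYPE1(rc, d, km, kr) { \
	u_int32_t x = circular_leftshift(((km)+(d)), (kr)); \
	(rc) = ((S1[byte0(x)] ^ S2[byte1(x)]) - S3[byte2(x)]) + S4[byte3(x)]; \
}

#define	CAST128_TYPE2(rc, d, km, kr) { \
	u_int32_t x = circular_leftshift(((km)^(d)), (kr)); \
	(rc) = ((S1[byte0(x)] - S2[byte1(x)]) + S3[byte2(x)]) ^ S4[byte3(x)]; \
}

#define	CAST128_TYPE3(rc, d, km, kr) { \
	u_int32_t x = circular_leftshift(((km)-(d)), (kr)); \
	(rc) = ((S1[byte0(x)] + S2[byte1(x)]) ^ S3[byte2(x)]) - S4[byte3(x)]; \
}

/*
 * Encrypt one 8-byte block with 16 rounds.
 *
 * c       output, 8 bytes of ciphertext.
 * m       input, 8 bytes of plaintext.
 * subkey  32-word schedule as written by set_cast128_subkey(); words 0..15
 *         are read as km and words 16..31 as kr.
 *
 * All input bytes are loaded in Step 2 before any output byte is stored in
 * Step 4.
 */
void cast128_encrypt_round16(u_int8_t *c, const u_int8_t *m,
				u_int32_t *subkey)
{
	u_int32_t l;	/* left 32bit */
	u_int32_t r;	/* right 32bit */
	u_int32_t br;	/* backup right 32bit */
	u_int32_t rc;	/* result code of CAST128_TYPE?() */
	u_int32_t *km, *kr;

	/*
	 * Step 2: big-endian load.  Each byte is widened to u_int32_t before
	 * shifting; a bare u_int8_t is promoted to int, and shifting a value
	 * of 0x80 or more left by 24 overflows int (undefined behaviour).
	 */
	l = ((u_int32_t)m[0] << 24) | ((u_int32_t)m[1] << 16)
		| ((u_int32_t)m[2] << 8) | (u_int32_t)m[3];
	r = ((u_int32_t)m[4] << 24) | ((u_int32_t)m[5] << 16)
		| ((u_int32_t)m[6] << 8) | (u_int32_t)m[7];

	/* Step 3: 16 Feistel rounds, round type cycling 1, 2, 3 */
	km = subkey;
	kr = subkey + 16;
	br = r; CAST128_TYPE1(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE2(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE3(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE1(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE2(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE3(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE1(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE2(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE3(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE1(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE2(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE3(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE1(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE2(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE3(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE1(rc, r, *km, *kr); r = l ^ rc; l = br;

	/* Step 4: store the halves swapped (r first), big-endian */
	c[0] = (r >> 24) & 0xff;
	c[1] = (r >> 16) & 0xff;
	c[2] = (r >> 8) & 0xff;
	c[3] = r & 0xff;
	c[4] = (l >> 24) & 0xff;
	c[5] = (l >> 16) & 0xff;
	c[6] = (l >> 8) & 0xff;
	c[7] = l & 0xff;
}

/*
 * Decrypt one 8-byte block with 16 rounds.
 *
 * m       output, 8 bytes of plaintext.
 * c       input, 8 bytes of ciphertext.
 * subkey  32-word schedule as written by set_cast128_subkey(); it is walked
 *         backwards, km from word 15 and kr from word 31.
 *
 * All input bytes are loaded in Step 2 before any output byte is stored in
 * Step 4.
 */
void cast128_decrypt_round16(u_int8_t *m, const u_int8_t *c,
				u_int32_t *subkey)
{
	u_int32_t l;	/* left 32bit */
	u_int32_t r;	/* right 32bit */
	u_int32_t bl;	/* backup left 32bit */
	u_int32_t rc;	/* result code of CAST128_TYPE?() */
	u_int32_t *km, *kr;

	/*
	 * Step 2: big-endian load, r from the first four bytes.  Bytes are
	 * widened to u_int32_t first so the shift by 24 cannot overflow the
	 * int that a bare u_int8_t would be promoted to.
	 */
	r = ((u_int32_t)c[0] << 24) | ((u_int32_t)c[1] << 16)
		| ((u_int32_t)c[2] << 8) | (u_int32_t)c[3];
	l = ((u_int32_t)c[4] << 24) | ((u_int32_t)c[5] << 16)
		| ((u_int32_t)c[6] << 8) | (u_int32_t)c[7];

	/* Step 3: the 16 rounds in reverse subkey order */
	km = subkey + 15;
	kr = subkey + 31;
	bl = l; CAST128_TYPE1(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE3(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE2(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE1(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE3(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE2(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE1(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE3(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE2(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE1(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE3(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE2(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE1(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE3(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE2(rc, l, *km, *kr); l = r ^ rc; r = bl; km--; kr--;
	bl = l; CAST128_TYPE1(rc, l, *km, *kr); l = r ^ rc; r = bl;

	/* Step 4: store l then r, big-endian */
	m[0] = (l >> 24) & 0xff;
	m[1] = (l >> 16) & 0xff;
	m[2] = (l >> 8) & 0xff;
	m[3] = l & 0xff;
	m[4] = (r >> 24) & 0xff;
	m[5] = (r >> 16) & 0xff;
	m[6] = (r >> 8) & 0xff;
	m[7] = r & 0xff;
}

/*
 * 12-round encryption of one 8-byte block.  Only the first part of this
 * function is on this page of the listing, so its code is left exactly as
 * published, with line breaks restored.
 */
void cast128_encrypt_round12(u_int8_t *c, const u_int8_t *m,
				u_int32_t *subkey)
{
	u_int32_t l;	/* left 32bit */
	u_int32_t r;	/* right 32bit */
	u_int32_t br;	/* backup right 32bit */
	u_int32_t rc;	/* result code of CAST128_TYPE?() */
	u_int32_t *km, *kr;

	/*
	 * Step 2
	 * NOTE(review): m[0] and m[4] are promoted to int before "<< 24", so
	 * a byte of 0x80 or more overflows int here; widen each byte to
	 * u_int32_t before shifting, as in cast128_encrypt_round16.
	 */
	l = (m[0] << 24) | (m[1] << 16) | (m[2] << 8) | m[3];
	r = (m[4] << 24) | (m[5] << 16) | (m[6] << 8) | m[7];

	/* Step 3 */
	km = subkey;
	kr = subkey + 16;
	br = r; CAST128_TYPE1(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE2(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE3(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE1(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE2(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE3(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE1(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE2(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE3(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	br = r; CAST128_TYPE1(rc, r, *km, *kr); r = l ^ rc; l = br; km++; kr++;
	/* this page of the listing ends here; the function continues on the next page */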
