cipher-cast5.c

海思KEY驱动

	  0xa842eedf, 0xfdba60b4, 0xf1907b75, 0x20e3030f,
	  0x24d8c29e, 0xe139673b, 0xefa63fb8, 0x71873054,
	  0xb6f2cf3b, 0x9f326442, 0xcb15a4cc, 0xb01a4504,
	  0xf1e47d8d, 0x844a1be5, 0xbae7dfdc, 0x42cbda70,
	  0xcd7dae0a, 0x57e85b7a, 0xd53f5af6, 0x20cf4d8c,
	  0xcea4d428, 0x79d130a4, 0x3486ebfb, 0x33d3cddc,
	  0x77853b53, 0x37effcb5, 0xc5068778, 0xe580b3e6,
	  0x4e68b8f4, 0xc5c8b37e, 0x0d809ea2, 0x398feb7c,
	  0x132a4f94, 0x43b7950e, 0x2fee7d1c, 0x223613bd,
	  0xdd06caa2, 0x37df932b, 0xc4248289, 0xacf3ebc3,
	  0x5715f6b7, 0xef3478dd, 0xf267616f, 0xc148cbe4,
	  0x9052815e, 0x5e410fab, 0xb48a2465, 0x2eda7fa4,
	  0xe87b40e4, 0xe98ea084, 0x5889e9e1, 0xefd390fc,
	  0xdd07d35b, 0xdb485694, 0x38d7e5b2, 0x57720101,
	  0x730edebc, 0x5b643113, 0x94917e4f, 0x503c2fba,
	  0x646f1282, 0x7523d24a, 0xe0779695, 0xf9c17a8f,
	  0x7a5b2121, 0xd187b896, 0x29263a4d, 0xba510cdf,
	  0x81f47c9f, 0xad1163ed, 0xea7b5965, 0x1a00726e,
	  0x11403092, 0x00da6d77, 0x4a0cdd61, 0xad1f4603,
	  0x605bdfb0, 0x9eedc364, 0x22ebe6a8, 0xcee7d28a,
	  0xa0e736a0, 0x5564a6b9, 0x10853209, 0xc7eb8f37,
	  0x2de705ca, 0x8951570f, 0xdf09822b, 0xbd691a6c,
	  0xaa12e4f2, 0x87451c0f, 0xe0f6a27a, 0x3ada4819,
	  0x4cf1764f, 0x0d771c2b, 0x67cdb156, 0x350d8384,
	  0x5938fa0f, 0x42399ef3, 0x36997b07, 0x0e84093d,
	  0x4aa93e61, 0x8360d87b, 0x1fa98b0c, 0x1149382c,
	  0xe97625a5, 0x0614d1b7, 0x0e25244b, 0x0c768347,
	  0x589e8d82, 0x0d2059d1, 0xa466bb1e, 0xf8da0a82,
	  0x04f19130, 0xba6e4ec0, 0x99265164, 0x1ee7230d,
	  0x50b2ad80, 0xeaee6801, 0x8db2a283, 0xea8bf59e }};

#define rotl(n,x) ( ((x) << (n)) | ((x) >> (32-(n))) )

#define F1(D,m,r)  (  (I = ((m) + (D))), (I = rotl((r),I)),   \
                   (((sbox[0][I >> 24] ^ sbox[1][(I>>16) & 0xff]) - \
                      sbox[2][(I >> 8) & 0xff]) + sbox[3][I & 0xff]) )

#define F2(D,m,r)  (  (I = ((m) ^ (D))), (I = rotl((r),I)),   \
                   (((sbox[0][I >> 24] - sbox[1][(I>>16) & 0xff]) + \
                      sbox[2][(I >> 8) & 0xff]) ^ sbox[3][I & 0xff]) )

#define F3(D,m,r)  (  (I = ((m) - (D))), (I = rotl((r),I)),   \
                   (((sbox[0][I >> 24] + sbox[1][(I>>16) & 0xff]) ^ \
                      sbox[2][(I >> 8) & 0xff]) - sbox[3][I & 0xff]) )

static int cast5_encrypt(struct cipher_context *cx,
                         const u8 *in, u8 *out, int size, int atomic)
{
        CAST5_context *ctx = (CAST5_context *)cx->keyinfo;

        u8 *Kr;
        u32 *Km, I;
        u32 l, r, t;
        
        Km = ctx->Km;
        Kr = ctx->Kr;

        /* (L0,R0) <-- (m1...m64)    (Split the plaintext into left and
         * right 32-bit halves L0 = m1...m32 and R0 = m33...m64.)
         */
        l = in[0] << 24 | in[1] << 16 | in[2] << 8 | in[3];
        r = in[4] << 24 | in[5] << 16 | in[6] << 8 | in[7];
    
        /* (16 rounds) for i from 1 to 16, compute Li and Ri as follows:
         *   Li = Ri-1;
         *   Ri = Li-1 ^ f(Ri-1,Kmi,Kri), where f is defined in Section 2.2
         * Rounds 1, 4, 7, 10, 13, and 16 use f function Type 1.
         * Rounds 2, 5, 8, 11, and 14 use f function Type 2.
         * Rounds 3, 6, 9, 12, and 15 use f function Type 3.
         */
        t = l; l = r; r = t ^ F1(r, Km[ 0], Kr[ 0]);
        t = l; l = r; r = t ^ F2(r, Km[ 1], Kr[ 1]);
        t = l; l = r; r = t ^ F3(r, Km[ 2], Kr[ 2]);
        t = l; l = r; r = t ^ F1(r, Km[ 3], Kr[ 3]);
        t = l; l = r; r = t ^ F2(r, Km[ 4], Kr[ 4]);
        t = l; l = r; r = t ^ F3(r, Km[ 5], Kr[ 5]);
        t = l; l = r; r = t ^ F1(r, Km[ 6], Kr[ 6]);
        t = l; l = r; r = t ^ F2(r, Km[ 7], Kr[ 7]);
        t = l; l = r; r = t ^ F3(r, Km[ 8], Kr[ 8]);
        t = l; l = r; r = t ^ F1(r, Km[ 9], Kr[ 9]);
        t = l; l = r; r = t ^ F2(r, Km[10], Kr[10]);
        t = l; l = r; r = t ^ F3(r, Km[11], Kr[11]);
	if (cx->key_length > 10) { /* 16 rounds if key length > 80 bits */
		t = l; l = r; r = t ^ F1(r, Km[12], Kr[12]);
		t = l; l = r; r = t ^ F2(r, Km[13], Kr[13]);
		t = l; l = r; r = t ^ F3(r, Km[14], Kr[14]);
		t = l; l = r; r = t ^ F1(r, Km[15], Kr[15]);
	}

        /* c1...c64 <-- (R16,L16)    (Exchange final blocks L16, R16 and
         *    concatenate to form the ciphertext.) */
        out[0] = (r >> 24) & 0xff;
        out[1] = (r >> 16) & 0xff;
        out[2] = (r >>  8) & 0xff;
        out[3] =  r & 0xff;
        out[4] = (l >> 24) & 0xff;
        out[5] = (l >> 16) & 0xff;
        out[6] = (l >>  8) & 0xff;
        out[7] =  l & 0xff;

	return 0;
}

static int cast5_decrypt(struct cipher_context *cx, 
                          const u8 *in, u8 *out, int size, int atomic)
{
        CAST5_context *ctx = (CAST5_context *)cx->keyinfo;

        u8 *Kr;
        u32 *Km, I;
        u32 l, r, t;
        
        Km = ctx->Km;
        Kr = ctx->Kr;
        
        l = in[0] << 24 | in[1] << 16 | in[2] << 8 | in[3];
        r = in[4] << 24 | in[5] << 16 | in[6] << 8 | in[7];
        
	if (cx->key_length > 10) { /* 16 rounds if key length > 80 */
		t = l; l = r; r = t ^ F1(r, Km[15], Kr[15]);
		t = l; l = r; r = t ^ F3(r, Km[14], Kr[14]);
		t = l; l = r; r = t ^ F2(r, Km[13], Kr[13]);
		t = l; l = r; r = t ^ F1(r, Km[12], Kr[12]);
	}
        t = l; l = r; r = t ^ F3(r, Km[11], Kr[11]);
        t = l; l = r; r = t ^ F2(r, Km[10], Kr[10]);
        t = l; l = r; r = t ^ F1(r, Km[ 9], Kr[ 9]);
        t = l; l = r; r = t ^ F3(r, Km[ 8], Kr[ 8]);
        t = l; l = r; r = t ^ F2(r, Km[ 7], Kr[ 7]);
        t = l; l = r; r = t ^ F1(r, Km[ 6], Kr[ 6]);
        t = l; l = r; r = t ^ F3(r, Km[ 5], Kr[ 5]);
        t = l; l = r; r = t ^ F2(r, Km[ 4], Kr[ 4]);
        t = l; l = r; r = t ^ F1(r, Km[ 3], Kr[ 3]);
        t = l; l = r; r = t ^ F3(r, Km[ 2], Kr[ 2]);
        t = l; l = r; r = t ^ F2(r, Km[ 1], Kr[ 1]);
        t = l; l = r; r = t ^ F1(r, Km[ 0], Kr[ 0]);
        
        out[0] = (r >> 24) & 0xff;
        out[1] = (r >> 16) & 0xff;
        out[2] = (r >>  8) & 0xff;
        out[3] =  r & 0xff;
        out[4] = (l >> 24) & 0xff;
        out[5] = (l >> 16) & 0xff;
        out[6] = (l >>  8) & 0xff;
        out[7] =  l & 0xff;

	return 0;
}

#define xi(i)   ( (x[(i)/4] >> (8*(3-((i)%4)))) & 0xff )
#define zi(i)   ( (z[(i)/4] >> (8*(3-((i)%4)))) & 0xff )
static void cast5_key_schedule( u32 *x, u32 *z, u32 *k )
{
        z[0] = x[0] ^ sbox[4][xi(13)] ^ sbox[5][xi(15)] ^ \
                sbox[6][xi(12)] ^ sbox[7][xi(14)] ^ sbox[6][xi( 8)];
        z[1] = x[2] ^ sbox[4][zi( 0)] ^ sbox[5][zi( 2)] ^ \
                sbox[6][zi( 1)] ^ sbox[7][zi( 3)] ^ sbox[7][xi(10)];
        z[2] = x[3] ^ sbox[4][zi( 7)] ^ sbox[5][zi( 6)] ^ \
                sbox[6][zi( 5)] ^ sbox[7][zi( 4)] ^ sbox[4][xi( 9)];
        z[3] = x[1] ^ sbox[4][zi(10)] ^ sbox[5][zi( 9)] ^ \
                sbox[6][zi(11)] ^ sbox[7][zi( 8)] ^ sbox[5][xi(11)];
        k[0] = sbox[4][zi( 8)] ^ sbox[5][zi( 9)] ^ sbox[6][zi( 7)] ^ \
                sbox[7][zi( 6)] ^ sbox[4][zi( 2)];
        k[1] = sbox[4][zi(10)] ^ sbox[5][zi(11)] ^ sbox[6][zi( 5)] ^ \
                sbox[7][zi( 4)] ^ sbox[5][zi( 6)];
        k[2] = sbox[4][zi(12)] ^ sbox[5][zi(13)] ^ sbox[6][zi( 3)] ^ \
                sbox[7][zi( 2)] ^ sbox[6][zi( 9)];
        k[3] = sbox[4][zi(14)] ^ sbox[5][zi(15)] ^ sbox[6][zi( 1)] ^ \
                sbox[7][zi( 0)] ^ sbox[7][zi(12)];
        
        x[0] = z[2] ^ sbox[4][zi( 5)] ^ sbox[5][zi( 7)] ^ \
                sbox[6][zi( 4)] ^ sbox[7][zi( 6)] ^ sbox[6][zi( 0)];
        x[1] = z[0] ^ sbox[4][xi( 0)] ^ sbox[5][xi( 2)] ^ \
                sbox[6][xi( 1)] ^ sbox[7][xi( 3)] ^ sbox[7][zi( 2)];
        x[2] = z[1] ^ sbox[4][xi( 7)] ^ sbox[5][xi( 6)] ^ \
                sbox[6][xi( 5)] ^ sbox[7][xi( 4)] ^ sbox[4][zi( 1)];
        x[3] = z[3] ^ sbox[4][xi(10)] ^ sbox[5][xi( 9)] ^ \
                sbox[6][xi(11)] ^ sbox[7][xi( 8)] ^ sbox[5][zi( 3)];
        k[4] = sbox[4][xi( 3)] ^ sbox[5][xi( 2)] ^ sbox[6][xi(12)] ^ \
                sbox[7][xi(13)] ^ sbox[4][xi( 8)];
        k[5] = sbox[4][xi( 1)] ^ sbox[5][xi( 0)] ^ sbox[6][xi(14)] ^ \
                sbox[7][xi(15)] ^ sbox[5][xi(13)];
        k[6] = sbox[4][xi( 7)] ^ sbox[5][xi( 6)] ^ sbox[6][xi( 8)] ^ \
                sbox[7][xi( 9)] ^ sbox[6][xi( 3)];
        k[7] = sbox[4][xi( 5)] ^ sbox[5][xi( 4)] ^ sbox[6][xi(10)] ^ \
                sbox[7][xi(11)] ^ sbox[7][xi( 7)];
        
        z[0] = x[0] ^ sbox[4][xi(13)] ^ sbox[5][xi(15)] ^ \
                sbox[6][xi(12)] ^ sbox[7][xi(14)] ^ sbox[6][xi( 8)];
        z[1] = x[2] ^ sbox[4][zi( 0)] ^ sbox[5][zi( 2)] ^ \
                sbox[6][zi( 1)] ^ sbox[7][zi( 3)] ^ sbox[7][xi(10)];
        z[2] = x[3] ^ sbox[4][zi( 7)] ^ sbox[5][zi( 6)] ^ \
                sbox[6][zi( 5)] ^ sbox[7][zi( 4)] ^ sbox[4][xi( 9)];
        z[3] = x[1] ^ sbox[4][zi(10)] ^ sbox[5][zi( 9)] ^ \
                sbox[6][zi(11)] ^ sbox[7][zi( 8)] ^ sbox[5][xi(11)];
        k[8] = sbox[4][zi( 3)] ^ sbox[5][zi( 2)] ^ sbox[6][zi(12)] ^ \
                sbox[7][zi(13)] ^ sbox[4][zi( 9)];
        k[9] = sbox[4][zi( 1)] ^ sbox[5][zi( 0)] ^ sbox[6][zi(14)] ^ \
                sbox[7][zi(15)] ^ sbox[5][zi(12)];
        k[10]= sbox[4][zi( 7)] ^ sbox[5][zi( 6)] ^ sbox[6][zi( 8)] ^ \
                sbox[7][zi( 9)] ^ sbox[6][zi( 2)];
        k[11]= sbox[4][zi( 5)] ^ sbox[5][zi( 4)] ^ sbox[6][zi(10)] ^ \
                sbox[7][zi(11)] ^ sbox[7][zi( 6)];
        
        x[0] = z[2] ^ sbox[4][zi( 5)] ^ sbox[5][zi( 7)] ^ \
                sbox[6][zi( 4)] ^ sbox[7][zi( 6)] ^ sbox[6][zi( 0)];
        x[1] = z[0] ^ sbox[4][xi( 0)] ^ sbox[5][xi( 2)] ^ \
                sbox[6][xi( 1)] ^ sbox[7][xi( 3)] ^ sbox[7][zi( 2)];
        x[2] = z[1] ^ sbox[4][xi( 7)] ^ sbox[5][xi( 6)] ^ \
                sbox[6][xi( 5)] ^ sbox[7][xi( 4)] ^ sbox[4][zi( 1)];
        x[3] = z[3] ^ sbox[4][xi(10)] ^ sbox[5][xi( 9)] ^ \
                sbox[6][xi(11)] ^ sbox[7][xi( 8)] ^ sbox[5][zi( 3)];
        k[12]= sbox[4][xi( 8)] ^ sbox[5][xi( 9)] ^ sbox[6][xi( 7)] ^ \
                sbox[7][xi( 6)] ^ sbox[4][xi( 3)];
        k[13]= sbox[4][xi(10)] ^ sbox[5][xi(11)] ^ sbox[6][xi( 5)] ^ \
                sbox[7][xi( 4)] ^ sbox[5][xi( 7)];
        k[14]= sbox[4][xi(12)] ^ sbox[5][xi(13)] ^ sbox[6][xi( 3)] ^ \
                sbox[7][xi( 2)] ^ sbox[6][xi( 8)];
        k[15]= sbox[4][xi(14)] ^ sbox[5][xi(15)] ^ sbox[6][xi( 1)] ^ \
                sbox[7][xi( 0)] ^ sbox[7][xi(13)];
}
#undef xi
#undef zi

static int cast5_set_key(struct cipher_context *cx,
                         const u8 *key, int key_len, int atomic)
{
        CAST5_context *ctx = (CAST5_context *)cx->keyinfo;

        u32 i, x[4], z[4], k[16];

        if((key_len != 16) && (key_len != 10) && (key_len != 5))
                return 1;

	cx->key_length = key_len;

        x[0] = key[0]  << 24 | key[1]  << 16 | key[2]  << 8 | key[3];
        x[1] = key[4]  << 24 | key[5]  << 16 | key[6]  << 8 | key[7];
        x[2] = key[8]  << 24 | key[9]  << 16 | key[10] << 8 | key[11];
        x[3] = key[12] << 24 | key[13] << 16 | key[14] << 8 | key[15];
        
        cast5_key_schedule(x, z, k);
        for(i = 0; i < 16; i++)
                ctx->Km[i] = k[i];
        cast5_key_schedule(x, z, k);
        for(i = 0; i < 16; i++)
                ctx->Kr[i] = k[i] & 0x1f;

        return 0;
}

#define CIPHER_ID                 cast5
#define CIPHER_BLOCKSIZE          64
#define CIPHER_KEY_SIZE_MASK      CIPHER_KEYSIZE_40 | CIPHER_KEYSIZE_80 | \
                                  CIPHER_KEYSIZE_128
#define CIPHER_KEY_SCHEDULE_SIZE  sizeof(CAST5_context) 

#include "gen-cipher.h"

EXPORT_NO_SYMBOLS;

/* eof */