
📄 cast5.c

        skey->cast5.K[i++] = S5[GB(z, 0xC)] ^ S6[GB(z, 0xd)] ^ S7[GB(z, 0x3)] ^ S8[GB(z, 0x2)] ^ S7[GB(z, 0x9)];        skey->cast5.K[i++] = S5[GB(z, 0xE)] ^ S6[GB(z, 0xF)] ^ S7[GB(z, 0x1)] ^ S8[GB(z, 0x0)] ^ S8[GB(z, 0xc)];        x[3] = z[1] ^ S5[GB(z, 0x5)] ^ S6[GB(z, 0x7)] ^ S7[GB(z, 0x4)] ^ S8[GB(z, 0x6)] ^ S7[GB(z, 0x0)];        x[2] = z[3] ^ S5[GB(x, 0x0)] ^ S6[GB(x, 0x2)] ^ S7[GB(x, 0x1)] ^ S8[GB(x, 0x3)] ^ S8[GB(z, 0x2)];        x[1] = z[2] ^ S5[GB(x, 0x7)] ^ S6[GB(x, 0x6)] ^ S7[GB(x, 0x5)] ^ S8[GB(x, 0x4)] ^ S5[GB(z, 0x1)];        x[0] = z[0] ^ S5[GB(x, 0xA)] ^ S6[GB(x, 0x9)] ^ S7[GB(x, 0xb)] ^ S8[GB(x, 0x8)] ^ S6[GB(z, 0x3)];        skey->cast5.K[i++] = S5[GB(x, 0x3)] ^ S6[GB(x, 0x2)] ^ S7[GB(x, 0xc)] ^ S8[GB(x, 0xd)] ^ S5[GB(x, 0x8)];        skey->cast5.K[i++] = S5[GB(x, 0x1)] ^ S6[GB(x, 0x0)] ^ S7[GB(x, 0xe)] ^ S8[GB(x, 0xf)] ^ S6[GB(x, 0xd)];        skey->cast5.K[i++] = S5[GB(x, 0x7)] ^ S6[GB(x, 0x6)] ^ S7[GB(x, 0x8)] ^ S8[GB(x, 0x9)] ^ S7[GB(x, 0x3)];        skey->cast5.K[i++] = S5[GB(x, 0x5)] ^ S6[GB(x, 0x4)] ^ S7[GB(x, 0xa)] ^ S8[GB(x, 0xb)] ^ S8[GB(x, 0x7)];        /* second half */        z[3] = x[3] ^ S5[GB(x, 0xD)] ^ S6[GB(x, 0xF)] ^ S7[GB(x, 0xC)] ^ S8[GB(x, 0xE)] ^ S7[GB(x, 0x8)];        z[2] = x[1] ^ S5[GB(z, 0x0)] ^ S6[GB(z, 0x2)] ^ S7[GB(z, 0x1)] ^ S8[GB(z, 0x3)] ^ S8[GB(x, 0xA)];        z[1] = x[0] ^ S5[GB(z, 0x7)] ^ S6[GB(z, 0x6)] ^ S7[GB(z, 0x5)] ^ S8[GB(z, 0x4)] ^ S5[GB(x, 0x9)];        z[0] = x[2] ^ S5[GB(z, 0xA)] ^ S6[GB(z, 0x9)] ^ S7[GB(z, 0xb)] ^ S8[GB(z, 0x8)] ^ S6[GB(x, 0xB)];        skey->cast5.K[i++] = S5[GB(z, 0x3)] ^ S6[GB(z, 0x2)] ^ S7[GB(z, 0xc)] ^ S8[GB(z, 0xd)] ^ S5[GB(z, 0x9)];        skey->cast5.K[i++] = S5[GB(z, 0x1)] ^ S6[GB(z, 0x0)] ^ S7[GB(z, 0xe)] ^ S8[GB(z, 0xf)] ^ S6[GB(z, 0xc)];        skey->cast5.K[i++] = S5[GB(z, 0x7)] ^ S6[GB(z, 0x6)] ^ S7[GB(z, 0x8)] ^ S8[GB(z, 0x9)] ^ S7[GB(z, 0x2)];        skey->cast5.K[i++] = S5[GB(z, 0x5)] ^ S6[GB(z, 0x4)] ^ S7[GB(z, 0xa)] ^ S8[GB(z, 0xb)] ^ S8[GB(z, 0x6)];        x[3] = 
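z[1] ^ S5[GB(z, 0x5)] ^ S6[GB(z, 0x7)] ^ S7[GB(z, 0x4)] ^ S8[GB(z, 0x6)] ^ S7[GB(z, 0x0)];
        x[2] = z[3] ^ S5[GB(x, 0x0)] ^ S6[GB(x, 0x2)] ^ S7[GB(x, 0x1)] ^ S8[GB(x, 0x3)] ^ S8[GB(z, 0x2)];
        x[1] = z[2] ^ S5[GB(x, 0x7)] ^ S6[GB(x, 0x6)] ^ S7[GB(x, 0x5)] ^ S8[GB(x, 0x4)] ^ S5[GB(z, 0x1)];
        x[0] = z[0] ^ S5[GB(x, 0xA)] ^ S6[GB(x, 0x9)] ^ S7[GB(x, 0xb)] ^ S8[GB(x, 0x8)] ^ S6[GB(z, 0x3)];
        skey->cast5.K[i++] = S5[GB(x, 0x8)] ^ S6[GB(x, 0x9)] ^ S7[GB(x, 0x7)] ^ S8[GB(x, 0x6)] ^ S5[GB(x, 0x3)];
        skey->cast5.K[i++] = S5[GB(x, 0xa)] ^ S6[GB(x, 0xb)] ^ S7[GB(x, 0x5)] ^ S8[GB(x, 0x4)] ^ S6[GB(x, 0x7)];
        skey->cast5.K[i++] = S5[GB(x, 0xc)] ^ S6[GB(x, 0xd)] ^ S7[GB(x, 0x3)] ^ S8[GB(x, 0x2)] ^ S7[GB(x, 0x8)];
        skey->cast5.K[i++] = S5[GB(x, 0xe)] ^ S6[GB(x, 0xf)] ^ S7[GB(x, 0x1)] ^ S8[GB(x, 0x0)] ^ S8[GB(x, 0xd)];
   }

   /* The round count is chosen later from this stored length (see the
    * keylen > 10 test in the encrypt/decrypt routines). */
   skey->cast5.keylen = keylen;

#ifdef CLEAN_STACK
   /* x and z feed the subkeys directly, so they are wiped together with buf.
    * This only happens when CLEAN_STACK is defined at build time.
    * NOTE(review): confirm zeromem cannot be elided by the optimizer. */
   zeromem(buf, sizeof(buf));
   zeromem(x, sizeof(x));
   zeromem(z, sizeof(z));
#endif

   return CRYPT_OK;
}

/*
 * Round function combining R with the masking subkey Km by addition:
 *    I = ROL(Km + R, Kr);  result = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]
 * where Ia..Id are the four bytes of I, most significant first.
 *
 * The S-box indices are derived from key and data, so the table reads happen
 * at secret-dependent addresses; on hardware shared with an untrusted party
 * this kind of lookup can leak through cache timing.
 *
 * NOTE(review): unsigned long may be wider than 32 bits; this relies on ROL
 * (defined elsewhere) and the final STORE32H to truncate -- confirm there.
 */
static unsigned long FI(unsigned long R, unsigned long Km, unsigned long Kr)
{
   unsigned long I;
   I = (Km + R);
   I = ROL(I, Kr);
   return ((S1[(I>>24)&255] ^ S2[(I>>16)&255]) - S3[(I>>8)&255]) + S4[I&255];
}

/*
 * Round function combining R with Km by XOR:
 *    I = ROL(Km ^ R, Kr);  result = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]
 * Same secret-dependent table lookups as FI.
 */
static unsigned long FII(unsigned long R, unsigned long Km, unsigned long Kr)
{
   unsigned long I;
   I = (Km ^ R);
   I = ROL(I, Kr);
   return ((S1[(I>>24)&255] - S2[(I>>16)&255]) + S3[(I>>8)&255]) ^ S4[I&255];
}

/*
 * Round function combining R with Km by subtraction:
 *    I = ROL(Km - R, Kr);  result = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]
 * Same secret-dependent table lookups as FI.
 */
static unsigned long FIII(unsigned long R, unsigned long Km, unsigned long Kr)
{
   unsigned long I;
   I = (Km - R);
   I = ROL(I, Kr);
   return ((S1[(I>>24)&255] + S2[(I>>16)&255]) ^ S3[(I>>8)&255]) - S4[I&255];
}

/*
 * Encrypt exactly one 8-byte block.
 *
 *   pt   input block, 8 bytes are read
 *   ct   output block, 8 bytes are written
 *   key  schedule filled in by cast5_setup
 *
 * K[0..15] are passed as the masking subkeys (Km) and K[16..31] as the
 * rotation subkeys (Kr).  Twelve rounds always run; rounds 12..15 run only
 * when the stored key length exceeds 10 bytes.
 *
 * Both halves are loaded before anything is stored, so pt and ct may be the
 * same buffer.  This is a raw single-block primitive: chaining, IVs and
 * integrity are the caller's job, and the 64-bit block size bounds how much
 * data should be processed under one key.
 *
 * NOTE(review): _ARGCHK is defined elsewhere; its failure behaviour is not
 * visible here.
 */
void cast5_ecb_encrypt(const unsigned char *pt, unsigned char *ct, symmetric_key *key)
{
   unsigned long R, L;

   _ARGCHK(pt != NULL);
   _ARGCHK(ct != NULL);
   _ARGCHK(key != NULL);

   LOAD32H(L,&pt[0]);
   LOAD32H(R,&pt[4]);
   L ^= FI(R, key->cast5.K[0], key->cast5.K[16]);
   R ^= FII(L, key->cast5.K[1], key->cast5.K[17]);
   L ^= FIII(R, key->cast5.K[2], key->cast5.K[18]);
   R ^= FI(L, key->cast5.K[3], key->cast5.K[19]);
   L ^= FII(R, key->cast5.K[4], key->cast5.K[20]);
   R ^= FIII(L, key->cast5.K[5], key->cast5.K[21]);
   L ^= FI(R, key->cast5.K[6], key->cast5.K[22]);
   R ^= FII(L, key->cast5.K[7], key->cast5.K[23]);
   L ^= FIII(R, key->cast5.K[8], key->cast5.K[24]);
   R ^= FI(L, key->cast5.K[9], key->cast5.K[25]);
   L ^= FII(R, key->cast5.K[10], key->cast5.K[26]);
   R ^= FIII(L, key->cast5.K[11], key->cast5.K[27]);
   /* keys longer than 10 bytes get the four extra rounds */
   if (key->cast5.keylen > 10) {
      L ^= FI(R, key->cast5.K[12], key->cast5.K[28]);
      R ^= FII(L, key->cast5.K[13], key->cast5.K[29]);
      L ^= FIII(R, key->cast5.K[14], key->cast5.K[30]);
      R ^= FI(L, key->cast5.K[15], key->cast5.K[31]);
   }
   /* halves are written out swapped: R first, then L */
   STORE32H(R,&ct[0]);
   STORE32H(L,&ct[4]);
}

/*
 * Decrypt exactly one 8-byte block: the rounds of cast5_ecb_encrypt applied
 * in reverse order with the same subkeys.
 *
 *   ct   input block, 8 bytes are read
 *   pt   output block, 8 bytes are written
 *   key  schedule filled in by cast5_setup
 *
 * As in the encrypt routine, both halves are loaded before any store, so the
 * two buffers may alias.  Nothing here authenticates the ciphertext.
 */
void cast5_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *key)
{
   unsigned long R, L;

   _ARGCHK(pt != NULL);
   _ARGCHK(ct != NULL);
   _ARGCHK(key != NULL);

   /* mirror of the swapped store at the end of encryption */
   LOAD32H(R,&ct[0]);
   LOAD32H(L,&ct[4]);
   /* undo the four extra rounds first when the key is longer than 10 bytes */
   if (key->cast5.keylen > 10) {
      R ^= FI(L, key->cast5.K[15], key->cast5.K[31]);
      L ^= FIII(R, key->cast5.K[14], key->cast5.K[30]);
      R ^= FII(L, key->cast5.K[13], key->cast5.K[29]);
      L ^= FI(R, key->cast5.K[12], key->cast5.K[28]);
   }
   R ^= FIII(L, key->cast5.K[11], key->cast5.K[27]);
   L ^= FII(R, key->cast5.K[10], key->cast5.K[26]);
   R ^= FI(L, key->cast5.K[9], key->cast5.K[25]);
   L ^= FIII(R, key->cast5.K[8], key->cast5.K[24]);
   R ^= FII(L, key->cast5.K[7], key->cast5.K[23]);
   L ^= FI(R, key->cast5.K[6], key->cast5.K[22]);
   R ^= FIII(L, key->cast5.K[5], key->cast5.K[21]);
   L ^= FII(R, key->cast5.K[4], key->cast5.K[20]);
   R ^= FI(L, key->cast5.K[3], key->cast5.K[19]);
   L ^= FIII(R, key->cast5.K[2], key->cast5.K[18]);
   R ^= FII(L, key->cast5.K[1], key->cast5.K[17]);
   L ^= FI(R, key->cast5.K[0], key->cast5.K[16]);
   STORE32H(L,&pt[0]);
   STORE32H(R,&pt[4]);
}

/*
 * Known-answer self-test with 16-, 10- and 5-byte keys (the vectors match
 * RFC 2144 Appendix B.1).  Each vector is encrypted and compared with the
 * expected ciphertext, then decrypted and compared with the plaintext.
 *
 * Returns CRYPT_OK on success, the cast5_setup error code if key setup
 * fails, or CRYPT_FAIL_TESTVECTOR on the first mismatch.
 */
int cast5_test(void)
{
   static const struct {
       int keylen;
       unsigned char key[16];
       unsigned char pt[8];
       unsigned char ct[8];
   } tests[] = {
     { 16,
       {0x01, 0x23, 0x45, 0x67, 0x12, 0x34, 0x56, 0x78, 0x23, 0x45, 0x67, 0x89, 0x34, 0x56, 0x78, 0x9A},
       {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF},
       {0x23, 0x8B, 0x4F, 0xE5, 0x84, 0x7E, 0x44, 0xB2}
     },
     { 10,
       {0x01, 0x23, 0x45, 0x67, 0x12, 0x34, 0x56, 0x78, 0x23, 0x45},
       {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF},
       {0xEB, 0x6A, 0x71, 0x1A, 0x2C, 0x02, 0x27, 0x1B},
     },
     { 5,
       {0x01, 0x23, 0x45, 0x67, 0x12},
       {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF},
       {0x7A, 0xC8, 0x16, 0xD1, 0x6E, 0x9B, 0x30, 0x2E}
     }
   };
   /* The status variable is named err rather than errno: errno is a macro
    * from <errno.h>, and a local of that name is undefined behaviour (and
    * fails to compile) wherever that header is in scope. */
   int i, err;
   symmetric_key key;
   unsigned char buf[8], buf2[8];

   for (i = 0; i < (int)(sizeof(tests) / sizeof(tests[0])); i++) {
       if ((err = cast5_setup(tests[i].key, tests[i].keylen, 0, &key)) != CRYPT_OK) {
          return err;
       }
       cast5_ecb_encrypt(tests[i].pt, buf, &key);
       if (memcmp(buf, tests[i].ct, 8)) {
#if 0
          int j;
          printf("\n\n\nFailed encrypt test: %d\n", i);
          for (j = 0; j < 8; j++) printf("%02x ", buf[j]);
          printf("\n");
#endif
          return CRYPT_FAIL_TESTVECTOR;
       }
       cast5_ecb_decrypt(buf, buf2, &key);
       if (memcmp(buf2, tests[i].pt, 8)) {
#if 0
          int j;
          printf("\n\n\nFailed decrypt test: %d\n", i);
          for (j = 0; j < 8; j++) printf("%02x ", buf2[j]);
          printf("\n");
#endif
          return CRYPT_FAIL_TESTVECTOR;
       }
   }
   return CRYPT_OK;
}

/*
 * Round a requested key size (in bytes) to one this cipher accepts.
 *
 *   desired_keysize  in: requested size; out: clamped to 16 if larger
 *
 * Returns CRYPT_INVALID_KEYSIZE for requests below 5 bytes, else CRYPT_OK.
 * Sizes 5..16 are passed through unchanged, so a caller that asks for a
 * 5-byte key gets a 40-bit key; callers that need strong confidentiality
 * should enforce their own minimum before calling this.
 */
int cast5_keysize(int *desired_keysize)
{
   _ARGCHK(desired_keysize != NULL);
   if (*desired_keysize < 5) {
      return CRYPT_INVALID_KEYSIZE;
   } else if (*desired_keysize > 16) {
      *desired_keysize = 16;
   }
   return CRYPT_OK;
}

#endif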
