search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Samba Patch - Denial of service - CPU loop and memory allocation.
[tomato.git] / release / src / router / nettle / camellia-set-encrypt-key.c
blob408ed7219b008c1cee958099ac5eed3fd029755b
1 /* camellia-set-encrypt-key.c
2 *
3 * Key setup for the camellia block cipher.
4 */
5 /*
6 * Copyright (C) 2006,2007
7 * NTT (Nippon Telegraph and Telephone Corporation).
8 *
9 * Copyright (C) 2010 Niels Möller
10 *
11 * This library is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU Lesser General Public
13 * License as published by the Free Software Foundation; either
14 * version 2.1 of the License, or (at your option) any later version.
15 *
16 * This library is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 * Lesser General Public License for more details.
20 *
21 * You should have received a copy of the GNU Lesser General Public
22 * License along with this library; if not, write to the Free Software
23 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
24 */
25
26 /*
27 * Algorithm Specification
28 * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
29 */
30
31 /* Based on camellia.c ver 1.2.0, see
32 http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz.
33 */
34 #if HAVE_CONFIG_H
35 # include "config.h"
36 #endif
37
38 #include <assert.h>
39 #include <limits.h>
40
41 #include "camellia-internal.h"
42
43 #include "macros.h"
44
45 /* key constants */
46
47 #define SIGMA1 0xA09E667F3BCC908BULL
48 #define SIGMA2 0xB67AE8584CAA73B2ULL
49 #define SIGMA3 0xC6EF372FE94F82BEULL
50 #define SIGMA4 0x54FF53A5F1D36F1CULL
51 #define SIGMA5 0x10E527FADE682D1DULL
52 #define SIGMA6 0xB05688C2B3E6C1FDULL
53
54 #define CAMELLIA_SP1110(INDEX) (_nettle_camellia_table.sp1110[(int)(INDEX)])
55 #define CAMELLIA_SP0222(INDEX) (_nettle_camellia_table.sp0222[(int)(INDEX)])
56 #define CAMELLIA_SP3033(INDEX) (_nettle_camellia_table.sp3033[(int)(INDEX)])
57 #define CAMELLIA_SP4404(INDEX) (_nettle_camellia_table.sp4404[(int)(INDEX)])
58
59 #define CAMELLIA_F(x, k, y) do { \
60 uint32_t __yl, __yr; \
61 uint64_t __i = (x) ^ (k); \
62 __yl \
63 = CAMELLIA_SP1110( __i & 0xff) \
64 ^ CAMELLIA_SP0222((__i >> 24) & 0xff) \
65 ^ CAMELLIA_SP3033((__i >> 16) & 0xff) \
66 ^ CAMELLIA_SP4404((__i >> 8) & 0xff); \
67 __yr \
68 = CAMELLIA_SP1110( __i >> 56) \
69 ^ CAMELLIA_SP0222((__i >> 48) & 0xff) \
70 ^ CAMELLIA_SP3033((__i >> 40) & 0xff) \
71 ^ CAMELLIA_SP4404((__i >> 32) & 0xff); \
72 __yl ^= __yr; \
73 __yr = ROTL32(24, __yr); \
74 __yr ^= __yl; \
75 (y) = ((uint64_t) __yl << 32) | __yr; \
76 } while (0)
77
78 #if ! HAVE_NATIVE_64_BIT
79 #define CAMELLIA_F_HALF_INV(x) do { \
80 uint32_t __t, __w; \
81 __t = (x) >> 32; \
82 __w = __t ^(x); \
83 __w = ROTL32(8, __w); \
84 (x) = ((uint64_t) __w << 32) | (__t ^ __w); \
85 } while (0)
86 #endif
87
88 void
89 camellia_set_encrypt_key(struct camellia_ctx *ctx,
90 unsigned length, const uint8_t *key)
91 {
92 uint64_t k0, k1;
93
94 uint64_t subkey[34];
95 uint64_t w, kw2, kw4;
96
97 uint32_t dw, tl, tr;
98 unsigned i;
99
100 k0 = READ_UINT64(key);
101 k1 = READ_UINT64(key + 8);
102
103 if (length == 16)
104 {
105 ctx->nkeys = 24;
106 /**
107 * generate KL dependent subkeys
108 */
109 subkey[0] = k0; subkey[1] = k1;
110 ROTL128(15, k0, k1);
111 subkey[4] = k0; subkey[5] = k1;
112 ROTL128(30, k0, k1);
113 subkey[10] = k0; subkey[11] = k1;
114 ROTL128(15, k0, k1);
115 subkey[13] = k1;
116 ROTL128(17, k0, k1);
117 subkey[16] = k0; subkey[17] = k1;
118 ROTL128(17, k0, k1);
119 subkey[18] = k0; subkey[19] = k1;
120 ROTL128(17, k0, k1);
121 subkey[22] = k0; subkey[23] = k1;
122
123 /* generate KA. D1 is k0, d2 is k1. */
124 /* FIXME: Make notation match the spec better. */
125 /* For the 128-bit case, KR = 0, the construction of KA reduces to:
126
127 D1 = KL >> 64;
128 W = KL & MASK64;
129 D2 = F(D1, Sigma1);
130 W = D2 ^ W
131 D1 = F(W, Sigma2)
132 D2 = D2 ^ F(D1, Sigma3);
133 D1 = D1 ^ F(D2, Sigma4);
134 KA = (D1 << 64) | D2;
135 */
136 k0 = subkey[0]; w = subkey[1];
137 CAMELLIA_F(k0, SIGMA1, k1);
138 w ^= k1;
139 CAMELLIA_F(w, SIGMA2, k0);
140 CAMELLIA_F(k0, SIGMA3, w);
141 k1 ^= w;
142 CAMELLIA_F(k1, SIGMA4, w);
143 k0 ^= w;
144
145 /* generate KA dependent subkeys */
146 subkey[2] = k0; subkey[3] = k1;
147 ROTL128(15, k0, k1);
148 subkey[6] = k0; subkey[7] = k1;
149 ROTL128(15, k0, k1);
150 subkey[8] = k0; subkey[9] = k1;
151 ROTL128(15, k0, k1);
152 subkey[12] = k0;
153 ROTL128(15, k0, k1);
154 subkey[14] = k0; subkey[15] = k1;
155 ROTL128(34, k0, k1);
156 subkey[20] = k0; subkey[21] = k1;
157 ROTL128(17, k0, k1);
158 subkey[24] = k0; subkey[25] = k1;
159 }
160 else
161 {
162 uint64_t k2, k3;
163
164 ctx->nkeys = 32;
165 k2 = READ_UINT64(key + 16);
166
167 if (length == 24)
168 k3 = ~k2;
169 else
170 {
171 assert (length == 32);
172 k3 = READ_UINT64(key + 24);
173 }
174 /* generate KL dependent subkeys */
175 subkey[0] = k0; subkey[1] = k1;
176 ROTL128(45, k0, k1);
177 subkey[12] = k0; subkey[13] = k1;
178 ROTL128(15, k0, k1);
179 subkey[16] = k0; subkey[17] = k1;
180 ROTL128(17, k0, k1);
181 subkey[22] = k0; subkey[23] = k1;
182 ROTL128(34, k0, k1);
183 subkey[30] = k0; subkey[31] = k1;
184
185 /* generate KR dependent subkeys */
186 ROTL128(15, k2, k3);
187 subkey[4] = k2; subkey[5] = k3;
188 ROTL128(15, k2, k3);
189 subkey[8] = k2; subkey[9] = k3;
190 ROTL128(30, k2, k3);
191 subkey[18] = k2; subkey[19] = k3;
192 ROTL128(34, k2, k3);
193 subkey[26] = k2; subkey[27] = k3;
194 ROTL128(34, k2, k3);
195
196 /* generate KA */
197 /* The construction of KA is done as
198
199 D1 = (KL ^ KR) >> 64
200 D2 = (KL ^ KR) & MASK64
201 W = F(D1, SIGMA1)
202 D2 = D2 ^ W
203 D1 = F(D2, SIGMA2) ^ (KR >> 64)
204 D2 = F(D1, SIGMA3) ^ W ^ (KR & MASK64)
205 D1 = D1 ^ F(W, SIGMA2)
206 D2 = D2 ^ F(D1, SIGMA3)
207 D1 = D1 ^ F(D2, SIGMA4)
208 */
209
210 k0 = subkey[0] ^ k2;
211 k1 = subkey[1] ^ k3;
212
213 CAMELLIA_F(k0, SIGMA1, w);
214 k1 ^= w;
215
216 CAMELLIA_F(k1, SIGMA2, k0);
217 k0 ^= k2;
218
219 CAMELLIA_F(k0, SIGMA3, k1);
220 k1 ^= w ^ k3;
221
222 CAMELLIA_F(k1, SIGMA4, w);
223 k0 ^= w;
224
225 /* generate KB */
226 k2 ^= k0; k3 ^= k1;
227 CAMELLIA_F(k2, SIGMA5, w);
228 k3 ^= w;
229 CAMELLIA_F(k3, SIGMA6, w);
230 k2 ^= w;
231
232 /* generate KA dependent subkeys */
233 ROTL128(15, k0, k1);
234 subkey[6] = k0; subkey[7] = k1;
235 ROTL128(30, k0, k1);
236 subkey[14] = k0; subkey[15] = k1;
237 ROTL128(32, k0, k1);
238 subkey[24] = k0; subkey[25] = k1;
239 ROTL128(17, k0, k1);
240 subkey[28] = k0; subkey[29] = k1;
241
242 /* generate KB dependent subkeys */
243 subkey[2] = k2; subkey[3] = k3;
244 ROTL128(30, k2, k3);
245 subkey[10] = k2; subkey[11] = k3;
246 ROTL128(30, k2, k3);
247 subkey[20] = k2; subkey[21] = k3;
248 ROTL128(51, k2, k3);
249 subkey[32] = k2; subkey[33] = k3;
250 }
251
252 /* At this point, the subkey array contains the subkeys as described
253 in the spec, 26 for short keys and 34 for large keys. */
254
255 /* absorb kw2 to other subkeys */
256 kw2 = subkey[1];
257
258 subkey[3] ^= kw2;
259 subkey[5] ^= kw2;
260 subkey[7] ^= kw2;
261 for (i = 8; i < ctx->nkeys; i += 8)
262 {
263 /* FIXME: gcc for x86_32 is smart enough to fetch the 32 low bits
264 and xor the result into the 32 high bits, but it still generates
265 worse code than for explicit 32-bit operations. */
266 kw2 ^= (kw2 & ~subkey[i+1]) << 32;
267 dw = (kw2 & subkey[i+1]) >> 32; kw2 ^= ROTL32(1, dw);
268
269 subkey[i+3] ^= kw2;
270 subkey[i+5] ^= kw2;
271 subkey[i+7] ^= kw2;
272 }
273 subkey[i] ^= kw2;
274
275 /* absorb kw4 to other subkeys */
276 kw4 = subkey[ctx->nkeys + 1];
277
278 for (i = ctx->nkeys - 8; i > 0; i -= 8)
279 {
280 subkey[i+6] ^= kw4;
281 subkey[i+4] ^= kw4;
282 subkey[i+2] ^= kw4;
283 kw4 ^= (kw4 & ~subkey[i]) << 32;
284 dw = (kw4 & subkey[i]) >> 32; kw4 ^= ROTL32(1, dw);
285 }
286
287 subkey[6] ^= kw4;
288 subkey[4] ^= kw4;
289 subkey[2] ^= kw4;
290 subkey[0] ^= kw4;
291
292 /* key XOR is end of F-function */
293 ctx->keys[0] = subkey[0] ^ subkey[2];
294 ctx->keys[1] = subkey[3];
295
296 ctx->keys[2] = subkey[2] ^ subkey[4];
297 ctx->keys[3] = subkey[3] ^ subkey[5];
298 ctx->keys[4] = subkey[4] ^ subkey[6];
299 ctx->keys[5] = subkey[5] ^ subkey[7];
300
301 for (i = 8; i < ctx->nkeys; i += 8)
302 {
303 tl = (subkey[i+2] >> 32) ^ (subkey[i+2] & ~subkey[i]);
304 dw = tl & (subkey[i] >> 32);
305 tr = subkey[i+2] ^ ROTL32(1, dw);
306 ctx->keys[i-2] = subkey[i-2] ^ ( ((uint64_t) tl << 32) | tr);
307
308 ctx->keys[i-1] = subkey[i];
309 ctx->keys[i] = subkey[i+1];
310
311 tl = (subkey[i-1] >> 32) ^ (subkey[i-1] & ~subkey[i+1]);
312 dw = tl & (subkey[i+1] >> 32);
313 tr = subkey[i-1] ^ ROTL32(1, dw);
314 ctx->keys[i+1] = subkey[i+3] ^ ( ((uint64_t) tl << 32) | tr);
315
316 ctx->keys[i+2] = subkey[i+2] ^ subkey[i+4];
317 ctx->keys[i+3] = subkey[i+3] ^ subkey[i+5];
318 ctx->keys[i+4] = subkey[i+4] ^ subkey[i+6];
319 ctx->keys[i+5] = subkey[i+5] ^ subkey[i+7];
320 }
321 ctx->keys[i-2] = subkey[i-2];
322 ctx->keys[i-1] = subkey[i] ^ subkey[i-1];
323
324 #if !HAVE_NATIVE_64_BIT
325 for (i = 0; i < ctx->nkeys; i += 8)
326 {
327 /* apply the inverse of the last half of F-function */
328 CAMELLIA_F_HALF_INV(ctx->keys[i+1]);
329 CAMELLIA_F_HALF_INV(ctx->keys[i+2]);
330 CAMELLIA_F_HALF_INV(ctx->keys[i+3]);
331 CAMELLIA_F_HALF_INV(ctx->keys[i+4]);
332 CAMELLIA_F_HALF_INV(ctx->keys[i+5]);
333 CAMELLIA_F_HALF_INV(ctx->keys[i+6]);
334 }
335 #endif
336 }
Tomato firmware and modifications.