1 |
|
2 |
/* This is an independent implementation of the encryption algorithm: */ |
3 |
/* */ |
4 |
/* Twofish by Bruce Schneier and colleagues */ |
5 |
/* */ |
6 |
/* which is a candidate algorithm in the Advanced Encryption Standard */ |
7 |
/* programme of the US National Institute of Standards and Technology. */ |
8 |
/* */ |
9 |
/* Copyright in this implementation is held by Dr B R Gladman but I */ |
10 |
/* hereby give permission for its free direct or derivative use subject */ |
11 |
/* to acknowledgment of its origin and compliance with any conditions */ |
12 |
/* that the originators of t he algorithm place on its exploitation. */ |
13 |
/* */ |
14 |
/* My thanks to Doug Whiting and Niels Ferguson for comments that led */ |
15 |
/* to improvements in this implementation. */ |
16 |
/* */ |
17 |
/* Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999 */ |
18 |
|
19 |
/* $Id: twofish.c,v 1.1.1.1 1999/10/15 22:49:23 nmav Exp $ */ |
20 |
|
21 |
/* Timing data for Twofish (twofish.c) |
22 |
|
23 |
128 bit key: |
24 |
Key Setup: 8414 cycles |
25 |
Encrypt: 376 cycles = 68.1 mbits/sec |
26 |
Decrypt: 374 cycles = 68.4 mbits/sec |
27 |
Mean: 375 cycles = 68.3 mbits/sec |
28 |
|
29 |
192 bit key: |
30 |
Key Setup: 11628 cycles |
31 |
Encrypt: 376 cycles = 68.1 mbits/sec |
32 |
Decrypt: 374 cycles = 68.4 mbits/sec |
33 |
Mean: 375 cycles = 68.3 mbits/sec |
34 |
|
35 |
256 bit key: |
36 |
Key Setup: 15457 cycles |
37 |
Encrypt: 381 cycles = 67.2 mbits/sec |
38 |
Decrypt: 374 cycles = 68.4 mbits/sec |
39 |
Mean: 378 cycles = 67.8 mbits/sec |
40 |
|
41 |
*/ |
42 |
|
43 |
#include "libdefs.h" |
44 |
#include "swap.h" |
45 |
#include "twofish.h" |
46 |
|
47 |
/* word32 k_len; |
48 |
* word32 l_key[40]; |
49 |
* word32 s_key[4]; |
50 |
*/ |
51 |
|
52 |
/* Extract byte from a 32 bit quantity (little endian notation) */ |
53 |
#define byte(x,n) ((word8)((x) >> (8 * n))) |
54 |
|
55 |
/* finite field arithmetic for GF(2**8) with the modular */ |
56 |
/* polynomial x^8 + x^6 + x^5 + x^3 + 1 (0x169) */ |
57 |
|
58 |
#define G_M 0x0169 |
59 |
|
60 |
word8 tab_5b[4] = { 0, G_M >> 2, G_M >> 1, (G_M >> 1) ^ (G_M >> 2) }; |
61 |
word8 tab_ef[4] = { 0, (G_M >> 1) ^ (G_M >> 2), G_M >> 1, G_M >> 2 }; |
62 |
|
63 |
#define ffm_01(x) (x) |
64 |
#define ffm_5b(x) ((x) ^ ((x) >> 2) ^ tab_5b[(x) & 3]) |
65 |
#define ffm_ef(x) ((x) ^ ((x) >> 1) ^ ((x) >> 2) ^ tab_ef[(x) & 3]) |
66 |
|
67 |
word8 ror4[16] = { 0, 8, 1, 9, 2, 10, 3, 11, 4, 12, 5, 13, 6, 14, 7, 15 }; |
68 |
word8 ashx[16] = { 0, 9, 2, 11, 4, 13, 6, 15, 8, 1, 10, 3, 12, 5, 14, 7 }; |
69 |
|
70 |
word8 qt0[2][16] = { |
71 |
{8, 1, 7, 13, 6, 15, 3, 2, 0, 11, 5, 9, 14, 12, 10, 4}, |
72 |
{2, 8, 11, 13, 15, 7, 6, 14, 3, 1, 9, 4, 0, 10, 12, 5} |
73 |
}; |
74 |
|
75 |
word8 qt1[2][16] = { |
76 |
{14, 12, 11, 8, 1, 2, 3, 5, 15, 4, 10, 6, 7, 0, 9, 13}, |
77 |
{1, 14, 2, 11, 4, 12, 3, 7, 6, 13, 10, 5, 15, 9, 0, 8} |
78 |
}; |
79 |
|
80 |
word8 qt2[2][16] = { |
81 |
{11, 10, 5, 14, 6, 13, 9, 0, 12, 8, 15, 3, 2, 4, 7, 1}, |
82 |
{4, 12, 7, 5, 1, 6, 9, 10, 0, 14, 13, 8, 2, 11, 3, 15} |
83 |
}; |
84 |
|
85 |
word8 qt3[2][16] = { |
86 |
{13, 7, 15, 4, 1, 2, 6, 14, 9, 11, 3, 0, 8, 5, 12, 10}, |
87 |
{11, 9, 5, 1, 12, 3, 13, 14, 6, 4, 7, 15, 2, 0, 8, 10} |
88 |
}; |
89 |
|
90 |
word8 qp(const word32 n, const word8 x) |
91 |
{ |
92 |
word8 a0, a1, a2, a3, a4, b0, b1, b2, b3, b4; |
93 |
|
94 |
a0 = x >> 4; |
95 |
b0 = x & 15; |
96 |
a1 = a0 ^ b0; |
97 |
b1 = ror4[b0] ^ ashx[a0]; |
98 |
a2 = qt0[n][a1]; |
99 |
b2 = qt1[n][b1]; |
100 |
a3 = a2 ^ b2; |
101 |
b3 = ror4[b2] ^ ashx[a2]; |
102 |
a4 = qt2[n][a3]; |
103 |
b4 = qt3[n][b3]; |
104 |
return (b4 << 4) | a4; |
105 |
} |
106 |
|
107 |
#ifdef Q_TABLES |
108 |
|
109 |
#define q(n,x) pkey->q_tab[n][x] |
110 |
|
111 |
void gen_qtab(TWI * pkey) |
112 |
{ |
113 |
word32 i; |
114 |
|
115 |
for (i = 0; i < 256; ++i) { |
116 |
q(0, i) = qp(0, (word8) i); |
117 |
q(1, i) = qp(1, (word8) i); |
118 |
} |
119 |
} |
120 |
|
121 |
#else |
122 |
|
123 |
#define q(n,x) qp(n, x) |
124 |
|
125 |
#endif |
126 |
|
127 |
#ifdef M_TABLE |
128 |
|
129 |
void gen_mtab(TWI * pkey) |
130 |
{ |
131 |
word32 i, f01, f5b, fef; |
132 |
|
133 |
for (i = 0; i < 256; ++i) { |
134 |
f01 = q(1, i); |
135 |
f5b = ffm_5b(f01); |
136 |
fef = ffm_ef(f01); |
137 |
pkey->m_tab[0][i] = |
138 |
f01 + (f5b << 8) + (fef << 16) + (fef << 24); |
139 |
pkey->m_tab[2][i] = |
140 |
f5b + (fef << 8) + (f01 << 16) + (fef << 24); |
141 |
|
142 |
f01 = q(0, i); |
143 |
f5b = ffm_5b(f01); |
144 |
fef = ffm_ef(f01); |
145 |
pkey->m_tab[1][i] = |
146 |
fef + (fef << 8) + (f5b << 16) + (f01 << 24); |
147 |
pkey->m_tab[3][i] = |
148 |
f5b + (f01 << 8) + (fef << 16) + (f5b << 24); |
149 |
} |
150 |
} |
151 |
|
152 |
#define mds(n,x) pkey->m_tab[n][x] |
153 |
|
154 |
#else |
155 |
|
156 |
#define fm_00 ffm_01 |
157 |
#define fm_10 ffm_5b |
158 |
#define fm_20 ffm_ef |
159 |
#define fm_30 ffm_ef |
160 |
#define q_0(x) q(1,x) |
161 |
|
162 |
#define fm_01 ffm_ef |
163 |
#define fm_11 ffm_ef |
164 |
#define fm_21 ffm_5b |
165 |
#define fm_31 ffm_01 |
166 |
#define q_1(x) q(0,x) |
167 |
|
168 |
#define fm_02 ffm_5b |
169 |
#define fm_12 ffm_ef |
170 |
#define fm_22 ffm_01 |
171 |
#define fm_32 ffm_ef |
172 |
#define q_2(x) q(1,x) |
173 |
|
174 |
#define fm_03 ffm_5b |
175 |
#define fm_13 ffm_01 |
176 |
#define fm_23 ffm_ef |
177 |
#define fm_33 ffm_5b |
178 |
#define q_3(x) q(0,x) |
179 |
|
180 |
#define f_0(n,x) ((word32)fm_0##n(x)) |
181 |
#define f_1(n,x) ((word32)fm_1##n(x) << 8) |
182 |
#define f_2(n,x) ((word32)fm_2##n(x) << 16) |
183 |
#define f_3(n,x) ((word32)fm_3##n(x) << 24) |
184 |
|
185 |
#define mds(n,x) f_0(n,q_##n(x)) ^ f_1(n,q_##n(x)) ^ f_2(n,q_##n(x)) ^ f_3(n,q_##n(x)) |
186 |
|
187 |
#endif |
188 |
|
189 |
word32 h_fun(TWI * pkey, const word32 x, const word32 key[]) |
190 |
{ |
191 |
word32 b0, b1, b2, b3; |
192 |
|
193 |
#ifndef M_TABLE |
194 |
word32 m5b_b0, m5b_b1, m5b_b2, m5b_b3; |
195 |
word32 mef_b0, mef_b1, mef_b2, mef_b3; |
196 |
#endif |
197 |
|
198 |
b0 = byte(x, 0); |
199 |
b1 = byte(x, 1); |
200 |
b2 = byte(x, 2); |
201 |
b3 = byte(x, 3); |
202 |
|
203 |
switch (pkey->k_len) { |
204 |
case 4: |
205 |
b0 = q(1, b0) ^ byte(key[3], 0); |
206 |
b1 = q(0, b1) ^ byte(key[3], 1); |
207 |
b2 = q(0, b2) ^ byte(key[3], 2); |
208 |
b3 = q(1, b3) ^ byte(key[3], 3); |
209 |
case 3: |
210 |
b0 = q(1, b0) ^ byte(key[2], 0); |
211 |
b1 = q(1, b1) ^ byte(key[2], 1); |
212 |
b2 = q(0, b2) ^ byte(key[2], 2); |
213 |
b3 = q(0, b3) ^ byte(key[2], 3); |
214 |
case 2: |
215 |
b0 = q(0, q(0, b0) ^ byte(key[1], 0)) ^ byte(key[0], 0); |
216 |
b1 = q(0, q(1, b1) ^ byte(key[1], 1)) ^ byte(key[0], 1); |
217 |
b2 = q(1, q(0, b2) ^ byte(key[1], 2)) ^ byte(key[0], 2); |
218 |
b3 = q(1, q(1, b3) ^ byte(key[1], 3)) ^ byte(key[0], 3); |
219 |
} |
220 |
#ifdef M_TABLE |
221 |
|
222 |
return mds(0, b0) ^ mds(1, b1) ^ mds(2, b2) ^ mds(3, b3); |
223 |
|
224 |
#else |
225 |
|
226 |
b0 = q(1, b0); |
227 |
b1 = q(0, b1); |
228 |
b2 = q(1, b2); |
229 |
b3 = q(0, b3); |
230 |
m5b_b0 = ffm_5b(b0); |
231 |
m5b_b1 = ffm_5b(b1); |
232 |
m5b_b2 = ffm_5b(b2); |
233 |
m5b_b3 = ffm_5b(b3); |
234 |
mef_b0 = ffm_ef(b0); |
235 |
mef_b1 = ffm_ef(b1); |
236 |
mef_b2 = ffm_ef(b2); |
237 |
mef_b3 = ffm_ef(b3); |
238 |
b0 ^= mef_b1 ^ m5b_b2 ^ m5b_b3; |
239 |
b3 ^= m5b_b0 ^ mef_b1 ^ mef_b2; |
240 |
b2 ^= mef_b0 ^ m5b_b1 ^ mef_b3; |
241 |
b1 ^= mef_b0 ^ mef_b2 ^ m5b_b3; |
242 |
|
243 |
return b0 | (b3 << 8) | (b2 << 16) | (b1 << 24); |
244 |
|
245 |
#endif |
246 |
} |
247 |
|
248 |
#ifdef MK_TABLE |
249 |
|
250 |
#define q20(x) q(0,q(0,x) ^ byte(key[1],0)) ^ byte(key[0],0) |
251 |
#define q21(x) q(0,q(1,x) ^ byte(key[1],1)) ^ byte(key[0],1) |
252 |
#define q22(x) q(1,q(0,x) ^ byte(key[1],2)) ^ byte(key[0],2) |
253 |
#define q23(x) q(1,q(1,x) ^ byte(key[1],3)) ^ byte(key[0],3) |
254 |
|
255 |
#define q30(x) q(0,q(0,q(1, x) ^ byte(key[2],0)) ^ byte(key[1],0)) ^ byte(key[0],0) |
256 |
#define q31(x) q(0,q(1,q(1, x) ^ byte(key[2],1)) ^ byte(key[1],1)) ^ byte(key[0],1) |
257 |
#define q32(x) q(1,q(0,q(0, x) ^ byte(key[2],2)) ^ byte(key[1],2)) ^ byte(key[0],2) |
258 |
#define q33(x) q(1,q(1,q(0, x) ^ byte(key[2],3)) ^ byte(key[1],3)) ^ byte(key[0],3) |
259 |
|
260 |
#define q40(x) q(0,q(0,q(1, q(1, x) ^ byte(key[3],0)) ^ byte(key[2],0)) ^ byte(key[1],0)) ^ byte(key[0],0) |
261 |
#define q41(x) q(0,q(1,q(1, q(0, x) ^ byte(key[3],1)) ^ byte(key[2],1)) ^ byte(key[1],1)) ^ byte(key[0],1) |
262 |
#define q42(x) q(1,q(0,q(0, q(0, x) ^ byte(key[3],2)) ^ byte(key[2],2)) ^ byte(key[1],2)) ^ byte(key[0],2) |
263 |
#define q43(x) q(1,q(1,q(0, q(1, x) ^ byte(key[3],3)) ^ byte(key[2],3)) ^ byte(key[1],3)) ^ byte(key[0],3) |
264 |
|
265 |
void gen_mk_tab(TWI * pkey, word32 key[]) |
266 |
{ |
267 |
word32 i; |
268 |
word8 by; |
269 |
|
270 |
switch (pkey->k_len) { |
271 |
case 2: |
272 |
for (i = 0; i < 256; ++i) { |
273 |
by = (word8) i; |
274 |
#ifdef ONE_STEP |
275 |
pkey->mk_tab[0][i] = mds(0, q20(by)); |
276 |
pkey->mk_tab[1][i] = mds(1, q21(by)); |
277 |
pkey->mk_tab[2][i] = mds(2, q22(by)); |
278 |
pkey->mk_tab[3][i] = mds(3, q23(by)); |
279 |
#else |
280 |
pkey->sb[0][i] = q20(by); |
281 |
pkey->sb[1][i] = q21(by); |
282 |
pkey->sb[2][i] = q22(by); |
283 |
pkey->sb[3][i] = q23(by); |
284 |
#endif |
285 |
} |
286 |
break; |
287 |
|
288 |
case 3: |
289 |
for (i = 0; i < 256; ++i) { |
290 |
by = (word8) i; |
291 |
#ifdef ONE_STEP |
292 |
pkey->mk_tab[0][i] = mds(0, q30(by)); |
293 |
pkey->mk_tab[1][i] = mds(1, q31(by)); |
294 |
pkey->mk_tab[2][i] = mds(2, q32(by)); |
295 |
pkey->mk_tab[3][i] = mds(3, q33(by)); |
296 |
#else |
297 |
pkey->sb[0][i] = q30(by); |
298 |
pkey->sb[1][i] = q31(by); |
299 |
pkey->sb[2][i] = q32(by); |
300 |
pkey->sb[3][i] = q33(by); |
301 |
#endif |
302 |
} |
303 |
break; |
304 |
|
305 |
case 4: |
306 |
for (i = 0; i < 256; ++i) { |
307 |
by = (word8) i; |
308 |
#ifdef ONE_STEP |
309 |
pkey->mk_tab[0][i] = mds(0, q40(by)); |
310 |
pkey->mk_tab[1][i] = mds(1, q41(by)); |
311 |
pkey->mk_tab[2][i] = mds(2, q42(by)); |
312 |
pkey->mk_tab[3][i] = mds(3, q43(by)); |
313 |
#else |
314 |
pkey->sb[0][i] = q40(by); |
315 |
pkey->sb[1][i] = q41(by); |
316 |
pkey->sb[2][i] = q42(by); |
317 |
pkey->sb[3][i] = q43(by); |
318 |
#endif |
319 |
} |
320 |
} |
321 |
} |
322 |
|
323 |
#ifdef ONE_STEP |
324 |
#define g0_fun(x) ( pkey->mk_tab[0][byte(x,0)] ^ pkey->mk_tab[1][byte(x,1)] \ |
325 |
^ pkey->mk_tab[2][byte(x,2)] ^ pkey->mk_tab[3][byte(x,3)] ) |
326 |
#define g1_fun(x) ( pkey->mk_tab[0][byte(x,3)] ^ pkey->mk_tab[1][byte(x,0)] \ |
327 |
^ pkey->mk_tab[2][byte(x,1)] ^ pkey->mk_tab[3][byte(x,2)] ) |
328 |
#else |
329 |
#define g0_fun(x) ( mds(0, pkey->sb[0][byte(x,0)]) ^ mds(1, pkey->sb[1][byte(x,1)]) \ |
330 |
^ mds(2, pkey->sb[2][byte(x,2)]) ^ mds(3, pkey->sb[3][byte(x,3)]) ) |
331 |
#define g1_fun(x) ( mds(0, pkey->sb[0][byte(x,3)]) ^ mds(1, pkey->sb[1][byte(x,0)]) \ |
332 |
^ mds(2, pkey->sb[2][byte(x,1)]) ^ mds(3, pkey->sb[3][byte(x,2)]) ) |
333 |
#endif |
334 |
|
335 |
#else |
336 |
|
337 |
#define g0_fun(x) h_fun(pkey, x,pkey->s_key) |
338 |
#define g1_fun(x) h_fun(pkey, rotl(x,8),pkey->s_key) |
339 |
|
340 |
#endif |
341 |
|
342 |
/* The (12,8) Reed Soloman code has the generator polynomial |
343 |
|
344 |
g(x) = x^4 + (a + 1/a) * x^3 + a * x^2 + (a + 1/a) * x + 1 |
345 |
|
346 |
where the coefficients are in the finite field GF(2^8) with a |
347 |
modular polynomial a^8 + a^6 + a^3 + a^2 + 1. To generate the |
348 |
remainder we have to start with a 12th order polynomial with our |
349 |
eight input bytes as the coefficients of the 4th to 11th terms. |
350 |
That is: |
351 |
|
352 |
m[7] * x^11 + m[6] * x^10 ... + m[0] * x^4 + 0 * x^3 +... + 0 |
353 |
|
354 |
We then multiply the generator polynomial by m[7] * x^7 and subtract |
355 |
it - xor in GF(2^8) - from the above to eliminate the x^7 term (the |
356 |
artihmetic on the coefficients is done in GF(2^8). We then multiply |
357 |
the generator polynomial by x^6 * coeff(x^10) and use this to remove |
358 |
the x^10 term. We carry on in this way until the x^4 term is removed |
359 |
so that we are left with: |
360 |
|
361 |
r[3] * x^3 + r[2] * x^2 + r[1] 8 x^1 + r[0] |
362 |
|
363 |
which give the resulting 4 bytes of the remainder. This is equivalent |
364 |
to the matrix multiplication in the Twofish description but much faster |
365 |
to implement. |
366 |
|
367 |
*/ |
368 |
|
369 |
#define G_MOD 0x0000014d |
370 |
|
371 |
word32 mds_rem(word32 p0, word32 p1) |
372 |
{ |
373 |
word32 i, t, u; |
374 |
|
375 |
for (i = 0; i < 8; ++i) { |
376 |
t = p1 >> 24; /* get most significant coefficient */ |
377 |
|
378 |
p1 = (p1 << 8) | (p0 >> 24); |
379 |
p0 <<= 8; /* shift others up */ |
380 |
|
381 |
/* multiply t by a (the primitive element - i.e. left shift) */ |
382 |
|
383 |
u = (t << 1); |
384 |
|
385 |
if (t & 0x80) |
386 |
/* subtract modular polynomial on overflow */ |
387 |
u ^= G_MOD; |
388 |
|
389 |
p1 ^= t ^ (u << 16); /* remove t * (a * x^2 + 1) */ |
390 |
|
391 |
u ^= (t >> 1); /* form u = a * t + t / a = t * (a + 1 / a); */ |
392 |
|
393 |
if (t & 0x01) |
394 |
/* add the modular polynomial on underflow */ |
395 |
u ^= G_MOD >> 1; |
396 |
|
397 |
p1 ^= (u << 24) | (u << 8); /* remove t * (a + 1/a) * (x^3 + x) */ |
398 |
|
399 |
} |
400 |
|
401 |
return p1; |
402 |
} |
403 |
|
404 |
/* initialise the key schedule from the user supplied key */ |
405 |
|
406 |
void _mcrypt_twofish_set_key(TWI * pkey, const word32 in_key[], |
407 |
const word32 key_len) |
408 |
{ |
409 |
word32 i, a, b, me_key[4], mo_key[4]; |
410 |
|
411 |
#ifdef Q_TABLES |
412 |
pkey->qt_gen = 0; |
413 |
|
414 |
if (!pkey->qt_gen) { |
415 |
gen_qtab(pkey); |
416 |
pkey->qt_gen = 1; |
417 |
} |
418 |
#endif |
419 |
|
420 |
#ifdef M_TABLE |
421 |
pkey->mt_gen = 0; |
422 |
if (!pkey->mt_gen) { |
423 |
gen_mtab(pkey); |
424 |
pkey->mt_gen = 1; |
425 |
} |
426 |
#endif |
427 |
|
428 |
pkey->k_len = (key_len * 8) / 64; /* 2, 3 or 4 */ |
429 |
|
430 |
for (i = 0; i < pkey->k_len; ++i) { |
431 |
#ifdef WORDS_BIGENDIAN |
432 |
a = byteswap(in_key[i + i]); |
433 |
me_key[i] = a; |
434 |
b = byteswap(in_key[i + i + 1]); |
435 |
#else |
436 |
a = in_key[i + i]; |
437 |
me_key[i] = a; |
438 |
b = in_key[i + i + 1]; |
439 |
#endif |
440 |
mo_key[i] = b; |
441 |
pkey->s_key[pkey->k_len - i - 1] = mds_rem(a, b); |
442 |
} |
443 |
|
444 |
for (i = 0; i < 40; i += 2) { |
445 |
a = 0x01010101 * i; |
446 |
b = a + 0x01010101; |
447 |
a = h_fun(pkey, a, me_key); |
448 |
b = rotl(h_fun(pkey, b, mo_key), 8); |
449 |
pkey->l_key[i] = a + b; |
450 |
pkey->l_key[i + 1] = rotl(a + 2 * b, 9); |
451 |
} |
452 |
|
453 |
#ifdef MK_TABLE |
454 |
gen_mk_tab(pkey, pkey->s_key); |
455 |
#endif |
456 |
|
457 |
} |
458 |
|
459 |
/* encrypt a block of text */ |
460 |
|
461 |
#define f_rnd(i) \ |
462 |
t1 = g1_fun(blk[1]); t0 = g0_fun(blk[0]); \ |
463 |
blk[2] = rotr(blk[2] ^ (t0 + t1 + pkey->l_key[4 * (i) + 8]), 1); \ |
464 |
blk[3] = rotl(blk[3], 1) ^ (t0 + 2 * t1 + pkey->l_key[4 * (i) + 9]); \ |
465 |
t1 = g1_fun(blk[3]); t0 = g0_fun(blk[2]); \ |
466 |
blk[0] = rotr(blk[0] ^ (t0 + t1 + pkey->l_key[4 * (i) + 10]), 1); \ |
467 |
blk[1] = rotl(blk[1], 1) ^ (t0 + 2 * t1 + pkey->l_key[4 * (i) + 11]) |
468 |
|
469 |
void _mcrypt_twofish_encrypt(TWI * pkey, word32 * in_blk) |
470 |
{ |
471 |
word32 t0, t1, blk[4]; |
472 |
|
473 |
#ifndef WORDS_BIGENDIAN |
474 |
blk[0] = in_blk[0] ^ pkey->l_key[0]; |
475 |
blk[1] = in_blk[1] ^ pkey->l_key[1]; |
476 |
blk[2] = in_blk[2] ^ pkey->l_key[2]; |
477 |
blk[3] = in_blk[3] ^ pkey->l_key[3]; |
478 |
#else |
479 |
blk[0] = byteswap(in_blk[0]) ^ pkey->l_key[0]; |
480 |
blk[1] = byteswap(in_blk[1]) ^ pkey->l_key[1]; |
481 |
blk[2] = byteswap(in_blk[2]) ^ pkey->l_key[2]; |
482 |
blk[3] = byteswap(in_blk[3]) ^ pkey->l_key[3]; |
483 |
#endif |
484 |
|
485 |
f_rnd(0); |
486 |
f_rnd(1); |
487 |
f_rnd(2); |
488 |
f_rnd(3); |
489 |
f_rnd(4); |
490 |
f_rnd(5); |
491 |
f_rnd(6); |
492 |
f_rnd(7); |
493 |
|
494 |
#ifndef WORDS_BIGENDIAN |
495 |
in_blk[0] = blk[2] ^ pkey->l_key[4]; |
496 |
in_blk[1] = blk[3] ^ pkey->l_key[5]; |
497 |
in_blk[2] = blk[0] ^ pkey->l_key[6]; |
498 |
in_blk[3] = blk[1] ^ pkey->l_key[7]; |
499 |
#else |
500 |
in_blk[0] = byteswap(blk[2] ^ pkey->l_key[4]); |
501 |
in_blk[1] = byteswap(blk[3] ^ pkey->l_key[5]); |
502 |
in_blk[2] = byteswap(blk[0] ^ pkey->l_key[6]); |
503 |
in_blk[3] = byteswap(blk[1] ^ pkey->l_key[7]); |
504 |
#endif |
505 |
} |
506 |
|
507 |
/* decrypt a block of text */ |
508 |
|
509 |
#define i_rnd(i) \ |
510 |
t1 = g1_fun(blk[1]); t0 = g0_fun(blk[0]); \ |
511 |
blk[2] = rotl(blk[2], 1) ^ (t0 + t1 + pkey->l_key[4 * (i) + 10]); \ |
512 |
blk[3] = rotr(blk[3] ^ (t0 + 2 * t1 + pkey->l_key[4 * (i) + 11]), 1); \ |
513 |
t1 = g1_fun(blk[3]); t0 = g0_fun(blk[2]); \ |
514 |
blk[0] = rotl(blk[0], 1) ^ (t0 + t1 + pkey->l_key[4 * (i) + 8]); \ |
515 |
blk[1] = rotr(blk[1] ^ (t0 + 2 * t1 + pkey->l_key[4 * (i) + 9]), 1) |
516 |
|
517 |
void _mcrypt_twofish_decrypt(TWI * pkey, word32 * in_blk) |
518 |
{ |
519 |
word32 t0, t1, blk[4]; |
520 |
|
521 |
#ifdef WORDS_BIGENDIAN |
522 |
blk[0] = byteswap(in_blk[0]) ^ pkey->l_key[4]; |
523 |
blk[1] = byteswap(in_blk[1]) ^ pkey->l_key[5]; |
524 |
blk[2] = byteswap(in_blk[2]) ^ pkey->l_key[6]; |
525 |
blk[3] = byteswap(in_blk[3]) ^ pkey->l_key[7]; |
526 |
#else |
527 |
blk[0] = in_blk[0] ^ pkey->l_key[4]; |
528 |
blk[1] = in_blk[1] ^ pkey->l_key[5]; |
529 |
blk[2] = in_blk[2] ^ pkey->l_key[6]; |
530 |
blk[3] = in_blk[3] ^ pkey->l_key[7]; |
531 |
#endif |
532 |
|
533 |
i_rnd(7); |
534 |
i_rnd(6); |
535 |
i_rnd(5); |
536 |
i_rnd(4); |
537 |
i_rnd(3); |
538 |
i_rnd(2); |
539 |
i_rnd(1); |
540 |
i_rnd(0); |
541 |
|
542 |
#ifdef WORDS_BIGENDIAN |
543 |
in_blk[0] = byteswap(blk[2] ^ pkey->l_key[0]); |
544 |
in_blk[1] = byteswap(blk[3] ^ pkey->l_key[1]); |
545 |
in_blk[2] = byteswap(blk[0] ^ pkey->l_key[2]); |
546 |
in_blk[3] = byteswap(blk[1] ^ pkey->l_key[3]); |
547 |
#else |
548 |
in_blk[0] = blk[2] ^ pkey->l_key[0]; |
549 |
in_blk[1] = blk[3] ^ pkey->l_key[1]; |
550 |
in_blk[2] = blk[0] ^ pkey->l_key[2]; |
551 |
in_blk[3] = blk[1] ^ pkey->l_key[3]; |
552 |
#endif |
553 |
|
554 |
} |