1 /* $NetBSD: cast128.c,v 1.10 2014/01/01 15:18:57 pgoyette Exp $ */
2 /* $OpenBSD: cast.c,v 1.2 2000/06/06 06:49:47 deraadt Exp $ */
3
4 /*
5 * CAST-128 in C
6 * Written by Steve Reid <sreid@sea-to-sky.net>
7 * 100% Public Domain - no warranty
8 * Released 1997.10.11
9 */
10
11 #include <sys/cdefs.h>
12 __KERNEL_RCSID(0, "$NetBSD: cast128.c,v 1.10 2014/01/01 15:18:57 pgoyette Exp $");
13
14 #include <sys/types.h>
15 #include <sys/errno.h>
16 #include <sys/module.h>
17
18 #include <crypto/cast128/cast128.h>
19 #include <crypto/cast128/cast128sb.h>
20
21 /* Macros to access 8-bit bytes out of a 32-bit word */
22 #define U_INT8_Ta(x) ( (u_int8_t) (x>>24) )
23 #define U_INT8_Tb(x) ( (u_int8_t) ((x>>16)&255) )
24 #define U_INT8_Tc(x) ( (u_int8_t) ((x>>8)&255) )
25 #define U_INT8_Td(x) ( (u_int8_t) ((x)&255) )
26
27 /* Circular left shift */
28 #define ROL(x, n) ( ((x)<<(n)) | ((x)>>(32-(n))) )
29
30 /* CAST-128 uses three different round functions */
31 #define F1(l, r, i) \
32 t = ROL(key->xkey[i] + r, key->xkey[i+16]); \
33 l ^= ((cast_sbox1[U_INT8_Ta(t)] ^ cast_sbox2[U_INT8_Tb(t)]) - \
34 cast_sbox3[U_INT8_Tc(t)]) + cast_sbox4[U_INT8_Td(t)];
35 #define F2(l, r, i) \
36 t = ROL(key->xkey[i] ^ r, key->xkey[i+16]); \
37 l ^= ((cast_sbox1[U_INT8_Ta(t)] - cast_sbox2[U_INT8_Tb(t)]) + \
38 cast_sbox3[U_INT8_Tc(t)]) ^ cast_sbox4[U_INT8_Td(t)];
39 #define F3(l, r, i) \
40 t = ROL(key->xkey[i] - r, key->xkey[i+16]); \
41 l ^= ((cast_sbox1[U_INT8_Ta(t)] + cast_sbox2[U_INT8_Tb(t)]) ^ \
42 cast_sbox3[U_INT8_Tc(t)]) - cast_sbox4[U_INT8_Td(t)];
43
44
45 /***** Encryption Function *****/
46
cast128_encrypt(const cast128_key * key,const u_int8_t * inblock,u_int8_t * outblock)47 void cast128_encrypt(const cast128_key* key, const u_int8_t* inblock,
48 u_int8_t* outblock)
49 {
50 u_int32_t t, l, r;
51
52 /* Get inblock into l,r */
53 l = ((u_int32_t)inblock[0] << 24) | ((u_int32_t)inblock[1] << 16) |
54 ((u_int32_t)inblock[2] << 8) | (u_int32_t)inblock[3];
55 r = ((u_int32_t)inblock[4] << 24) | ((u_int32_t)inblock[5] << 16) |
56 ((u_int32_t)inblock[6] << 8) | (u_int32_t)inblock[7];
57 /* Do the work */
58 F1(l, r, 0);
59 F2(r, l, 1);
60 F3(l, r, 2);
61 F1(r, l, 3);
62 F2(l, r, 4);
63 F3(r, l, 5);
64 F1(l, r, 6);
65 F2(r, l, 7);
66 F3(l, r, 8);
67 F1(r, l, 9);
68 F2(l, r, 10);
69 F3(r, l, 11);
70 /* Only do full 16 rounds if key length > 80 bits */
71 if (key->rounds > 12) {
72 F1(l, r, 12);
73 F2(r, l, 13);
74 F3(l, r, 14);
75 F1(r, l, 15);
76 }
77 /* Put l,r into outblock */
78 outblock[0] = U_INT8_Ta(r);
79 outblock[1] = U_INT8_Tb(r);
80 outblock[2] = U_INT8_Tc(r);
81 outblock[3] = U_INT8_Td(r);
82 outblock[4] = U_INT8_Ta(l);
83 outblock[5] = U_INT8_Tb(l);
84 outblock[6] = U_INT8_Tc(l);
85 outblock[7] = U_INT8_Td(l);
86 /* Wipe clean */
87 t = l = r = 0;
88 }
89
90
91 /***** Decryption Function *****/
92
cast128_decrypt(const cast128_key * key,const u_int8_t * inblock,u_int8_t * outblock)93 void cast128_decrypt(const cast128_key* key, const u_int8_t* inblock,
94 u_int8_t* outblock)
95 {
96 u_int32_t t, l, r;
97
98 /* Get inblock into l,r */
99 r = ((u_int32_t)inblock[0] << 24) | ((u_int32_t)inblock[1] << 16) |
100 ((u_int32_t)inblock[2] << 8) | (u_int32_t)inblock[3];
101 l = ((u_int32_t)inblock[4] << 24) | ((u_int32_t)inblock[5] << 16) |
102 ((u_int32_t)inblock[6] << 8) | (u_int32_t)inblock[7];
103 /* Do the work */
104 /* Only do full 16 rounds if key length > 80 bits */
105 if (key->rounds > 12) {
106 F1(r, l, 15);
107 F3(l, r, 14);
108 F2(r, l, 13);
109 F1(l, r, 12);
110 }
111 F3(r, l, 11);
112 F2(l, r, 10);
113 F1(r, l, 9);
114 F3(l, r, 8);
115 F2(r, l, 7);
116 F1(l, r, 6);
117 F3(r, l, 5);
118 F2(l, r, 4);
119 F1(r, l, 3);
120 F3(l, r, 2);
121 F2(r, l, 1);
122 F1(l, r, 0);
123 /* Put l,r into outblock */
124 outblock[0] = U_INT8_Ta(l);
125 outblock[1] = U_INT8_Tb(l);
126 outblock[2] = U_INT8_Tc(l);
127 outblock[3] = U_INT8_Td(l);
128 outblock[4] = U_INT8_Ta(r);
129 outblock[5] = U_INT8_Tb(r);
130 outblock[6] = U_INT8_Tc(r);
131 outblock[7] = U_INT8_Td(r);
132 /* Wipe clean */
133 t = l = r = 0;
134 }
135
136
137 /***** Key Schedual *****/
138
cast128_setkey(cast128_key * key,const u_int8_t * rawkey,int keybytes)139 void cast128_setkey(cast128_key* key, const u_int8_t* rawkey, int keybytes)
140 {
141 u_int32_t t[4], z[4], x[4];
142 int i;
143
144 /* Set number of rounds to 12 or 16, depending on key length */
145 key->rounds = (keybytes <= 10 ? 12 : 16);
146
147 /* Copy key to workspace x */
148 for (i = 0; i < 4; i++) {
149 x[i] = 0;
150 t[i] = z[i] = 0; /* XXX gcc */
151 if ((i*4+0) < keybytes) x[i] = (u_int32_t)rawkey[i*4+0] << 24;
152 if ((i*4+1) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+1] << 16;
153 if ((i*4+2) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+2] << 8;
154 if ((i*4+3) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+3];
155 }
156 /* Generate 32 subkeys, four at a time */
157 for (i = 0; i < 32; i+=4) {
158 switch (i & 4) {
159 case 0:
160 t[0] = z[0] = x[0] ^ cast_sbox5[U_INT8_Tb(x[3])] ^
161 cast_sbox6[U_INT8_Td(x[3])] ^ cast_sbox7[U_INT8_Ta(x[3])] ^
162 cast_sbox8[U_INT8_Tc(x[3])] ^ cast_sbox7[U_INT8_Ta(x[2])];
163 t[1] = z[1] = x[2] ^ cast_sbox5[U_INT8_Ta(z[0])] ^
164 cast_sbox6[U_INT8_Tc(z[0])] ^ cast_sbox7[U_INT8_Tb(z[0])] ^
165 cast_sbox8[U_INT8_Td(z[0])] ^ cast_sbox8[U_INT8_Tc(x[2])];
166 t[2] = z[2] = x[3] ^ cast_sbox5[U_INT8_Td(z[1])] ^
167 cast_sbox6[U_INT8_Tc(z[1])] ^ cast_sbox7[U_INT8_Tb(z[1])] ^
168 cast_sbox8[U_INT8_Ta(z[1])] ^ cast_sbox5[U_INT8_Tb(x[2])];
169 t[3] = z[3] = x[1] ^ cast_sbox5[U_INT8_Tc(z[2])] ^
170 cast_sbox6[U_INT8_Tb(z[2])] ^ cast_sbox7[U_INT8_Td(z[2])] ^
171 cast_sbox8[U_INT8_Ta(z[2])] ^ cast_sbox6[U_INT8_Td(x[2])];
172 break;
173 case 4:
174 t[0] = x[0] = z[2] ^ cast_sbox5[U_INT8_Tb(z[1])] ^
175 cast_sbox6[U_INT8_Td(z[1])] ^ cast_sbox7[U_INT8_Ta(z[1])] ^
176 cast_sbox8[U_INT8_Tc(z[1])] ^ cast_sbox7[U_INT8_Ta(z[0])];
177 t[1] = x[1] = z[0] ^ cast_sbox5[U_INT8_Ta(x[0])] ^
178 cast_sbox6[U_INT8_Tc(x[0])] ^ cast_sbox7[U_INT8_Tb(x[0])] ^
179 cast_sbox8[U_INT8_Td(x[0])] ^ cast_sbox8[U_INT8_Tc(z[0])];
180 t[2] = x[2] = z[1] ^ cast_sbox5[U_INT8_Td(x[1])] ^
181 cast_sbox6[U_INT8_Tc(x[1])] ^ cast_sbox7[U_INT8_Tb(x[1])] ^
182 cast_sbox8[U_INT8_Ta(x[1])] ^ cast_sbox5[U_INT8_Tb(z[0])];
183 t[3] = x[3] = z[3] ^ cast_sbox5[U_INT8_Tc(x[2])] ^
184 cast_sbox6[U_INT8_Tb(x[2])] ^ cast_sbox7[U_INT8_Td(x[2])] ^
185 cast_sbox8[U_INT8_Ta(x[2])] ^ cast_sbox6[U_INT8_Td(z[0])];
186 break;
187 }
188 switch (i & 12) {
189 case 0:
190 case 12:
191 key->xkey[i+0] = cast_sbox5[U_INT8_Ta(t[2])] ^ cast_sbox6[U_INT8_Tb(t[2])] ^
192 cast_sbox7[U_INT8_Td(t[1])] ^ cast_sbox8[U_INT8_Tc(t[1])];
193 key->xkey[i+1] = cast_sbox5[U_INT8_Tc(t[2])] ^ cast_sbox6[U_INT8_Td(t[2])] ^
194 cast_sbox7[U_INT8_Tb(t[1])] ^ cast_sbox8[U_INT8_Ta(t[1])];
195 key->xkey[i+2] = cast_sbox5[U_INT8_Ta(t[3])] ^ cast_sbox6[U_INT8_Tb(t[3])] ^
196 cast_sbox7[U_INT8_Td(t[0])] ^ cast_sbox8[U_INT8_Tc(t[0])];
197 key->xkey[i+3] = cast_sbox5[U_INT8_Tc(t[3])] ^ cast_sbox6[U_INT8_Td(t[3])] ^
198 cast_sbox7[U_INT8_Tb(t[0])] ^ cast_sbox8[U_INT8_Ta(t[0])];
199 break;
200 case 4:
201 case 8:
202 key->xkey[i+0] = cast_sbox5[U_INT8_Td(t[0])] ^ cast_sbox6[U_INT8_Tc(t[0])] ^
203 cast_sbox7[U_INT8_Ta(t[3])] ^ cast_sbox8[U_INT8_Tb(t[3])];
204 key->xkey[i+1] = cast_sbox5[U_INT8_Tb(t[0])] ^ cast_sbox6[U_INT8_Ta(t[0])] ^
205 cast_sbox7[U_INT8_Tc(t[3])] ^ cast_sbox8[U_INT8_Td(t[3])];
206 key->xkey[i+2] = cast_sbox5[U_INT8_Td(t[1])] ^ cast_sbox6[U_INT8_Tc(t[1])] ^
207 cast_sbox7[U_INT8_Ta(t[2])] ^ cast_sbox8[U_INT8_Tb(t[2])];
208 key->xkey[i+3] = cast_sbox5[U_INT8_Tb(t[1])] ^ cast_sbox6[U_INT8_Ta(t[1])] ^
209 cast_sbox7[U_INT8_Tc(t[2])] ^ cast_sbox8[U_INT8_Td(t[2])];
210 break;
211 }
212 switch (i & 12) {
213 case 0:
214 key->xkey[i+0] ^= cast_sbox5[U_INT8_Tc(z[0])];
215 key->xkey[i+1] ^= cast_sbox6[U_INT8_Tc(z[1])];
216 key->xkey[i+2] ^= cast_sbox7[U_INT8_Tb(z[2])];
217 key->xkey[i+3] ^= cast_sbox8[U_INT8_Ta(z[3])];
218 break;
219 case 4:
220 key->xkey[i+0] ^= cast_sbox5[U_INT8_Ta(x[2])];
221 key->xkey[i+1] ^= cast_sbox6[U_INT8_Tb(x[3])];
222 key->xkey[i+2] ^= cast_sbox7[U_INT8_Td(x[0])];
223 key->xkey[i+3] ^= cast_sbox8[U_INT8_Td(x[1])];
224 break;
225 case 8:
226 key->xkey[i+0] ^= cast_sbox5[U_INT8_Tb(z[2])];
227 key->xkey[i+1] ^= cast_sbox6[U_INT8_Ta(z[3])];
228 key->xkey[i+2] ^= cast_sbox7[U_INT8_Tc(z[0])];
229 key->xkey[i+3] ^= cast_sbox8[U_INT8_Tc(z[1])];
230 break;
231 case 12:
232 key->xkey[i+0] ^= cast_sbox5[U_INT8_Td(x[0])];
233 key->xkey[i+1] ^= cast_sbox6[U_INT8_Td(x[1])];
234 key->xkey[i+2] ^= cast_sbox7[U_INT8_Ta(x[2])];
235 key->xkey[i+3] ^= cast_sbox8[U_INT8_Tb(x[3])];
236 break;
237 }
238 if (i >= 16) {
239 key->xkey[i+0] &= 31;
240 key->xkey[i+1] &= 31;
241 key->xkey[i+2] &= 31;
242 key->xkey[i+3] &= 31;
243 }
244 }
245 /* Wipe clean */
246 for (i = 0; i < 4; i++) {
247 t[i] = x[i] = z[i] = 0;
248 }
249 }
250
251 /* Made in Canada */
252
253 #if defined(_KERNEL)
254
255 MODULE(MODULE_CLASS_MISC, cast128, NULL);
256
257 static int
cast128_modcmd(modcmd_t cmd,void * opaque)258 cast128_modcmd(modcmd_t cmd, void *opaque)
259 {
260
261 switch (cmd) {
262 case MODULE_CMD_INIT:
263 return 0;
264 case MODULE_CMD_FINI:
265 return 0;
266 default:
267 return ENOTTY;
268 }
269 }
270
271 #endif /* defined(KERNEL) */
272