// twofish.cpp - modified by Wei Dai from Matthew Skala's twofish.c
// The original code and all modifications are in the public domain.

#include "pch.h"
#include "twofish.h"
#include "misc.h"

NAMESPACE_BEGIN(CryptoPP)

// Implementation overview (table-driven Twofish):
//  - Mod/ReedSolomon build the RS-derived S-box key words used at key setup.
//  - h0/h are the key-dependent "h" function (q-box layers + key XORs, then
//    the MDS matrix via the mds tables).
//  - UncheckedSetKey expands the user key into 40 round subkeys (m_k) and
//    four MDS-folded S-box tables (m_s) so the round function is four
//    table lookups per half-word.
//  - Enc/Dec::ProcessAndXorBlock run 16 rounds through the ENC/DEC macros.
// Every nonlinear step here is a table lookup (q, mds, m_s) indexed by a
// key- or data-dependent byte, so this implementation is not constant-time
// with respect to cache behaviour; that is a property of the table-driven
// design, not of any single line below.
// `q`, `mds`, `m_k` and `m_s` are not defined in this file; presumably they
// are declared in twofish.h (q/mds as static tables, m_k/m_s as members).

// compute (c * x^4) mod (x^4 + (a + 1/a) * x^3 + a * x^2 + (a + 1/a) * x + 1)
// over GF(256)
//
// c is expected to be a single byte (the caller passes high>>24). The
// result packs the four coefficient products into one word:
//   byte 0: c            (coefficient 1)
//   byte 1: c*a + c/a    (coefficient a + 1/a)
//   byte 2: c*a          (coefficient a)
//   byte 3: c*a + c/a    (coefficient a + 1/a)
// with a = x, so "c*a" is a shift-left reduced by 0x14d when the top bit
// is set, and "c/a" is a shift-right reduced by 0x14d>>1 when the low bit
// is set.
static inline unsigned int Mod(unsigned int c)
{
	static const unsigned int modulus = 0x14d;
	// c2 = c * x in GF(2^8)
	unsigned int c2 = (c<<1) ^ ((c & 0x80) ? modulus : 0);
	// c1 = c * x + c / x in GF(2^8)
	unsigned int c1 = c2 ^ (c>>1) ^ ((c & 1) ? (modulus>>1) : 0);
	return c | (c1 << 8) | (c2 << 16) | (c1 << 24);
}

// compute RS(12,8) code with the above polynomial as generator
// this is equivalent to multiplying by the RS matrix
//
// The 64-bit input (high:low) is shifted left one byte per iteration for
// eight iterations; the byte shifted out of `high` is fed back through Mod,
// and the top byte of `low` moves into the bottom of `high`. The remainder
// left in `high` after all eight input bytes have been consumed is the
// 32-bit RS output.
static word32 ReedSolomon(word32 high, word32 low)
{
	for (unsigned int i=0; i<8; i++)
	{
		high = Mod(high>>24) ^ (high<<8) ^ (low>>24);
		low <<= 8;
	}
	return high;
}

// Key-dependent permutation stage of Twofish's h function, without the
// final MDS multiply (h() and the S-box setup in UncheckedSetKey apply the
// MDS step themselves).
//
// x     : a single byte; it is replicated into all four byte positions
//         before the q-box layers are applied.
// key   : key words read at even indices only (key[0], key[2], key[4],
//         key[6]), so callers select even or odd words of the expanded key
//         by passing `key` or `key+1` (see UncheckedSetKey).
// kLen  : number of 64-bit key halves, 2, 3 or 4; the switch falls through
//         on purpose so a longer key runs more q-box layers. Any other
//         value matches no case and the replicated x is returned unchanged.
inline word32 Twofish::Base::h0(word32 x, const word32 *key, unsigned int kLen)
{
	x = x | (x<<8) | (x<<16) | (x<<24);
	switch(kLen)
	{
// One q-box layer: each byte of t goes through q[a], q[b], q[c], q[d]
// respectively and the results are reassembled into a word.
#define Q(a, b, c, d, t) q[a][GETBYTE(t,0)] ^ (q[b][GETBYTE(t,1)] << 8) ^ (q[c][GETBYTE(t,2)] << 16) ^ (q[d][GETBYTE(t,3)] << 24)
	case 4: x = Q(1, 0, 0, 1, x) ^ key[6];
			// fall through: 256-bit keys also run the 192-bit layer
	case 3: x = Q(1, 1, 0, 0, x) ^ key[4];
			// fall through: 192-bit keys also run the 128-bit layers
	case 2: x = Q(0, 1, 0, 1, x) ^ key[2];
			x = Q(0, 0, 1, 1, x) ^ key[0];
	}
	return x;
}

// Full h function: h0 followed by the MDS matrix, applied as four table
// lookups (one mds table per byte position) XORed together.
inline word32 Twofish::Base::h(word32 x, const word32 *key, unsigned int kLen)
{
	x = h0(x, key, kLen);
	return mds[0][GETBYTE(x,0)] ^ mds[1][GETBYTE(x,1)] ^ mds[2][GETBYTE(x,2)] ^ mds[3][GETBYTE(x,3)];
}

// Key schedule. Fills m_k[0..39] (round subkeys; m_k[0..7] are the input and
// output whitening words, m_k[8..39] the 16 rounds' pairs) and the four
// key-dependent S-box tables m_s[0..3][0..255].
//
// userKey   : raw key bytes, loaded little-endian into 2*len words.
// keylength : validated by AssertValidKeyLength; it selects len, the number
//             of 64-bit key halves (<=16 bytes: 2, <=24: 3, else 4).
//             What GetUserKey does with a keylength that is not a multiple
//             of 8 is not visible here — confirm against its definition.
// The NameValuePairs argument is unused.
void Twofish::Base::UncheckedSetKey(const byte *userKey, unsigned int keylength, const NameValuePairs &)
{
	AssertValidKeyLength(keylength);

	unsigned int len = (keylength <= 16 ? 2 : (keylength <= 24 ? 3 : 4));
	// SecBlock is a project type; presumably it wipes its storage on
	// destruction, which is why the key words live in it rather than a
	// plain array.
	SecBlock<word32> key(len*2);
	GetUserKey(LITTLE_ENDIAN_ORDER, key.begin(), len*2, userKey, keylength);

	// Round subkeys: even words of the key feed h(2i), odd words feed
	// h(2i+1) (hence `key+1`, since h0 reads even indices only); the two
	// results are combined with the pseudo-Hadamard transform and rotations.
	unsigned int i;
	for (i=0; i<40; i+=2)
	{
		word32 a = h(i, key, len);
		word32 b = rotlFixed(h(i+1, key+1, len), 8);
		m_k[i] = a+b;
		m_k[i+1] = rotlFixed(a+2*b, 9);
	}

	// S-box key: one RS code word per 64-bit key half, stored in reverse
	// order at the even indices of svec (h0 reads only even indices, so the
	// odd entries are never written or read).
	SecBlock<word32> svec(2*len);
	for (i=0; i<len; i++)
		svec[2*(len-i-1)] = ReedSolomon(key[2*i+1], key[2*i]);
	// Precompute the key-dependent S-boxes with the MDS step folded in:
	// m_s[j][i] is the contribution of input byte j == i to the MDS output,
	// so G1/G2 below reproduce h() as four lookups and three XORs.
	for (i=0; i<256; i++)
	{
		word32 t = h0(i, svec, len);
		m_s[0][i] = mds[0][GETBYTE(t, 0)];
		m_s[1][i] = mds[1][GETBYTE(t, 1)];
		m_s[2][i] = mds[2][GETBYTE(t, 2)];
		m_s[3][i] = mds[3][GETBYTE(t, 3)];
	}
}

// G1(x): the key-dependent g function, h() on x via the folded m_s tables.
// G2(x): the same with the byte positions rotated, i.e. G1 applied to x
//        rotated left by 8 bits.
#define G1(x) (m_s[0][GETBYTE(x,0)] ^ m_s[1][GETBYTE(x,1)] ^ m_s[2][GETBYTE(x,2)] ^ m_s[3][GETBYTE(x,3)])
#define G2(x) (m_s[0][GETBYTE(x,3)] ^ m_s[1][GETBYTE(x,0)] ^ m_s[2][GETBYTE(x,1)] ^ m_s[3][GETBYTE(x,2)])

// One encryption round n: F(a, b) = PHT(G1(a), G2(b)) plus subkeys k[2n],
// k[2n+1]; the results are mixed into c and d with the 1-bit rotations.
// Relies on locals `x`, `y` and the subkey pointer `k` declared in the
// enclosing function body.
#define ENCROUND(n, a, b, c, d) \
	x = G1 (a); y = G2 (b); \
	x += y; y += x + k[2 * (n) + 1]; \
	(c) ^= x + k[2 * (n)]; \
	(c) = rotrFixed(c, 1); \
	(d) = rotlFixed(d, 1) ^ y

// Two rounds (2n and 2n+1); the second round swaps the half-block roles
// instead of swapping the words themselves.
#define ENCCYCLE(n) \
	ENCROUND (2 * (n), a, b, c, d); \
	ENCROUND (2 * (n) + 1, c, d, a, b)

// Inverse of ENCROUND for round n: same F(a, b), but the rotations are
// undone in the opposite order before the XORs.
#define DECROUND(n, a, b, c, d) \
	x = G1 (a); y = G2 (b); \
	x += y; y += x; \
	(d) ^= y + k[2 * (n) + 1]; \
	(d) = rotrFixed(d, 1); \
	(c) = rotlFixed(c, 1); \
	(c) ^= (x + k[2 * (n)])

// Inverse of ENCCYCLE: round 2n+1 first, then round 2n.
#define DECCYCLE(n) \
	DECROUND (2 * (n) + 1, c, d, a, b); \
	DECROUND (2 * (n), a, b, c, d)

// Little-endian 32-bit word load/store helper (project type).
typedef BlockGetAndPut<word32, LittleEndian> Block;

// Encrypt one 16-byte block: input whitening with m_k[0..3], 16 rounds with
// subkeys m_k[8..39], output whitening with m_k[4..7]. The final half-swap
// is realised by storing the words in the order (c, d, a, b).
// `xorBlock` is forwarded to Block::Put; presumably its bytes are XORed into
// the output when non-null — confirm against BlockGetAndPut.
void Twofish::Enc::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, byte *outBlock) const
{
	// x and y are scratch words used by the ENCROUND macro
	word32 x, y, a, b, c, d;

	Block::Get(inBlock)(a)(b)(c)(d);

	a ^= m_k[0];
	b ^= m_k[1];
	c ^= m_k[2];
	d ^= m_k[3];

	// k[2n], k[2n+1] inside the macros index the round subkeys from m_k[8]
	const word32 *k = m_k+8;
	ENCCYCLE (0);
	ENCCYCLE (1);
	ENCCYCLE (2);
	ENCCYCLE (3);
	ENCCYCLE (4);
	ENCCYCLE (5);
	ENCCYCLE (6);
	ENCCYCLE (7);

	c ^= m_k[4];
	d ^= m_k[5];
	a ^= m_k[6];
	b ^= m_k[7];

	Block::Put(xorBlock, outBlock)(c)(d)(a)(b);
}

// Decrypt one 16-byte block: mirror image of Enc::ProcessAndXorBlock. The
// words are loaded into (c, d, a, b) to undo the encryption's store order,
// whitened with m_k[4..7], run through the cycles in reverse, and finally
// whitened with m_k[0..3] before being stored as (a, b, c, d).
void Twofish::Dec::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, byte *outBlock) const
{
	// x and y are scratch words used by the DECROUND macro
	word32 x, y, a, b, c, d;

	Block::Get(inBlock)(c)(d)(a)(b);

	c ^= m_k[4];
	d ^= m_k[5];
	a ^= m_k[6];
	b ^= m_k[7];

	// same subkey base as encryption; the cycles are applied in reverse order
	const word32 *k = m_k+8;
	DECCYCLE (7);
	DECCYCLE (6);
	DECCYCLE (5);
	DECCYCLE (4);
	DECCYCLE (3);
	DECCYCLE (2);
	DECCYCLE (1);
	DECCYCLE (0);

	a ^= m_k[0];
	b ^= m_k[1];
	c ^= m_k[2];
	d ^= m_k[3];

	Block::Put(xorBlock, outBlock)(a)(b)(c)(d);
}

NAMESPACE_END