diff --git a/Doxyfile b/Doxyfile index 9a556c3..c2b7cce 100644 --- a/Doxyfile +++ b/Doxyfile @@ -23,7 +23,7 @@ PROJECT_NAME = LibTomCrypt # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.14 +PROJECT_NUMBER = 1.15 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/TODO b/TODO index 429aa2e..6967f5c 100644 --- a/TODO +++ b/TODO @@ -1,4 +1,8 @@ -- long term, start moving macros like CTR over to LTC_CTR to make LTC a bit more "drop-in-able". -- F8 mode could use some LTC_FAST love - +- document makefile flags [INSTALL_* for instance] +- document PK build flags +- merge PKCS #1 v1.5 back in, document changes to rsa_encrypt and rsa_sign +for v1.16 +- Add ECC double-mult-add to plugin and make optional accelerator for baseline and MECC_FP [two goals] +- add X9.63 IES +- add CPP macros like OpenSSL has for ASN1 (e.g. encode/decode functions, etc) shameless ripoff :-) diff --git a/changes b/changes index 51ff77c..434a10a 100644 --- a/changes +++ b/changes @@ -1,3 +1,44 @@ +November 17th, 2006 +v1.15 -- Andreas Lange found that if sha256_init DID fail in fortuna it wouldn't clean up the state correctly. Thanks. + Fortunately sha256_init cannot fail (as of v1.14) :-) + -- Andreas Lange contributed RMD-256 and RMD-320 code. + -- Removed mutex locks from fortuna_import as they create a deadlock and aren't required anyways [Avi Zelmanovich] + -- Added LTC_NO_PROTOTYPES to avoid prototyping functions like memset/memcpy. Required for fans of GCC 3.3.x + -- David Eder caught a off by one overrun bug in pmac_done() which can be exploited if your output tag buffer is + smaller than the block size of the cipher, e.g. if you have a 4-byte buffer and you tell pmac_done that you want + a 4-byte TAG it will store 4 bytes but return an outlen of 5. + -- Added signatures to the ECC and RSA benchmarks + -- Added LTC_PROFILE to run the PK tests only once in the timing demo (so you can capture events properly) + -- Andreas contributed PKCS #1 v1.5 code that merged cleanly with the existing PKCS code. w00t. + (update: I had to fix it to include the digestInfo and what not. Bad Andreas, bad! hehehe) + -- Fixed a signed variable error in gcm_process() (hard to trigger bug fortunately) + -- Removed all memcmp/memset/memcpy from the source (replaced with X macros) + -- Renamed macros HMAC/OMAC/PMAC to have a LTC_ prefix. If you pass these on the command line please update your makefiles + -- Added XCBC-MAC support [RFC 3566] + -- fixed LOAD32H and LOAD64H to stop putting out that darn warning :-) + -- Added the Korean SEED block cipher [RFC 4269] + -- Added LTC_VALGRIND define which makes SOBER-128 and RC4 a pure PRNG (and not a stream cipher). Useful if you use + Valgrind to debug your code (reported by Andreas Lange) + -- Made SOBER-128 more portable by removing the ASCII key in the test function (my bad, sorry). + -- Martin Mocko pointed out that if you have no PRNGs defined the lib won't build. Fixed, also fixed for if you have no + hashes defined. + -- Sped up F8 mode with LTC_FAST + -- Made CTR mode RFC 3686 compliant (increment counter first), to enable, OR the value LTC_CTR_RFC3686 to the "mode" + parameter you pass to ctr_start(), otherwise it will be LTC compliant (e.g. encrypt then increment) + -- Added ctr_test() to test CTR mode against RFC 3686 + -- Added crypt_fsa() ... O_o + -- Fixed LTC_ECC_TIMING_RESISTANT so it once again builds properly (pt add/dbl are through the plugin now) + -- Added ANSI X9.63 (sec 4.3.6) import/export of public keys (cannot export to compressed formats but will import + hybrid compressed) + -- Added SECP curves for 112, 128, and 160 bits (only the 'r1' curves) + -- Added 3GPP-F9 MAC (thanks to Greg Rose for the test vectors) + -- Added the KASUMI block cipher + -- Added F9/XCBC/OMAC callbacks to the cipher plugin + -- Added RSA PKCS #1 v1.5 signature/encrypt tests to rsa_test.c + -- Fix to yarrow_test() to not call yarrow_done() which is invalid in that context (thanks Valgrind) + -- Christophe Devine pointed out that Anubis would fail on various 64-bit UNIX boxes when "x>>24" was used as an index, we needed + to mask it with 0xFF. Thanks. Fixed. + August 0x1E, 0x07D6 v1.14 -- Renamed the chaining mode macros from XXX to LTC_XXX_MODE. Should help avoid polluting the macro name space. -- clean up of SHA-256 @@ -18,7 +59,7 @@ v1.14 -- Renamed the chaining mode macros from XXX to LTC_XXX_MODE. Should help -- Minor updates to the technotes. -June 17th, 2005 +June 17th, 2006 v1.13 -- Fixed to fortuna_start() to clean up state if an error occurs. Not really useful at this stage (sha256 can't fail) but useful if I ever make fortuna pluggable -- Mike Marin submitted a whole bunch of patches for fixing up the libs on traditional UNIX platforms. Go AIX! Thanks! @@ -1484,6 +1525,6 @@ v0.02 -- Changed RC5 to only allow 12 to 24 rounds v0.01 -- We will call this the first version. /* $Source: /cvs/libtom/libtomcrypt/changes,v $ */ -/* $Revision: 1.224 $ */ -/* $Date: 2006/08/30 23:23:20 $ */ +/* $Revision: 1.257 $ */ +/* $Date: 2006/11/17 15:18:44 $ */ diff --git a/crypt.lof b/crypt.lof new file mode 100644 index 0000000..d3e95ad --- /dev/null +++ b/crypt.lof @@ -0,0 +1,22 @@ +\addvspace {10\p@ } +\addvspace {10\p@ } +\contentsline {figure}{\numberline {2.1}{\ignorespaces Load And Store Macros}}{9}{figure.2.1} +\contentsline {figure}{\numberline {2.2}{\ignorespaces Rotate Macros}}{9}{figure.2.2} +\addvspace {10\p@ } +\contentsline {figure}{\numberline {3.1}{\ignorespaces Built--In Software Ciphers}}{25}{figure.3.1} +\contentsline {figure}{\numberline {3.2}{\ignorespaces Twofish Build Options}}{27}{figure.3.2} +\addvspace {10\p@ } +\contentsline {figure}{\numberline {4.1}{\ignorespaces Built--In Software Hashes}}{63}{figure.4.1} +\addvspace {10\p@ } +\addvspace {10\p@ } +\contentsline {figure}{\numberline {6.1}{\ignorespaces List of Provided PRNGs}}{83}{figure.6.1} +\addvspace {10\p@ } +\addvspace {10\p@ } +\addvspace {10\p@ } +\contentsline {figure}{\numberline {9.1}{\ignorespaces DSA Key Sizes}}{111}{figure.9.1} +\addvspace {10\p@ } +\contentsline {figure}{\numberline {10.1}{\ignorespaces List of ASN.1 Supported Types}}{119}{figure.10.1} +\addvspace {10\p@ } +\addvspace {10\p@ } +\addvspace {10\p@ } +\addvspace {10\p@ } diff --git a/crypt.tex b/crypt.tex index f6f3f91..ed457e7 100644 --- a/crypt.tex +++ b/crypt.tex @@ -1,4 +1,5 @@ -\documentclass[a4paper]{book} +\documentclass[synpaper]{book} +\usepackage[dvips]{geometry} \usepackage{hyperref} \usepackage{makeidx} \usepackage{amssymb} @@ -6,6 +7,7 @@ \usepackage{alltt} \usepackage{graphicx} \usepackage{layout} +\usepackage{fancyhdr} \def\union{\cup} \def\intersect{\cap} \def\getsrandom{\stackrel{\rm R}{\gets}} @@ -29,7 +31,7 @@ \def\And{{\rm\ and\ }} \def\iff{\hspace{1em}\Longleftrightarrow\hspace{1em}} \def\implies{\Rightarrow} -\def\undefined{{\rm ``undefined"}} +\def\undefined{{\rm \textit{undefined}}} \def\Proof{\vspace{1ex}\noindent {\bf Proof:}\hspace{1em}} \let\oldphi\phi \def\phi{\varphi} @@ -41,63 +43,77 @@ \def\R{{\mathbb R}} \def\C{{\mathbb C}} \def\Q{{\mathbb Q}} - +\definecolor{DGray}{gray}{0.5} +\newcommand{\emailaddr}[1]{\mbox{$<${#1}$>$}} \def\twiddle{\raisebox{0.3ex}{\mbox{\tiny $\sim$}}} - \def\gap{\vspace{0.5ex}} \makeindex +\newcommand{\mysection}[1] % Re-define the chaptering command to use + { % THESE headers. + \section{#1} + \markboth{\textsf{www.libtomcrypt.com}}{\thesection ~ {#1}} + } + +\newcommand{\mystarsection}[1] % Re-define the chaptering command to use + { % THESE headers. + \section*{#1} + \markboth{\textsf{www.libtomcrypt.com}}{{#1}} + } +\pagestyle{empty} \begin{document} -\title{LibTomCrypt \\ Version 1.14} -\author{Tom St Denis \\ -\\ -tomstdenis@gmail.com \\ -http://libtomcrypt.com -} -\maketitle -This text and source code library are both hereby placed in the public domain. This book has been -formatted for A4 paper using the \LaTeX{} {\em book} macro package. +\frontmatter +\pagestyle{empty} -\vspace{15cm} +~ -\begin{flushright}Open Source. Open Academia. Open Minds. +\vspace{2in} -\mbox{ } +~ -Tom St Denis, +\begin{center} +\begin{Huge}LibTomCrypt\end{Huge} -Phone: (647)401-8220 +~ -3330 South Millway, Unit 20 +\begin{large}Developer Manual\end{large} -Mississauga, Ontario +~ -L5L 3H4 +\vspace{15mm} -Canada -\end{flushright} -\newpage + +\begin{tabular}{c} +Tom St Denis \\ +LibTom Projects +\end{tabular} +\end{center} +\vfil + +%\pagestyle{plain} \tableofcontents +\listoffigures +\pagestyle{myheadings} +\mainmatter \chapter{Introduction} -\section{What is the LibTomCrypt?} -LibTomCrypt is a portable ISO C cryptographic library that is meant to be a toolset for cryptographers who are -designing a cryptosystem. It supports symmetric ciphers, one-way hashes, pseudo-random number generators, -public key cryptography (via PKCS \#1 RSA, DH or ECCDH) and a plethora of support -routines. +\mysection{What is the LibTomCrypt?} +LibTomCrypt is a portable ISO C cryptographic library meant to be a tool set for cryptographers who are +designing cryptosystems. It supports symmetric ciphers, one-way hashes, pseudo-random number generators, +public key cryptography (via PKCS \#1 RSA, DH or ECCDH), and a plethora of support routines. -The library was designed such that new ciphers/hashes/PRNGs can be added at runtime and the existing API +The library was designed such that new ciphers/hashes/PRNGs can be added at run-time and the existing API (and helper API functions) are able to use the new designs automatically. There exists self-check functions for each block cipher and hash function to ensure that they compile and execute to the published design specifications. The library -also performs extensive parameter error checking to prevent any number of runtime exploits or errors. +also performs extensive parameter error checking to prevent any number of run-time exploits or errors. \subsection{What the library IS for?} The library serves as a toolkit for developers who have to solve cryptographic problems. Out of the box LibTomCrypt -does not process SSL or OpenPGP messages, it doesn't read x.591 certificates or write PEM encoded data. It does, however, +does not process SSL or OpenPGP messages, it doesn't read X.591 certificates, or write PEM encoded data. It does, however, provide all of the tools required to build such functionality. LibTomCrypt was designed to be a flexible library that was not tied to any particular cryptographic problem. -\section{Why did I write it?} -You may be wondering, ``Tom, why did you write a crypto library. I already have one.''. Well the reason falls into +\mysection{Why did I write it?} +You may be wondering, \textit{Tom, why did you write a crypto library. I already have one.} Well the reason falls into two categories: \begin{enumerate} \item I am too lazy to figure out someone else's API. I'd rather invent my own simpler API and use that. @@ -107,27 +123,27 @@ two categories: The idea is that I am not striving to replace OpenSSL or Crypto++ or Cryptlib or etc. I'm trying to write my {\bf own} crypto library and hopefully along the way others will appreciate the work. -With this library all core functions (ciphers, hashes, prngs) have the {\bf exact} same prototype definition. They all load +With this library all core functions (ciphers, hashes, prngs, and bignum) have the same prototype definition. They all load and store data in a format independent of the platform. This means if you encrypt with Blowfish on a PPC it should decrypt -on an x86 with zero problems. The consistent API also means that if you learn how to use Blowfish with my library you -know how to use Safer+ or RC6 or Serpent or ... as well. With all of the core functions there are central descriptor tables -that can be used to make a program automatically pick between ciphers, hashes and PRNGs at runtime. That means your -application can support all ciphers/hashes/prngs without changing the source code. +on an x86 with zero problems. The consistent API also means that if you learn how to use Blowfish with the library you +know how to use Safer+, RC6, or Serpent as well. With all of the core functions there are central descriptor tables +that can be used to make a program automatically pick between ciphers, hashes and PRNGs at run-time. That means your +application can support all ciphers/hashes/prngs/bignum without changing the source code. -Not only did I strive to make a consistent and simple API to work with but I also strived to make the library +Not only did I strive to make a consistent and simple API to work with but I also attempted to make the library configurable in terms of its build options. Out of the box the library will build with any modern version of GCC without having to use configure scripts. This means that the library will work with platforms where development tools may be limited (e.g. no autoconf). -On top of making the build simple and the API approachable I've also strived for a reasonably high level of +On top of making the build simple and the API approachable I've also attempted for a reasonably high level of robustness and efficiency. LibTomCrypt traps and returns a series of errors ranging from invalid arguments to buffer overflows/overruns. It is mostly thread safe and has been clocked on various platforms -with ``cycles per byte'' timings that are comparable (and often favourable) to other libraries such as OpenSSL and +with \textit{cycles per byte} timings that are comparable (and often favourable) to other libraries such as OpenSSL and Crypto++. \subsection{Modular} -The LibTomCrypt package has also been written to be very modular. The block ciphers, one--way hashes and -pseudo--random number generators (PRNG) are all used within the API through ``descriptor'' tables which +The LibTomCrypt package has also been written to be very modular. The block ciphers, one--way hashes, +pseudo--random number generators (PRNG), and bignum math routines are all used within the API through \textit{descriptor} tables which are essentially structures with pointers to functions. While you can still call particular functions directly (\textit{e.g. sha256\_process()}) this descriptor interface allows the developer to customize their usage of the library. @@ -135,7 +151,7 @@ usage of the library. For example, consider a hardware platform with a specialized RNG device. Obviously one would like to tap that for the PRNG needs within the library (\textit{e.g. making a RSA key}). All the developer has to do is write a descriptor and the few support routines required for the device. After that the rest of the -API can make use of it without change. Similiarly imagine a few years down the road when AES2 +API can make use of it without change. Similarly imagine a few years down the road when AES2 (\textit{or whatever they call it}) has been invented. It can be added to the library and used within applications with zero modifications to the end applications provided they are written properly. @@ -147,33 +163,21 @@ are not directly tied to the ciphers. That is a new cipher can be added to the the key setup, ECB decrypt and encrypt and test vector routines. After that all five chaining mode routines can make use of the cipher right away. -\section{License} - -All of the source code except for the following files have been written by the author or donated to the project -under a public domain license: - -\begin{enumerate} - \item rc2.c -\end{enumerate} - -`mpi.c'' was originally written by Michael Fromberger (sting@linguist.dartmouth.edu) but has since been replaced with -my LibTomMath library which is public domain. - -``rc2.c'' is based on publicly available code that is not attributed to a person from the given source. +\mysection{License} The project is hereby released as public domain. -\section{Patent Disclosure} +\mysection{Patent Disclosure} The author (Tom St Denis) is not a patent lawyer so this section is not to be treated as legal advice. To the best of the authors knowledge the only patent related issues within the library are the RC5 and RC6 symmetric block ciphers. -They can be removed from a build by simply commenting out the two appropriate lines in ``tomcrypt\_custom.h''. The rest +They can be removed from a build by simply commenting out the two appropriate lines in \textit{tomcrypt\_custom.h}. The rest of the ciphers and hashes are patent free or under patents that have since expired. The RC2 and RC4 symmetric ciphers are not under patents but are under trademark regulations. This means you can use the ciphers you just can't advertise that you are doing so. -\section{Thanks} +\mysection{Thanks} I would like to give thanks to the following people (in no particular order) for helping me develop this project from early on: \begin{enumerate} @@ -196,11 +200,11 @@ There have been quite a few other people as well. Please check the change log t time to time. \chapter{The Application Programming Interface (API)} -\section{Introduction} +\mysection{Introduction} \index{CRYPT\_ERROR} \index{CRYPT\_OK} In general the API is very simple to memorize and use. Most of the functions return either {\bf void} or {\bf int}. Functions -that return {\bf int} will return {\bf CRYPT\_OK} if the function was successful or one of the many error codes +that return {\bf int} will return {\bf CRYPT\_OK} if the function was successful, or one of the many error codes if it failed. Certain functions that return int will return $-1$ to indicate an error. These functions will be explicitly commented upon. When a function does return a CRYPT error code it can be translated into a string with @@ -210,6 +214,7 @@ const char *error_to_string(int err); \end{verbatim} An example of handling an error is: +\begin{small} \begin{verbatim} void somefunc(void) { @@ -217,33 +222,38 @@ void somefunc(void) /* call a cryptographic function */ if ((err = some_crypto_function(...)) != CRYPT_OK) { - printf("A crypto error occured, %s\n", error_to_string(err)); + printf("A crypto error occurred, %s\n", error_to_string(err)); /* perform error handling */ } - /* continue on if no error occured */ + /* continue on if no error occurred */ } \end{verbatim} +\end{small} There is no initialization routine for the library and for the most part the code is thread safe. The only thread related issue is if you use the same symmetric cipher, hash or public key state data in multiple threads. Normally that is not an issue. -To include the prototypes for ``LibTomCrypt.a'' into your own program simply include ``tomcrypt.h'' like so: +To include the prototypes for \textit{LibTomCrypt.a} into your own program simply include \textit{tomcrypt.h} like so: +\begin{small} \begin{verbatim} #include int main(void) { return 0; } \end{verbatim} +\end{small} -The header file ``tomcrypt.h'' also includes ``stdio.h'', ``string.h'', ``stdlib.h'', ``time.h'' and ``ctype.h''. +The header file \textit{tomcrypt.h} also includes \textit{stdio.h}, \textit{string.h}, \textit{stdlib.h}, \textit{time.h} and \textit{ctype.h}. -\section{Macros} +\mysection{Macros} There are a few helper macros to make the coding process a bit easier. The first set are related to loading and storing 32/64-bit words in little/big endian format. The macros are: \index{STORE32L} \index{STORE64L} \index{LOAD32L} \index{LOAD64L} \index{STORE32H} \index{STORE64H} \index{LOAD32H} \index{LOAD64H} \index{BSWAP} +\newpage +\begin{figure}[hpbt] \begin{small} \begin{center} \begin{tabular}{|c|c|c|} @@ -255,14 +265,18 @@ There are a few helper macros to make the coding process a bit easier. The firs \hline STORE64H(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $x \to y[7 \ldots 0]$ \\ \hline LOAD32H(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $y[3 \ldots 0] \to x$ \\ \hline LOAD64H(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $y[7 \ldots 0] \to x$ \\ - \hline BSWAP(x) & {\bf unsigned long} x & Swaps byte order (32--bits only) \\ + \hline BSWAP(x) & {\bf unsigned long} x & Swap bytes \\ \hline \end{tabular} +\caption{Load And Store Macros} \end{center} \end{small} +\end{figure} There are 32 and 64-bit cyclic rotations as well: \index{ROL} \index{ROR} \index{ROL64} \index{ROR64} \index{ROLc} \index{RORc} \index{ROL64c} \index{ROR64c} +\begin{figure}[hpbt] +\begin{small} \begin{center} \begin{tabular}{|c|c|c|} \hline ROL(x, y) & {\bf unsigned long} x, {\bf unsigned long} y & $x << y, 0 \le y \le 31$ \\ @@ -276,11 +290,17 @@ There are 32 and 64-bit cyclic rotations as well: \hline ROR64c(x, y) & {\bf unsigned long} x, {\bf const unsigned long} y & $x >> y, 0 \le y \le 63$ \\ \hline \end{tabular} +\caption{Rotate Macros} \end{center} +\end{small} +\end{figure} -\section{Functions with Variable Length Output} -Certain functions such as (for example) ``rsa\_export()'' give an output that is variable length. To prevent buffer overflows you +\mysection{Functions with Variable Length Output} +Certain functions such as (for example) \textit{rsa\_export()} give an output that is variable length. To prevent buffer overflows you must pass it the length of the buffer where the output will be stored. For example: +\index{rsa\_export()} +\index{error\_to\_string()} +\index{variable length output} \begin{small} \begin{verbatim} #include @@ -292,14 +312,16 @@ int main(void) { /* ... Make up the RSA key somehow ... */ - /* lets export the key, set x to the size of the output buffer */ + /* lets export the key, set x to the size of the + * output buffer */ x = sizeof(buffer); if ((err = rsa_export(buffer, &x, PK_PUBLIC, &key)) != CRYPT_OK) { printf("Export error: %s\n", error_to_string(err)); return -1; } - /* if rsa_export() was successful then x will have the size of the output */ + /* if rsa_export() was successful then x will have + * the size of the output */ printf("RSA exported key takes %d bytes\n", x); /* ... do something with the buffer */ @@ -309,43 +331,72 @@ int main(void) { \end{verbatim} \end{small} In the above example if the size of the RSA public key was more than 1024 bytes this function would return an error code -indicating a buffer overflow would have occurred. If the function succeeds it stores the length of the output -back into ``x'' so that the calling application will know how many bytes were used. +indicating a buffer overflow would have occurred. If the function succeeds, it stores the length of the output back into +\textit{x} so that the calling application will know how many bytes were used. As of v1.13, most functions will update your length on failure to indicate the size required by the function. Not all functions support this so please check the source before you rely on it doing that. -\section{Functions that need a PRNG} +\mysection{Functions that need a PRNG} \index{Pseudo Random Number Generator} \index{PRNG} -Certain functions such as ``rsa\_make\_key()'' require a Pseudo Random Number Generator (PRNG). These functions do not setup +Certain functions such as \textit{rsa\_make\_key()} require a Pseudo Random Number Generator (PRNG). These functions do not setup the PRNG themselves so it is the responsibility of the calling function to initialize the PRNG before calling them. -Certain PRNG algorithms do not require a ``prng\_state'' argument (sprng for example). The ``prng\_state'' argument +Certain PRNG algorithms do not require a \textit{prng\_state} argument (sprng for example). The \textit{prng\_state} argument may be passed as \textbf{NULL} in such situations. -\section{Functions that use Arrays of Octets} -Most functions require inputs that are arrays of the data type ``unsigned char''. Whether it is a symmetric key, IV -for a chaining mode or public key packet it is assumed that regardless of the actual size of ``unsigned char'' only the -lower eight bits contain data. For example, if you want to pass a 256 bit key to a symmetric ciphers setup routine -you must pass it in (a pointer to) an array of 32 ``unsigned char'' variables. Certain routines -(such as SAFER+) take special care to work properly on platforms where an ``unsigned char'' is not eight bits. +\index{register\_prng()} +\index{rsa\_make\_key()} +\begin{small} +\begin{verbatim} +#include +int main(void) { + rsa_key key; + int err; + + /* register the system RNG */ + register_prng(&sprng_desc) + + /* make a 1024-bit RSA key with the system RNG */ + if ((err = rsa_make_key(NULL, find_prng("sprng"), 1024/8, 65537, &key)) + != CRYPT_OK) { + printf("make_key error: %s\n", error_to_string(err)); + return -1; + } + + /* use the key ... */ + + return 0; +} +\end{verbatim} +\end{small} + +\mysection{Functions that use Arrays of Octets} +Most functions require inputs that are arrays of the data type \textit{unsigned char}. Whether it is a symmetric key, IV +for a chaining mode or public key packet it is assumed that regardless of the actual size of \textit{unsigned char} only the +lower eight bits contain data. For example, if you want to pass a 256 bit key to a symmetric ciphers setup routine, you +must pass in (a pointer to) an array of 32 \textit{unsigned char} variables. Certain routines (such as SAFER+) take +special care to work properly on platforms where an \textit{unsigned char} is not eight bits. + +For the purposes of this library, the term \textit{byte} will refer to an octet or eight bit word. Typically an array of +type \textit{byte} will be synonymous with an array of type \textit{unsigned char.} + + + -For the purposes of this library the term ``byte'' will refer to an octet or eight bit word. Typically an array of -type ``byte'' will be synonymous with an array of type ``unsigned char''. \chapter{Symmetric Block Ciphers} -\section{Core Functions} - -LibTomCrypt provides several block ciphers with an ECB block mode interface. It's important to first note that you -should never use the ECB modes directly to encrypt data. Instead you should use the ECB functions to make a chaining mode +\mysection{Core Functions} +LibTomCrypt provides several block ciphers with an ECB block mode interface. It is important to first note that you +should never use the ECB modes directly to encrypt data. Instead you should use the ECB functions to make a chaining mode, or use one of the provided chaining modes. All of the ciphers are written as ECB interfaces since it allows the rest of the API to grow in a modular fashion. \subsection{Key Scheduling} -All ciphers store their scheduled keys in a single data type called ``symmetric\_key''. This allows all ciphers to +All ciphers store their scheduled keys in a single data type called \textit{symmetric\_key}. This allows all ciphers to have the same prototype and store their keys as naturally as possible. This also removes the need for dynamic memory -allocation and allows you to allocate a fixed sized buffer for storing scheduled keys. All ciphers provide five visible -functions which are (given that XXX is the name of the cipher): +allocation, and allows you to allocate a fixed sized buffer for storing scheduled keys. All ciphers must provide six visible +functions which are (given that XXX is the name of the cipher) the following: \index{Cipher Setup} \begin{verbatim} int XXX_setup(const unsigned char *key, int keylen, int rounds, @@ -355,13 +406,15 @@ int XXX_setup(const unsigned char *key, int keylen, int rounds, The XXX\_setup() routine will setup the cipher to be used with a given number of rounds and a given key length (in bytes). The number of rounds can be set to zero to use the default, which is generally a good idea. -If the function returns successfully the variable ``skey'' will have a scheduled key stored in it. It's important to note -that you should only used this scheduled key with the intended cipher. For example, if you call ``blowfish\_setup()'' do not -pass the scheduled key onto ``rc5\_ecb\_encrypt()''. All setup functions do not allocate memory off the heap so when you are -done with a key you can simply discard it (e.g. they can be on the stack). +If the function returns successfully the variable \textit{skey} will have a scheduled key stored in it. It's important to note +that you should only used this scheduled key with the intended cipher. For example, if you call \textit{blowfish\_setup()} do not +pass the scheduled key onto \textit{rc5\_ecb\_encrypt()}. All built--in setup functions do not allocate memory off the heap so +when you are done with a key you can simply discard it (e.g. they can be on the stack). However, to maintain proper coding +practices you should always call the respective XXX\_done() function. This allows for quicker porting to applications with +externally supplied plugins. \subsection{ECB Encryption and Decryption} -To encrypt or decrypt a block in ECB mode there are these two function classes +To encrypt or decrypt a block in ECB mode there are these two functions per cipher: \index{Cipher Encrypt} \index{Cipher Decrypt} \begin{verbatim} int XXX_ecb_encrypt(const unsigned char *pt, unsigned char *ct, @@ -371,11 +424,11 @@ int XXX_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *skey); \end{verbatim} These two functions will encrypt or decrypt (respectively) a single block of text\footnote{The size of which depends on -which cipher you are using.} and store the result where you want it. It is possible that the input and output buffer are -the same buffer. For the encrypt function ``pt''\footnote{pt stands for plaintext.} is the input and -``ct''\footnote{ct stands for ciphertext.} is the output. For the decryption function it's the opposite. They both -return \textbf{CRYPT\_OK} on success. To test a particular -cipher against test vectors\footnote{As published in their design papers.} call the self-test function +which cipher you are using.}, storing the result in the \textit{ct} buffer (\textit{pt} resp.). It is possible that the input and output buffer are +the same buffer. For the encrypt function \textit{pt}\footnote{pt stands for plaintext.} is the input and +\textit{ct}\footnote{ct stands for ciphertext.} is the output. For the decryption function it's the opposite. They both +return \textbf{CRYPT\_OK} on success. To test a particular cipher against test vectors\footnote{As published in their design papers.} +call the following self-test function. \subsection{Self--Testing} \index{Cipher Testing} @@ -386,12 +439,12 @@ This function will return {\bf CRYPT\_OK} if the cipher matches the test vectors based upon. \subsection{Key Sizing} -For each cipher there is a function which will help find a desired key size: +For each cipher there is a function which will help find a desired key size. It is specified as follows: \begin{verbatim} int XXX_keysize(int *keysize); \end{verbatim} -Essentially it will round the input keysize in ``keysize'' down to the next appropriate key size. This function -return {\bf CRYPT\_OK} if the key size specified is acceptable. For example: +Essentially, it will round the input keysize in \textit{keysize} down to the next appropriate key size. This function +will return {\bf CRYPT\_OK} if the key size specified is acceptable. For example: \begin{small} \begin{verbatim} #include @@ -410,19 +463,19 @@ int main(void) } \end{verbatim} \end{small} -This should indicate a keysize of sixteen bytes is suggested. +This should indicate a keysize of sixteen bytes is suggested by storing 16 in \textit{keysize.} \subsection{Cipher Termination} When you are finished with a cipher you can de--initialize it with the done function. \begin{verbatim} void XXX_done(symmetric_key *skey); \end{verbatim} -For the software based ciphers within LibTomCrypt this function will not do anything. However, user supplied -cipher descriptors may require calls to it for resource management. To be compliant all functions which call a cipher +For the software based ciphers within LibTomCrypt, these functions will not do anything. However, user supplied +cipher descriptors may require to be called for resource management purposes. To be compliant, all functions which call a cipher setup function must also call the respective cipher done function when finished. \subsection{Simple Encryption Demonstration} -An example snippet that encodes a block with Blowfish in ECB mode is below. +An example snippet that encodes a block with Blowfish in ECB mode. \begin{small} \begin{verbatim} @@ -433,30 +486,30 @@ int main(void) symmetric_key skey; int err; - /* ... key is loaded appropriately in ``key'' ... */ - /* ... load a block of plaintext in ``pt'' ... */ + /* ... key is loaded appropriately in key ... */ + /* ... load a block of plaintext in pt ... */ /* schedule the key */ - if ((err = blowfish_setup(key, /* the key we will use */ - 8, /* key is 8 bytes (64-bits) long */ - 0, /* 0 == use default # of rounds */ - &skey) /* where to put the scheduled key */ + if ((err = blowfish_setup(key, /* the key we will use */ + 8, /* key is 8 bytes (64-bits) long */ + 0, /* 0 == use default # of rounds */ + &skey) /* where to put the scheduled key */ ) != CRYPT_OK) { printf("Setup error: %s\n", error_to_string(err)); return -1; } /* encrypt the block */ - blowfish_ecb_encrypt(pt, /* encrypt this 8-byte array */ - ct, /* store encrypted data here */ - &skey); /* our previously scheduled key */ + blowfish_ecb_encrypt(pt, /* encrypt this 8-byte array */ + ct, /* store encrypted data here */ + &skey); /* our previously scheduled key */ /* now ct holds the encrypted version of pt */ /* decrypt the block */ - blowfish_ecb_decrypt(ct, /* decrypt this 8-byte array */ - pt, /* store decrypted data here */ - &skey); /* our previously scheduled key */ + blowfish_ecb_decrypt(ct, /* decrypt this 8-byte array */ + pt, /* store decrypted data here */ + &skey); /* our previously scheduled key */ /* now we have decrypted ct to the original plaintext in pt */ @@ -468,11 +521,11 @@ int main(void) \end{verbatim} \end{small} -\section{Key Sizes and Number of Rounds} +\mysection{Key Sizes and Number of Rounds} \index{Symmetric Keys} -As a general rule of thumb do not use symmetric keys under 80 bits if you can. Only a few of the ciphers support smaller -keys (mainly for test vectors anyways). Ideally your application should be making at least 256 bit keys. This is not -because you're supposed to be paranoid. It's because if your PRNG has a bias of any sort the more bits the better. For +As a general rule of thumb, do not use symmetric keys under 80 bits if you can help it. Only a few of the ciphers support smaller +keys (mainly for test vectors anyways). Ideally, your application should be making at least 256 bit keys. This is not +because you are to be paranoid. It is because if your PRNG has a bias of any sort the more bits the better. For example, if you have $\mbox{Pr}\left[X = 1\right] = {1 \over 2} \pm \gamma$ where $\vert \gamma \vert > 0$ then the total amount of entropy in N bits is $N \cdot -log_2\left ({1 \over 2} + \vert \gamma \vert \right)$. So if $\gamma$ were $0.25$ (a severe bias) a 256-bit string would have about 106 bits of entropy whereas a 128-bit string would have @@ -483,57 +536,198 @@ rounds. By passing zero as the number of rounds all ciphers will use their defa ciphers are configured such that the default number of rounds provide adequate security for the given block and key size. -\section{The Cipher Descriptors} +\mysection{The Cipher Descriptors} \index{Cipher Descriptor} -To facilitate automatic routines an array of cipher descriptors is provided in the array ``cipher\_descriptor''. An element +To facilitate automatic routines an array of cipher descriptors is provided in the array \textit{cipher\_descriptor}. An element of this array has the following format: \begin{small} \begin{verbatim} struct _cipher_descriptor { + /** name of cipher */ char *name; + + /** internal ID */ unsigned char ID; + + /** min keysize (octets) */ int min_key_length, + + /** max keysize (octets) */ max_key_length, + + /** block size (octets) */ block_length, + + /** default number of rounds */ default_rounds; - int (*setup)(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey); - int (*ecb_encrypt)(const unsigned char *pt, unsigned char *ct, symmetric_key *skey); - int (*ecb_decrypt)(const unsigned char *ct, unsigned char *pt, symmetric_key *skey); - int (*test)(void); + + /** Setup the cipher + @param key The input symmetric key + @param keylen The length of the input key (octets) + @param num_rounds The requested number of rounds (0==default) + @param skey [out] The destination of the scheduled key + @return CRYPT_OK if successful + */ + int (*setup)(const unsigned char *key, + int keylen, + int num_rounds, + symmetric_key *skey); + + /** Encrypt a block + @param pt The plaintext + @param ct [out] The ciphertext + @param skey The scheduled key + @return CRYPT_OK if successful + */ + int (*ecb_encrypt)(const unsigned char *pt, + unsigned char *ct, + symmetric_key *skey); + + /** Decrypt a block + @param ct The ciphertext + @param pt [out] The plaintext + @param skey The scheduled key + @return CRYPT_OK if successful + */ + int (*ecb_decrypt)(const unsigned char *ct, + unsigned char *pt, + symmetric_key *skey); + + /** Test the block cipher + @return CRYPT_OK if successful + CRYPT_NOP if self-testing has been disabled + */ + int (*test)(void); + + /** Terminate the context + @param skey The scheduled key + */ void (*done)(symmetric_key *skey); + + /** Determine a key size + @param keysize [in/out] The size of the key desired + @return CRYPT_OK if successful + */ int (*keysize)(int *keysize); +/** Accelerators **/ + /** Accelerated ECB encryption + @param pt Plaintext + @param ct Ciphertext + @param blocks The number of complete blocks to process + @param skey The scheduled key context + @return CRYPT_OK if successful + */ int (*accel_ecb_encrypt)(const unsigned char *pt, - unsigned char *ct, - unsigned long blocks, symmetric_key *skey); + unsigned char *ct, + unsigned long blocks, + symmetric_key *skey); + + /** Accelerated ECB decryption + @param pt Plaintext + @param ct Ciphertext + @param blocks The number of complete blocks to process + @param skey The scheduled key context + @return CRYPT_OK if successful + */ int (*accel_ecb_decrypt)(const unsigned char *ct, - unsigned char *pt, - unsigned long blocks, symmetric_key *skey); + unsigned char *pt, + unsigned long blocks, + symmetric_key *skey); + + /** Accelerated CBC encryption + @param pt Plaintext + @param ct Ciphertext + @param blocks The number of complete blocks to process + @param IV The initial value (input/output) + @param skey The scheduled key context + @return CRYPT_OK if successful + */ int (*accel_cbc_encrypt)(const unsigned char *pt, - unsigned char *ct, - unsigned long blocks, unsigned char *IV, - symmetric_key *skey); + unsigned char *ct, + unsigned long blocks, + unsigned char *IV, + symmetric_key *skey); + + /** Accelerated CBC decryption + @param pt Plaintext + @param ct Ciphertext + @param blocks The number of complete blocks to process + @param IV The initial value (input/output) + @param skey The scheduled key context + @return CRYPT_OK if successful + */ int (*accel_cbc_decrypt)(const unsigned char *ct, - unsigned char *pt, - unsigned long blocks, unsigned char *IV, - symmetric_key *skey); + unsigned char *pt, + unsigned long blocks, + unsigned char *IV, + symmetric_key *skey); + + /** Accelerated CTR encryption + @param pt Plaintext + @param ct Ciphertext + @param blocks The number of complete blocks to process + @param IV The initial value (input/output) + @param mode little or big endian counter (mode=0 or mode=1) + @param skey The scheduled key context + @return CRYPT_OK if successful + */ int (*accel_ctr_encrypt)(const unsigned char *pt, - unsigned char *ct, - unsigned long blocks, unsigned char *IV, - int mode, symmetric_key *skey); + unsigned char *ct, + unsigned long blocks, + unsigned char *IV, + int mode, + symmetric_key *skey); + + /** Accelerated LRW + @param pt Plaintext + @param ct Ciphertext + @param blocks The number of complete blocks to process + @param IV The initial value (input/output) + @param tweak The LRW tweak + @param skey The scheduled key context + @return CRYPT_OK if successful + */ int (*accel_lrw_encrypt)(const unsigned char *pt, unsigned char *ct, - unsigned long blocks, + unsigned long blocks, unsigned char *IV, const unsigned char *tweak, symmetric_key *skey); + + /** Accelerated LRW + @param ct Ciphertext + @param pt Plaintext + @param blocks The number of complete blocks to process + @param IV The initial value (input/output) + @param tweak The LRW tweak + @param skey The scheduled key context + @return CRYPT_OK if successful + */ int (*accel_lrw_decrypt)(const unsigned char *ct, unsigned char *pt, - unsigned long blocks, + unsigned long blocks, unsigned char *IV, const unsigned char *tweak, symmetric_key *skey); + + /** Accelerated CCM packet (one-shot) + @param key The secret key to use + @param keylen The length of the secret key (octets) + @param uskey A previously scheduled key [optional can be NULL] + @param nonce The session nonce [use once] + @param noncelen The length of the nonce + @param header The header for the session + @param headerlen The length of the header (octets) + @param pt [out] The plaintext + @param ptlen The length of the plaintext (octets) + @param ct [out] The ciphertext + @param tag [out] The destination tag + @param taglen [in/out] Initial and final size of the tag + @param direction CCM_ENCRYPT or CCM_DECRYPT + @return CRYPT_OK if successful + */ int (*accel_ccm_memory)( const unsigned char *key, unsigned long keylen, symmetric_key *uskey, @@ -543,34 +737,97 @@ struct _cipher_descriptor { unsigned char *ct, unsigned char *tag, unsigned long *taglen, int direction); + + /** Accelerated GCM packet (one shot) + @param key The secret key + @param keylen The length of the secret key + @param IV The initial vector + @param IVlen The length of the initial vector + @param adata The additional authentication data (header) + @param adatalen The length of the adata + @param pt The plaintext + @param ptlen The length of the plaintext + @param ct The ciphertext + @param tag [out] The MAC tag + @param taglen [in/out] The MAC tag length + @param direction GCM_ENCRYPT or GCM_DECRYPT + @return CRYPT_OK on success + */ int (*accel_gcm_memory)( const unsigned char *key, unsigned long keylen, const unsigned char *IV, unsigned long IVlen, const unsigned char *adata, unsigned long adatalen, unsigned char *pt, unsigned long ptlen, - unsigned char *ct, + unsigned char *ct, unsigned char *tag, unsigned long *taglen, int direction); + + /** Accelerated one shot OMAC + @param key The secret key + @param keylen The key length (octets) + @param in The message + @param inlen Length of message (octets) + @param out [out] Destination for tag + @param outlen [in/out] Initial and final size of out + @return CRYPT_OK on success + */ + int (*omac_memory)( + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen); + + /** Accelerated one shot XCBC + @param key The secret key + @param keylen The key length (octets) + @param in The message + @param inlen Length of message (octets) + @param out [out] Destination for tag + @param outlen [in/out] Initial and final size of out + @return CRYPT_OK on success + */ + int (*xcbc_memory)( + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen); + + /** Accelerated one shot F9 + @param key The secret key + @param keylen The key length (octets) + @param in The message + @param inlen Length of message (octets) + @param out [out] Destination for tag + @param outlen [in/out] Initial and final size of out + @return CRYPT_OK on success + @remark Requires manual padding + */ + int (*f9_memory)( + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen); }; \end{verbatim} \end{small} -Where ``name'' is the lower case ASCII version of the name. The fields ``min\_key\_length'' and ``max\_key\_length'' -are the minimum and maximum key sizes in bytes. The ``block\_length'' member is the block size of the cipher +Where \textit{name} is the lower case ASCII version of the name. The fields \textit{min\_key\_length} and \textit{max\_key\_length} +are the minimum and maximum key sizes in bytes. The \textit{block\_length} member is the block size of the cipher in bytes. As a good rule of thumb it is assumed that the cipher supports -the min and max key lengths but not always everything in between. The ``default\_rounds'' field is the default number +the min and max key lengths but not always everything in between. The \textit{default\_rounds} field is the default number of rounds that will be used. +For a plugin to be compliant it must provide at least each function listed before the accelerators begin. Accelerators are optional, +and if missing will be emulated in software. + The remaining fields are all pointers to the core functions for each cipher. The end of the cipher\_descriptor array is -marked when ``name'' equals {\bf NULL}. - -As of this release the current cipher\_descriptors elements are +marked when \textit{name} equals {\bf NULL}. +As of this release the current cipher\_descriptors elements are the following: +\vfil \index{Cipher descriptor table} +\begin{figure}[hpbt] \begin{small} \begin{center} \begin{tabular}{|c|c|c|c|c|c|} - \hline Name & Descriptor Name & Block Size & Key Range & Rounds \\ + \hline \textbf{Name} & \textbf{Descriptor Name} & \textbf{Block Size} & \textbf{Key Range} & \textbf{Rounds} \\ \hline Blowfish & blowfish\_desc & 8 & 8 $\ldots$ 56 & 16 \\ \hline X-Tea & xtea\_desc & 8 & 16 & 32 \\ \hline RC2 & rc2\_desc & 8 & 8 $\ldots$ 128 & 16 \\ @@ -587,56 +844,63 @@ As of this release the current cipher\_descriptors elements are \hline Skipjack & skipjack\_desc & 8 & 10 & 32 \\ \hline Anubis & anubis\_desc & 16 & 16 $\ldots$ 40 & 12 $\ldots$ 18 \\ \hline Khazad & khazad\_desc & 8 & 16 & 8 \\ + \hline SEED & kseed\_desc & 16 & 16 & 16 \\ + \hline KASUMI & kasumi\_desc & 8 & 16 & 8 \\ \hline \end{tabular} \end{center} \end{small} +\caption{Built--In Software Ciphers} +\end{figure} \subsection{Notes} \begin{small} \begin{enumerate} \item -For AES (also known as Rijndael) there are four descriptors which complicate issues a little. The descriptors -rijndael\_desc and rijndael\_enc\_desc provide the cipher named ``rijndael''. The descriptors aes\_desc and -aes\_enc\_desc provide the cipher name ``aes''. Functionally both ``rijndael'' and ``aes'' are the same cipher. The -only difference is when you call find\_cipher() you have to pass the correct name. The cipher descriptors with ``enc'' +For AES, (also known as Rijndael) there are four descriptors which complicate issues a little. The descriptors +rijndael\_desc and rijndael\_enc\_desc provide the cipher named \textit{rijndael}. The descriptors aes\_desc and +aes\_enc\_desc provide the cipher name \textit{aes}. Functionally both \textit{rijndael} and \textit{aes} are the same cipher. The +only difference is when you call find\_cipher() you have to pass the correct name. The cipher descriptors with \textit{enc} in the middle (e.g. rijndael\_enc\_desc) are related to an implementation of Rijndael with only the encryption routine -and tables. The decryption and self--test function pointers of both ``encrypt only'' descriptors are set to \textbf{NULL} and +and tables. The decryption and self--test function pointers of both \textit{encrypt only} descriptors are set to \textbf{NULL} and should not be called. -The ``encrypt only'' descriptors are useful for applications that only use the encryption function of the cipher. Algorithms such -as EAX, PMAC and OMAC only require the encryption function. So far this ``encrypt only'' functionality has only been implemented for +The \textit{encrypt only} descriptors are useful for applications that only use the encryption function of the cipher. Algorithms such +as EAX, PMAC and OMAC only require the encryption function. So far this \textit{encrypt only} functionality has only been implemented for Rijndael as it makes the most sense for this cipher. \item -Note that for ``DES'' and ``3DES'' they use 8 and 24 byte keys but only 7 and 21 [respectively] bytes of the keys are in +Note that for \textit{DES} and \textit{3DES} they use 8 and 24 byte keys but only 7 and 21 [respectively] bytes of the keys are in fact used for the purposes of encryption. My suggestion is just to use random 8/24 byte keys instead of trying to make a 8/24 byte string from the real 7/21 byte key. \item -Note that ``Twofish'' has additional configuration options that take place at build time. These options are found in -the file ``tomcrypt\_cfg.h''. The first option is ``TWOFISH\_SMALL'' which when defined will force the Twofish code -to not pre-compute the Twofish ``$g(X)$'' function as a set of four $8 \times 32$ s-boxes. This means that a scheduled -key will require less ram but the resulting cipher will be slower. The second option is ``TWOFISH\_TABLES'' which when +Note that \textit{Twofish} has additional configuration options (Figure \ref{fig:twofishopts}) that take place at build time. These options are found in +the file \textit{tomcrypt\_cfg.h}. The first option is \textit{TWOFISH\_SMALL} which when defined will force the Twofish code +to not pre-compute the Twofish \textit{$g(X)$} function as a set of four $8 \times 32$ s-boxes. This means that a scheduled +key will require less ram but the resulting cipher will be slower. The second option is \textit{TWOFISH\_TABLES} which when defined will force the Twofish code to use pre-computed tables for the two s-boxes $q_0, q_1$ as well as the multiplication by the polynomials 5B and EF used in the MDS multiplication. As a result the code is faster and slightly larger. The -speed increase is useful when ``TWOFISH\_SMALL'' is defined since the s-boxes and MDS multiply form the heart of the +speed increase is useful when \textit{TWOFISH\_SMALL} is defined since the s-boxes and MDS multiply form the heart of the Twofish round function. \index{Twofish build options} +\begin{figure}[hpbt] \begin{small} \begin{center} \begin{tabular}{|l|l|l|} -\hline TWOFISH\_SMALL & TWOFISH\_TABLES & Speed and Memory (per key) \\ +\hline \textbf{TWOFISH\_SMALL} & \textbf{TWOFISH\_TABLES} & \textbf{Speed and Memory (per key)} \\ \hline undefined & undefined & Very fast, 4.2KB of ram. \\ -\hline undefined & defined & Faster keysetup, larger code. \\ +\hline undefined & defined & Faster key setup, larger code. \\ \hline defined & undefined & Very slow, 0.2KB of ram. \\ \hline defined & defined & Faster, 0.2KB of ram, larger code. \\ \hline \end{tabular} \end{center} \end{small} - +\caption{Twofish Build Options} +\label{fig:twofishopts} +\end{figure} \end{enumerate} \end{small} @@ -645,9 +909,10 @@ To work with the cipher\_descriptor array there is a function: \begin{verbatim} int find_cipher(char *name) \end{verbatim} -Which will search for a given name in the array. It returns negative one if the cipher is not found, otherwise it returns +Which will search for a given name in the array. It returns $-1$ if the cipher is not found, otherwise it returns the location in the array where the cipher was found. For example, to indirectly setup Blowfish you can also use: \begin{small} +\index{register\_cipher()} \begin{verbatim} #include int main(void) @@ -662,9 +927,11 @@ int main(void) return -1; } - /* generic call to function (assuming the key in key[] was already setup) */ - if ((err = cipher_descriptor[find_cipher("blowfish")].setup(key, 8, 0, &skey)) != - CRYPT_OK) { + /* generic call to function (assuming the key + * in key[] was already setup) */ + if ((err = + cipher_descriptor[find_cipher("blowfish")]. + setup(key, 8, 0, &skey)) != CRYPT_OK) { printf("Error setting up Blowfish: %s\n", error_to_string(err)); return -1; } @@ -674,7 +941,7 @@ int main(void) \end{verbatim} \end{small} -A good safety would be to check the return value of ``find\_cipher()'' before accessing the desired function. In order +A good safety would be to check the return value of \textit{find\_cipher()} before accessing the desired function. In order to use a cipher with the descriptor table you must register it first using: \index{register\_cipher()} \begin{verbatim} @@ -687,7 +954,7 @@ than once it will just return the index of the first copy. To remove a cipher c \begin{verbatim} int unregister_cipher(const struct _cipher_descriptor *cipher); \end{verbatim} -Which returns {\bf CRYPT\_OK} if it removes it otherwise it returns {\bf CRYPT\_ERROR}. Consider: +Which returns {\bf CRYPT\_OK} if it removes the cipher, otherwise it returns {\bf CRYPT\_ERROR}. \begin{small} \begin{verbatim} #include @@ -713,9 +980,9 @@ int main(void) } \end{verbatim} \end{small} -This snippet is a small program that registers only Rijndael only. +This snippet is a small program that registers Rijndael. -\section{Symmetric Modes of Operations} +\mysection{Symmetric Modes of Operations} \subsection{Background} A typical symmetric block cipher can be used in chaining modes to effectively encrypt messages larger than the block size of the cipher. Given a key $k$, a plaintext $P$ and a cipher $E$ we shall denote the encryption of the block @@ -785,84 +1052,114 @@ The CTR, CFB and OFB routines provided allow you to encrypt block sizes that dif accomplish this by buffering the data required to complete a block. This allows you to encrypt or decrypt any size block of memory with either of the three modes. -The ECB and CBC modes process blocks of the same size as the cipher at a time. Therefore they are less flexible than the +The ECB and CBC modes process blocks of the same size as the cipher at a time. Therefore, they are less flexible than the other modes. +\subsection{Ciphertext Stealing} +\index{Ciphertext stealing} +Ciphertext stealing is a method of dealing with messages in CBC mode which are not a multiple of the block length. This is accomplished +by encrypting the last ciphertext block in ECB mode, and XOR'ing the output against the last partial block of plaintext. LibTomCrypt does not +support this mode directly but it is fairly easy to emulate with a call to the cipher's ecb\_encrypt() callback function. + +The more sane way to deal with partial blocks is to pad them with zeroes, and then use CBC normally. + \subsection{Initialization} \index{CBC Mode} \index{CTR Mode} \index{OFB Mode} \index{CFB Mode} The library provides simple support routines for handling CBC, CTR, CFB, OFB and ECB encoded messages. Assuming the mode -you want is XXX there is a structure called ``symmetric\_XXX'' that will contain the information required to +you want is XXX there is a structure called \textit{symmetric\_XXX} that will contain the information required to use that mode. They have identical setup routines (except CTR and ECB mode): \index{ecb\_start()} \index{cfb\_start()} \index{cbc\_start()} \index{ofb\_start()} \index{ctr\_start()} \begin{verbatim} -int XXX_start(int cipher, const unsigned char *IV, - const unsigned char *key, int keylen, - int num_rounds, symmetric_XXX *XXX); +int XXX_start( int cipher, + const unsigned char *IV, + const unsigned char *key, + int keylen, + int num_rounds, + symmetric_XXX *XXX); -int ctr_start( int cipher, +int ctr_start( int cipher, const unsigned char *IV, - const unsigned char *key, int keylen, - int num_rounds, int ctr_mode, - symmetric_CTR *ctr); + const unsigned char *key, + int keylen, + int num_rounds, + int ctr_mode, + symmetric_CTR *ctr); -int ecb_start(int cipher, const unsigned char *key, int keylen, - int num_rounds, symmetric_ECB *ecb); +int ecb_start( int cipher, + const unsigned char *key, + int keylen, + int num_rounds, + symmetric_ECB *ecb); \end{verbatim} -In each case ``cipher'' is the index into the cipher\_descriptor array of the cipher you want to use. The ``IV'' value is +In each case, \textit{cipher} is the index into the cipher\_descriptor array of the cipher you want to use. The \textit{IV} value is the initialization vector to be used with the cipher. You must fill the IV yourself and it is assumed they are the same -length as the block size\footnote{In otherwords the size of a block of plaintext for the cipher, e.g. 8 for DES, 16 for AES, etc.} +length as the block size\footnote{In other words the size of a block of plaintext for the cipher, e.g. 8 for DES, 16 for AES, etc.} of the cipher you choose. It is important that the IV be random for each unique message you want to encrypt. The -parameters ``key'', ``keylen'' and ``num\_rounds'' are the same as in the XXX\_setup() function call. The final parameter +parameters \textit{key}, \textit{keylen} and \textit{num\_rounds} are the same as in the XXX\_setup() function call. The final parameter is a pointer to the structure you want to hold the information for the mode of operation. -In the case of CTR mode there is an additional parameter ``ctr\_mode'' which specifies the mode that the counter is to be used in. -If \textbf{CTR\_COUNTER\_LITTLE\_ENDIAN} was specified then the counter will be treated as a little endian value. Otherwise, if -\textbf{CTR\_COUNTER\_BIG\_ENDIAN} was specified the counter will be treated as a big endian value. +In the case of CTR mode there is an additional parameter \textit{ctr\_mode} which specifies the mode that the counter is to be used in. +If \textbf{CTR\_COUNTER\_ LITTLE\_ENDIAN} was specified then the counter will be treated as a little endian value. Otherwise, if +\textbf{CTR\_COUNTER\_BIG\_ENDIAN} was specified the counter will be treated as a big endian value. As of v1.15 the RFC 3686 style of +increment then encrypt is also supported. By OR'ing \textbf{LTC\_CTR\_RFC3686} with the CTR \textit{mode} value, ctr\_start() will increment +the counter before encrypting it for the first time. -The routines return {\bf CRYPT\_OK} if the cipher initialized correctly, otherwise they return an error code. +The routines return {\bf CRYPT\_OK} if the cipher initialized correctly, otherwise, they return an error code. \subsection{Encryption and Decryption} To actually encrypt or decrypt the following routines are provided: \index{ecb\_encrypt()} \index{ecb\_decrypt()} \index{cfb\_encrypt()} \index{cfb\_decrypt()} \index{cbc\_encrypt()} \index{cbc\_decrypt()} \index{ofb\_encrypt()} \index{ofb\_decrypt()} \index{ctr\_encrypt()} \index{ctr\_decrypt()} \begin{verbatim} -int XXX_encrypt(const unsigned char *pt, unsigned char *ct, - unsigned long len, symmetric_YYY *YYY); -int XXX_decrypt(const unsigned char *ct, unsigned char *pt, - unsigned long len, symmetric_YYY *YYY); -\end{verbatim} -Where ``XXX'' is one of $\lbrace ecb, cbc, ctr, cfb, ofb \rbrace$. +int XXX_encrypt(const unsigned char *pt, + unsigned char *ct, + unsigned long len, + symmetric_YYY *YYY); -In all cases ``len'' is the size of the buffer (as number of octets) to encrypt or decrypt. The CTR, OFB and CFB modes are order sensitive but not -chunk sensitive. That is you can encrypt ``ABCDEF'' in three calls like ``AB'', ``CD'', ``EF'' or two like ``ABCDE'' and ``F'' -and end up with the same ciphertext. However, encrypting ``ABC'' and ``DABC'' will result in different ciphertexts. All +int XXX_decrypt(const unsigned char *ct, + unsigned char *pt, + unsigned long len, + symmetric_YYY *YYY); +\end{verbatim} +Where \textit{XXX} is one of $\lbrace ecb, cbc, ctr, cfb, ofb \rbrace$. + +In all cases, \textit{len} is the size of the buffer (as number of octets) to encrypt or decrypt. The CTR, OFB and CFB modes are order sensitive but not +chunk sensitive. That is you can encrypt \textit{ABCDEF} in three calls like \textit{AB}, \textit{CD}, \textit{EF} or two like \textit{ABCDE} and \textit{F} +and end up with the same ciphertext. However, encrypting \textit{ABC} and \textit{DABC} will result in different ciphertexts. All five of the modes will return {\bf CRYPT\_OK} on success from the encrypt or decrypt functions. -In the ECB and CBC cases ``len'' must be a multiple of the ciphers block size. In the CBC case you must manually pad the end of your message (either with +In the ECB and CBC cases, \textit{len} must be a multiple of the ciphers block size. In the CBC case, you must manually pad the end of your message (either with zeroes or with whatever your protocol requires). -To decrypt in either mode you simply perform the setup like before (recall you have to fetch the IV value you used) -and use the decrypt routine on all of the blocks. +To decrypt in either mode, perform the setup like before (recall you have to fetch the IV value you used), and use the decrypt routine on all of the blocks. \subsection{IV Manipulation} To change or read the IV of a previously initialized chaining mode use the following two functions. - \index{cbc\_setiv()} \index{cbc\_getiv()} \index{ofb\_setiv()} \index{ofb\_getiv()} \index{cfb\_setiv()} \index{cfb\_getiv()} \index{ctr\_setiv()} \index{ctr\_getiv()} \begin{verbatim} -int XXX_getiv(unsigned char *IV, unsigned long *len, symmetric_XXX *XXX); -int XXX_setiv(const unsigned char *IV, unsigned long len, symmetric_XXX *XXX); +int XXX_getiv(unsigned char *IV, unsigned long *len, + symmetric_XXX *XXX); + +int XXX_setiv(const unsigned char *IV, unsigned long len, + symmetric_XXX *XXX); \end{verbatim} -The XXX\_getiv() functions will read the IV out of the chaining mode and store it into ``IV'' along with the length of the IV -stored in ``len''. The XXX\_setiv will initialize the chaining mode state as if the original IV were the new IV specified. The length +The XXX\_getiv() functions will read the IV out of the chaining mode and store it into \textit{IV} along with the length of the IV +stored in \textit{len}. The XXX\_setiv will initialize the chaining mode state as if the original IV were the new IV specified. The length of the IV passed in must be the size of the ciphers block size. The XXX\_setiv() functions are handy if you wish to change the IV without re--keying the cipher. +What the \textit{setiv} function will do depends on the mode being changed. In CBC mode, the new IV replaces the existing IV as if it +were the last ciphertext block. In CFB mode, the IV is encrypted as if it were the prior encrypted pad. In CTR mode, the IV is encrypted without +first incrementing it (regardless of the LTC\_RFC\_3686 flag presence). In F8 mode, the IV is encrypted and becomes the new pad. It does not change +the salted IV, and is only meant to allow seeking within a session. In LRW, it changes the tweak, forcing a computation of the tweak pad, allowing for +seeking within the session. In OFB mode, the IV is encrypted and becomes the new pad. + \subsection{Stream Termination} To terminate an open stream call the done function. @@ -873,9 +1170,8 @@ int XXX_done(symmetric_XXX *XXX); This will terminate the stream (by terminating the cipher) and return \textbf{CRYPT\_OK} if successful. -\subsection{Examples} - \newpage +\subsection{Examples} \begin{small} \begin{verbatim} #include @@ -898,10 +1194,10 @@ int main(void) find_cipher("twofish"), /* index of desired cipher */ IV, /* the initial vector */ key, /* the secret key */ - 16, /* length of secret key (16 bytes, 128 bits) */ + 16, /* length of secret key (16 bytes) */ 0, /* 0 == default # of rounds */ CTR_COUNTER_LITTLE_ENDIAN, /* Little endian counter */ - &ctr) /* where to store initialized CTR state */ + &ctr) /* where to store the CTR state */ ) != CRYPT_OK) { printf("ctr_start error: %s\n", error_to_string(err)); return -1; @@ -910,8 +1206,8 @@ int main(void) /* somehow fill buffer than encrypt it */ if ((err = ctr_encrypt( buffer, /* plaintext */ buffer, /* ciphertext */ - sizeof(buffer), /* length of data to encrypt */ - &ctr) /* previously initialized CTR state */ + sizeof(buffer), /* length of plaintext pt */ + &ctr) /* CTR state */ ) != CRYPT_OK) { printf("ctr_encrypt error: %s\n", error_to_string(err)); return -1; @@ -930,8 +1226,8 @@ int main(void) if ((err = ctr_decrypt( buffer, /* ciphertext */ buffer, /* plaintext */ - sizeof(buffer), /* length of data to encrypt */ - &ctr) /* previously initialized CTR state */ + sizeof(buffer), /* length of plaintext */ + &ctr) /* CTR state */ ) != CRYPT_OK) { printf("ctr_decrypt error: %s\n", error_to_string(err)); return -1; @@ -953,51 +1249,60 @@ int main(void) \end{small} \subsection{LRW Mode} - LRW mode is a cipher mode which is meant for indexed encryption like used to handle storage media. It is meant to have efficient seeking and overcome the security problems of ECB mode while not increasing the storage requirements. It is used much like any other chaining mode except with two key differences. The key is specified as two strings the first key $K_1$ is the (normally AES) key and can be any length (typically 16, 24 or 32 octets long). The second key -$K_2$ is the ``tweak'' key and is always 16 octets long. The tweak value is \textbf{NOT} a nonce or IV value it must be random and secret. +$K_2$ is the \textit{tweak} key and is always 16 octets long. The tweak value is \textbf{NOT} a nonce or IV value it must be random and secret. To initialize LRW mode use: \index{lrw\_start()} \begin{verbatim} -int lrw_start( int cipher, +int lrw_start( int cipher, const unsigned char *IV, - const unsigned char *key, int keylen, + const unsigned char *key, + int keylen, const unsigned char *tweak, - int num_rounds, - symmetric_LRW *lrw); + int num_rounds, + symmetric_LRW *lrw); \end{verbatim} -This will initialize the LRW context with the given (16 octet) ``IV'', cipher $K_1$ ``key'' of length ``keylen'' octets and the (16 octet) $K_2$ ``tweak''. -While LRW was specified to be used only with AES, LibTomCrypt will allow any 128--bit block cipher to be specified as indexed by ``cipher''. The -number of rounds for the block cipher ``num\_rounds'' can be 0 to use the default number of rounds for the given cipher. +This will initialize the LRW context with the given (16 octet) \textit{IV}, cipher $K_1$ \textit{key} of length \textit{keylen} octets and the (16 octet) $K_2$ \textit{tweak}. +While LRW was specified to be used only with AES, LibTomCrypt will allow any 128--bit block cipher to be specified as indexed by \textit{cipher}. The +number of rounds for the block cipher \textit{num\_rounds} can be 0 to use the default number of rounds for the given cipher. To process data use the following functions: \index{lrw\_encrypt()} \index{lrw\_decrypt()} \begin{verbatim} -int lrw_encrypt(const unsigned char *pt, unsigned char *ct, - unsigned long len, symmetric_LRW *lrw); -int lrw_decrypt(const unsigned char *ct, unsigned char *pt, - unsigned long len, symmetric_LRW *lrw); +int lrw_encrypt(const unsigned char *pt, + unsigned char *ct, + unsigned long len, + symmetric_LRW *lrw); + +int lrw_decrypt(const unsigned char *ct, + unsigned char *pt, + unsigned long len, + symmetric_LRW *lrw); \end{verbatim} -These will encrypt (or decrypt) the plaintext to the ciphertext buffer (or vice versa). The length is specified by ``len'' in octets but must be a multiple -of 16. +These will encrypt (or decrypt) the plaintext to the ciphertext buffer (or vice versa). The length is specified by \textit{len} in octets but must be a multiple +of 16. The LRW code uses a fast tweak update such that consecutive blocks are encrypted faster than if random seeking where used. To manipulate the IV use the following functions: \index{lrw\_getiv()} \index{lrw\_setiv()} \begin{verbatim} -int lrw_getiv(unsigned char *IV, unsigned long *len, symmetric_LRW *lrw); -int lrw_setiv(const unsigned char *IV, unsigned long len, symmetric_LRW *lrw); -\end{verbatim} +int lrw_getiv(unsigned char *IV, + unsigned long *len, + symmetric_LRW *lrw); -These will get or set the 16--octet IV. Note that setting the IV is the same as ``seeking'' and unlike other modes is not a free operation. It requires +int lrw_setiv(const unsigned char *IV, + unsigned long len, + symmetric_LRW *lrw); +\end{verbatim} +These will get or set the 16--octet IV. Note that setting the IV is the same as \textit{seeking} and unlike other modes is not a free operation. It requires updating the entire tweak which is slower than sequential use. Avoid seeking excessively in performance constrained code. To terminate the LRW state use the following: @@ -1011,40 +1316,51 @@ int lrw_done(symmetric_LRW *lrw); \index{F8 Mode} The F8 Chaining mode (see RFC 3711 for instance) is yet another chaining mode for block ciphers. It behaves much like CTR mode in that it XORs a keystream against the plaintext to encrypt. F8 mode comes with the additional twist that the counter value is secret, encrypted by a \textit{salt key}. We -initialize F8 mode with the fuollowing function call: +initialize F8 mode with the following function call: \index{f8\_start()} \begin{verbatim} -int f8_start( int cipher, const unsigned char *IV, - const unsigned char *key, int keylen, - const unsigned char *salt_key, int skeylen, - int num_rounds, symmetric_F8 *f8); +int f8_start( int cipher, + const unsigned char *IV, + const unsigned char *key, + int keylen, + const unsigned char *salt_key, + int skeylen, + int num_rounds, + symmetric_F8 *f8); \end{verbatim} -This will start the F8 mode state using ``key'' as the secret key, ``IV'' as the counter. It uses the ``salt\_key`` as IV encryption key (``m'' in the RFC 3711). -The salt\_key can be shorter than the secret key but it should not be longer. +This will start the F8 mode state using \textit{key} as the secret key, \textit{IV} as the counter. It uses the \textit{salt\_key} as IV encryption key +(\textit{m} in the RFC 3711). The salt\_key can be shorter than the secret key but it should not be longer. To encrypt or decrypt data we use the following two functions: \index{f8\_encrypt()} \index{f8\_decrypt()} \begin{verbatim} -int f8_encrypt(const unsigned char *pt, unsigned char *ct, - unsigned long len, symmetric_F8 *f8); +int f8_encrypt(const unsigned char *pt, + unsigned char *ct, + unsigned long len, + symmetric_F8 *f8); -int f8_decrypt(const unsigned char *ct, unsigned char *pt, - unsigned long len, symmetric_F8 *f8); +int f8_decrypt(const unsigned char *ct, + unsigned char *pt, + unsigned long len, + symmetric_F8 *f8); \end{verbatim} These will encrypt or decrypt a variable length array of bytes using the F8 mode state specified. The length is specified in bytes and does not have to be a multiple of the ciphers block size. To change or retrieve the current counter IV value use the following functions: - -\index{f8\_getiv()} -\index{f8\_setiv()} +\index{f8\_getiv()} \index{f8\_setiv()} \begin{verbatim} -int f8_getiv(unsigned char *IV, unsigned long *len, symmetric_F8 *f8); -int f8_setiv(const unsigned char *IV, unsigned long len, symmetric_F8 *f8); +int f8_getiv(unsigned char *IV, + unsigned long *len, + symmetric_F8 *f8); + +int f8_setiv(const unsigned char *IV, + unsigned long len, + symmetric_F8 *f8); \end{verbatim} -These work with the current IV value only and not the encrypted IV value specifed during the call to f8\_start(). The purpose of these two functions is to be +These work with the current IV value only and not the encrypted IV value specified during the call to f8\_start(). The purpose of these two functions is to be able to seek within a current session only. If you want to change the session IV you will have to call f8\_done() and then start a new state with f8\_start(). @@ -1055,83 +1371,90 @@ To terminate an F8 state call the following function: int f8_done(symmetric_F8 *f8); \end{verbatim} -\vbox{} -\section{Encrypt and Authenticate Modes} +\vfil +\mysection{Encrypt and Authenticate Modes} \subsection{EAX Mode} LibTomCrypt provides support for a mode called EAX\footnote{See -M. Bellare, P. Rogaway, D. Wagner, A Conventional Authenticated-Encryption Mode.} in a manner similar to the -way it was intended to be used by the designers. First a short description of what EAX mode is before I explain how to use it. -EAX is a mode that requires a cipher, CTR and OMAC support and provides encryption and authentication\footnote{Note that since EAX only requires OMAC and CTR you may use ``encrypt only'' cipher descriptors with this mode.}. -It is initialized with a random ``nonce'' that can be shared publicly as well as a ``header'' which can be fixed and public as well as a random -secret symmetric key. +M. Bellare, P. Rogaway, D. Wagner, A Conventional Authenticated-Encryption Mode.} in a manner similar to the way it was intended to be used +by the designers. First, a short description of what EAX mode is before we explain how to use it. EAX is a mode that requires a cipher, +CTR and OMAC support and provides encryption and +authentication\footnote{Note that since EAX only requires OMAC and CTR you may use \textit{encrypt only} cipher descriptors with this mode.}. +It is initialized with a random \textit{nonce} that can be shared publicly, a \textit{header} which can be fixed and public, and a random secret symmetric key. -The ``header'' data is meant to be meta-data associated with a stream that isn't private (e.g. protocol messages). It can -be added at anytime during an EAX stream and is part of the authentication tag. That is, changes in the meta-data can -be detected by changes in the output tag. +The \textit{header} data is meant to be meta--data associated with a stream that isn't private (e.g., protocol messages). It can +be added at anytime during an EAX stream, and is part of the authentication tag. That is, changes in the meta-data can be detected by changes in the output tag. The mode can then process plaintext producing ciphertext as well as compute a partial checksum. The actual checksum -called a ``tag'' is only emitted when the message is finished. In the interim though the user can process any arbitrary +called a \textit{tag} is only emitted when the message is finished. In the interim, the user can process any arbitrary sized message block to send to the recipient as ciphertext. This makes the EAX mode especially suited for streaming modes of operation. The mode is initialized with the following function. \index{eax\_init()} \begin{verbatim} -int eax_init(eax_state *eax, int cipher, - const unsigned char *key, unsigned long keylen, - const unsigned char *nonce, unsigned long noncelen, - const unsigned char *header, unsigned long headerlen); +int eax_init( eax_state *eax, + int cipher, + const unsigned char *key, + unsigned long keylen, + const unsigned char *nonce, + unsigned long noncelen, + const unsigned char *header, + unsigned long headerlen); \end{verbatim} -Where ``eax'' is the EAX state. ``cipher'' is the index of the desired cipher in the descriptor table. -``key'' is the shared secret symmetric key of length ``keylen''. ``nonce'' is the random public string of -length ``noncelen''. ``header'' is the random (or fixed or \textbf{NULL}) header for the message of length -``headerlen''. +Where \textit{eax} is the EAX state. The \textit{cipher} parameter is the index of the desired cipher in the descriptor table. +The \textit{key} parameter is the shared secret symmetric key of length \textit{keylen} octets. The \textit{nonce} parameter is the +random public string of length \textit{noncelen} octets. The \textit{header} parameter is the random (or fixed or \textbf{NULL}) header for the +message of length \textit{headerlen} octets. -When this function completes ``eax'' will be initialized such that you can now either have data decrypted or -encrypted in EAX mode. Note that if ``headerlen'' is zero you may pass ``header'' as \textbf{NULL} to indicate -there is no initial header data. +When this function completes, the \textit{eax} state will be initialized such that you can now either have data decrypted or +encrypted in EAX mode. Note: if \textit{headerlen} is zero you may pass \textit{header} as \textbf{NULL} to indicate there is no initial header data. To encrypt or decrypt data in a streaming mode use the following. \index{eax\_encrypt()} \index{eax\_decrypt()} \begin{verbatim} -int eax_encrypt(eax_state *eax, const unsigned char *pt, - unsigned char *ct, unsigned long length); +int eax_encrypt( eax_state *eax, + const unsigned char *pt, + unsigned char *ct, + unsigned long length); -int eax_decrypt(eax_state *eax, const unsigned char *ct, - unsigned char *pt, unsigned long length); +int eax_decrypt( eax_state *eax, + const unsigned char *ct, + unsigned char *pt, + unsigned long length); \end{verbatim} -The function ``eax\_encrypt'' will encrypt the bytes in ``pt'' of ``length'' bytes and store the ciphertext in -``ct''. Note that ``ct'' and ``pt'' may be the same region in memory. This function will also send the ciphertext -through the OMAC function. The function ``eax\_decrypt'' decrypts ``ct'' and stores it in ``pt''. This also allows -``pt'' and ``ct'' to be the same region in memory. +The function \textit{eax\_encrypt} will encrypt the bytes in \textit{pt} of \textit{length} octets, and store the ciphertext in +\textit{ct}. Note: \textit{ct} and \textit{pt} may be the same region in memory. This function will also send the ciphertext +through the OMAC function. The function \textit{eax\_decrypt} decrypts \textit{ct}, and stores it in \textit{pt}. This also allows +\textit{pt} and \textit{ct} to be the same region in memory. -You cannot both encrypt or decrypt with the same ``eax'' context. For bi-directional communication you -will need to initialize two EAX contexts (preferably with different headers and nonces). +You cannot both encrypt or decrypt with the same \textit{eax} context. For bi--directional communication you will need to initialize +two EAX contexts (preferably with different headers and nonces). -Note that both of these functions allow you to send the data in any granularity but the order is important. While +Note: both of these functions allow you to send the data in any granularity but the order is important. While the eax\_init() function allows you to add initial header data to the stream you can also add header data during the EAX stream with the following. \index{eax\_addheader()} \begin{verbatim} -int eax_addheader(eax_state *eax, - const unsigned char *header, unsigned long length); +int eax_addheader( eax_state *eax, + const unsigned char *header, + unsigned long length); \end{verbatim} - -This will add the ``length'' bytes from ``header'' to the given ``eax'' stream. Once the message is finished the -``tag'' (checksum) may be computed with the following function. +This will add the \textit{length} octet from \textit{header} to the given \textit{eax} header. Once the message is finished, the +\textit{tag} (checksum) may be computed with the following function: \index{eax\_done()} \begin{verbatim} -int eax_done(eax_state *eax, - unsigned char *tag, unsigned long *taglen); +int eax_done( eax_state *eax, + unsigned char *tag, + unsigned long *taglen); \end{verbatim} -This will terminate the EAX state ``eax'' and store upto ``taglen'' bytes of the message tag in ``tag''. The function -then stores how many bytes of the tag were written out back into ``taglen''. +This will terminate the EAX state \textit{eax}, and store up to \textit{taglen} bytes of the message tag in \textit{tag}. The function +then stores how many bytes of the tag were written out back in to \textit{taglen}. -The EAX mode code can be tested to ensure it matches the test vectors by calling the following function. +The EAX mode code can be tested to ensure it matches the test vectors by calling the following function: \index{eax\_test()} \begin{verbatim} int eax_test(void); @@ -1155,22 +1478,22 @@ int main(void) /* ... make up random nonce and key ... */ /* initialize context */ - if ((err = eax_init( &eax, /* the context */ - find_cipher("rijndael"), /* cipher we want to use */ - nonce, /* our state nonce */ - 16, /* none is 16 bytes */ - "TestApp", /* example header, identifies this program */ - 7) /* length of the header */ + if ((err = eax_init( &eax, /* context */ + find_cipher("rijndael"), /* cipher id */ + nonce, /* the nonce */ + 16, /* nonce is 16 bytes */ + "TestApp", /* example header */ + 7) /* header length */ ) != CRYPT_OK) { printf("Error eax_init: %s", error_to_string(err)); return EXIT_FAILURE; } /* now encrypt data, say in a loop or whatever */ - if ((err = eax_encrypt( &eax, /* eax context */ - pt, /* plaintext (source) */ - ct, /* ciphertext (destination) */ - sizeof(pt) /* size of plaintext */ + if ((err = eax_encrypt( &eax, /* eax context */ + pt, /* plaintext (source) */ + ct, /* ciphertext (destination) */ + sizeof(pt) /* size of plaintext */ ) != CRYPT_OK) { printf("Error eax_encrypt: %s", error_to_string(err)); return EXIT_FAILURE; @@ -1178,16 +1501,16 @@ int main(void) /* finish message and get authentication tag */ taglen = sizeof(tag); - if ((err = eax_done( &eax, /* eax context */ - tag, /* where to put tag */ - &taglen /* length of tag space */ + if ((err = eax_done( &eax, /* eax context */ + tag, /* where to put tag */ + &taglen /* length of tag space */ ) != CRYPT_OK) { printf("Error eax_done: %s", error_to_string(err)); return EXIT_FAILURE; } - /* now we have the authentication tag in "tag" and it's taglen bytes long */ - + /* now we have the authentication tag in "tag" and + * it's taglen bytes long */ } \end{verbatim} @@ -1197,7 +1520,8 @@ following functions. \index{eax\_encrypt\_authenticate\_memory} \index{eax\_decrypt\_verify\_memory} \begin{verbatim} -int eax_encrypt_authenticate_memory(int cipher, +int eax_encrypt_authenticate_memory( + int cipher, const unsigned char *key, unsigned long keylen, const unsigned char *nonce, unsigned long noncelen, const unsigned char *header, unsigned long headerlen, @@ -1205,7 +1529,8 @@ int eax_encrypt_authenticate_memory(int cipher, unsigned char *ct, unsigned char *tag, unsigned long *taglen); -int eax_decrypt_verify_memory(int cipher, +int eax_decrypt_verify_memory( + int cipher, const unsigned char *key, unsigned long keylen, const unsigned char *nonce, unsigned long noncelen, const unsigned char *header, unsigned long headerlen, @@ -1219,38 +1544,45 @@ Both essentially just call eax\_init() followed by eax\_encrypt() (or eax\_decry have the same meaning as with those respective functions. The only difference is eax\_decrypt\_verify\_memory() does not emit a tag. Instead you pass it a tag as input and it compares it against -the tag it computed while decrypting the message. If the tags match then it stores a $1$ in ``res'', otherwise it stores a $0$. +the tag it computed while decrypting the message. If the tags match then it stores a $1$ in \textit{res}, otherwise it stores a $0$. \subsection{OCB Mode} LibTomCrypt provides support for a mode called OCB\footnote{See -P. Rogaway, M. Bellare, J. Black, T. Krovetz, ``OCB: A Block Cipher Mode of Operation for Efficient Authenticated Encryption''.} +P. Rogaway, M. Bellare, J. Black, T. Krovetz, \textit{OCB: A Block Cipher Mode of Operation for Efficient Authenticated Encryption}.} . OCB is an encryption protocol that simultaneously provides authentication. It is slightly faster to use than EAX mode but is less flexible. Let's review how to initialize an OCB context. \index{ocb\_init()} \begin{verbatim} -int ocb_init(ocb_state *ocb, int cipher, - const unsigned char *key, unsigned long keylen, +int ocb_init( ocb_state *ocb, + int cipher, + const unsigned char *key, + unsigned long keylen, const unsigned char *nonce); \end{verbatim} -This will initialize the ``ocb'' context using cipher descriptor ``cipher''. It will use a ``key'' of length ``keylen'' -and the random ``nonce''. Note that ``nonce'' must be a random (public) string the same length as the block ciphers +This will initialize the \textit{ocb} context using cipher descriptor \textit{cipher}. It will use a \textit{key} of length \textit{keylen} +and the random \textit{nonce}. Note that \textit{nonce} must be a random (public) string the same length as the block ciphers block size (e.g. 16 bytes for AES). -This mode has no ``Associated Data'' like EAX mode does which means you cannot authenticate metadata along with the stream. +This mode has no \textit{Associated Data} like EAX mode does which means you cannot authenticate metadata along with the stream. To encrypt or decrypt data use the following. \index{ocb\_encrypt()} \index{ocb\_decrypt()} \begin{verbatim} -int ocb_encrypt(ocb_state *ocb, const unsigned char *pt, unsigned char *ct); -int ocb_decrypt(ocb_state *ocb, const unsigned char *ct, unsigned char *pt); +int ocb_encrypt( ocb_state *ocb, + const unsigned char *pt, + unsigned char *ct); + +int ocb_decrypt( ocb_state *ocb, + const unsigned char *ct, + unsigned char *pt); \end{verbatim} -This will encrypt (or decrypt for the latter) a fixed length of data from ``pt'' to ``ct'' (vice versa for the latter). -They assume that ``pt'' and ``ct'' are the same size as the block cipher's block size. Note that you cannot call -both functions given a single ``ocb'' state. For bi-directional communication you will have to initialize two ``ocb'' -states (with different nonces). Also ``pt'' and ``ct'' may point to the same location in memory. +This will encrypt (or decrypt for the latter) a fixed length of data from \textit{pt} to \textit{ct} (vice versa for the latter). +They assume that \textit{pt} and \textit{ct} are the same size as the block cipher's block size. Note that you cannot call +both functions given a single \textit{ocb} state. For bi-directional communication you will have to initialize two \textit{ocb} +states (with different nonces). Also \textit{pt} and \textit{ct} may point to the same location in memory. \subsubsection{State Termination} @@ -1258,33 +1590,36 @@ When you are finished encrypting the message you call the following function to \index{ocb\_done\_encrypt()} \begin{verbatim} -int ocb_done_encrypt(ocb_state *ocb, - const unsigned char *pt, unsigned long ptlen, +int ocb_done_encrypt( ocb_state *ocb, + const unsigned char *pt, + unsigned long ptlen, unsigned char *ct, - unsigned char *tag, unsigned long *taglen); + unsigned char *tag, + unsigned long *taglen); \end{verbatim} -This will terminate an encrypt stream ``ocb''. If you have trailing bytes of plaintext that will not complete a block -you can pass them here. This will also encrypt the ``ptlen'' bytes in ``pt'' and store them in ``ct''. It will also -store upto ``taglen'' bytes of the tag into ``tag''. +This will terminate an encrypt stream \textit{ocb}. If you have trailing bytes of plaintext that will not complete a block +you can pass them here. This will also encrypt the \textit{ptlen} bytes in \textit{pt} and store them in \textit{ct}. It will also +store up to \textit{taglen} bytes of the tag into \textit{tag}. -Note that ``ptlen'' must be less than or equal to the block size of block cipher chosen. Also note that if you have +Note that \textit{ptlen} must be less than or equal to the block size of block cipher chosen. Also note that if you have an input message equal to the length of the block size then you pass the data here (not to ocb\_encrypt()) only. To terminate a decrypt stream and compared the tag you call the following. \index{ocb\_done\_decrypt()} \begin{verbatim} -int ocb_done_decrypt(ocb_state *ocb, - const unsigned char *ct, unsigned long ctlen, +int ocb_done_decrypt( ocb_state *ocb, + const unsigned char *ct, + unsigned long ctlen, unsigned char *pt, - const unsigned char *tag, unsigned long taglen, - int *res); + const unsigned char *tag, + unsigned long taglen, + int *res); \end{verbatim} - Similarly to the previous function you can pass trailing message bytes into this function. This will compute the -tag of the message (internally) and then compare it against the ``taglen'' bytes of ``tag'' provided. By default -``res'' is set to zero. If all ``taglen'' bytes of ``tag'' can be verified then ``res'' is set to one (authenticated +tag of the message (internally) and then compare it against the \textit{taglen} bytes of \textit{tag} provided. By default +\textit{res} is set to zero. If all \textit{taglen} bytes of \textit{tag} can be verified then \textit{res} is set to one (authenticated message). \subsubsection{Packet Functions} @@ -1292,7 +1627,8 @@ To make life simpler the following two functions are provided for memory bound O \index{ocb\_encrypt\_authenticate\_memory()} \begin{verbatim} -int ocb_encrypt_authenticate_memory(int cipher, +int ocb_encrypt_authenticate_memory( + int cipher, const unsigned char *key, unsigned long keylen, const unsigned char *nonce, const unsigned char *pt, unsigned long ptlen, @@ -1300,12 +1636,13 @@ int ocb_encrypt_authenticate_memory(int cipher, unsigned char *tag, unsigned long *taglen); \end{verbatim} -This will OCB encrypt the message ``pt'' of length ``ptlen'' and store the ciphertext in ``ct''. The length ``ptlen'' +This will OCB encrypt the message \textit{pt} of length \textit{ptlen}, and store the ciphertext in \textit{ct}. The length \textit{ptlen} can be any arbitrary length. \index{ocb\_decrypt\_verify\_memory()} \begin{verbatim} -int ocb_decrypt_verify_memory(int cipher, +int ocb_decrypt_verify_memory( + int cipher, const unsigned char *key, unsigned long keylen, const unsigned char *nonce, const unsigned char *ct, unsigned long ctlen, @@ -1314,17 +1651,18 @@ int ocb_decrypt_verify_memory(int cipher, int *res); \end{verbatim} -Similarly this will OCB decrypt and compare the internally computed tag against the tag provided. ``res'' is set +Similarly, this will OCB decrypt, and compare the internally computed tag against the tag provided. \textit{res} is set appropriately. \subsection{CCM Mode} -CCM is a NIST proposal for Encrypt+Authenticate that is centered around using AES (or any 16--byte cipher) as a primitive. Unlike EAX and OCB mode -it is only meant for ``packet'' mode where the length of the input is known in advance. Since it is a packet mode function CCM only has one +CCM is a NIST proposal for encrypt + authenticate that is centered around using AES (or any 16--byte cipher) as a primitive. Unlike EAX and OCB mode, +it is only meant for \textit{packet} mode where the length of the input is known in advance. Since it is a packet mode function, CCM only has one function that performs the protocol. \index{ccm\_memory()} \begin{verbatim} -int ccm_memory(int cipher, +int ccm_memory( + int cipher, const unsigned char *key, unsigned long keylen, symmetric_key *uskey, const unsigned char *nonce, unsigned long noncelen, @@ -1335,19 +1673,19 @@ int ccm_memory(int cipher, int direction); \end{verbatim} -This performs the ``CCM'' operation on the data. The ``cipher'' variable indicates which cipher in the descriptor table to use. It must have a +This performs the \textit{CCM} operation on the data. The \textit{cipher} variable indicates which cipher in the descriptor table to use. It must have a 16--byte block size for CCM. -The key can be specified in one of two fashions. First it can be passed as an array of octets in ``key'' of length ``keylen''. Alternatively, -it can be passed in as a previously scheduled key in ``uskey''. The latter fashion saves time when the same key is used for multiple packets. If -``uskey'' is not \textbf{NULL} then ``key'' may be \textbf{NULL} (and vice-versa). +The key can be specified in one of two fashions. First, it can be passed as an array of octets in \textit{key} of length \textit{keylen}. Alternatively, +it can be passed in as a previously scheduled key in \textit{uskey}. The latter fashion saves time when the same key is used for multiple packets. If +\textit{uskey} is not \textbf{NULL}, then \textit{key} may be \textbf{NULL} (and vice-versa). -The nonce or salt is ``nonce'' of length ``noncelen'' octets. The header is meta--data you want to send with the message but not have -encrypted, it is stored in ``header'' of length ``headerlen'' octets. The header can be zero octets long (if $headerlen = 0$ then -you can pass ``header'' as \textbf{NULL}). +The nonce or salt is \textit{nonce} of length \textit{noncelen} octets. The header is meta--data you want to send with the message but not have +encrypted, it is stored in \textit{header} of length \textit{headerlen} octets. The header can be zero octets long (if $headerlen = 0$ then +you can pass \textit{header} as \textbf{NULL}). -The plaintext is stored in ``pt'' and the ciphertext in ``ct''. The length of both are expected to be equal and is passed in as ``ptlen''. It is -allowable that $pt = ct$. The ``direction'' variable indicates whether encryption (direction $=$ \textbf{CCM\_ENCRYPT}) or +The plaintext is stored in \textit{pt}, and the ciphertext in \textit{ct}. The length of both are expected to be equal and is passed in as \textit{ptlen}. It is +allowable that $pt = ct$. The \textit{direction} variable indicates whether encryption (direction $=$ \textbf{CCM\_ENCRYPT}) or decryption (direction $=$ \textbf{CCM\_DECRYPT}) is to be performed. As implemented this copy of CCM cannot handle a header or plaintext longer than $2^{32} - 1$ octets long. @@ -1361,100 +1699,163 @@ int ccm_test(void); This will return \textbf{CRYPT\_OK} if the CCM routine passes known test vectors. -\subsection{GCM Mode} -Galois counter mode is an IEEE proposal for authenticated encryption. Like EAX and OCB it can be used in a streaming capacity however, unlike EAX it cannot -accept ``additional authentication data'' (meta--data) after plaintext has been processed. This mode also only works with block ciphers with a sixteen -byte block. +\subsubsection{CCM Example} +The following is a sample of how to call CCM. -A GCM stream is meant to be processed in three modes each one sequential serial. First the initial vector (per session) data is processed. This should be -unique to every session. Next the the optional additional authentication data is processed and finally the plaintext. +\begin{small} +\begin{verbatim} +#include +int main(void) +{ + unsigned char key[16], nonce[12], pt[32], ct[32], tag[16], tagcp[16]; + unsigned long taglen; + int err; + + /* register cipher */ + register_cipher(&aes_desc); + + /* somehow fill key, nonce, pt */ + + /* encrypt it */ + taglen = sizeof(tag); + if ((err = + ccm_memory(find_cipher("aes"), + key, 16, /* 128-bit key */ + NULL, /* not prescheduled */ + nonce, 12, /* 96-bit nonce */ + NULL, 0, /* no header */ + pt, 32, /* 32-byte plaintext */ + ct, /* ciphertext */ + tag, &taglen, + CCM_ENCRYPT)) != CRYPT_OK) { + printf("ccm_memory error %s\n", error_to_string(err)); + return -1; + } + /* ct[0..31] and tag[0..15] now hold the output */ + + /* decrypt it */ + taglen = sizeof(tagcp); + if ((err = + ccm_memory(find_cipher("aes"), + key, 16, /* 128-bit key */ + NULL, /* not prescheduled */ + nonce, 12, /* 96-bit nonce */ + NULL, 0, /* no header */ + ct, 32, /* 32-byte ciphertext */ + pt, /* plaintext */ + tagcp, &taglen, + CCM_DECRYPT)) != CRYPT_OK) { + printf("ccm_memory error %s\n", error_to_string(err)); + return -1; + } + + /* now pt[0..31] should hold the original plaintext, + tagcp[0..15] and tag[0..15] should have the same contents */ +} +\end{verbatim} +\end{small} + +\subsection{GCM Mode} +Galois counter mode is an IEEE proposal for authenticated encryption (also it is a planned NIST standard). Like EAX and OCB mode, it can be used in a streaming capacity +however, unlike EAX it cannot accept \textit{additional authentication data} (meta--data) after plaintext has been processed. This mode also only works with +block ciphers with a 16--byte block. + +A GCM stream is meant to be processed in three modes, one after another. First, the initial vector (per session) data is processed. This should be +unique to every session. Next, the the optional additional authentication data is processed, and finally the plaintext (or ciphertext depending on the direction). \subsubsection{Initialization} To initialize the GCM context with a secret key call the following function. \index{gcm\_init()} \begin{verbatim} -int gcm_init(gcm_state *gcm, int cipher, - const unsigned char *key, int keylen); +int gcm_init( gcm_state *gcm, + int cipher, + const unsigned char *key, + int keylen); \end{verbatim} -This initializes the GCM state ``gcm'' for the given cipher indexed by ``cipher'' with a secret key ``key'' of length ``keylen'' octets. The cipher chosen -must have a 16--byte block size (e.g. AES). +This initializes the GCM state \textit{gcm} for the given cipher indexed by \textit{cipher}, with a secret key \textit{key} of length \textit{keylen} octets. The cipher +chosen must have a 16--byte block size (e.g., AES). \subsubsection{Initial Vector} After the state has been initialized (or reset) the next step is to add the session (or packet) initial vector. It should be unique per packet encrypted. \index{gcm\_add\_iv()} \begin{verbatim} -int gcm_add_iv(gcm_state *gcm, - const unsigned char *IV, unsigned long IVlen); +int gcm_add_iv( gcm_state *gcm, + const unsigned char *IV, + unsigned long IVlen); \end{verbatim} - -This adds the initial vector octets from ``IV'' of length ``IVlen'' to the GCM state ``gcm''. You can call this function as many times as required +This adds the initial vector octets from \textit{IV} of length \textit{IVlen} to the GCM state \textit{gcm}. You can call this function as many times as required to process the entire IV. -Note that the GCM protocols provides a ``shortcut'' for 12--byte IVs where no preprocessing is to be done. If you want to minimize per packet latency it's ideal -to only use 12--byte IVs. You can just increment it like a counter for each packet and the CTR [privacy] will be ensured. +Note: the GCM protocols provides a \textit{shortcut} for 12--byte IVs where no pre-processing is to be done. If you want to minimize per packet latency it is ideal +to only use 12--byte IVs. You can just increment it like a counter for each packet. \subsubsection{Additional Authentication Data} -After the entire IV has been processed the additional authentication data can be processed. Unlike the IV a packet/session does not require additional -authentication data (AAD) for security. The AAD is meant to be used as side--channel data you want to be authenticated with the packet. Note that once -you begin adding AAD to the GCM state you cannot return to adding IV data until the state is reset. +After the entire IV has been processed, the additional authentication data can be processed. Unlike the IV, a packet/session does not require additional +authentication data (AAD) for security. The AAD is meant to be used as side--channel data you want to be authenticated with the packet. Note: once +you begin adding AAD to the GCM state you cannot return to adding IV data until the state has been reset. \index{gcm\_add\_aad()} \begin{verbatim} -int gcm_add_aad(gcm_state *gcm, - const unsigned char *adata, unsigned long adatalen); +int gcm_add_aad( gcm_state *gcm, + const unsigned char *adata, + unsigned long adatalen); \end{verbatim} -This adds the additional authentication data ``adata'' of length ``adatalen'' to the GCM state ``gcm''. +This adds the additional authentication data \textit{adata} of length \textit{adatalen} to the GCM state \textit{gcm}. \subsubsection{Plaintext Processing} -After the AAD has been processed the plaintext (or ciphertext depending on the direction) can be processed. +After the AAD has been processed, the plaintext (or ciphertext depending on the direction) can be processed. \index{gcm\_process()} \begin{verbatim} -int gcm_process(gcm_state *gcm, - unsigned char *pt, unsigned long ptlen, - unsigned char *ct, - int direction); +int gcm_process( gcm_state *gcm, + unsigned char *pt, + unsigned long ptlen, + unsigned char *ct, + int direction); \end{verbatim} -This processes message data where ``pt'' is the plaintext and ``ct'' is the ciphertext. The length of both are equal and stored in ``ptlen''. Depending on the -mode ``pt'' is the input and ``ct'' is the output (or vice versa). When ``direction'' equals \textbf{GCM\_ENCRYPT} the plaintext is read, encrypted and stored -in the ciphertext buffer. When ``direction'' equals \textbf{GCM\_DECRYPT} the opposite occurs. +This processes message data where \textit{pt} is the plaintext and \textit{ct} is the ciphertext. The length of both are equal and stored in \textit{ptlen}. Depending on +the mode \textit{pt} is the input and \textit{ct} is the output (or vice versa). When \textit{direction} equals \textbf{GCM\_ENCRYPT} the plaintext is read, +encrypted and stored in the ciphertext buffer. When \textit{direction} equals \textbf{GCM\_DECRYPT} the opposite occurs. \subsubsection{State Termination} To terminate a GCM state and retrieve the message authentication tag call the following function. \index{gcm\_done()} \begin{verbatim} -int gcm_done(gcm_state *gcm, - unsigned char *tag, unsigned long *taglen); +int gcm_done( gcm_state *gcm, + unsigned char *tag, + unsigned long *taglen); \end{verbatim} -This terminates the GCM state ``gcm'' and stores the tag in ``tag'' of length ``taglen'' octets. +This terminates the GCM state \textit{gcm} and stores the tag in \textit{tag} of length \textit{taglen} octets. \subsubsection{State Reset} The call to gcm\_init() will perform considerable pre--computation (when \textbf{GCM\_TABLES} is defined) and if you're going to be dealing with a lot of packets -it is very costly to have to call it repeatedly. To aid in this endeavour the reset function has been provided. +it is very costly to have to call it repeatedly. To aid in this endeavour, the reset function has been provided. \index{gcm\_reset()} \begin{verbatim} int gcm_reset(gcm_state *gcm); \end{verbatim} -This will reset the GCM state ``gcm'' to the state that gcm\_init() left it. The user would then call gcm\_add\_iv(), gcm\_add\_aad(), etc. +This will reset the GCM state \textit{gcm} to the state that gcm\_init() left it. The user would then call gcm\_add\_iv(), gcm\_add\_aad(), etc. \subsubsection{One--Shot Packet} To process a single packet under any given key the following helper function can be used. \index{gcm\_memory()} \begin{verbatim} -int gcm_memory( int cipher, - const unsigned char *key, unsigned long keylen, - const unsigned char *IV, unsigned long IVlen, - const unsigned char *adata, unsigned long adatalen, - unsigned char *pt, unsigned long ptlen, - unsigned char *ct, - unsigned char *tag, unsigned long *taglen, - int direction); +int gcm_memory( + int cipher, + const unsigned char *key, + unsigned long keylen, + const unsigned char *IV, unsigned long IVlen, + const unsigned char *adata, unsigned long adatalen, + unsigned char *pt, unsigned long ptlen, + unsigned char *ct, + unsigned char *tag, unsigned long *taglen, + int direction); \end{verbatim} This will initialize the GCM state with the given key, IV and AAD value then proceed to encrypt or decrypt the message text and store the final @@ -1506,7 +1907,8 @@ int send_packet(const unsigned char *pt, unsigned long ptlen, /* ... send a header describing the lengths ... */ - /* depending on the protocol and how IV is generated you may have to send it too... */ + /* depending on the protocol and how IV is + * generated you may have to send it too... */ send(socket, iv, ivlen, 0); /* send the aad */ @@ -1549,7 +1951,8 @@ int main(void) } } - if ((err = send_packet(pt, ptlen, iv, 12, NULL, 0, &gcm)) != CRYPT_OK) { + if ((err = send_packet(pt, ptlen, iv, 12, NULL, 0, &gcm)) + != CRYPT_OK) { whine_and_pout(err); } } @@ -1559,24 +1962,23 @@ int main(void) \end{small} \chapter{One-Way Cryptographic Hash Functions} -\section{Core Functions} - -Like the ciphers there are hash core functions and a universal data type to hold the hash state called ``hash\_state''. -To initialize hash XXX (where XXX is the name) call: +\mysection{Core Functions} +Like the ciphers, there are hash core functions and a universal data type to hold the hash state called \textit{hash\_state}. To initialize hash +XXX (where XXX is the name) call: \index{Hash Functions} \begin{verbatim} void XXX_init(hash_state *md); \end{verbatim} -This simply sets up the hash to the default state governed by the specifications of the hash. To add data to the -message being hashed call: +This simply sets up the hash to the default state governed by the specifications of the hash. To add data to the message being hashed call: \begin{verbatim} -int XXX_process(hash_state *md, const unsigned char *in, unsigned long inlen); +int XXX_process( hash_state *md, + const unsigned char *in, + unsigned long inlen); \end{verbatim} - Essentially all hash messages are virtually infinitely\footnote{Most hashes are limited to $2^{64}$ bits or 2,305,843,009,213,693,952 bytes.} long message which -are buffered. The data can be passed in any sized chunks as long as the order of the bytes are the same the message digest -(hash output) will be the same. For example, this means that: +are buffered. The data can be passed in any sized chunks as long as the order of the bytes are the same the message digest (hash output) will be the same. For example, +this means that: \begin{verbatim} md5_process(&md, "hello ", 6); md5_process(&md, "world", 5); @@ -1589,13 +1991,13 @@ md5_process(&md, "hello world", 11); To finally get the message digest (the hash) call: \begin{verbatim} -int XXX_done(hash_state *md, - unsigned char *out); +int XXX_done( hash_state *md, + unsigned char *out); \end{verbatim} -This function will finish up the hash and store the result in the ``out'' array. You must ensure that ``out'' is long -enough for the hash in question. Often hashes are used to get keys for symmetric ciphers so the ``XXX\_done()'' functions -will wipe the ``md'' variable before returning automatically. +This function will finish up the hash and store the result in the \textit{out} array. You must ensure that \textit{out} is long +enough for the hash in question. Often hashes are used to get keys for symmetric ciphers so the \textit{XXX\_done()} functions +will wipe the \textit{md} variable before returning automatically. To test a hash function call: \begin{verbatim} @@ -1626,35 +2028,46 @@ int main(void) \end{verbatim} \end{small} -\section{Hash Descriptors} -Like the set of ciphers the set of hashes have descriptors too. They are stored in an array called ``hash\_descriptor'' and +\mysection{Hash Descriptors} +Like the set of ciphers, the set of hashes have descriptors as well. They are stored in an array called \textit{hash\_descriptor} and are defined by: \begin{verbatim} struct _hash_descriptor { char *name; + unsigned long hashsize; /* digest output size in bytes */ unsigned long blocksize; /* the block size the hash uses */ + void (*init) (hash_state *hash); - int (*process)(hash_state *hash, - const unsigned char *in, unsigned long inlen); + + int (*process)( hash_state *hash, + const unsigned char *in, + unsigned long inlen); + int (*done) (hash_state *hash, unsigned char *out); + int (*test) (void); }; \end{verbatim} \index{find\_hash()} -Similarly ``name'' is the name of the hash function in ASCII (all lowercase). ``hashsize'' is the size of the digest output -in bytes. The remaining fields are pointers to the functions that do the respective tasks. There is a function to -search the array as well called ``int find\_hash(char *name)''. It returns -1 if the hash is not found, otherwise the +The \textit{name} member is the name of the hash function (all lowercase). The \textit{hashsize} member is the size of the digest output +in bytes, while \textit{blocksize} is the size of blocks the hash expects to the compression function. Technically, this detail is not important +for high level developers but is useful to know for performance reasons. + +The \textit{init} member initializes the hash, \textit{process} passes data through the hash, \textit{done} terminates the hash and retrieves the +digest. The \textit{test} member tests the hash against the specified test vectors. + +There is a function to search the array as well called \textit{int find\_hash(char *name)}. It returns -1 if the hash is not found, otherwise, the position in the descriptor table of the hash. -In addition to find\_hash() there is also find\_hash\_oid() which finds a hash by the ASN.1 OBJECT IDENTIFIER string. -\index {find\_hash\_oid()} +In addition, there is also find\_hash\_oid() which finds a hash by the ASN.1 OBJECT IDENTIFIER string. +\index{find\_hash\_oid()} \begin{verbatim} int find_hash_oid(const unsigned long *ID, unsigned long IDlen); \end{verbatim} -You can use the table to indirectly call a hash function that is chosen at runtime. For example: +You can use the table to indirectly call a hash function that is chosen at run-time. For example: \begin{small} \begin{verbatim} #include @@ -1699,27 +2112,33 @@ int main(void) \end{verbatim} \end{small} -Note the usage of ``MAXBLOCKSIZE''. In Libtomcrypt no symmetric block, key or hash digest is larger than MAXBLOCKSIZE in +Note the usage of \textbf{MAXBLOCKSIZE}. In LibTomCrypt, no symmetric block, key or hash digest is larger than \textbf{MAXBLOCKSIZE} in length. This provides a simple size you can set your automatic arrays to that will not get overrun. There are three helper functions as well: \index{hash\_memory()} \index{hash\_file()} \begin{verbatim} -int hash_memory(int hash, - const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen); +int hash_memory( int hash, + const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen); -int hash_file(int hash, const char *fname, - unsigned char *out, unsigned long *outlen); +int hash_file( int hash, + const char *fname, + unsigned char *out, + unsigned long *outlen); -int hash_filehandle(int hash, FILE *in, - unsigned char *out, unsigned long *outlen); +int hash_filehandle( int hash, + FILE *in, + unsigned char *out, + unsigned long *outlen); \end{verbatim} -The ``hash'' parameter is the location in the descriptor table of the hash (\textit{e.g. the return of find\_hash()}). -The ``*outlen'' variable is used to keep track of the output size. You must set it to the size of your output buffer before -calling the functions. When they complete succesfully they store the length of the message digest back in it. The functions -are otherwise straightforward. The ``hash\_filehandle'' function assumes that ``in'' is an file handle opened in binary mode. +The \textit{hash} parameter is the location in the descriptor table of the hash (\textit{e.g. the return of find\_hash()}). +The \textit{*outlen} variable is used to keep track of the output size. You must set it to the size of your output buffer before +calling the functions. When they complete successfully, they store the length of the message digest back in it. The functions +are otherwise straightforward. The \textit{hash\_filehandle} function assumes that \textit{in} is an file handle opened in binary mode. It will hash to the end of file and not reset the file position when finished. To perform the above hash with md5 the following code could be used: @@ -1743,7 +2162,8 @@ int main(void) /* call the hash */ len = sizeof(out); - if ((err = hash_memory(idx, "hello world", 11, out, &len)) != CRYPT_OK) { + if ((err = + hash_memory(idx, "hello world", 11, out, &len)) != CRYPT_OK) { printf("Error hashing data: %s\n", error_to_string(err)); return -1; } @@ -1752,15 +2172,29 @@ int main(void) \end{verbatim} \end{small} -The following hashes are provided as of this release: +\subsection{Hash Registration} +Similar to the cipher descriptor table you must register your hash algorithms before you can use them. These functions +work exactly like those of the cipher registration code. The functions are: +\index{register\_hash()} \index{unregister\_hash()} +\begin{verbatim} +int register_hash(const struct _hash_descriptor *hash); + +int unregister_hash(const struct _hash_descriptor *hash); +\end{verbatim} + +The following hashes are provided as of this release within the LibTomCrypt library: \index{Hash descriptor table} + +\begin{figure}[here] \begin{center} \begin{tabular}{|c|c|c|} - \hline Name & Descriptor Name & Size of Message Digest (bytes) \\ + \hline \textbf{Name} & \textbf{Descriptor Name} & \textbf{Size of Message Digest (bytes)} \\ \hline WHIRLPOOL & whirlpool\_desc & 64 \\ \hline SHA-512 & sha512\_desc & 64 \\ \hline SHA-384 & sha384\_desc & 48 \\ + \hline RIPEMD-320 & rmd160\_desc & 40 \\ \hline SHA-256 & sha256\_desc & 32 \\ + \hline RIPEMD-256 & rmd160\_desc & 32 \\ \hline SHA-224 & sha224\_desc & 28 \\ \hline TIGER-192 & tiger\_desc & 24 \\ \hline SHA-1 & sha1\_desc & 20 \\ @@ -1772,22 +2206,17 @@ The following hashes are provided as of this release: \hline \end{tabular} \end{center} +\caption{Built--In Software Hashes} +\end{figure} +\vfil -Similar to the cipher descriptor table you must register your hash algorithms before you can use them. These functions -work exactly like those of the cipher registration code. The functions are: -\index{register\_hash()} \index{unregister\_hash()} -\begin{verbatim} -int register_hash(const struct _hash_descriptor *hash); -int unregister_hash(const struct _hash_descriptor *hash); -\end{verbatim} - -\section{Cipher Hash Construction} +\mysection{Cipher Hash Construction} \index{Cipher Hash Construction} -An addition to the suite of hash functions is the ``Cipher Hash Construction'' or ``CHC'' mode. In this mode +An addition to the suite of hash functions is the \textit{Cipher Hash Construction} or \textit{CHC} mode. In this mode applicable block ciphers (such as AES) can be turned into hash functions that other LTC functions can use. In particular this allows a cryptosystem to be designed using very few moving parts. -In order to use the CHC system the developer will have to take a few extra steps. First the ``chc\_desc'' hash +In order to use the CHC system the developer will have to take a few extra steps. First the \textit{chc\_desc} hash descriptor must be registered with register\_hash(). At this point the CHC hash cannot be used to hash data. While it is in the hash system you still have to tell the CHC code which cipher to use. This is accomplished via the chc\_register() function. @@ -1826,15 +2255,17 @@ int main(void) /* start chc with AES */ if ((err = chc_register(find_cipher("aes"))) != CRYPT_OK) { - printf("Error binding AES to CHC: %s\n", error_to_string(err)); + printf("Error binding AES to CHC: %s\n", + error_to_string(err)); } - /* now you can use chc_hash in any LTC function [aside from pkcs...] */ - /* ... */ + /* now you can use chc_hash in any LTC function + * [aside from pkcs...] */ +} \end{verbatim} -\section{Notice} +\mysection{Notice} It is highly recommended that you \textbf{not} use the MD4 or MD5 hashes for the purposes of digital signatures or authentication codes. These hashes are provided for completeness and they still can be used for the purposes of password hashing or one-way accumulators (e.g. Yarrow). @@ -1843,64 +2274,71 @@ The other hashes such as the SHA-1, SHA-2 (that includes SHA-512, SHA-384 and SH for all purposes you would normally use a hash for. \chapter{Message Authentication Codes} -\section{HMAC Protocol} -Thanks to Dobes Vandermeer the library now includes support for hash based message authenication codes or HMAC for short. An HMAC -of a message is a keyed authenication code that only the owner of a private symmetric key will be able to verify. The purpose is +\mysection{HMAC Protocol} +Thanks to Dobes Vandermeer, the library now includes support for hash based message authentication codes, or HMAC for short. An HMAC +of a message is a keyed authentication code that only the owner of a private symmetric key will be able to verify. The purpose is to allow an owner of a private symmetric key to produce an HMAC on a message then later verify if it is correct. Any impostor or eavesdropper will not be able to verify the authenticity of a message. The HMAC support works much like the normal hash functions except that the initialization routine requires you to pass a key and its length. The key is much like a key you would pass to a cipher. That is, it is simply an array of octets stored in -chars. The initialization routine is: +unsigned characters. The initialization routine is: \index{hmac\_init()} \begin{verbatim} -int hmac_init(hmac_state *hmac, int hash, - const unsigned char *key, unsigned long keylen); +int hmac_init( hmac_state *hmac, + int hash, + const unsigned char *key, + unsigned long keylen); \end{verbatim} -The ``hmac'' parameter is the state for the HMAC code. ``hash'' is the index into the descriptor table of the hash you want -to use to authenticate the message. ``key'' is the pointer to the array of chars that make up the key. ``keylen'' is the +The \textit{hmac} parameter is the state for the HMAC code. The \textit{hash} parameter is the index into the descriptor table of the hash you want +to use to authenticate the message. The \textit{key} parameter is the pointer to the array of chars that make up the key. The \textit{keylen} parameter is the length (in octets) of the key you want to use to authenticate the message. To send octets of a message through the HMAC system you must use the following function: \index{hmac\_process()} \begin{verbatim} -int hmac_process(hmac_state *hmac, - const unsigned char *in, unsigned long inlen); +int hmac_process( hmac_state *hmac, + const unsigned char *in, + unsigned long inlen); \end{verbatim} -``hmac'' is the HMAC state you are working with. ``buf'' is the array of octets to send into the HMAC process. ``len'' is the -number of octets to process. Like the hash process routines you can send the data in arbitrarly sized chunks. When you +\textit{hmac} is the HMAC state you are working with. \textit{buf} is the array of octets to send into the HMAC process. \textit{len} is the +number of octets to process. Like the hash process routines you can send the data in arbitrarily sized chunks. When you are finished with the HMAC process you must call the following function to get the HMAC code: \index{hmac\_done()} \begin{verbatim} -int hmac_done(hmac_state *hmac, - unsigned char *out, unsigned long *outlen); +int hmac_done( hmac_state *hmac, + unsigned char *out, + unsigned long *outlen); \end{verbatim} -``hmac'' is the HMAC state you are working with. ``out'' is the array of octets where the HMAC code should be stored. You must -set ``outlen'' to the size of the destination buffer before calling this function. It is updated with the length of the HMAC code -produced (depending on which hash was picked). If ``outlen'' is less than the size of the message digest (and ultimately -the HMAC code) then the HMAC code is truncated as per FIPS-198 specifications (e.g. take the first ``outlen'' bytes). +The \textit{hmac} parameter is the HMAC state you are working with. The \textit{out} parameter is the array of octets where the HMAC code should be stored. +You must set \textit{outlen} to the size of the destination buffer before calling this function. It is updated with the length of the HMAC code +produced (depending on which hash was picked). If \textit{outlen} is less than the size of the message digest (and ultimately +the HMAC code) then the HMAC code is truncated as per FIPS-198 specifications (e.g. take the first \textit{outlen} bytes). -There are two utility functions provided to make using HMACs easier todo. They accept the key and information about the -message (file pointer, address in memory) and produce the HMAC result in one shot. These are useful if you want to avoid +There are two utility functions provided to make using HMACs easier to do. They accept the key and information about the +message (file pointer, address in memory), and produce the HMAC result in one shot. These are useful if you want to avoid calling the three step process yourself. \index{hmac\_memory()} \begin{verbatim} -int hmac_memory(int hash, - const unsigned char *key, unsigned long keylen, - const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen); +int hmac_memory( + int hash, + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen); \end{verbatim} -This will produce an HMAC code for the array of octets in ``in'' of length ``inlen''. The index into the hash descriptor -table must be provided in ``hash''. It uses the key from ``key'' with a key length of ``keylen''. -The result is stored in the array of octets ``out'' and the length in ``outlen''. The value of ``outlen'' must be set +This will produce an HMAC code for the array of octets in \textit{in} of length \textit{inlen}. The index into the hash descriptor +table must be provided in \textit{hash}. It uses the key from \textit{key} with a key length of \textit{keylen}. +The result is stored in the array of octets \textit{out} and the length in \textit{outlen}. The value of \textit{outlen} must be set to the size of the destination buffer before calling this function. Similarly for files there is the following function: \index{hmac\_file()} \begin{verbatim} -int hmac_file(int hash, const char *fname, - const unsigned char *key, unsigned long keylen, - unsigned char *out, unsigned long *outlen); +int hmac_file( + int hash, + const char *fname, + const unsigned char *key, unsigned long keylen, + unsigned char *out, unsigned long *outlen); \end{verbatim} -``hash'' is the index into the hash descriptor table of the hash you want to use. ``fname'' is the filename to process. -``key'' is the array of octets to use as the key of length ``keylen''. ``out'' is the array of octets where the +\textit{hash} is the index into the hash descriptor table of the hash you want to use. \textit{fname} is the filename to process. +\textit{key} is the array of octets to use as the key of length \textit{keylen}. \textit{out} is the array of octets where the result should be stored. To test if the HMAC code is working there is the following function: @@ -1958,28 +2396,33 @@ int main(void) \end{verbatim} \end{small} -\section{OMAC Support} +\mysection{OMAC Support} +\index{OMAC} \index{CMAC} OMAC\footnote{\url{http://crypt.cis.ibaraki.ac.jp/omac/omac.html}}, which stands for \textit{One-Key CBC MAC} is an -algorithm which produces a Message Authentication Code (MAC) using only a block cipher such as AES. From an API -standpoint the OMAC routines work much like the HMAC routines do. Instead in this case a cipher is used instead of a hash. +algorithm which produces a Message Authentication Code (MAC) using only a block cipher such as AES. Note: OMAC has been standardized as +CMAC within NIST, for the purposes of this library OMAC and CMAC are synonymous. From an API standpoint, the OMAC routines work much like the +HMAC routines. Instead, in this case a cipher is used instead of a hash. To start an OMAC state you call \index{omac\_init()} \begin{verbatim} -int omac_init(omac_state *omac, int cipher, - const unsigned char *key, unsigned long keylen); +int omac_init( omac_state *omac, + int cipher, + const unsigned char *key, + unsigned long keylen); \end{verbatim} -The ``omac'' variable is the state for the OMAC algorithm. ``cipher'' is the index into the cipher\_descriptor table +The \textit{omac} parameter is the state for the OMAC algorithm. The \textit{cipher} parameter is the index into the cipher\_descriptor table of the cipher\footnote{The cipher must have a 64 or 128 bit block size. Such as CAST5, Blowfish, DES, AES, Twofish, etc.} you -wish to use. ``key'' and ``keylen'' are the keys used to authenticate the data. +wish to use. The \textit{key} and \textit{keylen} parameters are the keys used to authenticate the data. To send data through the algorithm call \index{omac\_process()} \begin{verbatim} -int omac_process(omac_state *state, - const unsigned char *in, unsigned long inlen); +int omac_process( omac_state *state, + const unsigned char *in, + unsigned long inlen); \end{verbatim} -This will send ``inlen'' bytes from ``in'' through the active OMAC state ``state''. Returns \textbf{CRYPT\_OK} if the +This will send \textit{inlen} bytes from \textit{in} through the active OMAC state \textit{state}. Returns \textbf{CRYPT\_OK} if the function succeeds. The function is not sensitive to the granularity of the data. For example, \begin{verbatim} @@ -1997,13 +2440,14 @@ When you are done processing the message you can call the following to compute t \index{omac\_done()} \begin{verbatim} -int omac_done(omac_state *state, - unsigned char *out, unsigned long *outlen); +int omac_done( omac_state *state, + unsigned char *out, + unsigned long *outlen); \end{verbatim} -Which will terminate the OMAC and output the \textit{tag} (MAC) to ``out''. Note that unlike the HMAC and other code -``outlen'' can be smaller than the default MAC size (for instance AES would make a 16-byte tag). Part of the OMAC +Which will terminate the OMAC and output the \textit{tag} (MAC) to \textit{out}. Note that unlike the HMAC and other code +\textit{outlen} can be smaller than the default MAC size (for instance AES would make a 16-byte tag). Part of the OMAC specification states that the output may be truncated. So if you pass in $outlen = 5$ and use AES as your cipher than -the output MAC code will only be five bytes long. If ``outlen'' is larger than the default size it is set to the default +the output MAC code will only be five bytes long. If \textit{outlen} is larger than the default size it is set to the default size to show how many bytes were actually used. Similar to the HMAC code the file and memory functions are also provided. To OMAC a buffer of memory in one shot use the @@ -2016,8 +2460,8 @@ int omac_memory(int cipher, const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen); \end{verbatim} -This will compute the OMAC of ``inlen'' bytes of ``in'' using the key ``key'' of length ``keylen'' bytes and the cipher -specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with the same +This will compute the OMAC of \textit{inlen} bytes of \textit{in} using the key \textit{key} of length \textit{keylen} bytes and the cipher +specified by the \textit{cipher}'th entry in the cipher\_descriptor table. It will store the MAC in \textit{out} with the same rules as omac\_done. To OMAC a file use @@ -2029,8 +2473,8 @@ int omac_file(int cipher, unsigned char *out, unsigned long *outlen); \end{verbatim} -Which will OMAC the entire contents of the file specified by ``filename'' using the key ``key'' of length ``keylen'' bytes -and the cipher specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with +Which will OMAC the entire contents of the file specified by \textit{filename} using the key \textit{key} of length \textit{keylen} bytes +and the cipher specified by the \textit{cipher}'th entry in the cipher\_descriptor table. It will store the MAC in \textit{out} with the same rules as omac\_done. To test if the OMAC code is working there is the following function: @@ -2088,8 +2532,8 @@ int main(void) \end{verbatim} \end{small} -\section{PMAC Support} -The PMAC\footnote{J.Black, P.Rogaway, ``A Block--Cipher Mode of Operation for Parallelizable Message Authentication''} +\mysection{PMAC Support} +The PMAC\footnote{J.Black, P.Rogaway, \textit{A Block--Cipher Mode of Operation for Parallelizable Message Authentication}} protocol is another MAC algorithm that relies solely on a symmetric-key block cipher. It uses essentially the same API as the provided OMAC code. @@ -2100,7 +2544,7 @@ A PMAC state is initialized with the following. int pmac_init(pmac_state *pmac, int cipher, const unsigned char *key, unsigned long keylen); \end{verbatim} -Which initializes the ``pmac'' state with the given ``cipher'' and ``key'' of length ``keylen'' bytes. The chosen cipher +Which initializes the \textit{pmac} state with the given \textit{cipher} and \textit{key} of length \textit{keylen} bytes. The chosen cipher must have a 64 or 128 bit block size (e.x. AES). To MAC data simply send it through the process function. @@ -2110,7 +2554,7 @@ To MAC data simply send it through the process function. int pmac_process(pmac_state *state, const unsigned char *in, unsigned long inlen); \end{verbatim} -This will process ``inlen'' bytes of ``in'' in the given ``state''. The function is not sensitive to the granularity of the +This will process \textit{inlen} bytes of \textit{in} in the given \textit{state}. The function is not sensitive to the granularity of the data. For example, \begin{verbatim} @@ -2131,8 +2575,8 @@ When a complete message has been processed the following function can be called int pmac_done(pmac_state *state, unsigned char *out, unsigned long *outlen); \end{verbatim} -This will store upto ``outlen'' bytes of the tag for the given ``state'' into ``out''. Note that if ``outlen'' is larger -than the size of the tag it is set to the amount of bytes stored in ``out''. +This will store upto \textit{outlen} bytes of the tag for the given \textit{state} into \textit{out}. Note that if \textit{outlen} is larger +than the size of the tag it is set to the amount of bytes stored in \textit{out}. Similar to the PMAC code the file and memory functions are also provided. To PMAC a buffer of memory in one shot use the following function. @@ -2144,8 +2588,8 @@ int pmac_memory(int cipher, const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen); \end{verbatim} -This will compute the PMAC of ``msglen'' bytes of ``msg'' using the key ``key'' of length ``keylen'' bytes and the cipher -specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with the same +This will compute the PMAC of \textit{msglen} bytes of \textit{msg} using the key \textit{key} of length \textit{keylen} bytes and the cipher +specified by the \textit{cipher}'th entry in the cipher\_descriptor table. It will store the MAC in \textit{out} with the same rules as omac\_done. To PMAC a file use @@ -2157,8 +2601,8 @@ int pmac_file(int cipher, unsigned char *out, unsigned long *outlen); \end{verbatim} -Which will PMAC the entire contents of the file specified by ``filename'' using the key ``key'' of length ``keylen'' bytes -and the cipher specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with +Which will PMAC the entire contents of the file specified by \textit{filename} using the key \textit{key} of length \textit{keylen} bytes +and the cipher specified by the \textit{cipher}'th entry in the cipher\_descriptor table. It will store the MAC in \textit{out} with the same rules as omac\_done. To test if the PMAC code is working there is the following function: @@ -2168,22 +2612,26 @@ int pmac_test(void); \end{verbatim} Which returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code. -\section{Pelican MAC} -Pelican MAC is a new (experimental) MAC by the AES team that uses four rounds of AES as a ``mixing function''. It achieves a very high +\mysection{Pelican MAC} +Pelican MAC is a new (experimental) MAC by the AES team that uses four rounds of AES as a \textit{mixing function}. It achieves a very high rate of processing and is potentially very secure. It requires AES to be enabled to function. You do not have to register\_cipher() AES first though as it calls AES directly. \index{pelican\_init()} \begin{verbatim} -int pelican_init(pelican_state *pelmac, const unsigned char *key, unsigned long keylen); +int pelican_init( pelican_state *pelmac, + const unsigned char *key, + unsigned long keylen); \end{verbatim} This will initialize the Pelican state with the given AES key. Once this has been done you can begin processing data. \index{pelican\_process()} \begin{verbatim} -int pelican_process(pelican_state *pelmac, const unsigned char *in, unsigned long inlen); +int pelican_process( pelican_state *pelmac, + const unsigned char *in, + unsigned long inlen); \end{verbatim} -This will process ``inlen'' bytes of ``in'' through the Pelican MAC. It's best that you pass in multiples of 16 bytes as it makes the +This will process \textit{inlen} bytes of \textit{in} through the Pelican MAC. It's best that you pass in multiples of 16 bytes as it makes the routine more efficient but you may pass in any length of text. You can call this function as many times as required to process an entire message. @@ -2191,7 +2639,7 @@ an entire message. \begin{verbatim} int pelican_done(pelican_state *pelmac, unsigned char *out); \end{verbatim} -This terminates a Pelican MAC and writes the 16--octet tag to ``out''. +This terminates a Pelican MAC and writes the 16--octet tag to \textit{out}. \subsection{Example} @@ -2206,11 +2654,12 @@ int main(void) /* somehow initialize a key */ /* initialize pelican mac */ - if ((err = pelican_init(&pelstate, /* the state */ - key, /* user key */ - 32 /* key length in octets */ + if ((err = pelican_init(&pelstate, /* the state */ + key, /* user key */ + 32 /* key length in octets */ )) != CRYPT_OK) { - printf("Error initializing Pelican: %s", error_to_string(err)); + printf("Error initializing Pelican: %s", + error_to_string(err)); return EXIT_FAILURE; } @@ -2219,15 +2668,17 @@ int main(void) "hello world", /* data to mac */ 11 /* length of data */ )) != CRYPT_OK) { - printf("Error processing Pelican: %s", error_to_string(err)); + printf("Error processing Pelican: %s", + error_to_string(err)); return EXIT_FAILURE; } /* Terminate the MAC */ - if ((err = pelican_done(&pelstate, /* the state */ - tag /* where to store the tag */ + if ((err = pelican_done(&pelstate,/* the state */ + tag /* where to store the tag */ )) != CRYPT_OK) { - printf("Error terminating Pelican: %s", error_to_string(err)); + printf("Error terminating Pelican: %s", + error_to_string(err)); return EXIT_FAILURE; } @@ -2239,10 +2690,10 @@ int main(void) \chapter{Pseudo-Random Number Generators} -\section{Core Functions} +\mysection{Core Functions} The library provides an array of core functions for Pseudo-Random Number Generators (PRNGs) as well. A cryptographic PRNG is used to expand a shorter bit string into a longer bit string. PRNGs are used wherever random data is required such as Public Key (PK) -key generation. There is a universal structure called ``prng\_state''. To initialize a PRNG call: +key generation. There is a universal structure called \textit{prng\_state}. To initialize a PRNG call: \index{PRNG start} \begin{verbatim} int XXX_start(prng_state *prng); @@ -2287,8 +2738,8 @@ int XXX_export(unsigned char *out, unsigned long *outlen, prng_state *prng); \end{verbatim} -This will write a ``PRNG state'' to the buffer ``out'' of length ``outlen'' bytes. The idea of -the export is meant to be used as a ``seed file''. That is, when the program starts up there will not likely +This will write a \textit{PRNG state} to the buffer \textit{out} of length \textit{outlen} bytes. The idea of +the export is meant to be used as a \textit{seed file}. That is, when the program starts up there will not likely be that much entropy available. To import a state to seed a PRNG call the following function. \index{PRNG import} @@ -2298,10 +2749,10 @@ int XXX_import(const unsigned char *in, unsigned long inlen, \end{verbatim} This will call the start and add\_entropy functions of the given PRNG. It will use the state in -``in'' of length ``inlen'' as the initial seed. You must pass the same seed length as was exported +\textit{in} of length \textit{inlen} as the initial seed. You must pass the same seed length as was exported by the corresponding export function. -Note that importing a state will not ``resume'' the PRNG from where it left off. That is, if you export +Note that importing a state will not \textit{resume} the PRNG from where it left off. That is, if you export a state, emit (say) 8 bytes and then import the previously exported state the next 8 bytes will not specifically equal the 8 bytes you generated previously. @@ -2355,38 +2806,50 @@ int main(void) printf("Start error: %s\n", error_to_string(err)); } /* add entropy */ - if ((err = yarrow_add_entropy("hello world", 11, &prng)) != CRYPT_OK) { + if ((err = yarrow_add_entropy("hello world", 11, &prng)) + != CRYPT_OK) { printf("Add_entropy error: %s\n", error_to_string(err)); } /* ready and read */ if ((err = yarrow_ready(&prng)) != CRYPT_OK) { printf("Ready error: %s\n", error_to_string(err)); } - printf("Read %lu bytes from yarrow\n", yarrow_read(buf, 10, &prng)); + printf("Read %lu bytes from yarrow\n", + yarrow_read(buf, 10, &prng)); return 0; } \end{verbatim} -\section{PRNG Descriptors} +\mysection{PRNG Descriptors} \index{PRNG Descriptor} -PRNGs have descriptors too (surprised?). Stored in the structure ``prng\_descriptor''. The format of an element is: +PRNGs have descriptors too (surprised?). Stored in the structure \textit{prng\_descriptor}. The format of an element is: \begin{verbatim} struct _prng_descriptor { char *name; int export_size; /* size in bytes of exported state */ + int (*start) (prng_state *); - int (*add_entropy)(const unsigned char *, unsigned long, prng_state *); + + int (*add_entropy)(const unsigned char *, unsigned long, + prng_state *); + int (*ready) (prng_state *); - unsigned long (*read)(unsigned char *, unsigned long len, prng_state *); + + unsigned long (*read)(unsigned char *, unsigned long len, + prng_state *); + void (*done)(prng_state *); + int (*export)(unsigned char *, unsigned long *, prng_state *); + int (*import)(const unsigned char *, unsigned long, prng_state *); + int (*test)(void); }; \end{verbatim} \index{find\_prng()} -There is a ``int find\_prng(char *name)'' function as well. Returns -1 if the PRNG is not found, otherwise it returns +There is a \textit{int find\_prng(char *name)} function as well. Returns -1 if the PRNG is not found, otherwise it returns the position in the prng\_descriptor array. Just like the ciphers and hashes you must register your prng before you can use it. The two functions provided work @@ -2440,7 +2903,7 @@ recover from that problem until new entropy is added to the pool and put to use \subsubsection{RC4} -RC4 is an old stream cipher that can also double duty as a PRNG in a pinch. You ``key'' it by +RC4 is an old stream cipher that can also double duty as a PRNG in a pinch. You \textit{key} it by calling add\_entropy() and setup the key by calling ready(). You can only add upto 256 bytes via add\_entropy(). @@ -2452,7 +2915,7 @@ simply that faster alternatives exist. \subsubsection{SOBER-128} -SOBER-128 is a stream cipher designed by the QUALCOMM Australia team. Like RC4 you ``key'' it by +SOBER-128 is a stream cipher designed by the QUALCOMM Australia team. Like RC4 you \textit{key} it by calling add\_entropy(). There is no need to call ready() for this PRNG as it does not do anything. Note that this cipher has several oddities about how it operates. The first time you call @@ -2486,7 +2949,7 @@ int main(void) exit(-1); } - /* use ``key'' as the key */ + /* use \textit{key} as the key */ if ((err = rc4_add_entropy("key", 3, &prng)) != CRYPT_OK) { printf("RC4 add entropy error: %s\n", error_to_string(err)); exit(-1); @@ -2510,7 +2973,7 @@ int main(void) \end{small} To decrypt you have to do the exact same steps. -\section{The Secure RNG} +\mysection{The Secure RNG} \index{Secure RNG} An RNG is related to a PRNG except that it doesn't expand a smaller seed to get the data. They generate their random bits by performing some computation on fresh input bits. Possibly the hardest thing to get correctly in a cryptosystem is the @@ -2524,10 +2987,10 @@ unsigned long rng_get_bytes(unsigned char *buf, unsigned long len, void (*callback)(void)); \end{verbatim} -Which will try one of three methods of getting random data. The first is to open the popular ``/dev/random'' device which -on most *NIX platforms provides cryptographic random bits\footnote{This device is available in Windows through the Cygwin compiler suite. It emulates ``/dev/random'' via the Microsoft CSP.}. +Which will try one of three methods of getting random data. The first is to open the popular \textit{/dev/random} device which +on most *NIX platforms provides cryptographic random bits\footnote{This device is available in Windows through the Cygwin compiler suite. It emulates \textit{/dev/random} via the Microsoft CSP.}. The second method is to try the Microsoft Cryptographic Service Provider and read the RNG. The third method is an ANSI C -clock drift method that is also somewhat popular but gives bits of lower entropy. The ``callback'' parameter is a pointer to a function that returns void. Its used when the slower ANSI C RNG must be +clock drift method that is also somewhat popular but gives bits of lower entropy. The \textit{callback} parameter is a pointer to a function that returns void. Its used when the slower ANSI C RNG must be used so the calling application can still work. This is useful since the ANSI C RNG has a throughput of three bytes a second. The callback pointer may be set to {\bf NULL} to avoid using it if you don't want to. The function returns the number of bytes actually read from any RNG source. There is a function to help setup a PRNG as well: @@ -2536,8 +2999,8 @@ returns the number of bytes actually read from any RNG source. There is a funct int rng_make_prng(int bits, int wprng, prng_state *prng, void (*callback)(void)); \end{verbatim} -This will try to setup the prng with a state of at least ``bits'' of entropy. The ``callback'' parameter works much like -the callback in ``rng\_get\_bytes()''. It is highly recommended that you use this function to setup your PRNGs unless you have a +This will try to setup the prng with a state of at least \textit{bits} of entropy. The \textit{callback} parameter works much like +the callback in \textit{rng\_get\_bytes()}. It is highly recommended that you use this function to setup your PRNGs unless you have a platform where the RNG doesn't work well. Example usage of this function is given below. \begin{small} @@ -2556,13 +3019,15 @@ int main(void) } /* setup the PRNG */ - if ((err = rng_make_prng(128, find_prng("yarrow"), &prng, NULL)) != CRYPT_OK) { + if ((err = rng_make_prng(128, find_prng("yarrow"), &prng, NULL)) + != CRYPT_OK) { printf("Error setting up PRNG, %s\n", error_to_string(err)); return -1; } /* make a 192-bit ECC key */ - if ((err = ecc_make_key(&prng, find_prng("yarrow"), 24, &mykey)) != CRYPT_OK) { + if ((err = ecc_make_key(&prng, find_prng("yarrow"), 24, &mykey)) + != CRYPT_OK) { printf("Error making key: %s\n", error_to_string(err)); return -1; } @@ -2592,7 +3057,8 @@ int main(void) } /* make a 192-bit ECC key */ - if ((err = ecc_make_key(NULL, find_prng("sprng"), 24, &mykey)) != CRYPT_OK) { + if ((err = ecc_make_key(NULL, find_prng("sprng"), 24, &mykey)) + != CRYPT_OK) { printf("Error making key: %s\n", error_to_string(err)); return -1; } @@ -2605,13 +3071,13 @@ int main(void) \chapter{RSA Public Key Cryptography} -\section{Introduction} +\mysection{Introduction} RSA wrote the PKCS \#1 specifications which detail RSA Public Key Cryptography. In the specifications are -padding algorithms for encryption and signatures. The standard includes the ``v2.1'' algorithms. +padding algorithms for encryption and signatures. The standard includes the \textit{v2.1} algorithms. To simplify matters a little the v2.1 encryption and signature padding algorithms are called OAEP and PSS respectively. -\section{PKCS \#1 Encryption} +\mysection{PKCS \#1 Encryption} PKCS \#1 RSA Encryption amounts to OAEP padding of the input message followed by the modular exponentiation. As far as this portion of the library is concerned we are only dealing with th OAEP padding of the message. @@ -2620,24 +3086,29 @@ the library is concerned we are only dealing with th OAEP padding of the message \index{pkcs\_1\_oaep\_encode()} \begin{alltt} -int pkcs_1_oaep_encode(const unsigned char *msg, unsigned long msglen, - const unsigned char *lparam, unsigned long lparamlen, - unsigned long modulus_bitlen, prng_state *prng, - int prng_idx, int hash_idx, - unsigned char *out, unsigned long *outlen); +int pkcs_1_oaep_encode(const unsigned char *msg, + unsigned long msglen, + const unsigned char *lparam, + unsigned long lparamlen, + unsigned long modulus_bitlen, + prng_state *prng, + int prng_idx, + int hash_idx, + unsigned char *out, + unsigned long *outlen); \end{alltt} -This accepts ``msg'' as input of length ``msglen'' which will be OAEP padded. The ``lparam'' variable is an additional system specific +This accepts \textit{msg} as input of length \textit{msglen} which will be OAEP padded. The \textit{lparam} variable is an additional system specific tag that can be applied to the encoding. This is useful to identify which system encoded the message. If no variance is desired then -``lparam'' can be set to \textbf{NULL}. +\textit{lparam} can be set to \textbf{NULL}. OAEP encoding requires the length of the modulus in bits in order to calculate the size of the output. This is passed as the parameter -``modulus\_bitlen''. ``hash\_idx'' is the index into the hash descriptor table of the hash desired. PKCS \#1 allows any hash to be +\textit{modulus\_bitlen}. \textit{hash\_idx} is the index into the hash descriptor table of the hash desired. PKCS \#1 allows any hash to be used but both the encoder and decoder must use the same hash in order for this to succeed. The size of hash output affects the maximum - sized input message. ``prng\_idx'' and ``prng'' are the random number generator arguments required to randomize the padding process. -The padded message is stored in ``out'' along with the length in ``outlen''. + sized input message. \textit{prng\_idx} and \textit{prng} are the random number generator arguments required to randomize the padding process. +The padded message is stored in \textit{out} along with the length in \textit{outlen}. -If $h$ is the length of the hash and $m$ the length of the modulus (both in octets) then the maximum payload for ``msg'' is +If $h$ is the length of the hash and $m$ the length of the modulus (both in octets) then the maximum payload for \textit{msg} is $m - 2h - 2$. For example, with a $1024$--bit RSA key and SHA--1 as the hash the maximum payload is $86$ bytes. Note that when the message is padded it still has not been RSA encrypted. You must pass the output of this function to @@ -2647,43 +3118,51 @@ rsa\_exptmod() to encrypt it. \index{pkcs\_1\_oaep\_decode()} \begin{alltt} -int pkcs_1_oaep_decode(const unsigned char *msg, unsigned long msglen, - const unsigned char *lparam, unsigned long lparamlen, - unsigned long modulus_bitlen, int hash_idx, - unsigned char *out, unsigned long *outlen, - int *res); +int pkcs_1_oaep_decode(const unsigned char *msg, + unsigned long msglen, + const unsigned char *lparam, + unsigned long lparamlen, + unsigned long modulus_bitlen, + int hash_idx, + unsigned char *out, + unsigned long *outlen, + int *res); \end{alltt} -This function decodes an OAEP encoded message and outputs the original message that was passed to the OAEP encoder. ``msg'' is the -output of pkcs\_1\_oaep\_encode() of length ``msglen''. ``lparam'' is the same system variable passed to the OAEP encoder. If it does not -match what was used during encoding this function will not decode the packet. ``modulus\_bitlen'' is the size of the RSA modulus in bits -and must match what was used during encoding. Similarly the ``hash\_idx'' index into the hash descriptor table must match what was used +This function decodes an OAEP encoded message and outputs the original message that was passed to the OAEP encoder. \textit{msg} is the +output of pkcs\_1\_oaep\_encode() of length \textit{msglen}. \textit{lparam} is the same system variable passed to the OAEP encoder. If it does not +match what was used during encoding this function will not decode the packet. \textit{modulus\_bitlen} is the size of the RSA modulus in bits +and must match what was used during encoding. Similarly the \textit{hash\_idx} index into the hash descriptor table must match what was used during encoding. -If the function succeeds it decodes the OAEP encoded message into ``out'' of length ``outlen'' and stores a -$1$ in ``res''. If the packet is invalid it stores $0$ in ``res'' and if the function fails for another reason +If the function succeeds it decodes the OAEP encoded message into \textit{out} of length \textit{outlen} and stores a +$1$ in \textit{res}. If the packet is invalid it stores $0$ in \textit{res} and if the function fails for another reason it returns an error code. -\section{PKCS \#1 Digital Signatures} +\mysection{PKCS \#1 Digital Signatures} \subsection{PSS Encoding} PSS encoding is the second half of the PKCS \#1 standard which is padding to be applied to messages that are signed. \index{pkcs\_1\_pss\_encode()} \begin{alltt} -int pkcs_1_pss_encode(const unsigned char *msghash, unsigned long msghashlen, - unsigned long saltlen, prng_state *prng, - int prng_idx, int hash_idx, - unsigned long modulus_bitlen, - unsigned char *out, unsigned long *outlen); +int pkcs_1_pss_encode(const unsigned char *msghash, + unsigned long msghashlen, + unsigned long saltlen, + prng_state *prng, + int prng_idx, + int hash_idx, + unsigned long modulus_bitlen, + unsigned char *out, + unsigned long *outlen); \end{alltt} -This function assumes the message to be PSS encoded has previously been hashed. The input hash ``msghash'' is of length -``msghashlen''. PSS allows a variable length random salt (it can be zero length) to be introduced in the signature process. -``hash\_idx'' is the index into the hash descriptor table of the hash to use. ``prng\_idx'' and ``prng'' are the random +This function assumes the message to be PSS encoded has previously been hashed. The input hash \textit{msghash} is of length +\textit{msghashlen}. PSS allows a variable length random salt (it can be zero length) to be introduced in the signature process. +\textit{hash\_idx} is the index into the hash descriptor table of the hash to use. \textit{prng\_idx} and \textit{prng} are the random number generator information required for the salt. -Similar to OAEP encoding ``modulus\_bitlen'' is the size of the RSA modulus (in bits). It limits the size of the salt. If $m$ is the length +Similar to OAEP encoding \textit{modulus\_bitlen} is the size of the RSA modulus (in bits). It limits the size of the salt. If $m$ is the length of the modulus $h$ the length of the hash output (in octets) then there can be $m - h - 2$ bytes of salt. This function does not actually sign the data it merely pads the hash of a message so that it can be processed by rsa\_exptmod(). @@ -2694,25 +3173,29 @@ To decode a PSS encoded signature block you have to use the following. \index{pkcs\_1\_pss\_decode()} \begin{alltt} -int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen, - const unsigned char *sig, unsigned long siglen, - unsigned long saltlen, int hash_idx, - unsigned long modulus_bitlen, int *res); +int pkcs_1_pss_decode(const unsigned char *msghash, + unsigned long msghashlen, + const unsigned char *sig, + unsigned long siglen, + unsigned long saltlen, + int hash_idx, + unsigned long modulus_bitlen, + int *res); \end{alltt} -This will decode the PSS encoded message in ``sig'' of length ``siglen'' and compare it to values in ``msghash'' of length -``msghashlen''. If the block is a valid PSS block and the decoded hash equals the hash supplied ``res'' is set to non--zero. Otherwise, +This will decode the PSS encoded message in \textit{sig} of length \textit{siglen} and compare it to values in \textit{msghash} of length +\textit{msghashlen}. If the block is a valid PSS block and the decoded hash equals the hash supplied \textit{res} is set to non--zero. Otherwise, it is set to zero. The rest of the parameters are as in the PSS encode call. -It's important to use the same ``saltlen'' and hash for both encoding and decoding as otherwise the procedure will not work. +It's important to use the same \textit{saltlen} and hash for both encoding and decoding as otherwise the procedure will not work. -\section{RSA Operations} +\mysection{RSA Operations} \subsection{Background} -RSA is a public key algorithm that is based on the inability to find the ``e-th'' root modulo a composite of unknown +RSA is a public key algorithm that is based on the inability to find the \textit{e-th} root modulo a composite of unknown factorization. Normally the difficulty of breaking RSA is associated with the integer factoring problem but they are not strictly equivalent. -The system begins with with two primes $p$ and $q$ and their product $N = pq$. The order or ``Euler totient'' of the +The system begins with with two primes $p$ and $q$ and their product $N = pq$. The order or \textit{Euler totient} of the multiplicative sub-group formed modulo $N$ is given as $\phi(N) = (p - 1)(q - 1)$ which can be reduced to $\mbox{lcm}(p - 1, q - 1)$. The public key consists of the composite $N$ and some integer $e$ such that $\mbox{gcd}(e, \phi(N)) = 1$. The private key consists of the composite $N$ and the inverse of $e$ modulo $\phi(N)$ @@ -2722,7 +3205,7 @@ A person who wants to encrypt with your public key simply forms an integer (the $1 < M < N-2$ and computes the ciphertext $C = M^e\mbox{ }(\mbox{mod }N)$. Since finding the inverse exponent $d$ given only $N$ and $e$ appears to be intractable only the owner of the private key can decrypt the ciphertext and compute $C^d \equiv \left (M^e \right)^d \equiv M^1 \equiv M\mbox{ }(\mbox{mod }N)$. Similarly the owner of the private key -can sign a message by ``decrypting'' it. Others can verify it by ``encrypting'' it. +can sign a message by \textit{decrypting} it. Others can verify it by \textit{encrypting} it. Currently RSA is a difficult system to cryptanalyze provided that both primes are large and not close to each other. Ideally $e$ should be larger than $100$ to prevent direct analysis. For example, if $e$ is three and you do not pad @@ -2738,7 +3221,7 @@ the hash of documents only but also to pad the inputs with data to remove such s \subsection{RSA Key Generation} -For RSA routines a single ``rsa\_key'' structure is used. To make a new RSA key call: +For RSA routines a single \textit{rsa\_key} structure is used. To make a new RSA key call: \index{rsa\_make\_key()} \begin{verbatim} int rsa_make_key(prng_state *prng, @@ -2746,13 +3229,13 @@ int rsa_make_key(prng_state *prng, long e, rsa_key *key); \end{verbatim} -Where ``wprng'' is the index into the PRNG descriptor array. ``size'' is the size in bytes of the RSA modulus desired. -``e'' is the encryption exponent desired, typical values are 3, 17, 257 and 65537. I suggest you stick with 65537 since its big -enough to prevent trivial math attacks and not super slow. ``key'' is where the key is placed. All keys must be at +Where \textit{wprng} is the index into the PRNG descriptor array. \textit{size} is the size in bytes of the RSA modulus desired. +\textit{e} is the encryption exponent desired, typical values are 3, 17, 257 and 65537. I suggest you stick with 65537 since its big +enough to prevent trivial math attacks and not super slow. \textit{key} is where the key is placed. All keys must be at least 128 bytes and no more than 512 bytes in size (\textit{that is from 1024 to 4096 bits}). -Note that the ``rsa\_make\_key()'' function allocates memory at runtime when you make the key. Make sure to call -``rsa\_free()'' (see below) when you are finished with the key. If ``rsa\_make\_key()'' fails it will automatically +Note that the \textit{rsa\_make\_key()} function allocates memory at run-time when you make the key. Make sure to call +\textit{rsa\_free()} (see below) when you are finished with the key. If \textit{rsa\_make\_key()} fails it will automatically free the ram allocated itself. \index{PK\_PRIVATE} \index{PK\_PUBLIC} @@ -2770,9 +3253,9 @@ int rsa_exptmod(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen, int which, rsa_key *key); \end{verbatim} -This loads the bignum from ``in'' as a big endian word in the format PKCS specifies, raises it to either ``e'' or ``d'' and stores the result -in ``out'' and the size of the result in ``outlen''. ``which'' is set to {\bf PK\_PUBLIC} to use ``e'' -(i.e. for encryption/verifying) and set to {\bf PK\_PRIVATE} to use ``d'' as the exponent (i.e. for decrypting/signing). +This loads the bignum from \textit{in} as a big endian word in the format PKCS specifies, raises it to either \textit{e} or \textit{d} and stores the result +in \textit{out} and the size of the result in \textit{outlen}. \textit{which} is set to {\bf PK\_PUBLIC} to use \textit{e} +(i.e. for encryption/verifying) and set to {\bf PK\_PRIVATE} to use \textit{d} as the exponent (i.e. for decrypting/signing). Note that the output of his function is zero-padded as per PKCS \#1 specifications. This allows this routine to interoprate with PKCS \#1 padding functions properly. @@ -2783,59 +3266,77 @@ To facilitate encrypting short keys the following functions have been provided. \index{rsa\_encrypt\_key()} \begin{verbatim} -int rsa_encrypt_key(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - const unsigned char *lparam, unsigned long lparamlen, - prng_state *prng, int prng_idx, int hash_idx, rsa_key *key); +int rsa_encrypt_key(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen, + const unsigned char *lparam, + unsigned long lparamlen, + prng_state *prng, + int prng_idx, + int hash_idx, + rsa_key *key); \end{verbatim} -This function will OAEP pad ``in'' of length inlen bytes then RSA encrypt it and store the ciphertext -in ``out'' of length ``outlen''. The ``lparam'' and ``lparamlen'' are the same parameters you would pass +This function will OAEP pad \textit{in} of length inlen bytes then RSA encrypt it and store the ciphertext +in \textit{out} of length \textit{outlen}. The \textit{lparam} and \textit{lparamlen} are the same parameters you would pass to pkcs\_1\_oaep\_encode(). \index{rsa\_decrypt\_key()} \begin{verbatim} -int rsa_decrypt_key(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - const unsigned char *lparam, unsigned long lparamlen, - int hash_idx, int *stat, - rsa_key *key); +int rsa_decrypt_key(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen, + const unsigned char *lparam, + unsigned long lparamlen, + int hash_idx, + int *stat, + rsa_key *key); \end{verbatim} -This function will RSA decrypt ``in'' of length ``inlen'' then OAEP depad the resulting data and store it in -``out'' of length ``outlen''. The ``lparam'' and ``lparamlen'' are the same parameters you would pass +This function will RSA decrypt \textit{in} of length \textit{inlen} then OAEP depad the resulting data and store it in +\textit{out} of length \textit{outlen}. The \textit{lparam} and \textit{lparamlen} are the same parameters you would pass to pkcs\_1\_oaep\_decode(). -If the RSA decrypted data isn't a valid OAEP packet then ``stat'' is set to $0$. Otherwise, it is set to $1$. +If the RSA decrypted data isn't a valid OAEP packet then \textit{stat} is set to $0$. Otherwise, it is set to $1$. \subsection{RSA Hash Signatures} -Similar to RSA key encryption RSA is also used to ``digitally sign'' message digests (hashes). To facilitate this +Similar to RSA key encryption RSA is also used to \textit{digitally sign} message digests (hashes). To facilitate this process the following functions have been provided. \index{rsa\_sign\_hash()} \begin{verbatim} -int rsa_sign_hash(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - prng_state *prng, int prng_idx, - int hash_idx, unsigned long saltlen, - rsa_key *key); +int rsa_sign_hash(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen, + prng_state *prng, + int prng_idx, + int hash_idx, + unsigned long saltlen, + rsa_key *key); \end{verbatim} -This will PSS encode the message hash ``in'' of length ``inlen''. Next the PSS encoded message will be RSA ``signed'' and -the output is stored in ``out'' of length ``outlen''. +This will PSS encode the message hash \textit{in} of length \textit{inlen}. Next the PSS encoded message will be RSA \textit{signed} and +the output is stored in \textit{out} of length \textit{outlen}. \index{rsa\_verify\_hash()} \begin{verbatim} -int rsa_verify_hash(const unsigned char *sig, unsigned long siglen, - const unsigned char *msghash, unsigned long msghashlen, - int hash_idx, unsigned long saltlen, - int *stat, rsa_key *key); +int rsa_verify_hash(const unsigned char *sig, + unsigned long siglen, + const unsigned char *msghash, + unsigned long msghashlen, + int hash_idx, + unsigned long saltlen, + int *stat, + rsa_key *key); \end{verbatim} -This will RSA ``verify'' the signature in ``sig'' of length ``siglen''. Next the RSA decoded data is PSS decoded -and the extracted hash is compared against the message hash ``msghash'' of length ``msghashlen''. +This will RSA \textit{verify} the signature in \textit{sig} of length \textit{siglen}. Next the RSA decoded data is PSS decoded +and the extracted hash is compared against the message hash \textit{msghash} of length \textit{msghashlen}. -If the RSA decoded data is not a valid PSS message or if the PSS decoded hash does not match the ``msghash'' -the value ``res'' is set to $0$. Otherwise, if the function succeeds and signature is valid ``res'' is set +If the RSA decoded data is not a valid PSS message or if the PSS decoded hash does not match the \textit{msghash} +the value \textit{res} is set to $0$. Otherwise, if the function succeeds and signature is valid \textit{res} is set to $1$. \begin{verbatim} @@ -2853,7 +3354,7 @@ int main(void) return EXIT_FAILURE; } - /* register a math library (in this case TomFastMath) + /* register a math library (in this case TomsFastMath) ltc_mp = tfm_desc; if (register_hash(&sha1_desc) == -1) { @@ -2876,16 +3377,16 @@ int main(void) /* fill in pt[] with a key we want to send ... */ l1 = sizeof(out); - if ((err = rsa_encrypt_key(pt, /* data we wish to encrypt */ - 16, /* data is 16 bytes long */ - out, /* where to store ciphertext */ - &l1, /* length of ciphertext */ - "TestApp", /* our lparam for this program */ - 7, /* lparam is 7 bytes long */ - NULL, /* PRNG state */ - prng_idx, /* prng idx */ - hash_idx, /* hash idx */ - &key) /* our RSA key */ + if ((err = rsa_encrypt_key(pt, /* data we wish to encrypt */ + 16, /* data is 16 bytes long */ + out, /* where to store ciphertext */ + &l1, /* length of ciphertext */ + "TestApp", /* our lparam for this program */ + 7, /* lparam is 7 bytes long */ + NULL, /* PRNG state */ + prng_idx, /* prng idx */ + hash_idx, /* hash idx */ + &key) /* our RSA key */ ) != CRYPT_OK) { printf("rsa_encrypt_key %s", error_to_string(err)); return EXIT_FAILURE; @@ -2915,9 +3416,12 @@ To export a RSA key use the following function. \index{rsa\_export()} \begin{verbatim} -int rsa_export(unsigned char *out, unsigned long *outlen, int type, rsa_key *key); +int rsa_export(unsigned char *out, + unsigned long *outlen, + int type, + rsa_key *key); \end{verbatim} -This will export the RSA key in either a RSAPublicKey or RSAPrivateKey (PKCS \#1 types) depending on the value of ``type''. When it is +This will export the RSA key in either a RSAPublicKey or RSAPrivateKey (PKCS \#1 types) depending on the value of \textit{type}. When it is set to \textbf{PK\_PRIVATE} the export format will be RSAPrivateKey and otherwise it will be RSAPublicKey. \subsection{RSA Key Import} @@ -2925,10 +3429,12 @@ To import a RSA key use the following function. \index{rsa\_import()} \begin{verbatim} -int rsa_import(const unsigned char *in, unsigned long inlen, rsa_key *key); +int rsa_import(const unsigned char *in, + unsigned long inlen, + rsa_key *key); \end{verbatim} -This will import the key stored in ``inlen'' and import it to ``key''. If the function fails it will automatically free any allocated memory. This +This will import the key stored in \textit{inlen} and import it to \textit{key}. If the function fails it will automatically free any allocated memory. This function can import both RSAPublicKey and RSAPrivateKey formats. As of v1.06 this function can also import OpenSSL DER formatted public RSA keys. They are essentially encapsulated RSAPublicKeys. LibTomCrypt will @@ -2937,7 +3443,7 @@ there is no function provided to export in this format. \chapter{Elliptic Curve Cryptography} -\section{Background} +\mysection{Background} The library provides a set of core ECC functions as well that are designed to be the Elliptic Curve analogy of all of the Diffie-Hellman routines in the previous chapter. Elliptic curves (of certain forms) have the benefit that they are harder to attack (no sub-exponential attacks exist unlike normal DH crypto) in fact the fastest attack requires the square root @@ -2959,7 +3465,7 @@ provided are very close to $p$ that is $\vert \vert \phi(\beta) \vert \vert \app range in order from $\approx 2^{192}$ points to $\approx 2^{521}$. According to the source document any key size greater than or equal to 256-bits is sufficient for long term security. -\section{Fixed Point Optimizations} +\mysection{Fixed Point Optimizations} \index{Fixed Point ECC} As of v1.12 of LibTomCrypt, support for Fixed Point ECC point multiplication has been added. It is a generic optimization that is supported by any conformant math plugin. It is enabled by defining \textbf{MECC\_FP} during the build, such as @@ -2975,10 +3481,10 @@ safe (by default). It supports the LTC locking macros (such as by enabling LTC\ The optimization works by using a Fixed Point point multiplier on any base point you use twice or more in a short period of time. It has a limited size cache (of FP\_ENTRIES entries) which it uses to hold recent bases passed to ltc\_ecc\_mulmod(). Any base detected to be used twice is sent through the pre--computation phase and then the fixed point algorithm can be used. For example, if you use a NIST base point twice in a row, the 2nd and -all subsequence point multiplications with that point will use the faster algorithm. +all subsequent point multiplications with that point will use the faster algorithm. \index{FP\_LUT} -The optimization uses a window on the multiplicand of FP\_LUT bits (default: 8, min: 2, max: 12) and controls the memory/time tradeoff. The larger the +The optimization uses a window on the multiplicand of FP\_LUT bits (default: 8, min: 2, max: 12) and controls the memory/time trade-off. The larger the value the faster the algorithm will be but the more memory it will take. The memory usage is $3 \cdot 2^{FP\_LUT}$ integers which by default with TFM amounts to about 400kB of memory. Tuning TFM (by changing FP\_SIZE) can decrease the usage by a fair amount. Memory is only used by a cache entry if it is active. Both FP\_ENTRIES and FP\_LUT are definable on the command line if you wish to override them. For instance, @@ -2993,14 +3499,14 @@ to 4096 bits (512 bytes) which is way more than what is required by ECC. At mos ECC--256 you will only need 576 bits, which would reduce the memory usage by 700\%. \end{flushleft} -\section{Key Format} -LibTomCrypt uses it's own format for ECC public and private keys. While ANSI X9.62 partially specifies key formats (it covers public keys) it does it in a less +\mysection{Key Format} +LibTomCrypt uses it's own format for ECC public and private keys. While ANSI X9.63 partially specifies key formats (it covers public keys) it does it in a less than ideally simple manner. In the case of LibTomCrypt it is meant \textbf{solely} for NIST $GF(p)$ curves. The format of the keys is as follows: \begin{small} \begin{verbatim} ECCPublicKey ::= SEQUENCE { - flags BIT STRING(1), -- public/private flag (always zero), + flags BIT STRING(0), -- public/private flag (always zero), keySize INTEGER, -- Curve size (in bits) divided by eight -- and rounded down, e.g. 521 => 65 pubkey.x INTEGER, -- The X co-ordinate of the public key point @@ -3020,17 +3526,17 @@ ECCPrivateKey ::= SEQUENCE { The first flags bit denotes whether the key is public (zero) or private (one). -\section{Core Functions} +\mysection{Core Functions} \subsection{ECC Key Generation} -There is a key structure called ``ecc\_key'' used by the ECC functions. There is a function to make a key: +There is a key structure called \textit{ecc\_key} used by the ECC functions. There is a function to make a key: \index{ecc\_make\_key()} \begin{verbatim} int ecc_make_key(prng_state *prng, int wprng, int keysize, ecc_key *key); \end{verbatim} -The ``keysize'' is the size of the modulus in bytes desired. Currently directly supported values are 24, 28, 32, 48 and 65 bytes which +The \textit{keysize} is the size of the modulus in bytes desired. Currently directly supported values are 24, 28, 32, 48 and 65 bytes which correspond to key sizes of 192, 224, 256, 384 and 521 bits respectively. If you pass a key size that is between any key size it will round the keysize up to the next available one. To free the ram allocated by a ecc\_make\_key() or ecc\_import() call use the following function. @@ -3043,60 +3549,71 @@ void ecc_free(ecc_key *key); To export an ECC key. \index{ecc\_export()} \begin{verbatim} -int ecc_export(unsigned char *out, unsigned long *outlen, - int type, ecc_key *key); +int ecc_export(unsigned char *out, + unsigned long *outlen, + int type, + ecc_key *key); \end{verbatim} -This will export the key with the given ``type'' (\textbf{PK\_PUBLIC} or \textbf{PK\_PRIVATE}) and store it to ``out''. +This will export the key with the given \textit{type} (\textbf{PK\_PUBLIC} or \textbf{PK\_PRIVATE}) and store it to \textit{out}. \subsection{ECC Key Import} \index{ecc\_import()} \begin{verbatim} -int ecc_import(const unsigned char *in, unsigned long inlen, ecc_key *key); +int ecc_import(const unsigned char *in, + unsigned long inlen, + ecc_key *key); \end{verbatim} -This will import the ECC key from ``in'' and store it in the ecc\_key structure ``key''. If the operation fails it will free +This will import the ECC key from \textit{in} and store it in the ecc\_key structure \textit{key}. If the operation fails it will free any allocated memory automatically. \subsection{ECC Shared Secret} Finally when you share your public key you can make a shared secret with the following. \index{ecc\_shared\_secret()} \begin{verbatim} -int ecc_shared_secret(ecc_key *private_key, - ecc_key *public_key, - unsigned char *out, unsigned long *outlen); +int ecc_shared_secret( ecc_key *private_key, + ecc_key *public_key, + unsigned char *out, + unsigned long *outlen); \end{verbatim} -The ``private\_key'' is your own key and ``public\_key'' is the key the other user sent you. Note that this function stores only the +The \textit{private\_key} is your own key and \textit{public\_key} is the key the other user sent you. Note that this function stores only the $x$ co-ordinate of the shared elliptic point as described in ANSI X9.63 ECC--DH. -\section{ECC Diffie-Hellman Encryption} +\mysection{ECC Diffie-Hellman Encryption} Similar to the RSA API there are two functions which encrypt and decrypt symmetric keys using the ECC public key algorithms. \index{ecc\_encrypt\_key()} \begin{verbatim} -int ecc_encrypt_key(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - prng_state *prng, int wprng, int hash, - ecc_key *key); +int ecc_encrypt_key(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen, + prng_state *prng, + int wprng, + int hash, + ecc_key *key); \end{verbatim} -Where ``in'' is an input symmetric key of no more than 64 bytes. This function creates a random public key +Where \textit{in} is an input symmetric key of no more than 64 bytes. This function creates a random public key and computes the hash of the shared secret. The message digest is then XOR'ed against the symmetric key. All of the required -data is placed in ``out'' by ``ecc\_encrypt\_key()''. The hash chosen must produce a message digest at least as large +data is placed in \textit{out} by \textit{ecc\_encrypt\_key()}. The hash chosen must produce a message digest at least as large as the symmetric key you are trying to share. -The data is encrypted to the public ECC ``key'' such that only the holder of the private key can decrypt the payload. If you want +The data is encrypted to the public ECC \textit{key} such that only the holder of the private key can decrypt the payload. If you want to have multiple recipients you will have to call this function for each public ECC key you want to encrypt to. \index{ecc\_decrypt\_key()} \begin{verbatim} -int ecc_decrypt_key(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - ecc_key *key); +int ecc_decrypt_key(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen, + ecc_key *key); \end{verbatim} -This function will decrypt an encrypted payload. The ``key'' provided must be the private key corresponding to the public key +This function will decrypt an encrypted payload. The \textit{key} provided must be the private key corresponding to the public key used during encryption. If the wrong key is provided the function won't specifically return an error code. It is important to use some form of challenge response in that case (e.g. compute a MAC of a known string). @@ -3107,41 +3624,49 @@ The packet format for the encrypted keys is the following ASN.1 SEQUENCE: \begin{verbatim} ECCEncrypt ::= SEQUENCE { hashID OBJECT IDENTIFIER, -- OID of hash used - pubkey OCTET STRING , -- Encapsulated ECCPublicKey (see above) - skey OCTET STRING -- xor of plaintext and "hash of shared secret" + pubkey OCTET STRING , -- Encapsulated ECCPublicKey + skey OCTET STRING -- xor of plaintext and + --"hash of shared secret" } \end{verbatim} -\section{ECC DSA Signatures} +\mysection{ECC DSA Signatures} There are also functions to sign and verify the hash of a message. \index{ecc\_sign\_hash()} \begin{verbatim} -int ecc_sign_hash(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - prng_state *prng, int wprng, ecc_key *key); +int ecc_sign_hash(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen, + prng_state *prng, + int wprng, + ecc_key *key); \end{verbatim} -This function will EC--DSA sign the message digest stored in the buffer ``in'' of length inlen octets. The signature -will be stored in the ``out'' buffer of length ``outlen''. The function requires a properly seeded PRNG and -the ECC ``key'' provided must be a private key. +This function will EC--DSA sign the message digest stored in the buffer \textit{in} of length inlen octets. The signature +will be stored in the \textit{out} buffer of length \textit{outlen}. The function requires a properly seeded PRNG and +the ECC \textit{key} provided must be a private key. \index{ecc\_verify\_hash()} \begin{verbatim} -int ecc_verify_hash(const unsigned char *sig, unsigned long siglen, - const unsigned char *hash, unsigned long hashlen, - int *stat, ecc_key *key); +int ecc_verify_hash(const unsigned char *sig, + unsigned long siglen, + const unsigned char *hash, + unsigned long hashlen, + int *stat, + ecc_key *key); \end{verbatim} -This function will verify the EC-DSA signature in ``sig'' of length ``siglen'' against the message digest ``hash''. -It will store a non--zero value in ``stat'' if the signature is valid. Note that the function will not return -an error if the signature is invalid. It will if the actual signature payload is an invalid format. They ECC ``key'' +This function will verify the EC-DSA signature in \textit{sig} of length \textit{siglen} against the message digest \textit{hash}. +It will store a non--zero value in \textit{stat} if the signature is valid. Note that the function will not return +an error if the signature is invalid. It will if the actual signature payload is an invalid format. They ECC \textit{key} must be the public (or private) ECC key corresponding to the key that performed the signature. \subsection{Signature Format} -The signature code is an implementation of X9.62 EC--DSA and the output is comformant for GF(p) curves. +The signature code is an implementation of X9.62 EC--DSA and the output is conformant for GF(p) curves. -\section{ECC Keysizes} +\mysection{ECC Keysizes} With ECC if you try and sign a hash that is bigger than your ECC key you can run into problems. The math will still work and in effect the signature will still work. With ECC keys the strength of the signature is limited by the size of the hash or the size of they key, whichever is smaller. For example, if you sign with SHA256 and an ECC-192 key in effect @@ -3151,38 +3676,44 @@ The library will not warn you if you make this mistake so it is important to che signatures. \chapter{Digital Signature Algorithm} -\section{Introduction} +\mysection{Introduction} The Digital Signature Algorithm (or DSA) is a variant of the ElGamal Signature scheme which has been modified to -reduce the bandwidth of a signature. For example, to have ``80-bits of security'' with ElGamal you need a group of +reduce the bandwidth of a signature. For example, to have \textit{80-bits of security} with ElGamal you need a group of order at least 1024-bits. With DSA you need a group of order at least 160-bits. By comparison the ElGamal signature would require at least 256 bytes where as the DSA signature would require only at least 40 bytes. The API for the DSA is essentially the same as the other PK algorithms. Except in the case of DSA no encryption or decryption routines are provided. -\section{Key Format} +\mysection{Key Format} Since no useful public standard for DSA key storage was presented to me during the course of this development I made my own ASN.1 SEQUENCE which I document now so that others can interoperate with this library. \begin{verbatim} DSAPublicKey ::= SEQUENCE { - publicFlags BIT STRING(1), -- must be 0 - g INTEGER , -- base generator, check that g^q mod p == 1 + publicFlags BIT STRING(0), -- must be 0 + g INTEGER , -- base generator + -- check that g^q mod p == 1 -- and that 1 < g < p - 1 p INTEGER , -- prime modulus - q INTEGER , -- order of sub-group (must be prime) - y INTEGER , -- public key, specifically, g^x mod p, + q INTEGER , -- order of sub-group + -- (must be prime) + y INTEGER , -- public key, specifically, + -- g^x mod p, -- check that y^q mod p == 1 -- and that 1 < y < p - 1 } DSAPrivateKey ::= SEQUENCE { publicFlags BIT STRING(1), -- must be 1 - g INTEGER , -- base generator, check that g^q mod p == 1 + g INTEGER , -- base generator + -- check that g^q mod p == 1 -- and that 1 < g < p - 1 p INTEGER , -- prime modulus - q INTEGER , -- order of sub-group (must be prime) - y INTEGER , -- public key, specifically, g^x mod p, + q INTEGER , -- order of sub-group + -- (must be prime) + y INTEGER , -- public key, specifically, + -- g^x mod p, -- check that y^q mod p == 1 -- and that 1 < y < p - 1 x INTEGER -- private key @@ -3192,18 +3723,19 @@ DSAPrivateKey ::= SEQUENCE { The leading BIT STRING has a single bit in it which is zero for public keys and one for private keys. This makes the structure uniquely decodable and easy to work with. -\section{Key Generation} +\mysection{Key Generation} To make a DSA key you must call the following function \begin{verbatim} int dsa_make_key(prng_state *prng, int wprng, int group_size, int modulus_size, dsa_key *key); \end{verbatim} -The variable ``prng'' is an active PRNG state and ``wprng'' the index to the descriptor. ``group\_size'' and -``modulus\_size'' control the difficulty of forging a signature. Both parameters are in bytes. The larger the -``group\_size'' the more difficult a forgery becomes upto a limit. The value of $group\_size$ is limited by +The variable \textit{prng} is an active PRNG state and \textit{wprng} the index to the descriptor. \textit{group\_size} and +\textit{modulus\_size} control the difficulty of forging a signature. Both parameters are in bytes. The larger the +\textit{group\_size} the more difficult a forgery becomes upto a limit. The value of $group\_size$ is limited by $15 < group\_size < 1024$ and $modulus\_size - group\_size < 512$. Suggested values for the pairs are as follows. +\begin{figure}[here] \begin{center} \begin{tabular}{|c|c|c|} \hline \textbf{Bits of Security} & \textbf{group\_size} & \textbf{modulus\_size} \\ @@ -3214,6 +3746,8 @@ $15 < group\_size < 1024$ and $modulus\_size - group\_size < 512$. Suggested va \hline \end{tabular} \end{center} +\caption{DSA Key Sizes} +\end{figure} When you are finished with a DSA key you can call the following function to free the memory used. \index{dsa\_free()} @@ -3221,7 +3755,7 @@ When you are finished with a DSA key you can call the following function to free void dsa_free(dsa_key *key); \end{verbatim} -\section{Key Verification} +\mysection{Key Verification} Each DSA key is composed of the following variables. \begin{enumerate} @@ -3260,91 +3794,106 @@ The following function will perform these tests. int dsa_verify_key(dsa_key *key, int *stat); \end{verbatim} -This will test ``key'' and store the result in ``stat''. If the result is $stat = 0$ the DSA key failed one of the tests +This will test \textit{key} and store the result in \textit{stat}. If the result is $stat = 0$ the DSA key failed one of the tests and should not be used at all. If the result is $stat = 1$ the DSA key is valid (as far as valid mathematics are concerned). -\section{Signatures} +\mysection{Signatures} \subsection{Signature Generation} To generate a DSA signature call the following function \index{dsa\_sign\_hash()} \begin{verbatim} -int dsa_sign_hash(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - prng_state *prng, int wprng, dsa_key *key); +int dsa_sign_hash(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen, + prng_state *prng, + int wprng, + dsa_key *key); \end{verbatim} -Which will sign the data in ``in'' of length ``inlen'' bytes. The signature is stored in ``out'' and the size -of the signature in ``outlen''. If the signature is longer than the size you initially specify in ``outlen'' nothing -is stored and the function returns an error code. The DSA ``key'' must be of the \textbf{PK\_PRIVATE} persuasion. +Which will sign the data in \textit{in} of length \textit{inlen} bytes. The signature is stored in \textit{out} and the size +of the signature in \textit{outlen}. If the signature is longer than the size you initially specify in \textit{outlen} nothing +is stored and the function returns an error code. The DSA \textit{key} must be of the \textbf{PK\_PRIVATE} persuasion. \subsection{Signature Verification} To verify a hash created with that function use the following function \index{dsa\_verify\_hash()} \begin{verbatim} -int dsa_verify_hash(const unsigned char *sig, unsigned long siglen, - const unsigned char *hash, unsigned long inlen, - int *stat, dsa_key *key); +int dsa_verify_hash(const unsigned char *sig, + unsigned long siglen, + const unsigned char *hash, + unsigned long inlen, + int *stat, + dsa_key *key); \end{verbatim} -Which will verify the data in ``hash'' of length ``inlen'' against the signature stored in ``sig'' of length ``siglen''. -It will set ``stat'' to $1$ if the signature is valid, otherwise it sets ``stat'' to $0$. +Which will verify the data in \textit{hash} of length \textit{inlen} against the signature stored in \textit{sig} of length \textit{siglen}. +It will set \textit{stat} to $1$ if the signature is valid, otherwise it sets \textit{stat} to $0$. -\section{DSA Encrypt and Decrypt} +\mysection{DSA Encrypt and Decrypt} As of version 1.07 the DSA keys can be used to encrypt and decrypt small payloads. It works similar to the ECC encryption where -a shared key is computed and the hash of the shared key xor'ed against the plaintext forms the ciphertext. +a shared key is computed and the hash of the shared key XOR'ed against the plaintext forms the ciphertext. \subsection{DSA Encryption} This function will encrypt a small payload with a recipients public DSA key. \index{dsa\_encrypt\_key()} \begin{verbatim} -int dsa_encrypt_key(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - prng_state *prng, int wprng, int hash, - dsa_key *key); +int dsa_encrypt_key(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen, + prng_state *prng, + int wprng, + int hash, + dsa_key *key); \end{verbatim} -This will encrypt the payload in ``in'' of length ``inlen'' and store the ciphertext in the output buffer ``out''. The -length of the ciphertext ``outlen'' must be originally set to the length of the output buffer. The DSA ``key'' can be +This will encrypt the payload in \textit{in} of length \textit{inlen} and store the ciphertext in the output buffer \textit{out}. The +length of the ciphertext \textit{outlen} must be originally set to the length of the output buffer. The DSA \textit{key} can be a public key. \subsection{DSA Decryption} \index{dsa\_decrypt\_key()} \begin{verbatim} -int dsa_decrypt_key(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - dsa_key *key); +int dsa_decrypt_key(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen, + dsa_key *key); \end{verbatim} -This will decrypt the ciphertext ``in'' of length ``inlen'' and store the original payload in ``out'' of length ``outlen''. The DSA ``key'' must be a private key. +This will decrypt the ciphertext \textit{in} of length \textit{inlen} and store the original payload in \textit{out} of length \textit{outlen}. The DSA \textit{key} must be a private key. -\section{Import and Export} +\mysection{Import and Export} To export a DSA key so that it can be transported use the following function \index{dsa\_export()} \begin{verbatim} -int dsa_export(unsigned char *out, unsigned long *outlen, - int type, - dsa_key *key); +int dsa_export(unsigned char *out, + unsigned long *outlen, + int type, + dsa_key *key); \end{verbatim} -This will export the DSA ``key'' to the buffer ``out'' and set the length in ``outlen'' (which must have been previously -initialized to the maximum buffer size). The ``type`` variable may be either \textbf{PK\_PRIVATE} or \textbf{PK\_PUBLIC} +This will export the DSA \textit{key} to the buffer \textit{out} and set the length in \textit{outlen} (which must have been previously +initialized to the maximum buffer size). The \textit{type} variable may be either \textbf{PK\_PRIVATE} or \textbf{PK\_PUBLIC} depending on whether you want to export a private or public copy of the DSA key. To import an exported DSA key use the following function \index{dsa\_import()} \begin{verbatim} -int dsa_import(const unsigned char *in, unsigned long inlen, - dsa_key *key); +int dsa_import(const unsigned char *in, + unsigned long inlen, + dsa_key *key); \end{verbatim} -This will import the DSA key from the buffer ``in'' of length ``inlen'' to the ``key''. If the process fails the function +This will import the DSA key from the buffer \textit{in} of length \textit{inlen} to the \textit{key}. If the process fails the function will automatically free all of the heap allocated in the process (you don't have to call dsa\_free()). \chapter{Standards Support} -\section{ASN.1 Formats} +\mysection{ASN.1 Formats} LibTomCrypt supports a variety of ASN.1 data types encoded with the Distinguished Encoding Rules (DER) suitable for various cryptographic protocols. The data types are all provided with three basic functions with \textit{similar} prototypes. One function has been dedicated to calculate the length in octets of a given format and two functions have been dedicated to encoding and decoding the format. @@ -3365,12 +3914,12 @@ typedef struct { \end{verbatim} \index{LTC\_SET\_ASN1 macro} -The ``type'' field is one of the following ASN.1 field definitions. The ``data'' pointer is a void pointer to the data to be encoded (or the destination) and the -``size'' field is specific to what you are encoding (e.g. number of bits in the BIT STRING data type). The ``used'' field is primarily for the CHOICE decoder +The \textit{type} field is one of the following ASN.1 field definitions. The \textit{data} pointer is a void pointer to the data to be encoded (or the destination) and the +\textit{size} field is specific to what you are encoding (e.g. number of bits in the BIT STRING data type). The \textit{used} field is primarily for the CHOICE decoder and reflects if the particular member of a list was the decoded data type. To help build the lists in an orderly fashion the macro -``LTC\_SET\_ASN1(list, index, Type, Data, Size)'' has been provided. +\textit{LTC\_SET\_ASN1(list, index, Type, Data, Size)} has been provided. -It will assign to the ``index''th position in the ``list'' the tripplet (Type, Data, Size). An example usage would be: +It will assign to the \textit{index}th position in the \textit{list} the triplet (Type, Data, Size). An example usage would be: \begin{small} \begin{verbatim} @@ -3410,9 +3959,9 @@ LTC_SET_ASN1(sequence, x++, LTC_ASN1_NULL, NULL, 0); \hline LTC\_ASN1\_BIT\_STRING & BIT STRING (one bit per char) \\ \hline LTC\_ASN1\_OCTET\_STRING & OCTET STRING (one octet per char) \\ \hline LTC\_ASN1\_NULL & NULL \\ -\hline LTC\_ASN1\_OBJECT\_IDENTIFIER & OBJECT IDENTIFIER (words are in unsigned long) \\ +\hline LTC\_ASN1\_OBJECT\_IDENTIFIER & OBJECT IDENTIFIER \\ \hline LTC\_ASN1\_IA5\_STRING & IA5 STRING (one octet per char) \\ -\hline LTC\_ASN1\_PRINTABLE\_STRING & PRINTABLE STIRNG (one octet per char) \\ +\hline LTC\_ASN1\_PRINTABLE\_STRING & PRINTABLE STRING (one octet per char) \\ \hline LTC\_ASN1\_UTCTIME & UTCTIME (see ltc\_utctime structure) \\ \hline LTC\_ASN1\_SEQUENCE & SEQUENCE (and SEQUENCE OF) \\ \hline LTC\_ASN1\_SET & SET \\ @@ -3428,39 +3977,43 @@ LTC_SET_ASN1(sequence, x++, LTC_ASN1_NULL, NULL, 0); \subsection{SEQUENCE Type} The SEQUENCE data type is a collection of other ASN.1 data types encapsulated with a small header which is a useful way of sending multiple data types in one packet. -\subsubsection{SEUQNECE Encoding} +\subsubsection{SEQUENCE Encoding} To encode a sequence a \textbf{ltc\_asn1\_list} array must be initialized with the members of the sequence and their respective pointers. The encoding is performed with the following function. \index{der\_encode\_sequence()} \begin{verbatim} -int der_encode_sequence(ltc_asn1_list *list, unsigned long inlen, - unsigned char *out, unsigned long *outlen); +int der_encode_sequence(ltc_asn1_list *list, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen); \end{verbatim} -This encodes a sequence of items pointed to by ``list'' where the list has ``inlen'' items in it. The SEQUENCE will be encoded to ``out'' and of length ``outlen''. The -function will terminate when it reads all the items out of the list (upto ``inlen'') or it encounters an item in the list with a type of \textbf{LTC\_ASN1\_EOL}. +This encodes a sequence of items pointed to by \textit{list} where the list has \textit{inlen} items in it. The SEQUENCE will be encoded to \textit{out} and of length \textit{outlen}. The +function will terminate when it reads all the items out of the list (upto \textit{inlen}) or it encounters an item in the list with a type of \textbf{LTC\_ASN1\_EOL}. -The ``data'' pointer in the list would be the same pointer you would pass to the respective ASN.1 encoder (e.g. der\_encode\_bit\_string()) and it is simply passed on +The \textit{data} pointer in the list would be the same pointer you would pass to the respective ASN.1 encoder (e.g. der\_encode\_bit\_string()) and it is simply passed on verbatim to the dependent encoder. The list can contain other SEQUENCE or SET types which enables you to have nested SEQUENCE and SET definitions. In these cases -the ``data'' pointer is simply a pointer to another \textbf{ltc\_asn1\_list}. +the \textit{data} pointer is simply a pointer to another \textbf{ltc\_asn1\_list}. \subsubsection{SEQUENCE Decoding} \index{der\_decode\_sequence()} -Decoding a SEQUENCE is similar to encoding. You set up an array of \textbf{ltc\_asn1\_list} where in this case the ``size'' member is the maximum size -(in certain cases). For types such as IA5 STRING, BIT STRING, OCTET STRING (etc) the ``size'' field is updated after successful decoding to reflect how many +Decoding a SEQUENCE is similar to encoding. You set up an array of \textbf{ltc\_asn1\_list} where in this case the \textit{size} member is the maximum size +(in certain cases). For types such as IA5 STRING, BIT STRING, OCTET STRING (etc) the \textit{size} field is updated after successful decoding to reflect how many units of the respective type has been loaded. \begin{verbatim} -int der_decode_sequence(const unsigned char *in, unsigned long inlen, - ltc_asn1_list *list, unsigned long outlen); +int der_decode_sequence(const unsigned char *in, + unsigned long inlen, + ltc_asn1_list *list, + unsigned long outlen); \end{verbatim} -This will decode upto ``outlen'' items from the input buffer ``in'' of length ``inlen'' octets. The function will stop (gracefully) when it runs out of items to decode. -It will fail (for among other reasons) when it runs out of input bytes to read, a data type is invalid or a heap failure occured. +This will decode upto \textit{outlen} items from the input buffer \textit{in} of length \textit{inlen} octets. The function will stop (gracefully) when it runs out of items to decode. +It will fail (for among other reasons) when it runs out of input bytes to read, a data type is invalid or a heap failure occurred. -For the following types the ``size'' field will be updated to reflect the number of units read of the given type. +For the following types the \textit{size} field will be updated to reflect the number of units read of the given type. \begin{enumerate} \item BIT STRING \item OCTET STRING @@ -3475,11 +4028,12 @@ The length of a SEQUENCE can be determined with the following function. \index{der\_length\_sequence()} \begin{verbatim} -int der_length_sequence(ltc_asn1_list *list, unsigned long inlen, +int der_length_sequence(ltc_asn1_list *list, + unsigned long inlen, unsigned long *outlen); \end{verbatim} -This will get the encoding size for the given ``list'' of length ``inlen'' and store it in ``outlen''. +This will get the encoding size for the given \textit{list} of length \textit{inlen} and store it in \textit{outlen}. \subsubsection{SEQUENCE Multiple Argument Lists} @@ -3489,17 +4043,20 @@ For small or simple sequences an encoding or decoding can be performed with one \index{der\_decode\_sequence\_multi()} \begin{verbatim} -int der_encode_sequence_multi(unsigned char *out, unsigned long *outlen, ...); -int der_decode_sequence_multi(const unsigned char *in, unsigned long inlen, ...); +int der_encode_sequence_multi(unsigned char *out, + unsigned long *outlen, ...); + +int der_decode_sequence_multi(const unsigned char *in, + unsigned long inlen, ...); \end{verbatim} These either encode or decode (respectively) a SEQUENCE data type where the items in the sequence are specified after the length parameter. -The list of items are specified as a triple of the form ``(type, size, data)'' where ``type'' is an \textbf{int}, ``size'' is a \textbf{unsigned long} -and ``data'' is \textbf{void} pointer. The list of items must be terminated with an item with the type \textbf{LTC\_ASN1\_EOL}. +The list of items are specified as a triple of the form \textit{(type, size, data)} where \textit{type} is an \textbf{int}, \textit{size} is a \textbf{unsigned long} +and \textit{data} is \textbf{void} pointer. The list of items must be terminated with an item with the type \textbf{LTC\_ASN1\_EOL}. -It's ideal that you cast the ``size'' values to unsigned long to ensure that the proper data type is passed to the function. Constants such as ``1'' without -a cast or prototype are of type \textbf{int} by default. Appending \textit{UL} or prepending \textit{(unsigned long)} is enough to cast it to the correct type. +It's ideal that you cast the \textit{size} values to unsigned long to ensure that the proper data type is passed to the function. Constants such as \textit{1} without +a cast or prototype are of type \textbf{int} by default. Appending \textit{UL} or pre-pending \textit{(unsigned long)} is enough to cast it to the correct type. \subsection{SET and SET OF} @@ -3514,15 +4071,17 @@ SETs use the same array structure of ltc\_asn1\_list that the SEQUENCE functions \index{der\_encode\_set()} \begin{verbatim} -int der_encode_set(ltc_asn1_list *list, unsigned long inlen, - unsigned char *out, unsigned long *outlen); +int der_encode_set(ltc_asn1_list *list, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen); \end{verbatim} -This will encode the list of ASN.1 objects in ``list'' of length ``inlen'' objects and store the output in ``out'' of length ``outlen'' bytes. The function +This will encode the list of ASN.1 objects in \textit{list} of length \textit{inlen} objects and store the output in \textit{out} of length \textit{outlen} bytes. The function will make a copy of the list provided and sort it by the TAG. Objects with identical TAGs are additionally sorted on their original placement in the array (to make the process deterministic). -This function will \textbf{NOT} recognize ``DEFAULT'' objects and it is the responsibility of the caller to remove them as required. +This function will \textbf{NOT} recognize \textit{DEFAULT} objects and it is the responsibility of the caller to remove them as required. \subsubsection{SET Decoding} @@ -3530,11 +4089,13 @@ The SET type can be decoded with the following function. \index{der\_decode\_set()} \begin{verbatim} -int der_decode_set(const unsigned char *in, unsigned long inlen, - ltc_asn1_list *list, unsigned long outlen); +int der_decode_set(const unsigned char *in, + unsigned long inlen, + ltc_asn1_list *list, + unsigned long outlen); \end{verbatim} -This will decode the SET specified by ``list'' of length ``outlen'' objects from the input buffer ``in'' of length ``inlen'' octets. +This will decode the SET specified by \textit{list} of length \textit{outlen} objects from the input buffer \textit{in} of length \textit{inlen} octets. It handles the fact that SETs are not strictly ordered and will make multiple passes (as required) through the list to decode all the objects. @@ -3542,26 +4103,28 @@ It handles the fact that SETs are not strictly ordered and will make multiple pa The length of a SET can be determined by calling der\_length\_sequence() since they have the same encoding length. \subsubsection{SET OF Encoding} -A ``SET OF'' object is an array of identifical objects (e.g. OCTET STRING) sorted in ascending order by the DER encoding of the object. They are +A \textit{SET OF} object is an array of identical objects (e.g. OCTET STRING) sorted in ascending order by the DER encoding of the object. They are used to store objects deterministically based solely on their encoding. It uses the same array structure of ltc\_asn1\_list that the SEQUENCE functions use. They are encoded with the following function. \index{der\_encode\_setof()} \begin{verbatim} -int der_encode_setof(ltc_asn1_list *list, unsigned long inlen, - unsigned char *out, unsigned long *outlen); +int der_encode_setof(ltc_asn1_list *list, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen); \end{verbatim} -This will encode a ``SET OF'' containing the ``list'' of ``inlen'' ASN.1 objects and store the encoding in the output buffer ``out'' of length ``outlen''. +This will encode a \textit{SET OF} containing the \textit{list} of \textit{inlen} ASN.1 objects and store the encoding in the output buffer \textit{out} of length \textit{outlen}. The routine will first encode the SET OF in an unordered fashion (in a temporary buffer) then sort using the XQSORT macro and copy back to the output buffer. This means you need at least enough memory to keep an additional copy of the output on the heap. \subsubsection{SET OF Decoding} -Since the decoding of a ``SET OF'' object is unambiguous it can be decoded with der\_decode\_sequence(). +Since the decoding of a \textit{SET OF} object is unambiguous it can be decoded with der\_decode\_sequence(). \subsubsection{SET OF Length} -Like the SET type the der\_length\_sequence() function can be used to determine the length of a ``SET OF'' object. +Like the SET type the der\_length\_sequence() function can be used to determine the length of a \textit{SET OF} object. \subsection{ASN.1 INTEGER} @@ -3571,25 +4134,35 @@ To encode or decode INTEGER data types use the following functions. \index{der\_decode\_integer()} \index{der\_length\_integer()} \begin{verbatim} -int der_encode_integer(mp_int *num, unsigned char *out, unsigned long *outlen); -int der_decode_integer(const unsigned char *in, unsigned long inlen, mp_int *num); -int der_length_integer(mp_int *num, unsigned long *len); +int der_encode_integer( mp_int *num, + unsigned char *out, + unsigned long *outlen); + +int der_decode_integer(const unsigned char *in, + unsigned long inlen, + mp_int *num); + +int der_length_integer( mp_int *num, + unsigned long *len); \end{verbatim} -These will encode or decode a signed INTEGER data type using the ``mp\_int'' data type to store the large INTEGER. To encode smaller values without allocating -an mp\_int to store the value the ``short'' INTEGER functions were made available. +These will encode or decode a signed INTEGER data type using the \textit{mp\_int} data type to store the large INTEGER. To encode smaller values without allocating +an mp\_int to store the value the \textit{short} INTEGER functions were made available. \index{der\_encode\_short\_integer()} \index{der\_decode\_short\_integer()} \index{der\_length\_short\_integer()} \begin{verbatim} int der_encode_short_integer(unsigned long num, - unsigned char *out, unsigned long *outlen); + unsigned char *out, + unsigned long *outlen); -int der_decode_short_integer(const unsigned char *in, unsigned long inlen, +int der_decode_short_integer(const unsigned char *in, + unsigned long inlen, unsigned long *num); -int der_length_short_integer(unsigned long num, unsigned long *outlen); +int der_length_short_integer(unsigned long num, + unsigned long *outlen); \end{verbatim} These will encode or decode an unsigned \textbf{unsigned long} type (only reads upto 32--bits). For values in the range $0 \dots 2^{32} - 1$ the integer @@ -3601,16 +4174,21 @@ and short integer functions can encode and decode each others outputs. \index{der\_decode\_bit\_string()} \index{der\_length\_bit\_string()} \begin{verbatim} -int der_encode_bit_string(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen); +int der_encode_bit_string(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen); -int der_decode_bit_string(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen); +int der_decode_bit_string(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen); -int der_length_bit_string(unsigned long nbits, unsigned long *outlen); +int der_length_bit_string(unsigned long nbits, + unsigned long *outlen); \end{verbatim} -These will encode or decode a BIT STRING data type. The bits are passed in (or read out) using one \textbf{char} per bit. A non--zero value will be interpretted +These will encode or decode a BIT STRING data type. The bits are passed in (or read out) using one \textbf{char} per bit. A non--zero value will be interpreted as a one bit and a zero value a zero bit. \subsection{ASN.1 OCTET STRING} @@ -3619,13 +4197,18 @@ as a one bit and a zero value a zero bit. \index{der\_decode\_octet\_string()} \index{der\_length\_octet\_string()} \begin{verbatim} -int der_encode_octet_string(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen); +int der_encode_octet_string(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen); -int der_decode_octet_string(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen); +int der_decode_octet_string(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen); -int der_length_octet_string(unsigned long noctets, unsigned long *outlen); +int der_length_octet_string(unsigned long noctets, + unsigned long *outlen); \end{verbatim} These will encode or decode an OCTET STRING data type. The octets are stored using one \textbf{char} each. @@ -3636,13 +4219,18 @@ These will encode or decode an OCTET STRING data type. The octets are stored us \index{der\_decode\_object\_identifier()} \index{der\_length\_object\_identifier()} \begin{verbatim} -int der_encode_object_identifier(unsigned long *words, unsigned long nwords, - unsigned char *out, unsigned long *outlen); +int der_encode_object_identifier(unsigned long *words, + unsigned long nwords, + unsigned char *out, + unsigned long *outlen); -int der_decode_object_identifier(const unsigned char *in, unsigned long inlen, - unsigned long *words, unsigned long *outlen); +int der_decode_object_identifier(const unsigned char *in, + unsigned long inlen, + unsigned long *words, + unsigned long *outlen); -int der_length_object_identifier(unsigned long *words, unsigned long nwords, +int der_length_object_identifier(unsigned long *words, + unsigned long nwords, unsigned long *outlen); \end{verbatim} @@ -3655,20 +4243,25 @@ $0 \ldots 2^{32} - 1$. \index{der\_decode\_ia5\_string()} \index{der\_length\_ia5\_string()} \begin{verbatim} -int der_encode_ia5_string(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen); +int der_encode_ia5_string(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen); -int der_decode_ia5_string(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen); +int der_decode_ia5_string(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen); -int der_length_ia5_string(const unsigned char *octets, unsigned long noctets, +int der_length_ia5_string(const unsigned char *octets, + unsigned long noctets, unsigned long *outlen); \end{verbatim} These will encode or decode an IA5 STRING. The characters are read or stored in individual \textbf{char} elements. This functions performs internal character to numerical conversions based on the conventions of the compiler being used. For instance, on an x86\_32 machine 'A' == 65 but the same may not be true on say a SPARC machine. Internally these functions have a table of literal characters and their numerical ASCII values. This provides a stable conversion provided -that the build platform honours the runtime platforms character conventions. +that the build platform honours the run-time platforms character conventions. If you're worried try building the test suite and running it. It has hard coded test vectors to ensure it is operating properly. @@ -3678,20 +4271,25 @@ If you're worried try building the test suite and running it. It has hard coded \index{der\_decode\_printable\_string()} \index{der\_length\_printable\_string()} \begin{verbatim} -int der_encode_printable_string(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen); +int der_encode_printable_string(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen); -int der_decode_printable_string(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen); +int der_decode_printable_string(const unsigned char *in, + unsigned long inlen, + unsigned char *out, + unsigned long *outlen); -int der_length_printable_string(const unsigned char *octets, unsigned long noctets, - unsigned long *outlen); +int der_length_printable_string(const unsigned char *octets, + unsigned long noctets, + unsigned long *outlen); \end{verbatim} These will encode or decode an PRINTABLE STRING. The characters are read or stored in individual \textbf{char} elements. This functions performs internal character to numerical conversions based on the conventions of the compiler being used. For instance, on an x86\_32 machine 'A' == 65 but the same may not be true on say a SPARC machine. Internally these functions have a table of literal characters and their numerical ASCII values. This provides a stable conversion provided -that the build platform honours the runtime platforms character conventions. +that the build platform honours the run-time platforms character conventions. If you're worried try building the test suite and running it. It has hard coded test vectors to ensure it is operating properly. @@ -3713,7 +4311,7 @@ typedef struct { } ltc_utctime; \end{verbatim} -The time can be offset plus or minus a set amount of hours (off\_hh) and minutes (off\_mm). When ``off\_dir'' is zero the time will be added otherwise it +The time can be offset plus or minus a set amount of hours (off\_hh) and minutes (off\_mm). When \textit{off\_dir} is zero the time will be added otherwise it will be subtracted. For instance, the array $\lbrace 5, 6, 20, 22, 4, 00, 0, 5, 0 \rbrace$ represents the current time of 2005, June 20th, 22:04:00 with a time offset of +05h00. @@ -3722,23 +4320,26 @@ For instance, the array $\lbrace 5, 6, 20, 22, 4, 00, 0, 5, 0 \rbrace$ represent \index{der\_decode\_utctime()} \index{der\_length\_utctime()} \begin{verbatim} -int der_encode_utctime(ltc_utctime *utctime, - unsigned char *out, unsigned long *outlen); +int der_encode_utctime( ltc_utctime *utctime, + unsigned char *out, + unsigned long *outlen); -int der_decode_utctime(const unsigned char *in, unsigned long *inlen, - ltc_utctime *out); +int der_decode_utctime(const unsigned char *in, + unsigned long *inlen, + ltc_utctime *out); -int der_length_utctime(ltc_utctime *utctime, unsigned long *outlen); +int der_length_utctime( ltc_utctime *utctime, + unsigned long *outlen); \end{verbatim} -The encoder will store time in one of the two ASN.1 formats, either ``YYMMDDhhmmssZ'' or ``YYMMDDhhmmss$\pm$hhmm'' and perform minimal error checking on the +The encoder will store time in one of the two ASN.1 formats, either \textit{YYMMDDhhmmssZ} or \textit{YYMMDDhhmmss$\pm$hhmm} and perform minimal error checking on the input. The decoder will read all valid ASN.1 formats and perform range checking on the values (not complete but rational) useful for catching packet errors. It is suggested that decoded data be further scrutinized (e.g. days of month in particular). \subsection{ASN.1 CHOICE} -The CHOICE ASN.1 type represents a union of ASN.1 types all of which are stored in a ``ltc\_asn1\_list''. There is no encoder for the CHOICE type, only a +The CHOICE ASN.1 type represents a union of ASN.1 types all of which are stored in a \textit{ltc\_asn1\_list}. There is no encoder for the CHOICE type, only a decoder. The decoder will scan through the provided list attempting to use the appropriate decoder on the input packet. The list can contain any ASN.1 data type\footnote{Except it cannot have LTC\_ASN1\_INTEGER and LTC\_ASN1\_SHORT\_INTEGER simultaneously.} except for other CHOICE types. @@ -3746,42 +4347,45 @@ There is no encoder for the CHOICE type as the actual DER encoding is the encodi \index{der\_decode\_choice()} \begin{verbatim} -int der_decode_choice(const unsigned char *in, unsigned long *inlen, - ltc_asn1_list *list, unsigned long outlen); +int der_decode_choice(const unsigned char *in, + unsigned long *inlen, + ltc_asn1_list *list, + unsigned long outlen); \end{verbatim} -This will decode the input in the ``in'' field of length ``inlen''. It uses the provided ASN.1 list specified in the ``list'' field which has ``outlen'' elements. -The ``inlen'' field will be updated with the length of the decoded data type as well as the respective entry in the ``list'' field will have the ``used'' flag +This will decode the input in the \textit{in} field of length \textit{inlen}. It uses the provided ASN.1 list specified in the \textit{list} field which has \textit{outlen} elements. +The \textit{inlen} field will be updated with the length of the decoded data type as well as the respective entry in the \textit{list} field will have the \textit{used} flag set to non--zero to reflect it was the data type decoded. \subsection{ASN.1 Flexi Decoder} -The ASN.1 ``flexi'' decoder allows the developer to decode arbitrary ASN.1 DER packets (provided they use data types LibTomCrypt supports) without first knowing +The ASN.1 \textit{flexi} decoder allows the developer to decode arbitrary ASN.1 DER packets (provided they use data types LibTomCrypt supports) without first knowing the structure of the data. Where der\_decode\_sequence() requires the developer to specify the data types to decode in advance the flexi decoder is entirely free form. -The flexi decoder uses the same ``ltc\_asn1\_list'' but instead of being stored in an array it uses the linked list pointers ``prev'', ``next'', ``parent'' -and ``child''. The list works as a ``doubly-linked list'' structure where decoded items at the same level are sibblings (using next and prev) and items +The flexi decoder uses the same \textit{ltc\_asn1\_list} but instead of being stored in an array it uses the linked list pointers \textit{prev}, \textit{next}, \textit{parent} +and \textit{child}. The list works as a \textit{doubly-linked list} structure where decoded items at the same level are siblings (using next and prev) and items encoded in a SEQUENCE are stored as a child element. -When a SEQUENCE or SET has been encountered a SEQUENCE (or SET resp.) item will be added as a sibbling (e.g. list.type == LTC\_ASN1\_SEQUENCE) and the child +When a SEQUENCE or SET has been encountered a SEQUENCE (or SET resp.) item will be added as a sibling (e.g. list.type == LTC\_ASN1\_SEQUENCE) and the child pointer points to a new list of items contained within the object. \index{der\_decode\_sequence\_flexi()} \begin{verbatim} -int der_decode_sequence_flexi(const unsigned char *in, unsigned long *inlen, - ltc_asn1_list **out); +int der_decode_sequence_flexi(const unsigned char *in, + unsigned long *inlen, + ltc_asn1_list **out); \end{verbatim} -This will decode items in the ``in'' buffer of max input length ``inlen'' and store the newly created pointer to the list in ``out''. This function allocates -all required memory for the decoding. It stores the number of octets read back into ``inlen''. +This will decode items in the \textit{in} buffer of max input length \textit{inlen} and store the newly created pointer to the list in \textit{out}. This function allocates +all required memory for the decoding. It stores the number of octets read back into \textit{inlen}. -The function will terminate when either it hits an invalid ASN.1 type octet or it reads ``inlen'' octets. An early terminate is a soft error and returns -normally. The decoded list ``out'' will point to the very first element of the list (e.g. both parent and prev pointers will be \textbf{NULL}). +The function will terminate when either it hits an invalid ASN.1 type octet or it reads \textit{inlen} octets. An early terminate is a soft error and returns +normally. The decoded list \textit{out} will point to the very first element of the list (e.g. both parent and prev pointers will be \textbf{NULL}). An invalid decoding will terminate the process and free the allocated memory automatically. \textbf{Note} that the list decoded by this function is \textbf{NOT} in the correct form for der\_encode\_sequence() to use directly. You will have to first -have to convert the list by first storing all of the sibblings in an array then storing all the children as sub-lists of a sequence using the ``.data'' +have to convert the list by first storing all of the siblings in an array then storing all the children as sub-lists of a sequence using the \textit{.data} pointer. Currently no function in LibTomCrypt provides this ability. To free the list use the following function. @@ -3793,7 +4397,7 @@ void der_sequence_free(ltc_asn1_list *in); This will free all of the memory allocated by der\_decode\_sequence\_flexi(). -\section{Password Based Cryptography} +\mysection{Password Based Cryptography} \subsection{PKCS \#5} \index{PKCS \#5} In order to securely handle user passwords for the purposes of creating session keys and chaining IVs the PKCS \#5 was drafted. PKCS \#5 @@ -3807,41 +4411,48 @@ algorithm and produces an output no longer than the output of the hash. \index{pkcs\_5\_alg1()} \begin{alltt} -int pkcs_5_alg1(const unsigned char *password, unsigned long password_len, +int pkcs_5_alg1(const unsigned char *password, + unsigned long password_len, const unsigned char *salt, - int iteration_count, int hash_idx, - unsigned char *out, unsigned long *outlen) + int iteration_count, + int hash_idx, + unsigned char *out, + unsigned long *outlen) \end{alltt} -Where ``password'' is the users password. Since the algorithm allows binary passwords you must also specify the length in ``password\_len''. -The ``salt'' is a fixed size 8--byte array which should be random for each user and session. The ``iteration\_count'' is the delay desired -on the password. The ``hash\_idx'' is the index of the hash you wish to use in the descriptor table. +Where \textit{password} is the users password. Since the algorithm allows binary passwords you must also specify the length in \textit{password\_len}. +The \textit{salt} is a fixed size 8--byte array which should be random for each user and session. The \textit{iteration\_count} is the delay desired +on the password. The \textit{hash\_idx} is the index of the hash you wish to use in the descriptor table. -The output of length upto ``outlen'' is stored in ``out''. If ``outlen'' is initially larger than the size of the hash functions output -it is set to the number of bytes stored. If it is smaller than not all of the hash output is stored in ``out''. +The output of length upto \textit{outlen} is stored in \textit{out}. If \textit{outlen} is initially larger than the size of the hash functions output +it is set to the number of bytes stored. If it is smaller than not all of the hash output is stored in \textit{out}. \subsection{Algorithm Two} Algorithm Two is the recommended algorithm for this task. It allows variable length salts and can produce outputs larger than the hash functions output. As such it can easily be used to derive session keys for ciphers and MACs as well initial vectors as required -from a single password and invokation of this algorithm. +from a single password and invocation of this algorithm. \index{pkcs\_5\_alg2()} \begin{alltt} -int pkcs_5_alg2(const unsigned char *password, unsigned long password_len, - const unsigned char *salt, unsigned long salt_len, - int iteration_count, int hash_idx, - unsigned char *out, unsigned long *outlen) +int pkcs_5_alg2(const unsigned char *password, + unsigned long password_len, + const unsigned char *salt, + unsigned long salt_len, + int iteration_count, + int hash_idx, + unsigned char *out, + unsigned long *outlen) \end{alltt} -Where ``password'' is the users password. Since the algorithm allows binary passwords you must also specify the length in ``password\_len''. -The ``salt'' is an array of size ``salt\_len''. It should be random for each user and session. The ``iteration\_count'' is the delay desired -on the password. The ``hash\_idx'' is the index of the hash you wish to use in the descriptor table. The output of length upto -``outlen'' is stored in ``out''. +Where \textit{password} is the users password. Since the algorithm allows binary passwords you must also specify the length in \textit{password\_len}. +The \textit{salt} is an array of size \textit{salt\_len}. It should be random for each user and session. The \textit{iteration\_count} is the delay desired +on the password. The \textit{hash\_idx} is the index of the hash you wish to use in the descriptor table. The output of length upto +\textit{outlen} is stored in \textit{out}. -\begin{alltt} +\begin{verbatim} /* demo to show how to make session state material from a password */ #include int main(void) -\{ +{ unsigned char password[100], salt[100], cipher_key[16], cipher_iv[16], mac_key[16], outbuf[48]; @@ -3855,9 +4466,10 @@ int main(void) /* create the material (100 iterations in algorithm) */ outlen = sizeof(outbuf); if ((err = pkcs_5_alg2(password, password_len, salt, salt_len, - 100, hash_idx, outbuf, &outlen)) != CRYPT_OK) \{ + 100, hash_idx, outbuf, &outlen)) + != CRYPT_OK) { /* error handle */ - \} + } /* now extract it */ memcpy(cipher_key, outbuf, 16); @@ -3865,11 +4477,11 @@ int main(void) memcpy(mac_key, outbuf+32, 16); /* use material (recall to store the salt in the output) */ -\} -\end{alltt} +} +\end{verbatim} \chapter{Miscellaneous} -\section{Base64 Encoding and Decoding} +\mysection{Base64 Encoding and Decoding} The library provides functions to encode and decode a RFC1521 base64 coding scheme. This means that it can decode what it encodes but the format used does not comply to any known standard. The characters used in the mappings are: \begin{verbatim} @@ -3887,18 +4499,22 @@ break up the first four characters. To encode a binary string in base64 call: \index{base64\_encode()} \index{base64\_decode()} \begin{verbatim} -int base64_encode(const unsigned char *in, unsigned long len, - unsigned char *out, unsigned long *outlen); +int base64_encode(const unsigned char *in, + unsigned long len, + unsigned char *out, + unsigned long *outlen); \end{verbatim} -Where ``in'' is the binary string and ``out'' is where the ASCII output is placed. You must set the value of ``outlen'' prior -to calling this function and it sets the length of the base64 output in ``outlen'' when it is done. To decode a base64 +Where \textit{in} is the binary string and \textit{out} is where the ASCII output is placed. You must set the value of \textit{outlen} prior +to calling this function and it sets the length of the base64 output in \textit{outlen} when it is done. To decode a base64 string call: \begin{verbatim} -int base64_decode(const unsigned char *in, unsigned long len, - unsigned char *out, unsigned long *outlen); +int base64_decode(const unsigned char *in, + unsigned long len, + unsigned char *out, + unsigned long *outlen); \end{verbatim} -\section{Primality Testing} +\mysection{Primality Testing} \index{Primality Testing} The library includes primality testing and random prime functions as well. The primality tester will perform the test in two phases. First it will perform trial division by the first few primes. Second it will perform eight rounds of the @@ -3907,8 +4523,8 @@ composite. No prime number will fail the two phases but composites can. Each r the probability of a pseudo-prime by $1 \over 4$ therefore after sixteen rounds the probability is no more than $\left ( { 1 \over 4 } \right )^{8} = 2^{-16}$. In practice the probability of error is in fact much lower than that. -When making random primes the trial division step is in fact an optimized implementation of ``Implementation of Fast RSA Key Generation on Smart Cards''\footnote{Chenghuai Lu, Andre L. M. dos Santos and Francisco R. Pimentel}. -In essence a table of machine-word sized residues are kept of a candidate modulo a set of primes. When the candiate +When making random primes the trial division step is in fact an optimized implementation of \textit{Implementation of Fast RSA Key Generation on Smart Cards}\footnote{Chenghuai Lu, Andre L. M. dos Santos and Francisco R. Pimentel}. +In essence a table of machine-word sized residues are kept of a candidate modulo a set of primes. When the candidate is rejected and ultimately incremented to test the next number the residues are updated without using multi-word precision math operations. As a result the routine can scan ahead to the next number required for testing with very little work involved. @@ -3921,34 +4537,37 @@ the multi-prime RSA. Suppose $q = rs$ for two primes $r$ and $s$ then $\phi(pq) not equal to $(p - 1)(rs - 1)$. These are not technically part of the LibTomMath library but this is the best place to document them. -To test if a ``mp\_int'' is prime call: +To test if a \textit{mp\_int} is prime call: \begin{verbatim} int is_prime(mp_int *N, int *result); \end{verbatim} -This puts a one in ``result'' if the number is probably prime, otherwise it places a zero in it. It is assumed that if -it returns an error that the value in ``result'' is undefined. To make +This puts a one in \textit{result} if the number is probably prime, otherwise it places a zero in it. It is assumed that if +it returns an error that the value in \textit{result} is undefined. To make a random prime call: \begin{verbatim} -int rand_prime(mp_int *N, unsigned long len, prng_state *prng, int wprng); +int rand_prime( mp_int *N, + unsigned long len, + prng_state *prng, + int wprng); \end{verbatim} -Where ``len'' is the size of the prime in bytes ($2 \le len \le 256$). You can set ``len'' to the negative size you want +Where \textit{len} is the size of the prime in bytes ($2 \le len \le 256$). You can set \textit{len} to the negative size you want to get a prime of the form $p \equiv 3\mbox{ }(\mbox{mod } 4)$. So if you want a 1024-bit prime of this sort pass -``len = -128'' to the function. Upon success it will return {\bf CRYPT\_OK} and ``N'' will contain an integer which +\textit{len = -128} to the function. Upon success it will return {\bf CRYPT\_OK} and \textit{N} will contain an integer which is very likely prime. \chapter{Programming Guidelines} -\section{Secure Pseudo Random Number Generators} -Probably the singal most vulnerable point of any cryptosystem is the PRNG. Without one generating and protecting secrets +\mysection{Secure Pseudo Random Number Generators} +Probably the single most vulnerable point of any cryptosystem is the PRNG. Without one generating and protecting secrets would be impossible. The requirement that one be setup correctly is vitally important and to address this point the library -does provide two RNG sources that will address the largest amount of end users as possible. The ``sprng'' PRNG provided +does provide two RNG sources that will address the largest amount of end users as possible. The \textit{sprng} PRNG provided provides and easy to access source of entropy for any application on a *NIX or Windows computer. However, when the end user is not on one of these platforms the application developer must address the issue of finding entropy. This manual is not designed to be a text on cryptography. I would just like to highlight that when you design a cryptosystem make sure the first problem you solve is getting a fresh source of entropy. -\section{Preventing Trivial Errors} +\mysection{Preventing Trivial Errors} Two simple ways to prevent trivial errors is to prevent overflows and to check the return values. All of the functions which output variable length strings will require you to pass the length of the destination. If the size of your output buffer is smaller than the output it will report an error. Therefore, make sure the size you pass is correct! @@ -3956,8 +4575,8 @@ buffer is smaller than the output it will report an error. Therefore, make sure Also virtually all of the functions return an error code or {\bf CRYPT\_OK}. You should detect all errors as simple typos or such can cause algorithms to fail to work as desired. -\section{Registering Your Algorithms} -To avoid linking and other runtime errors it is important to register the ciphers, hashes and PRNGs you intend to use +\mysection{Registering Your Algorithms} +To avoid linking and other run-time errors it is important to register the ciphers, hashes and PRNGs you intend to use before you try to use them. This includes any function which would use an algorithm indirectly through a descriptor table. A neat bonus to the registry system is that you can add external algorithms that are not part of the library without @@ -3965,13 +4584,13 @@ having to hack the library. For example, suppose you have a hardware specific P write the few functions required plus a descriptor. After registering your PRNG all of the library functions that need a PRNG can instantly take advantage of it. -\section{Key Sizes} +\mysection{Key Sizes} \subsection{Symmetric Ciphers} -For symmetric ciphers use as large as of a key as possible. For the most part ``bits are cheap'' so using a 256-bit key -is not a hard thing todo. +For symmetric ciphers use as large as of a key as possible. For the most part \textit{bits are cheap} so using a 256-bit key +is not a hard thing to do. -\subsection{Assymetric Ciphers} +\subsection{Asymmetric Ciphers} The following chart gives the work factor for solving a DH/RSA public key using the NFS. The work factor for a key of order $n$ is estimated to be \begin{equation} @@ -3995,8 +4614,8 @@ is: \end{tabular} \end{center} -The work factor for ECC keys is much higher since the best attack is still fully exponentional. Given a key of magnitude -$n$ it requires $\sqrt n$ work. The following table sumarizes the work required: +The work factor for ECC keys is much higher since the best attack is still fully exponential. Given a key of magnitude +$n$ it requires $\sqrt n$ work. The following table summarizes the work required: \begin{center} \begin{tabular}{|c|c|} \hline ECC Key Size (bits) & Work Factor ($log_2$) \\ @@ -4020,9 +4639,9 @@ Using the above tables the following suggestions for key sizes seems appropriate \end{tabular} \end{center} -\section{Thread Safety} +\mysection{Thread Safety} The library is not thread safe but several simple precautions can be taken to avoid any problems. The registry functions -such as register\_cipher() are not thread safe no matter what you do. Its best to call them from your programs initializtion +such as register\_cipher() are not thread safe no matter what you do. Its best to call them from your programs initialization code before threads are initiated. The rest of the code uses state variables you must pass it such as hash\_state, hmac\_state, etc. This means that if each @@ -4030,13 +4649,13 @@ thread has its own state variables then they will not affect each other. This i and hashes. However, the keyring and PRNG support is something the threads will want to share. The simplest workaround is create semaphores or mutexes around calls to those functions. -Since C does not have standard semaphores this support is not native to Libtomcrypt. Even a C based semaphore is not entire -possible as some compilers may ignore the ``volatile'' keyword or have multiple processors. Provide your host application +Since C does not have standard semaphores this support is not native to LibTomCrypt. Even a C based semaphore is not entire +possible as some compilers may ignore the \textit{volatile} keyword or have multiple processors. Provide your host application is modular enough putting the locks in the right place should not bloat the code significantly and will solve all thread safety issues within the library. \chapter{Configuring and Building the Library} -\section{Introduction} +\mysection{Introduction} The library is fairly flexible about how it can be built, used and generally distributed. Additions are being made with each new release that will make the library even more flexible. Each of the classes of functions can be disabled during the build process to make a smaller library. This is particularly useful for shared libraries. @@ -4049,7 +4668,7 @@ configured. Note that LibTomCrypt can be built with no internal math descriptor build or run time for the application. LibTomCrypt comes with two math descriptors that provide a standard interface to math libraries. One for LibTomMath and one for TomsFastMath. -\section{Makefile variables} +\mysection{Makefile variables} All GNU driven makefiles (including the makefile for ICC) use a set of common variables to control the build and install process. Most of the settings can be overwritten from the command line which makes custom installation a breeze. @@ -4058,7 +4677,7 @@ settings can be overwritten from the command line which makes custom installatio \index{CC} \index{AR} \subsection{MAKE, CC and AR} -The MAKE, CC and AR flags can all be overwritten. They default to ``make'', ``\$CC'' and ``\$AR'' respectively. +The MAKE, CC and AR flags can all be overwritten. They default to \textit{make}, \textit{\$CC} and \textit{\$AR} respectively. Changing MAKE allows you to change what program will be invoked to handle sub--directories. E.g. @@ -4066,13 +4685,13 @@ Changing MAKE allows you to change what program will be invoked to handle sub--d MAKE=gmake gmake install \end{verbatim} -Will build and install the libraries with the ``gmake'' tool. Similarly +Will build and install the libraries with the \textit{gmake} tool. Similarly \begin{verbatim} CC=arm-gcc AR=arm-ar make \end{verbatim} -Will build the library using ``arm--gcc'' as the compiler and ``arm--ar'' as the archiver. +Will build the library using \textit{arm--gcc} as the compiler and \textit{arm--ar} as the archiver. \subsection{IGNORE\_SPEED} \index{IGNORE\_SPEED} @@ -4083,22 +4702,22 @@ CFLAGS on the command line. E.g. to add debugging CFLAGS="-g3" make IGNORE_SPEED=1 \end{verbatim} -This will turn off optimizations and add ``-g3'' to the CFLAGS which enables debugging. +This will turn off optimizations and add \textit{-g3} to the CFLAGS which enables debugging. \subsection{LIBNAME and LIBNAME\_S} \index{LIBNAME} \index{LIBNAME\_S} -\textbf{LIBNAME} is the name of the output library (archive) to create. It defaults to ``libtomcrypt.a'' for static builds and ``libtomcrypt.la'' for +\textbf{LIBNAME} is the name of the output library (archive) to create. It defaults to \textit{libtomcrypt.a} for static builds and \textit{libtomcrypt.la} for shared. The \textbf{LIBNAME\_S} variable is the static name while doing shared builds. Ideally they should have the same prefix but don't have to. \index{LIBTEST} \index{LIBTEST\_S} -Similarly \textbf{LIBTEST} and \textbf{LIBTEST\_S} are the names for the profiling and testing library. The default is ``libtomcrypt\_prof.a'' for -static and ``libtomcrypt\_prof.la'' for shared. +Similarly \textbf{LIBTEST} and \textbf{LIBTEST\_S} are the names for the profiling and testing library. The default is \textit{libtomcrypt\_prof.a} for +static and \textit{libtomcrypt\_prof.la} for shared. \subsection{Installation Directories} \index{DESTDIR} \index{LIBPATH} \index{INCPATH} \index{DATADIR} \textbf{DESTDIR} is the prefix for the installation directories. It defaults to an empty string. \textbf{LIBPATH} is the prefix for the library -directory which defaults to ``/usr/lib''. \textbf{INCPATH} is the prefix for the header file directory which defaults to ``/usr/include''. -\textbf{DATADIR} is the prefix for the data (documentation) directory which defaults to ``/usr/share/doc/libtomcrypt/pdf''. +directory which defaults to \textit{/usr/lib}. \textbf{INCPATH} is the prefix for the header file directory which defaults to \textit{/usr/include}. +\textbf{DATADIR} is the prefix for the data (documentation) directory which defaults to \textit{/usr/share/doc/libtomcrypt/pdf}. All four can be used to create custom install locations depending on the nature of the OS and file system in use. @@ -4107,7 +4726,7 @@ make LIBPATH=/home/tom/project/lib INCPATH=/home/tom/project/include \ DATAPATH=/home/tom/project/docs install \end{verbatim} -This will build the library and install it to the directories under ``/home/tom/project/''. e.g. +This will build the library and install it to the directories under \textit{/home/tom/project/}. e.g. \begin{small} \begin{verbatim} @@ -4144,7 +4763,7 @@ total 1073 \end{verbatim} \end{small} -\section{Extra libraries} +\mysection{Extra libraries} \index{EXTRALIBS} \textbf{EXTRALIBS} specifies any extra libraries required to link the test programs and shared libraries. They are specified in the notation that GCC expects for global archives. @@ -4153,13 +4772,13 @@ that GCC expects for global archives. CFLAGS="-DTFM_DESC -DUSE_TFM" EXTRALIBS=-ltfm make install test timing \end{verbatim} -This will install the library using the TomsFastMath library and link the ``libtfm.a'' library out of the default library search path. The two +This will install the library using the TomsFastMath library and link the \textit{libtfm.a} library out of the default library search path. The two defines are explained below. You can specify multiple archives (say if you want to support two math libraries, or add on additional code) to the \textbf{EXTRALIBS} variable by separating them by a space. Note that \textbf{EXTRALIBS} is not required if you are only making and installing the static library but none of the test programs. -\section{Building a Static Library} +\mysection{Building a Static Library} Building a static library is fairly trivial as it only requires one invocation of the GNU make command. @@ -4184,13 +4803,13 @@ Note that even if you include the built--in descriptors you must link against th gcc -DTFM_DESC myprogram.c -ltomcrypt -ltfm -o myprogram \end{verbatim} -This will compile ``myprogram'' and link it against the LibTomCrypt library as well as TomsFastMath (which must have been previously installed). Note that +This will compile \textit{myprogram} and link it against the LibTomCrypt library as well as TomsFastMath (which must have been previously installed). Note that we define \textbf{TFM\_DESC} for compilation. This is so that the TFM descriptor symbol will be defined for the client application to make use of without giving warnings. -\section{Building a Shared Library} +\mysection{Building a Shared Library} -LibTomCrypt can also be built as a shared library through the ``makefile.shared'' make script. It is similar to use as the static script except +LibTomCrypt can also be built as a shared library through the \textit{makefile.shared} make script. It is similar to use as the static script except that you \textbf{must} specify the \textbf{EXTRALIBS} variable at install time. \begin{verbatim} @@ -4200,8 +4819,8 @@ CFLAGS="-DTFM_DESC" EXTRALIBS=-ltfm make -f makefile.shared install This will build and install the library and link the shared object against the TomsFastMath library (which must be installed as a shared object as well). The shared build process requires libtool to be installed. -\section{tomcrypt\_cfg.h} -The file ``tomcrypt\_cfg.h'' is what lets you control various high level macros which control the behaviour +\mysection{tomcrypt\_cfg.h} +The file \textit{tomcrypt\_cfg.h} is what lets you control various high level macros which control the behaviour of the library. \subsubsection{ARGTYPE} @@ -4214,14 +4833,14 @@ if you handle signals on your own. When set to 3 it will resolve to a empty mac \subsubsection{Endianess} There are five macros related to endianess issues. For little endian platforms define, \textbf{ENDIAN\_LITTLE}. For big endian -platforms define \textbf{ENDIAN\_BIG}. Similarly when the default word size of an ``unsigned long'' is 32-bits define \textbf{ENDIAN\_32BITWORD} +platforms define \textbf{ENDIAN\_BIG}. Similarly when the default word size of an \textit{unsigned long} is 32-bits define \textbf{ENDIAN\_32BITWORD} or define \textbf{ENDIAN\_64BITWORD} when its 64-bits. If you do not define any of them the library will automatically use \textbf{ENDIAN\_NEUTRAL} which will work on all platforms. Currently LibTomCrypt will detect x86-32, x86-64, MIPS R5900, SPARC and SPARC64 running GCC as well as x86-32 running MSVC. -\section{The Configure Script} -There are also options you can specify from the configure script or ``tomcrypt\_custom.h''. +\mysection{The Configure Script} +There are also options you can specify from the configure script or \textit{tomcrypt\_custom.h}. \subsection{X memory routines} At the top of tomcrypt\_custom.h are four macros denoted as XMALLOC, XCALLOC, XREALLOC and XFREE which resolve to @@ -4256,7 +4875,7 @@ Also see technical note number five for more details. \subsection{TWOFISH\_SMALL and TWOFISH\_TABLES} Twofish is a 128-bit symmetric block cipher that is provided within the library. The cipher itself is flexible enough -to allow some tradeoffs in the implementation. When TWOFISH\_SMALL is defined the scheduled symmetric key for Twofish +to allow some trade-offs in the implementation. When TWOFISH\_SMALL is defined the scheduled symmetric key for Twofish requires only 200 bytes of memory. This is achieved by not pre-computing the substitution boxes. Having this defined will also greatly slow down the cipher. When this macro is not defined Twofish will pre-compute the tables at a cost of 4KB of memory. The cipher will be much faster as a result. @@ -4275,26 +4894,26 @@ When this is defined some of the code such as the Rijndael and SAFER+ ciphers ar These variants are slower but can save quite a bit of code space. \subsection{LTC\_FAST} -This mode (autodetected with x86\_32,x86\_64 platforms with GCC or MSVC) configures various routines such as ctr\_encrypt() or +This mode (auto-detected with x86\_32,x86\_64 platforms with GCC or MSVC) configures various routines such as ctr\_encrypt() or cbc\_encrypt() that it can safely XOR multiple octets in one step by using a larger data type. This has the benefit of cutting down the overhead of the respective functions. This mode does have one downside. It can cause unaligned reads from memory if you are not careful with the functions. This is why it has been enabled by default only for the x86 class of processors where unaligned accesses are allowed. Technically LTC\_FAST -is not ``portable'' since unaligned accesses are not covered by the ISO C specifications. +is not \textit{portable} since unaligned accesses are not covered by the ISO C specifications. In practice however, you can use it on pretty much any platform (even MIPS) with care. -By design the ``fast'' mode functions won't get unaligned on their own. For instance, if you call ctr\_encrypt() right after calling +By design the \textit{fast} mode functions won't get unaligned on their own. For instance, if you call ctr\_encrypt() right after calling ctr\_start() and all the inputs you gave are aligned than ctr\_encrypt() will perform aligned memory operations only. However, if you call ctr\_encrypt() with an odd amount of plaintext then call it again the CTR pad (the IV) will be partially used. This will cause the ctr routine to first use up the remaining pad bytes. Then if there are enough plaintext bytes left it will use whole word XOR operations. These operations will be unaligned. -The simplest precaution is to make sure you process all data in power of two blocks and handle ``remainder'' at the end. e.g. If you are +The simplest precaution is to make sure you process all data in power of two blocks and handle \textit{remainder} at the end. e.g. If you are CTR'ing a long stream process it in blocks of (say) four kilobytes and handle any remaining incomplete blocks at the end of the stream. -If you do plan on using the ``LTC\_FAST'' mode you have to also define a ``LTC\_FAST\_TYPE'' macro which resolves to an optimal sized +If you do plan on using the \textit{LTC\_FAST} mode you have to also define a \textit{LTC\_FAST\_TYPE} macro which resolves to an optimal sized data type you can perform integer operations with. Ideally it should be four or eight bytes since it must properly divide the size of your block cipher (e.g. 16 bytes for AES). This means sadly if you're on a platform with 57--bit words (or something) you can't use this mode. So sad. @@ -4307,14 +4926,14 @@ Generally the rule of thumb is to setup the tables once at startup and then leav the tables safer. \subsection{LTC\_ECC\_TIMING\_RESISTANT} -When this has been defined the ECC point multiplier (built--in to the library) will use a timing resistant point multipication +When this has been defined the ECC point multiplier (built--in to the library) will use a timing resistant point multiplication algorithm which prevents leaking key bits of the private key (scalar). It is a slower algorithm but useful for situations where timing side channels pose a significant threat. \subsection{Math Descriptors} -The library comes with two math descriptors that allow you to interface the public key cryptography api to freely available math +The library comes with two math descriptors that allow you to interface the public key cryptography API to freely available math libraries. In this case LibTomMath and TomsFastMath. When either of \textbf{LTM\_DESC} or \textbf{TFM\_DESC} are defined -descriptors for the respective library are built and included in the library as ``ltm\_desc'' or ``tfm\_desc'' respectively. +descriptors for the respective library are built and included in the library as \textit{ltm\_desc} or \textit{tfm\_desc} respectively. In the test demos that use the libraries the additional flags \textbf{USE\_LTM} and \textbf{USE\_TFM} can be defined to tell the program which library to use. They cannot both be defined at once. @@ -4330,7 +4949,7 @@ CFLAGS="-DLTM_DESC -DTFM_DESC -DUSE_TFM" EXTRALIBS="-ltommath -ltfm" That will build and install the library with both descriptors (and link against both) but then only use TomsFastMath in the timing demo. \chapter{Optimizations} -\section{Introduction} +\mysection{Introduction} The entire API was designed with plug and play in mind at the low level. That is you can swap out any cipher, hash or PRNG and dependent API will not require updating. This has the nice benefit that I can add ciphers not have to re--write large portions of the API. For the most part LibTomCrypt has also been written to be highly portable and easy to build out of the box on pretty much any platform. As such there are no assembler inlines throughout the code, I make no assumptions @@ -4340,11 +4959,11 @@ That works well for most cases but there are times where time is of the essence. portable routines. For instance, hand optimized assembler versions of AES could be provided and any existing function that uses the cipher could automatically use the optimized code without re--writing. This also paves the way for hardware drivers that can access hardware accelerated cryptographic devices. -At the heart of this flexibility is the ``descriptor'' system. A descriptor is essentially just a C ``struct'' which describes the algorithm and provides pointers +At the heart of this flexibility is the \textit{descriptor} system. A descriptor is essentially just a C \textit{struct} which describes the algorithm and provides pointers to functions that do the work. For a given class of operation (e.g. cipher, hash, prng) the functions have identical prototypes which makes development simple. In most dependent routines all a developer has to do is register\_XXX() the descriptor and they're set. -\section{Ciphers} +\mysection{Ciphers} The ciphers in LibTomCrypt are accessed through the ltc\_cipher\_descriptor structure. \begin{small} @@ -4539,36 +5158,36 @@ struct ltc_cipher_descriptor { \subsection{Name} \index{find\_cipher()} -The ``name'' parameter specifies the name of the cipher. This is what a developer would pass to find\_cipher() to find the cipher in the descriptor +The \textit{name} parameter specifies the name of the cipher. This is what a developer would pass to find\_cipher() to find the cipher in the descriptor tables. \subsection{Internal ID} -This is a single byte Internal ID you can use to distingish ciphers from each other. +This is a single byte Internal ID you can use to distinguish ciphers from each other. \subsection{Key Lengths} -The minimum key length is ``min\_key\_length'' and is measured in octets. Similarly the maximum key length is ``max\_key\_length''. They can be equal +The minimum key length is \textit{min\_key\_length} and is measured in octets. Similarly the maximum key length is \textit{max\_key\_length}. They can be equal and both must valid key sizes for the cipher. Values in between are not assumed to be valid though they may be. \subsection{Block Length} -The size of the ciphers plaintext or ciphertext is ``block\_length'' and is measured in octets. +The size of the ciphers plaintext or ciphertext is \textit{block\_length} and is measured in octets. \subsection{Rounds} -Some ciphers allow different number of rounds to be used. Usually you just use the default. The default round count is ``default\_rounds''. +Some ciphers allow different number of rounds to be used. Usually you just use the default. The default round count is \textit{default\_rounds}. \subsection{Setup} -To initialize a cipher (for ECB mode) the function setup() was provided. It accepts an array of key octets ``key'' of length ``keylen'' octets. The user -can specify the number of rounds they want through ``num\_rounds'' where $num\_rounds = 0$ means use the default. The destination of a scheduled key is stored -in ``skey''. +To initialize a cipher (for ECB mode) the function setup() was provided. It accepts an array of key octets \textit{key} of length \textit{keylen} octets. The user +can specify the number of rounds they want through \textit{num\_rounds} where $num\_rounds = 0$ means use the default. The destination of a scheduled key is stored +in \textit{skey}. -Inside the ``symmetric\_key'' union there is a ``void *data'' which you can use to allocate data if you need a data structure that doesn't fit with the existing -ones provided. Just make sure in your ``done()'' function that you free the allocated memory. +Inside the \textit{symmetric\_key} union there is a \textit{void *data} which you can use to allocate data if you need a data structure that doesn't fit with the existing +ones provided. Just make sure in your \textit{done()} function that you free the allocated memory. \subsection{Single block ECB} To process a single block in ECB mode the ecb\_encrypt() and ecb\_decrypt() functions were provided. The plaintext and ciphertext buffers are allowed to overlap so you must make sure you do not overwrite the output before you are finished with the input. \subsection{Testing} -The test() function is used to self--test the ``device''. It takes no arguments and returns \textbf{CRYPT\_OK} if all is working properly. +The test() function is used to self--test the \textit{device}. It takes no arguments and returns \textbf{CRYPT\_OK} if all is working properly. \subsection{Key Sizing} Occasionally a function will want to find a suitable key size to use since the input is oddly sized. The keysize() function is for this case. It accepts a @@ -4578,21 +5197,21 @@ example, if the input is $25$ and $24$ is valid then it stores $24$ back in the \subsection{Acceleration} The next set of functions cover the accelerated functionality of the cipher descriptor. Any combination of these functions may be set to \textbf{NULL} to indicate -it is not supported. In those cases the software fallbacks are used (using the single ECB block routines). +it is not supported. In those cases the software defaults are used (using the single ECB block routines). \subsubsection{Accelerated ECB} These two functions are meant for cases where a user wants to encrypt (in ECB mode no less) an array of blocks. These functions are accessed -through the accel\_ecb\_encrypt and accel\_ecb\_decrypt pointers. The ``blocks'' count is the number of complete blocks to process. +through the accel\_ecb\_encrypt and accel\_ecb\_decrypt pointers. The \textit{blocks} count is the number of complete blocks to process. \subsubsection{Accelerated CBC} These two functions are meant for accelerated CBC encryption. These functions are accessed through the accel\_cbc\_encrypt and accel\_cbc\_decrypt pointers. -The ``blocks'' value is the number of complete blocks to process. The ``IV'' is the CBC initial vector. It is an input upon calling this function and must be +The \textit{blocks} value is the number of complete blocks to process. The \textit{IV} is the CBC initial vector. It is an input upon calling this function and must be updated by the function before returning. \subsubsection{Accelerated CTR} This function is meant for accelerated CTR encryption. It is accessible through the accel\_ctr\_encrypt pointer. -The ``blocks'' value is the number of complete blocks to process. The ``IV'' is the CTR counter vector. It is an input upon calling this function and must be -updated by the function before returning. The ``mode'' value indicates whether the counter is big (mode = CTR\_COUNTER\_BIG\_ENDIAN) or +The \textit{blocks} value is the number of complete blocks to process. The \textit{IV} is the CTR counter vector. It is an input upon calling this function and must be +updated by the function before returning. The \textit{mode} value indicates whether the counter is big (mode = CTR\_COUNTER\_BIG\_ENDIAN) or little (mode = CTR\_COUNTER\_LITTLE\_ENDIAN) endian. This function (and the way it's called) differs from the other two since ctr\_encrypt() allows any size input plaintext. The accelerator will only be @@ -4604,20 +5223,20 @@ called if the following conditions are met. \item The remaining length of the input to process is greater than or equal to the block size. \end{enumerate} -The ``CTR pad'' is empty when a multiple (including zero) blocks of text have been processed. That is, if you pass in seven bytes to AES--CTR mode you would have to +The \textit{CTR pad} is empty when a multiple (including zero) blocks of text have been processed. That is, if you pass in seven bytes to AES--CTR mode you would have to pass in a minimum of nine extra bytes before the accelerator could be called. The CTR accelerator must increment the counter (and store it back into the buffer provided) before encrypting it to create the pad. The accelerator will only be used to encrypt whole blocks. Partial blocks are always handled in software. \subsubsection{Accelerated LRW} -These functions are meant for accelerated LRW. They process blocks of input in lengths of multiples of 16 octets. They must accept the ``IV'' and ``tweak'' -state variables and updated them prior to returning. Note that you may want to disable \textbf{LRW\_TABLES} in ``tomcrypt\_custom.h'' if you intend +These functions are meant for accelerated LRW. They process blocks of input in lengths of multiples of 16 octets. They must accept the \textit{IV} and \textit{tweak} +state variables and updated them prior to returning. Note that you may want to disable \textbf{LRW\_TABLES} in \textit{tomcrypt\_custom.h} if you intend to use accelerators for LRW. While both encrypt and decrypt accelerators are not required it is suggested as it makes lrw\_setiv() more efficient. -Note that calling lrw\_done() will only invoke the cipher\_descriptor[].done() function on the ``symmetric\_key'' parameter of the LRW state. That means +Note that calling lrw\_done() will only invoke the cipher\_descriptor[].done() function on the \textit{symmetric\_key} parameter of the LRW state. That means if your device requires any (LRW specific) resources you should free them in your ciphers() done function. The simplest way to think of it is to write the plugin solely to do LRW with the cipher. That way cipher\_descriptor[].setup() means to init LRW resources and cipher\_descriptor[].done() means to free them. @@ -4644,7 +5263,7 @@ function MUST support both key passing methods. This function is meant for accelerated GCM encryption or decryption. It processes the entire packet in one call. Note that the setup() function will not be called prior to this. This function must handle scheduling the key provided on its own. -\section{One--Way Hashes} +\mysection{One--Way Hashes} The hash functions are accessed through the ltc\_hash\_descriptor structure. \begin{small} @@ -4700,11 +5319,11 @@ This is the name the hash is known by and what find\_hash() will look for. This is the internal ID byte used to distinguish the hash from other hashes. \subsection{Digest Size} -The ``hashsize'' variable indicates the length of the output in octets. +The \textit{hashsize} variable indicates the length of the output in octets. \subsection{Block Size} -The `blocksize'' variable indicates the length of input (in octets) that the hash processes in a given -invokation. +The \textit{blocksize} variable indicates the length of input (in octets) that the hash processes in a given +invocation. \subsection{OID Identifier} This is the universal ASN.1 Object Identifier for the hash. @@ -4726,7 +5345,7 @@ A compatible accelerator must allow processing data in any granularity which may The hmac\_block() callback is meant for single--shot optimized HMAC implementations. It is called directly by hmac\_memory() if present. If you need to be able to process multiple blocks per MAC then you will have to simply provide a process() callback and use hmac\_memory() as provided in LibTomCrypt. -\section{Pseudo--Random Number Generators} +\mysection{Pseudo--Random Number Generators} The pseudo--random number generators are accessible through the ltc\_prng\_descriptor structure. \begin{small} @@ -4811,12 +5430,12 @@ if it does as many protocols do not retry reads and will fail on the first try. Terminate a PRNG state. The behaviour of this function depends on the particular PRNG used. \subsection{Exporting and Importing} -An exported PRNG state is data that the PRNG can later import to resume activity. They're not meant to resume ``the same session'' +An exported PRNG state is data that the PRNG can later import to resume activity. They're not meant to resume \textit{the same session} but should at least maintain the same level of state entropy. -\section{BigNum Math Descriptors} +\mysection{BigNum Math Descriptors} The library also makes use of the math descriptors to access math functions. While bignum math libraries usually differ in implementation -it hasn't proven hard to write ``glue'' to use math libraries so far. The basic descriptor looks like. +it hasn't proven hard to write \textit{glue} to use math libraries so far. The basic descriptor looks like. \begin{small} \begin{verbatim} @@ -4863,7 +5482,7 @@ typedef struct { /** set small constant @param a Number to write to @param n Source upto bits_per_digit (actually meant for very small constants) - @return CRYPT_OK on succcess + @return CRYPT_OK on success */ int (*set_int)(void *a, unsigned long n); @@ -5086,7 +5705,7 @@ typedef struct { /* ---- reduction ---- */ - /** setup montgomery + /** setup Montgomery @param a The modulus @param b The destination for the reduction digit @return CRYPT_OK on success @@ -5203,29 +5822,29 @@ typedef struct { \end{verbatim} \end{small} -Most of the functions are fairly straightfoward and do not need documentation. We'll cover the basic conventions of the API and then explain the accelerated functions. +Most of the functions are fairly straightforward and do not need documentation. We'll cover the basic conventions of the API and then explain the accelerated functions. \subsection{Conventions} -All ``bignums'' are accessed through an opaque ``void *'' data type. You must interally cast the pointer if you need to access members of your bignum structure. During -the init calls a ``void **'' will be passed where you allocate your structure and set the pointer then initialize the number to zero. During the deinit calls you must +All \textit{bignums} are accessed through an opaque \textit{void *} data type. You must internally cast the pointer if you need to access members of your bignum structure. During +the init calls a \textit{void **} will be passed where you allocate your structure and set the pointer then initialize the number to zero. During the deinit calls you must free the bignum as well as the structure you allocated to place it in. All functions except the Montgomery reductions work from left to right with the arguments. For example, mul(a, b, c) computes $c \leftarrow ab$. All functions (except where noted otherwise) return \textbf{CRYPT\_OK} to signify a successful operation. All error codes must be valid LibTomCrypt error codes. -The digit routines (including functions with the ``i'' suffix) use a ``unsigned long'' to represent the digit. If your internal digit is larger than this you must -then partition your digits. Normally this does not matter as ``unsigned long'' will be the same size as your register size. Note that if your digit is smaller -than an ``unsigned long'' that is also acceptable as the ``bits\_per\_digit'' parameter will specify this. +The digit routines (including functions with the \textit{i} suffix) use a \textit{unsigned long} to represent the digit. If your internal digit is larger than this you must +then partition your digits. Normally this does not matter as \textit{unsigned long} will be the same size as your register size. Note that if your digit is smaller +than an \textit{unsigned long} that is also acceptable as the \textit{bits\_per\_digit} parameter will specify this. \subsection{ECC Functions} The ECC system in LibTomCrypt is based off of the NIST recommended curves over $GF(p)$ and is used to implement EC-DSA and EC-DH. The ECC functions work with the \textbf{ecc\_point} structure and assume the points are stored in Jacobian projective format. \begin{verbatim} -/** A point on a ECC curve, stored in Jacbobian format such - that (x,y,z) => (x/z^2, y/z^3, 1) when interpretted as affine */ +/** A point on a ECC curve, stored in Jacobian format such + that (x,y,z) => (x/z^2, y/z^3, 1) when interpreted as affine */ typedef struct { /** The x co-ordinate */ void *x; @@ -5244,7 +5863,7 @@ could point to anything you want. The only further exception is the ecc\_export This will multiply the point $G$ by the scalar $k$ and store the result in the point $R$. The value should be mapped to affine only if $map$ is set to one. \subsubsection{Point Addition} -This will add the point $P$ to the point $Q$ and store it in the point $R$. The $mp$ parameter is the ``b'' value from the montgomery\_setup() call. The input points +This will add the point $P$ to the point $Q$ and store it in the point $R$. The $mp$ parameter is the \textit{b} value from the montgomery\_setup() call. The input points may be in either affine (with $z = 1$) or projective format and the output point is always projective. \subsubsection{Point Mapping} @@ -5278,16 +5897,18 @@ typedef struct Rsa_key { } rsa_key; \end{verbatim} -The call reads the ``in'' buffer as an unsigned char array in big endian format. Then it performs the exponentiation and stores the output in big endian format -to the ``out'' buffer. The output must be zero padded (leading bytes) so that the length of the output matches the length of the modulus (in bytes). For example, +The call reads the \textit{in} buffer as an unsigned char array in big endian format. Then it performs the exponentiation and stores the output in big endian format +to the \textit{out} buffer. The output must be zero padded (leading bytes) so that the length of the output matches the length of the modulus (in bytes). For example, for RSA--1024 the output is always 128 bytes regardless of how small the numerical value of the exponentiation is. Since the function is given the entire RSA key (for private keys only) CRT is possible as prescribed in the PKCS \#1 v2.1 specification. +\newpage +\markboth{Index}{Index} \input{crypt.ind} \end{document} % $Source: /cvs/libtom/libtomcrypt/crypt.tex,v $ -% $Revision: 1.77 $ -% $Date: 2006/08/30 23:23:20 $ +% $Revision: 1.103 $ +% $Date: 2006/11/17 15:03:08 $ diff --git a/demos/timing.c b/demos/timing.c index 8313332..76fd8cd 100644 --- a/demos/timing.c +++ b/demos/timing.c @@ -16,6 +16,7 @@ reg_algs(); extern ltc_math_descriptor EXT_MATH_LIB; ltc_mp = EXT_MATH_LIB; #endif + time_keysched(); time_cipher(); time_cipher2(); diff --git a/doc/crypt.pdf b/doc/crypt.pdf index d1679d8..f22c852 100644 Binary files a/doc/crypt.pdf and b/doc/crypt.pdf differ diff --git a/fixupind.pl b/fixupind.pl new file mode 100644 index 0000000..543ae96 --- /dev/null +++ b/fixupind.pl @@ -0,0 +1,11 @@ +open(IN,"crypt.ind.tmp"); +$a = ; +print OUT "$a\n\\addcontentsline{toc}{chapter}{Index}\n"; +while () { + print OUT $_; +} +close OUT; +close IN; +system("mv -f crypt.ind.tmp crypt.ind"); + diff --git a/makefile b/makefile index d5d5ff8..71f875f 100644 --- a/makefile +++ b/makefile @@ -4,7 +4,7 @@ # Modified by Clay Culver # The version -VERSION=1.14 +VERSION=1.15 # Compiler and Linker Names #CC=gcc @@ -103,40 +103,46 @@ endif #List of objects to compile. #START_INS OBJECTS=src/ciphers/aes/aes_enc.o src/ciphers/aes/aes.o src/ciphers/anubis.o src/ciphers/blowfish.o \ -src/ciphers/cast5.o src/ciphers/des.o src/ciphers/khazad.o src/ciphers/noekeon.o src/ciphers/rc2.o \ -src/ciphers/rc5.o src/ciphers/rc6.o src/ciphers/safer/safer.o src/ciphers/safer/safer_tab.o \ -src/ciphers/safer/saferp.o src/ciphers/skipjack.o src/ciphers/twofish/twofish.o src/ciphers/xtea.o \ -src/encauth/ccm/ccm_memory.o src/encauth/ccm/ccm_test.o src/encauth/eax/eax_addheader.o \ -src/encauth/eax/eax_decrypt.o src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o \ -src/encauth/eax/eax_encrypt.o src/encauth/eax/eax_encrypt_authenticate_memory.o \ -src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o \ -src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \ -src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \ -src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \ -src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \ -src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \ +src/ciphers/cast5.o src/ciphers/des.o src/ciphers/kasumi.o src/ciphers/khazad.o src/ciphers/kseed.o \ +src/ciphers/noekeon.o src/ciphers/rc2.o src/ciphers/rc5.o src/ciphers/rc6.o src/ciphers/safer/safer.o \ +src/ciphers/safer/safer_tab.o src/ciphers/safer/saferp.o src/ciphers/skipjack.o \ +src/ciphers/twofish/twofish.o src/ciphers/xtea.o src/encauth/ccm/ccm_memory.o \ +src/encauth/ccm/ccm_test.o src/encauth/eax/eax_addheader.o src/encauth/eax/eax_decrypt.o \ +src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o src/encauth/eax/eax_encrypt.o \ +src/encauth/eax/eax_encrypt_authenticate_memory.o src/encauth/eax/eax_init.o \ +src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o src/encauth/gcm/gcm_add_iv.o \ +src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o src/encauth/gcm/gcm_init.o \ +src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o src/encauth/gcm/gcm_process.o \ +src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o src/encauth/ocb/ocb_decrypt.o \ +src/encauth/ocb/ocb_decrypt_verify_memory.o src/encauth/ocb/ocb_done_decrypt.o \ +src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \ src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \ src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \ src/hashes/chc/chc.o src/hashes/helper/hash_file.o src/hashes/helper/hash_filehandle.o \ src/hashes/helper/hash_memory.o src/hashes/helper/hash_memory_multi.o src/hashes/md2.o src/hashes/md4.o \ -src/hashes/md5.o src/hashes/rmd128.o src/hashes/rmd160.o src/hashes/sha1.o src/hashes/sha2/sha256.o \ -src/hashes/sha2/sha512.o src/hashes/tiger.o src/hashes/whirl/whirl.o src/mac/hmac/hmac_done.o \ -src/mac/hmac/hmac_file.o src/mac/hmac/hmac_init.o src/mac/hmac/hmac_memory.o \ +src/hashes/md5.o src/hashes/rmd128.o src/hashes/rmd160.o src/hashes/rmd256.o src/hashes/rmd320.o \ +src/hashes/sha1.o src/hashes/sha2/sha256.o src/hashes/sha2/sha512.o src/hashes/tiger.o \ +src/hashes/whirl/whirl.o src/mac/f9/f9_done.o src/mac/f9/f9_file.o src/mac/f9/f9_init.o \ +src/mac/f9/f9_memory.o src/mac/f9/f9_memory_multi.o src/mac/f9/f9_process.o src/mac/f9/f9_test.o \ +src/mac/hmac/hmac_done.o src/mac/hmac/hmac_file.o src/mac/hmac/hmac_init.o src/mac/hmac/hmac_memory.o \ src/mac/hmac/hmac_memory_multi.o src/mac/hmac/hmac_process.o src/mac/hmac/hmac_test.o \ src/mac/omac/omac_done.o src/mac/omac/omac_file.o src/mac/omac/omac_init.o src/mac/omac/omac_memory.o \ src/mac/omac/omac_memory_multi.o src/mac/omac/omac_process.o src/mac/omac/omac_test.o \ src/mac/pelican/pelican.o src/mac/pelican/pelican_memory.o src/mac/pelican/pelican_test.o \ src/mac/pmac/pmac_done.o src/mac/pmac/pmac_file.o src/mac/pmac/pmac_init.o src/mac/pmac/pmac_memory.o \ src/mac/pmac/pmac_memory_multi.o src/mac/pmac/pmac_ntz.o src/mac/pmac/pmac_process.o \ -src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/math/fp/ltc_ecc_fp_mulmod.o \ -src/math/gmp_desc.o src/math/ltm_desc.o src/math/multi.o src/math/rand_prime.o src/math/tfm_desc.o \ -src/misc/base64/base64_decode.o src/misc/base64/base64_encode.o src/misc/burn_stack.o \ -src/misc/crypt/crypt.o src/misc/crypt/crypt_argchk.o src/misc/crypt/crypt_cipher_descriptor.o \ +src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/mac/xcbc/xcbc_done.o \ +src/mac/xcbc/xcbc_file.o src/mac/xcbc/xcbc_init.o src/mac/xcbc/xcbc_memory.o \ +src/mac/xcbc/xcbc_memory_multi.o src/mac/xcbc/xcbc_process.o src/mac/xcbc/xcbc_test.o \ +src/math/fp/ltc_ecc_fp_mulmod.o src/math/gmp_desc.o src/math/ltm_desc.o src/math/multi.o \ +src/math/rand_prime.o src/math/tfm_desc.o src/misc/base64/base64_decode.o \ +src/misc/base64/base64_encode.o src/misc/burn_stack.o src/misc/crypt/crypt.o \ +src/misc/crypt/crypt_argchk.o src/misc/crypt/crypt_cipher_descriptor.o \ src/misc/crypt/crypt_cipher_is_valid.o src/misc/crypt/crypt_find_cipher.o \ src/misc/crypt/crypt_find_cipher_any.o src/misc/crypt/crypt_find_cipher_id.o \ src/misc/crypt/crypt_find_hash.o src/misc/crypt/crypt_find_hash_any.o \ src/misc/crypt/crypt_find_hash_id.o src/misc/crypt/crypt_find_hash_oid.o \ -src/misc/crypt/crypt_find_prng.o src/misc/crypt/crypt_hash_descriptor.o \ +src/misc/crypt/crypt_find_prng.o src/misc/crypt/crypt_fsa.o src/misc/crypt/crypt_hash_descriptor.o \ src/misc/crypt/crypt_hash_is_valid.o src/misc/crypt/crypt_ltc_mp_descriptor.o \ src/misc/crypt/crypt_prng_descriptor.o src/misc/crypt/crypt_prng_is_valid.o \ src/misc/crypt/crypt_register_cipher.o src/misc/crypt/crypt_register_hash.o \ @@ -148,7 +154,7 @@ src/modes/cbc/cbc_getiv.o src/modes/cbc/cbc_setiv.o src/modes/cbc/cbc_start.o \ src/modes/cfb/cfb_decrypt.o src/modes/cfb/cfb_done.o src/modes/cfb/cfb_encrypt.o \ src/modes/cfb/cfb_getiv.o src/modes/cfb/cfb_setiv.o src/modes/cfb/cfb_start.o \ src/modes/ctr/ctr_decrypt.o src/modes/ctr/ctr_done.o src/modes/ctr/ctr_encrypt.o \ -src/modes/ctr/ctr_getiv.o src/modes/ctr/ctr_setiv.o src/modes/ctr/ctr_start.o \ +src/modes/ctr/ctr_getiv.o src/modes/ctr/ctr_setiv.o src/modes/ctr/ctr_start.o src/modes/ctr/ctr_test.o \ src/modes/ecb/ecb_decrypt.o src/modes/ecb/ecb_done.o src/modes/ecb/ecb_encrypt.o \ src/modes/ecb/ecb_start.o src/modes/f8/f8_decrypt.o src/modes/f8/f8_done.o src/modes/f8/f8_encrypt.o \ src/modes/f8/f8_getiv.o src/modes/f8/f8_setiv.o src/modes/f8/f8_start.o src/modes/f8/f8_test_mode.o \ @@ -184,21 +190,23 @@ src/pk/asn1/der/utctime/der_encode_utctime.o src/pk/asn1/der/utctime/der_length_ src/pk/dsa/dsa_decrypt_key.o src/pk/dsa/dsa_encrypt_key.o src/pk/dsa/dsa_export.o src/pk/dsa/dsa_free.o \ src/pk/dsa/dsa_import.o src/pk/dsa/dsa_make_key.o src/pk/dsa/dsa_shared_secret.o \ src/pk/dsa/dsa_sign_hash.o src/pk/dsa/dsa_verify_hash.o src/pk/dsa/dsa_verify_key.o src/pk/ecc/ecc.o \ -src/pk/ecc/ecc_decrypt_key.o src/pk/ecc/ecc_encrypt_key.o src/pk/ecc/ecc_export.o src/pk/ecc/ecc_free.o \ -src/pk/ecc/ecc_get_size.o src/pk/ecc/ecc_import.o src/pk/ecc/ecc_make_key.o \ -src/pk/ecc/ecc_shared_secret.o src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_test.o \ -src/pk/ecc/ecc_verify_hash.o src/pk/ecc/ltc_ecc_is_valid_idx.o src/pk/ecc/ltc_ecc_map.o \ -src/pk/ecc/ltc_ecc_mulmod.o src/pk/ecc/ltc_ecc_mulmod_timing.o src/pk/ecc/ltc_ecc_points.o \ +src/pk/ecc/ecc_ansi_x963_export.o src/pk/ecc/ecc_ansi_x963_import.o src/pk/ecc/ecc_decrypt_key.o \ +src/pk/ecc/ecc_encrypt_key.o src/pk/ecc/ecc_export.o src/pk/ecc/ecc_free.o src/pk/ecc/ecc_get_size.o \ +src/pk/ecc/ecc_import.o src/pk/ecc/ecc_make_key.o src/pk/ecc/ecc_shared_secret.o \ +src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_test.o src/pk/ecc/ecc_verify_hash.o \ +src/pk/ecc/ltc_ecc_is_valid_idx.o src/pk/ecc/ltc_ecc_map.o src/pk/ecc/ltc_ecc_mulmod.o \ +src/pk/ecc/ltc_ecc_mulmod_timing.o src/pk/ecc/ltc_ecc_points.o \ src/pk/ecc/ltc_ecc_projective_add_point.o src/pk/ecc/ltc_ecc_projective_dbl_point.o \ src/pk/katja/katja_decrypt_key.o src/pk/katja/katja_encrypt_key.o src/pk/katja/katja_export.o \ src/pk/katja/katja_exptmod.o src/pk/katja/katja_free.o src/pk/katja/katja_import.o \ src/pk/katja/katja_make_key.o src/pk/pkcs1/pkcs_1_i2osp.o src/pk/pkcs1/pkcs_1_mgf1.o \ src/pk/pkcs1/pkcs_1_oaep_decode.o src/pk/pkcs1/pkcs_1_oaep_encode.o src/pk/pkcs1/pkcs_1_os2ip.o \ -src/pk/pkcs1/pkcs_1_pss_decode.o src/pk/pkcs1/pkcs_1_pss_encode.o src/pk/rsa/rsa_decrypt_key.o \ -src/pk/rsa/rsa_encrypt_key.o src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o \ -src/pk/rsa/rsa_import.o src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_sign_hash.o \ -src/pk/rsa/rsa_verify_hash.o src/prngs/fortuna.o src/prngs/rc4.o src/prngs/rng_get_bytes.o \ -src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o src/prngs/yarrow.o +src/pk/pkcs1/pkcs_1_pss_decode.o src/pk/pkcs1/pkcs_1_pss_encode.o src/pk/pkcs1/pkcs_1_v1_5_decode.o \ +src/pk/pkcs1/pkcs_1_v1_5_encode.o src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_encrypt_key.o \ +src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_import.o \ +src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_sign_hash.o src/pk/rsa/rsa_verify_hash.o src/prngs/fortuna.o \ +src/prngs/rc4.o src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o \ +src/prngs/sprng.o src/prngs/yarrow.o HEADERS=src/headers/tomcrypt_cfg.h src/headers/tomcrypt_mac.h src/headers/tomcrypt_macros.h \ src/headers/tomcrypt_custom.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cipher.h \ @@ -338,6 +346,7 @@ docs: crypt.tex latex crypt > /dev/null latex crypt > /dev/null makeindex crypt.idx > /dev/null + perl fixupind.pl latex crypt > /dev/null dvipdf crypt mv -ivf crypt.pdf doc/crypt.pdf @@ -348,6 +357,8 @@ docdvi: crypt.tex latex crypt > /dev/null latex crypt > /dev/null makeindex crypt.idx + perl fixupind.pl + latex crypt > /dev/null latex crypt > /dev/null #zipup the project (take that!) @@ -367,5 +378,5 @@ zipup: no_oops docs # $Source: /cvs/libtom/libtomcrypt/makefile,v $ -# $Revision: 1.127 $ -# $Date: 2006/06/29 01:59:34 $ +# $Revision: 1.142 $ +# $Date: 2006/11/08 22:38:16 $ diff --git a/makefile.icc b/makefile.icc index 9fd0928..8e1d7d2 100644 --- a/makefile.icc +++ b/makefile.icc @@ -95,40 +95,46 @@ endif #List of objects to compile. #START_INS OBJECTS=src/ciphers/aes/aes_enc.o src/ciphers/aes/aes.o src/ciphers/anubis.o src/ciphers/blowfish.o \ -src/ciphers/cast5.o src/ciphers/des.o src/ciphers/khazad.o src/ciphers/noekeon.o src/ciphers/rc2.o \ -src/ciphers/rc5.o src/ciphers/rc6.o src/ciphers/safer/safer.o src/ciphers/safer/safer_tab.o \ -src/ciphers/safer/saferp.o src/ciphers/skipjack.o src/ciphers/twofish/twofish.o src/ciphers/xtea.o \ -src/encauth/ccm/ccm_memory.o src/encauth/ccm/ccm_test.o src/encauth/eax/eax_addheader.o \ -src/encauth/eax/eax_decrypt.o src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o \ -src/encauth/eax/eax_encrypt.o src/encauth/eax/eax_encrypt_authenticate_memory.o \ -src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o \ -src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \ -src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \ -src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \ -src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \ -src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \ +src/ciphers/cast5.o src/ciphers/des.o src/ciphers/kasumi.o src/ciphers/khazad.o src/ciphers/kseed.o \ +src/ciphers/noekeon.o src/ciphers/rc2.o src/ciphers/rc5.o src/ciphers/rc6.o src/ciphers/safer/safer.o \ +src/ciphers/safer/safer_tab.o src/ciphers/safer/saferp.o src/ciphers/skipjack.o \ +src/ciphers/twofish/twofish.o src/ciphers/xtea.o src/encauth/ccm/ccm_memory.o \ +src/encauth/ccm/ccm_test.o src/encauth/eax/eax_addheader.o src/encauth/eax/eax_decrypt.o \ +src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o src/encauth/eax/eax_encrypt.o \ +src/encauth/eax/eax_encrypt_authenticate_memory.o src/encauth/eax/eax_init.o \ +src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o src/encauth/gcm/gcm_add_iv.o \ +src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o src/encauth/gcm/gcm_init.o \ +src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o src/encauth/gcm/gcm_process.o \ +src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o src/encauth/ocb/ocb_decrypt.o \ +src/encauth/ocb/ocb_decrypt_verify_memory.o src/encauth/ocb/ocb_done_decrypt.o \ +src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \ src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \ src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \ src/hashes/chc/chc.o src/hashes/helper/hash_file.o src/hashes/helper/hash_filehandle.o \ src/hashes/helper/hash_memory.o src/hashes/helper/hash_memory_multi.o src/hashes/md2.o src/hashes/md4.o \ -src/hashes/md5.o src/hashes/rmd128.o src/hashes/rmd160.o src/hashes/sha1.o src/hashes/sha2/sha256.o \ -src/hashes/sha2/sha512.o src/hashes/tiger.o src/hashes/whirl/whirl.o src/mac/hmac/hmac_done.o \ -src/mac/hmac/hmac_file.o src/mac/hmac/hmac_init.o src/mac/hmac/hmac_memory.o \ +src/hashes/md5.o src/hashes/rmd128.o src/hashes/rmd160.o src/hashes/rmd256.o src/hashes/rmd320.o \ +src/hashes/sha1.o src/hashes/sha2/sha256.o src/hashes/sha2/sha512.o src/hashes/tiger.o \ +src/hashes/whirl/whirl.o src/mac/f9/f9_done.o src/mac/f9/f9_file.o src/mac/f9/f9_init.o \ +src/mac/f9/f9_memory.o src/mac/f9/f9_memory_multi.o src/mac/f9/f9_process.o src/mac/f9/f9_test.o \ +src/mac/hmac/hmac_done.o src/mac/hmac/hmac_file.o src/mac/hmac/hmac_init.o src/mac/hmac/hmac_memory.o \ src/mac/hmac/hmac_memory_multi.o src/mac/hmac/hmac_process.o src/mac/hmac/hmac_test.o \ src/mac/omac/omac_done.o src/mac/omac/omac_file.o src/mac/omac/omac_init.o src/mac/omac/omac_memory.o \ src/mac/omac/omac_memory_multi.o src/mac/omac/omac_process.o src/mac/omac/omac_test.o \ src/mac/pelican/pelican.o src/mac/pelican/pelican_memory.o src/mac/pelican/pelican_test.o \ src/mac/pmac/pmac_done.o src/mac/pmac/pmac_file.o src/mac/pmac/pmac_init.o src/mac/pmac/pmac_memory.o \ src/mac/pmac/pmac_memory_multi.o src/mac/pmac/pmac_ntz.o src/mac/pmac/pmac_process.o \ -src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/math/fp/ltc_ecc_fp_mulmod.o \ -src/math/gmp_desc.o src/math/ltm_desc.o src/math/multi.o src/math/rand_prime.o src/math/tfm_desc.o \ -src/misc/base64/base64_decode.o src/misc/base64/base64_encode.o src/misc/burn_stack.o \ -src/misc/crypt/crypt.o src/misc/crypt/crypt_argchk.o src/misc/crypt/crypt_cipher_descriptor.o \ +src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/mac/xcbc/xcbc_done.o \ +src/mac/xcbc/xcbc_file.o src/mac/xcbc/xcbc_init.o src/mac/xcbc/xcbc_memory.o \ +src/mac/xcbc/xcbc_memory_multi.o src/mac/xcbc/xcbc_process.o src/mac/xcbc/xcbc_test.o \ +src/math/fp/ltc_ecc_fp_mulmod.o src/math/gmp_desc.o src/math/ltm_desc.o src/math/multi.o \ +src/math/rand_prime.o src/math/tfm_desc.o src/misc/base64/base64_decode.o \ +src/misc/base64/base64_encode.o src/misc/burn_stack.o src/misc/crypt/crypt.o \ +src/misc/crypt/crypt_argchk.o src/misc/crypt/crypt_cipher_descriptor.o \ src/misc/crypt/crypt_cipher_is_valid.o src/misc/crypt/crypt_find_cipher.o \ src/misc/crypt/crypt_find_cipher_any.o src/misc/crypt/crypt_find_cipher_id.o \ src/misc/crypt/crypt_find_hash.o src/misc/crypt/crypt_find_hash_any.o \ src/misc/crypt/crypt_find_hash_id.o src/misc/crypt/crypt_find_hash_oid.o \ -src/misc/crypt/crypt_find_prng.o src/misc/crypt/crypt_hash_descriptor.o \ +src/misc/crypt/crypt_find_prng.o src/misc/crypt/crypt_fsa.o src/misc/crypt/crypt_hash_descriptor.o \ src/misc/crypt/crypt_hash_is_valid.o src/misc/crypt/crypt_ltc_mp_descriptor.o \ src/misc/crypt/crypt_prng_descriptor.o src/misc/crypt/crypt_prng_is_valid.o \ src/misc/crypt/crypt_register_cipher.o src/misc/crypt/crypt_register_hash.o \ @@ -140,7 +146,7 @@ src/modes/cbc/cbc_getiv.o src/modes/cbc/cbc_setiv.o src/modes/cbc/cbc_start.o \ src/modes/cfb/cfb_decrypt.o src/modes/cfb/cfb_done.o src/modes/cfb/cfb_encrypt.o \ src/modes/cfb/cfb_getiv.o src/modes/cfb/cfb_setiv.o src/modes/cfb/cfb_start.o \ src/modes/ctr/ctr_decrypt.o src/modes/ctr/ctr_done.o src/modes/ctr/ctr_encrypt.o \ -src/modes/ctr/ctr_getiv.o src/modes/ctr/ctr_setiv.o src/modes/ctr/ctr_start.o \ +src/modes/ctr/ctr_getiv.o src/modes/ctr/ctr_setiv.o src/modes/ctr/ctr_start.o src/modes/ctr/ctr_test.o \ src/modes/ecb/ecb_decrypt.o src/modes/ecb/ecb_done.o src/modes/ecb/ecb_encrypt.o \ src/modes/ecb/ecb_start.o src/modes/f8/f8_decrypt.o src/modes/f8/f8_done.o src/modes/f8/f8_encrypt.o \ src/modes/f8/f8_getiv.o src/modes/f8/f8_setiv.o src/modes/f8/f8_start.o src/modes/f8/f8_test_mode.o \ @@ -176,21 +182,23 @@ src/pk/asn1/der/utctime/der_encode_utctime.o src/pk/asn1/der/utctime/der_length_ src/pk/dsa/dsa_decrypt_key.o src/pk/dsa/dsa_encrypt_key.o src/pk/dsa/dsa_export.o src/pk/dsa/dsa_free.o \ src/pk/dsa/dsa_import.o src/pk/dsa/dsa_make_key.o src/pk/dsa/dsa_shared_secret.o \ src/pk/dsa/dsa_sign_hash.o src/pk/dsa/dsa_verify_hash.o src/pk/dsa/dsa_verify_key.o src/pk/ecc/ecc.o \ -src/pk/ecc/ecc_decrypt_key.o src/pk/ecc/ecc_encrypt_key.o src/pk/ecc/ecc_export.o src/pk/ecc/ecc_free.o \ -src/pk/ecc/ecc_get_size.o src/pk/ecc/ecc_import.o src/pk/ecc/ecc_make_key.o \ -src/pk/ecc/ecc_shared_secret.o src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_test.o \ -src/pk/ecc/ecc_verify_hash.o src/pk/ecc/ltc_ecc_is_valid_idx.o src/pk/ecc/ltc_ecc_map.o \ -src/pk/ecc/ltc_ecc_mulmod.o src/pk/ecc/ltc_ecc_mulmod_timing.o src/pk/ecc/ltc_ecc_points.o \ +src/pk/ecc/ecc_ansi_x963_export.o src/pk/ecc/ecc_ansi_x963_import.o src/pk/ecc/ecc_decrypt_key.o \ +src/pk/ecc/ecc_encrypt_key.o src/pk/ecc/ecc_export.o src/pk/ecc/ecc_free.o src/pk/ecc/ecc_get_size.o \ +src/pk/ecc/ecc_import.o src/pk/ecc/ecc_make_key.o src/pk/ecc/ecc_shared_secret.o \ +src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_test.o src/pk/ecc/ecc_verify_hash.o \ +src/pk/ecc/ltc_ecc_is_valid_idx.o src/pk/ecc/ltc_ecc_map.o src/pk/ecc/ltc_ecc_mulmod.o \ +src/pk/ecc/ltc_ecc_mulmod_timing.o src/pk/ecc/ltc_ecc_points.o \ src/pk/ecc/ltc_ecc_projective_add_point.o src/pk/ecc/ltc_ecc_projective_dbl_point.o \ src/pk/katja/katja_decrypt_key.o src/pk/katja/katja_encrypt_key.o src/pk/katja/katja_export.o \ src/pk/katja/katja_exptmod.o src/pk/katja/katja_free.o src/pk/katja/katja_import.o \ src/pk/katja/katja_make_key.o src/pk/pkcs1/pkcs_1_i2osp.o src/pk/pkcs1/pkcs_1_mgf1.o \ src/pk/pkcs1/pkcs_1_oaep_decode.o src/pk/pkcs1/pkcs_1_oaep_encode.o src/pk/pkcs1/pkcs_1_os2ip.o \ -src/pk/pkcs1/pkcs_1_pss_decode.o src/pk/pkcs1/pkcs_1_pss_encode.o src/pk/rsa/rsa_decrypt_key.o \ -src/pk/rsa/rsa_encrypt_key.o src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o \ -src/pk/rsa/rsa_import.o src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_sign_hash.o \ -src/pk/rsa/rsa_verify_hash.o src/prngs/fortuna.o src/prngs/rc4.o src/prngs/rng_get_bytes.o \ -src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o src/prngs/yarrow.o +src/pk/pkcs1/pkcs_1_pss_decode.o src/pk/pkcs1/pkcs_1_pss_encode.o src/pk/pkcs1/pkcs_1_v1_5_decode.o \ +src/pk/pkcs1/pkcs_1_v1_5_encode.o src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_encrypt_key.o \ +src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_import.o \ +src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_sign_hash.o src/pk/rsa/rsa_verify_hash.o src/prngs/fortuna.o \ +src/prngs/rc4.o src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o \ +src/prngs/sprng.o src/prngs/yarrow.o HEADERS=src/headers/tomcrypt_cfg.h src/headers/tomcrypt_mac.h src/headers/tomcrypt_macros.h \ src/headers/tomcrypt_custom.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cipher.h \ @@ -277,6 +285,6 @@ install: library install -g $(GROUP) -o $(USER) $(HEADERS) $(DESTDIR)$(INCPATH) # $Source: /cvs/libtom/libtomcrypt/makefile.icc,v $ -# $Revision: 1.58 $ -# $Date: 2006/06/16 23:52:08 $ +# $Revision: 1.71 $ +# $Date: 2006/11/08 22:38:16 $ diff --git a/makefile.msvc b/makefile.msvc index fa310e0..85831cf 100644 --- a/makefile.msvc +++ b/makefile.msvc @@ -5,40 +5,46 @@ CFLAGS = /Isrc/headers/ /Itestprof/ /Ox /DWIN32 /DLTC_SOURCE /W3 /Fo$@ $(CF) #START_INS OBJECTS=src/ciphers/aes/aes_enc.obj src/ciphers/aes/aes.obj src/ciphers/anubis.obj src/ciphers/blowfish.obj \ -src/ciphers/cast5.obj src/ciphers/des.obj src/ciphers/khazad.obj src/ciphers/noekeon.obj src/ciphers/rc2.obj \ -src/ciphers/rc5.obj src/ciphers/rc6.obj src/ciphers/safer/safer.obj src/ciphers/safer/safer_tab.obj \ -src/ciphers/safer/saferp.obj src/ciphers/skipjack.obj src/ciphers/twofish/twofish.obj src/ciphers/xtea.obj \ -src/encauth/ccm/ccm_memory.obj src/encauth/ccm/ccm_test.obj src/encauth/eax/eax_addheader.obj \ -src/encauth/eax/eax_decrypt.obj src/encauth/eax/eax_decrypt_verify_memory.obj src/encauth/eax/eax_done.obj \ -src/encauth/eax/eax_encrypt.obj src/encauth/eax/eax_encrypt_authenticate_memory.obj \ -src/encauth/eax/eax_init.obj src/encauth/eax/eax_test.obj src/encauth/gcm/gcm_add_aad.obj \ -src/encauth/gcm/gcm_add_iv.obj src/encauth/gcm/gcm_done.obj src/encauth/gcm/gcm_gf_mult.obj \ -src/encauth/gcm/gcm_init.obj src/encauth/gcm/gcm_memory.obj src/encauth/gcm/gcm_mult_h.obj \ -src/encauth/gcm/gcm_process.obj src/encauth/gcm/gcm_reset.obj src/encauth/gcm/gcm_test.obj \ -src/encauth/ocb/ocb_decrypt.obj src/encauth/ocb/ocb_decrypt_verify_memory.obj \ -src/encauth/ocb/ocb_done_decrypt.obj src/encauth/ocb/ocb_done_encrypt.obj src/encauth/ocb/ocb_encrypt.obj \ +src/ciphers/cast5.obj src/ciphers/des.obj src/ciphers/kasumi.obj src/ciphers/khazad.obj src/ciphers/kseed.obj \ +src/ciphers/noekeon.obj src/ciphers/rc2.obj src/ciphers/rc5.obj src/ciphers/rc6.obj src/ciphers/safer/safer.obj \ +src/ciphers/safer/safer_tab.obj src/ciphers/safer/saferp.obj src/ciphers/skipjack.obj \ +src/ciphers/twofish/twofish.obj src/ciphers/xtea.obj src/encauth/ccm/ccm_memory.obj \ +src/encauth/ccm/ccm_test.obj src/encauth/eax/eax_addheader.obj src/encauth/eax/eax_decrypt.obj \ +src/encauth/eax/eax_decrypt_verify_memory.obj src/encauth/eax/eax_done.obj src/encauth/eax/eax_encrypt.obj \ +src/encauth/eax/eax_encrypt_authenticate_memory.obj src/encauth/eax/eax_init.obj \ +src/encauth/eax/eax_test.obj src/encauth/gcm/gcm_add_aad.obj src/encauth/gcm/gcm_add_iv.obj \ +src/encauth/gcm/gcm_done.obj src/encauth/gcm/gcm_gf_mult.obj src/encauth/gcm/gcm_init.obj \ +src/encauth/gcm/gcm_memory.obj src/encauth/gcm/gcm_mult_h.obj src/encauth/gcm/gcm_process.obj \ +src/encauth/gcm/gcm_reset.obj src/encauth/gcm/gcm_test.obj src/encauth/ocb/ocb_decrypt.obj \ +src/encauth/ocb/ocb_decrypt_verify_memory.obj src/encauth/ocb/ocb_done_decrypt.obj \ +src/encauth/ocb/ocb_done_encrypt.obj src/encauth/ocb/ocb_encrypt.obj \ src/encauth/ocb/ocb_encrypt_authenticate_memory.obj src/encauth/ocb/ocb_init.obj src/encauth/ocb/ocb_ntz.obj \ src/encauth/ocb/ocb_shift_xor.obj src/encauth/ocb/ocb_test.obj src/encauth/ocb/s_ocb_done.obj \ src/hashes/chc/chc.obj src/hashes/helper/hash_file.obj src/hashes/helper/hash_filehandle.obj \ src/hashes/helper/hash_memory.obj src/hashes/helper/hash_memory_multi.obj src/hashes/md2.obj src/hashes/md4.obj \ -src/hashes/md5.obj src/hashes/rmd128.obj src/hashes/rmd160.obj src/hashes/sha1.obj src/hashes/sha2/sha256.obj \ -src/hashes/sha2/sha512.obj src/hashes/tiger.obj src/hashes/whirl/whirl.obj src/mac/hmac/hmac_done.obj \ -src/mac/hmac/hmac_file.obj src/mac/hmac/hmac_init.obj src/mac/hmac/hmac_memory.obj \ +src/hashes/md5.obj src/hashes/rmd128.obj src/hashes/rmd160.obj src/hashes/rmd256.obj src/hashes/rmd320.obj \ +src/hashes/sha1.obj src/hashes/sha2/sha256.obj src/hashes/sha2/sha512.obj src/hashes/tiger.obj \ +src/hashes/whirl/whirl.obj src/mac/f9/f9_done.obj src/mac/f9/f9_file.obj src/mac/f9/f9_init.obj \ +src/mac/f9/f9_memory.obj src/mac/f9/f9_memory_multi.obj src/mac/f9/f9_process.obj src/mac/f9/f9_test.obj \ +src/mac/hmac/hmac_done.obj src/mac/hmac/hmac_file.obj src/mac/hmac/hmac_init.obj src/mac/hmac/hmac_memory.obj \ src/mac/hmac/hmac_memory_multi.obj src/mac/hmac/hmac_process.obj src/mac/hmac/hmac_test.obj \ src/mac/omac/omac_done.obj src/mac/omac/omac_file.obj src/mac/omac/omac_init.obj src/mac/omac/omac_memory.obj \ src/mac/omac/omac_memory_multi.obj src/mac/omac/omac_process.obj src/mac/omac/omac_test.obj \ src/mac/pelican/pelican.obj src/mac/pelican/pelican_memory.obj src/mac/pelican/pelican_test.obj \ src/mac/pmac/pmac_done.obj src/mac/pmac/pmac_file.obj src/mac/pmac/pmac_init.obj src/mac/pmac/pmac_memory.obj \ src/mac/pmac/pmac_memory_multi.obj src/mac/pmac/pmac_ntz.obj src/mac/pmac/pmac_process.obj \ -src/mac/pmac/pmac_shift_xor.obj src/mac/pmac/pmac_test.obj src/math/fp/ltc_ecc_fp_mulmod.obj \ -src/math/gmp_desc.obj src/math/ltm_desc.obj src/math/multi.obj src/math/rand_prime.obj src/math/tfm_desc.obj \ -src/misc/base64/base64_decode.obj src/misc/base64/base64_encode.obj src/misc/burn_stack.obj \ -src/misc/crypt/crypt.obj src/misc/crypt/crypt_argchk.obj src/misc/crypt/crypt_cipher_descriptor.obj \ +src/mac/pmac/pmac_shift_xor.obj src/mac/pmac/pmac_test.obj src/mac/xcbc/xcbc_done.obj \ +src/mac/xcbc/xcbc_file.obj src/mac/xcbc/xcbc_init.obj src/mac/xcbc/xcbc_memory.obj \ +src/mac/xcbc/xcbc_memory_multi.obj src/mac/xcbc/xcbc_process.obj src/mac/xcbc/xcbc_test.obj \ +src/math/fp/ltc_ecc_fp_mulmod.obj src/math/gmp_desc.obj src/math/ltm_desc.obj src/math/multi.obj \ +src/math/rand_prime.obj src/math/tfm_desc.obj src/misc/base64/base64_decode.obj \ +src/misc/base64/base64_encode.obj src/misc/burn_stack.obj src/misc/crypt/crypt.obj \ +src/misc/crypt/crypt_argchk.obj src/misc/crypt/crypt_cipher_descriptor.obj \ src/misc/crypt/crypt_cipher_is_valid.obj src/misc/crypt/crypt_find_cipher.obj \ src/misc/crypt/crypt_find_cipher_any.obj src/misc/crypt/crypt_find_cipher_id.obj \ src/misc/crypt/crypt_find_hash.obj src/misc/crypt/crypt_find_hash_any.obj \ src/misc/crypt/crypt_find_hash_id.obj src/misc/crypt/crypt_find_hash_oid.obj \ -src/misc/crypt/crypt_find_prng.obj src/misc/crypt/crypt_hash_descriptor.obj \ +src/misc/crypt/crypt_find_prng.obj src/misc/crypt/crypt_fsa.obj src/misc/crypt/crypt_hash_descriptor.obj \ src/misc/crypt/crypt_hash_is_valid.obj src/misc/crypt/crypt_ltc_mp_descriptor.obj \ src/misc/crypt/crypt_prng_descriptor.obj src/misc/crypt/crypt_prng_is_valid.obj \ src/misc/crypt/crypt_register_cipher.obj src/misc/crypt/crypt_register_hash.obj \ @@ -50,7 +56,7 @@ src/modes/cbc/cbc_getiv.obj src/modes/cbc/cbc_setiv.obj src/modes/cbc/cbc_start. src/modes/cfb/cfb_decrypt.obj src/modes/cfb/cfb_done.obj src/modes/cfb/cfb_encrypt.obj \ src/modes/cfb/cfb_getiv.obj src/modes/cfb/cfb_setiv.obj src/modes/cfb/cfb_start.obj \ src/modes/ctr/ctr_decrypt.obj src/modes/ctr/ctr_done.obj src/modes/ctr/ctr_encrypt.obj \ -src/modes/ctr/ctr_getiv.obj src/modes/ctr/ctr_setiv.obj src/modes/ctr/ctr_start.obj \ +src/modes/ctr/ctr_getiv.obj src/modes/ctr/ctr_setiv.obj src/modes/ctr/ctr_start.obj src/modes/ctr/ctr_test.obj \ src/modes/ecb/ecb_decrypt.obj src/modes/ecb/ecb_done.obj src/modes/ecb/ecb_encrypt.obj \ src/modes/ecb/ecb_start.obj src/modes/f8/f8_decrypt.obj src/modes/f8/f8_done.obj src/modes/f8/f8_encrypt.obj \ src/modes/f8/f8_getiv.obj src/modes/f8/f8_setiv.obj src/modes/f8/f8_start.obj src/modes/f8/f8_test_mode.obj \ @@ -86,21 +92,23 @@ src/pk/asn1/der/utctime/der_encode_utctime.obj src/pk/asn1/der/utctime/der_lengt src/pk/dsa/dsa_decrypt_key.obj src/pk/dsa/dsa_encrypt_key.obj src/pk/dsa/dsa_export.obj src/pk/dsa/dsa_free.obj \ src/pk/dsa/dsa_import.obj src/pk/dsa/dsa_make_key.obj src/pk/dsa/dsa_shared_secret.obj \ src/pk/dsa/dsa_sign_hash.obj src/pk/dsa/dsa_verify_hash.obj src/pk/dsa/dsa_verify_key.obj src/pk/ecc/ecc.obj \ -src/pk/ecc/ecc_decrypt_key.obj src/pk/ecc/ecc_encrypt_key.obj src/pk/ecc/ecc_export.obj src/pk/ecc/ecc_free.obj \ -src/pk/ecc/ecc_get_size.obj src/pk/ecc/ecc_import.obj src/pk/ecc/ecc_make_key.obj \ -src/pk/ecc/ecc_shared_secret.obj src/pk/ecc/ecc_sign_hash.obj src/pk/ecc/ecc_sizes.obj src/pk/ecc/ecc_test.obj \ -src/pk/ecc/ecc_verify_hash.obj src/pk/ecc/ltc_ecc_is_valid_idx.obj src/pk/ecc/ltc_ecc_map.obj \ -src/pk/ecc/ltc_ecc_mulmod.obj src/pk/ecc/ltc_ecc_mulmod_timing.obj src/pk/ecc/ltc_ecc_points.obj \ +src/pk/ecc/ecc_ansi_x963_export.obj src/pk/ecc/ecc_ansi_x963_import.obj src/pk/ecc/ecc_decrypt_key.obj \ +src/pk/ecc/ecc_encrypt_key.obj src/pk/ecc/ecc_export.obj src/pk/ecc/ecc_free.obj src/pk/ecc/ecc_get_size.obj \ +src/pk/ecc/ecc_import.obj src/pk/ecc/ecc_make_key.obj src/pk/ecc/ecc_shared_secret.obj \ +src/pk/ecc/ecc_sign_hash.obj src/pk/ecc/ecc_sizes.obj src/pk/ecc/ecc_test.obj src/pk/ecc/ecc_verify_hash.obj \ +src/pk/ecc/ltc_ecc_is_valid_idx.obj src/pk/ecc/ltc_ecc_map.obj src/pk/ecc/ltc_ecc_mulmod.obj \ +src/pk/ecc/ltc_ecc_mulmod_timing.obj src/pk/ecc/ltc_ecc_points.obj \ src/pk/ecc/ltc_ecc_projective_add_point.obj src/pk/ecc/ltc_ecc_projective_dbl_point.obj \ src/pk/katja/katja_decrypt_key.obj src/pk/katja/katja_encrypt_key.obj src/pk/katja/katja_export.obj \ src/pk/katja/katja_exptmod.obj src/pk/katja/katja_free.obj src/pk/katja/katja_import.obj \ src/pk/katja/katja_make_key.obj src/pk/pkcs1/pkcs_1_i2osp.obj src/pk/pkcs1/pkcs_1_mgf1.obj \ src/pk/pkcs1/pkcs_1_oaep_decode.obj src/pk/pkcs1/pkcs_1_oaep_encode.obj src/pk/pkcs1/pkcs_1_os2ip.obj \ -src/pk/pkcs1/pkcs_1_pss_decode.obj src/pk/pkcs1/pkcs_1_pss_encode.obj src/pk/rsa/rsa_decrypt_key.obj \ -src/pk/rsa/rsa_encrypt_key.obj src/pk/rsa/rsa_export.obj src/pk/rsa/rsa_exptmod.obj src/pk/rsa/rsa_free.obj \ -src/pk/rsa/rsa_import.obj src/pk/rsa/rsa_make_key.obj src/pk/rsa/rsa_sign_hash.obj \ -src/pk/rsa/rsa_verify_hash.obj src/prngs/fortuna.obj src/prngs/rc4.obj src/prngs/rng_get_bytes.obj \ -src/prngs/rng_make_prng.obj src/prngs/sober128.obj src/prngs/sprng.obj src/prngs/yarrow.obj +src/pk/pkcs1/pkcs_1_pss_decode.obj src/pk/pkcs1/pkcs_1_pss_encode.obj src/pk/pkcs1/pkcs_1_v1_5_decode.obj \ +src/pk/pkcs1/pkcs_1_v1_5_encode.obj src/pk/rsa/rsa_decrypt_key.obj src/pk/rsa/rsa_encrypt_key.obj \ +src/pk/rsa/rsa_export.obj src/pk/rsa/rsa_exptmod.obj src/pk/rsa/rsa_free.obj src/pk/rsa/rsa_import.obj \ +src/pk/rsa/rsa_make_key.obj src/pk/rsa/rsa_sign_hash.obj src/pk/rsa/rsa_verify_hash.obj src/prngs/fortuna.obj \ +src/prngs/rc4.obj src/prngs/rng_get_bytes.obj src/prngs/rng_make_prng.obj src/prngs/sober128.obj \ +src/prngs/sprng.obj src/prngs/yarrow.obj HEADERS=src/headers/tomcrypt_cfg.h src/headers/tomcrypt_mac.h src/headers/tomcrypt_macros.h \ src/headers/tomcrypt_custom.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cipher.h \ @@ -135,5 +143,5 @@ timing: demos/timing.c library cl $(CFLAGS) demos/timing.c testprof/tomcrypt_prof.lib tomcrypt.lib advapi32.lib $(EXTRALIBS) # $Source: /cvs/libtom/libtomcrypt/makefile.msvc,v $ -# $Revision: 1.36 $ -# $Date: 2006/06/16 23:52:08 $ +# $Revision: 1.49 $ +# $Date: 2006/11/08 22:38:16 $ diff --git a/makefile.shared b/makefile.shared index 934fd53..1c5a138 100644 --- a/makefile.shared +++ b/makefile.shared @@ -6,7 +6,7 @@ # Tom St Denis # The version -VERSION=0:114 +VERSION=0:115 # Compiler and Linker Names CC=libtool --mode=compile --tag=CC gcc @@ -100,40 +100,46 @@ endif #List of objects to compile. #START_INS OBJECTS=src/ciphers/aes/aes_enc.o src/ciphers/aes/aes.o src/ciphers/anubis.o src/ciphers/blowfish.o \ -src/ciphers/cast5.o src/ciphers/des.o src/ciphers/khazad.o src/ciphers/noekeon.o src/ciphers/rc2.o \ -src/ciphers/rc5.o src/ciphers/rc6.o src/ciphers/safer/safer.o src/ciphers/safer/safer_tab.o \ -src/ciphers/safer/saferp.o src/ciphers/skipjack.o src/ciphers/twofish/twofish.o src/ciphers/xtea.o \ -src/encauth/ccm/ccm_memory.o src/encauth/ccm/ccm_test.o src/encauth/eax/eax_addheader.o \ -src/encauth/eax/eax_decrypt.o src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o \ -src/encauth/eax/eax_encrypt.o src/encauth/eax/eax_encrypt_authenticate_memory.o \ -src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o \ -src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \ -src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \ -src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \ -src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \ -src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \ +src/ciphers/cast5.o src/ciphers/des.o src/ciphers/kasumi.o src/ciphers/khazad.o src/ciphers/kseed.o \ +src/ciphers/noekeon.o src/ciphers/rc2.o src/ciphers/rc5.o src/ciphers/rc6.o src/ciphers/safer/safer.o \ +src/ciphers/safer/safer_tab.o src/ciphers/safer/saferp.o src/ciphers/skipjack.o \ +src/ciphers/twofish/twofish.o src/ciphers/xtea.o src/encauth/ccm/ccm_memory.o \ +src/encauth/ccm/ccm_test.o src/encauth/eax/eax_addheader.o src/encauth/eax/eax_decrypt.o \ +src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o src/encauth/eax/eax_encrypt.o \ +src/encauth/eax/eax_encrypt_authenticate_memory.o src/encauth/eax/eax_init.o \ +src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o src/encauth/gcm/gcm_add_iv.o \ +src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o src/encauth/gcm/gcm_init.o \ +src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o src/encauth/gcm/gcm_process.o \ +src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o src/encauth/ocb/ocb_decrypt.o \ +src/encauth/ocb/ocb_decrypt_verify_memory.o src/encauth/ocb/ocb_done_decrypt.o \ +src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \ src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \ src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \ src/hashes/chc/chc.o src/hashes/helper/hash_file.o src/hashes/helper/hash_filehandle.o \ src/hashes/helper/hash_memory.o src/hashes/helper/hash_memory_multi.o src/hashes/md2.o src/hashes/md4.o \ -src/hashes/md5.o src/hashes/rmd128.o src/hashes/rmd160.o src/hashes/sha1.o src/hashes/sha2/sha256.o \ -src/hashes/sha2/sha512.o src/hashes/tiger.o src/hashes/whirl/whirl.o src/mac/hmac/hmac_done.o \ -src/mac/hmac/hmac_file.o src/mac/hmac/hmac_init.o src/mac/hmac/hmac_memory.o \ +src/hashes/md5.o src/hashes/rmd128.o src/hashes/rmd160.o src/hashes/rmd256.o src/hashes/rmd320.o \ +src/hashes/sha1.o src/hashes/sha2/sha256.o src/hashes/sha2/sha512.o src/hashes/tiger.o \ +src/hashes/whirl/whirl.o src/mac/f9/f9_done.o src/mac/f9/f9_file.o src/mac/f9/f9_init.o \ +src/mac/f9/f9_memory.o src/mac/f9/f9_memory_multi.o src/mac/f9/f9_process.o src/mac/f9/f9_test.o \ +src/mac/hmac/hmac_done.o src/mac/hmac/hmac_file.o src/mac/hmac/hmac_init.o src/mac/hmac/hmac_memory.o \ src/mac/hmac/hmac_memory_multi.o src/mac/hmac/hmac_process.o src/mac/hmac/hmac_test.o \ src/mac/omac/omac_done.o src/mac/omac/omac_file.o src/mac/omac/omac_init.o src/mac/omac/omac_memory.o \ src/mac/omac/omac_memory_multi.o src/mac/omac/omac_process.o src/mac/omac/omac_test.o \ src/mac/pelican/pelican.o src/mac/pelican/pelican_memory.o src/mac/pelican/pelican_test.o \ src/mac/pmac/pmac_done.o src/mac/pmac/pmac_file.o src/mac/pmac/pmac_init.o src/mac/pmac/pmac_memory.o \ src/mac/pmac/pmac_memory_multi.o src/mac/pmac/pmac_ntz.o src/mac/pmac/pmac_process.o \ -src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/math/fp/ltc_ecc_fp_mulmod.o \ -src/math/gmp_desc.o src/math/ltm_desc.o src/math/multi.o src/math/rand_prime.o src/math/tfm_desc.o \ -src/misc/base64/base64_decode.o src/misc/base64/base64_encode.o src/misc/burn_stack.o \ -src/misc/crypt/crypt.o src/misc/crypt/crypt_argchk.o src/misc/crypt/crypt_cipher_descriptor.o \ +src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/mac/xcbc/xcbc_done.o \ +src/mac/xcbc/xcbc_file.o src/mac/xcbc/xcbc_init.o src/mac/xcbc/xcbc_memory.o \ +src/mac/xcbc/xcbc_memory_multi.o src/mac/xcbc/xcbc_process.o src/mac/xcbc/xcbc_test.o \ +src/math/fp/ltc_ecc_fp_mulmod.o src/math/gmp_desc.o src/math/ltm_desc.o src/math/multi.o \ +src/math/rand_prime.o src/math/tfm_desc.o src/misc/base64/base64_decode.o \ +src/misc/base64/base64_encode.o src/misc/burn_stack.o src/misc/crypt/crypt.o \ +src/misc/crypt/crypt_argchk.o src/misc/crypt/crypt_cipher_descriptor.o \ src/misc/crypt/crypt_cipher_is_valid.o src/misc/crypt/crypt_find_cipher.o \ src/misc/crypt/crypt_find_cipher_any.o src/misc/crypt/crypt_find_cipher_id.o \ src/misc/crypt/crypt_find_hash.o src/misc/crypt/crypt_find_hash_any.o \ src/misc/crypt/crypt_find_hash_id.o src/misc/crypt/crypt_find_hash_oid.o \ -src/misc/crypt/crypt_find_prng.o src/misc/crypt/crypt_hash_descriptor.o \ +src/misc/crypt/crypt_find_prng.o src/misc/crypt/crypt_fsa.o src/misc/crypt/crypt_hash_descriptor.o \ src/misc/crypt/crypt_hash_is_valid.o src/misc/crypt/crypt_ltc_mp_descriptor.o \ src/misc/crypt/crypt_prng_descriptor.o src/misc/crypt/crypt_prng_is_valid.o \ src/misc/crypt/crypt_register_cipher.o src/misc/crypt/crypt_register_hash.o \ @@ -145,7 +151,7 @@ src/modes/cbc/cbc_getiv.o src/modes/cbc/cbc_setiv.o src/modes/cbc/cbc_start.o \ src/modes/cfb/cfb_decrypt.o src/modes/cfb/cfb_done.o src/modes/cfb/cfb_encrypt.o \ src/modes/cfb/cfb_getiv.o src/modes/cfb/cfb_setiv.o src/modes/cfb/cfb_start.o \ src/modes/ctr/ctr_decrypt.o src/modes/ctr/ctr_done.o src/modes/ctr/ctr_encrypt.o \ -src/modes/ctr/ctr_getiv.o src/modes/ctr/ctr_setiv.o src/modes/ctr/ctr_start.o \ +src/modes/ctr/ctr_getiv.o src/modes/ctr/ctr_setiv.o src/modes/ctr/ctr_start.o src/modes/ctr/ctr_test.o \ src/modes/ecb/ecb_decrypt.o src/modes/ecb/ecb_done.o src/modes/ecb/ecb_encrypt.o \ src/modes/ecb/ecb_start.o src/modes/f8/f8_decrypt.o src/modes/f8/f8_done.o src/modes/f8/f8_encrypt.o \ src/modes/f8/f8_getiv.o src/modes/f8/f8_setiv.o src/modes/f8/f8_start.o src/modes/f8/f8_test_mode.o \ @@ -181,21 +187,23 @@ src/pk/asn1/der/utctime/der_encode_utctime.o src/pk/asn1/der/utctime/der_length_ src/pk/dsa/dsa_decrypt_key.o src/pk/dsa/dsa_encrypt_key.o src/pk/dsa/dsa_export.o src/pk/dsa/dsa_free.o \ src/pk/dsa/dsa_import.o src/pk/dsa/dsa_make_key.o src/pk/dsa/dsa_shared_secret.o \ src/pk/dsa/dsa_sign_hash.o src/pk/dsa/dsa_verify_hash.o src/pk/dsa/dsa_verify_key.o src/pk/ecc/ecc.o \ -src/pk/ecc/ecc_decrypt_key.o src/pk/ecc/ecc_encrypt_key.o src/pk/ecc/ecc_export.o src/pk/ecc/ecc_free.o \ -src/pk/ecc/ecc_get_size.o src/pk/ecc/ecc_import.o src/pk/ecc/ecc_make_key.o \ -src/pk/ecc/ecc_shared_secret.o src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_test.o \ -src/pk/ecc/ecc_verify_hash.o src/pk/ecc/ltc_ecc_is_valid_idx.o src/pk/ecc/ltc_ecc_map.o \ -src/pk/ecc/ltc_ecc_mulmod.o src/pk/ecc/ltc_ecc_mulmod_timing.o src/pk/ecc/ltc_ecc_points.o \ +src/pk/ecc/ecc_ansi_x963_export.o src/pk/ecc/ecc_ansi_x963_import.o src/pk/ecc/ecc_decrypt_key.o \ +src/pk/ecc/ecc_encrypt_key.o src/pk/ecc/ecc_export.o src/pk/ecc/ecc_free.o src/pk/ecc/ecc_get_size.o \ +src/pk/ecc/ecc_import.o src/pk/ecc/ecc_make_key.o src/pk/ecc/ecc_shared_secret.o \ +src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_test.o src/pk/ecc/ecc_verify_hash.o \ +src/pk/ecc/ltc_ecc_is_valid_idx.o src/pk/ecc/ltc_ecc_map.o src/pk/ecc/ltc_ecc_mulmod.o \ +src/pk/ecc/ltc_ecc_mulmod_timing.o src/pk/ecc/ltc_ecc_points.o \ src/pk/ecc/ltc_ecc_projective_add_point.o src/pk/ecc/ltc_ecc_projective_dbl_point.o \ src/pk/katja/katja_decrypt_key.o src/pk/katja/katja_encrypt_key.o src/pk/katja/katja_export.o \ src/pk/katja/katja_exptmod.o src/pk/katja/katja_free.o src/pk/katja/katja_import.o \ src/pk/katja/katja_make_key.o src/pk/pkcs1/pkcs_1_i2osp.o src/pk/pkcs1/pkcs_1_mgf1.o \ src/pk/pkcs1/pkcs_1_oaep_decode.o src/pk/pkcs1/pkcs_1_oaep_encode.o src/pk/pkcs1/pkcs_1_os2ip.o \ -src/pk/pkcs1/pkcs_1_pss_decode.o src/pk/pkcs1/pkcs_1_pss_encode.o src/pk/rsa/rsa_decrypt_key.o \ -src/pk/rsa/rsa_encrypt_key.o src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o \ -src/pk/rsa/rsa_import.o src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_sign_hash.o \ -src/pk/rsa/rsa_verify_hash.o src/prngs/fortuna.o src/prngs/rc4.o src/prngs/rng_get_bytes.o \ -src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o src/prngs/yarrow.o +src/pk/pkcs1/pkcs_1_pss_decode.o src/pk/pkcs1/pkcs_1_pss_encode.o src/pk/pkcs1/pkcs_1_v1_5_decode.o \ +src/pk/pkcs1/pkcs_1_v1_5_encode.o src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_encrypt_key.o \ +src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_import.o \ +src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_sign_hash.o src/pk/rsa/rsa_verify_hash.o src/prngs/fortuna.o \ +src/prngs/rc4.o src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o \ +src/prngs/sprng.o src/prngs/yarrow.o HEADERS=src/headers/tomcrypt_cfg.h src/headers/tomcrypt_mac.h src/headers/tomcrypt_macros.h \ src/headers/tomcrypt_custom.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cipher.h \ @@ -265,5 +273,5 @@ timing: library testprof/$(LIBTEST) $(TIMINGS) gcc -o $(TIMING) $(TIMINGS) -ltomcrypt_prof -ltomcrypt $(EXTRALIBS) # $Source: /cvs/libtom/libtomcrypt/makefile.shared,v $ -# $Revision: 1.59 $ -# $Date: 2006/06/29 01:59:34 $ +# $Revision: 1.73 $ +# $Date: 2006/11/08 22:38:16 $ diff --git a/notes/ecc_tv.txt b/notes/ecc_tv.txt index 1e7a6cd..c61729e 100644 --- a/notes/ecc_tv.txt +++ b/notes/ecc_tv.txt @@ -1,5 +1,261 @@ ecc vectors. These are for kG for k=1,3,9,27,...,3**n until k > order of the curve outputs are triplets +ECC-112 +1, 9487239995A5EE76B55F9C2F098, A89CE5AF8724C0A23E0E0FF77500 +3, CFC1E3447FC33E5C2A7D2BF71298, 5BD6AC32F0A9E7AAB6AF722C3CB7 +9, 3F37CF870B918CD41EE58F58DF14, CEC3FA5A53FF5A372B583CE40F20 +1B, D5E45D28A47A0819F3AA3018E58, B05DB66559FB78876CF830A6ADB4 +51, 869FEFA6DE5F619CA54CA719554B, BB93E27BBC3FAD016BC369766F4A +F3, BF1784B857F668E9459714D80D75, BEE55B564CB923C7018E855A2E05 +2D9, 27067CAB2BC8C9201B1E8F1D54FE, 4A9BCE40D87B0C82EA66D645C931 +88B, 4E9974D7B890442760FE4D05FB8E, 96BF4DDF0043AB6AB78E373DF010 +19A1, 6CCE9122C482A8EDC2DE37142043, BC64E1D358F7293FC9B0C2B81D3A +4CE3, 48268EA8193D8BD0308108411368, 127A6D8E01399DD3F654F713B5AB +E6A9, 46154FB1028BFD86CB29749C1E4C, C4FAD064CA84566739451DC6DEF +2B3FB, 11F16DF4A122B5C99B897921688D, C2CE146C26BB79F7CEA74A40665A +81BF1, 86023D4E9A40252B9943323AC6C2, 98BC7CFD540529771336414B0240 +1853D3, 9FFAADE7C13872809428B28FFEF1, A3383F446BEBF57C93213A70B155 +48FB79, B16EE42EDA484E3E32BFCD300A56, 8D0FEEE47DAAACAA9D8BCF69D2FF +DAF26B, A5B330E8EA36077522FE1C6FB7C3, 88A84BB806A6F5A4BFF3E551AF00 +290D741, 3C586EF3F731E651CA6002C7332F, D059BC68D7BDBD36CFC989CF7BF0 +7B285C3, C2C91FA9E776ED3BA285AB5E107A, C93F41A8A39B2BACBE05E1F93428 +17179149, 354AA3FE191A506359EFE3B9EBC0, 7BEDBBEDEC768086086C474FE9DC +4546B3DB, B0C34C7B4EC509BA7D128D7B880F, D176BF07B375EBE808FB57863382 +CFD41B91, 6752AE66F3D3302EDE020EF64CF5, 7ABCCC45227CE3FBA57F036E5180 +26F7C52B3, C292C0F2205C7DD85C160500C39F, 44704F5CE0FA803B44BA85BD4D26 +74E74F819, 560A5FD4CBEB26EF2C4A81C3AB99, 9A685B6C7F8BD203764B64980068 +15EB5EE84B, BFEC2498A5C662D7CE0EC0795D86, 81EFC44FFFBA1FE5C10EA50E805B +41C21CB8E1, 3EA8636EF746B6A7D42DA2E631DD, D23DB097D9F656B902E5BCAE5923 +C546562AA3, 1189BF2ED2A10F7312F0DC6AC131, 67ACBE20F636DD4B5B342A3C76B9 +24FD3027FE9, 288B4BBDC29EA71196301B8AFE99, 873196BCFCCAED2E2233525917E0 +6EF79077FBB, C89009F3E7A92102202082A4BE35, 84DA334BD6DF4847B23A2204BA5E +14CE6B167F31, 1C3C9F6D15A9B366431579FB48CF, 9AFB81BE81FA8D1A6D067D7CC28 +3E6B41437D93, D96F30DEFAE1F3445067E1BC5126, 5F94C2A388F7F4E7EC9B783DB0CC +BB41C3CA78B9, 5E85D2777031FE74B02214A898E9, 56BDEB0542BC36CC3F6A269667EC +231C54B5F6A2B, 150A2E2416E3AC315569A3820D92, 4DF8FC1F8ACD06B742E611626199 +6954FE21E3E81, 541D5FCCFC84A2C05E8A0145BFC2, 28BFDB73DCF4206857D022AF52FC +13BFEFA65ABB83, A990A2BC3B113A648B9E00D8E750, 3DEB9F5B4AA6913CAB843B8F2BB2 +3B3FCEF3103289, 9A0FC99B826CC66625274DF01B38, A0570619D2047C864B90C0513575 +B1BF6CD930979B, 3BABB8E3761B38E004DB334E568D, 169B474A41D6D0605A39D45C0CE7 +2153E468B91C6D1, B12E873F58C89718B6DD46DA6C05, BDC3684AD8177FFF90861DEF3497 +63FBAD3A2B55473, 6B9B195EA91798FDFEABACC415B7, 40A0693CFF52DE53819A9704DCA8 +12BF307AE81FFD59, 8A0AB24E8E9795B8482FA478A71E, BCC991821FFB5738E066733633F3 +383D9170B85FF80B, 730E403E64D699C16FACD6738B21, 919761D719C12BD2BF229193746A +A8B8B452291FE821, 3333B47B85D23C6D8300F5229461, 48D6FECEA3083B9D31EC469C6B43 +1FA2A1CF67B5FB863, C3F5AE461252F5B26EBC9DF1B5FA, 16DA58A6C565708C13823D1B2E58 +5EE7E56E3721F2929, 6BAEED3E90E849B001207107F7B8, 5E1C7B8EB4B3E367A4CEAF4B73C6 +11CB7B04AA565D7B7B, 3385AC6BBD490AFF201532286DBF, 7B027BFF07B56FDE6F0BCB37752A +3562710DFF03187271, 8146FD74592B1145492D39680AD8, 508AA9E106E7958CF011D8AA71E9 +A0275329FD09495753, B0FE244CAEED9FAEC678BD22CCD2, C97B3257468A23C4F6E883737FBB +1E075F97DF71BDC05F9, 605DCAFF23DDF804CB1CE4FD847D, 68684076591F042B98CDF14148F0 +5A161EC79E5539411EB, B65AA0ACF8A9C8E99A3F64930DF1, 34613D915630023826CAE908918C +10E425C56DAFFABC35C1, 16CFD49EE4D4850F1689FAB0041C, B50DD3663AFA67A306702BB0582E +32AC7150490FF034A143, 4E0EBC80756B99D91663DB7EE498, 6A22D944B1BAECE8B2EAD6AF3F3E +980553F0DB2FD09DE3C9, 603221615965C9EC9E587C34303D, DCB1EE7A0C41E65C08CA8D78983 +1C80FFBD2918F71D9AB5B, AB82F4270F8C35C774344595F48B, 3B4007030E1D65C6F8544508F5F8 +5582FF377B4AE558D0211, BAADF5F7E998465DBFEC5A7A4847, 1282C981EA4D0B8E7C77DE905D5B +10088FDA671E0B00A70633, 6D60A5CD3CA86F79C566F81AE66C, 22587D260CD8D45DAD2E5CE9C2EB +3019AF8F355A2101F51299, 6805F4FC0B350109728B3F56BC41, 63A9870300ED7D0852DA7163A9CC +904D0EADA00E6305DF37CB, 183156FCD56D11B82CE4B689323E, AB6145C5F793442B022B76251767 +1B0E72C08E02B29119DA761, CD59AC87B06C5D8B1EEB8C59B29A, C956728D4A8CF105F2F15B7F128A +512B5841AA0817B34D8F623, 90AA398DA812A180FE8F6C8CCC41, 9EB2C705EC011EC23345E6148DF3 +F38208C4FE184719E8AE269, 2198735C806266C1C47C8AC08161, 5FD1A06C68BE0F8D08A8EE9A2C4E +2DA861A4EFA48D54DBA0A73B, 2F7E0DFD695A6FB3085C4F3E8C91, A51B8EC5C0C1989073E756666E03 +88F924EECEEDA7FE92E1F5B1, 782D992A0601EF4DAFF89C133151, D52680F34F0E03B54F76E4F49F52 +19AEB6ECC6CC8F7FBB8A5E113, BB4C8DC0FE6FD008C8177F0D0C01, 57574AAB071C6338598333210100 +4D0C24C65465AE7F329F1A339, A12F5BBFD3757AD57EBF19FA89AC, B5F12289CFBED9161324EA137009 +E7246E52FD310B7D97DD4E9AB, 6FB82F9A01630129D70A2855DFFB, 32E0E55F5B39C0FD6042126860EA +2B56D4AF8F7932278C797EBD01, 37F034607B71FD0BE1F85ACB818E, 34CC63FF7DC6E54494BE65F82BD8 +82047E0EAE6B9676A56C7C3703, 920ADE8D3AAF24783082AF163FA1, 13A02EC88C9AF237467FAECF980D +1860D7A2C0B42C363F04574A509, D2790CFD605F2D322D213092A58A, 1BD7AF8E6F3710909B7D400F3B51 +492286E8421C84A2BD0D05DEF1B, 7F5E570FE30F7211AF05E245C3FC, 7EED46F891C350470AB27A1CD0F9 +DB6794B8C6558DE83727119CD51, 7541506150DBB1D4C44CBBD8E025, C83F59D03595F97F6FAD1EF00D77 +29236BE2A5300A9B8A57534D67F3, CA36DD2689FC281999437CC412E2, 577E04E806003AAC5A4E27D496B5 +7B6A43A7EF901FD29F05F9E837D9, BA57BDF8F748B946F34F0CE6BA64, 6B9B5A5A98D4D1F0BBA56489B259 +ECC-128 +1, 161FF7528B899B2D0C28607CA52C5B86, CF5AC8395BAFEB13C02DA292DDED7A83 +3, AD632F542942F23AA423B628A304B3B, 7AA67EE421C4E78851E4B4679BCDC41F +9, C732AE957882F6ADEEF94EF4FDFDB5A, 5F832D3A461B9BE0DAB9B6EFBDAAC16A +1B, C3E7FAA2B004CC66DD779D4D4CCC92A3, 898A5F77130726447D7C6A9FF7BB55CA +51, 882E79BE6E2A92F17FCC14EA8F4A004E, 81EFEB830764DE30840441087E0269A7 +F3, FC8786E47911BEB448FC8614FF44F929, 5FE26C7837CAC0E72CC392ABC915BBE9 +2D9, EB3002AF9DE4BCAB7F00CE22E61E638B, BA9555616D61C3DF55F940D9BB9407E6 +88B, AA37332C95651AA27D6C14B1BDC4B9, E062A0B2F0CF02FD0859E2AD452E12CA +19A1, C5364D02273F5AE032FFE5C95BA33FB, 21359BF3D455E8E4FA1B6498CF03C667 +4CE3, 565406637B339CD9E514048D0C1B6669, 33657B7FAE1D43ACB8A52F5D7F0D46F5 +E6A9, F686D8593E675C596913DC20C39196AB, EC3DA164F561288B3BE727ABA99A5BA8 +2B3FB, CBB20B834591ED538A32B71DE5AA1694, 84CC322D35B760E1422B85AB39500CC6 +81BF1, 5768402750F948709BF083D3B43D7062, 7FCB8577F1466DD3B4ADDA5431E601C9 +1853D3, C63158FF3359CE48ABFCC553F4D372B9, B6F020B6798EFB8AAF545D1B9CA83214 +48FB79, C8B1549674C6B1BEEB462953869C1B89, 61EA95C1FBF57EED2FD7443E667D5EF8 +DAF26B, 93D97715A671D51D5901C41772EC79DE, CBC8994EAF9C478A08B6D2E6F95CA1E9 +290D741, 54C38EA59EDE54565FF3B44D0B805C51, 4DF1848B089AB3E49808DC6CFD682BC2 +7B285C3, C51B5FB02D8FF4095E1AFB276A4B7636, E4403921DF02292B81A41CAAD9E2A686 +17179149, 39AF1443D88EBAAFF645D16F7281728B, 79992D9CABB675B1A3067D7CB4C7D2 +4546B3DB, 4B549361136416D85AEB0ED0FCEB3288, 7F1DAD94D1A72737286A3032B6D15639 +CFD41B91, EC268299DEFC5CC003B593F8E9D9D496, F3744002B83FFFC6A545A7EAF0FEFF6A +26F7C52B3, 6710D002065B89EF2277E6CECA7DA7E6, AA5A24DCA5010A0A026F905D357CD35F +74E74F819, 909E50A61A9634AC70A1F36B5EEA62D6, 1EFA89A81D83CC9911CD5E9978878EED +15EB5EE84B, 76AD0DCDA97CE86AFA5578E05BE3EFC4, 7DAAD7E724AE5EB4B3C9D4D0FEB2D30E +41C21CB8E1, 58DB151CE74B0E1242065F332EBC50A2, 8E65CA6336413235C7C1AC14AE2A90C6 +C546562AA3, 8440EBD3BCB98DBD710835CDA523B048, 3B0DA47B14728C63811054EC0F81E8F2 +24FD3027FE9, CDD14651443254E413C608F12C61A7CC, 550272BFD6373BC4FC1831B37BD5ABE0 +6EF79077FBB, 4C192607510F362548461733029B3ED5, B7979006BE6A92F246D7A099F769D35F +14CE6B167F31, DEAB8C0525BF41F5C7B0CBD67C2AAB50, AEBC99F2E54D009E5E2C320F60CAEB7 +3E6B41437D93, 2FD0BB2280BC6C722FE5E80D12D195F, FCA37EAB062A9462C03CA98821509D09 +BB41C3CA78B9, 8A3D3FCCFD5BBFC94D16B9829527ECC8, 7B9FD0406FD2080B8AD0CD3E1783991F +231C54B5F6A2B, 3810114B6C1FE3C3ACD5522AC46AAF97, EC32DBEE521BAA4F82EF77E0619F5C18 +6954FE21E3E81, 405F7016C928A10BF66DA9B03044BB9F, D4698929696E3C37AC7AC9FBBFFA4472 +13BFEFA65ABB83, D67FE4FDD2ECDC8BABAF926A6781F95B, D1D6DC7CCD9136ED7F1A317C32CB21FE +3B3FCEF3103289, 19891D1CCCB0D82DC07E55D8AFD84043, F94A2B60F3612F2F93F089F4C7A7D651 +B1BF6CD930979B, 420D29204148F5C5AE3E01F851DA4999, CED9F97FFBBFD48DC47A73029CCDD177 +2153E468B91C6D1, DAACDE05B55CBF0390619094A2008488, 56EA7F89E84711803150BDB0421763E7 +63FBAD3A2B55473, 6E5E8684280C87E1C00AD9E3D61CDF6, 52874C99CB842257C0B0F379B8BAEC93 +12BF307AE81FFD59, 202E8278E8C3F2C1AF84F5A0F76F2385, 6844CC669644B1AB8EE0FDFD9EB957FB +383D9170B85FF80B, 1076688ADD5CAA1B9DF02110172F23A3, E42D03AE9241C34F9835B58086176E24 +A8B8B452291FE821, 44D019D2CCEAC749E03FED3C21604CFB, FCE1C2B98417DCA06124B3AE6BB791C0 +1FA2A1CF67B5FB863, 127A50F7AB7BEB412F93D71A5CF60EE3, B48160DDAD09C097CB759E77DA097FEC +5EE7E56E3721F2929, B039E3D5C41FCCF03D679CA633E467BB, FD56EF249B88F9F8E94B55531DD41DBA +11CB7B04AA565D7B7B, 604E6D877AEE8F5F9269C930C127D7D8, BE50FC8BE50F050B06110DF717825357 +3562710DFF03187271, E226E23826D762D6F35BC3B3BD3DB950, CFB94DB91B375BF813D12D85245388F7 +A0275329FD09495753, 83501B5274973F7AAC7E3F79952B13EE, C990598F4525E33B280624A451CCAEA4 +1E075F97DF71BDC05F9, DC941F53E570141D154C8A8F6BE9696D, 69E268FD63702FA8EEB92245A64173FD +5A161EC79E5539411EB, 95582E3BA2B92671D1C55968FBFFDADD, B2D2867D6E68519E4972E107222CC2 +10E425C56DAFFABC35C1, 9E55507068B0AA334B61061B55A3FA4C, 76326CA07A608EAF2E44B2850BEEE7D +32AC7150490FF034A143, 645C473D1D29E12DEB103E33788AFC31, 6DBC857B8511CBEE87DBCEE51F1BAFFC +980553F0DB2FD09DE3C9, 972FD74F9090821E1BD8282DAA179367, 31594172934FC8099FE3243C7093A6E7 +1C80FFBD2918F71D9AB5B, 72508D40467FA52802A5E3EAE46A17CB, 6CDBB3294FCC463054987835AA2CF69F +5582FF377B4AE558D0211, F44B0CE30AE8581BF0276E6154BAACF0, 9DEEF0EF522DEB481A57AA528A9EF389 +10088FDA671E0B00A70633, 7CAD62F23B498A629F61C277B78F53DA, 8F848CA28D10758AF2620948FE7FB18D +3019AF8F355A2101F51299, 674D4F80D1E6E600660FE8C745C35137, 8113E9FEFEE67BFA1C5F84DA37B85AC4 +904D0EADA00E6305DF37CB, A2E3298F5B8D5BA408FBD59A0BCF21E7, E19DEA06A7CB2513672EEC09747311A0 +1B0E72C08E02B29119DA761, 82D4054101D260AF59BC6B34D9F7EF0, 44B2678278DB6E19D6D7F679C64E2A83 +512B5841AA0817B34D8F623, 7FF216DEBB005D7D53E8FD83CC0B7399, E326E0E156FF26FE96EB3D139849C187 +F38208C4FE184719E8AE269, 98A614DBD92CAD5D17A0A51BBA6651C, 6168C46592C07BAF794C2018483DF4E0 +2DA861A4EFA48D54DBA0A73B, E15AE151CFFFF7C9BAB06C0C4E02189A, 4FD57A693728B5851B96176BE8A020CA +88F924EECEEDA7FE92E1F5B1, 626AD277498319CEAB580C3DAD611364, D635A54D313CA01AE564D15090E8DDEB +19AEB6ECC6CC8F7FBB8A5E113, FBB841D08716F39105F0C6A0E6B44D34, B23848958CE5573D5E61D77AE65AFBA5 +4D0C24C65465AE7F329F1A339, ED6A4EC608872EDDF0DCCFAB98CAEED0, 380D8EB7DFD27459673189FD0985857C +E7246E52FD310B7D97DD4E9AB, CD713A6FA65C4DECB2E919D81FA26EE3, 7C76DE743916BFD44823F21C97FE6F17 +2B56D4AF8F7932278C797EBD01, 129F5F40B7015CA3182E56DB5BB94527, B547386942DC53B940ABB4D710C573B +82047E0EAE6B9676A56C7C3703, D61FE443E8768B4A7C75C51DFC79B3C1, 3D4EB1AA062D55772A54FA4082629402 +1860D7A2C0B42C363F04574A509, B65B5424B49167FAF49F45D0F95E6BF5, F5B3477C391B4A0DF92B5F54A633225 +492286E8421C84A2BD0D05DEF1B, 9DA44051B7F939BBD5A4D0156AB26975, 9E9A77EA27C4B6281A04C2E8B20C2440 +DB6794B8C6558DE83727119CD51, 4C6F67B418FB5E4E354DCB622F55893, 9CE7E4249148A54EF9F75A23BFF7E163 +29236BE2A5300A9B8A57534D67F3, 84FBDE461ABFB4C47D9F9EF607390113, 2DB9ED91647C0BB98985BFF0BC652C94 +7B6A43A7EF901FD29F05F9E837D9, 111A425699A95CD6E6CFC8B2DE7982A8, DE3C25EB858FF46CFCD755C465EE0EA7 +1723ECAF7CEB05F77DD11EDB8A78B, 418DDDF6455242DC8E3CF706F7357A31, 9874EFD9B781E72D6DEA50907E09F9F5 +456BC60E76C111E679735C929F6A1, 24B1B158EB838752EB7EE82661942D6B, D630B06558D5C804203229D23CB97B1B +D043522B644335B36C5A15B7DE3E3, AA62C51A16D74D572E05D72465A9EAE8, BA546EF43C8432DD112F6F3F33484FA6 +270C9F6822CC9A11A450E41279ABA9, B17D5A63D3E50E0759FACE17139F4C9B, 59F0D096D23A72BCF3990DDDF9B135F +7525DE386865CE34ECF2AC376D02FB, C394A85DDDF3E8DF5A784CC2D94B87B7, 4B812AEC48DCD1A8856522862CE11FED +15F719AA939316A9EC6D804A64708F1, DA54D51C35FBF5D55CE16C5D3551A64F, B5B46E38541FA7D4E8B300F3ECF46299 +41E54CFFBAB943FDC54880DF2D51AD3, D52F7E4371E70669479959E67426F091, AA001B1E7714D0E2B6DE83A839CF3083 +C5AFE6FF302BCBF94FD9829D87F5079, 81C87D44A112676C129F7F0A8AB2FC2E, 734E4D8902E68F34655AD425DE9C4D8F +2510FB4FD908363EBEF8C87D897DF16B, 56CD2AEED77F0DB901402C32DFF4C325, 4AC2237E19DA29D0F281B2B4F18953A0 +6F32F1EF8B18A2BC3CEA59789C79D441, 356212C5077F17620E6A781AF20CD65, D45C73449F6B5F7F271DBDCB09AE90C0 +ECC-160 +1, 4A96B5688EF573284664698968C38BB913CBFC82, 23A628553168947D59DCC912042351377AC5FB32 +3, 7B76FF541EF363F2DF13DE1650BD48DAA958BC59, C915CA790D8C8877B55BE0079D12854FFE9F6F5A +9, 25393E48E2B7B5DF8142CF731E3F00664D93BBB, E75DE5DF76185C0D233F23A2E7B973A954694156 +1B, A3E33AEB16B8B30F28BE00A54ED1D1278EF7E4C3, EA331BABC1F9C850CB6FE00C6E8D595A2F0A526A +51, 734F0EC134FA53E573BE31828ECDCFE969230F18, B39736E2FE9A766947CC8F236627E6551C74F1A3 +F3, B5C70987F380C3A1482499B7E38DE108E49B1B7, DA72E3B069331A4CCCA6C6770C1B0E95BED8F3BB +2D9, A2DCEB63F2DA16B8ACD68B6EFFCC730BC767D400, 23D6DEFF4A0C085D623627D28E991EE25D5AE745 +88B, A33D980E4D1E6EBDE888380645B1F81C28340F61, 47D8D18D8D640105CE735D0570D16B578F7552C4 +19A1, BD52E5C229FA5763E2F048582672D779960952D4, 8EF1779DA5A8AEF223E0AEEC19DC315E19A3402C +4CE3, E7D4964676C3994C0619030152DD1E739166F2E7, 20E6BC678D4C3C0B05147A2DEB123CD659025CC7 +E6A9, 5D0C33FE66FD1DA56FA31E0C1570286875C7A5C3, 917773615CA2E1DE0B6A7E14BC5EFA8AB86947FA +2B3FB, DC7520AE8A604FB5BAFCB40BAB185803F5012D89, 3ACB6E6F454DEEE809D36113FB941A319C004595 +81BF1, 968191992AEA557635F337FA23CD88DA24DEBF4A, E3035E5E5AFFA7019DB899FAF65FAECD2757EA60 +1853D3, 6D278B8467DA43BF84B72675DEC87ED91A6D4893, 2EB55C1C3AD1C98C553CC6B2CB98E6CEFC73C8B5 +48FB79, 31E014D27430CE99E8F8932F36D9FE1321C9AC9, 4EC4FE2EF24BD4244F872AA286ED3BDC182EA410 +DAF26B, 26919D4E3DE999CA8BFA6D00FA8E97C42FAEA85, 2DB843F7603367F4B1F07F6B45403A8F88324BC7 +290D741, 4B7D7FE3FBF73AF19CA0EC13A7F22B8EA31CE7DB, F82DC14B5E53CC35E4275BF639DC21B49F24EBBA +7B285C3, F445903F825EEB5A3BAAD6DD5E7B319B0E9ABC2B, C5BAECCFDEA34B7032BDA2932DF4C9AC10CCB4B4 +17179149, 4183B5F938FBF5F0DC8A95704096DB5931A5D627, 2D7E42949C7703BB0149FF95815F2DFAABB6A73E +4546B3DB, 67EECA2A2448A42FB50F6321F3AB4C06E3D10DA, D2DE1EFE80A29F460F7F7B2DFBDD93A3B87BC1FA +CFD41B91, 306D5FF90BC57AE7B347E8938FBACD5E8C3CB4ED, 3877474EABC5B88D529EA9550A3EB445A4FE01F8 +26F7C52B3, 30DE6E2A4370693BD9FA7D8A600EA5E6D75943C1, C288A48857FA2E8F677DEED44A1DC5B167708287 +74E74F819, 71E796FF669023C714A0A5215D7DE249B96E4CBA, 1D5AE16000FFA8FC848552E930E9D00E2DCFC4CC +15EB5EE84B, F8A8781D8F0844BA0F689184FF56AFD53D876557, 840E775C494738E49D3AE5D0AB7BF6F25F50F385 +41C21CB8E1, 48B5F313F23E31A72D61337E56203892FBD4AE68, BAC7A49986E06088A62FE1AC07CA2B67CBAFBEC7 +C546562AA3, 73CB8D5A5C2941C636B5D7E9EC69C1015982154A, BCB81976F0CF4F9E55887EE4AE7CB5274944F28E +24FD3027FE9, BF90E02AFDA1EBCC34B02D695CB360B150EDE3E9, 7361D6BD46767F2605995A7448154541ABF3A996 +6EF79077FBB, 93F4B601D818A4C11025779BAC80913BA0858801, C31A64DF2E600901674AA123A792168E17AFE90 +14CE6B167F31, D7D857B44C53BBCB5C3C888E15FA2FB31451E28F, 2E0F00931FC5DCB0049FCC78BD2F4B2593FA8F6B +3E6B41437D93, A29B3FFB401FD76A45DCD8F5E87C2133C36FD1ED, 1883EE891DC09A914AB0B456D78876B89F455266 +BB41C3CA78B9, 9FC8C86A7E9F2958C8CD957C89B414A759586954, A76C1576AED305C9491B7EC075D3C7767777C37A +231C54B5F6A2B, 6D348E7C4A319BB00DAA66615C113976AFDBF66, BC6DA4F9545617DD2F800E74B22142EBD2DA2FDA +6954FE21E3E81, DDC68F983A0D9EDA70E0B9E619D71A8F437B6276, 726642668979300161F48BA9696ABC855BB4B795 +13BFEFA65ABB83, F638399A8904AF059B46A6B8B8B8CBDAF598D9C7, 6F267B6C287DF615F54915DC922EE4AE41126D93 +3B3FCEF3103289, FD136674C5A9E5909FF90397A160EB2232983B44, 5143E198C0B9E3F70215E0AF841BC841F7F7F6B3 +B1BF6CD930979B, 483832C21A3569E8F58AD8FCAEA84F7FC4559663, 5CDAA7FC128E85AC5BEFBD9D94AEAAC681F7AC2A +2153E468B91C6D1, 9918DECF01630EEAA5B226AB6AD577A4D9044F8D, F57AD0162569CB722C85DE7CF98466FF4AB0E09F +63FBAD3A2B55473, 56AEDFC9DE5293FA3FA625D6D8F5B54F95754160, 26D366028621815862EC3CDEDCA7BD09654605E2 +12BF307AE81FFD59, D70777E9F2381429250279FFA09A27A1AA7EE866, FDF2FF1D369ED1003C1BB3AEE3F5F6DEAABC0E57 +383D9170B85FF80B, BD3A19DDF16D9281B8F5A35E0458229481ABC2A, B35E3DE71303702A1AA8F9B4845E3B660EF3F4F7 +A8B8B452291FE821, 9D7659C6B17D17DF5104DB2022BC059D85170F82, DEB9A9B784E14ECEA14116443C2FC6D46F723D +1FA2A1CF67B5FB863, C122BBC2034E30588D106375C098006F80DBAAFC, C31567A287D0CF0DF1904CDA7B239EDF4DEF83FD +5EE7E56E3721F2929, 1A1181829744B2D0DBAA23570C1450BDAE6A9388, 23E295A382E8CB2CF6822B7840734712427FBD60 +11CB7B04AA565D7B7B, CCAC921924E4E2CE73B1328BB65D1BEB111D05F9, B6DCF138575699B24E65F8E4509DE3656AB670D +3562710DFF03187271, 46CAE3F8641148620DAC97B2269086E1034508CD, C466FB97D2B63A866079C4EBE5FB6147C4D41C84 +A0275329FD09495753, C3D05A02C096E19F6B823D399F177F33B6661404, 19EB1CE2B123F8AF342A70DBA6BF1B0904DFA277 +1E075F97DF71BDC05F9, 355F10F526DE3DB79A28C4AE4AB83C91F16DE2DA, D93A8F2292847BA20C54E9D4FE376BEC9BDBAED6 +5A161EC79E5539411EB, 69E617B5E403AB15B10932003AA4C754FD585888, 6199B97EB0B634DF4B51987DE8730F7E364CC46B +10E425C56DAFFABC35C1, F230C76976E57CF10DCE884D10713CAF8B46955C, 80C1A15211B1F06919D56CC86360AFF3522AEBFF +32AC7150490FF034A143, 517ABE22245548B18CB7CA541852FB4682C92B54, 7AD5AD7E91F8A28D842F38C1277553D14C1D8EC4 +980553F0DB2FD09DE3C9, 4AD778F7AF703238A93EAA761B305AC36008AAB9, 296C7D40D07C37D5190B9FDB55ABEB8363D598DE +1C80FFBD2918F71D9AB5B, 34589A4F974E2772B581F8B1F9292B4A3221A392, 95F634C03F3461C88C258B6C3496CDF57CA94855 +5582FF377B4AE558D0211, BA1FC48E95584F0881F117C52E9B84D70ADB8CB2, E34B05161D00DE1B9235538B4E6402F8D62DD13E +10088FDA671E0B00A70633, 9EE3D749EA08A4DCF3A7AB51C15A8ECF8F41B016, 3A21E95620AAB5F8B829C494810E9226AA78060F +3019AF8F355A2101F51299, 86135777B50119CEA4C54A768B4D55C14B6EEAFE, E848B2F0072DB1E57BB2BB41FDBEEF6134101918 +904D0EADA00E6305DF37CB, B3EF2035AF9A8FF6A1D541D0F1C6D56F25051C35, 72DF35F50E4540C80E07AD5D49E9F182CEF78AF5 +1B0E72C08E02B29119DA761, 6F8E9E9456805DB0C58ECC6D596766A1A244F60B, 3EDCDBCFACA7A9D5A1319E8AD429A320DF4354C +512B5841AA0817B34D8F623, 93FC2F22165E8A22439C9AC49D0BECE1E2BB8716, 751314404EE1091A09864791FCC91780F94057EF +F38208C4FE184719E8AE269, D341F5018D6AA45C31DEE5341D09E3E04814B56A, 7A3FD8CED82C7DCBD444C2E07691B1711C96C56E +2DA861A4EFA48D54DBA0A73B, 8960BD4CDA88561DA4155542FCE995FBDEEDDF23, 797312B7B2B5E29279A3273192E0A0E148BBCB8E +88F924EECEEDA7FE92E1F5B1, 59396BDCDA965D15F1FC0BF0222F0FC86B2C300D, D4283D03C78C717445AC36328C1A64693FC7BDB4 +19AEB6ECC6CC8F7FBB8A5E113, 40A00776282D3C393BBC1DE7C9D1C1FBBDECF448, 512DF328AAFEE099E889CFB2C6FE9927005FD4EB +4D0C24C65465AE7F329F1A339, DE65CA9A566D89C6788655F1E450324D554B84DF, BF508E8B4FEA2B015E96C03FBE31268A6ED591AF +E7246E52FD310B7D97DD4E9AB, 1F680491EF657A5FC246FBB202A0002923325733, 5553CC698246C9B786179BC5037C9FB01713814F +2B56D4AF8F7932278C797EBD01, F333344C9F419569DEA6CB228D8938CC69FB81E6, 5D193CC5C5A830A12AC4F6C91FA6253E91267B15 +82047E0EAE6B9676A56C7C3703, FD6623768A2373B6BCC6D84569818D332E27B1EC, 72C39291859E0AD1217D23A34B662C4642113024 +1860D7A2C0B42C363F04574A509, 95761AD2BD51DC587A418ACDA16076A4DC844E22, EE5D215DDF7FE9F6EA2774845041EDB2D61C6E85 +492286E8421C84A2BD0D05DEF1B, 4A3C6077D76D09148B0611C8746EC56D0DEDC031, BCA3BC2177F774CF3B15B6E2128986FEB789322C +DB6794B8C6558DE83727119CD51, 2A3C6AD8102997ABB372D9D9C97C4E4EC8BAFF96, E152C4D5C594088B278E2A935EFCABE1E7B1FD6C +29236BE2A5300A9B8A57534D67F3, AB097E5ACB02E4459030895C6E354484EDF251F1, E6FE3BC507244169DC7CAB7DE32B6AE92AA1A6BB +7B6A43A7EF901FD29F05F9E837D9, 129D7BE9C4EC8914B41A2C766D476879D6F76BE4, 587962443B8E295B1CB893E4ED281558A8C8EFBC +1723ECAF7CEB05F77DD11EDB8A78B, 1C96D21218F2851F453D52871557B037B3512E0A, F6B977791E1C83A34B3EDE67CAD7B751CD0C0E92 +456BC60E76C111E679735C929F6A1, EFBF075A3FDCF11C6FC8C3EDAEAB2768A6D30731, 6B729DFA5729476544770F50F915D458B678341C +D043522B644335B36C5A15B7DE3E3, 36BDD9FC45AB77B06CE2173B8B793427D108EF81, B96612AACFB4C44DF74B6E26B12038BFDB7AD69F +270C9F6822CC9A11A450E41279ABA9, FC4D15FEEC11A0EF59622B7D2895970552345A56, 1AB20573F123C149D487E3B1336993D3EF5AD1CC +7525DE386865CE34ECF2AC376D02FB, C4430A83572A1BDC98CB1E457781A43C35050B2A, C3DE096745E831E6CFC7EBB98B747602C96096CB +15F719AA939316A9EC6D804A64708F1, AD78F890515B436B7BAE6A083B2DD5E1C1F7B70E, 4E849C221A61E5D46DA23E3B2F74B8B8EE14E075 +41E54CFFBAB943FDC54880DF2D51AD3, A53BB39DBE63EA5BB49D5D85991666C3490CAD02, 88479ED000F61E28450E1AF1E0F62F5AD1E3F905 +C5AFE6FF302BCBF94FD9829D87F5079, A653F42589F8B26F03067FBA1D3F20082632CF0, 8625B86D912D177E139E4A0FEABB68DB28E8D84A +2510FB4FD908363EBEF8C87D897DF16B, 6A5F2C81A3BA8543858ECC97FBD98BB0990B851B, 20F3777694592F1FFFFC055B716919C1EA625385 +6F32F1EF8B18A2BC3CEA59789C79D441, 1D7A2FAB41A5CF1DB3A235E261C5E3D2B4F92EF4, A1BBC0E673FEBD4D5F409907FBE404B41435395E +14D98D5CEA149E834B6BF0C69D56D7CC3, 2F885A7A345B99E03192A6EED5F969347DA805EC, 623B9D1A9A9012DCDB9BA68958A47ECF4C3CD0AA +3E8CA816BE3DDB89E243D253D80487649, ACA5A382C70ACF6199716A36FB9666F71F8DFF57, 62BA96DCDC4809E71C659228E6CA1FE80597B8AF +BBA5F8443AB9929DA6CB76FB880D962DB, 6ECFE7E695F17D048C516C35458CA3967541651C, 1036FD8DB26A743B7DB499F42C4301F079E5D567 +232F1E8CCB02CB7D8F46264F29828C2891, 44E0AF7A04FE3957C608146CF14B4275C3D7B666, 38A0714252B9B7D3A44EEAE50086DA06A9388999 +698D5BA661086278ADD272ED7C87A479B3, 7088D973680A53E9479DBFFA467A2111BCD3BE0F, 7D5D05994DA529E8E004D671E788FF3BF888CD7C +13CA812F32319276A097758C87596ED6D19, E4A9C3225C1C2EB76CC58CDC6E894973D58D70DD, A7B92C8791C5E5BABAA17466564A7281F9222F36 +3B5F838D9694B763E1C660A5960C4C8474B, 5739713DBD47167D3E32CD79B47A4A6E275AF078, 5DB73EE6DA8D4979FD94A281D633B43AECA6E9D +B21E8AA8C3BE262BA55321F0C224E58D5E1, CF96DC40E4B69CD8C790FBEDC0BB25952C9DE5EC, 366881EDE370510AE1E82532147CD8E01752E8C5 +2165B9FFA4B3A7282EFF965D2466EB0A81A3, CCB043B608DBC63760B564CA50654FB86817EFC5, A0CD38CE52DE2F283CD2A7CA558ED9BA01CB56F3 +64312DFEEE1AF5788CFEC3176D34C11F84E9, 9FA21A21FAEFBFB6E12775F9949ABE24429110FA, EFAE412FD472D2A05ED3F46933B3EDCFB203E723 +12C9389FCCA50E069A6FC4946479E435E8EBB, 5D876339E7170085A3A74848EA70B60B6588BD71, 65A7DA5C09F645BFE10CE52CD00F63B00350388D +385BA9DF65EF2A13CF4F4DBD2D6DACA1BAC31, C7EF4CF57F0BE40146B2D5F6B14443B6D96171E5, C7B0BF0558433FBE1018FA28A80B384596A6B9BE +A912FD9E31CD7E3B6DEDE937884905E530493, 57863906F760EB7472FDBBAA7AB922EDE99A30CD, 470EEE35775797FD7D756306011784D4D1A94B3F +1FB38F8DA95687AB249C9BBA698DB11AF90DB9, 4EE1981D55A77FFFC3844C7DFB87FFEB33D2287F, 411D7A29479A565BEFC56F5FD2952DADBFE3B736 +5F1AAEA8FC0397016DD5D32F3CA91350EB292B, DA706E4409447F41D36634A89DEADD450031EB07, 25E66A476688C499CE354500B69ABF7E54C83CAA +11D500BFAF40AC5044981798DB5FB39F2C17B81, 3B492E0378D8BAC27FCDAFEB53B6DB8E88A678EC, BA3A45947418E51A09B5FB16C808B4A256112E51 +357F023F0DC204F0CDC846CA921F1ADD8447283, 201D6DB45EA1F22E7AFD6D1E226F028123EE9EC9, E69423D5D87FFBF101BA7C85CC3D2F63CD013BB1 +A07D06BD29460ED26958D45FB65D50988CD5789, B23E082FEF3C87F6C431FA42CAB2E70E6B22165A, AAF1370FCD36AFC7EBB188EA3CAC36B6143C4324 +1E17714377BD22C773C0A7D1F2317F1C9A68069B, 2A808829F1789876B2FDE344382EE0B8690C2B00, 3273FA8D18A239DC81FE8294352CD40A408FECA1 +5A4653CA673768565B41F775D6947D55CF3813D1, DFA008B9187788078297F4A9FA02192C4FC0DAE2, ED0614DACFCF34F0125FDA6F9E7AFF7C5DCACCB6 ECC-192 1, 188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012, 7192B95FFC8DA78631011ED6B24CDD573F977A11E794811 3, 76E32A2557599E6EDCD283201FB2B9AADFD0D359CBB263DA, 782C37E372BA4520AA62E0FED121D49EF3B543660CFD05FD @@ -673,7 +929,7 @@ C6EDECE70CA3A73D72E2D4DA6B60ED2141CEDDAED40E47A82B6345319D4512D113BC9546C0D35C4F 14FB17FC5E5542A37B1DEC730953390281F0D161705D818EBC93784C3B9648FC0D14E3BE76564ABC5C38FDDE969FACC1, 4D466DECA0E5F2C664B1C170485D0435CC913B4CEDCB8904E7EC68025C5E24F54250FF8EBD1AADBA575CAE796BA20E32, C1B53467F914F7BE0779A44AFC51735B26B644A1ABAFF7027BF87BE11FD80B816CAEB33C735ADC55DBF4C2118608BA58 3EF147F51AFFC7EA7159C5591BF9AB0785D27424511884AC35BA68E4B2C2DAF4273EAB3B6302E03514AAF99BC3DF0643, 186F34F7D45ACBEF7F7F7F93C57758A2A578981E9939AFA22AAD14879905E3694737867BF73633CF9F7E25C6A598FF24, DD0B1F68005D3588418D13E69D343B10722C96285A12B139049B8D3E1644C2F110D36BB7F919BC40DEB99EAF443D3482 BCD3D7DF50FF57BF540D500B53ED011691775C6CF3498E04A12F3AAE184890DC75BC01B22908A09F3E00ECD34B9D12C9, 8F6F64EA2755FDA51C99A50B57D7F438DA05A117322884A8F7F7928BA92C78310EF578005B1FCC2FFCFFE79C0802B2E4, D32301BC33B7B167EEAB552E05A20AF64E86E65986D5961C9E9EBF56F4D7F05D428EBDACFAA30907C50D18E3E7F7927 -ECC-520 +ECC-528 1, C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66, 11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650 3, 1A73D352443DE29195DD91D6A64B5959479B52A6E5B123D9AB9E5AD7A112D7A8DD1AD3F164A3A4832051DA6BD16B59FE21BAEB490862C32EA05A5919D2EDE37AD7D, 13E9B03B97DFA62DDD9979F86C6CAB814F2F1557FA82A9D0317D2F8AB1FA355CEEC2E2DD4CF8DC575B02D5ACED1DEC3C70CF105C9BC93A590425F588CA1EE86C0E5 9, 1585389E359E1E21826A2F5BF157156D488ED34541B988746992C4AB145B8C6B6657429E1396134DA35F3C556DF725A318F4F50BABD85CD28661F45627967CBE207, 2A2E618C9A8AEDF39F0B55557A27AE938E3088A654EE1CEBB6C825BA263DDB446E0D69E5756057AC840FF56ECF4ABFD87D736C2AE928880F343AA0EA86B9AD2A4E diff --git a/notes/tech0005.txt b/notes/tech0005.txt index e29b7bd..ef10a43 100644 --- a/notes/tech0005.txt +++ b/notes/tech0005.txt @@ -13,7 +13,7 @@ The following build with GCC 3.4.4 on an AMD64 box gets you AES, CTR mode, SHA-2 roughly 40KB of code (49KB on the ARMv4) (both excluding the math library). CFLAGS="-DLTC_NO_CIPHERS -DLTC_NO_HASHES -DLTC_NO_PRNGS -DLTC_NO_MACS -DLTC_NO_MODES -DLTC_NO_PK -DRIJNDAEL -DLTC_CTR_MODE -DSHA256 \ --DHMAC -DYARROW -DMRSA -DMPI -DTFM_DESC -DARGTYPE=3 -Os -DLTC_SMALL_CODE -fomit-frame-pointer" make IGNORE_SPEED=1 +-DLTC_HMAC -DYARROW -DMRSA -DMPI -DTFM_DESC -DARGTYPE=3 -Os -DLTC_SMALL_CODE -fomit-frame-pointer" make IGNORE_SPEED=1 Obviously this won't get you performance but if you need to pack a crypto lib in a device with limited means it's more than enough... diff --git a/src/ciphers/aes/aes.c b/src/ciphers/aes/aes.c index 90e19e9..eccbb8a 100644 --- a/src/ciphers/aes/aes.c +++ b/src/ciphers/aes/aes.c @@ -49,7 +49,7 @@ const struct ltc_cipher_descriptor rijndael_desc = 6, 16, 32, 16, 10, SETUP, ECB_ENC, ECB_DEC, ECB_TEST, ECB_DONE, ECB_KS, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; const struct ltc_cipher_descriptor aes_desc = @@ -58,7 +58,7 @@ const struct ltc_cipher_descriptor aes_desc = 6, 16, 32, 16, 10, SETUP, ECB_ENC, ECB_DEC, ECB_TEST, ECB_DONE, ECB_KS, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; #else @@ -74,7 +74,7 @@ const struct ltc_cipher_descriptor rijndael_enc_desc = 6, 16, 32, 16, 10, SETUP, ECB_ENC, NULL, NULL, ECB_DONE, ECB_KS, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; const struct ltc_cipher_descriptor aes_enc_desc = @@ -83,7 +83,7 @@ const struct ltc_cipher_descriptor aes_enc_desc = 6, 16, 32, 16, 10, SETUP, ECB_ENC, NULL, NULL, ECB_DONE, ECB_KS, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; #endif @@ -688,10 +688,10 @@ int ECB_TEST(void) rijndael_ecb_encrypt(tests[i].pt, tmp[0], &key); rijndael_ecb_decrypt(tmp[0], tmp[1], &key); - if (memcmp(tmp[0], tests[i].ct, 16) || memcmp(tmp[1], tests[i].pt, 16)) { + if (XMEMCMP(tmp[0], tests[i].ct, 16) || XMEMCMP(tmp[1], tests[i].pt, 16)) { #if 0 printf("\n\nTest %d failed\n", i); - if (memcmp(tmp[0], tests[i].ct, 16)) { + if (XMEMCMP(tmp[0], tests[i].ct, 16)) { printf("CT: "); for (i = 0; i < 16; i++) { printf("%02x ", tmp[0][i]); diff --git a/src/ciphers/anubis.c b/src/ciphers/anubis.c index 3cd8bcf..6531ed1 100644 --- a/src/ciphers/anubis.c +++ b/src/ciphers/anubis.c @@ -29,7 +29,7 @@ const struct ltc_cipher_descriptor anubis_desc = { &anubis_test, &anubis_done, &anubis_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; #define MIN_N 4 @@ -944,28 +944,28 @@ int anubis_setup(const unsigned char *key, int keylen, int num_rounds, symmetri /* * generate r-th round key K^r: */ - K0 = T4[(kappa[N - 1] >> 24) ]; + K0 = T4[(kappa[N - 1] >> 24) & 0xff]; K1 = T4[(kappa[N - 1] >> 16) & 0xff]; K2 = T4[(kappa[N - 1] >> 8) & 0xff]; K3 = T4[(kappa[N - 1] ) & 0xff]; for (i = N - 2; i >= 0; i--) { - K0 = T4[(kappa[i] >> 24) ] ^ - (T5[(K0 >> 24) ] & 0xff000000U) ^ + K0 = T4[(kappa[i] >> 24) & 0xff] ^ + (T5[(K0 >> 24) & 0xff] & 0xff000000U) ^ (T5[(K0 >> 16) & 0xff] & 0x00ff0000U) ^ (T5[(K0 >> 8) & 0xff] & 0x0000ff00U) ^ (T5[(K0 ) & 0xff] & 0x000000ffU); K1 = T4[(kappa[i] >> 16) & 0xff] ^ - (T5[(K1 >> 24) ] & 0xff000000U) ^ + (T5[(K1 >> 24) & 0xff] & 0xff000000U) ^ (T5[(K1 >> 16) & 0xff] & 0x00ff0000U) ^ (T5[(K1 >> 8) & 0xff] & 0x0000ff00U) ^ (T5[(K1 ) & 0xff] & 0x000000ffU); K2 = T4[(kappa[i] >> 8) & 0xff] ^ - (T5[(K2 >> 24) ] & 0xff000000U) ^ + (T5[(K2 >> 24) & 0xff] & 0xff000000U) ^ (T5[(K2 >> 16) & 0xff] & 0x00ff0000U) ^ (T5[(K2 >> 8) & 0xff] & 0x0000ff00U) ^ (T5[(K2 ) & 0xff] & 0x000000ffU); K3 = T4[(kappa[i] ) & 0xff] ^ - (T5[(K3 >> 24) ] & 0xff000000U) ^ + (T5[(K3 >> 24) & 0xff] & 0xff000000U) ^ (T5[(K3 >> 16) & 0xff] & 0x00ff0000U) ^ (T5[(K3 >> 8) & 0xff] & 0x0000ff00U) ^ (T5[(K3 ) & 0xff] & 0x000000ffU); @@ -974,7 +974,7 @@ int anubis_setup(const unsigned char *key, int keylen, int num_rounds, symmetri -- this is the code to use with the large U tables: K0 = K1 = K2 = K3 = 0; for (i = 0; i < N; i++) { - K0 ^= U[i][(kappa[i] >> 24) ]; + K0 ^= U[i][(kappa[i] >> 24) & 0xff]; K1 ^= U[i][(kappa[i] >> 16) & 0xff]; K2 ^= U[i][(kappa[i] >> 8) & 0xff]; K3 ^= U[i][(kappa[i] ) & 0xff]; @@ -993,7 +993,7 @@ int anubis_setup(const unsigned char *key, int keylen, int num_rounds, symmetri } for (i = 0; i < N; i++) { int j = i; - inter[i] = T0[(kappa[j--] >> 24) ]; if (j < 0) j = N - 1; + inter[i] = T0[(kappa[j--] >> 24) & 0xff]; if (j < 0) j = N - 1; inter[i] ^= T1[(kappa[j--] >> 16) & 0xff]; if (j < 0) j = N - 1; inter[i] ^= T2[(kappa[j--] >> 8) & 0xff]; if (j < 0) j = N - 1; inter[i] ^= T3[(kappa[j ] ) & 0xff]; @@ -1015,7 +1015,7 @@ int anubis_setup(const unsigned char *key, int keylen, int num_rounds, symmetri for (i = 0; i < 4; i++) { v = skey->anubis.roundKeyEnc[R - r][i]; skey->anubis.roundKeyDec[r][i] = - T0[T4[(v >> 24) ] & 0xff] ^ + T0[T4[(v >> 24) & 0xff] & 0xff] ^ T1[T4[(v >> 16) & 0xff] & 0xff] ^ T2[T4[(v >> 8) & 0xff] & 0xff] ^ T3[T4[(v ) & 0xff] & 0xff]; @@ -1060,10 +1060,10 @@ static void anubis_crypt(const unsigned char *plaintext, unsigned char *cipherte */ for (r = 1; r < R; r++) { inter[0] = - T0[(state[0] >> 24) ] ^ - T1[(state[1] >> 24) ] ^ - T2[(state[2] >> 24) ] ^ - T3[(state[3] >> 24) ] ^ + T0[(state[0] >> 24) & 0xff] ^ + T1[(state[1] >> 24) & 0xff] ^ + T2[(state[2] >> 24) & 0xff] ^ + T3[(state[3] >> 24) & 0xff] ^ roundKey[r][0]; inter[1] = T0[(state[0] >> 16) & 0xff] ^ @@ -1093,10 +1093,10 @@ static void anubis_crypt(const unsigned char *plaintext, unsigned char *cipherte * last round: */ inter[0] = - (T0[(state[0] >> 24) ] & 0xff000000U) ^ - (T1[(state[1] >> 24) ] & 0x00ff0000U) ^ - (T2[(state[2] >> 24) ] & 0x0000ff00U) ^ - (T3[(state[3] >> 24) ] & 0x000000ffU) ^ + (T0[(state[0] >> 24) & 0xff] & 0xff000000U) ^ + (T1[(state[1] >> 24) & 0xff] & 0x00ff0000U) ^ + (T2[(state[2] >> 24) & 0xff] & 0x0000ff00U) ^ + (T3[(state[3] >> 24) & 0xff] & 0x000000ffU) ^ roundKey[R][0]; inter[1] = (T0[(state[0] >> 16) & 0xff] & 0xff000000U) ^ @@ -1500,13 +1500,13 @@ int anubis_test(void) anubis_setup(tests[x].key, tests[x].keylen, 0, &skey); anubis_ecb_encrypt(tests[x].pt, buf[0], &skey); anubis_ecb_decrypt(buf[0], buf[1], &skey); - if (memcmp(buf[0], tests[x].ct, 16) || memcmp(buf[1], tests[x].pt, 16)) { + if (XMEMCMP(buf[0], tests[x].ct, 16) || XMEMCMP(buf[1], tests[x].pt, 16)) { return CRYPT_FAIL_TESTVECTOR; } for (y = 0; y < 1000; y++) anubis_ecb_encrypt(buf[0], buf[0], &skey); for (y = 0; y < 1000; y++) anubis_ecb_decrypt(buf[0], buf[0], &skey); - if (memcmp(buf[0], tests[x].ct, 16)) { + if (XMEMCMP(buf[0], tests[x].ct, 16)) { return CRYPT_FAIL_TESTVECTOR; } diff --git a/src/ciphers/blowfish.c b/src/ciphers/blowfish.c index 158bba4..349ca65 100644 --- a/src/ciphers/blowfish.c +++ b/src/ciphers/blowfish.c @@ -27,7 +27,7 @@ const struct ltc_cipher_descriptor blowfish_desc = &blowfish_test, &blowfish_done, &blowfish_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; static const ulong32 ORIG_P[16 + 2] = { @@ -548,7 +548,7 @@ int blowfish_test(void) blowfish_ecb_decrypt(tmp[0], tmp[1], &key); /* compare */ - if ((memcmp(tmp[0], tests[x].ct, 8) != 0) || (memcmp(tmp[1], tests[x].pt, 8) != 0)) { + if ((XMEMCMP(tmp[0], tests[x].ct, 8) != 0) || (XMEMCMP(tmp[1], tests[x].pt, 8) != 0)) { return CRYPT_FAIL_TESTVECTOR; } diff --git a/src/ciphers/cast5.c b/src/ciphers/cast5.c index 3daaa4a..ff88322 100644 --- a/src/ciphers/cast5.c +++ b/src/ciphers/cast5.c @@ -27,7 +27,7 @@ const struct ltc_cipher_descriptor cast5_desc = { &cast5_test, &cast5_done, &cast5_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; static const ulong32 S1[256] = { @@ -676,7 +676,7 @@ int cast5_test(void) } cast5_ecb_encrypt(tests[i].pt, tmp[0], &key); cast5_ecb_decrypt(tmp[0], tmp[1], &key); - if ((memcmp(tmp[0], tests[i].ct, 8) != 0) || (memcmp(tmp[1], tests[i].pt, 8) != 0)) { + if ((XMEMCMP(tmp[0], tests[i].ct, 8) != 0) || (XMEMCMP(tmp[1], tests[i].pt, 8) != 0)) { return CRYPT_FAIL_TESTVECTOR; } /* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */ diff --git a/src/ciphers/des.c b/src/ciphers/des.c index 8c9ea12..5b1aac2 100644 --- a/src/ciphers/des.c +++ b/src/ciphers/des.c @@ -31,7 +31,7 @@ const struct ltc_cipher_descriptor des_desc = &des_test, &des_done, &des_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; const struct ltc_cipher_descriptor des3_desc = @@ -45,7 +45,7 @@ const struct ltc_cipher_descriptor des3_desc = &des3_test, &des3_done, &des3_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; static const ulong32 bytebit[8] = @@ -1798,7 +1798,7 @@ int des_test(void) des_ecb_decrypt(cases[i].txt, tmp, &des); } - if (memcmp(cases[i].out, tmp, sizeof(tmp)) != 0) { + if (XMEMCMP(cases[i].out, tmp, sizeof(tmp)) != 0) { return CRYPT_FAIL_TESTVECTOR; } @@ -1841,7 +1841,7 @@ int des3_test(void) des3_ecb_encrypt(pt, ct, &skey); des3_ecb_decrypt(ct, tmp, &skey); - if (memcmp(pt, tmp, 8) != 0) { + if (XMEMCMP(pt, tmp, 8) != 0) { return CRYPT_FAIL_TESTVECTOR; } diff --git a/src/ciphers/kasumi.c b/src/ciphers/kasumi.c new file mode 100644 index 0000000..c02e6d6 --- /dev/null +++ b/src/ciphers/kasumi.c @@ -0,0 +1,318 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ + +/** + @file kasumi.c + Implementation of the 3GPP Kasumi block cipher + Derived from the 3GPP standard source code +*/ + +#include "tomcrypt.h" + +#ifdef LTC_KASUMI + +typedef unsigned u16; + +#define ROL16(x, y) ((((x)<<(y)) | ((x)>>(16-(y)))) & 0xFFFF) + +const struct ltc_cipher_descriptor kasumi_desc = { + "kasumi", + 21, + 16, 16, 8, 8, + &kasumi_setup, + &kasumi_ecb_encrypt, + &kasumi_ecb_decrypt, + &kasumi_test, + &kasumi_done, + &kasumi_keysize, + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL +}; + +static u16 FI( u16 in, u16 subkey ) +{ + u16 nine, seven; + static const u16 S7[128] = { + 54, 50, 62, 56, 22, 34, 94, 96, 38, 6, 63, 93, 2, 18,123, 33, + 55,113, 39,114, 21, 67, 65, 12, 47, 73, 46, 27, 25,111,124, 81, + 53, 9,121, 79, 52, 60, 58, 48,101,127, 40,120,104, 70, 71, 43, + 20,122, 72, 61, 23,109, 13,100, 77, 1, 16, 7, 82, 10,105, 98, + 117,116, 76, 11, 89,106, 0,125,118, 99, 86, 69, 30, 57,126, 87, + 112, 51, 17, 5, 95, 14, 90, 84, 91, 8, 35,103, 32, 97, 28, 66, + 102, 31, 26, 45, 75, 4, 85, 92, 37, 74, 80, 49, 68, 29,115, 44, + 64,107,108, 24,110, 83, 36, 78, 42, 19, 15, 41, 88,119, 59, 3 }; + static const u16 S9[512] = { + 167,239,161,379,391,334, 9,338, 38,226, 48,358,452,385, 90,397, + 183,253,147,331,415,340, 51,362,306,500,262, 82,216,159,356,177, + 175,241,489, 37,206, 17, 0,333, 44,254,378, 58,143,220, 81,400, + 95, 3,315,245, 54,235,218,405,472,264,172,494,371,290,399, 76, + 165,197,395,121,257,480,423,212,240, 28,462,176,406,507,288,223, + 501,407,249,265, 89,186,221,428,164, 74,440,196,458,421,350,163, + 232,158,134,354, 13,250,491,142,191, 69,193,425,152,227,366,135, + 344,300,276,242,437,320,113,278, 11,243, 87,317, 36, 93,496, 27, + 487,446,482, 41, 68,156,457,131,326,403,339, 20, 39,115,442,124, + 475,384,508, 53,112,170,479,151,126,169, 73,268,279,321,168,364, + 363,292, 46,499,393,327,324, 24,456,267,157,460,488,426,309,229, + 439,506,208,271,349,401,434,236, 16,209,359, 52, 56,120,199,277, + 465,416,252,287,246, 6, 83,305,420,345,153,502, 65, 61,244,282, + 173,222,418, 67,386,368,261,101,476,291,195,430, 49, 79,166,330, + 280,383,373,128,382,408,155,495,367,388,274,107,459,417, 62,454, + 132,225,203,316,234, 14,301, 91,503,286,424,211,347,307,140,374, + 35,103,125,427, 19,214,453,146,498,314,444,230,256,329,198,285, + 50,116, 78,410, 10,205,510,171,231, 45,139,467, 29, 86,505, 32, + 72, 26,342,150,313,490,431,238,411,325,149,473, 40,119,174,355, + 185,233,389, 71,448,273,372, 55,110,178,322, 12,469,392,369,190, + 1,109,375,137,181, 88, 75,308,260,484, 98,272,370,275,412,111, + 336,318, 4,504,492,259,304, 77,337,435, 21,357,303,332,483, 18, + 47, 85, 25,497,474,289,100,269,296,478,270,106, 31,104,433, 84, + 414,486,394, 96, 99,154,511,148,413,361,409,255,162,215,302,201, + 266,351,343,144,441,365,108,298,251, 34,182,509,138,210,335,133, + 311,352,328,141,396,346,123,319,450,281,429,228,443,481, 92,404, + 485,422,248,297, 23,213,130,466, 22,217,283, 70,294,360,419,127, + 312,377, 7,468,194, 2,117,295,463,258,224,447,247,187, 80,398, + 284,353,105,390,299,471,470,184, 57,200,348, 63,204,188, 33,451, + 97, 30,310,219, 94,160,129,493, 64,179,263,102,189,207,114,402, + 438,477,387,122,192, 42,381, 5,145,118,180,449,293,323,136,380, + 43, 66, 60,455,341,445,202,432, 8,237, 15,376,436,464, 59,461}; + + /* The sixteen bit input is split into two unequal halves, * + * nine bits and seven bits - as is the subkey */ + + nine = (u16)(in>>7)&0x1FF; + seven = (u16)(in&0x7F); + + /* Now run the various operations */ + nine = (u16)(S9[nine] ^ seven); + seven = (u16)(S7[seven] ^ (nine & 0x7F)); + seven ^= (subkey>>9); + nine ^= (subkey&0x1FF); + nine = (u16)(S9[nine] ^ seven); + seven = (u16)(S7[seven] ^ (nine & 0x7F)); + return (u16)(seven<<9) + nine; +} + +static ulong32 FO( ulong32 in, int round_no, symmetric_key *key) +{ + u16 left, right; + + /* Split the input into two 16-bit words */ + left = (u16)(in>>16); + right = (u16) in&0xFFFF; + + /* Now apply the same basic transformation three times */ + left ^= key->kasumi.KOi1[round_no]; + left = FI( left, key->kasumi.KIi1[round_no] ); + left ^= right; + + right ^= key->kasumi.KOi2[round_no]; + right = FI( right, key->kasumi.KIi2[round_no] ); + right ^= left; + + left ^= key->kasumi.KOi3[round_no]; + left = FI( left, key->kasumi.KIi3[round_no] ); + left ^= right; + + return (((ulong32)right)<<16)+left; +} + +static ulong32 FL( ulong32 in, int round_no, symmetric_key *key ) +{ + u16 l, r, a, b; + /* split out the left and right halves */ + l = (u16)(in>>16); + r = (u16)(in)&0xFFFF; + /* do the FL() operations */ + a = (u16) (l & key->kasumi.KLi1[round_no]); + r ^= ROL16(a,1); + b = (u16)(r | key->kasumi.KLi2[round_no]); + l ^= ROL16(b,1); + /* put the two halves back together */ + + return (((ulong32)l)<<16) + r; +} + +int kasumi_ecb_encrypt(const unsigned char *pt, unsigned char *ct, symmetric_key *skey) +{ + ulong32 left, right, temp; + int n; + + LTC_ARGCHK(pt != NULL); + LTC_ARGCHK(ct != NULL); + LTC_ARGCHK(skey != NULL); + + LOAD32H(left, pt); + LOAD32H(right, pt+4); + + for (n = 0; n <= 7; ) { + temp = FL(left, n, skey); + temp = FO(temp, n++, skey); + right ^= temp; + temp = FO(right, n, skey); + temp = FL(temp, n++, skey); + left ^= temp; + } + + STORE32H(left, ct); + STORE32H(right, ct+4); + + return CRYPT_OK; +} + +int kasumi_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *skey) +{ + ulong32 left, right, temp; + int n; + + LTC_ARGCHK(pt != NULL); + LTC_ARGCHK(ct != NULL); + LTC_ARGCHK(skey != NULL); + + LOAD32H(left, ct); + LOAD32H(right, ct+4); + + for (n = 7; n >= 0; ) { + temp = FO(right, n, skey); + temp = FL(temp, n--, skey); + left ^= temp; + temp = FL(left, n, skey); + temp = FO(temp, n--, skey); + right ^= temp; + } + + STORE32H(left, pt); + STORE32H(right, pt+4); + + return CRYPT_OK; +} + +int kasumi_setup(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey) +{ + static const u16 C[8] = { 0x0123,0x4567,0x89AB,0xCDEF, 0xFEDC,0xBA98,0x7654,0x3210 }; + u16 ukey[8], Kprime[8]; + int n; + + LTC_ARGCHK(key != NULL); + LTC_ARGCHK(skey != NULL); + + if (keylen != 16) { + return CRYPT_INVALID_KEYSIZE; + } + + if (num_rounds != 0 && num_rounds != 8) { + return CRYPT_INVALID_ROUNDS; + } + + /* Start by ensuring the subkeys are endian correct on a 16-bit basis */ + for (n = 0; n < 8; n++ ) { + ukey[n] = (((u16)key[2*n]) << 8) | key[2*n+1]; + } + + /* Now build the K'[] keys */ + for (n = 0; n < 8; n++) { + Kprime[n] = ukey[n] ^ C[n]; + } + + /* Finally construct the various sub keys */ + for(n = 0; n < 8; n++) { + skey->kasumi.KLi1[n] = ROL16(ukey[n],1); + skey->kasumi.KLi2[n] = Kprime[(n+2)&0x7]; + skey->kasumi.KOi1[n] = ROL16(ukey[(n+1)&0x7],5); + skey->kasumi.KOi2[n] = ROL16(ukey[(n+5)&0x7],8); + skey->kasumi.KOi3[n] = ROL16(ukey[(n+6)&0x7],13); + skey->kasumi.KIi1[n] = Kprime[(n+4)&0x7]; + skey->kasumi.KIi2[n] = Kprime[(n+3)&0x7]; + skey->kasumi.KIi3[n] = Kprime[(n+7)&0x7]; + } + + return CRYPT_OK; +} + +void kasumi_done(symmetric_key *skey) +{ +} + +int kasumi_keysize(int *keysize) +{ + LTC_ARGCHK(keysize != NULL); + if (*keysize >= 16) { + *keysize = 16; + return CRYPT_OK; + } else { + return CRYPT_INVALID_KEYSIZE; + } +} + +int kasumi_test(void) +{ +#ifndef LTC_TEST + return CRYPT_NOP; +#else + static const struct { + unsigned char key[16], pt[8], ct[8]; + } tests[] = { + +{ + { 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + { 0x4B, 0x58, 0xA7, 0x71, 0xAF, 0xC7, 0xE5, 0xE8 } +}, + +{ + { 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + { 0x7E, 0xEF, 0x11, 0x3C, 0x95, 0xBB, 0x5A, 0x77 } +}, + +{ + { 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + { 0x5F, 0x14, 0x06, 0x86, 0xD7, 0xAD, 0x5A, 0x39 }, +}, + +{ + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + { 0x2E, 0x14, 0x91, 0xCF, 0x70, 0xAA, 0x46, 0x5D } +}, + +{ + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00 }, + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + { 0xB5, 0x45, 0x86, 0xF4, 0xAB, 0x9A, 0xE5, 0x46 } +}, + +}; + unsigned char buf[2][8]; + symmetric_key key; + int err, x; + + for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) { + if ((err = kasumi_setup(tests[x].key, 16, 0, &key)) != CRYPT_OK) { + return err; + } + if ((err = kasumi_ecb_encrypt(tests[x].pt, buf[0], &key)) != CRYPT_OK) { + return err; + } + if ((err = kasumi_ecb_decrypt(tests[x].ct, buf[1], &key)) != CRYPT_OK) { + return err; + } + if (XMEMCMP(tests[x].pt, buf[1], 8) || XMEMCMP(tests[x].ct, buf[0], 8)) { + return CRYPT_FAIL_TESTVECTOR; + } + } + return CRYPT_OK; +#endif +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ diff --git a/src/ciphers/khazad.c b/src/ciphers/khazad.c index 6eab31f..fc4f0c4 100644 --- a/src/ciphers/khazad.c +++ b/src/ciphers/khazad.c @@ -28,7 +28,7 @@ const struct ltc_cipher_descriptor khazad_desc = { &khazad_test, &khazad_done, &khazad_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; #define R 8 @@ -810,13 +810,13 @@ int khazad_test(void) khazad_setup(tests[x].key, 16, 0, &skey); khazad_ecb_encrypt(tests[x].pt, buf[0], &skey); khazad_ecb_decrypt(buf[0], buf[1], &skey); - if (memcmp(buf[0], tests[x].ct, 8) || memcmp(buf[1], tests[x].pt, 8)) { + if (XMEMCMP(buf[0], tests[x].ct, 8) || XMEMCMP(buf[1], tests[x].pt, 8)) { return CRYPT_FAIL_TESTVECTOR; } for (y = 0; y < 1000; y++) khazad_ecb_encrypt(buf[0], buf[0], &skey); for (y = 0; y < 1000; y++) khazad_ecb_decrypt(buf[0], buf[0], &skey); - if (memcmp(buf[0], tests[x].ct, 8)) { + if (XMEMCMP(buf[0], tests[x].ct, 8)) { return CRYPT_FAIL_TESTVECTOR; } diff --git a/src/ciphers/kseed.c b/src/ciphers/kseed.c new file mode 100644 index 0000000..e82fd19 --- /dev/null +++ b/src/ciphers/kseed.c @@ -0,0 +1,376 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ + +/** + @file kseed.c + seed implementation of SEED derived from RFC4269 + Tom St Denis +*/ + +#include "tomcrypt.h" + +#ifdef KSEED + +const struct ltc_cipher_descriptor kseed_desc = { + "seed", + 20, + 16, 16, 16, 16, + &kseed_setup, + &kseed_ecb_encrypt, + &kseed_ecb_decrypt, + &kseed_test, + &kseed_done, + &kseed_keysize, + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL +}; + +static const ulong32 SS0[256] = { +0x2989A1A8UL,0x05858184UL,0x16C6D2D4UL,0x13C3D3D0UL,0x14445054UL,0x1D0D111CUL,0x2C8CA0ACUL,0x25052124UL, +0x1D4D515CUL,0x03434340UL,0x18081018UL,0x1E0E121CUL,0x11415150UL,0x3CCCF0FCUL,0x0ACAC2C8UL,0x23436360UL, +0x28082028UL,0x04444044UL,0x20002020UL,0x1D8D919CUL,0x20C0E0E0UL,0x22C2E2E0UL,0x08C8C0C8UL,0x17071314UL, +0x2585A1A4UL,0x0F8F838CUL,0x03030300UL,0x3B4B7378UL,0x3B8BB3B8UL,0x13031310UL,0x12C2D2D0UL,0x2ECEE2ECUL, +0x30407070UL,0x0C8C808CUL,0x3F0F333CUL,0x2888A0A8UL,0x32023230UL,0x1DCDD1DCUL,0x36C6F2F4UL,0x34447074UL, +0x2CCCE0ECUL,0x15859194UL,0x0B0B0308UL,0x17475354UL,0x1C4C505CUL,0x1B4B5358UL,0x3D8DB1BCUL,0x01010100UL, +0x24042024UL,0x1C0C101CUL,0x33437370UL,0x18889098UL,0x10001010UL,0x0CCCC0CCUL,0x32C2F2F0UL,0x19C9D1D8UL, +0x2C0C202CUL,0x27C7E3E4UL,0x32427270UL,0x03838380UL,0x1B8B9398UL,0x11C1D1D0UL,0x06868284UL,0x09C9C1C8UL, +0x20406060UL,0x10405050UL,0x2383A3A0UL,0x2BCBE3E8UL,0x0D0D010CUL,0x3686B2B4UL,0x1E8E929CUL,0x0F4F434CUL, +0x3787B3B4UL,0x1A4A5258UL,0x06C6C2C4UL,0x38487078UL,0x2686A2A4UL,0x12021210UL,0x2F8FA3ACUL,0x15C5D1D4UL, +0x21416160UL,0x03C3C3C0UL,0x3484B0B4UL,0x01414140UL,0x12425250UL,0x3D4D717CUL,0x0D8D818CUL,0x08080008UL, +0x1F0F131CUL,0x19899198UL,0x00000000UL,0x19091118UL,0x04040004UL,0x13435350UL,0x37C7F3F4UL,0x21C1E1E0UL, +0x3DCDF1FCUL,0x36467274UL,0x2F0F232CUL,0x27072324UL,0x3080B0B0UL,0x0B8B8388UL,0x0E0E020CUL,0x2B8BA3A8UL, +0x2282A2A0UL,0x2E4E626CUL,0x13839390UL,0x0D4D414CUL,0x29496168UL,0x3C4C707CUL,0x09090108UL,0x0A0A0208UL, +0x3F8FB3BCUL,0x2FCFE3ECUL,0x33C3F3F0UL,0x05C5C1C4UL,0x07878384UL,0x14041014UL,0x3ECEF2FCUL,0x24446064UL, +0x1ECED2DCUL,0x2E0E222CUL,0x0B4B4348UL,0x1A0A1218UL,0x06060204UL,0x21012120UL,0x2B4B6368UL,0x26466264UL, +0x02020200UL,0x35C5F1F4UL,0x12829290UL,0x0A8A8288UL,0x0C0C000CUL,0x3383B3B0UL,0x3E4E727CUL,0x10C0D0D0UL, +0x3A4A7278UL,0x07474344UL,0x16869294UL,0x25C5E1E4UL,0x26062224UL,0x00808080UL,0x2D8DA1ACUL,0x1FCFD3DCUL, +0x2181A1A0UL,0x30003030UL,0x37073334UL,0x2E8EA2ACUL,0x36063234UL,0x15051114UL,0x22022220UL,0x38083038UL, +0x34C4F0F4UL,0x2787A3A4UL,0x05454144UL,0x0C4C404CUL,0x01818180UL,0x29C9E1E8UL,0x04848084UL,0x17879394UL, +0x35053134UL,0x0BCBC3C8UL,0x0ECEC2CCUL,0x3C0C303CUL,0x31417170UL,0x11011110UL,0x07C7C3C4UL,0x09898188UL, +0x35457174UL,0x3BCBF3F8UL,0x1ACAD2D8UL,0x38C8F0F8UL,0x14849094UL,0x19495158UL,0x02828280UL,0x04C4C0C4UL, +0x3FCFF3FCUL,0x09494148UL,0x39093138UL,0x27476364UL,0x00C0C0C0UL,0x0FCFC3CCUL,0x17C7D3D4UL,0x3888B0B8UL, +0x0F0F030CUL,0x0E8E828CUL,0x02424240UL,0x23032320UL,0x11819190UL,0x2C4C606CUL,0x1BCBD3D8UL,0x2484A0A4UL, +0x34043034UL,0x31C1F1F0UL,0x08484048UL,0x02C2C2C0UL,0x2F4F636CUL,0x3D0D313CUL,0x2D0D212CUL,0x00404040UL, +0x3E8EB2BCUL,0x3E0E323CUL,0x3C8CB0BCUL,0x01C1C1C0UL,0x2A8AA2A8UL,0x3A8AB2B8UL,0x0E4E424CUL,0x15455154UL, +0x3B0B3338UL,0x1CCCD0DCUL,0x28486068UL,0x3F4F737CUL,0x1C8C909CUL,0x18C8D0D8UL,0x0A4A4248UL,0x16465254UL, +0x37477374UL,0x2080A0A0UL,0x2DCDE1ECUL,0x06464244UL,0x3585B1B4UL,0x2B0B2328UL,0x25456164UL,0x3ACAF2F8UL, +0x23C3E3E0UL,0x3989B1B8UL,0x3181B1B0UL,0x1F8F939CUL,0x1E4E525CUL,0x39C9F1F8UL,0x26C6E2E4UL,0x3282B2B0UL, +0x31013130UL,0x2ACAE2E8UL,0x2D4D616CUL,0x1F4F535CUL,0x24C4E0E4UL,0x30C0F0F0UL,0x0DCDC1CCUL,0x08888088UL, +0x16061214UL,0x3A0A3238UL,0x18485058UL,0x14C4D0D4UL,0x22426260UL,0x29092128UL,0x07070304UL,0x33033330UL, +0x28C8E0E8UL,0x1B0B1318UL,0x05050104UL,0x39497178UL,0x10809090UL,0x2A4A6268UL,0x2A0A2228UL,0x1A8A9298UL +}; + +static const ulong32 SS1[256] = { +0x38380830UL,0xE828C8E0UL,0x2C2D0D21UL,0xA42686A2UL,0xCC0FCFC3UL,0xDC1ECED2UL,0xB03383B3UL,0xB83888B0UL, +0xAC2F8FA3UL,0x60204060UL,0x54154551UL,0xC407C7C3UL,0x44044440UL,0x6C2F4F63UL,0x682B4B63UL,0x581B4B53UL, +0xC003C3C3UL,0x60224262UL,0x30330333UL,0xB43585B1UL,0x28290921UL,0xA02080A0UL,0xE022C2E2UL,0xA42787A3UL, +0xD013C3D3UL,0x90118191UL,0x10110111UL,0x04060602UL,0x1C1C0C10UL,0xBC3C8CB0UL,0x34360632UL,0x480B4B43UL, +0xEC2FCFE3UL,0x88088880UL,0x6C2C4C60UL,0xA82888A0UL,0x14170713UL,0xC404C4C0UL,0x14160612UL,0xF434C4F0UL, +0xC002C2C2UL,0x44054541UL,0xE021C1E1UL,0xD416C6D2UL,0x3C3F0F33UL,0x3C3D0D31UL,0x8C0E8E82UL,0x98188890UL, +0x28280820UL,0x4C0E4E42UL,0xF436C6F2UL,0x3C3E0E32UL,0xA42585A1UL,0xF839C9F1UL,0x0C0D0D01UL,0xDC1FCFD3UL, +0xD818C8D0UL,0x282B0B23UL,0x64264662UL,0x783A4A72UL,0x24270723UL,0x2C2F0F23UL,0xF031C1F1UL,0x70324272UL, +0x40024242UL,0xD414C4D0UL,0x40014141UL,0xC000C0C0UL,0x70334373UL,0x64274763UL,0xAC2C8CA0UL,0x880B8B83UL, +0xF437C7F3UL,0xAC2D8DA1UL,0x80008080UL,0x1C1F0F13UL,0xC80ACAC2UL,0x2C2C0C20UL,0xA82A8AA2UL,0x34340430UL, +0xD012C2D2UL,0x080B0B03UL,0xEC2ECEE2UL,0xE829C9E1UL,0x5C1D4D51UL,0x94148490UL,0x18180810UL,0xF838C8F0UL, +0x54174753UL,0xAC2E8EA2UL,0x08080800UL,0xC405C5C1UL,0x10130313UL,0xCC0DCDC1UL,0x84068682UL,0xB83989B1UL, +0xFC3FCFF3UL,0x7C3D4D71UL,0xC001C1C1UL,0x30310131UL,0xF435C5F1UL,0x880A8A82UL,0x682A4A62UL,0xB03181B1UL, +0xD011C1D1UL,0x20200020UL,0xD417C7D3UL,0x00020202UL,0x20220222UL,0x04040400UL,0x68284860UL,0x70314171UL, +0x04070703UL,0xD81BCBD3UL,0x9C1D8D91UL,0x98198991UL,0x60214161UL,0xBC3E8EB2UL,0xE426C6E2UL,0x58194951UL, +0xDC1DCDD1UL,0x50114151UL,0x90108090UL,0xDC1CCCD0UL,0x981A8A92UL,0xA02383A3UL,0xA82B8BA3UL,0xD010C0D0UL, +0x80018181UL,0x0C0F0F03UL,0x44074743UL,0x181A0A12UL,0xE023C3E3UL,0xEC2CCCE0UL,0x8C0D8D81UL,0xBC3F8FB3UL, +0x94168692UL,0x783B4B73UL,0x5C1C4C50UL,0xA02282A2UL,0xA02181A1UL,0x60234363UL,0x20230323UL,0x4C0D4D41UL, +0xC808C8C0UL,0x9C1E8E92UL,0x9C1C8C90UL,0x383A0A32UL,0x0C0C0C00UL,0x2C2E0E22UL,0xB83A8AB2UL,0x6C2E4E62UL, +0x9C1F8F93UL,0x581A4A52UL,0xF032C2F2UL,0x90128292UL,0xF033C3F3UL,0x48094941UL,0x78384870UL,0xCC0CCCC0UL, +0x14150511UL,0xF83BCBF3UL,0x70304070UL,0x74354571UL,0x7C3F4F73UL,0x34350531UL,0x10100010UL,0x00030303UL, +0x64244460UL,0x6C2D4D61UL,0xC406C6C2UL,0x74344470UL,0xD415C5D1UL,0xB43484B0UL,0xE82ACAE2UL,0x08090901UL, +0x74364672UL,0x18190911UL,0xFC3ECEF2UL,0x40004040UL,0x10120212UL,0xE020C0E0UL,0xBC3D8DB1UL,0x04050501UL, +0xF83ACAF2UL,0x00010101UL,0xF030C0F0UL,0x282A0A22UL,0x5C1E4E52UL,0xA82989A1UL,0x54164652UL,0x40034343UL, +0x84058581UL,0x14140410UL,0x88098981UL,0x981B8B93UL,0xB03080B0UL,0xE425C5E1UL,0x48084840UL,0x78394971UL, +0x94178793UL,0xFC3CCCF0UL,0x1C1E0E12UL,0x80028282UL,0x20210121UL,0x8C0C8C80UL,0x181B0B13UL,0x5C1F4F53UL, +0x74374773UL,0x54144450UL,0xB03282B2UL,0x1C1D0D11UL,0x24250521UL,0x4C0F4F43UL,0x00000000UL,0x44064642UL, +0xEC2DCDE1UL,0x58184850UL,0x50124252UL,0xE82BCBE3UL,0x7C3E4E72UL,0xD81ACAD2UL,0xC809C9C1UL,0xFC3DCDF1UL, +0x30300030UL,0x94158591UL,0x64254561UL,0x3C3C0C30UL,0xB43686B2UL,0xE424C4E0UL,0xB83B8BB3UL,0x7C3C4C70UL, +0x0C0E0E02UL,0x50104050UL,0x38390931UL,0x24260622UL,0x30320232UL,0x84048480UL,0x68294961UL,0x90138393UL, +0x34370733UL,0xE427C7E3UL,0x24240420UL,0xA42484A0UL,0xC80BCBC3UL,0x50134353UL,0x080A0A02UL,0x84078783UL, +0xD819C9D1UL,0x4C0C4C40UL,0x80038383UL,0x8C0F8F83UL,0xCC0ECEC2UL,0x383B0B33UL,0x480A4A42UL,0xB43787B3UL +}; + +static const ulong32 SS2[256] = { +0xA1A82989UL,0x81840585UL,0xD2D416C6UL,0xD3D013C3UL,0x50541444UL,0x111C1D0DUL,0xA0AC2C8CUL,0x21242505UL, +0x515C1D4DUL,0x43400343UL,0x10181808UL,0x121C1E0EUL,0x51501141UL,0xF0FC3CCCUL,0xC2C80ACAUL,0x63602343UL, +0x20282808UL,0x40440444UL,0x20202000UL,0x919C1D8DUL,0xE0E020C0UL,0xE2E022C2UL,0xC0C808C8UL,0x13141707UL, +0xA1A42585UL,0x838C0F8FUL,0x03000303UL,0x73783B4BUL,0xB3B83B8BUL,0x13101303UL,0xD2D012C2UL,0xE2EC2ECEUL, +0x70703040UL,0x808C0C8CUL,0x333C3F0FUL,0xA0A82888UL,0x32303202UL,0xD1DC1DCDUL,0xF2F436C6UL,0x70743444UL, +0xE0EC2CCCUL,0x91941585UL,0x03080B0BUL,0x53541747UL,0x505C1C4CUL,0x53581B4BUL,0xB1BC3D8DUL,0x01000101UL, +0x20242404UL,0x101C1C0CUL,0x73703343UL,0x90981888UL,0x10101000UL,0xC0CC0CCCUL,0xF2F032C2UL,0xD1D819C9UL, +0x202C2C0CUL,0xE3E427C7UL,0x72703242UL,0x83800383UL,0x93981B8BUL,0xD1D011C1UL,0x82840686UL,0xC1C809C9UL, +0x60602040UL,0x50501040UL,0xA3A02383UL,0xE3E82BCBUL,0x010C0D0DUL,0xB2B43686UL,0x929C1E8EUL,0x434C0F4FUL, +0xB3B43787UL,0x52581A4AUL,0xC2C406C6UL,0x70783848UL,0xA2A42686UL,0x12101202UL,0xA3AC2F8FUL,0xD1D415C5UL, +0x61602141UL,0xC3C003C3UL,0xB0B43484UL,0x41400141UL,0x52501242UL,0x717C3D4DUL,0x818C0D8DUL,0x00080808UL, +0x131C1F0FUL,0x91981989UL,0x00000000UL,0x11181909UL,0x00040404UL,0x53501343UL,0xF3F437C7UL,0xE1E021C1UL, +0xF1FC3DCDUL,0x72743646UL,0x232C2F0FUL,0x23242707UL,0xB0B03080UL,0x83880B8BUL,0x020C0E0EUL,0xA3A82B8BUL, +0xA2A02282UL,0x626C2E4EUL,0x93901383UL,0x414C0D4DUL,0x61682949UL,0x707C3C4CUL,0x01080909UL,0x02080A0AUL, +0xB3BC3F8FUL,0xE3EC2FCFUL,0xF3F033C3UL,0xC1C405C5UL,0x83840787UL,0x10141404UL,0xF2FC3ECEUL,0x60642444UL, +0xD2DC1ECEUL,0x222C2E0EUL,0x43480B4BUL,0x12181A0AUL,0x02040606UL,0x21202101UL,0x63682B4BUL,0x62642646UL, +0x02000202UL,0xF1F435C5UL,0x92901282UL,0x82880A8AUL,0x000C0C0CUL,0xB3B03383UL,0x727C3E4EUL,0xD0D010C0UL, +0x72783A4AUL,0x43440747UL,0x92941686UL,0xE1E425C5UL,0x22242606UL,0x80800080UL,0xA1AC2D8DUL,0xD3DC1FCFUL, +0xA1A02181UL,0x30303000UL,0x33343707UL,0xA2AC2E8EUL,0x32343606UL,0x11141505UL,0x22202202UL,0x30383808UL, +0xF0F434C4UL,0xA3A42787UL,0x41440545UL,0x404C0C4CUL,0x81800181UL,0xE1E829C9UL,0x80840484UL,0x93941787UL, +0x31343505UL,0xC3C80BCBUL,0xC2CC0ECEUL,0x303C3C0CUL,0x71703141UL,0x11101101UL,0xC3C407C7UL,0x81880989UL, +0x71743545UL,0xF3F83BCBUL,0xD2D81ACAUL,0xF0F838C8UL,0x90941484UL,0x51581949UL,0x82800282UL,0xC0C404C4UL, +0xF3FC3FCFUL,0x41480949UL,0x31383909UL,0x63642747UL,0xC0C000C0UL,0xC3CC0FCFUL,0xD3D417C7UL,0xB0B83888UL, +0x030C0F0FUL,0x828C0E8EUL,0x42400242UL,0x23202303UL,0x91901181UL,0x606C2C4CUL,0xD3D81BCBUL,0xA0A42484UL, +0x30343404UL,0xF1F031C1UL,0x40480848UL,0xC2C002C2UL,0x636C2F4FUL,0x313C3D0DUL,0x212C2D0DUL,0x40400040UL, +0xB2BC3E8EUL,0x323C3E0EUL,0xB0BC3C8CUL,0xC1C001C1UL,0xA2A82A8AUL,0xB2B83A8AUL,0x424C0E4EUL,0x51541545UL, +0x33383B0BUL,0xD0DC1CCCUL,0x60682848UL,0x737C3F4FUL,0x909C1C8CUL,0xD0D818C8UL,0x42480A4AUL,0x52541646UL, +0x73743747UL,0xA0A02080UL,0xE1EC2DCDUL,0x42440646UL,0xB1B43585UL,0x23282B0BUL,0x61642545UL,0xF2F83ACAUL, +0xE3E023C3UL,0xB1B83989UL,0xB1B03181UL,0x939C1F8FUL,0x525C1E4EUL,0xF1F839C9UL,0xE2E426C6UL,0xB2B03282UL, +0x31303101UL,0xE2E82ACAUL,0x616C2D4DUL,0x535C1F4FUL,0xE0E424C4UL,0xF0F030C0UL,0xC1CC0DCDUL,0x80880888UL, +0x12141606UL,0x32383A0AUL,0x50581848UL,0xD0D414C4UL,0x62602242UL,0x21282909UL,0x03040707UL,0x33303303UL, +0xE0E828C8UL,0x13181B0BUL,0x01040505UL,0x71783949UL,0x90901080UL,0x62682A4AUL,0x22282A0AUL,0x92981A8AUL +}; + +static const ulong32 SS3[256] = { +0x08303838UL,0xC8E0E828UL,0x0D212C2DUL,0x86A2A426UL,0xCFC3CC0FUL,0xCED2DC1EUL,0x83B3B033UL,0x88B0B838UL, +0x8FA3AC2FUL,0x40606020UL,0x45515415UL,0xC7C3C407UL,0x44404404UL,0x4F636C2FUL,0x4B63682BUL,0x4B53581BUL, +0xC3C3C003UL,0x42626022UL,0x03333033UL,0x85B1B435UL,0x09212829UL,0x80A0A020UL,0xC2E2E022UL,0x87A3A427UL, +0xC3D3D013UL,0x81919011UL,0x01111011UL,0x06020406UL,0x0C101C1CUL,0x8CB0BC3CUL,0x06323436UL,0x4B43480BUL, +0xCFE3EC2FUL,0x88808808UL,0x4C606C2CUL,0x88A0A828UL,0x07131417UL,0xC4C0C404UL,0x06121416UL,0xC4F0F434UL, +0xC2C2C002UL,0x45414405UL,0xC1E1E021UL,0xC6D2D416UL,0x0F333C3FUL,0x0D313C3DUL,0x8E828C0EUL,0x88909818UL, +0x08202828UL,0x4E424C0EUL,0xC6F2F436UL,0x0E323C3EUL,0x85A1A425UL,0xC9F1F839UL,0x0D010C0DUL,0xCFD3DC1FUL, +0xC8D0D818UL,0x0B23282BUL,0x46626426UL,0x4A72783AUL,0x07232427UL,0x0F232C2FUL,0xC1F1F031UL,0x42727032UL, +0x42424002UL,0xC4D0D414UL,0x41414001UL,0xC0C0C000UL,0x43737033UL,0x47636427UL,0x8CA0AC2CUL,0x8B83880BUL, +0xC7F3F437UL,0x8DA1AC2DUL,0x80808000UL,0x0F131C1FUL,0xCAC2C80AUL,0x0C202C2CUL,0x8AA2A82AUL,0x04303434UL, +0xC2D2D012UL,0x0B03080BUL,0xCEE2EC2EUL,0xC9E1E829UL,0x4D515C1DUL,0x84909414UL,0x08101818UL,0xC8F0F838UL, +0x47535417UL,0x8EA2AC2EUL,0x08000808UL,0xC5C1C405UL,0x03131013UL,0xCDC1CC0DUL,0x86828406UL,0x89B1B839UL, +0xCFF3FC3FUL,0x4D717C3DUL,0xC1C1C001UL,0x01313031UL,0xC5F1F435UL,0x8A82880AUL,0x4A62682AUL,0x81B1B031UL, +0xC1D1D011UL,0x00202020UL,0xC7D3D417UL,0x02020002UL,0x02222022UL,0x04000404UL,0x48606828UL,0x41717031UL, +0x07030407UL,0xCBD3D81BUL,0x8D919C1DUL,0x89919819UL,0x41616021UL,0x8EB2BC3EUL,0xC6E2E426UL,0x49515819UL, +0xCDD1DC1DUL,0x41515011UL,0x80909010UL,0xCCD0DC1CUL,0x8A92981AUL,0x83A3A023UL,0x8BA3A82BUL,0xC0D0D010UL, +0x81818001UL,0x0F030C0FUL,0x47434407UL,0x0A12181AUL,0xC3E3E023UL,0xCCE0EC2CUL,0x8D818C0DUL,0x8FB3BC3FUL, +0x86929416UL,0x4B73783BUL,0x4C505C1CUL,0x82A2A022UL,0x81A1A021UL,0x43636023UL,0x03232023UL,0x4D414C0DUL, +0xC8C0C808UL,0x8E929C1EUL,0x8C909C1CUL,0x0A32383AUL,0x0C000C0CUL,0x0E222C2EUL,0x8AB2B83AUL,0x4E626C2EUL, +0x8F939C1FUL,0x4A52581AUL,0xC2F2F032UL,0x82929012UL,0xC3F3F033UL,0x49414809UL,0x48707838UL,0xCCC0CC0CUL, +0x05111415UL,0xCBF3F83BUL,0x40707030UL,0x45717435UL,0x4F737C3FUL,0x05313435UL,0x00101010UL,0x03030003UL, +0x44606424UL,0x4D616C2DUL,0xC6C2C406UL,0x44707434UL,0xC5D1D415UL,0x84B0B434UL,0xCAE2E82AUL,0x09010809UL, +0x46727436UL,0x09111819UL,0xCEF2FC3EUL,0x40404000UL,0x02121012UL,0xC0E0E020UL,0x8DB1BC3DUL,0x05010405UL, +0xCAF2F83AUL,0x01010001UL,0xC0F0F030UL,0x0A22282AUL,0x4E525C1EUL,0x89A1A829UL,0x46525416UL,0x43434003UL, +0x85818405UL,0x04101414UL,0x89818809UL,0x8B93981BUL,0x80B0B030UL,0xC5E1E425UL,0x48404808UL,0x49717839UL, +0x87939417UL,0xCCF0FC3CUL,0x0E121C1EUL,0x82828002UL,0x01212021UL,0x8C808C0CUL,0x0B13181BUL,0x4F535C1FUL, +0x47737437UL,0x44505414UL,0x82B2B032UL,0x0D111C1DUL,0x05212425UL,0x4F434C0FUL,0x00000000UL,0x46424406UL, +0xCDE1EC2DUL,0x48505818UL,0x42525012UL,0xCBE3E82BUL,0x4E727C3EUL,0xCAD2D81AUL,0xC9C1C809UL,0xCDF1FC3DUL, +0x00303030UL,0x85919415UL,0x45616425UL,0x0C303C3CUL,0x86B2B436UL,0xC4E0E424UL,0x8BB3B83BUL,0x4C707C3CUL, +0x0E020C0EUL,0x40505010UL,0x09313839UL,0x06222426UL,0x02323032UL,0x84808404UL,0x49616829UL,0x83939013UL, +0x07333437UL,0xC7E3E427UL,0x04202424UL,0x84A0A424UL,0xCBC3C80BUL,0x43535013UL,0x0A02080AUL,0x87838407UL, +0xC9D1D819UL,0x4C404C0CUL,0x83838003UL,0x8F838C0FUL,0xCEC2CC0EUL,0x0B33383BUL,0x4A42480AUL,0x87B3B437UL +}; + +static const ulong32 KCi[16] = { +0x9E3779B9,0x3C6EF373, +0x78DDE6E6,0xF1BBCDCC, +0xE3779B99,0xC6EF3733, +0x8DDE6E67,0x1BBCDCCF, +0x3779B99E,0x6EF3733C, +0xDDE6E678,0xBBCDCCF1, +0x779B99E3,0xEF3733C6, +0xDE6E678D,0xBCDCCF1B +}; + +#define G(x) (SS3[((x)>>24)&255] ^ SS2[((x)>>16)&255] ^ SS1[((x)>>8)&255] ^ SS0[(x)&255]) + +#define F(L1, L2, R1, R2, K1, K2) \ + T2 = G((R1 ^ K1) ^ (R2 ^ K2)); \ + T = G( G(T2 + (R1 ^ K1)) + T2); \ + L2 ^= T; \ + L1 ^= (T + G(T2 + (R1 ^ K1))); \ + + /** + Initialize the SEED block cipher + @param key The symmetric key you wish to pass + @param keylen The key length in bytes + @param num_rounds The number of rounds desired (0 for default) + @param skey The key in as scheduled by this function. + @return CRYPT_OK if successful + */ +int kseed_setup(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey) +{ + int i; + ulong32 tmp, k1, k2, k3, k4; + + if (keylen != 16) { + return CRYPT_INVALID_KEYSIZE; + } + + if (num_rounds != 16 && num_rounds != 0) { + return CRYPT_INVALID_ROUNDS; + } + + /* load key */ + LOAD32H(k1, key); + LOAD32H(k2, key+4); + LOAD32H(k3, key+8); + LOAD32H(k4, key+12); + + for (i = 0; i < 16; i++) { + skey->kseed.K[2*i+0] = G(k1 + k3 - KCi[i]); + skey->kseed.K[2*i+1] = G(k2 - k4 + KCi[i]); + if (i&1) { + tmp = k3; + k3 = ((k3 << 8) | (k4 >> 24)) & 0xFFFFFFFF; + k4 = ((k4 << 8) | (tmp >> 24)) & 0xFFFFFFFF; + } else { + tmp = k1; + k1 = ((k1 >> 8) | (k2 << 24)) & 0xFFFFFFFF; + k2 = ((k2 >> 8) | (tmp << 24)) & 0xFFFFFFFF; + } + /* reverse keys for decrypt */ + skey->kseed.dK[2*(15-i)+0] = skey->kseed.K[2*i+0]; + skey->kseed.dK[2*(15-i)+1] = skey->kseed.K[2*i+1]; + } + + return CRYPT_OK; +} + +static void rounds(ulong32 *P, ulong32 *K) +{ + ulong32 T, T2; + int i; + for (i = 0; i < 16; i += 2) { + F(P[0], P[1], P[2], P[3], K[0], K[1]); + F(P[2], P[3], P[0], P[1], K[2], K[3]); + K += 4; + } +} + +/** + Encrypts a block of text with SEED + @param pt The input plaintext (16 bytes) + @param ct The output ciphertext (16 bytes) + @param skey The key as scheduled + @return CRYPT_OK if successful +*/ +int kseed_ecb_encrypt(const unsigned char *pt, unsigned char *ct, symmetric_key *skey) +{ + ulong32 P[4]; + LOAD32H(P[0], pt); + LOAD32H(P[1], pt+4); + LOAD32H(P[2], pt+8); + LOAD32H(P[3], pt+12); + rounds(P, skey->kseed.K); + STORE32H(P[2], ct); + STORE32H(P[3], ct+4); + STORE32H(P[0], ct+8); + STORE32H(P[1], ct+12); + return CRYPT_OK; +} + +/** + Decrypts a block of text with SEED + @param ct The input ciphertext (16 bytes) + @param pt The output plaintext (16 bytes) + @param skey The key as scheduled + @return CRYPT_OK if successful +*/ +int kseed_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *skey) +{ + ulong32 P[4]; + LOAD32H(P[0], ct); + LOAD32H(P[1], ct+4); + LOAD32H(P[2], ct+8); + LOAD32H(P[3], ct+12); + rounds(P, skey->kseed.dK); + STORE32H(P[2], pt); + STORE32H(P[3], pt+4); + STORE32H(P[0], pt+8); + STORE32H(P[1], pt+12); + return CRYPT_OK; +} + +/** Terminate the context + @param skey The scheduled key +*/ +void kseed_done(symmetric_key *skey) +{ +} + +/** + Performs a self-test of the SEED block cipher + @return CRYPT_OK if functional, CRYPT_NOP if self-test has been disabled +*/ +int kseed_test(void) +{ +#if !defined(LTC_TEST) + return CRYPT_NOP; +#else + static const struct test { + unsigned char pt[16], ct[16], key[16]; + } tests[] = { + +{ + { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F }, + { 0x5E,0xBA,0xC6,0xE0,0x05,0x4E,0x16,0x68,0x19,0xAF,0xF1,0xCC,0x6D,0x34,0x6C,0xDB }, + { 0 }, +}, + +{ + { 0 }, + { 0xC1,0x1F,0x22,0xF2,0x01,0x40,0x50,0x50,0x84,0x48,0x35,0x97,0xE4,0x37,0x0F,0x43 }, + { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F }, +}, + +{ + { 0x83,0xA2,0xF8,0xA2,0x88,0x64,0x1F,0xB9,0xA4,0xE9,0xA5,0xCC,0x2F,0x13,0x1C,0x7D }, + { 0xEE,0x54,0xD1,0x3E,0xBC,0xAE,0x70,0x6D,0x22,0x6B,0xC3,0x14,0x2C,0xD4,0x0D,0x4A }, + { 0x47,0x06,0x48,0x08,0x51,0xE6,0x1B,0xE8,0x5D,0x74,0xBF,0xB3,0xFD,0x95,0x61,0x85 }, +}, + +{ + { 0xB4,0x1E,0x6B,0xE2,0xEB,0xA8,0x4A,0x14,0x8E,0x2E,0xED,0x84,0x59,0x3C,0x5E,0xC7 }, + { 0x9B,0x9B,0x7B,0xFC,0xD1,0x81,0x3C,0xB9,0x5D,0x0B,0x36,0x18,0xF4,0x0F,0x51,0x22 }, + { 0x28,0xDB,0xC3,0xBC,0x49,0xFF,0xD8,0x7D,0xCF,0xA5,0x09,0xB1,0x1D,0x42,0x2B,0xE7 }, +} +}; + int x; + unsigned char buf[2][16]; + symmetric_key skey; + + for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) { + kseed_setup(tests[x].key, 16, 0, &skey); + kseed_ecb_encrypt(tests[x].pt, buf[0], &skey); + kseed_ecb_decrypt(buf[0], buf[1], &skey); + if (XMEMCMP(buf[0], tests[x].ct, 16) || XMEMCMP(buf[1], tests[x].pt, 16)) { + return CRYPT_FAIL_TESTVECTOR; + } + } + return CRYPT_OK; +#endif +} + +/** + Gets suitable key size + @param keysize [in/out] The length of the recommended key (in bytes). This function will store the suitable size back in this variable. + @return CRYPT_OK if the input key size is acceptable. +*/ +int kseed_keysize(int *keysize) +{ + LTC_ARGCHK(keysize != NULL); + if (*keysize >= 16) { + *keysize = 16; + } else { + return CRYPT_INVALID_KEYSIZE; + } + return CRYPT_OK; +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ diff --git a/src/ciphers/noekeon.c b/src/ciphers/noekeon.c index ec28bfa..dc450a0 100644 --- a/src/ciphers/noekeon.c +++ b/src/ciphers/noekeon.c @@ -27,7 +27,7 @@ const struct ltc_cipher_descriptor noekeon_desc = &noekeon_test, &noekeon_done, &noekeon_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; static const ulong32 RC[] = { @@ -242,10 +242,10 @@ int noekeon_test(void) noekeon_ecb_encrypt(tests[i].pt, tmp[0], &key); noekeon_ecb_decrypt(tmp[0], tmp[1], &key); - if (memcmp(tmp[0], tests[i].ct, 16) || memcmp(tmp[1], tests[i].pt, 16)) { + if (XMEMCMP(tmp[0], tests[i].ct, 16) || XMEMCMP(tmp[1], tests[i].pt, 16)) { #if 0 printf("\n\nTest %d failed\n", i); - if (memcmp(tmp[0], tests[i].ct, 16)) { + if (XMEMCMP(tmp[0], tests[i].ct, 16)) { printf("CT: "); for (i = 0; i < 16; i++) { printf("%02x ", tmp[0][i]); diff --git a/src/ciphers/rc2.c b/src/ciphers/rc2.c index 7c307bd..5ee798a 100644 --- a/src/ciphers/rc2.c +++ b/src/ciphers/rc2.c @@ -36,7 +36,7 @@ const struct ltc_cipher_descriptor rc2_desc = { &rc2_test, &rc2_done, &rc2_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; /* 256-entry permutation table, probably derived somehow from pi */ @@ -315,7 +315,7 @@ int rc2_test(void) rc2_ecb_encrypt(tests[x].pt, tmp[0], &skey); rc2_ecb_decrypt(tmp[0], tmp[1], &skey); - if (memcmp(tmp[0], tests[x].ct, 8) != 0 || memcmp(tmp[1], tests[x].pt, 8) != 0) { + if (XMEMCMP(tmp[0], tests[x].ct, 8) != 0 || XMEMCMP(tmp[1], tests[x].pt, 8) != 0) { return CRYPT_FAIL_TESTVECTOR; } diff --git a/src/ciphers/rc5.c b/src/ciphers/rc5.c index 1006873..4948c68 100644 --- a/src/ciphers/rc5.c +++ b/src/ciphers/rc5.c @@ -29,7 +29,7 @@ const struct ltc_cipher_descriptor rc5_desc = &rc5_test, &rc5_done, &rc5_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; static const ulong32 stab[50] = { @@ -275,7 +275,7 @@ int rc5_test(void) rc5_ecb_decrypt(tmp[0], tmp[1], &key); /* compare */ - if (memcmp(tmp[0], tests[x].ct, 8) != 0 || memcmp(tmp[1], tests[x].pt, 8) != 0) { + if (XMEMCMP(tmp[0], tests[x].ct, 8) != 0 || XMEMCMP(tmp[1], tests[x].pt, 8) != 0) { return CRYPT_FAIL_TESTVECTOR; } diff --git a/src/ciphers/rc6.c b/src/ciphers/rc6.c index 1e5f176..71ec0f8 100644 --- a/src/ciphers/rc6.c +++ b/src/ciphers/rc6.c @@ -28,7 +28,7 @@ const struct ltc_cipher_descriptor rc6_desc = &rc6_test, &rc6_done, &rc6_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; static const ulong32 stab[44] = { @@ -285,17 +285,17 @@ int rc6_test(void) rc6_ecb_decrypt(tmp[0], tmp[1], &key); /* compare */ - if (memcmp(tmp[0], tests[x].ct, 16) || memcmp(tmp[1], tests[x].pt, 16)) { + if (XMEMCMP(tmp[0], tests[x].ct, 16) || XMEMCMP(tmp[1], tests[x].pt, 16)) { #if 0 printf("\n\nFailed test %d\n", x); - if (memcmp(tmp[0], tests[x].ct, 16)) { + if (XMEMCMP(tmp[0], tests[x].ct, 16)) { printf("Ciphertext: "); for (y = 0; y < 16; y++) printf("%02x ", tmp[0][y]); printf("\nExpected : "); for (y = 0; y < 16; y++) printf("%02x ", tests[x].ct[y]); printf("\n"); } - if (memcmp(tmp[1], tests[x].pt, 16)) { + if (XMEMCMP(tmp[1], tests[x].pt, 16)) { printf("Plaintext: "); for (y = 0; y < 16; y++) printf("%02x ", tmp[0][y]); printf("\nExpected : "); diff --git a/src/ciphers/safer/safer.c b/src/ciphers/safer/safer.c index ed99b40..f1099c9 100644 --- a/src/ciphers/safer/safer.c +++ b/src/ciphers/safer/safer.c @@ -42,7 +42,7 @@ const struct ltc_cipher_descriptor &safer_k64_test, &safer_done, &safer_64_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }, safer_sk64_desc = { @@ -54,7 +54,7 @@ const struct ltc_cipher_descriptor &safer_sk64_test, &safer_done, &safer_64_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }, safer_k128_desc = { @@ -66,7 +66,7 @@ const struct ltc_cipher_descriptor &safer_sk128_test, &safer_done, &safer_128_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }, safer_sk128_desc = { @@ -78,7 +78,7 @@ const struct ltc_cipher_descriptor &safer_sk128_test, &safer_done, &safer_128_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; /******************* Constants ************************************************/ @@ -396,7 +396,7 @@ int safer_k64_test(void) safer_ecb_encrypt(k64_pt, buf[0], &skey); safer_ecb_decrypt(buf[0], buf[1], &skey); - if (memcmp(buf[0], k64_ct, 8) != 0 || memcmp(buf[1], k64_pt, 8) != 0) { + if (XMEMCMP(buf[0], k64_ct, 8) != 0 || XMEMCMP(buf[1], k64_pt, 8) != 0) { return CRYPT_FAIL_TESTVECTOR; } @@ -426,7 +426,7 @@ int safer_sk64_test(void) safer_ecb_encrypt(sk64_pt, buf[0], &skey); safer_ecb_decrypt(buf[0], buf[1], &skey); - if (memcmp(buf[0], sk64_ct, 8) != 0 || memcmp(buf[1], sk64_pt, 8) != 0) { + if (XMEMCMP(buf[0], sk64_ct, 8) != 0 || XMEMCMP(buf[1], sk64_pt, 8) != 0) { return CRYPT_FAIL_TESTVECTOR; } @@ -468,7 +468,7 @@ int safer_sk128_test(void) safer_ecb_encrypt(sk128_pt, buf[0], &skey); safer_ecb_decrypt(buf[0], buf[1], &skey); - if (memcmp(buf[0], sk128_ct, 8) != 0 || memcmp(buf[1], sk128_pt, 8) != 0) { + if (XMEMCMP(buf[0], sk128_ct, 8) != 0 || XMEMCMP(buf[1], sk128_pt, 8) != 0) { return CRYPT_FAIL_TESTVECTOR; } diff --git a/src/ciphers/safer/saferp.c b/src/ciphers/safer/saferp.c index 4a2e71d..0b4880b 100644 --- a/src/ciphers/safer/saferp.c +++ b/src/ciphers/safer/saferp.c @@ -28,7 +28,7 @@ const struct ltc_cipher_descriptor saferp_desc = &saferp_test, &saferp_done, &saferp_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; /* ROUND(b,i) @@ -507,7 +507,7 @@ int saferp_test(void) saferp_ecb_decrypt(tmp[0], tmp[1], &skey); /* compare */ - if (memcmp(tmp[0], tests[i].ct, 16) || memcmp(tmp[1], tests[i].pt, 16)) { + if (XMEMCMP(tmp[0], tests[i].ct, 16) || XMEMCMP(tmp[1], tests[i].pt, 16)) { return CRYPT_FAIL_TESTVECTOR; } diff --git a/src/ciphers/skipjack.c b/src/ciphers/skipjack.c index a37f167..bcdea90 100644 --- a/src/ciphers/skipjack.c +++ b/src/ciphers/skipjack.c @@ -28,7 +28,7 @@ const struct ltc_cipher_descriptor skipjack_desc = &skipjack_test, &skipjack_done, &skipjack_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; static const unsigned char sbox[256] = { @@ -298,7 +298,7 @@ int skipjack_test(void) skipjack_ecb_decrypt(buf[0], buf[1], &key); /* compare */ - if (memcmp(buf[0], tests[x].ct, 8) != 0 || memcmp(buf[1], tests[x].pt, 8) != 0) { + if (XMEMCMP(buf[0], tests[x].ct, 8) != 0 || XMEMCMP(buf[1], tests[x].pt, 8) != 0) { return CRYPT_FAIL_TESTVECTOR; } diff --git a/src/ciphers/twofish/twofish.c b/src/ciphers/twofish/twofish.c index 9c01998..cf3fb5a 100644 --- a/src/ciphers/twofish/twofish.c +++ b/src/ciphers/twofish/twofish.c @@ -35,7 +35,7 @@ const struct ltc_cipher_descriptor twofish_desc = &twofish_test, &twofish_done, &twofish_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; /* the two polynomials */ @@ -661,7 +661,10 @@ int twofish_test(void) } twofish_ecb_encrypt(tests[i].pt, tmp[0], &key); twofish_ecb_decrypt(tmp[0], tmp[1], &key); - if (memcmp(tmp[0], tests[i].ct, 16) != 0 || memcmp(tmp[1], tests[i].pt, 16) != 0) { + if (XMEMCMP(tmp[0], tests[i].ct, 16) != 0 || XMEMCMP(tmp[1], tests[i].pt, 16) != 0) { +#if 0 + printf("Twofish failed test %d, %d, %d\n", i, XMEMCMP(tmp[0], tests[i].ct, 16), XMEMCMP(tmp[1], tests[i].pt, 16)); +#endif return CRYPT_FAIL_TESTVECTOR; } /* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */ diff --git a/src/ciphers/xtea.c b/src/ciphers/xtea.c index 382555b..cc9d191 100644 --- a/src/ciphers/xtea.c +++ b/src/ciphers/xtea.c @@ -28,7 +28,7 @@ const struct ltc_cipher_descriptor xtea_desc = &xtea_test, &xtea_done, &xtea_keysize, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; int xtea_setup(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey) @@ -164,7 +164,7 @@ int xtea_test(void) xtea_ecb_encrypt(pt, tmp[0], &skey); xtea_ecb_decrypt(tmp[0], tmp[1], &skey); - if (memcmp(tmp[0], ct, 8) != 0 || memcmp(tmp[1], pt, 8) != 0) { + if (XMEMCMP(tmp[0], ct, 8) != 0 || XMEMCMP(tmp[1], pt, 8) != 0) { return CRYPT_FAIL_TESTVECTOR; } diff --git a/src/encauth/ccm/ccm_test.c b/src/encauth/ccm/ccm_test.c index f3d3a8e..0222a5b 100644 --- a/src/encauth/ccm/ccm_test.c +++ b/src/encauth/ccm/ccm_test.c @@ -143,10 +143,10 @@ int ccm_test(void) return err; } - if (memcmp(buf, tests[x].ct, tests[x].ptlen)) { + if (XMEMCMP(buf, tests[x].ct, tests[x].ptlen)) { return CRYPT_FAIL_TESTVECTOR; } - if (memcmp(tag, tests[x].tag, tests[x].taglen)) { + if (XMEMCMP(tag, tests[x].tag, tests[x].taglen)) { return CRYPT_FAIL_TESTVECTOR; } @@ -161,10 +161,10 @@ int ccm_test(void) return err; } - if (memcmp(buf2, tests[x].pt, tests[x].ptlen)) { + if (XMEMCMP(buf2, tests[x].pt, tests[x].ptlen)) { return CRYPT_FAIL_TESTVECTOR; } - if (memcmp(tag2, tests[x].tag, tests[x].taglen)) { + if (XMEMCMP(tag2, tests[x].tag, tests[x].taglen)) { return CRYPT_FAIL_TESTVECTOR; } cipher_descriptor[idx].done(&skey); diff --git a/src/encauth/eax/eax_decrypt_verify_memory.c b/src/encauth/eax/eax_decrypt_verify_memory.c index acf4bf5..b1de421 100644 --- a/src/encauth/eax/eax_decrypt_verify_memory.c +++ b/src/encauth/eax/eax_decrypt_verify_memory.c @@ -84,7 +84,7 @@ int eax_decrypt_verify_memory(int cipher, } /* compare tags */ - if (buflen >= taglen && memcmp(buf, tag, taglen) == 0) { + if (buflen >= taglen && XMEMCMP(buf, tag, taglen) == 0) { *stat = 1; } diff --git a/src/encauth/eax/eax_test.c b/src/encauth/eax/eax_test.c index df9ad4d..a1c992f 100644 --- a/src/encauth/eax/eax_test.c +++ b/src/encauth/eax/eax_test.c @@ -231,7 +231,7 @@ int eax_test(void) tests[x].plaintext, tests[x].msglen, outct, outtag, &len)) != CRYPT_OK) { return err; } - if (memcmp(outct, tests[x].ciphertext, tests[x].msglen) || memcmp(outtag, tests[x].tag, len)) { + if (XMEMCMP(outct, tests[x].ciphertext, tests[x].msglen) || XMEMCMP(outtag, tests[x].tag, len)) { #if 0 unsigned long y; printf("\n\nFailure: \nCT:\n"); @@ -256,7 +256,7 @@ int eax_test(void) outct, tests[x].msglen, outct, outtag, len, &res)) != CRYPT_OK) { return err; } - if ((res != 1) || memcmp(outct, tests[x].plaintext, tests[x].msglen)) { + if ((res != 1) || XMEMCMP(outct, tests[x].plaintext, tests[x].msglen)) { #if 0 unsigned long y; printf("\n\nFailure (res == %d): \nPT:\n", res); diff --git a/src/encauth/gcm/gcm_add_aad.c b/src/encauth/gcm/gcm_add_aad.c index 07b1ef1..c859146 100644 --- a/src/encauth/gcm/gcm_add_aad.c +++ b/src/encauth/gcm/gcm_add_aad.c @@ -57,7 +57,7 @@ int gcm_add_aad(gcm_state *gcm, gcm->totlen += gcm->buflen * CONST64(8); gcm_mult_h(gcm, gcm->X); } - + /* mix in the length */ zeromem(gcm->buf, 8); STORE64H(gcm->totlen, gcm->buf+8); diff --git a/src/encauth/gcm/gcm_process.c b/src/encauth/gcm/gcm_process.c index 7fa34ca..f563180 100644 --- a/src/encauth/gcm/gcm_process.c +++ b/src/encauth/gcm/gcm_process.c @@ -31,9 +31,9 @@ int gcm_process(gcm_state *gcm, unsigned char *ct, int direction) { - unsigned long x, y; + unsigned long x; + int y, err; unsigned char b; - int err; LTC_ARGCHK(gcm != NULL); if (ptlen > 0) { @@ -58,7 +58,7 @@ int gcm_process(gcm_state *gcm, } /* increment counter */ - for (y = 15; y >= 12; y--) { + for (y = 15; y >= 0; y--) { if (++gcm->Y[y] & 255) { break; } } /* encrypt the counter */ @@ -88,7 +88,7 @@ int gcm_process(gcm_state *gcm, gcm->pttotlen += 128; gcm_mult_h(gcm, gcm->X); /* increment counter */ - for (y = 15; y >= 12; y--) { + for (y = 15; y >= 0; y--) { if (++gcm->Y[y] & 255) { break; } } if ((err = cipher_descriptor[gcm->cipher].ecb_encrypt(gcm->Y, gcm->buf, &gcm->K)) != CRYPT_OK) { @@ -106,7 +106,7 @@ int gcm_process(gcm_state *gcm, gcm->pttotlen += 128; gcm_mult_h(gcm, gcm->X); /* increment counter */ - for (y = 15; y >= 12; y--) { + for (y = 15; y >= 0; y--) { if (++gcm->Y[y] & 255) { break; } } if ((err = cipher_descriptor[gcm->cipher].ecb_encrypt(gcm->Y, gcm->buf, &gcm->K)) != CRYPT_OK) { @@ -124,7 +124,7 @@ int gcm_process(gcm_state *gcm, gcm_mult_h(gcm, gcm->X); /* increment counter */ - for (y = 15; y >= 12; y--) { + for (y = 15; y >= 0; y--) { if (++gcm->Y[y] & 255) { break; } } if ((err = cipher_descriptor[gcm->cipher].ecb_encrypt(gcm->Y, gcm->buf, &gcm->K)) != CRYPT_OK) { @@ -145,10 +145,7 @@ int gcm_process(gcm_state *gcm, return CRYPT_OK; } - - #endif - /* $Source$ */ /* $Revision$ */ diff --git a/src/encauth/gcm/gcm_test.c b/src/encauth/gcm/gcm_test.c index 309ab51..52e9915 100644 --- a/src/encauth/gcm/gcm_test.c +++ b/src/encauth/gcm/gcm_test.c @@ -275,8 +275,39 @@ int gcm_test(void) /* TAG */ { 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa, 0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50, } +}, + +#if 0 + +/* test case #10 */ +{ + { 0xdb, 0xbc, 0x85, 0x66, 0xd6, 0xf5, 0xb1, 0x58, + 0xda, 0x99, 0xa2, 0xff, 0x2e, 0x01, 0xdd, 0xa6, + 0x29, 0xb8, 0x9c, 0x34, 0xad, 0x1e, 0x5f, 0xeb, + 0xa7, 0x0e, 0x7a, 0xae, 0x43, 0x28, 0x28, 0x9c }, + 32, + + { 0xce, 0x20, 0x27, 0xb4, 0x7a, 0x84, 0x32, 0x52, + 0x01, 0x34, 0x65, 0x83, 0x4d, 0x75, 0xfd, 0x0f }, + 16, + + { 0 }, + 0, + + { 0xcf, 0xc0, 0x6e, 0x72, 0x2b, 0xe9, 0x87, 0xb3, + 0x76, 0x7f, 0x70, 0xa7, 0xb8, 0x56, 0xb7, 0x74 }, + 16, + + { 0x03, 0x30, 0xea, 0x65, 0xb1, 0xf4, 0x8a, 0xd7, + 0x18, 0xc3, 0xf1, 0xf3, 0xdc, 0xef, 0xe4, 0x20 }, + + { 0xe9, 0xef, 0xa9, 0x97, 0xd0, 0xae, 0x82, 0x42, + 0x90, 0xbb, 0x5a, 0x66, 0x95, 0xff, 0x2c, 0x7a } } +#endif + + /* rest of test cases are the same except AES key size changes... ignored... */ }; int idx, err; @@ -302,7 +333,7 @@ int gcm_test(void) return err; } - if (memcmp(out[0], tests[x].C, tests[x].ptlen)) { + if (XMEMCMP(out[0], tests[x].C, tests[x].ptlen)) { #if 0 printf("\nCiphertext wrong %lu\n", x); for (y = 0; y < tests[x].ptlen; y++) { @@ -313,7 +344,7 @@ int gcm_test(void) return CRYPT_FAIL_TESTVECTOR; } - if (memcmp(T[0], tests[x].T, 16)) { + if (XMEMCMP(T[0], tests[x].T, 16)) { #if 0 printf("\nTag on plaintext wrong %lu\n", x); for (y = 0; y < 16; y++) { @@ -333,7 +364,7 @@ int gcm_test(void) return err; } - if (memcmp(out[1], tests[x].P, tests[x].ptlen)) { + if (XMEMCMP(out[1], tests[x].P, tests[x].ptlen)) { #if 0 printf("\nplaintext wrong %lu\n", x); for (y = 0; y < tests[x].ptlen; y++) { @@ -344,7 +375,7 @@ int gcm_test(void) return CRYPT_FAIL_TESTVECTOR; } - if (memcmp(T[1], tests[x].T, 16)) { + if (XMEMCMP(T[1], tests[x].T, 16)) { #if 0 printf("\nTag on ciphertext wrong %lu\n", x); for (y = 0; y < 16; y++) { diff --git a/src/encauth/ocb/ocb_done_decrypt.c b/src/encauth/ocb/ocb_done_decrypt.c index f416ca5..1a0f981 100644 --- a/src/encauth/ocb/ocb_done_decrypt.c +++ b/src/encauth/ocb/ocb_done_decrypt.c @@ -57,7 +57,7 @@ int ocb_done_decrypt(ocb_state *ocb, goto LBL_ERR; } - if (taglen <= tagbuflen && memcmp(tagbuf, tag, taglen) == 0) { + if (taglen <= tagbuflen && XMEMCMP(tagbuf, tag, taglen) == 0) { *stat = 1; } diff --git a/src/encauth/ocb/ocb_test.c b/src/encauth/ocb/ocb_test.c index c74ba0e..cf1eb58 100644 --- a/src/encauth/ocb/ocb_test.c +++ b/src/encauth/ocb/ocb_test.c @@ -182,7 +182,7 @@ int ocb_test(void) return err; } - if (memcmp(outtag, tests[x].tag, len) || memcmp(outct, tests[x].ct, tests[x].ptlen)) { + if (XMEMCMP(outtag, tests[x].tag, len) || XMEMCMP(outct, tests[x].ct, tests[x].ptlen)) { #if 0 unsigned long y; printf("\n\nFailure: \nCT:\n"); @@ -205,7 +205,7 @@ int ocb_test(void) outct, tests[x].tag, len, &res)) != CRYPT_OK) { return err; } - if ((res != 1) || memcmp(tests[x].pt, outct, tests[x].ptlen)) { + if ((res != 1) || XMEMCMP(tests[x].pt, outct, tests[x].ptlen)) { #if 0 unsigned long y; printf("\n\nFailure-decrypt: \nPT:\n"); diff --git a/src/hashes/chc/chc.c b/src/hashes/chc/chc.c index 1ccae03..a2cc3c8 100644 --- a/src/hashes/chc/chc.c +++ b/src/hashes/chc/chc.c @@ -142,7 +142,7 @@ static int chc_compress(hash_state *md, unsigned char *buf) XFREE(key); return err; } - memcpy(T[1], buf, cipher_blocksize); + XMEMCPY(T[1], buf, cipher_blocksize); cipher_descriptor[cipher_idx].ecb_encrypt(buf, T[0], key); for (x = 0; x < cipher_blocksize; x++) { md->chc.state[x] ^= T[0][x] ^ T[1][x]; @@ -280,7 +280,7 @@ int chc_test(void) chc_init(&md); chc_process(&md, tests[x].msg, strlen((char *)tests[x].msg)); chc_done(&md, out); - if (memcmp(out, tests[x].md, tests[x].len)) { + if (XMEMCMP(out, tests[x].md, tests[x].len)) { return CRYPT_FAIL_TESTVECTOR; } } diff --git a/src/hashes/md2.c b/src/hashes/md2.c index 9f33db2..d7d556e 100644 --- a/src/hashes/md2.c +++ b/src/hashes/md2.c @@ -235,7 +235,7 @@ int md2_test(void) md2_init(&md); md2_process(&md, (unsigned char*)tests[i].msg, (unsigned long)strlen(tests[i].msg)); md2_done(&md, buf); - if (memcmp(buf, tests[i].md, 16) != 0) { + if (XMEMCMP(buf, tests[i].md, 16) != 0) { return CRYPT_FAIL_TESTVECTOR; } } diff --git a/src/hashes/md4.c b/src/hashes/md4.c index c451ec8..ad49450 100644 --- a/src/hashes/md4.c +++ b/src/hashes/md4.c @@ -289,7 +289,7 @@ int md4_test(void) md4_init(&md); md4_process(&md, (unsigned char *)cases[i].input, (unsigned long)strlen(cases[i].input)); md4_done(&md, digest); - if (memcmp(digest, cases[i].digest, 16) != 0) { + if (XMEMCMP(digest, cases[i].digest, 16) != 0) { return CRYPT_FAIL_TESTVECTOR; } diff --git a/src/hashes/md5.c b/src/hashes/md5.c index 4861760..4ec21e0 100644 --- a/src/hashes/md5.c +++ b/src/hashes/md5.c @@ -351,7 +351,7 @@ int md5_test(void) md5_init(&md); md5_process(&md, (unsigned char *)tests[i].msg, (unsigned long)strlen(tests[i].msg)); md5_done(&md, tmp); - if (memcmp(tmp, tests[i].hash, 16) != 0) { + if (XMEMCMP(tmp, tests[i].hash, 16) != 0) { return CRYPT_FAIL_TESTVECTOR; } } diff --git a/src/hashes/rmd128.c b/src/hashes/rmd128.c index 40d88a6..9a2ec77 100644 --- a/src/hashes/rmd128.c +++ b/src/hashes/rmd128.c @@ -391,7 +391,7 @@ int rmd128_test(void) rmd128_init(&md); rmd128_process(&md, (unsigned char *)tests[x].msg, strlen(tests[x].msg)); rmd128_done(&md, buf); - if (memcmp(buf, tests[x].md, 16) != 0) { + if (XMEMCMP(buf, tests[x].md, 16) != 0) { #if 0 printf("Failed test %d\n", x); #endif diff --git a/src/hashes/rmd160.c b/src/hashes/rmd160.c index 06b1b42..8b288ee 100644 --- a/src/hashes/rmd160.c +++ b/src/hashes/rmd160.c @@ -450,7 +450,7 @@ int rmd160_test(void) rmd160_init(&md); rmd160_process(&md, (unsigned char *)tests[x].msg, strlen(tests[x].msg)); rmd160_done(&md, buf); - if (memcmp(buf, tests[x].md, 20) != 0) { + if (XMEMCMP(buf, tests[x].md, 20) != 0) { #if 0 printf("Failed test %d\n", x); #endif diff --git a/src/hashes/rmd256.c b/src/hashes/rmd256.c new file mode 100644 index 0000000..4540ef9 --- /dev/null +++ b/src/hashes/rmd256.c @@ -0,0 +1,431 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @param rmd256.c + RMD256 Hash function +*/ + +#ifdef RIPEMD256 + +const struct ltc_hash_descriptor rmd256_desc = +{ + "rmd256", + 8, + 16, + 64, + + /* OID */ + { 1, 3, 36, 3, 2, 3 }, + 6, + + &rmd256_init, + &rmd256_process, + &rmd256_done, + &rmd256_test, + NULL +}; + +/* the four basic functions F(), G() and H() */ +#define F(x, y, z) ((x) ^ (y) ^ (z)) +#define G(x, y, z) (((x) & (y)) | (~(x) & (z))) +#define H(x, y, z) (((x) | ~(y)) ^ (z)) +#define I(x, y, z) (((x) & (z)) | ((y) & ~(z))) + +/* the eight basic operations FF() through III() */ +#define FF(a, b, c, d, x, s) \ + (a) += F((b), (c), (d)) + (x);\ + (a) = ROLc((a), (s)); + +#define GG(a, b, c, d, x, s) \ + (a) += G((b), (c), (d)) + (x) + 0x5a827999UL;\ + (a) = ROLc((a), (s)); + +#define HH(a, b, c, d, x, s) \ + (a) += H((b), (c), (d)) + (x) + 0x6ed9eba1UL;\ + (a) = ROLc((a), (s)); + +#define II(a, b, c, d, x, s) \ + (a) += I((b), (c), (d)) + (x) + 0x8f1bbcdcUL;\ + (a) = ROLc((a), (s)); + +#define FFF(a, b, c, d, x, s) \ + (a) += F((b), (c), (d)) + (x);\ + (a) = ROLc((a), (s)); + +#define GGG(a, b, c, d, x, s) \ + (a) += G((b), (c), (d)) + (x) + 0x6d703ef3UL;\ + (a) = ROLc((a), (s)); + +#define HHH(a, b, c, d, x, s) \ + (a) += H((b), (c), (d)) + (x) + 0x5c4dd124UL;\ + (a) = ROLc((a), (s)); + +#define III(a, b, c, d, x, s) \ + (a) += I((b), (c), (d)) + (x) + 0x50a28be6UL;\ + (a) = ROLc((a), (s)); + +#ifdef LTC_CLEAN_STACK +static int _rmd256_compress(hash_state *md, unsigned char *buf) +#else +static int rmd256_compress(hash_state *md, unsigned char *buf) +#endif +{ + ulong32 aa,bb,cc,dd,aaa,bbb,ccc,ddd,tmp,X[16]; + int i; + + /* load words X */ + for (i = 0; i < 16; i++){ + LOAD32L(X[i], buf + (4 * i)); + } + + /* load state */ + aa = md->rmd256.state[0]; + bb = md->rmd256.state[1]; + cc = md->rmd256.state[2]; + dd = md->rmd256.state[3]; + aaa = md->rmd256.state[4]; + bbb = md->rmd256.state[5]; + ccc = md->rmd256.state[6]; + ddd = md->rmd256.state[7]; + + /* round 1 */ + FF(aa, bb, cc, dd, X[ 0], 11); + FF(dd, aa, bb, cc, X[ 1], 14); + FF(cc, dd, aa, bb, X[ 2], 15); + FF(bb, cc, dd, aa, X[ 3], 12); + FF(aa, bb, cc, dd, X[ 4], 5); + FF(dd, aa, bb, cc, X[ 5], 8); + FF(cc, dd, aa, bb, X[ 6], 7); + FF(bb, cc, dd, aa, X[ 7], 9); + FF(aa, bb, cc, dd, X[ 8], 11); + FF(dd, aa, bb, cc, X[ 9], 13); + FF(cc, dd, aa, bb, X[10], 14); + FF(bb, cc, dd, aa, X[11], 15); + FF(aa, bb, cc, dd, X[12], 6); + FF(dd, aa, bb, cc, X[13], 7); + FF(cc, dd, aa, bb, X[14], 9); + FF(bb, cc, dd, aa, X[15], 8); + + /* parallel round 1 */ + III(aaa, bbb, ccc, ddd, X[ 5], 8); + III(ddd, aaa, bbb, ccc, X[14], 9); + III(ccc, ddd, aaa, bbb, X[ 7], 9); + III(bbb, ccc, ddd, aaa, X[ 0], 11); + III(aaa, bbb, ccc, ddd, X[ 9], 13); + III(ddd, aaa, bbb, ccc, X[ 2], 15); + III(ccc, ddd, aaa, bbb, X[11], 15); + III(bbb, ccc, ddd, aaa, X[ 4], 5); + III(aaa, bbb, ccc, ddd, X[13], 7); + III(ddd, aaa, bbb, ccc, X[ 6], 7); + III(ccc, ddd, aaa, bbb, X[15], 8); + III(bbb, ccc, ddd, aaa, X[ 8], 11); + III(aaa, bbb, ccc, ddd, X[ 1], 14); + III(ddd, aaa, bbb, ccc, X[10], 14); + III(ccc, ddd, aaa, bbb, X[ 3], 12); + III(bbb, ccc, ddd, aaa, X[12], 6); + + tmp = aa; aa = aaa; aaa = tmp; + + /* round 2 */ + GG(aa, bb, cc, dd, X[ 7], 7); + GG(dd, aa, bb, cc, X[ 4], 6); + GG(cc, dd, aa, bb, X[13], 8); + GG(bb, cc, dd, aa, X[ 1], 13); + GG(aa, bb, cc, dd, X[10], 11); + GG(dd, aa, bb, cc, X[ 6], 9); + GG(cc, dd, aa, bb, X[15], 7); + GG(bb, cc, dd, aa, X[ 3], 15); + GG(aa, bb, cc, dd, X[12], 7); + GG(dd, aa, bb, cc, X[ 0], 12); + GG(cc, dd, aa, bb, X[ 9], 15); + GG(bb, cc, dd, aa, X[ 5], 9); + GG(aa, bb, cc, dd, X[ 2], 11); + GG(dd, aa, bb, cc, X[14], 7); + GG(cc, dd, aa, bb, X[11], 13); + GG(bb, cc, dd, aa, X[ 8], 12); + + /* parallel round 2 */ + HHH(aaa, bbb, ccc, ddd, X[ 6], 9); + HHH(ddd, aaa, bbb, ccc, X[11], 13); + HHH(ccc, ddd, aaa, bbb, X[ 3], 15); + HHH(bbb, ccc, ddd, aaa, X[ 7], 7); + HHH(aaa, bbb, ccc, ddd, X[ 0], 12); + HHH(ddd, aaa, bbb, ccc, X[13], 8); + HHH(ccc, ddd, aaa, bbb, X[ 5], 9); + HHH(bbb, ccc, ddd, aaa, X[10], 11); + HHH(aaa, bbb, ccc, ddd, X[14], 7); + HHH(ddd, aaa, bbb, ccc, X[15], 7); + HHH(ccc, ddd, aaa, bbb, X[ 8], 12); + HHH(bbb, ccc, ddd, aaa, X[12], 7); + HHH(aaa, bbb, ccc, ddd, X[ 4], 6); + HHH(ddd, aaa, bbb, ccc, X[ 9], 15); + HHH(ccc, ddd, aaa, bbb, X[ 1], 13); + HHH(bbb, ccc, ddd, aaa, X[ 2], 11); + + tmp = bb; bb = bbb; bbb = tmp; + + /* round 3 */ + HH(aa, bb, cc, dd, X[ 3], 11); + HH(dd, aa, bb, cc, X[10], 13); + HH(cc, dd, aa, bb, X[14], 6); + HH(bb, cc, dd, aa, X[ 4], 7); + HH(aa, bb, cc, dd, X[ 9], 14); + HH(dd, aa, bb, cc, X[15], 9); + HH(cc, dd, aa, bb, X[ 8], 13); + HH(bb, cc, dd, aa, X[ 1], 15); + HH(aa, bb, cc, dd, X[ 2], 14); + HH(dd, aa, bb, cc, X[ 7], 8); + HH(cc, dd, aa, bb, X[ 0], 13); + HH(bb, cc, dd, aa, X[ 6], 6); + HH(aa, bb, cc, dd, X[13], 5); + HH(dd, aa, bb, cc, X[11], 12); + HH(cc, dd, aa, bb, X[ 5], 7); + HH(bb, cc, dd, aa, X[12], 5); + + /* parallel round 3 */ + GGG(aaa, bbb, ccc, ddd, X[15], 9); + GGG(ddd, aaa, bbb, ccc, X[ 5], 7); + GGG(ccc, ddd, aaa, bbb, X[ 1], 15); + GGG(bbb, ccc, ddd, aaa, X[ 3], 11); + GGG(aaa, bbb, ccc, ddd, X[ 7], 8); + GGG(ddd, aaa, bbb, ccc, X[14], 6); + GGG(ccc, ddd, aaa, bbb, X[ 6], 6); + GGG(bbb, ccc, ddd, aaa, X[ 9], 14); + GGG(aaa, bbb, ccc, ddd, X[11], 12); + GGG(ddd, aaa, bbb, ccc, X[ 8], 13); + GGG(ccc, ddd, aaa, bbb, X[12], 5); + GGG(bbb, ccc, ddd, aaa, X[ 2], 14); + GGG(aaa, bbb, ccc, ddd, X[10], 13); + GGG(ddd, aaa, bbb, ccc, X[ 0], 13); + GGG(ccc, ddd, aaa, bbb, X[ 4], 7); + GGG(bbb, ccc, ddd, aaa, X[13], 5); + + tmp = cc; cc = ccc; ccc = tmp; + + /* round 4 */ + II(aa, bb, cc, dd, X[ 1], 11); + II(dd, aa, bb, cc, X[ 9], 12); + II(cc, dd, aa, bb, X[11], 14); + II(bb, cc, dd, aa, X[10], 15); + II(aa, bb, cc, dd, X[ 0], 14); + II(dd, aa, bb, cc, X[ 8], 15); + II(cc, dd, aa, bb, X[12], 9); + II(bb, cc, dd, aa, X[ 4], 8); + II(aa, bb, cc, dd, X[13], 9); + II(dd, aa, bb, cc, X[ 3], 14); + II(cc, dd, aa, bb, X[ 7], 5); + II(bb, cc, dd, aa, X[15], 6); + II(aa, bb, cc, dd, X[14], 8); + II(dd, aa, bb, cc, X[ 5], 6); + II(cc, dd, aa, bb, X[ 6], 5); + II(bb, cc, dd, aa, X[ 2], 12); + + /* parallel round 4 */ + FFF(aaa, bbb, ccc, ddd, X[ 8], 15); + FFF(ddd, aaa, bbb, ccc, X[ 6], 5); + FFF(ccc, ddd, aaa, bbb, X[ 4], 8); + FFF(bbb, ccc, ddd, aaa, X[ 1], 11); + FFF(aaa, bbb, ccc, ddd, X[ 3], 14); + FFF(ddd, aaa, bbb, ccc, X[11], 14); + FFF(ccc, ddd, aaa, bbb, X[15], 6); + FFF(bbb, ccc, ddd, aaa, X[ 0], 14); + FFF(aaa, bbb, ccc, ddd, X[ 5], 6); + FFF(ddd, aaa, bbb, ccc, X[12], 9); + FFF(ccc, ddd, aaa, bbb, X[ 2], 12); + FFF(bbb, ccc, ddd, aaa, X[13], 9); + FFF(aaa, bbb, ccc, ddd, X[ 9], 12); + FFF(ddd, aaa, bbb, ccc, X[ 7], 5); + FFF(ccc, ddd, aaa, bbb, X[10], 15); + FFF(bbb, ccc, ddd, aaa, X[14], 8); + + tmp = dd; dd = ddd; ddd = tmp; + + /* combine results */ + md->rmd256.state[0] += aa; + md->rmd256.state[1] += bb; + md->rmd256.state[2] += cc; + md->rmd256.state[3] += dd; + md->rmd256.state[4] += aaa; + md->rmd256.state[5] += bbb; + md->rmd256.state[6] += ccc; + md->rmd256.state[7] += ddd; + + return CRYPT_OK; +} + +#ifdef LTC_CLEAN_STACK +static int rmd256_compress(hash_state *md, unsigned char *buf) +{ + int err; + err = _rmd256_compress(md, buf); + burn_stack(sizeof(ulong32) * 25 + sizeof(int)); + return err; +} +#endif + +/** + Initialize the hash state + @param md The hash state you wish to initialize + @return CRYPT_OK if successful +*/ +int rmd256_init(hash_state * md) +{ + LTC_ARGCHK(md != NULL); + md->rmd256.state[0] = 0x67452301UL; + md->rmd256.state[1] = 0xefcdab89UL; + md->rmd256.state[2] = 0x98badcfeUL; + md->rmd256.state[3] = 0x10325476UL; + md->rmd256.state[4] = 0x76543210UL; + md->rmd256.state[5] = 0xfedcba98UL; + md->rmd256.state[6] = 0x89abcdefUL; + md->rmd256.state[7] = 0x01234567UL; + md->rmd256.curlen = 0; + md->rmd256.length = 0; + return CRYPT_OK; +} + +/** + Process a block of memory though the hash + @param md The hash state + @param in The data to hash + @param inlen The length of the data (octets) + @return CRYPT_OK if successful +*/ +HASH_PROCESS(rmd256_process, rmd256_compress, rmd256, 64) + +/** + Terminate the hash to get the digest + @param md The hash state + @param out [out] The destination of the hash (16 bytes) + @return CRYPT_OK if successful +*/ +int rmd256_done(hash_state * md, unsigned char *out) +{ + int i; + + LTC_ARGCHK(md != NULL); + LTC_ARGCHK(out != NULL); + + if (md->rmd256.curlen >= sizeof(md->rmd256.buf)) { + return CRYPT_INVALID_ARG; + } + + + /* increase the length of the message */ + md->rmd256.length += md->rmd256.curlen * 8; + + /* append the '1' bit */ + md->rmd256.buf[md->rmd256.curlen++] = (unsigned char)0x80; + + /* if the length is currently above 56 bytes we append zeros + * then compress. Then we can fall back to padding zeros and length + * encoding like normal. + */ + if (md->rmd256.curlen > 56) { + while (md->rmd256.curlen < 64) { + md->rmd256.buf[md->rmd256.curlen++] = (unsigned char)0; + } + rmd256_compress(md, md->rmd256.buf); + md->rmd256.curlen = 0; + } + + /* pad upto 56 bytes of zeroes */ + while (md->rmd256.curlen < 56) { + md->rmd256.buf[md->rmd256.curlen++] = (unsigned char)0; + } + + /* store length */ + STORE64L(md->rmd256.length, md->rmd256.buf+56); + rmd256_compress(md, md->rmd256.buf); + + /* copy output */ + for (i = 0; i < 8; i++) { + STORE32L(md->rmd256.state[i], out+(4*i)); + } +#ifdef LTC_CLEAN_STACK + zeromem(md, sizeof(hash_state)); +#endif + return CRYPT_OK; +} + +/** + Self-test the hash + @return CRYPT_OK if successful, CRYPT_NOP if self-tests have been disabled +*/ +int rmd256_test(void) +{ +#ifndef LTC_TEST + return CRYPT_NOP; +#else + static const struct { + char *msg; + unsigned char md[32]; + } tests[] = { + { "", + { 0x02, 0xba, 0x4c, 0x4e, 0x5f, 0x8e, 0xcd, 0x18, + 0x77, 0xfc, 0x52, 0xd6, 0x4d, 0x30, 0xe3, 0x7a, + 0x2d, 0x97, 0x74, 0xfb, 0x1e, 0x5d, 0x02, 0x63, + 0x80, 0xae, 0x01, 0x68, 0xe3, 0xc5, 0x52, 0x2d } + }, + { "a", + { 0xf9, 0x33, 0x3e, 0x45, 0xd8, 0x57, 0xf5, 0xd9, + 0x0a, 0x91, 0xba, 0xb7, 0x0a, 0x1e, 0xba, 0x0c, + 0xfb, 0x1b, 0xe4, 0xb0, 0x78, 0x3c, 0x9a, 0xcf, + 0xcd, 0x88, 0x3a, 0x91, 0x34, 0x69, 0x29, 0x25 } + }, + { "abc", + { 0xaf, 0xbd, 0x6e, 0x22, 0x8b, 0x9d, 0x8c, 0xbb, + 0xce, 0xf5, 0xca, 0x2d, 0x03, 0xe6, 0xdb, 0xa1, + 0x0a, 0xc0, 0xbc, 0x7d, 0xcb, 0xe4, 0x68, 0x0e, + 0x1e, 0x42, 0xd2, 0xe9, 0x75, 0x45, 0x9b, 0x65 } + }, + { "message digest", + { 0x87, 0xe9, 0x71, 0x75, 0x9a, 0x1c, 0xe4, 0x7a, + 0x51, 0x4d, 0x5c, 0x91, 0x4c, 0x39, 0x2c, 0x90, + 0x18, 0xc7, 0xc4, 0x6b, 0xc1, 0x44, 0x65, 0x55, + 0x4a, 0xfc, 0xdf, 0x54, 0xa5, 0x07, 0x0c, 0x0e } + }, + { "abcdefghijklmnopqrstuvwxyz", + { 0x64, 0x9d, 0x30, 0x34, 0x75, 0x1e, 0xa2, 0x16, + 0x77, 0x6b, 0xf9, 0xa1, 0x8a, 0xcc, 0x81, 0xbc, + 0x78, 0x96, 0x11, 0x8a, 0x51, 0x97, 0x96, 0x87, + 0x82, 0xdd, 0x1f, 0xd9, 0x7d, 0x8d, 0x51, 0x33 } + }, + { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", + { 0x57, 0x40, 0xa4, 0x08, 0xac, 0x16, 0xb7, 0x20, + 0xb8, 0x44, 0x24, 0xae, 0x93, 0x1c, 0xbb, 0x1f, + 0xe3, 0x63, 0xd1, 0xd0, 0xbf, 0x40, 0x17, 0xf1, + 0xa8, 0x9f, 0x7e, 0xa6, 0xde, 0x77, 0xa0, 0xb8 } + } + }; + int x; + unsigned char buf[32]; + hash_state md; + + for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) { + rmd256_init(&md); + rmd256_process(&md, (unsigned char *)tests[x].msg, strlen(tests[x].msg)); + rmd256_done(&md, buf); + if (XMEMCMP(buf, tests[x].md, 32) != 0) { + #if 0 + printf("Failed test %d\n", x); + #endif + return CRYPT_FAIL_TESTVECTOR; + } + } + return CRYPT_OK; +#endif +} + +#endif + diff --git a/src/hashes/rmd320.c b/src/hashes/rmd320.c new file mode 100644 index 0000000..a11fca4 --- /dev/null +++ b/src/hashes/rmd320.c @@ -0,0 +1,495 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file rmd320.c + RMD320 hash function +*/ + +#ifdef RIPEMD320 + +const struct ltc_hash_descriptor rmd320_desc = +{ + "rmd320", + 9, + 20, + 64, + + /* OID */ + { 0 }, + 0, + + &rmd320_init, + &rmd320_process, + &rmd320_done, + &rmd320_test, + NULL +}; + +/* the five basic functions F(), G() and H() */ +#define F(x, y, z) ((x) ^ (y) ^ (z)) +#define G(x, y, z) (((x) & (y)) | (~(x) & (z))) +#define H(x, y, z) (((x) | ~(y)) ^ (z)) +#define I(x, y, z) (((x) & (z)) | ((y) & ~(z))) +#define J(x, y, z) ((x) ^ ((y) | ~(z))) + +/* the ten basic operations FF() through III() */ +#define FF(a, b, c, d, e, x, s) \ + (a) += F((b), (c), (d)) + (x);\ + (a) = ROLc((a), (s)) + (e);\ + (c) = ROLc((c), 10); + +#define GG(a, b, c, d, e, x, s) \ + (a) += G((b), (c), (d)) + (x) + 0x5a827999UL;\ + (a) = ROLc((a), (s)) + (e);\ + (c) = ROLc((c), 10); + +#define HH(a, b, c, d, e, x, s) \ + (a) += H((b), (c), (d)) + (x) + 0x6ed9eba1UL;\ + (a) = ROLc((a), (s)) + (e);\ + (c) = ROLc((c), 10); + +#define II(a, b, c, d, e, x, s) \ + (a) += I((b), (c), (d)) + (x) + 0x8f1bbcdcUL;\ + (a) = ROLc((a), (s)) + (e);\ + (c) = ROLc((c), 10); + +#define JJ(a, b, c, d, e, x, s) \ + (a) += J((b), (c), (d)) + (x) + 0xa953fd4eUL;\ + (a) = ROLc((a), (s)) + (e);\ + (c) = ROLc((c), 10); + +#define FFF(a, b, c, d, e, x, s) \ + (a) += F((b), (c), (d)) + (x);\ + (a) = ROLc((a), (s)) + (e);\ + (c) = ROLc((c), 10); + +#define GGG(a, b, c, d, e, x, s) \ + (a) += G((b), (c), (d)) + (x) + 0x7a6d76e9UL;\ + (a) = ROLc((a), (s)) + (e);\ + (c) = ROLc((c), 10); + +#define HHH(a, b, c, d, e, x, s) \ + (a) += H((b), (c), (d)) + (x) + 0x6d703ef3UL;\ + (a) = ROLc((a), (s)) + (e);\ + (c) = ROLc((c), 10); + +#define III(a, b, c, d, e, x, s) \ + (a) += I((b), (c), (d)) + (x) + 0x5c4dd124UL;\ + (a) = ROLc((a), (s)) + (e);\ + (c) = ROLc((c), 10); + +#define JJJ(a, b, c, d, e, x, s) \ + (a) += J((b), (c), (d)) + (x) + 0x50a28be6UL;\ + (a) = ROLc((a), (s)) + (e);\ + (c) = ROLc((c), 10); + + +#ifdef LTC_CLEAN_STACK +static int _rmd320_compress(hash_state *md, unsigned char *buf) +#else +static int rmd320_compress(hash_state *md, unsigned char *buf) +#endif +{ + ulong32 aa,bb,cc,dd,ee,aaa,bbb,ccc,ddd,eee,tmp,X[16]; + int i; + + /* load words X */ + for (i = 0; i < 16; i++){ + LOAD32L(X[i], buf + (4 * i)); + } + + /* load state */ + aa = md->rmd320.state[0]; + bb = md->rmd320.state[1]; + cc = md->rmd320.state[2]; + dd = md->rmd320.state[3]; + ee = md->rmd320.state[4]; + aaa = md->rmd320.state[5]; + bbb = md->rmd320.state[6]; + ccc = md->rmd320.state[7]; + ddd = md->rmd320.state[8]; + eee = md->rmd320.state[9]; + + /* round 1 */ + FF(aa, bb, cc, dd, ee, X[ 0], 11); + FF(ee, aa, bb, cc, dd, X[ 1], 14); + FF(dd, ee, aa, bb, cc, X[ 2], 15); + FF(cc, dd, ee, aa, bb, X[ 3], 12); + FF(bb, cc, dd, ee, aa, X[ 4], 5); + FF(aa, bb, cc, dd, ee, X[ 5], 8); + FF(ee, aa, bb, cc, dd, X[ 6], 7); + FF(dd, ee, aa, bb, cc, X[ 7], 9); + FF(cc, dd, ee, aa, bb, X[ 8], 11); + FF(bb, cc, dd, ee, aa, X[ 9], 13); + FF(aa, bb, cc, dd, ee, X[10], 14); + FF(ee, aa, bb, cc, dd, X[11], 15); + FF(dd, ee, aa, bb, cc, X[12], 6); + FF(cc, dd, ee, aa, bb, X[13], 7); + FF(bb, cc, dd, ee, aa, X[14], 9); + FF(aa, bb, cc, dd, ee, X[15], 8); + + /* parallel round 1 */ + JJJ(aaa, bbb, ccc, ddd, eee, X[ 5], 8); + JJJ(eee, aaa, bbb, ccc, ddd, X[14], 9); + JJJ(ddd, eee, aaa, bbb, ccc, X[ 7], 9); + JJJ(ccc, ddd, eee, aaa, bbb, X[ 0], 11); + JJJ(bbb, ccc, ddd, eee, aaa, X[ 9], 13); + JJJ(aaa, bbb, ccc, ddd, eee, X[ 2], 15); + JJJ(eee, aaa, bbb, ccc, ddd, X[11], 15); + JJJ(ddd, eee, aaa, bbb, ccc, X[ 4], 5); + JJJ(ccc, ddd, eee, aaa, bbb, X[13], 7); + JJJ(bbb, ccc, ddd, eee, aaa, X[ 6], 7); + JJJ(aaa, bbb, ccc, ddd, eee, X[15], 8); + JJJ(eee, aaa, bbb, ccc, ddd, X[ 8], 11); + JJJ(ddd, eee, aaa, bbb, ccc, X[ 1], 14); + JJJ(ccc, ddd, eee, aaa, bbb, X[10], 14); + JJJ(bbb, ccc, ddd, eee, aaa, X[ 3], 12); + JJJ(aaa, bbb, ccc, ddd, eee, X[12], 6); + + tmp = aa; aa = aaa; aaa = tmp; + + /* round 2 */ + GG(ee, aa, bb, cc, dd, X[ 7], 7); + GG(dd, ee, aa, bb, cc, X[ 4], 6); + GG(cc, dd, ee, aa, bb, X[13], 8); + GG(bb, cc, dd, ee, aa, X[ 1], 13); + GG(aa, bb, cc, dd, ee, X[10], 11); + GG(ee, aa, bb, cc, dd, X[ 6], 9); + GG(dd, ee, aa, bb, cc, X[15], 7); + GG(cc, dd, ee, aa, bb, X[ 3], 15); + GG(bb, cc, dd, ee, aa, X[12], 7); + GG(aa, bb, cc, dd, ee, X[ 0], 12); + GG(ee, aa, bb, cc, dd, X[ 9], 15); + GG(dd, ee, aa, bb, cc, X[ 5], 9); + GG(cc, dd, ee, aa, bb, X[ 2], 11); + GG(bb, cc, dd, ee, aa, X[14], 7); + GG(aa, bb, cc, dd, ee, X[11], 13); + GG(ee, aa, bb, cc, dd, X[ 8], 12); + + /* parallel round 2 */ + III(eee, aaa, bbb, ccc, ddd, X[ 6], 9); + III(ddd, eee, aaa, bbb, ccc, X[11], 13); + III(ccc, ddd, eee, aaa, bbb, X[ 3], 15); + III(bbb, ccc, ddd, eee, aaa, X[ 7], 7); + III(aaa, bbb, ccc, ddd, eee, X[ 0], 12); + III(eee, aaa, bbb, ccc, ddd, X[13], 8); + III(ddd, eee, aaa, bbb, ccc, X[ 5], 9); + III(ccc, ddd, eee, aaa, bbb, X[10], 11); + III(bbb, ccc, ddd, eee, aaa, X[14], 7); + III(aaa, bbb, ccc, ddd, eee, X[15], 7); + III(eee, aaa, bbb, ccc, ddd, X[ 8], 12); + III(ddd, eee, aaa, bbb, ccc, X[12], 7); + III(ccc, ddd, eee, aaa, bbb, X[ 4], 6); + III(bbb, ccc, ddd, eee, aaa, X[ 9], 15); + III(aaa, bbb, ccc, ddd, eee, X[ 1], 13); + III(eee, aaa, bbb, ccc, ddd, X[ 2], 11); + + tmp = bb; bb = bbb; bbb = tmp; + + /* round 3 */ + HH(dd, ee, aa, bb, cc, X[ 3], 11); + HH(cc, dd, ee, aa, bb, X[10], 13); + HH(bb, cc, dd, ee, aa, X[14], 6); + HH(aa, bb, cc, dd, ee, X[ 4], 7); + HH(ee, aa, bb, cc, dd, X[ 9], 14); + HH(dd, ee, aa, bb, cc, X[15], 9); + HH(cc, dd, ee, aa, bb, X[ 8], 13); + HH(bb, cc, dd, ee, aa, X[ 1], 15); + HH(aa, bb, cc, dd, ee, X[ 2], 14); + HH(ee, aa, bb, cc, dd, X[ 7], 8); + HH(dd, ee, aa, bb, cc, X[ 0], 13); + HH(cc, dd, ee, aa, bb, X[ 6], 6); + HH(bb, cc, dd, ee, aa, X[13], 5); + HH(aa, bb, cc, dd, ee, X[11], 12); + HH(ee, aa, bb, cc, dd, X[ 5], 7); + HH(dd, ee, aa, bb, cc, X[12], 5); + + /* parallel round 3 */ + HHH(ddd, eee, aaa, bbb, ccc, X[15], 9); + HHH(ccc, ddd, eee, aaa, bbb, X[ 5], 7); + HHH(bbb, ccc, ddd, eee, aaa, X[ 1], 15); + HHH(aaa, bbb, ccc, ddd, eee, X[ 3], 11); + HHH(eee, aaa, bbb, ccc, ddd, X[ 7], 8); + HHH(ddd, eee, aaa, bbb, ccc, X[14], 6); + HHH(ccc, ddd, eee, aaa, bbb, X[ 6], 6); + HHH(bbb, ccc, ddd, eee, aaa, X[ 9], 14); + HHH(aaa, bbb, ccc, ddd, eee, X[11], 12); + HHH(eee, aaa, bbb, ccc, ddd, X[ 8], 13); + HHH(ddd, eee, aaa, bbb, ccc, X[12], 5); + HHH(ccc, ddd, eee, aaa, bbb, X[ 2], 14); + HHH(bbb, ccc, ddd, eee, aaa, X[10], 13); + HHH(aaa, bbb, ccc, ddd, eee, X[ 0], 13); + HHH(eee, aaa, bbb, ccc, ddd, X[ 4], 7); + HHH(ddd, eee, aaa, bbb, ccc, X[13], 5); + + tmp = cc; cc = ccc; ccc = tmp; + + /* round 4 */ + II(cc, dd, ee, aa, bb, X[ 1], 11); + II(bb, cc, dd, ee, aa, X[ 9], 12); + II(aa, bb, cc, dd, ee, X[11], 14); + II(ee, aa, bb, cc, dd, X[10], 15); + II(dd, ee, aa, bb, cc, X[ 0], 14); + II(cc, dd, ee, aa, bb, X[ 8], 15); + II(bb, cc, dd, ee, aa, X[12], 9); + II(aa, bb, cc, dd, ee, X[ 4], 8); + II(ee, aa, bb, cc, dd, X[13], 9); + II(dd, ee, aa, bb, cc, X[ 3], 14); + II(cc, dd, ee, aa, bb, X[ 7], 5); + II(bb, cc, dd, ee, aa, X[15], 6); + II(aa, bb, cc, dd, ee, X[14], 8); + II(ee, aa, bb, cc, dd, X[ 5], 6); + II(dd, ee, aa, bb, cc, X[ 6], 5); + II(cc, dd, ee, aa, bb, X[ 2], 12); + + /* parallel round 4 */ + GGG(ccc, ddd, eee, aaa, bbb, X[ 8], 15); + GGG(bbb, ccc, ddd, eee, aaa, X[ 6], 5); + GGG(aaa, bbb, ccc, ddd, eee, X[ 4], 8); + GGG(eee, aaa, bbb, ccc, ddd, X[ 1], 11); + GGG(ddd, eee, aaa, bbb, ccc, X[ 3], 14); + GGG(ccc, ddd, eee, aaa, bbb, X[11], 14); + GGG(bbb, ccc, ddd, eee, aaa, X[15], 6); + GGG(aaa, bbb, ccc, ddd, eee, X[ 0], 14); + GGG(eee, aaa, bbb, ccc, ddd, X[ 5], 6); + GGG(ddd, eee, aaa, bbb, ccc, X[12], 9); + GGG(ccc, ddd, eee, aaa, bbb, X[ 2], 12); + GGG(bbb, ccc, ddd, eee, aaa, X[13], 9); + GGG(aaa, bbb, ccc, ddd, eee, X[ 9], 12); + GGG(eee, aaa, bbb, ccc, ddd, X[ 7], 5); + GGG(ddd, eee, aaa, bbb, ccc, X[10], 15); + GGG(ccc, ddd, eee, aaa, bbb, X[14], 8); + + tmp = dd; dd = ddd; ddd = tmp; + + /* round 5 */ + JJ(bb, cc, dd, ee, aa, X[ 4], 9); + JJ(aa, bb, cc, dd, ee, X[ 0], 15); + JJ(ee, aa, bb, cc, dd, X[ 5], 5); + JJ(dd, ee, aa, bb, cc, X[ 9], 11); + JJ(cc, dd, ee, aa, bb, X[ 7], 6); + JJ(bb, cc, dd, ee, aa, X[12], 8); + JJ(aa, bb, cc, dd, ee, X[ 2], 13); + JJ(ee, aa, bb, cc, dd, X[10], 12); + JJ(dd, ee, aa, bb, cc, X[14], 5); + JJ(cc, dd, ee, aa, bb, X[ 1], 12); + JJ(bb, cc, dd, ee, aa, X[ 3], 13); + JJ(aa, bb, cc, dd, ee, X[ 8], 14); + JJ(ee, aa, bb, cc, dd, X[11], 11); + JJ(dd, ee, aa, bb, cc, X[ 6], 8); + JJ(cc, dd, ee, aa, bb, X[15], 5); + JJ(bb, cc, dd, ee, aa, X[13], 6); + + /* parallel round 5 */ + FFF(bbb, ccc, ddd, eee, aaa, X[12] , 8); + FFF(aaa, bbb, ccc, ddd, eee, X[15] , 5); + FFF(eee, aaa, bbb, ccc, ddd, X[10] , 12); + FFF(ddd, eee, aaa, bbb, ccc, X[ 4] , 9); + FFF(ccc, ddd, eee, aaa, bbb, X[ 1] , 12); + FFF(bbb, ccc, ddd, eee, aaa, X[ 5] , 5); + FFF(aaa, bbb, ccc, ddd, eee, X[ 8] , 14); + FFF(eee, aaa, bbb, ccc, ddd, X[ 7] , 6); + FFF(ddd, eee, aaa, bbb, ccc, X[ 6] , 8); + FFF(ccc, ddd, eee, aaa, bbb, X[ 2] , 13); + FFF(bbb, ccc, ddd, eee, aaa, X[13] , 6); + FFF(aaa, bbb, ccc, ddd, eee, X[14] , 5); + FFF(eee, aaa, bbb, ccc, ddd, X[ 0] , 15); + FFF(ddd, eee, aaa, bbb, ccc, X[ 3] , 13); + FFF(ccc, ddd, eee, aaa, bbb, X[ 9] , 11); + FFF(bbb, ccc, ddd, eee, aaa, X[11] , 11); + + tmp = ee; ee = eee; eee = tmp; + + /* combine results */ + md->rmd320.state[0] += aa; + md->rmd320.state[1] += bb; + md->rmd320.state[2] += cc; + md->rmd320.state[3] += dd; + md->rmd320.state[4] += ee; + md->rmd320.state[5] += aaa; + md->rmd320.state[6] += bbb; + md->rmd320.state[7] += ccc; + md->rmd320.state[8] += ddd; + md->rmd320.state[9] += eee; + + return CRYPT_OK; +} + +#ifdef LTC_CLEAN_STACK +static int rmd320_compress(hash_state *md, unsigned char *buf) +{ + int err; + err = _rmd320_compress(md, buf); + burn_stack(sizeof(ulong32) * 27 + sizeof(int)); + return err; +} +#endif + +/** + Initialize the hash state + @param md The hash state you wish to initialize + @return CRYPT_OK if successful +*/ +int rmd320_init(hash_state * md) +{ + LTC_ARGCHK(md != NULL); + md->rmd320.state[0] = 0x67452301UL; + md->rmd320.state[1] = 0xefcdab89UL; + md->rmd320.state[2] = 0x98badcfeUL; + md->rmd320.state[3] = 0x10325476UL; + md->rmd320.state[4] = 0xc3d2e1f0UL; + md->rmd320.state[5] = 0x76543210UL; + md->rmd320.state[6] = 0xfedcba98UL; + md->rmd320.state[7] = 0x89abcdefUL; + md->rmd320.state[8] = 0x01234567UL; + md->rmd320.state[9] = 0x3c2d1e0fUL; + md->rmd320.curlen = 0; + md->rmd320.length = 0; + return CRYPT_OK; +} + +/** + Process a block of memory though the hash + @param md The hash state + @param in The data to hash + @param inlen The length of the data (octets) + @return CRYPT_OK if successful +*/ +HASH_PROCESS(rmd320_process, rmd320_compress, rmd320, 64) + +/** + Terminate the hash to get the digest + @param md The hash state + @param out [out] The destination of the hash (20 bytes) + @return CRYPT_OK if successful +*/ +int rmd320_done(hash_state * md, unsigned char *out) +{ + int i; + + LTC_ARGCHK(md != NULL); + LTC_ARGCHK(out != NULL); + + if (md->rmd320.curlen >= sizeof(md->rmd320.buf)) { + return CRYPT_INVALID_ARG; + } + + + /* increase the length of the message */ + md->rmd320.length += md->rmd320.curlen * 8; + + /* append the '1' bit */ + md->rmd320.buf[md->rmd320.curlen++] = (unsigned char)0x80; + + /* if the length is currently above 56 bytes we append zeros + * then compress. Then we can fall back to padding zeros and length + * encoding like normal. + */ + if (md->rmd320.curlen > 56) { + while (md->rmd320.curlen < 64) { + md->rmd320.buf[md->rmd320.curlen++] = (unsigned char)0; + } + rmd320_compress(md, md->rmd320.buf); + md->rmd320.curlen = 0; + } + + /* pad upto 56 bytes of zeroes */ + while (md->rmd320.curlen < 56) { + md->rmd320.buf[md->rmd320.curlen++] = (unsigned char)0; + } + + /* store length */ + STORE64L(md->rmd320.length, md->rmd320.buf+56); + rmd320_compress(md, md->rmd320.buf); + + /* copy output */ + for (i = 0; i < 10; i++) { + STORE32L(md->rmd320.state[i], out+(4*i)); + } +#ifdef LTC_CLEAN_STACK + zeromem(md, sizeof(hash_state)); +#endif + return CRYPT_OK; +} + +/** + Self-test the hash + @return CRYPT_OK if successful, CRYPT_NOP if self-tests have been disabled +*/ +int rmd320_test(void) +{ +#ifndef LTC_TEST + return CRYPT_NOP; +#else + static const struct { + char *msg; + unsigned char md[40]; + } tests[] = { + { "", + { 0x22, 0xd6, 0x5d, 0x56, 0x61, 0x53, 0x6c, 0xdc, 0x75, 0xc1, + 0xfd, 0xf5, 0xc6, 0xde, 0x7b, 0x41, 0xb9, 0xf2, 0x73, 0x25, + 0xeb, 0xc6, 0x1e, 0x85, 0x57, 0x17, 0x7d, 0x70, 0x5a, 0x0e, + 0xc8, 0x80, 0x15, 0x1c, 0x3a, 0x32, 0xa0, 0x08, 0x99, 0xb8 } + }, + { "a", + { 0xce, 0x78, 0x85, 0x06, 0x38, 0xf9, 0x26, 0x58, 0xa5, 0xa5, + 0x85, 0x09, 0x75, 0x79, 0x92, 0x6d, 0xda, 0x66, 0x7a, 0x57, + 0x16, 0x56, 0x2c, 0xfc, 0xf6, 0xfb, 0xe7, 0x7f, 0x63, 0x54, + 0x2f, 0x99, 0xb0, 0x47, 0x05, 0xd6, 0x97, 0x0d, 0xff, 0x5d } + }, + { "abc", + { 0xde, 0x4c, 0x01, 0xb3, 0x05, 0x4f, 0x89, 0x30, 0xa7, 0x9d, + 0x09, 0xae, 0x73, 0x8e, 0x92, 0x30, 0x1e, 0x5a, 0x17, 0x08, + 0x5b, 0xef, 0xfd, 0xc1, 0xb8, 0xd1, 0x16, 0x71, 0x3e, 0x74, + 0xf8, 0x2f, 0xa9, 0x42, 0xd6, 0x4c, 0xdb, 0xc4, 0x68, 0x2d } + }, + { "message digest", + { 0x3a, 0x8e, 0x28, 0x50, 0x2e, 0xd4, 0x5d, 0x42, 0x2f, 0x68, + 0x84, 0x4f, 0x9d, 0xd3, 0x16, 0xe7, 0xb9, 0x85, 0x33, 0xfa, + 0x3f, 0x2a, 0x91, 0xd2, 0x9f, 0x84, 0xd4, 0x25, 0xc8, 0x8d, + 0x6b, 0x4e, 0xff, 0x72, 0x7d, 0xf6, 0x6a, 0x7c, 0x01, 0x97 } + }, + { "abcdefghijklmnopqrstuvwxyz", + { 0xca, 0xbd, 0xb1, 0x81, 0x0b, 0x92, 0x47, 0x0a, 0x20, 0x93, + 0xaa, 0x6b, 0xce, 0x05, 0x95, 0x2c, 0x28, 0x34, 0x8c, 0xf4, + 0x3f, 0xf6, 0x08, 0x41, 0x97, 0x51, 0x66, 0xbb, 0x40, 0xed, + 0x23, 0x40, 0x04, 0xb8, 0x82, 0x44, 0x63, 0xe6, 0xb0, 0x09 } + }, + { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", + { 0xd0, 0x34, 0xa7, 0x95, 0x0c, 0xf7, 0x22, 0x02, 0x1b, 0xa4, + 0xb8, 0x4d, 0xf7, 0x69, 0xa5, 0xde, 0x20, 0x60, 0xe2, 0x59, + 0xdf, 0x4c, 0x9b, 0xb4, 0xa4, 0x26, 0x8c, 0x0e, 0x93, 0x5b, + 0xbc, 0x74, 0x70, 0xa9, 0x69, 0xc9, 0xd0, 0x72, 0xa1, 0xac } + } + }; + int x; + unsigned char buf[40]; + hash_state md; + + for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) { + rmd320_init(&md); + rmd320_process(&md, (unsigned char *)tests[x].msg, strlen(tests[x].msg)); + rmd320_done(&md, buf); + if (XMEMCMP(buf, tests[x].md, 40) != 0) { +#if 0 + printf("Failed test %d\n", x); +#endif + return CRYPT_FAIL_TESTVECTOR; + } + } + return CRYPT_OK; +#endif +} + +#endif + diff --git a/src/hashes/sha1.c b/src/hashes/sha1.c index 86cd3fd..060b9b8 100644 --- a/src/hashes/sha1.c +++ b/src/hashes/sha1.c @@ -271,7 +271,7 @@ int sha1_test(void) sha1_init(&md); sha1_process(&md, (unsigned char*)tests[i].msg, (unsigned long)strlen(tests[i].msg)); sha1_done(&md, tmp); - if (memcmp(tmp, tests[i].hash, 20) != 0) { + if (XMEMCMP(tmp, tests[i].hash, 20) != 0) { return CRYPT_FAIL_TESTVECTOR; } } diff --git a/src/hashes/sha2/sha224.c b/src/hashes/sha2/sha224.c index 804a881..3e9d919 100644 --- a/src/hashes/sha2/sha224.c +++ b/src/hashes/sha2/sha224.c @@ -111,7 +111,7 @@ int sha224_test(void) sha224_init(&md); sha224_process(&md, (unsigned char*)tests[i].msg, (unsigned long)strlen(tests[i].msg)); sha224_done(&md, tmp); - if (memcmp(tmp, tests[i].hash, 28) != 0) { + if (XMEMCMP(tmp, tests[i].hash, 28) != 0) { return CRYPT_FAIL_TESTVECTOR; } } diff --git a/src/hashes/sha2/sha256.c b/src/hashes/sha2/sha256.c index a9bc448..0eea74a 100644 --- a/src/hashes/sha2/sha256.c +++ b/src/hashes/sha2/sha256.c @@ -319,7 +319,7 @@ int sha256_test(void) sha256_init(&md); sha256_process(&md, (unsigned char*)tests[i].msg, (unsigned long)strlen(tests[i].msg)); sha256_done(&md, tmp); - if (memcmp(tmp, tests[i].hash, 32) != 0) { + if (XMEMCMP(tmp, tests[i].hash, 32) != 0) { return CRYPT_FAIL_TESTVECTOR; } } diff --git a/src/hashes/sha2/sha384.c b/src/hashes/sha2/sha384.c index 75a4204..298470f 100644 --- a/src/hashes/sha2/sha384.c +++ b/src/hashes/sha2/sha384.c @@ -117,7 +117,7 @@ int sha384_test(void) sha384_init(&md); sha384_process(&md, (unsigned char*)tests[i].msg, (unsigned long)strlen(tests[i].msg)); sha384_done(&md, tmp); - if (memcmp(tmp, tests[i].hash, 48) != 0) { + if (XMEMCMP(tmp, tests[i].hash, 48) != 0) { return CRYPT_FAIL_TESTVECTOR; } } diff --git a/src/hashes/sha2/sha512.c b/src/hashes/sha2/sha512.c index 4ba0ce8..89e58f7 100644 --- a/src/hashes/sha2/sha512.c +++ b/src/hashes/sha2/sha512.c @@ -297,7 +297,7 @@ int sha512_test(void) sha512_init(&md); sha512_process(&md, (unsigned char *)tests[i].msg, (unsigned long)strlen(tests[i].msg)); sha512_done(&md, tmp); - if (memcmp(tmp, tests[i].hash, 64) != 0) { + if (XMEMCMP(tmp, tests[i].hash, 64) != 0) { return CRYPT_FAIL_TESTVECTOR; } } diff --git a/src/hashes/tiger.c b/src/hashes/tiger.c index f282cc2..6d5bccc 100644 --- a/src/hashes/tiger.c +++ b/src/hashes/tiger.c @@ -775,7 +775,7 @@ int tiger_test(void) tiger_init(&md); tiger_process(&md, (unsigned char *)tests[i].msg, (unsigned long)strlen(tests[i].msg)); tiger_done(&md, tmp); - if (memcmp(tmp, tests[i].hash, 24) != 0) { + if (XMEMCMP(tmp, tests[i].hash, 24) != 0) { return CRYPT_FAIL_TESTVECTOR; } } diff --git a/src/hashes/whirl/whirl.c b/src/hashes/whirl/whirl.c index 1973963..cc1fe5d 100644 --- a/src/hashes/whirl/whirl.c +++ b/src/hashes/whirl/whirl.c @@ -290,7 +290,7 @@ int whirlpool_test(void) whirlpool_init(&md); whirlpool_process(&md, (unsigned char *)tests[i].msg, tests[i].len); whirlpool_done(&md, tmp); - if (memcmp(tmp, tests[i].hash, 64) != 0) { + if (XMEMCMP(tmp, tests[i].hash, 64) != 0) { #if 0 printf("\nFailed test %d\n", i); for (i = 0; i < 64; ) { diff --git a/src/headers/tomcrypt.h b/src/headers/tomcrypt.h index a11e494..68a3287 100644 --- a/src/headers/tomcrypt.h +++ b/src/headers/tomcrypt.h @@ -16,8 +16,8 @@ extern "C" { #endif /* version */ -#define CRYPT 0x0114 -#define SCRYPT "1.14" +#define CRYPT 0x0115 +#define SCRYPT "1.15" /* max size of either a cipher/hash block or symmetric key [largest of the two] */ #define MAXBLOCKSIZE 128 @@ -59,7 +59,8 @@ enum { CRYPT_PK_NOT_FOUND, /* Key not found in keyring */ CRYPT_PK_INVALID_SIZE, /* Invalid size input for PK parameters */ - CRYPT_INVALID_PRIME_SIZE/* Invalid size of prime requested */ + CRYPT_INVALID_PRIME_SIZE,/* Invalid size of prime requested */ + CRYPT_PK_INVALID_PADDING /* Invalid padding on input */ }; #include diff --git a/src/headers/tomcrypt_cfg.h b/src/headers/tomcrypt_cfg.h index 059ab11..7e52e2b 100644 --- a/src/headers/tomcrypt_cfg.h +++ b/src/headers/tomcrypt_cfg.h @@ -19,6 +19,9 @@ #define LTC_EXPORT #endif +/* certain platforms use macros for these, making the prototypes broken */ +#ifndef LTC_NO_PROTOTYPES + /* you can change how memory allocation works ... */ LTC_EXPORT void * LTC_CALL XMALLOC(size_t n); LTC_EXPORT void * LTC_CALL XREALLOC(void *p, size_t n); @@ -36,6 +39,8 @@ LTC_EXPORT void * LTC_CALL XMEMCPY(void *dest, const void *src, size_t n); LTC_EXPORT int LTC_CALL XMEMCMP(const void *s1, const void *s2, size_t n); LTC_EXPORT void * LTC_CALL XMEMSET(void *s, int c, size_t n); +#endif + /* type of argument checking, 0=default, 1=fatal and 2=error+continue, 3=nothing */ #ifndef ARGTYPE #define ARGTYPE 0 diff --git a/src/headers/tomcrypt_cipher.h b/src/headers/tomcrypt_cipher.h index 507c30e..41f62c3 100644 --- a/src/headers/tomcrypt_cipher.h +++ b/src/headers/tomcrypt_cipher.h @@ -37,6 +37,20 @@ struct rijndael_key { }; #endif +#ifdef KSEED +struct kseed_key { + ulong32 K[32], dK[32]; +}; +#endif + +#ifdef LTC_KASUMI +struct kasumi_key { + ulong32 KLi1[8], KLi2[8], + KOi1[8], KOi2[8], KOi3[8], + KIi1[8], KIi2[8], KIi3[8]; +}; +#endif + #ifdef XTEA struct xtea_key { unsigned long A[32], B[32]; @@ -164,6 +178,12 @@ typedef union Symmetric_key { #ifdef ANUBIS struct anubis_key anubis; #endif +#ifdef KSEED + struct kseed_key kseed; +#endif +#ifdef LTC_KASUMI + struct kasumi_key kasumi; +#endif void *data; } symmetric_key; @@ -445,18 +465,18 @@ extern struct ltc_cipher_descriptor { int direction); /** Accelerated GCM packet (one shot) - @param key The secret key - @param keylen The length of the secret key - @param IV The initial vector - @param IVlen The length of the initial vector - @param adata The additional authentication data (header) - @param adatalen The length of the adata - @param pt The plaintext - @param ptlen The length of the plaintext (ciphertext length is the same) - @param ct The ciphertext - @param tag [out] The MAC tag - @param taglen [in/out] The MAC tag length - @param direction Encrypt or Decrypt mode (GCM_ENCRYPT or GCM_DECRYPT) + @param key The secret key + @param keylen The length of the secret key + @param IV The initial vector + @param IVlen The length of the initial vector + @param adata The additional authentication data (header) + @param adatalen The length of the adata + @param pt The plaintext + @param ptlen The length of the plaintext (ciphertext length is the same) + @param ct The ciphertext + @param tag [out] The MAC tag + @param taglen [in/out] The MAC tag length + @param direction Encrypt or Decrypt mode (GCM_ENCRYPT or GCM_DECRYPT) @return CRYPT_OK on success */ int (*accel_gcm_memory)( @@ -467,6 +487,49 @@ extern struct ltc_cipher_descriptor { unsigned char *ct, unsigned char *tag, unsigned long *taglen, int direction); + + /** Accelerated one shot OMAC + @param key The secret key + @param keylen The key length (octets) + @param in The message + @param inlen Length of message (octets) + @param out [out] Destination for tag + @param outlen [in/out] Initial and final size of out + @return CRYPT_OK on success + */ + int (*omac_memory)( + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen); + + /** Accelerated one shot XCBC + @param key The secret key + @param keylen The key length (octets) + @param in The message + @param inlen Length of message (octets) + @param out [out] Destination for tag + @param outlen [in/out] Initial and final size of out + @return CRYPT_OK on success + */ + int (*xcbc_memory)( + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen); + + /** Accelerated one shot F9 + @param key The secret key + @param keylen The key length (octets) + @param in The message + @param inlen Length of message (octets) + @param out [out] Destination for tag + @param outlen [in/out] Initial and final size of out + @return CRYPT_OK on success + @remark Requires manual padding + */ + int (*f9_memory)( + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen); } cipher_descriptor[]; #ifdef BLOWFISH @@ -649,6 +712,26 @@ int anubis_keysize(int *keysize); extern const struct ltc_cipher_descriptor anubis_desc; #endif +#ifdef KSEED +int kseed_setup(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey); +int kseed_ecb_encrypt(const unsigned char *pt, unsigned char *ct, symmetric_key *skey); +int kseed_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *skey); +int kseed_test(void); +void kseed_done(symmetric_key *skey); +int kseed_keysize(int *keysize); +extern const struct ltc_cipher_descriptor kseed_desc; +#endif + +#ifdef LTC_KASUMI +int kasumi_setup(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey); +int kasumi_ecb_encrypt(const unsigned char *pt, unsigned char *ct, symmetric_key *skey); +int kasumi_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *skey); +int kasumi_test(void); +void kasumi_done(symmetric_key *skey); +int kasumi_keysize(int *keysize); +extern const struct ltc_cipher_descriptor kasumi_desc; +#endif + #ifdef LTC_ECB_MODE int ecb_start(int cipher, const unsigned char *key, int keylen, int num_rounds, symmetric_ECB *ecb); @@ -691,6 +774,7 @@ int cbc_done(symmetric_CBC *cbc); #define CTR_COUNTER_LITTLE_ENDIAN 0 #define CTR_COUNTER_BIG_ENDIAN 1 +#define LTC_CTR_RFC3686 2 int ctr_start( int cipher, const unsigned char *IV, @@ -702,6 +786,7 @@ int ctr_decrypt(const unsigned char *ct, unsigned char *pt, unsigned long len, s int ctr_getiv(unsigned char *IV, unsigned long *len, symmetric_CTR *ctr); int ctr_setiv(const unsigned char *IV, unsigned long len, symmetric_CTR *ctr); int ctr_done(symmetric_CTR *ctr); +int ctr_test(void); #endif #ifdef LTC_LRW_MODE diff --git a/src/headers/tomcrypt_custom.h b/src/headers/tomcrypt_custom.h index 675bb2d..995c3d4 100644 --- a/src/headers/tomcrypt_custom.h +++ b/src/headers/tomcrypt_custom.h @@ -124,6 +124,8 @@ #define KHAZAD #define ANUBIS #define ANUBIS_TWEAK +#define KSEED +#define LTC_KASUMI #endif /* LTC_NO_CIPHERS */ @@ -167,15 +169,19 @@ #define MD2 #define RIPEMD128 #define RIPEMD160 +#define RIPEMD256 +#define RIPEMD320 #endif /* LTC_NO_HASHES */ /* ---> MAC functions <--- */ #ifndef LTC_NO_MACS -#define HMAC -#define OMAC -#define PMAC +#define LTC_HMAC +#define LTC_OMAC +#define LTC_PMAC +#define LTC_XCBC +#define LTC_F9_MODE #define PELICAN #if defined(PELICAN) && !defined(RIJNDAEL) @@ -185,7 +191,7 @@ /* ---> Encrypt + Authenticate Modes <--- */ #define EAX_MODE -#if defined(EAX_MODE) && !(defined(LTC_CTR_MODE) && defined(OMAC)) +#if defined(EAX_MODE) && !(defined(LTC_CTR_MODE) && defined(LTC_OMAC)) #error EAX_MODE requires CTR and OMAC mode #endif @@ -298,6 +304,9 @@ #ifdef MECC /* Supported ECC Key Sizes */ #ifndef LTC_NO_CURVES + #define ECC112 + #define ECC128 + #define ECC160 #define ECC192 #define ECC224 #define ECC256 @@ -324,7 +333,6 @@ #endif /* THREAD management */ - #ifdef LTC_PTHREAD #include @@ -348,6 +356,11 @@ #endif +/* Debuggers */ + +/* define this if you use Valgrind, note: it CHANGES the way SOBER-128 and RC4 work (see the code) */ +/* #define LTC_VALGRIND */ + #endif diff --git a/src/headers/tomcrypt_hash.h b/src/headers/tomcrypt_hash.h index 9431de5..a00aa4b 100644 --- a/src/headers/tomcrypt_hash.h +++ b/src/headers/tomcrypt_hash.h @@ -70,6 +70,22 @@ struct rmd160_state { }; #endif +#ifdef RIPEMD256 +struct rmd256_state { + ulong64 length; + unsigned char buf[64]; + ulong32 curlen, state[8]; +}; +#endif + +#ifdef RIPEMD320 +struct rmd320_state { + ulong64 length; + unsigned char buf[64]; + ulong32 curlen, state[10]; +}; +#endif + #ifdef WHIRLPOOL struct whirlpool_state { ulong64 length, state[8]; @@ -87,6 +103,7 @@ struct chc_state { #endif typedef union Hash_state { + char dummy[1]; #ifdef CHC_HASH struct chc_state chc; #endif @@ -119,6 +136,12 @@ typedef union Hash_state { #endif #ifdef RIPEMD160 struct rmd160_state rmd160; +#endif +#ifdef RIPEMD256 + struct rmd256_state rmd256; +#endif +#ifdef RIPEMD320 + struct rmd320_state rmd320; #endif void *data; } hash_state; @@ -279,6 +302,23 @@ int rmd160_test(void); extern const struct ltc_hash_descriptor rmd160_desc; #endif +#ifdef RIPEMD256 +int rmd256_init(hash_state * md); +int rmd256_process(hash_state * md, const unsigned char *in, unsigned long inlen); +int rmd256_done(hash_state * md, unsigned char *hash); +int rmd256_test(void); +extern const struct ltc_hash_descriptor rmd256_desc; +#endif + +#ifdef RIPEMD320 +int rmd320_init(hash_state * md); +int rmd320_process(hash_state * md, const unsigned char *in, unsigned long inlen); +int rmd320_done(hash_state * md, unsigned char *hash); +int rmd320_test(void); +extern const struct ltc_hash_descriptor rmd320_desc; +#endif + + int find_hash(const char *name); int find_hash_id(unsigned char ID); int find_hash_oid(const unsigned long *ID, unsigned long IDlen); diff --git a/src/headers/tomcrypt_mac.h b/src/headers/tomcrypt_mac.h index f726ce1..172c0d4 100644 --- a/src/headers/tomcrypt_mac.h +++ b/src/headers/tomcrypt_mac.h @@ -1,4 +1,4 @@ -#ifdef HMAC +#ifdef LTC_HMAC typedef struct Hmac_state { hash_state md; int hash; @@ -23,7 +23,7 @@ int hmac_file(int hash, const char *fname, const unsigned char *key, unsigned char *dst, unsigned long *dstlen); #endif -#ifdef OMAC +#ifdef LTC_OMAC typedef struct { int cipher_idx, @@ -53,7 +53,7 @@ int omac_file(int cipher, int omac_test(void); #endif /* OMAC */ -#ifdef PMAC +#ifdef LTC_PMAC typedef struct { unsigned char Ls[32][MAXBLOCKSIZE], /* L shifted by i bits to the left */ @@ -98,7 +98,7 @@ void pmac_shift_xor(pmac_state *pmac); #ifdef EAX_MODE -#if !(defined(OMAC) && defined(LTC_CTR_MODE)) +#if !(defined(LTC_OMAC) && defined(LTC_CTR_MODE)) #error EAX_MODE requires OMAC and CTR #endif @@ -309,6 +309,73 @@ int pelican_memory(const unsigned char *key, unsigned long keylen, #endif +#ifdef LTC_XCBC + +typedef struct { + unsigned char K[3][MAXBLOCKSIZE], + IV[MAXBLOCKSIZE]; + + symmetric_key key; + + int cipher, + buflen, + blocksize; +} xcbc_state; + +int xcbc_init(xcbc_state *xcbc, int cipher, const unsigned char *key, unsigned long keylen); +int xcbc_process(xcbc_state *xcbc, const unsigned char *in, unsigned long inlen); +int xcbc_done(xcbc_state *xcbc, unsigned char *out, unsigned long *outlen); +int xcbc_memory(int cipher, + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen); +int xcbc_memory_multi(int cipher, + const unsigned char *key, unsigned long keylen, + unsigned char *out, unsigned long *outlen, + const unsigned char *in, unsigned long inlen, ...); +int xcbc_file(int cipher, + const unsigned char *key, unsigned long keylen, + const char *filename, + unsigned char *out, unsigned long *outlen); +int xcbc_test(void); + +#endif + +#ifdef LTC_F9_MODE + +typedef struct { + unsigned char akey[MAXBLOCKSIZE], + ACC[MAXBLOCKSIZE], + IV[MAXBLOCKSIZE]; + + symmetric_key key; + + int cipher, + buflen, + keylen, + blocksize; +} f9_state; + +int f9_init(f9_state *f9, int cipher, const unsigned char *key, unsigned long keylen); +int f9_process(f9_state *f9, const unsigned char *in, unsigned long inlen); +int f9_done(f9_state *f9, unsigned char *out, unsigned long *outlen); +int f9_memory(int cipher, + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen); +int f9_memory_multi(int cipher, + const unsigned char *key, unsigned long keylen, + unsigned char *out, unsigned long *outlen, + const unsigned char *in, unsigned long inlen, ...); +int f9_file(int cipher, + const unsigned char *key, unsigned long keylen, + const char *filename, + unsigned char *out, unsigned long *outlen); +int f9_test(void); + +#endif + + /* $Source$ */ /* $Revision$ */ /* $Date$ */ diff --git a/src/headers/tomcrypt_macros.h b/src/headers/tomcrypt_macros.h index 02c0187..69574a9 100644 --- a/src/headers/tomcrypt_macros.h +++ b/src/headers/tomcrypt_macros.h @@ -78,9 +78,9 @@ asm __volatile__ ( \ #define LOAD32H(x, y) \ asm __volatile__ ( \ - "movl (%2),%0\n\t" \ + "movl (%1),%0\n\t" \ "bswapl %0\n\t" \ - :"=r"(x): "0"(x), "r"(y)); + :"=r"(x): "r"(y)); #else @@ -109,9 +109,9 @@ asm __volatile__ ( \ #define LOAD64H(x, y) \ asm __volatile__ ( \ - "movq (%2),%0\n\t" \ + "movq (%1),%0\n\t" \ "bswapq %0\n\t" \ - :"=r"(x): "0"(x), "r"(y)); + :"=r"(x): "r"(y)); #else diff --git a/src/headers/tomcrypt_misc.h b/src/headers/tomcrypt_misc.h index b2546e7..ec0e655 100644 --- a/src/headers/tomcrypt_misc.h +++ b/src/headers/tomcrypt_misc.h @@ -15,6 +15,9 @@ const char *error_to_string(int err); extern const char *crypt_build_settings; +/* ---- HMM ---- */ +int crypt_fsa(void *mp, ...); + /* $Source$ */ /* $Revision$ */ /* $Date$ */ diff --git a/src/headers/tomcrypt_pk.h b/src/headers/tomcrypt_pk.h index 9803f83..bf3b6ea 100644 --- a/src/headers/tomcrypt_pk.h +++ b/src/headers/tomcrypt_pk.h @@ -45,27 +45,42 @@ int rsa_exptmod(const unsigned char *in, unsigned long inlen, void rsa_free(rsa_key *key); /* These use PKCS #1 v2.0 padding */ -int rsa_encrypt_key(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - const unsigned char *lparam, unsigned long lparamlen, - prng_state *prng, int prng_idx, int hash_idx, rsa_key *key); - -int rsa_decrypt_key(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - const unsigned char *lparam, unsigned long lparamlen, - int hash_idx, int *stat, - rsa_key *key); +#define rsa_encrypt_key(_in, _inlen, _out, _outlen, _lparam, _lparamlen, _prng, _prng_idx, _hash_idx, _key) \ + rsa_encrypt_key_ex(_in, _inlen, _out, _outlen, _lparam, _lparamlen, _prng, _prng_idx, _hash_idx, LTC_PKCS_1_OAEP, _key) -int rsa_sign_hash(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - prng_state *prng, int prng_idx, - int hash_idx, unsigned long saltlen, - rsa_key *key); +#define rsa_decrypt_key(_in, _inlen, _out, _outlen, _lparam, _lparamlen, _hash_idx, _stat, _key) \ + rsa_decrypt_key_ex(_in, _inlen, _out, _outlen, _lparam, _lparamlen, _hash_idx, LTC_PKCS_1_OAEP, _stat, _key) -int rsa_verify_hash(const unsigned char *sig, unsigned long siglen, - const unsigned char *hash, unsigned long hashlen, - int hash_idx, unsigned long saltlen, - int *stat, rsa_key *key); +#define rsa_sign_hash(_in, _inlen, _out, _outlen, _prng, _prng_idx, _hash_idx, _saltlen, _key) \ + rsa_sign_hash_ex(_in, _inlen, _out, _outlen, LTC_PKCS_1_PSS, _prng, _prng_idx, _hash_idx, _saltlen, _key) + +#define rsa_verify_hash(_sig, _siglen, _hash, _hashlen, _hash_idx, _saltlen, _stat, _key) \ + rsa_verify_hash_ex(_sig, _siglen, _hash, _hashlen, LTC_PKCS_1_PSS, _hash_idx, _saltlen, _stat, _key) + +/* These can be switched between PKCS #1 v2.x and PKCS #1 v1.5 paddings */ +int rsa_encrypt_key_ex(const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen, + const unsigned char *lparam, unsigned long lparamlen, + prng_state *prng, int prng_idx, int hash_idx, int padding, rsa_key *key); + +int rsa_decrypt_key_ex(const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen, + const unsigned char *lparam, unsigned long lparamlen, + int hash_idx, int padding, + int *stat, rsa_key *key); + +int rsa_sign_hash_ex(const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen, + int padding, + prng_state *prng, int prng_idx, + int hash_idx, unsigned long saltlen, + rsa_key *key); + +int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen, + const unsigned char *hash, unsigned long hashlen, + int padding, + int hash_idx, unsigned long saltlen, + int *stat, rsa_key *key); /* PKCS #1 import/export */ int rsa_export(unsigned char *out, unsigned long *outlen, int type, rsa_key *key); @@ -201,6 +216,9 @@ void ecc_free(ecc_key *key); int ecc_export(unsigned char *out, unsigned long *outlen, int type, ecc_key *key); int ecc_import(const unsigned char *in, unsigned long inlen, ecc_key *key); +int ecc_ansi_x963_export(ecc_key *key, unsigned char *out, unsigned long *outlen); +int ecc_ansi_x963_import(const unsigned char *in, unsigned long inlen, ecc_key *key); + int ecc_shared_secret(ecc_key *private_key, ecc_key *public_key, unsigned char *out, unsigned long *outlen); diff --git a/src/headers/tomcrypt_pkcs.h b/src/headers/tomcrypt_pkcs.h index 6ba6054..2d7ebf2 100644 --- a/src/headers/tomcrypt_pkcs.h +++ b/src/headers/tomcrypt_pkcs.h @@ -3,6 +3,19 @@ /* ===> PKCS #1 -- RSA Cryptography <=== */ #ifdef PKCS_1 +enum ltc_pkcs_1_v1_5_blocks +{ + LTC_PKCS_1_EMSA = 1, /* Block type 1 (PKCS #1 v1.5 signature padding) */ + LTC_PKCS_1_EME = 2 /* Block type 2 (PKCS #1 v1.5 encryption padding) */ +}; + +enum ltc_pkcs_1_paddings +{ + LTC_PKCS_1_V1_5 = 1, /* PKCS #1 v1.5 padding (\sa ltc_pkcs_1_v1_5_blocks) */ + LTC_PKCS_1_OAEP = 2, /* PKCS #1 v2.0 encryption padding */ + LTC_PKCS_1_PSS = 3 /* PKCS #1 v2.1 signature padding */ +}; + int pkcs_1_mgf1( int hash_idx, const unsigned char *seed, unsigned long seedlen, unsigned char *mask, unsigned long masklen); @@ -10,6 +23,24 @@ int pkcs_1_mgf1( int hash_idx, int pkcs_1_i2osp(void *n, unsigned long modulus_len, unsigned char *out); int pkcs_1_os2ip(void *n, unsigned char *in, unsigned long inlen); +/* *** v1.5 padding */ +int pkcs_1_v1_5_encode(const unsigned char *msg, + unsigned long msglen, + int block_type, + unsigned long modulus_bitlen, + prng_state *prng, + int prng_idx, + unsigned char *out, + unsigned long *outlen); + +int pkcs_1_v1_5_decode(const unsigned char *msg, + unsigned long msglen, + int block_type, + unsigned long modulus_bitlen, + unsigned char *out, + unsigned long *outlen, + int *is_valid); + /* *** v2.1 padding */ int pkcs_1_oaep_encode(const unsigned char *msg, unsigned long msglen, const unsigned char *lparam, unsigned long lparamlen, diff --git a/src/headers/tomcrypt_prng.h b/src/headers/tomcrypt_prng.h index 62f2029..01382c9 100644 --- a/src/headers/tomcrypt_prng.h +++ b/src/headers/tomcrypt_prng.h @@ -48,6 +48,7 @@ struct sober128_prng { #endif typedef union Prng_state { + char dummy[1]; #ifdef YARROW struct yarrow_prng yarrow; #endif diff --git a/src/mac/f9/f9_done.c b/src/mac/f9/f9_done.c new file mode 100644 index 0000000..68e77be --- /dev/null +++ b/src/mac/f9/f9_done.c @@ -0,0 +1,77 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file f9_done.c + f9 Support, terminate the state +*/ + +#ifdef LTC_F9_MODE + +/** Terminate the f9-MAC state + @param f9 f9 state to terminate + @param out [out] Destination for the MAC tag + @param outlen [in/out] Destination size and final tag size + Return CRYPT_OK on success +*/ +int f9_done(f9_state *f9, unsigned char *out, unsigned long *outlen) +{ + int err, x; + LTC_ARGCHK(f9 != NULL); + LTC_ARGCHK(out != NULL); + + /* check structure */ + if ((err = cipher_is_valid(f9->cipher)) != CRYPT_OK) { + return err; + } + + if ((f9->blocksize > cipher_descriptor[f9->cipher].block_length) || (f9->blocksize < 0) || + (f9->buflen > f9->blocksize) || (f9->buflen < 0)) { + return CRYPT_INVALID_ARG; + } + + if (f9->buflen != 0) { + /* encrypt */ + cipher_descriptor[f9->cipher].ecb_encrypt(f9->IV, f9->IV, &f9->key); + f9->buflen = 0; + for (x = 0; x < f9->blocksize; x++) { + f9->ACC[x] ^= f9->IV[x]; + } + } + + /* schedule modified key */ + if ((err = cipher_descriptor[f9->cipher].setup(f9->akey, f9->keylen, 0, &f9->key)) != CRYPT_OK) { + return err; + } + + /* encrypt the ACC */ + cipher_descriptor[f9->cipher].ecb_encrypt(f9->ACC, f9->ACC, &f9->key); + cipher_descriptor[f9->cipher].done(&f9->key); + + /* extract tag */ + for (x = 0; x < f9->blocksize && (unsigned long)x < *outlen; x++) { + out[x] = f9->ACC[x]; + } + *outlen = x; + +#ifdef LTC_CLEAN_STACK + zeromem(f9, sizeof(*f9)); +#endif + return CRYPT_OK; +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ + diff --git a/src/mac/f9/f9_file.c b/src/mac/f9/f9_file.c new file mode 100644 index 0000000..11055d8 --- /dev/null +++ b/src/mac/f9/f9_file.c @@ -0,0 +1,83 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file f9_file.c + f9 support, process a file, Tom St Denis +*/ + +#ifdef LTC_F9_MODE + +/** + f9 a file + @param cipher The index of the cipher desired + @param key The secret key + @param keylen The length of the secret key (octets) + @param filename The name of the file you wish to f9 + @param out [out] Where the authentication tag is to be stored + @param outlen [in/out] The max size and resulting size of the authentication tag + @return CRYPT_OK if successful, CRYPT_NOP if file support has been disabled +*/ +int f9_file(int cipher, + const unsigned char *key, unsigned long keylen, + const char *filename, + unsigned char *out, unsigned long *outlen) +{ +#ifdef LTC_NO_FILE + return CRYPT_NOP; +#else + int err, x; + f9_state f9; + FILE *in; + unsigned char buf[512]; + + LTC_ARGCHK(key != NULL); + LTC_ARGCHK(filename != NULL); + LTC_ARGCHK(out != NULL); + LTC_ARGCHK(outlen != NULL); + + in = fopen(filename, "rb"); + if (in == NULL) { + return CRYPT_FILE_NOTFOUND; + } + + if ((err = f9_init(&f9, cipher, key, keylen)) != CRYPT_OK) { + fclose(in); + return err; + } + + do { + x = fread(buf, 1, sizeof(buf), in); + if ((err = f9_process(&f9, buf, x)) != CRYPT_OK) { + fclose(in); + return err; + } + } while (x == sizeof(buf)); + fclose(in); + + if ((err = f9_done(&f9, out, outlen)) != CRYPT_OK) { + return err; + } + +#ifdef LTC_CLEAN_STACK + zeromem(buf, sizeof(buf)); +#endif + + return CRYPT_OK; +#endif +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ diff --git a/src/mac/f9/f9_init.c b/src/mac/f9/f9_init.c new file mode 100644 index 0000000..15cf41c --- /dev/null +++ b/src/mac/f9/f9_init.c @@ -0,0 +1,70 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file f9_init.c + F9 Support, start an F9 state +*/ + +#ifdef LTC_F9_MODE + +/** Initialize F9-MAC state + @param f9 [out] f9 state to initialize + @param cipher Index of cipher to use + @param key [in] Secret key + @param keylen Length of secret key in octets + Return CRYPT_OK on success +*/ +int f9_init(f9_state *f9, int cipher, const unsigned char *key, unsigned long keylen) +{ + int x, err; + + LTC_ARGCHK(f9 != NULL); + LTC_ARGCHK(key != NULL); + + /* schedule the key */ + if ((err = cipher_is_valid(cipher)) != CRYPT_OK) { + return err; + } + +#ifdef LTC_FAST + if (cipher_descriptor[cipher].block_length % sizeof(LTC_FAST_TYPE)) { + return CRYPT_INVALID_ARG; + } +#endif + + if ((err = cipher_descriptor[cipher].setup(key, keylen, 0, &f9->key)) != CRYPT_OK) { + goto done; + } + + /* make the second key */ + for (x = 0; (unsigned)x < keylen; x++) { + f9->akey[x] = key[x] ^ 0xAA; + } + + /* setup struct */ + zeromem(f9->IV, cipher_descriptor[cipher].block_length); + zeromem(f9->ACC, cipher_descriptor[cipher].block_length); + f9->blocksize = cipher_descriptor[cipher].block_length; + f9->cipher = cipher; + f9->buflen = 0; + f9->keylen = keylen; +done: + return err; +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ + diff --git a/src/mac/f9/f9_memory.c b/src/mac/f9/f9_memory.c new file mode 100644 index 0000000..aacf424 --- /dev/null +++ b/src/mac/f9/f9_memory.c @@ -0,0 +1,71 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file f9_process.c + f9 Support, terminate the state +*/ + +#ifdef LTC_F9_MODE + +/** f9-MAC a block of memory + @param cipher Index of cipher to use + @param key [in] Secret key + @param keylen Length of key in octets + @param in [in] Message to MAC + @param inlen Length of input in octets + @param out [out] Destination for the MAC tag + @param outlen [in/out] Output size and final tag size + Return CRYPT_OK on success. +*/ +int f9_memory(int cipher, + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen) +{ + f9_state *f9; + int err; + + /* is the cipher valid? */ + if ((err = cipher_is_valid(cipher)) != CRYPT_OK) { + return err; + } + + /* Use accelerator if found */ + if (cipher_descriptor[cipher].f9_memory != NULL) { + return cipher_descriptor[cipher].f9_memory(key, keylen, in, inlen, out, outlen); + } + + f9 = XCALLOC(1, sizeof(*f9)); + if (f9 == NULL) { + return CRYPT_MEM; + } + + if ((err = f9_init(f9, cipher, key, keylen)) != CRYPT_OK) { + goto done; + } + + if ((err = f9_process(f9, in, inlen)) != CRYPT_OK) { + goto done; + } + + err = f9_done(f9, out, outlen); +done: + XFREE(f9); + return err; +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ diff --git a/src/mac/f9/f9_memory_multi.c b/src/mac/f9/f9_memory_multi.c new file mode 100644 index 0000000..cab6a24 --- /dev/null +++ b/src/mac/f9/f9_memory_multi.c @@ -0,0 +1,90 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" +#include + +/** + @file f9_memory_multi.c + f9 support, process multiple blocks of memory, Tom St Denis +*/ + +#ifdef LTC_F9_MODE + +/** + f9 multiple blocks of memory + @param cipher The index of the desired cipher + @param key The secret key + @param keylen The length of the secret key (octets) + @param out [out] The destination of the authentication tag + @param outlen [in/out] The max size and resulting size of the authentication tag (octets) + @param in The data to send through f9 + @param inlen The length of the data to send through f9 (octets) + @param ... tuples of (data,len) pairs to f9, terminated with a (NULL,x) (x=don't care) + @return CRYPT_OK if successful +*/ +int f9_memory_multi(int cipher, + const unsigned char *key, unsigned long keylen, + unsigned char *out, unsigned long *outlen, + const unsigned char *in, unsigned long inlen, ...) +{ + int err; + f9_state *f9; + va_list args; + const unsigned char *curptr; + unsigned long curlen; + + LTC_ARGCHK(key != NULL); + LTC_ARGCHK(in != NULL); + LTC_ARGCHK(out != NULL); + LTC_ARGCHK(outlen != NULL); + + /* allocate ram for f9 state */ + f9 = XMALLOC(sizeof(f9_state)); + if (f9 == NULL) { + return CRYPT_MEM; + } + + /* f9 process the message */ + if ((err = f9_init(f9, cipher, key, keylen)) != CRYPT_OK) { + goto LBL_ERR; + } + va_start(args, inlen); + curptr = in; + curlen = inlen; + for (;;) { + /* process buf */ + if ((err = f9_process(f9, curptr, curlen)) != CRYPT_OK) { + goto LBL_ERR; + } + /* step to next */ + curptr = va_arg(args, const unsigned char*); + if (curptr == NULL) { + break; + } + curlen = va_arg(args, unsigned long); + } + if ((err = f9_done(f9, out, outlen)) != CRYPT_OK) { + goto LBL_ERR; + } +LBL_ERR: +#ifdef LTC_CLEAN_STACK + zeromem(f9, sizeof(f9_state)); +#endif + XFREE(f9); + va_end(args); + return err; +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ diff --git a/src/mac/f9/f9_process.c b/src/mac/f9/f9_process.c new file mode 100644 index 0000000..f4f088f --- /dev/null +++ b/src/mac/f9/f9_process.c @@ -0,0 +1,78 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file f9_process.c + f9 Support, process blocks with f9 +*/ + +#ifdef LTC_F9_MODE + +/** Process data through f9-MAC + @param f9 The f9-MAC state + @param in Input data to process + @param inlen Length of input in octets + Return CRYPT_OK on success +*/ +int f9_process(f9_state *f9, const unsigned char *in, unsigned long inlen) +{ + int err, x; + + LTC_ARGCHK(f9 != NULL); + LTC_ARGCHK(in != NULL); + + /* check structure */ + if ((err = cipher_is_valid(f9->cipher)) != CRYPT_OK) { + return err; + } + + if ((f9->blocksize > cipher_descriptor[f9->cipher].block_length) || (f9->blocksize < 0) || + (f9->buflen > f9->blocksize) || (f9->buflen < 0)) { + return CRYPT_INVALID_ARG; + } + +#ifdef LTC_FAST + if (f9->buflen == 0) { + while (inlen >= (unsigned long)f9->blocksize) { + for (x = 0; x < f9->blocksize; x += sizeof(LTC_FAST_TYPE)) { + *((LTC_FAST_TYPE*)&(f9->IV[x])) ^= *((LTC_FAST_TYPE*)&(in[x])); + } + cipher_descriptor[f9->cipher].ecb_encrypt(f9->IV, f9->IV, &f9->key); + for (x = 0; x < f9->blocksize; x += sizeof(LTC_FAST_TYPE)) { + *((LTC_FAST_TYPE*)&(f9->ACC[x])) ^= *((LTC_FAST_TYPE*)&(f9->IV[x])); + } + in += f9->blocksize; + inlen -= f9->blocksize; + } + } +#endif + + while (inlen) { + if (f9->buflen == f9->blocksize) { + cipher_descriptor[f9->cipher].ecb_encrypt(f9->IV, f9->IV, &f9->key); + for (x = 0; x < f9->blocksize; x++) { + f9->ACC[x] ^= f9->IV[x]; + } + f9->buflen = 0; + } + f9->IV[f9->buflen++] ^= *in++; + --inlen; + } + return CRYPT_OK; +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ + diff --git a/src/mac/f9/f9_test.c b/src/mac/f9/f9_test.c new file mode 100644 index 0000000..a3f9080 --- /dev/null +++ b/src/mac/f9/f9_test.c @@ -0,0 +1,78 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file f9_test.c + f9 Support, terminate the state +*/ + +#ifdef LTC_F9_MODE + +/** Test f9-MAC mode + Return CRYPT_OK on succes +*/ +int f9_test(void) +{ +#ifdef LTC_NO_TEST + return CRYPT_NOP; +#else + static const struct { + int msglen; + unsigned char K[16], M[128], T[4]; + } tests[] = { +{ + 20, + { 0x2B, 0xD6, 0x45, 0x9F, 0x82, 0xC5, 0xB3, 0x00, 0x95, 0x2C, 0x49, 0x10, 0x48, 0x81, 0xFF, 0x48 }, + { 0x38, 0xA6, 0xF0, 0x56, 0xB8, 0xAE, 0xFD, 0xA9, 0x33, 0x32, 0x34, 0x62, 0x63, 0x39, 0x38, 0x61, 0x37, 0x34, 0x79, 0x40 }, + { 0x46, 0xE0, 0x0D, 0x4B } +}, + +{ + 105, + { 0x83, 0xFD, 0x23, 0xA2, 0x44, 0xA7, 0x4C, 0xF3, 0x58, 0xDA, 0x30, 0x19, 0xF1, 0x72, 0x26, 0x35 }, + { 0x36, 0xAF, 0x61, 0x44, 0x4F, 0x30, 0x2A, 0xD2, + 0x35, 0xC6, 0x87, 0x16, 0x63, 0x3C, 0x66, 0xFB, 0x75, 0x0C, 0x26, 0x68, 0x65, 0xD5, 0x3C, 0x11, 0xEA, 0x05, 0xB1, 0xE9, 0xFA, 0x49, 0xC8, 0x39, 0x8D, 0x48, 0xE1, 0xEF, 0xA5, 0x90, 0x9D, 0x39, + 0x47, 0x90, 0x28, 0x37, 0xF5, 0xAE, 0x96, 0xD5, 0xA0, 0x5B, 0xC8, 0xD6, 0x1C, 0xA8, 0xDB, 0xEF, 0x1B, 0x13, 0xA4, 0xB4, 0xAB, 0xFE, 0x4F, 0xB1, 0x00, 0x60, 0x45, 0xB6, 0x74, 0xBB, 0x54, 0x72, + 0x93, 0x04, 0xC3, 0x82, 0xBE, 0x53, 0xA5, 0xAF, 0x05, 0x55, 0x61, 0x76, 0xF6, 0xEA, 0xA2, 0xEF, 0x1D, 0x05, 0xE4, 0xB0, 0x83, 0x18, 0x1E, 0xE6, 0x74, 0xCD, 0xA5, 0xA4, 0x85, 0xF7, 0x4D, 0x7A, + 0x40|0x80 }, + { 0x95, 0xAE, 0x41, 0xBA }, +} +}; + unsigned char T[16]; + unsigned long taglen; + int err, x, idx; + + /* find kasumi */ + if ((idx = find_cipher("kasumi")) == -1) { + return CRYPT_NOP; + } + + for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) { + taglen = 4; + if ((err = f9_memory(idx, tests[x].K, 16, tests[x].M, tests[x].msglen, T, &taglen)) != CRYPT_OK) { + return err; + } + if (taglen != 4 || XMEMCMP(T, tests[x].T, 4)) { + return CRYPT_FAIL_TESTVECTOR; + } + } + + return CRYPT_OK; +#endif +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ + diff --git a/src/mac/hmac/hmac_done.c b/src/mac/hmac/hmac_done.c index 0c52f11..a0f8161 100644 --- a/src/mac/hmac/hmac_done.c +++ b/src/mac/hmac/hmac_done.c @@ -15,7 +15,7 @@ HMAC support, terminate stream, Tom St Denis/Dobes Vandermeer */ -#ifdef HMAC +#ifdef LTC_HMAC #define HMAC_BLOCKSIZE hash_descriptor[hash].blocksize diff --git a/src/mac/hmac/hmac_file.c b/src/mac/hmac/hmac_file.c index 0599962..2d397c9 100644 --- a/src/mac/hmac/hmac_file.c +++ b/src/mac/hmac/hmac_file.c @@ -15,7 +15,7 @@ HMAC support, process a file, Tom St Denis/Dobes Vandermeer */ -#ifdef HMAC +#ifdef LTC_HMAC /** HMAC a file diff --git a/src/mac/hmac/hmac_init.c b/src/mac/hmac/hmac_init.c index ee78504..05e067b 100644 --- a/src/mac/hmac/hmac_init.c +++ b/src/mac/hmac/hmac_init.c @@ -15,7 +15,7 @@ HMAC support, initialize state, Tom St Denis/Dobes Vandermeer */ -#ifdef HMAC +#ifdef LTC_HMAC #define HMAC_BLOCKSIZE hash_descriptor[hash].blocksize diff --git a/src/mac/hmac/hmac_memory.c b/src/mac/hmac/hmac_memory.c index d868a32..994e5db 100644 --- a/src/mac/hmac/hmac_memory.c +++ b/src/mac/hmac/hmac_memory.c @@ -15,7 +15,7 @@ HMAC support, process a block of memory, Tom St Denis/Dobes Vandermeer */ -#ifdef HMAC +#ifdef LTC_HMAC /** HMAC a block of memory to produce the authentication tag diff --git a/src/mac/hmac/hmac_memory_multi.c b/src/mac/hmac/hmac_memory_multi.c index 06c0398..f393c0b 100644 --- a/src/mac/hmac/hmac_memory_multi.c +++ b/src/mac/hmac/hmac_memory_multi.c @@ -16,7 +16,7 @@ HMAC support, process multiple blocks of memory, Tom St Denis/Dobes Vandermeer */ -#ifdef HMAC +#ifdef LTC_HMAC /** HMAC multiple blocks of memory to produce the authentication tag diff --git a/src/mac/hmac/hmac_process.c b/src/mac/hmac/hmac_process.c index 7c55255..ebe6471 100644 --- a/src/mac/hmac/hmac_process.c +++ b/src/mac/hmac/hmac_process.c @@ -15,7 +15,7 @@ HMAC support, process data, Tom St Denis/Dobes Vandermeer */ -#ifdef HMAC +#ifdef LTC_HMAC /** Process data through HMAC diff --git a/src/mac/hmac/hmac_test.c b/src/mac/hmac/hmac_test.c index b22e746..1c588ce 100644 --- a/src/mac/hmac/hmac_test.c +++ b/src/mac/hmac/hmac_test.c @@ -15,7 +15,7 @@ HMAC support, self-test, Tom St Denis/Dobes Vandermeer */ -#ifdef HMAC +#ifdef LTC_HMAC #define HMAC_BLOCKSIZE hash_descriptor[hash].blocksize @@ -277,7 +277,7 @@ Key First" return err; } - if(memcmp(digest, cases[i].digest, (size_t)hash_descriptor[hash].hashsize) != 0) { + if(XMEMCMP(digest, cases[i].digest, (size_t)hash_descriptor[hash].hashsize) != 0) { failed++; #if 0 unsigned int j; diff --git a/src/mac/omac/omac_done.c b/src/mac/omac/omac_done.c index c6e3c51..6f3c41b 100644 --- a/src/mac/omac/omac_done.c +++ b/src/mac/omac/omac_done.c @@ -15,7 +15,7 @@ OMAC1 support, terminate a stream, Tom St Denis */ -#ifdef OMAC +#ifdef LTC_OMAC /** Terminate an OMAC stream diff --git a/src/mac/omac/omac_file.c b/src/mac/omac/omac_file.c index 59888da..4752488 100644 --- a/src/mac/omac/omac_file.c +++ b/src/mac/omac/omac_file.c @@ -15,7 +15,7 @@ OMAC1 support, process a file, Tom St Denis */ -#ifdef OMAC +#ifdef LTC_OMAC /** OMAC a file diff --git a/src/mac/omac/omac_init.c b/src/mac/omac/omac_init.c index 79c8f3f..8d1d245 100644 --- a/src/mac/omac/omac_init.c +++ b/src/mac/omac/omac_init.c @@ -16,7 +16,7 @@ */ -#ifdef OMAC +#ifdef LTC_OMAC /** Initialize an OMAC state diff --git a/src/mac/omac/omac_memory.c b/src/mac/omac/omac_memory.c index 1d0697f..c60d3be 100644 --- a/src/mac/omac/omac_memory.c +++ b/src/mac/omac/omac_memory.c @@ -15,7 +15,7 @@ OMAC1 support, process a block of memory, Tom St Denis */ -#ifdef OMAC +#ifdef LTC_OMAC /** OMAC a block of memory @@ -41,6 +41,16 @@ int omac_memory(int cipher, LTC_ARGCHK(out != NULL); LTC_ARGCHK(outlen != NULL); + /* is the cipher valid? */ + if ((err = cipher_is_valid(cipher)) != CRYPT_OK) { + return err; + } + + /* Use accelerator if found */ + if (cipher_descriptor[cipher].omac_memory != NULL) { + return cipher_descriptor[cipher].omac_memory(key, keylen, in, inlen, out, outlen); + } + /* allocate ram for omac state */ omac = XMALLOC(sizeof(omac_state)); if (omac == NULL) { diff --git a/src/mac/omac/omac_memory_multi.c b/src/mac/omac/omac_memory_multi.c index b744015..bb03ca6 100644 --- a/src/mac/omac/omac_memory_multi.c +++ b/src/mac/omac/omac_memory_multi.c @@ -16,7 +16,7 @@ OMAC1 support, process multiple blocks of memory, Tom St Denis */ -#ifdef OMAC +#ifdef LTC_OMAC /** OMAC multiple blocks of memory diff --git a/src/mac/omac/omac_process.c b/src/mac/omac/omac_process.c index 02a4240..b8e2fed 100644 --- a/src/mac/omac/omac_process.c +++ b/src/mac/omac/omac_process.c @@ -16,7 +16,7 @@ */ -#ifdef OMAC +#ifdef LTC_OMAC /** Process data through OMAC diff --git a/src/mac/omac/omac_test.c b/src/mac/omac/omac_test.c index b6a60d4..df3f317 100644 --- a/src/mac/omac/omac_test.c +++ b/src/mac/omac/omac_test.c @@ -15,7 +15,7 @@ OMAC1 support, self-test, by Tom St Denis */ -#ifdef OMAC +#ifdef LTC_OMAC /** Test the OMAC setup @@ -90,7 +90,7 @@ int omac_test(void) return err; } - if (memcmp(out, tests[x].tag, 16) != 0) { + if (XMEMCMP(out, tests[x].tag, 16) != 0) { #if 0 int y; printf("\n\nTag: "); diff --git a/src/mac/pelican/pelican_test.c b/src/mac/pelican/pelican_test.c index fde4fc0..84b76b9 100644 --- a/src/mac/pelican/pelican_test.c +++ b/src/mac/pelican/pelican_test.c @@ -99,7 +99,7 @@ int pelican_test(void) return err; } - if (memcmp(out, tests[x].T, 16)) { + if (XMEMCMP(out, tests[x].T, 16)) { #if 0 int y; printf("\nFailed test %d\n", x); diff --git a/src/mac/pmac/pmac_done.c b/src/mac/pmac/pmac_done.c index 308897b..7f8002f 100644 --- a/src/mac/pmac/pmac_done.c +++ b/src/mac/pmac/pmac_done.c @@ -15,7 +15,7 @@ PMAC implementation, terminate a session, by Tom St Denis */ -#ifdef PMAC +#ifdef LTC_PMAC int pmac_done(pmac_state *state, unsigned char *out, unsigned long *outlen) { @@ -55,7 +55,7 @@ int pmac_done(pmac_state *state, unsigned char *out, unsigned long *outlen) cipher_descriptor[state->cipher_idx].done(&state->key); /* store it */ - for (x = 0; x < state->block_len && x <= (int)*outlen; x++) { + for (x = 0; x < state->block_len && x < (int)*outlen; x++) { out[x] = state->checksum[x]; } *outlen = x; diff --git a/src/mac/pmac/pmac_file.c b/src/mac/pmac/pmac_file.c index c641b37..8513734 100644 --- a/src/mac/pmac/pmac_file.c +++ b/src/mac/pmac/pmac_file.c @@ -15,7 +15,7 @@ PMAC implementation, process a file, by Tom St Denis */ -#ifdef PMAC +#ifdef LTC_PMAC /** PMAC a file diff --git a/src/mac/pmac/pmac_init.c b/src/mac/pmac/pmac_init.c index 7fda1b6..c39b20d 100644 --- a/src/mac/pmac/pmac_init.c +++ b/src/mac/pmac/pmac_init.c @@ -15,7 +15,7 @@ PMAC implementation, initialize state, by Tom St Denis */ -#ifdef PMAC +#ifdef LTC_PMAC static const struct { int len; diff --git a/src/mac/pmac/pmac_memory.c b/src/mac/pmac/pmac_memory.c index b920631..5bcc3c6 100644 --- a/src/mac/pmac/pmac_memory.c +++ b/src/mac/pmac/pmac_memory.c @@ -15,7 +15,7 @@ PMAC implementation, process a block of memory, by Tom St Denis */ -#ifdef PMAC +#ifdef LTC_PMAC /** PMAC a block of memory diff --git a/src/mac/pmac/pmac_memory_multi.c b/src/mac/pmac/pmac_memory_multi.c index cbd94b9..cb73d1a 100644 --- a/src/mac/pmac/pmac_memory_multi.c +++ b/src/mac/pmac/pmac_memory_multi.c @@ -16,7 +16,7 @@ PMAC implementation, process multiple blocks of memory, by Tom St Denis */ -#ifdef PMAC +#ifdef LTC_PMAC /** PMAC multiple blocks of memory diff --git a/src/mac/pmac/pmac_ntz.c b/src/mac/pmac/pmac_ntz.c index 84cde69..e0dfd81 100644 --- a/src/mac/pmac/pmac_ntz.c +++ b/src/mac/pmac/pmac_ntz.c @@ -15,7 +15,7 @@ PMAC implementation, internal function, by Tom St Denis */ -#ifdef PMAC +#ifdef LTC_PMAC /** Internal PMAC function diff --git a/src/mac/pmac/pmac_process.c b/src/mac/pmac/pmac_process.c index 0b98d2d..686a7ce 100644 --- a/src/mac/pmac/pmac_process.c +++ b/src/mac/pmac/pmac_process.c @@ -16,7 +16,7 @@ */ -#ifdef PMAC +#ifdef LTC_PMAC /** Process data in a PMAC stream diff --git a/src/mac/pmac/pmac_shift_xor.c b/src/mac/pmac/pmac_shift_xor.c index e5622cf..5d33d7d 100644 --- a/src/mac/pmac/pmac_shift_xor.c +++ b/src/mac/pmac/pmac_shift_xor.c @@ -15,7 +15,7 @@ PMAC implementation, internal function, by Tom St Denis */ -#ifdef PMAC +#ifdef LTC_PMAC /** Internal function. Performs the state update (adding correct multiple) diff --git a/src/mac/pmac/pmac_test.c b/src/mac/pmac/pmac_test.c index 8d09127..ac7c87b 100644 --- a/src/mac/pmac/pmac_test.c +++ b/src/mac/pmac/pmac_test.c @@ -16,7 +16,7 @@ */ -#ifdef PMAC +#ifdef LTC_PMAC /** Test the OMAC implementation @@ -138,7 +138,7 @@ int pmac_test(void) return err; } - if (memcmp(outtag, tests[x].tag, len)) { + if (XMEMCMP(outtag, tests[x].tag, len)) { #if 0 unsigned long y; printf("\nTAG:\n"); diff --git a/src/mac/xcbc/xcbc_done.c b/src/mac/xcbc/xcbc_done.c new file mode 100644 index 0000000..81e6c47 --- /dev/null +++ b/src/mac/xcbc/xcbc_done.c @@ -0,0 +1,77 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file xcbc_done.c + XCBC Support, terminate the state +*/ + +#ifdef LTC_XCBC + +/** Terminate the XCBC-MAC state + @param xcbc XCBC state to terminate + @param out [out] Destination for the MAC tag + @param outlen [in/out] Destination size and final tag size + Return CRYPT_OK on success +*/ +int xcbc_done(xcbc_state *xcbc, unsigned char *out, unsigned long *outlen) +{ + int err, x; + LTC_ARGCHK(xcbc != NULL); + LTC_ARGCHK(out != NULL); + + /* check structure */ + if ((err = cipher_is_valid(xcbc->cipher)) != CRYPT_OK) { + return err; + } + + if ((xcbc->blocksize > cipher_descriptor[xcbc->cipher].block_length) || (xcbc->blocksize < 0) || + (xcbc->buflen > xcbc->blocksize) || (xcbc->buflen < 0)) { + return CRYPT_INVALID_ARG; + } + + /* which key do we use? */ + if (xcbc->buflen == xcbc->blocksize) { + /* k2 */ + for (x = 0; x < xcbc->blocksize; x++) { + xcbc->IV[x] ^= xcbc->K[1][x]; + } + } else { + xcbc->IV[xcbc->buflen] ^= 0x80; + /* k3 */ + for (x = 0; x < xcbc->blocksize; x++) { + xcbc->IV[x] ^= xcbc->K[2][x]; + } + } + + /* encrypt */ + cipher_descriptor[xcbc->cipher].ecb_encrypt(xcbc->IV, xcbc->IV, &xcbc->key); + cipher_descriptor[xcbc->cipher].done(&xcbc->key); + + /* extract tag */ + for (x = 0; x < xcbc->blocksize && (unsigned long)x < *outlen; x++) { + out[x] = xcbc->IV[x]; + } + *outlen = x; + +#ifdef LTC_CLEAN_STACK + zeromem(xcbc, sizeof(*xcbc)); +#endif + return CRYPT_OK; +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ + diff --git a/src/mac/xcbc/xcbc_file.c b/src/mac/xcbc/xcbc_file.c new file mode 100644 index 0000000..6c6dcbe --- /dev/null +++ b/src/mac/xcbc/xcbc_file.c @@ -0,0 +1,83 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file xcbc_file.c + XCBC support, process a file, Tom St Denis +*/ + +#ifdef LTC_XCBC + +/** + XCBC a file + @param cipher The index of the cipher desired + @param key The secret key + @param keylen The length of the secret key (octets) + @param filename The name of the file you wish to XCBC + @param out [out] Where the authentication tag is to be stored + @param outlen [in/out] The max size and resulting size of the authentication tag + @return CRYPT_OK if successful, CRYPT_NOP if file support has been disabled +*/ +int xcbc_file(int cipher, + const unsigned char *key, unsigned long keylen, + const char *filename, + unsigned char *out, unsigned long *outlen) +{ +#ifdef LTC_NO_FILE + return CRYPT_NOP; +#else + int err, x; + xcbc_state xcbc; + FILE *in; + unsigned char buf[512]; + + LTC_ARGCHK(key != NULL); + LTC_ARGCHK(filename != NULL); + LTC_ARGCHK(out != NULL); + LTC_ARGCHK(outlen != NULL); + + in = fopen(filename, "rb"); + if (in == NULL) { + return CRYPT_FILE_NOTFOUND; + } + + if ((err = xcbc_init(&xcbc, cipher, key, keylen)) != CRYPT_OK) { + fclose(in); + return err; + } + + do { + x = fread(buf, 1, sizeof(buf), in); + if ((err = xcbc_process(&xcbc, buf, x)) != CRYPT_OK) { + fclose(in); + return err; + } + } while (x == sizeof(buf)); + fclose(in); + + if ((err = xcbc_done(&xcbc, out, outlen)) != CRYPT_OK) { + return err; + } + +#ifdef LTC_CLEAN_STACK + zeromem(buf, sizeof(buf)); +#endif + + return CRYPT_OK; +#endif +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ diff --git a/src/mac/xcbc/xcbc_init.c b/src/mac/xcbc/xcbc_init.c new file mode 100644 index 0000000..93eaf1d --- /dev/null +++ b/src/mac/xcbc/xcbc_init.c @@ -0,0 +1,86 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file xcbc_init.c + XCBC Support, start an XCBC state +*/ + +#ifdef LTC_XCBC + +/** Initialize XCBC-MAC state + @param xcbc [out] XCBC state to initialize + @param cipher Index of cipher to use + @param key [in] Secret key + @param keylen Length of secret key in octets + Return CRYPT_OK on success +*/ +int xcbc_init(xcbc_state *xcbc, int cipher, const unsigned char *key, unsigned long keylen) +{ + int x, y, err; + symmetric_key *skey; + + LTC_ARGCHK(xcbc != NULL); + LTC_ARGCHK(key != NULL); + + /* schedule the key */ + if ((err = cipher_is_valid(cipher)) != CRYPT_OK) { + return err; + } + +#ifdef LTC_FAST + if (cipher_descriptor[cipher].block_length % sizeof(LTC_FAST_TYPE)) { + return CRYPT_INVALID_ARG; + } +#endif + + /* schedule the user key */ + skey = XCALLOC(1, sizeof(*skey)); + if (skey == NULL) { + return CRYPT_MEM; + } + + if ((err = cipher_descriptor[cipher].setup(key, keylen, 0, skey)) != CRYPT_OK) { + goto done; + } + + /* make the three keys */ + for (y = 0; y < 3; y++) { + for (x = 0; x < cipher_descriptor[cipher].block_length; x++) { + xcbc->K[y][x] = y + 1; + } + cipher_descriptor[cipher].ecb_encrypt(xcbc->K[y], xcbc->K[y], skey); + } + + /* setup K1 */ + err = cipher_descriptor[cipher].setup(xcbc->K[0], cipher_descriptor[cipher].block_length, 0, &xcbc->key); + + /* setup struct */ + zeromem(xcbc->IV, cipher_descriptor[cipher].block_length); + xcbc->blocksize = cipher_descriptor[cipher].block_length; + xcbc->cipher = cipher; + xcbc->buflen = 0; +done: + cipher_descriptor[cipher].done(skey); +#ifdef LTC_CLEAN_STACK + zeromem(skey, sizeof(*skey)); +#endif + XFREE(skey); + return err; +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ + diff --git a/src/mac/xcbc/xcbc_memory.c b/src/mac/xcbc/xcbc_memory.c new file mode 100644 index 0000000..89debfe --- /dev/null +++ b/src/mac/xcbc/xcbc_memory.c @@ -0,0 +1,71 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file xcbc_process.c + XCBC Support, terminate the state +*/ + +#ifdef LTC_XCBC + +/** XCBC-MAC a block of memory + @param cipher Index of cipher to use + @param key [in] Secret key + @param keylen Length of key in octets + @param in [in] Message to MAC + @param inlen Length of input in octets + @param out [out] Destination for the MAC tag + @param outlen [in/out] Output size and final tag size + Return CRYPT_OK on success. +*/ +int xcbc_memory(int cipher, + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen) +{ + xcbc_state *xcbc; + int err; + + /* is the cipher valid? */ + if ((err = cipher_is_valid(cipher)) != CRYPT_OK) { + return err; + } + + /* Use accelerator if found */ + if (cipher_descriptor[cipher].xcbc_memory != NULL) { + return cipher_descriptor[cipher].xcbc_memory(key, keylen, in, inlen, out, outlen); + } + + xcbc = XCALLOC(1, sizeof(*xcbc)); + if (xcbc == NULL) { + return CRYPT_MEM; + } + + if ((err = xcbc_init(xcbc, cipher, key, keylen)) != CRYPT_OK) { + goto done; + } + + if ((err = xcbc_process(xcbc, in, inlen)) != CRYPT_OK) { + goto done; + } + + err = xcbc_done(xcbc, out, outlen); +done: + XFREE(xcbc); + return err; +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ diff --git a/src/mac/xcbc/xcbc_memory_multi.c b/src/mac/xcbc/xcbc_memory_multi.c new file mode 100644 index 0000000..695996e --- /dev/null +++ b/src/mac/xcbc/xcbc_memory_multi.c @@ -0,0 +1,90 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" +#include + +/** + @file xcbc_memory_multi.c + XCBC support, process multiple blocks of memory, Tom St Denis +*/ + +#ifdef LTC_XCBC + +/** + XCBC multiple blocks of memory + @param cipher The index of the desired cipher + @param key The secret key + @param keylen The length of the secret key (octets) + @param out [out] The destination of the authentication tag + @param outlen [in/out] The max size and resulting size of the authentication tag (octets) + @param in The data to send through XCBC + @param inlen The length of the data to send through XCBC (octets) + @param ... tuples of (data,len) pairs to XCBC, terminated with a (NULL,x) (x=don't care) + @return CRYPT_OK if successful +*/ +int xcbc_memory_multi(int cipher, + const unsigned char *key, unsigned long keylen, + unsigned char *out, unsigned long *outlen, + const unsigned char *in, unsigned long inlen, ...) +{ + int err; + xcbc_state *xcbc; + va_list args; + const unsigned char *curptr; + unsigned long curlen; + + LTC_ARGCHK(key != NULL); + LTC_ARGCHK(in != NULL); + LTC_ARGCHK(out != NULL); + LTC_ARGCHK(outlen != NULL); + + /* allocate ram for xcbc state */ + xcbc = XMALLOC(sizeof(xcbc_state)); + if (xcbc == NULL) { + return CRYPT_MEM; + } + + /* xcbc process the message */ + if ((err = xcbc_init(xcbc, cipher, key, keylen)) != CRYPT_OK) { + goto LBL_ERR; + } + va_start(args, inlen); + curptr = in; + curlen = inlen; + for (;;) { + /* process buf */ + if ((err = xcbc_process(xcbc, curptr, curlen)) != CRYPT_OK) { + goto LBL_ERR; + } + /* step to next */ + curptr = va_arg(args, const unsigned char*); + if (curptr == NULL) { + break; + } + curlen = va_arg(args, unsigned long); + } + if ((err = xcbc_done(xcbc, out, outlen)) != CRYPT_OK) { + goto LBL_ERR; + } +LBL_ERR: +#ifdef LTC_CLEAN_STACK + zeromem(xcbc, sizeof(xcbc_state)); +#endif + XFREE(xcbc); + va_end(args); + return err; +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ diff --git a/src/mac/xcbc/xcbc_process.c b/src/mac/xcbc/xcbc_process.c new file mode 100644 index 0000000..a5a8f38 --- /dev/null +++ b/src/mac/xcbc/xcbc_process.c @@ -0,0 +1,75 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file xcbc_process.c + XCBC Support, process blocks with XCBC +*/ + +#ifdef LTC_XCBC + +/** Process data through XCBC-MAC + @param xcbc The XCBC-MAC state + @param in Input data to process + @param inlen Length of input in octets + Return CRYPT_OK on success +*/ +int xcbc_process(xcbc_state *xcbc, const unsigned char *in, unsigned long inlen) +{ + int err; +#ifdef LTC_FAST + int x; +#endif + + LTC_ARGCHK(xcbc != NULL); + LTC_ARGCHK(in != NULL); + + /* check structure */ + if ((err = cipher_is_valid(xcbc->cipher)) != CRYPT_OK) { + return err; + } + + if ((xcbc->blocksize > cipher_descriptor[xcbc->cipher].block_length) || (xcbc->blocksize < 0) || + (xcbc->buflen > xcbc->blocksize) || (xcbc->buflen < 0)) { + return CRYPT_INVALID_ARG; + } + +#ifdef LTC_FAST + if (xcbc->buflen == 0) { + while (inlen > (unsigned long)xcbc->blocksize) { + for (x = 0; x < xcbc->blocksize; x += sizeof(LTC_FAST_TYPE)) { + *((LTC_FAST_TYPE*)&(xcbc->IV[x])) ^= *((LTC_FAST_TYPE*)&(in[x])); + } + cipher_descriptor[xcbc->cipher].ecb_encrypt(xcbc->IV, xcbc->IV, &xcbc->key); + in += xcbc->blocksize; + inlen -= xcbc->blocksize; + } + } +#endif + + while (inlen) { + if (xcbc->buflen == xcbc->blocksize) { + cipher_descriptor[xcbc->cipher].ecb_encrypt(xcbc->IV, xcbc->IV, &xcbc->key); + xcbc->buflen = 0; + } + xcbc->IV[xcbc->buflen++] ^= *in++; + --inlen; + } + return CRYPT_OK; +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ + diff --git a/src/mac/xcbc/xcbc_test.c b/src/mac/xcbc/xcbc_test.c new file mode 100644 index 0000000..aeebc78 --- /dev/null +++ b/src/mac/xcbc/xcbc_test.c @@ -0,0 +1,128 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file xcbc_test.c + XCBC Support, terminate the state +*/ + +#ifdef LTC_XCBC + +/** Test XCBC-MAC mode + Return CRYPT_OK on succes +*/ +int xcbc_test(void) +{ +#ifdef LTC_NO_TEST + return CRYPT_NOP; +#else + static const struct { + int msglen; + unsigned char K[16], M[34], T[16]; + } tests[] = { +{ + 0, + { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }, + + { 0 }, + + { 0x75, 0xf0, 0x25, 0x1d, 0x52, 0x8a, 0xc0, 0x1c, + 0x45, 0x73, 0xdf, 0xd5, 0x84, 0xd7, 0x9f, 0x29 } +}, + +{ + 3, + { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }, + + { 0x00, 0x01, 0x02 }, + + { 0x5b, 0x37, 0x65, 0x80, 0xae, 0x2f, 0x19, 0xaf, + 0xe7, 0x21, 0x9c, 0xee, 0xf1, 0x72, 0x75, 0x6f } +}, + +{ + 16, + { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }, + + { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }, + + { 0xd2, 0xa2, 0x46, 0xfa, 0x34, 0x9b, 0x68, 0xa7, + 0x99, 0x98, 0xa4, 0x39, 0x4f, 0xf7, 0xa2, 0x63 } +}, + +{ + 32, + { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }, + + { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f }, + + { 0xf5, 0x4f, 0x0e, 0xc8, 0xd2, 0xb9, 0xf3, 0xd3, + 0x68, 0x07, 0x73, 0x4b, 0xd5, 0x28, 0x3f, 0xd4 } +}, + +{ + 34, + { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }, + + { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21 }, + + { 0xbe, 0xcb, 0xb3, 0xbc, 0xcd, 0xb5, 0x18, 0xa3, + 0x06, 0x77, 0xd5, 0x48, 0x1f, 0xb6, 0xb4, 0xd8 }, +}, + + + +}; + unsigned char T[16]; + unsigned long taglen; + int err, x, idx; + + /* AES can be under rijndael or aes... try to find it */ + if ((idx = find_cipher("aes")) == -1) { + if ((idx = find_cipher("rijndael")) == -1) { + return CRYPT_NOP; + } + } + + for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) { + taglen = 16; + if ((err = xcbc_memory(idx, tests[x].K, 16, tests[x].M, tests[x].msglen, T, &taglen)) != CRYPT_OK) { + return err; + } + if (taglen != 16 || XMEMCMP(T, tests[x].T, 16)) { + return CRYPT_FAIL_TESTVECTOR; + } + } + + return CRYPT_OK; +#endif +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ + diff --git a/src/misc/crypt/crypt.c b/src/misc/crypt/crypt.c index b67a6eb..64f1940 100644 --- a/src/misc/crypt/crypt.c +++ b/src/misc/crypt/crypt.c @@ -110,6 +110,12 @@ const char *crypt_build_settings = " (tweaked)" #endif "\n" +#if defined(KSEED) + " KSEED\n" +#endif +#if defined(LTC_KASUMI) + " KASUMI\n" +#endif "\nHashes built-in:\n" #if defined(SHA512) @@ -166,8 +172,12 @@ const char *crypt_build_settings = " CBC\n" #endif #if defined(LTC_CTR_MODE) - " CTR\n" + " CTR " #endif +#if defined(LTC_CTR_OLD) + " (CTR_OLD) " +#endif + "\n" #if defined(LRW_MODE) " LRW_MODE" #if defined(LRW_TABLES) @@ -180,18 +190,24 @@ const char *crypt_build_settings = #endif "\nMACs:\n" -#if defined(HMAC) +#if defined(LTC_HMAC) " HMAC\n" #endif -#if defined(OMAC) +#if defined(LTC_OMAC) " OMAC\n" #endif -#if defined(PMAC) +#if defined(LTC_PMAC) " PMAC\n" #endif #if defined(PELICAN) " PELICAN\n" #endif +#if defined(LTC_XCBC) + " XCBC-MAC\n" +#endif +#if defined(LTC_F9_MODE) + " F9-MAC\n" +#endif "\nENC + AUTH modes:\n" #if defined(EAX_MODE) @@ -211,7 +227,6 @@ const char *crypt_build_settings = #endif "\n" - "\nPRNG:\n" #if defined(YARROW) " Yarrow\n" diff --git a/src/misc/crypt/crypt_cipher_descriptor.c b/src/misc/crypt/crypt_cipher_descriptor.c index 9f34480..767d461 100644 --- a/src/misc/crypt/crypt_cipher_descriptor.c +++ b/src/misc/crypt/crypt_cipher_descriptor.c @@ -16,7 +16,7 @@ */ struct ltc_cipher_descriptor cipher_descriptor[TAB_SIZE] = { -{ NULL, 0, 0, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL } +{ NULL, 0, 0, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL } }; LTC_MUTEX_GLOBAL(ltc_cipher_mutex) diff --git a/src/misc/crypt/crypt_find_hash_oid.c b/src/misc/crypt/crypt_find_hash_oid.c index 9c7c602..57489a8 100644 --- a/src/misc/crypt/crypt_find_hash_oid.c +++ b/src/misc/crypt/crypt_find_hash_oid.c @@ -21,7 +21,7 @@ int find_hash_oid(const unsigned long *ID, unsigned long IDlen) LTC_ARGCHK(ID != NULL); LTC_MUTEX_LOCK(<c_hash_mutex); for (x = 0; x < TAB_SIZE; x++) { - if (hash_descriptor[x].name != NULL && hash_descriptor[x].OIDlen == IDlen && !memcmp(hash_descriptor[x].OID, ID, sizeof(unsigned long) * IDlen)) { + if (hash_descriptor[x].name != NULL && hash_descriptor[x].OIDlen == IDlen && !XMEMCMP(hash_descriptor[x].OID, ID, sizeof(unsigned long) * IDlen)) { LTC_MUTEX_UNLOCK(<c_hash_mutex); return x; } diff --git a/src/misc/crypt/crypt_fsa.c b/src/misc/crypt/crypt_fsa.c new file mode 100644 index 0000000..620659a --- /dev/null +++ b/src/misc/crypt/crypt_fsa.c @@ -0,0 +1,59 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" +#include + +/** + @file crypt_fsa.c + LibTomCrypt FULL SPEED AHEAD!, Tom St Denis +*/ + +/* format is ltc_mp, cipher_desc, [cipher_desc], NULL, hash_desc, [hash_desc], NULL, prng_desc, [prng_desc], NULL */ +int crypt_fsa(void *mp, ...) +{ + int err; + va_list args; + void *p; + + va_start(args, mp); + if (mp != NULL) { + XMEMCPY(<c_mp, mp, sizeof(ltc_mp)); + } + + while ((p = va_arg(args, void*)) != NULL) { + if ((err = register_cipher(p)) != CRYPT_OK) { + va_end(args); + return err; + } + } + + while ((p = va_arg(args, void*)) != NULL) { + if ((err = register_hash(p)) != CRYPT_OK) { + va_end(args); + return err; + } + } + + while ((p = va_arg(args, void*)) != NULL) { + if ((err = register_prng(p)) != CRYPT_OK) { + va_end(args); + return err; + } + } + + va_end(args); + return CRYPT_OK; +} + + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ diff --git a/src/misc/crypt/crypt_register_hash.c b/src/misc/crypt/crypt_register_hash.c index c96bae7..cfe35ef 100644 --- a/src/misc/crypt/crypt_register_hash.c +++ b/src/misc/crypt/crypt_register_hash.c @@ -29,7 +29,7 @@ int register_hash(const struct ltc_hash_descriptor *hash) /* is it already registered? */ LTC_MUTEX_LOCK(<c_hash_mutex); for (x = 0; x < TAB_SIZE; x++) { - if (memcmp(&hash_descriptor[x], hash, sizeof(struct ltc_hash_descriptor)) == 0) { + if (XMEMCMP(&hash_descriptor[x], hash, sizeof(struct ltc_hash_descriptor)) == 0) { LTC_MUTEX_UNLOCK(<c_hash_mutex); return x; } diff --git a/src/misc/crypt/crypt_register_prng.c b/src/misc/crypt/crypt_register_prng.c index cee4512..679e257 100644 --- a/src/misc/crypt/crypt_register_prng.c +++ b/src/misc/crypt/crypt_register_prng.c @@ -29,7 +29,7 @@ int register_prng(const struct ltc_prng_descriptor *prng) /* is it already registered? */ LTC_MUTEX_LOCK(<c_prng_mutex); for (x = 0; x < TAB_SIZE; x++) { - if (memcmp(&prng_descriptor[x], prng, sizeof(struct ltc_prng_descriptor)) == 0) { + if (XMEMCMP(&prng_descriptor[x], prng, sizeof(struct ltc_prng_descriptor)) == 0) { LTC_MUTEX_UNLOCK(<c_prng_mutex); return x; } diff --git a/src/misc/crypt/crypt_unregister_cipher.c b/src/misc/crypt/crypt_unregister_cipher.c index 242f5cb..1f85d76 100644 --- a/src/misc/crypt/crypt_unregister_cipher.c +++ b/src/misc/crypt/crypt_unregister_cipher.c @@ -29,7 +29,7 @@ int unregister_cipher(const struct ltc_cipher_descriptor *cipher) /* is it already registered? */ LTC_MUTEX_LOCK(<c_cipher_mutex); for (x = 0; x < TAB_SIZE; x++) { - if (memcmp(&cipher_descriptor[x], cipher, sizeof(struct ltc_cipher_descriptor)) == 0) { + if (XMEMCMP(&cipher_descriptor[x], cipher, sizeof(struct ltc_cipher_descriptor)) == 0) { cipher_descriptor[x].name = NULL; cipher_descriptor[x].ID = 255; LTC_MUTEX_UNLOCK(<c_cipher_mutex); diff --git a/src/misc/crypt/crypt_unregister_hash.c b/src/misc/crypt/crypt_unregister_hash.c index 5936215..09caf5a 100644 --- a/src/misc/crypt/crypt_unregister_hash.c +++ b/src/misc/crypt/crypt_unregister_hash.c @@ -29,7 +29,7 @@ int unregister_hash(const struct ltc_hash_descriptor *hash) /* is it already registered? */ LTC_MUTEX_LOCK(<c_hash_mutex); for (x = 0; x < TAB_SIZE; x++) { - if (memcmp(&hash_descriptor[x], hash, sizeof(struct ltc_hash_descriptor)) == 0) { + if (XMEMCMP(&hash_descriptor[x], hash, sizeof(struct ltc_hash_descriptor)) == 0) { hash_descriptor[x].name = NULL; LTC_MUTEX_UNLOCK(<c_hash_mutex); return CRYPT_OK; diff --git a/src/misc/crypt/crypt_unregister_prng.c b/src/misc/crypt/crypt_unregister_prng.c index ef43d61..fcc23dc 100644 --- a/src/misc/crypt/crypt_unregister_prng.c +++ b/src/misc/crypt/crypt_unregister_prng.c @@ -29,7 +29,7 @@ int unregister_prng(const struct ltc_prng_descriptor *prng) /* is it already registered? */ LTC_MUTEX_LOCK(<c_prng_mutex); for (x = 0; x < TAB_SIZE; x++) { - if (memcmp(&prng_descriptor[x], prng, sizeof(struct ltc_prng_descriptor)) != 0) { + if (XMEMCMP(&prng_descriptor[x], prng, sizeof(struct ltc_prng_descriptor)) != 0) { prng_descriptor[x].name = NULL; LTC_MUTEX_UNLOCK(<c_prng_mutex); return CRYPT_OK; diff --git a/src/modes/ctr/ctr_encrypt.c b/src/modes/ctr/ctr_encrypt.c index bab386a..509819e 100644 --- a/src/modes/ctr/ctr_encrypt.c +++ b/src/modes/ctr/ctr_encrypt.c @@ -97,10 +97,10 @@ int ctr_encrypt(const unsigned char *pt, unsigned char *ct, unsigned long len, s len -= ctr->blocklen; ctr->padlen = ctr->blocklen; continue; - } + } #endif - *ct++ = *pt++ ^ ctr->pad[ctr->padlen++]; - --len; + *ct++ = *pt++ ^ ctr->pad[ctr->padlen++]; + --len; } return CRYPT_OK; } diff --git a/src/modes/ctr/ctr_start.c b/src/modes/ctr/ctr_start.c index f6c45cb..5e0a326 100644 --- a/src/modes/ctr/ctr_start.c +++ b/src/modes/ctr/ctr_start.c @@ -55,11 +55,33 @@ int ctr_start( int cipher, ctr->blocklen = cipher_descriptor[cipher].block_length; ctr->cipher = cipher; ctr->padlen = 0; - ctr->mode = ctr_mode; + ctr->mode = ctr_mode & 1; for (x = 0; x < ctr->blocklen; x++) { ctr->ctr[x] = IV[x]; } - return cipher_descriptor[ctr->cipher].ecb_encrypt(ctr->ctr, ctr->pad, &ctr->key); + + if (ctr_mode & LTC_CTR_RFC3686) { + /* increment the IV as per RFC 3686 */ + if (ctr->mode == CTR_COUNTER_LITTLE_ENDIAN) { + /* little-endian */ + for (x = 0; x < ctr->blocklen; x++) { + ctr->ctr[x] = (ctr->ctr[x] + (unsigned char)1) & (unsigned char)255; + if (ctr->ctr[x] != (unsigned char)0) { + break; + } + } + } else { + /* big-endian */ + for (x = ctr->blocklen-1; x >= 0; x--) { + ctr->ctr[x] = (ctr->ctr[x] + (unsigned char)1) & (unsigned char)255; + if (ctr->ctr[x] != (unsigned char)0) { + break; + } + } + } + } + + return cipher_descriptor[ctr->cipher].ecb_encrypt(ctr->ctr, ctr->pad, &ctr->key); } #endif diff --git a/src/modes/ctr/ctr_test.c b/src/modes/ctr/ctr_test.c new file mode 100644 index 0000000..5cf447d --- /dev/null +++ b/src/modes/ctr/ctr_test.c @@ -0,0 +1,85 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/** + @file ctr_test.c + CTR implementation, Tests again RFC 3686, Tom St Denis +*/ + +#ifdef LTC_CTR_MODE + +int ctr_test(void) +{ +#ifdef LTC_NO_TEST + return CRYPT_NOP; +#else + static const struct { + int keylen, msglen; + unsigned char key[32], IV[16], pt[64], ct[64]; + } tests[] = { +/* 128-bit key, 16-byte pt */ +{ + 16, 16, + {0xAE,0x68,0x52,0xF8,0x12,0x10,0x67,0xCC,0x4B,0xF7,0xA5,0x76,0x55,0x77,0xF3,0x9E }, + {0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, + {0x53,0x69,0x6E,0x67,0x6C,0x65,0x20,0x62,0x6C,0x6F,0x63,0x6B,0x20,0x6D,0x73,0x67 }, + {0xE4,0x09,0x5D,0x4F,0xB7,0xA7,0xB3,0x79,0x2D,0x61,0x75,0xA3,0x26,0x13,0x11,0xB8 }, +}, + +/* 128-bit key, 36-byte pt */ +{ + 16, 36, + {0x76,0x91,0xBE,0x03,0x5E,0x50,0x20,0xA8,0xAC,0x6E,0x61,0x85,0x29,0xF9,0xA0,0xDC }, + {0x00,0xE0,0x01,0x7B,0x27,0x77,0x7F,0x3F,0x4A,0x17,0x86,0xF0,0x00,0x00,0x00,0x00 }, + {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F, + 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F, + 0x20,0x21,0x22,0x23}, + {0xC1,0xCF,0x48,0xA8,0x9F,0x2F,0xFD,0xD9,0xCF,0x46,0x52,0xE9,0xEF,0xDB,0x72,0xD7, + 0x45,0x40,0xA4,0x2B,0xDE,0x6D,0x78,0x36,0xD5,0x9A,0x5C,0xEA,0xAE,0xF3,0x10,0x53, + 0x25,0xB2,0x07,0x2F }, +}, +}; + int idx, err, x; + unsigned char buf[64]; + symmetric_CTR ctr; + + /* AES can be under rijndael or aes... try to find it */ + if ((idx = find_cipher("aes")) == -1) { + if ((idx = find_cipher("rijndael")) == -1) { + return CRYPT_NOP; + } + } + + for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) { + if ((err = ctr_start(idx, tests[x].IV, tests[x].key, tests[x].keylen, 0, CTR_COUNTER_BIG_ENDIAN|LTC_CTR_RFC3686, &ctr)) != CRYPT_OK) { + return err; + } + if ((err = ctr_encrypt(tests[x].pt, buf, tests[x].msglen, &ctr)) != CRYPT_OK) { + return err; + } + ctr_done(&ctr); + if (XMEMCMP(buf, tests[x].ct, tests[x].msglen)) { + return CRYPT_FAIL_TESTVECTOR; + } + } + return CRYPT_OK; +#endif +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ + + + diff --git a/src/modes/f8/f8_encrypt.c b/src/modes/f8/f8_encrypt.c index 6fd9950..b447312 100644 --- a/src/modes/f8/f8_encrypt.c +++ b/src/modes/f8/f8_encrypt.c @@ -43,7 +43,41 @@ int f8_encrypt(const unsigned char *pt, unsigned char *ct, unsigned long len, sy } zeromem(buf, sizeof(buf)); - while (len-- > 0) { + + /* make sure the pad is empty */ + if (f8->padlen == f8->blocklen) { + /* xor of IV, MIV and blockcnt == what goes into cipher */ + STORE32H(f8->blockcnt, (buf+(f8->blocklen-4))); + ++(f8->blockcnt); + for (x = 0; x < f8->blocklen; x++) { + f8->IV[x] ^= f8->MIV[x] ^ buf[x]; + } + if ((err = cipher_descriptor[f8->cipher].ecb_encrypt(f8->IV, f8->IV, &f8->key)) != CRYPT_OK) { + return err; + } + f8->padlen = 0; + } + +#ifdef LTC_FAST + if (f8->padlen == 0) { + while (len >= (unsigned long)f8->blocklen) { + STORE32H(f8->blockcnt, (buf+(f8->blocklen-4))); + ++(f8->blockcnt); + for (x = 0; x < f8->blocklen; x += sizeof(LTC_FAST_TYPE)) { + *((LTC_FAST_TYPE*)(&ct[x])) = *((LTC_FAST_TYPE*)(&pt[x])) ^ *((LTC_FAST_TYPE*)(&f8->IV[x])); + *((LTC_FAST_TYPE*)(&f8->IV[x])) ^= *((LTC_FAST_TYPE*)(&f8->MIV[x])) ^ *((LTC_FAST_TYPE*)(&buf[x])); + } + if ((err = cipher_descriptor[f8->cipher].ecb_encrypt(f8->IV, f8->IV, &f8->key)) != CRYPT_OK) { + return err; + } + len -= x; + pt += x; + ct += x; + } + } +#endif + + while (len > 0) { if (f8->padlen == f8->blocklen) { /* xor of IV, MIV and blockcnt == what goes into cipher */ STORE32H(f8->blockcnt, (buf+(f8->blocklen-4))); @@ -57,6 +91,7 @@ int f8_encrypt(const unsigned char *pt, unsigned char *ct, unsigned long len, sy f8->padlen = 0; } *ct++ = *pt++ ^ f8->IV[f8->padlen++]; + --len; } return CRYPT_OK; } diff --git a/src/modes/f8/f8_start.c b/src/modes/f8/f8_start.c index 1a96a76..7e0d6f4 100644 --- a/src/modes/f8/f8_start.c +++ b/src/modes/f8/f8_start.c @@ -47,6 +47,12 @@ int f8_start( int cipher, const unsigned char *IV, return err; } +#ifdef LTC_FAST + if (cipher_descriptor[cipher].block_length % sizeof(LTC_FAST_TYPE)) { + return CRYPT_INVALID_ARG; + } +#endif + /* copy details */ f8->blockcnt = 0; f8->cipher = cipher; diff --git a/src/modes/f8/f8_test_mode.c b/src/modes/f8/f8_test_mode.c index d343e5b..48da1f5 100644 --- a/src/modes/f8/f8_test_mode.c +++ b/src/modes/f8/f8_test_mode.c @@ -23,21 +23,21 @@ int f8_test_mode(void) #ifndef LTC_TEST return CRYPT_NOP; #else - const unsigned char key[16] = { 0x23, 0x48, 0x29, 0x00, 0x84, 0x67, 0xbe, 0x18, - 0x6c, 0x3d, 0xe1, 0x4a, 0xae, 0x72, 0xd6, 0x2c }; - const unsigned char salt[4] = { 0x32, 0xf2, 0x87, 0x0d }; - const unsigned char IV[16] = { 0x00, 0x6e, 0x5c, 0xba, 0x50, 0x68, 0x1d, 0xe5, - 0x5c, 0x62, 0x15, 0x99, 0xd4, 0x62, 0x56, 0x4a }; - const unsigned char pt[39] = { 0x70, 0x73, 0x65, 0x75, 0x64, 0x6f, 0x72, 0x61, - 0x6e, 0x64, 0x6f, 0x6d, 0x6e, 0x65, 0x73, 0x73, - 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, - 0x6e, 0x65, 0x78, 0x74, 0x20, 0x62, 0x65, 0x73, - 0x74, 0x20, 0x74, 0x68, 0x69, 0x6e, 0x67 }; - const unsigned char ct[39] = { 0x01, 0x9c, 0xe7, 0xa2, 0x6e, 0x78, 0x54, 0x01, - 0x4a, 0x63, 0x66, 0xaa, 0x95, 0xd4, 0xee, 0xfd, - 0x1a, 0xd4, 0x17, 0x2a, 0x14, 0xf9, 0xfa, 0xf4, - 0x55, 0xb7, 0xf1, 0xd4, 0xb6, 0x2b, 0xd0, 0x8f, - 0x56, 0x2c, 0x0e, 0xef, 0x7c, 0x48, 0x02 }; + static const unsigned char key[16] = { 0x23, 0x48, 0x29, 0x00, 0x84, 0x67, 0xbe, 0x18, + 0x6c, 0x3d, 0xe1, 0x4a, 0xae, 0x72, 0xd6, 0x2c }; + static const unsigned char salt[4] = { 0x32, 0xf2, 0x87, 0x0d }; + static const unsigned char IV[16] = { 0x00, 0x6e, 0x5c, 0xba, 0x50, 0x68, 0x1d, 0xe5, + 0x5c, 0x62, 0x15, 0x99, 0xd4, 0x62, 0x56, 0x4a }; + static const unsigned char pt[39] = { 0x70, 0x73, 0x65, 0x75, 0x64, 0x6f, 0x72, 0x61, + 0x6e, 0x64, 0x6f, 0x6d, 0x6e, 0x65, 0x73, 0x73, + 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, + 0x6e, 0x65, 0x78, 0x74, 0x20, 0x62, 0x65, 0x73, + 0x74, 0x20, 0x74, 0x68, 0x69, 0x6e, 0x67 }; + static const unsigned char ct[39] = { 0x01, 0x9c, 0xe7, 0xa2, 0x6e, 0x78, 0x54, 0x01, + 0x4a, 0x63, 0x66, 0xaa, 0x95, 0xd4, 0xee, 0xfd, + 0x1a, 0xd4, 0x17, 0x2a, 0x14, 0xf9, 0xfa, 0xf4, + 0x55, 0xb7, 0xf1, 0xd4, 0xb6, 0x2b, 0xd0, 0x8f, + 0x56, 0x2c, 0x0e, 0xef, 0x7c, 0x48, 0x02 }; unsigned char buf[39]; symmetric_F8 f8; int err, idx; @@ -52,13 +52,14 @@ int f8_test_mode(void) if ((err = f8_start(idx, IV, key, sizeof(key), salt, sizeof(salt), 0, &f8)) != CRYPT_OK) { return err; } - f8_done(&f8); /* encrypt block */ if ((err = f8_encrypt(pt, buf, sizeof(pt), &f8)) != CRYPT_OK) { + f8_done(&f8); return err; } - + f8_done(&f8); + /* compare */ if (XMEMCMP(buf, ct, sizeof(ct))) { return CRYPT_FAIL_TESTVECTOR; diff --git a/src/pk/ecc/ecc.c b/src/pk/ecc/ecc.c index c6ccefc..2b213ce 100644 --- a/src/pk/ecc/ecc.c +++ b/src/pk/ecc/ecc.c @@ -25,6 +25,39 @@ /* This holds the key settings. ***MUST*** be organized by size from smallest to largest. */ const ltc_ecc_set_type ltc_ecc_sets[] = { +#ifdef ECC112 +{ + 14, + "SECP112R1", + "DB7C2ABF62E35E668076BEAD208B", + "659EF8BA043916EEDE8911702B22", + "DB7C2ABF62E35E7628DFAC6561C5", + "09487239995A5EE76B55F9C2F098", + "A89CE5AF8724C0A23E0E0FF77500" +}, +#endif +#ifdef ECC128 +{ + 16, + "SECP128R1", + "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF", + "E87579C11079F43DD824993C2CEE5ED3", + "FFFFFFFE0000000075A30D1B9038A115", + "161FF7528B899B2D0C28607CA52C5B86", + "CF5AC8395BAFEB13C02DA292DDED7A83", +}, +#endif +#ifdef ECC160 +{ + 20, + "SECP160R1", + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF", + "1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45", + "0100000000000000000001F4C8F927AED3CA752257", + "4A96B5688EF573284664698968C38BB913CBFC82", + "23A628553168947D59DCC912042351377AC5FB32", +}, +#endif #ifdef ECC192 { 24, @@ -71,7 +104,7 @@ const ltc_ecc_set_type ltc_ecc_sets[] = { #endif #ifdef ECC521 { - 65, + 66, "ECC-521", "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "51953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", @@ -88,8 +121,6 @@ const ltc_ecc_set_type ltc_ecc_sets[] = { #endif - - /* $Source$ */ /* $Revision$ */ /* $Date$ */ diff --git a/src/pk/ecc/ecc_ansi_x963_export.c b/src/pk/ecc/ecc_ansi_x963_export.c new file mode 100644 index 0000000..e3fac2b --- /dev/null +++ b/src/pk/ecc/ecc_ansi_x963_export.c @@ -0,0 +1,72 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ + +/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b + * + * All curves taken from NIST recommendation paper of July 1999 + * Available at http://csrc.nist.gov/cryptval/dss.htm + */ +#include "tomcrypt.h" + +/** + @file ecc_ansi_x963_export.c + ECC Crypto, Tom St Denis +*/ + +#ifdef MECC + +/** ECC X9.63 (Sec. 4.3.6) uncompressed export + @param key Key to export + @param out [out] destination of export + @param outlen [in/out] Length of destination and final output size + Return CRYPT_OK on success +*/ +int ecc_ansi_x963_export(ecc_key *key, unsigned char *out, unsigned long *outlen) +{ + unsigned char buf[128]; + unsigned long numlen; + + LTC_ARGCHK(key != NULL); + LTC_ARGCHK(out != NULL); + LTC_ARGCHK(outlen != NULL); + + if (ltc_ecc_is_valid_idx(key->idx) == 0) { + return CRYPT_INVALID_ARG; + } + numlen = ltc_ecc_sets[key->idx].size; + + if (*outlen < (1 + 2*numlen)) { + *outlen = 1 + 2*numlen; + return CRYPT_BUFFER_OVERFLOW; + } + + /* store byte 0x04 */ + out[0] = 0x04; + + /* pad and store x */ + zeromem(buf, sizeof(buf)); + mp_to_unsigned_bin(key->pubkey.x, buf + (numlen - mp_unsigned_bin_size(key->pubkey.x))); + XMEMCPY(out+1, buf, numlen); + + /* pad and store y */ + zeromem(buf, sizeof(buf)); + mp_to_unsigned_bin(key->pubkey.y, buf + (numlen - mp_unsigned_bin_size(key->pubkey.y))); + XMEMCPY(out+1+numlen, buf, numlen); + + *outlen = 1 + 2*numlen; + return CRYPT_OK; +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ diff --git a/src/pk/ecc/ecc_ansi_x963_import.c b/src/pk/ecc/ecc_ansi_x963_import.c new file mode 100644 index 0000000..9f85453 --- /dev/null +++ b/src/pk/ecc/ecc_ansi_x963_import.c @@ -0,0 +1,90 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ + +/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b + * + * All curves taken from NIST recommendation paper of July 1999 + * Available at http://csrc.nist.gov/cryptval/dss.htm + */ +#include "tomcrypt.h" + +/** + @file ecc_ansi_x963_import.c + ECC Crypto, Tom St Denis +*/ + +#ifdef MECC + +/** Import an ANSI X9.63 format public key + @param in The input data to read + @param inlen The length of the input data + @param key [out] destination to store imported key \ +*/ +int ecc_ansi_x963_import(const unsigned char *in, unsigned long inlen, ecc_key *key) +{ + int x, err; + + LTC_ARGCHK(in != NULL); + LTC_ARGCHK(key != NULL); + + /* must be odd */ + if ((inlen & 1) == 0) { + return CRYPT_INVALID_ARG; + } + + /* init key */ + if (mp_init_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, NULL) != CRYPT_OK) { + return CRYPT_MEM; + } + + /* check for 4, 6 or 7 */ + if (in[0] != 4 && in[0] != 6 && in[0] != 7) { + err = CRYPT_INVALID_PACKET; + goto error; + } + + /* read data */ + if ((err = mp_read_unsigned_bin(key->pubkey.x, (unsigned char *)in+1, (inlen-1)>>1)) != CRYPT_OK) { + goto error; + } + + if ((err = mp_read_unsigned_bin(key->pubkey.y, (unsigned char *)in+1+((inlen-1)>>1), (inlen-1)>>1)) != CRYPT_OK) { + goto error; + } + mp_set(key->pubkey.z, 1); + + /* determine the idx */ + for (x = 0; ltc_ecc_sets[x].size != 0; x++) { + if ((unsigned)ltc_ecc_sets[x].size >= ((inlen-1)>>1)) { + break; + } + } + if (ltc_ecc_sets[x].size == 0) { + err = CRYPT_INVALID_PACKET; + goto error; + } + + /* set the idx */ + key->idx = x; + key->type = PK_PUBLIC; + + /* we're done */ + return CRYPT_OK; +error: + mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL); + return err; +} + +#endif + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ diff --git a/src/pk/ecc/ltc_ecc_mulmod_timing.c b/src/pk/ecc/ltc_ecc_mulmod_timing.c index 648b938..1169c1b 100644 --- a/src/pk/ecc/ltc_ecc_mulmod_timing.c +++ b/src/pk/ecc/ltc_ecc_mulmod_timing.c @@ -83,13 +83,13 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map) if ((err = mp_mulmod(G->z, mu, modulus, tG->z)) != CRYPT_OK) { goto done; } mp_clear(mu); - /* calc the M tab, which holds kG for k==8..15 */ + /* calc the M tab */ /* M[0] == G */ - if ((err = mp_copy(tG->x, M[0]->x)) != CRYPT_OK) { goto done; } - if ((err = mp_copy(tG->y, M[0]->y)) != CRYPT_OK) { goto done; } - if ((err = mp_copy(tG->z, M[0]->z)) != CRYPT_OK) { goto done; } + if ((err = mp_copy(tG->x, M[0]->x)) != CRYPT_OK) { goto done; } + if ((err = mp_copy(tG->y, M[0]->y)) != CRYPT_OK) { goto done; } + if ((err = mp_copy(tG->z, M[0]->z)) != CRYPT_OK) { goto done; } /* M[1] == 2G */ - if ((err = ltc_ecc_projective_dbl_point(tG, M[1], modulus, mp)) != CRYPT_OK) { goto done; } + if ((err = ltc_mp.ecc_ptdbl(tG, M[1], modulus, mp)) != CRYPT_OK) { goto done; } /* setup sliding window */ mode = 0; @@ -117,21 +117,21 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map) if (mode == 0 && i == 0) { /* dummy operations */ - if ((err = ltc_ecc_projective_add_point(M[0], M[1], M[2], modulus, mp)) != CRYPT_OK) { goto done; } - if ((err = ltc_ecc_projective_dbl_point(M[1], M[2], modulus, mp)) != CRYPT_OK) { goto done; } + if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[2], modulus, mp)) != CRYPT_OK) { goto done; } + if ((err = ltc_mp.ecc_ptdbl(M[1], M[2], modulus, mp)) != CRYPT_OK) { goto done; } continue; } if (mode == 0 && i == 1) { mode = 1; /* dummy operations */ - if ((err = ltc_ecc_projective_add_point(M[0], M[1], M[2], modulus, mp)) != CRYPT_OK) { goto done; } - if ((err = ltc_ecc_projective_dbl_point(M[1], M[2], modulus, mp)) != CRYPT_OK) { goto done; } + if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[2], modulus, mp)) != CRYPT_OK) { goto done; } + if ((err = ltc_mp.ecc_ptdbl(M[1], M[2], modulus, mp)) != CRYPT_OK) { goto done; } continue; } - if ((err = ltc_ecc_projective_add_point(M[0], M[1], M[i^1], modulus, mp)) != CRYPT_OK) { goto done; } - if ((err = ltc_ecc_projective_dbl_point(M[i], M[i], modulus, mp)) != CRYPT_OK) { goto done; } + if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[i^1], modulus, mp)) != CRYPT_OK) { goto done; } + if ((err = ltc_mp.ecc_ptdbl(M[i], M[i], modulus, mp)) != CRYPT_OK) { goto done; } } /* copy result out */ diff --git a/src/pk/pkcs1/pkcs_1_oaep_decode.c b/src/pk/pkcs1/pkcs_1_oaep_decode.c index 81bff41..6abf02f 100644 --- a/src/pk/pkcs1/pkcs_1_oaep_decode.c +++ b/src/pk/pkcs1/pkcs_1_oaep_decode.c @@ -136,7 +136,7 @@ int pkcs_1_oaep_decode(const unsigned char *msg, unsigned long msglen, } /* compare the lhash'es */ - if (memcmp(seed, DB, hLen) != 0) { + if (XMEMCMP(seed, DB, hLen) != 0) { err = CRYPT_OK; goto LBL_ERR; } diff --git a/src/pk/pkcs1/pkcs_1_pss_decode.c b/src/pk/pkcs1/pkcs_1_pss_decode.c index 2f86551..34ccc11 100644 --- a/src/pk/pkcs1/pkcs_1_pss_decode.c +++ b/src/pk/pkcs1/pkcs_1_pss_decode.c @@ -149,7 +149,7 @@ int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen, } /* mask == hash means valid signature */ - if (memcmp(mask, hash, hLen) == 0) { + if (XMEMCMP(mask, hash, hLen) == 0) { *res = 1; } diff --git a/src/pk/pkcs1/pkcs_1_v1_5_decode.c b/src/pk/pkcs1/pkcs_1_v1_5_decode.c new file mode 100644 index 0000000..f8bd629 --- /dev/null +++ b/src/pk/pkcs1/pkcs_1_v1_5_decode.c @@ -0,0 +1,109 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/*! \file pkcs_1_v1_5_decode.c + * + * PKCS #1 v1.5 Padding. (Andreas Lange) + */ + +#ifdef PKCS_1 + +/*! \brief PKCS #1 v1.5 decode. + * + * \param msg The encoded data to decode + * \param msglen The length of the encoded data (octets) + * \param block_type Block type to use in padding (\sa ltc_pkcs_1_v1_5_blocks) + * \param modulus_bitlen The bit length of the RSA modulus + * \param out [out] Destination of decoding + * \param outlen [in/out] The max size and resulting size of the decoding + * + * \return CRYPT_OK if successful (even if invalid) + */ +int pkcs_1_v1_5_decode(const unsigned char *msg, + unsigned long msglen, + int block_type, + unsigned long modulus_bitlen, + unsigned char *out, + unsigned long *outlen, + int *is_valid) +{ + unsigned long modulus_len, ps_len, i; + int result; + + /* default to invalid packet */ + *is_valid = 0; + + modulus_len = (modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0); + + /* test message size */ + + if ((msglen > modulus_len) || (modulus_len < 11)) { + return CRYPT_PK_INVALID_SIZE; + } + + /* separate encoded message */ + + if ((msg[0] != 0x00) || (msg[1] != (unsigned char)block_type)) { + result = CRYPT_INVALID_PACKET; + goto bail; + } + + if (block_type == LTC_PKCS_1_EME) { + for (i = 2; i < modulus_len; i++) { + /* separator */ + if (msg[i] == 0x00) { break; } + } + ps_len = i++ - 2; + + if ((i >= modulus_len) || (ps_len < 8)) { + /* There was no octet with hexadecimal value 0x00 to separate ps from m, + * or the length of ps is less than 8 octets. + */ + result = CRYPT_INVALID_PACKET; + goto bail; + } + } else { + for (i = 2; i < modulus_len - 1; i++) { + if (msg[i] != 0xFF) { break; } + } + + /* separator check */ + if (msg[i] != 0) { + /* There was no octet with hexadecimal value 0x00 to separate ps from m. */ + result = CRYPT_INVALID_PACKET; + goto bail; + } + + ps_len = i - 2; + } + + if (*outlen < (msglen - (2 + ps_len + 1))) { + *outlen = msglen - (2 + ps_len + 1); + result = CRYPT_BUFFER_OVERFLOW; + goto bail; + } + + *outlen = (msglen - (2 + ps_len + 1)); + XMEMCPY(out, &msg[2 + ps_len + 1], *outlen); + + /* valid packet */ + *is_valid = 1; + result = CRYPT_OK; +bail: + return result; +} /* pkcs_1_v1_5_decode */ + +#endif /* #ifdef PKCS_1 */ + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ diff --git a/src/pk/pkcs1/pkcs_1_v1_5_encode.c b/src/pk/pkcs1/pkcs_1_v1_5_encode.c new file mode 100644 index 0000000..d63608b --- /dev/null +++ b/src/pk/pkcs1/pkcs_1_v1_5_encode.c @@ -0,0 +1,111 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "tomcrypt.h" + +/*! \file pkcs_1_v1_5_encode.c + * + * PKCS #1 v1.5 Padding (Andreas Lange) + */ + +#ifdef PKCS_1 + +/*! \brief PKCS #1 v1.5 encode. + * + * \param msg The data to encode + * \param msglen The length of the data to encode (octets) + * \param block_type Block type to use in padding (\sa ltc_pkcs_1_v1_5_blocks) + * \param modulus_bitlen The bit length of the RSA modulus + * \param prng An active PRNG state (only for LTC_PKCS_1_EME) + * \param prng_idx The index of the PRNG desired (only for LTC_PKCS_1_EME) + * \param out [out] The destination for the encoded data + * \param outlen [in/out] The max size and resulting size of the encoded data + * + * \return CRYPT_OK if successful + */ +int pkcs_1_v1_5_encode(const unsigned char *msg, + unsigned long msglen, + int block_type, + unsigned long modulus_bitlen, + prng_state *prng, + int prng_idx, + unsigned char *out, + unsigned long *outlen) +{ + unsigned long modulus_len, ps_len, i; + unsigned char *ps; + int result; + + /* valid block_type? */ + if ((block_type != LTC_PKCS_1_EMSA) && + (block_type != LTC_PKCS_1_EME)) { + return CRYPT_PK_INVALID_PADDING; + } + + if (block_type == LTC_PKCS_1_EME) { /* encryption padding, we need a valid PRNG */ + if ((result = prng_is_valid(prng_idx)) != CRYPT_OK) { + return result; + } + } + + modulus_len = (modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0); + + /* test message size */ + if ((msglen + 11) > modulus_len) { + return CRYPT_PK_INVALID_SIZE; + } + + if (*outlen < modulus_len) { + *outlen = modulus_len; + result = CRYPT_BUFFER_OVERFLOW; + goto bail; + } + + /* generate an octets string PS */ + ps = &out[2]; + ps_len = modulus_len - msglen - 3; + + if (block_type == LTC_PKCS_1_EME) { + /* now choose a random ps */ + if (prng_descriptor[prng_idx].read(ps, ps_len, prng) != ps_len) { + result = CRYPT_ERROR_READPRNG; + goto bail; + } + + /* transform zero bytes (if any) to non-zero random bytes */ + for (i = 0; i < ps_len; i++) { + while (ps[i] == 0) { + if (prng_descriptor[prng_idx].read(&ps[i], 1, prng) != 1) { + result = CRYPT_ERROR_READPRNG; + goto bail; + } + } + } + } else { + XMEMSET(ps, 0xFF, ps_len); + } + + /* create string of length modulus_len */ + out[0] = 0x00; + out[1] = (unsigned char)block_type; /* block_type 1 or 2 */ + out[2 + ps_len] = 0x00; + XMEMCPY(&out[2 + ps_len + 1], msg, msglen); + *outlen = modulus_len; + + result = CRYPT_OK; +bail: + return result; +} /* pkcs_1_v1_5_encode */ + +#endif /* #ifdef PKCS_1 */ + +/* $Source$ */ +/* $Revision$ */ +/* $Date$ */ diff --git a/src/pk/rsa/rsa_decrypt_key.c b/src/pk/rsa/rsa_decrypt_key.c index 47e56cd..b31538f 100644 --- a/src/pk/rsa/rsa_decrypt_key.c +++ b/src/pk/rsa/rsa_decrypt_key.c @@ -12,13 +12,13 @@ /** @file rsa_decrypt_key.c - RSA PKCS #1 OAEP Decryption, Tom St Denis -*/ + RSA PKCS #1 Decryption, Tom St Denis and Andreas Lange +*/ #ifdef MRSA /** - (PKCS #1 v2.0) decrypt then OAEP depad + PKCS #1 decrypt then v1.5 or OAEP depad @param in The ciphertext @param inlen The length of the ciphertext (octets) @param out [out] The plaintext @@ -26,20 +26,21 @@ @param lparam The system "lparam" value @param lparamlen The length of the lparam value (octets) @param hash_idx The index of the hash desired + @param padding Type of padding (LTC_PKCS_1_OAEP or LTC_PKCS_1_V1_5) @param stat [out] Result of the decryption, 1==valid, 0==invalid @param key The corresponding private RSA key @return CRYPT_OK if succcessul (even if invalid) */ -int rsa_decrypt_key(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - const unsigned char *lparam, unsigned long lparamlen, - int hash_idx, int *stat, - rsa_key *key) +int rsa_decrypt_key_ex(const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen, + const unsigned char *lparam, unsigned long lparamlen, + int hash_idx, int padding, + int *stat, rsa_key *key) { unsigned long modulus_bitlen, modulus_bytelen, x; int err; unsigned char *tmp; - + LTC_ARGCHK(out != NULL); LTC_ARGCHK(outlen != NULL); LTC_ARGCHK(key != NULL); @@ -48,11 +49,20 @@ int rsa_decrypt_key(const unsigned char *in, unsigned long inlen, /* default to invalid */ *stat = 0; - /* valid hash ? */ - if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) { - return err; + /* valid padding? */ + + if ((padding != LTC_PKCS_1_V1_5) && + (padding != LTC_PKCS_1_OAEP)) { + return CRYPT_PK_INVALID_PADDING; } - + + if (padding == LTC_PKCS_1_OAEP) { + /* valid hash ? */ + if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) { + return err; + } + } + /* get modulus len in bits */ modulus_bitlen = mp_count_bits( (key->N)); @@ -75,19 +85,21 @@ int rsa_decrypt_key(const unsigned char *in, unsigned long inlen, return err; } - /* now OAEP decode the packet */ - err = pkcs_1_oaep_decode(tmp, x, lparam, lparamlen, modulus_bitlen, hash_idx, - out, outlen, stat); + if (padding == LTC_PKCS_1_OAEP) { + /* now OAEP decode the packet */ + err = pkcs_1_oaep_decode(tmp, x, lparam, lparamlen, modulus_bitlen, hash_idx, + out, outlen, stat); + } else { + /* now PKCS #1 v1.5 depad the packet */ + err = pkcs_1_v1_5_decode(tmp, x, LTC_PKCS_1_EME, modulus_bitlen, out, outlen, stat); + } + XFREE(tmp); return err; } #endif /* MRSA */ - - - - /* $Source$ */ /* $Revision$ */ /* $Date$ */ diff --git a/src/pk/rsa/rsa_encrypt_key.c b/src/pk/rsa/rsa_encrypt_key.c index 91bac09..3bc2109 100644 --- a/src/pk/rsa/rsa_encrypt_key.c +++ b/src/pk/rsa/rsa_encrypt_key.c @@ -12,8 +12,8 @@ /** @file rsa_encrypt_key.c - RSA PKCS OAEP encryption, Tom St Denis -*/ + RSA PKCS #1 encryption, Tom St Denis and Andreas Lange +*/ #ifdef MRSA @@ -28,30 +28,41 @@ @param prng An active PRNG @param prng_idx The index of the desired prng @param hash_idx The index of the desired hash + @param padding Type of padding (LTC_PKCS_1_OAEP or LTC_PKCS_1_V1_5) @param key The RSA key to encrypt to @return CRYPT_OK if successful -*/ -int rsa_encrypt_key(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - const unsigned char *lparam, unsigned long lparamlen, - prng_state *prng, int prng_idx, int hash_idx, rsa_key *key) +*/ +int rsa_encrypt_key_ex(const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen, + const unsigned char *lparam, unsigned long lparamlen, + prng_state *prng, int prng_idx, int hash_idx, int padding, rsa_key *key) { unsigned long modulus_bitlen, modulus_bytelen, x; int err; - + LTC_ARGCHK(in != NULL); LTC_ARGCHK(out != NULL); LTC_ARGCHK(outlen != NULL); LTC_ARGCHK(key != NULL); - - /* valid prng and hash ? */ + + /* valid padding? */ + if ((padding != LTC_PKCS_1_V1_5) && + (padding != LTC_PKCS_1_OAEP)) { + return CRYPT_PK_INVALID_PADDING; + } + + /* valid prng? */ if ((err = prng_is_valid(prng_idx)) != CRYPT_OK) { return err; } - if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) { - return err; + + if (padding == LTC_PKCS_1_OAEP) { + /* valid hash? */ + if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) { + return err; + } } - + /* get modulus len in bits */ modulus_bitlen = mp_count_bits( (key->N)); @@ -61,16 +72,26 @@ int rsa_encrypt_key(const unsigned char *in, unsigned long inlen, *outlen = modulus_bytelen; return CRYPT_BUFFER_OVERFLOW; } - - /* OAEP pad the key */ - x = *outlen; - if ((err = pkcs_1_oaep_encode(in, inlen, lparam, - lparamlen, modulus_bitlen, prng, prng_idx, hash_idx, - out, &x)) != CRYPT_OK) { - return err; - } - /* rsa exptmod the OAEP pad */ + if (padding == LTC_PKCS_1_OAEP) { + /* OAEP pad the key */ + x = *outlen; + if ((err = pkcs_1_oaep_encode(in, inlen, lparam, + lparamlen, modulus_bitlen, prng, prng_idx, hash_idx, + out, &x)) != CRYPT_OK) { + return err; + } + } else { + /* PKCS #1 v1.5 pad the key */ + x = *outlen; + if ((err = pkcs_1_v1_5_encode(in, inlen, LTC_PKCS_1_EME, + modulus_bitlen, prng, prng_idx, + out, &x)) != CRYPT_OK) { + return err; + } + } + + /* rsa exptmod the OAEP or PKCS #1 v1.5 pad */ return ltc_mp.rsa_me(out, x, out, outlen, PK_PUBLIC, key); } diff --git a/src/pk/rsa/rsa_sign_hash.c b/src/pk/rsa/rsa_sign_hash.c index dcaf4ed..ba59de4 100644 --- a/src/pk/rsa/rsa_sign_hash.c +++ b/src/pk/rsa/rsa_sign_hash.c @@ -12,17 +12,18 @@ /** @file rsa_sign_hash.c - RSA PKCS v2 PSS sign hash, Tom St Denis -*/ + RSA PKCS #1 v1.5 and v2 PSS sign hash, Tom St Denis and Andreas Lange +*/ #ifdef MRSA /** - (PKCS #1, v2.0) PSS pad then sign + PKCS #1 pad then sign @param in The hash to sign @param inlen The length of the hash to sign (octets) @param out [out] The signature - @param outlen [in/out] The max size and resulting size of the signature + @param outlen [in/out] The max size and resulting size of the signature + @param padding Type of padding (LTC_PKCS_1_PSS or LTC_PKCS_1_V1_5) @param prng An active PRNG state @param prng_idx The index of the PRNG desired @param hash_idx The index of the hash desired @@ -30,43 +31,96 @@ @param key The private RSA key to use @return CRYPT_OK if successful */ -int rsa_sign_hash(const unsigned char *in, unsigned long inlen, - unsigned char *out, unsigned long *outlen, - prng_state *prng, int prng_idx, - int hash_idx, unsigned long saltlen, - rsa_key *key) +int rsa_sign_hash_ex(const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen, + int padding, + prng_state *prng, int prng_idx, + int hash_idx, unsigned long saltlen, + rsa_key *key) { - unsigned long modulus_bitlen, modulus_bytelen, x; + unsigned long modulus_bitlen, modulus_bytelen, x, y; int err; - - LTC_ARGCHK(in != NULL); - LTC_ARGCHK(out != NULL); - LTC_ARGCHK(outlen != NULL); - LTC_ARGCHK(key != NULL); - - /* valid prng and hash ? */ - if ((err = prng_is_valid(prng_idx)) != CRYPT_OK) { - return err; - } - if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) { - return err; - } - - /* get modulus len in bits */ - modulus_bitlen = mp_count_bits( (key->N)); + + LTC_ARGCHK(in != NULL); + LTC_ARGCHK(out != NULL); + LTC_ARGCHK(outlen != NULL); + LTC_ARGCHK(key != NULL); + + /* valid padding? */ + if ((padding != LTC_PKCS_1_V1_5) && (padding != LTC_PKCS_1_PSS)) { + return CRYPT_PK_INVALID_PADDING; + } + + if (padding == LTC_PKCS_1_PSS) { + /* valid prng and hash ? */ + if ((err = prng_is_valid(prng_idx)) != CRYPT_OK) { + return err; + } + if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) { + return err; + } + } + + /* get modulus len in bits */ + modulus_bitlen = mp_count_bits((key->N)); /* outlen must be at least the size of the modulus */ - modulus_bytelen = mp_unsigned_bin_size( (key->N)); + modulus_bytelen = mp_unsigned_bin_size((key->N)); if (modulus_bytelen > *outlen) { *outlen = modulus_bytelen; return CRYPT_BUFFER_OVERFLOW; } - - /* PSS pad the key */ - x = *outlen; - if ((err = pkcs_1_pss_encode(in, inlen, saltlen, prng, prng_idx, - hash_idx, modulus_bitlen, out, &x)) != CRYPT_OK) { - return err; + + if (padding == LTC_PKCS_1_PSS) { + /* PSS pad the key */ + x = *outlen; + if ((err = pkcs_1_pss_encode(in, inlen, saltlen, prng, prng_idx, + hash_idx, modulus_bitlen, out, &x)) != CRYPT_OK) { + return err; + } + } else { + /* PKCS #1 v1.5 pad the hash */ + unsigned char *tmpin; + ltc_asn1_list digestinfo[2], siginfo[2]; + + /* not all hashes have OIDs... so sad */ + if (hash_descriptor[hash_idx].OIDlen == 0) { + return CRYPT_INVALID_ARG; + } + + /* construct the SEQUENCE + SEQUENCE { + SEQUENCE {hashoid OID + blah NULL + } + hash OCTET STRING + } + */ + LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, hash_descriptor[hash_idx].OID, hash_descriptor[hash_idx].OIDlen); + LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL, NULL, 0); + LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 2); + LTC_SET_ASN1(siginfo, 1, LTC_ASN1_OCTET_STRING, in, inlen); + + /* allocate memory for the encoding */ + y = mp_unsigned_bin_size(key->N); + tmpin = XMALLOC(y); + if (tmpin == NULL) { + return CRYPT_MEM; + } + + if ((err = der_encode_sequence(siginfo, 2, tmpin, &y)) != CRYPT_OK) { + XFREE(tmpin); + return err; + } + + x = *outlen; + if ((err = pkcs_1_v1_5_encode(tmpin, y, LTC_PKCS_1_EMSA, + modulus_bitlen, NULL, 0, + out, &x)) != CRYPT_OK) { + XFREE(tmpin); + return err; + } + XFREE(tmpin); } /* RSA encode it */ diff --git a/src/pk/rsa/rsa_verify_hash.c b/src/pk/rsa/rsa_verify_hash.c index aeb352b..115bf4e 100644 --- a/src/pk/rsa/rsa_verify_hash.c +++ b/src/pk/rsa/rsa_verify_hash.c @@ -12,45 +12,56 @@ /** @file rsa_verify_hash.c - RSA PKCS v2 PSS signature verification, Tom St Denis -*/ + RSA PKCS #1 v1.5 or v2 PSS signature verification, Tom St Denis and Andreas Lange +*/ #ifdef MRSA /** - (PKCS #1, v2.0) de-sign then PSS depad + PKCS #1 de-sign then v1.5 or PSS depad @param sig The signature data @param siglen The length of the signature data (octets) @param hash The hash of the message that was signed @param hashlen The length of the hash of the message that was signed (octets) + @param padding Type of padding (LTC_PKCS_1_PSS or LTC_PKCS_1_V1_5) @param hash_idx The index of the desired hash @param saltlen The length of the salt used during signature @param stat [out] The result of the signature comparison, 1==valid, 0==invalid @param key The public RSA key corresponding to the key that performed the signature @return CRYPT_OK on success (even if the signature is invalid) */ -int rsa_verify_hash(const unsigned char *sig, unsigned long siglen, - const unsigned char *hash, unsigned long hashlen, - int hash_idx, unsigned long saltlen, - int *stat, rsa_key *key) +int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen, + const unsigned char *hash, unsigned long hashlen, + int padding, + int hash_idx, unsigned long saltlen, + int *stat, rsa_key *key) { - unsigned long modulus_bitlen, modulus_bytelen, x; - int err; - unsigned char *tmpbuf; - + unsigned long modulus_bitlen, modulus_bytelen, x; + int err; + unsigned char *tmpbuf; + LTC_ARGCHK(hash != NULL); - LTC_ARGCHK(sig != NULL); - LTC_ARGCHK(stat != NULL); - LTC_ARGCHK(key != NULL); + LTC_ARGCHK(sig != NULL); + LTC_ARGCHK(stat != NULL); + LTC_ARGCHK(key != NULL); /* default to invalid */ *stat = 0; - - /* valid hash ? */ - if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) { - return err; + + /* valid padding? */ + + if ((padding != LTC_PKCS_1_V1_5) && + (padding != LTC_PKCS_1_PSS)) { + return CRYPT_PK_INVALID_PADDING; } - + + if (padding == LTC_PKCS_1_PSS) { + /* valid hash ? */ + if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) { + return err; + } + } + /* get modulus len in bits */ modulus_bitlen = mp_count_bits( (key->N)); @@ -59,22 +70,91 @@ int rsa_verify_hash(const unsigned char *sig, unsigned long siglen, if (modulus_bytelen != siglen) { return CRYPT_INVALID_PACKET; } - + /* allocate temp buffer for decoded sig */ tmpbuf = XMALLOC(siglen); if (tmpbuf == NULL) { return CRYPT_MEM; } - + /* RSA decode it */ x = siglen; if ((err = ltc_mp.rsa_me(sig, siglen, tmpbuf, &x, PK_PUBLIC, key)) != CRYPT_OK) { XFREE(tmpbuf); return err; } - - /* PSS decode it */ - err = pkcs_1_pss_decode(hash, hashlen, tmpbuf, x, saltlen, hash_idx, modulus_bitlen, stat); + + /* make sure the output is the right size */ + if (x != siglen) { + return CRYPT_INVALID_PACKET; + } + + if (padding == LTC_PKCS_1_PSS) { + /* PSS decode and verify it */ + err = pkcs_1_pss_decode(hash, hashlen, tmpbuf, x, saltlen, hash_idx, modulus_bitlen, stat); + } else { + /* PKCS #1 v1.5 decode it */ + unsigned char *out; + unsigned long outlen, loid[16]; + int decoded; + ltc_asn1_list digestinfo[2], siginfo[2]; + + /* not all hashes have OIDs... so sad */ + if (hash_descriptor[hash_idx].OIDlen == 0) { + err = CRYPT_INVALID_ARG; + goto bail_2; + } + + /* allocate temp buffer for decoded hash */ + outlen = ((modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0)) - 3; + out = XMALLOC(outlen); + if (out == NULL) { + err = CRYPT_MEM; + goto bail_2; + } + + if ((err = pkcs_1_v1_5_decode(tmpbuf, x, LTC_PKCS_1_EMSA, modulus_bitlen, out, &outlen, &decoded)) != CRYPT_OK) { + XFREE(out); + goto bail_2; + } + + /* now we must decode out[0...outlen-1] using ASN.1, test the OID and then test the hash */ + /* construct the SEQUENCE + SEQUENCE { + SEQUENCE {hashoid OID + blah NULL + } + hash OCTET STRING + } + */ + LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, loid, sizeof(loid)/sizeof(loid[0])); + LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL, NULL, 0); + LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 2); + LTC_SET_ASN1(siginfo, 1, LTC_ASN1_OCTET_STRING, tmpbuf, siglen); + + if ((err = der_decode_sequence(out, outlen, siginfo, 2)) != CRYPT_OK) { + XFREE(out); + goto bail_2; + } + + /* test OID */ + if ((digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) && + (XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx].OID, sizeof(unsigned long) * hash_descriptor[hash_idx].OIDlen) == 0) && + (siginfo[1].size == hashlen) && + (XMEMCMP(siginfo[1].data, hash, hashlen) == 0)) { + *stat = 1; + } + +#ifdef LTC_CLEAN_STACK + zeromem(out, outlen); +#endif + XFREE(out); + } + +bail_2: +#ifdef LTC_CLEAN_STACK + zeromem(tmpbuf, siglen); +#endif XFREE(tmpbuf); return err; } diff --git a/src/prngs/fortuna.c b/src/prngs/fortuna.c index 72055c9..6aaa0d9 100644 --- a/src/prngs/fortuna.c +++ b/src/prngs/fortuna.c @@ -138,7 +138,7 @@ int fortuna_start(prng_state *prng) for (x = 0; x < FORTUNA_POOLS; x++) { if ((err = sha256_init(&prng->fortuna.pool[x])) != CRYPT_OK) { for (y = 0; y < x; y++) { - sha256_done(&prng->fortuna.pool[x], tmp); + sha256_done(&prng->fortuna.pool[y], tmp); } return err; } @@ -245,7 +245,7 @@ unsigned long fortuna_read(unsigned char *out, unsigned long outlen, prng_state /* now generate the blocks required */ tlen = outlen; - /* handle whole blocks without the extra memcpy */ + /* handle whole blocks without the extra XMEMCPY */ while (outlen >= 16) { /* encrypt the IV and store it */ rijndael_ecb_encrypt(prng->fortuna.IV, out, &prng->fortuna.skey); @@ -386,23 +386,18 @@ int fortuna_import(const unsigned char *in, unsigned long inlen, prng_state *prn LTC_ARGCHK(in != NULL); LTC_ARGCHK(prng != NULL); - LTC_MUTEX_LOCK(&prng->fortuna.prng_lock); if (inlen != 32*FORTUNA_POOLS) { - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); return CRYPT_INVALID_ARG; } if ((err = fortuna_start(prng)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); return err; } for (x = 0; x < FORTUNA_POOLS; x++) { if ((err = fortuna_add_entropy(in+x*32, 32, prng)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); return err; } } - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); return err; } diff --git a/src/prngs/rc4.c b/src/prngs/rc4.c index da52cb6..8336220 100644 --- a/src/prngs/rc4.c +++ b/src/prngs/rc4.c @@ -130,6 +130,10 @@ unsigned long rc4_read(unsigned char *out, unsigned long outlen, prng_state *prn LTC_ARGCHK(out != NULL); LTC_ARGCHK(prng != NULL); +#ifdef LTC_VALGRIND + zeromem(out, outlen); +#endif + n = outlen; x = prng->rc4.x; y = prng->rc4.y; @@ -212,7 +216,7 @@ int rc4_import(const unsigned char *in, unsigned long inlen, prng_state *prng) */ int rc4_test(void) { -#ifndef LTC_TEST +#if !defined(LTC_TEST) || defined(LTC_VALGRIND) return CRYPT_NOP; #else static const struct { @@ -243,7 +247,7 @@ int rc4_test(void) return CRYPT_ERROR_READPRNG; } rc4_done(&prng); - if (memcmp(dst, tests[x].ct, 8)) { + if (XMEMCMP(dst, tests[x].ct, 8)) { #if 0 int y; printf("\n\nRC4 failed, I got:\n"); diff --git a/src/prngs/sober128.c b/src/prngs/sober128.c index 34c0b51..4bd8de2 100644 --- a/src/prngs/sober128.c +++ b/src/prngs/sober128.c @@ -294,6 +294,10 @@ unsigned long sober128_read(unsigned char *out, unsigned long outlen, prng_state LTC_ARGCHK(out != NULL); LTC_ARGCHK(prng != NULL); +#ifdef LTC_VALGRIND + zeromem(out, outlen); +#endif + c = &(prng->sober128); t = 0; tlen = outlen; @@ -437,11 +441,11 @@ int sober128_test(void) 16, 4, 20, /* key */ - { 't', 'e', 's', 't', ' ', 'k', 'e', 'y', - ' ', '1', '2', '8', 'b', 'i', 't', 's' }, + { 0x74, 0x65, 0x73, 0x74, 0x20, 0x6b, 0x65, 0x79, + 0x20, 0x31, 0x32, 0x38, 0x62, 0x69, 0x74, 0x73 }, /* IV */ - { 0x00, 0x00, 0x00, 0x0 }, + { 0x00, 0x00, 0x00, 0x00 }, /* expected output */ { 0x43, 0x50, 0x0c, 0xcf, 0x89, 0x91, 0x9f, 0x1d, @@ -470,12 +474,12 @@ int sober128_test(void) if ((err = sober128_ready(&prng)) != CRYPT_OK) { return err; } - memset(dst, 0, tests[x].len); + XMEMSET(dst, 0, tests[x].len); if (sober128_read(dst, tests[x].len, &prng) != (unsigned long)tests[x].len) { return CRYPT_ERROR_READPRNG; } sober128_done(&prng); - if (memcmp(dst, tests[x].out, tests[x].len)) { + if (XMEMCMP(dst, tests[x].out, tests[x].len)) { #if 0 printf("\n\nSOBER128 failed, I got:\n"); for (y = 0; y < tests[x].len; y++) printf("%02x ", dst[y]); diff --git a/src/prngs/yarrow.c b/src/prngs/yarrow.c index 298ec5e..b485421 100644 --- a/src/prngs/yarrow.c +++ b/src/prngs/yarrow.c @@ -66,6 +66,12 @@ int yarrow_start(prng_state *prng) prng->yarrow.cipher = register_cipher(&rc2_desc); #elif defined(NOEKEON) prng->yarrow.cipher = register_cipher(&noekeon_desc); +#elif defined(ANUBIS) + prng->yarrow.cipher = register_cipher(&anubis_desc); +#elif defined(KSEED) + prng->yarrow.cipher = register_cipher(&kseed_desc); +#elif defined(KHAZAD) + prng->yarrow.cipher = register_cipher(&khazad_desc); #elif defined(CAST5) prng->yarrow.cipher = register_cipher(&cast5_desc); #elif defined(XTEA) @@ -89,6 +95,10 @@ int yarrow_start(prng_state *prng) prng->yarrow.hash = register_hash(&tiger_desc); #elif defined(SHA1) prng->yarrow.hash = register_hash(&sha1_desc); +#elif defined(RIPEMD320) + prng->yarrow.hash = register_hash(&rmd320_desc); +#elif defined(RIPEMD256) + prng->yarrow.hash = register_hash(&rmd256_desc); #elif defined(RIPEMD160) prng->yarrow.hash = register_hash(&rmd160_desc); #elif defined(RIPEMD128) @@ -340,7 +350,6 @@ int yarrow_test(void) return err; } - yarrow_done(&prng); return CRYPT_OK; #endif } diff --git a/testprof/ecc_test.c b/testprof/ecc_test.c index d42d1fd..579cf6e 100644 --- a/testprof/ecc_test.c +++ b/testprof/ecc_test.c @@ -3,6 +3,15 @@ #ifdef MECC static int sizes[] = { +#ifdef ECC112 +14, +#endif +#ifdef ECC128 +16, +#endif +#ifdef ECC160 +20, +#endif #ifdef ECC192 24, #endif @@ -39,10 +48,10 @@ int ecc_tests (void) DO(ecc_make_key (&yarrow_prng, find_prng ("yarrow"), sizes[s], &userb)); /* make the shared secret */ - x = 4096; + x = sizeof(buf[0]); DO(ecc_shared_secret (&usera, &userb, buf[0], &x)); - y = 4096; + y = sizeof(buf[1]); DO(ecc_shared_secret (&userb, &usera, buf[1], &y)); if (y != x) { @@ -56,14 +65,14 @@ int ecc_tests (void) } /* now export userb */ - y = 4096; + y = sizeof(buf[0]); DO(ecc_export (buf[1], &y, PK_PUBLIC, &userb)); ecc_free (&userb); /* import and make the shared secret again */ DO(ecc_import (buf[1], y, &userb)); - z = 4096; + z = sizeof(buf[0]); DO(ecc_shared_secret (&usera, &userb, buf[2], &z)); if (z != x) { @@ -74,6 +83,28 @@ int ecc_tests (void) fprintf(stderr, "Failed. Contents didn't match."); return 1; } + + /* export with ANSI X9.63 */ + y = sizeof(buf[1]); + DO(ecc_ansi_x963_export(&userb, buf[1], &y)); + ecc_free (&userb); + + /* now import the ANSI key */ + DO(ecc_ansi_x963_import(buf[1], y, &userb)); + + /* shared secret */ + z = sizeof(buf[0]); + DO(ecc_shared_secret (&usera, &userb, buf[2], &z)); + + if (z != x) { + fprintf(stderr, "failed. Size don't match?"); + return 1; + } + if (memcmp (buf[0], buf[2], x)) { + fprintf(stderr, "Failed. Contents didn't match."); + return 1; + } + ecc_free (&usera); ecc_free (&userb); diff --git a/testprof/mac_test.c b/testprof/mac_test.c index e22a72a..908deca 100644 --- a/testprof/mac_test.c +++ b/testprof/mac_test.c @@ -3,15 +3,21 @@ int mac_test(void) { -#ifdef HMAC +#ifdef LTC_HMAC DO(hmac_test()); #endif -#ifdef PMAC +#ifdef LTC_PMAC DO(pmac_test()); #endif -#ifdef OMAC +#ifdef LTC_OMAC DO(omac_test()); #endif +#ifdef LTC_XCBC + DO(xcbc_test()); +#endif +#ifdef LTC_F9_MODE + DO(f9_test()); +#endif #ifdef EAX_MODE DO(eax_test()); #endif diff --git a/testprof/modes_test.c b/testprof/modes_test.c index ae97b2c..6d307c5 100644 --- a/testprof/modes_test.c +++ b/testprof/modes_test.c @@ -13,9 +13,6 @@ int modes_test(void) #endif #ifdef LTC_OFB_MODE symmetric_OFB ofb; -#endif -#ifdef LTC_CTR_MODE - symmetric_CTR ctr; #endif unsigned long l; @@ -107,25 +104,7 @@ int modes_test(void) #endif #ifdef LTC_CTR_MODE - /* test CTR mode */ - /* encode the block */ - DO(ctr_start(cipher_idx, iv, key, 16, 0, CTR_COUNTER_LITTLE_ENDIAN, &ctr)); - l = sizeof(iv2); - DO(ctr_getiv(iv2, &l, &ctr)); - if (l != 16 || memcmp(iv2, iv, 16)) { - fprintf(stderr, "ctr_getiv failed"); - return 1; - } - DO(ctr_encrypt(pt, ct, 57, &ctr)); - - /* decode the block */ - DO(ctr_setiv(iv2, l, &ctr)); - zeromem(tmp, sizeof(tmp)); - DO(ctr_decrypt(ct, tmp, 57, &ctr)); - if (memcmp(tmp, pt, 57) != 0) { - fprintf(stderr, "CTR failed"); - return 1; - } + DO(ctr_test()); #endif return 0; diff --git a/testprof/rsa_test.c b/testprof/rsa_test.c index 5f6ce9a..aa3f0c3 100644 --- a/testprof/rsa_test.c +++ b/testprof/rsa_test.c @@ -126,7 +126,7 @@ int rsa_test(void) { unsigned char in[1024], out[1024], tmp[1024]; rsa_key key, privKey, pubKey; - int hash_idx, prng_idx, stat, stat2; + int hash_idx, prng_idx, stat, stat2, err; unsigned long rsa_msgsize, len, len2, cnt; static unsigned char lparam[] = { 0x01, 0x02, 0x03, 0x04 }; @@ -257,6 +257,24 @@ for (cnt = 0; cnt < len; ) { } } + /* encrypt the key PKCS #1 v1.5 (payload from 1 to 117 bytes) */ + for (rsa_msgsize = 1; rsa_msgsize <= 117; rsa_msgsize++) { + len = sizeof(out); + len2 = rsa_msgsize; + DO(rsa_encrypt_key_ex(in, rsa_msgsize, out, &len, NULL, 0, &yarrow_prng, prng_idx, 0, LTC_PKCS_1_V1_5, &key)); + + len2 = rsa_msgsize; + DO(rsa_decrypt_key_ex(out, len, tmp, &len2, NULL, 0, 0, LTC_PKCS_1_V1_5, &stat, &key)); + if (!(stat == 1 && stat2 == 0)) { + fprintf(stderr, "rsa_decrypt_key_ex failed, %d, %d", stat, stat2); + return 1; + } + if (len2 != rsa_msgsize || memcmp(tmp, in, rsa_msgsize)) { + fprintf(stderr, "rsa_decrypt_key_ex mismatch len %lu", len2); + return 1; + } + } + /* sign a message (unsalted, lower cholestorol and Atkins approved) now */ len = sizeof(out); DO(rsa_sign_hash(in, 20, out, &len, &yarrow_prng, prng_idx, hash_idx, 0, &key)); @@ -331,6 +349,22 @@ for (cnt = 0; cnt < len; ) { return 1; } + /* sign a message with PKCS #1 v1.5 */ + len = sizeof(out); + DO(rsa_sign_hash_ex(in, 20, out, &len, LTC_PKCS_1_V1_5, &yarrow_prng, prng_idx, hash_idx, 8, &privKey)); + DO(rsa_verify_hash_ex(out, len, in, 20, LTC_PKCS_1_V1_5, hash_idx, 8, &stat, &pubKey)); + /* change a byte */ + in[0] ^= 1; + DO(rsa_verify_hash_ex(out, len, in, 20, LTC_PKCS_1_V1_5, hash_idx, 8, &stat2, &pubKey)); + + if (!(stat == 1 && stat2 == 0)) { + fprintf(stderr, "rsa_verify_hash_ex failed, %d, %d", stat, stat2); + rsa_free(&key); + rsa_free(&pubKey); + rsa_free(&privKey); + return 1; + } + /* free the key and return */ rsa_free(&key); rsa_free(&pubKey); diff --git a/testprof/test_driver.c b/testprof/test_driver.c index 721a992..6e54668 100644 --- a/testprof/test_driver.c +++ b/testprof/test_driver.c @@ -4,7 +4,9 @@ void run_cmd(int res, int line, char *file, char *cmd) { if (res != CRYPT_OK) { fprintf(stderr, "%s (%d)\n%s:%d:%s\n", error_to_string(res), res, file, line, cmd); - exit(EXIT_FAILURE); + if (res != CRYPT_NOP) { + exit(EXIT_FAILURE); + } } } diff --git a/testprof/tomcrypt_test.h b/testprof/tomcrypt_test.h index 4779383..4ac0a97 100644 --- a/testprof/tomcrypt_test.h +++ b/testprof/tomcrypt_test.h @@ -67,6 +67,7 @@ void time_mult(void); void time_sqr(void); void time_prng(void); void time_rsa(void); +void time_dsa(void); void time_katja(void); void time_ecc(void); void time_macs_(unsigned long MAC_SIZE); diff --git a/testprof/x86_prof.c b/testprof/x86_prof.c index 18816c6..30c9226 100644 --- a/testprof/x86_prof.c +++ b/testprof/x86_prof.c @@ -173,6 +173,12 @@ void reg_algs(void) #ifdef ANUBIS register_cipher (&anubis_desc); #endif +#ifdef KSEED + register_cipher (&kseed_desc); +#endif +#ifdef LTC_KASUMI + register_cipher (&kasumi_desc); +#endif #ifdef TIGER register_hash (&tiger_desc); @@ -207,6 +213,12 @@ void reg_algs(void) #ifdef RIPEMD160 register_hash (&rmd160_desc); #endif +#ifdef RIPEMD256 + register_hash (&rmd256_desc); +#endif +#ifdef RIPEMD320 + register_hash (&rmd320_desc); +#endif #ifdef WHIRLPOOL register_hash (&whirlpool_desc); #endif @@ -747,15 +759,61 @@ void time_prng(void) } } +#ifdef MDSA +/* time various DSA operations */ +void time_dsa(void) +{ + dsa_key key; + ulong64 t1, t2; + unsigned char buf[2][2048]; + unsigned long x, y, z, zzz; + int err, zz, stat, i; +static const struct { + int group, modulus; +} groups[] = { +{ 20, 96 }, +{ 20, 128 }, +{ 24, 192 }, +{ 28, 256 }, +{ 32, 512 } +}; + + for (x = 0; x < (sizeof(groups)/sizeof(groups[0])); x++) { + t2 = 0; + for (y = 0; y < 4; y++) { + t_start(); + t1 = t_read(); + if ((err = dsa_make_key(&yarrow_prng, find_prng("yarrow"), groups[x].group, groups[x].modulus, &key)) != CRYPT_OK) { + fprintf(stderr, "\n\ndsa_make_key says %s, wait...no it should say %s...damn you!\n", error_to_string(err), error_to_string(CRYPT_OK)); + exit(EXIT_FAILURE); + } + t1 = t_read() - t1; + t2 += t1; + +#ifdef LTC_PROFILE + t2 <<= 2; + break; +#endif + if (y < 3) { + dsa_free(&key); + } + } + t2 >>= 2; + fprintf(stderr, "DSA-(%lu, %lu) make_key took %15llu cycles\n", groups[x].group*8, groups[x].modulus*8, t2); + } +} +#endif + + #ifdef MRSA /* time various RSA operations */ void time_rsa(void) { - rsa_key key; - ulong64 t1, t2; - unsigned char buf[2][4096]; + rsa_key key; + ulong64 t1, t2; + unsigned char buf[2][2048]; unsigned long x, y, z, zzz; - int err, zz; + int err, zz, stat; for (x = 1024; x <= 2048; x += 256) { t2 = 0; @@ -769,6 +827,11 @@ void time_rsa(void) t1 = t_read() - t1; t2 += t1; +#ifdef LTC_PROFILE + t2 <<= 2; + break; +#endif + if (y < 3) { rsa_free(&key); } @@ -789,6 +852,10 @@ void time_rsa(void) } t1 = t_read() - t1; t2 += t1; +#ifdef LTC_PROFILE + t2 <<= 4; + break; +#endif } t2 >>= 4; fprintf(stderr, "RSA-%lu encrypt_key took %15llu cycles\n", x, t2); @@ -805,11 +872,56 @@ void time_rsa(void) } t1 = t_read() - t1; t2 += t1; +#ifdef LTC_PROFILE + t2 <<= 11; + break; +#endif } t2 >>= 11; fprintf(stderr, "RSA-%lu decrypt_key took %15llu cycles\n", x, t2); + t2 = 0; + for (y = 0; y < 256; y++) { + t_start(); + t1 = t_read(); + z = sizeof(buf[1]); + if ((err = rsa_sign_hash(buf[0], 20, buf[1], &z, &yarrow_prng, + find_prng("yarrow"), find_hash("sha1"), 8, &key)) != CRYPT_OK) { + fprintf(stderr, "\n\nrsa_sign_hash says %s, wait...no it should say %s...damn you!\n", error_to_string(err), error_to_string(CRYPT_OK)); + exit(EXIT_FAILURE); + } + t1 = t_read() - t1; + t2 += t1; +#ifdef LTC_PROFILE + t2 <<= 8; + break; +#endif + } + t2 >>= 8; + fprintf(stderr, "RSA-%lu sign_hash took %15llu cycles\n", x, t2); + t2 = 0; + for (y = 0; y < 2048; y++) { + t_start(); + t1 = t_read(); + if ((err = rsa_verify_hash(buf[1], z, buf[0], 20, find_hash("sha1"), 8, &stat, &key)) != CRYPT_OK) { + fprintf(stderr, "\n\nrsa_verify_hash says %s, wait...no it should say %s...damn you!\n", error_to_string(err), error_to_string(CRYPT_OK)); + exit(EXIT_FAILURE); + } + if (stat == 0) { + fprintf(stderr, "\n\nrsa_verify_hash for RSA-%lu failed to verify signature(%lu)\n", x, y); + exit(EXIT_FAILURE); + } + t1 = t_read() - t1; + t2 += t1; +#ifdef LTC_PROFILE + t2 <<= 11; + break; +#endif + } + t2 >>= 11; + fprintf(stderr, "RSA-%lu verify_hash took %15llu cycles\n", x, t2); + fprintf(stderr, "\n\n"); rsa_free(&key); } } @@ -840,7 +952,7 @@ void time_katja(void) t2 += t1; if (y < 3) { - rsa_free(&key); + katja_free(&key); } } t2 >>= 2; @@ -893,10 +1005,19 @@ void time_ecc(void) { ecc_key key; ulong64 t1, t2; - unsigned char buf[2][4096]; - unsigned long i, x, y, z; - int err; + unsigned char buf[2][256]; + unsigned long i, w, x, y, z; + int err, stat; static unsigned long sizes[] = { +#ifdef ECC112 +112/8, +#endif +#ifdef ECC128 +128/8, +#endif +#ifdef ECC160 +160/8, +#endif #ifdef ECC192 192/8, #endif @@ -926,6 +1047,11 @@ void time_ecc(void) t1 = t_read() - t1; t2 += t1; +#ifdef LTC_PROFILE + t2 <<= 8; + break; +#endif + if (y < 255) { ecc_free(&key); } @@ -945,9 +1071,76 @@ void time_ecc(void) } t1 = t_read() - t1; t2 += t1; +#ifdef LTC_PROFILE + t2 <<= 8; + break; +#endif } t2 >>= 8; fprintf(stderr, "ECC-%lu encrypt_key took %15llu cycles\n", x*8, t2); + + t2 = 0; + for (y = 0; y < 256; y++) { + t_start(); + t1 = t_read(); + w = 20; + if ((err = ecc_decrypt_key(buf[1], z, buf[0], &w, &key)) != CRYPT_OK) { + fprintf(stderr, "\n\necc_decrypt_key says %s, wait...no it should say %s...damn you!\n", error_to_string(err), error_to_string(CRYPT_OK)); + exit(EXIT_FAILURE); + } + t1 = t_read() - t1; + t2 += t1; +#ifdef LTC_PROFILE + t2 <<= 8; + break; +#endif + } + t2 >>= 8; + fprintf(stderr, "ECC-%lu decrypt_key took %15llu cycles\n", x*8, t2); + + t2 = 0; + for (y = 0; y < 256; y++) { + t_start(); + t1 = t_read(); + z = sizeof(buf[1]); + if ((err = ecc_sign_hash(buf[0], 20, buf[1], &z, &yarrow_prng, + find_prng("yarrow"), &key)) != CRYPT_OK) { + fprintf(stderr, "\n\necc_sign_hash says %s, wait...no it should say %s...damn you!\n", error_to_string(err), error_to_string(CRYPT_OK)); + exit(EXIT_FAILURE); + } + t1 = t_read() - t1; + t2 += t1; +#ifdef LTC_PROFILE + t2 <<= 8; + break; +#endif + } + t2 >>= 8; + fprintf(stderr, "ECC-%lu sign_hash took %15llu cycles\n", x*8, t2); + + t2 = 0; + for (y = 0; y < 256; y++) { + t_start(); + t1 = t_read(); + if ((err = ecc_verify_hash(buf[1], z, buf[0], 20, &stat, &key)) != CRYPT_OK) { + fprintf(stderr, "\n\necc_verify_hash says %s, wait...no it should say %s...damn you!\n", error_to_string(err), error_to_string(CRYPT_OK)); + exit(EXIT_FAILURE); + } + if (stat == 0) { + fprintf(stderr, "\n\necc_verify_hash for ECC-%lu failed to verify signature(%lu)\n", x*8, y); + exit(EXIT_FAILURE); + } + t1 = t_read() - t1; + t2 += t1; +#ifdef LTC_PROFILE + t2 <<= 8; + break; +#endif + } + t2 >>= 8; + fprintf(stderr, "ECC-%lu verify_hash took %15llu cycles\n", x*8, t2); + + fprintf(stderr, "\n\n"); ecc_free(&key); } } @@ -981,7 +1174,7 @@ void time_macs_(unsigned long MAC_SIZE) yarrow_read(buf, MAC_SIZE*1024, &yarrow_prng); yarrow_read(key, 16, &yarrow_prng); -#ifdef OMAC +#ifdef LTC_OMAC t2 = -1; for (x = 0; x < 10000; x++) { t_start(); @@ -997,7 +1190,39 @@ void time_macs_(unsigned long MAC_SIZE) fprintf(stderr, "OMAC-%s\t\t%9llu\n", cipher_descriptor[cipher_idx].name, t2/(ulong64)(MAC_SIZE*1024)); #endif -#ifdef PMAC +#ifdef LTC_XCBC + t2 = -1; + for (x = 0; x < 10000; x++) { + t_start(); + t1 = t_read(); + z = 16; + if ((err = xcbc_memory(cipher_idx, key, 16, buf, MAC_SIZE*1024, tag, &z)) != CRYPT_OK) { + fprintf(stderr, "\n\nxcbc error... %s\n", error_to_string(err)); + exit(EXIT_FAILURE); + } + t1 = t_read() - t1; + if (t1 < t2) t2 = t1; + } + fprintf(stderr, "XCBC-%s\t\t%9llu\n", cipher_descriptor[cipher_idx].name, t2/(ulong64)(MAC_SIZE*1024)); +#endif + +#ifdef LTC_F9_MODE + t2 = -1; + for (x = 0; x < 10000; x++) { + t_start(); + t1 = t_read(); + z = 16; + if ((err = f9_memory(cipher_idx, key, 16, buf, MAC_SIZE*1024, tag, &z)) != CRYPT_OK) { + fprintf(stderr, "\n\nF9 error... %s\n", error_to_string(err)); + exit(EXIT_FAILURE); + } + t1 = t_read() - t1; + if (t1 < t2) t2 = t1; + } + fprintf(stderr, "F9-%s\t\t\t%9llu\n", cipher_descriptor[cipher_idx].name, t2/(ulong64)(MAC_SIZE*1024)); +#endif + +#ifdef LTC_PMAC t2 = -1; for (x = 0; x < 10000; x++) { t_start(); @@ -1029,7 +1254,7 @@ void time_macs_(unsigned long MAC_SIZE) fprintf(stderr, "PELICAN \t\t%9llu\n", t2/(ulong64)(MAC_SIZE*1024)); #endif -#ifdef HMAC +#ifdef LTC_HMAC t2 = -1; for (x = 0; x < 10000; x++) { t_start();