source: grub-pc/trunk/fuentes/grub-core/lib/libgcrypt-grub/cipher/twofish.c @ 22

Last change on this file since 22 was 22, checked in by mabarracus, 4 years ago

updated version and apply net.ifnames=0 into debian/rules

File size: 48.3 KB
Line 
1/* This file was automatically imported with
2   import_gcry.py. Please don't modify it */
3#include <grub/dl.h>
4GRUB_MOD_LICENSE ("GPLv3+");
5/* Twofish for GPG
6 * Copyright (C) 1998, 2002, 2003 Free Software Foundation, Inc.
7 * Written by Matthew Skala <mskala@ansuz.sooke.bc.ca>, July 26, 1998
8 * 256-bit key length added March 20, 1999
9 * Some modifications to reduce the text size by Werner Koch, April, 1998
10 *
11 * This file is part of Libgcrypt.
12 *
13 * Libgcrypt is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU Lesser General Public License as
15 * published by the Free Software Foundation; either version 2.1 of
16 * the License, or (at your option) any later version.
17 *
18 * Libgcrypt is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
21 * GNU Lesser General Public License for more details.
22 *
23 * You should have received a copy of the GNU Lesser General Public
24 * License along with this program; if not, write to the Free Software
25 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
26 ********************************************************************
27 *
28 * This code is a "clean room" implementation, written from the paper
29 * _Twofish: A 128-Bit Block Cipher_ by Bruce Schneier, John Kelsey,
30 * Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, available
31 * through http://www.counterpane.com/twofish.html
32 *
33 * For background information on multiplication in finite fields, used for
34 * the matrix operations in the key schedule, see the book _Contemporary
35 * Abstract Algebra_ by Joseph A. Gallian, especially chapter 22 in the
36 * Third Edition.
37 *
38 * Only the 128- and 256-bit key sizes are supported.  This code is intended
39 * for GNU C on a 32-bit system, but it should work almost anywhere.  Loops
40 * are unrolled, precomputation tables are used, etc., for maximum speed at
41 * some cost in memory consumption. */
42
43
44#include "types.h"  /* for byte and u32 typedefs */
45#include "g10lib.h"
46#include "cipher.h"
47
48/* Prototype for the self-test function. */
49
50/* Structure for an expanded Twofish key.  s contains the key-dependent
51 * S-boxes composed with the MDS matrix; w contains the eight "whitening"
52 * subkeys, K[0] through K[7].  k holds the remaining, "round" subkeys.  Note
53 * that k[i] corresponds to what the Twofish paper calls K[i+8]. */
54typedef struct {
55   u32 s[4][256], w[8], k[32];
56} TWOFISH_context;
57
58/* These two tables are the q0 and q1 permutations, exactly as described in
59 * the Twofish paper. */
60
61static const byte q0[256] = {
62   0xA9, 0x67, 0xB3, 0xE8, 0x04, 0xFD, 0xA3, 0x76, 0x9A, 0x92, 0x80, 0x78,
63   0xE4, 0xDD, 0xD1, 0x38, 0x0D, 0xC6, 0x35, 0x98, 0x18, 0xF7, 0xEC, 0x6C,
64   0x43, 0x75, 0x37, 0x26, 0xFA, 0x13, 0x94, 0x48, 0xF2, 0xD0, 0x8B, 0x30,
65   0x84, 0x54, 0xDF, 0x23, 0x19, 0x5B, 0x3D, 0x59, 0xF3, 0xAE, 0xA2, 0x82,
66   0x63, 0x01, 0x83, 0x2E, 0xD9, 0x51, 0x9B, 0x7C, 0xA6, 0xEB, 0xA5, 0xBE,
67   0x16, 0x0C, 0xE3, 0x61, 0xC0, 0x8C, 0x3A, 0xF5, 0x73, 0x2C, 0x25, 0x0B,
68   0xBB, 0x4E, 0x89, 0x6B, 0x53, 0x6A, 0xB4, 0xF1, 0xE1, 0xE6, 0xBD, 0x45,
69   0xE2, 0xF4, 0xB6, 0x66, 0xCC, 0x95, 0x03, 0x56, 0xD4, 0x1C, 0x1E, 0xD7,
70   0xFB, 0xC3, 0x8E, 0xB5, 0xE9, 0xCF, 0xBF, 0xBA, 0xEA, 0x77, 0x39, 0xAF,
71   0x33, 0xC9, 0x62, 0x71, 0x81, 0x79, 0x09, 0xAD, 0x24, 0xCD, 0xF9, 0xD8,
72   0xE5, 0xC5, 0xB9, 0x4D, 0x44, 0x08, 0x86, 0xE7, 0xA1, 0x1D, 0xAA, 0xED,
73   0x06, 0x70, 0xB2, 0xD2, 0x41, 0x7B, 0xA0, 0x11, 0x31, 0xC2, 0x27, 0x90,
74   0x20, 0xF6, 0x60, 0xFF, 0x96, 0x5C, 0xB1, 0xAB, 0x9E, 0x9C, 0x52, 0x1B,
75   0x5F, 0x93, 0x0A, 0xEF, 0x91, 0x85, 0x49, 0xEE, 0x2D, 0x4F, 0x8F, 0x3B,
76   0x47, 0x87, 0x6D, 0x46, 0xD6, 0x3E, 0x69, 0x64, 0x2A, 0xCE, 0xCB, 0x2F,
77   0xFC, 0x97, 0x05, 0x7A, 0xAC, 0x7F, 0xD5, 0x1A, 0x4B, 0x0E, 0xA7, 0x5A,
78   0x28, 0x14, 0x3F, 0x29, 0x88, 0x3C, 0x4C, 0x02, 0xB8, 0xDA, 0xB0, 0x17,
79   0x55, 0x1F, 0x8A, 0x7D, 0x57, 0xC7, 0x8D, 0x74, 0xB7, 0xC4, 0x9F, 0x72,
80   0x7E, 0x15, 0x22, 0x12, 0x58, 0x07, 0x99, 0x34, 0x6E, 0x50, 0xDE, 0x68,
81   0x65, 0xBC, 0xDB, 0xF8, 0xC8, 0xA8, 0x2B, 0x40, 0xDC, 0xFE, 0x32, 0xA4,
82   0xCA, 0x10, 0x21, 0xF0, 0xD3, 0x5D, 0x0F, 0x00, 0x6F, 0x9D, 0x36, 0x42,
83   0x4A, 0x5E, 0xC1, 0xE0
84};
85
86static const byte q1[256] = {
87   0x75, 0xF3, 0xC6, 0xF4, 0xDB, 0x7B, 0xFB, 0xC8, 0x4A, 0xD3, 0xE6, 0x6B,
88   0x45, 0x7D, 0xE8, 0x4B, 0xD6, 0x32, 0xD8, 0xFD, 0x37, 0x71, 0xF1, 0xE1,
89   0x30, 0x0F, 0xF8, 0x1B, 0x87, 0xFA, 0x06, 0x3F, 0x5E, 0xBA, 0xAE, 0x5B,
90   0x8A, 0x00, 0xBC, 0x9D, 0x6D, 0xC1, 0xB1, 0x0E, 0x80, 0x5D, 0xD2, 0xD5,
91   0xA0, 0x84, 0x07, 0x14, 0xB5, 0x90, 0x2C, 0xA3, 0xB2, 0x73, 0x4C, 0x54,
92   0x92, 0x74, 0x36, 0x51, 0x38, 0xB0, 0xBD, 0x5A, 0xFC, 0x60, 0x62, 0x96,
93   0x6C, 0x42, 0xF7, 0x10, 0x7C, 0x28, 0x27, 0x8C, 0x13, 0x95, 0x9C, 0xC7,
94   0x24, 0x46, 0x3B, 0x70, 0xCA, 0xE3, 0x85, 0xCB, 0x11, 0xD0, 0x93, 0xB8,
95   0xA6, 0x83, 0x20, 0xFF, 0x9F, 0x77, 0xC3, 0xCC, 0x03, 0x6F, 0x08, 0xBF,
96   0x40, 0xE7, 0x2B, 0xE2, 0x79, 0x0C, 0xAA, 0x82, 0x41, 0x3A, 0xEA, 0xB9,
97   0xE4, 0x9A, 0xA4, 0x97, 0x7E, 0xDA, 0x7A, 0x17, 0x66, 0x94, 0xA1, 0x1D,
98   0x3D, 0xF0, 0xDE, 0xB3, 0x0B, 0x72, 0xA7, 0x1C, 0xEF, 0xD1, 0x53, 0x3E,
99   0x8F, 0x33, 0x26, 0x5F, 0xEC, 0x76, 0x2A, 0x49, 0x81, 0x88, 0xEE, 0x21,
100   0xC4, 0x1A, 0xEB, 0xD9, 0xC5, 0x39, 0x99, 0xCD, 0xAD, 0x31, 0x8B, 0x01,
101   0x18, 0x23, 0xDD, 0x1F, 0x4E, 0x2D, 0xF9, 0x48, 0x4F, 0xF2, 0x65, 0x8E,
102   0x78, 0x5C, 0x58, 0x19, 0x8D, 0xE5, 0x98, 0x57, 0x67, 0x7F, 0x05, 0x64,
103   0xAF, 0x63, 0xB6, 0xFE, 0xF5, 0xB7, 0x3C, 0xA5, 0xCE, 0xE9, 0x68, 0x44,
104   0xE0, 0x4D, 0x43, 0x69, 0x29, 0x2E, 0xAC, 0x15, 0x59, 0xA8, 0x0A, 0x9E,
105   0x6E, 0x47, 0xDF, 0x34, 0x35, 0x6A, 0xCF, 0xDC, 0x22, 0xC9, 0xC0, 0x9B,
106   0x89, 0xD4, 0xED, 0xAB, 0x12, 0xA2, 0x0D, 0x52, 0xBB, 0x02, 0x2F, 0xA9,
107   0xD7, 0x61, 0x1E, 0xB4, 0x50, 0x04, 0xF6, 0xC2, 0x16, 0x25, 0x86, 0x56,
108   0x55, 0x09, 0xBE, 0x91
109};
110
111/* These MDS tables are actually tables of MDS composed with q0 and q1,
112 * because it is only ever used that way and we can save some time by
113 * precomputing.  Of course the main saving comes from precomputing the
114 * GF(2^8) multiplication involved in the MDS matrix multiply; by looking
115 * things up in these tables we reduce the matrix multiply to four lookups
116 * and three XORs.  Semi-formally, the definition of these tables is:
117 * mds[0][i] = MDS (q1[i] 0 0 0)^T  mds[1][i] = MDS (0 q0[i] 0 0)^T
118 * mds[2][i] = MDS (0 0 q1[i] 0)^T  mds[3][i] = MDS (0 0 0 q0[i])^T
119 * where ^T means "transpose", the matrix multiply is performed in GF(2^8)
120 * represented as GF(2)[x]/v(x) where v(x)=x^8+x^6+x^5+x^3+1 as described
121 * by Schneier et al, and I'm casually glossing over the byte/word
122 * conversion issues. */
123
124static const u32 mds[4][256] = {
125   {0xBCBC3275, 0xECEC21F3, 0x202043C6, 0xB3B3C9F4, 0xDADA03DB, 0x02028B7B,
126    0xE2E22BFB, 0x9E9EFAC8, 0xC9C9EC4A, 0xD4D409D3, 0x18186BE6, 0x1E1E9F6B,
127    0x98980E45, 0xB2B2387D, 0xA6A6D2E8, 0x2626B74B, 0x3C3C57D6, 0x93938A32,
128    0x8282EED8, 0x525298FD, 0x7B7BD437, 0xBBBB3771, 0x5B5B97F1, 0x474783E1,
129    0x24243C30, 0x5151E20F, 0xBABAC6F8, 0x4A4AF31B, 0xBFBF4887, 0x0D0D70FA,
130    0xB0B0B306, 0x7575DE3F, 0xD2D2FD5E, 0x7D7D20BA, 0x666631AE, 0x3A3AA35B,
131    0x59591C8A, 0x00000000, 0xCDCD93BC, 0x1A1AE09D, 0xAEAE2C6D, 0x7F7FABC1,
132    0x2B2BC7B1, 0xBEBEB90E, 0xE0E0A080, 0x8A8A105D, 0x3B3B52D2, 0x6464BAD5,
133    0xD8D888A0, 0xE7E7A584, 0x5F5FE807, 0x1B1B1114, 0x2C2CC2B5, 0xFCFCB490,
134    0x3131272C, 0x808065A3, 0x73732AB2, 0x0C0C8173, 0x79795F4C, 0x6B6B4154,
135    0x4B4B0292, 0x53536974, 0x94948F36, 0x83831F51, 0x2A2A3638, 0xC4C49CB0,
136    0x2222C8BD, 0xD5D5F85A, 0xBDBDC3FC, 0x48487860, 0xFFFFCE62, 0x4C4C0796,
137    0x4141776C, 0xC7C7E642, 0xEBEB24F7, 0x1C1C1410, 0x5D5D637C, 0x36362228,
138    0x6767C027, 0xE9E9AF8C, 0x4444F913, 0x1414EA95, 0xF5F5BB9C, 0xCFCF18C7,
139    0x3F3F2D24, 0xC0C0E346, 0x7272DB3B, 0x54546C70, 0x29294CCA, 0xF0F035E3,
140    0x0808FE85, 0xC6C617CB, 0xF3F34F11, 0x8C8CE4D0, 0xA4A45993, 0xCACA96B8,
141    0x68683BA6, 0xB8B84D83, 0x38382820, 0xE5E52EFF, 0xADAD569F, 0x0B0B8477,
142    0xC8C81DC3, 0x9999FFCC, 0x5858ED03, 0x19199A6F, 0x0E0E0A08, 0x95957EBF,
143    0x70705040, 0xF7F730E7, 0x6E6ECF2B, 0x1F1F6EE2, 0xB5B53D79, 0x09090F0C,
144    0x616134AA, 0x57571682, 0x9F9F0B41, 0x9D9D803A, 0x111164EA, 0x2525CDB9,
145    0xAFAFDDE4, 0x4545089A, 0xDFDF8DA4, 0xA3A35C97, 0xEAEAD57E, 0x353558DA,
146    0xEDEDD07A, 0x4343FC17, 0xF8F8CB66, 0xFBFBB194, 0x3737D3A1, 0xFAFA401D,
147    0xC2C2683D, 0xB4B4CCF0, 0x32325DDE, 0x9C9C71B3, 0x5656E70B, 0xE3E3DA72,
148    0x878760A7, 0x15151B1C, 0xF9F93AEF, 0x6363BFD1, 0x3434A953, 0x9A9A853E,
149    0xB1B1428F, 0x7C7CD133, 0x88889B26, 0x3D3DA65F, 0xA1A1D7EC, 0xE4E4DF76,
150    0x8181942A, 0x91910149, 0x0F0FFB81, 0xEEEEAA88, 0x161661EE, 0xD7D77321,
151    0x9797F5C4, 0xA5A5A81A, 0xFEFE3FEB, 0x6D6DB5D9, 0x7878AEC5, 0xC5C56D39,
152    0x1D1DE599, 0x7676A4CD, 0x3E3EDCAD, 0xCBCB6731, 0xB6B6478B, 0xEFEF5B01,
153    0x12121E18, 0x6060C523, 0x6A6AB0DD, 0x4D4DF61F, 0xCECEE94E, 0xDEDE7C2D,
154    0x55559DF9, 0x7E7E5A48, 0x2121B24F, 0x03037AF2, 0xA0A02665, 0x5E5E198E,
155    0x5A5A6678, 0x65654B5C, 0x62624E58, 0xFDFD4519, 0x0606F48D, 0x404086E5,
156    0xF2F2BE98, 0x3333AC57, 0x17179067, 0x05058E7F, 0xE8E85E05, 0x4F4F7D64,
157    0x89896AAF, 0x10109563, 0x74742FB6, 0x0A0A75FE, 0x5C5C92F5, 0x9B9B74B7,
158    0x2D2D333C, 0x3030D6A5, 0x2E2E49CE, 0x494989E9, 0x46467268, 0x77775544,
159    0xA8A8D8E0, 0x9696044D, 0x2828BD43, 0xA9A92969, 0xD9D97929, 0x8686912E,
160    0xD1D187AC, 0xF4F44A15, 0x8D8D1559, 0xD6D682A8, 0xB9B9BC0A, 0x42420D9E,
161    0xF6F6C16E, 0x2F2FB847, 0xDDDD06DF, 0x23233934, 0xCCCC6235, 0xF1F1C46A,
162    0xC1C112CF, 0x8585EBDC, 0x8F8F9E22, 0x7171A1C9, 0x9090F0C0, 0xAAAA539B,
163    0x0101F189, 0x8B8BE1D4, 0x4E4E8CED, 0x8E8E6FAB, 0xABABA212, 0x6F6F3EA2,
164    0xE6E6540D, 0xDBDBF252, 0x92927BBB, 0xB7B7B602, 0x6969CA2F, 0x3939D9A9,
165    0xD3D30CD7, 0xA7A72361, 0xA2A2AD1E, 0xC3C399B4, 0x6C6C4450, 0x07070504,
166    0x04047FF6, 0x272746C2, 0xACACA716, 0xD0D07625, 0x50501386, 0xDCDCF756,
167    0x84841A55, 0xE1E15109, 0x7A7A25BE, 0x1313EF91},
168
169   {0xA9D93939, 0x67901717, 0xB3719C9C, 0xE8D2A6A6, 0x04050707, 0xFD985252,
170    0xA3658080, 0x76DFE4E4, 0x9A084545, 0x92024B4B, 0x80A0E0E0, 0x78665A5A,
171    0xE4DDAFAF, 0xDDB06A6A, 0xD1BF6363, 0x38362A2A, 0x0D54E6E6, 0xC6432020,
172    0x3562CCCC, 0x98BEF2F2, 0x181E1212, 0xF724EBEB, 0xECD7A1A1, 0x6C774141,
173    0x43BD2828, 0x7532BCBC, 0x37D47B7B, 0x269B8888, 0xFA700D0D, 0x13F94444,
174    0x94B1FBFB, 0x485A7E7E, 0xF27A0303, 0xD0E48C8C, 0x8B47B6B6, 0x303C2424,
175    0x84A5E7E7, 0x54416B6B, 0xDF06DDDD, 0x23C56060, 0x1945FDFD, 0x5BA33A3A,
176    0x3D68C2C2, 0x59158D8D, 0xF321ECEC, 0xAE316666, 0xA23E6F6F, 0x82165757,
177    0x63951010, 0x015BEFEF, 0x834DB8B8, 0x2E918686, 0xD9B56D6D, 0x511F8383,
178    0x9B53AAAA, 0x7C635D5D, 0xA63B6868, 0xEB3FFEFE, 0xA5D63030, 0xBE257A7A,
179    0x16A7ACAC, 0x0C0F0909, 0xE335F0F0, 0x6123A7A7, 0xC0F09090, 0x8CAFE9E9,
180    0x3A809D9D, 0xF5925C5C, 0x73810C0C, 0x2C273131, 0x2576D0D0, 0x0BE75656,
181    0xBB7B9292, 0x4EE9CECE, 0x89F10101, 0x6B9F1E1E, 0x53A93434, 0x6AC4F1F1,
182    0xB499C3C3, 0xF1975B5B, 0xE1834747, 0xE66B1818, 0xBDC82222, 0x450E9898,
183    0xE26E1F1F, 0xF4C9B3B3, 0xB62F7474, 0x66CBF8F8, 0xCCFF9999, 0x95EA1414,
184    0x03ED5858, 0x56F7DCDC, 0xD4E18B8B, 0x1C1B1515, 0x1EADA2A2, 0xD70CD3D3,
185    0xFB2BE2E2, 0xC31DC8C8, 0x8E195E5E, 0xB5C22C2C, 0xE9894949, 0xCF12C1C1,
186    0xBF7E9595, 0xBA207D7D, 0xEA641111, 0x77840B0B, 0x396DC5C5, 0xAF6A8989,
187    0x33D17C7C, 0xC9A17171, 0x62CEFFFF, 0x7137BBBB, 0x81FB0F0F, 0x793DB5B5,
188    0x0951E1E1, 0xADDC3E3E, 0x242D3F3F, 0xCDA47676, 0xF99D5555, 0xD8EE8282,
189    0xE5864040, 0xC5AE7878, 0xB9CD2525, 0x4D049696, 0x44557777, 0x080A0E0E,
190    0x86135050, 0xE730F7F7, 0xA1D33737, 0x1D40FAFA, 0xAA346161, 0xED8C4E4E,
191    0x06B3B0B0, 0x706C5454, 0xB22A7373, 0xD2523B3B, 0x410B9F9F, 0x7B8B0202,
192    0xA088D8D8, 0x114FF3F3, 0x3167CBCB, 0xC2462727, 0x27C06767, 0x90B4FCFC,
193    0x20283838, 0xF67F0404, 0x60784848, 0xFF2EE5E5, 0x96074C4C, 0x5C4B6565,
194    0xB1C72B2B, 0xAB6F8E8E, 0x9E0D4242, 0x9CBBF5F5, 0x52F2DBDB, 0x1BF34A4A,
195    0x5FA63D3D, 0x9359A4A4, 0x0ABCB9B9, 0xEF3AF9F9, 0x91EF1313, 0x85FE0808,
196    0x49019191, 0xEE611616, 0x2D7CDEDE, 0x4FB22121, 0x8F42B1B1, 0x3BDB7272,
197    0x47B82F2F, 0x8748BFBF, 0x6D2CAEAE, 0x46E3C0C0, 0xD6573C3C, 0x3E859A9A,
198    0x6929A9A9, 0x647D4F4F, 0x2A948181, 0xCE492E2E, 0xCB17C6C6, 0x2FCA6969,
199    0xFCC3BDBD, 0x975CA3A3, 0x055EE8E8, 0x7AD0EDED, 0xAC87D1D1, 0x7F8E0505,
200    0xD5BA6464, 0x1AA8A5A5, 0x4BB72626, 0x0EB9BEBE, 0xA7608787, 0x5AF8D5D5,
201    0x28223636, 0x14111B1B, 0x3FDE7575, 0x2979D9D9, 0x88AAEEEE, 0x3C332D2D,
202    0x4C5F7979, 0x02B6B7B7, 0xB896CACA, 0xDA583535, 0xB09CC4C4, 0x17FC4343,
203    0x551A8484, 0x1FF64D4D, 0x8A1C5959, 0x7D38B2B2, 0x57AC3333, 0xC718CFCF,
204    0x8DF40606, 0x74695353, 0xB7749B9B, 0xC4F59797, 0x9F56ADAD, 0x72DAE3E3,
205    0x7ED5EAEA, 0x154AF4F4, 0x229E8F8F, 0x12A2ABAB, 0x584E6262, 0x07E85F5F,
206    0x99E51D1D, 0x34392323, 0x6EC1F6F6, 0x50446C6C, 0xDE5D3232, 0x68724646,
207    0x6526A0A0, 0xBC93CDCD, 0xDB03DADA, 0xF8C6BABA, 0xC8FA9E9E, 0xA882D6D6,
208    0x2BCF6E6E, 0x40507070, 0xDCEB8585, 0xFE750A0A, 0x328A9393, 0xA48DDFDF,
209    0xCA4C2929, 0x10141C1C, 0x2173D7D7, 0xF0CCB4B4, 0xD309D4D4, 0x5D108A8A,
210    0x0FE25151, 0x00000000, 0x6F9A1919, 0x9DE01A1A, 0x368F9494, 0x42E6C7C7,
211    0x4AECC9C9, 0x5EFDD2D2, 0xC1AB7F7F, 0xE0D8A8A8},
212
213   {0xBC75BC32, 0xECF3EC21, 0x20C62043, 0xB3F4B3C9, 0xDADBDA03, 0x027B028B,
214    0xE2FBE22B, 0x9EC89EFA, 0xC94AC9EC, 0xD4D3D409, 0x18E6186B, 0x1E6B1E9F,
215    0x9845980E, 0xB27DB238, 0xA6E8A6D2, 0x264B26B7, 0x3CD63C57, 0x9332938A,
216    0x82D882EE, 0x52FD5298, 0x7B377BD4, 0xBB71BB37, 0x5BF15B97, 0x47E14783,
217    0x2430243C, 0x510F51E2, 0xBAF8BAC6, 0x4A1B4AF3, 0xBF87BF48, 0x0DFA0D70,
218    0xB006B0B3, 0x753F75DE, 0xD25ED2FD, 0x7DBA7D20, 0x66AE6631, 0x3A5B3AA3,
219    0x598A591C, 0x00000000, 0xCDBCCD93, 0x1A9D1AE0, 0xAE6DAE2C, 0x7FC17FAB,
220    0x2BB12BC7, 0xBE0EBEB9, 0xE080E0A0, 0x8A5D8A10, 0x3BD23B52, 0x64D564BA,
221    0xD8A0D888, 0xE784E7A5, 0x5F075FE8, 0x1B141B11, 0x2CB52CC2, 0xFC90FCB4,
222    0x312C3127, 0x80A38065, 0x73B2732A, 0x0C730C81, 0x794C795F, 0x6B546B41,
223    0x4B924B02, 0x53745369, 0x9436948F, 0x8351831F, 0x2A382A36, 0xC4B0C49C,
224    0x22BD22C8, 0xD55AD5F8, 0xBDFCBDC3, 0x48604878, 0xFF62FFCE, 0x4C964C07,
225    0x416C4177, 0xC742C7E6, 0xEBF7EB24, 0x1C101C14, 0x5D7C5D63, 0x36283622,
226    0x672767C0, 0xE98CE9AF, 0x441344F9, 0x149514EA, 0xF59CF5BB, 0xCFC7CF18,
227    0x3F243F2D, 0xC046C0E3, 0x723B72DB, 0x5470546C, 0x29CA294C, 0xF0E3F035,
228    0x088508FE, 0xC6CBC617, 0xF311F34F, 0x8CD08CE4, 0xA493A459, 0xCAB8CA96,
229    0x68A6683B, 0xB883B84D, 0x38203828, 0xE5FFE52E, 0xAD9FAD56, 0x0B770B84,
230    0xC8C3C81D, 0x99CC99FF, 0x580358ED, 0x196F199A, 0x0E080E0A, 0x95BF957E,
231    0x70407050, 0xF7E7F730, 0x6E2B6ECF, 0x1FE21F6E, 0xB579B53D, 0x090C090F,
232    0x61AA6134, 0x57825716, 0x9F419F0B, 0x9D3A9D80, 0x11EA1164, 0x25B925CD,
233    0xAFE4AFDD, 0x459A4508, 0xDFA4DF8D, 0xA397A35C, 0xEA7EEAD5, 0x35DA3558,
234    0xED7AEDD0, 0x431743FC, 0xF866F8CB, 0xFB94FBB1, 0x37A137D3, 0xFA1DFA40,
235    0xC23DC268, 0xB4F0B4CC, 0x32DE325D, 0x9CB39C71, 0x560B56E7, 0xE372E3DA,
236    0x87A78760, 0x151C151B, 0xF9EFF93A, 0x63D163BF, 0x345334A9, 0x9A3E9A85,
237    0xB18FB142, 0x7C337CD1, 0x8826889B, 0x3D5F3DA6, 0xA1ECA1D7, 0xE476E4DF,
238    0x812A8194, 0x91499101, 0x0F810FFB, 0xEE88EEAA, 0x16EE1661, 0xD721D773,
239    0x97C497F5, 0xA51AA5A8, 0xFEEBFE3F, 0x6DD96DB5, 0x78C578AE, 0xC539C56D,
240    0x1D991DE5, 0x76CD76A4, 0x3EAD3EDC, 0xCB31CB67, 0xB68BB647, 0xEF01EF5B,
241    0x1218121E, 0x602360C5, 0x6ADD6AB0, 0x4D1F4DF6, 0xCE4ECEE9, 0xDE2DDE7C,
242    0x55F9559D, 0x7E487E5A, 0x214F21B2, 0x03F2037A, 0xA065A026, 0x5E8E5E19,
243    0x5A785A66, 0x655C654B, 0x6258624E, 0xFD19FD45, 0x068D06F4, 0x40E54086,
244    0xF298F2BE, 0x335733AC, 0x17671790, 0x057F058E, 0xE805E85E, 0x4F644F7D,
245    0x89AF896A, 0x10631095, 0x74B6742F, 0x0AFE0A75, 0x5CF55C92, 0x9BB79B74,
246    0x2D3C2D33, 0x30A530D6, 0x2ECE2E49, 0x49E94989, 0x46684672, 0x77447755,
247    0xA8E0A8D8, 0x964D9604, 0x284328BD, 0xA969A929, 0xD929D979, 0x862E8691,
248    0xD1ACD187, 0xF415F44A, 0x8D598D15, 0xD6A8D682, 0xB90AB9BC, 0x429E420D,
249    0xF66EF6C1, 0x2F472FB8, 0xDDDFDD06, 0x23342339, 0xCC35CC62, 0xF16AF1C4,
250    0xC1CFC112, 0x85DC85EB, 0x8F228F9E, 0x71C971A1, 0x90C090F0, 0xAA9BAA53,
251    0x018901F1, 0x8BD48BE1, 0x4EED4E8C, 0x8EAB8E6F, 0xAB12ABA2, 0x6FA26F3E,
252    0xE60DE654, 0xDB52DBF2, 0x92BB927B, 0xB702B7B6, 0x692F69CA, 0x39A939D9,
253    0xD3D7D30C, 0xA761A723, 0xA21EA2AD, 0xC3B4C399, 0x6C506C44, 0x07040705,
254    0x04F6047F, 0x27C22746, 0xAC16ACA7, 0xD025D076, 0x50865013, 0xDC56DCF7,
255    0x8455841A, 0xE109E151, 0x7ABE7A25, 0x139113EF},
256
257   {0xD939A9D9, 0x90176790, 0x719CB371, 0xD2A6E8D2, 0x05070405, 0x9852FD98,
258    0x6580A365, 0xDFE476DF, 0x08459A08, 0x024B9202, 0xA0E080A0, 0x665A7866,
259    0xDDAFE4DD, 0xB06ADDB0, 0xBF63D1BF, 0x362A3836, 0x54E60D54, 0x4320C643,
260    0x62CC3562, 0xBEF298BE, 0x1E12181E, 0x24EBF724, 0xD7A1ECD7, 0x77416C77,
261    0xBD2843BD, 0x32BC7532, 0xD47B37D4, 0x9B88269B, 0x700DFA70, 0xF94413F9,
262    0xB1FB94B1, 0x5A7E485A, 0x7A03F27A, 0xE48CD0E4, 0x47B68B47, 0x3C24303C,
263    0xA5E784A5, 0x416B5441, 0x06DDDF06, 0xC56023C5, 0x45FD1945, 0xA33A5BA3,
264    0x68C23D68, 0x158D5915, 0x21ECF321, 0x3166AE31, 0x3E6FA23E, 0x16578216,
265    0x95106395, 0x5BEF015B, 0x4DB8834D, 0x91862E91, 0xB56DD9B5, 0x1F83511F,
266    0x53AA9B53, 0x635D7C63, 0x3B68A63B, 0x3FFEEB3F, 0xD630A5D6, 0x257ABE25,
267    0xA7AC16A7, 0x0F090C0F, 0x35F0E335, 0x23A76123, 0xF090C0F0, 0xAFE98CAF,
268    0x809D3A80, 0x925CF592, 0x810C7381, 0x27312C27, 0x76D02576, 0xE7560BE7,
269    0x7B92BB7B, 0xE9CE4EE9, 0xF10189F1, 0x9F1E6B9F, 0xA93453A9, 0xC4F16AC4,
270    0x99C3B499, 0x975BF197, 0x8347E183, 0x6B18E66B, 0xC822BDC8, 0x0E98450E,
271    0x6E1FE26E, 0xC9B3F4C9, 0x2F74B62F, 0xCBF866CB, 0xFF99CCFF, 0xEA1495EA,
272    0xED5803ED, 0xF7DC56F7, 0xE18BD4E1, 0x1B151C1B, 0xADA21EAD, 0x0CD3D70C,
273    0x2BE2FB2B, 0x1DC8C31D, 0x195E8E19, 0xC22CB5C2, 0x8949E989, 0x12C1CF12,
274    0x7E95BF7E, 0x207DBA20, 0x6411EA64, 0x840B7784, 0x6DC5396D, 0x6A89AF6A,
275    0xD17C33D1, 0xA171C9A1, 0xCEFF62CE, 0x37BB7137, 0xFB0F81FB, 0x3DB5793D,
276    0x51E10951, 0xDC3EADDC, 0x2D3F242D, 0xA476CDA4, 0x9D55F99D, 0xEE82D8EE,
277    0x8640E586, 0xAE78C5AE, 0xCD25B9CD, 0x04964D04, 0x55774455, 0x0A0E080A,
278    0x13508613, 0x30F7E730, 0xD337A1D3, 0x40FA1D40, 0x3461AA34, 0x8C4EED8C,
279    0xB3B006B3, 0x6C54706C, 0x2A73B22A, 0x523BD252, 0x0B9F410B, 0x8B027B8B,
280    0x88D8A088, 0x4FF3114F, 0x67CB3167, 0x4627C246, 0xC06727C0, 0xB4FC90B4,
281    0x28382028, 0x7F04F67F, 0x78486078, 0x2EE5FF2E, 0x074C9607, 0x4B655C4B,
282    0xC72BB1C7, 0x6F8EAB6F, 0x0D429E0D, 0xBBF59CBB, 0xF2DB52F2, 0xF34A1BF3,
283    0xA63D5FA6, 0x59A49359, 0xBCB90ABC, 0x3AF9EF3A, 0xEF1391EF, 0xFE0885FE,
284    0x01914901, 0x6116EE61, 0x7CDE2D7C, 0xB2214FB2, 0x42B18F42, 0xDB723BDB,
285    0xB82F47B8, 0x48BF8748, 0x2CAE6D2C, 0xE3C046E3, 0x573CD657, 0x859A3E85,
286    0x29A96929, 0x7D4F647D, 0x94812A94, 0x492ECE49, 0x17C6CB17, 0xCA692FCA,
287    0xC3BDFCC3, 0x5CA3975C, 0x5EE8055E, 0xD0ED7AD0, 0x87D1AC87, 0x8E057F8E,
288    0xBA64D5BA, 0xA8A51AA8, 0xB7264BB7, 0xB9BE0EB9, 0x6087A760, 0xF8D55AF8,
289    0x22362822, 0x111B1411, 0xDE753FDE, 0x79D92979, 0xAAEE88AA, 0x332D3C33,
290    0x5F794C5F, 0xB6B702B6, 0x96CAB896, 0x5835DA58, 0x9CC4B09C, 0xFC4317FC,
291    0x1A84551A, 0xF64D1FF6, 0x1C598A1C, 0x38B27D38, 0xAC3357AC, 0x18CFC718,
292    0xF4068DF4, 0x69537469, 0x749BB774, 0xF597C4F5, 0x56AD9F56, 0xDAE372DA,
293    0xD5EA7ED5, 0x4AF4154A, 0x9E8F229E, 0xA2AB12A2, 0x4E62584E, 0xE85F07E8,
294    0xE51D99E5, 0x39233439, 0xC1F66EC1, 0x446C5044, 0x5D32DE5D, 0x72466872,
295    0x26A06526, 0x93CDBC93, 0x03DADB03, 0xC6BAF8C6, 0xFA9EC8FA, 0x82D6A882,
296    0xCF6E2BCF, 0x50704050, 0xEB85DCEB, 0x750AFE75, 0x8A93328A, 0x8DDFA48D,
297    0x4C29CA4C, 0x141C1014, 0x73D72173, 0xCCB4F0CC, 0x09D4D309, 0x108A5D10,
298    0xE2510FE2, 0x00000000, 0x9A196F9A, 0xE01A9DE0, 0x8F94368F, 0xE6C742E6,
299    0xECC94AEC, 0xFDD25EFD, 0xAB7FC1AB, 0xD8A8E0D8}
300};
301
302/* The exp_to_poly and poly_to_exp tables are used to perform efficient
303 * operations in GF(2^8) represented as GF(2)[x]/w(x) where
304 * w(x)=x^8+x^6+x^3+x^2+1.  We care about doing that because it's part of the
305 * definition of the RS matrix in the key schedule.  Elements of that field
306 * are polynomials of degree not greater than 7 and all coefficients 0 or 1,
307 * which can be represented naturally by bytes (just substitute x=2).  In that
308 * form, GF(2^8) addition is the same as bitwise XOR, but GF(2^8)
309 * multiplication is inefficient without hardware support.  To multiply
310 * faster, I make use of the fact x is a generator for the nonzero elements,
311 * so that every element p of GF(2)[x]/w(x) is either 0 or equal to (x)^n for
312 * some n in 0..254.  Note that that caret is exponentiation in GF(2^8),
313 * *not* polynomial notation.  So if I want to compute pq where p and q are
314 * in GF(2^8), I can just say:
315 *    1. if p=0 or q=0 then pq=0
316 *    2. otherwise, find m and n such that p=x^m and q=x^n
317 *    3. pq=(x^m)(x^n)=x^(m+n), so add m and n and find pq
318 * The translations in steps 2 and 3 are looked up in the tables
319 * poly_to_exp (for step 2) and exp_to_poly (for step 3).  To see this
320 * in action, look at the CALC_S macro.  As additional wrinkles, note that
321 * one of my operands is always a constant, so the poly_to_exp lookup on it
322 * is done in advance; I included the original values in the comments so
323 * readers can have some chance of recognizing that this *is* the RS matrix
324 * from the Twofish paper.  I've only included the table entries I actually
325 * need; I never do a lookup on a variable input of zero and the biggest
326 * exponents I'll ever see are 254 (variable) and 237 (constant), so they'll
327 * never sum to more than 491.  I'm repeating part of the exp_to_poly table
328 * so that I don't have to do mod-255 reduction in the exponent arithmetic.
329 * Since I know my constant operands are never zero, I only have to worry
330 * about zero values in the variable operand, and I do it with a simple
331 * conditional branch.  I know conditionals are expensive, but I couldn't
332 * see a non-horrible way of avoiding them, and I did manage to group the
333 * statements so that each if covers four group multiplications. */
334
335static const byte poly_to_exp[255] = {
336   0x00, 0x01, 0x17, 0x02, 0x2E, 0x18, 0x53, 0x03, 0x6A, 0x2F, 0x93, 0x19,
337   0x34, 0x54, 0x45, 0x04, 0x5C, 0x6B, 0xB6, 0x30, 0xA6, 0x94, 0x4B, 0x1A,
338   0x8C, 0x35, 0x81, 0x55, 0xAA, 0x46, 0x0D, 0x05, 0x24, 0x5D, 0x87, 0x6C,
339   0x9B, 0xB7, 0xC1, 0x31, 0x2B, 0xA7, 0xA3, 0x95, 0x98, 0x4C, 0xCA, 0x1B,
340   0xE6, 0x8D, 0x73, 0x36, 0xCD, 0x82, 0x12, 0x56, 0x62, 0xAB, 0xF0, 0x47,
341   0x4F, 0x0E, 0xBD, 0x06, 0xD4, 0x25, 0xD2, 0x5E, 0x27, 0x88, 0x66, 0x6D,
342   0xD6, 0x9C, 0x79, 0xB8, 0x08, 0xC2, 0xDF, 0x32, 0x68, 0x2C, 0xFD, 0xA8,
343   0x8A, 0xA4, 0x5A, 0x96, 0x29, 0x99, 0x22, 0x4D, 0x60, 0xCB, 0xE4, 0x1C,
344   0x7B, 0xE7, 0x3B, 0x8E, 0x9E, 0x74, 0xF4, 0x37, 0xD8, 0xCE, 0xF9, 0x83,
345   0x6F, 0x13, 0xB2, 0x57, 0xE1, 0x63, 0xDC, 0xAC, 0xC4, 0xF1, 0xAF, 0x48,
346   0x0A, 0x50, 0x42, 0x0F, 0xBA, 0xBE, 0xC7, 0x07, 0xDE, 0xD5, 0x78, 0x26,
347   0x65, 0xD3, 0xD1, 0x5F, 0xE3, 0x28, 0x21, 0x89, 0x59, 0x67, 0xFC, 0x6E,
348   0xB1, 0xD7, 0xF8, 0x9D, 0xF3, 0x7A, 0x3A, 0xB9, 0xC6, 0x09, 0x41, 0xC3,
349   0xAE, 0xE0, 0xDB, 0x33, 0x44, 0x69, 0x92, 0x2D, 0x52, 0xFE, 0x16, 0xA9,
350   0x0C, 0x8B, 0x80, 0xA5, 0x4A, 0x5B, 0xB5, 0x97, 0xC9, 0x2A, 0xA2, 0x9A,
351   0xC0, 0x23, 0x86, 0x4E, 0xBC, 0x61, 0xEF, 0xCC, 0x11, 0xE5, 0x72, 0x1D,
352   0x3D, 0x7C, 0xEB, 0xE8, 0xE9, 0x3C, 0xEA, 0x8F, 0x7D, 0x9F, 0xEC, 0x75,
353   0x1E, 0xF5, 0x3E, 0x38, 0xF6, 0xD9, 0x3F, 0xCF, 0x76, 0xFA, 0x1F, 0x84,
354   0xA0, 0x70, 0xED, 0x14, 0x90, 0xB3, 0x7E, 0x58, 0xFB, 0xE2, 0x20, 0x64,
355   0xD0, 0xDD, 0x77, 0xAD, 0xDA, 0xC5, 0x40, 0xF2, 0x39, 0xB0, 0xF7, 0x49,
356   0xB4, 0x0B, 0x7F, 0x51, 0x15, 0x43, 0x91, 0x10, 0x71, 0xBB, 0xEE, 0xBF,
357   0x85, 0xC8, 0xA1
358};
359
360static const byte exp_to_poly[492] = {
361   0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D, 0x9A, 0x79, 0xF2,
362   0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC, 0xF5, 0xA7, 0x03,
363   0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3, 0x8B, 0x5B, 0xB6,
364   0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52, 0xA4, 0x05, 0x0A,
365   0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0, 0xED, 0x97, 0x63,
366   0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1, 0x0F, 0x1E, 0x3C,
367   0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A, 0xF4, 0xA5, 0x07,
368   0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11, 0x22, 0x44, 0x88,
369   0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51, 0xA2, 0x09, 0x12,
370   0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66, 0xCC, 0xD5, 0xE7,
371   0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB, 0x1B, 0x36, 0x6C,
372   0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19, 0x32, 0x64, 0xC8,
373   0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D, 0x5A, 0xB4, 0x25,
374   0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56, 0xAC, 0x15, 0x2A,
375   0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE, 0x91, 0x6F, 0xDE,
376   0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9, 0x3F, 0x7E, 0xFC,
377   0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE, 0xB1, 0x2F, 0x5E,
378   0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41, 0x82, 0x49, 0x92,
379   0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E, 0x71, 0xE2, 0x89,
380   0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB, 0xDB, 0xFB, 0xBB,
381   0x3B, 0x76, 0xEC, 0x95, 0x67, 0xCE, 0xD1, 0xEF, 0x93, 0x6B, 0xD6, 0xE1,
382   0x8F, 0x53, 0xA6, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D,
383   0x9A, 0x79, 0xF2, 0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC,
384   0xF5, 0xA7, 0x03, 0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3,
385   0x8B, 0x5B, 0xB6, 0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52,
386   0xA4, 0x05, 0x0A, 0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0,
387   0xED, 0x97, 0x63, 0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1,
388   0x0F, 0x1E, 0x3C, 0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A,
389   0xF4, 0xA5, 0x07, 0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11,
390   0x22, 0x44, 0x88, 0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51,
391   0xA2, 0x09, 0x12, 0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66,
392   0xCC, 0xD5, 0xE7, 0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB,
393   0x1B, 0x36, 0x6C, 0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19,
394   0x32, 0x64, 0xC8, 0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D,
395   0x5A, 0xB4, 0x25, 0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56,
396   0xAC, 0x15, 0x2A, 0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE,
397   0x91, 0x6F, 0xDE, 0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9,
398   0x3F, 0x7E, 0xFC, 0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE,
399   0xB1, 0x2F, 0x5E, 0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41,
400   0x82, 0x49, 0x92, 0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E,
401   0x71, 0xE2, 0x89, 0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB
402};
403
404
405/* The table constants are indices of
406 * S-box entries, preprocessed through q0 and q1. */
407static byte calc_sb_tbl[512] = {
408    0xA9, 0x75, 0x67, 0xF3, 0xB3, 0xC6, 0xE8, 0xF4,
409    0x04, 0xDB, 0xFD, 0x7B, 0xA3, 0xFB, 0x76, 0xC8,
410    0x9A, 0x4A, 0x92, 0xD3, 0x80, 0xE6, 0x78, 0x6B,
411    0xE4, 0x45, 0xDD, 0x7D, 0xD1, 0xE8, 0x38, 0x4B,
412    0x0D, 0xD6, 0xC6, 0x32, 0x35, 0xD8, 0x98, 0xFD,
413    0x18, 0x37, 0xF7, 0x71, 0xEC, 0xF1, 0x6C, 0xE1,
414    0x43, 0x30, 0x75, 0x0F, 0x37, 0xF8, 0x26, 0x1B,
415    0xFA, 0x87, 0x13, 0xFA, 0x94, 0x06, 0x48, 0x3F,
416    0xF2, 0x5E, 0xD0, 0xBA, 0x8B, 0xAE, 0x30, 0x5B,
417    0x84, 0x8A, 0x54, 0x00, 0xDF, 0xBC, 0x23, 0x9D,
418    0x19, 0x6D, 0x5B, 0xC1, 0x3D, 0xB1, 0x59, 0x0E,
419    0xF3, 0x80, 0xAE, 0x5D, 0xA2, 0xD2, 0x82, 0xD5,
420    0x63, 0xA0, 0x01, 0x84, 0x83, 0x07, 0x2E, 0x14,
421    0xD9, 0xB5, 0x51, 0x90, 0x9B, 0x2C, 0x7C, 0xA3,
422    0xA6, 0xB2, 0xEB, 0x73, 0xA5, 0x4C, 0xBE, 0x54,
423    0x16, 0x92, 0x0C, 0x74, 0xE3, 0x36, 0x61, 0x51,
424    0xC0, 0x38, 0x8C, 0xB0, 0x3A, 0xBD, 0xF5, 0x5A,
425    0x73, 0xFC, 0x2C, 0x60, 0x25, 0x62, 0x0B, 0x96,
426    0xBB, 0x6C, 0x4E, 0x42, 0x89, 0xF7, 0x6B, 0x10,
427    0x53, 0x7C, 0x6A, 0x28, 0xB4, 0x27, 0xF1, 0x8C,
428    0xE1, 0x13, 0xE6, 0x95, 0xBD, 0x9C, 0x45, 0xC7,
429    0xE2, 0x24, 0xF4, 0x46, 0xB6, 0x3B, 0x66, 0x70,
430    0xCC, 0xCA, 0x95, 0xE3, 0x03, 0x85, 0x56, 0xCB,
431    0xD4, 0x11, 0x1C, 0xD0, 0x1E, 0x93, 0xD7, 0xB8,
432    0xFB, 0xA6, 0xC3, 0x83, 0x8E, 0x20, 0xB5, 0xFF,
433    0xE9, 0x9F, 0xCF, 0x77, 0xBF, 0xC3, 0xBA, 0xCC,
434    0xEA, 0x03, 0x77, 0x6F, 0x39, 0x08, 0xAF, 0xBF,
435    0x33, 0x40, 0xC9, 0xE7, 0x62, 0x2B, 0x71, 0xE2,
436    0x81, 0x79, 0x79, 0x0C, 0x09, 0xAA, 0xAD, 0x82,
437    0x24, 0x41, 0xCD, 0x3A, 0xF9, 0xEA, 0xD8, 0xB9,
438    0xE5, 0xE4, 0xC5, 0x9A, 0xB9, 0xA4, 0x4D, 0x97,
439    0x44, 0x7E, 0x08, 0xDA, 0x86, 0x7A, 0xE7, 0x17,
440    0xA1, 0x66, 0x1D, 0x94, 0xAA, 0xA1, 0xED, 0x1D,
441    0x06, 0x3D, 0x70, 0xF0, 0xB2, 0xDE, 0xD2, 0xB3,
442    0x41, 0x0B, 0x7B, 0x72, 0xA0, 0xA7, 0x11, 0x1C,
443    0x31, 0xEF, 0xC2, 0xD1, 0x27, 0x53, 0x90, 0x3E,
444    0x20, 0x8F, 0xF6, 0x33, 0x60, 0x26, 0xFF, 0x5F,
445    0x96, 0xEC, 0x5C, 0x76, 0xB1, 0x2A, 0xAB, 0x49,
446    0x9E, 0x81, 0x9C, 0x88, 0x52, 0xEE, 0x1B, 0x21,
447    0x5F, 0xC4, 0x93, 0x1A, 0x0A, 0xEB, 0xEF, 0xD9,
448    0x91, 0xC5, 0x85, 0x39, 0x49, 0x99, 0xEE, 0xCD,
449    0x2D, 0xAD, 0x4F, 0x31, 0x8F, 0x8B, 0x3B, 0x01,
450    0x47, 0x18, 0x87, 0x23, 0x6D, 0xDD, 0x46, 0x1F,
451    0xD6, 0x4E, 0x3E, 0x2D, 0x69, 0xF9, 0x64, 0x48,
452    0x2A, 0x4F, 0xCE, 0xF2, 0xCB, 0x65, 0x2F, 0x8E,
453    0xFC, 0x78, 0x97, 0x5C, 0x05, 0x58, 0x7A, 0x19,
454    0xAC, 0x8D, 0x7F, 0xE5, 0xD5, 0x98, 0x1A, 0x57,
455    0x4B, 0x67, 0x0E, 0x7F, 0xA7, 0x05, 0x5A, 0x64,
456    0x28, 0xAF, 0x14, 0x63, 0x3F, 0xB6, 0x29, 0xFE,
457    0x88, 0xF5, 0x3C, 0xB7, 0x4C, 0x3C, 0x02, 0xA5,
458    0xB8, 0xCE, 0xDA, 0xE9, 0xB0, 0x68, 0x17, 0x44,
459    0x55, 0xE0, 0x1F, 0x4D, 0x8A, 0x43, 0x7D, 0x69,
460    0x57, 0x29, 0xC7, 0x2E, 0x8D, 0xAC, 0x74, 0x15,
461    0xB7, 0x59, 0xC4, 0xA8, 0x9F, 0x0A, 0x72, 0x9E,
462    0x7E, 0x6E, 0x15, 0x47, 0x22, 0xDF, 0x12, 0x34,
463    0x58, 0x35, 0x07, 0x6A, 0x99, 0xCF, 0x34, 0xDC,
464    0x6E, 0x22, 0x50, 0xC9, 0xDE, 0xC0, 0x68, 0x9B,
465    0x65, 0x89, 0xBC, 0xD4, 0xDB, 0xED, 0xF8, 0xAB,
466    0xC8, 0x12, 0xA8, 0xA2, 0x2B, 0x0D, 0x40, 0x52,
467    0xDC, 0xBB, 0xFE, 0x02, 0x32, 0x2F, 0xA4, 0xA9,
468    0xCA, 0xD7, 0x10, 0x61, 0x21, 0x1E, 0xF0, 0xB4,
469    0xD3, 0x50, 0x5D, 0x04, 0x0F, 0xF6, 0x00, 0xC2,
470    0x6F, 0x16, 0x9D, 0x25, 0x36, 0x86, 0x42, 0x56,
471    0x4A, 0x55, 0x5E, 0x09, 0xC1, 0xBE, 0xE0, 0x91
472};
473/* Macro to perform one column of the RS matrix multiplication.  The
474 * parameters a, b, c, and d are the four bytes of output; i is the index
475 * of the key bytes, and w, x, y, and z, are the column of constants from
476 * the RS matrix, preprocessed through the poly_to_exp table. */
477
478#define CALC_S(a, b, c, d, i, w, x, y, z) \
479   if (key[i]) { \
480      tmp = poly_to_exp[key[i] - 1]; \
481      (a) ^= exp_to_poly[tmp + (w)]; \
482      (b) ^= exp_to_poly[tmp + (x)]; \
483      (c) ^= exp_to_poly[tmp + (y)]; \
484      (d) ^= exp_to_poly[tmp + (z)]; \
485   }
486
487/* Macros to calculate the key-dependent S-boxes for a 128-bit key using
488 * the S vector from CALC_S.  CALC_SB_2 computes a single entry in all
489 * four S-boxes, where i is the index of the entry to compute, and a and b
490 * are the index numbers preprocessed through the q0 and q1 tables
491 * respectively.  CALC_SB is simply a convenience to make the code shorter;
492 * it calls CALC_SB_2 four times with consecutive indices from i to i+3,
493 * using the remaining parameters two by two. */
494
495#define CALC_SB_2(i, a, b) \
496   ctx->s[0][i] = mds[0][q0[(a) ^ sa] ^ se]; \
497   ctx->s[1][i] = mds[1][q0[(b) ^ sb] ^ sf]; \
498   ctx->s[2][i] = mds[2][q1[(a) ^ sc] ^ sg]; \
499   ctx->s[3][i] = mds[3][q1[(b) ^ sd] ^ sh]
500
501#define CALC_SB(i, a, b, c, d, e, f, g, h) \
502   CALC_SB_2 (i, a, b); CALC_SB_2 ((i)+1, c, d); \
503   CALC_SB_2 ((i)+2, e, f); CALC_SB_2 ((i)+3, g, h)
504
505/* Macros exactly like CALC_SB and CALC_SB_2, but for 256-bit keys. */
506
507#define CALC_SB256_2(i, a, b) \
508   ctx->s[0][i] = mds[0][q0[q0[q1[(b) ^ sa] ^ se] ^ si] ^ sm]; \
509   ctx->s[1][i] = mds[1][q0[q1[q1[(a) ^ sb] ^ sf] ^ sj] ^ sn]; \
510   ctx->s[2][i] = mds[2][q1[q0[q0[(a) ^ sc] ^ sg] ^ sk] ^ so]; \
511   ctx->s[3][i] = mds[3][q1[q1[q0[(b) ^ sd] ^ sh] ^ sl] ^ sp];
512
513#define CALC_SB256(i, a, b, c, d, e, f, g, h) \
514   CALC_SB256_2 (i, a, b); CALC_SB256_2 ((i)+1, c, d); \
515   CALC_SB256_2 ((i)+2, e, f); CALC_SB256_2 ((i)+3, g, h)
516
517/* Macros to calculate the whitening and round subkeys.  CALC_K_2 computes the
518 * last two stages of the h() function for a given index (either 2i or 2i+1).
519 * a, b, c, and d are the four bytes going into the last two stages.  For
520 * 128-bit keys, this is the entire h() function and a and c are the index
521 * preprocessed through q0 and q1 respectively; for longer keys they are the
522 * output of previous stages.  j is the index of the first key byte to use.
523 * CALC_K computes a pair of subkeys for 128-bit Twofish, by calling CALC_K_2
524 * twice, doing the Pseudo-Hadamard Transform, and doing the necessary
525 * rotations.  Its parameters are: a, the array to write the results into,
526 * j, the index of the first output entry, k and l, the preprocessed indices
527 * for index 2i, and m and n, the preprocessed indices for index 2i+1.
528 * CALC_K256_2 expands CALC_K_2 to handle 256-bit keys, by doing two
529 * additional lookup-and-XOR stages.  The parameters a and b are the index
530 * preprocessed through q0 and q1 respectively; j is the index of the first
531 * key byte to use.  CALC_K256 is identical to CALC_K but for using the
532 * CALC_K256_2 macro instead of CALC_K_2. */
533
534#define CALC_K_2(a, b, c, d, j) \
535     mds[0][q0[a ^ key[(j) + 8]] ^ key[j]] \
536   ^ mds[1][q0[b ^ key[(j) + 9]] ^ key[(j) + 1]] \
537   ^ mds[2][q1[c ^ key[(j) + 10]] ^ key[(j) + 2]] \
538   ^ mds[3][q1[d ^ key[(j) + 11]] ^ key[(j) + 3]]
539
540#define CALC_K(a, j, k, l, m, n) \
541   x = CALC_K_2 (k, l, k, l, 0); \
542   y = CALC_K_2 (m, n, m, n, 4); \
543   y = (y << 8) + (y >> 24); \
544   x += y; y += x; ctx->a[j] = x; \
545   ctx->a[(j) + 1] = (y << 9) + (y >> 23)
546
547#define CALC_K256_2(a, b, j) \
548   CALC_K_2 (q0[q1[b ^ key[(j) + 24]] ^ key[(j) + 16]], \
549             q1[q1[a ^ key[(j) + 25]] ^ key[(j) + 17]], \
550             q0[q0[a ^ key[(j) + 26]] ^ key[(j) + 18]], \
551             q1[q0[b ^ key[(j) + 27]] ^ key[(j) + 19]], j)
552
553#define CALC_K256(a, j, k, l, m, n) \
554   x = CALC_K256_2 (k, l, 0); \
555   y = CALC_K256_2 (m, n, 4); \
556   y = (y << 8) + (y >> 24); \
557   x += y; y += x; ctx->a[j] = x; \
558   ctx->a[(j) + 1] = (y << 9) + (y >> 23)
559
560
561
562/* Perform the key setup.  Note that this works only with 128- and 256-bit
563 * keys, despite the API that looks like it might support other sizes. */
564
565static gcry_err_code_t
566do_twofish_setkey (TWOFISH_context *ctx, const byte *key, const unsigned keylen)
567{
568  int i, j, k;
569
570  /* Temporaries for CALC_K. */
571  u32 x, y;
572
573  /* The S vector used to key the S-boxes, split up into individual bytes.
574   * 128-bit keys use only sa through sh; 256-bit use all of them. */
575  byte sa = 0, sb = 0, sc = 0, sd = 0, se = 0, sf = 0, sg = 0, sh = 0;
576  byte si = 0, sj = 0, sk = 0, sl = 0, sm = 0, sn = 0, so = 0, sp = 0;
577
578  /* Temporary for CALC_S. */
579  byte tmp;
580
581  /* Flags for self-test. */
582  static int initialized = 0;
583  static const char *selftest_failed=0;
584
585  /* Check key length. */
586  if( ( ( keylen - 16 ) | 16 ) != 16 )
587    return GPG_ERR_INV_KEYLEN;
588
589  /* Do self-test if necessary. */
590  if (!initialized)
591    {
592      initialized = 1;
593      selftest_failed = selftest ();
594      if( selftest_failed )
595        log_error("%s\n", selftest_failed );
596    }
597  if( selftest_failed )
598    return GPG_ERR_SELFTEST_FAILED;
599
600  /* Compute the first two words of the S vector.  The magic numbers are
601   * the entries of the RS matrix, preprocessed through poly_to_exp.    The
602   * numbers in the comments are the original (polynomial form) matrix
603   * entries. */
604  CALC_S (sa, sb, sc, sd, 0, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
605  CALC_S (sa, sb, sc, sd, 1, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
606  CALC_S (sa, sb, sc, sd, 2, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
607  CALC_S (sa, sb, sc, sd, 3, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
608  CALC_S (sa, sb, sc, sd, 4, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
609  CALC_S (sa, sb, sc, sd, 5, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
610  CALC_S (sa, sb, sc, sd, 6, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
611  CALC_S (sa, sb, sc, sd, 7, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
612  CALC_S (se, sf, sg, sh, 8, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
613  CALC_S (se, sf, sg, sh, 9, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
614  CALC_S (se, sf, sg, sh, 10, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
615  CALC_S (se, sf, sg, sh, 11, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
616  CALC_S (se, sf, sg, sh, 12, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
617  CALC_S (se, sf, sg, sh, 13, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
618  CALC_S (se, sf, sg, sh, 14, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
619  CALC_S (se, sf, sg, sh, 15, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
620
621  if (keylen == 32)  /* 256-bit key */
622    {
623      /* Calculate the remaining two words of the S vector */
624      CALC_S (si, sj, sk, sl, 16, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
625      CALC_S (si, sj, sk, sl, 17, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
626      CALC_S (si, sj, sk, sl, 18, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
627      CALC_S (si, sj, sk, sl, 19, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
628      CALC_S (si, sj, sk, sl, 20, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
629      CALC_S (si, sj, sk, sl, 21, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
630      CALC_S (si, sj, sk, sl, 22, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
631      CALC_S (si, sj, sk, sl, 23, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
632      CALC_S (sm, sn, so, sp, 24, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
633      CALC_S (sm, sn, so, sp, 25, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
634      CALC_S (sm, sn, so, sp, 26, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
635      CALC_S (sm, sn, so, sp, 27, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
636      CALC_S (sm, sn, so, sp, 28, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
637      CALC_S (sm, sn, so, sp, 29, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
638      CALC_S (sm, sn, so, sp, 30, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
639      CALC_S (sm, sn, so, sp, 31, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
640
641      /* Compute the S-boxes. */
642      for(i=j=0,k=1; i < 256; i++, j += 2, k += 2 )
643        {
644          CALC_SB256_2( i, calc_sb_tbl[j], calc_sb_tbl[k] );
645        }
646
647      /* Calculate whitening and round subkeys.  The constants are
648       * indices of subkeys, preprocessed through q0 and q1. */
649      CALC_K256 (w, 0, 0xA9, 0x75, 0x67, 0xF3);
650      CALC_K256 (w, 2, 0xB3, 0xC6, 0xE8, 0xF4);
651      CALC_K256 (w, 4, 0x04, 0xDB, 0xFD, 0x7B);
652      CALC_K256 (w, 6, 0xA3, 0xFB, 0x76, 0xC8);
653      CALC_K256 (k, 0, 0x9A, 0x4A, 0x92, 0xD3);
654      CALC_K256 (k, 2, 0x80, 0xE6, 0x78, 0x6B);
655      CALC_K256 (k, 4, 0xE4, 0x45, 0xDD, 0x7D);
656      CALC_K256 (k, 6, 0xD1, 0xE8, 0x38, 0x4B);
657      CALC_K256 (k, 8, 0x0D, 0xD6, 0xC6, 0x32);
658      CALC_K256 (k, 10, 0x35, 0xD8, 0x98, 0xFD);
659      CALC_K256 (k, 12, 0x18, 0x37, 0xF7, 0x71);
660      CALC_K256 (k, 14, 0xEC, 0xF1, 0x6C, 0xE1);
661      CALC_K256 (k, 16, 0x43, 0x30, 0x75, 0x0F);
662      CALC_K256 (k, 18, 0x37, 0xF8, 0x26, 0x1B);
663      CALC_K256 (k, 20, 0xFA, 0x87, 0x13, 0xFA);
664      CALC_K256 (k, 22, 0x94, 0x06, 0x48, 0x3F);
665      CALC_K256 (k, 24, 0xF2, 0x5E, 0xD0, 0xBA);
666      CALC_K256 (k, 26, 0x8B, 0xAE, 0x30, 0x5B);
667      CALC_K256 (k, 28, 0x84, 0x8A, 0x54, 0x00);
668      CALC_K256 (k, 30, 0xDF, 0xBC, 0x23, 0x9D);
669    }
670  else
671    {
672      /* Compute the S-boxes. */
673      for(i=j=0,k=1; i < 256; i++, j += 2, k += 2 )
674        {
675          CALC_SB_2( i, calc_sb_tbl[j], calc_sb_tbl[k] );
676        }
677
678      /* Calculate whitening and round subkeys.  The constants are
679       * indices of subkeys, preprocessed through q0 and q1. */
680      CALC_K (w, 0, 0xA9, 0x75, 0x67, 0xF3);
681      CALC_K (w, 2, 0xB3, 0xC6, 0xE8, 0xF4);
682      CALC_K (w, 4, 0x04, 0xDB, 0xFD, 0x7B);
683      CALC_K (w, 6, 0xA3, 0xFB, 0x76, 0xC8);
684      CALC_K (k, 0, 0x9A, 0x4A, 0x92, 0xD3);
685      CALC_K (k, 2, 0x80, 0xE6, 0x78, 0x6B);
686      CALC_K (k, 4, 0xE4, 0x45, 0xDD, 0x7D);
687      CALC_K (k, 6, 0xD1, 0xE8, 0x38, 0x4B);
688      CALC_K (k, 8, 0x0D, 0xD6, 0xC6, 0x32);
689      CALC_K (k, 10, 0x35, 0xD8, 0x98, 0xFD);
690      CALC_K (k, 12, 0x18, 0x37, 0xF7, 0x71);
691      CALC_K (k, 14, 0xEC, 0xF1, 0x6C, 0xE1);
692      CALC_K (k, 16, 0x43, 0x30, 0x75, 0x0F);
693      CALC_K (k, 18, 0x37, 0xF8, 0x26, 0x1B);
694      CALC_K (k, 20, 0xFA, 0x87, 0x13, 0xFA);
695      CALC_K (k, 22, 0x94, 0x06, 0x48, 0x3F);
696      CALC_K (k, 24, 0xF2, 0x5E, 0xD0, 0xBA);
697      CALC_K (k, 26, 0x8B, 0xAE, 0x30, 0x5B);
698      CALC_K (k, 28, 0x84, 0x8A, 0x54, 0x00);
699      CALC_K (k, 30, 0xDF, 0xBC, 0x23, 0x9D);
700    }
701
702  return 0;
703}
704
705static gcry_err_code_t
706twofish_setkey (void *context, const byte *key, unsigned int keylen)
707{
708  TWOFISH_context *ctx = context;
709  int rc = do_twofish_setkey (ctx, key, keylen);
710  _gcry_burn_stack (23+6*sizeof(void*));
711  return rc;
712}
713
714
715
716/* Macros to compute the g() function in the encryption and decryption
717 * rounds.  G1 is the straight g() function; G2 includes the 8-bit
718 * rotation for the high 32-bit word. */
719
720#define G1(a) \
721     (ctx->s[0][(a) & 0xFF]) ^ (ctx->s[1][((a) >> 8) & 0xFF]) \
722   ^ (ctx->s[2][((a) >> 16) & 0xFF]) ^ (ctx->s[3][(a) >> 24])
723
724#define G2(b) \
725     (ctx->s[1][(b) & 0xFF]) ^ (ctx->s[2][((b) >> 8) & 0xFF]) \
726   ^ (ctx->s[3][((b) >> 16) & 0xFF]) ^ (ctx->s[0][(b) >> 24])
727
728/* Encryption and decryption Feistel rounds.  Each one calls the two g()
729 * macros, does the PHT, and performs the XOR and the appropriate bit
730 * rotations.  The parameters are the round number (used to select subkeys),
731 * and the four 32-bit chunks of the text. */
732
733#define ENCROUND(n, a, b, c, d) \
734   x = G1 (a); y = G2 (b); \
735   x += y; y += x + ctx->k[2 * (n) + 1]; \
736   (c) ^= x + ctx->k[2 * (n)]; \
737   (c) = ((c) >> 1) + ((c) << 31); \
738   (d) = (((d) << 1)+((d) >> 31)) ^ y
739
740#define DECROUND(n, a, b, c, d) \
741   x = G1 (a); y = G2 (b); \
742   x += y; y += x; \
743   (d) ^= y + ctx->k[2 * (n) + 1]; \
744   (d) = ((d) >> 1) + ((d) << 31); \
745   (c) = (((c) << 1)+((c) >> 31)); \
746   (c) ^= (x + ctx->k[2 * (n)])
747
748/* Encryption and decryption cycles; each one is simply two Feistel rounds
749 * with the 32-bit chunks re-ordered to simulate the "swap" */
750
751#define ENCCYCLE(n) \
752   ENCROUND (2 * (n), a, b, c, d); \
753   ENCROUND (2 * (n) + 1, c, d, a, b)
754
755#define DECCYCLE(n) \
756   DECROUND (2 * (n) + 1, c, d, a, b); \
757   DECROUND (2 * (n), a, b, c, d)
758
759/* Macros to convert the input and output bytes into 32-bit words,
760 * and simultaneously perform the whitening step.  INPACK packs word
761 * number n into the variable named by x, using whitening subkey number m.
762 * OUTUNPACK unpacks word number n from the variable named by x, using
763 * whitening subkey number m. */
764
765#define INPACK(n, x, m) \
766   x = in[4 * (n)] ^ (in[4 * (n) + 1] << 8) \
767     ^ (in[4 * (n) + 2] << 16) ^ (in[4 * (n) + 3] << 24) ^ ctx->w[m]
768
769#define OUTUNPACK(n, x, m) \
770   x ^= ctx->w[m]; \
771   out[4 * (n)] = x; out[4 * (n) + 1] = x >> 8; \
772   out[4 * (n) + 2] = x >> 16; out[4 * (n) + 3] = x >> 24
773
774/* Encrypt one block.  in and out may be the same. */
775
776static void
777do_twofish_encrypt (const TWOFISH_context *ctx, byte *out, const byte *in)
778{
779  /* The four 32-bit chunks of the text. */
780  u32 a, b, c, d;
781
782  /* Temporaries used by the round function. */
783  u32 x, y;
784
785  /* Input whitening and packing. */
786  INPACK (0, a, 0);
787  INPACK (1, b, 1);
788  INPACK (2, c, 2);
789  INPACK (3, d, 3);
790
791  /* Encryption Feistel cycles. */
792  ENCCYCLE (0);
793  ENCCYCLE (1);
794  ENCCYCLE (2);
795  ENCCYCLE (3);
796  ENCCYCLE (4);
797  ENCCYCLE (5);
798  ENCCYCLE (6);
799  ENCCYCLE (7);
800
801  /* Output whitening and unpacking. */
802  OUTUNPACK (0, c, 4);
803  OUTUNPACK (1, d, 5);
804  OUTUNPACK (2, a, 6);
805  OUTUNPACK (3, b, 7);
806}
807
808static void
809twofish_encrypt (void *context, byte *out, const byte *in)
810{
811  TWOFISH_context *ctx = context;
812  do_twofish_encrypt (ctx, out, in);
813  _gcry_burn_stack (24+3*sizeof (void*));
814}
815
816
817/* Decrypt one block.  in and out may be the same. */
818
819static void
820do_twofish_decrypt (const TWOFISH_context *ctx, byte *out, const byte *in)
821{
822  /* The four 32-bit chunks of the text. */
823  u32 a, b, c, d;
824
825  /* Temporaries used by the round function. */
826  u32 x, y;
827
828  /* Input whitening and packing. */
829  INPACK (0, c, 4);
830  INPACK (1, d, 5);
831  INPACK (2, a, 6);
832  INPACK (3, b, 7);
833
834  /* Encryption Feistel cycles. */
835  DECCYCLE (7);
836  DECCYCLE (6);
837  DECCYCLE (5);
838  DECCYCLE (4);
839  DECCYCLE (3);
840  DECCYCLE (2);
841  DECCYCLE (1);
842  DECCYCLE (0);
843
844  /* Output whitening and unpacking. */
845  OUTUNPACK (0, a, 0);
846  OUTUNPACK (1, b, 1);
847  OUTUNPACK (2, c, 2);
848  OUTUNPACK (3, d, 3);
849}
850
851static void
852twofish_decrypt (void *context, byte *out, const byte *in)
853{
854  TWOFISH_context *ctx = context;
855
856  do_twofish_decrypt (ctx, out, in);
857  _gcry_burn_stack (24+3*sizeof (void*));
858}
859
860
861/* Test a single encryption and decryption with each key size. */
862
863
864/* More complete test program.  This does 1000 encryptions and decryptions
865 * with each of 250 128-bit keys and 2000 encryptions and decryptions with
866 * each of 125 256-bit keys, using a feedback scheme similar to a Feistel
867 * cipher, so as to be sure of testing all the table entries pretty
868 * thoroughly.  We keep changing the keys so as to get a more meaningful
869 * performance number, since the key setup is non-trivial for Twofish. */
870
871#ifdef TEST
872
873
874int
875main()
876{
877  TWOFISH_context ctx;     /* Expanded key. */
878  int i, j;                 /* Loop counters. */
879
880  const char *encrypt_msg; /* Message to print regarding encryption test;
881                            * the printf is done outside the loop to avoid
882                            * stuffing up the timing. */
883  clock_t timer; /* For computing elapsed time. */
884
885  /* Test buffer. */
886  byte buffer[4][16] = {
887    {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
888     0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF},
889    {0x0F, 0x1E, 0x2D, 0x3C, 0x4B, 0x5A, 0x69, 0x78,
890     0x87, 0x96, 0xA5, 0xB4, 0xC3, 0xD2 ,0xE1, 0xF0},
891    {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
892     0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54 ,0x32, 0x10},
893    {0x01, 0x23, 0x45, 0x67, 0x76, 0x54 ,0x32, 0x10,
894     0x89, 0xAB, 0xCD, 0xEF, 0xFE, 0xDC, 0xBA, 0x98}
895  };
896
897  /* Expected outputs for the million-operation test */
898  static const byte test_encrypt[4][16] = {
899    {0xC8, 0x23, 0xB8, 0xB7, 0x6B, 0xFE, 0x91, 0x13,
900     0x2F, 0xA7, 0x5E, 0xE6, 0x94, 0x77, 0x6F, 0x6B},
901    {0x90, 0x36, 0xD8, 0x29, 0xD5, 0x96, 0xC2, 0x8E,
902     0xE4, 0xFF, 0x76, 0xBC, 0xE5, 0x77, 0x88, 0x27},
903    {0xB8, 0x78, 0x69, 0xAF, 0x42, 0x8B, 0x48, 0x64,
904     0xF7, 0xE9, 0xF3, 0x9C, 0x42, 0x18, 0x7B, 0x73},
905    {0x7A, 0x88, 0xFB, 0xEB, 0x90, 0xA4, 0xB4, 0xA8,
906     0x43, 0xA3, 0x1D, 0xF1, 0x26, 0xC4, 0x53, 0x57}
907  };
908  static const byte test_decrypt[4][16] = {
909    {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
910     0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF},
911    {0x0F, 0x1E, 0x2D, 0x3C, 0x4B, 0x5A, 0x69, 0x78,
912     0x87, 0x96, 0xA5, 0xB4, 0xC3, 0xD2 ,0xE1, 0xF0},
913    {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
914     0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54 ,0x32, 0x10},
915    {0x01, 0x23, 0x45, 0x67, 0x76, 0x54 ,0x32, 0x10,
916     0x89, 0xAB, 0xCD, 0xEF, 0xFE, 0xDC, 0xBA, 0x98}
917  };
918
919  /* Start the timer ticking. */
920  timer = clock ();
921
922  /* Encryption test. */
923  for (i = 0; i < 125; i++)
924    {
925      twofish_setkey (&ctx, buffer[0], sizeof (buffer[0]));
926      for (j = 0; j < 1000; j++)
927        twofish_encrypt (&ctx, buffer[2], buffer[2]);
928      twofish_setkey (&ctx, buffer[1], sizeof (buffer[1]));
929      for (j = 0; j < 1000; j++)
930        twofish_encrypt (&ctx, buffer[3], buffer[3]);
931      twofish_setkey (&ctx, buffer[2], sizeof (buffer[2])*2);
932      for (j = 0; j < 1000; j++) {
933        twofish_encrypt (&ctx, buffer[0], buffer[0]);
934        twofish_encrypt (&ctx, buffer[1], buffer[1]);
935      }
936    }
937  encrypt_msg = memcmp (buffer, test_encrypt, sizeof (test_encrypt)) ?
938    "encryption failure!\n" : "encryption OK!\n";
939
940  /* Decryption test. */
941  for (i = 0; i < 125; i++)
942    {
943      twofish_setkey (&ctx, buffer[2], sizeof (buffer[2])*2);
944      for (j = 0; j < 1000; j++) {
945        twofish_decrypt (&ctx, buffer[0], buffer[0]);
946        twofish_decrypt (&ctx, buffer[1], buffer[1]);
947      }
948      twofish_setkey (&ctx, buffer[1], sizeof (buffer[1]));
949      for (j = 0; j < 1000; j++)
950        twofish_decrypt (&ctx, buffer[3], buffer[3]);
951      twofish_setkey (&ctx, buffer[0], sizeof (buffer[0]));
952      for (j = 0; j < 1000; j++)
953        twofish_decrypt (&ctx, buffer[2], buffer[2]);
954    }
955
956  /* Stop the timer, and print results. */
957  timer = clock () - timer;
958  printf (encrypt_msg);
959  printf (memcmp (buffer, test_decrypt, sizeof (test_decrypt)) ?
960          "decryption failure!\n" : "decryption OK!\n");
961  printf ("elapsed time: %.1f s.\n", (float) timer / CLOCKS_PER_SEC);
962
963  return 0;
964}
965
966#endif /* TEST */
967
968
969
970gcry_cipher_spec_t _gcry_cipher_spec_twofish =
971  {
972    "TWOFISH", NULL, NULL, 16, 256, sizeof (TWOFISH_context),
973    twofish_setkey, twofish_encrypt, twofish_decrypt
974    ,
975#ifdef GRUB_UTIL
976    .modname = "gcry_twofish",
977#endif
978  };
979
980gcry_cipher_spec_t _gcry_cipher_spec_twofish128 =
981  {
982    "TWOFISH128", NULL, NULL, 16, 128, sizeof (TWOFISH_context),
983    twofish_setkey, twofish_encrypt, twofish_decrypt
984    ,
985#ifdef GRUB_UTIL
986    .modname = "gcry_twofish",
987#endif
988  };
989
990
991GRUB_MOD_INIT(gcry_twofish)
992{
993  grub_cipher_register (&_gcry_cipher_spec_twofish);
994  grub_cipher_register (&_gcry_cipher_spec_twofish128);
995}
996
997GRUB_MOD_FINI(gcry_twofish)
998{
999  grub_cipher_unregister (&_gcry_cipher_spec_twofish);
1000  grub_cipher_unregister (&_gcry_cipher_spec_twofish128);
1001}
Note: See TracBrowser for help on using the repository browser.