1 /*
2 Source Code for Cryptography (Just a touch)
3
4
5
6 SOURCE CODE FOR MD5
7
8 md5.h (the include file for the above C code)
9
10 Karn Encryption: Symmetric Secret with MD5
11
12 SHA-1 By Steve Reid
13
14 RSA Crypto Toolkit Totality
15
16 DES Encryption
17
18 Elliptic Curves
19
20 SOURCE CODE FOR MD5
21 */
22
23
24 #ifdef CPU386 /* Fast assembler version exists for 386/486 */
25
26 #pragma inline
27
28 #endif
29
30
31
32 /*
33
34 ***********************************************************************
35
36 ** md5.c -- the source code for MD5 routines **
37
38 ** RSA Data Security, Inc. MD5 Message-Digest Algorithm **
39
40 ** Created: 2/17/90 RLR **
41
42 ** Revised: 1/91 SRD,AJ,BSK,JT Reference C ver., 7/10 constant corr. **
43
44 ** 1992.2.13 Jouko Holopainen, 80x86 version **
45
46 ***********************************************************************
47
48 */
49
50
51
52 /*
53
54 ***********************************************************************
55
56 ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
57
58 ** **
59
60 ** License to copy and use this software is granted provided that **
61
62 ** it is identified as the "RSA Data Security, Inc. MD5 Message- **
63
64 ** Digest Algorithm" in all material mentioning or referencing this **
65
66 ** software or this function. **
67
68 ** **
69
70 ** License is also granted to make and use derivative works **
71
72 ** provided that such works are identified as "derived from the RSA **
73
74 ** Data Security, Inc. MD5 Message-Digest Algorithm" in all **
75
76 ** material mentioning or referencing the derived work. **
77
78 ** **
79
80 ** RSA Data Security, Inc. makes no representations concerning **
81
82 ** either the merchantability of this software or the suitability **
83
84 ** of this software for any particular purpose. It is provided "as **
85
86 ** is" without express or implied warranty of any kind. **
87
88 ** **
89
90 ** These notices must be retained in any copies of any part of this **
91
92 ** documentation and/or software. **
93
94 ***********************************************************************
95
96 */
97
98
99
100 #include "md5.h"
101
102
103
104 /*
105
106 ***********************************************************************
107
108 ** Message-digest routines: **
109
110 ** To form the message digest for a message M **
111
112 ** (1) Initialize a context buffer mdContext using MD5Init **
113
114 ** (2) Call MD5Update on mdContext and M **
115
116 ** (3) Call MD5Final on mdContext **
117
118 ** The message digest is now in mdContext->digest[0...15] **
119
120 ***********************************************************************
121
122 */
123
124
125
126 static unsigned char PADDING[64] = {
127
128 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
129
130 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
131
132 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
133
134 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
135
136 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
137
138 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
139
140 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
141
142 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
143
144 };
145
146
147
148 #ifndef CPU386 /* Alternate defs exist for 386 assembler version */
149
150 /* F, G, H and I are basic MD5 functions */
151
152 #define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
153
154 #define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
155
156 #define H(x, y, z) ((x) ^ (y) ^ (z))
157
158 #define I(x, y, z) ((y) ^ ((x) | (~z)))
159
160
161
162 /* ROTATE_LEFT rotates x left n bits */
163
164 #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
165
166
167
168 /* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4 */
169
170 /* Rotation is separate from addition to prevent recomputation */
171
172 #define FF(a, b, c, d, x, s, ac) \
173
174 {(a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
175
176 (a) = ROTATE_LEFT ((a), (s)); \
177
178 (a) += (b); \
179
180 }
181
182 #define GG(a, b, c, d, x, s, ac) \
183
184 {(a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
185
186 (a) = ROTATE_LEFT ((a), (s)); \
187
188 (a) += (b); \
189
190 }
191
192 #define HH(a, b, c, d, x, s, ac) \
193
194 {(a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
195
196 (a) = ROTATE_LEFT ((a), (s)); \
197
198 (a) += (b); \
199
200 }
201
202 #define II(a, b, c, d, x, s, ac) \
203
204 {(a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
205
206 (a) = ROTATE_LEFT ((a), (s)); \
207
208 (a) += (b); \
209
210 }
211
212 #endif /* CPU386 */
213
214
215
216 /* The routine MD5Init initializes the message-digest context
217
218 mdContext. All fields are set to zero.
219
220 */
221
222 void MD5Init (mdContext)
223
224 MD5_CTX *mdContext;
225
226 {
227
228 mdContext->i[0] = mdContext->i[1] = (UINT4)0;
229
230
231
232 /* Load magic initialization constants.
233
234 */
235
236 mdContext->buf[0] = (UINT4)0x67452301;
237
238 mdContext->buf[1] = (UINT4)0xefcdab89;
239
240 mdContext->buf[2] = (UINT4)0x98badcfe;
241
242 mdContext->buf[3] = (UINT4)0x10325476;
243
244 }
245
246
247
248 /* The routine MD5Update updates the message-digest context to
249
250 account for the presence of each of the characters inBuf[0..inLen-1]
251
252 in the message whose digest is being computed.
253
254 */
255
256 void MD5Update (mdContext, inBuf, inLen)
257
258 MD5_CTX *mdContext;
259
260 unsigned char *inBuf;
261
262 unsigned int inLen;
263
264 {
265
266 UINT4 in[16];
267
268 int mdi;
269
270 unsigned int i, ii;
271
272
273
274 /* compute number of bytes mod 64 */
275
276 mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
277
278
279
280 /* update number of bits */
281
282 if ((mdContext->i[0] + ((UINT4)inLen << 3)) < mdContext->i[0])
283
284 mdContext->i[1]++;
285
286 mdContext->i[0] += ((UINT4)inLen << 3);
287
288 mdContext->i[1] += ((UINT4)inLen >> 29);
289
290
291
292 #ifdef LITTLE_ENDIAN
293
294 /* Speedup for little-endian machines suggested in MD5 report --P Karn */
295
296 if(mdi == 0 && ((int)inBuf & 3) == 0){
297
298 while(inLen >= 64){
299
300 MD5Transform(mdContext->buf,(UINT4 *)inBuf);
301
302 inLen -= 64;
303
304 inBuf += 64;
305
306 }
307
308 }
309
310 #endif /* LITTLE_ENDIAN */
311
312 while (inLen--) {
313
314 /* add new character to buffer, increment mdi */
315
316 mdContext->in[mdi++] = *inBuf++;
317
318
319
320 /* transform if necessary */
321
322 if (mdi == 0x40) {
323
324 for (i = 0, ii = 0; i < 16; i++, ii += 4)
325
326 in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
327
328 (((UINT4)mdContext->in[ii+2]) << 16) |
329
330 (((UINT4)mdContext->in[ii+1]) << 8) |
331
332 ((UINT4)mdContext->in[ii]);
333
334 MD5Transform (mdContext->buf, in);
335
336 mdi = 0;
337
338 }
339
340 }
341
342 }
343
344
345
346 /* The routine MD5Final terminates the message-digest computation and
347
348 ends with the desired message digest in mdContext->digest[0...15].
349
350 */
351
352 void MD5Final (mdContext)
353
354 MD5_CTX *mdContext;
355
356 {
357
358 UINT4 in[16];
359
360 int mdi;
361
362 unsigned int i, ii;
363
364 unsigned int padLen;
365
366
367
368 /* save number of bits */
369
370 in[14] = mdContext->i[0];
371
372 in[15] = mdContext->i[1];
373
374
375
376 /* compute number of bytes mod 64 */
377
378 mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
379
380
381
382 /* pad out to 56 mod 64 */
383
384 padLen = (mdi < 56) ? (56 - mdi) : (120 - mdi);
385
386 MD5Update (mdContext, PADDING, padLen);
387
388
389
390 /* append length in bits and transform */
391
392 for (i = 0, ii = 0; i < 14; i++, ii += 4)
393
394 in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
395
396 (((UINT4)mdContext->in[ii+2]) << 16) |
397
398 (((UINT4)mdContext->in[ii+1]) << 8) |
399
400 ((UINT4)mdContext->in[ii]);
401
402 MD5Transform (mdContext->buf, in);
403
404
405
406 /* store buffer in digest */
407
408 for (i = 0, ii = 0; i < 4; i++, ii += 4) {
409
410 mdContext->digest[ii] = (unsigned char)(mdContext->buf[i] & 0xFF);
411
412 mdContext->digest[ii+1] =
413
414 (unsigned char)((mdContext->buf[i] >> 8) & 0xFF);
415
416 mdContext->digest[ii+2] =
417
418 (unsigned char)((mdContext->buf[i] >> 16) & 0xFF);
419
420 mdContext->digest[ii+3] =
421
422 (unsigned char)((mdContext->buf[i] >> 24) & 0xFF);
423
424 }
425
426 }
427
428
429
430 #ifndef CPU386 /* Fast assembler version exists for 386/486 */
431
432
433
434 /* Basic MD5 step. Transforms buf based on in.
435
436 */
437
438 void MD5Transform (buf, in)
439
440 UINT4 *buf;
441
442 UINT4 *in;
443
444 {
445
446 UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
447
448
449
450 /* Round 1 */
451
452 #define S11 7
453
454 #define S12 12
455
456 #define S13 17
457
458 #define S14 22
459
460 FF ( a, b, c, d, in[ 0], S11, 3614090360); /* 1 */
461
462 FF ( d, a, b, c, in[ 1], S12, 3905402710); /* 2 */
463
464 FF ( c, d, a, b, in[ 2], S13, 606105819); /* 3 */
465
466 FF ( b, c, d, a, in[ 3], S14, 3250441966); /* 4 */
467
468 FF ( a, b, c, d, in[ 4], S11, 4118548399); /* 5 */
469
470 FF ( d, a, b, c, in[ 5], S12, 1200080426); /* 6 */
471
472 FF ( c, d, a, b, in[ 6], S13, 2821735955); /* 7 */
473
474 FF ( b, c, d, a, in[ 7], S14, 4249261313); /* 8 */
475
476 FF ( a, b, c, d, in[ 8], S11, 1770035416); /* 9 */
477
478 FF ( d, a, b, c, in[ 9], S12, 2336552879); /* 10 */
479
480 FF ( c, d, a, b, in[10], S13, 4294925233); /* 11 */
481
482 FF ( b, c, d, a, in[11], S14, 2304563134); /* 12 */
483
484 FF ( a, b, c, d, in[12], S11, 1804603682); /* 13 */
485
486 FF ( d, a, b, c, in[13], S12, 4254626195); /* 14 */
487
488 FF ( c, d, a, b, in[14], S13, 2792965006); /* 15 */
489
490 FF ( b, c, d, a, in[15], S14, 1236535329); /* 16 */
491
492
493
494 /* Round 2 */
495
496 #define S21 5
497
498 #define S22 9
499
500 #define S23 14
501
502 #define S24 20
503
504 GG ( a, b, c, d, in[ 1], S21, 4129170786); /* 17 */
505
506 GG ( d, a, b, c, in[ 6], S22, 3225465664); /* 18 */
507
508 GG ( c, d, a, b, in[11], S23, 643717713); /* 19 */
509
510 GG ( b, c, d, a, in[ 0], S24, 3921069994); /* 20 */
511
512 GG ( a, b, c, d, in[ 5], S21, 3593408605); /* 21 */
513
514 GG ( d, a, b, c, in[10], S22, 38016083); /* 22 */
515
516 GG ( c, d, a, b, in[15], S23, 3634488961); /* 23 */
517
518 GG ( b, c, d, a, in[ 4], S24, 3889429448); /* 24 */
519
520 GG ( a, b, c, d, in[ 9], S21, 568446438); /* 25 */
521
522 GG ( d, a, b, c, in[14], S22, 3275163606); /* 26 */
523
524 GG ( c, d, a, b, in[ 3], S23, 4107603335); /* 27 */
525
526 GG ( b, c, d, a, in[ 8], S24, 1163531501); /* 28 */
527
528 GG ( a, b, c, d, in[13], S21, 2850285829); /* 29 */
529
530 GG ( d, a, b, c, in[ 2], S22, 4243563512); /* 30 */
531
532 GG ( c, d, a, b, in[ 7], S23, 1735328473); /* 31 */
533
534 GG ( b, c, d, a, in[12], S24, 2368359562); /* 32 */
535
536
537
538 /* Round 3 */
539
540 #define S31 4
541
542 #define S32 11
543
544 #define S33 16
545
546 #define S34 23
547
548 HH ( a, b, c, d, in[ 5], S31, 4294588738); /* 33 */
549
550 HH ( d, a, b, c, in[ 8], S32, 2272392833); /* 34 */
551
552 HH ( c, d, a, b, in[11], S33, 1839030562); /* 35 */
553
554 HH ( b, c, d, a, in[14], S34, 4259657740); /* 36 */
555
556 HH ( a, b, c, d, in[ 1], S31, 2763975236); /* 37 */
557
558 HH ( d, a, b, c, in[ 4], S32, 1272893353); /* 38 */
559
560 HH ( c, d, a, b, in[ 7], S33, 4139469664); /* 39 */
561
562 HH ( b, c, d, a, in[10], S34, 3200236656); /* 40 */
563
564 HH ( a, b, c, d, in[13], S31, 681279174); /* 41 */
565
566 HH ( d, a, b, c, in[ 0], S32, 3936430074); /* 42 */
567
568 HH ( c, d, a, b, in[ 3], S33, 3572445317); /* 43 */
569
570 HH ( b, c, d, a, in[ 6], S34, 76029189); /* 44 */
571
572 HH ( a, b, c, d, in[ 9], S31, 3654602809); /* 45 */
573
574 HH ( d, a, b, c, in[12], S32, 3873151461); /* 46 */
575
576 HH ( c, d, a, b, in[15], S33, 530742520); /* 47 */
577
578 HH ( b, c, d, a, in[ 2], S34, 3299628645); /* 48 */
579
580
581
582 /* Round 4 */
583
584 #define S41 6
585
586 #define S42 10
587
588 #define S43 15
589
590 #define S44 21
591
592 II ( a, b, c, d, in[ 0], S41, 4096336452); /* 49 */
593
594 II ( d, a, b, c, in[ 7], S42, 1126891415); /* 50 */
595
596 II ( c, d, a, b, in[14], S43, 2878612391); /* 51 */
597
598 II ( b, c, d, a, in[ 5], S44, 4237533241); /* 52 */
599
600 II ( a, b, c, d, in[12], S41, 1700485571); /* 53 */
601
602 II ( d, a, b, c, in[ 3], S42, 2399980690); /* 54 */
603
604 II ( c, d, a, b, in[10], S43, 4293915773); /* 55 */
605
606 II ( b, c, d, a, in[ 1], S44, 2240044497); /* 56 */
607
608 II ( a, b, c, d, in[ 8], S41, 1873313359); /* 57 */
609
610 II ( d, a, b, c, in[15], S42, 4264355552); /* 58 */
611
612 II ( c, d, a, b, in[ 6], S43, 2734768916); /* 59 */
613
614 II ( b, c, d, a, in[13], S44, 1309151649); /* 60 */
615
616 II ( a, b, c, d, in[ 4], S41, 4149444226); /* 61 */
617
618 II ( d, a, b, c, in[11], S42, 3174756917); /* 62 */
619
620 II ( c, d, a, b, in[ 2], S43, 718787259); /* 63 */
621
622 II ( b, c, d, a, in[ 9], S44, 3951481745); /* 64 */
623
624
625
626 buf[0] += a;
627
628 buf[1] += b;
629
630 buf[2] += c;
631
632 buf[3] += d;
633
634 }
635
636 #else /* CPU386 */
637
638 /* Fast 386 Borland C inline assembler version of the MD5Transform() function
639
640 * from the RSA Data Security, Inc, MD5 Message Digest Algorithm.
641
642 *
643
644 * This version uses native 32 bit registers, so it needs a 386 or 486 CPU.
645
646 *
647
648 * Because this function does *lots* of 32-bit operations, this version is
649
650 * MUCH faster than the reference C version compiled with a garden-
651
652 * variety 16-bit MS-DOS C compiler.
653
654 *
655
656 * Written and placed into the public domain on
657
658 * 22 February 1992 by Phil Karn, KA9Q
659
660 */
661
662 /* I really shouldn't have to do this explicitly... */
663
664 #ifdef __COMPACT__
665
666 asm .MODEL COMPACT
667
668 #elif __HUGE__
669
670 asm .MODEL HUGE
671
672 #elif __LARGE__
673
674 asm .MODEL LARGE
675
676 #elif __MEDIUM__
677
678 asm .MODEL MEDIUM
679
680 #elif __SMALL__
681
682 asm .MODEL SMALL
683
684 #elif __TINY__
685
686 asm .MODEL TINY
687
688 #endif
689
690
691
692 /* Code sequence common to all four rounds.
693
694 * evaluates a = b + (a + edi + x + t) <<< s
695
696 * Assumes a,b are registers, s,t are immediate constants
697
698 * The 'lea' instruction is just a fast way to compute "a = a+t+edi"
699
700 */
701
702 #define COM(a,b,x,s,t)\
703
704 asm lea a,t[a+edi];\
705
706 asm add a,x;\
707
708 asm rol a,s;\
709
710 asm add a,b;
711
712
713
714 /* Round 1 functions */
715
716 /* edi = F(x,y,z) = (x & y) | (~x & z) */
717
718 #define F(x,y,z)\
719
720 asm mov edi,x;\
721
722 asm and edi,y;\
723
724 asm mov esi,x;\
725
726 asm not esi;\
727
728 asm and esi,z;\
729
730 asm or edi,esi
731
732
733
734 /* a = b + ((a + F(x,y,z) + x + t) <<< s); */
735
736 #define FF(a,b,c,d,x,s,t)\
737
738 F(b,c,d);\
739
740 COM(a,b,x,s,t)
741
742
743
744 /* Round 2 functions */
745
746 /* edi = G(x,y,z) = F(z,x,y) = (x & z) | (y & ~z) */
747
748 #define G(x,y,z) F(z,x,y)
749
750
751
752 /* a = b + ((a + G(b,c,d) + x + t) <<< s) */
753
754 #define GG(a,b,c,d,x,s,t)\
755
756 G(b,c,d);\
757
758 COM(a,b,x,s,t)
759
760
761
762 /* Round 3 functions */
763
764 /* edi = H(x,y,z) = x ^ y ^ z */
765
766 #define H(x,y,z)\
767
768 asm mov edi,x;\
769
770 asm xor edi,y;\
771
772 asm xor edi,z
773
774
775
776 /* a = b + ((a + H(b,c,d) + x + t) <<< s) */
777
778 #define HH(a,b,c,d,x,s,t)\
779
780 H(b,c,d);\
781
782 COM(a,b,x,s,t)
783
784
785
786 /* Round 4 functions */
787
788 /* edi = I(x,y,z) = y ^ (x | ~z) */
789
790 #define I(x,y,z)\
791
792 asm mov edi,z;\
793
794 asm not edi;\
795
796 asm or edi,x;\
797
798 asm xor edi,y
799
800
801
802 /* a = b + ((a + I(b,c,d) + x + t) <<< s) */
803
804 #define II(a,b,c,d,x,s,t)\
805
806 I(b,c,d);\
807
808 COM(a,b,x,s,t)
809
810
811
812 #define A eax
813
814 #define B ebx
815
816 #define C ecx
817
818 #define D edx
819
820
821
822 void
823
824 MD5Transform(buf,input)
825
826 UINT4 *buf;
827
828 UINT4 *input;
829
830 {
831
832 asm .386; /* Allow use of 32-bit general registers */
833
834
835
836 /* Save caller's registers */
837
838 asm push si;
839
840 asm push di;
841
842 asm push es;
843
844 asm if @DataSize NE 0
845
846 asm push ds;
847
848 asm endif
849
850
851
852 /* Get buf argument */
853
854 asm if @DataSize NE 0
855
856 asm lds si,buf;
857
858 asm else
859
860 asm mov si,buf;
861
862 asm endif
863
864 asm mov A,dword ptr si[0*4]; /* A = buf[0] */
865
866 asm mov B,dword ptr si[1*4]; /* B = buf[1] */
867
868 asm mov C,dword ptr si[2*4]; /* C = buf[2] */
869
870 asm mov D,dword ptr si[3*4]; /* D = buf[3] */
871
872
873
874 /* Warning: This makes our other args inaccessible until bp
875
876 * is restored!
877
878 */
879
880 asm push bp;
881
882 asm les bp,input
883
884
885
886 /* Round 1. The *4 factors in the subscripts to bp account for the
887
888 * byte offsets of each long element in the input array.
889
890 */
891
892 #define S11 7
893
894 #define S12 12
895
896 #define S13 17
897
898 #define S14 22
899
900 FF(A,B,C,D,es:bp[ 0*4],S11,3614090360); /* 1 */
901
902 FF(D,A,B,C,es:bp[ 1*4],S12,3905402710); /* 2 */
903
904 FF(C,D,A,B,es:bp[ 2*4],S13, 606105819); /* 3 */
905
906 FF(B,C,D,A,es:bp[ 3*4],S14,3250441966); /* 4 */
907
908 FF(A,B,C,D,es:bp[ 4*4],S11,4118548399); /* 5 */
909
910 FF(D,A,B,C,es:bp[ 5*4],S12,1200080426); /* 6 */
911
912 FF(C,D,A,B,es:bp[ 6*4],S13,2821735955); /* 7 */
913
914 FF(B,C,D,A,es:bp[ 7*4],S14,4249261313); /* 8 */
915
916 FF(A,B,C,D,es:bp[ 8*4],S11,1770035416); /* 9 */
917
918 FF(D,A,B,C,es:bp[ 9*4],S12,2336552879); /* 10 */
919
920 FF(C,D,A,B,es:bp[10*4],S13,4294925233); /* 11 */
921
922 FF(B,C,D,A,es:bp[11*4],S14,2304563134); /* 12 */
923
924 FF(A,B,C,D,es:bp[12*4],S11,1804603682); /* 13 */
925
926 FF(D,A,B,C,es:bp[13*4],S12,4254626195); /* 14 */
927
928 FF(C,D,A,B,es:bp[14*4],S13,2792965006); /* 15 */
929
930 FF(B,C,D,A,es:bp[15*4],S14,1236535329); /* 16 */
931
932
933
934 /* Round 2 */
935
936 #define S21 5
937
938 #define S22 9
939
940 #define S23 14
941
942 #define S24 20
943
944 GG(A,B,C,D,es:bp[ 1*4],S21,4129170786); /* 17 */
945
946 GG(D,A,B,C,es:bp[ 6*4],S22,3225465664); /* 18 */
947
948 GG(C,D,A,B,es:bp[11*4],S23, 643717713); /* 19 */
949
950 GG(B,C,D,A,es:bp[ 0*4],S24,3921069994); /* 20 */
951
952 GG(A,B,C,D,es:bp[ 5*4],S21,3593408605); /* 21 */
953
954 GG(D,A,B,C,es:bp[10*4],S22, 38016083); /* 22 */
955
956 GG(C,D,A,B,es:bp[15*4],S23,3634488961); /* 23 */
957
958 GG(B,C,D,A,es:bp[ 4*4],S24,3889429448); /* 24 */
959
960 GG(A,B,C,D,es:bp[ 9*4],S21, 568446438); /* 25 */
961
962 GG(D,A,B,C,es:bp[14*4],S22,3275163606); /* 26 */
963
964 GG(C,D,A,B,es:bp[ 3*4],S23,4107603335); /* 27 */
965
966 GG(B,C,D,A,es:bp[ 8*4],S24,1163531501); /* 28 */
967
968 GG(A,B,C,D,es:bp[13*4],S21,2850285829); /* 29 */
969
970 GG(D,A,B,C,es:bp[ 2*4],S22,4243563512); /* 30 */
971
972 GG(C,D,A,B,es:bp[ 7*4],S23,1735328473); /* 31 */
973
974 GG(B,C,D,A,es:bp[12*4],S24,2368359562); /* 32 */
975
976
977
978 /* Round 3 */
979
980 #define S31 4
981
982 #define S32 11
983
984 #define S33 16
985
986 #define S34 23
987
988 HH(A,B,C,D,es:bp[ 5*4],S31,4294588738); /* 33 */
989
990 HH(D,A,B,C,es:bp[ 8*4],S32,2272392833); /* 34 */
991
992 HH(C,D,A,B,es:bp[11*4],S33,1839030562); /* 35 */
993
994 HH(B,C,D,A,es:bp[14*4],S34,4259657740); /* 36 */
995
996 HH(A,B,C,D,es:bp[ 1*4],S31,2763975236); /* 37 */
997
998 HH(D,A,B,C,es:bp[ 4*4],S32,1272893353); /* 38 */
999
1000 HH(C,D,A,B,es:bp[ 7*4],S33,4139469664); /* 39 */
1001
1002 HH(B,C,D,A,es:bp[10*4],S34,3200236656); /* 40 */
1003
1004 HH(A,B,C,D,es:bp[13*4],S31, 681279174); /* 41 */
1005
1006 HH(D,A,B,C,es:bp[ 0*4],S32,3936430074); /* 42 */
1007
1008 HH(C,D,A,B,es:bp[ 3*4],S33,3572445317); /* 43 */
1009
1010 HH(B,C,D,A,es:bp[ 6*4],S34, 76029189); /* 44 */
1011
1012 HH(A,B,C,D,es:bp[ 9*4],S31,3654602809); /* 45 */
1013
1014 HH(D,A,B,C,es:bp[12*4],S32,3873151461); /* 46 */
1015
1016 HH(C,D,A,B,es:bp[15*4],S33, 530742520); /* 47 */
1017
1018 HH(B,C,D,A,es:bp[ 2*4],S34,3299628645); /* 48 */
1019
1020
1021
1022 /* Round 4 */
1023
1024 #define S41 6
1025
1026 #define S42 10
1027
1028 #define S43 15
1029
1030 #define S44 21
1031
1032 II(A,B,C,D,es:bp[ 0*4],S41,4096336452); /* 49 */
1033
1034 II(D,A,B,C,es:bp[ 7*4],S42,1126891415); /* 50 */
1035
1036 II(C,D,A,B,es:bp[14*4],S43,2878612391); /* 51 */
1037
1038 II(B,C,D,A,es:bp[ 5*4],S44,4237533241); /* 52 */
1039
1040 II(A,B,C,D,es:bp[12*4],S41,1700485571); /* 53 */
1041
1042 II(D,A,B,C,es:bp[ 3*4],S42,2399980690); /* 54 */
1043
1044 II(C,D,A,B,es:bp[10*4],S43,4293915773); /* 55 */
1045
1046 II(B,C,D,A,es:bp[ 1*4],S44,2240044497); /* 56 */
1047
1048 II(A,B,C,D,es:bp[ 8*4],S41,1873313359); /* 57 */
1049
1050 II(D,A,B,C,es:bp[15*4],S42,4264355552); /* 58 */
1051
1052 II(C,D,A,B,es:bp[ 6*4],S43,2734768916); /* 59 */
1053
1054 II(B,C,D,A,es:bp[13*4],S44,1309151649); /* 60 */
1055
1056 II(A,B,C,D,es:bp[ 4*4],S41,4149444226); /* 61 */
1057
1058 II(D,A,B,C,es:bp[11*4],S42,3174756917); /* 62 */
1059
1060 II(C,D,A,B,es:bp[ 2*4],S43, 718787259); /* 63 */
1061
1062 II(B,C,D,A,es:bp[ 9*4],S44,3951481745); /* 64 */
1063
1064
1065
1066 asm pop bp; /* We can address our args again */
1067
1068 asm if @DataSize NE 0
1069
1070 asm lds si,buf
1071
1072 asm else
1073
1074 asm mov si,buf;
1075
1076 asm endif
1077
1078 asm add dword ptr si[0*4],A; /* buf[0] += A */
1079
1080 asm add dword ptr si[1*4],B; /* buf[1] += B */
1081
1082 asm add dword ptr si[2*4],C; /* buf[2] += C */
1083
1084 asm add dword ptr si[3*4],D; /* buf[3] += D */
1085
1086
1087
1088 /* Restore caller's registers */
1089
1090 asm if @DataSize NE 0
1091
1092 asm pop ds
1093
1094 asm endif
1095
1096
1097
1098 asm pop es;
1099
1100 asm pop di;
1101
1102 asm pop si;
1103
1104 }
1105
1106 #endif /* CPU386 */
1107
1108
1109
1110 /*
1111
1112 ***********************************************************************
1113
1114 ** End of md5.c **
1115
1116 ******************************** (cut) ********************************
1117
1118 */
1119
1120 md5.h (the include file for the above C code)
1121
1122 /*
1123
1124 ***********************************************************************
1125
1126 ** md5.h -- header file for implementation of MD5 **
1127
1128 ** RSA Data Security, Inc. MD5 Message-Digest Algorithm **
1129
1130 ** Created: 2/17/90 RLR **
1131
1132 ** Revised: 12/27/90 SRD,AJ,BSK,JT Reference C version **
1133
1134 ** Revised (for MD5): RLR 4/27/91 **
1135
1136 ** -- G modified to have y&~z instead of y&z **
1137
1138 ** -- FF, GG, HH modified to add in last register done **
1139
1140 ** -- Access pattern: round 2 works mod 5, round 3 works mod 3 **
1141
1142 ** -- distinct additive constant for each step **
1143
1144 ** -- round 4 added, working mod 7 **
1145
1146 ***********************************************************************
1147
1148 */
1149
1150 /*
1151
1152 ***********************************************************************
1153
1154 ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
1155
1156 ** **
1157
1158 ** License to copy and use this software is granted provided that **
1159
1160 ** it is identified as the "RSA Data Security, Inc. MD5 Message- **
1161
1162 ** Digest Algorithm" in all material mentioning or referencing this **
1163
1164 ** software or this function. **
1165
1166 ** **
1167
1168 ** License is also granted to make and use derivative works **
1169
1170 ** provided that such works are identified as "derived from the RSA **
1171
1172 ** Data Security, Inc. MD5 Message-Digest Algorithm" in all **
1173
1174 ** material mentioning or referencing the derived work. **
1175
1176 ** **
1177
1178 ** RSA Data Security, Inc. makes no representations concerning **
1179
1180 ** either the merchantability of this software or the suitability **
1181
1182 ** of this software for any particular purpose. It is provided "as **
1183
1184 ** is" without express or implied warranty of any kind. **
1185
1186 ** **
1187
1188 ** These notices must be retained in any copies of any part of this **
1189
1190 ** documentation and/or software. **
1191
1192 ***********************************************************************
1193
1194 */
1195
1196
1197
1198 /* typedef a 32-bit type */
1199
1200 typedef unsigned long int UINT4;
1201
1202
1203
1204 /* Data structure for MD5 (Message-Digest) computation */
1205
1206 typedef struct {
1207
1208 UINT4 i[2]; /* number of _bits_ handled mod 2^64 */
1209
1210 UINT4 buf[4]; /* scratch buffer */
1211
1212 unsigned char in[64]; /* input buffer */
1213
1214 unsigned char digest[16]; /* actual digest after MD5Final call */
1215
1216 } MD5_CTX;
1217
1218
1219
1220 void MD5Init (MD5_CTX *);
1221
1222 void MD5Update (MD5_CTX *,unsigned char *,unsigned int);
1223
1224 void MD5Final (MD5_CTX *);
1225
1226 void MD5Transform(UINT4 *,UINT4 *);
1227
1228 /*
1229
1230 ***********************************************************************
1231
1232 ** End of md5.h **
1233
1234 ******************************** (cut) ********************************
1235
1236 */
1237
1238
1239 Karn Encryption: Symmetric Secret with MD5
1240
1241 /*
1242
1243 * Karn encryption
1244
1245 * Based on Phil Karn, sci.crypt, 13 Feb 1992
1246
1247 * See also his comments from sci.crypt, 23 Mar 1992.
1248
1249 * The method is a variant of that described in
1250
1251 * Zheng, Matsumoto and Imai, Crypto 89.
1252
1253 * See also, "A New Class of Cryptosystems Based on
1254
1255 * Interconnection Networks" by
1256
1257 * michaelp@terpsichore.informatic.rwth-aachen.de
1258
1259 *
1260
1261 * A method for turning a hash function, here MD5, into a fast
1262
1263 * secret-key encryption.
1264
1265 *
1266
1267 * This does triple hashing with nondistinct keys.
1268
1269 */
1270
1271
1272
1273 typedef unsigned long UINT4;
1274
1275
1276
1277 /* Initial values for MD5 Transform hash function */
1278
1279 static UINT4 ihash[4] = {
1280
1281 0x67452301L, 0xefcdab89L, 0x98badcfeL, 0x10325476L };
1282
1283
1284
1285 /* MD5 hash function */
1286
1287 extern void Transform ();
1288
1289
1290
1291
1292
1293 /* Basic transform for Karn encryption. Take two 16-byte
1294
1295 half-buffers, two 48-byte keys (which must be distinct), and use
1296
1297 the MD5 Transform algorithm to produce two 16-byte output
1298
1299 half-buffers.
1300
1301
1302
1303 This is reversible: If we get out1 and out2 from in1, in2, key1, key2,
1304
1305 then we can get in2 and in1 from out2, out1, key1, key2.
1306
1307
1308
1309 in1, in2, out1, and out2 should point to 16-byte buffers.
1310
1311 By convention, in1 and in2 are two halves of a 32-byte input
1312
1313 buffer, and out1 and out2 are two halves of a 32-byte output
1314
1315 buffer.
1316
1317
1318
1319 key1 and key2 should point to 48-byte buffers with different contents.
1320
1321 */
1322
1323 void
1324
1325 karn (out1, out2, in1, in2, key1, key2)
1326
1327 UINT4 *out1, *out2, *in1, *in2, *key1, *key2;
1328
1329 {
1330
1331 int i;
1332
1333 UINT4 buf[16];
1334
1335 UINT4 hash[4];
1336
1337 UINT4 temp[4];
1338
1339
1340
1341 bcopy (ihash, hash, sizeof(hash));
1342
1343 bcopy (in1, buf, 16);
1344
1345 bcopy (key1, buf+4, 48);
1346
1347 Transform (hash, buf);
1348
1349 for (i=0; i<4; ++i)
1350
1351 temp[i] = buf[i] = in2[i] ^ hash[i];
1352
1353 bcopy (ihash, hash, sizeof(hash));
1354
1355 bcopy (key2, buf+4, 48);
1356
1357 Transform (hash, buf);
1358
1359 for (i=0; i<4; ++i)
1360
1361 out2[i] = buf[i] = in1[i] ^ hash[i];
1362
1363 bcopy (ihash, hash, sizeof(hash));
1364
1365 bcopy (key1, buf+4, 48);
1366
1367 Transform (hash, buf);
1368
1369 for (i=0; i<4; ++i)
1370
1371 out1[i] = temp[i] ^ hash[i];
1372
1373 }
1374
1375
1376
1377
1378
1379 SHA-1 By Steve Reid
1380
1381 /*
1382
1383 SHA-1 in C
1384
1385 By Steve Reid <steve@edmweb.com>
1386
1387 100% Public Domain
1388
1389
1390
1391 Test Vectors (from FIPS PUB 180-1)
1392
1393 "abc"
1394
1395 A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
1396
1397 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
1398
1399 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
1400
1401 A million repetitions of "a"
1402
1403 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
1404
1405 */
1406
1407
1408
1409 /* #define LITTLE_ENDIAN * This should be #define'd if true. */
1410
1411 /* #define SHA1HANDSOFF * Copies data before messing with it. */
1412
1413
1414
1415 #include <stdio.h>
1416
1417 #include <string.h>
1418
1419
1420
1421 typedef struct {
1422
1423 unsigned long state[5];
1424
1425 unsigned long count[2];
1426
1427 unsigned char buffer[64];
1428
1429 } SHA1_CTX;
1430
1431
1432
1433 void SHA1Transform(unsigned long state[5], unsigned char buffer[64]);
1434
1435 void SHA1Init(SHA1_CTX* context);
1436
1437 void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int len);
1438
1439 void SHA1Final(unsigned char digest[20], SHA1_CTX* context);
1440
1441
1442
1443 #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
1444
1445
1446
1447 /* blk0() and blk() perform the initial expand. */
1448
1449 /* I got the idea of expanding during the round function from SSLeay */
1450
1451 #ifdef LITTLE_ENDIAN
1452
1453 #define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
1454
1455 |(rol(block->l[i],8)&0x00FF00FF))
1456
1457 #else
1458
1459 #define blk0(i) block->l[i]
1460
1461 #endif
1462
1463 #define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
1464
1465 ^block->l[(i+2)&15]^block->l[i&15],1))
1466
1467
1468
1469 /* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
1470
1471 #define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
1472
1473 #define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
1474
1475 #define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
1476
1477 #define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
1478
1479 #define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
1480
1481
1482
1483
1484
1485 /* Hash a single 512-bit block. This is the core of the algorithm. */
1486
1487
1488
1489 void SHA1Transform(unsigned long state[5], unsigned char buffer[64])
1490
1491 {
1492
1493 unsigned long a, b, c, d, e;
1494
1495 typedef union {
1496
1497 unsigned char c[64];
1498
1499 unsigned long l[16];
1500
1501 } CHAR64LONG16;
1502
1503 CHAR64LONG16* block;
1504
1505 #ifdef SHA1HANDSOFF
1506
1507 static unsigned char workspace[64];
1508
1509 block = (CHAR64LONG16*)workspace;
1510
1511 memcpy(block, buffer, 64);
1512
1513 #else
1514
1515 block = (CHAR64LONG16*)buffer;
1516
1517 #endif
1518
1519 /* Copy context->state[] to working vars */
1520
1521 a = state[0];
1522
1523 b = state[1];
1524
1525 c = state[2];
1526
1527 d = state[3];
1528
1529 e = state[4];
1530
1531 /* 4 rounds of 20 operations each. Loop unrolled. */
1532
1533 R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
1534
1535 R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
1536
1537 R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
1538
1539 R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
1540
1541 R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
1542
1543 R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
1544
1545 R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
1546
1547 R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
1548
1549 R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
1550
1551 R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
1552
1553 R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
1554
1555 R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
1556
1557 R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
1558
1559 R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
1560
1561 R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
1562
1563 R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
1564
1565 R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
1566
1567 R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
1568
1569 R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
1570
1571 R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
1572
1573 /* Add the working vars back into context.state[] */
1574
1575 state[0] += a;
1576
1577 state[1] += b;
1578
1579 state[2] += c;
1580
1581 state[3] += d;
1582
1583 state[4] += e;
1584
1585 /* Wipe variables */
1586
1587 a = b = c = d = e = 0;
1588
1589 }
1590
1591
1592
1593
1594
1595 /* SHA1Init - Initialize new context */
1596
1597
1598
1599 void SHA1Init(SHA1_CTX* context)
1600
1601 {
1602
1603 /* SHA1 initialization constants */
1604
1605 context->state[0] = 0x67452301;
1606
1607 context->state[1] = 0xEFCDAB89;
1608
1609 context->state[2] = 0x98BADCFE;
1610
1611 context->state[3] = 0x10325476;
1612
1613 context->state[4] = 0xC3D2E1F0;
1614
1615 context->count[0] = context->count[1] = 0;
1616
1617 }
1618
1619
1620
1621
1622
1623 /* Run your data through this. */
1624
1625
1626
1627 void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int len)
1628
1629 {
1630
1631 unsigned int i, j;
1632
1633
1634
1635 j = (context->count[0] >> 3) & 63;
1636
1637 if ((context->count[0] += len << 3) < (len << 3)) context->count[1]++;
1638
1639 context->count[1] += (len >> 29);
1640
1641 if ((j + len) > 63) {
1642
1643 memcpy(&context->buffer[j], data, (i = 64-j));
1644
1645 SHA1Transform(context->state, context->buffer);
1646
1647 for ( ; i + 63 < len; i += 64) {
1648
1649 SHA1Transform(context->state, &data[i]);
1650
1651 }
1652
1653 j = 0;
1654
1655 }
1656
1657 else i = 0;
1658
1659 memcpy(&context->buffer[j], &data[i], len - i);
1660
1661 }
1662
1663
1664
1665
1666
1667 /* Add padding and return the message digest. */
1668
1669
1670
1671 void SHA1Final(unsigned char digest[20], SHA1_CTX* context)
1672
1673 {
1674
1675 unsigned long i, j;
1676
1677 unsigned char finalcount[8];
1678
1679
1680
1681 for (i = 0; i < 8; i++) {
1682
1683 finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
1684
1685 >> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */
1686
1687 }
1688
1689 SHA1Update(context, (unsigned char *)"\200", 1);
1690
1691 while ((context->count[0] & 504) != 448) {
1692
1693 SHA1Update(context, (unsigned char *)"\0", 1);
1694
1695 }
1696
1697 SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */
1698
1699 for (i = 0; i < 20; i++) {
1700
1701 digest[i] = (unsigned char)
1702
1703 ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
1704
1705 }
1706
1707 /* Wipe variables */
1708
1709 i = j = 0;
1710
1711 memset(context->buffer, 0, 64);
1712
1713 memset(context->state, 0, 20);
1714
1715 memset(context->count, 0, 8);
1716
1717 memset(finalcount, 0, 8);
1718
1719 #ifdef SHA1HANDSOFF /* make SHA1Transform overwrite it's own static vars */
1720
1721 SHA1Transform(context->state, context->buffer);
1722
1723 #endif
1724
1725 }
1726
1727
1728
1729
1730
1731 /*************************************************************/
1732
1733
1734
1735
1736
1737 int main(int argc, char** argv)
1738
1739 {
1740
1741 int i, j;
1742
1743 SHA1_CTX context;
1744
1745 unsigned char digest[20], buffer[16384];
1746
1747 FILE* file;
1748
1749
1750
1751 if (argc > 2) {
1752
1753 puts("Public domain SHA-1 implementation - by Steve Reid <steve@edmweb.com>");
1754
1755 puts("Produces the SHA-1 hash of a file, or stdin if no file is specified.");
1756
1757 exit(0);
1758
1759 }
1760
1761 if (argc < 2) {
1762
1763 file = stdin;
1764
1765 }
1766
1767 else {
1768
1769 if (!(file = fopen(argv[1], "rb"))) {
1770
1771 fputs("Unable to open file.", stderr);
1772
1773 exit(-1);
1774
1775 }
1776
1777 }
1778
1779 SHA1Init(&context);
1780
1781 while (!feof(file)) { /* note: what if ferror(file) */
1782
1783 i = fread(buffer, 1, 16384, file);
1784
1785 SHA1Update(&context, buffer, i);
1786
1787 }
1788
1789 SHA1Final(digest, &context);
1790
1791 fclose(file);
1792
1793 for (i = 0; i < 5; i++) {
1794
1795 for (j = 0; j < 4; j++) {
1796
1797 printf("%02X", digest[i*4+j]);
1798
1799 }
1800
1801 putchar(' ');
1802
1803 }
1804
1805 putchar('\n');
1806
1807 exit(0);
1808
1809 }
1810
1811
1812
1813 RSA Crypto Toolkit Totality
1814
1815 /* RSAREF.H - header file for RSAREF cryptographic toolkit
1816
1817 */
1818
1819
1820
1821 /* Copyright (C) RSA Laboratories, a division of RSA Data Security,
1822
1823 Inc., created 1991. All rights reserved.
1824
1825 */
1826
1827
1828
1829 #ifndef _RSAREF_H_
1830
1831 #define _RSAREF_H_ 1
1832
1833
1834
1835 #include "md2.h"
1836
1837 #include "md5.h"
1838
1839 #include "des.h"
1840
1841
1842
1843 #ifdef __cplusplus
1844
1845 extern "C" {
1846
1847 #endif
1848
1849
1850
1851 /* Message-digest algorithms.
1852
1853 */
1854
1855 #define DA_MD2 3
1856
1857 #define DA_MD5 5
1858
1859
1860
1861 /* Encryption algorithms to be ored with digest algorithm in Seal and Open.
1862
1863 */
1864
1865 #define EA_DES_CBC 1
1866
1867 #define EA_DES_EDE2_CBC 2
1868
1869 #define EA_DES_EDE3_CBC 3
1870
1871 #define EA_DESX_CBC 4
1872
1873
1874
1875 /* RSA key lengths.
1876
1877 */
1878
1879 #define MIN_RSA_MODULUS_BITS 508
1880
1881 #define MAX_RSA_MODULUS_BITS 1024
1882
1883 #define MAX_RSA_MODULUS_LEN ((MAX_RSA_MODULUS_BITS + 7) / 8)
1884
1885 #define MAX_RSA_PRIME_BITS ((MAX_RSA_MODULUS_BITS + 1) / 2)
1886
1887 #define MAX_RSA_PRIME_LEN ((MAX_RSA_PRIME_BITS + 7) / 8)
1888
1889
1890
1891 /* Maximum lengths of encoded and encrypted content, as a function of
1892
1893 content length len. Also, inverse functions.
1894
1895 */
1896
1897 #define ENCODED_CONTENT_LEN(len) (4*(len)/3 + 3)
1898
1899 #define ENCRYPTED_CONTENT_LEN(len) ENCODED_CONTENT_LEN ((len)+8)
1900
1901 #define DECODED_CONTENT_LEN(len) (3*(len)/4 + 1)
1902
1903 #define DECRYPTED_CONTENT_LEN(len) (DECODED_CONTENT_LEN (len) - 1)
1904
1905
1906
1907 /* Maximum lengths of signatures, encrypted keys, encrypted
1908
1909 signatures, and message digests.
1910
1911 */
1912
1913 #define MAX_SIGNATURE_LEN MAX_RSA_MODULUS_LEN
1914
1915 #define MAX_PEM_SIGNATURE_LEN ENCODED_CONTENT_LEN (MAX_SIGNATURE_LEN)
1916
1917 #define MAX_ENCRYPTED_KEY_LEN MAX_RSA_MODULUS_LEN
1918
1919 #define MAX_PEM_ENCRYPTED_KEY_LEN ENCODED_CONTENT_LEN (MAX_ENCRYPTED_KEY_LEN)
1920
1921 #define MAX_PEM_ENCRYPTED_SIGNATURE_LEN \
1922
1923 ENCRYPTED_CONTENT_LEN (MAX_SIGNATURE_LEN)
1924
1925 #define MAX_DIGEST_LEN 16
1926
1927
1928
1929 /* Maximum length of Diffie-Hellman parameters.
1930
1931 */
1932
1933 #define DH_PRIME_LEN(bits) (((bits) + 7) / 8)
1934
1935
1936
1937 /* Error codes.
1938
1939 */
1940
1941 #define RE_CONTENT_ENCODING 0x0400
1942
1943 #define RE_DATA 0x0401
1944
1945 #define RE_DIGEST_ALGORITHM 0x0402
1946
1947 #define RE_ENCODING 0x0403
1948
1949 #define RE_KEY 0x0404
1950
1951 #define RE_KEY_ENCODING 0x0405
1952
1953 #define RE_LEN 0x0406
1954
1955 #define RE_MODULUS_LEN 0x0407
1956
1957 #define RE_NEED_RANDOM 0x0408
1958
1959 #define RE_PRIVATE_KEY 0x0409
1960
1961 #define RE_PUBLIC_KEY 0x040a
1962
1963 #define RE_SIGNATURE 0x040b
1964
1965 #define RE_SIGNATURE_ENCODING 0x040c
1966
1967 #define RE_ENCRYPTION_ALGORITHM 0x040d
1968
1969
1970
1971 /* Random structure.
1972
1973 */
1974
1975 typedef struct {
1976
1977 unsigned int bytesNeeded;
1978
1979 unsigned char state[16];
1980
1981 unsigned int outputAvailable;
1982
1983 unsigned char output[16];
1984
1985 } R_RANDOM_STRUCT;
1986
1987
1988
1989 /* RSA public and private key.
1990
1991 */
1992
1993 typedef struct {
1994
1995 unsigned int bits; /* length in bits of modulus */
1996
1997 unsigned char modulus[MAX_RSA_MODULUS_LEN]; /* modulus */
1998
1999 unsigned char exponent[MAX_RSA_MODULUS_LEN]; /* public exponent */
2000
2001 } R_RSA_PUBLIC_KEY;
2002
2003
2004
2005 typedef struct {
2006
2007 unsigned int bits; /* length in bits of modulus */
2008
2009 unsigned char modulus[MAX_RSA_MODULUS_LEN]; /* modulus */
2010
2011 unsigned char publicExponent[MAX_RSA_MODULUS_LEN]; /* public exponent */
2012
2013 unsigned char exponent[MAX_RSA_MODULUS_LEN]; /* private exponent */
2014
2015 unsigned char prime[2][MAX_RSA_PRIME_LEN]; /* prime factors */
2016
2017 unsigned char primeExponent[2][MAX_RSA_PRIME_LEN]; /* exponents for CRT */
2018
2019 unsigned char coefficient[MAX_RSA_PRIME_LEN]; /* CRT coefficient */
2020
2021 } R_RSA_PRIVATE_KEY;
2022
2023
2024
2025 /* RSA prototype key.
2026
2027 */
2028
2029 typedef struct {
2030
2031 unsigned int bits; /* length in bits of modulus */
2032
2033 int useFermat4; /* public exponent (1 = F4, 0 = 3) */
2034
2035 } R_RSA_PROTO_KEY;
2036
2037
2038
2039 /* Diffie-Hellman parameters.
2040
2041 */
2042
2043 typedef struct {
2044
2045 unsigned char *prime; /* prime */
2046
2047 unsigned int primeLen; /* length of prime */
2048
2049 unsigned char *generator; /* generator */
2050
2051 unsigned int generatorLen; /* length of generator */
2052
2053 } R_DH_PARAMS;
2054
2055
2056
2057 typedef struct {
2058
2059 int digestAlgorithm;
2060
2061 union {
2062
2063 MD2_CTX md2;
2064
2065 MD5_CTX md5;
2066
2067 } context;
2068
2069 } R_DIGEST_CTX;
2070
2071
2072
2073 typedef struct {
2074
2075 R_DIGEST_CTX digestContext;
2076
2077 } R_SIGNATURE_CTX;
2078
2079
2080
2081 typedef struct {
2082
2083 int encryptionAlgorithm;
2084
2085 union {
2086
2087 DES_CBC_CTX des;
2088
2089 DES3_CBC_CTX des3;
2090
2091 DESX_CBC_CTX desx;
2092
2093 } cipherContext;
2094
2095
2096
2097 unsigned char buffer[8];
2098
2099 unsigned int bufferLen;
2100
2101 } R_ENVELOPE_CTX;
2102
2103
2104
2105 /* Random structures.
2106
2107 */
2108
2109 int R_RandomInit PROTO_LIST ((R_RANDOM_STRUCT *));
2110
2111 int R_RandomUpdate PROTO_LIST
2112
2113 ((R_RANDOM_STRUCT *, unsigned char *, unsigned int));
2114
2115 int R_GetRandomBytesNeeded PROTO_LIST ((unsigned int *, R_RANDOM_STRUCT *));
2116
2117 void R_RandomFinal PROTO_LIST ((R_RANDOM_STRUCT *));
2118
2119
2120
2121 /* Cryptographic procedures "by parts"
2122
2123 */
2124
2125 int R_DigestInit PROTO_LIST ((R_DIGEST_CTX *, int));
2126
2127 int R_DigestUpdate PROTO_LIST
2128
2129 ((R_DIGEST_CTX *, unsigned char *, unsigned int));
2130
2131 int R_DigestFinal PROTO_LIST
2132
2133 ((R_DIGEST_CTX *, unsigned char *, unsigned int *));
2134
2135
2136
2137 int R_SignInit PROTO_LIST ((R_SIGNATURE_CTX *, int));
2138
2139 int R_SignUpdate PROTO_LIST
2140
2141 ((R_SIGNATURE_CTX *, unsigned char *, unsigned int));
2142
2143 int R_SignFinal PROTO_LIST
2144
2145 ((R_SIGNATURE_CTX *, unsigned char *, unsigned int *, R_RSA_PRIVATE_KEY *));
2146
2147
2148
2149 int R_VerifyInit PROTO_LIST ((R_SIGNATURE_CTX *, int));
2150
2151 int R_VerifyUpdate PROTO_LIST
2152
2153 ((R_SIGNATURE_CTX *, unsigned char *, unsigned int));
2154
2155 int R_VerifyFinal PROTO_LIST
2156
2157 ((R_SIGNATURE_CTX *, unsigned char *, unsigned int, R_RSA_PUBLIC_KEY *));
2158
2159
2160
2161 int R_SealInit PROTO_LIST
2162
2163 ((R_ENVELOPE_CTX *, unsigned char **, unsigned int *, unsigned char [8],
2164
2165 unsigned int, R_RSA_PUBLIC_KEY **, int, R_RANDOM_STRUCT *));
2166
2167 int R_SealUpdate PROTO_LIST
2168
2169 ((R_ENVELOPE_CTX *, unsigned char *, unsigned int *, unsigned char *,
2170
2171 unsigned int));
2172
2173 int R_SealFinal PROTO_LIST
2174
2175 ((R_ENVELOPE_CTX *, unsigned char *, unsigned int *));
2176
2177
2178
2179 int R_OpenInit PROTO_LIST
2180
2181 ((R_ENVELOPE_CTX *, int, unsigned char *, unsigned int, unsigned char [8],
2182
2183 R_RSA_PRIVATE_KEY *));
2184
2185 int R_OpenUpdate PROTO_LIST
2186
2187 ((R_ENVELOPE_CTX *, unsigned char *, unsigned int *, unsigned char *,
2188
2189 unsigned int));
2190
2191 int R_OpenFinal PROTO_LIST
2192
2193 ((R_ENVELOPE_CTX *, unsigned char *, unsigned int *));
2194
2195
2196
2197 /* Cryptographic enhancements by block.
2198
2199 */
2200
2201 int R_SignPEMBlock PROTO_LIST
2202
2203 ((unsigned char *, unsigned int *, unsigned char *, unsigned int *,
2204
2205 unsigned char *, unsigned int, int, int, R_RSA_PRIVATE_KEY *));
2206
2207 int R_SignBlock PROTO_LIST
2208
2209 ((unsigned char *, unsigned int *, unsigned char *, unsigned int, int,
2210
2211 R_RSA_PRIVATE_KEY *));
2212
2213 int R_VerifyPEMSignature PROTO_LIST
2214
2215 ((unsigned char *, unsigned int *, unsigned char *, unsigned int,
2216
2217 unsigned char *, unsigned int, int, int, R_RSA_PUBLIC_KEY *));
2218
2219 int R_VerifyBlockSignature PROTO_LIST
2220
2221 ((unsigned char *, unsigned int, unsigned char *, unsigned int, int,
2222
2223 R_RSA_PUBLIC_KEY *));
2224
2225 int R_SealPEMBlock PROTO_LIST
2226
2227 ((unsigned char *, unsigned int *, unsigned char *, unsigned int *,
2228
2229 unsigned char *, unsigned int *, unsigned char [8], unsigned char *,
2230
2231 unsigned int, int, R_RSA_PUBLIC_KEY *, R_RSA_PRIVATE_KEY *,
2232
2233 R_RANDOM_STRUCT *));
2234
2235 int R_OpenPEMBlock PROTO_LIST
2236
2237 ((unsigned char *, unsigned int *, unsigned char *, unsigned int,
2238
2239 unsigned char *, unsigned int, unsigned char *, unsigned int,
2240
2241 unsigned char [8], int, R_RSA_PRIVATE_KEY *, R_RSA_PUBLIC_KEY *));
2242
2243 int R_DigestBlock PROTO_LIST
2244
2245 ((unsigned char *, unsigned int *, unsigned char *, unsigned int, int));
2246
2247
2248
2249 /* Printable ASCII encoding and decoding.
2250
2251 */
2252
2253 int R_EncodePEMBlock PROTO_LIST
2254
2255 ((unsigned char *, unsigned int *, unsigned char *, unsigned int));
2256
2257 int R_DecodePEMBlock PROTO_LIST
2258
2259 ((unsigned char *, unsigned int *, unsigned char *, unsigned int));
2260
2261
2262
2263 /* Key-pair generation.
2264
2265 */
2266
2267 int R_GeneratePEMKeys PROTO_LIST
2268
2269 ((R_RSA_PUBLIC_KEY *, R_RSA_PRIVATE_KEY *, R_RSA_PROTO_KEY *,
2270
2271 R_RANDOM_STRUCT *));
2272
2273
2274
2275 /* Diffie-Hellman key agreement.
2276
2277 */
2278
2279 int R_GenerateDHParams PROTO_LIST
2280
2281 ((R_DH_PARAMS *, unsigned int, unsigned int, R_RANDOM_STRUCT *));
2282
2283 int R_SetupDHAgreement PROTO_LIST
2284
2285 ((unsigned char *, unsigned char *, unsigned int, R_DH_PARAMS *,
2286
2287 R_RANDOM_STRUCT *));
2288
2289 int R_ComputeDHAgreedKey PROTO_LIST
2290
2291 ((unsigned char *, unsigned char *, unsigned char *, unsigned int,
2292
2293 R_DH_PARAMS *));
2294
2295
2296
2297 /* Routines supplied by the implementor.
2298
2299 */
2300
2301 void R_memset PROTO_LIST ((POINTER, int, unsigned int));
2302
2303 void R_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int));
2304
2305 int R_memcmp PROTO_LIST ((POINTER, POINTER, unsigned int));
2306
2307
2308
2309 #ifdef __cplusplus
2310
2311 }
2312
2313 #endif
2314
2315
2316
2317 #endif
2318
2319 DES Encryption
2320
2321 /*
2322
2323 * CDES -- DES encryption package
2324
2325 * options:
2326
2327 * -a key is in ASCII
2328
2329 * -b use key in old style (ie, don't reset parity bit)
2330
2331 * -- default unless key is in ASCII
2332
2333 * -c use CBC (cipher block chaining) mode
2334
2335 * -e use ECB (electronic code book) mode
2336
2337 * -f b use b-bit CFB (cipher feedback) mode
2338
2339 * -F b use b-bit CFB (cipher feedback) alternative mode
2340
2341 * -i invert (decrypt) input
2342
2343 * -m b generate a MAC of length b
2344
2345 * -o b use b-bit OFB (output feedback) mode
2346
2347 * -v v use v as the initialization vector (ignored for ECB)
2348
2349 * note: the last character of the last block is the ASCII digit indicating
2350
2351 * how many characters of that block are to be output.
2352
2353 */
2354
2355 #include <ctype.h>
2356
2357 #include <stdio.h>
2358
2359 #define C_NULL ((char *) NULL)
2360
2361
2362
2363 /*
2364
2365 * BSD and System V systems offer special library calls that do
2366
2367 * block moves and fills, so if possible we take advantage of them
2368
2369 */
2370
2371 #ifdef BSD4
2372
2373 # define MEMCPY(dest,src,len) bcopy((src),(dest),(len))
2374
2375 # define MEMZERO(dest,len) bzero((dest),(len))
2376
2377 #else
2378
2379 #ifdef SYSV
2380
2381 # include <memory.h>
2382
2383 # define MEMCPY(dest,src,len) (void) memcpy((dest),(src),(len))
2384
2385 # define MEMZERO(dest,len) (void) memset((dest),'\0',(len))
2386
2387 #else
2388
2389 # define MEMCPY(dest,src,len) \
2390
2391 { \
2392
2393 register int i1; \
2394
2395 for(i1 = 0; i1 < (len); i1++) \
2396
2397 (dest)[i1] = (src)[i1]; \
2398
2399 }
2400
2401 # define MEMZERO(dest,len) \
2402
2403 { \
2404
2405 register int i1; \
2406
2407 for(i1 = 0; i1 < (len); i1++) \
2408
2409 (dest)[i1] = '\0'; \
2410
2411 }
2412
2413 #endif
2414
2415 #endif
2416
2417
2418
2419 /*
2420
2421 * these "hide" the calls to the primitive encryption routines
2422
2423 */
2424
2425 #define DES_KEY(buf) { \
2426
2427 char bits1[64]; /* bits of key */ \
2428
2429 expand(buf, bits1); \
2430
2431 setkey(bits1); \
2432
2433 }
2434
2435 #define DES_XFORM(buf) { \
2436
2437 char bits1[64]; /* bits of message */ \
2438
2439 expand(buf, bits1); \
2440
2441 encrypt(bits1, inverse); \
2442
2443 compress(bits1, buf); \
2444
2445 }
2446
2447
2448
2449 /*
2450
2451 * this does an error-checking write
2452
2453 */
2454
2455 #define READ(buf, n) fread(buf, sizeof(char), n, stdin)
2456
2457 #define WRITE(buf,n) \
2458
2459 if (fwrite(buf, sizeof(char), n, stdout) != n) \
2460
2461 err(1, bn, C_NULL);
2462
2463
2464
2465 /*
2466
2467 * some things to make references easier
2468
2469 */
2470
2471 typedef char Desbuf[8];
2472
2473 #define CHAR(x,i) (x[i])
2474
2475 #define UCHAR(x,i) (x[i])
2476
2477 #define BUFFER(x) (x)
2478
2479 #define UBUFFER(x) (x)
2480
2481
2482
2483 /*
2484
2485 * global variables and related macros
2486
2487 */
2488
2489 #define KEY_DEFAULT 0 /* interpret radix of key from key */
2490
2491 #define KEY_ASCII 1 /* key is in ASCII characters */
2492
2493 int keybase = KEY_DEFAULT; /* how to interpret the key */
2494
2495
2496
2497 #define MODE_ENCRYPT 0x01 /* encrypt */
2498
2499 #define MODE_DECRYPT 0x02 /* decrypt */
2500
2501 #define MODE_AUTHENTICATE 0x04 /* authenticate */
2502
2503 #define GET_DIRECTION ((mode)&0xf)
2504
2505 #define ISSET_MODE_DIRECTION (GET_DIRECTION != 0)
2506
2507 #define MODE_ECB 0x10 /* ECB mode */
2508
2509 #define MODE_CBC 0x20 /* CBC mode */
2510
2511 #define MODE_CFB 0x30 /* cipher feedback mode */
2512
2513 #define MODE_OFB 0x40 /* output feedback mode */
2514
2515 #define MODE_CFBA 0x50 /* alternative cipher feedback mode */
2516
2517 #define GET_ALGORITHM ((mode)&0xf0)
2518
2519 #define ISSET_MODE_ALGORITHM (GET_ALGORITHM != 0)
2520
2521 int mode = 0; /* how to run */
2522
2523
2524
2525 char *keyrep = "*********"; /* replaces command-line key */
2526
2527 Desbuf ivec; /* initialization vector */
2528
2529 char bits[] = { '\200', '\100', /* used to extract bits from a char */
2530
2531 '\040', '\020', '\010', '\004', '\002', '\001' };
2532
2533 int inverse = 0; /* 0 ti encrypt, 1 to decrypt */
2534
2535 char *progname = "des program"; /* program name */
2536
2537 int parity = 1; /* 0 to reset key parity bits */
2538
2539 int macbits = -1; /* number of bits in authentication */
2540
2541 int fbbits = -1; /* number of feedback bits */
2542
2543 char *dummyargs[] = { "*****", NULL }; /* argument list to be printed */
2544
2545
2546
2547 /*
2548
2549 * library hooks
2550
2551 */
2552
2553 /* see getopt(3) */
2554
2555 extern int optind; /* option (argument) number */
2556
2557 extern char *optarg; /* argument to option if any */
2558
2559
2560
2561 /*
2562
2563 * library functions
2564
2565 */
2566
2567 char *sprintf(); /* in core formatted print */
2568
2569 char *getpass(); /* get a password from a terminal */
2570
2571
2572
2573 main(argc, argv)
2574
2575 int argc;
2576
2577 char **argv;
2578
2579 {
2580
2581 register int i; /* counter in a for loop */
2582
2583 register char *p; /* used to obtain the key */
2584
2585 int n; /* number of command-line errors */
2586
2587 Desbuf msgbuf; /* I/O buffer */
2588
2589 int nargs; /* internal number of arguments */
2590
2591 char **arglist; /* internal argument list */
2592
2593
2594
2595 /*
2596
2597 * hide the arguments
2598
2599 */
2600
2601 nargs = argc;
2602
2603 argc = 1;
2604
2605 arglist = argv;
2606
2607 argv = dummyargs;
2608
2609
2610
2611 /*
2612
2613 * initialize the initialization vctor
2614
2615 */
2616
2617 for(i = 0; i < 8; i++)
2618
2619 UCHAR(ivec, i) = 0x00;
2620
2621
2622
2623 /*
2624
2625 * process the argument list
2626
2627 */
2628
2629 progname = arglist[0];
2630
2631 n = 0;
2632
2633 while ((i = getopt(nargs, arglist, "abceF:f:im:o:v:")) != EOF)
2634
2635 switch(i){
2636
2637 case 'a': /* key is ASCII */
2638
2639 keybase = KEY_ASCII;
2640
2641 break;
2642
2643 case 'b': /* don't reset parity bit */
2644
2645 parity = 0;
2646
2647 break;
2648
2649 case 'c': /* use CBC mode */
2650
2651 if (ISSET_MODE_ALGORITHM)
2652
2653 err(1, -1, "two modes of operation specified");
2654
2655 mode |= MODE_CBC;
2656
2657 break;
2658
2659 case 'e': /* use ECB mode */
2660
2661 if (ISSET_MODE_ALGORITHM)
2662
2663 err(1, -1, "two modes of operation specified");
2664
2665 mode |= MODE_ECB;
2666
2667 break;
2668
2669 case 'F': /* use alternative CFB mode */
2670
2671 if (ISSET_MODE_ALGORITHM)
2672
2673 err(1, -1, "two modes of operation specified");
2674
2675 mode |= MODE_CFBA;
2676
2677 if ((fbbits = setbits(optarg, 7)) > 56 || fbbits == 0)
2678
2679 err(1, -1, "-F: number must be 1-56 inclusive");
2680
2681 else if (fbbits == -1)
2682
2683 err(1, -1, "-F: number must be a multiple of 7");
2684
2685 break;
2686
2687 case 'f': /* use CFB mode */
2688
2689 if (ISSET_MODE_ALGORITHM)
2690
2691 err(1, -1, "two modes of operation specified");
2692
2693 mode |= MODE_CFB;
2694
2695 if ((fbbits = setbits(optarg, 8)) > 64 || fbbits == 0)
2696
2697 err(1, -1, "-f: number must be 1-64 inclusive");
2698
2699 else if (fbbits == -1)
2700
2701 err(1, -1, "-f: number must be a multiple of 8");
2702
2703 break;
2704
2705 case 'i': /* decrypt */
2706
2707 if (ISSET_MODE_DIRECTION)
2708
2709 err(1, -1, "only one of -i and -m allowed");
2710
2711 mode |= MODE_DECRYPT;
2712
2713 break;
2714
2715 case 'm': /* number of bits for MACing */
2716
2717 if (ISSET_MODE_DIRECTION)
2718
2719 err(1, -1, "only one of -i and -m allowed");
2720
2721 mode |= MODE_AUTHENTICATE;
2722
2723 if ((macbits = setbits(optarg, 1)) > 64)
2724
2725 err(1, -1, "-m: number must be 0-64 inclusive");
2726
2727 break;
2728
2729 case 'o': /* use OFB mode */
2730
2731 if (ISSET_MODE_ALGORITHM)
2732
2733 err(1, -1, "two modes of operation specified");
2734
2735 mode |= MODE_OFB;
2736
2737 if ((fbbits = setbits(optarg, 8)) > 64 || fbbits == 0)
2738
2739 err(1, -1, "-o: number must be 1-64 inclusive");
2740
2741 else if (fbbits == -1)
2742
2743 err(1, -1, "-o: number must be a multiple of 8");
2744
2745 break;
2746
2747 case 'v': /* set initialization vector */
2748
2749 cvtkey(BUFFER(ivec), optarg);
2750
2751 break;
2752
2753 default: /* error */
2754
2755 n++;
2756
2757 break;
2758
2759 }
2760
2761 /*
2762
2763 * on error, quit
2764
2765 */
2766
2767 if (n > 0)
2768
2769 exit(1);
2770
2771 /*
2772
2773 * if no direction set, default to encryption
2774
2775 */
2776
2777 if (!ISSET_MODE_DIRECTION)
2778
2779 mode |= MODE_ENCRYPT;
2780
2781 if (!ISSET_MODE_ALGORITHM)
2782
2783 mode |= MODE_ECB;
2784
2785
2786
2787 /*
2788
2789 * pick up the key
2790
2791 * -- if there are no more arguments, prompt for it
2792
2793 * -- if there is 1 more argument, use it as the key
2794
2795 * -- if there are 2 or more arguments, error
2796
2797 */
2798
2799 if (optind == nargs){
2800
2801 /*
2802
2803 * if the key's not ASCII, can't do this since
2804
2805 * only the first 8 chars are significant
2806
2807 */
2808
2809 if (keybase != KEY_ASCII)
2810
2811 err(1, -1,
2812
2813 "you must enter non-ASCII keys on the command line");
2814
2815 /*
2816
2817 * get the key
2818
2819 */
2820
2821 if ((p = getpass("Enter key: ")) == NULL)
2822
2823 err(1, -1, "no key given");
2824
2825 /*
2826
2827 * copy it, nul-padded, into the key area
2828
2829 */
2830
2831 strncpy(BUFFER(msgbuf), p, 8);
2832
2833 }
2834
2835 else if (optind + 1 == nargs){
2836
2837 /*
2838
2839 * obtain the bit form of the key
2840
2841 * and hide it from a "ps"
2842
2843 */
2844
2845 cvtkey(BUFFER(msgbuf), arglist[optind]);
2846
2847 arglist[optind] = keyrep;
2848
2849 }
2850
2851 else{
2852
2853 /*
2854
2855 * extra arguments -- bomb
2856
2857 */
2858
2859 err(1, -1, "extraneous arguments");
2860
2861 }
2862
2863
2864
2865
2866
2867 /*
2868
2869 * main loop
2870
2871 */
2872
2873 switch(mode){
2874
2875 case MODE_ECB|MODE_ENCRYPT: /* encrypt using ECB mode */
2876
2877 inverse = 0;
2878
2879 makekey(msgbuf);
2880
2881 ecbenc();
2882
2883 break;
2884
2885 case MODE_ECB|MODE_DECRYPT: /* decrypt using ECB mode */
2886
2887 inverse = 1;
2888
2889 makekey(msgbuf);
2890
2891 ecbdec();
2892
2893 break;
2894
2895 case MODE_ECB|MODE_AUTHENTICATE: /* authenticate using ECB */
2896
2897 err(1, -1, "can't authenticate with ECB mode");
2898
2899 break;
2900
2901 case MODE_CBC|MODE_ENCRYPT: /* encrypt using CBC mode */
2902
2903 inverse = 0;
2904
2905 makekey(msgbuf);
2906
2907 cbcenc();
2908
2909 break;
2910
2911 case MODE_CBC|MODE_DECRYPT: /* decrypt using CBC mode */
2912
2913 inverse = 1;
2914
2915 makekey(msgbuf);
2916
2917 cbcdec();
2918
2919 break;
2920
2921 case MODE_CBC|MODE_AUTHENTICATE: /* authenticate using CBC */
2922
2923 inverse = 0;
2924
2925 makekey(msgbuf);
2926
2927 cbcauth();
2928
2929 break;
2930
2931 case MODE_CFB|MODE_ENCRYPT: /* encrypt using CFB mode */
2932
2933 inverse = 0;
2934
2935 makekey(msgbuf);
2936
2937 cfbenc();
2938
2939 break;
2940
2941 case MODE_CFB|MODE_DECRYPT: /* decrypt using CFB mode */
2942
2943 inverse = 0;
2944
2945 makekey(msgbuf);
2946
2947 cfbdec();
2948
2949 break;
2950
2951 case MODE_CFB|MODE_AUTHENTICATE: /* authenticate using CFB */
2952
2953 inverse = 0;
2954
2955 makekey(msgbuf);
2956
2957 cfbauth();
2958
2959 break;
2960
2961 case MODE_CFBA|MODE_ENCRYPT: /* alternative CFB mode */
2962
2963 inverse = 0;
2964
2965 makekey(msgbuf);
2966
2967 cfbaenc();
2968
2969 break;
2970
2971 case MODE_CFBA|MODE_DECRYPT: /* alternative CFB mode */
2972
2973 inverse = 0;
2974
2975 makekey(msgbuf);
2976
2977 cfbadec();
2978
2979 break;
2980
2981 case MODE_OFB|MODE_ENCRYPT: /* encrypt using OFB mode */
2982
2983 inverse = 0;
2984
2985 makekey(msgbuf);
2986
2987 ofbenc();
2988
2989 break;
2990
2991 case MODE_OFB|MODE_DECRYPT: /* decrypt using OFB mode */
2992
2993 inverse = 0;
2994
2995 makekey(msgbuf);
2996
2997 ofbdec();
2998
2999 break;
3000
3001 default: /* unimplemented */
3002
3003 err(1, -1, "can't handle that yet");
3004
3005 break;
3006
3007 }
3008
3009 exit(0);
3010
3011
3012
3013 }
3014
3015
3016
3017 /*
3018
3019 * print a warning message and, possibly, terminate
3020
3021 */
3022
3023 err(f, n, s)
3024
3025 int f; /* >0 if fatal (status code), 0 if not */
3026
3027 int n; /* offending block number */
3028
3029 char *s; /* the message */
3030
3031 {
3032
3033 char tbuf[BUFSIZ];
3034
3035
3036
3037 if (n > 0)
3038
3039 (void) sprintf(tbuf, "%s (block %d)", progname, n);
3040
3041 else
3042
3043 (void) sprintf(tbuf, "%s", progname);
3044
3045 if (s == C_NULL)
3046
3047 perror(tbuf);
3048
3049 else
3050
3051 fprintf(stderr, "%s: %s\n", tbuf, s);
3052
3053 if (f > 0)
3054
3055 exit(f);
3056
3057 }
3058
3059
3060
3061 /*
3062
3063 * map a hex character to an integer
3064
3065 */
3066
3067 int tohex(c)
3068
3069 char c;
3070
3071 {
3072
3073 switch(c){
3074
3075 case '0': return(0x0);
3076
3077 case '1': return(0x1);
3078
3079 case '2': return(0x2);
3080
3081 case '3': return(0x3);
3082
3083 case '4': return(0x4);
3084
3085 case '5': return(0x5);
3086
3087 case '6': return(0x6);
3088
3089 case '7': return(0x7);
3090
3091 case '8': return(0x8);
3092
3093 case '9': return(0x9);
3094
3095 case 'A': case 'a': return(0xa);
3096
3097 case 'B': case 'b': return(0xb);
3098
3099 case 'C': case 'c': return(0xc);
3100
3101 case 'D': case 'd': return(0xd);
3102
3103 case 'E': case 'e': return(0xe);
3104
3105 case 'F': case 'f': return(0xf);
3106
3107 }
3108
3109 /*
3110
3111 * invalid character
3112
3113 */
3114
3115 return(-1);
3116
3117 }
3118
3119
3120
3121 /*
3122
3123 * convert the key to a bit pattern
3124
3125 */
3126
3127 cvtkey(obuf, ibuf)
3128
3129 char *obuf;
3130
3131 char *ibuf;
3132
3133 {
3134
3135 register int i; /* counter in a for loop */
3136
3137 int nbuf[16]; /* used for hes/key translation */
3138
3139
3140
3141 /*
3142
3143 * just switch on the key base
3144
3145 */
3146
3147 switch(keybase){
3148
3149 case KEY_ASCII: /* ascii to integer */
3150
3151 (void) strncpy(obuf, ibuf, 8);
3152
3153 return;
3154
3155 case KEY_DEFAULT: /* tell from context */
3156
3157 /*
3158
3159 * leading '0x' or '0X' == hex key
3160
3161 */
3162
3163 if (ibuf[0] == '0' && (ibuf[1] == 'x' || ibuf[1] == 'x')){
3164
3165 ibuf = &ibuf[2];
3166
3167 /*
3168
3169 * now translate it,m bombing on any illegal hex digit
3170
3171 */
3172
3173 for(i = 0; ibuf[i] && i < 16; i++)
3174
3175 if ((nbuf[i] = tohex(ibuf[i])) == -1)
3176
3177 err(1, -1, "bad hex digit in key");
3178
3179 while(i < 16)
3180
3181 nbuf[i++] = 0;
3182
3183 for(i = 0; i < 8; i++)
3184
3185 obuf[i] = ((nbuf[2*i]&0xf)<<4)|
3186
3187 (nbuf[2*i+1]&0xf);
3188
3189 parity = 0;
3190
3191 return;
3192
3193 }
3194
3195 /*
3196
3197 * no special leader -- ASCII
3198
3199 */
3200
3201 (void) strncpy(obuf, ibuf, 8);
3202
3203 }
3204
3205 }
3206
3207
3208
3209 /*
3210
3211 * convert an ASCII string into a decimal number:
3212
3213 * 1. must be between 0 and 64 inclusive
3214
3215 * 2. must be a valid decimal number
3216
3217 * 3. must be a multiple of mult
3218
3219 */
3220
3221 setbits(s, mult)
3222
3223 char *s;
3224
3225 {
3226
3227 register char *p;
3228
3229 register int n = 0;
3230
3231
3232
3233 /*
3234
3235 * skip white space
3236
3237 */
3238
3239 while (isspace(*s))
3240
3241 s++;
3242
3243 /*
3244
3245 * get the integer
3246
3247 */
3248
3249 for(p = s; *p; p++){
3250
3251 if (isdigit(*p))
3252
3253 n = n * 10 + *p - '0';
3254
3255 else{
3256
3257 err(1, -1, "bad decimal digit in MAC length");
3258
3259 }
3260
3261 }
3262
3263 /*
3264
3265 * be sure it's a multiple of mult
3266
3267 */
3268
3269 return((n % mult != 0) ? -1 : n);
3270
3271 }
3272
3273
3274
3275 /*****************
3276
3277 * DES FUNCTIONS *
3278
3279 *****************/
3280
3281 /*
3282
3283 * This sets the DES key and (if you're using the deszip version)
3284
3285 * the direction of the transformation. Note there are two ways
3286
3287 * to map the 64-bit key onto the 56 bits that the key schedule
3288
3289 * generation routines use: the old way, which just uses the user-
3290
3291 * supplied 64 bits as is, and the new way, which resets the parity
3292
3293 * bit to be the same as the low-order bit in each character. The
3294
3295 * new way generates a greater variety of key schedules, since many
3296
3297 * systems set the parity (high) bit of each character to 0, and the
3298
3299 * DES ignores the low order bit of each character.
3300
3301 */
3302
3303 makekey(buf)
3304
3305 Desbuf buf; /* key block */
3306
3307 {
3308
3309 register int i; /* counter in a for loop */
3310
3311 /*
3312
3313 * if using new key arrangement, reset the parity bit
3314
3315 * to be the same as the low-order bit
3316
3317 */
3318
3319 if (parity){
3320
3321 for(i = 0; i < 8; i++)
3322
3323 UCHAR(buf, i) = (UCHAR(buf, i)&0177)|
3324
3325 ((UCHAR(buf, i)&01)<<7);
3326
3327 }
3328
3329 /*
3330
3331 * Make the key schedule
3332
3333 */
3334
3335 DES_KEY(UBUFFER(buf));
3336
3337 }
3338
3339
3340
3341 /*
3342
3343 * This encrypts using the Electronic Code Book mode of DES
3344
3345 */
3346
3347 ecbenc()
3348
3349 {
3350
3351 register int n; /* number of bytes actually read */
3352
3353 register int bn; /* block number */
3354
3355 Desbuf msgbuf; /* I/O buffer */
3356
3357
3358
3359 for(bn = 0; (n = READ(BUFFER(msgbuf), 8)) == 8; bn++){
3360
3361 /*
3362
3363 * do the transformation
3364
3365 */
3366
3367 DES_XFORM(UBUFFER(msgbuf));
3368
3369 WRITE(BUFFER(msgbuf), 8);
3370
3371 }
3372
3373 /*
3374
3375 * at EOF or last block -- in either ase, the last byte contains
3376
3377 * the character representation of the number of bytes in it
3378
3379 */
3380
3381 bn++;
3382
3383 MEMZERO(&CHAR(msgbuf, n), 8 - n);
3384
3385 CHAR(msgbuf, 7) = '0' + n;
3386
3387 DES_XFORM(UBUFFER(msgbuf));
3388
3389 WRITE(BUFFER(msgbuf), 8);
3390
3391
3392
3393 }
3394
3395
3396
3397 /*
3398
3399 * This decrypts using the Electronic Code Book mode of DES
3400
3401 */
3402
3403 ecbdec()
3404
3405 {
3406
3407 register int n; /* number of bytes actually read */
3408
3409 register int c; /* used to test for EOF */
3410
3411 register int bn; /* block number */
3412
3413 Desbuf msgbuf; /* I/O buffer */
3414
3415
3416
3417 for(bn = 1; (n = READ(BUFFER(msgbuf), 8)) == 8; bn++){
3418
3419 /*
3420
3421 * do the transformation
3422
3423 */
3424
3425 DES_XFORM(UBUFFER(msgbuf));
3426
3427 /*
3428
3429 * if the last one, handle it specially
3430
3431 */
3432
3433 if ((c = getchar()) == EOF){
3434
3435 if ((n = (CHAR(msgbuf, 7) - '0')) < 0 || n > 7)
3436
3437 err(1, bn,
3438
3439 "decryption failed (block corrupted)");
3440
3441 }
3442
3443 else
3444
3445 (void) ungetc(c, stdin);
3446
3447 WRITE(BUFFER(msgbuf), n);
3448
3449 }
3450
3451 if (n > 0)
3452
3453 err(1, bn, "decryption failed (incomplete block)");
3454
3455 }
3456
3457
3458
3459 /*
3460
3461 * This encrypts using the Cipher Block Chaining mode of DES
3462
3463 */
3464
3465 cbcenc()
3466
3467 {
3468
3469 register int n; /* number of bytes actually read */
3470
3471 register int bn; /* block number */
3472
3473 Desbuf msgbuf; /* I/O buffer */
3474
3475
3476
3477 /*
3478
3479 * do the transformation
3480
3481 */
3482
3483 for(bn = 1; (n = READ(BUFFER(msgbuf), 8)) == 8; bn++){
3484
3485 for(n = 0; n < 8; n++)
3486
3487 CHAR(msgbuf, n) ^= CHAR(ivec, n);
3488
3489 DES_XFORM(UBUFFER(msgbuf));
3490
3491 MEMCPY(BUFFER(ivec), BUFFER(msgbuf), 8);
3492
3493 WRITE(BUFFER(msgbuf), 8);
3494
3495 }
3496
3497 /*
3498
3499 * at EOF or last block -- in either case, the last byte contains
3500
3501 * the character representation of the number of bytes in it
3502
3503 */
3504
3505 bn++;
3506
3507 MEMZERO(&CHAR(msgbuf, n), 8 - n);
3508
3509 CHAR(msgbuf, 7) = '0' + n;
3510
3511 for(n = 0; n < 8; n++)
3512
3513 CHAR(msgbuf, n) ^= CHAR(ivec, n);
3514
3515 DES_XFORM(UBUFFER(msgbuf));
3516
3517 WRITE(BUFFER(msgbuf), 8);
3518
3519
3520
3521 }
3522
3523
3524
3525 /*
3526
3527 * This decrypts using the Cipher Block Chaining mode of DES
3528
3529 */
3530
3531 cbcdec()
3532
3533 {
3534
3535 register int n; /* number of bytes actually read */
3536
3537 Desbuf msgbuf; /* I/O buffer */
3538
3539 Desbuf ibuf; /* temp buffer for initialization vector */
3540
3541 register int c; /* used to test for EOF */
3542
3543 register int bn; /* block number */
3544
3545
3546
3547 for(bn = 0; (n = READ(BUFFER(msgbuf), 8)) == 8; bn++){
3548
3549 /*
3550
3551 * do the transformation
3552
3553 */
3554
3555 MEMCPY(BUFFER(ibuf), BUFFER(msgbuf), 8);
3556
3557 DES_XFORM(UBUFFER(msgbuf));
3558
3559 for(c = 0; c < 8; c++)
3560
3561 UCHAR(msgbuf, c) ^= UCHAR(ivec, c);
3562
3563 MEMCPY(BUFFER(ivec), BUFFER(ibuf), 8);
3564
3565 /*
3566
3567 * if the last one, handle it specially
3568
3569 */
3570
3571 if ((c = getchar()) == EOF){
3572
3573 if ((n = (CHAR(msgbuf, 7) - '0')) < 0 || n > 7)
3574
3575 err(1, bn,
3576
3577 "decryption failed (block corrupted)");
3578
3579 }
3580
3581 else
3582
3583 (void) ungetc(c, stdin);
3584
3585 WRITE(BUFFER(msgbuf), n);
3586
3587 }
3588
3589 if (n > 0)
3590
3591 err(1, bn, "decryption failed (incomplete block)");
3592
3593 }
3594
3595
3596
3597 /*
3598
3599 * This authenticates using the Cipher Block Chaining mode of DES
3600
3601 */
3602
3603 cbcauth()
3604
3605 {
3606
3607 register int n; /* number of bytes actually read */
3608
3609 Desbuf msgbuf; /* I/O buffer */
3610
3611 Desbuf encbuf; /* encryption buffer */
3612
3613
3614
3615 /*
3616
3617 * do the transformation
3618
3619 * note we DISCARD the encrypted block;
3620
3621 * we only care about the last one
3622
3623 */
3624
3625 while ((n = READ(BUFFER(msgbuf), 8)) == 8){
3626
3627 for(n = 0; n < 8; n++)
3628
3629 CHAR(encbuf, n) = CHAR(msgbuf, n) ^ CHAR(ivec, n);
3630
3631 DES_XFORM(UBUFFER(encbuf));
3632
3633 MEMCPY(BUFFER(ivec), BUFFER(encbuf), 8);
3634
3635 }
3636
3637 /*
3638
3639 * now compute the last one, right padding with '\0' if need be
3640
3641 */
3642
3643 if (n > 0){
3644
3645 MEMZERO(&CHAR(msgbuf, n), 8 - n);
3646
3647 for(n = 0; n < 8; n++)
3648
3649 CHAR(encbuf, n) = CHAR(msgbuf, n) ^ CHAR(ivec, n);
3650
3651 DES_XFORM(UBUFFER(encbuf));
3652
3653 }
3654
3655 /*
3656
3657 * drop the bits
3658
3659 * we write chars until fewer than 7 bits,
3660
3661 * and then pad the last one with 0 bits
3662
3663 */
3664
3665 for(n = 0; macbits > 7; n++, macbits -= 8)
3666
3667 putchar(CHAR(encbuf, n));
3668
3669 if (macbits > 0){
3670
3671 CHAR(msgbuf, 0) = 0x00;
3672
3673 for(n = 0; n < macbits; n++)
3674
3675 CHAR(msgbuf, 0) |= (CHAR(encbuf, n)&bits[n]);
3676
3677 putchar(CHAR(msgbuf, 0));
3678
3679 }
3680
3681 }
3682
3683
3684
3685 /*
3686
3687 * This encrypts using the Cipher FeedBack mode of DES
3688
3689 */
3690
3691 cfbenc()
3692
3693 {
3694
3695 register int n; /* number of bytes actually read */
3696
3697 register int nbytes; /* number of bytes to read */
3698
3699 register int bn; /* block number */
3700
3701 char ibuf[8]; /* input buffer */
3702
3703 Desbuf msgbuf; /* encryption buffer */
3704
3705
3706
3707 /*
3708
3709 * do things in bytes, not bits
3710
3711 */
3712
3713 nbytes = fbbits / 8;
3714
3715 /*
3716
3717 * do the transformation
3718
3719 */
3720
3721 for(bn = 1; (n = READ(ibuf, nbytes)) == nbytes; bn++){
3722
3723 MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
3724
3725 DES_XFORM(UBUFFER(msgbuf));
3726
3727 for(n = 0; n < 8 - nbytes; n++)
3728
3729 UCHAR(ivec, n) = UCHAR(ivec, n+nbytes);
3730
3731 for(n = 0; n < nbytes; n++)
3732
3733 UCHAR(ivec, 8-nbytes+n) = ibuf[n] ^ UCHAR(msgbuf, n);
3734
3735 WRITE(&CHAR(ivec, 8-nbytes), nbytes);
3736
3737 }
3738
3739 /*
3740
3741 * at EOF or last block -- in either case, the last byte contains
3742
3743 * the character representation of the number of bytes in it
3744
3745 */
3746
3747 bn++;
3748
3749 MEMZERO(&ibuf[n], nbytes - n);
3750
3751 ibuf[nbytes - 1] = '0' + n;
3752
3753 MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
3754
3755 DES_XFORM(UBUFFER(msgbuf));
3756
3757 for(n = 0; n < nbytes; n++)
3758
3759 ibuf[n] ^= UCHAR(msgbuf, n);
3760
3761 WRITE(ibuf, nbytes);
3762
3763 }
3764
3765
3766
3767 /*
3768
3769 * This decrypts using the Cipher Block Chaining mode of DES
3770
3771 */
3772
3773 cfbdec()
3774
3775 {
3776
3777 register int n; /* number of bytes actually read */
3778
3779 register int c; /* used to test for EOF */
3780
3781 register int nbytes; /* number of bytes to read */
3782
3783 register int bn; /* block number */
3784
3785 char ibuf[8]; /* input buffer */
3786
3787 char obuf[8]; /* output buffer */
3788
3789 Desbuf msgbuf; /* encryption buffer */
3790
3791
3792
3793 /*
3794
3795 * do things in bytes, not bits
3796
3797 */
3798
3799 nbytes = fbbits / 8;
3800
3801 /*
3802
3803 * do the transformation
3804
3805 */
3806
3807 for(bn = 1; (n = READ(ibuf, nbytes)) == nbytes; bn++){
3808
3809 MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
3810
3811 DES_XFORM(UBUFFER(msgbuf));
3812
3813 for(c = 0; c < 8 - nbytes; c++)
3814
3815 CHAR(ivec, c) = CHAR(ivec, c+nbytes);
3816
3817 for(c = 0; c < nbytes; c++){
3818
3819 CHAR(ivec, 8-nbytes+c) = ibuf[c];
3820
3821 obuf[c] = ibuf[c] ^ UCHAR(msgbuf, c);
3822
3823 }
3824
3825 /*
3826
3827 * if the last one, handle it specially
3828
3829 */
3830
3831 if ((c = getchar()) == EOF){
3832
3833 if ((n = (obuf[nbytes-1] - '0')) < 0
3834
3835 || n > nbytes-1)
3836
3837 err(1, bn,
3838
3839 "decryption failed (block corrupted)");
3840
3841 }
3842
3843 else
3844
3845 (void) ungetc(c, stdin);
3846
3847 WRITE(obuf, n);
3848
3849 }
3850
3851 if (n > 0)
3852
3853 err(1, bn, "decryption failed (incomplete block)");
3854
3855 }
3856
3857
3858
3859 /*
3860
3861 * This encrypts using the alternative Cipher FeedBack mode of DES
3862
3863 */
3864
3865 cfbaenc()
3866
3867 {
3868
3869 register int n; /* number of bytes actually read */
3870
3871 register int nbytes; /* number of bytes to read */
3872
3873 register int bn; /* block number */
3874
3875 char ibuf[8]; /* input buffer */
3876
3877 char obuf[8]; /* output buffer */
3878
3879 Desbuf msgbuf; /* encryption buffer */
3880
3881
3882
3883 /*
3884
3885 * do things in bytes, not bits
3886
3887 */
3888
3889 nbytes = fbbits / 7;
3890
3891 /*
3892
3893 * do the transformation
3894
3895 */
3896
3897 for(bn = 1; (n = READ(ibuf, nbytes)) == nbytes; bn++){
3898
3899 MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
3900
3901 DES_XFORM(UBUFFER(msgbuf));
3902
3903 for(n = 0; n < 8 - nbytes; n++)
3904
3905 UCHAR(ivec, n) = UCHAR(ivec, n+nbytes);
3906
3907 for(n = 0; n < nbytes; n++)
3908
3909 UCHAR(ivec, 8-nbytes+n) = (ibuf[n] ^ UCHAR(msgbuf, n))
3910
3911 |0200;
3912
3913 for(n = 0; n < nbytes; n++)
3914
3915 obuf[n] = CHAR(ivec, 8-nbytes+n)&0177;
3916
3917 WRITE(obuf, nbytes);
3918
3919 }
3920
3921 /*
3922
3923 * at EOF or last block -- in either case, the last byte contains
3924
3925 * the character representation of the number of bytes in it
3926
3927 */
3928
3929 bn++;
3930
3931 MEMZERO(&ibuf[n], nbytes - n);
3932
3933 ibuf[nbytes - 1] = ('0' + n)|0200;
3934
3935 MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
3936
3937 DES_XFORM(UBUFFER(msgbuf));
3938
3939 for(n = 0; n < nbytes; n++)
3940
3941 ibuf[n] ^= UCHAR(msgbuf, n);
3942
3943 WRITE(ibuf, nbytes);
3944
3945 }
3946
3947
3948
3949 /*
3950
3951 * This decrypts using the alternative Cipher Block Chaining mode of DES
3952
3953 */
3954
3955 cfbadec()
3956
3957 {
3958
3959 register int n; /* number of bytes actually read */
3960
3961 register int c; /* used to test for EOF */
3962
3963 register int nbytes; /* number of bytes to read */
3964
3965 register int bn; /* block number */
3966
3967 char ibuf[8]; /* input buffer */
3968
3969 char obuf[8]; /* output buffer */
3970
3971 Desbuf msgbuf; /* encryption buffer */
3972
3973
3974
3975 /*
3976
3977 * do things in bytes, not bits
3978
3979 */
3980
3981 nbytes = fbbits / 7;
3982
3983 /*
3984
3985 * do the transformation
3986
3987 */
3988
3989 for(bn = 1; (n = READ(ibuf, nbytes)) == nbytes; bn++){
3990
3991 MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
3992
3993 DES_XFORM(UBUFFER(msgbuf));
3994
3995 for(c = 0; c < 8 - nbytes; c++)
3996
3997 CHAR(ivec, c) = CHAR(ivec, c+nbytes);
3998
3999 for(c = 0; c < nbytes; c++){
4000
4001 CHAR(ivec, 8-nbytes+c) = ibuf[c]|0200;
4002
4003 obuf[c] = (ibuf[c] ^ UCHAR(msgbuf, c))&0177;
4004
4005 }
4006
4007 /*
4008
4009 * if the last one, handle it specially
4010
4011 */
4012
4013 if ((c = getchar()) == EOF){
4014
4015 if ((n = (obuf[nbytes-1] - '0')) < 0
4016
4017 || n > nbytes-1)
4018
4019 err(1, bn,
4020
4021 "decryption failed (block corrupted)");
4022
4023 }
4024
4025 else
4026
4027 (void) ungetc(c, stdin);
4028
4029 WRITE(obuf, n);
4030
4031 }
4032
4033 if (n > 0)
4034
4035 err(1, bn, "decryption failed (incomplete block)");
4036
4037 }
4038
4039
4040
4041
4042
4043 /*
4044
4045 * This encrypts using the Output FeedBack mode of DES
4046
4047 */
4048
4049 ofbenc()
4050
4051 {
4052
4053 register int n; /* number of bytes actually read */
4054
4055 register int c; /* used to test for EOF */
4056
4057 register int nbytes; /* number of bytes to read */
4058
4059 register int bn; /* block number */
4060
4061 char ibuf[8]; /* input buffer */
4062
4063 char obuf[8]; /* output buffer */
4064
4065 Desbuf msgbuf; /* encryption buffer */
4066
4067
4068
4069 /*
4070
4071 * do things in bytes, not bits
4072
4073 */
4074
4075 nbytes = fbbits / 8;
4076
4077 /*
4078
4079 * do the transformation
4080
4081 */
4082
4083 for(bn = 1; (n = READ(ibuf, nbytes)) == nbytes; bn++){
4084
4085 MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
4086
4087 DES_XFORM(UBUFFER(msgbuf));
4088
4089 for(n = 0; n < 8 - nbytes; n++)
4090
4091 UCHAR(ivec, n) = UCHAR(ivec, n+nbytes);
4092
4093 for(n = 0; n < nbytes; n++){
4094
4095 UCHAR(ivec, 8-nbytes+n) = UCHAR(msgbuf, n);
4096
4097 obuf[n] = ibuf[n] ^ UCHAR(msgbuf, n);
4098
4099 }
4100
4101 WRITE(obuf, nbytes);
4102
4103 }
4104
4105 /*
4106
4107 * at EOF or last block -- in either case, the last byte contains
4108
4109 * the character representation of the number of bytes in it
4110
4111 */
4112
4113 bn++;
4114
4115 MEMZERO(&ibuf[n], nbytes - n);
4116
4117 ibuf[nbytes - 1] = '0' + n;
4118
4119 MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
4120
4121 DES_XFORM(UBUFFER(msgbuf));
4122
4123 for(c = 0; c < nbytes; c++)
4124
4125 ibuf[c] ^= UCHAR(msgbuf, c);
4126
4127 WRITE(ibuf, nbytes);
4128
4129 }
4130
4131
4132
4133 /*
4134
4135 * This decrypts using the Output Block Chaining mode of DES
4136
4137 */
4138
4139 ofbdec()
4140
4141 {
4142
4143 register int n; /* number of bytes actually read */
4144
4145 register int c; /* used to test for EOF */
4146
4147 register int nbytes; /* number of bytes to read */
4148
4149 register int bn; /* block number */
4150
4151 char ibuf[8]; /* input buffer */
4152
4153 char obuf[8]; /* output buffer */
4154
4155 Desbuf msgbuf; /* encryption buffer */
4156
4157
4158
4159 /*
4160
4161 * do things in bytes, not bits
4162
4163 */
4164
4165 nbytes = fbbits / 8;
4166
4167 /*
4168
4169 * do the transformation
4170
4171 */
4172
4173 for(bn = 1; (n = READ(ibuf, nbytes)) == nbytes; bn++){
4174
4175 MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
4176
4177 DES_XFORM(UBUFFER(msgbuf));
4178
4179 for(c = 0; c < 8 - nbytes; c++)
4180
4181 CHAR(ivec, c) = CHAR(ivec, c+nbytes);
4182
4183 for(c = 0; c < nbytes; c++){
4184
4185 CHAR(ivec, 8-nbytes+c) = UCHAR(msgbuf, c);
4186
4187 obuf[c] = ibuf[c] ^ UCHAR(msgbuf, c);
4188
4189 }
4190
4191 /*
4192
4193 * if the last one, handle it specially
4194
4195 */
4196
4197 if ((c = getchar()) == EOF){
4198
4199 if ((n = (obuf[nbytes-1] - '0')) < 0
4200
4201 || n > nbytes-1)
4202
4203 err(1, bn,
4204
4205 "decryption failed (block corrupted)");
4206
4207 }
4208
4209 else
4210
4211 (void) ungetc(c, stdin);
4212
4213 /*
4214
4215 * dump it
4216
4217 */
4218
4219 WRITE(obuf, n);
4220
4221 }
4222
4223 if (n > 0)
4224
4225 err(1, bn, "decryption failed (incomplete block)");
4226
4227 }
4228
4229
4230
4231 /*
4232
4233 * This authenticates using the Cipher FeedBack mode of DES
4234
4235 */
4236
4237 cfbauth()
4238
4239 {
4240
4241 register int n; /* number of bytes actually read */
4242
4243 register int nbytes; /* number of bytes to read */
4244
4245 char ibuf[8]; /* input buffer */
4246
4247 Desbuf msgbuf; /* encryption buffer */
4248
4249
4250
4251 /*
4252
4253 * do things in bytes, not bits
4254
4255 */
4256
4257 nbytes = fbbits / 8;
4258
4259 /*
4260
4261 * do the transformation
4262
4263 */
4264
4265 while((n = READ(ibuf, nbytes)) == nbytes){
4266
4267 MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
4268
4269 DES_XFORM(UBUFFER(msgbuf));
4270
4271 for(n = 0; n < 8 - nbytes; n++)
4272
4273 UCHAR(ivec, n) = UCHAR(ivec, n+nbytes);
4274
4275 for(n = 0; n < nbytes; n++)
4276
4277 UCHAR(ivec, 8-nbytes+n) = ibuf[n] ^ UCHAR(msgbuf, n);
4278
4279 }
4280
4281 /*
4282
4283 * at EOF or last block -- in either case, the last byte contains
4284
4285 * the character representation of the number of bytes in it
4286
4287 */
4288
4289 MEMZERO(&ibuf[n], nbytes - n);
4290
4291 ibuf[nbytes - 1] = '0' + n;
4292
4293 MEMCPY(BUFFER(msgbuf), BUFFER(ivec), 8);
4294
4295 DES_XFORM(UBUFFER(msgbuf));
4296
4297 for(n = 0; n < nbytes; n++)
4298
4299 ibuf[n] ^= UCHAR(msgbuf, n);
4300
4301 /*
4302
4303 * drop the bits
4304
4305 * we write chars until fewer than 7 bits,
4306
4307 * and then pad the last one with 0 bits
4308
4309 */
4310
4311 for(n = 0; macbits > 7; n++, macbits -= 8)
4312
4313 putchar(CHAR(msgbuf, n));
4314
4315 if (macbits > 0){
4316
4317 CHAR(msgbuf, 0) = 0x00;
4318
4319 for(n = 0; n < macbits; n++)
4320
4321 CHAR(msgbuf, 0) |= (CHAR(msgbuf, n)&bits[n]);
4322
4323 putchar(CHAR(msgbuf, 0));
4324
4325 }
4326
4327 }
4328
4329
4330
4331 #ifdef ALONE
4332
4333
4334
4335 /*
4336
4337 * change from 8 bits/Uchar to 1 bit/Uchar
4338
4339 */
4340
4341 expand(from, to)
4342
4343 Desbuf from; /* 8bit/unsigned char string */
4344
4345 char to[64]; /* 1bit/char string */
4346
4347 {
4348
4349 register int i, j; /* counters in for loop */
4350
4351
4352
4353 for(i = 0; i < 8; i++)
4354
4355 for(j = 0; j < 8; j++)
4356
4357 to[i*8+j] = (CHAR(from, i)>>(7-j))&01;
4358
4359 }
4360
4361
4362
4363 /*
4364
4365 * change from 1 bit/char to 8 bits/Uchar
4366
4367 */
4368
4369 compress(from, to)
4370
4371 char from[64]; /* 1bit/char string */
4372
4373 Desbuf to; /* 8bit/unsigned char string */
4374
4375 {
4376
4377 register int i, j; /* counters in for loop */
4378
4379
4380
4381 for(i = 0; i < 8; i++){
4382
4383 CHAR(to, i) = 0;
4384
4385 for(j = 0; j < 8; j++)
4386
4387 CHAR(to, i) = (from[i*8+j]<<(7-j))|CHAR(to, i);
4388
4389 }
4390
4391 }
4392
4393
4394
4395 #endif
4396
4397 Elliptic Curves
4398
4399 /************************************************************************
4400
4401 * *
4402
4403 * Elliptic curves over Galois Fields. These routines find points *
4404
4405 * on a curve, add and double points for type 1 optimal normal bases. *
4406
4407 * *
4408
4409 * For succint explanaition, see Menezes, page 92 *
4410
4411 * *
4412
4413 ************************************************************************/
4414
4415
4416
4417 #include <stdio.h>
4418
4419 #include "bigint.h"
4420
4421 #include "eliptic.h"
4422
4423
4424
4425 /************************************************************************
4426
4427 * Note that the following is obvious to mathematicians. I thought it *
4428
4429 * was pretty cool when I discovered it myself, <sigh>. *
4430
4431 * *
4432
4433 * Routine to solve quadradic equation. Enter with coeficients *
4434
4435 * a and b and it returns solutions y[2]: y^2 + ay + b = 0. *
4436
4437 * If Tr(b/a^2) != 0, returns y=0 and error code 1. *
4438
4439 * If Tr(b/a^2) == 0, returns y[2] and error code 0. *
4440
4441 * If solution fails, returns y=0 and error code 2. *
4442
4443 * *
4444
4445 * Algorithm used based on normal basis GF math. Since (a+b)^2 = *
4446
4447 * a^2 + b^2 it follows that (a+b)^.5 = a^.5 + b^.5. Note that squaring*
4448
4449 * is a left shift and rooting is a right shift in a normal basis. *
4450
4451 * Transforming the source equation with y = ax and dividing by a^2 *
4452
4453 * gives: *
4454
4455 * x^2 + x + b/a^2 = 0 *
4456
4457 * *
4458
4459 * or x = x^.5 + (b/a^2)^.5 *
4460
4461 * *
4462
4463 * Let k_i = the ith significant bit of (b/a^2)^.5 and *
4464
4465 * x_i = the ith significant bit of x. *
4466
4467 * The above equation is equivelent to a bitwise representation as *
4468
4469 * *
4470
4471 * x_i = x_(i+1) + k_i *
4472
4473 * or *
4474
4475 * x(i+1) = x_i + k_i. *
4476
4477 * *
4478
4479 * Since both x and x+1 are solutions, and 1 is represented by all *
4480
4481 * bits set in a normal basis, we can start with x_0 = 0 or 1 at our *
4482
4483 * pleasure and use the recursion relation to discover every bit of x. *
4484
4485 * The answer is then ax and ax+a returned in y[0] and y[1] respectively*
4486
4487 * If the sum of x_(n-1) + k_(n-1) != x_0, returns error code 2 and *
4488
4489 * y = 0. *
4490
4491 * *
4492
4493 * error code returns *
4494
4495 * 0 y[0] and y[1] values *
4496
4497 * 1 y[0] = y[1] = 0 *
4498
4499 * 2 mathematicly impossible !!!! *
4500
4501 * *
4502
4503 ************************************************************************/
4504
4505
4506
4507 extern ELEMENT mask_table[WORDSIZE];
4508
4509 extern void opt_inv(), rot_left(), rot_right(), null(), opt_mul();
4510
4511 extern void big_print(), copy();
4512
4513
4514
4515 int gf_quadradic(a, b, y)
4516
4517 BIGINT *a, *b, *y;
4518
4519 {
4520
4521 INDEX i, l, bits;
4522
4523 BIGINT x, k, a2;
4524
4525 ELEMENT r, t, mask;
4526
4527
4528
4529 /* test for b=0. Won't work if it is. */
4530
4531
4532
4533 l = 1;
4534
4535 for (i=STRTPOS; i<MAXLONG; i++) {
4536
4537 if (b->b[i] == 0) continue;
4538
4539 else {
4540
4541 l = 0;
4542
4543 break;
4544
4545 }
4546
4547 }
4548
4549 if (l) {
4550
4551 null(&y[0]);
4552
4553 null(&y[1]);
4554
4555 return(1);
4556
4557 }
4558
4559
4560
4561 /* find a^-2 */
4562
4563
4564
4565 opt_inv( a, &a2);
4566
4567 rot_left(&a2);
4568
4569
4570
4571 /* find k=(b/a^2)^.5 */
4572
4573
4574
4575 opt_mul( b, &a2, &k);
4576
4577 rot_right(&k);
4578
4579 r = 0;
4580
4581
4582
4583 /* check that Tr(k) is zero. Combine all words first. */
4584
4585
4586
4587 for (i=STRTPOS; i<MAXLONG; i++)
4588
4589 r ^= k.b[i];
4590
4591
4592
4593 /* take trace of word, combining half of all the bits each time */
4594
4595
4596
4597 for (bits = WORDSIZE/2; bits > 0; bits /= 2)
4598
4599 r = ((r & mask_table[bits]) ^ (r >> bits));
4600
4601
4602
4603 /* if not zero, return error code 1. */
4604
4605
4606
4607 if (r) {
4608
4609 null(&y[0]);
4610
4611 null(&y[1]);
4612
4613 return(1);
4614
4615 }
4616
4617
4618
4619 /* point is valid, proceed with solution. mask points to bit i,
4620
4621 which is known, in x bits previously found and k (=b/a^2). */
4622
4623
4624
4625 null(&x);
4626
4627 mask = 1;
4628
4629 for (bits=0; bits < NUMBITS ; bits++) {
4630
4631
4632
4633 /* source long word could be different than destination */
4634
4635
4636
4637 i = LONGPOS - bits/WORDSIZE;
4638
4639 l = LONGPOS - (bits + 1)/WORDSIZE;
4640
4641
4642
4643 /* use present bits to compute next one */
4644
4645
4646
4647 r = k.b[i] & mask;
4648
4649 t = x.b[i] & mask;
4650
4651 r ^= t;
4652
4653
4654
4655 /* same word, so just shift result up */
4656
4657
4658
4659 if ( l == i ) {
4660
4661 r <<= 1;
4662
4663 x.b[l] |= r;
4664
4665 mask <<= 1;
4666
4667 } else {
4668
4669
4670
4671 /* different word, reset mask and use a 1 */
4672
4673
4674
4675 mask = 1;
4676
4677 if (r) x.b[l] = 1;
4678
4679 }
4680
4681 }
4682
4683
4684
4685 /* test that last bit generates a zero */
4686
4687
4688
4689 r = k.b[STRTPOS] & UPRBIT;
4690
4691 t = x.b[STRTPOS] & UPRBIT;
4692
4693 if ( r^t ) {
4694
4695 null(&y[0]);
4696
4697 null(&y[1]);
4698
4699 return(2);
4700
4701 }
4702
4703
4704
4705 /* convert solution back via y = ax */
4706
4707
4708
4709 opt_mul(a, &x, &y[0]);
4710
4711
4712
4713 /* and create complementary soultion y = ax + a */
4714
4715
4716
4717 null (&y[1]);
4718
4719 for (i = STRTPOS; i < MAXLONG; i++)
4720
4721 y[1].b[i] = y[0].b[i] ^ a->b[i];
4722
4723
4724
4725 /* no errors, bye! */
4726
4727
4728
4729 return(0);
4730
4731 }
4732
4733
4734
4735 /* compute R.H.S. f(x) = x^3 + a2*x^2 + a6
4736
4737 curv.form = 0 implies a2 = 0, so no extra multiply.
4738
4739 curv.form = 1 is the "twist" curve.
4740
4741 */
4742
4743
4744
4745 void fofx(x, curv, f)
4746
4747 BIGINT * x, * f;
4748
4749 CURVE * curv;
4750
4751 {
4752
4753
4754
4755 BIGINT x2,x3;
4756
4757 INDEX i;
4758
4759
4760
4761 copy(x, &x2);
4762
4763 rot_left(&x2);
4764
4765 opt_mul(x, &x2, &x3);
4766
4767 if (curv->form) opt_mul(&x2, &curv->a2, f);
4768
4769 else null(f);
4770
4771 for (i = STRTPOS; i < MAXLONG; i++)
4772
4773 f->b[i] ^= (x3.b[i] ^ curv->a6.b[i]);
4774
4775 }
4776
4777
4778
4779 /****************************************************************************
4780
4781 * *
4782
4783 * Implement elliptic curve point addition for optimal normal basis form. *
4784
4785 * This follows R. Schroeppel, H. Orman, S. O'Mally, "Fast Key Exchange with*
4786
4787 * Elliptic Curve Systems", CRYPTO '95, TR-95-03, Univ. of Arizona, Comp. *
4788
4789 * Science Dept. *
4790
4791 * *
4792
4793 * This version is faster for inversion processes requiring fewer *
4794
4795 * multiplies than projective math version. For NUMBITS = 148 or 226 this *
4796
4797 * is the case because only 10 multiplies are required for inversion but *
4798
4799 * 15 multiplies for projective math. I leave it as a paper to be written *
4800
4801 * [HINT!!] to propagate TR-95-03 to normal basis inversion. In that case *
4802
4803 * inversion will require order 2 multiplies and this method would be far *
4804
4805 * superior to projective coordinates. *
4806
4807 ****************************************************************************/
4808
4809
4810
4811 void esum (p1, p2, p3, curv)
4812
4813 POINT *p1, *p2, *p3;
4814
4815 CURVE *curv;
4816
4817 {
4818
4819 register INDEX i;
4820
4821 BIGINT x1, y1, lmda, onex, lmda2;
4822
4823
4824
4825 /* compute lambda = (y_1 + y_2)/(x_1 + x_2) */
4826
4827
4828
4829 null(&x1);
4830
4831 null(&y1);
4832
4833 SUMLOOP(i) {
4834
4835 x1.b[i] = p1->x.b[i] ^ p2->x.b[i];
4836
4837 y1.b[i] = p1->y.b[i] ^ p2->y.b[i];
4838
4839 }
4840
4841 opt_inv( &x1, &onex);
4842
4843 opt_mul( &onex, &y1, &lmda);
4844
4845 copy( &lmda, &lmda2);
4846
4847 rot_left(&lmda2);
4848
4849
4850
4851 /* with lambda and lamda^2, compute x_3 */
4852
4853
4854
4855 if (curv->form)
4856
4857 SUMLOOP (i)
4858
4859 p3->x.b[i] = lmda.b[i] ^ lmda2.b[i] ^ p1->x.b[i] ^ p2->x.b[i]
4860
4861 ^ curv->a2.b[i];
4862
4863 else
4864
4865 SUMLOOP (i)
4866
4867 p3->x.b[i] = lmda.b[i] ^ lmda2.b[i] ^ p1->x.b[i] ^ p2->x.b[i];
4868
4869
4870
4871 /* next find y_3 */
4872
4873
4874
4875 SUMLOOP (i) x1.b[i] = p1->x.b[i] ^ p3->x.b[i];
4876
4877 opt_mul( &x1, &lmda, &lmda2);
4878
4879 SUMLOOP (i) p3->y.b[i] = lmda2.b[i] ^ p3->x.b[i] ^ p1->y.b[i];
4880
4881 }
4882
4883
4884
4885 /* elliptic curve doubling routine for Schroeppel's algorithm over normal
4886
4887 basis. Enter with p1, p3 as source and destination as well as curv
4888
4889 to operate on. Returns p3 = 2*p1.
4890
4891 */
4892
4893
4894
4895 void edbl (p1, p3, curv)
4896
4897 POINT *p1, *p3;
4898
4899 CURVE *curv;
4900
4901 {
4902
4903 BIGINT x1, y1, lmda, lmda2, t1;
4904
4905 register INDEX i;
4906
4907
4908
4909 /* first compute lambda = x + y/x */
4910
4911
4912
4913 opt_inv( &p1->x, &x1);
4914
4915 opt_mul( &x1, &p1->y, &y1);
4916
4917 SUMLOOP (i) lmda.b[i] = p1->x.b[i] ^ y1.b[i];
4918
4919
4920
4921 /* next compute x_3 */
4922
4923
4924
4925 copy( &lmda, &lmda2);
4926
4927 rot_left(&lmda2);
4928
4929 if(curv->form)
4930
4931 SUMLOOP (i) p3->x.b[i] = lmda.b[i] ^ lmda2.b[i] ^ curv->a2.b[i];
4932
4933 else
4934
4935 SUMLOOP (i) p3->x.b[i] = lmda.b[i] ^ lmda2.b[i];
4936
4937
4938
4939 /* and lastly y_3 */
4940
4941
4942
4943 one( &y1);
4944
4945 SUMLOOP (i) y1.b[i] ^= lmda.b[i];
4946
4947 opt_mul( &y1, &p3->x, &t1);
4948
4949 copy( &p1->x, &x1);
4950
4951 rot_left( &x1);
4952
4953 SUMLOOP (i) p3->y.b[i] = x1.b[i] ^ t1.b[i];
4954
4955 }
4956
4957
4958
4959 /* subtract two points on a curve. just negates p2 and does a sum.
4960
4961 Returns p3 = p1 - p2 over curv.
4962
4963 */
4964
4965
4966
4967 void esub (p1, p2, p3, curv)
4968
4969 POINT *p1, *p2, *p3;
4970
4971 CURVE *curv;
4972
4973 {
4974
4975 POINT negp;
4976
4977 INDEX i;
4978
4979
4980
4981 copy ( &p2->x, &negp.x);
4982
4983 null (&negp.y);
4984
4985 SUMLOOP(i) negp.y.b[i] = p2->x.b[i] ^ p2->y.b[i];
4986
4987 esum (p1, &negp, p3, curv);
4988
4989 }
4990
4991
4992
4993 /* need to move points around, not just values. Optimize later. */
4994
4995
4996
4997 void copy_point (p1, p2)
4998
4999 POINT *p1, *p2;
5000
5001 {
5002
5003 copy (&p1->x, &p2->x);
5004
5005 copy (&p1->y, &p2->y);
5006
5007 }
5008
5009
5010
5011 /* Routine to compute kP where k is an integer (base 2, not normal basis)
5012
5013 and P is a point on an elliptic curve. This routine assumes that K
5014
5015 is representable in the same bit field as x, y or z values of P.
5016
5017 This is for simplicity, larger or smaller fields can be independently
5018
5019 implemented.
5020
5021 Enter with: integer k, source point P, curve to compute over (curv) and
5022
5023 Returns with: result point R.
5024
5025
5026
5027 Reference: Koblitz, "CM-Curves with good Cryptografic Properties",
5028
5029 Springer-Verlag LNCS #576, p279 (pg 284 really), 1992
5030
5031 */
5032
5033 ELEMENT bit_table[32] = {1, 2, 4, 8, 16, 32, 64, 128, 256,
5034
5035 0x200, 0x400, 0x800, 0x1000, 0x2000, 0x4000, 0x8000,
5036
5037 0x10000, 0x20000, 0x40000, 0x80000,
5038
5039 0x100000, 0x200000, 0x400000, 0x800000,
5040
5041 0x1000000, 0x2000000, 0x4000000, 0x8000000,
5042
5043 0x10000000, 0x20000000, 0x40000000, 0x80000000 };
5044
5045
5046
5047 void elptic_mul(k, p, r, curv)
5048
5049 BIGINT *k;
5050
5051 POINT *p, *r;
5052
5053 CURVE *curv;
5054
5055 {
5056
5057 char blncd[NUMBITS+1];
5058
5059 ELEMENT wordptr, mskindx, sequnce;
5060
5061 long bit_count;
5062
5063 POINT temp;
5064
5065
5066
5067 /* scan across k from right to left to expand bits to chars */
5068
5069
5070
5071 for (bit_count = 0; bit_count < NUMBITS; bit_count++) {
5072
5073 wordptr = LONGPOS - bit_count/WORDSIZE;
5074
5075 mskindx = bit_count % WORDSIZE;
5076
5077 if (k->b[wordptr] & bit_table[mskindx]) blncd[bit_count] = 1;
5078
5079 else blncd[bit_count] = 0;
5080
5081 }
5082
5083 blncd[NUMBITS] = 0;
5084
5085
5086
5087 /* Next convert balanced array to ballanced representation */
5088
5089 /* sequence flag used for multiple 1's being switched to 0's. */
5090
5091
5092
5093 sequnce = 0;
5094
5095 bit_count = 0;
5096
5097 while (bit_count <= NUMBITS) {
5098
5099 if ( blncd[bit_count]) {
5100
5101 if (sequnce) /* in middle of 1's sequence */
5102
5103 blncd[bit_count] = 0;
5104
5105 else if (blncd[bit_count+1]) {
5106
5107 sequnce = 1; /* next bit also set, begin sequnce */
5108
5109 blncd[bit_count] = -1;
5110
5111 }
5112
5113 bit_count++;
5114
5115 } else {
5116
5117 if (sequnce) { /* last bit of sequence */
5118
5119 blncd[bit_count] = 1;
5120
5121 sequnce = 0;
5122
5123 } else
5124
5125 bit_count++;
5126
5127 }
5128
5129 }
5130
5131
5132
5133 /* now follow ballanced representation and compute kP */
5134
5135
5136
5137 bit_count = NUMBITS;
5138
5139 while (!blncd[bit_count] && bit_count >= 0) bit_count--; /* find first bit */
5140
5141 if (bit_count < 0) {
5142
5143 null (&r->x);
5144
5145 null (&r->y);
5146
5147 return;
5148
5149 }
5150
5151 copy_point(p,r); /* first bit always set */
5152
5153 while (bit_count > 0) {
5154
5155 edbl(r, &temp, curv);
5156
5157 bit_count--;
5158
5159 switch (blncd[bit_count]) {
5160
5161 case 1: esum (p, &temp, r, curv);
5162
5163 break;
5164
5165 case -1: esub (&temp, p, r, curv);
5166
5167 break;
5168
5169 case 0: copy_point (&temp, r);
5170
5171 }
5172
5173 }
5174
5175 }
5176
5177
5178
5179 /* One is not what it appears to be. In any normal basis, "1" is the sum of
5180
5181 all powers of the generator. So this routine puts ones to fill the number size
5182
5183 being used in the address of the BIGINT supplied. */
5184
5185
5186
5187 void one (place)
5188
5189 BIGINT *place;
5190
5191 {
5192
5193 INDEX i;
5194
5195
5196
5197 SUMLOOP(i) place->b[i] = -1L;
5198
5199 place->b[STRTPOS] &= UPRMASK;
5200
5201 }
5202
5203 }