1 // SPDX-License-Identifier: BSD-2-Clause 2 /* LibTomCrypt, modular cryptographic library -- Tom St Denis 3 * 4 * LibTomCrypt is a library that provides various cryptographic 5 * algorithms in a highly modular and flexible manner. 6 * 7 * The library is free for all purposes without any express 8 * guarantee it works. 9 */ 10 /**********************************************************************\ 11 * To commemorate the 1996 RSA Data Security Conference, the following * 12 * code is released into the public domain by its author. Prost! * 13 * * 14 * This cipher uses 16-bit words and little-endian byte ordering. * 15 * I wonder which processor it was optimized for? * 16 * * 17 * Thanks to CodeView, SoftIce, and D86 for helping bring this code to * 18 * the public. * 19 \**********************************************************************/ 20 #include "tomcrypt_private.h" 21 22 /** 23 @file rc2.c 24 Implementation of RC2 with fixed effective key length of 64bits 25 */ 26 27 #ifdef LTC_RC2 28 29 const struct ltc_cipher_descriptor rc2_desc = { 30 "rc2", 31 12, 8, 128, 8, 16, 32 &rc2_setup, 33 &rc2_ecb_encrypt, 34 &rc2_ecb_decrypt, 35 &rc2_test, 36 &rc2_done, 37 &rc2_keysize, 38 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL 39 }; 40 41 /* 256-entry permutation table, probably derived somehow from pi */ 42 static const unsigned char permute[256] = { 43 217,120,249,196, 25,221,181,237, 40,233,253,121, 74,160,216,157, 44 198,126, 55,131, 43,118, 83,142, 98, 76,100,136, 68,139,251,162, 45 23,154, 89,245,135,179, 79, 19, 97, 69,109,141, 9,129,125, 50, 46 189,143, 64,235,134,183,123, 11,240,149, 33, 34, 92,107, 78,130, 47 84,214,101,147,206, 96,178, 28,115, 86,192, 20,167,140,241,220, 48 18,117,202, 31, 59,190,228,209, 66, 61,212, 48,163, 60,182, 38, 49 111,191, 14,218, 70,105, 7, 87, 39,242, 29,155,188,148, 67, 3, 50 248, 17,199,246,144,239, 62,231, 6,195,213, 47,200,102, 30,215, 51 8,232,234,222,128, 82,238,247,132,170,114,172, 53, 77,106, 42, 52 150, 26,210,113, 90, 21, 73,116, 75,159,208, 94, 4, 24,164,236, 53 194,224, 65,110, 15, 81,203,204, 36,145,175, 80,161,244,112, 57, 54 153,124, 58,133, 35,184,180,122,252, 2, 54, 91, 37, 85,151, 49, 55 45, 93,250,152,227,138,146,174, 5,223, 41, 16,103,108,186,201, 56 211, 0,230,207,225,158,168, 44, 99, 22, 1, 63, 88,226,137,169, 57 13, 56, 52, 27,171, 51,255,176,187, 72, 12, 95,185,177,205, 46, 58 197,243,219, 71,229,165,156,119, 10,166, 32,104,254,127,193,173 59 }; 60 61 /** 62 Initialize the RC2 block cipher 63 @param key The symmetric key you wish to pass 64 @param keylen The key length in bytes 65 @param bits The effective key length in bits 66 @param num_rounds The number of rounds desired (0 for default) 67 @param skey The key in as scheduled by this function. 68 @return CRYPT_OK if successful 69 */ 70 int rc2_setup_ex(const unsigned char *key, int keylen, int bits, int num_rounds, symmetric_key *skey) 71 { 72 unsigned *xkey = skey->rc2.xkey; 73 unsigned char tmp[128]; 74 unsigned T8, TM; 75 int i; 76 77 LTC_ARGCHK(key != NULL); 78 LTC_ARGCHK(skey != NULL); 79 80 if (keylen == 0 || keylen > 128 || bits > 1024) { 81 return CRYPT_INVALID_KEYSIZE; 82 } 83 if (bits == 0) { 84 bits = 1024; 85 } 86 87 if (num_rounds != 0 && num_rounds != 16) { 88 return CRYPT_INVALID_ROUNDS; 89 } 90 91 for (i = 0; i < keylen; i++) { 92 tmp[i] = key[i] & 255; 93 } 94 95 /* Phase 1: Expand input key to 128 bytes */ 96 if (keylen < 128) { 97 for (i = keylen; i < 128; i++) { 98 tmp[i] = permute[(tmp[i - 1] + tmp[i - keylen]) & 255]; 99 } 100 } 101 102 /* Phase 2 - reduce effective key size to "bits" */ 103 T8 = (unsigned)(bits+7)>>3; 104 TM = (255 >> (unsigned)(7 & -bits)); 105 tmp[128 - T8] = permute[tmp[128 - T8] & TM]; 106 for (i = 127 - T8; i >= 0; i--) { 107 tmp[i] = permute[tmp[i + 1] ^ tmp[i + T8]]; 108 } 109 110 /* Phase 3 - copy to xkey in little-endian order */ 111 for (i = 0; i < 64; i++) { 112 xkey[i] = (unsigned)tmp[2*i] + ((unsigned)tmp[2*i+1] << 8); 113 } 114 115 #ifdef LTC_CLEAN_STACK 116 zeromem(tmp, sizeof(tmp)); 117 #endif 118 119 return CRYPT_OK; 120 } 121 122 /** 123 Initialize the RC2 block cipher 124 125 The effective key length is here always keylen * 8 126 127 @param key The symmetric key you wish to pass 128 @param keylen The key length in bytes 129 @param num_rounds The number of rounds desired (0 for default) 130 @param skey The key in as scheduled by this function. 131 @return CRYPT_OK if successful 132 */ 133 int rc2_setup(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey) 134 { 135 return rc2_setup_ex(key, keylen, keylen * 8, num_rounds, skey); 136 } 137 138 /**********************************************************************\ 139 * Encrypt an 8-byte block of plaintext using the given key. * 140 \**********************************************************************/ 141 /** 142 Encrypts a block of text with RC2 143 @param pt The input plaintext (8 bytes) 144 @param ct The output ciphertext (8 bytes) 145 @param skey The key as scheduled 146 @return CRYPT_OK if successful 147 */ 148 #ifdef LTC_CLEAN_STACK 149 static int _rc2_ecb_encrypt( const unsigned char *pt, 150 unsigned char *ct, 151 const symmetric_key *skey) 152 #else 153 int rc2_ecb_encrypt( const unsigned char *pt, 154 unsigned char *ct, 155 const symmetric_key *skey) 156 #endif 157 { 158 const unsigned *xkey; 159 unsigned x76, x54, x32, x10, i; 160 161 LTC_ARGCHK(pt != NULL); 162 LTC_ARGCHK(ct != NULL); 163 LTC_ARGCHK(skey != NULL); 164 165 xkey = skey->rc2.xkey; 166 167 x76 = ((unsigned)pt[7] << 8) + (unsigned)pt[6]; 168 x54 = ((unsigned)pt[5] << 8) + (unsigned)pt[4]; 169 x32 = ((unsigned)pt[3] << 8) + (unsigned)pt[2]; 170 x10 = ((unsigned)pt[1] << 8) + (unsigned)pt[0]; 171 172 for (i = 0; i < 16; i++) { 173 x10 = (x10 + (x32 & ~x76) + (x54 & x76) + xkey[4*i+0]) & 0xFFFF; 174 x10 = ((x10 << 1) | (x10 >> 15)); 175 176 x32 = (x32 + (x54 & ~x10) + (x76 & x10) + xkey[4*i+1]) & 0xFFFF; 177 x32 = ((x32 << 2) | (x32 >> 14)); 178 179 x54 = (x54 + (x76 & ~x32) + (x10 & x32) + xkey[4*i+2]) & 0xFFFF; 180 x54 = ((x54 << 3) | (x54 >> 13)); 181 182 x76 = (x76 + (x10 & ~x54) + (x32 & x54) + xkey[4*i+3]) & 0xFFFF; 183 x76 = ((x76 << 5) | (x76 >> 11)); 184 185 if (i == 4 || i == 10) { 186 x10 = (x10 + xkey[x76 & 63]) & 0xFFFF; 187 x32 = (x32 + xkey[x10 & 63]) & 0xFFFF; 188 x54 = (x54 + xkey[x32 & 63]) & 0xFFFF; 189 x76 = (x76 + xkey[x54 & 63]) & 0xFFFF; 190 } 191 } 192 193 ct[0] = (unsigned char)x10; 194 ct[1] = (unsigned char)(x10 >> 8); 195 ct[2] = (unsigned char)x32; 196 ct[3] = (unsigned char)(x32 >> 8); 197 ct[4] = (unsigned char)x54; 198 ct[5] = (unsigned char)(x54 >> 8); 199 ct[6] = (unsigned char)x76; 200 ct[7] = (unsigned char)(x76 >> 8); 201 202 return CRYPT_OK; 203 } 204 205 #ifdef LTC_CLEAN_STACK 206 int rc2_ecb_encrypt( const unsigned char *pt, 207 unsigned char *ct, 208 const symmetric_key *skey) 209 { 210 int err = _rc2_ecb_encrypt(pt, ct, skey); 211 burn_stack(sizeof(unsigned *) + sizeof(unsigned) * 5); 212 return err; 213 } 214 #endif 215 216 /**********************************************************************\ 217 * Decrypt an 8-byte block of ciphertext using the given key. * 218 \**********************************************************************/ 219 /** 220 Decrypts a block of text with RC2 221 @param ct The input ciphertext (8 bytes) 222 @param pt The output plaintext (8 bytes) 223 @param skey The key as scheduled 224 @return CRYPT_OK if successful 225 */ 226 #ifdef LTC_CLEAN_STACK 227 static int _rc2_ecb_decrypt( const unsigned char *ct, 228 unsigned char *pt, 229 const symmetric_key *skey) 230 #else 231 int rc2_ecb_decrypt( const unsigned char *ct, 232 unsigned char *pt, 233 const symmetric_key *skey) 234 #endif 235 { 236 unsigned x76, x54, x32, x10; 237 const unsigned *xkey; 238 int i; 239 240 LTC_ARGCHK(pt != NULL); 241 LTC_ARGCHK(ct != NULL); 242 LTC_ARGCHK(skey != NULL); 243 244 xkey = skey->rc2.xkey; 245 246 x76 = ((unsigned)ct[7] << 8) + (unsigned)ct[6]; 247 x54 = ((unsigned)ct[5] << 8) + (unsigned)ct[4]; 248 x32 = ((unsigned)ct[3] << 8) + (unsigned)ct[2]; 249 x10 = ((unsigned)ct[1] << 8) + (unsigned)ct[0]; 250 251 for (i = 15; i >= 0; i--) { 252 if (i == 4 || i == 10) { 253 x76 = (x76 - xkey[x54 & 63]) & 0xFFFF; 254 x54 = (x54 - xkey[x32 & 63]) & 0xFFFF; 255 x32 = (x32 - xkey[x10 & 63]) & 0xFFFF; 256 x10 = (x10 - xkey[x76 & 63]) & 0xFFFF; 257 } 258 259 x76 = ((x76 << 11) | (x76 >> 5)); 260 x76 = (x76 - ((x10 & ~x54) + (x32 & x54) + xkey[4*i+3])) & 0xFFFF; 261 262 x54 = ((x54 << 13) | (x54 >> 3)); 263 x54 = (x54 - ((x76 & ~x32) + (x10 & x32) + xkey[4*i+2])) & 0xFFFF; 264 265 x32 = ((x32 << 14) | (x32 >> 2)); 266 x32 = (x32 - ((x54 & ~x10) + (x76 & x10) + xkey[4*i+1])) & 0xFFFF; 267 268 x10 = ((x10 << 15) | (x10 >> 1)); 269 x10 = (x10 - ((x32 & ~x76) + (x54 & x76) + xkey[4*i+0])) & 0xFFFF; 270 } 271 272 pt[0] = (unsigned char)x10; 273 pt[1] = (unsigned char)(x10 >> 8); 274 pt[2] = (unsigned char)x32; 275 pt[3] = (unsigned char)(x32 >> 8); 276 pt[4] = (unsigned char)x54; 277 pt[5] = (unsigned char)(x54 >> 8); 278 pt[6] = (unsigned char)x76; 279 pt[7] = (unsigned char)(x76 >> 8); 280 281 return CRYPT_OK; 282 } 283 284 #ifdef LTC_CLEAN_STACK 285 int rc2_ecb_decrypt( const unsigned char *ct, 286 unsigned char *pt, 287 const symmetric_key *skey) 288 { 289 int err = _rc2_ecb_decrypt(ct, pt, skey); 290 burn_stack(sizeof(unsigned *) + sizeof(unsigned) * 4 + sizeof(int)); 291 return err; 292 } 293 #endif 294 295 /** 296 Performs a self-test of the RC2 block cipher 297 @return CRYPT_OK if functional, CRYPT_NOP if self-test has been disabled 298 */ 299 int rc2_test(void) 300 { 301 #ifndef LTC_TEST 302 return CRYPT_NOP; 303 #else 304 static const struct { 305 int keylen, bits; 306 unsigned char key[16], pt[8], ct[8]; 307 } tests[] = { 308 309 { 8, 63, 310 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 311 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 312 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 313 { 0xeb, 0xb7, 0x73, 0xf9, 0x93, 0x27, 0x8e, 0xff } 314 }, 315 { 8, 64, 316 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 317 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 318 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 319 { 0x27, 0x8b, 0x27, 0xe4, 0x2e, 0x2f, 0x0d, 0x49 } 320 }, 321 { 8, 64, 322 { 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 323 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 324 { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 325 { 0x30, 0x64, 0x9e, 0xdf, 0x9b, 0xe7, 0xd2, 0xc2 } 326 }, 327 { 1, 64, 328 { 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 329 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 330 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 331 { 0x61, 0xa8, 0xa2, 0x44, 0xad, 0xac, 0xcc, 0xf0 } 332 }, 333 { 7, 64, 334 { 0x88, 0xbc, 0xa9, 0x0e, 0x90, 0x87, 0x5a, 0x00, 335 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 336 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 337 { 0x6c, 0xcf, 0x43, 0x08, 0x97, 0x4c, 0x26, 0x7f } 338 }, 339 { 16, 64, 340 { 0x88, 0xbc, 0xa9, 0x0e, 0x90, 0x87, 0x5a, 0x7f, 341 0x0f, 0x79, 0xc3, 0x84, 0x62, 0x7b, 0xaf, 0xb2 }, 342 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 343 { 0x1a, 0x80, 0x7d, 0x27, 0x2b, 0xbe, 0x5d, 0xb1 } 344 }, 345 { 16, 128, 346 { 0x88, 0xbc, 0xa9, 0x0e, 0x90, 0x87, 0x5a, 0x7f, 347 0x0f, 0x79, 0xc3, 0x84, 0x62, 0x7b, 0xaf, 0xb2 }, 348 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 349 { 0x22, 0x69, 0x55, 0x2a, 0xb0, 0xf8, 0x5c, 0xa6 } 350 } 351 }; 352 int x, y, err; 353 symmetric_key skey; 354 unsigned char tmp[2][8]; 355 356 for (x = 0; x < (int)(sizeof(tests) / sizeof(tests[0])); x++) { 357 zeromem(tmp, sizeof(tmp)); 358 if (tests[x].bits == (tests[x].keylen * 8)) { 359 if ((err = rc2_setup(tests[x].key, tests[x].keylen, 0, &skey)) != CRYPT_OK) { 360 return err; 361 } 362 } 363 else { 364 if ((err = rc2_setup_ex(tests[x].key, tests[x].keylen, tests[x].bits, 0, &skey)) != CRYPT_OK) { 365 return err; 366 } 367 } 368 369 rc2_ecb_encrypt(tests[x].pt, tmp[0], &skey); 370 rc2_ecb_decrypt(tmp[0], tmp[1], &skey); 371 372 if (compare_testvector(tmp[0], 8, tests[x].ct, 8, "RC2 CT", x) || 373 compare_testvector(tmp[1], 8, tests[x].pt, 8, "RC2 PT", x)) { 374 return CRYPT_FAIL_TESTVECTOR; 375 } 376 377 /* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */ 378 for (y = 0; y < 8; y++) tmp[0][y] = 0; 379 for (y = 0; y < 1000; y++) rc2_ecb_encrypt(tmp[0], tmp[0], &skey); 380 for (y = 0; y < 1000; y++) rc2_ecb_decrypt(tmp[0], tmp[0], &skey); 381 for (y = 0; y < 8; y++) if (tmp[0][y] != 0) return CRYPT_FAIL_TESTVECTOR; 382 } 383 return CRYPT_OK; 384 #endif 385 } 386 387 /** Terminate the context 388 @param skey The scheduled key 389 */ 390 void rc2_done(symmetric_key *skey) 391 { 392 LTC_UNUSED_PARAM(skey); 393 } 394 395 /** 396 Gets suitable key size 397 @param keysize [in/out] The length of the recommended key (in bytes). This function will store the suitable size back in this variable. 398 @return CRYPT_OK if the input key size is acceptable. 399 */ 400 int rc2_keysize(int *keysize) 401 { 402 LTC_ARGCHK(keysize != NULL); 403 if (*keysize < 1) { 404 return CRYPT_INVALID_KEYSIZE; 405 } 406 if (*keysize > 128) { 407 *keysize = 128; 408 } 409 return CRYPT_OK; 410 } 411 412 #endif 413 414 415 416 417 /* ref: $Format:%D$ */ 418 /* git commit: $Format:%H$ */ 419 /* commit time: $Format:%ai$ */ 420