1 // SPDX-License-Identifier: BSD-2-Clause
2 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
3 *
4 * LibTomCrypt is a library that provides various cryptographic
5 * algorithms in a highly modular and flexible manner.
6 *
7 * The library is free for all purposes without any express
8 * guarantee it works.
9 */
10 /**********************************************************************\
11 * To commemorate the 1996 RSA Data Security Conference, the following *
12 * code is released into the public domain by its author. Prost! *
13 * *
14 * This cipher uses 16-bit words and little-endian byte ordering. *
15 * I wonder which processor it was optimized for? *
16 * *
17 * Thanks to CodeView, SoftIce, and D86 for helping bring this code to *
18 * the public. *
19 \**********************************************************************/
20 #include "tomcrypt_private.h"
21
22 /**
23 @file rc2.c
24 Implementation of RC2 with fixed effective key length of 64bits
25 */
26
27 #ifdef LTC_RC2
28
29 const struct ltc_cipher_descriptor rc2_desc = {
30 "rc2",
31 12, 8, 128, 8, 16,
32 &rc2_setup,
33 &rc2_ecb_encrypt,
34 &rc2_ecb_decrypt,
35 &rc2_test,
36 &rc2_done,
37 &rc2_keysize,
38 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
39 };
40
41 /* 256-entry permutation table, probably derived somehow from pi */
42 static const unsigned char permute[256] = {
43 217,120,249,196, 25,221,181,237, 40,233,253,121, 74,160,216,157,
44 198,126, 55,131, 43,118, 83,142, 98, 76,100,136, 68,139,251,162,
45 23,154, 89,245,135,179, 79, 19, 97, 69,109,141, 9,129,125, 50,
46 189,143, 64,235,134,183,123, 11,240,149, 33, 34, 92,107, 78,130,
47 84,214,101,147,206, 96,178, 28,115, 86,192, 20,167,140,241,220,
48 18,117,202, 31, 59,190,228,209, 66, 61,212, 48,163, 60,182, 38,
49 111,191, 14,218, 70,105, 7, 87, 39,242, 29,155,188,148, 67, 3,
50 248, 17,199,246,144,239, 62,231, 6,195,213, 47,200,102, 30,215,
51 8,232,234,222,128, 82,238,247,132,170,114,172, 53, 77,106, 42,
52 150, 26,210,113, 90, 21, 73,116, 75,159,208, 94, 4, 24,164,236,
53 194,224, 65,110, 15, 81,203,204, 36,145,175, 80,161,244,112, 57,
54 153,124, 58,133, 35,184,180,122,252, 2, 54, 91, 37, 85,151, 49,
55 45, 93,250,152,227,138,146,174, 5,223, 41, 16,103,108,186,201,
56 211, 0,230,207,225,158,168, 44, 99, 22, 1, 63, 88,226,137,169,
57 13, 56, 52, 27,171, 51,255,176,187, 72, 12, 95,185,177,205, 46,
58 197,243,219, 71,229,165,156,119, 10,166, 32,104,254,127,193,173
59 };
60
61 /**
62 Initialize the RC2 block cipher
63 @param key The symmetric key you wish to pass
64 @param keylen The key length in bytes
65 @param bits The effective key length in bits
66 @param num_rounds The number of rounds desired (0 for default)
67 @param skey The key in as scheduled by this function.
68 @return CRYPT_OK if successful
69 */
rc2_setup_ex(const unsigned char * key,int keylen,int bits,int num_rounds,symmetric_key * skey)70 int rc2_setup_ex(const unsigned char *key, int keylen, int bits, int num_rounds, symmetric_key *skey)
71 {
72 unsigned *xkey = skey->rc2.xkey;
73 unsigned char tmp[128];
74 unsigned T8, TM;
75 int i;
76
77 LTC_ARGCHK(key != NULL);
78 LTC_ARGCHK(skey != NULL);
79
80 if (keylen == 0 || keylen > 128 || bits > 1024) {
81 return CRYPT_INVALID_KEYSIZE;
82 }
83 if (bits == 0) {
84 bits = 1024;
85 }
86
87 if (num_rounds != 0 && num_rounds != 16) {
88 return CRYPT_INVALID_ROUNDS;
89 }
90
91 for (i = 0; i < keylen; i++) {
92 tmp[i] = key[i] & 255;
93 }
94
95 /* Phase 1: Expand input key to 128 bytes */
96 if (keylen < 128) {
97 for (i = keylen; i < 128; i++) {
98 tmp[i] = permute[(tmp[i - 1] + tmp[i - keylen]) & 255];
99 }
100 }
101
102 /* Phase 2 - reduce effective key size to "bits" */
103 T8 = (unsigned)(bits+7)>>3;
104 TM = (255 >> (unsigned)(7 & -bits));
105 tmp[128 - T8] = permute[tmp[128 - T8] & TM];
106 for (i = 127 - T8; i >= 0; i--) {
107 tmp[i] = permute[tmp[i + 1] ^ tmp[i + T8]];
108 }
109
110 /* Phase 3 - copy to xkey in little-endian order */
111 for (i = 0; i < 64; i++) {
112 xkey[i] = (unsigned)tmp[2*i] + ((unsigned)tmp[2*i+1] << 8);
113 }
114
115 #ifdef LTC_CLEAN_STACK
116 zeromem(tmp, sizeof(tmp));
117 #endif
118
119 return CRYPT_OK;
120 }
121
122 /**
123 Initialize the RC2 block cipher
124
125 The effective key length is here always keylen * 8
126
127 @param key The symmetric key you wish to pass
128 @param keylen The key length in bytes
129 @param num_rounds The number of rounds desired (0 for default)
130 @param skey The key in as scheduled by this function.
131 @return CRYPT_OK if successful
132 */
rc2_setup(const unsigned char * key,int keylen,int num_rounds,symmetric_key * skey)133 int rc2_setup(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey)
134 {
135 return rc2_setup_ex(key, keylen, keylen * 8, num_rounds, skey);
136 }
137
138 /**********************************************************************\
139 * Encrypt an 8-byte block of plaintext using the given key. *
140 \**********************************************************************/
141 /**
142 Encrypts a block of text with RC2
143 @param pt The input plaintext (8 bytes)
144 @param ct The output ciphertext (8 bytes)
145 @param skey The key as scheduled
146 @return CRYPT_OK if successful
147 */
148 #ifdef LTC_CLEAN_STACK
_rc2_ecb_encrypt(const unsigned char * pt,unsigned char * ct,const symmetric_key * skey)149 static int _rc2_ecb_encrypt( const unsigned char *pt,
150 unsigned char *ct,
151 const symmetric_key *skey)
152 #else
153 int rc2_ecb_encrypt( const unsigned char *pt,
154 unsigned char *ct,
155 const symmetric_key *skey)
156 #endif
157 {
158 const unsigned *xkey;
159 unsigned x76, x54, x32, x10, i;
160
161 LTC_ARGCHK(pt != NULL);
162 LTC_ARGCHK(ct != NULL);
163 LTC_ARGCHK(skey != NULL);
164
165 xkey = skey->rc2.xkey;
166
167 x76 = ((unsigned)pt[7] << 8) + (unsigned)pt[6];
168 x54 = ((unsigned)pt[5] << 8) + (unsigned)pt[4];
169 x32 = ((unsigned)pt[3] << 8) + (unsigned)pt[2];
170 x10 = ((unsigned)pt[1] << 8) + (unsigned)pt[0];
171
172 for (i = 0; i < 16; i++) {
173 x10 = (x10 + (x32 & ~x76) + (x54 & x76) + xkey[4*i+0]) & 0xFFFF;
174 x10 = ((x10 << 1) | (x10 >> 15));
175
176 x32 = (x32 + (x54 & ~x10) + (x76 & x10) + xkey[4*i+1]) & 0xFFFF;
177 x32 = ((x32 << 2) | (x32 >> 14));
178
179 x54 = (x54 + (x76 & ~x32) + (x10 & x32) + xkey[4*i+2]) & 0xFFFF;
180 x54 = ((x54 << 3) | (x54 >> 13));
181
182 x76 = (x76 + (x10 & ~x54) + (x32 & x54) + xkey[4*i+3]) & 0xFFFF;
183 x76 = ((x76 << 5) | (x76 >> 11));
184
185 if (i == 4 || i == 10) {
186 x10 = (x10 + xkey[x76 & 63]) & 0xFFFF;
187 x32 = (x32 + xkey[x10 & 63]) & 0xFFFF;
188 x54 = (x54 + xkey[x32 & 63]) & 0xFFFF;
189 x76 = (x76 + xkey[x54 & 63]) & 0xFFFF;
190 }
191 }
192
193 ct[0] = (unsigned char)x10;
194 ct[1] = (unsigned char)(x10 >> 8);
195 ct[2] = (unsigned char)x32;
196 ct[3] = (unsigned char)(x32 >> 8);
197 ct[4] = (unsigned char)x54;
198 ct[5] = (unsigned char)(x54 >> 8);
199 ct[6] = (unsigned char)x76;
200 ct[7] = (unsigned char)(x76 >> 8);
201
202 return CRYPT_OK;
203 }
204
205 #ifdef LTC_CLEAN_STACK
rc2_ecb_encrypt(const unsigned char * pt,unsigned char * ct,const symmetric_key * skey)206 int rc2_ecb_encrypt( const unsigned char *pt,
207 unsigned char *ct,
208 const symmetric_key *skey)
209 {
210 int err = _rc2_ecb_encrypt(pt, ct, skey);
211 burn_stack(sizeof(unsigned *) + sizeof(unsigned) * 5);
212 return err;
213 }
214 #endif
215
216 /**********************************************************************\
217 * Decrypt an 8-byte block of ciphertext using the given key. *
218 \**********************************************************************/
219 /**
220 Decrypts a block of text with RC2
221 @param ct The input ciphertext (8 bytes)
222 @param pt The output plaintext (8 bytes)
223 @param skey The key as scheduled
224 @return CRYPT_OK if successful
225 */
226 #ifdef LTC_CLEAN_STACK
_rc2_ecb_decrypt(const unsigned char * ct,unsigned char * pt,const symmetric_key * skey)227 static int _rc2_ecb_decrypt( const unsigned char *ct,
228 unsigned char *pt,
229 const symmetric_key *skey)
230 #else
231 int rc2_ecb_decrypt( const unsigned char *ct,
232 unsigned char *pt,
233 const symmetric_key *skey)
234 #endif
235 {
236 unsigned x76, x54, x32, x10;
237 const unsigned *xkey;
238 int i;
239
240 LTC_ARGCHK(pt != NULL);
241 LTC_ARGCHK(ct != NULL);
242 LTC_ARGCHK(skey != NULL);
243
244 xkey = skey->rc2.xkey;
245
246 x76 = ((unsigned)ct[7] << 8) + (unsigned)ct[6];
247 x54 = ((unsigned)ct[5] << 8) + (unsigned)ct[4];
248 x32 = ((unsigned)ct[3] << 8) + (unsigned)ct[2];
249 x10 = ((unsigned)ct[1] << 8) + (unsigned)ct[0];
250
251 for (i = 15; i >= 0; i--) {
252 if (i == 4 || i == 10) {
253 x76 = (x76 - xkey[x54 & 63]) & 0xFFFF;
254 x54 = (x54 - xkey[x32 & 63]) & 0xFFFF;
255 x32 = (x32 - xkey[x10 & 63]) & 0xFFFF;
256 x10 = (x10 - xkey[x76 & 63]) & 0xFFFF;
257 }
258
259 x76 = ((x76 << 11) | (x76 >> 5));
260 x76 = (x76 - ((x10 & ~x54) + (x32 & x54) + xkey[4*i+3])) & 0xFFFF;
261
262 x54 = ((x54 << 13) | (x54 >> 3));
263 x54 = (x54 - ((x76 & ~x32) + (x10 & x32) + xkey[4*i+2])) & 0xFFFF;
264
265 x32 = ((x32 << 14) | (x32 >> 2));
266 x32 = (x32 - ((x54 & ~x10) + (x76 & x10) + xkey[4*i+1])) & 0xFFFF;
267
268 x10 = ((x10 << 15) | (x10 >> 1));
269 x10 = (x10 - ((x32 & ~x76) + (x54 & x76) + xkey[4*i+0])) & 0xFFFF;
270 }
271
272 pt[0] = (unsigned char)x10;
273 pt[1] = (unsigned char)(x10 >> 8);
274 pt[2] = (unsigned char)x32;
275 pt[3] = (unsigned char)(x32 >> 8);
276 pt[4] = (unsigned char)x54;
277 pt[5] = (unsigned char)(x54 >> 8);
278 pt[6] = (unsigned char)x76;
279 pt[7] = (unsigned char)(x76 >> 8);
280
281 return CRYPT_OK;
282 }
283
284 #ifdef LTC_CLEAN_STACK
rc2_ecb_decrypt(const unsigned char * ct,unsigned char * pt,const symmetric_key * skey)285 int rc2_ecb_decrypt( const unsigned char *ct,
286 unsigned char *pt,
287 const symmetric_key *skey)
288 {
289 int err = _rc2_ecb_decrypt(ct, pt, skey);
290 burn_stack(sizeof(unsigned *) + sizeof(unsigned) * 4 + sizeof(int));
291 return err;
292 }
293 #endif
294
295 /**
296 Performs a self-test of the RC2 block cipher
297 @return CRYPT_OK if functional, CRYPT_NOP if self-test has been disabled
298 */
rc2_test(void)299 int rc2_test(void)
300 {
301 #ifndef LTC_TEST
302 return CRYPT_NOP;
303 #else
304 static const struct {
305 int keylen, bits;
306 unsigned char key[16], pt[8], ct[8];
307 } tests[] = {
308
309 { 8, 63,
310 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
311 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
312 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
313 { 0xeb, 0xb7, 0x73, 0xf9, 0x93, 0x27, 0x8e, 0xff }
314 },
315 { 8, 64,
316 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
317 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
318 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
319 { 0x27, 0x8b, 0x27, 0xe4, 0x2e, 0x2f, 0x0d, 0x49 }
320 },
321 { 8, 64,
322 { 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
323 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
324 { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
325 { 0x30, 0x64, 0x9e, 0xdf, 0x9b, 0xe7, 0xd2, 0xc2 }
326 },
327 { 1, 64,
328 { 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
329 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
330 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
331 { 0x61, 0xa8, 0xa2, 0x44, 0xad, 0xac, 0xcc, 0xf0 }
332 },
333 { 7, 64,
334 { 0x88, 0xbc, 0xa9, 0x0e, 0x90, 0x87, 0x5a, 0x00,
335 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
336 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
337 { 0x6c, 0xcf, 0x43, 0x08, 0x97, 0x4c, 0x26, 0x7f }
338 },
339 { 16, 64,
340 { 0x88, 0xbc, 0xa9, 0x0e, 0x90, 0x87, 0x5a, 0x7f,
341 0x0f, 0x79, 0xc3, 0x84, 0x62, 0x7b, 0xaf, 0xb2 },
342 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
343 { 0x1a, 0x80, 0x7d, 0x27, 0x2b, 0xbe, 0x5d, 0xb1 }
344 },
345 { 16, 128,
346 { 0x88, 0xbc, 0xa9, 0x0e, 0x90, 0x87, 0x5a, 0x7f,
347 0x0f, 0x79, 0xc3, 0x84, 0x62, 0x7b, 0xaf, 0xb2 },
348 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
349 { 0x22, 0x69, 0x55, 0x2a, 0xb0, 0xf8, 0x5c, 0xa6 }
350 }
351 };
352 int x, y, err;
353 symmetric_key skey;
354 unsigned char tmp[2][8];
355
356 for (x = 0; x < (int)(sizeof(tests) / sizeof(tests[0])); x++) {
357 zeromem(tmp, sizeof(tmp));
358 if (tests[x].bits == (tests[x].keylen * 8)) {
359 if ((err = rc2_setup(tests[x].key, tests[x].keylen, 0, &skey)) != CRYPT_OK) {
360 return err;
361 }
362 }
363 else {
364 if ((err = rc2_setup_ex(tests[x].key, tests[x].keylen, tests[x].bits, 0, &skey)) != CRYPT_OK) {
365 return err;
366 }
367 }
368
369 rc2_ecb_encrypt(tests[x].pt, tmp[0], &skey);
370 rc2_ecb_decrypt(tmp[0], tmp[1], &skey);
371
372 if (compare_testvector(tmp[0], 8, tests[x].ct, 8, "RC2 CT", x) ||
373 compare_testvector(tmp[1], 8, tests[x].pt, 8, "RC2 PT", x)) {
374 return CRYPT_FAIL_TESTVECTOR;
375 }
376
377 /* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */
378 for (y = 0; y < 8; y++) tmp[0][y] = 0;
379 for (y = 0; y < 1000; y++) rc2_ecb_encrypt(tmp[0], tmp[0], &skey);
380 for (y = 0; y < 1000; y++) rc2_ecb_decrypt(tmp[0], tmp[0], &skey);
381 for (y = 0; y < 8; y++) if (tmp[0][y] != 0) return CRYPT_FAIL_TESTVECTOR;
382 }
383 return CRYPT_OK;
384 #endif
385 }
386
387 /** Terminate the context
388 @param skey The scheduled key
389 */
rc2_done(symmetric_key * skey)390 void rc2_done(symmetric_key *skey)
391 {
392 LTC_UNUSED_PARAM(skey);
393 }
394
395 /**
396 Gets suitable key size
397 @param keysize [in/out] The length of the recommended key (in bytes). This function will store the suitable size back in this variable.
398 @return CRYPT_OK if the input key size is acceptable.
399 */
rc2_keysize(int * keysize)400 int rc2_keysize(int *keysize)
401 {
402 LTC_ARGCHK(keysize != NULL);
403 if (*keysize < 1) {
404 return CRYPT_INVALID_KEYSIZE;
405 }
406 if (*keysize > 128) {
407 *keysize = 128;
408 }
409 return CRYPT_OK;
410 }
411
412 #endif
413
414
415
416
417 /* ref: $Format:%D$ */
418 /* git commit: $Format:%H$ */
419 /* commit time: $Format:%ai$ */
420