* this code *
**********************************************************************/
#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/rand.h>
#include "gost89.h"
/*-
Substitution blocks from RFC 4357
n2 = in[4] | (in[5] << 8) | (in[6] << 16) | ((word32) in[7] << 24);
/* Instead of swapping halves, swap names each round */
- n2 ^= f(c, n1 + c->k[0]);
- n1 ^= f(c, n2 + c->k[1]);
- n2 ^= f(c, n1 + c->k[2]);
- n1 ^= f(c, n2 + c->k[3]);
- n2 ^= f(c, n1 + c->k[4]);
- n1 ^= f(c, n2 + c->k[5]);
- n2 ^= f(c, n1 + c->k[6]);
- n1 ^= f(c, n2 + c->k[7]);
-
- n2 ^= f(c, n1 + c->k[0]);
- n1 ^= f(c, n2 + c->k[1]);
- n2 ^= f(c, n1 + c->k[2]);
- n1 ^= f(c, n2 + c->k[3]);
- n2 ^= f(c, n1 + c->k[4]);
- n1 ^= f(c, n2 + c->k[5]);
- n2 ^= f(c, n1 + c->k[6]);
- n1 ^= f(c, n2 + c->k[7]);
-
- n2 ^= f(c, n1 + c->k[0]);
- n1 ^= f(c, n2 + c->k[1]);
- n2 ^= f(c, n1 + c->k[2]);
- n1 ^= f(c, n2 + c->k[3]);
- n2 ^= f(c, n1 + c->k[4]);
- n1 ^= f(c, n2 + c->k[5]);
- n2 ^= f(c, n1 + c->k[6]);
- n1 ^= f(c, n2 + c->k[7]);
-
- n2 ^= f(c, n1 + c->k[7]);
- n1 ^= f(c, n2 + c->k[6]);
- n2 ^= f(c, n1 + c->k[5]);
- n1 ^= f(c, n2 + c->k[4]);
- n2 ^= f(c, n1 + c->k[3]);
- n1 ^= f(c, n2 + c->k[2]);
- n2 ^= f(c, n1 + c->k[1]);
- n1 ^= f(c, n2 + c->k[0]);
+ n2 ^= f(c, n1 + c->key[0] + c->mask[0]);
+ n1 ^= f(c, n2 + c->key[1] + c->mask[1]);
+ n2 ^= f(c, n1 + c->key[2] + c->mask[2]);
+ n1 ^= f(c, n2 + c->key[3] + c->mask[3]);
+ n2 ^= f(c, n1 + c->key[4] + c->mask[4]);
+ n1 ^= f(c, n2 + c->key[5] + c->mask[5]);
+ n2 ^= f(c, n1 + c->key[6] + c->mask[6]);
+ n1 ^= f(c, n2 + c->key[7] + c->mask[7]);
+
+ n2 ^= f(c, n1 + c->key[0] + c->mask[0]);
+ n1 ^= f(c, n2 + c->key[1] + c->mask[1]);
+ n2 ^= f(c, n1 + c->key[2] + c->mask[2]);
+ n1 ^= f(c, n2 + c->key[3] + c->mask[3]);
+ n2 ^= f(c, n1 + c->key[4] + c->mask[4]);
+ n1 ^= f(c, n2 + c->key[5] + c->mask[5]);
+ n2 ^= f(c, n1 + c->key[6] + c->mask[6]);
+ n1 ^= f(c, n2 + c->key[7] + c->mask[7]);
+
+ n2 ^= f(c, n1 + c->key[0] + c->mask[0]);
+ n1 ^= f(c, n2 + c->key[1] + c->mask[1]);
+ n2 ^= f(c, n1 + c->key[2] + c->mask[2]);
+ n1 ^= f(c, n2 + c->key[3] + c->mask[3]);
+ n2 ^= f(c, n1 + c->key[4] + c->mask[4]);
+ n1 ^= f(c, n2 + c->key[5] + c->mask[5]);
+ n2 ^= f(c, n1 + c->key[6] + c->mask[6]);
+ n1 ^= f(c, n2 + c->key[7] + c->mask[7]);
+
+ n2 ^= f(c, n1 + c->key[7] + c->mask[7]);
+ n1 ^= f(c, n2 + c->key[6] + c->mask[6]);
+ n2 ^= f(c, n1 + c->key[5] + c->mask[5]);
+ n1 ^= f(c, n2 + c->key[4] + c->mask[4]);
+ n2 ^= f(c, n1 + c->key[3] + c->mask[3]);
+ n1 ^= f(c, n2 + c->key[2] + c->mask[2]);
+ n2 ^= f(c, n1 + c->key[1] + c->mask[1]);
+ n1 ^= f(c, n2 + c->key[0] + c->mask[0]);
out[0] = (byte) (n2 & 0xff);
out[1] = (byte) ((n2 >> 8) & 0xff);
out[7] = (byte) (n1 >> 24);
}
+/* Low-level encryption routine - encrypts one 64 bit block*/
+void magmacrypt(gost_ctx * c, const byte * in, byte * out)
+{
+ register word32 n1, n2; /* As named in the GOST */
+ n1 = in[7-0] | (in[7-1] << 8) | (in[7-2] << 16) | ((word32) in[7-3] << 24);
+ n2 = in[7-4] | (in[7-5] << 8) | (in[7-6] << 16) | ((word32) in[7-7] << 24);
+ /* Instead of swapping halves, swap names each round */
+
+ n2 ^= f(c, n1 + c->key[0] + c->mask[0]);
+ n1 ^= f(c, n2 + c->key[1] + c->mask[1]);
+ n2 ^= f(c, n1 + c->key[2] + c->mask[2]);
+ n1 ^= f(c, n2 + c->key[3] + c->mask[3]);
+ n2 ^= f(c, n1 + c->key[4] + c->mask[4]);
+ n1 ^= f(c, n2 + c->key[5] + c->mask[5]);
+ n2 ^= f(c, n1 + c->key[6] + c->mask[6]);
+ n1 ^= f(c, n2 + c->key[7] + c->mask[7]);
+
+ n2 ^= f(c, n1 + c->key[0] + c->mask[0]);
+ n1 ^= f(c, n2 + c->key[1] + c->mask[1]);
+ n2 ^= f(c, n1 + c->key[2] + c->mask[2]);
+ n1 ^= f(c, n2 + c->key[3] + c->mask[3]);
+ n2 ^= f(c, n1 + c->key[4] + c->mask[4]);
+ n1 ^= f(c, n2 + c->key[5] + c->mask[5]);
+ n2 ^= f(c, n1 + c->key[6] + c->mask[6]);
+ n1 ^= f(c, n2 + c->key[7] + c->mask[7]);
+
+ n2 ^= f(c, n1 + c->key[0] + c->mask[0]);
+ n1 ^= f(c, n2 + c->key[1] + c->mask[1]);
+ n2 ^= f(c, n1 + c->key[2] + c->mask[2]);
+ n1 ^= f(c, n2 + c->key[3] + c->mask[3]);
+ n2 ^= f(c, n1 + c->key[4] + c->mask[4]);
+ n1 ^= f(c, n2 + c->key[5] + c->mask[5]);
+ n2 ^= f(c, n1 + c->key[6] + c->mask[6]);
+ n1 ^= f(c, n2 + c->key[7] + c->mask[7]);
+
+ n2 ^= f(c, n1 + c->key[7] + c->mask[7]);
+ n1 ^= f(c, n2 + c->key[6] + c->mask[6]);
+ n2 ^= f(c, n1 + c->key[5] + c->mask[5]);
+ n1 ^= f(c, n2 + c->key[4] + c->mask[4]);
+ n2 ^= f(c, n1 + c->key[3] + c->mask[3]);
+ n1 ^= f(c, n2 + c->key[2] + c->mask[2]);
+ n2 ^= f(c, n1 + c->key[1] + c->mask[1]);
+ n1 ^= f(c, n2 + c->key[0] + c->mask[0]);
+
+ out[7-0] = (byte) (n2 & 0xff);
+ out[7-1] = (byte) ((n2 >> 8) & 0xff);
+ out[7-2] = (byte) ((n2 >> 16) & 0xff);
+ out[7-3] = (byte) (n2 >> 24);
+ out[7-4] = (byte) (n1 & 0xff);
+ out[7-5] = (byte) ((n1 >> 8) & 0xff);
+ out[7-6] = (byte) ((n1 >> 16) & 0xff);
+ out[7-7] = (byte) (n1 >> 24);
+}
+
/* Low-level decryption routine. Decrypts one 64-bit block */
void gostdecrypt(gost_ctx * c, const byte * in, byte * out)
{
n1 = in[0] | (in[1] << 8) | (in[2] << 16) | ((word32) in[3] << 24);
n2 = in[4] | (in[5] << 8) | (in[6] << 16) | ((word32) in[7] << 24);
- n2 ^= f(c, n1 + c->k[0]);
- n1 ^= f(c, n2 + c->k[1]);
- n2 ^= f(c, n1 + c->k[2]);
- n1 ^= f(c, n2 + c->k[3]);
- n2 ^= f(c, n1 + c->k[4]);
- n1 ^= f(c, n2 + c->k[5]);
- n2 ^= f(c, n1 + c->k[6]);
- n1 ^= f(c, n2 + c->k[7]);
-
- n2 ^= f(c, n1 + c->k[7]);
- n1 ^= f(c, n2 + c->k[6]);
- n2 ^= f(c, n1 + c->k[5]);
- n1 ^= f(c, n2 + c->k[4]);
- n2 ^= f(c, n1 + c->k[3]);
- n1 ^= f(c, n2 + c->k[2]);
- n2 ^= f(c, n1 + c->k[1]);
- n1 ^= f(c, n2 + c->k[0]);
-
- n2 ^= f(c, n1 + c->k[7]);
- n1 ^= f(c, n2 + c->k[6]);
- n2 ^= f(c, n1 + c->k[5]);
- n1 ^= f(c, n2 + c->k[4]);
- n2 ^= f(c, n1 + c->k[3]);
- n1 ^= f(c, n2 + c->k[2]);
- n2 ^= f(c, n1 + c->k[1]);
- n1 ^= f(c, n2 + c->k[0]);
-
- n2 ^= f(c, n1 + c->k[7]);
- n1 ^= f(c, n2 + c->k[6]);
- n2 ^= f(c, n1 + c->k[5]);
- n1 ^= f(c, n2 + c->k[4]);
- n2 ^= f(c, n1 + c->k[3]);
- n1 ^= f(c, n2 + c->k[2]);
- n2 ^= f(c, n1 + c->k[1]);
- n1 ^= f(c, n2 + c->k[0]);
+ n2 ^= f(c, n1 + c->key[0] + c->mask[0]);
+ n1 ^= f(c, n2 + c->key[1] + c->mask[1]);
+ n2 ^= f(c, n1 + c->key[2] + c->mask[2]);
+ n1 ^= f(c, n2 + c->key[3] + c->mask[3]);
+ n2 ^= f(c, n1 + c->key[4] + c->mask[4]);
+ n1 ^= f(c, n2 + c->key[5] + c->mask[5]);
+ n2 ^= f(c, n1 + c->key[6] + c->mask[6]);
+ n1 ^= f(c, n2 + c->key[7] + c->mask[7]);
+
+ n2 ^= f(c, n1 + c->key[7] + c->mask[7]);
+ n1 ^= f(c, n2 + c->key[6] + c->mask[6]);
+ n2 ^= f(c, n1 + c->key[5] + c->mask[5]);
+ n1 ^= f(c, n2 + c->key[4] + c->mask[4]);
+ n2 ^= f(c, n1 + c->key[3] + c->mask[3]);
+ n1 ^= f(c, n2 + c->key[2] + c->mask[2]);
+ n2 ^= f(c, n1 + c->key[1] + c->mask[1]);
+ n1 ^= f(c, n2 + c->key[0] + c->mask[0]);
+
+ n2 ^= f(c, n1 + c->key[7] + c->mask[7]);
+ n1 ^= f(c, n2 + c->key[6] + c->mask[6]);
+ n2 ^= f(c, n1 + c->key[5] + c->mask[5]);
+ n1 ^= f(c, n2 + c->key[4] + c->mask[4]);
+ n2 ^= f(c, n1 + c->key[3] + c->mask[3]);
+ n1 ^= f(c, n2 + c->key[2] + c->mask[2]);
+ n2 ^= f(c, n1 + c->key[1] + c->mask[1]);
+ n1 ^= f(c, n2 + c->key[0] + c->mask[0]);
+
+ n2 ^= f(c, n1 + c->key[7] + c->mask[7]);
+ n1 ^= f(c, n2 + c->key[6] + c->mask[6]);
+ n2 ^= f(c, n1 + c->key[5] + c->mask[5]);
+ n1 ^= f(c, n2 + c->key[4] + c->mask[4]);
+ n2 ^= f(c, n1 + c->key[3] + c->mask[3]);
+ n1 ^= f(c, n2 + c->key[2] + c->mask[2]);
+ n2 ^= f(c, n1 + c->key[1] + c->mask[1]);
+ n1 ^= f(c, n2 + c->key[0] + c->mask[0]);
out[0] = (byte) (n2 & 0xff);
out[1] = (byte) ((n2 >> 8) & 0xff);
out[7] = (byte) (n1 >> 24);
}
+/* Low-level decryption routine. Decrypts one 64-bit block */
+void magmadecrypt(gost_ctx * c, const byte * in, byte * out)
+{
+ register word32 n1, n2; /* As named in the GOST */
+ n1 = in[7-0] | (in[7-1] << 8) | (in[7-2] << 16) | ((word32) in[7-3] << 24);
+ n2 = in[7-4] | (in[7-5] << 8) | (in[7-6] << 16) | ((word32) in[7-7] << 24);
+
+ n2 ^= f(c, n1 + c->key[0] + c->mask[0]);
+ n1 ^= f(c, n2 + c->key[1] + c->mask[1]);
+ n2 ^= f(c, n1 + c->key[2] + c->mask[2]);
+ n1 ^= f(c, n2 + c->key[3] + c->mask[3]);
+ n2 ^= f(c, n1 + c->key[4] + c->mask[4]);
+ n1 ^= f(c, n2 + c->key[5] + c->mask[5]);
+ n2 ^= f(c, n1 + c->key[6] + c->mask[6]);
+ n1 ^= f(c, n2 + c->key[7] + c->mask[7]);
+
+ n2 ^= f(c, n1 + c->key[7] + c->mask[7]);
+ n1 ^= f(c, n2 + c->key[6] + c->mask[6]);
+ n2 ^= f(c, n1 + c->key[5] + c->mask[5]);
+ n1 ^= f(c, n2 + c->key[4] + c->mask[4]);
+ n2 ^= f(c, n1 + c->key[3] + c->mask[3]);
+ n1 ^= f(c, n2 + c->key[2] + c->mask[2]);
+ n2 ^= f(c, n1 + c->key[1] + c->mask[1]);
+ n1 ^= f(c, n2 + c->key[0] + c->mask[0]);
+
+ n2 ^= f(c, n1 + c->key[7] + c->mask[7]);
+ n1 ^= f(c, n2 + c->key[6] + c->mask[6]);
+ n2 ^= f(c, n1 + c->key[5] + c->mask[5]);
+ n1 ^= f(c, n2 + c->key[4] + c->mask[4]);
+ n2 ^= f(c, n1 + c->key[3] + c->mask[3]);
+ n1 ^= f(c, n2 + c->key[2] + c->mask[2]);
+ n2 ^= f(c, n1 + c->key[1] + c->mask[1]);
+ n1 ^= f(c, n2 + c->key[0] + c->mask[0]);
+
+ n2 ^= f(c, n1 + c->key[7] + c->mask[7]);
+ n1 ^= f(c, n2 + c->key[6] + c->mask[6]);
+ n2 ^= f(c, n1 + c->key[5] + c->mask[5]);
+ n1 ^= f(c, n2 + c->key[4] + c->mask[4]);
+ n2 ^= f(c, n1 + c->key[3] + c->mask[3]);
+ n1 ^= f(c, n2 + c->key[2] + c->mask[2]);
+ n2 ^= f(c, n1 + c->key[1] + c->mask[1]);
+ n1 ^= f(c, n2 + c->key[0] + c->mask[0]);
+
+ out[7-0] = (byte) (n2 & 0xff);
+ out[7-1] = (byte) ((n2 >> 8) & 0xff);
+ out[7-2] = (byte) ((n2 >> 16) & 0xff);
+ out[7-3] = (byte) (n2 >> 24);
+ out[7-4] = (byte) (n1 & 0xff);
+ out[7-5] = (byte) ((n1 >> 8) & 0xff);
+ out[7-6] = (byte) ((n1 >> 16) & 0xff);
+ out[7-7] = (byte) (n1 >> 24);
+}
+
+
/* Encrypts several blocks in ECB mode */
void gost_enc(gost_ctx * c, const byte * clear, byte * cipher, int blocks)
{
void gost_enc_with_key(gost_ctx * c, byte * key, byte * inblock,
byte * outblock)
{
- gost_key(c, key);
+ gost_key_nomask(c, key);
gostcrypt(c, inblock, outblock);
}
-/* Set 256 bit gost89 key into context */
-void gost_key(gost_ctx * c, const byte * k)
+static void gost_key_impl(gost_ctx * c, const byte * k)
{
int i, j;
- for (i = 0, j = 0; i < 8; i++, j += 4) {
- c->k[i] =
- k[j] | (k[j + 1] << 8) | (k[j + 2] << 16) | ((word32) k[j + 3] <<
- 24);
+ for (i = 0, j = 0; i < 8; ++i, j += 4) {
+ c->key[i] =
+ (k[j] | (k[j + 1] << 8) | (k[j + 2] << 16) | ((word32) k[j + 3] <<
+ 24)) - c->mask[i];
}
}
+/* Set 256 bit gost89 key into context */
+void gost_key(gost_ctx * c, const byte * k)
+{
+ RAND_priv_bytes((unsigned char *)c->mask, sizeof(c->mask));
+ gost_key_impl(c, k);
+}
+
+/* Set 256 bit gost89 key into context without key mask */
+void gost_key_nomask(gost_ctx * c, const byte * k)
+{
+ memset(c->mask, 0, sizeof(c->mask));
+ gost_key_impl(c, k);
+}
+
/* Set 256 bit Magma key into context */
void magma_key(gost_ctx * c, const byte * k)
{
int i, j;
- for (i = 0, j = 0; i < 8; i++, j += 4) {
- c->k[i] =
- k[j + 3] | (k[j + 2] << 8) | (k[j + 1] << 16) | ((word32) k[j] <<
- 24);
+ RAND_priv_bytes((unsigned char *)c->mask, sizeof(c->mask));
+ for (i = 0, j = 0; i < 8; ++i, j += 4) {
+ c->key[i] =
+ (k[j + 3] | (k[j + 2] << 8) | (k[j + 1] << 16) | ((word32) k[j] <<
+ 24)) - c->mask[i];
}
}
+void magma_master_key(gost_ctx *c, const byte *k) {
+ memcpy(c->master_key, k, sizeof(c->master_key));
+}
+
/* Retrieve 256-bit gost89 key from context */
void gost_get_key(gost_ctx * c, byte * k)
{
int i, j;
for (i = 0, j = 0; i < 8; i++, j += 4) {
- k[j] = (byte) (c->k[i] & 0xFF);
- k[j + 1] = (byte) ((c->k[i] >> 8) & 0xFF);
- k[j + 2] = (byte) ((c->k[i] >> 16) & 0xFF);
- k[j + 3] = (byte) ((c->k[i] >> 24) & 0xFF);
+ k[j] = (byte)((c->key[i] + c->mask[i]) & 0xFF);
+ k[j+1] = (byte)(((c->key[i] + c->mask[i]) >> 8 )& 0xFF);
+ k[j+2] = (byte)(((c->key[i] + c->mask[i]) >> 16) & 0xFF);
+ k[j+3] = (byte)(((c->key[i] + c->mask[i]) >> 24) & 0xFF);
}
}
{
int i, j;
for (i = 0, j = 0; i < 8; i++, j += 4) {
- k[j + 3] = (byte) (c->k[i] & 0xFF);
- k[j + 2] = (byte) ((c->k[i] >> 8) & 0xFF);
- k[j + 1] = (byte) ((c->k[i] >> 16) & 0xFF);
- k[j + 0] = (byte) ((c->k[i] >> 24) & 0xFF);
+ k[j + 3] = (byte) ((c->key[i] + c->mask[i]) & 0xFF);
+ k[j + 2] = (byte) (((c->key[i] + c->mask[i]) >> 8) & 0xFF);
+ k[j + 1] = (byte) (((c->key[i] + c->mask[i]) >> 16) & 0xFF);
+ k[j + 0] = (byte) (((c->key[i] + c->mask[i]) >> 24) & 0xFF);
}
}
/* Cleans up key from context */
void gost_destroy(gost_ctx * c)
{
- int i;
- for (i = 0; i < 8; i++)
- c->k[i] = 0;
+ OPENSSL_cleanse(c->master_key, sizeof(c->master_key));
+ OPENSSL_cleanse(c->key, sizeof(c->key));
+ OPENSSL_cleanse(c->mask, sizeof(c->mask));
}
/*
buffer[7] << 24);
/* Instead of swapping halves, swap names each round */
- n2 ^= f(c, n1 + c->k[0]);
- n1 ^= f(c, n2 + c->k[1]);
- n2 ^= f(c, n1 + c->k[2]);
- n1 ^= f(c, n2 + c->k[3]);
- n2 ^= f(c, n1 + c->k[4]);
- n1 ^= f(c, n2 + c->k[5]);
- n2 ^= f(c, n1 + c->k[6]);
- n1 ^= f(c, n2 + c->k[7]);
-
- n2 ^= f(c, n1 + c->k[0]);
- n1 ^= f(c, n2 + c->k[1]);
- n2 ^= f(c, n1 + c->k[2]);
- n1 ^= f(c, n2 + c->k[3]);
- n2 ^= f(c, n1 + c->k[4]);
- n1 ^= f(c, n2 + c->k[5]);
- n2 ^= f(c, n1 + c->k[6]);
- n1 ^= f(c, n2 + c->k[7]);
+ n2 ^= f(c, n1 + c->key[0] + c->mask[0]);
+ n1 ^= f(c, n2 + c->key[1] + c->mask[1]);
+ n2 ^= f(c, n1 + c->key[2] + c->mask[2]);
+ n1 ^= f(c, n2 + c->key[3] + c->mask[3]);
+ n2 ^= f(c, n1 + c->key[4] + c->mask[4]);
+ n1 ^= f(c, n2 + c->key[5] + c->mask[5]);
+ n2 ^= f(c, n1 + c->key[6] + c->mask[6]);
+ n1 ^= f(c, n2 + c->key[7] + c->mask[7]);
+
+ n2 ^= f(c, n1 + c->key[0] + c->mask[0]);
+ n1 ^= f(c, n2 + c->key[1] + c->mask[1]);
+ n2 ^= f(c, n1 + c->key[2] + c->mask[2]);
+ n1 ^= f(c, n2 + c->key[3] + c->mask[3]);
+ n2 ^= f(c, n1 + c->key[4] + c->mask[4]);
+ n1 ^= f(c, n2 + c->key[5] + c->mask[5]);
+ n2 ^= f(c, n1 + c->key[6] + c->mask[6]);
+ n1 ^= f(c, n2 + c->key[7] + c->mask[7]);
buffer[0] = (byte) (n1 & 0xff);
buffer[1] = (byte) ((n1 >> 8) & 0xff);
gost_dec(ctx, CryptoProKeyMeshingKey, newkey, 4);
/* set new key */
gost_key(ctx, newkey);
+ OPENSSL_cleanse(newkey, sizeof(newkey));
/* Encrypt iv with new key */
if (iv != NULL ) {
unsigned char newiv[8];
gostcrypt(ctx, iv, newiv);
memcpy(iv, newiv, 8);
+ OPENSSL_cleanse(newiv, sizeof(newiv));
}
}
void acpkm_magma_key_meshing(gost_ctx * ctx)
{
unsigned char newkey[32];
- int i, j;
- unsigned char buf[8], keybuf[8];
-
+ int i;
for (i = 0; i < 4; i++) {
- for (j = 0; j < 8; j++) {
- buf[j] = ACPKM_D_const[8 * i + 7 - j];
- }
- gostcrypt(ctx, buf, keybuf);
- memcpy(newkey + 8 * i, keybuf + 4, 4);
- memcpy(newkey + 8 * i + 4, keybuf, 4);
+ magmacrypt(ctx, ACPKM_D_const + 8 * i, newkey + 8 * i);
}
/* set new key */
- gost_key(ctx, newkey);
+ magma_key(ctx, newkey);
+ OPENSSL_cleanse(newkey, sizeof(newkey));
}
projects / openssl-gost / engine.git / blobdiff