3 * $Id: seal.c,v 1.2 2004/04/08 01:36:15 mdw Exp $
5 * The SEAL pseudo-random function family
7 * (c) 2000 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Header files ------------------------------------------------------*/
36 #include <mLib/bits.h>
45 /*----- Global variables --------------------------------------------------*/
47 const octet seal_keysz[] = { KSZ_ANY, SHA_HASHSZ };
49 /*----- Main code ---------------------------------------------------------*/
53 * Arguments: @uint32 *p@ = output table
54 * @size_t sz@ = size of the output table
55 * @const void *k@ = pointer to key material
56 * @unsigned i@ = integer offset
60 * Use: Initializes a SEAL key table.
63 static void gamma(uint32 *p, size_t sz, const void *k, unsigned i)
65 uint32 buf[80] = { 0 };
67 uint32 aa = LOAD32(kk);
68 uint32 bb = LOAD32(kk + 4);
69 uint32 cc = LOAD32(kk + 8);
70 uint32 dd = LOAD32(kk + 12);
71 uint32 ee = LOAD32(kk + 16);
73 unsigned skip = i % 5;
76 /* --- While there's hashing to do, do hashing --- */
79 uint32 a = aa, b = bb, c = cc, d = dd, e = ee;
82 /* --- Initialize and expand the buffer --- */
86 for (j = 16; j < 80; j++) {
87 uint32 x = buf[j - 3] ^ buf[j - 8] ^ buf[j - 14] ^ buf[j - 16];
91 /* --- Definitions for round functions --- */
93 #define F(x, y, z) (((x) & (y)) | (~(x) & (z)))
94 #define G(x, y, z) ((x) ^ (y) ^ (z))
95 #define H(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
97 #define T(v, w, x, y, z, i, f, k) do { \
99 z = ROL32(v, 5) + f(w, x, y) + z + buf[i] + k; \
101 _x = v; v = z; z = y; y = x; x = w; w = _x; \
104 #define FF(v, w, x, y, z, i) T(v, w, x, y, z, i, F, 0x5a827999)
105 #define GG(v, w, x, y, z, i) T(v, w, x, y, z, i, G, 0x6ed9eba1)
106 #define HH(v, w, x, y, z, i) T(v, w, x, y, z, i, H, 0x8f1bbcdc)
107 #define II(v, w, x, y, z, i) T(v, w, x, y, z, i, G, 0xca62c1d6)
109 /* --- The main compression function --- *
111 * Since this isn't doing bulk hashing, do it the easy way.
114 for (j = 0; j < 20; j++)
115 FF(a, b, c, d, e, j);
116 for (j = 20; j < 40; j++)
117 GG(a, b, c, d, e, j);
118 for (j = 40; j < 60; j++)
119 HH(a, b, c, d, e, j);
120 for (j = 60; j < 80; j++)
121 II(a, b, c, d, e, j);
123 /* --- Do the chaining at the end --- */
125 a += aa; b += bb; c += cc; d += dd; e += ee;
127 /* --- Write to the output buffer --- */
131 if (sz) { *p++ = a; sz--; }
133 if (sz) { *p++ = b; sz--; }
135 if (sz) { *p++ = c; sz--; }
137 if (sz) { *p++ = d; sz--; }
139 if (sz) { *p++ = e; sz--; }
145 /* --- @seal_initkey@ --- *
147 * Arguments: @seal_key *k@ = pointer to key block
148 * @const void *buf@ = pointer to key material
149 * @size_t sz@ = size of the key material
153 * Use: Initializes a SEAL key block. The key material may be any
154 * size, but if it's not 20 bytes long it's passed to SHA for
158 void seal_initkey(seal_key *k, const void *buf, size_t sz)
160 /* --- Hash the key if it's the wrong size --- */
162 if (sz == SHA_HASHSZ)
163 memcpy(k->k, buf, sizeof(k->k));
167 sha_hash(&c, buf, sz);
171 /* --- Expand the key to fit the various tables --- */
173 gamma(k->t, 512, k->k, 0);
174 gamma(k->s, 256, k->k, 0x1000);
175 gamma(k->r, SEAL_R, k->k, 0x2000);
178 /* --- @seal_reset@ --- *
180 * Arguments: @seal_ctx *c@ = pointer to a SEAL context
184 * Use: Resets the context so that more data can be extracted from
188 static void seal_reset(seal_ctx *c)
195 /* --- Initialize the new chaining variables --- */
197 if (c->l >= SEAL_R) {
198 gamma(c->rbuf, SEAL_R, k->k, c->ri);
205 B = ROR32(n, 8) ^ c->r[1];
206 C = ROR32(n, 16) ^ c->r[2];
207 D = ROR32(n, 24) ^ c->r[3];
211 /* --- Ensure that everything is sufficiently diffused --- */
213 p = A & 0x7fc; B += k->t[p >> 2]; A = ROR32(A, 9);
214 p = B & 0x7fc; C += k->t[p >> 2]; B = ROR32(B, 9);
215 p = C & 0x7fc; D += k->t[p >> 2]; C = ROR32(C, 9);
216 p = D & 0x7fc; A += k->t[p >> 2]; D = ROR32(D, 9);
217 p = A & 0x7fc; B += k->t[p >> 2]; A = ROR32(A, 9);
218 p = B & 0x7fc; C += k->t[p >> 2]; B = ROR32(B, 9);
219 p = C & 0x7fc; D += k->t[p >> 2]; C = ROR32(C, 9);
220 p = D & 0x7fc; A += k->t[p >> 2]; D = ROR32(D, 9);
222 /* --- Write out some context --- */
224 c->n1 = D; c->n2 = B; c->n3 = A; c->n4 = C;
226 /* --- Diffuse some more --- */
228 p = A & 0x7fc; B += k->t[p >> 2]; A = ROR32(A, 9);
229 p = B & 0x7fc; C += k->t[p >> 2]; B = ROR32(B, 9);
230 p = C & 0x7fc; D += k->t[p >> 2]; C = ROR32(C, 9);
231 p = D & 0x7fc; A += k->t[p >> 2]; D = ROR32(D, 9);
233 /* --- Write out the magic numbers --- */
235 c->a = A; c->b = B; c->c = C; c->d = D;
239 /* --- @seal_initctx@ --- *
241 * Arguments: @seal_ctx *c@ = pointer to a SEAL context
242 * @seal_key *k@ = pointer to a SEAL key
243 * @uint32 n@ = integer sequence number
247 * Use: Initializes a SEAL context which can be used for random
248 * number generation or whatever.
251 void seal_initctx(seal_ctx *c, seal_key *k, uint32 n)
257 c->ri = 0x2000 + SEAL_R;
262 /* --- @seal_encrypt@ --- *
264 * Arguments: @seal_ctx *c@ = pointer to a SEAL context
265 * @const void *src@ = pointer to source data
266 * @void *dest@ = pointer to destination data
267 * @size_t sz@ = size of the data
271 * Use: Encrypts a block of data using SEAL. If @src@ is zero,
272 * @dest@ is filled with SEAL output. If @dest@ is zero, the
273 * SEAL generator is just spun around for a bit. This shouldn't
274 * be necessary, because SEAL isn't RC4.
277 void seal_encrypt(seal_ctx *c, const void *src, void *dest, size_t sz)
279 const octet *s = src;
282 /* --- Expect a big dollop of bytes --- */
286 uint32 A = c->a, B = c->b, C = c->c, D = c->d;
287 uint32 n1 = c->n1, n2 = c->n2, n3 = c->n3, n4 = c->n4;
288 uint32 aa, bb, cc, dd;
291 /* --- Empty the queue first --- */
296 octet *p = c->q + sizeof(c->q) - c->qsz;
297 for (i = 0; i < c->qsz; i++)
298 *d++ = (s ? *s++ ^ *p++ : *p++);
303 /* --- Main sequence --- */
308 /* --- Reset if we've run out of steam on this iteration --- */
312 A = c->a, B = c->b, C = c->c, D = c->d;
313 n1 = c->n1, n2 = c->n2, n3 = c->n3, n4 = c->n4;
317 /* --- Make some new numbers --- */
319 P = A & 0x7fc; B += k->t[P >> 2]; A = ROR32(A, 9); B ^= A;
320 Q = B & 0x7fc; C ^= k->t[Q >> 2]; B = ROR32(B, 9); C += B;
321 P = (P + C) & 0x7fc; D += k->t[P >> 2]; C = ROR32(C, 9); D ^= C;
322 Q = (Q + D) & 0x7fc; A ^= k->t[Q >> 2]; D = ROR32(D, 9); A += D;
323 P = (P + A) & 0x7fc; B ^= k->t[P >> 2]; A = ROR32(A, 9);
324 Q = (Q + B) & 0x7fc; C += k->t[Q >> 2]; B = ROR32(B, 9);
325 P = (P + C) & 0x7fc; D ^= k->t[P >> 2]; C = ROR32(C, 9);
326 Q = (Q + D) & 0x7fc; A += k->t[Q >> 2]; D = ROR32(D, 9);
328 /* --- Remember the output and set up the next round --- */
330 aa = B + k->s[j + 0];
331 bb = C ^ k->s[j + 1];
332 cc = D + k->s[j + 2];
333 dd = A ^ k->s[j + 3];
337 A += n1, B += n2, C ^= n1, D ^= n2;
339 A += n3, B += n4, C ^= n3, D ^= n4;
341 /* --- Bail out here if we need to do buffering --- */
346 /* --- Write the next 16 bytes --- */
350 aa ^= LOAD32_L(s + 0);
351 bb ^= LOAD32_L(s + 4);
352 cc ^= LOAD32_L(s + 8);
353 dd ^= LOAD32_L(s + 12);
356 STORE32_L(d + 0, aa);
357 STORE32_L(d + 4, bb);
358 STORE32_L(d + 8, cc);
359 STORE32_L(d + 12, dd);
365 /* --- Write the new queue --- */
367 STORE32_L(c->q + 0, aa);
368 STORE32_L(c->q + 4, bb);
369 STORE32_L(c->q + 8, cc);
370 STORE32_L(c->q + 12, dd);
373 c->a = A; c->b = B; c->c = C; c->d = D;
377 /* --- Deal with the rest from the queue --- */
381 octet *p = c->q + sizeof(c->q) - c->qsz;
383 for (i = 0; i < sz; i++)
384 *d++ = (s ? *s++ ^ *p++ : *p++);
390 /*----- Generic cipher interface ------------------------------------------*/
392 typedef struct gctx {
398 static const gcipher_ops gops;
400 static gcipher *ginit(const void *k, size_t sz)
402 gctx *g = S_CREATE(gctx);
404 seal_initkey(&g->k, k, sz);
405 seal_initctx(&g->cc, &g->k, 0);
409 static void gencrypt(gcipher *c, const void *s, void *t, size_t sz)
412 seal_encrypt(&g->cc, s, t, sz);
415 static void gsetiv(gcipher *c, const void *iv)
418 uint32 n = *(const uint32 *)iv;
419 seal_initctx(&g->cc, &g->k, n);
422 static void gdestroy(gcipher *c)
429 static const gcipher_ops gops = {
431 gencrypt, gencrypt, gdestroy, gsetiv, 0
434 const gccipher seal = {
435 "seal", seal_keysz, 0,
439 /*----- Generic random number generator interface -------------------------*/
441 typedef struct grctx {
447 static void grdestroy(grand *r)
449 grctx *g = (grctx *)r;
454 static int grmisc(grand *r, unsigned op, ...)
456 grctx *g = (grctx *)r;
463 switch (va_arg(ap, unsigned)) {
466 case GRAND_SEEDUINT32:
467 case GRAND_SEEDBLOCK:
477 seal_initctx(&g->cc, &g->k, va_arg(ap, int));
479 case GRAND_SEEDUINT32:
480 seal_initctx(&g->cc, &g->k, va_arg(ap, uint32));
482 case GRAND_SEEDBLOCK: {
483 const void *p = va_arg(ap, const void *);
484 size_t sz = va_arg(ap, size_t);
489 octet buf[4] = { 0 };
493 seal_initctx(&g->cc, &g->k, n);
495 case GRAND_SEEDRAND: {
496 grand *rr = va_arg(ap, grand *);
497 seal_initctx(&g->cc, &g->k, rr->ops->word(rr));
508 static octet grbyte(grand *r)
510 grctx *g = (grctx *)r;
512 seal_encrypt(&g->cc, 0, &o, 1);
516 static uint32 grword(grand *r)
518 grctx *g = (grctx *)r;
520 seal_encrypt(&g->cc, 0, b, 4);
524 static void grfill(grand *r, void *p, size_t sz)
526 grctx *g = (grctx *)r;
527 seal_encrypt(&g->cc, 0, p, sz);
530 static const grand_ops grops = {
534 grword, grbyte, grword, grand_range, grfill
537 /* --- @seal_rand@ --- *
539 * Arguments: @const void *k@ = pointer to key material
540 * @size_t sz@ = size of key material
541 * @uint32 n@ = sequence number
543 * Returns: Pointer to generic random number generator interface.
545 * Use: Creates a random number interface wrapper around a SEAL
546 * pseudorandom function.
549 grand *seal_rand(const void *k, size_t sz, uint32 n)
551 grctx *g = S_CREATE(grctx);
553 seal_initkey(&g->k, k, sz);
554 seal_initctx(&g->cc, &g->k, n);
558 /*----- Test rig ----------------------------------------------------------*/
564 #include <mLib/testrig.h>
566 static int verify(dstr *v)
570 uint32 n = *(uint32 *)v[1].buf;
576 DENSURE(&d, v[2].len);
577 DENSURE(&z, v[2].len);
578 memset(z.buf, 0, v[2].len);
579 z.len = d.len = v[2].len;
580 seal_initkey(&k, v[0].buf, v[0].len);
582 for (i = 0; i < v[2].len; i++) {
583 seal_initctx(&c, &k, n);
584 seal_encrypt(&c, 0, d.buf, i);
585 seal_encrypt(&c, z.buf, d.buf + i, d.len - i);
586 if (memcmp(d.buf, v[2].buf, d.len) != 0) {
588 printf("*** seal failure\n");
589 printf("*** k = "); type_hex.dump(&v[0], stdout); putchar('\n');
590 printf("*** n = %08lx\n", (unsigned long)n);
591 printf("*** i = %i\n", i);
592 printf("*** expected = "); type_hex.dump(&v[2], stdout); putchar('\n');
593 printf("*** computed = "); type_hex.dump(&d, stdout); putchar('\n');
603 static test_chunk defs[] = {
604 { "seal", verify, { &type_hex, &type_uint32, &type_hex, 0 } },
608 int main(int argc, char *argv[])
610 test_run(argc, argv, defs, SRCDIR"/tests/seal");
616 /*----- That's all, folks -------------------------------------------------*/