/* gost28147.c - GOST 28147-89 implementation for Libgcrypt
* Copyright (C) 2012 Free Software Foundation, Inc.
*
* This file is part of Libgcrypt.
*
* Libgcrypt is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, see .
*/
/* GOST 28147-89 defines several modes of encryption:
* - ECB which should be used only for key transfer
* - CFB mode
* - OFB-like mode with additional transformation on keystream
* RFC 5830 names this 'counter encryption' mode
* Original GOST text uses the term 'gammirovanie'
* - MAC mode ('imitovstavka')
*
* This implementation handles ECB and CFB modes via usual libgcrypt handling.
* OFB-like modes are unsupported.
*/
#include
#include "types.h"
#include "g10lib.h"
#include "cipher.h"
#include "mac-internal.h"
#include "bufhelp.h"
#include "cipher-internal.h"
#include "gost.h"
#include "gost-sb.h"
static void
gost_do_set_sbox (GOST28147_context *ctx, unsigned int index)
{
ctx->sbox = gost_oid_map[index].sbox;
ctx->mesh_limit = gost_oid_map[index].keymeshing ? 1024 : 0;
}
static gcry_err_code_t
gost_setkey (void *c, const byte *key, unsigned keylen,
cipher_bulk_ops_t *bulk_ops)
{
int i;
GOST28147_context *ctx = c;
(void)bulk_ops;
if (keylen != 256 / 8)
return GPG_ERR_INV_KEYLEN;
if (!ctx->sbox)
gost_do_set_sbox (ctx, 0);
for (i = 0; i < 8; i++)
{
ctx->key[i] = buf_get_le32(&key[4*i]);
}
ctx->mesh_counter = 0;
return GPG_ERR_NO_ERROR;
}
static inline u32
gost_val (u32 subkey, u32 cm1, const u32 *sbox)
{
cm1 += subkey;
cm1 = sbox[0*256 + ((cm1 >> 0) & 0xff)] |
sbox[1*256 + ((cm1 >> 8) & 0xff)] |
sbox[2*256 + ((cm1 >> 16) & 0xff)] |
sbox[3*256 + ((cm1 >> 24) & 0xff)];
return cm1;
}
static unsigned int
_gost_encrypt_data (const u32 *sbox, const u32 *key, u32 *o1, u32 *o2, u32 n1, u32 n2)
{
n2 ^= gost_val (key[0], n1, sbox); n1 ^= gost_val (key[1], n2, sbox);
n2 ^= gost_val (key[2], n1, sbox); n1 ^= gost_val (key[3], n2, sbox);
n2 ^= gost_val (key[4], n1, sbox); n1 ^= gost_val (key[5], n2, sbox);
n2 ^= gost_val (key[6], n1, sbox); n1 ^= gost_val (key[7], n2, sbox);
n2 ^= gost_val (key[0], n1, sbox); n1 ^= gost_val (key[1], n2, sbox);
n2 ^= gost_val (key[2], n1, sbox); n1 ^= gost_val (key[3], n2, sbox);
n2 ^= gost_val (key[4], n1, sbox); n1 ^= gost_val (key[5], n2, sbox);
n2 ^= gost_val (key[6], n1, sbox); n1 ^= gost_val (key[7], n2, sbox);
n2 ^= gost_val (key[0], n1, sbox); n1 ^= gost_val (key[1], n2, sbox);
n2 ^= gost_val (key[2], n1, sbox); n1 ^= gost_val (key[3], n2, sbox);
n2 ^= gost_val (key[4], n1, sbox); n1 ^= gost_val (key[5], n2, sbox);
n2 ^= gost_val (key[6], n1, sbox); n1 ^= gost_val (key[7], n2, sbox);
n2 ^= gost_val (key[7], n1, sbox); n1 ^= gost_val (key[6], n2, sbox);
n2 ^= gost_val (key[5], n1, sbox); n1 ^= gost_val (key[4], n2, sbox);
n2 ^= gost_val (key[3], n1, sbox); n1 ^= gost_val (key[2], n2, sbox);
n2 ^= gost_val (key[1], n1, sbox); n1 ^= gost_val (key[0], n2, sbox);
*o1 = n2;
*o2 = n1;
return /* burn_stack */ 4*sizeof(void*) /* func call */ +
3*sizeof(void*) /* stack */ +
4*sizeof(void*) /* gost_val call */;
}
static unsigned int
gost_encrypt_block (void *c, byte *outbuf, const byte *inbuf)
{
GOST28147_context *ctx = c;
u32 n1, n2;
unsigned int burn;
n1 = buf_get_le32 (inbuf);
n2 = buf_get_le32 (inbuf+4);
burn = _gost_encrypt_data(ctx->sbox, ctx->key, &n1, &n2, n1, n2);
buf_put_le32 (outbuf+0, n1);
buf_put_le32 (outbuf+4, n2);
return /* burn_stack */ burn + 6*sizeof(void*) /* func call */;
}
unsigned int _gcry_gost_enc_data (const u32 *key,
u32 *o1, u32 *o2, u32 n1, u32 n2, int cryptopro)
{
const u32 *sbox;
if (cryptopro)
sbox = sbox_CryptoPro_3411;
else
sbox = sbox_test_3411;
return _gost_encrypt_data (sbox, key, o1, o2, n1, n2) + 7 * sizeof(void *);
}
static unsigned int
gost_decrypt_block (void *c, byte *outbuf, const byte *inbuf)
{
GOST28147_context *ctx = c;
u32 n1, n2;
const u32 *sbox = ctx->sbox;
n1 = buf_get_le32 (inbuf);
n2 = buf_get_le32 (inbuf+4);
n2 ^= gost_val (ctx->key[0], n1, sbox); n1 ^= gost_val (ctx->key[1], n2, sbox);
n2 ^= gost_val (ctx->key[2], n1, sbox); n1 ^= gost_val (ctx->key[3], n2, sbox);
n2 ^= gost_val (ctx->key[4], n1, sbox); n1 ^= gost_val (ctx->key[5], n2, sbox);
n2 ^= gost_val (ctx->key[6], n1, sbox); n1 ^= gost_val (ctx->key[7], n2, sbox);
n2 ^= gost_val (ctx->key[7], n1, sbox); n1 ^= gost_val (ctx->key[6], n2, sbox);
n2 ^= gost_val (ctx->key[5], n1, sbox); n1 ^= gost_val (ctx->key[4], n2, sbox);
n2 ^= gost_val (ctx->key[3], n1, sbox); n1 ^= gost_val (ctx->key[2], n2, sbox);
n2 ^= gost_val (ctx->key[1], n1, sbox); n1 ^= gost_val (ctx->key[0], n2, sbox);
n2 ^= gost_val (ctx->key[7], n1, sbox); n1 ^= gost_val (ctx->key[6], n2, sbox);
n2 ^= gost_val (ctx->key[5], n1, sbox); n1 ^= gost_val (ctx->key[4], n2, sbox);
n2 ^= gost_val (ctx->key[3], n1, sbox); n1 ^= gost_val (ctx->key[2], n2, sbox);
n2 ^= gost_val (ctx->key[1], n1, sbox); n1 ^= gost_val (ctx->key[0], n2, sbox);
n2 ^= gost_val (ctx->key[7], n1, sbox); n1 ^= gost_val (ctx->key[6], n2, sbox);
n2 ^= gost_val (ctx->key[5], n1, sbox); n1 ^= gost_val (ctx->key[4], n2, sbox);
n2 ^= gost_val (ctx->key[3], n1, sbox); n1 ^= gost_val (ctx->key[2], n2, sbox);
n2 ^= gost_val (ctx->key[1], n1, sbox); n1 ^= gost_val (ctx->key[0], n2, sbox);
buf_put_le32 (outbuf+0, n2);
buf_put_le32 (outbuf+4, n1);
return /* burn_stack */ 4*sizeof(void*) /* func call */ +
3*sizeof(void*) /* stack */ +
4*sizeof(void*) /* gost_val call */;
}
static gpg_err_code_t
gost_set_sbox (GOST28147_context *ctx, const char *oid)
{
int i;
for (i = 0; gost_oid_map[i].oid; i++)
{
if (!strcmp(gost_oid_map[i].oid, oid))
{
gost_do_set_sbox (ctx, i);
return 0;
}
}
return GPG_ERR_VALUE_NOT_FOUND;
}
static gpg_err_code_t
gost_set_extra_info (void *c, int what, const void *buffer, size_t buflen)
{
GOST28147_context *ctx = c;
gpg_err_code_t ec = 0;
(void)buffer;
(void)buflen;
switch (what)
{
case GCRYCTL_SET_SBOX:
ec = gost_set_sbox (ctx, buffer);
break;
default:
ec = GPG_ERR_INV_OP;
break;
}
return ec;
}
static const byte CryptoProKeyMeshingKey[] = {
0x69, 0x00, 0x72, 0x22, 0x64, 0xC9, 0x04, 0x23,
0x8D, 0x3A, 0xDB, 0x96, 0x46, 0xE9, 0x2A, 0xC4,
0x18, 0xFE, 0xAC, 0x94, 0x00, 0xED, 0x07, 0x12,
0xC0, 0x86, 0xDC, 0xC2, 0xEF, 0x4C, 0xA9, 0x2B
};
/* Implements key meshing algorithm by modifing ctx and returning new IV.
Thanks to Dmitry Belyavskiy. */
static void
cryptopro_key_meshing (GOST28147_context *ctx)
{
unsigned char newkey[32];
unsigned int i;
/* "Decrypt" the static keymeshing key */
for (i = 0; i < 4; i++)
{
gost_decrypt_block (ctx, newkey + i*8, CryptoProKeyMeshingKey + i*8);
}
/* Set new key */
for (i = 0; i < 8; i++)
{
ctx->key[i] = buf_get_le32(&newkey[4*i]);
}
ctx->mesh_counter = 0;
}
static unsigned int
gost_encrypt_block_mesh (void *c, byte *outbuf, const byte *inbuf)
{
GOST28147_context *ctx = c;
u32 n1, n2;
unsigned int burn;
n1 = buf_get_le32 (inbuf);
n2 = buf_get_le32 (inbuf+4);
if (ctx->mesh_limit && (ctx->mesh_counter == ctx->mesh_limit))
{
cryptopro_key_meshing (ctx);
/* Yes, encrypt twice: once for KeyMeshing procedure per RFC 4357,
* once for block encryption */
_gost_encrypt_data(ctx->sbox, ctx->key, &n1, &n2, n1, n2);
}
burn = _gost_encrypt_data(ctx->sbox, ctx->key, &n1, &n2, n1, n2);
ctx->mesh_counter += 8;
buf_put_le32 (outbuf+0, n1);
buf_put_le32 (outbuf+4, n2);
return /* burn_stack */ burn + 6*sizeof(void*) /* func call */;
}
static const gcry_cipher_oid_spec_t oids_gost28147_mesh[] =
{
{ "1.2.643.2.2.21", GCRY_CIPHER_MODE_CFB },
/* { "1.2.643.2.2.31.0", GCRY_CIPHER_MODE_CNTGOST }, */
{ "1.2.643.2.2.31.1", GCRY_CIPHER_MODE_CFB },
{ "1.2.643.2.2.31.2", GCRY_CIPHER_MODE_CFB },
{ "1.2.643.2.2.31.3", GCRY_CIPHER_MODE_CFB },
{ "1.2.643.2.2.31.4", GCRY_CIPHER_MODE_CFB },
{ NULL }
};
gcry_cipher_spec_t _gcry_cipher_spec_gost28147 =
{
GCRY_CIPHER_GOST28147, {0, 0},
"GOST28147", NULL, NULL, 8, 256,
sizeof (GOST28147_context),
gost_setkey,
gost_encrypt_block,
gost_decrypt_block,
NULL, NULL, NULL, gost_set_extra_info,
};
/* Meshing is used only for CFB, so no need to have separate
* gost_decrypt_block_mesh.
* Moreover key meshing is specified as encrypting the block (IV). Decrypting
* it afterwards would be meaningless. */
gcry_cipher_spec_t _gcry_cipher_spec_gost28147_mesh =
{
GCRY_CIPHER_GOST28147_MESH, {0, 0},
"GOST28147_MESH", NULL, oids_gost28147_mesh, 8, 256,
sizeof (GOST28147_context),
gost_setkey,
gost_encrypt_block_mesh,
gost_decrypt_block,
NULL, NULL, NULL, gost_set_extra_info,
};
static gcry_err_code_t
gost_imit_open (gcry_mac_hd_t h)
{
memset(&h->u.imit, 0, sizeof(h->u.imit));
return 0;
}
static void
gost_imit_close (gcry_mac_hd_t h)
{
(void) h;
}
static gcry_err_code_t
gost_imit_setkey (gcry_mac_hd_t h, const unsigned char *key, size_t keylen)
{
int i;
if (keylen != 256 / 8)
return GPG_ERR_INV_KEYLEN;
if (!h->u.imit.ctx.sbox)
h->u.imit.ctx.sbox = sbox_CryptoPro_A;
for (i = 0; i < 8; i++)
{
h->u.imit.ctx.key[i] = buf_get_le32(&key[4*i]);
}
return 0;
}
static gcry_err_code_t
gost_imit_setiv (gcry_mac_hd_t h,
const unsigned char *iv,
size_t ivlen)
{
if (ivlen != 8)
return GPG_ERR_INV_LENGTH;
h->u.imit.n1 = buf_get_le32 (iv + 0);
h->u.imit.n2 = buf_get_le32 (iv + 4);
return 0;
}
static gcry_err_code_t
gost_imit_reset (gcry_mac_hd_t h)
{
h->u.imit.n1 = h->u.imit.n2 = 0;
h->u.imit.unused = 0;
return 0;
}
static unsigned int
_gost_imit_block (const u32 *sbox, const u32 *key, u32 *o1, u32 *o2, u32 n1, u32 n2)
{
n1 ^= *o1;
n2 ^= *o2;
n2 ^= gost_val (key[0], n1, sbox); n1 ^= gost_val (key[1], n2, sbox);
n2 ^= gost_val (key[2], n1, sbox); n1 ^= gost_val (key[3], n2, sbox);
n2 ^= gost_val (key[4], n1, sbox); n1 ^= gost_val (key[5], n2, sbox);
n2 ^= gost_val (key[6], n1, sbox); n1 ^= gost_val (key[7], n2, sbox);
n2 ^= gost_val (key[0], n1, sbox); n1 ^= gost_val (key[1], n2, sbox);
n2 ^= gost_val (key[2], n1, sbox); n1 ^= gost_val (key[3], n2, sbox);
n2 ^= gost_val (key[4], n1, sbox); n1 ^= gost_val (key[5], n2, sbox);
n2 ^= gost_val (key[6], n1, sbox); n1 ^= gost_val (key[7], n2, sbox);
*o1 = n1;
*o2 = n2;
return /* burn_stack */ 4*sizeof(void*) /* func call */ +
3*sizeof(void*) /* stack */ +
4*sizeof(void*) /* gost_val call */;
}
static inline unsigned int
gost_imit_block (GOST28147_context *ctx, u32 *n1, u32 *n2, const unsigned char *buf)
{
if (ctx->mesh_limit && (ctx->mesh_counter == ctx->mesh_limit))
cryptopro_key_meshing (ctx);
return _gost_imit_block (ctx->sbox, ctx->key,
n1, n2,
buf_get_le32 (buf+0),
buf_get_le32 (buf+4));
}
static gcry_err_code_t
gost_imit_write (gcry_mac_hd_t h, const unsigned char *buf, size_t buflen)
{
const int blocksize = 8;
unsigned int burn = 0;
if (!buflen || !buf)
return GPG_ERR_NO_ERROR;
if (h->u.imit.unused)
{
for (; buflen && h->u.imit.unused < blocksize; buflen --)
h->u.imit.lastiv[h->u.imit.unused++] = *buf++;
if (h->u.imit.unused < blocksize)
return GPG_ERR_NO_ERROR;
h->u.imit.count ++;
burn = gost_imit_block (&h->u.imit.ctx,
&h->u.imit.n1, &h->u.imit.n2,
h->u.imit.lastiv);
h->u.imit.unused = 0;
}
while (buflen >= blocksize)
{
h->u.imit.count ++;
burn = gost_imit_block (&h->u.imit.ctx,
&h->u.imit.n1, &h->u.imit.n2,
buf);
buf += blocksize;
buflen -= blocksize;
}
for (; buflen; buflen--)
h->u.imit.lastiv[h->u.imit.unused++] = *buf++;
_gcry_burn_stack (burn);
return GPG_ERR_NO_ERROR;
}
static void
gost_imit_finish (gcry_mac_hd_t h)
{
static const unsigned char zero[8] = {0};
/* Fill till full block */
if (h->u.imit.unused)
gost_imit_write(h, zero, 8 - h->u.imit.unused);
if (h->u.imit.count == 1)
gost_imit_write(h, zero, 8);
}
static gcry_err_code_t
gost_imit_read (gcry_mac_hd_t h, unsigned char *outbuf, size_t * outlen)
{
unsigned int dlen = 8;
unsigned char digest[8];
gost_imit_finish (h);
buf_put_le32 (digest+0, h->u.imit.n1);
buf_put_le32 (digest+4, h->u.imit.n2);
if (*outlen <= dlen)
buf_cpy (outbuf, digest, *outlen);
else
{
buf_cpy (outbuf, digest, dlen);
*outlen = dlen;
}
return 0;
}
static gcry_err_code_t
gost_imit_verify (gcry_mac_hd_t h, const unsigned char *buf, size_t buflen)
{
unsigned char tbuf[8];
gost_imit_finish (h);
buf_put_le32 (tbuf+0, h->u.imit.n1);
buf_put_le32 (tbuf+4, h->u.imit.n2);
return buf_eq_const(tbuf, buf, buflen) ?
GPG_ERR_NO_ERROR : GPG_ERR_CHECKSUM;
}
static unsigned int
gost_imit_get_maclen (int algo)
{
(void) algo;
return 4; /* or 8 */
}
static unsigned int
gost_imit_get_keylen (int algo)
{
(void) algo;
return 256 / 8;
}
static gpg_err_code_t
gost_imit_set_extra_info (gcry_mac_hd_t hd, int what, const void *buffer, size_t buflen)
{
gpg_err_code_t ec = 0;
(void)buffer;
(void)buflen;
switch (what)
{
case GCRYCTL_SET_SBOX:
ec = gost_set_sbox (&hd->u.imit.ctx, buffer);
break;
default:
ec = GPG_ERR_INV_OP;
break;
}
return ec;
}
static gcry_mac_spec_ops_t gost_imit_ops = {
gost_imit_open,
gost_imit_close,
gost_imit_setkey,
gost_imit_setiv,
gost_imit_reset,
gost_imit_write,
gost_imit_read,
gost_imit_verify,
gost_imit_get_maclen,
gost_imit_get_keylen,
gost_imit_set_extra_info,
NULL
};
const gcry_mac_spec_t _gcry_mac_type_spec_gost28147_imit =
{
GCRY_MAC_GOST28147_IMIT, {0, 0}, "GOST28147_IMIT",
&gost_imit_ops
};