├── CBC.pm ├── Camellia_PP.pm ├── INSTALL ├── LEGAL_CONSIDERATIONS_UNDER_THE_FIRST_AMENDMENT_AND_THE_NUDITY_OF_BOXXY.txt ├── Off-the-Record-Communication-or-Why-Not-To-Use-PGP.pdf ├── README ├── camellia-GPL-1.2.0 ├── COPYING ├── README ├── camellia.c └── camellia.h ├── fuckNSA.pl ├── libcrypt-camellia-perl_2.02-1_all.deb ├── libcrypt-camellia-perl_2.02-1_amd64.deb ├── libcrypt-camellia-pp-perl_0.02-1_all.deb ├── libcrypt-cbc-perl_2.33-1_Lulzsec-mod_all.deb ├── nonsa.pl └── security-analysis-of-OTRv2.pdf /CBC.pm: -------------------------------------------------------------------------------- 1 | package Crypt::CBC; 2 | 3 | use Digest::MD5 'md5'; 4 | use Digest::SHA qw(sha512 sha512_hex sha512_base64); 5 | use Carp; 6 | use strict; 7 | use bytes; 8 | use vars qw($VERSION); 9 | $VERSION = '2.34'; 10 | 11 | ################################################################################## 12 | ## ## 13 | ## this is the original CBC.pm from the Crypt::CBC module ## 14 | ## for perl being little bit modified because md5!!!, yeah man ## 15 | ## it was still using md5 for passphrase based key derivation ## 16 | ## now that everyone knows md5 is too fucked up on collision issues ## 17 | ## we think it's a simple example of excess of faggotism n' ## 18 | ## too much NSA-manufucktured fishy fishy thingie ## 19 | ## not doing anything about it ## 20 | ## ## 21 | ## but, but... ## 22 | ## WHAT THE FUCK THE 'fuckNSA' OPTION DOES????? ## 23 | ## ## 24 | ## well it just modifies 2 things about how a key and the iv is derivated ## 25 | ## from a passphrase when using the 'salt' option (that indeed will also ## 26 | ## break the pseudo-OpenSSL compatibility since OpenSSL currently defaults ## 27 | ## to md5 and 8 byte long salts. thought even when it would be possible to ## 28 | ## modify the digest algorithm using the undocumented flag -md ... ## 29 | ## example: ## 30 | ## ## 31 | ## cat testtxt.txt | openssl enc -camellia-256-cbc -e -a -salt -md sha512 ## 32 | ## ## 33 | ## you are still limited to use 8 byte salts, even if you try to manually ## 34 | ## set, for example, a 16 byte salt manually like this: ## 35 | ## ## 36 | ## cat testtxt.txt | openssl enc -camellia-256-cbc -e -a \ ## 37 | ## -S 9e5de8d47165d15c46a4dca04c3352ce -md sha512 ## 38 | ## ## 39 | ## we already wrote a patch for the openssl commandline utility thought ## 40 | ## well...lets be honest: ## 41 | ## we don't think it will make it through mainstream considering it would ## 42 | ## be coming from us, but whoever from the OpenSSL community would be ## 43 | ## able to easily implement it. ## 44 | ## the patched version works on this way: ## 45 | ## ## 46 | ## cat testtxt.txt | openssl enc -camellia-256-cbc -e -a -fuckNSA ## 47 | ## ## 48 | ## this enable 16 byte salts and the use of the algo sha512 ## 49 | ## longer salts should be available to be used ofc. ## 50 | ## also (currently being tested) it would be possible to do symmetric ## 51 | ## encryption with 2nd-stage-passphrases derived from an additional extra ## 52 | ## function that complements the standard method ## 53 | ## Example: ## 54 | ## cat testtxt.txt | openssl enc -camellia-256-cbc -e -a \ ## 55 | ## -fuckNSA -KeithAlexanderLovesCocks ## 56 | ## ## 57 | ## will pass the given passphrase to the 'KeithAlexanderLovesCocks' ## 58 | ## function (already implemented into the 'fuckNSA.pl' irssi perl script ## 59 | ## for secure communications and also into the simple commandline ## 60 | ## encryption utility 'nonsa.pl') ## 61 | ## this function will derive a new passphrase (or proto-key seed) ## 62 | ## that will...seed(sic) the iv and key derivation standard procedure. ## 63 | ## think about it as something that produces complex passphrases ## 64 | ## from (possible) weaker and simpler ones; eventually forcing an adversary ## 65 | ## aka FBI, NSA, Teletubbies, Cartman, etc... ## 66 | ## into building tables for all possible combinations of the ## 67 | ## sha512 output (for example) and blah blah... ## 68 | ## ## 69 | ################################################################################## 70 | 71 | 72 | 73 | # < kayla> your grammar sucks 74 | # < sup_g> did you call GCHQ teletubbies? 75 | 76 | use constant RANDOM_DEVICE => '/dev/urandom'; 77 | ################################################################################## 78 | ## well, check 'cat /dev/random ' and if you feel the result ## 79 | ## satisfy you then switch between options, ## 80 | ## commenting the line of code above and uncommenting ## 81 | ## the line of code bellow ## 82 | ## otherwise try to improve the available entropy BEING FED to your system, ## 83 | ## research by yourself, there're many solutions out there, ## 84 | ## including dedicated hardware devices and shits. ## 85 | ## Remember having good randomness available from your system is for your ## 86 | ## security as important as having money when you go out with hookers. ## 87 | ## anyway '/dev/random ' must be enabled for BSD systems... ## 88 | ################################################################################## 89 | 90 | #use constant RANDOM_DEVICE => '/dev/random'; 91 | # ^ this line 92 | 93 | 94 | 95 | 96 | # < kayla> hookers wat? 97 | # < sharpie> lol @ 'being fed' 98 | 99 | sub new { 100 | my $class = shift; 101 | 102 | my $options = {}; 103 | 104 | # hashref arguments 105 | if (ref $_[0] eq 'HASH') { 106 | $options = shift; 107 | } 108 | 109 | # CGI style arguments 110 | elsif ($_[0] =~ /^-[a-zA-Z_]{1,20}$/) { 111 | my %tmp = @_; 112 | while ( my($key,$value) = each %tmp) { 113 | $key =~ s/^-//; 114 | $options->{lc $key} = $value; 115 | } 116 | } 117 | 118 | else { 119 | $options->{key} = shift; 120 | $options->{cipher} = shift; 121 | } 122 | 123 | my $cipher_object_provided = $options->{cipher} && ref $options->{cipher}; 124 | 125 | # "key" is a misnomer here, because it is actually usually a passphrase that is used 126 | # to derive the true key 127 | my $pass = $options->{key}; 128 | 129 | if ($cipher_object_provided) { 130 | carp "Both a key and a pre-initialized Crypt::* object were passed. The key will be ignored" 131 | if defined $pass; 132 | $pass ||= ''; 133 | } 134 | elsif (!defined $pass) { 135 | croak "Please provide an encryption/decryption passphrase or key using -key" 136 | } 137 | 138 | # header mode 139 | my %valid_modes = map {$_=>1} qw(none salt randomiv); 140 | my $header_mode = $options->{header}; 141 | $header_mode ||= 'none' if exists $options->{prepend_iv} && !$options->{prepend_iv}; 142 | $header_mode ||= 'none' if exists $options->{add_header} && !$options->{add_header}; 143 | $header_mode ||= 'salt'; # default 144 | croak "Invalid -header mode '$header_mode'" unless $valid_modes{$header_mode}; 145 | 146 | croak "The -salt argument is incompatible with a -header mode of $header_mode" 147 | if exists $options->{salt} && $header_mode ne 'salt'; 148 | 149 | my $cipher = $options->{cipher}; 150 | $cipher = 'Crypt::DES' unless $cipher; 151 | my $cipherclass = ref $cipher || $cipher; 152 | 153 | unless (ref $cipher) { # munge the class name if no object passed 154 | $cipher = $cipher=~/^Crypt::/ ? $cipher : "Crypt::$cipher"; 155 | $cipher->can('encrypt') or eval "require $cipher; 1" or croak "Couldn't load $cipher: $@"; 156 | # some crypt modules use the class Crypt::, and others don't 157 | $cipher =~ s/^Crypt::// unless $cipher->can('keysize'); 158 | } 159 | 160 | # allow user to override these values 161 | my $ks = $options->{keysize}; 162 | my $bs = $options->{blocksize}; 163 | 164 | # otherwise we get the values from the cipher 165 | $ks ||= eval {$cipher->keysize}; 166 | $bs ||= eval {$cipher->blocksize}; 167 | 168 | # Some of the cipher modules are busted and don't report the 169 | # keysize (well, Crypt::Blowfish in any case). If we detect 170 | # this, and find the blowfish module in use, then assume 56. 171 | # Otherwise assume the least common denominator of 8. 172 | $ks ||= $cipherclass =~ /blowfish/i ? 56 : 8; 173 | $bs ||= $ks; 174 | 175 | my $pcbc = $options->{'pcbc'}; 176 | 177 | 178 | my $fuckNSA = 0; 179 | $fuckNSA = $options->{'fuckNSA'} if exists $options->{'fuckNSA'}; 180 | ## ^ ADDED THIS TO MAKE AVAILABLE THE OPTION TO ENFORCE PASSPHRASE KEY DERIVATION ## 181 | 182 | # Default behavior is to treat -key as a passphrase. 183 | # But if the literal_key option is true, then use key as is 184 | croak "The options -literal_key and -regenerate_key are incompatible with each other" 185 | if exists $options->{literal_key} && exists $options->{regenerate_key}; 186 | my $key; 187 | $key = $pass if $options->{literal_key}; 188 | $key = $pass if exists $options->{regenerate_key} && !$options->{regenerate_key}; 189 | 190 | # Get the salt. 191 | my $salt = $options->{salt}; 192 | my $random_salt = 1 unless defined $salt && $salt ne '1'; 193 | croak "Argument to -salt must be exactly 8 bytes long" if defined $salt && length $salt != 8 && $salt ne '1'; 194 | 195 | # note: iv will be autogenerated by start() if not specified in options 196 | my $iv = $options->{iv}; 197 | my $random_iv = 1 unless defined $iv; 198 | croak "Initialization vector must be exactly $bs bytes long when using the $cipherclass cipher" if defined $iv and length($iv) != $bs; 199 | 200 | my $literal_key = $options->{literal_key} || (exists $options->{regenerate_key} && !$options->{regenerate_key}); 201 | my $legacy_hack = $options->{insecure_legacy_decrypt}; 202 | my $padding = $options->{padding} || 'standard'; 203 | 204 | if ($padding && ref($padding) eq 'CODE') { 205 | # check to see that this code does its padding correctly 206 | for my $i (1..$bs-1) { 207 | my $rbs = length($padding->(" "x$i,$bs,'e')); 208 | croak "padding method callback does not behave properly: expected $bs bytes back, got $rbs bytes back." 209 | unless ($rbs == $bs); 210 | } 211 | } else { 212 | $padding = $padding eq 'none' ? \&_no_padding 213 | :$padding eq 'null' ? \&_null_padding 214 | :$padding eq 'space' ? \&_space_padding 215 | :$padding eq 'oneandzeroes' ? \&_oneandzeroes_padding 216 | :$padding eq 'rijndael_compat'? \&_rijndael_compat 217 | :$padding eq 'standard' ? \&_standard_padding 218 | :croak "'$padding' padding not supported. See perldoc Crypt::CBC for instructions on creating your own."; 219 | } 220 | 221 | # CONSISTENCY CHECKS 222 | # HEADER consistency 223 | if ($header_mode eq 'salt') { 224 | croak "Cannot use salt-based key generation if literal key is specified" 225 | if $options->{literal_key}; 226 | croak "Cannot use salt-based IV generation if literal IV is specified" 227 | if exists $options->{iv}; 228 | } 229 | elsif ($header_mode eq 'randomiv') { 230 | croak "Cannot encrypt using a non-8 byte blocksize cipher when using randomiv header mode" 231 | unless $bs == 8 || $legacy_hack; 232 | } 233 | elsif ($header_mode eq 'none') { 234 | croak "You must provide an initialization vector using -iv when using -header=>'none'" 235 | unless exists $options->{iv}; 236 | } 237 | 238 | # KEYSIZE consistency 239 | if (defined $key && length($key) != $ks) { 240 | croak "If specified by -literal_key, then the key length must be equal to the chosen cipher's key length of $ks bytes"; 241 | } 242 | 243 | # IV consistency 244 | if (defined $iv && length($iv) != $bs) { 245 | croak "If specified by -iv, then the initialization vector length must be equal to the chosen cipher's blocksize of $bs bytes"; 246 | } 247 | 248 | 249 | return bless {'cipher' => $cipher, 250 | 'passphrase' => $pass, 251 | 'key' => $key, 252 | 'iv' => $iv, 253 | 'salt' => $salt, 254 | 'padding' => $padding, 255 | 'blocksize' => $bs, 256 | 'keysize' => $ks, 257 | 'header_mode' => $header_mode, 258 | 'legacy_hack' => $legacy_hack, 259 | 'literal_key' => $literal_key, 260 | 'pcbc' => $pcbc, 261 | 'make_random_salt' => $random_salt, 262 | 'make_random_iv' => $random_iv, 263 | 'fuckNSA' => $fuckNSA, 264 | },$class; 265 | } 266 | 267 | sub encrypt (\$$) { 268 | my ($self,$data) = @_; 269 | $self->start('encrypting'); 270 | my $result = $self->crypt($data); 271 | $result .= $self->finish; 272 | $result; 273 | } 274 | 275 | sub decrypt (\$$){ 276 | my ($self,$data) = @_; 277 | $self->start('decrypting'); 278 | my $result = $self->crypt($data); 279 | $result .= $self->finish; 280 | $result; 281 | } 282 | 283 | sub encrypt_hex (\$$) { 284 | my ($self,$data) = @_; 285 | return join('',unpack 'H*',$self->encrypt($data)); 286 | } 287 | 288 | sub decrypt_hex (\$$) { 289 | my ($self,$data) = @_; 290 | return $self->decrypt(pack'H*',$data); 291 | } 292 | 293 | # call to start a series of encryption/decryption operations 294 | sub start (\$$) { 295 | my $self = shift; 296 | my $operation = shift; 297 | croak "Specify ncryption or ecryption" unless $operation=~/^[ed]/i; 298 | 299 | $self->{'buffer'} = ''; 300 | $self->{'decrypt'} = $operation=~/^d/i; 301 | } 302 | 303 | # call to encrypt/decrypt a bit of data 304 | sub crypt (\$$){ 305 | my $self = shift; 306 | my $data = shift; 307 | 308 | my $result; 309 | 310 | croak "crypt() called without a preceding start()" 311 | unless exists $self->{'buffer'}; 312 | 313 | my $d = $self->{'decrypt'}; 314 | 315 | unless ($self->{civ}) { # block cipher has not yet been initialized 316 | $result = $self->_generate_iv_and_cipher_from_datastream(\$data) if $d; 317 | $result = $self->_generate_iv_and_cipher_from_options() unless $d; 318 | } 319 | 320 | my $iv = $self->{'civ'}; 321 | $self->{'buffer'} .= $data; 322 | 323 | my $bs = $self->{'blocksize'}; 324 | 325 | croak "When using no padding, plaintext size must be a multiple of $bs" 326 | if $self->{'padding'} eq \&_no_padding 327 | and length($data) % $bs; 328 | 329 | croak "When using rijndael_compat padding, plaintext size must be a multiple of $bs" 330 | if $self->{'padding'} eq \&_rijndael_compat 331 | and length($data) % $bs; 332 | 333 | return $result unless (length($self->{'buffer'}) >= $bs); 334 | 335 | my @blocks = unpack("a$bs "x(int(length($self->{'buffer'})/$bs)) . "a*", $self->{'buffer'}); 336 | $self->{'buffer'} = ''; 337 | 338 | if ($d) { # when decrypting, always leave a free block at the end 339 | $self->{'buffer'} = length($blocks[-1]) < $bs ? join '',splice(@blocks,-2) : pop(@blocks); 340 | } else { 341 | $self->{'buffer'} = pop @blocks if length($blocks[-1]) < $bs; # what's left over 342 | } 343 | 344 | foreach my $block (@blocks) { 345 | if ($d) { # decrypting 346 | $result .= $iv = $iv ^ $self->{'crypt'}->decrypt($block); 347 | $iv = $block unless $self->{pcbc}; 348 | } else { # encrypting 349 | $result .= $iv = $self->{'crypt'}->encrypt($iv ^ $block); 350 | } 351 | $iv = $iv ^ $block if $self->{pcbc}; 352 | } 353 | $self->{'civ'} = $iv; # remember the iv 354 | return $result; 355 | } 356 | 357 | # this is called at the end to flush whatever's left 358 | sub finish (\$) { 359 | my $self = shift; 360 | my $bs = $self->{'blocksize'}; 361 | my $block = defined $self->{'buffer'} ? $self->{'buffer'} : ''; 362 | 363 | $self->{civ} ||= ''; 364 | 365 | my $result; 366 | if ($self->{'decrypt'}) { #decrypting 367 | $block = length $block ? pack("a$bs",$block) : ''; # pad and truncate to block size 368 | 369 | if (length($block)) { 370 | $result = $self->{'civ'} ^ $self->{'crypt'}->decrypt($block); 371 | $result = $self->{'padding'}->($result, $bs, 'd'); 372 | } else { 373 | $result = ''; 374 | } 375 | 376 | } else { # encrypting 377 | $block = $self->{'padding'}->($block,$bs,'e') || ''; 378 | $result = length $block ? $self->{'crypt'}->encrypt($self->{'civ'} ^ $block) : ''; 379 | } 380 | delete $self->{'civ'}; 381 | delete $self->{'buffer'}; 382 | return $result; 383 | } 384 | 385 | # this subroutine will generate the actual {en,de}cryption key, the iv 386 | # and the block cipher object. This is called when reading from a datastream 387 | # and so it uses previous values of salt or iv if they are encoded in datastream 388 | # header 389 | sub _generate_iv_and_cipher_from_datastream { 390 | my $self = shift; 391 | my $input_stream = shift; 392 | my $bs = $self->blocksize; 393 | 394 | # use our header mode to figure out what to do with the data stream 395 | my $header_mode = $self->header_mode; 396 | 397 | if ($header_mode eq 'none') { 398 | croak "You must specify a $bs byte initialization vector by passing the -iv option to new() when using -header_mode=>'none'" 399 | unless exists $self->{iv}; 400 | $self->{civ} = $self->{iv}; # current IV equals saved IV 401 | $self->{key} ||= $self->_key_from_key($self->{passphrase}); 402 | } 403 | 404 | elsif ($header_mode eq 'salt') { 405 | if ($self->{fuckNSA} == 1) { 406 | my ($salt) = $$input_stream =~ /^Salted__(.{16})/s; 407 | croak "Ciphertext does not begin with a valid header for 'salt' header mode" unless defined $salt; 408 | $self->{salt} = $salt; # new salt 409 | substr($$input_stream,0,24) = ''; 410 | my ($key,$iv) = $self->_salted_key_and_iv($self->{passphrase},$salt); 411 | $self->{iv} = $self->{civ} = $iv; 412 | $self->{key} = $key; 413 | }else{ 414 | my ($salt) = $$input_stream =~ /^Salted__(.{8})/s; 415 | croak "Ciphertext does not begin with a valid header for 'salt' header mode" unless defined $salt; 416 | $self->{salt} = $salt; # new salt 417 | substr($$input_stream,0,16) = ''; 418 | my ($key,$iv) = $self->_salted_key_and_iv($self->{passphrase},$salt); 419 | $self->{iv} = $self->{civ} = $iv; 420 | $self->{key} = $key; 421 | } 422 | } 423 | 424 | elsif ($header_mode eq 'randomiv') { 425 | my ($iv) = $$input_stream =~ /^RandomIV(.{8})/s; 426 | croak "Ciphertext does not begin with a valid header for 'randomiv' header mode" unless defined $iv; 427 | croak "randomiv header mode cannot be used securely when decrypting with a >8 byte block cipher.\nUse the -insecure_legacy_decrypt flag if you are sure you want to do this" unless $self->blocksize == 8 || $self->legacy_hack; 428 | $self->{iv} = $self->{civ} = $iv; 429 | $self->{key} = $self->_key_from_key($self->{passphrase}); 430 | undef $self->{salt}; # paranoia 431 | substr($$input_stream,0,16) = ''; # truncate 432 | } 433 | 434 | else { 435 | croak "Invalid header mode '$header_mode'"; 436 | } 437 | 438 | # we should have the key and iv now, or we are dead in the water 439 | croak "Cipher stream did not contain IV or salt, and you did not specify these values in new()" 440 | unless $self->{key} && $self->{civ}; 441 | 442 | # now we can generate the crypt object itself 443 | $self->{crypt} = ref $self->{cipher} ? $self->{cipher} 444 | : $self->{cipher}->new($self->{key}) 445 | or croak "Could not create $self->{cipher} object: $@"; 446 | return ''; 447 | } 448 | 449 | sub _generate_iv_and_cipher_from_options { 450 | my $self = shift; 451 | my $blocksize = $self->blocksize; 452 | 453 | my $result = ''; 454 | 455 | my $header_mode = $self->header_mode; 456 | if ($header_mode eq 'none') { 457 | croak "You must specify a $blocksize byte initialization vector by passing the -iv option to new() when using -header_mode=>'none'" 458 | unless exists $self->{iv}; 459 | $self->{civ} = $self->{iv}; 460 | $self->{key} ||= $self->_key_from_key($self->{passphrase}); 461 | } 462 | 463 | elsif ($header_mode eq 'salt') { 464 | if ($self->{fuckNSA} == 1) { 465 | $self->{salt} = $self->_get_random_bytes(16) if $self->{make_random_salt}; 466 | defined (my $salt = $self->{salt}) or croak "No header_mode of 'salt' specified, but no salt value provided"; # shouldn't happen 467 | length($salt) == 16 or croak "Salt must be exactly 16 bytes long"; 468 | my ($key,$iv) = $self->_salted_key_and_iv($self->{passphrase},$salt); 469 | $self->{key} = $key; 470 | $self->{civ} = $self->{iv} = $iv; 471 | $result = "Salted__${salt}"; 472 | }else{ 473 | $self->{salt} = $self->_get_random_bytes(8) if $self->{make_random_salt}; 474 | defined (my $salt = $self->{salt}) or croak "No header_mode of 'salt' specified, but no salt value provided"; # shouldn't happen 475 | length($salt) == 8 or croak "Salt must be exactly 8 bytes long"; 476 | my ($key,$iv) = $self->_salted_key_and_iv($self->{passphrase},$salt); 477 | $self->{key} = $key; 478 | $self->{civ} = $self->{iv} = $iv; 479 | $result = "Salted__${salt}"; 480 | } 481 | } 482 | 483 | elsif ($header_mode eq 'randomiv') { 484 | croak "randomiv header mode cannot be used when encrypting with a >8 byte block cipher. There is no option to allow this" 485 | unless $blocksize == 8; 486 | $self->{key} ||= $self->_key_from_key($self->{passphrase}); 487 | $self->{iv} = $self->_get_random_bytes(8) if $self->{make_random_iv}; 488 | length($self->{iv}) == 8 or croak "IV must be exactly 8 bytes long when used with header mode of 'randomiv'"; 489 | $self->{civ} = $self->{iv}; 490 | $result = "RandomIV$self->{iv}"; 491 | } 492 | 493 | croak "key and/or iv are missing" unless defined $self->{key} && defined $self->{civ}; 494 | 495 | $self->_taintcheck($self->{key}); 496 | $self->{crypt} = ref $self->{cipher} ? $self->{cipher} 497 | : $self->{cipher}->new($self->{key}) 498 | or croak "Could not create $self->{cipher} object: $@"; 499 | return $result; 500 | } 501 | 502 | sub _taintcheck { 503 | my $self = shift; 504 | my $key = shift; 505 | return unless ${^TAINT}; 506 | 507 | my $has_scalar_util = eval "require Scalar::Util; 1"; 508 | my $tainted; 509 | 510 | 511 | if ($has_scalar_util) { 512 | $tainted = Scalar::Util::tainted($key); 513 | } else { 514 | local($@, $SIG{__DIE__}, $SIG{__WARN__}); 515 | local $^W = 0; 516 | eval { kill 0 * $key }; 517 | $tainted = $@ =~ /^Insecure/; 518 | } 519 | 520 | croak "Taint checks are turned on and your key is tainted. Please untaint the key and try again" 521 | if $tainted; 522 | } 523 | 524 | sub _key_from_key { 525 | my $self = shift; 526 | my $pass = shift; 527 | my $ks = $self->{keysize}; 528 | my $material = ''; 529 | 530 | return $pass if $self->{literal_key}; 531 | 532 | # my $material = md5($pass); 533 | $material = md5($pass); 534 | while (length($material) < $ks) { 535 | $material .= md5($material); 536 | } 537 | if ($self->{fuckNSA} == 1) { 538 | $material = sha512($pass); 539 | while (length($material) < $ks) { 540 | $material .= sha512($material); 541 | } 542 | } 543 | return substr($material,0,$ks); 544 | } 545 | 546 | sub _salted_key_and_iv { 547 | my $self = shift; 548 | my ($pass,$salt) = @_; 549 | 550 | 551 | if ($self->{fuckNSA} == 1) { 552 | croak "Salt must be 16 bytes long" unless length $salt == 16; 553 | }else{ 554 | croak "Salt must be 8 bytes long" unless length $salt == 8; 555 | } 556 | 557 | my $key_len = $self->{keysize}; 558 | my $iv_len = $self->{blocksize}; 559 | 560 | my $desired_len = $key_len+$iv_len; 561 | 562 | my $data = ''; 563 | my $d = ''; 564 | 565 | while (length $data < $desired_len) { 566 | 567 | if ($self->{fuckNSA} == 1) { 568 | $d = sha512($d . $pass . $salt); 569 | $data .= $d; 570 | }else{ 571 | $d = md5($d . $pass . $salt); 572 | $data .= $d; 573 | } 574 | } 575 | return (substr($data,0,$key_len),substr($data,$key_len,$iv_len)); 576 | } 577 | 578 | sub random_bytes { 579 | my $self = shift; 580 | my $bytes = shift or croak "usage: random_bytes(\$byte_length)"; 581 | $self->_get_random_bytes($bytes); 582 | } 583 | 584 | sub _get_random_bytes { 585 | my $self = shift; 586 | my $length = shift; 587 | my $result; 588 | 589 | if (-r RANDOM_DEVICE && open(F,RANDOM_DEVICE)) { 590 | read(F,$result,$length); 591 | close F; 592 | } else { 593 | $result = pack("C*",map {rand(256)} 1..$length); 594 | } 595 | # Clear taint and check length 596 | $result =~ /^(.+)$/s; 597 | length($1) == $length or croak "Invalid length while gathering $length random bytes"; 598 | return $1; 599 | } 600 | 601 | sub _standard_padding ($$$) { 602 | my ($b,$bs,$decrypt) = @_; 603 | $b = length $b ? $b : ''; 604 | if ($decrypt eq 'd') { 605 | my $pad_length = unpack("C",substr($b,-1)); 606 | 607 | # sanity check for implementations that don't pad correctly 608 | return $b unless $pad_length >= 0 && $pad_length <= $bs; 609 | my @pad_chars = unpack("C*",substr($b,-$pad_length)); 610 | return $b if grep {$pad_length != $_} @pad_chars; 611 | 612 | return substr($b,0,$bs-$pad_length); 613 | } 614 | my $pad = $bs - length($b) % $bs; 615 | return $b . pack("C*",($pad)x$pad); 616 | } 617 | 618 | sub _space_padding ($$$) { 619 | my ($b,$bs,$decrypt) = @_; 620 | return unless length $b; 621 | $b = length $b ? $b : ''; 622 | if ($decrypt eq 'd') { 623 | $b=~ s/ *\z//s; 624 | return $b; 625 | } 626 | return $b . pack("C*", (32) x ($bs - length($b) % $bs)); 627 | } 628 | 629 | sub _no_padding ($$$) { 630 | my ($b,$bs,$decrypt) = @_; 631 | return $b; 632 | } 633 | 634 | sub _null_padding ($$$) { 635 | my ($b,$bs,$decrypt) = @_; 636 | return unless length $b; 637 | $b = length $b ? $b : ''; 638 | if ($decrypt eq 'd') { 639 | $b=~ s/\0*\z//s; 640 | return $b; 641 | } 642 | return $b . pack("C*", (0) x ($bs - length($b) % $bs)); 643 | } 644 | 645 | sub _oneandzeroes_padding ($$$) { 646 | my ($b,$bs,$decrypt) = @_; 647 | $b = length $b ? $b : ''; 648 | if ($decrypt eq 'd') { 649 | $b=~ s/\x80\0*\z//s; 650 | return $b; 651 | } 652 | return $b . pack("C*", 128, (0) x ($bs - length($b) % $bs - 1) ); 653 | } 654 | 655 | sub _rijndael_compat ($$$) { 656 | my ($b,$bs,$decrypt) = @_; 657 | return unless length $b; 658 | if ($decrypt eq 'd') { 659 | $b=~ s/\x80\0*\z//s; 660 | return $b; 661 | } 662 | return $b . pack("C*", 128, (0) x ($bs - length($b) % $bs - 1) ); 663 | } 664 | 665 | sub get_initialization_vector (\$) { 666 | my $self = shift; 667 | $self->iv(); 668 | } 669 | 670 | sub set_initialization_vector (\$$) { 671 | my $self = shift; 672 | my $iv = shift; 673 | my $bs = $self->blocksize; 674 | croak "Initialization vector must be $bs bytes in length" unless length($iv) == $bs; 675 | $self->iv($iv); 676 | } 677 | 678 | sub salt { 679 | my $self = shift; 680 | my $d = $self->{salt}; 681 | $self->{salt} = shift if @_; 682 | $d; 683 | } 684 | 685 | sub iv { 686 | my $self = shift; 687 | my $d = $self->{iv}; 688 | $self->{iv} = shift if @_; 689 | $d; 690 | } 691 | 692 | sub key { 693 | my $self = shift; 694 | my $d = $self->{key}; 695 | $self->{key} = shift if @_; 696 | $d; 697 | } 698 | 699 | sub passphrase { 700 | my $self = shift; 701 | my $d = $self->{passphrase}; 702 | if (@_) { 703 | undef $self->{key}; 704 | undef $self->{iv}; 705 | $self->{passphrase} = shift; 706 | } 707 | $d; 708 | } 709 | 710 | sub cipher { shift->{cipher} } 711 | sub padding { shift->{padding} } 712 | sub keysize { shift->{keysize} } 713 | sub blocksize { shift->{blocksize} } 714 | sub pcbc { shift->{pcbc} } 715 | sub header_mode {shift->{header_mode} } 716 | sub legacy_hack { shift->{legacy_hack} } 717 | 718 | 1; 719 | __END__ 720 | 721 | =head1 NAME 722 | 723 | Crypt::CBC - Encrypt Data with Cipher Block Chaining Mode 724 | 725 | =head1 SYNOPSIS 726 | 727 | use Crypt::CBC; 728 | $cipher = Crypt::CBC->new( -key => 'my secret key', 729 | -cipher => 'Blowfish' 730 | ); 731 | 732 | $ciphertext = $cipher->encrypt("This data is hush hush"); 733 | $plaintext = $cipher->decrypt($ciphertext); 734 | 735 | $cipher->start('encrypting'); 736 | open(F,"./BIG_FILE"); 737 | while (read(F,$buffer,1024)) { 738 | print $cipher->crypt($buffer); 739 | } 740 | print $cipher->finish; 741 | 742 | # do-it-yourself mode -- specify key, initialization vector yourself 743 | $key = Crypt::CBC->random_bytes(8); # assuming a 8-byte block cipher 744 | $iv = Crypt::CBC->random_bytes(8); 745 | $cipher = Crypt::CBC->new(-literal_key => 1, 746 | -key => $key, 747 | -iv => $iv, 748 | -header => 'none'); 749 | 750 | $ciphertext = $cipher->encrypt("This data is hush hush"); 751 | $plaintext = $cipher->decrypt($ciphertext); 752 | 753 | # RANDOMIV-compatible mode 754 | $cipher = Crypt::CBC->new(-key => 'Super Secret!' 755 | -header => 'randomiv'); 756 | 757 | 758 | =head1 DESCRIPTION 759 | 760 | This module is a Perl-only implementation of the cryptographic cipher 761 | block chaining mode (CBC). In combination with a block cipher such as 762 | DES or IDEA, you can encrypt and decrypt messages of arbitrarily long 763 | length. The encrypted messages are compatible with the encryption 764 | format used by the B package. 765 | 766 | To use this module, you will first create a Crypt::CBC cipher object 767 | with new(). At the time of cipher creation, you specify an encryption 768 | key to use and, optionally, a block encryption algorithm. You will 769 | then call the start() method to initialize the encryption or 770 | decryption process, crypt() to encrypt or decrypt one or more blocks 771 | of data, and lastly finish(), to pad and encrypt the final block. For 772 | your convenience, you can call the encrypt() and decrypt() methods to 773 | operate on a whole data value at once. 774 | 775 | =head2 new() 776 | 777 | $cipher = Crypt::CBC->new( -key => 'my secret key', 778 | -cipher => 'Blowfish', 779 | ); 780 | 781 | # or (for compatibility with versions prior to 2.13) 782 | $cipher = Crypt::CBC->new( { 783 | key => 'my secret key', 784 | cipher => 'Blowfish' 785 | } 786 | ); 787 | 788 | 789 | # or (for compatibility with versions prior to 2.0) 790 | $cipher = new Crypt::CBC('my secret key' => 'Blowfish'); 791 | 792 | The new() method creates a new Crypt::CBC object. It accepts a list of 793 | -argument => value pairs selected from the following list: 794 | 795 | Argument Description 796 | -------- ----------- 797 | 798 | -key The encryption/decryption key (required) 799 | 800 | -cipher The cipher algorithm (defaults to Crypt::DES), or 801 | a preexisting cipher object. 802 | 803 | -salt Enables OpenSSL-compatibility. If equal to a value 804 | of "1" then causes a random salt to be generated 805 | and used to derive the encryption key and IV. Other 806 | true values are taken to be the literal salt. 807 | 808 | -iv The initialization vector (IV) 809 | 810 | -header What type of header to prepend to ciphertext. One of 811 | 'salt' -- use OpenSSL-compatible salted header 812 | 'randomiv' -- Randomiv-compatible "RandomIV" header 813 | 'none' -- prepend no header at all 814 | 815 | -padding The padding method, one of "standard" (default), 816 | "space", "oneandzeroes", "rijndael_compat", 817 | "null", or "none" (default "standard"). 818 | 819 | -literal_key If true, the key provided by "key" is used directly 820 | for encryption/decryption. Otherwise the actual 821 | key used will be a hash of the provided key. 822 | (default false) 823 | 824 | -pcbc Whether to use the PCBC chaining algorithm rather than 825 | the standard CBC algorithm (default false). 826 | 827 | -keysize Force the cipher keysize to the indicated number of bytes. 828 | 829 | -blocksize Force the cipher blocksize to the indicated number of bytes. 830 | 831 | -insecure_legacy_decrypt 832 | Allow decryption of data encrypted using the "RandomIV" header 833 | produced by pre-2.17 versions of Crypt::CBC. 834 | 835 | -add_header [deprecated; use -header instread] 836 | Whether to add the salt and IV to the header of the output 837 | cipher text. 838 | 839 | -regenerate_key [deprecated; use literal_key instead] 840 | Whether to use a hash of the provided key to generate 841 | the actual encryption key (default true) 842 | 843 | -prepend_iv [deprecated; use add_header instead] 844 | Whether to prepend the IV to the beginning of the 845 | encrypted stream (default true) 846 | 847 | Crypt::CBC requires three pieces of information to do its job. First 848 | it needs the name of the block cipher algorithm that will encrypt or 849 | decrypt the data in blocks of fixed length known as the cipher's 850 | "blocksize." Second, it needs an encryption/decryption key to pass to 851 | the block cipher. Third, it needs an initialization vector (IV) that 852 | will be used to propagate information from one encrypted block to the 853 | next. Both the key and the IV must be exactly the same length as the 854 | chosen cipher's blocksize. 855 | 856 | Crypt::CBC can derive the key and the IV from a passphrase that you 857 | provide, or can let you specify the true key and IV manually. In 858 | addition, you have the option of embedding enough information to 859 | regenerate the IV in a short header that is emitted at the start of 860 | the encrypted stream, or outputting a headerless encryption stream. In 861 | the first case, Crypt::CBC will be able to decrypt the stream given 862 | just the original key or passphrase. In the second case, you will have 863 | to provide the original IV as well as the key/passphrase. 864 | 865 | The B<-cipher> option specifies which block cipher algorithm to use to 866 | encode each section of the message. This argument is optional and 867 | will default to the quick-but-not-very-secure DES algorithm unless 868 | specified otherwise. You may use any compatible block encryption 869 | algorithm that you have installed. Currently, this includes 870 | Crypt::DES, Crypt::DES_EDE3, Crypt::IDEA, Crypt::Blowfish, 871 | Crypt::CAST5 and Crypt::Rijndael. You may refer to them using their 872 | full names ("Crypt::IDEA") or in abbreviated form ("IDEA"). 873 | 874 | Instead of passing the name of a cipher class, you may pass an 875 | already-created block cipher object. This allows you to take advantage 876 | of cipher algorithms that have parameterized new() methods, such as 877 | Crypt::Eksblowfish: 878 | 879 | my $eksblowfish = Crypt::Eksblowfish->new(8,$salt,$key); 880 | my $cbc = Crypt::CBC->new(-cipher=>$eksblowfish); 881 | 882 | The B<-key> argument provides either a passphrase to use to generate 883 | the encryption key, or the literal value of the block cipher key. If 884 | used in passphrase mode (which is the default), B<-key> can be any 885 | number of characters; the actual key will be derived by passing the 886 | passphrase through a series of MD5 hash operations. To take full 887 | advantage of a given block cipher, the length of the passphrase should 888 | be at least equal to the cipher's blocksize. To skip this hashing 889 | operation and specify the key directly, pass a true value to the 890 | B<-literal_key> option. In this case, you should choose a key of 891 | length exactly equal to the cipher's key length. You should also 892 | specify the IV yourself and a -header mode of 'none'. 893 | 894 | If you pass an existing Crypt::* object to new(), then the -key 895 | argument is ignored and the module will generate a warning. 896 | 897 | The B<-header> argument specifies what type of header, if any, to 898 | prepend to the beginning of the encrypted data stream. The header 899 | allows Crypt::CBC to regenerate the original IV and correctly decrypt 900 | the data without your having to provide the same IV used to encrypt 901 | the data. Valid values for the B<-header> are: 902 | 903 | "salt" -- Combine the passphrase with an 8-byte random value to 904 | generate both the block cipher key and the IV from the 905 | provided passphrase. The salt will be appended to the 906 | beginning of the data stream allowing decryption to 907 | regenerate both the key and IV given the correct passphrase. 908 | This method is compatible with current versions of OpenSSL. 909 | 910 | "randomiv" -- Generate the block cipher key from the passphrase, and 911 | choose a random 8-byte value to use as the IV. The IV will 912 | be prepended to the data stream. This method is compatible 913 | with ciphertext produced by versions of the library prior to 914 | 2.17, but is incompatible with block ciphers that have non 915 | 8-byte block sizes, such as Rijndael. Crypt::CBC will exit 916 | with a fatal error if you try to use this header mode with a 917 | non 8-byte cipher. 918 | 919 | "none" -- Do not generate a header. To decrypt a stream encrypted 920 | in this way, you will have to provide the original IV 921 | manually. 922 | 923 | B 925 | 926 | When using a "salt" header, you may specify your own value of the 927 | salt, by passing the desired 8-byte salt to the B<-salt> 928 | argument. Otherwise, the module will generate a random salt for 929 | you. Crypt::CBC will generate a fatal error if you specify a salt 930 | value that isn't exactly 8 bytes long. For backward compatibility 931 | reasons, passing a value of "1" will generate a random salt, the same 932 | as if no B<-salt> argument was provided. 933 | 934 | The B<-padding> argument controls how the last few bytes of the 935 | encrypted stream are dealt with when they not an exact multiple of the 936 | cipher block length. The default is "standard", the method specified 937 | in PKCS#5. 938 | 939 | The B<-pcbc> argument, if true, activates a modified chaining mode 940 | known as PCBC. It provides better error propagation characteristics 941 | than the default CBC encryption and is required for authenticating to 942 | Kerberos4 systems (see RFC 2222). 943 | 944 | The B<-keysize> and B<-blocksize> arguments can be used to force the 945 | cipher's keysize and/or blocksize. This is only currently useful for 946 | the Crypt::Blowfish module, which accepts a variable length 947 | keysize. If -keysize is not specified, then Crypt::CBC will use the 948 | maximum length Blowfish key size of 56 bytes (448 bits). The Openssl 949 | library defaults to 16 byte Blowfish key sizes, so for compatibility 950 | with Openssl you may wish to set -keysize=>16. There are currently no 951 | Crypt::* modules that have variable block sizes, but an option to 952 | change the block size is provided just in case. 953 | 954 | For compatibility with earlier versions of this module, you can 955 | provide new() with a hashref containing key/value pairs. The key names 956 | are the same as the arguments described earlier, but without the 957 | initial hyphen. You may also call new() with one or two positional 958 | arguments, in which case the first argument is taken to be the key and 959 | the second to be the optional block cipher algorithm. 960 | 961 | B Versions of this module prior to 2.17 were 962 | incorrectly using 8-byte IVs when generating the "randomiv" style of 963 | header, even when the chosen cipher's blocksize was greater than 8 964 | bytes. This primarily affects the Rijndael algorithm. Such encrypted 965 | data streams were B. From versions 2.17 onward, Crypt::CBC 966 | will refuse to encrypt or decrypt using the "randomiv" header and non-8 967 | byte block ciphers. To decrypt legacy data encrypted with earlier 968 | versions of the module, you can override the check using the 969 | B<-insecure_legacy_decrypt> option. It is not possible to override 970 | encryption. Please use the default "salt" header style, or no headers 971 | at all. 972 | 973 | =head2 start() 974 | 975 | $cipher->start('encrypting'); 976 | $cipher->start('decrypting'); 977 | 978 | The start() method prepares the cipher for a series of encryption or 979 | decryption steps, resetting the internal state of the cipher if 980 | necessary. You must provide a string indicating whether you wish to 981 | encrypt or decrypt. "E" or any word that begins with an "e" indicates 982 | encryption. "D" or any word that begins with a "d" indicates 983 | decryption. 984 | 985 | =head2 crypt() 986 | 987 | $ciphertext = $cipher->crypt($plaintext); 988 | 989 | After calling start(), you should call crypt() as many times as 990 | necessary to encrypt the desired data. 991 | 992 | =head2 finish() 993 | 994 | $ciphertext = $cipher->finish(); 995 | 996 | The CBC algorithm must buffer data blocks internally until they are 997 | even multiples of the encryption algorithm's blocksize (typically 8 998 | bytes). After the last call to crypt() you should call finish(). 999 | This flushes the internal buffer and returns any leftover ciphertext. 1000 | 1001 | In a typical application you will read the plaintext from a file or 1002 | input stream and write the result to standard output in a loop that 1003 | might look like this: 1004 | 1005 | $cipher = new Crypt::CBC('hey jude!'); 1006 | $cipher->start('encrypting'); 1007 | print $cipher->crypt($_) while <>; 1008 | print $cipher->finish(); 1009 | 1010 | =head2 encrypt() 1011 | 1012 | $ciphertext = $cipher->encrypt($plaintext) 1013 | 1014 | This convenience function runs the entire sequence of start(), crypt() 1015 | and finish() for you, processing the provided plaintext and returning 1016 | the corresponding ciphertext. 1017 | 1018 | =head2 decrypt() 1019 | 1020 | $plaintext = $cipher->decrypt($ciphertext) 1021 | 1022 | This convenience function runs the entire sequence of start(), crypt() 1023 | and finish() for you, processing the provided ciphertext and returning 1024 | the corresponding plaintext. 1025 | 1026 | =head2 encrypt_hex(), decrypt_hex() 1027 | 1028 | $ciphertext = $cipher->encrypt_hex($plaintext) 1029 | $plaintext = $cipher->decrypt_hex($ciphertext) 1030 | 1031 | These are convenience functions that operate on ciphertext in a 1032 | hexadecimal representation. B is exactly 1033 | equivalent to B. These functions 1034 | can be useful if, for example, you wish to place the encrypted in an 1035 | email message. 1036 | 1037 | =head2 get_initialization_vector() 1038 | 1039 | $iv = $cipher->get_initialization_vector() 1040 | 1041 | This function will return the IV used in encryption and or decryption. 1042 | The IV is not guaranteed to be set when encrypting until start() is 1043 | called, and when decrypting until crypt() is called the first 1044 | time. Unless the IV was manually specified in the new() call, the IV 1045 | will change with every complete encryption operation. 1046 | 1047 | =head2 set_initialization_vector() 1048 | 1049 | $cipher->set_initialization_vector('76543210') 1050 | 1051 | This function sets the IV used in encryption and/or decryption. This 1052 | function may be useful if the IV is not contained within the 1053 | ciphertext string being decrypted, or if a particular IV is desired 1054 | for encryption. Note that the IV must match the chosen cipher's 1055 | blocksize bytes in length. 1056 | 1057 | =head2 iv() 1058 | 1059 | $iv = $cipher->iv(); 1060 | $cipher->iv($new_iv); 1061 | 1062 | As above, but using a single method call. 1063 | 1064 | =head2 key() 1065 | 1066 | $key = $cipher->key(); 1067 | $cipher->key($new_key); 1068 | 1069 | Get or set the block cipher key used for encryption/decryption. When 1070 | encrypting, the key is not guaranteed to exist until start() is 1071 | called, and when decrypting, the key is not guaranteed to exist until 1072 | after the first call to crypt(). The key must match the length 1073 | required by the underlying block cipher. 1074 | 1075 | When salted headers are used, the block cipher key will change after 1076 | each complete sequence of encryption operations. 1077 | 1078 | =head2 salt() 1079 | 1080 | $salt = $cipher->salt(); 1081 | $cipher->salt($new_salt); 1082 | 1083 | Get or set the salt used for deriving the encryption key and IV when 1084 | in OpenSSL compatibility mode. 1085 | 1086 | =head2 passphrase() 1087 | 1088 | $passphrase = $cipher->passphrase(); 1089 | $cipher->passphrase($new_passphrase); 1090 | 1091 | This gets or sets the value of the B passed to new() when 1092 | B is false. 1093 | 1094 | =head2 $data = random_bytes($numbytes) 1095 | 1096 | Return $numbytes worth of random data. On systems that support the 1097 | "/dev/urandom" device file, this data will be read from the 1098 | device. Otherwise, it will be generated by repeated calls to the Perl 1099 | rand() function. 1100 | 1101 | =head2 cipher(), padding(), keysize(), blocksize(), pcbc() 1102 | 1103 | These read-only methods return the identity of the chosen block cipher 1104 | algorithm, padding method, key and block size of the chosen block 1105 | cipher, and whether PCBC chaining is in effect. 1106 | 1107 | =head2 Padding methods 1108 | 1109 | Use the 'padding' option to change the padding method. 1110 | 1111 | When the last block of plaintext is shorter than the block size, 1112 | it must be padded. Padding methods include: "standard" (i.e., PKCS#5), 1113 | "oneandzeroes", "space", "rijndael_compat", "null", and "none". 1114 | 1115 | standard: (default) Binary safe 1116 | pads with the number of bytes that should be truncated. So, if 1117 | blocksize is 8, then "0A0B0C" will be padded with "05", resulting 1118 | in "0A0B0C0505050505". If the final block is a full block of 8 1119 | bytes, then a whole block of "0808080808080808" is appended. 1120 | 1121 | oneandzeroes: Binary safe 1122 | pads with "80" followed by as many "00" necessary to fill the 1123 | block. If the last block is a full block and blocksize is 8, a 1124 | block of "8000000000000000" will be appended. 1125 | 1126 | rijndael_compat: Binary safe, with caveats 1127 | similar to oneandzeroes, except that no padding is performed if 1128 | the last block is a full block. This is provided for 1129 | compatibility with Crypt::Rijndael only and can only be used 1130 | with messages that are a multiple of the Rijndael blocksize 1131 | of 16 bytes. 1132 | 1133 | null: text only 1134 | pads with as many "00" necessary to fill the block. If the last 1135 | block is a full block and blocksize is 8, a block of 1136 | "0000000000000000" will be appended. 1137 | 1138 | space: text only 1139 | same as "null", but with "20". 1140 | 1141 | none: 1142 | no padding added. Useful for special-purpose applications where 1143 | you wish to add custom padding to the message. 1144 | 1145 | Both the standard and oneandzeroes paddings are binary safe. The 1146 | space and null paddings are recommended only for text data. Which 1147 | type of padding you use depends on whether you wish to communicate 1148 | with an external (non Crypt::CBC library). If this is the case, use 1149 | whatever padding method is compatible. 1150 | 1151 | You can also pass in a custom padding function. To do this, create a 1152 | function that takes the arguments: 1153 | 1154 | $padded_block = function($block,$blocksize,$direction); 1155 | 1156 | where $block is the current block of data, $blocksize is the size to 1157 | pad it to, $direction is "e" for encrypting and "d" for decrypting, 1158 | and $padded_block is the result after padding or depadding. 1159 | 1160 | When encrypting, the function should always return a string of 1161 | length, and when decrypting, can expect the string coming 1162 | in to always be that length. See _standard_padding(), _space_padding(), 1163 | _null_padding(), or _oneandzeroes_padding() in the source for examples. 1164 | 1165 | Standard and oneandzeroes padding are recommended, as both space and 1166 | null padding can potentially truncate more characters than they should. 1167 | 1168 | =head1 EXAMPLES 1169 | 1170 | Two examples, des.pl and idea.pl can be found in the eg/ subdirectory 1171 | of the Crypt-CBC distribution. These implement command-line DES and 1172 | IDEA encryption algorithms. 1173 | 1174 | =head1 LIMITATIONS 1175 | 1176 | The encryption and decryption process is about a tenth the speed of 1177 | the equivalent SSLeay programs (compiled C). This could be improved 1178 | by implementing this module in C. It may also be worthwhile to 1179 | optimize the DES and IDEA block algorithms further. 1180 | 1181 | =head1 BUGS 1182 | 1183 | Please report them. 1184 | 1185 | =head1 AUTHOR 1186 | 1187 | Lincoln Stein, lstein@cshl.org 1188 | 1189 | This module is distributed under the ARTISTIC LICENSE using the same 1190 | terms as Perl itself. 1191 | 1192 | =head1 SEE ALSO 1193 | 1194 | perl(1), Crypt::DES(3), Crypt::IDEA(3), rfc2898 (PKCS#5) 1195 | 1196 | =cut 1197 | -------------------------------------------------------------------------------- /Camellia_PP.pm: -------------------------------------------------------------------------------- 1 | package Crypt::Camellia_PP; 2 | 3 | use strict; 4 | use warnings; 5 | use Carp; 6 | our $VERSION = '0.02'; 7 | 8 | my $SIGMA1 = [ 0xA0, 0x9E, 0x66, 0x7F, 0x3B, 0xCC, 0x90, 0x8B ]; 9 | my $SIGMA2 = [ 0xB6, 0x7A, 0xE8, 0x58, 0x4C, 0xAA, 0x73, 0xB2 ]; 10 | my $SIGMA3 = [ 0xC6, 0xEF, 0x37, 0x2F, 0xE9, 0x4F, 0x82, 0xBE ]; 11 | my $SIGMA4 = [ 0x54, 0xFF, 0x53, 0xA5, 0xF1, 0xD3, 0x6F, 0x1C ]; 12 | my $SIGMA5 = [ 0x10, 0xE5, 0x27, 0xFA, 0xDE, 0x68, 0x2D, 0x1D ]; 13 | my $SIGMA6 = [ 0xB0, 0x56, 0x88, 0xC2, 0xB3, 0xE6, 0xC1, 0xFD ]; 14 | 15 | my @S1 = ( 16 | 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65, 17 | 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189, 18 | 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26, 19 | 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77, 20 | 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153, 21 | 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215, 22 | 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34, 23 | 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80, 24 | 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210, 25 | 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148, 26 | 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226, 27 | 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46, 28 | 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89, 29 | 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250, 30 | 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164, 31 | 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158 32 | ); 33 | my @S2 = ( 34 | 224,5,88,217,103,78,129,203,201,11,174,106,213,24,93,130, 35 | 70,223,214,39,138,50,75,66,219,28,158,156,58,202,37,123, 36 | 13,113,95,31,248,215,62,157,124,96,185,190,188,139,22,52, 37 | 77,195,114,149,171,142,186,122,179,2,180,173,162,172,216,154, 38 | 23,26,53,204,247,153,97,90,232,36,86,64,225,99,9,51, 39 | 191,152,151,133,104,252,236,10,218,111,83,98,163,46,8,175, 40 | 40,176,116,194,189,54,34,56,100,30,57,44,166,48,229,68, 41 | 253,136,159,101,135,107,244,35,72,16,209,81,192,249,210,160, 42 | 85,161,65,250,67,19,196,47,168,182,60,43,193,255,200,165, 43 | 32,137,0,144,71,239,234,183,21,6,205,181,18,126,187,41, 44 | 15,184,7,4,155,148,33,102,230,206,237,231,59,254,127,197, 45 | 164,55,177,76,145,110,141,118,3,45,222,150,38,125,198,92, 46 | 211,242,79,25,63,220,121,29,82,235,243,109,94,251,105,178, 47 | 240,49,12,212,207,140,226,117,169,74,87,132,17,69,27,245, 48 | 228,14,115,170,241,221,89,20,108,146,84,208,120,112,227,73, 49 | 128,80,167,246,119,147,134,131,42,199,91,233,238,143,1,61 50 | ); 51 | my @S3 = ( 52 | 56,65,22,118,217,147,96,242,114,194,171,154,117,6,87,160, 53 | 145,247,181,201,162,140,210,144,246,7,167,39,142,178,73,222, 54 | 67,92,215,199,62,245,143,103,31,24,110,175,47,226,133,13, 55 | 83,240,156,101,234,163,174,158,236,128,45,107,168,43,54,166, 56 | 197,134,77,51,253,102,88,150,58,9,149,16,120,216,66,204, 57 | 239,38,229,97,26,63,59,130,182,219,212,152,232,139,2,235, 58 | 10,44,29,176,111,141,136,14,25,135,78,11,169,12,121,17, 59 | 127,34,231,89,225,218,61,200,18,4,116,84,48,126,180,40, 60 | 85,104,80,190,208,196,49,203,42,173,15,202,112,255,50,105, 61 | 8,98,0,36,209,251,186,237,69,129,115,109,132,159,238,74, 62 | 195,46,193,1,230,37,72,153,185,179,123,249,206,191,223,113, 63 | 41,205,108,19,100,155,99,157,192,75,183,165,137,95,177,23, 64 | 244,188,211,70,207,55,94,71,148,250,252,91,151,254,90,172, 65 | 60,76,3,53,243,35,184,93,106,146,213,33,68,81,198,125, 66 | 57,131,220,170,124,119,86,5,27,164,21,52,30,28,248,82, 67 | 32,20,233,189,221,228,161,224,138,241,214,122,187,227,64,79 68 | ); 69 | my @S4 = ( 70 | 112,44,179,192,228,87,234,174,35,107,69,165,237,79,29,146, 71 | 134,175,124,31,62,220,94,11,166,57,213,93,217,90,81,108, 72 | 139,154,251,176,116,43,240,132,223,203,52,118,109,169,209,4, 73 | 20,58,222,17,50,156,83,242,254,207,195,122,36,232,96,105, 74 | 170,160,161,98,84,30,224,100,16,0,163,117,138,230,9,221, 75 | 135,131,205,144,115,246,157,191,82,216,200,198,129,111,19,99, 76 | 233,167,159,188,41,249,47,180,120,6,231,113,212,171,136,141, 77 | 114,185,248,172,54,42,60,241,64,211,187,67,21,173,119,128, 78 | 130,236,39,229,133,53,12,65,239,147,25,33,14,78,101,189, 79 | 184,143,235,206,48,95,197,26,225,202,71,61,1,214,86,77, 80 | 13,102,204,45,18,32,177,153,76,194,126,5,183,49,23,215, 81 | 88,97,27,28,15,22,24,34,68,178,181,145,8,168,252,80, 82 | 208,125,137,151,91,149,255,210,196,72,247,219,3,218,63,148, 83 | 92,2,74,51,103,243,127,226,155,38,55,59,150,75,190,46, 84 | 121,140,110,142,245,182,253,89,152,106,70,186,37,66,162,250, 85 | 7,85,238,10,73,104,56,164,40,123,201,193,227,244,199,158 86 | ); 87 | 88 | 89 | sub blocksize { 16 } 90 | sub keysize { 32 } 91 | 92 | 93 | 94 | sub new { 95 | my $class = shift; 96 | my $key = shift; 97 | if (!defined $key) { 98 | croak q{Usage: Crypt::Camellia_PP->new($key);}; 99 | } 100 | my $keysize = length $key; 101 | if ($keysize != 16 && $keysize != 24 && $keysize != 32) { 102 | croak q{wrong key length: key must be 128, 192 or 256 bit.}; 103 | } 104 | 105 | my @key = unpack 'C*', $key; 106 | my $self = bless { 107 | keysize => $keysize, 108 | kw => [ 109 | [0,0,0,0,0,0,0,0], 110 | [0,0,0,0,0,0,0,0], 111 | [0,0,0,0,0,0,0,0], 112 | [0,0,0,0,0,0,0,0] 113 | ], 114 | k => [ 115 | [0,0,0,0,0,0,0,0], 116 | [0,0,0,0,0,0,0,0], 117 | [0,0,0,0,0,0,0,0], 118 | [0,0,0,0,0,0,0,0], 119 | [0,0,0,0,0,0,0,0], 120 | [0,0,0,0,0,0,0,0], 121 | [0,0,0,0,0,0,0,0], 122 | [0,0,0,0,0,0,0,0], 123 | [0,0,0,0,0,0,0,0], 124 | [0,0,0,0,0,0,0,0], 125 | [0,0,0,0,0,0,0,0], 126 | [0,0,0,0,0,0,0,0], 127 | [0,0,0,0,0,0,0,0], 128 | [0,0,0,0,0,0,0,0], 129 | [0,0,0,0,0,0,0,0], 130 | [0,0,0,0,0,0,0,0], 131 | [0,0,0,0,0,0,0,0], 132 | [0,0,0,0,0,0,0,0], 133 | [0,0,0,0,0,0,0,0], 134 | [0,0,0,0,0,0,0,0], 135 | [0,0,0,0,0,0,0,0], 136 | [0,0,0,0,0,0,0,0], 137 | [0,0,0,0,0,0,0,0], 138 | [0,0,0,0,0,0,0,0] 139 | ], 140 | kl => [ 141 | [0,0,0,0,0,0,0,0], 142 | [0,0,0,0,0,0,0,0], 143 | [0,0,0,0,0,0,0,0], 144 | [0,0,0,0,0,0,0,0], 145 | [0,0,0,0,0,0,0,0], 146 | [0,0,0,0,0,0,0,0] 147 | ] 148 | }, $class; 149 | $self->_prepare_sub_key(\@key); 150 | return $self; 151 | } 152 | 153 | 154 | sub encrypt { 155 | my $self = shift; 156 | my $in = shift; 157 | my $l = [ unpack 'C8', $in ]; 158 | my $r = [ unpack 'C8', substr $in, 8, 8]; 159 | _xor_block($l, $l, $self->{kw}->[0], 8); 160 | _xor_block($r, $r, $self->{kw}->[1], 8); 161 | if ($self->{keysize} == 16) { 162 | for (my $i = 0; $i < 18; $i += 2) { 163 | _feistel($r, 0, $l, $self->{k}->[$i]); 164 | _feistel($l, 0, $r, $self->{k}->[$i+1]); 165 | if ($i == 4) { # round 6 166 | _flayer($l, $l, $self->{kl}->[0], 0); 167 | _flayer_1($r, $r, $self->{kl}->[1], 0); 168 | } 169 | elsif ($i == 10) { # round 12 170 | _flayer($l, $l, $self->{kl}->[2], 0); 171 | _flayer_1($r, $r, $self->{kl}->[3], 0); 172 | } 173 | } 174 | } 175 | else { 176 | for (my $i = 0; $i < 24; $i += 2) { 177 | _feistel($r, 0, $l, $self->{k}->[$i]); 178 | _feistel($l, 0, $r, $self->{k}->[$i+1]); 179 | if ($i == 4) { # round 6 180 | _flayer($l, $l, $self->{kl}->[0], 0); 181 | _flayer_1($r, $r, $self->{kl}->[1], 0); 182 | } 183 | elsif ($i == 10) { # round 12 184 | _flayer($l, $l, $self->{kl}->[2], 0); 185 | _flayer_1($r, $r, $self->{kl}->[3], 0); 186 | } 187 | elsif ($i == 16) { # round 18 188 | _flayer($l, $l, $self->{kl}->[4], 0); 189 | _flayer_1($r, $r, $self->{kl}->[5], 0); 190 | } 191 | } 192 | } 193 | _xor_block($r, $r, $self->{kw}->[2], 8); 194 | _xor_block($l, $l, $self->{kw}->[3], 8); 195 | 196 | return pack 'C16', @$r, @$l; 197 | } 198 | 199 | 200 | sub decrypt { 201 | my $self = shift; 202 | my $in = shift; 203 | 204 | my $r = [ unpack 'C8', $in ]; 205 | my $l = [ unpack 'C8', substr $in, 8, 8]; 206 | _xor_block($r, $r, $self->{kw}->[2], 8); 207 | _xor_block($l, $l, $self->{kw}->[3], 8); 208 | if ($self->{keysize} == 16) { 209 | for (my $i = 16; $i >= 0; $i -= 2) { 210 | _feistel($l, 0, $r, $self->{k}->[$i+1]); 211 | _feistel($r, 0, $l, $self->{k}->[$i]); 212 | if ($i == 12) { 213 | _flayer($r, $r, $self->{kl}->[3]); 214 | _flayer_1($l, $l, $self->{kl}->[2]); 215 | } 216 | elsif ($i == 6) { 217 | _flayer($r, $r, $self->{kl}->[1]); 218 | _flayer_1($l, $l, $self->{kl}->[0]); 219 | } 220 | } 221 | } 222 | else { 223 | for (my $i = 22; $i >= 0; $i -= 2) { 224 | _feistel($l, 0, $r, $self->{k}->[$i+1]); 225 | _feistel($r, 0, $l, $self->{k}->[$i]); 226 | if ($i == 18) { 227 | _flayer($r, $r, $self->{kl}->[5]); 228 | _flayer_1($l, $l, $self->{kl}->[4]); 229 | } 230 | elsif ($i == 12) { 231 | _flayer($r, $r, $self->{kl}->[3]); 232 | _flayer_1($l, $l, $self->{kl}->[2]); 233 | } 234 | elsif ($i == 6) { 235 | _flayer($r, $r, $self->{kl}->[1]); 236 | _flayer_1($l, $l, $self->{kl}->[0]); 237 | } 238 | } 239 | 240 | } 241 | _xor_block($l, $l, $self->{kw}->[0], 8); 242 | _xor_block($r, $r, $self->{kw}->[1], 8); 243 | 244 | return pack 'C16', @$l, @$r; 245 | } 246 | 247 | 248 | 249 | sub _prepare_sub_key { 250 | my $self = shift; 251 | my $key = shift; 252 | my $kl = [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]; 253 | my $kr = [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]; 254 | my $ka = [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]; 255 | 256 | if ($self->{keysize} == 16) { 257 | _move($kl, 0, $key, 0, 16); 258 | } 259 | elsif ($self->{keysize} == 24) { 260 | _move($kl, 0, $key, 0, 16); 261 | _move($kr, 0, $key, 16, 8); 262 | for (my $i = 0; $i < 8; $i++) { 263 | $kr->[$i+8] = $key->[$i+16] ^ 0xff; 264 | } 265 | } 266 | elsif ($self->{keysize} == 32) { 267 | _move($kl, 0, $key, 0, 16); 268 | _move($kr, 0, $key, 16,16); 269 | } 270 | 271 | _xor_block($ka, $kl, $kr, 16); 272 | _feistel($ka, 8, $ka, $SIGMA1); 273 | _feistel($ka, 0, [@$ka[8..15]], $SIGMA2); 274 | _xor_block($ka, $kl, $ka, 16); 275 | 276 | _feistel($ka, 8, $ka, $SIGMA3); 277 | _feistel($ka, 0, [@$ka[8..15]], $SIGMA4); 278 | 279 | if ($self->{keysize} == 16) { 280 | _rot_shift($self->{kw}->[0], $self->{kw}->[1], $kl, 0); 281 | 282 | _rot_shift($self->{k}->[0], $self->{k}->[1], $ka, 0); 283 | _rot_shift($self->{k}->[2], $self->{k}->[3], $kl, 15); 284 | _rot_shift($self->{k}->[4], $self->{k}->[5], $ka, 15); 285 | 286 | _rot_shift($self->{kl}->[0], $self->{kl}->[1], $ka, 30); 287 | 288 | _rot_shift($self->{k}->[6], $self->{k}->[7], $kl, 45); 289 | _rot_shift($self->{k}->[8], [0,0,0,0,0,0,0,0], $ka, 45); 290 | _rot_shift([0,0,0,0,0,0,0,0], $self->{k}->[9], $kl, 60); 291 | _rot_shift($self->{k}->[10], $self->{k}->[11], $ka, 60); 292 | 293 | _rot_shift($self->{kl}->[2], $self->{kl}->[3], $kl, 77); 294 | 295 | _rot_shift($self->{k}->[12], $self->{k}->[13], $kl, 94); 296 | _rot_shift($self->{k}->[14], $self->{k}->[15], $ka, 94); 297 | _rot_shift($self->{k}->[16], $self->{k}->[17], $kl, 111); 298 | 299 | _rot_shift($self->{kw}->[2], $self->{kw}->[3], $ka, 111); 300 | } 301 | else { 302 | my $kb = [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]; 303 | _xor_block($kb, $kr, $ka, 16); 304 | _feistel($kb, 8, $kb, $SIGMA5); 305 | _feistel($kb, 0, [@$kb[8..15]], $SIGMA6); 306 | 307 | _rot_shift($self->{kw}->[0], $self->{kw}->[1], $kl, 0); 308 | 309 | _rot_shift($self->{k}->[0], $self->{k}->[1], $kb, 0); 310 | _rot_shift($self->{k}->[2], $self->{k}->[3], $kr, 15); 311 | _rot_shift($self->{k}->[4], $self->{k}->[5], $ka, 15); 312 | 313 | _rot_shift($self->{kl}->[0], $self->{kl}->[1], $kr, 30); 314 | 315 | _rot_shift($self->{k}->[6], $self->{k}->[7], $kb, 30); 316 | _rot_shift($self->{k}->[8], $self->{k}->[9], $kl, 45); 317 | _rot_shift($self->{k}->[10], $self->{k}->[11], $ka, 45); 318 | 319 | _rot_shift($self->{kl}->[2], $self->{kl}->[3], $kl, 60); 320 | 321 | _rot_shift($self->{k}->[12], $self->{k}->[13], $kr, 60); 322 | _rot_shift($self->{k}->[14], $self->{k}->[15], $kb, 60); 323 | _rot_shift($self->{k}->[16], $self->{k}->[17], $kl, 77); 324 | 325 | _rot_shift($self->{kl}->[4], $self->{kl}->[5], $ka, 77); 326 | 327 | _rot_shift($self->{k}->[18], $self->{k}->[19], $kr, 94); 328 | _rot_shift($self->{k}->[20], $self->{k}->[21], $ka, 94); 329 | _rot_shift($self->{k}->[22], $self->{k}->[23], $kl, 111); 330 | 331 | _rot_shift($self->{kw}->[2], $self->{kw}->[3], $kb, 111); 332 | } 333 | 334 | return $self; 335 | } 336 | 337 | 338 | 339 | sub _move { 340 | for (my $i = 0; $i < $_[4]; $i++) { 341 | $_[0]->[$i+$_[1]] = $_[2]->[$i+$_[3]]; 342 | } 343 | } 344 | 345 | 346 | sub _xor_block { 347 | for (my $i = 0; $i < $_[3]; $i++) { 348 | $_[0]->[$i] = $_[1]->[$i] ^ $_[2]->[$i]; 349 | } 350 | } 351 | 352 | 353 | sub _feistel { 354 | my $dist = shift; 355 | my $o = shift; 356 | my $x = shift; 357 | my $k = shift; 358 | my $w = [0,0,0,0,0,0,0,0]; 359 | _xor_block($w, $x, $k, 8); 360 | # S funcs 361 | my @ws = ($S1[$w->[0]], $S2[$w->[1]], $S3[$w->[2]], $S4[$w->[3]], 362 | $S2[$w->[4]], $S3[$w->[5]], $S4[$w->[6]], $S1[$w->[7]]); 363 | # P func 364 | $dist->[0+$o] ^= $ws[0] ^ $ws[2] ^ $ws[3] ^ $ws[5] ^ $ws[6] ^ $ws[7]; 365 | $dist->[1+$o] ^= $ws[0] ^ $ws[1] ^ $ws[3] ^ $ws[4] ^ $ws[6] ^ $ws[7]; 366 | $dist->[2+$o] ^= $ws[0] ^ $ws[1] ^ $ws[2] ^ $ws[4] ^ $ws[5] ^ $ws[7]; 367 | $dist->[3+$o] ^= $ws[1] ^ $ws[2] ^ $ws[3] ^ $ws[4] ^ $ws[5] ^ $ws[6]; 368 | $dist->[4+$o] ^= $ws[0] ^ $ws[1] ^ $ws[5] ^ $ws[6] ^ $ws[7]; 369 | $dist->[5+$o] ^= $ws[1] ^ $ws[2] ^ $ws[4] ^ $ws[6] ^ $ws[7]; 370 | $dist->[6+$o] ^= $ws[2] ^ $ws[3] ^ $ws[4] ^ $ws[5] ^ $ws[7]; 371 | $dist->[7+$o] ^= $ws[0] ^ $ws[3] ^ $ws[4] ^ $ws[5] ^ $ws[6]; 372 | } 373 | 374 | 375 | sub _flayer { 376 | my ($dist, $x, $k) = @_; 377 | _move($dist, 0, $x, 0, 8); 378 | $dist->[4+0] ^= ((($x->[0] & $k->[0]) << 1) & 0xff) ^ ($x->[1] & $k->[1]) >> 7; 379 | $dist->[4+1] ^= ((($x->[1] & $k->[1]) << 1) & 0xff) ^ ($x->[2] & $k->[2]) >> 7; 380 | $dist->[4+2] ^= ((($x->[2] & $k->[2]) << 1) & 0xff) ^ ($x->[3] & $k->[3]) >> 7; 381 | $dist->[4+3] ^= ((($x->[3] & $k->[3]) << 1) & 0xff) ^ ($x->[0] & $k->[0]) >> 7; 382 | $dist->[0] ^= $dist->[4+0] | $k->[4+0]; 383 | $dist->[1] ^= $dist->[4+1] | $k->[4+1]; 384 | $dist->[2] ^= $dist->[4+2] | $k->[4+2]; 385 | $dist->[3] ^= $dist->[4+3] | $k->[4+3]; 386 | } 387 | 388 | 389 | sub _flayer_1 { 390 | my ($dist, $x, $k) = @_; 391 | _move($dist, 0, $x, 0, 8); 392 | $dist->[0] ^= $x->[4+0] | $k->[4+0]; 393 | $dist->[1] ^= $x->[4+1] | $k->[4+1]; 394 | $dist->[2] ^= $x->[4+2] | $k->[4+2]; 395 | $dist->[3] ^= $x->[4+3] | $k->[4+3]; 396 | $dist->[4+0] ^= ((($dist->[0] & $k->[0]) << 1) & 0xff) ^ ($dist->[1] & $k->[1]) >> 7; 397 | $dist->[4+1] ^= ((($dist->[1] & $k->[1]) << 1) & 0xff) ^ ($dist->[2] & $k->[2]) >> 7; 398 | $dist->[4+2] ^= ((($dist->[2] & $k->[2]) << 1) & 0xff) ^ ($dist->[3] & $k->[3]) >> 7; 399 | $dist->[4+3] ^= ((($dist->[3] & $k->[3]) << 1) & 0xff) ^ ($dist->[0] & $k->[0]) >> 7; 400 | } 401 | 402 | 403 | sub _rot_shift { 404 | my ($dist_l, $dist_r, $src, $bit) = @_; 405 | if ($bit == 0) { 406 | for (my $i = 0; $i < 8; $i++) { 407 | $dist_l->[$i] = $src->[$i]; 408 | } 409 | for (my $i = 0; $i < 8; $i++) { 410 | $dist_r->[$i] = $src->[$i+8]; 411 | } 412 | return; 413 | } 414 | my $o = int($bit / 8) + 1; 415 | my $so = $o * 8 - $bit; 416 | $o = $o % 16; 417 | for (my $i = 0; $i < 8; $i++) { 418 | $dist_l->[$i] = (($src->[($i+$o) % 16] >> $so) & 0xff) 419 | | (($src->[($i+$o-1) % 16] << (8 - $so)) & 0xff); 420 | $dist_r->[$i] = (($src->[($i+8+$o) % 16] >> $so) & 0xff) 421 | | (($src->[($i+8+$o-1) % 16] << (8 - $so)) & 0xff); 422 | } 423 | } 424 | 425 | 1; 426 | __END__ 427 | 428 | =head1 NAME 429 | 430 | Crypt::Camellia_PP - Pure Perl Camellia 128-bit block cipher module. 431 | 432 | =head1 SYNOPSIS 433 | 434 | use Crypt::Camellia_PP; 435 | 436 | my $key = pack 'H*', '00000000000000000000000000000000'; 437 | my $plain_text = pack 'H*', '00000000000000000000000000000000'; 438 | my $c = Crypt::Camellia->new($key); 439 | my $cipher_text = $c->encrypt($plain_text); 440 | 441 | 442 | =head1 DESCRIPTION 443 | 444 | this module implements the Camellia cipher by Pure Perl. 445 | 446 | =head2 Methods 447 | 448 | =over 4 449 | 450 | =item new($key) 451 | 452 | Create a new "Crypt::Camellia_PP" cipher object with the given key (which must be 128 or 192 or 256 bit long). 453 | 454 | =item encrypt($data) 455 | 456 | Encrypt data. The size of $data must be a 16 bytes. 457 | 458 | =item decrypt($data) 459 | 460 | Decrypts $data. 461 | 462 | =back 463 | 464 | =head1 EXAMPLE 465 | 466 | =head2 Encrypt and Decrypt 467 | 468 | use Crypt::Camellia_PP; 469 | 470 | my $key = pack 'H*', '00112233445566778899AABBCCDDEEFF'; 471 | my $src = pack 'H*', 'FFEEDDCCBBAA99887766554433221100'; 472 | my $camellia = Crypt::Camellia_PP->new($key); 473 | my $cipher_string = $camellia->encrypt($src); 474 | 475 | my $plain_string = $camellia->decrypt($cipher_string); 476 | $plain_string eq $src; 477 | 478 | =head2 With Crypt::CBC module 479 | 480 | use Crypt::CBC; 481 | 482 | my $cbc = Crypt::CBC->new({ 483 | cipher => 'Crypt::Camellia_PP', 484 | key => pack('H*', '00112233445566778899aabbccddeeff'), 485 | iv => pack('H*', '00000000000000000000000000000000'), 486 | literal_key => 1, 487 | header => 'none', 488 | padding => 'standard', 489 | }); 490 | my $cipher_text = $cbc->encrypt('Hello World!'); 491 | my $plain_text = $cbc->decrypt($cipher_text); 492 | $plain_text eq 'Hello World!'; 493 | 494 | =head1 SEE ALSO 495 | 496 | L, 497 | http://search.cpan.org/dist/Crypt-Camellia/, 498 | http://info.isl.ntt.co.jp/crypt/camellia/ 499 | 500 | =head1 AUTHOR 501 | 502 | Hiroyuki OYAMA Eoyama@module.jpE 503 | 504 | =head1 COPYRIGHT AND LICENSE 505 | 506 | Copyright (C) 2006 by Hiroyuki OYAMA. Japan. 507 | 508 | This library is free software; you can redistribute it and/or modify 509 | it under the same terms as Perl itself, either Perl version 5.8.6 or, 510 | at your option, any later version of Perl 5 you may have available. 511 | 512 | =cut 513 | -------------------------------------------------------------------------------- /INSTALL: -------------------------------------------------------------------------------- 1 | 2 | INSTALLING THE SHIT 3 | 4 | fuckNSA.pl was tested on Linux, FreeBSD, NetBSD, OSX, under different architectures intel, ARM, SPARC 5 | 6 | put CBC.pm and Camellia_PP.pm 7 | on a 'Crypt' folder where you have your perl modules 8 | example: 9 | 10 | on FreeBSD: 11 | 12 | /usr/local/lib/perl5/5.*/Crypt/CBC.pm 13 | /usr/local/lib/perl5/5.*/Crypt/Camellia_PP.pm 14 | 15 | 16 | on Debian: 17 | 18 | /usr/share/perl5/Crypt/CBC.pm 19 | /usr/share/perl5/Crypt/Camellia_PP.pm 20 | 21 | 22 | on OSX: 23 | 24 | install Developer's command line tools 25 | use macports, fink or homebrew to install irssi 26 | needed: install openssl by your own. the Apple official version is flawed, 27 | lacking features. (no 'pkeyutl' and no camellia support for example, and you need pkeyutl) 28 | WHY APPLE? WHY? 29 | install Crypt/CBC.pm and Crypt/Camellia_PP.pm on both perl5 folders 30 | /System/Library/Perl/5.1* 31 | 32 | -- 33 | 34 | put fuckNSA.pl on your irssi script folder 35 | for example: 36 | 37 | ~/.irssi/scripts/fuckNSA.pl 38 | 39 | and then inside irssi: 40 | 41 | /script load fuckNSA.pl 42 | 43 | /fucknsahelp 44 | 45 | Tips: 46 | tune the irssi builtin flood control to speed up the key exchange process 47 | example: 48 | cmds_max_at_once = "256" 49 | cmd_queue_speed = "15ms" 50 | -------------------------------------------------------------------------------- /LEGAL_CONSIDERATIONS_UNDER_THE_FIRST_AMENDMENT_AND_THE_NUDITY_OF_BOXXY.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Thanks to those ones looking at the code, guise 4 | 5 | pl0x avoid if u can, this kind of comment 6 | "oh, that's pretty safe, they encrypt the public key https://github.com/j0hnnMcCock/fuckNSA/blob/master/fuckNSA.pl#L1395 … What about the private key? " 7 | ^ 8 | thats the ephemeral dh public key being encrypted to be sent right after 9 | the also ephemeral dh private key must not be sent, like..ever... lolololo <3 10 | 11 | also 12 | "doing 1 on 1 handshakes in a multiparty may not be the way to go. We probably need another crypto algorithm to exchange keys" 13 | 14 | we totally agree with that DH can manage several keys thou perhaps theres no yet an efficient implementation 15 | about how to do that, right now. 16 | we believe there are many dilemmas to resolve 17 | and many thinks to question about mpOTR stuff itself, thou we tried to use this disadvantage for us: 18 | so for us this could be used, for example, to customise code to apply regex to erase some kinds of values like IP addresses from 19 | the text to be sent, on real time, whilst u chat and then apply this filter to specific nicks on a chat room, 20 | for people suspected of being snitches, or to help injecting on purpose some extra 21 | shit on the text before being encrypted so, as watermarks, if a log leaks happens u could identify the origin of such leak easily 22 | ejection and filtering. it is a needed feature for us. 23 | Do you all remember the Sabu thingie, innit? 24 | 25 | the script was not intended to be ready for public but to kick off some brainstorming about resolving the whole mpOTR thingie 26 | cause well, people need it right now and not tomorrow 27 | 28 | so we tried to get for ourselves something that works right now on the meanwhile better tools are engineered 29 | the script was a needed solution for our very own communications 30 | our communications happens under this context: 31 | group of less than 6 individuals working under knowledge they could be infiltrated 32 | by the FBI, because feds are trying to catch them permanently...u know 33 | people on such team works with fluid mobility, switching computers and OSes all time 34 | even establishing communications from hardware as uncommon as routers 35 | it requires avoiding compiling stuff cause it's not always possible to do that on some 'borrowed' box 36 | it must be quick to be installed, in 2 minutes, everywhere. 37 | it's required to avoid installing too many extra modules as possible (so openssl stay there) 38 | we dont trust AES, CTR modes, we dont think 8 bytes long salts are enough, we dont like passphrase based key derivation based on md5 39 | why nobody talks about this OpenSSL thingie anyway? 40 | it was careless and messy coded cause we r careless and messy in general 41 | and because we dont like code styling pattern recognition coming from nsa 42 | people should be able to change all parameters on it and fork different version as it fits to obfuscate methods 43 | thats the thing, its not set to be standard but 44 | to be used modified and customised by diff groups and improved by those who are able to 45 | many questions rise when u deal with mpOTR, too many practical limitations and difficulties. 46 | but then again we need something now 47 | and it must work... 48 | 49 | during this thing u need to take decisions, not easy ones, 50 | like making the authentification for each message vulnerable to be forged or not so much 51 | on the middle term, whilst providing enough proof of authenticity on real time, 52 | all this for the sake of keep some level of deniability. we paid a lot of attention to OTR key exchange protocol 53 | but we r getting rid of the hmac key post-convo publishing compensating such issue with small and weaker hashes 54 | people should think about better ways 55 | 56 | "plausible deniyability is already a dangerous concept. It will not hold automatically in court. Or anywhere else for that matter." 57 | 58 | we r not sure about it 59 | lawyers should help to spot some light on this point 60 | thou we wouldnt risk on it. 61 | 62 | besides all limitations 63 | it implements an OTR v2 protocol key exchange alike method, read the pdf on the repo and the Camellia encryption used is solid 64 | and it works for us, today, not tomorrow, because today is already late and many friends have being jailed already 65 | and we wanted to share it with all of you 66 | cause we hope that at least it could help someone too, somewhere and somehow 67 | 68 | love and cocks <3 69 | stay safe 70 | 71 | 72 | 73 | -------------------------------------------------------------------------------- /Off-the-Record-Communication-or-Why-Not-To-Use-PGP.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j0hnnMcCock/fuckNSA/5ab1b84019382f1d075f7bd78cb68d6241614813/Off-the-Record-Communication-or-Why-Not-To-Use-PGP.pdf -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | 2 | ---------------------------------------------------------------------- 3 | ## "There come a time, when good men must wear mask.....kemosabe" ## 4 | ---------------------------------------------------------------------- 5 | _ _ __ .__ #FREEHAMMOND 6 | __| || |_______ _____/ |_|__| ______ ____ ____ #FREEASSANGE 7 | \ __ /\__ \ / \ __\ |/ ___// __ \_/ ___\ #FREECHELSEA 8 | | || | / __ \| | \ | | |\___ \\ ___/\ \___ #FREESNOWDEN 9 | /_ ~~ _\(____ /___| /__| |__/____ >\___ >\___ > #FREEBARRETT 10 | |_||_| \/ \/ \/ \/ \/ #FREEANONS16 11 | #FREELULZSEC 12 | ---------------------------------------------------------------------- 13 | ---------------------------------------------------------------------- 14 | ## ohai feds!!! we're still alive. ## 15 | ## the best trick ever pulled was to convince FBI they can catch us ## 16 | ---------------------------------------------------------------------- 17 | every single line of code is, today, equal to a magic spell. 18 | Magic that's able to change how things work around you, 19 | and eventually...the world itself. 20 | ---------------------------------------------------------------------- 21 | 22 | 23 | hi guise!!! <333 24 | so well... 25 | Hammond was sentenced to 10 years of prison for being a 26 | political dissident, doing what he felt was the right thing. 27 | it was the second time he was jailed cause some coward betrayed him. 28 | you are probably asking yourself: why did he start hacking again after 29 | being in prison the first time? well, Hammond was an honest idealist, 30 | who blindly hated a system that rips off all freedom and humanity 31 | from us. and he hated this to the point of trading 32 | his own freedom on the fight, because nobody can understand better 33 | how precious and fragile freedom is, than those ones who have lost theirs once. 34 | 35 | now he is being tortured by prison authorities and he is often kept in 36 | total isolation whilst the coward of Sabu lives dressed on silk 37 | kimonos and gets pimped in secret by FBI. 38 | yeah we know, rapists and other shits get less punishment. 39 | things are fucked up, but nobody seems to care to change this. 40 | 41 | so.. 42 | our greetings then for all those ones who have sacrificed their own 43 | comfort and freedom to tell us the truth. 44 | hammond, julian, snowden, chelsea(the hacker former known as brad), 45 | aaron and many others around the world, specially those ones 46 | whose existence will never be noticed by the world, those who save 47 | our world everyday and those around the world who perhaps we'll never 48 | know and who every single day make what they believe is the 49 | right thing even if that means going against their own interests. 50 | 51 | freedom of choice. that's what made of us humans. 52 | 53 | 54 | 55 | so now that Snowden has stepped up to prove what we have been tried to 56 | tell you for the last years, we consider ourselves on vacations. 57 | work is still going on but, now we've got rid of the FBI influence, 58 | we decided to play things with our own timings and rules. 59 | so what today? 60 | today we want to share some thoughts, concepts and stuff about 61 | safe irc/im communications and openssl. 62 | stuff that could be useful for our fellows to avoid some problems. 63 | and bringing the mpOTR gift to our IRC/IM communications. 64 | 65 | THE GIVING STUFF THINGIE...IS THAT WHATS ABOUT THANKSGIVING, INNIT? 66 | 67 | (if you dont care about details and just want the toy and candy 68 | just skip to the 'WHAT THE FUCK THEN fuckNSA DOES????' part) 69 | 70 | 71 | Background 72 | ---------- 73 | 74 | well all this started by accident, it's a funny story 75 | involving sex, hacking, japanese girls, NSA superspookcomputers, 76 | Julian Assange running naked through the underground of london 77 | and General Keith Alexander's personal pink tutus collection. 78 | so here we go: 79 | Once upon a time, in some remote irc channel on some hidden service, 80 | a bunch of guise trying to trade cool stuff were 81 | dragged into the following conversation 82 | (convo lightly changed for the sake of privacy): 83 | 84 | xx > do u have otr? 85 | yy > hold on, im sitting on a pwnd box, lemme check 86 | yy > nah, cant quick install it asap. i could compile and install it 87 | yy > but no time for it 88 | yy > what about blowjob? 89 | xx > ... 90 | yy > blowjob.pl i mean 91 | xx > lololol 92 | yy > u irssi? 93 | yy > well its a quicky one at least 94 | xx > blowfish is useless man 95 | yy > anyway its all fine about otr but not sure about how it really works 96 | yy > didnt check the code yet 97 | yy > but i would prefer something i can tinker with, and easier to move with 98 | yy > when im jumping box to box so.. the perl script 99 | xx > okok at least gimme 2 min, can u check if you have some Crypt:: algo installed 100 | yy > wait 101 | yy > can get Rijndael quickly 102 | xx > ok cool 103 | xx > get it installed and gimme 2 min 104 | xx > ok check this paste https://pastee.org/xxxxx 105 | xx > there, just a modified blowjob to use AES instead of blowfish, defaults to 256 106 | xx > ok? 107 | yy > got it 108 | xx > go to the other win and gimme a pass 109 | yy > ok 110 | 111 | ok..yeah..it was a quick solution to keep going on with the chat, thou not the best one. 112 | even when we were able to deploy a stronger cipher algorithm we were lacking 113 | of some important part, like solving a shared passphrase exchange. 114 | so we kept thinking about it. yeah we love 2 irc, theres no many popular 115 | options for encryption on it, we could use otr for irssi thou the current 116 | implementation seem lil bit buggy, otr 2 protocol look quite good but it's 117 | not always available for every situation sadly and even when ppl use it 118 | not everyone understand whats going on on the background, it just works 119 | for many ppl and thats enough but well perhaps some other ppl would prefer 120 | to get more control about whats going on and probably tweak and modify 121 | it as they think it fits better, like a group using their own 122 | diffie-hellmann parameters or ciphers or whatever. so basically we were 123 | discussing later this issue whilst modifying the original blowjob.pl 124 | it was funny. 125 | so we ended up with some PoC about many ideas we were discussing about. 126 | we read the OTR 2 protocol, we discussed about cipher algorithms, 127 | about openssl thingies, about NSA, FBI and other shits. 128 | what follows its the product of that dialog. 129 | 130 | Goddess on charge: Rinko Kikuchi B====D 131 | 132 | 133 | first: 134 | we tried at the beginning to rely mainly on openssl 135 | cause it's installed by default on many systems 136 | but the first problem was about what could be leaked and 137 | watched through the process list, yeah we could 138 | have just used files for everything but at the end 139 | we ended up lurking on many shits and discovering 140 | some interesting stuff. so we chose Camellia as cipher, 141 | https://en.wikipedia.org/wiki/Camellia_(cipher) 142 | cause we don't trust AES anymore. 143 | 144 | check the camellia code please. original camellia.c, camellia.h and 145 | camellia on pure perl are available on the repository 146 | but you can google them too. 147 | 148 | we use Camellia 256 149 | 150 | Crypt::Camellia 151 | or 152 | Crypt::Camellia_PP 153 | 154 | we strongly suggest you to install them by yourself, by the alikes of using cpan, 155 | but, for a quickie, we made some ready-to-go .deb packages 156 | containing the originals without modification, cause well, 157 | it seems there aren't .deb packages available on the 158 | debian repositories. and when you're using some stuff temporarily sometimes 159 | you don't have time to cpan burdens. 160 | 161 | so well then we discovered that the Crypt::CBC's password based key derivation fn 162 | was inspired by the openssl passphrase base key derivation fn and the use of a salt 163 | so using salts are good. but well, Crypt::CBC shared the fate of openssl... 164 | they both use md5 as default to hash the passphrase and salt. 165 | and we all know md5 has many issues about collisions and shits. 166 | if you are using openssl for symmetric encryption, 167 | it defaults to use md5 on 1 single round. 168 | eventually ppl could use the undocumented '-md ' 169 | flag to change this default. 170 | thought even when it would be possible to, 171 | for example: 172 | 173 | cat testtxt.txt | openssl enc -camellia-256-cbc -e -a -salt -md sha512 174 | 175 | ----------------------------------- 176 | | extracted from openssl's enc.c: | 177 | | | 178 | | if (dgst == NULL) | 179 | | { | 180 | | dgst = EVP_md5(); | 181 | | } | 182 | ----------------------------------- 183 | 184 | < kayla> lololol md5 185 | 186 | you are still limited to use 8 byte salts, even if you try to manually 187 | set, for example, a 16 byte salt manually like this: 188 | 189 | cat testtxt.txt | openssl enc -camellia-256-cbc -e -a \ 190 | -S 9e5de8d47165d15c46a4dca04c3352ce -md sha512 191 | 192 | because this 193 | -------------------------------------- 194 | | extracted from openssl's evp.h: | 195 | | | 196 | | #define PKCS5_SALT_LEN 8 | 197 | | | 198 | -------------------------------------- 199 | 200 | ------------------------------------------------------------------------- 201 | | and also this | 202 | | again from openssl's enc.c: | 203 | | | 204 | | EVP_BytesToKey(cipher,dgst,sptr, | 205 | | (unsigned char *)str, | 206 | | strlen(str),1,key,iv); | 207 | | | 208 | | so checking... evp_key.c : | 209 | | | 210 | | int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, | 211 | | const unsigned char *salt, const unsigned char *data, int datal, | 212 | | int count, unsigned char *key, unsigned char *iv) | 213 | | | 214 | | [...] | 215 | | | 216 | | for (i=1; i<(unsigned int)count; i++) | 217 | | { | 218 | | if (!EVP_DigestInit_ex(&c,md, NULL)) | 219 | | goto err; | 220 | | if (!EVP_DigestUpdate(&c,&(md_buf[0]),mds)) | 221 | | goto err; | 222 | | if (!EVP_DigestFinal_ex(&c,&(md_buf[0]),&mds)) | 223 | | goto err; | 224 | | } | 225 | | | 226 | ------------------------------------------------------------------------- 227 | 228 | > really guise... defaults to count = 1 ? 229 | > #?@!% 230 | 231 | 232 | wat the fuck was that? 233 | fuck with pkcs5 on these fuckin crazy times of mass surveillance 234 | if this was a decision made to keep retro-compatibility, 235 | why dont we also make enc algo to default to the caesar cipher? 236 | so we could easily decrypt also our old papers from the roman empire times, huh? 237 | 238 | 239 | we wrote a patch for the openssl commandline utility thought 240 | well...lets be honest: 241 | we don't think it will make it through mainstream considering it would 242 | be coming from us (we tried on the past, didnt work) 243 | but whoever from the OpenSSL community would be 244 | able to easily implement it. 245 | the patched version works on this way: 246 | example: 247 | 248 | cat testtxt.txt | openssl enc -camellia-256-cbc -e -a -fuckNSA 249 | 250 | this enable to default 16 byte salts and the use of the algo sha512 breaking 251 | pkcs5 lines but wtf anyway 252 | longer salts should be available to be used ofc. 253 | also (currently being tested) it would be possible to do symmetric 254 | encryption with 2nd-stage-passphrases, derived from an additional extra 255 | function that complements the standard method 256 | Example: 257 | cat testtxt.txt | openssl enc -camellia-256-cbc -e -a \ 258 | -fuckNSA -KeithAlexanderLovesCocks 259 | 260 | (yeah he and his transplanted hair loves cocks ) 261 | will pass the given passphrase to the 'KeithAlexanderLovesCocks' 262 | function (a PoC already implemented into the 'fuckNSA.pl' irssi perl script 263 | for secure communications and also into the simple commandline 264 | encryption utility 'nonsa.pl') 265 | this function will derive a new passphrase (or proto-key seed) 266 | that will...seed(sic) the iv and key derivation standard procedure. 267 | think about it as something that produces complex passphrases 268 | from (possible) weaker and simpler ones; eventually forcing an adversary 269 | aka FBI, NSA, Teletubbies, Cartman, etc... 270 | into building tables for all possible combinations of the 271 | sha512 output (for example) and blah blah... 272 | or well..at least add the fucking scrypt snippet into it.... 273 | you can use also just go gpg, way. installed by default on many *nices 274 | thou that doesnt change the fact openssl must modify some basic stuff to 275 | fit modern times. 276 | 277 | so well, we touched Crypt::CBC to address this whole thingie, 278 | enabling on it 16 byte long salts and sha512 digest algo. 279 | We make available our version of CBC.pm in the repository 280 | and we made a .deb package to quick install it. (we worked around the 281 | security of dh-make-perl to forge it) 282 | we strongly suggest you to read the code first, verify you r fine with it 283 | and then install the .pm by yourself. 284 | 285 | so thats all about perl modules needed to run our fuckNSA.pl 286 | we use those 2 modules, also check if your Digest module is updated. 287 | and we kept openssl for dh and rsa keys stuff to avoid demanding 288 | more perl modules to be installed, etc. 289 | 290 | HERE THE CANDY!!! 291 | 292 | WHAT THE FUCK THEN fuckNSA DOES???? ..mpOTR man, its all about mpOTR 293 | ----------------------------------- 294 | 295 | it implements advanced encryption over IM/IRC communications resolving 296 | the how-sharing-the-fucking-passphrase problem & deploying an inspired OTRv2 297 | key exchange agreement. it uses Camellia256, DH keys of 4096 bits, RSA 298 | keys of 4096 bits and sha512, sha256, etc. it produces 2 keys: one for encrypted 299 | communications and the second one to use on file encryption (in case 300 | ppl need to share stuff) it implements a flexible mpOTR solution, flexible 301 | enough to be easily hackable, letting a group of ppl on a given channel for 302 | example to exclude a non-trusted part (aka FBI snitch) from knowing other keys 303 | used for that channel, the use of temporary common keys to reduce flooding, the use 304 | of individual keys and all & whatever u prefer to do. If a computer belonging to 305 | some individual is seized by FBI, only last keys used would be compromised and only 306 | those ones shared with some individuals for the last conversation the individual 307 | has participated, therefore not compromising conversations that happened between 308 | other individuals on the same channel at different times. Users retain full control of the 309 | decisions to make. the DH parameters are easy to change, so different 310 | groups can easily employ their own parameters with keys of 16384 bits for example. 311 | it offers good verbosity and keep history of your peer's fingerprints in case 312 | you need to check it later, when you go full paranoid, and many other etc & etc... 313 | 314 | go to 315 | https://github.com/j0hnnMcCock/fuckNSA 316 | 317 | so: 318 | 1 READ THE FUCKING CODE 319 | 2 READ THE FUCKING CODE 320 | 3 READ THE FUCKING CODE 321 | 4 IMPROVE IT AND ENJOY IT 322 | 323 | 324 | 325 | also...wtf Keith Alexander does with his hair??? 326 | stop spending our taxes into your hair transplantation ops 327 | we know that your hair is coming from your ass!!! 328 | :( 329 | D: 330 | 331 | how to install: 332 | 333 | go here 334 | https://github.com/j0hnnMcCock/fuckNSA 335 | 336 | put fuckNSA.pl on your irssi script folder for example 337 | like: 338 | ~/.irssi/scripts/fuckNSA.pl 339 | and then: 340 | /script load fuckNSA.pl 341 | /fucknsahelp 342 | 343 | < kayla> that was silly to explain... :o 344 | 345 | requirements: 346 | install Crypt::Camellia or Crypt::Camellia_PP 347 | the pure perl version can slow down things lil bit 348 | but perhaps it's the simplest to get installed 349 | quickly on the run 350 | 351 | put CBC.pm and Camellia_PP.pm 352 | on a 'Crypt' folder where you have your perl modules 353 | example on freeBSD: 354 | /usr/local/lib/perl5/5.*/Crypt/CBC.pm 355 | /usr/local/lib/perl5/5.*/Crypt/Camellia_PP.pm 356 | 357 | (yeah fuckNSA.pl works not only on Linux but on freeBSD too, 358 | and it rocks there) 359 | 360 | it works on OSX too but... 361 | 362 | # ATTENTION OSX USERS # 363 | Apple couldnt have better idea than fuck openssl even more compiling the 364 | default installed version without 'pkeyutl' nor camellia algorithm neither 365 | why? WHY APPLE??? 366 | so theres no option guise and you need to install your own openssl thingie 367 | check internetz for that, its not that difficult. 368 | 369 | 370 | ofc you can modify the 371 | whole thingie to tap on gpg instead. so be free to do what u want. 372 | 373 | 374 | check the 'INSTALL' file for more info 375 | if you want to change from Camellia_PP to Camellia 376 | dont forget to modify fuckNSA.pl (commenting the option) 377 | 378 | tips: 379 | tune the irssi builtin flood control to speed up the key exchange process 380 | example: 381 | { cmds_max_at_once = "256"; cmd_queue_speed = "15ms"; } 382 | 383 | 384 | code is easy hackable to make suspected fbi snitches or regimes'spiez (for example) 385 | into believing they ve been infiltrating a conversation 386 | whilst sensitive parts of it 387 | are being modified on the fly for them. 388 | 389 | TO-DO and how to help: 390 | port fuckNSA for libpurple and other clients (pl0x help, we r lazy cunts) 391 | further testing and fix whatever appearing buggy, remember we 392 | wanted to release this for thanksgiving so it needs more testing & blah blah 393 | keep improving it 394 | write tutorials, explain others how to use it, read the code first. 395 | ...hm....READ THE CODE FIRST. 396 | 397 | https://github.com/j0hnnMcCock/fuckNSA 398 | SHA256SUMs 399 | 400 | b276785b0f84bc2713122d8b9588c44a8f3b63155a97b8b57547b9f63674705e fuckNSA.pl 401 | 33a5bb69f438b1e8dd05799531fe9d726c181d2662a0237ca69992f7387e8c59 nonsa.pl 402 | 403 | 77c3c8cca0476965e82327c55e136b09e1cb876ca4bb333dfa538b5ad4818af9 Camellia_PP.pm 404 | 5b24c307141d78b8224a21f3abd1efb099bdc821709520349bfa6b31bb241644 CBC.pm 405 | 406 | 43f50d2faa7fc28ca2a0267fa7456a0bdf5eec16e0cb84842166dbd242d20e0a libcrypt-camellia-perl_2.02-1_all.deb 407 | e137d9b335facb9aeaa7c77b424f8414c970a01e406d4a14b3b81c1b2b267344 libcrypt-camellia-perl_2.02-1_amd64.deb 408 | e3df84cfa22eb4d980317faf1e03cd567c0cdc80e1209ab7809418d1f74a980f libcrypt-camellia-pp-perl_0.02-1_all.deb 409 | 74cf6b69cbd379566168e5ae605317e7c935d04023fe9fae52ae0fd01cb1a9c8 libcrypt-cbc-perl_2.33-1_Lulzsec-mod_all.deb 410 | 411 | 3c35aa070086abacf429fabb75c696b963c8904475502ddc25f9828d8992f2c1 camellia.c 412 | 0d4acde103ad556aac4ec502358113ec7fdefc543266e68bf748a6048231ceaa camellia.h 413 | 414 | 415 | 416 | LICENSE 417 | ------- 418 | 419 | ############################################## 420 | ## LulzSec License ## 421 | ## ## 422 | ## Do whatever you fucking want with this, ## 423 | ## but you must produce at least one act of ## 424 | ## civil disobedience against the System ## 425 | ## and its rules, even if that represents ## 426 | ## not honoring this license at all. ## 427 | ## Fuck Cops' daughters, send cigarettes ## 428 | ## to those of us who are jailed, smash ## 429 | ## down CCTV cameras and... ## 430 | ## also cocks, because lulz. ## 431 | ## ## 432 | ############################################## 433 | 434 | 435 | 436 | the fucking idiots @ FBI were trying to take our bittie$ 437 | so pl0x show some love 438 | and drop some pennies to this one: 439 | 440 | 1KrvDzgWrzJeWjzEDPnxziUJbrPNKpS3bs 441 | 442 | ^ bitcoin 443 | 444 | 445 | 446 | Remember always the biggest danger we faced came from the human 447 | side (aka Sabu, other lame informants & other kind of feds'bitches) 448 | not from the tech side and if it happened, it came from mistakes 449 | made by ourselves or from the h4k0rz' usual drama & mutual pwnage. 450 | FBI can't find even when their wives are cheating on them. 451 | So be careful about who you trust to and what you are doing and 452 | how you are doing it, always. stay safe <3 453 | and code your freedom. 454 | 455 | 456 | < theo> & use condoms for buttraeping! 457 | 458 | 459 | dont forget to go to this CCC conf, even if many of us cant because feds lurking. 460 | feds suck, d'you know? 461 | 462 | if u have read all this PR without having brainzcancer 463 | at least because grammar 464 | u have our respect 465 | 466 | we wont give more details about this till Adrien Chen appears 467 | on the front page of Hustler, disguised as a baby on pink clothes 468 | with a buttplug on his mouth and... 469 | ok, we're joking... 470 | 471 | 472 | 473 | "Now I know what a ghost is. Unfinished business, that's what." 474 | ― Salman Rushdie, The Satanic Verses 475 | 476 | 477 | ``;` 478 | `,+@@@+ 479 | .+@@@@@@@; 480 | `;@@@@@@@@@@@ 481 | +@@@@@@@@@@@@@: 482 | ;@@@@@@@@@@@@@@@@ 483 | `@@@@@@@@@@@@@@@@@@` 484 | `@@@@@@@@@@@@@@@@@@# 485 | .@@@@@@@@@@@@@@@@@@, 486 | :@@@@@@@@@@@@@@@@@@ .'@@ 487 | #@@@@@@@@@@@@@@@@+; .+@@@@@ 488 | `@@@@@@@@@@@@@#;;+@+#@@@#:` 489 | #@@@@@@@@@@';'@@@@@@@:` 490 | `@@@@@@@+;;+@@@@@##` 491 | .@@@#;;+@@@@@#+',.,'. 492 | +;;'#@@@@#+;` ,: 493 | .#@@@@#++: @. ...` 494 | `'@@@@#++'. + .#++;;+ + 495 | ,@@@@@#++:``::+ `',:+,. , 496 | `@@@@#, #+` ',.`'. +` `` `, .+ 497 | @@:` ,+. ,`:``.: '. .',+++ # 498 | `` #+`++,.`:,`` :`+@@'@@@@' ```` 499 | #'`#+:`.,`:` .@@@+@# +`. : `: 500 | #:: +.`,.., `@@,#@':. + : ' 501 | #: ` ',:`,, @#`` + + ' `,; 502 | #: ` `:''` @` #:.. , ' #+++: 503 | #: , ;#'# + : `: #++ 504 | #; ' `'' , '. 505 | ;' ' # `@# 506 | #.; ;` ,#.:; 507 | `+; '. @ ` 508 | :#; `@: :` `, 509 | .#+; `'+.' + 510 | .@++#'+@+@++` ;@. ' 511 | `' ., ` #:`# `+.#+ :. 512 | ., : @#;.`;`: `#@. 513 | +``,.;`@+,. '# 514 | @' ' ;`@:+`#`;` 515 | `#+ ,'`# :. ' 516 | ' #. :`#` '`. + 517 | # +. .:+: :`. . 518 | `, +, ..+ '` : 519 | ;` #+@:,:#.;`` ' 520 | #'##:#+. : `; ; 521 | #. #: `'` : 522 | #, ` . 523 | 2013. All Your Base Are Belong To Us. 524 | -------------------------------------------------------------------------------- /camellia-GPL-1.2.0/COPYING: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. 5 | 675 Mass Ave, Cambridge, MA 02139, USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Library General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | Appendix: How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 19yy 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License 307 | along with this program; if not, write to the Free Software 308 | Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) 19yy name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | , 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Library General 339 | Public License instead of this License. 340 | -------------------------------------------------------------------------------- /camellia-GPL-1.2.0/README: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | This is a Crypto engine for Camellia. 4 | 5 | Licence: GPL 6 | version: 1.2.0 7 | 8 | For inquires regarding of Camellia, please access here. 9 | http://info.isl.ntt.co.jp/crypt/eng/camellia/index.html 10 | 11 | --- 12 | Summary of changes from 1.0.0 to 1.0.1 13 | - The flag of using inline via macro was turned on by default. 14 | Summary of changes from 1.0.1 to 1.1.0 15 | - The engine was changed to improve performance. 16 | Summary of changes from 1.1.0 to 1.2.0 17 | - The engine was changed to architecture independent. 18 | -------------------------------------------------------------------------------- /camellia-GPL-1.2.0/camellia.c: -------------------------------------------------------------------------------- 1 | /* camellia.h ver 1.2.0 2 | * 3 | * Copyright (C) 2006,2007 4 | * NTT (Nippon Telegraph and Telephone Corporation). 5 | * 6 | * This program is free software; you can redistribute it and/or 7 | * modify it under the terms of the GNU General Public License 8 | * as published by the Free Software Foundation; either version 2 9 | * of the License, or (at your option) any later version. 10 | * 11 | * This program is distributed in the hope that it will be useful, 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU General Public License for more details. 15 | * 16 | * You should have received a copy of the GNU General Public License 17 | * along with this program; if not, write to the Free Software 18 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* 22 | * Algorithm Specification 23 | * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html 24 | */ 25 | 26 | #include 27 | #include 28 | 29 | #include "camellia.h" 30 | 31 | /* u32 must be 32bit word */ 32 | typedef unsigned int u32; 33 | typedef unsigned char u8; 34 | 35 | /* key constants */ 36 | 37 | #define CAMELLIA_SIGMA1L (0xA09E667FL) 38 | #define CAMELLIA_SIGMA1R (0x3BCC908BL) 39 | #define CAMELLIA_SIGMA2L (0xB67AE858L) 40 | #define CAMELLIA_SIGMA2R (0x4CAA73B2L) 41 | #define CAMELLIA_SIGMA3L (0xC6EF372FL) 42 | #define CAMELLIA_SIGMA3R (0xE94F82BEL) 43 | #define CAMELLIA_SIGMA4L (0x54FF53A5L) 44 | #define CAMELLIA_SIGMA4R (0xF1D36F1CL) 45 | #define CAMELLIA_SIGMA5L (0x10E527FAL) 46 | #define CAMELLIA_SIGMA5R (0xDE682D1DL) 47 | #define CAMELLIA_SIGMA6L (0xB05688C2L) 48 | #define CAMELLIA_SIGMA6R (0xB3E6C1FDL) 49 | 50 | /* 51 | * macros 52 | */ 53 | 54 | 55 | #if defined(_MSC_VER) 56 | 57 | # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00) 58 | # define GETU32(p) SWAP(*((u32 *)(p))) 59 | # define PUTU32(ct, st) {*((u32 *)(ct)) = SWAP((st));} 60 | 61 | #else /* not MS-VC */ 62 | 63 | # define GETU32(pt) \ 64 | (((u32)(pt)[0] << 24) \ 65 | ^ ((u32)(pt)[1] << 16) \ 66 | ^ ((u32)(pt)[2] << 8) \ 67 | ^ ((u32)(pt)[3])) 68 | 69 | # define PUTU32(ct, st) { \ 70 | (ct)[0] = (u8)((st) >> 24); \ 71 | (ct)[1] = (u8)((st) >> 16); \ 72 | (ct)[2] = (u8)((st) >> 8); \ 73 | (ct)[3] = (u8)(st); } 74 | 75 | #endif 76 | 77 | #define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2]) 78 | #define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1]) 79 | 80 | /* rotation right shift 1byte */ 81 | #define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24)) 82 | /* rotation left shift 1bit */ 83 | #define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31)) 84 | /* rotation left shift 1byte */ 85 | #define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24)) 86 | 87 | #define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits) \ 88 | do { \ 89 | w0 = ll; \ 90 | ll = (ll << bits) + (lr >> (32 - bits)); \ 91 | lr = (lr << bits) + (rl >> (32 - bits)); \ 92 | rl = (rl << bits) + (rr >> (32 - bits)); \ 93 | rr = (rr << bits) + (w0 >> (32 - bits)); \ 94 | } while(0) 95 | 96 | #define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits) \ 97 | do { \ 98 | w0 = ll; \ 99 | w1 = lr; \ 100 | ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \ 101 | lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \ 102 | rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \ 103 | rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \ 104 | } while(0) 105 | 106 | #define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)]) 107 | #define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)]) 108 | #define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)]) 109 | #define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)]) 110 | 111 | #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \ 112 | do { \ 113 | il = xl ^ kl; \ 114 | ir = xr ^ kr; \ 115 | t0 = il >> 16; \ 116 | t1 = ir >> 16; \ 117 | yl = CAMELLIA_SP1110(ir & 0xff) \ 118 | ^ CAMELLIA_SP0222((t1 >> 8) & 0xff) \ 119 | ^ CAMELLIA_SP3033(t1 & 0xff) \ 120 | ^ CAMELLIA_SP4404((ir >> 8) & 0xff); \ 121 | yr = CAMELLIA_SP1110((t0 >> 8) & 0xff) \ 122 | ^ CAMELLIA_SP0222(t0 & 0xff) \ 123 | ^ CAMELLIA_SP3033((il >> 8) & 0xff) \ 124 | ^ CAMELLIA_SP4404(il & 0xff); \ 125 | yl ^= yr; \ 126 | yr = CAMELLIA_RR8(yr); \ 127 | yr ^= yl; \ 128 | } while(0) 129 | 130 | 131 | /* 132 | * for speed up 133 | * 134 | */ 135 | #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \ 136 | do { \ 137 | t0 = kll; \ 138 | t0 &= ll; \ 139 | lr ^= CAMELLIA_RL1(t0); \ 140 | t1 = klr; \ 141 | t1 |= lr; \ 142 | ll ^= t1; \ 143 | \ 144 | t2 = krr; \ 145 | t2 |= rr; \ 146 | rl ^= t2; \ 147 | t3 = krl; \ 148 | t3 &= rl; \ 149 | rr ^= CAMELLIA_RL1(t3); \ 150 | } while(0) 151 | 152 | #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \ 153 | do { \ 154 | ir = CAMELLIA_SP1110(xr & 0xff) \ 155 | ^ CAMELLIA_SP0222((xr >> 24) & 0xff) \ 156 | ^ CAMELLIA_SP3033((xr >> 16) & 0xff) \ 157 | ^ CAMELLIA_SP4404((xr >> 8) & 0xff); \ 158 | il = CAMELLIA_SP1110((xl >> 24) & 0xff) \ 159 | ^ CAMELLIA_SP0222((xl >> 16) & 0xff) \ 160 | ^ CAMELLIA_SP3033((xl >> 8) & 0xff) \ 161 | ^ CAMELLIA_SP4404(xl & 0xff); \ 162 | il ^= kl; \ 163 | ir ^= kr; \ 164 | ir ^= il; \ 165 | il = CAMELLIA_RR8(il); \ 166 | il ^= ir; \ 167 | yl ^= ir; \ 168 | yr ^= il; \ 169 | } while(0) 170 | 171 | 172 | static const u32 camellia_sp1110[256] = { 173 | 0x70707000,0x82828200,0x2c2c2c00,0xececec00, 174 | 0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500, 175 | 0xe4e4e400,0x85858500,0x57575700,0x35353500, 176 | 0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100, 177 | 0x23232300,0xefefef00,0x6b6b6b00,0x93939300, 178 | 0x45454500,0x19191900,0xa5a5a500,0x21212100, 179 | 0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00, 180 | 0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00, 181 | 0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00, 182 | 0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00, 183 | 0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00, 184 | 0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00, 185 | 0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00, 186 | 0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00, 187 | 0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600, 188 | 0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00, 189 | 0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600, 190 | 0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00, 191 | 0x74747400,0x12121200,0x2b2b2b00,0x20202000, 192 | 0xf0f0f000,0xb1b1b100,0x84848400,0x99999900, 193 | 0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200, 194 | 0x34343400,0x7e7e7e00,0x76767600,0x05050500, 195 | 0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100, 196 | 0xd1d1d100,0x17171700,0x04040400,0xd7d7d700, 197 | 0x14141400,0x58585800,0x3a3a3a00,0x61616100, 198 | 0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00, 199 | 0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600, 200 | 0x53535300,0x18181800,0xf2f2f200,0x22222200, 201 | 0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200, 202 | 0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100, 203 | 0x24242400,0x08080800,0xe8e8e800,0xa8a8a800, 204 | 0x60606000,0xfcfcfc00,0x69696900,0x50505000, 205 | 0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00, 206 | 0xa1a1a100,0x89898900,0x62626200,0x97979700, 207 | 0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500, 208 | 0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200, 209 | 0x10101000,0xc4c4c400,0x00000000,0x48484800, 210 | 0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00, 211 | 0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00, 212 | 0x09090900,0x3f3f3f00,0xdddddd00,0x94949400, 213 | 0x87878700,0x5c5c5c00,0x83838300,0x02020200, 214 | 0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300, 215 | 0x73737300,0x67676700,0xf6f6f600,0xf3f3f300, 216 | 0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200, 217 | 0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600, 218 | 0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00, 219 | 0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00, 220 | 0x13131300,0xbebebe00,0x63636300,0x2e2e2e00, 221 | 0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00, 222 | 0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00, 223 | 0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600, 224 | 0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900, 225 | 0x78787800,0x98989800,0x06060600,0x6a6a6a00, 226 | 0xe7e7e700,0x46464600,0x71717100,0xbababa00, 227 | 0xd4d4d400,0x25252500,0xababab00,0x42424200, 228 | 0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00, 229 | 0x72727200,0x07070700,0xb9b9b900,0x55555500, 230 | 0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00, 231 | 0x36363600,0x49494900,0x2a2a2a00,0x68686800, 232 | 0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400, 233 | 0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00, 234 | 0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100, 235 | 0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400, 236 | 0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00, 237 | }; 238 | 239 | static const u32 camellia_sp0222[256] = { 240 | 0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9, 241 | 0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb, 242 | 0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a, 243 | 0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282, 244 | 0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727, 245 | 0x008a8a8a,0x00323232,0x004b4b4b,0x00424242, 246 | 0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c, 247 | 0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b, 248 | 0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f, 249 | 0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d, 250 | 0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe, 251 | 0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434, 252 | 0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595, 253 | 0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a, 254 | 0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad, 255 | 0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a, 256 | 0x00171717,0x001a1a1a,0x00353535,0x00cccccc, 257 | 0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a, 258 | 0x00e8e8e8,0x00242424,0x00565656,0x00404040, 259 | 0x00e1e1e1,0x00636363,0x00090909,0x00333333, 260 | 0x00bfbfbf,0x00989898,0x00979797,0x00858585, 261 | 0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a, 262 | 0x00dadada,0x006f6f6f,0x00535353,0x00626262, 263 | 0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf, 264 | 0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2, 265 | 0x00bdbdbd,0x00363636,0x00222222,0x00383838, 266 | 0x00646464,0x001e1e1e,0x00393939,0x002c2c2c, 267 | 0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444, 268 | 0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565, 269 | 0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323, 270 | 0x00484848,0x00101010,0x00d1d1d1,0x00515151, 271 | 0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0, 272 | 0x00555555,0x00a1a1a1,0x00414141,0x00fafafa, 273 | 0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f, 274 | 0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b, 275 | 0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5, 276 | 0x00202020,0x00898989,0x00000000,0x00909090, 277 | 0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7, 278 | 0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5, 279 | 0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929, 280 | 0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404, 281 | 0x009b9b9b,0x00949494,0x00212121,0x00666666, 282 | 0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7, 283 | 0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5, 284 | 0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c, 285 | 0x00919191,0x006e6e6e,0x008d8d8d,0x00767676, 286 | 0x00030303,0x002d2d2d,0x00dedede,0x00969696, 287 | 0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c, 288 | 0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919, 289 | 0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d, 290 | 0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d, 291 | 0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2, 292 | 0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4, 293 | 0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575, 294 | 0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484, 295 | 0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5, 296 | 0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa, 297 | 0x00f1f1f1,0x00dddddd,0x00595959,0x00141414, 298 | 0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0, 299 | 0x00787878,0x00707070,0x00e3e3e3,0x00494949, 300 | 0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6, 301 | 0x00777777,0x00939393,0x00868686,0x00838383, 302 | 0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9, 303 | 0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d, 304 | }; 305 | 306 | static const u32 camellia_sp3033[256] = { 307 | 0x38003838,0x41004141,0x16001616,0x76007676, 308 | 0xd900d9d9,0x93009393,0x60006060,0xf200f2f2, 309 | 0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a, 310 | 0x75007575,0x06000606,0x57005757,0xa000a0a0, 311 | 0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9, 312 | 0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090, 313 | 0xf600f6f6,0x07000707,0xa700a7a7,0x27002727, 314 | 0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede, 315 | 0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7, 316 | 0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767, 317 | 0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf, 318 | 0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d, 319 | 0x53005353,0xf000f0f0,0x9c009c9c,0x65006565, 320 | 0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e, 321 | 0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b, 322 | 0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6, 323 | 0xc500c5c5,0x86008686,0x4d004d4d,0x33003333, 324 | 0xfd00fdfd,0x66006666,0x58005858,0x96009696, 325 | 0x3a003a3a,0x09000909,0x95009595,0x10001010, 326 | 0x78007878,0xd800d8d8,0x42004242,0xcc00cccc, 327 | 0xef00efef,0x26002626,0xe500e5e5,0x61006161, 328 | 0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282, 329 | 0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898, 330 | 0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb, 331 | 0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0, 332 | 0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e, 333 | 0x19001919,0x87008787,0x4e004e4e,0x0b000b0b, 334 | 0xa900a9a9,0x0c000c0c,0x79007979,0x11001111, 335 | 0x7f007f7f,0x22002222,0xe700e7e7,0x59005959, 336 | 0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8, 337 | 0x12001212,0x04000404,0x74007474,0x54005454, 338 | 0x30003030,0x7e007e7e,0xb400b4b4,0x28002828, 339 | 0x55005555,0x68006868,0x50005050,0xbe00bebe, 340 | 0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb, 341 | 0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca, 342 | 0x70007070,0xff00ffff,0x32003232,0x69006969, 343 | 0x08000808,0x62006262,0x00000000,0x24002424, 344 | 0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded, 345 | 0x45004545,0x81008181,0x73007373,0x6d006d6d, 346 | 0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a, 347 | 0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101, 348 | 0xe600e6e6,0x25002525,0x48004848,0x99009999, 349 | 0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9, 350 | 0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171, 351 | 0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313, 352 | 0x64006464,0x9b009b9b,0x63006363,0x9d009d9d, 353 | 0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5, 354 | 0x89008989,0x5f005f5f,0xb100b1b1,0x17001717, 355 | 0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646, 356 | 0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747, 357 | 0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b, 358 | 0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac, 359 | 0x3c003c3c,0x4c004c4c,0x03000303,0x35003535, 360 | 0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d, 361 | 0x6a006a6a,0x92009292,0xd500d5d5,0x21002121, 362 | 0x44004444,0x51005151,0xc600c6c6,0x7d007d7d, 363 | 0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa, 364 | 0x7c007c7c,0x77007777,0x56005656,0x05000505, 365 | 0x1b001b1b,0xa400a4a4,0x15001515,0x34003434, 366 | 0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252, 367 | 0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd, 368 | 0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0, 369 | 0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a, 370 | 0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f, 371 | }; 372 | 373 | static const u32 camellia_sp4404[256] = { 374 | 0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0, 375 | 0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae, 376 | 0x23230023,0x6b6b006b,0x45450045,0xa5a500a5, 377 | 0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092, 378 | 0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f, 379 | 0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b, 380 | 0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d, 381 | 0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c, 382 | 0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0, 383 | 0x74740074,0x2b2b002b,0xf0f000f0,0x84840084, 384 | 0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076, 385 | 0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004, 386 | 0x14140014,0x3a3a003a,0xdede00de,0x11110011, 387 | 0x32320032,0x9c9c009c,0x53530053,0xf2f200f2, 388 | 0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a, 389 | 0x24240024,0xe8e800e8,0x60600060,0x69690069, 390 | 0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062, 391 | 0x54540054,0x1e1e001e,0xe0e000e0,0x64640064, 392 | 0x10100010,0x00000000,0xa3a300a3,0x75750075, 393 | 0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd, 394 | 0x87870087,0x83830083,0xcdcd00cd,0x90900090, 395 | 0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf, 396 | 0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6, 397 | 0x81810081,0x6f6f006f,0x13130013,0x63630063, 398 | 0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc, 399 | 0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4, 400 | 0x78780078,0x06060006,0xe7e700e7,0x71710071, 401 | 0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d, 402 | 0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac, 403 | 0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1, 404 | 0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043, 405 | 0x15150015,0xadad00ad,0x77770077,0x80800080, 406 | 0x82820082,0xecec00ec,0x27270027,0xe5e500e5, 407 | 0x85850085,0x35350035,0x0c0c000c,0x41410041, 408 | 0xefef00ef,0x93930093,0x19190019,0x21210021, 409 | 0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd, 410 | 0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce, 411 | 0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a, 412 | 0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d, 413 | 0x01010001,0xd6d600d6,0x56560056,0x4d4d004d, 414 | 0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d, 415 | 0x12120012,0x20200020,0xb1b100b1,0x99990099, 416 | 0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005, 417 | 0xb7b700b7,0x31310031,0x17170017,0xd7d700d7, 418 | 0x58580058,0x61610061,0x1b1b001b,0x1c1c001c, 419 | 0x0f0f000f,0x16160016,0x18180018,0x22220022, 420 | 0x44440044,0xb2b200b2,0xb5b500b5,0x91910091, 421 | 0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050, 422 | 0xd0d000d0,0x7d7d007d,0x89890089,0x97970097, 423 | 0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2, 424 | 0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db, 425 | 0x03030003,0xdada00da,0x3f3f003f,0x94940094, 426 | 0x5c5c005c,0x02020002,0x4a4a004a,0x33330033, 427 | 0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2, 428 | 0x9b9b009b,0x26260026,0x37370037,0x3b3b003b, 429 | 0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e, 430 | 0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e, 431 | 0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059, 432 | 0x98980098,0x6a6a006a,0x46460046,0xbaba00ba, 433 | 0x25250025,0x42420042,0xa2a200a2,0xfafa00fa, 434 | 0x07070007,0x55550055,0xeeee00ee,0x0a0a000a, 435 | 0x49490049,0x68680068,0x38380038,0xa4a400a4, 436 | 0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1, 437 | 0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e, 438 | }; 439 | 440 | 441 | /** 442 | * Stuff related to the Camellia key schedule 443 | */ 444 | #define subl(x) subL[(x)] 445 | #define subr(x) subR[(x)] 446 | 447 | void camellia_setup128(const unsigned char *key, u32 *subkey) 448 | { 449 | u32 kll, klr, krl, krr; 450 | u32 il, ir, t0, t1, w0, w1; 451 | u32 kw4l, kw4r, dw, tl, tr; 452 | u32 subL[26]; 453 | u32 subR[26]; 454 | 455 | /** 456 | * k == kll || klr || krl || krr (|| is concatination) 457 | */ 458 | kll = GETU32(key ); 459 | klr = GETU32(key + 4); 460 | krl = GETU32(key + 8); 461 | krr = GETU32(key + 12); 462 | /** 463 | * generate KL dependent subkeys 464 | */ 465 | subl(0) = kll; subr(0) = klr; 466 | subl(1) = krl; subr(1) = krr; 467 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15); 468 | subl(4) = kll; subr(4) = klr; 469 | subl(5) = krl; subr(5) = krr; 470 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30); 471 | subl(10) = kll; subr(10) = klr; 472 | subl(11) = krl; subr(11) = krr; 473 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15); 474 | subl(13) = krl; subr(13) = krr; 475 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17); 476 | subl(16) = kll; subr(16) = klr; 477 | subl(17) = krl; subr(17) = krr; 478 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17); 479 | subl(18) = kll; subr(18) = klr; 480 | subl(19) = krl; subr(19) = krr; 481 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17); 482 | subl(22) = kll; subr(22) = klr; 483 | subl(23) = krl; subr(23) = krr; 484 | 485 | /* generate KA */ 486 | kll = subl(0); klr = subr(0); 487 | krl = subl(1); krr = subr(1); 488 | CAMELLIA_F(kll, klr, 489 | CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R, 490 | w0, w1, il, ir, t0, t1); 491 | krl ^= w0; krr ^= w1; 492 | CAMELLIA_F(krl, krr, 493 | CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R, 494 | kll, klr, il, ir, t0, t1); 495 | CAMELLIA_F(kll, klr, 496 | CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R, 497 | krl, krr, il, ir, t0, t1); 498 | krl ^= w0; krr ^= w1; 499 | CAMELLIA_F(krl, krr, 500 | CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R, 501 | w0, w1, il, ir, t0, t1); 502 | kll ^= w0; klr ^= w1; 503 | 504 | /* generate KA dependent subkeys */ 505 | subl(2) = kll; subr(2) = klr; 506 | subl(3) = krl; subr(3) = krr; 507 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15); 508 | subl(6) = kll; subr(6) = klr; 509 | subl(7) = krl; subr(7) = krr; 510 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15); 511 | subl(8) = kll; subr(8) = klr; 512 | subl(9) = krl; subr(9) = krr; 513 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15); 514 | subl(12) = kll; subr(12) = klr; 515 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15); 516 | subl(14) = kll; subr(14) = klr; 517 | subl(15) = krl; subr(15) = krr; 518 | CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34); 519 | subl(20) = kll; subr(20) = klr; 520 | subl(21) = krl; subr(21) = krr; 521 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17); 522 | subl(24) = kll; subr(24) = klr; 523 | subl(25) = krl; subr(25) = krr; 524 | 525 | 526 | /* absorb kw2 to other subkeys */ 527 | subl(3) ^= subl(1); subr(3) ^= subr(1); 528 | subl(5) ^= subl(1); subr(5) ^= subr(1); 529 | subl(7) ^= subl(1); subr(7) ^= subr(1); 530 | subl(1) ^= subr(1) & ~subr(9); 531 | dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw); 532 | subl(11) ^= subl(1); subr(11) ^= subr(1); 533 | subl(13) ^= subl(1); subr(13) ^= subr(1); 534 | subl(15) ^= subl(1); subr(15) ^= subr(1); 535 | subl(1) ^= subr(1) & ~subr(17); 536 | dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw); 537 | subl(19) ^= subl(1); subr(19) ^= subr(1); 538 | subl(21) ^= subl(1); subr(21) ^= subr(1); 539 | subl(23) ^= subl(1); subr(23) ^= subr(1); 540 | subl(24) ^= subl(1); subr(24) ^= subr(1); 541 | 542 | /* absorb kw4 to other subkeys */ 543 | kw4l = subl(25); kw4r = subr(25); 544 | subl(22) ^= kw4l; subr(22) ^= kw4r; 545 | subl(20) ^= kw4l; subr(20) ^= kw4r; 546 | subl(18) ^= kw4l; subr(18) ^= kw4r; 547 | kw4l ^= kw4r & ~subr(16); 548 | dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw); 549 | subl(14) ^= kw4l; subr(14) ^= kw4r; 550 | subl(12) ^= kw4l; subr(12) ^= kw4r; 551 | subl(10) ^= kw4l; subr(10) ^= kw4r; 552 | kw4l ^= kw4r & ~subr(8); 553 | dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw); 554 | subl(6) ^= kw4l; subr(6) ^= kw4r; 555 | subl(4) ^= kw4l; subr(4) ^= kw4r; 556 | subl(2) ^= kw4l; subr(2) ^= kw4r; 557 | subl(0) ^= kw4l; subr(0) ^= kw4r; 558 | 559 | /* key XOR is end of F-function */ 560 | CamelliaSubkeyL(0) = subl(0) ^ subl(2); 561 | CamelliaSubkeyR(0) = subr(0) ^ subr(2); 562 | CamelliaSubkeyL(2) = subl(3); 563 | CamelliaSubkeyR(2) = subr(3); 564 | CamelliaSubkeyL(3) = subl(2) ^ subl(4); 565 | CamelliaSubkeyR(3) = subr(2) ^ subr(4); 566 | CamelliaSubkeyL(4) = subl(3) ^ subl(5); 567 | CamelliaSubkeyR(4) = subr(3) ^ subr(5); 568 | CamelliaSubkeyL(5) = subl(4) ^ subl(6); 569 | CamelliaSubkeyR(5) = subr(4) ^ subr(6); 570 | CamelliaSubkeyL(6) = subl(5) ^ subl(7); 571 | CamelliaSubkeyR(6) = subr(5) ^ subr(7); 572 | tl = subl(10) ^ (subr(10) & ~subr(8)); 573 | dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw); 574 | CamelliaSubkeyL(7) = subl(6) ^ tl; 575 | CamelliaSubkeyR(7) = subr(6) ^ tr; 576 | CamelliaSubkeyL(8) = subl(8); 577 | CamelliaSubkeyR(8) = subr(8); 578 | CamelliaSubkeyL(9) = subl(9); 579 | CamelliaSubkeyR(9) = subr(9); 580 | tl = subl(7) ^ (subr(7) & ~subr(9)); 581 | dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw); 582 | CamelliaSubkeyL(10) = tl ^ subl(11); 583 | CamelliaSubkeyR(10) = tr ^ subr(11); 584 | CamelliaSubkeyL(11) = subl(10) ^ subl(12); 585 | CamelliaSubkeyR(11) = subr(10) ^ subr(12); 586 | CamelliaSubkeyL(12) = subl(11) ^ subl(13); 587 | CamelliaSubkeyR(12) = subr(11) ^ subr(13); 588 | CamelliaSubkeyL(13) = subl(12) ^ subl(14); 589 | CamelliaSubkeyR(13) = subr(12) ^ subr(14); 590 | CamelliaSubkeyL(14) = subl(13) ^ subl(15); 591 | CamelliaSubkeyR(14) = subr(13) ^ subr(15); 592 | tl = subl(18) ^ (subr(18) & ~subr(16)); 593 | dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw); 594 | CamelliaSubkeyL(15) = subl(14) ^ tl; 595 | CamelliaSubkeyR(15) = subr(14) ^ tr; 596 | CamelliaSubkeyL(16) = subl(16); 597 | CamelliaSubkeyR(16) = subr(16); 598 | CamelliaSubkeyL(17) = subl(17); 599 | CamelliaSubkeyR(17) = subr(17); 600 | tl = subl(15) ^ (subr(15) & ~subr(17)); 601 | dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw); 602 | CamelliaSubkeyL(18) = tl ^ subl(19); 603 | CamelliaSubkeyR(18) = tr ^ subr(19); 604 | CamelliaSubkeyL(19) = subl(18) ^ subl(20); 605 | CamelliaSubkeyR(19) = subr(18) ^ subr(20); 606 | CamelliaSubkeyL(20) = subl(19) ^ subl(21); 607 | CamelliaSubkeyR(20) = subr(19) ^ subr(21); 608 | CamelliaSubkeyL(21) = subl(20) ^ subl(22); 609 | CamelliaSubkeyR(21) = subr(20) ^ subr(22); 610 | CamelliaSubkeyL(22) = subl(21) ^ subl(23); 611 | CamelliaSubkeyR(22) = subr(21) ^ subr(23); 612 | CamelliaSubkeyL(23) = subl(22); 613 | CamelliaSubkeyR(23) = subr(22); 614 | CamelliaSubkeyL(24) = subl(24) ^ subl(23); 615 | CamelliaSubkeyR(24) = subr(24) ^ subr(23); 616 | 617 | /* apply the inverse of the last half of P-function */ 618 | dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw); 619 | CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw; 620 | dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw); 621 | CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw; 622 | dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw); 623 | CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw; 624 | dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw); 625 | CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw; 626 | dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw); 627 | CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw; 628 | dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw); 629 | CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw; 630 | dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw); 631 | CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw; 632 | dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw); 633 | CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw; 634 | dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw); 635 | CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw; 636 | dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw); 637 | CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw; 638 | dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw); 639 | CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw; 640 | dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw); 641 | CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw; 642 | dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw); 643 | CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw; 644 | dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw); 645 | CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw; 646 | dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw); 647 | CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw; 648 | dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw); 649 | CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw; 650 | dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw); 651 | CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw; 652 | dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw); 653 | CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw; 654 | 655 | return; 656 | } 657 | 658 | void camellia_setup256(const unsigned char *key, u32 *subkey) 659 | { 660 | u32 kll,klr,krl,krr; /* left half of key */ 661 | u32 krll,krlr,krrl,krrr; /* right half of key */ 662 | u32 il, ir, t0, t1, w0, w1; /* temporary variables */ 663 | u32 kw4l, kw4r, dw, tl, tr; 664 | u32 subL[34]; 665 | u32 subR[34]; 666 | 667 | /** 668 | * key = (kll || klr || krl || krr || krll || krlr || krrl || krrr) 669 | * (|| is concatination) 670 | */ 671 | 672 | kll = GETU32(key ); 673 | klr = GETU32(key + 4); 674 | krl = GETU32(key + 8); 675 | krr = GETU32(key + 12); 676 | krll = GETU32(key + 16); 677 | krlr = GETU32(key + 20); 678 | krrl = GETU32(key + 24); 679 | krrr = GETU32(key + 28); 680 | 681 | /* generate KL dependent subkeys */ 682 | subl(0) = kll; subr(0) = klr; 683 | subl(1) = krl; subr(1) = krr; 684 | CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45); 685 | subl(12) = kll; subr(12) = klr; 686 | subl(13) = krl; subr(13) = krr; 687 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15); 688 | subl(16) = kll; subr(16) = klr; 689 | subl(17) = krl; subr(17) = krr; 690 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17); 691 | subl(22) = kll; subr(22) = klr; 692 | subl(23) = krl; subr(23) = krr; 693 | CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34); 694 | subl(30) = kll; subr(30) = klr; 695 | subl(31) = krl; subr(31) = krr; 696 | 697 | /* generate KR dependent subkeys */ 698 | CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15); 699 | subl(4) = krll; subr(4) = krlr; 700 | subl(5) = krrl; subr(5) = krrr; 701 | CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15); 702 | subl(8) = krll; subr(8) = krlr; 703 | subl(9) = krrl; subr(9) = krrr; 704 | CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30); 705 | subl(18) = krll; subr(18) = krlr; 706 | subl(19) = krrl; subr(19) = krrr; 707 | CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34); 708 | subl(26) = krll; subr(26) = krlr; 709 | subl(27) = krrl; subr(27) = krrr; 710 | CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34); 711 | 712 | /* generate KA */ 713 | kll = subl(0) ^ krll; klr = subr(0) ^ krlr; 714 | krl = subl(1) ^ krrl; krr = subr(1) ^ krrr; 715 | CAMELLIA_F(kll, klr, 716 | CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R, 717 | w0, w1, il, ir, t0, t1); 718 | krl ^= w0; krr ^= w1; 719 | CAMELLIA_F(krl, krr, 720 | CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R, 721 | kll, klr, il, ir, t0, t1); 722 | kll ^= krll; klr ^= krlr; 723 | CAMELLIA_F(kll, klr, 724 | CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R, 725 | krl, krr, il, ir, t0, t1); 726 | krl ^= w0 ^ krrl; krr ^= w1 ^ krrr; 727 | CAMELLIA_F(krl, krr, 728 | CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R, 729 | w0, w1, il, ir, t0, t1); 730 | kll ^= w0; klr ^= w1; 731 | 732 | /* generate KB */ 733 | krll ^= kll; krlr ^= klr; 734 | krrl ^= krl; krrr ^= krr; 735 | CAMELLIA_F(krll, krlr, 736 | CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R, 737 | w0, w1, il, ir, t0, t1); 738 | krrl ^= w0; krrr ^= w1; 739 | CAMELLIA_F(krrl, krrr, 740 | CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R, 741 | w0, w1, il, ir, t0, t1); 742 | krll ^= w0; krlr ^= w1; 743 | 744 | /* generate KA dependent subkeys */ 745 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15); 746 | subl(6) = kll; subr(6) = klr; 747 | subl(7) = krl; subr(7) = krr; 748 | CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30); 749 | subl(14) = kll; subr(14) = klr; 750 | subl(15) = krl; subr(15) = krr; 751 | subl(24) = klr; subr(24) = krl; 752 | subl(25) = krr; subr(25) = kll; 753 | CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49); 754 | subl(28) = kll; subr(28) = klr; 755 | subl(29) = krl; subr(29) = krr; 756 | 757 | /* generate KB dependent subkeys */ 758 | subl(2) = krll; subr(2) = krlr; 759 | subl(3) = krrl; subr(3) = krrr; 760 | CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30); 761 | subl(10) = krll; subr(10) = krlr; 762 | subl(11) = krrl; subr(11) = krrr; 763 | CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30); 764 | subl(20) = krll; subr(20) = krlr; 765 | subl(21) = krrl; subr(21) = krrr; 766 | CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51); 767 | subl(32) = krll; subr(32) = krlr; 768 | subl(33) = krrl; subr(33) = krrr; 769 | 770 | /* absorb kw2 to other subkeys */ 771 | subl(3) ^= subl(1); subr(3) ^= subr(1); 772 | subl(5) ^= subl(1); subr(5) ^= subr(1); 773 | subl(7) ^= subl(1); subr(7) ^= subr(1); 774 | subl(1) ^= subr(1) & ~subr(9); 775 | dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw); 776 | subl(11) ^= subl(1); subr(11) ^= subr(1); 777 | subl(13) ^= subl(1); subr(13) ^= subr(1); 778 | subl(15) ^= subl(1); subr(15) ^= subr(1); 779 | subl(1) ^= subr(1) & ~subr(17); 780 | dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw); 781 | subl(19) ^= subl(1); subr(19) ^= subr(1); 782 | subl(21) ^= subl(1); subr(21) ^= subr(1); 783 | subl(23) ^= subl(1); subr(23) ^= subr(1); 784 | subl(1) ^= subr(1) & ~subr(25); 785 | dw = subl(1) & subl(25), subr(1) ^= CAMELLIA_RL1(dw); 786 | subl(27) ^= subl(1); subr(27) ^= subr(1); 787 | subl(29) ^= subl(1); subr(29) ^= subr(1); 788 | subl(31) ^= subl(1); subr(31) ^= subr(1); 789 | subl(32) ^= subl(1); subr(32) ^= subr(1); 790 | 791 | /* absorb kw4 to other subkeys */ 792 | kw4l = subl(33); kw4r = subr(33); 793 | subl(30) ^= kw4l; subr(30) ^= kw4r; 794 | subl(28) ^= kw4l; subr(28) ^= kw4r; 795 | subl(26) ^= kw4l; subr(26) ^= kw4r; 796 | kw4l ^= kw4r & ~subr(24); 797 | dw = kw4l & subl(24), kw4r ^= CAMELLIA_RL1(dw); 798 | subl(22) ^= kw4l; subr(22) ^= kw4r; 799 | subl(20) ^= kw4l; subr(20) ^= kw4r; 800 | subl(18) ^= kw4l; subr(18) ^= kw4r; 801 | kw4l ^= kw4r & ~subr(16); 802 | dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw); 803 | subl(14) ^= kw4l; subr(14) ^= kw4r; 804 | subl(12) ^= kw4l; subr(12) ^= kw4r; 805 | subl(10) ^= kw4l; subr(10) ^= kw4r; 806 | kw4l ^= kw4r & ~subr(8); 807 | dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw); 808 | subl(6) ^= kw4l; subr(6) ^= kw4r; 809 | subl(4) ^= kw4l; subr(4) ^= kw4r; 810 | subl(2) ^= kw4l; subr(2) ^= kw4r; 811 | subl(0) ^= kw4l; subr(0) ^= kw4r; 812 | 813 | /* key XOR is end of F-function */ 814 | CamelliaSubkeyL(0) = subl(0) ^ subl(2); 815 | CamelliaSubkeyR(0) = subr(0) ^ subr(2); 816 | CamelliaSubkeyL(2) = subl(3); 817 | CamelliaSubkeyR(2) = subr(3); 818 | CamelliaSubkeyL(3) = subl(2) ^ subl(4); 819 | CamelliaSubkeyR(3) = subr(2) ^ subr(4); 820 | CamelliaSubkeyL(4) = subl(3) ^ subl(5); 821 | CamelliaSubkeyR(4) = subr(3) ^ subr(5); 822 | CamelliaSubkeyL(5) = subl(4) ^ subl(6); 823 | CamelliaSubkeyR(5) = subr(4) ^ subr(6); 824 | CamelliaSubkeyL(6) = subl(5) ^ subl(7); 825 | CamelliaSubkeyR(6) = subr(5) ^ subr(7); 826 | tl = subl(10) ^ (subr(10) & ~subr(8)); 827 | dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw); 828 | CamelliaSubkeyL(7) = subl(6) ^ tl; 829 | CamelliaSubkeyR(7) = subr(6) ^ tr; 830 | CamelliaSubkeyL(8) = subl(8); 831 | CamelliaSubkeyR(8) = subr(8); 832 | CamelliaSubkeyL(9) = subl(9); 833 | CamelliaSubkeyR(9) = subr(9); 834 | tl = subl(7) ^ (subr(7) & ~subr(9)); 835 | dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw); 836 | CamelliaSubkeyL(10) = tl ^ subl(11); 837 | CamelliaSubkeyR(10) = tr ^ subr(11); 838 | CamelliaSubkeyL(11) = subl(10) ^ subl(12); 839 | CamelliaSubkeyR(11) = subr(10) ^ subr(12); 840 | CamelliaSubkeyL(12) = subl(11) ^ subl(13); 841 | CamelliaSubkeyR(12) = subr(11) ^ subr(13); 842 | CamelliaSubkeyL(13) = subl(12) ^ subl(14); 843 | CamelliaSubkeyR(13) = subr(12) ^ subr(14); 844 | CamelliaSubkeyL(14) = subl(13) ^ subl(15); 845 | CamelliaSubkeyR(14) = subr(13) ^ subr(15); 846 | tl = subl(18) ^ (subr(18) & ~subr(16)); 847 | dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw); 848 | CamelliaSubkeyL(15) = subl(14) ^ tl; 849 | CamelliaSubkeyR(15) = subr(14) ^ tr; 850 | CamelliaSubkeyL(16) = subl(16); 851 | CamelliaSubkeyR(16) = subr(16); 852 | CamelliaSubkeyL(17) = subl(17); 853 | CamelliaSubkeyR(17) = subr(17); 854 | tl = subl(15) ^ (subr(15) & ~subr(17)); 855 | dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw); 856 | CamelliaSubkeyL(18) = tl ^ subl(19); 857 | CamelliaSubkeyR(18) = tr ^ subr(19); 858 | CamelliaSubkeyL(19) = subl(18) ^ subl(20); 859 | CamelliaSubkeyR(19) = subr(18) ^ subr(20); 860 | CamelliaSubkeyL(20) = subl(19) ^ subl(21); 861 | CamelliaSubkeyR(20) = subr(19) ^ subr(21); 862 | CamelliaSubkeyL(21) = subl(20) ^ subl(22); 863 | CamelliaSubkeyR(21) = subr(20) ^ subr(22); 864 | CamelliaSubkeyL(22) = subl(21) ^ subl(23); 865 | CamelliaSubkeyR(22) = subr(21) ^ subr(23); 866 | tl = subl(26) ^ (subr(26) & ~subr(24)); 867 | dw = tl & subl(24), tr = subr(26) ^ CAMELLIA_RL1(dw); 868 | CamelliaSubkeyL(23) = subl(22) ^ tl; 869 | CamelliaSubkeyR(23) = subr(22) ^ tr; 870 | CamelliaSubkeyL(24) = subl(24); 871 | CamelliaSubkeyR(24) = subr(24); 872 | CamelliaSubkeyL(25) = subl(25); 873 | CamelliaSubkeyR(25) = subr(25); 874 | tl = subl(23) ^ (subr(23) & ~subr(25)); 875 | dw = tl & subl(25), tr = subr(23) ^ CAMELLIA_RL1(dw); 876 | CamelliaSubkeyL(26) = tl ^ subl(27); 877 | CamelliaSubkeyR(26) = tr ^ subr(27); 878 | CamelliaSubkeyL(27) = subl(26) ^ subl(28); 879 | CamelliaSubkeyR(27) = subr(26) ^ subr(28); 880 | CamelliaSubkeyL(28) = subl(27) ^ subl(29); 881 | CamelliaSubkeyR(28) = subr(27) ^ subr(29); 882 | CamelliaSubkeyL(29) = subl(28) ^ subl(30); 883 | CamelliaSubkeyR(29) = subr(28) ^ subr(30); 884 | CamelliaSubkeyL(30) = subl(29) ^ subl(31); 885 | CamelliaSubkeyR(30) = subr(29) ^ subr(31); 886 | CamelliaSubkeyL(31) = subl(30); 887 | CamelliaSubkeyR(31) = subr(30); 888 | CamelliaSubkeyL(32) = subl(32) ^ subl(31); 889 | CamelliaSubkeyR(32) = subr(32) ^ subr(31); 890 | 891 | /* apply the inverse of the last half of P-function */ 892 | dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw); 893 | CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw; 894 | dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw); 895 | CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw; 896 | dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw); 897 | CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw; 898 | dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw); 899 | CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw; 900 | dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw); 901 | CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw; 902 | dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw); 903 | CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw; 904 | dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw); 905 | CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw; 906 | dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw); 907 | CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw; 908 | dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw); 909 | CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw; 910 | dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw); 911 | CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw; 912 | dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw); 913 | CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw; 914 | dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw); 915 | CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw; 916 | dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw); 917 | CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw; 918 | dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw); 919 | CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw; 920 | dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw); 921 | CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw; 922 | dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw); 923 | CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw; 924 | dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw); 925 | CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw; 926 | dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw); 927 | CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw; 928 | dw = CamelliaSubkeyL(26) ^ CamelliaSubkeyR(26), dw = CAMELLIA_RL8(dw); 929 | CamelliaSubkeyR(26) = CamelliaSubkeyL(26) ^ dw, CamelliaSubkeyL(26) = dw; 930 | dw = CamelliaSubkeyL(27) ^ CamelliaSubkeyR(27), dw = CAMELLIA_RL8(dw); 931 | CamelliaSubkeyR(27) = CamelliaSubkeyL(27) ^ dw, CamelliaSubkeyL(27) = dw; 932 | dw = CamelliaSubkeyL(28) ^ CamelliaSubkeyR(28), dw = CAMELLIA_RL8(dw); 933 | CamelliaSubkeyR(28) = CamelliaSubkeyL(28) ^ dw, CamelliaSubkeyL(28) = dw; 934 | dw = CamelliaSubkeyL(29) ^ CamelliaSubkeyR(29), dw = CAMELLIA_RL8(dw); 935 | CamelliaSubkeyR(29) = CamelliaSubkeyL(29) ^ dw, CamelliaSubkeyL(29) = dw; 936 | dw = CamelliaSubkeyL(30) ^ CamelliaSubkeyR(30), dw = CAMELLIA_RL8(dw); 937 | CamelliaSubkeyR(30) = CamelliaSubkeyL(30) ^ dw, CamelliaSubkeyL(30) = dw; 938 | dw = CamelliaSubkeyL(31) ^ CamelliaSubkeyR(31), dw = CAMELLIA_RL8(dw); 939 | CamelliaSubkeyR(31) = CamelliaSubkeyL(31) ^ dw,CamelliaSubkeyL(31) = dw; 940 | 941 | return; 942 | } 943 | 944 | void camellia_setup192(const unsigned char *key, u32 *subkey) 945 | { 946 | unsigned char kk[32]; 947 | u32 krll, krlr, krrl,krrr; 948 | 949 | memcpy(kk, key, 24); 950 | memcpy((unsigned char *)&krll, key+16,4); 951 | memcpy((unsigned char *)&krlr, key+20,4); 952 | krrl = ~krll; 953 | krrr = ~krlr; 954 | memcpy(kk+24, (unsigned char *)&krrl, 4); 955 | memcpy(kk+28, (unsigned char *)&krrr, 4); 956 | camellia_setup256(kk, subkey); 957 | return; 958 | } 959 | 960 | 961 | /** 962 | * Stuff related to camellia encryption/decryption 963 | * 964 | * "io" must be 4byte aligned and big-endian data. 965 | */ 966 | void camellia_encrypt128(const u32 *subkey, u32 *io) 967 | { 968 | u32 il, ir, t0, t1; 969 | 970 | /* pre whitening but absorb kw2*/ 971 | io[0] ^= CamelliaSubkeyL(0); 972 | io[1] ^= CamelliaSubkeyR(0); 973 | /* main iteration */ 974 | 975 | CAMELLIA_ROUNDSM(io[0],io[1], 976 | CamelliaSubkeyL(2),CamelliaSubkeyR(2), 977 | io[2],io[3],il,ir,t0,t1); 978 | CAMELLIA_ROUNDSM(io[2],io[3], 979 | CamelliaSubkeyL(3),CamelliaSubkeyR(3), 980 | io[0],io[1],il,ir,t0,t1); 981 | CAMELLIA_ROUNDSM(io[0],io[1], 982 | CamelliaSubkeyL(4),CamelliaSubkeyR(4), 983 | io[2],io[3],il,ir,t0,t1); 984 | CAMELLIA_ROUNDSM(io[2],io[3], 985 | CamelliaSubkeyL(5),CamelliaSubkeyR(5), 986 | io[0],io[1],il,ir,t0,t1); 987 | CAMELLIA_ROUNDSM(io[0],io[1], 988 | CamelliaSubkeyL(6),CamelliaSubkeyR(6), 989 | io[2],io[3],il,ir,t0,t1); 990 | CAMELLIA_ROUNDSM(io[2],io[3], 991 | CamelliaSubkeyL(7),CamelliaSubkeyR(7), 992 | io[0],io[1],il,ir,t0,t1); 993 | 994 | CAMELLIA_FLS(io[0],io[1],io[2],io[3], 995 | CamelliaSubkeyL(8),CamelliaSubkeyR(8), 996 | CamelliaSubkeyL(9),CamelliaSubkeyR(9), 997 | t0,t1,il,ir); 998 | 999 | CAMELLIA_ROUNDSM(io[0],io[1], 1000 | CamelliaSubkeyL(10),CamelliaSubkeyR(10), 1001 | io[2],io[3],il,ir,t0,t1); 1002 | CAMELLIA_ROUNDSM(io[2],io[3], 1003 | CamelliaSubkeyL(11),CamelliaSubkeyR(11), 1004 | io[0],io[1],il,ir,t0,t1); 1005 | CAMELLIA_ROUNDSM(io[0],io[1], 1006 | CamelliaSubkeyL(12),CamelliaSubkeyR(12), 1007 | io[2],io[3],il,ir,t0,t1); 1008 | CAMELLIA_ROUNDSM(io[2],io[3], 1009 | CamelliaSubkeyL(13),CamelliaSubkeyR(13), 1010 | io[0],io[1],il,ir,t0,t1); 1011 | CAMELLIA_ROUNDSM(io[0],io[1], 1012 | CamelliaSubkeyL(14),CamelliaSubkeyR(14), 1013 | io[2],io[3],il,ir,t0,t1); 1014 | CAMELLIA_ROUNDSM(io[2],io[3], 1015 | CamelliaSubkeyL(15),CamelliaSubkeyR(15), 1016 | io[0],io[1],il,ir,t0,t1); 1017 | 1018 | CAMELLIA_FLS(io[0],io[1],io[2],io[3], 1019 | CamelliaSubkeyL(16),CamelliaSubkeyR(16), 1020 | CamelliaSubkeyL(17),CamelliaSubkeyR(17), 1021 | t0,t1,il,ir); 1022 | 1023 | CAMELLIA_ROUNDSM(io[0],io[1], 1024 | CamelliaSubkeyL(18),CamelliaSubkeyR(18), 1025 | io[2],io[3],il,ir,t0,t1); 1026 | CAMELLIA_ROUNDSM(io[2],io[3], 1027 | CamelliaSubkeyL(19),CamelliaSubkeyR(19), 1028 | io[0],io[1],il,ir,t0,t1); 1029 | CAMELLIA_ROUNDSM(io[0],io[1], 1030 | CamelliaSubkeyL(20),CamelliaSubkeyR(20), 1031 | io[2],io[3],il,ir,t0,t1); 1032 | CAMELLIA_ROUNDSM(io[2],io[3], 1033 | CamelliaSubkeyL(21),CamelliaSubkeyR(21), 1034 | io[0],io[1],il,ir,t0,t1); 1035 | CAMELLIA_ROUNDSM(io[0],io[1], 1036 | CamelliaSubkeyL(22),CamelliaSubkeyR(22), 1037 | io[2],io[3],il,ir,t0,t1); 1038 | CAMELLIA_ROUNDSM(io[2],io[3], 1039 | CamelliaSubkeyL(23),CamelliaSubkeyR(23), 1040 | io[0],io[1],il,ir,t0,t1); 1041 | 1042 | /* post whitening but kw4 */ 1043 | io[2] ^= CamelliaSubkeyL(24); 1044 | io[3] ^= CamelliaSubkeyR(24); 1045 | 1046 | t0 = io[0]; 1047 | t1 = io[1]; 1048 | io[0] = io[2]; 1049 | io[1] = io[3]; 1050 | io[2] = t0; 1051 | io[3] = t1; 1052 | 1053 | return; 1054 | } 1055 | 1056 | void camellia_decrypt128(const u32 *subkey, u32 *io) 1057 | { 1058 | u32 il,ir,t0,t1; /* temporary valiables */ 1059 | 1060 | /* pre whitening but absorb kw2*/ 1061 | io[0] ^= CamelliaSubkeyL(24); 1062 | io[1] ^= CamelliaSubkeyR(24); 1063 | 1064 | /* main iteration */ 1065 | CAMELLIA_ROUNDSM(io[0],io[1], 1066 | CamelliaSubkeyL(23),CamelliaSubkeyR(23), 1067 | io[2],io[3],il,ir,t0,t1); 1068 | CAMELLIA_ROUNDSM(io[2],io[3], 1069 | CamelliaSubkeyL(22),CamelliaSubkeyR(22), 1070 | io[0],io[1],il,ir,t0,t1); 1071 | CAMELLIA_ROUNDSM(io[0],io[1], 1072 | CamelliaSubkeyL(21),CamelliaSubkeyR(21), 1073 | io[2],io[3],il,ir,t0,t1); 1074 | CAMELLIA_ROUNDSM(io[2],io[3], 1075 | CamelliaSubkeyL(20),CamelliaSubkeyR(20), 1076 | io[0],io[1],il,ir,t0,t1); 1077 | CAMELLIA_ROUNDSM(io[0],io[1], 1078 | CamelliaSubkeyL(19),CamelliaSubkeyR(19), 1079 | io[2],io[3],il,ir,t0,t1); 1080 | CAMELLIA_ROUNDSM(io[2],io[3], 1081 | CamelliaSubkeyL(18),CamelliaSubkeyR(18), 1082 | io[0],io[1],il,ir,t0,t1); 1083 | 1084 | CAMELLIA_FLS(io[0],io[1],io[2],io[3], 1085 | CamelliaSubkeyL(17),CamelliaSubkeyR(17), 1086 | CamelliaSubkeyL(16),CamelliaSubkeyR(16), 1087 | t0,t1,il,ir); 1088 | 1089 | CAMELLIA_ROUNDSM(io[0],io[1], 1090 | CamelliaSubkeyL(15),CamelliaSubkeyR(15), 1091 | io[2],io[3],il,ir,t0,t1); 1092 | CAMELLIA_ROUNDSM(io[2],io[3], 1093 | CamelliaSubkeyL(14),CamelliaSubkeyR(14), 1094 | io[0],io[1],il,ir,t0,t1); 1095 | CAMELLIA_ROUNDSM(io[0],io[1], 1096 | CamelliaSubkeyL(13),CamelliaSubkeyR(13), 1097 | io[2],io[3],il,ir,t0,t1); 1098 | CAMELLIA_ROUNDSM(io[2],io[3], 1099 | CamelliaSubkeyL(12),CamelliaSubkeyR(12), 1100 | io[0],io[1],il,ir,t0,t1); 1101 | CAMELLIA_ROUNDSM(io[0],io[1], 1102 | CamelliaSubkeyL(11),CamelliaSubkeyR(11), 1103 | io[2],io[3],il,ir,t0,t1); 1104 | CAMELLIA_ROUNDSM(io[2],io[3], 1105 | CamelliaSubkeyL(10),CamelliaSubkeyR(10), 1106 | io[0],io[1],il,ir,t0,t1); 1107 | 1108 | CAMELLIA_FLS(io[0],io[1],io[2],io[3], 1109 | CamelliaSubkeyL(9),CamelliaSubkeyR(9), 1110 | CamelliaSubkeyL(8),CamelliaSubkeyR(8), 1111 | t0,t1,il,ir); 1112 | 1113 | CAMELLIA_ROUNDSM(io[0],io[1], 1114 | CamelliaSubkeyL(7),CamelliaSubkeyR(7), 1115 | io[2],io[3],il,ir,t0,t1); 1116 | CAMELLIA_ROUNDSM(io[2],io[3], 1117 | CamelliaSubkeyL(6),CamelliaSubkeyR(6), 1118 | io[0],io[1],il,ir,t0,t1); 1119 | CAMELLIA_ROUNDSM(io[0],io[1], 1120 | CamelliaSubkeyL(5),CamelliaSubkeyR(5), 1121 | io[2],io[3],il,ir,t0,t1); 1122 | CAMELLIA_ROUNDSM(io[2],io[3], 1123 | CamelliaSubkeyL(4),CamelliaSubkeyR(4), 1124 | io[0],io[1],il,ir,t0,t1); 1125 | CAMELLIA_ROUNDSM(io[0],io[1], 1126 | CamelliaSubkeyL(3),CamelliaSubkeyR(3), 1127 | io[2],io[3],il,ir,t0,t1); 1128 | CAMELLIA_ROUNDSM(io[2],io[3], 1129 | CamelliaSubkeyL(2),CamelliaSubkeyR(2), 1130 | io[0],io[1],il,ir,t0,t1); 1131 | 1132 | /* post whitening but kw4 */ 1133 | io[2] ^= CamelliaSubkeyL(0); 1134 | io[3] ^= CamelliaSubkeyR(0); 1135 | 1136 | t0 = io[0]; 1137 | t1 = io[1]; 1138 | io[0] = io[2]; 1139 | io[1] = io[3]; 1140 | io[2] = t0; 1141 | io[3] = t1; 1142 | 1143 | return; 1144 | } 1145 | 1146 | /** 1147 | * stuff for 192 and 256bit encryption/decryption 1148 | */ 1149 | void camellia_encrypt256(const u32 *subkey, u32 *io) 1150 | { 1151 | u32 il,ir,t0,t1; /* temporary valiables */ 1152 | 1153 | /* pre whitening but absorb kw2*/ 1154 | io[0] ^= CamelliaSubkeyL(0); 1155 | io[1] ^= CamelliaSubkeyR(0); 1156 | 1157 | /* main iteration */ 1158 | CAMELLIA_ROUNDSM(io[0],io[1], 1159 | CamelliaSubkeyL(2),CamelliaSubkeyR(2), 1160 | io[2],io[3],il,ir,t0,t1); 1161 | CAMELLIA_ROUNDSM(io[2],io[3], 1162 | CamelliaSubkeyL(3),CamelliaSubkeyR(3), 1163 | io[0],io[1],il,ir,t0,t1); 1164 | CAMELLIA_ROUNDSM(io[0],io[1], 1165 | CamelliaSubkeyL(4),CamelliaSubkeyR(4), 1166 | io[2],io[3],il,ir,t0,t1); 1167 | CAMELLIA_ROUNDSM(io[2],io[3], 1168 | CamelliaSubkeyL(5),CamelliaSubkeyR(5), 1169 | io[0],io[1],il,ir,t0,t1); 1170 | CAMELLIA_ROUNDSM(io[0],io[1], 1171 | CamelliaSubkeyL(6),CamelliaSubkeyR(6), 1172 | io[2],io[3],il,ir,t0,t1); 1173 | CAMELLIA_ROUNDSM(io[2],io[3], 1174 | CamelliaSubkeyL(7),CamelliaSubkeyR(7), 1175 | io[0],io[1],il,ir,t0,t1); 1176 | 1177 | CAMELLIA_FLS(io[0],io[1],io[2],io[3], 1178 | CamelliaSubkeyL(8),CamelliaSubkeyR(8), 1179 | CamelliaSubkeyL(9),CamelliaSubkeyR(9), 1180 | t0,t1,il,ir); 1181 | 1182 | CAMELLIA_ROUNDSM(io[0],io[1], 1183 | CamelliaSubkeyL(10),CamelliaSubkeyR(10), 1184 | io[2],io[3],il,ir,t0,t1); 1185 | CAMELLIA_ROUNDSM(io[2],io[3], 1186 | CamelliaSubkeyL(11),CamelliaSubkeyR(11), 1187 | io[0],io[1],il,ir,t0,t1); 1188 | CAMELLIA_ROUNDSM(io[0],io[1], 1189 | CamelliaSubkeyL(12),CamelliaSubkeyR(12), 1190 | io[2],io[3],il,ir,t0,t1); 1191 | CAMELLIA_ROUNDSM(io[2],io[3], 1192 | CamelliaSubkeyL(13),CamelliaSubkeyR(13), 1193 | io[0],io[1],il,ir,t0,t1); 1194 | CAMELLIA_ROUNDSM(io[0],io[1], 1195 | CamelliaSubkeyL(14),CamelliaSubkeyR(14), 1196 | io[2],io[3],il,ir,t0,t1); 1197 | CAMELLIA_ROUNDSM(io[2],io[3], 1198 | CamelliaSubkeyL(15),CamelliaSubkeyR(15), 1199 | io[0],io[1],il,ir,t0,t1); 1200 | 1201 | CAMELLIA_FLS(io[0],io[1],io[2],io[3], 1202 | CamelliaSubkeyL(16),CamelliaSubkeyR(16), 1203 | CamelliaSubkeyL(17),CamelliaSubkeyR(17), 1204 | t0,t1,il,ir); 1205 | 1206 | CAMELLIA_ROUNDSM(io[0],io[1], 1207 | CamelliaSubkeyL(18),CamelliaSubkeyR(18), 1208 | io[2],io[3],il,ir,t0,t1); 1209 | CAMELLIA_ROUNDSM(io[2],io[3], 1210 | CamelliaSubkeyL(19),CamelliaSubkeyR(19), 1211 | io[0],io[1],il,ir,t0,t1); 1212 | CAMELLIA_ROUNDSM(io[0],io[1], 1213 | CamelliaSubkeyL(20),CamelliaSubkeyR(20), 1214 | io[2],io[3],il,ir,t0,t1); 1215 | CAMELLIA_ROUNDSM(io[2],io[3], 1216 | CamelliaSubkeyL(21),CamelliaSubkeyR(21), 1217 | io[0],io[1],il,ir,t0,t1); 1218 | CAMELLIA_ROUNDSM(io[0],io[1], 1219 | CamelliaSubkeyL(22),CamelliaSubkeyR(22), 1220 | io[2],io[3],il,ir,t0,t1); 1221 | CAMELLIA_ROUNDSM(io[2],io[3], 1222 | CamelliaSubkeyL(23),CamelliaSubkeyR(23), 1223 | io[0],io[1],il,ir,t0,t1); 1224 | 1225 | CAMELLIA_FLS(io[0],io[1],io[2],io[3], 1226 | CamelliaSubkeyL(24),CamelliaSubkeyR(24), 1227 | CamelliaSubkeyL(25),CamelliaSubkeyR(25), 1228 | t0,t1,il,ir); 1229 | 1230 | CAMELLIA_ROUNDSM(io[0],io[1], 1231 | CamelliaSubkeyL(26),CamelliaSubkeyR(26), 1232 | io[2],io[3],il,ir,t0,t1); 1233 | CAMELLIA_ROUNDSM(io[2],io[3], 1234 | CamelliaSubkeyL(27),CamelliaSubkeyR(27), 1235 | io[0],io[1],il,ir,t0,t1); 1236 | CAMELLIA_ROUNDSM(io[0],io[1], 1237 | CamelliaSubkeyL(28),CamelliaSubkeyR(28), 1238 | io[2],io[3],il,ir,t0,t1); 1239 | CAMELLIA_ROUNDSM(io[2],io[3], 1240 | CamelliaSubkeyL(29),CamelliaSubkeyR(29), 1241 | io[0],io[1],il,ir,t0,t1); 1242 | CAMELLIA_ROUNDSM(io[0],io[1], 1243 | CamelliaSubkeyL(30),CamelliaSubkeyR(30), 1244 | io[2],io[3],il,ir,t0,t1); 1245 | CAMELLIA_ROUNDSM(io[2],io[3], 1246 | CamelliaSubkeyL(31),CamelliaSubkeyR(31), 1247 | io[0],io[1],il,ir,t0,t1); 1248 | 1249 | /* post whitening but kw4 */ 1250 | io[2] ^= CamelliaSubkeyL(32); 1251 | io[3] ^= CamelliaSubkeyR(32); 1252 | 1253 | t0 = io[0]; 1254 | t1 = io[1]; 1255 | io[0] = io[2]; 1256 | io[1] = io[3]; 1257 | io[2] = t0; 1258 | io[3] = t1; 1259 | 1260 | return; 1261 | } 1262 | 1263 | void camellia_decrypt256(const u32 *subkey, u32 *io) 1264 | { 1265 | u32 il,ir,t0,t1; /* temporary valiables */ 1266 | 1267 | /* pre whitening but absorb kw2*/ 1268 | io[0] ^= CamelliaSubkeyL(32); 1269 | io[1] ^= CamelliaSubkeyR(32); 1270 | 1271 | /* main iteration */ 1272 | CAMELLIA_ROUNDSM(io[0],io[1], 1273 | CamelliaSubkeyL(31),CamelliaSubkeyR(31), 1274 | io[2],io[3],il,ir,t0,t1); 1275 | CAMELLIA_ROUNDSM(io[2],io[3], 1276 | CamelliaSubkeyL(30),CamelliaSubkeyR(30), 1277 | io[0],io[1],il,ir,t0,t1); 1278 | CAMELLIA_ROUNDSM(io[0],io[1], 1279 | CamelliaSubkeyL(29),CamelliaSubkeyR(29), 1280 | io[2],io[3],il,ir,t0,t1); 1281 | CAMELLIA_ROUNDSM(io[2],io[3], 1282 | CamelliaSubkeyL(28),CamelliaSubkeyR(28), 1283 | io[0],io[1],il,ir,t0,t1); 1284 | CAMELLIA_ROUNDSM(io[0],io[1], 1285 | CamelliaSubkeyL(27),CamelliaSubkeyR(27), 1286 | io[2],io[3],il,ir,t0,t1); 1287 | CAMELLIA_ROUNDSM(io[2],io[3], 1288 | CamelliaSubkeyL(26),CamelliaSubkeyR(26), 1289 | io[0],io[1],il,ir,t0,t1); 1290 | 1291 | CAMELLIA_FLS(io[0],io[1],io[2],io[3], 1292 | CamelliaSubkeyL(25),CamelliaSubkeyR(25), 1293 | CamelliaSubkeyL(24),CamelliaSubkeyR(24), 1294 | t0,t1,il,ir); 1295 | 1296 | CAMELLIA_ROUNDSM(io[0],io[1], 1297 | CamelliaSubkeyL(23),CamelliaSubkeyR(23), 1298 | io[2],io[3],il,ir,t0,t1); 1299 | CAMELLIA_ROUNDSM(io[2],io[3], 1300 | CamelliaSubkeyL(22),CamelliaSubkeyR(22), 1301 | io[0],io[1],il,ir,t0,t1); 1302 | CAMELLIA_ROUNDSM(io[0],io[1], 1303 | CamelliaSubkeyL(21),CamelliaSubkeyR(21), 1304 | io[2],io[3],il,ir,t0,t1); 1305 | CAMELLIA_ROUNDSM(io[2],io[3], 1306 | CamelliaSubkeyL(20),CamelliaSubkeyR(20), 1307 | io[0],io[1],il,ir,t0,t1); 1308 | CAMELLIA_ROUNDSM(io[0],io[1], 1309 | CamelliaSubkeyL(19),CamelliaSubkeyR(19), 1310 | io[2],io[3],il,ir,t0,t1); 1311 | CAMELLIA_ROUNDSM(io[2],io[3], 1312 | CamelliaSubkeyL(18),CamelliaSubkeyR(18), 1313 | io[0],io[1],il,ir,t0,t1); 1314 | 1315 | CAMELLIA_FLS(io[0],io[1],io[2],io[3], 1316 | CamelliaSubkeyL(17),CamelliaSubkeyR(17), 1317 | CamelliaSubkeyL(16),CamelliaSubkeyR(16), 1318 | t0,t1,il,ir); 1319 | 1320 | CAMELLIA_ROUNDSM(io[0],io[1], 1321 | CamelliaSubkeyL(15),CamelliaSubkeyR(15), 1322 | io[2],io[3],il,ir,t0,t1); 1323 | CAMELLIA_ROUNDSM(io[2],io[3], 1324 | CamelliaSubkeyL(14),CamelliaSubkeyR(14), 1325 | io[0],io[1],il,ir,t0,t1); 1326 | CAMELLIA_ROUNDSM(io[0],io[1], 1327 | CamelliaSubkeyL(13),CamelliaSubkeyR(13), 1328 | io[2],io[3],il,ir,t0,t1); 1329 | CAMELLIA_ROUNDSM(io[2],io[3], 1330 | CamelliaSubkeyL(12),CamelliaSubkeyR(12), 1331 | io[0],io[1],il,ir,t0,t1); 1332 | CAMELLIA_ROUNDSM(io[0],io[1], 1333 | CamelliaSubkeyL(11),CamelliaSubkeyR(11), 1334 | io[2],io[3],il,ir,t0,t1); 1335 | CAMELLIA_ROUNDSM(io[2],io[3], 1336 | CamelliaSubkeyL(10),CamelliaSubkeyR(10), 1337 | io[0],io[1],il,ir,t0,t1); 1338 | 1339 | CAMELLIA_FLS(io[0],io[1],io[2],io[3], 1340 | CamelliaSubkeyL(9),CamelliaSubkeyR(9), 1341 | CamelliaSubkeyL(8),CamelliaSubkeyR(8), 1342 | t0,t1,il,ir); 1343 | 1344 | CAMELLIA_ROUNDSM(io[0],io[1], 1345 | CamelliaSubkeyL(7),CamelliaSubkeyR(7), 1346 | io[2],io[3],il,ir,t0,t1); 1347 | CAMELLIA_ROUNDSM(io[2],io[3], 1348 | CamelliaSubkeyL(6),CamelliaSubkeyR(6), 1349 | io[0],io[1],il,ir,t0,t1); 1350 | CAMELLIA_ROUNDSM(io[0],io[1], 1351 | CamelliaSubkeyL(5),CamelliaSubkeyR(5), 1352 | io[2],io[3],il,ir,t0,t1); 1353 | CAMELLIA_ROUNDSM(io[2],io[3], 1354 | CamelliaSubkeyL(4),CamelliaSubkeyR(4), 1355 | io[0],io[1],il,ir,t0,t1); 1356 | CAMELLIA_ROUNDSM(io[0],io[1], 1357 | CamelliaSubkeyL(3),CamelliaSubkeyR(3), 1358 | io[2],io[3],il,ir,t0,t1); 1359 | CAMELLIA_ROUNDSM(io[2],io[3], 1360 | CamelliaSubkeyL(2),CamelliaSubkeyR(2), 1361 | io[0],io[1],il,ir,t0,t1); 1362 | 1363 | /* post whitening but kw4 */ 1364 | io[2] ^= CamelliaSubkeyL(0); 1365 | io[3] ^= CamelliaSubkeyR(0); 1366 | 1367 | t0 = io[0]; 1368 | t1 = io[1]; 1369 | io[0] = io[2]; 1370 | io[1] = io[3]; 1371 | io[2] = t0; 1372 | io[3] = t1; 1373 | 1374 | return; 1375 | } 1376 | 1377 | /*** 1378 | * 1379 | * API for compatibility 1380 | */ 1381 | 1382 | void Camellia_Ekeygen(const int keyBitLength, 1383 | const unsigned char *rawKey, 1384 | KEY_TABLE_TYPE keyTable) 1385 | { 1386 | switch(keyBitLength) { 1387 | case 128: 1388 | camellia_setup128(rawKey, keyTable); 1389 | break; 1390 | case 192: 1391 | camellia_setup192(rawKey, keyTable); 1392 | break; 1393 | case 256: 1394 | camellia_setup256(rawKey, keyTable); 1395 | break; 1396 | default: 1397 | break; 1398 | } 1399 | } 1400 | 1401 | 1402 | void Camellia_EncryptBlock(const int keyBitLength, 1403 | const unsigned char *plaintext, 1404 | const KEY_TABLE_TYPE keyTable, 1405 | unsigned char *ciphertext) 1406 | { 1407 | u32 tmp[4]; 1408 | 1409 | tmp[0] = GETU32(plaintext); 1410 | tmp[1] = GETU32(plaintext + 4); 1411 | tmp[2] = GETU32(plaintext + 8); 1412 | tmp[3] = GETU32(plaintext + 12); 1413 | 1414 | switch (keyBitLength) { 1415 | case 128: 1416 | camellia_encrypt128(keyTable, tmp); 1417 | break; 1418 | case 192: 1419 | /* fall through */ 1420 | case 256: 1421 | camellia_encrypt256(keyTable, tmp); 1422 | break; 1423 | default: 1424 | break; 1425 | } 1426 | 1427 | PUTU32(ciphertext, tmp[0]); 1428 | PUTU32(ciphertext + 4, tmp[1]); 1429 | PUTU32(ciphertext + 8, tmp[2]); 1430 | PUTU32(ciphertext + 12, tmp[3]); 1431 | } 1432 | 1433 | void Camellia_DecryptBlock(const int keyBitLength, 1434 | const unsigned char *ciphertext, 1435 | const KEY_TABLE_TYPE keyTable, 1436 | unsigned char *plaintext) 1437 | { 1438 | u32 tmp[4]; 1439 | 1440 | tmp[0] = GETU32(ciphertext); 1441 | tmp[1] = GETU32(ciphertext + 4); 1442 | tmp[2] = GETU32(ciphertext + 8); 1443 | tmp[3] = GETU32(ciphertext + 12); 1444 | 1445 | switch (keyBitLength) { 1446 | case 128: 1447 | camellia_decrypt128(keyTable, tmp); 1448 | break; 1449 | case 192: 1450 | /* fall through */ 1451 | case 256: 1452 | camellia_decrypt256(keyTable, tmp); 1453 | break; 1454 | default: 1455 | break; 1456 | } 1457 | PUTU32(plaintext, tmp[0]); 1458 | PUTU32(plaintext + 4, tmp[1]); 1459 | PUTU32(plaintext + 8, tmp[2]); 1460 | PUTU32(plaintext + 12, tmp[3]); 1461 | } 1462 | -------------------------------------------------------------------------------- /camellia-GPL-1.2.0/camellia.h: -------------------------------------------------------------------------------- 1 | /* camellia.h ver 1.2.0 2 | * 3 | * Copyright (C) 2006,2007 4 | * NTT (Nippon Telegraph and Telephone Corporation). 5 | * 6 | * This program is free software; you can redistribute it and/or 7 | * modify it under the terms of the GNU General Public License 8 | * as published by the Free Software Foundation; either version 2 9 | * of the License, or (at your option) any later version. 10 | * 11 | * This program is distributed in the hope that it will be useful, 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU General Public License for more details. 15 | * 16 | * You should have received a copy of the GNU General Public License 17 | * along with this program; if not, write to the Free Software 18 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | #ifndef HEADER_CAMELLIA_H 22 | #define HEADER_CAMELLIA_H 23 | 24 | #ifdef __cplusplus 25 | extern "C" { 26 | #endif 27 | 28 | #define CAMELLIA_BLOCK_SIZE 16 29 | #define CAMELLIA_TABLE_BYTE_LEN 272 30 | #define CAMELLIA_TABLE_WORD_LEN (CAMELLIA_TABLE_BYTE_LEN / 4) 31 | 32 | typedef unsigned int KEY_TABLE_TYPE[CAMELLIA_TABLE_WORD_LEN]; 33 | 34 | 35 | void Camellia_Ekeygen(const int keyBitLength, 36 | const unsigned char *rawKey, 37 | KEY_TABLE_TYPE keyTable); 38 | 39 | void Camellia_EncryptBlock(const int keyBitLength, 40 | const unsigned char *plaintext, 41 | const KEY_TABLE_TYPE keyTable, 42 | unsigned char *cipherText); 43 | 44 | void Camellia_DecryptBlock(const int keyBitLength, 45 | const unsigned char *cipherText, 46 | const KEY_TABLE_TYPE keyTable, 47 | unsigned char *plaintext); 48 | 49 | 50 | #ifdef __cplusplus 51 | } 52 | #endif 53 | 54 | #endif /* HEADER_CAMELLIA_H */ 55 | -------------------------------------------------------------------------------- /libcrypt-camellia-perl_2.02-1_all.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j0hnnMcCock/fuckNSA/5ab1b84019382f1d075f7bd78cb68d6241614813/libcrypt-camellia-perl_2.02-1_all.deb -------------------------------------------------------------------------------- /libcrypt-camellia-perl_2.02-1_amd64.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j0hnnMcCock/fuckNSA/5ab1b84019382f1d075f7bd78cb68d6241614813/libcrypt-camellia-perl_2.02-1_amd64.deb -------------------------------------------------------------------------------- /libcrypt-camellia-pp-perl_0.02-1_all.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j0hnnMcCock/fuckNSA/5ab1b84019382f1d075f7bd78cb68d6241614813/libcrypt-camellia-pp-perl_0.02-1_all.deb -------------------------------------------------------------------------------- /libcrypt-cbc-perl_2.33-1_Lulzsec-mod_all.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j0hnnMcCock/fuckNSA/5ab1b84019382f1d075f7bd78cb68d6241614813/libcrypt-cbc-perl_2.33-1_Lulzsec-mod_all.deb -------------------------------------------------------------------------------- /nonsa.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | 3 | use strict; 4 | use warnings; 5 | use Digest::SHA qw(sha1 sha1_hex sha1_base64 sha384 sha512 sha512_hex sha512_base64 sha256 sha256_hex sha256_base64 hmac_sha256 hmac_sha256_base64 hmac_sha256_hex hmac_sha512 hmac_sha512_base64); 6 | use MIME::Base64; 7 | use Crypt::CBC qw(random_bytes); 8 | 9 | 10 | ## The utterly protopandemonic Analmaggedonical 'KeithAlexanderLovesCocks' function ## 11 | 12 | sub KeithAlexanderLovesCocks { 13 | 14 | my @dat = @_; 15 | 16 | my $d1 = sha512(sha512(sha512($dat[0]))); 17 | my $mk1 = sha256(sha256($d1)); 18 | my $d2 = sha512(sha384(sha256($dat[0]))); 19 | my $mk2 = sha256(sha256($d2)); 20 | 21 | my $hm1 = sha512(hmac_sha512($d2,$mk1)); 22 | my $hm2 = sha512(hmac_sha512($d1,$mk2)); 23 | 24 | my $hm = $hm1 ^ $hm2; 25 | 26 | my $mx = $d1 ^ $d2; 27 | $mx = $mx ^ $hm; 28 | my $mk = $mk1 ^ $mk2; 29 | 30 | $mx = sha512(hmac_sha512($mx,$mk)); 31 | 32 | my $dkA = sha512_base64(hmac_sha512($mx,$mk)); 33 | my $dkB = sha512_base64(sha384(hmac_sha512($mx,$mk))); 34 | 35 | my $dk = sha512_base64(hmac_sha512($dkA,$dkB)); 36 | 37 | return ($dk,$dkA,$dkB); 38 | } 39 | 40 | ## < kayla> lol 41 | 42 | 43 | my @args = @ARGV; 44 | 45 | if ( !($args[0] =~ m/^(-e|-d)$/ ) || !$args[1] || !$args[2] ) { 46 | 47 | print ("noNSA is a simple PoC to encrypt files with Camellia-256, \n"); 48 | print ("providing good verbose, HMAC of files, and deploying the\n"); 49 | print ("KeithAlexanderLovesCocks function to derive stronger \n"); 50 | print ("passphrases (or seeds) from the given ones, before the key derivation step. \n\n"); 51 | print ("Usage: nonsa <-e|-d> FILE \n\n"); 52 | print ("-e to encrypt a file \n"); 53 | print ("-d to decrypt a file \n"); 54 | print (" means..err.well..that you need to give the passphrase to use \n"); 55 | print ("FILE means..well..the name of the file you want to encrypt or decrypt... \n\n"); 56 | 57 | }else{ 58 | 59 | 60 | if (!( -e $args[2])) { 61 | 62 | print("$args[2] : File not found. \n"); 63 | exit; 64 | 65 | }else{ 66 | 67 | 68 | my ($penis,$penis2,$penis3) = KeithAlexanderLovesCocks($args[1]); 69 | 70 | 71 | my $cipher = Crypt::CBC->new( 72 | { 73 | 'key' => 'b0ssjP3n1s+d2y0l0+IATTsuxiOB1vz7', # change this to a decent key with 32 chars 74 | 75 | # 'cipher' => 'Rijndael', # change this if you want to use AES instead Camellia, 76 | # but we suggest to stick to Camellia, Camellia requires Crypt::Camellia 77 | # 'cipher' => 'Camellia', 78 | 'cipher' => 'Camellia_PP', # Optionally you could use the pure perl implementation of Camellia in case 79 | # you need it, considering the performance cost that implies. 80 | 'padding' => 'standard', 81 | 82 | 'fuckNSA' => 1, # if you want to use the enforced Crypt::CBC features 83 | } 84 | ); 85 | 86 | 87 | $cipher->{'passphrase'} = $penis; 88 | 89 | if ( $args[0] eq '-e' ) { 90 | 91 | my $buffer; 92 | $cipher->start('encrypting'); 93 | open(F,"<$args[2]") or die "cannot open file $args[2]" ; 94 | open(T,">$args[2].crypt") or die "cannot open file $args[2].crypt"; 95 | while (read(F,$buffer,1024)) { 96 | 97 | print T $cipher->crypt($buffer); 98 | 99 | 100 | } 101 | 102 | print T $cipher->finish; 103 | close(T); 104 | close(F); 105 | 106 | 107 | my $algo = $cipher->{cipher}; 108 | $algo =~ s/Crypt::// ; 109 | print "Algorithm : " . $algo . " Keysize: " . int($cipher->{keysize}) * 8 . "bits Blocksize: " . int($cipher->{blocksize}) * 8 . "bits \n\n" ; 110 | print "passphrase : " . $args[1] . " \n"; 111 | 112 | if ( ($cipher->{fuckNSA}) and ($cipher->{fuckNSA} == 1) ) { 113 | print "fuckNSA enabled : yes \n"; 114 | }else{ 115 | print "fuckNSA enabled : no \n"; 116 | } 117 | 118 | print "salt : " . unpack("H*",$cipher->{'salt'}) ." \n"; 119 | print "key : " . unpack("H*",$cipher->{'key'}) ." \n"; 120 | print "iv : " . unpack("H*",$cipher->{'iv'}) ." \n"; 121 | print "KALC derived proto-Key seed : $cipher->{'passphrase'} \n\n"; 122 | print "Encrypted output file is : $args[2].crypt \n\n"; 123 | 124 | my $file; 125 | open(F,"<$args[2]") or die "cannot open file $args[2]"; 126 | { 127 | local $/; 128 | $file = ; 129 | } 130 | close(F); 131 | print ("HMAC (SHA256) for unencrypted File: " . hmac_sha256_hex($file,substr($penis3,0,32)) . " \n"); 132 | print ("KALC derived HMAC key: " . substr($penis3,0,32) . " \n"); 133 | 134 | } 135 | if ( $args[0] eq '-d' ) { 136 | 137 | my $fname = $args[2]; 138 | $fname =~ s/\//_/g ; 139 | $fname =~ s/^/decrypted_/ ; 140 | $fname =~ s/\.crypt$// ; 141 | # lol. that was really lazy 142 | 143 | 144 | my $buffer; 145 | $cipher->start('decrypting'); 146 | open(F,"<$args[2]"); 147 | open(D,">$fname") or die "cannot open file $fname";; 148 | while (read(F,$buffer,1024)) { 149 | 150 | print D $cipher->crypt($buffer); 151 | 152 | 153 | } 154 | 155 | print D $cipher->finish(); 156 | 157 | close(D); 158 | close(F); 159 | 160 | my $algo = $cipher->{cipher}; 161 | $algo =~ s/Crypt::// ; ## perhaps not needed... 162 | print "Algorithm : " . $algo . " Keysize: " . int($cipher->{keysize}) * 8 . "bits Blocksize: " . int($cipher->{blocksize}) * 8 . "bits \n\n" ; 163 | print "passphrase : " . $args[1] . " \n"; 164 | print "salt : " . unpack("H*",$cipher->{'salt'}) ." \n"; 165 | print "key : " . unpack("H*",$cipher->{'key'}) ." \n"; 166 | print "iv : " . unpack("H*",$cipher->{'iv'}) ." \n"; 167 | print "KALC derived proto-Key seed : $cipher->{'passphrase'} \n\n"; 168 | print ("Decrypted output file is : $fname \n\n"); 169 | 170 | ## This is optional if you don't need it or it annoys you cause the memory thingie on big files just comment it out ## 171 | my $file; 172 | open(F,"<$fname") or die "cannot open file $fname"; 173 | { 174 | local $/; 175 | $file = ; 176 | } 177 | close(F); 178 | 179 | print ("HMAC for unencrypted File: " . hmac_sha256_hex($file,substr($penis3,0,32)) . " \n"); 180 | print ("KALC derived HMAC key: " . substr($penis3,0,32) . " \n"); 181 | ## hmac stuff ends here ## 182 | } 183 | 184 | } 185 | 186 | } 187 | 188 | 189 | 190 | 191 | 192 | -------------------------------------------------------------------------------- /security-analysis-of-OTRv2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j0hnnMcCock/fuckNSA/5ab1b84019382f1d075f7bd78cb68d6241614813/security-analysis-of-OTRv2.pdf --------------------------------------------------------------------------------