├── .gitignore ├── .travis.yml ├── LICENSE ├── MANIFEST.in ├── README.rst ├── setup.py ├── tox.ini ├── twofish-0.3 ├── twofish.c └── twofish.h ├── twofish.c └── twofish.py /.gitignore: -------------------------------------------------------------------------------- 1 | *.py[cod] 2 | 3 | # C extensions 4 | *.so 5 | 6 | # Packages 7 | *.egg 8 | *.egg-info 9 | dist 10 | build 11 | eggs 12 | parts 13 | bin 14 | var 15 | sdist 16 | develop-eggs 17 | .installed.cfg 18 | lib 19 | lib64 20 | __pycache__ 21 | 22 | # Installer logs 23 | pip-log.txt 24 | 25 | # Unit test / coverage reports 26 | .coverage 27 | .tox 28 | nosetests.xml 29 | 30 | # Translations 31 | *.mo 32 | 33 | # Mr Developer 34 | .mr.developer.cfg 35 | .project 36 | .pydevproject 37 | 38 | MANIFEST 39 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: 2 | python 3 | python: 4 | - 2.6 5 | - 2.7 6 | - 3.3 7 | install: 8 | python setup.py install 9 | script: 10 | python -m doctest -v README.rst 11 | notifications: 12 | email: 13 | - filippo.valsorda@gmail.com 14 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2013, Keybase 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | * Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | * Redistributions in binary form must reproduce the above copyright notice, this 11 | list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | * Neither the name of Keybase nor the names of its 15 | contributors may be used to endorse or promote products derived from 16 | this software without specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- 1 | include twofish-0.3/twofish.h 2 | include README.rst 3 | include tox.ini 4 | include LICENSE 5 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | python-twofish 2 | ============== 3 | 4 | Bindings for the Twofish implementation by Niels Ferguson libtwofish-dev_. 5 | 6 | Compatible with Python 2.6, 2.7 and 3.3. 7 | 8 | The library performs a self-test at each import. 9 | 10 | .. _libtwofish-dev: http://packages.debian.org/sid/libtwofish-dev 11 | 12 | Installation 13 | ------------ 14 | 15 | :: 16 | 17 | pip install twofish 18 | 19 | Usage 20 | ----- 21 | 22 | Create a ``twofish.Twofish`` instance with a key of length ]0, 32] and then use the ``encrypt`` and ``decrypt`` methods on 16 bytes blocks. 23 | 24 | All values must be binary strings (``str`` on Python 2, ``bytes`` on Python 3) 25 | 26 | **[WARNING]** this should be used in a senseful cipher mode, like CTR or CBC. If you don't know what this mean, you should probably usa a higher level library. 27 | 28 | Example 29 | ------- 30 | 31 | >>> from twofish import Twofish 32 | >>> T = Twofish(b'*secret*') 33 | >>> x = T.encrypt(b'YELLOWSUBMARINES') 34 | >>> print(T.decrypt(x).decode()) 35 | YELLOWSUBMARINES 36 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | """ 2 | This file is part of Python Twofish 3 | a Python bridge to the C Twofish library by Niels Ferguson 4 | 5 | Released under The BSD 3-Clause License 6 | Copyright (c) 2013 Keybase 7 | 8 | setup.py - build and package info 9 | """ 10 | 11 | from distutils.core import setup, Extension 12 | 13 | twofish_module = Extension('_twofish', 14 | sources=['twofish-0.3/twofish.c', 'twofish.c'], 15 | include_dirs=['twofish-0.3']) 16 | 17 | setup(name='twofish', 18 | version='0.3.0', 19 | description='Bindings for the Twofish implementation by Niels Ferguson', 20 | author='Filippo Valsorda', 21 | author_email='filippo.valsorda@gmail.com', 22 | url='http://github.com/keybase/python-twofish', 23 | py_modules=['twofish'], 24 | ext_modules=[twofish_module], 25 | classifiers=['Development Status :: 4 - Beta', 26 | 'Intended Audience :: Developers', 27 | 'License :: OSI Approved :: BSD License', 28 | 'Programming Language :: Python :: 2.6', 29 | 'Programming Language :: Python :: 2.7', 30 | 'Programming Language :: Python :: 3.3', 31 | 'Topic :: Security :: Cryptography', 32 | 'Topic :: Software Development :: Libraries'], 33 | license='3-clause BSD', 34 | long_description=open('README.rst').read()) 35 | -------------------------------------------------------------------------------- /tox.ini: -------------------------------------------------------------------------------- 1 | [tox] 2 | envlist = py26,py27,py33 3 | 4 | [testenv] 5 | commands = python -m doctest -v README.rst 6 | -------------------------------------------------------------------------------- /twofish-0.3/twofish.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Fast, portable, and easy-to-use Twofish implementation, 3 | * Version 0.3. 4 | * Copyright (c) 2002 by Niels Ferguson. 5 | * (See further down for the almost-unrestricted licensing terms.) 6 | * 7 | * -------------------------------------------------------------------------- 8 | * There are two files for this implementation: 9 | * - twofish.h, the header file. 10 | * - twofish.c, the code file. 11 | * 12 | * To incorporate this code into your program you should: 13 | * - Check the licensing terms further down in this comment. 14 | * - Fix the two type definitions in twofish.h to suit your platform. 15 | * - Fix a few definitions in twofish.c in the section marked 16 | * PLATFORM FIXES. There is one important ones that affects 17 | * functionality, and then a few definitions that you can optimise 18 | * for efficiency but those have no effect on the functionality. 19 | * Don't change anything else. 20 | * - Put the code in your project and compile it. 21 | * 22 | * To use this library you should: 23 | * - Call Twofish_initialise() in your program before any other function in 24 | * this library. 25 | * - Use Twofish_prepare_key(...) to convert a key to internal form. 26 | * - Use Twofish_encrypt(...) and Twofish_decrypt(...) to encrypt and decrypt 27 | * data. 28 | * See the comments in the header file for details on these functions. 29 | * -------------------------------------------------------------------------- 30 | * 31 | * There are many Twofish implementation available for free on the web. 32 | * Most of them are hard to integrate into your own program. 33 | * As we like people to use our cipher, I thought I would make it easier. 34 | * Here is a free and easy-to-integrate Twofish implementation in C. 35 | * The latest version is always available from my personal home page at 36 | * http://niels.ferguson.net/ 37 | * 38 | * Integrating library code into a project is difficult because the library 39 | * header files interfere with the project's header files and code. 40 | * And of course the project's header files interfere with the library code. 41 | * I've tried to resolve these problems here. 42 | * The header file of this implementation is very light-weight. 43 | * It contains two typedefs, a structure, and a few function declarations. 44 | * All names it defines start with "Twofish_". 45 | * The header file is therefore unlikely to cause problems in your project. 46 | * The code file of this implementation doesn't need to include the header 47 | * files of the project. There is thus no danger of the project interfering 48 | * with all the definitions and macros of the Twofish code. 49 | * In most situations, all you need to do is fill in a few platform-specific 50 | * definitions in the header file and code file, 51 | * and you should be able to run the Twofish code in your project. 52 | * I estimate it should take you less than an hour to integrate this code 53 | * into your project, most of it spent reading the comments telling you what 54 | * to do. 55 | * 56 | * For people using C++: it is very easy to wrap this library into a 57 | * TwofishKey class. One of the big advantages is that you can automate the 58 | * wiping of the key material in the destructor. I have not provided a C++ 59 | * class because the interface depends too much on the abstract base class 60 | * you use for block ciphers in your program, which I don't know about. 61 | * 62 | * This implementation is designed for use on PC-class machines. It uses the 63 | * Twofish 'full' keying option which uses large tables. Total table size is 64 | * around 5-6 kB for static tables plus 4.5 kB for each pre-processed key. 65 | * If you need an implementation that uses less memory, 66 | * take a look at Brian Gladman's code on his web site: 67 | * http://fp.gladman.plus.com/cryptography_technology/aes/ 68 | * He has code for all AES candidates. 69 | * His Twofish code has lots of options trading off table size vs. speed. 70 | * You can also take a look at the optimised code by Doug Whiting on the 71 | * Twofish web site 72 | * http://www.counterpane.com/twofish.html 73 | * which has loads of options. 74 | * I believe these existing implementations are harder to re-use because they 75 | * are not clean libraries and they impose requirements on the environment. 76 | * This implementation is very careful to minimise those, 77 | * and should be easier to integrate into any larger program. 78 | * 79 | * The default mode of this implementation is fully portable as it uses no 80 | * behaviour not defined in the C standard. (This is harder than you think.) 81 | * If you have any problems porting the default mode, please let me know 82 | * so that I can fix the problem. (But only if this code is at fault, I 83 | * don't fix compilers.) 84 | * Most of the platform fixes are related to non-portable but faster ways 85 | * of implementing certain functions. 86 | * 87 | * In general I've tried to make the code as fast as possible, at the expense 88 | * of memory and code size. However, C does impose limits, and this 89 | * implementation will be slower than an optimised assembler implementation. 90 | * But beware of assembler implementations: a good Pentium implementation 91 | * uses completely different code than a good Pentium II implementation. 92 | * You basically have to re-write the assembly code for every generation of 93 | * processor. Unless you are severely pressed for speed, stick with C. 94 | * 95 | * The initialisation routine of this implementation contains a self-test. 96 | * If initialisation succeeds without calling the fatal routine, then 97 | * the implementation works. I don't think you can break the implementation 98 | * in such a way that it still passes the tests, unless you are malicious. 99 | * In other words: if the initialisation routine returns, 100 | * you have successfully ported the implementation. 101 | * (Or not implemented the fatal routine properly, but that is your problem.) 102 | * 103 | * I'm indebted to many people who helped me in one way or another to write 104 | * this code. During the design of Twofish and the AES process I had very 105 | * extensive discussions of all implementation issues with various people. 106 | * Doug Whiting in particular provided a wealth of information. The Twofish 107 | * team spent untold hours discussion various cipher features, and their 108 | * implementation. Brian Gladman implemented all AES candidates in C, 109 | * and we had some fruitful discussions on how to implement Twofish in C. 110 | * Jan Nieuwenhuizen tested this code on Linux using GCC. 111 | * 112 | * Now for the license: 113 | * The author hereby grants a perpetual license to everybody to 114 | * use this code for any purpose as long as the copyright message is included 115 | * in the source code of this or any derived work. 116 | * 117 | * Yes, this means that you, your company, your club, and anyone else 118 | * can use this code anywhere you want. You can change it and distribute it 119 | * under the GPL, include it in your commercial product without releasing 120 | * the source code, put it on the web, etc. 121 | * The only thing you cannot do is remove my copyright message, 122 | * or distribute any source code based on this implementation that does not 123 | * include my copyright message. 124 | * 125 | * I appreciate a mention in the documentation or credits, 126 | * but I understand if that is difficult to do. 127 | * I also appreciate it if you tell me where and why you used my code. 128 | * 129 | * Please send any questions or comments to niels@ferguson.net 130 | * 131 | * Have Fun! 132 | * 133 | * Niels 134 | */ 135 | 136 | /* 137 | * DISCLAIMER: As I'm giving away my work for free, I'm of course not going 138 | * to accept any liability of any form. This code, or the Twofish cipher, 139 | * might very well be flawed; you have been warned. 140 | * This software is provided as-is, without any kind of warrenty or 141 | * guarantee. And that is really all you can expect when you download 142 | * code for free from the Internet. 143 | * 144 | * I think it is really sad that disclaimers like this seem to be necessary. 145 | * If people only had a little bit more common sense, and didn't come 146 | * whining like little children every time something happens.... 147 | */ 148 | 149 | /* 150 | * Version history: 151 | * Version 0.0, 2002-08-30 152 | * First written. 153 | * Version 0.1, 2002-09-03 154 | * Added disclaimer. Improved self-tests. 155 | * Version 0.2, 2002-09-09 156 | * Removed last non-portabilities. Default now works completely within 157 | * the C standard. UInt32 can be larger than 32 bits without problems. 158 | * Version 0.3, 2002-09-28 159 | * Bugfix: use instead of to adhere to ANSI/ISO. 160 | * Rename BIG_ENDIAN macro to CPU_IS_BIG_ENDIAN. The gcc library 161 | * header already defines BIG_ENDIAN, even though it is not 162 | * supposed to. 163 | */ 164 | 165 | 166 | /* 167 | * Minimum set of include files. 168 | * You should not need any application-specific include files for this code. 169 | * In fact, adding you own header files could break one of the many macros or 170 | * functions in this file. Be very careful. 171 | * Standard include files will probably be ok. 172 | */ 173 | #include /* for memset(), memcpy(), and memcmp() */ 174 | #include "twofish.h" 175 | 176 | 177 | /* 178 | * PLATFORM FIXES 179 | * ============== 180 | * 181 | * Fix the type definitions in twofish.h first! 182 | * 183 | * The following definitions have to be fixed for each particular platform 184 | * you work on. If you have a multi-platform program, you no doubt have 185 | * portable definitions that you can substitute here without changing the 186 | * rest of the code. 187 | */ 188 | 189 | 190 | /* 191 | * Function called if something is fatally wrong with the implementation. 192 | * This fatal function is called when a coding error is detected in the 193 | * Twofish implementation, or when somebody passes an obviously erroneous 194 | * parameter to this implementation. There is not much you can do when 195 | * the code contains bugs, so we just stop. 196 | * 197 | * The argument is a string. Ideally the fatal function prints this string 198 | * as an error message. Whatever else this function does, it should never 199 | * return. A typical implementation would stop the program completely after 200 | * printing the error message. 201 | * 202 | * This default implementation is not very useful, 203 | * but does not assume anything about your environment. 204 | * It will at least let you know something is wrong.... 205 | * I didn't want to include any libraries to print and error or so, 206 | * as this makes the code much harder to integrate in a project. 207 | * 208 | * Note that the Twofish_fatal function may not return to the caller. 209 | * Unfortunately this is not something the self-test can test for, 210 | * so you have to make sure of this yourself. 211 | * 212 | * If you want to call an external function, be careful about including 213 | * your own header files here. This code uses a lot of macros, and your 214 | * header file could easily break it. Maybe the best solution is to use 215 | * a separate extern statement for your fatal function. 216 | */ 217 | #define Twofish_fatal( msg ) {for(;;);} 218 | 219 | 220 | /* 221 | * The rest of the settings are not important for the functionality 222 | * of this Twofish implementation. That is, their default settings 223 | * work on all platforms. You can change them to improve the 224 | * speed of the implementation on your platform. Erroneous settings 225 | * will result in erroneous implementations, but the self-test should 226 | * catch those. 227 | */ 228 | 229 | 230 | /* 231 | * Macros to rotate a Twofish_UInt32 value left or right by the 232 | * specified number of bits. This should be a 32-bit rotation, 233 | * and not rotation of, say, 64-bit values. 234 | * 235 | * Every encryption or decryption operation uses 32 of these rotations, 236 | * so it is a good idea to make these macros efficient. 237 | * 238 | * This fully portable definition has one piece of tricky stuff. 239 | * The UInt32 might be larger than 32 bits, so we have to mask 240 | * any higher bits off. The simplest way to do this is to 'and' the 241 | * value first with 0xffffffff and then shift it right. An optimising 242 | * compiler that has a 32-bit type can optimise this 'and' away. 243 | * 244 | * Unfortunately there is no portable way of writing the constant 245 | * 0xffffffff. You don't know which suffix to use (U, or UL?) 246 | * The UINT32_MASK definition uses a bit of trickery. Shift-left 247 | * is only defined if the shift amount is strictly less than the size 248 | * of the UInt32, so we can't use (1<<32). The answer it to take the value 249 | * 2, cast it to a UInt32, shift it left 31 positions, and subtract one. 250 | * Another example of how to make something very simple extremely difficult. 251 | * I hate C. 252 | * 253 | * The rotation macros are straightforward. 254 | * They are only applied to UInt32 values, which are _unsigned_ 255 | * so the >> operator must do a logical shift that brings in zeroes. 256 | * On most platforms you will only need to optimise the ROL32 macro; the 257 | * ROR32 macro is not inefficient on an optimising compiler as all rotation 258 | * amounts in this code are known at compile time. 259 | * 260 | * On many platforms there is a faster solution. 261 | * For example, MS compilers have the __rotl and __rotr functions 262 | * that generate x86 rotation instructions. 263 | */ 264 | #define UINT32_MASK ( (((UInt32)2)<<31) - 1 ) 265 | #define ROL32( x, n ) ( (x)<<(n) | ((x) & UINT32_MASK) >> (32-(n)) ) 266 | #define ROR32( x, n ) ROL32( (x), 32-(n) ) 267 | 268 | 269 | /* 270 | * Select data type for q-table entries. 271 | * 272 | * Larger entry types cost more memory (1.5 kB), and might be faster 273 | * or slower depending on the CPU and compiler details. 274 | * 275 | * This choice only affects the static data size and the key setup speed. 276 | * Functionality, expanded key size, or encryption speed are not affected. 277 | * Define to 1 to get large q-table entries. 278 | */ 279 | #define LARGE_Q_TABLE 0 /* default = 0 */ 280 | 281 | 282 | /* 283 | * Method to select a single byte from a UInt32. 284 | * WARNING: non-portable code if set; might not work on all platforms. 285 | * 286 | * Inside the inner loop of Twofish it is necessary to access the 4 287 | * individual bytes of a UInt32. This can be done using either shifts 288 | * and masks, or memory accesses. 289 | * 290 | * Set to 0 to use shift and mask operations for the byte selection. 291 | * This is more ALU intensive. It is also fully portable. 292 | * 293 | * Set to 1 to use memory accesses. The UInt32 is stored in memory and 294 | * the individual bytes are read from memory one at a time. 295 | * This solution is more memory-intensive, and not fully portable. 296 | * It might be faster on your platform, or not. If you use this option, 297 | * make sure you set the CPU_IS_BIG_ENDIAN flag appropriately. 298 | * 299 | * This macro does not affect the conversion of the inputs and outputs 300 | * of the cipher. See the CONVERT_USING_CASTS macro for that. 301 | */ 302 | #define SELECT_BYTE_FROM_UINT32_IN_MEMORY 0 /* default = 0 */ 303 | 304 | 305 | /* 306 | * Method used to read the input and write the output. 307 | * WARNING: non-portable code if set; might not work on all platforms. 308 | * 309 | * Twofish operates on 32-bit words. The input to the cipher is 310 | * a byte array, as is the output. The portable method of doing the 311 | * conversion is a bunch of rotate and mask operations, but on many 312 | * platforms it can be done faster using a cast. 313 | * This only works if your CPU allows UInt32 accesses to arbitrary Byte 314 | * addresses. 315 | * 316 | * Set to 0 to use the shift and mask operations. This is fully 317 | * portable. . 318 | * 319 | * Set to 1 to use a cast. The Byte * is cast to a UInt32 *, and a 320 | * UInt32 is read. If necessary (as indicated by the CPU_IS_BIG_ENDIAN 321 | * macro) the byte order in the UInt32 is swapped. The reverse is done 322 | * to write the output of the encryption/decryption. Make sure you set 323 | * the CPU_IS_BIG_ENDIAN flag appropriately. 324 | * This option does not work unless a UInt32 is exactly 32 bits. 325 | * 326 | * This macro only changes the reading/writing of the plaintext/ciphertext. 327 | * See the SELECT_BYTE_FROM_UINT32_IN_MEMORY to affect the way in which 328 | * a UInt32 is split into 4 bytes for the S-box selection. 329 | */ 330 | #define CONVERT_USING_CASTS 0 /* default = 0 */ 331 | 332 | 333 | /* 334 | * Endianness switch. 335 | * Only relevant if SELECT_BYTE_FROM_UINT32_IN_MEMORY or 336 | * CONVERT_USING_CASTS is set. 337 | * 338 | * Set to 1 on a big-endian machine, and to 0 on a little-endian machine. 339 | * Twofish uses the little-endian convention (least significant byte first) 340 | * and big-endian machines (using most significant byte first) 341 | * have to do a few conversions. 342 | * 343 | * CAUTION: This code has never been tested on a big-endian machine, 344 | * because I don't have access to one. Feedback appreciated. 345 | */ 346 | #define CPU_IS_BIG_ENDIAN 0 347 | 348 | 349 | /* 350 | * Macro to reverse the order of the bytes in a UInt32. 351 | * Used to convert to little-endian on big-endian machines. 352 | * This macro is always tested, but only used in the encryption and 353 | * decryption if CONVERT_USING_CASTS, and CPU_IS_BIG_ENDIAN 354 | * are both set. In other words: this macro is only speed-critical if 355 | * both these flags have been set. 356 | * 357 | * This default definition of SWAP works, but on many platforms there is a 358 | * more efficient implementation. 359 | */ 360 | #define BSWAP(x) ((ROL32((x),8) & 0x00ff00ff) | (ROR32((x),8) & 0xff00ff00)) 361 | 362 | 363 | /* 364 | * END OF PLATFORM FIXES 365 | * ===================== 366 | * 367 | * You should not have to touch the rest of this file. 368 | */ 369 | 370 | 371 | /* 372 | * Convert the external type names to some that are easier to use inside 373 | * this file. I didn't want to use the names Byte and UInt32 in the 374 | * header file, because many programs already define them and using two 375 | * conventions at once can be very difficult. 376 | * Don't change these definitions! Change the originals 377 | * in twofish.h instead. 378 | */ 379 | /* A Byte must be an unsigned integer, 8 bits long. */ 380 | typedef Twofish_Byte Byte; 381 | /* A UInt32 must be an unsigned integer at least 32 bits long. */ 382 | typedef Twofish_UInt32 UInt32; 383 | 384 | 385 | /* 386 | * Define a macro ENDIAN_CONVERT. 387 | * 388 | * We define a macro ENDIAN_CONVERT that performs a BSWAP on big-endian 389 | * machines, and is the identity function on little-endian machines. 390 | * The code then uses this macro without considering the endianness. 391 | */ 392 | #if CPU_IS_BIG_ENDIAN 393 | #define ENDIAN_CONVERT(x) BSWAP(x) 394 | #else 395 | #define ENDIAN_CONVERT(x) (x) 396 | #endif 397 | 398 | 399 | /* 400 | * Compute byte offset within a UInt32 stored in memory. 401 | * 402 | * This is only used when SELECT_BYTE_FROM_UINT32_IN_MEMORY is set. 403 | * 404 | * The input is the byte number 0..3, 0 for least significant. 405 | * Note the use of sizeof() to support UInt32 types that are larger 406 | * than 4 bytes. 407 | */ 408 | #if CPU_IS_BIG_ENDIAN 409 | #define BYTE_OFFSET( n ) (sizeof(UInt32) - 1 - (n) ) 410 | #else 411 | #define BYTE_OFFSET( n ) (n) 412 | #endif 413 | 414 | 415 | /* 416 | * Macro to get Byte no. b from UInt32 value X. 417 | * We use two different definition, depending on the settings. 418 | */ 419 | #if SELECT_BYTE_FROM_UINT32_IN_MEMORY 420 | /* Pick the byte from the memory in which X is stored. */ 421 | #define SELECT_BYTE( X, b ) (((Byte *)(&(X)))[BYTE_OFFSET(b)]) 422 | #else 423 | /* Portable solution: Pick the byte directly from the X value. */ 424 | #define SELECT_BYTE( X, b ) (((X) >> 8*(b)) & 0xff) 425 | #endif 426 | 427 | 428 | /* Some shorthands because we use byte selection in large formulae. */ 429 | #define b0(X) SELECT_BYTE((X),0) 430 | #define b1(X) SELECT_BYTE((X),1) 431 | #define b2(X) SELECT_BYTE((X),2) 432 | #define b3(X) SELECT_BYTE((X),3) 433 | 434 | 435 | /* 436 | * We need macros to load and store UInt32 from/to byte arrays 437 | * using the least-significant-byte-first convention. 438 | * 439 | * GET32( p ) gets a UInt32 in lsb-first form from four bytes pointed to 440 | * by p. 441 | * PUT32( v, p ) writes the UInt32 value v at address p in lsb-first form. 442 | */ 443 | #if CONVERT_USING_CASTS 444 | 445 | /* Get UInt32 from four bytes pointed to by p. */ 446 | #define GET32( p ) ENDIAN_CONVERT( *((UInt32 *)(p)) ) 447 | /* Put UInt32 into four bytes pointed to by p */ 448 | #define PUT32( v, p ) *((UInt32 *)(p)) = ENDIAN_CONVERT(v) 449 | 450 | #else 451 | 452 | /* Get UInt32 from four bytes pointed to by p. */ 453 | #define GET32( p ) \ 454 | ( \ 455 | (UInt32)((p)[0]) \ 456 | | (UInt32)((p)[1])<< 8\ 457 | | (UInt32)((p)[2])<<16\ 458 | | (UInt32)((p)[3])<<24\ 459 | ) 460 | /* Put UInt32 into four bytes pointed to by p */ 461 | #define PUT32( v, p ) \ 462 | (p)[0] = (Byte)(((v) ) & 0xff);\ 463 | (p)[1] = (Byte)(((v) >> 8) & 0xff);\ 464 | (p)[2] = (Byte)(((v) >> 16) & 0xff);\ 465 | (p)[3] = (Byte)(((v) >> 24) & 0xff) 466 | 467 | #endif 468 | 469 | 470 | /* 471 | * Test the platform-specific macros. 472 | * This function tests the macros defined so far to make sure the 473 | * definitions are appropriate for this platform. 474 | * If you make any mistake in the platform configuration, this should detect 475 | * that and inform you what went wrong. 476 | * Somewhere, someday, this is going to save somebody a lot of time, 477 | * because misbehaving macros are hard to debug. 478 | */ 479 | static void test_platform() 480 | { 481 | /* Buffer with test values. */ 482 | Byte buf[] = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0}; 483 | UInt32 C; 484 | UInt32 x,y; 485 | int i; 486 | 487 | /* 488 | * Some sanity checks on the types that can't be done in compile time. 489 | * A smart compiler will just optimise these tests away. 490 | * The pre-processor doesn't understand different types, so we cannot 491 | * do these checks in compile-time. 492 | * 493 | * I hate C. 494 | * 495 | * The first check in each case is to make sure the size is correct. 496 | * The second check is to ensure that it is an unsigned type. 497 | */ 498 | if( ((UInt32) ((UInt32)1 << 31) == 0) || ((UInt32)-1 < 0) ) 499 | { 500 | Twofish_fatal( "Twofish code: Twofish_UInt32 type not suitable" ); 501 | } 502 | if( (sizeof( Byte ) != 1) || ((Byte)-1 < 0) ) 503 | { 504 | Twofish_fatal( "Twofish code: Twofish_Byte type not suitable" ); 505 | } 506 | 507 | /* 508 | * Sanity-check the endianness conversions. 509 | * This is just an aid to find problems. If you do the endianness 510 | * conversion macros wrong you will fail the full cipher test, 511 | * but that does not help you find the error. 512 | * Always make it easy to find the bugs! 513 | * 514 | * Detail: There is no fully portable way of writing UInt32 constants, 515 | * as you don't know whether to use the U or UL suffix. Using only U you 516 | * might only be allowed 16-bit constants. Using UL you might get 64-bit 517 | * constants which cannot be stored in a UInt32 without warnings, and 518 | * which generally behave subtly different from a true UInt32. 519 | * As long as we're just comparing with the constant, 520 | * we can always use the UL suffix and at worst lose some efficiency. 521 | * I use a separate '32-bit constant' macro in most of my other code. 522 | * 523 | * I hate C. 524 | * 525 | * Start with testing GET32. We test it on all positions modulo 4 526 | * to make sure we can handly any position of inputs. (Some CPUs 527 | * do not allow non-aligned accesses which we would do if you used 528 | * the CONVERT_USING_CASTS option. 529 | */ 530 | if( GET32( buf ) != 0x78563412UL || GET32(buf+1) != 0x9a785634UL 531 | || GET32( buf+2 ) != 0xbc9a7856UL || GET32(buf+3) != 0xdebc9a78UL ) 532 | { 533 | Twofish_fatal( "Twofish code: GET32 not implemented properly" ); 534 | } 535 | 536 | /* 537 | * We can now use GET32 to test PUT32. 538 | * We don't test the shifted versions. If GET32 can do that then 539 | * so should PUT32. 540 | */ 541 | C = GET32( buf ); 542 | PUT32( 3*C, buf ); 543 | if( GET32( buf ) != 0x69029c36UL ) 544 | { 545 | Twofish_fatal( "Twofish code: PUT32 not implemented properly" ); 546 | } 547 | 548 | 549 | /* Test ROL and ROR */ 550 | for( i=1; i<32; i++ ) 551 | { 552 | /* Just a simple test. */ 553 | x = ROR32( C, i ); 554 | y = ROL32( C, i ); 555 | x ^= (C>>i) ^ (C<<(32-i)); 556 | y ^= (C<>(32-i)); 557 | x |= y; 558 | /* 559 | * Now all we check is that x is zero in the least significant 560 | * 32 bits. Using the UL suffix is safe here, as it doesn't matter 561 | * if we get a larger type. 562 | */ 563 | if( (x & 0xffffffffUL) != 0 ) 564 | { 565 | Twofish_fatal( "Twofish ROL or ROR not properly defined." ); 566 | } 567 | } 568 | 569 | /* Test the BSWAP macro */ 570 | if( (BSWAP(C)) != 0x12345678UL ) 571 | { 572 | /* 573 | * The BSWAP macro should always work, even if you are not using it. 574 | * A smart optimising compiler will just remove this entire test. 575 | */ 576 | Twofish_fatal( "BSWAP not properly defined." ); 577 | } 578 | 579 | /* And we can test the b macros which use SELECT_BYTE. */ 580 | if( (b0(C)!=0x12) || (b1(C) != 0x34) || (b2(C) != 0x56) || (b3(C) != 0x78) ) 581 | { 582 | /* 583 | * There are many reasons why this could fail. 584 | * Most likely is that CPU_IS_BIG_ENDIAN has the wrong value. 585 | */ 586 | Twofish_fatal( "Twofish code: SELECT_BYTE not implemented properly" ); 587 | } 588 | } 589 | 590 | 591 | /* 592 | * Finally, we can start on the Twofish-related code. 593 | * You really need the Twofish specifications to understand this code. The 594 | * best source is the Twofish book: 595 | * "The Twofish Encryption Algorithm", by Bruce Schneier, John Kelsey, 596 | * Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson. 597 | * you can also use the AES submission document of Twofish, which is 598 | * available from my list of publications on my personal web site at 599 | * http://niels.ferguson.net/. 600 | * 601 | * The first thing we do is write the testing routines. This is what the 602 | * implementation has to satisfy in the end. We only test the external 603 | * behaviour of the implementation of course. 604 | */ 605 | 606 | 607 | /* 608 | * Perform a single self test on a (plaintext,ciphertext,key) triple. 609 | * Arguments: 610 | * key array of key bytes 611 | * key_len length of key in bytes 612 | * p plaintext 613 | * c ciphertext 614 | */ 615 | static void test_vector( Byte key[], int key_len, Byte p[16], Byte c[16] ) 616 | { 617 | Byte tmp[16]; /* scratch pad. */ 618 | Twofish_key xkey; /* The expanded key */ 619 | int i; 620 | 621 | 622 | /* Prepare the key */ 623 | Twofish_prepare_key( key, key_len, &xkey ); 624 | 625 | /* 626 | * We run the test twice to ensure that the xkey structure 627 | * is not damaged by the first encryption. 628 | * Those are hideous bugs to find if you get them in an application. 629 | */ 630 | for( i=0; i<2; i++ ) 631 | { 632 | /* Encrypt and test */ 633 | Twofish_encrypt( &xkey, p, tmp ); 634 | if( memcmp( c, tmp, 16 ) != 0 ) 635 | { 636 | Twofish_fatal( "Twofish encryption failure" ); 637 | } 638 | 639 | /* Decrypt and test */ 640 | Twofish_decrypt( &xkey, c, tmp ); 641 | if( memcmp( p, tmp, 16 ) != 0 ) 642 | { 643 | Twofish_fatal( "Twofish decryption failure" ); 644 | } 645 | } 646 | 647 | /* The test keys are not secret, so we don't need to wipe xkey. */ 648 | } 649 | 650 | 651 | /* 652 | * Check implementation using three (key,plaintext,ciphertext) 653 | * test vectors, one for each major key length. 654 | * 655 | * This is an absolutely minimal self-test. 656 | * This routine does not test odd-sized keys. 657 | */ 658 | static void test_vectors() 659 | { 660 | /* 661 | * We run three tests, one for each major key length. 662 | * These test vectors come from the Twofish specification. 663 | * One encryption and one decryption using randomish data and key 664 | * will detect almost any error, especially since we generate the 665 | * tables ourselves, so we don't have the problem of a single 666 | * damaged table entry in the source. 667 | */ 668 | 669 | /* 128-bit test is the I=3 case of section B.2 of the Twofish book. */ 670 | static Byte k128[] = { 671 | 0x9F, 0x58, 0x9F, 0x5C, 0xF6, 0x12, 0x2C, 0x32, 672 | 0xB6, 0xBF, 0xEC, 0x2F, 0x2A, 0xE8, 0xC3, 0x5A, 673 | }; 674 | static Byte p128[] = { 675 | 0xD4, 0x91, 0xDB, 0x16, 0xE7, 0xB1, 0xC3, 0x9E, 676 | 0x86, 0xCB, 0x08, 0x6B, 0x78, 0x9F, 0x54, 0x19 677 | }; 678 | static Byte c128[] = { 679 | 0x01, 0x9F, 0x98, 0x09, 0xDE, 0x17, 0x11, 0x85, 680 | 0x8F, 0xAA, 0xC3, 0xA3, 0xBA, 0x20, 0xFB, 0xC3 681 | }; 682 | 683 | /* 192-bit test is the I=4 case of section B.2 of the Twofish book. */ 684 | static Byte k192[] = { 685 | 0x88, 0xB2, 0xB2, 0x70, 0x6B, 0x10, 0x5E, 0x36, 686 | 0xB4, 0x46, 0xBB, 0x6D, 0x73, 0x1A, 0x1E, 0x88, 687 | 0xEF, 0xA7, 0x1F, 0x78, 0x89, 0x65, 0xBD, 0x44 688 | }; 689 | static Byte p192[] = { 690 | 0x39, 0xDA, 0x69, 0xD6, 0xBA, 0x49, 0x97, 0xD5, 691 | 0x85, 0xB6, 0xDC, 0x07, 0x3C, 0xA3, 0x41, 0xB2 692 | }; 693 | static Byte c192[] = { 694 | 0x18, 0x2B, 0x02, 0xD8, 0x14, 0x97, 0xEA, 0x45, 695 | 0xF9, 0xDA, 0xAC, 0xDC, 0x29, 0x19, 0x3A, 0x65 696 | }; 697 | 698 | /* 256-bit test is the I=4 case of section B.2 of the Twofish book. */ 699 | static Byte k256[] = { 700 | 0xD4, 0x3B, 0xB7, 0x55, 0x6E, 0xA3, 0x2E, 0x46, 701 | 0xF2, 0xA2, 0x82, 0xB7, 0xD4, 0x5B, 0x4E, 0x0D, 702 | 0x57, 0xFF, 0x73, 0x9D, 0x4D, 0xC9, 0x2C, 0x1B, 703 | 0xD7, 0xFC, 0x01, 0x70, 0x0C, 0xC8, 0x21, 0x6F 704 | }; 705 | static Byte p256[] = { 706 | 0x90, 0xAF, 0xE9, 0x1B, 0xB2, 0x88, 0x54, 0x4F, 707 | 0x2C, 0x32, 0xDC, 0x23, 0x9B, 0x26, 0x35, 0xE6 708 | }; 709 | static Byte c256[] = { 710 | 0x6C, 0xB4, 0x56, 0x1C, 0x40, 0xBF, 0x0A, 0x97, 711 | 0x05, 0x93, 0x1C, 0xB6, 0xD4, 0x08, 0xE7, 0xFA 712 | }; 713 | 714 | /* Run the actual tests. */ 715 | test_vector( k128, 16, p128, c128 ); 716 | test_vector( k192, 24, p192, c192 ); 717 | test_vector( k256, 32, p256, c256 ); 718 | } 719 | 720 | 721 | /* 722 | * Perform extensive test for a single key size. 723 | * 724 | * Test a single key size against the test vectors from section 725 | * B.2 in the Twofish book. This is a sequence of 49 encryptions 726 | * and decryptions. Each plaintext is equal to the ciphertext of 727 | * the previous encryption. The key is made up from the ciphertext 728 | * two and three encryptions ago. Both plaintext and key start 729 | * at the zero value. 730 | * We should have designed a cleaner recurrence relation for 731 | * these tests, but it is too late for that now. At least we learned 732 | * how to do it better next time. 733 | * For details see appendix B of the book. 734 | * 735 | * Arguments: 736 | * key_len Number of bytes of key 737 | * final_value Final plaintext value after 49 iterations 738 | */ 739 | static void test_sequence( int key_len, Byte final_value[] ) 740 | { 741 | Byte buf[ (50+3)*16 ]; /* Buffer to hold our computation values. */ 742 | Byte tmp[16]; /* Temp for testing the decryption. */ 743 | Twofish_key xkey; /* The expanded key */ 744 | int i; 745 | Byte * p; 746 | 747 | /* Wipe the buffer */ 748 | memset( buf, 0, sizeof( buf ) ); 749 | 750 | /* 751 | * Because the recurrence relation is done in an inconvenient manner 752 | * we end up looping backwards over the buffer. 753 | */ 754 | 755 | /* Pointer in buffer points to current plaintext. */ 756 | p = &buf[50*16]; 757 | for( i=1; i<50; i++ ) 758 | { 759 | /* 760 | * Prepare a key. 761 | * This automatically checks that key_len is valid. 762 | */ 763 | Twofish_prepare_key( p+16, key_len, &xkey ); 764 | 765 | /* Compute the next 16 bytes in the buffer */ 766 | Twofish_encrypt( &xkey, p, p-16 ); 767 | 768 | /* Check that the decryption is correct. */ 769 | Twofish_decrypt( &xkey, p-16, tmp ); 770 | if( memcmp( tmp, p, 16 ) != 0 ) 771 | { 772 | Twofish_fatal( "Twofish decryption failure in sequence" ); 773 | } 774 | /* Move on to next 16 bytes in the buffer. */ 775 | p -= 16; 776 | } 777 | 778 | /* And check the final value. */ 779 | if( memcmp( p, final_value, 16 ) != 0 ) 780 | { 781 | Twofish_fatal( "Twofish encryption failure in sequence" ); 782 | } 783 | 784 | /* None of the data was secret, so there is no need to wipe anything. */ 785 | } 786 | 787 | 788 | /* 789 | * Run all three sequence tests from the Twofish test vectors. 790 | * 791 | * This checks the most extensive test vectors currently available 792 | * for Twofish. The data is from the Twofish book, appendix B.2. 793 | */ 794 | static void test_sequences() 795 | { 796 | static Byte r128[] = { 797 | 0x5D, 0x9D, 0x4E, 0xEF, 0xFA, 0x91, 0x51, 0x57, 798 | 0x55, 0x24, 0xF1, 0x15, 0x81, 0x5A, 0x12, 0xE0 799 | }; 800 | static Byte r192[] = { 801 | 0xE7, 0x54, 0x49, 0x21, 0x2B, 0xEE, 0xF9, 0xF4, 802 | 0xA3, 0x90, 0xBD, 0x86, 0x0A, 0x64, 0x09, 0x41 803 | }; 804 | static Byte r256[] = { 805 | 0x37, 0xFE, 0x26, 0xFF, 0x1C, 0xF6, 0x61, 0x75, 806 | 0xF5, 0xDD, 0xF4, 0xC3, 0x3B, 0x97, 0xA2, 0x05 807 | }; 808 | 809 | /* Run the three sequence test vectors */ 810 | test_sequence( 16, r128 ); 811 | test_sequence( 24, r192 ); 812 | test_sequence( 32, r256 ); 813 | } 814 | 815 | 816 | /* 817 | * Test the odd-sized keys. 818 | * 819 | * Every odd-sized key is equivalent to a one of 128, 192, or 256 bits. 820 | * The equivalent key is found by padding at the end with zero bytes 821 | * until a regular key size is reached. 822 | * 823 | * We just test that the key expansion routine behaves properly. 824 | * If the expanded keys are identical, then the encryptions and decryptions 825 | * will behave the same. 826 | */ 827 | static void test_odd_sized_keys() 828 | { 829 | Byte buf[32]; 830 | Twofish_key xkey; 831 | Twofish_key xkey_two; 832 | int i; 833 | 834 | /* 835 | * We first create an all-zero key to use as PRNG key. 836 | * Normally we would not have to fill the buffer with zeroes, as we could 837 | * just pass a zero key length to the Twofish_prepare_key function. 838 | * However, this relies on using odd-sized keys, and those are just the 839 | * ones we are testing here. We can't use an untested function to test 840 | * itself. 841 | */ 842 | memset( buf, 0, sizeof( buf ) ); 843 | Twofish_prepare_key( buf, 16, &xkey ); 844 | 845 | /* Fill buffer with pseudo-random data derived from two encryptions */ 846 | Twofish_encrypt( &xkey, buf, buf ); 847 | Twofish_encrypt( &xkey, buf, buf+16 ); 848 | 849 | /* Create all possible shorter keys that are prefixes of the buffer. */ 850 | for( i=31; i>=0; i-- ) 851 | { 852 | /* Set a byte to zero. This is the new padding byte */ 853 | buf[i] = 0; 854 | 855 | /* Expand the key with only i bytes of length */ 856 | Twofish_prepare_key( buf, i, &xkey ); 857 | 858 | /* Expand the corresponding padded key of regular length */ 859 | Twofish_prepare_key( buf, i<=16 ? 16 : i<= 24 ? 24 : 32, &xkey_two ); 860 | 861 | /* Compare the two */ 862 | if( memcmp( &xkey, &xkey_two, sizeof( xkey ) ) != 0 ) 863 | { 864 | Twofish_fatal( "Odd sized keys do not expand properly" ); 865 | } 866 | } 867 | 868 | /* None of the key values are secret, so we don't need to wipe them. */ 869 | } 870 | 871 | 872 | /* 873 | * Test the Twofish implementation. 874 | * 875 | * This routine runs all the self tests, in order of importance. 876 | * It is called by the Twofish_initialise routine. 877 | * 878 | * In almost all applications the cost of running the self tests during 879 | * initialisation is insignificant, especially 880 | * compared to the time it takes to load the application from disk. 881 | * If you are very pressed for initialisation performance, 882 | * you could remove some of the tests. Make sure you did run them 883 | * once in the software and hardware configuration you are using. 884 | */ 885 | static void self_test() 886 | { 887 | /* The three test vectors form an absolute minimal test set. */ 888 | test_vectors(); 889 | 890 | /* 891 | * If at all possible you should run these tests too. They take 892 | * more time, but provide a more thorough coverage. 893 | */ 894 | test_sequences(); 895 | 896 | /* Test the odd-sized keys. */ 897 | test_odd_sized_keys(); 898 | } 899 | 900 | 901 | /* 902 | * And now, the actual Twofish implementation. 903 | * 904 | * This implementation generates all the tables during initialisation. 905 | * I don't like large tables in the code, especially since they are easily 906 | * damaged in the source without anyone noticing it. You need code to 907 | * generate them anyway, and this way all the code is close together. 908 | * Generating them in the application leads to a smaller executable 909 | * (the code is smaller than the tables it generates) and a 910 | * larger static memory footprint. 911 | * 912 | * Twofish can be implemented in many ways. I have chosen to 913 | * use large tables with a relatively long key setup time. 914 | * If you encrypt more than a few blocks of data it pays to pre-compute 915 | * as much as possible. This implementation is relatively inefficient for 916 | * applications that need to re-key every block or so. 917 | */ 918 | 919 | /* 920 | * We start with the t-tables, directly from the Twofish definition. 921 | * These are nibble-tables, but merging them and putting them two nibbles 922 | * in one byte is more work than it is worth. 923 | */ 924 | static Byte t_table[2][4][16] = { 925 | { 926 | {0x8,0x1,0x7,0xD,0x6,0xF,0x3,0x2,0x0,0xB,0x5,0x9,0xE,0xC,0xA,0x4}, 927 | {0xE,0xC,0xB,0x8,0x1,0x2,0x3,0x5,0xF,0x4,0xA,0x6,0x7,0x0,0x9,0xD}, 928 | {0xB,0xA,0x5,0xE,0x6,0xD,0x9,0x0,0xC,0x8,0xF,0x3,0x2,0x4,0x7,0x1}, 929 | {0xD,0x7,0xF,0x4,0x1,0x2,0x6,0xE,0x9,0xB,0x3,0x0,0x8,0x5,0xC,0xA} 930 | }, 931 | { 932 | {0x2,0x8,0xB,0xD,0xF,0x7,0x6,0xE,0x3,0x1,0x9,0x4,0x0,0xA,0xC,0x5}, 933 | {0x1,0xE,0x2,0xB,0x4,0xC,0x3,0x7,0x6,0xD,0xA,0x5,0xF,0x9,0x0,0x8}, 934 | {0x4,0xC,0x7,0x5,0x1,0x6,0x9,0xA,0x0,0xE,0xD,0x8,0x2,0xB,0x3,0xF}, 935 | {0xB,0x9,0x5,0x1,0xC,0x3,0xD,0xE,0x6,0x4,0x7,0xF,0x2,0x0,0x8,0xA} 936 | } 937 | }; 938 | 939 | 940 | /* A 1-bit rotation of 4-bit values. Input must be in range 0..15 */ 941 | #define ROR4BY1( x ) (((x)>>1) | (((x)<<3) & 0x8) ) 942 | 943 | /* 944 | * The q-boxes are only used during the key schedule computations. 945 | * These are 8->8 bit lookup tables. Some CPUs prefer to have 8->32 bit 946 | * lookup tables as it is faster to load a 32-bit value than to load an 947 | * 8-bit value and zero the rest of the register. 948 | * The LARGE_Q_TABLE switch allows you to choose 32-bit entries in 949 | * the q-tables. Here we just define the Qtype which is used to store 950 | * the entries of the q-tables. 951 | */ 952 | #if LARGE_Q_TABLE 953 | typedef UInt32 Qtype; 954 | #else 955 | typedef Byte Qtype; 956 | #endif 957 | 958 | /* 959 | * The actual q-box tables. 960 | * There are two q-boxes, each having 256 entries. 961 | */ 962 | static Qtype q_table[2][256]; 963 | 964 | 965 | /* 966 | * Now the function that converts a single t-table into a q-table. 967 | * 968 | * Arguments: 969 | * t[4][16] : four 4->4bit lookup tables that define the q-box 970 | * q[256] : output parameter: the resulting q-box as a lookup table. 971 | */ 972 | static void make_q_table( Byte t[4][16], Qtype q[256] ) 973 | { 974 | int ae,be,ao,bo; /* Some temporaries. */ 975 | int i; 976 | /* Loop over all input values and compute the q-box result. */ 977 | for( i=0; i<256; i++ ) { 978 | /* 979 | * This is straight from the Twofish specifications. 980 | * 981 | * The ae variable is used for the a_i values from the specs 982 | * with even i, and ao for the odd i's. Similarly for the b's. 983 | */ 984 | ae = i>>4; be = i&0xf; 985 | ao = ae ^ be; bo = ae ^ ROR4BY1(be) ^ ((ae<<3)&8); 986 | ae = t[0][ao]; be = t[1][bo]; 987 | ao = ae ^ be; bo = ae ^ ROR4BY1(be) ^ ((ae<<3)&8); 988 | ae = t[2][ao]; be = t[3][bo]; 989 | 990 | /* Store the result in the q-box table, the cast avoids a warning. */ 991 | q[i] = (Qtype) ((be<<4) | ae); 992 | } 993 | } 994 | 995 | 996 | /* 997 | * Initialise both q-box tables. 998 | */ 999 | static void initialise_q_boxes() { 1000 | /* Initialise each of the q-boxes using the t-tables */ 1001 | make_q_table( t_table[0], q_table[0] ); 1002 | make_q_table( t_table[1], q_table[1] ); 1003 | } 1004 | 1005 | 1006 | /* 1007 | * Next up is the MDS matrix multiplication. 1008 | * The MDS matrix multiplication operates in the field 1009 | * GF(2)[x]/p(x) with p(x)=x^8+x^6+x^5+x^3+1. 1010 | * If you don't understand this, read a book on finite fields. You cannot 1011 | * follow the finite-field computations without some background. 1012 | * 1013 | * In this field, multiplication by x is easy: shift left one bit 1014 | * and if bit 8 is set then xor the result with 0x169. 1015 | * 1016 | * The MDS coefficients use a multiplication by 1/x, 1017 | * or rather a division by x. This is easy too: first make the 1018 | * value 'even' (i.e. bit 0 is zero) by xorring with 0x169 if necessary, 1019 | * and then shift right one position. 1020 | * Even easier: shift right and xor with 0xb4 if the lsbit was set. 1021 | * 1022 | * The MDS coefficients are 1, EF, and 5B, and we use the fact that 1023 | * EF = 1 + 1/x + 1/x^2 1024 | * 5B = 1 + 1/x^2 1025 | * in this field. This makes multiplication by EF and 5B relatively easy. 1026 | * 1027 | * This property is no accident, the MDS matrix was designed to allow 1028 | * this implementation technique to be used. 1029 | * 1030 | * We have four MDS tables, each mapping 8 bits to 32 bits. 1031 | * Each table performs one column of the matrix multiplication. 1032 | * As the MDS is always preceded by q-boxes, each of these tables 1033 | * also implements the q-box just previous to that column. 1034 | */ 1035 | 1036 | /* The actual MDS tables. */ 1037 | static UInt32 MDS_table[4][256]; 1038 | 1039 | /* A small table to get easy conditional access to the 0xb4 constant. */ 1040 | static UInt32 mds_poly_divx_const[] = {0,0xb4}; 1041 | 1042 | /* Function to initialise the MDS tables. */ 1043 | static void initialise_mds_tables() 1044 | { 1045 | int i; 1046 | UInt32 q,qef,q5b; /* Temporary variables. */ 1047 | 1048 | /* Loop over all 8-bit input values */ 1049 | for( i=0; i<256; i++ ) 1050 | { 1051 | /* 1052 | * To save some work during the key expansion we include the last 1053 | * of the q-box layers from the h() function in these MDS tables. 1054 | */ 1055 | 1056 | /* We first do the inputs that are mapped through the q0 table. */ 1057 | q = q_table[0][i]; 1058 | /* 1059 | * Here we divide by x, note the table to get 0xb4 only if the 1060 | * lsbit is set. 1061 | * This sets qef = (1/x)*q in the finite field 1062 | */ 1063 | qef = (q >> 1) ^ mds_poly_divx_const[ q & 1 ]; 1064 | /* 1065 | * Divide by x again, and add q to get (1+1/x^2)*q. 1066 | * Note that (1+1/x^2) = 5B in the field, and addition in the field 1067 | * is exclusive or on the bits. 1068 | */ 1069 | q5b = (qef >> 1) ^ mds_poly_divx_const[ qef & 1 ] ^ q; 1070 | /* 1071 | * Add q5b to qef to set qef = (1+1/x+1/x^2)*q. 1072 | * Again, (1+1/x+1/x^2) = EF in the field. 1073 | */ 1074 | qef ^= q5b; 1075 | 1076 | /* 1077 | * Now that we have q5b = 5B * q and qef = EF * q 1078 | * we can fill two of the entries in the MDS matrix table. 1079 | * See the Twofish specifications for the order of the constants. 1080 | */ 1081 | MDS_table[1][i] = q <<24 | q5b<<16 | qef<<8 | qef; 1082 | MDS_table[3][i] = q5b<<24 | qef<<16 | q <<8 | q5b; 1083 | 1084 | /* Now we do it all again for the two columns that have a q1 box. */ 1085 | q = q_table[1][i]; 1086 | qef = (q >> 1) ^ mds_poly_divx_const[ q & 1 ]; 1087 | q5b = (qef >> 1) ^ mds_poly_divx_const[ qef & 1 ] ^ q; 1088 | qef ^= q5b; 1089 | 1090 | /* The other two columns use the coefficient in a different order. */ 1091 | MDS_table[0][i] = qef<<24 | qef<<16 | q5b<<8 | q ; 1092 | MDS_table[2][i] = qef<<24 | q <<16 | qef<<8 | q5b; 1093 | } 1094 | } 1095 | 1096 | 1097 | /* 1098 | * The h() function is the heart of the Twofish cipher. 1099 | * It is a complicated sequence of q-box lookups, key material xors, 1100 | * and finally the MDS matrix. 1101 | * We use lots of macros to make this reasonably fast. 1102 | */ 1103 | 1104 | /* First a shorthand for the two q-tables */ 1105 | #define q0 q_table[0] 1106 | #define q1 q_table[1] 1107 | 1108 | /* 1109 | * Each macro computes one column of the h for either 2, 3, or 4 stages. 1110 | * As there are 4 columns, we have 12 macros in all. 1111 | * 1112 | * The key bytes are stored in the Byte array L at offset 1113 | * 0,1,2,3, 8,9,10,11, [16,17,18,19, [24,25,26,27]] as this is the 1114 | * order we get the bytes from the user. If you look at the Twofish 1115 | * specs, you'll see that h() is applied to the even key words or the 1116 | * odd key words. The bytes of the even words appear in this spacing, 1117 | * and those of the odd key words too. 1118 | * 1119 | * These macros are the only place where the q-boxes and the MDS table 1120 | * are used. 1121 | */ 1122 | #define H02( y, L ) MDS_table[0][q0[q0[y]^L[ 8]]^L[0]] 1123 | #define H12( y, L ) MDS_table[1][q0[q1[y]^L[ 9]]^L[1]] 1124 | #define H22( y, L ) MDS_table[2][q1[q0[y]^L[10]]^L[2]] 1125 | #define H32( y, L ) MDS_table[3][q1[q1[y]^L[11]]^L[3]] 1126 | #define H03( y, L ) H02( q1[y]^L[16], L ) 1127 | #define H13( y, L ) H12( q1[y]^L[17], L ) 1128 | #define H23( y, L ) H22( q0[y]^L[18], L ) 1129 | #define H33( y, L ) H32( q0[y]^L[19], L ) 1130 | #define H04( y, L ) H03( q1[y]^L[24], L ) 1131 | #define H14( y, L ) H13( q0[y]^L[25], L ) 1132 | #define H24( y, L ) H23( q0[y]^L[26], L ) 1133 | #define H34( y, L ) H33( q1[y]^L[27], L ) 1134 | 1135 | /* 1136 | * Now we can define the h() function given an array of key bytes. 1137 | * This function is only used in the key schedule, and not to pre-compute 1138 | * the keyed S-boxes. 1139 | * 1140 | * In the key schedule, the input is always of the form k*(1+2^8+2^16+2^24) 1141 | * so we only provide k as an argument. 1142 | * 1143 | * Arguments: 1144 | * k input to the h() function. 1145 | * L pointer to array of key bytes at 1146 | * offsets 0,1,2,3, ... 8,9,10,11, [16,17,18,19, [24,25,26,27]] 1147 | * kCycles # key cycles, 2, 3, or 4. 1148 | */ 1149 | static UInt32 h( int k, Byte L[], int kCycles ) 1150 | { 1151 | switch( kCycles ) { 1152 | /* We code all 3 cases separately for speed reasons. */ 1153 | case 2: 1154 | return H02(k,L) ^ H12(k,L) ^ H22(k,L) ^ H32(k,L); 1155 | case 3: 1156 | return H03(k,L) ^ H13(k,L) ^ H23(k,L) ^ H33(k,L); 1157 | case 4: 1158 | return H04(k,L) ^ H14(k,L) ^ H24(k,L) ^ H34(k,L); 1159 | default: 1160 | /* This is always a coding error, which is fatal. */ 1161 | Twofish_fatal( "Twofish h(): Illegal argument" ); 1162 | } 1163 | } 1164 | 1165 | 1166 | /* 1167 | * Pre-compute the keyed S-boxes. 1168 | * Fill the pre-computed S-box array in the expanded key structure. 1169 | * Each pre-computed S-box maps 8 bits to 32 bits. 1170 | * 1171 | * The S argument contains half the number of bytes of the full key, but is 1172 | * derived from the full key. (See Twofish specifications for details.) 1173 | * S has the weird byte input order used by the Hxx macros. 1174 | * 1175 | * This function takes most of the time of a key expansion. 1176 | * 1177 | * Arguments: 1178 | * S pointer to array of 8*kCycles Bytes containing the S vector. 1179 | * kCycles number of key words, must be in the set {2,3,4} 1180 | * xkey pointer to Twofish_key structure that will contain the S-boxes. 1181 | */ 1182 | static void fill_keyed_sboxes( Byte S[], int kCycles, Twofish_key * xkey ) 1183 | { 1184 | int i; 1185 | switch( kCycles ) { 1186 | /* We code all 3 cases separately for speed reasons. */ 1187 | case 2: 1188 | for( i=0; i<256; i++ ) 1189 | { 1190 | xkey->s[0][i]= H02( i, S ); 1191 | xkey->s[1][i]= H12( i, S ); 1192 | xkey->s[2][i]= H22( i, S ); 1193 | xkey->s[3][i]= H32( i, S ); 1194 | } 1195 | break; 1196 | case 3: 1197 | for( i=0; i<256; i++ ) 1198 | { 1199 | xkey->s[0][i]= H03( i, S ); 1200 | xkey->s[1][i]= H13( i, S ); 1201 | xkey->s[2][i]= H23( i, S ); 1202 | xkey->s[3][i]= H33( i, S ); 1203 | } 1204 | break; 1205 | case 4: 1206 | for( i=0; i<256; i++ ) 1207 | { 1208 | xkey->s[0][i]= H04( i, S ); 1209 | xkey->s[1][i]= H14( i, S ); 1210 | xkey->s[2][i]= H24( i, S ); 1211 | xkey->s[3][i]= H34( i, S ); 1212 | } 1213 | break; 1214 | default: 1215 | /* This is always a coding error, which is fatal. */ 1216 | Twofish_fatal( "Twofish fill_keyed_sboxes(): Illegal argument" ); 1217 | } 1218 | } 1219 | 1220 | 1221 | /* A flag to keep track of whether we have been initialised or not. */ 1222 | static int Twofish_initialised = 0; 1223 | 1224 | /* 1225 | * Initialise the Twofish implementation. 1226 | * This function must be called before any other function in the 1227 | * Twofish implementation is called. 1228 | * This routine also does some sanity checks, to make sure that 1229 | * all the macros behave, and it tests the whole cipher. 1230 | */ 1231 | void Twofish_initialise() 1232 | { 1233 | /* First test the various platform-specific definitions. */ 1234 | test_platform(); 1235 | 1236 | /* We can now generate our tables, in the right order of course. */ 1237 | initialise_q_boxes(); 1238 | initialise_mds_tables(); 1239 | 1240 | /* We're finished with the initialisation itself. */ 1241 | Twofish_initialised = 1; 1242 | 1243 | /* 1244 | * And run some tests on the whole cipher. 1245 | * Yes, you need to do this every time you start your program. 1246 | * It is called assurance; you have to be certain that your program 1247 | * still works properly. 1248 | */ 1249 | self_test(); 1250 | } 1251 | 1252 | 1253 | /* 1254 | * The Twofish key schedule uses an Reed-Solomon code matrix multiply. 1255 | * Just like the MDS matrix, the RS-matrix is designed to be easy 1256 | * to implement. Details are below in the code. 1257 | * 1258 | * These constants make it easy to compute in the finite field used 1259 | * for the RS code. 1260 | * 1261 | * We use Bytes for the RS computation, but these are automatically 1262 | * widened to unsigned integers in the expressions. Having unsigned 1263 | * ints in these tables therefore provides the fastest access. 1264 | */ 1265 | static unsigned int rs_poly_const[] = {0, 0x14d}; 1266 | static unsigned int rs_poly_div_const[] = {0, 0xa6 }; 1267 | 1268 | 1269 | /* 1270 | * Prepare a key for use in encryption and decryption. 1271 | * Like most block ciphers, Twofish allows the key schedule 1272 | * to be pre-computed given only the key. 1273 | * Twofish has a fairly 'heavy' key schedule that takes a lot of time 1274 | * to compute. The main work is pre-computing the S-boxes used in the 1275 | * encryption and decryption. We feel that this makes the cipher much 1276 | * harder to attack. The attacker doesn't even know what the S-boxes 1277 | * contain without including the entire key schedule in the analysis. 1278 | * 1279 | * Unlike most Twofish implementations, this one allows any key size from 1280 | * 0 to 32 bytes. Odd key sizes are defined for Twofish (see the 1281 | * specifications); the key is simply padded with zeroes to the next real 1282 | * key size of 16, 24, or 32 bytes. 1283 | * Each odd-sized key is thus equivalent to a single normal-sized key. 1284 | * 1285 | * Arguments: 1286 | * key array of key bytes 1287 | * key_len number of bytes in the key, must be in the range 0,...,32. 1288 | * xkey Pointer to an Twofish_key structure that will be filled 1289 | * with the internal form of the cipher key. 1290 | */ 1291 | void Twofish_prepare_key( Byte key[], int key_len, Twofish_key * xkey ) 1292 | { 1293 | /* We use a single array to store all key material in, 1294 | * to simplify the wiping of the key material at the end. 1295 | * The first 32 bytes contain the actual (padded) cipher key. 1296 | * The next 32 bytes contain the S-vector in its weird format, 1297 | * and we have 4 bytes of overrun necessary for the RS-reduction. 1298 | */ 1299 | Byte K[32+32+4]; 1300 | 1301 | int kCycles; /* # key cycles, 2,3, or 4. */ 1302 | 1303 | int i; 1304 | UInt32 A, B; /* Used to compute the round keys. */ 1305 | 1306 | Byte * kptr; /* Three pointers for the RS computation. */ 1307 | Byte * sptr; 1308 | Byte * t; 1309 | 1310 | Byte b,bx,bxx; /* Some more temporaries for the RS computation. */ 1311 | 1312 | /* Check that the Twofish implementation was initialised. */ 1313 | if( Twofish_initialised == 0 ) 1314 | { 1315 | /* 1316 | * You didn't call Twofish_initialise before calling this routine. 1317 | * This is a programming error, and therefore we call the fatal 1318 | * routine. 1319 | * 1320 | * I could of course call the initialisation routine here, 1321 | * but there are a few reasons why I don't. First of all, the 1322 | * self-tests have to be done at startup. It is no good to inform 1323 | * the user that the cipher implementation fails when he wants to 1324 | * write his data to disk in encrypted form. You have to warn him 1325 | * before he spends time typing his data. Second, the initialisation 1326 | * and self test are much slower than a single key expansion. 1327 | * Calling the initialisation here makes the performance of the 1328 | * cipher unpredictable. This can lead to really weird problems 1329 | * if you use the cipher for a real-time task. Suddenly it fails 1330 | * once in a while the first time you try to use it. Things like 1331 | * that are almost impossible to debug. 1332 | */ 1333 | Twofish_fatal( "Twofish implementation was not initialised." ); 1334 | 1335 | /* 1336 | * There is always a danger that the Twofish_fatal routine returns, 1337 | * in spite of the specifications that it should not. 1338 | * (A good programming rule: don't trust the rest of the code.) 1339 | * This would be disasterous. If the q-tables and MDS-tables have 1340 | * not been initialised, they are probably still filled with zeroes. 1341 | * Suppose the MDS-tables are all zero. The key expansion would then 1342 | * generate all-zero round keys, and all-zero s-boxes. The danger 1343 | * is that nobody would notice as the encryption function still 1344 | * mangles the input, and the decryption still 'decrypts' it, 1345 | * but now in a completely key-independent manner. 1346 | * To stop such security disasters, we use blunt force. 1347 | * If your program hangs here: fix the fatal routine! 1348 | */ 1349 | for(;;); /* Infinite loop, which beats being insecure. */ 1350 | } 1351 | 1352 | /* Check for valid key length. */ 1353 | if( key_len < 0 || key_len > 32 ) 1354 | { 1355 | /* 1356 | * This can only happen if a programmer didn't read the limitations 1357 | * on the key size. 1358 | */ 1359 | Twofish_fatal( "Twofish_prepare_key: illegal key length" ); 1360 | /* 1361 | * A return statement just in case the fatal macro returns. 1362 | * The rest of the code assumes that key_len is in range, and would 1363 | * buffer-overflow if it wasn't. 1364 | * 1365 | * Why do we still use a programming language that has problems like 1366 | * buffer overflows, when these problems were solved in 1960 with 1367 | * the development of Algol? Have we not leared anything? 1368 | */ 1369 | return; 1370 | } 1371 | 1372 | /* Pad the key with zeroes to the next suitable key length. */ 1373 | memcpy( K, key, key_len ); 1374 | memset( K+key_len, 0, sizeof(K)-key_len ); 1375 | 1376 | /* 1377 | * Compute kCycles: the number of key cycles used in the cipher. 1378 | * 2 for 128-bit keys, 3 for 192-bit keys, and 4 for 256-bit keys. 1379 | */ 1380 | kCycles = (key_len + 7) >> 3; 1381 | /* Handle the special case of very short keys: minimum 2 cycles. */ 1382 | if( kCycles < 2 ) 1383 | { 1384 | kCycles = 2; 1385 | } 1386 | 1387 | /* 1388 | * From now on we just pretend to have 8*kCycles bytes of 1389 | * key material in K. This handles all the key size cases. 1390 | */ 1391 | 1392 | /* 1393 | * We first compute the 40 expanded key words, 1394 | * formulas straight from the Twofish specifications. 1395 | */ 1396 | for( i=0; i<40; i+=2 ) 1397 | { 1398 | /* 1399 | * Due to the byte spacing expected by the h() function 1400 | * we can pick the bytes directly from the key K. 1401 | * As we use bytes, we never have the little/big endian 1402 | * problem. 1403 | * 1404 | * Note that we apply the rotation function only to simple 1405 | * variables, as the rotation macro might evaluate its argument 1406 | * more than once. 1407 | */ 1408 | A = h( i , K , kCycles ); 1409 | B = h( i+1, K+4, kCycles ); 1410 | B = ROL32( B, 8 ); 1411 | 1412 | /* Compute and store the round keys. */ 1413 | A += B; 1414 | B += A; 1415 | xkey->K[i] = A; 1416 | xkey->K[i+1] = ROL32( B, 9 ); 1417 | } 1418 | 1419 | /* Wipe variables that contained key material. */ 1420 | A=B=0; 1421 | 1422 | /* 1423 | * And now the dreaded RS multiplication that few seem to understand. 1424 | * The RS matrix is not random, and is specially designed to compute the 1425 | * RS matrix multiplication in a simple way. 1426 | * 1427 | * We work in the field GF(2)[x]/x^8+x^6+x^3+x^2+1. Note that this is a 1428 | * different field than used for the MDS matrix. 1429 | * (At least, it is a different representation because all GF(2^8) 1430 | * representations are equivalent in some form.) 1431 | * 1432 | * We take 8 consecutive bytes of the key and interpret them as 1433 | * a polynomial k_0 + k_1 y + k_2 y^2 + ... + k_7 y^7 where 1434 | * the k_i bytes are the key bytes and are elements of the finite field. 1435 | * We multiply this polynomial by y^4 and reduce it modulo 1436 | * y^4 + (x + 1/x)y^3 + (x)y^2 + (x + 1/x)y + 1. 1437 | * using straightforward polynomial modulo reduction. 1438 | * The coefficients of the result are the result of the RS 1439 | * matrix multiplication. When we wrote the Twofish specification, 1440 | * the original RS definition used the polynomials, 1441 | * but that requires much more mathematical knowledge. 1442 | * We were already using matrix multiplication in a finite field for 1443 | * the MDS matrix, so I re-wrote the RS operation as a matrix 1444 | * multiplication to reduce the difficulty of understanding it. 1445 | * Some implementors have not picked up on this simpler method of 1446 | * computing the RS operation, even though it is mentioned in the 1447 | * specifications. 1448 | * 1449 | * It is possible to perform these computations faster by using 32-bit 1450 | * word operations, but that is not portable and this is not a speed- 1451 | * critical area. 1452 | * 1453 | * We explained the 1/x computation when we did the MDS matrix. 1454 | * 1455 | * The S vector is stored in K[32..64]. 1456 | * The S vector has to be reversed, so we loop cross-wise. 1457 | * 1458 | * Note the weird byte spacing of the S-vector, to match the even 1459 | * or odd key words arrays. See the discussion at the Hxx macros for 1460 | * details. 1461 | */ 1462 | kptr = K + 8*kCycles; /* Start at end of key */ 1463 | sptr = K + 32; /* Start at start of S */ 1464 | 1465 | /* Loop over all key material */ 1466 | while( kptr > K ) 1467 | { 1468 | kptr -= 8; 1469 | /* 1470 | * Initialise the polynimial in sptr[0..12] 1471 | * The first four coefficients are 0 as we have to multiply by y^4. 1472 | * The next 8 coefficients are from the key material. 1473 | */ 1474 | memset( sptr, 0, 4 ); 1475 | memcpy( sptr+4, kptr, 8 ); 1476 | 1477 | /* 1478 | * The 12 bytes starting at sptr are now the coefficients of 1479 | * the polynomial we need to reduce. 1480 | */ 1481 | 1482 | /* Loop over the polynomial coefficients from high to low */ 1483 | t = sptr+11; 1484 | /* Keep looping until polynomial is degree 3; */ 1485 | while( t > sptr+3 ) 1486 | { 1487 | /* Pick up the highest coefficient of the poly. */ 1488 | b = *t; 1489 | 1490 | /* 1491 | * Compute x and (x+1/x) times this coefficient. 1492 | * See the MDS matrix implementation for a discussion of 1493 | * multiplication by x and 1/x. We just use different 1494 | * constants here as we are in a 1495 | * different finite field representation. 1496 | * 1497 | * These two statements set 1498 | * bx = (x) * b 1499 | * bxx= (x + 1/x) * b 1500 | */ 1501 | bx = (Byte)((b<<1) ^ rs_poly_const[ b>>7 ]); 1502 | bxx= (Byte)((b>>1) ^ rs_poly_div_const[ b&1 ] ^ bx); 1503 | 1504 | /* 1505 | * Subtract suitable multiple of 1506 | * y^4 + (x + 1/x)y^3 + (x)y^2 + (x + 1/x)y + 1 1507 | * from the polynomial, except that we don't bother 1508 | * updating t[0] as it will become zero anyway. 1509 | */ 1510 | t[-1] ^= bxx; 1511 | t[-2] ^= bx; 1512 | t[-3] ^= bxx; 1513 | t[-4] ^= b; 1514 | 1515 | /* Go to the next coefficient. */ 1516 | t--; 1517 | } 1518 | 1519 | /* Go to next S-vector word, obeying the weird spacing rules. */ 1520 | sptr += 8; 1521 | } 1522 | 1523 | /* Wipe variables that contained key material. */ 1524 | b = bx = bxx = 0; 1525 | 1526 | /* And finally, we can compute the key-dependent S-boxes. */ 1527 | fill_keyed_sboxes( &K[32], kCycles, xkey ); 1528 | 1529 | /* Wipe array that contained key material. */ 1530 | memset( K, 0, sizeof( K ) ); 1531 | } 1532 | 1533 | 1534 | /* 1535 | * We can now start on the actual encryption and decryption code. 1536 | * As these are often speed-critical we will use a lot of macros. 1537 | */ 1538 | 1539 | /* 1540 | * The g() function is the heart of the round function. 1541 | * We have two versions of the g() function, one without an input 1542 | * rotation and one with. 1543 | * The pre-computed S-boxes make this pretty simple. 1544 | */ 1545 | #define g0(X,xkey) \ 1546 | (xkey->s[0][b0(X)]^xkey->s[1][b1(X)]^xkey->s[2][b2(X)]^xkey->s[3][b3(X)]) 1547 | 1548 | #define g1(X,xkey) \ 1549 | (xkey->s[0][b3(X)]^xkey->s[1][b0(X)]^xkey->s[2][b1(X)]^xkey->s[3][b2(X)]) 1550 | 1551 | /* 1552 | * A single round of Twofish. The A,B,C,D are the four state variables, 1553 | * T0 and T1 are temporaries, xkey is the expanded key, and r the 1554 | * round number. 1555 | * 1556 | * Note that this macro does not implement the swap at the end of the round. 1557 | */ 1558 | #define ENCRYPT_RND( A,B,C,D, T0, T1, xkey, r ) \ 1559 | T0 = g0(A,xkey); T1 = g1(B,xkey);\ 1560 | C ^= T0+T1+xkey->K[8+2*(r)]; C = ROR32(C,1);\ 1561 | D = ROL32(D,1); D ^= T0+2*T1+xkey->K[8+2*(r)+1] 1562 | 1563 | /* 1564 | * Encrypt a single cycle, consisting of two rounds. 1565 | * This avoids the swapping of the two halves. 1566 | * Parameter r is now the cycle number. 1567 | */ 1568 | #define ENCRYPT_CYCLE( A, B, C, D, T0, T1, xkey, r ) \ 1569 | ENCRYPT_RND( A,B,C,D,T0,T1,xkey,2*(r) );\ 1570 | ENCRYPT_RND( C,D,A,B,T0,T1,xkey,2*(r)+1 ) 1571 | 1572 | /* Full 16-round encryption */ 1573 | #define ENCRYPT( A,B,C,D,T0,T1,xkey ) \ 1574 | ENCRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 0 );\ 1575 | ENCRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 1 );\ 1576 | ENCRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 2 );\ 1577 | ENCRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 3 );\ 1578 | ENCRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 4 );\ 1579 | ENCRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 5 );\ 1580 | ENCRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 6 );\ 1581 | ENCRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 7 ) 1582 | 1583 | /* 1584 | * A single round of Twofish for decryption. It differs from 1585 | * ENCRYTP_RND only because of the 1-bit rotations. 1586 | */ 1587 | #define DECRYPT_RND( A,B,C,D, T0, T1, xkey, r ) \ 1588 | T0 = g0(A,xkey); T1 = g1(B,xkey);\ 1589 | C = ROL32(C,1); C ^= T0+T1+xkey->K[8+2*(r)];\ 1590 | D ^= T0+2*T1+xkey->K[8+2*(r)+1]; D = ROR32(D,1) 1591 | 1592 | /* 1593 | * Decrypt a single cycle, consisting of two rounds. 1594 | * This avoids the swapping of the two halves. 1595 | * Parameter r is now the cycle number. 1596 | */ 1597 | #define DECRYPT_CYCLE( A, B, C, D, T0, T1, xkey, r ) \ 1598 | DECRYPT_RND( A,B,C,D,T0,T1,xkey,2*(r)+1 );\ 1599 | DECRYPT_RND( C,D,A,B,T0,T1,xkey,2*(r) ) 1600 | 1601 | /* Full 16-round decryption. */ 1602 | #define DECRYPT( A,B,C,D,T0,T1, xkey ) \ 1603 | DECRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 7 );\ 1604 | DECRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 6 );\ 1605 | DECRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 5 );\ 1606 | DECRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 4 );\ 1607 | DECRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 3 );\ 1608 | DECRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 2 );\ 1609 | DECRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 1 );\ 1610 | DECRYPT_CYCLE( A,B,C,D,T0,T1,xkey, 0 ) 1611 | 1612 | /* 1613 | * A macro to read the state from the plaintext and do the initial key xors. 1614 | * The koff argument allows us to use the same macro 1615 | * for the decryption which uses different key words at the start. 1616 | */ 1617 | #define GET_INPUT( src, A,B,C,D, xkey, koff ) \ 1618 | A = GET32(src )^xkey->K[ koff]; B = GET32(src+ 4)^xkey->K[1+koff]; \ 1619 | C = GET32(src+ 8)^xkey->K[2+koff]; D = GET32(src+12)^xkey->K[3+koff] 1620 | 1621 | /* 1622 | * Similar macro to put the ciphertext in the output buffer. 1623 | * We xor the keys into the state variables before we use the PUT32 1624 | * macro as the macro might use its argument multiple times. 1625 | */ 1626 | #define PUT_OUTPUT( A,B,C,D, dst, xkey, koff ) \ 1627 | A ^= xkey->K[ koff]; B ^= xkey->K[1+koff]; \ 1628 | C ^= xkey->K[2+koff]; D ^= xkey->K[3+koff]; \ 1629 | PUT32( A, dst ); PUT32( B, dst+ 4 ); \ 1630 | PUT32( C, dst+8 ); PUT32( D, dst+12 ) 1631 | 1632 | 1633 | /* 1634 | * Twofish block encryption 1635 | * 1636 | * Arguments: 1637 | * xkey expanded key array 1638 | * p 16 bytes of plaintext 1639 | * c 16 bytes in which to store the ciphertext 1640 | */ 1641 | void Twofish_encrypt( Twofish_key * xkey, Byte p[16], Byte c[16]) 1642 | { 1643 | UInt32 A,B,C,D,T0,T1; /* Working variables */ 1644 | 1645 | /* Get the four plaintext words xorred with the key */ 1646 | GET_INPUT( p, A,B,C,D, xkey, 0 ); 1647 | 1648 | /* Do 8 cycles (= 16 rounds) */ 1649 | ENCRYPT( A,B,C,D,T0,T1,xkey ); 1650 | 1651 | /* Store them with the final swap and the output whitening. */ 1652 | PUT_OUTPUT( C,D,A,B, c, xkey, 4 ); 1653 | } 1654 | 1655 | 1656 | /* 1657 | * Twofish block decryption. 1658 | * 1659 | * Arguments: 1660 | * xkey expanded key array 1661 | * p 16 bytes of plaintext 1662 | * c 16 bytes in which to store the ciphertext 1663 | */ 1664 | void Twofish_decrypt( Twofish_key * xkey, Byte c[16], Byte p[16]) 1665 | { 1666 | UInt32 A,B,C,D,T0,T1; /* Working variables */ 1667 | 1668 | /* Get the four plaintext words xorred with the key */ 1669 | GET_INPUT( c, A,B,C,D, xkey, 4 ); 1670 | 1671 | /* Do 8 cycles (= 16 rounds) */ 1672 | DECRYPT( A,B,C,D,T0,T1,xkey ); 1673 | 1674 | /* Store them with the final swap and the output whitening. */ 1675 | PUT_OUTPUT( C,D,A,B, p, xkey, 0 ); 1676 | } 1677 | 1678 | /* 1679 | * Using the macros it is easy to make special routines for 1680 | * CBC mode, CTR mode etc. The only thing you might want to 1681 | * add is a XOR_PUT_OUTPUT which xors the outputs into the 1682 | * destinationa instead of overwriting the data. This requires 1683 | * a XOR_PUT32 macro as well, but that should all be trivial. 1684 | * 1685 | * I thought about including routines for the separate cipher 1686 | * modes here, but it is unclear which modes should be included, 1687 | * and each encryption or decryption routine takes up a lot of code space. 1688 | * Also, I don't have any test vectors for any cipher modes 1689 | * with Twofish. 1690 | */ 1691 | -------------------------------------------------------------------------------- /twofish-0.3/twofish.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Fast, portable, and easy-to-use Twofish implementation, 3 | * Version 0.3. 4 | * Copyright (c) 2002 by Niels Ferguson. 5 | * 6 | * See the twofish.c file for the details of the how and why of this code. 7 | * 8 | * The author hereby grants a perpetual license to everybody to 9 | * use this code for any purpose as long as the copyright message is included 10 | * in the source code of this or any derived work. 11 | */ 12 | 13 | #include 14 | 15 | /* 16 | * PLATFORM FIXES 17 | * ============== 18 | * 19 | * The following definitions have to be fixed for each particular platform 20 | * you work on. If you have a multi-platform program, you no doubt have 21 | * portable definitions that you can substitute here without changing 22 | * the rest of the code. 23 | * 24 | * The defaults provided here should work on most PC compilers. 25 | */ 26 | 27 | 28 | /* 29 | * A Twofish_Byte must be an unsigned 8-bit integer. 30 | * It must also be the elementary data size of your C platform, 31 | * i.e. sizeof( Twofish_Byte ) == 1. 32 | */ 33 | typedef uint8_t Twofish_Byte; 34 | 35 | /* 36 | * A Twofish_UInt32 must be an unsigned integer of at least 32 bits. 37 | * 38 | * This type is used only internally in the implementation, so ideally it 39 | * would not appear in the header file, but it is used inside the 40 | * Twofish_key structure which means it has to be included here. 41 | */ 42 | typedef uint32_t Twofish_UInt32; 43 | 44 | 45 | /* 46 | * END OF PLATFORM FIXES 47 | * ===================== 48 | * 49 | * You should not have to touch the rest of this file, but the code 50 | * in twofish.c has a few things you need to fix too. 51 | */ 52 | 53 | 54 | /* 55 | * Structure that contains a prepared Twofish key. 56 | * A cipher key is used in two stages. In the first stage it is converted 57 | * form the original form to an internal representation. 58 | * This internal form is then used to encrypt and decrypt data. 59 | * This structure contains the internal form. It is rather large: 4256 bytes 60 | * on a platform with 32-bit unsigned values. 61 | * 62 | * Treat this as an opague structure, and don't try to manipulate the 63 | * elements in it. I wish I could hide the inside of the structure, 64 | * but C doesn't allow that. 65 | */ 66 | typedef 67 | struct 68 | { 69 | Twofish_UInt32 s[4][256]; /* pre-computed S-boxes */ 70 | Twofish_UInt32 K[40]; /* Round key words */ 71 | } 72 | Twofish_key; 73 | 74 | 75 | /* 76 | * Initialise and test the Twofish implementation. 77 | * 78 | * This function MUST be called before any other function in the 79 | * Twofish implementation is called. 80 | * It only needs to be called once. 81 | * 82 | * Apart from initialising the implementation it performs a self test. 83 | * If the Twofish_fatal function is not called, the code passed the test. 84 | * (See the twofish.c file for details on the Twofish_fatal function.) 85 | */ 86 | extern void Twofish_initialise(); 87 | 88 | 89 | /* 90 | * Convert a cipher key to the internal form used for 91 | * encryption and decryption. 92 | * 93 | * The cipher key is an array of bytes; the Twofish_Byte type is 94 | * defined above to a type suitable on your platform. 95 | * 96 | * Any key must be converted to an internal form in the Twofisk_key structure 97 | * before it can be used. 98 | * The encryption and decryption functions only work with the internal form. 99 | * The conversion to internal form need only be done once for each key value. 100 | * 101 | * Be sure to wipe all key storage, including the Twofish_key structure, 102 | * once you are done with the key data. 103 | * A simple memset( TwofishKey, 0, sizeof( TwofishKey ) ) will do just fine. 104 | * 105 | * Unlike most implementations, this one allows any key size from 0 bytes 106 | * to 32 bytes. According to the Twofish specifications, 107 | * irregular key sizes are handled by padding the key with zeroes at the end 108 | * until the key size is 16, 24, or 32 bytes, whichever 109 | * comes first. Note that each key of irregular size is equivalent to exactly 110 | * one key of 16, 24, or 32 bytes. 111 | * 112 | * WARNING: Short keys have low entropy, and result in low security. 113 | * Anything less than 8 bytes is utterly insecure. For good security 114 | * use at least 16 bytes. I prefer to use 32-byte keys to prevent 115 | * any collision attacks on the key. 116 | * 117 | * The key length argument key_len must be in the proper range. 118 | * If key_len is not in the range 0,...,32 this routine attempts to generate 119 | * a fatal error (depending on the code environment), 120 | * and at best (or worst) returns without having done anything. 121 | * 122 | * Arguments: 123 | * key Array of key bytes 124 | * key_len Number of key bytes, must be in the range 0,1,...,32. 125 | * xkey Pointer to an Twofish_key structure that will be filled 126 | * with the internal form of the cipher key. 127 | */ 128 | extern void Twofish_prepare_key( 129 | Twofish_Byte key[], 130 | int key_len, 131 | Twofish_key * xkey 132 | ); 133 | 134 | 135 | /* 136 | * Encrypt a single block of data. 137 | * 138 | * This function encrypts a single block of 16 bytes of data. 139 | * If you want to encrypt a larger or variable-length message, 140 | * you will have to use a cipher mode, such as CBC or CTR. 141 | * These are outside the scope of this implementation. 142 | * 143 | * The xkey structure is not modified by this routine, and can be 144 | * used for further encryption and decryption operations. 145 | * 146 | * Arguments: 147 | * xkey pointer to Twofish_key, internal form of the key 148 | * produces by Twofish_prepare_key() 149 | * p Plaintext to be encrypted 150 | * c Place to store the ciphertext 151 | */ 152 | extern void Twofish_encrypt( 153 | Twofish_key * xkey, 154 | Twofish_Byte p[16], 155 | Twofish_Byte c[16] 156 | ); 157 | 158 | 159 | /* 160 | * Decrypt a single block of data. 161 | * 162 | * This function decrypts a single block of 16 bytes of data. 163 | * If you want to decrypt a larger or variable-length message, 164 | * you will have to use a cipher mode, such as CBC or CTR. 165 | * These are outside the scope of this implementation. 166 | * 167 | * The xkey structure is not modified by this routine, and can be 168 | * used for further encryption and decryption operations. 169 | * 170 | * Arguments: 171 | * xkey pointer to Twofish_key, internal form of the key 172 | * produces by Twofish_prepare_key() 173 | * c Ciphertext to be decrypted 174 | * p Place to store the plaintext 175 | */ 176 | extern void Twofish_decrypt( 177 | Twofish_key * xkey, 178 | Twofish_Byte c[16], 179 | Twofish_Byte p[16] 180 | ); 181 | -------------------------------------------------------------------------------- /twofish.c: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Python Twofish 3 | * a Python bridge to the C Twofish library by Niels Ferguson 4 | * 5 | * Released under The BSD 3-Clause License 6 | * Copyright (c) 2013 Keybase 7 | * 8 | * Bridge C module 9 | */ 10 | 11 | #include 12 | #include "twofish.h" 13 | 14 | #if !defined(DL_EXPORT) 15 | 16 | #if defined(HAVE_DECLSPEC_DLL) 17 | #define DL_EXPORT(type) __declspec(dllexport) type 18 | #else 19 | #define DL_EXPORT(type) type 20 | #endif 21 | 22 | #endif 23 | 24 | /* Exported trampolines */ 25 | DL_EXPORT(void) exp_Twofish_initialise() { 26 | Twofish_initialise(); 27 | } 28 | 29 | DL_EXPORT(void) exp_Twofish_prepare_key(uint8_t key[], int key_len, Twofish_key * xkey) { 30 | Twofish_prepare_key(key, key_len, xkey); 31 | } 32 | 33 | DL_EXPORT(void) exp_Twofish_encrypt(Twofish_key * xkey, uint8_t p[16], uint8_t c[16]) { 34 | Twofish_encrypt(xkey, p, c); 35 | } 36 | 37 | DL_EXPORT(void) exp_Twofish_decrypt(Twofish_key * xkey, uint8_t c[16], uint8_t p[16]) { 38 | Twofish_decrypt(xkey, c, p); 39 | } 40 | 41 | /* 42 | We need a stub init_twofish function so the module will link as a proper module. 43 | Do not import _twofish from python; it will not work since _twofish is not a *real* module 44 | */ 45 | PyMODINIT_FUNC init_twofish(void) { } 46 | PyMODINIT_FUNC PyInit__twofish(void) { } 47 | -------------------------------------------------------------------------------- /twofish.py: -------------------------------------------------------------------------------- 1 | """ 2 | This file is part of Python Twofish 3 | a Python bridge to the C Twofish library by Niels Ferguson 4 | 5 | Released under The BSD 3-Clause License 6 | Copyright (c) 2013 Keybase 7 | 8 | Python module and ctypes bindings 9 | """ 10 | 11 | import imp 12 | import sys 13 | 14 | from ctypes import (cdll, Structure, 15 | POINTER, pointer, 16 | c_char_p, c_int, c_uint32, 17 | create_string_buffer) 18 | 19 | _twofish = cdll.LoadLibrary(imp.find_module('_twofish')[1]) 20 | 21 | class _Twofish_key(Structure): 22 | _fields_ = [("s", (c_uint32 * 4) * 256), 23 | ("K", c_uint32 * 40)] 24 | 25 | _Twofish_initialise = _twofish.exp_Twofish_initialise 26 | _Twofish_initialise.argtypes = [] 27 | _Twofish_initialise.restype = None 28 | 29 | _Twofish_prepare_key = _twofish.exp_Twofish_prepare_key 30 | _Twofish_prepare_key.argtypes = [ c_char_p, # uint8_t key[] 31 | c_int, # int key_len 32 | POINTER(_Twofish_key) ] 33 | _Twofish_prepare_key.restype = None 34 | 35 | _Twofish_encrypt = _twofish.exp_Twofish_encrypt 36 | _Twofish_encrypt.argtypes = [ POINTER(_Twofish_key), 37 | c_char_p, # uint8_t p[16] 38 | c_char_p # uint8_t c[16] 39 | ] 40 | _Twofish_encrypt.restype = None 41 | 42 | _Twofish_decrypt = _twofish.exp_Twofish_decrypt 43 | _Twofish_decrypt.argtypes = [ POINTER(_Twofish_key), 44 | c_char_p, # uint8_t c[16] 45 | c_char_p # uint8_t p[16] 46 | ] 47 | _Twofish_decrypt.restype = None 48 | 49 | _Twofish_initialise() 50 | 51 | IS_PY2 = sys.version_info < (3, 0, 0, 'final', 0) 52 | 53 | def _ensure_bytes(data): 54 | if (IS_PY2 and not isinstance(data, str)) or (not IS_PY2 and not isinstance(data, bytes)): 55 | raise TypeError('can not encrypt/decrypt unicode objects') 56 | 57 | 58 | class Twofish(): 59 | def __init__(self, key): 60 | if not (len(key) > 0 and len(key) <= 32): 61 | raise ValueError('invalid key length') 62 | _ensure_bytes(key) 63 | 64 | self.key = _Twofish_key() 65 | _Twofish_prepare_key(key, len(key), pointer(self.key)) 66 | 67 | def encrypt(self, data): 68 | if not len(data) == 16: 69 | raise ValueError('invalid block length') 70 | _ensure_bytes(data) 71 | 72 | outbuf = create_string_buffer(len(data)) 73 | _Twofish_encrypt(pointer(self.key), data, outbuf) 74 | return outbuf.raw 75 | 76 | def decrypt(self, data): 77 | if not len(data) == 16: 78 | raise ValueError('invalid block length') 79 | _ensure_bytes(data) 80 | 81 | outbuf = create_string_buffer(len(data)) 82 | _Twofish_decrypt(pointer(self.key), data, outbuf) 83 | return outbuf.raw 84 | 85 | 86 | # Repeat the test on the same vectors checked at runtime by the library 87 | def self_test(): 88 | import binascii 89 | 90 | # 128-bit test is the I=3 case of section B.2 of the Twofish book. 91 | t128 = ('9F589F5CF6122C32B6BFEC2F2AE8C35A', 92 | 'D491DB16E7B1C39E86CB086B789F5419', 93 | '019F9809DE1711858FAAC3A3BA20FBC3') 94 | 95 | # 192-bit test is the I=4 case of section B.2 of the Twofish book. 96 | t192 = ('88B2B2706B105E36B446BB6D731A1E88EFA71F788965BD44', 97 | '39DA69D6BA4997D585B6DC073CA341B2', 98 | '182B02D81497EA45F9DAACDC29193A65') 99 | 100 | # 256-bit test is the I=4 case of section B.2 of the Twofish book. 101 | t256 = ('D43BB7556EA32E46F2A282B7D45B4E0D57FF739D4DC92C1BD7FC01700CC8216F', 102 | '90AFE91BB288544F2C32DC239B2635E6', 103 | '6CB4561C40BF0A9705931CB6D408E7FA') 104 | 105 | for t in (t128, t192, t256): 106 | k = binascii.unhexlify(t[0]) 107 | p = binascii.unhexlify(t[1]) 108 | c = binascii.unhexlify(t[2]) 109 | 110 | T = Twofish(k) 111 | if not T.encrypt(p) == c or not T.decrypt(c) == p: 112 | raise ImportError('the Twofish library is corrupted') 113 | 114 | self_test() 115 | --------------------------------------------------------------------------------