| 1 |
10 |
simon111 |
/*
|
| 2 |
|
|
dvb common scrambling algorithm
|
| 3 |
|
|
|
| 4 |
|
|
refs:
|
| 5 |
|
|
uk patent: gb 2322 994
|
| 6 |
|
|
uk patent: gb 2322 995
|
| 7 |
|
|
freedec v2.1
|
| 8 |
|
|
iso/iec 13818-1
|
| 9 |
|
|
etr289 / dvb document a007
|
| 10 |
|
|
|
| 11 |
|
|
*/
|
| 12 |
|
|
|
| 13 |
|
|
#include <memory.h>
|
| 14 |
15 |
simon111 |
#include <stdio.h>
|
| 15 |
10 |
simon111 |
#include "csa.h"
|
| 16 |
|
|
|
| 17 |
20 |
simon111 |
#include "misc.h"
|
| 18 |
|
|
|
| 19 |
10 |
simon111 |
#ifndef NULL
|
| 20 |
|
|
#define NULL 0
|
| 21 |
|
|
#endif
|
| 22 |
|
|
|
| 23 |
|
|
/* stream cypher */
|
| 24 |
|
|
|
| 25 |
|
|
/* 107 state bits */
|
| 26 |
|
|
/* 26 nibbles (4 bit) */
|
| 27 |
|
|
/* + 3 bits */
|
| 28 |
|
|
/* reg A[1]-A[10], 10 nibbles */
|
| 29 |
|
|
/* reg B[1]-B[10], 10 nibbles */
|
| 30 |
|
|
/* reg X, 1 nibble */
|
| 31 |
|
|
/* reg Y, 1 nibble */
|
| 32 |
|
|
/* reg Z, 1 nibble */
|
| 33 |
|
|
/* reg D, 1 nibble */
|
| 34 |
|
|
/* reg E, 1 nibble */
|
| 35 |
|
|
/* reg F, 1 nibble */
|
| 36 |
|
|
/* reg p, 1 bit */
|
| 37 |
|
|
/* reg q, 1 bit */
|
| 38 |
|
|
/* reg r, 1 bit */
|
| 39 |
|
|
|
| 40 |
|
|
int sbox1[0x20] = {2,0,1,1,2,3,3,0, 3,2,2,0,1,1,0,3, 0,3,3,0,2,2,1,1, 2,2,0,3,1,1,3,0};
|
| 41 |
|
|
int sbox2[0x20] = {3,1,0,2,2,3,3,0, 1,3,2,1,0,0,1,2, 3,1,0,3,3,2,0,2, 0,0,1,2,2,1,3,1};
|
| 42 |
|
|
int sbox3[0x20] = {2,0,1,2,2,3,3,1, 1,1,0,3,3,0,2,0, 1,3,0,1,3,0,2,2, 2,0,1,2,0,3,3,1};
|
| 43 |
|
|
int sbox4[0x20] = {3,1,2,3,0,2,1,2, 1,2,0,1,3,0,0,3, 1,0,3,1,2,3,0,3, 0,3,2,0,1,2,2,1};
|
| 44 |
|
|
int sbox5[0x20] = {2,0,0,1,3,2,3,2, 0,1,3,3,1,0,2,1, 2,3,2,0,0,3,1,1, 1,0,3,2,3,1,0,2};
|
| 45 |
|
|
int sbox6[0x20] = {0,1,2,3,1,2,2,0, 0,1,3,0,2,3,1,3, 2,3,0,2,3,0,1,1, 2,1,1,2,0,3,3,0};
|
| 46 |
|
|
int sbox7[0x20] = {0,3,2,2,3,0,0,1, 3,0,1,3,1,2,2,1, 1,0,3,3,0,1,1,2, 2,3,1,0,2,3,0,2};
|
| 47 |
|
|
|
| 48 |
|
|
void stream_cypher(int init, unsigned char *CK, unsigned char *sb, unsigned char *cb) {
|
| 49 |
|
|
int i,j;
|
| 50 |
|
|
int in1; /* most significant nibble of input byte */
|
| 51 |
|
|
int in2; /* least significant nibble of input byte */
|
| 52 |
|
|
int op;
|
| 53 |
|
|
int extra_B;
|
| 54 |
|
|
int s1,s2,s3,s4,s5,s6,s7;
|
| 55 |
|
|
int next_A1;
|
| 56 |
|
|
int next_B1;
|
| 57 |
|
|
int next_E;
|
| 58 |
|
|
|
| 59 |
|
|
static int A[11];
|
| 60 |
|
|
static int B[11];
|
| 61 |
|
|
static int X;
|
| 62 |
|
|
static int Y;
|
| 63 |
|
|
static int Z;
|
| 64 |
|
|
static int D;
|
| 65 |
|
|
static int E;
|
| 66 |
|
|
static int F;
|
| 67 |
|
|
static int p;
|
| 68 |
|
|
static int q;
|
| 69 |
|
|
static int r;
|
| 70 |
|
|
|
| 71 |
|
|
/* reset */
|
| 72 |
|
|
if (init) {
|
| 73 |
|
|
/* load first 32 bits of CK into A[1]..A[8] */
|
| 74 |
|
|
/* load last 32 bits of CK into B[1]..B[8] */
|
| 75 |
|
|
/* all other regs = 0 */
|
| 76 |
|
|
A[1] = (CK[0] >> 4) & 0xf;
|
| 77 |
|
|
A[2] = (CK[0] >> 0) & 0xf;
|
| 78 |
|
|
A[3] = (CK[1] >> 4) & 0xf;
|
| 79 |
|
|
A[4] = (CK[1] >> 0) & 0xf;
|
| 80 |
|
|
A[5] = (CK[2] >> 4) & 0xf;
|
| 81 |
|
|
A[6] = (CK[2] >> 0) & 0xf;
|
| 82 |
|
|
A[7] = (CK[3] >> 4) & 0xf;
|
| 83 |
|
|
A[8] = (CK[3] >> 0) & 0xf;
|
| 84 |
|
|
A[9] = 0;
|
| 85 |
|
|
A[10] = 0;
|
| 86 |
|
|
B[1] = (CK[4] >> 4) & 0xf;
|
| 87 |
|
|
B[2] = (CK[4] >> 0) & 0xf;
|
| 88 |
|
|
B[3] = (CK[5] >> 4) & 0xf;
|
| 89 |
|
|
B[4] = (CK[5] >> 0) & 0xf;
|
| 90 |
|
|
B[5] = (CK[6] >> 4) & 0xf;
|
| 91 |
|
|
B[6] = (CK[6] >> 0) & 0xf;
|
| 92 |
|
|
B[7] = (CK[7] >> 4) & 0xf;
|
| 93 |
|
|
B[8] = (CK[7] >> 0) & 0xf;
|
| 94 |
|
|
B[9] = 0;
|
| 95 |
|
|
B[10] = 0;
|
| 96 |
|
|
|
| 97 |
|
|
X=0;
|
| 98 |
|
|
Y=0;
|
| 99 |
|
|
Z=0;
|
| 100 |
|
|
D=0;
|
| 101 |
|
|
E=0;
|
| 102 |
|
|
F=0;
|
| 103 |
|
|
p=0;
|
| 104 |
|
|
q=0;
|
| 105 |
|
|
r=0;
|
| 106 |
|
|
} /* init */
|
| 107 |
|
|
|
| 108 |
20 |
simon111 |
|
| 109 |
|
|
|
| 110 |
10 |
simon111 |
/* 8 bytes per operation */
|
| 111 |
|
|
for(i=0; i<8; i++) {
|
| 112 |
|
|
if (init) {
|
| 113 |
|
|
in1 = (sb[i] >> 4) & 0x0f;
|
| 114 |
|
|
in2 = (sb[i] >> 0) & 0x0f;
|
| 115 |
|
|
} /* init */
|
| 116 |
|
|
op = 0;
|
| 117 |
|
|
/* 2 bits per iteration */
|
| 118 |
|
|
for(j=0; j<4; j++) {
|
| 119 |
|
|
/* from A[1]..A[10], 35 bits are selected as inputs to 7 s-boxes */
|
| 120 |
|
|
/* 5 bits input per s-box, 2 bits output per s-box */
|
| 121 |
|
|
s1 = sbox1[ (((A[4]>>0)&1)<<4) | (((A[1]>>2)&1)<<3) | (((A[6]>>1)&1)<<2) | (((A[7]>>3)&1)<<1) | (((A[9]>>0)&1)<<0) ];
|
| 122 |
|
|
s2 = sbox2[ (((A[2]>>1)&1)<<4) | (((A[3]>>2)&1)<<3) | (((A[6]>>3)&1)<<2) | (((A[7]>>0)&1)<<1) | (((A[9]>>1)&1)<<0) ];
|
| 123 |
|
|
s3 = sbox3[ (((A[1]>>3)&1)<<4) | (((A[2]>>0)&1)<<3) | (((A[5]>>1)&1)<<2) | (((A[5]>>3)&1)<<1) | (((A[6]>>2)&1)<<0) ];
|
| 124 |
|
|
s4 = sbox4[ (((A[3]>>3)&1)<<4) | (((A[1]>>1)&1)<<3) | (((A[2]>>3)&1)<<2) | (((A[4]>>2)&1)<<1) | (((A[8]>>0)&1)<<0) ];
|
| 125 |
|
|
s5 = sbox5[ (((A[5]>>2)&1)<<4) | (((A[4]>>3)&1)<<3) | (((A[6]>>0)&1)<<2) | (((A[8]>>1)&1)<<1) | (((A[9]>>2)&1)<<0) ];
|
| 126 |
|
|
s6 = sbox6[ (((A[3]>>1)&1)<<4) | (((A[4]>>1)&1)<<3) | (((A[5]>>0)&1)<<2) | (((A[7]>>2)&1)<<1) | (((A[9]>>3)&1)<<0) ];
|
| 127 |
|
|
s7 = sbox7[ (((A[2]>>2)&1)<<4) | (((A[3]>>0)&1)<<3) | (((A[7]>>1)&1)<<2) | (((A[8]>>2)&1)<<1) | (((A[8]>>3)&1)<<0) ];
|
| 128 |
|
|
|
| 129 |
|
|
/* use 4x4 xor to produce extra nibble for T3 */
|
| 130 |
|
|
extra_B = ( ((B[3]&1)<<3) ^ ((B[6]&2)<<2) ^ ((B[7]&4)<<1) ^ ((B[9]&8)>>0) ) |
|
| 131 |
|
|
( ((B[6]&1)<<2) ^ ((B[8]&2)<<1) ^ ((B[3]&8)>>1) ^ ((B[4]&4)>>0) ) |
|
| 132 |
|
|
( ((B[5]&8)>>2) ^ ((B[8]&4)>>1) ^ ((B[4]&1)<<1) ^ ((B[5]&2)>>0) ) |
|
| 133 |
|
|
( ((B[9]&4)>>2) ^ ((B[6]&8)>>3) ^ ((B[3]&2)>>1) ^ ((B[8]&1)>>0) ) ;
|
| 134 |
22 |
simon111 |
|
| 135 |
10 |
simon111 |
/* T1 = xor all inputs */
|
| 136 |
|
|
/* in1,in2, D are only used in T1 during initialisation, not generation */
|
| 137 |
|
|
next_A1 = A[10] ^ X;
|
| 138 |
|
|
if (init)
|
| 139 |
22 |
simon111 |
next_A1 = next_A1 ^ D ^ ((j % 2) ? in2 : in1);
|
| 140 |
10 |
simon111 |
|
| 141 |
20 |
simon111 |
|
| 142 |
10 |
simon111 |
/* T2 = xor all inputs */
|
| 143 |
|
|
/* in1,in2 are only used in T1 during initialisation, not generation */
|
| 144 |
|
|
/* if p=0, use this, if p=1, rotate the result left */
|
| 145 |
|
|
next_B1 = B[7] ^ B[10] ^ Y;
|
| 146 |
|
|
if (init)
|
| 147 |
22 |
simon111 |
next_B1 = next_B1 ^ ((j % 2) ? in1 : in2);
|
| 148 |
10 |
simon111 |
|
| 149 |
|
|
/* if p=1, rotate left */
|
| 150 |
|
|
if (p)
|
| 151 |
22 |
simon111 |
next_B1 = ( (next_B1 << 1) | ((next_B1 >> 3) & 1) ) & 0xf;
|
| 152 |
10 |
simon111 |
|
| 153 |
|
|
/* T3 = xor all inputs */
|
| 154 |
|
|
D = E ^ Z ^ extra_B;
|
| 155 |
|
|
|
| 156 |
|
|
/* T4 = sum, carry of Z + E + r */
|
| 157 |
|
|
next_E = F;
|
| 158 |
|
|
if (q) {
|
| 159 |
|
|
F = Z + E + r;
|
| 160 |
|
|
/* r is the carry */
|
| 161 |
|
|
r = (F >> 4) & 1;
|
| 162 |
|
|
F = F & 0x0f;
|
| 163 |
|
|
} /* q */
|
| 164 |
|
|
else {
|
| 165 |
|
|
F = E;
|
| 166 |
|
|
}
|
| 167 |
|
|
E = next_E;
|
| 168 |
|
|
|
| 169 |
|
|
A[10] = A[9];
|
| 170 |
|
|
A[9] = A[8];
|
| 171 |
|
|
A[8] = A[7];
|
| 172 |
|
|
A[7] = A[6];
|
| 173 |
|
|
A[6] = A[5];
|
| 174 |
|
|
A[5] = A[4];
|
| 175 |
|
|
A[4] = A[3];
|
| 176 |
|
|
A[3] = A[2];
|
| 177 |
|
|
A[2] = A[1];
|
| 178 |
|
|
A[1]= next_A1;
|
| 179 |
|
|
|
| 180 |
|
|
B[10] = B[9];
|
| 181 |
|
|
B[9] = B[8];
|
| 182 |
|
|
B[8] = B[7];
|
| 183 |
|
|
B[7] = B[6];
|
| 184 |
|
|
B[6] = B[5];
|
| 185 |
|
|
B[5] = B[4];
|
| 186 |
|
|
B[4] = B[3];
|
| 187 |
|
|
B[3] = B[2];
|
| 188 |
|
|
B[2] = B[1];
|
| 189 |
|
|
B[1] = next_B1;
|
| 190 |
|
|
|
| 191 |
|
|
X = ((s4&1)<<3) | ((s3&1)<<2) | (s2&2) | ((s1&2)>>1);
|
| 192 |
|
|
Y = ((s6&1)<<3) | ((s5&1)<<2) | (s4&2) | ((s3&2)>>1);
|
| 193 |
|
|
Z = ((s2&1)<<3) | ((s1&1)<<2) | (s6&2) | ((s5&2)>>1);
|
| 194 |
|
|
p = (s7&2)>>1;
|
| 195 |
|
|
q = (s7&1);
|
| 196 |
|
|
|
| 197 |
|
|
/* require 4 loops per output byte */
|
| 198 |
|
|
/* 2 output bits are a function of the 4 bits of D */
|
| 199 |
|
|
/* xor 2 by 2 */
|
| 200 |
|
|
op = (op << 2)^ ( (((D^(D>>1))>>1)&2) | ((D^(D>>1))&1) );
|
| 201 |
|
|
}
|
| 202 |
|
|
/* return input data during init */
|
| 203 |
|
|
cb[i] = (init) ? sb[i] : op;
|
| 204 |
|
|
}
|
| 205 |
|
|
}
|
| 206 |
|
|
|
| 207 |
|
|
/* block cypher */
|
| 208 |
|
|
|
| 209 |
|
|
/* key preparation */
|
| 210 |
|
|
unsigned char key_perm[0x40] = {
|
| 211 |
|
|
0x12,0x24,0x09,0x07,0x2A,0x31,0x1D,0x15,0x1C,0x36,0x3E,0x32,0x13,0x21,0x3B,0x40,
|
| 212 |
|
|
0x18,0x14,0x25,0x27,0x02,0x35,0x1B,0x01,0x22,0x04,0x0D,0x0E,0x39,0x28,0x1A,0x29,
|
| 213 |
|
|
0x33,0x23,0x34,0x0C,0x16,0x30,0x1E,0x3A,0x2D,0x1F,0x08,0x19,0x17,0x2F,0x3D,0x11,
|
| 214 |
|
|
0x3C,0x05,0x38,0x2B,0x0B,0x06,0x0A,0x2C,0x20,0x3F,0x2E,0x0F,0x03,0x26,0x10,0x37,
|
| 215 |
|
|
};
|
| 216 |
|
|
|
| 217 |
|
|
/* block - sbox */
|
| 218 |
|
|
unsigned char block_sbox[0x100] = {
|
| 219 |
|
|
0x3A,0xEA,0x68,0xFE,0x33,0xE9,0x88,0x1A,0x83,0xCF,0xE1,0x7F,0xBA,0xE2,0x38,0x12,
|
| 220 |
|
|
0xE8,0x27,0x61,0x95,0x0C,0x36,0xE5,0x70,0xA2,0x06,0x82,0x7C,0x17,0xA3,0x26,0x49,
|
| 221 |
|
|
0xBE,0x7A,0x6D,0x47,0xC1,0x51,0x8F,0xF3,0xCC,0x5B,0x67,0xBD,0xCD,0x18,0x08,0xC9,
|
| 222 |
|
|
0xFF,0x69,0xEF,0x03,0x4E,0x48,0x4A,0x84,0x3F,0xB4,0x10,0x04,0xDC,0xF5,0x5C,0xC6,
|
| 223 |
|
|
0x16,0xAB,0xAC,0x4C,0xF1,0x6A,0x2F,0x3C,0x3B,0xD4,0xD5,0x94,0xD0,0xC4,0x63,0x62,
|
| 224 |
|
|
0x71,0xA1,0xF9,0x4F,0x2E,0xAA,0xC5,0x56,0xE3,0x39,0x93,0xCE,0x65,0x64,0xE4,0x58,
|
| 225 |
|
|
0x6C,0x19,0x42,0x79,0xDD,0xEE,0x96,0xF6,0x8A,0xEC,0x1E,0x85,0x53,0x45,0xDE,0xBB,
|
| 226 |
|
|
0x7E,0x0A,0x9A,0x13,0x2A,0x9D,0xC2,0x5E,0x5A,0x1F,0x32,0x35,0x9C,0xA8,0x73,0x30,
|
| 227 |
|
|
|
| 228 |
|
|
0x29,0x3D,0xE7,0x92,0x87,0x1B,0x2B,0x4B,0xA5,0x57,0x97,0x40,0x15,0xE6,0xBC,0x0E,
|
| 229 |
|
|
0xEB,0xC3,0x34,0x2D,0xB8,0x44,0x25,0xA4,0x1C,0xC7,0x23,0xED,0x90,0x6E,0x50,0x00,
|
| 230 |
|
|
0x99,0x9E,0x4D,0xD9,0xDA,0x8D,0x6F,0x5F,0x3E,0xD7,0x21,0x74,0x86,0xDF,0x6B,0x05,
|
| 231 |
|
|
0x8E,0x5D,0x37,0x11,0xD2,0x28,0x75,0xD6,0xA7,0x77,0x24,0xBF,0xF0,0xB0,0x02,0xB7,
|
| 232 |
|
|
0xF8,0xFC,0x81,0x09,0xB1,0x01,0x76,0x91,0x7D,0x0F,0xC8,0xA0,0xF2,0xCB,0x78,0x60,
|
| 233 |
|
|
0xD1,0xF7,0xE0,0xB5,0x98,0x22,0xB3,0x20,0x1D,0xA6,0xDB,0x7B,0x59,0x9F,0xAE,0x31,
|
| 234 |
|
|
0xFB,0xD3,0xB6,0xCA,0x43,0x72,0x07,0xF4,0xD8,0x41,0x14,0x55,0x0D,0x54,0x8B,0xB9,
|
| 235 |
|
|
0xAD,0x46,0x0B,0xAF,0x80,0x52,0x2C,0xFA,0x8C,0x89,0x66,0xFD,0xB2,0xA9,0x9B,0xC0,
|
| 236 |
|
|
};
|
| 237 |
|
|
|
| 238 |
|
|
/* block - perm */
|
| 239 |
|
|
unsigned long block_perm[0x100] = {
|
| 240 |
|
|
0x00,0x02,0x80,0x82,0x20,0x22,0xA0,0xA2, 0x10,0x12,0x90,0x92,0x30,0x32,0xB0,0xB2,
|
| 241 |
|
|
0x04,0x06,0x84,0x86,0x24,0x26,0xA4,0xA6, 0x14,0x16,0x94,0x96,0x34,0x36,0xB4,0xB6,
|
| 242 |
|
|
0x40,0x42,0xC0,0xC2,0x60,0x62,0xE0,0xE2, 0x50,0x52,0xD0,0xD2,0x70,0x72,0xF0,0xF2,
|
| 243 |
|
|
0x44,0x46,0xC4,0xC6,0x64,0x66,0xE4,0xE6, 0x54,0x56,0xD4,0xD6,0x74,0x76,0xF4,0xF6,
|
| 244 |
|
|
0x01,0x03,0x81,0x83,0x21,0x23,0xA1,0xA3, 0x11,0x13,0x91,0x93,0x31,0x33,0xB1,0xB3,
|
| 245 |
|
|
0x05,0x07,0x85,0x87,0x25,0x27,0xA5,0xA7, 0x15,0x17,0x95,0x97,0x35,0x37,0xB5,0xB7,
|
| 246 |
|
|
0x41,0x43,0xC1,0xC3,0x61,0x63,0xE1,0xE3, 0x51,0x53,0xD1,0xD3,0x71,0x73,0xF1,0xF3,
|
| 247 |
|
|
0x45,0x47,0xC5,0xC7,0x65,0x67,0xE5,0xE7, 0x55,0x57,0xD5,0xD7,0x75,0x77,0xF5,0xF7,
|
| 248 |
|
|
|
| 249 |
|
|
0x08,0x0A,0x88,0x8A,0x28,0x2A,0xA8,0xAA, 0x18,0x1A,0x98,0x9A,0x38,0x3A,0xB8,0xBA,
|
| 250 |
|
|
0x0C,0x0E,0x8C,0x8E,0x2C,0x2E,0xAC,0xAE, 0x1C,0x1E,0x9C,0x9E,0x3C,0x3E,0xBC,0xBE,
|
| 251 |
|
|
0x48,0x4A,0xC8,0xCA,0x68,0x6A,0xE8,0xEA, 0x58,0x5A,0xD8,0xDA,0x78,0x7A,0xF8,0xFA,
|
| 252 |
|
|
0x4C,0x4E,0xCC,0xCE,0x6C,0x6E,0xEC,0xEE, 0x5C,0x5E,0xDC,0xDE,0x7C,0x7E,0xFC,0xFE,
|
| 253 |
|
|
0x09,0x0B,0x89,0x8B,0x29,0x2B,0xA9,0xAB, 0x19,0x1B,0x99,0x9B,0x39,0x3B,0xB9,0xBB,
|
| 254 |
|
|
0x0D,0x0F,0x8D,0x8F,0x2D,0x2F,0xAD,0xAF, 0x1D,0x1F,0x9D,0x9F,0x3D,0x3F,0xBD,0xBF,
|
| 255 |
|
|
0x49,0x4B,0xC9,0xCB,0x69,0x6B,0xE9,0xEB, 0x59,0x5B,0xD9,0xDB,0x79,0x7B,0xF9,0xFB,
|
| 256 |
|
|
0x4D,0x4F,0xCD,0xCF,0x6D,0x6F,0xED,0xEF, 0x5D,0x5F,0xDD,0xDF,0x7D,0x7F,0xFD,0xFF,
|
| 257 |
|
|
};
|
| 258 |
|
|
|
| 259 |
13 |
simon111 |
void key_schedule(unsigned char *CK, int *kk)
|
| 260 |
|
|
{
|
| 261 |
10 |
simon111 |
int i,j,k;
|
| 262 |
|
|
int bit[64];
|
| 263 |
|
|
int newbit[64];
|
| 264 |
|
|
int kb[9][8];
|
| 265 |
|
|
|
| 266 |
|
|
/* 56 steps */
|
| 267 |
|
|
/* 56 key bytes kk(56)..kk(1) by key schedule from CK */
|
| 268 |
|
|
|
| 269 |
|
|
/* kb(7,1) .. kb(7,8) = CK(1) .. CK(8) */
|
| 270 |
|
|
kb[7][1] = CK[0];
|
| 271 |
|
|
kb[7][2] = CK[1];
|
| 272 |
|
|
kb[7][3] = CK[2];
|
| 273 |
|
|
kb[7][4] = CK[3];
|
| 274 |
|
|
kb[7][5] = CK[4];
|
| 275 |
|
|
kb[7][6] = CK[5];
|
| 276 |
|
|
kb[7][7] = CK[6];
|
| 277 |
|
|
kb[7][8] = CK[7];
|
| 278 |
|
|
|
| 279 |
|
|
/* calculate kb[6] .. kb[1] */
|
| 280 |
|
|
for(i=0; i<7; i++) {
|
| 281 |
|
|
/* 64 bit perm on kb */
|
| 282 |
|
|
for(j=0; j<8; j++) {
|
| 283 |
|
|
for(k=0; k<8; k++) {
|
| 284 |
|
|
bit[j*8+k] = (kb[7-i][1+j] >> (7-k)) & 1;
|
| 285 |
|
|
newbit[key_perm[j*8+k]-1] = bit[j*8+k];
|
| 286 |
|
|
}
|
| 287 |
|
|
}
|
| 288 |
|
|
for(j=0; j<8; j++) {
|
| 289 |
|
|
kb[6-i][1+j] = 0;
|
| 290 |
|
|
for(k=0; k<8; k++) {
|
| 291 |
|
|
kb[6-i][1+j] |= newbit[j*8+k] << (7-k);
|
| 292 |
|
|
}
|
| 293 |
|
|
}
|
| 294 |
|
|
}
|
| 295 |
|
|
|
| 296 |
|
|
/* xor to give kk */
|
| 297 |
|
|
for(i=0; i<7; i++) {
|
| 298 |
|
|
for(j=0; j<8; j++) {
|
| 299 |
|
|
kk[1+i*8+j] = kb[1+i][1+j] ^ i;
|
| 300 |
|
|
}
|
| 301 |
|
|
}
|
| 302 |
|
|
}
|
| 303 |
|
|
|
| 304 |
|
|
void block_decypher(int *kk, unsigned char *ib, unsigned char *bd) {
|
| 305 |
|
|
int i;
|
| 306 |
|
|
int sbox_in;
|
| 307 |
|
|
int sbox_out;
|
| 308 |
|
|
int perm_out;
|
| 309 |
|
|
int R[9];
|
| 310 |
|
|
int next_R8;
|
| 311 |
|
|
|
| 312 |
|
|
R[1] = ib[0];
|
| 313 |
|
|
R[2] = ib[1];
|
| 314 |
|
|
R[3] = ib[2];
|
| 315 |
|
|
R[4] = ib[3];
|
| 316 |
|
|
R[5] = ib[4];
|
| 317 |
|
|
R[6] = ib[5];
|
| 318 |
|
|
R[7] = ib[6];
|
| 319 |
|
|
R[8] = ib[7];
|
| 320 |
|
|
|
| 321 |
|
|
/* loop over kk[56]..kk[1] */
|
| 322 |
|
|
for(i=56; i>0; i--) {
|
| 323 |
|
|
sbox_in = kk[i] ^ R[7];
|
| 324 |
|
|
sbox_out = block_sbox[sbox_in];
|
| 325 |
|
|
perm_out = block_perm[sbox_out];
|
| 326 |
|
|
|
| 327 |
|
|
next_R8 = R[7];
|
| 328 |
|
|
R[7] = R[6] ^ perm_out;
|
| 329 |
|
|
R[6] = R[5];
|
| 330 |
|
|
R[5] = R[4] ^ R[8] ^ sbox_out;
|
| 331 |
|
|
R[4] = R[3] ^ R[8] ^ sbox_out;
|
| 332 |
|
|
R[3] = R[2] ^ R[8] ^ sbox_out;
|
| 333 |
|
|
R[2] = R[1];
|
| 334 |
|
|
R[1] = R[8] ^ sbox_out;
|
| 335 |
|
|
|
| 336 |
|
|
R[8] = next_R8;
|
| 337 |
|
|
}
|
| 338 |
|
|
|
| 339 |
|
|
bd[0] = R[1];
|
| 340 |
|
|
bd[1] = R[2];
|
| 341 |
|
|
bd[2] = R[3];
|
| 342 |
|
|
bd[3] = R[4];
|
| 343 |
|
|
bd[4] = R[5];
|
| 344 |
|
|
bd[5] = R[6];
|
| 345 |
|
|
bd[6] = R[7];
|
| 346 |
|
|
bd[7] = R[8];
|
| 347 |
|
|
|
| 348 |
|
|
}
|
| 349 |
|
|
|
| 350 |
|
|
void set_cws(unsigned char *cws, struct key *key) {
|
| 351 |
22 |
simon111 |
memcpy(key->odd_ck,cws+8,8);
|
| 352 |
|
|
memcpy(key->even_ck,cws,8);
|
| 353 |
|
|
key_schedule(key->odd_ck,key->odd_kk);
|
| 354 |
|
|
key_schedule(key->even_ck,key->even_kk);
|
| 355 |
10 |
simon111 |
}
|
| 356 |
|
|
|
| 357 |
|
|
void decrypt(struct key *key, unsigned char *encrypted, unsigned char *decrypted) {
|
| 358 |
|
|
int i,j,offset=4,N;
|
| 359 |
|
|
int *kk=key->even_kk;
|
| 360 |
|
|
unsigned char *ck=key->even_ck;
|
| 361 |
|
|
unsigned char stream[8];
|
| 362 |
|
|
unsigned char ib[8];
|
| 363 |
|
|
unsigned char block[8];
|
| 364 |
|
|
int residue;
|
| 365 |
|
|
|
| 366 |
22 |
simon111 |
((unsigned long *) decrypted)[0]=((unsigned long *) encrypted)[0];
|
| 367 |
|
|
|
| 368 |
|
|
if(decrypted[3]&0x40) {
|
| 369 |
|
|
kk=key->odd_kk;
|
| 370 |
|
|
ck=key->odd_ck;
|
| 371 |
|
|
}
|
| 372 |
|
|
|
| 373 |
10 |
simon111 |
decrypted[3] &= 0x3f; /* remove scrambling bits */
|
| 374 |
22 |
simon111 |
|
| 375 |
10 |
simon111 |
if ((decrypted[3] & 0x20) == 0x20)
|
| 376 |
|
|
offset += (encrypted[4] +1); /* skip adaption field */
|
| 377 |
|
|
|
| 378 |
|
|
N = (188 - offset) / 8;
|
| 379 |
|
|
residue = (188 - offset) % 8;
|
| 380 |
|
|
|
| 381 |
|
|
/* 1st 8 bytes of initialisation */
|
| 382 |
|
|
stream_cypher(1, ck, &encrypted[offset], ib);
|
| 383 |
22 |
simon111 |
DEBUG_OUTPUT_ARR(ib,8);
|
| 384 |
10 |
simon111 |
|
| 385 |
|
|
for(j=1; j<(N+1); j++) {
|
| 386 |
22 |
simon111 |
block_decypher(kk, ib, block);
|
| 387 |
10 |
simon111 |
|
| 388 |
|
|
if (j != N) {
|
| 389 |
|
|
stream_cypher(0, ck, NULL, stream);
|
| 390 |
|
|
|
| 391 |
|
|
/* xor sb x stream */
|
| 392 |
|
|
for(i=0; i<8; i++)
|
| 393 |
|
|
ib[i] = encrypted[offset+8*j+i] ^ stream[i];
|
| 394 |
|
|
}
|
| 395 |
|
|
else {
|
| 396 |
|
|
/* last block - sb[N+1] = IV(initialisation vetor)(=0) */
|
| 397 |
|
|
for(i=0; i<8; i++) ib[i] = 0;
|
| 398 |
|
|
}
|
| 399 |
|
|
|
| 400 |
|
|
/* xor ib x block */
|
| 401 |
|
|
for(i=0; i<8; i++)
|
| 402 |
|
|
decrypted[offset+8*(j-1)+i] = ib[i] ^ block[i];
|
| 403 |
22 |
simon111 |
DEBUG_OUTPUT_ARR(ib,8);
|
| 404 |
|
|
DEBUG_OUTPUT_ARR(block,8);
|
| 405 |
|
|
DEBUG_OUTPUT_ARR(&decrypted[offset+8*(j-1)+0],8);
|
| 406 |
10 |
simon111 |
} /* for(j=1; j<(N+1); j++) */
|
| 407 |
|
|
|
| 408 |
|
|
if (residue) {
|
| 409 |
|
|
stream_cypher(0, ck, NULL, stream);
|
| 410 |
|
|
for (i=0;i<residue;i++)
|
| 411 |
|
|
decrypted[188-residue+i] = encrypted[188-residue+i] ^ stream[i];
|
| 412 |
|
|
}
|
| 413 |
|
|
|
| 414 |
|
|
}
|
| 415 |
|
|
|
