/*
 * The GOST 28147-89 cipher
 *
 * This is based on the 25 Movember 1993 draft translation
 * by Aleksandr Malchik, with Whitfield Diffie, of the Government
 * Standard of the U.S.S.R. GOST 28149-89, "Cryptographic Transformation
 * Algorithm", effective 1 July 1990.  (Whitfield.Diffie@eng.sun.com)
 *
 * That is a draft, and may contain errors, which will be faithfully
 * reflected here, along with possible exciting new bugs.
 *
 * Some details have been cleared up by the paper "Soviet Encryption
 * Algorithm" by Josef Pieprzyk and Leonid Tombak of the University
 * of Wollongong, New South Wales.  (josef/leo@cs.adfa.oz.au)
 *
 * The standard is written by A. Zabotin (project leader), G.P. Glazkov,
 * and V.B. Isaeva.  It was accepted and introduced into use by the
 * action of the State Standards Committee of the USSR on 2 June 89 as
 * No. 1409.  It was to be reviewed in 1993, but whether anyone wishes
 * to take on this obligation from the USSR is questionable.
 *
 * This code is placed in the public domain.
 */

/*
 * If you read the standard, it belabors the point of copying corresponding
 * bits from point A to point B quite a bit.  It helps to understand that
 * the standard is uniformly little-endian, although it numbers bits from
 * 1 rather than 0, so bit n has value 2^(n-1).  The least significant bit
 * of the 32-bit words that are manipulated in the algorithm is the first,
 * lowest-numbered, in the bit string.
 */


/* A 32-bit data type */
#ifdef __alpha  /* Any other 64-bit machines? */
typedef unsigned int word32;
#else
typedef unsigned long word32;
#endif

/*
 * The standard does not specify the contents of the 8 4 bit->4 bit
 * substitution boxes, saying they're a parameter of the network
 * being set up.  For illustration purposes here, I have used
 * the first rows of the 8 S-boxes from the DES.  (Note that the
 * DES S-boxes are numbered starting from 1 at the msb.  In keeping
 * with the rest of the GOST, I have used little-endian numbering.
 * Thus, k8 is S-box 1.
 *
 * Obviously, a careful look at the cryptographic properties of the cipher
 * must be undertaken before "production" substitution boxes are defined.
 *
 * The standard also does not specify a standard bit-string representation
 * for the contents of these blocks.
 */
static unsigned char const k8[16] = {
  14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7 }; 
static unsigned char const k7[16] = {
  15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10 };
static unsigned char const k6[16] = {
  10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8 };
static unsigned char const k5[16] = {
   7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15 };
static unsigned char const k4[16] = {
   2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9 };
static unsigned char const k3[16] = {
  12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11 };
static unsigned char const k2[16] = {
   4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1 };
static unsigned char const k1[16] = {
  13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7 };

/* Byte-at-a-time substitution boxes */
static unsigned char k87[256];
static unsigned char k65[256];
static unsigned char k43[256];
static unsigned char k21[256];

/*
 * Build byte-at-a-time subtitution tables.
 * This must be called once for global setup.
 */
void
kboxinit(void)
{
  int i;
  for (i = 0; i < 256; i++) {
    k87[i] = k8[i >> 4] << 4 | k7[i & 15];
    k65[i] = k6[i >> 4] << 4 | k5[i & 15];
    k43[i] = k4[i >> 4] << 4 | k3[i & 15];
    k21[i] = k2[i >> 4] << 4 | k1[i & 15];
  }
}

/*
 * Do the substitution and rotation that are the core of the operation,
 * like the expansion, substitution and permutation of the DES.
 * It would be possible to perform DES-like optimisations and store
 * the table entries as 32-bit words, already rotated, but the
 * efficiency gain is questionable.
 *
 * This should be inlined for maximum speed
 */
#if __GNUC__
__inline__
#endif
static word32
f(word32 x)
{
  /* Do substitutions */
#if 0
  /* This is annoyingly slow */
  x = k8[x>>28 & 15] << 28 | k7[x>>24 & 15] << 24 |
      k6[x>>20 & 15] << 20 | k5[x>>16 & 15] << 16 |
      k4[x>>12 & 15] << 12 | k3[x>> 8 & 15] <<  8 |
      k2[x>> 4 & 15] <<  4 | k1[x     & 15];
#else
  /* This is faster */
  x = k87[x>>24 & 255] << 24 | k65[x>>16 & 255] << 16 |
      k43[x>> 8 & 255] <<  8 | k21[x & 255];
#endif

  /* Rotate left 11 bits */
  return x<<11 | x>>(32-11);
}

/*
 * The GOST standard defines the input in terms of bits 1..64, with
 * bit 1 being the lsb of in[0] and bit 64 being the msb of in[1].
 *
 * The keys are defined similarly, with bit 256 being the msb of key[7].
 */
void
gostcrypt(word32 const in[2], word32 out[2], word32 const key[8])
{
  register word32 n1, n2; /* As named in the GOST */

  n1 = in[0];
  n2 = in[1];

  /* Instead of swapping halves, swap names each round */
  n2 ^= f(n1+key[0]);
  n1 ^= f(n2+key[1]);
  n2 ^= f(n1+key[2]);
  n1 ^= f(n2+key[3]);
  n2 ^= f(n1+key[4]);
  n1 ^= f(n2+key[5]);
  n2 ^= f(n1+key[6]);
  n1 ^= f(n2+key[7]);

  n2 ^= f(n1+key[0]);
  n1 ^= f(n2+key[1]);
  n2 ^= f(n1+key[2]);
  n1 ^= f(n2+key[3]);
  n2 ^= f(n1+key[4]);
  n1 ^= f(n2+key[5]);
  n2 ^= f(n1+key[6]);
  n1 ^= f(n2+key[7]);

  n2 ^= f(n1+key[0]);
  n1 ^= f(n2+key[1]);
  n2 ^= f(n1+key[2]);
  n1 ^= f(n2+key[3]);
  n2 ^= f(n1+key[4]);
  n1 ^= f(n2+key[5]);
  n2 ^= f(n1+key[6]);
  n1 ^= f(n2+key[7]);

  n2 ^= f(n1+key[7]);
  n1 ^= f(n2+key[6]);
  n2 ^= f(n1+key[5]);
  n1 ^= f(n2+key[4]);
  n2 ^= f(n1+key[3]);
  n1 ^= f(n2+key[2]);
  n2 ^= f(n1+key[1]);
  n1 ^= f(n2+key[0]);

  /* There is no swap after the last round */
  out[0] = n2;
  out[1] = n1;
}
  

/*
 * The key schedule is somewhat different for decryption.
 * (The key table is used once forward and three times backward.)
 * You could define an expanded key, or just write the code twice,
 * as done here.
 */
void
gostdecrypt(word32 const in[2], word32 out[2], word32 const key[8])
{
  register word32 n1, n2; /* As named in the GOST */

  n1 = in[0];
  n2 = in[1];

  n2 ^= f(n1+key[0]);
  n1 ^= f(n2+key[1]);
  n2 ^= f(n1+key[2]);
  n1 ^= f(n2+key[3]);
  n2 ^= f(n1+key[4]);
  n1 ^= f(n2+key[5]);
  n2 ^= f(n1+key[6]);
  n1 ^= f(n2+key[7]);

  n2 ^= f(n1+key[7]);
  n1 ^= f(n2+key[6]);
  n2 ^= f(n1+key[5]);
  n1 ^= f(n2+key[4]);
  n2 ^= f(n1+key[3]);
  n1 ^= f(n2+key[2]);
  n2 ^= f(n1+key[1]);
  n1 ^= f(n2+key[0]);

  n2 ^= f(n1+key[7]);
  n1 ^= f(n2+key[6]);
  n2 ^= f(n1+key[5]);
  n1 ^= f(n2+key[4]);
  n2 ^= f(n1+key[3]);
  n1 ^= f(n2+key[2]);
  n2 ^= f(n1+key[1]);
  n1 ^= f(n2+key[0]);

  n2 ^= f(n1+key[7]);
  n1 ^= f(n2+key[6]);
  n2 ^= f(n1+key[5]);
  n1 ^= f(n2+key[4]);
  n2 ^= f(n1+key[3]);
  n1 ^= f(n2+key[2]);
  n2 ^= f(n1+key[1]);
  n1 ^= f(n2+key[0]);

  out[0] = n2;
  out[1] = n1;
}

/*
 * The GOST "Output feedback" standard.  It seems closer morally
 * to the counter feedback mode some people have proposed for DES.
 * The avoidance of the short cycles that are possible in OFB seems
 * like a Good Thing.
 *
 * Calling it the stream mode makes more sense.
 *
 * The IV is encrypted with the key to produce the initial counter value.
 * Then, for each output block, a constant is added, modulo 2^32-1
 * (0 is represented as all-ones, not all-zeros), to each half of
 * the counter, and the counter is encrypted to produce the value
 * to XOR with the output.
 *
 * Len is the number of blocks.  Sub-block encryption is
 * left as an exercise for the user.  Remember that the
 * standard defines everything in a little-endian manner,
 * so you want to use the low bit of gamma[0] first.
 *
 * OFB is, of course, self-inverse, so there is only one function.
 */

/* The constants for addition */
#define C1 0x01010104
#define C2 0x01010101

void
gostofb(word32 const *in, word32 *out, int len,
  word32 const iv[2], word32 const key[8])
{
  word32 temp[2];         /* Counter */
  word32 gamma[2];        /* Output XOR value */

  /* Compute starting value for counter */
  gostcrypt(iv, temp, key);

  while (len--) {
    temp[0] += C2;
    if (temp[0] < C2)       /* Wrap modulo 2^32? */
      temp[0]++;      /* Make it modulo 2^32-1 */
    temp[1] += C1;
    if (temp[1] < C1)       /* Wrap modulo 2^32? */
      temp[1]++;      /* Make it modulo 2^32-1 */

    gostcrypt(temp, gamma, key);

    *out++ = *in++ ^ gamma[0];
    *out++ = *in++ ^ gamma[1];
  }
}

/*
 * The CFB mode is just what you'd expect.  Each block of ciphertext y[] is
 * derived from the input x[] by the following pseudocode:
 * y[i] = x[i] ^ gostcrypt(y[i-1])
 * x[i] = y[i] ^ gostcrypt(y[i-1])
 * Where y[-1] is the IV.
 *
 * The IV is modified in place.  Again, len is in *blocks*.
 */

void
gostcfbencrypt(word32 const *in, word32 *out, int len,
         word32 iv[2], word32 const key[8])
{
  while (len--) {
    gostcrypt(iv, iv, key);
    iv[0] = *out++ ^= iv[0];
    iv[1] = *out++ ^= iv[1];
  }
}

void
gostcfbdecrypt(word32 const *in, word32 *out, int len,
         word32 iv[2], word32 const key[8])
{
  word32 t;
  while (len--) {
    gostcrypt(iv, iv, key);
    t = *out;
    *out++ ^= iv[0];
    iv[0] = t;
    t = *out;
    *out++ ^= iv[1];
    iv[1] = t;
  }
}


/*
 * The message suthetication code uses only 16 of the 32 rounds.
 * There *is* a swap after the 16th round.
 * The last block should be padded to 64 bits with zeros.
 * len is the number of *blocks* in the input.
 */
void
gostmac(word32 const *in, int len, word32 out[2], word32 const key[8])
{
  register word32 n1, n2; /* As named in the GOST */

  n1 = 0;
  n2 = 0;

  while (len--) {
    n1 ^= *in++;
    n2 = *in++;

    /* Instead of swapping halves, swap names each round */
    n2 ^= f(n1+key[0]);
    n1 ^= f(n2+key[1]);
    n2 ^= f(n1+key[2]);
    n1 ^= f(n2+key[3]);
    n2 ^= f(n1+key[4]);
    n1 ^= f(n2+key[5]);
    n2 ^= f(n1+key[6]);
    n1 ^= f(n2+key[7]);

    n2 ^= f(n1+key[0]);
    n1 ^= f(n2+key[1]);
    n2 ^= f(n1+key[2]);
    n1 ^= f(n2+key[3]);
    n2 ^= f(n1+key[4]);
    n1 ^= f(n2+key[5]);
    n2 ^= f(n1+key[6]);
    n1 ^= f(n2+key[7]);
  }

  out[0] = n1;
  out[1] = n2;
}

#ifdef TEST

#include <stdio.h>
#include <stdlib.h>

/* Designed to cope with 15-bit rand() implementations */
#define RAND32 ((word32)rand() << 17 ^ (word32)rand() << 9 ^ rand())

int
main(void)
{
  word32 key[8];
  word32 plain[2];
  word32 cipher[2];
  int i, j;

  kboxinit();

  printf("GOST 21847-89 test driver.\n");

  for (i = 0; i < 1000; i++) {
    for (j = 0; j < 8; j++)
      key[j] = RAND32;
    plain[0] = RAND32;
    plain[1] = RAND32;

    printf("%3d\r", i);
    fflush(stdout);

    gostcrypt(plain, cipher, key);
    for (j = 0; j < 99; j++)
      gostcrypt(cipher, cipher, key);
    for (j = 0; j < 100; j++)
      gostdecrypt(cipher, cipher, key);

    if (plain[0] != cipher[0] || plain[1] != cipher[1]) {
      fprintf(stderr, "\nError! i = %d\n", i);
      return 1;
    }
  }
  printf("All tests passed.\n");
  return 0;
}

#endif /* TEST */