Add CAST encryption, implementation by Steve Reid <sreid@sea-to-sky.net>.

Man pages will come soon, I hope.
author: provos <> 1998-07-21 22:23:20 +0000
committer: provos <> 1998-07-21 22:23:20 +0000
commit: dbd466e2fd7a3d79f407cccbbe8cd826429790d8 (patch)
tree: cf1adc8c4ef8c3203083f3998c8bcca89cd45af9
parent: b811c9ad609b90ad8a28b3d5e9044db773f24841 (diff)
download: openbsd-dbd466e2fd7a3d79f407cccbbe8cd826429790d8.tar.gz
openbsd-dbd466e2fd7a3d79f407cccbbe8cd826429790d8.tar.bz2
openbsd-dbd466e2fd7a3d79f407cccbbe8cd826429790d8.zip
2 files changed, 242 insertions, 2 deletions
diff --git a/src/lib/libc/crypt/Makefile.inc b/src/lib/libc/crypt/Makefile.inc
index 7866f46a8e..9d96d657db 100644
--- a/src/lib/libc/crypt/Makefile.inc
+++ b/src/lib/libc/crypt/Makefile.inc
@@ -1,8 +1,8 @@
-#       $OpenBSD: Makefile.inc,v 1.9 1997/04/16 12:11:27 deraadt Exp $
+#       $OpenBSD: Makefile.inc,v 1.10 1998/07/21 22:23:20 provos Exp $
 .PATH: ${.CURDIR}/arch/${MACHINE_ARCH}/crypt ${.CURDIR}/crypt
-SRCS+=  crypt.c morecrypt.c md5crypt.c arc4random.c blowfish.c
+SRCS+=  cast.c crypt.c morecrypt.c md5crypt.c arc4random.c blowfish.c
 SRCS+=  bcrypt.c
 MAN+=   crypt.3 blowfish.3 arc4random.3
diff --git a/src/lib/libc/crypt/cast.c b/src/lib/libc/crypt/cast.c
new file mode 100644
index 0000000000..69dad6b6d2
--- /dev/null
+++ b/src/lib/libc/crypt/cast.c
@@ -0,0 +1,240 @@
+/*      $OpenBSD: cast.c,v 1.1 1998/07/21 22:23:19 provos Exp $       */
+/*
+ *      CAST-128 in C
+ *      Written by Steve Reid <sreid@sea-to-sky.net>
+ *      100% Public Domain - no warranty
+ *      Released 1997.10.11
+ */
+#include <netinet/ip_cast.h>
+#include <netinet/ip_castsb.h>
+/* Macros to access 8-bit bytes out of a 32-bit word */
+#define U8a(x) ( (u8) (x>>24) )
+#define U8b(x) ( (u8) ((x>>16)&255) )
+#define U8c(x) ( (u8) ((x>>8)&255) )
+#define U8d(x) ( (u8) ((x)&255) )
+/* Circular left shift */
+#define ROL(x, n) ( ((x)<<(n)) | ((x)>>(32-(n))) )
+/* CAST-128 uses three different round functions */
+#define F1(l, r, i) \
+        t = ROL(key->xkey[i] + r, key->xkey[i+16]); \
+        l ^= ((cast_sbox1[U8a(t)] ^ cast_sbox2[U8b(t)]) - \
+         cast_sbox3[U8c(t)]) + cast_sbox4[U8d(t)];
+#define F2(l, r, i) \
+        t = ROL(key->xkey[i] ^ r, key->xkey[i+16]); \
+        l ^= ((cast_sbox1[U8a(t)] - cast_sbox2[U8b(t)]) + \
+         cast_sbox3[U8c(t)]) ^ cast_sbox4[U8d(t)];
+#define F3(l, r, i) \
+        t = ROL(key->xkey[i] - r, key->xkey[i+16]); \
+        l ^= ((cast_sbox1[U8a(t)] + cast_sbox2[U8b(t)]) ^ \
+         cast_sbox3[U8c(t)]) - cast_sbox4[U8d(t)];
+/***** Encryption Function *****/
+void cast_encrypt(cast_key* key, u8* inblock, u8* outblock)
+{
+u32 t, l, r;
+        /* Get inblock into l,r */
+        l = ((u32)inblock[0] << 24) | ((u32)inblock[1] << 16) |
+         ((u32)inblock[2] << 8) | (u32)inblock[3];
+        r = ((u32)inblock[4] << 24) | ((u32)inblock[5] << 16) |
+         ((u32)inblock[6] << 8) | (u32)inblock[7];
+        /* Do the work */
+        F1(l, r,  0);
+        F2(r, l,  1);
+        F3(l, r,  2);
+        F1(r, l,  3);
+        F2(l, r,  4);
+        F3(r, l,  5);
+        F1(l, r,  6);
+        F2(r, l,  7);
+        F3(l, r,  8);
+        F1(r, l,  9);
+        F2(l, r, 10);
+        F3(r, l, 11);
+        /* Only do full 16 rounds if key length > 80 bits */
+        if (key->rounds > 12) {
+                F1(l, r, 12);
+                F2(r, l, 13);
+                F3(l, r, 14);
+                F1(r, l, 15);
+        }
+        /* Put l,r into outblock */
+        outblock[0] = U8a(r);
+        outblock[1] = U8b(r);
+        outblock[2] = U8c(r);
+        outblock[3] = U8d(r);
+        outblock[4] = U8a(l);
+        outblock[5] = U8b(l);
+        outblock[6] = U8c(l);
+        outblock[7] = U8d(l);
+        /* Wipe clean */
+        t = l = r = 0;
+}
+/***** Decryption Function *****/
+void cast_decrypt(cast_key* key, u8* inblock, u8* outblock)
+{
+u32 t, l, r;
+        /* Get inblock into l,r */
+        r = ((u32)inblock[0] << 24) | ((u32)inblock[1] << 16) |
+         ((u32)inblock[2] << 8) | (u32)inblock[3];
+        l = ((u32)inblock[4] << 24) | ((u32)inblock[5] << 16) |
+         ((u32)inblock[6] << 8) | (u32)inblock[7];
+        /* Do the work */
+        /* Only do full 16 rounds if key length > 80 bits */
+        if (key->rounds > 12) {
+                F1(r, l, 15);
+                F3(l, r, 14);
+                F2(r, l, 13);
+                F1(l, r, 12);
+        }
+        F3(r, l, 11);
+        F2(l, r, 10);
+        F1(r, l,  9);
+        F3(l, r,  8);
+        F2(r, l,  7);
+        F1(l, r,  6);
+        F3(r, l,  5);
+        F2(l, r,  4);
+        F1(r, l,  3);
+        F3(l, r,  2);
+        F2(r, l,  1);
+        F1(l, r,  0);
+        /* Put l,r into outblock */
+        outblock[0] = U8a(l);
+        outblock[1] = U8b(l);
+        outblock[2] = U8c(l);
+        outblock[3] = U8d(l);
+        outblock[4] = U8a(r);
+        outblock[5] = U8b(r);
+        outblock[6] = U8c(r);
+        outblock[7] = U8d(r);
+        /* Wipe clean */
+        t = l = r = 0;
+}
+/***** Key Schedual *****/
+void cast_setkey(cast_key* key, u8* rawkey, int keybytes)
+{
+u32 t[4], z[4], x[4];
+int i;
+        /* Set number of rounds to 12 or 16, depending on key length */
+        key->rounds = (keybytes <= 10 ? 12 : 16);
+        /* Copy key to workspace x */
+        for (i = 0; i < 4; i++) {
+                x[i] = 0;
+                if ((i*4+0) < keybytes) x[i] = (u32)rawkey[i*4+0] << 24;
+                if ((i*4+1) < keybytes) x[i] |= (u32)rawkey[i*4+1] << 16;
+                if ((i*4+2) < keybytes) x[i] |= (u32)rawkey[i*4+2] << 8;
+                if ((i*4+3) < keybytes) x[i] |= (u32)rawkey[i*4+3];
+        }
+        /* Generate 32 subkeys, four at a time */
+        for (i = 0; i < 32; i+=4) {
+                switch (i & 4) {
+                 case 0:
+                        t[0] = z[0] = x[0] ^ cast_sbox5[U8b(x[3])] ^
+                         cast_sbox6[U8d(x[3])] ^ cast_sbox7[U8a(x[3])] ^
+                         cast_sbox8[U8c(x[3])] ^ cast_sbox7[U8a(x[2])];
+                        t[1] = z[1] = x[2] ^ cast_sbox5[U8a(z[0])] ^
+                         cast_sbox6[U8c(z[0])] ^ cast_sbox7[U8b(z[0])] ^
+                         cast_sbox8[U8d(z[0])] ^ cast_sbox8[U8c(x[2])];
+                        t[2] = z[2] = x[3] ^ cast_sbox5[U8d(z[1])] ^
+                         cast_sbox6[U8c(z[1])] ^ cast_sbox7[U8b(z[1])] ^
+                         cast_sbox8[U8a(z[1])] ^ cast_sbox5[U8b(x[2])];
+                        t[3] = z[3] = x[1] ^ cast_sbox5[U8c(z[2])] ^
+                         cast_sbox6[U8b(z[2])] ^ cast_sbox7[U8d(z[2])] ^
+                         cast_sbox8[U8a(z[2])] ^ cast_sbox6[U8d(x[2])];
+                        break;
+                 case 4:
+                        t[0] = x[0] = z[2] ^ cast_sbox5[U8b(z[1])] ^
+                         cast_sbox6[U8d(z[1])] ^ cast_sbox7[U8a(z[1])] ^
+                         cast_sbox8[U8c(z[1])] ^ cast_sbox7[U8a(z[0])];
+                        t[1] = x[1] = z[0] ^ cast_sbox5[U8a(x[0])] ^
+                         cast_sbox6[U8c(x[0])] ^ cast_sbox7[U8b(x[0])] ^
+                         cast_sbox8[U8d(x[0])] ^ cast_sbox8[U8c(z[0])];
+                        t[2] = x[2] = z[1] ^ cast_sbox5[U8d(x[1])] ^
+                         cast_sbox6[U8c(x[1])] ^ cast_sbox7[U8b(x[1])] ^
+                         cast_sbox8[U8a(x[1])] ^ cast_sbox5[U8b(z[0])];
+                        t[3] = x[3] = z[3] ^ cast_sbox5[U8c(x[2])] ^
+                         cast_sbox6[U8b(x[2])] ^ cast_sbox7[U8d(x[2])] ^
+                         cast_sbox8[U8a(x[2])] ^ cast_sbox6[U8d(z[0])];
+                        break;
+                }
+                switch (i & 12) {
+                 case 0:
+                 case 12:
+                        key->xkey[i+0] = cast_sbox5[U8a(t[2])] ^ cast_sbox6[U8b(t[2])] ^
+                         cast_sbox7[U8d(t[1])] ^ cast_sbox8[U8c(t[1])];
+                        key->xkey[i+1] = cast_sbox5[U8c(t[2])] ^ cast_sbox6[U8d(t[2])] ^
+                         cast_sbox7[U8b(t[1])] ^ cast_sbox8[U8a(t[1])];
+                        key->xkey[i+2] = cast_sbox5[U8a(t[3])] ^ cast_sbox6[U8b(t[3])] ^
+                         cast_sbox7[U8d(t[0])] ^ cast_sbox8[U8c(t[0])];
+                        key->xkey[i+3] = cast_sbox5[U8c(t[3])] ^ cast_sbox6[U8d(t[3])] ^
+                         cast_sbox7[U8b(t[0])] ^ cast_sbox8[U8a(t[0])];
+                        break;
+                 case 4:
+                 case 8:
+                        key->xkey[i+0] = cast_sbox5[U8d(t[0])] ^ cast_sbox6[U8c(t[0])] ^
+                         cast_sbox7[U8a(t[3])] ^ cast_sbox8[U8b(t[3])];
+                        key->xkey[i+1] = cast_sbox5[U8b(t[0])] ^ cast_sbox6[U8a(t[0])] ^
+                         cast_sbox7[U8c(t[3])] ^ cast_sbox8[U8d(t[3])];
+                        key->xkey[i+2] = cast_sbox5[U8d(t[1])] ^ cast_sbox6[U8c(t[1])] ^
+                         cast_sbox7[U8a(t[2])] ^ cast_sbox8[U8b(t[2])];
+                        key->xkey[i+3] = cast_sbox5[U8b(t[1])] ^ cast_sbox6[U8a(t[1])] ^
+                         cast_sbox7[U8c(t[2])] ^ cast_sbox8[U8d(t[2])];
+                        break;
+                }
+                switch (i & 12) {
+                 case 0:
+                        key->xkey[i+0] ^= cast_sbox5[U8c(z[0])];
+                        key->xkey[i+1] ^= cast_sbox6[U8c(z[1])];
+                        key->xkey[i+2] ^= cast_sbox7[U8b(z[2])];
+                        key->xkey[i+3] ^= cast_sbox8[U8a(z[3])];
+                        break;
+                 case 4:
+                        key->xkey[i+0] ^= cast_sbox5[U8a(x[2])];
+                        key->xkey[i+1] ^= cast_sbox6[U8b(x[3])];
+                        key->xkey[i+2] ^= cast_sbox7[U8d(x[0])];
+                        key->xkey[i+3] ^= cast_sbox8[U8d(x[1])];
+                        break;
+                 case 8:
+                        key->xkey[i+0] ^= cast_sbox5[U8b(z[2])];
+                        key->xkey[i+1] ^= cast_sbox6[U8a(z[3])];
+                        key->xkey[i+2] ^= cast_sbox7[U8c(z[0])];
+                        key->xkey[i+3] ^= cast_sbox8[U8c(z[1])];
+                        break;
+                 case 12:
+                        key->xkey[i+0] ^= cast_sbox5[U8d(x[0])];
+                        key->xkey[i+1] ^= cast_sbox6[U8d(x[1])];
+                        key->xkey[i+2] ^= cast_sbox7[U8a(x[2])];
+                        key->xkey[i+3] ^= cast_sbox8[U8b(x[3])];
+                        break;
+                }
+                if (i >= 16) {
+                        key->xkey[i+0] &= 31;
+                        key->xkey[i+1] &= 31;
+                        key->xkey[i+2] &= 31;
+                        key->xkey[i+3] &= 31;
+                }
+        }
+        /* Wipe clean */
+        for (i = 0; i < 4; i++) {
+                t[i] = x[i] = z[i] = 0;
+        }
+}
+/* Made in Canada */
author	provos <>	1998-07-21 22:23:20 +0000
committer	provos <>	1998-07-21 22:23:20 +0000
commit	dbd466e2fd7a3d79f407cccbbe8cd826429790d8 (patch)
tree	cf1adc8c4ef8c3203083f3998c8bcca89cd45af9
parent	b811c9ad609b90ad8a28b3d5e9044db773f24841 (diff)
download	openbsd-dbd466e2fd7a3d79f407cccbbe8cd826429790d8.tar.gz openbsd-dbd466e2fd7a3d79f407cccbbe8cd826429790d8.tar.bz2 openbsd-dbd466e2fd7a3d79f407cccbbe8cd826429790d8.zip

diff --git a/src/lib/libc/crypt/Makefile.inc b/src/lib/libc/crypt/Makefile.inc index 7866f46a8e..9d96d657db 100644 --- a/src/lib/libc/crypt/Makefile.inc +++ b/src/lib/libc/crypt/Makefile.inc
@@ -1,8 +1,8 @@
1	# $OpenBSD: Makefile.inc,v 1.9 1997/04/16 12:11:27 deraadt Exp $	1	# $OpenBSD: Makefile.inc,v 1.10 1998/07/21 22:23:20 provos Exp $
2		2
3	.PATH: ${.CURDIR}/arch/${MACHINE_ARCH}/crypt ${.CURDIR}/crypt	3	.PATH: ${.CURDIR}/arch/${MACHINE_ARCH}/crypt ${.CURDIR}/crypt
4		4
5	SRCS+= crypt.c morecrypt.c md5crypt.c arc4random.c blowfish.c	5	SRCS+= cast.c crypt.c morecrypt.c md5crypt.c arc4random.c blowfish.c
6	SRCS+= bcrypt.c	6	SRCS+= bcrypt.c
7		7
8	MAN+= crypt.3 blowfish.3 arc4random.3	8	MAN+= crypt.3 blowfish.3 arc4random.3


diff --git a/src/lib/libc/crypt/cast.c b/src/lib/libc/crypt/cast.c new file mode 100644 index 0000000000..69dad6b6d2 --- /dev/null +++ b/src/lib/libc/crypt/cast.c
@@ -0,0 +1,240 @@
		1	/* $OpenBSD: cast.c,v 1.1 1998/07/21 22:23:19 provos Exp $ */
		2	/*
		3	* CAST-128 in C
		4	* Written by Steve Reid <sreid@sea-to-sky.net>
		5	* 100% Public Domain - no warranty
		6	* Released 1997.10.11
		7	*/
		8
		9	#include <netinet/ip_cast.h>
		10	#include <netinet/ip_castsb.h>
		11
		12	/* Macros to access 8-bit bytes out of a 32-bit word */
		13	#define U8a(x) ( (u8) (x>>24) )
		14	#define U8b(x) ( (u8) ((x>>16)&255) )
		15	#define U8c(x) ( (u8) ((x>>8)&255) )
		16	#define U8d(x) ( (u8) ((x)&255) )
		17
		18	/* Circular left shift */
		19	#define ROL(x, n) ( ((x)<<(n)) \| ((x)>>(32-(n))) )
		20
		21	/* CAST-128 uses three different round functions */
		22	#define F1(l, r, i) \
		23	t = ROL(key->xkey[i] + r, key->xkey[i+16]); \
		24	l ^= ((cast_sbox1[U8a(t)] ^ cast_sbox2[U8b(t)]) - \
		25	cast_sbox3[U8c(t)]) + cast_sbox4[U8d(t)];
		26	#define F2(l, r, i) \
		27	t = ROL(key->xkey[i] ^ r, key->xkey[i+16]); \
		28	l ^= ((cast_sbox1[U8a(t)] - cast_sbox2[U8b(t)]) + \
		29	cast_sbox3[U8c(t)]) ^ cast_sbox4[U8d(t)];
		30	#define F3(l, r, i) \
		31	t = ROL(key->xkey[i] - r, key->xkey[i+16]); \
		32	l ^= ((cast_sbox1[U8a(t)] + cast_sbox2[U8b(t)]) ^ \
		33	cast_sbox3[U8c(t)]) - cast_sbox4[U8d(t)];
		34
		35
		36	/*** Encryption Function ***/
		37
		38	void cast_encrypt(cast_key* key, u8* inblock, u8* outblock)
		39	{
		40	u32 t, l, r;
		41
		42	/* Get inblock into l,r */
		43	l = ((u32)inblock[0] << 24) \| ((u32)inblock[1] << 16) \|
		44	((u32)inblock[2] << 8) \| (u32)inblock[3];
		45	r = ((u32)inblock[4] << 24) \| ((u32)inblock[5] << 16) \|
		46	((u32)inblock[6] << 8) \| (u32)inblock[7];
		47	/* Do the work */
		48	F1(l, r, 0);
		49	F2(r, l, 1);
		50	F3(l, r, 2);
		51	F1(r, l, 3);
		52	F2(l, r, 4);
		53	F3(r, l, 5);
		54	F1(l, r, 6);
		55	F2(r, l, 7);
		56	F3(l, r, 8);
		57	F1(r, l, 9);
		58	F2(l, r, 10);
		59	F3(r, l, 11);
		60	/* Only do full 16 rounds if key length > 80 bits */
		61	if (key->rounds > 12) {
		62	F1(l, r, 12);
		63	F2(r, l, 13);
		64	F3(l, r, 14);
		65	F1(r, l, 15);
		66	}
		67	/* Put l,r into outblock */
		68	outblock[0] = U8a(r);
		69	outblock[1] = U8b(r);
		70	outblock[2] = U8c(r);
		71	outblock[3] = U8d(r);
		72	outblock[4] = U8a(l);
		73	outblock[5] = U8b(l);
		74	outblock[6] = U8c(l);
		75	outblock[7] = U8d(l);
		76	/* Wipe clean */
		77	t = l = r = 0;
		78	}
		79
		80
		81	/*** Decryption Function ***/
		82
		83	void cast_decrypt(cast_key* key, u8* inblock, u8* outblock)
		84	{
		85	u32 t, l, r;
		86
		87	/* Get inblock into l,r */
		88	r = ((u32)inblock[0] << 24) \| ((u32)inblock[1] << 16) \|
		89	((u32)inblock[2] << 8) \| (u32)inblock[3];
		90	l = ((u32)inblock[4] << 24) \| ((u32)inblock[5] << 16) \|
		91	((u32)inblock[6] << 8) \| (u32)inblock[7];
		92	/* Do the work */
		93	/* Only do full 16 rounds if key length > 80 bits */
		94	if (key->rounds > 12) {
		95	F1(r, l, 15);
		96	F3(l, r, 14);
		97	F2(r, l, 13);
		98	F1(l, r, 12);
		99	}
		100	F3(r, l, 11);
		101	F2(l, r, 10);
		102	F1(r, l, 9);
		103	F3(l, r, 8);
		104	F2(r, l, 7);
		105	F1(l, r, 6);
		106	F3(r, l, 5);
		107	F2(l, r, 4);
		108	F1(r, l, 3);
		109	F3(l, r, 2);
		110	F2(r, l, 1);
		111	F1(l, r, 0);
		112	/* Put l,r into outblock */
		113	outblock[0] = U8a(l);
		114	outblock[1] = U8b(l);
		115	outblock[2] = U8c(l);
		116	outblock[3] = U8d(l);
		117	outblock[4] = U8a(r);
		118	outblock[5] = U8b(r);
		119	outblock[6] = U8c(r);
		120	outblock[7] = U8d(r);
		121	/* Wipe clean */
		122	t = l = r = 0;
		123	}
		124
		125
		126	/*** Key Schedual ***/
		127
		128	void cast_setkey(cast_key* key, u8* rawkey, int keybytes)
		129	{
		130	u32 t[4], z[4], x[4];
		131	int i;
		132
		133	/* Set number of rounds to 12 or 16, depending on key length */
		134	key->rounds = (keybytes <= 10 ? 12 : 16);
		135
		136	/* Copy key to workspace x */
		137	for (i = 0; i < 4; i++) {
		138	x[i] = 0;
		139	if ((i4+0) < keybytes) x[i] = (u32)rawkey[i4+0] << 24;
		140	if ((i4+1) < keybytes) x[i] \|= (u32)rawkey[i4+1] << 16;
		141	if ((i4+2) < keybytes) x[i] \|= (u32)rawkey[i4+2] << 8;
		142	if ((i4+3) < keybytes) x[i] \|= (u32)rawkey[i4+3];
		143	}
		144	/* Generate 32 subkeys, four at a time */
		145	for (i = 0; i < 32; i+=4) {
		146	switch (i & 4) {
		147	case 0:
		148	t[0] = z[0] = x[0] ^ cast_sbox5[U8b(x[3])] ^
		149	cast_sbox6[U8d(x[3])] ^ cast_sbox7[U8a(x[3])] ^
		150	cast_sbox8[U8c(x[3])] ^ cast_sbox7[U8a(x[2])];
		151	t[1] = z[1] = x[2] ^ cast_sbox5[U8a(z[0])] ^
		152	cast_sbox6[U8c(z[0])] ^ cast_sbox7[U8b(z[0])] ^
		153	cast_sbox8[U8d(z[0])] ^ cast_sbox8[U8c(x[2])];
		154	t[2] = z[2] = x[3] ^ cast_sbox5[U8d(z[1])] ^
		155	cast_sbox6[U8c(z[1])] ^ cast_sbox7[U8b(z[1])] ^
		156	cast_sbox8[U8a(z[1])] ^ cast_sbox5[U8b(x[2])];
		157	t[3] = z[3] = x[1] ^ cast_sbox5[U8c(z[2])] ^
		158	cast_sbox6[U8b(z[2])] ^ cast_sbox7[U8d(z[2])] ^
		159	cast_sbox8[U8a(z[2])] ^ cast_sbox6[U8d(x[2])];
		160	break;
		161	case 4:
		162	t[0] = x[0] = z[2] ^ cast_sbox5[U8b(z[1])] ^
		163	cast_sbox6[U8d(z[1])] ^ cast_sbox7[U8a(z[1])] ^
		164	cast_sbox8[U8c(z[1])] ^ cast_sbox7[U8a(z[0])];
		165	t[1] = x[1] = z[0] ^ cast_sbox5[U8a(x[0])] ^
		166	cast_sbox6[U8c(x[0])] ^ cast_sbox7[U8b(x[0])] ^
		167	cast_sbox8[U8d(x[0])] ^ cast_sbox8[U8c(z[0])];
		168	t[2] = x[2] = z[1] ^ cast_sbox5[U8d(x[1])] ^
		169	cast_sbox6[U8c(x[1])] ^ cast_sbox7[U8b(x[1])] ^
		170	cast_sbox8[U8a(x[1])] ^ cast_sbox5[U8b(z[0])];
		171	t[3] = x[3] = z[3] ^ cast_sbox5[U8c(x[2])] ^
		172	cast_sbox6[U8b(x[2])] ^ cast_sbox7[U8d(x[2])] ^
		173	cast_sbox8[U8a(x[2])] ^ cast_sbox6[U8d(z[0])];
		174	break;
		175	}
		176	switch (i & 12) {
		177	case 0:
		178	case 12:
		179	key->xkey[i+0] = cast_sbox5[U8a(t[2])] ^ cast_sbox6[U8b(t[2])] ^
		180	cast_sbox7[U8d(t[1])] ^ cast_sbox8[U8c(t[1])];
		181	key->xkey[i+1] = cast_sbox5[U8c(t[2])] ^ cast_sbox6[U8d(t[2])] ^
		182	cast_sbox7[U8b(t[1])] ^ cast_sbox8[U8a(t[1])];
		183	key->xkey[i+2] = cast_sbox5[U8a(t[3])] ^ cast_sbox6[U8b(t[3])] ^
		184	cast_sbox7[U8d(t[0])] ^ cast_sbox8[U8c(t[0])];
		185	key->xkey[i+3] = cast_sbox5[U8c(t[3])] ^ cast_sbox6[U8d(t[3])] ^
		186	cast_sbox7[U8b(t[0])] ^ cast_sbox8[U8a(t[0])];
		187	break;
		188	case 4:
		189	case 8:
		190	key->xkey[i+0] = cast_sbox5[U8d(t[0])] ^ cast_sbox6[U8c(t[0])] ^
		191	cast_sbox7[U8a(t[3])] ^ cast_sbox8[U8b(t[3])];
		192	key->xkey[i+1] = cast_sbox5[U8b(t[0])] ^ cast_sbox6[U8a(t[0])] ^
		193	cast_sbox7[U8c(t[3])] ^ cast_sbox8[U8d(t[3])];
		194	key->xkey[i+2] = cast_sbox5[U8d(t[1])] ^ cast_sbox6[U8c(t[1])] ^
		195	cast_sbox7[U8a(t[2])] ^ cast_sbox8[U8b(t[2])];
		196	key->xkey[i+3] = cast_sbox5[U8b(t[1])] ^ cast_sbox6[U8a(t[1])] ^
		197	cast_sbox7[U8c(t[2])] ^ cast_sbox8[U8d(t[2])];
		198	break;
		199	}
		200	switch (i & 12) {
		201	case 0:
		202	key->xkey[i+0] ^= cast_sbox5[U8c(z[0])];
		203	key->xkey[i+1] ^= cast_sbox6[U8c(z[1])];
		204	key->xkey[i+2] ^= cast_sbox7[U8b(z[2])];
		205	key->xkey[i+3] ^= cast_sbox8[U8a(z[3])];
		206	break;
		207	case 4:
		208	key->xkey[i+0] ^= cast_sbox5[U8a(x[2])];
		209	key->xkey[i+1] ^= cast_sbox6[U8b(x[3])];
		210	key->xkey[i+2] ^= cast_sbox7[U8d(x[0])];
		211	key->xkey[i+3] ^= cast_sbox8[U8d(x[1])];
		212	break;
		213	case 8:
		214	key->xkey[i+0] ^= cast_sbox5[U8b(z[2])];
		215	key->xkey[i+1] ^= cast_sbox6[U8a(z[3])];
		216	key->xkey[i+2] ^= cast_sbox7[U8c(z[0])];
		217	key->xkey[i+3] ^= cast_sbox8[U8c(z[1])];
		218	break;
		219	case 12:
		220	key->xkey[i+0] ^= cast_sbox5[U8d(x[0])];
		221	key->xkey[i+1] ^= cast_sbox6[U8d(x[1])];
		222	key->xkey[i+2] ^= cast_sbox7[U8a(x[2])];
		223	key->xkey[i+3] ^= cast_sbox8[U8b(x[3])];
		224	break;
		225	}
		226	if (i >= 16) {
		227	key->xkey[i+0] &= 31;
		228	key->xkey[i+1] &= 31;
		229	key->xkey[i+2] &= 31;
		230	key->xkey[i+3] &= 31;
		231	}
		232	}
		233	/* Wipe clean */
		234	for (i = 0; i < 4; i++) {
		235	t[i] = x[i] = z[i] = 0;
		236	}
		237	}
		238
		239	/* Made in Canada */
		240