1 /*
2 * Camellia implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46 /*
47 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
48 * Corporation.
49 *
50 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
51 */
52
53 #if !defined(MBEDTLS_CONFIG_FILE)
54 #include "mbedtls/config.h"
55 #else
56 #include MBEDTLS_CONFIG_FILE
57 #endif
58
59 #if defined(MBEDTLS_CAMELLIA_C)
60
61 #include "mbedtls/camellia.h"
62 #include "mbedtls/platform_util.h"
63
64 #include <string.h>
65
66 #if defined(MBEDTLS_SELF_TEST)
67 #if defined(MBEDTLS_PLATFORM_C)
68 #include "mbedtls/platform.h"
69 #else
70 #include <stdio.h>
71 #define mbedtls_printf printf
72 #endif /* MBEDTLS_PLATFORM_C */
73 #endif /* MBEDTLS_SELF_TEST */
74
75 #if !defined(MBEDTLS_CAMELLIA_ALT)
76
77 /* Parameter validation macros */
78 #define CAMELLIA_VALIDATE_RET( cond ) \
79 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
80 #define CAMELLIA_VALIDATE( cond ) \
81 MBEDTLS_INTERNAL_VALIDATE( cond )
82
83 /*
84 * 32-bit integer manipulation macros (big endian)
85 */
86 #ifndef GET_UINT32_BE
87 #define GET_UINT32_BE(n,b,i) \
88 { \
89 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
90 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
91 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
92 | ( (uint32_t) (b)[(i) + 3] ); \
93 }
94 #endif
95
96 #ifndef PUT_UINT32_BE
97 #define PUT_UINT32_BE(n,b,i) \
98 { \
99 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
100 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
101 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
102 (b)[(i) + 3] = (unsigned char) ( (n) ); \
103 }
104 #endif
105
106 static const unsigned char SIGMA_CHARS[6][8] =
107 {
108 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
109 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
110 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
111 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
112 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
113 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
114 };
115
116 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
117
118 static const unsigned char FSb[256] =
119 {
120 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
121 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
122 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
123 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
124 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
125 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
126 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
127 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
128 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
129 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
130 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
131 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
132 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
133 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
134 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
135 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
136 };
137
138 #define SBOX1(n) FSb[(n)]
139 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
140 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
141 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
142
143 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
144
145 static const unsigned char FSb[256] =
146 {
147 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
148 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
149 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
150 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
151 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
152 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
153 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
154 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
155 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
156 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
157 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
158 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
159 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
160 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
161 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
162 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
163 };
164
165 static const unsigned char FSb2[256] =
166 {
167 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
168 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
169 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
170 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
171 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
172 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
173 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
174 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
175 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
176 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
177 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
178 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
179 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
180 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
181 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
182 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
183 };
184
185 static const unsigned char FSb3[256] =
186 {
187 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
188 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
189 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
190 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
191 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
192 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
193 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
194 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
195 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
196 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
197 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
198 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
199 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
200 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
201 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
202 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
203 };
204
205 static const unsigned char FSb4[256] =
206 {
207 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
208 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
209 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
210 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
211 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
212 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
213 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
214 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
215 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
216 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
217 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
218 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
219 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
220 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
221 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
222 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
223 };
224
225 #define SBOX1(n) FSb[(n)]
226 #define SBOX2(n) FSb2[(n)]
227 #define SBOX3(n) FSb3[(n)]
228 #define SBOX4(n) FSb4[(n)]
229
230 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
231
232 static const unsigned char shifts[2][4][4] =
233 {
234 {
235 { 1, 1, 1, 1 }, /* KL */
236 { 0, 0, 0, 0 }, /* KR */
237 { 1, 1, 1, 1 }, /* KA */
238 { 0, 0, 0, 0 } /* KB */
239 },
240 {
241 { 1, 0, 1, 1 }, /* KL */
242 { 1, 1, 0, 1 }, /* KR */
243 { 1, 1, 1, 0 }, /* KA */
244 { 1, 1, 0, 1 } /* KB */
245 }
246 };
247
248 static const signed char indexes[2][4][20] =
249 {
250 {
251 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
252 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
253 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
254 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
255 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
256 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
257 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
258 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
259 },
260 {
261 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
262 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
263 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
264 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
265 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
266 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
267 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
268 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
269 }
270 };
271
272 static const signed char transposes[2][20] =
273 {
274 {
275 21, 22, 23, 20,
276 -1, -1, -1, -1,
277 18, 19, 16, 17,
278 11, 8, 9, 10,
279 15, 12, 13, 14
280 },
281 {
282 25, 26, 27, 24,
283 29, 30, 31, 28,
284 18, 19, 16, 17,
285 -1, -1, -1, -1,
286 -1, -1, -1, -1
287 }
288 };
289
290 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
291 #define ROTL(DEST, SRC, SHIFT) \
292 { \
293 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
294 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
295 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
296 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
297 }
298
299 #define FL(XL, XR, KL, KR) \
300 { \
301 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
302 (XL) = ((XR) | (KR)) ^ (XL); \
303 }
304
305 #define FLInv(YL, YR, KL, KR) \
306 { \
307 (YL) = ((YR) | (KR)) ^ (YL); \
308 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
309 }
310
311 #define SHIFT_AND_PLACE(INDEX, OFFSET) \
312 { \
313 TK[0] = KC[(OFFSET) * 4 + 0]; \
314 TK[1] = KC[(OFFSET) * 4 + 1]; \
315 TK[2] = KC[(OFFSET) * 4 + 2]; \
316 TK[3] = KC[(OFFSET) * 4 + 3]; \
317 \
318 for( i = 1; i <= 4; i++ ) \
319 if( shifts[(INDEX)][(OFFSET)][i -1] ) \
320 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \
321 \
322 for( i = 0; i < 20; i++ ) \
323 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \
324 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
325 } \
326 }
327
camellia_feistel(const uint32_t x[2],const uint32_t k[2],uint32_t z[2])328 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
329 uint32_t z[2])
330 {
331 uint32_t I0, I1;
332 I0 = x[0] ^ k[0];
333 I1 = x[1] ^ k[1];
334
335 I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
336 ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
337 ((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) |
338 ((uint32_t) SBOX4((I0 ) & 0xFF) );
339 I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
340 ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
341 ((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) |
342 ((uint32_t) SBOX1((I1 ) & 0xFF) );
343
344 I0 ^= (I1 << 8) | (I1 >> 24);
345 I1 ^= (I0 << 16) | (I0 >> 16);
346 I0 ^= (I1 >> 8) | (I1 << 24);
347 I1 ^= (I0 >> 8) | (I0 << 24);
348
349 z[0] ^= I1;
350 z[1] ^= I0;
351 }
352
mbedtls_camellia_init(mbedtls_camellia_context * ctx)353 void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
354 {
355 CAMELLIA_VALIDATE( ctx != NULL );
356 memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
357 }
358
mbedtls_camellia_free(mbedtls_camellia_context * ctx)359 void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
360 {
361 if( ctx == NULL )
362 return;
363
364 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
365 }
366
367 /*
368 * Camellia key schedule (encryption)
369 */
mbedtls_camellia_setkey_enc(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)370 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
371 const unsigned char *key,
372 unsigned int keybits )
373 {
374 int idx;
375 size_t i;
376 uint32_t *RK;
377 unsigned char t[64];
378 uint32_t SIGMA[6][2];
379 uint32_t KC[16];
380 uint32_t TK[20];
381
382 CAMELLIA_VALIDATE_RET( ctx != NULL );
383 CAMELLIA_VALIDATE_RET( key != NULL );
384
385 RK = ctx->rk;
386
387 memset( t, 0, 64 );
388 memset( RK, 0, sizeof(ctx->rk) );
389
390 switch( keybits )
391 {
392 case 128: ctx->nr = 3; idx = 0; break;
393 case 192:
394 case 256: ctx->nr = 4; idx = 1; break;
395 default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
396 }
397
398 for( i = 0; i < keybits / 8; ++i )
399 t[i] = key[i];
400
401 if( keybits == 192 ) {
402 for( i = 0; i < 8; i++ )
403 t[24 + i] = ~t[16 + i];
404 }
405
406 /*
407 * Prepare SIGMA values
408 */
409 for( i = 0; i < 6; i++ ) {
410 GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
411 GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
412 }
413
414 /*
415 * Key storage in KC
416 * Order: KL, KR, KA, KB
417 */
418 memset( KC, 0, sizeof(KC) );
419
420 /* Store KL, KR */
421 for( i = 0; i < 8; i++ )
422 GET_UINT32_BE( KC[i], t, i * 4 );
423
424 /* Generate KA */
425 for( i = 0; i < 4; ++i )
426 KC[8 + i] = KC[i] ^ KC[4 + i];
427
428 camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
429 camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
430
431 for( i = 0; i < 4; ++i )
432 KC[8 + i] ^= KC[i];
433
434 camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
435 camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
436
437 if( keybits > 128 ) {
438 /* Generate KB */
439 for( i = 0; i < 4; ++i )
440 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
441
442 camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
443 camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
444 }
445
446 /*
447 * Generating subkeys
448 */
449
450 /* Manipulating KL */
451 SHIFT_AND_PLACE( idx, 0 );
452
453 /* Manipulating KR */
454 if( keybits > 128 ) {
455 SHIFT_AND_PLACE( idx, 1 );
456 }
457
458 /* Manipulating KA */
459 SHIFT_AND_PLACE( idx, 2 );
460
461 /* Manipulating KB */
462 if( keybits > 128 ) {
463 SHIFT_AND_PLACE( idx, 3 );
464 }
465
466 /* Do transpositions */
467 for( i = 0; i < 20; i++ ) {
468 if( transposes[idx][i] != -1 ) {
469 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
470 }
471 }
472
473 return( 0 );
474 }
475
476 /*
477 * Camellia key schedule (decryption)
478 */
mbedtls_camellia_setkey_dec(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)479 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
480 const unsigned char *key,
481 unsigned int keybits )
482 {
483 int idx, ret;
484 size_t i;
485 mbedtls_camellia_context cty;
486 uint32_t *RK;
487 uint32_t *SK;
488 CAMELLIA_VALIDATE_RET( ctx != NULL );
489 CAMELLIA_VALIDATE_RET( key != NULL );
490
491 mbedtls_camellia_init( &cty );
492
493 /* Also checks keybits */
494 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
495 goto exit;
496
497 ctx->nr = cty.nr;
498 idx = ( ctx->nr == 4 );
499
500 RK = ctx->rk;
501 SK = cty.rk + 24 * 2 + 8 * idx * 2;
502
503 *RK++ = *SK++;
504 *RK++ = *SK++;
505 *RK++ = *SK++;
506 *RK++ = *SK++;
507
508 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
509 {
510 *RK++ = *SK++;
511 *RK++ = *SK++;
512 }
513
514 SK -= 2;
515
516 *RK++ = *SK++;
517 *RK++ = *SK++;
518 *RK++ = *SK++;
519 *RK++ = *SK++;
520
521 exit:
522 mbedtls_camellia_free( &cty );
523
524 return( ret );
525 }
526
527 /*
528 * Camellia-ECB block encryption/decryption
529 */
mbedtls_camellia_crypt_ecb(mbedtls_camellia_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])530 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
531 int mode,
532 const unsigned char input[16],
533 unsigned char output[16] )
534 {
535 int NR;
536 uint32_t *RK, X[4];
537 CAMELLIA_VALIDATE_RET( ctx != NULL );
538 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
539 mode == MBEDTLS_CAMELLIA_DECRYPT );
540 CAMELLIA_VALIDATE_RET( input != NULL );
541 CAMELLIA_VALIDATE_RET( output != NULL );
542
543 ( (void) mode );
544
545 NR = ctx->nr;
546 RK = ctx->rk;
547
548 GET_UINT32_BE( X[0], input, 0 );
549 GET_UINT32_BE( X[1], input, 4 );
550 GET_UINT32_BE( X[2], input, 8 );
551 GET_UINT32_BE( X[3], input, 12 );
552
553 X[0] ^= *RK++;
554 X[1] ^= *RK++;
555 X[2] ^= *RK++;
556 X[3] ^= *RK++;
557
558 while( NR ) {
559 --NR;
560 camellia_feistel( X, RK, X + 2 );
561 RK += 2;
562 camellia_feistel( X + 2, RK, X );
563 RK += 2;
564 camellia_feistel( X, RK, X + 2 );
565 RK += 2;
566 camellia_feistel( X + 2, RK, X );
567 RK += 2;
568 camellia_feistel( X, RK, X + 2 );
569 RK += 2;
570 camellia_feistel( X + 2, RK, X );
571 RK += 2;
572
573 if( NR ) {
574 FL(X[0], X[1], RK[0], RK[1]);
575 RK += 2;
576 FLInv(X[2], X[3], RK[0], RK[1]);
577 RK += 2;
578 }
579 }
580
581 X[2] ^= *RK++;
582 X[3] ^= *RK++;
583 X[0] ^= *RK++;
584 X[1] ^= *RK++;
585
586 PUT_UINT32_BE( X[2], output, 0 );
587 PUT_UINT32_BE( X[3], output, 4 );
588 PUT_UINT32_BE( X[0], output, 8 );
589 PUT_UINT32_BE( X[1], output, 12 );
590
591 return( 0 );
592 }
593
594 #if defined(MBEDTLS_CIPHER_MODE_CBC)
595 /*
596 * Camellia-CBC buffer encryption/decryption
597 */
mbedtls_camellia_crypt_cbc(mbedtls_camellia_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)598 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
599 int mode,
600 size_t length,
601 unsigned char iv[16],
602 const unsigned char *input,
603 unsigned char *output )
604 {
605 int i;
606 unsigned char temp[16];
607 CAMELLIA_VALIDATE_RET( ctx != NULL );
608 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
609 mode == MBEDTLS_CAMELLIA_DECRYPT );
610 CAMELLIA_VALIDATE_RET( iv != NULL );
611 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
612 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
613
614 if( length % 16 )
615 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
616
617 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
618 {
619 while( length > 0 )
620 {
621 memcpy( temp, input, 16 );
622 mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
623
624 for( i = 0; i < 16; i++ )
625 output[i] = (unsigned char)( output[i] ^ iv[i] );
626
627 memcpy( iv, temp, 16 );
628
629 input += 16;
630 output += 16;
631 length -= 16;
632 }
633 }
634 else
635 {
636 while( length > 0 )
637 {
638 for( i = 0; i < 16; i++ )
639 output[i] = (unsigned char)( input[i] ^ iv[i] );
640
641 mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
642 memcpy( iv, output, 16 );
643
644 input += 16;
645 output += 16;
646 length -= 16;
647 }
648 }
649
650 return( 0 );
651 }
652 #endif /* MBEDTLS_CIPHER_MODE_CBC */
653
654 #if defined(MBEDTLS_CIPHER_MODE_CFB)
655 /*
656 * Camellia-CFB128 buffer encryption/decryption
657 */
mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)658 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
659 int mode,
660 size_t length,
661 size_t *iv_off,
662 unsigned char iv[16],
663 const unsigned char *input,
664 unsigned char *output )
665 {
666 int c;
667 size_t n;
668 CAMELLIA_VALIDATE_RET( ctx != NULL );
669 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
670 mode == MBEDTLS_CAMELLIA_DECRYPT );
671 CAMELLIA_VALIDATE_RET( iv != NULL );
672 CAMELLIA_VALIDATE_RET( iv_off != NULL );
673 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
674 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
675
676 n = *iv_off;
677 if( n >= 16 )
678 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
679
680 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
681 {
682 while( length-- )
683 {
684 if( n == 0 )
685 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
686
687 c = *input++;
688 *output++ = (unsigned char)( c ^ iv[n] );
689 iv[n] = (unsigned char) c;
690
691 n = ( n + 1 ) & 0x0F;
692 }
693 }
694 else
695 {
696 while( length-- )
697 {
698 if( n == 0 )
699 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
700
701 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
702
703 n = ( n + 1 ) & 0x0F;
704 }
705 }
706
707 *iv_off = n;
708
709 return( 0 );
710 }
711 #endif /* MBEDTLS_CIPHER_MODE_CFB */
712
713 #if defined(MBEDTLS_CIPHER_MODE_CTR)
714 /*
715 * Camellia-CTR buffer encryption/decryption
716 */
mbedtls_camellia_crypt_ctr(mbedtls_camellia_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)717 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
718 size_t length,
719 size_t *nc_off,
720 unsigned char nonce_counter[16],
721 unsigned char stream_block[16],
722 const unsigned char *input,
723 unsigned char *output )
724 {
725 int c, i;
726 size_t n;
727 CAMELLIA_VALIDATE_RET( ctx != NULL );
728 CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
729 CAMELLIA_VALIDATE_RET( stream_block != NULL );
730 CAMELLIA_VALIDATE_RET( nc_off != NULL );
731 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
732 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
733
734 n = *nc_off;
735 if( n >= 16 )
736 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
737
738 while( length-- )
739 {
740 if( n == 0 ) {
741 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
742 stream_block );
743
744 for( i = 16; i > 0; i-- )
745 if( ++nonce_counter[i - 1] != 0 )
746 break;
747 }
748 c = *input++;
749 *output++ = (unsigned char)( c ^ stream_block[n] );
750
751 n = ( n + 1 ) & 0x0F;
752 }
753
754 *nc_off = n;
755
756 return( 0 );
757 }
758 #endif /* MBEDTLS_CIPHER_MODE_CTR */
759 #endif /* !MBEDTLS_CAMELLIA_ALT */
760
761 #if defined(MBEDTLS_SELF_TEST)
762
763 /*
764 * Camellia test vectors from:
765 *
766 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
767 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
768 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
769 * (For each bitlength: Key 0, Nr 39)
770 */
771 #define CAMELLIA_TESTS_ECB 2
772
773 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
774 {
775 {
776 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
777 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
778 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
779 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
780 },
781 {
782 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
783 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
784 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
785 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
786 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
787 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
788 },
789 {
790 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
791 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
792 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
793 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
794 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
795 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
796 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
797 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
798 },
799 };
800
801 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
802 {
803 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
804 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
805 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
806 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
807 };
808
809 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
810 {
811 {
812 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
813 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
814 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
815 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
816 },
817 {
818 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
819 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
820 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
821 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
822 },
823 {
824 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
825 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
826 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
827 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
828 }
829 };
830
831 #if defined(MBEDTLS_CIPHER_MODE_CBC)
832 #define CAMELLIA_TESTS_CBC 3
833
834 static const unsigned char camellia_test_cbc_key[3][32] =
835 {
836 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
837 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
838 ,
839 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
840 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
841 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
842 ,
843 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
844 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
845 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
846 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
847 };
848
849 static const unsigned char camellia_test_cbc_iv[16] =
850
851 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
852 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
853 ;
854
855 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
856 {
857 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
858 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
859 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
860 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
861 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
862 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
863
864 };
865
866 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
867 {
868 {
869 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
870 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
871 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
872 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
873 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
874 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
875 },
876 {
877 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
878 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
879 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
880 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
881 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
882 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
883 },
884 {
885 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
886 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
887 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
888 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
889 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
890 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
891 }
892 };
893 #endif /* MBEDTLS_CIPHER_MODE_CBC */
894
895 #if defined(MBEDTLS_CIPHER_MODE_CTR)
896 /*
897 * Camellia-CTR test vectors from:
898 *
899 * http://www.faqs.org/rfcs/rfc5528.html
900 */
901
902 static const unsigned char camellia_test_ctr_key[3][16] =
903 {
904 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
905 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
906 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
907 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
908 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
909 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
910 };
911
912 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
913 {
914 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
915 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
916 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
917 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
918 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
919 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
920 };
921
922 static const unsigned char camellia_test_ctr_pt[3][48] =
923 {
924 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
925 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
926
927 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
928 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
929 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
930 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
931
932 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
933 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
934 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
935 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
936 0x20, 0x21, 0x22, 0x23 }
937 };
938
939 static const unsigned char camellia_test_ctr_ct[3][48] =
940 {
941 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
942 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
943 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
944 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
945 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
946 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
947 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
948 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
949 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
950 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
951 0xDF, 0x50, 0x86, 0x96 }
952 };
953
954 static const int camellia_test_ctr_len[3] =
955 { 16, 32, 36 };
956 #endif /* MBEDTLS_CIPHER_MODE_CTR */
957
958 /*
959 * Checkup routine
960 */
mbedtls_camellia_self_test(int verbose)961 int mbedtls_camellia_self_test( int verbose )
962 {
963 int i, j, u, v;
964 unsigned char key[32];
965 unsigned char buf[64];
966 unsigned char src[16];
967 unsigned char dst[16];
968 #if defined(MBEDTLS_CIPHER_MODE_CBC)
969 unsigned char iv[16];
970 #endif
971 #if defined(MBEDTLS_CIPHER_MODE_CTR)
972 size_t offset, len;
973 unsigned char nonce_counter[16];
974 unsigned char stream_block[16];
975 #endif
976
977 mbedtls_camellia_context ctx;
978
979 memset( key, 0, 32 );
980
981 for( j = 0; j < 6; j++ ) {
982 u = j >> 1;
983 v = j & 1;
984
985 if( verbose != 0 )
986 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
987 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
988
989 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
990 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
991
992 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
993 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
994 memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
995 memcpy( dst, camellia_test_ecb_plain[i], 16 );
996 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
997 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
998 memcpy( src, camellia_test_ecb_plain[i], 16 );
999 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
1000 }
1001
1002 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
1003
1004 if( memcmp( buf, dst, 16 ) != 0 )
1005 {
1006 if( verbose != 0 )
1007 mbedtls_printf( "failed\n" );
1008
1009 return( 1 );
1010 }
1011 }
1012
1013 if( verbose != 0 )
1014 mbedtls_printf( "passed\n" );
1015 }
1016
1017 if( verbose != 0 )
1018 mbedtls_printf( "\n" );
1019
1020 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1021 /*
1022 * CBC mode
1023 */
1024 for( j = 0; j < 6; j++ )
1025 {
1026 u = j >> 1;
1027 v = j & 1;
1028
1029 if( verbose != 0 )
1030 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
1031 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1032
1033 memcpy( src, camellia_test_cbc_iv, 16 );
1034 memcpy( dst, camellia_test_cbc_iv, 16 );
1035 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
1036
1037 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
1038 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
1039 } else {
1040 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
1041 }
1042
1043 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
1044
1045 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
1046 memcpy( iv , src, 16 );
1047 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
1048 memcpy( dst, camellia_test_cbc_plain[i], 16 );
1049 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
1050 memcpy( iv , dst, 16 );
1051 memcpy( src, camellia_test_cbc_plain[i], 16 );
1052 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
1053 }
1054
1055 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
1056
1057 if( memcmp( buf, dst, 16 ) != 0 )
1058 {
1059 if( verbose != 0 )
1060 mbedtls_printf( "failed\n" );
1061
1062 return( 1 );
1063 }
1064 }
1065
1066 if( verbose != 0 )
1067 mbedtls_printf( "passed\n" );
1068 }
1069 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1070
1071 if( verbose != 0 )
1072 mbedtls_printf( "\n" );
1073
1074 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1075 /*
1076 * CTR mode
1077 */
1078 for( i = 0; i < 6; i++ )
1079 {
1080 u = i >> 1;
1081 v = i & 1;
1082
1083 if( verbose != 0 )
1084 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ",
1085 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1086
1087 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1088 memcpy( key, camellia_test_ctr_key[u], 16 );
1089
1090 offset = 0;
1091 mbedtls_camellia_setkey_enc( &ctx, key, 128 );
1092
1093 if( v == MBEDTLS_CAMELLIA_DECRYPT )
1094 {
1095 len = camellia_test_ctr_len[u];
1096 memcpy( buf, camellia_test_ctr_ct[u], len );
1097
1098 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1099 buf, buf );
1100
1101 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1102 {
1103 if( verbose != 0 )
1104 mbedtls_printf( "failed\n" );
1105
1106 return( 1 );
1107 }
1108 }
1109 else
1110 {
1111 len = camellia_test_ctr_len[u];
1112 memcpy( buf, camellia_test_ctr_pt[u], len );
1113
1114 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1115 buf, buf );
1116
1117 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1118 {
1119 if( verbose != 0 )
1120 mbedtls_printf( "failed\n" );
1121
1122 return( 1 );
1123 }
1124 }
1125
1126 if( verbose != 0 )
1127 mbedtls_printf( "passed\n" );
1128 }
1129
1130 if( verbose != 0 )
1131 mbedtls_printf( "\n" );
1132 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1133
1134 return( 0 );
1135 }
1136
1137 #endif /* MBEDTLS_SELF_TEST */
1138
1139 #endif /* MBEDTLS_CAMELLIA_C */
1140