1 /* 2 * Camellia implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 /* 20 * The Camellia block cipher was designed by NTT and Mitsubishi Electric 21 * Corporation. 22 * 23 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf 24 */ 25 26 #include "common.h" 27 28 #if defined(MBEDTLS_CAMELLIA_C) 29 30 #include "mbedtls/camellia.h" 31 #include "mbedtls/platform_util.h" 32 33 #include <string.h> 34 35 #if defined(MBEDTLS_SELF_TEST) 36 #if defined(MBEDTLS_PLATFORM_C) 37 #include "mbedtls/platform.h" 38 #else 39 #include <stdio.h> 40 #define mbedtls_printf printf 41 #endif /* MBEDTLS_PLATFORM_C */ 42 #endif /* MBEDTLS_SELF_TEST */ 43 44 #if !defined(MBEDTLS_CAMELLIA_ALT) 45 46 /* Parameter validation macros */ 47 #define CAMELLIA_VALIDATE_RET( cond ) \ 48 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA ) 49 #define CAMELLIA_VALIDATE( cond ) \ 50 MBEDTLS_INTERNAL_VALIDATE( cond ) 51 52 /* 53 * 32-bit integer manipulation macros (big endian) 54 */ 55 #ifndef GET_UINT32_BE 56 #define GET_UINT32_BE(n,b,i) \ 57 { \ 58 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \ 59 | ( (uint32_t) (b)[(i) + 1] << 16 ) \ 60 | ( (uint32_t) (b)[(i) + 2] << 8 ) \ 61 | ( (uint32_t) (b)[(i) + 3] ); \ 62 } 63 #endif 64 65 #ifndef PUT_UINT32_BE 66 #define PUT_UINT32_BE(n,b,i) \ 67 { \ 68 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 69 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 70 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 71 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 72 } 73 #endif 74 75 static const unsigned char SIGMA_CHARS[6][8] = 76 { 77 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b }, 78 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 }, 79 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe }, 80 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c }, 81 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d }, 82 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd } 83 }; 84 85 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY) 86 87 static const unsigned char FSb[256] = 88 { 89 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65, 90 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189, 91 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26, 92 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77, 93 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153, 94 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215, 95 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34, 96 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80, 97 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210, 98 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148, 99 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226, 100 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46, 101 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89, 102 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250, 103 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164, 104 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158 105 }; 106 107 #define SBOX1(n) FSb[(n)] 108 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff) 109 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff) 110 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff] 111 112 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ 113 114 static const unsigned char FSb[256] = 115 { 116 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65, 117 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189, 118 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26, 119 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77, 120 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153, 121 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215, 122 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34, 123 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80, 124 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210, 125 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148, 126 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226, 127 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46, 128 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89, 129 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250, 130 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164, 131 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158 132 }; 133 134 static const unsigned char FSb2[256] = 135 { 136 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130, 137 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123, 138 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52, 139 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154, 140 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51, 141 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175, 142 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68, 143 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160, 144 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165, 145 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41, 146 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197, 147 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92, 148 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178, 149 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245, 150 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73, 151 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61 152 }; 153 154 static const unsigned char FSb3[256] = 155 { 156 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160, 157 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222, 158 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13, 159 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166, 160 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204, 161 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235, 162 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17, 163 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40, 164 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105, 165 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74, 166 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113, 167 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23, 168 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172, 169 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125, 170 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82, 171 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79 172 }; 173 174 static const unsigned char FSb4[256] = 175 { 176 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146, 177 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108, 178 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4, 179 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105, 180 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221, 181 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99, 182 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141, 183 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128, 184 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189, 185 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77, 186 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215, 187 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80, 188 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148, 189 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46, 190 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250, 191 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158 192 }; 193 194 #define SBOX1(n) FSb[(n)] 195 #define SBOX2(n) FSb2[(n)] 196 #define SBOX3(n) FSb3[(n)] 197 #define SBOX4(n) FSb4[(n)] 198 199 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ 200 201 static const unsigned char shifts[2][4][4] = 202 { 203 { 204 { 1, 1, 1, 1 }, /* KL */ 205 { 0, 0, 0, 0 }, /* KR */ 206 { 1, 1, 1, 1 }, /* KA */ 207 { 0, 0, 0, 0 } /* KB */ 208 }, 209 { 210 { 1, 0, 1, 1 }, /* KL */ 211 { 1, 1, 0, 1 }, /* KR */ 212 { 1, 1, 1, 0 }, /* KA */ 213 { 1, 1, 0, 1 } /* KB */ 214 } 215 }; 216 217 static const signed char indexes[2][4][20] = 218 { 219 { 220 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39, 221 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */ 222 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 223 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */ 224 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17, 225 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */ 226 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 227 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */ 228 }, 229 { 230 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1, 231 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */ 232 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17, 233 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */ 234 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59, 235 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */ 236 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21, 237 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */ 238 } 239 }; 240 241 static const signed char transposes[2][20] = 242 { 243 { 244 21, 22, 23, 20, 245 -1, -1, -1, -1, 246 18, 19, 16, 17, 247 11, 8, 9, 10, 248 15, 12, 13, 14 249 }, 250 { 251 25, 26, 27, 24, 252 29, 30, 31, 28, 253 18, 19, 16, 17, 254 -1, -1, -1, -1, 255 -1, -1, -1, -1 256 } 257 }; 258 259 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */ 260 #define ROTL(DEST, SRC, SHIFT) \ 261 { \ 262 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \ 263 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \ 264 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \ 265 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \ 266 } 267 268 #define FL(XL, XR, KL, KR) \ 269 { \ 270 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \ 271 (XL) = ((XR) | (KR)) ^ (XL); \ 272 } 273 274 #define FLInv(YL, YR, KL, KR) \ 275 { \ 276 (YL) = ((YR) | (KR)) ^ (YL); \ 277 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \ 278 } 279 280 #define SHIFT_AND_PLACE(INDEX, OFFSET) \ 281 { \ 282 TK[0] = KC[(OFFSET) * 4 + 0]; \ 283 TK[1] = KC[(OFFSET) * 4 + 1]; \ 284 TK[2] = KC[(OFFSET) * 4 + 2]; \ 285 TK[3] = KC[(OFFSET) * 4 + 3]; \ 286 \ 287 for( i = 1; i <= 4; i++ ) \ 288 if( shifts[(INDEX)][(OFFSET)][i -1] ) \ 289 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \ 290 \ 291 for( i = 0; i < 20; i++ ) \ 292 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \ 293 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \ 294 } \ 295 } 296 297 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2], 298 uint32_t z[2]) 299 { 300 uint32_t I0, I1; 301 I0 = x[0] ^ k[0]; 302 I1 = x[1] ^ k[1]; 303 304 I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) | 305 ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) | 306 ((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) | 307 ((uint32_t) SBOX4((I0 ) & 0xFF) ); 308 I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) | 309 ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) | 310 ((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) | 311 ((uint32_t) SBOX1((I1 ) & 0xFF) ); 312 313 I0 ^= (I1 << 8) | (I1 >> 24); 314 I1 ^= (I0 << 16) | (I0 >> 16); 315 I0 ^= (I1 >> 8) | (I1 << 24); 316 I1 ^= (I0 >> 8) | (I0 << 24); 317 318 z[0] ^= I1; 319 z[1] ^= I0; 320 } 321 322 void mbedtls_camellia_init( mbedtls_camellia_context *ctx ) 323 { 324 CAMELLIA_VALIDATE( ctx != NULL ); 325 memset( ctx, 0, sizeof( mbedtls_camellia_context ) ); 326 } 327 328 void mbedtls_camellia_free( mbedtls_camellia_context *ctx ) 329 { 330 if( ctx == NULL ) 331 return; 332 333 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) ); 334 } 335 336 /* 337 * Camellia key schedule (encryption) 338 */ 339 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, 340 const unsigned char *key, 341 unsigned int keybits ) 342 { 343 int idx; 344 size_t i; 345 uint32_t *RK; 346 unsigned char t[64]; 347 uint32_t SIGMA[6][2]; 348 uint32_t KC[16]; 349 uint32_t TK[20]; 350 351 CAMELLIA_VALIDATE_RET( ctx != NULL ); 352 CAMELLIA_VALIDATE_RET( key != NULL ); 353 354 RK = ctx->rk; 355 356 memset( t, 0, 64 ); 357 memset( RK, 0, sizeof(ctx->rk) ); 358 359 switch( keybits ) 360 { 361 case 128: ctx->nr = 3; idx = 0; break; 362 case 192: 363 case 256: ctx->nr = 4; idx = 1; break; 364 default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA ); 365 } 366 367 for( i = 0; i < keybits / 8; ++i ) 368 t[i] = key[i]; 369 370 if( keybits == 192 ) { 371 for( i = 0; i < 8; i++ ) 372 t[24 + i] = ~t[16 + i]; 373 } 374 375 /* 376 * Prepare SIGMA values 377 */ 378 for( i = 0; i < 6; i++ ) { 379 GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 ); 380 GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 ); 381 } 382 383 /* 384 * Key storage in KC 385 * Order: KL, KR, KA, KB 386 */ 387 memset( KC, 0, sizeof(KC) ); 388 389 /* Store KL, KR */ 390 for( i = 0; i < 8; i++ ) 391 GET_UINT32_BE( KC[i], t, i * 4 ); 392 393 /* Generate KA */ 394 for( i = 0; i < 4; ++i ) 395 KC[8 + i] = KC[i] ^ KC[4 + i]; 396 397 camellia_feistel( KC + 8, SIGMA[0], KC + 10 ); 398 camellia_feistel( KC + 10, SIGMA[1], KC + 8 ); 399 400 for( i = 0; i < 4; ++i ) 401 KC[8 + i] ^= KC[i]; 402 403 camellia_feistel( KC + 8, SIGMA[2], KC + 10 ); 404 camellia_feistel( KC + 10, SIGMA[3], KC + 8 ); 405 406 if( keybits > 128 ) { 407 /* Generate KB */ 408 for( i = 0; i < 4; ++i ) 409 KC[12 + i] = KC[4 + i] ^ KC[8 + i]; 410 411 camellia_feistel( KC + 12, SIGMA[4], KC + 14 ); 412 camellia_feistel( KC + 14, SIGMA[5], KC + 12 ); 413 } 414 415 /* 416 * Generating subkeys 417 */ 418 419 /* Manipulating KL */ 420 SHIFT_AND_PLACE( idx, 0 ); 421 422 /* Manipulating KR */ 423 if( keybits > 128 ) { 424 SHIFT_AND_PLACE( idx, 1 ); 425 } 426 427 /* Manipulating KA */ 428 SHIFT_AND_PLACE( idx, 2 ); 429 430 /* Manipulating KB */ 431 if( keybits > 128 ) { 432 SHIFT_AND_PLACE( idx, 3 ); 433 } 434 435 /* Do transpositions */ 436 for( i = 0; i < 20; i++ ) { 437 if( transposes[idx][i] != -1 ) { 438 RK[32 + 12 * idx + i] = RK[transposes[idx][i]]; 439 } 440 } 441 442 return( 0 ); 443 } 444 445 /* 446 * Camellia key schedule (decryption) 447 */ 448 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, 449 const unsigned char *key, 450 unsigned int keybits ) 451 { 452 int idx, ret; 453 size_t i; 454 mbedtls_camellia_context cty; 455 uint32_t *RK; 456 uint32_t *SK; 457 CAMELLIA_VALIDATE_RET( ctx != NULL ); 458 CAMELLIA_VALIDATE_RET( key != NULL ); 459 460 mbedtls_camellia_init( &cty ); 461 462 /* Also checks keybits */ 463 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 ) 464 goto exit; 465 466 ctx->nr = cty.nr; 467 idx = ( ctx->nr == 4 ); 468 469 RK = ctx->rk; 470 SK = cty.rk + 24 * 2 + 8 * idx * 2; 471 472 *RK++ = *SK++; 473 *RK++ = *SK++; 474 *RK++ = *SK++; 475 *RK++ = *SK++; 476 477 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 ) 478 { 479 *RK++ = *SK++; 480 *RK++ = *SK++; 481 } 482 483 SK -= 2; 484 485 *RK++ = *SK++; 486 *RK++ = *SK++; 487 *RK++ = *SK++; 488 *RK++ = *SK++; 489 490 exit: 491 mbedtls_camellia_free( &cty ); 492 493 return( ret ); 494 } 495 496 /* 497 * Camellia-ECB block encryption/decryption 498 */ 499 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx, 500 int mode, 501 const unsigned char input[16], 502 unsigned char output[16] ) 503 { 504 int NR; 505 uint32_t *RK, X[4]; 506 CAMELLIA_VALIDATE_RET( ctx != NULL ); 507 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT || 508 mode == MBEDTLS_CAMELLIA_DECRYPT ); 509 CAMELLIA_VALIDATE_RET( input != NULL ); 510 CAMELLIA_VALIDATE_RET( output != NULL ); 511 512 ( (void) mode ); 513 514 NR = ctx->nr; 515 RK = ctx->rk; 516 517 GET_UINT32_BE( X[0], input, 0 ); 518 GET_UINT32_BE( X[1], input, 4 ); 519 GET_UINT32_BE( X[2], input, 8 ); 520 GET_UINT32_BE( X[3], input, 12 ); 521 522 X[0] ^= *RK++; 523 X[1] ^= *RK++; 524 X[2] ^= *RK++; 525 X[3] ^= *RK++; 526 527 while( NR ) { 528 --NR; 529 camellia_feistel( X, RK, X + 2 ); 530 RK += 2; 531 camellia_feistel( X + 2, RK, X ); 532 RK += 2; 533 camellia_feistel( X, RK, X + 2 ); 534 RK += 2; 535 camellia_feistel( X + 2, RK, X ); 536 RK += 2; 537 camellia_feistel( X, RK, X + 2 ); 538 RK += 2; 539 camellia_feistel( X + 2, RK, X ); 540 RK += 2; 541 542 if( NR ) { 543 FL(X[0], X[1], RK[0], RK[1]); 544 RK += 2; 545 FLInv(X[2], X[3], RK[0], RK[1]); 546 RK += 2; 547 } 548 } 549 550 X[2] ^= *RK++; 551 X[3] ^= *RK++; 552 X[0] ^= *RK++; 553 X[1] ^= *RK++; 554 555 PUT_UINT32_BE( X[2], output, 0 ); 556 PUT_UINT32_BE( X[3], output, 4 ); 557 PUT_UINT32_BE( X[0], output, 8 ); 558 PUT_UINT32_BE( X[1], output, 12 ); 559 560 return( 0 ); 561 } 562 563 #if defined(MBEDTLS_CIPHER_MODE_CBC) 564 /* 565 * Camellia-CBC buffer encryption/decryption 566 */ 567 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx, 568 int mode, 569 size_t length, 570 unsigned char iv[16], 571 const unsigned char *input, 572 unsigned char *output ) 573 { 574 int i; 575 unsigned char temp[16]; 576 CAMELLIA_VALIDATE_RET( ctx != NULL ); 577 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT || 578 mode == MBEDTLS_CAMELLIA_DECRYPT ); 579 CAMELLIA_VALIDATE_RET( iv != NULL ); 580 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL ); 581 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL ); 582 583 if( length % 16 ) 584 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH ); 585 586 if( mode == MBEDTLS_CAMELLIA_DECRYPT ) 587 { 588 while( length > 0 ) 589 { 590 memcpy( temp, input, 16 ); 591 mbedtls_camellia_crypt_ecb( ctx, mode, input, output ); 592 593 for( i = 0; i < 16; i++ ) 594 output[i] = (unsigned char)( output[i] ^ iv[i] ); 595 596 memcpy( iv, temp, 16 ); 597 598 input += 16; 599 output += 16; 600 length -= 16; 601 } 602 } 603 else 604 { 605 while( length > 0 ) 606 { 607 for( i = 0; i < 16; i++ ) 608 output[i] = (unsigned char)( input[i] ^ iv[i] ); 609 610 mbedtls_camellia_crypt_ecb( ctx, mode, output, output ); 611 memcpy( iv, output, 16 ); 612 613 input += 16; 614 output += 16; 615 length -= 16; 616 } 617 } 618 619 return( 0 ); 620 } 621 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 622 623 #if defined(MBEDTLS_CIPHER_MODE_CFB) 624 /* 625 * Camellia-CFB128 buffer encryption/decryption 626 */ 627 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx, 628 int mode, 629 size_t length, 630 size_t *iv_off, 631 unsigned char iv[16], 632 const unsigned char *input, 633 unsigned char *output ) 634 { 635 int c; 636 size_t n; 637 CAMELLIA_VALIDATE_RET( ctx != NULL ); 638 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT || 639 mode == MBEDTLS_CAMELLIA_DECRYPT ); 640 CAMELLIA_VALIDATE_RET( iv != NULL ); 641 CAMELLIA_VALIDATE_RET( iv_off != NULL ); 642 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL ); 643 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL ); 644 645 n = *iv_off; 646 if( n >= 16 ) 647 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA ); 648 649 if( mode == MBEDTLS_CAMELLIA_DECRYPT ) 650 { 651 while( length-- ) 652 { 653 if( n == 0 ) 654 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv ); 655 656 c = *input++; 657 *output++ = (unsigned char)( c ^ iv[n] ); 658 iv[n] = (unsigned char) c; 659 660 n = ( n + 1 ) & 0x0F; 661 } 662 } 663 else 664 { 665 while( length-- ) 666 { 667 if( n == 0 ) 668 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv ); 669 670 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 671 672 n = ( n + 1 ) & 0x0F; 673 } 674 } 675 676 *iv_off = n; 677 678 return( 0 ); 679 } 680 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 681 682 #if defined(MBEDTLS_CIPHER_MODE_CTR) 683 /* 684 * Camellia-CTR buffer encryption/decryption 685 */ 686 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx, 687 size_t length, 688 size_t *nc_off, 689 unsigned char nonce_counter[16], 690 unsigned char stream_block[16], 691 const unsigned char *input, 692 unsigned char *output ) 693 { 694 int c, i; 695 size_t n; 696 CAMELLIA_VALIDATE_RET( ctx != NULL ); 697 CAMELLIA_VALIDATE_RET( nonce_counter != NULL ); 698 CAMELLIA_VALIDATE_RET( stream_block != NULL ); 699 CAMELLIA_VALIDATE_RET( nc_off != NULL ); 700 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL ); 701 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL ); 702 703 n = *nc_off; 704 if( n >= 16 ) 705 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA ); 706 707 while( length-- ) 708 { 709 if( n == 0 ) { 710 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter, 711 stream_block ); 712 713 for( i = 16; i > 0; i-- ) 714 if( ++nonce_counter[i - 1] != 0 ) 715 break; 716 } 717 c = *input++; 718 *output++ = (unsigned char)( c ^ stream_block[n] ); 719 720 n = ( n + 1 ) & 0x0F; 721 } 722 723 *nc_off = n; 724 725 return( 0 ); 726 } 727 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 728 #endif /* !MBEDTLS_CAMELLIA_ALT */ 729 730 #if defined(MBEDTLS_SELF_TEST) 731 732 /* 733 * Camellia test vectors from: 734 * 735 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html: 736 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt 737 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt 738 * (For each bitlength: Key 0, Nr 39) 739 */ 740 #define CAMELLIA_TESTS_ECB 2 741 742 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] = 743 { 744 { 745 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 746 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 }, 747 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 748 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 749 }, 750 { 751 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 752 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 753 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 }, 754 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 755 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 756 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 757 }, 758 { 759 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 760 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 761 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 762 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff }, 763 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 764 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 765 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 767 }, 768 }; 769 770 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] = 771 { 772 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 773 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 }, 774 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 776 }; 777 778 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] = 779 { 780 { 781 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73, 782 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 }, 783 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE, 784 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 } 785 }, 786 { 787 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8, 788 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 }, 789 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9, 790 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 } 791 }, 792 { 793 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c, 794 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 }, 795 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C, 796 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 } 797 } 798 }; 799 800 #if defined(MBEDTLS_CIPHER_MODE_CBC) 801 #define CAMELLIA_TESTS_CBC 3 802 803 static const unsigned char camellia_test_cbc_key[3][32] = 804 { 805 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 806 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C } 807 , 808 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 809 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 810 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B } 811 , 812 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 813 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 814 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 815 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 816 }; 817 818 static const unsigned char camellia_test_cbc_iv[16] = 819 820 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 821 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F } 822 ; 823 824 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] = 825 { 826 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 827 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A }, 828 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 829 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 }, 830 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 831 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF } 832 833 }; 834 835 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] = 836 { 837 { 838 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0, 839 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB }, 840 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78, 841 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 }, 842 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B, 843 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 } 844 }, 845 { 846 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2, 847 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 }, 848 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42, 849 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 }, 850 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8, 851 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 } 852 }, 853 { 854 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A, 855 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA }, 856 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40, 857 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 }, 858 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA, 859 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 } 860 } 861 }; 862 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 863 864 #if defined(MBEDTLS_CIPHER_MODE_CTR) 865 /* 866 * Camellia-CTR test vectors from: 867 * 868 * http://www.faqs.org/rfcs/rfc5528.html 869 */ 870 871 static const unsigned char camellia_test_ctr_key[3][16] = 872 { 873 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 874 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 875 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 876 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 877 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 878 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 879 }; 880 881 static const unsigned char camellia_test_ctr_nonce_counter[3][16] = 882 { 883 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 884 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 885 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 886 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 887 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 888 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 889 }; 890 891 static const unsigned char camellia_test_ctr_pt[3][48] = 892 { 893 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 894 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 895 896 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 897 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 898 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 899 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 900 901 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 902 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 903 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 904 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 905 0x20, 0x21, 0x22, 0x23 } 906 }; 907 908 static const unsigned char camellia_test_ctr_ct[3][48] = 909 { 910 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A, 911 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F }, 912 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4, 913 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44, 914 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7, 915 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 }, 916 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88, 917 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73, 918 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1, 919 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD, 920 0xDF, 0x50, 0x86, 0x96 } 921 }; 922 923 static const int camellia_test_ctr_len[3] = 924 { 16, 32, 36 }; 925 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 926 927 /* 928 * Checkup routine 929 */ 930 int mbedtls_camellia_self_test( int verbose ) 931 { 932 int i, j, u, v; 933 unsigned char key[32]; 934 unsigned char buf[64]; 935 unsigned char src[16]; 936 unsigned char dst[16]; 937 #if defined(MBEDTLS_CIPHER_MODE_CBC) 938 unsigned char iv[16]; 939 #endif 940 #if defined(MBEDTLS_CIPHER_MODE_CTR) 941 size_t offset, len; 942 unsigned char nonce_counter[16]; 943 unsigned char stream_block[16]; 944 #endif 945 int ret = 1; 946 947 mbedtls_camellia_context ctx; 948 949 mbedtls_camellia_init( &ctx ); 950 memset( key, 0, 32 ); 951 952 for( j = 0; j < 6; j++ ) { 953 u = j >> 1; 954 v = j & 1; 955 956 if( verbose != 0 ) 957 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64, 958 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc"); 959 960 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) { 961 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u ); 962 963 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 964 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 ); 965 memcpy( src, camellia_test_ecb_cipher[u][i], 16 ); 966 memcpy( dst, camellia_test_ecb_plain[i], 16 ); 967 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */ 968 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 ); 969 memcpy( src, camellia_test_ecb_plain[i], 16 ); 970 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 ); 971 } 972 973 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf ); 974 975 if( memcmp( buf, dst, 16 ) != 0 ) 976 { 977 if( verbose != 0 ) 978 mbedtls_printf( "failed\n" ); 979 goto exit; 980 } 981 } 982 983 if( verbose != 0 ) 984 mbedtls_printf( "passed\n" ); 985 } 986 987 if( verbose != 0 ) 988 mbedtls_printf( "\n" ); 989 990 #if defined(MBEDTLS_CIPHER_MODE_CBC) 991 /* 992 * CBC mode 993 */ 994 for( j = 0; j < 6; j++ ) 995 { 996 u = j >> 1; 997 v = j & 1; 998 999 if( verbose != 0 ) 1000 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64, 1001 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" ); 1002 1003 memcpy( src, camellia_test_cbc_iv, 16 ); 1004 memcpy( dst, camellia_test_cbc_iv, 16 ); 1005 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u ); 1006 1007 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 1008 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 ); 1009 } else { 1010 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 ); 1011 } 1012 1013 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) { 1014 1015 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 1016 memcpy( iv , src, 16 ); 1017 memcpy( src, camellia_test_cbc_cipher[u][i], 16 ); 1018 memcpy( dst, camellia_test_cbc_plain[i], 16 ); 1019 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */ 1020 memcpy( iv , dst, 16 ); 1021 memcpy( src, camellia_test_cbc_plain[i], 16 ); 1022 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 ); 1023 } 1024 1025 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf ); 1026 1027 if( memcmp( buf, dst, 16 ) != 0 ) 1028 { 1029 if( verbose != 0 ) 1030 mbedtls_printf( "failed\n" ); 1031 goto exit; 1032 } 1033 } 1034 1035 if( verbose != 0 ) 1036 mbedtls_printf( "passed\n" ); 1037 } 1038 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1039 1040 if( verbose != 0 ) 1041 mbedtls_printf( "\n" ); 1042 1043 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1044 /* 1045 * CTR mode 1046 */ 1047 for( i = 0; i < 6; i++ ) 1048 { 1049 u = i >> 1; 1050 v = i & 1; 1051 1052 if( verbose != 0 ) 1053 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ", 1054 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" ); 1055 1056 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 ); 1057 memcpy( key, camellia_test_ctr_key[u], 16 ); 1058 1059 offset = 0; 1060 mbedtls_camellia_setkey_enc( &ctx, key, 128 ); 1061 1062 if( v == MBEDTLS_CAMELLIA_DECRYPT ) 1063 { 1064 len = camellia_test_ctr_len[u]; 1065 memcpy( buf, camellia_test_ctr_ct[u], len ); 1066 1067 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, 1068 buf, buf ); 1069 1070 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 ) 1071 { 1072 if( verbose != 0 ) 1073 mbedtls_printf( "failed\n" ); 1074 goto exit; 1075 } 1076 } 1077 else 1078 { 1079 len = camellia_test_ctr_len[u]; 1080 memcpy( buf, camellia_test_ctr_pt[u], len ); 1081 1082 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, 1083 buf, buf ); 1084 1085 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 ) 1086 { 1087 if( verbose != 0 ) 1088 mbedtls_printf( "failed\n" ); 1089 goto exit; 1090 } 1091 } 1092 1093 if( verbose != 0 ) 1094 mbedtls_printf( "passed\n" ); 1095 } 1096 1097 if( verbose != 0 ) 1098 mbedtls_printf( "\n" ); 1099 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1100 1101 ret = 0; 1102 1103 exit: 1104 mbedtls_camellia_free( &ctx ); 1105 return( ret ); 1106 } 1107 1108 #endif /* MBEDTLS_SELF_TEST */ 1109 1110 #endif /* MBEDTLS_CAMELLIA_C */ 1111