1 /*
2 * Camellia implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
21 * Corporation.
22 *
23 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
24 */
25
26 #include "common.h"
27
28 #if defined(MBEDTLS_CAMELLIA_C)
29
30 #include "mbedtls/camellia.h"
31 #include "mbedtls/platform_util.h"
32
33 #include <string.h>
34
35 #if defined(MBEDTLS_SELF_TEST)
36 #if defined(MBEDTLS_PLATFORM_C)
37 #include "mbedtls/platform.h"
38 #else
39 #include <stdio.h>
40 #define mbedtls_printf printf
41 #endif /* MBEDTLS_PLATFORM_C */
42 #endif /* MBEDTLS_SELF_TEST */
43
44 #if !defined(MBEDTLS_CAMELLIA_ALT)
45
46 /* Parameter validation macros */
47 #define CAMELLIA_VALIDATE_RET( cond ) \
48 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
49 #define CAMELLIA_VALIDATE( cond ) \
50 MBEDTLS_INTERNAL_VALIDATE( cond )
51
52 /*
53 * 32-bit integer manipulation macros (big endian)
54 */
55 #ifndef GET_UINT32_BE
56 #define GET_UINT32_BE(n,b,i) \
57 { \
58 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
59 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
60 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
61 | ( (uint32_t) (b)[(i) + 3] ); \
62 }
63 #endif
64
65 #ifndef PUT_UINT32_BE
66 #define PUT_UINT32_BE(n,b,i) \
67 { \
68 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
69 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
70 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
71 (b)[(i) + 3] = (unsigned char) ( (n) ); \
72 }
73 #endif
74
75 static const unsigned char SIGMA_CHARS[6][8] =
76 {
77 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
78 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
79 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
80 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
81 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
82 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
83 };
84
85 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
86
87 static const unsigned char FSb[256] =
88 {
89 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
90 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
91 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
92 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
93 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
94 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
95 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
96 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
97 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
98 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
99 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
100 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
101 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
102 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
103 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
104 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
105 };
106
107 #define SBOX1(n) FSb[(n)]
108 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
109 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
110 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
111
112 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
113
114 static const unsigned char FSb[256] =
115 {
116 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
117 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
118 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
119 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
120 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
121 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
122 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
123 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
124 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
125 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
126 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
127 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
128 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
129 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
130 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
131 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
132 };
133
134 static const unsigned char FSb2[256] =
135 {
136 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
137 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
138 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
139 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
140 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
141 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
142 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
143 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
144 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
145 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
146 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
147 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
148 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
149 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
150 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
151 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
152 };
153
154 static const unsigned char FSb3[256] =
155 {
156 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
157 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
158 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
159 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
160 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
161 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
162 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
163 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
164 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
165 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
166 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
167 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
168 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
169 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
170 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
171 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
172 };
173
174 static const unsigned char FSb4[256] =
175 {
176 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
177 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
178 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
179 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
180 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
181 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
182 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
183 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
184 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
185 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
186 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
187 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
188 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
189 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
190 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
191 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
192 };
193
194 #define SBOX1(n) FSb[(n)]
195 #define SBOX2(n) FSb2[(n)]
196 #define SBOX3(n) FSb3[(n)]
197 #define SBOX4(n) FSb4[(n)]
198
199 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
200
201 static const unsigned char shifts[2][4][4] =
202 {
203 {
204 { 1, 1, 1, 1 }, /* KL */
205 { 0, 0, 0, 0 }, /* KR */
206 { 1, 1, 1, 1 }, /* KA */
207 { 0, 0, 0, 0 } /* KB */
208 },
209 {
210 { 1, 0, 1, 1 }, /* KL */
211 { 1, 1, 0, 1 }, /* KR */
212 { 1, 1, 1, 0 }, /* KA */
213 { 1, 1, 0, 1 } /* KB */
214 }
215 };
216
217 static const signed char indexes[2][4][20] =
218 {
219 {
220 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
221 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
222 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
223 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
224 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
225 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
226 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
227 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
228 },
229 {
230 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
231 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
232 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
233 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
234 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
235 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
236 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
237 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
238 }
239 };
240
241 static const signed char transposes[2][20] =
242 {
243 {
244 21, 22, 23, 20,
245 -1, -1, -1, -1,
246 18, 19, 16, 17,
247 11, 8, 9, 10,
248 15, 12, 13, 14
249 },
250 {
251 25, 26, 27, 24,
252 29, 30, 31, 28,
253 18, 19, 16, 17,
254 -1, -1, -1, -1,
255 -1, -1, -1, -1
256 }
257 };
258
259 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
260 #define ROTL(DEST, SRC, SHIFT) \
261 { \
262 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
263 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
264 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
265 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
266 }
267
268 #define FL(XL, XR, KL, KR) \
269 { \
270 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
271 (XL) = ((XR) | (KR)) ^ (XL); \
272 }
273
274 #define FLInv(YL, YR, KL, KR) \
275 { \
276 (YL) = ((YR) | (KR)) ^ (YL); \
277 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
278 }
279
280 #define SHIFT_AND_PLACE(INDEX, OFFSET) \
281 { \
282 TK[0] = KC[(OFFSET) * 4 + 0]; \
283 TK[1] = KC[(OFFSET) * 4 + 1]; \
284 TK[2] = KC[(OFFSET) * 4 + 2]; \
285 TK[3] = KC[(OFFSET) * 4 + 3]; \
286 \
287 for( i = 1; i <= 4; i++ ) \
288 if( shifts[(INDEX)][(OFFSET)][i -1] ) \
289 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \
290 \
291 for( i = 0; i < 20; i++ ) \
292 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \
293 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
294 } \
295 }
296
camellia_feistel(const uint32_t x[2],const uint32_t k[2],uint32_t z[2])297 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
298 uint32_t z[2])
299 {
300 uint32_t I0, I1;
301 I0 = x[0] ^ k[0];
302 I1 = x[1] ^ k[1];
303
304 I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
305 ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
306 ((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) |
307 ((uint32_t) SBOX4((I0 ) & 0xFF) );
308 I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
309 ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
310 ((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) |
311 ((uint32_t) SBOX1((I1 ) & 0xFF) );
312
313 I0 ^= (I1 << 8) | (I1 >> 24);
314 I1 ^= (I0 << 16) | (I0 >> 16);
315 I0 ^= (I1 >> 8) | (I1 << 24);
316 I1 ^= (I0 >> 8) | (I0 << 24);
317
318 z[0] ^= I1;
319 z[1] ^= I0;
320 }
321
mbedtls_camellia_init(mbedtls_camellia_context * ctx)322 void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
323 {
324 CAMELLIA_VALIDATE( ctx != NULL );
325 memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
326 }
327
mbedtls_camellia_free(mbedtls_camellia_context * ctx)328 void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
329 {
330 if( ctx == NULL )
331 return;
332
333 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
334 }
335
336 /*
337 * Camellia key schedule (encryption)
338 */
mbedtls_camellia_setkey_enc(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)339 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
340 const unsigned char *key,
341 unsigned int keybits )
342 {
343 int idx;
344 size_t i;
345 uint32_t *RK;
346 unsigned char t[64];
347 uint32_t SIGMA[6][2];
348 uint32_t KC[16];
349 uint32_t TK[20];
350
351 CAMELLIA_VALIDATE_RET( ctx != NULL );
352 CAMELLIA_VALIDATE_RET( key != NULL );
353
354 RK = ctx->rk;
355
356 memset( t, 0, 64 );
357 memset( RK, 0, sizeof(ctx->rk) );
358
359 switch( keybits )
360 {
361 case 128: ctx->nr = 3; idx = 0; break;
362 case 192:
363 case 256: ctx->nr = 4; idx = 1; break;
364 default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
365 }
366
367 for( i = 0; i < keybits / 8; ++i )
368 t[i] = key[i];
369
370 if( keybits == 192 ) {
371 for( i = 0; i < 8; i++ )
372 t[24 + i] = ~t[16 + i];
373 }
374
375 /*
376 * Prepare SIGMA values
377 */
378 for( i = 0; i < 6; i++ ) {
379 GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
380 GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
381 }
382
383 /*
384 * Key storage in KC
385 * Order: KL, KR, KA, KB
386 */
387 memset( KC, 0, sizeof(KC) );
388
389 /* Store KL, KR */
390 for( i = 0; i < 8; i++ )
391 GET_UINT32_BE( KC[i], t, i * 4 );
392
393 /* Generate KA */
394 for( i = 0; i < 4; ++i )
395 KC[8 + i] = KC[i] ^ KC[4 + i];
396
397 camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
398 camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
399
400 for( i = 0; i < 4; ++i )
401 KC[8 + i] ^= KC[i];
402
403 camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
404 camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
405
406 if( keybits > 128 ) {
407 /* Generate KB */
408 for( i = 0; i < 4; ++i )
409 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
410
411 camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
412 camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
413 }
414
415 /*
416 * Generating subkeys
417 */
418
419 /* Manipulating KL */
420 SHIFT_AND_PLACE( idx, 0 );
421
422 /* Manipulating KR */
423 if( keybits > 128 ) {
424 SHIFT_AND_PLACE( idx, 1 );
425 }
426
427 /* Manipulating KA */
428 SHIFT_AND_PLACE( idx, 2 );
429
430 /* Manipulating KB */
431 if( keybits > 128 ) {
432 SHIFT_AND_PLACE( idx, 3 );
433 }
434
435 /* Do transpositions */
436 for( i = 0; i < 20; i++ ) {
437 if( transposes[idx][i] != -1 ) {
438 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
439 }
440 }
441
442 return( 0 );
443 }
444
445 /*
446 * Camellia key schedule (decryption)
447 */
mbedtls_camellia_setkey_dec(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)448 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
449 const unsigned char *key,
450 unsigned int keybits )
451 {
452 int idx, ret;
453 size_t i;
454 mbedtls_camellia_context cty;
455 uint32_t *RK;
456 uint32_t *SK;
457 CAMELLIA_VALIDATE_RET( ctx != NULL );
458 CAMELLIA_VALIDATE_RET( key != NULL );
459
460 mbedtls_camellia_init( &cty );
461
462 /* Also checks keybits */
463 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
464 goto exit;
465
466 ctx->nr = cty.nr;
467 idx = ( ctx->nr == 4 );
468
469 RK = ctx->rk;
470 SK = cty.rk + 24 * 2 + 8 * idx * 2;
471
472 *RK++ = *SK++;
473 *RK++ = *SK++;
474 *RK++ = *SK++;
475 *RK++ = *SK++;
476
477 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
478 {
479 *RK++ = *SK++;
480 *RK++ = *SK++;
481 }
482
483 SK -= 2;
484
485 *RK++ = *SK++;
486 *RK++ = *SK++;
487 *RK++ = *SK++;
488 *RK++ = *SK++;
489
490 exit:
491 mbedtls_camellia_free( &cty );
492
493 return( ret );
494 }
495
496 /*
497 * Camellia-ECB block encryption/decryption
498 */
mbedtls_camellia_crypt_ecb(mbedtls_camellia_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])499 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
500 int mode,
501 const unsigned char input[16],
502 unsigned char output[16] )
503 {
504 int NR;
505 uint32_t *RK, X[4];
506 CAMELLIA_VALIDATE_RET( ctx != NULL );
507 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
508 mode == MBEDTLS_CAMELLIA_DECRYPT );
509 CAMELLIA_VALIDATE_RET( input != NULL );
510 CAMELLIA_VALIDATE_RET( output != NULL );
511
512 ( (void) mode );
513
514 NR = ctx->nr;
515 RK = ctx->rk;
516
517 GET_UINT32_BE( X[0], input, 0 );
518 GET_UINT32_BE( X[1], input, 4 );
519 GET_UINT32_BE( X[2], input, 8 );
520 GET_UINT32_BE( X[3], input, 12 );
521
522 X[0] ^= *RK++;
523 X[1] ^= *RK++;
524 X[2] ^= *RK++;
525 X[3] ^= *RK++;
526
527 while( NR ) {
528 --NR;
529 camellia_feistel( X, RK, X + 2 );
530 RK += 2;
531 camellia_feistel( X + 2, RK, X );
532 RK += 2;
533 camellia_feistel( X, RK, X + 2 );
534 RK += 2;
535 camellia_feistel( X + 2, RK, X );
536 RK += 2;
537 camellia_feistel( X, RK, X + 2 );
538 RK += 2;
539 camellia_feistel( X + 2, RK, X );
540 RK += 2;
541
542 if( NR ) {
543 FL(X[0], X[1], RK[0], RK[1]);
544 RK += 2;
545 FLInv(X[2], X[3], RK[0], RK[1]);
546 RK += 2;
547 }
548 }
549
550 X[2] ^= *RK++;
551 X[3] ^= *RK++;
552 X[0] ^= *RK++;
553 X[1] ^= *RK++;
554
555 PUT_UINT32_BE( X[2], output, 0 );
556 PUT_UINT32_BE( X[3], output, 4 );
557 PUT_UINT32_BE( X[0], output, 8 );
558 PUT_UINT32_BE( X[1], output, 12 );
559
560 return( 0 );
561 }
562
563 #if defined(MBEDTLS_CIPHER_MODE_CBC)
564 /*
565 * Camellia-CBC buffer encryption/decryption
566 */
mbedtls_camellia_crypt_cbc(mbedtls_camellia_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)567 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
568 int mode,
569 size_t length,
570 unsigned char iv[16],
571 const unsigned char *input,
572 unsigned char *output )
573 {
574 int i;
575 unsigned char temp[16];
576 CAMELLIA_VALIDATE_RET( ctx != NULL );
577 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
578 mode == MBEDTLS_CAMELLIA_DECRYPT );
579 CAMELLIA_VALIDATE_RET( iv != NULL );
580 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
581 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
582
583 if( length % 16 )
584 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
585
586 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
587 {
588 while( length > 0 )
589 {
590 memcpy( temp, input, 16 );
591 mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
592
593 for( i = 0; i < 16; i++ )
594 output[i] = (unsigned char)( output[i] ^ iv[i] );
595
596 memcpy( iv, temp, 16 );
597
598 input += 16;
599 output += 16;
600 length -= 16;
601 }
602 }
603 else
604 {
605 while( length > 0 )
606 {
607 for( i = 0; i < 16; i++ )
608 output[i] = (unsigned char)( input[i] ^ iv[i] );
609
610 mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
611 memcpy( iv, output, 16 );
612
613 input += 16;
614 output += 16;
615 length -= 16;
616 }
617 }
618
619 return( 0 );
620 }
621 #endif /* MBEDTLS_CIPHER_MODE_CBC */
622
623 #if defined(MBEDTLS_CIPHER_MODE_CFB)
624 /*
625 * Camellia-CFB128 buffer encryption/decryption
626 */
mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)627 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
628 int mode,
629 size_t length,
630 size_t *iv_off,
631 unsigned char iv[16],
632 const unsigned char *input,
633 unsigned char *output )
634 {
635 int c;
636 size_t n;
637 CAMELLIA_VALIDATE_RET( ctx != NULL );
638 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
639 mode == MBEDTLS_CAMELLIA_DECRYPT );
640 CAMELLIA_VALIDATE_RET( iv != NULL );
641 CAMELLIA_VALIDATE_RET( iv_off != NULL );
642 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
643 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
644
645 n = *iv_off;
646 if( n >= 16 )
647 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
648
649 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
650 {
651 while( length-- )
652 {
653 if( n == 0 )
654 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
655
656 c = *input++;
657 *output++ = (unsigned char)( c ^ iv[n] );
658 iv[n] = (unsigned char) c;
659
660 n = ( n + 1 ) & 0x0F;
661 }
662 }
663 else
664 {
665 while( length-- )
666 {
667 if( n == 0 )
668 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
669
670 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
671
672 n = ( n + 1 ) & 0x0F;
673 }
674 }
675
676 *iv_off = n;
677
678 return( 0 );
679 }
680 #endif /* MBEDTLS_CIPHER_MODE_CFB */
681
682 #if defined(MBEDTLS_CIPHER_MODE_CTR)
683 /*
684 * Camellia-CTR buffer encryption/decryption
685 */
mbedtls_camellia_crypt_ctr(mbedtls_camellia_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)686 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
687 size_t length,
688 size_t *nc_off,
689 unsigned char nonce_counter[16],
690 unsigned char stream_block[16],
691 const unsigned char *input,
692 unsigned char *output )
693 {
694 int c, i;
695 size_t n;
696 CAMELLIA_VALIDATE_RET( ctx != NULL );
697 CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
698 CAMELLIA_VALIDATE_RET( stream_block != NULL );
699 CAMELLIA_VALIDATE_RET( nc_off != NULL );
700 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
701 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
702
703 n = *nc_off;
704 if( n >= 16 )
705 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
706
707 while( length-- )
708 {
709 if( n == 0 ) {
710 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
711 stream_block );
712
713 for( i = 16; i > 0; i-- )
714 if( ++nonce_counter[i - 1] != 0 )
715 break;
716 }
717 c = *input++;
718 *output++ = (unsigned char)( c ^ stream_block[n] );
719
720 n = ( n + 1 ) & 0x0F;
721 }
722
723 *nc_off = n;
724
725 return( 0 );
726 }
727 #endif /* MBEDTLS_CIPHER_MODE_CTR */
728 #endif /* !MBEDTLS_CAMELLIA_ALT */
729
730 #if defined(MBEDTLS_SELF_TEST)
731
732 /*
733 * Camellia test vectors from:
734 *
735 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
736 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
737 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
738 * (For each bitlength: Key 0, Nr 39)
739 */
740 #define CAMELLIA_TESTS_ECB 2
741
742 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
743 {
744 {
745 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
746 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
747 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
748 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
749 },
750 {
751 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
752 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
753 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
754 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
755 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
756 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
757 },
758 {
759 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
760 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
761 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
762 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
763 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
764 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
765 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
767 },
768 };
769
770 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
771 {
772 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
773 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
774 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
776 };
777
778 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
779 {
780 {
781 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
782 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
783 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
784 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
785 },
786 {
787 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
788 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
789 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
790 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
791 },
792 {
793 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
794 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
795 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
796 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
797 }
798 };
799
800 #if defined(MBEDTLS_CIPHER_MODE_CBC)
801 #define CAMELLIA_TESTS_CBC 3
802
803 static const unsigned char camellia_test_cbc_key[3][32] =
804 {
805 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
806 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
807 ,
808 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
809 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
810 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
811 ,
812 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
813 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
814 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
815 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
816 };
817
818 static const unsigned char camellia_test_cbc_iv[16] =
819
820 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
821 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
822 ;
823
824 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
825 {
826 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
827 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
828 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
829 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
830 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
831 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
832
833 };
834
835 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
836 {
837 {
838 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
839 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
840 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
841 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
842 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
843 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
844 },
845 {
846 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
847 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
848 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
849 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
850 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
851 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
852 },
853 {
854 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
855 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
856 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
857 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
858 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
859 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
860 }
861 };
862 #endif /* MBEDTLS_CIPHER_MODE_CBC */
863
864 #if defined(MBEDTLS_CIPHER_MODE_CTR)
865 /*
866 * Camellia-CTR test vectors from:
867 *
868 * http://www.faqs.org/rfcs/rfc5528.html
869 */
870
871 static const unsigned char camellia_test_ctr_key[3][16] =
872 {
873 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
874 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
875 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
876 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
877 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
878 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
879 };
880
881 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
882 {
883 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
884 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
885 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
886 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
887 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
888 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
889 };
890
891 static const unsigned char camellia_test_ctr_pt[3][48] =
892 {
893 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
894 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
895
896 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
897 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
898 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
899 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
900
901 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
902 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
903 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
904 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
905 0x20, 0x21, 0x22, 0x23 }
906 };
907
908 static const unsigned char camellia_test_ctr_ct[3][48] =
909 {
910 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
911 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
912 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
913 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
914 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
915 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
916 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
917 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
918 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
919 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
920 0xDF, 0x50, 0x86, 0x96 }
921 };
922
923 static const int camellia_test_ctr_len[3] =
924 { 16, 32, 36 };
925 #endif /* MBEDTLS_CIPHER_MODE_CTR */
926
927 /*
928 * Checkup routine
929 */
mbedtls_camellia_self_test(int verbose)930 int mbedtls_camellia_self_test( int verbose )
931 {
932 int i, j, u, v;
933 unsigned char key[32];
934 unsigned char buf[64];
935 unsigned char src[16];
936 unsigned char dst[16];
937 #if defined(MBEDTLS_CIPHER_MODE_CBC)
938 unsigned char iv[16];
939 #endif
940 #if defined(MBEDTLS_CIPHER_MODE_CTR)
941 size_t offset, len;
942 unsigned char nonce_counter[16];
943 unsigned char stream_block[16];
944 #endif
945
946 mbedtls_camellia_context ctx;
947
948 memset( key, 0, 32 );
949
950 for( j = 0; j < 6; j++ ) {
951 u = j >> 1;
952 v = j & 1;
953
954 if( verbose != 0 )
955 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
956 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
957
958 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
959 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
960
961 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
962 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
963 memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
964 memcpy( dst, camellia_test_ecb_plain[i], 16 );
965 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
966 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
967 memcpy( src, camellia_test_ecb_plain[i], 16 );
968 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
969 }
970
971 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
972
973 if( memcmp( buf, dst, 16 ) != 0 )
974 {
975 if( verbose != 0 )
976 mbedtls_printf( "failed\n" );
977
978 return( 1 );
979 }
980 }
981
982 if( verbose != 0 )
983 mbedtls_printf( "passed\n" );
984 }
985
986 if( verbose != 0 )
987 mbedtls_printf( "\n" );
988
989 #if defined(MBEDTLS_CIPHER_MODE_CBC)
990 /*
991 * CBC mode
992 */
993 for( j = 0; j < 6; j++ )
994 {
995 u = j >> 1;
996 v = j & 1;
997
998 if( verbose != 0 )
999 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
1000 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1001
1002 memcpy( src, camellia_test_cbc_iv, 16 );
1003 memcpy( dst, camellia_test_cbc_iv, 16 );
1004 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
1005
1006 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
1007 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
1008 } else {
1009 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
1010 }
1011
1012 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
1013
1014 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
1015 memcpy( iv , src, 16 );
1016 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
1017 memcpy( dst, camellia_test_cbc_plain[i], 16 );
1018 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
1019 memcpy( iv , dst, 16 );
1020 memcpy( src, camellia_test_cbc_plain[i], 16 );
1021 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
1022 }
1023
1024 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
1025
1026 if( memcmp( buf, dst, 16 ) != 0 )
1027 {
1028 if( verbose != 0 )
1029 mbedtls_printf( "failed\n" );
1030
1031 return( 1 );
1032 }
1033 }
1034
1035 if( verbose != 0 )
1036 mbedtls_printf( "passed\n" );
1037 }
1038 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1039
1040 if( verbose != 0 )
1041 mbedtls_printf( "\n" );
1042
1043 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1044 /*
1045 * CTR mode
1046 */
1047 for( i = 0; i < 6; i++ )
1048 {
1049 u = i >> 1;
1050 v = i & 1;
1051
1052 if( verbose != 0 )
1053 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ",
1054 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1055
1056 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1057 memcpy( key, camellia_test_ctr_key[u], 16 );
1058
1059 offset = 0;
1060 mbedtls_camellia_setkey_enc( &ctx, key, 128 );
1061
1062 if( v == MBEDTLS_CAMELLIA_DECRYPT )
1063 {
1064 len = camellia_test_ctr_len[u];
1065 memcpy( buf, camellia_test_ctr_ct[u], len );
1066
1067 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1068 buf, buf );
1069
1070 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1071 {
1072 if( verbose != 0 )
1073 mbedtls_printf( "failed\n" );
1074
1075 return( 1 );
1076 }
1077 }
1078 else
1079 {
1080 len = camellia_test_ctr_len[u];
1081 memcpy( buf, camellia_test_ctr_pt[u], len );
1082
1083 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1084 buf, buf );
1085
1086 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1087 {
1088 if( verbose != 0 )
1089 mbedtls_printf( "failed\n" );
1090
1091 return( 1 );
1092 }
1093 }
1094
1095 if( verbose != 0 )
1096 mbedtls_printf( "passed\n" );
1097 }
1098
1099 if( verbose != 0 )
1100 mbedtls_printf( "\n" );
1101 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1102
1103 return( 0 );
1104 }
1105
1106 #endif /* MBEDTLS_SELF_TEST */
1107
1108 #endif /* MBEDTLS_CAMELLIA_C */
1109