1 /* 2 * Camellia implementation 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 * 7 * This file is provided under the Apache License 2.0, or the 8 * GNU General Public License v2.0 or later. 9 * 10 * ********** 11 * Apache License 2.0: 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 * 25 * ********** 26 * 27 * ********** 28 * GNU General Public License v2.0 or later: 29 * 30 * This program is free software; you can redistribute it and/or modify 31 * it under the terms of the GNU General Public License as published by 32 * the Free Software Foundation; either version 2 of the License, or 33 * (at your option) any later version. 34 * 35 * This program is distributed in the hope that it will be useful, 36 * but WITHOUT ANY WARRANTY; without even the implied warranty of 37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 38 * GNU General Public License for more details. 39 * 40 * You should have received a copy of the GNU General Public License along 41 * with this program; if not, write to the Free Software Foundation, Inc., 42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 43 * 44 * ********** 45 * 46 * This file is part of mbed TLS (https://tls.mbed.org) 47 */ 48 /* 49 * The Camellia block cipher was designed by NTT and Mitsubishi Electric 50 * Corporation. 51 * 52 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf 53 */ 54 55 #if !defined(MBEDTLS_CONFIG_FILE) 56 #include "mbedtls/config.h" 57 #else 58 #include MBEDTLS_CONFIG_FILE 59 #endif 60 61 #if defined(MBEDTLS_CAMELLIA_C) 62 63 #include "mbedtls/camellia.h" 64 65 #include <string.h> 66 67 #if defined(MBEDTLS_SELF_TEST) 68 #if defined(MBEDTLS_PLATFORM_C) 69 #include "mbedtls/platform.h" 70 #else 71 #include <stdio.h> 72 #define mbedtls_printf printf 73 #endif /* MBEDTLS_PLATFORM_C */ 74 #endif /* MBEDTLS_SELF_TEST */ 75 76 #if !defined(MBEDTLS_CAMELLIA_ALT) 77 78 /* Implementation that should never be optimized out by the compiler */ 79 static void mbedtls_zeroize( void *v, size_t n ) { 80 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; 81 } 82 83 /* 84 * 32-bit integer manipulation macros (big endian) 85 */ 86 #ifndef GET_UINT32_BE 87 #define GET_UINT32_BE(n,b,i) \ 88 { \ 89 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \ 90 | ( (uint32_t) (b)[(i) + 1] << 16 ) \ 91 | ( (uint32_t) (b)[(i) + 2] << 8 ) \ 92 | ( (uint32_t) (b)[(i) + 3] ); \ 93 } 94 #endif 95 96 #ifndef PUT_UINT32_BE 97 #define PUT_UINT32_BE(n,b,i) \ 98 { \ 99 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 100 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 101 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 102 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 103 } 104 #endif 105 106 static const unsigned char SIGMA_CHARS[6][8] = 107 { 108 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b }, 109 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 }, 110 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe }, 111 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c }, 112 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d }, 113 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd } 114 }; 115 116 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY) 117 118 static const unsigned char FSb[256] = 119 { 120 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65, 121 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189, 122 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26, 123 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77, 124 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153, 125 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215, 126 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34, 127 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80, 128 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210, 129 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148, 130 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226, 131 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46, 132 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89, 133 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250, 134 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164, 135 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158 136 }; 137 138 #define SBOX1(n) FSb[(n)] 139 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff) 140 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff) 141 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff] 142 143 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ 144 145 static const unsigned char FSb[256] = 146 { 147 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65, 148 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189, 149 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26, 150 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77, 151 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153, 152 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215, 153 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34, 154 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80, 155 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210, 156 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148, 157 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226, 158 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46, 159 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89, 160 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250, 161 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164, 162 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158 163 }; 164 165 static const unsigned char FSb2[256] = 166 { 167 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130, 168 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123, 169 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52, 170 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154, 171 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51, 172 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175, 173 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68, 174 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160, 175 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165, 176 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41, 177 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197, 178 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92, 179 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178, 180 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245, 181 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73, 182 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61 183 }; 184 185 static const unsigned char FSb3[256] = 186 { 187 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160, 188 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222, 189 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13, 190 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166, 191 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204, 192 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235, 193 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17, 194 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40, 195 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105, 196 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74, 197 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113, 198 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23, 199 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172, 200 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125, 201 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82, 202 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79 203 }; 204 205 static const unsigned char FSb4[256] = 206 { 207 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146, 208 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108, 209 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4, 210 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105, 211 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221, 212 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99, 213 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141, 214 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128, 215 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189, 216 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77, 217 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215, 218 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80, 219 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148, 220 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46, 221 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250, 222 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158 223 }; 224 225 #define SBOX1(n) FSb[(n)] 226 #define SBOX2(n) FSb2[(n)] 227 #define SBOX3(n) FSb3[(n)] 228 #define SBOX4(n) FSb4[(n)] 229 230 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ 231 232 static const unsigned char shifts[2][4][4] = 233 { 234 { 235 { 1, 1, 1, 1 }, /* KL */ 236 { 0, 0, 0, 0 }, /* KR */ 237 { 1, 1, 1, 1 }, /* KA */ 238 { 0, 0, 0, 0 } /* KB */ 239 }, 240 { 241 { 1, 0, 1, 1 }, /* KL */ 242 { 1, 1, 0, 1 }, /* KR */ 243 { 1, 1, 1, 0 }, /* KA */ 244 { 1, 1, 0, 1 } /* KB */ 245 } 246 }; 247 248 static const signed char indexes[2][4][20] = 249 { 250 { 251 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39, 252 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */ 253 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 254 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */ 255 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17, 256 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */ 257 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 258 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */ 259 }, 260 { 261 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1, 262 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */ 263 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17, 264 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */ 265 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59, 266 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */ 267 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21, 268 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */ 269 } 270 }; 271 272 static const signed char transposes[2][20] = 273 { 274 { 275 21, 22, 23, 20, 276 -1, -1, -1, -1, 277 18, 19, 16, 17, 278 11, 8, 9, 10, 279 15, 12, 13, 14 280 }, 281 { 282 25, 26, 27, 24, 283 29, 30, 31, 28, 284 18, 19, 16, 17, 285 -1, -1, -1, -1, 286 -1, -1, -1, -1 287 } 288 }; 289 290 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */ 291 #define ROTL(DEST, SRC, SHIFT) \ 292 { \ 293 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \ 294 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \ 295 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \ 296 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \ 297 } 298 299 #define FL(XL, XR, KL, KR) \ 300 { \ 301 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \ 302 (XL) = ((XR) | (KR)) ^ (XL); \ 303 } 304 305 #define FLInv(YL, YR, KL, KR) \ 306 { \ 307 (YL) = ((YR) | (KR)) ^ (YL); \ 308 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \ 309 } 310 311 #define SHIFT_AND_PLACE(INDEX, OFFSET) \ 312 { \ 313 TK[0] = KC[(OFFSET) * 4 + 0]; \ 314 TK[1] = KC[(OFFSET) * 4 + 1]; \ 315 TK[2] = KC[(OFFSET) * 4 + 2]; \ 316 TK[3] = KC[(OFFSET) * 4 + 3]; \ 317 \ 318 for( i = 1; i <= 4; i++ ) \ 319 if( shifts[(INDEX)][(OFFSET)][i -1] ) \ 320 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \ 321 \ 322 for( i = 0; i < 20; i++ ) \ 323 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \ 324 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \ 325 } \ 326 } 327 328 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2], 329 uint32_t z[2]) 330 { 331 uint32_t I0, I1; 332 I0 = x[0] ^ k[0]; 333 I1 = x[1] ^ k[1]; 334 335 I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) | 336 ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) | 337 ((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) | 338 ((uint32_t) SBOX4((I0 ) & 0xFF) ); 339 I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) | 340 ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) | 341 ((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) | 342 ((uint32_t) SBOX1((I1 ) & 0xFF) ); 343 344 I0 ^= (I1 << 8) | (I1 >> 24); 345 I1 ^= (I0 << 16) | (I0 >> 16); 346 I0 ^= (I1 >> 8) | (I1 << 24); 347 I1 ^= (I0 >> 8) | (I0 << 24); 348 349 z[0] ^= I1; 350 z[1] ^= I0; 351 } 352 353 void mbedtls_camellia_init( mbedtls_camellia_context *ctx ) 354 { 355 memset( ctx, 0, sizeof( mbedtls_camellia_context ) ); 356 } 357 358 void mbedtls_camellia_free( mbedtls_camellia_context *ctx ) 359 { 360 if( ctx == NULL ) 361 return; 362 363 mbedtls_zeroize( ctx, sizeof( mbedtls_camellia_context ) ); 364 } 365 366 /* 367 * Camellia key schedule (encryption) 368 */ 369 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned char *key, 370 unsigned int keybits ) 371 { 372 int idx; 373 size_t i; 374 uint32_t *RK; 375 unsigned char t[64]; 376 uint32_t SIGMA[6][2]; 377 uint32_t KC[16]; 378 uint32_t TK[20]; 379 380 RK = ctx->rk; 381 382 memset( t, 0, 64 ); 383 memset( RK, 0, sizeof(ctx->rk) ); 384 385 switch( keybits ) 386 { 387 case 128: ctx->nr = 3; idx = 0; break; 388 case 192: 389 case 256: ctx->nr = 4; idx = 1; break; 390 default : return( MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH ); 391 } 392 393 for( i = 0; i < keybits / 8; ++i ) 394 t[i] = key[i]; 395 396 if( keybits == 192 ) { 397 for( i = 0; i < 8; i++ ) 398 t[24 + i] = ~t[16 + i]; 399 } 400 401 /* 402 * Prepare SIGMA values 403 */ 404 for( i = 0; i < 6; i++ ) { 405 GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 ); 406 GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 ); 407 } 408 409 /* 410 * Key storage in KC 411 * Order: KL, KR, KA, KB 412 */ 413 memset( KC, 0, sizeof(KC) ); 414 415 /* Store KL, KR */ 416 for( i = 0; i < 8; i++ ) 417 GET_UINT32_BE( KC[i], t, i * 4 ); 418 419 /* Generate KA */ 420 for( i = 0; i < 4; ++i ) 421 KC[8 + i] = KC[i] ^ KC[4 + i]; 422 423 camellia_feistel( KC + 8, SIGMA[0], KC + 10 ); 424 camellia_feistel( KC + 10, SIGMA[1], KC + 8 ); 425 426 for( i = 0; i < 4; ++i ) 427 KC[8 + i] ^= KC[i]; 428 429 camellia_feistel( KC + 8, SIGMA[2], KC + 10 ); 430 camellia_feistel( KC + 10, SIGMA[3], KC + 8 ); 431 432 if( keybits > 128 ) { 433 /* Generate KB */ 434 for( i = 0; i < 4; ++i ) 435 KC[12 + i] = KC[4 + i] ^ KC[8 + i]; 436 437 camellia_feistel( KC + 12, SIGMA[4], KC + 14 ); 438 camellia_feistel( KC + 14, SIGMA[5], KC + 12 ); 439 } 440 441 /* 442 * Generating subkeys 443 */ 444 445 /* Manipulating KL */ 446 SHIFT_AND_PLACE( idx, 0 ); 447 448 /* Manipulating KR */ 449 if( keybits > 128 ) { 450 SHIFT_AND_PLACE( idx, 1 ); 451 } 452 453 /* Manipulating KA */ 454 SHIFT_AND_PLACE( idx, 2 ); 455 456 /* Manipulating KB */ 457 if( keybits > 128 ) { 458 SHIFT_AND_PLACE( idx, 3 ); 459 } 460 461 /* Do transpositions */ 462 for( i = 0; i < 20; i++ ) { 463 if( transposes[idx][i] != -1 ) { 464 RK[32 + 12 * idx + i] = RK[transposes[idx][i]]; 465 } 466 } 467 468 return( 0 ); 469 } 470 471 /* 472 * Camellia key schedule (decryption) 473 */ 474 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, const unsigned char *key, 475 unsigned int keybits ) 476 { 477 int idx, ret; 478 size_t i; 479 mbedtls_camellia_context cty; 480 uint32_t *RK; 481 uint32_t *SK; 482 483 mbedtls_camellia_init( &cty ); 484 485 /* Also checks keybits */ 486 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 ) 487 goto exit; 488 489 ctx->nr = cty.nr; 490 idx = ( ctx->nr == 4 ); 491 492 RK = ctx->rk; 493 SK = cty.rk + 24 * 2 + 8 * idx * 2; 494 495 *RK++ = *SK++; 496 *RK++ = *SK++; 497 *RK++ = *SK++; 498 *RK++ = *SK++; 499 500 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 ) 501 { 502 *RK++ = *SK++; 503 *RK++ = *SK++; 504 } 505 506 SK -= 2; 507 508 *RK++ = *SK++; 509 *RK++ = *SK++; 510 *RK++ = *SK++; 511 *RK++ = *SK++; 512 513 exit: 514 mbedtls_camellia_free( &cty ); 515 516 return( ret ); 517 } 518 519 /* 520 * Camellia-ECB block encryption/decryption 521 */ 522 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx, 523 int mode, 524 const unsigned char input[16], 525 unsigned char output[16] ) 526 { 527 int NR; 528 uint32_t *RK, X[4]; 529 530 ( (void) mode ); 531 532 NR = ctx->nr; 533 RK = ctx->rk; 534 535 GET_UINT32_BE( X[0], input, 0 ); 536 GET_UINT32_BE( X[1], input, 4 ); 537 GET_UINT32_BE( X[2], input, 8 ); 538 GET_UINT32_BE( X[3], input, 12 ); 539 540 X[0] ^= *RK++; 541 X[1] ^= *RK++; 542 X[2] ^= *RK++; 543 X[3] ^= *RK++; 544 545 while( NR ) { 546 --NR; 547 camellia_feistel( X, RK, X + 2 ); 548 RK += 2; 549 camellia_feistel( X + 2, RK, X ); 550 RK += 2; 551 camellia_feistel( X, RK, X + 2 ); 552 RK += 2; 553 camellia_feistel( X + 2, RK, X ); 554 RK += 2; 555 camellia_feistel( X, RK, X + 2 ); 556 RK += 2; 557 camellia_feistel( X + 2, RK, X ); 558 RK += 2; 559 560 if( NR ) { 561 FL(X[0], X[1], RK[0], RK[1]); 562 RK += 2; 563 FLInv(X[2], X[3], RK[0], RK[1]); 564 RK += 2; 565 } 566 } 567 568 X[2] ^= *RK++; 569 X[3] ^= *RK++; 570 X[0] ^= *RK++; 571 X[1] ^= *RK++; 572 573 PUT_UINT32_BE( X[2], output, 0 ); 574 PUT_UINT32_BE( X[3], output, 4 ); 575 PUT_UINT32_BE( X[0], output, 8 ); 576 PUT_UINT32_BE( X[1], output, 12 ); 577 578 return( 0 ); 579 } 580 581 #if defined(MBEDTLS_CIPHER_MODE_CBC) 582 /* 583 * Camellia-CBC buffer encryption/decryption 584 */ 585 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx, 586 int mode, 587 size_t length, 588 unsigned char iv[16], 589 const unsigned char *input, 590 unsigned char *output ) 591 { 592 int i; 593 unsigned char temp[16]; 594 595 if( length % 16 ) 596 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH ); 597 598 if( mode == MBEDTLS_CAMELLIA_DECRYPT ) 599 { 600 while( length > 0 ) 601 { 602 memcpy( temp, input, 16 ); 603 mbedtls_camellia_crypt_ecb( ctx, mode, input, output ); 604 605 for( i = 0; i < 16; i++ ) 606 output[i] = (unsigned char)( output[i] ^ iv[i] ); 607 608 memcpy( iv, temp, 16 ); 609 610 input += 16; 611 output += 16; 612 length -= 16; 613 } 614 } 615 else 616 { 617 while( length > 0 ) 618 { 619 for( i = 0; i < 16; i++ ) 620 output[i] = (unsigned char)( input[i] ^ iv[i] ); 621 622 mbedtls_camellia_crypt_ecb( ctx, mode, output, output ); 623 memcpy( iv, output, 16 ); 624 625 input += 16; 626 output += 16; 627 length -= 16; 628 } 629 } 630 631 return( 0 ); 632 } 633 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 634 635 #if defined(MBEDTLS_CIPHER_MODE_CFB) 636 /* 637 * Camellia-CFB128 buffer encryption/decryption 638 */ 639 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx, 640 int mode, 641 size_t length, 642 size_t *iv_off, 643 unsigned char iv[16], 644 const unsigned char *input, 645 unsigned char *output ) 646 { 647 int c; 648 size_t n = *iv_off; 649 650 if( mode == MBEDTLS_CAMELLIA_DECRYPT ) 651 { 652 while( length-- ) 653 { 654 if( n == 0 ) 655 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv ); 656 657 c = *input++; 658 *output++ = (unsigned char)( c ^ iv[n] ); 659 iv[n] = (unsigned char) c; 660 661 n = ( n + 1 ) & 0x0F; 662 } 663 } 664 else 665 { 666 while( length-- ) 667 { 668 if( n == 0 ) 669 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv ); 670 671 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 672 673 n = ( n + 1 ) & 0x0F; 674 } 675 } 676 677 *iv_off = n; 678 679 return( 0 ); 680 } 681 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 682 683 #if defined(MBEDTLS_CIPHER_MODE_CTR) 684 /* 685 * Camellia-CTR buffer encryption/decryption 686 */ 687 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx, 688 size_t length, 689 size_t *nc_off, 690 unsigned char nonce_counter[16], 691 unsigned char stream_block[16], 692 const unsigned char *input, 693 unsigned char *output ) 694 { 695 int c, i; 696 size_t n = *nc_off; 697 698 while( length-- ) 699 { 700 if( n == 0 ) { 701 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter, 702 stream_block ); 703 704 for( i = 16; i > 0; i-- ) 705 if( ++nonce_counter[i - 1] != 0 ) 706 break; 707 } 708 c = *input++; 709 *output++ = (unsigned char)( c ^ stream_block[n] ); 710 711 n = ( n + 1 ) & 0x0F; 712 } 713 714 *nc_off = n; 715 716 return( 0 ); 717 } 718 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 719 #endif /* !MBEDTLS_CAMELLIA_ALT */ 720 721 #if defined(MBEDTLS_SELF_TEST) 722 723 /* 724 * Camellia test vectors from: 725 * 726 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html: 727 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt 728 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt 729 * (For each bitlength: Key 0, Nr 39) 730 */ 731 #define CAMELLIA_TESTS_ECB 2 732 733 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] = 734 { 735 { 736 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 737 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 }, 738 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 739 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 740 }, 741 { 742 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 743 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 744 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 }, 745 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 747 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 748 }, 749 { 750 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 751 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 752 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 753 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff }, 754 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 755 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 756 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 757 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 758 }, 759 }; 760 761 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] = 762 { 763 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 764 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 }, 765 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 767 }; 768 769 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] = 770 { 771 { 772 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73, 773 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 }, 774 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE, 775 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 } 776 }, 777 { 778 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8, 779 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 }, 780 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9, 781 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 } 782 }, 783 { 784 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c, 785 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 }, 786 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C, 787 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 } 788 } 789 }; 790 791 #if defined(MBEDTLS_CIPHER_MODE_CBC) 792 #define CAMELLIA_TESTS_CBC 3 793 794 static const unsigned char camellia_test_cbc_key[3][32] = 795 { 796 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 797 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C } 798 , 799 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 800 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 801 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B } 802 , 803 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 804 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 805 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 806 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 807 }; 808 809 static const unsigned char camellia_test_cbc_iv[16] = 810 811 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 812 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F } 813 ; 814 815 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] = 816 { 817 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 818 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A }, 819 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 820 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 }, 821 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 822 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF } 823 824 }; 825 826 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] = 827 { 828 { 829 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0, 830 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB }, 831 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78, 832 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 }, 833 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B, 834 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 } 835 }, 836 { 837 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2, 838 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 }, 839 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42, 840 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 }, 841 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8, 842 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 } 843 }, 844 { 845 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A, 846 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA }, 847 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40, 848 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 }, 849 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA, 850 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 } 851 } 852 }; 853 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 854 855 #if defined(MBEDTLS_CIPHER_MODE_CTR) 856 /* 857 * Camellia-CTR test vectors from: 858 * 859 * http://www.faqs.org/rfcs/rfc5528.html 860 */ 861 862 static const unsigned char camellia_test_ctr_key[3][16] = 863 { 864 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 865 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 866 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 867 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 868 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 869 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 870 }; 871 872 static const unsigned char camellia_test_ctr_nonce_counter[3][16] = 873 { 874 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 875 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 876 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 877 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 878 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 879 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 880 }; 881 882 static const unsigned char camellia_test_ctr_pt[3][48] = 883 { 884 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 885 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 886 887 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 888 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 889 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 890 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 891 892 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 893 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 894 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 895 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 896 0x20, 0x21, 0x22, 0x23 } 897 }; 898 899 static const unsigned char camellia_test_ctr_ct[3][48] = 900 { 901 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A, 902 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F }, 903 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4, 904 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44, 905 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7, 906 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 }, 907 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88, 908 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73, 909 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1, 910 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD, 911 0xDF, 0x50, 0x86, 0x96 } 912 }; 913 914 static const int camellia_test_ctr_len[3] = 915 { 16, 32, 36 }; 916 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 917 918 /* 919 * Checkup routine 920 */ 921 int mbedtls_camellia_self_test( int verbose ) 922 { 923 int i, j, u, v; 924 unsigned char key[32]; 925 unsigned char buf[64]; 926 unsigned char src[16]; 927 unsigned char dst[16]; 928 #if defined(MBEDTLS_CIPHER_MODE_CBC) 929 unsigned char iv[16]; 930 #endif 931 #if defined(MBEDTLS_CIPHER_MODE_CTR) 932 size_t offset, len; 933 unsigned char nonce_counter[16]; 934 unsigned char stream_block[16]; 935 #endif 936 937 mbedtls_camellia_context ctx; 938 939 memset( key, 0, 32 ); 940 941 for( j = 0; j < 6; j++ ) { 942 u = j >> 1; 943 v = j & 1; 944 945 if( verbose != 0 ) 946 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64, 947 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc"); 948 949 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) { 950 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u ); 951 952 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 953 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 ); 954 memcpy( src, camellia_test_ecb_cipher[u][i], 16 ); 955 memcpy( dst, camellia_test_ecb_plain[i], 16 ); 956 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */ 957 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 ); 958 memcpy( src, camellia_test_ecb_plain[i], 16 ); 959 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 ); 960 } 961 962 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf ); 963 964 if( memcmp( buf, dst, 16 ) != 0 ) 965 { 966 if( verbose != 0 ) 967 mbedtls_printf( "failed\n" ); 968 969 return( 1 ); 970 } 971 } 972 973 if( verbose != 0 ) 974 mbedtls_printf( "passed\n" ); 975 } 976 977 if( verbose != 0 ) 978 mbedtls_printf( "\n" ); 979 980 #if defined(MBEDTLS_CIPHER_MODE_CBC) 981 /* 982 * CBC mode 983 */ 984 for( j = 0; j < 6; j++ ) 985 { 986 u = j >> 1; 987 v = j & 1; 988 989 if( verbose != 0 ) 990 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64, 991 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" ); 992 993 memcpy( src, camellia_test_cbc_iv, 16 ); 994 memcpy( dst, camellia_test_cbc_iv, 16 ); 995 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u ); 996 997 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 998 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 ); 999 } else { 1000 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 ); 1001 } 1002 1003 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) { 1004 1005 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 1006 memcpy( iv , src, 16 ); 1007 memcpy( src, camellia_test_cbc_cipher[u][i], 16 ); 1008 memcpy( dst, camellia_test_cbc_plain[i], 16 ); 1009 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */ 1010 memcpy( iv , dst, 16 ); 1011 memcpy( src, camellia_test_cbc_plain[i], 16 ); 1012 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 ); 1013 } 1014 1015 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf ); 1016 1017 if( memcmp( buf, dst, 16 ) != 0 ) 1018 { 1019 if( verbose != 0 ) 1020 mbedtls_printf( "failed\n" ); 1021 1022 return( 1 ); 1023 } 1024 } 1025 1026 if( verbose != 0 ) 1027 mbedtls_printf( "passed\n" ); 1028 } 1029 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1030 1031 if( verbose != 0 ) 1032 mbedtls_printf( "\n" ); 1033 1034 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1035 /* 1036 * CTR mode 1037 */ 1038 for( i = 0; i < 6; i++ ) 1039 { 1040 u = i >> 1; 1041 v = i & 1; 1042 1043 if( verbose != 0 ) 1044 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ", 1045 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" ); 1046 1047 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 ); 1048 memcpy( key, camellia_test_ctr_key[u], 16 ); 1049 1050 offset = 0; 1051 mbedtls_camellia_setkey_enc( &ctx, key, 128 ); 1052 1053 if( v == MBEDTLS_CAMELLIA_DECRYPT ) 1054 { 1055 len = camellia_test_ctr_len[u]; 1056 memcpy( buf, camellia_test_ctr_ct[u], len ); 1057 1058 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, 1059 buf, buf ); 1060 1061 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 ) 1062 { 1063 if( verbose != 0 ) 1064 mbedtls_printf( "failed\n" ); 1065 1066 return( 1 ); 1067 } 1068 } 1069 else 1070 { 1071 len = camellia_test_ctr_len[u]; 1072 memcpy( buf, camellia_test_ctr_pt[u], len ); 1073 1074 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, 1075 buf, buf ); 1076 1077 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 ) 1078 { 1079 if( verbose != 0 ) 1080 mbedtls_printf( "failed\n" ); 1081 1082 return( 1 ); 1083 } 1084 } 1085 1086 if( verbose != 0 ) 1087 mbedtls_printf( "passed\n" ); 1088 } 1089 1090 if( verbose != 0 ) 1091 mbedtls_printf( "\n" ); 1092 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1093 1094 return( 0 ); 1095 } 1096 1097 #endif /* MBEDTLS_SELF_TEST */ 1098 1099 #endif /* MBEDTLS_CAMELLIA_C */ 1100