1 /* 2 * Camellia implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 * 7 * This file is provided under the Apache License 2.0, or the 8 * GNU General Public License v2.0 or later. 9 * 10 * ********** 11 * Apache License 2.0: 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 * 25 * ********** 26 * 27 * ********** 28 * GNU General Public License v2.0 or later: 29 * 30 * This program is free software; you can redistribute it and/or modify 31 * it under the terms of the GNU General Public License as published by 32 * the Free Software Foundation; either version 2 of the License, or 33 * (at your option) any later version. 34 * 35 * This program is distributed in the hope that it will be useful, 36 * but WITHOUT ANY WARRANTY; without even the implied warranty of 37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 38 * GNU General Public License for more details. 39 * 40 * You should have received a copy of the GNU General Public License along 41 * with this program; if not, write to the Free Software Foundation, Inc., 42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 43 * 44 * ********** 45 */ 46 /* 47 * The Camellia block cipher was designed by NTT and Mitsubishi Electric 48 * Corporation. 49 * 50 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf 51 */ 52 53 #if !defined(MBEDTLS_CONFIG_FILE) 54 #include "mbedtls/config.h" 55 #else 56 #include MBEDTLS_CONFIG_FILE 57 #endif 58 59 #if defined(MBEDTLS_CAMELLIA_C) 60 61 #include "mbedtls/camellia.h" 62 #include "mbedtls/platform_util.h" 63 64 #include <string.h> 65 66 #if defined(MBEDTLS_SELF_TEST) 67 #if defined(MBEDTLS_PLATFORM_C) 68 #include "mbedtls/platform.h" 69 #else 70 #include <stdio.h> 71 #define mbedtls_printf printf 72 #endif /* MBEDTLS_PLATFORM_C */ 73 #endif /* MBEDTLS_SELF_TEST */ 74 75 #if !defined(MBEDTLS_CAMELLIA_ALT) 76 77 /* Parameter validation macros */ 78 #define CAMELLIA_VALIDATE_RET( cond ) \ 79 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA ) 80 #define CAMELLIA_VALIDATE( cond ) \ 81 MBEDTLS_INTERNAL_VALIDATE( cond ) 82 83 /* 84 * 32-bit integer manipulation macros (big endian) 85 */ 86 #ifndef GET_UINT32_BE 87 #define GET_UINT32_BE(n,b,i) \ 88 { \ 89 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \ 90 | ( (uint32_t) (b)[(i) + 1] << 16 ) \ 91 | ( (uint32_t) (b)[(i) + 2] << 8 ) \ 92 | ( (uint32_t) (b)[(i) + 3] ); \ 93 } 94 #endif 95 96 #ifndef PUT_UINT32_BE 97 #define PUT_UINT32_BE(n,b,i) \ 98 { \ 99 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 100 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 101 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 102 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 103 } 104 #endif 105 106 static const unsigned char SIGMA_CHARS[6][8] = 107 { 108 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b }, 109 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 }, 110 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe }, 111 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c }, 112 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d }, 113 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd } 114 }; 115 116 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY) 117 118 static const unsigned char FSb[256] = 119 { 120 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65, 121 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189, 122 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26, 123 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77, 124 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153, 125 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215, 126 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34, 127 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80, 128 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210, 129 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148, 130 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226, 131 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46, 132 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89, 133 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250, 134 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164, 135 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158 136 }; 137 138 #define SBOX1(n) FSb[(n)] 139 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff) 140 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff) 141 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff] 142 143 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ 144 145 static const unsigned char FSb[256] = 146 { 147 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65, 148 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189, 149 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26, 150 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77, 151 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153, 152 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215, 153 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34, 154 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80, 155 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210, 156 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148, 157 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226, 158 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46, 159 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89, 160 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250, 161 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164, 162 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158 163 }; 164 165 static const unsigned char FSb2[256] = 166 { 167 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130, 168 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123, 169 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52, 170 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154, 171 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51, 172 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175, 173 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68, 174 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160, 175 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165, 176 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41, 177 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197, 178 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92, 179 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178, 180 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245, 181 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73, 182 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61 183 }; 184 185 static const unsigned char FSb3[256] = 186 { 187 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160, 188 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222, 189 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13, 190 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166, 191 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204, 192 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235, 193 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17, 194 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40, 195 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105, 196 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74, 197 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113, 198 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23, 199 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172, 200 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125, 201 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82, 202 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79 203 }; 204 205 static const unsigned char FSb4[256] = 206 { 207 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146, 208 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108, 209 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4, 210 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105, 211 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221, 212 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99, 213 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141, 214 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128, 215 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189, 216 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77, 217 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215, 218 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80, 219 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148, 220 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46, 221 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250, 222 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158 223 }; 224 225 #define SBOX1(n) FSb[(n)] 226 #define SBOX2(n) FSb2[(n)] 227 #define SBOX3(n) FSb3[(n)] 228 #define SBOX4(n) FSb4[(n)] 229 230 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ 231 232 static const unsigned char shifts[2][4][4] = 233 { 234 { 235 { 1, 1, 1, 1 }, /* KL */ 236 { 0, 0, 0, 0 }, /* KR */ 237 { 1, 1, 1, 1 }, /* KA */ 238 { 0, 0, 0, 0 } /* KB */ 239 }, 240 { 241 { 1, 0, 1, 1 }, /* KL */ 242 { 1, 1, 0, 1 }, /* KR */ 243 { 1, 1, 1, 0 }, /* KA */ 244 { 1, 1, 0, 1 } /* KB */ 245 } 246 }; 247 248 static const signed char indexes[2][4][20] = 249 { 250 { 251 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39, 252 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */ 253 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 254 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */ 255 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17, 256 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */ 257 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 258 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */ 259 }, 260 { 261 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1, 262 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */ 263 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17, 264 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */ 265 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59, 266 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */ 267 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21, 268 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */ 269 } 270 }; 271 272 static const signed char transposes[2][20] = 273 { 274 { 275 21, 22, 23, 20, 276 -1, -1, -1, -1, 277 18, 19, 16, 17, 278 11, 8, 9, 10, 279 15, 12, 13, 14 280 }, 281 { 282 25, 26, 27, 24, 283 29, 30, 31, 28, 284 18, 19, 16, 17, 285 -1, -1, -1, -1, 286 -1, -1, -1, -1 287 } 288 }; 289 290 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */ 291 #define ROTL(DEST, SRC, SHIFT) \ 292 { \ 293 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \ 294 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \ 295 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \ 296 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \ 297 } 298 299 #define FL(XL, XR, KL, KR) \ 300 { \ 301 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \ 302 (XL) = ((XR) | (KR)) ^ (XL); \ 303 } 304 305 #define FLInv(YL, YR, KL, KR) \ 306 { \ 307 (YL) = ((YR) | (KR)) ^ (YL); \ 308 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \ 309 } 310 311 #define SHIFT_AND_PLACE(INDEX, OFFSET) \ 312 { \ 313 TK[0] = KC[(OFFSET) * 4 + 0]; \ 314 TK[1] = KC[(OFFSET) * 4 + 1]; \ 315 TK[2] = KC[(OFFSET) * 4 + 2]; \ 316 TK[3] = KC[(OFFSET) * 4 + 3]; \ 317 \ 318 for( i = 1; i <= 4; i++ ) \ 319 if( shifts[(INDEX)][(OFFSET)][i -1] ) \ 320 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \ 321 \ 322 for( i = 0; i < 20; i++ ) \ 323 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \ 324 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \ 325 } \ 326 } 327 328 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2], 329 uint32_t z[2]) 330 { 331 uint32_t I0, I1; 332 I0 = x[0] ^ k[0]; 333 I1 = x[1] ^ k[1]; 334 335 I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) | 336 ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) | 337 ((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) | 338 ((uint32_t) SBOX4((I0 ) & 0xFF) ); 339 I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) | 340 ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) | 341 ((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) | 342 ((uint32_t) SBOX1((I1 ) & 0xFF) ); 343 344 I0 ^= (I1 << 8) | (I1 >> 24); 345 I1 ^= (I0 << 16) | (I0 >> 16); 346 I0 ^= (I1 >> 8) | (I1 << 24); 347 I1 ^= (I0 >> 8) | (I0 << 24); 348 349 z[0] ^= I1; 350 z[1] ^= I0; 351 } 352 353 void mbedtls_camellia_init( mbedtls_camellia_context *ctx ) 354 { 355 CAMELLIA_VALIDATE( ctx != NULL ); 356 memset( ctx, 0, sizeof( mbedtls_camellia_context ) ); 357 } 358 359 void mbedtls_camellia_free( mbedtls_camellia_context *ctx ) 360 { 361 if( ctx == NULL ) 362 return; 363 364 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) ); 365 } 366 367 /* 368 * Camellia key schedule (encryption) 369 */ 370 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, 371 const unsigned char *key, 372 unsigned int keybits ) 373 { 374 int idx; 375 size_t i; 376 uint32_t *RK; 377 unsigned char t[64]; 378 uint32_t SIGMA[6][2]; 379 uint32_t KC[16]; 380 uint32_t TK[20]; 381 382 CAMELLIA_VALIDATE_RET( ctx != NULL ); 383 CAMELLIA_VALIDATE_RET( key != NULL ); 384 385 RK = ctx->rk; 386 387 memset( t, 0, 64 ); 388 memset( RK, 0, sizeof(ctx->rk) ); 389 390 switch( keybits ) 391 { 392 case 128: ctx->nr = 3; idx = 0; break; 393 case 192: 394 case 256: ctx->nr = 4; idx = 1; break; 395 default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA ); 396 } 397 398 for( i = 0; i < keybits / 8; ++i ) 399 t[i] = key[i]; 400 401 if( keybits == 192 ) { 402 for( i = 0; i < 8; i++ ) 403 t[24 + i] = ~t[16 + i]; 404 } 405 406 /* 407 * Prepare SIGMA values 408 */ 409 for( i = 0; i < 6; i++ ) { 410 GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 ); 411 GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 ); 412 } 413 414 /* 415 * Key storage in KC 416 * Order: KL, KR, KA, KB 417 */ 418 memset( KC, 0, sizeof(KC) ); 419 420 /* Store KL, KR */ 421 for( i = 0; i < 8; i++ ) 422 GET_UINT32_BE( KC[i], t, i * 4 ); 423 424 /* Generate KA */ 425 for( i = 0; i < 4; ++i ) 426 KC[8 + i] = KC[i] ^ KC[4 + i]; 427 428 camellia_feistel( KC + 8, SIGMA[0], KC + 10 ); 429 camellia_feistel( KC + 10, SIGMA[1], KC + 8 ); 430 431 for( i = 0; i < 4; ++i ) 432 KC[8 + i] ^= KC[i]; 433 434 camellia_feistel( KC + 8, SIGMA[2], KC + 10 ); 435 camellia_feistel( KC + 10, SIGMA[3], KC + 8 ); 436 437 if( keybits > 128 ) { 438 /* Generate KB */ 439 for( i = 0; i < 4; ++i ) 440 KC[12 + i] = KC[4 + i] ^ KC[8 + i]; 441 442 camellia_feistel( KC + 12, SIGMA[4], KC + 14 ); 443 camellia_feistel( KC + 14, SIGMA[5], KC + 12 ); 444 } 445 446 /* 447 * Generating subkeys 448 */ 449 450 /* Manipulating KL */ 451 SHIFT_AND_PLACE( idx, 0 ); 452 453 /* Manipulating KR */ 454 if( keybits > 128 ) { 455 SHIFT_AND_PLACE( idx, 1 ); 456 } 457 458 /* Manipulating KA */ 459 SHIFT_AND_PLACE( idx, 2 ); 460 461 /* Manipulating KB */ 462 if( keybits > 128 ) { 463 SHIFT_AND_PLACE( idx, 3 ); 464 } 465 466 /* Do transpositions */ 467 for( i = 0; i < 20; i++ ) { 468 if( transposes[idx][i] != -1 ) { 469 RK[32 + 12 * idx + i] = RK[transposes[idx][i]]; 470 } 471 } 472 473 return( 0 ); 474 } 475 476 /* 477 * Camellia key schedule (decryption) 478 */ 479 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, 480 const unsigned char *key, 481 unsigned int keybits ) 482 { 483 int idx, ret; 484 size_t i; 485 mbedtls_camellia_context cty; 486 uint32_t *RK; 487 uint32_t *SK; 488 CAMELLIA_VALIDATE_RET( ctx != NULL ); 489 CAMELLIA_VALIDATE_RET( key != NULL ); 490 491 mbedtls_camellia_init( &cty ); 492 493 /* Also checks keybits */ 494 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 ) 495 goto exit; 496 497 ctx->nr = cty.nr; 498 idx = ( ctx->nr == 4 ); 499 500 RK = ctx->rk; 501 SK = cty.rk + 24 * 2 + 8 * idx * 2; 502 503 *RK++ = *SK++; 504 *RK++ = *SK++; 505 *RK++ = *SK++; 506 *RK++ = *SK++; 507 508 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 ) 509 { 510 *RK++ = *SK++; 511 *RK++ = *SK++; 512 } 513 514 SK -= 2; 515 516 *RK++ = *SK++; 517 *RK++ = *SK++; 518 *RK++ = *SK++; 519 *RK++ = *SK++; 520 521 exit: 522 mbedtls_camellia_free( &cty ); 523 524 return( ret ); 525 } 526 527 /* 528 * Camellia-ECB block encryption/decryption 529 */ 530 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx, 531 int mode, 532 const unsigned char input[16], 533 unsigned char output[16] ) 534 { 535 int NR; 536 uint32_t *RK, X[4]; 537 CAMELLIA_VALIDATE_RET( ctx != NULL ); 538 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT || 539 mode == MBEDTLS_CAMELLIA_DECRYPT ); 540 CAMELLIA_VALIDATE_RET( input != NULL ); 541 CAMELLIA_VALIDATE_RET( output != NULL ); 542 543 ( (void) mode ); 544 545 NR = ctx->nr; 546 RK = ctx->rk; 547 548 GET_UINT32_BE( X[0], input, 0 ); 549 GET_UINT32_BE( X[1], input, 4 ); 550 GET_UINT32_BE( X[2], input, 8 ); 551 GET_UINT32_BE( X[3], input, 12 ); 552 553 X[0] ^= *RK++; 554 X[1] ^= *RK++; 555 X[2] ^= *RK++; 556 X[3] ^= *RK++; 557 558 while( NR ) { 559 --NR; 560 camellia_feistel( X, RK, X + 2 ); 561 RK += 2; 562 camellia_feistel( X + 2, RK, X ); 563 RK += 2; 564 camellia_feistel( X, RK, X + 2 ); 565 RK += 2; 566 camellia_feistel( X + 2, RK, X ); 567 RK += 2; 568 camellia_feistel( X, RK, X + 2 ); 569 RK += 2; 570 camellia_feistel( X + 2, RK, X ); 571 RK += 2; 572 573 if( NR ) { 574 FL(X[0], X[1], RK[0], RK[1]); 575 RK += 2; 576 FLInv(X[2], X[3], RK[0], RK[1]); 577 RK += 2; 578 } 579 } 580 581 X[2] ^= *RK++; 582 X[3] ^= *RK++; 583 X[0] ^= *RK++; 584 X[1] ^= *RK++; 585 586 PUT_UINT32_BE( X[2], output, 0 ); 587 PUT_UINT32_BE( X[3], output, 4 ); 588 PUT_UINT32_BE( X[0], output, 8 ); 589 PUT_UINT32_BE( X[1], output, 12 ); 590 591 return( 0 ); 592 } 593 594 #if defined(MBEDTLS_CIPHER_MODE_CBC) 595 /* 596 * Camellia-CBC buffer encryption/decryption 597 */ 598 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx, 599 int mode, 600 size_t length, 601 unsigned char iv[16], 602 const unsigned char *input, 603 unsigned char *output ) 604 { 605 int i; 606 unsigned char temp[16]; 607 CAMELLIA_VALIDATE_RET( ctx != NULL ); 608 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT || 609 mode == MBEDTLS_CAMELLIA_DECRYPT ); 610 CAMELLIA_VALIDATE_RET( iv != NULL ); 611 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL ); 612 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL ); 613 614 if( length % 16 ) 615 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH ); 616 617 if( mode == MBEDTLS_CAMELLIA_DECRYPT ) 618 { 619 while( length > 0 ) 620 { 621 memcpy( temp, input, 16 ); 622 mbedtls_camellia_crypt_ecb( ctx, mode, input, output ); 623 624 for( i = 0; i < 16; i++ ) 625 output[i] = (unsigned char)( output[i] ^ iv[i] ); 626 627 memcpy( iv, temp, 16 ); 628 629 input += 16; 630 output += 16; 631 length -= 16; 632 } 633 } 634 else 635 { 636 while( length > 0 ) 637 { 638 for( i = 0; i < 16; i++ ) 639 output[i] = (unsigned char)( input[i] ^ iv[i] ); 640 641 mbedtls_camellia_crypt_ecb( ctx, mode, output, output ); 642 memcpy( iv, output, 16 ); 643 644 input += 16; 645 output += 16; 646 length -= 16; 647 } 648 } 649 650 return( 0 ); 651 } 652 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 653 654 #if defined(MBEDTLS_CIPHER_MODE_CFB) 655 /* 656 * Camellia-CFB128 buffer encryption/decryption 657 */ 658 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx, 659 int mode, 660 size_t length, 661 size_t *iv_off, 662 unsigned char iv[16], 663 const unsigned char *input, 664 unsigned char *output ) 665 { 666 int c; 667 size_t n; 668 CAMELLIA_VALIDATE_RET( ctx != NULL ); 669 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT || 670 mode == MBEDTLS_CAMELLIA_DECRYPT ); 671 CAMELLIA_VALIDATE_RET( iv != NULL ); 672 CAMELLIA_VALIDATE_RET( iv_off != NULL ); 673 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL ); 674 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL ); 675 676 n = *iv_off; 677 if( n >= 16 ) 678 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA ); 679 680 if( mode == MBEDTLS_CAMELLIA_DECRYPT ) 681 { 682 while( length-- ) 683 { 684 if( n == 0 ) 685 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv ); 686 687 c = *input++; 688 *output++ = (unsigned char)( c ^ iv[n] ); 689 iv[n] = (unsigned char) c; 690 691 n = ( n + 1 ) & 0x0F; 692 } 693 } 694 else 695 { 696 while( length-- ) 697 { 698 if( n == 0 ) 699 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv ); 700 701 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 702 703 n = ( n + 1 ) & 0x0F; 704 } 705 } 706 707 *iv_off = n; 708 709 return( 0 ); 710 } 711 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 712 713 #if defined(MBEDTLS_CIPHER_MODE_CTR) 714 /* 715 * Camellia-CTR buffer encryption/decryption 716 */ 717 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx, 718 size_t length, 719 size_t *nc_off, 720 unsigned char nonce_counter[16], 721 unsigned char stream_block[16], 722 const unsigned char *input, 723 unsigned char *output ) 724 { 725 int c, i; 726 size_t n; 727 CAMELLIA_VALIDATE_RET( ctx != NULL ); 728 CAMELLIA_VALIDATE_RET( nonce_counter != NULL ); 729 CAMELLIA_VALIDATE_RET( stream_block != NULL ); 730 CAMELLIA_VALIDATE_RET( nc_off != NULL ); 731 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL ); 732 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL ); 733 734 n = *nc_off; 735 if( n >= 16 ) 736 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA ); 737 738 while( length-- ) 739 { 740 if( n == 0 ) { 741 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter, 742 stream_block ); 743 744 for( i = 16; i > 0; i-- ) 745 if( ++nonce_counter[i - 1] != 0 ) 746 break; 747 } 748 c = *input++; 749 *output++ = (unsigned char)( c ^ stream_block[n] ); 750 751 n = ( n + 1 ) & 0x0F; 752 } 753 754 *nc_off = n; 755 756 return( 0 ); 757 } 758 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 759 #endif /* !MBEDTLS_CAMELLIA_ALT */ 760 761 #if defined(MBEDTLS_SELF_TEST) 762 763 /* 764 * Camellia test vectors from: 765 * 766 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html: 767 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt 768 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt 769 * (For each bitlength: Key 0, Nr 39) 770 */ 771 #define CAMELLIA_TESTS_ECB 2 772 773 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] = 774 { 775 { 776 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 777 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 }, 778 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 779 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 780 }, 781 { 782 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 783 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 784 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 }, 785 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 786 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 787 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 788 }, 789 { 790 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 791 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 792 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 793 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff }, 794 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 795 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 796 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 797 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 798 }, 799 }; 800 801 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] = 802 { 803 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 804 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 }, 805 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 806 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 807 }; 808 809 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] = 810 { 811 { 812 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73, 813 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 }, 814 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE, 815 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 } 816 }, 817 { 818 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8, 819 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 }, 820 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9, 821 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 } 822 }, 823 { 824 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c, 825 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 }, 826 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C, 827 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 } 828 } 829 }; 830 831 #if defined(MBEDTLS_CIPHER_MODE_CBC) 832 #define CAMELLIA_TESTS_CBC 3 833 834 static const unsigned char camellia_test_cbc_key[3][32] = 835 { 836 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 837 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C } 838 , 839 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 840 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 841 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B } 842 , 843 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 844 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 845 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 846 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 847 }; 848 849 static const unsigned char camellia_test_cbc_iv[16] = 850 851 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 852 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F } 853 ; 854 855 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] = 856 { 857 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 858 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A }, 859 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 860 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 }, 861 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 862 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF } 863 864 }; 865 866 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] = 867 { 868 { 869 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0, 870 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB }, 871 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78, 872 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 }, 873 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B, 874 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 } 875 }, 876 { 877 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2, 878 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 }, 879 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42, 880 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 }, 881 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8, 882 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 } 883 }, 884 { 885 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A, 886 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA }, 887 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40, 888 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 }, 889 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA, 890 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 } 891 } 892 }; 893 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 894 895 #if defined(MBEDTLS_CIPHER_MODE_CTR) 896 /* 897 * Camellia-CTR test vectors from: 898 * 899 * http://www.faqs.org/rfcs/rfc5528.html 900 */ 901 902 static const unsigned char camellia_test_ctr_key[3][16] = 903 { 904 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 905 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 906 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 907 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 908 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 909 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 910 }; 911 912 static const unsigned char camellia_test_ctr_nonce_counter[3][16] = 913 { 914 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 915 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 916 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 917 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 918 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 919 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 920 }; 921 922 static const unsigned char camellia_test_ctr_pt[3][48] = 923 { 924 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 925 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 926 927 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 928 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 929 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 930 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 931 932 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 933 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 934 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 935 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 936 0x20, 0x21, 0x22, 0x23 } 937 }; 938 939 static const unsigned char camellia_test_ctr_ct[3][48] = 940 { 941 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A, 942 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F }, 943 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4, 944 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44, 945 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7, 946 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 }, 947 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88, 948 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73, 949 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1, 950 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD, 951 0xDF, 0x50, 0x86, 0x96 } 952 }; 953 954 static const int camellia_test_ctr_len[3] = 955 { 16, 32, 36 }; 956 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 957 958 /* 959 * Checkup routine 960 */ 961 int mbedtls_camellia_self_test( int verbose ) 962 { 963 int i, j, u, v; 964 unsigned char key[32]; 965 unsigned char buf[64]; 966 unsigned char src[16]; 967 unsigned char dst[16]; 968 #if defined(MBEDTLS_CIPHER_MODE_CBC) 969 unsigned char iv[16]; 970 #endif 971 #if defined(MBEDTLS_CIPHER_MODE_CTR) 972 size_t offset, len; 973 unsigned char nonce_counter[16]; 974 unsigned char stream_block[16]; 975 #endif 976 int ret = 1; 977 978 mbedtls_camellia_context ctx; 979 980 mbedtls_camellia_init( &ctx ); 981 memset( key, 0, 32 ); 982 983 for( j = 0; j < 6; j++ ) { 984 u = j >> 1; 985 v = j & 1; 986 987 if( verbose != 0 ) 988 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64, 989 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc"); 990 991 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) { 992 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u ); 993 994 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 995 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 ); 996 memcpy( src, camellia_test_ecb_cipher[u][i], 16 ); 997 memcpy( dst, camellia_test_ecb_plain[i], 16 ); 998 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */ 999 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 ); 1000 memcpy( src, camellia_test_ecb_plain[i], 16 ); 1001 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 ); 1002 } 1003 1004 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf ); 1005 1006 if( memcmp( buf, dst, 16 ) != 0 ) 1007 { 1008 if( verbose != 0 ) 1009 mbedtls_printf( "failed\n" ); 1010 goto exit; 1011 } 1012 } 1013 1014 if( verbose != 0 ) 1015 mbedtls_printf( "passed\n" ); 1016 } 1017 1018 if( verbose != 0 ) 1019 mbedtls_printf( "\n" ); 1020 1021 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1022 /* 1023 * CBC mode 1024 */ 1025 for( j = 0; j < 6; j++ ) 1026 { 1027 u = j >> 1; 1028 v = j & 1; 1029 1030 if( verbose != 0 ) 1031 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64, 1032 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" ); 1033 1034 memcpy( src, camellia_test_cbc_iv, 16 ); 1035 memcpy( dst, camellia_test_cbc_iv, 16 ); 1036 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u ); 1037 1038 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 1039 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 ); 1040 } else { 1041 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 ); 1042 } 1043 1044 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) { 1045 1046 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 1047 memcpy( iv , src, 16 ); 1048 memcpy( src, camellia_test_cbc_cipher[u][i], 16 ); 1049 memcpy( dst, camellia_test_cbc_plain[i], 16 ); 1050 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */ 1051 memcpy( iv , dst, 16 ); 1052 memcpy( src, camellia_test_cbc_plain[i], 16 ); 1053 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 ); 1054 } 1055 1056 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf ); 1057 1058 if( memcmp( buf, dst, 16 ) != 0 ) 1059 { 1060 if( verbose != 0 ) 1061 mbedtls_printf( "failed\n" ); 1062 goto exit; 1063 } 1064 } 1065 1066 if( verbose != 0 ) 1067 mbedtls_printf( "passed\n" ); 1068 } 1069 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1070 1071 if( verbose != 0 ) 1072 mbedtls_printf( "\n" ); 1073 1074 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1075 /* 1076 * CTR mode 1077 */ 1078 for( i = 0; i < 6; i++ ) 1079 { 1080 u = i >> 1; 1081 v = i & 1; 1082 1083 if( verbose != 0 ) 1084 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ", 1085 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" ); 1086 1087 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 ); 1088 memcpy( key, camellia_test_ctr_key[u], 16 ); 1089 1090 offset = 0; 1091 mbedtls_camellia_setkey_enc( &ctx, key, 128 ); 1092 1093 if( v == MBEDTLS_CAMELLIA_DECRYPT ) 1094 { 1095 len = camellia_test_ctr_len[u]; 1096 memcpy( buf, camellia_test_ctr_ct[u], len ); 1097 1098 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, 1099 buf, buf ); 1100 1101 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 ) 1102 { 1103 if( verbose != 0 ) 1104 mbedtls_printf( "failed\n" ); 1105 goto exit; 1106 } 1107 } 1108 else 1109 { 1110 len = camellia_test_ctr_len[u]; 1111 memcpy( buf, camellia_test_ctr_pt[u], len ); 1112 1113 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, 1114 buf, buf ); 1115 1116 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 ) 1117 { 1118 if( verbose != 0 ) 1119 mbedtls_printf( "failed\n" ); 1120 goto exit; 1121 } 1122 } 1123 1124 if( verbose != 0 ) 1125 mbedtls_printf( "passed\n" ); 1126 } 1127 1128 if( verbose != 0 ) 1129 mbedtls_printf( "\n" ); 1130 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1131 1132 ret = 0; 1133 1134 exit: 1135 mbedtls_camellia_free( &ctx ); 1136 return( ret ); 1137 } 1138 1139 #endif /* MBEDTLS_SELF_TEST */ 1140 1141 #endif /* MBEDTLS_CAMELLIA_C */ 1142