1 /*
2 * Camellia implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46 /*
47 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
48 * Corporation.
49 *
50 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
51 */
52
53 #if !defined(MBEDTLS_CONFIG_FILE)
54 #include "mbedtls/config.h"
55 #else
56 #include MBEDTLS_CONFIG_FILE
57 #endif
58
59 #if defined(MBEDTLS_CAMELLIA_C)
60
61 #include "mbedtls/camellia.h"
62
63 #include <string.h>
64
65 #if defined(MBEDTLS_SELF_TEST)
66 #if defined(MBEDTLS_PLATFORM_C)
67 #include "mbedtls/platform.h"
68 #else
69 #include <stdio.h>
70 #define mbedtls_printf printf
71 #endif /* MBEDTLS_PLATFORM_C */
72 #endif /* MBEDTLS_SELF_TEST */
73
74 #if !defined(MBEDTLS_CAMELLIA_ALT)
75
76 /* Implementation that should never be optimized out by the compiler */
mbedtls_zeroize(void * v,size_t n)77 static void mbedtls_zeroize( void *v, size_t n ) {
78 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
79 }
80
81 /*
82 * 32-bit integer manipulation macros (big endian)
83 */
84 #ifndef GET_UINT32_BE
85 #define GET_UINT32_BE(n,b,i) \
86 { \
87 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
88 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
89 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
90 | ( (uint32_t) (b)[(i) + 3] ); \
91 }
92 #endif
93
94 #ifndef PUT_UINT32_BE
95 #define PUT_UINT32_BE(n,b,i) \
96 { \
97 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
98 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
99 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
100 (b)[(i) + 3] = (unsigned char) ( (n) ); \
101 }
102 #endif
103
104 static const unsigned char SIGMA_CHARS[6][8] =
105 {
106 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
107 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
108 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
109 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
110 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
111 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
112 };
113
114 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
115
116 static const unsigned char FSb[256] =
117 {
118 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
119 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
120 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
121 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
122 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
123 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
124 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
125 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
126 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
127 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
128 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
129 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
130 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
131 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
132 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
133 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
134 };
135
136 #define SBOX1(n) FSb[(n)]
137 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
138 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
139 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
140
141 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
142
143 static const unsigned char FSb[256] =
144 {
145 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
146 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
147 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
148 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
149 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
150 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
151 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
152 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
153 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
154 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
155 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
156 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
157 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
158 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
159 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
160 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
161 };
162
163 static const unsigned char FSb2[256] =
164 {
165 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
166 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
167 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
168 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
169 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
170 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
171 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
172 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
173 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
174 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
175 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
176 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
177 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
178 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
179 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
180 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
181 };
182
183 static const unsigned char FSb3[256] =
184 {
185 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
186 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
187 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
188 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
189 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
190 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
191 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
192 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
193 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
194 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
195 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
196 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
197 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
198 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
199 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
200 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
201 };
202
203 static const unsigned char FSb4[256] =
204 {
205 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
206 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
207 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
208 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
209 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
210 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
211 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
212 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
213 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
214 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
215 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
216 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
217 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
218 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
219 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
220 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
221 };
222
223 #define SBOX1(n) FSb[(n)]
224 #define SBOX2(n) FSb2[(n)]
225 #define SBOX3(n) FSb3[(n)]
226 #define SBOX4(n) FSb4[(n)]
227
228 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
229
230 static const unsigned char shifts[2][4][4] =
231 {
232 {
233 { 1, 1, 1, 1 }, /* KL */
234 { 0, 0, 0, 0 }, /* KR */
235 { 1, 1, 1, 1 }, /* KA */
236 { 0, 0, 0, 0 } /* KB */
237 },
238 {
239 { 1, 0, 1, 1 }, /* KL */
240 { 1, 1, 0, 1 }, /* KR */
241 { 1, 1, 1, 0 }, /* KA */
242 { 1, 1, 0, 1 } /* KB */
243 }
244 };
245
246 static const signed char indexes[2][4][20] =
247 {
248 {
249 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
250 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
251 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
252 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
253 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
254 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
255 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
256 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
257 },
258 {
259 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
260 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
261 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
262 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
263 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
264 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
265 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
266 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
267 }
268 };
269
270 static const signed char transposes[2][20] =
271 {
272 {
273 21, 22, 23, 20,
274 -1, -1, -1, -1,
275 18, 19, 16, 17,
276 11, 8, 9, 10,
277 15, 12, 13, 14
278 },
279 {
280 25, 26, 27, 24,
281 29, 30, 31, 28,
282 18, 19, 16, 17,
283 -1, -1, -1, -1,
284 -1, -1, -1, -1
285 }
286 };
287
288 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
289 #define ROTL(DEST, SRC, SHIFT) \
290 { \
291 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
292 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
293 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
294 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
295 }
296
297 #define FL(XL, XR, KL, KR) \
298 { \
299 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
300 (XL) = ((XR) | (KR)) ^ (XL); \
301 }
302
303 #define FLInv(YL, YR, KL, KR) \
304 { \
305 (YL) = ((YR) | (KR)) ^ (YL); \
306 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
307 }
308
309 #define SHIFT_AND_PLACE(INDEX, OFFSET) \
310 { \
311 TK[0] = KC[(OFFSET) * 4 + 0]; \
312 TK[1] = KC[(OFFSET) * 4 + 1]; \
313 TK[2] = KC[(OFFSET) * 4 + 2]; \
314 TK[3] = KC[(OFFSET) * 4 + 3]; \
315 \
316 for( i = 1; i <= 4; i++ ) \
317 if( shifts[(INDEX)][(OFFSET)][i -1] ) \
318 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \
319 \
320 for( i = 0; i < 20; i++ ) \
321 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \
322 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
323 } \
324 }
325
camellia_feistel(const uint32_t x[2],const uint32_t k[2],uint32_t z[2])326 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
327 uint32_t z[2])
328 {
329 uint32_t I0, I1;
330 I0 = x[0] ^ k[0];
331 I1 = x[1] ^ k[1];
332
333 I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
334 ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
335 ((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) |
336 ((uint32_t) SBOX4((I0 ) & 0xFF) );
337 I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
338 ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
339 ((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) |
340 ((uint32_t) SBOX1((I1 ) & 0xFF) );
341
342 I0 ^= (I1 << 8) | (I1 >> 24);
343 I1 ^= (I0 << 16) | (I0 >> 16);
344 I0 ^= (I1 >> 8) | (I1 << 24);
345 I1 ^= (I0 >> 8) | (I0 << 24);
346
347 z[0] ^= I1;
348 z[1] ^= I0;
349 }
350
mbedtls_camellia_init(mbedtls_camellia_context * ctx)351 void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
352 {
353 memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
354 }
355
mbedtls_camellia_free(mbedtls_camellia_context * ctx)356 void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
357 {
358 if( ctx == NULL )
359 return;
360
361 mbedtls_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
362 }
363
364 /*
365 * Camellia key schedule (encryption)
366 */
mbedtls_camellia_setkey_enc(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)367 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned char *key,
368 unsigned int keybits )
369 {
370 int idx;
371 size_t i;
372 uint32_t *RK;
373 unsigned char t[64];
374 uint32_t SIGMA[6][2];
375 uint32_t KC[16];
376 uint32_t TK[20];
377
378 RK = ctx->rk;
379
380 memset( t, 0, 64 );
381 memset( RK, 0, sizeof(ctx->rk) );
382
383 switch( keybits )
384 {
385 case 128: ctx->nr = 3; idx = 0; break;
386 case 192:
387 case 256: ctx->nr = 4; idx = 1; break;
388 default : return( MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH );
389 }
390
391 for( i = 0; i < keybits / 8; ++i )
392 t[i] = key[i];
393
394 if( keybits == 192 ) {
395 for( i = 0; i < 8; i++ )
396 t[24 + i] = ~t[16 + i];
397 }
398
399 /*
400 * Prepare SIGMA values
401 */
402 for( i = 0; i < 6; i++ ) {
403 GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
404 GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
405 }
406
407 /*
408 * Key storage in KC
409 * Order: KL, KR, KA, KB
410 */
411 memset( KC, 0, sizeof(KC) );
412
413 /* Store KL, KR */
414 for( i = 0; i < 8; i++ )
415 GET_UINT32_BE( KC[i], t, i * 4 );
416
417 /* Generate KA */
418 for( i = 0; i < 4; ++i )
419 KC[8 + i] = KC[i] ^ KC[4 + i];
420
421 camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
422 camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
423
424 for( i = 0; i < 4; ++i )
425 KC[8 + i] ^= KC[i];
426
427 camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
428 camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
429
430 if( keybits > 128 ) {
431 /* Generate KB */
432 for( i = 0; i < 4; ++i )
433 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
434
435 camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
436 camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
437 }
438
439 /*
440 * Generating subkeys
441 */
442
443 /* Manipulating KL */
444 SHIFT_AND_PLACE( idx, 0 );
445
446 /* Manipulating KR */
447 if( keybits > 128 ) {
448 SHIFT_AND_PLACE( idx, 1 );
449 }
450
451 /* Manipulating KA */
452 SHIFT_AND_PLACE( idx, 2 );
453
454 /* Manipulating KB */
455 if( keybits > 128 ) {
456 SHIFT_AND_PLACE( idx, 3 );
457 }
458
459 /* Do transpositions */
460 for( i = 0; i < 20; i++ ) {
461 if( transposes[idx][i] != -1 ) {
462 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
463 }
464 }
465
466 return( 0 );
467 }
468
469 /*
470 * Camellia key schedule (decryption)
471 */
mbedtls_camellia_setkey_dec(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)472 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, const unsigned char *key,
473 unsigned int keybits )
474 {
475 int idx, ret;
476 size_t i;
477 mbedtls_camellia_context cty;
478 uint32_t *RK;
479 uint32_t *SK;
480
481 mbedtls_camellia_init( &cty );
482
483 /* Also checks keybits */
484 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
485 goto exit;
486
487 ctx->nr = cty.nr;
488 idx = ( ctx->nr == 4 );
489
490 RK = ctx->rk;
491 SK = cty.rk + 24 * 2 + 8 * idx * 2;
492
493 *RK++ = *SK++;
494 *RK++ = *SK++;
495 *RK++ = *SK++;
496 *RK++ = *SK++;
497
498 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
499 {
500 *RK++ = *SK++;
501 *RK++ = *SK++;
502 }
503
504 SK -= 2;
505
506 *RK++ = *SK++;
507 *RK++ = *SK++;
508 *RK++ = *SK++;
509 *RK++ = *SK++;
510
511 exit:
512 mbedtls_camellia_free( &cty );
513
514 return( ret );
515 }
516
517 /*
518 * Camellia-ECB block encryption/decryption
519 */
mbedtls_camellia_crypt_ecb(mbedtls_camellia_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])520 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
521 int mode,
522 const unsigned char input[16],
523 unsigned char output[16] )
524 {
525 int NR;
526 uint32_t *RK, X[4];
527
528 ( (void) mode );
529
530 NR = ctx->nr;
531 RK = ctx->rk;
532
533 GET_UINT32_BE( X[0], input, 0 );
534 GET_UINT32_BE( X[1], input, 4 );
535 GET_UINT32_BE( X[2], input, 8 );
536 GET_UINT32_BE( X[3], input, 12 );
537
538 X[0] ^= *RK++;
539 X[1] ^= *RK++;
540 X[2] ^= *RK++;
541 X[3] ^= *RK++;
542
543 while( NR ) {
544 --NR;
545 camellia_feistel( X, RK, X + 2 );
546 RK += 2;
547 camellia_feistel( X + 2, RK, X );
548 RK += 2;
549 camellia_feistel( X, RK, X + 2 );
550 RK += 2;
551 camellia_feistel( X + 2, RK, X );
552 RK += 2;
553 camellia_feistel( X, RK, X + 2 );
554 RK += 2;
555 camellia_feistel( X + 2, RK, X );
556 RK += 2;
557
558 if( NR ) {
559 FL(X[0], X[1], RK[0], RK[1]);
560 RK += 2;
561 FLInv(X[2], X[3], RK[0], RK[1]);
562 RK += 2;
563 }
564 }
565
566 X[2] ^= *RK++;
567 X[3] ^= *RK++;
568 X[0] ^= *RK++;
569 X[1] ^= *RK++;
570
571 PUT_UINT32_BE( X[2], output, 0 );
572 PUT_UINT32_BE( X[3], output, 4 );
573 PUT_UINT32_BE( X[0], output, 8 );
574 PUT_UINT32_BE( X[1], output, 12 );
575
576 return( 0 );
577 }
578
579 #if defined(MBEDTLS_CIPHER_MODE_CBC)
580 /*
581 * Camellia-CBC buffer encryption/decryption
582 */
mbedtls_camellia_crypt_cbc(mbedtls_camellia_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)583 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
584 int mode,
585 size_t length,
586 unsigned char iv[16],
587 const unsigned char *input,
588 unsigned char *output )
589 {
590 int i;
591 unsigned char temp[16];
592
593 if( length % 16 )
594 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
595
596 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
597 {
598 while( length > 0 )
599 {
600 memcpy( temp, input, 16 );
601 mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
602
603 for( i = 0; i < 16; i++ )
604 output[i] = (unsigned char)( output[i] ^ iv[i] );
605
606 memcpy( iv, temp, 16 );
607
608 input += 16;
609 output += 16;
610 length -= 16;
611 }
612 }
613 else
614 {
615 while( length > 0 )
616 {
617 for( i = 0; i < 16; i++ )
618 output[i] = (unsigned char)( input[i] ^ iv[i] );
619
620 mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
621 memcpy( iv, output, 16 );
622
623 input += 16;
624 output += 16;
625 length -= 16;
626 }
627 }
628
629 return( 0 );
630 }
631 #endif /* MBEDTLS_CIPHER_MODE_CBC */
632
633 #if defined(MBEDTLS_CIPHER_MODE_CFB)
634 /*
635 * Camellia-CFB128 buffer encryption/decryption
636 */
mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)637 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
638 int mode,
639 size_t length,
640 size_t *iv_off,
641 unsigned char iv[16],
642 const unsigned char *input,
643 unsigned char *output )
644 {
645 int c;
646 size_t n = *iv_off;
647
648 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
649 {
650 while( length-- )
651 {
652 if( n == 0 )
653 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
654
655 c = *input++;
656 *output++ = (unsigned char)( c ^ iv[n] );
657 iv[n] = (unsigned char) c;
658
659 n = ( n + 1 ) & 0x0F;
660 }
661 }
662 else
663 {
664 while( length-- )
665 {
666 if( n == 0 )
667 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
668
669 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
670
671 n = ( n + 1 ) & 0x0F;
672 }
673 }
674
675 *iv_off = n;
676
677 return( 0 );
678 }
679 #endif /* MBEDTLS_CIPHER_MODE_CFB */
680
681 #if defined(MBEDTLS_CIPHER_MODE_CTR)
682 /*
683 * Camellia-CTR buffer encryption/decryption
684 */
mbedtls_camellia_crypt_ctr(mbedtls_camellia_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)685 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
686 size_t length,
687 size_t *nc_off,
688 unsigned char nonce_counter[16],
689 unsigned char stream_block[16],
690 const unsigned char *input,
691 unsigned char *output )
692 {
693 int c, i;
694 size_t n = *nc_off;
695
696 while( length-- )
697 {
698 if( n == 0 ) {
699 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
700 stream_block );
701
702 for( i = 16; i > 0; i-- )
703 if( ++nonce_counter[i - 1] != 0 )
704 break;
705 }
706 c = *input++;
707 *output++ = (unsigned char)( c ^ stream_block[n] );
708
709 n = ( n + 1 ) & 0x0F;
710 }
711
712 *nc_off = n;
713
714 return( 0 );
715 }
716 #endif /* MBEDTLS_CIPHER_MODE_CTR */
717 #endif /* !MBEDTLS_CAMELLIA_ALT */
718
719 #if defined(MBEDTLS_SELF_TEST)
720
721 /*
722 * Camellia test vectors from:
723 *
724 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
725 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
726 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
727 * (For each bitlength: Key 0, Nr 39)
728 */
729 #define CAMELLIA_TESTS_ECB 2
730
731 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
732 {
733 {
734 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
735 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
736 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
737 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
738 },
739 {
740 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
741 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
742 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
743 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
745 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
746 },
747 {
748 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
749 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
750 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
751 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
752 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
753 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
754 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
755 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
756 },
757 };
758
759 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
760 {
761 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
762 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
763 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
764 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
765 };
766
767 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
768 {
769 {
770 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
771 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
772 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
773 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
774 },
775 {
776 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
777 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
778 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
779 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
780 },
781 {
782 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
783 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
784 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
785 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
786 }
787 };
788
789 #if defined(MBEDTLS_CIPHER_MODE_CBC)
790 #define CAMELLIA_TESTS_CBC 3
791
792 static const unsigned char camellia_test_cbc_key[3][32] =
793 {
794 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
795 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
796 ,
797 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
798 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
799 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
800 ,
801 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
802 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
803 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
804 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
805 };
806
807 static const unsigned char camellia_test_cbc_iv[16] =
808
809 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
810 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
811 ;
812
813 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
814 {
815 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
816 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
817 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
818 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
819 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
820 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
821
822 };
823
824 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
825 {
826 {
827 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
828 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
829 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
830 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
831 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
832 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
833 },
834 {
835 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
836 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
837 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
838 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
839 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
840 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
841 },
842 {
843 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
844 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
845 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
846 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
847 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
848 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
849 }
850 };
851 #endif /* MBEDTLS_CIPHER_MODE_CBC */
852
853 #if defined(MBEDTLS_CIPHER_MODE_CTR)
854 /*
855 * Camellia-CTR test vectors from:
856 *
857 * http://www.faqs.org/rfcs/rfc5528.html
858 */
859
860 static const unsigned char camellia_test_ctr_key[3][16] =
861 {
862 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
863 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
864 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
865 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
866 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
867 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
868 };
869
870 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
871 {
872 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
873 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
874 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
875 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
876 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
877 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
878 };
879
880 static const unsigned char camellia_test_ctr_pt[3][48] =
881 {
882 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
883 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
884
885 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
886 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
887 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
888 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
889
890 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
891 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
892 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
893 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
894 0x20, 0x21, 0x22, 0x23 }
895 };
896
897 static const unsigned char camellia_test_ctr_ct[3][48] =
898 {
899 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
900 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
901 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
902 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
903 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
904 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
905 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
906 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
907 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
908 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
909 0xDF, 0x50, 0x86, 0x96 }
910 };
911
912 static const int camellia_test_ctr_len[3] =
913 { 16, 32, 36 };
914 #endif /* MBEDTLS_CIPHER_MODE_CTR */
915
916 /*
917 * Checkup routine
918 */
mbedtls_camellia_self_test(int verbose)919 int mbedtls_camellia_self_test( int verbose )
920 {
921 int i, j, u, v;
922 unsigned char key[32];
923 unsigned char buf[64];
924 unsigned char src[16];
925 unsigned char dst[16];
926 #if defined(MBEDTLS_CIPHER_MODE_CBC)
927 unsigned char iv[16];
928 #endif
929 #if defined(MBEDTLS_CIPHER_MODE_CTR)
930 size_t offset, len;
931 unsigned char nonce_counter[16];
932 unsigned char stream_block[16];
933 #endif
934
935 mbedtls_camellia_context ctx;
936
937 memset( key, 0, 32 );
938
939 for( j = 0; j < 6; j++ ) {
940 u = j >> 1;
941 v = j & 1;
942
943 if( verbose != 0 )
944 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
945 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
946
947 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
948 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
949
950 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
951 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
952 memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
953 memcpy( dst, camellia_test_ecb_plain[i], 16 );
954 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
955 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
956 memcpy( src, camellia_test_ecb_plain[i], 16 );
957 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
958 }
959
960 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
961
962 if( memcmp( buf, dst, 16 ) != 0 )
963 {
964 if( verbose != 0 )
965 mbedtls_printf( "failed\n" );
966
967 return( 1 );
968 }
969 }
970
971 if( verbose != 0 )
972 mbedtls_printf( "passed\n" );
973 }
974
975 if( verbose != 0 )
976 mbedtls_printf( "\n" );
977
978 #if defined(MBEDTLS_CIPHER_MODE_CBC)
979 /*
980 * CBC mode
981 */
982 for( j = 0; j < 6; j++ )
983 {
984 u = j >> 1;
985 v = j & 1;
986
987 if( verbose != 0 )
988 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
989 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
990
991 memcpy( src, camellia_test_cbc_iv, 16 );
992 memcpy( dst, camellia_test_cbc_iv, 16 );
993 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
994
995 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
996 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
997 } else {
998 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
999 }
1000
1001 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
1002
1003 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
1004 memcpy( iv , src, 16 );
1005 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
1006 memcpy( dst, camellia_test_cbc_plain[i], 16 );
1007 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
1008 memcpy( iv , dst, 16 );
1009 memcpy( src, camellia_test_cbc_plain[i], 16 );
1010 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
1011 }
1012
1013 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
1014
1015 if( memcmp( buf, dst, 16 ) != 0 )
1016 {
1017 if( verbose != 0 )
1018 mbedtls_printf( "failed\n" );
1019
1020 return( 1 );
1021 }
1022 }
1023
1024 if( verbose != 0 )
1025 mbedtls_printf( "passed\n" );
1026 }
1027 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1028
1029 if( verbose != 0 )
1030 mbedtls_printf( "\n" );
1031
1032 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1033 /*
1034 * CTR mode
1035 */
1036 for( i = 0; i < 6; i++ )
1037 {
1038 u = i >> 1;
1039 v = i & 1;
1040
1041 if( verbose != 0 )
1042 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ",
1043 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1044
1045 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1046 memcpy( key, camellia_test_ctr_key[u], 16 );
1047
1048 offset = 0;
1049 mbedtls_camellia_setkey_enc( &ctx, key, 128 );
1050
1051 if( v == MBEDTLS_CAMELLIA_DECRYPT )
1052 {
1053 len = camellia_test_ctr_len[u];
1054 memcpy( buf, camellia_test_ctr_ct[u], len );
1055
1056 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1057 buf, buf );
1058
1059 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1060 {
1061 if( verbose != 0 )
1062 mbedtls_printf( "failed\n" );
1063
1064 return( 1 );
1065 }
1066 }
1067 else
1068 {
1069 len = camellia_test_ctr_len[u];
1070 memcpy( buf, camellia_test_ctr_pt[u], len );
1071
1072 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1073 buf, buf );
1074
1075 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1076 {
1077 if( verbose != 0 )
1078 mbedtls_printf( "failed\n" );
1079
1080 return( 1 );
1081 }
1082 }
1083
1084 if( verbose != 0 )
1085 mbedtls_printf( "passed\n" );
1086 }
1087
1088 if( verbose != 0 )
1089 mbedtls_printf( "\n" );
1090 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1091
1092 return( 0 );
1093 }
1094
1095 #endif /* MBEDTLS_SELF_TEST */
1096
1097 #endif /* MBEDTLS_CAMELLIA_C */
1098