1 /*
2 * Camellia implementation
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21 /*
22 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
23 * Corporation.
24 *
25 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
26 */
27
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
30 #else
31 #include MBEDTLS_CONFIG_FILE
32 #endif
33
34 #if defined(MBEDTLS_CAMELLIA_C)
35
36 #include "mbedtls/camellia.h"
37 #include "mbedtls/platform_util.h"
38
39 #include <string.h>
40
41 #if defined(MBEDTLS_SELF_TEST)
42 #if defined(MBEDTLS_PLATFORM_C)
43 #include "mbedtls/platform.h"
44 #else
45 #include <stdio.h>
46 #define mbedtls_printf printf
47 #endif /* MBEDTLS_PLATFORM_C */
48 #endif /* MBEDTLS_SELF_TEST */
49
50 #if !defined(MBEDTLS_CAMELLIA_ALT)
51
52 /* Parameter validation macros */
53 #define CAMELLIA_VALIDATE_RET( cond ) \
54 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
55 #define CAMELLIA_VALIDATE( cond ) \
56 MBEDTLS_INTERNAL_VALIDATE( cond )
57
58 /*
59 * 32-bit integer manipulation macros (big endian)
60 */
61 #ifndef GET_UINT32_BE
62 #define GET_UINT32_BE(n,b,i) \
63 { \
64 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
65 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
66 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
67 | ( (uint32_t) (b)[(i) + 3] ); \
68 }
69 #endif
70
71 #ifndef PUT_UINT32_BE
72 #define PUT_UINT32_BE(n,b,i) \
73 { \
74 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
75 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
76 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
77 (b)[(i) + 3] = (unsigned char) ( (n) ); \
78 }
79 #endif
80
81 static const unsigned char SIGMA_CHARS[6][8] =
82 {
83 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
84 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
85 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
86 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
87 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
88 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
89 };
90
91 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
92
93 static const unsigned char FSb[256] =
94 {
95 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
96 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
97 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
98 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
99 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
100 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
101 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
102 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
103 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
104 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
105 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
106 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
107 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
108 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
109 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
110 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
111 };
112
113 #define SBOX1(n) FSb[(n)]
114 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
115 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
116 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
117
118 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
119
120 static const unsigned char FSb[256] =
121 {
122 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
123 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
124 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
125 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
126 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
127 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
128 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
129 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
130 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
131 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
132 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
133 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
134 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
135 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
136 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
137 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
138 };
139
140 static const unsigned char FSb2[256] =
141 {
142 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
143 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
144 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
145 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
146 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
147 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
148 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
149 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
150 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
151 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
152 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
153 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
154 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
155 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
156 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
157 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
158 };
159
160 static const unsigned char FSb3[256] =
161 {
162 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
163 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
164 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
165 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
166 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
167 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
168 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
169 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
170 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
171 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
172 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
173 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
174 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
175 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
176 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
177 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
178 };
179
180 static const unsigned char FSb4[256] =
181 {
182 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
183 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
184 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
185 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
186 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
187 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
188 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
189 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
190 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
191 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
192 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
193 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
194 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
195 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
196 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
197 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
198 };
199
200 #define SBOX1(n) FSb[(n)]
201 #define SBOX2(n) FSb2[(n)]
202 #define SBOX3(n) FSb3[(n)]
203 #define SBOX4(n) FSb4[(n)]
204
205 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
206
207 static const unsigned char shifts[2][4][4] =
208 {
209 {
210 { 1, 1, 1, 1 }, /* KL */
211 { 0, 0, 0, 0 }, /* KR */
212 { 1, 1, 1, 1 }, /* KA */
213 { 0, 0, 0, 0 } /* KB */
214 },
215 {
216 { 1, 0, 1, 1 }, /* KL */
217 { 1, 1, 0, 1 }, /* KR */
218 { 1, 1, 1, 0 }, /* KA */
219 { 1, 1, 0, 1 } /* KB */
220 }
221 };
222
223 static const signed char indexes[2][4][20] =
224 {
225 {
226 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
227 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
228 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
229 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
230 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
231 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
232 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
233 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
234 },
235 {
236 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
237 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
238 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
239 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
240 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
241 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
242 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
243 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
244 }
245 };
246
247 static const signed char transposes[2][20] =
248 {
249 {
250 21, 22, 23, 20,
251 -1, -1, -1, -1,
252 18, 19, 16, 17,
253 11, 8, 9, 10,
254 15, 12, 13, 14
255 },
256 {
257 25, 26, 27, 24,
258 29, 30, 31, 28,
259 18, 19, 16, 17,
260 -1, -1, -1, -1,
261 -1, -1, -1, -1
262 }
263 };
264
265 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
266 #define ROTL(DEST, SRC, SHIFT) \
267 { \
268 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
269 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
270 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
271 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
272 }
273
274 #define FL(XL, XR, KL, KR) \
275 { \
276 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
277 (XL) = ((XR) | (KR)) ^ (XL); \
278 }
279
280 #define FLInv(YL, YR, KL, KR) \
281 { \
282 (YL) = ((YR) | (KR)) ^ (YL); \
283 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
284 }
285
286 #define SHIFT_AND_PLACE(INDEX, OFFSET) \
287 { \
288 TK[0] = KC[(OFFSET) * 4 + 0]; \
289 TK[1] = KC[(OFFSET) * 4 + 1]; \
290 TK[2] = KC[(OFFSET) * 4 + 2]; \
291 TK[3] = KC[(OFFSET) * 4 + 3]; \
292 \
293 for( i = 1; i <= 4; i++ ) \
294 if( shifts[(INDEX)][(OFFSET)][i -1] ) \
295 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \
296 \
297 for( i = 0; i < 20; i++ ) \
298 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \
299 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
300 } \
301 }
302
camellia_feistel(const uint32_t x[2],const uint32_t k[2],uint32_t z[2])303 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
304 uint32_t z[2])
305 {
306 uint32_t I0, I1;
307 I0 = x[0] ^ k[0];
308 I1 = x[1] ^ k[1];
309
310 I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
311 ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
312 ((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) |
313 ((uint32_t) SBOX4((I0 ) & 0xFF) );
314 I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
315 ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
316 ((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) |
317 ((uint32_t) SBOX1((I1 ) & 0xFF) );
318
319 I0 ^= (I1 << 8) | (I1 >> 24);
320 I1 ^= (I0 << 16) | (I0 >> 16);
321 I0 ^= (I1 >> 8) | (I1 << 24);
322 I1 ^= (I0 >> 8) | (I0 << 24);
323
324 z[0] ^= I1;
325 z[1] ^= I0;
326 }
327
mbedtls_camellia_init(mbedtls_camellia_context * ctx)328 void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
329 {
330 CAMELLIA_VALIDATE( ctx != NULL );
331 memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
332 }
333
mbedtls_camellia_free(mbedtls_camellia_context * ctx)334 void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
335 {
336 if( ctx == NULL )
337 return;
338
339 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
340 }
341
342 /*
343 * Camellia key schedule (encryption)
344 */
mbedtls_camellia_setkey_enc(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)345 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
346 const unsigned char *key,
347 unsigned int keybits )
348 {
349 int idx;
350 size_t i;
351 uint32_t *RK;
352 unsigned char t[64];
353 uint32_t SIGMA[6][2];
354 uint32_t KC[16];
355 uint32_t TK[20];
356
357 CAMELLIA_VALIDATE_RET( ctx != NULL );
358 CAMELLIA_VALIDATE_RET( key != NULL );
359
360 RK = ctx->rk;
361
362 memset( t, 0, 64 );
363 memset( RK, 0, sizeof(ctx->rk) );
364
365 switch( keybits )
366 {
367 case 128: ctx->nr = 3; idx = 0; break;
368 case 192:
369 case 256: ctx->nr = 4; idx = 1; break;
370 default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
371 }
372
373 for( i = 0; i < keybits / 8; ++i )
374 t[i] = key[i];
375
376 if( keybits == 192 ) {
377 for( i = 0; i < 8; i++ )
378 t[24 + i] = ~t[16 + i];
379 }
380
381 /*
382 * Prepare SIGMA values
383 */
384 for( i = 0; i < 6; i++ ) {
385 GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
386 GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
387 }
388
389 /*
390 * Key storage in KC
391 * Order: KL, KR, KA, KB
392 */
393 memset( KC, 0, sizeof(KC) );
394
395 /* Store KL, KR */
396 for( i = 0; i < 8; i++ )
397 GET_UINT32_BE( KC[i], t, i * 4 );
398
399 /* Generate KA */
400 for( i = 0; i < 4; ++i )
401 KC[8 + i] = KC[i] ^ KC[4 + i];
402
403 camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
404 camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
405
406 for( i = 0; i < 4; ++i )
407 KC[8 + i] ^= KC[i];
408
409 camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
410 camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
411
412 if( keybits > 128 ) {
413 /* Generate KB */
414 for( i = 0; i < 4; ++i )
415 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
416
417 camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
418 camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
419 }
420
421 /*
422 * Generating subkeys
423 */
424
425 /* Manipulating KL */
426 SHIFT_AND_PLACE( idx, 0 );
427
428 /* Manipulating KR */
429 if( keybits > 128 ) {
430 SHIFT_AND_PLACE( idx, 1 );
431 }
432
433 /* Manipulating KA */
434 SHIFT_AND_PLACE( idx, 2 );
435
436 /* Manipulating KB */
437 if( keybits > 128 ) {
438 SHIFT_AND_PLACE( idx, 3 );
439 }
440
441 /* Do transpositions */
442 for( i = 0; i < 20; i++ ) {
443 if( transposes[idx][i] != -1 ) {
444 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
445 }
446 }
447
448 return( 0 );
449 }
450
451 /*
452 * Camellia key schedule (decryption)
453 */
mbedtls_camellia_setkey_dec(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)454 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
455 const unsigned char *key,
456 unsigned int keybits )
457 {
458 int idx, ret;
459 size_t i;
460 mbedtls_camellia_context cty;
461 uint32_t *RK;
462 uint32_t *SK;
463 CAMELLIA_VALIDATE_RET( ctx != NULL );
464 CAMELLIA_VALIDATE_RET( key != NULL );
465
466 mbedtls_camellia_init( &cty );
467
468 /* Also checks keybits */
469 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
470 goto exit;
471
472 ctx->nr = cty.nr;
473 idx = ( ctx->nr == 4 );
474
475 RK = ctx->rk;
476 SK = cty.rk + 24 * 2 + 8 * idx * 2;
477
478 *RK++ = *SK++;
479 *RK++ = *SK++;
480 *RK++ = *SK++;
481 *RK++ = *SK++;
482
483 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
484 {
485 *RK++ = *SK++;
486 *RK++ = *SK++;
487 }
488
489 SK -= 2;
490
491 *RK++ = *SK++;
492 *RK++ = *SK++;
493 *RK++ = *SK++;
494 *RK++ = *SK++;
495
496 exit:
497 mbedtls_camellia_free( &cty );
498
499 return( ret );
500 }
501
502 /*
503 * Camellia-ECB block encryption/decryption
504 */
mbedtls_camellia_crypt_ecb(mbedtls_camellia_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])505 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
506 int mode,
507 const unsigned char input[16],
508 unsigned char output[16] )
509 {
510 int NR;
511 uint32_t *RK, X[4];
512 CAMELLIA_VALIDATE_RET( ctx != NULL );
513 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
514 mode == MBEDTLS_CAMELLIA_DECRYPT );
515 CAMELLIA_VALIDATE_RET( input != NULL );
516 CAMELLIA_VALIDATE_RET( output != NULL );
517
518 ( (void) mode );
519
520 NR = ctx->nr;
521 RK = ctx->rk;
522
523 GET_UINT32_BE( X[0], input, 0 );
524 GET_UINT32_BE( X[1], input, 4 );
525 GET_UINT32_BE( X[2], input, 8 );
526 GET_UINT32_BE( X[3], input, 12 );
527
528 X[0] ^= *RK++;
529 X[1] ^= *RK++;
530 X[2] ^= *RK++;
531 X[3] ^= *RK++;
532
533 while( NR ) {
534 --NR;
535 camellia_feistel( X, RK, X + 2 );
536 RK += 2;
537 camellia_feistel( X + 2, RK, X );
538 RK += 2;
539 camellia_feistel( X, RK, X + 2 );
540 RK += 2;
541 camellia_feistel( X + 2, RK, X );
542 RK += 2;
543 camellia_feistel( X, RK, X + 2 );
544 RK += 2;
545 camellia_feistel( X + 2, RK, X );
546 RK += 2;
547
548 if( NR ) {
549 FL(X[0], X[1], RK[0], RK[1]);
550 RK += 2;
551 FLInv(X[2], X[3], RK[0], RK[1]);
552 RK += 2;
553 }
554 }
555
556 X[2] ^= *RK++;
557 X[3] ^= *RK++;
558 X[0] ^= *RK++;
559 X[1] ^= *RK++;
560
561 PUT_UINT32_BE( X[2], output, 0 );
562 PUT_UINT32_BE( X[3], output, 4 );
563 PUT_UINT32_BE( X[0], output, 8 );
564 PUT_UINT32_BE( X[1], output, 12 );
565
566 return( 0 );
567 }
568
569 #if defined(MBEDTLS_CIPHER_MODE_CBC)
570 /*
571 * Camellia-CBC buffer encryption/decryption
572 */
mbedtls_camellia_crypt_cbc(mbedtls_camellia_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)573 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
574 int mode,
575 size_t length,
576 unsigned char iv[16],
577 const unsigned char *input,
578 unsigned char *output )
579 {
580 int i;
581 unsigned char temp[16];
582 CAMELLIA_VALIDATE_RET( ctx != NULL );
583 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
584 mode == MBEDTLS_CAMELLIA_DECRYPT );
585 CAMELLIA_VALIDATE_RET( iv != NULL );
586 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
587 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
588
589 if( length % 16 )
590 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
591
592 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
593 {
594 while( length > 0 )
595 {
596 memcpy( temp, input, 16 );
597 mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
598
599 for( i = 0; i < 16; i++ )
600 output[i] = (unsigned char)( output[i] ^ iv[i] );
601
602 memcpy( iv, temp, 16 );
603
604 input += 16;
605 output += 16;
606 length -= 16;
607 }
608 }
609 else
610 {
611 while( length > 0 )
612 {
613 for( i = 0; i < 16; i++ )
614 output[i] = (unsigned char)( input[i] ^ iv[i] );
615
616 mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
617 memcpy( iv, output, 16 );
618
619 input += 16;
620 output += 16;
621 length -= 16;
622 }
623 }
624
625 return( 0 );
626 }
627 #endif /* MBEDTLS_CIPHER_MODE_CBC */
628
629 #if defined(MBEDTLS_CIPHER_MODE_CFB)
630 /*
631 * Camellia-CFB128 buffer encryption/decryption
632 */
mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)633 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
634 int mode,
635 size_t length,
636 size_t *iv_off,
637 unsigned char iv[16],
638 const unsigned char *input,
639 unsigned char *output )
640 {
641 int c;
642 size_t n;
643 CAMELLIA_VALIDATE_RET( ctx != NULL );
644 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
645 mode == MBEDTLS_CAMELLIA_DECRYPT );
646 CAMELLIA_VALIDATE_RET( iv != NULL );
647 CAMELLIA_VALIDATE_RET( iv_off != NULL );
648 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
649 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
650
651 n = *iv_off;
652 if( n >= 16 )
653 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
654
655 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
656 {
657 while( length-- )
658 {
659 if( n == 0 )
660 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
661
662 c = *input++;
663 *output++ = (unsigned char)( c ^ iv[n] );
664 iv[n] = (unsigned char) c;
665
666 n = ( n + 1 ) & 0x0F;
667 }
668 }
669 else
670 {
671 while( length-- )
672 {
673 if( n == 0 )
674 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
675
676 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
677
678 n = ( n + 1 ) & 0x0F;
679 }
680 }
681
682 *iv_off = n;
683
684 return( 0 );
685 }
686 #endif /* MBEDTLS_CIPHER_MODE_CFB */
687
688 #if defined(MBEDTLS_CIPHER_MODE_CTR)
689 /*
690 * Camellia-CTR buffer encryption/decryption
691 */
mbedtls_camellia_crypt_ctr(mbedtls_camellia_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)692 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
693 size_t length,
694 size_t *nc_off,
695 unsigned char nonce_counter[16],
696 unsigned char stream_block[16],
697 const unsigned char *input,
698 unsigned char *output )
699 {
700 int c, i;
701 size_t n;
702 CAMELLIA_VALIDATE_RET( ctx != NULL );
703 CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
704 CAMELLIA_VALIDATE_RET( stream_block != NULL );
705 CAMELLIA_VALIDATE_RET( nc_off != NULL );
706 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
707 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
708
709 n = *nc_off;
710 if( n >= 16 )
711 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
712
713 while( length-- )
714 {
715 if( n == 0 ) {
716 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
717 stream_block );
718
719 for( i = 16; i > 0; i-- )
720 if( ++nonce_counter[i - 1] != 0 )
721 break;
722 }
723 c = *input++;
724 *output++ = (unsigned char)( c ^ stream_block[n] );
725
726 n = ( n + 1 ) & 0x0F;
727 }
728
729 *nc_off = n;
730
731 return( 0 );
732 }
733 #endif /* MBEDTLS_CIPHER_MODE_CTR */
734 #endif /* !MBEDTLS_CAMELLIA_ALT */
735
736 #if defined(MBEDTLS_SELF_TEST)
737
738 /*
739 * Camellia test vectors from:
740 *
741 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
742 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
743 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
744 * (For each bitlength: Key 0, Nr 39)
745 */
746 #define CAMELLIA_TESTS_ECB 2
747
748 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
749 {
750 {
751 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
752 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
753 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
754 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
755 },
756 {
757 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
758 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
759 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
760 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
761 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
762 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
763 },
764 {
765 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
766 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
767 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
768 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
769 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
770 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
771 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
773 },
774 };
775
776 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
777 {
778 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
779 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
780 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
781 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
782 };
783
784 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
785 {
786 {
787 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
788 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
789 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
790 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
791 },
792 {
793 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
794 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
795 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
796 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
797 },
798 {
799 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
800 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
801 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
802 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
803 }
804 };
805
806 #if defined(MBEDTLS_CIPHER_MODE_CBC)
807 #define CAMELLIA_TESTS_CBC 3
808
809 static const unsigned char camellia_test_cbc_key[3][32] =
810 {
811 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
812 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
813 ,
814 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
815 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
816 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
817 ,
818 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
819 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
820 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
821 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
822 };
823
824 static const unsigned char camellia_test_cbc_iv[16] =
825
826 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
827 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
828 ;
829
830 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
831 {
832 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
833 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
834 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
835 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
836 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
837 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
838
839 };
840
841 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
842 {
843 {
844 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
845 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
846 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
847 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
848 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
849 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
850 },
851 {
852 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
853 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
854 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
855 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
856 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
857 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
858 },
859 {
860 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
861 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
862 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
863 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
864 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
865 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
866 }
867 };
868 #endif /* MBEDTLS_CIPHER_MODE_CBC */
869
870 #if defined(MBEDTLS_CIPHER_MODE_CTR)
871 /*
872 * Camellia-CTR test vectors from:
873 *
874 * http://www.faqs.org/rfcs/rfc5528.html
875 */
876
877 static const unsigned char camellia_test_ctr_key[3][16] =
878 {
879 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
880 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
881 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
882 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
883 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
884 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
885 };
886
887 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
888 {
889 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
890 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
891 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
892 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
893 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
894 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
895 };
896
897 static const unsigned char camellia_test_ctr_pt[3][48] =
898 {
899 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
900 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
901
902 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
903 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
904 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
905 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
906
907 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
908 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
909 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
910 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
911 0x20, 0x21, 0x22, 0x23 }
912 };
913
914 static const unsigned char camellia_test_ctr_ct[3][48] =
915 {
916 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
917 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
918 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
919 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
920 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
921 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
922 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
923 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
924 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
925 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
926 0xDF, 0x50, 0x86, 0x96 }
927 };
928
929 static const int camellia_test_ctr_len[3] =
930 { 16, 32, 36 };
931 #endif /* MBEDTLS_CIPHER_MODE_CTR */
932
933 /*
934 * Checkup routine
935 */
mbedtls_camellia_self_test(int verbose)936 int mbedtls_camellia_self_test( int verbose )
937 {
938 int i, j, u, v;
939 unsigned char key[32];
940 unsigned char buf[64];
941 unsigned char src[16];
942 unsigned char dst[16];
943 #if defined(MBEDTLS_CIPHER_MODE_CBC)
944 unsigned char iv[16];
945 #endif
946 #if defined(MBEDTLS_CIPHER_MODE_CTR)
947 size_t offset, len;
948 unsigned char nonce_counter[16];
949 unsigned char stream_block[16];
950 #endif
951
952 mbedtls_camellia_context ctx;
953
954 memset( key, 0, 32 );
955
956 for( j = 0; j < 6; j++ ) {
957 u = j >> 1;
958 v = j & 1;
959
960 if( verbose != 0 )
961 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
962 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
963
964 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
965 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
966
967 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
968 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
969 memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
970 memcpy( dst, camellia_test_ecb_plain[i], 16 );
971 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
972 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
973 memcpy( src, camellia_test_ecb_plain[i], 16 );
974 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
975 }
976
977 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
978
979 if( memcmp( buf, dst, 16 ) != 0 )
980 {
981 if( verbose != 0 )
982 mbedtls_printf( "failed\n" );
983
984 return( 1 );
985 }
986 }
987
988 if( verbose != 0 )
989 mbedtls_printf( "passed\n" );
990 }
991
992 if( verbose != 0 )
993 mbedtls_printf( "\n" );
994
995 #if defined(MBEDTLS_CIPHER_MODE_CBC)
996 /*
997 * CBC mode
998 */
999 for( j = 0; j < 6; j++ )
1000 {
1001 u = j >> 1;
1002 v = j & 1;
1003
1004 if( verbose != 0 )
1005 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
1006 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1007
1008 memcpy( src, camellia_test_cbc_iv, 16 );
1009 memcpy( dst, camellia_test_cbc_iv, 16 );
1010 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
1011
1012 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
1013 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
1014 } else {
1015 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
1016 }
1017
1018 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
1019
1020 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
1021 memcpy( iv , src, 16 );
1022 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
1023 memcpy( dst, camellia_test_cbc_plain[i], 16 );
1024 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
1025 memcpy( iv , dst, 16 );
1026 memcpy( src, camellia_test_cbc_plain[i], 16 );
1027 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
1028 }
1029
1030 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
1031
1032 if( memcmp( buf, dst, 16 ) != 0 )
1033 {
1034 if( verbose != 0 )
1035 mbedtls_printf( "failed\n" );
1036
1037 return( 1 );
1038 }
1039 }
1040
1041 if( verbose != 0 )
1042 mbedtls_printf( "passed\n" );
1043 }
1044 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1045
1046 if( verbose != 0 )
1047 mbedtls_printf( "\n" );
1048
1049 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1050 /*
1051 * CTR mode
1052 */
1053 for( i = 0; i < 6; i++ )
1054 {
1055 u = i >> 1;
1056 v = i & 1;
1057
1058 if( verbose != 0 )
1059 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ",
1060 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1061
1062 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1063 memcpy( key, camellia_test_ctr_key[u], 16 );
1064
1065 offset = 0;
1066 mbedtls_camellia_setkey_enc( &ctx, key, 128 );
1067
1068 if( v == MBEDTLS_CAMELLIA_DECRYPT )
1069 {
1070 len = camellia_test_ctr_len[u];
1071 memcpy( buf, camellia_test_ctr_ct[u], len );
1072
1073 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1074 buf, buf );
1075
1076 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1077 {
1078 if( verbose != 0 )
1079 mbedtls_printf( "failed\n" );
1080
1081 return( 1 );
1082 }
1083 }
1084 else
1085 {
1086 len = camellia_test_ctr_len[u];
1087 memcpy( buf, camellia_test_ctr_pt[u], len );
1088
1089 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1090 buf, buf );
1091
1092 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1093 {
1094 if( verbose != 0 )
1095 mbedtls_printf( "failed\n" );
1096
1097 return( 1 );
1098 }
1099 }
1100
1101 if( verbose != 0 )
1102 mbedtls_printf( "passed\n" );
1103 }
1104
1105 if( verbose != 0 )
1106 mbedtls_printf( "\n" );
1107 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1108
1109 return( 0 );
1110 }
1111
1112 #endif /* MBEDTLS_SELF_TEST */
1113
1114 #endif /* MBEDTLS_CAMELLIA_C */
1115