1 /* 2 * Camellia implementation 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: GPL-2.0 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License along 18 * with this program; if not, write to the Free Software Foundation, Inc., 19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 /* 24 * The Camellia block cipher was designed by NTT and Mitsubishi Electric 25 * Corporation. 26 * 27 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf 28 */ 29 30 #if !defined(MBEDTLS_CONFIG_FILE) 31 #include "mbedtls/config.h" 32 #else 33 #include MBEDTLS_CONFIG_FILE 34 #endif 35 36 #if defined(MBEDTLS_CAMELLIA_C) 37 38 #include "mbedtls/camellia.h" 39 40 #include <string.h> 41 42 #if defined(MBEDTLS_SELF_TEST) 43 #if defined(MBEDTLS_PLATFORM_C) 44 #include "mbedtls/platform.h" 45 #else 46 #include <stdio.h> 47 #define mbedtls_printf printf 48 #endif /* MBEDTLS_PLATFORM_C */ 49 #endif /* MBEDTLS_SELF_TEST */ 50 51 #if !defined(MBEDTLS_CAMELLIA_ALT) 52 53 /* Implementation that should never be optimized out by the compiler */ 54 static void mbedtls_zeroize( void *v, size_t n ) { 55 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; 56 } 57 58 /* 59 * 32-bit integer manipulation macros (big endian) 60 */ 61 #ifndef GET_UINT32_BE 62 #define GET_UINT32_BE(n,b,i) \ 63 { \ 64 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \ 65 | ( (uint32_t) (b)[(i) + 1] << 16 ) \ 66 | ( (uint32_t) (b)[(i) + 2] << 8 ) \ 67 | ( (uint32_t) (b)[(i) + 3] ); \ 68 } 69 #endif 70 71 #ifndef PUT_UINT32_BE 72 #define PUT_UINT32_BE(n,b,i) \ 73 { \ 74 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 75 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 76 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 77 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 78 } 79 #endif 80 81 static const unsigned char SIGMA_CHARS[6][8] = 82 { 83 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b }, 84 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 }, 85 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe }, 86 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c }, 87 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d }, 88 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd } 89 }; 90 91 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY) 92 93 static const unsigned char FSb[256] = 94 { 95 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65, 96 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189, 97 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26, 98 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77, 99 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153, 100 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215, 101 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34, 102 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80, 103 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210, 104 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148, 105 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226, 106 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46, 107 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89, 108 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250, 109 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164, 110 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158 111 }; 112 113 #define SBOX1(n) FSb[(n)] 114 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff) 115 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff) 116 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff] 117 118 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ 119 120 static const unsigned char FSb[256] = 121 { 122 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65, 123 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189, 124 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26, 125 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77, 126 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153, 127 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215, 128 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34, 129 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80, 130 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210, 131 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148, 132 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226, 133 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46, 134 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89, 135 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250, 136 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164, 137 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158 138 }; 139 140 static const unsigned char FSb2[256] = 141 { 142 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130, 143 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123, 144 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52, 145 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154, 146 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51, 147 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175, 148 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68, 149 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160, 150 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165, 151 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41, 152 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197, 153 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92, 154 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178, 155 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245, 156 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73, 157 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61 158 }; 159 160 static const unsigned char FSb3[256] = 161 { 162 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160, 163 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222, 164 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13, 165 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166, 166 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204, 167 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235, 168 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17, 169 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40, 170 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105, 171 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74, 172 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113, 173 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23, 174 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172, 175 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125, 176 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82, 177 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79 178 }; 179 180 static const unsigned char FSb4[256] = 181 { 182 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146, 183 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108, 184 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4, 185 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105, 186 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221, 187 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99, 188 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141, 189 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128, 190 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189, 191 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77, 192 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215, 193 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80, 194 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148, 195 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46, 196 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250, 197 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158 198 }; 199 200 #define SBOX1(n) FSb[(n)] 201 #define SBOX2(n) FSb2[(n)] 202 #define SBOX3(n) FSb3[(n)] 203 #define SBOX4(n) FSb4[(n)] 204 205 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ 206 207 static const unsigned char shifts[2][4][4] = 208 { 209 { 210 { 1, 1, 1, 1 }, /* KL */ 211 { 0, 0, 0, 0 }, /* KR */ 212 { 1, 1, 1, 1 }, /* KA */ 213 { 0, 0, 0, 0 } /* KB */ 214 }, 215 { 216 { 1, 0, 1, 1 }, /* KL */ 217 { 1, 1, 0, 1 }, /* KR */ 218 { 1, 1, 1, 0 }, /* KA */ 219 { 1, 1, 0, 1 } /* KB */ 220 } 221 }; 222 223 static const signed char indexes[2][4][20] = 224 { 225 { 226 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39, 227 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */ 228 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 229 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */ 230 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17, 231 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */ 232 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 233 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */ 234 }, 235 { 236 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1, 237 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */ 238 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17, 239 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */ 240 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59, 241 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */ 242 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21, 243 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */ 244 } 245 }; 246 247 static const signed char transposes[2][20] = 248 { 249 { 250 21, 22, 23, 20, 251 -1, -1, -1, -1, 252 18, 19, 16, 17, 253 11, 8, 9, 10, 254 15, 12, 13, 14 255 }, 256 { 257 25, 26, 27, 24, 258 29, 30, 31, 28, 259 18, 19, 16, 17, 260 -1, -1, -1, -1, 261 -1, -1, -1, -1 262 } 263 }; 264 265 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */ 266 #define ROTL(DEST, SRC, SHIFT) \ 267 { \ 268 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \ 269 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \ 270 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \ 271 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \ 272 } 273 274 #define FL(XL, XR, KL, KR) \ 275 { \ 276 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \ 277 (XL) = ((XR) | (KR)) ^ (XL); \ 278 } 279 280 #define FLInv(YL, YR, KL, KR) \ 281 { \ 282 (YL) = ((YR) | (KR)) ^ (YL); \ 283 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \ 284 } 285 286 #define SHIFT_AND_PLACE(INDEX, OFFSET) \ 287 { \ 288 TK[0] = KC[(OFFSET) * 4 + 0]; \ 289 TK[1] = KC[(OFFSET) * 4 + 1]; \ 290 TK[2] = KC[(OFFSET) * 4 + 2]; \ 291 TK[3] = KC[(OFFSET) * 4 + 3]; \ 292 \ 293 for( i = 1; i <= 4; i++ ) \ 294 if( shifts[(INDEX)][(OFFSET)][i -1] ) \ 295 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \ 296 \ 297 for( i = 0; i < 20; i++ ) \ 298 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \ 299 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \ 300 } \ 301 } 302 303 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2], 304 uint32_t z[2]) 305 { 306 uint32_t I0, I1; 307 I0 = x[0] ^ k[0]; 308 I1 = x[1] ^ k[1]; 309 310 I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) | 311 ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) | 312 ((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) | 313 ((uint32_t) SBOX4((I0 ) & 0xFF) ); 314 I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) | 315 ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) | 316 ((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) | 317 ((uint32_t) SBOX1((I1 ) & 0xFF) ); 318 319 I0 ^= (I1 << 8) | (I1 >> 24); 320 I1 ^= (I0 << 16) | (I0 >> 16); 321 I0 ^= (I1 >> 8) | (I1 << 24); 322 I1 ^= (I0 >> 8) | (I0 << 24); 323 324 z[0] ^= I1; 325 z[1] ^= I0; 326 } 327 328 void mbedtls_camellia_init( mbedtls_camellia_context *ctx ) 329 { 330 memset( ctx, 0, sizeof( mbedtls_camellia_context ) ); 331 } 332 333 void mbedtls_camellia_free( mbedtls_camellia_context *ctx ) 334 { 335 if( ctx == NULL ) 336 return; 337 338 mbedtls_zeroize( ctx, sizeof( mbedtls_camellia_context ) ); 339 } 340 341 /* 342 * Camellia key schedule (encryption) 343 */ 344 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned char *key, 345 unsigned int keybits ) 346 { 347 int idx; 348 size_t i; 349 uint32_t *RK; 350 unsigned char t[64]; 351 uint32_t SIGMA[6][2]; 352 uint32_t KC[16]; 353 uint32_t TK[20]; 354 355 RK = ctx->rk; 356 357 memset( t, 0, 64 ); 358 memset( RK, 0, sizeof(ctx->rk) ); 359 360 switch( keybits ) 361 { 362 case 128: ctx->nr = 3; idx = 0; break; 363 case 192: 364 case 256: ctx->nr = 4; idx = 1; break; 365 default : return( MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH ); 366 } 367 368 for( i = 0; i < keybits / 8; ++i ) 369 t[i] = key[i]; 370 371 if( keybits == 192 ) { 372 for( i = 0; i < 8; i++ ) 373 t[24 + i] = ~t[16 + i]; 374 } 375 376 /* 377 * Prepare SIGMA values 378 */ 379 for( i = 0; i < 6; i++ ) { 380 GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 ); 381 GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 ); 382 } 383 384 /* 385 * Key storage in KC 386 * Order: KL, KR, KA, KB 387 */ 388 memset( KC, 0, sizeof(KC) ); 389 390 /* Store KL, KR */ 391 for( i = 0; i < 8; i++ ) 392 GET_UINT32_BE( KC[i], t, i * 4 ); 393 394 /* Generate KA */ 395 for( i = 0; i < 4; ++i ) 396 KC[8 + i] = KC[i] ^ KC[4 + i]; 397 398 camellia_feistel( KC + 8, SIGMA[0], KC + 10 ); 399 camellia_feistel( KC + 10, SIGMA[1], KC + 8 ); 400 401 for( i = 0; i < 4; ++i ) 402 KC[8 + i] ^= KC[i]; 403 404 camellia_feistel( KC + 8, SIGMA[2], KC + 10 ); 405 camellia_feistel( KC + 10, SIGMA[3], KC + 8 ); 406 407 if( keybits > 128 ) { 408 /* Generate KB */ 409 for( i = 0; i < 4; ++i ) 410 KC[12 + i] = KC[4 + i] ^ KC[8 + i]; 411 412 camellia_feistel( KC + 12, SIGMA[4], KC + 14 ); 413 camellia_feistel( KC + 14, SIGMA[5], KC + 12 ); 414 } 415 416 /* 417 * Generating subkeys 418 */ 419 420 /* Manipulating KL */ 421 SHIFT_AND_PLACE( idx, 0 ); 422 423 /* Manipulating KR */ 424 if( keybits > 128 ) { 425 SHIFT_AND_PLACE( idx, 1 ); 426 } 427 428 /* Manipulating KA */ 429 SHIFT_AND_PLACE( idx, 2 ); 430 431 /* Manipulating KB */ 432 if( keybits > 128 ) { 433 SHIFT_AND_PLACE( idx, 3 ); 434 } 435 436 /* Do transpositions */ 437 for( i = 0; i < 20; i++ ) { 438 if( transposes[idx][i] != -1 ) { 439 RK[32 + 12 * idx + i] = RK[transposes[idx][i]]; 440 } 441 } 442 443 return( 0 ); 444 } 445 446 /* 447 * Camellia key schedule (decryption) 448 */ 449 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, const unsigned char *key, 450 unsigned int keybits ) 451 { 452 int idx, ret; 453 size_t i; 454 mbedtls_camellia_context cty; 455 uint32_t *RK; 456 uint32_t *SK; 457 458 mbedtls_camellia_init( &cty ); 459 460 /* Also checks keybits */ 461 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 ) 462 goto exit; 463 464 ctx->nr = cty.nr; 465 idx = ( ctx->nr == 4 ); 466 467 RK = ctx->rk; 468 SK = cty.rk + 24 * 2 + 8 * idx * 2; 469 470 *RK++ = *SK++; 471 *RK++ = *SK++; 472 *RK++ = *SK++; 473 *RK++ = *SK++; 474 475 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 ) 476 { 477 *RK++ = *SK++; 478 *RK++ = *SK++; 479 } 480 481 SK -= 2; 482 483 *RK++ = *SK++; 484 *RK++ = *SK++; 485 *RK++ = *SK++; 486 *RK++ = *SK++; 487 488 exit: 489 mbedtls_camellia_free( &cty ); 490 491 return( ret ); 492 } 493 494 /* 495 * Camellia-ECB block encryption/decryption 496 */ 497 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx, 498 int mode, 499 const unsigned char input[16], 500 unsigned char output[16] ) 501 { 502 int NR; 503 uint32_t *RK, X[4]; 504 505 ( (void) mode ); 506 507 NR = ctx->nr; 508 RK = ctx->rk; 509 510 GET_UINT32_BE( X[0], input, 0 ); 511 GET_UINT32_BE( X[1], input, 4 ); 512 GET_UINT32_BE( X[2], input, 8 ); 513 GET_UINT32_BE( X[3], input, 12 ); 514 515 X[0] ^= *RK++; 516 X[1] ^= *RK++; 517 X[2] ^= *RK++; 518 X[3] ^= *RK++; 519 520 while( NR ) { 521 --NR; 522 camellia_feistel( X, RK, X + 2 ); 523 RK += 2; 524 camellia_feistel( X + 2, RK, X ); 525 RK += 2; 526 camellia_feistel( X, RK, X + 2 ); 527 RK += 2; 528 camellia_feistel( X + 2, RK, X ); 529 RK += 2; 530 camellia_feistel( X, RK, X + 2 ); 531 RK += 2; 532 camellia_feistel( X + 2, RK, X ); 533 RK += 2; 534 535 if( NR ) { 536 FL(X[0], X[1], RK[0], RK[1]); 537 RK += 2; 538 FLInv(X[2], X[3], RK[0], RK[1]); 539 RK += 2; 540 } 541 } 542 543 X[2] ^= *RK++; 544 X[3] ^= *RK++; 545 X[0] ^= *RK++; 546 X[1] ^= *RK++; 547 548 PUT_UINT32_BE( X[2], output, 0 ); 549 PUT_UINT32_BE( X[3], output, 4 ); 550 PUT_UINT32_BE( X[0], output, 8 ); 551 PUT_UINT32_BE( X[1], output, 12 ); 552 553 return( 0 ); 554 } 555 556 #if defined(MBEDTLS_CIPHER_MODE_CBC) 557 /* 558 * Camellia-CBC buffer encryption/decryption 559 */ 560 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx, 561 int mode, 562 size_t length, 563 unsigned char iv[16], 564 const unsigned char *input, 565 unsigned char *output ) 566 { 567 int i; 568 unsigned char temp[16]; 569 570 if( length % 16 ) 571 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH ); 572 573 if( mode == MBEDTLS_CAMELLIA_DECRYPT ) 574 { 575 while( length > 0 ) 576 { 577 memcpy( temp, input, 16 ); 578 mbedtls_camellia_crypt_ecb( ctx, mode, input, output ); 579 580 for( i = 0; i < 16; i++ ) 581 output[i] = (unsigned char)( output[i] ^ iv[i] ); 582 583 memcpy( iv, temp, 16 ); 584 585 input += 16; 586 output += 16; 587 length -= 16; 588 } 589 } 590 else 591 { 592 while( length > 0 ) 593 { 594 for( i = 0; i < 16; i++ ) 595 output[i] = (unsigned char)( input[i] ^ iv[i] ); 596 597 mbedtls_camellia_crypt_ecb( ctx, mode, output, output ); 598 memcpy( iv, output, 16 ); 599 600 input += 16; 601 output += 16; 602 length -= 16; 603 } 604 } 605 606 return( 0 ); 607 } 608 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 609 610 #if defined(MBEDTLS_CIPHER_MODE_CFB) 611 /* 612 * Camellia-CFB128 buffer encryption/decryption 613 */ 614 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx, 615 int mode, 616 size_t length, 617 size_t *iv_off, 618 unsigned char iv[16], 619 const unsigned char *input, 620 unsigned char *output ) 621 { 622 int c; 623 size_t n = *iv_off; 624 625 if( mode == MBEDTLS_CAMELLIA_DECRYPT ) 626 { 627 while( length-- ) 628 { 629 if( n == 0 ) 630 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv ); 631 632 c = *input++; 633 *output++ = (unsigned char)( c ^ iv[n] ); 634 iv[n] = (unsigned char) c; 635 636 n = ( n + 1 ) & 0x0F; 637 } 638 } 639 else 640 { 641 while( length-- ) 642 { 643 if( n == 0 ) 644 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv ); 645 646 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 647 648 n = ( n + 1 ) & 0x0F; 649 } 650 } 651 652 *iv_off = n; 653 654 return( 0 ); 655 } 656 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 657 658 #if defined(MBEDTLS_CIPHER_MODE_CTR) 659 /* 660 * Camellia-CTR buffer encryption/decryption 661 */ 662 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx, 663 size_t length, 664 size_t *nc_off, 665 unsigned char nonce_counter[16], 666 unsigned char stream_block[16], 667 const unsigned char *input, 668 unsigned char *output ) 669 { 670 int c, i; 671 size_t n = *nc_off; 672 673 while( length-- ) 674 { 675 if( n == 0 ) { 676 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter, 677 stream_block ); 678 679 for( i = 16; i > 0; i-- ) 680 if( ++nonce_counter[i - 1] != 0 ) 681 break; 682 } 683 c = *input++; 684 *output++ = (unsigned char)( c ^ stream_block[n] ); 685 686 n = ( n + 1 ) & 0x0F; 687 } 688 689 *nc_off = n; 690 691 return( 0 ); 692 } 693 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 694 #endif /* !MBEDTLS_CAMELLIA_ALT */ 695 696 #if defined(MBEDTLS_SELF_TEST) 697 698 /* 699 * Camellia test vectors from: 700 * 701 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html: 702 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt 703 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt 704 * (For each bitlength: Key 0, Nr 39) 705 */ 706 #define CAMELLIA_TESTS_ECB 2 707 708 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] = 709 { 710 { 711 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 712 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 }, 713 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 714 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 715 }, 716 { 717 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 718 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 719 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 }, 720 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 721 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 722 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 723 }, 724 { 725 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 726 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 727 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 728 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff }, 729 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 731 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 732 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 733 }, 734 }; 735 736 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] = 737 { 738 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 739 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 }, 740 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 741 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 742 }; 743 744 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] = 745 { 746 { 747 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73, 748 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 }, 749 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE, 750 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 } 751 }, 752 { 753 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8, 754 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 }, 755 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9, 756 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 } 757 }, 758 { 759 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c, 760 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 }, 761 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C, 762 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 } 763 } 764 }; 765 766 #if defined(MBEDTLS_CIPHER_MODE_CBC) 767 #define CAMELLIA_TESTS_CBC 3 768 769 static const unsigned char camellia_test_cbc_key[3][32] = 770 { 771 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 772 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C } 773 , 774 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 775 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 776 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B } 777 , 778 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 779 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 780 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 781 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 782 }; 783 784 static const unsigned char camellia_test_cbc_iv[16] = 785 786 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 787 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F } 788 ; 789 790 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] = 791 { 792 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 793 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A }, 794 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 795 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 }, 796 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 797 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF } 798 799 }; 800 801 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] = 802 { 803 { 804 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0, 805 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB }, 806 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78, 807 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 }, 808 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B, 809 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 } 810 }, 811 { 812 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2, 813 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 }, 814 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42, 815 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 }, 816 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8, 817 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 } 818 }, 819 { 820 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A, 821 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA }, 822 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40, 823 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 }, 824 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA, 825 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 } 826 } 827 }; 828 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 829 830 #if defined(MBEDTLS_CIPHER_MODE_CTR) 831 /* 832 * Camellia-CTR test vectors from: 833 * 834 * http://www.faqs.org/rfcs/rfc5528.html 835 */ 836 837 static const unsigned char camellia_test_ctr_key[3][16] = 838 { 839 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 840 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 841 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 842 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 843 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 844 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 845 }; 846 847 static const unsigned char camellia_test_ctr_nonce_counter[3][16] = 848 { 849 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 850 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 851 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 852 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 853 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 854 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 855 }; 856 857 static const unsigned char camellia_test_ctr_pt[3][48] = 858 { 859 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 860 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 861 862 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 863 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 864 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 865 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 866 867 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 868 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 869 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 870 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 871 0x20, 0x21, 0x22, 0x23 } 872 }; 873 874 static const unsigned char camellia_test_ctr_ct[3][48] = 875 { 876 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A, 877 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F }, 878 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4, 879 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44, 880 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7, 881 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 }, 882 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88, 883 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73, 884 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1, 885 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD, 886 0xDF, 0x50, 0x86, 0x96 } 887 }; 888 889 static const int camellia_test_ctr_len[3] = 890 { 16, 32, 36 }; 891 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 892 893 /* 894 * Checkup routine 895 */ 896 int mbedtls_camellia_self_test( int verbose ) 897 { 898 int i, j, u, v; 899 unsigned char key[32]; 900 unsigned char buf[64]; 901 unsigned char src[16]; 902 unsigned char dst[16]; 903 #if defined(MBEDTLS_CIPHER_MODE_CBC) 904 unsigned char iv[16]; 905 #endif 906 #if defined(MBEDTLS_CIPHER_MODE_CTR) 907 size_t offset, len; 908 unsigned char nonce_counter[16]; 909 unsigned char stream_block[16]; 910 #endif 911 912 mbedtls_camellia_context ctx; 913 914 memset( key, 0, 32 ); 915 916 for( j = 0; j < 6; j++ ) { 917 u = j >> 1; 918 v = j & 1; 919 920 if( verbose != 0 ) 921 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64, 922 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc"); 923 924 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) { 925 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u ); 926 927 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 928 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 ); 929 memcpy( src, camellia_test_ecb_cipher[u][i], 16 ); 930 memcpy( dst, camellia_test_ecb_plain[i], 16 ); 931 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */ 932 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 ); 933 memcpy( src, camellia_test_ecb_plain[i], 16 ); 934 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 ); 935 } 936 937 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf ); 938 939 if( memcmp( buf, dst, 16 ) != 0 ) 940 { 941 if( verbose != 0 ) 942 mbedtls_printf( "failed\n" ); 943 944 return( 1 ); 945 } 946 } 947 948 if( verbose != 0 ) 949 mbedtls_printf( "passed\n" ); 950 } 951 952 if( verbose != 0 ) 953 mbedtls_printf( "\n" ); 954 955 #if defined(MBEDTLS_CIPHER_MODE_CBC) 956 /* 957 * CBC mode 958 */ 959 for( j = 0; j < 6; j++ ) 960 { 961 u = j >> 1; 962 v = j & 1; 963 964 if( verbose != 0 ) 965 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64, 966 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" ); 967 968 memcpy( src, camellia_test_cbc_iv, 16 ); 969 memcpy( dst, camellia_test_cbc_iv, 16 ); 970 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u ); 971 972 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 973 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 ); 974 } else { 975 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 ); 976 } 977 978 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) { 979 980 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 981 memcpy( iv , src, 16 ); 982 memcpy( src, camellia_test_cbc_cipher[u][i], 16 ); 983 memcpy( dst, camellia_test_cbc_plain[i], 16 ); 984 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */ 985 memcpy( iv , dst, 16 ); 986 memcpy( src, camellia_test_cbc_plain[i], 16 ); 987 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 ); 988 } 989 990 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf ); 991 992 if( memcmp( buf, dst, 16 ) != 0 ) 993 { 994 if( verbose != 0 ) 995 mbedtls_printf( "failed\n" ); 996 997 return( 1 ); 998 } 999 } 1000 1001 if( verbose != 0 ) 1002 mbedtls_printf( "passed\n" ); 1003 } 1004 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1005 1006 if( verbose != 0 ) 1007 mbedtls_printf( "\n" ); 1008 1009 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1010 /* 1011 * CTR mode 1012 */ 1013 for( i = 0; i < 6; i++ ) 1014 { 1015 u = i >> 1; 1016 v = i & 1; 1017 1018 if( verbose != 0 ) 1019 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ", 1020 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" ); 1021 1022 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 ); 1023 memcpy( key, camellia_test_ctr_key[u], 16 ); 1024 1025 offset = 0; 1026 mbedtls_camellia_setkey_enc( &ctx, key, 128 ); 1027 1028 if( v == MBEDTLS_CAMELLIA_DECRYPT ) 1029 { 1030 len = camellia_test_ctr_len[u]; 1031 memcpy( buf, camellia_test_ctr_ct[u], len ); 1032 1033 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, 1034 buf, buf ); 1035 1036 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 ) 1037 { 1038 if( verbose != 0 ) 1039 mbedtls_printf( "failed\n" ); 1040 1041 return( 1 ); 1042 } 1043 } 1044 else 1045 { 1046 len = camellia_test_ctr_len[u]; 1047 memcpy( buf, camellia_test_ctr_pt[u], len ); 1048 1049 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, 1050 buf, buf ); 1051 1052 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 ) 1053 { 1054 if( verbose != 0 ) 1055 mbedtls_printf( "failed\n" ); 1056 1057 return( 1 ); 1058 } 1059 } 1060 1061 if( verbose != 0 ) 1062 mbedtls_printf( "passed\n" ); 1063 } 1064 1065 if( verbose != 0 ) 1066 mbedtls_printf( "\n" ); 1067 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1068 1069 return( 0 ); 1070 } 1071 1072 #endif /* MBEDTLS_SELF_TEST */ 1073 1074 #endif /* MBEDTLS_CAMELLIA_C */ 1075