TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / d2d2912d8950b80a567e90fc8c4b62e5d9355542 / . / lib / libmbedtls / mbedtls / library / camellia.c
blob: 29d730ab5369bf69c46daefea742145d442510a4 [file] [log] [blame]
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1/*
2 * Camellia implementation
3 *
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]18 */
19/*
20 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
21 * Corporation.
22 *
23 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
24 */
25
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]26#include "common.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]27
28#if defined(MBEDTLS_CAMELLIA_C)
29
30#include "mbedtls/camellia.h"
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]31#include "mbedtls/platform_util.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]32
33#include <string.h>
34
35#if defined(MBEDTLS_SELF_TEST)
36#if defined(MBEDTLS_PLATFORM_C)
37#include "mbedtls/platform.h"
38#else
39#include <stdio.h>
40#define mbedtls_printf printf
41#endif /* MBEDTLS_PLATFORM_C */
42#endif /* MBEDTLS_SELF_TEST */
43
44#if !defined(MBEDTLS_CAMELLIA_ALT)
45
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]46/* Parameter validation macros */
47#define CAMELLIA_VALIDATE_RET( cond ) \
48 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
49#define CAMELLIA_VALIDATE( cond ) \
50 MBEDTLS_INTERNAL_VALIDATE( cond )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]51
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]52static const unsigned char SIGMA_CHARS[6][8] =
53{
54 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
55 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
56 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
57 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
58 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
59 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
60};
61
62#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
63
64static const unsigned char FSb[256] =
65{
66 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
67 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
68 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
69 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
70 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
71 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
72 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
73 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
74 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
75 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
76 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
77 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
78 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
79 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
80 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
81 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
82};
83
84#define SBOX1(n) FSb[(n)]
85#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
86#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
87#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
88
89#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
90
91static const unsigned char FSb[256] =
92{
93 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
94 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
95 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
96 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
97 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
98 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
99 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
100 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
101 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
102 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
103 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
104 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
105 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
106 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
107 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
108 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
109};
110
111static const unsigned char FSb2[256] =
112{
113 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
114 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
115 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
116 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
117 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
118 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
119 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
120 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
121 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
122 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
123 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
124 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
125 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
126 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
127 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
128 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
129};
130
131static const unsigned char FSb3[256] =
132{
133 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
134 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
135 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
136 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
137 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
138 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
139 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
140 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
141 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
142 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
143 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
144 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
145 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
146 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
147 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
148 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
149};
150
151static const unsigned char FSb4[256] =
152{
153 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
154 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
155 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
156 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
157 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
158 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
159 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
160 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
161 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
162 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
163 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
164 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
165 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
166 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
167 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
168 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
169};
170
171#define SBOX1(n) FSb[(n)]
172#define SBOX2(n) FSb2[(n)]
173#define SBOX3(n) FSb3[(n)]
174#define SBOX4(n) FSb4[(n)]
175
176#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
177
178static const unsigned char shifts[2][4][4] =
179{
180 {
181 { 1, 1, 1, 1 }, /* KL */
182 { 0, 0, 0, 0 }, /* KR */
183 { 1, 1, 1, 1 }, /* KA */
184 { 0, 0, 0, 0 } /* KB */
185 },
186 {
187 { 1, 0, 1, 1 }, /* KL */
188 { 1, 1, 0, 1 }, /* KR */
189 { 1, 1, 1, 0 }, /* KA */
190 { 1, 1, 0, 1 } /* KB */
191 }
192};
193
194static const signed char indexes[2][4][20] =
195{
196 {
197 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
198 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
199 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
200 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
201 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
202 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
203 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
204 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
205 },
206 {
207 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
208 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
209 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
210 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
211 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
212 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
213 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
214 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
215 }
216};
217
218static const signed char transposes[2][20] =
219{
220 {
221 21, 22, 23, 20,
222 -1, -1, -1, -1,
223 18, 19, 16, 17,
224 11, 8, 9, 10,
225 15, 12, 13, 14
226 },
227 {
228 25, 26, 27, 24,
229 29, 30, 31, 28,
230 18, 19, 16, 17,
231 -1, -1, -1, -1,
232 -1, -1, -1, -1
233 }
234};
235
236/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
237#define ROTL(DEST, SRC, SHIFT) \
238{ \
239 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
240 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
241 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
242 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
243}
244
245#define FL(XL, XR, KL, KR) \
246{ \
247 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
248 (XL) = ((XR) | (KR)) ^ (XL); \
249}
250
251#define FLInv(YL, YR, KL, KR) \
252{ \
253 (YL) = ((YR) | (KR)) ^ (YL); \
254 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
255}
256
257#define SHIFT_AND_PLACE(INDEX, OFFSET) \
258{ \
259 TK[0] = KC[(OFFSET) * 4 + 0]; \
260 TK[1] = KC[(OFFSET) * 4 + 1]; \
261 TK[2] = KC[(OFFSET) * 4 + 2]; \
262 TK[3] = KC[(OFFSET) * 4 + 3]; \
263 \
264 for( i = 1; i <= 4; i++ ) \
265 if( shifts[(INDEX)][(OFFSET)][i -1] ) \
266 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \
267 \
268 for( i = 0; i < 20; i++ ) \
269 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \
270 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
271 } \
272}
273
274static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
275 uint32_t z[2])
276{
277 uint32_t I0, I1;
278 I0 = x[0] ^ k[0];
279 I1 = x[1] ^ k[1];
280
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]281 I0 = ((uint32_t) SBOX1( MBEDTLS_BYTE_3( I0 )) << 24) |
282 ((uint32_t) SBOX2( MBEDTLS_BYTE_2( I0 )) << 16) |
283 ((uint32_t) SBOX3( MBEDTLS_BYTE_1( I0 )) << 8) |
284 ((uint32_t) SBOX4( MBEDTLS_BYTE_0( I0 )) );
285 I1 = ((uint32_t) SBOX2( MBEDTLS_BYTE_3( I1 )) << 24) |
286 ((uint32_t) SBOX3( MBEDTLS_BYTE_2( I1 )) << 16) |
287 ((uint32_t) SBOX4( MBEDTLS_BYTE_1( I1 )) << 8) |
288 ((uint32_t) SBOX1( MBEDTLS_BYTE_0( I1 )) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]289
290 I0 ^= (I1 << 8) | (I1 >> 24);
291 I1 ^= (I0 << 16) | (I0 >> 16);
292 I0 ^= (I1 >> 8) | (I1 << 24);
293 I1 ^= (I0 >> 8) | (I0 << 24);
294
295 z[0] ^= I1;
296 z[1] ^= I0;
297}
298
299void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
300{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]301 CAMELLIA_VALIDATE( ctx != NULL );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]302 memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
303}
304
305void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
306{
307 if( ctx == NULL )
308 return;
309
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]310 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]311}
312
313/*
314 * Camellia key schedule (encryption)
315 */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]316int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
317 const unsigned char *key,
318 unsigned int keybits )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]319{
320 int idx;
321 size_t i;
322 uint32_t *RK;
323 unsigned char t[64];
324 uint32_t SIGMA[6][2];
325 uint32_t KC[16];
326 uint32_t TK[20];
327
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]328 CAMELLIA_VALIDATE_RET( ctx != NULL );
329 CAMELLIA_VALIDATE_RET( key != NULL );
330
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]331 RK = ctx->rk;
332
333 memset( t, 0, 64 );
334 memset( RK, 0, sizeof(ctx->rk) );
335
336 switch( keybits )
337 {
338 case 128: ctx->nr = 3; idx = 0; break;
339 case 192:
340 case 256: ctx->nr = 4; idx = 1; break;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]341 default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]342 }
343
344 for( i = 0; i < keybits / 8; ++i )
345 t[i] = key[i];
346
347 if( keybits == 192 ) {
348 for( i = 0; i < 8; i++ )
349 t[24 + i] = ~t[16 + i];
350 }
351
352 /*
353 * Prepare SIGMA values
354 */
355 for( i = 0; i < 6; i++ ) {
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]356 SIGMA[i][0] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 0 );
357 SIGMA[i][1] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 4 );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]358 }
359
360 /*
361 * Key storage in KC
362 * Order: KL, KR, KA, KB
363 */
364 memset( KC, 0, sizeof(KC) );
365
366 /* Store KL, KR */
367 for( i = 0; i < 8; i++ )
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]368 KC[i] = MBEDTLS_GET_UINT32_BE( t, i * 4 );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]369
370 /* Generate KA */
371 for( i = 0; i < 4; ++i )
372 KC[8 + i] = KC[i] ^ KC[4 + i];
373
374 camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
375 camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
376
377 for( i = 0; i < 4; ++i )
378 KC[8 + i] ^= KC[i];
379
380 camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
381 camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
382
383 if( keybits > 128 ) {
384 /* Generate KB */
385 for( i = 0; i < 4; ++i )
386 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
387
388 camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
389 camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
390 }
391
392 /*
393 * Generating subkeys
394 */
395
396 /* Manipulating KL */
397 SHIFT_AND_PLACE( idx, 0 );
398
399 /* Manipulating KR */
400 if( keybits > 128 ) {
401 SHIFT_AND_PLACE( idx, 1 );
402 }
403
404 /* Manipulating KA */
405 SHIFT_AND_PLACE( idx, 2 );
406
407 /* Manipulating KB */
408 if( keybits > 128 ) {
409 SHIFT_AND_PLACE( idx, 3 );
410 }
411
412 /* Do transpositions */
413 for( i = 0; i < 20; i++ ) {
414 if( transposes[idx][i] != -1 ) {
415 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
416 }
417 }
418
419 return( 0 );
420}
421
422/*
423 * Camellia key schedule (decryption)
424 */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]425int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
426 const unsigned char *key,
427 unsigned int keybits )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]428{
429 int idx, ret;
430 size_t i;
431 mbedtls_camellia_context cty;
432 uint32_t *RK;
433 uint32_t *SK;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]434 CAMELLIA_VALIDATE_RET( ctx != NULL );
435 CAMELLIA_VALIDATE_RET( key != NULL );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]436
437 mbedtls_camellia_init( &cty );
438
439 /* Also checks keybits */
440 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
441 goto exit;
442
443 ctx->nr = cty.nr;
444 idx = ( ctx->nr == 4 );
445
446 RK = ctx->rk;
447 SK = cty.rk + 24 * 2 + 8 * idx * 2;
448
449 *RK++ = *SK++;
450 *RK++ = *SK++;
451 *RK++ = *SK++;
452 *RK++ = *SK++;
453
454 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
455 {
456 *RK++ = *SK++;
457 *RK++ = *SK++;
458 }
459
460 SK -= 2;
461
462 *RK++ = *SK++;
463 *RK++ = *SK++;
464 *RK++ = *SK++;
465 *RK++ = *SK++;
466
467exit:
468 mbedtls_camellia_free( &cty );
469
470 return( ret );
471}
472
473/*
474 * Camellia-ECB block encryption/decryption
475 */
476int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
477 int mode,
478 const unsigned char input[16],
479 unsigned char output[16] )
480{
481 int NR;
482 uint32_t *RK, X[4];
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]483 CAMELLIA_VALIDATE_RET( ctx != NULL );
484 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
485 mode == MBEDTLS_CAMELLIA_DECRYPT );
486 CAMELLIA_VALIDATE_RET( input != NULL );
487 CAMELLIA_VALIDATE_RET( output != NULL );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]488
489 ( (void) mode );
490
491 NR = ctx->nr;
492 RK = ctx->rk;
493
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]494 X[0] = MBEDTLS_GET_UINT32_BE( input, 0 );
495 X[1] = MBEDTLS_GET_UINT32_BE( input, 4 );
496 X[2] = MBEDTLS_GET_UINT32_BE( input, 8 );
497 X[3] = MBEDTLS_GET_UINT32_BE( input, 12 );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]498
499 X[0] ^= *RK++;
500 X[1] ^= *RK++;
501 X[2] ^= *RK++;
502 X[3] ^= *RK++;
503
504 while( NR ) {
505 --NR;
506 camellia_feistel( X, RK, X + 2 );
507 RK += 2;
508 camellia_feistel( X + 2, RK, X );
509 RK += 2;
510 camellia_feistel( X, RK, X + 2 );
511 RK += 2;
512 camellia_feistel( X + 2, RK, X );
513 RK += 2;
514 camellia_feistel( X, RK, X + 2 );
515 RK += 2;
516 camellia_feistel( X + 2, RK, X );
517 RK += 2;
518
519 if( NR ) {
520 FL(X[0], X[1], RK[0], RK[1]);
521 RK += 2;
522 FLInv(X[2], X[3], RK[0], RK[1]);
523 RK += 2;
524 }
525 }
526
527 X[2] ^= *RK++;
528 X[3] ^= *RK++;
529 X[0] ^= *RK++;
530 X[1] ^= *RK++;
531
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]532 MBEDTLS_PUT_UINT32_BE( X[2], output, 0 );
533 MBEDTLS_PUT_UINT32_BE( X[3], output, 4 );
534 MBEDTLS_PUT_UINT32_BE( X[0], output, 8 );
535 MBEDTLS_PUT_UINT32_BE( X[1], output, 12 );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]536
537 return( 0 );
538}
539
540#if defined(MBEDTLS_CIPHER_MODE_CBC)
541/*
542 * Camellia-CBC buffer encryption/decryption
543 */
544int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]545 int mode,
546 size_t length,
547 unsigned char iv[16],
548 const unsigned char *input,
549 unsigned char *output )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]550{
551 int i;
552 unsigned char temp[16];
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]553 CAMELLIA_VALIDATE_RET( ctx != NULL );
554 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
555 mode == MBEDTLS_CAMELLIA_DECRYPT );
556 CAMELLIA_VALIDATE_RET( iv != NULL );
557 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
558 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]559
560 if( length % 16 )
561 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
562
563 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
564 {
565 while( length > 0 )
566 {
567 memcpy( temp, input, 16 );
568 mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
569
570 for( i = 0; i < 16; i++ )
571 output[i] = (unsigned char)( output[i] ^ iv[i] );
572
573 memcpy( iv, temp, 16 );
574
575 input += 16;
576 output += 16;
577 length -= 16;
578 }
579 }
580 else
581 {
582 while( length > 0 )
583 {
584 for( i = 0; i < 16; i++ )
585 output[i] = (unsigned char)( input[i] ^ iv[i] );
586
587 mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
588 memcpy( iv, output, 16 );
589
590 input += 16;
591 output += 16;
592 length -= 16;
593 }
594 }
595
596 return( 0 );
597}
598#endif /* MBEDTLS_CIPHER_MODE_CBC */
599
600#if defined(MBEDTLS_CIPHER_MODE_CFB)
601/*
602 * Camellia-CFB128 buffer encryption/decryption
603 */
604int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
605 int mode,
606 size_t length,
607 size_t *iv_off,
608 unsigned char iv[16],
609 const unsigned char *input,
610 unsigned char *output )
611{
612 int c;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]613 size_t n;
614 CAMELLIA_VALIDATE_RET( ctx != NULL );
615 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
616 mode == MBEDTLS_CAMELLIA_DECRYPT );
617 CAMELLIA_VALIDATE_RET( iv != NULL );
618 CAMELLIA_VALIDATE_RET( iv_off != NULL );
619 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
620 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
621
622 n = *iv_off;
623 if( n >= 16 )
624 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]625
626 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
627 {
628 while( length-- )
629 {
630 if( n == 0 )
631 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
632
633 c = *input++;
634 *output++ = (unsigned char)( c ^ iv[n] );
635 iv[n] = (unsigned char) c;
636
637 n = ( n + 1 ) & 0x0F;
638 }
639 }
640 else
641 {
642 while( length-- )
643 {
644 if( n == 0 )
645 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
646
647 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
648
649 n = ( n + 1 ) & 0x0F;
650 }
651 }
652
653 *iv_off = n;
654
655 return( 0 );
656}
657#endif /* MBEDTLS_CIPHER_MODE_CFB */
658
659#if defined(MBEDTLS_CIPHER_MODE_CTR)
660/*
661 * Camellia-CTR buffer encryption/decryption
662 */
663int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
664 size_t length,
665 size_t *nc_off,
666 unsigned char nonce_counter[16],
667 unsigned char stream_block[16],
668 const unsigned char *input,
669 unsigned char *output )
670{
671 int c, i;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]672 size_t n;
673 CAMELLIA_VALIDATE_RET( ctx != NULL );
674 CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
675 CAMELLIA_VALIDATE_RET( stream_block != NULL );
676 CAMELLIA_VALIDATE_RET( nc_off != NULL );
677 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
678 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
679
680 n = *nc_off;
681 if( n >= 16 )
682 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]683
684 while( length-- )
685 {
686 if( n == 0 ) {
687 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
688 stream_block );
689
690 for( i = 16; i > 0; i-- )
691 if( ++nonce_counter[i - 1] != 0 )
692 break;
693 }
694 c = *input++;
695 *output++ = (unsigned char)( c ^ stream_block[n] );
696
697 n = ( n + 1 ) & 0x0F;
698 }
699
700 *nc_off = n;
701
702 return( 0 );
703}
704#endif /* MBEDTLS_CIPHER_MODE_CTR */
705#endif /* !MBEDTLS_CAMELLIA_ALT */
706
707#if defined(MBEDTLS_SELF_TEST)
708
709/*
710 * Camellia test vectors from:
711 *
712 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
713 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
714 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
715 * (For each bitlength: Key 0, Nr 39)
716 */
717#define CAMELLIA_TESTS_ECB 2
718
719static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
720{
721 {
722 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
723 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
724 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
725 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
726 },
727 {
728 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
729 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
730 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
731 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
732 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
733 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
734 },
735 {
736 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
737 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
738 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
739 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
740 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
741 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
744 },
745};
746
747static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
748{
749 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
750 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
751 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
752 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
753};
754
755static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
756{
757 {
758 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
759 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
760 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
761 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
762 },
763 {
764 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
765 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
766 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
767 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
768 },
769 {
770 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
771 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
772 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
773 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
774 }
775};
776
777#if defined(MBEDTLS_CIPHER_MODE_CBC)
778#define CAMELLIA_TESTS_CBC 3
779
780static const unsigned char camellia_test_cbc_key[3][32] =
781{
782 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
783 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
784 ,
785 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
786 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
787 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
788 ,
789 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
790 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
791 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
792 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
793};
794
795static const unsigned char camellia_test_cbc_iv[16] =
796
797 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
798 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
799;
800
801static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
802{
803 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
804 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
805 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
806 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
807 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
808 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
809
810};
811
812static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
813{
814 {
815 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
816 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
817 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
818 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
819 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
820 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
821 },
822 {
823 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
824 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
825 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
826 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
827 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
828 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
829 },
830 {
831 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
832 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
833 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
834 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
835 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
836 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
837 }
838};
839#endif /* MBEDTLS_CIPHER_MODE_CBC */
840
841#if defined(MBEDTLS_CIPHER_MODE_CTR)
842/*
843 * Camellia-CTR test vectors from:
844 *
845 * http://www.faqs.org/rfcs/rfc5528.html
846 */
847
848static const unsigned char camellia_test_ctr_key[3][16] =
849{
850 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
851 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
852 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
853 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
854 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
855 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
856};
857
858static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
859{
860 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
861 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
862 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
863 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
864 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
865 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
866};
867
868static const unsigned char camellia_test_ctr_pt[3][48] =
869{
870 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
871 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
872
873 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
874 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
875 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
876 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
877
878 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
879 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
880 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
881 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
882 0x20, 0x21, 0x22, 0x23 }
883};
884
885static const unsigned char camellia_test_ctr_ct[3][48] =
886{
887 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
888 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
889 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
890 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
891 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
892 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
893 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
894 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
895 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
896 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
897 0xDF, 0x50, 0x86, 0x96 }
898};
899
900static const int camellia_test_ctr_len[3] =
901 { 16, 32, 36 };
902#endif /* MBEDTLS_CIPHER_MODE_CTR */
903
904/*
905 * Checkup routine
906 */
907int mbedtls_camellia_self_test( int verbose )
908{
909 int i, j, u, v;
910 unsigned char key[32];
911 unsigned char buf[64];
912 unsigned char src[16];
913 unsigned char dst[16];
914#if defined(MBEDTLS_CIPHER_MODE_CBC)
915 unsigned char iv[16];
916#endif
917#if defined(MBEDTLS_CIPHER_MODE_CTR)
918 size_t offset, len;
919 unsigned char nonce_counter[16];
920 unsigned char stream_block[16];
921#endif
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]922 int ret = 1;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]923
924 mbedtls_camellia_context ctx;
925
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]926 mbedtls_camellia_init( &ctx );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]927 memset( key, 0, 32 );
928
929 for( j = 0; j < 6; j++ ) {
930 u = j >> 1;
931 v = j & 1;
932
933 if( verbose != 0 )
934 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
935 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
936
937 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
938 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
939
940 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
941 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
942 memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
943 memcpy( dst, camellia_test_ecb_plain[i], 16 );
944 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
945 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
946 memcpy( src, camellia_test_ecb_plain[i], 16 );
947 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
948 }
949
950 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
951
952 if( memcmp( buf, dst, 16 ) != 0 )
953 {
954 if( verbose != 0 )
955 mbedtls_printf( "failed\n" );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]956 goto exit;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]957 }
958 }
959
960 if( verbose != 0 )
961 mbedtls_printf( "passed\n" );
962 }
963
964 if( verbose != 0 )
965 mbedtls_printf( "\n" );
966
967#if defined(MBEDTLS_CIPHER_MODE_CBC)
968 /*
969 * CBC mode
970 */
971 for( j = 0; j < 6; j++ )
972 {
973 u = j >> 1;
974 v = j & 1;
975
976 if( verbose != 0 )
977 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
978 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
979
980 memcpy( src, camellia_test_cbc_iv, 16 );
981 memcpy( dst, camellia_test_cbc_iv, 16 );
982 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
983
984 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
985 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
986 } else {
987 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
988 }
989
990 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
991
992 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
993 memcpy( iv , src, 16 );
994 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
995 memcpy( dst, camellia_test_cbc_plain[i], 16 );
996 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
997 memcpy( iv , dst, 16 );
998 memcpy( src, camellia_test_cbc_plain[i], 16 );
999 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
1000 }
1001
1002 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
1003
1004 if( memcmp( buf, dst, 16 ) != 0 )
1005 {
1006 if( verbose != 0 )
1007 mbedtls_printf( "failed\n" );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1008 goto exit;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1009 }
1010 }
1011
1012 if( verbose != 0 )
1013 mbedtls_printf( "passed\n" );
1014 }
1015#endif /* MBEDTLS_CIPHER_MODE_CBC */
1016
1017 if( verbose != 0 )
1018 mbedtls_printf( "\n" );
1019
1020#if defined(MBEDTLS_CIPHER_MODE_CTR)
1021 /*
1022 * CTR mode
1023 */
1024 for( i = 0; i < 6; i++ )
1025 {
1026 u = i >> 1;
1027 v = i & 1;
1028
1029 if( verbose != 0 )
1030 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ",
1031 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1032
1033 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1034 memcpy( key, camellia_test_ctr_key[u], 16 );
1035
1036 offset = 0;
1037 mbedtls_camellia_setkey_enc( &ctx, key, 128 );
1038
1039 if( v == MBEDTLS_CAMELLIA_DECRYPT )
1040 {
1041 len = camellia_test_ctr_len[u];
1042 memcpy( buf, camellia_test_ctr_ct[u], len );
1043
1044 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1045 buf, buf );
1046
1047 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1048 {
1049 if( verbose != 0 )
1050 mbedtls_printf( "failed\n" );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1051 goto exit;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1052 }
1053 }
1054 else
1055 {
1056 len = camellia_test_ctr_len[u];
1057 memcpy( buf, camellia_test_ctr_pt[u], len );
1058
1059 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1060 buf, buf );
1061
1062 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1063 {
1064 if( verbose != 0 )
1065 mbedtls_printf( "failed\n" );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1066 goto exit;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1067 }
1068 }
1069
1070 if( verbose != 0 )
1071 mbedtls_printf( "passed\n" );
1072 }
1073
1074 if( verbose != 0 )
1075 mbedtls_printf( "\n" );
1076#endif /* MBEDTLS_CIPHER_MODE_CTR */
1077
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1078 ret = 0;
1079
1080exit:
1081 mbedtls_camellia_free( &ctx );
1082 return( ret );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1083}
1084
1085#endif /* MBEDTLS_SELF_TEST */
1086
1087#endif /* MBEDTLS_CAMELLIA_C */