TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 4e9f71227aa3e926ff457e01152c708ae7f3adcc / . / library / camellia.c
blob: e3609d3554c039c81fb23cceadfb0fe6d7711359 [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1/*
2 * Camellia implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Bence Szépkúti4e9f7122020-06-05 13:02:18 +0200[diff] [blame^]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]24 *
Bence Szépkúti4e9f7122020-06-05 13:02:18 +0200[diff] [blame^]25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]46 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]47 */
48/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]49 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
50 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]51 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]52 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]53 */
54
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]55#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]56#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]57#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]58#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]59#endif
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]60
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]61#if defined(MBEDTLS_CAMELLIA_C)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]62
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]63#include "mbedtls/camellia.h"
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]64
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]65#include <string.h>
Manuel Pégourié-Gonnard394608e2015-02-17 16:01:07 +0100[diff] [blame]66
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]67#if defined(MBEDTLS_SELF_TEST)
68#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]69#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]70#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]71#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]72#define mbedtls_printf printf
73#endif /* MBEDTLS_PLATFORM_C */
74#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]75
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]76#if !defined(MBEDTLS_CAMELLIA_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]77
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]78/* Implementation that should never be optimized out by the compiler */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]79static void mbedtls_zeroize( void *v, size_t n ) {
Simon Butcher88ffc082016-05-20 00:00:37 +0100[diff] [blame]80 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]81}
82
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]83/*
84 * 32-bit integer manipulation macros (big endian)
85 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]86#ifndef GET_UINT32_BE
87#define GET_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]88{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]89 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
90 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
91 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
92 | ( (uint32_t) (b)[(i) + 3] ); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]93}
94#endif
95
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]96#ifndef PUT_UINT32_BE
97#define PUT_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]98{ \
99 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
100 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
101 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
102 (b)[(i) + 3] = (unsigned char) ( (n) ); \
103}
104#endif
105
106static const unsigned char SIGMA_CHARS[6][8] =
107{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]108 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
109 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
110 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
111 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
112 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
113 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]114};
115
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]116#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]117
118static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]119{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]120 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
121 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
122 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
123 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
124 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
125 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
126 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
127 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
128 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
129 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
130 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
131 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
132 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
133 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
134 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
135 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]136};
137
138#define SBOX1(n) FSb[(n)]
139#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
140#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]141#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
142
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]143#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]144
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]145static const unsigned char FSb[256] =
146{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]147 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
148 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
149 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
150 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
151 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
152 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
153 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
154 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
155 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
156 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
157 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
158 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
159 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
160 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
161 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
162 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]163};
164
165static const unsigned char FSb2[256] =
166{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]167 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
168 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
169 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
170 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
171 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
172 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
173 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
174 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
175 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
176 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
177 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
178 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
179 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
180 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
181 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
182 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]183};
184
185static const unsigned char FSb3[256] =
186{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]187 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
188 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
189 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
190 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
191 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
192 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
193 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
194 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
195 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
196 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
197 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
198 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
199 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
200 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
201 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
202 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]203};
204
205static const unsigned char FSb4[256] =
206{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]207 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
208 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
209 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
210 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
211 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
212 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
213 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
214 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
215 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
216 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
217 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
218 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
219 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
220 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
221 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
222 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]223};
224
225#define SBOX1(n) FSb[(n)]
226#define SBOX2(n) FSb2[(n)]
227#define SBOX3(n) FSb3[(n)]
228#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]229
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]230#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]231
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]232static const unsigned char shifts[2][4][4] =
233{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]234 {
235 { 1, 1, 1, 1 }, /* KL */
236 { 0, 0, 0, 0 }, /* KR */
237 { 1, 1, 1, 1 }, /* KA */
238 { 0, 0, 0, 0 } /* KB */
239 },
240 {
241 { 1, 0, 1, 1 }, /* KL */
242 { 1, 1, 0, 1 }, /* KR */
243 { 1, 1, 1, 0 }, /* KA */
244 { 1, 1, 0, 1 } /* KB */
245 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]246};
247
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]248static const signed char indexes[2][4][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]249{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]250 {
251 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
252 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
253 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
254 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
255 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
256 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
257 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
258 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
259 },
260 {
261 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
262 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
263 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
264 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
265 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
266 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
267 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
268 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
269 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]270};
271
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]272static const signed char transposes[2][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]273{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]274 {
275 21, 22, 23, 20,
276 -1, -1, -1, -1,
277 18, 19, 16, 17,
278 11, 8, 9, 10,
279 15, 12, 13, 14
280 },
281 {
282 25, 26, 27, 24,
283 29, 30, 31, 28,
284 18, 19, 16, 17,
285 -1, -1, -1, -1,
286 -1, -1, -1, -1
287 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]288};
289
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]290/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]291#define ROTL(DEST, SRC, SHIFT) \
292{ \
293 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
294 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
295 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
296 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]297}
298
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]299#define FL(XL, XR, KL, KR) \
300{ \
301 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
302 (XL) = ((XR) | (KR)) ^ (XL); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]303}
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]304
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]305#define FLInv(YL, YR, KL, KR) \
306{ \
307 (YL) = ((YR) | (KR)) ^ (YL); \
308 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]309}
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]310
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]311#define SHIFT_AND_PLACE(INDEX, OFFSET) \
312{ \
313 TK[0] = KC[(OFFSET) * 4 + 0]; \
314 TK[1] = KC[(OFFSET) * 4 + 1]; \
315 TK[2] = KC[(OFFSET) * 4 + 2]; \
316 TK[3] = KC[(OFFSET) * 4 + 3]; \
317 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]318 for( i = 1; i <= 4; i++ ) \
319 if( shifts[(INDEX)][(OFFSET)][i -1] ) \
320 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]321 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]322 for( i = 0; i < 20; i++ ) \
323 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \
324 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
325 } \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]326}
327
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]328static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
329 uint32_t z[2])
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]330{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]331 uint32_t I0, I1;
332 I0 = x[0] ^ k[0];
333 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]334
Manuel Pégourié-Gonnardb31b61b2014-11-10 13:05:43 +0100[diff] [blame]335 I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
336 ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
337 ((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) |
338 ((uint32_t) SBOX4((I0 ) & 0xFF) );
339 I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
340 ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
341 ((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) |
342 ((uint32_t) SBOX1((I1 ) & 0xFF) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]343
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]344 I0 ^= (I1 << 8) | (I1 >> 24);
345 I1 ^= (I0 << 16) | (I0 >> 16);
346 I0 ^= (I1 >> 8) | (I1 << 24);
347 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]348
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]349 z[0] ^= I1;
350 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]351}
352
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]353void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]354{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]355 memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]356}
357
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]358void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]359{
360 if( ctx == NULL )
361 return;
362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]363 mbedtls_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]364}
365
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]366/*
367 * Camellia key schedule (encryption)
368 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]369int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]370 unsigned int keybits )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]371{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]372 int idx;
373 size_t i;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]374 uint32_t *RK;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]375 unsigned char t[64];
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]376 uint32_t SIGMA[6][2];
377 uint32_t KC[16];
378 uint32_t TK[20];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]379
380 RK = ctx->rk;
381
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]382 memset( t, 0, 64 );
383 memset( RK, 0, sizeof(ctx->rk) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]384
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]385 switch( keybits )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]386 {
387 case 128: ctx->nr = 3; idx = 0; break;
388 case 192:
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]389 case 256: ctx->nr = 4; idx = 1; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]390 default : return( MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]391 }
392
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]393 for( i = 0; i < keybits / 8; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]394 t[i] = key[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]395
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]396 if( keybits == 192 ) {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]397 for( i = 0; i < 8; i++ )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]398 t[24 + i] = ~t[16 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]399 }
400
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]401 /*
402 * Prepare SIGMA values
403 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]404 for( i = 0; i < 6; i++ ) {
405 GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
406 GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]407 }
408
409 /*
410 * Key storage in KC
411 * Order: KL, KR, KA, KB
412 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]413 memset( KC, 0, sizeof(KC) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]414
415 /* Store KL, KR */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]416 for( i = 0; i < 8; i++ )
417 GET_UINT32_BE( KC[i], t, i * 4 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]418
419 /* Generate KA */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]420 for( i = 0; i < 4; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]421 KC[8 + i] = KC[i] ^ KC[4 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]422
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]423 camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
424 camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]425
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]426 for( i = 0; i < 4; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]427 KC[8 + i] ^= KC[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]428
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]429 camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
430 camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]431
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]432 if( keybits > 128 ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]433 /* Generate KB */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]434 for( i = 0; i < 4; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]435 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]436
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]437 camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
438 camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]439 }
440
441 /*
442 * Generating subkeys
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]443 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]444
445 /* Manipulating KL */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]446 SHIFT_AND_PLACE( idx, 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]447
448 /* Manipulating KR */
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]449 if( keybits > 128 ) {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]450 SHIFT_AND_PLACE( idx, 1 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]451 }
452
453 /* Manipulating KA */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]454 SHIFT_AND_PLACE( idx, 2 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]455
456 /* Manipulating KB */
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]457 if( keybits > 128 ) {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]458 SHIFT_AND_PLACE( idx, 3 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]459 }
460
461 /* Do transpositions */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]462 for( i = 0; i < 20; i++ ) {
463 if( transposes[idx][i] != -1 ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]464 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
465 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]466 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]467
468 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]469}
470
471/*
472 * Camellia key schedule (decryption)
473 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]474int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]475 unsigned int keybits )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]476{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]477 int idx, ret;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]478 size_t i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]479 mbedtls_camellia_context cty;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]480 uint32_t *RK;
481 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]482
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]483 mbedtls_camellia_init( &cty );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]484
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]485 /* Also checks keybits */
486 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]487 goto exit;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]488
Manuel Pégourié-Gonnard3ac6a2b2014-05-28 22:04:25 +0200[diff] [blame]489 ctx->nr = cty.nr;
490 idx = ( ctx->nr == 4 );
491
492 RK = ctx->rk;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]493 SK = cty.rk + 24 * 2 + 8 * idx * 2;
494
495 *RK++ = *SK++;
496 *RK++ = *SK++;
497 *RK++ = *SK++;
498 *RK++ = *SK++;
499
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]500 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]501 {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]502 *RK++ = *SK++;
503 *RK++ = *SK++;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]504 }
505
506 SK -= 2;
507
508 *RK++ = *SK++;
509 *RK++ = *SK++;
510 *RK++ = *SK++;
511 *RK++ = *SK++;
512
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]513exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]514 mbedtls_camellia_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]515
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]516 return( ret );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]517}
518
519/*
520 * Camellia-ECB block encryption/decryption
521 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]523 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]524 const unsigned char input[16],
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]525 unsigned char output[16] )
526{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]527 int NR;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]528 uint32_t *RK, X[4];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]529
Paul Bakkerc2547b02009-07-20 20:40:52 +0000[diff] [blame]530 ( (void) mode );
531
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]532 NR = ctx->nr;
533 RK = ctx->rk;
534
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]535 GET_UINT32_BE( X[0], input, 0 );
536 GET_UINT32_BE( X[1], input, 4 );
537 GET_UINT32_BE( X[2], input, 8 );
538 GET_UINT32_BE( X[3], input, 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]539
540 X[0] ^= *RK++;
541 X[1] ^= *RK++;
542 X[2] ^= *RK++;
543 X[3] ^= *RK++;
544
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]545 while( NR ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]546 --NR;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]547 camellia_feistel( X, RK, X + 2 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]548 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]549 camellia_feistel( X + 2, RK, X );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]550 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]551 camellia_feistel( X, RK, X + 2 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]552 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]553 camellia_feistel( X + 2, RK, X );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]554 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]555 camellia_feistel( X, RK, X + 2 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]556 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]557 camellia_feistel( X + 2, RK, X );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]558 RK += 2;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]559
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]560 if( NR ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]561 FL(X[0], X[1], RK[0], RK[1]);
562 RK += 2;
563 FLInv(X[2], X[3], RK[0], RK[1]);
564 RK += 2;
565 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]566 }
567
568 X[2] ^= *RK++;
569 X[3] ^= *RK++;
570 X[0] ^= *RK++;
571 X[1] ^= *RK++;
572
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]573 PUT_UINT32_BE( X[2], output, 0 );
574 PUT_UINT32_BE( X[3], output, 4 );
575 PUT_UINT32_BE( X[0], output, 8 );
576 PUT_UINT32_BE( X[1], output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]577
578 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]579}
580
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]582/*
583 * Camellia-CBC buffer encryption/decryption
584 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]585int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]586 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]587 size_t length,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]588 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]589 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]590 unsigned char *output )
591{
592 int i;
593 unsigned char temp[16];
594
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]595 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]596 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]597
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]598 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]599 {
600 while( length > 0 )
601 {
602 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]603 mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]604
605 for( i = 0; i < 16; i++ )
606 output[i] = (unsigned char)( output[i] ^ iv[i] );
607
608 memcpy( iv, temp, 16 );
609
610 input += 16;
611 output += 16;
612 length -= 16;
613 }
614 }
615 else
616 {
617 while( length > 0 )
618 {
619 for( i = 0; i < 16; i++ )
620 output[i] = (unsigned char)( input[i] ^ iv[i] );
621
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]622 mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]623 memcpy( iv, output, 16 );
624
625 input += 16;
626 output += 16;
627 length -= 16;
628 }
629 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]630
631 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]632}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]633#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]634
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]635#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]636/*
637 * Camellia-CFB128 buffer encryption/decryption
638 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]639int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]640 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]641 size_t length,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]642 size_t *iv_off,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]643 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]644 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]645 unsigned char *output )
646{
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]647 int c;
648 size_t n = *iv_off;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]650 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]651 {
652 while( length-- )
653 {
654 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]655 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]656
657 c = *input++;
658 *output++ = (unsigned char)( c ^ iv[n] );
659 iv[n] = (unsigned char) c;
660
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]661 n = ( n + 1 ) & 0x0F;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]662 }
663 }
664 else
665 {
666 while( length-- )
667 {
668 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]669 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]670
671 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
672
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]673 n = ( n + 1 ) & 0x0F;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]674 }
675 }
676
677 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]678
679 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]680}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]681#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]683#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]684/*
685 * Camellia-CTR buffer encryption/decryption
686 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]687int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]688 size_t length,
689 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]690 unsigned char nonce_counter[16],
691 unsigned char stream_block[16],
692 const unsigned char *input,
693 unsigned char *output )
694{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]695 int c, i;
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]696 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]697
698 while( length-- )
699 {
700 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]702 stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]703
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]704 for( i = 16; i > 0; i-- )
705 if( ++nonce_counter[i - 1] != 0 )
706 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]707 }
708 c = *input++;
709 *output++ = (unsigned char)( c ^ stream_block[n] );
710
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]711 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]712 }
713
714 *nc_off = n;
715
716 return( 0 );
717}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]718#endif /* MBEDTLS_CIPHER_MODE_CTR */
719#endif /* !MBEDTLS_CAMELLIA_ALT */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]720
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]721#if defined(MBEDTLS_SELF_TEST)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]722
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]723/*
724 * Camellia test vectors from:
725 *
726 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
727 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
728 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]729 * (For each bitlength: Key 0, Nr 39)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]730 */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]731#define CAMELLIA_TESTS_ECB 2
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]732
733static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
734{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]735 {
736 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
737 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]738 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]739 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
740 },
741 {
742 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
743 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
744 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]745 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
747 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
748 },
749 {
750 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
751 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
752 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
753 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]754 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]755 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
756 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
757 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
758 },
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]759};
760
761static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
762{
763 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
764 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]765 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
767};
768
769static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
770{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]771 {
772 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
773 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
774 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
775 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
776 },
777 {
778 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
779 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
780 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
781 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
782 },
783 {
784 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
785 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
786 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
787 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
788 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]789};
790
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]791#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]792#define CAMELLIA_TESTS_CBC 3
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]793
794static const unsigned char camellia_test_cbc_key[3][32] =
795{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]796 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
797 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
798 ,
799 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
800 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
801 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
802 ,
803 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
804 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
805 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
806 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]807};
808
809static const unsigned char camellia_test_cbc_iv[16] =
810
811 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
812 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
813;
814
815static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
816{
817 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
818 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
819 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
820 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
821 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
822 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
823
824};
825
826static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
827{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]828 {
829 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
830 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
831 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
832 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
833 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
834 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
835 },
836 {
837 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
838 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
839 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
840 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
841 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
842 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
843 },
844 {
845 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
846 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
847 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
848 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
849 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
850 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
851 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]852};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]853#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]854
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]855#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]856/*
857 * Camellia-CTR test vectors from:
858 *
859 * http://www.faqs.org/rfcs/rfc5528.html
860 */
861
862static const unsigned char camellia_test_ctr_key[3][16] =
863{
864 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
865 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
866 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
867 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
868 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
869 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
870};
871
872static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
873{
874 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
875 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
876 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
877 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
878 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
879 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
880};
881
882static const unsigned char camellia_test_ctr_pt[3][48] =
883{
884 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
885 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
886
887 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
888 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
889 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
890 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
891
892 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
893 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
894 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
895 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
896 0x20, 0x21, 0x22, 0x23 }
897};
898
899static const unsigned char camellia_test_ctr_ct[3][48] =
900{
901 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
902 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
903 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
904 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
905 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
906 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
907 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
908 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
909 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
910 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
911 0xDF, 0x50, 0x86, 0x96 }
912};
913
914static const int camellia_test_ctr_len[3] =
915 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]916#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]917
918/*
919 * Checkup routine
920 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]921int mbedtls_camellia_self_test( int verbose )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]922{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]923 int i, j, u, v;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]924 unsigned char key[32];
925 unsigned char buf[64];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]926 unsigned char src[16];
927 unsigned char dst[16];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]928#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]929 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]930#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]931#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]932 size_t offset, len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]933 unsigned char nonce_counter[16];
934 unsigned char stream_block[16];
935#endif
936
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]937 mbedtls_camellia_context ctx;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]938
939 memset( key, 0, 32 );
940
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]941 for( j = 0; j < 6; j++ ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]942 u = j >> 1;
943 v = j & 1;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]944
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]945 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]946 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
947 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]948
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]949 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
950 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]951
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]952 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
953 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]954 memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
955 memcpy( dst, camellia_test_ecb_plain[i], 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]956 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
957 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]958 memcpy( src, camellia_test_ecb_plain[i], 16 );
959 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]960 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]961
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]962 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]963
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]964 if( memcmp( buf, dst, 16 ) != 0 )
965 {
966 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]967 mbedtls_printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]968
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]969 return( 1 );
970 }
971 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]972
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]973 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]974 mbedtls_printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]975 }
976
977 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]978 mbedtls_printf( "\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]979
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]980#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]981 /*
982 * CBC mode
983 */
984 for( j = 0; j < 6; j++ )
985 {
986 u = j >> 1;
987 v = j & 1;
988
989 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]990 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
991 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]992
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]993 memcpy( src, camellia_test_cbc_iv, 16 );
994 memcpy( dst, camellia_test_cbc_iv, 16 );
995 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]996
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]997 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]998 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
999 } else {
1000 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]1001 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1002
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]1003 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1004
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]1005 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
1006 memcpy( iv , src, 16 );
1007 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
1008 memcpy( dst, camellia_test_cbc_plain[i], 16 );
1009 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
1010 memcpy( iv , dst, 16 );
1011 memcpy( src, camellia_test_cbc_plain[i], 16 );
1012 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
1013 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1014
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]1015 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
1016
1017 if( memcmp( buf, dst, 16 ) != 0 )
1018 {
1019 if( verbose != 0 )
1020 mbedtls_printf( "failed\n" );
1021
1022 return( 1 );
1023 }
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]1024 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1025
1026 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1027 mbedtls_printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1028 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1029#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1030
1031 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1032 mbedtls_printf( "\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1033
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1034#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1035 /*
1036 * CTR mode
1037 */
1038 for( i = 0; i < 6; i++ )
1039 {
1040 u = i >> 1;
1041 v = i & 1;
1042
1043 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1044 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ",
1045 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1046
1047 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1048 memcpy( key, camellia_test_ctr_key[u], 16 );
1049
1050 offset = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1051 mbedtls_camellia_setkey_enc( &ctx, key, 128 );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1052
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1053 if( v == MBEDTLS_CAMELLIA_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1054 {
1055 len = camellia_test_ctr_len[u];
1056 memcpy( buf, camellia_test_ctr_ct[u], len );
1057
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1058 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1059 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1060
1061 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1062 {
1063 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1064 mbedtls_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1065
1066 return( 1 );
1067 }
1068 }
1069 else
1070 {
1071 len = camellia_test_ctr_len[u];
1072 memcpy( buf, camellia_test_ctr_pt[u], len );
1073
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1074 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1075 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1076
1077 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1078 {
1079 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1080 mbedtls_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1081
1082 return( 1 );
1083 }
1084 }
1085
1086 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1087 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1088 }
1089
1090 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1091 mbedtls_printf( "\n" );
1092#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1093
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]1094 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1095}
1096
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1097#endif /* MBEDTLS_SELF_TEST */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1098
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1099#endif /* MBEDTLS_CAMELLIA_C */