TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 0fdf3cacf22361e724ee3c2adbcfa026bd7ae561 / . / library / camellia.c
blob: a24bfb534560d67248f02c0ee653242f199da854 [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1/*
2 * Camellia implementation
3 *
Paul Bakker785a9ee2009-01-25 14:15:10 +0000[diff] [blame]4 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19 */
20/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]21 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
22 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]23 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]24 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]25 */
26
27#include "polarssl/config.h"
28
29#if defined(POLARSSL_CAMELLIA_C)
30
31#include "polarssl/camellia.h"
32
33#include <string.h>
34
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]35/*
36 * 32-bit integer manipulation macros (big endian)
37 */
38#ifndef GET_ULONG_BE
39#define GET_ULONG_BE(n,b,i) \
40{ \
41 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
42 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
43 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
44 | ( (unsigned long) (b)[(i) + 3] ); \
45}
46#endif
47
48#ifndef PUT_ULONG_BE
49#define PUT_ULONG_BE(n,b,i) \
50{ \
51 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
52 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
53 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
54 (b)[(i) + 3] = (unsigned char) ( (n) ); \
55}
56#endif
57
58static const unsigned char SIGMA_CHARS[6][8] =
59{
60 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
61 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
62 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
63 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
64 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
65 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
66};
67
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]68#ifdef POLARSSL_CAMELLIA_SMALL_MEMORY
69
70static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]71{
72 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
73 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
74 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
75 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
76 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
77 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
78 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
79 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
80 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
81 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
82 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
83 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
84 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
85 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
86 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
87 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
88};
89
90#define SBOX1(n) FSb[(n)]
91#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
92#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]93#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
94
95#else
96
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]97static const unsigned char FSb[256] =
98{
99 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
100 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
101 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
102 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
103 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
104 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
105 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
106 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
107 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
108 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
109 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
110 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
111 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
112 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
113 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
114 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
115};
116
117static const unsigned char FSb2[256] =
118{
119 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
120 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
121 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
122 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
123 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
124 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
125 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
126 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
127 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
128 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
129 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
130 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
131 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
132 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
133 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
134 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
135};
136
137static const unsigned char FSb3[256] =
138{
139 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
140 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
141 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
142 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
143 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
144 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
145 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
146 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
147 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
148 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
149 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
150 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
151 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
152 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
153 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
154 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
155};
156
157static const unsigned char FSb4[256] =
158{
159 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
160 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
161 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
162 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
163 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
164 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
165 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
166 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
167 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
168 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
169 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
170 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
171 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
172 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
173 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
174 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
175};
176
177#define SBOX1(n) FSb[(n)]
178#define SBOX2(n) FSb2[(n)]
179#define SBOX3(n) FSb3[(n)]
180#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]181
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]182#endif
183
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]184static const unsigned char shifts[2][4][4] =
185{
186 {
187 { 1, 1, 1, 1 }, /* KL */
188 { 0, 0, 0, 0 }, /* KR */
189 { 1, 1, 1, 1 }, /* KA */
190 { 0, 0, 0, 0 } /* KB */
191 },
192 {
193 { 1, 0, 1, 1 }, /* KL */
194 { 1, 1, 0, 1 }, /* KR */
195 { 1, 1, 1, 0 }, /* KA */
196 { 1, 1, 0, 1 } /* KB */
197 }
198};
199
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]200static const signed char indexes[2][4][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]201{
202 {
203 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
204 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
205 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
206 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
207 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
208 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
209 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
210 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
211 },
212 {
213 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
214 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
215 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
216 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
217 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
218 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
219 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
220 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
221 }
222};
223
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]224static const signed char transposes[2][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]225{
226 {
227 21, 22, 23, 20,
228 -1, -1, -1, -1,
229 18, 19, 16, 17,
230 11, 8, 9, 10,
231 15, 12, 13, 14
232 },
233 {
234 25, 26, 27, 24,
235 29, 30, 31, 28,
236 18, 19, 16, 17,
237 -1, -1, -1, -1,
238 -1, -1, -1, -1
239 }
240};
241
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]242/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]243#define ROTL(DEST, SRC, SHIFT) \
244{ \
245 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
246 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
247 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
248 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
249}
250
251#define FL(XL, XR, KL, KR) \
252{ \
253 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
254 (XL) = ((XR) | (KR)) ^ (XL); \
255}
256
257#define FLInv(YL, YR, KL, KR) \
258{ \
259 (YL) = ((YR) | (KR)) ^ (YL); \
260 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
261}
262
263#define SHIFT_AND_PLACE(INDEX, OFFSET) \
264{ \
265 TK[0] = KC[(OFFSET) * 4 + 0]; \
266 TK[1] = KC[(OFFSET) * 4 + 1]; \
267 TK[2] = KC[(OFFSET) * 4 + 2]; \
268 TK[3] = KC[(OFFSET) * 4 + 3]; \
269 \
270 for ( i = 1; i <= 4; i++ ) \
271 if (shifts[(INDEX)][(OFFSET)][i -1]) \
272 ROTL(TK + i * 4, TK, (15 * i) % 32); \
273 \
274 for ( i = 0; i < 20; i++ ) \
275 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
276 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
277 } \
278}
279
280void camellia_feistel(unsigned long x[2], unsigned long k[2], unsigned long z[2])
281{
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]282 unsigned long I0, I1;
283 I0 = x[0] ^ k[0];
284 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]285
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]286 I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
287 (SBOX2((I0 >> 16) & 0xFF) << 16) |
288 (SBOX3((I0 >> 8) & 0xFF) << 8) |
289 (SBOX4((I0 ) & 0xFF) );
290 I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
291 (SBOX3((I1 >> 16) & 0xFF) << 16) |
292 (SBOX4((I1 >> 8) & 0xFF) << 8) |
293 (SBOX1((I1 ) & 0xFF) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]294
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]295 I0 ^= (I1 << 8) | (I1 >> 24);
296 I1 ^= (I0 << 16) | (I0 >> 16);
297 I0 ^= (I1 >> 8) | (I1 << 24);
298 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]299
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]300 z[0] ^= I1;
301 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]302}
303
304/*
305 * Camellia key schedule (encryption)
306 */
307void camellia_setkey_enc( camellia_context *ctx, unsigned char *key, int keysize )
308{
309 int i, idx;
310 unsigned long *RK;
311 unsigned char t[64];
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]312 unsigned long SIGMA[6][2];
313 unsigned long KC[16];
314 unsigned long TK[20];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]315
316 RK = ctx->rk;
317
318 memset(t, 0, 64);
319 memset(RK, 0, sizeof(ctx->rk));
320
321 switch( keysize )
322 {
323 case 128: ctx->nr = 3; idx = 0; break;
324 case 192:
325 case 256: ctx->nr = 4; idx = 1; break;
326 default : return;
327 }
328
329 for( i = 0; i < keysize / 8; ++i)
330 t[i] = key[i];
331
332 if (keysize == 192) {
333 for (i = 0; i < 8; i++)
334 t[24 + i] = ~t[16 + i];
335 }
336
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]337 /*
338 * Prepare SIGMA values
339 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]340 for (i = 0; i < 6; i++) {
341 GET_ULONG_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
342 GET_ULONG_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
343 }
344
345 /*
346 * Key storage in KC
347 * Order: KL, KR, KA, KB
348 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]349 memset(KC, 0, sizeof(KC));
350
351 /* Store KL, KR */
352 for (i = 0; i < 8; i++)
353 GET_ULONG_BE(KC[i], t, i * 4);
354
355 /* Generate KA */
356 for( i = 0; i < 4; ++i)
357 KC[8 + i] = KC[i] ^ KC[4 + i];
358
359 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
360 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
361
362 for( i = 0; i < 4; ++i)
363 KC[8 + i] ^= KC[i];
364
365 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
366 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
367
368 if (keysize > 128) {
369 /* Generate KB */
370 for( i = 0; i < 4; ++i)
371 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
372
373 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
374 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
375 }
376
377 /*
378 * Generating subkeys
379 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]380
381 /* Manipulating KL */
382 SHIFT_AND_PLACE(idx, 0);
383
384 /* Manipulating KR */
385 if (keysize > 128) {
386 SHIFT_AND_PLACE(idx, 1);
387 }
388
389 /* Manipulating KA */
390 SHIFT_AND_PLACE(idx, 2);
391
392 /* Manipulating KB */
393 if (keysize > 128) {
394 SHIFT_AND_PLACE(idx, 3);
395 }
396
397 /* Do transpositions */
398 for ( i = 0; i < 20; i++ ) {
399 if (transposes[idx][i] != -1) {
400 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
401 }
402 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]403}
404
405/*
406 * Camellia key schedule (decryption)
407 */
408void camellia_setkey_dec( camellia_context *ctx, unsigned char *key, int keysize )
409{
410 int i, idx;
411 camellia_context cty;
412 unsigned long *RK;
413 unsigned long *SK;
414
415 switch( keysize )
416 {
417 case 128: ctx->nr = 3; idx = 0; break;
418 case 192:
419 case 256: ctx->nr = 4; idx = 1; break;
420 default : return;
421 }
422
423 RK = ctx->rk;
424
425 camellia_setkey_enc(&cty, key, keysize);
426
427 SK = cty.rk + 24 * 2 + 8 * idx * 2;
428
429 *RK++ = *SK++;
430 *RK++ = *SK++;
431 *RK++ = *SK++;
432 *RK++ = *SK++;
433
434 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
435 {
436 *RK++ = *SK++;
437 *RK++ = *SK++;
438 }
439
440 SK -= 2;
441
442 *RK++ = *SK++;
443 *RK++ = *SK++;
444 *RK++ = *SK++;
445 *RK++ = *SK++;
446
447 memset( &cty, 0, sizeof( camellia_context ) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]448}
449
450/*
451 * Camellia-ECB block encryption/decryption
452 */
453void camellia_crypt_ecb( camellia_context *ctx,
454 int mode,
455 unsigned char input[16],
456 unsigned char output[16] )
457{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]458 int NR;
459 unsigned long *RK, X[4];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]460
461 NR = ctx->nr;
462 RK = ctx->rk;
463
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]464 GET_ULONG_BE( X[0], input, 0 );
465 GET_ULONG_BE( X[1], input, 4 );
466 GET_ULONG_BE( X[2], input, 8 );
467 GET_ULONG_BE( X[3], input, 12 );
468
469 X[0] ^= *RK++;
470 X[1] ^= *RK++;
471 X[2] ^= *RK++;
472 X[3] ^= *RK++;
473
474 while (NR) {
475 --NR;
476 camellia_feistel(X, RK, X + 2);
477 RK += 2;
478 camellia_feistel(X + 2, RK, X);
479 RK += 2;
480 camellia_feistel(X, RK, X + 2);
481 RK += 2;
482 camellia_feistel(X + 2, RK, X);
483 RK += 2;
484 camellia_feistel(X, RK, X + 2);
485 RK += 2;
486 camellia_feistel(X + 2, RK, X);
487 RK += 2;
488
489 if (NR) {
490 FL(X[0], X[1], RK[0], RK[1]);
491 RK += 2;
492 FLInv(X[2], X[3], RK[0], RK[1]);
493 RK += 2;
494 }
495 }
496
497 X[2] ^= *RK++;
498 X[3] ^= *RK++;
499 X[0] ^= *RK++;
500 X[1] ^= *RK++;
501
502 PUT_ULONG_BE( X[2], output, 0 );
503 PUT_ULONG_BE( X[3], output, 4 );
504 PUT_ULONG_BE( X[0], output, 8 );
505 PUT_ULONG_BE( X[1], output, 12 );
506}
507
508/*
509 * Camellia-CBC buffer encryption/decryption
510 */
511void camellia_crypt_cbc( camellia_context *ctx,
512 int mode,
513 int length,
514 unsigned char iv[16],
515 unsigned char *input,
516 unsigned char *output )
517{
518 int i;
519 unsigned char temp[16];
520
521 if( mode == CAMELLIA_DECRYPT )
522 {
523 while( length > 0 )
524 {
525 memcpy( temp, input, 16 );
526 camellia_crypt_ecb( ctx, mode, input, output );
527
528 for( i = 0; i < 16; i++ )
529 output[i] = (unsigned char)( output[i] ^ iv[i] );
530
531 memcpy( iv, temp, 16 );
532
533 input += 16;
534 output += 16;
535 length -= 16;
536 }
537 }
538 else
539 {
540 while( length > 0 )
541 {
542 for( i = 0; i < 16; i++ )
543 output[i] = (unsigned char)( input[i] ^ iv[i] );
544
545 camellia_crypt_ecb( ctx, mode, output, output );
546 memcpy( iv, output, 16 );
547
548 input += 16;
549 output += 16;
550 length -= 16;
551 }
552 }
553}
554
555/*
556 * Camellia-CFB128 buffer encryption/decryption
557 */
558void camellia_crypt_cfb128( camellia_context *ctx,
559 int mode,
560 int length,
561 int *iv_off,
562 unsigned char iv[16],
563 unsigned char *input,
564 unsigned char *output )
565{
566 int c, n = *iv_off;
567
568 if( mode == CAMELLIA_DECRYPT )
569 {
570 while( length-- )
571 {
572 if( n == 0 )
573 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
574
575 c = *input++;
576 *output++ = (unsigned char)( c ^ iv[n] );
577 iv[n] = (unsigned char) c;
578
579 n = (n + 1) & 0x0F;
580 }
581 }
582 else
583 {
584 while( length-- )
585 {
586 if( n == 0 )
587 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
588
589 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
590
591 n = (n + 1) & 0x0F;
592 }
593 }
594
595 *iv_off = n;
596}
597
598#if defined(POLARSSL_SELF_TEST)
599
600#include <stdio.h>
601
602/*
603 * Camellia test vectors from:
604 *
605 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
606 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
607 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
608 * (For each bitlength: Key 0, Nr 39)
609 */
610#define CAMELLIA_TESTS_ECB 2
611
612static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
613{
614 {
615 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
616 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
617 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
618 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
619 },
620 {
621 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
622 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
623 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
624 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
625 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
626 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
627 },
628 {
629 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
630 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
631 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
632 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
633 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
636 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
637 },
638};
639
640static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
641{
642 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
643 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
644 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
645 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
646};
647
648static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
649{
650 {
651 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
652 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
653 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
654 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
655 },
656 {
657 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
658 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
659 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
660 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
661 },
662 {
663 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
664 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
665 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
666 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
667 }
668};
669
670#define CAMELLIA_TESTS_CBC 3
671
672static const unsigned char camellia_test_cbc_key[3][32] =
673{
674 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
675 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
676 ,
677 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
678 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
679 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
680 ,
681 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
682 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
683 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
684 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
685};
686
687static const unsigned char camellia_test_cbc_iv[16] =
688
689 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
690 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
691;
692
693static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
694{
695 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
696 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
697 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
698 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
699 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
700 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
701
702};
703
704static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
705{
706 {
707 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
708 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
709 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
710 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
711 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
712 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
713 },
714 {
715 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
716 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
717 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
718 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
719 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
720 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
721 },
722 {
723 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
724 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
725 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
726 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
727 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
728 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
729 }
730};
731
732
733/*
734 * Checkup routine
735 */
736int camellia_self_test( int verbose )
737{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]738 int i, j, u, v;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]739 unsigned char key[32];
740 unsigned char buf[64];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]741 unsigned char src[16];
742 unsigned char dst[16];
743 unsigned char iv[16];
744 camellia_context ctx;
745
746 memset( key, 0, 32 );
747
748 for (j = 0; j < 6; j++) {
749 u = j >> 1;
750 v = j & 1;
751
752 if( verbose != 0 )
753 printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
754 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
755
756 for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
757 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
758
759 if (v == CAMELLIA_DECRYPT) {
760 camellia_setkey_dec(&ctx, key, 128 + u * 64);
761 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
762 memcpy(dst, camellia_test_ecb_plain[i], 16);
763 } else { /* CAMELLIA_ENCRYPT */
764 camellia_setkey_enc(&ctx, key, 128 + u * 64);
765 memcpy(src, camellia_test_ecb_plain[i], 16);
766 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
767 }
768
769 camellia_crypt_ecb(&ctx, v, src, buf);
770
771 if( memcmp( buf, dst, 16 ) != 0 )
772 {
773 if( verbose != 0 )
774 printf( "failed\n" );
775
776 return( 1 );
777 }
778 }
779
780 if( verbose != 0 )
781 printf( "passed\n" );
782 }
783
784 if( verbose != 0 )
785 printf( "\n" );
786
787 /*
788 * CBC mode
789 */
790 for( j = 0; j < 6; j++ )
791 {
792 u = j >> 1;
793 v = j & 1;
794
795 if( verbose != 0 )
796 printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
797 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
798
799 memcpy( src, camellia_test_cbc_iv, 16);
800 memcpy( dst, camellia_test_cbc_iv, 16);
801 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
802
803 if (v == CAMELLIA_DECRYPT) {
804 camellia_setkey_dec(&ctx, key, 128 + u * 64);
805 } else {
806 camellia_setkey_enc(&ctx, key, 128 + u * 64);
807 }
808
809 for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
810
811 if (v == CAMELLIA_DECRYPT) {
812 memcpy( iv , src, 16 );
813 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
814 memcpy(dst, camellia_test_cbc_plain[i], 16);
815 } else { /* CAMELLIA_ENCRYPT */
816 memcpy( iv , dst, 16 );
817 memcpy(src, camellia_test_cbc_plain[i], 16);
818 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
819 }
820
821 camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
822
823 if( memcmp( buf, dst, 16 ) != 0 )
824 {
825 if( verbose != 0 )
826 printf( "failed\n" );
827
828 return( 1 );
829 }
830 }
831
832 if( verbose != 0 )
833 printf( "passed\n" );
834 }
835
836 if( verbose != 0 )
837 printf( "\n" );
838
839 return ( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]840}
841
842#endif
843
844#endif