TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / cef4ad2509f6c19f6c3e9cf4e6a077bac9d98280 / . / library / camellia.c
blob: 4bf0b2939e4a8d7fe799b41e3dddfc1d5dfe4f34 [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1/*
2 * Camellia implementation
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]4 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]26 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
27 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]28 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]29 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]30 */
31
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame^]32#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]33#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame^]34#else
35#include POLARSSL_CONFIG_FILE
36#endif
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]37
38#if defined(POLARSSL_CAMELLIA_C)
39
40#include "polarssl/camellia.h"
41
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]42#if defined(POLARSSL_PLATFORM_C)
43#include "polarssl/platform.h"
44#else
45#define polarssl_printf printf
46#endif
47
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]48#if !defined(POLARSSL_CAMELLIA_ALT)
49
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]50/*
51 * 32-bit integer manipulation macros (big endian)
52 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]53#ifndef GET_UINT32_BE
54#define GET_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]55{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]56 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
57 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
58 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
59 | ( (uint32_t) (b)[(i) + 3] ); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]60}
61#endif
62
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]63#ifndef PUT_UINT32_BE
64#define PUT_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]65{ \
66 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
67 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
68 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
69 (b)[(i) + 3] = (unsigned char) ( (n) ); \
70}
71#endif
72
73static const unsigned char SIGMA_CHARS[6][8] =
74{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]75 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
76 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
77 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
78 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
79 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
80 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]81};
82
Paul Bakker33008ee2011-11-18 12:58:25 +0000[diff] [blame]83#if defined(POLARSSL_CAMELLIA_SMALL_MEMORY)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]84
85static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]86{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]87 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
88 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
89 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
90 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
91 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
92 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
93 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
94 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
95 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
96 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
97 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
98 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
99 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
100 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
101 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
102 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]103};
104
105#define SBOX1(n) FSb[(n)]
106#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
107#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]108#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
109
110#else
111
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]112static const unsigned char FSb[256] =
113{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]114 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
115 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
116 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
117 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
118 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
119 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
120 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
121 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
122 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
123 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
124 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
125 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
126 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
127 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
128 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
129 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]130};
131
132static const unsigned char FSb2[256] =
133{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]134 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
135 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
136 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
137 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
138 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
139 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
140 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
141 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
142 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
143 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
144 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
145 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
146 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
147 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
148 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
149 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]150};
151
152static const unsigned char FSb3[256] =
153{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]154 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
155 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
156 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
157 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
158 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
159 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
160 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
161 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
162 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
163 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
164 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
165 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
166 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
167 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
168 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
169 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]170};
171
172static const unsigned char FSb4[256] =
173{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]174 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
175 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
176 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
177 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
178 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
179 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
180 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
181 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
182 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
183 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
184 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
185 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
186 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
187 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
188 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
189 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]190};
191
192#define SBOX1(n) FSb[(n)]
193#define SBOX2(n) FSb2[(n)]
194#define SBOX3(n) FSb3[(n)]
195#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]196
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]197#endif
198
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]199static const unsigned char shifts[2][4][4] =
200{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]201 {
202 { 1, 1, 1, 1 }, /* KL */
203 { 0, 0, 0, 0 }, /* KR */
204 { 1, 1, 1, 1 }, /* KA */
205 { 0, 0, 0, 0 } /* KB */
206 },
207 {
208 { 1, 0, 1, 1 }, /* KL */
209 { 1, 1, 0, 1 }, /* KR */
210 { 1, 1, 1, 0 }, /* KA */
211 { 1, 1, 0, 1 } /* KB */
212 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]213};
214
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]215static const signed char indexes[2][4][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]216{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]217 {
218 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
219 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
220 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
221 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
222 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
223 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
224 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
225 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
226 },
227 {
228 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
229 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
230 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
231 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
232 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
233 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
234 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
235 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
236 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]237};
238
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]239static const signed char transposes[2][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]240{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]241 {
242 21, 22, 23, 20,
243 -1, -1, -1, -1,
244 18, 19, 16, 17,
245 11, 8, 9, 10,
246 15, 12, 13, 14
247 },
248 {
249 25, 26, 27, 24,
250 29, 30, 31, 28,
251 18, 19, 16, 17,
252 -1, -1, -1, -1,
253 -1, -1, -1, -1
254 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]255};
256
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]257/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]258#define ROTL(DEST, SRC, SHIFT) \
259{ \
260 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
261 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
262 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
263 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]264}
265
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]266#define FL(XL, XR, KL, KR) \
267{ \
268 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
269 (XL) = ((XR) | (KR)) ^ (XL); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]270}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]271
272#define FLInv(YL, YR, KL, KR) \
273{ \
274 (YL) = ((YR) | (KR)) ^ (YL); \
275 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]276}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]277
278#define SHIFT_AND_PLACE(INDEX, OFFSET) \
279{ \
280 TK[0] = KC[(OFFSET) * 4 + 0]; \
281 TK[1] = KC[(OFFSET) * 4 + 1]; \
282 TK[2] = KC[(OFFSET) * 4 + 2]; \
283 TK[3] = KC[(OFFSET) * 4 + 3]; \
284 \
285 for ( i = 1; i <= 4; i++ ) \
286 if (shifts[(INDEX)][(OFFSET)][i -1]) \
287 ROTL(TK + i * 4, TK, (15 * i) % 32); \
288 \
289 for ( i = 0; i < 20; i++ ) \
290 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
291 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
292 } \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]293}
294
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]295static void camellia_feistel(const uint32_t x[2], const uint32_t k[2], uint32_t z[2])
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]296{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]297 uint32_t I0, I1;
298 I0 = x[0] ^ k[0];
299 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]300
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]301 I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
302 (SBOX2((I0 >> 16) & 0xFF) << 16) |
303 (SBOX3((I0 >> 8) & 0xFF) << 8) |
304 (SBOX4((I0 ) & 0xFF) );
305 I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
306 (SBOX3((I1 >> 16) & 0xFF) << 16) |
307 (SBOX4((I1 >> 8) & 0xFF) << 8) |
308 (SBOX1((I1 ) & 0xFF) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]309
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]310 I0 ^= (I1 << 8) | (I1 >> 24);
311 I1 ^= (I0 << 16) | (I0 >> 16);
312 I0 ^= (I1 >> 8) | (I1 << 24);
313 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]314
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]315 z[0] ^= I1;
316 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]317}
318
319/*
320 * Camellia key schedule (encryption)
321 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]322int camellia_setkey_enc( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]323{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]324 int idx;
325 size_t i;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]326 uint32_t *RK;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]327 unsigned char t[64];
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]328 uint32_t SIGMA[6][2];
329 uint32_t KC[16];
330 uint32_t TK[20];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]331
332 RK = ctx->rk;
333
334 memset(t, 0, 64);
335 memset(RK, 0, sizeof(ctx->rk));
336
337 switch( keysize )
338 {
339 case 128: ctx->nr = 3; idx = 0; break;
340 case 192:
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]341 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]342 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]343 }
344
345 for( i = 0; i < keysize / 8; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]346 t[i] = key[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]347
348 if (keysize == 192) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]349 for (i = 0; i < 8; i++)
350 t[24 + i] = ~t[16 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]351 }
352
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]353 /*
354 * Prepare SIGMA values
355 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]356 for (i = 0; i < 6; i++) {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]357 GET_UINT32_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
358 GET_UINT32_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]359 }
360
361 /*
362 * Key storage in KC
363 * Order: KL, KR, KA, KB
364 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]365 memset(KC, 0, sizeof(KC));
366
367 /* Store KL, KR */
368 for (i = 0; i < 8; i++)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]369 GET_UINT32_BE(KC[i], t, i * 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]370
371 /* Generate KA */
372 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]373 KC[8 + i] = KC[i] ^ KC[4 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]374
375 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
376 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
377
378 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]379 KC[8 + i] ^= KC[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]380
381 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
382 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
383
384 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]385 /* Generate KB */
386 for( i = 0; i < 4; ++i)
387 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]388
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]389 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
390 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]391 }
392
393 /*
394 * Generating subkeys
395 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]396
397 /* Manipulating KL */
398 SHIFT_AND_PLACE(idx, 0);
399
400 /* Manipulating KR */
401 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]402 SHIFT_AND_PLACE(idx, 1);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]403 }
404
405 /* Manipulating KA */
406 SHIFT_AND_PLACE(idx, 2);
407
408 /* Manipulating KB */
409 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]410 SHIFT_AND_PLACE(idx, 3);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]411 }
412
413 /* Do transpositions */
414 for ( i = 0; i < 20; i++ ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]415 if (transposes[idx][i] != -1) {
416 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
417 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]418 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]419
420 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]421}
422
423/*
424 * Camellia key schedule (decryption)
425 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]426int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]427{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]428 int idx;
429 size_t i;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]430 camellia_context cty;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]431 uint32_t *RK;
432 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]433 int ret;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]434
435 switch( keysize )
436 {
437 case 128: ctx->nr = 3; idx = 0; break;
438 case 192:
439 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]440 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]441 }
442
443 RK = ctx->rk;
444
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]445 ret = camellia_setkey_enc(&cty, key, keysize);
446 if( ret != 0 )
447 return( ret );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]448
449 SK = cty.rk + 24 * 2 + 8 * idx * 2;
450
451 *RK++ = *SK++;
452 *RK++ = *SK++;
453 *RK++ = *SK++;
454 *RK++ = *SK++;
455
456 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
457 {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]458 *RK++ = *SK++;
459 *RK++ = *SK++;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]460 }
461
462 SK -= 2;
463
464 *RK++ = *SK++;
465 *RK++ = *SK++;
466 *RK++ = *SK++;
467 *RK++ = *SK++;
468
469 memset( &cty, 0, sizeof( camellia_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]470
471 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]472}
473
474/*
475 * Camellia-ECB block encryption/decryption
476 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]477int camellia_crypt_ecb( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]478 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]479 const unsigned char input[16],
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]480 unsigned char output[16] )
481{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]482 int NR;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]483 uint32_t *RK, X[4];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]484
Paul Bakkerc2547b02009-07-20 20:40:52 +0000[diff] [blame]485 ( (void) mode );
486
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]487 NR = ctx->nr;
488 RK = ctx->rk;
489
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]490 GET_UINT32_BE( X[0], input, 0 );
491 GET_UINT32_BE( X[1], input, 4 );
492 GET_UINT32_BE( X[2], input, 8 );
493 GET_UINT32_BE( X[3], input, 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]494
495 X[0] ^= *RK++;
496 X[1] ^= *RK++;
497 X[2] ^= *RK++;
498 X[3] ^= *RK++;
499
500 while (NR) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]501 --NR;
502 camellia_feistel(X, RK, X + 2);
503 RK += 2;
504 camellia_feistel(X + 2, RK, X);
505 RK += 2;
506 camellia_feistel(X, RK, X + 2);
507 RK += 2;
508 camellia_feistel(X + 2, RK, X);
509 RK += 2;
510 camellia_feistel(X, RK, X + 2);
511 RK += 2;
512 camellia_feistel(X + 2, RK, X);
513 RK += 2;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]514
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]515 if (NR) {
516 FL(X[0], X[1], RK[0], RK[1]);
517 RK += 2;
518 FLInv(X[2], X[3], RK[0], RK[1]);
519 RK += 2;
520 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]521 }
522
523 X[2] ^= *RK++;
524 X[3] ^= *RK++;
525 X[0] ^= *RK++;
526 X[1] ^= *RK++;
527
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]528 PUT_UINT32_BE( X[2], output, 0 );
529 PUT_UINT32_BE( X[3], output, 4 );
530 PUT_UINT32_BE( X[0], output, 8 );
531 PUT_UINT32_BE( X[1], output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]532
533 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]534}
535
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]536#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]537/*
538 * Camellia-CBC buffer encryption/decryption
539 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]540int camellia_crypt_cbc( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]541 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]542 size_t length,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]543 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]544 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]545 unsigned char *output )
546{
547 int i;
548 unsigned char temp[16];
549
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]550 if( length % 16 )
551 return( POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
552
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]553 if( mode == CAMELLIA_DECRYPT )
554 {
555 while( length > 0 )
556 {
557 memcpy( temp, input, 16 );
558 camellia_crypt_ecb( ctx, mode, input, output );
559
560 for( i = 0; i < 16; i++ )
561 output[i] = (unsigned char)( output[i] ^ iv[i] );
562
563 memcpy( iv, temp, 16 );
564
565 input += 16;
566 output += 16;
567 length -= 16;
568 }
569 }
570 else
571 {
572 while( length > 0 )
573 {
574 for( i = 0; i < 16; i++ )
575 output[i] = (unsigned char)( input[i] ^ iv[i] );
576
577 camellia_crypt_ecb( ctx, mode, output, output );
578 memcpy( iv, output, 16 );
579
580 input += 16;
581 output += 16;
582 length -= 16;
583 }
584 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]585
586 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]587}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]588#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]589
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]590#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]591/*
592 * Camellia-CFB128 buffer encryption/decryption
593 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]594int camellia_crypt_cfb128( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]595 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]596 size_t length,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]597 size_t *iv_off,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]598 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]599 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]600 unsigned char *output )
601{
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]602 int c;
603 size_t n = *iv_off;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]604
605 if( mode == CAMELLIA_DECRYPT )
606 {
607 while( length-- )
608 {
609 if( n == 0 )
610 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
611
612 c = *input++;
613 *output++ = (unsigned char)( c ^ iv[n] );
614 iv[n] = (unsigned char) c;
615
616 n = (n + 1) & 0x0F;
617 }
618 }
619 else
620 {
621 while( length-- )
622 {
623 if( n == 0 )
624 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
625
626 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
627
628 n = (n + 1) & 0x0F;
629 }
630 }
631
632 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]633
634 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]635}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]636#endif /* POLARSSL_CIPHER_MODE_CFB */
637
638#if defined(POLARSSL_CIPHER_MODE_CTR)
639/*
640 * Camellia-CTR buffer encryption/decryption
641 */
642int camellia_crypt_ctr( camellia_context *ctx,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]643 size_t length,
644 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]645 unsigned char nonce_counter[16],
646 unsigned char stream_block[16],
647 const unsigned char *input,
648 unsigned char *output )
649{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]650 int c, i;
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]651 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]652
653 while( length-- )
654 {
655 if( n == 0 ) {
656 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, nonce_counter, stream_block );
657
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]658 for( i = 16; i > 0; i-- )
659 if( ++nonce_counter[i - 1] != 0 )
660 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]661 }
662 c = *input++;
663 *output++ = (unsigned char)( c ^ stream_block[n] );
664
665 n = (n + 1) & 0x0F;
666 }
667
668 *nc_off = n;
669
670 return( 0 );
671}
672#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]673#endif /* !POLARSSL_CAMELLIA_ALT */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]674
675#if defined(POLARSSL_SELF_TEST)
676
677#include <stdio.h>
678
679/*
680 * Camellia test vectors from:
681 *
682 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
683 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
684 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]685 * (For each bitlength: Key 0, Nr 39)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]686 */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]687#define CAMELLIA_TESTS_ECB 2
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]688
689static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
690{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]691 {
692 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
693 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
694 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
695 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
696 },
697 {
698 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
699 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
700 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
701 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
703 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
704 },
705 {
706 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
707 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
708 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
709 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
710 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
711 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
712 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
713 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
714 },
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]715};
716
717static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
718{
719 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
720 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
721 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
722 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
723};
724
725static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
726{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]727 {
728 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
729 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
730 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
731 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
732 },
733 {
734 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
735 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
736 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
737 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
738 },
739 {
740 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
741 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
742 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
743 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
744 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]745};
746
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]747#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]748#define CAMELLIA_TESTS_CBC 3
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]749
750static const unsigned char camellia_test_cbc_key[3][32] =
751{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]752 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
753 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
754 ,
755 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
756 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
757 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
758 ,
759 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
760 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
761 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
762 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]763};
764
765static const unsigned char camellia_test_cbc_iv[16] =
766
767 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
768 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
769;
770
771static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
772{
773 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
774 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
775 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
776 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
777 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
778 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
779
780};
781
782static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
783{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]784 {
785 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
786 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
787 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
788 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
789 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
790 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
791 },
792 {
793 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
794 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
795 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
796 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
797 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
798 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
799 },
800 {
801 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
802 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
803 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
804 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
805 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
806 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
807 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]808};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]809#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]810
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]811#if defined(POLARSSL_CIPHER_MODE_CTR)
812/*
813 * Camellia-CTR test vectors from:
814 *
815 * http://www.faqs.org/rfcs/rfc5528.html
816 */
817
818static const unsigned char camellia_test_ctr_key[3][16] =
819{
820 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
821 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
822 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
823 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
824 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
825 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
826};
827
828static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
829{
830 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
831 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
832 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
833 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
834 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
835 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
836};
837
838static const unsigned char camellia_test_ctr_pt[3][48] =
839{
840 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
841 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
842
843 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
844 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
845 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
846 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
847
848 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
849 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
850 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
851 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
852 0x20, 0x21, 0x22, 0x23 }
853};
854
855static const unsigned char camellia_test_ctr_ct[3][48] =
856{
857 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
858 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
859 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
860 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
861 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
862 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
863 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
864 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
865 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
866 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
867 0xDF, 0x50, 0x86, 0x96 }
868};
869
870static const int camellia_test_ctr_len[3] =
871 { 16, 32, 36 };
872#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]873
874/*
875 * Checkup routine
876 */
877int camellia_self_test( int verbose )
878{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]879 int i, j, u, v;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]880 unsigned char key[32];
881 unsigned char buf[64];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]882 unsigned char src[16];
883 unsigned char dst[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]884#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]885 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]886#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]887#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]888 size_t offset, len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]889 unsigned char nonce_counter[16];
890 unsigned char stream_block[16];
891#endif
892
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]893 camellia_context ctx;
894
895 memset( key, 0, 32 );
896
897 for (j = 0; j < 6; j++) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]898 u = j >> 1;
899 v = j & 1;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]900
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]901 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]902 polarssl_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
903 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]904
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]905 for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
906 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]907
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]908 if (v == CAMELLIA_DECRYPT) {
909 camellia_setkey_dec(&ctx, key, 128 + u * 64);
910 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
911 memcpy(dst, camellia_test_ecb_plain[i], 16);
912 } else { /* CAMELLIA_ENCRYPT */
913 camellia_setkey_enc(&ctx, key, 128 + u * 64);
914 memcpy(src, camellia_test_ecb_plain[i], 16);
915 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
916 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]917
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]918 camellia_crypt_ecb(&ctx, v, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]919
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]920 if( memcmp( buf, dst, 16 ) != 0 )
921 {
922 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]923 polarssl_printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]924
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]925 return( 1 );
926 }
927 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]928
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]929 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]930 polarssl_printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]931 }
932
933 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]934 polarssl_printf( "\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]935
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]936#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]937 /*
938 * CBC mode
939 */
940 for( j = 0; j < 6; j++ )
941 {
942 u = j >> 1;
943 v = j & 1;
944
945 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]946 polarssl_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
947 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]948
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]949 memcpy( src, camellia_test_cbc_iv, 16);
950 memcpy( dst, camellia_test_cbc_iv, 16);
951 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]952
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]953 if (v == CAMELLIA_DECRYPT) {
954 camellia_setkey_dec(&ctx, key, 128 + u * 64);
955 } else {
956 camellia_setkey_enc(&ctx, key, 128 + u * 64);
957 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]958
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]959 for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]960
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]961 if (v == CAMELLIA_DECRYPT) {
962 memcpy( iv , src, 16 );
963 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
964 memcpy(dst, camellia_test_cbc_plain[i], 16);
965 } else { /* CAMELLIA_ENCRYPT */
966 memcpy( iv , dst, 16 );
967 memcpy(src, camellia_test_cbc_plain[i], 16);
968 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
969 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]970
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]971 camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]972
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]973 if( memcmp( buf, dst, 16 ) != 0 )
974 {
975 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]976 polarssl_printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]977
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]978 return( 1 );
979 }
980 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]981
982 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]983 polarssl_printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]984 }
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]985#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]986
987 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]988 polarssl_printf( "\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]989
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]990#if defined(POLARSSL_CIPHER_MODE_CTR)
991 /*
992 * CTR mode
993 */
994 for( i = 0; i < 6; i++ )
995 {
996 u = i >> 1;
997 v = i & 1;
998
999 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1000 polarssl_printf( " CAMELLIA-CTR-128 (%s): ",
1001 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1002
1003 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1004 memcpy( key, camellia_test_ctr_key[u], 16 );
1005
1006 offset = 0;
1007 camellia_setkey_enc( &ctx, key, 128 );
1008
1009 if( v == CAMELLIA_DECRYPT )
1010 {
1011 len = camellia_test_ctr_len[u];
1012 memcpy( buf, camellia_test_ctr_ct[u], len );
1013
1014 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1015
1016 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1017 {
1018 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1019 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1020
1021 return( 1 );
1022 }
1023 }
1024 else
1025 {
1026 len = camellia_test_ctr_len[u];
1027 memcpy( buf, camellia_test_ctr_pt[u], len );
1028
1029 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1030
1031 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1032 {
1033 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1034 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1035
1036 return( 1 );
1037 }
1038 }
1039
1040 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1041 polarssl_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1042 }
1043
1044 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1045 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1046#endif /* POLARSSL_CIPHER_MODE_CTR */
1047
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1048 return ( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1049}
1050
1051#endif
1052
1053#endif