TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fa049dba4578098ac5a61777a27325dd6d304d5b / . / library / camellia.c
blob: 80444c245582564d6335c6a52d92dffee4df7177 [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1/*
2 * Camellia implementation
3 *
4 * Copyright (C) 2009 Paul Bakker
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19 */
20/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]21 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
22 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]23 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]24 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]25 */
26
27#include "polarssl/config.h"
28
29#if defined(POLARSSL_CAMELLIA_C)
30
31#include "polarssl/camellia.h"
32
33#include <string.h>
34
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]35/*
36 * 32-bit integer manipulation macros (big endian)
37 */
38#ifndef GET_ULONG_BE
39#define GET_ULONG_BE(n,b,i) \
40{ \
41 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
42 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
43 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
44 | ( (unsigned long) (b)[(i) + 3] ); \
45}
46#endif
47
48#ifndef PUT_ULONG_BE
49#define PUT_ULONG_BE(n,b,i) \
50{ \
51 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
52 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
53 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
54 (b)[(i) + 3] = (unsigned char) ( (n) ); \
55}
56#endif
57
58static const unsigned char SIGMA_CHARS[6][8] =
59{
60 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
61 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
62 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
63 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
64 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
65 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
66};
67
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame^]68#ifdef POLARSSL_CAMELLIA_SMALL_MEMORY
69
70static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]71{
72 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
73 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
74 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
75 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
76 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
77 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
78 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
79 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
80 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
81 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
82 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
83 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
84 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
85 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
86 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
87 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
88};
89
90#define SBOX1(n) FSb[(n)]
91#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
92#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame^]93#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
94
95#else
96
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]97static const unsigned char FSb[256] =
98{
99 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
100 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
101 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
102 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
103 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
104 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
105 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
106 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
107 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
108 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
109 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
110 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
111 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
112 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
113 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
114 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
115};
116
117static const unsigned char FSb2[256] =
118{
119 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
120 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
121 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
122 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
123 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
124 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
125 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
126 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
127 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
128 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
129 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
130 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
131 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
132 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
133 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
134 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
135};
136
137static const unsigned char FSb3[256] =
138{
139 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
140 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
141 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
142 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
143 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
144 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
145 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
146 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
147 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
148 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
149 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
150 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
151 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
152 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
153 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
154 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
155};
156
157static const unsigned char FSb4[256] =
158{
159 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
160 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
161 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
162 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
163 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
164 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
165 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
166 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
167 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
168 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
169 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
170 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
171 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
172 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
173 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
174 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
175};
176
177#define SBOX1(n) FSb[(n)]
178#define SBOX2(n) FSb2[(n)]
179#define SBOX3(n) FSb3[(n)]
180#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]181
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame^]182#endif
183
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]184static const unsigned char shifts[2][4][4] =
185{
186 {
187 { 1, 1, 1, 1 }, /* KL */
188 { 0, 0, 0, 0 }, /* KR */
189 { 1, 1, 1, 1 }, /* KA */
190 { 0, 0, 0, 0 } /* KB */
191 },
192 {
193 { 1, 0, 1, 1 }, /* KL */
194 { 1, 1, 0, 1 }, /* KR */
195 { 1, 1, 1, 0 }, /* KA */
196 { 1, 1, 0, 1 } /* KB */
197 }
198};
199
200static const char indexes[2][4][20] =
201{
202 {
203 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
204 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
205 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
206 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
207 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
208 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
209 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
210 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
211 },
212 {
213 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
214 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
215 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
216 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
217 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
218 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
219 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
220 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
221 }
222};
223
224static const char transposes[2][20] =
225{
226 {
227 21, 22, 23, 20,
228 -1, -1, -1, -1,
229 18, 19, 16, 17,
230 11, 8, 9, 10,
231 15, 12, 13, 14
232 },
233 {
234 25, 26, 27, 24,
235 29, 30, 31, 28,
236 18, 19, 16, 17,
237 -1, -1, -1, -1,
238 -1, -1, -1, -1
239 }
240};
241
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]242/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]243#define ROTL(DEST, SRC, SHIFT) \
244{ \
245 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
246 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
247 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
248 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
249}
250
251#define FL(XL, XR, KL, KR) \
252{ \
253 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
254 (XL) = ((XR) | (KR)) ^ (XL); \
255}
256
257#define FLInv(YL, YR, KL, KR) \
258{ \
259 (YL) = ((YR) | (KR)) ^ (YL); \
260 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
261}
262
263#define SHIFT_AND_PLACE(INDEX, OFFSET) \
264{ \
265 TK[0] = KC[(OFFSET) * 4 + 0]; \
266 TK[1] = KC[(OFFSET) * 4 + 1]; \
267 TK[2] = KC[(OFFSET) * 4 + 2]; \
268 TK[3] = KC[(OFFSET) * 4 + 3]; \
269 \
270 for ( i = 1; i <= 4; i++ ) \
271 if (shifts[(INDEX)][(OFFSET)][i -1]) \
272 ROTL(TK + i * 4, TK, (15 * i) % 32); \
273 \
274 for ( i = 0; i < 20; i++ ) \
275 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
276 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
277 } \
278}
279
280void camellia_feistel(unsigned long x[2], unsigned long k[2], unsigned long z[2])
281{
282 unsigned char t[8];
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]283 unsigned long I0, I1;
284 I0 = x[0] ^ k[0];
285 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]286
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]287 I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
288 (SBOX2((I0 >> 16) & 0xFF) << 16) |
289 (SBOX3((I0 >> 8) & 0xFF) << 8) |
290 (SBOX4((I0 ) & 0xFF) );
291 I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
292 (SBOX3((I1 >> 16) & 0xFF) << 16) |
293 (SBOX4((I1 >> 8) & 0xFF) << 8) |
294 (SBOX1((I1 ) & 0xFF) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]295
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]296 I0 ^= (I1 << 8) | (I1 >> 24);
297 I1 ^= (I0 << 16) | (I0 >> 16);
298 I0 ^= (I1 >> 8) | (I1 << 24);
299 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]300
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]301 z[0] ^= I1;
302 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]303}
304
305/*
306 * Camellia key schedule (encryption)
307 */
308void camellia_setkey_enc( camellia_context *ctx, unsigned char *key, int keysize )
309{
310 int i, idx;
311 unsigned long *RK;
312 unsigned char t[64];
313
314 RK = ctx->rk;
315
316 memset(t, 0, 64);
317 memset(RK, 0, sizeof(ctx->rk));
318
319 switch( keysize )
320 {
321 case 128: ctx->nr = 3; idx = 0; break;
322 case 192:
323 case 256: ctx->nr = 4; idx = 1; break;
324 default : return;
325 }
326
327 for( i = 0; i < keysize / 8; ++i)
328 t[i] = key[i];
329
330 if (keysize == 192) {
331 for (i = 0; i < 8; i++)
332 t[24 + i] = ~t[16 + i];
333 }
334
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]335 /*
336 * Prepare SIGMA values
337 */
338 unsigned long SIGMA[6][2];
339 for (i = 0; i < 6; i++) {
340 GET_ULONG_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
341 GET_ULONG_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
342 }
343
344 /*
345 * Key storage in KC
346 * Order: KL, KR, KA, KB
347 */
348 unsigned long KC[16];
349 memset(KC, 0, sizeof(KC));
350
351 /* Store KL, KR */
352 for (i = 0; i < 8; i++)
353 GET_ULONG_BE(KC[i], t, i * 4);
354
355 /* Generate KA */
356 for( i = 0; i < 4; ++i)
357 KC[8 + i] = KC[i] ^ KC[4 + i];
358
359 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
360 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
361
362 for( i = 0; i < 4; ++i)
363 KC[8 + i] ^= KC[i];
364
365 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
366 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
367
368 if (keysize > 128) {
369 /* Generate KB */
370 for( i = 0; i < 4; ++i)
371 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
372
373 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
374 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
375 }
376
377 /*
378 * Generating subkeys
379 */
380 unsigned long TK[20];
381
382 /* Manipulating KL */
383 SHIFT_AND_PLACE(idx, 0);
384
385 /* Manipulating KR */
386 if (keysize > 128) {
387 SHIFT_AND_PLACE(idx, 1);
388 }
389
390 /* Manipulating KA */
391 SHIFT_AND_PLACE(idx, 2);
392
393 /* Manipulating KB */
394 if (keysize > 128) {
395 SHIFT_AND_PLACE(idx, 3);
396 }
397
398 /* Do transpositions */
399 for ( i = 0; i < 20; i++ ) {
400 if (transposes[idx][i] != -1) {
401 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
402 }
403 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]404}
405
406/*
407 * Camellia key schedule (decryption)
408 */
409void camellia_setkey_dec( camellia_context *ctx, unsigned char *key, int keysize )
410{
411 int i, idx;
412 camellia_context cty;
413 unsigned long *RK;
414 unsigned long *SK;
415
416 switch( keysize )
417 {
418 case 128: ctx->nr = 3; idx = 0; break;
419 case 192:
420 case 256: ctx->nr = 4; idx = 1; break;
421 default : return;
422 }
423
424 RK = ctx->rk;
425
426 camellia_setkey_enc(&cty, key, keysize);
427
428 SK = cty.rk + 24 * 2 + 8 * idx * 2;
429
430 *RK++ = *SK++;
431 *RK++ = *SK++;
432 *RK++ = *SK++;
433 *RK++ = *SK++;
434
435 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
436 {
437 *RK++ = *SK++;
438 *RK++ = *SK++;
439 }
440
441 SK -= 2;
442
443 *RK++ = *SK++;
444 *RK++ = *SK++;
445 *RK++ = *SK++;
446 *RK++ = *SK++;
447
448 memset( &cty, 0, sizeof( camellia_context ) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]449}
450
451/*
452 * Camellia-ECB block encryption/decryption
453 */
454void camellia_crypt_ecb( camellia_context *ctx,
455 int mode,
456 unsigned char input[16],
457 unsigned char output[16] )
458{
459 int i, NR;
460 unsigned long *RK, X[4], Y[4], T;
461
462 NR = ctx->nr;
463 RK = ctx->rk;
464
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]465 GET_ULONG_BE( X[0], input, 0 );
466 GET_ULONG_BE( X[1], input, 4 );
467 GET_ULONG_BE( X[2], input, 8 );
468 GET_ULONG_BE( X[3], input, 12 );
469
470 X[0] ^= *RK++;
471 X[1] ^= *RK++;
472 X[2] ^= *RK++;
473 X[3] ^= *RK++;
474
475 while (NR) {
476 --NR;
477 camellia_feistel(X, RK, X + 2);
478 RK += 2;
479 camellia_feistel(X + 2, RK, X);
480 RK += 2;
481 camellia_feistel(X, RK, X + 2);
482 RK += 2;
483 camellia_feistel(X + 2, RK, X);
484 RK += 2;
485 camellia_feistel(X, RK, X + 2);
486 RK += 2;
487 camellia_feistel(X + 2, RK, X);
488 RK += 2;
489
490 if (NR) {
491 FL(X[0], X[1], RK[0], RK[1]);
492 RK += 2;
493 FLInv(X[2], X[3], RK[0], RK[1]);
494 RK += 2;
495 }
496 }
497
498 X[2] ^= *RK++;
499 X[3] ^= *RK++;
500 X[0] ^= *RK++;
501 X[1] ^= *RK++;
502
503 PUT_ULONG_BE( X[2], output, 0 );
504 PUT_ULONG_BE( X[3], output, 4 );
505 PUT_ULONG_BE( X[0], output, 8 );
506 PUT_ULONG_BE( X[1], output, 12 );
507}
508
509/*
510 * Camellia-CBC buffer encryption/decryption
511 */
512void camellia_crypt_cbc( camellia_context *ctx,
513 int mode,
514 int length,
515 unsigned char iv[16],
516 unsigned char *input,
517 unsigned char *output )
518{
519 int i;
520 unsigned char temp[16];
521
522 if( mode == CAMELLIA_DECRYPT )
523 {
524 while( length > 0 )
525 {
526 memcpy( temp, input, 16 );
527 camellia_crypt_ecb( ctx, mode, input, output );
528
529 for( i = 0; i < 16; i++ )
530 output[i] = (unsigned char)( output[i] ^ iv[i] );
531
532 memcpy( iv, temp, 16 );
533
534 input += 16;
535 output += 16;
536 length -= 16;
537 }
538 }
539 else
540 {
541 while( length > 0 )
542 {
543 for( i = 0; i < 16; i++ )
544 output[i] = (unsigned char)( input[i] ^ iv[i] );
545
546 camellia_crypt_ecb( ctx, mode, output, output );
547 memcpy( iv, output, 16 );
548
549 input += 16;
550 output += 16;
551 length -= 16;
552 }
553 }
554}
555
556/*
557 * Camellia-CFB128 buffer encryption/decryption
558 */
559void camellia_crypt_cfb128( camellia_context *ctx,
560 int mode,
561 int length,
562 int *iv_off,
563 unsigned char iv[16],
564 unsigned char *input,
565 unsigned char *output )
566{
567 int c, n = *iv_off;
568
569 if( mode == CAMELLIA_DECRYPT )
570 {
571 while( length-- )
572 {
573 if( n == 0 )
574 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
575
576 c = *input++;
577 *output++ = (unsigned char)( c ^ iv[n] );
578 iv[n] = (unsigned char) c;
579
580 n = (n + 1) & 0x0F;
581 }
582 }
583 else
584 {
585 while( length-- )
586 {
587 if( n == 0 )
588 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
589
590 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
591
592 n = (n + 1) & 0x0F;
593 }
594 }
595
596 *iv_off = n;
597}
598
599#if defined(POLARSSL_SELF_TEST)
600
601#include <stdio.h>
602
603/*
604 * Camellia test vectors from:
605 *
606 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
607 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
608 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
609 * (For each bitlength: Key 0, Nr 39)
610 */
611#define CAMELLIA_TESTS_ECB 2
612
613static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
614{
615 {
616 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
617 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
618 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
619 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
620 },
621 {
622 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
623 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
624 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
625 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
626 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
627 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
628 },
629 {
630 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
631 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
632 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
633 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
634 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
636 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
637 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
638 },
639};
640
641static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
642{
643 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
644 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
645 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
646 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
647};
648
649static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
650{
651 {
652 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
653 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
654 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
655 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
656 },
657 {
658 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
659 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
660 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
661 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
662 },
663 {
664 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
665 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
666 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
667 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
668 }
669};
670
671#define CAMELLIA_TESTS_CBC 3
672
673static const unsigned char camellia_test_cbc_key[3][32] =
674{
675 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
676 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
677 ,
678 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
679 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
680 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
681 ,
682 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
683 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
684 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
685 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
686};
687
688static const unsigned char camellia_test_cbc_iv[16] =
689
690 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
691 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
692;
693
694static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
695{
696 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
697 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
698 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
699 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
700 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
701 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
702
703};
704
705static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
706{
707 {
708 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
709 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
710 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
711 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
712 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
713 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
714 },
715 {
716 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
717 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
718 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
719 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
720 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
721 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
722 },
723 {
724 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
725 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
726 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
727 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
728 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
729 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
730 }
731};
732
733
734/*
735 * Checkup routine
736 */
737int camellia_self_test( int verbose )
738{
739 int i, j, u, v, offset;
740 unsigned char key[32];
741 unsigned char buf[64];
742 unsigned char prv[16];
743 unsigned char src[16];
744 unsigned char dst[16];
745 unsigned char iv[16];
746 camellia_context ctx;
747
748 memset( key, 0, 32 );
749
750 for (j = 0; j < 6; j++) {
751 u = j >> 1;
752 v = j & 1;
753
754 if( verbose != 0 )
755 printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
756 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
757
758 for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
759 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
760
761 if (v == CAMELLIA_DECRYPT) {
762 camellia_setkey_dec(&ctx, key, 128 + u * 64);
763 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
764 memcpy(dst, camellia_test_ecb_plain[i], 16);
765 } else { /* CAMELLIA_ENCRYPT */
766 camellia_setkey_enc(&ctx, key, 128 + u * 64);
767 memcpy(src, camellia_test_ecb_plain[i], 16);
768 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
769 }
770
771 camellia_crypt_ecb(&ctx, v, src, buf);
772
773 if( memcmp( buf, dst, 16 ) != 0 )
774 {
775 if( verbose != 0 )
776 printf( "failed\n" );
777
778 return( 1 );
779 }
780 }
781
782 if( verbose != 0 )
783 printf( "passed\n" );
784 }
785
786 if( verbose != 0 )
787 printf( "\n" );
788
789 /*
790 * CBC mode
791 */
792 for( j = 0; j < 6; j++ )
793 {
794 u = j >> 1;
795 v = j & 1;
796
797 if( verbose != 0 )
798 printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
799 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
800
801 memcpy( src, camellia_test_cbc_iv, 16);
802 memcpy( dst, camellia_test_cbc_iv, 16);
803 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
804
805 if (v == CAMELLIA_DECRYPT) {
806 camellia_setkey_dec(&ctx, key, 128 + u * 64);
807 } else {
808 camellia_setkey_enc(&ctx, key, 128 + u * 64);
809 }
810
811 for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
812
813 if (v == CAMELLIA_DECRYPT) {
814 memcpy( iv , src, 16 );
815 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
816 memcpy(dst, camellia_test_cbc_plain[i], 16);
817 } else { /* CAMELLIA_ENCRYPT */
818 memcpy( iv , dst, 16 );
819 memcpy(src, camellia_test_cbc_plain[i], 16);
820 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
821 }
822
823 camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
824
825 if( memcmp( buf, dst, 16 ) != 0 )
826 {
827 if( verbose != 0 )
828 printf( "failed\n" );
829
830 return( 1 );
831 }
832 }
833
834 if( verbose != 0 )
835 printf( "passed\n" );
836 }
837
838 if( verbose != 0 )
839 printf( "\n" );
840
841 return ( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]842}
843
844#endif
845
846#endif