blob: 48fc3e6882cffb3496b0d90d51aba6bc92423775 [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +00001/*
2 * Camellia implementation
3 *
Paul Bakker4087c472013-06-12 16:49:10 +02004 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +00005 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +00008 *
Paul Bakker77b385e2009-07-28 17:23:11 +00009 * All rights reserved.
Paul Bakker38119b12009-01-10 23:31:23 +000010 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +000026 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
27 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +000028 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +000029 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +000030 */
31
32#include "polarssl/config.h"
33
34#if defined(POLARSSL_CAMELLIA_C)
35
36#include "polarssl/camellia.h"
37
Paul Bakker4087c472013-06-12 16:49:10 +020038#if !defined(POLARSSL_CAMELLIA_ALT)
39
Paul Bakker312da332014-06-13 17:20:13 +020040/* Implementation that should never be optimized out by the compiler */
41static void polarssl_zeroize( void *v, size_t n ) {
42 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
43}
44
Paul Bakker38119b12009-01-10 23:31:23 +000045/*
46 * 32-bit integer manipulation macros (big endian)
47 */
Paul Bakker5c2364c2012-10-01 14:41:15 +000048#ifndef GET_UINT32_BE
49#define GET_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +000050{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +000051 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
52 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
53 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
54 | ( (uint32_t) (b)[(i) + 3] ); \
Paul Bakker38119b12009-01-10 23:31:23 +000055}
56#endif
57
Paul Bakker5c2364c2012-10-01 14:41:15 +000058#ifndef PUT_UINT32_BE
59#define PUT_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +000060{ \
61 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
62 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
63 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
64 (b)[(i) + 3] = (unsigned char) ( (n) ); \
65}
66#endif
67
68static const unsigned char SIGMA_CHARS[6][8] =
69{
Paul Bakkerc81f6c32009-05-03 13:09:15 +000070 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
71 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
72 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
73 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
74 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
75 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
Paul Bakker38119b12009-01-10 23:31:23 +000076};
77
Paul Bakker33008ee2011-11-18 12:58:25 +000078#if defined(POLARSSL_CAMELLIA_SMALL_MEMORY)
Paul Bakkerfa049db2009-01-12 22:12:03 +000079
80static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +000081{
Paul Bakkerc81f6c32009-05-03 13:09:15 +000082 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
83 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
84 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
85 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
86 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
87 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
88 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
89 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
90 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
91 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
92 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
93 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
94 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
95 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
96 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
97 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
Paul Bakker38119b12009-01-10 23:31:23 +000098};
99
100#define SBOX1(n) FSb[(n)]
101#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
102#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000103#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
104
105#else
106
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000107static const unsigned char FSb[256] =
108{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000109 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
110 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
111 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
112 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
113 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
114 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
115 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
116 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
117 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
118 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
119 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
120 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
121 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
122 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
123 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
124 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000125};
126
127static const unsigned char FSb2[256] =
128{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000129 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
130 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
131 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
132 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
133 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
134 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
135 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
136 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
137 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
138 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
139 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
140 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
141 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
142 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
143 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
144 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000145};
146
147static const unsigned char FSb3[256] =
148{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000149 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
150 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
151 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
152 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
153 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
154 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
155 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
156 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
157 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
158 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
159 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
160 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
161 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
162 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
163 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
164 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000165};
166
167static const unsigned char FSb4[256] =
168{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000169 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
170 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
171 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
172 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
173 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
174 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
175 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
176 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
177 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
178 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
179 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
180 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
181 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
182 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
183 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
184 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000185};
186
187#define SBOX1(n) FSb[(n)]
188#define SBOX2(n) FSb2[(n)]
189#define SBOX3(n) FSb3[(n)]
190#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000191
Paul Bakkerfa049db2009-01-12 22:12:03 +0000192#endif
193
Paul Bakker38119b12009-01-10 23:31:23 +0000194static const unsigned char shifts[2][4][4] =
195{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000196 {
197 { 1, 1, 1, 1 }, /* KL */
198 { 0, 0, 0, 0 }, /* KR */
199 { 1, 1, 1, 1 }, /* KA */
200 { 0, 0, 0, 0 } /* KB */
201 },
202 {
203 { 1, 0, 1, 1 }, /* KL */
204 { 1, 1, 0, 1 }, /* KR */
205 { 1, 1, 1, 0 }, /* KA */
206 { 1, 1, 0, 1 } /* KB */
207 }
Paul Bakker38119b12009-01-10 23:31:23 +0000208};
209
Paul Bakker026c03b2009-03-28 17:53:03 +0000210static const signed char indexes[2][4][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000211{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000212 {
213 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
214 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
215 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
216 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
217 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
218 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
219 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
220 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
221 },
222 {
223 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
224 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
225 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
226 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
227 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
228 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
229 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
230 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
231 }
Paul Bakker38119b12009-01-10 23:31:23 +0000232};
233
Paul Bakker026c03b2009-03-28 17:53:03 +0000234static const signed char transposes[2][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000235{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000236 {
237 21, 22, 23, 20,
238 -1, -1, -1, -1,
239 18, 19, 16, 17,
240 11, 8, 9, 10,
241 15, 12, 13, 14
242 },
243 {
244 25, 26, 27, 24,
245 29, 30, 31, 28,
246 18, 19, 16, 17,
247 -1, -1, -1, -1,
248 -1, -1, -1, -1
249 }
Paul Bakker38119b12009-01-10 23:31:23 +0000250};
251
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000252/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000253#define ROTL(DEST, SRC, SHIFT) \
254{ \
255 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
256 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
257 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
258 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
Paul Bakker38119b12009-01-10 23:31:23 +0000259}
260
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000261#define FL(XL, XR, KL, KR) \
262{ \
263 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
264 (XL) = ((XR) | (KR)) ^ (XL); \
Paul Bakker38119b12009-01-10 23:31:23 +0000265}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000266
267#define FLInv(YL, YR, KL, KR) \
268{ \
269 (YL) = ((YR) | (KR)) ^ (YL); \
270 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
Paul Bakker38119b12009-01-10 23:31:23 +0000271}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000272
273#define SHIFT_AND_PLACE(INDEX, OFFSET) \
274{ \
275 TK[0] = KC[(OFFSET) * 4 + 0]; \
276 TK[1] = KC[(OFFSET) * 4 + 1]; \
277 TK[2] = KC[(OFFSET) * 4 + 2]; \
278 TK[3] = KC[(OFFSET) * 4 + 3]; \
279 \
280 for ( i = 1; i <= 4; i++ ) \
281 if (shifts[(INDEX)][(OFFSET)][i -1]) \
282 ROTL(TK + i * 4, TK, (15 * i) % 32); \
283 \
284 for ( i = 0; i < 20; i++ ) \
285 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
286 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
287 } \
Paul Bakker38119b12009-01-10 23:31:23 +0000288}
289
Paul Bakkerff60ee62010-03-16 21:09:09 +0000290static void camellia_feistel(const uint32_t x[2], const uint32_t k[2], uint32_t z[2])
Paul Bakker38119b12009-01-10 23:31:23 +0000291{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000292 uint32_t I0, I1;
293 I0 = x[0] ^ k[0];
294 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000295
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000296 I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
297 (SBOX2((I0 >> 16) & 0xFF) << 16) |
298 (SBOX3((I0 >> 8) & 0xFF) << 8) |
299 (SBOX4((I0 ) & 0xFF) );
300 I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
301 (SBOX3((I1 >> 16) & 0xFF) << 16) |
302 (SBOX4((I1 >> 8) & 0xFF) << 8) |
303 (SBOX1((I1 ) & 0xFF) );
Paul Bakker38119b12009-01-10 23:31:23 +0000304
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000305 I0 ^= (I1 << 8) | (I1 >> 24);
306 I1 ^= (I0 << 16) | (I0 >> 16);
307 I0 ^= (I1 >> 8) | (I1 << 24);
308 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000309
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000310 z[0] ^= I1;
311 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000312}
313
314/*
315 * Camellia key schedule (encryption)
316 */
Paul Bakker23986e52011-04-24 08:57:21 +0000317int camellia_setkey_enc( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000318{
Paul Bakker23986e52011-04-24 08:57:21 +0000319 int idx;
320 size_t i;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000321 uint32_t *RK;
Paul Bakker38119b12009-01-10 23:31:23 +0000322 unsigned char t[64];
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000323 uint32_t SIGMA[6][2];
324 uint32_t KC[16];
325 uint32_t TK[20];
Paul Bakker38119b12009-01-10 23:31:23 +0000326
327 RK = ctx->rk;
328
329 memset(t, 0, 64);
330 memset(RK, 0, sizeof(ctx->rk));
331
332 switch( keysize )
333 {
334 case 128: ctx->nr = 3; idx = 0; break;
335 case 192:
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000336 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000337 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000338 }
339
340 for( i = 0; i < keysize / 8; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000341 t[i] = key[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000342
343 if (keysize == 192) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000344 for (i = 0; i < 8; i++)
345 t[24 + i] = ~t[16 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000346 }
347
Paul Bakker38119b12009-01-10 23:31:23 +0000348 /*
349 * Prepare SIGMA values
350 */
Paul Bakker38119b12009-01-10 23:31:23 +0000351 for (i = 0; i < 6; i++) {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000352 GET_UINT32_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
353 GET_UINT32_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000354 }
355
356 /*
357 * Key storage in KC
358 * Order: KL, KR, KA, KB
359 */
Paul Bakker38119b12009-01-10 23:31:23 +0000360 memset(KC, 0, sizeof(KC));
361
362 /* Store KL, KR */
363 for (i = 0; i < 8; i++)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000364 GET_UINT32_BE(KC[i], t, i * 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000365
366 /* Generate KA */
367 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000368 KC[8 + i] = KC[i] ^ KC[4 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000369
370 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
371 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
372
373 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000374 KC[8 + i] ^= KC[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000375
376 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
377 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
378
379 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000380 /* Generate KB */
381 for( i = 0; i < 4; ++i)
382 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000383
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000384 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
385 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
Paul Bakker38119b12009-01-10 23:31:23 +0000386 }
387
388 /*
389 * Generating subkeys
390 */
Paul Bakker38119b12009-01-10 23:31:23 +0000391
392 /* Manipulating KL */
393 SHIFT_AND_PLACE(idx, 0);
394
395 /* Manipulating KR */
396 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000397 SHIFT_AND_PLACE(idx, 1);
Paul Bakker38119b12009-01-10 23:31:23 +0000398 }
399
400 /* Manipulating KA */
401 SHIFT_AND_PLACE(idx, 2);
402
403 /* Manipulating KB */
404 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000405 SHIFT_AND_PLACE(idx, 3);
Paul Bakker38119b12009-01-10 23:31:23 +0000406 }
407
408 /* Do transpositions */
409 for ( i = 0; i < 20; i++ ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000410 if (transposes[idx][i] != -1) {
411 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
412 }
Paul Bakker38119b12009-01-10 23:31:23 +0000413 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000414
415 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000416}
417
418/*
419 * Camellia key schedule (decryption)
420 */
Paul Bakker23986e52011-04-24 08:57:21 +0000421int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000422{
Paul Bakker23986e52011-04-24 08:57:21 +0000423 int idx;
424 size_t i;
Paul Bakker38119b12009-01-10 23:31:23 +0000425 camellia_context cty;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000426 uint32_t *RK;
427 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000428 int ret;
Paul Bakker38119b12009-01-10 23:31:23 +0000429
430 switch( keysize )
431 {
432 case 128: ctx->nr = 3; idx = 0; break;
433 case 192:
434 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000435 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000436 }
437
438 RK = ctx->rk;
439
Paul Bakker2b222c82009-07-27 21:03:45 +0000440 ret = camellia_setkey_enc(&cty, key, keysize);
441 if( ret != 0 )
442 return( ret );
Paul Bakker38119b12009-01-10 23:31:23 +0000443
444 SK = cty.rk + 24 * 2 + 8 * idx * 2;
445
446 *RK++ = *SK++;
447 *RK++ = *SK++;
448 *RK++ = *SK++;
449 *RK++ = *SK++;
450
451 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
452 {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000453 *RK++ = *SK++;
454 *RK++ = *SK++;
Paul Bakker38119b12009-01-10 23:31:23 +0000455 }
456
457 SK -= 2;
458
459 *RK++ = *SK++;
460 *RK++ = *SK++;
461 *RK++ = *SK++;
462 *RK++ = *SK++;
463
Paul Bakker312da332014-06-13 17:20:13 +0200464 polarssl_zeroize( &cty, sizeof( camellia_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000465
466 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000467}
468
469/*
470 * Camellia-ECB block encryption/decryption
471 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000472int camellia_crypt_ecb( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000473 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000474 const unsigned char input[16],
Paul Bakker38119b12009-01-10 23:31:23 +0000475 unsigned char output[16] )
476{
Paul Bakker026c03b2009-03-28 17:53:03 +0000477 int NR;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000478 uint32_t *RK, X[4];
Paul Bakker38119b12009-01-10 23:31:23 +0000479
Paul Bakkerc2547b02009-07-20 20:40:52 +0000480 ( (void) mode );
481
Paul Bakker38119b12009-01-10 23:31:23 +0000482 NR = ctx->nr;
483 RK = ctx->rk;
484
Paul Bakker5c2364c2012-10-01 14:41:15 +0000485 GET_UINT32_BE( X[0], input, 0 );
486 GET_UINT32_BE( X[1], input, 4 );
487 GET_UINT32_BE( X[2], input, 8 );
488 GET_UINT32_BE( X[3], input, 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000489
490 X[0] ^= *RK++;
491 X[1] ^= *RK++;
492 X[2] ^= *RK++;
493 X[3] ^= *RK++;
494
495 while (NR) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000496 --NR;
497 camellia_feistel(X, RK, X + 2);
498 RK += 2;
499 camellia_feistel(X + 2, RK, X);
500 RK += 2;
501 camellia_feistel(X, RK, X + 2);
502 RK += 2;
503 camellia_feistel(X + 2, RK, X);
504 RK += 2;
505 camellia_feistel(X, RK, X + 2);
506 RK += 2;
507 camellia_feistel(X + 2, RK, X);
508 RK += 2;
Paul Bakker38119b12009-01-10 23:31:23 +0000509
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000510 if (NR) {
511 FL(X[0], X[1], RK[0], RK[1]);
512 RK += 2;
513 FLInv(X[2], X[3], RK[0], RK[1]);
514 RK += 2;
515 }
Paul Bakker38119b12009-01-10 23:31:23 +0000516 }
517
518 X[2] ^= *RK++;
519 X[3] ^= *RK++;
520 X[0] ^= *RK++;
521 X[1] ^= *RK++;
522
Paul Bakker5c2364c2012-10-01 14:41:15 +0000523 PUT_UINT32_BE( X[2], output, 0 );
524 PUT_UINT32_BE( X[3], output, 4 );
525 PUT_UINT32_BE( X[0], output, 8 );
526 PUT_UINT32_BE( X[1], output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000527
528 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000529}
530
531/*
532 * Camellia-CBC buffer encryption/decryption
533 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000534int camellia_crypt_cbc( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000535 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000536 size_t length,
Paul Bakker38119b12009-01-10 23:31:23 +0000537 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000538 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000539 unsigned char *output )
540{
541 int i;
542 unsigned char temp[16];
543
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000544 if( length % 16 )
545 return( POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
546
Paul Bakker38119b12009-01-10 23:31:23 +0000547 if( mode == CAMELLIA_DECRYPT )
548 {
549 while( length > 0 )
550 {
551 memcpy( temp, input, 16 );
552 camellia_crypt_ecb( ctx, mode, input, output );
553
554 for( i = 0; i < 16; i++ )
555 output[i] = (unsigned char)( output[i] ^ iv[i] );
556
557 memcpy( iv, temp, 16 );
558
559 input += 16;
560 output += 16;
561 length -= 16;
562 }
563 }
564 else
565 {
566 while( length > 0 )
567 {
568 for( i = 0; i < 16; i++ )
569 output[i] = (unsigned char)( input[i] ^ iv[i] );
570
571 camellia_crypt_ecb( ctx, mode, output, output );
572 memcpy( iv, output, 16 );
573
574 input += 16;
575 output += 16;
576 length -= 16;
577 }
578 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000579
580 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000581}
582
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000583#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker38119b12009-01-10 23:31:23 +0000584/*
585 * Camellia-CFB128 buffer encryption/decryption
586 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000587int camellia_crypt_cfb128( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000588 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000589 size_t length,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000590 size_t *iv_off,
Paul Bakker38119b12009-01-10 23:31:23 +0000591 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000592 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000593 unsigned char *output )
594{
Paul Bakker1ef71df2011-06-09 14:14:58 +0000595 int c;
596 size_t n = *iv_off;
Paul Bakker38119b12009-01-10 23:31:23 +0000597
598 if( mode == CAMELLIA_DECRYPT )
599 {
600 while( length-- )
601 {
602 if( n == 0 )
603 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
604
605 c = *input++;
606 *output++ = (unsigned char)( c ^ iv[n] );
607 iv[n] = (unsigned char) c;
608
609 n = (n + 1) & 0x0F;
610 }
611 }
612 else
613 {
614 while( length-- )
615 {
616 if( n == 0 )
617 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
618
619 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
620
621 n = (n + 1) & 0x0F;
622 }
623 }
624
625 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000626
627 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000628}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000629#endif /* POLARSSL_CIPHER_MODE_CFB */
630
631#if defined(POLARSSL_CIPHER_MODE_CTR)
632/*
633 * Camellia-CTR buffer encryption/decryption
634 */
635int camellia_crypt_ctr( camellia_context *ctx,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000636 size_t length,
637 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000638 unsigned char nonce_counter[16],
639 unsigned char stream_block[16],
640 const unsigned char *input,
641 unsigned char *output )
642{
Paul Bakker369e14b2012-04-18 14:16:09 +0000643 int c, i;
Paul Bakker1ef71df2011-06-09 14:14:58 +0000644 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000645
646 while( length-- )
647 {
648 if( n == 0 ) {
649 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, nonce_counter, stream_block );
650
Paul Bakker369e14b2012-04-18 14:16:09 +0000651 for( i = 16; i > 0; i-- )
652 if( ++nonce_counter[i - 1] != 0 )
653 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000654 }
655 c = *input++;
656 *output++ = (unsigned char)( c ^ stream_block[n] );
657
658 n = (n + 1) & 0x0F;
659 }
660
661 *nc_off = n;
662
663 return( 0 );
664}
665#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker4087c472013-06-12 16:49:10 +0200666#endif /* !POLARSSL_CAMELLIA_ALT */
Paul Bakker38119b12009-01-10 23:31:23 +0000667
668#if defined(POLARSSL_SELF_TEST)
669
670#include <stdio.h>
671
672/*
673 * Camellia test vectors from:
674 *
675 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
676 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
677 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000678 * (For each bitlength: Key 0, Nr 39)
Paul Bakker38119b12009-01-10 23:31:23 +0000679 */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000680#define CAMELLIA_TESTS_ECB 2
Paul Bakker38119b12009-01-10 23:31:23 +0000681
682static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
683{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000684 {
685 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
686 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
687 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
688 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
689 },
690 {
691 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
692 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
693 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
694 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
695 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
696 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
697 },
698 {
699 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
700 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
701 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
702 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
703 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
704 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
707 },
Paul Bakker38119b12009-01-10 23:31:23 +0000708};
709
710static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
711{
712 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
713 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
714 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
715 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
716};
717
718static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
719{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000720 {
721 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
722 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
723 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
724 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
725 },
726 {
727 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
728 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
729 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
730 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
731 },
732 {
733 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
734 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
735 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
736 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
737 }
Paul Bakker38119b12009-01-10 23:31:23 +0000738};
739
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000740#define CAMELLIA_TESTS_CBC 3
Paul Bakker38119b12009-01-10 23:31:23 +0000741
742static const unsigned char camellia_test_cbc_key[3][32] =
743{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000744 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
745 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
746 ,
747 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
748 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
749 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
750 ,
751 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
752 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
753 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
754 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Paul Bakker38119b12009-01-10 23:31:23 +0000755};
756
757static const unsigned char camellia_test_cbc_iv[16] =
758
759 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
760 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
761;
762
763static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
764{
765 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
766 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
767 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
768 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
769 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
770 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
771
772};
773
774static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
775{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000776 {
777 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
778 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
779 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
780 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
781 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
782 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
783 },
784 {
785 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
786 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
787 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
788 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
789 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
790 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
791 },
792 {
793 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
794 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
795 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
796 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
797 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
798 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
799 }
Paul Bakker38119b12009-01-10 23:31:23 +0000800};
801
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000802#if defined(POLARSSL_CIPHER_MODE_CTR)
803/*
804 * Camellia-CTR test vectors from:
805 *
806 * http://www.faqs.org/rfcs/rfc5528.html
807 */
808
809static const unsigned char camellia_test_ctr_key[3][16] =
810{
811 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
812 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
813 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
814 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
815 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
816 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
817};
818
819static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
820{
821 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
822 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
823 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
824 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
825 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
826 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
827};
828
829static const unsigned char camellia_test_ctr_pt[3][48] =
830{
831 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
832 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
833
834 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
835 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
836 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
837 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
838
839 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
840 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
841 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
842 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
843 0x20, 0x21, 0x22, 0x23 }
844};
845
846static const unsigned char camellia_test_ctr_ct[3][48] =
847{
848 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
849 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
850 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
851 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
852 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
853 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
854 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
855 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
856 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
857 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
858 0xDF, 0x50, 0x86, 0x96 }
859};
860
861static const int camellia_test_ctr_len[3] =
862 { 16, 32, 36 };
863#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker38119b12009-01-10 23:31:23 +0000864
865/*
866 * Checkup routine
867 */
868int camellia_self_test( int verbose )
869{
Paul Bakker026c03b2009-03-28 17:53:03 +0000870 int i, j, u, v;
Paul Bakker38119b12009-01-10 23:31:23 +0000871 unsigned char key[32];
872 unsigned char buf[64];
Paul Bakker38119b12009-01-10 23:31:23 +0000873 unsigned char src[16];
874 unsigned char dst[16];
875 unsigned char iv[16];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000876#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakker1ef71df2011-06-09 14:14:58 +0000877 size_t offset, len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000878 unsigned char nonce_counter[16];
879 unsigned char stream_block[16];
880#endif
881
Paul Bakker38119b12009-01-10 23:31:23 +0000882 camellia_context ctx;
883
884 memset( key, 0, 32 );
885
886 for (j = 0; j < 6; j++) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000887 u = j >> 1;
888 v = j & 1;
Paul Bakker38119b12009-01-10 23:31:23 +0000889
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000890 if( verbose != 0 )
891 printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
892 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
Paul Bakker38119b12009-01-10 23:31:23 +0000893
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000894 for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
895 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000896
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000897 if (v == CAMELLIA_DECRYPT) {
898 camellia_setkey_dec(&ctx, key, 128 + u * 64);
899 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
900 memcpy(dst, camellia_test_ecb_plain[i], 16);
901 } else { /* CAMELLIA_ENCRYPT */
902 camellia_setkey_enc(&ctx, key, 128 + u * 64);
903 memcpy(src, camellia_test_ecb_plain[i], 16);
904 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
905 }
Paul Bakker38119b12009-01-10 23:31:23 +0000906
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000907 camellia_crypt_ecb(&ctx, v, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000908
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000909 if( memcmp( buf, dst, 16 ) != 0 )
910 {
911 if( verbose != 0 )
912 printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000913
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000914 return( 1 );
915 }
916 }
Paul Bakker38119b12009-01-10 23:31:23 +0000917
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000918 if( verbose != 0 )
919 printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000920 }
921
922 if( verbose != 0 )
923 printf( "\n" );
924
925 /*
926 * CBC mode
927 */
928 for( j = 0; j < 6; j++ )
929 {
930 u = j >> 1;
931 v = j & 1;
932
933 if( verbose != 0 )
934 printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
935 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
936
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000937 memcpy( src, camellia_test_cbc_iv, 16);
938 memcpy( dst, camellia_test_cbc_iv, 16);
939 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000940
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000941 if (v == CAMELLIA_DECRYPT) {
942 camellia_setkey_dec(&ctx, key, 128 + u * 64);
943 } else {
944 camellia_setkey_enc(&ctx, key, 128 + u * 64);
945 }
Paul Bakker38119b12009-01-10 23:31:23 +0000946
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000947 for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
Paul Bakker38119b12009-01-10 23:31:23 +0000948
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000949 if (v == CAMELLIA_DECRYPT) {
950 memcpy( iv , src, 16 );
951 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
952 memcpy(dst, camellia_test_cbc_plain[i], 16);
953 } else { /* CAMELLIA_ENCRYPT */
954 memcpy( iv , dst, 16 );
955 memcpy(src, camellia_test_cbc_plain[i], 16);
956 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
957 }
Paul Bakker38119b12009-01-10 23:31:23 +0000958
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000959 camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000960
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000961 if( memcmp( buf, dst, 16 ) != 0 )
962 {
963 if( verbose != 0 )
964 printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000965
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000966 return( 1 );
967 }
968 }
Paul Bakker38119b12009-01-10 23:31:23 +0000969
970 if( verbose != 0 )
971 printf( "passed\n" );
972 }
973
974 if( verbose != 0 )
975 printf( "\n" );
976
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000977#if defined(POLARSSL_CIPHER_MODE_CTR)
978 /*
979 * CTR mode
980 */
981 for( i = 0; i < 6; i++ )
982 {
983 u = i >> 1;
984 v = i & 1;
985
986 if( verbose != 0 )
987 printf( " CAMELLIA-CTR-128 (%s): ",
988 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
989
990 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
991 memcpy( key, camellia_test_ctr_key[u], 16 );
992
993 offset = 0;
994 camellia_setkey_enc( &ctx, key, 128 );
995
996 if( v == CAMELLIA_DECRYPT )
997 {
998 len = camellia_test_ctr_len[u];
999 memcpy( buf, camellia_test_ctr_ct[u], len );
1000
1001 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1002
1003 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1004 {
1005 if( verbose != 0 )
1006 printf( "failed\n" );
1007
1008 return( 1 );
1009 }
1010 }
1011 else
1012 {
1013 len = camellia_test_ctr_len[u];
1014 memcpy( buf, camellia_test_ctr_pt[u], len );
1015
1016 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1017
1018 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1019 {
1020 if( verbose != 0 )
1021 printf( "failed\n" );
1022
1023 return( 1 );
1024 }
1025 }
1026
1027 if( verbose != 0 )
1028 printf( "passed\n" );
1029 }
1030
1031 if( verbose != 0 )
1032 printf( "\n" );
1033#endif /* POLARSSL_CIPHER_MODE_CTR */
1034
Paul Bakker38119b12009-01-10 23:31:23 +00001035 return ( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +00001036}
1037
1038#endif
1039
1040#endif