TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/archive/polarssl-1.2 / . / library / camellia.c
blob: 866b97af149bf0f2d91fb6c8d6805b1b42798a6c [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1/*
2 * Camellia implementation
3 *
Paul Bakker530927b2015-02-13 14:24:10 +0100[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
Manuel Pégourié-Gonnarde12abf92015-01-28 17:13:45 +0000[diff] [blame]6 * This file is part of mbed TLS (https://polarssl.org)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]23 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
24 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]25 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]26 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]27 */
28
29#include "polarssl/config.h"
30
31#if defined(POLARSSL_CAMELLIA_C)
32
33#include "polarssl/camellia.h"
34
Paul Bakker4087c472013-06-12 16:49:10 +0200[diff] [blame]35#if !defined(POLARSSL_CAMELLIA_ALT)
36
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame]37/* Implementation that should never be optimized out by the compiler */
38static void polarssl_zeroize( void *v, size_t n ) {
39 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
40}
41
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]42/*
43 * 32-bit integer manipulation macros (big endian)
44 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]45#ifndef GET_UINT32_BE
46#define GET_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]47{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]48 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
49 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
50 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
51 | ( (uint32_t) (b)[(i) + 3] ); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]52}
53#endif
54
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]55#ifndef PUT_UINT32_BE
56#define PUT_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]57{ \
58 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
59 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
60 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
61 (b)[(i) + 3] = (unsigned char) ( (n) ); \
62}
63#endif
64
65static const unsigned char SIGMA_CHARS[6][8] =
66{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]67 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
68 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
69 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
70 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
71 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
72 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]73};
74
Paul Bakker33008ee2011-11-18 12:58:25 +0000[diff] [blame]75#if defined(POLARSSL_CAMELLIA_SMALL_MEMORY)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]76
77static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]78{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]79 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
80 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
81 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
82 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
83 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
84 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
85 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
86 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
87 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
88 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
89 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
90 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
91 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
92 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
93 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
94 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]95};
96
97#define SBOX1(n) FSb[(n)]
98#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
99#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]100#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
101
102#else
103
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]104static const unsigned char FSb[256] =
105{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]106 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
107 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
108 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
109 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
110 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
111 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
112 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
113 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
114 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
115 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
116 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
117 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
118 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
119 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
120 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
121 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]122};
123
124static const unsigned char FSb2[256] =
125{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]126 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
127 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
128 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
129 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
130 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
131 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
132 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
133 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
134 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
135 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
136 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
137 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
138 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
139 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
140 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
141 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]142};
143
144static const unsigned char FSb3[256] =
145{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]146 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
147 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
148 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
149 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
150 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
151 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
152 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
153 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
154 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
155 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
156 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
157 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
158 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
159 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
160 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
161 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]162};
163
164static const unsigned char FSb4[256] =
165{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]166 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
167 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
168 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
169 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
170 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
171 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
172 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
173 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
174 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
175 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
176 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
177 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
178 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
179 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
180 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
181 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]182};
183
184#define SBOX1(n) FSb[(n)]
185#define SBOX2(n) FSb2[(n)]
186#define SBOX3(n) FSb3[(n)]
187#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]188
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]189#endif
190
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]191static const unsigned char shifts[2][4][4] =
192{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]193 {
194 { 1, 1, 1, 1 }, /* KL */
195 { 0, 0, 0, 0 }, /* KR */
196 { 1, 1, 1, 1 }, /* KA */
197 { 0, 0, 0, 0 } /* KB */
198 },
199 {
200 { 1, 0, 1, 1 }, /* KL */
201 { 1, 1, 0, 1 }, /* KR */
202 { 1, 1, 1, 0 }, /* KA */
203 { 1, 1, 0, 1 } /* KB */
204 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]205};
206
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]207static const signed char indexes[2][4][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]208{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]209 {
210 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
211 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
212 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
213 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
214 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
215 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
216 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
217 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
218 },
219 {
220 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
221 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
222 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
223 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
224 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
225 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
226 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
227 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
228 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]229};
230
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]231static const signed char transposes[2][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]232{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]233 {
234 21, 22, 23, 20,
235 -1, -1, -1, -1,
236 18, 19, 16, 17,
237 11, 8, 9, 10,
238 15, 12, 13, 14
239 },
240 {
241 25, 26, 27, 24,
242 29, 30, 31, 28,
243 18, 19, 16, 17,
244 -1, -1, -1, -1,
245 -1, -1, -1, -1
246 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]247};
248
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]249/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]250#define ROTL(DEST, SRC, SHIFT) \
251{ \
252 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
253 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
254 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
255 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]256}
257
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]258#define FL(XL, XR, KL, KR) \
259{ \
260 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
261 (XL) = ((XR) | (KR)) ^ (XL); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]262}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]263
264#define FLInv(YL, YR, KL, KR) \
265{ \
266 (YL) = ((YR) | (KR)) ^ (YL); \
267 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]268}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]269
270#define SHIFT_AND_PLACE(INDEX, OFFSET) \
271{ \
272 TK[0] = KC[(OFFSET) * 4 + 0]; \
273 TK[1] = KC[(OFFSET) * 4 + 1]; \
274 TK[2] = KC[(OFFSET) * 4 + 2]; \
275 TK[3] = KC[(OFFSET) * 4 + 3]; \
276 \
277 for ( i = 1; i <= 4; i++ ) \
278 if (shifts[(INDEX)][(OFFSET)][i -1]) \
279 ROTL(TK + i * 4, TK, (15 * i) % 32); \
280 \
281 for ( i = 0; i < 20; i++ ) \
282 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
283 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
284 } \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]285}
286
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]287static void camellia_feistel(const uint32_t x[2], const uint32_t k[2], uint32_t z[2])
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]288{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]289 uint32_t I0, I1;
290 I0 = x[0] ^ k[0];
291 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]292
Manuel Pégourié-Gonnardffbeedb2014-11-10 13:05:43 +0100[diff] [blame]293 I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
294 ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
295 ((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) |
296 ((uint32_t) SBOX4((I0 ) & 0xFF) );
297 I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
298 ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
299 ((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) |
300 ((uint32_t) SBOX1((I1 ) & 0xFF) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]301
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]302 I0 ^= (I1 << 8) | (I1 >> 24);
303 I1 ^= (I0 << 16) | (I0 >> 16);
304 I0 ^= (I1 >> 8) | (I1 << 24);
305 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]306
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]307 z[0] ^= I1;
308 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]309}
310
311/*
312 * Camellia key schedule (encryption)
313 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]314int camellia_setkey_enc( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]315{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]316 int idx;
317 size_t i;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]318 uint32_t *RK;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]319 unsigned char t[64];
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]320 uint32_t SIGMA[6][2];
321 uint32_t KC[16];
322 uint32_t TK[20];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]323
324 RK = ctx->rk;
325
326 memset(t, 0, 64);
327 memset(RK, 0, sizeof(ctx->rk));
328
329 switch( keysize )
330 {
331 case 128: ctx->nr = 3; idx = 0; break;
332 case 192:
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]333 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]334 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]335 }
336
337 for( i = 0; i < keysize / 8; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]338 t[i] = key[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]339
340 if (keysize == 192) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]341 for (i = 0; i < 8; i++)
342 t[24 + i] = ~t[16 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]343 }
344
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]345 /*
346 * Prepare SIGMA values
347 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]348 for (i = 0; i < 6; i++) {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]349 GET_UINT32_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
350 GET_UINT32_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]351 }
352
353 /*
354 * Key storage in KC
355 * Order: KL, KR, KA, KB
356 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]357 memset(KC, 0, sizeof(KC));
358
359 /* Store KL, KR */
360 for (i = 0; i < 8; i++)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]361 GET_UINT32_BE(KC[i], t, i * 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]362
363 /* Generate KA */
364 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]365 KC[8 + i] = KC[i] ^ KC[4 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]366
367 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
368 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
369
370 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]371 KC[8 + i] ^= KC[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]372
373 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
374 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
375
376 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]377 /* Generate KB */
378 for( i = 0; i < 4; ++i)
379 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]380
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]381 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
382 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]383 }
384
385 /*
386 * Generating subkeys
387 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]388
389 /* Manipulating KL */
390 SHIFT_AND_PLACE(idx, 0);
391
392 /* Manipulating KR */
393 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]394 SHIFT_AND_PLACE(idx, 1);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]395 }
396
397 /* Manipulating KA */
398 SHIFT_AND_PLACE(idx, 2);
399
400 /* Manipulating KB */
401 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]402 SHIFT_AND_PLACE(idx, 3);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]403 }
404
405 /* Do transpositions */
406 for ( i = 0; i < 20; i++ ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]407 if (transposes[idx][i] != -1) {
408 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
409 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]410 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]411
412 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]413}
414
415/*
416 * Camellia key schedule (decryption)
417 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]418int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]419{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]420 int idx;
421 size_t i;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]422 camellia_context cty;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]423 uint32_t *RK;
424 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]425 int ret;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]426
427 switch( keysize )
428 {
429 case 128: ctx->nr = 3; idx = 0; break;
430 case 192:
431 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]432 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]433 }
434
435 RK = ctx->rk;
436
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]437 ret = camellia_setkey_enc(&cty, key, keysize);
438 if( ret != 0 )
439 return( ret );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]440
441 SK = cty.rk + 24 * 2 + 8 * idx * 2;
442
443 *RK++ = *SK++;
444 *RK++ = *SK++;
445 *RK++ = *SK++;
446 *RK++ = *SK++;
447
448 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
449 {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]450 *RK++ = *SK++;
451 *RK++ = *SK++;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]452 }
453
454 SK -= 2;
455
456 *RK++ = *SK++;
457 *RK++ = *SK++;
458 *RK++ = *SK++;
459 *RK++ = *SK++;
460
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame]461 polarssl_zeroize( &cty, sizeof( camellia_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]462
463 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]464}
465
466/*
467 * Camellia-ECB block encryption/decryption
468 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]469int camellia_crypt_ecb( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]470 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]471 const unsigned char input[16],
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]472 unsigned char output[16] )
473{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]474 int NR;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]475 uint32_t *RK, X[4];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]476
Paul Bakkerc2547b02009-07-20 20:40:52 +0000[diff] [blame]477 ( (void) mode );
478
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]479 NR = ctx->nr;
480 RK = ctx->rk;
481
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]482 GET_UINT32_BE( X[0], input, 0 );
483 GET_UINT32_BE( X[1], input, 4 );
484 GET_UINT32_BE( X[2], input, 8 );
485 GET_UINT32_BE( X[3], input, 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]486
487 X[0] ^= *RK++;
488 X[1] ^= *RK++;
489 X[2] ^= *RK++;
490 X[3] ^= *RK++;
491
492 while (NR) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]493 --NR;
494 camellia_feistel(X, RK, X + 2);
495 RK += 2;
496 camellia_feistel(X + 2, RK, X);
497 RK += 2;
498 camellia_feistel(X, RK, X + 2);
499 RK += 2;
500 camellia_feistel(X + 2, RK, X);
501 RK += 2;
502 camellia_feistel(X, RK, X + 2);
503 RK += 2;
504 camellia_feistel(X + 2, RK, X);
505 RK += 2;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]506
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]507 if (NR) {
508 FL(X[0], X[1], RK[0], RK[1]);
509 RK += 2;
510 FLInv(X[2], X[3], RK[0], RK[1]);
511 RK += 2;
512 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]513 }
514
515 X[2] ^= *RK++;
516 X[3] ^= *RK++;
517 X[0] ^= *RK++;
518 X[1] ^= *RK++;
519
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]520 PUT_UINT32_BE( X[2], output, 0 );
521 PUT_UINT32_BE( X[3], output, 4 );
522 PUT_UINT32_BE( X[0], output, 8 );
523 PUT_UINT32_BE( X[1], output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]524
525 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]526}
527
528/*
529 * Camellia-CBC buffer encryption/decryption
530 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]531int camellia_crypt_cbc( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]532 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]533 size_t length,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]534 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]535 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]536 unsigned char *output )
537{
538 int i;
539 unsigned char temp[16];
540
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]541 if( length % 16 )
542 return( POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
543
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]544 if( mode == CAMELLIA_DECRYPT )
545 {
546 while( length > 0 )
547 {
548 memcpy( temp, input, 16 );
549 camellia_crypt_ecb( ctx, mode, input, output );
550
551 for( i = 0; i < 16; i++ )
552 output[i] = (unsigned char)( output[i] ^ iv[i] );
553
554 memcpy( iv, temp, 16 );
555
556 input += 16;
557 output += 16;
558 length -= 16;
559 }
560 }
561 else
562 {
563 while( length > 0 )
564 {
565 for( i = 0; i < 16; i++ )
566 output[i] = (unsigned char)( input[i] ^ iv[i] );
567
568 camellia_crypt_ecb( ctx, mode, output, output );
569 memcpy( iv, output, 16 );
570
571 input += 16;
572 output += 16;
573 length -= 16;
574 }
575 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]576
577 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]578}
579
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]580#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]581/*
582 * Camellia-CFB128 buffer encryption/decryption
583 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]584int camellia_crypt_cfb128( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]585 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]586 size_t length,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]587 size_t *iv_off,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]588 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]589 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]590 unsigned char *output )
591{
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]592 int c;
593 size_t n = *iv_off;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]594
595 if( mode == CAMELLIA_DECRYPT )
596 {
597 while( length-- )
598 {
599 if( n == 0 )
600 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
601
602 c = *input++;
603 *output++ = (unsigned char)( c ^ iv[n] );
604 iv[n] = (unsigned char) c;
605
606 n = (n + 1) & 0x0F;
607 }
608 }
609 else
610 {
611 while( length-- )
612 {
613 if( n == 0 )
614 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
615
616 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
617
618 n = (n + 1) & 0x0F;
619 }
620 }
621
622 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]623
624 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]625}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]626#endif /* POLARSSL_CIPHER_MODE_CFB */
627
628#if defined(POLARSSL_CIPHER_MODE_CTR)
629/*
630 * Camellia-CTR buffer encryption/decryption
631 */
632int camellia_crypt_ctr( camellia_context *ctx,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]633 size_t length,
634 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]635 unsigned char nonce_counter[16],
636 unsigned char stream_block[16],
637 const unsigned char *input,
638 unsigned char *output )
639{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]640 int c, i;
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]641 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]642
643 while( length-- )
644 {
645 if( n == 0 ) {
646 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, nonce_counter, stream_block );
647
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]648 for( i = 16; i > 0; i-- )
649 if( ++nonce_counter[i - 1] != 0 )
650 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]651 }
652 c = *input++;
653 *output++ = (unsigned char)( c ^ stream_block[n] );
654
655 n = (n + 1) & 0x0F;
656 }
657
658 *nc_off = n;
659
660 return( 0 );
661}
662#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker4087c472013-06-12 16:49:10 +0200[diff] [blame]663#endif /* !POLARSSL_CAMELLIA_ALT */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]664
665#if defined(POLARSSL_SELF_TEST)
666
667#include <stdio.h>
668
669/*
670 * Camellia test vectors from:
671 *
672 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
673 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
674 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]675 * (For each bitlength: Key 0, Nr 39)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]676 */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]677#define CAMELLIA_TESTS_ECB 2
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]678
679static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
680{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]681 {
682 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
683 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
684 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
685 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
686 },
687 {
688 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
689 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
690 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
691 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
693 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
694 },
695 {
696 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
697 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
698 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
699 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
700 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
703 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
704 },
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]705};
706
707static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
708{
709 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
710 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
711 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
712 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
713};
714
715static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
716{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]717 {
718 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
719 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
720 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
721 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
722 },
723 {
724 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
725 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
726 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
727 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
728 },
729 {
730 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
731 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
732 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
733 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
734 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]735};
736
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]737#define CAMELLIA_TESTS_CBC 3
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]738
739static const unsigned char camellia_test_cbc_key[3][32] =
740{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]741 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
742 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
743 ,
744 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
745 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
746 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
747 ,
748 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
749 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
750 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
751 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]752};
753
754static const unsigned char camellia_test_cbc_iv[16] =
755
756 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
757 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
758;
759
760static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
761{
762 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
763 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
764 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
765 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
766 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
767 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
768
769};
770
771static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
772{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]773 {
774 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
775 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
776 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
777 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
778 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
779 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
780 },
781 {
782 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
783 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
784 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
785 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
786 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
787 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
788 },
789 {
790 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
791 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
792 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
793 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
794 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
795 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
796 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]797};
798
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]799#if defined(POLARSSL_CIPHER_MODE_CTR)
800/*
801 * Camellia-CTR test vectors from:
802 *
803 * http://www.faqs.org/rfcs/rfc5528.html
804 */
805
806static const unsigned char camellia_test_ctr_key[3][16] =
807{
808 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
809 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
810 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
811 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
812 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
813 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
814};
815
816static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
817{
818 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
819 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
820 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
821 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
822 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
823 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
824};
825
826static const unsigned char camellia_test_ctr_pt[3][48] =
827{
828 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
829 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
830
831 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
832 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
833 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
834 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
835
836 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
837 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
838 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
839 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
840 0x20, 0x21, 0x22, 0x23 }
841};
842
843static const unsigned char camellia_test_ctr_ct[3][48] =
844{
845 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
846 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
847 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
848 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
849 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
850 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
851 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
852 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
853 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
854 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
855 0xDF, 0x50, 0x86, 0x96 }
856};
857
858static const int camellia_test_ctr_len[3] =
859 { 16, 32, 36 };
860#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]861
862/*
863 * Checkup routine
864 */
865int camellia_self_test( int verbose )
866{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]867 int i, j, u, v;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]868 unsigned char key[32];
869 unsigned char buf[64];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]870 unsigned char src[16];
871 unsigned char dst[16];
872 unsigned char iv[16];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]873#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]874 size_t offset, len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]875 unsigned char nonce_counter[16];
876 unsigned char stream_block[16];
877#endif
878
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]879 camellia_context ctx;
880
881 memset( key, 0, 32 );
882
883 for (j = 0; j < 6; j++) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]884 u = j >> 1;
885 v = j & 1;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]886
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]887 if( verbose != 0 )
888 printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
889 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]890
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]891 for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
892 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]893
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]894 if (v == CAMELLIA_DECRYPT) {
895 camellia_setkey_dec(&ctx, key, 128 + u * 64);
896 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
897 memcpy(dst, camellia_test_ecb_plain[i], 16);
898 } else { /* CAMELLIA_ENCRYPT */
899 camellia_setkey_enc(&ctx, key, 128 + u * 64);
900 memcpy(src, camellia_test_ecb_plain[i], 16);
901 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
902 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]903
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]904 camellia_crypt_ecb(&ctx, v, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]905
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]906 if( memcmp( buf, dst, 16 ) != 0 )
907 {
908 if( verbose != 0 )
909 printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]910
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]911 return( 1 );
912 }
913 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]914
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]915 if( verbose != 0 )
916 printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]917 }
918
919 if( verbose != 0 )
920 printf( "\n" );
921
922 /*
923 * CBC mode
924 */
925 for( j = 0; j < 6; j++ )
926 {
927 u = j >> 1;
928 v = j & 1;
929
930 if( verbose != 0 )
931 printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
932 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
933
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]934 memcpy( src, camellia_test_cbc_iv, 16);
935 memcpy( dst, camellia_test_cbc_iv, 16);
936 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]937
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]938 if (v == CAMELLIA_DECRYPT) {
939 camellia_setkey_dec(&ctx, key, 128 + u * 64);
940 } else {
941 camellia_setkey_enc(&ctx, key, 128 + u * 64);
942 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]943
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]944 for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]945
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]946 if (v == CAMELLIA_DECRYPT) {
947 memcpy( iv , src, 16 );
948 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
949 memcpy(dst, camellia_test_cbc_plain[i], 16);
950 } else { /* CAMELLIA_ENCRYPT */
951 memcpy( iv , dst, 16 );
952 memcpy(src, camellia_test_cbc_plain[i], 16);
953 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
954 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]955
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]956 camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]957
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]958 if( memcmp( buf, dst, 16 ) != 0 )
959 {
960 if( verbose != 0 )
961 printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]962
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]963 return( 1 );
964 }
965 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]966
967 if( verbose != 0 )
968 printf( "passed\n" );
969 }
970
971 if( verbose != 0 )
972 printf( "\n" );
973
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]974#if defined(POLARSSL_CIPHER_MODE_CTR)
975 /*
976 * CTR mode
977 */
978 for( i = 0; i < 6; i++ )
979 {
980 u = i >> 1;
981 v = i & 1;
982
983 if( verbose != 0 )
984 printf( " CAMELLIA-CTR-128 (%s): ",
985 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
986
987 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
988 memcpy( key, camellia_test_ctr_key[u], 16 );
989
990 offset = 0;
991 camellia_setkey_enc( &ctx, key, 128 );
992
993 if( v == CAMELLIA_DECRYPT )
994 {
995 len = camellia_test_ctr_len[u];
996 memcpy( buf, camellia_test_ctr_ct[u], len );
997
998 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
999
1000 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1001 {
1002 if( verbose != 0 )
1003 printf( "failed\n" );
1004
1005 return( 1 );
1006 }
1007 }
1008 else
1009 {
1010 len = camellia_test_ctr_len[u];
1011 memcpy( buf, camellia_test_ctr_pt[u], len );
1012
1013 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1014
1015 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1016 {
1017 if( verbose != 0 )
1018 printf( "failed\n" );
1019
1020 return( 1 );
1021 }
1022 }
1023
1024 if( verbose != 0 )
1025 printf( "passed\n" );
1026 }
1027
1028 if( verbose != 0 )
1029 printf( "\n" );
1030#endif /* POLARSSL_CIPHER_MODE_CTR */
1031
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1032 return ( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1033}
1034
1035#endif
1036
1037#endif