1 /* 2 * Camellia implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 /* 20 * The Camellia block cipher was designed by NTT and Mitsubishi Electric 21 * Corporation. 22 * 23 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf 24 */ 25 26 #include "common.h" 27 28 #if defined(MBEDTLS_CAMELLIA_C) 29 30 #include "mbedtls/camellia.h" 31 #include "mbedtls/platform_util.h" 32 33 #include <string.h> 34 35 #if defined(MBEDTLS_SELF_TEST) 36 #if defined(MBEDTLS_PLATFORM_C) 37 #include "mbedtls/platform.h" 38 #else 39 #include <stdio.h> 40 #define mbedtls_printf printf 41 #endif /* MBEDTLS_PLATFORM_C */ 42 #endif /* MBEDTLS_SELF_TEST */ 43 44 #if !defined(MBEDTLS_CAMELLIA_ALT) 45 46 /* Parameter validation macros */ 47 #define CAMELLIA_VALIDATE_RET( cond ) \ 48 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA ) 49 #define CAMELLIA_VALIDATE( cond ) \ 50 MBEDTLS_INTERNAL_VALIDATE( cond ) 51 52 static const unsigned char SIGMA_CHARS[6][8] = 53 { 54 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b }, 55 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 }, 56 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe }, 57 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c }, 58 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d }, 59 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd } 60 }; 61 62 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY) 63 64 static const unsigned char FSb[256] = 65 { 66 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65, 67 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189, 68 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26, 69 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77, 70 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153, 71 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215, 72 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34, 73 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80, 74 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210, 75 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148, 76 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226, 77 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46, 78 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89, 79 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250, 80 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164, 81 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158 82 }; 83 84 #define SBOX1(n) FSb[(n)] 85 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff) 86 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff) 87 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff] 88 89 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ 90 91 static const unsigned char FSb[256] = 92 { 93 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65, 94 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189, 95 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26, 96 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77, 97 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153, 98 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215, 99 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34, 100 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80, 101 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210, 102 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148, 103 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226, 104 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46, 105 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89, 106 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250, 107 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164, 108 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158 109 }; 110 111 static const unsigned char FSb2[256] = 112 { 113 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130, 114 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123, 115 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52, 116 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154, 117 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51, 118 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175, 119 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68, 120 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160, 121 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165, 122 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41, 123 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197, 124 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92, 125 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178, 126 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245, 127 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73, 128 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61 129 }; 130 131 static const unsigned char FSb3[256] = 132 { 133 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160, 134 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222, 135 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13, 136 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166, 137 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204, 138 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235, 139 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17, 140 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40, 141 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105, 142 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74, 143 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113, 144 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23, 145 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172, 146 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125, 147 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82, 148 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79 149 }; 150 151 static const unsigned char FSb4[256] = 152 { 153 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146, 154 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108, 155 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4, 156 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105, 157 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221, 158 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99, 159 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141, 160 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128, 161 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189, 162 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77, 163 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215, 164 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80, 165 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148, 166 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46, 167 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250, 168 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158 169 }; 170 171 #define SBOX1(n) FSb[(n)] 172 #define SBOX2(n) FSb2[(n)] 173 #define SBOX3(n) FSb3[(n)] 174 #define SBOX4(n) FSb4[(n)] 175 176 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ 177 178 static const unsigned char shifts[2][4][4] = 179 { 180 { 181 { 1, 1, 1, 1 }, /* KL */ 182 { 0, 0, 0, 0 }, /* KR */ 183 { 1, 1, 1, 1 }, /* KA */ 184 { 0, 0, 0, 0 } /* KB */ 185 }, 186 { 187 { 1, 0, 1, 1 }, /* KL */ 188 { 1, 1, 0, 1 }, /* KR */ 189 { 1, 1, 1, 0 }, /* KA */ 190 { 1, 1, 0, 1 } /* KB */ 191 } 192 }; 193 194 static const signed char indexes[2][4][20] = 195 { 196 { 197 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39, 198 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */ 199 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 200 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */ 201 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17, 202 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */ 203 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 204 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */ 205 }, 206 { 207 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1, 208 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */ 209 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17, 210 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */ 211 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59, 212 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */ 213 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21, 214 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */ 215 } 216 }; 217 218 static const signed char transposes[2][20] = 219 { 220 { 221 21, 22, 23, 20, 222 -1, -1, -1, -1, 223 18, 19, 16, 17, 224 11, 8, 9, 10, 225 15, 12, 13, 14 226 }, 227 { 228 25, 26, 27, 24, 229 29, 30, 31, 28, 230 18, 19, 16, 17, 231 -1, -1, -1, -1, 232 -1, -1, -1, -1 233 } 234 }; 235 236 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */ 237 #define ROTL(DEST, SRC, SHIFT) \ 238 { \ 239 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \ 240 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \ 241 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \ 242 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \ 243 } 244 245 #define FL(XL, XR, KL, KR) \ 246 { \ 247 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \ 248 (XL) = ((XR) | (KR)) ^ (XL); \ 249 } 250 251 #define FLInv(YL, YR, KL, KR) \ 252 { \ 253 (YL) = ((YR) | (KR)) ^ (YL); \ 254 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \ 255 } 256 257 #define SHIFT_AND_PLACE(INDEX, OFFSET) \ 258 { \ 259 TK[0] = KC[(OFFSET) * 4 + 0]; \ 260 TK[1] = KC[(OFFSET) * 4 + 1]; \ 261 TK[2] = KC[(OFFSET) * 4 + 2]; \ 262 TK[3] = KC[(OFFSET) * 4 + 3]; \ 263 \ 264 for( i = 1; i <= 4; i++ ) \ 265 if( shifts[(INDEX)][(OFFSET)][i -1] ) \ 266 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \ 267 \ 268 for( i = 0; i < 20; i++ ) \ 269 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \ 270 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \ 271 } \ 272 } 273 274 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2], 275 uint32_t z[2]) 276 { 277 uint32_t I0, I1; 278 I0 = x[0] ^ k[0]; 279 I1 = x[1] ^ k[1]; 280 281 I0 = ((uint32_t) SBOX1( MBEDTLS_BYTE_3( I0 )) << 24) | 282 ((uint32_t) SBOX2( MBEDTLS_BYTE_2( I0 )) << 16) | 283 ((uint32_t) SBOX3( MBEDTLS_BYTE_1( I0 )) << 8) | 284 ((uint32_t) SBOX4( MBEDTLS_BYTE_0( I0 )) ); 285 I1 = ((uint32_t) SBOX2( MBEDTLS_BYTE_3( I1 )) << 24) | 286 ((uint32_t) SBOX3( MBEDTLS_BYTE_2( I1 )) << 16) | 287 ((uint32_t) SBOX4( MBEDTLS_BYTE_1( I1 )) << 8) | 288 ((uint32_t) SBOX1( MBEDTLS_BYTE_0( I1 )) ); 289 290 I0 ^= (I1 << 8) | (I1 >> 24); 291 I1 ^= (I0 << 16) | (I0 >> 16); 292 I0 ^= (I1 >> 8) | (I1 << 24); 293 I1 ^= (I0 >> 8) | (I0 << 24); 294 295 z[0] ^= I1; 296 z[1] ^= I0; 297 } 298 299 void mbedtls_camellia_init( mbedtls_camellia_context *ctx ) 300 { 301 CAMELLIA_VALIDATE( ctx != NULL ); 302 memset( ctx, 0, sizeof( mbedtls_camellia_context ) ); 303 } 304 305 void mbedtls_camellia_free( mbedtls_camellia_context *ctx ) 306 { 307 if( ctx == NULL ) 308 return; 309 310 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) ); 311 } 312 313 /* 314 * Camellia key schedule (encryption) 315 */ 316 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, 317 const unsigned char *key, 318 unsigned int keybits ) 319 { 320 int idx; 321 size_t i; 322 uint32_t *RK; 323 unsigned char t[64]; 324 uint32_t SIGMA[6][2]; 325 uint32_t KC[16]; 326 uint32_t TK[20]; 327 328 CAMELLIA_VALIDATE_RET( ctx != NULL ); 329 CAMELLIA_VALIDATE_RET( key != NULL ); 330 331 RK = ctx->rk; 332 333 memset( t, 0, 64 ); 334 memset( RK, 0, sizeof(ctx->rk) ); 335 336 switch( keybits ) 337 { 338 case 128: ctx->nr = 3; idx = 0; break; 339 case 192: 340 case 256: ctx->nr = 4; idx = 1; break; 341 default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA ); 342 } 343 344 for( i = 0; i < keybits / 8; ++i ) 345 t[i] = key[i]; 346 347 if( keybits == 192 ) { 348 for( i = 0; i < 8; i++ ) 349 t[24 + i] = ~t[16 + i]; 350 } 351 352 /* 353 * Prepare SIGMA values 354 */ 355 for( i = 0; i < 6; i++ ) { 356 SIGMA[i][0] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 0 ); 357 SIGMA[i][1] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 4 ); 358 } 359 360 /* 361 * Key storage in KC 362 * Order: KL, KR, KA, KB 363 */ 364 memset( KC, 0, sizeof(KC) ); 365 366 /* Store KL, KR */ 367 for( i = 0; i < 8; i++ ) 368 KC[i] = MBEDTLS_GET_UINT32_BE( t, i * 4 ); 369 370 /* Generate KA */ 371 for( i = 0; i < 4; ++i ) 372 KC[8 + i] = KC[i] ^ KC[4 + i]; 373 374 camellia_feistel( KC + 8, SIGMA[0], KC + 10 ); 375 camellia_feistel( KC + 10, SIGMA[1], KC + 8 ); 376 377 for( i = 0; i < 4; ++i ) 378 KC[8 + i] ^= KC[i]; 379 380 camellia_feistel( KC + 8, SIGMA[2], KC + 10 ); 381 camellia_feistel( KC + 10, SIGMA[3], KC + 8 ); 382 383 if( keybits > 128 ) { 384 /* Generate KB */ 385 for( i = 0; i < 4; ++i ) 386 KC[12 + i] = KC[4 + i] ^ KC[8 + i]; 387 388 camellia_feistel( KC + 12, SIGMA[4], KC + 14 ); 389 camellia_feistel( KC + 14, SIGMA[5], KC + 12 ); 390 } 391 392 /* 393 * Generating subkeys 394 */ 395 396 /* Manipulating KL */ 397 SHIFT_AND_PLACE( idx, 0 ); 398 399 /* Manipulating KR */ 400 if( keybits > 128 ) { 401 SHIFT_AND_PLACE( idx, 1 ); 402 } 403 404 /* Manipulating KA */ 405 SHIFT_AND_PLACE( idx, 2 ); 406 407 /* Manipulating KB */ 408 if( keybits > 128 ) { 409 SHIFT_AND_PLACE( idx, 3 ); 410 } 411 412 /* Do transpositions */ 413 for( i = 0; i < 20; i++ ) { 414 if( transposes[idx][i] != -1 ) { 415 RK[32 + 12 * idx + i] = RK[transposes[idx][i]]; 416 } 417 } 418 419 return( 0 ); 420 } 421 422 /* 423 * Camellia key schedule (decryption) 424 */ 425 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, 426 const unsigned char *key, 427 unsigned int keybits ) 428 { 429 int idx, ret; 430 size_t i; 431 mbedtls_camellia_context cty; 432 uint32_t *RK; 433 uint32_t *SK; 434 CAMELLIA_VALIDATE_RET( ctx != NULL ); 435 CAMELLIA_VALIDATE_RET( key != NULL ); 436 437 mbedtls_camellia_init( &cty ); 438 439 /* Also checks keybits */ 440 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 ) 441 goto exit; 442 443 ctx->nr = cty.nr; 444 idx = ( ctx->nr == 4 ); 445 446 RK = ctx->rk; 447 SK = cty.rk + 24 * 2 + 8 * idx * 2; 448 449 *RK++ = *SK++; 450 *RK++ = *SK++; 451 *RK++ = *SK++; 452 *RK++ = *SK++; 453 454 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 ) 455 { 456 *RK++ = *SK++; 457 *RK++ = *SK++; 458 } 459 460 SK -= 2; 461 462 *RK++ = *SK++; 463 *RK++ = *SK++; 464 *RK++ = *SK++; 465 *RK++ = *SK++; 466 467 exit: 468 mbedtls_camellia_free( &cty ); 469 470 return( ret ); 471 } 472 473 /* 474 * Camellia-ECB block encryption/decryption 475 */ 476 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx, 477 int mode, 478 const unsigned char input[16], 479 unsigned char output[16] ) 480 { 481 int NR; 482 uint32_t *RK, X[4]; 483 CAMELLIA_VALIDATE_RET( ctx != NULL ); 484 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT || 485 mode == MBEDTLS_CAMELLIA_DECRYPT ); 486 CAMELLIA_VALIDATE_RET( input != NULL ); 487 CAMELLIA_VALIDATE_RET( output != NULL ); 488 489 ( (void) mode ); 490 491 NR = ctx->nr; 492 RK = ctx->rk; 493 494 X[0] = MBEDTLS_GET_UINT32_BE( input, 0 ); 495 X[1] = MBEDTLS_GET_UINT32_BE( input, 4 ); 496 X[2] = MBEDTLS_GET_UINT32_BE( input, 8 ); 497 X[3] = MBEDTLS_GET_UINT32_BE( input, 12 ); 498 499 X[0] ^= *RK++; 500 X[1] ^= *RK++; 501 X[2] ^= *RK++; 502 X[3] ^= *RK++; 503 504 while( NR ) { 505 --NR; 506 camellia_feistel( X, RK, X + 2 ); 507 RK += 2; 508 camellia_feistel( X + 2, RK, X ); 509 RK += 2; 510 camellia_feistel( X, RK, X + 2 ); 511 RK += 2; 512 camellia_feistel( X + 2, RK, X ); 513 RK += 2; 514 camellia_feistel( X, RK, X + 2 ); 515 RK += 2; 516 camellia_feistel( X + 2, RK, X ); 517 RK += 2; 518 519 if( NR ) { 520 FL(X[0], X[1], RK[0], RK[1]); 521 RK += 2; 522 FLInv(X[2], X[3], RK[0], RK[1]); 523 RK += 2; 524 } 525 } 526 527 X[2] ^= *RK++; 528 X[3] ^= *RK++; 529 X[0] ^= *RK++; 530 X[1] ^= *RK++; 531 532 MBEDTLS_PUT_UINT32_BE( X[2], output, 0 ); 533 MBEDTLS_PUT_UINT32_BE( X[3], output, 4 ); 534 MBEDTLS_PUT_UINT32_BE( X[0], output, 8 ); 535 MBEDTLS_PUT_UINT32_BE( X[1], output, 12 ); 536 537 return( 0 ); 538 } 539 540 #if defined(MBEDTLS_CIPHER_MODE_CBC) 541 /* 542 * Camellia-CBC buffer encryption/decryption 543 */ 544 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx, 545 int mode, 546 size_t length, 547 unsigned char iv[16], 548 const unsigned char *input, 549 unsigned char *output ) 550 { 551 int i; 552 unsigned char temp[16]; 553 CAMELLIA_VALIDATE_RET( ctx != NULL ); 554 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT || 555 mode == MBEDTLS_CAMELLIA_DECRYPT ); 556 CAMELLIA_VALIDATE_RET( iv != NULL ); 557 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL ); 558 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL ); 559 560 if( length % 16 ) 561 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH ); 562 563 if( mode == MBEDTLS_CAMELLIA_DECRYPT ) 564 { 565 while( length > 0 ) 566 { 567 memcpy( temp, input, 16 ); 568 mbedtls_camellia_crypt_ecb( ctx, mode, input, output ); 569 570 for( i = 0; i < 16; i++ ) 571 output[i] = (unsigned char)( output[i] ^ iv[i] ); 572 573 memcpy( iv, temp, 16 ); 574 575 input += 16; 576 output += 16; 577 length -= 16; 578 } 579 } 580 else 581 { 582 while( length > 0 ) 583 { 584 for( i = 0; i < 16; i++ ) 585 output[i] = (unsigned char)( input[i] ^ iv[i] ); 586 587 mbedtls_camellia_crypt_ecb( ctx, mode, output, output ); 588 memcpy( iv, output, 16 ); 589 590 input += 16; 591 output += 16; 592 length -= 16; 593 } 594 } 595 596 return( 0 ); 597 } 598 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 599 600 #if defined(MBEDTLS_CIPHER_MODE_CFB) 601 /* 602 * Camellia-CFB128 buffer encryption/decryption 603 */ 604 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx, 605 int mode, 606 size_t length, 607 size_t *iv_off, 608 unsigned char iv[16], 609 const unsigned char *input, 610 unsigned char *output ) 611 { 612 int c; 613 size_t n; 614 CAMELLIA_VALIDATE_RET( ctx != NULL ); 615 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT || 616 mode == MBEDTLS_CAMELLIA_DECRYPT ); 617 CAMELLIA_VALIDATE_RET( iv != NULL ); 618 CAMELLIA_VALIDATE_RET( iv_off != NULL ); 619 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL ); 620 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL ); 621 622 n = *iv_off; 623 if( n >= 16 ) 624 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA ); 625 626 if( mode == MBEDTLS_CAMELLIA_DECRYPT ) 627 { 628 while( length-- ) 629 { 630 if( n == 0 ) 631 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv ); 632 633 c = *input++; 634 *output++ = (unsigned char)( c ^ iv[n] ); 635 iv[n] = (unsigned char) c; 636 637 n = ( n + 1 ) & 0x0F; 638 } 639 } 640 else 641 { 642 while( length-- ) 643 { 644 if( n == 0 ) 645 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv ); 646 647 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 648 649 n = ( n + 1 ) & 0x0F; 650 } 651 } 652 653 *iv_off = n; 654 655 return( 0 ); 656 } 657 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 658 659 #if defined(MBEDTLS_CIPHER_MODE_CTR) 660 /* 661 * Camellia-CTR buffer encryption/decryption 662 */ 663 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx, 664 size_t length, 665 size_t *nc_off, 666 unsigned char nonce_counter[16], 667 unsigned char stream_block[16], 668 const unsigned char *input, 669 unsigned char *output ) 670 { 671 int c, i; 672 size_t n; 673 CAMELLIA_VALIDATE_RET( ctx != NULL ); 674 CAMELLIA_VALIDATE_RET( nonce_counter != NULL ); 675 CAMELLIA_VALIDATE_RET( stream_block != NULL ); 676 CAMELLIA_VALIDATE_RET( nc_off != NULL ); 677 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL ); 678 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL ); 679 680 n = *nc_off; 681 if( n >= 16 ) 682 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA ); 683 684 while( length-- ) 685 { 686 if( n == 0 ) { 687 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter, 688 stream_block ); 689 690 for( i = 16; i > 0; i-- ) 691 if( ++nonce_counter[i - 1] != 0 ) 692 break; 693 } 694 c = *input++; 695 *output++ = (unsigned char)( c ^ stream_block[n] ); 696 697 n = ( n + 1 ) & 0x0F; 698 } 699 700 *nc_off = n; 701 702 return( 0 ); 703 } 704 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 705 #endif /* !MBEDTLS_CAMELLIA_ALT */ 706 707 #if defined(MBEDTLS_SELF_TEST) 708 709 /* 710 * Camellia test vectors from: 711 * 712 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html: 713 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt 714 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt 715 * (For each bitlength: Key 0, Nr 39) 716 */ 717 #define CAMELLIA_TESTS_ECB 2 718 719 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] = 720 { 721 { 722 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 723 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 }, 724 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 725 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 726 }, 727 { 728 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 729 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 730 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 }, 731 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 732 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 733 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 734 }, 735 { 736 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 737 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 738 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 739 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff }, 740 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 741 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 744 }, 745 }; 746 747 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] = 748 { 749 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 750 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 }, 751 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 752 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 753 }; 754 755 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] = 756 { 757 { 758 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73, 759 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 }, 760 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE, 761 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 } 762 }, 763 { 764 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8, 765 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 }, 766 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9, 767 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 } 768 }, 769 { 770 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c, 771 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 }, 772 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C, 773 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 } 774 } 775 }; 776 777 #if defined(MBEDTLS_CIPHER_MODE_CBC) 778 #define CAMELLIA_TESTS_CBC 3 779 780 static const unsigned char camellia_test_cbc_key[3][32] = 781 { 782 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 783 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C } 784 , 785 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 786 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 787 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B } 788 , 789 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 790 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 791 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 792 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 793 }; 794 795 static const unsigned char camellia_test_cbc_iv[16] = 796 797 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 798 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F } 799 ; 800 801 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] = 802 { 803 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 804 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A }, 805 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 806 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 }, 807 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 808 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF } 809 810 }; 811 812 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] = 813 { 814 { 815 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0, 816 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB }, 817 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78, 818 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 }, 819 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B, 820 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 } 821 }, 822 { 823 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2, 824 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 }, 825 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42, 826 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 }, 827 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8, 828 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 } 829 }, 830 { 831 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A, 832 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA }, 833 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40, 834 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 }, 835 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA, 836 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 } 837 } 838 }; 839 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 840 841 #if defined(MBEDTLS_CIPHER_MODE_CTR) 842 /* 843 * Camellia-CTR test vectors from: 844 * 845 * http://www.faqs.org/rfcs/rfc5528.html 846 */ 847 848 static const unsigned char camellia_test_ctr_key[3][16] = 849 { 850 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 851 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 852 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 853 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 854 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 855 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 856 }; 857 858 static const unsigned char camellia_test_ctr_nonce_counter[3][16] = 859 { 860 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 861 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 862 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 863 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 864 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 865 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 866 }; 867 868 static const unsigned char camellia_test_ctr_pt[3][48] = 869 { 870 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 871 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 872 873 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 874 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 875 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 876 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 877 878 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 879 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 880 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 881 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 882 0x20, 0x21, 0x22, 0x23 } 883 }; 884 885 static const unsigned char camellia_test_ctr_ct[3][48] = 886 { 887 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A, 888 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F }, 889 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4, 890 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44, 891 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7, 892 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 }, 893 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88, 894 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73, 895 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1, 896 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD, 897 0xDF, 0x50, 0x86, 0x96 } 898 }; 899 900 static const int camellia_test_ctr_len[3] = 901 { 16, 32, 36 }; 902 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 903 904 /* 905 * Checkup routine 906 */ 907 int mbedtls_camellia_self_test( int verbose ) 908 { 909 int i, j, u, v; 910 unsigned char key[32]; 911 unsigned char buf[64]; 912 unsigned char src[16]; 913 unsigned char dst[16]; 914 #if defined(MBEDTLS_CIPHER_MODE_CBC) 915 unsigned char iv[16]; 916 #endif 917 #if defined(MBEDTLS_CIPHER_MODE_CTR) 918 size_t offset, len; 919 unsigned char nonce_counter[16]; 920 unsigned char stream_block[16]; 921 #endif 922 int ret = 1; 923 924 mbedtls_camellia_context ctx; 925 926 mbedtls_camellia_init( &ctx ); 927 memset( key, 0, 32 ); 928 929 for( j = 0; j < 6; j++ ) { 930 u = j >> 1; 931 v = j & 1; 932 933 if( verbose != 0 ) 934 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64, 935 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc"); 936 937 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) { 938 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u ); 939 940 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 941 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 ); 942 memcpy( src, camellia_test_ecb_cipher[u][i], 16 ); 943 memcpy( dst, camellia_test_ecb_plain[i], 16 ); 944 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */ 945 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 ); 946 memcpy( src, camellia_test_ecb_plain[i], 16 ); 947 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 ); 948 } 949 950 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf ); 951 952 if( memcmp( buf, dst, 16 ) != 0 ) 953 { 954 if( verbose != 0 ) 955 mbedtls_printf( "failed\n" ); 956 goto exit; 957 } 958 } 959 960 if( verbose != 0 ) 961 mbedtls_printf( "passed\n" ); 962 } 963 964 if( verbose != 0 ) 965 mbedtls_printf( "\n" ); 966 967 #if defined(MBEDTLS_CIPHER_MODE_CBC) 968 /* 969 * CBC mode 970 */ 971 for( j = 0; j < 6; j++ ) 972 { 973 u = j >> 1; 974 v = j & 1; 975 976 if( verbose != 0 ) 977 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64, 978 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" ); 979 980 memcpy( src, camellia_test_cbc_iv, 16 ); 981 memcpy( dst, camellia_test_cbc_iv, 16 ); 982 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u ); 983 984 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 985 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 ); 986 } else { 987 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 ); 988 } 989 990 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) { 991 992 if( v == MBEDTLS_CAMELLIA_DECRYPT ) { 993 memcpy( iv , src, 16 ); 994 memcpy( src, camellia_test_cbc_cipher[u][i], 16 ); 995 memcpy( dst, camellia_test_cbc_plain[i], 16 ); 996 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */ 997 memcpy( iv , dst, 16 ); 998 memcpy( src, camellia_test_cbc_plain[i], 16 ); 999 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 ); 1000 } 1001 1002 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf ); 1003 1004 if( memcmp( buf, dst, 16 ) != 0 ) 1005 { 1006 if( verbose != 0 ) 1007 mbedtls_printf( "failed\n" ); 1008 goto exit; 1009 } 1010 } 1011 1012 if( verbose != 0 ) 1013 mbedtls_printf( "passed\n" ); 1014 } 1015 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1016 1017 if( verbose != 0 ) 1018 mbedtls_printf( "\n" ); 1019 1020 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1021 /* 1022 * CTR mode 1023 */ 1024 for( i = 0; i < 6; i++ ) 1025 { 1026 u = i >> 1; 1027 v = i & 1; 1028 1029 if( verbose != 0 ) 1030 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ", 1031 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" ); 1032 1033 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 ); 1034 memcpy( key, camellia_test_ctr_key[u], 16 ); 1035 1036 offset = 0; 1037 mbedtls_camellia_setkey_enc( &ctx, key, 128 ); 1038 1039 if( v == MBEDTLS_CAMELLIA_DECRYPT ) 1040 { 1041 len = camellia_test_ctr_len[u]; 1042 memcpy( buf, camellia_test_ctr_ct[u], len ); 1043 1044 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, 1045 buf, buf ); 1046 1047 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 ) 1048 { 1049 if( verbose != 0 ) 1050 mbedtls_printf( "failed\n" ); 1051 goto exit; 1052 } 1053 } 1054 else 1055 { 1056 len = camellia_test_ctr_len[u]; 1057 memcpy( buf, camellia_test_ctr_pt[u], len ); 1058 1059 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, 1060 buf, buf ); 1061 1062 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 ) 1063 { 1064 if( verbose != 0 ) 1065 mbedtls_printf( "failed\n" ); 1066 goto exit; 1067 } 1068 } 1069 1070 if( verbose != 0 ) 1071 mbedtls_printf( "passed\n" ); 1072 } 1073 1074 if( verbose != 0 ) 1075 mbedtls_printf( "\n" ); 1076 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1077 1078 ret = 0; 1079 1080 exit: 1081 mbedtls_camellia_free( &ctx ); 1082 return( ret ); 1083 } 1084 1085 #endif /* MBEDTLS_SELF_TEST */ 1086 1087 #endif /* MBEDTLS_CAMELLIA_C */ 1088