Rivoreo Source Code Repositories
src.rivoreo.one / security / mbedtls / d4fd57dda4573466a9e319e121000e62c739cda9 / . / library / camellia.c
blob: 2366caed6c548cac55be55bf7007a94496b147f9 [file] [log] [blame] [raw]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1/*
2 * Camellia implementation
3 *
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]26 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
27 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]28 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]29 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]30 */
31
32#include "polarssl/config.h"
33
34#if defined(POLARSSL_CAMELLIA_C)
35
36#include "polarssl/camellia.h"
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]37
38#if !defined(POLARSSL_CAMELLIA_ALT)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]39
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]40/*
41 * 32-bit integer manipulation macros (big endian)
42 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]43#ifndef GET_UINT32_BE
44#define GET_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]45{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]46 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
47 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
48 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
49 | ( (uint32_t) (b)[(i) + 3] ); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]50}
51#endif
52
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]53#ifndef PUT_UINT32_BE
54#define PUT_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]55{ \
56 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
57 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
58 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
59 (b)[(i) + 3] = (unsigned char) ( (n) ); \
60}
61#endif
62
63static const unsigned char SIGMA_CHARS[6][8] =
64{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]65 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
66 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
67 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
68 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
69 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
70 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]71};
72
Paul Bakker33008ee2011-11-18 12:58:25 +0000[diff] [blame]73#if defined(POLARSSL_CAMELLIA_SMALL_MEMORY)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]74
75static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]76{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]77 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
78 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
79 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
80 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
81 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
82 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
83 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
84 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
85 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
86 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
87 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
88 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
89 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
90 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
91 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
92 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]93};
94
95#define SBOX1(n) FSb[(n)]
96#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
97#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]98#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
99
100#else
101
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]102static const unsigned char FSb[256] =
103{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]104 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
105 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
106 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
107 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
108 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
109 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
110 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
111 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
112 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
113 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
114 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
115 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
116 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
117 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
118 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
119 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]120};
121
122static const unsigned char FSb2[256] =
123{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]124 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
125 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
126 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
127 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
128 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
129 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
130 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
131 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
132 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
133 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
134 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
135 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
136 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
137 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
138 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
139 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]140};
141
142static const unsigned char FSb3[256] =
143{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]144 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
145 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
146 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
147 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
148 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
149 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
150 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
151 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
152 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
153 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
154 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
155 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
156 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
157 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
158 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
159 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]160};
161
162static const unsigned char FSb4[256] =
163{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]164 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
165 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
166 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
167 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
168 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
169 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
170 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
171 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
172 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
173 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
174 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
175 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
176 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
177 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
178 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
179 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]180};
181
182#define SBOX1(n) FSb[(n)]
183#define SBOX2(n) FSb2[(n)]
184#define SBOX3(n) FSb3[(n)]
185#define SBOX4(n) FSb4[(n)]
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]186
187#endif
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]188
189static const unsigned char shifts[2][4][4] =
190{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]191 {
192 { 1, 1, 1, 1 }, /* KL */
193 { 0, 0, 0, 0 }, /* KR */
194 { 1, 1, 1, 1 }, /* KA */
195 { 0, 0, 0, 0 } /* KB */
196 },
197 {
198 { 1, 0, 1, 1 }, /* KL */
199 { 1, 1, 0, 1 }, /* KR */
200 { 1, 1, 1, 0 }, /* KA */
201 { 1, 1, 0, 1 } /* KB */
202 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]203};
204
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]205static const signed char indexes[2][4][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]206{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]207 {
208 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
209 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
210 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
211 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
212 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
213 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
214 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
215 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
216 },
217 {
218 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
219 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
220 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
221 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
222 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
223 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
224 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
225 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
226 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]227};
228
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]229static const signed char transposes[2][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]230{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]231 {
232 21, 22, 23, 20,
233 -1, -1, -1, -1,
234 18, 19, 16, 17,
235 11, 8, 9, 10,
236 15, 12, 13, 14
237 },
238 {
239 25, 26, 27, 24,
240 29, 30, 31, 28,
241 18, 19, 16, 17,
242 -1, -1, -1, -1,
243 -1, -1, -1, -1
244 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]245};
246
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]247/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]248#define ROTL(DEST, SRC, SHIFT) \
249{ \
250 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
251 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
252 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
253 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]254}
255
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]256#define FL(XL, XR, KL, KR) \
257{ \
258 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
259 (XL) = ((XR) | (KR)) ^ (XL); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]260}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]261
262#define FLInv(YL, YR, KL, KR) \
263{ \
264 (YL) = ((YR) | (KR)) ^ (YL); \
265 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]266}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]267
268#define SHIFT_AND_PLACE(INDEX, OFFSET) \
269{ \
270 TK[0] = KC[(OFFSET) * 4 + 0]; \
271 TK[1] = KC[(OFFSET) * 4 + 1]; \
272 TK[2] = KC[(OFFSET) * 4 + 2]; \
273 TK[3] = KC[(OFFSET) * 4 + 3]; \
274 \
275 for ( i = 1; i <= 4; i++ ) \
276 if (shifts[(INDEX)][(OFFSET)][i -1]) \
277 ROTL(TK + i * 4, TK, (15 * i) % 32); \
278 \
279 for ( i = 0; i < 20; i++ ) \
280 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
281 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
282 } \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]283}
284
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]285static void camellia_feistel(const uint32_t x[2], const uint32_t k[2], uint32_t z[2])
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]286{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]287 uint32_t I0, I1;
288 I0 = x[0] ^ k[0];
289 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]290
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]291 I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
292 (SBOX2((I0 >> 16) & 0xFF) << 16) |
293 (SBOX3((I0 >> 8) & 0xFF) << 8) |
294 (SBOX4((I0 ) & 0xFF) );
295 I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
296 (SBOX3((I1 >> 16) & 0xFF) << 16) |
297 (SBOX4((I1 >> 8) & 0xFF) << 8) |
298 (SBOX1((I1 ) & 0xFF) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]299
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]300 I0 ^= (I1 << 8) | (I1 >> 24);
301 I1 ^= (I0 << 16) | (I0 >> 16);
302 I0 ^= (I1 >> 8) | (I1 << 24);
303 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]304
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]305 z[0] ^= I1;
306 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]307}
308
309/*
310 * Camellia key schedule (encryption)
311 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]312int camellia_setkey_enc( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]313{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]314 int idx;
315 size_t i;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]316 uint32_t *RK;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]317 unsigned char t[64];
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]318 uint32_t SIGMA[6][2];
319 uint32_t KC[16];
320 uint32_t TK[20];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]321
322 RK = ctx->rk;
323
324 memset(t, 0, 64);
325 memset(RK, 0, sizeof(ctx->rk));
326
327 switch( keysize )
328 {
329 case 128: ctx->nr = 3; idx = 0; break;
330 case 192:
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]331 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]332 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]333 }
334
335 for( i = 0; i < keysize / 8; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]336 t[i] = key[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]337
338 if (keysize == 192) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]339 for (i = 0; i < 8; i++)
340 t[24 + i] = ~t[16 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]341 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]342
343 /*
344 * Prepare SIGMA values
345 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]346 for (i = 0; i < 6; i++) {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]347 GET_UINT32_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
348 GET_UINT32_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]349 }
350
351 /*
352 * Key storage in KC
353 * Order: KL, KR, KA, KB
354 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]355 memset(KC, 0, sizeof(KC));
356
357 /* Store KL, KR */
358 for (i = 0; i < 8; i++)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359 GET_UINT32_BE(KC[i], t, i * 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]360
361 /* Generate KA */
362 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]363 KC[8 + i] = KC[i] ^ KC[4 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]364
365 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
366 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
367
368 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]369 KC[8 + i] ^= KC[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]370
371 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
372 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
373
374 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]375 /* Generate KB */
376 for( i = 0; i < 4; ++i)
377 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]378
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]379 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
380 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]381 }
382
383 /*
384 * Generating subkeys
385 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]386
387 /* Manipulating KL */
388 SHIFT_AND_PLACE(idx, 0);
389
390 /* Manipulating KR */
391 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]392 SHIFT_AND_PLACE(idx, 1);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]393 }
394
395 /* Manipulating KA */
396 SHIFT_AND_PLACE(idx, 2);
397
398 /* Manipulating KB */
399 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]400 SHIFT_AND_PLACE(idx, 3);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]401 }
402
403 /* Do transpositions */
404 for ( i = 0; i < 20; i++ ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]405 if (transposes[idx][i] != -1) {
406 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
407 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]408 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]409
410 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]411}
412
413/*
414 * Camellia key schedule (decryption)
415 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]416int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]417{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]418 int idx;
419 size_t i;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]420 camellia_context cty;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]421 uint32_t *RK;
422 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]423 int ret;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]424
425 switch( keysize )
426 {
427 case 128: ctx->nr = 3; idx = 0; break;
428 case 192:
429 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]430 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]431 }
432
433 RK = ctx->rk;
434
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]435 ret = camellia_setkey_enc(&cty, key, keysize);
436 if( ret != 0 )
437 return( ret );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]438
439 SK = cty.rk + 24 * 2 + 8 * idx * 2;
440
441 *RK++ = *SK++;
442 *RK++ = *SK++;
443 *RK++ = *SK++;
444 *RK++ = *SK++;
445
446 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
447 {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]448 *RK++ = *SK++;
449 *RK++ = *SK++;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]450 }
451
452 SK -= 2;
453
454 *RK++ = *SK++;
455 *RK++ = *SK++;
456 *RK++ = *SK++;
457 *RK++ = *SK++;
458
459 memset( &cty, 0, sizeof( camellia_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]460
461 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]462}
463
464/*
465 * Camellia-ECB block encryption/decryption
466 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]467int camellia_crypt_ecb( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]468 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]469 const unsigned char input[16],
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]470 unsigned char output[16] )
471{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]472 int NR;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]473 uint32_t *RK, X[4];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]474
Paul Bakkerc2547b02009-07-20 20:40:52 +0000[diff] [blame]475 ( (void) mode );
476
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]477 NR = ctx->nr;
478 RK = ctx->rk;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]479
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]480 GET_UINT32_BE( X[0], input, 0 );
481 GET_UINT32_BE( X[1], input, 4 );
482 GET_UINT32_BE( X[2], input, 8 );
483 GET_UINT32_BE( X[3], input, 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]484
485 X[0] ^= *RK++;
486 X[1] ^= *RK++;
487 X[2] ^= *RK++;
488 X[3] ^= *RK++;
489
490 while (NR) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]491 --NR;
492 camellia_feistel(X, RK, X + 2);
493 RK += 2;
494 camellia_feistel(X + 2, RK, X);
495 RK += 2;
496 camellia_feistel(X, RK, X + 2);
497 RK += 2;
498 camellia_feistel(X + 2, RK, X);
499 RK += 2;
500 camellia_feistel(X, RK, X + 2);
501 RK += 2;
502 camellia_feistel(X + 2, RK, X);
503 RK += 2;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]504
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]505 if (NR) {
506 FL(X[0], X[1], RK[0], RK[1]);
507 RK += 2;
508 FLInv(X[2], X[3], RK[0], RK[1]);
509 RK += 2;
510 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]511 }
512
513 X[2] ^= *RK++;
514 X[3] ^= *RK++;
515 X[0] ^= *RK++;
516 X[1] ^= *RK++;
517
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]518 PUT_UINT32_BE( X[2], output, 0 );
519 PUT_UINT32_BE( X[3], output, 4 );
520 PUT_UINT32_BE( X[0], output, 8 );
521 PUT_UINT32_BE( X[1], output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]522
523 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]524}
525
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]526#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]527/*
528 * Camellia-CBC buffer encryption/decryption
529 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]530int camellia_crypt_cbc( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]531 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]532 size_t length,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]533 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]534 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]535 unsigned char *output )
536{
537 int i;
538 unsigned char temp[16];
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]539
540 if( length % 16 )
541 return( POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]542
543 if( mode == CAMELLIA_DECRYPT )
544 {
545 while( length > 0 )
546 {
547 memcpy( temp, input, 16 );
548 camellia_crypt_ecb( ctx, mode, input, output );
549
550 for( i = 0; i < 16; i++ )
551 output[i] = (unsigned char)( output[i] ^ iv[i] );
552
553 memcpy( iv, temp, 16 );
554
555 input += 16;
556 output += 16;
557 length -= 16;
558 }
559 }
560 else
561 {
562 while( length > 0 )
563 {
564 for( i = 0; i < 16; i++ )
565 output[i] = (unsigned char)( input[i] ^ iv[i] );
566
567 camellia_crypt_ecb( ctx, mode, output, output );
568 memcpy( iv, output, 16 );
569
570 input += 16;
571 output += 16;
572 length -= 16;
573 }
574 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]575
576 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]577}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]578#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]579
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]580#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]581/*
582 * Camellia-CFB128 buffer encryption/decryption
583 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]584int camellia_crypt_cfb128( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]585 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]586 size_t length,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]587 size_t *iv_off,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]588 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]589 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]590 unsigned char *output )
591{
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]592 int c;
593 size_t n = *iv_off;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]594
595 if( mode == CAMELLIA_DECRYPT )
596 {
597 while( length-- )
598 {
599 if( n == 0 )
600 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
601
602 c = *input++;
603 *output++ = (unsigned char)( c ^ iv[n] );
604 iv[n] = (unsigned char) c;
605
606 n = (n + 1) & 0x0F;
607 }
608 }
609 else
610 {
611 while( length-- )
612 {
613 if( n == 0 )
614 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
615
616 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
617
618 n = (n + 1) & 0x0F;
619 }
620 }
621
622 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]623
624 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]625}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]626#endif /* POLARSSL_CIPHER_MODE_CFB */
627
628#if defined(POLARSSL_CIPHER_MODE_CTR)
629/*
630 * Camellia-CTR buffer encryption/decryption
631 */
632int camellia_crypt_ctr( camellia_context *ctx,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]633 size_t length,
634 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]635 unsigned char nonce_counter[16],
636 unsigned char stream_block[16],
637 const unsigned char *input,
638 unsigned char *output )
639{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]640 int c, i;
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]641 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]642
643 while( length-- )
644 {
645 if( n == 0 ) {
646 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, nonce_counter, stream_block );
647
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]648 for( i = 16; i > 0; i-- )
649 if( ++nonce_counter[i - 1] != 0 )
650 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]651 }
652 c = *input++;
653 *output++ = (unsigned char)( c ^ stream_block[n] );
654
655 n = (n + 1) & 0x0F;
656 }
657
658 *nc_off = n;
659
660 return( 0 );
661}
662#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]663#endif /* !POLARSSL_CAMELLIA_ALT */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]664
665#if defined(POLARSSL_SELF_TEST)
666
667#include <stdio.h>
668
669/*
670 * Camellia test vectors from:
671 *
672 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
673 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
674 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]675 * (For each bitlength: Key 0, Nr 39)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]676 */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]677#define CAMELLIA_TESTS_ECB 2
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]678
679static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
680{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]681 {
682 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
683 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
684 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
685 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
686 },
687 {
688 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
689 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
690 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
691 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
693 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
694 },
695 {
696 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
697 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
698 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
699 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
700 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
703 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
704 },
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]705};
706
707static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
708{
709 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
710 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
711 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
712 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
713};
714
715static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
716{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]717 {
718 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
719 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
720 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
721 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
722 },
723 {
724 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
725 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
726 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
727 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
728 },
729 {
730 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
731 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
732 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
733 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
734 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]735};
736
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]737#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]738#define CAMELLIA_TESTS_CBC 3
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]739
740static const unsigned char camellia_test_cbc_key[3][32] =
741{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]742 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
743 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
744 ,
745 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
746 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
747 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
748 ,
749 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
750 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
751 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
752 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]753};
754
755static const unsigned char camellia_test_cbc_iv[16] =
756
757 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
758 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
759;
760
761static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
762{
763 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
764 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
765 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
766 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
767 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
768 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
769
770};
771
772static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
773{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]774 {
775 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
776 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
777 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
778 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
779 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
780 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
781 },
782 {
783 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
784 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
785 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
786 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
787 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
788 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
789 },
790 {
791 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
792 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
793 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
794 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
795 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
796 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
797 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]798};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]799#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]800
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]801#if defined(POLARSSL_CIPHER_MODE_CTR)
802/*
803 * Camellia-CTR test vectors from:
804 *
805 * http://www.faqs.org/rfcs/rfc5528.html
806 */
807
808static const unsigned char camellia_test_ctr_key[3][16] =
809{
810 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
811 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
812 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
813 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
814 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
815 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
816};
817
818static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
819{
820 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
822 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
823 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
824 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
825 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
826};
827
828static const unsigned char camellia_test_ctr_pt[3][48] =
829{
830 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
831 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
832
833 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
834 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
835 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
836 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
837
838 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
839 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
840 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
841 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
842 0x20, 0x21, 0x22, 0x23 }
843};
844
845static const unsigned char camellia_test_ctr_ct[3][48] =
846{
847 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
848 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
849 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
850 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
851 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
852 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
853 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
854 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
855 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
856 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
857 0xDF, 0x50, 0x86, 0x96 }
858};
859
860static const int camellia_test_ctr_len[3] =
861 { 16, 32, 36 };
862#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]863
864/*
865 * Checkup routine
866 */
867int camellia_self_test( int verbose )
868{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]869 int i, j, u, v;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]870 unsigned char key[32];
871 unsigned char buf[64];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]872 unsigned char src[16];
873 unsigned char dst[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]874#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]875 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]876#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]877#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]878 size_t offset, len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]879 unsigned char nonce_counter[16];
880 unsigned char stream_block[16];
881#endif
882
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]883 camellia_context ctx;
884
885 memset( key, 0, 32 );
886
887 for (j = 0; j < 6; j++) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]888 u = j >> 1;
889 v = j & 1;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]890
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]891 if( verbose != 0 )
892 printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
893 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]894
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]895 for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
896 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]897
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]898 if (v == CAMELLIA_DECRYPT) {
899 camellia_setkey_dec(&ctx, key, 128 + u * 64);
900 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
901 memcpy(dst, camellia_test_ecb_plain[i], 16);
902 } else { /* CAMELLIA_ENCRYPT */
903 camellia_setkey_enc(&ctx, key, 128 + u * 64);
904 memcpy(src, camellia_test_ecb_plain[i], 16);
905 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
906 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]907
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]908 camellia_crypt_ecb(&ctx, v, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]909
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]910 if( memcmp( buf, dst, 16 ) != 0 )
911 {
912 if( verbose != 0 )
913 printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]914
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]915 return( 1 );
916 }
917 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]918
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]919 if( verbose != 0 )
920 printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]921 }
922
923 if( verbose != 0 )
924 printf( "\n" );
925
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]926#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]927 /*
928 * CBC mode
929 */
930 for( j = 0; j < 6; j++ )
931 {
932 u = j >> 1;
933 v = j & 1;
934
935 if( verbose != 0 )
936 printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
937 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
938
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]939 memcpy( src, camellia_test_cbc_iv, 16);
940 memcpy( dst, camellia_test_cbc_iv, 16);
941 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]942
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]943 if (v == CAMELLIA_DECRYPT) {
944 camellia_setkey_dec(&ctx, key, 128 + u * 64);
945 } else {
946 camellia_setkey_enc(&ctx, key, 128 + u * 64);
947 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]948
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]949 for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]950
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]951 if (v == CAMELLIA_DECRYPT) {
952 memcpy( iv , src, 16 );
953 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
954 memcpy(dst, camellia_test_cbc_plain[i], 16);
955 } else { /* CAMELLIA_ENCRYPT */
956 memcpy( iv , dst, 16 );
957 memcpy(src, camellia_test_cbc_plain[i], 16);
958 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
959 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]960
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]961 camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]962
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]963 if( memcmp( buf, dst, 16 ) != 0 )
964 {
965 if( verbose != 0 )
966 printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]967
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]968 return( 1 );
969 }
970 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]971
972 if( verbose != 0 )
973 printf( "passed\n" );
974 }
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]975#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]976
977 if( verbose != 0 )
978 printf( "\n" );
979
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]980#if defined(POLARSSL_CIPHER_MODE_CTR)
981 /*
982 * CTR mode
983 */
984 for( i = 0; i < 6; i++ )
985 {
986 u = i >> 1;
987 v = i & 1;
988
989 if( verbose != 0 )
990 printf( " CAMELLIA-CTR-128 (%s): ",
991 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
992
993 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
994 memcpy( key, camellia_test_ctr_key[u], 16 );
995
996 offset = 0;
997 camellia_setkey_enc( &ctx, key, 128 );
998
999 if( v == CAMELLIA_DECRYPT )
1000 {
1001 len = camellia_test_ctr_len[u];
1002 memcpy( buf, camellia_test_ctr_ct[u], len );
1003
1004 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1005
1006 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1007 {
1008 if( verbose != 0 )
1009 printf( "failed\n" );
1010
1011 return( 1 );
1012 }
1013 }
1014 else
1015 {
1016 len = camellia_test_ctr_len[u];
1017 memcpy( buf, camellia_test_ctr_pt[u], len );
1018
1019 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1020
1021 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1022 {
1023 if( verbose != 0 )
1024 printf( "failed\n" );
1025
1026 return( 1 );
1027 }
1028 }
1029
1030 if( verbose != 0 )
1031 printf( "passed\n" );
1032 }
1033
1034 if( verbose != 0 )
1035 printf( "\n" );
1036#endif /* POLARSSL_CIPHER_MODE_CTR */
1037
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1038 return ( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1039}
1040
1041#endif
1042
1043#endif