TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 480f683d15d63d4c9b870ae406da6166622d13da / . / library / camellia.c
blob: e90cd7f134ec2a9a6056127a7fa9e888258d8310 [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1/*
2 * Camellia implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]18 */
19/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]20 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
21 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]22 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]23 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_CAMELLIA_C)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]29
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]30#include "mbedtls/camellia.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]31#include "mbedtls/platform_util.h"
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]32
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]33#include <string.h>
Manuel Pégourié-Gonnard394608e2015-02-17 16:01:07 +0100[diff] [blame]34
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]35#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]36
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]37#if !defined(MBEDTLS_CAMELLIA_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]38
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]39/* Parameter validation macros */
40#define CAMELLIA_VALIDATE_RET( cond ) \
41 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
42#define CAMELLIA_VALIDATE( cond ) \
43 MBEDTLS_INTERNAL_VALIDATE( cond )
44
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]45static const unsigned char SIGMA_CHARS[6][8] =
46{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]47 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
48 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
49 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
50 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
51 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
52 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]53};
54
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]55#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]56
57static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]58{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]59 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
60 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
61 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
62 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
63 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
64 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
65 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
66 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
67 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
68 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
69 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
70 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
71 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
72 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
73 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
74 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]75};
76
77#define SBOX1(n) FSb[(n)]
78#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
79#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]80#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
81
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]82#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]83
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]84static const unsigned char FSb[256] =
85{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]86 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
87 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
88 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
89 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
90 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
91 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
92 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
93 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
94 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
95 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
96 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
97 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
98 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
99 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
100 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
101 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]102};
103
104static const unsigned char FSb2[256] =
105{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]106 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
107 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
108 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
109 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
110 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
111 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
112 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
113 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
114 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
115 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
116 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
117 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
118 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
119 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
120 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
121 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]122};
123
124static const unsigned char FSb3[256] =
125{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]126 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
127 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
128 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
129 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
130 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
131 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
132 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
133 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
134 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
135 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
136 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
137 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
138 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
139 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
140 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
141 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]142};
143
144static const unsigned char FSb4[256] =
145{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]146 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
147 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
148 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
149 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
150 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
151 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
152 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
153 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
154 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
155 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
156 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
157 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
158 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
159 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
160 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
161 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]162};
163
164#define SBOX1(n) FSb[(n)]
165#define SBOX2(n) FSb2[(n)]
166#define SBOX3(n) FSb3[(n)]
167#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]168
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]169#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]170
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]171static const unsigned char shifts[2][4][4] =
172{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]173 {
174 { 1, 1, 1, 1 }, /* KL */
175 { 0, 0, 0, 0 }, /* KR */
176 { 1, 1, 1, 1 }, /* KA */
177 { 0, 0, 0, 0 } /* KB */
178 },
179 {
180 { 1, 0, 1, 1 }, /* KL */
181 { 1, 1, 0, 1 }, /* KR */
182 { 1, 1, 1, 0 }, /* KA */
183 { 1, 1, 0, 1 } /* KB */
184 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]185};
186
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]187static const signed char indexes[2][4][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]188{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]189 {
190 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
191 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
192 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
193 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
194 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
195 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
196 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
197 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
198 },
199 {
200 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
201 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
202 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
203 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
204 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
205 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
206 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
207 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
208 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]209};
210
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]211static const signed char transposes[2][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]212{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]213 {
214 21, 22, 23, 20,
215 -1, -1, -1, -1,
216 18, 19, 16, 17,
217 11, 8, 9, 10,
218 15, 12, 13, 14
219 },
220 {
221 25, 26, 27, 24,
222 29, 30, 31, 28,
223 18, 19, 16, 17,
224 -1, -1, -1, -1,
225 -1, -1, -1, -1
226 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]227};
228
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]229/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]230#define ROTL(DEST, SRC, SHIFT) \
231{ \
232 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
233 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
234 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
235 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]236}
237
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]238#define FL(XL, XR, KL, KR) \
239{ \
240 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
241 (XL) = ((XR) | (KR)) ^ (XL); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]242}
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]243
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]244#define FLInv(YL, YR, KL, KR) \
245{ \
246 (YL) = ((YR) | (KR)) ^ (YL); \
247 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]248}
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]249
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]250#define SHIFT_AND_PLACE(INDEX, OFFSET) \
251{ \
252 TK[0] = KC[(OFFSET) * 4 + 0]; \
253 TK[1] = KC[(OFFSET) * 4 + 1]; \
254 TK[2] = KC[(OFFSET) * 4 + 2]; \
255 TK[3] = KC[(OFFSET) * 4 + 3]; \
256 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]257 for( i = 1; i <= 4; i++ ) \
258 if( shifts[(INDEX)][(OFFSET)][i -1] ) \
259 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]260 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]261 for( i = 0; i < 20; i++ ) \
262 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \
263 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
264 } \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]265}
266
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]267static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
268 uint32_t z[2])
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]269{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]270 uint32_t I0, I1;
271 I0 = x[0] ^ k[0];
272 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]273
Joe Subbiani6b897c92021-07-08 14:59:52 +0100[diff] [blame]274 I0 = ((uint32_t) SBOX1( MBEDTLS_BYTE_3( I0 )) << 24) |
275 ((uint32_t) SBOX2( MBEDTLS_BYTE_2( I0 )) << 16) |
276 ((uint32_t) SBOX3( MBEDTLS_BYTE_1( I0 )) << 8) |
277 ((uint32_t) SBOX4( MBEDTLS_BYTE_0( I0 )) );
278 I1 = ((uint32_t) SBOX2( MBEDTLS_BYTE_3( I1 )) << 24) |
279 ((uint32_t) SBOX3( MBEDTLS_BYTE_2( I1 )) << 16) |
280 ((uint32_t) SBOX4( MBEDTLS_BYTE_1( I1 )) << 8) |
281 ((uint32_t) SBOX1( MBEDTLS_BYTE_0( I1 )) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]282
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]283 I0 ^= (I1 << 8) | (I1 >> 24);
284 I1 ^= (I0 << 16) | (I0 >> 16);
285 I0 ^= (I1 >> 8) | (I1 << 24);
286 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]287
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]288 z[0] ^= I1;
289 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]290}
291
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]292void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]293{
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]294 CAMELLIA_VALIDATE( ctx != NULL );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]295 memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]296}
297
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]298void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]299{
300 if( ctx == NULL )
301 return;
302
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]303 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]304}
305
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]306/*
307 * Camellia key schedule (encryption)
308 */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]309int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
310 const unsigned char *key,
311 unsigned int keybits )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]312{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]313 int idx;
314 size_t i;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]315 uint32_t *RK;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]316 unsigned char t[64];
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]317 uint32_t SIGMA[6][2];
318 uint32_t KC[16];
319 uint32_t TK[20];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]320
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]321 CAMELLIA_VALIDATE_RET( ctx != NULL );
322 CAMELLIA_VALIDATE_RET( key != NULL );
323
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]324 RK = ctx->rk;
325
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]326 memset( t, 0, 64 );
327 memset( RK, 0, sizeof(ctx->rk) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]328
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]329 switch( keybits )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]330 {
331 case 128: ctx->nr = 3; idx = 0; break;
332 case 192:
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]333 case 256: ctx->nr = 4; idx = 1; break;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]334 default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]335 }
336
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]337 for( i = 0; i < keybits / 8; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]338 t[i] = key[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]339
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]340 if( keybits == 192 ) {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]341 for( i = 0; i < 8; i++ )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]342 t[24 + i] = ~t[16 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]343 }
344
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]345 /*
346 * Prepare SIGMA values
347 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]348 for( i = 0; i < 6; i++ ) {
Joe Subbiani9231d5f2021-07-07 16:56:29 +0100[diff] [blame]349 SIGMA[i][0] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 0 );
350 SIGMA[i][1] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 4 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]351 }
352
353 /*
354 * Key storage in KC
355 * Order: KL, KR, KA, KB
356 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]357 memset( KC, 0, sizeof(KC) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]358
359 /* Store KL, KR */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]360 for( i = 0; i < 8; i++ )
Joe Subbiani9231d5f2021-07-07 16:56:29 +0100[diff] [blame]361 KC[i] = MBEDTLS_GET_UINT32_BE( t, i * 4 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]362
363 /* Generate KA */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]364 for( i = 0; i < 4; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]365 KC[8 + i] = KC[i] ^ KC[4 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]366
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]367 camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
368 camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]369
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]370 for( i = 0; i < 4; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]371 KC[8 + i] ^= KC[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]372
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]373 camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
374 camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]375
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]376 if( keybits > 128 ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]377 /* Generate KB */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]378 for( i = 0; i < 4; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]379 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]380
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]381 camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
382 camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]383 }
384
385 /*
386 * Generating subkeys
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]387 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]388
389 /* Manipulating KL */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]390 SHIFT_AND_PLACE( idx, 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]391
392 /* Manipulating KR */
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]393 if( keybits > 128 ) {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]394 SHIFT_AND_PLACE( idx, 1 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]395 }
396
397 /* Manipulating KA */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]398 SHIFT_AND_PLACE( idx, 2 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]399
400 /* Manipulating KB */
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]401 if( keybits > 128 ) {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]402 SHIFT_AND_PLACE( idx, 3 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]403 }
404
405 /* Do transpositions */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]406 for( i = 0; i < 20; i++ ) {
407 if( transposes[idx][i] != -1 ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]408 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
409 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]410 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]411
412 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]413}
414
415/*
416 * Camellia key schedule (decryption)
417 */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]418int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
419 const unsigned char *key,
420 unsigned int keybits )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]421{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]422 int idx, ret;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]423 size_t i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]424 mbedtls_camellia_context cty;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]425 uint32_t *RK;
426 uint32_t *SK;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]427 CAMELLIA_VALIDATE_RET( ctx != NULL );
428 CAMELLIA_VALIDATE_RET( key != NULL );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]429
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]430 mbedtls_camellia_init( &cty );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]431
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]432 /* Also checks keybits */
433 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]434 goto exit;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]435
Manuel Pégourié-Gonnard3ac6a2b2014-05-28 22:04:25 +0200[diff] [blame]436 ctx->nr = cty.nr;
437 idx = ( ctx->nr == 4 );
438
439 RK = ctx->rk;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]440 SK = cty.rk + 24 * 2 + 8 * idx * 2;
441
442 *RK++ = *SK++;
443 *RK++ = *SK++;
444 *RK++ = *SK++;
445 *RK++ = *SK++;
446
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]447 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]448 {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]449 *RK++ = *SK++;
450 *RK++ = *SK++;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]451 }
452
453 SK -= 2;
454
455 *RK++ = *SK++;
456 *RK++ = *SK++;
457 *RK++ = *SK++;
458 *RK++ = *SK++;
459
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]460exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]461 mbedtls_camellia_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]462
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]463 return( ret );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]464}
465
466/*
467 * Camellia-ECB block encryption/decryption
468 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]469int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]470 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]471 const unsigned char input[16],
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]472 unsigned char output[16] )
473{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]474 int NR;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]475 uint32_t *RK, X[4];
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]476 CAMELLIA_VALIDATE_RET( ctx != NULL );
477 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
478 mode == MBEDTLS_CAMELLIA_DECRYPT );
479 CAMELLIA_VALIDATE_RET( input != NULL );
480 CAMELLIA_VALIDATE_RET( output != NULL );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]481
Paul Bakkerc2547b02009-07-20 20:40:52 +0000[diff] [blame]482 ( (void) mode );
483
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]484 NR = ctx->nr;
485 RK = ctx->rk;
486
Joe Subbiani9231d5f2021-07-07 16:56:29 +0100[diff] [blame]487 X[0] = MBEDTLS_GET_UINT32_BE( input, 0 );
488 X[1] = MBEDTLS_GET_UINT32_BE( input, 4 );
489 X[2] = MBEDTLS_GET_UINT32_BE( input, 8 );
490 X[3] = MBEDTLS_GET_UINT32_BE( input, 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]491
492 X[0] ^= *RK++;
493 X[1] ^= *RK++;
494 X[2] ^= *RK++;
495 X[3] ^= *RK++;
496
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]497 while( NR ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]498 --NR;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]499 camellia_feistel( X, RK, X + 2 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]500 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]501 camellia_feistel( X + 2, RK, X );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]502 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]503 camellia_feistel( X, RK, X + 2 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]504 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]505 camellia_feistel( X + 2, RK, X );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]506 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]507 camellia_feistel( X, RK, X + 2 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]508 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]509 camellia_feistel( X + 2, RK, X );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]510 RK += 2;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]511
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]512 if( NR ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]513 FL(X[0], X[1], RK[0], RK[1]);
514 RK += 2;
515 FLInv(X[2], X[3], RK[0], RK[1]);
516 RK += 2;
517 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]518 }
519
520 X[2] ^= *RK++;
521 X[3] ^= *RK++;
522 X[0] ^= *RK++;
523 X[1] ^= *RK++;
524
Joe Subbiani2bbafda2021-06-24 13:00:03 +0100[diff] [blame]525 MBEDTLS_PUT_UINT32_BE( X[2], output, 0 );
526 MBEDTLS_PUT_UINT32_BE( X[3], output, 4 );
527 MBEDTLS_PUT_UINT32_BE( X[0], output, 8 );
528 MBEDTLS_PUT_UINT32_BE( X[1], output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]529
530 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]531}
532
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]533#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]534/*
535 * Camellia-CBC buffer encryption/decryption
536 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]537int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]538 int mode,
539 size_t length,
540 unsigned char iv[16],
541 const unsigned char *input,
542 unsigned char *output )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]543{
544 int i;
545 unsigned char temp[16];
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]546 CAMELLIA_VALIDATE_RET( ctx != NULL );
547 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
548 mode == MBEDTLS_CAMELLIA_DECRYPT );
549 CAMELLIA_VALIDATE_RET( iv != NULL );
550 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
551 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]552
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]553 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]554 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]555
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]556 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]557 {
558 while( length > 0 )
559 {
560 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]561 mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]562
563 for( i = 0; i < 16; i++ )
564 output[i] = (unsigned char)( output[i] ^ iv[i] );
565
566 memcpy( iv, temp, 16 );
567
568 input += 16;
569 output += 16;
570 length -= 16;
571 }
572 }
573 else
574 {
575 while( length > 0 )
576 {
577 for( i = 0; i < 16; i++ )
578 output[i] = (unsigned char)( input[i] ^ iv[i] );
579
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]580 mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]581 memcpy( iv, output, 16 );
582
583 input += 16;
584 output += 16;
585 length -= 16;
586 }
587 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]588
589 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]590}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]591#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]592
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]593#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]594/*
595 * Camellia-CFB128 buffer encryption/decryption
596 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]597int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]598 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]599 size_t length,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]600 size_t *iv_off,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]601 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]602 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]603 unsigned char *output )
604{
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]605 int c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]606 size_t n;
607 CAMELLIA_VALIDATE_RET( ctx != NULL );
608 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
609 mode == MBEDTLS_CAMELLIA_DECRYPT );
610 CAMELLIA_VALIDATE_RET( iv != NULL );
611 CAMELLIA_VALIDATE_RET( iv_off != NULL );
612 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
613 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
614
615 n = *iv_off;
616 if( n >= 16 )
617 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]618
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]619 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]620 {
621 while( length-- )
622 {
623 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]624 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]625
626 c = *input++;
627 *output++ = (unsigned char)( c ^ iv[n] );
628 iv[n] = (unsigned char) c;
629
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]630 n = ( n + 1 ) & 0x0F;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]631 }
632 }
633 else
634 {
635 while( length-- )
636 {
637 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]638 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]639
640 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
641
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]642 n = ( n + 1 ) & 0x0F;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]643 }
644 }
645
646 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]647
648 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]649}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]650#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]651
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]652#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]653/*
654 * Camellia-CTR buffer encryption/decryption
655 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]656int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]657 size_t length,
658 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]659 unsigned char nonce_counter[16],
660 unsigned char stream_block[16],
661 const unsigned char *input,
662 unsigned char *output )
663{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]664 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]665 size_t n;
666 CAMELLIA_VALIDATE_RET( ctx != NULL );
667 CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
668 CAMELLIA_VALIDATE_RET( stream_block != NULL );
669 CAMELLIA_VALIDATE_RET( nc_off != NULL );
670 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
671 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
672
673 n = *nc_off;
674 if( n >= 16 )
675 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]676
677 while( length-- )
678 {
679 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]680 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]681 stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]682
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]683 for( i = 16; i > 0; i-- )
684 if( ++nonce_counter[i - 1] != 0 )
685 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]686 }
687 c = *input++;
688 *output++ = (unsigned char)( c ^ stream_block[n] );
689
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]690 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]691 }
692
693 *nc_off = n;
694
695 return( 0 );
696}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]697#endif /* MBEDTLS_CIPHER_MODE_CTR */
698#endif /* !MBEDTLS_CAMELLIA_ALT */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]699
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]700#if defined(MBEDTLS_SELF_TEST)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]701
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]702/*
703 * Camellia test vectors from:
704 *
705 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
706 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
707 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]708 * (For each bitlength: Key 0, Nr 39)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]709 */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]710#define CAMELLIA_TESTS_ECB 2
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]711
712static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
713{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]714 {
715 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
716 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]717 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]718 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
719 },
720 {
721 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
722 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
723 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]724 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]725 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
726 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
727 },
728 {
729 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
730 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
731 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
732 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]733 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]734 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
735 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
736 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
737 },
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]738};
739
740static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
741{
742 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
743 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]744 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]745 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
746};
747
748static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
749{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]750 {
751 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
752 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
753 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
754 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
755 },
756 {
757 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
758 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
759 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
760 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
761 },
762 {
763 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
764 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
765 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
766 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
767 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]768};
769
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]770#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]771#define CAMELLIA_TESTS_CBC 3
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]772
773static const unsigned char camellia_test_cbc_key[3][32] =
774{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]775 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
776 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
777 ,
778 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
779 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
780 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
781 ,
782 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
783 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
784 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
785 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]786};
787
788static const unsigned char camellia_test_cbc_iv[16] =
789
790 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
791 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
792;
793
794static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
795{
796 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
797 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
798 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
799 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
800 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
801 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
802
803};
804
805static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
806{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]807 {
808 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
809 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
810 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
811 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
812 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
813 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
814 },
815 {
816 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
817 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
818 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
819 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
820 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
821 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
822 },
823 {
824 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
825 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
826 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
827 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
828 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
829 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
830 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]831};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]832#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]833
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]834#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]835/*
836 * Camellia-CTR test vectors from:
837 *
838 * http://www.faqs.org/rfcs/rfc5528.html
839 */
840
841static const unsigned char camellia_test_ctr_key[3][16] =
842{
843 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
844 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
845 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
846 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
847 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
848 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
849};
850
851static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
852{
853 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
854 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
855 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
856 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
857 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
858 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
859};
860
861static const unsigned char camellia_test_ctr_pt[3][48] =
862{
863 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
864 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
865
866 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
867 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
868 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
869 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
870
871 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
872 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
873 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
874 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
875 0x20, 0x21, 0x22, 0x23 }
876};
877
878static const unsigned char camellia_test_ctr_ct[3][48] =
879{
880 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
881 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
882 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
883 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
884 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
885 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
886 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
887 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
888 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
889 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
890 0xDF, 0x50, 0x86, 0x96 }
891};
892
893static const int camellia_test_ctr_len[3] =
894 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]895#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]896
897/*
898 * Checkup routine
899 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]900int mbedtls_camellia_self_test( int verbose )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]901{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]902 int i, j, u, v;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]903 unsigned char key[32];
904 unsigned char buf[64];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]905 unsigned char src[16];
906 unsigned char dst[16];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]907#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]908 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]909#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]910#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]911 size_t offset, len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]912 unsigned char nonce_counter[16];
913 unsigned char stream_block[16];
914#endif
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]915 int ret = 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]916
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]917 mbedtls_camellia_context ctx;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]918
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]919 mbedtls_camellia_init( &ctx );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]920 memset( key, 0, 32 );
921
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]922 for( j = 0; j < 6; j++ ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]923 u = j >> 1;
924 v = j & 1;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]925
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]926 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]927 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
928 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]929
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]930 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
931 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]932
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]933 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
934 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]935 memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
936 memcpy( dst, camellia_test_ecb_plain[i], 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]937 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
938 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]939 memcpy( src, camellia_test_ecb_plain[i], 16 );
940 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]941 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]942
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]943 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]944
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]945 if( memcmp( buf, dst, 16 ) != 0 )
946 {
947 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]948 mbedtls_printf( "failed\n" );
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]949 goto exit;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]950 }
951 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]952
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]953 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]954 mbedtls_printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]955 }
956
957 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]958 mbedtls_printf( "\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]959
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]960#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]961 /*
962 * CBC mode
963 */
964 for( j = 0; j < 6; j++ )
965 {
966 u = j >> 1;
967 v = j & 1;
968
969 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]970 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
971 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]972
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]973 memcpy( src, camellia_test_cbc_iv, 16 );
974 memcpy( dst, camellia_test_cbc_iv, 16 );
975 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]976
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]977 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]978 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
979 } else {
980 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]981 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]982
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]983 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]984
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]985 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
986 memcpy( iv , src, 16 );
987 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
988 memcpy( dst, camellia_test_cbc_plain[i], 16 );
989 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
990 memcpy( iv , dst, 16 );
991 memcpy( src, camellia_test_cbc_plain[i], 16 );
992 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
993 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]994
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]995 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
996
997 if( memcmp( buf, dst, 16 ) != 0 )
998 {
999 if( verbose != 0 )
1000 mbedtls_printf( "failed\n" );
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]1001 goto exit;
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]1002 }
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]1003 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1004
1005 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1006 mbedtls_printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1007 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1008#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1009
1010 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1011 mbedtls_printf( "\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1012
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1013#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1014 /*
1015 * CTR mode
1016 */
1017 for( i = 0; i < 6; i++ )
1018 {
1019 u = i >> 1;
1020 v = i & 1;
1021
1022 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1023 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ",
1024 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1025
1026 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1027 memcpy( key, camellia_test_ctr_key[u], 16 );
1028
1029 offset = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1030 mbedtls_camellia_setkey_enc( &ctx, key, 128 );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1031
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1032 if( v == MBEDTLS_CAMELLIA_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1033 {
1034 len = camellia_test_ctr_len[u];
1035 memcpy( buf, camellia_test_ctr_ct[u], len );
1036
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1037 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1038 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1039
1040 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1041 {
1042 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043 mbedtls_printf( "failed\n" );
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]1044 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1045 }
1046 }
1047 else
1048 {
1049 len = camellia_test_ctr_len[u];
1050 memcpy( buf, camellia_test_ctr_pt[u], len );
1051
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1052 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1053 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1054
1055 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1056 {
1057 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1058 mbedtls_printf( "failed\n" );
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]1059 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1060 }
1061 }
1062
1063 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1064 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1065 }
1066
1067 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1068 mbedtls_printf( "\n" );
1069#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1070
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]1071 ret = 0;
1072
1073exit:
1074 mbedtls_camellia_free( &ctx );
1075 return( ret );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1076}
1077
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1078#endif /* MBEDTLS_SELF_TEST */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1079
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1080#endif /* MBEDTLS_CAMELLIA_C */