TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 1b6c09a62e5f597a7b2d95042b39f0c39b1025e1 / . / library / camellia.c
blob: ce034d74fb601da1346a34de81caaebfe5074227 [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1/*
2 * Camellia implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]18 */
19/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]20 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
21 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]22 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]23 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_CAMELLIA_C)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]29
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]30#include "mbedtls/camellia.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]31#include "mbedtls/platform_util.h"
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]32
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]33#include <string.h>
Manuel Pégourié-Gonnard394608e2015-02-17 16:01:07 +0100[diff] [blame]34
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]35#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]36
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]37#if !defined(MBEDTLS_CAMELLIA_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]38
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]39/* Parameter validation macros */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]40#define CAMELLIA_VALIDATE_RET(cond) \
41 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA)
42#define CAMELLIA_VALIDATE(cond) \
43 MBEDTLS_INTERNAL_VALIDATE(cond)
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]44
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]45static const unsigned char SIGMA_CHARS[6][8] =
46{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]47 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
48 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
49 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
50 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
51 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
52 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]53};
54
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]55#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]56
57static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]58{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]59 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
60 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
61 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
62 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
63 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
64 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
65 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
66 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
67 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
68 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
69 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
70 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
71 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
72 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
73 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
74 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]75};
76
77#define SBOX1(n) FSb[(n)]
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]78#define SBOX2(n) (unsigned char) ((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
79#define SBOX3(n) (unsigned char) ((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]80#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
81
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]82#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]83
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]84static const unsigned char FSb[256] =
85{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]86 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
87 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
88 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
89 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
90 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
91 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
92 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
93 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
94 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
95 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
96 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
97 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
98 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
99 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
100 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
101 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]102};
103
104static const unsigned char FSb2[256] =
105{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]106 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
107 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
108 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
109 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
110 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
111 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
112 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
113 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
114 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
115 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
116 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
117 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
118 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
119 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
120 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
121 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]122};
123
124static const unsigned char FSb3[256] =
125{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]126 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
127 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
128 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
129 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
130 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
131 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
132 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
133 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
134 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
135 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
136 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
137 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
138 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
139 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
140 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
141 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]142};
143
144static const unsigned char FSb4[256] =
145{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]146 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
147 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
148 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
149 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
150 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
151 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
152 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
153 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
154 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
155 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
156 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
157 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
158 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
159 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
160 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
161 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]162};
163
164#define SBOX1(n) FSb[(n)]
165#define SBOX2(n) FSb2[(n)]
166#define SBOX3(n) FSb3[(n)]
167#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]168
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]169#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]170
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]171static const unsigned char shifts[2][4][4] =
172{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]173 {
174 { 1, 1, 1, 1 }, /* KL */
175 { 0, 0, 0, 0 }, /* KR */
176 { 1, 1, 1, 1 }, /* KA */
177 { 0, 0, 0, 0 } /* KB */
178 },
179 {
180 { 1, 0, 1, 1 }, /* KL */
181 { 1, 1, 0, 1 }, /* KR */
182 { 1, 1, 1, 0 }, /* KA */
183 { 1, 1, 0, 1 } /* KB */
184 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]185};
186
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]187static const signed char indexes[2][4][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]188{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]189 {
190 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]191 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]192 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
193 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
194 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]195 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]196 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
197 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
198 },
199 {
200 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]201 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]202 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
203 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
204 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
205 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
206 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]207 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]208 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]209};
210
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]211static const signed char transposes[2][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]212{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]213 {
214 21, 22, 23, 20,
215 -1, -1, -1, -1,
216 18, 19, 16, 17,
217 11, 8, 9, 10,
218 15, 12, 13, 14
219 },
220 {
221 25, 26, 27, 24,
222 29, 30, 31, 28,
223 18, 19, 16, 17,
224 -1, -1, -1, -1,
225 -1, -1, -1, -1
226 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]227};
228
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]229/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]230#define ROTL(DEST, SRC, SHIFT) \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]231 { \
232 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
233 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
234 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
235 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
236 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]237
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]238#define FL(XL, XR, KL, KR) \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]239 { \
240 (XR) = ((((XL) &(KL)) << 1) | (((XL) &(KL)) >> 31)) ^ (XR); \
241 (XL) = ((XR) | (KR)) ^ (XL); \
242 }
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]243
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]244#define FLInv(YL, YR, KL, KR) \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]245 { \
246 (YL) = ((YR) | (KR)) ^ (YL); \
247 (YR) = ((((YL) &(KL)) << 1) | (((YL) &(KL)) >> 31)) ^ (YR); \
248 }
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]249
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]250#define SHIFT_AND_PLACE(INDEX, OFFSET) \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]251 { \
252 TK[0] = KC[(OFFSET) * 4 + 0]; \
253 TK[1] = KC[(OFFSET) * 4 + 1]; \
254 TK[2] = KC[(OFFSET) * 4 + 2]; \
255 TK[3] = KC[(OFFSET) * 4 + 3]; \
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]256 \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]257 for (i = 1; i <= 4; i++) \
258 if (shifts[(INDEX)][(OFFSET)][i -1]) \
259 ROTL(TK + i * 4, TK, (15 * i) % 32); \
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]260 \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]261 for (i = 0; i < 20; i++) \
262 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
263 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[i]; \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]264 } \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]265 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]266
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]267static void camellia_feistel(const uint32_t x[2], const uint32_t k[2],
268 uint32_t z[2])
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]269{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]270 uint32_t I0, I1;
271 I0 = x[0] ^ k[0];
272 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]273
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]274 I0 = ((uint32_t) SBOX1(MBEDTLS_BYTE_3(I0)) << 24) |
275 ((uint32_t) SBOX2(MBEDTLS_BYTE_2(I0)) << 16) |
276 ((uint32_t) SBOX3(MBEDTLS_BYTE_1(I0)) << 8) |
277 ((uint32_t) SBOX4(MBEDTLS_BYTE_0(I0)));
278 I1 = ((uint32_t) SBOX2(MBEDTLS_BYTE_3(I1)) << 24) |
279 ((uint32_t) SBOX3(MBEDTLS_BYTE_2(I1)) << 16) |
280 ((uint32_t) SBOX4(MBEDTLS_BYTE_1(I1)) << 8) |
281 ((uint32_t) SBOX1(MBEDTLS_BYTE_0(I1)));
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]282
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]283 I0 ^= (I1 << 8) | (I1 >> 24);
284 I1 ^= (I0 << 16) | (I0 >> 16);
285 I0 ^= (I1 >> 8) | (I1 << 24);
286 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]287
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]288 z[0] ^= I1;
289 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]290}
291
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]292void mbedtls_camellia_init(mbedtls_camellia_context *ctx)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]293{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]294 CAMELLIA_VALIDATE(ctx != NULL);
295 memset(ctx, 0, sizeof(mbedtls_camellia_context));
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]296}
297
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]298void mbedtls_camellia_free(mbedtls_camellia_context *ctx)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]299{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]300 if (ctx == NULL) {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]301 return;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]302 }
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]303
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]304 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_camellia_context));
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]305}
306
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]307/*
308 * Camellia key schedule (encryption)
309 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]310int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
311 const unsigned char *key,
312 unsigned int keybits)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]313{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]314 int idx;
315 size_t i;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]316 uint32_t *RK;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]317 unsigned char t[64];
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]318 uint32_t SIGMA[6][2];
319 uint32_t KC[16];
320 uint32_t TK[20];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]321
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]322 CAMELLIA_VALIDATE_RET(ctx != NULL);
323 CAMELLIA_VALIDATE_RET(key != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]324
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]325 RK = ctx->rk;
326
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]327 memset(t, 0, 64);
328 memset(RK, 0, sizeof(ctx->rk));
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]329
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]330 switch (keybits) {
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]331 case 128: ctx->nr = 3; idx = 0; break;
332 case 192:
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]333 case 256: ctx->nr = 4; idx = 1; break;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]334 default: return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]335 }
336
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]337 for (i = 0; i < keybits / 8; ++i) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]338 t[i] = key[i];
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]339 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]340
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]341 if (keybits == 192) {
342 for (i = 0; i < 8; i++) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]343 t[24 + i] = ~t[16 + i];
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]344 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]345 }
346
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]347 /*
348 * Prepare SIGMA values
349 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]350 for (i = 0; i < 6; i++) {
351 SIGMA[i][0] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 0);
352 SIGMA[i][1] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]353 }
354
355 /*
356 * Key storage in KC
357 * Order: KL, KR, KA, KB
358 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]359 memset(KC, 0, sizeof(KC));
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]360
361 /* Store KL, KR */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]362 for (i = 0; i < 8; i++) {
363 KC[i] = MBEDTLS_GET_UINT32_BE(t, i * 4);
364 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]365
366 /* Generate KA */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]367 for (i = 0; i < 4; ++i) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]368 KC[8 + i] = KC[i] ^ KC[4 + i];
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]369 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]370
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]371 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
372 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]373
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]374 for (i = 0; i < 4; ++i) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]375 KC[8 + i] ^= KC[i];
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]376 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]377
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]378 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
379 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]380
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]381 if (keybits > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]382 /* Generate KB */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]383 for (i = 0; i < 4; ++i) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]384 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]385 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]386
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]387 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
388 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]389 }
390
391 /*
392 * Generating subkeys
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]393 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]394
395 /* Manipulating KL */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]396 SHIFT_AND_PLACE(idx, 0);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]397
398 /* Manipulating KR */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]399 if (keybits > 128) {
400 SHIFT_AND_PLACE(idx, 1);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]401 }
402
403 /* Manipulating KA */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]404 SHIFT_AND_PLACE(idx, 2);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]405
406 /* Manipulating KB */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]407 if (keybits > 128) {
408 SHIFT_AND_PLACE(idx, 3);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]409 }
410
411 /* Do transpositions */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]412 for (i = 0; i < 20; i++) {
413 if (transposes[idx][i] != -1) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]414 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
415 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]416 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]417
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]418 return 0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]419}
420
421/*
422 * Camellia key schedule (decryption)
423 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]424int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
425 const unsigned char *key,
426 unsigned int keybits)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]427{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]428 int idx, ret;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]429 size_t i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]430 mbedtls_camellia_context cty;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]431 uint32_t *RK;
432 uint32_t *SK;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]433 CAMELLIA_VALIDATE_RET(ctx != NULL);
434 CAMELLIA_VALIDATE_RET(key != NULL);
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]435
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]436 mbedtls_camellia_init(&cty);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]437
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]438 /* Also checks keybits */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]439 if ((ret = mbedtls_camellia_setkey_enc(&cty, key, keybits)) != 0) {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]440 goto exit;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]441 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]442
Manuel Pégourié-Gonnard3ac6a2b2014-05-28 22:04:25 +0200[diff] [blame]443 ctx->nr = cty.nr;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]444 idx = (ctx->nr == 4);
Manuel Pégourié-Gonnard3ac6a2b2014-05-28 22:04:25 +0200[diff] [blame]445
446 RK = ctx->rk;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]447 SK = cty.rk + 24 * 2 + 8 * idx * 2;
448
449 *RK++ = *SK++;
450 *RK++ = *SK++;
451 *RK++ = *SK++;
452 *RK++ = *SK++;
453
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]454 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]455 *RK++ = *SK++;
456 *RK++ = *SK++;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]457 }
458
459 SK -= 2;
460
461 *RK++ = *SK++;
462 *RK++ = *SK++;
463 *RK++ = *SK++;
464 *RK++ = *SK++;
465
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]466exit:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]467 mbedtls_camellia_free(&cty);
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]468
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]469 return ret;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]470}
471
472/*
473 * Camellia-ECB block encryption/decryption
474 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]475int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
476 int mode,
477 const unsigned char input[16],
478 unsigned char output[16])
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]479{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]480 int NR;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]481 uint32_t *RK, X[4];
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]482 CAMELLIA_VALIDATE_RET(ctx != NULL);
483 CAMELLIA_VALIDATE_RET(mode == MBEDTLS_CAMELLIA_ENCRYPT ||
484 mode == MBEDTLS_CAMELLIA_DECRYPT);
485 CAMELLIA_VALIDATE_RET(input != NULL);
486 CAMELLIA_VALIDATE_RET(output != NULL);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]487
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]488 ((void) mode);
Paul Bakkerc2547b02009-07-20 20:40:52 +0000[diff] [blame]489
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]490 NR = ctx->nr;
491 RK = ctx->rk;
492
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]493 X[0] = MBEDTLS_GET_UINT32_BE(input, 0);
494 X[1] = MBEDTLS_GET_UINT32_BE(input, 4);
495 X[2] = MBEDTLS_GET_UINT32_BE(input, 8);
496 X[3] = MBEDTLS_GET_UINT32_BE(input, 12);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]497
498 X[0] ^= *RK++;
499 X[1] ^= *RK++;
500 X[2] ^= *RK++;
501 X[3] ^= *RK++;
502
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]503 while (NR) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]504 --NR;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]505 camellia_feistel(X, RK, X + 2);
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]506 RK += 2;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]507 camellia_feistel(X + 2, RK, X);
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]508 RK += 2;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]509 camellia_feistel(X, RK, X + 2);
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]510 RK += 2;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]511 camellia_feistel(X + 2, RK, X);
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]512 RK += 2;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]513 camellia_feistel(X, RK, X + 2);
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]514 RK += 2;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]515 camellia_feistel(X + 2, RK, X);
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]516 RK += 2;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]517
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]518 if (NR) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]519 FL(X[0], X[1], RK[0], RK[1]);
520 RK += 2;
521 FLInv(X[2], X[3], RK[0], RK[1]);
522 RK += 2;
523 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]524 }
525
526 X[2] ^= *RK++;
527 X[3] ^= *RK++;
528 X[0] ^= *RK++;
529 X[1] ^= *RK++;
530
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]531 MBEDTLS_PUT_UINT32_BE(X[2], output, 0);
532 MBEDTLS_PUT_UINT32_BE(X[3], output, 4);
533 MBEDTLS_PUT_UINT32_BE(X[0], output, 8);
534 MBEDTLS_PUT_UINT32_BE(X[1], output, 12);
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]535
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]536 return 0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]537}
538
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]539#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]540/*
541 * Camellia-CBC buffer encryption/decryption
542 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]543int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
544 int mode,
545 size_t length,
546 unsigned char iv[16],
547 const unsigned char *input,
548 unsigned char *output)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]549{
550 int i;
551 unsigned char temp[16];
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]552 CAMELLIA_VALIDATE_RET(ctx != NULL);
553 CAMELLIA_VALIDATE_RET(mode == MBEDTLS_CAMELLIA_ENCRYPT ||
554 mode == MBEDTLS_CAMELLIA_DECRYPT);
555 CAMELLIA_VALIDATE_RET(iv != NULL);
556 CAMELLIA_VALIDATE_RET(length == 0 || input != NULL);
557 CAMELLIA_VALIDATE_RET(length == 0 || output != NULL);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]558
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]559 if (length % 16) {
560 return MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH;
561 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]562
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]563 if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
564 while (length > 0) {
565 memcpy(temp, input, 16);
566 mbedtls_camellia_crypt_ecb(ctx, mode, input, output);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]567
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]568 for (i = 0; i < 16; i++) {
569 output[i] = (unsigned char) (output[i] ^ iv[i]);
570 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]571
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]572 memcpy(iv, temp, 16);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]573
574 input += 16;
575 output += 16;
576 length -= 16;
577 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]578 } else {
579 while (length > 0) {
580 for (i = 0; i < 16; i++) {
581 output[i] = (unsigned char) (input[i] ^ iv[i]);
582 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]583
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]584 mbedtls_camellia_crypt_ecb(ctx, mode, output, output);
585 memcpy(iv, output, 16);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]586
587 input += 16;
588 output += 16;
589 length -= 16;
590 }
591 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]592
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]593 return 0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]594}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]595#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]596
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]597#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]598/*
599 * Camellia-CFB128 buffer encryption/decryption
600 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]601int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
602 int mode,
603 size_t length,
604 size_t *iv_off,
605 unsigned char iv[16],
606 const unsigned char *input,
607 unsigned char *output)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]608{
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]609 int c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]610 size_t n;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]611 CAMELLIA_VALIDATE_RET(ctx != NULL);
612 CAMELLIA_VALIDATE_RET(mode == MBEDTLS_CAMELLIA_ENCRYPT ||
613 mode == MBEDTLS_CAMELLIA_DECRYPT);
614 CAMELLIA_VALIDATE_RET(iv != NULL);
615 CAMELLIA_VALIDATE_RET(iv_off != NULL);
616 CAMELLIA_VALIDATE_RET(length == 0 || input != NULL);
617 CAMELLIA_VALIDATE_RET(length == 0 || output != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]618
619 n = *iv_off;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]620 if (n >= 16) {
621 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
622 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]623
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]624 if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
625 while (length--) {
626 if (n == 0) {
627 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
628 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]629
630 c = *input++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]631 *output++ = (unsigned char) (c ^ iv[n]);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]632 iv[n] = (unsigned char) c;
633
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]634 n = (n + 1) & 0x0F;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]635 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]636 } else {
637 while (length--) {
638 if (n == 0) {
639 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
640 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]641
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]642 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]643
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]644 n = (n + 1) & 0x0F;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]645 }
646 }
647
648 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]649
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]650 return 0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]651}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]652#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]653
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]654#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]655/*
656 * Camellia-CTR buffer encryption/decryption
657 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]658int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
659 size_t length,
660 size_t *nc_off,
661 unsigned char nonce_counter[16],
662 unsigned char stream_block[16],
663 const unsigned char *input,
664 unsigned char *output)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]665{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]666 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]667 size_t n;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]668 CAMELLIA_VALIDATE_RET(ctx != NULL);
669 CAMELLIA_VALIDATE_RET(nonce_counter != NULL);
670 CAMELLIA_VALIDATE_RET(stream_block != NULL);
671 CAMELLIA_VALIDATE_RET(nc_off != NULL);
672 CAMELLIA_VALIDATE_RET(length == 0 || input != NULL);
673 CAMELLIA_VALIDATE_RET(length == 0 || output != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]674
675 n = *nc_off;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]676 if (n >= 16) {
677 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
678 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]679
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]680 while (length--) {
681 if (n == 0) {
682 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
683 stream_block);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]684
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]685 for (i = 16; i > 0; i--) {
686 if (++nonce_counter[i - 1] != 0) {
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]687 break;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]688 }
689 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]690 }
691 c = *input++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]692 *output++ = (unsigned char) (c ^ stream_block[n]);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]693
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]694 n = (n + 1) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]695 }
696
697 *nc_off = n;
698
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]699 return 0;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]700}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701#endif /* MBEDTLS_CIPHER_MODE_CTR */
702#endif /* !MBEDTLS_CAMELLIA_ALT */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]703
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]704#if defined(MBEDTLS_SELF_TEST)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]705
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]706/*
707 * Camellia test vectors from:
708 *
709 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
710 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
711 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]712 * (For each bitlength: Key 0, Nr 39)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]713 */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]714#define CAMELLIA_TESTS_ECB 2
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]715
716static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
717{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]718 {
719 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
720 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]721 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]722 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
723 },
724 {
725 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
726 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
727 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]728 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]729 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
731 },
732 {
733 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
734 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
735 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
736 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]737 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]738 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
739 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
740 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
741 },
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]742};
743
744static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
745{
746 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
747 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]748 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]749 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
750};
751
752static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
753{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]754 {
755 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
756 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
757 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
758 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
759 },
760 {
761 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
762 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
763 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
764 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
765 },
766 {
767 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
768 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
769 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
770 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
771 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]772};
773
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]774#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]775#define CAMELLIA_TESTS_CBC 3
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]776
777static const unsigned char camellia_test_cbc_key[3][32] =
778{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]779 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
780 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]781 ,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]782 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
783 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
784 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]785 ,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]786 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
787 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
788 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
789 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]790};
791
792static const unsigned char camellia_test_cbc_iv[16] =
793
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]794{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
795 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]796;
797
798static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
799{
800 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
801 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
802 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
803 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
804 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
805 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
806
807};
808
809static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
810{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]811 {
812 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
813 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
814 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
815 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
816 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
817 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
818 },
819 {
820 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
821 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
822 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
823 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
824 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
825 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
826 },
827 {
828 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
829 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
830 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
831 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
832 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
833 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
834 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]835};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]836#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]837
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]838#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]839/*
840 * Camellia-CTR test vectors from:
841 *
842 * http://www.faqs.org/rfcs/rfc5528.html
843 */
844
845static const unsigned char camellia_test_ctr_key[3][16] =
846{
847 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
848 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
849 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
850 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
851 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
852 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
853};
854
855static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
856{
857 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
858 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
859 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
860 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
861 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
862 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
863};
864
865static const unsigned char camellia_test_ctr_pt[3][48] =
866{
867 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
868 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
869
870 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
871 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
872 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
873 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
874
875 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
876 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
877 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
878 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
879 0x20, 0x21, 0x22, 0x23 }
880};
881
882static const unsigned char camellia_test_ctr_ct[3][48] =
883{
884 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
885 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
886 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
887 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
888 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
889 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
890 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
891 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
892 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
893 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
894 0xDF, 0x50, 0x86, 0x96 }
895};
896
897static const int camellia_test_ctr_len[3] =
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]898{ 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]899#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]900
901/*
902 * Checkup routine
903 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]904int mbedtls_camellia_self_test(int verbose)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]905{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]906 int i, j, u, v;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]907 unsigned char key[32];
908 unsigned char buf[64];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]909 unsigned char src[16];
910 unsigned char dst[16];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]911#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]912 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]913#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]914#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]915 size_t offset, len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]916 unsigned char nonce_counter[16];
917 unsigned char stream_block[16];
918#endif
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]919 int ret = 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]920
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]921 mbedtls_camellia_context ctx;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]922
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]923 mbedtls_camellia_init(&ctx);
924 memset(key, 0, 32);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]925
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]926 for (j = 0; j < 6; j++) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]927 u = j >> 1;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]928 v = j & 1;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]929
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]930 if (verbose != 0) {
931 mbedtls_printf(" CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
932 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]933 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]934
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]935 for (i = 0; i < CAMELLIA_TESTS_ECB; i++) {
936 memcpy(key, camellia_test_ecb_key[u][i], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]937
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]938 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
939 mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
940 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
941 memcpy(dst, camellia_test_ecb_plain[i], 16);
942 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
943 mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
944 memcpy(src, camellia_test_ecb_plain[i], 16);
945 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
946 }
947
948 mbedtls_camellia_crypt_ecb(&ctx, v, src, buf);
949
950 if (memcmp(buf, dst, 16) != 0) {
951 if (verbose != 0) {
952 mbedtls_printf("failed\n");
953 }
954 goto exit;
955 }
956 }
957
958 if (verbose != 0) {
959 mbedtls_printf("passed\n");
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]960 }
961 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]962
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]963 if (verbose != 0) {
964 mbedtls_printf("\n");
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]965 }
966
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]967#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]968 /*
969 * CBC mode
970 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]971 for (j = 0; j < 6; j++) {
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]972 u = j >> 1;
973 v = j & 1;
974
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]975 if (verbose != 0) {
976 mbedtls_printf(" CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
977 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]978 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]979
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]980 memcpy(src, camellia_test_cbc_iv, 16);
981 memcpy(dst, camellia_test_cbc_iv, 16);
982 memcpy(key, camellia_test_cbc_key[u], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]983
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]984 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
985 mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
986 } else {
987 mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
988 }
989
990 for (i = 0; i < CAMELLIA_TESTS_CBC; i++) {
991
992 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
993 memcpy(iv, src, 16);
994 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
995 memcpy(dst, camellia_test_cbc_plain[i], 16);
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]996 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]997 memcpy(iv, dst, 16);
998 memcpy(src, camellia_test_cbc_plain[i], 16);
999 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]1000 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1001
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1002 mbedtls_camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]1003
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1004 if (memcmp(buf, dst, 16) != 0) {
1005 if (verbose != 0) {
1006 mbedtls_printf("failed\n");
1007 }
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]1008 goto exit;
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]1009 }
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]1010 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1011
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1012 if (verbose != 0) {
1013 mbedtls_printf("passed\n");
1014 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1015 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1016#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1017
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1018 if (verbose != 0) {
1019 mbedtls_printf("\n");
1020 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1021
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1022#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1023 /*
1024 * CTR mode
1025 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1026 for (i = 0; i < 6; i++) {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1027 u = i >> 1;
1028 v = i & 1;
1029
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1030 if (verbose != 0) {
1031 mbedtls_printf(" CAMELLIA-CTR-128 (%s): ",
1032 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
1033 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1034
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1035 memcpy(nonce_counter, camellia_test_ctr_nonce_counter[u], 16);
1036 memcpy(key, camellia_test_ctr_key[u], 16);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1037
1038 offset = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1039 mbedtls_camellia_setkey_enc(&ctx, key, 128);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1040
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1041 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1042 len = camellia_test_ctr_len[u];
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1043 memcpy(buf, camellia_test_ctr_ct[u], len);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1044
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1045 mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1046 buf, buf);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1047
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1048 if (memcmp(buf, camellia_test_ctr_pt[u], len) != 0) {
1049 if (verbose != 0) {
1050 mbedtls_printf("failed\n");
1051 }
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]1052 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1053 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1054 } else {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1055 len = camellia_test_ctr_len[u];
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1056 memcpy(buf, camellia_test_ctr_pt[u], len);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1057
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1058 mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1059 buf, buf);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1060
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1061 if (memcmp(buf, camellia_test_ctr_ct[u], len) != 0) {
1062 if (verbose != 0) {
1063 mbedtls_printf("failed\n");
1064 }
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]1065 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1066 }
1067 }
1068
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1069 if (verbose != 0) {
1070 mbedtls_printf("passed\n");
1071 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1072 }
1073
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1074 if (verbose != 0) {
1075 mbedtls_printf("\n");
1076 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1077#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1078
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]1079 ret = 0;
1080
1081exit:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame^]1082 mbedtls_camellia_free(&ctx);
1083 return ret;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1084}
1085
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1086#endif /* MBEDTLS_SELF_TEST */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1087
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1088#endif /* MBEDTLS_CAMELLIA_C */