TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 5c2364c2bac4c0c0c269235aa701ec7e07a1e00e / . / library / camellia.c
blob: 2bc3443776cf7b878ce486e90b011dedb8fe1e3a [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1/*
2 * Camellia implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]26 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
27 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]28 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]29 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]30 */
31
32#include "polarssl/config.h"
33
34#if defined(POLARSSL_CAMELLIA_C)
35
36#include "polarssl/camellia.h"
37
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]38/*
39 * 32-bit integer manipulation macros (big endian)
40 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]41#ifndef GET_UINT32_BE
42#define GET_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]43{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]44 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
45 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
46 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
47 | ( (uint32_t) (b)[(i) + 3] ); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]48}
49#endif
50
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]51#ifndef PUT_UINT32_BE
52#define PUT_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]53{ \
54 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
55 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
56 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
57 (b)[(i) + 3] = (unsigned char) ( (n) ); \
58}
59#endif
60
61static const unsigned char SIGMA_CHARS[6][8] =
62{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]63 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
64 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
65 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
66 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
67 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
68 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]69};
70
Paul Bakker33008ee2011-11-18 12:58:25 +0000[diff] [blame]71#if defined(POLARSSL_CAMELLIA_SMALL_MEMORY)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]72
73static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]74{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]75 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
76 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
77 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
78 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
79 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
80 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
81 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
82 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
83 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
84 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
85 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
86 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
87 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
88 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
89 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
90 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]91};
92
93#define SBOX1(n) FSb[(n)]
94#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
95#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]96#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
97
98#else
99
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]100static const unsigned char FSb[256] =
101{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]102 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
103 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
104 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
105 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
106 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
107 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
108 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
109 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
110 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
111 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
112 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
113 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
114 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
115 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
116 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
117 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]118};
119
120static const unsigned char FSb2[256] =
121{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]122 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
123 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
124 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
125 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
126 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
127 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
128 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
129 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
130 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
131 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
132 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
133 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
134 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
135 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
136 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
137 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]138};
139
140static const unsigned char FSb3[256] =
141{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]142 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
143 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
144 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
145 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
146 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
147 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
148 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
149 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
150 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
151 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
152 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
153 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
154 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
155 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
156 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
157 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]158};
159
160static const unsigned char FSb4[256] =
161{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]162 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
163 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
164 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
165 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
166 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
167 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
168 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
169 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
170 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
171 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
172 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
173 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
174 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
175 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
176 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
177 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]178};
179
180#define SBOX1(n) FSb[(n)]
181#define SBOX2(n) FSb2[(n)]
182#define SBOX3(n) FSb3[(n)]
183#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]184
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]185#endif
186
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]187static const unsigned char shifts[2][4][4] =
188{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]189 {
190 { 1, 1, 1, 1 }, /* KL */
191 { 0, 0, 0, 0 }, /* KR */
192 { 1, 1, 1, 1 }, /* KA */
193 { 0, 0, 0, 0 } /* KB */
194 },
195 {
196 { 1, 0, 1, 1 }, /* KL */
197 { 1, 1, 0, 1 }, /* KR */
198 { 1, 1, 1, 0 }, /* KA */
199 { 1, 1, 0, 1 } /* KB */
200 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]201};
202
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]203static const signed char indexes[2][4][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]204{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]205 {
206 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
207 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
208 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
209 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
210 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
211 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
212 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
213 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
214 },
215 {
216 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
217 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
218 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
219 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
220 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
221 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
222 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
223 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
224 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]225};
226
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]227static const signed char transposes[2][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]228{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]229 {
230 21, 22, 23, 20,
231 -1, -1, -1, -1,
232 18, 19, 16, 17,
233 11, 8, 9, 10,
234 15, 12, 13, 14
235 },
236 {
237 25, 26, 27, 24,
238 29, 30, 31, 28,
239 18, 19, 16, 17,
240 -1, -1, -1, -1,
241 -1, -1, -1, -1
242 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]243};
244
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]245/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]246#define ROTL(DEST, SRC, SHIFT) \
247{ \
248 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
249 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
250 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
251 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]252}
253
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]254#define FL(XL, XR, KL, KR) \
255{ \
256 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
257 (XL) = ((XR) | (KR)) ^ (XL); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]258}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]259
260#define FLInv(YL, YR, KL, KR) \
261{ \
262 (YL) = ((YR) | (KR)) ^ (YL); \
263 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]264}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]265
266#define SHIFT_AND_PLACE(INDEX, OFFSET) \
267{ \
268 TK[0] = KC[(OFFSET) * 4 + 0]; \
269 TK[1] = KC[(OFFSET) * 4 + 1]; \
270 TK[2] = KC[(OFFSET) * 4 + 2]; \
271 TK[3] = KC[(OFFSET) * 4 + 3]; \
272 \
273 for ( i = 1; i <= 4; i++ ) \
274 if (shifts[(INDEX)][(OFFSET)][i -1]) \
275 ROTL(TK + i * 4, TK, (15 * i) % 32); \
276 \
277 for ( i = 0; i < 20; i++ ) \
278 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
279 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
280 } \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]281}
282
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]283static void camellia_feistel(const uint32_t x[2], const uint32_t k[2], uint32_t z[2])
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]284{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]285 uint32_t I0, I1;
286 I0 = x[0] ^ k[0];
287 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]288
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]289 I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
290 (SBOX2((I0 >> 16) & 0xFF) << 16) |
291 (SBOX3((I0 >> 8) & 0xFF) << 8) |
292 (SBOX4((I0 ) & 0xFF) );
293 I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
294 (SBOX3((I1 >> 16) & 0xFF) << 16) |
295 (SBOX4((I1 >> 8) & 0xFF) << 8) |
296 (SBOX1((I1 ) & 0xFF) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]297
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]298 I0 ^= (I1 << 8) | (I1 >> 24);
299 I1 ^= (I0 << 16) | (I0 >> 16);
300 I0 ^= (I1 >> 8) | (I1 << 24);
301 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]302
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]303 z[0] ^= I1;
304 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]305}
306
307/*
308 * Camellia key schedule (encryption)
309 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]310int camellia_setkey_enc( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]311{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]312 int idx;
313 size_t i;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]314 uint32_t *RK;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]315 unsigned char t[64];
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]316 uint32_t SIGMA[6][2];
317 uint32_t KC[16];
318 uint32_t TK[20];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]319
320 RK = ctx->rk;
321
322 memset(t, 0, 64);
323 memset(RK, 0, sizeof(ctx->rk));
324
325 switch( keysize )
326 {
327 case 128: ctx->nr = 3; idx = 0; break;
328 case 192:
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]329 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]330 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]331 }
332
333 for( i = 0; i < keysize / 8; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]334 t[i] = key[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]335
336 if (keysize == 192) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]337 for (i = 0; i < 8; i++)
338 t[24 + i] = ~t[16 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]339 }
340
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]341 /*
342 * Prepare SIGMA values
343 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]344 for (i = 0; i < 6; i++) {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]345 GET_UINT32_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
346 GET_UINT32_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]347 }
348
349 /*
350 * Key storage in KC
351 * Order: KL, KR, KA, KB
352 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]353 memset(KC, 0, sizeof(KC));
354
355 /* Store KL, KR */
356 for (i = 0; i < 8; i++)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]357 GET_UINT32_BE(KC[i], t, i * 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]358
359 /* Generate KA */
360 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]361 KC[8 + i] = KC[i] ^ KC[4 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]362
363 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
364 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
365
366 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]367 KC[8 + i] ^= KC[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]368
369 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
370 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
371
372 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]373 /* Generate KB */
374 for( i = 0; i < 4; ++i)
375 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]376
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]377 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
378 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]379 }
380
381 /*
382 * Generating subkeys
383 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]384
385 /* Manipulating KL */
386 SHIFT_AND_PLACE(idx, 0);
387
388 /* Manipulating KR */
389 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]390 SHIFT_AND_PLACE(idx, 1);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]391 }
392
393 /* Manipulating KA */
394 SHIFT_AND_PLACE(idx, 2);
395
396 /* Manipulating KB */
397 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]398 SHIFT_AND_PLACE(idx, 3);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]399 }
400
401 /* Do transpositions */
402 for ( i = 0; i < 20; i++ ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]403 if (transposes[idx][i] != -1) {
404 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
405 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]406 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]407
408 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]409}
410
411/*
412 * Camellia key schedule (decryption)
413 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]414int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]415{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]416 int idx;
417 size_t i;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]418 camellia_context cty;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]419 uint32_t *RK;
420 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]421 int ret;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]422
423 switch( keysize )
424 {
425 case 128: ctx->nr = 3; idx = 0; break;
426 case 192:
427 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]428 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]429 }
430
431 RK = ctx->rk;
432
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]433 ret = camellia_setkey_enc(&cty, key, keysize);
434 if( ret != 0 )
435 return( ret );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]436
437 SK = cty.rk + 24 * 2 + 8 * idx * 2;
438
439 *RK++ = *SK++;
440 *RK++ = *SK++;
441 *RK++ = *SK++;
442 *RK++ = *SK++;
443
444 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
445 {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]446 *RK++ = *SK++;
447 *RK++ = *SK++;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]448 }
449
450 SK -= 2;
451
452 *RK++ = *SK++;
453 *RK++ = *SK++;
454 *RK++ = *SK++;
455 *RK++ = *SK++;
456
457 memset( &cty, 0, sizeof( camellia_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]458
459 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]460}
461
462/*
463 * Camellia-ECB block encryption/decryption
464 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]465int camellia_crypt_ecb( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]466 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]467 const unsigned char input[16],
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]468 unsigned char output[16] )
469{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]470 int NR;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]471 uint32_t *RK, X[4];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]472
Paul Bakkerc2547b02009-07-20 20:40:52 +0000[diff] [blame]473 ( (void) mode );
474
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]475 NR = ctx->nr;
476 RK = ctx->rk;
477
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]478 GET_UINT32_BE( X[0], input, 0 );
479 GET_UINT32_BE( X[1], input, 4 );
480 GET_UINT32_BE( X[2], input, 8 );
481 GET_UINT32_BE( X[3], input, 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]482
483 X[0] ^= *RK++;
484 X[1] ^= *RK++;
485 X[2] ^= *RK++;
486 X[3] ^= *RK++;
487
488 while (NR) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]489 --NR;
490 camellia_feistel(X, RK, X + 2);
491 RK += 2;
492 camellia_feistel(X + 2, RK, X);
493 RK += 2;
494 camellia_feistel(X, RK, X + 2);
495 RK += 2;
496 camellia_feistel(X + 2, RK, X);
497 RK += 2;
498 camellia_feistel(X, RK, X + 2);
499 RK += 2;
500 camellia_feistel(X + 2, RK, X);
501 RK += 2;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]502
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]503 if (NR) {
504 FL(X[0], X[1], RK[0], RK[1]);
505 RK += 2;
506 FLInv(X[2], X[3], RK[0], RK[1]);
507 RK += 2;
508 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]509 }
510
511 X[2] ^= *RK++;
512 X[3] ^= *RK++;
513 X[0] ^= *RK++;
514 X[1] ^= *RK++;
515
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]516 PUT_UINT32_BE( X[2], output, 0 );
517 PUT_UINT32_BE( X[3], output, 4 );
518 PUT_UINT32_BE( X[0], output, 8 );
519 PUT_UINT32_BE( X[1], output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]520
521 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]522}
523
524/*
525 * Camellia-CBC buffer encryption/decryption
526 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]527int camellia_crypt_cbc( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]528 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]529 size_t length,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]530 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]531 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]532 unsigned char *output )
533{
534 int i;
535 unsigned char temp[16];
536
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]537 if( length % 16 )
538 return( POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
539
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]540 if( mode == CAMELLIA_DECRYPT )
541 {
542 while( length > 0 )
543 {
544 memcpy( temp, input, 16 );
545 camellia_crypt_ecb( ctx, mode, input, output );
546
547 for( i = 0; i < 16; i++ )
548 output[i] = (unsigned char)( output[i] ^ iv[i] );
549
550 memcpy( iv, temp, 16 );
551
552 input += 16;
553 output += 16;
554 length -= 16;
555 }
556 }
557 else
558 {
559 while( length > 0 )
560 {
561 for( i = 0; i < 16; i++ )
562 output[i] = (unsigned char)( input[i] ^ iv[i] );
563
564 camellia_crypt_ecb( ctx, mode, output, output );
565 memcpy( iv, output, 16 );
566
567 input += 16;
568 output += 16;
569 length -= 16;
570 }
571 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]572
573 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]574}
575
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]576#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]577/*
578 * Camellia-CFB128 buffer encryption/decryption
579 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]580int camellia_crypt_cfb128( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]581 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]582 size_t length,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]583 size_t *iv_off,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]584 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]585 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]586 unsigned char *output )
587{
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]588 int c;
589 size_t n = *iv_off;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]590
591 if( mode == CAMELLIA_DECRYPT )
592 {
593 while( length-- )
594 {
595 if( n == 0 )
596 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
597
598 c = *input++;
599 *output++ = (unsigned char)( c ^ iv[n] );
600 iv[n] = (unsigned char) c;
601
602 n = (n + 1) & 0x0F;
603 }
604 }
605 else
606 {
607 while( length-- )
608 {
609 if( n == 0 )
610 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
611
612 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
613
614 n = (n + 1) & 0x0F;
615 }
616 }
617
618 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]619
620 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]621}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]622#endif /* POLARSSL_CIPHER_MODE_CFB */
623
624#if defined(POLARSSL_CIPHER_MODE_CTR)
625/*
626 * Camellia-CTR buffer encryption/decryption
627 */
628int camellia_crypt_ctr( camellia_context *ctx,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]629 size_t length,
630 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]631 unsigned char nonce_counter[16],
632 unsigned char stream_block[16],
633 const unsigned char *input,
634 unsigned char *output )
635{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]636 int c, i;
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]637 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]638
639 while( length-- )
640 {
641 if( n == 0 ) {
642 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, nonce_counter, stream_block );
643
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]644 for( i = 16; i > 0; i-- )
645 if( ++nonce_counter[i - 1] != 0 )
646 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]647 }
648 c = *input++;
649 *output++ = (unsigned char)( c ^ stream_block[n] );
650
651 n = (n + 1) & 0x0F;
652 }
653
654 *nc_off = n;
655
656 return( 0 );
657}
658#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]659
660#if defined(POLARSSL_SELF_TEST)
661
662#include <stdio.h>
663
664/*
665 * Camellia test vectors from:
666 *
667 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
668 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
669 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]670 * (For each bitlength: Key 0, Nr 39)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]671 */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]672#define CAMELLIA_TESTS_ECB 2
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]673
674static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
675{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]676 {
677 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
678 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
679 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
680 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
681 },
682 {
683 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
684 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
685 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
686 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
687 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
688 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
689 },
690 {
691 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
692 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
693 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
694 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
695 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
696 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
697 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
698 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
699 },
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]700};
701
702static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
703{
704 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
705 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
706 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
708};
709
710static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
711{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]712 {
713 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
714 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
715 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
716 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
717 },
718 {
719 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
720 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
721 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
722 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
723 },
724 {
725 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
726 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
727 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
728 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
729 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]730};
731
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]732#define CAMELLIA_TESTS_CBC 3
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]733
734static const unsigned char camellia_test_cbc_key[3][32] =
735{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]736 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
737 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
738 ,
739 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
740 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
741 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
742 ,
743 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
744 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
745 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
746 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]747};
748
749static const unsigned char camellia_test_cbc_iv[16] =
750
751 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
752 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
753;
754
755static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
756{
757 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
758 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
759 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
760 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
761 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
762 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
763
764};
765
766static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
767{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]768 {
769 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
770 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
771 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
772 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
773 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
774 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
775 },
776 {
777 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
778 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
779 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
780 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
781 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
782 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
783 },
784 {
785 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
786 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
787 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
788 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
789 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
790 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
791 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]792};
793
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]794#if defined(POLARSSL_CIPHER_MODE_CTR)
795/*
796 * Camellia-CTR test vectors from:
797 *
798 * http://www.faqs.org/rfcs/rfc5528.html
799 */
800
801static const unsigned char camellia_test_ctr_key[3][16] =
802{
803 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
804 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
805 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
806 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
807 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
808 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
809};
810
811static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
812{
813 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
814 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
815 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
816 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
817 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
818 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
819};
820
821static const unsigned char camellia_test_ctr_pt[3][48] =
822{
823 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
824 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
825
826 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
827 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
828 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
829 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
830
831 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
832 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
833 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
834 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
835 0x20, 0x21, 0x22, 0x23 }
836};
837
838static const unsigned char camellia_test_ctr_ct[3][48] =
839{
840 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
841 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
842 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
843 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
844 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
845 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
846 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
847 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
848 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
849 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
850 0xDF, 0x50, 0x86, 0x96 }
851};
852
853static const int camellia_test_ctr_len[3] =
854 { 16, 32, 36 };
855#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]856
857/*
858 * Checkup routine
859 */
860int camellia_self_test( int verbose )
861{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]862 int i, j, u, v;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]863 unsigned char key[32];
864 unsigned char buf[64];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]865 unsigned char src[16];
866 unsigned char dst[16];
867 unsigned char iv[16];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]868#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]869 size_t offset, len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]870 unsigned char nonce_counter[16];
871 unsigned char stream_block[16];
872#endif
873
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]874 camellia_context ctx;
875
876 memset( key, 0, 32 );
877
878 for (j = 0; j < 6; j++) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]879 u = j >> 1;
880 v = j & 1;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]881
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]882 if( verbose != 0 )
883 printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
884 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]885
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]886 for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
887 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]888
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]889 if (v == CAMELLIA_DECRYPT) {
890 camellia_setkey_dec(&ctx, key, 128 + u * 64);
891 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
892 memcpy(dst, camellia_test_ecb_plain[i], 16);
893 } else { /* CAMELLIA_ENCRYPT */
894 camellia_setkey_enc(&ctx, key, 128 + u * 64);
895 memcpy(src, camellia_test_ecb_plain[i], 16);
896 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
897 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]898
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]899 camellia_crypt_ecb(&ctx, v, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]900
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]901 if( memcmp( buf, dst, 16 ) != 0 )
902 {
903 if( verbose != 0 )
904 printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]905
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]906 return( 1 );
907 }
908 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]909
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]910 if( verbose != 0 )
911 printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]912 }
913
914 if( verbose != 0 )
915 printf( "\n" );
916
917 /*
918 * CBC mode
919 */
920 for( j = 0; j < 6; j++ )
921 {
922 u = j >> 1;
923 v = j & 1;
924
925 if( verbose != 0 )
926 printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
927 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
928
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]929 memcpy( src, camellia_test_cbc_iv, 16);
930 memcpy( dst, camellia_test_cbc_iv, 16);
931 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]932
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]933 if (v == CAMELLIA_DECRYPT) {
934 camellia_setkey_dec(&ctx, key, 128 + u * 64);
935 } else {
936 camellia_setkey_enc(&ctx, key, 128 + u * 64);
937 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]938
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]939 for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]940
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]941 if (v == CAMELLIA_DECRYPT) {
942 memcpy( iv , src, 16 );
943 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
944 memcpy(dst, camellia_test_cbc_plain[i], 16);
945 } else { /* CAMELLIA_ENCRYPT */
946 memcpy( iv , dst, 16 );
947 memcpy(src, camellia_test_cbc_plain[i], 16);
948 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
949 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]950
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]951 camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]952
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]953 if( memcmp( buf, dst, 16 ) != 0 )
954 {
955 if( verbose != 0 )
956 printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]957
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]958 return( 1 );
959 }
960 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]961
962 if( verbose != 0 )
963 printf( "passed\n" );
964 }
965
966 if( verbose != 0 )
967 printf( "\n" );
968
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]969#if defined(POLARSSL_CIPHER_MODE_CTR)
970 /*
971 * CTR mode
972 */
973 for( i = 0; i < 6; i++ )
974 {
975 u = i >> 1;
976 v = i & 1;
977
978 if( verbose != 0 )
979 printf( " CAMELLIA-CTR-128 (%s): ",
980 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
981
982 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
983 memcpy( key, camellia_test_ctr_key[u], 16 );
984
985 offset = 0;
986 camellia_setkey_enc( &ctx, key, 128 );
987
988 if( v == CAMELLIA_DECRYPT )
989 {
990 len = camellia_test_ctr_len[u];
991 memcpy( buf, camellia_test_ctr_ct[u], len );
992
993 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
994
995 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
996 {
997 if( verbose != 0 )
998 printf( "failed\n" );
999
1000 return( 1 );
1001 }
1002 }
1003 else
1004 {
1005 len = camellia_test_ctr_len[u];
1006 memcpy( buf, camellia_test_ctr_pt[u], len );
1007
1008 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1009
1010 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1011 {
1012 if( verbose != 0 )
1013 printf( "failed\n" );
1014
1015 return( 1 );
1016 }
1017 }
1018
1019 if( verbose != 0 )
1020 printf( "passed\n" );
1021 }
1022
1023 if( verbose != 0 )
1024 printf( "\n" );
1025#endif /* POLARSSL_CIPHER_MODE_CTR */
1026
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1027 return ( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1028}
1029
1030#endif
1031
1032#endif