TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 6b897c930c822575bc1746c31adfb6c9dfbd7ebf / . / library / camellia.c
blob: 29d730ab5369bf69c46daefea742145d442510a4 [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1/*
2 * Camellia implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]18 */
19/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]20 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
21 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]22 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]23 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_CAMELLIA_C)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]29
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]30#include "mbedtls/camellia.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]31#include "mbedtls/platform_util.h"
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]32
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]33#include <string.h>
Manuel Pégourié-Gonnard394608e2015-02-17 16:01:07 +0100[diff] [blame]34
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]35#if defined(MBEDTLS_SELF_TEST)
36#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]38#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]39#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]40#define mbedtls_printf printf
41#endif /* MBEDTLS_PLATFORM_C */
42#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]43
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if !defined(MBEDTLS_CAMELLIA_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]45
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]46/* Parameter validation macros */
47#define CAMELLIA_VALIDATE_RET( cond ) \
48 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
49#define CAMELLIA_VALIDATE( cond ) \
50 MBEDTLS_INTERNAL_VALIDATE( cond )
51
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]52static const unsigned char SIGMA_CHARS[6][8] =
53{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]54 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
55 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
56 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
57 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
58 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
59 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]60};
61
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]62#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]63
64static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]65{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]66 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
67 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
68 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
69 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
70 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
71 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
72 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
73 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
74 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
75 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
76 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
77 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
78 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
79 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
80 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
81 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]82};
83
84#define SBOX1(n) FSb[(n)]
85#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
86#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]87#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
88
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]89#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]90
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]91static const unsigned char FSb[256] =
92{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]93 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
94 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
95 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
96 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
97 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
98 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
99 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
100 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
101 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
102 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
103 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
104 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
105 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
106 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
107 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
108 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]109};
110
111static const unsigned char FSb2[256] =
112{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]113 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
114 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
115 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
116 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
117 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
118 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
119 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
120 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
121 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
122 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
123 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
124 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
125 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
126 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
127 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
128 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]129};
130
131static const unsigned char FSb3[256] =
132{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]133 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
134 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
135 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
136 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
137 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
138 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
139 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
140 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
141 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
142 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
143 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
144 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
145 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
146 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
147 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
148 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]149};
150
151static const unsigned char FSb4[256] =
152{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]153 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
154 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
155 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
156 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
157 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
158 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
159 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
160 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
161 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
162 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
163 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
164 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
165 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
166 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
167 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
168 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]169};
170
171#define SBOX1(n) FSb[(n)]
172#define SBOX2(n) FSb2[(n)]
173#define SBOX3(n) FSb3[(n)]
174#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]175
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]176#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]177
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]178static const unsigned char shifts[2][4][4] =
179{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]180 {
181 { 1, 1, 1, 1 }, /* KL */
182 { 0, 0, 0, 0 }, /* KR */
183 { 1, 1, 1, 1 }, /* KA */
184 { 0, 0, 0, 0 } /* KB */
185 },
186 {
187 { 1, 0, 1, 1 }, /* KL */
188 { 1, 1, 0, 1 }, /* KR */
189 { 1, 1, 1, 0 }, /* KA */
190 { 1, 1, 0, 1 } /* KB */
191 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]192};
193
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]194static const signed char indexes[2][4][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]195{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]196 {
197 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
198 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
199 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
200 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
201 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
202 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
203 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
204 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
205 },
206 {
207 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
208 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
209 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
210 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
211 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
212 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
213 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
214 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
215 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]216};
217
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]218static const signed char transposes[2][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]219{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]220 {
221 21, 22, 23, 20,
222 -1, -1, -1, -1,
223 18, 19, 16, 17,
224 11, 8, 9, 10,
225 15, 12, 13, 14
226 },
227 {
228 25, 26, 27, 24,
229 29, 30, 31, 28,
230 18, 19, 16, 17,
231 -1, -1, -1, -1,
232 -1, -1, -1, -1
233 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]234};
235
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]236/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]237#define ROTL(DEST, SRC, SHIFT) \
238{ \
239 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
240 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
241 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
242 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]243}
244
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]245#define FL(XL, XR, KL, KR) \
246{ \
247 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
248 (XL) = ((XR) | (KR)) ^ (XL); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]249}
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]250
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]251#define FLInv(YL, YR, KL, KR) \
252{ \
253 (YL) = ((YR) | (KR)) ^ (YL); \
254 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]255}
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]256
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]257#define SHIFT_AND_PLACE(INDEX, OFFSET) \
258{ \
259 TK[0] = KC[(OFFSET) * 4 + 0]; \
260 TK[1] = KC[(OFFSET) * 4 + 1]; \
261 TK[2] = KC[(OFFSET) * 4 + 2]; \
262 TK[3] = KC[(OFFSET) * 4 + 3]; \
263 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]264 for( i = 1; i <= 4; i++ ) \
265 if( shifts[(INDEX)][(OFFSET)][i -1] ) \
266 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]267 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]268 for( i = 0; i < 20; i++ ) \
269 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \
270 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
271 } \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]272}
273
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]274static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
275 uint32_t z[2])
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]276{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]277 uint32_t I0, I1;
278 I0 = x[0] ^ k[0];
279 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]280
Joe Subbiani6b897c92021-07-08 14:59:52 +0100[diff] [blame^]281 I0 = ((uint32_t) SBOX1( MBEDTLS_BYTE_3( I0 )) << 24) |
282 ((uint32_t) SBOX2( MBEDTLS_BYTE_2( I0 )) << 16) |
283 ((uint32_t) SBOX3( MBEDTLS_BYTE_1( I0 )) << 8) |
284 ((uint32_t) SBOX4( MBEDTLS_BYTE_0( I0 )) );
285 I1 = ((uint32_t) SBOX2( MBEDTLS_BYTE_3( I1 )) << 24) |
286 ((uint32_t) SBOX3( MBEDTLS_BYTE_2( I1 )) << 16) |
287 ((uint32_t) SBOX4( MBEDTLS_BYTE_1( I1 )) << 8) |
288 ((uint32_t) SBOX1( MBEDTLS_BYTE_0( I1 )) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]289
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]290 I0 ^= (I1 << 8) | (I1 >> 24);
291 I1 ^= (I0 << 16) | (I0 >> 16);
292 I0 ^= (I1 >> 8) | (I1 << 24);
293 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]294
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]295 z[0] ^= I1;
296 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]297}
298
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]299void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]300{
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]301 CAMELLIA_VALIDATE( ctx != NULL );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]302 memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]303}
304
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]305void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]306{
307 if( ctx == NULL )
308 return;
309
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]310 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]311}
312
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]313/*
314 * Camellia key schedule (encryption)
315 */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]316int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
317 const unsigned char *key,
318 unsigned int keybits )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]319{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]320 int idx;
321 size_t i;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]322 uint32_t *RK;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]323 unsigned char t[64];
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]324 uint32_t SIGMA[6][2];
325 uint32_t KC[16];
326 uint32_t TK[20];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]327
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]328 CAMELLIA_VALIDATE_RET( ctx != NULL );
329 CAMELLIA_VALIDATE_RET( key != NULL );
330
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]331 RK = ctx->rk;
332
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]333 memset( t, 0, 64 );
334 memset( RK, 0, sizeof(ctx->rk) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]335
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]336 switch( keybits )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]337 {
338 case 128: ctx->nr = 3; idx = 0; break;
339 case 192:
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]340 case 256: ctx->nr = 4; idx = 1; break;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]341 default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]342 }
343
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]344 for( i = 0; i < keybits / 8; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]345 t[i] = key[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]346
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]347 if( keybits == 192 ) {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]348 for( i = 0; i < 8; i++ )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]349 t[24 + i] = ~t[16 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]350 }
351
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]352 /*
353 * Prepare SIGMA values
354 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]355 for( i = 0; i < 6; i++ ) {
Joe Subbiani9231d5f2021-07-07 16:56:29 +0100[diff] [blame]356 SIGMA[i][0] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 0 );
357 SIGMA[i][1] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 4 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]358 }
359
360 /*
361 * Key storage in KC
362 * Order: KL, KR, KA, KB
363 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]364 memset( KC, 0, sizeof(KC) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]365
366 /* Store KL, KR */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]367 for( i = 0; i < 8; i++ )
Joe Subbiani9231d5f2021-07-07 16:56:29 +0100[diff] [blame]368 KC[i] = MBEDTLS_GET_UINT32_BE( t, i * 4 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]369
370 /* Generate KA */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]371 for( i = 0; i < 4; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]372 KC[8 + i] = KC[i] ^ KC[4 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]373
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]374 camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
375 camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]376
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]377 for( i = 0; i < 4; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]378 KC[8 + i] ^= KC[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]379
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]380 camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
381 camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]382
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]383 if( keybits > 128 ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]384 /* Generate KB */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]385 for( i = 0; i < 4; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]386 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]387
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]388 camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
389 camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]390 }
391
392 /*
393 * Generating subkeys
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]394 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]395
396 /* Manipulating KL */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]397 SHIFT_AND_PLACE( idx, 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]398
399 /* Manipulating KR */
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]400 if( keybits > 128 ) {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]401 SHIFT_AND_PLACE( idx, 1 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]402 }
403
404 /* Manipulating KA */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]405 SHIFT_AND_PLACE( idx, 2 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]406
407 /* Manipulating KB */
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]408 if( keybits > 128 ) {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]409 SHIFT_AND_PLACE( idx, 3 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]410 }
411
412 /* Do transpositions */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]413 for( i = 0; i < 20; i++ ) {
414 if( transposes[idx][i] != -1 ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]415 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
416 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]417 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]418
419 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]420}
421
422/*
423 * Camellia key schedule (decryption)
424 */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]425int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
426 const unsigned char *key,
427 unsigned int keybits )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]428{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]429 int idx, ret;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]430 size_t i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]431 mbedtls_camellia_context cty;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]432 uint32_t *RK;
433 uint32_t *SK;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]434 CAMELLIA_VALIDATE_RET( ctx != NULL );
435 CAMELLIA_VALIDATE_RET( key != NULL );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]436
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]437 mbedtls_camellia_init( &cty );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]438
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]439 /* Also checks keybits */
440 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]441 goto exit;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]442
Manuel Pégourié-Gonnard3ac6a2b2014-05-28 22:04:25 +0200[diff] [blame]443 ctx->nr = cty.nr;
444 idx = ( ctx->nr == 4 );
445
446 RK = ctx->rk;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]447 SK = cty.rk + 24 * 2 + 8 * idx * 2;
448
449 *RK++ = *SK++;
450 *RK++ = *SK++;
451 *RK++ = *SK++;
452 *RK++ = *SK++;
453
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]454 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]455 {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]456 *RK++ = *SK++;
457 *RK++ = *SK++;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]458 }
459
460 SK -= 2;
461
462 *RK++ = *SK++;
463 *RK++ = *SK++;
464 *RK++ = *SK++;
465 *RK++ = *SK++;
466
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]467exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]468 mbedtls_camellia_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]469
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]470 return( ret );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]471}
472
473/*
474 * Camellia-ECB block encryption/decryption
475 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]476int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]477 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]478 const unsigned char input[16],
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]479 unsigned char output[16] )
480{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]481 int NR;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]482 uint32_t *RK, X[4];
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]483 CAMELLIA_VALIDATE_RET( ctx != NULL );
484 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
485 mode == MBEDTLS_CAMELLIA_DECRYPT );
486 CAMELLIA_VALIDATE_RET( input != NULL );
487 CAMELLIA_VALIDATE_RET( output != NULL );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]488
Paul Bakkerc2547b02009-07-20 20:40:52 +0000[diff] [blame]489 ( (void) mode );
490
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]491 NR = ctx->nr;
492 RK = ctx->rk;
493
Joe Subbiani9231d5f2021-07-07 16:56:29 +0100[diff] [blame]494 X[0] = MBEDTLS_GET_UINT32_BE( input, 0 );
495 X[1] = MBEDTLS_GET_UINT32_BE( input, 4 );
496 X[2] = MBEDTLS_GET_UINT32_BE( input, 8 );
497 X[3] = MBEDTLS_GET_UINT32_BE( input, 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]498
499 X[0] ^= *RK++;
500 X[1] ^= *RK++;
501 X[2] ^= *RK++;
502 X[3] ^= *RK++;
503
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]504 while( NR ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]505 --NR;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]506 camellia_feistel( X, RK, X + 2 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]507 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]508 camellia_feistel( X + 2, RK, X );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]509 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]510 camellia_feistel( X, RK, X + 2 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]511 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]512 camellia_feistel( X + 2, RK, X );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]513 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]514 camellia_feistel( X, RK, X + 2 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]515 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]516 camellia_feistel( X + 2, RK, X );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]517 RK += 2;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]518
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]519 if( NR ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]520 FL(X[0], X[1], RK[0], RK[1]);
521 RK += 2;
522 FLInv(X[2], X[3], RK[0], RK[1]);
523 RK += 2;
524 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]525 }
526
527 X[2] ^= *RK++;
528 X[3] ^= *RK++;
529 X[0] ^= *RK++;
530 X[1] ^= *RK++;
531
Joe Subbiani2bbafda2021-06-24 13:00:03 +0100[diff] [blame]532 MBEDTLS_PUT_UINT32_BE( X[2], output, 0 );
533 MBEDTLS_PUT_UINT32_BE( X[3], output, 4 );
534 MBEDTLS_PUT_UINT32_BE( X[0], output, 8 );
535 MBEDTLS_PUT_UINT32_BE( X[1], output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]536
537 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]538}
539
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]540#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]541/*
542 * Camellia-CBC buffer encryption/decryption
543 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]544int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]545 int mode,
546 size_t length,
547 unsigned char iv[16],
548 const unsigned char *input,
549 unsigned char *output )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]550{
551 int i;
552 unsigned char temp[16];
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]553 CAMELLIA_VALIDATE_RET( ctx != NULL );
554 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
555 mode == MBEDTLS_CAMELLIA_DECRYPT );
556 CAMELLIA_VALIDATE_RET( iv != NULL );
557 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
558 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]559
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]560 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]561 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]562
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]563 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]564 {
565 while( length > 0 )
566 {
567 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]568 mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]569
570 for( i = 0; i < 16; i++ )
571 output[i] = (unsigned char)( output[i] ^ iv[i] );
572
573 memcpy( iv, temp, 16 );
574
575 input += 16;
576 output += 16;
577 length -= 16;
578 }
579 }
580 else
581 {
582 while( length > 0 )
583 {
584 for( i = 0; i < 16; i++ )
585 output[i] = (unsigned char)( input[i] ^ iv[i] );
586
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]587 mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]588 memcpy( iv, output, 16 );
589
590 input += 16;
591 output += 16;
592 length -= 16;
593 }
594 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]595
596 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]597}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]598#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]599
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]600#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]601/*
602 * Camellia-CFB128 buffer encryption/decryption
603 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]604int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]605 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]606 size_t length,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]607 size_t *iv_off,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]608 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]609 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]610 unsigned char *output )
611{
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]612 int c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]613 size_t n;
614 CAMELLIA_VALIDATE_RET( ctx != NULL );
615 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
616 mode == MBEDTLS_CAMELLIA_DECRYPT );
617 CAMELLIA_VALIDATE_RET( iv != NULL );
618 CAMELLIA_VALIDATE_RET( iv_off != NULL );
619 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
620 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
621
622 n = *iv_off;
623 if( n >= 16 )
624 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]625
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]626 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]627 {
628 while( length-- )
629 {
630 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]631 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]632
633 c = *input++;
634 *output++ = (unsigned char)( c ^ iv[n] );
635 iv[n] = (unsigned char) c;
636
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]637 n = ( n + 1 ) & 0x0F;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]638 }
639 }
640 else
641 {
642 while( length-- )
643 {
644 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]645 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]646
647 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
648
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]649 n = ( n + 1 ) & 0x0F;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]650 }
651 }
652
653 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]654
655 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]656}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]657#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]658
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]659#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]660/*
661 * Camellia-CTR buffer encryption/decryption
662 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]663int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]664 size_t length,
665 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]666 unsigned char nonce_counter[16],
667 unsigned char stream_block[16],
668 const unsigned char *input,
669 unsigned char *output )
670{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]671 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]672 size_t n;
673 CAMELLIA_VALIDATE_RET( ctx != NULL );
674 CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
675 CAMELLIA_VALIDATE_RET( stream_block != NULL );
676 CAMELLIA_VALIDATE_RET( nc_off != NULL );
677 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
678 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
679
680 n = *nc_off;
681 if( n >= 16 )
682 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]683
684 while( length-- )
685 {
686 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]687 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]688 stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]689
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]690 for( i = 16; i > 0; i-- )
691 if( ++nonce_counter[i - 1] != 0 )
692 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]693 }
694 c = *input++;
695 *output++ = (unsigned char)( c ^ stream_block[n] );
696
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]697 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]698 }
699
700 *nc_off = n;
701
702 return( 0 );
703}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]704#endif /* MBEDTLS_CIPHER_MODE_CTR */
705#endif /* !MBEDTLS_CAMELLIA_ALT */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]706
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]707#if defined(MBEDTLS_SELF_TEST)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]708
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]709/*
710 * Camellia test vectors from:
711 *
712 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
713 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
714 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]715 * (For each bitlength: Key 0, Nr 39)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]716 */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]717#define CAMELLIA_TESTS_ECB 2
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]718
719static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
720{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]721 {
722 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
723 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]724 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]725 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
726 },
727 {
728 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
729 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
730 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]731 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]732 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
733 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
734 },
735 {
736 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
737 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
738 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
739 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]740 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]741 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
744 },
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]745};
746
747static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
748{
749 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
750 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]751 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]752 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
753};
754
755static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
756{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]757 {
758 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
759 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
760 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
761 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
762 },
763 {
764 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
765 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
766 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
767 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
768 },
769 {
770 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
771 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
772 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
773 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
774 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]775};
776
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]777#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]778#define CAMELLIA_TESTS_CBC 3
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]779
780static const unsigned char camellia_test_cbc_key[3][32] =
781{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]782 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
783 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
784 ,
785 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
786 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
787 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
788 ,
789 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
790 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
791 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
792 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]793};
794
795static const unsigned char camellia_test_cbc_iv[16] =
796
797 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
798 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
799;
800
801static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
802{
803 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
804 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
805 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
806 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
807 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
808 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
809
810};
811
812static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
813{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]814 {
815 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
816 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
817 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
818 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
819 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
820 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
821 },
822 {
823 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
824 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
825 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
826 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
827 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
828 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
829 },
830 {
831 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
832 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
833 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
834 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
835 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
836 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
837 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]838};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]839#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]840
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]841#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]842/*
843 * Camellia-CTR test vectors from:
844 *
845 * http://www.faqs.org/rfcs/rfc5528.html
846 */
847
848static const unsigned char camellia_test_ctr_key[3][16] =
849{
850 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
851 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
852 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
853 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
854 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
855 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
856};
857
858static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
859{
860 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
861 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
862 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
863 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
864 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
865 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
866};
867
868static const unsigned char camellia_test_ctr_pt[3][48] =
869{
870 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
871 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
872
873 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
874 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
875 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
876 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
877
878 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
879 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
880 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
881 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
882 0x20, 0x21, 0x22, 0x23 }
883};
884
885static const unsigned char camellia_test_ctr_ct[3][48] =
886{
887 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
888 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
889 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
890 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
891 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
892 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
893 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
894 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
895 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
896 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
897 0xDF, 0x50, 0x86, 0x96 }
898};
899
900static const int camellia_test_ctr_len[3] =
901 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]902#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]903
904/*
905 * Checkup routine
906 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]907int mbedtls_camellia_self_test( int verbose )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]908{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]909 int i, j, u, v;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]910 unsigned char key[32];
911 unsigned char buf[64];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]912 unsigned char src[16];
913 unsigned char dst[16];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]914#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]915 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]916#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]917#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakker1ef71df2011-06-09 14:14:58 +0000[diff] [blame]918 size_t offset, len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]919 unsigned char nonce_counter[16];
920 unsigned char stream_block[16];
921#endif
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]922 int ret = 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]923
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]924 mbedtls_camellia_context ctx;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]925
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]926 mbedtls_camellia_init( &ctx );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]927 memset( key, 0, 32 );
928
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]929 for( j = 0; j < 6; j++ ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]930 u = j >> 1;
931 v = j & 1;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]932
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]933 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]934 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
935 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]936
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]937 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
938 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]939
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]940 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
941 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]942 memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
943 memcpy( dst, camellia_test_ecb_plain[i], 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]944 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
945 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]946 memcpy( src, camellia_test_ecb_plain[i], 16 );
947 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]948 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]949
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]950 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]951
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]952 if( memcmp( buf, dst, 16 ) != 0 )
953 {
954 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]955 mbedtls_printf( "failed\n" );
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]956 goto exit;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]957 }
958 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]959
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]960 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]961 mbedtls_printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]962 }
963
964 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]965 mbedtls_printf( "\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]966
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]967#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]968 /*
969 * CBC mode
970 */
971 for( j = 0; j < 6; j++ )
972 {
973 u = j >> 1;
974 v = j & 1;
975
976 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]977 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
978 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]979
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]980 memcpy( src, camellia_test_cbc_iv, 16 );
981 memcpy( dst, camellia_test_cbc_iv, 16 );
982 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]983
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]984 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]985 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
986 } else {
987 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]988 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]989
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]990 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]991
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]992 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
993 memcpy( iv , src, 16 );
994 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
995 memcpy( dst, camellia_test_cbc_plain[i], 16 );
996 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
997 memcpy( iv , dst, 16 );
998 memcpy( src, camellia_test_cbc_plain[i], 16 );
999 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
1000 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1001
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]1002 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
1003
1004 if( memcmp( buf, dst, 16 ) != 0 )
1005 {
1006 if( verbose != 0 )
1007 mbedtls_printf( "failed\n" );
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]1008 goto exit;
Janos Follath98e28a72016-05-31 14:03:54 +0100[diff] [blame]1009 }
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]1010 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1011
1012 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1013 mbedtls_printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1014 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1015#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1016
1017 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1018 mbedtls_printf( "\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1019
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1020#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1021 /*
1022 * CTR mode
1023 */
1024 for( i = 0; i < 6; i++ )
1025 {
1026 u = i >> 1;
1027 v = i & 1;
1028
1029 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1030 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ",
1031 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1032
1033 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1034 memcpy( key, camellia_test_ctr_key[u], 16 );
1035
1036 offset = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1037 mbedtls_camellia_setkey_enc( &ctx, key, 128 );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1038
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1039 if( v == MBEDTLS_CAMELLIA_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1040 {
1041 len = camellia_test_ctr_len[u];
1042 memcpy( buf, camellia_test_ctr_ct[u], len );
1043
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1044 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1045 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1046
1047 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1048 {
1049 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1050 mbedtls_printf( "failed\n" );
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]1051 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1052 }
1053 }
1054 else
1055 {
1056 len = camellia_test_ctr_len[u];
1057 memcpy( buf, camellia_test_ctr_pt[u], len );
1058
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1059 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1060 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1061
1062 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1063 {
1064 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1065 mbedtls_printf( "failed\n" );
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]1066 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1067 }
1068 }
1069
1070 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1071 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1072 }
1073
1074 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1075 mbedtls_printf( "\n" );
1076#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1077
Gilles Peskine66c616a2021-05-25 09:17:46 +0200[diff] [blame]1078 ret = 0;
1079
1080exit:
1081 mbedtls_camellia_free( &ctx );
1082 return( ret );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1083}
1084
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1085#endif /* MBEDTLS_SELF_TEST */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1086
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1087#endif /* MBEDTLS_CAMELLIA_C */