blob: f007a46a3df885fd2427de4982f46f8dfad1030f [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +00001/*
2 * Camellia implementation
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +01004 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +00005 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +00008 *
Paul Bakker77b385e2009-07-28 17:23:11 +00009 * All rights reserved.
Paul Bakker38119b12009-01-10 23:31:23 +000010 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +000026 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
27 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +000028 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +000029 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +000030 */
31
32#include "polarssl/config.h"
33
34#if defined(POLARSSL_CAMELLIA_C)
35
36#include "polarssl/camellia.h"
37
Paul Bakker7dc4c442014-02-01 22:50:26 +010038#if defined(POLARSSL_PLATFORM_C)
39#include "polarssl/platform.h"
40#else
41#define polarssl_printf printf
42#endif
43
Paul Bakker90995b52013-06-24 19:20:35 +020044#if !defined(POLARSSL_CAMELLIA_ALT)
45
Paul Bakker38119b12009-01-10 23:31:23 +000046/*
47 * 32-bit integer manipulation macros (big endian)
48 */
Paul Bakker5c2364c2012-10-01 14:41:15 +000049#ifndef GET_UINT32_BE
50#define GET_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +000051{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +000052 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
53 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
54 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
55 | ( (uint32_t) (b)[(i) + 3] ); \
Paul Bakker38119b12009-01-10 23:31:23 +000056}
57#endif
58
Paul Bakker5c2364c2012-10-01 14:41:15 +000059#ifndef PUT_UINT32_BE
60#define PUT_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +000061{ \
62 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
63 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
64 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
65 (b)[(i) + 3] = (unsigned char) ( (n) ); \
66}
67#endif
68
69static const unsigned char SIGMA_CHARS[6][8] =
70{
Paul Bakkerc81f6c32009-05-03 13:09:15 +000071 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
72 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
73 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
74 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
75 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
76 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
Paul Bakker38119b12009-01-10 23:31:23 +000077};
78
Paul Bakker33008ee2011-11-18 12:58:25 +000079#if defined(POLARSSL_CAMELLIA_SMALL_MEMORY)
Paul Bakkerfa049db2009-01-12 22:12:03 +000080
81static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +000082{
Paul Bakkerc81f6c32009-05-03 13:09:15 +000083 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
84 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
85 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
86 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
87 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
88 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
89 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
90 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
91 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
92 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
93 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
94 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
95 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
96 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
97 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
98 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
Paul Bakker38119b12009-01-10 23:31:23 +000099};
100
101#define SBOX1(n) FSb[(n)]
102#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
103#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000104#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
105
106#else
107
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000108static const unsigned char FSb[256] =
109{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000110 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
111 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
112 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
113 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
114 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
115 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
116 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
117 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
118 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
119 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
120 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
121 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
122 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
123 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
124 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
125 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000126};
127
128static const unsigned char FSb2[256] =
129{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000130 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
131 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
132 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
133 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
134 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
135 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
136 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
137 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
138 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
139 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
140 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
141 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
142 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
143 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
144 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
145 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000146};
147
148static const unsigned char FSb3[256] =
149{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000150 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
151 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
152 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
153 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
154 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
155 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
156 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
157 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
158 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
159 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
160 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
161 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
162 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
163 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
164 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
165 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000166};
167
168static const unsigned char FSb4[256] =
169{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000170 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
171 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
172 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
173 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
174 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
175 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
176 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
177 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
178 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
179 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
180 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
181 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
182 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
183 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
184 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
185 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000186};
187
188#define SBOX1(n) FSb[(n)]
189#define SBOX2(n) FSb2[(n)]
190#define SBOX3(n) FSb3[(n)]
191#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000192
Paul Bakkerfa049db2009-01-12 22:12:03 +0000193#endif
194
Paul Bakker38119b12009-01-10 23:31:23 +0000195static const unsigned char shifts[2][4][4] =
196{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000197 {
198 { 1, 1, 1, 1 }, /* KL */
199 { 0, 0, 0, 0 }, /* KR */
200 { 1, 1, 1, 1 }, /* KA */
201 { 0, 0, 0, 0 } /* KB */
202 },
203 {
204 { 1, 0, 1, 1 }, /* KL */
205 { 1, 1, 0, 1 }, /* KR */
206 { 1, 1, 1, 0 }, /* KA */
207 { 1, 1, 0, 1 } /* KB */
208 }
Paul Bakker38119b12009-01-10 23:31:23 +0000209};
210
Paul Bakker026c03b2009-03-28 17:53:03 +0000211static const signed char indexes[2][4][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000212{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000213 {
214 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
215 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
216 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
217 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
218 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
219 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
220 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
221 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
222 },
223 {
224 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
225 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
226 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
227 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
228 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
229 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
230 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
231 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
232 }
Paul Bakker38119b12009-01-10 23:31:23 +0000233};
234
Paul Bakker026c03b2009-03-28 17:53:03 +0000235static const signed char transposes[2][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000236{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000237 {
238 21, 22, 23, 20,
239 -1, -1, -1, -1,
240 18, 19, 16, 17,
241 11, 8, 9, 10,
242 15, 12, 13, 14
243 },
244 {
245 25, 26, 27, 24,
246 29, 30, 31, 28,
247 18, 19, 16, 17,
248 -1, -1, -1, -1,
249 -1, -1, -1, -1
250 }
Paul Bakker38119b12009-01-10 23:31:23 +0000251};
252
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000253/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000254#define ROTL(DEST, SRC, SHIFT) \
255{ \
256 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
257 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
258 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
259 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
Paul Bakker38119b12009-01-10 23:31:23 +0000260}
261
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000262#define FL(XL, XR, KL, KR) \
263{ \
264 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
265 (XL) = ((XR) | (KR)) ^ (XL); \
Paul Bakker38119b12009-01-10 23:31:23 +0000266}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000267
268#define FLInv(YL, YR, KL, KR) \
269{ \
270 (YL) = ((YR) | (KR)) ^ (YL); \
271 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
Paul Bakker38119b12009-01-10 23:31:23 +0000272}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000273
274#define SHIFT_AND_PLACE(INDEX, OFFSET) \
275{ \
276 TK[0] = KC[(OFFSET) * 4 + 0]; \
277 TK[1] = KC[(OFFSET) * 4 + 1]; \
278 TK[2] = KC[(OFFSET) * 4 + 2]; \
279 TK[3] = KC[(OFFSET) * 4 + 3]; \
280 \
281 for ( i = 1; i <= 4; i++ ) \
282 if (shifts[(INDEX)][(OFFSET)][i -1]) \
283 ROTL(TK + i * 4, TK, (15 * i) % 32); \
284 \
285 for ( i = 0; i < 20; i++ ) \
286 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
287 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
288 } \
Paul Bakker38119b12009-01-10 23:31:23 +0000289}
290
Paul Bakkerff60ee62010-03-16 21:09:09 +0000291static void camellia_feistel(const uint32_t x[2], const uint32_t k[2], uint32_t z[2])
Paul Bakker38119b12009-01-10 23:31:23 +0000292{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000293 uint32_t I0, I1;
294 I0 = x[0] ^ k[0];
295 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000296
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000297 I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
298 (SBOX2((I0 >> 16) & 0xFF) << 16) |
299 (SBOX3((I0 >> 8) & 0xFF) << 8) |
300 (SBOX4((I0 ) & 0xFF) );
301 I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
302 (SBOX3((I1 >> 16) & 0xFF) << 16) |
303 (SBOX4((I1 >> 8) & 0xFF) << 8) |
304 (SBOX1((I1 ) & 0xFF) );
Paul Bakker38119b12009-01-10 23:31:23 +0000305
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000306 I0 ^= (I1 << 8) | (I1 >> 24);
307 I1 ^= (I0 << 16) | (I0 >> 16);
308 I0 ^= (I1 >> 8) | (I1 << 24);
309 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000310
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000311 z[0] ^= I1;
312 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000313}
314
315/*
316 * Camellia key schedule (encryption)
317 */
Paul Bakker23986e52011-04-24 08:57:21 +0000318int camellia_setkey_enc( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000319{
Paul Bakker23986e52011-04-24 08:57:21 +0000320 int idx;
321 size_t i;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000322 uint32_t *RK;
Paul Bakker38119b12009-01-10 23:31:23 +0000323 unsigned char t[64];
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000324 uint32_t SIGMA[6][2];
325 uint32_t KC[16];
326 uint32_t TK[20];
Paul Bakker38119b12009-01-10 23:31:23 +0000327
328 RK = ctx->rk;
329
330 memset(t, 0, 64);
331 memset(RK, 0, sizeof(ctx->rk));
332
333 switch( keysize )
334 {
335 case 128: ctx->nr = 3; idx = 0; break;
336 case 192:
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000337 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000338 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000339 }
340
341 for( i = 0; i < keysize / 8; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000342 t[i] = key[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000343
344 if (keysize == 192) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000345 for (i = 0; i < 8; i++)
346 t[24 + i] = ~t[16 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000347 }
348
Paul Bakker38119b12009-01-10 23:31:23 +0000349 /*
350 * Prepare SIGMA values
351 */
Paul Bakker38119b12009-01-10 23:31:23 +0000352 for (i = 0; i < 6; i++) {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000353 GET_UINT32_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
354 GET_UINT32_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000355 }
356
357 /*
358 * Key storage in KC
359 * Order: KL, KR, KA, KB
360 */
Paul Bakker38119b12009-01-10 23:31:23 +0000361 memset(KC, 0, sizeof(KC));
362
363 /* Store KL, KR */
364 for (i = 0; i < 8; i++)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000365 GET_UINT32_BE(KC[i], t, i * 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000366
367 /* Generate KA */
368 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000369 KC[8 + i] = KC[i] ^ KC[4 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000370
371 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
372 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
373
374 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000375 KC[8 + i] ^= KC[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000376
377 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
378 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
379
380 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000381 /* Generate KB */
382 for( i = 0; i < 4; ++i)
383 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000384
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000385 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
386 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
Paul Bakker38119b12009-01-10 23:31:23 +0000387 }
388
389 /*
390 * Generating subkeys
391 */
Paul Bakker38119b12009-01-10 23:31:23 +0000392
393 /* Manipulating KL */
394 SHIFT_AND_PLACE(idx, 0);
395
396 /* Manipulating KR */
397 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000398 SHIFT_AND_PLACE(idx, 1);
Paul Bakker38119b12009-01-10 23:31:23 +0000399 }
400
401 /* Manipulating KA */
402 SHIFT_AND_PLACE(idx, 2);
403
404 /* Manipulating KB */
405 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000406 SHIFT_AND_PLACE(idx, 3);
Paul Bakker38119b12009-01-10 23:31:23 +0000407 }
408
409 /* Do transpositions */
410 for ( i = 0; i < 20; i++ ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000411 if (transposes[idx][i] != -1) {
412 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
413 }
Paul Bakker38119b12009-01-10 23:31:23 +0000414 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000415
416 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000417}
418
419/*
420 * Camellia key schedule (decryption)
421 */
Paul Bakker23986e52011-04-24 08:57:21 +0000422int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000423{
Paul Bakker23986e52011-04-24 08:57:21 +0000424 int idx;
425 size_t i;
Paul Bakker38119b12009-01-10 23:31:23 +0000426 camellia_context cty;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000427 uint32_t *RK;
428 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000429 int ret;
Paul Bakker38119b12009-01-10 23:31:23 +0000430
431 switch( keysize )
432 {
433 case 128: ctx->nr = 3; idx = 0; break;
434 case 192:
435 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000436 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000437 }
438
439 RK = ctx->rk;
440
Paul Bakker2b222c82009-07-27 21:03:45 +0000441 ret = camellia_setkey_enc(&cty, key, keysize);
442 if( ret != 0 )
443 return( ret );
Paul Bakker38119b12009-01-10 23:31:23 +0000444
445 SK = cty.rk + 24 * 2 + 8 * idx * 2;
446
447 *RK++ = *SK++;
448 *RK++ = *SK++;
449 *RK++ = *SK++;
450 *RK++ = *SK++;
451
452 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
453 {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000454 *RK++ = *SK++;
455 *RK++ = *SK++;
Paul Bakker38119b12009-01-10 23:31:23 +0000456 }
457
458 SK -= 2;
459
460 *RK++ = *SK++;
461 *RK++ = *SK++;
462 *RK++ = *SK++;
463 *RK++ = *SK++;
464
465 memset( &cty, 0, sizeof( camellia_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000466
467 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000468}
469
470/*
471 * Camellia-ECB block encryption/decryption
472 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000473int camellia_crypt_ecb( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000474 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000475 const unsigned char input[16],
Paul Bakker38119b12009-01-10 23:31:23 +0000476 unsigned char output[16] )
477{
Paul Bakker026c03b2009-03-28 17:53:03 +0000478 int NR;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000479 uint32_t *RK, X[4];
Paul Bakker38119b12009-01-10 23:31:23 +0000480
Paul Bakkerc2547b02009-07-20 20:40:52 +0000481 ( (void) mode );
482
Paul Bakker38119b12009-01-10 23:31:23 +0000483 NR = ctx->nr;
484 RK = ctx->rk;
485
Paul Bakker5c2364c2012-10-01 14:41:15 +0000486 GET_UINT32_BE( X[0], input, 0 );
487 GET_UINT32_BE( X[1], input, 4 );
488 GET_UINT32_BE( X[2], input, 8 );
489 GET_UINT32_BE( X[3], input, 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000490
491 X[0] ^= *RK++;
492 X[1] ^= *RK++;
493 X[2] ^= *RK++;
494 X[3] ^= *RK++;
495
496 while (NR) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000497 --NR;
498 camellia_feistel(X, RK, X + 2);
499 RK += 2;
500 camellia_feistel(X + 2, RK, X);
501 RK += 2;
502 camellia_feistel(X, RK, X + 2);
503 RK += 2;
504 camellia_feistel(X + 2, RK, X);
505 RK += 2;
506 camellia_feistel(X, RK, X + 2);
507 RK += 2;
508 camellia_feistel(X + 2, RK, X);
509 RK += 2;
Paul Bakker38119b12009-01-10 23:31:23 +0000510
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000511 if (NR) {
512 FL(X[0], X[1], RK[0], RK[1]);
513 RK += 2;
514 FLInv(X[2], X[3], RK[0], RK[1]);
515 RK += 2;
516 }
Paul Bakker38119b12009-01-10 23:31:23 +0000517 }
518
519 X[2] ^= *RK++;
520 X[3] ^= *RK++;
521 X[0] ^= *RK++;
522 X[1] ^= *RK++;
523
Paul Bakker5c2364c2012-10-01 14:41:15 +0000524 PUT_UINT32_BE( X[2], output, 0 );
525 PUT_UINT32_BE( X[3], output, 4 );
526 PUT_UINT32_BE( X[0], output, 8 );
527 PUT_UINT32_BE( X[1], output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000528
529 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000530}
531
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200532#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000533/*
534 * Camellia-CBC buffer encryption/decryption
535 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000536int camellia_crypt_cbc( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000537 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000538 size_t length,
Paul Bakker38119b12009-01-10 23:31:23 +0000539 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000540 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000541 unsigned char *output )
542{
543 int i;
544 unsigned char temp[16];
545
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000546 if( length % 16 )
547 return( POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
548
Paul Bakker38119b12009-01-10 23:31:23 +0000549 if( mode == CAMELLIA_DECRYPT )
550 {
551 while( length > 0 )
552 {
553 memcpy( temp, input, 16 );
554 camellia_crypt_ecb( ctx, mode, input, output );
555
556 for( i = 0; i < 16; i++ )
557 output[i] = (unsigned char)( output[i] ^ iv[i] );
558
559 memcpy( iv, temp, 16 );
560
561 input += 16;
562 output += 16;
563 length -= 16;
564 }
565 }
566 else
567 {
568 while( length > 0 )
569 {
570 for( i = 0; i < 16; i++ )
571 output[i] = (unsigned char)( input[i] ^ iv[i] );
572
573 camellia_crypt_ecb( ctx, mode, output, output );
574 memcpy( iv, output, 16 );
575
576 input += 16;
577 output += 16;
578 length -= 16;
579 }
580 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000581
582 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000583}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200584#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000585
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000586#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker38119b12009-01-10 23:31:23 +0000587/*
588 * Camellia-CFB128 buffer encryption/decryption
589 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000590int camellia_crypt_cfb128( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000591 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000592 size_t length,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000593 size_t *iv_off,
Paul Bakker38119b12009-01-10 23:31:23 +0000594 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000595 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000596 unsigned char *output )
597{
Paul Bakker1ef71df2011-06-09 14:14:58 +0000598 int c;
599 size_t n = *iv_off;
Paul Bakker38119b12009-01-10 23:31:23 +0000600
601 if( mode == CAMELLIA_DECRYPT )
602 {
603 while( length-- )
604 {
605 if( n == 0 )
606 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
607
608 c = *input++;
609 *output++ = (unsigned char)( c ^ iv[n] );
610 iv[n] = (unsigned char) c;
611
612 n = (n + 1) & 0x0F;
613 }
614 }
615 else
616 {
617 while( length-- )
618 {
619 if( n == 0 )
620 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
621
622 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
623
624 n = (n + 1) & 0x0F;
625 }
626 }
627
628 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000629
630 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000631}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000632#endif /* POLARSSL_CIPHER_MODE_CFB */
633
634#if defined(POLARSSL_CIPHER_MODE_CTR)
635/*
636 * Camellia-CTR buffer encryption/decryption
637 */
638int camellia_crypt_ctr( camellia_context *ctx,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000639 size_t length,
640 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000641 unsigned char nonce_counter[16],
642 unsigned char stream_block[16],
643 const unsigned char *input,
644 unsigned char *output )
645{
Paul Bakker369e14b2012-04-18 14:16:09 +0000646 int c, i;
Paul Bakker1ef71df2011-06-09 14:14:58 +0000647 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000648
649 while( length-- )
650 {
651 if( n == 0 ) {
652 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, nonce_counter, stream_block );
653
Paul Bakker369e14b2012-04-18 14:16:09 +0000654 for( i = 16; i > 0; i-- )
655 if( ++nonce_counter[i - 1] != 0 )
656 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000657 }
658 c = *input++;
659 *output++ = (unsigned char)( c ^ stream_block[n] );
660
661 n = (n + 1) & 0x0F;
662 }
663
664 *nc_off = n;
665
666 return( 0 );
667}
668#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker90995b52013-06-24 19:20:35 +0200669#endif /* !POLARSSL_CAMELLIA_ALT */
Paul Bakker38119b12009-01-10 23:31:23 +0000670
671#if defined(POLARSSL_SELF_TEST)
672
673#include <stdio.h>
674
675/*
676 * Camellia test vectors from:
677 *
678 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
679 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
680 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000681 * (For each bitlength: Key 0, Nr 39)
Paul Bakker38119b12009-01-10 23:31:23 +0000682 */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000683#define CAMELLIA_TESTS_ECB 2
Paul Bakker38119b12009-01-10 23:31:23 +0000684
685static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
686{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000687 {
688 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
689 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
690 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
691 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
692 },
693 {
694 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
695 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
696 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
697 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
698 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
699 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
700 },
701 {
702 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
703 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
704 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
705 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
706 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
708 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
709 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
710 },
Paul Bakker38119b12009-01-10 23:31:23 +0000711};
712
713static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
714{
715 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
716 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
717 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
718 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
719};
720
721static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
722{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000723 {
724 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
725 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
726 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
727 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
728 },
729 {
730 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
731 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
732 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
733 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
734 },
735 {
736 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
737 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
738 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
739 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
740 }
Paul Bakker38119b12009-01-10 23:31:23 +0000741};
742
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200743#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000744#define CAMELLIA_TESTS_CBC 3
Paul Bakker38119b12009-01-10 23:31:23 +0000745
746static const unsigned char camellia_test_cbc_key[3][32] =
747{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000748 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
749 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
750 ,
751 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
752 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
753 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
754 ,
755 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
756 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
757 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
758 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Paul Bakker38119b12009-01-10 23:31:23 +0000759};
760
761static const unsigned char camellia_test_cbc_iv[16] =
762
763 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
764 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
765;
766
767static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
768{
769 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
770 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
771 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
772 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
773 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
774 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
775
776};
777
778static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
779{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000780 {
781 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
782 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
783 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
784 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
785 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
786 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
787 },
788 {
789 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
790 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
791 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
792 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
793 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
794 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
795 },
796 {
797 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
798 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
799 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
800 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
801 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
802 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
803 }
Paul Bakker38119b12009-01-10 23:31:23 +0000804};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200805#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000806
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000807#if defined(POLARSSL_CIPHER_MODE_CTR)
808/*
809 * Camellia-CTR test vectors from:
810 *
811 * http://www.faqs.org/rfcs/rfc5528.html
812 */
813
814static const unsigned char camellia_test_ctr_key[3][16] =
815{
816 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
817 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
818 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
819 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
820 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
821 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
822};
823
824static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
825{
826 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
827 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
828 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
829 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
830 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
831 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
832};
833
834static const unsigned char camellia_test_ctr_pt[3][48] =
835{
836 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
837 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
838
839 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
840 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
841 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
842 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
843
844 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
845 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
846 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
847 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
848 0x20, 0x21, 0x22, 0x23 }
849};
850
851static const unsigned char camellia_test_ctr_ct[3][48] =
852{
853 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
854 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
855 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
856 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
857 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
858 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
859 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
860 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
861 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
862 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
863 0xDF, 0x50, 0x86, 0x96 }
864};
865
866static const int camellia_test_ctr_len[3] =
867 { 16, 32, 36 };
868#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker38119b12009-01-10 23:31:23 +0000869
870/*
871 * Checkup routine
872 */
873int camellia_self_test( int verbose )
874{
Paul Bakker026c03b2009-03-28 17:53:03 +0000875 int i, j, u, v;
Paul Bakker38119b12009-01-10 23:31:23 +0000876 unsigned char key[32];
877 unsigned char buf[64];
Paul Bakker38119b12009-01-10 23:31:23 +0000878 unsigned char src[16];
879 unsigned char dst[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200880#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000881 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200882#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000883#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakker1ef71df2011-06-09 14:14:58 +0000884 size_t offset, len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000885 unsigned char nonce_counter[16];
886 unsigned char stream_block[16];
887#endif
888
Paul Bakker38119b12009-01-10 23:31:23 +0000889 camellia_context ctx;
890
891 memset( key, 0, 32 );
892
893 for (j = 0; j < 6; j++) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000894 u = j >> 1;
895 v = j & 1;
Paul Bakker38119b12009-01-10 23:31:23 +0000896
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000897 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100898 polarssl_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
899 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
Paul Bakker38119b12009-01-10 23:31:23 +0000900
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000901 for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
902 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000903
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000904 if (v == CAMELLIA_DECRYPT) {
905 camellia_setkey_dec(&ctx, key, 128 + u * 64);
906 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
907 memcpy(dst, camellia_test_ecb_plain[i], 16);
908 } else { /* CAMELLIA_ENCRYPT */
909 camellia_setkey_enc(&ctx, key, 128 + u * 64);
910 memcpy(src, camellia_test_ecb_plain[i], 16);
911 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
912 }
Paul Bakker38119b12009-01-10 23:31:23 +0000913
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000914 camellia_crypt_ecb(&ctx, v, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000915
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000916 if( memcmp( buf, dst, 16 ) != 0 )
917 {
918 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100919 polarssl_printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000920
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000921 return( 1 );
922 }
923 }
Paul Bakker38119b12009-01-10 23:31:23 +0000924
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000925 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100926 polarssl_printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000927 }
928
929 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100930 polarssl_printf( "\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000931
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200932#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000933 /*
934 * CBC mode
935 */
936 for( j = 0; j < 6; j++ )
937 {
938 u = j >> 1;
939 v = j & 1;
940
941 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100942 polarssl_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
943 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
Paul Bakker38119b12009-01-10 23:31:23 +0000944
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000945 memcpy( src, camellia_test_cbc_iv, 16);
946 memcpy( dst, camellia_test_cbc_iv, 16);
947 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000948
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000949 if (v == CAMELLIA_DECRYPT) {
950 camellia_setkey_dec(&ctx, key, 128 + u * 64);
951 } else {
952 camellia_setkey_enc(&ctx, key, 128 + u * 64);
953 }
Paul Bakker38119b12009-01-10 23:31:23 +0000954
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000955 for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
Paul Bakker38119b12009-01-10 23:31:23 +0000956
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000957 if (v == CAMELLIA_DECRYPT) {
958 memcpy( iv , src, 16 );
959 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
960 memcpy(dst, camellia_test_cbc_plain[i], 16);
961 } else { /* CAMELLIA_ENCRYPT */
962 memcpy( iv , dst, 16 );
963 memcpy(src, camellia_test_cbc_plain[i], 16);
964 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
965 }
Paul Bakker38119b12009-01-10 23:31:23 +0000966
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000967 camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000968
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000969 if( memcmp( buf, dst, 16 ) != 0 )
970 {
971 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100972 polarssl_printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000973
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000974 return( 1 );
975 }
976 }
Paul Bakker38119b12009-01-10 23:31:23 +0000977
978 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100979 polarssl_printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000980 }
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200981#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000982
983 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100984 polarssl_printf( "\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000985
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000986#if defined(POLARSSL_CIPHER_MODE_CTR)
987 /*
988 * CTR mode
989 */
990 for( i = 0; i < 6; i++ )
991 {
992 u = i >> 1;
993 v = i & 1;
994
995 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100996 polarssl_printf( " CAMELLIA-CTR-128 (%s): ",
997 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000998
999 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1000 memcpy( key, camellia_test_ctr_key[u], 16 );
1001
1002 offset = 0;
1003 camellia_setkey_enc( &ctx, key, 128 );
1004
1005 if( v == CAMELLIA_DECRYPT )
1006 {
1007 len = camellia_test_ctr_len[u];
1008 memcpy( buf, camellia_test_ctr_ct[u], len );
1009
1010 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1011
1012 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1013 {
1014 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001015 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001016
1017 return( 1 );
1018 }
1019 }
1020 else
1021 {
1022 len = camellia_test_ctr_len[u];
1023 memcpy( buf, camellia_test_ctr_pt[u], len );
1024
1025 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1026
1027 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1028 {
1029 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001030 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001031
1032 return( 1 );
1033 }
1034 }
1035
1036 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001037 polarssl_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001038 }
1039
1040 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001041 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001042#endif /* POLARSSL_CIPHER_MODE_CTR */
1043
Paul Bakker38119b12009-01-10 23:31:23 +00001044 return ( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +00001045}
1046
1047#endif
1048
1049#endif