TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / f3ccc681001b8bc3a74e060597203a682072d6f6 / . / library / camellia.c
blob: 7656084673e430bd40e251a92eea484a1981ec7a [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]1/*
2 * Camellia implementation
3 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]4 * Copyright (C) 2006-2009, Paul Bakker <polarssl_maintainer at polarssl.org>
5 * All rights reserved.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 */
21/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]22 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
23 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]24 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]25 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]26 */
27
28#include "polarssl/config.h"
29
30#if defined(POLARSSL_CAMELLIA_C)
31
32#include "polarssl/camellia.h"
33
34#include <string.h>
35
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]36/*
37 * 32-bit integer manipulation macros (big endian)
38 */
39#ifndef GET_ULONG_BE
40#define GET_ULONG_BE(n,b,i) \
41{ \
42 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]43 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
44 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
45 | ( (unsigned long) (b)[(i) + 3] ); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]46}
47#endif
48
49#ifndef PUT_ULONG_BE
50#define PUT_ULONG_BE(n,b,i) \
51{ \
52 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
53 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
54 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
55 (b)[(i) + 3] = (unsigned char) ( (n) ); \
56}
57#endif
58
59static const unsigned char SIGMA_CHARS[6][8] =
60{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]61 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
62 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
63 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
64 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
65 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
66 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]67};
68
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]69#ifdef POLARSSL_CAMELLIA_SMALL_MEMORY
70
71static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]72{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]73 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
74 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
75 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
76 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
77 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
78 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
79 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
80 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
81 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
82 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
83 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
84 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
85 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
86 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
87 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
88 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]89};
90
91#define SBOX1(n) FSb[(n)]
92#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
93#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]94#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
95
96#else
97
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]98static const unsigned char FSb[256] =
99{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]100 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
101 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
102 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
103 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
104 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
105 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
106 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
107 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
108 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
109 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
110 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
111 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
112 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
113 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
114 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
115 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]116};
117
118static const unsigned char FSb2[256] =
119{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]120 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
121 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
122 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
123 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
124 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
125 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
126 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
127 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
128 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
129 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
130 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
131 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
132 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
133 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
134 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
135 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]136};
137
138static const unsigned char FSb3[256] =
139{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]140 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
141 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
142 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
143 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
144 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
145 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
146 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
147 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
148 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
149 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
150 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
151 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
152 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
153 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
154 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
155 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]156};
157
158static const unsigned char FSb4[256] =
159{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]160 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
161 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
162 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
163 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
164 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
165 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
166 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
167 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
168 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
169 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
170 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
171 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
172 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
173 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
174 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
175 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]176};
177
178#define SBOX1(n) FSb[(n)]
179#define SBOX2(n) FSb2[(n)]
180#define SBOX3(n) FSb3[(n)]
181#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]182
Paul Bakkerfa049db2009-01-12 22:12:03 +0000[diff] [blame]183#endif
184
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]185static const unsigned char shifts[2][4][4] =
186{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]187 {
188 { 1, 1, 1, 1 }, /* KL */
189 { 0, 0, 0, 0 }, /* KR */
190 { 1, 1, 1, 1 }, /* KA */
191 { 0, 0, 0, 0 } /* KB */
192 },
193 {
194 { 1, 0, 1, 1 }, /* KL */
195 { 1, 1, 0, 1 }, /* KR */
196 { 1, 1, 1, 0 }, /* KA */
197 { 1, 1, 0, 1 } /* KB */
198 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]199};
200
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]201static const signed char indexes[2][4][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]202{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]203 {
204 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
205 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
206 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
207 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
208 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
209 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
210 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
211 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
212 },
213 {
214 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
215 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
216 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
217 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
218 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
219 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
220 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
221 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
222 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]223};
224
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]225static const signed char transposes[2][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]226{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]227 {
228 21, 22, 23, 20,
229 -1, -1, -1, -1,
230 18, 19, 16, 17,
231 11, 8, 9, 10,
232 15, 12, 13, 14
233 },
234 {
235 25, 26, 27, 24,
236 29, 30, 31, 28,
237 18, 19, 16, 17,
238 -1, -1, -1, -1,
239 -1, -1, -1, -1
240 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]241};
242
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000[diff] [blame]243/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]244#define ROTL(DEST, SRC, SHIFT) \
245{ \
246 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
247 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
248 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
249 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]250}
251
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]252#define FL(XL, XR, KL, KR) \
253{ \
254 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
255 (XL) = ((XR) | (KR)) ^ (XL); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]256}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]257
258#define FLInv(YL, YR, KL, KR) \
259{ \
260 (YL) = ((YR) | (KR)) ^ (YL); \
261 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]262}
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]263
264#define SHIFT_AND_PLACE(INDEX, OFFSET) \
265{ \
266 TK[0] = KC[(OFFSET) * 4 + 0]; \
267 TK[1] = KC[(OFFSET) * 4 + 1]; \
268 TK[2] = KC[(OFFSET) * 4 + 2]; \
269 TK[3] = KC[(OFFSET) * 4 + 3]; \
270 \
271 for ( i = 1; i <= 4; i++ ) \
272 if (shifts[(INDEX)][(OFFSET)][i -1]) \
273 ROTL(TK + i * 4, TK, (15 * i) % 32); \
274 \
275 for ( i = 0; i < 20; i++ ) \
276 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
277 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
278 } \
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]279}
280
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]281static void camellia_feistel(const uint32_t x[2], const uint32_t k[2], uint32_t z[2])
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]282{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]283 uint32_t I0, I1;
284 I0 = x[0] ^ k[0];
285 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]286
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]287 I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
288 (SBOX2((I0 >> 16) & 0xFF) << 16) |
289 (SBOX3((I0 >> 8) & 0xFF) << 8) |
290 (SBOX4((I0 ) & 0xFF) );
291 I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
292 (SBOX3((I1 >> 16) & 0xFF) << 16) |
293 (SBOX4((I1 >> 8) & 0xFF) << 8) |
294 (SBOX1((I1 ) & 0xFF) );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]295
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]296 I0 ^= (I1 << 8) | (I1 >> 24);
297 I1 ^= (I0 << 16) | (I0 >> 16);
298 I0 ^= (I1 >> 8) | (I1 << 24);
299 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]300
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]301 z[0] ^= I1;
302 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]303}
304
305/*
306 * Camellia key schedule (encryption)
307 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]308int camellia_setkey_enc( camellia_context *ctx, const unsigned char *key, int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]309{
310 int i, idx;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]311 uint32_t *RK;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]312 unsigned char t[64];
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]313 uint32_t SIGMA[6][2];
314 uint32_t KC[16];
315 uint32_t TK[20];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]316
317 RK = ctx->rk;
318
319 memset(t, 0, 64);
320 memset(RK, 0, sizeof(ctx->rk));
321
322 switch( keysize )
323 {
324 case 128: ctx->nr = 3; idx = 0; break;
325 case 192:
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]326 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]327 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]328 }
329
330 for( i = 0; i < keysize / 8; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]331 t[i] = key[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]332
333 if (keysize == 192) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]334 for (i = 0; i < 8; i++)
335 t[24 + i] = ~t[16 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]336 }
337
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]338 /*
339 * Prepare SIGMA values
340 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]341 for (i = 0; i < 6; i++) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]342 GET_ULONG_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
343 GET_ULONG_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]344 }
345
346 /*
347 * Key storage in KC
348 * Order: KL, KR, KA, KB
349 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]350 memset(KC, 0, sizeof(KC));
351
352 /* Store KL, KR */
353 for (i = 0; i < 8; i++)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]354 GET_ULONG_BE(KC[i], t, i * 4);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]355
356 /* Generate KA */
357 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]358 KC[8 + i] = KC[i] ^ KC[4 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]359
360 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
361 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
362
363 for( i = 0; i < 4; ++i)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]364 KC[8 + i] ^= KC[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]365
366 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
367 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
368
369 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]370 /* Generate KB */
371 for( i = 0; i < 4; ++i)
372 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]373
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]374 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
375 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]376 }
377
378 /*
379 * Generating subkeys
380 */
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]381
382 /* Manipulating KL */
383 SHIFT_AND_PLACE(idx, 0);
384
385 /* Manipulating KR */
386 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]387 SHIFT_AND_PLACE(idx, 1);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]388 }
389
390 /* Manipulating KA */
391 SHIFT_AND_PLACE(idx, 2);
392
393 /* Manipulating KB */
394 if (keysize > 128) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]395 SHIFT_AND_PLACE(idx, 3);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]396 }
397
398 /* Do transpositions */
399 for ( i = 0; i < 20; i++ ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]400 if (transposes[idx][i] != -1) {
401 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
402 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]403 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]404
405 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]406}
407
408/*
409 * Camellia key schedule (decryption)
410 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]411int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key, int keysize )
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]412{
413 int i, idx;
414 camellia_context cty;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]415 uint32_t *RK;
416 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]417 int ret;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]418
419 switch( keysize )
420 {
421 case 128: ctx->nr = 3; idx = 0; break;
422 case 192:
423 case 256: ctx->nr = 4; idx = 1; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]424 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]425 }
426
427 RK = ctx->rk;
428
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]429 ret = camellia_setkey_enc(&cty, key, keysize);
430 if( ret != 0 )
431 return( ret );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]432
433 SK = cty.rk + 24 * 2 + 8 * idx * 2;
434
435 *RK++ = *SK++;
436 *RK++ = *SK++;
437 *RK++ = *SK++;
438 *RK++ = *SK++;
439
440 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
441 {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]442 *RK++ = *SK++;
443 *RK++ = *SK++;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]444 }
445
446 SK -= 2;
447
448 *RK++ = *SK++;
449 *RK++ = *SK++;
450 *RK++ = *SK++;
451 *RK++ = *SK++;
452
453 memset( &cty, 0, sizeof( camellia_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]454
455 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]456}
457
458/*
459 * Camellia-ECB block encryption/decryption
460 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]461int camellia_crypt_ecb( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]462 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]463 const unsigned char input[16],
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]464 unsigned char output[16] )
465{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]466 int NR;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]467 uint32_t *RK, X[4];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]468
Paul Bakkerc2547b02009-07-20 20:40:52 +0000[diff] [blame]469 ( (void) mode );
470
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]471 NR = ctx->nr;
472 RK = ctx->rk;
473
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]474 GET_ULONG_BE( X[0], input, 0 );
475 GET_ULONG_BE( X[1], input, 4 );
476 GET_ULONG_BE( X[2], input, 8 );
477 GET_ULONG_BE( X[3], input, 12 );
478
479 X[0] ^= *RK++;
480 X[1] ^= *RK++;
481 X[2] ^= *RK++;
482 X[3] ^= *RK++;
483
484 while (NR) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]485 --NR;
486 camellia_feistel(X, RK, X + 2);
487 RK += 2;
488 camellia_feistel(X + 2, RK, X);
489 RK += 2;
490 camellia_feistel(X, RK, X + 2);
491 RK += 2;
492 camellia_feistel(X + 2, RK, X);
493 RK += 2;
494 camellia_feistel(X, RK, X + 2);
495 RK += 2;
496 camellia_feistel(X + 2, RK, X);
497 RK += 2;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]498
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]499 if (NR) {
500 FL(X[0], X[1], RK[0], RK[1]);
501 RK += 2;
502 FLInv(X[2], X[3], RK[0], RK[1]);
503 RK += 2;
504 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]505 }
506
507 X[2] ^= *RK++;
508 X[3] ^= *RK++;
509 X[0] ^= *RK++;
510 X[1] ^= *RK++;
511
512 PUT_ULONG_BE( X[2], output, 0 );
513 PUT_ULONG_BE( X[3], output, 4 );
514 PUT_ULONG_BE( X[0], output, 8 );
515 PUT_ULONG_BE( X[1], output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]516
517 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]518}
519
520/*
521 * Camellia-CBC buffer encryption/decryption
522 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]523int camellia_crypt_cbc( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]524 int mode,
525 int length,
526 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]527 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]528 unsigned char *output )
529{
530 int i;
531 unsigned char temp[16];
532
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]533 if( length % 16 )
534 return( POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
535
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]536 if( mode == CAMELLIA_DECRYPT )
537 {
538 while( length > 0 )
539 {
540 memcpy( temp, input, 16 );
541 camellia_crypt_ecb( ctx, mode, input, output );
542
543 for( i = 0; i < 16; i++ )
544 output[i] = (unsigned char)( output[i] ^ iv[i] );
545
546 memcpy( iv, temp, 16 );
547
548 input += 16;
549 output += 16;
550 length -= 16;
551 }
552 }
553 else
554 {
555 while( length > 0 )
556 {
557 for( i = 0; i < 16; i++ )
558 output[i] = (unsigned char)( input[i] ^ iv[i] );
559
560 camellia_crypt_ecb( ctx, mode, output, output );
561 memcpy( iv, output, 16 );
562
563 input += 16;
564 output += 16;
565 length -= 16;
566 }
567 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]568
569 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]570}
571
572/*
573 * Camellia-CFB128 buffer encryption/decryption
574 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]575int camellia_crypt_cfb128( camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]576 int mode,
577 int length,
578 int *iv_off,
579 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]580 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]581 unsigned char *output )
582{
583 int c, n = *iv_off;
584
585 if( mode == CAMELLIA_DECRYPT )
586 {
587 while( length-- )
588 {
589 if( n == 0 )
590 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
591
592 c = *input++;
593 *output++ = (unsigned char)( c ^ iv[n] );
594 iv[n] = (unsigned char) c;
595
596 n = (n + 1) & 0x0F;
597 }
598 }
599 else
600 {
601 while( length-- )
602 {
603 if( n == 0 )
604 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
605
606 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
607
608 n = (n + 1) & 0x0F;
609 }
610 }
611
612 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]613
614 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]615}
616
617#if defined(POLARSSL_SELF_TEST)
618
619#include <stdio.h>
620
621/*
622 * Camellia test vectors from:
623 *
624 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
625 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
626 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]627 * (For each bitlength: Key 0, Nr 39)
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]628 */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]629#define CAMELLIA_TESTS_ECB 2
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]630
631static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
632{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]633 {
634 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
635 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
636 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
637 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
638 },
639 {
640 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
641 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
642 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
643 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
644 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
645 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
646 },
647 {
648 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
649 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
650 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
651 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
652 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
653 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
654 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
655 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
656 },
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]657};
658
659static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
660{
661 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
662 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
663 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
664 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
665};
666
667static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
668{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]669 {
670 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
671 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
672 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
673 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
674 },
675 {
676 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
677 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
678 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
679 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
680 },
681 {
682 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
683 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
684 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
685 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
686 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]687};
688
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]689#define CAMELLIA_TESTS_CBC 3
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]690
691static const unsigned char camellia_test_cbc_key[3][32] =
692{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]693 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
694 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
695 ,
696 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
697 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
698 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
699 ,
700 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
701 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
702 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
703 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]704};
705
706static const unsigned char camellia_test_cbc_iv[16] =
707
708 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
709 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
710;
711
712static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
713{
714 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
715 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
716 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
717 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
718 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
719 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
720
721};
722
723static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
724{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]725 {
726 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
727 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
728 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
729 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
730 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
731 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
732 },
733 {
734 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
735 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
736 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
737 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
738 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
739 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
740 },
741 {
742 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
743 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
744 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
745 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
746 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
747 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
748 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]749};
750
751
752/*
753 * Checkup routine
754 */
755int camellia_self_test( int verbose )
756{
Paul Bakker026c03b2009-03-28 17:53:03 +0000[diff] [blame]757 int i, j, u, v;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]758 unsigned char key[32];
759 unsigned char buf[64];
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]760 unsigned char src[16];
761 unsigned char dst[16];
762 unsigned char iv[16];
763 camellia_context ctx;
764
765 memset( key, 0, 32 );
766
767 for (j = 0; j < 6; j++) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]768 u = j >> 1;
769 v = j & 1;
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]770
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]771 if( verbose != 0 )
772 printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
773 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]774
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]775 for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
776 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]777
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]778 if (v == CAMELLIA_DECRYPT) {
779 camellia_setkey_dec(&ctx, key, 128 + u * 64);
780 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
781 memcpy(dst, camellia_test_ecb_plain[i], 16);
782 } else { /* CAMELLIA_ENCRYPT */
783 camellia_setkey_enc(&ctx, key, 128 + u * 64);
784 memcpy(src, camellia_test_ecb_plain[i], 16);
785 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
786 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]787
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]788 camellia_crypt_ecb(&ctx, v, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]789
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]790 if( memcmp( buf, dst, 16 ) != 0 )
791 {
792 if( verbose != 0 )
793 printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]794
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]795 return( 1 );
796 }
797 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]798
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]799 if( verbose != 0 )
800 printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]801 }
802
803 if( verbose != 0 )
804 printf( "\n" );
805
806 /*
807 * CBC mode
808 */
809 for( j = 0; j < 6; j++ )
810 {
811 u = j >> 1;
812 v = j & 1;
813
814 if( verbose != 0 )
815 printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
816 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
817
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]818 memcpy( src, camellia_test_cbc_iv, 16);
819 memcpy( dst, camellia_test_cbc_iv, 16);
820 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]821
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]822 if (v == CAMELLIA_DECRYPT) {
823 camellia_setkey_dec(&ctx, key, 128 + u * 64);
824 } else {
825 camellia_setkey_enc(&ctx, key, 128 + u * 64);
826 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]827
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]828 for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]829
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]830 if (v == CAMELLIA_DECRYPT) {
831 memcpy( iv , src, 16 );
832 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
833 memcpy(dst, camellia_test_cbc_plain[i], 16);
834 } else { /* CAMELLIA_ENCRYPT */
835 memcpy( iv , dst, 16 );
836 memcpy(src, camellia_test_cbc_plain[i], 16);
837 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
838 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]839
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]840 camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]841
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]842 if( memcmp( buf, dst, 16 ) != 0 )
843 {
844 if( verbose != 0 )
845 printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]846
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000[diff] [blame]847 return( 1 );
848 }
849 }
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]850
851 if( verbose != 0 )
852 printf( "passed\n" );
853 }
854
855 if( verbose != 0 )
856 printf( "\n" );
857
858 return ( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000[diff] [blame]859}
860
861#endif
862
863#endif