blob: 4e63c1764df8b3b0079e626432f7cb4c0bc8a971 [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +00001/*
2 * Camellia implementation
3 *
4 * Copyright (C) 2009 Paul Bakker
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19 */
20/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +000021 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
22 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +000023 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +000024 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +000025 */
26
27#include "polarssl/config.h"
28
29#if defined(POLARSSL_CAMELLIA_C)
30
31#include "polarssl/camellia.h"
32
33#include <string.h>
34
Paul Bakker38119b12009-01-10 23:31:23 +000035/*
36 * 32-bit integer manipulation macros (big endian)
37 */
38#ifndef GET_ULONG_BE
39#define GET_ULONG_BE(n,b,i) \
40{ \
41 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
42 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
43 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
44 | ( (unsigned long) (b)[(i) + 3] ); \
45}
46#endif
47
48#ifndef PUT_ULONG_BE
49#define PUT_ULONG_BE(n,b,i) \
50{ \
51 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
52 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
53 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
54 (b)[(i) + 3] = (unsigned char) ( (n) ); \
55}
56#endif
57
58static const unsigned char SIGMA_CHARS[6][8] =
59{
60 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
61 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
62 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
63 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
64 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
65 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
66};
67
Paul Bakkerc32c6b52009-01-11 21:36:43 +000068/*static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +000069{
70 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
71 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
72 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
73 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
74 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
75 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
76 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
77 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
78 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
79 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
80 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
81 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
82 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
83 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
84 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
85 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
86};
87
88#define SBOX1(n) FSb[(n)]
89#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
90#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerc32c6b52009-01-11 21:36:43 +000091#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]*/
92static const unsigned char FSb[256] =
93{
94 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
95 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
96 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
97 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
98 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
99 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
100 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
101 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
102 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
103 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
104 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
105 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
106 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
107 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
108 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
109 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
110};
111
112static const unsigned char FSb2[256] =
113{
114 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
115 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
116 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
117 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
118 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
119 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
120 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
121 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
122 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
123 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
124 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
125 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
126 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
127 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
128 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
129 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
130};
131
132static const unsigned char FSb3[256] =
133{
134 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
135 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
136 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
137 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
138 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
139 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
140 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
141 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
142 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
143 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
144 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
145 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
146 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
147 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
148 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
149 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
150};
151
152static const unsigned char FSb4[256] =
153{
154 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
155 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
156 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
157 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
158 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
159 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
160 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
161 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
162 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
163 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
164 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
165 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
166 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
167 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
168 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
169 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
170};
171
172#define SBOX1(n) FSb[(n)]
173#define SBOX2(n) FSb2[(n)]
174#define SBOX3(n) FSb3[(n)]
175#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000176
177static const unsigned char shifts[2][4][4] =
178{
179 {
180 { 1, 1, 1, 1 }, /* KL */
181 { 0, 0, 0, 0 }, /* KR */
182 { 1, 1, 1, 1 }, /* KA */
183 { 0, 0, 0, 0 } /* KB */
184 },
185 {
186 { 1, 0, 1, 1 }, /* KL */
187 { 1, 1, 0, 1 }, /* KR */
188 { 1, 1, 1, 0 }, /* KA */
189 { 1, 1, 0, 1 } /* KB */
190 }
191};
192
193static const char indexes[2][4][20] =
194{
195 {
196 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
197 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
198 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
199 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
200 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
201 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
202 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
203 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
204 },
205 {
206 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
207 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
208 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
209 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
210 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
211 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
212 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
213 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
214 }
215};
216
217static const char transposes[2][20] =
218{
219 {
220 21, 22, 23, 20,
221 -1, -1, -1, -1,
222 18, 19, 16, 17,
223 11, 8, 9, 10,
224 15, 12, 13, 14
225 },
226 {
227 25, 26, 27, 24,
228 29, 30, 31, 28,
229 18, 19, 16, 17,
230 -1, -1, -1, -1,
231 -1, -1, -1, -1
232 }
233};
234
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000235/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakker38119b12009-01-10 23:31:23 +0000236#define ROTL(DEST, SRC, SHIFT) \
237{ \
238 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
239 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
240 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
241 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
242}
243
244#define FL(XL, XR, KL, KR) \
245{ \
246 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
247 (XL) = ((XR) | (KR)) ^ (XL); \
248}
249
250#define FLInv(YL, YR, KL, KR) \
251{ \
252 (YL) = ((YR) | (KR)) ^ (YL); \
253 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
254}
255
256#define SHIFT_AND_PLACE(INDEX, OFFSET) \
257{ \
258 TK[0] = KC[(OFFSET) * 4 + 0]; \
259 TK[1] = KC[(OFFSET) * 4 + 1]; \
260 TK[2] = KC[(OFFSET) * 4 + 2]; \
261 TK[3] = KC[(OFFSET) * 4 + 3]; \
262 \
263 for ( i = 1; i <= 4; i++ ) \
264 if (shifts[(INDEX)][(OFFSET)][i -1]) \
265 ROTL(TK + i * 4, TK, (15 * i) % 32); \
266 \
267 for ( i = 0; i < 20; i++ ) \
268 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
269 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
270 } \
271}
272
273void camellia_feistel(unsigned long x[2], unsigned long k[2], unsigned long z[2])
274{
275 unsigned char t[8];
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000276 unsigned long I0, I1;
277 I0 = x[0] ^ k[0];
278 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000279
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000280 I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
281 (SBOX2((I0 >> 16) & 0xFF) << 16) |
282 (SBOX3((I0 >> 8) & 0xFF) << 8) |
283 (SBOX4((I0 ) & 0xFF) );
284 I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
285 (SBOX3((I1 >> 16) & 0xFF) << 16) |
286 (SBOX4((I1 >> 8) & 0xFF) << 8) |
287 (SBOX1((I1 ) & 0xFF) );
Paul Bakker38119b12009-01-10 23:31:23 +0000288
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000289 I0 ^= (I1 << 8) | (I1 >> 24);
290 I1 ^= (I0 << 16) | (I0 >> 16);
291 I0 ^= (I1 >> 8) | (I1 << 24);
292 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000293
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000294 z[0] ^= I1;
295 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000296}
297
298/*
299 * Camellia key schedule (encryption)
300 */
301void camellia_setkey_enc( camellia_context *ctx, unsigned char *key, int keysize )
302{
303 int i, idx;
304 unsigned long *RK;
305 unsigned char t[64];
306
307 RK = ctx->rk;
308
309 memset(t, 0, 64);
310 memset(RK, 0, sizeof(ctx->rk));
311
312 switch( keysize )
313 {
314 case 128: ctx->nr = 3; idx = 0; break;
315 case 192:
316 case 256: ctx->nr = 4; idx = 1; break;
317 default : return;
318 }
319
320 for( i = 0; i < keysize / 8; ++i)
321 t[i] = key[i];
322
323 if (keysize == 192) {
324 for (i = 0; i < 8; i++)
325 t[24 + i] = ~t[16 + i];
326 }
327
Paul Bakker38119b12009-01-10 23:31:23 +0000328 /*
329 * Prepare SIGMA values
330 */
331 unsigned long SIGMA[6][2];
332 for (i = 0; i < 6; i++) {
333 GET_ULONG_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
334 GET_ULONG_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
335 }
336
337 /*
338 * Key storage in KC
339 * Order: KL, KR, KA, KB
340 */
341 unsigned long KC[16];
342 memset(KC, 0, sizeof(KC));
343
344 /* Store KL, KR */
345 for (i = 0; i < 8; i++)
346 GET_ULONG_BE(KC[i], t, i * 4);
347
348 /* Generate KA */
349 for( i = 0; i < 4; ++i)
350 KC[8 + i] = KC[i] ^ KC[4 + i];
351
352 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
353 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
354
355 for( i = 0; i < 4; ++i)
356 KC[8 + i] ^= KC[i];
357
358 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
359 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
360
361 if (keysize > 128) {
362 /* Generate KB */
363 for( i = 0; i < 4; ++i)
364 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
365
366 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
367 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
368 }
369
370 /*
371 * Generating subkeys
372 */
373 unsigned long TK[20];
374
375 /* Manipulating KL */
376 SHIFT_AND_PLACE(idx, 0);
377
378 /* Manipulating KR */
379 if (keysize > 128) {
380 SHIFT_AND_PLACE(idx, 1);
381 }
382
383 /* Manipulating KA */
384 SHIFT_AND_PLACE(idx, 2);
385
386 /* Manipulating KB */
387 if (keysize > 128) {
388 SHIFT_AND_PLACE(idx, 3);
389 }
390
391 /* Do transpositions */
392 for ( i = 0; i < 20; i++ ) {
393 if (transposes[idx][i] != -1) {
394 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
395 }
396 }
Paul Bakker38119b12009-01-10 23:31:23 +0000397}
398
399/*
400 * Camellia key schedule (decryption)
401 */
402void camellia_setkey_dec( camellia_context *ctx, unsigned char *key, int keysize )
403{
404 int i, idx;
405 camellia_context cty;
406 unsigned long *RK;
407 unsigned long *SK;
408
409 switch( keysize )
410 {
411 case 128: ctx->nr = 3; idx = 0; break;
412 case 192:
413 case 256: ctx->nr = 4; idx = 1; break;
414 default : return;
415 }
416
417 RK = ctx->rk;
418
419 camellia_setkey_enc(&cty, key, keysize);
420
421 SK = cty.rk + 24 * 2 + 8 * idx * 2;
422
423 *RK++ = *SK++;
424 *RK++ = *SK++;
425 *RK++ = *SK++;
426 *RK++ = *SK++;
427
428 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
429 {
430 *RK++ = *SK++;
431 *RK++ = *SK++;
432 }
433
434 SK -= 2;
435
436 *RK++ = *SK++;
437 *RK++ = *SK++;
438 *RK++ = *SK++;
439 *RK++ = *SK++;
440
441 memset( &cty, 0, sizeof( camellia_context ) );
Paul Bakker38119b12009-01-10 23:31:23 +0000442}
443
444/*
445 * Camellia-ECB block encryption/decryption
446 */
447void camellia_crypt_ecb( camellia_context *ctx,
448 int mode,
449 unsigned char input[16],
450 unsigned char output[16] )
451{
452 int i, NR;
453 unsigned long *RK, X[4], Y[4], T;
454
455 NR = ctx->nr;
456 RK = ctx->rk;
457
Paul Bakker38119b12009-01-10 23:31:23 +0000458 GET_ULONG_BE( X[0], input, 0 );
459 GET_ULONG_BE( X[1], input, 4 );
460 GET_ULONG_BE( X[2], input, 8 );
461 GET_ULONG_BE( X[3], input, 12 );
462
463 X[0] ^= *RK++;
464 X[1] ^= *RK++;
465 X[2] ^= *RK++;
466 X[3] ^= *RK++;
467
468 while (NR) {
469 --NR;
470 camellia_feistel(X, RK, X + 2);
471 RK += 2;
472 camellia_feistel(X + 2, RK, X);
473 RK += 2;
474 camellia_feistel(X, RK, X + 2);
475 RK += 2;
476 camellia_feistel(X + 2, RK, X);
477 RK += 2;
478 camellia_feistel(X, RK, X + 2);
479 RK += 2;
480 camellia_feistel(X + 2, RK, X);
481 RK += 2;
482
483 if (NR) {
484 FL(X[0], X[1], RK[0], RK[1]);
485 RK += 2;
486 FLInv(X[2], X[3], RK[0], RK[1]);
487 RK += 2;
488 }
489 }
490
491 X[2] ^= *RK++;
492 X[3] ^= *RK++;
493 X[0] ^= *RK++;
494 X[1] ^= *RK++;
495
496 PUT_ULONG_BE( X[2], output, 0 );
497 PUT_ULONG_BE( X[3], output, 4 );
498 PUT_ULONG_BE( X[0], output, 8 );
499 PUT_ULONG_BE( X[1], output, 12 );
500}
501
502/*
503 * Camellia-CBC buffer encryption/decryption
504 */
505void camellia_crypt_cbc( camellia_context *ctx,
506 int mode,
507 int length,
508 unsigned char iv[16],
509 unsigned char *input,
510 unsigned char *output )
511{
512 int i;
513 unsigned char temp[16];
514
515 if( mode == CAMELLIA_DECRYPT )
516 {
517 while( length > 0 )
518 {
519 memcpy( temp, input, 16 );
520 camellia_crypt_ecb( ctx, mode, input, output );
521
522 for( i = 0; i < 16; i++ )
523 output[i] = (unsigned char)( output[i] ^ iv[i] );
524
525 memcpy( iv, temp, 16 );
526
527 input += 16;
528 output += 16;
529 length -= 16;
530 }
531 }
532 else
533 {
534 while( length > 0 )
535 {
536 for( i = 0; i < 16; i++ )
537 output[i] = (unsigned char)( input[i] ^ iv[i] );
538
539 camellia_crypt_ecb( ctx, mode, output, output );
540 memcpy( iv, output, 16 );
541
542 input += 16;
543 output += 16;
544 length -= 16;
545 }
546 }
547}
548
549/*
550 * Camellia-CFB128 buffer encryption/decryption
551 */
552void camellia_crypt_cfb128( camellia_context *ctx,
553 int mode,
554 int length,
555 int *iv_off,
556 unsigned char iv[16],
557 unsigned char *input,
558 unsigned char *output )
559{
560 int c, n = *iv_off;
561
562 if( mode == CAMELLIA_DECRYPT )
563 {
564 while( length-- )
565 {
566 if( n == 0 )
567 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
568
569 c = *input++;
570 *output++ = (unsigned char)( c ^ iv[n] );
571 iv[n] = (unsigned char) c;
572
573 n = (n + 1) & 0x0F;
574 }
575 }
576 else
577 {
578 while( length-- )
579 {
580 if( n == 0 )
581 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
582
583 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
584
585 n = (n + 1) & 0x0F;
586 }
587 }
588
589 *iv_off = n;
590}
591
592#if defined(POLARSSL_SELF_TEST)
593
594#include <stdio.h>
595
596/*
597 * Camellia test vectors from:
598 *
599 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
600 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
601 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
602 * (For each bitlength: Key 0, Nr 39)
603 */
604#define CAMELLIA_TESTS_ECB 2
605
606static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
607{
608 {
609 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
610 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
611 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
612 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
613 },
614 {
615 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
616 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
617 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
618 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
619 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
620 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
621 },
622 {
623 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
624 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
625 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
626 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
627 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
628 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
629 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
630 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
631 },
632};
633
634static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
635{
636 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
637 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
638 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
639 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
640};
641
642static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
643{
644 {
645 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
646 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
647 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
648 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
649 },
650 {
651 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
652 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
653 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
654 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
655 },
656 {
657 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
658 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
659 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
660 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
661 }
662};
663
664#define CAMELLIA_TESTS_CBC 3
665
666static const unsigned char camellia_test_cbc_key[3][32] =
667{
668 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
669 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
670 ,
671 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
672 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
673 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
674 ,
675 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
676 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
677 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
678 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
679};
680
681static const unsigned char camellia_test_cbc_iv[16] =
682
683 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
684 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
685;
686
687static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
688{
689 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
690 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
691 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
692 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
693 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
694 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
695
696};
697
698static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
699{
700 {
701 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
702 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
703 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
704 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
705 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
706 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
707 },
708 {
709 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
710 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
711 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
712 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
713 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
714 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
715 },
716 {
717 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
718 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
719 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
720 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
721 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
722 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
723 }
724};
725
726
727/*
728 * Checkup routine
729 */
730int camellia_self_test( int verbose )
731{
732 int i, j, u, v, offset;
733 unsigned char key[32];
734 unsigned char buf[64];
735 unsigned char prv[16];
736 unsigned char src[16];
737 unsigned char dst[16];
738 unsigned char iv[16];
739 camellia_context ctx;
740
741 memset( key, 0, 32 );
742
743 for (j = 0; j < 6; j++) {
744 u = j >> 1;
745 v = j & 1;
746
747 if( verbose != 0 )
748 printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
749 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
750
751 for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
752 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
753
754 if (v == CAMELLIA_DECRYPT) {
755 camellia_setkey_dec(&ctx, key, 128 + u * 64);
756 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
757 memcpy(dst, camellia_test_ecb_plain[i], 16);
758 } else { /* CAMELLIA_ENCRYPT */
759 camellia_setkey_enc(&ctx, key, 128 + u * 64);
760 memcpy(src, camellia_test_ecb_plain[i], 16);
761 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
762 }
763
764 camellia_crypt_ecb(&ctx, v, src, buf);
765
766 if( memcmp( buf, dst, 16 ) != 0 )
767 {
768 if( verbose != 0 )
769 printf( "failed\n" );
770
771 return( 1 );
772 }
773 }
774
775 if( verbose != 0 )
776 printf( "passed\n" );
777 }
778
779 if( verbose != 0 )
780 printf( "\n" );
781
782 /*
783 * CBC mode
784 */
785 for( j = 0; j < 6; j++ )
786 {
787 u = j >> 1;
788 v = j & 1;
789
790 if( verbose != 0 )
791 printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
792 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
793
794 memcpy( src, camellia_test_cbc_iv, 16);
795 memcpy( dst, camellia_test_cbc_iv, 16);
796 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
797
798 if (v == CAMELLIA_DECRYPT) {
799 camellia_setkey_dec(&ctx, key, 128 + u * 64);
800 } else {
801 camellia_setkey_enc(&ctx, key, 128 + u * 64);
802 }
803
804 for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
805
806 if (v == CAMELLIA_DECRYPT) {
807 memcpy( iv , src, 16 );
808 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
809 memcpy(dst, camellia_test_cbc_plain[i], 16);
810 } else { /* CAMELLIA_ENCRYPT */
811 memcpy( iv , dst, 16 );
812 memcpy(src, camellia_test_cbc_plain[i], 16);
813 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
814 }
815
816 camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
817
818 if( memcmp( buf, dst, 16 ) != 0 )
819 {
820 if( verbose != 0 )
821 printf( "failed\n" );
822
823 return( 1 );
824 }
825 }
826
827 if( verbose != 0 )
828 printf( "passed\n" );
829 }
830
831 if( verbose != 0 )
832 printf( "\n" );
833
834 return ( 0 );
835
836 /*
837 * CFB128 mode
838 */
839 /*
840 for( i = 0; i < 6; i++ )
841 {
842 u = i >> 1;
843 v = i & 1;
844
845 if( verbose != 0 )
846 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
847 ( v == AES_DECRYPT ) ? "dec" : "enc" );
848
849 memcpy( iv, aes_test_cfb128_iv, 16 );
850 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
851
852 offset = 0;
853 aes_setkey_enc( &ctx, key, 128 + u * 64 );
854
855 if( v == AES_DECRYPT )
856 {
857 memcpy( buf, aes_test_cfb128_ct[u], 64 );
858 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
859
860 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
861 {
862 if( verbose != 0 )
863 printf( "failed\n" );
864
865 return( 1 );
866 }
867 }
868 else
869 {
870 memcpy( buf, aes_test_cfb128_pt, 64 );
871 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
872
873 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
874 {
875 if( verbose != 0 )
876 printf( "failed\n" );
877
878 return( 1 );
879 }
880 }
881
882 if( verbose != 0 )
883 printf( "passed\n" );
884 }
885
886
887 if( verbose != 0 )
888 printf( "\n" );
889
890 return( 0 ); */
891}
892
893#endif
894
895#endif