1 /*
2 * Camellia implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
9 * Corporation.
10 *
11 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
12 */
13
14 #include "common.h"
15
16 #if defined(MBEDTLS_CAMELLIA_C)
17
18 #include "mbedtls/camellia.h"
19 #include "mbedtls/platform_util.h"
20
21 #include <string.h>
22
23 #include "mbedtls/platform.h"
24
25 #if !defined(MBEDTLS_CAMELLIA_ALT)
26
27 static const unsigned char SIGMA_CHARS[6][8] =
28 {
29 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
30 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
31 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
32 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
33 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
34 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
35 };
36
37 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
38
39 static const unsigned char FSb[256] =
40 {
41 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
42 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
43 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
44 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
45 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
46 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
47 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
48 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
49 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
50 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
51 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
52 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
53 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
54 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
55 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
56 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
57 };
58
59 #define SBOX1(n) FSb[(n)]
60 #define SBOX2(n) (unsigned char) ((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
61 #define SBOX3(n) (unsigned char) ((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
62 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
63
64 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
65
66 static const unsigned char FSb[256] =
67 {
68 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
69 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
70 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
71 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
72 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
73 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
74 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
75 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
76 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
77 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
78 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
79 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
80 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
81 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
82 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
83 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
84 };
85
86 static const unsigned char FSb2[256] =
87 {
88 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
89 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
90 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
91 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
92 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
93 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
94 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
95 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
96 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
97 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
98 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
99 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
100 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
101 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
102 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
103 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
104 };
105
106 static const unsigned char FSb3[256] =
107 {
108 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
109 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
110 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
111 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
112 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
113 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
114 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
115 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
116 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
117 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
118 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
119 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
120 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
121 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
122 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
123 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
124 };
125
126 static const unsigned char FSb4[256] =
127 {
128 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
129 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
130 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
131 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
132 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
133 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
134 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
135 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
136 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
137 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
138 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
139 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
140 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
141 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
142 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
143 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
144 };
145
146 #define SBOX1(n) FSb[(n)]
147 #define SBOX2(n) FSb2[(n)]
148 #define SBOX3(n) FSb3[(n)]
149 #define SBOX4(n) FSb4[(n)]
150
151 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
152
153 static const unsigned char shifts[2][4][4] =
154 {
155 {
156 { 1, 1, 1, 1 }, /* KL */
157 { 0, 0, 0, 0 }, /* KR */
158 { 1, 1, 1, 1 }, /* KA */
159 { 0, 0, 0, 0 } /* KB */
160 },
161 {
162 { 1, 0, 1, 1 }, /* KL */
163 { 1, 1, 0, 1 }, /* KR */
164 { 1, 1, 1, 0 }, /* KA */
165 { 1, 1, 0, 1 } /* KB */
166 }
167 };
168
169 static const signed char indexes[2][4][20] =
170 {
171 {
172 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
173 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
174 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
175 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
176 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
177 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
178 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
179 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
180 },
181 {
182 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
183 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
184 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
185 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
186 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
187 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
188 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
189 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
190 }
191 };
192
193 static const signed char transposes[2][20] =
194 {
195 {
196 21, 22, 23, 20,
197 -1, -1, -1, -1,
198 18, 19, 16, 17,
199 11, 8, 9, 10,
200 15, 12, 13, 14
201 },
202 {
203 25, 26, 27, 24,
204 29, 30, 31, 28,
205 18, 19, 16, 17,
206 -1, -1, -1, -1,
207 -1, -1, -1, -1
208 }
209 };
210
211 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
212 #define ROTL(DEST, SRC, SHIFT) \
213 { \
214 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
215 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
216 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
217 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
218 }
219
220 #define FL(XL, XR, KL, KR) \
221 { \
222 (XR) = ((((XL) &(KL)) << 1) | (((XL) &(KL)) >> 31)) ^ (XR); \
223 (XL) = ((XR) | (KR)) ^ (XL); \
224 }
225
226 #define FLInv(YL, YR, KL, KR) \
227 { \
228 (YL) = ((YR) | (KR)) ^ (YL); \
229 (YR) = ((((YL) &(KL)) << 1) | (((YL) &(KL)) >> 31)) ^ (YR); \
230 }
231
232 #define SHIFT_AND_PLACE(INDEX, OFFSET) \
233 { \
234 TK[0] = KC[(OFFSET) * 4 + 0]; \
235 TK[1] = KC[(OFFSET) * 4 + 1]; \
236 TK[2] = KC[(OFFSET) * 4 + 2]; \
237 TK[3] = KC[(OFFSET) * 4 + 3]; \
238 \
239 for (i = 1; i <= 4; i++) \
240 if (shifts[(INDEX)][(OFFSET)][i -1]) \
241 ROTL(TK + i * 4, TK, (15 * i) % 32); \
242 \
243 for (i = 0; i < 20; i++) \
244 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
245 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[i]; \
246 } \
247 }
248
camellia_feistel(const uint32_t x[2],const uint32_t k[2],uint32_t z[2])249 static void camellia_feistel(const uint32_t x[2], const uint32_t k[2],
250 uint32_t z[2])
251 {
252 uint32_t I0, I1;
253 I0 = x[0] ^ k[0];
254 I1 = x[1] ^ k[1];
255
256 I0 = ((uint32_t) SBOX1(MBEDTLS_BYTE_3(I0)) << 24) |
257 ((uint32_t) SBOX2(MBEDTLS_BYTE_2(I0)) << 16) |
258 ((uint32_t) SBOX3(MBEDTLS_BYTE_1(I0)) << 8) |
259 ((uint32_t) SBOX4(MBEDTLS_BYTE_0(I0)));
260 I1 = ((uint32_t) SBOX2(MBEDTLS_BYTE_3(I1)) << 24) |
261 ((uint32_t) SBOX3(MBEDTLS_BYTE_2(I1)) << 16) |
262 ((uint32_t) SBOX4(MBEDTLS_BYTE_1(I1)) << 8) |
263 ((uint32_t) SBOX1(MBEDTLS_BYTE_0(I1)));
264
265 I0 ^= (I1 << 8) | (I1 >> 24);
266 I1 ^= (I0 << 16) | (I0 >> 16);
267 I0 ^= (I1 >> 8) | (I1 << 24);
268 I1 ^= (I0 >> 8) | (I0 << 24);
269
270 z[0] ^= I1;
271 z[1] ^= I0;
272 }
273
mbedtls_camellia_init(mbedtls_camellia_context * ctx)274 void mbedtls_camellia_init(mbedtls_camellia_context *ctx)
275 {
276 memset(ctx, 0, sizeof(mbedtls_camellia_context));
277 }
278
mbedtls_camellia_free(mbedtls_camellia_context * ctx)279 void mbedtls_camellia_free(mbedtls_camellia_context *ctx)
280 {
281 if (ctx == NULL) {
282 return;
283 }
284
285 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_camellia_context));
286 }
287
288 /*
289 * Camellia key schedule (encryption)
290 */
mbedtls_camellia_setkey_enc(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)291 int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
292 const unsigned char *key,
293 unsigned int keybits)
294 {
295 int idx;
296 size_t i;
297 uint32_t *RK;
298 unsigned char t[64];
299 uint32_t SIGMA[6][2];
300 uint32_t KC[16];
301 uint32_t TK[20];
302
303 RK = ctx->rk;
304
305 memset(t, 0, 64);
306 memset(RK, 0, sizeof(ctx->rk));
307
308 switch (keybits) {
309 case 128: ctx->nr = 3; idx = 0; break;
310 case 192:
311 case 256: ctx->nr = 4; idx = 1; break;
312 default: return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
313 }
314
315 for (i = 0; i < keybits / 8; ++i) {
316 t[i] = key[i];
317 }
318
319 if (keybits == 192) {
320 for (i = 0; i < 8; i++) {
321 t[24 + i] = ~t[16 + i];
322 }
323 }
324
325 /*
326 * Prepare SIGMA values
327 */
328 for (i = 0; i < 6; i++) {
329 SIGMA[i][0] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 0);
330 SIGMA[i][1] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 4);
331 }
332
333 /*
334 * Key storage in KC
335 * Order: KL, KR, KA, KB
336 */
337 memset(KC, 0, sizeof(KC));
338
339 /* Store KL, KR */
340 for (i = 0; i < 8; i++) {
341 KC[i] = MBEDTLS_GET_UINT32_BE(t, i * 4);
342 }
343
344 /* Generate KA */
345 for (i = 0; i < 4; ++i) {
346 KC[8 + i] = KC[i] ^ KC[4 + i];
347 }
348
349 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
350 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
351
352 for (i = 0; i < 4; ++i) {
353 KC[8 + i] ^= KC[i];
354 }
355
356 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
357 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
358
359 if (keybits > 128) {
360 /* Generate KB */
361 for (i = 0; i < 4; ++i) {
362 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
363 }
364
365 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
366 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
367 }
368
369 /*
370 * Generating subkeys
371 */
372
373 /* Manipulating KL */
374 SHIFT_AND_PLACE(idx, 0);
375
376 /* Manipulating KR */
377 if (keybits > 128) {
378 SHIFT_AND_PLACE(idx, 1);
379 }
380
381 /* Manipulating KA */
382 SHIFT_AND_PLACE(idx, 2);
383
384 /* Manipulating KB */
385 if (keybits > 128) {
386 SHIFT_AND_PLACE(idx, 3);
387 }
388
389 /* Do transpositions */
390 for (i = 0; i < 20; i++) {
391 if (transposes[idx][i] != -1) {
392 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
393 }
394 }
395
396 return 0;
397 }
398
399 /*
400 * Camellia key schedule (decryption)
401 */
mbedtls_camellia_setkey_dec(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)402 int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
403 const unsigned char *key,
404 unsigned int keybits)
405 {
406 int idx, ret;
407 size_t i;
408 mbedtls_camellia_context cty;
409 uint32_t *RK;
410 uint32_t *SK;
411
412 mbedtls_camellia_init(&cty);
413
414 /* Also checks keybits */
415 if ((ret = mbedtls_camellia_setkey_enc(&cty, key, keybits)) != 0) {
416 goto exit;
417 }
418
419 ctx->nr = cty.nr;
420 idx = (ctx->nr == 4);
421
422 RK = ctx->rk;
423 SK = cty.rk + 24 * 2 + 8 * idx * 2;
424
425 *RK++ = *SK++;
426 *RK++ = *SK++;
427 *RK++ = *SK++;
428 *RK++ = *SK++;
429
430 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4) {
431 *RK++ = *SK++;
432 *RK++ = *SK++;
433 }
434
435 SK -= 2;
436
437 *RK++ = *SK++;
438 *RK++ = *SK++;
439 *RK++ = *SK++;
440 *RK++ = *SK++;
441
442 exit:
443 mbedtls_camellia_free(&cty);
444
445 return ret;
446 }
447
448 /*
449 * Camellia-ECB block encryption/decryption
450 */
mbedtls_camellia_crypt_ecb(mbedtls_camellia_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])451 int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
452 int mode,
453 const unsigned char input[16],
454 unsigned char output[16])
455 {
456 int NR;
457 uint32_t *RK, X[4];
458 if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
459 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
460 }
461
462 ((void) mode);
463
464 NR = ctx->nr;
465 RK = ctx->rk;
466
467 X[0] = MBEDTLS_GET_UINT32_BE(input, 0);
468 X[1] = MBEDTLS_GET_UINT32_BE(input, 4);
469 X[2] = MBEDTLS_GET_UINT32_BE(input, 8);
470 X[3] = MBEDTLS_GET_UINT32_BE(input, 12);
471
472 X[0] ^= *RK++;
473 X[1] ^= *RK++;
474 X[2] ^= *RK++;
475 X[3] ^= *RK++;
476
477 while (NR) {
478 --NR;
479 camellia_feistel(X, RK, X + 2);
480 RK += 2;
481 camellia_feistel(X + 2, RK, X);
482 RK += 2;
483 camellia_feistel(X, RK, X + 2);
484 RK += 2;
485 camellia_feistel(X + 2, RK, X);
486 RK += 2;
487 camellia_feistel(X, RK, X + 2);
488 RK += 2;
489 camellia_feistel(X + 2, RK, X);
490 RK += 2;
491
492 if (NR) {
493 FL(X[0], X[1], RK[0], RK[1]);
494 RK += 2;
495 FLInv(X[2], X[3], RK[0], RK[1]);
496 RK += 2;
497 }
498 }
499
500 X[2] ^= *RK++;
501 X[3] ^= *RK++;
502 X[0] ^= *RK++;
503 X[1] ^= *RK++;
504
505 MBEDTLS_PUT_UINT32_BE(X[2], output, 0);
506 MBEDTLS_PUT_UINT32_BE(X[3], output, 4);
507 MBEDTLS_PUT_UINT32_BE(X[0], output, 8);
508 MBEDTLS_PUT_UINT32_BE(X[1], output, 12);
509
510 return 0;
511 }
512
513 #if defined(MBEDTLS_CIPHER_MODE_CBC)
514 /*
515 * Camellia-CBC buffer encryption/decryption
516 */
mbedtls_camellia_crypt_cbc(mbedtls_camellia_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)517 int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
518 int mode,
519 size_t length,
520 unsigned char iv[16],
521 const unsigned char *input,
522 unsigned char *output)
523 {
524 unsigned char temp[16];
525 if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
526 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
527 }
528
529 if (length % 16) {
530 return MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH;
531 }
532
533 if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
534 while (length > 0) {
535 memcpy(temp, input, 16);
536 mbedtls_camellia_crypt_ecb(ctx, mode, input, output);
537
538 mbedtls_xor(output, output, iv, 16);
539
540 memcpy(iv, temp, 16);
541
542 input += 16;
543 output += 16;
544 length -= 16;
545 }
546 } else {
547 while (length > 0) {
548 mbedtls_xor(output, input, iv, 16);
549
550 mbedtls_camellia_crypt_ecb(ctx, mode, output, output);
551 memcpy(iv, output, 16);
552
553 input += 16;
554 output += 16;
555 length -= 16;
556 }
557 }
558
559 return 0;
560 }
561 #endif /* MBEDTLS_CIPHER_MODE_CBC */
562
563 #if defined(MBEDTLS_CIPHER_MODE_CFB)
564 /*
565 * Camellia-CFB128 buffer encryption/decryption
566 */
mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)567 int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
568 int mode,
569 size_t length,
570 size_t *iv_off,
571 unsigned char iv[16],
572 const unsigned char *input,
573 unsigned char *output)
574 {
575 int c;
576 size_t n;
577 if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
578 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
579 }
580
581 n = *iv_off;
582 if (n >= 16) {
583 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
584 }
585
586 if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
587 while (length--) {
588 if (n == 0) {
589 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
590 }
591
592 c = *input++;
593 *output++ = (unsigned char) (c ^ iv[n]);
594 iv[n] = (unsigned char) c;
595
596 n = (n + 1) & 0x0F;
597 }
598 } else {
599 while (length--) {
600 if (n == 0) {
601 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
602 }
603
604 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
605
606 n = (n + 1) & 0x0F;
607 }
608 }
609
610 *iv_off = n;
611
612 return 0;
613 }
614 #endif /* MBEDTLS_CIPHER_MODE_CFB */
615
616 #if defined(MBEDTLS_CIPHER_MODE_CTR)
617 /*
618 * Camellia-CTR buffer encryption/decryption
619 */
mbedtls_camellia_crypt_ctr(mbedtls_camellia_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)620 int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
621 size_t length,
622 size_t *nc_off,
623 unsigned char nonce_counter[16],
624 unsigned char stream_block[16],
625 const unsigned char *input,
626 unsigned char *output)
627 {
628 int c, i;
629 size_t n;
630
631 n = *nc_off;
632 if (n >= 16) {
633 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
634 }
635
636 while (length--) {
637 if (n == 0) {
638 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
639 stream_block);
640
641 for (i = 16; i > 0; i--) {
642 if (++nonce_counter[i - 1] != 0) {
643 break;
644 }
645 }
646 }
647 c = *input++;
648 *output++ = (unsigned char) (c ^ stream_block[n]);
649
650 n = (n + 1) & 0x0F;
651 }
652
653 *nc_off = n;
654
655 return 0;
656 }
657 #endif /* MBEDTLS_CIPHER_MODE_CTR */
658 #endif /* !MBEDTLS_CAMELLIA_ALT */
659
660 #if defined(MBEDTLS_SELF_TEST)
661
662 /*
663 * Camellia test vectors from:
664 *
665 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
666 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
667 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
668 * (For each bitlength: Key 0, Nr 39)
669 */
670 #define CAMELLIA_TESTS_ECB 2
671
672 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
673 {
674 {
675 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
676 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
677 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
678 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
679 },
680 {
681 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
682 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
683 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
684 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
685 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
686 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
687 },
688 {
689 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
690 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
691 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
692 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
693 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
694 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
695 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
696 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
697 },
698 };
699
700 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
701 {
702 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
703 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
704 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
706 };
707
708 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
709 {
710 {
711 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
712 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
713 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
714 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
715 },
716 {
717 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
718 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
719 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
720 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
721 },
722 {
723 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
724 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
725 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
726 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
727 }
728 };
729
730 #if defined(MBEDTLS_CIPHER_MODE_CBC)
731 #define CAMELLIA_TESTS_CBC 3
732
733 static const unsigned char camellia_test_cbc_key[3][32] =
734 {
735 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
736 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
737 ,
738 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
739 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
740 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
741 ,
742 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
743 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
744 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
745 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
746 };
747
748 static const unsigned char camellia_test_cbc_iv[16] =
749
750 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
751 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
752 ;
753
754 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
755 {
756 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
757 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
758 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
759 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
760 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
761 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
762
763 };
764
765 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
766 {
767 {
768 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
769 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
770 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
771 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
772 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
773 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
774 },
775 {
776 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
777 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
778 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
779 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
780 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
781 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
782 },
783 {
784 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
785 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
786 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
787 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
788 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
789 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
790 }
791 };
792 #endif /* MBEDTLS_CIPHER_MODE_CBC */
793
794 #if defined(MBEDTLS_CIPHER_MODE_CTR)
795 /*
796 * Camellia-CTR test vectors from:
797 *
798 * http://www.faqs.org/rfcs/rfc5528.html
799 */
800
801 static const unsigned char camellia_test_ctr_key[3][16] =
802 {
803 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
804 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
805 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
806 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
807 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
808 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
809 };
810
811 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
812 {
813 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
814 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
815 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
816 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
817 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
818 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
819 };
820
821 static const unsigned char camellia_test_ctr_pt[3][48] =
822 {
823 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
824 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
825
826 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
827 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
828 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
829 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
830
831 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
832 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
833 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
834 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
835 0x20, 0x21, 0x22, 0x23 }
836 };
837
838 static const unsigned char camellia_test_ctr_ct[3][48] =
839 {
840 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
841 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
842 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
843 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
844 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
845 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
846 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
847 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
848 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
849 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
850 0xDF, 0x50, 0x86, 0x96 }
851 };
852
853 static const int camellia_test_ctr_len[3] =
854 { 16, 32, 36 };
855 #endif /* MBEDTLS_CIPHER_MODE_CTR */
856
857 /*
858 * Checkup routine
859 */
mbedtls_camellia_self_test(int verbose)860 int mbedtls_camellia_self_test(int verbose)
861 {
862 int i, j, u, v;
863 unsigned char key[32];
864 unsigned char buf[64];
865 unsigned char src[16];
866 unsigned char dst[16];
867 #if defined(MBEDTLS_CIPHER_MODE_CBC)
868 unsigned char iv[16];
869 #endif
870 #if defined(MBEDTLS_CIPHER_MODE_CTR)
871 size_t offset, len;
872 unsigned char nonce_counter[16];
873 unsigned char stream_block[16];
874 #endif
875 int ret = 1;
876
877 mbedtls_camellia_context ctx;
878
879 mbedtls_camellia_init(&ctx);
880 memset(key, 0, 32);
881
882 for (j = 0; j < 6; j++) {
883 u = j >> 1;
884 v = j & 1;
885
886 if (verbose != 0) {
887 mbedtls_printf(" CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
888 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
889 }
890
891 for (i = 0; i < CAMELLIA_TESTS_ECB; i++) {
892 memcpy(key, camellia_test_ecb_key[u][i], 16 + 8 * u);
893
894 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
895 mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
896 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
897 memcpy(dst, camellia_test_ecb_plain[i], 16);
898 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
899 mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
900 memcpy(src, camellia_test_ecb_plain[i], 16);
901 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
902 }
903
904 mbedtls_camellia_crypt_ecb(&ctx, v, src, buf);
905
906 if (memcmp(buf, dst, 16) != 0) {
907 if (verbose != 0) {
908 mbedtls_printf("failed\n");
909 }
910 goto exit;
911 }
912 }
913
914 if (verbose != 0) {
915 mbedtls_printf("passed\n");
916 }
917 }
918
919 if (verbose != 0) {
920 mbedtls_printf("\n");
921 }
922
923 #if defined(MBEDTLS_CIPHER_MODE_CBC)
924 /*
925 * CBC mode
926 */
927 for (j = 0; j < 6; j++) {
928 u = j >> 1;
929 v = j & 1;
930
931 if (verbose != 0) {
932 mbedtls_printf(" CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
933 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
934 }
935
936 memcpy(src, camellia_test_cbc_iv, 16);
937 memcpy(dst, camellia_test_cbc_iv, 16);
938 memcpy(key, camellia_test_cbc_key[u], 16 + 8 * u);
939
940 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
941 mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
942 } else {
943 mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
944 }
945
946 for (i = 0; i < CAMELLIA_TESTS_CBC; i++) {
947
948 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
949 memcpy(iv, src, 16);
950 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
951 memcpy(dst, camellia_test_cbc_plain[i], 16);
952 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
953 memcpy(iv, dst, 16);
954 memcpy(src, camellia_test_cbc_plain[i], 16);
955 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
956 }
957
958 mbedtls_camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
959
960 if (memcmp(buf, dst, 16) != 0) {
961 if (verbose != 0) {
962 mbedtls_printf("failed\n");
963 }
964 goto exit;
965 }
966 }
967
968 if (verbose != 0) {
969 mbedtls_printf("passed\n");
970 }
971 }
972 #endif /* MBEDTLS_CIPHER_MODE_CBC */
973
974 if (verbose != 0) {
975 mbedtls_printf("\n");
976 }
977
978 #if defined(MBEDTLS_CIPHER_MODE_CTR)
979 /*
980 * CTR mode
981 */
982 for (i = 0; i < 6; i++) {
983 u = i >> 1;
984 v = i & 1;
985
986 if (verbose != 0) {
987 mbedtls_printf(" CAMELLIA-CTR-128 (%s): ",
988 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
989 }
990
991 memcpy(nonce_counter, camellia_test_ctr_nonce_counter[u], 16);
992 memcpy(key, camellia_test_ctr_key[u], 16);
993
994 offset = 0;
995 mbedtls_camellia_setkey_enc(&ctx, key, 128);
996
997 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
998 len = camellia_test_ctr_len[u];
999 memcpy(buf, camellia_test_ctr_ct[u], len);
1000
1001 mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1002 buf, buf);
1003
1004 if (memcmp(buf, camellia_test_ctr_pt[u], len) != 0) {
1005 if (verbose != 0) {
1006 mbedtls_printf("failed\n");
1007 }
1008 goto exit;
1009 }
1010 } else {
1011 len = camellia_test_ctr_len[u];
1012 memcpy(buf, camellia_test_ctr_pt[u], len);
1013
1014 mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1015 buf, buf);
1016
1017 if (memcmp(buf, camellia_test_ctr_ct[u], len) != 0) {
1018 if (verbose != 0) {
1019 mbedtls_printf("failed\n");
1020 }
1021 goto exit;
1022 }
1023 }
1024
1025 if (verbose != 0) {
1026 mbedtls_printf("passed\n");
1027 }
1028 }
1029
1030 if (verbose != 0) {
1031 mbedtls_printf("\n");
1032 }
1033 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1034
1035 ret = 0;
1036
1037 exit:
1038 mbedtls_camellia_free(&ctx);
1039 return ret;
1040 }
1041
1042 #endif /* MBEDTLS_SELF_TEST */
1043
1044 #endif /* MBEDTLS_CAMELLIA_C */
1045
