1 /*
2 * Camellia implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
21 * Corporation.
22 *
23 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
24 */
25
26 #include "common.h"
27
28 #if defined(MBEDTLS_CAMELLIA_C)
29
30 #include "mbedtls/camellia.h"
31 #include "mbedtls/platform_util.h"
32
33 #include <string.h>
34
35 #include "mbedtls/platform.h"
36
37 #if !defined(MBEDTLS_CAMELLIA_ALT)
38
39 static const unsigned char SIGMA_CHARS[6][8] =
40 {
41 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
42 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
43 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
44 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
45 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
46 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
47 };
48
49 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
50
51 static const unsigned char FSb[256] =
52 {
53 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
54 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
55 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
56 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
57 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
58 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
59 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
60 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
61 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
62 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
63 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
64 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
65 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
66 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
67 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
68 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
69 };
70
71 #define SBOX1(n) FSb[(n)]
72 #define SBOX2(n) (unsigned char) ((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
73 #define SBOX3(n) (unsigned char) ((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
74 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
75
76 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
77
78 static const unsigned char FSb[256] =
79 {
80 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
81 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
82 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
83 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
84 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
85 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
86 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
87 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
88 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
89 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
90 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
91 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
92 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
93 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
94 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
95 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
96 };
97
98 static const unsigned char FSb2[256] =
99 {
100 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
101 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
102 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
103 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
104 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
105 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
106 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
107 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
108 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
109 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
110 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
111 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
112 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
113 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
114 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
115 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
116 };
117
118 static const unsigned char FSb3[256] =
119 {
120 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
121 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
122 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
123 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
124 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
125 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
126 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
127 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
128 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
129 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
130 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
131 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
132 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
133 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
134 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
135 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
136 };
137
138 static const unsigned char FSb4[256] =
139 {
140 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
141 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
142 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
143 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
144 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
145 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
146 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
147 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
148 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
149 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
150 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
151 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
152 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
153 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
154 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
155 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
156 };
157
158 #define SBOX1(n) FSb[(n)]
159 #define SBOX2(n) FSb2[(n)]
160 #define SBOX3(n) FSb3[(n)]
161 #define SBOX4(n) FSb4[(n)]
162
163 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
164
165 static const unsigned char shifts[2][4][4] =
166 {
167 {
168 { 1, 1, 1, 1 }, /* KL */
169 { 0, 0, 0, 0 }, /* KR */
170 { 1, 1, 1, 1 }, /* KA */
171 { 0, 0, 0, 0 } /* KB */
172 },
173 {
174 { 1, 0, 1, 1 }, /* KL */
175 { 1, 1, 0, 1 }, /* KR */
176 { 1, 1, 1, 0 }, /* KA */
177 { 1, 1, 0, 1 } /* KB */
178 }
179 };
180
181 static const signed char indexes[2][4][20] =
182 {
183 {
184 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
185 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
186 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
187 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
188 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
189 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
190 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
191 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
192 },
193 {
194 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
195 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
196 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
197 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
198 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
199 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
200 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
201 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
202 }
203 };
204
205 static const signed char transposes[2][20] =
206 {
207 {
208 21, 22, 23, 20,
209 -1, -1, -1, -1,
210 18, 19, 16, 17,
211 11, 8, 9, 10,
212 15, 12, 13, 14
213 },
214 {
215 25, 26, 27, 24,
216 29, 30, 31, 28,
217 18, 19, 16, 17,
218 -1, -1, -1, -1,
219 -1, -1, -1, -1
220 }
221 };
222
223 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
224 #define ROTL(DEST, SRC, SHIFT) \
225 { \
226 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
227 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
228 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
229 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
230 }
231
232 #define FL(XL, XR, KL, KR) \
233 { \
234 (XR) = ((((XL) &(KL)) << 1) | (((XL) &(KL)) >> 31)) ^ (XR); \
235 (XL) = ((XR) | (KR)) ^ (XL); \
236 }
237
238 #define FLInv(YL, YR, KL, KR) \
239 { \
240 (YL) = ((YR) | (KR)) ^ (YL); \
241 (YR) = ((((YL) &(KL)) << 1) | (((YL) &(KL)) >> 31)) ^ (YR); \
242 }
243
244 #define SHIFT_AND_PLACE(INDEX, OFFSET) \
245 { \
246 TK[0] = KC[(OFFSET) * 4 + 0]; \
247 TK[1] = KC[(OFFSET) * 4 + 1]; \
248 TK[2] = KC[(OFFSET) * 4 + 2]; \
249 TK[3] = KC[(OFFSET) * 4 + 3]; \
250 \
251 for (i = 1; i <= 4; i++) \
252 if (shifts[(INDEX)][(OFFSET)][i -1]) \
253 ROTL(TK + i * 4, TK, (15 * i) % 32); \
254 \
255 for (i = 0; i < 20; i++) \
256 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
257 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[i]; \
258 } \
259 }
260
camellia_feistel(const uint32_t x[2],const uint32_t k[2],uint32_t z[2])261 static void camellia_feistel(const uint32_t x[2], const uint32_t k[2],
262 uint32_t z[2])
263 {
264 uint32_t I0, I1;
265 I0 = x[0] ^ k[0];
266 I1 = x[1] ^ k[1];
267
268 I0 = ((uint32_t) SBOX1(MBEDTLS_BYTE_3(I0)) << 24) |
269 ((uint32_t) SBOX2(MBEDTLS_BYTE_2(I0)) << 16) |
270 ((uint32_t) SBOX3(MBEDTLS_BYTE_1(I0)) << 8) |
271 ((uint32_t) SBOX4(MBEDTLS_BYTE_0(I0)));
272 I1 = ((uint32_t) SBOX2(MBEDTLS_BYTE_3(I1)) << 24) |
273 ((uint32_t) SBOX3(MBEDTLS_BYTE_2(I1)) << 16) |
274 ((uint32_t) SBOX4(MBEDTLS_BYTE_1(I1)) << 8) |
275 ((uint32_t) SBOX1(MBEDTLS_BYTE_0(I1)));
276
277 I0 ^= (I1 << 8) | (I1 >> 24);
278 I1 ^= (I0 << 16) | (I0 >> 16);
279 I0 ^= (I1 >> 8) | (I1 << 24);
280 I1 ^= (I0 >> 8) | (I0 << 24);
281
282 z[0] ^= I1;
283 z[1] ^= I0;
284 }
285
mbedtls_camellia_init(mbedtls_camellia_context * ctx)286 void mbedtls_camellia_init(mbedtls_camellia_context *ctx)
287 {
288 memset(ctx, 0, sizeof(mbedtls_camellia_context));
289 }
290
mbedtls_camellia_free(mbedtls_camellia_context * ctx)291 void mbedtls_camellia_free(mbedtls_camellia_context *ctx)
292 {
293 if (ctx == NULL) {
294 return;
295 }
296
297 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_camellia_context));
298 }
299
300 /*
301 * Camellia key schedule (encryption)
302 */
mbedtls_camellia_setkey_enc(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)303 int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
304 const unsigned char *key,
305 unsigned int keybits)
306 {
307 int idx;
308 size_t i;
309 uint32_t *RK;
310 unsigned char t[64];
311 uint32_t SIGMA[6][2];
312 uint32_t KC[16];
313 uint32_t TK[20];
314
315 RK = ctx->rk;
316
317 memset(t, 0, 64);
318 memset(RK, 0, sizeof(ctx->rk));
319
320 switch (keybits) {
321 case 128: ctx->nr = 3; idx = 0; break;
322 case 192:
323 case 256: ctx->nr = 4; idx = 1; break;
324 default: return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
325 }
326
327 for (i = 0; i < keybits / 8; ++i) {
328 t[i] = key[i];
329 }
330
331 if (keybits == 192) {
332 for (i = 0; i < 8; i++) {
333 t[24 + i] = ~t[16 + i];
334 }
335 }
336
337 /*
338 * Prepare SIGMA values
339 */
340 for (i = 0; i < 6; i++) {
341 SIGMA[i][0] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 0);
342 SIGMA[i][1] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 4);
343 }
344
345 /*
346 * Key storage in KC
347 * Order: KL, KR, KA, KB
348 */
349 memset(KC, 0, sizeof(KC));
350
351 /* Store KL, KR */
352 for (i = 0; i < 8; i++) {
353 KC[i] = MBEDTLS_GET_UINT32_BE(t, i * 4);
354 }
355
356 /* Generate KA */
357 for (i = 0; i < 4; ++i) {
358 KC[8 + i] = KC[i] ^ KC[4 + i];
359 }
360
361 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
362 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
363
364 for (i = 0; i < 4; ++i) {
365 KC[8 + i] ^= KC[i];
366 }
367
368 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
369 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
370
371 if (keybits > 128) {
372 /* Generate KB */
373 for (i = 0; i < 4; ++i) {
374 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
375 }
376
377 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
378 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
379 }
380
381 /*
382 * Generating subkeys
383 */
384
385 /* Manipulating KL */
386 SHIFT_AND_PLACE(idx, 0);
387
388 /* Manipulating KR */
389 if (keybits > 128) {
390 SHIFT_AND_PLACE(idx, 1);
391 }
392
393 /* Manipulating KA */
394 SHIFT_AND_PLACE(idx, 2);
395
396 /* Manipulating KB */
397 if (keybits > 128) {
398 SHIFT_AND_PLACE(idx, 3);
399 }
400
401 /* Do transpositions */
402 for (i = 0; i < 20; i++) {
403 if (transposes[idx][i] != -1) {
404 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
405 }
406 }
407
408 return 0;
409 }
410
411 /*
412 * Camellia key schedule (decryption)
413 */
mbedtls_camellia_setkey_dec(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)414 int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
415 const unsigned char *key,
416 unsigned int keybits)
417 {
418 int idx, ret;
419 size_t i;
420 mbedtls_camellia_context cty;
421 uint32_t *RK;
422 uint32_t *SK;
423
424 mbedtls_camellia_init(&cty);
425
426 /* Also checks keybits */
427 if ((ret = mbedtls_camellia_setkey_enc(&cty, key, keybits)) != 0) {
428 goto exit;
429 }
430
431 ctx->nr = cty.nr;
432 idx = (ctx->nr == 4);
433
434 RK = ctx->rk;
435 SK = cty.rk + 24 * 2 + 8 * idx * 2;
436
437 *RK++ = *SK++;
438 *RK++ = *SK++;
439 *RK++ = *SK++;
440 *RK++ = *SK++;
441
442 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4) {
443 *RK++ = *SK++;
444 *RK++ = *SK++;
445 }
446
447 SK -= 2;
448
449 *RK++ = *SK++;
450 *RK++ = *SK++;
451 *RK++ = *SK++;
452 *RK++ = *SK++;
453
454 exit:
455 mbedtls_camellia_free(&cty);
456
457 return ret;
458 }
459
460 /*
461 * Camellia-ECB block encryption/decryption
462 */
mbedtls_camellia_crypt_ecb(mbedtls_camellia_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])463 int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
464 int mode,
465 const unsigned char input[16],
466 unsigned char output[16])
467 {
468 int NR;
469 uint32_t *RK, X[4];
470 if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
471 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
472 }
473
474 ((void) mode);
475
476 NR = ctx->nr;
477 RK = ctx->rk;
478
479 X[0] = MBEDTLS_GET_UINT32_BE(input, 0);
480 X[1] = MBEDTLS_GET_UINT32_BE(input, 4);
481 X[2] = MBEDTLS_GET_UINT32_BE(input, 8);
482 X[3] = MBEDTLS_GET_UINT32_BE(input, 12);
483
484 X[0] ^= *RK++;
485 X[1] ^= *RK++;
486 X[2] ^= *RK++;
487 X[3] ^= *RK++;
488
489 while (NR) {
490 --NR;
491 camellia_feistel(X, RK, X + 2);
492 RK += 2;
493 camellia_feistel(X + 2, RK, X);
494 RK += 2;
495 camellia_feistel(X, RK, X + 2);
496 RK += 2;
497 camellia_feistel(X + 2, RK, X);
498 RK += 2;
499 camellia_feistel(X, RK, X + 2);
500 RK += 2;
501 camellia_feistel(X + 2, RK, X);
502 RK += 2;
503
504 if (NR) {
505 FL(X[0], X[1], RK[0], RK[1]);
506 RK += 2;
507 FLInv(X[2], X[3], RK[0], RK[1]);
508 RK += 2;
509 }
510 }
511
512 X[2] ^= *RK++;
513 X[3] ^= *RK++;
514 X[0] ^= *RK++;
515 X[1] ^= *RK++;
516
517 MBEDTLS_PUT_UINT32_BE(X[2], output, 0);
518 MBEDTLS_PUT_UINT32_BE(X[3], output, 4);
519 MBEDTLS_PUT_UINT32_BE(X[0], output, 8);
520 MBEDTLS_PUT_UINT32_BE(X[1], output, 12);
521
522 return 0;
523 }
524
525 #if defined(MBEDTLS_CIPHER_MODE_CBC)
526 /*
527 * Camellia-CBC buffer encryption/decryption
528 */
mbedtls_camellia_crypt_cbc(mbedtls_camellia_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)529 int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
530 int mode,
531 size_t length,
532 unsigned char iv[16],
533 const unsigned char *input,
534 unsigned char *output)
535 {
536 unsigned char temp[16];
537 if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
538 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
539 }
540
541 if (length % 16) {
542 return MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH;
543 }
544
545 if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
546 while (length > 0) {
547 memcpy(temp, input, 16);
548 mbedtls_camellia_crypt_ecb(ctx, mode, input, output);
549
550 mbedtls_xor(output, output, iv, 16);
551
552 memcpy(iv, temp, 16);
553
554 input += 16;
555 output += 16;
556 length -= 16;
557 }
558 } else {
559 while (length > 0) {
560 mbedtls_xor(output, input, iv, 16);
561
562 mbedtls_camellia_crypt_ecb(ctx, mode, output, output);
563 memcpy(iv, output, 16);
564
565 input += 16;
566 output += 16;
567 length -= 16;
568 }
569 }
570
571 return 0;
572 }
573 #endif /* MBEDTLS_CIPHER_MODE_CBC */
574
575 #if defined(MBEDTLS_CIPHER_MODE_CFB)
576 /*
577 * Camellia-CFB128 buffer encryption/decryption
578 */
mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)579 int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
580 int mode,
581 size_t length,
582 size_t *iv_off,
583 unsigned char iv[16],
584 const unsigned char *input,
585 unsigned char *output)
586 {
587 int c;
588 size_t n;
589 if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
590 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
591 }
592
593 n = *iv_off;
594 if (n >= 16) {
595 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
596 }
597
598 if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
599 while (length--) {
600 if (n == 0) {
601 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
602 }
603
604 c = *input++;
605 *output++ = (unsigned char) (c ^ iv[n]);
606 iv[n] = (unsigned char) c;
607
608 n = (n + 1) & 0x0F;
609 }
610 } else {
611 while (length--) {
612 if (n == 0) {
613 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
614 }
615
616 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
617
618 n = (n + 1) & 0x0F;
619 }
620 }
621
622 *iv_off = n;
623
624 return 0;
625 }
626 #endif /* MBEDTLS_CIPHER_MODE_CFB */
627
628 #if defined(MBEDTLS_CIPHER_MODE_CTR)
629 /*
630 * Camellia-CTR buffer encryption/decryption
631 */
mbedtls_camellia_crypt_ctr(mbedtls_camellia_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)632 int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
633 size_t length,
634 size_t *nc_off,
635 unsigned char nonce_counter[16],
636 unsigned char stream_block[16],
637 const unsigned char *input,
638 unsigned char *output)
639 {
640 int c, i;
641 size_t n;
642
643 n = *nc_off;
644 if (n >= 16) {
645 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
646 }
647
648 while (length--) {
649 if (n == 0) {
650 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
651 stream_block);
652
653 for (i = 16; i > 0; i--) {
654 if (++nonce_counter[i - 1] != 0) {
655 break;
656 }
657 }
658 }
659 c = *input++;
660 *output++ = (unsigned char) (c ^ stream_block[n]);
661
662 n = (n + 1) & 0x0F;
663 }
664
665 *nc_off = n;
666
667 return 0;
668 }
669 #endif /* MBEDTLS_CIPHER_MODE_CTR */
670 #endif /* !MBEDTLS_CAMELLIA_ALT */
671
672 #if defined(MBEDTLS_SELF_TEST)
673
674 /*
675 * Camellia test vectors from:
676 *
677 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
678 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
679 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
680 * (For each bitlength: Key 0, Nr 39)
681 */
682 #define CAMELLIA_TESTS_ECB 2
683
684 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
685 {
686 {
687 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
688 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
689 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
691 },
692 {
693 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
694 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
695 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
696 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
697 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
698 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
699 },
700 {
701 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
702 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
703 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
704 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
705 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
708 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
709 },
710 };
711
712 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
713 {
714 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
715 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
716 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
717 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
718 };
719
720 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
721 {
722 {
723 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
724 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
725 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
726 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
727 },
728 {
729 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
730 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
731 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
732 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
733 },
734 {
735 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
736 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
737 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
738 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
739 }
740 };
741
742 #if defined(MBEDTLS_CIPHER_MODE_CBC)
743 #define CAMELLIA_TESTS_CBC 3
744
745 static const unsigned char camellia_test_cbc_key[3][32] =
746 {
747 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
748 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
749 ,
750 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
751 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
752 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
753 ,
754 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
755 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
756 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
757 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
758 };
759
760 static const unsigned char camellia_test_cbc_iv[16] =
761
762 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
763 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
764 ;
765
766 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
767 {
768 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
769 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
770 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
771 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
772 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
773 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
774
775 };
776
777 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
778 {
779 {
780 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
781 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
782 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
783 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
784 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
785 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
786 },
787 {
788 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
789 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
790 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
791 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
792 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
793 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
794 },
795 {
796 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
797 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
798 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
799 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
800 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
801 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
802 }
803 };
804 #endif /* MBEDTLS_CIPHER_MODE_CBC */
805
806 #if defined(MBEDTLS_CIPHER_MODE_CTR)
807 /*
808 * Camellia-CTR test vectors from:
809 *
810 * http://www.faqs.org/rfcs/rfc5528.html
811 */
812
813 static const unsigned char camellia_test_ctr_key[3][16] =
814 {
815 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
816 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
817 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
818 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
819 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
820 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
821 };
822
823 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
824 {
825 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
826 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
827 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
828 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
829 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
830 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
831 };
832
833 static const unsigned char camellia_test_ctr_pt[3][48] =
834 {
835 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
836 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
837
838 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
839 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
840 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
841 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
842
843 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
844 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
845 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
846 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
847 0x20, 0x21, 0x22, 0x23 }
848 };
849
850 static const unsigned char camellia_test_ctr_ct[3][48] =
851 {
852 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
853 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
854 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
855 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
856 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
857 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
858 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
859 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
860 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
861 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
862 0xDF, 0x50, 0x86, 0x96 }
863 };
864
865 static const int camellia_test_ctr_len[3] =
866 { 16, 32, 36 };
867 #endif /* MBEDTLS_CIPHER_MODE_CTR */
868
869 /*
870 * Checkup routine
871 */
mbedtls_camellia_self_test(int verbose)872 int mbedtls_camellia_self_test(int verbose)
873 {
874 int i, j, u, v;
875 unsigned char key[32];
876 unsigned char buf[64];
877 unsigned char src[16];
878 unsigned char dst[16];
879 #if defined(MBEDTLS_CIPHER_MODE_CBC)
880 unsigned char iv[16];
881 #endif
882 #if defined(MBEDTLS_CIPHER_MODE_CTR)
883 size_t offset, len;
884 unsigned char nonce_counter[16];
885 unsigned char stream_block[16];
886 #endif
887 int ret = 1;
888
889 mbedtls_camellia_context ctx;
890
891 mbedtls_camellia_init(&ctx);
892 memset(key, 0, 32);
893
894 for (j = 0; j < 6; j++) {
895 u = j >> 1;
896 v = j & 1;
897
898 if (verbose != 0) {
899 mbedtls_printf(" CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
900 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
901 }
902
903 for (i = 0; i < CAMELLIA_TESTS_ECB; i++) {
904 memcpy(key, camellia_test_ecb_key[u][i], 16 + 8 * u);
905
906 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
907 mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
908 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
909 memcpy(dst, camellia_test_ecb_plain[i], 16);
910 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
911 mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
912 memcpy(src, camellia_test_ecb_plain[i], 16);
913 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
914 }
915
916 mbedtls_camellia_crypt_ecb(&ctx, v, src, buf);
917
918 if (memcmp(buf, dst, 16) != 0) {
919 if (verbose != 0) {
920 mbedtls_printf("failed\n");
921 }
922 goto exit;
923 }
924 }
925
926 if (verbose != 0) {
927 mbedtls_printf("passed\n");
928 }
929 }
930
931 if (verbose != 0) {
932 mbedtls_printf("\n");
933 }
934
935 #if defined(MBEDTLS_CIPHER_MODE_CBC)
936 /*
937 * CBC mode
938 */
939 for (j = 0; j < 6; j++) {
940 u = j >> 1;
941 v = j & 1;
942
943 if (verbose != 0) {
944 mbedtls_printf(" CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
945 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
946 }
947
948 memcpy(src, camellia_test_cbc_iv, 16);
949 memcpy(dst, camellia_test_cbc_iv, 16);
950 memcpy(key, camellia_test_cbc_key[u], 16 + 8 * u);
951
952 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
953 mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
954 } else {
955 mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
956 }
957
958 for (i = 0; i < CAMELLIA_TESTS_CBC; i++) {
959
960 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
961 memcpy(iv, src, 16);
962 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
963 memcpy(dst, camellia_test_cbc_plain[i], 16);
964 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
965 memcpy(iv, dst, 16);
966 memcpy(src, camellia_test_cbc_plain[i], 16);
967 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
968 }
969
970 mbedtls_camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
971
972 if (memcmp(buf, dst, 16) != 0) {
973 if (verbose != 0) {
974 mbedtls_printf("failed\n");
975 }
976 goto exit;
977 }
978 }
979
980 if (verbose != 0) {
981 mbedtls_printf("passed\n");
982 }
983 }
984 #endif /* MBEDTLS_CIPHER_MODE_CBC */
985
986 if (verbose != 0) {
987 mbedtls_printf("\n");
988 }
989
990 #if defined(MBEDTLS_CIPHER_MODE_CTR)
991 /*
992 * CTR mode
993 */
994 for (i = 0; i < 6; i++) {
995 u = i >> 1;
996 v = i & 1;
997
998 if (verbose != 0) {
999 mbedtls_printf(" CAMELLIA-CTR-128 (%s): ",
1000 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
1001 }
1002
1003 memcpy(nonce_counter, camellia_test_ctr_nonce_counter[u], 16);
1004 memcpy(key, camellia_test_ctr_key[u], 16);
1005
1006 offset = 0;
1007 mbedtls_camellia_setkey_enc(&ctx, key, 128);
1008
1009 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
1010 len = camellia_test_ctr_len[u];
1011 memcpy(buf, camellia_test_ctr_ct[u], len);
1012
1013 mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1014 buf, buf);
1015
1016 if (memcmp(buf, camellia_test_ctr_pt[u], len) != 0) {
1017 if (verbose != 0) {
1018 mbedtls_printf("failed\n");
1019 }
1020 goto exit;
1021 }
1022 } else {
1023 len = camellia_test_ctr_len[u];
1024 memcpy(buf, camellia_test_ctr_pt[u], len);
1025
1026 mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1027 buf, buf);
1028
1029 if (memcmp(buf, camellia_test_ctr_ct[u], len) != 0) {
1030 if (verbose != 0) {
1031 mbedtls_printf("failed\n");
1032 }
1033 goto exit;
1034 }
1035 }
1036
1037 if (verbose != 0) {
1038 mbedtls_printf("passed\n");
1039 }
1040 }
1041
1042 if (verbose != 0) {
1043 mbedtls_printf("\n");
1044 }
1045 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1046
1047 ret = 0;
1048
1049 exit:
1050 mbedtls_camellia_free(&ctx);
1051 return ret;
1052 }
1053
1054 #endif /* MBEDTLS_SELF_TEST */
1055
1056 #endif /* MBEDTLS_CAMELLIA_C */
1057
