1 /*
2  *  Camellia implementation
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 /*
20  *  The Camellia block cipher was designed by NTT and Mitsubishi Electric
21  *  Corporation.
22  *
23  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
24  */
25 
26 #include "common.h"
27 
28 #if defined(MBEDTLS_CAMELLIA_C)
29 
30 #include "mbedtls/camellia.h"
31 #include "mbedtls/platform_util.h"
32 
33 #include <string.h>
34 
35 #if defined(MBEDTLS_SELF_TEST)
36 #if defined(MBEDTLS_PLATFORM_C)
37 #include "mbedtls/platform.h"
38 #else
39 #include <stdio.h>
40 #define mbedtls_printf printf
41 #endif /* MBEDTLS_PLATFORM_C */
42 #endif /* MBEDTLS_SELF_TEST */
43 
44 #if !defined(MBEDTLS_CAMELLIA_ALT)
45 
46 /* Parameter validation macros */
47 #define CAMELLIA_VALIDATE_RET( cond )                                       \
48     MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
49 #define CAMELLIA_VALIDATE( cond )                                           \
50     MBEDTLS_INTERNAL_VALIDATE( cond )
51 
52 /*
53  * 32-bit integer manipulation macros (big endian)
54  */
55 #ifndef GET_UINT32_BE
56 #define GET_UINT32_BE(n,b,i)                            \
57 {                                                       \
58     (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
59         | ( (uint32_t) (b)[(i) + 1] << 16 )             \
60         | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
61         | ( (uint32_t) (b)[(i) + 3]       );            \
62 }
63 #endif
64 
65 #ifndef PUT_UINT32_BE
66 #define PUT_UINT32_BE(n,b,i)                            \
67 {                                                       \
68     (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
69     (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
70     (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
71     (b)[(i) + 3] = (unsigned char) ( (n)       );       \
72 }
73 #endif
74 
75 static const unsigned char SIGMA_CHARS[6][8] =
76 {
77     { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
78     { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
79     { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
80     { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
81     { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
82     { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
83 };
84 
85 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
86 
87 static const unsigned char FSb[256] =
88 {
89     112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
90      35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
91     134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
92     166,225, 57,202,213, 71, 93, 61,217,  1, 90,214, 81, 86,108, 77,
93     139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
94     223, 76,203,194, 52,126,118,  5,109,183,169, 49,209, 23,  4,215,
95      20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
96     254, 68,207,178,195,181,122,145, 36,  8,232,168, 96,252,105, 80,
97     170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
98      16,196,  0, 72,163,247,117,219,138,  3,230,218,  9, 63,221,148,
99     135, 92,131,  2,205, 74,144, 51,115,103,246,243,157,127,191,226,
100      82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
101     233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
102     120,152,  6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
103     114,  7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
104      64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
105 };
106 
107 #define SBOX1(n) FSb[(n)]
108 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
109 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
110 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
111 
112 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
113 
114 static const unsigned char FSb[256] =
115 {
116  112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
117   35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
118  134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
119  166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
120  139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
121  223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
122   20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
123  254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
124  170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
125   16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
126  135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
127   82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
128  233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
129  120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
130  114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
131  64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
132 };
133 
134 static const unsigned char FSb2[256] =
135 {
136  224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
137   70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
138   13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
139   77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
140   23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
141  191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
142   40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
143  253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
144   85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
145   32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
146   15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
147  164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
148  211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
149  240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
150  228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
151  128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
152 };
153 
154 static const unsigned char FSb3[256] =
155 {
156   56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
157  145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
158   67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
159   83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
160  197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
161  239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
162   10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
163  127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
164   85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
165    8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
166  195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
167   41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
168  244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
169   60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
170   57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
171   32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
172 };
173 
174 static const unsigned char FSb4[256] =
175 {
176  112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
177  134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
178  139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
179   20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
180  170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
181  135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
182  233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
183  114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
184  130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
185  184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
186   13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
187   88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
188  208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
189   92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
190  121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
191   7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
192 };
193 
194 #define SBOX1(n) FSb[(n)]
195 #define SBOX2(n) FSb2[(n)]
196 #define SBOX3(n) FSb3[(n)]
197 #define SBOX4(n) FSb4[(n)]
198 
199 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
200 
201 static const unsigned char shifts[2][4][4] =
202 {
203     {
204         { 1, 1, 1, 1 }, /* KL */
205         { 0, 0, 0, 0 }, /* KR */
206         { 1, 1, 1, 1 }, /* KA */
207         { 0, 0, 0, 0 }  /* KB */
208     },
209     {
210         { 1, 0, 1, 1 }, /* KL */
211         { 1, 1, 0, 1 }, /* KR */
212         { 1, 1, 1, 0 }, /* KA */
213         { 1, 1, 0, 1 }  /* KB */
214     }
215 };
216 
217 static const signed char indexes[2][4][20] =
218 {
219     {
220         {  0,  1,  2,  3,  8,  9, 10, 11, 38, 39,
221           36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
222         { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
223           -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
224         {  4,  5,  6,  7, 12, 13, 14, 15, 16, 17,
225           18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
226         { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
227           -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }  /* KB -> RK */
228     },
229     {
230         {  0,  1,  2,  3, 61, 62, 63, 60, -1, -1,
231           -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
232         { -1, -1, -1, -1,  8,  9, 10, 11, 16, 17,
233           18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
234         { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
235           56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
236         {  4,  5,  6,  7, 65, 66, 67, 64, 20, 21,
237           22, 23, -1, -1, -1, -1, 43, 40, 41, 42 }  /* KB -> RK */
238     }
239 };
240 
241 static const signed char transposes[2][20] =
242 {
243     {
244         21, 22, 23, 20,
245         -1, -1, -1, -1,
246         18, 19, 16, 17,
247         11,  8,  9, 10,
248         15, 12, 13, 14
249     },
250     {
251         25, 26, 27, 24,
252         29, 30, 31, 28,
253         18, 19, 16, 17,
254         -1, -1, -1, -1,
255         -1, -1, -1, -1
256     }
257 };
258 
259 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
260 #define ROTL(DEST, SRC, SHIFT)                                      \
261 {                                                                   \
262     (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
263     (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
264     (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
265     (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
266 }
267 
268 #define FL(XL, XR, KL, KR)                                          \
269 {                                                                   \
270     (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR);   \
271     (XL) = ((XR) | (KR)) ^ (XL);                                    \
272 }
273 
274 #define FLInv(YL, YR, KL, KR)                                       \
275 {                                                                   \
276     (YL) = ((YR) | (KR)) ^ (YL);                                    \
277     (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR);   \
278 }
279 
280 #define SHIFT_AND_PLACE(INDEX, OFFSET)                      \
281 {                                                           \
282     TK[0] = KC[(OFFSET) * 4 + 0];                           \
283     TK[1] = KC[(OFFSET) * 4 + 1];                           \
284     TK[2] = KC[(OFFSET) * 4 + 2];                           \
285     TK[3] = KC[(OFFSET) * 4 + 3];                           \
286                                                             \
287     for( i = 1; i <= 4; i++ )                               \
288         if( shifts[(INDEX)][(OFFSET)][i -1] )               \
289             ROTL(TK + i * 4, TK, ( 15 * i ) % 32);          \
290                                                             \
291     for( i = 0; i < 20; i++ )                               \
292         if( indexes[(INDEX)][(OFFSET)][i] != -1 ) {         \
293             RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ];    \
294         }                                                   \
295 }
296 
camellia_feistel(const uint32_t x[2],const uint32_t k[2],uint32_t z[2])297 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
298                               uint32_t z[2])
299 {
300     uint32_t I0, I1;
301     I0 = x[0] ^ k[0];
302     I1 = x[1] ^ k[1];
303 
304     I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
305          ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
306          ((uint32_t) SBOX3((I0 >>  8) & 0xFF) <<  8) |
307          ((uint32_t) SBOX4((I0      ) & 0xFF)      );
308     I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
309          ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
310          ((uint32_t) SBOX4((I1 >>  8) & 0xFF) <<  8) |
311          ((uint32_t) SBOX1((I1      ) & 0xFF)      );
312 
313     I0 ^= (I1 << 8) | (I1 >> 24);
314     I1 ^= (I0 << 16) | (I0 >> 16);
315     I0 ^= (I1 >> 8) | (I1 << 24);
316     I1 ^= (I0 >> 8) | (I0 << 24);
317 
318     z[0] ^= I1;
319     z[1] ^= I0;
320 }
321 
mbedtls_camellia_init(mbedtls_camellia_context * ctx)322 void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
323 {
324     CAMELLIA_VALIDATE( ctx != NULL );
325     memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
326 }
327 
mbedtls_camellia_free(mbedtls_camellia_context * ctx)328 void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
329 {
330     if( ctx == NULL )
331         return;
332 
333     mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
334 }
335 
336 /*
337  * Camellia key schedule (encryption)
338  */
mbedtls_camellia_setkey_enc(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)339 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
340                                  const unsigned char *key,
341                                  unsigned int keybits )
342 {
343     int idx;
344     size_t i;
345     uint32_t *RK;
346     unsigned char t[64];
347     uint32_t SIGMA[6][2];
348     uint32_t KC[16];
349     uint32_t TK[20];
350 
351     CAMELLIA_VALIDATE_RET( ctx != NULL );
352     CAMELLIA_VALIDATE_RET( key != NULL );
353 
354     RK = ctx->rk;
355 
356     memset( t, 0, 64 );
357     memset( RK, 0, sizeof(ctx->rk) );
358 
359     switch( keybits )
360     {
361         case 128: ctx->nr = 3; idx = 0; break;
362         case 192:
363         case 256: ctx->nr = 4; idx = 1; break;
364         default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
365     }
366 
367     for( i = 0; i < keybits / 8; ++i )
368         t[i] = key[i];
369 
370     if( keybits == 192 ) {
371         for( i = 0; i < 8; i++ )
372             t[24 + i] = ~t[16 + i];
373     }
374 
375     /*
376      * Prepare SIGMA values
377      */
378     for( i = 0; i < 6; i++ ) {
379         GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
380         GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
381     }
382 
383     /*
384      * Key storage in KC
385      * Order: KL, KR, KA, KB
386      */
387     memset( KC, 0, sizeof(KC) );
388 
389     /* Store KL, KR */
390     for( i = 0; i < 8; i++ )
391         GET_UINT32_BE( KC[i], t, i * 4 );
392 
393     /* Generate KA */
394     for( i = 0; i < 4; ++i )
395         KC[8 + i] = KC[i] ^ KC[4 + i];
396 
397     camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
398     camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
399 
400     for( i = 0; i < 4; ++i )
401         KC[8 + i] ^= KC[i];
402 
403     camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
404     camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
405 
406     if( keybits > 128 ) {
407         /* Generate KB */
408         for( i = 0; i < 4; ++i )
409             KC[12 + i] = KC[4 + i] ^ KC[8 + i];
410 
411         camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
412         camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
413     }
414 
415     /*
416      * Generating subkeys
417      */
418 
419     /* Manipulating KL */
420     SHIFT_AND_PLACE( idx, 0 );
421 
422     /* Manipulating KR */
423     if( keybits > 128 ) {
424         SHIFT_AND_PLACE( idx, 1 );
425     }
426 
427     /* Manipulating KA */
428     SHIFT_AND_PLACE( idx, 2 );
429 
430     /* Manipulating KB */
431     if( keybits > 128 ) {
432         SHIFT_AND_PLACE( idx, 3 );
433     }
434 
435     /* Do transpositions */
436     for( i = 0; i < 20; i++ ) {
437         if( transposes[idx][i] != -1 ) {
438             RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
439         }
440     }
441 
442     return( 0 );
443 }
444 
445 /*
446  * Camellia key schedule (decryption)
447  */
mbedtls_camellia_setkey_dec(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)448 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
449                                  const unsigned char *key,
450                                  unsigned int keybits )
451 {
452     int idx, ret;
453     size_t i;
454     mbedtls_camellia_context cty;
455     uint32_t *RK;
456     uint32_t *SK;
457     CAMELLIA_VALIDATE_RET( ctx != NULL );
458     CAMELLIA_VALIDATE_RET( key != NULL );
459 
460     mbedtls_camellia_init( &cty );
461 
462     /* Also checks keybits */
463     if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
464         goto exit;
465 
466     ctx->nr = cty.nr;
467     idx = ( ctx->nr == 4 );
468 
469     RK = ctx->rk;
470     SK = cty.rk + 24 * 2 + 8 * idx * 2;
471 
472     *RK++ = *SK++;
473     *RK++ = *SK++;
474     *RK++ = *SK++;
475     *RK++ = *SK++;
476 
477     for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
478     {
479         *RK++ = *SK++;
480         *RK++ = *SK++;
481     }
482 
483     SK -= 2;
484 
485     *RK++ = *SK++;
486     *RK++ = *SK++;
487     *RK++ = *SK++;
488     *RK++ = *SK++;
489 
490 exit:
491     mbedtls_camellia_free( &cty );
492 
493     return( ret );
494 }
495 
496 /*
497  * Camellia-ECB block encryption/decryption
498  */
mbedtls_camellia_crypt_ecb(mbedtls_camellia_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])499 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
500                     int mode,
501                     const unsigned char input[16],
502                     unsigned char output[16] )
503 {
504     int NR;
505     uint32_t *RK, X[4];
506     CAMELLIA_VALIDATE_RET( ctx != NULL );
507     CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
508                            mode == MBEDTLS_CAMELLIA_DECRYPT );
509     CAMELLIA_VALIDATE_RET( input  != NULL );
510     CAMELLIA_VALIDATE_RET( output != NULL );
511 
512     ( (void) mode );
513 
514     NR = ctx->nr;
515     RK = ctx->rk;
516 
517     GET_UINT32_BE( X[0], input,  0 );
518     GET_UINT32_BE( X[1], input,  4 );
519     GET_UINT32_BE( X[2], input,  8 );
520     GET_UINT32_BE( X[3], input, 12 );
521 
522     X[0] ^= *RK++;
523     X[1] ^= *RK++;
524     X[2] ^= *RK++;
525     X[3] ^= *RK++;
526 
527     while( NR ) {
528         --NR;
529         camellia_feistel( X, RK, X + 2 );
530         RK += 2;
531         camellia_feistel( X + 2, RK, X );
532         RK += 2;
533         camellia_feistel( X, RK, X + 2 );
534         RK += 2;
535         camellia_feistel( X + 2, RK, X );
536         RK += 2;
537         camellia_feistel( X, RK, X + 2 );
538         RK += 2;
539         camellia_feistel( X + 2, RK, X );
540         RK += 2;
541 
542         if( NR ) {
543             FL(X[0], X[1], RK[0], RK[1]);
544             RK += 2;
545             FLInv(X[2], X[3], RK[0], RK[1]);
546             RK += 2;
547         }
548     }
549 
550     X[2] ^= *RK++;
551     X[3] ^= *RK++;
552     X[0] ^= *RK++;
553     X[1] ^= *RK++;
554 
555     PUT_UINT32_BE( X[2], output,  0 );
556     PUT_UINT32_BE( X[3], output,  4 );
557     PUT_UINT32_BE( X[0], output,  8 );
558     PUT_UINT32_BE( X[1], output, 12 );
559 
560     return( 0 );
561 }
562 
563 #if defined(MBEDTLS_CIPHER_MODE_CBC)
564 /*
565  * Camellia-CBC buffer encryption/decryption
566  */
mbedtls_camellia_crypt_cbc(mbedtls_camellia_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)567 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
568                                 int mode,
569                                 size_t length,
570                                 unsigned char iv[16],
571                                 const unsigned char *input,
572                                 unsigned char *output )
573 {
574     int i;
575     unsigned char temp[16];
576     CAMELLIA_VALIDATE_RET( ctx != NULL );
577     CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
578                            mode == MBEDTLS_CAMELLIA_DECRYPT );
579     CAMELLIA_VALIDATE_RET( iv != NULL );
580     CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
581     CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
582 
583     if( length % 16 )
584         return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
585 
586     if( mode == MBEDTLS_CAMELLIA_DECRYPT )
587     {
588         while( length > 0 )
589         {
590             memcpy( temp, input, 16 );
591             mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
592 
593             for( i = 0; i < 16; i++ )
594                 output[i] = (unsigned char)( output[i] ^ iv[i] );
595 
596             memcpy( iv, temp, 16 );
597 
598             input  += 16;
599             output += 16;
600             length -= 16;
601         }
602     }
603     else
604     {
605         while( length > 0 )
606         {
607             for( i = 0; i < 16; i++ )
608                 output[i] = (unsigned char)( input[i] ^ iv[i] );
609 
610             mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
611             memcpy( iv, output, 16 );
612 
613             input  += 16;
614             output += 16;
615             length -= 16;
616         }
617     }
618 
619     return( 0 );
620 }
621 #endif /* MBEDTLS_CIPHER_MODE_CBC */
622 
623 #if defined(MBEDTLS_CIPHER_MODE_CFB)
624 /*
625  * Camellia-CFB128 buffer encryption/decryption
626  */
mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)627 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
628                        int mode,
629                        size_t length,
630                        size_t *iv_off,
631                        unsigned char iv[16],
632                        const unsigned char *input,
633                        unsigned char *output )
634 {
635     int c;
636     size_t n;
637     CAMELLIA_VALIDATE_RET( ctx != NULL );
638     CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
639                            mode == MBEDTLS_CAMELLIA_DECRYPT );
640     CAMELLIA_VALIDATE_RET( iv     != NULL );
641     CAMELLIA_VALIDATE_RET( iv_off != NULL );
642     CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
643     CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
644 
645     n = *iv_off;
646     if( n >= 16 )
647         return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
648 
649     if( mode == MBEDTLS_CAMELLIA_DECRYPT )
650     {
651         while( length-- )
652         {
653             if( n == 0 )
654                 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
655 
656             c = *input++;
657             *output++ = (unsigned char)( c ^ iv[n] );
658             iv[n] = (unsigned char) c;
659 
660             n = ( n + 1 ) & 0x0F;
661         }
662     }
663     else
664     {
665         while( length-- )
666         {
667             if( n == 0 )
668                 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
669 
670             iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
671 
672             n = ( n + 1 ) & 0x0F;
673         }
674     }
675 
676     *iv_off = n;
677 
678     return( 0 );
679 }
680 #endif /* MBEDTLS_CIPHER_MODE_CFB */
681 
682 #if defined(MBEDTLS_CIPHER_MODE_CTR)
683 /*
684  * Camellia-CTR buffer encryption/decryption
685  */
mbedtls_camellia_crypt_ctr(mbedtls_camellia_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)686 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
687                        size_t length,
688                        size_t *nc_off,
689                        unsigned char nonce_counter[16],
690                        unsigned char stream_block[16],
691                        const unsigned char *input,
692                        unsigned char *output )
693 {
694     int c, i;
695     size_t n;
696     CAMELLIA_VALIDATE_RET( ctx != NULL );
697     CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
698     CAMELLIA_VALIDATE_RET( stream_block  != NULL );
699     CAMELLIA_VALIDATE_RET( nc_off != NULL );
700     CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
701     CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
702 
703     n = *nc_off;
704     if( n >= 16 )
705         return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
706 
707     while( length-- )
708     {
709         if( n == 0 ) {
710             mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
711                                 stream_block );
712 
713             for( i = 16; i > 0; i-- )
714                 if( ++nonce_counter[i - 1] != 0 )
715                     break;
716         }
717         c = *input++;
718         *output++ = (unsigned char)( c ^ stream_block[n] );
719 
720         n = ( n + 1 ) & 0x0F;
721     }
722 
723     *nc_off = n;
724 
725     return( 0 );
726 }
727 #endif /* MBEDTLS_CIPHER_MODE_CTR */
728 #endif /* !MBEDTLS_CAMELLIA_ALT */
729 
730 #if defined(MBEDTLS_SELF_TEST)
731 
732 /*
733  * Camellia test vectors from:
734  *
735  * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
736  *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
737  *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
738  *                      (For each bitlength: Key 0, Nr 39)
739  */
740 #define CAMELLIA_TESTS_ECB  2
741 
742 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
743 {
744     {
745         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
746           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
747         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
748           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
749     },
750     {
751         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
752           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
753           0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
754         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
755           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
756           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
757     },
758     {
759         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
760           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
761           0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
762           0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
763         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
764           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
765           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
766           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
767     },
768 };
769 
770 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
771 {
772     { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
773       0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
774     { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
775       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
776 };
777 
778 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
779 {
780     {
781         { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
782           0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
783         { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
784           0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
785     },
786     {
787         { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
788           0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
789         { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
790           0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
791     },
792     {
793         { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
794           0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
795         { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
796           0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
797     }
798 };
799 
800 #if defined(MBEDTLS_CIPHER_MODE_CBC)
801 #define CAMELLIA_TESTS_CBC  3
802 
803 static const unsigned char camellia_test_cbc_key[3][32] =
804 {
805         { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
806           0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
807     ,
808         { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
809           0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
810           0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
811     ,
812         { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
813           0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
814           0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
815           0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
816 };
817 
818 static const unsigned char camellia_test_cbc_iv[16] =
819 
820     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
821       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
822 ;
823 
824 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
825 {
826     { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
827       0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
828     { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
829       0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
830     { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
831       0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
832 
833 };
834 
835 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
836 {
837     {
838         { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
839           0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
840         { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
841           0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
842         { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
843           0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
844     },
845     {
846         { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
847           0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
848         { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
849           0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
850         { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
851           0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
852     },
853     {
854         { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
855           0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
856         { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
857           0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
858         { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
859           0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
860     }
861 };
862 #endif /* MBEDTLS_CIPHER_MODE_CBC */
863 
864 #if defined(MBEDTLS_CIPHER_MODE_CTR)
865 /*
866  * Camellia-CTR test vectors from:
867  *
868  * http://www.faqs.org/rfcs/rfc5528.html
869  */
870 
871 static const unsigned char camellia_test_ctr_key[3][16] =
872 {
873     { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
874       0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
875     { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
876       0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
877     { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
878       0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
879 };
880 
881 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
882 {
883     { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
884       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
885     { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
886       0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
887     { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
888       0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
889 };
890 
891 static const unsigned char camellia_test_ctr_pt[3][48] =
892 {
893     { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
894       0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
895 
896     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
897       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
898       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
899       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
900 
901     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
902       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
903       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
904       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
905       0x20, 0x21, 0x22, 0x23 }
906 };
907 
908 static const unsigned char camellia_test_ctr_ct[3][48] =
909 {
910     { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
911       0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
912     { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
913       0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
914       0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
915       0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
916     { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
917       0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
918       0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
919       0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
920       0xDF, 0x50, 0x86, 0x96 }
921 };
922 
923 static const int camellia_test_ctr_len[3] =
924     { 16, 32, 36 };
925 #endif /* MBEDTLS_CIPHER_MODE_CTR */
926 
927 /*
928  * Checkup routine
929  */
mbedtls_camellia_self_test(int verbose)930 int mbedtls_camellia_self_test( int verbose )
931 {
932     int i, j, u, v;
933     unsigned char key[32];
934     unsigned char buf[64];
935     unsigned char src[16];
936     unsigned char dst[16];
937 #if defined(MBEDTLS_CIPHER_MODE_CBC)
938     unsigned char iv[16];
939 #endif
940 #if defined(MBEDTLS_CIPHER_MODE_CTR)
941     size_t offset, len;
942     unsigned char nonce_counter[16];
943     unsigned char stream_block[16];
944 #endif
945 
946     mbedtls_camellia_context ctx;
947 
948     memset( key, 0, 32 );
949 
950     for( j = 0; j < 6; j++ ) {
951         u = j >> 1;
952     v = j & 1;
953 
954     if( verbose != 0 )
955         mbedtls_printf( "  CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
956                          (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
957 
958     for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
959         memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
960 
961         if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
962             mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
963             memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
964             memcpy( dst, camellia_test_ecb_plain[i], 16 );
965         } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
966             mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
967             memcpy( src, camellia_test_ecb_plain[i], 16 );
968             memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
969         }
970 
971         mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
972 
973         if( memcmp( buf, dst, 16 ) != 0 )
974         {
975             if( verbose != 0 )
976                 mbedtls_printf( "failed\n" );
977 
978             return( 1 );
979         }
980     }
981 
982     if( verbose != 0 )
983         mbedtls_printf( "passed\n" );
984     }
985 
986     if( verbose != 0 )
987         mbedtls_printf( "\n" );
988 
989 #if defined(MBEDTLS_CIPHER_MODE_CBC)
990     /*
991      * CBC mode
992      */
993     for( j = 0; j < 6; j++ )
994     {
995         u = j >> 1;
996         v = j  & 1;
997 
998         if( verbose != 0 )
999             mbedtls_printf( "  CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
1000                              ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1001 
1002         memcpy( src, camellia_test_cbc_iv, 16 );
1003         memcpy( dst, camellia_test_cbc_iv, 16 );
1004         memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
1005 
1006         if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
1007             mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
1008         } else {
1009             mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
1010         }
1011 
1012         for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
1013 
1014             if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
1015                 memcpy( iv , src, 16 );
1016                 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
1017                 memcpy( dst, camellia_test_cbc_plain[i], 16 );
1018             } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
1019                 memcpy( iv , dst, 16 );
1020                 memcpy( src, camellia_test_cbc_plain[i], 16 );
1021                 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
1022             }
1023 
1024             mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
1025 
1026             if( memcmp( buf, dst, 16 ) != 0 )
1027             {
1028                 if( verbose != 0 )
1029                     mbedtls_printf( "failed\n" );
1030 
1031                 return( 1 );
1032             }
1033         }
1034 
1035         if( verbose != 0 )
1036             mbedtls_printf( "passed\n" );
1037     }
1038 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1039 
1040     if( verbose != 0 )
1041         mbedtls_printf( "\n" );
1042 
1043 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1044     /*
1045      * CTR mode
1046      */
1047     for( i = 0; i < 6; i++ )
1048     {
1049         u = i >> 1;
1050         v = i  & 1;
1051 
1052         if( verbose != 0 )
1053             mbedtls_printf( "  CAMELLIA-CTR-128 (%s): ",
1054                              ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1055 
1056         memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1057         memcpy( key, camellia_test_ctr_key[u], 16 );
1058 
1059         offset = 0;
1060         mbedtls_camellia_setkey_enc( &ctx, key, 128 );
1061 
1062         if( v == MBEDTLS_CAMELLIA_DECRYPT )
1063         {
1064             len = camellia_test_ctr_len[u];
1065             memcpy( buf, camellia_test_ctr_ct[u], len );
1066 
1067             mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1068                                 buf, buf );
1069 
1070             if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1071             {
1072                 if( verbose != 0 )
1073                     mbedtls_printf( "failed\n" );
1074 
1075                 return( 1 );
1076             }
1077         }
1078         else
1079         {
1080             len = camellia_test_ctr_len[u];
1081             memcpy( buf, camellia_test_ctr_pt[u], len );
1082 
1083             mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1084                                 buf, buf );
1085 
1086             if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1087             {
1088                 if( verbose != 0 )
1089                     mbedtls_printf( "failed\n" );
1090 
1091                 return( 1 );
1092             }
1093         }
1094 
1095         if( verbose != 0 )
1096             mbedtls_printf( "passed\n" );
1097     }
1098 
1099     if( verbose != 0 )
1100         mbedtls_printf( "\n" );
1101 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1102 
1103     return( 0 );
1104 }
1105 
1106 #endif /* MBEDTLS_SELF_TEST */
1107 
1108 #endif /* MBEDTLS_CAMELLIA_C */
1109