1 /*
2 * Camellia implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
21 * Corporation.
22 *
23 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
24 */
25
26 #include "common.h"
27
28 #if defined(MBEDTLS_CAMELLIA_C)
29
30 #include "mbedtls/camellia.h"
31 #include "mbedtls/platform_util.h"
32
33 #include <string.h>
34
35 #include "mbedtls/platform.h"
36
37 #if !defined(MBEDTLS_CAMELLIA_ALT)
38
39 static const unsigned char SIGMA_CHARS[6][8] =
40 {
41 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
42 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
43 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
44 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
45 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
46 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
47 };
48
49 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
50
51 static const unsigned char FSb[256] =
52 {
53 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
54 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
55 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
56 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
57 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
58 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
59 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
60 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
61 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
62 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
63 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
64 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
65 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
66 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
67 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
68 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
69 };
70
71 #define SBOX1(n) FSb[(n)]
72 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
73 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
74 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
75
76 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
77
78 static const unsigned char FSb[256] =
79 {
80 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
81 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
82 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
83 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
84 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
85 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
86 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
87 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
88 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
89 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
90 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
91 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
92 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
93 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
94 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
95 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
96 };
97
98 static const unsigned char FSb2[256] =
99 {
100 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
101 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
102 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
103 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
104 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
105 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
106 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
107 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
108 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
109 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
110 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
111 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
112 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
113 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
114 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
115 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
116 };
117
118 static const unsigned char FSb3[256] =
119 {
120 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
121 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
122 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
123 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
124 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
125 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
126 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
127 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
128 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
129 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
130 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
131 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
132 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
133 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
134 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
135 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
136 };
137
138 static const unsigned char FSb4[256] =
139 {
140 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
141 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
142 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
143 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
144 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
145 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
146 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
147 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
148 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
149 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
150 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
151 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
152 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
153 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
154 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
155 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
156 };
157
158 #define SBOX1(n) FSb[(n)]
159 #define SBOX2(n) FSb2[(n)]
160 #define SBOX3(n) FSb3[(n)]
161 #define SBOX4(n) FSb4[(n)]
162
163 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
164
165 static const unsigned char shifts[2][4][4] =
166 {
167 {
168 { 1, 1, 1, 1 }, /* KL */
169 { 0, 0, 0, 0 }, /* KR */
170 { 1, 1, 1, 1 }, /* KA */
171 { 0, 0, 0, 0 } /* KB */
172 },
173 {
174 { 1, 0, 1, 1 }, /* KL */
175 { 1, 1, 0, 1 }, /* KR */
176 { 1, 1, 1, 0 }, /* KA */
177 { 1, 1, 0, 1 } /* KB */
178 }
179 };
180
181 static const signed char indexes[2][4][20] =
182 {
183 {
184 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
185 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
186 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
187 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
188 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
189 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
190 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
191 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
192 },
193 {
194 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
195 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
196 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
197 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
198 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
199 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
200 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
201 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
202 }
203 };
204
205 static const signed char transposes[2][20] =
206 {
207 {
208 21, 22, 23, 20,
209 -1, -1, -1, -1,
210 18, 19, 16, 17,
211 11, 8, 9, 10,
212 15, 12, 13, 14
213 },
214 {
215 25, 26, 27, 24,
216 29, 30, 31, 28,
217 18, 19, 16, 17,
218 -1, -1, -1, -1,
219 -1, -1, -1, -1
220 }
221 };
222
223 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
224 #define ROTL(DEST, SRC, SHIFT) \
225 { \
226 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
227 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
228 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
229 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
230 }
231
232 #define FL(XL, XR, KL, KR) \
233 { \
234 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
235 (XL) = ((XR) | (KR)) ^ (XL); \
236 }
237
238 #define FLInv(YL, YR, KL, KR) \
239 { \
240 (YL) = ((YR) | (KR)) ^ (YL); \
241 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
242 }
243
244 #define SHIFT_AND_PLACE(INDEX, OFFSET) \
245 { \
246 TK[0] = KC[(OFFSET) * 4 + 0]; \
247 TK[1] = KC[(OFFSET) * 4 + 1]; \
248 TK[2] = KC[(OFFSET) * 4 + 2]; \
249 TK[3] = KC[(OFFSET) * 4 + 3]; \
250 \
251 for( i = 1; i <= 4; i++ ) \
252 if( shifts[(INDEX)][(OFFSET)][i -1] ) \
253 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \
254 \
255 for( i = 0; i < 20; i++ ) \
256 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \
257 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
258 } \
259 }
260
camellia_feistel(const uint32_t x[2],const uint32_t k[2],uint32_t z[2])261 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
262 uint32_t z[2])
263 {
264 uint32_t I0, I1;
265 I0 = x[0] ^ k[0];
266 I1 = x[1] ^ k[1];
267
268 I0 = ((uint32_t) SBOX1( MBEDTLS_BYTE_3( I0 )) << 24) |
269 ((uint32_t) SBOX2( MBEDTLS_BYTE_2( I0 )) << 16) |
270 ((uint32_t) SBOX3( MBEDTLS_BYTE_1( I0 )) << 8) |
271 ((uint32_t) SBOX4( MBEDTLS_BYTE_0( I0 )) );
272 I1 = ((uint32_t) SBOX2( MBEDTLS_BYTE_3( I1 )) << 24) |
273 ((uint32_t) SBOX3( MBEDTLS_BYTE_2( I1 )) << 16) |
274 ((uint32_t) SBOX4( MBEDTLS_BYTE_1( I1 )) << 8) |
275 ((uint32_t) SBOX1( MBEDTLS_BYTE_0( I1 )) );
276
277 I0 ^= (I1 << 8) | (I1 >> 24);
278 I1 ^= (I0 << 16) | (I0 >> 16);
279 I0 ^= (I1 >> 8) | (I1 << 24);
280 I1 ^= (I0 >> 8) | (I0 << 24);
281
282 z[0] ^= I1;
283 z[1] ^= I0;
284 }
285
mbedtls_camellia_init(mbedtls_camellia_context * ctx)286 void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
287 {
288 memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
289 }
290
mbedtls_camellia_free(mbedtls_camellia_context * ctx)291 void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
292 {
293 if( ctx == NULL )
294 return;
295
296 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
297 }
298
299 /*
300 * Camellia key schedule (encryption)
301 */
mbedtls_camellia_setkey_enc(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)302 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
303 const unsigned char *key,
304 unsigned int keybits )
305 {
306 int idx;
307 size_t i;
308 uint32_t *RK;
309 unsigned char t[64];
310 uint32_t SIGMA[6][2];
311 uint32_t KC[16];
312 uint32_t TK[20];
313
314 RK = ctx->rk;
315
316 memset( t, 0, 64 );
317 memset( RK, 0, sizeof(ctx->rk) );
318
319 switch( keybits )
320 {
321 case 128: ctx->nr = 3; idx = 0; break;
322 case 192:
323 case 256: ctx->nr = 4; idx = 1; break;
324 default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
325 }
326
327 for( i = 0; i < keybits / 8; ++i )
328 t[i] = key[i];
329
330 if( keybits == 192 ) {
331 for( i = 0; i < 8; i++ )
332 t[24 + i] = ~t[16 + i];
333 }
334
335 /*
336 * Prepare SIGMA values
337 */
338 for( i = 0; i < 6; i++ ) {
339 SIGMA[i][0] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 0 );
340 SIGMA[i][1] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 4 );
341 }
342
343 /*
344 * Key storage in KC
345 * Order: KL, KR, KA, KB
346 */
347 memset( KC, 0, sizeof(KC) );
348
349 /* Store KL, KR */
350 for( i = 0; i < 8; i++ )
351 KC[i] = MBEDTLS_GET_UINT32_BE( t, i * 4 );
352
353 /* Generate KA */
354 for( i = 0; i < 4; ++i )
355 KC[8 + i] = KC[i] ^ KC[4 + i];
356
357 camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
358 camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
359
360 for( i = 0; i < 4; ++i )
361 KC[8 + i] ^= KC[i];
362
363 camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
364 camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
365
366 if( keybits > 128 ) {
367 /* Generate KB */
368 for( i = 0; i < 4; ++i )
369 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
370
371 camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
372 camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
373 }
374
375 /*
376 * Generating subkeys
377 */
378
379 /* Manipulating KL */
380 SHIFT_AND_PLACE( idx, 0 );
381
382 /* Manipulating KR */
383 if( keybits > 128 ) {
384 SHIFT_AND_PLACE( idx, 1 );
385 }
386
387 /* Manipulating KA */
388 SHIFT_AND_PLACE( idx, 2 );
389
390 /* Manipulating KB */
391 if( keybits > 128 ) {
392 SHIFT_AND_PLACE( idx, 3 );
393 }
394
395 /* Do transpositions */
396 for( i = 0; i < 20; i++ ) {
397 if( transposes[idx][i] != -1 ) {
398 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
399 }
400 }
401
402 return( 0 );
403 }
404
405 /*
406 * Camellia key schedule (decryption)
407 */
mbedtls_camellia_setkey_dec(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)408 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
409 const unsigned char *key,
410 unsigned int keybits )
411 {
412 int idx, ret;
413 size_t i;
414 mbedtls_camellia_context cty;
415 uint32_t *RK;
416 uint32_t *SK;
417
418 mbedtls_camellia_init( &cty );
419
420 /* Also checks keybits */
421 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
422 goto exit;
423
424 ctx->nr = cty.nr;
425 idx = ( ctx->nr == 4 );
426
427 RK = ctx->rk;
428 SK = cty.rk + 24 * 2 + 8 * idx * 2;
429
430 *RK++ = *SK++;
431 *RK++ = *SK++;
432 *RK++ = *SK++;
433 *RK++ = *SK++;
434
435 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
436 {
437 *RK++ = *SK++;
438 *RK++ = *SK++;
439 }
440
441 SK -= 2;
442
443 *RK++ = *SK++;
444 *RK++ = *SK++;
445 *RK++ = *SK++;
446 *RK++ = *SK++;
447
448 exit:
449 mbedtls_camellia_free( &cty );
450
451 return( ret );
452 }
453
454 /*
455 * Camellia-ECB block encryption/decryption
456 */
mbedtls_camellia_crypt_ecb(mbedtls_camellia_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])457 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
458 int mode,
459 const unsigned char input[16],
460 unsigned char output[16] )
461 {
462 int NR;
463 uint32_t *RK, X[4];
464 if( mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT )
465 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
466
467 ( (void) mode );
468
469 NR = ctx->nr;
470 RK = ctx->rk;
471
472 X[0] = MBEDTLS_GET_UINT32_BE( input, 0 );
473 X[1] = MBEDTLS_GET_UINT32_BE( input, 4 );
474 X[2] = MBEDTLS_GET_UINT32_BE( input, 8 );
475 X[3] = MBEDTLS_GET_UINT32_BE( input, 12 );
476
477 X[0] ^= *RK++;
478 X[1] ^= *RK++;
479 X[2] ^= *RK++;
480 X[3] ^= *RK++;
481
482 while( NR ) {
483 --NR;
484 camellia_feistel( X, RK, X + 2 );
485 RK += 2;
486 camellia_feistel( X + 2, RK, X );
487 RK += 2;
488 camellia_feistel( X, RK, X + 2 );
489 RK += 2;
490 camellia_feistel( X + 2, RK, X );
491 RK += 2;
492 camellia_feistel( X, RK, X + 2 );
493 RK += 2;
494 camellia_feistel( X + 2, RK, X );
495 RK += 2;
496
497 if( NR ) {
498 FL(X[0], X[1], RK[0], RK[1]);
499 RK += 2;
500 FLInv(X[2], X[3], RK[0], RK[1]);
501 RK += 2;
502 }
503 }
504
505 X[2] ^= *RK++;
506 X[3] ^= *RK++;
507 X[0] ^= *RK++;
508 X[1] ^= *RK++;
509
510 MBEDTLS_PUT_UINT32_BE( X[2], output, 0 );
511 MBEDTLS_PUT_UINT32_BE( X[3], output, 4 );
512 MBEDTLS_PUT_UINT32_BE( X[0], output, 8 );
513 MBEDTLS_PUT_UINT32_BE( X[1], output, 12 );
514
515 return( 0 );
516 }
517
518 #if defined(MBEDTLS_CIPHER_MODE_CBC)
519 /*
520 * Camellia-CBC buffer encryption/decryption
521 */
mbedtls_camellia_crypt_cbc(mbedtls_camellia_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)522 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
523 int mode,
524 size_t length,
525 unsigned char iv[16],
526 const unsigned char *input,
527 unsigned char *output )
528 {
529 int i;
530 unsigned char temp[16];
531 if( mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT )
532 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
533
534 if( length % 16 )
535 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
536
537 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
538 {
539 while( length > 0 )
540 {
541 memcpy( temp, input, 16 );
542 mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
543
544 for( i = 0; i < 16; i++ )
545 output[i] = (unsigned char)( output[i] ^ iv[i] );
546
547 memcpy( iv, temp, 16 );
548
549 input += 16;
550 output += 16;
551 length -= 16;
552 }
553 }
554 else
555 {
556 while( length > 0 )
557 {
558 for( i = 0; i < 16; i++ )
559 output[i] = (unsigned char)( input[i] ^ iv[i] );
560
561 mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
562 memcpy( iv, output, 16 );
563
564 input += 16;
565 output += 16;
566 length -= 16;
567 }
568 }
569
570 return( 0 );
571 }
572 #endif /* MBEDTLS_CIPHER_MODE_CBC */
573
574 #if defined(MBEDTLS_CIPHER_MODE_CFB)
575 /*
576 * Camellia-CFB128 buffer encryption/decryption
577 */
mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)578 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
579 int mode,
580 size_t length,
581 size_t *iv_off,
582 unsigned char iv[16],
583 const unsigned char *input,
584 unsigned char *output )
585 {
586 int c;
587 size_t n;
588 if( mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT )
589 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
590
591 n = *iv_off;
592 if( n >= 16 )
593 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
594
595 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
596 {
597 while( length-- )
598 {
599 if( n == 0 )
600 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
601
602 c = *input++;
603 *output++ = (unsigned char)( c ^ iv[n] );
604 iv[n] = (unsigned char) c;
605
606 n = ( n + 1 ) & 0x0F;
607 }
608 }
609 else
610 {
611 while( length-- )
612 {
613 if( n == 0 )
614 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
615
616 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
617
618 n = ( n + 1 ) & 0x0F;
619 }
620 }
621
622 *iv_off = n;
623
624 return( 0 );
625 }
626 #endif /* MBEDTLS_CIPHER_MODE_CFB */
627
628 #if defined(MBEDTLS_CIPHER_MODE_CTR)
629 /*
630 * Camellia-CTR buffer encryption/decryption
631 */
mbedtls_camellia_crypt_ctr(mbedtls_camellia_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)632 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
633 size_t length,
634 size_t *nc_off,
635 unsigned char nonce_counter[16],
636 unsigned char stream_block[16],
637 const unsigned char *input,
638 unsigned char *output )
639 {
640 int c, i;
641 size_t n;
642
643 n = *nc_off;
644 if( n >= 16 )
645 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
646
647 while( length-- )
648 {
649 if( n == 0 ) {
650 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
651 stream_block );
652
653 for( i = 16; i > 0; i-- )
654 if( ++nonce_counter[i - 1] != 0 )
655 break;
656 }
657 c = *input++;
658 *output++ = (unsigned char)( c ^ stream_block[n] );
659
660 n = ( n + 1 ) & 0x0F;
661 }
662
663 *nc_off = n;
664
665 return( 0 );
666 }
667 #endif /* MBEDTLS_CIPHER_MODE_CTR */
668 #endif /* !MBEDTLS_CAMELLIA_ALT */
669
670 #if defined(MBEDTLS_SELF_TEST)
671
672 /*
673 * Camellia test vectors from:
674 *
675 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
676 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
677 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
678 * (For each bitlength: Key 0, Nr 39)
679 */
680 #define CAMELLIA_TESTS_ECB 2
681
682 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
683 {
684 {
685 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
686 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
687 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
688 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
689 },
690 {
691 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
692 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
693 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
694 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
695 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
696 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
697 },
698 {
699 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
700 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
701 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
702 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
703 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
704 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
707 },
708 };
709
710 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
711 {
712 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
713 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
714 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
715 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
716 };
717
718 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
719 {
720 {
721 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
722 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
723 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
724 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
725 },
726 {
727 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
728 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
729 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
730 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
731 },
732 {
733 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
734 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
735 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
736 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
737 }
738 };
739
740 #if defined(MBEDTLS_CIPHER_MODE_CBC)
741 #define CAMELLIA_TESTS_CBC 3
742
743 static const unsigned char camellia_test_cbc_key[3][32] =
744 {
745 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
746 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
747 ,
748 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
749 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
750 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
751 ,
752 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
753 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
754 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
755 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
756 };
757
758 static const unsigned char camellia_test_cbc_iv[16] =
759
760 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
761 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
762 ;
763
764 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
765 {
766 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
767 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
768 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
769 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
770 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
771 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
772
773 };
774
775 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
776 {
777 {
778 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
779 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
780 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
781 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
782 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
783 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
784 },
785 {
786 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
787 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
788 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
789 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
790 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
791 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
792 },
793 {
794 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
795 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
796 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
797 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
798 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
799 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
800 }
801 };
802 #endif /* MBEDTLS_CIPHER_MODE_CBC */
803
804 #if defined(MBEDTLS_CIPHER_MODE_CTR)
805 /*
806 * Camellia-CTR test vectors from:
807 *
808 * http://www.faqs.org/rfcs/rfc5528.html
809 */
810
811 static const unsigned char camellia_test_ctr_key[3][16] =
812 {
813 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
814 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
815 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
816 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
817 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
818 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
819 };
820
821 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
822 {
823 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
824 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
825 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
826 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
827 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
828 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
829 };
830
831 static const unsigned char camellia_test_ctr_pt[3][48] =
832 {
833 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
834 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
835
836 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
837 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
838 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
839 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
840
841 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
842 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
843 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
844 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
845 0x20, 0x21, 0x22, 0x23 }
846 };
847
848 static const unsigned char camellia_test_ctr_ct[3][48] =
849 {
850 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
851 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
852 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
853 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
854 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
855 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
856 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
857 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
858 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
859 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
860 0xDF, 0x50, 0x86, 0x96 }
861 };
862
863 static const int camellia_test_ctr_len[3] =
864 { 16, 32, 36 };
865 #endif /* MBEDTLS_CIPHER_MODE_CTR */
866
867 /*
868 * Checkup routine
869 */
mbedtls_camellia_self_test(int verbose)870 int mbedtls_camellia_self_test( int verbose )
871 {
872 int i, j, u, v;
873 unsigned char key[32];
874 unsigned char buf[64];
875 unsigned char src[16];
876 unsigned char dst[16];
877 #if defined(MBEDTLS_CIPHER_MODE_CBC)
878 unsigned char iv[16];
879 #endif
880 #if defined(MBEDTLS_CIPHER_MODE_CTR)
881 size_t offset, len;
882 unsigned char nonce_counter[16];
883 unsigned char stream_block[16];
884 #endif
885 int ret = 1;
886
887 mbedtls_camellia_context ctx;
888
889 mbedtls_camellia_init( &ctx );
890 memset( key, 0, 32 );
891
892 for( j = 0; j < 6; j++ ) {
893 u = j >> 1;
894 v = j & 1;
895
896 if( verbose != 0 )
897 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
898 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
899
900 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
901 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
902
903 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
904 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
905 memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
906 memcpy( dst, camellia_test_ecb_plain[i], 16 );
907 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
908 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
909 memcpy( src, camellia_test_ecb_plain[i], 16 );
910 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
911 }
912
913 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
914
915 if( memcmp( buf, dst, 16 ) != 0 )
916 {
917 if( verbose != 0 )
918 mbedtls_printf( "failed\n" );
919 goto exit;
920 }
921 }
922
923 if( verbose != 0 )
924 mbedtls_printf( "passed\n" );
925 }
926
927 if( verbose != 0 )
928 mbedtls_printf( "\n" );
929
930 #if defined(MBEDTLS_CIPHER_MODE_CBC)
931 /*
932 * CBC mode
933 */
934 for( j = 0; j < 6; j++ )
935 {
936 u = j >> 1;
937 v = j & 1;
938
939 if( verbose != 0 )
940 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
941 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
942
943 memcpy( src, camellia_test_cbc_iv, 16 );
944 memcpy( dst, camellia_test_cbc_iv, 16 );
945 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
946
947 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
948 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
949 } else {
950 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
951 }
952
953 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
954
955 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
956 memcpy( iv , src, 16 );
957 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
958 memcpy( dst, camellia_test_cbc_plain[i], 16 );
959 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
960 memcpy( iv , dst, 16 );
961 memcpy( src, camellia_test_cbc_plain[i], 16 );
962 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
963 }
964
965 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
966
967 if( memcmp( buf, dst, 16 ) != 0 )
968 {
969 if( verbose != 0 )
970 mbedtls_printf( "failed\n" );
971 goto exit;
972 }
973 }
974
975 if( verbose != 0 )
976 mbedtls_printf( "passed\n" );
977 }
978 #endif /* MBEDTLS_CIPHER_MODE_CBC */
979
980 if( verbose != 0 )
981 mbedtls_printf( "\n" );
982
983 #if defined(MBEDTLS_CIPHER_MODE_CTR)
984 /*
985 * CTR mode
986 */
987 for( i = 0; i < 6; i++ )
988 {
989 u = i >> 1;
990 v = i & 1;
991
992 if( verbose != 0 )
993 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ",
994 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
995
996 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
997 memcpy( key, camellia_test_ctr_key[u], 16 );
998
999 offset = 0;
1000 mbedtls_camellia_setkey_enc( &ctx, key, 128 );
1001
1002 if( v == MBEDTLS_CAMELLIA_DECRYPT )
1003 {
1004 len = camellia_test_ctr_len[u];
1005 memcpy( buf, camellia_test_ctr_ct[u], len );
1006
1007 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1008 buf, buf );
1009
1010 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1011 {
1012 if( verbose != 0 )
1013 mbedtls_printf( "failed\n" );
1014 goto exit;
1015 }
1016 }
1017 else
1018 {
1019 len = camellia_test_ctr_len[u];
1020 memcpy( buf, camellia_test_ctr_pt[u], len );
1021
1022 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1023 buf, buf );
1024
1025 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1026 {
1027 if( verbose != 0 )
1028 mbedtls_printf( "failed\n" );
1029 goto exit;
1030 }
1031 }
1032
1033 if( verbose != 0 )
1034 mbedtls_printf( "passed\n" );
1035 }
1036
1037 if( verbose != 0 )
1038 mbedtls_printf( "\n" );
1039 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1040
1041 ret = 0;
1042
1043 exit:
1044 mbedtls_camellia_free( &ctx );
1045 return( ret );
1046 }
1047
1048 #endif /* MBEDTLS_SELF_TEST */
1049
1050 #endif /* MBEDTLS_CAMELLIA_C */
1051
