1 /*
2 * Camellia implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
9 * Corporation.
10 *
11 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
12 */
13
14 #include "common.h"
15
16 #if defined(MBEDTLS_CAMELLIA_C)
17
18 #include "mbedtls/camellia.h"
19 #include "mbedtls/platform_util.h"
20
21 #include <string.h>
22
23 #include "mbedtls/platform.h"
24
25 #if !defined(MBEDTLS_CAMELLIA_ALT)
26
27 static const unsigned char SIGMA_CHARS[6][8] =
28 {
29 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
30 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
31 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
32 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
33 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
34 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
35 };
36
37 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
38
39 static const unsigned char FSb[256] =
40 {
41 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
42 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
43 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
44 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
45 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
46 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
47 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
48 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
49 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
50 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
51 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
52 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
53 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
54 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
55 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
56 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
57 };
58
59 #define SBOX1(n) FSb[(n)]
60 #define SBOX2(n) (unsigned char) ((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
61 #define SBOX3(n) (unsigned char) ((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
62 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
63
64 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
65
66 static const unsigned char FSb[256] =
67 {
68 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
69 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
70 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
71 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
72 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
73 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
74 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
75 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
76 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
77 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
78 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
79 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
80 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
81 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
82 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
83 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
84 };
85
86 static const unsigned char FSb2[256] =
87 {
88 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
89 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
90 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
91 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
92 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
93 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
94 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
95 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
96 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
97 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
98 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
99 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
100 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
101 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
102 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
103 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
104 };
105
106 static const unsigned char FSb3[256] =
107 {
108 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
109 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
110 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
111 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
112 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
113 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
114 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
115 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
116 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
117 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
118 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
119 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
120 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
121 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
122 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
123 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
124 };
125
126 static const unsigned char FSb4[256] =
127 {
128 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
129 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
130 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
131 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
132 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
133 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
134 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
135 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
136 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
137 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
138 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
139 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
140 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
141 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
142 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
143 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
144 };
145
146 #define SBOX1(n) FSb[(n)]
147 #define SBOX2(n) FSb2[(n)]
148 #define SBOX3(n) FSb3[(n)]
149 #define SBOX4(n) FSb4[(n)]
150
151 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
152
153 static const unsigned char shifts[2][4][4] =
154 {
155 {
156 { 1, 1, 1, 1 }, /* KL */
157 { 0, 0, 0, 0 }, /* KR */
158 { 1, 1, 1, 1 }, /* KA */
159 { 0, 0, 0, 0 } /* KB */
160 },
161 {
162 { 1, 0, 1, 1 }, /* KL */
163 { 1, 1, 0, 1 }, /* KR */
164 { 1, 1, 1, 0 }, /* KA */
165 { 1, 1, 0, 1 } /* KB */
166 }
167 };
168
169 static const signed char indexes[2][4][20] =
170 {
171 {
172 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
173 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
174 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
175 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
176 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
177 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
178 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
179 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
180 },
181 {
182 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
183 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
184 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
185 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
186 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
187 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
188 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
189 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
190 }
191 };
192
193 static const signed char transposes[2][20] =
194 {
195 {
196 21, 22, 23, 20,
197 -1, -1, -1, -1,
198 18, 19, 16, 17,
199 11, 8, 9, 10,
200 15, 12, 13, 14
201 },
202 {
203 25, 26, 27, 24,
204 29, 30, 31, 28,
205 18, 19, 16, 17,
206 -1, -1, -1, -1,
207 -1, -1, -1, -1
208 }
209 };
210
211 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
212 #define ROTL(DEST, SRC, SHIFT) \
213 { \
214 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
215 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
216 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
217 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
218 }
219
220 #define FL(XL, XR, KL, KR) \
221 { \
222 (XR) = ((((XL) &(KL)) << 1) | (((XL) &(KL)) >> 31)) ^ (XR); \
223 (XL) = ((XR) | (KR)) ^ (XL); \
224 }
225
226 #define FLInv(YL, YR, KL, KR) \
227 { \
228 (YL) = ((YR) | (KR)) ^ (YL); \
229 (YR) = ((((YL) &(KL)) << 1) | (((YL) &(KL)) >> 31)) ^ (YR); \
230 }
231
232 #define SHIFT_AND_PLACE(INDEX, OFFSET) \
233 { \
234 TK[0] = KC[(OFFSET) * 4 + 0]; \
235 TK[1] = KC[(OFFSET) * 4 + 1]; \
236 TK[2] = KC[(OFFSET) * 4 + 2]; \
237 TK[3] = KC[(OFFSET) * 4 + 3]; \
238 \
239 for (i = 1; i <= 4; i++) \
240 if (shifts[(INDEX)][(OFFSET)][i -1]) \
241 ROTL(TK + i * 4, TK, (15 * i) % 32); \
242 \
243 for (i = 0; i < 20; i++) \
244 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
245 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[i]; \
246 } \
247 }
248
camellia_feistel(const uint32_t x[2],const uint32_t k[2],uint32_t z[2])249 static void camellia_feistel(const uint32_t x[2], const uint32_t k[2],
250 uint32_t z[2])
251 {
252 uint32_t I0, I1;
253 I0 = x[0] ^ k[0];
254 I1 = x[1] ^ k[1];
255
256 I0 = ((uint32_t) SBOX1(MBEDTLS_BYTE_3(I0)) << 24) |
257 ((uint32_t) SBOX2(MBEDTLS_BYTE_2(I0)) << 16) |
258 ((uint32_t) SBOX3(MBEDTLS_BYTE_1(I0)) << 8) |
259 ((uint32_t) SBOX4(MBEDTLS_BYTE_0(I0)));
260 I1 = ((uint32_t) SBOX2(MBEDTLS_BYTE_3(I1)) << 24) |
261 ((uint32_t) SBOX3(MBEDTLS_BYTE_2(I1)) << 16) |
262 ((uint32_t) SBOX4(MBEDTLS_BYTE_1(I1)) << 8) |
263 ((uint32_t) SBOX1(MBEDTLS_BYTE_0(I1)));
264
265 I0 ^= (I1 << 8) | (I1 >> 24);
266 I1 ^= (I0 << 16) | (I0 >> 16);
267 I0 ^= (I1 >> 8) | (I1 << 24);
268 I1 ^= (I0 >> 8) | (I0 << 24);
269
270 z[0] ^= I1;
271 z[1] ^= I0;
272 }
273
mbedtls_camellia_init(mbedtls_camellia_context * ctx)274 void mbedtls_camellia_init(mbedtls_camellia_context *ctx)
275 {
276 memset(ctx, 0, sizeof(mbedtls_camellia_context));
277 }
278
mbedtls_camellia_free(mbedtls_camellia_context * ctx)279 void mbedtls_camellia_free(mbedtls_camellia_context *ctx)
280 {
281 if (ctx == NULL) {
282 return;
283 }
284
285 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_camellia_context));
286 }
287
288 /*
289 * Camellia key schedule (encryption)
290 */
mbedtls_camellia_setkey_enc(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)291 int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
292 const unsigned char *key,
293 unsigned int keybits)
294 {
295 int idx;
296 size_t i;
297 uint32_t *RK;
298 unsigned char t[64];
299 uint32_t SIGMA[6][2];
300 uint32_t KC[16];
301 uint32_t TK[20];
302
303 RK = ctx->rk;
304
305 memset(t, 0, 64);
306 memset(RK, 0, sizeof(ctx->rk));
307
308 switch (keybits) {
309 case 128: ctx->nr = 3; idx = 0; break;
310 case 192:
311 case 256: ctx->nr = 4; idx = 1; break;
312 default: return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
313 }
314
315 for (i = 0; i < keybits / 8; ++i) {
316 t[i] = key[i];
317 }
318
319 if (keybits == 192) {
320 for (i = 0; i < 8; i++) {
321 t[24 + i] = ~t[16 + i];
322 }
323 }
324
325 /*
326 * Prepare SIGMA values
327 */
328 for (i = 0; i < 6; i++) {
329 SIGMA[i][0] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 0);
330 SIGMA[i][1] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 4);
331 }
332
333 /*
334 * Key storage in KC
335 * Order: KL, KR, KA, KB
336 */
337 memset(KC, 0, sizeof(KC));
338
339 /* Store KL, KR */
340 for (i = 0; i < 8; i++) {
341 KC[i] = MBEDTLS_GET_UINT32_BE(t, i * 4);
342 }
343
344 /* Generate KA */
345 for (i = 0; i < 4; ++i) {
346 KC[8 + i] = KC[i] ^ KC[4 + i];
347 }
348
349 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
350 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
351
352 for (i = 0; i < 4; ++i) {
353 KC[8 + i] ^= KC[i];
354 }
355
356 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
357 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
358
359 if (keybits > 128) {
360 /* Generate KB */
361 for (i = 0; i < 4; ++i) {
362 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
363 }
364
365 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
366 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
367 }
368
369 /*
370 * Generating subkeys
371 */
372
373 /* Manipulating KL */
374 SHIFT_AND_PLACE(idx, 0);
375
376 /* Manipulating KR */
377 if (keybits > 128) {
378 SHIFT_AND_PLACE(idx, 1);
379 }
380
381 /* Manipulating KA */
382 SHIFT_AND_PLACE(idx, 2);
383
384 /* Manipulating KB */
385 if (keybits > 128) {
386 SHIFT_AND_PLACE(idx, 3);
387 }
388
389 /* Do transpositions */
390 for (i = 0; i < 20; i++) {
391 if (transposes[idx][i] != -1) {
392 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
393 }
394 }
395
396 return 0;
397 }
398
399 /*
400 * Camellia key schedule (decryption)
401 */
402 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
mbedtls_camellia_setkey_dec(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)403 int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
404 const unsigned char *key,
405 unsigned int keybits)
406 {
407 int idx, ret;
408 size_t i;
409 mbedtls_camellia_context cty;
410 uint32_t *RK;
411 uint32_t *SK;
412
413 mbedtls_camellia_init(&cty);
414
415 /* Also checks keybits */
416 if ((ret = mbedtls_camellia_setkey_enc(&cty, key, keybits)) != 0) {
417 goto exit;
418 }
419
420 ctx->nr = cty.nr;
421 idx = (ctx->nr == 4);
422
423 RK = ctx->rk;
424 SK = cty.rk + 24 * 2 + 8 * idx * 2;
425
426 *RK++ = *SK++;
427 *RK++ = *SK++;
428 *RK++ = *SK++;
429 *RK++ = *SK++;
430
431 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4) {
432 *RK++ = *SK++;
433 *RK++ = *SK++;
434 }
435
436 SK -= 2;
437
438 *RK++ = *SK++;
439 *RK++ = *SK++;
440 *RK++ = *SK++;
441 *RK++ = *SK++;
442
443 exit:
444 mbedtls_camellia_free(&cty);
445
446 return ret;
447 }
448 #endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
449
450 /*
451 * Camellia-ECB block encryption/decryption
452 */
mbedtls_camellia_crypt_ecb(mbedtls_camellia_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])453 int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
454 int mode,
455 const unsigned char input[16],
456 unsigned char output[16])
457 {
458 int NR;
459 uint32_t *RK, X[4];
460 if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
461 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
462 }
463
464 ((void) mode);
465
466 NR = ctx->nr;
467 RK = ctx->rk;
468
469 X[0] = MBEDTLS_GET_UINT32_BE(input, 0);
470 X[1] = MBEDTLS_GET_UINT32_BE(input, 4);
471 X[2] = MBEDTLS_GET_UINT32_BE(input, 8);
472 X[3] = MBEDTLS_GET_UINT32_BE(input, 12);
473
474 X[0] ^= *RK++;
475 X[1] ^= *RK++;
476 X[2] ^= *RK++;
477 X[3] ^= *RK++;
478
479 while (NR) {
480 --NR;
481 camellia_feistel(X, RK, X + 2);
482 RK += 2;
483 camellia_feistel(X + 2, RK, X);
484 RK += 2;
485 camellia_feistel(X, RK, X + 2);
486 RK += 2;
487 camellia_feistel(X + 2, RK, X);
488 RK += 2;
489 camellia_feistel(X, RK, X + 2);
490 RK += 2;
491 camellia_feistel(X + 2, RK, X);
492 RK += 2;
493
494 if (NR) {
495 FL(X[0], X[1], RK[0], RK[1]);
496 RK += 2;
497 FLInv(X[2], X[3], RK[0], RK[1]);
498 RK += 2;
499 }
500 }
501
502 X[2] ^= *RK++;
503 X[3] ^= *RK++;
504 X[0] ^= *RK++;
505 X[1] ^= *RK++;
506
507 MBEDTLS_PUT_UINT32_BE(X[2], output, 0);
508 MBEDTLS_PUT_UINT32_BE(X[3], output, 4);
509 MBEDTLS_PUT_UINT32_BE(X[0], output, 8);
510 MBEDTLS_PUT_UINT32_BE(X[1], output, 12);
511
512 return 0;
513 }
514
515 #if defined(MBEDTLS_CIPHER_MODE_CBC)
516 /*
517 * Camellia-CBC buffer encryption/decryption
518 */
mbedtls_camellia_crypt_cbc(mbedtls_camellia_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)519 int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
520 int mode,
521 size_t length,
522 unsigned char iv[16],
523 const unsigned char *input,
524 unsigned char *output)
525 {
526 unsigned char temp[16];
527 if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
528 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
529 }
530
531 if (length % 16) {
532 return MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH;
533 }
534
535 if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
536 while (length > 0) {
537 memcpy(temp, input, 16);
538 mbedtls_camellia_crypt_ecb(ctx, mode, input, output);
539
540 mbedtls_xor(output, output, iv, 16);
541
542 memcpy(iv, temp, 16);
543
544 input += 16;
545 output += 16;
546 length -= 16;
547 }
548 } else {
549 while (length > 0) {
550 mbedtls_xor(output, input, iv, 16);
551
552 mbedtls_camellia_crypt_ecb(ctx, mode, output, output);
553 memcpy(iv, output, 16);
554
555 input += 16;
556 output += 16;
557 length -= 16;
558 }
559 }
560
561 return 0;
562 }
563 #endif /* MBEDTLS_CIPHER_MODE_CBC */
564
565 #if defined(MBEDTLS_CIPHER_MODE_CFB)
566 /*
567 * Camellia-CFB128 buffer encryption/decryption
568 */
mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)569 int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
570 int mode,
571 size_t length,
572 size_t *iv_off,
573 unsigned char iv[16],
574 const unsigned char *input,
575 unsigned char *output)
576 {
577 int c;
578 size_t n;
579 if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
580 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
581 }
582
583 n = *iv_off;
584 if (n >= 16) {
585 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
586 }
587
588 if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
589 while (length--) {
590 if (n == 0) {
591 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
592 }
593
594 c = *input++;
595 *output++ = (unsigned char) (c ^ iv[n]);
596 iv[n] = (unsigned char) c;
597
598 n = (n + 1) & 0x0F;
599 }
600 } else {
601 while (length--) {
602 if (n == 0) {
603 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
604 }
605
606 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
607
608 n = (n + 1) & 0x0F;
609 }
610 }
611
612 *iv_off = n;
613
614 return 0;
615 }
616 #endif /* MBEDTLS_CIPHER_MODE_CFB */
617
618 #if defined(MBEDTLS_CIPHER_MODE_CTR)
619 /*
620 * Camellia-CTR buffer encryption/decryption
621 */
mbedtls_camellia_crypt_ctr(mbedtls_camellia_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)622 int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
623 size_t length,
624 size_t *nc_off,
625 unsigned char nonce_counter[16],
626 unsigned char stream_block[16],
627 const unsigned char *input,
628 unsigned char *output)
629 {
630 int c, i;
631 size_t n;
632
633 n = *nc_off;
634 if (n >= 16) {
635 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
636 }
637
638 while (length--) {
639 if (n == 0) {
640 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
641 stream_block);
642
643 for (i = 16; i > 0; i--) {
644 if (++nonce_counter[i - 1] != 0) {
645 break;
646 }
647 }
648 }
649 c = *input++;
650 *output++ = (unsigned char) (c ^ stream_block[n]);
651
652 n = (n + 1) & 0x0F;
653 }
654
655 *nc_off = n;
656
657 return 0;
658 }
659 #endif /* MBEDTLS_CIPHER_MODE_CTR */
660 #endif /* !MBEDTLS_CAMELLIA_ALT */
661
662 #if defined(MBEDTLS_SELF_TEST)
663
664 /*
665 * Camellia test vectors from:
666 *
667 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
668 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
669 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
670 * (For each bitlength: Key 0, Nr 39)
671 */
672 #define CAMELLIA_TESTS_ECB 2
673
674 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
675 {
676 {
677 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
678 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
679 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
680 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
681 },
682 {
683 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
684 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
685 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
686 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
687 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
688 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
689 },
690 {
691 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
692 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
693 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
694 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
695 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
696 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
697 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
698 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
699 },
700 };
701
702 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
703 {
704 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
705 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
706 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
708 };
709
710 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
711 {
712 {
713 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
714 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
715 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
716 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
717 },
718 {
719 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
720 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
721 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
722 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
723 },
724 {
725 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
726 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
727 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
728 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
729 }
730 };
731
732 #if defined(MBEDTLS_CIPHER_MODE_CBC)
733 #define CAMELLIA_TESTS_CBC 3
734
735 static const unsigned char camellia_test_cbc_key[3][32] =
736 {
737 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
738 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
739 ,
740 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
741 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
742 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
743 ,
744 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
745 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
746 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
747 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
748 };
749
750 static const unsigned char camellia_test_cbc_iv[16] =
751
752 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
753 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
754 ;
755
756 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
757 {
758 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
759 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
760 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
761 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
762 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
763 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
764
765 };
766
767 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
768 {
769 {
770 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
771 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
772 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
773 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
774 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
775 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
776 },
777 {
778 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
779 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
780 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
781 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
782 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
783 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
784 },
785 {
786 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
787 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
788 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
789 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
790 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
791 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
792 }
793 };
794 #endif /* MBEDTLS_CIPHER_MODE_CBC */
795
796 #if defined(MBEDTLS_CIPHER_MODE_CTR)
797 /*
798 * Camellia-CTR test vectors from:
799 *
800 * http://www.faqs.org/rfcs/rfc5528.html
801 */
802
803 static const unsigned char camellia_test_ctr_key[3][16] =
804 {
805 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
806 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
807 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
808 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
809 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
810 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
811 };
812
813 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
814 {
815 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
817 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
818 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
819 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
820 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
821 };
822
823 static const unsigned char camellia_test_ctr_pt[3][48] =
824 {
825 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
826 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
827
828 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
829 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
830 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
831 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
832
833 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
834 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
835 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
836 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
837 0x20, 0x21, 0x22, 0x23 }
838 };
839
840 static const unsigned char camellia_test_ctr_ct[3][48] =
841 {
842 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
843 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
844 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
845 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
846 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
847 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
848 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
849 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
850 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
851 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
852 0xDF, 0x50, 0x86, 0x96 }
853 };
854
855 static const int camellia_test_ctr_len[3] =
856 { 16, 32, 36 };
857 #endif /* MBEDTLS_CIPHER_MODE_CTR */
858
859 /*
860 * Checkup routine
861 */
mbedtls_camellia_self_test(int verbose)862 int mbedtls_camellia_self_test(int verbose)
863 {
864 int i, j, u, v;
865 unsigned char key[32];
866 unsigned char buf[64];
867 unsigned char src[16];
868 unsigned char dst[16];
869 #if defined(MBEDTLS_CIPHER_MODE_CBC)
870 unsigned char iv[16];
871 #endif
872 #if defined(MBEDTLS_CIPHER_MODE_CTR)
873 size_t offset, len;
874 unsigned char nonce_counter[16];
875 unsigned char stream_block[16];
876 #endif
877 int ret = 1;
878
879 mbedtls_camellia_context ctx;
880
881 mbedtls_camellia_init(&ctx);
882 memset(key, 0, 32);
883
884 for (j = 0; j < 6; j++) {
885 u = j >> 1;
886 v = j & 1;
887
888 if (verbose != 0) {
889 mbedtls_printf(" CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
890 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
891 }
892
893 #if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
894 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
895 if (verbose != 0) {
896 mbedtls_printf("skipped\n");
897 }
898 continue;
899 }
900 #endif
901
902 for (i = 0; i < CAMELLIA_TESTS_ECB; i++) {
903 memcpy(key, camellia_test_ecb_key[u][i], 16 + 8 * u);
904
905 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
906 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
907 mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
908 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
909 memcpy(dst, camellia_test_ecb_plain[i], 16);
910 } else
911 #endif
912 { /* MBEDTLS_CAMELLIA_ENCRYPT */
913 mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
914 memcpy(src, camellia_test_ecb_plain[i], 16);
915 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
916 }
917
918 mbedtls_camellia_crypt_ecb(&ctx, v, src, buf);
919
920 if (memcmp(buf, dst, 16) != 0) {
921 if (verbose != 0) {
922 mbedtls_printf("failed\n");
923 }
924 goto exit;
925 }
926 }
927
928 if (verbose != 0) {
929 mbedtls_printf("passed\n");
930 }
931 }
932
933 if (verbose != 0) {
934 mbedtls_printf("\n");
935 }
936
937 #if defined(MBEDTLS_CIPHER_MODE_CBC)
938 /*
939 * CBC mode
940 */
941 for (j = 0; j < 6; j++) {
942 u = j >> 1;
943 v = j & 1;
944
945 if (verbose != 0) {
946 mbedtls_printf(" CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
947 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
948 }
949
950 memcpy(src, camellia_test_cbc_iv, 16);
951 memcpy(dst, camellia_test_cbc_iv, 16);
952 memcpy(key, camellia_test_cbc_key[u], 16 + 8 * u);
953
954 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
955 mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
956 } else {
957 mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
958 }
959
960 for (i = 0; i < CAMELLIA_TESTS_CBC; i++) {
961
962 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
963 memcpy(iv, src, 16);
964 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
965 memcpy(dst, camellia_test_cbc_plain[i], 16);
966 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
967 memcpy(iv, dst, 16);
968 memcpy(src, camellia_test_cbc_plain[i], 16);
969 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
970 }
971
972 mbedtls_camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
973
974 if (memcmp(buf, dst, 16) != 0) {
975 if (verbose != 0) {
976 mbedtls_printf("failed\n");
977 }
978 goto exit;
979 }
980 }
981
982 if (verbose != 0) {
983 mbedtls_printf("passed\n");
984 }
985 }
986 #endif /* MBEDTLS_CIPHER_MODE_CBC */
987
988 if (verbose != 0) {
989 mbedtls_printf("\n");
990 }
991
992 #if defined(MBEDTLS_CIPHER_MODE_CTR)
993 /*
994 * CTR mode
995 */
996 for (i = 0; i < 6; i++) {
997 u = i >> 1;
998 v = i & 1;
999
1000 if (verbose != 0) {
1001 mbedtls_printf(" CAMELLIA-CTR-128 (%s): ",
1002 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
1003 }
1004
1005 memcpy(nonce_counter, camellia_test_ctr_nonce_counter[u], 16);
1006 memcpy(key, camellia_test_ctr_key[u], 16);
1007
1008 offset = 0;
1009 mbedtls_camellia_setkey_enc(&ctx, key, 128);
1010
1011 if (v == MBEDTLS_CAMELLIA_DECRYPT) {
1012 len = camellia_test_ctr_len[u];
1013 memcpy(buf, camellia_test_ctr_ct[u], len);
1014
1015 mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1016 buf, buf);
1017
1018 if (memcmp(buf, camellia_test_ctr_pt[u], len) != 0) {
1019 if (verbose != 0) {
1020 mbedtls_printf("failed\n");
1021 }
1022 goto exit;
1023 }
1024 } else {
1025 len = camellia_test_ctr_len[u];
1026 memcpy(buf, camellia_test_ctr_pt[u], len);
1027
1028 mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1029 buf, buf);
1030
1031 if (memcmp(buf, camellia_test_ctr_ct[u], len) != 0) {
1032 if (verbose != 0) {
1033 mbedtls_printf("failed\n");
1034 }
1035 goto exit;
1036 }
1037 }
1038
1039 if (verbose != 0) {
1040 mbedtls_printf("passed\n");
1041 }
1042 }
1043
1044 if (verbose != 0) {
1045 mbedtls_printf("\n");
1046 }
1047 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1048
1049 ret = 0;
1050
1051 exit:
1052 mbedtls_camellia_free(&ctx);
1053 return ret;
1054 }
1055
1056 #endif /* MBEDTLS_SELF_TEST */
1057
1058 #endif /* MBEDTLS_CAMELLIA_C */
1059
