blob: d60f9318807410259688bf0723a58af5688e1a21 [file] [log] [blame]
Paul Bakker38119b12009-01-10 23:31:23 +00001/*
2 * Camellia implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +02004 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02005 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker38119b12009-01-10 23:31:23 +000018 */
19/*
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +000020 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
21 * Corporation.
Paul Bakker38119b12009-01-10 23:31:23 +000022 *
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +000023 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
Paul Bakker38119b12009-01-10 23:31:23 +000024 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +020026#include "common.h"
Paul Bakker38119b12009-01-10 23:31:23 +000027
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020028#if defined(MBEDTLS_CAMELLIA_C)
Paul Bakker38119b12009-01-10 23:31:23 +000029
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000030#include "mbedtls/camellia.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -050031#include "mbedtls/platform_util.h"
Paul Bakker38119b12009-01-10 23:31:23 +000032
Rich Evans00ab4702015-02-06 13:43:58 +000033#include <string.h>
Manuel Pégourié-Gonnard394608e2015-02-17 16:01:07 +010034
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020035#if defined(MBEDTLS_SELF_TEST)
36#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000037#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +010038#else
Rich Evans00ab4702015-02-06 13:43:58 +000039#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020040#define mbedtls_printf printf
41#endif /* MBEDTLS_PLATFORM_C */
42#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +010043
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020044#if !defined(MBEDTLS_CAMELLIA_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +020045
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050046/* Parameter validation macros */
47#define CAMELLIA_VALIDATE_RET( cond ) \
48 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
49#define CAMELLIA_VALIDATE( cond ) \
50 MBEDTLS_INTERNAL_VALIDATE( cond )
51
Paul Bakker38119b12009-01-10 23:31:23 +000052/*
53 * 32-bit integer manipulation macros (big endian)
54 */
Paul Bakker5c2364c2012-10-01 14:41:15 +000055#ifndef GET_UINT32_BE
56#define GET_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +000057{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +000058 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
59 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
60 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
61 | ( (uint32_t) (b)[(i) + 3] ); \
Paul Bakker38119b12009-01-10 23:31:23 +000062}
63#endif
64
Paul Bakker5c2364c2012-10-01 14:41:15 +000065#ifndef PUT_UINT32_BE
66#define PUT_UINT32_BE(n,b,i) \
Paul Bakker38119b12009-01-10 23:31:23 +000067{ \
68 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
69 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
70 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
71 (b)[(i) + 3] = (unsigned char) ( (n) ); \
72}
73#endif
74
75static const unsigned char SIGMA_CHARS[6][8] =
76{
Paul Bakkerc81f6c32009-05-03 13:09:15 +000077 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
78 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
79 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
80 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
81 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
82 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
Paul Bakker38119b12009-01-10 23:31:23 +000083};
84
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020085#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
Paul Bakkerfa049db2009-01-12 22:12:03 +000086
87static const unsigned char FSb[256] =
Paul Bakker38119b12009-01-10 23:31:23 +000088{
Paul Bakkerc81f6c32009-05-03 13:09:15 +000089 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
90 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
91 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
92 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
93 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
94 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
95 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
96 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
97 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
98 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
99 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
100 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
101 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
102 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
103 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
104 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
Paul Bakker38119b12009-01-10 23:31:23 +0000105};
106
107#define SBOX1(n) FSb[(n)]
108#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
109#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
Paul Bakkerfa049db2009-01-12 22:12:03 +0000110#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
111
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200112#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
Paul Bakkerfa049db2009-01-12 22:12:03 +0000113
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000114static const unsigned char FSb[256] =
115{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200116 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
117 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
118 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
119 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
120 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
121 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
122 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
123 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
124 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
125 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
126 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
127 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
128 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
129 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
130 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
131 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000132};
133
134static const unsigned char FSb2[256] =
135{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200136 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
137 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
138 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
139 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
140 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
141 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
142 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
143 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
144 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
145 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
146 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
147 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
148 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
149 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
150 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
151 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000152};
153
154static const unsigned char FSb3[256] =
155{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200156 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
157 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
158 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
159 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
160 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
161 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
162 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
163 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
164 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
165 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
166 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
167 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
168 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
169 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
170 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
171 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000172};
173
174static const unsigned char FSb4[256] =
175{
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200176 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
177 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
178 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
179 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
180 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
181 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
182 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
183 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
184 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
185 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
186 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
187 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
188 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
189 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
190 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
191 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000192};
193
194#define SBOX1(n) FSb[(n)]
195#define SBOX2(n) FSb2[(n)]
196#define SBOX3(n) FSb3[(n)]
197#define SBOX4(n) FSb4[(n)]
Paul Bakker38119b12009-01-10 23:31:23 +0000198
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200199#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
Paul Bakkerfa049db2009-01-12 22:12:03 +0000200
Paul Bakker38119b12009-01-10 23:31:23 +0000201static const unsigned char shifts[2][4][4] =
202{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000203 {
204 { 1, 1, 1, 1 }, /* KL */
205 { 0, 0, 0, 0 }, /* KR */
206 { 1, 1, 1, 1 }, /* KA */
207 { 0, 0, 0, 0 } /* KB */
208 },
209 {
210 { 1, 0, 1, 1 }, /* KL */
211 { 1, 1, 0, 1 }, /* KR */
212 { 1, 1, 1, 0 }, /* KA */
213 { 1, 1, 0, 1 } /* KB */
214 }
Paul Bakker38119b12009-01-10 23:31:23 +0000215};
216
Paul Bakker026c03b2009-03-28 17:53:03 +0000217static const signed char indexes[2][4][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000218{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000219 {
220 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
221 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
222 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
223 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
224 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
225 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
226 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
227 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
228 },
229 {
230 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
231 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
232 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
233 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
234 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
235 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
236 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
237 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
238 }
Paul Bakker38119b12009-01-10 23:31:23 +0000239};
240
Paul Bakker026c03b2009-03-28 17:53:03 +0000241static const signed char transposes[2][20] =
Paul Bakker38119b12009-01-10 23:31:23 +0000242{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000243 {
244 21, 22, 23, 20,
245 -1, -1, -1, -1,
246 18, 19, 16, 17,
247 11, 8, 9, 10,
248 15, 12, 13, 14
249 },
250 {
251 25, 26, 27, 24,
252 29, 30, 31, 28,
253 18, 19, 16, 17,
254 -1, -1, -1, -1,
255 -1, -1, -1, -1
256 }
Paul Bakker38119b12009-01-10 23:31:23 +0000257};
258
Paul Bakkerc32c6b52009-01-11 21:36:43 +0000259/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000260#define ROTL(DEST, SRC, SHIFT) \
261{ \
262 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
263 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
264 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
265 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
Paul Bakker38119b12009-01-10 23:31:23 +0000266}
267
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000268#define FL(XL, XR, KL, KR) \
269{ \
270 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
271 (XL) = ((XR) | (KR)) ^ (XL); \
Paul Bakker38119b12009-01-10 23:31:23 +0000272}
Paul Bakker9af723c2014-05-01 13:03:14 +0200273
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000274#define FLInv(YL, YR, KL, KR) \
275{ \
276 (YL) = ((YR) | (KR)) ^ (YL); \
277 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
Paul Bakker38119b12009-01-10 23:31:23 +0000278}
Paul Bakker9af723c2014-05-01 13:03:14 +0200279
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000280#define SHIFT_AND_PLACE(INDEX, OFFSET) \
281{ \
282 TK[0] = KC[(OFFSET) * 4 + 0]; \
283 TK[1] = KC[(OFFSET) * 4 + 1]; \
284 TK[2] = KC[(OFFSET) * 4 + 2]; \
285 TK[3] = KC[(OFFSET) * 4 + 3]; \
286 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200287 for( i = 1; i <= 4; i++ ) \
288 if( shifts[(INDEX)][(OFFSET)][i -1] ) \
289 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000290 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200291 for( i = 0; i < 20; i++ ) \
292 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \
293 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
294 } \
Paul Bakker38119b12009-01-10 23:31:23 +0000295}
296
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200297static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
298 uint32_t z[2])
Paul Bakker38119b12009-01-10 23:31:23 +0000299{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000300 uint32_t I0, I1;
301 I0 = x[0] ^ k[0];
302 I1 = x[1] ^ k[1];
Paul Bakker38119b12009-01-10 23:31:23 +0000303
Manuel Pégourié-Gonnardb31b61b2014-11-10 13:05:43 +0100304 I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
305 ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
306 ((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) |
307 ((uint32_t) SBOX4((I0 ) & 0xFF) );
308 I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
309 ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
310 ((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) |
311 ((uint32_t) SBOX1((I1 ) & 0xFF) );
Paul Bakker38119b12009-01-10 23:31:23 +0000312
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000313 I0 ^= (I1 << 8) | (I1 >> 24);
314 I1 ^= (I0 << 16) | (I0 >> 16);
315 I0 ^= (I1 >> 8) | (I1 << 24);
316 I1 ^= (I0 >> 8) | (I0 << 24);
Paul Bakker38119b12009-01-10 23:31:23 +0000317
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000318 z[0] ^= I1;
319 z[1] ^= I0;
Paul Bakker38119b12009-01-10 23:31:23 +0000320}
321
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200322void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200323{
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500324 CAMELLIA_VALIDATE( ctx != NULL );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200325 memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200326}
327
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200328void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200329{
330 if( ctx == NULL )
331 return;
332
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500333 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200334}
335
Paul Bakker38119b12009-01-10 23:31:23 +0000336/*
337 * Camellia key schedule (encryption)
338 */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500339int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
340 const unsigned char *key,
341 unsigned int keybits )
Paul Bakker38119b12009-01-10 23:31:23 +0000342{
Paul Bakker23986e52011-04-24 08:57:21 +0000343 int idx;
344 size_t i;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000345 uint32_t *RK;
Paul Bakker38119b12009-01-10 23:31:23 +0000346 unsigned char t[64];
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000347 uint32_t SIGMA[6][2];
348 uint32_t KC[16];
349 uint32_t TK[20];
Paul Bakker38119b12009-01-10 23:31:23 +0000350
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500351 CAMELLIA_VALIDATE_RET( ctx != NULL );
352 CAMELLIA_VALIDATE_RET( key != NULL );
353
Paul Bakker38119b12009-01-10 23:31:23 +0000354 RK = ctx->rk;
355
Paul Bakker66d5d072014-06-17 16:39:18 +0200356 memset( t, 0, 64 );
357 memset( RK, 0, sizeof(ctx->rk) );
Paul Bakker38119b12009-01-10 23:31:23 +0000358
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200359 switch( keybits )
Paul Bakker38119b12009-01-10 23:31:23 +0000360 {
361 case 128: ctx->nr = 3; idx = 0; break;
362 case 192:
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000363 case 256: ctx->nr = 4; idx = 1; break;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500364 default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
Paul Bakker38119b12009-01-10 23:31:23 +0000365 }
366
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200367 for( i = 0; i < keybits / 8; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000368 t[i] = key[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000369
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200370 if( keybits == 192 ) {
Paul Bakker66d5d072014-06-17 16:39:18 +0200371 for( i = 0; i < 8; i++ )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000372 t[24 + i] = ~t[16 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000373 }
374
Paul Bakker38119b12009-01-10 23:31:23 +0000375 /*
376 * Prepare SIGMA values
377 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200378 for( i = 0; i < 6; i++ ) {
379 GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
380 GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
Paul Bakker38119b12009-01-10 23:31:23 +0000381 }
382
383 /*
384 * Key storage in KC
385 * Order: KL, KR, KA, KB
386 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200387 memset( KC, 0, sizeof(KC) );
Paul Bakker38119b12009-01-10 23:31:23 +0000388
389 /* Store KL, KR */
Paul Bakker66d5d072014-06-17 16:39:18 +0200390 for( i = 0; i < 8; i++ )
391 GET_UINT32_BE( KC[i], t, i * 4 );
Paul Bakker38119b12009-01-10 23:31:23 +0000392
393 /* Generate KA */
Paul Bakker66d5d072014-06-17 16:39:18 +0200394 for( i = 0; i < 4; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000395 KC[8 + i] = KC[i] ^ KC[4 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000396
Paul Bakker66d5d072014-06-17 16:39:18 +0200397 camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
398 camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
Paul Bakker38119b12009-01-10 23:31:23 +0000399
Paul Bakker66d5d072014-06-17 16:39:18 +0200400 for( i = 0; i < 4; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000401 KC[8 + i] ^= KC[i];
Paul Bakker38119b12009-01-10 23:31:23 +0000402
Paul Bakker66d5d072014-06-17 16:39:18 +0200403 camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
404 camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
Paul Bakker38119b12009-01-10 23:31:23 +0000405
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200406 if( keybits > 128 ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000407 /* Generate KB */
Paul Bakker66d5d072014-06-17 16:39:18 +0200408 for( i = 0; i < 4; ++i )
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000409 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
Paul Bakker38119b12009-01-10 23:31:23 +0000410
Paul Bakker66d5d072014-06-17 16:39:18 +0200411 camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
412 camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000413 }
414
415 /*
416 * Generating subkeys
Paul Bakker9af723c2014-05-01 13:03:14 +0200417 */
Paul Bakker38119b12009-01-10 23:31:23 +0000418
419 /* Manipulating KL */
Paul Bakker66d5d072014-06-17 16:39:18 +0200420 SHIFT_AND_PLACE( idx, 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000421
422 /* Manipulating KR */
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200423 if( keybits > 128 ) {
Paul Bakker66d5d072014-06-17 16:39:18 +0200424 SHIFT_AND_PLACE( idx, 1 );
Paul Bakker38119b12009-01-10 23:31:23 +0000425 }
426
427 /* Manipulating KA */
Paul Bakker66d5d072014-06-17 16:39:18 +0200428 SHIFT_AND_PLACE( idx, 2 );
Paul Bakker38119b12009-01-10 23:31:23 +0000429
430 /* Manipulating KB */
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200431 if( keybits > 128 ) {
Paul Bakker66d5d072014-06-17 16:39:18 +0200432 SHIFT_AND_PLACE( idx, 3 );
Paul Bakker38119b12009-01-10 23:31:23 +0000433 }
434
435 /* Do transpositions */
Paul Bakker66d5d072014-06-17 16:39:18 +0200436 for( i = 0; i < 20; i++ ) {
437 if( transposes[idx][i] != -1 ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000438 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
439 }
Paul Bakker38119b12009-01-10 23:31:23 +0000440 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000441
442 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000443}
444
445/*
446 * Camellia key schedule (decryption)
447 */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500448int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
449 const unsigned char *key,
450 unsigned int keybits )
Paul Bakker38119b12009-01-10 23:31:23 +0000451{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200452 int idx, ret;
Paul Bakker23986e52011-04-24 08:57:21 +0000453 size_t i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200454 mbedtls_camellia_context cty;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000455 uint32_t *RK;
456 uint32_t *SK;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500457 CAMELLIA_VALIDATE_RET( ctx != NULL );
458 CAMELLIA_VALIDATE_RET( key != NULL );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200459
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200460 mbedtls_camellia_init( &cty );
Paul Bakker38119b12009-01-10 23:31:23 +0000461
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200462 /* Also checks keybits */
463 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200464 goto exit;
Paul Bakker38119b12009-01-10 23:31:23 +0000465
Manuel Pégourié-Gonnard3ac6a2b2014-05-28 22:04:25 +0200466 ctx->nr = cty.nr;
467 idx = ( ctx->nr == 4 );
468
469 RK = ctx->rk;
Paul Bakker38119b12009-01-10 23:31:23 +0000470 SK = cty.rk + 24 * 2 + 8 * idx * 2;
471
472 *RK++ = *SK++;
473 *RK++ = *SK++;
474 *RK++ = *SK++;
475 *RK++ = *SK++;
476
Paul Bakker66d5d072014-06-17 16:39:18 +0200477 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
Paul Bakker38119b12009-01-10 23:31:23 +0000478 {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000479 *RK++ = *SK++;
480 *RK++ = *SK++;
Paul Bakker38119b12009-01-10 23:31:23 +0000481 }
482
483 SK -= 2;
484
485 *RK++ = *SK++;
486 *RK++ = *SK++;
487 *RK++ = *SK++;
488 *RK++ = *SK++;
489
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200490exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200491 mbedtls_camellia_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000492
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200493 return( ret );
Paul Bakker38119b12009-01-10 23:31:23 +0000494}
495
496/*
497 * Camellia-ECB block encryption/decryption
498 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200499int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000500 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000501 const unsigned char input[16],
Paul Bakker38119b12009-01-10 23:31:23 +0000502 unsigned char output[16] )
503{
Paul Bakker026c03b2009-03-28 17:53:03 +0000504 int NR;
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000505 uint32_t *RK, X[4];
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500506 CAMELLIA_VALIDATE_RET( ctx != NULL );
507 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
508 mode == MBEDTLS_CAMELLIA_DECRYPT );
509 CAMELLIA_VALIDATE_RET( input != NULL );
510 CAMELLIA_VALIDATE_RET( output != NULL );
Paul Bakker38119b12009-01-10 23:31:23 +0000511
Paul Bakkerc2547b02009-07-20 20:40:52 +0000512 ( (void) mode );
513
Paul Bakker38119b12009-01-10 23:31:23 +0000514 NR = ctx->nr;
515 RK = ctx->rk;
516
Paul Bakker5c2364c2012-10-01 14:41:15 +0000517 GET_UINT32_BE( X[0], input, 0 );
518 GET_UINT32_BE( X[1], input, 4 );
519 GET_UINT32_BE( X[2], input, 8 );
520 GET_UINT32_BE( X[3], input, 12 );
Paul Bakker38119b12009-01-10 23:31:23 +0000521
522 X[0] ^= *RK++;
523 X[1] ^= *RK++;
524 X[2] ^= *RK++;
525 X[3] ^= *RK++;
526
Paul Bakker66d5d072014-06-17 16:39:18 +0200527 while( NR ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000528 --NR;
Paul Bakker66d5d072014-06-17 16:39:18 +0200529 camellia_feistel( X, RK, X + 2 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000530 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200531 camellia_feistel( X + 2, RK, X );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000532 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200533 camellia_feistel( X, RK, X + 2 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000534 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200535 camellia_feistel( X + 2, RK, X );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000536 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200537 camellia_feistel( X, RK, X + 2 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000538 RK += 2;
Paul Bakker66d5d072014-06-17 16:39:18 +0200539 camellia_feistel( X + 2, RK, X );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000540 RK += 2;
Paul Bakker38119b12009-01-10 23:31:23 +0000541
Paul Bakker66d5d072014-06-17 16:39:18 +0200542 if( NR ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000543 FL(X[0], X[1], RK[0], RK[1]);
544 RK += 2;
545 FLInv(X[2], X[3], RK[0], RK[1]);
546 RK += 2;
547 }
Paul Bakker38119b12009-01-10 23:31:23 +0000548 }
549
550 X[2] ^= *RK++;
551 X[3] ^= *RK++;
552 X[0] ^= *RK++;
553 X[1] ^= *RK++;
554
Paul Bakker5c2364c2012-10-01 14:41:15 +0000555 PUT_UINT32_BE( X[2], output, 0 );
556 PUT_UINT32_BE( X[3], output, 4 );
557 PUT_UINT32_BE( X[0], output, 8 );
558 PUT_UINT32_BE( X[1], output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000559
560 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000561}
562
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200563#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000564/*
565 * Camellia-CBC buffer encryption/decryption
566 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200567int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500568 int mode,
569 size_t length,
570 unsigned char iv[16],
571 const unsigned char *input,
572 unsigned char *output )
Paul Bakker38119b12009-01-10 23:31:23 +0000573{
574 int i;
575 unsigned char temp[16];
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500576 CAMELLIA_VALIDATE_RET( ctx != NULL );
577 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
578 mode == MBEDTLS_CAMELLIA_DECRYPT );
579 CAMELLIA_VALIDATE_RET( iv != NULL );
580 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
581 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
Paul Bakker38119b12009-01-10 23:31:23 +0000582
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000583 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200584 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200586 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
Paul Bakker38119b12009-01-10 23:31:23 +0000587 {
588 while( length > 0 )
589 {
590 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200591 mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
Paul Bakker38119b12009-01-10 23:31:23 +0000592
593 for( i = 0; i < 16; i++ )
594 output[i] = (unsigned char)( output[i] ^ iv[i] );
595
596 memcpy( iv, temp, 16 );
597
598 input += 16;
599 output += 16;
600 length -= 16;
601 }
602 }
603 else
604 {
605 while( length > 0 )
606 {
607 for( i = 0; i < 16; i++ )
608 output[i] = (unsigned char)( input[i] ^ iv[i] );
609
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200610 mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
Paul Bakker38119b12009-01-10 23:31:23 +0000611 memcpy( iv, output, 16 );
612
613 input += 16;
614 output += 16;
615 length -= 16;
616 }
617 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000618
619 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000620}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200621#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000622
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200623#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker38119b12009-01-10 23:31:23 +0000624/*
625 * Camellia-CFB128 buffer encryption/decryption
626 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200627int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
Paul Bakker38119b12009-01-10 23:31:23 +0000628 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000629 size_t length,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000630 size_t *iv_off,
Paul Bakker38119b12009-01-10 23:31:23 +0000631 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000632 const unsigned char *input,
Paul Bakker38119b12009-01-10 23:31:23 +0000633 unsigned char *output )
634{
Paul Bakker1ef71df2011-06-09 14:14:58 +0000635 int c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500636 size_t n;
637 CAMELLIA_VALIDATE_RET( ctx != NULL );
638 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
639 mode == MBEDTLS_CAMELLIA_DECRYPT );
640 CAMELLIA_VALIDATE_RET( iv != NULL );
641 CAMELLIA_VALIDATE_RET( iv_off != NULL );
642 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
643 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
644
645 n = *iv_off;
646 if( n >= 16 )
647 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
Paul Bakker38119b12009-01-10 23:31:23 +0000648
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200649 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
Paul Bakker38119b12009-01-10 23:31:23 +0000650 {
651 while( length-- )
652 {
653 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200654 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
Paul Bakker38119b12009-01-10 23:31:23 +0000655
656 c = *input++;
657 *output++ = (unsigned char)( c ^ iv[n] );
658 iv[n] = (unsigned char) c;
659
Paul Bakker66d5d072014-06-17 16:39:18 +0200660 n = ( n + 1 ) & 0x0F;
Paul Bakker38119b12009-01-10 23:31:23 +0000661 }
662 }
663 else
664 {
665 while( length-- )
666 {
667 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200668 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
Paul Bakker38119b12009-01-10 23:31:23 +0000669
670 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
671
Paul Bakker66d5d072014-06-17 16:39:18 +0200672 n = ( n + 1 ) & 0x0F;
Paul Bakker38119b12009-01-10 23:31:23 +0000673 }
674 }
675
676 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000677
678 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +0000679}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200680#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000681
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200682#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000683/*
684 * Camellia-CTR buffer encryption/decryption
685 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200686int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
Paul Bakker1ef71df2011-06-09 14:14:58 +0000687 size_t length,
688 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000689 unsigned char nonce_counter[16],
690 unsigned char stream_block[16],
691 const unsigned char *input,
692 unsigned char *output )
693{
Paul Bakker369e14b2012-04-18 14:16:09 +0000694 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500695 size_t n;
696 CAMELLIA_VALIDATE_RET( ctx != NULL );
697 CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
698 CAMELLIA_VALIDATE_RET( stream_block != NULL );
699 CAMELLIA_VALIDATE_RET( nc_off != NULL );
700 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
701 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
702
703 n = *nc_off;
704 if( n >= 16 )
705 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000706
707 while( length-- )
708 {
709 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200710 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200711 stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000712
Paul Bakker369e14b2012-04-18 14:16:09 +0000713 for( i = 16; i > 0; i-- )
714 if( ++nonce_counter[i - 1] != 0 )
715 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000716 }
717 c = *input++;
718 *output++ = (unsigned char)( c ^ stream_block[n] );
719
Paul Bakker66d5d072014-06-17 16:39:18 +0200720 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000721 }
722
723 *nc_off = n;
724
725 return( 0 );
726}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200727#endif /* MBEDTLS_CIPHER_MODE_CTR */
728#endif /* !MBEDTLS_CAMELLIA_ALT */
Paul Bakker38119b12009-01-10 23:31:23 +0000729
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200730#if defined(MBEDTLS_SELF_TEST)
Paul Bakker38119b12009-01-10 23:31:23 +0000731
Paul Bakker38119b12009-01-10 23:31:23 +0000732/*
733 * Camellia test vectors from:
734 *
735 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
736 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
737 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000738 * (For each bitlength: Key 0, Nr 39)
Paul Bakker38119b12009-01-10 23:31:23 +0000739 */
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000740#define CAMELLIA_TESTS_ECB 2
Paul Bakker38119b12009-01-10 23:31:23 +0000741
742static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
743{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000744 {
745 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
746 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200747 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000748 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
749 },
750 {
751 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
752 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
753 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200754 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000755 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
756 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
757 },
758 {
759 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
760 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
761 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
762 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
Paul Bakker9af723c2014-05-01 13:03:14 +0200763 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000764 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
765 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
767 },
Paul Bakker38119b12009-01-10 23:31:23 +0000768};
769
770static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
771{
772 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
773 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
Paul Bakker9af723c2014-05-01 13:03:14 +0200774 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
Paul Bakker38119b12009-01-10 23:31:23 +0000775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
776};
777
778static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
779{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000780 {
781 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
782 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
783 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
784 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
785 },
786 {
787 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
788 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
789 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
790 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
791 },
792 {
793 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
794 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
795 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
796 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
797 }
Paul Bakker38119b12009-01-10 23:31:23 +0000798};
799
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200800#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000801#define CAMELLIA_TESTS_CBC 3
Paul Bakker38119b12009-01-10 23:31:23 +0000802
803static const unsigned char camellia_test_cbc_key[3][32] =
804{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000805 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
806 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
807 ,
808 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
809 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
810 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
811 ,
812 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
813 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
814 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
815 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Paul Bakker38119b12009-01-10 23:31:23 +0000816};
817
818static const unsigned char camellia_test_cbc_iv[16] =
819
820 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
821 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
822;
823
824static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
825{
826 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
827 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
828 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
829 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
830 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
831 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
832
833};
834
835static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
836{
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000837 {
838 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
839 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
840 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
841 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
842 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
843 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
844 },
845 {
846 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
847 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
848 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
849 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
850 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
851 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
852 },
853 {
854 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
855 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
856 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
857 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
858 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
859 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
860 }
Paul Bakker38119b12009-01-10 23:31:23 +0000861};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200862#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +0000863
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200864#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000865/*
866 * Camellia-CTR test vectors from:
867 *
868 * http://www.faqs.org/rfcs/rfc5528.html
869 */
870
871static const unsigned char camellia_test_ctr_key[3][16] =
872{
873 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
874 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
875 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
876 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
877 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
878 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
879};
880
881static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
882{
883 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
884 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
885 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
886 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
887 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
888 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
889};
890
891static const unsigned char camellia_test_ctr_pt[3][48] =
892{
893 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
894 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
895
896 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
897 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
898 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
899 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
900
901 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
902 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
903 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
904 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
905 0x20, 0x21, 0x22, 0x23 }
906};
907
908static const unsigned char camellia_test_ctr_ct[3][48] =
909{
910 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
911 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
912 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
913 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
914 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
915 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
916 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
917 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
918 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
919 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
920 0xDF, 0x50, 0x86, 0x96 }
921};
922
923static const int camellia_test_ctr_len[3] =
924 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200925#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker38119b12009-01-10 23:31:23 +0000926
927/*
928 * Checkup routine
929 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200930int mbedtls_camellia_self_test( int verbose )
Paul Bakker38119b12009-01-10 23:31:23 +0000931{
Paul Bakker026c03b2009-03-28 17:53:03 +0000932 int i, j, u, v;
Paul Bakker38119b12009-01-10 23:31:23 +0000933 unsigned char key[32];
934 unsigned char buf[64];
Paul Bakker38119b12009-01-10 23:31:23 +0000935 unsigned char src[16];
936 unsigned char dst[16];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200937#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000938 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200939#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200940#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakker1ef71df2011-06-09 14:14:58 +0000941 size_t offset, len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000942 unsigned char nonce_counter[16];
943 unsigned char stream_block[16];
944#endif
945
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200946 mbedtls_camellia_context ctx;
Paul Bakker38119b12009-01-10 23:31:23 +0000947
948 memset( key, 0, 32 );
949
Paul Bakker66d5d072014-06-17 16:39:18 +0200950 for( j = 0; j < 6; j++ ) {
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000951 u = j >> 1;
952 v = j & 1;
Paul Bakker38119b12009-01-10 23:31:23 +0000953
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000954 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200955 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
956 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
Paul Bakker38119b12009-01-10 23:31:23 +0000957
Paul Bakker66d5d072014-06-17 16:39:18 +0200958 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
959 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
Paul Bakker38119b12009-01-10 23:31:23 +0000960
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200961 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
962 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
Paul Bakker66d5d072014-06-17 16:39:18 +0200963 memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
964 memcpy( dst, camellia_test_ecb_plain[i], 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200965 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
966 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
Paul Bakker66d5d072014-06-17 16:39:18 +0200967 memcpy( src, camellia_test_ecb_plain[i], 16 );
968 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000969 }
Paul Bakker38119b12009-01-10 23:31:23 +0000970
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200971 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
Paul Bakker38119b12009-01-10 23:31:23 +0000972
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000973 if( memcmp( buf, dst, 16 ) != 0 )
974 {
975 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200976 mbedtls_printf( "failed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000977
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000978 return( 1 );
979 }
980 }
Paul Bakker38119b12009-01-10 23:31:23 +0000981
Paul Bakkerc81f6c32009-05-03 13:09:15 +0000982 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200983 mbedtls_printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000984 }
985
986 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200987 mbedtls_printf( "\n" );
Paul Bakker38119b12009-01-10 23:31:23 +0000988
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200989#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker38119b12009-01-10 23:31:23 +0000990 /*
991 * CBC mode
992 */
993 for( j = 0; j < 6; j++ )
994 {
995 u = j >> 1;
996 v = j & 1;
997
998 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200999 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
1000 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
Paul Bakker38119b12009-01-10 23:31:23 +00001001
Janos Follath98e28a72016-05-31 14:03:54 +01001002 memcpy( src, camellia_test_cbc_iv, 16 );
1003 memcpy( dst, camellia_test_cbc_iv, 16 );
1004 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
Paul Bakker38119b12009-01-10 23:31:23 +00001005
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001006 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
Janos Follath98e28a72016-05-31 14:03:54 +01001007 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
1008 } else {
1009 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
Paul Bakkerc81f6c32009-05-03 13:09:15 +00001010 }
Paul Bakker38119b12009-01-10 23:31:23 +00001011
Janos Follath98e28a72016-05-31 14:03:54 +01001012 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
Paul Bakker38119b12009-01-10 23:31:23 +00001013
Janos Follath98e28a72016-05-31 14:03:54 +01001014 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
1015 memcpy( iv , src, 16 );
1016 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
1017 memcpy( dst, camellia_test_cbc_plain[i], 16 );
1018 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
1019 memcpy( iv , dst, 16 );
1020 memcpy( src, camellia_test_cbc_plain[i], 16 );
1021 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
1022 }
Paul Bakker38119b12009-01-10 23:31:23 +00001023
Janos Follath98e28a72016-05-31 14:03:54 +01001024 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
1025
1026 if( memcmp( buf, dst, 16 ) != 0 )
1027 {
1028 if( verbose != 0 )
1029 mbedtls_printf( "failed\n" );
1030
1031 return( 1 );
1032 }
Paul Bakkerc81f6c32009-05-03 13:09:15 +00001033 }
Paul Bakker38119b12009-01-10 23:31:23 +00001034
1035 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001036 mbedtls_printf( "passed\n" );
Paul Bakker38119b12009-01-10 23:31:23 +00001037 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001038#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker38119b12009-01-10 23:31:23 +00001039
1040 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001041 mbedtls_printf( "\n" );
Paul Bakker38119b12009-01-10 23:31:23 +00001042
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001043#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001044 /*
1045 * CTR mode
1046 */
1047 for( i = 0; i < 6; i++ )
1048 {
1049 u = i >> 1;
1050 v = i & 1;
1051
1052 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001053 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ",
1054 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001055
1056 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1057 memcpy( key, camellia_test_ctr_key[u], 16 );
1058
1059 offset = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001060 mbedtls_camellia_setkey_enc( &ctx, key, 128 );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001061
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001062 if( v == MBEDTLS_CAMELLIA_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001063 {
1064 len = camellia_test_ctr_len[u];
1065 memcpy( buf, camellia_test_ctr_ct[u], len );
1066
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001067 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001068 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001069
1070 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1071 {
1072 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001073 mbedtls_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001074
1075 return( 1 );
1076 }
1077 }
1078 else
1079 {
1080 len = camellia_test_ctr_len[u];
1081 memcpy( buf, camellia_test_ctr_pt[u], len );
1082
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001083 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001084 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001085
1086 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1087 {
1088 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001089 mbedtls_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001090
1091 return( 1 );
1092 }
1093 }
1094
1095 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001096 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001097 }
1098
1099 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001100 mbedtls_printf( "\n" );
1101#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001102
Paul Bakkerd8bb8262014-06-17 14:06:49 +02001103 return( 0 );
Paul Bakker38119b12009-01-10 23:31:23 +00001104}
1105
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001106#endif /* MBEDTLS_SELF_TEST */
Paul Bakker38119b12009-01-10 23:31:23 +00001107
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001108#endif /* MBEDTLS_CAMELLIA_C */