2 * Camellia implementation
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
25 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
31 #include MBEDTLS_CONFIG_FILE
34 #if defined(MBEDTLS_CAMELLIA_C)
36 #include "mbedtls/camellia.h"
37 #include "mbedtls/platform_util.h"
41 #if defined(MBEDTLS_SELF_TEST)
42 #if defined(MBEDTLS_PLATFORM_C)
43 #include "mbedtls/platform.h"
46 #define mbedtls_printf printf
47 #endif /* MBEDTLS_PLATFORM_C */
48 #endif /* MBEDTLS_SELF_TEST */
50 #if !defined(MBEDTLS_CAMELLIA_ALT)
52 /* Parameter validation macros */
53 #define CAMELLIA_VALIDATE_RET( cond ) \
54 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
55 #define CAMELLIA_VALIDATE( cond ) \
56 MBEDTLS_INTERNAL_VALIDATE( cond )
59 * 32-bit integer manipulation macros (big endian)
62 #define GET_UINT32_BE(n,b,i) \
64 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
65 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
66 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
67 | ( (uint32_t) (b)[(i) + 3] ); \
72 #define PUT_UINT32_BE(n,b,i) \
74 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
75 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
76 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
77 (b)[(i) + 3] = (unsigned char) ( (n) ); \
81 static const unsigned char SIGMA_CHARS[6][8] =
83 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
84 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
85 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
86 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
87 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
88 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
91 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
93 static const unsigned char FSb[256] =
95 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
96 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
97 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
98 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
99 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
100 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
101 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
102 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
103 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
104 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
105 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
106 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
107 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
108 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
109 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
110 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
113 #define SBOX1(n) FSb[(n)]
114 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
115 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
116 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
118 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
120 static const unsigned char FSb[256] =
122 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
123 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
124 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
125 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
126 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
127 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
128 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
129 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
130 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
131 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
132 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
133 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
134 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
135 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
136 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
137 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
140 static const unsigned char FSb2[256] =
142 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
143 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
144 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
145 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
146 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
147 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
148 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
149 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
150 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
151 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
152 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
153 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
154 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
155 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
156 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
157 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
160 static const unsigned char FSb3[256] =
162 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
163 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
164 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
165 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
166 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
167 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
168 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
169 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
170 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
171 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
172 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
173 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
174 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
175 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
176 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
177 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
180 static const unsigned char FSb4[256] =
182 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
183 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
184 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
185 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
186 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
187 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
188 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
189 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
190 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
191 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
192 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
193 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
194 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
195 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
196 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
197 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
200 #define SBOX1(n) FSb[(n)]
201 #define SBOX2(n) FSb2[(n)]
202 #define SBOX3(n) FSb3[(n)]
203 #define SBOX4(n) FSb4[(n)]
205 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
207 static const unsigned char shifts[2][4][4] =
210 { 1, 1, 1, 1 }, /* KL */
211 { 0, 0, 0, 0 }, /* KR */
212 { 1, 1, 1, 1 }, /* KA */
213 { 0, 0, 0, 0 } /* KB */
216 { 1, 0, 1, 1 }, /* KL */
217 { 1, 1, 0, 1 }, /* KR */
218 { 1, 1, 1, 0 }, /* KA */
219 { 1, 1, 0, 1 } /* KB */
223 static const signed char indexes[2][4][20] =
226 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
227 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
228 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
229 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
230 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
231 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
232 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
233 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
236 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
237 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
238 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
239 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
240 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
241 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
242 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
243 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
247 static const signed char transposes[2][20] =
265 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
266 #define ROTL(DEST, SRC, SHIFT) \
268 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
269 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
270 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
271 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
274 #define FL(XL, XR, KL, KR) \
276 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
277 (XL) = ((XR) | (KR)) ^ (XL); \
280 #define FLInv(YL, YR, KL, KR) \
282 (YL) = ((YR) | (KR)) ^ (YL); \
283 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
286 #define SHIFT_AND_PLACE(INDEX, OFFSET) \
288 TK[0] = KC[(OFFSET) * 4 + 0]; \
289 TK[1] = KC[(OFFSET) * 4 + 1]; \
290 TK[2] = KC[(OFFSET) * 4 + 2]; \
291 TK[3] = KC[(OFFSET) * 4 + 3]; \
293 for( i = 1; i <= 4; i++ ) \
294 if( shifts[(INDEX)][(OFFSET)][i -1] ) \
295 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \
297 for( i = 0; i < 20; i++ ) \
298 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \
299 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
303 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
310 I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
311 ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
312 ((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) |
313 ((uint32_t) SBOX4((I0 ) & 0xFF) );
314 I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
315 ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
316 ((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) |
317 ((uint32_t) SBOX1((I1 ) & 0xFF) );
319 I0 ^= (I1 << 8) | (I1 >> 24);
320 I1 ^= (I0 << 16) | (I0 >> 16);
321 I0 ^= (I1 >> 8) | (I1 << 24);
322 I1 ^= (I0 >> 8) | (I0 << 24);
328 void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
330 CAMELLIA_VALIDATE( ctx != NULL );
331 memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
334 void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
339 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
343 * Camellia key schedule (encryption)
345 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
346 const unsigned char *key,
347 unsigned int keybits )
353 uint32_t SIGMA[6][2];
357 CAMELLIA_VALIDATE_RET( ctx != NULL );
358 CAMELLIA_VALIDATE_RET( key != NULL );
363 memset( RK, 0, sizeof(ctx->rk) );
367 case 128: ctx->nr = 3; idx = 0; break;
369 case 256: ctx->nr = 4; idx = 1; break;
370 default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
373 for( i = 0; i < keybits / 8; ++i )
376 if( keybits == 192 ) {
377 for( i = 0; i < 8; i++ )
378 t[24 + i] = ~t[16 + i];
382 * Prepare SIGMA values
384 for( i = 0; i < 6; i++ ) {
385 GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
386 GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
391 * Order: KL, KR, KA, KB
393 memset( KC, 0, sizeof(KC) );
396 for( i = 0; i < 8; i++ )
397 GET_UINT32_BE( KC[i], t, i * 4 );
400 for( i = 0; i < 4; ++i )
401 KC[8 + i] = KC[i] ^ KC[4 + i];
403 camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
404 camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
406 for( i = 0; i < 4; ++i )
409 camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
410 camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
412 if( keybits > 128 ) {
414 for( i = 0; i < 4; ++i )
415 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
417 camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
418 camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
425 /* Manipulating KL */
426 SHIFT_AND_PLACE( idx, 0 );
428 /* Manipulating KR */
429 if( keybits > 128 ) {
430 SHIFT_AND_PLACE( idx, 1 );
433 /* Manipulating KA */
434 SHIFT_AND_PLACE( idx, 2 );
436 /* Manipulating KB */
437 if( keybits > 128 ) {
438 SHIFT_AND_PLACE( idx, 3 );
441 /* Do transpositions */
442 for( i = 0; i < 20; i++ ) {
443 if( transposes[idx][i] != -1 ) {
444 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
452 * Camellia key schedule (decryption)
454 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
455 const unsigned char *key,
456 unsigned int keybits )
460 mbedtls_camellia_context cty;
463 CAMELLIA_VALIDATE_RET( ctx != NULL );
464 CAMELLIA_VALIDATE_RET( key != NULL );
466 mbedtls_camellia_init( &cty );
468 /* Also checks keybits */
469 if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
473 idx = ( ctx->nr == 4 );
476 SK = cty.rk + 24 * 2 + 8 * idx * 2;
483 for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
497 mbedtls_camellia_free( &cty );
503 * Camellia-ECB block encryption/decryption
505 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
507 const unsigned char input[16],
508 unsigned char output[16] )
512 CAMELLIA_VALIDATE_RET( ctx != NULL );
513 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
514 mode == MBEDTLS_CAMELLIA_DECRYPT );
515 CAMELLIA_VALIDATE_RET( input != NULL );
516 CAMELLIA_VALIDATE_RET( output != NULL );
523 GET_UINT32_BE( X[0], input, 0 );
524 GET_UINT32_BE( X[1], input, 4 );
525 GET_UINT32_BE( X[2], input, 8 );
526 GET_UINT32_BE( X[3], input, 12 );
535 camellia_feistel( X, RK, X + 2 );
537 camellia_feistel( X + 2, RK, X );
539 camellia_feistel( X, RK, X + 2 );
541 camellia_feistel( X + 2, RK, X );
543 camellia_feistel( X, RK, X + 2 );
545 camellia_feistel( X + 2, RK, X );
549 FL(X[0], X[1], RK[0], RK[1]);
551 FLInv(X[2], X[3], RK[0], RK[1]);
561 PUT_UINT32_BE( X[2], output, 0 );
562 PUT_UINT32_BE( X[3], output, 4 );
563 PUT_UINT32_BE( X[0], output, 8 );
564 PUT_UINT32_BE( X[1], output, 12 );
569 #if defined(MBEDTLS_CIPHER_MODE_CBC)
571 * Camellia-CBC buffer encryption/decryption
573 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
576 unsigned char iv[16],
577 const unsigned char *input,
578 unsigned char *output )
581 unsigned char temp[16];
582 CAMELLIA_VALIDATE_RET( ctx != NULL );
583 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
584 mode == MBEDTLS_CAMELLIA_DECRYPT );
585 CAMELLIA_VALIDATE_RET( iv != NULL );
586 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
587 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
590 return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
592 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
596 memcpy( temp, input, 16 );
597 mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
599 for( i = 0; i < 16; i++ )
600 output[i] = (unsigned char)( output[i] ^ iv[i] );
602 memcpy( iv, temp, 16 );
613 for( i = 0; i < 16; i++ )
614 output[i] = (unsigned char)( input[i] ^ iv[i] );
616 mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
617 memcpy( iv, output, 16 );
627 #endif /* MBEDTLS_CIPHER_MODE_CBC */
629 #if defined(MBEDTLS_CIPHER_MODE_CFB)
631 * Camellia-CFB128 buffer encryption/decryption
633 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
637 unsigned char iv[16],
638 const unsigned char *input,
639 unsigned char *output )
643 CAMELLIA_VALIDATE_RET( ctx != NULL );
644 CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
645 mode == MBEDTLS_CAMELLIA_DECRYPT );
646 CAMELLIA_VALIDATE_RET( iv != NULL );
647 CAMELLIA_VALIDATE_RET( iv_off != NULL );
648 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
649 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
653 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
655 if( mode == MBEDTLS_CAMELLIA_DECRYPT )
660 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
663 *output++ = (unsigned char)( c ^ iv[n] );
664 iv[n] = (unsigned char) c;
666 n = ( n + 1 ) & 0x0F;
674 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
676 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
678 n = ( n + 1 ) & 0x0F;
686 #endif /* MBEDTLS_CIPHER_MODE_CFB */
688 #if defined(MBEDTLS_CIPHER_MODE_CTR)
690 * Camellia-CTR buffer encryption/decryption
692 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
695 unsigned char nonce_counter[16],
696 unsigned char stream_block[16],
697 const unsigned char *input,
698 unsigned char *output )
702 CAMELLIA_VALIDATE_RET( ctx != NULL );
703 CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
704 CAMELLIA_VALIDATE_RET( stream_block != NULL );
705 CAMELLIA_VALIDATE_RET( nc_off != NULL );
706 CAMELLIA_VALIDATE_RET( length == 0 || input != NULL );
707 CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
711 return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
716 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
719 for( i = 16; i > 0; i-- )
720 if( ++nonce_counter[i - 1] != 0 )
724 *output++ = (unsigned char)( c ^ stream_block[n] );
726 n = ( n + 1 ) & 0x0F;
733 #endif /* MBEDTLS_CIPHER_MODE_CTR */
734 #endif /* !MBEDTLS_CAMELLIA_ALT */
736 #if defined(MBEDTLS_SELF_TEST)
739 * Camellia test vectors from:
741 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
742 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
743 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
744 * (For each bitlength: Key 0, Nr 39)
746 #define CAMELLIA_TESTS_ECB 2
748 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
751 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
752 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
753 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
754 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
757 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
758 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
759 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
760 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
761 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
762 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
765 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
766 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
767 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
768 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
769 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
770 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
771 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
776 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
778 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
779 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
780 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
781 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
784 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
787 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
788 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
789 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
790 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
793 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
794 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
795 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
796 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
799 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
800 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
801 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
802 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
806 #if defined(MBEDTLS_CIPHER_MODE_CBC)
807 #define CAMELLIA_TESTS_CBC 3
809 static const unsigned char camellia_test_cbc_key[3][32] =
811 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
812 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
814 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
815 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
816 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
818 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
819 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
820 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
821 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
824 static const unsigned char camellia_test_cbc_iv[16] =
826 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
827 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
830 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
832 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
833 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
834 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
835 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
836 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
837 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
841 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
844 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
845 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
846 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
847 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
848 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
849 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
852 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
853 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
854 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
855 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
856 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
857 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
860 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
861 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
862 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
863 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
864 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
865 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
868 #endif /* MBEDTLS_CIPHER_MODE_CBC */
870 #if defined(MBEDTLS_CIPHER_MODE_CTR)
872 * Camellia-CTR test vectors from:
874 * http://www.faqs.org/rfcs/rfc5528.html
877 static const unsigned char camellia_test_ctr_key[3][16] =
879 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
880 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
881 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
882 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
883 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
884 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
887 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
889 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
890 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
891 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
892 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
893 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
894 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
897 static const unsigned char camellia_test_ctr_pt[3][48] =
899 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
900 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
902 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
903 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
904 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
905 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
907 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
908 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
909 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
910 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
911 0x20, 0x21, 0x22, 0x23 }
914 static const unsigned char camellia_test_ctr_ct[3][48] =
916 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
917 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
918 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
919 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
920 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
921 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
922 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
923 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
924 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
925 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
926 0xDF, 0x50, 0x86, 0x96 }
929 static const int camellia_test_ctr_len[3] =
931 #endif /* MBEDTLS_CIPHER_MODE_CTR */
936 int mbedtls_camellia_self_test( int verbose )
939 unsigned char key[32];
940 unsigned char buf[64];
941 unsigned char src[16];
942 unsigned char dst[16];
943 #if defined(MBEDTLS_CIPHER_MODE_CBC)
944 unsigned char iv[16];
946 #if defined(MBEDTLS_CIPHER_MODE_CTR)
948 unsigned char nonce_counter[16];
949 unsigned char stream_block[16];
952 mbedtls_camellia_context ctx;
954 memset( key, 0, 32 );
956 for( j = 0; j < 6; j++ ) {
961 mbedtls_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
962 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
964 for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
965 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
967 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
968 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
969 memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
970 memcpy( dst, camellia_test_ecb_plain[i], 16 );
971 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
972 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
973 memcpy( src, camellia_test_ecb_plain[i], 16 );
974 memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
977 mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
979 if( memcmp( buf, dst, 16 ) != 0 )
982 mbedtls_printf( "failed\n" );
989 mbedtls_printf( "passed\n" );
993 mbedtls_printf( "\n" );
995 #if defined(MBEDTLS_CIPHER_MODE_CBC)
999 for( j = 0; j < 6; j++ )
1005 mbedtls_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
1006 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1008 memcpy( src, camellia_test_cbc_iv, 16 );
1009 memcpy( dst, camellia_test_cbc_iv, 16 );
1010 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
1012 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
1013 mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
1015 mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
1018 for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
1020 if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
1021 memcpy( iv , src, 16 );
1022 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
1023 memcpy( dst, camellia_test_cbc_plain[i], 16 );
1024 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
1025 memcpy( iv , dst, 16 );
1026 memcpy( src, camellia_test_cbc_plain[i], 16 );
1027 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
1030 mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
1032 if( memcmp( buf, dst, 16 ) != 0 )
1035 mbedtls_printf( "failed\n" );
1042 mbedtls_printf( "passed\n" );
1044 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1047 mbedtls_printf( "\n" );
1049 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1053 for( i = 0; i < 6; i++ )
1059 mbedtls_printf( " CAMELLIA-CTR-128 (%s): ",
1060 ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1062 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1063 memcpy( key, camellia_test_ctr_key[u], 16 );
1066 mbedtls_camellia_setkey_enc( &ctx, key, 128 );
1068 if( v == MBEDTLS_CAMELLIA_DECRYPT )
1070 len = camellia_test_ctr_len[u];
1071 memcpy( buf, camellia_test_ctr_ct[u], len );
1073 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1076 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1079 mbedtls_printf( "failed\n" );
1086 len = camellia_test_ctr_len[u];
1087 memcpy( buf, camellia_test_ctr_pt[u], len );
1089 mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1092 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1095 mbedtls_printf( "failed\n" );
1102 mbedtls_printf( "passed\n" );
1106 mbedtls_printf( "\n" );
1107 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1112 #endif /* MBEDTLS_SELF_TEST */
1114 #endif /* MBEDTLS_CAMELLIA_C */