• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  Camellia implementation
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 /*
20  *  The Camellia block cipher was designed by NTT and Mitsubishi Electric
21  *  Corporation.
22  *
23  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
24  */
25 
26 #include "common.h"
27 
28 #if defined(MBEDTLS_CAMELLIA_C)
29 
30 #include "mbedtls/camellia.h"
31 #include "mbedtls/platform_util.h"
32 
33 #include <string.h>
34 
35 #if defined(MBEDTLS_SELF_TEST)
36 #if defined(MBEDTLS_PLATFORM_C)
37 #include "mbedtls/platform.h"
38 #else
39 #include <stdio.h>
40 #define mbedtls_printf printf
41 #endif /* MBEDTLS_PLATFORM_C */
42 #endif /* MBEDTLS_SELF_TEST */
43 
44 #if !defined(MBEDTLS_CAMELLIA_ALT)
45 
46 /* Parameter validation macros */
47 #define CAMELLIA_VALIDATE_RET( cond )                                       \
48     MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
49 #define CAMELLIA_VALIDATE( cond )                                           \
50     MBEDTLS_INTERNAL_VALIDATE( cond )
51 
52 static const unsigned char SIGMA_CHARS[6][8] =
53 {
54     { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
55     { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
56     { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
57     { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
58     { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
59     { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
60 };
61 
62 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
63 
64 static const unsigned char FSb[256] =
65 {
66     112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
67      35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
68     134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
69     166,225, 57,202,213, 71, 93, 61,217,  1, 90,214, 81, 86,108, 77,
70     139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
71     223, 76,203,194, 52,126,118,  5,109,183,169, 49,209, 23,  4,215,
72      20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
73     254, 68,207,178,195,181,122,145, 36,  8,232,168, 96,252,105, 80,
74     170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
75      16,196,  0, 72,163,247,117,219,138,  3,230,218,  9, 63,221,148,
76     135, 92,131,  2,205, 74,144, 51,115,103,246,243,157,127,191,226,
77      82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
78     233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
79     120,152,  6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
80     114,  7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
81      64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
82 };
83 
84 #define SBOX1(n) FSb[(n)]
85 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
86 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
87 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
88 
89 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
90 
91 static const unsigned char FSb[256] =
92 {
93  112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
94   35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
95  134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
96  166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
97  139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
98  223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
99   20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
100  254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
101  170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
102   16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
103  135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
104   82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
105  233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
106  120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
107  114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
108  64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
109 };
110 
111 static const unsigned char FSb2[256] =
112 {
113  224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
114   70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
115   13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
116   77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
117   23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
118  191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
119   40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
120  253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
121   85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
122   32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
123   15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
124  164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
125  211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
126  240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
127  228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
128  128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
129 };
130 
131 static const unsigned char FSb3[256] =
132 {
133   56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
134  145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
135   67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
136   83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
137  197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
138  239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
139   10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
140  127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
141   85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
142    8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
143  195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
144   41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
145  244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
146   60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
147   57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
148   32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
149 };
150 
151 static const unsigned char FSb4[256] =
152 {
153  112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
154  134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
155  139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
156   20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
157  170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
158  135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
159  233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
160  114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
161  130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
162  184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
163   13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
164   88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
165  208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
166   92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
167  121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
168   7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
169 };
170 
171 #define SBOX1(n) FSb[(n)]
172 #define SBOX2(n) FSb2[(n)]
173 #define SBOX3(n) FSb3[(n)]
174 #define SBOX4(n) FSb4[(n)]
175 
176 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
177 
178 static const unsigned char shifts[2][4][4] =
179 {
180     {
181         { 1, 1, 1, 1 }, /* KL */
182         { 0, 0, 0, 0 }, /* KR */
183         { 1, 1, 1, 1 }, /* KA */
184         { 0, 0, 0, 0 }  /* KB */
185     },
186     {
187         { 1, 0, 1, 1 }, /* KL */
188         { 1, 1, 0, 1 }, /* KR */
189         { 1, 1, 1, 0 }, /* KA */
190         { 1, 1, 0, 1 }  /* KB */
191     }
192 };
193 
194 static const signed char indexes[2][4][20] =
195 {
196     {
197         {  0,  1,  2,  3,  8,  9, 10, 11, 38, 39,
198           36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
199         { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
200           -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
201         {  4,  5,  6,  7, 12, 13, 14, 15, 16, 17,
202           18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
203         { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
204           -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }  /* KB -> RK */
205     },
206     {
207         {  0,  1,  2,  3, 61, 62, 63, 60, -1, -1,
208           -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
209         { -1, -1, -1, -1,  8,  9, 10, 11, 16, 17,
210           18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
211         { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
212           56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
213         {  4,  5,  6,  7, 65, 66, 67, 64, 20, 21,
214           22, 23, -1, -1, -1, -1, 43, 40, 41, 42 }  /* KB -> RK */
215     }
216 };
217 
218 static const signed char transposes[2][20] =
219 {
220     {
221         21, 22, 23, 20,
222         -1, -1, -1, -1,
223         18, 19, 16, 17,
224         11,  8,  9, 10,
225         15, 12, 13, 14
226     },
227     {
228         25, 26, 27, 24,
229         29, 30, 31, 28,
230         18, 19, 16, 17,
231         -1, -1, -1, -1,
232         -1, -1, -1, -1
233     }
234 };
235 
236 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
237 #define ROTL(DEST, SRC, SHIFT)                                      \
238 {                                                                   \
239     (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
240     (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
241     (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
242     (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
243 }
244 
245 #define FL(XL, XR, KL, KR)                                          \
246 {                                                                   \
247     (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR);   \
248     (XL) = ((XR) | (KR)) ^ (XL);                                    \
249 }
250 
251 #define FLInv(YL, YR, KL, KR)                                       \
252 {                                                                   \
253     (YL) = ((YR) | (KR)) ^ (YL);                                    \
254     (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR);   \
255 }
256 
257 #define SHIFT_AND_PLACE(INDEX, OFFSET)                      \
258 {                                                           \
259     TK[0] = KC[(OFFSET) * 4 + 0];                           \
260     TK[1] = KC[(OFFSET) * 4 + 1];                           \
261     TK[2] = KC[(OFFSET) * 4 + 2];                           \
262     TK[3] = KC[(OFFSET) * 4 + 3];                           \
263                                                             \
264     for( i = 1; i <= 4; i++ )                               \
265         if( shifts[(INDEX)][(OFFSET)][i -1] )               \
266             ROTL(TK + i * 4, TK, ( 15 * i ) % 32);          \
267                                                             \
268     for( i = 0; i < 20; i++ )                               \
269         if( indexes[(INDEX)][(OFFSET)][i] != -1 ) {         \
270             RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ];    \
271         }                                                   \
272 }
273 
camellia_feistel(const uint32_t x[2],const uint32_t k[2],uint32_t z[2])274 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
275                               uint32_t z[2])
276 {
277     uint32_t I0, I1;
278     I0 = x[0] ^ k[0];
279     I1 = x[1] ^ k[1];
280 
281     I0 = ((uint32_t) SBOX1( MBEDTLS_BYTE_3( I0 )) << 24) |
282          ((uint32_t) SBOX2( MBEDTLS_BYTE_2( I0 )) << 16) |
283          ((uint32_t) SBOX3( MBEDTLS_BYTE_1( I0 )) <<  8) |
284          ((uint32_t) SBOX4( MBEDTLS_BYTE_0( I0 ))      );
285     I1 = ((uint32_t) SBOX2( MBEDTLS_BYTE_3( I1 )) << 24) |
286          ((uint32_t) SBOX3( MBEDTLS_BYTE_2( I1 )) << 16) |
287          ((uint32_t) SBOX4( MBEDTLS_BYTE_1( I1 )) <<  8) |
288          ((uint32_t) SBOX1( MBEDTLS_BYTE_0( I1 ))      );
289 
290     I0 ^= (I1 << 8) | (I1 >> 24);
291     I1 ^= (I0 << 16) | (I0 >> 16);
292     I0 ^= (I1 >> 8) | (I1 << 24);
293     I1 ^= (I0 >> 8) | (I0 << 24);
294 
295     z[0] ^= I1;
296     z[1] ^= I0;
297 }
298 
mbedtls_camellia_init(mbedtls_camellia_context * ctx)299 void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
300 {
301     CAMELLIA_VALIDATE( ctx != NULL );
302     memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
303 }
304 
mbedtls_camellia_free(mbedtls_camellia_context * ctx)305 void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
306 {
307     if( ctx == NULL )
308         return;
309 
310     mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
311 }
312 
313 /*
314  * Camellia key schedule (encryption)
315  */
mbedtls_camellia_setkey_enc(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)316 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
317                                  const unsigned char *key,
318                                  unsigned int keybits )
319 {
320     int idx;
321     size_t i;
322     uint32_t *RK;
323     unsigned char t[64];
324     uint32_t SIGMA[6][2];
325     uint32_t KC[16];
326     uint32_t TK[20];
327 
328     CAMELLIA_VALIDATE_RET( ctx != NULL );
329     CAMELLIA_VALIDATE_RET( key != NULL );
330 
331     RK = ctx->rk;
332 
333     memset( t, 0, 64 );
334     memset( RK, 0, sizeof(ctx->rk) );
335 
336     switch( keybits )
337     {
338         case 128: ctx->nr = 3; idx = 0; break;
339         case 192:
340         case 256: ctx->nr = 4; idx = 1; break;
341         default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
342     }
343 
344     for( i = 0; i < keybits / 8; ++i )
345         t[i] = key[i];
346 
347     if( keybits == 192 ) {
348         for( i = 0; i < 8; i++ )
349             t[24 + i] = ~t[16 + i];
350     }
351 
352     /*
353      * Prepare SIGMA values
354      */
355     for( i = 0; i < 6; i++ ) {
356         SIGMA[i][0] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 0 );
357         SIGMA[i][1] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 4 );
358     }
359 
360     /*
361      * Key storage in KC
362      * Order: KL, KR, KA, KB
363      */
364     memset( KC, 0, sizeof(KC) );
365 
366     /* Store KL, KR */
367     for( i = 0; i < 8; i++ )
368         KC[i] = MBEDTLS_GET_UINT32_BE( t, i * 4 );
369 
370     /* Generate KA */
371     for( i = 0; i < 4; ++i )
372         KC[8 + i] = KC[i] ^ KC[4 + i];
373 
374     camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
375     camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
376 
377     for( i = 0; i < 4; ++i )
378         KC[8 + i] ^= KC[i];
379 
380     camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
381     camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
382 
383     if( keybits > 128 ) {
384         /* Generate KB */
385         for( i = 0; i < 4; ++i )
386             KC[12 + i] = KC[4 + i] ^ KC[8 + i];
387 
388         camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
389         camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
390     }
391 
392     /*
393      * Generating subkeys
394      */
395 
396     /* Manipulating KL */
397     SHIFT_AND_PLACE( idx, 0 );
398 
399     /* Manipulating KR */
400     if( keybits > 128 ) {
401         SHIFT_AND_PLACE( idx, 1 );
402     }
403 
404     /* Manipulating KA */
405     SHIFT_AND_PLACE( idx, 2 );
406 
407     /* Manipulating KB */
408     if( keybits > 128 ) {
409         SHIFT_AND_PLACE( idx, 3 );
410     }
411 
412     /* Do transpositions */
413     for( i = 0; i < 20; i++ ) {
414         if( transposes[idx][i] != -1 ) {
415             RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
416         }
417     }
418 
419     return( 0 );
420 }
421 
422 /*
423  * Camellia key schedule (decryption)
424  */
mbedtls_camellia_setkey_dec(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)425 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
426                                  const unsigned char *key,
427                                  unsigned int keybits )
428 {
429     int idx, ret;
430     size_t i;
431     mbedtls_camellia_context cty;
432     uint32_t *RK;
433     uint32_t *SK;
434     CAMELLIA_VALIDATE_RET( ctx != NULL );
435     CAMELLIA_VALIDATE_RET( key != NULL );
436 
437     mbedtls_camellia_init( &cty );
438 
439     /* Also checks keybits */
440     if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
441         goto exit;
442 
443     ctx->nr = cty.nr;
444     idx = ( ctx->nr == 4 );
445 
446     RK = ctx->rk;
447     SK = cty.rk + 24 * 2 + 8 * idx * 2;
448 
449     *RK++ = *SK++;
450     *RK++ = *SK++;
451     *RK++ = *SK++;
452     *RK++ = *SK++;
453 
454     for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
455     {
456         *RK++ = *SK++;
457         *RK++ = *SK++;
458     }
459 
460     SK -= 2;
461 
462     *RK++ = *SK++;
463     *RK++ = *SK++;
464     *RK++ = *SK++;
465     *RK++ = *SK++;
466 
467 exit:
468     mbedtls_camellia_free( &cty );
469 
470     return( ret );
471 }
472 
473 /*
474  * Camellia-ECB block encryption/decryption
475  */
mbedtls_camellia_crypt_ecb(mbedtls_camellia_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])476 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
477                     int mode,
478                     const unsigned char input[16],
479                     unsigned char output[16] )
480 {
481     int NR;
482     uint32_t *RK, X[4];
483     CAMELLIA_VALIDATE_RET( ctx != NULL );
484     CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
485                            mode == MBEDTLS_CAMELLIA_DECRYPT );
486     CAMELLIA_VALIDATE_RET( input  != NULL );
487     CAMELLIA_VALIDATE_RET( output != NULL );
488 
489     ( (void) mode );
490 
491     NR = ctx->nr;
492     RK = ctx->rk;
493 
494     X[0] = MBEDTLS_GET_UINT32_BE( input,  0 );
495     X[1] = MBEDTLS_GET_UINT32_BE( input,  4 );
496     X[2] = MBEDTLS_GET_UINT32_BE( input,  8 );
497     X[3] = MBEDTLS_GET_UINT32_BE( input, 12 );
498 
499     X[0] ^= *RK++;
500     X[1] ^= *RK++;
501     X[2] ^= *RK++;
502     X[3] ^= *RK++;
503 
504     while( NR ) {
505         --NR;
506         camellia_feistel( X, RK, X + 2 );
507         RK += 2;
508         camellia_feistel( X + 2, RK, X );
509         RK += 2;
510         camellia_feistel( X, RK, X + 2 );
511         RK += 2;
512         camellia_feistel( X + 2, RK, X );
513         RK += 2;
514         camellia_feistel( X, RK, X + 2 );
515         RK += 2;
516         camellia_feistel( X + 2, RK, X );
517         RK += 2;
518 
519         if( NR ) {
520             FL(X[0], X[1], RK[0], RK[1]);
521             RK += 2;
522             FLInv(X[2], X[3], RK[0], RK[1]);
523             RK += 2;
524         }
525     }
526 
527     X[2] ^= *RK++;
528     X[3] ^= *RK++;
529     X[0] ^= *RK++;
530     X[1] ^= *RK++;
531 
532     MBEDTLS_PUT_UINT32_BE( X[2], output,  0 );
533     MBEDTLS_PUT_UINT32_BE( X[3], output,  4 );
534     MBEDTLS_PUT_UINT32_BE( X[0], output,  8 );
535     MBEDTLS_PUT_UINT32_BE( X[1], output, 12 );
536 
537     return( 0 );
538 }
539 
540 #if defined(MBEDTLS_CIPHER_MODE_CBC)
541 /*
542  * Camellia-CBC buffer encryption/decryption
543  */
mbedtls_camellia_crypt_cbc(mbedtls_camellia_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)544 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
545                                 int mode,
546                                 size_t length,
547                                 unsigned char iv[16],
548                                 const unsigned char *input,
549                                 unsigned char *output )
550 {
551     int i;
552     unsigned char temp[16];
553     CAMELLIA_VALIDATE_RET( ctx != NULL );
554     CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
555                            mode == MBEDTLS_CAMELLIA_DECRYPT );
556     CAMELLIA_VALIDATE_RET( iv != NULL );
557     CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
558     CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
559 
560     if( length % 16 )
561         return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
562 
563     if( mode == MBEDTLS_CAMELLIA_DECRYPT )
564     {
565         while( length > 0 )
566         {
567             memcpy( temp, input, 16 );
568             mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
569 
570             for( i = 0; i < 16; i++ )
571                 output[i] = (unsigned char)( output[i] ^ iv[i] );
572 
573             memcpy( iv, temp, 16 );
574 
575             input  += 16;
576             output += 16;
577             length -= 16;
578         }
579     }
580     else
581     {
582         while( length > 0 )
583         {
584             for( i = 0; i < 16; i++ )
585                 output[i] = (unsigned char)( input[i] ^ iv[i] );
586 
587             mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
588             memcpy( iv, output, 16 );
589 
590             input  += 16;
591             output += 16;
592             length -= 16;
593         }
594     }
595 
596     return( 0 );
597 }
598 #endif /* MBEDTLS_CIPHER_MODE_CBC */
599 
600 #if defined(MBEDTLS_CIPHER_MODE_CFB)
601 /*
602  * Camellia-CFB128 buffer encryption/decryption
603  */
mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)604 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
605                        int mode,
606                        size_t length,
607                        size_t *iv_off,
608                        unsigned char iv[16],
609                        const unsigned char *input,
610                        unsigned char *output )
611 {
612     int c;
613     size_t n;
614     CAMELLIA_VALIDATE_RET( ctx != NULL );
615     CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
616                            mode == MBEDTLS_CAMELLIA_DECRYPT );
617     CAMELLIA_VALIDATE_RET( iv     != NULL );
618     CAMELLIA_VALIDATE_RET( iv_off != NULL );
619     CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
620     CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
621 
622     n = *iv_off;
623     if( n >= 16 )
624         return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
625 
626     if( mode == MBEDTLS_CAMELLIA_DECRYPT )
627     {
628         while( length-- )
629         {
630             if( n == 0 )
631                 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
632 
633             c = *input++;
634             *output++ = (unsigned char)( c ^ iv[n] );
635             iv[n] = (unsigned char) c;
636 
637             n = ( n + 1 ) & 0x0F;
638         }
639     }
640     else
641     {
642         while( length-- )
643         {
644             if( n == 0 )
645                 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
646 
647             iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
648 
649             n = ( n + 1 ) & 0x0F;
650         }
651     }
652 
653     *iv_off = n;
654 
655     return( 0 );
656 }
657 #endif /* MBEDTLS_CIPHER_MODE_CFB */
658 
659 #if defined(MBEDTLS_CIPHER_MODE_CTR)
660 /*
661  * Camellia-CTR buffer encryption/decryption
662  */
mbedtls_camellia_crypt_ctr(mbedtls_camellia_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)663 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
664                        size_t length,
665                        size_t *nc_off,
666                        unsigned char nonce_counter[16],
667                        unsigned char stream_block[16],
668                        const unsigned char *input,
669                        unsigned char *output )
670 {
671     int c, i;
672     size_t n;
673     CAMELLIA_VALIDATE_RET( ctx != NULL );
674     CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
675     CAMELLIA_VALIDATE_RET( stream_block  != NULL );
676     CAMELLIA_VALIDATE_RET( nc_off != NULL );
677     CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
678     CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
679 
680     n = *nc_off;
681     if( n >= 16 )
682         return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
683 
684     while( length-- )
685     {
686         if( n == 0 ) {
687             mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
688                                 stream_block );
689 
690             for( i = 16; i > 0; i-- )
691                 if( ++nonce_counter[i - 1] != 0 )
692                     break;
693         }
694         c = *input++;
695         *output++ = (unsigned char)( c ^ stream_block[n] );
696 
697         n = ( n + 1 ) & 0x0F;
698     }
699 
700     *nc_off = n;
701 
702     return( 0 );
703 }
704 #endif /* MBEDTLS_CIPHER_MODE_CTR */
705 #endif /* !MBEDTLS_CAMELLIA_ALT */
706 
707 #if defined(MBEDTLS_SELF_TEST)
708 
709 /*
710  * Camellia test vectors from:
711  *
712  * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
713  *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
714  *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
715  *                      (For each bitlength: Key 0, Nr 39)
716  */
717 #define CAMELLIA_TESTS_ECB  2
718 
719 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
720 {
721     {
722         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
723           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
724         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
725           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
726     },
727     {
728         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
729           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
730           0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
731         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
732           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
733           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
734     },
735     {
736         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
737           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
738           0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
739           0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
740         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
741           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
742           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
743           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
744     },
745 };
746 
747 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
748 {
749     { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
750       0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
751     { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
752       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
753 };
754 
755 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
756 {
757     {
758         { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
759           0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
760         { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
761           0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
762     },
763     {
764         { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
765           0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
766         { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
767           0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
768     },
769     {
770         { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
771           0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
772         { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
773           0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
774     }
775 };
776 
777 #if defined(MBEDTLS_CIPHER_MODE_CBC)
778 #define CAMELLIA_TESTS_CBC  3
779 
780 static const unsigned char camellia_test_cbc_key[3][32] =
781 {
782         { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
783           0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
784     ,
785         { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
786           0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
787           0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
788     ,
789         { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
790           0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
791           0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
792           0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
793 };
794 
795 static const unsigned char camellia_test_cbc_iv[16] =
796 
797     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
798       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
799 ;
800 
801 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
802 {
803     { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
804       0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
805     { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
806       0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
807     { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
808       0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
809 
810 };
811 
812 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
813 {
814     {
815         { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
816           0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
817         { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
818           0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
819         { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
820           0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
821     },
822     {
823         { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
824           0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
825         { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
826           0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
827         { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
828           0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
829     },
830     {
831         { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
832           0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
833         { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
834           0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
835         { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
836           0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
837     }
838 };
839 #endif /* MBEDTLS_CIPHER_MODE_CBC */
840 
841 #if defined(MBEDTLS_CIPHER_MODE_CTR)
842 /*
843  * Camellia-CTR test vectors from:
844  *
845  * http://www.faqs.org/rfcs/rfc5528.html
846  */
847 
848 static const unsigned char camellia_test_ctr_key[3][16] =
849 {
850     { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
851       0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
852     { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
853       0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
854     { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
855       0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
856 };
857 
858 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
859 {
860     { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
861       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
862     { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
863       0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
864     { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
865       0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
866 };
867 
868 static const unsigned char camellia_test_ctr_pt[3][48] =
869 {
870     { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
871       0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
872 
873     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
874       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
875       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
876       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
877 
878     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
879       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
880       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
881       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
882       0x20, 0x21, 0x22, 0x23 }
883 };
884 
885 static const unsigned char camellia_test_ctr_ct[3][48] =
886 {
887     { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
888       0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
889     { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
890       0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
891       0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
892       0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
893     { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
894       0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
895       0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
896       0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
897       0xDF, 0x50, 0x86, 0x96 }
898 };
899 
900 static const int camellia_test_ctr_len[3] =
901     { 16, 32, 36 };
902 #endif /* MBEDTLS_CIPHER_MODE_CTR */
903 
904 /*
905  * Checkup routine
906  */
mbedtls_camellia_self_test(int verbose)907 int mbedtls_camellia_self_test( int verbose )
908 {
909     int i, j, u, v;
910     unsigned char key[32];
911     unsigned char buf[64];
912     unsigned char src[16];
913     unsigned char dst[16];
914 #if defined(MBEDTLS_CIPHER_MODE_CBC)
915     unsigned char iv[16];
916 #endif
917 #if defined(MBEDTLS_CIPHER_MODE_CTR)
918     size_t offset, len;
919     unsigned char nonce_counter[16];
920     unsigned char stream_block[16];
921 #endif
922     int ret = 1;
923 
924     mbedtls_camellia_context ctx;
925 
926     mbedtls_camellia_init( &ctx );
927     memset( key, 0, 32 );
928 
929     for( j = 0; j < 6; j++ ) {
930         u = j >> 1;
931     v = j & 1;
932 
933     if( verbose != 0 )
934         mbedtls_printf( "  CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
935                          (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
936 
937     for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
938         memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
939 
940         if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
941             mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
942             memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
943             memcpy( dst, camellia_test_ecb_plain[i], 16 );
944         } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
945             mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
946             memcpy( src, camellia_test_ecb_plain[i], 16 );
947             memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
948         }
949 
950         mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
951 
952         if( memcmp( buf, dst, 16 ) != 0 )
953         {
954             if( verbose != 0 )
955                 mbedtls_printf( "failed\n" );
956             goto exit;
957         }
958     }
959 
960     if( verbose != 0 )
961         mbedtls_printf( "passed\n" );
962     }
963 
964     if( verbose != 0 )
965         mbedtls_printf( "\n" );
966 
967 #if defined(MBEDTLS_CIPHER_MODE_CBC)
968     /*
969      * CBC mode
970      */
971     for( j = 0; j < 6; j++ )
972     {
973         u = j >> 1;
974         v = j  & 1;
975 
976         if( verbose != 0 )
977             mbedtls_printf( "  CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
978                              ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
979 
980         memcpy( src, camellia_test_cbc_iv, 16 );
981         memcpy( dst, camellia_test_cbc_iv, 16 );
982         memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
983 
984         if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
985             mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
986         } else {
987             mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
988         }
989 
990         for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
991 
992             if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
993                 memcpy( iv , src, 16 );
994                 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
995                 memcpy( dst, camellia_test_cbc_plain[i], 16 );
996             } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
997                 memcpy( iv , dst, 16 );
998                 memcpy( src, camellia_test_cbc_plain[i], 16 );
999                 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
1000             }
1001 
1002             mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
1003 
1004             if( memcmp( buf, dst, 16 ) != 0 )
1005             {
1006                 if( verbose != 0 )
1007                     mbedtls_printf( "failed\n" );
1008                 goto exit;
1009             }
1010         }
1011 
1012         if( verbose != 0 )
1013             mbedtls_printf( "passed\n" );
1014     }
1015 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1016 
1017     if( verbose != 0 )
1018         mbedtls_printf( "\n" );
1019 
1020 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1021     /*
1022      * CTR mode
1023      */
1024     for( i = 0; i < 6; i++ )
1025     {
1026         u = i >> 1;
1027         v = i  & 1;
1028 
1029         if( verbose != 0 )
1030             mbedtls_printf( "  CAMELLIA-CTR-128 (%s): ",
1031                              ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1032 
1033         memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1034         memcpy( key, camellia_test_ctr_key[u], 16 );
1035 
1036         offset = 0;
1037         mbedtls_camellia_setkey_enc( &ctx, key, 128 );
1038 
1039         if( v == MBEDTLS_CAMELLIA_DECRYPT )
1040         {
1041             len = camellia_test_ctr_len[u];
1042             memcpy( buf, camellia_test_ctr_ct[u], len );
1043 
1044             mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1045                                 buf, buf );
1046 
1047             if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1048             {
1049                 if( verbose != 0 )
1050                     mbedtls_printf( "failed\n" );
1051                 goto exit;
1052             }
1053         }
1054         else
1055         {
1056             len = camellia_test_ctr_len[u];
1057             memcpy( buf, camellia_test_ctr_pt[u], len );
1058 
1059             mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1060                                 buf, buf );
1061 
1062             if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1063             {
1064                 if( verbose != 0 )
1065                     mbedtls_printf( "failed\n" );
1066                 goto exit;
1067             }
1068         }
1069 
1070         if( verbose != 0 )
1071             mbedtls_printf( "passed\n" );
1072     }
1073 
1074     if( verbose != 0 )
1075         mbedtls_printf( "\n" );
1076 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1077 
1078     ret = 0;
1079 
1080 exit:
1081     mbedtls_camellia_free( &ctx );
1082     return( ret );
1083 }
1084 
1085 #endif /* MBEDTLS_SELF_TEST */
1086 
1087 #endif /* MBEDTLS_CAMELLIA_C */
1088