• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * An implementation of the CAMELLIA algorithm as mentioned in RFC3713
3  * Copyright (c) 2014 Supraja Meedinti
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21 #include "camellia.h"
22 #include "common.h"
23 #include "intreadwrite.h"
24 #include "attributes.h"
25 
26 #define LR32(x,c) ((x) << (c) | (x) >> (32 - (c)))
27 #define RR32(x,c) ((x) >> (c) | (x) << (32 - (c)))
28 
29 #define MASK8 0xff
30 #define MASK32 0xffffffff
31 #define MASK64 0xffffffffffffffff
32 
33 #define Sigma1  0xA09E667F3BCC908B
34 #define Sigma2  0xB67AE8584CAA73B2
35 #define Sigma3  0xC6EF372FE94F82BE
36 #define Sigma4  0x54FF53A5F1D36F1C
37 #define Sigma5  0x10E527FADE682D1D
38 #define Sigma6  0xB05688C2B3E6C1FD
39 
40 static uint64_t SP[8][256];
41 
42 typedef struct AVCAMELLIA {
43     uint64_t Kw[4];
44     uint64_t Ke[6];
45     uint64_t K[24];
46     int key_bits;
47 } AVCAMELLIA;
48 
49 static const uint8_t SBOX1[256] = {
50 112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
51  35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
52 134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
53 166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
54 139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
55 223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
56  20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
57 254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
58 170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
59  16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
60 135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
61  82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
62 233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
63 120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
64 114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
65  64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
66 };
67 
68 static const uint8_t SBOX2[256] = {
69 224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
70  70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
71  13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
72  77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
73  23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
74 191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
75  40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
76 253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
77  85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
78  32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
79  15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
80 164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
81 211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
82 240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
83 228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
84 128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
85 };
86 
87 static const uint8_t SBOX3[256] = {
88  56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
89 145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
90  67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
91  83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
92 197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
93 239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
94  10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
95 127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
96  85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
97   8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
98 195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
99  41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
100 244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
101  60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
102  57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
103  32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
104 };
105 
106 static const uint8_t SBOX4[256] = {
107 112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
108 134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
109 139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
110  20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
111 170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
112 135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
113 233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
114 114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
115 130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
116 184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
117  13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
118  88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
119 208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
120  92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
121 121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
122   7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
123 };
124 
125 const int av_camellia_size = sizeof(AVCAMELLIA);
126 
LR128(uint64_t d[2],const uint64_t K[2],int x)127 static void LR128(uint64_t d[2], const uint64_t K[2], int x)
128 {
129     int i = 0;
130     if (64 <= x && x < 128) {
131         i = 1;
132         x -= 64;
133     }
134     if (x <= 0 || x >= 128) {
135         d[0] = K[i];
136         d[1] = K[!i];
137         return;
138     }
139     d[0] = (K[i] << x | K[!i] >> (64 - x));
140     d[1] = (K[!i] << x | K[i] >> (64 - x));
141 }
142 
F(uint64_t F_IN,uint64_t KE)143 static uint64_t F(uint64_t F_IN, uint64_t KE)
144 {
145     KE ^= F_IN;
146     F_IN=SP[0][KE >> 56]^SP[1][(KE >> 48) & MASK8]^SP[2][(KE >> 40) & MASK8]^SP[3][(KE >> 32) & MASK8]^SP[4][(KE >> 24) & MASK8]^SP[5][(KE >> 16) & MASK8]^SP[6][(KE >> 8) & MASK8]^SP[7][KE & MASK8];
147     return F_IN;
148 }
149 
FL(uint64_t FL_IN,uint64_t KE)150 static uint64_t FL(uint64_t FL_IN, uint64_t KE)
151 {
152     uint32_t x1, x2, k1, k2;
153     x1 = FL_IN >> 32;
154     x2 = FL_IN & MASK32;
155     k1 = KE >> 32;
156     k2 = KE & MASK32;
157     x2 = x2 ^ LR32((x1 & k1), 1);
158     x1 = x1 ^ (x2 | k2);
159     return ((uint64_t)x1 << 32) | (uint64_t)x2;
160 }
161 
FLINV(uint64_t FLINV_IN,uint64_t KE)162 static uint64_t FLINV(uint64_t FLINV_IN, uint64_t KE)
163 {
164     uint32_t x1, x2, k1, k2;
165     x1 = FLINV_IN >> 32;
166     x2 = FLINV_IN & MASK32;
167     k1 = KE >> 32;
168     k2 = KE & MASK32;
169     x1 = x1 ^ (x2 | k2);
170     x2 = x2 ^ LR32((x1 & k1), 1);
171     return ((uint64_t)x1 << 32) | (uint64_t)x2;
172 }
173 
174 static const uint8_t shifts[2][12] = {
175     {0, 15, 15, 45, 45, 60, 94, 94, 111},
176     {0, 15, 15, 30, 45, 45, 60, 60,  77, 94, 94, 111}
177 };
178 
179 static const uint8_t vars[2][12] = {
180     {2, 0, 2, 0, 2, 2, 0, 2, 0},
181     {3, 1, 2, 3, 0, 2, 1, 3, 0, 1, 2, 0}
182 };
183 
generate_round_keys(AVCAMELLIA * cs,uint64_t Kl[2],uint64_t Kr[2],uint64_t Ka[2],uint64_t Kb[2])184 static void generate_round_keys(AVCAMELLIA *cs, uint64_t Kl[2], uint64_t Kr[2], uint64_t Ka[2], uint64_t Kb[2])
185 {
186     int i;
187     uint64_t *Kd[4], d[2];
188     Kd[0] = Kl;
189     Kd[1] = Kr;
190     Kd[2] = Ka;
191     Kd[3] = Kb;
192     cs->Kw[0] = Kl[0];
193     cs->Kw[1] = Kl[1];
194     if (cs->key_bits == 128) {
195         for (i = 0; i < 9; i++) {
196             LR128(d, Kd[vars[0][i]], shifts[0][i]);
197             cs->K[2*i] = d[0];
198             cs->K[2*i+1] = d[1];
199         }
200         LR128(d, Kd[0], 60);
201         cs->K[9] = d[1];
202         LR128(d, Kd[2], 30);
203         cs->Ke[0] = d[0];
204         cs->Ke[1] = d[1];
205         LR128(d, Kd[0], 77);
206         cs->Ke[2] = d[0];
207         cs->Ke[3] = d[1];
208         LR128(d, Kd[2], 111);
209         cs->Kw[2] = d[0];
210         cs->Kw[3] = d[1];
211     } else {
212         for (i = 0; i < 12; i++) {
213             LR128(d, Kd[vars[1][i]], shifts[1][i]);
214             cs->K[2*i] = d[0];
215             cs->K[2*i+1] = d[1];
216         }
217         LR128(d, Kd[1], 30);
218         cs->Ke[0] = d[0];
219         cs->Ke[1] = d[1];
220         LR128(d, Kd[0], 60);
221         cs->Ke[2] = d[0];
222         cs->Ke[3] = d[1];
223         LR128(d, Kd[2], 77);
224         cs->Ke[4] = d[0];
225         cs->Ke[5] = d[1];
226         LR128(d, Kd[3], 111);
227         cs->Kw[2] = d[0];
228         cs->Kw[3] = d[1];
229     }
230 }
231 
camellia_encrypt(AVCAMELLIA * cs,uint8_t * dst,const uint8_t * src)232 static void camellia_encrypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src)
233 {
234     uint64_t D1, D2;
235     D1 = AV_RB64(src);
236     D2 = AV_RB64(src + 8);
237     D1 ^= cs->Kw[0];
238     D2 ^= cs->Kw[1];
239     D2 ^= F(D1, cs->K[0]);
240     D1 ^= F(D2, cs->K[1]);
241     D2 ^= F(D1, cs->K[2]);
242     D1 ^= F(D2, cs->K[3]);
243     D2 ^= F(D1, cs->K[4]);
244     D1 ^= F(D2, cs->K[5]);
245     D1 = FL(D1, cs->Ke[0]);
246     D2 = FLINV(D2, cs->Ke[1]);
247     D2 ^= F(D1, cs->K[6]);
248     D1 ^= F(D2, cs->K[7]);
249     D2 ^= F(D1, cs->K[8]);
250     D1 ^= F(D2, cs->K[9]);
251     D2 ^= F(D1, cs->K[10]);
252     D1 ^= F(D2, cs->K[11]);
253     D1 = FL(D1, cs->Ke[2]);
254     D2 = FLINV(D2, cs->Ke[3]);
255     D2 ^= F(D1, cs->K[12]);
256     D1 ^= F(D2, cs->K[13]);
257     D2 ^= F(D1, cs->K[14]);
258     D1 ^= F(D2, cs->K[15]);
259     D2 ^= F(D1, cs->K[16]);
260     D1 ^= F(D2, cs->K[17]);
261     if (cs->key_bits != 128) {
262         D1 = FL(D1, cs->Ke[4]);
263         D2 = FLINV(D2, cs->Ke[5]);
264         D2 ^= F(D1, cs->K[18]);
265         D1 ^= F(D2, cs->K[19]);
266         D2 ^= F(D1, cs->K[20]);
267         D1 ^= F(D2, cs->K[21]);
268         D2 ^= F(D1, cs->K[22]);
269         D1 ^= F(D2, cs->K[23]);
270     }
271     D2 ^= cs->Kw[2];
272     D1 ^= cs->Kw[3];
273     AV_WB64(dst, D2);
274     AV_WB64(dst + 8, D1);
275 }
276 
camellia_decrypt(AVCAMELLIA * cs,uint8_t * dst,const uint8_t * src,uint8_t * iv)277 static void camellia_decrypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src, uint8_t *iv)
278 {
279     uint64_t D1, D2;
280     D1 = AV_RB64(src);
281     D2 = AV_RB64(src + 8);
282     D1 ^= cs->Kw[2];
283     D2 ^= cs->Kw[3];
284     if (cs->key_bits != 128) {
285         D2 ^= F(D1, cs->K[23]);
286         D1 ^= F(D2, cs->K[22]);
287         D2 ^= F(D1, cs->K[21]);
288         D1 ^= F(D2, cs->K[20]);
289         D2 ^= F(D1, cs->K[19]);
290         D1 ^= F(D2, cs->K[18]);
291         D1 = FL(D1, cs->Ke[5]);
292         D2 = FLINV(D2, cs->Ke[4]);
293     }
294     D2 ^= F(D1, cs->K[17]);
295     D1 ^= F(D2, cs->K[16]);
296     D2 ^= F(D1, cs->K[15]);
297     D1 ^= F(D2, cs->K[14]);
298     D2 ^= F(D1, cs->K[13]);
299     D1 ^= F(D2, cs->K[12]);
300     D1 = FL(D1, cs->Ke[3]);
301     D2 = FLINV(D2, cs->Ke[2]);
302     D2 ^= F(D1, cs->K[11]);
303     D1 ^= F(D2, cs->K[10]);
304     D2 ^= F(D1, cs->K[9]);
305     D1 ^= F(D2, cs->K[8]);
306     D2 ^= F(D1, cs->K[7]);
307     D1 ^= F(D2, cs->K[6]);
308     D1 = FL(D1, cs->Ke[1]);
309     D2 = FLINV(D2, cs->Ke[0]);
310     D2 ^= F(D1, cs->K[5]);
311     D1 ^= F(D2, cs->K[4]);
312     D2 ^= F(D1, cs->K[3]);
313     D1 ^= F(D2, cs->K[2]);
314     D2 ^= F(D1, cs->K[1]);
315     D1 ^= F(D2, cs->K[0]);
316     D2 ^= cs->Kw[0];
317     D1 ^= cs->Kw[1];
318     if (iv) {
319         D2 ^= AV_RB64(iv);
320         D1 ^= AV_RB64(iv + 8);
321         memcpy(iv, src, 16);
322     }
323     AV_WB64(dst, D2);
324     AV_WB64(dst + 8, D1);
325 }
326 
computeSP(void)327 static void computeSP(void)
328 {
329     uint64_t z;
330     int i;
331     for (i = 0; i < 256; i++) {
332         z = SBOX1[i];
333         SP[0][i] = (z << 56) ^ (z << 48) ^ (z << 40) ^ (z << 24) ^ z;
334         SP[7][i] = (z << 56) ^ (z << 48) ^ (z << 40) ^ (z << 24) ^ (z << 16) ^ (z << 8);
335         z = SBOX2[i];
336         SP[1][i] = (z << 48) ^ (z << 40) ^ (z << 32) ^ (z << 24) ^ (z << 16);
337         SP[4][i] = (z << 48) ^ (z << 40) ^ (z << 32) ^ (z << 16) ^ (z << 8) ^ z;
338         z = SBOX3[i];
339         SP[2][i] = (z << 56) ^ (z << 40) ^ (z << 32) ^ (z << 16) ^ (z << 8);
340         SP[5][i] = (z << 56) ^ (z << 40) ^ (z << 32) ^ (z << 24) ^ (z << 8) ^ z;
341         z = SBOX4[i];
342         SP[3][i] = (z << 56) ^ (z << 48) ^ (z << 32) ^ (z << 8) ^ z;
343         SP[6][i] = (z << 56) ^ (z << 48) ^ (z << 32) ^ (z << 24) ^ (z << 16) ^ z;
344     }
345 }
346 
av_camellia_alloc(void)347 struct AVCAMELLIA *av_camellia_alloc(void)
348 {
349     return av_mallocz(sizeof(struct AVCAMELLIA));
350 }
351 
av_camellia_init(AVCAMELLIA * cs,const uint8_t * key,int key_bits)352 av_cold int av_camellia_init(AVCAMELLIA *cs, const uint8_t *key, int key_bits)
353 {
354     uint64_t Kl[2], Kr[2], Ka[2], Kb[2];
355     uint64_t D1, D2;
356     if (key_bits != 128 && key_bits != 192 && key_bits != 256)
357         return AVERROR(EINVAL);
358     memset(Kb, 0, sizeof(Kb));
359     memset(Kr, 0, sizeof(Kr));
360     cs->key_bits = key_bits;
361     Kl[0] = AV_RB64(key);
362     Kl[1] = AV_RB64(key + 8);
363     if (key_bits == 192) {
364         Kr[0] = AV_RB64(key + 16);
365         Kr[1] = ~Kr[0];
366     } else if (key_bits == 256) {
367         Kr[0] = AV_RB64(key + 16);
368         Kr[1] = AV_RB64(key + 24);
369     }
370     computeSP();
371     D1 = Kl[0] ^ Kr[0];
372     D2 = Kl[1] ^ Kr[1];
373     D2 ^= F(D1, Sigma1);
374     D1 ^= F(D2, Sigma2);
375     D1 ^= Kl[0];
376     D2 ^= Kl[1];
377     D2 ^= F(D1, Sigma3);
378     D1 ^= F(D2, Sigma4);
379     Ka[0] = D1;
380     Ka[1] = D2;
381     if (key_bits != 128) {
382         D1 = Ka[0] ^ Kr[0];
383         D2 = Ka[1] ^ Kr[1];
384         D2 ^= F(D1, Sigma5);
385         D1 ^= F(D2, Sigma6);
386         Kb[0] = D1;
387         Kb[1] = D2;
388     }
389     generate_round_keys(cs, Kl, Kr, Ka, Kb);
390     return 0;
391 }
392 
av_camellia_crypt(AVCAMELLIA * cs,uint8_t * dst,const uint8_t * src,int count,uint8_t * iv,int decrypt)393 void av_camellia_crypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int decrypt)
394 {
395     int i;
396     while (count--) {
397         if (decrypt) {
398             camellia_decrypt(cs, dst, src, iv);
399         } else {
400             if (iv) {
401                 for (i = 0; i < 16; i++)
402                     dst[i] = src[i] ^ iv[i];
403                 camellia_encrypt(cs, dst, dst);
404                 memcpy(iv, dst, 16);
405             } else {
406                 camellia_encrypt(cs, dst, src);
407             }
408         }
409         src = src + 16;
410         dst = dst + 16;
411     }
412 }
413