• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  Camellia implementation
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 /*
20  *  The Camellia block cipher was designed by NTT and Mitsubishi Electric
21  *  Corporation.
22  *
23  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
24  */
25 
26 #include "common.h"
27 
28 #if defined(MBEDTLS_CAMELLIA_C)
29 
30 #include "mbedtls/camellia.h"
31 #include "mbedtls/platform_util.h"
32 
33 #include <string.h>
34 
35 #include "mbedtls/platform.h"
36 
37 #if !defined(MBEDTLS_CAMELLIA_ALT)
38 
39 static const unsigned char SIGMA_CHARS[6][8] =
40 {
41     { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
42     { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
43     { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
44     { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
45     { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
46     { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
47 };
48 
49 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
50 
51 static const unsigned char FSb[256] =
52 {
53     112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
54     35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
55     134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
56     166, 225, 57, 202, 213, 71, 93, 61, 217,  1, 90, 214, 81, 86, 108, 77,
57     139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
58     223, 76, 203, 194, 52, 126, 118,  5, 109, 183, 169, 49, 209, 23,  4, 215,
59     20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
60     254, 68, 207, 178, 195, 181, 122, 145, 36,  8, 232, 168, 96, 252, 105, 80,
61     170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
62     16, 196,  0, 72, 163, 247, 117, 219, 138,  3, 230, 218,  9, 63, 221, 148,
63     135, 92, 131,  2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
64     82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
65     233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
66     120, 152,  6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
67     114,  7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
68     64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
69 };
70 
71 #define SBOX1(n) FSb[(n)]
72 #define SBOX2(n) (unsigned char) ((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
73 #define SBOX3(n) (unsigned char) ((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
74 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
75 
76 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
77 
78 static const unsigned char FSb[256] =
79 {
80     112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
81     35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
82     134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
83     166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
84     139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
85     223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
86     20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
87     254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
88     170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
89     16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
90     135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
91     82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
92     233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
93     120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
94     114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
95     64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
96 };
97 
98 static const unsigned char FSb2[256] =
99 {
100     224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
101     70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
102     13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
103     77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
104     23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
105     191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
106     40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
107     253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
108     85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
109     32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
110     15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
111     164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
112     211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
113     240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
114     228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
115     128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
116 };
117 
118 static const unsigned char FSb3[256] =
119 {
120     56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
121     145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
122     67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
123     83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
124     197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
125     239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
126     10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
127     127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
128     85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
129     8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
130     195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
131     41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
132     244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
133     60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
134     57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
135     32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
136 };
137 
138 static const unsigned char FSb4[256] =
139 {
140     112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
141     134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
142     139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
143     20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
144     170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
145     135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
146     233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
147     114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
148     130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
149     184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
150     13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
151     88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
152     208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
153     92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
154     121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
155     7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
156 };
157 
158 #define SBOX1(n) FSb[(n)]
159 #define SBOX2(n) FSb2[(n)]
160 #define SBOX3(n) FSb3[(n)]
161 #define SBOX4(n) FSb4[(n)]
162 
163 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
164 
165 static const unsigned char shifts[2][4][4] =
166 {
167     {
168         { 1, 1, 1, 1 }, /* KL */
169         { 0, 0, 0, 0 }, /* KR */
170         { 1, 1, 1, 1 }, /* KA */
171         { 0, 0, 0, 0 }  /* KB */
172     },
173     {
174         { 1, 0, 1, 1 }, /* KL */
175         { 1, 1, 0, 1 }, /* KR */
176         { 1, 1, 1, 0 }, /* KA */
177         { 1, 1, 0, 1 }  /* KB */
178     }
179 };
180 
181 static const signed char indexes[2][4][20] =
182 {
183     {
184         {  0,  1,  2,  3,  8,  9, 10, 11, 38, 39,
185            36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
186         { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
187           -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
188         {  4,  5,  6,  7, 12, 13, 14, 15, 16, 17,
189            18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
190         { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
191           -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }  /* KB -> RK */
192     },
193     {
194         {  0,  1,  2,  3, 61, 62, 63, 60, -1, -1,
195            -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
196         { -1, -1, -1, -1,  8,  9, 10, 11, 16, 17,
197           18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
198         { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
199           56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
200         {  4,  5,  6,  7, 65, 66, 67, 64, 20, 21,
201            22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
202     }
203 };
204 
205 static const signed char transposes[2][20] =
206 {
207     {
208         21, 22, 23, 20,
209         -1, -1, -1, -1,
210         18, 19, 16, 17,
211         11,  8,  9, 10,
212         15, 12, 13, 14
213     },
214     {
215         25, 26, 27, 24,
216         29, 30, 31, 28,
217         18, 19, 16, 17,
218         -1, -1, -1, -1,
219         -1, -1, -1, -1
220     }
221 };
222 
223 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
224 #define ROTL(DEST, SRC, SHIFT)                                      \
225     {                                                                   \
226         (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
227         (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
228         (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
229         (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
230     }
231 
232 #define FL(XL, XR, KL, KR)                                          \
233     {                                                                   \
234         (XR) = ((((XL) &(KL)) << 1) | (((XL) &(KL)) >> 31)) ^ (XR);   \
235         (XL) = ((XR) | (KR)) ^ (XL);                                    \
236     }
237 
238 #define FLInv(YL, YR, KL, KR)                                       \
239     {                                                                   \
240         (YL) = ((YR) | (KR)) ^ (YL);                                    \
241         (YR) = ((((YL) &(KL)) << 1) | (((YL) &(KL)) >> 31)) ^ (YR);   \
242     }
243 
244 #define SHIFT_AND_PLACE(INDEX, OFFSET)                      \
245     {                                                           \
246         TK[0] = KC[(OFFSET) * 4 + 0];                           \
247         TK[1] = KC[(OFFSET) * 4 + 1];                           \
248         TK[2] = KC[(OFFSET) * 4 + 2];                           \
249         TK[3] = KC[(OFFSET) * 4 + 3];                           \
250                                                             \
251         for (i = 1; i <= 4; i++)                               \
252         if (shifts[(INDEX)][(OFFSET)][i -1])               \
253         ROTL(TK + i * 4, TK, (15 * i) % 32);          \
254                                                             \
255         for (i = 0; i < 20; i++)                               \
256         if (indexes[(INDEX)][(OFFSET)][i] != -1) {         \
257             RK[indexes[(INDEX)][(OFFSET)][i]] = TK[i];    \
258         }                                                   \
259     }
260 
camellia_feistel(const uint32_t x[2],const uint32_t k[2],uint32_t z[2])261 static void camellia_feistel(const uint32_t x[2], const uint32_t k[2],
262                              uint32_t z[2])
263 {
264     uint32_t I0, I1;
265     I0 = x[0] ^ k[0];
266     I1 = x[1] ^ k[1];
267 
268     I0 = ((uint32_t) SBOX1(MBEDTLS_BYTE_3(I0)) << 24) |
269          ((uint32_t) SBOX2(MBEDTLS_BYTE_2(I0)) << 16) |
270          ((uint32_t) SBOX3(MBEDTLS_BYTE_1(I0)) <<  8) |
271          ((uint32_t) SBOX4(MBEDTLS_BYTE_0(I0)));
272     I1 = ((uint32_t) SBOX2(MBEDTLS_BYTE_3(I1)) << 24) |
273          ((uint32_t) SBOX3(MBEDTLS_BYTE_2(I1)) << 16) |
274          ((uint32_t) SBOX4(MBEDTLS_BYTE_1(I1)) <<  8) |
275          ((uint32_t) SBOX1(MBEDTLS_BYTE_0(I1)));
276 
277     I0 ^= (I1 << 8) | (I1 >> 24);
278     I1 ^= (I0 << 16) | (I0 >> 16);
279     I0 ^= (I1 >> 8) | (I1 << 24);
280     I1 ^= (I0 >> 8) | (I0 << 24);
281 
282     z[0] ^= I1;
283     z[1] ^= I0;
284 }
285 
mbedtls_camellia_init(mbedtls_camellia_context * ctx)286 void mbedtls_camellia_init(mbedtls_camellia_context *ctx)
287 {
288     memset(ctx, 0, sizeof(mbedtls_camellia_context));
289 }
290 
mbedtls_camellia_free(mbedtls_camellia_context * ctx)291 void mbedtls_camellia_free(mbedtls_camellia_context *ctx)
292 {
293     if (ctx == NULL) {
294         return;
295     }
296 
297     mbedtls_platform_zeroize(ctx, sizeof(mbedtls_camellia_context));
298 }
299 
300 /*
301  * Camellia key schedule (encryption)
302  */
mbedtls_camellia_setkey_enc(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)303 int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
304                                 const unsigned char *key,
305                                 unsigned int keybits)
306 {
307     int idx;
308     size_t i;
309     uint32_t *RK;
310     unsigned char t[64];
311     uint32_t SIGMA[6][2];
312     uint32_t KC[16];
313     uint32_t TK[20];
314 
315     RK = ctx->rk;
316 
317     memset(t, 0, 64);
318     memset(RK, 0, sizeof(ctx->rk));
319 
320     switch (keybits) {
321         case 128: ctx->nr = 3; idx = 0; break;
322         case 192:
323         case 256: ctx->nr = 4; idx = 1; break;
324         default: return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
325     }
326 
327     for (i = 0; i < keybits / 8; ++i) {
328         t[i] = key[i];
329     }
330 
331     if (keybits == 192) {
332         for (i = 0; i < 8; i++) {
333             t[24 + i] = ~t[16 + i];
334         }
335     }
336 
337     /*
338      * Prepare SIGMA values
339      */
340     for (i = 0; i < 6; i++) {
341         SIGMA[i][0] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 0);
342         SIGMA[i][1] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 4);
343     }
344 
345     /*
346      * Key storage in KC
347      * Order: KL, KR, KA, KB
348      */
349     memset(KC, 0, sizeof(KC));
350 
351     /* Store KL, KR */
352     for (i = 0; i < 8; i++) {
353         KC[i] = MBEDTLS_GET_UINT32_BE(t, i * 4);
354     }
355 
356     /* Generate KA */
357     for (i = 0; i < 4; ++i) {
358         KC[8 + i] = KC[i] ^ KC[4 + i];
359     }
360 
361     camellia_feistel(KC + 8, SIGMA[0], KC + 10);
362     camellia_feistel(KC + 10, SIGMA[1], KC + 8);
363 
364     for (i = 0; i < 4; ++i) {
365         KC[8 + i] ^= KC[i];
366     }
367 
368     camellia_feistel(KC + 8, SIGMA[2], KC + 10);
369     camellia_feistel(KC + 10, SIGMA[3], KC + 8);
370 
371     if (keybits > 128) {
372         /* Generate KB */
373         for (i = 0; i < 4; ++i) {
374             KC[12 + i] = KC[4 + i] ^ KC[8 + i];
375         }
376 
377         camellia_feistel(KC + 12, SIGMA[4], KC + 14);
378         camellia_feistel(KC + 14, SIGMA[5], KC + 12);
379     }
380 
381     /*
382      * Generating subkeys
383      */
384 
385     /* Manipulating KL */
386     SHIFT_AND_PLACE(idx, 0);
387 
388     /* Manipulating KR */
389     if (keybits > 128) {
390         SHIFT_AND_PLACE(idx, 1);
391     }
392 
393     /* Manipulating KA */
394     SHIFT_AND_PLACE(idx, 2);
395 
396     /* Manipulating KB */
397     if (keybits > 128) {
398         SHIFT_AND_PLACE(idx, 3);
399     }
400 
401     /* Do transpositions */
402     for (i = 0; i < 20; i++) {
403         if (transposes[idx][i] != -1) {
404             RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
405         }
406     }
407 
408     return 0;
409 }
410 
411 /*
412  * Camellia key schedule (decryption)
413  */
mbedtls_camellia_setkey_dec(mbedtls_camellia_context * ctx,const unsigned char * key,unsigned int keybits)414 int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
415                                 const unsigned char *key,
416                                 unsigned int keybits)
417 {
418     int idx, ret;
419     size_t i;
420     mbedtls_camellia_context cty;
421     uint32_t *RK;
422     uint32_t *SK;
423 
424     mbedtls_camellia_init(&cty);
425 
426     /* Also checks keybits */
427     if ((ret = mbedtls_camellia_setkey_enc(&cty, key, keybits)) != 0) {
428         goto exit;
429     }
430 
431     ctx->nr = cty.nr;
432     idx = (ctx->nr == 4);
433 
434     RK = ctx->rk;
435     SK = cty.rk + 24 * 2 + 8 * idx * 2;
436 
437     *RK++ = *SK++;
438     *RK++ = *SK++;
439     *RK++ = *SK++;
440     *RK++ = *SK++;
441 
442     for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4) {
443         *RK++ = *SK++;
444         *RK++ = *SK++;
445     }
446 
447     SK -= 2;
448 
449     *RK++ = *SK++;
450     *RK++ = *SK++;
451     *RK++ = *SK++;
452     *RK++ = *SK++;
453 
454 exit:
455     mbedtls_camellia_free(&cty);
456 
457     return ret;
458 }
459 
460 /*
461  * Camellia-ECB block encryption/decryption
462  */
mbedtls_camellia_crypt_ecb(mbedtls_camellia_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])463 int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
464                                int mode,
465                                const unsigned char input[16],
466                                unsigned char output[16])
467 {
468     int NR;
469     uint32_t *RK, X[4];
470     if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
471         return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
472     }
473 
474     ((void) mode);
475 
476     NR = ctx->nr;
477     RK = ctx->rk;
478 
479     X[0] = MBEDTLS_GET_UINT32_BE(input,  0);
480     X[1] = MBEDTLS_GET_UINT32_BE(input,  4);
481     X[2] = MBEDTLS_GET_UINT32_BE(input,  8);
482     X[3] = MBEDTLS_GET_UINT32_BE(input, 12);
483 
484     X[0] ^= *RK++;
485     X[1] ^= *RK++;
486     X[2] ^= *RK++;
487     X[3] ^= *RK++;
488 
489     while (NR) {
490         --NR;
491         camellia_feistel(X, RK, X + 2);
492         RK += 2;
493         camellia_feistel(X + 2, RK, X);
494         RK += 2;
495         camellia_feistel(X, RK, X + 2);
496         RK += 2;
497         camellia_feistel(X + 2, RK, X);
498         RK += 2;
499         camellia_feistel(X, RK, X + 2);
500         RK += 2;
501         camellia_feistel(X + 2, RK, X);
502         RK += 2;
503 
504         if (NR) {
505             FL(X[0], X[1], RK[0], RK[1]);
506             RK += 2;
507             FLInv(X[2], X[3], RK[0], RK[1]);
508             RK += 2;
509         }
510     }
511 
512     X[2] ^= *RK++;
513     X[3] ^= *RK++;
514     X[0] ^= *RK++;
515     X[1] ^= *RK++;
516 
517     MBEDTLS_PUT_UINT32_BE(X[2], output,  0);
518     MBEDTLS_PUT_UINT32_BE(X[3], output,  4);
519     MBEDTLS_PUT_UINT32_BE(X[0], output,  8);
520     MBEDTLS_PUT_UINT32_BE(X[1], output, 12);
521 
522     return 0;
523 }
524 
525 #if defined(MBEDTLS_CIPHER_MODE_CBC)
526 /*
527  * Camellia-CBC buffer encryption/decryption
528  */
mbedtls_camellia_crypt_cbc(mbedtls_camellia_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)529 int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
530                                int mode,
531                                size_t length,
532                                unsigned char iv[16],
533                                const unsigned char *input,
534                                unsigned char *output)
535 {
536     unsigned char temp[16];
537     if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
538         return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
539     }
540 
541     if (length % 16) {
542         return MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH;
543     }
544 
545     if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
546         while (length > 0) {
547             memcpy(temp, input, 16);
548             mbedtls_camellia_crypt_ecb(ctx, mode, input, output);
549 
550             mbedtls_xor(output, output, iv, 16);
551 
552             memcpy(iv, temp, 16);
553 
554             input  += 16;
555             output += 16;
556             length -= 16;
557         }
558     } else {
559         while (length > 0) {
560             mbedtls_xor(output, input, iv, 16);
561 
562             mbedtls_camellia_crypt_ecb(ctx, mode, output, output);
563             memcpy(iv, output, 16);
564 
565             input  += 16;
566             output += 16;
567             length -= 16;
568         }
569     }
570 
571     return 0;
572 }
573 #endif /* MBEDTLS_CIPHER_MODE_CBC */
574 
575 #if defined(MBEDTLS_CIPHER_MODE_CFB)
576 /*
577  * Camellia-CFB128 buffer encryption/decryption
578  */
mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)579 int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
580                                   int mode,
581                                   size_t length,
582                                   size_t *iv_off,
583                                   unsigned char iv[16],
584                                   const unsigned char *input,
585                                   unsigned char *output)
586 {
587     int c;
588     size_t n;
589     if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
590         return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
591     }
592 
593     n = *iv_off;
594     if (n >= 16) {
595         return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
596     }
597 
598     if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
599         while (length--) {
600             if (n == 0) {
601                 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
602             }
603 
604             c = *input++;
605             *output++ = (unsigned char) (c ^ iv[n]);
606             iv[n] = (unsigned char) c;
607 
608             n = (n + 1) & 0x0F;
609         }
610     } else {
611         while (length--) {
612             if (n == 0) {
613                 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
614             }
615 
616             iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
617 
618             n = (n + 1) & 0x0F;
619         }
620     }
621 
622     *iv_off = n;
623 
624     return 0;
625 }
626 #endif /* MBEDTLS_CIPHER_MODE_CFB */
627 
628 #if defined(MBEDTLS_CIPHER_MODE_CTR)
629 /*
630  * Camellia-CTR buffer encryption/decryption
631  */
mbedtls_camellia_crypt_ctr(mbedtls_camellia_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)632 int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
633                                size_t length,
634                                size_t *nc_off,
635                                unsigned char nonce_counter[16],
636                                unsigned char stream_block[16],
637                                const unsigned char *input,
638                                unsigned char *output)
639 {
640     int c, i;
641     size_t n;
642 
643     n = *nc_off;
644     if (n >= 16) {
645         return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
646     }
647 
648     while (length--) {
649         if (n == 0) {
650             mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
651                                        stream_block);
652 
653             for (i = 16; i > 0; i--) {
654                 if (++nonce_counter[i - 1] != 0) {
655                     break;
656                 }
657             }
658         }
659         c = *input++;
660         *output++ = (unsigned char) (c ^ stream_block[n]);
661 
662         n = (n + 1) & 0x0F;
663     }
664 
665     *nc_off = n;
666 
667     return 0;
668 }
669 #endif /* MBEDTLS_CIPHER_MODE_CTR */
670 #endif /* !MBEDTLS_CAMELLIA_ALT */
671 
672 #if defined(MBEDTLS_SELF_TEST)
673 
674 /*
675  * Camellia test vectors from:
676  *
677  * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
678  *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
679  *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
680  *                      (For each bitlength: Key 0, Nr 39)
681  */
682 #define CAMELLIA_TESTS_ECB  2
683 
684 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
685 {
686     {
687         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
688           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
689         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
690           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
691     },
692     {
693         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
694           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
695           0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
696         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
697           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
698           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
699     },
700     {
701         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
702           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
703           0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
704           0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
705         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
706           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
707           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
708           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
709     },
710 };
711 
712 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
713 {
714     { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
715       0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
716     { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
717       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
718 };
719 
720 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
721 {
722     {
723         { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
724           0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
725         { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
726           0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
727     },
728     {
729         { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
730           0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
731         { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
732           0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
733     },
734     {
735         { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
736           0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
737         { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
738           0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
739     }
740 };
741 
742 #if defined(MBEDTLS_CIPHER_MODE_CBC)
743 #define CAMELLIA_TESTS_CBC  3
744 
745 static const unsigned char camellia_test_cbc_key[3][32] =
746 {
747     { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
748       0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
749     ,
750     { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
751       0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
752       0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
753     ,
754     { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
755       0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
756       0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
757       0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
758 };
759 
760 static const unsigned char camellia_test_cbc_iv[16] =
761 
762 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
763   0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
764 ;
765 
766 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
767 {
768     { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
769       0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
770     { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
771       0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
772     { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
773       0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
774 
775 };
776 
777 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
778 {
779     {
780         { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
781           0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
782         { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
783           0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
784         { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
785           0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
786     },
787     {
788         { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
789           0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
790         { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
791           0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
792         { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
793           0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
794     },
795     {
796         { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
797           0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
798         { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
799           0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
800         { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
801           0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
802     }
803 };
804 #endif /* MBEDTLS_CIPHER_MODE_CBC */
805 
806 #if defined(MBEDTLS_CIPHER_MODE_CTR)
807 /*
808  * Camellia-CTR test vectors from:
809  *
810  * http://www.faqs.org/rfcs/rfc5528.html
811  */
812 
813 static const unsigned char camellia_test_ctr_key[3][16] =
814 {
815     { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
816       0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
817     { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
818       0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
819     { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
820       0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
821 };
822 
823 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
824 {
825     { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
826       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
827     { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
828       0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
829     { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
830       0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
831 };
832 
833 static const unsigned char camellia_test_ctr_pt[3][48] =
834 {
835     { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
836       0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
837 
838     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
839       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
840       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
841       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
842 
843     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
844       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
845       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
846       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
847       0x20, 0x21, 0x22, 0x23 }
848 };
849 
850 static const unsigned char camellia_test_ctr_ct[3][48] =
851 {
852     { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
853       0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
854     { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
855       0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
856       0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
857       0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
858     { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
859       0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
860       0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
861       0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
862       0xDF, 0x50, 0x86, 0x96 }
863 };
864 
865 static const int camellia_test_ctr_len[3] =
866 { 16, 32, 36 };
867 #endif /* MBEDTLS_CIPHER_MODE_CTR */
868 
869 /*
870  * Checkup routine
871  */
mbedtls_camellia_self_test(int verbose)872 int mbedtls_camellia_self_test(int verbose)
873 {
874     int i, j, u, v;
875     unsigned char key[32];
876     unsigned char buf[64];
877     unsigned char src[16];
878     unsigned char dst[16];
879 #if defined(MBEDTLS_CIPHER_MODE_CBC)
880     unsigned char iv[16];
881 #endif
882 #if defined(MBEDTLS_CIPHER_MODE_CTR)
883     size_t offset, len;
884     unsigned char nonce_counter[16];
885     unsigned char stream_block[16];
886 #endif
887     int ret = 1;
888 
889     mbedtls_camellia_context ctx;
890 
891     mbedtls_camellia_init(&ctx);
892     memset(key, 0, 32);
893 
894     for (j = 0; j < 6; j++) {
895         u = j >> 1;
896         v = j & 1;
897 
898         if (verbose != 0) {
899             mbedtls_printf("  CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
900                            (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
901         }
902 
903         for (i = 0; i < CAMELLIA_TESTS_ECB; i++) {
904             memcpy(key, camellia_test_ecb_key[u][i], 16 + 8 * u);
905 
906             if (v == MBEDTLS_CAMELLIA_DECRYPT) {
907                 mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
908                 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
909                 memcpy(dst, camellia_test_ecb_plain[i], 16);
910             } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
911                 mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
912                 memcpy(src, camellia_test_ecb_plain[i], 16);
913                 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
914             }
915 
916             mbedtls_camellia_crypt_ecb(&ctx, v, src, buf);
917 
918             if (memcmp(buf, dst, 16) != 0) {
919                 if (verbose != 0) {
920                     mbedtls_printf("failed\n");
921                 }
922                 goto exit;
923             }
924         }
925 
926         if (verbose != 0) {
927             mbedtls_printf("passed\n");
928         }
929     }
930 
931     if (verbose != 0) {
932         mbedtls_printf("\n");
933     }
934 
935 #if defined(MBEDTLS_CIPHER_MODE_CBC)
936     /*
937      * CBC mode
938      */
939     for (j = 0; j < 6; j++) {
940         u = j >> 1;
941         v = j  & 1;
942 
943         if (verbose != 0) {
944             mbedtls_printf("  CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
945                            (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
946         }
947 
948         memcpy(src, camellia_test_cbc_iv, 16);
949         memcpy(dst, camellia_test_cbc_iv, 16);
950         memcpy(key, camellia_test_cbc_key[u], 16 + 8 * u);
951 
952         if (v == MBEDTLS_CAMELLIA_DECRYPT) {
953             mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
954         } else {
955             mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
956         }
957 
958         for (i = 0; i < CAMELLIA_TESTS_CBC; i++) {
959 
960             if (v == MBEDTLS_CAMELLIA_DECRYPT) {
961                 memcpy(iv, src, 16);
962                 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
963                 memcpy(dst, camellia_test_cbc_plain[i], 16);
964             } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
965                 memcpy(iv, dst, 16);
966                 memcpy(src, camellia_test_cbc_plain[i], 16);
967                 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
968             }
969 
970             mbedtls_camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
971 
972             if (memcmp(buf, dst, 16) != 0) {
973                 if (verbose != 0) {
974                     mbedtls_printf("failed\n");
975                 }
976                 goto exit;
977             }
978         }
979 
980         if (verbose != 0) {
981             mbedtls_printf("passed\n");
982         }
983     }
984 #endif /* MBEDTLS_CIPHER_MODE_CBC */
985 
986     if (verbose != 0) {
987         mbedtls_printf("\n");
988     }
989 
990 #if defined(MBEDTLS_CIPHER_MODE_CTR)
991     /*
992      * CTR mode
993      */
994     for (i = 0; i < 6; i++) {
995         u = i >> 1;
996         v = i  & 1;
997 
998         if (verbose != 0) {
999             mbedtls_printf("  CAMELLIA-CTR-128 (%s): ",
1000                            (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
1001         }
1002 
1003         memcpy(nonce_counter, camellia_test_ctr_nonce_counter[u], 16);
1004         memcpy(key, camellia_test_ctr_key[u], 16);
1005 
1006         offset = 0;
1007         mbedtls_camellia_setkey_enc(&ctx, key, 128);
1008 
1009         if (v == MBEDTLS_CAMELLIA_DECRYPT) {
1010             len = camellia_test_ctr_len[u];
1011             memcpy(buf, camellia_test_ctr_ct[u], len);
1012 
1013             mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1014                                        buf, buf);
1015 
1016             if (memcmp(buf, camellia_test_ctr_pt[u], len) != 0) {
1017                 if (verbose != 0) {
1018                     mbedtls_printf("failed\n");
1019                 }
1020                 goto exit;
1021             }
1022         } else {
1023             len = camellia_test_ctr_len[u];
1024             memcpy(buf, camellia_test_ctr_pt[u], len);
1025 
1026             mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1027                                        buf, buf);
1028 
1029             if (memcmp(buf, camellia_test_ctr_ct[u], len) != 0) {
1030                 if (verbose != 0) {
1031                     mbedtls_printf("failed\n");
1032                 }
1033                 goto exit;
1034             }
1035         }
1036 
1037         if (verbose != 0) {
1038             mbedtls_printf("passed\n");
1039         }
1040     }
1041 
1042     if (verbose != 0) {
1043         mbedtls_printf("\n");
1044     }
1045 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1046 
1047     ret = 0;
1048 
1049 exit:
1050     mbedtls_camellia_free(&ctx);
1051     return ret;
1052 }
1053 
1054 #endif /* MBEDTLS_SELF_TEST */
1055 
1056 #endif /* MBEDTLS_CAMELLIA_C */
1057