1 /*
2 * An implementation of the CAMELLIA algorithm as mentioned in RFC3713
3 * Copyright (c) 2014 Supraja Meedinti
4 *
5 * This file is part of FFmpeg.
6 *
7 * FFmpeg is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * FFmpeg is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with FFmpeg; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 */
21
22 #include <string.h>
23
24 #include "camellia.h"
25 #include "error.h"
26 #include "intreadwrite.h"
27 #include "mem.h"
28 #include "attributes.h"
29
30 #define LR32(x,c) ((x) << (c) | (x) >> (32 - (c)))
31 #define RR32(x,c) ((x) >> (c) | (x) << (32 - (c)))
32
33 #define MASK8 0xff
34 #define MASK32 0xffffffff
35 #define MASK64 0xffffffffffffffff
36
37 #define Sigma1 0xA09E667F3BCC908B
38 #define Sigma2 0xB67AE8584CAA73B2
39 #define Sigma3 0xC6EF372FE94F82BE
40 #define Sigma4 0x54FF53A5F1D36F1C
41 #define Sigma5 0x10E527FADE682D1D
42 #define Sigma6 0xB05688C2B3E6C1FD
43
44 static uint64_t SP[8][256];
45
46 typedef struct AVCAMELLIA {
47 uint64_t Kw[4];
48 uint64_t Ke[6];
49 uint64_t K[24];
50 int key_bits;
51 } AVCAMELLIA;
52
53 static const uint8_t SBOX1[256] = {
54 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
55 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
56 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
57 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
58 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
59 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
60 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
61 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
62 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
63 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
64 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
65 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
66 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
67 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
68 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
69 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
70 };
71
72 static const uint8_t SBOX2[256] = {
73 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
74 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
75 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
76 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
77 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
78 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
79 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
80 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
81 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
82 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
83 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
84 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
85 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
86 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
87 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
88 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
89 };
90
91 static const uint8_t SBOX3[256] = {
92 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
93 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
94 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
95 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
96 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
97 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
98 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
99 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
100 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
101 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
102 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
103 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
104 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
105 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
106 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
107 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
108 };
109
110 static const uint8_t SBOX4[256] = {
111 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
112 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
113 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
114 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
115 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
116 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
117 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
118 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
119 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
120 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
121 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
122 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
123 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
124 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
125 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
126 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
127 };
128
129 const int av_camellia_size = sizeof(AVCAMELLIA);
130
LR128(uint64_t d[2],const uint64_t K[2],int x)131 static void LR128(uint64_t d[2], const uint64_t K[2], int x)
132 {
133 int i = 0;
134 if (64 <= x && x < 128) {
135 i = 1;
136 x -= 64;
137 }
138 if (x <= 0 || x >= 128) {
139 d[0] = K[i];
140 d[1] = K[!i];
141 return;
142 }
143 d[0] = (K[i] << x | K[!i] >> (64 - x));
144 d[1] = (K[!i] << x | K[i] >> (64 - x));
145 }
146
F(uint64_t F_IN,uint64_t KE)147 static uint64_t F(uint64_t F_IN, uint64_t KE)
148 {
149 KE ^= F_IN;
150 F_IN=SP[0][KE >> 56]^SP[1][(KE >> 48) & MASK8]^SP[2][(KE >> 40) & MASK8]^SP[3][(KE >> 32) & MASK8]^SP[4][(KE >> 24) & MASK8]^SP[5][(KE >> 16) & MASK8]^SP[6][(KE >> 8) & MASK8]^SP[7][KE & MASK8];
151 return F_IN;
152 }
153
FL(uint64_t FL_IN,uint64_t KE)154 static uint64_t FL(uint64_t FL_IN, uint64_t KE)
155 {
156 uint32_t x1, x2, k1, k2;
157 x1 = FL_IN >> 32;
158 x2 = FL_IN & MASK32;
159 k1 = KE >> 32;
160 k2 = KE & MASK32;
161 x2 = x2 ^ LR32((x1 & k1), 1);
162 x1 = x1 ^ (x2 | k2);
163 return ((uint64_t)x1 << 32) | (uint64_t)x2;
164 }
165
FLINV(uint64_t FLINV_IN,uint64_t KE)166 static uint64_t FLINV(uint64_t FLINV_IN, uint64_t KE)
167 {
168 uint32_t x1, x2, k1, k2;
169 x1 = FLINV_IN >> 32;
170 x2 = FLINV_IN & MASK32;
171 k1 = KE >> 32;
172 k2 = KE & MASK32;
173 x1 = x1 ^ (x2 | k2);
174 x2 = x2 ^ LR32((x1 & k1), 1);
175 return ((uint64_t)x1 << 32) | (uint64_t)x2;
176 }
177
178 static const uint8_t shifts[2][12] = {
179 {0, 15, 15, 45, 45, 60, 94, 94, 111},
180 {0, 15, 15, 30, 45, 45, 60, 60, 77, 94, 94, 111}
181 };
182
183 static const uint8_t vars[2][12] = {
184 {2, 0, 2, 0, 2, 2, 0, 2, 0},
185 {3, 1, 2, 3, 0, 2, 1, 3, 0, 1, 2, 0}
186 };
187
generate_round_keys(AVCAMELLIA * cs,uint64_t Kl[2],uint64_t Kr[2],uint64_t Ka[2],uint64_t Kb[2])188 static void generate_round_keys(AVCAMELLIA *cs, uint64_t Kl[2], uint64_t Kr[2], uint64_t Ka[2], uint64_t Kb[2])
189 {
190 int i;
191 uint64_t *Kd[4], d[2];
192 Kd[0] = Kl;
193 Kd[1] = Kr;
194 Kd[2] = Ka;
195 Kd[3] = Kb;
196 cs->Kw[0] = Kl[0];
197 cs->Kw[1] = Kl[1];
198 if (cs->key_bits == 128) {
199 for (i = 0; i < 9; i++) {
200 LR128(d, Kd[vars[0][i]], shifts[0][i]);
201 cs->K[2*i] = d[0];
202 cs->K[2*i+1] = d[1];
203 }
204 LR128(d, Kd[0], 60);
205 cs->K[9] = d[1];
206 LR128(d, Kd[2], 30);
207 cs->Ke[0] = d[0];
208 cs->Ke[1] = d[1];
209 LR128(d, Kd[0], 77);
210 cs->Ke[2] = d[0];
211 cs->Ke[3] = d[1];
212 LR128(d, Kd[2], 111);
213 cs->Kw[2] = d[0];
214 cs->Kw[3] = d[1];
215 } else {
216 for (i = 0; i < 12; i++) {
217 LR128(d, Kd[vars[1][i]], shifts[1][i]);
218 cs->K[2*i] = d[0];
219 cs->K[2*i+1] = d[1];
220 }
221 LR128(d, Kd[1], 30);
222 cs->Ke[0] = d[0];
223 cs->Ke[1] = d[1];
224 LR128(d, Kd[0], 60);
225 cs->Ke[2] = d[0];
226 cs->Ke[3] = d[1];
227 LR128(d, Kd[2], 77);
228 cs->Ke[4] = d[0];
229 cs->Ke[5] = d[1];
230 LR128(d, Kd[3], 111);
231 cs->Kw[2] = d[0];
232 cs->Kw[3] = d[1];
233 }
234 }
235
camellia_encrypt(AVCAMELLIA * cs,uint8_t * dst,const uint8_t * src)236 static void camellia_encrypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src)
237 {
238 uint64_t D1, D2;
239 D1 = AV_RB64(src);
240 D2 = AV_RB64(src + 8);
241 D1 ^= cs->Kw[0];
242 D2 ^= cs->Kw[1];
243 D2 ^= F(D1, cs->K[0]);
244 D1 ^= F(D2, cs->K[1]);
245 D2 ^= F(D1, cs->K[2]);
246 D1 ^= F(D2, cs->K[3]);
247 D2 ^= F(D1, cs->K[4]);
248 D1 ^= F(D2, cs->K[5]);
249 D1 = FL(D1, cs->Ke[0]);
250 D2 = FLINV(D2, cs->Ke[1]);
251 D2 ^= F(D1, cs->K[6]);
252 D1 ^= F(D2, cs->K[7]);
253 D2 ^= F(D1, cs->K[8]);
254 D1 ^= F(D2, cs->K[9]);
255 D2 ^= F(D1, cs->K[10]);
256 D1 ^= F(D2, cs->K[11]);
257 D1 = FL(D1, cs->Ke[2]);
258 D2 = FLINV(D2, cs->Ke[3]);
259 D2 ^= F(D1, cs->K[12]);
260 D1 ^= F(D2, cs->K[13]);
261 D2 ^= F(D1, cs->K[14]);
262 D1 ^= F(D2, cs->K[15]);
263 D2 ^= F(D1, cs->K[16]);
264 D1 ^= F(D2, cs->K[17]);
265 if (cs->key_bits != 128) {
266 D1 = FL(D1, cs->Ke[4]);
267 D2 = FLINV(D2, cs->Ke[5]);
268 D2 ^= F(D1, cs->K[18]);
269 D1 ^= F(D2, cs->K[19]);
270 D2 ^= F(D1, cs->K[20]);
271 D1 ^= F(D2, cs->K[21]);
272 D2 ^= F(D1, cs->K[22]);
273 D1 ^= F(D2, cs->K[23]);
274 }
275 D2 ^= cs->Kw[2];
276 D1 ^= cs->Kw[3];
277 AV_WB64(dst, D2);
278 AV_WB64(dst + 8, D1);
279 }
280
camellia_decrypt(AVCAMELLIA * cs,uint8_t * dst,const uint8_t * src,uint8_t * iv)281 static void camellia_decrypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src, uint8_t *iv)
282 {
283 uint64_t D1, D2;
284 D1 = AV_RB64(src);
285 D2 = AV_RB64(src + 8);
286 D1 ^= cs->Kw[2];
287 D2 ^= cs->Kw[3];
288 if (cs->key_bits != 128) {
289 D2 ^= F(D1, cs->K[23]);
290 D1 ^= F(D2, cs->K[22]);
291 D2 ^= F(D1, cs->K[21]);
292 D1 ^= F(D2, cs->K[20]);
293 D2 ^= F(D1, cs->K[19]);
294 D1 ^= F(D2, cs->K[18]);
295 D1 = FL(D1, cs->Ke[5]);
296 D2 = FLINV(D2, cs->Ke[4]);
297 }
298 D2 ^= F(D1, cs->K[17]);
299 D1 ^= F(D2, cs->K[16]);
300 D2 ^= F(D1, cs->K[15]);
301 D1 ^= F(D2, cs->K[14]);
302 D2 ^= F(D1, cs->K[13]);
303 D1 ^= F(D2, cs->K[12]);
304 D1 = FL(D1, cs->Ke[3]);
305 D2 = FLINV(D2, cs->Ke[2]);
306 D2 ^= F(D1, cs->K[11]);
307 D1 ^= F(D2, cs->K[10]);
308 D2 ^= F(D1, cs->K[9]);
309 D1 ^= F(D2, cs->K[8]);
310 D2 ^= F(D1, cs->K[7]);
311 D1 ^= F(D2, cs->K[6]);
312 D1 = FL(D1, cs->Ke[1]);
313 D2 = FLINV(D2, cs->Ke[0]);
314 D2 ^= F(D1, cs->K[5]);
315 D1 ^= F(D2, cs->K[4]);
316 D2 ^= F(D1, cs->K[3]);
317 D1 ^= F(D2, cs->K[2]);
318 D2 ^= F(D1, cs->K[1]);
319 D1 ^= F(D2, cs->K[0]);
320 D2 ^= cs->Kw[0];
321 D1 ^= cs->Kw[1];
322 if (iv) {
323 D2 ^= AV_RB64(iv);
324 D1 ^= AV_RB64(iv + 8);
325 memcpy(iv, src, 16);
326 }
327 AV_WB64(dst, D2);
328 AV_WB64(dst + 8, D1);
329 }
330
computeSP(void)331 static void computeSP(void)
332 {
333 uint64_t z;
334 int i;
335 for (i = 0; i < 256; i++) {
336 z = SBOX1[i];
337 SP[0][i] = (z << 56) ^ (z << 48) ^ (z << 40) ^ (z << 24) ^ z;
338 SP[7][i] = (z << 56) ^ (z << 48) ^ (z << 40) ^ (z << 24) ^ (z << 16) ^ (z << 8);
339 z = SBOX2[i];
340 SP[1][i] = (z << 48) ^ (z << 40) ^ (z << 32) ^ (z << 24) ^ (z << 16);
341 SP[4][i] = (z << 48) ^ (z << 40) ^ (z << 32) ^ (z << 16) ^ (z << 8) ^ z;
342 z = SBOX3[i];
343 SP[2][i] = (z << 56) ^ (z << 40) ^ (z << 32) ^ (z << 16) ^ (z << 8);
344 SP[5][i] = (z << 56) ^ (z << 40) ^ (z << 32) ^ (z << 24) ^ (z << 8) ^ z;
345 z = SBOX4[i];
346 SP[3][i] = (z << 56) ^ (z << 48) ^ (z << 32) ^ (z << 8) ^ z;
347 SP[6][i] = (z << 56) ^ (z << 48) ^ (z << 32) ^ (z << 24) ^ (z << 16) ^ z;
348 }
349 }
350
av_camellia_alloc(void)351 struct AVCAMELLIA *av_camellia_alloc(void)
352 {
353 return av_mallocz(sizeof(struct AVCAMELLIA));
354 }
355
av_camellia_init(AVCAMELLIA * cs,const uint8_t * key,int key_bits)356 av_cold int av_camellia_init(AVCAMELLIA *cs, const uint8_t *key, int key_bits)
357 {
358 uint64_t Kl[2], Kr[2], Ka[2], Kb[2];
359 uint64_t D1, D2;
360 if (key_bits != 128 && key_bits != 192 && key_bits != 256)
361 return AVERROR(EINVAL);
362 memset(Kb, 0, sizeof(Kb));
363 memset(Kr, 0, sizeof(Kr));
364 cs->key_bits = key_bits;
365 Kl[0] = AV_RB64(key);
366 Kl[1] = AV_RB64(key + 8);
367 if (key_bits == 192) {
368 Kr[0] = AV_RB64(key + 16);
369 Kr[1] = ~Kr[0];
370 } else if (key_bits == 256) {
371 Kr[0] = AV_RB64(key + 16);
372 Kr[1] = AV_RB64(key + 24);
373 }
374 computeSP();
375 D1 = Kl[0] ^ Kr[0];
376 D2 = Kl[1] ^ Kr[1];
377 D2 ^= F(D1, Sigma1);
378 D1 ^= F(D2, Sigma2);
379 D1 ^= Kl[0];
380 D2 ^= Kl[1];
381 D2 ^= F(D1, Sigma3);
382 D1 ^= F(D2, Sigma4);
383 Ka[0] = D1;
384 Ka[1] = D2;
385 if (key_bits != 128) {
386 D1 = Ka[0] ^ Kr[0];
387 D2 = Ka[1] ^ Kr[1];
388 D2 ^= F(D1, Sigma5);
389 D1 ^= F(D2, Sigma6);
390 Kb[0] = D1;
391 Kb[1] = D2;
392 }
393 generate_round_keys(cs, Kl, Kr, Ka, Kb);
394 return 0;
395 }
396
av_camellia_crypt(AVCAMELLIA * cs,uint8_t * dst,const uint8_t * src,int count,uint8_t * iv,int decrypt)397 void av_camellia_crypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int decrypt)
398 {
399 int i;
400 while (count--) {
401 if (decrypt) {
402 camellia_decrypt(cs, dst, src, iv);
403 } else {
404 if (iv) {
405 for (i = 0; i < 16; i++)
406 dst[i] = src[i] ^ iv[i];
407 camellia_encrypt(cs, dst, dst);
408 memcpy(iv, dst, 16);
409 } else {
410 camellia_encrypt(cs, dst, src);
411 }
412 }
413 src = src + 16;
414 dst = dst + 16;
415 }
416 }
417