2 * Camellia implementation
4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
6 * This file is part of mbed TLS (https://polarssl.org)
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
26 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
29 #if !defined(POLARSSL_CONFIG_FILE)
30 #include "polarssl/config.h"
32 #include POLARSSL_CONFIG_FILE
35 #if defined(POLARSSL_CAMELLIA_C)
37 #include "polarssl/camellia.h"
39 #if defined(POLARSSL_PLATFORM_C)
40 #include "polarssl/platform.h"
42 #define polarssl_printf printf
45 #if !defined(POLARSSL_CAMELLIA_ALT)
47 /* Implementation that should never be optimized out by the compiler */
48 static void polarssl_zeroize( void *v
, size_t n
) {
49 volatile unsigned char *p
= v
; while( n
-- ) *p
++ = 0;
53 * 32-bit integer manipulation macros (big endian)
56 #define GET_UINT32_BE(n,b,i) \
58 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
59 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
60 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
61 | ( (uint32_t) (b)[(i) + 3] ); \
66 #define PUT_UINT32_BE(n,b,i) \
68 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
69 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
70 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
71 (b)[(i) + 3] = (unsigned char) ( (n) ); \
75 static const unsigned char SIGMA_CHARS
[6][8] =
77 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
78 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
79 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
80 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
81 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
82 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
85 #if defined(POLARSSL_CAMELLIA_SMALL_MEMORY)
87 static const unsigned char FSb
[256] =
89 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
90 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
91 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
92 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
93 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
94 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
95 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
96 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
97 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
98 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
99 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
100 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
101 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
102 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
103 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
104 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
107 #define SBOX1(n) FSb[(n)]
108 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
109 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
110 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
112 #else /* POLARSSL_CAMELLIA_SMALL_MEMORY */
114 static const unsigned char FSb
[256] =
116 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
117 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
118 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
119 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
120 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
121 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
122 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
123 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
124 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
125 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
126 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
127 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
128 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
129 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
130 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
131 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
134 static const unsigned char FSb2
[256] =
136 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
137 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
138 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
139 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
140 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
141 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
142 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
143 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
144 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
145 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
146 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
147 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
148 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
149 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
150 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
151 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
154 static const unsigned char FSb3
[256] =
156 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
157 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
158 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
159 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
160 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
161 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
162 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
163 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
164 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
165 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
166 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
167 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
168 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
169 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
170 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
171 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
174 static const unsigned char FSb4
[256] =
176 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
177 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
178 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
179 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
180 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
181 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
182 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
183 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
184 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
185 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
186 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
187 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
188 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
189 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
190 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
191 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
194 #define SBOX1(n) FSb[(n)]
195 #define SBOX2(n) FSb2[(n)]
196 #define SBOX3(n) FSb3[(n)]
197 #define SBOX4(n) FSb4[(n)]
199 #endif /* POLARSSL_CAMELLIA_SMALL_MEMORY */
201 static const unsigned char shifts
[2][4][4] =
204 { 1, 1, 1, 1 }, /* KL */
205 { 0, 0, 0, 0 }, /* KR */
206 { 1, 1, 1, 1 }, /* KA */
207 { 0, 0, 0, 0 } /* KB */
210 { 1, 0, 1, 1 }, /* KL */
211 { 1, 1, 0, 1 }, /* KR */
212 { 1, 1, 1, 0 }, /* KA */
213 { 1, 1, 0, 1 } /* KB */
217 static const signed char indexes
[2][4][20] =
220 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
221 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
222 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
223 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
224 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
225 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
226 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
227 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
230 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
231 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
232 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
233 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
234 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
235 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
236 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
237 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
241 static const signed char transposes
[2][20] =
259 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
260 #define ROTL(DEST, SRC, SHIFT) \
262 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
263 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
264 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
265 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
268 #define FL(XL, XR, KL, KR) \
270 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
271 (XL) = ((XR) | (KR)) ^ (XL); \
274 #define FLInv(YL, YR, KL, KR) \
276 (YL) = ((YR) | (KR)) ^ (YL); \
277 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
280 #define SHIFT_AND_PLACE(INDEX, OFFSET) \
282 TK[0] = KC[(OFFSET) * 4 + 0]; \
283 TK[1] = KC[(OFFSET) * 4 + 1]; \
284 TK[2] = KC[(OFFSET) * 4 + 2]; \
285 TK[3] = KC[(OFFSET) * 4 + 3]; \
287 for( i = 1; i <= 4; i++ ) \
288 if( shifts[(INDEX)][(OFFSET)][i -1] ) \
289 ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \
291 for( i = 0; i < 20; i++ ) \
292 if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \
293 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
297 static void camellia_feistel( const uint32_t x
[2], const uint32_t k
[2],
304 I0
= ((uint32_t) SBOX1((I0
>> 24) & 0xFF) << 24) |
305 ((uint32_t) SBOX2((I0
>> 16) & 0xFF) << 16) |
306 ((uint32_t) SBOX3((I0
>> 8) & 0xFF) << 8) |
307 ((uint32_t) SBOX4((I0
) & 0xFF) );
308 I1
= ((uint32_t) SBOX2((I1
>> 24) & 0xFF) << 24) |
309 ((uint32_t) SBOX3((I1
>> 16) & 0xFF) << 16) |
310 ((uint32_t) SBOX4((I1
>> 8) & 0xFF) << 8) |
311 ((uint32_t) SBOX1((I1
) & 0xFF) );
313 I0
^= (I1
<< 8) | (I1
>> 24);
314 I1
^= (I0
<< 16) | (I0
>> 16);
315 I0
^= (I1
>> 8) | (I1
<< 24);
316 I1
^= (I0
>> 8) | (I0
<< 24);
322 void camellia_init( camellia_context
*ctx
)
324 memset( ctx
, 0, sizeof( camellia_context
) );
327 void camellia_free( camellia_context
*ctx
)
332 polarssl_zeroize( ctx
, sizeof( camellia_context
) );
336 * Camellia key schedule (encryption)
338 int camellia_setkey_enc( camellia_context
*ctx
, const unsigned char *key
,
339 unsigned int keysize
)
345 uint32_t SIGMA
[6][2];
352 memset( RK
, 0, sizeof(ctx
->rk
) );
356 case 128: ctx
->nr
= 3; idx
= 0; break;
358 case 256: ctx
->nr
= 4; idx
= 1; break;
359 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH
);
362 for( i
= 0; i
< keysize
/ 8; ++i
)
365 if( keysize
== 192 ) {
366 for( i
= 0; i
< 8; i
++ )
367 t
[24 + i
] = ~t
[16 + i
];
371 * Prepare SIGMA values
373 for( i
= 0; i
< 6; i
++ ) {
374 GET_UINT32_BE( SIGMA
[i
][0], SIGMA_CHARS
[i
], 0 );
375 GET_UINT32_BE( SIGMA
[i
][1], SIGMA_CHARS
[i
], 4 );
380 * Order: KL, KR, KA, KB
382 memset( KC
, 0, sizeof(KC
) );
385 for( i
= 0; i
< 8; i
++ )
386 GET_UINT32_BE( KC
[i
], t
, i
* 4 );
389 for( i
= 0; i
< 4; ++i
)
390 KC
[8 + i
] = KC
[i
] ^ KC
[4 + i
];
392 camellia_feistel( KC
+ 8, SIGMA
[0], KC
+ 10 );
393 camellia_feistel( KC
+ 10, SIGMA
[1], KC
+ 8 );
395 for( i
= 0; i
< 4; ++i
)
398 camellia_feistel( KC
+ 8, SIGMA
[2], KC
+ 10 );
399 camellia_feistel( KC
+ 10, SIGMA
[3], KC
+ 8 );
401 if( keysize
> 128 ) {
403 for( i
= 0; i
< 4; ++i
)
404 KC
[12 + i
] = KC
[4 + i
] ^ KC
[8 + i
];
406 camellia_feistel( KC
+ 12, SIGMA
[4], KC
+ 14 );
407 camellia_feistel( KC
+ 14, SIGMA
[5], KC
+ 12 );
414 /* Manipulating KL */
415 SHIFT_AND_PLACE( idx
, 0 );
417 /* Manipulating KR */
418 if( keysize
> 128 ) {
419 SHIFT_AND_PLACE( idx
, 1 );
422 /* Manipulating KA */
423 SHIFT_AND_PLACE( idx
, 2 );
425 /* Manipulating KB */
426 if( keysize
> 128 ) {
427 SHIFT_AND_PLACE( idx
, 3 );
430 /* Do transpositions */
431 for( i
= 0; i
< 20; i
++ ) {
432 if( transposes
[idx
][i
] != -1 ) {
433 RK
[32 + 12 * idx
+ i
] = RK
[transposes
[idx
][i
]];
441 * Camellia key schedule (decryption)
443 int camellia_setkey_dec( camellia_context
*ctx
, const unsigned char *key
,
444 unsigned int keysize
)
448 camellia_context cty
;
452 camellia_init( &cty
);
454 /* Also checks keysize */
455 if( ( ret
= camellia_setkey_enc( &cty
, key
, keysize
) ) )
459 idx
= ( ctx
->nr
== 4 );
462 SK
= cty
.rk
+ 24 * 2 + 8 * idx
* 2;
469 for( i
= 22 + 8 * idx
, SK
-= 6; i
> 0; i
--, SK
-= 4 )
483 camellia_free( &cty
);
489 * Camellia-ECB block encryption/decryption
491 int camellia_crypt_ecb( camellia_context
*ctx
,
493 const unsigned char input
[16],
494 unsigned char output
[16] )
504 GET_UINT32_BE( X
[0], input
, 0 );
505 GET_UINT32_BE( X
[1], input
, 4 );
506 GET_UINT32_BE( X
[2], input
, 8 );
507 GET_UINT32_BE( X
[3], input
, 12 );
516 camellia_feistel( X
, RK
, X
+ 2 );
518 camellia_feistel( X
+ 2, RK
, X
);
520 camellia_feistel( X
, RK
, X
+ 2 );
522 camellia_feistel( X
+ 2, RK
, X
);
524 camellia_feistel( X
, RK
, X
+ 2 );
526 camellia_feistel( X
+ 2, RK
, X
);
530 FL(X
[0], X
[1], RK
[0], RK
[1]);
532 FLInv(X
[2], X
[3], RK
[0], RK
[1]);
542 PUT_UINT32_BE( X
[2], output
, 0 );
543 PUT_UINT32_BE( X
[3], output
, 4 );
544 PUT_UINT32_BE( X
[0], output
, 8 );
545 PUT_UINT32_BE( X
[1], output
, 12 );
550 #if defined(POLARSSL_CIPHER_MODE_CBC)
552 * Camellia-CBC buffer encryption/decryption
554 int camellia_crypt_cbc( camellia_context
*ctx
,
557 unsigned char iv
[16],
558 const unsigned char *input
,
559 unsigned char *output
)
562 unsigned char temp
[16];
565 return( POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH
);
567 if( mode
== CAMELLIA_DECRYPT
)
571 memcpy( temp
, input
, 16 );
572 camellia_crypt_ecb( ctx
, mode
, input
, output
);
574 for( i
= 0; i
< 16; i
++ )
575 output
[i
] = (unsigned char)( output
[i
] ^ iv
[i
] );
577 memcpy( iv
, temp
, 16 );
588 for( i
= 0; i
< 16; i
++ )
589 output
[i
] = (unsigned char)( input
[i
] ^ iv
[i
] );
591 camellia_crypt_ecb( ctx
, mode
, output
, output
);
592 memcpy( iv
, output
, 16 );
602 #endif /* POLARSSL_CIPHER_MODE_CBC */
604 #if defined(POLARSSL_CIPHER_MODE_CFB)
606 * Camellia-CFB128 buffer encryption/decryption
608 int camellia_crypt_cfb128( camellia_context
*ctx
,
612 unsigned char iv
[16],
613 const unsigned char *input
,
614 unsigned char *output
)
619 if( mode
== CAMELLIA_DECRYPT
)
624 camellia_crypt_ecb( ctx
, CAMELLIA_ENCRYPT
, iv
, iv
);
627 *output
++ = (unsigned char)( c
^ iv
[n
] );
628 iv
[n
] = (unsigned char) c
;
630 n
= ( n
+ 1 ) & 0x0F;
638 camellia_crypt_ecb( ctx
, CAMELLIA_ENCRYPT
, iv
, iv
);
640 iv
[n
] = *output
++ = (unsigned char)( iv
[n
] ^ *input
++ );
642 n
= ( n
+ 1 ) & 0x0F;
650 #endif /* POLARSSL_CIPHER_MODE_CFB */
652 #if defined(POLARSSL_CIPHER_MODE_CTR)
654 * Camellia-CTR buffer encryption/decryption
656 int camellia_crypt_ctr( camellia_context
*ctx
,
659 unsigned char nonce_counter
[16],
660 unsigned char stream_block
[16],
661 const unsigned char *input
,
662 unsigned char *output
)
670 camellia_crypt_ecb( ctx
, CAMELLIA_ENCRYPT
, nonce_counter
,
673 for( i
= 16; i
> 0; i
-- )
674 if( ++nonce_counter
[i
- 1] != 0 )
678 *output
++ = (unsigned char)( c
^ stream_block
[n
] );
680 n
= ( n
+ 1 ) & 0x0F;
687 #endif /* POLARSSL_CIPHER_MODE_CTR */
688 #endif /* !POLARSSL_CAMELLIA_ALT */
690 #if defined(POLARSSL_SELF_TEST)
695 * Camellia test vectors from:
697 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
698 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
699 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
700 * (For each bitlength: Key 0, Nr 39)
702 #define CAMELLIA_TESTS_ECB 2
704 static const unsigned char camellia_test_ecb_key
[3][CAMELLIA_TESTS_ECB
][32] =
707 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
708 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
709 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
710 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
713 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
714 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
715 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
716 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
717 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
718 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
721 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
722 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
723 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
724 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
725 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
726 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
727 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
728 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
732 static const unsigned char camellia_test_ecb_plain
[CAMELLIA_TESTS_ECB
][16] =
734 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
735 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
736 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
737 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
740 static const unsigned char camellia_test_ecb_cipher
[3][CAMELLIA_TESTS_ECB
][16] =
743 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
744 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
745 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
746 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
749 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
750 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
751 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
752 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
755 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
756 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
757 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
758 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
762 #if defined(POLARSSL_CIPHER_MODE_CBC)
763 #define CAMELLIA_TESTS_CBC 3
765 static const unsigned char camellia_test_cbc_key
[3][32] =
767 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
768 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
770 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
771 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
772 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
774 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
775 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
776 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
777 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
780 static const unsigned char camellia_test_cbc_iv
[16] =
782 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
783 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
786 static const unsigned char camellia_test_cbc_plain
[CAMELLIA_TESTS_CBC
][16] =
788 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
789 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
790 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
791 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
792 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
793 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
797 static const unsigned char camellia_test_cbc_cipher
[3][CAMELLIA_TESTS_CBC
][16] =
800 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
801 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
802 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
803 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
804 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
805 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
808 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
809 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
810 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
811 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
812 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
813 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
816 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
817 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
818 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
819 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
820 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
821 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
824 #endif /* POLARSSL_CIPHER_MODE_CBC */
826 #if defined(POLARSSL_CIPHER_MODE_CTR)
828 * Camellia-CTR test vectors from:
830 * http://www.faqs.org/rfcs/rfc5528.html
833 static const unsigned char camellia_test_ctr_key
[3][16] =
835 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
836 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
837 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
838 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
839 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
840 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
843 static const unsigned char camellia_test_ctr_nonce_counter
[3][16] =
845 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
846 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
847 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
848 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
849 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
850 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
853 static const unsigned char camellia_test_ctr_pt
[3][48] =
855 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
856 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
858 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
859 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
860 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
861 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
863 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
864 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
865 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
866 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
867 0x20, 0x21, 0x22, 0x23 }
870 static const unsigned char camellia_test_ctr_ct
[3][48] =
872 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
873 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
874 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
875 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
876 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
877 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
878 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
879 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
880 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
881 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
882 0xDF, 0x50, 0x86, 0x96 }
885 static const int camellia_test_ctr_len
[3] =
887 #endif /* POLARSSL_CIPHER_MODE_CTR */
892 int camellia_self_test( int verbose
)
895 unsigned char key
[32];
896 unsigned char buf
[64];
897 unsigned char src
[16];
898 unsigned char dst
[16];
899 #if defined(POLARSSL_CIPHER_MODE_CBC)
900 unsigned char iv
[16];
902 #if defined(POLARSSL_CIPHER_MODE_CTR)
904 unsigned char nonce_counter
[16];
905 unsigned char stream_block
[16];
908 camellia_context ctx
;
910 memset( key
, 0, 32 );
912 for( j
= 0; j
< 6; j
++ ) {
917 polarssl_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u
* 64,
918 (v
== CAMELLIA_DECRYPT
) ? "dec" : "enc");
920 for( i
= 0; i
< CAMELLIA_TESTS_ECB
; i
++ ) {
921 memcpy( key
, camellia_test_ecb_key
[u
][i
], 16 + 8 * u
);
923 if( v
== CAMELLIA_DECRYPT
) {
924 camellia_setkey_dec( &ctx
, key
, 128 + u
* 64 );
925 memcpy( src
, camellia_test_ecb_cipher
[u
][i
], 16 );
926 memcpy( dst
, camellia_test_ecb_plain
[i
], 16 );
927 } else { /* CAMELLIA_ENCRYPT */
928 camellia_setkey_enc( &ctx
, key
, 128 + u
* 64 );
929 memcpy( src
, camellia_test_ecb_plain
[i
], 16 );
930 memcpy( dst
, camellia_test_ecb_cipher
[u
][i
], 16 );
933 camellia_crypt_ecb( &ctx
, v
, src
, buf
);
935 if( memcmp( buf
, dst
, 16 ) != 0 )
938 polarssl_printf( "failed\n" );
945 polarssl_printf( "passed\n" );
949 polarssl_printf( "\n" );
951 #if defined(POLARSSL_CIPHER_MODE_CBC)
955 for( j
= 0; j
< 6; j
++ )
961 polarssl_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u
* 64,
962 ( v
== CAMELLIA_DECRYPT
) ? "dec" : "enc" );
964 memcpy( src
, camellia_test_cbc_iv
, 16 );
965 memcpy( dst
, camellia_test_cbc_iv
, 16 );
966 memcpy( key
, camellia_test_cbc_key
[u
], 16 + 8 * u
);
968 if( v
== CAMELLIA_DECRYPT
) {
969 camellia_setkey_dec( &ctx
, key
, 128 + u
* 64 );
971 camellia_setkey_enc( &ctx
, key
, 128 + u
* 64 );
974 for( i
= 0; i
< CAMELLIA_TESTS_CBC
; i
++ ) {
976 if( v
== CAMELLIA_DECRYPT
) {
977 memcpy( iv
, src
, 16 );
978 memcpy( src
, camellia_test_cbc_cipher
[u
][i
], 16 );
979 memcpy( dst
, camellia_test_cbc_plain
[i
], 16 );
980 } else { /* CAMELLIA_ENCRYPT */
981 memcpy( iv
, dst
, 16 );
982 memcpy( src
, camellia_test_cbc_plain
[i
], 16 );
983 memcpy( dst
, camellia_test_cbc_cipher
[u
][i
], 16 );
986 camellia_crypt_cbc( &ctx
, v
, 16, iv
, src
, buf
);
988 if( memcmp( buf
, dst
, 16 ) != 0 )
991 polarssl_printf( "failed\n" );
998 polarssl_printf( "passed\n" );
1000 #endif /* POLARSSL_CIPHER_MODE_CBC */
1003 polarssl_printf( "\n" );
1005 #if defined(POLARSSL_CIPHER_MODE_CTR)
1009 for( i
= 0; i
< 6; i
++ )
1015 polarssl_printf( " CAMELLIA-CTR-128 (%s): ",
1016 ( v
== CAMELLIA_DECRYPT
) ? "dec" : "enc" );
1018 memcpy( nonce_counter
, camellia_test_ctr_nonce_counter
[u
], 16 );
1019 memcpy( key
, camellia_test_ctr_key
[u
], 16 );
1022 camellia_setkey_enc( &ctx
, key
, 128 );
1024 if( v
== CAMELLIA_DECRYPT
)
1026 len
= camellia_test_ctr_len
[u
];
1027 memcpy( buf
, camellia_test_ctr_ct
[u
], len
);
1029 camellia_crypt_ctr( &ctx
, len
, &offset
, nonce_counter
, stream_block
,
1032 if( memcmp( buf
, camellia_test_ctr_pt
[u
], len
) != 0 )
1035 polarssl_printf( "failed\n" );
1042 len
= camellia_test_ctr_len
[u
];
1043 memcpy( buf
, camellia_test_ctr_pt
[u
], len
);
1045 camellia_crypt_ctr( &ctx
, len
, &offset
, nonce_counter
, stream_block
,
1048 if( memcmp( buf
, camellia_test_ctr_ct
[u
], len
) != 0 )
1051 polarssl_printf( "failed\n" );
1058 polarssl_printf( "passed\n" );
1062 polarssl_printf( "\n" );
1063 #endif /* POLARSSL_CIPHER_MODE_CTR */
1068 #endif /* POLARSSL_SELF_TEST */
1070 #endif /* POLARSSL_CAMELLIA_C */