camellia.c 34.3 KB
Newer Older
1 2 3
/*
 *  Camellia implementation
 *
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
4
 *  Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker's avatar
Paul Bakker committed
5
 *
6
 *  This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker's avatar
Paul Bakker committed
7
 *
8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
/*
23 24
 *  The Camellia block cipher was designed by NTT and Mitsubishi Electric
 *  Corporation.
25
 *
26
 *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
27 28
 */

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
29
#if !defined(MBEDTLS_CONFIG_FILE)
30
#include "mbedtls/config.h"
31
#else
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
32
#include MBEDTLS_CONFIG_FILE
33
#endif
34

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
35
#if defined(MBEDTLS_CAMELLIA_C)
36

37
#include "mbedtls/camellia.h"
38

39
#include <string.h>
40

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
41 42
#if defined(MBEDTLS_SELF_TEST)
#if defined(MBEDTLS_PLATFORM_C)
43
#include "mbedtls/platform.h"
44
#else
45
#include <stdio.h>
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
46 47 48
#define mbedtls_printf printf
#endif /* MBEDTLS_PLATFORM_C */
#endif /* MBEDTLS_SELF_TEST */
49

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
50
#if !defined(MBEDTLS_CAMELLIA_ALT)
51

52
/* Implementation that should never be optimized out by the compiler */
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
53
static void mbedtls_zeroize( void *v, size_t n ) {
54 55 56
    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
}

57 58 59
/*
 * 32-bit integer manipulation macros (big endian)
 */
60 61
#ifndef GET_UINT32_BE
#define GET_UINT32_BE(n,b,i)                            \
62
{                                                       \
63 64 65 66
    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
        | ( (uint32_t) (b)[(i) + 3]       );            \
67 68 69
}
#endif

70 71
#ifndef PUT_UINT32_BE
#define PUT_UINT32_BE(n,b,i)                            \
72 73 74 75 76 77 78 79 80 81
{                                                       \
    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
}
#endif

static const unsigned char SIGMA_CHARS[6][8] =
{
82 83 84 85 86 87
    { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
    { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
    { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
    { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
    { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
    { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
88 89
};

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
90
#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
91 92

static const unsigned char FSb[256] =
93
{
94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109
    112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
     35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
    134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
    166,225, 57,202,213, 71, 93, 61,217,  1, 90,214, 81, 86,108, 77,
    139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
    223, 76,203,194, 52,126,118,  5,109,183,169, 49,209, 23,  4,215,
     20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
    254, 68,207,178,195,181,122,145, 36,  8,232,168, 96,252,105, 80,
    170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
     16,196,  0, 72,163,247,117,219,138,  3,230,218,  9, 63,221,148,
    135, 92,131,  2,205, 74,144, 51,115,103,246,243,157,127,191,226,
     82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
    233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
    120,152,  6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
    114,  7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
     64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
110 111 112 113 114
};

#define SBOX1(n) FSb[(n)]
#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
115 116
#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
117
#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
118

119 120
static const unsigned char FSb[256] =
{
121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136
 112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
  35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
 134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
 166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
 139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
 223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
  20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
 254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
 170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
  16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
 135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
  82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
 233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
 120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
 114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
 64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
137 138 139 140
};

static const unsigned char FSb2[256] =
{
141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156
 224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
  70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
  13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
  77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
  23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
 191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
  40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
 253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
  85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
  32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
  15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
 164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
 211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
 240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
 228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
 128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
157 158 159 160
};

static const unsigned char FSb3[256] =
{
161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176
  56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
 145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
  67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
  83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
 197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
 239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
  10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
 127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
  85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
   8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
 195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
  41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
 244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
  60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
  57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
  32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
177 178 179 180
};

static const unsigned char FSb4[256] =
{
181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196
 112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
 134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
 139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
  20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
 170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
 135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
 233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
 114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
 130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
 184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
  13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
  88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
 208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
  92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
 121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
  7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
197 198 199 200 201 202
};

#define SBOX1(n) FSb[(n)]
#define SBOX2(n) FSb2[(n)]
#define SBOX3(n) FSb3[(n)]
#define SBOX4(n) FSb4[(n)]
203

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
204
#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
205

206 207
static const unsigned char shifts[2][4][4] =
{
208 209 210 211 212 213 214 215 216 217 218 219
    {
        { 1, 1, 1, 1 }, /* KL */
        { 0, 0, 0, 0 }, /* KR */
        { 1, 1, 1, 1 }, /* KA */
        { 0, 0, 0, 0 }  /* KB */
    },
    {
        { 1, 0, 1, 1 }, /* KL */
        { 1, 1, 0, 1 }, /* KR */
        { 1, 1, 1, 0 }, /* KA */
        { 1, 1, 0, 1 }  /* KB */
    }
220 221
};

222
static const signed char indexes[2][4][20] =
223
{
224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243
    {
        {  0,  1,  2,  3,  8,  9, 10, 11, 38, 39,
          36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
        {  4,  5,  6,  7, 12, 13, 14, 15, 16, 17,
          18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }  /* KB -> RK */
    },
    {
        {  0,  1,  2,  3, 61, 62, 63, 60, -1, -1,
          -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
        { -1, -1, -1, -1,  8,  9, 10, 11, 16, 17,
          18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
        { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
          56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
        {  4,  5,  6,  7, 65, 66, 67, 64, 20, 21,
          22, 23, -1, -1, -1, -1, 43, 40, 41, 42 }  /* KB -> RK */
    }
244 245
};

246
static const signed char transposes[2][20] =
247
{
248 249 250 251 252 253 254 255 256 257 258 259 260 261
    {
        21, 22, 23, 20,
        -1, -1, -1, -1,
        18, 19, 16, 17,
        11,  8,  9, 10,
        15, 12, 13, 14
    },
    {
        25, 26, 27, 24,
        29, 30, 31, 28,
        18, 19, 16, 17,
        -1, -1, -1, -1,
        -1, -1, -1, -1
    }
262 263
};

264
/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
265 266 267 268 269 270
#define ROTL(DEST, SRC, SHIFT)                                      \
{                                                                   \
    (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
    (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
    (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
    (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
271 272
}

273 274 275 276
#define FL(XL, XR, KL, KR)                                          \
{                                                                   \
    (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR);   \
    (XL) = ((XR) | (KR)) ^ (XL);                                    \
277
}
278

279 280 281 282
#define FLInv(YL, YR, KL, KR)                                       \
{                                                                   \
    (YL) = ((YR) | (KR)) ^ (YL);                                    \
    (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR);   \
283
}
284

285 286 287 288 289 290 291
#define SHIFT_AND_PLACE(INDEX, OFFSET)                      \
{                                                           \
    TK[0] = KC[(OFFSET) * 4 + 0];                           \
    TK[1] = KC[(OFFSET) * 4 + 1];                           \
    TK[2] = KC[(OFFSET) * 4 + 2];                           \
    TK[3] = KC[(OFFSET) * 4 + 3];                           \
                                                            \
292 293 294
    for( i = 1; i <= 4; i++ )                               \
        if( shifts[(INDEX)][(OFFSET)][i -1] )               \
            ROTL(TK + i * 4, TK, ( 15 * i ) % 32);          \
295
                                                            \
296 297 298 299
    for( i = 0; i < 20; i++ )                               \
        if( indexes[(INDEX)][(OFFSET)][i] != -1 ) {         \
            RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ];    \
        }                                                   \
300 301
}

302 303
static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
                              uint32_t z[2])
304
{
305 306 307 308
    uint32_t I0, I1;
    I0 = x[0] ^ k[0];
    I1 = x[1] ^ k[1];

309 310 311 312 313 314 315 316
    I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
         ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
         ((uint32_t) SBOX3((I0 >>  8) & 0xFF) <<  8) |
         ((uint32_t) SBOX4((I0      ) & 0xFF)      );
    I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
         ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
         ((uint32_t) SBOX4((I1 >>  8) & 0xFF) <<  8) |
         ((uint32_t) SBOX1((I1      ) & 0xFF)      );
317 318 319 320 321 322 323 324

    I0 ^= (I1 << 8) | (I1 >> 24);
    I1 ^= (I0 << 16) | (I0 >> 16);
    I0 ^= (I1 >> 8) | (I1 << 24);
    I1 ^= (I0 >> 8) | (I0 << 24);

    z[0] ^= I1;
    z[1] ^= I0;
325 326
}

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
327
void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
328
{
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
329
    memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
330 331
}

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
332
void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
333 334 335 336
{
    if( ctx == NULL )
        return;

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
337
    mbedtls_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
338 339
}

340 341 342
/*
 * Camellia key schedule (encryption)
 */
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
343
int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned char *key,
344
                         unsigned int keybits )
345
{
346 347
    int idx;
    size_t i;
348
    uint32_t *RK;
349
    unsigned char t[64];
350 351 352
    uint32_t SIGMA[6][2];
    uint32_t KC[16];
    uint32_t TK[20];
353 354 355

    RK = ctx->rk;

356 357
    memset( t, 0, 64 );
    memset( RK, 0, sizeof(ctx->rk) );
358

359
    switch( keybits )
360 361 362
    {
        case 128: ctx->nr = 3; idx = 0; break;
        case 192:
363
        case 256: ctx->nr = 4; idx = 1; break;
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
364
        default : return( MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH );
365 366
    }

367
    for( i = 0; i < keybits / 8; ++i )
368
        t[i] = key[i];
369

370
    if( keybits == 192 ) {
371
        for( i = 0; i < 8; i++ )
372
            t[24 + i] = ~t[16 + i];
373 374 375 376 377
    }

    /*
     * Prepare SIGMA values
     */
378 379 380
    for( i = 0; i < 6; i++ ) {
        GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
        GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
381 382 383 384 385 386
    }

    /*
     * Key storage in KC
     * Order: KL, KR, KA, KB
     */
387
    memset( KC, 0, sizeof(KC) );
388 389

    /* Store KL, KR */
390 391
    for( i = 0; i < 8; i++ )
        GET_UINT32_BE( KC[i], t, i * 4 );
392 393

    /* Generate KA */
394
    for( i = 0; i < 4; ++i )
395
        KC[8 + i] = KC[i] ^ KC[4 + i];
396

397 398
    camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
    camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
399

400
    for( i = 0; i < 4; ++i )
401
        KC[8 + i] ^= KC[i];
402

403 404
    camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
    camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
405

406
    if( keybits > 128 ) {
407
        /* Generate KB */
408
        for( i = 0; i < 4; ++i )
409
            KC[12 + i] = KC[4 + i] ^ KC[8 + i];
410

411 412
        camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
        camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
413 414 415 416
    }

    /*
     * Generating subkeys
417
     */
418 419

    /* Manipulating KL */
420
    SHIFT_AND_PLACE( idx, 0 );
421 422

    /* Manipulating KR */
423
    if( keybits > 128 ) {
424
        SHIFT_AND_PLACE( idx, 1 );
425 426 427
    }

    /* Manipulating KA */
428
    SHIFT_AND_PLACE( idx, 2 );
429 430

    /* Manipulating KB */
431
    if( keybits > 128 ) {
432
        SHIFT_AND_PLACE( idx, 3 );
433 434 435
    }

    /* Do transpositions */
436 437
    for( i = 0; i < 20; i++ ) {
        if( transposes[idx][i] != -1 ) {
438 439
            RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
        }
440
    }
441 442

    return( 0 );
443 444 445 446 447
}

/*
 * Camellia key schedule (decryption)
 */
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
448
int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, const unsigned char *key,
449
                         unsigned int keybits )
450
{
451
    int idx, ret;
452
    size_t i;
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
453
    mbedtls_camellia_context cty;
454 455
    uint32_t *RK;
    uint32_t *SK;
456

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
457
    mbedtls_camellia_init( &cty );
458

459 460
    /* Also checks keybits */
    if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
461
        goto exit;
462

463 464 465 466
    ctx->nr = cty.nr;
    idx = ( ctx->nr == 4 );

    RK = ctx->rk;
467 468 469 470 471 472 473
    SK = cty.rk + 24 * 2 + 8 * idx * 2;

    *RK++ = *SK++;
    *RK++ = *SK++;
    *RK++ = *SK++;
    *RK++ = *SK++;

474
    for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
475
    {
476 477
        *RK++ = *SK++;
        *RK++ = *SK++;
478 479 480 481 482 483 484 485 486
    }

    SK -= 2;

    *RK++ = *SK++;
    *RK++ = *SK++;
    *RK++ = *SK++;
    *RK++ = *SK++;

487
exit:
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
488
    mbedtls_camellia_free( &cty );
489

490
    return( ret );
491 492 493 494 495
}

/*
 * Camellia-ECB block encryption/decryption
 */
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
496
int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
497
                    int mode,
498
                    const unsigned char input[16],
499 500
                    unsigned char output[16] )
{
501
    int NR;
502
    uint32_t *RK, X[4];
503

504 505
    ( (void) mode );

506 507 508
    NR = ctx->nr;
    RK = ctx->rk;

509 510 511 512
    GET_UINT32_BE( X[0], input,  0 );
    GET_UINT32_BE( X[1], input,  4 );
    GET_UINT32_BE( X[2], input,  8 );
    GET_UINT32_BE( X[3], input, 12 );
513 514 515 516 517 518

    X[0] ^= *RK++;
    X[1] ^= *RK++;
    X[2] ^= *RK++;
    X[3] ^= *RK++;

519
    while( NR ) {
520
        --NR;
521
        camellia_feistel( X, RK, X + 2 );
522
        RK += 2;
523
        camellia_feistel( X + 2, RK, X );
524
        RK += 2;
525
        camellia_feistel( X, RK, X + 2 );
526
        RK += 2;
527
        camellia_feistel( X + 2, RK, X );
528
        RK += 2;
529
        camellia_feistel( X, RK, X + 2 );
530
        RK += 2;
531
        camellia_feistel( X + 2, RK, X );
532 533
        RK += 2;

534
        if( NR ) {
535 536 537 538 539
            FL(X[0], X[1], RK[0], RK[1]);
            RK += 2;
            FLInv(X[2], X[3], RK[0], RK[1]);
            RK += 2;
        }
540 541 542 543 544 545 546
    }

    X[2] ^= *RK++;
    X[3] ^= *RK++;
    X[0] ^= *RK++;
    X[1] ^= *RK++;

547 548 549 550
    PUT_UINT32_BE( X[2], output,  0 );
    PUT_UINT32_BE( X[3], output,  4 );
    PUT_UINT32_BE( X[0], output,  8 );
    PUT_UINT32_BE( X[1], output, 12 );
551 552

    return( 0 );
553 554
}

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
555
#if defined(MBEDTLS_CIPHER_MODE_CBC)
556 557 558
/*
 * Camellia-CBC buffer encryption/decryption
 */
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
559
int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
560
                    int mode,
561
                    size_t length,
562
                    unsigned char iv[16],
563
                    const unsigned char *input,
564 565 566 567 568
                    unsigned char *output )
{
    int i;
    unsigned char temp[16];

569
    if( length % 16 )
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
570
        return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
571

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
572
    if( mode == MBEDTLS_CAMELLIA_DECRYPT )
573 574 575 576
    {
        while( length > 0 )
        {
            memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
577
            mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595

            for( i = 0; i < 16; i++ )
                output[i] = (unsigned char)( output[i] ^ iv[i] );

            memcpy( iv, temp, 16 );

            input  += 16;
            output += 16;
            length -= 16;
        }
    }
    else
    {
        while( length > 0 )
        {
            for( i = 0; i < 16; i++ )
                output[i] = (unsigned char)( input[i] ^ iv[i] );

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
596
            mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
597 598 599 600 601 602 603
            memcpy( iv, output, 16 );

            input  += 16;
            output += 16;
            length -= 16;
        }
    }
604 605

    return( 0 );
606
}
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
607
#endif /* MBEDTLS_CIPHER_MODE_CBC */
608

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
609
#if defined(MBEDTLS_CIPHER_MODE_CFB)
610 611 612
/*
 * Camellia-CFB128 buffer encryption/decryption
 */
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
613
int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
614
                       int mode,
615
                       size_t length,
616
                       size_t *iv_off,
617
                       unsigned char iv[16],
618
                       const unsigned char *input,
619 620
                       unsigned char *output )
{
621 622
    int c;
    size_t n = *iv_off;
623

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
624
    if( mode == MBEDTLS_CAMELLIA_DECRYPT )
625 626 627 628
    {
        while( length-- )
        {
            if( n == 0 )
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
629
                mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
630 631 632 633 634

            c = *input++;
            *output++ = (unsigned char)( c ^ iv[n] );
            iv[n] = (unsigned char) c;

635
            n = ( n + 1 ) & 0x0F;
636 637 638 639 640 641 642
        }
    }
    else
    {
        while( length-- )
        {
            if( n == 0 )
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
643
                mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
644 645 646

            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );

647
            n = ( n + 1 ) & 0x0F;
648 649 650 651
        }
    }

    *iv_off = n;
652 653

    return( 0 );
654
}
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
655
#endif /* MBEDTLS_CIPHER_MODE_CFB */
656

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
657
#if defined(MBEDTLS_CIPHER_MODE_CTR)
658 659 660
/*
 * Camellia-CTR buffer encryption/decryption
 */
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
661
int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
662 663
                       size_t length,
                       size_t *nc_off,
664 665 666 667 668
                       unsigned char nonce_counter[16],
                       unsigned char stream_block[16],
                       const unsigned char *input,
                       unsigned char *output )
{
Paul Bakker's avatar
Paul Bakker committed
669
    int c, i;
670
    size_t n = *nc_off;
671 672 673 674

    while( length-- )
    {
        if( n == 0 ) {
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
675
            mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
676
                                stream_block );
677

Paul Bakker's avatar
Paul Bakker committed
678 679 680
            for( i = 16; i > 0; i-- )
                if( ++nonce_counter[i - 1] != 0 )
                    break;
681 682 683 684
        }
        c = *input++;
        *output++ = (unsigned char)( c ^ stream_block[n] );

685
        n = ( n + 1 ) & 0x0F;
686 687 688 689 690 691
    }

    *nc_off = n;

    return( 0 );
}
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
692 693
#endif /* MBEDTLS_CIPHER_MODE_CTR */
#endif /* !MBEDTLS_CAMELLIA_ALT */
694

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
695
#if defined(MBEDTLS_SELF_TEST)
696 697 698 699 700 701 702

/*
 * Camellia test vectors from:
 *
 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
 *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
 *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
703
 *                      (For each bitlength: Key 0, Nr 39)
704
 */
705
#define CAMELLIA_TESTS_ECB  2
706 707 708

static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
{
709 710 711
    {
        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
712
        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
713 714 715 716 717 718
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
    },
    {
        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
719
        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
720 721 722 723 724 725 726 727
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
    },
    {
        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
          0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
728
        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
729 730 731 732
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
    },
733 734 735 736 737 738
};

static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
{
    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
      0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
739
    { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
740 741 742 743 744
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
};

static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
{
745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762
    {
        { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
          0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
        { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
          0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
    },
    {
        { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
          0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
        { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
          0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
    },
    {
        { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
          0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
        { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
          0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
    }
763 764
};

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
765
#if defined(MBEDTLS_CIPHER_MODE_CBC)
766
#define CAMELLIA_TESTS_CBC  3
767 768 769

static const unsigned char camellia_test_cbc_key[3][32] =
{
770 771 772 773 774 775 776 777 778 779 780
        { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
          0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
    ,
        { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
          0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
          0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
    ,
        { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
          0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
          0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
          0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801
};

static const unsigned char camellia_test_cbc_iv[16] =

    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
;

static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
{
    { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
      0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
    { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
      0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
    { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
      0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }

};

static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
{
802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825
    {
        { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
          0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
        { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
          0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
        { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
          0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
    },
    {
        { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
          0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
        { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
          0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
        { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
          0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
    },
    {
        { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
          0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
        { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
          0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
        { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
          0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
    }
826
};
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
827
#endif /* MBEDTLS_CIPHER_MODE_CBC */
828

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
829
#if defined(MBEDTLS_CIPHER_MODE_CTR)
830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889
/*
 * Camellia-CTR test vectors from:
 *
 * http://www.faqs.org/rfcs/rfc5528.html
 */

static const unsigned char camellia_test_ctr_key[3][16] =
{
    { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
      0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
    { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
      0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
    { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
      0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
};

static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
{
    { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
    { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
      0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
    { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
      0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
};

static const unsigned char camellia_test_ctr_pt[3][48] =
{
    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },

    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },

    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
      0x20, 0x21, 0x22, 0x23 }
};

static const unsigned char camellia_test_ctr_ct[3][48] =
{
    { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
      0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
    { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
      0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
      0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
      0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
    { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
      0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
      0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
      0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
      0xDF, 0x50, 0x86, 0x96 }
};

static const int camellia_test_ctr_len[3] =
    { 16, 32, 36 };
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
890
#endif /* MBEDTLS_CIPHER_MODE_CTR */
891 892 893 894

/*
 * Checkup routine
 */
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
895
int mbedtls_camellia_self_test( int verbose )
896
{
897
    int i, j, u, v;
898 899 900 901
    unsigned char key[32];
    unsigned char buf[64];
    unsigned char src[16];
    unsigned char dst[16];
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
902
#if defined(MBEDTLS_CIPHER_MODE_CBC)
903
    unsigned char iv[16];
904
#endif
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
905
#if defined(MBEDTLS_CIPHER_MODE_CTR)
906
    size_t offset, len;
907 908 909 910
    unsigned char nonce_counter[16];
    unsigned char stream_block[16];
#endif

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
911
    mbedtls_camellia_context ctx;
912 913 914

    memset( key, 0, 32 );

915
    for( j = 0; j < 6; j++ ) {
916 917 918 919
        u = j >> 1;
    v = j & 1;

    if( verbose != 0 )
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
920 921
        mbedtls_printf( "  CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
                         (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
922

923 924
    for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
        memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );