Coverage Report

Created: 2025-03-01 06:26

/src/mbedtls/library/camellia.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  Camellia implementation
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7
/*
8
 *  The Camellia block cipher was designed by NTT and Mitsubishi Electric
9
 *  Corporation.
10
 *
11
 *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
12
 */
13
14
#include "common.h"
15
16
#if defined(MBEDTLS_CAMELLIA_C)
17
18
#include "mbedtls/camellia.h"
19
#include "mbedtls/platform_util.h"
20
21
#include <string.h>
22
23
#include "mbedtls/platform.h"
24
25
#if !defined(MBEDTLS_CAMELLIA_ALT)
26
27
static const unsigned char SIGMA_CHARS[6][8] =
28
{
29
    { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
30
    { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
31
    { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
32
    { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
33
    { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
34
    { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
35
};
36
37
#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
38
39
static const unsigned char FSb[256] =
40
{
41
    112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
42
    35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
43
    134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
44
    166, 225, 57, 202, 213, 71, 93, 61, 217,  1, 90, 214, 81, 86, 108, 77,
45
    139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
46
    223, 76, 203, 194, 52, 126, 118,  5, 109, 183, 169, 49, 209, 23,  4, 215,
47
    20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
48
    254, 68, 207, 178, 195, 181, 122, 145, 36,  8, 232, 168, 96, 252, 105, 80,
49
    170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
50
    16, 196,  0, 72, 163, 247, 117, 219, 138,  3, 230, 218,  9, 63, 221, 148,
51
    135, 92, 131,  2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
52
    82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
53
    233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
54
    120, 152,  6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
55
    114,  7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
56
    64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
57
};
58
59
0
#define SBOX1(n) FSb[(n)]
60
0
#define SBOX2(n) (unsigned char) ((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
61
0
#define SBOX3(n) (unsigned char) ((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
62
0
#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
63
64
#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
65
66
static const unsigned char FSb[256] =
67
{
68
    112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
69
    35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
70
    134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
71
    166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
72
    139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
73
    223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
74
    20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
75
    254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
76
    170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
77
    16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
78
    135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
79
    82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
80
    233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
81
    120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
82
    114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
83
    64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
84
};
85
86
static const unsigned char FSb2[256] =
87
{
88
    224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
89
    70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
90
    13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
91
    77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
92
    23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
93
    191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
94
    40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
95
    253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
96
    85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
97
    32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
98
    15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
99
    164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
100
    211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
101
    240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
102
    228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
103
    128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
104
};
105
106
static const unsigned char FSb3[256] =
107
{
108
    56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
109
    145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
110
    67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
111
    83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
112
    197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
113
    239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
114
    10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
115
    127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
116
    85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
117
    8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
118
    195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
119
    41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
120
    244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
121
    60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
122
    57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
123
    32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
124
};
125
126
static const unsigned char FSb4[256] =
127
{
128
    112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
129
    134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
130
    139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
131
    20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
132
    170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
133
    135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
134
    233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
135
    114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
136
    130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
137
    184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
138
    13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
139
    88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
140
    208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
141
    92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
142
    121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
143
    7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
144
};
145
146
#define SBOX1(n) FSb[(n)]
147
#define SBOX2(n) FSb2[(n)]
148
#define SBOX3(n) FSb3[(n)]
149
#define SBOX4(n) FSb4[(n)]
150
151
#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
152
153
static const unsigned char shifts[2][4][4] =
154
{
155
    {
156
        { 1, 1, 1, 1 }, /* KL */
157
        { 0, 0, 0, 0 }, /* KR */
158
        { 1, 1, 1, 1 }, /* KA */
159
        { 0, 0, 0, 0 }  /* KB */
160
    },
161
    {
162
        { 1, 0, 1, 1 }, /* KL */
163
        { 1, 1, 0, 1 }, /* KR */
164
        { 1, 1, 1, 0 }, /* KA */
165
        { 1, 1, 0, 1 }  /* KB */
166
    }
167
};
168
169
static const signed char indexes[2][4][20] =
170
{
171
    {
172
        {  0,  1,  2,  3,  8,  9, 10, 11, 38, 39,
173
           36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
174
        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
175
          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
176
        {  4,  5,  6,  7, 12, 13, 14, 15, 16, 17,
177
           18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
178
        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
179
          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }  /* KB -> RK */
180
    },
181
    {
182
        {  0,  1,  2,  3, 61, 62, 63, 60, -1, -1,
183
           -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
184
        { -1, -1, -1, -1,  8,  9, 10, 11, 16, 17,
185
          18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
186
        { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
187
          56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
188
        {  4,  5,  6,  7, 65, 66, 67, 64, 20, 21,
189
           22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
190
    }
191
};
192
193
static const signed char transposes[2][20] =
194
{
195
    {
196
        21, 22, 23, 20,
197
        -1, -1, -1, -1,
198
        18, 19, 16, 17,
199
        11,  8,  9, 10,
200
        15, 12, 13, 14
201
    },
202
    {
203
        25, 26, 27, 24,
204
        29, 30, 31, 28,
205
        18, 19, 16, 17,
206
        -1, -1, -1, -1,
207
        -1, -1, -1, -1
208
    }
209
};
210
211
/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
212
#define ROTL(DEST, SRC, SHIFT)                                      \
213
0
    {                                                                   \
214
0
        (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
215
0
        (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
216
0
        (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
217
0
        (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
218
0
    }
219
220
#define FL(XL, XR, KL, KR)                                          \
221
0
    {                                                                   \
222
0
        (XR) = ((((XL) &(KL)) << 1) | (((XL) &(KL)) >> 31)) ^ (XR);   \
223
0
        (XL) = ((XR) | (KR)) ^ (XL);                                    \
224
0
    }
225
226
#define FLInv(YL, YR, KL, KR)                                       \
227
0
    {                                                                   \
228
0
        (YL) = ((YR) | (KR)) ^ (YL);                                    \
229
0
        (YR) = ((((YL) &(KL)) << 1) | (((YL) &(KL)) >> 31)) ^ (YR);   \
230
0
    }
231
232
#define SHIFT_AND_PLACE(INDEX, OFFSET)                      \
233
0
    {                                                           \
234
0
        TK[0] = KC[(OFFSET) * 4 + 0];                           \
235
0
        TK[1] = KC[(OFFSET) * 4 + 1];                           \
236
0
        TK[2] = KC[(OFFSET) * 4 + 2];                           \
237
0
        TK[3] = KC[(OFFSET) * 4 + 3];                           \
238
0
                                                            \
239
0
        for (i = 1; i <= 4; i++)                               \
240
0
        if (shifts[(INDEX)][(OFFSET)][i -1])               \
241
0
        ROTL(TK + i * 4, TK, (15 * i) % 32);          \
242
0
                                                            \
243
0
        for (i = 0; i < 20; i++)                               \
244
0
        if (indexes[(INDEX)][(OFFSET)][i] != -1) {         \
245
0
            RK[indexes[(INDEX)][(OFFSET)][i]] = TK[i];    \
246
0
        }                                                   \
247
0
    }
248
249
static void camellia_feistel(const uint32_t x[2], const uint32_t k[2],
250
                             uint32_t z[2])
251
0
{
252
0
    uint32_t I0, I1;
253
0
    I0 = x[0] ^ k[0];
254
0
    I1 = x[1] ^ k[1];
255
256
0
    I0 = ((uint32_t) SBOX1(MBEDTLS_BYTE_3(I0)) << 24) |
257
0
         ((uint32_t) SBOX2(MBEDTLS_BYTE_2(I0)) << 16) |
258
0
         ((uint32_t) SBOX3(MBEDTLS_BYTE_1(I0)) <<  8) |
259
0
         ((uint32_t) SBOX4(MBEDTLS_BYTE_0(I0)));
260
0
    I1 = ((uint32_t) SBOX2(MBEDTLS_BYTE_3(I1)) << 24) |
261
0
         ((uint32_t) SBOX3(MBEDTLS_BYTE_2(I1)) << 16) |
262
0
         ((uint32_t) SBOX4(MBEDTLS_BYTE_1(I1)) <<  8) |
263
0
         ((uint32_t) SBOX1(MBEDTLS_BYTE_0(I1)));
264
265
0
    I0 ^= (I1 << 8) | (I1 >> 24);
266
0
    I1 ^= (I0 << 16) | (I0 >> 16);
267
0
    I0 ^= (I1 >> 8) | (I1 << 24);
268
0
    I1 ^= (I0 >> 8) | (I0 << 24);
269
270
0
    z[0] ^= I1;
271
0
    z[1] ^= I0;
272
0
}
273
274
void mbedtls_camellia_init(mbedtls_camellia_context *ctx)
275
0
{
276
0
    memset(ctx, 0, sizeof(mbedtls_camellia_context));
277
0
}
278
279
void mbedtls_camellia_free(mbedtls_camellia_context *ctx)
280
0
{
281
0
    if (ctx == NULL) {
282
0
        return;
283
0
    }
284
285
0
    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_camellia_context));
286
0
}
287
288
/*
289
 * Camellia key schedule (encryption)
290
 */
291
int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
292
                                const unsigned char *key,
293
                                unsigned int keybits)
294
0
{
295
0
    int idx;
296
0
    size_t i;
297
0
    uint32_t *RK;
298
0
    unsigned char t[64];
299
0
    uint32_t SIGMA[6][2];
300
0
    uint32_t KC[16];
301
0
    uint32_t TK[20];
302
303
0
    RK = ctx->rk;
304
305
0
    memset(t, 0, 64);
306
0
    memset(RK, 0, sizeof(ctx->rk));
307
308
0
    switch (keybits) {
309
0
        case 128: ctx->nr = 3; idx = 0; break;
310
0
        case 192:
311
0
        case 256: ctx->nr = 4; idx = 1; break;
312
0
        default: return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
313
0
    }
314
315
0
    for (i = 0; i < keybits / 8; ++i) {
316
0
        t[i] = key[i];
317
0
    }
318
319
0
    if (keybits == 192) {
320
0
        for (i = 0; i < 8; i++) {
321
0
            t[24 + i] = ~t[16 + i];
322
0
        }
323
0
    }
324
325
    /*
326
     * Prepare SIGMA values
327
     */
328
0
    for (i = 0; i < 6; i++) {
329
0
        SIGMA[i][0] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 0);
330
0
        SIGMA[i][1] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 4);
331
0
    }
332
333
    /*
334
     * Key storage in KC
335
     * Order: KL, KR, KA, KB
336
     */
337
0
    memset(KC, 0, sizeof(KC));
338
339
    /* Store KL, KR */
340
0
    for (i = 0; i < 8; i++) {
341
0
        KC[i] = MBEDTLS_GET_UINT32_BE(t, i * 4);
342
0
    }
343
344
    /* Generate KA */
345
0
    for (i = 0; i < 4; ++i) {
346
0
        KC[8 + i] = KC[i] ^ KC[4 + i];
347
0
    }
348
349
0
    camellia_feistel(KC + 8, SIGMA[0], KC + 10);
350
0
    camellia_feistel(KC + 10, SIGMA[1], KC + 8);
351
352
0
    for (i = 0; i < 4; ++i) {
353
0
        KC[8 + i] ^= KC[i];
354
0
    }
355
356
0
    camellia_feistel(KC + 8, SIGMA[2], KC + 10);
357
0
    camellia_feistel(KC + 10, SIGMA[3], KC + 8);
358
359
0
    if (keybits > 128) {
360
        /* Generate KB */
361
0
        for (i = 0; i < 4; ++i) {
362
0
            KC[12 + i] = KC[4 + i] ^ KC[8 + i];
363
0
        }
364
365
0
        camellia_feistel(KC + 12, SIGMA[4], KC + 14);
366
0
        camellia_feistel(KC + 14, SIGMA[5], KC + 12);
367
0
    }
368
369
    /*
370
     * Generating subkeys
371
     */
372
373
    /* Manipulating KL */
374
0
    SHIFT_AND_PLACE(idx, 0);
375
376
    /* Manipulating KR */
377
0
    if (keybits > 128) {
378
0
        SHIFT_AND_PLACE(idx, 1);
379
0
    }
380
381
    /* Manipulating KA */
382
0
    SHIFT_AND_PLACE(idx, 2);
383
384
    /* Manipulating KB */
385
0
    if (keybits > 128) {
386
0
        SHIFT_AND_PLACE(idx, 3);
387
0
    }
388
389
    /* Do transpositions */
390
0
    for (i = 0; i < 20; i++) {
391
0
        if (transposes[idx][i] != -1) {
392
0
            RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
393
0
        }
394
0
    }
395
396
0
    return 0;
397
0
}
398
399
/*
400
 * Camellia key schedule (decryption)
401
 */
402
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
403
int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
404
                                const unsigned char *key,
405
                                unsigned int keybits)
406
0
{
407
0
    int idx, ret;
408
0
    size_t i;
409
0
    mbedtls_camellia_context cty;
410
0
    uint32_t *RK;
411
0
    uint32_t *SK;
412
413
0
    mbedtls_camellia_init(&cty);
414
415
    /* Also checks keybits */
416
0
    if ((ret = mbedtls_camellia_setkey_enc(&cty, key, keybits)) != 0) {
417
0
        goto exit;
418
0
    }
419
420
0
    ctx->nr = cty.nr;
421
0
    idx = (ctx->nr == 4);
422
423
0
    RK = ctx->rk;
424
0
    SK = cty.rk + 24 * 2 + 8 * idx * 2;
425
426
0
    *RK++ = *SK++;
427
0
    *RK++ = *SK++;
428
0
    *RK++ = *SK++;
429
0
    *RK++ = *SK++;
430
431
0
    for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4) {
432
0
        *RK++ = *SK++;
433
0
        *RK++ = *SK++;
434
0
    }
435
436
0
    SK -= 2;
437
438
0
    *RK++ = *SK++;
439
0
    *RK++ = *SK++;
440
0
    *RK++ = *SK++;
441
0
    *RK++ = *SK++;
442
443
0
exit:
444
0
    mbedtls_camellia_free(&cty);
445
446
0
    return ret;
447
0
}
448
#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
449
450
/*
451
 * Camellia-ECB block encryption/decryption
452
 */
453
int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
454
                               int mode,
455
                               const unsigned char input[16],
456
                               unsigned char output[16])
457
0
{
458
0
    int NR;
459
0
    uint32_t *RK, X[4];
460
0
    if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
461
0
        return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
462
0
    }
463
464
0
    ((void) mode);
465
466
0
    NR = ctx->nr;
467
0
    RK = ctx->rk;
468
469
0
    X[0] = MBEDTLS_GET_UINT32_BE(input,  0);
470
0
    X[1] = MBEDTLS_GET_UINT32_BE(input,  4);
471
0
    X[2] = MBEDTLS_GET_UINT32_BE(input,  8);
472
0
    X[3] = MBEDTLS_GET_UINT32_BE(input, 12);
473
474
0
    X[0] ^= *RK++;
475
0
    X[1] ^= *RK++;
476
0
    X[2] ^= *RK++;
477
0
    X[3] ^= *RK++;
478
479
0
    while (NR) {
480
0
        --NR;
481
0
        camellia_feistel(X, RK, X + 2);
482
0
        RK += 2;
483
0
        camellia_feistel(X + 2, RK, X);
484
0
        RK += 2;
485
0
        camellia_feistel(X, RK, X + 2);
486
0
        RK += 2;
487
0
        camellia_feistel(X + 2, RK, X);
488
0
        RK += 2;
489
0
        camellia_feistel(X, RK, X + 2);
490
0
        RK += 2;
491
0
        camellia_feistel(X + 2, RK, X);
492
0
        RK += 2;
493
494
0
        if (NR) {
495
0
            FL(X[0], X[1], RK[0], RK[1]);
496
0
            RK += 2;
497
0
            FLInv(X[2], X[3], RK[0], RK[1]);
498
0
            RK += 2;
499
0
        }
500
0
    }
501
502
0
    X[2] ^= *RK++;
503
0
    X[3] ^= *RK++;
504
0
    X[0] ^= *RK++;
505
0
    X[1] ^= *RK++;
506
507
0
    MBEDTLS_PUT_UINT32_BE(X[2], output,  0);
508
0
    MBEDTLS_PUT_UINT32_BE(X[3], output,  4);
509
0
    MBEDTLS_PUT_UINT32_BE(X[0], output,  8);
510
0
    MBEDTLS_PUT_UINT32_BE(X[1], output, 12);
511
512
0
    return 0;
513
0
}
514
515
#if defined(MBEDTLS_CIPHER_MODE_CBC)
516
/*
517
 * Camellia-CBC buffer encryption/decryption
518
 */
519
int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
520
                               int mode,
521
                               size_t length,
522
                               unsigned char iv[16],
523
                               const unsigned char *input,
524
                               unsigned char *output)
525
0
{
526
0
    unsigned char temp[16];
527
0
    if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
528
0
        return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
529
0
    }
530
531
0
    if (length % 16) {
532
0
        return MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH;
533
0
    }
534
535
0
    if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
536
0
        while (length > 0) {
537
0
            memcpy(temp, input, 16);
538
0
            mbedtls_camellia_crypt_ecb(ctx, mode, input, output);
539
540
0
            mbedtls_xor(output, output, iv, 16);
541
542
0
            memcpy(iv, temp, 16);
543
544
0
            input  += 16;
545
0
            output += 16;
546
0
            length -= 16;
547
0
        }
548
0
    } else {
549
0
        while (length > 0) {
550
0
            mbedtls_xor(output, input, iv, 16);
551
552
0
            mbedtls_camellia_crypt_ecb(ctx, mode, output, output);
553
0
            memcpy(iv, output, 16);
554
555
0
            input  += 16;
556
0
            output += 16;
557
0
            length -= 16;
558
0
        }
559
0
    }
560
561
0
    return 0;
562
0
}
563
#endif /* MBEDTLS_CIPHER_MODE_CBC */
564
565
#if defined(MBEDTLS_CIPHER_MODE_CFB)
566
/*
567
 * Camellia-CFB128 buffer encryption/decryption
568
 */
569
int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
570
                                  int mode,
571
                                  size_t length,
572
                                  size_t *iv_off,
573
                                  unsigned char iv[16],
574
                                  const unsigned char *input,
575
                                  unsigned char *output)
576
0
{
577
0
    int c;
578
0
    size_t n;
579
0
    if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
580
0
        return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
581
0
    }
582
583
0
    n = *iv_off;
584
0
    if (n >= 16) {
585
0
        return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
586
0
    }
587
588
0
    if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
589
0
        while (length--) {
590
0
            if (n == 0) {
591
0
                mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
592
0
            }
593
594
0
            c = *input++;
595
0
            *output++ = (unsigned char) (c ^ iv[n]);
596
0
            iv[n] = (unsigned char) c;
597
598
0
            n = (n + 1) & 0x0F;
599
0
        }
600
0
    } else {
601
0
        while (length--) {
602
0
            if (n == 0) {
603
0
                mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
604
0
            }
605
606
0
            iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
607
608
0
            n = (n + 1) & 0x0F;
609
0
        }
610
0
    }
611
612
0
    *iv_off = n;
613
614
0
    return 0;
615
0
}
616
#endif /* MBEDTLS_CIPHER_MODE_CFB */
617
618
#if defined(MBEDTLS_CIPHER_MODE_CTR)
619
/*
620
 * Camellia-CTR buffer encryption/decryption
621
 */
622
int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
623
                               size_t length,
624
                               size_t *nc_off,
625
                               unsigned char nonce_counter[16],
626
                               unsigned char stream_block[16],
627
                               const unsigned char *input,
628
                               unsigned char *output)
629
0
{
630
0
    int c, i;
631
0
    size_t n;
632
633
0
    n = *nc_off;
634
0
    if (n >= 16) {
635
0
        return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
636
0
    }
637
638
0
    while (length--) {
639
0
        if (n == 0) {
640
0
            mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
641
0
                                       stream_block);
642
643
0
            for (i = 16; i > 0; i--) {
644
0
                if (++nonce_counter[i - 1] != 0) {
645
0
                    break;
646
0
                }
647
0
            }
648
0
        }
649
0
        c = *input++;
650
0
        *output++ = (unsigned char) (c ^ stream_block[n]);
651
652
0
        n = (n + 1) & 0x0F;
653
0
    }
654
655
0
    *nc_off = n;
656
657
0
    return 0;
658
0
}
659
#endif /* MBEDTLS_CIPHER_MODE_CTR */
660
#endif /* !MBEDTLS_CAMELLIA_ALT */
661
662
#if defined(MBEDTLS_SELF_TEST)
663
664
/*
665
 * Camellia test vectors from:
666
 *
667
 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
668
 *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
669
 *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
670
 *                      (For each bitlength: Key 0, Nr 39)
671
 */
672
0
#define CAMELLIA_TESTS_ECB  2
673
674
static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
675
{
676
    {
677
        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
678
          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
679
        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
680
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
681
    },
682
    {
683
        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
684
          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
685
          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
686
        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
687
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
688
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
689
    },
690
    {
691
        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
692
          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
693
          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
694
          0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
695
        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
696
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
697
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
698
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
699
    },
700
};
701
702
static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
703
{
704
    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
705
      0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
706
    { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
707
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
708
};
709
710
static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
711
{
712
    {
713
        { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
714
          0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
715
        { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
716
          0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
717
    },
718
    {
719
        { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
720
          0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
721
        { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
722
          0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
723
    },
724
    {
725
        { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
726
          0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
727
        { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
728
          0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
729
    }
730
};
731
732
#if defined(MBEDTLS_CIPHER_MODE_CBC)
733
0
#define CAMELLIA_TESTS_CBC  3
734
735
static const unsigned char camellia_test_cbc_key[3][32] =
736
{
737
    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
738
      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
739
    ,
740
    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
741
      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
742
      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
743
    ,
744
    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
745
      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
746
      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
747
      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
748
};
749
750
static const unsigned char camellia_test_cbc_iv[16] =
751
752
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
753
  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
754
;
755
756
static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
757
{
758
    { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
759
      0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
760
    { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
761
      0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
762
    { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
763
      0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
764
765
};
766
767
static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
768
{
769
    {
770
        { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
771
          0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
772
        { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
773
          0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
774
        { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
775
          0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
776
    },
777
    {
778
        { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
779
          0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
780
        { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
781
          0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
782
        { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
783
          0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
784
    },
785
    {
786
        { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
787
          0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
788
        { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
789
          0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
790
        { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
791
          0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
792
    }
793
};
794
#endif /* MBEDTLS_CIPHER_MODE_CBC */
795
796
#if defined(MBEDTLS_CIPHER_MODE_CTR)
797
/*
798
 * Camellia-CTR test vectors from:
799
 *
800
 * http://www.faqs.org/rfcs/rfc5528.html
801
 */
802
803
static const unsigned char camellia_test_ctr_key[3][16] =
804
{
805
    { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
806
      0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
807
    { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
808
      0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
809
    { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
810
      0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
811
};
812
813
static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
814
{
815
    { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
816
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
817
    { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
818
      0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
819
    { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
820
      0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
821
};
822
823
static const unsigned char camellia_test_ctr_pt[3][48] =
824
{
825
    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
826
      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
827
828
    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
829
      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
830
      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
831
      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
832
833
    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
834
      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
835
      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
836
      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
837
      0x20, 0x21, 0x22, 0x23 }
838
};
839
840
static const unsigned char camellia_test_ctr_ct[3][48] =
841
{
842
    { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
843
      0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
844
    { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
845
      0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
846
      0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
847
      0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
848
    { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
849
      0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
850
      0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
851
      0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
852
      0xDF, 0x50, 0x86, 0x96 }
853
};
854
855
static const int camellia_test_ctr_len[3] =
856
{ 16, 32, 36 };
857
#endif /* MBEDTLS_CIPHER_MODE_CTR */
858
859
/*
860
 * Checkup routine
861
 */
862
int mbedtls_camellia_self_test(int verbose)
863
0
{
864
0
    int i, j, u, v;
865
0
    unsigned char key[32];
866
0
    unsigned char buf[64];
867
0
    unsigned char src[16];
868
0
    unsigned char dst[16];
869
0
#if defined(MBEDTLS_CIPHER_MODE_CBC)
870
0
    unsigned char iv[16];
871
0
#endif
872
0
#if defined(MBEDTLS_CIPHER_MODE_CTR)
873
0
    size_t offset, len;
874
0
    unsigned char nonce_counter[16];
875
0
    unsigned char stream_block[16];
876
0
#endif
877
0
    int ret = 1;
878
879
0
    mbedtls_camellia_context ctx;
880
881
0
    mbedtls_camellia_init(&ctx);
882
0
    memset(key, 0, 32);
883
884
0
    for (j = 0; j < 6; j++) {
885
0
        u = j >> 1;
886
0
        v = j & 1;
887
888
0
        if (verbose != 0) {
889
0
            mbedtls_printf("  CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
890
0
                           (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
891
0
        }
892
893
#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
894
        if (v == MBEDTLS_CAMELLIA_DECRYPT) {
895
            if (verbose != 0) {
896
                mbedtls_printf("skipped\n");
897
            }
898
            continue;
899
        }
900
#endif
901
902
0
        for (i = 0; i < CAMELLIA_TESTS_ECB; i++) {
903
0
            memcpy(key, camellia_test_ecb_key[u][i], 16 + 8 * u);
904
905
0
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
906
0
            if (v == MBEDTLS_CAMELLIA_DECRYPT) {
907
0
                mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
908
0
                memcpy(src, camellia_test_ecb_cipher[u][i], 16);
909
0
                memcpy(dst, camellia_test_ecb_plain[i], 16);
910
0
            } else
911
0
#endif
912
0
            { /* MBEDTLS_CAMELLIA_ENCRYPT */
913
0
                mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
914
0
                memcpy(src, camellia_test_ecb_plain[i], 16);
915
0
                memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
916
0
            }
917
918
0
            mbedtls_camellia_crypt_ecb(&ctx, v, src, buf);
919
920
0
            if (memcmp(buf, dst, 16) != 0) {
921
0
                if (verbose != 0) {
922
0
                    mbedtls_printf("failed\n");
923
0
                }
924
0
                goto exit;
925
0
            }
926
0
        }
927
928
0
        if (verbose != 0) {
929
0
            mbedtls_printf("passed\n");
930
0
        }
931
0
    }
932
933
0
    if (verbose != 0) {
934
0
        mbedtls_printf("\n");
935
0
    }
936
937
0
#if defined(MBEDTLS_CIPHER_MODE_CBC)
938
    /*
939
     * CBC mode
940
     */
941
0
    for (j = 0; j < 6; j++) {
942
0
        u = j >> 1;
943
0
        v = j  & 1;
944
945
0
        if (verbose != 0) {
946
0
            mbedtls_printf("  CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
947
0
                           (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
948
0
        }
949
950
0
        memcpy(src, camellia_test_cbc_iv, 16);
951
0
        memcpy(dst, camellia_test_cbc_iv, 16);
952
0
        memcpy(key, camellia_test_cbc_key[u], 16 + 8 * u);
953
954
0
        if (v == MBEDTLS_CAMELLIA_DECRYPT) {
955
0
            mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
956
0
        } else {
957
0
            mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
958
0
        }
959
960
0
        for (i = 0; i < CAMELLIA_TESTS_CBC; i++) {
961
962
0
            if (v == MBEDTLS_CAMELLIA_DECRYPT) {
963
0
                memcpy(iv, src, 16);
964
0
                memcpy(src, camellia_test_cbc_cipher[u][i], 16);
965
0
                memcpy(dst, camellia_test_cbc_plain[i], 16);
966
0
            } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
967
0
                memcpy(iv, dst, 16);
968
0
                memcpy(src, camellia_test_cbc_plain[i], 16);
969
0
                memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
970
0
            }
971
972
0
            mbedtls_camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
973
974
0
            if (memcmp(buf, dst, 16) != 0) {
975
0
                if (verbose != 0) {
976
0
                    mbedtls_printf("failed\n");
977
0
                }
978
0
                goto exit;
979
0
            }
980
0
        }
981
982
0
        if (verbose != 0) {
983
0
            mbedtls_printf("passed\n");
984
0
        }
985
0
    }
986
0
#endif /* MBEDTLS_CIPHER_MODE_CBC */
987
988
0
    if (verbose != 0) {
989
0
        mbedtls_printf("\n");
990
0
    }
991
992
0
#if defined(MBEDTLS_CIPHER_MODE_CTR)
993
    /*
994
     * CTR mode
995
     */
996
0
    for (i = 0; i < 6; i++) {
997
0
        u = i >> 1;
998
0
        v = i  & 1;
999
1000
0
        if (verbose != 0) {
1001
0
            mbedtls_printf("  CAMELLIA-CTR-128 (%s): ",
1002
0
                           (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
1003
0
        }
1004
1005
0
        memcpy(nonce_counter, camellia_test_ctr_nonce_counter[u], 16);
1006
0
        memcpy(key, camellia_test_ctr_key[u], 16);
1007
1008
0
        offset = 0;
1009
0
        mbedtls_camellia_setkey_enc(&ctx, key, 128);
1010
1011
0
        if (v == MBEDTLS_CAMELLIA_DECRYPT) {
1012
0
            len = camellia_test_ctr_len[u];
1013
0
            memcpy(buf, camellia_test_ctr_ct[u], len);
1014
1015
0
            mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1016
0
                                       buf, buf);
1017
1018
0
            if (memcmp(buf, camellia_test_ctr_pt[u], len) != 0) {
1019
0
                if (verbose != 0) {
1020
0
                    mbedtls_printf("failed\n");
1021
0
                }
1022
0
                goto exit;
1023
0
            }
1024
0
        } else {
1025
0
            len = camellia_test_ctr_len[u];
1026
0
            memcpy(buf, camellia_test_ctr_pt[u], len);
1027
1028
0
            mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1029
0
                                       buf, buf);
1030
1031
0
            if (memcmp(buf, camellia_test_ctr_ct[u], len) != 0) {
1032
0
                if (verbose != 0) {
1033
0
                    mbedtls_printf("failed\n");
1034
0
                }
1035
0
                goto exit;
1036
0
            }
1037
0
        }
1038
1039
0
        if (verbose != 0) {
1040
0
            mbedtls_printf("passed\n");
1041
0
        }
1042
0
    }
1043
1044
0
    if (verbose != 0) {
1045
0
        mbedtls_printf("\n");
1046
0
    }
1047
0
#endif /* MBEDTLS_CIPHER_MODE_CTR */
1048
1049
0
    ret = 0;
1050
1051
0
exit:
1052
0
    mbedtls_camellia_free(&ctx);
1053
0
    return ret;
1054
0
}
1055
1056
#endif /* MBEDTLS_SELF_TEST */
1057
1058
#endif /* MBEDTLS_CAMELLIA_C */