/src/mbedtls/library/camellia.c

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Camellia implementation
3		*
4		* Copyright The Mbed TLS Contributors
5		* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6		*/
7		/*
8		* The Camellia block cipher was designed by NTT and Mitsubishi Electric
9		* Corporation.
10		*
11		* http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
12		*/
13
14		#include "common.h"
15
16		#if defined(MBEDTLS_CAMELLIA_C)
17
18		#include "mbedtls/camellia.h"
19		#include "mbedtls/platform_util.h"
20
21		#include <string.h>
22
23		#include "mbedtls/platform.h"
24
25		#if !defined(MBEDTLS_CAMELLIA_ALT)
26
27		static const unsigned char SIGMA_CHARS[6][8] =
28		{
29		{ 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
30		{ 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
31		{ 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
32		{ 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
33		{ 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
34		{ 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
35		};
36
37		#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
38
39		static const unsigned char FSb[256] =
40		{
41		112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
42		35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
43		134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
44		166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
45		139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
46		223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
47		20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
48		254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
49		170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
50		16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
51		135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
52		82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
53		233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
54		120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
55		114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
56		64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
57		};
58
59	342k	#define SBOX1(n) FSb[(n)]
60	342k	#define SBOX2(n) (unsigned char) ((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
61	342k	#define SBOX3(n) (unsigned char) ((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
62	342k	#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
63
64		#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
65
66		static const unsigned char FSb[256] =
67		{
68		112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
69		35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
70		134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
71		166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
72		139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
73		223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
74		20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
75		254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
76		170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
77		16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
78		135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
79		82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
80		233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
81		120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
82		114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
83		64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
84		};
85
86		static const unsigned char FSb2[256] =
87		{
88		224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
89		70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
90		13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
91		77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
92		23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
93		191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
94		40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
95		253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
96		85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
97		32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
98		15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
99		164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
100		211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
101		240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
102		228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
103		128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
104		};
105
106		static const unsigned char FSb3[256] =
107		{
108		56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
109		145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
110		67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
111		83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
112		197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
113		239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
114		10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
115		127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
116		85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
117		8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
118		195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
119		41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
120		244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
121		60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
122		57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
123		32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
124		};
125
126		static const unsigned char FSb4[256] =
127		{
128		112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
129		134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
130		139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
131		20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
132		170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
133		135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
134		233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
135		114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
136		130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
137		184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
138		13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
139		88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
140		208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
141		92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
142		121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
143		7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
144		};
145
146		#define SBOX1(n) FSb[(n)]
147		#define SBOX2(n) FSb2[(n)]
148		#define SBOX3(n) FSb3[(n)]
149		#define SBOX4(n) FSb4[(n)]
150
151		#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
152
153		static const unsigned char shifts[2][4][4] =
154		{
155		{
156		{ 1, 1, 1, 1 }, /* KL */
157		{ 0, 0, 0, 0 }, /* KR */
158		{ 1, 1, 1, 1 }, /* KA */
159		{ 0, 0, 0, 0 } /* KB */
160		},
161		{
162		{ 1, 0, 1, 1 }, /* KL */
163		{ 1, 1, 0, 1 }, /* KR */
164		{ 1, 1, 1, 0 }, /* KA */
165		{ 1, 1, 0, 1 } /* KB */
166		}
167		};
168
169		static const signed char indexes[2][4][20] =
170		{
171		{
172		{ 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
173		36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
174		{ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
175		-1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
176		{ 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
177		18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
178		{ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
179		-1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
180		},
181		{
182		{ 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
183		-1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
184		{ -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
185		18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
186		{ -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
187		56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
188		{ 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
189		22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
190		}
191		};
192
193		static const signed char transposes[2][20] =
194		{
195		{
196		21, 22, 23, 20,
197		-1, -1, -1, -1,
198		18, 19, 16, 17,
199		11, 8, 9, 10,
200		15, 12, 13, 14
201		},
202		{
203		25, 26, 27, 24,
204		29, 30, 31, 28,
205		18, 19, 16, 17,
206		-1, -1, -1, -1,
207		-1, -1, -1, -1
208		}
209		};
210
211		/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
212		#define ROTL(DEST, SRC, SHIFT) \
213	5.43k	{ \
214	5.43k	(DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
215	5.43k	(DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
216	5.43k	(DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
217	5.43k	(DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
218	5.43k	}
219
220		#define FL(XL, XR, KL, KR) \
221	19.5k	{ \
222	19.5k	(XR) = ((((XL) &(KL)) << 1) \| (((XL) &(KL)) >> 31)) ^ (XR); \
223	19.5k	(XL) = ((XR) \| (KR)) ^ (XL); \
224	19.5k	}
225
226		#define FLInv(YL, YR, KL, KR) \
227	19.5k	{ \
228	19.5k	(YL) = ((YR) \| (KR)) ^ (YL); \
229	19.5k	(YR) = ((((YL) &(KL)) << 1) \| (((YL) &(KL)) >> 31)) ^ (YR); \
230	19.5k	}
231
232		#define SHIFT_AND_PLACE(INDEX, OFFSET) \
233	1.40k	{ \
234	1.40k	TK[0] = KC[(OFFSET) * 4 + 0]; \
235	1.40k	TK[1] = KC[(OFFSET) * 4 + 1]; \
236	1.40k	TK[2] = KC[(OFFSET) * 4 + 2]; \
237	1.40k	TK[3] = KC[(OFFSET) * 4 + 3]; \
238	1.40k	\
239	7.04k	for (i = 1; i <= 4; i++) \
240	5.63k	if (shifts[(INDEX)][(OFFSET)][i -1]) \
241	5.63k	ROTL(TK + i * 4, TK, (15 * i) % 32); \
242	1.40k	\
243	29.5k	for (i = 0; i < 20; i++) \
244	28.1k	if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
245	21.0k	RK[indexes[(INDEX)][(OFFSET)][i]] = TK[i]; \
246	21.0k	} \
247	1.40k	}
248
249		static void camellia_feistel(const uint32_t x[2], const uint32_t k[2],
250		uint32_t z[2])
251	171k	{
252	171k	uint32_t I0, I1;
253	171k	I0 = x[0] ^ k[0];
254	171k	I1 = x[1] ^ k[1];
255
256	171k	I0 = ((uint32_t) SBOX1(MBEDTLS_BYTE_3(I0)) << 24) \|
257	171k	((uint32_t) SBOX2(MBEDTLS_BYTE_2(I0)) << 16) \|
258	171k	((uint32_t) SBOX3(MBEDTLS_BYTE_1(I0)) << 8) \|
259	171k	((uint32_t) SBOX4(MBEDTLS_BYTE_0(I0)));
260	171k	I1 = ((uint32_t) SBOX2(MBEDTLS_BYTE_3(I1)) << 24) \|
261	171k	((uint32_t) SBOX3(MBEDTLS_BYTE_2(I1)) << 16) \|
262	171k	((uint32_t) SBOX4(MBEDTLS_BYTE_1(I1)) << 8) \|
263	171k	((uint32_t) SBOX1(MBEDTLS_BYTE_0(I1)));
264
265	171k	I0 ^= (I1 << 8) \| (I1 >> 24);
266	171k	I1 ^= (I0 << 16) \| (I0 >> 16);
267	171k	I0 ^= (I1 >> 8) \| (I1 << 24);
268	171k	I1 ^= (I0 >> 8) \| (I0 << 24);
269
270	171k	z[0] ^= I1;
271	171k	z[1] ^= I0;
272	171k	}
273
274		void mbedtls_camellia_init(mbedtls_camellia_context *ctx)
275	628	{
276	628	memset(ctx, 0, sizeof(mbedtls_camellia_context));
277	628	}
278
279		void mbedtls_camellia_free(mbedtls_camellia_context *ctx)
280	628	{
281	628	if (ctx == NULL) {
282	0	return;
283	0	}
284
285	628	mbedtls_platform_zeroize(ctx, sizeof(mbedtls_camellia_context));
286	628	}
287
288		/*
289		* Camellia key schedule (encryption)
290		*/
291		int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
292		const unsigned char *key,
293		unsigned int keybits)
294	436	{
295	436	int idx;
296	436	size_t i;
297	436	uint32_t *RK;
298	436	unsigned char t[64];
299	436	uint32_t SIGMA[6][2];
300	436	uint32_t KC[16];
301	436	uint32_t TK[20];
302
303	436	RK = ctx->rk;
304
305	436	memset(t, 0, 64);
306	436	memset(RK, 0, sizeof(ctx->rk));
307
308	436	switch (keybits) {
309	168	case 128: ctx->nr = 3; idx = 0; break;
310	0	case 192:
311	268	case 256: ctx->nr = 4; idx = 1; break;
312	0	default: return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
313	436	}
314
315	11.7k	for (i = 0; i < keybits / 8; ++i) {
316	11.2k	t[i] = key[i];
317	11.2k	}
318
319	436	if (keybits == 192) {
320	0	for (i = 0; i < 8; i++) {
321	0	t[24 + i] = ~t[16 + i];
322	0	}
323	0	}
324
325		/*
326		* Prepare SIGMA values
327		*/
328	3.05k	for (i = 0; i < 6; i++) {
329	2.61k	SIGMA[i][0] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 0);
330	2.61k	SIGMA[i][1] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 4);
331	2.61k	}
332
333		/*
334		* Key storage in KC
335		* Order: KL, KR, KA, KB
336		*/
337	436	memset(KC, 0, sizeof(KC));
338
339		/* Store KL, KR */
340	3.92k	for (i = 0; i < 8; i++) {
341	3.48k	KC[i] = MBEDTLS_GET_UINT32_BE(t, i * 4);
342	3.48k	}
343
344		/* Generate KA */
345	2.18k	for (i = 0; i < 4; ++i) {
346	1.74k	KC[8 + i] = KC[i] ^ KC[4 + i];
347	1.74k	}
348
349	436	camellia_feistel(KC + 8, SIGMA[0], KC + 10);
350	436	camellia_feistel(KC + 10, SIGMA[1], KC + 8);
351
352	2.18k	for (i = 0; i < 4; ++i) {
353	1.74k	KC[8 + i] ^= KC[i];
354	1.74k	}
355
356	436	camellia_feistel(KC + 8, SIGMA[2], KC + 10);
357	436	camellia_feistel(KC + 10, SIGMA[3], KC + 8);
358
359	436	if (keybits > 128) {
360		/* Generate KB */
361	1.34k	for (i = 0; i < 4; ++i) {
362	1.07k	KC[12 + i] = KC[4 + i] ^ KC[8 + i];
363	1.07k	}
364
365	268	camellia_feistel(KC + 12, SIGMA[4], KC + 14);
366	268	camellia_feistel(KC + 14, SIGMA[5], KC + 12);
367	268	}
368
369		/*
370		* Generating subkeys
371		*/
372
373		/* Manipulating KL */
374	436	SHIFT_AND_PLACE(idx, 0);
375
376		/* Manipulating KR */
377	436	if (keybits > 128) {
378	268	SHIFT_AND_PLACE(idx, 1);
379	268	}
380
381		/* Manipulating KA */
382	436	SHIFT_AND_PLACE(idx, 2);
383
384		/* Manipulating KB */
385	436	if (keybits > 128) {
386	268	SHIFT_AND_PLACE(idx, 3);
387	268	}
388
389		/* Do transpositions */
390	9.15k	for (i = 0; i < 20; i++) {
391	8.72k	if (transposes[idx][i] != -1) {
392	5.90k	RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
393	5.90k	}
394	8.72k	}
395
396	436	return 0;
397	436	}
398
399		/*
400		* Camellia key schedule (decryption)
401		*/
402		#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
403		int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
404		const unsigned char *key,
405		unsigned int keybits)
406	192	{
407	192	int idx, ret;
408	192	size_t i;
409	192	mbedtls_camellia_context cty;
410	192	uint32_t *RK;
411	192	uint32_t *SK;
412
413	192	mbedtls_camellia_init(&cty);
414
415		/* Also checks keybits */
416	192	if ((ret = mbedtls_camellia_setkey_enc(&cty, key, keybits)) != 0) {
417	0	goto exit;
418	0	}
419
420	192	ctx->nr = cty.nr;
421	192	idx = (ctx->nr == 4);
422
423	192	RK = ctx->rk;
424	192	SK = cty.rk + 24 * 2 + 8 * idx * 2;
425
426	192	RK++ = SK++;
427	192	RK++ = SK++;
428	192	RK++ = SK++;
429	192	RK++ = SK++;
430
431	5.40k	for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4) {
432	5.20k	RK++ = SK++;
433	5.20k	RK++ = SK++;
434	5.20k	}
435
436	192	SK -= 2;
437
438	192	RK++ = SK++;
439	192	RK++ = SK++;
440	192	RK++ = SK++;
441	192	RK++ = SK++;
442
443	192	exit:
444	192	mbedtls_camellia_free(&cty);
445
446	192	return ret;
447	192	}
448		#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
449
450		/*
451		* Camellia-ECB block encryption/decryption
452		*/
453		int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
454		int mode,
455		const unsigned char input[16],
456		unsigned char output[16])
457	8.60k	{
458	8.60k	int NR;
459	8.60k	uint32_t *RK, X[4];
460	8.60k	if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
461	0	return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
462	0	}
463
464	8.60k	((void) mode);
465
466	8.60k	NR = ctx->nr;
467	8.60k	RK = ctx->rk;
468
469	8.60k	X[0] = MBEDTLS_GET_UINT32_BE(input, 0);
470	8.60k	X[1] = MBEDTLS_GET_UINT32_BE(input, 4);
471	8.60k	X[2] = MBEDTLS_GET_UINT32_BE(input, 8);
472	8.60k	X[3] = MBEDTLS_GET_UINT32_BE(input, 12);
473
474	8.60k	X[0] ^= *RK++;
475	8.60k	X[1] ^= *RK++;
476	8.60k	X[2] ^= *RK++;
477	8.60k	X[3] ^= *RK++;
478
479	36.7k	while (NR) {
480	28.1k	--NR;
481	28.1k	camellia_feistel(X, RK, X + 2);
482	28.1k	RK += 2;
483	28.1k	camellia_feistel(X + 2, RK, X);
484	28.1k	RK += 2;
485	28.1k	camellia_feistel(X, RK, X + 2);
486	28.1k	RK += 2;
487	28.1k	camellia_feistel(X + 2, RK, X);
488	28.1k	RK += 2;
489	28.1k	camellia_feistel(X, RK, X + 2);
490	28.1k	RK += 2;
491	28.1k	camellia_feistel(X + 2, RK, X);
492	28.1k	RK += 2;
493
494	28.1k	if (NR) {
495	19.5k	FL(X[0], X[1], RK[0], RK[1]);
496	19.5k	RK += 2;
497	19.5k	FLInv(X[2], X[3], RK[0], RK[1]);
498	19.5k	RK += 2;
499	19.5k	}
500	28.1k	}
501
502	8.60k	X[2] ^= *RK++;
503	8.60k	X[3] ^= *RK++;
504	8.60k	X[0] ^= *RK++;
505	8.60k	X[1] ^= *RK++;
506
507	8.60k	MBEDTLS_PUT_UINT32_BE(X[2], output, 0);
508	8.60k	MBEDTLS_PUT_UINT32_BE(X[3], output, 4);
509	8.60k	MBEDTLS_PUT_UINT32_BE(X[0], output, 8);
510	8.60k	MBEDTLS_PUT_UINT32_BE(X[1], output, 12);
511
512	8.60k	return 0;
513	8.60k	}
514
515		#if defined(MBEDTLS_CIPHER_MODE_CBC)
516		/*
517		* Camellia-CBC buffer encryption/decryption
518		*/
519		int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
520		int mode,
521		size_t length,
522		unsigned char iv[16],
523		const unsigned char *input,
524		unsigned char *output)
525	1.08k	{
526	1.08k	unsigned char temp[16];
527	1.08k	if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
528	0	return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
529	0	}
530
531	1.08k	if (length % 16) {
532	0	return MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH;
533	0	}
534
535	1.08k	if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
536	1.11k	while (length > 0) {
537	1.09k	memcpy(temp, input, 16);
538	1.09k	mbedtls_camellia_crypt_ecb(ctx, mode, input, output);
539
540	1.09k	mbedtls_xor(output, output, iv, 16);
541
542	1.09k	memcpy(iv, temp, 16);
543
544	1.09k	input += 16;
545	1.09k	output += 16;
546	1.09k	length -= 16;
547	1.09k	}
548	1.06k	} else {
549	4.35k	while (length > 0) {
550	3.28k	mbedtls_xor(output, input, iv, 16);
551
552	3.28k	mbedtls_camellia_crypt_ecb(ctx, mode, output, output);
553	3.28k	memcpy(iv, output, 16);
554
555	3.28k	input += 16;
556	3.28k	output += 16;
557	3.28k	length -= 16;
558	3.28k	}
559	1.06k	}
560
561	1.08k	return 0;
562	1.08k	}
563		#endif /* MBEDTLS_CIPHER_MODE_CBC */
564
565		#if defined(MBEDTLS_CIPHER_MODE_CFB)
566		/*
567		* Camellia-CFB128 buffer encryption/decryption
568		*/
569		int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
570		int mode,
571		size_t length,
572		size_t *iv_off,
573		unsigned char iv[16],
574		const unsigned char *input,
575		unsigned char *output)
576	0	{
577	0	int c;
578	0	size_t n;
579	0	if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
580	0	return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
581	0	}
582
583	0	n = *iv_off;
584	0	if (n >= 16) {
585	0	return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
586	0	}
587
588	0	if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
589	0	while (length--) {
590	0	if (n == 0) {
591	0	mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
592	0	}
593
594	0	c = *input++;
595	0	*output++ = (unsigned char) (c ^ iv[n]);
596	0	iv[n] = (unsigned char) c;
597
598	0	n = (n + 1) & 0x0F;
599	0	}
600	0	} else {
601	0	while (length--) {
602	0	if (n == 0) {
603	0	mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
604	0	}
605
606	0	iv[n] = output++ = (unsigned char) (iv[n] ^ input++);
607
608	0	n = (n + 1) & 0x0F;
609	0	}
610	0	}
611
612	0	*iv_off = n;
613
614	0	return 0;
615	0	}
616		#endif /* MBEDTLS_CIPHER_MODE_CFB */
617
618		#if defined(MBEDTLS_CIPHER_MODE_CTR)
619		/*
620		* Camellia-CTR buffer encryption/decryption
621		*/
622		int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
623		size_t length,
624		size_t *nc_off,
625		unsigned char nonce_counter[16],
626		unsigned char stream_block[16],
627		const unsigned char *input,
628		unsigned char *output)
629	0	{
630	0	int c, i;
631	0	size_t n;
632
633	0	n = *nc_off;
634	0	if (n >= 16) {
635	0	return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
636	0	}
637
638	0	while (length--) {
639	0	if (n == 0) {
640	0	mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
641	0	stream_block);
642
643	0	for (i = 16; i > 0; i--) {
644	0	if (++nonce_counter[i - 1] != 0) {
645	0	break;
646	0	}
647	0	}
648	0	}
649	0	c = *input++;
650	0	*output++ = (unsigned char) (c ^ stream_block[n]);
651
652	0	n = (n + 1) & 0x0F;
653	0	}
654
655	0	*nc_off = n;
656
657	0	return 0;
658	0	}
659		#endif /* MBEDTLS_CIPHER_MODE_CTR */
660		#endif /* !MBEDTLS_CAMELLIA_ALT */
661
662		#if defined(MBEDTLS_SELF_TEST)
663
664		/*
665		* Camellia test vectors from:
666		*
667		* http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
668		* http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
669		* http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
670		* (For each bitlength: Key 0, Nr 39)
671		*/
672	0	#define CAMELLIA_TESTS_ECB 2
673
674		static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
675		{
676		{
677		{ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
678		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
679		{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
680		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
681		},
682		{
683		{ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
684		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
685		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
686		{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
687		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
688		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
689		},
690		{
691		{ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
692		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
693		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
694		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
695		{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
696		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
697		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
698		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
699		},
700		};
701
702		static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
703		{
704		{ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
705		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
706		{ 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
707		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
708		};
709
710		static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
711		{
712		{
713		{ 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
714		0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
715		{ 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
716		0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
717		},
718		{
719		{ 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
720		0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
721		{ 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
722		0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
723		},
724		{
725		{ 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
726		0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
727		{ 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
728		0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
729		}
730		};
731
732		#if defined(MBEDTLS_CIPHER_MODE_CBC)
733	0	#define CAMELLIA_TESTS_CBC 3
734
735		static const unsigned char camellia_test_cbc_key[3][32] =
736		{
737		{ 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
738		0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
739		,
740		{ 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
741		0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
742		0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
743		,
744		{ 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
745		0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
746		0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
747		0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
748		};
749
750		static const unsigned char camellia_test_cbc_iv[16] =
751
752		{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
753		0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
754		;
755
756		static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
757		{
758		{ 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
759		0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
760		{ 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
761		0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
762		{ 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
763		0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
764
765		};
766
767		static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
768		{
769		{
770		{ 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
771		0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
772		{ 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
773		0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
774		{ 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
775		0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
776		},
777		{
778		{ 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
779		0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
780		{ 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
781		0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
782		{ 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
783		0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
784		},
785		{
786		{ 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
787		0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
788		{ 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
789		0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
790		{ 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
791		0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
792		}
793		};
794		#endif /* MBEDTLS_CIPHER_MODE_CBC */
795
796		#if defined(MBEDTLS_CIPHER_MODE_CTR)
797		/*
798		* Camellia-CTR test vectors from:
799		*
800		* http://www.faqs.org/rfcs/rfc5528.html
801		*/
802
803		static const unsigned char camellia_test_ctr_key[3][16] =
804		{
805		{ 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
806		0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
807		{ 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
808		0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
809		{ 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
810		0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
811		};
812
813		static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
814		{
815		{ 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
816		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
817		{ 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
818		0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
819		{ 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
820		0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
821		};
822
823		static const unsigned char camellia_test_ctr_pt[3][48] =
824		{
825		{ 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
826		0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
827
828		{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
829		0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
830		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
831		0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
832
833		{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
834		0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
835		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
836		0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
837		0x20, 0x21, 0x22, 0x23 }
838		};
839
840		static const unsigned char camellia_test_ctr_ct[3][48] =
841		{
842		{ 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
843		0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
844		{ 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
845		0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
846		0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
847		0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
848		{ 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
849		0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
850		0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
851		0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
852		0xDF, 0x50, 0x86, 0x96 }
853		};
854
855		static const int camellia_test_ctr_len[3] =
856		{ 16, 32, 36 };
857		#endif /* MBEDTLS_CIPHER_MODE_CTR */
858
859		/*
860		* Checkup routine
861		*/
862		int mbedtls_camellia_self_test(int verbose)
863	0	{
864	0	int i, j, u, v;
865	0	unsigned char key[32];
866	0	unsigned char buf[64];
867	0	unsigned char src[16];
868	0	unsigned char dst[16];
869	0	#if defined(MBEDTLS_CIPHER_MODE_CBC)
870	0	unsigned char iv[16];
871	0	#endif
872	0	#if defined(MBEDTLS_CIPHER_MODE_CTR)
873	0	size_t offset, len;
874	0	unsigned char nonce_counter[16];
875	0	unsigned char stream_block[16];
876	0	#endif
877	0	int ret = 1;
878
879	0	mbedtls_camellia_context ctx;
880
881	0	mbedtls_camellia_init(&ctx);
882	0	memset(key, 0, 32);
883
884	0	for (j = 0; j < 6; j++) {
885	0	u = j >> 1;
886	0	v = j & 1;
887
888	0	if (verbose != 0) {
889	0	mbedtls_printf(" CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
890	0	(v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
891	0	}
892
893		#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
894		if (v == MBEDTLS_CAMELLIA_DECRYPT) {
895		if (verbose != 0) {
896		mbedtls_printf("skipped\n");
897		}
898		continue;
899		}
900		#endif
901
902	0	for (i = 0; i < CAMELLIA_TESTS_ECB; i++) {
903	0	memcpy(key, camellia_test_ecb_key[u][i], 16 + 8 * u);
904
905	0	#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
906	0	if (v == MBEDTLS_CAMELLIA_DECRYPT) {
907	0	mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
908	0	memcpy(src, camellia_test_ecb_cipher[u][i], 16);
909	0	memcpy(dst, camellia_test_ecb_plain[i], 16);
910	0	} else
911	0	#endif
912	0	{ /* MBEDTLS_CAMELLIA_ENCRYPT */
913	0	mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
914	0	memcpy(src, camellia_test_ecb_plain[i], 16);
915	0	memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
916	0	}
917
918	0	mbedtls_camellia_crypt_ecb(&ctx, v, src, buf);
919
920	0	if (memcmp(buf, dst, 16) != 0) {
921	0	if (verbose != 0) {
922	0	mbedtls_printf("failed\n");
923	0	}
924	0	goto exit;
925	0	}
926	0	}
927
928	0	if (verbose != 0) {
929	0	mbedtls_printf("passed\n");
930	0	}
931	0	}
932
933	0	if (verbose != 0) {
934	0	mbedtls_printf("\n");
935	0	}
936
937	0	#if defined(MBEDTLS_CIPHER_MODE_CBC)
938		/*
939		* CBC mode
940		*/
941	0	for (j = 0; j < 6; j++) {
942	0	u = j >> 1;
943	0	v = j & 1;
944
945	0	if (verbose != 0) {
946	0	mbedtls_printf(" CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
947	0	(v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
948	0	}
949
950	0	memcpy(src, camellia_test_cbc_iv, 16);
951	0	memcpy(dst, camellia_test_cbc_iv, 16);
952	0	memcpy(key, camellia_test_cbc_key[u], 16 + 8 * u);
953
954	0	if (v == MBEDTLS_CAMELLIA_DECRYPT) {
955	0	mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
956	0	} else {
957	0	mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
958	0	}
959
960	0	for (i = 0; i < CAMELLIA_TESTS_CBC; i++) {
961
962	0	if (v == MBEDTLS_CAMELLIA_DECRYPT) {
963	0	memcpy(iv, src, 16);
964	0	memcpy(src, camellia_test_cbc_cipher[u][i], 16);
965	0	memcpy(dst, camellia_test_cbc_plain[i], 16);
966	0	} else { /* MBEDTLS_CAMELLIA_ENCRYPT */
967	0	memcpy(iv, dst, 16);
968	0	memcpy(src, camellia_test_cbc_plain[i], 16);
969	0	memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
970	0	}
971
972	0	mbedtls_camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
973
974	0	if (memcmp(buf, dst, 16) != 0) {
975	0	if (verbose != 0) {
976	0	mbedtls_printf("failed\n");
977	0	}
978	0	goto exit;
979	0	}
980	0	}
981
982	0	if (verbose != 0) {
983	0	mbedtls_printf("passed\n");
984	0	}
985	0	}
986	0	#endif /* MBEDTLS_CIPHER_MODE_CBC */
987
988	0	if (verbose != 0) {
989	0	mbedtls_printf("\n");
990	0	}
991
992	0	#if defined(MBEDTLS_CIPHER_MODE_CTR)
993		/*
994		* CTR mode
995		*/
996	0	for (i = 0; i < 6; i++) {
997	0	u = i >> 1;
998	0	v = i & 1;
999
1000	0	if (verbose != 0) {
1001	0	mbedtls_printf(" CAMELLIA-CTR-128 (%s): ",
1002	0	(v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
1003	0	}
1004
1005	0	memcpy(nonce_counter, camellia_test_ctr_nonce_counter[u], 16);
1006	0	memcpy(key, camellia_test_ctr_key[u], 16);
1007
1008	0	offset = 0;
1009	0	mbedtls_camellia_setkey_enc(&ctx, key, 128);
1010
1011	0	if (v == MBEDTLS_CAMELLIA_DECRYPT) {
1012	0	len = camellia_test_ctr_len[u];
1013	0	memcpy(buf, camellia_test_ctr_ct[u], len);
1014
1015	0	mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1016	0	buf, buf);
1017
1018	0	if (memcmp(buf, camellia_test_ctr_pt[u], len) != 0) {
1019	0	if (verbose != 0) {
1020	0	mbedtls_printf("failed\n");
1021	0	}
1022	0	goto exit;
1023	0	}
1024	0	} else {
1025	0	len = camellia_test_ctr_len[u];
1026	0	memcpy(buf, camellia_test_ctr_pt[u], len);
1027
1028	0	mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1029	0	buf, buf);
1030
1031	0	if (memcmp(buf, camellia_test_ctr_ct[u], len) != 0) {
1032	0	if (verbose != 0) {
1033	0	mbedtls_printf("failed\n");
1034	0	}
1035	0	goto exit;
1036	0	}
1037	0	}
1038
1039	0	if (verbose != 0) {
1040	0	mbedtls_printf("passed\n");
1041	0	}
1042	0	}
1043
1044	0	if (verbose != 0) {
1045	0	mbedtls_printf("\n");
1046	0	}
1047	0	#endif /* MBEDTLS_CIPHER_MODE_CTR */
1048
1049	0	ret = 0;
1050
1051	0	exit:
1052	0	mbedtls_camellia_free(&ctx);
1053	0	return ret;
1054	0	}
1055
1056		#endif /* MBEDTLS_SELF_TEST */
1057
1058		#endif /* MBEDTLS_CAMELLIA_C */

Coverage Report

Created: 2025-07-23 07:08