Coverage Report

Created: 2025-07-01 06:54

/work/mbedtls-2.28.8/library/camellia.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  Camellia implementation
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7
/*
8
 *  The Camellia block cipher was designed by NTT and Mitsubishi Electric
9
 *  Corporation.
10
 *
11
 *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
12
 */
13
14
#include "common.h"
15
16
#if defined(MBEDTLS_CAMELLIA_C)
17
18
#include "mbedtls/camellia.h"
19
#include "mbedtls/platform_util.h"
20
21
#include <string.h>
22
23
#include "mbedtls/platform.h"
24
25
#if !defined(MBEDTLS_CAMELLIA_ALT)
26
27
/* Parameter validation macros */
28
#define CAMELLIA_VALIDATE_RET(cond)                                       \
29
0
    MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA)
30
#define CAMELLIA_VALIDATE(cond)                                           \
31
0
    MBEDTLS_INTERNAL_VALIDATE(cond)
32
33
static const unsigned char SIGMA_CHARS[6][8] =
34
{
35
    { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
36
    { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
37
    { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
38
    { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
39
    { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
40
    { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
41
};
42
43
#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
44
45
static const unsigned char FSb[256] =
46
{
47
    112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
48
    35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
49
    134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
50
    166, 225, 57, 202, 213, 71, 93, 61, 217,  1, 90, 214, 81, 86, 108, 77,
51
    139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
52
    223, 76, 203, 194, 52, 126, 118,  5, 109, 183, 169, 49, 209, 23,  4, 215,
53
    20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
54
    254, 68, 207, 178, 195, 181, 122, 145, 36,  8, 232, 168, 96, 252, 105, 80,
55
    170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
56
    16, 196,  0, 72, 163, 247, 117, 219, 138,  3, 230, 218,  9, 63, 221, 148,
57
    135, 92, 131,  2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
58
    82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
59
    233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
60
    120, 152,  6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
61
    114,  7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
62
    64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
63
};
64
65
#define SBOX1(n) FSb[(n)]
66
#define SBOX2(n) (unsigned char) ((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
67
#define SBOX3(n) (unsigned char) ((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
68
#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
69
70
#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
71
72
static const unsigned char FSb[256] =
73
{
74
    112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
75
    35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
76
    134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
77
    166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
78
    139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
79
    223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
80
    20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
81
    254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
82
    170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
83
    16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
84
    135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
85
    82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
86
    233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
87
    120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
88
    114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
89
    64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
90
};
91
92
static const unsigned char FSb2[256] =
93
{
94
    224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
95
    70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
96
    13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
97
    77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
98
    23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
99
    191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
100
    40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
101
    253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
102
    85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
103
    32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
104
    15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
105
    164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
106
    211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
107
    240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
108
    228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
109
    128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
110
};
111
112
static const unsigned char FSb3[256] =
113
{
114
    56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
115
    145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
116
    67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
117
    83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
118
    197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
119
    239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
120
    10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
121
    127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
122
    85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
123
    8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
124
    195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
125
    41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
126
    244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
127
    60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
128
    57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
129
    32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
130
};
131
132
static const unsigned char FSb4[256] =
133
{
134
    112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
135
    134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
136
    139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
137
    20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
138
    170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
139
    135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
140
    233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
141
    114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
142
    130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
143
    184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
144
    13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
145
    88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
146
    208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
147
    92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
148
    121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
149
    7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
150
};
151
152
0
#define SBOX1(n) FSb[(n)]
153
0
#define SBOX2(n) FSb2[(n)]
154
0
#define SBOX3(n) FSb3[(n)]
155
0
#define SBOX4(n) FSb4[(n)]
156
157
#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
158
159
static const unsigned char shifts[2][4][4] =
160
{
161
    {
162
        { 1, 1, 1, 1 }, /* KL */
163
        { 0, 0, 0, 0 }, /* KR */
164
        { 1, 1, 1, 1 }, /* KA */
165
        { 0, 0, 0, 0 }  /* KB */
166
    },
167
    {
168
        { 1, 0, 1, 1 }, /* KL */
169
        { 1, 1, 0, 1 }, /* KR */
170
        { 1, 1, 1, 0 }, /* KA */
171
        { 1, 1, 0, 1 }  /* KB */
172
    }
173
};
174
175
static const signed char indexes[2][4][20] =
176
{
177
    {
178
        {  0,  1,  2,  3,  8,  9, 10, 11, 38, 39,
179
           36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
180
        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
181
          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
182
        {  4,  5,  6,  7, 12, 13, 14, 15, 16, 17,
183
           18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
184
        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
185
          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }  /* KB -> RK */
186
    },
187
    {
188
        {  0,  1,  2,  3, 61, 62, 63, 60, -1, -1,
189
           -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
190
        { -1, -1, -1, -1,  8,  9, 10, 11, 16, 17,
191
          18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
192
        { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
193
          56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
194
        {  4,  5,  6,  7, 65, 66, 67, 64, 20, 21,
195
           22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
196
    }
197
};
198
199
static const signed char transposes[2][20] =
200
{
201
    {
202
        21, 22, 23, 20,
203
        -1, -1, -1, -1,
204
        18, 19, 16, 17,
205
        11,  8,  9, 10,
206
        15, 12, 13, 14
207
    },
208
    {
209
        25, 26, 27, 24,
210
        29, 30, 31, 28,
211
        18, 19, 16, 17,
212
        -1, -1, -1, -1,
213
        -1, -1, -1, -1
214
    }
215
};
216
217
/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
218
#define ROTL(DEST, SRC, SHIFT)                                      \
219
0
    {                                                                   \
220
0
        (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
221
0
        (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
222
0
        (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
223
0
        (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
224
0
    }
225
226
#define FL(XL, XR, KL, KR)                                          \
227
0
    {                                                                   \
228
0
        (XR) = ((((XL) &(KL)) << 1) | (((XL) &(KL)) >> 31)) ^ (XR);   \
229
0
        (XL) = ((XR) | (KR)) ^ (XL);                                    \
230
0
    }
231
232
#define FLInv(YL, YR, KL, KR)                                       \
233
0
    {                                                                   \
234
0
        (YL) = ((YR) | (KR)) ^ (YL);                                    \
235
0
        (YR) = ((((YL) &(KL)) << 1) | (((YL) &(KL)) >> 31)) ^ (YR);   \
236
0
    }
237
238
#define SHIFT_AND_PLACE(INDEX, OFFSET)                      \
239
0
    {                                                           \
240
0
        TK[0] = KC[(OFFSET) * 4 + 0];                           \
241
0
        TK[1] = KC[(OFFSET) * 4 + 1];                           \
242
0
        TK[2] = KC[(OFFSET) * 4 + 2];                           \
243
0
        TK[3] = KC[(OFFSET) * 4 + 3];                           \
244
0
                                                            \
245
0
        for (i = 1; i <= 4; i++)                               \
246
0
        if (shifts[(INDEX)][(OFFSET)][i -1])               \
247
0
        ROTL(TK + i * 4, TK, (15 * i) % 32);          \
248
0
                                                            \
249
0
        for (i = 0; i < 20; i++)                               \
250
0
        if (indexes[(INDEX)][(OFFSET)][i] != -1) {         \
251
0
            RK[indexes[(INDEX)][(OFFSET)][i]] = TK[i];    \
252
0
        }                                                   \
253
0
    }
254
255
static void camellia_feistel(const uint32_t x[2], const uint32_t k[2],
256
                             uint32_t z[2])
257
0
{
258
0
    uint32_t I0, I1;
259
0
    I0 = x[0] ^ k[0];
260
0
    I1 = x[1] ^ k[1];
261
262
0
    I0 = ((uint32_t) SBOX1(MBEDTLS_BYTE_3(I0)) << 24) |
263
0
         ((uint32_t) SBOX2(MBEDTLS_BYTE_2(I0)) << 16) |
264
0
         ((uint32_t) SBOX3(MBEDTLS_BYTE_1(I0)) <<  8) |
265
0
         ((uint32_t) SBOX4(MBEDTLS_BYTE_0(I0)));
266
0
    I1 = ((uint32_t) SBOX2(MBEDTLS_BYTE_3(I1)) << 24) |
267
0
         ((uint32_t) SBOX3(MBEDTLS_BYTE_2(I1)) << 16) |
268
0
         ((uint32_t) SBOX4(MBEDTLS_BYTE_1(I1)) <<  8) |
269
0
         ((uint32_t) SBOX1(MBEDTLS_BYTE_0(I1)));
270
271
0
    I0 ^= (I1 << 8) | (I1 >> 24);
272
0
    I1 ^= (I0 << 16) | (I0 >> 16);
273
0
    I0 ^= (I1 >> 8) | (I1 << 24);
274
0
    I1 ^= (I0 >> 8) | (I0 << 24);
275
276
0
    z[0] ^= I1;
277
0
    z[1] ^= I0;
278
0
}
279
280
void mbedtls_camellia_init(mbedtls_camellia_context *ctx)
281
0
{
282
0
    CAMELLIA_VALIDATE(ctx != NULL);
283
0
    memset(ctx, 0, sizeof(mbedtls_camellia_context));
284
0
}
285
286
void mbedtls_camellia_free(mbedtls_camellia_context *ctx)
287
0
{
288
0
    if (ctx == NULL) {
289
0
        return;
290
0
    }
291
292
0
    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_camellia_context));
293
0
}
294
295
/*
296
 * Camellia key schedule (encryption)
297
 */
298
int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
299
                                const unsigned char *key,
300
                                unsigned int keybits)
301
0
{
302
0
    int idx;
303
0
    size_t i;
304
0
    uint32_t *RK;
305
0
    unsigned char t[64];
306
0
    uint32_t SIGMA[6][2];
307
0
    uint32_t KC[16];
308
0
    uint32_t TK[20];
309
310
0
    CAMELLIA_VALIDATE_RET(ctx != NULL);
311
0
    CAMELLIA_VALIDATE_RET(key != NULL);
312
313
0
    RK = ctx->rk;
314
315
0
    memset(t, 0, 64);
316
0
    memset(RK, 0, sizeof(ctx->rk));
317
318
0
    switch (keybits) {
319
0
        case 128: ctx->nr = 3; idx = 0; break;
320
0
        case 192:
321
0
        case 256: ctx->nr = 4; idx = 1; break;
322
0
        default: return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
323
0
    }
324
325
0
    for (i = 0; i < keybits / 8; ++i) {
326
0
        t[i] = key[i];
327
0
    }
328
329
0
    if (keybits == 192) {
330
0
        for (i = 0; i < 8; i++) {
331
0
            t[24 + i] = ~t[16 + i];
332
0
        }
333
0
    }
334
335
    /*
336
     * Prepare SIGMA values
337
     */
338
0
    for (i = 0; i < 6; i++) {
339
0
        SIGMA[i][0] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 0);
340
0
        SIGMA[i][1] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 4);
341
0
    }
342
343
    /*
344
     * Key storage in KC
345
     * Order: KL, KR, KA, KB
346
     */
347
0
    memset(KC, 0, sizeof(KC));
348
349
    /* Store KL, KR */
350
0
    for (i = 0; i < 8; i++) {
351
0
        KC[i] = MBEDTLS_GET_UINT32_BE(t, i * 4);
352
0
    }
353
354
    /* Generate KA */
355
0
    for (i = 0; i < 4; ++i) {
356
0
        KC[8 + i] = KC[i] ^ KC[4 + i];
357
0
    }
358
359
0
    camellia_feistel(KC + 8, SIGMA[0], KC + 10);
360
0
    camellia_feistel(KC + 10, SIGMA[1], KC + 8);
361
362
0
    for (i = 0; i < 4; ++i) {
363
0
        KC[8 + i] ^= KC[i];
364
0
    }
365
366
0
    camellia_feistel(KC + 8, SIGMA[2], KC + 10);
367
0
    camellia_feistel(KC + 10, SIGMA[3], KC + 8);
368
369
0
    if (keybits > 128) {
370
        /* Generate KB */
371
0
        for (i = 0; i < 4; ++i) {
372
0
            KC[12 + i] = KC[4 + i] ^ KC[8 + i];
373
0
        }
374
375
0
        camellia_feistel(KC + 12, SIGMA[4], KC + 14);
376
0
        camellia_feistel(KC + 14, SIGMA[5], KC + 12);
377
0
    }
378
379
    /*
380
     * Generating subkeys
381
     */
382
383
    /* Manipulating KL */
384
0
    SHIFT_AND_PLACE(idx, 0);
385
386
    /* Manipulating KR */
387
0
    if (keybits > 128) {
388
0
        SHIFT_AND_PLACE(idx, 1);
389
0
    }
390
391
    /* Manipulating KA */
392
0
    SHIFT_AND_PLACE(idx, 2);
393
394
    /* Manipulating KB */
395
0
    if (keybits > 128) {
396
0
        SHIFT_AND_PLACE(idx, 3);
397
0
    }
398
399
    /* Do transpositions */
400
0
    for (i = 0; i < 20; i++) {
401
0
        if (transposes[idx][i] != -1) {
402
0
            RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
403
0
        }
404
0
    }
405
406
0
    return 0;
407
0
}
408
409
/*
410
 * Camellia key schedule (decryption)
411
 */
412
int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
413
                                const unsigned char *key,
414
                                unsigned int keybits)
415
0
{
416
0
    int idx, ret;
417
0
    size_t i;
418
0
    mbedtls_camellia_context cty;
419
0
    uint32_t *RK;
420
0
    uint32_t *SK;
421
0
    CAMELLIA_VALIDATE_RET(ctx != NULL);
422
0
    CAMELLIA_VALIDATE_RET(key != NULL);
423
424
0
    mbedtls_camellia_init(&cty);
425
426
    /* Also checks keybits */
427
0
    if ((ret = mbedtls_camellia_setkey_enc(&cty, key, keybits)) != 0) {
428
0
        goto exit;
429
0
    }
430
431
0
    ctx->nr = cty.nr;
432
0
    idx = (ctx->nr == 4);
433
434
0
    RK = ctx->rk;
435
0
    SK = cty.rk + 24 * 2 + 8 * idx * 2;
436
437
0
    *RK++ = *SK++;
438
0
    *RK++ = *SK++;
439
0
    *RK++ = *SK++;
440
0
    *RK++ = *SK++;
441
442
0
    for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4) {
443
0
        *RK++ = *SK++;
444
0
        *RK++ = *SK++;
445
0
    }
446
447
0
    SK -= 2;
448
449
0
    *RK++ = *SK++;
450
0
    *RK++ = *SK++;
451
0
    *RK++ = *SK++;
452
0
    *RK++ = *SK++;
453
454
0
exit:
455
0
    mbedtls_camellia_free(&cty);
456
457
0
    return ret;
458
0
}
459
460
/*
461
 * Camellia-ECB block encryption/decryption
462
 */
463
int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
464
                               int mode,
465
                               const unsigned char input[16],
466
                               unsigned char output[16])
467
0
{
468
0
    int NR;
469
0
    uint32_t *RK, X[4];
470
0
    CAMELLIA_VALIDATE_RET(ctx != NULL);
471
0
    CAMELLIA_VALIDATE_RET(mode == MBEDTLS_CAMELLIA_ENCRYPT ||
472
0
                          mode == MBEDTLS_CAMELLIA_DECRYPT);
473
0
    CAMELLIA_VALIDATE_RET(input  != NULL);
474
0
    CAMELLIA_VALIDATE_RET(output != NULL);
475
476
0
    ((void) mode);
477
478
0
    NR = ctx->nr;
479
0
    RK = ctx->rk;
480
481
0
    X[0] = MBEDTLS_GET_UINT32_BE(input,  0);
482
0
    X[1] = MBEDTLS_GET_UINT32_BE(input,  4);
483
0
    X[2] = MBEDTLS_GET_UINT32_BE(input,  8);
484
0
    X[3] = MBEDTLS_GET_UINT32_BE(input, 12);
485
486
0
    X[0] ^= *RK++;
487
0
    X[1] ^= *RK++;
488
0
    X[2] ^= *RK++;
489
0
    X[3] ^= *RK++;
490
491
0
    while (NR) {
492
0
        --NR;
493
0
        camellia_feistel(X, RK, X + 2);
494
0
        RK += 2;
495
0
        camellia_feistel(X + 2, RK, X);
496
0
        RK += 2;
497
0
        camellia_feistel(X, RK, X + 2);
498
0
        RK += 2;
499
0
        camellia_feistel(X + 2, RK, X);
500
0
        RK += 2;
501
0
        camellia_feistel(X, RK, X + 2);
502
0
        RK += 2;
503
0
        camellia_feistel(X + 2, RK, X);
504
0
        RK += 2;
505
506
0
        if (NR) {
507
0
            FL(X[0], X[1], RK[0], RK[1]);
508
0
            RK += 2;
509
0
            FLInv(X[2], X[3], RK[0], RK[1]);
510
0
            RK += 2;
511
0
        }
512
0
    }
513
514
0
    X[2] ^= *RK++;
515
0
    X[3] ^= *RK++;
516
0
    X[0] ^= *RK++;
517
0
    X[1] ^= *RK++;
518
519
0
    MBEDTLS_PUT_UINT32_BE(X[2], output,  0);
520
0
    MBEDTLS_PUT_UINT32_BE(X[3], output,  4);
521
0
    MBEDTLS_PUT_UINT32_BE(X[0], output,  8);
522
0
    MBEDTLS_PUT_UINT32_BE(X[1], output, 12);
523
524
0
    return 0;
525
0
}
526
527
#if defined(MBEDTLS_CIPHER_MODE_CBC)
528
/*
529
 * Camellia-CBC buffer encryption/decryption
530
 */
531
int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
532
                               int mode,
533
                               size_t length,
534
                               unsigned char iv[16],
535
                               const unsigned char *input,
536
                               unsigned char *output)
537
0
{
538
0
    int i;
539
0
    unsigned char temp[16];
540
0
    CAMELLIA_VALIDATE_RET(ctx != NULL);
541
0
    CAMELLIA_VALIDATE_RET(mode == MBEDTLS_CAMELLIA_ENCRYPT ||
542
0
                          mode == MBEDTLS_CAMELLIA_DECRYPT);
543
0
    CAMELLIA_VALIDATE_RET(iv != NULL);
544
0
    CAMELLIA_VALIDATE_RET(length == 0 || input  != NULL);
545
0
    CAMELLIA_VALIDATE_RET(length == 0 || output != NULL);
546
547
0
    if (length % 16) {
548
0
        return MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH;
549
0
    }
550
551
0
    if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
552
0
        while (length > 0) {
553
0
            memcpy(temp, input, 16);
554
0
            mbedtls_camellia_crypt_ecb(ctx, mode, input, output);
555
556
0
            for (i = 0; i < 16; i++) {
557
0
                output[i] = (unsigned char) (output[i] ^ iv[i]);
558
0
            }
559
560
0
            memcpy(iv, temp, 16);
561
562
0
            input  += 16;
563
0
            output += 16;
564
0
            length -= 16;
565
0
        }
566
0
    } else {
567
0
        while (length > 0) {
568
0
            for (i = 0; i < 16; i++) {
569
0
                output[i] = (unsigned char) (input[i] ^ iv[i]);
570
0
            }
571
572
0
            mbedtls_camellia_crypt_ecb(ctx, mode, output, output);
573
0
            memcpy(iv, output, 16);
574
575
0
            input  += 16;
576
0
            output += 16;
577
0
            length -= 16;
578
0
        }
579
0
    }
580
581
0
    return 0;
582
0
}
583
#endif /* MBEDTLS_CIPHER_MODE_CBC */
584
585
#if defined(MBEDTLS_CIPHER_MODE_CFB)
586
/*
587
 * Camellia-CFB128 buffer encryption/decryption
588
 */
589
int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
590
                                  int mode,
591
                                  size_t length,
592
                                  size_t *iv_off,
593
                                  unsigned char iv[16],
594
                                  const unsigned char *input,
595
                                  unsigned char *output)
596
0
{
597
0
    int c;
598
0
    size_t n;
599
0
    CAMELLIA_VALIDATE_RET(ctx != NULL);
600
0
    CAMELLIA_VALIDATE_RET(mode == MBEDTLS_CAMELLIA_ENCRYPT ||
601
0
                          mode == MBEDTLS_CAMELLIA_DECRYPT);
602
0
    CAMELLIA_VALIDATE_RET(iv     != NULL);
603
0
    CAMELLIA_VALIDATE_RET(iv_off != NULL);
604
0
    CAMELLIA_VALIDATE_RET(length == 0 || input  != NULL);
605
0
    CAMELLIA_VALIDATE_RET(length == 0 || output != NULL);
606
607
0
    n = *iv_off;
608
0
    if (n >= 16) {
609
0
        return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
610
0
    }
611
612
0
    if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
613
0
        while (length--) {
614
0
            if (n == 0) {
615
0
                mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
616
0
            }
617
618
0
            c = *input++;
619
0
            *output++ = (unsigned char) (c ^ iv[n]);
620
0
            iv[n] = (unsigned char) c;
621
622
0
            n = (n + 1) & 0x0F;
623
0
        }
624
0
    } else {
625
0
        while (length--) {
626
0
            if (n == 0) {
627
0
                mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
628
0
            }
629
630
0
            iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
631
632
0
            n = (n + 1) & 0x0F;
633
0
        }
634
0
    }
635
636
0
    *iv_off = n;
637
638
0
    return 0;
639
0
}
640
#endif /* MBEDTLS_CIPHER_MODE_CFB */
641
642
#if defined(MBEDTLS_CIPHER_MODE_CTR)
643
/*
644
 * Camellia-CTR buffer encryption/decryption
645
 */
646
int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
647
                               size_t length,
648
                               size_t *nc_off,
649
                               unsigned char nonce_counter[16],
650
                               unsigned char stream_block[16],
651
                               const unsigned char *input,
652
                               unsigned char *output)
653
0
{
654
0
    int c, i;
655
0
    size_t n;
656
0
    CAMELLIA_VALIDATE_RET(ctx != NULL);
657
0
    CAMELLIA_VALIDATE_RET(nonce_counter != NULL);
658
0
    CAMELLIA_VALIDATE_RET(stream_block  != NULL);
659
0
    CAMELLIA_VALIDATE_RET(nc_off != NULL);
660
0
    CAMELLIA_VALIDATE_RET(length == 0 || input  != NULL);
661
0
    CAMELLIA_VALIDATE_RET(length == 0 || output != NULL);
662
663
0
    n = *nc_off;
664
0
    if (n >= 16) {
665
0
        return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
666
0
    }
667
668
0
    while (length--) {
669
0
        if (n == 0) {
670
0
            mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
671
0
                                       stream_block);
672
673
0
            for (i = 16; i > 0; i--) {
674
0
                if (++nonce_counter[i - 1] != 0) {
675
0
                    break;
676
0
                }
677
0
            }
678
0
        }
679
0
        c = *input++;
680
0
        *output++ = (unsigned char) (c ^ stream_block[n]);
681
682
0
        n = (n + 1) & 0x0F;
683
0
    }
684
685
0
    *nc_off = n;
686
687
0
    return 0;
688
0
}
689
#endif /* MBEDTLS_CIPHER_MODE_CTR */
690
#endif /* !MBEDTLS_CAMELLIA_ALT */
691
692
#if defined(MBEDTLS_SELF_TEST)
693
694
/*
695
 * Camellia test vectors from:
696
 *
697
 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
698
 *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
699
 *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
700
 *                      (For each bitlength: Key 0, Nr 39)
701
 */
702
0
#define CAMELLIA_TESTS_ECB  2
703
704
static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
705
{
706
    {
707
        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
708
          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
709
        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
710
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
711
    },
712
    {
713
        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
714
          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
715
          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
716
        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
717
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
718
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
719
    },
720
    {
721
        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
722
          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
723
          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
724
          0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
725
        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
726
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
727
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
728
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
729
    },
730
};
731
732
static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
733
{
734
    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
735
      0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
736
    { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
737
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
738
};
739
740
static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
741
{
742
    {
743
        { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
744
          0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
745
        { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
746
          0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
747
    },
748
    {
749
        { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
750
          0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
751
        { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
752
          0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
753
    },
754
    {
755
        { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
756
          0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
757
        { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
758
          0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
759
    }
760
};
761
762
#if defined(MBEDTLS_CIPHER_MODE_CBC)
763
0
#define CAMELLIA_TESTS_CBC  3
764
765
static const unsigned char camellia_test_cbc_key[3][32] =
766
{
767
    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
768
      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
769
    ,
770
    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
771
      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
772
      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
773
    ,
774
    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
775
      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
776
      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
777
      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
778
};
779
780
static const unsigned char camellia_test_cbc_iv[16] =
781
782
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
783
  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
784
;
785
786
static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
787
{
788
    { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
789
      0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
790
    { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
791
      0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
792
    { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
793
      0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
794
795
};
796
797
static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
798
{
799
    {
800
        { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
801
          0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
802
        { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
803
          0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
804
        { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
805
          0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
806
    },
807
    {
808
        { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
809
          0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
810
        { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
811
          0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
812
        { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
813
          0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
814
    },
815
    {
816
        { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
817
          0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
818
        { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
819
          0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
820
        { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
821
          0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
822
    }
823
};
824
#endif /* MBEDTLS_CIPHER_MODE_CBC */
825
826
#if defined(MBEDTLS_CIPHER_MODE_CTR)
827
/*
828
 * Camellia-CTR test vectors from:
829
 *
830
 * http://www.faqs.org/rfcs/rfc5528.html
831
 */
832
833
static const unsigned char camellia_test_ctr_key[3][16] =
834
{
835
    { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
836
      0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
837
    { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
838
      0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
839
    { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
840
      0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
841
};
842
843
static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
844
{
845
    { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
846
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
847
    { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
848
      0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
849
    { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
850
      0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
851
};
852
853
static const unsigned char camellia_test_ctr_pt[3][48] =
854
{
855
    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
856
      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
857
858
    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
859
      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
860
      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
861
      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
862
863
    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
864
      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
865
      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
866
      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
867
      0x20, 0x21, 0x22, 0x23 }
868
};
869
870
static const unsigned char camellia_test_ctr_ct[3][48] =
871
{
872
    { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
873
      0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
874
    { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
875
      0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
876
      0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
877
      0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
878
    { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
879
      0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
880
      0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
881
      0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
882
      0xDF, 0x50, 0x86, 0x96 }
883
};
884
885
static const int camellia_test_ctr_len[3] =
886
{ 16, 32, 36 };
887
#endif /* MBEDTLS_CIPHER_MODE_CTR */
888
889
/*
890
 * Checkup routine
891
 */
892
int mbedtls_camellia_self_test(int verbose)
893
0
{
894
0
    int i, j, u, v;
895
0
    unsigned char key[32];
896
0
    unsigned char buf[64];
897
0
    unsigned char src[16];
898
0
    unsigned char dst[16];
899
0
#if defined(MBEDTLS_CIPHER_MODE_CBC)
900
0
    unsigned char iv[16];
901
0
#endif
902
0
#if defined(MBEDTLS_CIPHER_MODE_CTR)
903
0
    size_t offset, len;
904
0
    unsigned char nonce_counter[16];
905
0
    unsigned char stream_block[16];
906
0
#endif
907
0
    int ret = 1;
908
909
0
    mbedtls_camellia_context ctx;
910
911
0
    mbedtls_camellia_init(&ctx);
912
0
    memset(key, 0, 32);
913
914
0
    for (j = 0; j < 6; j++) {
915
0
        u = j >> 1;
916
0
        v = j & 1;
917
918
0
        if (verbose != 0) {
919
0
            mbedtls_printf("  CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
920
0
                           (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
921
0
        }
922
923
0
        for (i = 0; i < CAMELLIA_TESTS_ECB; i++) {
924
0
            memcpy(key, camellia_test_ecb_key[u][i], 16 + 8 * u);
925
926
0
            if (v == MBEDTLS_CAMELLIA_DECRYPT) {
927
0
                mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
928
0
                memcpy(src, camellia_test_ecb_cipher[u][i], 16);
929
0
                memcpy(dst, camellia_test_ecb_plain[i], 16);
930
0
            } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
931
0
                mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
932
0
                memcpy(src, camellia_test_ecb_plain[i], 16);
933
0
                memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
934
0
            }
935
936
0
            mbedtls_camellia_crypt_ecb(&ctx, v, src, buf);
937
938
0
            if (memcmp(buf, dst, 16) != 0) {
939
0
                if (verbose != 0) {
940
0
                    mbedtls_printf("failed\n");
941
0
                }
942
0
                goto exit;
943
0
            }
944
0
        }
945
946
0
        if (verbose != 0) {
947
0
            mbedtls_printf("passed\n");
948
0
        }
949
0
    }
950
951
0
    if (verbose != 0) {
952
0
        mbedtls_printf("\n");
953
0
    }
954
955
0
#if defined(MBEDTLS_CIPHER_MODE_CBC)
956
    /*
957
     * CBC mode
958
     */
959
0
    for (j = 0; j < 6; j++) {
960
0
        u = j >> 1;
961
0
        v = j  & 1;
962
963
0
        if (verbose != 0) {
964
0
            mbedtls_printf("  CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
965
0
                           (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
966
0
        }
967
968
0
        memcpy(src, camellia_test_cbc_iv, 16);
969
0
        memcpy(dst, camellia_test_cbc_iv, 16);
970
0
        memcpy(key, camellia_test_cbc_key[u], 16 + 8 * u);
971
972
0
        if (v == MBEDTLS_CAMELLIA_DECRYPT) {
973
0
            mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
974
0
        } else {
975
0
            mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
976
0
        }
977
978
0
        for (i = 0; i < CAMELLIA_TESTS_CBC; i++) {
979
980
0
            if (v == MBEDTLS_CAMELLIA_DECRYPT) {
981
0
                memcpy(iv, src, 16);
982
0
                memcpy(src, camellia_test_cbc_cipher[u][i], 16);
983
0
                memcpy(dst, camellia_test_cbc_plain[i], 16);
984
0
            } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
985
0
                memcpy(iv, dst, 16);
986
0
                memcpy(src, camellia_test_cbc_plain[i], 16);
987
0
                memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
988
0
            }
989
990
0
            mbedtls_camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
991
992
0
            if (memcmp(buf, dst, 16) != 0) {
993
0
                if (verbose != 0) {
994
0
                    mbedtls_printf("failed\n");
995
0
                }
996
0
                goto exit;
997
0
            }
998
0
        }
999
1000
0
        if (verbose != 0) {
1001
0
            mbedtls_printf("passed\n");
1002
0
        }
1003
0
    }
1004
0
#endif /* MBEDTLS_CIPHER_MODE_CBC */
1005
1006
0
    if (verbose != 0) {
1007
0
        mbedtls_printf("\n");
1008
0
    }
1009
1010
0
#if defined(MBEDTLS_CIPHER_MODE_CTR)
1011
    /*
1012
     * CTR mode
1013
     */
1014
0
    for (i = 0; i < 6; i++) {
1015
0
        u = i >> 1;
1016
0
        v = i  & 1;
1017
1018
0
        if (verbose != 0) {
1019
0
            mbedtls_printf("  CAMELLIA-CTR-128 (%s): ",
1020
0
                           (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
1021
0
        }
1022
1023
0
        memcpy(nonce_counter, camellia_test_ctr_nonce_counter[u], 16);
1024
0
        memcpy(key, camellia_test_ctr_key[u], 16);
1025
1026
0
        offset = 0;
1027
0
        mbedtls_camellia_setkey_enc(&ctx, key, 128);
1028
1029
0
        if (v == MBEDTLS_CAMELLIA_DECRYPT) {
1030
0
            len = camellia_test_ctr_len[u];
1031
0
            memcpy(buf, camellia_test_ctr_ct[u], len);
1032
1033
0
            mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1034
0
                                       buf, buf);
1035
1036
0
            if (memcmp(buf, camellia_test_ctr_pt[u], len) != 0) {
1037
0
                if (verbose != 0) {
1038
0
                    mbedtls_printf("failed\n");
1039
0
                }
1040
0
                goto exit;
1041
0
            }
1042
0
        } else {
1043
0
            len = camellia_test_ctr_len[u];
1044
0
            memcpy(buf, camellia_test_ctr_pt[u], len);
1045
1046
0
            mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
1047
0
                                       buf, buf);
1048
1049
0
            if (memcmp(buf, camellia_test_ctr_ct[u], len) != 0) {
1050
0
                if (verbose != 0) {
1051
0
                    mbedtls_printf("failed\n");
1052
0
                }
1053
0
                goto exit;
1054
0
            }
1055
0
        }
1056
1057
0
        if (verbose != 0) {
1058
0
            mbedtls_printf("passed\n");
1059
0
        }
1060
0
    }
1061
1062
0
    if (verbose != 0) {
1063
0
        mbedtls_printf("\n");
1064
0
    }
1065
0
#endif /* MBEDTLS_CIPHER_MODE_CTR */
1066
1067
0
    ret = 0;
1068
1069
0
exit:
1070
0
    mbedtls_camellia_free(&ctx);
1071
0
    return ret;
1072
0
}
1073
1074
#endif /* MBEDTLS_SELF_TEST */
1075
1076
#endif /* MBEDTLS_CAMELLIA_C */