1/* 2 * Camellia implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7/* 8 * The Camellia block cipher was designed by NTT and Mitsubishi Electric 9 * Corporation. 10 * 11 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf 12 */ 13 14#include "common.h" 15 16#if defined(MBEDTLS_CAMELLIA_C) 17 18#include "mbedtls/camellia.h" 19#include "mbedtls/platform_util.h" 20 21#include <string.h> 22 23#include "mbedtls/platform.h" 24 25#if !defined(MBEDTLS_CAMELLIA_ALT) 26 27static const unsigned char SIGMA_CHARS[6][8] = 28{ 29 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b }, 30 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 }, 31 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe }, 32 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c }, 33 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d }, 34 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd } 35}; 36 37#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY) 38 39static const unsigned char FSb[256] = 40{ 41 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65, 42 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189, 43 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26, 44 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77, 45 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153, 46 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215, 47 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34, 48 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80, 49 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210, 50 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148, 51 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226, 52 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46, 53 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89, 54 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250, 55 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164, 56 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158 57}; 58 59#define SBOX1(n) FSb[(n)] 60#define SBOX2(n) (unsigned char) ((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff) 61#define SBOX3(n) (unsigned char) ((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff) 62#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff] 63 64#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ 65 66static const unsigned char FSb[256] = 67{ 68 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65, 69 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189, 70 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26, 71 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77, 72 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153, 73 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215, 74 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34, 75 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80, 76 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210, 77 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148, 78 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226, 79 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46, 80 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89, 81 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250, 82 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164, 83 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158 84}; 85 86static const unsigned char FSb2[256] = 87{ 88 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130, 89 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123, 90 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52, 91 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154, 92 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51, 93 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175, 94 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68, 95 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160, 96 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165, 97 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41, 98 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197, 99 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92, 100 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178, 101 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245, 102 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73, 103 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61 104}; 105 106static const unsigned char FSb3[256] = 107{ 108 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160, 109 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222, 110 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13, 111 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166, 112 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204, 113 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235, 114 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17, 115 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40, 116 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105, 117 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74, 118 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113, 119 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23, 120 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172, 121 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125, 122 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82, 123 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79 124}; 125 126static const unsigned char FSb4[256] = 127{ 128 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146, 129 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108, 130 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4, 131 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105, 132 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221, 133 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99, 134 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141, 135 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128, 136 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189, 137 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77, 138 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215, 139 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80, 140 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148, 141 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46, 142 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250, 143 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158 144}; 145 146#define SBOX1(n) FSb[(n)] 147#define SBOX2(n) FSb2[(n)] 148#define SBOX3(n) FSb3[(n)] 149#define SBOX4(n) FSb4[(n)] 150 151#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ 152 153static const unsigned char shifts[2][4][4] = 154{ 155 { 156 { 1, 1, 1, 1 }, /* KL */ 157 { 0, 0, 0, 0 }, /* KR */ 158 { 1, 1, 1, 1 }, /* KA */ 159 { 0, 0, 0, 0 } /* KB */ 160 }, 161 { 162 { 1, 0, 1, 1 }, /* KL */ 163 { 1, 1, 0, 1 }, /* KR */ 164 { 1, 1, 1, 0 }, /* KA */ 165 { 1, 1, 0, 1 } /* KB */ 166 } 167}; 168 169static const signed char indexes[2][4][20] = 170{ 171 { 172 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39, 173 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */ 174 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 175 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */ 176 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17, 177 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */ 178 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 179 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */ 180 }, 181 { 182 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1, 183 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */ 184 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17, 185 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */ 186 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59, 187 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */ 188 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21, 189 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */ 190 } 191}; 192 193static const signed char transposes[2][20] = 194{ 195 { 196 21, 22, 23, 20, 197 -1, -1, -1, -1, 198 18, 19, 16, 17, 199 11, 8, 9, 10, 200 15, 12, 13, 14 201 }, 202 { 203 25, 26, 27, 24, 204 29, 30, 31, 28, 205 18, 19, 16, 17, 206 -1, -1, -1, -1, 207 -1, -1, -1, -1 208 } 209}; 210 211/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */ 212#define ROTL(DEST, SRC, SHIFT) \ 213 { \ 214 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \ 215 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \ 216 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \ 217 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \ 218 } 219 220#define FL(XL, XR, KL, KR) \ 221 { \ 222 (XR) = ((((XL) &(KL)) << 1) | (((XL) &(KL)) >> 31)) ^ (XR); \ 223 (XL) = ((XR) | (KR)) ^ (XL); \ 224 } 225 226#define FLInv(YL, YR, KL, KR) \ 227 { \ 228 (YL) = ((YR) | (KR)) ^ (YL); \ 229 (YR) = ((((YL) &(KL)) << 1) | (((YL) &(KL)) >> 31)) ^ (YR); \ 230 } 231 232#define SHIFT_AND_PLACE(INDEX, OFFSET) \ 233 { \ 234 TK[0] = KC[(OFFSET) * 4 + 0]; \ 235 TK[1] = KC[(OFFSET) * 4 + 1]; \ 236 TK[2] = KC[(OFFSET) * 4 + 2]; \ 237 TK[3] = KC[(OFFSET) * 4 + 3]; \ 238 \ 239 for (i = 1; i <= 4; i++) \ 240 if (shifts[(INDEX)][(OFFSET)][i -1]) \ 241 ROTL(TK + i * 4, TK, (15 * i) % 32); \ 242 \ 243 for (i = 0; i < 20; i++) \ 244 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \ 245 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[i]; \ 246 } \ 247 } 248 249static void camellia_feistel(const uint32_t x[2], const uint32_t k[2], 250 uint32_t z[2]) 251{ 252 uint32_t I0, I1; 253 I0 = x[0] ^ k[0]; 254 I1 = x[1] ^ k[1]; 255 256 I0 = ((uint32_t) SBOX1(MBEDTLS_BYTE_3(I0)) << 24) | 257 ((uint32_t) SBOX2(MBEDTLS_BYTE_2(I0)) << 16) | 258 ((uint32_t) SBOX3(MBEDTLS_BYTE_1(I0)) << 8) | 259 ((uint32_t) SBOX4(MBEDTLS_BYTE_0(I0))); 260 I1 = ((uint32_t) SBOX2(MBEDTLS_BYTE_3(I1)) << 24) | 261 ((uint32_t) SBOX3(MBEDTLS_BYTE_2(I1)) << 16) | 262 ((uint32_t) SBOX4(MBEDTLS_BYTE_1(I1)) << 8) | 263 ((uint32_t) SBOX1(MBEDTLS_BYTE_0(I1))); 264 265 I0 ^= (I1 << 8) | (I1 >> 24); 266 I1 ^= (I0 << 16) | (I0 >> 16); 267 I0 ^= (I1 >> 8) | (I1 << 24); 268 I1 ^= (I0 >> 8) | (I0 << 24); 269 270 z[0] ^= I1; 271 z[1] ^= I0; 272} 273 274void mbedtls_camellia_init(mbedtls_camellia_context *ctx) 275{ 276 memset(ctx, 0, sizeof(mbedtls_camellia_context)); 277} 278 279void mbedtls_camellia_free(mbedtls_camellia_context *ctx) 280{ 281 if (ctx == NULL) { 282 return; 283 } 284 285 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_camellia_context)); 286} 287 288/* 289 * Camellia key schedule (encryption) 290 */ 291int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx, 292 const unsigned char *key, 293 unsigned int keybits) 294{ 295 int idx; 296 size_t i; 297 uint32_t *RK; 298 unsigned char t[64]; 299 uint32_t SIGMA[6][2]; 300 uint32_t KC[16]; 301 uint32_t TK[20]; 302 303 RK = ctx->rk; 304 305 memset(t, 0, 64); 306 memset(RK, 0, sizeof(ctx->rk)); 307 308 switch (keybits) { 309 case 128: ctx->nr = 3; idx = 0; break; 310 case 192: 311 case 256: ctx->nr = 4; idx = 1; break; 312 default: return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA; 313 } 314 315 for (i = 0; i < keybits / 8; ++i) { 316 t[i] = key[i]; 317 } 318 319 if (keybits == 192) { 320 for (i = 0; i < 8; i++) { 321 t[24 + i] = ~t[16 + i]; 322 } 323 } 324 325 /* 326 * Prepare SIGMA values 327 */ 328 for (i = 0; i < 6; i++) { 329 SIGMA[i][0] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 0); 330 SIGMA[i][1] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 4); 331 } 332 333 /* 334 * Key storage in KC 335 * Order: KL, KR, KA, KB 336 */ 337 memset(KC, 0, sizeof(KC)); 338 339 /* Store KL, KR */ 340 for (i = 0; i < 8; i++) { 341 KC[i] = MBEDTLS_GET_UINT32_BE(t, i * 4); 342 } 343 344 /* Generate KA */ 345 for (i = 0; i < 4; ++i) { 346 KC[8 + i] = KC[i] ^ KC[4 + i]; 347 } 348 349 camellia_feistel(KC + 8, SIGMA[0], KC + 10); 350 camellia_feistel(KC + 10, SIGMA[1], KC + 8); 351 352 for (i = 0; i < 4; ++i) { 353 KC[8 + i] ^= KC[i]; 354 } 355 356 camellia_feistel(KC + 8, SIGMA[2], KC + 10); 357 camellia_feistel(KC + 10, SIGMA[3], KC + 8); 358 359 if (keybits > 128) { 360 /* Generate KB */ 361 for (i = 0; i < 4; ++i) { 362 KC[12 + i] = KC[4 + i] ^ KC[8 + i]; 363 } 364 365 camellia_feistel(KC + 12, SIGMA[4], KC + 14); 366 camellia_feistel(KC + 14, SIGMA[5], KC + 12); 367 } 368 369 /* 370 * Generating subkeys 371 */ 372 373 /* Manipulating KL */ 374 SHIFT_AND_PLACE(idx, 0); 375 376 /* Manipulating KR */ 377 if (keybits > 128) { 378 SHIFT_AND_PLACE(idx, 1); 379 } 380 381 /* Manipulating KA */ 382 SHIFT_AND_PLACE(idx, 2); 383 384 /* Manipulating KB */ 385 if (keybits > 128) { 386 SHIFT_AND_PLACE(idx, 3); 387 } 388 389 /* Do transpositions */ 390 for (i = 0; i < 20; i++) { 391 if (transposes[idx][i] != -1) { 392 RK[32 + 12 * idx + i] = RK[transposes[idx][i]]; 393 } 394 } 395 396 return 0; 397} 398 399/* 400 * Camellia key schedule (decryption) 401 */ 402#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 403int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx, 404 const unsigned char *key, 405 unsigned int keybits) 406{ 407 int idx, ret; 408 size_t i; 409 mbedtls_camellia_context cty; 410 uint32_t *RK; 411 uint32_t *SK; 412 413 mbedtls_camellia_init(&cty); 414 415 /* Also checks keybits */ 416 if ((ret = mbedtls_camellia_setkey_enc(&cty, key, keybits)) != 0) { 417 goto exit; 418 } 419 420 ctx->nr = cty.nr; 421 idx = (ctx->nr == 4); 422 423 RK = ctx->rk; 424 SK = cty.rk + 24 * 2 + 8 * idx * 2; 425 426 *RK++ = *SK++; 427 *RK++ = *SK++; 428 *RK++ = *SK++; 429 *RK++ = *SK++; 430 431 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4) { 432 *RK++ = *SK++; 433 *RK++ = *SK++; 434 } 435 436 SK -= 2; 437 438 *RK++ = *SK++; 439 *RK++ = *SK++; 440 *RK++ = *SK++; 441 *RK++ = *SK++; 442 443exit: 444 mbedtls_camellia_free(&cty); 445 446 return ret; 447} 448#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */ 449 450/* 451 * Camellia-ECB block encryption/decryption 452 */ 453int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx, 454 int mode, 455 const unsigned char input[16], 456 unsigned char output[16]) 457{ 458 int NR; 459 uint32_t *RK, X[4]; 460 if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) { 461 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA; 462 } 463 464 ((void) mode); 465 466 NR = ctx->nr; 467 RK = ctx->rk; 468 469 X[0] = MBEDTLS_GET_UINT32_BE(input, 0); 470 X[1] = MBEDTLS_GET_UINT32_BE(input, 4); 471 X[2] = MBEDTLS_GET_UINT32_BE(input, 8); 472 X[3] = MBEDTLS_GET_UINT32_BE(input, 12); 473 474 X[0] ^= *RK++; 475 X[1] ^= *RK++; 476 X[2] ^= *RK++; 477 X[3] ^= *RK++; 478 479 while (NR) { 480 --NR; 481 camellia_feistel(X, RK, X + 2); 482 RK += 2; 483 camellia_feistel(X + 2, RK, X); 484 RK += 2; 485 camellia_feistel(X, RK, X + 2); 486 RK += 2; 487 camellia_feistel(X + 2, RK, X); 488 RK += 2; 489 camellia_feistel(X, RK, X + 2); 490 RK += 2; 491 camellia_feistel(X + 2, RK, X); 492 RK += 2; 493 494 if (NR) { 495 FL(X[0], X[1], RK[0], RK[1]); 496 RK += 2; 497 FLInv(X[2], X[3], RK[0], RK[1]); 498 RK += 2; 499 } 500 } 501 502 X[2] ^= *RK++; 503 X[3] ^= *RK++; 504 X[0] ^= *RK++; 505 X[1] ^= *RK++; 506 507 MBEDTLS_PUT_UINT32_BE(X[2], output, 0); 508 MBEDTLS_PUT_UINT32_BE(X[3], output, 4); 509 MBEDTLS_PUT_UINT32_BE(X[0], output, 8); 510 MBEDTLS_PUT_UINT32_BE(X[1], output, 12); 511 512 return 0; 513} 514 515#if defined(MBEDTLS_CIPHER_MODE_CBC) 516/* 517 * Camellia-CBC buffer encryption/decryption 518 */ 519int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx, 520 int mode, 521 size_t length, 522 unsigned char iv[16], 523 const unsigned char *input, 524 unsigned char *output) 525{ 526 unsigned char temp[16]; 527 if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) { 528 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA; 529 } 530 531 if (length % 16) { 532 return MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH; 533 } 534 535 if (mode == MBEDTLS_CAMELLIA_DECRYPT) { 536 while (length > 0) { 537 memcpy(temp, input, 16); 538 mbedtls_camellia_crypt_ecb(ctx, mode, input, output); 539 540 mbedtls_xor(output, output, iv, 16); 541 542 memcpy(iv, temp, 16); 543 544 input += 16; 545 output += 16; 546 length -= 16; 547 } 548 } else { 549 while (length > 0) { 550 mbedtls_xor(output, input, iv, 16); 551 552 mbedtls_camellia_crypt_ecb(ctx, mode, output, output); 553 memcpy(iv, output, 16); 554 555 input += 16; 556 output += 16; 557 length -= 16; 558 } 559 } 560 561 return 0; 562} 563#endif /* MBEDTLS_CIPHER_MODE_CBC */ 564 565#if defined(MBEDTLS_CIPHER_MODE_CFB) 566/* 567 * Camellia-CFB128 buffer encryption/decryption 568 */ 569int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx, 570 int mode, 571 size_t length, 572 size_t *iv_off, 573 unsigned char iv[16], 574 const unsigned char *input, 575 unsigned char *output) 576{ 577 int c; 578 size_t n; 579 if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) { 580 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA; 581 } 582 583 n = *iv_off; 584 if (n >= 16) { 585 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA; 586 } 587 588 if (mode == MBEDTLS_CAMELLIA_DECRYPT) { 589 while (length--) { 590 if (n == 0) { 591 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv); 592 } 593 594 c = *input++; 595 *output++ = (unsigned char) (c ^ iv[n]); 596 iv[n] = (unsigned char) c; 597 598 n = (n + 1) & 0x0F; 599 } 600 } else { 601 while (length--) { 602 if (n == 0) { 603 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv); 604 } 605 606 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++); 607 608 n = (n + 1) & 0x0F; 609 } 610 } 611 612 *iv_off = n; 613 614 return 0; 615} 616#endif /* MBEDTLS_CIPHER_MODE_CFB */ 617 618#if defined(MBEDTLS_CIPHER_MODE_CTR) 619/* 620 * Camellia-CTR buffer encryption/decryption 621 */ 622int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx, 623 size_t length, 624 size_t *nc_off, 625 unsigned char nonce_counter[16], 626 unsigned char stream_block[16], 627 const unsigned char *input, 628 unsigned char *output) 629{ 630 int c, i; 631 size_t n; 632 633 n = *nc_off; 634 if (n >= 16) { 635 return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA; 636 } 637 638 while (length--) { 639 if (n == 0) { 640 mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter, 641 stream_block); 642 643 for (i = 16; i > 0; i--) { 644 if (++nonce_counter[i - 1] != 0) { 645 break; 646 } 647 } 648 } 649 c = *input++; 650 *output++ = (unsigned char) (c ^ stream_block[n]); 651 652 n = (n + 1) & 0x0F; 653 } 654 655 *nc_off = n; 656 657 return 0; 658} 659#endif /* MBEDTLS_CIPHER_MODE_CTR */ 660#endif /* !MBEDTLS_CAMELLIA_ALT */ 661 662#if defined(MBEDTLS_SELF_TEST) 663 664/* 665 * Camellia test vectors from: 666 * 667 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html: 668 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt 669 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt 670 * (For each bitlength: Key 0, Nr 39) 671 */ 672#define CAMELLIA_TESTS_ECB 2 673 674static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] = 675{ 676 { 677 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 678 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 }, 679 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 680 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 681 }, 682 { 683 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 684 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 685 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 }, 686 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 687 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 688 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 689 }, 690 { 691 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 692 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 693 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 694 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff }, 695 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 696 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 697 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 698 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 699 }, 700}; 701 702static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] = 703{ 704 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 705 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 }, 706 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } 708}; 709 710static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] = 711{ 712 { 713 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73, 714 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 }, 715 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE, 716 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 } 717 }, 718 { 719 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8, 720 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 }, 721 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9, 722 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 } 723 }, 724 { 725 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c, 726 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 }, 727 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C, 728 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 } 729 } 730}; 731 732#if defined(MBEDTLS_CIPHER_MODE_CBC) 733#define CAMELLIA_TESTS_CBC 3 734 735static const unsigned char camellia_test_cbc_key[3][32] = 736{ 737 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 738 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C } 739 , 740 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 741 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 742 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B } 743 , 744 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 745 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 746 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 747 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 748}; 749 750static const unsigned char camellia_test_cbc_iv[16] = 751 752{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 753 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F } 754; 755 756static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] = 757{ 758 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 759 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A }, 760 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 761 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 }, 762 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 763 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF } 764 765}; 766 767static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] = 768{ 769 { 770 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0, 771 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB }, 772 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78, 773 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 }, 774 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B, 775 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 } 776 }, 777 { 778 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2, 779 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 }, 780 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42, 781 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 }, 782 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8, 783 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 } 784 }, 785 { 786 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A, 787 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA }, 788 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40, 789 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 }, 790 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA, 791 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 } 792 } 793}; 794#endif /* MBEDTLS_CIPHER_MODE_CBC */ 795 796#if defined(MBEDTLS_CIPHER_MODE_CTR) 797/* 798 * Camellia-CTR test vectors from: 799 * 800 * http://www.faqs.org/rfcs/rfc5528.html 801 */ 802 803static const unsigned char camellia_test_ctr_key[3][16] = 804{ 805 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 806 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 807 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 808 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 809 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 810 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 811}; 812 813static const unsigned char camellia_test_ctr_nonce_counter[3][16] = 814{ 815 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 817 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 818 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 819 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 820 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 821}; 822 823static const unsigned char camellia_test_ctr_pt[3][48] = 824{ 825 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 826 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 827 828 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 829 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 830 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 831 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 832 833 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 834 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 835 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 836 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 837 0x20, 0x21, 0x22, 0x23 } 838}; 839 840static const unsigned char camellia_test_ctr_ct[3][48] = 841{ 842 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A, 843 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F }, 844 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4, 845 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44, 846 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7, 847 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 }, 848 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88, 849 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73, 850 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1, 851 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD, 852 0xDF, 0x50, 0x86, 0x96 } 853}; 854 855static const int camellia_test_ctr_len[3] = 856{ 16, 32, 36 }; 857#endif /* MBEDTLS_CIPHER_MODE_CTR */ 858 859/* 860 * Checkup routine 861 */ 862int mbedtls_camellia_self_test(int verbose) 863{ 864 int i, j, u, v; 865 unsigned char key[32]; 866 unsigned char buf[64]; 867 unsigned char src[16]; 868 unsigned char dst[16]; 869#if defined(MBEDTLS_CIPHER_MODE_CBC) 870 unsigned char iv[16]; 871#endif 872#if defined(MBEDTLS_CIPHER_MODE_CTR) 873 size_t offset, len; 874 unsigned char nonce_counter[16]; 875 unsigned char stream_block[16]; 876#endif 877 int ret = 1; 878 879 mbedtls_camellia_context ctx; 880 881 mbedtls_camellia_init(&ctx); 882 memset(key, 0, 32); 883 884 for (j = 0; j < 6; j++) { 885 u = j >> 1; 886 v = j & 1; 887 888 if (verbose != 0) { 889 mbedtls_printf(" CAMELLIA-ECB-%3d (%s): ", 128 + u * 64, 890 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc"); 891 } 892 893#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 894 if (v == MBEDTLS_CAMELLIA_DECRYPT) { 895 if (verbose != 0) { 896 mbedtls_printf("skipped\n"); 897 } 898 continue; 899 } 900#endif 901 902 for (i = 0; i < CAMELLIA_TESTS_ECB; i++) { 903 memcpy(key, camellia_test_ecb_key[u][i], 16 + 8 * u); 904 905#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 906 if (v == MBEDTLS_CAMELLIA_DECRYPT) { 907 mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64); 908 memcpy(src, camellia_test_ecb_cipher[u][i], 16); 909 memcpy(dst, camellia_test_ecb_plain[i], 16); 910 } else 911#endif 912 { /* MBEDTLS_CAMELLIA_ENCRYPT */ 913 mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64); 914 memcpy(src, camellia_test_ecb_plain[i], 16); 915 memcpy(dst, camellia_test_ecb_cipher[u][i], 16); 916 } 917 918 mbedtls_camellia_crypt_ecb(&ctx, v, src, buf); 919 920 if (memcmp(buf, dst, 16) != 0) { 921 if (verbose != 0) { 922 mbedtls_printf("failed\n"); 923 } 924 goto exit; 925 } 926 } 927 928 if (verbose != 0) { 929 mbedtls_printf("passed\n"); 930 } 931 } 932 933 if (verbose != 0) { 934 mbedtls_printf("\n"); 935 } 936 937#if defined(MBEDTLS_CIPHER_MODE_CBC) 938 /* 939 * CBC mode 940 */ 941 for (j = 0; j < 6; j++) { 942 u = j >> 1; 943 v = j & 1; 944 945 if (verbose != 0) { 946 mbedtls_printf(" CAMELLIA-CBC-%3d (%s): ", 128 + u * 64, 947 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc"); 948 } 949 950 memcpy(src, camellia_test_cbc_iv, 16); 951 memcpy(dst, camellia_test_cbc_iv, 16); 952 memcpy(key, camellia_test_cbc_key[u], 16 + 8 * u); 953 954 if (v == MBEDTLS_CAMELLIA_DECRYPT) { 955 mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64); 956 } else { 957 mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64); 958 } 959 960 for (i = 0; i < CAMELLIA_TESTS_CBC; i++) { 961 962 if (v == MBEDTLS_CAMELLIA_DECRYPT) { 963 memcpy(iv, src, 16); 964 memcpy(src, camellia_test_cbc_cipher[u][i], 16); 965 memcpy(dst, camellia_test_cbc_plain[i], 16); 966 } else { /* MBEDTLS_CAMELLIA_ENCRYPT */ 967 memcpy(iv, dst, 16); 968 memcpy(src, camellia_test_cbc_plain[i], 16); 969 memcpy(dst, camellia_test_cbc_cipher[u][i], 16); 970 } 971 972 mbedtls_camellia_crypt_cbc(&ctx, v, 16, iv, src, buf); 973 974 if (memcmp(buf, dst, 16) != 0) { 975 if (verbose != 0) { 976 mbedtls_printf("failed\n"); 977 } 978 goto exit; 979 } 980 } 981 982 if (verbose != 0) { 983 mbedtls_printf("passed\n"); 984 } 985 } 986#endif /* MBEDTLS_CIPHER_MODE_CBC */ 987 988 if (verbose != 0) { 989 mbedtls_printf("\n"); 990 } 991 992#if defined(MBEDTLS_CIPHER_MODE_CTR) 993 /* 994 * CTR mode 995 */ 996 for (i = 0; i < 6; i++) { 997 u = i >> 1; 998 v = i & 1; 999 1000 if (verbose != 0) { 1001 mbedtls_printf(" CAMELLIA-CTR-128 (%s): ", 1002 (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc"); 1003 } 1004 1005 memcpy(nonce_counter, camellia_test_ctr_nonce_counter[u], 16); 1006 memcpy(key, camellia_test_ctr_key[u], 16); 1007 1008 offset = 0; 1009 mbedtls_camellia_setkey_enc(&ctx, key, 128); 1010 1011 if (v == MBEDTLS_CAMELLIA_DECRYPT) { 1012 len = camellia_test_ctr_len[u]; 1013 memcpy(buf, camellia_test_ctr_ct[u], len); 1014 1015 mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block, 1016 buf, buf); 1017 1018 if (memcmp(buf, camellia_test_ctr_pt[u], len) != 0) { 1019 if (verbose != 0) { 1020 mbedtls_printf("failed\n"); 1021 } 1022 goto exit; 1023 } 1024 } else { 1025 len = camellia_test_ctr_len[u]; 1026 memcpy(buf, camellia_test_ctr_pt[u], len); 1027 1028 mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block, 1029 buf, buf); 1030 1031 if (memcmp(buf, camellia_test_ctr_ct[u], len) != 0) { 1032 if (verbose != 0) { 1033 mbedtls_printf("failed\n"); 1034 } 1035 goto exit; 1036 } 1037 } 1038 1039 if (verbose != 0) { 1040 mbedtls_printf("passed\n"); 1041 } 1042 } 1043 1044 if (verbose != 0) { 1045 mbedtls_printf("\n"); 1046 } 1047#endif /* MBEDTLS_CIPHER_MODE_CTR */ 1048 1049 ret = 0; 1050 1051exit: 1052 mbedtls_camellia_free(&ctx); 1053 return ret; 1054} 1055 1056#endif /* MBEDTLS_SELF_TEST */ 1057 1058#endif /* MBEDTLS_CAMELLIA_C */ 1059