search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ssl/tls: add proper const attributes to functions, context members
[tropicssl.git] / library / camellia.c
blobedbb8c248f4a6034b075aaf262583746e65ff490
1 /*
2 * Camellia implementation
3 *
4 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
5 *
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * * Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * * Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * * Neither the names of PolarSSL or XySSL nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
25 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
26 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
27 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
28 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
29 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
30 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
31 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 */
33 /*
34 * The Camellia block cipher was designed by NTT and Mitsubishi Electric
35 * Corporation.
36 *
37 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
38 */
39
40 #include "tropicssl/config.h"
41
42 #if defined(TROPICSSL_CAMELLIA_C)
43
44 #include "tropicssl/camellia.h"
45
46 #include <string.h>
47
48 /*
49 * 32-bit integer manipulation macros (big endian)
50 */
51 #ifndef GET_ULONG_BE
52 #define GET_ULONG_BE(n,b,i) \
53 { \
54 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
55 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
56 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
57 | ( (unsigned long) (b)[(i) + 3] ); \
58 }
59 #endif
60
61 #ifndef PUT_ULONG_BE
62 #define PUT_ULONG_BE(n,b,i) \
63 { \
64 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
65 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
66 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
67 (b)[(i) + 3] = (unsigned char) ( (n) ); \
68 }
69 #endif
70
71 static const unsigned char SIGMA_CHARS[6][8] = {
72 {0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b},
73 {0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2},
74 {0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe},
75 {0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c},
76 {0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d},
77 {0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd}
78 };
79
80 #ifdef TROPICSSL_CAMELLIA_SMALL_MEMORY
81
82 static const unsigned char FSb[256] = {
83 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174,
84 65,
85 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
86 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
87 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
88 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132,
89 153,
90 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
91 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
92 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105,
93 80,
94 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100,
95 210,
96 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
97 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191,
98 226,
99 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
100 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180,
101 89,
102 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141,
103 250,
104 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
105 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128,
106 158
107 };
108
109 #define SBOX1(n) FSb[(n)]
110 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
111 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
112 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
113
114 #else
115
116 static const unsigned char FSb[256] = {
117 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174,
118 65,
119 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
120 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
121 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
122 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132,
123 153,
124 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
125 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
126 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105,
127 80,
128 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100,
129 210,
130 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
131 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191,
132 226,
133 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
134 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180,
135 89,
136 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141,
137 250,
138 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
139 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128,
140 158
141 };
142
143 static const unsigned char FSb2[256] = {
144 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
145 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
146 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
147 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216,
148 154,
149 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
150 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8,
151 175,
152 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
153 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210,
154 160,
155 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
156 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
157 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
158 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
159 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105,
160 178,
161 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
162 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227,
163 73,
164 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
165 };
166
167 static const unsigned char FSb3[256] = {
168 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
169 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73,
170 222,
171 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
172 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54,
173 166,
174 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
175 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
176 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
177 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
178 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50,
179 105,
180 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
181 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223,
182 113,
183 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177,
184 23,
185 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90,
186 172,
187 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
188 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
189 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64,
190 79
191 };
192
193 static const unsigned char FSb4[256] = {
194 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29,
195 146,
196 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
197 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209,
198 4,
199 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
200 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
201 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19,
202 99,
203 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136,
204 141,
205 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119,
206 128,
207 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
208 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
209 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
210 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
211 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63,
212 148,
213 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
214 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162,
215 250,
216 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
217 };
218
219 #define SBOX1(n) FSb[(n)]
220 #define SBOX2(n) FSb2[(n)]
221 #define SBOX3(n) FSb3[(n)]
222 #define SBOX4(n) FSb4[(n)]
223
224 #endif
225
226 static const unsigned char shifts[2][4][4] = {
227 {
228 {1, 1, 1, 1}, /* KL */
229 {0, 0, 0, 0}, /* KR */
230 {1, 1, 1, 1}, /* KA */
231 {0, 0, 0, 0} /* KB */
232 },
233 {
234 {1, 0, 1, 1}, /* KL */
235 {1, 1, 0, 1}, /* KR */
236 {1, 1, 1, 0}, /* KA */
237 {1, 1, 0, 1} /* KB */
238 }
239 };
240
241 static const char indexes[2][4][20] = {
242 {
243 {
244 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
245 36, 37, 23, 20, 21, 22, 27, -1, -1, 26}, /* KL -> RK */
246 {
247 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
248 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1}, /* KR -> RK */
249 {
250 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
251 18, 19, -1, 24, 25, -1, 31, 28, 29, 30}, /* KA -> RK */
252 {
253 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
254 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1} /* KB -> RK */
255 },
256 {
257 {
258 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
259 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34}, /* KL -> RK */
260 {
261 -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
262 18, 19, -1, -1, -1, -1, 39, 36, 37, 38}, /* KR -> RK */
263 {
264 -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
265 56, 57, 31, 28, 29, 30, -1, -1, -1, -1}, /* KA -> RK */
266 {
267 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
268 22, 23, -1, -1, -1, -1, 43, 40, 41, 42} /* KB -> RK */
269 }
270 };
271
272 static const char transposes[2][20] = {
273 {
274 21, 22, 23, 20,
275 -1, -1, -1, -1,
276 18, 19, 16, 17,
277 11, 8, 9, 10,
278 15, 12, 13, 14},
279 {
280 25, 26, 27, 24,
281 29, 30, 31, 28,
282 18, 19, 16, 17,
283 -1, -1, -1, -1,
284 -1, -1, -1, -1}
285 };
286
287 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
288 #define ROTL(DEST, SRC, SHIFT) \
289 { \
290 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
291 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
292 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
293 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
294 }
295
296 #define FL(XL, XR, KL, KR) \
297 { \
298 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
299 (XL) = ((XR) | (KR)) ^ (XL); \
300 }
301
302 #define FLInv(YL, YR, KL, KR) \
303 { \
304 (YL) = ((YR) | (KR)) ^ (YL); \
305 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
306 }
307
308 #define SHIFT_AND_PLACE(INDEX, OFFSET) \
309 { \
310 TK[0] = KC[(OFFSET) * 4 + 0]; \
311 TK[1] = KC[(OFFSET) * 4 + 1]; \
312 TK[2] = KC[(OFFSET) * 4 + 2]; \
313 TK[3] = KC[(OFFSET) * 4 + 3]; \
314 \
315 for ( i = 1; i <= 4; i++ ) \
316 if (shifts[(INDEX)][(OFFSET)][i -1]) \
317 ROTL(TK + i * 4, TK, (15 * i) % 32); \
318 \
319 for ( i = 0; i < 20; i++ ) \
320 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
321 RK[(int)indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
322 } \
323 }
324
325 static void camellia_feistel(const unsigned long x[2],
326 const unsigned long k[2], unsigned long z[2])
327 {
328 unsigned long I0, I1;
329 I0 = x[0] ^ k[0];
330 I1 = x[1] ^ k[1];
331
332 I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
333 (SBOX2((I0 >> 16) & 0xFF) << 16) |
334 (SBOX3((I0 >> 8) & 0xFF) << 8) | (SBOX4((I0) & 0xFF));
335 I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
336 (SBOX3((I1 >> 16) & 0xFF) << 16) |
337 (SBOX4((I1 >> 8) & 0xFF) << 8) | (SBOX1((I1) & 0xFF));
338
339 I0 ^= (I1 << 8) | (I1 >> 24);
340 I1 ^= (I0 << 16) | (I0 >> 16);
341 I0 ^= (I1 >> 8) | (I1 << 24);
342 I1 ^= (I0 >> 8) | (I0 << 24);
343
344 z[0] ^= I1;
345 z[1] ^= I0;
346 }
347
348 /*
349 * Camellia key schedule (encryption)
350 */
351 void camellia_setkey_enc(camellia_context * ctx, const unsigned char *key,
352 int keysize)
353 {
354 int i, idx;
355 unsigned long *RK;
356 unsigned char t[64];
357
358 RK = ctx->rk;
359
360 memset(t, 0, 64);
361 memset(RK, 0, sizeof(ctx->rk));
362
363 switch (keysize) {
364 case 128:
365 ctx->nr = 3;
366 idx = 0;
367 break;
368 case 192:
369 case 256:
370 ctx->nr = 4;
371 idx = 1;
372 break;
373 default:
374 return;
375 }
376
377 for (i = 0; i < keysize / 8; ++i)
378 t[i] = key[i];
379
380 if (keysize == 192) {
381 for (i = 0; i < 8; i++)
382 t[24 + i] = ~t[16 + i];
383 }
384
385 /*
386 * Prepare SIGMA values
387 */
388 unsigned long SIGMA[6][2];
389 for (i = 0; i < 6; i++) {
390 GET_ULONG_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
391 GET_ULONG_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
392 }
393
394 /*
395 * Key storage in KC
396 * Order: KL, KR, KA, KB
397 */
398 unsigned long KC[16];
399 memset(KC, 0, sizeof(KC));
400
401 /* Store KL, KR */
402 for (i = 0; i < 8; i++)
403 GET_ULONG_BE(KC[i], t, i * 4);
404
405 /* Generate KA */
406 for (i = 0; i < 4; ++i)
407 KC[8 + i] = KC[i] ^ KC[4 + i];
408
409 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
410 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
411
412 for (i = 0; i < 4; ++i)
413 KC[8 + i] ^= KC[i];
414
415 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
416 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
417
418 if (keysize > 128) {
419 /* Generate KB */
420 for (i = 0; i < 4; ++i)
421 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
422
423 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
424 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
425 }
426
427 /*
428 * Generating subkeys
429 */
430 unsigned long TK[20];
431
432 /* Manipulating KL */
433 SHIFT_AND_PLACE(idx, 0);
434
435 /* Manipulating KR */
436 if (keysize > 128) {
437 SHIFT_AND_PLACE(idx, 1);
438 }
439
440 /* Manipulating KA */
441 SHIFT_AND_PLACE(idx, 2);
442
443 /* Manipulating KB */
444 if (keysize > 128) {
445 SHIFT_AND_PLACE(idx, 3);
446 }
447
448 /* Do transpositions */
449 for (i = 0; i < 20; i++) {
450 if (transposes[idx][i] != -1) {
451 RK[32 + 12 * idx + i] = RK[(int)transposes[idx][i]];
452 }
453 }
454 }
455
456 /*
457 * Camellia key schedule (decryption)
458 */
459 void camellia_setkey_dec(camellia_context * ctx, const unsigned char *key,
460 int keysize)
461 {
462 int i, idx;
463 camellia_context cty;
464 unsigned long *RK;
465 unsigned long *SK;
466
467 switch (keysize) {
468 case 128:
469 ctx->nr = 3;
470 idx = 0;
471 break;
472 case 192:
473 case 256:
474 ctx->nr = 4;
475 idx = 1;
476 break;
477 default:
478 return;
479 }
480
481 RK = ctx->rk;
482
483 camellia_setkey_enc(&cty, key, keysize);
484
485 SK = cty.rk + 24 * 2 + 8 * idx * 2;
486
487 *RK++ = *SK++;
488 *RK++ = *SK++;
489 *RK++ = *SK++;
490 *RK++ = *SK++;
491
492 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4) {
493 *RK++ = *SK++;
494 *RK++ = *SK++;
495 }
496
497 SK -= 2;
498
499 *RK++ = *SK++;
500 *RK++ = *SK++;
501 *RK++ = *SK++;
502 *RK++ = *SK++;
503
504 memset(&cty, 0, sizeof(camellia_context));
505 }
506
507 /*
508 * Camellia-ECB block encryption/decryption
509 */
510 void camellia_crypt_ecb(camellia_context * ctx,
511 int mode,
512 const unsigned char input[16],
513 unsigned char output[16])
514 {
515 int NR;
516 unsigned long *RK, X[4];
517
518 ((void)mode);
519
520 NR = ctx->nr;
521 RK = ctx->rk;
522
523 GET_ULONG_BE(X[0], input, 0);
524 GET_ULONG_BE(X[1], input, 4);
525 GET_ULONG_BE(X[2], input, 8);
526 GET_ULONG_BE(X[3], input, 12);
527
528 X[0] ^= *RK++;
529 X[1] ^= *RK++;
530 X[2] ^= *RK++;
531 X[3] ^= *RK++;
532
533 while (NR) {
534 --NR;
535 camellia_feistel(X, RK, X + 2);
536 RK += 2;
537 camellia_feistel(X + 2, RK, X);
538 RK += 2;
539 camellia_feistel(X, RK, X + 2);
540 RK += 2;
541 camellia_feistel(X + 2, RK, X);
542 RK += 2;
543 camellia_feistel(X, RK, X + 2);
544 RK += 2;
545 camellia_feistel(X + 2, RK, X);
546 RK += 2;
547
548 if (NR) {
549 FL(X[0], X[1], RK[0], RK[1]);
550 RK += 2;
551 FLInv(X[2], X[3], RK[0], RK[1]);
552 RK += 2;
553 }
554 }
555
556 X[2] ^= *RK++;
557 X[3] ^= *RK++;
558 X[0] ^= *RK++;
559 X[1] ^= *RK++;
560
561 PUT_ULONG_BE(X[2], output, 0);
562 PUT_ULONG_BE(X[3], output, 4);
563 PUT_ULONG_BE(X[0], output, 8);
564 PUT_ULONG_BE(X[1], output, 12);
565 }
566
567 /*
568 * Camellia-CBC buffer encryption/decryption
569 */
570 void camellia_crypt_cbc(camellia_context * ctx,
571 int mode,
572 int length,
573 unsigned char iv[16],
574 const unsigned char *input,
575 unsigned char *output)
576 {
577 int i;
578 unsigned char temp[16];
579
580 if (mode == CAMELLIA_DECRYPT) {
581 while (length > 0) {
582 memcpy(temp, input, 16);
583 camellia_crypt_ecb(ctx, mode, input, output);
584
585 for (i = 0; i < 16; i++)
586 output[i] = (unsigned char)(output[i] ^ iv[i]);
587
588 memcpy(iv, temp, 16);
589
590 input += 16;
591 output += 16;
592 length -= 16;
593 }
594 } else {
595 while (length > 0) {
596 for (i = 0; i < 16; i++)
597 output[i] = (unsigned char)(input[i] ^ iv[i]);
598
599 camellia_crypt_ecb(ctx, mode, output, output);
600 memcpy(iv, output, 16);
601
602 input += 16;
603 output += 16;
604 length -= 16;
605 }
606 }
607 }
608
609 /*
610 * Camellia-CFB128 buffer encryption/decryption
611 */
612 void camellia_crypt_cfb128(camellia_context * ctx,
613 int mode,
614 int length,
615 int *iv_off,
616 unsigned char iv[16],
617 const unsigned char *input,
618 unsigned char *output)
619 {
620 int c, n = *iv_off;
621
622 if (mode == CAMELLIA_DECRYPT) {
623 while (length--) {
624 if (n == 0)
625 camellia_crypt_ecb(ctx, CAMELLIA_ENCRYPT, iv,
626 iv);
627
628 c = *input++;
629 *output++ = (unsigned char)(c ^ iv[n]);
630 iv[n] = (unsigned char)c;
631
632 n = (n + 1) & 0x0F;
633 }
634 } else {
635 while (length--) {
636 if (n == 0)
637 camellia_crypt_ecb(ctx, CAMELLIA_ENCRYPT, iv,
638 iv);
639
640 iv[n] = *output++ = (unsigned char)(iv[n] ^ *input++);
641
642 n = (n + 1) & 0x0F;
643 }
644 }
645
646 *iv_off = n;
647 }
648
649 #if defined(TROPICSSL_SELF_TEST)
650
651 #include <stdio.h>
652
653 /*
654 * Camellia test vectors from:
655 *
656 * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
657 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
658 * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
659 * (For each bitlength: Key 0, Nr 39)
660 */
661 #define CAMELLIA_TESTS_ECB 2
662
663 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] = {
664 {
665 {
666 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
667 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
668 {
669 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
670 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
671 },
672 {
673 {
674 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
675 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
676 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77},
677 {
678 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
679 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
680 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
681 },
682 {
683 {
684 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
685 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
686 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
687 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff},
688 {
689 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
691 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
693 },
694 };
695
696 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] = {
697 {
698 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
699 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
700 {
701 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
703 };
704
705 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] = {
706 {
707 {
708 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
709 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43},
710 {
711 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
712 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31}
713 },
714 {
715 {
716 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
717 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9},
718 {
719 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
720 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64}
721 },
722 {
723 {
724 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
725 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09},
726 {
727 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
728 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35}
729 }
730 };
731
732 #define CAMELLIA_TESTS_CBC 3
733
734 static const unsigned char camellia_test_cbc_key[3][32] = {
735 {
736 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
737 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C}
738 ,
739 {
740 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
741 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
742 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B}
743 ,
744 {
745 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
746 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
747 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
748 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4}
749 };
750
751 static const unsigned char camellia_test_cbc_iv[16] = {
752 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
753 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
754 }
755
756 ;
757
758 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] = {
759 {
760 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
761 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A},
762 {
763 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
764 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51},
765 {
766 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
767 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF}
768
769 };
770
771 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] = {
772 {
773 {
774 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
775 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB},
776 {
777 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
778 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87},
779 {
780 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
781 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54}
782 },
783 {
784 {
785 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
786 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93},
787 {
788 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
789 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5},
790 {
791 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
792 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49}
793 },
794 {
795 {
796 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
797 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA},
798 {
799 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
800 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50},
801 {
802 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
803 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83}
804 }
805 };
806
807 /*
808 * Checkup routine
809 */
810 int camellia_self_test(int verbose)
811 {
812 int i, j, u, v;
813 unsigned char key[32];
814 unsigned char buf[64];
815 unsigned char src[16];
816 unsigned char dst[16];
817 unsigned char iv[16];
818 camellia_context ctx;
819
820 memset(key, 0, 32);
821
822 for (j = 0; j < 6; j++) {
823 u = j >> 1;
824 v = j & 1;
825
826 if (verbose != 0)
827 printf(" CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
828 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
829
830 for (i = 0; i < CAMELLIA_TESTS_ECB; i++) {
831 memcpy(key, camellia_test_ecb_key[u][i], 16 + 8 * u);
832
833 if (v == CAMELLIA_DECRYPT) {
834 camellia_setkey_dec(&ctx, key, 128 + u * 64);
835 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
836 memcpy(dst, camellia_test_ecb_plain[i], 16);
837 } else { /* CAMELLIA_ENCRYPT */
838 camellia_setkey_enc(&ctx, key, 128 + u * 64);
839 memcpy(src, camellia_test_ecb_plain[i], 16);
840 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
841 }
842
843 camellia_crypt_ecb(&ctx, v, src, buf);
844
845 if (memcmp(buf, dst, 16) != 0) {
846 if (verbose != 0)
847 printf("failed\n");
848
849 return (1);
850 }
851 }
852
853 if (verbose != 0)
854 printf("passed\n");
855 }
856
857 if (verbose != 0)
858 printf("\n");
859
860 /*
861 * CBC mode
862 */
863 for (j = 0; j < 6; j++) {
864 u = j >> 1;
865 v = j & 1;
866
867 if (verbose != 0)
868 printf(" CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
869 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
870
871 memcpy(src, camellia_test_cbc_iv, 16);
872 memcpy(dst, camellia_test_cbc_iv, 16);
873 memcpy(key, camellia_test_cbc_key[u], 16 + 8 * u);
874
875 if (v == CAMELLIA_DECRYPT) {
876 camellia_setkey_dec(&ctx, key, 128 + u * 64);
877 } else {
878 camellia_setkey_enc(&ctx, key, 128 + u * 64);
879 }
880
881 for (i = 0; i < CAMELLIA_TESTS_CBC; i++) {
882
883 if (v == CAMELLIA_DECRYPT) {
884 memcpy(iv, src, 16);
885 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
886 memcpy(dst, camellia_test_cbc_plain[i], 16);
887 } else { /* CAMELLIA_ENCRYPT */
888 memcpy(iv, dst, 16);
889 memcpy(src, camellia_test_cbc_plain[i], 16);
890 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
891 }
892
893 camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
894
895 if (memcmp(buf, dst, 16) != 0) {
896 if (verbose != 0)
897 printf("failed\n");
898
899 return (1);
900 }
901 }
902
903 if (verbose != 0)
904 printf("passed\n");
905 }
906
907 if (verbose != 0)
908 printf("\n");
909
910 return (0);
911 }
912
913 #endif
914
915 #endif
fork of last BSD polarssl