00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024
00025
00026
00027
00028
00029
00030
00031
00032 #include "polarssl/config.h"
00033
00034 #if defined(POLARSSL_CAMELLIA_C)
00035
00036 #include "polarssl/camellia.h"
00037
00038 #if !defined(POLARSSL_CAMELLIA_ALT)
00039
00040
00041
00042
00043 #ifndef GET_UINT32_BE
00044 #define GET_UINT32_BE(n,b,i) \
00045 { \
00046 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
00047 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
00048 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
00049 | ( (uint32_t) (b)[(i) + 3] ); \
00050 }
00051 #endif
00052
00053 #ifndef PUT_UINT32_BE
00054 #define PUT_UINT32_BE(n,b,i) \
00055 { \
00056 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
00057 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
00058 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
00059 (b)[(i) + 3] = (unsigned char) ( (n) ); \
00060 }
00061 #endif
00062
00063 static const unsigned char SIGMA_CHARS[6][8] =
00064 {
00065 { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
00066 { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
00067 { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
00068 { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
00069 { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
00070 { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
00071 };
00072
00073 #if defined(POLARSSL_CAMELLIA_SMALL_MEMORY)
00074
00075 static const unsigned char FSb[256] =
00076 {
00077 112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
00078 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
00079 134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
00080 166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
00081 139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
00082 223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
00083 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
00084 254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
00085 170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
00086 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
00087 135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
00088 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
00089 233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
00090 120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
00091 114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
00092 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
00093 };
00094
00095 #define SBOX1(n) FSb[(n)]
00096 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
00097 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
00098 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
00099
00100 #else
00101
00102 static const unsigned char FSb[256] =
00103 {
00104 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
00105 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
00106 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
00107 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
00108 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
00109 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
00110 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
00111 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
00112 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
00113 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
00114 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
00115 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
00116 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
00117 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
00118 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
00119 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
00120 };
00121
00122 static const unsigned char FSb2[256] =
00123 {
00124 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
00125 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
00126 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
00127 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
00128 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
00129 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
00130 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
00131 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
00132 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
00133 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
00134 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
00135 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
00136 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
00137 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
00138 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
00139 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
00140 };
00141
00142 static const unsigned char FSb3[256] =
00143 {
00144 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
00145 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
00146 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
00147 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
00148 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
00149 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
00150 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
00151 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
00152 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
00153 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
00154 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
00155 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
00156 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
00157 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
00158 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
00159 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
00160 };
00161
00162 static const unsigned char FSb4[256] =
00163 {
00164 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
00165 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
00166 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
00167 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
00168 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
00169 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
00170 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
00171 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
00172 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
00173 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
00174 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
00175 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
00176 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
00177 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
00178 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
00179 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
00180 };
00181
00182 #define SBOX1(n) FSb[(n)]
00183 #define SBOX2(n) FSb2[(n)]
00184 #define SBOX3(n) FSb3[(n)]
00185 #define SBOX4(n) FSb4[(n)]
00186
00187 #endif
00188
00189 static const unsigned char shifts[2][4][4] =
00190 {
00191 {
00192 { 1, 1, 1, 1 },
00193 { 0, 0, 0, 0 },
00194 { 1, 1, 1, 1 },
00195 { 0, 0, 0, 0 }
00196 },
00197 {
00198 { 1, 0, 1, 1 },
00199 { 1, 1, 0, 1 },
00200 { 1, 1, 1, 0 },
00201 { 1, 1, 0, 1 }
00202 }
00203 };
00204
00205 static const signed char indexes[2][4][20] =
00206 {
00207 {
00208 { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
00209 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 },
00210 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
00211 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 },
00212 { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
00213 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 },
00214 { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
00215 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }
00216 },
00217 {
00218 { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
00219 -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 },
00220 { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
00221 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 },
00222 { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
00223 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 },
00224 { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
00225 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 }
00226 }
00227 };
00228
00229 static const signed char transposes[2][20] =
00230 {
00231 {
00232 21, 22, 23, 20,
00233 -1, -1, -1, -1,
00234 18, 19, 16, 17,
00235 11, 8, 9, 10,
00236 15, 12, 13, 14
00237 },
00238 {
00239 25, 26, 27, 24,
00240 29, 30, 31, 28,
00241 18, 19, 16, 17,
00242 -1, -1, -1, -1,
00243 -1, -1, -1, -1
00244 }
00245 };
00246
00247
00248 #define ROTL(DEST, SRC, SHIFT) \
00249 { \
00250 (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
00251 (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
00252 (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
00253 (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
00254 }
00255
00256 #define FL(XL, XR, KL, KR) \
00257 { \
00258 (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
00259 (XL) = ((XR) | (KR)) ^ (XL); \
00260 }
00261
00262 #define FLInv(YL, YR, KL, KR) \
00263 { \
00264 (YL) = ((YR) | (KR)) ^ (YL); \
00265 (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
00266 }
00267
00268 #define SHIFT_AND_PLACE(INDEX, OFFSET) \
00269 { \
00270 TK[0] = KC[(OFFSET) * 4 + 0]; \
00271 TK[1] = KC[(OFFSET) * 4 + 1]; \
00272 TK[2] = KC[(OFFSET) * 4 + 2]; \
00273 TK[3] = KC[(OFFSET) * 4 + 3]; \
00274 \
00275 for ( i = 1; i <= 4; i++ ) \
00276 if (shifts[(INDEX)][(OFFSET)][i -1]) \
00277 ROTL(TK + i * 4, TK, (15 * i) % 32); \
00278 \
00279 for ( i = 0; i < 20; i++ ) \
00280 if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
00281 RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
00282 } \
00283 }
00284
00285 static void camellia_feistel(const uint32_t x[2], const uint32_t k[2], uint32_t z[2])
00286 {
00287 uint32_t I0, I1;
00288 I0 = x[0] ^ k[0];
00289 I1 = x[1] ^ k[1];
00290
00291 I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
00292 (SBOX2((I0 >> 16) & 0xFF) << 16) |
00293 (SBOX3((I0 >> 8) & 0xFF) << 8) |
00294 (SBOX4((I0 ) & 0xFF) );
00295 I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
00296 (SBOX3((I1 >> 16) & 0xFF) << 16) |
00297 (SBOX4((I1 >> 8) & 0xFF) << 8) |
00298 (SBOX1((I1 ) & 0xFF) );
00299
00300 I0 ^= (I1 << 8) | (I1 >> 24);
00301 I1 ^= (I0 << 16) | (I0 >> 16);
00302 I0 ^= (I1 >> 8) | (I1 << 24);
00303 I1 ^= (I0 >> 8) | (I0 << 24);
00304
00305 z[0] ^= I1;
00306 z[1] ^= I0;
00307 }
00308
00309
00310
00311
00312 int camellia_setkey_enc( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
00313 {
00314 int idx;
00315 size_t i;
00316 uint32_t *RK;
00317 unsigned char t[64];
00318 uint32_t SIGMA[6][2];
00319 uint32_t KC[16];
00320 uint32_t TK[20];
00321
00322 RK = ctx->rk;
00323
00324 memset(t, 0, 64);
00325 memset(RK, 0, sizeof(ctx->rk));
00326
00327 switch( keysize )
00328 {
00329 case 128: ctx->nr = 3; idx = 0; break;
00330 case 192:
00331 case 256: ctx->nr = 4; idx = 1; break;
00332 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
00333 }
00334
00335 for( i = 0; i < keysize / 8; ++i)
00336 t[i] = key[i];
00337
00338 if (keysize == 192) {
00339 for (i = 0; i < 8; i++)
00340 t[24 + i] = ~t[16 + i];
00341 }
00342
00343
00344
00345
00346 for (i = 0; i < 6; i++) {
00347 GET_UINT32_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
00348 GET_UINT32_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
00349 }
00350
00351
00352
00353
00354
00355 memset(KC, 0, sizeof(KC));
00356
00357
00358 for (i = 0; i < 8; i++)
00359 GET_UINT32_BE(KC[i], t, i * 4);
00360
00361
00362 for( i = 0; i < 4; ++i)
00363 KC[8 + i] = KC[i] ^ KC[4 + i];
00364
00365 camellia_feistel(KC + 8, SIGMA[0], KC + 10);
00366 camellia_feistel(KC + 10, SIGMA[1], KC + 8);
00367
00368 for( i = 0; i < 4; ++i)
00369 KC[8 + i] ^= KC[i];
00370
00371 camellia_feistel(KC + 8, SIGMA[2], KC + 10);
00372 camellia_feistel(KC + 10, SIGMA[3], KC + 8);
00373
00374 if (keysize > 128) {
00375
00376 for( i = 0; i < 4; ++i)
00377 KC[12 + i] = KC[4 + i] ^ KC[8 + i];
00378
00379 camellia_feistel(KC + 12, SIGMA[4], KC + 14);
00380 camellia_feistel(KC + 14, SIGMA[5], KC + 12);
00381 }
00382
00383
00384
00385
00386
00387
00388 SHIFT_AND_PLACE(idx, 0);
00389
00390
00391 if (keysize > 128) {
00392 SHIFT_AND_PLACE(idx, 1);
00393 }
00394
00395
00396 SHIFT_AND_PLACE(idx, 2);
00397
00398
00399 if (keysize > 128) {
00400 SHIFT_AND_PLACE(idx, 3);
00401 }
00402
00403
00404 for ( i = 0; i < 20; i++ ) {
00405 if (transposes[idx][i] != -1) {
00406 RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
00407 }
00408 }
00409
00410 return( 0 );
00411 }
00412
00413
00414
00415
00416 int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
00417 {
00418 int idx;
00419 size_t i;
00420 camellia_context cty;
00421 uint32_t *RK;
00422 uint32_t *SK;
00423 int ret;
00424
00425 switch( keysize )
00426 {
00427 case 128: ctx->nr = 3; idx = 0; break;
00428 case 192:
00429 case 256: ctx->nr = 4; idx = 1; break;
00430 default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
00431 }
00432
00433 RK = ctx->rk;
00434
00435 ret = camellia_setkey_enc(&cty, key, keysize);
00436 if( ret != 0 )
00437 return( ret );
00438
00439 SK = cty.rk + 24 * 2 + 8 * idx * 2;
00440
00441 *RK++ = *SK++;
00442 *RK++ = *SK++;
00443 *RK++ = *SK++;
00444 *RK++ = *SK++;
00445
00446 for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
00447 {
00448 *RK++ = *SK++;
00449 *RK++ = *SK++;
00450 }
00451
00452 SK -= 2;
00453
00454 *RK++ = *SK++;
00455 *RK++ = *SK++;
00456 *RK++ = *SK++;
00457 *RK++ = *SK++;
00458
00459 memset( &cty, 0, sizeof( camellia_context ) );
00460
00461 return( 0 );
00462 }
00463
00464
00465
00466
00467 int camellia_crypt_ecb( camellia_context *ctx,
00468 int mode,
00469 const unsigned char input[16],
00470 unsigned char output[16] )
00471 {
00472 int NR;
00473 uint32_t *RK, X[4];
00474
00475 ( (void) mode );
00476
00477 NR = ctx->nr;
00478 RK = ctx->rk;
00479
00480 GET_UINT32_BE( X[0], input, 0 );
00481 GET_UINT32_BE( X[1], input, 4 );
00482 GET_UINT32_BE( X[2], input, 8 );
00483 GET_UINT32_BE( X[3], input, 12 );
00484
00485 X[0] ^= *RK++;
00486 X[1] ^= *RK++;
00487 X[2] ^= *RK++;
00488 X[3] ^= *RK++;
00489
00490 while (NR) {
00491 --NR;
00492 camellia_feistel(X, RK, X + 2);
00493 RK += 2;
00494 camellia_feistel(X + 2, RK, X);
00495 RK += 2;
00496 camellia_feistel(X, RK, X + 2);
00497 RK += 2;
00498 camellia_feistel(X + 2, RK, X);
00499 RK += 2;
00500 camellia_feistel(X, RK, X + 2);
00501 RK += 2;
00502 camellia_feistel(X + 2, RK, X);
00503 RK += 2;
00504
00505 if (NR) {
00506 FL(X[0], X[1], RK[0], RK[1]);
00507 RK += 2;
00508 FLInv(X[2], X[3], RK[0], RK[1]);
00509 RK += 2;
00510 }
00511 }
00512
00513 X[2] ^= *RK++;
00514 X[3] ^= *RK++;
00515 X[0] ^= *RK++;
00516 X[1] ^= *RK++;
00517
00518 PUT_UINT32_BE( X[2], output, 0 );
00519 PUT_UINT32_BE( X[3], output, 4 );
00520 PUT_UINT32_BE( X[0], output, 8 );
00521 PUT_UINT32_BE( X[1], output, 12 );
00522
00523 return( 0 );
00524 }
00525
00526 #if defined(POLARSSL_CIPHER_MODE_CBC)
00527
00528
00529
00530 int camellia_crypt_cbc( camellia_context *ctx,
00531 int mode,
00532 size_t length,
00533 unsigned char iv[16],
00534 const unsigned char *input,
00535 unsigned char *output )
00536 {
00537 int i;
00538 unsigned char temp[16];
00539
00540 if( length % 16 )
00541 return( POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
00542
00543 if( mode == CAMELLIA_DECRYPT )
00544 {
00545 while( length > 0 )
00546 {
00547 memcpy( temp, input, 16 );
00548 camellia_crypt_ecb( ctx, mode, input, output );
00549
00550 for( i = 0; i < 16; i++ )
00551 output[i] = (unsigned char)( output[i] ^ iv[i] );
00552
00553 memcpy( iv, temp, 16 );
00554
00555 input += 16;
00556 output += 16;
00557 length -= 16;
00558 }
00559 }
00560 else
00561 {
00562 while( length > 0 )
00563 {
00564 for( i = 0; i < 16; i++ )
00565 output[i] = (unsigned char)( input[i] ^ iv[i] );
00566
00567 camellia_crypt_ecb( ctx, mode, output, output );
00568 memcpy( iv, output, 16 );
00569
00570 input += 16;
00571 output += 16;
00572 length -= 16;
00573 }
00574 }
00575
00576 return( 0 );
00577 }
00578 #endif
00579
00580 #if defined(POLARSSL_CIPHER_MODE_CFB)
00581
00582
00583
00584 int camellia_crypt_cfb128( camellia_context *ctx,
00585 int mode,
00586 size_t length,
00587 size_t *iv_off,
00588 unsigned char iv[16],
00589 const unsigned char *input,
00590 unsigned char *output )
00591 {
00592 int c;
00593 size_t n = *iv_off;
00594
00595 if( mode == CAMELLIA_DECRYPT )
00596 {
00597 while( length-- )
00598 {
00599 if( n == 0 )
00600 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
00601
00602 c = *input++;
00603 *output++ = (unsigned char)( c ^ iv[n] );
00604 iv[n] = (unsigned char) c;
00605
00606 n = (n + 1) & 0x0F;
00607 }
00608 }
00609 else
00610 {
00611 while( length-- )
00612 {
00613 if( n == 0 )
00614 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
00615
00616 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
00617
00618 n = (n + 1) & 0x0F;
00619 }
00620 }
00621
00622 *iv_off = n;
00623
00624 return( 0 );
00625 }
00626 #endif
00627
00628 #if defined(POLARSSL_CIPHER_MODE_CTR)
00629
00630
00631
00632 int camellia_crypt_ctr( camellia_context *ctx,
00633 size_t length,
00634 size_t *nc_off,
00635 unsigned char nonce_counter[16],
00636 unsigned char stream_block[16],
00637 const unsigned char *input,
00638 unsigned char *output )
00639 {
00640 int c, i;
00641 size_t n = *nc_off;
00642
00643 while( length-- )
00644 {
00645 if( n == 0 ) {
00646 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, nonce_counter, stream_block );
00647
00648 for( i = 16; i > 0; i-- )
00649 if( ++nonce_counter[i - 1] != 0 )
00650 break;
00651 }
00652 c = *input++;
00653 *output++ = (unsigned char)( c ^ stream_block[n] );
00654
00655 n = (n + 1) & 0x0F;
00656 }
00657
00658 *nc_off = n;
00659
00660 return( 0 );
00661 }
00662 #endif
00663 #endif
00664
00665 #if defined(POLARSSL_SELF_TEST)
00666
00667 #include <stdio.h>
00668
00669
00670
00671
00672
00673
00674
00675
00676
00677 #define CAMELLIA_TESTS_ECB 2
00678
00679 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
00680 {
00681 {
00682 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
00683 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
00684 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00685 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
00686 },
00687 {
00688 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
00689 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
00690 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
00691 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00693 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
00694 },
00695 {
00696 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
00697 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
00698 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
00699 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
00700 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00703 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
00704 },
00705 };
00706
00707 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
00708 {
00709 { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
00710 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
00711 { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
00712 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
00713 };
00714
00715 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
00716 {
00717 {
00718 { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
00719 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
00720 { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
00721 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
00722 },
00723 {
00724 { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
00725 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
00726 { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
00727 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
00728 },
00729 {
00730 { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
00731 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
00732 { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
00733 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
00734 }
00735 };
00736
00737 #if defined(POLARSSL_CIPHER_MODE_CBC)
00738 #define CAMELLIA_TESTS_CBC 3
00739
00740 static const unsigned char camellia_test_cbc_key[3][32] =
00741 {
00742 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
00743 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
00744 ,
00745 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
00746 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
00747 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
00748 ,
00749 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
00750 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
00751 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
00752 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
00753 };
00754
00755 static const unsigned char camellia_test_cbc_iv[16] =
00756
00757 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
00758 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
00759 ;
00760
00761 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
00762 {
00763 { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
00764 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
00765 { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
00766 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
00767 { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
00768 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
00769
00770 };
00771
00772 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
00773 {
00774 {
00775 { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
00776 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
00777 { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
00778 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
00779 { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
00780 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
00781 },
00782 {
00783 { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
00784 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
00785 { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
00786 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
00787 { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
00788 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
00789 },
00790 {
00791 { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
00792 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
00793 { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
00794 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
00795 { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
00796 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
00797 }
00798 };
00799 #endif
00800
00801 #if defined(POLARSSL_CIPHER_MODE_CTR)
00802
00803
00804
00805
00806
00807
00808 static const unsigned char camellia_test_ctr_key[3][16] =
00809 {
00810 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
00811 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
00812 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
00813 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
00814 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
00815 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
00816 };
00817
00818 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
00819 {
00820 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
00821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
00822 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
00823 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
00824 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
00825 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
00826 };
00827
00828 static const unsigned char camellia_test_ctr_pt[3][48] =
00829 {
00830 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
00831 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
00832
00833 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
00834 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
00835 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
00836 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
00837
00838 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
00839 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
00840 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
00841 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
00842 0x20, 0x21, 0x22, 0x23 }
00843 };
00844
00845 static const unsigned char camellia_test_ctr_ct[3][48] =
00846 {
00847 { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
00848 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
00849 { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
00850 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
00851 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
00852 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
00853 { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
00854 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
00855 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
00856 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
00857 0xDF, 0x50, 0x86, 0x96 }
00858 };
00859
00860 static const int camellia_test_ctr_len[3] =
00861 { 16, 32, 36 };
00862 #endif
00863
00864
00865
00866
00867 int camellia_self_test( int verbose )
00868 {
00869 int i, j, u, v;
00870 unsigned char key[32];
00871 unsigned char buf[64];
00872 unsigned char src[16];
00873 unsigned char dst[16];
00874 #if defined(POLARSSL_CIPHER_MODE_CBC)
00875 unsigned char iv[16];
00876 #endif
00877 #if defined(POLARSSL_CIPHER_MODE_CTR)
00878 size_t offset, len;
00879 unsigned char nonce_counter[16];
00880 unsigned char stream_block[16];
00881 #endif
00882
00883 camellia_context ctx;
00884
00885 memset( key, 0, 32 );
00886
00887 for (j = 0; j < 6; j++) {
00888 u = j >> 1;
00889 v = j & 1;
00890
00891 if( verbose != 0 )
00892 printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
00893 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
00894
00895 for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
00896 memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
00897
00898 if (v == CAMELLIA_DECRYPT) {
00899 camellia_setkey_dec(&ctx, key, 128 + u * 64);
00900 memcpy(src, camellia_test_ecb_cipher[u][i], 16);
00901 memcpy(dst, camellia_test_ecb_plain[i], 16);
00902 } else {
00903 camellia_setkey_enc(&ctx, key, 128 + u * 64);
00904 memcpy(src, camellia_test_ecb_plain[i], 16);
00905 memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
00906 }
00907
00908 camellia_crypt_ecb(&ctx, v, src, buf);
00909
00910 if( memcmp( buf, dst, 16 ) != 0 )
00911 {
00912 if( verbose != 0 )
00913 printf( "failed\n" );
00914
00915 return( 1 );
00916 }
00917 }
00918
00919 if( verbose != 0 )
00920 printf( "passed\n" );
00921 }
00922
00923 if( verbose != 0 )
00924 printf( "\n" );
00925
00926 #if defined(POLARSSL_CIPHER_MODE_CBC)
00927
00928
00929
00930 for( j = 0; j < 6; j++ )
00931 {
00932 u = j >> 1;
00933 v = j & 1;
00934
00935 if( verbose != 0 )
00936 printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
00937 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
00938
00939 memcpy( src, camellia_test_cbc_iv, 16);
00940 memcpy( dst, camellia_test_cbc_iv, 16);
00941 memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
00942
00943 if (v == CAMELLIA_DECRYPT) {
00944 camellia_setkey_dec(&ctx, key, 128 + u * 64);
00945 } else {
00946 camellia_setkey_enc(&ctx, key, 128 + u * 64);
00947 }
00948
00949 for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
00950
00951 if (v == CAMELLIA_DECRYPT) {
00952 memcpy( iv , src, 16 );
00953 memcpy(src, camellia_test_cbc_cipher[u][i], 16);
00954 memcpy(dst, camellia_test_cbc_plain[i], 16);
00955 } else {
00956 memcpy( iv , dst, 16 );
00957 memcpy(src, camellia_test_cbc_plain[i], 16);
00958 memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
00959 }
00960
00961 camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
00962
00963 if( memcmp( buf, dst, 16 ) != 0 )
00964 {
00965 if( verbose != 0 )
00966 printf( "failed\n" );
00967
00968 return( 1 );
00969 }
00970 }
00971
00972 if( verbose != 0 )
00973 printf( "passed\n" );
00974 }
00975 #endif
00976
00977 if( verbose != 0 )
00978 printf( "\n" );
00979
00980 #if defined(POLARSSL_CIPHER_MODE_CTR)
00981
00982
00983
00984 for( i = 0; i < 6; i++ )
00985 {
00986 u = i >> 1;
00987 v = i & 1;
00988
00989 if( verbose != 0 )
00990 printf( " CAMELLIA-CTR-128 (%s): ",
00991 ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
00992
00993 memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
00994 memcpy( key, camellia_test_ctr_key[u], 16 );
00995
00996 offset = 0;
00997 camellia_setkey_enc( &ctx, key, 128 );
00998
00999 if( v == CAMELLIA_DECRYPT )
01000 {
01001 len = camellia_test_ctr_len[u];
01002 memcpy( buf, camellia_test_ctr_ct[u], len );
01003
01004 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
01005
01006 if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
01007 {
01008 if( verbose != 0 )
01009 printf( "failed\n" );
01010
01011 return( 1 );
01012 }
01013 }
01014 else
01015 {
01016 len = camellia_test_ctr_len[u];
01017 memcpy( buf, camellia_test_ctr_pt[u], len );
01018
01019 camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
01020
01021 if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
01022 {
01023 if( verbose != 0 )
01024 printf( "failed\n" );
01025
01026 return( 1 );
01027 }
01028 }
01029
01030 if( verbose != 0 )
01031 printf( "passed\n" );
01032 }
01033
01034 if( verbose != 0 )
01035 printf( "\n" );
01036 #endif
01037
01038 return ( 0 );
01039 }
01040
01041 #endif
01042
01043 #endif