Kenji Arai / mbed-os_TYBLE16

Dependents:   TYBLE16_simple_data_logger TYBLE16_MP3_Air

Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers camellia.c Source File

camellia.c

00001 /*
00002  *  Camellia implementation
00003  *
00004  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00005  *  SPDX-License-Identifier: Apache-2.0
00006  *
00007  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00008  *  not use this file except in compliance with the License.
00009  *  You may obtain a copy of the License at
00010  *
00011  *  http://www.apache.org/licenses/LICENSE-2.0
00012  *
00013  *  Unless required by applicable law or agreed to in writing, software
00014  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00015  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00016  *  See the License for the specific language governing permissions and
00017  *  limitations under the License.
00018  *
00019  *  This file is part of mbed TLS (https://tls.mbed.org)
00020  */
00021 /*
00022  *  The Camellia block cipher was designed by NTT and Mitsubishi Electric
00023  *  Corporation.
00024  *
00025  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
00026  */
00027 
00028 #if !defined(MBEDTLS_CONFIG_FILE)
00029 #include "mbedtls/config.h"
00030 #else
00031 #include MBEDTLS_CONFIG_FILE
00032 #endif
00033 
00034 #if defined(MBEDTLS_CAMELLIA_C)
00035 
00036 #include "mbedtls/camellia.h"
00037 #include "mbedtls/platform_util.h"
00038 
00039 #include <string.h>
00040 
00041 #if defined(MBEDTLS_SELF_TEST)
00042 #if defined(MBEDTLS_PLATFORM_C)
00043 #include "mbedtls/platform.h"
00044 #else
00045 #include <stdio.h>
00046 #define mbedtls_printf printf
00047 #endif /* MBEDTLS_PLATFORM_C */
00048 #endif /* MBEDTLS_SELF_TEST */
00049 
00050 #if !defined(MBEDTLS_CAMELLIA_ALT)
00051 
00052 /* Parameter validation macros */
00053 #define CAMELLIA_VALIDATE_RET( cond )                                       \
00054     MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
00055 #define CAMELLIA_VALIDATE( cond )                                           \
00056     MBEDTLS_INTERNAL_VALIDATE( cond )
00057 
00058 /*
00059  * 32-bit integer manipulation macros (big endian)
00060  */
00061 #ifndef GET_UINT32_BE
00062 #define GET_UINT32_BE(n,b,i)                            \
00063 {                                                       \
00064     (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
00065         | ( (uint32_t) (b)[(i) + 1] << 16 )             \
00066         | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
00067         | ( (uint32_t) (b)[(i) + 3]       );            \
00068 }
00069 #endif
00070 
00071 #ifndef PUT_UINT32_BE
00072 #define PUT_UINT32_BE(n,b,i)                            \
00073 {                                                       \
00074     (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
00075     (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
00076     (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
00077     (b)[(i) + 3] = (unsigned char) ( (n)       );       \
00078 }
00079 #endif
00080 
00081 static const unsigned char SIGMA_CHARS[6][8] =
00082 {
00083     { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
00084     { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
00085     { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
00086     { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
00087     { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
00088     { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
00089 };
00090 
00091 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
00092 
00093 static const unsigned char FSb[256] =
00094 {
00095     112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
00096      35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
00097     134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
00098     166,225, 57,202,213, 71, 93, 61,217,  1, 90,214, 81, 86,108, 77,
00099     139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
00100     223, 76,203,194, 52,126,118,  5,109,183,169, 49,209, 23,  4,215,
00101      20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
00102     254, 68,207,178,195,181,122,145, 36,  8,232,168, 96,252,105, 80,
00103     170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
00104      16,196,  0, 72,163,247,117,219,138,  3,230,218,  9, 63,221,148,
00105     135, 92,131,  2,205, 74,144, 51,115,103,246,243,157,127,191,226,
00106      82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
00107     233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
00108     120,152,  6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
00109     114,  7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
00110      64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
00111 };
00112 
00113 #define SBOX1(n) FSb[(n)]
00114 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
00115 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
00116 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
00117 
00118 #else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
00119 
00120 static const unsigned char FSb[256] =
00121 {
00122  112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
00123   35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
00124  134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
00125  166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
00126  139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
00127  223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
00128   20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
00129  254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
00130  170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
00131   16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
00132  135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
00133   82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
00134  233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
00135  120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
00136  114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
00137  64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
00138 };
00139 
00140 static const unsigned char FSb2[256] =
00141 {
00142  224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
00143   70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
00144   13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
00145   77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
00146   23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
00147  191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
00148   40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
00149  253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
00150   85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
00151   32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
00152   15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
00153  164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
00154  211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
00155  240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
00156  228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
00157  128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
00158 };
00159 
00160 static const unsigned char FSb3[256] =
00161 {
00162   56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
00163  145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
00164   67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
00165   83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
00166  197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
00167  239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
00168   10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
00169  127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
00170   85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
00171    8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
00172  195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
00173   41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
00174  244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
00175   60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
00176   57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
00177   32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
00178 };
00179 
00180 static const unsigned char FSb4[256] =
00181 {
00182  112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
00183  134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
00184  139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
00185   20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
00186  170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
00187  135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
00188  233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
00189  114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
00190  130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
00191  184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
00192   13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
00193   88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
00194  208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
00195   92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
00196  121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
00197   7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
00198 };
00199 
00200 #define SBOX1(n) FSb[(n)]
00201 #define SBOX2(n) FSb2[(n)]
00202 #define SBOX3(n) FSb3[(n)]
00203 #define SBOX4(n) FSb4[(n)]
00204 
00205 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
00206 
00207 static const unsigned char shifts[2][4][4] =
00208 {
00209     {
00210         { 1, 1, 1, 1 }, /* KL */
00211         { 0, 0, 0, 0 }, /* KR */
00212         { 1, 1, 1, 1 }, /* KA */
00213         { 0, 0, 0, 0 }  /* KB */
00214     },
00215     {
00216         { 1, 0, 1, 1 }, /* KL */
00217         { 1, 1, 0, 1 }, /* KR */
00218         { 1, 1, 1, 0 }, /* KA */
00219         { 1, 1, 0, 1 }  /* KB */
00220     }
00221 };
00222 
00223 static const signed char indexes[2][4][20] =
00224 {
00225     {
00226         {  0,  1,  2,  3,  8,  9, 10, 11, 38, 39,
00227           36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
00228         { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
00229           -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
00230         {  4,  5,  6,  7, 12, 13, 14, 15, 16, 17,
00231           18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
00232         { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
00233           -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }  /* KB -> RK */
00234     },
00235     {
00236         {  0,  1,  2,  3, 61, 62, 63, 60, -1, -1,
00237           -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
00238         { -1, -1, -1, -1,  8,  9, 10, 11, 16, 17,
00239           18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
00240         { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
00241           56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
00242         {  4,  5,  6,  7, 65, 66, 67, 64, 20, 21,
00243           22, 23, -1, -1, -1, -1, 43, 40, 41, 42 }  /* KB -> RK */
00244     }
00245 };
00246 
00247 static const signed char transposes[2][20] =
00248 {
00249     {
00250         21, 22, 23, 20,
00251         -1, -1, -1, -1,
00252         18, 19, 16, 17,
00253         11,  8,  9, 10,
00254         15, 12, 13, 14
00255     },
00256     {
00257         25, 26, 27, 24,
00258         29, 30, 31, 28,
00259         18, 19, 16, 17,
00260         -1, -1, -1, -1,
00261         -1, -1, -1, -1
00262     }
00263 };
00264 
00265 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
00266 #define ROTL(DEST, SRC, SHIFT)                                      \
00267 {                                                                   \
00268     (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
00269     (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
00270     (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
00271     (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
00272 }
00273 
00274 #define FL(XL, XR, KL, KR)                                          \
00275 {                                                                   \
00276     (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR);   \
00277     (XL) = ((XR) | (KR)) ^ (XL);                                    \
00278 }
00279 
00280 #define FLInv(YL, YR, KL, KR)                                       \
00281 {                                                                   \
00282     (YL) = ((YR) | (KR)) ^ (YL);                                    \
00283     (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR);   \
00284 }
00285 
00286 #define SHIFT_AND_PLACE(INDEX, OFFSET)                      \
00287 {                                                           \
00288     TK[0] = KC[(OFFSET) * 4 + 0];                           \
00289     TK[1] = KC[(OFFSET) * 4 + 1];                           \
00290     TK[2] = KC[(OFFSET) * 4 + 2];                           \
00291     TK[3] = KC[(OFFSET) * 4 + 3];                           \
00292                                                             \
00293     for( i = 1; i <= 4; i++ )                               \
00294         if( shifts[(INDEX)][(OFFSET)][i -1] )               \
00295             ROTL(TK + i * 4, TK, ( 15 * i ) % 32);          \
00296                                                             \
00297     for( i = 0; i < 20; i++ )                               \
00298         if( indexes[(INDEX)][(OFFSET)][i] != -1 ) {         \
00299             RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ];    \
00300         }                                                   \
00301 }
00302 
00303 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
00304                               uint32_t z[2])
00305 {
00306     uint32_t I0, I1;
00307     I0 = x[0] ^ k[0];
00308     I1 = x[1] ^ k[1];
00309 
00310     I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
00311          ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
00312          ((uint32_t) SBOX3((I0 >>  8) & 0xFF) <<  8) |
00313          ((uint32_t) SBOX4((I0      ) & 0xFF)      );
00314     I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
00315          ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
00316          ((uint32_t) SBOX4((I1 >>  8) & 0xFF) <<  8) |
00317          ((uint32_t) SBOX1((I1      ) & 0xFF)      );
00318 
00319     I0 ^= (I1 << 8) | (I1 >> 24);
00320     I1 ^= (I0 << 16) | (I0 >> 16);
00321     I0 ^= (I1 >> 8) | (I1 << 24);
00322     I1 ^= (I0 >> 8) | (I0 << 24);
00323 
00324     z[0] ^= I1;
00325     z[1] ^= I0;
00326 }
00327 
00328 void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
00329 {
00330     CAMELLIA_VALIDATE( ctx != NULL );
00331     memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
00332 }
00333 
00334 void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
00335 {
00336     if( ctx == NULL )
00337         return;
00338 
00339     mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
00340 }
00341 
00342 /*
00343  * Camellia key schedule (encryption)
00344  */
00345 int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
00346                                  const unsigned char *key,
00347                                  unsigned int keybits )
00348 {
00349     int idx;
00350     size_t i;
00351     uint32_t *RK;
00352     unsigned char t[64];
00353     uint32_t SIGMA[6][2];
00354     uint32_t KC[16];
00355     uint32_t TK[20];
00356 
00357     CAMELLIA_VALIDATE_RET( ctx != NULL );
00358     CAMELLIA_VALIDATE_RET( key != NULL );
00359 
00360     RK = ctx->rk ;
00361 
00362     memset( t, 0, 64 );
00363     memset( RK, 0, sizeof(ctx->rk ) );
00364 
00365     switch( keybits )
00366     {
00367         case 128: ctx->nr  = 3; idx = 0; break;
00368         case 192:
00369         case 256: ctx->nr  = 4; idx = 1; break;
00370         default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
00371     }
00372 
00373     for( i = 0; i < keybits / 8; ++i )
00374         t[i] = key[i];
00375 
00376     if( keybits == 192 ) {
00377         for( i = 0; i < 8; i++ )
00378             t[24 + i] = ~t[16 + i];
00379     }
00380 
00381     /*
00382      * Prepare SIGMA values
00383      */
00384     for( i = 0; i < 6; i++ ) {
00385         GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
00386         GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
00387     }
00388 
00389     /*
00390      * Key storage in KC
00391      * Order: KL, KR, KA, KB
00392      */
00393     memset( KC, 0, sizeof(KC) );
00394 
00395     /* Store KL, KR */
00396     for( i = 0; i < 8; i++ )
00397         GET_UINT32_BE( KC[i], t, i * 4 );
00398 
00399     /* Generate KA */
00400     for( i = 0; i < 4; ++i )
00401         KC[8 + i] = KC[i] ^ KC[4 + i];
00402 
00403     camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
00404     camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
00405 
00406     for( i = 0; i < 4; ++i )
00407         KC[8 + i] ^= KC[i];
00408 
00409     camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
00410     camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
00411 
00412     if( keybits > 128 ) {
00413         /* Generate KB */
00414         for( i = 0; i < 4; ++i )
00415             KC[12 + i] = KC[4 + i] ^ KC[8 + i];
00416 
00417         camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
00418         camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
00419     }
00420 
00421     /*
00422      * Generating subkeys
00423      */
00424 
00425     /* Manipulating KL */
00426     SHIFT_AND_PLACE( idx, 0 );
00427 
00428     /* Manipulating KR */
00429     if( keybits > 128 ) {
00430         SHIFT_AND_PLACE( idx, 1 );
00431     }
00432 
00433     /* Manipulating KA */
00434     SHIFT_AND_PLACE( idx, 2 );
00435 
00436     /* Manipulating KB */
00437     if( keybits > 128 ) {
00438         SHIFT_AND_PLACE( idx, 3 );
00439     }
00440 
00441     /* Do transpositions */
00442     for( i = 0; i < 20; i++ ) {
00443         if( transposes[idx][i] != -1 ) {
00444             RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
00445         }
00446     }
00447 
00448     return( 0 );
00449 }
00450 
00451 /*
00452  * Camellia key schedule (decryption)
00453  */
00454 int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
00455                                  const unsigned char *key,
00456                                  unsigned int keybits )
00457 {
00458     int idx, ret;
00459     size_t i;
00460     mbedtls_camellia_context cty;
00461     uint32_t *RK;
00462     uint32_t *SK;
00463     CAMELLIA_VALIDATE_RET( ctx != NULL );
00464     CAMELLIA_VALIDATE_RET( key != NULL );
00465 
00466     mbedtls_camellia_init( &cty );
00467 
00468     /* Also checks keybits */
00469     if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
00470         goto exit;
00471 
00472     ctx->nr  = cty.nr ;
00473     idx = ( ctx->nr  == 4 );
00474 
00475     RK = ctx->rk ;
00476     SK = cty.rk  + 24 * 2 + 8 * idx * 2;
00477 
00478     *RK++ = *SK++;
00479     *RK++ = *SK++;
00480     *RK++ = *SK++;
00481     *RK++ = *SK++;
00482 
00483     for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
00484     {
00485         *RK++ = *SK++;
00486         *RK++ = *SK++;
00487     }
00488 
00489     SK -= 2;
00490 
00491     *RK++ = *SK++;
00492     *RK++ = *SK++;
00493     *RK++ = *SK++;
00494     *RK++ = *SK++;
00495 
00496 exit:
00497     mbedtls_camellia_free( &cty );
00498 
00499     return( ret );
00500 }
00501 
00502 /*
00503  * Camellia-ECB block encryption/decryption
00504  */
00505 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
00506                     int mode,
00507                     const unsigned char input[16],
00508                     unsigned char output[16] )
00509 {
00510     int NR;
00511     uint32_t *RK, X[4];
00512     CAMELLIA_VALIDATE_RET( ctx != NULL );
00513     CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
00514                            mode == MBEDTLS_CAMELLIA_DECRYPT );
00515     CAMELLIA_VALIDATE_RET( input  != NULL );
00516     CAMELLIA_VALIDATE_RET( output != NULL );
00517 
00518     ( (void) mode );
00519 
00520     NR = ctx->nr ;
00521     RK = ctx->rk ;
00522 
00523     GET_UINT32_BE( X[0], input,  0 );
00524     GET_UINT32_BE( X[1], input,  4 );
00525     GET_UINT32_BE( X[2], input,  8 );
00526     GET_UINT32_BE( X[3], input, 12 );
00527 
00528     X[0] ^= *RK++;
00529     X[1] ^= *RK++;
00530     X[2] ^= *RK++;
00531     X[3] ^= *RK++;
00532 
00533     while( NR ) {
00534         --NR;
00535         camellia_feistel( X, RK, X + 2 );
00536         RK += 2;
00537         camellia_feistel( X + 2, RK, X );
00538         RK += 2;
00539         camellia_feistel( X, RK, X + 2 );
00540         RK += 2;
00541         camellia_feistel( X + 2, RK, X );
00542         RK += 2;
00543         camellia_feistel( X, RK, X + 2 );
00544         RK += 2;
00545         camellia_feistel( X + 2, RK, X );
00546         RK += 2;
00547 
00548         if( NR ) {
00549             FL(X[0], X[1], RK[0], RK[1]);
00550             RK += 2;
00551             FLInv(X[2], X[3], RK[0], RK[1]);
00552             RK += 2;
00553         }
00554     }
00555 
00556     X[2] ^= *RK++;
00557     X[3] ^= *RK++;
00558     X[0] ^= *RK++;
00559     X[1] ^= *RK++;
00560 
00561     PUT_UINT32_BE( X[2], output,  0 );
00562     PUT_UINT32_BE( X[3], output,  4 );
00563     PUT_UINT32_BE( X[0], output,  8 );
00564     PUT_UINT32_BE( X[1], output, 12 );
00565 
00566     return( 0 );
00567 }
00568 
00569 #if defined(MBEDTLS_CIPHER_MODE_CBC)
00570 /*
00571  * Camellia-CBC buffer encryption/decryption
00572  */
00573 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
00574                                 int mode,
00575                                 size_t length,
00576                                 unsigned char iv[16],
00577                                 const unsigned char *input,
00578                                 unsigned char *output )
00579 {
00580     int i;
00581     unsigned char temp[16];
00582     CAMELLIA_VALIDATE_RET( ctx != NULL );
00583     CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
00584                            mode == MBEDTLS_CAMELLIA_DECRYPT );
00585     CAMELLIA_VALIDATE_RET( iv != NULL );
00586     CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
00587     CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
00588 
00589     if( length % 16 )
00590         return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
00591 
00592     if( mode == MBEDTLS_CAMELLIA_DECRYPT )
00593     {
00594         while( length > 0 )
00595         {
00596             memcpy( temp, input, 16 );
00597             mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
00598 
00599             for( i = 0; i < 16; i++ )
00600                 output[i] = (unsigned char)( output[i] ^ iv[i] );
00601 
00602             memcpy( iv, temp, 16 );
00603 
00604             input  += 16;
00605             output += 16;
00606             length -= 16;
00607         }
00608     }
00609     else
00610     {
00611         while( length > 0 )
00612         {
00613             for( i = 0; i < 16; i++ )
00614                 output[i] = (unsigned char)( input[i] ^ iv[i] );
00615 
00616             mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
00617             memcpy( iv, output, 16 );
00618 
00619             input  += 16;
00620             output += 16;
00621             length -= 16;
00622         }
00623     }
00624 
00625     return( 0 );
00626 }
00627 #endif /* MBEDTLS_CIPHER_MODE_CBC */
00628 
00629 #if defined(MBEDTLS_CIPHER_MODE_CFB)
00630 /*
00631  * Camellia-CFB128 buffer encryption/decryption
00632  */
00633 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
00634                        int mode,
00635                        size_t length,
00636                        size_t *iv_off,
00637                        unsigned char iv[16],
00638                        const unsigned char *input,
00639                        unsigned char *output )
00640 {
00641     int c;
00642     size_t n;
00643     CAMELLIA_VALIDATE_RET( ctx != NULL );
00644     CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
00645                            mode == MBEDTLS_CAMELLIA_DECRYPT );
00646     CAMELLIA_VALIDATE_RET( iv     != NULL );
00647     CAMELLIA_VALIDATE_RET( iv_off != NULL );
00648     CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
00649     CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
00650 
00651     n = *iv_off;
00652     if( n >= 16 )
00653         return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
00654 
00655     if( mode == MBEDTLS_CAMELLIA_DECRYPT )
00656     {
00657         while( length-- )
00658         {
00659             if( n == 0 )
00660                 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
00661 
00662             c = *input++;
00663             *output++ = (unsigned char)( c ^ iv[n] );
00664             iv[n] = (unsigned char) c;
00665 
00666             n = ( n + 1 ) & 0x0F;
00667         }
00668     }
00669     else
00670     {
00671         while( length-- )
00672         {
00673             if( n == 0 )
00674                 mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
00675 
00676             iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
00677 
00678             n = ( n + 1 ) & 0x0F;
00679         }
00680     }
00681 
00682     *iv_off = n;
00683 
00684     return( 0 );
00685 }
00686 #endif /* MBEDTLS_CIPHER_MODE_CFB */
00687 
00688 #if defined(MBEDTLS_CIPHER_MODE_CTR)
00689 /*
00690  * Camellia-CTR buffer encryption/decryption
00691  */
00692 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
00693                        size_t length,
00694                        size_t *nc_off,
00695                        unsigned char nonce_counter[16],
00696                        unsigned char stream_block[16],
00697                        const unsigned char *input,
00698                        unsigned char *output )
00699 {
00700     int c, i;
00701     size_t n;
00702     CAMELLIA_VALIDATE_RET( ctx != NULL );
00703     CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
00704     CAMELLIA_VALIDATE_RET( stream_block  != NULL );
00705     CAMELLIA_VALIDATE_RET( nc_off != NULL );
00706     CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
00707     CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
00708 
00709     n = *nc_off;
00710     if( n >= 16 )
00711         return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
00712 
00713     while( length-- )
00714     {
00715         if( n == 0 ) {
00716             mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
00717                                 stream_block );
00718 
00719             for( i = 16; i > 0; i-- )
00720                 if( ++nonce_counter[i - 1] != 0 )
00721                     break;
00722         }
00723         c = *input++;
00724         *output++ = (unsigned char)( c ^ stream_block[n] );
00725 
00726         n = ( n + 1 ) & 0x0F;
00727     }
00728 
00729     *nc_off = n;
00730 
00731     return( 0 );
00732 }
00733 #endif /* MBEDTLS_CIPHER_MODE_CTR */
00734 #endif /* !MBEDTLS_CAMELLIA_ALT */
00735 
00736 #if defined(MBEDTLS_SELF_TEST)
00737 
00738 /*
00739  * Camellia test vectors from:
00740  *
00741  * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
00742  *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
00743  *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
00744  *                      (For each bitlength: Key 0, Nr 39)
00745  */
00746 #define CAMELLIA_TESTS_ECB  2
00747 
00748 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
00749 {
00750     {
00751         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
00752           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
00753         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00754           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
00755     },
00756     {
00757         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
00758           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
00759           0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
00760         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00761           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00762           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
00763     },
00764     {
00765         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
00766           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
00767           0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
00768           0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
00769         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00770           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00771           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00772           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
00773     },
00774 };
00775 
00776 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
00777 {
00778     { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
00779       0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
00780     { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
00781       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
00782 };
00783 
00784 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
00785 {
00786     {
00787         { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
00788           0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
00789         { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
00790           0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
00791     },
00792     {
00793         { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
00794           0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
00795         { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
00796           0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
00797     },
00798     {
00799         { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
00800           0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
00801         { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
00802           0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
00803     }
00804 };
00805 
00806 #if defined(MBEDTLS_CIPHER_MODE_CBC)
00807 #define CAMELLIA_TESTS_CBC  3
00808 
00809 static const unsigned char camellia_test_cbc_key[3][32] =
00810 {
00811         { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
00812           0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
00813     ,
00814         { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
00815           0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
00816           0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
00817     ,
00818         { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
00819           0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
00820           0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
00821           0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
00822 };
00823 
00824 static const unsigned char camellia_test_cbc_iv[16] =
00825 
00826     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
00827       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
00828 ;
00829 
00830 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
00831 {
00832     { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
00833       0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
00834     { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
00835       0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
00836     { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
00837       0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
00838 
00839 };
00840 
00841 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
00842 {
00843     {
00844         { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
00845           0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
00846         { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
00847           0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
00848         { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
00849           0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
00850     },
00851     {
00852         { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
00853           0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
00854         { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
00855           0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
00856         { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
00857           0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
00858     },
00859     {
00860         { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
00861           0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
00862         { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
00863           0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
00864         { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
00865           0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
00866     }
00867 };
00868 #endif /* MBEDTLS_CIPHER_MODE_CBC */
00869 
00870 #if defined(MBEDTLS_CIPHER_MODE_CTR)
00871 /*
00872  * Camellia-CTR test vectors from:
00873  *
00874  * http://www.faqs.org/rfcs/rfc5528.html
00875  */
00876 
00877 static const unsigned char camellia_test_ctr_key[3][16] =
00878 {
00879     { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
00880       0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
00881     { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
00882       0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
00883     { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
00884       0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
00885 };
00886 
00887 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
00888 {
00889     { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
00890       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
00891     { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
00892       0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
00893     { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
00894       0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
00895 };
00896 
00897 static const unsigned char camellia_test_ctr_pt[3][48] =
00898 {
00899     { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
00900       0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
00901 
00902     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
00903       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
00904       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
00905       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
00906 
00907     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
00908       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
00909       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
00910       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
00911       0x20, 0x21, 0x22, 0x23 }
00912 };
00913 
00914 static const unsigned char camellia_test_ctr_ct[3][48] =
00915 {
00916     { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
00917       0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
00918     { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
00919       0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
00920       0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
00921       0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
00922     { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
00923       0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
00924       0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
00925       0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
00926       0xDF, 0x50, 0x86, 0x96 }
00927 };
00928 
00929 static const int camellia_test_ctr_len[3] =
00930     { 16, 32, 36 };
00931 #endif /* MBEDTLS_CIPHER_MODE_CTR */
00932 
00933 /*
00934  * Checkup routine
00935  */
00936 int mbedtls_camellia_self_test( int verbose )
00937 {
00938     int i, j, u, v;
00939     unsigned char key[32];
00940     unsigned char buf[64];
00941     unsigned char src[16];
00942     unsigned char dst[16];
00943 #if defined(MBEDTLS_CIPHER_MODE_CBC)
00944     unsigned char iv[16];
00945 #endif
00946 #if defined(MBEDTLS_CIPHER_MODE_CTR)
00947     size_t offset, len;
00948     unsigned char nonce_counter[16];
00949     unsigned char stream_block[16];
00950 #endif
00951 
00952     mbedtls_camellia_context ctx;
00953 
00954     memset( key, 0, 32 );
00955 
00956     for( j = 0; j < 6; j++ ) {
00957         u = j >> 1;
00958     v = j & 1;
00959 
00960     if( verbose != 0 )
00961         mbedtls_printf( "  CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
00962                          (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
00963 
00964     for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
00965         memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
00966 
00967         if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
00968             mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
00969             memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
00970             memcpy( dst, camellia_test_ecb_plain[i], 16 );
00971         } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
00972             mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
00973             memcpy( src, camellia_test_ecb_plain[i], 16 );
00974             memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
00975         }
00976 
00977         mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
00978 
00979         if( memcmp( buf, dst, 16 ) != 0 )
00980         {
00981             if( verbose != 0 )
00982                 mbedtls_printf( "failed\n" );
00983 
00984             return( 1 );
00985         }
00986     }
00987 
00988     if( verbose != 0 )
00989         mbedtls_printf( "passed\n" );
00990     }
00991 
00992     if( verbose != 0 )
00993         mbedtls_printf( "\n" );
00994 
00995 #if defined(MBEDTLS_CIPHER_MODE_CBC)
00996     /*
00997      * CBC mode
00998      */
00999     for( j = 0; j < 6; j++ )
01000     {
01001         u = j >> 1;
01002         v = j  & 1;
01003 
01004         if( verbose != 0 )
01005             mbedtls_printf( "  CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
01006                              ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
01007 
01008         memcpy( src, camellia_test_cbc_iv, 16 );
01009         memcpy( dst, camellia_test_cbc_iv, 16 );
01010         memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
01011 
01012         if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
01013             mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
01014         } else {
01015             mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
01016         }
01017 
01018         for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
01019 
01020             if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
01021                 memcpy( iv , src, 16 );
01022                 memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
01023                 memcpy( dst, camellia_test_cbc_plain[i], 16 );
01024             } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
01025                 memcpy( iv , dst, 16 );
01026                 memcpy( src, camellia_test_cbc_plain[i], 16 );
01027                 memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
01028             }
01029 
01030             mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
01031 
01032             if( memcmp( buf, dst, 16 ) != 0 )
01033             {
01034                 if( verbose != 0 )
01035                     mbedtls_printf( "failed\n" );
01036 
01037                 return( 1 );
01038             }
01039         }
01040 
01041         if( verbose != 0 )
01042             mbedtls_printf( "passed\n" );
01043     }
01044 #endif /* MBEDTLS_CIPHER_MODE_CBC */
01045 
01046     if( verbose != 0 )
01047         mbedtls_printf( "\n" );
01048 
01049 #if defined(MBEDTLS_CIPHER_MODE_CTR)
01050     /*
01051      * CTR mode
01052      */
01053     for( i = 0; i < 6; i++ )
01054     {
01055         u = i >> 1;
01056         v = i  & 1;
01057 
01058         if( verbose != 0 )
01059             mbedtls_printf( "  CAMELLIA-CTR-128 (%s): ",
01060                              ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
01061 
01062         memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
01063         memcpy( key, camellia_test_ctr_key[u], 16 );
01064 
01065         offset = 0;
01066         mbedtls_camellia_setkey_enc( &ctx, key, 128 );
01067 
01068         if( v == MBEDTLS_CAMELLIA_DECRYPT )
01069         {
01070             len = camellia_test_ctr_len[u];
01071             memcpy( buf, camellia_test_ctr_ct[u], len );
01072 
01073             mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
01074                                 buf, buf );
01075 
01076             if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
01077             {
01078                 if( verbose != 0 )
01079                     mbedtls_printf( "failed\n" );
01080 
01081                 return( 1 );
01082             }
01083         }
01084         else
01085         {
01086             len = camellia_test_ctr_len[u];
01087             memcpy( buf, camellia_test_ctr_pt[u], len );
01088 
01089             mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
01090                                 buf, buf );
01091 
01092             if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
01093             {
01094                 if( verbose != 0 )
01095                     mbedtls_printf( "failed\n" );
01096 
01097                 return( 1 );
01098             }
01099         }
01100 
01101         if( verbose != 0 )
01102             mbedtls_printf( "passed\n" );
01103     }
01104 
01105     if( verbose != 0 )
01106         mbedtls_printf( "\n" );
01107 #endif /* MBEDTLS_CIPHER_MODE_CTR */
01108 
01109     return( 0 );
01110 }
01111 
01112 #endif /* MBEDTLS_SELF_TEST */
01113 
01114 #endif /* MBEDTLS_CAMELLIA_C */