2
* Camellia implementation
4
* Copyright (C) 2006-2013, Brainspark B.V.
6
* This file is part of PolarSSL (http://www.polarssl.org)
7
* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
11
* This program is free software; you can redistribute it and/or modify
12
* it under the terms of the GNU General Public License as published by
13
* the Free Software Foundation; either version 2 of the License, or
14
* (at your option) any later version.
16
* This program is distributed in the hope that it will be useful,
17
* but WITHOUT ANY WARRANTY; without even the implied warranty of
18
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19
* GNU General Public License for more details.
21
* You should have received a copy of the GNU General Public License along
22
* with this program; if not, write to the Free Software Foundation, Inc.,
23
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26
* The Camellia block cipher was designed by NTT and Mitsubishi Electric
29
* http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
32
#include "polarssl/config.h"
34
#if defined(POLARSSL_CAMELLIA_C)
36
#include "polarssl/camellia.h"
38
#if !defined(POLARSSL_CAMELLIA_ALT)
41
* 32-bit integer manipulation macros (big endian)
44
#define GET_UINT32_BE(n,b,i) \
46
(n) = ( (uint32_t) (b)[(i) ] << 24 ) \
47
| ( (uint32_t) (b)[(i) + 1] << 16 ) \
48
| ( (uint32_t) (b)[(i) + 2] << 8 ) \
49
| ( (uint32_t) (b)[(i) + 3] ); \
54
#define PUT_UINT32_BE(n,b,i) \
56
(b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
57
(b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
58
(b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
59
(b)[(i) + 3] = (unsigned char) ( (n) ); \
63
static const unsigned char SIGMA_CHARS[6][8] =
65
{ 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
66
{ 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
67
{ 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
68
{ 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
69
{ 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
70
{ 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
73
#if defined(POLARSSL_CAMELLIA_SMALL_MEMORY)
75
static const unsigned char FSb[256] =
77
112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
78
35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
79
134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
80
166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
81
139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
82
223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
83
20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
84
254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
85
170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
86
16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
87
135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
88
82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
89
233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
90
120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
91
114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
92
64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
95
#define SBOX1(n) FSb[(n)]
96
#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
97
#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
98
#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
102
static const unsigned char FSb[256] =
104
112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
105
35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
106
134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
107
166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
108
139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
109
223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
110
20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
111
254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
112
170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
113
16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
114
135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
115
82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
116
233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
117
120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
118
114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
119
64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
122
static const unsigned char FSb2[256] =
124
224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
125
70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
126
13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
127
77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
128
23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
129
191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
130
40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
131
253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
132
85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
133
32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
134
15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
135
164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
136
211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
137
240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
138
228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
139
128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
142
static const unsigned char FSb3[256] =
144
56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
145
145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
146
67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
147
83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
148
197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
149
239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
150
10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
151
127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
152
85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
153
8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
154
195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
155
41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
156
244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
157
60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
158
57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
159
32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
162
static const unsigned char FSb4[256] =
164
112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
165
134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
166
139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
167
20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
168
170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
169
135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
170
233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
171
114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
172
130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
173
184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
174
13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
175
88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
176
208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
177
92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
178
121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
179
7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
182
#define SBOX1(n) FSb[(n)]
183
#define SBOX2(n) FSb2[(n)]
184
#define SBOX3(n) FSb3[(n)]
185
#define SBOX4(n) FSb4[(n)]
189
static const unsigned char shifts[2][4][4] =
192
{ 1, 1, 1, 1 }, /* KL */
193
{ 0, 0, 0, 0 }, /* KR */
194
{ 1, 1, 1, 1 }, /* KA */
195
{ 0, 0, 0, 0 } /* KB */
198
{ 1, 0, 1, 1 }, /* KL */
199
{ 1, 1, 0, 1 }, /* KR */
200
{ 1, 1, 1, 0 }, /* KA */
201
{ 1, 1, 0, 1 } /* KB */
205
static const signed char indexes[2][4][20] =
208
{ 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
209
36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
210
{ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
211
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
212
{ 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
213
18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
214
{ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
215
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
218
{ 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
219
-1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
220
{ -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
221
18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
222
{ -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
223
56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
224
{ 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
225
22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
229
static const signed char transposes[2][20] =
247
/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
248
#define ROTL(DEST, SRC, SHIFT) \
250
(DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
251
(DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
252
(DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
253
(DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
256
#define FL(XL, XR, KL, KR) \
258
(XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
259
(XL) = ((XR) | (KR)) ^ (XL); \
262
#define FLInv(YL, YR, KL, KR) \
264
(YL) = ((YR) | (KR)) ^ (YL); \
265
(YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
268
#define SHIFT_AND_PLACE(INDEX, OFFSET) \
270
TK[0] = KC[(OFFSET) * 4 + 0]; \
271
TK[1] = KC[(OFFSET) * 4 + 1]; \
272
TK[2] = KC[(OFFSET) * 4 + 2]; \
273
TK[3] = KC[(OFFSET) * 4 + 3]; \
275
for ( i = 1; i <= 4; i++ ) \
276
if (shifts[(INDEX)][(OFFSET)][i -1]) \
277
ROTL(TK + i * 4, TK, (15 * i) % 32); \
279
for ( i = 0; i < 20; i++ ) \
280
if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
281
RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
285
static void camellia_feistel(const uint32_t x[2], const uint32_t k[2], uint32_t z[2])
291
I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
292
(SBOX2((I0 >> 16) & 0xFF) << 16) |
293
(SBOX3((I0 >> 8) & 0xFF) << 8) |
294
(SBOX4((I0 ) & 0xFF) );
295
I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
296
(SBOX3((I1 >> 16) & 0xFF) << 16) |
297
(SBOX4((I1 >> 8) & 0xFF) << 8) |
298
(SBOX1((I1 ) & 0xFF) );
300
I0 ^= (I1 << 8) | (I1 >> 24);
301
I1 ^= (I0 << 16) | (I0 >> 16);
302
I0 ^= (I1 >> 8) | (I1 << 24);
303
I1 ^= (I0 >> 8) | (I0 << 24);
310
* Camellia key schedule (encryption)
312
int camellia_setkey_enc( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
318
uint32_t SIGMA[6][2];
325
memset(RK, 0, sizeof(ctx->rk));
329
case 128: ctx->nr = 3; idx = 0; break;
331
case 256: ctx->nr = 4; idx = 1; break;
332
default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
335
for( i = 0; i < keysize / 8; ++i)
338
if (keysize == 192) {
339
for (i = 0; i < 8; i++)
340
t[24 + i] = ~t[16 + i];
344
* Prepare SIGMA values
346
for (i = 0; i < 6; i++) {
347
GET_UINT32_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
348
GET_UINT32_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
353
* Order: KL, KR, KA, KB
355
memset(KC, 0, sizeof(KC));
358
for (i = 0; i < 8; i++)
359
GET_UINT32_BE(KC[i], t, i * 4);
362
for( i = 0; i < 4; ++i)
363
KC[8 + i] = KC[i] ^ KC[4 + i];
365
camellia_feistel(KC + 8, SIGMA[0], KC + 10);
366
camellia_feistel(KC + 10, SIGMA[1], KC + 8);
368
for( i = 0; i < 4; ++i)
371
camellia_feistel(KC + 8, SIGMA[2], KC + 10);
372
camellia_feistel(KC + 10, SIGMA[3], KC + 8);
376
for( i = 0; i < 4; ++i)
377
KC[12 + i] = KC[4 + i] ^ KC[8 + i];
379
camellia_feistel(KC + 12, SIGMA[4], KC + 14);
380
camellia_feistel(KC + 14, SIGMA[5], KC + 12);
387
/* Manipulating KL */
388
SHIFT_AND_PLACE(idx, 0);
390
/* Manipulating KR */
392
SHIFT_AND_PLACE(idx, 1);
395
/* Manipulating KA */
396
SHIFT_AND_PLACE(idx, 2);
398
/* Manipulating KB */
400
SHIFT_AND_PLACE(idx, 3);
403
/* Do transpositions */
404
for ( i = 0; i < 20; i++ ) {
405
if (transposes[idx][i] != -1) {
406
RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
414
* Camellia key schedule (decryption)
416
int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
420
camellia_context cty;
427
case 128: ctx->nr = 3; idx = 0; break;
429
case 256: ctx->nr = 4; idx = 1; break;
430
default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
435
ret = camellia_setkey_enc(&cty, key, keysize);
439
SK = cty.rk + 24 * 2 + 8 * idx * 2;
446
for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
459
memset( &cty, 0, sizeof( camellia_context ) );
465
* Camellia-ECB block encryption/decryption
467
int camellia_crypt_ecb( camellia_context *ctx,
469
const unsigned char input[16],
470
unsigned char output[16] )
480
GET_UINT32_BE( X[0], input, 0 );
481
GET_UINT32_BE( X[1], input, 4 );
482
GET_UINT32_BE( X[2], input, 8 );
483
GET_UINT32_BE( X[3], input, 12 );
492
camellia_feistel(X, RK, X + 2);
494
camellia_feistel(X + 2, RK, X);
496
camellia_feistel(X, RK, X + 2);
498
camellia_feistel(X + 2, RK, X);
500
camellia_feistel(X, RK, X + 2);
502
camellia_feistel(X + 2, RK, X);
506
FL(X[0], X[1], RK[0], RK[1]);
508
FLInv(X[2], X[3], RK[0], RK[1]);
518
PUT_UINT32_BE( X[2], output, 0 );
519
PUT_UINT32_BE( X[3], output, 4 );
520
PUT_UINT32_BE( X[0], output, 8 );
521
PUT_UINT32_BE( X[1], output, 12 );
527
* Camellia-CBC buffer encryption/decryption
529
int camellia_crypt_cbc( camellia_context *ctx,
532
unsigned char iv[16],
533
const unsigned char *input,
534
unsigned char *output )
537
unsigned char temp[16];
540
return( POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
542
if( mode == CAMELLIA_DECRYPT )
546
memcpy( temp, input, 16 );
547
camellia_crypt_ecb( ctx, mode, input, output );
549
for( i = 0; i < 16; i++ )
550
output[i] = (unsigned char)( output[i] ^ iv[i] );
552
memcpy( iv, temp, 16 );
563
for( i = 0; i < 16; i++ )
564
output[i] = (unsigned char)( input[i] ^ iv[i] );
566
camellia_crypt_ecb( ctx, mode, output, output );
567
memcpy( iv, output, 16 );
578
#if defined(POLARSSL_CIPHER_MODE_CFB)
580
* Camellia-CFB128 buffer encryption/decryption
582
int camellia_crypt_cfb128( camellia_context *ctx,
586
unsigned char iv[16],
587
const unsigned char *input,
588
unsigned char *output )
593
if( mode == CAMELLIA_DECRYPT )
598
camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
601
*output++ = (unsigned char)( c ^ iv[n] );
602
iv[n] = (unsigned char) c;
612
camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
614
iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
624
#endif /* POLARSSL_CIPHER_MODE_CFB */
626
#if defined(POLARSSL_CIPHER_MODE_CTR)
628
* Camellia-CTR buffer encryption/decryption
630
int camellia_crypt_ctr( camellia_context *ctx,
633
unsigned char nonce_counter[16],
634
unsigned char stream_block[16],
635
const unsigned char *input,
636
unsigned char *output )
644
camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, nonce_counter, stream_block );
646
for( i = 16; i > 0; i-- )
647
if( ++nonce_counter[i - 1] != 0 )
651
*output++ = (unsigned char)( c ^ stream_block[n] );
660
#endif /* POLARSSL_CIPHER_MODE_CTR */
661
#endif /* !POLARSSL_CAMELLIA_ALT */
663
#if defined(POLARSSL_SELF_TEST)
668
* Camellia test vectors from:
670
* http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
671
* http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
672
* http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
673
* (For each bitlength: Key 0, Nr 39)
675
#define CAMELLIA_TESTS_ECB 2
677
static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
680
{ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
681
0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
682
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
683
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
686
{ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
687
0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
688
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
689
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
690
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
691
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
694
{ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
695
0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
696
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
697
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
698
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
699
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
700
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
701
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
705
static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
707
{ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
708
0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
709
{ 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
710
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
713
static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
716
{ 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
717
0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
718
{ 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
719
0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
722
{ 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
723
0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
724
{ 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
725
0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
728
{ 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
729
0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
730
{ 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
731
0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
735
#define CAMELLIA_TESTS_CBC 3
737
static const unsigned char camellia_test_cbc_key[3][32] =
739
{ 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
740
0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
742
{ 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
743
0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
744
0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
746
{ 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
747
0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
748
0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
749
0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
752
static const unsigned char camellia_test_cbc_iv[16] =
754
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
755
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
758
static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
760
{ 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
761
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
762
{ 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
763
0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
764
{ 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
765
0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
769
static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
772
{ 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
773
0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
774
{ 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
775
0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
776
{ 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
777
0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
780
{ 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
781
0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
782
{ 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
783
0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
784
{ 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
785
0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
788
{ 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
789
0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
790
{ 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
791
0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
792
{ 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
793
0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
797
#if defined(POLARSSL_CIPHER_MODE_CTR)
799
* Camellia-CTR test vectors from:
801
* http://www.faqs.org/rfcs/rfc5528.html
804
static const unsigned char camellia_test_ctr_key[3][16] =
806
{ 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
807
0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
808
{ 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
809
0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
810
{ 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
811
0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
814
static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
816
{ 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
817
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
818
{ 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
819
0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
820
{ 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
821
0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
824
static const unsigned char camellia_test_ctr_pt[3][48] =
826
{ 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
827
0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
829
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
830
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
831
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
832
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
834
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
835
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
836
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
837
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
838
0x20, 0x21, 0x22, 0x23 }
841
static const unsigned char camellia_test_ctr_ct[3][48] =
843
{ 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
844
0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
845
{ 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
846
0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
847
0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
848
0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
849
{ 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
850
0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
851
0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
852
0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
853
0xDF, 0x50, 0x86, 0x96 }
856
static const int camellia_test_ctr_len[3] =
858
#endif /* POLARSSL_CIPHER_MODE_CTR */
863
int camellia_self_test( int verbose )
866
unsigned char key[32];
867
unsigned char buf[64];
868
unsigned char src[16];
869
unsigned char dst[16];
870
unsigned char iv[16];
871
#if defined(POLARSSL_CIPHER_MODE_CTR)
873
unsigned char nonce_counter[16];
874
unsigned char stream_block[16];
877
camellia_context ctx;
879
memset( key, 0, 32 );
881
for (j = 0; j < 6; j++) {
886
printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
887
(v == CAMELLIA_DECRYPT) ? "dec" : "enc");
889
for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
890
memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
892
if (v == CAMELLIA_DECRYPT) {
893
camellia_setkey_dec(&ctx, key, 128 + u * 64);
894
memcpy(src, camellia_test_ecb_cipher[u][i], 16);
895
memcpy(dst, camellia_test_ecb_plain[i], 16);
896
} else { /* CAMELLIA_ENCRYPT */
897
camellia_setkey_enc(&ctx, key, 128 + u * 64);
898
memcpy(src, camellia_test_ecb_plain[i], 16);
899
memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
902
camellia_crypt_ecb(&ctx, v, src, buf);
904
if( memcmp( buf, dst, 16 ) != 0 )
907
printf( "failed\n" );
914
printf( "passed\n" );
923
for( j = 0; j < 6; j++ )
929
printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
930
( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
932
memcpy( src, camellia_test_cbc_iv, 16);
933
memcpy( dst, camellia_test_cbc_iv, 16);
934
memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
936
if (v == CAMELLIA_DECRYPT) {
937
camellia_setkey_dec(&ctx, key, 128 + u * 64);
939
camellia_setkey_enc(&ctx, key, 128 + u * 64);
942
for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
944
if (v == CAMELLIA_DECRYPT) {
945
memcpy( iv , src, 16 );
946
memcpy(src, camellia_test_cbc_cipher[u][i], 16);
947
memcpy(dst, camellia_test_cbc_plain[i], 16);
948
} else { /* CAMELLIA_ENCRYPT */
949
memcpy( iv , dst, 16 );
950
memcpy(src, camellia_test_cbc_plain[i], 16);
951
memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
954
camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
956
if( memcmp( buf, dst, 16 ) != 0 )
959
printf( "failed\n" );
966
printf( "passed\n" );
972
#if defined(POLARSSL_CIPHER_MODE_CTR)
976
for( i = 0; i < 6; i++ )
982
printf( " CAMELLIA-CTR-128 (%s): ",
983
( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
985
memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
986
memcpy( key, camellia_test_ctr_key[u], 16 );
989
camellia_setkey_enc( &ctx, key, 128 );
991
if( v == CAMELLIA_DECRYPT )
993
len = camellia_test_ctr_len[u];
994
memcpy( buf, camellia_test_ctr_ct[u], len );
996
camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
998
if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1001
printf( "failed\n" );
1008
len = camellia_test_ctr_len[u];
1009
memcpy( buf, camellia_test_ctr_pt[u], len );
1011
camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1013
if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1016
printf( "failed\n" );
1023
printf( "passed\n" );
1028
#endif /* POLARSSL_CIPHER_MODE_CTR */