PolarSSL v1.3.8
camellia.c
Go to the documentation of this file.
1 /*
2  * Camellia implementation
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The Camellia block cipher was designed by NTT and Mitsubishi Electric
27  * Corporation.
28  *
29  * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
30  */
31 
32 #if !defined(POLARSSL_CONFIG_FILE)
33 #include "polarssl/config.h"
34 #else
35 #include POLARSSL_CONFIG_FILE
36 #endif
37 
38 #if defined(POLARSSL_CAMELLIA_C)
39 
40 #include "polarssl/camellia.h"
41 
42 #if defined(POLARSSL_PLATFORM_C)
43 #include "polarssl/platform.h"
44 #else
45 #define polarssl_printf printf
46 #endif
47 
48 #if !defined(POLARSSL_CAMELLIA_ALT)
49 
50 /* Implementation that should never be optimized out by the compiler */
51 static void polarssl_zeroize( void *v, size_t n ) {
52  volatile unsigned char *p = v; while( n-- ) *p++ = 0;
53 }
54 
55 /*
56  * 32-bit integer manipulation macros (big endian)
57  */
58 #ifndef GET_UINT32_BE
59 #define GET_UINT32_BE(n,b,i) \
60 { \
61  (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
62  | ( (uint32_t) (b)[(i) + 1] << 16 ) \
63  | ( (uint32_t) (b)[(i) + 2] << 8 ) \
64  | ( (uint32_t) (b)[(i) + 3] ); \
65 }
66 #endif
67 
68 #ifndef PUT_UINT32_BE
69 #define PUT_UINT32_BE(n,b,i) \
70 { \
71  (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
72  (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
73  (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
74  (b)[(i) + 3] = (unsigned char) ( (n) ); \
75 }
76 #endif
77 
78 static const unsigned char SIGMA_CHARS[6][8] =
79 {
80  { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
81  { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
82  { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
83  { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
84  { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
85  { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
86 };
87 
88 #if defined(POLARSSL_CAMELLIA_SMALL_MEMORY)
89 
90 static const unsigned char FSb[256] =
91 {
92  112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
93  35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
94  134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
95  166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
96  139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
97  223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
98  20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
99  254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
100  170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
101  16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
102  135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
103  82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
104  233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
105  120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
106  114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
107  64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
108 };
109 
110 #define SBOX1(n) FSb[(n)]
111 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
112 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
113 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
114 
115 #else /* POLARSSL_CAMELLIA_SMALL_MEMORY */
116 
117 static const unsigned char FSb[256] =
118 {
119  112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
120  35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
121  134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
122  166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
123  139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
124  223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
125  20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
126  254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
127  170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
128  16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
129  135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
130  82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
131  233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
132  120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
133  114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
134  64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
135 };
136 
137 static const unsigned char FSb2[256] =
138 {
139  224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
140  70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
141  13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
142  77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
143  23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
144  191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
145  40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
146  253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
147  85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
148  32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
149  15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
150  164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
151  211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
152  240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
153  228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
154  128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
155 };
156 
157 static const unsigned char FSb3[256] =
158 {
159  56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
160  145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
161  67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
162  83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
163  197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
164  239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
165  10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
166  127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
167  85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
168  8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
169  195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
170  41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
171  244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
172  60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
173  57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
174  32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
175 };
176 
177 static const unsigned char FSb4[256] =
178 {
179  112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
180  134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
181  139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
182  20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
183  170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
184  135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
185  233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
186  114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
187  130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
188  184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
189  13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
190  88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
191  208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
192  92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
193  121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
194  7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
195 };
196 
197 #define SBOX1(n) FSb[(n)]
198 #define SBOX2(n) FSb2[(n)]
199 #define SBOX3(n) FSb3[(n)]
200 #define SBOX4(n) FSb4[(n)]
201 
202 #endif /* POLARSSL_CAMELLIA_SMALL_MEMORY */
203 
204 static const unsigned char shifts[2][4][4] =
205 {
206  {
207  { 1, 1, 1, 1 }, /* KL */
208  { 0, 0, 0, 0 }, /* KR */
209  { 1, 1, 1, 1 }, /* KA */
210  { 0, 0, 0, 0 } /* KB */
211  },
212  {
213  { 1, 0, 1, 1 }, /* KL */
214  { 1, 1, 0, 1 }, /* KR */
215  { 1, 1, 1, 0 }, /* KA */
216  { 1, 1, 0, 1 } /* KB */
217  }
218 };
219 
220 static const signed char indexes[2][4][20] =
221 {
222  {
223  { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
224  36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
225  { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
226  -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
227  { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
228  18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
229  { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
230  -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
231  },
232  {
233  { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
234  -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
235  { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
236  18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
237  { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
238  56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
239  { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
240  22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
241  }
242 };
243 
244 static const signed char transposes[2][20] =
245 {
246  {
247  21, 22, 23, 20,
248  -1, -1, -1, -1,
249  18, 19, 16, 17,
250  11, 8, 9, 10,
251  15, 12, 13, 14
252  },
253  {
254  25, 26, 27, 24,
255  29, 30, 31, 28,
256  18, 19, 16, 17,
257  -1, -1, -1, -1,
258  -1, -1, -1, -1
259  }
260 };
261 
262 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
263 #define ROTL(DEST, SRC, SHIFT) \
264 { \
265  (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
266  (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
267  (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
268  (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
269 }
270 
271 #define FL(XL, XR, KL, KR) \
272 { \
273  (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR); \
274  (XL) = ((XR) | (KR)) ^ (XL); \
275 }
276 
277 #define FLInv(YL, YR, KL, KR) \
278 { \
279  (YL) = ((YR) | (KR)) ^ (YL); \
280  (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR); \
281 }
282 
283 #define SHIFT_AND_PLACE(INDEX, OFFSET) \
284 { \
285  TK[0] = KC[(OFFSET) * 4 + 0]; \
286  TK[1] = KC[(OFFSET) * 4 + 1]; \
287  TK[2] = KC[(OFFSET) * 4 + 2]; \
288  TK[3] = KC[(OFFSET) * 4 + 3]; \
289  \
290  for( i = 1; i <= 4; i++ ) \
291  if( shifts[(INDEX)][(OFFSET)][i -1] ) \
292  ROTL(TK + i * 4, TK, ( 15 * i ) % 32); \
293  \
294  for( i = 0; i < 20; i++ ) \
295  if( indexes[(INDEX)][(OFFSET)][i] != -1 ) { \
296  RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ]; \
297  } \
298 }
299 
300 static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
301  uint32_t z[2])
302 {
303  uint32_t I0, I1;
304  I0 = x[0] ^ k[0];
305  I1 = x[1] ^ k[1];
306 
307  I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
308  (SBOX2((I0 >> 16) & 0xFF) << 16) |
309  (SBOX3((I0 >> 8) & 0xFF) << 8) |
310  (SBOX4((I0 ) & 0xFF) );
311  I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
312  (SBOX3((I1 >> 16) & 0xFF) << 16) |
313  (SBOX4((I1 >> 8) & 0xFF) << 8) |
314  (SBOX1((I1 ) & 0xFF) );
315 
316  I0 ^= (I1 << 8) | (I1 >> 24);
317  I1 ^= (I0 << 16) | (I0 >> 16);
318  I0 ^= (I1 >> 8) | (I1 << 24);
319  I1 ^= (I0 >> 8) | (I0 << 24);
320 
321  z[0] ^= I1;
322  z[1] ^= I0;
323 }
324 
325 void camellia_init( camellia_context *ctx )
326 {
327  memset( ctx, 0, sizeof( camellia_context ) );
328 }
329 
330 void camellia_free( camellia_context *ctx )
331 {
332  if( ctx == NULL )
333  return;
334 
335  polarssl_zeroize( ctx, sizeof( camellia_context ) );
336 }
337 
338 /*
339  * Camellia key schedule (encryption)
340  */
341 int camellia_setkey_enc( camellia_context *ctx, const unsigned char *key,
342  unsigned int keysize )
343 {
344  int idx;
345  size_t i;
346  uint32_t *RK;
347  unsigned char t[64];
348  uint32_t SIGMA[6][2];
349  uint32_t KC[16];
350  uint32_t TK[20];
351 
352  RK = ctx->rk;
353 
354  memset( t, 0, 64 );
355  memset( RK, 0, sizeof(ctx->rk) );
356 
357  switch( keysize )
358  {
359  case 128: ctx->nr = 3; idx = 0; break;
360  case 192:
361  case 256: ctx->nr = 4; idx = 1; break;
362  default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
363  }
364 
365  for( i = 0; i < keysize / 8; ++i )
366  t[i] = key[i];
367 
368  if( keysize == 192 ) {
369  for( i = 0; i < 8; i++ )
370  t[24 + i] = ~t[16 + i];
371  }
372 
373  /*
374  * Prepare SIGMA values
375  */
376  for( i = 0; i < 6; i++ ) {
377  GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
378  GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
379  }
380 
381  /*
382  * Key storage in KC
383  * Order: KL, KR, KA, KB
384  */
385  memset( KC, 0, sizeof(KC) );
386 
387  /* Store KL, KR */
388  for( i = 0; i < 8; i++ )
389  GET_UINT32_BE( KC[i], t, i * 4 );
390 
391  /* Generate KA */
392  for( i = 0; i < 4; ++i )
393  KC[8 + i] = KC[i] ^ KC[4 + i];
394 
395  camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
396  camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
397 
398  for( i = 0; i < 4; ++i )
399  KC[8 + i] ^= KC[i];
400 
401  camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
402  camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
403 
404  if( keysize > 128 ) {
405  /* Generate KB */
406  for( i = 0; i < 4; ++i )
407  KC[12 + i] = KC[4 + i] ^ KC[8 + i];
408 
409  camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
410  camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
411  }
412 
413  /*
414  * Generating subkeys
415  */
416 
417  /* Manipulating KL */
418  SHIFT_AND_PLACE( idx, 0 );
419 
420  /* Manipulating KR */
421  if( keysize > 128 ) {
422  SHIFT_AND_PLACE( idx, 1 );
423  }
424 
425  /* Manipulating KA */
426  SHIFT_AND_PLACE( idx, 2 );
427 
428  /* Manipulating KB */
429  if( keysize > 128 ) {
430  SHIFT_AND_PLACE( idx, 3 );
431  }
432 
433  /* Do transpositions */
434  for( i = 0; i < 20; i++ ) {
435  if( transposes[idx][i] != -1 ) {
436  RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
437  }
438  }
439 
440  return( 0 );
441 }
442 
443 /*
444  * Camellia key schedule (decryption)
445  */
446 int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key,
447  unsigned int keysize )
448 {
449  int idx, ret;
450  size_t i;
451  camellia_context cty;
452  uint32_t *RK;
453  uint32_t *SK;
454 
455  camellia_init( &cty );
456 
457  /* Also checks keysize */
458  if( ( ret = camellia_setkey_enc( &cty, key, keysize ) ) )
459  goto exit;
460 
461  ctx->nr = cty.nr;
462  idx = ( ctx->nr == 4 );
463 
464  RK = ctx->rk;
465  SK = cty.rk + 24 * 2 + 8 * idx * 2;
466 
467  *RK++ = *SK++;
468  *RK++ = *SK++;
469  *RK++ = *SK++;
470  *RK++ = *SK++;
471 
472  for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
473  {
474  *RK++ = *SK++;
475  *RK++ = *SK++;
476  }
477 
478  SK -= 2;
479 
480  *RK++ = *SK++;
481  *RK++ = *SK++;
482  *RK++ = *SK++;
483  *RK++ = *SK++;
484 
485 exit:
486  camellia_free( &cty );
487 
488  return( ret );
489 }
490 
491 /*
492  * Camellia-ECB block encryption/decryption
493  */
495  int mode,
496  const unsigned char input[16],
497  unsigned char output[16] )
498 {
499  int NR;
500  uint32_t *RK, X[4];
501 
502  ( (void) mode );
503 
504  NR = ctx->nr;
505  RK = ctx->rk;
506 
507  GET_UINT32_BE( X[0], input, 0 );
508  GET_UINT32_BE( X[1], input, 4 );
509  GET_UINT32_BE( X[2], input, 8 );
510  GET_UINT32_BE( X[3], input, 12 );
511 
512  X[0] ^= *RK++;
513  X[1] ^= *RK++;
514  X[2] ^= *RK++;
515  X[3] ^= *RK++;
516 
517  while( NR ) {
518  --NR;
519  camellia_feistel( X, RK, X + 2 );
520  RK += 2;
521  camellia_feistel( X + 2, RK, X );
522  RK += 2;
523  camellia_feistel( X, RK, X + 2 );
524  RK += 2;
525  camellia_feistel( X + 2, RK, X );
526  RK += 2;
527  camellia_feistel( X, RK, X + 2 );
528  RK += 2;
529  camellia_feistel( X + 2, RK, X );
530  RK += 2;
531 
532  if( NR ) {
533  FL(X[0], X[1], RK[0], RK[1]);
534  RK += 2;
535  FLInv(X[2], X[3], RK[0], RK[1]);
536  RK += 2;
537  }
538  }
539 
540  X[2] ^= *RK++;
541  X[3] ^= *RK++;
542  X[0] ^= *RK++;
543  X[1] ^= *RK++;
544 
545  PUT_UINT32_BE( X[2], output, 0 );
546  PUT_UINT32_BE( X[3], output, 4 );
547  PUT_UINT32_BE( X[0], output, 8 );
548  PUT_UINT32_BE( X[1], output, 12 );
549 
550  return( 0 );
551 }
552 
553 #if defined(POLARSSL_CIPHER_MODE_CBC)
554 /*
555  * Camellia-CBC buffer encryption/decryption
556  */
558  int mode,
559  size_t length,
560  unsigned char iv[16],
561  const unsigned char *input,
562  unsigned char *output )
563 {
564  int i;
565  unsigned char temp[16];
566 
567  if( length % 16 )
569 
570  if( mode == CAMELLIA_DECRYPT )
571  {
572  while( length > 0 )
573  {
574  memcpy( temp, input, 16 );
575  camellia_crypt_ecb( ctx, mode, input, output );
576 
577  for( i = 0; i < 16; i++ )
578  output[i] = (unsigned char)( output[i] ^ iv[i] );
579 
580  memcpy( iv, temp, 16 );
581 
582  input += 16;
583  output += 16;
584  length -= 16;
585  }
586  }
587  else
588  {
589  while( length > 0 )
590  {
591  for( i = 0; i < 16; i++ )
592  output[i] = (unsigned char)( input[i] ^ iv[i] );
593 
594  camellia_crypt_ecb( ctx, mode, output, output );
595  memcpy( iv, output, 16 );
596 
597  input += 16;
598  output += 16;
599  length -= 16;
600  }
601  }
602 
603  return( 0 );
604 }
605 #endif /* POLARSSL_CIPHER_MODE_CBC */
606 
607 #if defined(POLARSSL_CIPHER_MODE_CFB)
608 /*
609  * Camellia-CFB128 buffer encryption/decryption
610  */
612  int mode,
613  size_t length,
614  size_t *iv_off,
615  unsigned char iv[16],
616  const unsigned char *input,
617  unsigned char *output )
618 {
619  int c;
620  size_t n = *iv_off;
621 
622  if( mode == CAMELLIA_DECRYPT )
623  {
624  while( length-- )
625  {
626  if( n == 0 )
627  camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
628 
629  c = *input++;
630  *output++ = (unsigned char)( c ^ iv[n] );
631  iv[n] = (unsigned char) c;
632 
633  n = ( n + 1 ) & 0x0F;
634  }
635  }
636  else
637  {
638  while( length-- )
639  {
640  if( n == 0 )
641  camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
642 
643  iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
644 
645  n = ( n + 1 ) & 0x0F;
646  }
647  }
648 
649  *iv_off = n;
650 
651  return( 0 );
652 }
653 #endif /* POLARSSL_CIPHER_MODE_CFB */
654 
655 #if defined(POLARSSL_CIPHER_MODE_CTR)
656 /*
657  * Camellia-CTR buffer encryption/decryption
658  */
660  size_t length,
661  size_t *nc_off,
662  unsigned char nonce_counter[16],
663  unsigned char stream_block[16],
664  const unsigned char *input,
665  unsigned char *output )
666 {
667  int c, i;
668  size_t n = *nc_off;
669 
670  while( length-- )
671  {
672  if( n == 0 ) {
673  camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, nonce_counter,
674  stream_block );
675 
676  for( i = 16; i > 0; i-- )
677  if( ++nonce_counter[i - 1] != 0 )
678  break;
679  }
680  c = *input++;
681  *output++ = (unsigned char)( c ^ stream_block[n] );
682 
683  n = ( n + 1 ) & 0x0F;
684  }
685 
686  *nc_off = n;
687 
688  return( 0 );
689 }
690 #endif /* POLARSSL_CIPHER_MODE_CTR */
691 #endif /* !POLARSSL_CAMELLIA_ALT */
692 
693 #if defined(POLARSSL_SELF_TEST)
694 
695 #include <stdio.h>
696 
697 /*
698  * Camellia test vectors from:
699  *
700  * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
701  * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
702  * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
703  * (For each bitlength: Key 0, Nr 39)
704  */
705 #define CAMELLIA_TESTS_ECB 2
706 
707 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
708 {
709  {
710  { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
711  0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
712  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
713  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
714  },
715  {
716  { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
717  0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
718  0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
719  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
720  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
721  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
722  },
723  {
724  { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
725  0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
726  0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
727  0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
728  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
729  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
730  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
731  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
732  },
733 };
734 
735 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
736 {
737  { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
738  0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
739  { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
740  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
741 };
742 
743 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
744 {
745  {
746  { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
747  0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
748  { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
749  0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
750  },
751  {
752  { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
753  0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
754  { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
755  0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
756  },
757  {
758  { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
759  0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
760  { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
761  0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
762  }
763 };
764 
765 #if defined(POLARSSL_CIPHER_MODE_CBC)
766 #define CAMELLIA_TESTS_CBC 3
767 
768 static const unsigned char camellia_test_cbc_key[3][32] =
769 {
770  { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
771  0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
772  ,
773  { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
774  0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
775  0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
776  ,
777  { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
778  0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
779  0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
780  0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
781 };
782 
783 static const unsigned char camellia_test_cbc_iv[16] =
784 
785  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
786  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
787 ;
788 
789 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
790 {
791  { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
792  0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
793  { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
794  0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
795  { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
796  0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
797 
798 };
799 
800 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
801 {
802  {
803  { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
804  0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
805  { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
806  0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
807  { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
808  0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
809  },
810  {
811  { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
812  0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
813  { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
814  0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
815  { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
816  0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
817  },
818  {
819  { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
820  0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
821  { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
822  0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
823  { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
824  0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
825  }
826 };
827 #endif /* POLARSSL_CIPHER_MODE_CBC */
828 
829 #if defined(POLARSSL_CIPHER_MODE_CTR)
830 /*
831  * Camellia-CTR test vectors from:
832  *
833  * http://www.faqs.org/rfcs/rfc5528.html
834  */
835 
836 static const unsigned char camellia_test_ctr_key[3][16] =
837 {
838  { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
839  0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
840  { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
841  0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
842  { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
843  0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
844 };
845 
846 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
847 {
848  { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
849  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
850  { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
851  0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
852  { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
853  0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
854 };
855 
856 static const unsigned char camellia_test_ctr_pt[3][48] =
857 {
858  { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
859  0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
860 
861  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
862  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
863  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
864  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
865 
866  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
867  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
868  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
869  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
870  0x20, 0x21, 0x22, 0x23 }
871 };
872 
873 static const unsigned char camellia_test_ctr_ct[3][48] =
874 {
875  { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
876  0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
877  { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
878  0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
879  0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
880  0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
881  { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
882  0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
883  0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
884  0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
885  0xDF, 0x50, 0x86, 0x96 }
886 };
887 
888 static const int camellia_test_ctr_len[3] =
889  { 16, 32, 36 };
890 #endif /* POLARSSL_CIPHER_MODE_CTR */
891 
892 /*
893  * Checkup routine
894  */
895 int camellia_self_test( int verbose )
896 {
897  int i, j, u, v;
898  unsigned char key[32];
899  unsigned char buf[64];
900  unsigned char src[16];
901  unsigned char dst[16];
902 #if defined(POLARSSL_CIPHER_MODE_CBC)
903  unsigned char iv[16];
904 #endif
905 #if defined(POLARSSL_CIPHER_MODE_CTR)
906  size_t offset, len;
907  unsigned char nonce_counter[16];
908  unsigned char stream_block[16];
909 #endif
910 
911  camellia_context ctx;
912 
913  memset( key, 0, 32 );
914 
915  for( j = 0; j < 6; j++ ) {
916  u = j >> 1;
917  v = j & 1;
918 
919  if( verbose != 0 )
920  polarssl_printf( " CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
921  (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
922 
923  for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
924  memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
925 
926  if( v == CAMELLIA_DECRYPT ) {
927  camellia_setkey_dec( &ctx, key, 128 + u * 64 );
928  memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
929  memcpy( dst, camellia_test_ecb_plain[i], 16 );
930  } else { /* CAMELLIA_ENCRYPT */
931  camellia_setkey_enc( &ctx, key, 128 + u * 64 );
932  memcpy( src, camellia_test_ecb_plain[i], 16 );
933  memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
934  }
935 
936  camellia_crypt_ecb( &ctx, v, src, buf );
937 
938  if( memcmp( buf, dst, 16 ) != 0 )
939  {
940  if( verbose != 0 )
941  polarssl_printf( "failed\n" );
942 
943  return( 1 );
944  }
945  }
946 
947  if( verbose != 0 )
948  polarssl_printf( "passed\n" );
949  }
950 
951  if( verbose != 0 )
952  polarssl_printf( "\n" );
953 
954 #if defined(POLARSSL_CIPHER_MODE_CBC)
955  /*
956  * CBC mode
957  */
958  for( j = 0; j < 6; j++ )
959  {
960  u = j >> 1;
961  v = j & 1;
962 
963  if( verbose != 0 )
964  polarssl_printf( " CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
965  ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
966 
967  memcpy( src, camellia_test_cbc_iv, 16 );
968  memcpy( dst, camellia_test_cbc_iv, 16 );
969  memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
970 
971  if( v == CAMELLIA_DECRYPT ) {
972  camellia_setkey_dec( &ctx, key, 128 + u * 64 );
973  } else {
974  camellia_setkey_enc( &ctx, key, 128 + u * 64 );
975  }
976 
977  for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
978 
979  if( v == CAMELLIA_DECRYPT ) {
980  memcpy( iv , src, 16 );
981  memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
982  memcpy( dst, camellia_test_cbc_plain[i], 16 );
983  } else { /* CAMELLIA_ENCRYPT */
984  memcpy( iv , dst, 16 );
985  memcpy( src, camellia_test_cbc_plain[i], 16 );
986  memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
987  }
988 
989  camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
990 
991  if( memcmp( buf, dst, 16 ) != 0 )
992  {
993  if( verbose != 0 )
994  polarssl_printf( "failed\n" );
995 
996  return( 1 );
997  }
998  }
999 
1000  if( verbose != 0 )
1001  polarssl_printf( "passed\n" );
1002  }
1003 #endif /* POLARSSL_CIPHER_MODE_CBC */
1004 
1005  if( verbose != 0 )
1006  polarssl_printf( "\n" );
1007 
1008 #if defined(POLARSSL_CIPHER_MODE_CTR)
1009  /*
1010  * CTR mode
1011  */
1012  for( i = 0; i < 6; i++ )
1013  {
1014  u = i >> 1;
1015  v = i & 1;
1016 
1017  if( verbose != 0 )
1018  polarssl_printf( " CAMELLIA-CTR-128 (%s): ",
1019  ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
1020 
1021  memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
1022  memcpy( key, camellia_test_ctr_key[u], 16 );
1023 
1024  offset = 0;
1025  camellia_setkey_enc( &ctx, key, 128 );
1026 
1027  if( v == CAMELLIA_DECRYPT )
1028  {
1029  len = camellia_test_ctr_len[u];
1030  memcpy( buf, camellia_test_ctr_ct[u], len );
1031 
1032  camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1033  buf, buf );
1034 
1035  if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
1036  {
1037  if( verbose != 0 )
1038  polarssl_printf( "failed\n" );
1039 
1040  return( 1 );
1041  }
1042  }
1043  else
1044  {
1045  len = camellia_test_ctr_len[u];
1046  memcpy( buf, camellia_test_ctr_pt[u], len );
1047 
1048  camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1049  buf, buf );
1050 
1051  if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
1052  {
1053  if( verbose != 0 )
1054  polarssl_printf( "failed\n" );
1055 
1056  return( 1 );
1057  }
1058  }
1059 
1060  if( verbose != 0 )
1061  polarssl_printf( "passed\n" );
1062  }
1063 
1064  if( verbose != 0 )
1065  polarssl_printf( "\n" );
1066 #endif /* POLARSSL_CIPHER_MODE_CTR */
1067 
1068  return( 0 );
1069 }
1070 
1071 #endif /* POLARSSL_SELF_TEST */
1072 
1073 #endif /* POLARSSL_CAMELLIA_C */