PolarSSL v1.1.4
camellia.c
Go to the documentation of this file.
00001 /*
00002  *  Camellia implementation
00003  *
00004  *  Copyright (C) 2006-2010, Brainspark B.V.
00005  *
00006  *  This file is part of PolarSSL (http://www.polarssl.org)
00007  *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
00008  *
00009  *  All rights reserved.
00010  *
00011  *  This program is free software; you can redistribute it and/or modify
00012  *  it under the terms of the GNU General Public License as published by
00013  *  the Free Software Foundation; either version 2 of the License, or
00014  *  (at your option) any later version.
00015  *
00016  *  This program is distributed in the hope that it will be useful,
00017  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
00018  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00019  *  GNU General Public License for more details.
00020  *
00021  *  You should have received a copy of the GNU General Public License along
00022  *  with this program; if not, write to the Free Software Foundation, Inc.,
00023  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
00024  */
00025 /*
00026  *  The Camellia block cipher was designed by NTT and Mitsubishi Electric
00027  *  Corporation.
00028  *
00029  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
00030  */
00031 
00032 #include "polarssl/config.h"
00033 
00034 #if defined(POLARSSL_CAMELLIA_C)
00035 
00036 #include "polarssl/camellia.h"
00037 
00038 /*
00039  * 32-bit integer manipulation macros (big endian)
00040  */
00041 #ifndef GET_ULONG_BE
00042 #define GET_ULONG_BE(n,b,i)                             \
00043 {                                                       \
00044     (n) = ( (unsigned long) (b)[(i)    ] << 24 )        \
00045         | ( (unsigned long) (b)[(i) + 1] << 16 )        \
00046         | ( (unsigned long) (b)[(i) + 2] <<  8 )        \
00047         | ( (unsigned long) (b)[(i) + 3]       );       \
00048 }
00049 #endif
00050 
00051 #ifndef PUT_ULONG_BE
00052 #define PUT_ULONG_BE(n,b,i)                             \
00053 {                                                       \
00054     (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
00055     (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
00056     (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
00057     (b)[(i) + 3] = (unsigned char) ( (n)       );       \
00058 }
00059 #endif
00060 
00061 static const unsigned char SIGMA_CHARS[6][8] =
00062 {
00063     { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
00064     { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
00065     { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
00066     { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
00067     { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
00068     { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
00069 };
00070 
00071 #if defined(POLARSSL_CAMELLIA_SMALL_MEMORY)
00072 
00073 static const unsigned char FSb[256] =
00074 {
00075     112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
00076      35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
00077     134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
00078     166,225, 57,202,213, 71, 93, 61,217,  1, 90,214, 81, 86,108, 77,
00079     139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
00080     223, 76,203,194, 52,126,118,  5,109,183,169, 49,209, 23,  4,215,
00081      20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
00082     254, 68,207,178,195,181,122,145, 36,  8,232,168, 96,252,105, 80,
00083     170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
00084      16,196,  0, 72,163,247,117,219,138,  3,230,218,  9, 63,221,148,
00085     135, 92,131,  2,205, 74,144, 51,115,103,246,243,157,127,191,226,
00086      82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
00087     233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
00088     120,152,  6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
00089     114,  7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
00090      64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
00091 };
00092 
00093 #define SBOX1(n) FSb[(n)]
00094 #define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
00095 #define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
00096 #define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
00097 
00098 #else
00099 
00100 static const unsigned char FSb[256] =
00101 {
00102     112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
00103     35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
00104     134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
00105     166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
00106     139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
00107     223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
00108     20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
00109     254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
00110     170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
00111     16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
00112     135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
00113     82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
00114     233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
00115     120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
00116     114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
00117     64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
00118 };
00119 
00120 static const unsigned char FSb2[256] =
00121 {
00122     224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
00123     70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
00124     13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
00125     77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
00126     23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
00127     191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
00128     40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
00129     253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
00130     85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
00131     32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
00132     15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
00133     164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
00134     211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
00135     240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
00136     228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
00137     128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
00138 };
00139 
00140 static const unsigned char FSb3[256] =
00141 {
00142     56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
00143     145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
00144     67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
00145     83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
00146     197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
00147     239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
00148     10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
00149     127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
00150     85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
00151     8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
00152     195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
00153     41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
00154     244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
00155     60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
00156     57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
00157     32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
00158 };
00159 
00160 static const unsigned char FSb4[256] =
00161 {
00162     112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
00163     134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
00164     139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
00165     20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
00166     170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
00167     135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
00168     233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
00169     114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
00170     130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
00171     184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
00172     13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
00173     88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
00174     208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
00175     92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
00176     121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
00177     7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
00178 };
00179 
00180 #define SBOX1(n) FSb[(n)]
00181 #define SBOX2(n) FSb2[(n)]
00182 #define SBOX3(n) FSb3[(n)]
00183 #define SBOX4(n) FSb4[(n)]
00184 
00185 #endif
00186 
00187 static const unsigned char shifts[2][4][4] =
00188 {
00189     {
00190         { 1, 1, 1, 1 }, /* KL */
00191         { 0, 0, 0, 0 }, /* KR */
00192         { 1, 1, 1, 1 }, /* KA */
00193         { 0, 0, 0, 0 }  /* KB */
00194     },
00195     {
00196         { 1, 0, 1, 1 }, /* KL */
00197         { 1, 1, 0, 1 }, /* KR */
00198         { 1, 1, 1, 0 }, /* KA */
00199         { 1, 1, 0, 1 }  /* KB */
00200     }
00201 };
00202 
00203 static const signed char indexes[2][4][20] =
00204 {
00205     {
00206         {  0,  1,  2,  3,  8,  9, 10, 11, 38, 39,
00207           36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
00208         { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
00209           -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
00210         {  4,  5,  6,  7, 12, 13, 14, 15, 16, 17,
00211           18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
00212         { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
00213           -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }  /* KB -> RK */
00214     },
00215     {
00216         {  0,  1,  2,  3, 61, 62, 63, 60, -1, -1,
00217           -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
00218         { -1, -1, -1, -1,  8,  9, 10, 11, 16, 17,
00219           18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
00220         { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
00221           56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
00222         {  4,  5,  6,  7, 65, 66, 67, 64, 20, 21,
00223           22, 23, -1, -1, -1, -1, 43, 40, 41, 42 }  /* KB -> RK */
00224     }
00225 };
00226 
00227 static const signed char transposes[2][20] =
00228 {
00229     {
00230         21, 22, 23, 20,
00231         -1, -1, -1, -1,
00232         18, 19, 16, 17,
00233         11,  8,  9, 10,
00234         15, 12, 13, 14
00235     },
00236     {
00237         25, 26, 27, 24,
00238         29, 30, 31, 28,
00239         18, 19, 16, 17,
00240         -1, -1, -1, -1,
00241         -1, -1, -1, -1
00242     }
00243 };
00244 
00245 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
00246 #define ROTL(DEST, SRC, SHIFT)                                      \
00247 {                                                                   \
00248     (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
00249     (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
00250     (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
00251     (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
00252 }
00253 
00254 #define FL(XL, XR, KL, KR)                                          \
00255 {                                                                   \
00256     (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR);   \
00257     (XL) = ((XR) | (KR)) ^ (XL);                                    \
00258 }
00259     
00260 #define FLInv(YL, YR, KL, KR)                                       \
00261 {                                                                   \
00262     (YL) = ((YR) | (KR)) ^ (YL);                                    \
00263     (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR);   \
00264 }
00265     
00266 #define SHIFT_AND_PLACE(INDEX, OFFSET)                      \
00267 {                                                           \
00268     TK[0] = KC[(OFFSET) * 4 + 0];                           \
00269     TK[1] = KC[(OFFSET) * 4 + 1];                           \
00270     TK[2] = KC[(OFFSET) * 4 + 2];                           \
00271     TK[3] = KC[(OFFSET) * 4 + 3];                           \
00272                                                             \
00273     for ( i = 1; i <= 4; i++ )                              \
00274         if (shifts[(INDEX)][(OFFSET)][i -1])                \
00275             ROTL(TK + i * 4, TK, (15 * i) % 32);            \
00276                                                             \
00277     for ( i = 0; i < 20; i++ )                              \
00278         if (indexes[(INDEX)][(OFFSET)][i] != -1) {          \
00279         RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ];        \
00280     }                                                       \
00281 }
00282 
00283 static void camellia_feistel(const uint32_t x[2], const uint32_t k[2], uint32_t z[2])
00284 {
00285     uint32_t I0, I1;
00286     I0 = x[0] ^ k[0];
00287     I1 = x[1] ^ k[1];
00288 
00289     I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
00290          (SBOX2((I0 >> 16) & 0xFF) << 16) |
00291          (SBOX3((I0 >>  8) & 0xFF) <<  8) |
00292          (SBOX4((I0      ) & 0xFF)      );
00293     I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
00294          (SBOX3((I1 >> 16) & 0xFF) << 16) |
00295          (SBOX4((I1 >>  8) & 0xFF) <<  8) |
00296          (SBOX1((I1      ) & 0xFF)      );
00297 
00298     I0 ^= (I1 << 8) | (I1 >> 24);
00299     I1 ^= (I0 << 16) | (I0 >> 16);
00300     I0 ^= (I1 >> 8) | (I1 << 24);
00301     I1 ^= (I0 >> 8) | (I0 << 24);
00302 
00303     z[0] ^= I1;
00304     z[1] ^= I0;
00305 }
00306 
00307 /*
00308  * Camellia key schedule (encryption)
00309  */
00310 int camellia_setkey_enc( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
00311 {
00312     int idx;
00313     size_t i;
00314     uint32_t *RK;
00315     unsigned char t[64];
00316     uint32_t SIGMA[6][2];
00317     uint32_t KC[16];
00318     uint32_t TK[20];
00319 
00320     RK = ctx->rk;
00321 
00322     memset(t, 0, 64);
00323     memset(RK, 0, sizeof(ctx->rk));
00324 
00325     switch( keysize )
00326     {
00327         case 128: ctx->nr = 3; idx = 0; break;
00328         case 192:
00329         case 256: ctx->nr = 4; idx = 1; break;
00330         default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
00331     }
00332 
00333     for( i = 0; i < keysize / 8; ++i)
00334         t[i] = key[i];
00335 
00336     if (keysize == 192) {
00337         for (i = 0; i < 8; i++)
00338             t[24 + i] = ~t[16 + i];
00339     }
00340 
00341     /*
00342      * Prepare SIGMA values
00343      */
00344     for (i = 0; i < 6; i++) {
00345         GET_ULONG_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
00346         GET_ULONG_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
00347     }
00348 
00349     /*
00350      * Key storage in KC
00351      * Order: KL, KR, KA, KB
00352      */
00353     memset(KC, 0, sizeof(KC));
00354 
00355     /* Store KL, KR */
00356     for (i = 0; i < 8; i++)
00357         GET_ULONG_BE(KC[i], t, i * 4);
00358 
00359     /* Generate KA */
00360     for( i = 0; i < 4; ++i)
00361         KC[8 + i] = KC[i] ^ KC[4 + i];
00362 
00363     camellia_feistel(KC + 8, SIGMA[0], KC + 10);
00364     camellia_feistel(KC + 10, SIGMA[1], KC + 8);
00365 
00366     for( i = 0; i < 4; ++i)
00367         KC[8 + i] ^= KC[i];
00368 
00369     camellia_feistel(KC + 8, SIGMA[2], KC + 10);
00370     camellia_feistel(KC + 10, SIGMA[3], KC + 8);
00371 
00372     if (keysize > 128) {
00373         /* Generate KB */
00374         for( i = 0; i < 4; ++i)
00375             KC[12 + i] = KC[4 + i] ^ KC[8 + i];
00376 
00377         camellia_feistel(KC + 12, SIGMA[4], KC + 14);
00378         camellia_feistel(KC + 14, SIGMA[5], KC + 12);
00379     }
00380 
00381     /*
00382      * Generating subkeys
00383      */ 
00384 
00385     /* Manipulating KL */
00386     SHIFT_AND_PLACE(idx, 0);
00387 
00388     /* Manipulating KR */
00389     if (keysize > 128) {
00390         SHIFT_AND_PLACE(idx, 1);
00391     }
00392 
00393     /* Manipulating KA */
00394     SHIFT_AND_PLACE(idx, 2);
00395 
00396     /* Manipulating KB */
00397     if (keysize > 128) {
00398         SHIFT_AND_PLACE(idx, 3);
00399     }
00400 
00401     /* Do transpositions */
00402     for ( i = 0; i < 20; i++ ) {
00403         if (transposes[idx][i] != -1) {
00404             RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
00405         }
00406     }
00407 
00408     return( 0 );
00409 }
00410 
00411 /*
00412  * Camellia key schedule (decryption)
00413  */
00414 int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
00415 {
00416     int idx;
00417     size_t i;
00418     camellia_context cty;
00419     uint32_t *RK;
00420     uint32_t *SK;
00421     int ret;
00422 
00423     switch( keysize )
00424     {
00425         case 128: ctx->nr = 3; idx = 0; break;
00426         case 192:
00427         case 256: ctx->nr = 4; idx = 1; break;
00428         default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
00429     }
00430 
00431     RK = ctx->rk;
00432 
00433     ret = camellia_setkey_enc(&cty, key, keysize);
00434     if( ret != 0 )
00435         return( ret );
00436 
00437     SK = cty.rk + 24 * 2 + 8 * idx * 2;
00438 
00439     *RK++ = *SK++;
00440     *RK++ = *SK++;
00441     *RK++ = *SK++;
00442     *RK++ = *SK++;
00443 
00444     for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
00445     {
00446         *RK++ = *SK++;
00447         *RK++ = *SK++;
00448     }
00449 
00450     SK -= 2;
00451 
00452     *RK++ = *SK++;
00453     *RK++ = *SK++;
00454     *RK++ = *SK++;
00455     *RK++ = *SK++;
00456 
00457     memset( &cty, 0, sizeof( camellia_context ) );
00458 
00459     return( 0 );
00460 }
00461 
00462 /*
00463  * Camellia-ECB block encryption/decryption
00464  */
00465 int camellia_crypt_ecb( camellia_context *ctx,
00466                     int mode,
00467                     const unsigned char input[16],
00468                     unsigned char output[16] )
00469 {
00470     int NR;
00471     uint32_t *RK, X[4];
00472 
00473     ( (void) mode );
00474 
00475     NR = ctx->nr;
00476     RK = ctx->rk;
00477 
00478     GET_ULONG_BE( X[0], input,  0 );
00479     GET_ULONG_BE( X[1], input,  4 );
00480     GET_ULONG_BE( X[2], input,  8 );
00481     GET_ULONG_BE( X[3], input, 12 );
00482 
00483     X[0] ^= *RK++;
00484     X[1] ^= *RK++;
00485     X[2] ^= *RK++;
00486     X[3] ^= *RK++;
00487 
00488     while (NR) {
00489         --NR;
00490         camellia_feistel(X, RK, X + 2);
00491         RK += 2;
00492         camellia_feistel(X + 2, RK, X);
00493         RK += 2;
00494         camellia_feistel(X, RK, X + 2);
00495         RK += 2;
00496         camellia_feistel(X + 2, RK, X);
00497         RK += 2;
00498         camellia_feistel(X, RK, X + 2);
00499         RK += 2;
00500         camellia_feistel(X + 2, RK, X);
00501         RK += 2;
00502 
00503         if (NR) {
00504             FL(X[0], X[1], RK[0], RK[1]);
00505             RK += 2;
00506             FLInv(X[2], X[3], RK[0], RK[1]);
00507             RK += 2;
00508         }
00509     }
00510 
00511     X[2] ^= *RK++;
00512     X[3] ^= *RK++;
00513     X[0] ^= *RK++;
00514     X[1] ^= *RK++;
00515 
00516     PUT_ULONG_BE( X[2], output,  0 );
00517     PUT_ULONG_BE( X[3], output,  4 );
00518     PUT_ULONG_BE( X[0], output,  8 );
00519     PUT_ULONG_BE( X[1], output, 12 );
00520 
00521     return( 0 );
00522 }
00523 
00524 /*
00525  * Camellia-CBC buffer encryption/decryption
00526  */
00527 int camellia_crypt_cbc( camellia_context *ctx,
00528                     int mode,
00529                     size_t length,
00530                     unsigned char iv[16],
00531                     const unsigned char *input,
00532                     unsigned char *output )
00533 {
00534     int i;
00535     unsigned char temp[16];
00536 
00537     if( length % 16 )
00538         return( POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
00539 
00540     if( mode == CAMELLIA_DECRYPT )
00541     {
00542         while( length > 0 )
00543         {
00544             memcpy( temp, input, 16 );
00545             camellia_crypt_ecb( ctx, mode, input, output );
00546 
00547             for( i = 0; i < 16; i++ )
00548                 output[i] = (unsigned char)( output[i] ^ iv[i] );
00549 
00550             memcpy( iv, temp, 16 );
00551 
00552             input  += 16;
00553             output += 16;
00554             length -= 16;
00555         }
00556     }
00557     else
00558     {
00559         while( length > 0 )
00560         {
00561             for( i = 0; i < 16; i++ )
00562                 output[i] = (unsigned char)( input[i] ^ iv[i] );
00563 
00564             camellia_crypt_ecb( ctx, mode, output, output );
00565             memcpy( iv, output, 16 );
00566 
00567             input  += 16;
00568             output += 16;
00569             length -= 16;
00570         }
00571     }
00572 
00573     return( 0 );
00574 }
00575 
00576 #if defined(POLARSSL_CIPHER_MODE_CFB)
00577 /*
00578  * Camellia-CFB128 buffer encryption/decryption
00579  */
00580 int camellia_crypt_cfb128( camellia_context *ctx,
00581                        int mode,
00582                        size_t length,
00583                        size_t *iv_off,
00584                        unsigned char iv[16],
00585                        const unsigned char *input,
00586                        unsigned char *output )
00587 {
00588     int c;
00589     size_t n = *iv_off;
00590 
00591     if( mode == CAMELLIA_DECRYPT )
00592     {
00593         while( length-- )
00594         {
00595             if( n == 0 )
00596                 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
00597 
00598             c = *input++;
00599             *output++ = (unsigned char)( c ^ iv[n] );
00600             iv[n] = (unsigned char) c;
00601 
00602             n = (n + 1) & 0x0F;
00603         }
00604     }
00605     else
00606     {
00607         while( length-- )
00608         {
00609             if( n == 0 )
00610                 camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
00611 
00612             iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
00613 
00614             n = (n + 1) & 0x0F;
00615         }
00616     }
00617 
00618     *iv_off = n;
00619 
00620     return( 0 );
00621 }
00622 #endif /* POLARSSL_CIPHER_MODE_CFB */
00623 
00624 #if defined(POLARSSL_CIPHER_MODE_CTR)
00625 /*
00626  * Camellia-CTR buffer encryption/decryption
00627  */
00628 int camellia_crypt_ctr( camellia_context *ctx,
00629                        size_t length,
00630                        size_t *nc_off,
00631                        unsigned char nonce_counter[16],
00632                        unsigned char stream_block[16],
00633                        const unsigned char *input,
00634                        unsigned char *output )
00635 {
00636     int c, i, cb;
00637     size_t n = *nc_off;
00638 
00639     while( length-- )
00640     {
00641         if( n == 0 ) {
00642             camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, nonce_counter, stream_block );
00643 
00644             i = 15;
00645             do {
00646                nonce_counter[i]++;
00647                cb = nonce_counter[i] == 0;
00648             } while( i-- && cb );
00649 
00650         }
00651         c = *input++;
00652         *output++ = (unsigned char)( c ^ stream_block[n] );
00653 
00654         n = (n + 1) & 0x0F;
00655     }
00656 
00657     *nc_off = n;
00658 
00659     return( 0 );
00660 }
00661 #endif /* POLARSSL_CIPHER_MODE_CTR */
00662 
00663 #if defined(POLARSSL_SELF_TEST)
00664 
00665 #include <stdio.h>
00666 
00667 /*
00668  * Camellia test vectors from:
00669  *
00670  * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
00671  *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
00672  *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
00673  *                      (For each bitlength: Key 0, Nr 39)
00674  */
00675 #define CAMELLIA_TESTS_ECB  2
00676 
00677 static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
00678 {
00679     {
00680         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
00681           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
00682         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
00683           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
00684     },
00685     {
00686         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
00687           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
00688           0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
00689         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
00690           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00691           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
00692     },
00693     {
00694         { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
00695           0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
00696           0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
00697           0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
00698         { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
00699           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00700           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00701           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
00702     },
00703 };
00704 
00705 static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
00706 {
00707     { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
00708       0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
00709     { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 
00710       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
00711 };
00712 
00713 static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
00714 {
00715     {
00716         { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
00717           0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
00718         { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
00719           0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
00720     },
00721     {
00722         { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
00723           0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
00724         { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
00725           0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
00726     },
00727     {
00728         { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
00729           0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
00730         { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
00731           0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
00732     }
00733 };
00734 
00735 #define CAMELLIA_TESTS_CBC  3
00736 
00737 static const unsigned char camellia_test_cbc_key[3][32] =
00738 {
00739         { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
00740           0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
00741     ,
00742         { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
00743           0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
00744           0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
00745     ,
00746         { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
00747           0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
00748           0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
00749           0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
00750 };
00751 
00752 static const unsigned char camellia_test_cbc_iv[16] =
00753 
00754     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
00755       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
00756 ;
00757 
00758 static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
00759 {
00760     { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
00761       0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
00762     { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
00763       0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
00764     { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
00765       0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
00766 
00767 };
00768 
00769 static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
00770 {
00771     {
00772         { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
00773           0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
00774         { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
00775           0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
00776         { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
00777           0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
00778     },
00779     {
00780         { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
00781           0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
00782         { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
00783           0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
00784         { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
00785           0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
00786     },
00787     {
00788         { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
00789           0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
00790         { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
00791           0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
00792         { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
00793           0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
00794     }
00795 };
00796 
00797 #if defined(POLARSSL_CIPHER_MODE_CTR)
00798 /*
00799  * Camellia-CTR test vectors from:
00800  *
00801  * http://www.faqs.org/rfcs/rfc5528.html
00802  */
00803 
00804 static const unsigned char camellia_test_ctr_key[3][16] =
00805 {
00806     { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
00807       0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
00808     { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
00809       0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
00810     { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
00811       0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
00812 };
00813 
00814 static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
00815 {
00816     { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
00817       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
00818     { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
00819       0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
00820     { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
00821       0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
00822 };
00823 
00824 static const unsigned char camellia_test_ctr_pt[3][48] =
00825 {
00826     { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
00827       0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
00828 
00829     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
00830       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
00831       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
00832       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
00833 
00834     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
00835       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
00836       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
00837       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
00838       0x20, 0x21, 0x22, 0x23 }
00839 };
00840 
00841 static const unsigned char camellia_test_ctr_ct[3][48] =
00842 {
00843     { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
00844       0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
00845     { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
00846       0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
00847       0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
00848       0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
00849     { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
00850       0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
00851       0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
00852       0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
00853       0xDF, 0x50, 0x86, 0x96 }
00854 };
00855 
00856 static const int camellia_test_ctr_len[3] =
00857     { 16, 32, 36 };
00858 #endif /* POLARSSL_CIPHER_MODE_CTR */
00859 
00860 /*
00861  * Checkup routine
00862  */
00863 int camellia_self_test( int verbose )
00864 {
00865     int i, j, u, v;
00866     unsigned char key[32];
00867     unsigned char buf[64];
00868     unsigned char src[16];
00869     unsigned char dst[16];
00870     unsigned char iv[16];
00871 #if defined(POLARSSL_CIPHER_MODE_CTR)
00872     size_t offset, len;
00873     unsigned char nonce_counter[16];
00874     unsigned char stream_block[16];
00875 #endif
00876 
00877     camellia_context ctx;
00878 
00879     memset( key, 0, 32 );
00880 
00881     for (j = 0; j < 6; j++) {
00882         u = j >> 1;
00883     v = j & 1;
00884 
00885     if( verbose != 0 )
00886         printf( "  CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
00887                 (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
00888 
00889     for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
00890         memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
00891 
00892         if (v == CAMELLIA_DECRYPT) {
00893             camellia_setkey_dec(&ctx, key, 128 + u * 64);
00894             memcpy(src, camellia_test_ecb_cipher[u][i], 16);
00895             memcpy(dst, camellia_test_ecb_plain[i], 16);
00896         } else { /* CAMELLIA_ENCRYPT */
00897             camellia_setkey_enc(&ctx, key, 128 + u * 64);
00898             memcpy(src, camellia_test_ecb_plain[i], 16);
00899             memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
00900         }
00901 
00902         camellia_crypt_ecb(&ctx, v, src, buf);
00903 
00904         if( memcmp( buf, dst, 16 ) != 0 )
00905         {
00906             if( verbose != 0 )
00907                 printf( "failed\n" );
00908 
00909             return( 1 );
00910         }
00911     }
00912 
00913     if( verbose != 0 )
00914         printf( "passed\n" );
00915     }
00916 
00917     if( verbose != 0 )
00918         printf( "\n" );
00919 
00920     /*
00921      * CBC mode
00922      */
00923     for( j = 0; j < 6; j++ )
00924     {
00925         u = j >> 1;
00926         v = j  & 1;
00927 
00928         if( verbose != 0 )
00929             printf( "  CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
00930                     ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
00931 
00932     memcpy( src, camellia_test_cbc_iv, 16);
00933     memcpy( dst, camellia_test_cbc_iv, 16);
00934     memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
00935 
00936     if (v == CAMELLIA_DECRYPT) {
00937         camellia_setkey_dec(&ctx, key, 128 + u * 64);
00938     } else {
00939         camellia_setkey_enc(&ctx, key, 128 + u * 64);
00940     }
00941 
00942     for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
00943 
00944         if (v == CAMELLIA_DECRYPT) {
00945             memcpy( iv , src, 16 );
00946             memcpy(src, camellia_test_cbc_cipher[u][i], 16);
00947             memcpy(dst, camellia_test_cbc_plain[i], 16);
00948         } else { /* CAMELLIA_ENCRYPT */
00949             memcpy( iv , dst, 16 );
00950             memcpy(src, camellia_test_cbc_plain[i], 16);
00951             memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
00952         }
00953 
00954         camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
00955 
00956         if( memcmp( buf, dst, 16 ) != 0 )
00957         {
00958             if( verbose != 0 )
00959                 printf( "failed\n" );
00960 
00961             return( 1 );
00962         }
00963     }
00964 
00965         if( verbose != 0 )
00966             printf( "passed\n" );
00967     }
00968 
00969     if( verbose != 0 )
00970         printf( "\n" );
00971 
00972 #if defined(POLARSSL_CIPHER_MODE_CTR)
00973     /*
00974      * CTR mode
00975      */
00976     for( i = 0; i < 6; i++ )
00977     {
00978         u = i >> 1;
00979         v = i  & 1;
00980 
00981         if( verbose != 0 )
00982             printf( "  CAMELLIA-CTR-128 (%s): ",
00983                     ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
00984 
00985         memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
00986         memcpy( key, camellia_test_ctr_key[u], 16 );
00987 
00988         offset = 0;
00989         camellia_setkey_enc( &ctx, key, 128 );
00990 
00991         if( v == CAMELLIA_DECRYPT )
00992         {
00993             len = camellia_test_ctr_len[u];
00994             memcpy( buf, camellia_test_ctr_ct[u], len );
00995 
00996             camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
00997 
00998             if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
00999             {
01000                 if( verbose != 0 )
01001                     printf( "failed\n" );
01002 
01003                 return( 1 );
01004             }
01005         }
01006         else
01007         {
01008             len = camellia_test_ctr_len[u];
01009             memcpy( buf, camellia_test_ctr_pt[u], len );
01010 
01011             camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
01012 
01013             if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
01014             {
01015                 if( verbose != 0 )
01016                     printf( "failed\n" );
01017 
01018                 return( 1 );
01019             }
01020         }
01021 
01022         if( verbose != 0 )
01023             printf( "passed\n" );
01024     }
01025 
01026     if( verbose != 0 )
01027         printf( "\n" );
01028 #endif /* POLARSSL_CIPHER_MODE_CTR */
01029 
01030     return ( 0 );
01031 }
01032 
01033 #endif
01034 
01035 #endif