/*
* An implementation of the CAMELLIA algorithm as mentioned in RFC3713
* Copyright (c) 2014 Supraja Meedinti
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include "camellia.h"
#include "common.h"
#include "intreadwrite.h"
#include "attributes.h"
#define LR32(x,c) ((x) << (c) | (x) >> (32 - (c)))
#define RR32(x,c) ((x) >> (c) | (x) << (32 - (c)))
#define MASK8 0xff
#define MASK32 0xffffffff
#define MASK64 0xffffffffffffffff
#define Sigma1 0xA09E667F3BCC908B
#define Sigma2 0xB67AE8584CAA73B2
#define Sigma3 0xC6EF372FE94F82BE
#define Sigma4 0x54FF53A5F1D36F1C
#define Sigma5 0x10E527FADE682D1D
#define Sigma6 0xB05688C2B3E6C1FD
static uint64_t SP[8][256];
typedef struct AVCAMELLIA {
uint64_t Kw[4];
uint64_t Ke[6];
uint64_t K[24];
int key_bits;
} AVCAMELLIA;
static const uint8_t SBOX1[256] = {
112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
};
static const uint8_t SBOX2[256] = {
224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
};
static const uint8_t SBOX3[256] = {
56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
};
static const uint8_t SBOX4[256] = {
112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
};
const int av_camellia_size = sizeof(AVCAMELLIA);
static void LR128(uint64_t d[2], const uint64_t K[2], int x)
{
int i = 0;
if (64 <= x && x < 128) {
i = 1;
x -= 64;
}
if (x <= 0 || x >= 128) {
d[0] = K[i];
d[1] = K[!i];
return;
}
d[0] = (K[i] << x | K[!i] >> (64 - x));
d[1] = (K[!i] << x | K[i] >> (64 - x));
}
static uint64_t F(uint64_t F_IN, uint64_t KE)
{
KE ^= F_IN;
F_IN=SP[0][KE >> 56]^SP[1][(KE >> 48) & MASK8]^SP[2][(KE >> 40) & MASK8]^SP[3][(KE >> 32) & MASK8]^SP[4][(KE >> 24) & MASK8]^SP[5][(KE >> 16) & MASK8]^SP[6][(KE >> 8) & MASK8]^SP[7][KE & MASK8];
return F_IN;
}
static uint64_t FL(uint64_t FL_IN, uint64_t KE)
{
uint32_t x1, x2, k1, k2;
x1 = FL_IN >> 32;
x2 = FL_IN & MASK32;
k1 = KE >> 32;
k2 = KE & MASK32;
x2 = x2 ^ LR32((x1 & k1), 1);
x1 = x1 ^ (x2 | k2);
return ((uint64_t)x1 << 32) | (uint64_t)x2;
}
static uint64_t FLINV(uint64_t FLINV_IN, uint64_t KE)
{
uint32_t x1, x2, k1, k2;
x1 = FLINV_IN >> 32;
x2 = FLINV_IN & MASK32;
k1 = KE >> 32;
k2 = KE & MASK32;
x1 = x1 ^ (x2 | k2);
x2 = x2 ^ LR32((x1 & k1), 1);
return ((uint64_t)x1 << 32) | (uint64_t)x2;
}
static const uint8_t shifts[2][12] = {
{0, 15, 15, 45, 45, 60, 94, 94, 111},
{0, 15, 15, 30, 45, 45, 60, 60, 77, 94, 94, 111}
};
static const uint8_t vars[2][12] = {
{2, 0, 2, 0, 2, 2, 0, 2, 0},
{3, 1, 2, 3, 0, 2, 1, 3, 0, 1, 2, 0}
};
static void generate_round_keys(AVCAMELLIA *cs, uint64_t Kl[2], uint64_t Kr[2], uint64_t Ka[2], uint64_t Kb[2])
{
int i;
uint64_t *Kd[4], d[2];
Kd[0] = Kl;
Kd[1] = Kr;
Kd[2] = Ka;
Kd[3] = Kb;
cs->Kw[0] = Kl[0];
cs->Kw[1] = Kl[1];
if (cs->key_bits == 128) {
for (i = 0; i < 9; i++) {
LR128(d, Kd[vars[0][i]], shifts[0][i]);
cs->K[2*i] = d[0];
cs->K[2*i+1] = d[1];
}
LR128(d, Kd[0], 60);
cs->K[9] = d[1];
LR128(d, Kd[2], 30);
cs->Ke[0] = d[0];
cs->Ke[1] = d[1];
LR128(d, Kd[0], 77);
cs->Ke[2] = d[0];
cs->Ke[3] = d[1];
LR128(d, Kd[2], 111);
cs->Kw[2] = d[0];
cs->Kw[3] = d[1];
} else {
for (i = 0; i < 12; i++) {
LR128(d, Kd[vars[1][i]], shifts[1][i]);
cs->K[2*i] = d[0];
cs->K[2*i+1] = d[1];
}
LR128(d, Kd[1], 30);
cs->Ke[0] = d[0];
cs->Ke[1] = d[1];
LR128(d, Kd[0], 60);
cs->Ke[2] = d[0];
cs->Ke[3] = d[1];
LR128(d, Kd[2], 77);
cs->Ke[4] = d[0];
cs->Ke[5] = d[1];
LR128(d, Kd[3], 111);
cs->Kw[2] = d[0];
cs->Kw[3] = d[1];
}
}
static void camellia_encrypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src)
{
uint64_t D1, D2;
D1 = AV_RB64(src);
D2 = AV_RB64(src + 8);
D1 ^= cs->Kw[0];
D2 ^= cs->Kw[1];
D2 ^= F(D1, cs->K[0]);
D1 ^= F(D2, cs->K[1]);
D2 ^= F(D1, cs->K[2]);
D1 ^= F(D2, cs->K[3]);
D2 ^= F(D1, cs->K[4]);
D1 ^= F(D2, cs->K[5]);
D1 = FL(D1, cs->Ke[0]);
D2 = FLINV(D2, cs->Ke[1]);
D2 ^= F(D1, cs->K[6]);
D1 ^= F(D2, cs->K[7]);
D2 ^= F(D1, cs->K[8]);
D1 ^= F(D2, cs->K[9]);
D2 ^= F(D1, cs->K[10]);
D1 ^= F(D2, cs->K[11]);
D1 = FL(D1, cs->Ke[2]);
D2 = FLINV(D2, cs->Ke[3]);
D2 ^= F(D1, cs->K[12]);
D1 ^= F(D2, cs->K[13]);
D2 ^= F(D1, cs->K[14]);
D1 ^= F(D2, cs->K[15]);
D2 ^= F(D1, cs->K[16]);
D1 ^= F(D2, cs->K[17]);
if (cs->key_bits != 128) {
D1 = FL(D1, cs->Ke[4]);
D2 = FLINV(D2, cs->Ke[5]);
D2 ^= F(D1, cs->K[18]);
D1 ^= F(D2, cs->K[19]);
D2 ^= F(D1, cs->K[20]);
D1 ^= F(D2, cs->K[21]);
D2 ^= F(D1, cs->K[22]);
D1 ^= F(D2, cs->K[23]);
}
D2 ^= cs->Kw[2];
D1 ^= cs->Kw[3];
AV_WB64(dst, D2);
AV_WB64(dst + 8, D1);
}
static void camellia_decrypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src, uint8_t *iv)
{
uint64_t D1, D2;
D1 = AV_RB64(src);
D2 = AV_RB64(src + 8);
D1 ^= cs->Kw[2];
D2 ^= cs->Kw[3];
if (cs->key_bits != 128) {
D2 ^= F(D1, cs->K[23]);
D1 ^= F(D2, cs->K[22]);
D2 ^= F(D1, cs->K[21]);
D1 ^= F(D2, cs->K[20]);
D2 ^= F(D1, cs->K[19]);
D1 ^= F(D2, cs->K[18]);
D1 = FL(D1, cs->Ke[5]);
D2 = FLINV(D2, cs->Ke[4]);
}
D2 ^= F(D1, cs->K[17]);
D1 ^= F(D2, cs->K[16]);
D2 ^= F(D1, cs->K[15]);
D1 ^= F(D2, cs->K[14]);
D2 ^= F(D1, cs->K[13]);
D1 ^= F(D2, cs->K[12]);
D1 = FL(D1, cs->Ke[3]);
D2 = FLINV(D2, cs->Ke[2]);
D2 ^= F(D1, cs->K[11]);
D1 ^= F(D2, cs->K[10]);
D2 ^= F(D1, cs->K[9]);
D1 ^= F(D2, cs->K[8]);
D2 ^= F(D1, cs->K[7]);
D1 ^= F(D2, cs->K[6]);
D1 = FL(D1, cs->Ke[1]);
D2 = FLINV(D2, cs->Ke[0]);
D2 ^= F(D1, cs->K[5]);
D1 ^= F(D2, cs->K[4]);
D2 ^= F(D1, cs->K[3]);
D1 ^= F(D2, cs->K[2]);
D2 ^= F(D1, cs->K[1]);
D1 ^= F(D2, cs->K[0]);
D2 ^= cs->Kw[0];
D1 ^= cs->Kw[1];
if (iv) {
D2 ^= AV_RB64(iv);
D1 ^= AV_RB64(iv + 8);
}
AV_WB64(dst, D2);
AV_WB64(dst + 8, D1);
}
static void computeSP(void)
{
uint64_t z;
int i;
for (i = 0; i < 256; i++) {
z = SBOX1[i];
SP[0][i] = (z << 56) ^ (z << 48) ^ (z << 40) ^ (z << 24) ^ z;
SP[7][i] = (z << 56) ^ (z << 48) ^ (z << 40) ^ (z << 24) ^ (z << 16) ^ (z << 8);
z = SBOX2[i];
SP[1][i] = (z << 48) ^ (z << 40) ^ (z << 32) ^ (z << 24) ^ (z << 16);
SP[4][i] = (z << 48) ^ (z << 40) ^ (z << 32) ^ (z << 16) ^ (z << 8) ^ z;
z = SBOX3[i];
SP[2][i] = (z << 56) ^ (z << 40) ^ (z << 32) ^ (z << 16) ^ (z << 8);
SP[5][i] = (z << 56) ^ (z << 40) ^ (z << 32) ^ (z << 24) ^ (z << 8) ^ z;
z = SBOX4[i];
SP[3][i] = (z << 56) ^ (z << 48) ^ (z << 32) ^ (z << 8) ^ z;
SP[6][i] = (z << 56) ^ (z << 48) ^ (z << 32) ^ (z << 24) ^ (z << 16) ^ z;
}
}
struct AVCAMELLIA *av_camellia_alloc(void)
{
return av_mallocz(sizeof(struct AVCAMELLIA));
}
av_cold int av_camellia_init(AVCAMELLIA *cs, const uint8_t *key, int key_bits)
{
uint64_t Kl[2], Kr[2], Ka[2], Kb[2];
uint64_t D1, D2;
if (key_bits != 128 && key_bits != 192 && key_bits != 256)
return -1;
cs->key_bits = key_bits;
Kl[0] = AV_RB64(key);
Kl[1] = AV_RB64(key + 8);
if (key_bits == 192) {
Kr[0] = AV_RB64(key + 16);
Kr[1] = ~Kr[0];
} else if (key_bits == 256) {
Kr[0] = AV_RB64(key + 16);
Kr[1] = AV_RB64(key + 24);
}
computeSP();
D1 = Kl[0] ^ Kr[0];
D2 = Kl[1] ^ Kr[1];
D2 ^= F(D1, Sigma1);
D1 ^= F(D2, Sigma2);
D1 ^= Kl[0];
D2 ^= Kl[1];
D2 ^= F(D1, Sigma3);
D1 ^= F(D2, Sigma4);
Ka[0] = D1;
Ka[1] = D2;
if (key_bits != 128) {
D1 = Ka[0] ^ Kr[0];
D2 = Ka[1] ^ Kr[1];
D2 ^= F(D1, Sigma5);
D1 ^= F(D2, Sigma6);
Kb[0] = D1;
Kb[1] = D2;
}
generate_round_keys(cs, Kl, Kr, Ka, Kb);
return 0;
}
void av_camellia_crypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int decrypt)
{
int i;
while (count--) {
if (decrypt) {
camellia_decrypt(cs, dst, src, iv);
} else {
if (iv) {
for (i = 0; i < 16; i++)
dst[i] = src[i] ^ iv[i];
camellia_encrypt(cs, dst, dst);
} else {
camellia_encrypt(cs, dst, src);
}
}
src = src + 16;
dst = dst + 16;
}
}
#ifdef TEST
#include<stdio.h>
#include<stdlib.h>
#include"log.h"
int main(int argc, char *argv[])
{
const uint8_t Key[3][32] = {
{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77},
{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}
};
const uint8_t rct[3][16] = {
{0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73, 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43},
{0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9,0x96, 0xf8, 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9},
{0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c, 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09}
};
const uint8_t rpt[32] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10};
const int kbits[3] = {128, 192, 256};
int i, j, err = 0;
uint8_t temp[32], iv[16];
AVCAMELLIA *cs;
cs = av_camellia_alloc();
if (!cs)
return 1;
for (j = 0; j < 3; j++) {
av_camellia_init(cs, Key[j], kbits[j]);
av_camellia_crypt(cs, temp, rpt, 1, NULL, 0);
for (i = 0; i < 16; i++) {
if (rct[j][i] != temp[i]) {
av_log(NULL, AV_LOG_ERROR, "%d %02x %02x\n", i, rct[j][i], temp[i]);
err = 1;
}
}
av_camellia_crypt(cs, temp, rct[j], 1, NULL, 1);
for (i = 0; i < 16; i++) {
if (rpt[i] != temp[i]) {
av_log(NULL, AV_LOG_ERROR, "%d %02x %02x\n", i, rpt[i], temp[i]);
err = 1;
}
}
}
av_camellia_init(cs, Key[0], 128);
memcpy(iv
, "HALLO123HALLO123", 16); av_camellia_crypt(cs, temp, rpt, 2, iv, 0);
memcpy(iv
, "HALLO123HALLO123", 16); av_camellia_crypt(cs, temp, temp, 2, iv, 1);
for (i = 0; i < 32; i++) {
if (rpt[i] != temp[i]) {
av_log(NULL, AV_LOG_ERROR, "%d %02x %02x\n", i, rpt[i], temp[i]);
err = 1;
}
}
av_free(cs);
return err;
}
#endif