2 * An implementation of the CAMELLIA algorithm as mentioned in RFC3713
3 * Copyright (c) 2014 Supraja Meedinti
5 * This file is part of FFmpeg.
7 * FFmpeg is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * FFmpeg is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with FFmpeg; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
23 #include "intreadwrite.h"
24 #include "attributes.h"
26 #define LR32(x,c) ((x) << (c) | (x) >> (32 - (c)))
27 #define RR32(x,c) ((x) >> (c) | (x) << (32 - (c)))
30 #define MASK32 0xffffffff
31 #define MASK64 0xffffffffffffffff
33 #define Sigma1 0xA09E667F3BCC908B
34 #define Sigma2 0xB67AE8584CAA73B2
35 #define Sigma3 0xC6EF372FE94F82BE
36 #define Sigma4 0x54FF53A5F1D36F1C
37 #define Sigma5 0x10E527FADE682D1D
38 #define Sigma6 0xB05688C2B3E6C1FD
40 typedef struct AVCAMELLIA {
47 static const uint8_t SBOX1[256] = {
48 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
49 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
50 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
51 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
52 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
53 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
54 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
55 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
56 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
57 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
58 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
59 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
60 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
61 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
62 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
63 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
66 static const uint8_t SBOX2[256] = {
67 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
68 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
69 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
70 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
71 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
72 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
73 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
74 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
75 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
76 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
77 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
78 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
79 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
80 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
81 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
82 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
85 static const uint8_t SBOX3[256] = {
86 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
87 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
88 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
89 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
90 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
91 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
92 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
93 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
94 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
95 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
96 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
97 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
98 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
99 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
100 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
101 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
104 static const uint8_t SBOX4[256] = {
105 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
106 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
107 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
108 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
109 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
110 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
111 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
112 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
113 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
114 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
115 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
116 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
117 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
118 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
119 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
120 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
123 const int av_camellia_size = sizeof(AVCAMELLIA);
125 static void LR128(uint64_t d[2], const uint64_t K[2], int x)
128 if (64 <= x && x < 128) {
132 if (x <= 0 || x >= 128) {
137 d[0] = (K[i] << x | K[!i] >> (64 - x));
138 d[1] = (K[!i] << x | K[i] >> (64 - x));
141 static uint64_t F(uint64_t F_IN, uint64_t KE)
147 Zl = (((uint32_t)SBOX1[(Zl >> 24)] << 24) | ((uint32_t)SBOX2[(Zl >> 16) & MASK8] << 16) | ((uint32_t)SBOX3[(Zl >> 8) & MASK8] << 8) |(SBOX4[Zl & MASK8]));
148 Zr = (((uint32_t)SBOX2[(Zr >> 24)] << 24) | ((uint32_t)SBOX3[(Zr >> 16) & MASK8] << 16) | ((uint32_t)SBOX4[(Zr >> 8) & MASK8] << 8) |(SBOX1[Zr & MASK8]));
153 return ((uint64_t)Zr << 32) | (uint64_t)Zl;
156 static uint64_t FL(uint64_t FL_IN, uint64_t KE)
158 uint32_t x1, x2, k1, k2;
163 x2 = x2 ^ LR32((x1 & k1), 1);
165 return ((uint64_t)x1 << 32) | (uint64_t)x2;
168 static uint64_t FLINV(uint64_t FLINV_IN, uint64_t KE)
170 uint32_t x1, x2, k1, k2;
172 x2 = FLINV_IN & MASK32;
176 x2 = x2 ^ LR32((x1 & k1), 1);
177 return ((uint64_t)x1 << 32) | (uint64_t)x2;
180 static const uint8_t shifts[2][12] = {
181 {0, 15, 15, 45, 45, 60, 94, 94, 111},
182 {0, 15, 15, 30, 45, 45, 60, 60, 77, 94, 94, 111}
185 static const uint8_t vars[2][12] = {
186 {2, 0, 2, 0, 2, 2, 0, 2, 0},
187 {3, 1, 2, 3, 0, 2, 1, 3, 0, 1, 2, 0}
190 static void generate_round_keys(AVCAMELLIA *cs, uint64_t Kl[2], uint64_t Kr[2], uint64_t Ka[2], uint64_t Kb[2])
193 uint64_t *Kd[4], d[2];
200 if (cs->key_bits == 128) {
201 for (i = 0; i < 9; i++) {
202 LR128(d, Kd[vars[0][i]], shifts[0][i]);
214 LR128(d, Kd[2], 111);
218 for (i = 0; i < 12; i++) {
219 LR128(d, Kd[vars[1][i]], shifts[1][i]);
232 LR128(d, Kd[3], 111);
238 static void camellia_encrypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src)
242 D2 = AV_RB64(src + 8);
245 D2 ^= F(D1, cs->K[0]);
246 D1 ^= F(D2, cs->K[1]);
247 D2 ^= F(D1, cs->K[2]);
248 D1 ^= F(D2, cs->K[3]);
249 D2 ^= F(D1, cs->K[4]);
250 D1 ^= F(D2, cs->K[5]);
251 D1 = FL(D1, cs->Ke[0]);
252 D2 = FLINV(D2, cs->Ke[1]);
253 D2 ^= F(D1, cs->K[6]);
254 D1 ^= F(D2, cs->K[7]);
255 D2 ^= F(D1, cs->K[8]);
256 D1 ^= F(D2, cs->K[9]);
257 D2 ^= F(D1, cs->K[10]);
258 D1 ^= F(D2, cs->K[11]);
259 D1 = FL(D1, cs->Ke[2]);
260 D2 = FLINV(D2, cs->Ke[3]);
261 D2 ^= F(D1, cs->K[12]);
262 D1 ^= F(D2, cs->K[13]);
263 D2 ^= F(D1, cs->K[14]);
264 D1 ^= F(D2, cs->K[15]);
265 D2 ^= F(D1, cs->K[16]);
266 D1 ^= F(D2, cs->K[17]);
267 if (cs->key_bits != 128) {
268 D1 = FL(D1, cs->Ke[4]);
269 D2 = FLINV(D2, cs->Ke[5]);
270 D2 ^= F(D1, cs->K[18]);
271 D1 ^= F(D2, cs->K[19]);
272 D2 ^= F(D1, cs->K[20]);
273 D1 ^= F(D2, cs->K[21]);
274 D2 ^= F(D1, cs->K[22]);
275 D1 ^= F(D2, cs->K[23]);
280 AV_WB64(dst + 8, D1);
283 static void camellia_decrypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src, uint8_t *iv)
287 D2 = AV_RB64(src + 8);
290 if (cs->key_bits != 128) {
291 D2 ^= F(D1, cs->K[23]);
292 D1 ^= F(D2, cs->K[22]);
293 D2 ^= F(D1, cs->K[21]);
294 D1 ^= F(D2, cs->K[20]);
295 D2 ^= F(D1, cs->K[19]);
296 D1 ^= F(D2, cs->K[18]);
297 D1 = FL(D1, cs->Ke[5]);
298 D2 = FLINV(D2, cs->Ke[4]);
300 D2 ^= F(D1, cs->K[17]);
301 D1 ^= F(D2, cs->K[16]);
302 D2 ^= F(D1, cs->K[15]);
303 D1 ^= F(D2, cs->K[14]);
304 D2 ^= F(D1, cs->K[13]);
305 D1 ^= F(D2, cs->K[12]);
306 D1 = FL(D1, cs->Ke[3]);
307 D2 = FLINV(D2, cs->Ke[2]);
308 D2 ^= F(D1, cs->K[11]);
309 D1 ^= F(D2, cs->K[10]);
310 D2 ^= F(D1, cs->K[9]);
311 D1 ^= F(D2, cs->K[8]);
312 D2 ^= F(D1, cs->K[7]);
313 D1 ^= F(D2, cs->K[6]);
314 D1 = FL(D1, cs->Ke[1]);
315 D2 = FLINV(D2, cs->Ke[0]);
316 D2 ^= F(D1, cs->K[5]);
317 D1 ^= F(D2, cs->K[4]);
318 D2 ^= F(D1, cs->K[3]);
319 D1 ^= F(D2, cs->K[2]);
320 D2 ^= F(D1, cs->K[1]);
321 D1 ^= F(D2, cs->K[0]);
326 D1 ^= AV_RB64(iv + 8);
330 AV_WB64(dst + 8, D1);
333 struct AVCAMELLIA *av_camellia_alloc(void)
335 return av_mallocz(sizeof(struct AVCAMELLIA));
338 av_cold int av_camellia_init(AVCAMELLIA *cs, const uint8_t *key, int key_bits)
340 uint64_t Kl[2], Kr[2], Ka[2], Kb[2];
342 if (key_bits != 128 && key_bits != 192 && key_bits != 256)
344 memset(Kb, 0, sizeof(Kb));
345 memset(Kr, 0, sizeof(Kr));
346 cs->key_bits = key_bits;
347 Kl[0] = AV_RB64(key);
348 Kl[1] = AV_RB64(key + 8);
349 if (key_bits == 192) {
350 Kr[0] = AV_RB64(key + 16);
352 } else if (key_bits == 256) {
353 Kr[0] = AV_RB64(key + 16);
354 Kr[1] = AV_RB64(key + 24);
366 if (key_bits != 128) {
374 generate_round_keys(cs, Kl, Kr, Ka, Kb);
378 void av_camellia_crypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int decrypt)
383 camellia_decrypt(cs, dst, src, iv);
386 for (i = 0; i < 16; i++)
387 dst[i] = src[i] ^ iv[i];
388 camellia_encrypt(cs, dst, dst);
391 camellia_encrypt(cs, dst, src);
404 int main(int argc, char *argv[])
406 const uint8_t Key[3][32] = {
407 {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
408 {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77},
409 {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}
411 const uint8_t rct[3][16] = {
412 {0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73, 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43},
413 {0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9,0x96, 0xf8, 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9},
414 {0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c, 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09}
416 const uint8_t rpt[32] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10};
417 const int kbits[3] = {128, 192, 256};
419 uint8_t temp[32], iv[16];
421 cs = av_camellia_alloc();
424 for (j = 0; j < 3; j++) {
425 av_camellia_init(cs, Key[j], kbits[j]);
426 av_camellia_crypt(cs, temp, rpt, 1, NULL, 0);
427 for (i = 0; i < 16; i++) {
428 if (rct[j][i] != temp[i]) {
429 av_log(NULL, AV_LOG_ERROR, "%d %02x %02x\n", i, rct[j][i], temp[i]);
433 av_camellia_crypt(cs, temp, rct[j], 1, NULL, 1);
434 for (i = 0; i < 16; i++) {
435 if (rpt[i] != temp[i]) {
436 av_log(NULL, AV_LOG_ERROR, "%d %02x %02x\n", i, rpt[i], temp[i]);
441 av_camellia_init(cs, Key[0], 128);
442 memcpy(iv, "HALLO123HALLO123", 16);
443 av_camellia_crypt(cs, temp, rpt, 2, iv, 0);
444 memcpy(iv, "HALLO123HALLO123", 16);
445 av_camellia_crypt(cs, temp, temp, 2, iv, 1);
446 for (i = 0; i < 32; i++) {
447 if (rpt[i] != temp[i]) {
448 av_log(NULL, AV_LOG_ERROR, "%d %02x %02x\n", i, rpt[i], temp[i]);