2 * An implementation of the CAMELLIA algorithm as mentioned in RFC3713
3 * Copyright (c) 2014 Supraja Meedinti
5 * This file is part of FFmpeg.
7 * FFmpeg is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * FFmpeg is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with FFmpeg; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
23 #include "intreadwrite.h"
24 #include "attributes.h"
26 #define LR32(x,c) ((x) << (c) | (x) >> (32 - (c)))
27 #define RR32(x,c) ((x) >> (c) | (x) << (32 - (c)))
30 #define MASK32 0xffffffff
31 #define MASK64 0xffffffffffffffff
33 #define Sigma1 0xA09E667F3BCC908B
34 #define Sigma2 0xB67AE8584CAA73B2
35 #define Sigma3 0xC6EF372FE94F82BE
36 #define Sigma4 0x54FF53A5F1D36F1C
37 #define Sigma5 0x10E527FADE682D1D
38 #define Sigma6 0xB05688C2B3E6C1FD
40 static uint64_t SP[8][256];
42 typedef struct AVCAMELLIA {
49 static const uint8_t SBOX1[256] = {
50 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
51 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
52 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
53 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
54 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
55 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
56 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
57 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
58 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
59 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
60 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
61 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
62 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
63 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
64 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
65 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
68 static const uint8_t SBOX2[256] = {
69 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
70 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
71 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
72 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
73 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
74 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
75 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
76 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
77 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
78 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
79 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
80 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
81 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
82 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
83 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
84 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
87 static const uint8_t SBOX3[256] = {
88 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
89 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
90 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
91 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
92 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
93 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
94 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
95 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
96 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
97 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
98 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
99 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
100 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
101 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
102 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
103 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
106 static const uint8_t SBOX4[256] = {
107 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
108 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
109 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
110 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
111 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
112 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
113 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
114 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
115 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
116 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
117 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
118 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
119 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
120 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
121 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
122 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
125 const int av_camellia_size = sizeof(AVCAMELLIA);
127 static void LR128(uint64_t d[2], const uint64_t K[2], int x)
130 if (64 <= x && x < 128) {
134 if (x <= 0 || x >= 128) {
139 d[0] = (K[i] << x | K[!i] >> (64 - x));
140 d[1] = (K[!i] << x | K[i] >> (64 - x));
143 static uint64_t F(uint64_t F_IN, uint64_t KE)
146 F_IN=SP[0][KE >> 56]^SP[1][(KE >> 48) & MASK8]^SP[2][(KE >> 40) & MASK8]^SP[3][(KE >> 32) & MASK8]^SP[4][(KE >> 24) & MASK8]^SP[5][(KE >> 16) & MASK8]^SP[6][(KE >> 8) & MASK8]^SP[7][KE & MASK8];
150 static uint64_t FL(uint64_t FL_IN, uint64_t KE)
152 uint32_t x1, x2, k1, k2;
157 x2 = x2 ^ LR32((x1 & k1), 1);
159 return ((uint64_t)x1 << 32) | (uint64_t)x2;
162 static uint64_t FLINV(uint64_t FLINV_IN, uint64_t KE)
164 uint32_t x1, x2, k1, k2;
166 x2 = FLINV_IN & MASK32;
170 x2 = x2 ^ LR32((x1 & k1), 1);
171 return ((uint64_t)x1 << 32) | (uint64_t)x2;
174 static const uint8_t shifts[2][12] = {
175 {0, 15, 15, 45, 45, 60, 94, 94, 111},
176 {0, 15, 15, 30, 45, 45, 60, 60, 77, 94, 94, 111}
179 static const uint8_t vars[2][12] = {
180 {2, 0, 2, 0, 2, 2, 0, 2, 0},
181 {3, 1, 2, 3, 0, 2, 1, 3, 0, 1, 2, 0}
184 static void generate_round_keys(AVCAMELLIA *cs, uint64_t Kl[2], uint64_t Kr[2], uint64_t Ka[2], uint64_t Kb[2])
187 uint64_t *Kd[4], d[2];
194 if (cs->key_bits == 128) {
195 for (i = 0; i < 9; i++) {
196 LR128(d, Kd[vars[0][i]], shifts[0][i]);
208 LR128(d, Kd[2], 111);
212 for (i = 0; i < 12; i++) {
213 LR128(d, Kd[vars[1][i]], shifts[1][i]);
226 LR128(d, Kd[3], 111);
232 static void camellia_encrypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src)
236 D2 = AV_RB64(src + 8);
239 D2 ^= F(D1, cs->K[0]);
240 D1 ^= F(D2, cs->K[1]);
241 D2 ^= F(D1, cs->K[2]);
242 D1 ^= F(D2, cs->K[3]);
243 D2 ^= F(D1, cs->K[4]);
244 D1 ^= F(D2, cs->K[5]);
245 D1 = FL(D1, cs->Ke[0]);
246 D2 = FLINV(D2, cs->Ke[1]);
247 D2 ^= F(D1, cs->K[6]);
248 D1 ^= F(D2, cs->K[7]);
249 D2 ^= F(D1, cs->K[8]);
250 D1 ^= F(D2, cs->K[9]);
251 D2 ^= F(D1, cs->K[10]);
252 D1 ^= F(D2, cs->K[11]);
253 D1 = FL(D1, cs->Ke[2]);
254 D2 = FLINV(D2, cs->Ke[3]);
255 D2 ^= F(D1, cs->K[12]);
256 D1 ^= F(D2, cs->K[13]);
257 D2 ^= F(D1, cs->K[14]);
258 D1 ^= F(D2, cs->K[15]);
259 D2 ^= F(D1, cs->K[16]);
260 D1 ^= F(D2, cs->K[17]);
261 if (cs->key_bits != 128) {
262 D1 = FL(D1, cs->Ke[4]);
263 D2 = FLINV(D2, cs->Ke[5]);
264 D2 ^= F(D1, cs->K[18]);
265 D1 ^= F(D2, cs->K[19]);
266 D2 ^= F(D1, cs->K[20]);
267 D1 ^= F(D2, cs->K[21]);
268 D2 ^= F(D1, cs->K[22]);
269 D1 ^= F(D2, cs->K[23]);
274 AV_WB64(dst + 8, D1);
277 static void camellia_decrypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src, uint8_t *iv)
281 D2 = AV_RB64(src + 8);
284 if (cs->key_bits != 128) {
285 D2 ^= F(D1, cs->K[23]);
286 D1 ^= F(D2, cs->K[22]);
287 D2 ^= F(D1, cs->K[21]);
288 D1 ^= F(D2, cs->K[20]);
289 D2 ^= F(D1, cs->K[19]);
290 D1 ^= F(D2, cs->K[18]);
291 D1 = FL(D1, cs->Ke[5]);
292 D2 = FLINV(D2, cs->Ke[4]);
294 D2 ^= F(D1, cs->K[17]);
295 D1 ^= F(D2, cs->K[16]);
296 D2 ^= F(D1, cs->K[15]);
297 D1 ^= F(D2, cs->K[14]);
298 D2 ^= F(D1, cs->K[13]);
299 D1 ^= F(D2, cs->K[12]);
300 D1 = FL(D1, cs->Ke[3]);
301 D2 = FLINV(D2, cs->Ke[2]);
302 D2 ^= F(D1, cs->K[11]);
303 D1 ^= F(D2, cs->K[10]);
304 D2 ^= F(D1, cs->K[9]);
305 D1 ^= F(D2, cs->K[8]);
306 D2 ^= F(D1, cs->K[7]);
307 D1 ^= F(D2, cs->K[6]);
308 D1 = FL(D1, cs->Ke[1]);
309 D2 = FLINV(D2, cs->Ke[0]);
310 D2 ^= F(D1, cs->K[5]);
311 D1 ^= F(D2, cs->K[4]);
312 D2 ^= F(D1, cs->K[3]);
313 D1 ^= F(D2, cs->K[2]);
314 D2 ^= F(D1, cs->K[1]);
315 D1 ^= F(D2, cs->K[0]);
320 D1 ^= AV_RB64(iv + 8);
324 AV_WB64(dst + 8, D1);
327 static void computeSP(void)
331 for (i = 0; i < 256; i++) {
333 SP[0][i] = (z << 56) ^ (z << 48) ^ (z << 40) ^ (z << 24) ^ z;
334 SP[7][i] = (z << 56) ^ (z << 48) ^ (z << 40) ^ (z << 24) ^ (z << 16) ^ (z << 8);
336 SP[1][i] = (z << 48) ^ (z << 40) ^ (z << 32) ^ (z << 24) ^ (z << 16);
337 SP[4][i] = (z << 48) ^ (z << 40) ^ (z << 32) ^ (z << 16) ^ (z << 8) ^ z;
339 SP[2][i] = (z << 56) ^ (z << 40) ^ (z << 32) ^ (z << 16) ^ (z << 8);
340 SP[5][i] = (z << 56) ^ (z << 40) ^ (z << 32) ^ (z << 24) ^ (z << 8) ^ z;
342 SP[3][i] = (z << 56) ^ (z << 48) ^ (z << 32) ^ (z << 8) ^ z;
343 SP[6][i] = (z << 56) ^ (z << 48) ^ (z << 32) ^ (z << 24) ^ (z << 16) ^ z;
347 struct AVCAMELLIA *av_camellia_alloc(void)
349 return av_mallocz(sizeof(struct AVCAMELLIA));
352 av_cold int av_camellia_init(AVCAMELLIA *cs, const uint8_t *key, int key_bits)
354 uint64_t Kl[2], Kr[2], Ka[2], Kb[2];
356 if (key_bits != 128 && key_bits != 192 && key_bits != 256)
357 return AVERROR(EINVAL);
358 memset(Kb, 0, sizeof(Kb));
359 memset(Kr, 0, sizeof(Kr));
360 cs->key_bits = key_bits;
361 Kl[0] = AV_RB64(key);
362 Kl[1] = AV_RB64(key + 8);
363 if (key_bits == 192) {
364 Kr[0] = AV_RB64(key + 16);
366 } else if (key_bits == 256) {
367 Kr[0] = AV_RB64(key + 16);
368 Kr[1] = AV_RB64(key + 24);
381 if (key_bits != 128) {
389 generate_round_keys(cs, Kl, Kr, Ka, Kb);
393 void av_camellia_crypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int decrypt)
398 camellia_decrypt(cs, dst, src, iv);
401 for (i = 0; i < 16; i++)
402 dst[i] = src[i] ^ iv[i];
403 camellia_encrypt(cs, dst, dst);
406 camellia_encrypt(cs, dst, src);