GCM: GHASH optimizations
[libgcrypt.git] / cipher / camellia-glue.c
1 /* camellia-glue.c - Glue for the Camellia cipher
2  * Copyright (C) 2007 Free Software Foundation, Inc.
3  *
4  * This file is part of Libgcrypt.
5  *
6  * Libgcrypt is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU Lesser General Public License as
8  * published by the Free Software Foundation; either version 2.1 of
9  * the License, or (at your option) any later version.
10  *
11  * Libgcrypt is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
19  * 02110-1301, USA.
20  */
21
22 /* I put all the libgcrypt-specific stuff in this file to keep the
23    camellia.c/camellia.h files exactly as provided by NTT.  If they
24    update their code, this should make it easier to bring the changes
25    in. - dshaw
26
27    There is one small change which needs to be done: Include the
28    following code at the top of camellia.h: */
29 #if 0
30
31 /* To use Camellia with libraries it is often useful to keep the name
32  * space of the library clean.  The following macro is thus useful:
33  *
34  *     #define CAMELLIA_EXT_SYM_PREFIX foo_
35  *
36  * This prefixes all external symbols with "foo_".
37  */
38 #ifdef HAVE_CONFIG_H
39 #include <config.h>
40 #endif
41 #ifdef CAMELLIA_EXT_SYM_PREFIX
42 #define CAMELLIA_PREFIX1(x,y) x ## y
43 #define CAMELLIA_PREFIX2(x,y) CAMELLIA_PREFIX1(x,y)
44 #define CAMELLIA_PREFIX(x)    CAMELLIA_PREFIX2(CAMELLIA_EXT_SYM_PREFIX,x)
45 #define Camellia_Ekeygen      CAMELLIA_PREFIX(Camellia_Ekeygen)
46 #define Camellia_EncryptBlock CAMELLIA_PREFIX(Camellia_EncryptBlock)
47 #define Camellia_DecryptBlock CAMELLIA_PREFIX(Camellia_DecryptBlock)
48 #define camellia_decrypt128   CAMELLIA_PREFIX(camellia_decrypt128)
49 #define camellia_decrypt256   CAMELLIA_PREFIX(camellia_decrypt256)
50 #define camellia_encrypt128   CAMELLIA_PREFIX(camellia_encrypt128)
51 #define camellia_encrypt256   CAMELLIA_PREFIX(camellia_encrypt256)
52 #define camellia_setup128     CAMELLIA_PREFIX(camellia_setup128)
53 #define camellia_setup192     CAMELLIA_PREFIX(camellia_setup192)
54 #define camellia_setup256     CAMELLIA_PREFIX(camellia_setup256)
55 #endif /*CAMELLIA_EXT_SYM_PREFIX*/
56
57 #endif /* Code sample. */
58
59
60 #include <config.h>
61 #include "types.h"
62 #include "g10lib.h"
63 #include "cipher.h"
64 #include "camellia.h"
65 #include "bufhelp.h"
66 #include "cipher-selftest.h"
67
68 /* Helper macro to force alignment to 16 bytes.  */
69 #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
70 # define ATTR_ALIGNED_16  __attribute__ ((aligned (16)))
71 #else
72 # define ATTR_ALIGNED_16
73 #endif
74
75 /* USE_AESNI inidicates whether to compile with Intel AES-NI/AVX code. */
76 #undef USE_AESNI_AVX
77 #if defined(ENABLE_AESNI_SUPPORT) && defined(ENABLE_AVX_SUPPORT)
78 # if defined(__x86_64__) && defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS)
79 #  define USE_AESNI_AVX 1
80 # endif
81 #endif
82
83 /* USE_AESNI_AVX2 inidicates whether to compile with Intel AES-NI/AVX2 code. */
84 #undef USE_AESNI_AVX2
85 #if defined(ENABLE_AESNI_SUPPORT) && defined(ENABLE_AVX2_SUPPORT)
86 # if defined(__x86_64__) && defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS)
87 #  define USE_AESNI_AVX2 1
88 # endif
89 #endif
90
91 typedef struct
92 {
93   KEY_TABLE_TYPE keytable;
94   int keybitlength;
95 #ifdef USE_AESNI_AVX
96   unsigned int use_aesni_avx:1; /* AES-NI/AVX implementation shall be used.  */
97 #endif /*USE_AESNI_AVX*/
98 #ifdef USE_AESNI_AVX2
99   unsigned int use_aesni_avx2:1;/* AES-NI/AVX2 implementation shall be used.  */
100 #endif /*USE_AESNI_AVX2*/
101 } CAMELLIA_context;
102
103 #ifdef USE_AESNI_AVX
104 /* Assembler implementations of Camellia using AES-NI and AVX.  Process data
105    in 16 block same time.
106  */
107 extern void _gcry_camellia_aesni_avx_ctr_enc(CAMELLIA_context *ctx,
108                                              unsigned char *out,
109                                              const unsigned char *in,
110                                              unsigned char *ctr);
111
112 extern void _gcry_camellia_aesni_avx_cbc_dec(CAMELLIA_context *ctx,
113                                              unsigned char *out,
114                                              const unsigned char *in,
115                                              unsigned char *iv);
116
117 extern void _gcry_camellia_aesni_avx_cfb_dec(CAMELLIA_context *ctx,
118                                              unsigned char *out,
119                                              const unsigned char *in,
120                                              unsigned char *iv);
121
122 extern void _gcry_camellia_aesni_avx_keygen(CAMELLIA_context *ctx,
123                                             const unsigned char *key,
124                                             unsigned int keylen);
125 #endif
126
127 #ifdef USE_AESNI_AVX2
128 /* Assembler implementations of Camellia using AES-NI and AVX2.  Process data
129    in 32 block same time.
130  */
131 extern void _gcry_camellia_aesni_avx2_ctr_enc(CAMELLIA_context *ctx,
132                                               unsigned char *out,
133                                               const unsigned char *in,
134                                               unsigned char *ctr);
135
136 extern void _gcry_camellia_aesni_avx2_cbc_dec(CAMELLIA_context *ctx,
137                                               unsigned char *out,
138                                               const unsigned char *in,
139                                               unsigned char *iv);
140
141 extern void _gcry_camellia_aesni_avx2_cfb_dec(CAMELLIA_context *ctx,
142                                               unsigned char *out,
143                                               const unsigned char *in,
144                                               unsigned char *iv);
145 #endif
146
147 static const char *selftest(void);
148
149 static gcry_err_code_t
150 camellia_setkey(void *c, const byte *key, unsigned keylen)
151 {
152   CAMELLIA_context *ctx=c;
153   static int initialized=0;
154   static const char *selftest_failed=NULL;
155 #if defined(USE_AESNI_AVX) || defined(USE_AESNI_AVX2)
156   unsigned int hwf = _gcry_get_hw_features ();
157 #endif
158
159   if(keylen!=16 && keylen!=24 && keylen!=32)
160     return GPG_ERR_INV_KEYLEN;
161
162   if(!initialized)
163     {
164       initialized=1;
165       selftest_failed=selftest();
166       if(selftest_failed)
167         log_error("%s\n",selftest_failed);
168     }
169
170   if(selftest_failed)
171     return GPG_ERR_SELFTEST_FAILED;
172
173 #ifdef USE_AESNI_AVX
174   ctx->use_aesni_avx = (hwf & HWF_INTEL_AESNI) && (hwf & HWF_INTEL_AVX);
175 #endif
176 #ifdef USE_AESNI_AVX2
177   ctx->use_aesni_avx2 = (hwf & HWF_INTEL_AESNI) && (hwf & HWF_INTEL_AVX2);
178 #endif
179
180   ctx->keybitlength=keylen*8;
181
182   if (0)
183     { }
184 #ifdef USE_AESNI_AVX
185   else if (ctx->use_aesni_avx)
186     _gcry_camellia_aesni_avx_keygen(ctx, key, keylen);
187   else
188 #endif
189     {
190       Camellia_Ekeygen(ctx->keybitlength,key,ctx->keytable);
191       _gcry_burn_stack
192         ((19+34+34)*sizeof(u32)+2*sizeof(void*) /* camellia_setup256 */
193          +(4+32)*sizeof(u32)+2*sizeof(void*)    /* camellia_setup192 */
194          +0+sizeof(int)+2*sizeof(void*)         /* Camellia_Ekeygen */
195          +3*2*sizeof(void*)                     /* Function calls.  */
196          );
197     }
198
199   return 0;
200 }
201
202 #ifdef USE_ARM_ASM
203
204 /* Assembly implementations of Camellia. */
205 extern void _gcry_camellia_arm_encrypt_block(const KEY_TABLE_TYPE keyTable,
206                                                byte *outbuf, const byte *inbuf,
207                                                const int keybits);
208
209 extern void _gcry_camellia_arm_decrypt_block(const KEY_TABLE_TYPE keyTable,
210                                                byte *outbuf, const byte *inbuf,
211                                                const int keybits);
212
213 static void Camellia_EncryptBlock(const int keyBitLength,
214                                   const unsigned char *plaintext,
215                                   const KEY_TABLE_TYPE keyTable,
216                                   unsigned char *cipherText)
217 {
218   _gcry_camellia_arm_encrypt_block(keyTable, cipherText, plaintext,
219                                      keyBitLength);
220 }
221
222 static void Camellia_DecryptBlock(const int keyBitLength,
223                                   const unsigned char *cipherText,
224                                   const KEY_TABLE_TYPE keyTable,
225                                   unsigned char *plaintext)
226 {
227   _gcry_camellia_arm_decrypt_block(keyTable, plaintext, cipherText,
228                                      keyBitLength);
229 }
230
231 static unsigned int
232 camellia_encrypt(void *c, byte *outbuf, const byte *inbuf)
233 {
234   CAMELLIA_context *ctx = c;
235   Camellia_EncryptBlock(ctx->keybitlength,inbuf,ctx->keytable,outbuf);
236 #define CAMELLIA_encrypt_stack_burn_size (15*4)
237   return /*burn_stack*/ (CAMELLIA_encrypt_stack_burn_size);
238 }
239
240 static unsigned int
241 camellia_decrypt(void *c, byte *outbuf, const byte *inbuf)
242 {
243   CAMELLIA_context *ctx=c;
244   Camellia_DecryptBlock(ctx->keybitlength,inbuf,ctx->keytable,outbuf);
245 #define CAMELLIA_decrypt_stack_burn_size (15*4)
246   return /*burn_stack*/ (CAMELLIA_decrypt_stack_burn_size);
247 }
248
249 #else /*USE_ARM_ASM*/
250
251 static unsigned int
252 camellia_encrypt(void *c, byte *outbuf, const byte *inbuf)
253 {
254   CAMELLIA_context *ctx=c;
255
256   Camellia_EncryptBlock(ctx->keybitlength,inbuf,ctx->keytable,outbuf);
257
258 #define CAMELLIA_encrypt_stack_burn_size \
259   (sizeof(int)+2*sizeof(unsigned char *)+sizeof(void*/*KEY_TABLE_TYPE*/) \
260      +4*sizeof(u32)+4*sizeof(u32) \
261      +2*sizeof(u32*)+4*sizeof(u32) \
262      +2*2*sizeof(void*) /* Function calls.  */ \
263     )
264
265   return /*burn_stack*/ (CAMELLIA_encrypt_stack_burn_size);
266 }
267
268 static unsigned int
269 camellia_decrypt(void *c, byte *outbuf, const byte *inbuf)
270 {
271   CAMELLIA_context *ctx=c;
272
273   Camellia_DecryptBlock(ctx->keybitlength,inbuf,ctx->keytable,outbuf);
274
275 #define CAMELLIA_decrypt_stack_burn_size \
276     (sizeof(int)+2*sizeof(unsigned char *)+sizeof(void*/*KEY_TABLE_TYPE*/) \
277      +4*sizeof(u32)+4*sizeof(u32) \
278      +2*sizeof(u32*)+4*sizeof(u32) \
279      +2*2*sizeof(void*) /* Function calls.  */ \
280     )
281
282   return /*burn_stack*/ (CAMELLIA_decrypt_stack_burn_size);
283 }
284
285 #endif /*!USE_ARM_ASM*/
286
287 /* Bulk encryption of complete blocks in CTR mode.  This function is only
288    intended for the bulk encryption feature of cipher.c.  CTR is expected to be
289    of size CAMELLIA_BLOCK_SIZE. */
290 void
291 _gcry_camellia_ctr_enc(void *context, unsigned char *ctr,
292                        void *outbuf_arg, const void *inbuf_arg,
293                        size_t nblocks)
294 {
295   CAMELLIA_context *ctx = context;
296   unsigned char *outbuf = outbuf_arg;
297   const unsigned char *inbuf = inbuf_arg;
298   unsigned char tmpbuf[CAMELLIA_BLOCK_SIZE];
299   int burn_stack_depth = CAMELLIA_encrypt_stack_burn_size;
300   int i;
301
302 #ifdef USE_AESNI_AVX2
303   if (ctx->use_aesni_avx2)
304     {
305       int did_use_aesni_avx2 = 0;
306
307       /* Process data in 32 block chunks. */
308       while (nblocks >= 32)
309         {
310           _gcry_camellia_aesni_avx2_ctr_enc(ctx, outbuf, inbuf, ctr);
311
312           nblocks -= 32;
313           outbuf += 32 * CAMELLIA_BLOCK_SIZE;
314           inbuf  += 32 * CAMELLIA_BLOCK_SIZE;
315           did_use_aesni_avx2 = 1;
316         }
317
318       if (did_use_aesni_avx2)
319         {
320           int avx2_burn_stack_depth = 32 * CAMELLIA_BLOCK_SIZE + 16 +
321                                         2 * sizeof(void *);
322
323           if (burn_stack_depth < avx2_burn_stack_depth)
324             burn_stack_depth = avx2_burn_stack_depth;
325         }
326
327       /* Use generic code to handle smaller chunks... */
328       /* TODO: use caching instead? */
329     }
330 #endif
331
332 #ifdef USE_AESNI_AVX
333   if (ctx->use_aesni_avx)
334     {
335       int did_use_aesni_avx = 0;
336
337       /* Process data in 16 block chunks. */
338       while (nblocks >= 16)
339         {
340           _gcry_camellia_aesni_avx_ctr_enc(ctx, outbuf, inbuf, ctr);
341
342           nblocks -= 16;
343           outbuf += 16 * CAMELLIA_BLOCK_SIZE;
344           inbuf  += 16 * CAMELLIA_BLOCK_SIZE;
345           did_use_aesni_avx = 1;
346         }
347
348       if (did_use_aesni_avx)
349         {
350           if (burn_stack_depth < 16 * CAMELLIA_BLOCK_SIZE + 2 * sizeof(void *))
351             burn_stack_depth = 16 * CAMELLIA_BLOCK_SIZE + 2 * sizeof(void *);
352         }
353
354       /* Use generic code to handle smaller chunks... */
355       /* TODO: use caching instead? */
356     }
357 #endif
358
359   for ( ;nblocks; nblocks-- )
360     {
361       /* Encrypt the counter. */
362       Camellia_EncryptBlock(ctx->keybitlength, ctr, ctx->keytable, tmpbuf);
363       /* XOR the input with the encrypted counter and store in output.  */
364       buf_xor(outbuf, tmpbuf, inbuf, CAMELLIA_BLOCK_SIZE);
365       outbuf += CAMELLIA_BLOCK_SIZE;
366       inbuf  += CAMELLIA_BLOCK_SIZE;
367       /* Increment the counter.  */
368       for (i = CAMELLIA_BLOCK_SIZE; i > 0; i--)
369         {
370           ctr[i-1]++;
371           if (ctr[i-1])
372             break;
373         }
374     }
375
376   wipememory(tmpbuf, sizeof(tmpbuf));
377   _gcry_burn_stack(burn_stack_depth);
378 }
379
380 /* Bulk decryption of complete blocks in CBC mode.  This function is only
381    intended for the bulk encryption feature of cipher.c. */
382 void
383 _gcry_camellia_cbc_dec(void *context, unsigned char *iv,
384                        void *outbuf_arg, const void *inbuf_arg,
385                        size_t nblocks)
386 {
387   CAMELLIA_context *ctx = context;
388   unsigned char *outbuf = outbuf_arg;
389   const unsigned char *inbuf = inbuf_arg;
390   unsigned char savebuf[CAMELLIA_BLOCK_SIZE];
391   int burn_stack_depth = CAMELLIA_decrypt_stack_burn_size;
392
393 #ifdef USE_AESNI_AVX2
394   if (ctx->use_aesni_avx2)
395     {
396       int did_use_aesni_avx2 = 0;
397
398       /* Process data in 32 block chunks. */
399       while (nblocks >= 32)
400         {
401           _gcry_camellia_aesni_avx2_cbc_dec(ctx, outbuf, inbuf, iv);
402
403           nblocks -= 32;
404           outbuf += 32 * CAMELLIA_BLOCK_SIZE;
405           inbuf  += 32 * CAMELLIA_BLOCK_SIZE;
406           did_use_aesni_avx2 = 1;
407         }
408
409       if (did_use_aesni_avx2)
410         {
411           int avx2_burn_stack_depth = 32 * CAMELLIA_BLOCK_SIZE + 16 +
412                                         2 * sizeof(void *);
413
414           if (burn_stack_depth < avx2_burn_stack_depth)
415             burn_stack_depth = avx2_burn_stack_depth;
416         }
417
418       /* Use generic code to handle smaller chunks... */
419     }
420 #endif
421
422 #ifdef USE_AESNI_AVX
423   if (ctx->use_aesni_avx)
424     {
425       int did_use_aesni_avx = 0;
426
427       /* Process data in 16 block chunks. */
428       while (nblocks >= 16)
429         {
430           _gcry_camellia_aesni_avx_cbc_dec(ctx, outbuf, inbuf, iv);
431
432           nblocks -= 16;
433           outbuf += 16 * CAMELLIA_BLOCK_SIZE;
434           inbuf  += 16 * CAMELLIA_BLOCK_SIZE;
435           did_use_aesni_avx = 1;
436         }
437
438       if (did_use_aesni_avx)
439         {
440           if (burn_stack_depth < 16 * CAMELLIA_BLOCK_SIZE + 2 * sizeof(void *))
441             burn_stack_depth = 16 * CAMELLIA_BLOCK_SIZE + 2 * sizeof(void *);
442         }
443
444       /* Use generic code to handle smaller chunks... */
445     }
446 #endif
447
448   for ( ;nblocks; nblocks-- )
449     {
450       /* INBUF is needed later and it may be identical to OUTBUF, so store
451          the intermediate result to SAVEBUF.  */
452       Camellia_DecryptBlock(ctx->keybitlength, inbuf, ctx->keytable, savebuf);
453
454       buf_xor_n_copy_2(outbuf, savebuf, iv, inbuf, CAMELLIA_BLOCK_SIZE);
455       inbuf += CAMELLIA_BLOCK_SIZE;
456       outbuf += CAMELLIA_BLOCK_SIZE;
457     }
458
459   wipememory(savebuf, sizeof(savebuf));
460   _gcry_burn_stack(burn_stack_depth);
461 }
462
463 /* Bulk decryption of complete blocks in CFB mode.  This function is only
464    intended for the bulk encryption feature of cipher.c. */
465 void
466 _gcry_camellia_cfb_dec(void *context, unsigned char *iv,
467                        void *outbuf_arg, const void *inbuf_arg,
468                        size_t nblocks)
469 {
470   CAMELLIA_context *ctx = context;
471   unsigned char *outbuf = outbuf_arg;
472   const unsigned char *inbuf = inbuf_arg;
473   int burn_stack_depth = CAMELLIA_decrypt_stack_burn_size;
474
475 #ifdef USE_AESNI_AVX2
476   if (ctx->use_aesni_avx2)
477     {
478       int did_use_aesni_avx2 = 0;
479
480       /* Process data in 32 block chunks. */
481       while (nblocks >= 32)
482         {
483           _gcry_camellia_aesni_avx2_cfb_dec(ctx, outbuf, inbuf, iv);
484
485           nblocks -= 32;
486           outbuf += 32 * CAMELLIA_BLOCK_SIZE;
487           inbuf  += 32 * CAMELLIA_BLOCK_SIZE;
488           did_use_aesni_avx2 = 1;
489         }
490
491       if (did_use_aesni_avx2)
492         {
493           int avx2_burn_stack_depth = 32 * CAMELLIA_BLOCK_SIZE + 16 +
494                                         2 * sizeof(void *);
495
496           if (burn_stack_depth < avx2_burn_stack_depth)
497             burn_stack_depth = avx2_burn_stack_depth;
498         }
499
500       /* Use generic code to handle smaller chunks... */
501     }
502 #endif
503
504 #ifdef USE_AESNI_AVX
505   if (ctx->use_aesni_avx)
506     {
507       int did_use_aesni_avx = 0;
508
509       /* Process data in 16 block chunks. */
510       while (nblocks >= 16)
511         {
512           _gcry_camellia_aesni_avx_cfb_dec(ctx, outbuf, inbuf, iv);
513
514           nblocks -= 16;
515           outbuf += 16 * CAMELLIA_BLOCK_SIZE;
516           inbuf  += 16 * CAMELLIA_BLOCK_SIZE;
517           did_use_aesni_avx = 1;
518         }
519
520       if (did_use_aesni_avx)
521         {
522           if (burn_stack_depth < 16 * CAMELLIA_BLOCK_SIZE + 2 * sizeof(void *))
523             burn_stack_depth = 16 * CAMELLIA_BLOCK_SIZE + 2 * sizeof(void *);
524         }
525
526       /* Use generic code to handle smaller chunks... */
527     }
528 #endif
529
530   for ( ;nblocks; nblocks-- )
531     {
532       Camellia_EncryptBlock(ctx->keybitlength, iv, ctx->keytable, iv);
533       buf_xor_n_copy(outbuf, iv, inbuf, CAMELLIA_BLOCK_SIZE);
534       outbuf += CAMELLIA_BLOCK_SIZE;
535       inbuf  += CAMELLIA_BLOCK_SIZE;
536     }
537
538   _gcry_burn_stack(burn_stack_depth);
539 }
540
541 /* Run the self-tests for CAMELLIA-CTR-128, tests IV increment of bulk CTR
542    encryption.  Returns NULL on success. */
543 static const char*
544 selftest_ctr_128 (void)
545 {
546   const int nblocks = 32+16+1;
547   const int blocksize = CAMELLIA_BLOCK_SIZE;
548   const int context_size = sizeof(CAMELLIA_context);
549
550   return _gcry_selftest_helper_ctr("CAMELLIA", &camellia_setkey,
551            &camellia_encrypt, &_gcry_camellia_ctr_enc, nblocks, blocksize,
552            context_size);
553 }
554
555 /* Run the self-tests for CAMELLIA-CBC-128, tests bulk CBC decryption.
556    Returns NULL on success. */
557 static const char*
558 selftest_cbc_128 (void)
559 {
560   const int nblocks = 32+16+2;
561   const int blocksize = CAMELLIA_BLOCK_SIZE;
562   const int context_size = sizeof(CAMELLIA_context);
563
564   return _gcry_selftest_helper_cbc("CAMELLIA", &camellia_setkey,
565            &camellia_encrypt, &_gcry_camellia_cbc_dec, nblocks, blocksize,
566            context_size);
567 }
568
569 /* Run the self-tests for CAMELLIA-CFB-128, tests bulk CFB decryption.
570    Returns NULL on success. */
571 static const char*
572 selftest_cfb_128 (void)
573 {
574   const int nblocks = 32+16+2;
575   const int blocksize = CAMELLIA_BLOCK_SIZE;
576   const int context_size = sizeof(CAMELLIA_context);
577
578   return _gcry_selftest_helper_cfb("CAMELLIA", &camellia_setkey,
579            &camellia_encrypt, &_gcry_camellia_cfb_dec, nblocks, blocksize,
580            context_size);
581 }
582
583 static const char *
584 selftest(void)
585 {
586   CAMELLIA_context ctx;
587   byte scratch[16];
588   const char *r;
589
590   /* These test vectors are from RFC-3713 */
591   static const byte plaintext[]=
592     {
593       0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
594       0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10
595     };
596   static const byte key_128[]=
597     {
598       0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
599       0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10
600     };
601   static const byte ciphertext_128[]=
602     {
603       0x67,0x67,0x31,0x38,0x54,0x96,0x69,0x73,
604       0x08,0x57,0x06,0x56,0x48,0xea,0xbe,0x43
605     };
606   static const byte key_192[]=
607     {
608       0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xfe,0xdc,0xba,0x98,
609       0x76,0x54,0x32,0x10,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77
610     };
611   static const byte ciphertext_192[]=
612     {
613       0xb4,0x99,0x34,0x01,0xb3,0xe9,0x96,0xf8,
614       0x4e,0xe5,0xce,0xe7,0xd7,0x9b,0x09,0xb9
615     };
616   static const byte key_256[]=
617     {
618       0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xfe,0xdc,0xba,
619       0x98,0x76,0x54,0x32,0x10,0x00,0x11,0x22,0x33,0x44,0x55,
620       0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff
621     };
622   static const byte ciphertext_256[]=
623     {
624       0x9a,0xcc,0x23,0x7d,0xff,0x16,0xd7,0x6c,
625       0x20,0xef,0x7c,0x91,0x9e,0x3a,0x75,0x09
626     };
627
628   camellia_setkey(&ctx,key_128,sizeof(key_128));
629   camellia_encrypt(&ctx,scratch,plaintext);
630   if(memcmp(scratch,ciphertext_128,sizeof(ciphertext_128))!=0)
631     return "CAMELLIA-128 test encryption failed.";
632   camellia_decrypt(&ctx,scratch,scratch);
633   if(memcmp(scratch,plaintext,sizeof(plaintext))!=0)
634     return "CAMELLIA-128 test decryption failed.";
635
636   camellia_setkey(&ctx,key_192,sizeof(key_192));
637   camellia_encrypt(&ctx,scratch,plaintext);
638   if(memcmp(scratch,ciphertext_192,sizeof(ciphertext_192))!=0)
639     return "CAMELLIA-192 test encryption failed.";
640   camellia_decrypt(&ctx,scratch,scratch);
641   if(memcmp(scratch,plaintext,sizeof(plaintext))!=0)
642     return "CAMELLIA-192 test decryption failed.";
643
644   camellia_setkey(&ctx,key_256,sizeof(key_256));
645   camellia_encrypt(&ctx,scratch,plaintext);
646   if(memcmp(scratch,ciphertext_256,sizeof(ciphertext_256))!=0)
647     return "CAMELLIA-256 test encryption failed.";
648   camellia_decrypt(&ctx,scratch,scratch);
649   if(memcmp(scratch,plaintext,sizeof(plaintext))!=0)
650     return "CAMELLIA-256 test decryption failed.";
651
652   if ( (r = selftest_ctr_128 ()) )
653     return r;
654
655   if ( (r = selftest_cbc_128 ()) )
656     return r;
657
658   if ( (r = selftest_cfb_128 ()) )
659     return r;
660
661   return NULL;
662 }
663
664 /* These oids are from
665    <http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications_oid.html>,
666    retrieved May 1, 2007. */
667
668 static gcry_cipher_oid_spec_t camellia128_oids[] =
669   {
670     {"1.2.392.200011.61.1.1.1.2", GCRY_CIPHER_MODE_CBC},
671     {"0.3.4401.5.3.1.9.1", GCRY_CIPHER_MODE_ECB},
672     {"0.3.4401.5.3.1.9.3", GCRY_CIPHER_MODE_OFB},
673     {"0.3.4401.5.3.1.9.4", GCRY_CIPHER_MODE_CFB},
674     { NULL }
675   };
676
677 static gcry_cipher_oid_spec_t camellia192_oids[] =
678   {
679     {"1.2.392.200011.61.1.1.1.3", GCRY_CIPHER_MODE_CBC},
680     {"0.3.4401.5.3.1.9.21", GCRY_CIPHER_MODE_ECB},
681     {"0.3.4401.5.3.1.9.23", GCRY_CIPHER_MODE_OFB},
682     {"0.3.4401.5.3.1.9.24", GCRY_CIPHER_MODE_CFB},
683     { NULL }
684   };
685
686 static gcry_cipher_oid_spec_t camellia256_oids[] =
687   {
688     {"1.2.392.200011.61.1.1.1.4", GCRY_CIPHER_MODE_CBC},
689     {"0.3.4401.5.3.1.9.41", GCRY_CIPHER_MODE_ECB},
690     {"0.3.4401.5.3.1.9.43", GCRY_CIPHER_MODE_OFB},
691     {"0.3.4401.5.3.1.9.44", GCRY_CIPHER_MODE_CFB},
692     { NULL }
693   };
694
695 gcry_cipher_spec_t _gcry_cipher_spec_camellia128 =
696   {
697     GCRY_CIPHER_CAMELLIA128, {0, 0},
698     "CAMELLIA128",NULL,camellia128_oids,CAMELLIA_BLOCK_SIZE,128,
699     sizeof(CAMELLIA_context),camellia_setkey,camellia_encrypt,camellia_decrypt
700   };
701
702 gcry_cipher_spec_t _gcry_cipher_spec_camellia192 =
703   {
704     GCRY_CIPHER_CAMELLIA192, {0, 0},
705     "CAMELLIA192",NULL,camellia192_oids,CAMELLIA_BLOCK_SIZE,192,
706     sizeof(CAMELLIA_context),camellia_setkey,camellia_encrypt,camellia_decrypt
707   };
708
709 gcry_cipher_spec_t _gcry_cipher_spec_camellia256 =
710   {
711     GCRY_CIPHER_CAMELLIA256, {0, 0},
712     "CAMELLIA256",NULL,camellia256_oids,CAMELLIA_BLOCK_SIZE,256,
713     sizeof(CAMELLIA_context),camellia_setkey,camellia_encrypt,camellia_decrypt
714   };