Camellia, prepare glue code for AES-NI/AVX implementation
[libgcrypt.git] / cipher / camellia-glue.c
1 /* camellia-glue.c - Glue for the Camellia cipher
2  * Copyright (C) 2007 Free Software Foundation, Inc.
3  *
4  * This file is part of Libgcrypt.
5  *
6  * Libgcrypt is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU Lesser General Public License as
8  * published by the Free Software Foundation; either version 2.1 of
9  * the License, or (at your option) any later version.
10  *
11  * Libgcrypt is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
19  * 02110-1301, USA.
20  */
21
22 /* I put all the libgcrypt-specific stuff in this file to keep the
23    camellia.c/camellia.h files exactly as provided by NTT.  If they
24    update their code, this should make it easier to bring the changes
25    in. - dshaw
26
27    There is one small change which needs to be done: Include the
28    following code at the top of camellia.h: */
29 #if 0
30
31 /* To use Camellia with libraries it is often useful to keep the name
32  * space of the library clean.  The following macro is thus useful:
33  *
34  *     #define CAMELLIA_EXT_SYM_PREFIX foo_
35  *
36  * This prefixes all external symbols with "foo_".
37  */
38 #ifdef HAVE_CONFIG_H
39 #include <config.h>
40 #endif
41 #ifdef CAMELLIA_EXT_SYM_PREFIX
42 #define CAMELLIA_PREFIX1(x,y) x ## y
43 #define CAMELLIA_PREFIX2(x,y) CAMELLIA_PREFIX1(x,y)
44 #define CAMELLIA_PREFIX(x)    CAMELLIA_PREFIX2(CAMELLIA_EXT_SYM_PREFIX,x)
45 #define Camellia_Ekeygen      CAMELLIA_PREFIX(Camellia_Ekeygen)
46 #define Camellia_EncryptBlock CAMELLIA_PREFIX(Camellia_EncryptBlock)
47 #define Camellia_DecryptBlock CAMELLIA_PREFIX(Camellia_DecryptBlock)
48 #define camellia_decrypt128   CAMELLIA_PREFIX(camellia_decrypt128)
49 #define camellia_decrypt256   CAMELLIA_PREFIX(camellia_decrypt256)
50 #define camellia_encrypt128   CAMELLIA_PREFIX(camellia_encrypt128)
51 #define camellia_encrypt256   CAMELLIA_PREFIX(camellia_encrypt256)
52 #define camellia_setup128     CAMELLIA_PREFIX(camellia_setup128)
53 #define camellia_setup192     CAMELLIA_PREFIX(camellia_setup192)
54 #define camellia_setup256     CAMELLIA_PREFIX(camellia_setup256)
55 #endif /*CAMELLIA_EXT_SYM_PREFIX*/
56
57 #endif /* Code sample. */
58
59
60 #include <config.h>
61 #include "types.h"
62 #include "g10lib.h"
63 #include "cipher.h"
64 #include "camellia.h"
65 #include "bufhelp.h"
66
67 /* Helper macro to force alignment to 16 bytes.  */
68 #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
69 # define ATTR_ALIGNED_16  __attribute__ ((aligned (16)))
70 #else
71 # define ATTR_ALIGNED_16
72 #endif
73
74 typedef struct
75 {
76   int keybitlength;
77   KEY_TABLE_TYPE keytable;
78 } CAMELLIA_context;
79
80 static const char *selftest(void);
81
82 static gcry_err_code_t
83 camellia_setkey(void *c, const byte *key, unsigned keylen)
84 {
85   CAMELLIA_context *ctx=c;
86   static int initialized=0;
87   static const char *selftest_failed=NULL;
88
89   if(keylen!=16 && keylen!=24 && keylen!=32)
90     return GPG_ERR_INV_KEYLEN;
91
92   if(!initialized)
93     {
94       initialized=1;
95       selftest_failed=selftest();
96       if(selftest_failed)
97         log_error("%s\n",selftest_failed);
98     }
99
100   if(selftest_failed)
101     return GPG_ERR_SELFTEST_FAILED;
102
103   ctx->keybitlength=keylen*8;
104   Camellia_Ekeygen(ctx->keybitlength,key,ctx->keytable);
105   _gcry_burn_stack
106     ((19+34+34)*sizeof(u32)+2*sizeof(void*) /* camellia_setup256 */
107      +(4+32)*sizeof(u32)+2*sizeof(void*)    /* camellia_setup192 */
108      +0+sizeof(int)+2*sizeof(void*)         /* Camellia_Ekeygen */
109      +3*2*sizeof(void*)                     /* Function calls.  */
110      );
111
112   return 0;
113 }
114
115 static void
116 camellia_encrypt(void *c, byte *outbuf, const byte *inbuf)
117 {
118   CAMELLIA_context *ctx=c;
119
120   Camellia_EncryptBlock(ctx->keybitlength,inbuf,ctx->keytable,outbuf);
121
122 #define CAMELLIA_encrypt_stack_burn_size \
123   (sizeof(int)+2*sizeof(unsigned char *)+sizeof(void*/*KEY_TABLE_TYPE*/) \
124      +4*sizeof(u32) \
125      +2*sizeof(u32*)+4*sizeof(u32) \
126      +2*2*sizeof(void*) /* Function calls.  */ \
127     )
128
129   _gcry_burn_stack(CAMELLIA_encrypt_stack_burn_size);
130 }
131
132 static void
133 camellia_decrypt(void *c, byte *outbuf, const byte *inbuf)
134 {
135   CAMELLIA_context *ctx=c;
136
137   Camellia_DecryptBlock(ctx->keybitlength,inbuf,ctx->keytable,outbuf);
138
139 #define CAMELLIA_decrypt_stack_burn_size \
140     (sizeof(int)+2*sizeof(unsigned char *)+sizeof(void*/*KEY_TABLE_TYPE*/) \
141      +4*sizeof(u32) \
142      +2*sizeof(u32*)+4*sizeof(u32) \
143      +2*2*sizeof(void*) /* Function calls.  */ \
144     )
145
146   _gcry_burn_stack(CAMELLIA_decrypt_stack_burn_size);
147 }
148
149 /* Bulk encryption of complete blocks in CTR mode.  This function is only
150    intended for the bulk encryption feature of cipher.c.  CTR is expected to be
151    of size CAMELLIA_BLOCK_SIZE. */
152 void
153 _gcry_camellia_ctr_enc(void *context, unsigned char *ctr,
154                        void *outbuf_arg, const void *inbuf_arg,
155                        unsigned int nblocks)
156 {
157   CAMELLIA_context *ctx = context;
158   unsigned char *outbuf = outbuf_arg;
159   const unsigned char *inbuf = inbuf_arg;
160   unsigned char tmpbuf[CAMELLIA_BLOCK_SIZE];
161   int i;
162
163   for ( ;nblocks; nblocks-- )
164     {
165       /* Encrypt the counter. */
166       Camellia_EncryptBlock(ctx->keybitlength, ctr, ctx->keytable, tmpbuf);
167       /* XOR the input with the encrypted counter and store in output.  */
168       buf_xor(outbuf, tmpbuf, inbuf, CAMELLIA_BLOCK_SIZE);
169       outbuf += CAMELLIA_BLOCK_SIZE;
170       inbuf  += CAMELLIA_BLOCK_SIZE;
171       /* Increment the counter.  */
172       for (i = CAMELLIA_BLOCK_SIZE; i > 0; i--)
173         {
174           ctr[i-1]++;
175           if (ctr[i-1])
176             break;
177         }
178     }
179
180   wipememory(tmpbuf, sizeof(tmpbuf));
181   _gcry_burn_stack(CAMELLIA_encrypt_stack_burn_size);
182 }
183
184 /* Bulk decryption of complete blocks in CBC mode.  This function is only
185    intended for the bulk encryption feature of cipher.c. */
186 void
187 _gcry_camellia_cbc_dec(void *context, unsigned char *iv,
188                        void *outbuf_arg, const void *inbuf_arg,
189                        unsigned int nblocks)
190 {
191   CAMELLIA_context *ctx = context;
192   unsigned char *outbuf = outbuf_arg;
193   const unsigned char *inbuf = inbuf_arg;
194   unsigned char savebuf[CAMELLIA_BLOCK_SIZE];
195
196   for ( ;nblocks; nblocks-- )
197     {
198       /* We need to save INBUF away because it may be identical to
199          OUTBUF.  */
200       memcpy(savebuf, inbuf, CAMELLIA_BLOCK_SIZE);
201
202       Camellia_DecryptBlock(ctx->keybitlength, inbuf, ctx->keytable, outbuf);
203
204       buf_xor(outbuf, outbuf, iv, CAMELLIA_BLOCK_SIZE);
205       memcpy(iv, savebuf, CAMELLIA_BLOCK_SIZE);
206       inbuf += CAMELLIA_BLOCK_SIZE;
207       outbuf += CAMELLIA_BLOCK_SIZE;
208     }
209
210   wipememory(savebuf, sizeof(savebuf));
211   _gcry_burn_stack(CAMELLIA_decrypt_stack_burn_size);
212 }
213
214 /* Run the self-tests for CAMELLIA-CTR-128, tests IV increment of bulk CTR
215    encryption.  Returns NULL on success. */
216 static const char*
217 selftest_ctr_128 (void)
218 {
219   const int nblocks = 16+1;
220   CAMELLIA_context ctx ATTR_ALIGNED_16;
221   unsigned char plaintext[nblocks*16] ATTR_ALIGNED_16;
222   unsigned char ciphertext[nblocks*16] ATTR_ALIGNED_16;
223   unsigned char plaintext2[nblocks*16] ATTR_ALIGNED_16;
224   unsigned char iv[16] ATTR_ALIGNED_16;
225   unsigned char iv2[16] ATTR_ALIGNED_16;
226   int i, j, diff;
227
228   static const unsigned char key[16] ATTR_ALIGNED_16 = {
229       0x06,0x9A,0x00,0x7F,0xC7,0x6A,0x45,0x9F,
230       0x98,0xBA,0xF9,0x17,0xFE,0xDF,0x95,0x21
231     };
232   static char error_str[128];
233
234   camellia_setkey (&ctx, key, sizeof (key));
235
236   /* Test single block code path */
237   memset(iv, 0xff, sizeof(iv));
238   for (i = 0; i < 16; i++)
239     plaintext[i] = i;
240
241   /* CTR manually.  */
242   camellia_encrypt (&ctx, ciphertext, iv);
243   for (i = 0; i < 16; i++)
244     ciphertext[i] ^= plaintext[i];
245   for (i = 16; i > 0; i--)
246     {
247       iv[i-1]++;
248       if (iv[i-1])
249         break;
250     }
251
252   memset(iv2, 0xff, sizeof(iv2));
253   _gcry_camellia_ctr_enc (&ctx, iv2, plaintext2, ciphertext, 1);
254
255   if (memcmp(plaintext2, plaintext, 16))
256     return "CAMELLIA-128-CTR test failed (plaintext mismatch)";
257
258   if (memcmp(iv2, iv, 16))
259     return "CAMELLIA-128-CTR test failed (IV mismatch)";
260
261   /* Test parallelized code paths */
262   for (diff = 0; diff < nblocks; diff++) {
263     memset(iv, 0xff, sizeof(iv));
264     iv[15] -= diff;
265
266     for (i = 0; i < sizeof(plaintext); i++)
267       plaintext[i] = i;
268
269     /* Create CTR ciphertext manually.  */
270     for (i = 0; i < sizeof(plaintext); i+=16)
271       {
272         camellia_encrypt (&ctx, &ciphertext[i], iv);
273         for (j = 0; j < 16; j++)
274           ciphertext[i+j] ^= plaintext[i+j];
275         for (j = 16; j > 0; j--)
276           {
277             iv[j-1]++;
278             if (iv[j-1])
279               break;
280           }
281       }
282
283     /* Decrypt using bulk CTR and compare result.  */
284     memset(iv2, 0xff, sizeof(iv2));
285     iv2[15] -= diff;
286
287     _gcry_camellia_ctr_enc (&ctx, iv2, plaintext2, ciphertext,
288                             sizeof(ciphertext) / CAMELLIA_BLOCK_SIZE);
289
290     if (memcmp(plaintext2, plaintext, sizeof(plaintext)))
291       {
292         snprintf(error_str, sizeof(error_str),
293                  "CAMELLIA-128-CTR test failed (plaintext mismatch, diff: %d)",
294                  diff);
295         return error_str;
296       }
297     if (memcmp(iv2, iv, sizeof(iv)))
298       {
299         snprintf(error_str, sizeof(error_str),
300                  "CAMELLIA-128-CTR test failed (IV mismatch, diff: %d)",
301                  diff);
302         return error_str;
303       }
304   }
305
306   return NULL;
307 }
308
309 static const char *
310 selftest(void)
311 {
312   CAMELLIA_context ctx;
313   byte scratch[16];
314   const char *r;
315
316   /* These test vectors are from RFC-3713 */
317   const byte plaintext[]=
318     {
319       0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
320       0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10
321     };
322   const byte key_128[]=
323     {
324       0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
325       0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10
326     };
327   const byte ciphertext_128[]=
328     {
329       0x67,0x67,0x31,0x38,0x54,0x96,0x69,0x73,
330       0x08,0x57,0x06,0x56,0x48,0xea,0xbe,0x43
331     };
332   const byte key_192[]=
333     {
334       0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xfe,0xdc,0xba,0x98,
335       0x76,0x54,0x32,0x10,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77
336     };
337   const byte ciphertext_192[]=
338     {
339       0xb4,0x99,0x34,0x01,0xb3,0xe9,0x96,0xf8,
340       0x4e,0xe5,0xce,0xe7,0xd7,0x9b,0x09,0xb9
341     };
342   const byte key_256[]=
343     {
344       0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xfe,0xdc,0xba,
345       0x98,0x76,0x54,0x32,0x10,0x00,0x11,0x22,0x33,0x44,0x55,
346       0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff
347     };
348   const byte ciphertext_256[]=
349     {
350       0x9a,0xcc,0x23,0x7d,0xff,0x16,0xd7,0x6c,
351       0x20,0xef,0x7c,0x91,0x9e,0x3a,0x75,0x09
352     };
353
354   camellia_setkey(&ctx,key_128,sizeof(key_128));
355   camellia_encrypt(&ctx,scratch,plaintext);
356   if(memcmp(scratch,ciphertext_128,sizeof(ciphertext_128))!=0)
357     return "CAMELLIA-128 test encryption failed.";
358   camellia_decrypt(&ctx,scratch,scratch);
359   if(memcmp(scratch,plaintext,sizeof(plaintext))!=0)
360     return "CAMELLIA-128 test decryption failed.";
361
362   camellia_setkey(&ctx,key_192,sizeof(key_192));
363   camellia_encrypt(&ctx,scratch,plaintext);
364   if(memcmp(scratch,ciphertext_192,sizeof(ciphertext_192))!=0)
365     return "CAMELLIA-192 test encryption failed.";
366   camellia_decrypt(&ctx,scratch,scratch);
367   if(memcmp(scratch,plaintext,sizeof(plaintext))!=0)
368     return "CAMELLIA-192 test decryption failed.";
369
370   camellia_setkey(&ctx,key_256,sizeof(key_256));
371   camellia_encrypt(&ctx,scratch,plaintext);
372   if(memcmp(scratch,ciphertext_256,sizeof(ciphertext_256))!=0)
373     return "CAMELLIA-256 test encryption failed.";
374   camellia_decrypt(&ctx,scratch,scratch);
375   if(memcmp(scratch,plaintext,sizeof(plaintext))!=0)
376     return "CAMELLIA-256 test decryption failed.";
377
378   if ( (r = selftest_ctr_128 ()) )
379     return r;
380
381   return NULL;
382 }
383
384 /* These oids are from
385    <http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications_oid.html>,
386    retrieved May 1, 2007. */
387
388 static gcry_cipher_oid_spec_t camellia128_oids[] =
389   {
390     {"1.2.392.200011.61.1.1.1.2", GCRY_CIPHER_MODE_CBC},
391     {"0.3.4401.5.3.1.9.1", GCRY_CIPHER_MODE_ECB},
392     {"0.3.4401.5.3.1.9.3", GCRY_CIPHER_MODE_OFB},
393     {"0.3.4401.5.3.1.9.4", GCRY_CIPHER_MODE_CFB},
394     { NULL }
395   };
396
397 static gcry_cipher_oid_spec_t camellia192_oids[] =
398   {
399     {"1.2.392.200011.61.1.1.1.3", GCRY_CIPHER_MODE_CBC},
400     {"0.3.4401.5.3.1.9.21", GCRY_CIPHER_MODE_ECB},
401     {"0.3.4401.5.3.1.9.23", GCRY_CIPHER_MODE_OFB},
402     {"0.3.4401.5.3.1.9.24", GCRY_CIPHER_MODE_CFB},
403     { NULL }
404   };
405
406 static gcry_cipher_oid_spec_t camellia256_oids[] =
407   {
408     {"1.2.392.200011.61.1.1.1.4", GCRY_CIPHER_MODE_CBC},
409     {"0.3.4401.5.3.1.9.41", GCRY_CIPHER_MODE_ECB},
410     {"0.3.4401.5.3.1.9.43", GCRY_CIPHER_MODE_OFB},
411     {"0.3.4401.5.3.1.9.44", GCRY_CIPHER_MODE_CFB},
412     { NULL }
413   };
414
415 gcry_cipher_spec_t _gcry_cipher_spec_camellia128 =
416   {
417     "CAMELLIA128",NULL,camellia128_oids,CAMELLIA_BLOCK_SIZE,128,
418     sizeof(CAMELLIA_context),camellia_setkey,camellia_encrypt,camellia_decrypt
419   };
420
421 gcry_cipher_spec_t _gcry_cipher_spec_camellia192 =
422   {
423     "CAMELLIA192",NULL,camellia192_oids,CAMELLIA_BLOCK_SIZE,192,
424     sizeof(CAMELLIA_context),camellia_setkey,camellia_encrypt,camellia_decrypt
425   };
426
427 gcry_cipher_spec_t _gcry_cipher_spec_camellia256 =
428   {
429     "CAMELLIA256",NULL,camellia256_oids,CAMELLIA_BLOCK_SIZE,256,
430     sizeof(CAMELLIA_context),camellia_setkey,camellia_encrypt,camellia_decrypt
431   };