camellia: add ARMv6 assembly implementation
[libgcrypt.git] / cipher / camellia-glue.c
1 /* camellia-glue.c - Glue for the Camellia cipher
2  * Copyright (C) 2007 Free Software Foundation, Inc.
3  *
4  * This file is part of Libgcrypt.
5  *
6  * Libgcrypt is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU Lesser General Public License as
8  * published by the Free Software Foundation; either version 2.1 of
9  * the License, or (at your option) any later version.
10  *
11  * Libgcrypt is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
19  * 02110-1301, USA.
20  */
21
22 /* I put all the libgcrypt-specific stuff in this file to keep the
23    camellia.c/camellia.h files exactly as provided by NTT.  If they
24    update their code, this should make it easier to bring the changes
25    in. - dshaw
26
27    There is one small change which needs to be done: Include the
28    following code at the top of camellia.h: */
29 #if 0
30
31 /* To use Camellia with libraries it is often useful to keep the name
32  * space of the library clean.  The following macro is thus useful:
33  *
34  *     #define CAMELLIA_EXT_SYM_PREFIX foo_
35  *
36  * This prefixes all external symbols with "foo_".
37  */
38 #ifdef HAVE_CONFIG_H
39 #include <config.h>
40 #endif
41 #ifdef CAMELLIA_EXT_SYM_PREFIX
42 #define CAMELLIA_PREFIX1(x,y) x ## y
43 #define CAMELLIA_PREFIX2(x,y) CAMELLIA_PREFIX1(x,y)
44 #define CAMELLIA_PREFIX(x)    CAMELLIA_PREFIX2(CAMELLIA_EXT_SYM_PREFIX,x)
45 #define Camellia_Ekeygen      CAMELLIA_PREFIX(Camellia_Ekeygen)
46 #define Camellia_EncryptBlock CAMELLIA_PREFIX(Camellia_EncryptBlock)
47 #define Camellia_DecryptBlock CAMELLIA_PREFIX(Camellia_DecryptBlock)
48 #define camellia_decrypt128   CAMELLIA_PREFIX(camellia_decrypt128)
49 #define camellia_decrypt256   CAMELLIA_PREFIX(camellia_decrypt256)
50 #define camellia_encrypt128   CAMELLIA_PREFIX(camellia_encrypt128)
51 #define camellia_encrypt256   CAMELLIA_PREFIX(camellia_encrypt256)
52 #define camellia_setup128     CAMELLIA_PREFIX(camellia_setup128)
53 #define camellia_setup192     CAMELLIA_PREFIX(camellia_setup192)
54 #define camellia_setup256     CAMELLIA_PREFIX(camellia_setup256)
55 #endif /*CAMELLIA_EXT_SYM_PREFIX*/
56
57 #endif /* Code sample. */
58
59
60 #include <config.h>
61 #include "types.h"
62 #include "g10lib.h"
63 #include "cipher.h"
64 #include "camellia.h"
65 #include "bufhelp.h"
66 #include "cipher-selftest.h"
67
68 /* Helper macro to force alignment to 16 bytes.  */
69 #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
70 # define ATTR_ALIGNED_16  __attribute__ ((aligned (16)))
71 #else
72 # define ATTR_ALIGNED_16
73 #endif
74
75 /* USE_AESNI inidicates whether to compile with Intel AES-NI/AVX code. */
76 #undef USE_AESNI_AVX
77 #if defined(ENABLE_AESNI_SUPPORT) && defined(ENABLE_AVX_SUPPORT)
78 # if defined(__x86_64__) && defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS)
79 #  define USE_AESNI_AVX 1
80 # endif
81 #endif
82
83 /* USE_AESNI_AVX2 inidicates whether to compile with Intel AES-NI/AVX2 code. */
84 #undef USE_AESNI_AVX2
85 #if defined(ENABLE_AESNI_SUPPORT) && defined(ENABLE_AVX2_SUPPORT)
86 # if defined(__x86_64__) && defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS)
87 #  define USE_AESNI_AVX2 1
88 # endif
89 #endif
90
91 typedef struct
92 {
93   int keybitlength;
94   KEY_TABLE_TYPE keytable;
95 #ifdef USE_AESNI_AVX
96   int use_aesni_avx;            /* AES-NI/AVX implementation shall be used.  */
97 #endif /*USE_AESNI_AVX*/
98 #ifdef USE_AESNI_AVX2
99   int use_aesni_avx2;           /* AES-NI/AVX2 implementation shall be used.  */
100 #endif /*USE_AESNI_AVX2*/
101 } CAMELLIA_context;
102
103 #ifdef USE_AESNI_AVX
104 /* Assembler implementations of Camellia using AES-NI and AVX.  Process data
105    in 16 block same time.
106  */
107 extern void _gcry_camellia_aesni_avx_ctr_enc(CAMELLIA_context *ctx,
108                                              unsigned char *out,
109                                              const unsigned char *in,
110                                              unsigned char *ctr);
111
112 extern void _gcry_camellia_aesni_avx_cbc_dec(CAMELLIA_context *ctx,
113                                              unsigned char *out,
114                                              const unsigned char *in,
115                                              unsigned char *iv);
116
117 extern void _gcry_camellia_aesni_avx_cfb_dec(CAMELLIA_context *ctx,
118                                              unsigned char *out,
119                                              const unsigned char *in,
120                                              unsigned char *iv);
121 #endif
122
123 #ifdef USE_AESNI_AVX2
124 /* Assembler implementations of Camellia using AES-NI and AVX2.  Process data
125    in 32 block same time.
126  */
127 extern void _gcry_camellia_aesni_avx2_ctr_enc(CAMELLIA_context *ctx,
128                                               unsigned char *out,
129                                               const unsigned char *in,
130                                               unsigned char *ctr);
131
132 extern void _gcry_camellia_aesni_avx2_cbc_dec(CAMELLIA_context *ctx,
133                                               unsigned char *out,
134                                               const unsigned char *in,
135                                               unsigned char *iv);
136
137 extern void _gcry_camellia_aesni_avx2_cfb_dec(CAMELLIA_context *ctx,
138                                               unsigned char *out,
139                                               const unsigned char *in,
140                                               unsigned char *iv);
141 #endif
142
143 static const char *selftest(void);
144
145 static gcry_err_code_t
146 camellia_setkey(void *c, const byte *key, unsigned keylen)
147 {
148   CAMELLIA_context *ctx=c;
149   static int initialized=0;
150   static const char *selftest_failed=NULL;
151
152   if(keylen!=16 && keylen!=24 && keylen!=32)
153     return GPG_ERR_INV_KEYLEN;
154
155   if(!initialized)
156     {
157       initialized=1;
158       selftest_failed=selftest();
159       if(selftest_failed)
160         log_error("%s\n",selftest_failed);
161     }
162
163   if(selftest_failed)
164     return GPG_ERR_SELFTEST_FAILED;
165
166   ctx->keybitlength=keylen*8;
167   Camellia_Ekeygen(ctx->keybitlength,key,ctx->keytable);
168   _gcry_burn_stack
169     ((19+34+34)*sizeof(u32)+2*sizeof(void*) /* camellia_setup256 */
170      +(4+32)*sizeof(u32)+2*sizeof(void*)    /* camellia_setup192 */
171      +0+sizeof(int)+2*sizeof(void*)         /* Camellia_Ekeygen */
172      +3*2*sizeof(void*)                     /* Function calls.  */
173      );
174
175 #ifdef USE_AESNI_AVX
176   ctx->use_aesni_avx = 0;
177   if ((_gcry_get_hw_features () & HWF_INTEL_AESNI) &&
178       (_gcry_get_hw_features () & HWF_INTEL_AVX))
179     {
180       ctx->use_aesni_avx = 1;
181     }
182 #endif
183
184 #ifdef USE_AESNI_AVX2
185   ctx->use_aesni_avx2 = 0;
186   if ((_gcry_get_hw_features () & HWF_INTEL_AESNI) &&
187       (_gcry_get_hw_features () & HWF_INTEL_AVX2))
188     {
189       ctx->use_aesni_avx2 = 1;
190     }
191 #endif
192
193   return 0;
194 }
195
196 #ifdef USE_ARMV6_ASM
197
198 /* Assembly implementations of CAST5. */
199 extern void _gcry_camellia_armv6_encrypt_block(const KEY_TABLE_TYPE keyTable,
200                                                byte *outbuf, const byte *inbuf,
201                                                const int keybits);
202
203 extern void _gcry_camellia_armv6_decrypt_block(const KEY_TABLE_TYPE keyTable,
204                                                byte *outbuf, const byte *inbuf,
205                                                const int keybits);
206
207 static void Camellia_EncryptBlock(const int keyBitLength,
208                                   const unsigned char *plaintext,
209                                   const KEY_TABLE_TYPE keyTable,
210                                   unsigned char *cipherText)
211 {
212   _gcry_camellia_armv6_encrypt_block(keyTable, cipherText, plaintext,
213                                      keyBitLength);
214 }
215
216 static void Camellia_DecryptBlock(const int keyBitLength,
217                                   const unsigned char *cipherText,
218                                   const KEY_TABLE_TYPE keyTable,
219                                   unsigned char *plaintext)
220 {
221   _gcry_camellia_armv6_decrypt_block(keyTable, plaintext, cipherText,
222                                      keyBitLength);
223 }
224
225 static void
226 camellia_encrypt(void *c, byte *outbuf, const byte *inbuf)
227 {
228   CAMELLIA_context *ctx = c;
229   Camellia_EncryptBlock(ctx->keybitlength,inbuf,ctx->keytable,outbuf);
230 #define CAMELLIA_encrypt_stack_burn_size (15*4)
231   _gcry_burn_stack(CAMELLIA_encrypt_stack_burn_size);
232 }
233
234 static void
235 camellia_decrypt(void *c, byte *outbuf, const byte *inbuf)
236 {
237   CAMELLIA_context *ctx=c;
238   Camellia_DecryptBlock(ctx->keybitlength,inbuf,ctx->keytable,outbuf);
239 #define CAMELLIA_decrypt_stack_burn_size (15*4)
240   _gcry_burn_stack(CAMELLIA_decrypt_stack_burn_size);
241 }
242
243 #else /*USE_ARMV6_ASM*/
244
245 static void
246 camellia_encrypt(void *c, byte *outbuf, const byte *inbuf)
247 {
248   CAMELLIA_context *ctx=c;
249
250   Camellia_EncryptBlock(ctx->keybitlength,inbuf,ctx->keytable,outbuf);
251
252 #define CAMELLIA_encrypt_stack_burn_size \
253   (sizeof(int)+2*sizeof(unsigned char *)+sizeof(void*/*KEY_TABLE_TYPE*/) \
254      +4*sizeof(u32)+4*sizeof(u32) \
255      +2*sizeof(u32*)+4*sizeof(u32) \
256      +2*2*sizeof(void*) /* Function calls.  */ \
257     )
258
259   _gcry_burn_stack(CAMELLIA_encrypt_stack_burn_size);
260 }
261
262 static void
263 camellia_decrypt(void *c, byte *outbuf, const byte *inbuf)
264 {
265   CAMELLIA_context *ctx=c;
266
267   Camellia_DecryptBlock(ctx->keybitlength,inbuf,ctx->keytable,outbuf);
268
269 #define CAMELLIA_decrypt_stack_burn_size \
270     (sizeof(int)+2*sizeof(unsigned char *)+sizeof(void*/*KEY_TABLE_TYPE*/) \
271      +4*sizeof(u32)+4*sizeof(u32) \
272      +2*sizeof(u32*)+4*sizeof(u32) \
273      +2*2*sizeof(void*) /* Function calls.  */ \
274     )
275
276   _gcry_burn_stack(CAMELLIA_decrypt_stack_burn_size);
277 }
278
279 #endif /*!USE_ARMV6_ASM*/
280
281 /* Bulk encryption of complete blocks in CTR mode.  This function is only
282    intended for the bulk encryption feature of cipher.c.  CTR is expected to be
283    of size CAMELLIA_BLOCK_SIZE. */
284 void
285 _gcry_camellia_ctr_enc(void *context, unsigned char *ctr,
286                        void *outbuf_arg, const void *inbuf_arg,
287                        unsigned int nblocks)
288 {
289   CAMELLIA_context *ctx = context;
290   unsigned char *outbuf = outbuf_arg;
291   const unsigned char *inbuf = inbuf_arg;
292   unsigned char tmpbuf[CAMELLIA_BLOCK_SIZE];
293   int burn_stack_depth = CAMELLIA_encrypt_stack_burn_size;
294   int i;
295
296 #ifdef USE_AESNI_AVX2
297   if (ctx->use_aesni_avx2)
298     {
299       int did_use_aesni_avx2 = 0;
300
301       /* Process data in 32 block chunks. */
302       while (nblocks >= 32)
303         {
304           _gcry_camellia_aesni_avx2_ctr_enc(ctx, outbuf, inbuf, ctr);
305
306           nblocks -= 32;
307           outbuf += 32 * CAMELLIA_BLOCK_SIZE;
308           inbuf  += 32 * CAMELLIA_BLOCK_SIZE;
309           did_use_aesni_avx2 = 1;
310         }
311
312       if (did_use_aesni_avx2)
313         {
314           int avx2_burn_stack_depth = 32 * CAMELLIA_BLOCK_SIZE + 16 +
315                                         2 * sizeof(void *);
316
317           /* clear AVX registers */
318           asm volatile ("vzeroall;\n":::);
319
320           if (burn_stack_depth < avx2_burn_stack_depth)
321             burn_stack_depth = avx2_burn_stack_depth;
322         }
323
324       /* Use generic code to handle smaller chunks... */
325       /* TODO: use caching instead? */
326     }
327 #endif
328
329 #ifdef USE_AESNI_AVX
330   if (ctx->use_aesni_avx)
331     {
332       int did_use_aesni_avx = 0;
333
334       /* Process data in 16 block chunks. */
335       while (nblocks >= 16)
336         {
337           _gcry_camellia_aesni_avx_ctr_enc(ctx, outbuf, inbuf, ctr);
338
339           nblocks -= 16;
340           outbuf += 16 * CAMELLIA_BLOCK_SIZE;
341           inbuf  += 16 * CAMELLIA_BLOCK_SIZE;
342           did_use_aesni_avx = 1;
343         }
344
345       if (did_use_aesni_avx)
346         {
347           /* clear AVX registers */
348           asm volatile ("vzeroall;\n":::);
349
350           if (burn_stack_depth < 16 * CAMELLIA_BLOCK_SIZE + 2 * sizeof(void *))
351             burn_stack_depth = 16 * CAMELLIA_BLOCK_SIZE + 2 * sizeof(void *);
352         }
353
354       /* Use generic code to handle smaller chunks... */
355       /* TODO: use caching instead? */
356     }
357 #endif
358
359   for ( ;nblocks; nblocks-- )
360     {
361       /* Encrypt the counter. */
362       Camellia_EncryptBlock(ctx->keybitlength, ctr, ctx->keytable, tmpbuf);
363       /* XOR the input with the encrypted counter and store in output.  */
364       buf_xor(outbuf, tmpbuf, inbuf, CAMELLIA_BLOCK_SIZE);
365       outbuf += CAMELLIA_BLOCK_SIZE;
366       inbuf  += CAMELLIA_BLOCK_SIZE;
367       /* Increment the counter.  */
368       for (i = CAMELLIA_BLOCK_SIZE; i > 0; i--)
369         {
370           ctr[i-1]++;
371           if (ctr[i-1])
372             break;
373         }
374     }
375
376   wipememory(tmpbuf, sizeof(tmpbuf));
377   _gcry_burn_stack(burn_stack_depth);
378 }
379
380 /* Bulk decryption of complete blocks in CBC mode.  This function is only
381    intended for the bulk encryption feature of cipher.c. */
382 void
383 _gcry_camellia_cbc_dec(void *context, unsigned char *iv,
384                        void *outbuf_arg, const void *inbuf_arg,
385                        unsigned int nblocks)
386 {
387   CAMELLIA_context *ctx = context;
388   unsigned char *outbuf = outbuf_arg;
389   const unsigned char *inbuf = inbuf_arg;
390   unsigned char savebuf[CAMELLIA_BLOCK_SIZE];
391   int burn_stack_depth = CAMELLIA_decrypt_stack_burn_size;
392
393 #ifdef USE_AESNI_AVX2
394   if (ctx->use_aesni_avx2)
395     {
396       int did_use_aesni_avx2 = 0;
397
398       /* Process data in 32 block chunks. */
399       while (nblocks >= 32)
400         {
401           _gcry_camellia_aesni_avx2_cbc_dec(ctx, outbuf, inbuf, iv);
402
403           nblocks -= 32;
404           outbuf += 32 * CAMELLIA_BLOCK_SIZE;
405           inbuf  += 32 * CAMELLIA_BLOCK_SIZE;
406           did_use_aesni_avx2 = 1;
407         }
408
409       if (did_use_aesni_avx2)
410         {
411           int avx2_burn_stack_depth = 32 * CAMELLIA_BLOCK_SIZE + 16 +
412                                         2 * sizeof(void *);
413
414           /* clear AVX registers */
415           asm volatile ("vzeroall;\n":::);
416
417           if (burn_stack_depth < avx2_burn_stack_depth)
418             burn_stack_depth = avx2_burn_stack_depth;
419         }
420
421       /* Use generic code to handle smaller chunks... */
422     }
423 #endif
424
425 #ifdef USE_AESNI_AVX
426   if (ctx->use_aesni_avx)
427     {
428       int did_use_aesni_avx = 0;
429
430       /* Process data in 16 block chunks. */
431       while (nblocks >= 16)
432         {
433           _gcry_camellia_aesni_avx_cbc_dec(ctx, outbuf, inbuf, iv);
434
435           nblocks -= 16;
436           outbuf += 16 * CAMELLIA_BLOCK_SIZE;
437           inbuf  += 16 * CAMELLIA_BLOCK_SIZE;
438           did_use_aesni_avx = 1;
439         }
440
441       if (did_use_aesni_avx)
442         {
443           /* clear AVX registers */
444           asm volatile ("vzeroall;\n":::);
445
446           if (burn_stack_depth < 16 * CAMELLIA_BLOCK_SIZE + 2 * sizeof(void *))
447             burn_stack_depth = 16 * CAMELLIA_BLOCK_SIZE + 2 * sizeof(void *);
448         }
449
450       /* Use generic code to handle smaller chunks... */
451     }
452 #endif
453
454   for ( ;nblocks; nblocks-- )
455     {
456       /* We need to save INBUF away because it may be identical to
457          OUTBUF.  */
458       memcpy(savebuf, inbuf, CAMELLIA_BLOCK_SIZE);
459
460       Camellia_DecryptBlock(ctx->keybitlength, inbuf, ctx->keytable, outbuf);
461
462       buf_xor(outbuf, outbuf, iv, CAMELLIA_BLOCK_SIZE);
463       memcpy(iv, savebuf, CAMELLIA_BLOCK_SIZE);
464       inbuf += CAMELLIA_BLOCK_SIZE;
465       outbuf += CAMELLIA_BLOCK_SIZE;
466     }
467
468   wipememory(savebuf, sizeof(savebuf));
469   _gcry_burn_stack(burn_stack_depth);
470 }
471
472 /* Bulk decryption of complete blocks in CFB mode.  This function is only
473    intended for the bulk encryption feature of cipher.c. */
474 void
475 _gcry_camellia_cfb_dec(void *context, unsigned char *iv,
476                        void *outbuf_arg, const void *inbuf_arg,
477                        unsigned int nblocks)
478 {
479   CAMELLIA_context *ctx = context;
480   unsigned char *outbuf = outbuf_arg;
481   const unsigned char *inbuf = inbuf_arg;
482   int burn_stack_depth = CAMELLIA_decrypt_stack_burn_size;
483
484 #ifdef USE_AESNI_AVX2
485   if (ctx->use_aesni_avx2)
486     {
487       int did_use_aesni_avx2 = 0;
488
489       /* Process data in 32 block chunks. */
490       while (nblocks >= 32)
491         {
492           _gcry_camellia_aesni_avx2_cfb_dec(ctx, outbuf, inbuf, iv);
493
494           nblocks -= 32;
495           outbuf += 32 * CAMELLIA_BLOCK_SIZE;
496           inbuf  += 32 * CAMELLIA_BLOCK_SIZE;
497           did_use_aesni_avx2 = 1;
498         }
499
500       if (did_use_aesni_avx2)
501         {
502           int avx2_burn_stack_depth = 32 * CAMELLIA_BLOCK_SIZE + 16 +
503                                         2 * sizeof(void *);
504
505           /* clear AVX registers */
506           asm volatile ("vzeroall;\n":::);
507
508           if (burn_stack_depth < avx2_burn_stack_depth)
509             burn_stack_depth = avx2_burn_stack_depth;
510         }
511
512       /* Use generic code to handle smaller chunks... */
513     }
514 #endif
515
516 #ifdef USE_AESNI_AVX
517   if (ctx->use_aesni_avx)
518     {
519       int did_use_aesni_avx = 0;
520
521       /* Process data in 16 block chunks. */
522       while (nblocks >= 16)
523         {
524           _gcry_camellia_aesni_avx_cfb_dec(ctx, outbuf, inbuf, iv);
525
526           nblocks -= 16;
527           outbuf += 16 * CAMELLIA_BLOCK_SIZE;
528           inbuf  += 16 * CAMELLIA_BLOCK_SIZE;
529           did_use_aesni_avx = 1;
530         }
531
532       if (did_use_aesni_avx)
533         {
534           /* clear AVX registers */
535           asm volatile ("vzeroall;\n":::);
536
537           if (burn_stack_depth < 16 * CAMELLIA_BLOCK_SIZE + 2 * sizeof(void *))
538             burn_stack_depth = 16 * CAMELLIA_BLOCK_SIZE + 2 * sizeof(void *);
539         }
540
541       /* Use generic code to handle smaller chunks... */
542     }
543 #endif
544
545   for ( ;nblocks; nblocks-- )
546     {
547       Camellia_EncryptBlock(ctx->keybitlength, iv, ctx->keytable, iv);
548       buf_xor_n_copy(outbuf, iv, inbuf, CAMELLIA_BLOCK_SIZE);
549       outbuf += CAMELLIA_BLOCK_SIZE;
550       inbuf  += CAMELLIA_BLOCK_SIZE;
551     }
552
553   _gcry_burn_stack(burn_stack_depth);
554 }
555
556 /* Run the self-tests for CAMELLIA-CTR-128, tests IV increment of bulk CTR
557    encryption.  Returns NULL on success. */
558 static const char*
559 selftest_ctr_128 (void)
560 {
561   const int nblocks = 32+1;
562   const int blocksize = CAMELLIA_BLOCK_SIZE;
563   const int context_size = sizeof(CAMELLIA_context);
564
565   return _gcry_selftest_helper_ctr("CAMELLIA", &camellia_setkey,
566            &camellia_encrypt, &_gcry_camellia_ctr_enc, nblocks, blocksize,
567            context_size);
568 }
569
570 /* Run the self-tests for CAMELLIA-CBC-128, tests bulk CBC decryption.
571    Returns NULL on success. */
572 static const char*
573 selftest_cbc_128 (void)
574 {
575   const int nblocks = 32+2;
576   const int blocksize = CAMELLIA_BLOCK_SIZE;
577   const int context_size = sizeof(CAMELLIA_context);
578
579   return _gcry_selftest_helper_cbc("CAMELLIA", &camellia_setkey,
580            &camellia_encrypt, &_gcry_camellia_cbc_dec, nblocks, blocksize,
581            context_size);
582 }
583
584 /* Run the self-tests for CAMELLIA-CFB-128, tests bulk CFB decryption.
585    Returns NULL on success. */
586 static const char*
587 selftest_cfb_128 (void)
588 {
589   const int nblocks = 32+2;
590   const int blocksize = CAMELLIA_BLOCK_SIZE;
591   const int context_size = sizeof(CAMELLIA_context);
592
593   return _gcry_selftest_helper_cfb("CAMELLIA", &camellia_setkey,
594            &camellia_encrypt, &_gcry_camellia_cfb_dec, nblocks, blocksize,
595            context_size);
596 }
597
598 static const char *
599 selftest(void)
600 {
601   CAMELLIA_context ctx;
602   byte scratch[16];
603   const char *r;
604
605   /* These test vectors are from RFC-3713 */
606   const byte plaintext[]=
607     {
608       0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
609       0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10
610     };
611   const byte key_128[]=
612     {
613       0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
614       0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10
615     };
616   const byte ciphertext_128[]=
617     {
618       0x67,0x67,0x31,0x38,0x54,0x96,0x69,0x73,
619       0x08,0x57,0x06,0x56,0x48,0xea,0xbe,0x43
620     };
621   const byte key_192[]=
622     {
623       0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xfe,0xdc,0xba,0x98,
624       0x76,0x54,0x32,0x10,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77
625     };
626   const byte ciphertext_192[]=
627     {
628       0xb4,0x99,0x34,0x01,0xb3,0xe9,0x96,0xf8,
629       0x4e,0xe5,0xce,0xe7,0xd7,0x9b,0x09,0xb9
630     };
631   const byte key_256[]=
632     {
633       0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xfe,0xdc,0xba,
634       0x98,0x76,0x54,0x32,0x10,0x00,0x11,0x22,0x33,0x44,0x55,
635       0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff
636     };
637   const byte ciphertext_256[]=
638     {
639       0x9a,0xcc,0x23,0x7d,0xff,0x16,0xd7,0x6c,
640       0x20,0xef,0x7c,0x91,0x9e,0x3a,0x75,0x09
641     };
642
643   camellia_setkey(&ctx,key_128,sizeof(key_128));
644   camellia_encrypt(&ctx,scratch,plaintext);
645   if(memcmp(scratch,ciphertext_128,sizeof(ciphertext_128))!=0)
646     return "CAMELLIA-128 test encryption failed.";
647   camellia_decrypt(&ctx,scratch,scratch);
648   if(memcmp(scratch,plaintext,sizeof(plaintext))!=0)
649     return "CAMELLIA-128 test decryption failed.";
650
651   camellia_setkey(&ctx,key_192,sizeof(key_192));
652   camellia_encrypt(&ctx,scratch,plaintext);
653   if(memcmp(scratch,ciphertext_192,sizeof(ciphertext_192))!=0)
654     return "CAMELLIA-192 test encryption failed.";
655   camellia_decrypt(&ctx,scratch,scratch);
656   if(memcmp(scratch,plaintext,sizeof(plaintext))!=0)
657     return "CAMELLIA-192 test decryption failed.";
658
659   camellia_setkey(&ctx,key_256,sizeof(key_256));
660   camellia_encrypt(&ctx,scratch,plaintext);
661   if(memcmp(scratch,ciphertext_256,sizeof(ciphertext_256))!=0)
662     return "CAMELLIA-256 test encryption failed.";
663   camellia_decrypt(&ctx,scratch,scratch);
664   if(memcmp(scratch,plaintext,sizeof(plaintext))!=0)
665     return "CAMELLIA-256 test decryption failed.";
666
667   if ( (r = selftest_ctr_128 ()) )
668     return r;
669
670   if ( (r = selftest_cbc_128 ()) )
671     return r;
672
673   if ( (r = selftest_cfb_128 ()) )
674     return r;
675
676   return NULL;
677 }
678
679 /* These oids are from
680    <http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications_oid.html>,
681    retrieved May 1, 2007. */
682
683 static gcry_cipher_oid_spec_t camellia128_oids[] =
684   {
685     {"1.2.392.200011.61.1.1.1.2", GCRY_CIPHER_MODE_CBC},
686     {"0.3.4401.5.3.1.9.1", GCRY_CIPHER_MODE_ECB},
687     {"0.3.4401.5.3.1.9.3", GCRY_CIPHER_MODE_OFB},
688     {"0.3.4401.5.3.1.9.4", GCRY_CIPHER_MODE_CFB},
689     { NULL }
690   };
691
692 static gcry_cipher_oid_spec_t camellia192_oids[] =
693   {
694     {"1.2.392.200011.61.1.1.1.3", GCRY_CIPHER_MODE_CBC},
695     {"0.3.4401.5.3.1.9.21", GCRY_CIPHER_MODE_ECB},
696     {"0.3.4401.5.3.1.9.23", GCRY_CIPHER_MODE_OFB},
697     {"0.3.4401.5.3.1.9.24", GCRY_CIPHER_MODE_CFB},
698     { NULL }
699   };
700
701 static gcry_cipher_oid_spec_t camellia256_oids[] =
702   {
703     {"1.2.392.200011.61.1.1.1.4", GCRY_CIPHER_MODE_CBC},
704     {"0.3.4401.5.3.1.9.41", GCRY_CIPHER_MODE_ECB},
705     {"0.3.4401.5.3.1.9.43", GCRY_CIPHER_MODE_OFB},
706     {"0.3.4401.5.3.1.9.44", GCRY_CIPHER_MODE_CFB},
707     { NULL }
708   };
709
710 gcry_cipher_spec_t _gcry_cipher_spec_camellia128 =
711   {
712     "CAMELLIA128",NULL,camellia128_oids,CAMELLIA_BLOCK_SIZE,128,
713     sizeof(CAMELLIA_context),camellia_setkey,camellia_encrypt,camellia_decrypt
714   };
715
716 gcry_cipher_spec_t _gcry_cipher_spec_camellia192 =
717   {
718     "CAMELLIA192",NULL,camellia192_oids,CAMELLIA_BLOCK_SIZE,192,
719     sizeof(CAMELLIA_context),camellia_setkey,camellia_encrypt,camellia_decrypt
720   };
721
722 gcry_cipher_spec_t _gcry_cipher_spec_camellia256 =
723   {
724     "CAMELLIA256",NULL,camellia256_oids,CAMELLIA_BLOCK_SIZE,256,
725     sizeof(CAMELLIA_context),camellia_setkey,camellia_encrypt,camellia_decrypt
726   };