Botan 3.2.0
Crypto and TLS for C&
camellia.cpp
Go to the documentation of this file.
1/*
2* Camellia
3* (C) 2012,2020 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/camellia.h>
9
10#include <botan/internal/loadstor.h>
11#include <botan/internal/prefetch.h>
12#include <botan/internal/rotate.h>
13
14namespace Botan {
15
16namespace {
17
18namespace Camellia_F {
19
20alignas(256) const uint8_t SBOX1[256] = {
21 0x70, 0x82, 0x2C, 0xEC, 0xB3, 0x27, 0xC0, 0xE5, 0xE4, 0x85, 0x57, 0x35, 0xEA, 0x0C, 0xAE, 0x41, 0x23, 0xEF, 0x6B,
22 0x93, 0x45, 0x19, 0xA5, 0x21, 0xED, 0x0E, 0x4F, 0x4E, 0x1D, 0x65, 0x92, 0xBD, 0x86, 0xB8, 0xAF, 0x8F, 0x7C, 0xEB,
23 0x1F, 0xCE, 0x3E, 0x30, 0xDC, 0x5F, 0x5E, 0xC5, 0x0B, 0x1A, 0xA6, 0xE1, 0x39, 0xCA, 0xD5, 0x47, 0x5D, 0x3D, 0xD9,
24 0x01, 0x5A, 0xD6, 0x51, 0x56, 0x6C, 0x4D, 0x8B, 0x0D, 0x9A, 0x66, 0xFB, 0xCC, 0xB0, 0x2D, 0x74, 0x12, 0x2B, 0x20,
25 0xF0, 0xB1, 0x84, 0x99, 0xDF, 0x4C, 0xCB, 0xC2, 0x34, 0x7E, 0x76, 0x05, 0x6D, 0xB7, 0xA9, 0x31, 0xD1, 0x17, 0x04,
26 0xD7, 0x14, 0x58, 0x3A, 0x61, 0xDE, 0x1B, 0x11, 0x1C, 0x32, 0x0F, 0x9C, 0x16, 0x53, 0x18, 0xF2, 0x22, 0xFE, 0x44,
27 0xCF, 0xB2, 0xC3, 0xB5, 0x7A, 0x91, 0x24, 0x08, 0xE8, 0xA8, 0x60, 0xFC, 0x69, 0x50, 0xAA, 0xD0, 0xA0, 0x7D, 0xA1,
28 0x89, 0x62, 0x97, 0x54, 0x5B, 0x1E, 0x95, 0xE0, 0xFF, 0x64, 0xD2, 0x10, 0xC4, 0x00, 0x48, 0xA3, 0xF7, 0x75, 0xDB,
29 0x8A, 0x03, 0xE6, 0xDA, 0x09, 0x3F, 0xDD, 0x94, 0x87, 0x5C, 0x83, 0x02, 0xCD, 0x4A, 0x90, 0x33, 0x73, 0x67, 0xF6,
30 0xF3, 0x9D, 0x7F, 0xBF, 0xE2, 0x52, 0x9B, 0xD8, 0x26, 0xC8, 0x37, 0xC6, 0x3B, 0x81, 0x96, 0x6F, 0x4B, 0x13, 0xBE,
31 0x63, 0x2E, 0xE9, 0x79, 0xA7, 0x8C, 0x9F, 0x6E, 0xBC, 0x8E, 0x29, 0xF5, 0xF9, 0xB6, 0x2F, 0xFD, 0xB4, 0x59, 0x78,
32 0x98, 0x06, 0x6A, 0xE7, 0x46, 0x71, 0xBA, 0xD4, 0x25, 0xAB, 0x42, 0x88, 0xA2, 0x8D, 0xFA, 0x72, 0x07, 0xB9, 0x55,
33 0xF8, 0xEE, 0xAC, 0x0A, 0x36, 0x49, 0x2A, 0x68, 0x3C, 0x38, 0xF1, 0xA4, 0x40, 0x28, 0xD3, 0x7B, 0xBB, 0xC9, 0x43,
34 0xC1, 0x15, 0xE3, 0xAD, 0xF4, 0x77, 0xC7, 0x80, 0x9E};
35
36// SBOX2[x] = rotl<1>(SBOX1[x])
37alignas(256) const uint8_t SBOX2[256] = {
38 0xE0, 0x05, 0x58, 0xD9, 0x67, 0x4E, 0x81, 0xCB, 0xC9, 0x0B, 0xAE, 0x6A, 0xD5, 0x18, 0x5D, 0x82, 0x46, 0xDF, 0xD6,
39 0x27, 0x8A, 0x32, 0x4B, 0x42, 0xDB, 0x1C, 0x9E, 0x9C, 0x3A, 0xCA, 0x25, 0x7B, 0x0D, 0x71, 0x5F, 0x1F, 0xF8, 0xD7,
40 0x3E, 0x9D, 0x7C, 0x60, 0xB9, 0xBE, 0xBC, 0x8B, 0x16, 0x34, 0x4D, 0xC3, 0x72, 0x95, 0xAB, 0x8E, 0xBA, 0x7A, 0xB3,
41 0x02, 0xB4, 0xAD, 0xA2, 0xAC, 0xD8, 0x9A, 0x17, 0x1A, 0x35, 0xCC, 0xF7, 0x99, 0x61, 0x5A, 0xE8, 0x24, 0x56, 0x40,
42 0xE1, 0x63, 0x09, 0x33, 0xBF, 0x98, 0x97, 0x85, 0x68, 0xFC, 0xEC, 0x0A, 0xDA, 0x6F, 0x53, 0x62, 0xA3, 0x2E, 0x08,
43 0xAF, 0x28, 0xB0, 0x74, 0xC2, 0xBD, 0x36, 0x22, 0x38, 0x64, 0x1E, 0x39, 0x2C, 0xA6, 0x30, 0xE5, 0x44, 0xFD, 0x88,
44 0x9F, 0x65, 0x87, 0x6B, 0xF4, 0x23, 0x48, 0x10, 0xD1, 0x51, 0xC0, 0xF9, 0xD2, 0xA0, 0x55, 0xA1, 0x41, 0xFA, 0x43,
45 0x13, 0xC4, 0x2F, 0xA8, 0xB6, 0x3C, 0x2B, 0xC1, 0xFF, 0xC8, 0xA5, 0x20, 0x89, 0x00, 0x90, 0x47, 0xEF, 0xEA, 0xB7,
46 0x15, 0x06, 0xCD, 0xB5, 0x12, 0x7E, 0xBB, 0x29, 0x0F, 0xB8, 0x07, 0x04, 0x9B, 0x94, 0x21, 0x66, 0xE6, 0xCE, 0xED,
47 0xE7, 0x3B, 0xFE, 0x7F, 0xC5, 0xA4, 0x37, 0xB1, 0x4C, 0x91, 0x6E, 0x8D, 0x76, 0x03, 0x2D, 0xDE, 0x96, 0x26, 0x7D,
48 0xC6, 0x5C, 0xD3, 0xF2, 0x4F, 0x19, 0x3F, 0xDC, 0x79, 0x1D, 0x52, 0xEB, 0xF3, 0x6D, 0x5E, 0xFB, 0x69, 0xB2, 0xF0,
49 0x31, 0x0C, 0xD4, 0xCF, 0x8C, 0xE2, 0x75, 0xA9, 0x4A, 0x57, 0x84, 0x11, 0x45, 0x1B, 0xF5, 0xE4, 0x0E, 0x73, 0xAA,
50 0xF1, 0xDD, 0x59, 0x14, 0x6C, 0x92, 0x54, 0xD0, 0x78, 0x70, 0xE3, 0x49, 0x80, 0x50, 0xA7, 0xF6, 0x77, 0x93, 0x86,
51 0x83, 0x2A, 0xC7, 0x5B, 0xE9, 0xEE, 0x8F, 0x01, 0x3D};
52
53// SBOX3[x] = rotl<7>(SBOX1[x])
54alignas(256) const uint8_t SBOX3[256] = {
55 0x38, 0x41, 0x16, 0x76, 0xD9, 0x93, 0x60, 0xF2, 0x72, 0xC2, 0xAB, 0x9A, 0x75, 0x06, 0x57, 0xA0, 0x91, 0xF7, 0xB5,
56 0xC9, 0xA2, 0x8C, 0xD2, 0x90, 0xF6, 0x07, 0xA7, 0x27, 0x8E, 0xB2, 0x49, 0xDE, 0x43, 0x5C, 0xD7, 0xC7, 0x3E, 0xF5,
57 0x8F, 0x67, 0x1F, 0x18, 0x6E, 0xAF, 0x2F, 0xE2, 0x85, 0x0D, 0x53, 0xF0, 0x9C, 0x65, 0xEA, 0xA3, 0xAE, 0x9E, 0xEC,
58 0x80, 0x2D, 0x6B, 0xA8, 0x2B, 0x36, 0xA6, 0xC5, 0x86, 0x4D, 0x33, 0xFD, 0x66, 0x58, 0x96, 0x3A, 0x09, 0x95, 0x10,
59 0x78, 0xD8, 0x42, 0xCC, 0xEF, 0x26, 0xE5, 0x61, 0x1A, 0x3F, 0x3B, 0x82, 0xB6, 0xDB, 0xD4, 0x98, 0xE8, 0x8B, 0x02,
60 0xEB, 0x0A, 0x2C, 0x1D, 0xB0, 0x6F, 0x8D, 0x88, 0x0E, 0x19, 0x87, 0x4E, 0x0B, 0xA9, 0x0C, 0x79, 0x11, 0x7F, 0x22,
61 0xE7, 0x59, 0xE1, 0xDA, 0x3D, 0xC8, 0x12, 0x04, 0x74, 0x54, 0x30, 0x7E, 0xB4, 0x28, 0x55, 0x68, 0x50, 0xBE, 0xD0,
62 0xC4, 0x31, 0xCB, 0x2A, 0xAD, 0x0F, 0xCA, 0x70, 0xFF, 0x32, 0x69, 0x08, 0x62, 0x00, 0x24, 0xD1, 0xFB, 0xBA, 0xED,
63 0x45, 0x81, 0x73, 0x6D, 0x84, 0x9F, 0xEE, 0x4A, 0xC3, 0x2E, 0xC1, 0x01, 0xE6, 0x25, 0x48, 0x99, 0xB9, 0xB3, 0x7B,
64 0xF9, 0xCE, 0xBF, 0xDF, 0x71, 0x29, 0xCD, 0x6C, 0x13, 0x64, 0x9B, 0x63, 0x9D, 0xC0, 0x4B, 0xB7, 0xA5, 0x89, 0x5F,
65 0xB1, 0x17, 0xF4, 0xBC, 0xD3, 0x46, 0xCF, 0x37, 0x5E, 0x47, 0x94, 0xFA, 0xFC, 0x5B, 0x97, 0xFE, 0x5A, 0xAC, 0x3C,
66 0x4C, 0x03, 0x35, 0xF3, 0x23, 0xB8, 0x5D, 0x6A, 0x92, 0xD5, 0x21, 0x44, 0x51, 0xC6, 0x7D, 0x39, 0x83, 0xDC, 0xAA,
67 0x7C, 0x77, 0x56, 0x05, 0x1B, 0xA4, 0x15, 0x34, 0x1E, 0x1C, 0xF8, 0x52, 0x20, 0x14, 0xE9, 0xBD, 0xDD, 0xE4, 0xA1,
68 0xE0, 0x8A, 0xF1, 0xD6, 0x7A, 0xBB, 0xE3, 0x40, 0x4F};
69
70// SBOX4[x] = SBOX1[rotl<1>(x)]
71alignas(256) const uint8_t SBOX4[256] = {
72 0x70, 0x2C, 0xB3, 0xC0, 0xE4, 0x57, 0xEA, 0xAE, 0x23, 0x6B, 0x45, 0xA5, 0xED, 0x4F, 0x1D, 0x92, 0x86, 0xAF, 0x7C,
73 0x1F, 0x3E, 0xDC, 0x5E, 0x0B, 0xA6, 0x39, 0xD5, 0x5D, 0xD9, 0x5A, 0x51, 0x6C, 0x8B, 0x9A, 0xFB, 0xB0, 0x74, 0x2B,
74 0xF0, 0x84, 0xDF, 0xCB, 0x34, 0x76, 0x6D, 0xA9, 0xD1, 0x04, 0x14, 0x3A, 0xDE, 0x11, 0x32, 0x9C, 0x53, 0xF2, 0xFE,
75 0xCF, 0xC3, 0x7A, 0x24, 0xE8, 0x60, 0x69, 0xAA, 0xA0, 0xA1, 0x62, 0x54, 0x1E, 0xE0, 0x64, 0x10, 0x00, 0xA3, 0x75,
76 0x8A, 0xE6, 0x09, 0xDD, 0x87, 0x83, 0xCD, 0x90, 0x73, 0xF6, 0x9D, 0xBF, 0x52, 0xD8, 0xC8, 0xC6, 0x81, 0x6F, 0x13,
77 0x63, 0xE9, 0xA7, 0x9F, 0xBC, 0x29, 0xF9, 0x2F, 0xB4, 0x78, 0x06, 0xE7, 0x71, 0xD4, 0xAB, 0x88, 0x8D, 0x72, 0xB9,
78 0xF8, 0xAC, 0x36, 0x2A, 0x3C, 0xF1, 0x40, 0xD3, 0xBB, 0x43, 0x15, 0xAD, 0x77, 0x80, 0x82, 0xEC, 0x27, 0xE5, 0x85,
79 0x35, 0x0C, 0x41, 0xEF, 0x93, 0x19, 0x21, 0x0E, 0x4E, 0x65, 0xBD, 0xB8, 0x8F, 0xEB, 0xCE, 0x30, 0x5F, 0xC5, 0x1A,
80 0xE1, 0xCA, 0x47, 0x3D, 0x01, 0xD6, 0x56, 0x4D, 0x0D, 0x66, 0xCC, 0x2D, 0x12, 0x20, 0xB1, 0x99, 0x4C, 0xC2, 0x7E,
81 0x05, 0xB7, 0x31, 0x17, 0xD7, 0x58, 0x61, 0x1B, 0x1C, 0x0F, 0x16, 0x18, 0x22, 0x44, 0xB2, 0xB5, 0x91, 0x08, 0xA8,
82 0xFC, 0x50, 0xD0, 0x7D, 0x89, 0x97, 0x5B, 0x95, 0xFF, 0xD2, 0xC4, 0x48, 0xF7, 0xDB, 0x03, 0xDA, 0x3F, 0x94, 0x5C,
83 0x02, 0x4A, 0x33, 0x67, 0xF3, 0x7F, 0xE2, 0x9B, 0x26, 0x37, 0x3B, 0x96, 0x4B, 0xBE, 0x2E, 0x79, 0x8C, 0x6E, 0x8E,
84 0xF5, 0xB6, 0xFD, 0x59, 0x98, 0x6A, 0x46, 0xBA, 0x25, 0x42, 0xA2, 0xFA, 0x07, 0x55, 0xEE, 0x0A, 0x49, 0x68, 0x38,
85 0xA4, 0x28, 0x7B, 0xC9, 0xC1, 0xE3, 0xF4, 0xC7, 0x9E};
86
87uint64_t F(uint64_t v, uint64_t K) {
88 const uint64_t M1 = 0x0101010001000001;
89 const uint64_t M2 = 0x0001010101010000;
90 const uint64_t M3 = 0x0100010100010100;
91 const uint64_t M4 = 0x0101000100000101;
92 const uint64_t M5 = 0x0001010100010101;
93 const uint64_t M6 = 0x0100010101000101;
94 const uint64_t M7 = 0x0101000101010001;
95 const uint64_t M8 = 0x0101010001010100;
96
97 const uint64_t x = v ^ K;
98
99 const uint64_t Z1 = M1 * SBOX1[get_byte<0>(x)];
100 const uint64_t Z2 = M2 * SBOX2[get_byte<1>(x)];
101 const uint64_t Z3 = M3 * SBOX3[get_byte<2>(x)];
102 const uint64_t Z4 = M4 * SBOX4[get_byte<3>(x)];
103 const uint64_t Z5 = M5 * SBOX2[get_byte<4>(x)];
104 const uint64_t Z6 = M6 * SBOX3[get_byte<5>(x)];
105 const uint64_t Z7 = M7 * SBOX4[get_byte<6>(x)];
106 const uint64_t Z8 = M8 * SBOX1[get_byte<7>(x)];
107
108 return Z1 ^ Z2 ^ Z3 ^ Z4 ^ Z5 ^ Z6 ^ Z7 ^ Z8;
109}
110
111inline uint64_t FL(uint64_t v, uint64_t K) {
112 uint32_t x1 = static_cast<uint32_t>(v >> 32);
113 uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);
114
115 const uint32_t k1 = static_cast<uint32_t>(K >> 32);
116 const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);
117
118 x2 ^= rotl<1>(x1 & k1);
119 x1 ^= (x2 | k2);
120
121 return ((static_cast<uint64_t>(x1) << 32) | x2);
122}
123
124inline uint64_t FLINV(uint64_t v, uint64_t K) {
125 uint32_t x1 = static_cast<uint32_t>(v >> 32);
126 uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);
127
128 const uint32_t k1 = static_cast<uint32_t>(K >> 32);
129 const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);
130
131 x1 ^= (x2 | k2);
132 x2 ^= rotl<1>(x1 & k1);
133
134 return ((static_cast<uint64_t>(x1) << 32) | x2);
135}
136
137/*
138* Camellia Encryption
139*/
140void encrypt(const uint8_t in[], uint8_t out[], size_t blocks, const secure_vector<uint64_t>& SK, const size_t rounds) {
141 prefetch_arrays(SBOX1, SBOX2, SBOX3, SBOX4);
142
143 for(size_t i = 0; i < blocks; ++i) {
144 uint64_t D1, D2;
145 load_be(in + 16 * i, D1, D2);
146
147 const uint64_t* K = SK.data();
148
149 D1 ^= *K++;
150 D2 ^= *K++;
151
152 D2 ^= F(D1, *K++);
153 D1 ^= F(D2, *K++);
154
155 for(size_t r = 1; r != rounds - 1; ++r) {
156 if(r % 3 == 0) {
157 D1 = FL(D1, *K++);
158 D2 = FLINV(D2, *K++);
159 }
160
161 D2 ^= F(D1, *K++);
162 D1 ^= F(D2, *K++);
163 }
164
165 D2 ^= F(D1, *K++);
166 D1 ^= F(D2, *K++);
167
168 D2 ^= *K++;
169 D1 ^= *K++;
170
171 store_be(out + 16 * i, D2, D1);
172 }
173}
174
175/*
176* Camellia Decryption
177*/
178void decrypt(const uint8_t in[], uint8_t out[], size_t blocks, const secure_vector<uint64_t>& SK, const size_t rounds) {
179 prefetch_arrays(SBOX1, SBOX2, SBOX3, SBOX4);
180
181 for(size_t i = 0; i < blocks; ++i) {
182 uint64_t D1, D2;
183 load_be(in + 16 * i, D1, D2);
184
185 const uint64_t* K = &SK[SK.size() - 1];
186
187 D2 ^= *K--;
188 D1 ^= *K--;
189
190 D2 ^= F(D1, *K--);
191 D1 ^= F(D2, *K--);
192
193 for(size_t r = 1; r != rounds - 1; ++r) {
194 if(r % 3 == 0) {
195 D1 = FL(D1, *K--);
196 D2 = FLINV(D2, *K--);
197 }
198
199 D2 ^= F(D1, *K--);
200 D1 ^= F(D2, *K--);
201 }
202
203 D2 ^= F(D1, *K--);
204 D1 ^= F(D2, *K--);
205
206 D1 ^= *K--;
207 D2 ^= *K;
208
209 store_be(out + 16 * i, D2, D1);
210 }
211}
212
213inline uint64_t left_rot_hi(uint64_t h, uint64_t l, size_t shift) {
214 if(shift >= 64) {
215 shift -= 64;
216 }
217 return (h << shift) | (l >> (64 - shift));
218}
219
220inline uint64_t left_rot_lo(uint64_t h, uint64_t l, size_t shift) {
221 if(shift >= 64) {
222 shift -= 64;
223 }
224 return (h >> (64 - shift)) | (l << shift);
225}
226
227/*
228* Camellia Key Schedule
229*/
230void key_schedule(secure_vector<uint64_t>& SK, std::span<const uint8_t> key) {
231 const uint64_t Sigma1 = 0xA09E667F3BCC908B;
232 const uint64_t Sigma2 = 0xB67AE8584CAA73B2;
233 const uint64_t Sigma3 = 0xC6EF372FE94F82BE;
234 const uint64_t Sigma4 = 0x54FF53A5F1D36F1C;
235 const uint64_t Sigma5 = 0x10E527FADE682D1D;
236 const uint64_t Sigma6 = 0xB05688C2B3E6C1FD;
237
238 const uint64_t KL_H = load_be<uint64_t>(key.data(), 0);
239 const uint64_t KL_L = load_be<uint64_t>(key.data(), 1);
240
241 const uint64_t KR_H = (key.size() >= 24) ? load_be<uint64_t>(key.data(), 2) : 0;
242 const uint64_t KR_L = (key.size() == 32) ? load_be<uint64_t>(key.data(), 3) : ((key.size() == 24) ? ~KR_H : 0);
243
244 uint64_t D1 = KL_H ^ KR_H;
245 uint64_t D2 = KL_L ^ KR_L;
246 D2 ^= F(D1, Sigma1);
247 D1 ^= F(D2, Sigma2);
248 D1 ^= KL_H;
249 D2 ^= KL_L;
250 D2 ^= F(D1, Sigma3);
251 D1 ^= F(D2, Sigma4);
252
253 const uint64_t KA_H = D1;
254 const uint64_t KA_L = D2;
255
256 D1 = KA_H ^ KR_H;
257 D2 = KA_L ^ KR_L;
258 D2 ^= F(D1, Sigma5);
259 D1 ^= F(D2, Sigma6);
260
261 const uint64_t KB_H = D1;
262 const uint64_t KB_L = D2;
263
264 if(key.size() == 16) {
265 SK.resize(26);
266
267 SK[0] = KL_H;
268 SK[1] = KL_L;
269 SK[2] = KA_H;
270 SK[3] = KA_L;
271 SK[4] = left_rot_hi(KL_H, KL_L, 15);
272 SK[5] = left_rot_lo(KL_H, KL_L, 15);
273 SK[6] = left_rot_hi(KA_H, KA_L, 15);
274 SK[7] = left_rot_lo(KA_H, KA_L, 15);
275 SK[8] = left_rot_hi(KA_H, KA_L, 30);
276 SK[9] = left_rot_lo(KA_H, KA_L, 30);
277 SK[10] = left_rot_hi(KL_H, KL_L, 45);
278 SK[11] = left_rot_lo(KL_H, KL_L, 45);
279 SK[12] = left_rot_hi(KA_H, KA_L, 45);
280 SK[13] = left_rot_lo(KL_H, KL_L, 60);
281 SK[14] = left_rot_hi(KA_H, KA_L, 60);
282 SK[15] = left_rot_lo(KA_H, KA_L, 60);
283 SK[16] = left_rot_lo(KL_H, KL_L, 77);
284 SK[17] = left_rot_hi(KL_H, KL_L, 77);
285 SK[18] = left_rot_lo(KL_H, KL_L, 94);
286 SK[19] = left_rot_hi(KL_H, KL_L, 94);
287 SK[20] = left_rot_lo(KA_H, KA_L, 94);
288 SK[21] = left_rot_hi(KA_H, KA_L, 94);
289 SK[22] = left_rot_lo(KL_H, KL_L, 111);
290 SK[23] = left_rot_hi(KL_H, KL_L, 111);
291 SK[24] = left_rot_lo(KA_H, KA_L, 111);
292 SK[25] = left_rot_hi(KA_H, KA_L, 111);
293 } else {
294 SK.resize(34);
295
296 SK[0] = KL_H;
297 SK[1] = KL_L;
298 SK[2] = KB_H;
299 SK[3] = KB_L;
300
301 SK[4] = left_rot_hi(KR_H, KR_L, 15);
302 SK[5] = left_rot_lo(KR_H, KR_L, 15);
303 SK[6] = left_rot_hi(KA_H, KA_L, 15);
304 SK[7] = left_rot_lo(KA_H, KA_L, 15);
305
306 SK[8] = left_rot_hi(KR_H, KR_L, 30);
307 SK[9] = left_rot_lo(KR_H, KR_L, 30);
308 SK[10] = left_rot_hi(KB_H, KB_L, 30);
309 SK[11] = left_rot_lo(KB_H, KB_L, 30);
310
311 SK[12] = left_rot_hi(KL_H, KL_L, 45);
312 SK[13] = left_rot_lo(KL_H, KL_L, 45);
313 SK[14] = left_rot_hi(KA_H, KA_L, 45);
314 SK[15] = left_rot_lo(KA_H, KA_L, 45);
315
316 SK[16] = left_rot_hi(KL_H, KL_L, 60);
317 SK[17] = left_rot_lo(KL_H, KL_L, 60);
318 SK[18] = left_rot_hi(KR_H, KR_L, 60);
319 SK[19] = left_rot_lo(KR_H, KR_L, 60);
320 SK[20] = left_rot_hi(KB_H, KB_L, 60);
321 SK[21] = left_rot_lo(KB_H, KB_L, 60);
322
323 SK[22] = left_rot_lo(KL_H, KL_L, 77);
324 SK[23] = left_rot_hi(KL_H, KL_L, 77);
325 SK[24] = left_rot_lo(KA_H, KA_L, 77);
326 SK[25] = left_rot_hi(KA_H, KA_L, 77);
327
328 SK[26] = left_rot_lo(KR_H, KR_L, 94);
329 SK[27] = left_rot_hi(KR_H, KR_L, 94);
330 SK[28] = left_rot_lo(KA_H, KA_L, 94);
331 SK[29] = left_rot_hi(KA_H, KA_L, 94);
332 SK[30] = left_rot_lo(KL_H, KL_L, 111);
333 SK[31] = left_rot_hi(KL_H, KL_L, 111);
334 SK[32] = left_rot_lo(KB_H, KB_L, 111);
335 SK[33] = left_rot_hi(KB_H, KB_L, 111);
336 }
337}
338
339} // namespace Camellia_F
340
341} // namespace
342
343void Camellia_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
344 assert_key_material_set();
345 Camellia_F::encrypt(in, out, blocks, m_SK, 9);
346}
347
348void Camellia_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
349 assert_key_material_set();
350 Camellia_F::encrypt(in, out, blocks, m_SK, 12);
351}
352
353void Camellia_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
354 assert_key_material_set();
355 Camellia_F::encrypt(in, out, blocks, m_SK, 12);
356}
357
358void Camellia_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
359 assert_key_material_set();
360 Camellia_F::decrypt(in, out, blocks, m_SK, 9);
361}
362
363void Camellia_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
364 assert_key_material_set();
365 Camellia_F::decrypt(in, out, blocks, m_SK, 12);
366}
367
368void Camellia_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
369 assert_key_material_set();
370 Camellia_F::decrypt(in, out, blocks, m_SK, 12);
371}
372
373bool Camellia_128::has_keying_material() const {
374 return !m_SK.empty();
375}
376
377bool Camellia_192::has_keying_material() const {
378 return !m_SK.empty();
379}
380
381bool Camellia_256::has_keying_material() const {
382 return !m_SK.empty();
383}
384
385void Camellia_128::key_schedule(std::span<const uint8_t> key) {
386 Camellia_F::key_schedule(m_SK, key);
387}
388
389void Camellia_192::key_schedule(std::span<const uint8_t> key) {
390 Camellia_F::key_schedule(m_SK, key);
391}
392
393void Camellia_256::key_schedule(std::span<const uint8_t> key) {
394 Camellia_F::key_schedule(m_SK, key);
395}
396
397void Camellia_128::clear() {
398 zap(m_SK);
399}
400
401void Camellia_192::clear() {
402 zap(m_SK);
403}
404
405void Camellia_256::clear() {
406 zap(m_SK);
407}
408
409} // namespace Botan
Botan::Camellia_128::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:358
Botan::Camellia_128::clear
void clear() override
Definition camellia.cpp:397
Botan::Camellia_128::has_keying_material
bool has_keying_material() const override
Definition camellia.cpp:373
Botan::Camellia_128::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:343
Botan::Camellia_192::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:348
Botan::Camellia_192::has_keying_material
bool has_keying_material() const override
Definition camellia.cpp:377
Botan::Camellia_192::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:363
Botan::Camellia_192::clear
void clear() override
Definition camellia.cpp:401
Botan::Camellia_256::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:368
Botan::Camellia_256::has_keying_material
bool has_keying_material() const override
Definition camellia.cpp:381
Botan::Camellia_256::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:353
Botan::Camellia_256::clear
void clear() override
Definition camellia.cpp:405
Botan::SymmetricAlgorithm::assert_key_material_set
void assert_key_material_set() const
Definition sym_algo.h:139
Botan::zap
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:117
Botan::load_be< uint64_t >
constexpr uint64_t load_be< uint64_t >(const uint8_t in[], size_t off)
Definition loadstor.h:200
Botan::store_be
constexpr void store_be(uint16_t in, uint8_t out[2])
Definition loadstor.h:389
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Botan::load_be
constexpr T load_be(const uint8_t in[], size_t off)
Definition loadstor.h:92
Generated by doxygen 1.9.8