Botan 3.9.0
Crypto and TLS for C&
camellia.cpp
Go to the documentation of this file.
1/*
2* Camellia
3* (C) 2012,2020 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/camellia.h>
9
10#include <botan/internal/loadstor.h>
11#include <botan/internal/prefetch.h>
12#include <botan/internal/rotate.h>
13
14#if defined(BOTAN_HAS_CPUID) && defined(BOTAN_HAS_CAMELLIA_GFNI)
15 #include <botan/internal/camellia_gfni.h>
16 #include <botan/internal/cpuid.h>
17#endif
18
19namespace Botan {
20
21namespace {
22
23namespace Camellia_F {
24
25alignas(256) const uint8_t SBOX1[256] = {
26 0x70, 0x82, 0x2C, 0xEC, 0xB3, 0x27, 0xC0, 0xE5, 0xE4, 0x85, 0x57, 0x35, 0xEA, 0x0C, 0xAE, 0x41, 0x23, 0xEF, 0x6B,
27 0x93, 0x45, 0x19, 0xA5, 0x21, 0xED, 0x0E, 0x4F, 0x4E, 0x1D, 0x65, 0x92, 0xBD, 0x86, 0xB8, 0xAF, 0x8F, 0x7C, 0xEB,
28 0x1F, 0xCE, 0x3E, 0x30, 0xDC, 0x5F, 0x5E, 0xC5, 0x0B, 0x1A, 0xA6, 0xE1, 0x39, 0xCA, 0xD5, 0x47, 0x5D, 0x3D, 0xD9,
29 0x01, 0x5A, 0xD6, 0x51, 0x56, 0x6C, 0x4D, 0x8B, 0x0D, 0x9A, 0x66, 0xFB, 0xCC, 0xB0, 0x2D, 0x74, 0x12, 0x2B, 0x20,
30 0xF0, 0xB1, 0x84, 0x99, 0xDF, 0x4C, 0xCB, 0xC2, 0x34, 0x7E, 0x76, 0x05, 0x6D, 0xB7, 0xA9, 0x31, 0xD1, 0x17, 0x04,
31 0xD7, 0x14, 0x58, 0x3A, 0x61, 0xDE, 0x1B, 0x11, 0x1C, 0x32, 0x0F, 0x9C, 0x16, 0x53, 0x18, 0xF2, 0x22, 0xFE, 0x44,
32 0xCF, 0xB2, 0xC3, 0xB5, 0x7A, 0x91, 0x24, 0x08, 0xE8, 0xA8, 0x60, 0xFC, 0x69, 0x50, 0xAA, 0xD0, 0xA0, 0x7D, 0xA1,
33 0x89, 0x62, 0x97, 0x54, 0x5B, 0x1E, 0x95, 0xE0, 0xFF, 0x64, 0xD2, 0x10, 0xC4, 0x00, 0x48, 0xA3, 0xF7, 0x75, 0xDB,
34 0x8A, 0x03, 0xE6, 0xDA, 0x09, 0x3F, 0xDD, 0x94, 0x87, 0x5C, 0x83, 0x02, 0xCD, 0x4A, 0x90, 0x33, 0x73, 0x67, 0xF6,
35 0xF3, 0x9D, 0x7F, 0xBF, 0xE2, 0x52, 0x9B, 0xD8, 0x26, 0xC8, 0x37, 0xC6, 0x3B, 0x81, 0x96, 0x6F, 0x4B, 0x13, 0xBE,
36 0x63, 0x2E, 0xE9, 0x79, 0xA7, 0x8C, 0x9F, 0x6E, 0xBC, 0x8E, 0x29, 0xF5, 0xF9, 0xB6, 0x2F, 0xFD, 0xB4, 0x59, 0x78,
37 0x98, 0x06, 0x6A, 0xE7, 0x46, 0x71, 0xBA, 0xD4, 0x25, 0xAB, 0x42, 0x88, 0xA2, 0x8D, 0xFA, 0x72, 0x07, 0xB9, 0x55,
38 0xF8, 0xEE, 0xAC, 0x0A, 0x36, 0x49, 0x2A, 0x68, 0x3C, 0x38, 0xF1, 0xA4, 0x40, 0x28, 0xD3, 0x7B, 0xBB, 0xC9, 0x43,
39 0xC1, 0x15, 0xE3, 0xAD, 0xF4, 0x77, 0xC7, 0x80, 0x9E};
40
41// SBOX2[x] = rotl<1>(SBOX1[x])
42alignas(256) const uint8_t SBOX2[256] = {
43 0xE0, 0x05, 0x58, 0xD9, 0x67, 0x4E, 0x81, 0xCB, 0xC9, 0x0B, 0xAE, 0x6A, 0xD5, 0x18, 0x5D, 0x82, 0x46, 0xDF, 0xD6,
44 0x27, 0x8A, 0x32, 0x4B, 0x42, 0xDB, 0x1C, 0x9E, 0x9C, 0x3A, 0xCA, 0x25, 0x7B, 0x0D, 0x71, 0x5F, 0x1F, 0xF8, 0xD7,
45 0x3E, 0x9D, 0x7C, 0x60, 0xB9, 0xBE, 0xBC, 0x8B, 0x16, 0x34, 0x4D, 0xC3, 0x72, 0x95, 0xAB, 0x8E, 0xBA, 0x7A, 0xB3,
46 0x02, 0xB4, 0xAD, 0xA2, 0xAC, 0xD8, 0x9A, 0x17, 0x1A, 0x35, 0xCC, 0xF7, 0x99, 0x61, 0x5A, 0xE8, 0x24, 0x56, 0x40,
47 0xE1, 0x63, 0x09, 0x33, 0xBF, 0x98, 0x97, 0x85, 0x68, 0xFC, 0xEC, 0x0A, 0xDA, 0x6F, 0x53, 0x62, 0xA3, 0x2E, 0x08,
48 0xAF, 0x28, 0xB0, 0x74, 0xC2, 0xBD, 0x36, 0x22, 0x38, 0x64, 0x1E, 0x39, 0x2C, 0xA6, 0x30, 0xE5, 0x44, 0xFD, 0x88,
49 0x9F, 0x65, 0x87, 0x6B, 0xF4, 0x23, 0x48, 0x10, 0xD1, 0x51, 0xC0, 0xF9, 0xD2, 0xA0, 0x55, 0xA1, 0x41, 0xFA, 0x43,
50 0x13, 0xC4, 0x2F, 0xA8, 0xB6, 0x3C, 0x2B, 0xC1, 0xFF, 0xC8, 0xA5, 0x20, 0x89, 0x00, 0x90, 0x47, 0xEF, 0xEA, 0xB7,
51 0x15, 0x06, 0xCD, 0xB5, 0x12, 0x7E, 0xBB, 0x29, 0x0F, 0xB8, 0x07, 0x04, 0x9B, 0x94, 0x21, 0x66, 0xE6, 0xCE, 0xED,
52 0xE7, 0x3B, 0xFE, 0x7F, 0xC5, 0xA4, 0x37, 0xB1, 0x4C, 0x91, 0x6E, 0x8D, 0x76, 0x03, 0x2D, 0xDE, 0x96, 0x26, 0x7D,
53 0xC6, 0x5C, 0xD3, 0xF2, 0x4F, 0x19, 0x3F, 0xDC, 0x79, 0x1D, 0x52, 0xEB, 0xF3, 0x6D, 0x5E, 0xFB, 0x69, 0xB2, 0xF0,
54 0x31, 0x0C, 0xD4, 0xCF, 0x8C, 0xE2, 0x75, 0xA9, 0x4A, 0x57, 0x84, 0x11, 0x45, 0x1B, 0xF5, 0xE4, 0x0E, 0x73, 0xAA,
55 0xF1, 0xDD, 0x59, 0x14, 0x6C, 0x92, 0x54, 0xD0, 0x78, 0x70, 0xE3, 0x49, 0x80, 0x50, 0xA7, 0xF6, 0x77, 0x93, 0x86,
56 0x83, 0x2A, 0xC7, 0x5B, 0xE9, 0xEE, 0x8F, 0x01, 0x3D};
57
58// SBOX3[x] = rotl<7>(SBOX1[x])
59alignas(256) const uint8_t SBOX3[256] = {
60 0x38, 0x41, 0x16, 0x76, 0xD9, 0x93, 0x60, 0xF2, 0x72, 0xC2, 0xAB, 0x9A, 0x75, 0x06, 0x57, 0xA0, 0x91, 0xF7, 0xB5,
61 0xC9, 0xA2, 0x8C, 0xD2, 0x90, 0xF6, 0x07, 0xA7, 0x27, 0x8E, 0xB2, 0x49, 0xDE, 0x43, 0x5C, 0xD7, 0xC7, 0x3E, 0xF5,
62 0x8F, 0x67, 0x1F, 0x18, 0x6E, 0xAF, 0x2F, 0xE2, 0x85, 0x0D, 0x53, 0xF0, 0x9C, 0x65, 0xEA, 0xA3, 0xAE, 0x9E, 0xEC,
63 0x80, 0x2D, 0x6B, 0xA8, 0x2B, 0x36, 0xA6, 0xC5, 0x86, 0x4D, 0x33, 0xFD, 0x66, 0x58, 0x96, 0x3A, 0x09, 0x95, 0x10,
64 0x78, 0xD8, 0x42, 0xCC, 0xEF, 0x26, 0xE5, 0x61, 0x1A, 0x3F, 0x3B, 0x82, 0xB6, 0xDB, 0xD4, 0x98, 0xE8, 0x8B, 0x02,
65 0xEB, 0x0A, 0x2C, 0x1D, 0xB0, 0x6F, 0x8D, 0x88, 0x0E, 0x19, 0x87, 0x4E, 0x0B, 0xA9, 0x0C, 0x79, 0x11, 0x7F, 0x22,
66 0xE7, 0x59, 0xE1, 0xDA, 0x3D, 0xC8, 0x12, 0x04, 0x74, 0x54, 0x30, 0x7E, 0xB4, 0x28, 0x55, 0x68, 0x50, 0xBE, 0xD0,
67 0xC4, 0x31, 0xCB, 0x2A, 0xAD, 0x0F, 0xCA, 0x70, 0xFF, 0x32, 0x69, 0x08, 0x62, 0x00, 0x24, 0xD1, 0xFB, 0xBA, 0xED,
68 0x45, 0x81, 0x73, 0x6D, 0x84, 0x9F, 0xEE, 0x4A, 0xC3, 0x2E, 0xC1, 0x01, 0xE6, 0x25, 0x48, 0x99, 0xB9, 0xB3, 0x7B,
69 0xF9, 0xCE, 0xBF, 0xDF, 0x71, 0x29, 0xCD, 0x6C, 0x13, 0x64, 0x9B, 0x63, 0x9D, 0xC0, 0x4B, 0xB7, 0xA5, 0x89, 0x5F,
70 0xB1, 0x17, 0xF4, 0xBC, 0xD3, 0x46, 0xCF, 0x37, 0x5E, 0x47, 0x94, 0xFA, 0xFC, 0x5B, 0x97, 0xFE, 0x5A, 0xAC, 0x3C,
71 0x4C, 0x03, 0x35, 0xF3, 0x23, 0xB8, 0x5D, 0x6A, 0x92, 0xD5, 0x21, 0x44, 0x51, 0xC6, 0x7D, 0x39, 0x83, 0xDC, 0xAA,
72 0x7C, 0x77, 0x56, 0x05, 0x1B, 0xA4, 0x15, 0x34, 0x1E, 0x1C, 0xF8, 0x52, 0x20, 0x14, 0xE9, 0xBD, 0xDD, 0xE4, 0xA1,
73 0xE0, 0x8A, 0xF1, 0xD6, 0x7A, 0xBB, 0xE3, 0x40, 0x4F};
74
75// SBOX4[x] = SBOX1[rotl<1>(x)]
76alignas(256) const uint8_t SBOX4[256] = {
77 0x70, 0x2C, 0xB3, 0xC0, 0xE4, 0x57, 0xEA, 0xAE, 0x23, 0x6B, 0x45, 0xA5, 0xED, 0x4F, 0x1D, 0x92, 0x86, 0xAF, 0x7C,
78 0x1F, 0x3E, 0xDC, 0x5E, 0x0B, 0xA6, 0x39, 0xD5, 0x5D, 0xD9, 0x5A, 0x51, 0x6C, 0x8B, 0x9A, 0xFB, 0xB0, 0x74, 0x2B,
79 0xF0, 0x84, 0xDF, 0xCB, 0x34, 0x76, 0x6D, 0xA9, 0xD1, 0x04, 0x14, 0x3A, 0xDE, 0x11, 0x32, 0x9C, 0x53, 0xF2, 0xFE,
80 0xCF, 0xC3, 0x7A, 0x24, 0xE8, 0x60, 0x69, 0xAA, 0xA0, 0xA1, 0x62, 0x54, 0x1E, 0xE0, 0x64, 0x10, 0x00, 0xA3, 0x75,
81 0x8A, 0xE6, 0x09, 0xDD, 0x87, 0x83, 0xCD, 0x90, 0x73, 0xF6, 0x9D, 0xBF, 0x52, 0xD8, 0xC8, 0xC6, 0x81, 0x6F, 0x13,
82 0x63, 0xE9, 0xA7, 0x9F, 0xBC, 0x29, 0xF9, 0x2F, 0xB4, 0x78, 0x06, 0xE7, 0x71, 0xD4, 0xAB, 0x88, 0x8D, 0x72, 0xB9,
83 0xF8, 0xAC, 0x36, 0x2A, 0x3C, 0xF1, 0x40, 0xD3, 0xBB, 0x43, 0x15, 0xAD, 0x77, 0x80, 0x82, 0xEC, 0x27, 0xE5, 0x85,
84 0x35, 0x0C, 0x41, 0xEF, 0x93, 0x19, 0x21, 0x0E, 0x4E, 0x65, 0xBD, 0xB8, 0x8F, 0xEB, 0xCE, 0x30, 0x5F, 0xC5, 0x1A,
85 0xE1, 0xCA, 0x47, 0x3D, 0x01, 0xD6, 0x56, 0x4D, 0x0D, 0x66, 0xCC, 0x2D, 0x12, 0x20, 0xB1, 0x99, 0x4C, 0xC2, 0x7E,
86 0x05, 0xB7, 0x31, 0x17, 0xD7, 0x58, 0x61, 0x1B, 0x1C, 0x0F, 0x16, 0x18, 0x22, 0x44, 0xB2, 0xB5, 0x91, 0x08, 0xA8,
87 0xFC, 0x50, 0xD0, 0x7D, 0x89, 0x97, 0x5B, 0x95, 0xFF, 0xD2, 0xC4, 0x48, 0xF7, 0xDB, 0x03, 0xDA, 0x3F, 0x94, 0x5C,
88 0x02, 0x4A, 0x33, 0x67, 0xF3, 0x7F, 0xE2, 0x9B, 0x26, 0x37, 0x3B, 0x96, 0x4B, 0xBE, 0x2E, 0x79, 0x8C, 0x6E, 0x8E,
89 0xF5, 0xB6, 0xFD, 0x59, 0x98, 0x6A, 0x46, 0xBA, 0x25, 0x42, 0xA2, 0xFA, 0x07, 0x55, 0xEE, 0x0A, 0x49, 0x68, 0x38,
90 0xA4, 0x28, 0x7B, 0xC9, 0xC1, 0xE3, 0xF4, 0xC7, 0x9E};
91
92uint64_t F(uint64_t v, uint64_t K) {
93 const uint64_t M1 = 0x0101010001000001;
94 const uint64_t M2 = 0x0001010101010000;
95 const uint64_t M3 = 0x0100010100010100;
96 const uint64_t M4 = 0x0101000100000101;
97 const uint64_t M5 = 0x0001010100010101;
98 const uint64_t M6 = 0x0100010101000101;
99 const uint64_t M7 = 0x0101000101010001;
100 const uint64_t M8 = 0x0101010001010100;
101
102 const uint64_t x = v ^ K;
103
104 const uint64_t Z1 = M1 * SBOX1[get_byte<0>(x)];
105 const uint64_t Z2 = M2 * SBOX2[get_byte<1>(x)];
106 const uint64_t Z3 = M3 * SBOX3[get_byte<2>(x)];
107 const uint64_t Z4 = M4 * SBOX4[get_byte<3>(x)];
108 const uint64_t Z5 = M5 * SBOX2[get_byte<4>(x)];
109 const uint64_t Z6 = M6 * SBOX3[get_byte<5>(x)];
110 const uint64_t Z7 = M7 * SBOX4[get_byte<6>(x)];
111 const uint64_t Z8 = M8 * SBOX1[get_byte<7>(x)];
112
113 return Z1 ^ Z2 ^ Z3 ^ Z4 ^ Z5 ^ Z6 ^ Z7 ^ Z8;
114}
115
116inline uint64_t FL(uint64_t v, uint64_t K) {
117 uint32_t x1 = static_cast<uint32_t>(v >> 32);
118 uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);
119
120 const uint32_t k1 = static_cast<uint32_t>(K >> 32);
121 const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);
122
123 x2 ^= rotl<1>(x1 & k1);
124 x1 ^= (x2 | k2);
125
126 return ((static_cast<uint64_t>(x1) << 32) | x2);
127}
128
129inline uint64_t FLINV(uint64_t v, uint64_t K) {
130 uint32_t x1 = static_cast<uint32_t>(v >> 32);
131 uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);
132
133 const uint32_t k1 = static_cast<uint32_t>(K >> 32);
134 const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);
135
136 x1 ^= (x2 | k2);
137 x2 ^= rotl<1>(x1 & k1);
138
139 return ((static_cast<uint64_t>(x1) << 32) | x2);
140}
141
142/*
143* Camellia Encryption
144*/
145void encrypt(const uint8_t in[], uint8_t out[], size_t blocks, const secure_vector<uint64_t>& SK, size_t rounds) {
146 prefetch_arrays(SBOX1, SBOX2, SBOX3, SBOX4);
147
148 for(size_t i = 0; i < blocks; ++i) {
149 uint64_t D1 = load_be<uint64_t>(in, 2 * i + 0);
150 uint64_t D2 = load_be<uint64_t>(in, 2 * i + 1);
151
152 const uint64_t* K = SK.data();
153
154 D1 ^= *K++;
155 D2 ^= *K++;
156
157 D2 ^= F(D1, *K++);
158 D1 ^= F(D2, *K++);
159
160 for(size_t r = 1; r != rounds - 1; ++r) {
161 if(r % 3 == 0) {
162 D1 = FL(D1, *K++);
163 D2 = FLINV(D2, *K++);
164 }
165
166 D2 ^= F(D1, *K++);
167 D1 ^= F(D2, *K++);
168 }
169
170 D2 ^= F(D1, *K++);
171 D1 ^= F(D2, *K++);
172
173 D2 ^= *K++;
174 D1 ^= *K++;
175
176 store_be(out + 16 * i, D2, D1);
177 }
178}
179
180/*
181* Camellia Decryption
182*/
183void decrypt(const uint8_t in[], uint8_t out[], size_t blocks, const secure_vector<uint64_t>& SK, size_t rounds) {
184 prefetch_arrays(SBOX1, SBOX2, SBOX3, SBOX4);
185
186 for(size_t i = 0; i < blocks; ++i) {
187 uint64_t D1 = load_be<uint64_t>(in, 2 * i + 0);
188 uint64_t D2 = load_be<uint64_t>(in, 2 * i + 1);
189
190 const uint64_t* K = &SK[SK.size() - 1];
191
192 D2 ^= *K--;
193 D1 ^= *K--;
194
195 D2 ^= F(D1, *K--);
196 D1 ^= F(D2, *K--);
197
198 for(size_t r = 1; r != rounds - 1; ++r) {
199 if(r % 3 == 0) {
200 D1 = FL(D1, *K--);
201 D2 = FLINV(D2, *K--);
202 }
203
204 D2 ^= F(D1, *K--);
205 D1 ^= F(D2, *K--);
206 }
207
208 D2 ^= F(D1, *K--);
209 D1 ^= F(D2, *K--);
210
211 D1 ^= *K--;
212 D2 ^= *K;
213
214 store_be(out + 16 * i, D2, D1);
215 }
216}
217
218inline uint64_t left_rot_hi(uint64_t h, uint64_t l, size_t shift) {
219 if(shift >= 64) {
220 shift -= 64;
221 }
222 return (h << shift) | (l >> (64 - shift));
223}
224
225inline uint64_t left_rot_lo(uint64_t h, uint64_t l, size_t shift) {
226 if(shift >= 64) {
227 shift -= 64;
228 }
229 return (h >> (64 - shift)) | (l << shift);
230}
231
232/*
233* Camellia Key Schedule
234*/
235void key_schedule(secure_vector<uint64_t>& SK, std::span<const uint8_t> key) {
236 const uint64_t Sigma1 = 0xA09E667F3BCC908B;
237 const uint64_t Sigma2 = 0xB67AE8584CAA73B2;
238 const uint64_t Sigma3 = 0xC6EF372FE94F82BE;
239 const uint64_t Sigma4 = 0x54FF53A5F1D36F1C;
240 const uint64_t Sigma5 = 0x10E527FADE682D1D;
241 const uint64_t Sigma6 = 0xB05688C2B3E6C1FD;
242
243 const uint64_t KL_H = load_be<uint64_t>(key.data(), 0);
244 const uint64_t KL_L = load_be<uint64_t>(key.data(), 1);
245
246 const uint64_t KR_H = (key.size() >= 24) ? load_be<uint64_t>(key.data(), 2) : 0;
247
248 const uint64_t KR_L = [&]() -> uint64_t {
249 if(key.size() == 32) {
250 return load_be<uint64_t>(key.data(), 3);
251 } else if(key.size() == 24) {
252 return ~KR_H;
253 } else {
254 return 0;
255 }
256 }();
257
258 uint64_t D1 = KL_H ^ KR_H;
259 uint64_t D2 = KL_L ^ KR_L;
260 D2 ^= F(D1, Sigma1);
261 D1 ^= F(D2, Sigma2);
262 D1 ^= KL_H;
263 D2 ^= KL_L;
264 D2 ^= F(D1, Sigma3);
265 D1 ^= F(D2, Sigma4);
266
267 const uint64_t KA_H = D1;
268 const uint64_t KA_L = D2;
269
270 D1 = KA_H ^ KR_H;
271 D2 = KA_L ^ KR_L;
272 D2 ^= F(D1, Sigma5);
273 D1 ^= F(D2, Sigma6);
274
275 const uint64_t KB_H = D1;
276 const uint64_t KB_L = D2;
277
278 if(key.size() == 16) {
279 SK.resize(26);
280
281 SK[0] = KL_H;
282 SK[1] = KL_L;
283 SK[2] = KA_H;
284 SK[3] = KA_L;
285 SK[4] = left_rot_hi(KL_H, KL_L, 15);
286 SK[5] = left_rot_lo(KL_H, KL_L, 15);
287 SK[6] = left_rot_hi(KA_H, KA_L, 15);
288 SK[7] = left_rot_lo(KA_H, KA_L, 15);
289 SK[8] = left_rot_hi(KA_H, KA_L, 30);
290 SK[9] = left_rot_lo(KA_H, KA_L, 30);
291 SK[10] = left_rot_hi(KL_H, KL_L, 45);
292 SK[11] = left_rot_lo(KL_H, KL_L, 45);
293 SK[12] = left_rot_hi(KA_H, KA_L, 45);
294 SK[13] = left_rot_lo(KL_H, KL_L, 60);
295 SK[14] = left_rot_hi(KA_H, KA_L, 60);
296 SK[15] = left_rot_lo(KA_H, KA_L, 60);
297 SK[16] = left_rot_lo(KL_H, KL_L, 77);
298 SK[17] = left_rot_hi(KL_H, KL_L, 77);
299 SK[18] = left_rot_lo(KL_H, KL_L, 94);
300 SK[19] = left_rot_hi(KL_H, KL_L, 94);
301 SK[20] = left_rot_lo(KA_H, KA_L, 94);
302 SK[21] = left_rot_hi(KA_H, KA_L, 94);
303 SK[22] = left_rot_lo(KL_H, KL_L, 111);
304 SK[23] = left_rot_hi(KL_H, KL_L, 111);
305 SK[24] = left_rot_lo(KA_H, KA_L, 111);
306 SK[25] = left_rot_hi(KA_H, KA_L, 111);
307 } else {
308 SK.resize(34);
309
310 SK[0] = KL_H;
311 SK[1] = KL_L;
312 SK[2] = KB_H;
313 SK[3] = KB_L;
314
315 SK[4] = left_rot_hi(KR_H, KR_L, 15);
316 SK[5] = left_rot_lo(KR_H, KR_L, 15);
317 SK[6] = left_rot_hi(KA_H, KA_L, 15);
318 SK[7] = left_rot_lo(KA_H, KA_L, 15);
319
320 SK[8] = left_rot_hi(KR_H, KR_L, 30);
321 SK[9] = left_rot_lo(KR_H, KR_L, 30);
322 SK[10] = left_rot_hi(KB_H, KB_L, 30);
323 SK[11] = left_rot_lo(KB_H, KB_L, 30);
324
325 SK[12] = left_rot_hi(KL_H, KL_L, 45);
326 SK[13] = left_rot_lo(KL_H, KL_L, 45);
327 SK[14] = left_rot_hi(KA_H, KA_L, 45);
328 SK[15] = left_rot_lo(KA_H, KA_L, 45);
329
330 SK[16] = left_rot_hi(KL_H, KL_L, 60);
331 SK[17] = left_rot_lo(KL_H, KL_L, 60);
332 SK[18] = left_rot_hi(KR_H, KR_L, 60);
333 SK[19] = left_rot_lo(KR_H, KR_L, 60);
334 SK[20] = left_rot_hi(KB_H, KB_L, 60);
335 SK[21] = left_rot_lo(KB_H, KB_L, 60);
336
337 SK[22] = left_rot_lo(KL_H, KL_L, 77);
338 SK[23] = left_rot_hi(KL_H, KL_L, 77);
339 SK[24] = left_rot_lo(KA_H, KA_L, 77);
340 SK[25] = left_rot_hi(KA_H, KA_L, 77);
341
342 SK[26] = left_rot_lo(KR_H, KR_L, 94);
343 SK[27] = left_rot_hi(KR_H, KR_L, 94);
344 SK[28] = left_rot_lo(KA_H, KA_L, 94);
345 SK[29] = left_rot_hi(KA_H, KA_L, 94);
346 SK[30] = left_rot_lo(KL_H, KL_L, 111);
347 SK[31] = left_rot_hi(KL_H, KL_L, 111);
348 SK[32] = left_rot_lo(KB_H, KB_L, 111);
349 SK[33] = left_rot_hi(KB_H, KB_L, 111);
350 }
351}
352
353std::string provider() {
354#if defined(BOTAN_HAS_CAMELLIA_GFNI)
355 if(auto feat = CPUID::check(CPUID::Feature::GFNI)) {
356 return *feat;
357 }
358#endif
359
360 return "base";
361}
362
363} // namespace Camellia_F
364
365} // namespace
366
367void Camellia_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
368 assert_key_material_set();
369
370#if defined(BOTAN_HAS_CAMELLIA_GFNI)
371 if(CPUID::has(CPUID::Feature::GFNI)) {
372 return camellia_gfni_encrypt9(in, out, blocks, m_SK);
373 }
374#endif
375
376 Camellia_F::encrypt(in, out, blocks, m_SK, 9);
377}
378
379void Camellia_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
380 assert_key_material_set();
381
382#if defined(BOTAN_HAS_CAMELLIA_GFNI)
383 if(CPUID::has(CPUID::Feature::GFNI)) {
384 return camellia_gfni_encrypt12(in, out, blocks, m_SK);
385 }
386#endif
387
388 Camellia_F::encrypt(in, out, blocks, m_SK, 12);
389}
390
391void Camellia_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
392 assert_key_material_set();
393
394#if defined(BOTAN_HAS_CAMELLIA_GFNI)
395 if(CPUID::has(CPUID::Feature::GFNI)) {
396 return camellia_gfni_encrypt12(in, out, blocks, m_SK);
397 }
398#endif
399
400 Camellia_F::encrypt(in, out, blocks, m_SK, 12);
401}
402
403void Camellia_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
404 assert_key_material_set();
405
406#if defined(BOTAN_HAS_CAMELLIA_GFNI)
407 if(CPUID::has(CPUID::Feature::GFNI)) {
408 return camellia_gfni_decrypt9(in, out, blocks, m_SK);
409 }
410#endif
411
412 Camellia_F::decrypt(in, out, blocks, m_SK, 9);
413}
414
415void Camellia_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
416 assert_key_material_set();
417
418#if defined(BOTAN_HAS_CAMELLIA_GFNI)
419 if(CPUID::has(CPUID::Feature::GFNI)) {
420 return camellia_gfni_decrypt12(in, out, blocks, m_SK);
421 }
422#endif
423
424 Camellia_F::decrypt(in, out, blocks, m_SK, 12);
425}
426
427void Camellia_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
428 assert_key_material_set();
429
430#if defined(BOTAN_HAS_CAMELLIA_GFNI)
431 if(CPUID::has(CPUID::Feature::GFNI)) {
432 return camellia_gfni_decrypt12(in, out, blocks, m_SK);
433 }
434#endif
435
436 Camellia_F::decrypt(in, out, blocks, m_SK, 12);
437}
438
439bool Camellia_128::has_keying_material() const {
440 return !m_SK.empty();
441}
442
443bool Camellia_192::has_keying_material() const {
444 return !m_SK.empty();
445}
446
447bool Camellia_256::has_keying_material() const {
448 return !m_SK.empty();
449}
450
451void Camellia_128::key_schedule(std::span<const uint8_t> key) {
452 Camellia_F::key_schedule(m_SK, key);
453}
454
455void Camellia_192::key_schedule(std::span<const uint8_t> key) {
456 Camellia_F::key_schedule(m_SK, key);
457}
458
459void Camellia_256::key_schedule(std::span<const uint8_t> key) {
460 Camellia_F::key_schedule(m_SK, key);
461}
462
463void Camellia_128::clear() {
464 zap(m_SK);
465}
466
467void Camellia_192::clear() {
468 zap(m_SK);
469}
470
471void Camellia_256::clear() {
472 zap(m_SK);
473}
474
475std::string Camellia_128::provider() const {
476 return Camellia_F::provider();
477}
478
479std::string Camellia_192::provider() const {
480 return Camellia_F::provider();
481}
482
483std::string Camellia_256::provider() const {
484 return Camellia_F::provider();
485}
486
487} // namespace Botan
Botan::CPUID::check
static std::optional< std::string > check(CPUID::Feature feat)
Definition cpuid.h:67
Botan::CPUID::has
static bool has(CPUID::Feature feat)
Definition cpuid.h:94
Botan::Camellia_128::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:403
Botan::Camellia_128::clear
void clear() override
Definition camellia.cpp:463
Botan::Camellia_128::has_keying_material
bool has_keying_material() const override
Definition camellia.cpp:439
Botan::Camellia_128::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:367
Botan::Camellia_128::provider
std::string provider() const override
Definition camellia.cpp:475
Botan::Camellia_192::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:379
Botan::Camellia_192::has_keying_material
bool has_keying_material() const override
Definition camellia.cpp:443
Botan::Camellia_192::provider
std::string provider() const override
Definition camellia.cpp:479
Botan::Camellia_192::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:415
Botan::Camellia_192::clear
void clear() override
Definition camellia.cpp:467
Botan::Camellia_256::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:427
Botan::Camellia_256::has_keying_material
bool has_keying_material() const override
Definition camellia.cpp:447
Botan::Camellia_256::provider
std::string provider() const override
Definition camellia.cpp:483
Botan::Camellia_256::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:391
Botan::Camellia_256::clear
void clear() override
Definition camellia.cpp:471
Botan::Camellia_F
Definition camellia.cpp:23
Botan::get_byte
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79
Botan::zap
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:134
Botan::camellia_gfni_encrypt12
BOTAN_FN_ISA_AVX2_GFNI void camellia_gfni_encrypt12(const uint8_t in[], uint8_t out[], size_t blocks, std::span< const uint64_t > SK)
Definition camellia_gfni.cpp:228
Botan::prefetch_arrays
T prefetch_arrays(T(&... arr)[Ns]) noexcept
Definition prefetch.h:35
Botan::rotl
BOTAN_FORCE_INLINE constexpr T rotl(T input)
Definition rotate.h:23
Botan::camellia_gfni_decrypt12
BOTAN_FN_ISA_AVX2_GFNI void camellia_gfni_decrypt12(const uint8_t in[], uint8_t out[], size_t blocks, std::span< const uint64_t > SK)
Definition camellia_gfni.cpp:285
Botan::camellia_gfni_encrypt9
BOTAN_FN_ISA_AVX2_GFNI void camellia_gfni_encrypt9(const uint8_t in[], uint8_t out[], size_t blocks, std::span< const uint64_t > SK)
Definition camellia_gfni.cpp:132
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69
Botan::camellia_gfni_decrypt9
BOTAN_FN_ISA_AVX2_GFNI void camellia_gfni_decrypt9(const uint8_t in[], uint8_t out[], size_t blocks, std::span< const uint64_t > SK)
Definition camellia_gfni.cpp:179
Botan::store_be
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:745
Botan::load_be
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:504
Generated by doxygen 1.14.0