1 /*	$NetBSD: camellia-ntt.c,v 1.1.1.2 2014/04/24 12:45:30 pettai Exp $	*/
2 
3 /* camellia.c ver 1.2.0
4  *
5  * Copyright (c) 2006,2007
6  * NTT (Nippon Telegraph and Telephone Corporation) . All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *   notice, this list of conditions and the following disclaimer as
13  *   the first lines of this file unmodified.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *   notice, this list of conditions and the following disclaimer in the
16  *   documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY NTT ``AS IS'' AND ANY EXPRESS OR
19  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21  * IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT,
22  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28  */
29 
30 /*
31  * Algorithm Specification
32  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
33  */
34 
35 #include "config.h"
36 
37 #include <string.h>
38 #include <stdlib.h>
39 
40 #include <krb5/krb5-types.h>
41 #include "camellia-ntt.h"
42 
43 #include <krb5/roken.h>
44 
45 /* key constants */
46 
47 #define CAMELLIA_SIGMA1L (0xA09E667FL)
48 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
49 #define CAMELLIA_SIGMA2L (0xB67AE858L)
50 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
51 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
52 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
53 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
54 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
55 #define CAMELLIA_SIGMA5L (0x10E527FAL)
56 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
57 #define CAMELLIA_SIGMA6L (0xB05688C2L)
58 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
59 
60 /*
61  *  macros
62  */
63 
64 
65 #if defined(_MSC_VER)
66 
67 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
68 # define GETU32(p) SWAP(*((u32 *)(p)))
69 # define PUTU32(ct, st) {*((u32 *)(ct)) = SWAP((st));}
70 
71 #else /* not MS-VC */
72 
73 # define GETU32(pt)				\
74     (((u32)(pt)[0] << 24)			\
75      ^ ((u32)(pt)[1] << 16)			\
76      ^ ((u32)(pt)[2] <<  8)			\
77      ^ ((u32)(pt)[3]))
78 
79 # define PUTU32(ct, st)  {			\
80 	(ct)[0] = (u8)((st) >> 24);		\
81 	(ct)[1] = (u8)((st) >> 16);		\
82 	(ct)[2] = (u8)((st) >>  8);		\
83 	(ct)[3] = (u8)(st); }
84 
85 #endif
86 
87 #define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2])
88 #define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1])
89 
90 /* rotation right shift 1byte */
91 #define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24))
92 /* rotation left shift 1bit */
93 #define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
94 /* rotation left shift 1byte */
95 #define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24))
96 
97 #define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits)	\
98     do {						\
99 	w0 = ll;					\
100 	ll = (ll << bits) + (lr >> (32 - bits));	\
101 	lr = (lr << bits) + (rl >> (32 - bits));	\
102 	rl = (rl << bits) + (rr >> (32 - bits));	\
103 	rr = (rr << bits) + (w0 >> (32 - bits));	\
104     } while(0)
105 
106 #define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits)	\
107     do {						\
108 	w0 = ll;					\
109 	w1 = lr;					\
110 	ll = (lr << (bits - 32)) + (rl >> (64 - bits));	\
111 	lr = (rl << (bits - 32)) + (rr >> (64 - bits));	\
112 	rl = (rr << (bits - 32)) + (w0 >> (64 - bits));	\
113 	rr = (w0 << (bits - 32)) + (w1 >> (64 - bits));	\
114     } while(0)
115 
116 #define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)])
117 #define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)])
118 #define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)])
119 #define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)])
120 
121 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)	\
122     do {							\
123 	il = xl ^ kl;						\
124 	ir = xr ^ kr;						\
125 	t0 = il >> 16;						\
126 	t1 = ir >> 16;						\
127 	yl = CAMELLIA_SP1110(ir & 0xff)				\
128 	    ^ CAMELLIA_SP0222((t1 >> 8) & 0xff)			\
129 	    ^ CAMELLIA_SP3033(t1 & 0xff)			\
130 	    ^ CAMELLIA_SP4404((ir >> 8) & 0xff);		\
131 	yr = CAMELLIA_SP1110((t0 >> 8) & 0xff)			\
132 	    ^ CAMELLIA_SP0222(t0 & 0xff)			\
133 	    ^ CAMELLIA_SP3033((il >> 8) & 0xff)			\
134 	    ^ CAMELLIA_SP4404(il & 0xff);			\
135 	yl ^= yr;						\
136 	yr = CAMELLIA_RR8(yr);					\
137 	yr ^= yl;						\
138     } while(0)
139 
140 
141 /*
142  * for speed up
143  *
144  */
145 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
146     do {								\
147 	t0 = kll;							\
148 	t0 &= ll;							\
149 	lr ^= CAMELLIA_RL1(t0);						\
150 	t1 = klr;							\
151 	t1 |= lr;							\
152 	ll ^= t1;							\
153 									\
154 	t2 = krr;							\
155 	t2 |= rr;							\
156 	rl ^= t2;							\
157 	t3 = krl;							\
158 	t3 &= rl;							\
159 	rr ^= CAMELLIA_RL1(t3);						\
160     } while(0)
161 
162 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)	\
163     do {								\
164 	ir = CAMELLIA_SP1110(xr & 0xff)					\
165 	    ^ CAMELLIA_SP0222((xr >> 24) & 0xff)			\
166 	    ^ CAMELLIA_SP3033((xr >> 16) & 0xff)			\
167 	    ^ CAMELLIA_SP4404((xr >> 8) & 0xff);			\
168 	il = CAMELLIA_SP1110((xl >> 24) & 0xff)				\
169 	    ^ CAMELLIA_SP0222((xl >> 16) & 0xff)			\
170 	    ^ CAMELLIA_SP3033((xl >> 8) & 0xff)				\
171 	    ^ CAMELLIA_SP4404(xl & 0xff);				\
172 	il ^= kl;							\
173 	ir ^= kr;							\
174 	ir ^= il;							\
175 	il = CAMELLIA_RR8(il);						\
176 	il ^= ir;							\
177 	yl ^= ir;							\
178 	yr ^= il;							\
179     } while(0)
180 
181 
182 static const u32 camellia_sp1110[256] = {
183     0x70707000,0x82828200,0x2c2c2c00,0xececec00,
184     0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
185     0xe4e4e400,0x85858500,0x57575700,0x35353500,
186     0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
187     0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
188     0x45454500,0x19191900,0xa5a5a500,0x21212100,
189     0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
190     0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
191     0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
192     0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
193     0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
194     0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
195     0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
196     0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
197     0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
198     0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
199     0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
200     0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
201     0x74747400,0x12121200,0x2b2b2b00,0x20202000,
202     0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
203     0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
204     0x34343400,0x7e7e7e00,0x76767600,0x05050500,
205     0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
206     0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
207     0x14141400,0x58585800,0x3a3a3a00,0x61616100,
208     0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
209     0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
210     0x53535300,0x18181800,0xf2f2f200,0x22222200,
211     0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
212     0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
213     0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
214     0x60606000,0xfcfcfc00,0x69696900,0x50505000,
215     0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
216     0xa1a1a100,0x89898900,0x62626200,0x97979700,
217     0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
218     0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
219     0x10101000,0xc4c4c400,0x00000000,0x48484800,
220     0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
221     0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
222     0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
223     0x87878700,0x5c5c5c00,0x83838300,0x02020200,
224     0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
225     0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
226     0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
227     0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
228     0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
229     0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
230     0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
231     0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
232     0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
233     0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
234     0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
235     0x78787800,0x98989800,0x06060600,0x6a6a6a00,
236     0xe7e7e700,0x46464600,0x71717100,0xbababa00,
237     0xd4d4d400,0x25252500,0xababab00,0x42424200,
238     0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
239     0x72727200,0x07070700,0xb9b9b900,0x55555500,
240     0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
241     0x36363600,0x49494900,0x2a2a2a00,0x68686800,
242     0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
243     0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
244     0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
245     0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
246     0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
247 };
248 
249 static const u32 camellia_sp0222[256] = {
250     0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
251     0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
252     0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
253     0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
254     0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
255     0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
256     0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
257     0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
258     0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
259     0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
260     0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
261     0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
262     0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
263     0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
264     0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
265     0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
266     0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
267     0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
268     0x00e8e8e8,0x00242424,0x00565656,0x00404040,
269     0x00e1e1e1,0x00636363,0x00090909,0x00333333,
270     0x00bfbfbf,0x00989898,0x00979797,0x00858585,
271     0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
272     0x00dadada,0x006f6f6f,0x00535353,0x00626262,
273     0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
274     0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
275     0x00bdbdbd,0x00363636,0x00222222,0x00383838,
276     0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
277     0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
278     0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
279     0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
280     0x00484848,0x00101010,0x00d1d1d1,0x00515151,
281     0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
282     0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
283     0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
284     0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
285     0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
286     0x00202020,0x00898989,0x00000000,0x00909090,
287     0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
288     0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
289     0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
290     0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
291     0x009b9b9b,0x00949494,0x00212121,0x00666666,
292     0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
293     0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
294     0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
295     0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
296     0x00030303,0x002d2d2d,0x00dedede,0x00969696,
297     0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
298     0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
299     0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
300     0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
301     0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
302     0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
303     0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
304     0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
305     0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
306     0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
307     0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
308     0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
309     0x00787878,0x00707070,0x00e3e3e3,0x00494949,
310     0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
311     0x00777777,0x00939393,0x00868686,0x00838383,
312     0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
313     0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
314 };
315 
316 static const u32 camellia_sp3033[256] = {
317     0x38003838,0x41004141,0x16001616,0x76007676,
318     0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
319     0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
320     0x75007575,0x06000606,0x57005757,0xa000a0a0,
321     0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
322     0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
323     0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
324     0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
325     0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
326     0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
327     0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
328     0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
329     0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
330     0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
331     0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
332     0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
333     0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
334     0xfd00fdfd,0x66006666,0x58005858,0x96009696,
335     0x3a003a3a,0x09000909,0x95009595,0x10001010,
336     0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
337     0xef00efef,0x26002626,0xe500e5e5,0x61006161,
338     0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
339     0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
340     0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
341     0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
342     0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
343     0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
344     0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
345     0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
346     0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
347     0x12001212,0x04000404,0x74007474,0x54005454,
348     0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
349     0x55005555,0x68006868,0x50005050,0xbe00bebe,
350     0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
351     0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
352     0x70007070,0xff00ffff,0x32003232,0x69006969,
353     0x08000808,0x62006262,0x00000000,0x24002424,
354     0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
355     0x45004545,0x81008181,0x73007373,0x6d006d6d,
356     0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
357     0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
358     0xe600e6e6,0x25002525,0x48004848,0x99009999,
359     0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
360     0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
361     0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
362     0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
363     0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
364     0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
365     0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
366     0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
367     0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
368     0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
369     0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
370     0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
371     0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
372     0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
373     0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
374     0x7c007c7c,0x77007777,0x56005656,0x05000505,
375     0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
376     0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
377     0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
378     0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
379     0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
380     0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
381 };
382 
383 static const u32 camellia_sp4404[256] = {
384     0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
385     0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
386     0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
387     0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
388     0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
389     0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
390     0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
391     0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
392     0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
393     0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
394     0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
395     0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
396     0x14140014,0x3a3a003a,0xdede00de,0x11110011,
397     0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
398     0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
399     0x24240024,0xe8e800e8,0x60600060,0x69690069,
400     0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
401     0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
402     0x10100010,0x00000000,0xa3a300a3,0x75750075,
403     0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
404     0x87870087,0x83830083,0xcdcd00cd,0x90900090,
405     0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
406     0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
407     0x81810081,0x6f6f006f,0x13130013,0x63630063,
408     0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
409     0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
410     0x78780078,0x06060006,0xe7e700e7,0x71710071,
411     0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
412     0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
413     0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
414     0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
415     0x15150015,0xadad00ad,0x77770077,0x80800080,
416     0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
417     0x85850085,0x35350035,0x0c0c000c,0x41410041,
418     0xefef00ef,0x93930093,0x19190019,0x21210021,
419     0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
420     0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
421     0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
422     0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
423     0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
424     0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
425     0x12120012,0x20200020,0xb1b100b1,0x99990099,
426     0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
427     0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
428     0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
429     0x0f0f000f,0x16160016,0x18180018,0x22220022,
430     0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
431     0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
432     0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
433     0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
434     0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
435     0x03030003,0xdada00da,0x3f3f003f,0x94940094,
436     0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
437     0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
438     0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
439     0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
440     0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
441     0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
442     0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
443     0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
444     0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
445     0x49490049,0x68680068,0x38380038,0xa4a400a4,
446     0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
447     0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
448 };
449 
450 
451 /**
452  * Stuff related to the Camellia key schedule
453  */
454 #define subl(x) subL[(x)]
455 #define subr(x) subR[(x)]
456 
camellia_setup128(const unsigned char * key,u32 * subkey)457 static void camellia_setup128(const unsigned char *key, u32 *subkey)
458 {
459     u32 kll, klr, krl, krr;
460     u32 il, ir, t0, t1, w0, w1;
461     u32 kw4l, kw4r, dw, tl, tr;
462     u32 subL[26];
463     u32 subR[26];
464 
465     /**
466      *  k == kll || klr || krl || krr (|| is concatination)
467      */
468     kll = GETU32(key     );
469     klr = GETU32(key +  4);
470     krl = GETU32(key +  8);
471     krr = GETU32(key + 12);
472     /**
473      * generate KL dependent subkeys
474      */
475     subl(0) = kll; subr(0) = klr;
476     subl(1) = krl; subr(1) = krr;
477     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
478     subl(4) = kll; subr(4) = klr;
479     subl(5) = krl; subr(5) = krr;
480     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
481     subl(10) = kll; subr(10) = klr;
482     subl(11) = krl; subr(11) = krr;
483     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
484     subl(13) = krl; subr(13) = krr;
485     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
486     subl(16) = kll; subr(16) = klr;
487     subl(17) = krl; subr(17) = krr;
488     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
489     subl(18) = kll; subr(18) = klr;
490     subl(19) = krl; subr(19) = krr;
491     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
492     subl(22) = kll; subr(22) = klr;
493     subl(23) = krl; subr(23) = krr;
494 
495     /* generate KA */
496     kll = subl(0); klr = subr(0);
497     krl = subl(1); krr = subr(1);
498     CAMELLIA_F(kll, klr,
499 	       CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
500 	       w0, w1, il, ir, t0, t1);
501     krl ^= w0; krr ^= w1;
502     CAMELLIA_F(krl, krr,
503 	       CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
504 	       kll, klr, il, ir, t0, t1);
505     CAMELLIA_F(kll, klr,
506 	       CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
507 	       krl, krr, il, ir, t0, t1);
508     krl ^= w0; krr ^= w1;
509     CAMELLIA_F(krl, krr,
510 	       CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
511 	       w0, w1, il, ir, t0, t1);
512     kll ^= w0; klr ^= w1;
513 
514     /* generate KA dependent subkeys */
515     subl(2) = kll; subr(2) = klr;
516     subl(3) = krl; subr(3) = krr;
517     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
518     subl(6) = kll; subr(6) = klr;
519     subl(7) = krl; subr(7) = krr;
520     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
521     subl(8) = kll; subr(8) = klr;
522     subl(9) = krl; subr(9) = krr;
523     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
524     subl(12) = kll; subr(12) = klr;
525     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
526     subl(14) = kll; subr(14) = klr;
527     subl(15) = krl; subr(15) = krr;
528     CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
529     subl(20) = kll; subr(20) = klr;
530     subl(21) = krl; subr(21) = krr;
531     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
532     subl(24) = kll; subr(24) = klr;
533     subl(25) = krl; subr(25) = krr;
534 
535 
536     /* absorb kw2 to other subkeys */
537     subl(3) ^= subl(1); subr(3) ^= subr(1);
538     subl(5) ^= subl(1); subr(5) ^= subr(1);
539     subl(7) ^= subl(1); subr(7) ^= subr(1);
540     subl(1) ^= subr(1) & ~subr(9);
541     dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
542     subl(11) ^= subl(1); subr(11) ^= subr(1);
543     subl(13) ^= subl(1); subr(13) ^= subr(1);
544     subl(15) ^= subl(1); subr(15) ^= subr(1);
545     subl(1) ^= subr(1) & ~subr(17);
546     dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
547     subl(19) ^= subl(1); subr(19) ^= subr(1);
548     subl(21) ^= subl(1); subr(21) ^= subr(1);
549     subl(23) ^= subl(1); subr(23) ^= subr(1);
550     subl(24) ^= subl(1); subr(24) ^= subr(1);
551 
552     /* absorb kw4 to other subkeys */
553     kw4l = subl(25); kw4r = subr(25);
554     subl(22) ^= kw4l; subr(22) ^= kw4r;
555     subl(20) ^= kw4l; subr(20) ^= kw4r;
556     subl(18) ^= kw4l; subr(18) ^= kw4r;
557     kw4l ^= kw4r & ~subr(16);
558     dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
559     subl(14) ^= kw4l; subr(14) ^= kw4r;
560     subl(12) ^= kw4l; subr(12) ^= kw4r;
561     subl(10) ^= kw4l; subr(10) ^= kw4r;
562     kw4l ^= kw4r & ~subr(8);
563     dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
564     subl(6) ^= kw4l; subr(6) ^= kw4r;
565     subl(4) ^= kw4l; subr(4) ^= kw4r;
566     subl(2) ^= kw4l; subr(2) ^= kw4r;
567     subl(0) ^= kw4l; subr(0) ^= kw4r;
568 
569     /* key XOR is end of F-function */
570     CamelliaSubkeyL(0) = subl(0) ^ subl(2);
571     CamelliaSubkeyR(0) = subr(0) ^ subr(2);
572     CamelliaSubkeyL(2) = subl(3);
573     CamelliaSubkeyR(2) = subr(3);
574     CamelliaSubkeyL(3) = subl(2) ^ subl(4);
575     CamelliaSubkeyR(3) = subr(2) ^ subr(4);
576     CamelliaSubkeyL(4) = subl(3) ^ subl(5);
577     CamelliaSubkeyR(4) = subr(3) ^ subr(5);
578     CamelliaSubkeyL(5) = subl(4) ^ subl(6);
579     CamelliaSubkeyR(5) = subr(4) ^ subr(6);
580     CamelliaSubkeyL(6) = subl(5) ^ subl(7);
581     CamelliaSubkeyR(6) = subr(5) ^ subr(7);
582     tl = subl(10) ^ (subr(10) & ~subr(8));
583     dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
584     CamelliaSubkeyL(7) = subl(6) ^ tl;
585     CamelliaSubkeyR(7) = subr(6) ^ tr;
586     CamelliaSubkeyL(8) = subl(8);
587     CamelliaSubkeyR(8) = subr(8);
588     CamelliaSubkeyL(9) = subl(9);
589     CamelliaSubkeyR(9) = subr(9);
590     tl = subl(7) ^ (subr(7) & ~subr(9));
591     dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
592     CamelliaSubkeyL(10) = tl ^ subl(11);
593     CamelliaSubkeyR(10) = tr ^ subr(11);
594     CamelliaSubkeyL(11) = subl(10) ^ subl(12);
595     CamelliaSubkeyR(11) = subr(10) ^ subr(12);
596     CamelliaSubkeyL(12) = subl(11) ^ subl(13);
597     CamelliaSubkeyR(12) = subr(11) ^ subr(13);
598     CamelliaSubkeyL(13) = subl(12) ^ subl(14);
599     CamelliaSubkeyR(13) = subr(12) ^ subr(14);
600     CamelliaSubkeyL(14) = subl(13) ^ subl(15);
601     CamelliaSubkeyR(14) = subr(13) ^ subr(15);
602     tl = subl(18) ^ (subr(18) & ~subr(16));
603     dw = tl & subl(16),	tr = subr(18) ^ CAMELLIA_RL1(dw);
604     CamelliaSubkeyL(15) = subl(14) ^ tl;
605     CamelliaSubkeyR(15) = subr(14) ^ tr;
606     CamelliaSubkeyL(16) = subl(16);
607     CamelliaSubkeyR(16) = subr(16);
608     CamelliaSubkeyL(17) = subl(17);
609     CamelliaSubkeyR(17) = subr(17);
610     tl = subl(15) ^ (subr(15) & ~subr(17));
611     dw = tl & subl(17),	tr = subr(15) ^ CAMELLIA_RL1(dw);
612     CamelliaSubkeyL(18) = tl ^ subl(19);
613     CamelliaSubkeyR(18) = tr ^ subr(19);
614     CamelliaSubkeyL(19) = subl(18) ^ subl(20);
615     CamelliaSubkeyR(19) = subr(18) ^ subr(20);
616     CamelliaSubkeyL(20) = subl(19) ^ subl(21);
617     CamelliaSubkeyR(20) = subr(19) ^ subr(21);
618     CamelliaSubkeyL(21) = subl(20) ^ subl(22);
619     CamelliaSubkeyR(21) = subr(20) ^ subr(22);
620     CamelliaSubkeyL(22) = subl(21) ^ subl(23);
621     CamelliaSubkeyR(22) = subr(21) ^ subr(23);
622     CamelliaSubkeyL(23) = subl(22);
623     CamelliaSubkeyR(23) = subr(22);
624     CamelliaSubkeyL(24) = subl(24) ^ subl(23);
625     CamelliaSubkeyR(24) = subr(24) ^ subr(23);
626 
627     /* apply the inverse of the last half of P-function */
628     dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw);
629     CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw;
630     dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw);
631     CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw;
632     dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw);
633     CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw;
634     dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw);
635     CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw;
636     dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw);
637     CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw;
638     dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw);
639     CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw;
640     dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw);
641     CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw;
642     dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw);
643     CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw;
644     dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw);
645     CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw;
646     dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw);
647     CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw;
648     dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw);
649     CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw;
650     dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw);
651     CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw;
652     dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw);
653     CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw;
654     dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw);
655     CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw;
656     dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw);
657     CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw;
658     dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw);
659     CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw;
660     dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw);
661     CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw;
662     dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw);
663     CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw;
664 
665     return;
666 }
667 
camellia_setup256(const unsigned char * key,u32 * subkey)668 static void camellia_setup256(const unsigned char *key, u32 *subkey)
669 {
670     u32 kll,klr,krl,krr;           /* left half of key */
671     u32 krll,krlr,krrl,krrr;       /* right half of key */
672     u32 il, ir, t0, t1, w0, w1;    /* temporary variables */
673     u32 kw4l, kw4r, dw, tl, tr;
674     u32 subL[34];
675     u32 subR[34];
676 
677     /**
678      *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
679      *  (|| is concatination)
680      */
681 
682     kll  = GETU32(key     );
683     klr  = GETU32(key +  4);
684     krl  = GETU32(key +  8);
685     krr  = GETU32(key + 12);
686     krll = GETU32(key + 16);
687     krlr = GETU32(key + 20);
688     krrl = GETU32(key + 24);
689     krrr = GETU32(key + 28);
690 
691     /* generate KL dependent subkeys */
692     subl(0) = kll; subr(0) = klr;
693     subl(1) = krl; subr(1) = krr;
694     CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
695     subl(12) = kll; subr(12) = klr;
696     subl(13) = krl; subr(13) = krr;
697     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
698     subl(16) = kll; subr(16) = klr;
699     subl(17) = krl; subr(17) = krr;
700     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
701     subl(22) = kll; subr(22) = klr;
702     subl(23) = krl; subr(23) = krr;
703     CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
704     subl(30) = kll; subr(30) = klr;
705     subl(31) = krl; subr(31) = krr;
706 
707     /* generate KR dependent subkeys */
708     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
709     subl(4) = krll; subr(4) = krlr;
710     subl(5) = krrl; subr(5) = krrr;
711     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
712     subl(8) = krll; subr(8) = krlr;
713     subl(9) = krrl; subr(9) = krrr;
714     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
715     subl(18) = krll; subr(18) = krlr;
716     subl(19) = krrl; subr(19) = krrr;
717     CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
718     subl(26) = krll; subr(26) = krlr;
719     subl(27) = krrl; subr(27) = krrr;
720     CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
721 
722     /* generate KA */
723     kll = subl(0) ^ krll; klr = subr(0) ^ krlr;
724     krl = subl(1) ^ krrl; krr = subr(1) ^ krrr;
725     CAMELLIA_F(kll, klr,
726 	       CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
727 	       w0, w1, il, ir, t0, t1);
728     krl ^= w0; krr ^= w1;
729     CAMELLIA_F(krl, krr,
730 	       CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
731 	       kll, klr, il, ir, t0, t1);
732     kll ^= krll; klr ^= krlr;
733     CAMELLIA_F(kll, klr,
734 	       CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
735 	       krl, krr, il, ir, t0, t1);
736     krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
737     CAMELLIA_F(krl, krr,
738 	       CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
739 	       w0, w1, il, ir, t0, t1);
740     kll ^= w0; klr ^= w1;
741 
742     /* generate KB */
743     krll ^= kll; krlr ^= klr;
744     krrl ^= krl; krrr ^= krr;
745     CAMELLIA_F(krll, krlr,
746 	       CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
747 	       w0, w1, il, ir, t0, t1);
748     krrl ^= w0; krrr ^= w1;
749     CAMELLIA_F(krrl, krrr,
750 	       CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
751 	       w0, w1, il, ir, t0, t1);
752     krll ^= w0; krlr ^= w1;
753 
754     /* generate KA dependent subkeys */
755     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
756     subl(6) = kll; subr(6) = klr;
757     subl(7) = krl; subr(7) = krr;
758     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
759     subl(14) = kll; subr(14) = klr;
760     subl(15) = krl; subr(15) = krr;
761     subl(24) = klr; subr(24) = krl;
762     subl(25) = krr; subr(25) = kll;
763     CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
764     subl(28) = kll; subr(28) = klr;
765     subl(29) = krl; subr(29) = krr;
766 
767     /* generate KB dependent subkeys */
768     subl(2) = krll; subr(2) = krlr;
769     subl(3) = krrl; subr(3) = krrr;
770     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
771     subl(10) = krll; subr(10) = krlr;
772     subl(11) = krrl; subr(11) = krrr;
773     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
774     subl(20) = krll; subr(20) = krlr;
775     subl(21) = krrl; subr(21) = krrr;
776     CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
777     subl(32) = krll; subr(32) = krlr;
778     subl(33) = krrl; subr(33) = krrr;
779 
780     /* absorb kw2 to other subkeys */
781     subl(3) ^= subl(1); subr(3) ^= subr(1);
782     subl(5) ^= subl(1); subr(5) ^= subr(1);
783     subl(7) ^= subl(1); subr(7) ^= subr(1);
784     subl(1) ^= subr(1) & ~subr(9);
785     dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
786     subl(11) ^= subl(1); subr(11) ^= subr(1);
787     subl(13) ^= subl(1); subr(13) ^= subr(1);
788     subl(15) ^= subl(1); subr(15) ^= subr(1);
789     subl(1) ^= subr(1) & ~subr(17);
790     dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
791     subl(19) ^= subl(1); subr(19) ^= subr(1);
792     subl(21) ^= subl(1); subr(21) ^= subr(1);
793     subl(23) ^= subl(1); subr(23) ^= subr(1);
794     subl(1) ^= subr(1) & ~subr(25);
795     dw = subl(1) & subl(25), subr(1) ^= CAMELLIA_RL1(dw);
796     subl(27) ^= subl(1); subr(27) ^= subr(1);
797     subl(29) ^= subl(1); subr(29) ^= subr(1);
798     subl(31) ^= subl(1); subr(31) ^= subr(1);
799     subl(32) ^= subl(1); subr(32) ^= subr(1);
800 
801     /* absorb kw4 to other subkeys */
802     kw4l = subl(33); kw4r = subr(33);
803     subl(30) ^= kw4l; subr(30) ^= kw4r;
804     subl(28) ^= kw4l; subr(28) ^= kw4r;
805     subl(26) ^= kw4l; subr(26) ^= kw4r;
806     kw4l ^= kw4r & ~subr(24);
807     dw = kw4l & subl(24), kw4r ^= CAMELLIA_RL1(dw);
808     subl(22) ^= kw4l; subr(22) ^= kw4r;
809     subl(20) ^= kw4l; subr(20) ^= kw4r;
810     subl(18) ^= kw4l; subr(18) ^= kw4r;
811     kw4l ^= kw4r & ~subr(16);
812     dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
813     subl(14) ^= kw4l; subr(14) ^= kw4r;
814     subl(12) ^= kw4l; subr(12) ^= kw4r;
815     subl(10) ^= kw4l; subr(10) ^= kw4r;
816     kw4l ^= kw4r & ~subr(8);
817     dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
818     subl(6) ^= kw4l; subr(6) ^= kw4r;
819     subl(4) ^= kw4l; subr(4) ^= kw4r;
820     subl(2) ^= kw4l; subr(2) ^= kw4r;
821     subl(0) ^= kw4l; subr(0) ^= kw4r;
822 
823     /* key XOR is end of F-function */
824     CamelliaSubkeyL(0) = subl(0) ^ subl(2);
825     CamelliaSubkeyR(0) = subr(0) ^ subr(2);
826     CamelliaSubkeyL(2) = subl(3);
827     CamelliaSubkeyR(2) = subr(3);
828     CamelliaSubkeyL(3) = subl(2) ^ subl(4);
829     CamelliaSubkeyR(3) = subr(2) ^ subr(4);
830     CamelliaSubkeyL(4) = subl(3) ^ subl(5);
831     CamelliaSubkeyR(4) = subr(3) ^ subr(5);
832     CamelliaSubkeyL(5) = subl(4) ^ subl(6);
833     CamelliaSubkeyR(5) = subr(4) ^ subr(6);
834     CamelliaSubkeyL(6) = subl(5) ^ subl(7);
835     CamelliaSubkeyR(6) = subr(5) ^ subr(7);
836     tl = subl(10) ^ (subr(10) & ~subr(8));
837     dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
838     CamelliaSubkeyL(7) = subl(6) ^ tl;
839     CamelliaSubkeyR(7) = subr(6) ^ tr;
840     CamelliaSubkeyL(8) = subl(8);
841     CamelliaSubkeyR(8) = subr(8);
842     CamelliaSubkeyL(9) = subl(9);
843     CamelliaSubkeyR(9) = subr(9);
844     tl = subl(7) ^ (subr(7) & ~subr(9));
845     dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
846     CamelliaSubkeyL(10) = tl ^ subl(11);
847     CamelliaSubkeyR(10) = tr ^ subr(11);
848     CamelliaSubkeyL(11) = subl(10) ^ subl(12);
849     CamelliaSubkeyR(11) = subr(10) ^ subr(12);
850     CamelliaSubkeyL(12) = subl(11) ^ subl(13);
851     CamelliaSubkeyR(12) = subr(11) ^ subr(13);
852     CamelliaSubkeyL(13) = subl(12) ^ subl(14);
853     CamelliaSubkeyR(13) = subr(12) ^ subr(14);
854     CamelliaSubkeyL(14) = subl(13) ^ subl(15);
855     CamelliaSubkeyR(14) = subr(13) ^ subr(15);
856     tl = subl(18) ^ (subr(18) & ~subr(16));
857     dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
858     CamelliaSubkeyL(15) = subl(14) ^ tl;
859     CamelliaSubkeyR(15) = subr(14) ^ tr;
860     CamelliaSubkeyL(16) = subl(16);
861     CamelliaSubkeyR(16) = subr(16);
862     CamelliaSubkeyL(17) = subl(17);
863     CamelliaSubkeyR(17) = subr(17);
864     tl = subl(15) ^ (subr(15) & ~subr(17));
865     dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
866     CamelliaSubkeyL(18) = tl ^ subl(19);
867     CamelliaSubkeyR(18) = tr ^ subr(19);
868     CamelliaSubkeyL(19) = subl(18) ^ subl(20);
869     CamelliaSubkeyR(19) = subr(18) ^ subr(20);
870     CamelliaSubkeyL(20) = subl(19) ^ subl(21);
871     CamelliaSubkeyR(20) = subr(19) ^ subr(21);
872     CamelliaSubkeyL(21) = subl(20) ^ subl(22);
873     CamelliaSubkeyR(21) = subr(20) ^ subr(22);
874     CamelliaSubkeyL(22) = subl(21) ^ subl(23);
875     CamelliaSubkeyR(22) = subr(21) ^ subr(23);
876     tl = subl(26) ^ (subr(26) & ~subr(24));
877     dw = tl & subl(24), tr = subr(26) ^ CAMELLIA_RL1(dw);
878     CamelliaSubkeyL(23) = subl(22) ^ tl;
879     CamelliaSubkeyR(23) = subr(22) ^ tr;
880     CamelliaSubkeyL(24) = subl(24);
881     CamelliaSubkeyR(24) = subr(24);
882     CamelliaSubkeyL(25) = subl(25);
883     CamelliaSubkeyR(25) = subr(25);
884     tl = subl(23) ^ (subr(23) &  ~subr(25));
885     dw = tl & subl(25), tr = subr(23) ^ CAMELLIA_RL1(dw);
886     CamelliaSubkeyL(26) = tl ^ subl(27);
887     CamelliaSubkeyR(26) = tr ^ subr(27);
888     CamelliaSubkeyL(27) = subl(26) ^ subl(28);
889     CamelliaSubkeyR(27) = subr(26) ^ subr(28);
890     CamelliaSubkeyL(28) = subl(27) ^ subl(29);
891     CamelliaSubkeyR(28) = subr(27) ^ subr(29);
892     CamelliaSubkeyL(29) = subl(28) ^ subl(30);
893     CamelliaSubkeyR(29) = subr(28) ^ subr(30);
894     CamelliaSubkeyL(30) = subl(29) ^ subl(31);
895     CamelliaSubkeyR(30) = subr(29) ^ subr(31);
896     CamelliaSubkeyL(31) = subl(30);
897     CamelliaSubkeyR(31) = subr(30);
898     CamelliaSubkeyL(32) = subl(32) ^ subl(31);
899     CamelliaSubkeyR(32) = subr(32) ^ subr(31);
900 
901     /* apply the inverse of the last half of P-function */
902     dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw);
903     CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw;
904     dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw);
905     CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw;
906     dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw);
907     CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw;
908     dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw);
909     CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw;
910     dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw);
911     CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw;
912     dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw);
913     CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw;
914     dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw);
915     CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw;
916     dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw);
917     CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw;
918     dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw);
919     CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw;
920     dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw);
921     CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw;
922     dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw);
923     CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw;
924     dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw);
925     CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw;
926     dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw);
927     CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw;
928     dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw);
929     CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw;
930     dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw);
931     CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw;
932     dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw);
933     CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw;
934     dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw);
935     CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw;
936     dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw);
937     CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw;
938     dw = CamelliaSubkeyL(26) ^ CamelliaSubkeyR(26), dw = CAMELLIA_RL8(dw);
939     CamelliaSubkeyR(26) = CamelliaSubkeyL(26) ^ dw, CamelliaSubkeyL(26) = dw;
940     dw = CamelliaSubkeyL(27) ^ CamelliaSubkeyR(27), dw = CAMELLIA_RL8(dw);
941     CamelliaSubkeyR(27) = CamelliaSubkeyL(27) ^ dw, CamelliaSubkeyL(27) = dw;
942     dw = CamelliaSubkeyL(28) ^ CamelliaSubkeyR(28), dw = CAMELLIA_RL8(dw);
943     CamelliaSubkeyR(28) = CamelliaSubkeyL(28) ^ dw, CamelliaSubkeyL(28) = dw;
944     dw = CamelliaSubkeyL(29) ^ CamelliaSubkeyR(29), dw = CAMELLIA_RL8(dw);
945     CamelliaSubkeyR(29) = CamelliaSubkeyL(29) ^ dw, CamelliaSubkeyL(29) = dw;
946     dw = CamelliaSubkeyL(30) ^ CamelliaSubkeyR(30), dw = CAMELLIA_RL8(dw);
947     CamelliaSubkeyR(30) = CamelliaSubkeyL(30) ^ dw, CamelliaSubkeyL(30) = dw;
948     dw = CamelliaSubkeyL(31) ^ CamelliaSubkeyR(31), dw = CAMELLIA_RL8(dw);
949     CamelliaSubkeyR(31) = CamelliaSubkeyL(31) ^ dw,CamelliaSubkeyL(31) = dw;
950 
951     return;
952 }
953 
camellia_setup192(const unsigned char * key,u32 * subkey)954 static void camellia_setup192(const unsigned char *key, u32 *subkey)
955 {
956     unsigned char kk[32];
957     u32 krll, krlr, krrl,krrr;
958 
959     memcpy(kk, key, 24);
960     memcpy((unsigned char *)&krll, key+16,4);
961     memcpy((unsigned char *)&krlr, key+20,4);
962     krrl = ~krll;
963     krrr = ~krlr;
964     memcpy(kk+24, (unsigned char *)&krrl, 4);
965     memcpy(kk+28, (unsigned char *)&krrr, 4);
966     camellia_setup256(kk, subkey);
967     return;
968 }
969 
970 
971 /**
972  * Stuff related to camellia encryption/decryption
973  *
974  * "io" must be 4byte aligned and big-endian data.
975  */
camellia_encrypt128(const u32 * subkey,u32 * io)976 static void camellia_encrypt128(const u32 *subkey, u32 *io)
977 {
978     u32 il, ir, t0, t1;
979 
980     /* pre whitening but absorb kw2*/
981     io[0] ^= CamelliaSubkeyL(0);
982     io[1] ^= CamelliaSubkeyR(0);
983     /* main iteration */
984 
985     CAMELLIA_ROUNDSM(io[0],io[1],
986 		     CamelliaSubkeyL(2),CamelliaSubkeyR(2),
987 		     io[2],io[3],il,ir,t0,t1);
988     CAMELLIA_ROUNDSM(io[2],io[3],
989 		     CamelliaSubkeyL(3),CamelliaSubkeyR(3),
990 		     io[0],io[1],il,ir,t0,t1);
991     CAMELLIA_ROUNDSM(io[0],io[1],
992 		     CamelliaSubkeyL(4),CamelliaSubkeyR(4),
993 		     io[2],io[3],il,ir,t0,t1);
994     CAMELLIA_ROUNDSM(io[2],io[3],
995 		     CamelliaSubkeyL(5),CamelliaSubkeyR(5),
996 		     io[0],io[1],il,ir,t0,t1);
997     CAMELLIA_ROUNDSM(io[0],io[1],
998 		     CamelliaSubkeyL(6),CamelliaSubkeyR(6),
999 		     io[2],io[3],il,ir,t0,t1);
1000     CAMELLIA_ROUNDSM(io[2],io[3],
1001 		     CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1002 		     io[0],io[1],il,ir,t0,t1);
1003 
1004     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1005 		 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1006 		 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1007 		 t0,t1,il,ir);
1008 
1009     CAMELLIA_ROUNDSM(io[0],io[1],
1010 		     CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1011 		     io[2],io[3],il,ir,t0,t1);
1012     CAMELLIA_ROUNDSM(io[2],io[3],
1013 		     CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1014 		     io[0],io[1],il,ir,t0,t1);
1015     CAMELLIA_ROUNDSM(io[0],io[1],
1016 		     CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1017 		     io[2],io[3],il,ir,t0,t1);
1018     CAMELLIA_ROUNDSM(io[2],io[3],
1019 		     CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1020 		     io[0],io[1],il,ir,t0,t1);
1021     CAMELLIA_ROUNDSM(io[0],io[1],
1022 		     CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1023 		     io[2],io[3],il,ir,t0,t1);
1024     CAMELLIA_ROUNDSM(io[2],io[3],
1025 		     CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1026 		     io[0],io[1],il,ir,t0,t1);
1027 
1028     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1029 		 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1030 		 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1031 		 t0,t1,il,ir);
1032 
1033     CAMELLIA_ROUNDSM(io[0],io[1],
1034 		     CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1035 		     io[2],io[3],il,ir,t0,t1);
1036     CAMELLIA_ROUNDSM(io[2],io[3],
1037 		     CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1038 		     io[0],io[1],il,ir,t0,t1);
1039     CAMELLIA_ROUNDSM(io[0],io[1],
1040 		     CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1041 		     io[2],io[3],il,ir,t0,t1);
1042     CAMELLIA_ROUNDSM(io[2],io[3],
1043 		     CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1044 		     io[0],io[1],il,ir,t0,t1);
1045     CAMELLIA_ROUNDSM(io[0],io[1],
1046 		     CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1047 		     io[2],io[3],il,ir,t0,t1);
1048     CAMELLIA_ROUNDSM(io[2],io[3],
1049 		     CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1050 		     io[0],io[1],il,ir,t0,t1);
1051 
1052     /* post whitening but kw4 */
1053     io[2] ^= CamelliaSubkeyL(24);
1054     io[3] ^= CamelliaSubkeyR(24);
1055 
1056     t0 = io[0];
1057     t1 = io[1];
1058     io[0] = io[2];
1059     io[1] = io[3];
1060     io[2] = t0;
1061     io[3] = t1;
1062 
1063     return;
1064 }
1065 
camellia_decrypt128(const u32 * subkey,u32 * io)1066 static void camellia_decrypt128(const u32 *subkey, u32 *io)
1067 {
1068     u32 il,ir,t0,t1;               /* temporary valiables */
1069 
1070     /* pre whitening but absorb kw2*/
1071     io[0] ^= CamelliaSubkeyL(24);
1072     io[1] ^= CamelliaSubkeyR(24);
1073 
1074     /* main iteration */
1075     CAMELLIA_ROUNDSM(io[0],io[1],
1076 		     CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1077 		     io[2],io[3],il,ir,t0,t1);
1078     CAMELLIA_ROUNDSM(io[2],io[3],
1079 		     CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1080 		     io[0],io[1],il,ir,t0,t1);
1081     CAMELLIA_ROUNDSM(io[0],io[1],
1082 		     CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1083 		     io[2],io[3],il,ir,t0,t1);
1084     CAMELLIA_ROUNDSM(io[2],io[3],
1085 		     CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1086 		     io[0],io[1],il,ir,t0,t1);
1087     CAMELLIA_ROUNDSM(io[0],io[1],
1088 		     CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1089 		     io[2],io[3],il,ir,t0,t1);
1090     CAMELLIA_ROUNDSM(io[2],io[3],
1091 		     CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1092 		     io[0],io[1],il,ir,t0,t1);
1093 
1094     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1095 		 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1096 		 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1097 		 t0,t1,il,ir);
1098 
1099     CAMELLIA_ROUNDSM(io[0],io[1],
1100 		     CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1101 		     io[2],io[3],il,ir,t0,t1);
1102     CAMELLIA_ROUNDSM(io[2],io[3],
1103 		     CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1104 		     io[0],io[1],il,ir,t0,t1);
1105     CAMELLIA_ROUNDSM(io[0],io[1],
1106 		     CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1107 		     io[2],io[3],il,ir,t0,t1);
1108     CAMELLIA_ROUNDSM(io[2],io[3],
1109 		     CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1110 		     io[0],io[1],il,ir,t0,t1);
1111     CAMELLIA_ROUNDSM(io[0],io[1],
1112 		     CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1113 		     io[2],io[3],il,ir,t0,t1);
1114     CAMELLIA_ROUNDSM(io[2],io[3],
1115 		     CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1116 		     io[0],io[1],il,ir,t0,t1);
1117 
1118     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1119 		 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1120 		 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1121 		 t0,t1,il,ir);
1122 
1123     CAMELLIA_ROUNDSM(io[0],io[1],
1124 		     CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1125 		     io[2],io[3],il,ir,t0,t1);
1126     CAMELLIA_ROUNDSM(io[2],io[3],
1127 		     CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1128 		     io[0],io[1],il,ir,t0,t1);
1129     CAMELLIA_ROUNDSM(io[0],io[1],
1130 		     CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1131 		     io[2],io[3],il,ir,t0,t1);
1132     CAMELLIA_ROUNDSM(io[2],io[3],
1133 		     CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1134 		     io[0],io[1],il,ir,t0,t1);
1135     CAMELLIA_ROUNDSM(io[0],io[1],
1136 		     CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1137 		     io[2],io[3],il,ir,t0,t1);
1138     CAMELLIA_ROUNDSM(io[2],io[3],
1139 		     CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1140 		     io[0],io[1],il,ir,t0,t1);
1141 
1142     /* post whitening but kw4 */
1143     io[2] ^= CamelliaSubkeyL(0);
1144     io[3] ^= CamelliaSubkeyR(0);
1145 
1146     t0 = io[0];
1147     t1 = io[1];
1148     io[0] = io[2];
1149     io[1] = io[3];
1150     io[2] = t0;
1151     io[3] = t1;
1152 
1153     return;
1154 }
1155 
1156 /**
1157  * stuff for 192 and 256bit encryption/decryption
1158  */
camellia_encrypt256(const u32 * subkey,u32 * io)1159 static void camellia_encrypt256(const u32 *subkey, u32 *io)
1160 {
1161     u32 il,ir,t0,t1;           /* temporary valiables */
1162 
1163     /* pre whitening but absorb kw2*/
1164     io[0] ^= CamelliaSubkeyL(0);
1165     io[1] ^= CamelliaSubkeyR(0);
1166 
1167     /* main iteration */
1168     CAMELLIA_ROUNDSM(io[0],io[1],
1169 		     CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1170 		     io[2],io[3],il,ir,t0,t1);
1171     CAMELLIA_ROUNDSM(io[2],io[3],
1172 		     CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1173 		     io[0],io[1],il,ir,t0,t1);
1174     CAMELLIA_ROUNDSM(io[0],io[1],
1175 		     CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1176 		     io[2],io[3],il,ir,t0,t1);
1177     CAMELLIA_ROUNDSM(io[2],io[3],
1178 		     CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1179 		     io[0],io[1],il,ir,t0,t1);
1180     CAMELLIA_ROUNDSM(io[0],io[1],
1181 		     CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1182 		     io[2],io[3],il,ir,t0,t1);
1183     CAMELLIA_ROUNDSM(io[2],io[3],
1184 		     CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1185 		     io[0],io[1],il,ir,t0,t1);
1186 
1187     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1188 		 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1189 		 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1190 		 t0,t1,il,ir);
1191 
1192     CAMELLIA_ROUNDSM(io[0],io[1],
1193 		     CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1194 		     io[2],io[3],il,ir,t0,t1);
1195     CAMELLIA_ROUNDSM(io[2],io[3],
1196 		     CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1197 		     io[0],io[1],il,ir,t0,t1);
1198     CAMELLIA_ROUNDSM(io[0],io[1],
1199 		     CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1200 		     io[2],io[3],il,ir,t0,t1);
1201     CAMELLIA_ROUNDSM(io[2],io[3],
1202 		     CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1203 		     io[0],io[1],il,ir,t0,t1);
1204     CAMELLIA_ROUNDSM(io[0],io[1],
1205 		     CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1206 		     io[2],io[3],il,ir,t0,t1);
1207     CAMELLIA_ROUNDSM(io[2],io[3],
1208 		     CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1209 		     io[0],io[1],il,ir,t0,t1);
1210 
1211     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1212 		 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1213 		 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1214 		 t0,t1,il,ir);
1215 
1216     CAMELLIA_ROUNDSM(io[0],io[1],
1217 		     CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1218 		     io[2],io[3],il,ir,t0,t1);
1219     CAMELLIA_ROUNDSM(io[2],io[3],
1220 		     CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1221 		     io[0],io[1],il,ir,t0,t1);
1222     CAMELLIA_ROUNDSM(io[0],io[1],
1223 		     CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1224 		     io[2],io[3],il,ir,t0,t1);
1225     CAMELLIA_ROUNDSM(io[2],io[3],
1226 		     CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1227 		     io[0],io[1],il,ir,t0,t1);
1228     CAMELLIA_ROUNDSM(io[0],io[1],
1229 		     CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1230 		     io[2],io[3],il,ir,t0,t1);
1231     CAMELLIA_ROUNDSM(io[2],io[3],
1232 		     CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1233 		     io[0],io[1],il,ir,t0,t1);
1234 
1235     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1236 		 CamelliaSubkeyL(24),CamelliaSubkeyR(24),
1237 		 CamelliaSubkeyL(25),CamelliaSubkeyR(25),
1238 		 t0,t1,il,ir);
1239 
1240     CAMELLIA_ROUNDSM(io[0],io[1],
1241 		     CamelliaSubkeyL(26),CamelliaSubkeyR(26),
1242 		     io[2],io[3],il,ir,t0,t1);
1243     CAMELLIA_ROUNDSM(io[2],io[3],
1244 		     CamelliaSubkeyL(27),CamelliaSubkeyR(27),
1245 		     io[0],io[1],il,ir,t0,t1);
1246     CAMELLIA_ROUNDSM(io[0],io[1],
1247 		     CamelliaSubkeyL(28),CamelliaSubkeyR(28),
1248 		     io[2],io[3],il,ir,t0,t1);
1249     CAMELLIA_ROUNDSM(io[2],io[3],
1250 		     CamelliaSubkeyL(29),CamelliaSubkeyR(29),
1251 		     io[0],io[1],il,ir,t0,t1);
1252     CAMELLIA_ROUNDSM(io[0],io[1],
1253 		     CamelliaSubkeyL(30),CamelliaSubkeyR(30),
1254 		     io[2],io[3],il,ir,t0,t1);
1255     CAMELLIA_ROUNDSM(io[2],io[3],
1256 		     CamelliaSubkeyL(31),CamelliaSubkeyR(31),
1257 		     io[0],io[1],il,ir,t0,t1);
1258 
1259     /* post whitening but kw4 */
1260     io[2] ^= CamelliaSubkeyL(32);
1261     io[3] ^= CamelliaSubkeyR(32);
1262 
1263     t0 = io[0];
1264     t1 = io[1];
1265     io[0] = io[2];
1266     io[1] = io[3];
1267     io[2] = t0;
1268     io[3] = t1;
1269 
1270     return;
1271 }
1272 
camellia_decrypt256(const u32 * subkey,u32 * io)1273 static void camellia_decrypt256(const u32 *subkey, u32 *io)
1274 {
1275     u32 il,ir,t0,t1;           /* temporary valiables */
1276 
1277     /* pre whitening but absorb kw2*/
1278     io[0] ^= CamelliaSubkeyL(32);
1279     io[1] ^= CamelliaSubkeyR(32);
1280 
1281     /* main iteration */
1282     CAMELLIA_ROUNDSM(io[0],io[1],
1283 		     CamelliaSubkeyL(31),CamelliaSubkeyR(31),
1284 		     io[2],io[3],il,ir,t0,t1);
1285     CAMELLIA_ROUNDSM(io[2],io[3],
1286 		     CamelliaSubkeyL(30),CamelliaSubkeyR(30),
1287 		     io[0],io[1],il,ir,t0,t1);
1288     CAMELLIA_ROUNDSM(io[0],io[1],
1289 		     CamelliaSubkeyL(29),CamelliaSubkeyR(29),
1290 		     io[2],io[3],il,ir,t0,t1);
1291     CAMELLIA_ROUNDSM(io[2],io[3],
1292 		     CamelliaSubkeyL(28),CamelliaSubkeyR(28),
1293 		     io[0],io[1],il,ir,t0,t1);
1294     CAMELLIA_ROUNDSM(io[0],io[1],
1295 		     CamelliaSubkeyL(27),CamelliaSubkeyR(27),
1296 		     io[2],io[3],il,ir,t0,t1);
1297     CAMELLIA_ROUNDSM(io[2],io[3],
1298 		     CamelliaSubkeyL(26),CamelliaSubkeyR(26),
1299 		     io[0],io[1],il,ir,t0,t1);
1300 
1301     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1302 		 CamelliaSubkeyL(25),CamelliaSubkeyR(25),
1303 		 CamelliaSubkeyL(24),CamelliaSubkeyR(24),
1304 		 t0,t1,il,ir);
1305 
1306     CAMELLIA_ROUNDSM(io[0],io[1],
1307 		     CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1308 		     io[2],io[3],il,ir,t0,t1);
1309     CAMELLIA_ROUNDSM(io[2],io[3],
1310 		     CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1311 		     io[0],io[1],il,ir,t0,t1);
1312     CAMELLIA_ROUNDSM(io[0],io[1],
1313 		     CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1314 		     io[2],io[3],il,ir,t0,t1);
1315     CAMELLIA_ROUNDSM(io[2],io[3],
1316 		     CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1317 		     io[0],io[1],il,ir,t0,t1);
1318     CAMELLIA_ROUNDSM(io[0],io[1],
1319 		     CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1320 		     io[2],io[3],il,ir,t0,t1);
1321     CAMELLIA_ROUNDSM(io[2],io[3],
1322 		     CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1323 		     io[0],io[1],il,ir,t0,t1);
1324 
1325     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1326 		 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1327 		 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1328 		 t0,t1,il,ir);
1329 
1330     CAMELLIA_ROUNDSM(io[0],io[1],
1331 		     CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1332 		     io[2],io[3],il,ir,t0,t1);
1333     CAMELLIA_ROUNDSM(io[2],io[3],
1334 		     CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1335 		     io[0],io[1],il,ir,t0,t1);
1336     CAMELLIA_ROUNDSM(io[0],io[1],
1337 		     CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1338 		     io[2],io[3],il,ir,t0,t1);
1339     CAMELLIA_ROUNDSM(io[2],io[3],
1340 		     CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1341 		     io[0],io[1],il,ir,t0,t1);
1342     CAMELLIA_ROUNDSM(io[0],io[1],
1343 		     CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1344 		     io[2],io[3],il,ir,t0,t1);
1345     CAMELLIA_ROUNDSM(io[2],io[3],
1346 		     CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1347 		     io[0],io[1],il,ir,t0,t1);
1348 
1349     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1350 		 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1351 		 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1352 		 t0,t1,il,ir);
1353 
1354     CAMELLIA_ROUNDSM(io[0],io[1],
1355 		     CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1356 		     io[2],io[3],il,ir,t0,t1);
1357     CAMELLIA_ROUNDSM(io[2],io[3],
1358 		     CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1359 		     io[0],io[1],il,ir,t0,t1);
1360     CAMELLIA_ROUNDSM(io[0],io[1],
1361 		     CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1362 		     io[2],io[3],il,ir,t0,t1);
1363     CAMELLIA_ROUNDSM(io[2],io[3],
1364 		     CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1365 		     io[0],io[1],il,ir,t0,t1);
1366     CAMELLIA_ROUNDSM(io[0],io[1],
1367 		     CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1368 		     io[2],io[3],il,ir,t0,t1);
1369     CAMELLIA_ROUNDSM(io[2],io[3],
1370 		     CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1371 		     io[0],io[1],il,ir,t0,t1);
1372 
1373     /* post whitening but kw4 */
1374     io[2] ^= CamelliaSubkeyL(0);
1375     io[3] ^= CamelliaSubkeyR(0);
1376 
1377     t0 = io[0];
1378     t1 = io[1];
1379     io[0] = io[2];
1380     io[1] = io[3];
1381     io[2] = t0;
1382     io[3] = t1;
1383 
1384     return;
1385 }
1386 
1387 /***
1388  *
1389  * API for compatibility
1390  */
1391 
Camellia_Ekeygen(const int keyBitLength,const unsigned char * rawKey,KEY_TABLE_TYPE keyTable)1392 void Camellia_Ekeygen(const int keyBitLength,
1393 		      const unsigned char *rawKey,
1394 		      KEY_TABLE_TYPE keyTable)
1395 {
1396     switch(keyBitLength) {
1397     case 128:
1398 	camellia_setup128(rawKey, keyTable);
1399 	break;
1400     case 192:
1401 	camellia_setup192(rawKey, keyTable);
1402 	break;
1403     case 256:
1404 	camellia_setup256(rawKey, keyTable);
1405 	break;
1406     default:
1407 	break;
1408     }
1409 }
1410 
1411 
Camellia_EncryptBlock(const int keyBitLength,const unsigned char * plaintext,const KEY_TABLE_TYPE keyTable,unsigned char * ciphertext)1412 void Camellia_EncryptBlock(const int keyBitLength,
1413 			   const unsigned char *plaintext,
1414 			   const KEY_TABLE_TYPE keyTable,
1415 			   unsigned char *ciphertext)
1416 {
1417     u32 tmp[4];
1418 
1419     tmp[0] = GETU32(plaintext);
1420     tmp[1] = GETU32(plaintext + 4);
1421     tmp[2] = GETU32(plaintext + 8);
1422     tmp[3] = GETU32(plaintext + 12);
1423 
1424     switch (keyBitLength) {
1425     case 128:
1426 	camellia_encrypt128(keyTable, tmp);
1427 	break;
1428     case 192:
1429 	/* fall through */
1430     case 256:
1431 	camellia_encrypt256(keyTable, tmp);
1432 	break;
1433     default:
1434 	break;
1435     }
1436 
1437     PUTU32(ciphertext, tmp[0]);
1438     PUTU32(ciphertext + 4, tmp[1]);
1439     PUTU32(ciphertext + 8, tmp[2]);
1440     PUTU32(ciphertext + 12, tmp[3]);
1441 }
1442 
Camellia_DecryptBlock(const int keyBitLength,const unsigned char * ciphertext,const KEY_TABLE_TYPE keyTable,unsigned char * plaintext)1443 void Camellia_DecryptBlock(const int keyBitLength,
1444 			   const unsigned char *ciphertext,
1445 			   const KEY_TABLE_TYPE keyTable,
1446 			   unsigned char *plaintext)
1447 {
1448     u32 tmp[4];
1449 
1450     tmp[0] = GETU32(ciphertext);
1451     tmp[1] = GETU32(ciphertext + 4);
1452     tmp[2] = GETU32(ciphertext + 8);
1453     tmp[3] = GETU32(ciphertext + 12);
1454 
1455     switch (keyBitLength) {
1456     case 128:
1457 	camellia_decrypt128(keyTable, tmp);
1458 	break;
1459     case 192:
1460 	/* fall through */
1461     case 256:
1462 	camellia_decrypt256(keyTable, tmp);
1463 	break;
1464     default:
1465 	break;
1466     }
1467     PUTU32(plaintext, tmp[0]);
1468     PUTU32(plaintext + 4, tmp[1]);
1469     PUTU32(plaintext + 8, tmp[2]);
1470     PUTU32(plaintext + 12, tmp[3]);
1471 }
1472