1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 #ifdef FREEBL_NO_DEPEND
6 #include "stubs.h"
7 #endif
8
9 #include "prinit.h"
10 #include "prerr.h"
11 #include "secerr.h"
12
13 #include "prtypes.h"
14 #include "blapi.h"
15 #include "camellia.h"
16 #include "sha_fast.h" /* for SHA_HTONL and related configuration macros */
17
18 /* key constants */
19
20 #define CAMELLIA_SIGMA1L (0xA09E667FL)
21 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
22 #define CAMELLIA_SIGMA2L (0xB67AE858L)
23 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
24 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
25 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
26 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
27 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
28 #define CAMELLIA_SIGMA5L (0x10E527FAL)
29 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
30 #define CAMELLIA_SIGMA6L (0xB05688C2L)
31 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
32
33 /*
34 * macros
35 */
36
37 #if defined(HAVE_UNALIGNED_ACCESS)
38
39 /* require a CPU that allows unaligned access */
40
41 #if defined(SHA_NEED_TMP_VARIABLE)
42 #define CAMELLIA_NEED_TMP_VARIABLE 1
43 #endif
44
45 #define GETU32(p) SHA_HTONL(*((PRUint32 *)(p)))
46 #define PUTU32(ct, st) \
47 { \
48 *((PRUint32 *)(ct)) = SHA_HTONL(st); \
49 }
50
51 #else /* no unaligned access */
52
53 #define GETU32(pt) \
54 (((PRUint32)(pt)[0] << 24) ^ ((PRUint32)(pt)[1] << 16) ^ ((PRUint32)(pt)[2] << 8) ^ ((PRUint32)(pt)[3]))
55
56 #define PUTU32(ct, st) \
57 { \
58 (ct)[0] = (PRUint8)((st) >> 24); \
59 (ct)[1] = (PRUint8)((st) >> 16); \
60 (ct)[2] = (PRUint8)((st) >> 8); \
61 (ct)[3] = (PRUint8)(st); \
62 }
63
64 #endif
65
66 #define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2])
67 #define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1])
68
69 /* rotation right shift 1byte */
70 #define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24))
71 /* rotation left shift 1bit */
72 #define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
73 /* rotation left shift 1byte */
74 #define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24))
75
76 #define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits) \
77 do { \
78 w0 = ll; \
79 ll = (ll << bits) + (lr >> (32 - bits)); \
80 lr = (lr << bits) + (rl >> (32 - bits)); \
81 rl = (rl << bits) + (rr >> (32 - bits)); \
82 rr = (rr << bits) + (w0 >> (32 - bits)); \
83 } while (0)
84
85 #define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits) \
86 do { \
87 w0 = ll; \
88 w1 = lr; \
89 ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
90 lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
91 rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
92 rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
93 } while (0)
94
95 #define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)])
96 #define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)])
97 #define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)])
98 #define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)])
99
100 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \
101 do { \
102 il = xl ^ kl; \
103 ir = xr ^ kr; \
104 t0 = il >> 16; \
105 t1 = ir >> 16; \
106 yl = CAMELLIA_SP1110(ir & 0xff) ^ \
107 CAMELLIA_SP0222((t1 >> 8) & 0xff) ^ \
108 CAMELLIA_SP3033(t1 & 0xff) ^ \
109 CAMELLIA_SP4404((ir >> 8) & 0xff); \
110 yr = CAMELLIA_SP1110((t0 >> 8) & 0xff) ^ \
111 CAMELLIA_SP0222(t0 & 0xff) ^ \
112 CAMELLIA_SP3033((il >> 8) & 0xff) ^ \
113 CAMELLIA_SP4404(il & 0xff); \
114 yl ^= yr; \
115 yr = CAMELLIA_RR8(yr); \
116 yr ^= yl; \
117 } while (0)
118
119 /*
120 * for speed up
121 *
122 */
123 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
124 do { \
125 t0 = kll; \
126 t0 &= ll; \
127 lr ^= CAMELLIA_RL1(t0); \
128 t1 = klr; \
129 t1 |= lr; \
130 ll ^= t1; \
131 \
132 t2 = krr; \
133 t2 |= rr; \
134 rl ^= t2; \
135 t3 = krl; \
136 t3 &= rl; \
137 rr ^= CAMELLIA_RL1(t3); \
138 } while (0)
139
140 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \
141 do { \
142 ir = CAMELLIA_SP1110(xr & 0xff) ^ \
143 CAMELLIA_SP0222((xr >> 24) & 0xff) ^ \
144 CAMELLIA_SP3033((xr >> 16) & 0xff) ^ \
145 CAMELLIA_SP4404((xr >> 8) & 0xff); \
146 il = CAMELLIA_SP1110((xl >> 24) & 0xff) ^ \
147 CAMELLIA_SP0222((xl >> 16) & 0xff) ^ \
148 CAMELLIA_SP3033((xl >> 8) & 0xff) ^ \
149 CAMELLIA_SP4404(xl & 0xff); \
150 il ^= kl; \
151 ir ^= kr; \
152 ir ^= il; \
153 il = CAMELLIA_RR8(il); \
154 il ^= ir; \
155 yl ^= ir; \
156 yr ^= il; \
157 } while (0)
158
159 static const PRUint32 camellia_sp1110[256] = {
160 0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00,
161 0xb3b3b300, 0x27272700, 0xc0c0c000, 0xe5e5e500,
162 0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
163 0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100,
164 0x23232300, 0xefefef00, 0x6b6b6b00, 0x93939300,
165 0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
166 0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00,
167 0x1d1d1d00, 0x65656500, 0x92929200, 0xbdbdbd00,
168 0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
169 0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00,
170 0x3e3e3e00, 0x30303000, 0xdcdcdc00, 0x5f5f5f00,
171 0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
172 0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00,
173 0xd5d5d500, 0x47474700, 0x5d5d5d00, 0x3d3d3d00,
174 0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
175 0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00,
176 0x8b8b8b00, 0x0d0d0d00, 0x9a9a9a00, 0x66666600,
177 0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
178 0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000,
179 0xf0f0f000, 0xb1b1b100, 0x84848400, 0x99999900,
180 0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
181 0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500,
182 0x6d6d6d00, 0xb7b7b700, 0xa9a9a900, 0x31313100,
183 0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
184 0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100,
185 0xdedede00, 0x1b1b1b00, 0x11111100, 0x1c1c1c00,
186 0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
187 0x53535300, 0x18181800, 0xf2f2f200, 0x22222200,
188 0xfefefe00, 0x44444400, 0xcfcfcf00, 0xb2b2b200,
189 0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
190 0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800,
191 0x60606000, 0xfcfcfc00, 0x69696900, 0x50505000,
192 0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
193 0xa1a1a100, 0x89898900, 0x62626200, 0x97979700,
194 0x54545400, 0x5b5b5b00, 0x1e1e1e00, 0x95959500,
195 0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
196 0x10101000, 0xc4c4c400, 0x00000000, 0x48484800,
197 0xa3a3a300, 0xf7f7f700, 0x75757500, 0xdbdbdb00,
198 0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
199 0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400,
200 0x87878700, 0x5c5c5c00, 0x83838300, 0x02020200,
201 0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
202 0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300,
203 0x9d9d9d00, 0x7f7f7f00, 0xbfbfbf00, 0xe2e2e200,
204 0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
205 0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00,
206 0x81818100, 0x96969600, 0x6f6f6f00, 0x4b4b4b00,
207 0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
208 0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00,
209 0x9f9f9f00, 0x6e6e6e00, 0xbcbcbc00, 0x8e8e8e00,
210 0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
211 0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900,
212 0x78787800, 0x98989800, 0x06060600, 0x6a6a6a00,
213 0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
214 0xd4d4d400, 0x25252500, 0xababab00, 0x42424200,
215 0x88888800, 0xa2a2a200, 0x8d8d8d00, 0xfafafa00,
216 0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
217 0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00,
218 0x36363600, 0x49494900, 0x2a2a2a00, 0x68686800,
219 0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
220 0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00,
221 0xbbbbbb00, 0xc9c9c900, 0x43434300, 0xc1c1c100,
222 0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
223 0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00,
224 };
225
226 static const PRUint32 camellia_sp0222[256] = {
227 0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9,
228 0x00676767, 0x004e4e4e, 0x00818181, 0x00cbcbcb,
229 0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
230 0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282,
231 0x00464646, 0x00dfdfdf, 0x00d6d6d6, 0x00272727,
232 0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
233 0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c,
234 0x003a3a3a, 0x00cacaca, 0x00252525, 0x007b7b7b,
235 0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
236 0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d,
237 0x007c7c7c, 0x00606060, 0x00b9b9b9, 0x00bebebe,
238 0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
239 0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595,
240 0x00ababab, 0x008e8e8e, 0x00bababa, 0x007a7a7a,
241 0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
242 0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a,
243 0x00171717, 0x001a1a1a, 0x00353535, 0x00cccccc,
244 0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
245 0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040,
246 0x00e1e1e1, 0x00636363, 0x00090909, 0x00333333,
247 0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
248 0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a,
249 0x00dadada, 0x006f6f6f, 0x00535353, 0x00626262,
250 0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
251 0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2,
252 0x00bdbdbd, 0x00363636, 0x00222222, 0x00383838,
253 0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
254 0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444,
255 0x00fdfdfd, 0x00888888, 0x009f9f9f, 0x00656565,
256 0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
257 0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151,
258 0x00c0c0c0, 0x00f9f9f9, 0x00d2d2d2, 0x00a0a0a0,
259 0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
260 0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f,
261 0x00a8a8a8, 0x00b6b6b6, 0x003c3c3c, 0x002b2b2b,
262 0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
263 0x00202020, 0x00898989, 0x00000000, 0x00909090,
264 0x00474747, 0x00efefef, 0x00eaeaea, 0x00b7b7b7,
265 0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
266 0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929,
267 0x000f0f0f, 0x00b8b8b8, 0x00070707, 0x00040404,
268 0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
269 0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7,
270 0x003b3b3b, 0x00fefefe, 0x007f7f7f, 0x00c5c5c5,
271 0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
272 0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676,
273 0x00030303, 0x002d2d2d, 0x00dedede, 0x00969696,
274 0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
275 0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919,
276 0x003f3f3f, 0x00dcdcdc, 0x00797979, 0x001d1d1d,
277 0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
278 0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2,
279 0x00f0f0f0, 0x00313131, 0x000c0c0c, 0x00d4d4d4,
280 0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
281 0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484,
282 0x00111111, 0x00454545, 0x001b1b1b, 0x00f5f5f5,
283 0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
284 0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414,
285 0x006c6c6c, 0x00929292, 0x00545454, 0x00d0d0d0,
286 0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
287 0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6,
288 0x00777777, 0x00939393, 0x00868686, 0x00838383,
289 0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
290 0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d,
291 };
292
293 static const PRUint32 camellia_sp3033[256] = {
294 0x38003838, 0x41004141, 0x16001616, 0x76007676,
295 0xd900d9d9, 0x93009393, 0x60006060, 0xf200f2f2,
296 0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
297 0x75007575, 0x06000606, 0x57005757, 0xa000a0a0,
298 0x91009191, 0xf700f7f7, 0xb500b5b5, 0xc900c9c9,
299 0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
300 0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727,
301 0x8e008e8e, 0xb200b2b2, 0x49004949, 0xde00dede,
302 0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
303 0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767,
304 0x1f001f1f, 0x18001818, 0x6e006e6e, 0xaf00afaf,
305 0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
306 0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565,
307 0xea00eaea, 0xa300a3a3, 0xae00aeae, 0x9e009e9e,
308 0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
309 0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6,
310 0xc500c5c5, 0x86008686, 0x4d004d4d, 0x33003333,
311 0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
312 0x3a003a3a, 0x09000909, 0x95009595, 0x10001010,
313 0x78007878, 0xd800d8d8, 0x42004242, 0xcc00cccc,
314 0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
315 0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282,
316 0xb600b6b6, 0xdb00dbdb, 0xd400d4d4, 0x98009898,
317 0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
318 0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0,
319 0x6f006f6f, 0x8d008d8d, 0x88008888, 0x0e000e0e,
320 0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
321 0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111,
322 0x7f007f7f, 0x22002222, 0xe700e7e7, 0x59005959,
323 0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
324 0x12001212, 0x04000404, 0x74007474, 0x54005454,
325 0x30003030, 0x7e007e7e, 0xb400b4b4, 0x28002828,
326 0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
327 0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb,
328 0x2a002a2a, 0xad00adad, 0x0f000f0f, 0xca00caca,
329 0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
330 0x08000808, 0x62006262, 0x00000000, 0x24002424,
331 0xd100d1d1, 0xfb00fbfb, 0xba00baba, 0xed00eded,
332 0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
333 0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a,
334 0xc300c3c3, 0x2e002e2e, 0xc100c1c1, 0x01000101,
335 0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
336 0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9,
337 0xce00cece, 0xbf00bfbf, 0xdf00dfdf, 0x71007171,
338 0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
339 0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d,
340 0xc000c0c0, 0x4b004b4b, 0xb700b7b7, 0xa500a5a5,
341 0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
342 0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646,
343 0xcf00cfcf, 0x37003737, 0x5e005e5e, 0x47004747,
344 0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
345 0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac,
346 0x3c003c3c, 0x4c004c4c, 0x03000303, 0x35003535,
347 0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
348 0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121,
349 0x44004444, 0x51005151, 0xc600c6c6, 0x7d007d7d,
350 0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
351 0x7c007c7c, 0x77007777, 0x56005656, 0x05000505,
352 0x1b001b1b, 0xa400a4a4, 0x15001515, 0x34003434,
353 0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
354 0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd,
355 0xdd00dddd, 0xe400e4e4, 0xa100a1a1, 0xe000e0e0,
356 0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
357 0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f,
358 };
359
360 static const PRUint32 camellia_sp4404[256] = {
361 0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0,
362 0xe4e400e4, 0x57570057, 0xeaea00ea, 0xaeae00ae,
363 0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
364 0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092,
365 0x86860086, 0xafaf00af, 0x7c7c007c, 0x1f1f001f,
366 0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
367 0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d,
368 0xd9d900d9, 0x5a5a005a, 0x51510051, 0x6c6c006c,
369 0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
370 0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084,
371 0xdfdf00df, 0xcbcb00cb, 0x34340034, 0x76760076,
372 0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
373 0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011,
374 0x32320032, 0x9c9c009c, 0x53530053, 0xf2f200f2,
375 0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
376 0x24240024, 0xe8e800e8, 0x60600060, 0x69690069,
377 0xaaaa00aa, 0xa0a000a0, 0xa1a100a1, 0x62620062,
378 0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
379 0x10100010, 0x00000000, 0xa3a300a3, 0x75750075,
380 0x8a8a008a, 0xe6e600e6, 0x09090009, 0xdddd00dd,
381 0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
382 0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf,
383 0x52520052, 0xd8d800d8, 0xc8c800c8, 0xc6c600c6,
384 0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
385 0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc,
386 0x29290029, 0xf9f900f9, 0x2f2f002f, 0xb4b400b4,
387 0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
388 0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d,
389 0x72720072, 0xb9b900b9, 0xf8f800f8, 0xacac00ac,
390 0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
391 0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043,
392 0x15150015, 0xadad00ad, 0x77770077, 0x80800080,
393 0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
394 0x85850085, 0x35350035, 0x0c0c000c, 0x41410041,
395 0xefef00ef, 0x93930093, 0x19190019, 0x21210021,
396 0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
397 0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce,
398 0x30300030, 0x5f5f005f, 0xc5c500c5, 0x1a1a001a,
399 0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
400 0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d,
401 0x0d0d000d, 0x66660066, 0xcccc00cc, 0x2d2d002d,
402 0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
403 0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005,
404 0xb7b700b7, 0x31310031, 0x17170017, 0xd7d700d7,
405 0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
406 0x0f0f000f, 0x16160016, 0x18180018, 0x22220022,
407 0x44440044, 0xb2b200b2, 0xb5b500b5, 0x91910091,
408 0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
409 0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097,
410 0x5b5b005b, 0x95950095, 0xffff00ff, 0xd2d200d2,
411 0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
412 0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094,
413 0x5c5c005c, 0x02020002, 0x4a4a004a, 0x33330033,
414 0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
415 0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b,
416 0x96960096, 0x4b4b004b, 0xbebe00be, 0x2e2e002e,
417 0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
418 0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059,
419 0x98980098, 0x6a6a006a, 0x46460046, 0xbaba00ba,
420 0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
421 0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a,
422 0x49490049, 0x68680068, 0x38380038, 0xa4a400a4,
423 0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
424 0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e,
425 };
426
427 /**
428 * Stuff related to the Camellia key schedule
429 */
430 #define subl(x) subL[(x)]
431 #define subr(x) subR[(x)]
432
433 void
camellia_setup128(const unsigned char * key,PRUint32 * subkey)434 camellia_setup128(const unsigned char *key, PRUint32 *subkey)
435 {
436 PRUint32 kll, klr, krl, krr;
437 PRUint32 il, ir, t0, t1, w0, w1;
438 PRUint32 kw4l, kw4r, dw, tl, tr;
439 PRUint32 subL[26];
440 PRUint32 subR[26];
441 #if defined(CAMELLIA_NEED_TMP_VARIABLE)
442 PRUint32 tmp;
443 #endif
444
445 /**
446 * k == kll || klr || krl || krr (|| is concatination)
447 */
448 kll = GETU32(key);
449 klr = GETU32(key + 4);
450 krl = GETU32(key + 8);
451 krr = GETU32(key + 12);
452 /**
453 * generate KL dependent subkeys
454 */
455 subl(0) = kll;
456 subr(0) = klr;
457 subl(1) = krl;
458 subr(1) = krr;
459 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
460 subl(4) = kll;
461 subr(4) = klr;
462 subl(5) = krl;
463 subr(5) = krr;
464 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
465 subl(10) = kll;
466 subr(10) = klr;
467 subl(11) = krl;
468 subr(11) = krr;
469 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
470 subl(13) = krl;
471 subr(13) = krr;
472 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
473 subl(16) = kll;
474 subr(16) = klr;
475 subl(17) = krl;
476 subr(17) = krr;
477 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
478 subl(18) = kll;
479 subr(18) = klr;
480 subl(19) = krl;
481 subr(19) = krr;
482 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
483 subl(22) = kll;
484 subr(22) = klr;
485 subl(23) = krl;
486 subr(23) = krr;
487
488 /* generate KA */
489 kll = subl(0);
490 klr = subr(0);
491 krl = subl(1);
492 krr = subr(1);
493 CAMELLIA_F(kll, klr,
494 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
495 w0, w1, il, ir, t0, t1);
496 krl ^= w0;
497 krr ^= w1;
498 CAMELLIA_F(krl, krr,
499 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
500 kll, klr, il, ir, t0, t1);
501 CAMELLIA_F(kll, klr,
502 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
503 krl, krr, il, ir, t0, t1);
504 krl ^= w0;
505 krr ^= w1;
506 CAMELLIA_F(krl, krr,
507 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
508 w0, w1, il, ir, t0, t1);
509 kll ^= w0;
510 klr ^= w1;
511
512 /* generate KA dependent subkeys */
513 subl(2) = kll;
514 subr(2) = klr;
515 subl(3) = krl;
516 subr(3) = krr;
517 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
518 subl(6) = kll;
519 subr(6) = klr;
520 subl(7) = krl;
521 subr(7) = krr;
522 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
523 subl(8) = kll;
524 subr(8) = klr;
525 subl(9) = krl;
526 subr(9) = krr;
527 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
528 subl(12) = kll;
529 subr(12) = klr;
530 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
531 subl(14) = kll;
532 subr(14) = klr;
533 subl(15) = krl;
534 subr(15) = krr;
535 CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
536 subl(20) = kll;
537 subr(20) = klr;
538 subl(21) = krl;
539 subr(21) = krr;
540 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
541 subl(24) = kll;
542 subr(24) = klr;
543 subl(25) = krl;
544 subr(25) = krr;
545
546 /* absorb kw2 to other subkeys */
547 subl(3) ^= subl(1);
548 subr(3) ^= subr(1);
549 subl(5) ^= subl(1);
550 subr(5) ^= subr(1);
551 subl(7) ^= subl(1);
552 subr(7) ^= subr(1);
553 subl(1) ^= subr(1) & ~subr(9);
554 dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
555 subl(11) ^= subl(1);
556 subr(11) ^= subr(1);
557 subl(13) ^= subl(1);
558 subr(13) ^= subr(1);
559 subl(15) ^= subl(1);
560 subr(15) ^= subr(1);
561 subl(1) ^= subr(1) & ~subr(17);
562 dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
563 subl(19) ^= subl(1);
564 subr(19) ^= subr(1);
565 subl(21) ^= subl(1);
566 subr(21) ^= subr(1);
567 subl(23) ^= subl(1);
568 subr(23) ^= subr(1);
569 subl(24) ^= subl(1);
570 subr(24) ^= subr(1);
571
572 /* absorb kw4 to other subkeys */
573 kw4l = subl(25);
574 kw4r = subr(25);
575 subl(22) ^= kw4l;
576 subr(22) ^= kw4r;
577 subl(20) ^= kw4l;
578 subr(20) ^= kw4r;
579 subl(18) ^= kw4l;
580 subr(18) ^= kw4r;
581 kw4l ^= kw4r & ~subr(16);
582 dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
583 subl(14) ^= kw4l;
584 subr(14) ^= kw4r;
585 subl(12) ^= kw4l;
586 subr(12) ^= kw4r;
587 subl(10) ^= kw4l;
588 subr(10) ^= kw4r;
589 kw4l ^= kw4r & ~subr(8);
590 dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
591 subl(6) ^= kw4l;
592 subr(6) ^= kw4r;
593 subl(4) ^= kw4l;
594 subr(4) ^= kw4r;
595 subl(2) ^= kw4l;
596 subr(2) ^= kw4r;
597 subl(0) ^= kw4l;
598 subr(0) ^= kw4r;
599
600 /* key XOR is end of F-function */
601 CamelliaSubkeyL(0) = subl(0) ^ subl(2);
602 CamelliaSubkeyR(0) = subr(0) ^ subr(2);
603 CamelliaSubkeyL(2) = subl(3);
604 CamelliaSubkeyR(2) = subr(3);
605 CamelliaSubkeyL(3) = subl(2) ^ subl(4);
606 CamelliaSubkeyR(3) = subr(2) ^ subr(4);
607 CamelliaSubkeyL(4) = subl(3) ^ subl(5);
608 CamelliaSubkeyR(4) = subr(3) ^ subr(5);
609 CamelliaSubkeyL(5) = subl(4) ^ subl(6);
610 CamelliaSubkeyR(5) = subr(4) ^ subr(6);
611 CamelliaSubkeyL(6) = subl(5) ^ subl(7);
612 CamelliaSubkeyR(6) = subr(5) ^ subr(7);
613 tl = subl(10) ^ (subr(10) & ~subr(8));
614 dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
615 CamelliaSubkeyL(7) = subl(6) ^ tl;
616 CamelliaSubkeyR(7) = subr(6) ^ tr;
617 CamelliaSubkeyL(8) = subl(8);
618 CamelliaSubkeyR(8) = subr(8);
619 CamelliaSubkeyL(9) = subl(9);
620 CamelliaSubkeyR(9) = subr(9);
621 tl = subl(7) ^ (subr(7) & ~subr(9));
622 dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
623 CamelliaSubkeyL(10) = tl ^ subl(11);
624 CamelliaSubkeyR(10) = tr ^ subr(11);
625 CamelliaSubkeyL(11) = subl(10) ^ subl(12);
626 CamelliaSubkeyR(11) = subr(10) ^ subr(12);
627 CamelliaSubkeyL(12) = subl(11) ^ subl(13);
628 CamelliaSubkeyR(12) = subr(11) ^ subr(13);
629 CamelliaSubkeyL(13) = subl(12) ^ subl(14);
630 CamelliaSubkeyR(13) = subr(12) ^ subr(14);
631 CamelliaSubkeyL(14) = subl(13) ^ subl(15);
632 CamelliaSubkeyR(14) = subr(13) ^ subr(15);
633 tl = subl(18) ^ (subr(18) & ~subr(16));
634 dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
635 CamelliaSubkeyL(15) = subl(14) ^ tl;
636 CamelliaSubkeyR(15) = subr(14) ^ tr;
637 CamelliaSubkeyL(16) = subl(16);
638 CamelliaSubkeyR(16) = subr(16);
639 CamelliaSubkeyL(17) = subl(17);
640 CamelliaSubkeyR(17) = subr(17);
641 tl = subl(15) ^ (subr(15) & ~subr(17));
642 dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
643 CamelliaSubkeyL(18) = tl ^ subl(19);
644 CamelliaSubkeyR(18) = tr ^ subr(19);
645 CamelliaSubkeyL(19) = subl(18) ^ subl(20);
646 CamelliaSubkeyR(19) = subr(18) ^ subr(20);
647 CamelliaSubkeyL(20) = subl(19) ^ subl(21);
648 CamelliaSubkeyR(20) = subr(19) ^ subr(21);
649 CamelliaSubkeyL(21) = subl(20) ^ subl(22);
650 CamelliaSubkeyR(21) = subr(20) ^ subr(22);
651 CamelliaSubkeyL(22) = subl(21) ^ subl(23);
652 CamelliaSubkeyR(22) = subr(21) ^ subr(23);
653 CamelliaSubkeyL(23) = subl(22);
654 CamelliaSubkeyR(23) = subr(22);
655 CamelliaSubkeyL(24) = subl(24) ^ subl(23);
656 CamelliaSubkeyR(24) = subr(24) ^ subr(23);
657
658 /* apply the inverse of the last half of P-function */
659 dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw);
660 CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw;
661 dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw);
662 CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw;
663 dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw);
664 CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw;
665 dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw);
666 CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw;
667 dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw);
668 CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw;
669 dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw);
670 CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw;
671 dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw);
672 CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw;
673 dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw);
674 CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw;
675 dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw);
676 CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw;
677 dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw);
678 CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw;
679 dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw);
680 CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw;
681 dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw);
682 CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw;
683 dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw);
684 CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw;
685 dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw);
686 CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw;
687 dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw);
688 CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw;
689 dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw);
690 CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw;
691 dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw);
692 CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw;
693 dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw);
694 CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw;
695
696 return;
697 }
698
699 void
camellia_setup256(const unsigned char * key,PRUint32 * subkey)700 camellia_setup256(const unsigned char *key, PRUint32 *subkey)
701 {
702 PRUint32 kll, klr, krl, krr; /* left half of key */
703 PRUint32 krll, krlr, krrl, krrr; /* right half of key */
704 PRUint32 il, ir, t0, t1, w0, w1; /* temporary variables */
705 PRUint32 kw4l, kw4r, dw, tl, tr;
706 PRUint32 subL[34];
707 PRUint32 subR[34];
708 #if defined(CAMELLIA_NEED_TMP_VARIABLE)
709 PRUint32 tmp;
710 #endif
711
712 /**
713 * key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
714 * (|| is concatination)
715 */
716
717 kll = GETU32(key);
718 klr = GETU32(key + 4);
719 krl = GETU32(key + 8);
720 krr = GETU32(key + 12);
721 krll = GETU32(key + 16);
722 krlr = GETU32(key + 20);
723 krrl = GETU32(key + 24);
724 krrr = GETU32(key + 28);
725
726 /* generate KL dependent subkeys */
727 subl(0) = kll;
728 subr(0) = klr;
729 subl(1) = krl;
730 subr(1) = krr;
731 CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
732 subl(12) = kll;
733 subr(12) = klr;
734 subl(13) = krl;
735 subr(13) = krr;
736 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
737 subl(16) = kll;
738 subr(16) = klr;
739 subl(17) = krl;
740 subr(17) = krr;
741 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
742 subl(22) = kll;
743 subr(22) = klr;
744 subl(23) = krl;
745 subr(23) = krr;
746 CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
747 subl(30) = kll;
748 subr(30) = klr;
749 subl(31) = krl;
750 subr(31) = krr;
751
752 /* generate KR dependent subkeys */
753 CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
754 subl(4) = krll;
755 subr(4) = krlr;
756 subl(5) = krrl;
757 subr(5) = krrr;
758 CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
759 subl(8) = krll;
760 subr(8) = krlr;
761 subl(9) = krrl;
762 subr(9) = krrr;
763 CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
764 subl(18) = krll;
765 subr(18) = krlr;
766 subl(19) = krrl;
767 subr(19) = krrr;
768 CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
769 subl(26) = krll;
770 subr(26) = krlr;
771 subl(27) = krrl;
772 subr(27) = krrr;
773 CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
774
775 /* generate KA */
776 kll = subl(0) ^ krll;
777 klr = subr(0) ^ krlr;
778 krl = subl(1) ^ krrl;
779 krr = subr(1) ^ krrr;
780 CAMELLIA_F(kll, klr,
781 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
782 w0, w1, il, ir, t0, t1);
783 krl ^= w0;
784 krr ^= w1;
785 CAMELLIA_F(krl, krr,
786 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
787 kll, klr, il, ir, t0, t1);
788 kll ^= krll;
789 klr ^= krlr;
790 CAMELLIA_F(kll, klr,
791 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
792 krl, krr, il, ir, t0, t1);
793 krl ^= w0 ^ krrl;
794 krr ^= w1 ^ krrr;
795 CAMELLIA_F(krl, krr,
796 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
797 w0, w1, il, ir, t0, t1);
798 kll ^= w0;
799 klr ^= w1;
800
801 /* generate KB */
802 krll ^= kll;
803 krlr ^= klr;
804 krrl ^= krl;
805 krrr ^= krr;
806 CAMELLIA_F(krll, krlr,
807 CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
808 w0, w1, il, ir, t0, t1);
809 krrl ^= w0;
810 krrr ^= w1;
811 CAMELLIA_F(krrl, krrr,
812 CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
813 w0, w1, il, ir, t0, t1);
814 krll ^= w0;
815 krlr ^= w1;
816
817 /* generate KA dependent subkeys */
818 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
819 subl(6) = kll;
820 subr(6) = klr;
821 subl(7) = krl;
822 subr(7) = krr;
823 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
824 subl(14) = kll;
825 subr(14) = klr;
826 subl(15) = krl;
827 subr(15) = krr;
828 subl(24) = klr;
829 subr(24) = krl;
830 subl(25) = krr;
831 subr(25) = kll;
832 CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
833 subl(28) = kll;
834 subr(28) = klr;
835 subl(29) = krl;
836 subr(29) = krr;
837
838 /* generate KB dependent subkeys */
839 subl(2) = krll;
840 subr(2) = krlr;
841 subl(3) = krrl;
842 subr(3) = krrr;
843 CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
844 subl(10) = krll;
845 subr(10) = krlr;
846 subl(11) = krrl;
847 subr(11) = krrr;
848 CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
849 subl(20) = krll;
850 subr(20) = krlr;
851 subl(21) = krrl;
852 subr(21) = krrr;
853 CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
854 subl(32) = krll;
855 subr(32) = krlr;
856 subl(33) = krrl;
857 subr(33) = krrr;
858
859 /* absorb kw2 to other subkeys */
860 subl(3) ^= subl(1);
861 subr(3) ^= subr(1);
862 subl(5) ^= subl(1);
863 subr(5) ^= subr(1);
864 subl(7) ^= subl(1);
865 subr(7) ^= subr(1);
866 subl(1) ^= subr(1) & ~subr(9);
867 dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
868 subl(11) ^= subl(1);
869 subr(11) ^= subr(1);
870 subl(13) ^= subl(1);
871 subr(13) ^= subr(1);
872 subl(15) ^= subl(1);
873 subr(15) ^= subr(1);
874 subl(1) ^= subr(1) & ~subr(17);
875 dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
876 subl(19) ^= subl(1);
877 subr(19) ^= subr(1);
878 subl(21) ^= subl(1);
879 subr(21) ^= subr(1);
880 subl(23) ^= subl(1);
881 subr(23) ^= subr(1);
882 subl(1) ^= subr(1) & ~subr(25);
883 dw = subl(1) & subl(25), subr(1) ^= CAMELLIA_RL1(dw);
884 subl(27) ^= subl(1);
885 subr(27) ^= subr(1);
886 subl(29) ^= subl(1);
887 subr(29) ^= subr(1);
888 subl(31) ^= subl(1);
889 subr(31) ^= subr(1);
890 subl(32) ^= subl(1);
891 subr(32) ^= subr(1);
892
893 /* absorb kw4 to other subkeys */
894 kw4l = subl(33);
895 kw4r = subr(33);
896 subl(30) ^= kw4l;
897 subr(30) ^= kw4r;
898 subl(28) ^= kw4l;
899 subr(28) ^= kw4r;
900 subl(26) ^= kw4l;
901 subr(26) ^= kw4r;
902 kw4l ^= kw4r & ~subr(24);
903 dw = kw4l & subl(24), kw4r ^= CAMELLIA_RL1(dw);
904 subl(22) ^= kw4l;
905 subr(22) ^= kw4r;
906 subl(20) ^= kw4l;
907 subr(20) ^= kw4r;
908 subl(18) ^= kw4l;
909 subr(18) ^= kw4r;
910 kw4l ^= kw4r & ~subr(16);
911 dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
912 subl(14) ^= kw4l;
913 subr(14) ^= kw4r;
914 subl(12) ^= kw4l;
915 subr(12) ^= kw4r;
916 subl(10) ^= kw4l;
917 subr(10) ^= kw4r;
918 kw4l ^= kw4r & ~subr(8);
919 dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
920 subl(6) ^= kw4l;
921 subr(6) ^= kw4r;
922 subl(4) ^= kw4l;
923 subr(4) ^= kw4r;
924 subl(2) ^= kw4l;
925 subr(2) ^= kw4r;
926 subl(0) ^= kw4l;
927 subr(0) ^= kw4r;
928
929 /* key XOR is end of F-function */
930 CamelliaSubkeyL(0) = subl(0) ^ subl(2);
931 CamelliaSubkeyR(0) = subr(0) ^ subr(2);
932 CamelliaSubkeyL(2) = subl(3);
933 CamelliaSubkeyR(2) = subr(3);
934 CamelliaSubkeyL(3) = subl(2) ^ subl(4);
935 CamelliaSubkeyR(3) = subr(2) ^ subr(4);
936 CamelliaSubkeyL(4) = subl(3) ^ subl(5);
937 CamelliaSubkeyR(4) = subr(3) ^ subr(5);
938 CamelliaSubkeyL(5) = subl(4) ^ subl(6);
939 CamelliaSubkeyR(5) = subr(4) ^ subr(6);
940 CamelliaSubkeyL(6) = subl(5) ^ subl(7);
941 CamelliaSubkeyR(6) = subr(5) ^ subr(7);
942 tl = subl(10) ^ (subr(10) & ~subr(8));
943 dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
944 CamelliaSubkeyL(7) = subl(6) ^ tl;
945 CamelliaSubkeyR(7) = subr(6) ^ tr;
946 CamelliaSubkeyL(8) = subl(8);
947 CamelliaSubkeyR(8) = subr(8);
948 CamelliaSubkeyL(9) = subl(9);
949 CamelliaSubkeyR(9) = subr(9);
950 tl = subl(7) ^ (subr(7) & ~subr(9));
951 dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
952 CamelliaSubkeyL(10) = tl ^ subl(11);
953 CamelliaSubkeyR(10) = tr ^ subr(11);
954 CamelliaSubkeyL(11) = subl(10) ^ subl(12);
955 CamelliaSubkeyR(11) = subr(10) ^ subr(12);
956 CamelliaSubkeyL(12) = subl(11) ^ subl(13);
957 CamelliaSubkeyR(12) = subr(11) ^ subr(13);
958 CamelliaSubkeyL(13) = subl(12) ^ subl(14);
959 CamelliaSubkeyR(13) = subr(12) ^ subr(14);
960 CamelliaSubkeyL(14) = subl(13) ^ subl(15);
961 CamelliaSubkeyR(14) = subr(13) ^ subr(15);
962 tl = subl(18) ^ (subr(18) & ~subr(16));
963 dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
964 CamelliaSubkeyL(15) = subl(14) ^ tl;
965 CamelliaSubkeyR(15) = subr(14) ^ tr;
966 CamelliaSubkeyL(16) = subl(16);
967 CamelliaSubkeyR(16) = subr(16);
968 CamelliaSubkeyL(17) = subl(17);
969 CamelliaSubkeyR(17) = subr(17);
970 tl = subl(15) ^ (subr(15) & ~subr(17));
971 dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
972 CamelliaSubkeyL(18) = tl ^ subl(19);
973 CamelliaSubkeyR(18) = tr ^ subr(19);
974 CamelliaSubkeyL(19) = subl(18) ^ subl(20);
975 CamelliaSubkeyR(19) = subr(18) ^ subr(20);
976 CamelliaSubkeyL(20) = subl(19) ^ subl(21);
977 CamelliaSubkeyR(20) = subr(19) ^ subr(21);
978 CamelliaSubkeyL(21) = subl(20) ^ subl(22);
979 CamelliaSubkeyR(21) = subr(20) ^ subr(22);
980 CamelliaSubkeyL(22) = subl(21) ^ subl(23);
981 CamelliaSubkeyR(22) = subr(21) ^ subr(23);
982 tl = subl(26) ^ (subr(26) & ~subr(24));
983 dw = tl & subl(24), tr = subr(26) ^ CAMELLIA_RL1(dw);
984 CamelliaSubkeyL(23) = subl(22) ^ tl;
985 CamelliaSubkeyR(23) = subr(22) ^ tr;
986 CamelliaSubkeyL(24) = subl(24);
987 CamelliaSubkeyR(24) = subr(24);
988 CamelliaSubkeyL(25) = subl(25);
989 CamelliaSubkeyR(25) = subr(25);
990 tl = subl(23) ^ (subr(23) & ~subr(25));
991 dw = tl & subl(25), tr = subr(23) ^ CAMELLIA_RL1(dw);
992 CamelliaSubkeyL(26) = tl ^ subl(27);
993 CamelliaSubkeyR(26) = tr ^ subr(27);
994 CamelliaSubkeyL(27) = subl(26) ^ subl(28);
995 CamelliaSubkeyR(27) = subr(26) ^ subr(28);
996 CamelliaSubkeyL(28) = subl(27) ^ subl(29);
997 CamelliaSubkeyR(28) = subr(27) ^ subr(29);
998 CamelliaSubkeyL(29) = subl(28) ^ subl(30);
999 CamelliaSubkeyR(29) = subr(28) ^ subr(30);
1000 CamelliaSubkeyL(30) = subl(29) ^ subl(31);
1001 CamelliaSubkeyR(30) = subr(29) ^ subr(31);
1002 CamelliaSubkeyL(31) = subl(30);
1003 CamelliaSubkeyR(31) = subr(30);
1004 CamelliaSubkeyL(32) = subl(32) ^ subl(31);
1005 CamelliaSubkeyR(32) = subr(32) ^ subr(31);
1006
1007 /* apply the inverse of the last half of P-function */
1008 dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw);
1009 CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw;
1010 dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw);
1011 CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw;
1012 dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw);
1013 CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw;
1014 dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw);
1015 CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw;
1016 dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw);
1017 CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw;
1018 dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw);
1019 CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw;
1020 dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw);
1021 CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw;
1022 dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw);
1023 CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw;
1024 dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw);
1025 CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw;
1026 dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw);
1027 CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw;
1028 dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw);
1029 CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw;
1030 dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw);
1031 CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw;
1032 dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw);
1033 CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw;
1034 dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw);
1035 CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw;
1036 dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw);
1037 CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw;
1038 dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw);
1039 CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw;
1040 dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw);
1041 CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw;
1042 dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw);
1043 CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw;
1044 dw = CamelliaSubkeyL(26) ^ CamelliaSubkeyR(26), dw = CAMELLIA_RL8(dw);
1045 CamelliaSubkeyR(26) = CamelliaSubkeyL(26) ^ dw, CamelliaSubkeyL(26) = dw;
1046 dw = CamelliaSubkeyL(27) ^ CamelliaSubkeyR(27), dw = CAMELLIA_RL8(dw);
1047 CamelliaSubkeyR(27) = CamelliaSubkeyL(27) ^ dw, CamelliaSubkeyL(27) = dw;
1048 dw = CamelliaSubkeyL(28) ^ CamelliaSubkeyR(28), dw = CAMELLIA_RL8(dw);
1049 CamelliaSubkeyR(28) = CamelliaSubkeyL(28) ^ dw, CamelliaSubkeyL(28) = dw;
1050 dw = CamelliaSubkeyL(29) ^ CamelliaSubkeyR(29), dw = CAMELLIA_RL8(dw);
1051 CamelliaSubkeyR(29) = CamelliaSubkeyL(29) ^ dw, CamelliaSubkeyL(29) = dw;
1052 dw = CamelliaSubkeyL(30) ^ CamelliaSubkeyR(30), dw = CAMELLIA_RL8(dw);
1053 CamelliaSubkeyR(30) = CamelliaSubkeyL(30) ^ dw, CamelliaSubkeyL(30) = dw;
1054 dw = CamelliaSubkeyL(31) ^ CamelliaSubkeyR(31), dw = CAMELLIA_RL8(dw);
1055 CamelliaSubkeyR(31) = CamelliaSubkeyL(31) ^ dw, CamelliaSubkeyL(31) = dw;
1056
1057 return;
1058 }
1059
1060 void
camellia_setup192(const unsigned char * key,PRUint32 * subkey)1061 camellia_setup192(const unsigned char *key, PRUint32 *subkey)
1062 {
1063 unsigned char kk[32];
1064 PRUint32 krll, krlr, krrl, krrr;
1065
1066 memcpy(kk, key, 24);
1067 memcpy((unsigned char *)&krll, key + 16, 4);
1068 memcpy((unsigned char *)&krlr, key + 20, 4);
1069 krrl = ~krll;
1070 krrr = ~krlr;
1071 memcpy(kk + 24, (unsigned char *)&krrl, 4);
1072 memcpy(kk + 28, (unsigned char *)&krrr, 4);
1073 camellia_setup256(kk, subkey);
1074 return;
1075 }
1076
1077 /**
1078 * Stuff related to camellia encryption/decryption
1079 *
1080 */
1081 SECStatus NO_SANITIZE_ALIGNMENT
camellia_encrypt128(const PRUint32 * subkey,unsigned char * output,const unsigned char * input)1082 camellia_encrypt128(const PRUint32 *subkey,
1083 unsigned char *output,
1084 const unsigned char *input)
1085 {
1086 PRUint32 il, ir, t0, t1;
1087 PRUint32 io[4];
1088 #if defined(CAMELLIA_NEED_TMP_VARIABLE)
1089 PRUint32 tmp;
1090 #endif
1091
1092 io[0] = GETU32(input);
1093 io[1] = GETU32(input + 4);
1094 io[2] = GETU32(input + 8);
1095 io[3] = GETU32(input + 12);
1096
1097 /* pre whitening but absorb kw2*/
1098 io[0] ^= CamelliaSubkeyL(0);
1099 io[1] ^= CamelliaSubkeyR(0);
1100 /* main iteration */
1101
1102 CAMELLIA_ROUNDSM(io[0], io[1],
1103 CamelliaSubkeyL(2), CamelliaSubkeyR(2),
1104 io[2], io[3], il, ir, t0, t1);
1105 CAMELLIA_ROUNDSM(io[2], io[3],
1106 CamelliaSubkeyL(3), CamelliaSubkeyR(3),
1107 io[0], io[1], il, ir, t0, t1);
1108 CAMELLIA_ROUNDSM(io[0], io[1],
1109 CamelliaSubkeyL(4), CamelliaSubkeyR(4),
1110 io[2], io[3], il, ir, t0, t1);
1111 CAMELLIA_ROUNDSM(io[2], io[3],
1112 CamelliaSubkeyL(5), CamelliaSubkeyR(5),
1113 io[0], io[1], il, ir, t0, t1);
1114 CAMELLIA_ROUNDSM(io[0], io[1],
1115 CamelliaSubkeyL(6), CamelliaSubkeyR(6),
1116 io[2], io[3], il, ir, t0, t1);
1117 CAMELLIA_ROUNDSM(io[2], io[3],
1118 CamelliaSubkeyL(7), CamelliaSubkeyR(7),
1119 io[0], io[1], il, ir, t0, t1);
1120
1121 CAMELLIA_FLS(io[0], io[1], io[2], io[3],
1122 CamelliaSubkeyL(8), CamelliaSubkeyR(8),
1123 CamelliaSubkeyL(9), CamelliaSubkeyR(9),
1124 t0, t1, il, ir);
1125
1126 CAMELLIA_ROUNDSM(io[0], io[1],
1127 CamelliaSubkeyL(10), CamelliaSubkeyR(10),
1128 io[2], io[3], il, ir, t0, t1);
1129 CAMELLIA_ROUNDSM(io[2], io[3],
1130 CamelliaSubkeyL(11), CamelliaSubkeyR(11),
1131 io[0], io[1], il, ir, t0, t1);
1132 CAMELLIA_ROUNDSM(io[0], io[1],
1133 CamelliaSubkeyL(12), CamelliaSubkeyR(12),
1134 io[2], io[3], il, ir, t0, t1);
1135 CAMELLIA_ROUNDSM(io[2], io[3],
1136 CamelliaSubkeyL(13), CamelliaSubkeyR(13),
1137 io[0], io[1], il, ir, t0, t1);
1138 CAMELLIA_ROUNDSM(io[0], io[1],
1139 CamelliaSubkeyL(14), CamelliaSubkeyR(14),
1140 io[2], io[3], il, ir, t0, t1);
1141 CAMELLIA_ROUNDSM(io[2], io[3],
1142 CamelliaSubkeyL(15), CamelliaSubkeyR(15),
1143 io[0], io[1], il, ir, t0, t1);
1144
1145 CAMELLIA_FLS(io[0], io[1], io[2], io[3],
1146 CamelliaSubkeyL(16), CamelliaSubkeyR(16),
1147 CamelliaSubkeyL(17), CamelliaSubkeyR(17),
1148 t0, t1, il, ir);
1149
1150 CAMELLIA_ROUNDSM(io[0], io[1],
1151 CamelliaSubkeyL(18), CamelliaSubkeyR(18),
1152 io[2], io[3], il, ir, t0, t1);
1153 CAMELLIA_ROUNDSM(io[2], io[3],
1154 CamelliaSubkeyL(19), CamelliaSubkeyR(19),
1155 io[0], io[1], il, ir, t0, t1);
1156 CAMELLIA_ROUNDSM(io[0], io[1],
1157 CamelliaSubkeyL(20), CamelliaSubkeyR(20),
1158 io[2], io[3], il, ir, t0, t1);
1159 CAMELLIA_ROUNDSM(io[2], io[3],
1160 CamelliaSubkeyL(21), CamelliaSubkeyR(21),
1161 io[0], io[1], il, ir, t0, t1);
1162 CAMELLIA_ROUNDSM(io[0], io[1],
1163 CamelliaSubkeyL(22), CamelliaSubkeyR(22),
1164 io[2], io[3], il, ir, t0, t1);
1165 CAMELLIA_ROUNDSM(io[2], io[3],
1166 CamelliaSubkeyL(23), CamelliaSubkeyR(23),
1167 io[0], io[1], il, ir, t0, t1);
1168
1169 /* post whitening but kw4 */
1170 io[2] ^= CamelliaSubkeyL(24);
1171 io[3] ^= CamelliaSubkeyR(24);
1172
1173 t0 = io[0];
1174 t1 = io[1];
1175 io[0] = io[2];
1176 io[1] = io[3];
1177 io[2] = t0;
1178 io[3] = t1;
1179
1180 PUTU32(output, io[0]);
1181 PUTU32(output + 4, io[1]);
1182 PUTU32(output + 8, io[2]);
1183 PUTU32(output + 12, io[3]);
1184
1185 return SECSuccess;
1186 }
1187
1188 SECStatus NO_SANITIZE_ALIGNMENT
camellia_decrypt128(const PRUint32 * subkey,unsigned char * output,const unsigned char * input)1189 camellia_decrypt128(const PRUint32 *subkey,
1190 unsigned char *output,
1191 const unsigned char *input)
1192 {
1193 PRUint32 il, ir, t0, t1; /* temporary valiables */
1194 PRUint32 io[4];
1195 #if defined(CAMELLIA_NEED_TMP_VARIABLE)
1196 PRUint32 tmp;
1197 #endif
1198
1199 io[0] = GETU32(input);
1200 io[1] = GETU32(input + 4);
1201 io[2] = GETU32(input + 8);
1202 io[3] = GETU32(input + 12);
1203
1204 /* pre whitening but absorb kw2*/
1205 io[0] ^= CamelliaSubkeyL(24);
1206 io[1] ^= CamelliaSubkeyR(24);
1207
1208 /* main iteration */
1209 CAMELLIA_ROUNDSM(io[0], io[1],
1210 CamelliaSubkeyL(23), CamelliaSubkeyR(23),
1211 io[2], io[3], il, ir, t0, t1);
1212 CAMELLIA_ROUNDSM(io[2], io[3],
1213 CamelliaSubkeyL(22), CamelliaSubkeyR(22),
1214 io[0], io[1], il, ir, t0, t1);
1215 CAMELLIA_ROUNDSM(io[0], io[1],
1216 CamelliaSubkeyL(21), CamelliaSubkeyR(21),
1217 io[2], io[3], il, ir, t0, t1);
1218 CAMELLIA_ROUNDSM(io[2], io[3],
1219 CamelliaSubkeyL(20), CamelliaSubkeyR(20),
1220 io[0], io[1], il, ir, t0, t1);
1221 CAMELLIA_ROUNDSM(io[0], io[1],
1222 CamelliaSubkeyL(19), CamelliaSubkeyR(19),
1223 io[2], io[3], il, ir, t0, t1);
1224 CAMELLIA_ROUNDSM(io[2], io[3],
1225 CamelliaSubkeyL(18), CamelliaSubkeyR(18),
1226 io[0], io[1], il, ir, t0, t1);
1227
1228 CAMELLIA_FLS(io[0], io[1], io[2], io[3],
1229 CamelliaSubkeyL(17), CamelliaSubkeyR(17),
1230 CamelliaSubkeyL(16), CamelliaSubkeyR(16),
1231 t0, t1, il, ir);
1232
1233 CAMELLIA_ROUNDSM(io[0], io[1],
1234 CamelliaSubkeyL(15), CamelliaSubkeyR(15),
1235 io[2], io[3], il, ir, t0, t1);
1236 CAMELLIA_ROUNDSM(io[2], io[3],
1237 CamelliaSubkeyL(14), CamelliaSubkeyR(14),
1238 io[0], io[1], il, ir, t0, t1);
1239 CAMELLIA_ROUNDSM(io[0], io[1],
1240 CamelliaSubkeyL(13), CamelliaSubkeyR(13),
1241 io[2], io[3], il, ir, t0, t1);
1242 CAMELLIA_ROUNDSM(io[2], io[3],
1243 CamelliaSubkeyL(12), CamelliaSubkeyR(12),
1244 io[0], io[1], il, ir, t0, t1);
1245 CAMELLIA_ROUNDSM(io[0], io[1],
1246 CamelliaSubkeyL(11), CamelliaSubkeyR(11),
1247 io[2], io[3], il, ir, t0, t1);
1248 CAMELLIA_ROUNDSM(io[2], io[3],
1249 CamelliaSubkeyL(10), CamelliaSubkeyR(10),
1250 io[0], io[1], il, ir, t0, t1);
1251
1252 CAMELLIA_FLS(io[0], io[1], io[2], io[3],
1253 CamelliaSubkeyL(9), CamelliaSubkeyR(9),
1254 CamelliaSubkeyL(8), CamelliaSubkeyR(8),
1255 t0, t1, il, ir);
1256
1257 CAMELLIA_ROUNDSM(io[0], io[1],
1258 CamelliaSubkeyL(7), CamelliaSubkeyR(7),
1259 io[2], io[3], il, ir, t0, t1);
1260 CAMELLIA_ROUNDSM(io[2], io[3],
1261 CamelliaSubkeyL(6), CamelliaSubkeyR(6),
1262 io[0], io[1], il, ir, t0, t1);
1263 CAMELLIA_ROUNDSM(io[0], io[1],
1264 CamelliaSubkeyL(5), CamelliaSubkeyR(5),
1265 io[2], io[3], il, ir, t0, t1);
1266 CAMELLIA_ROUNDSM(io[2], io[3],
1267 CamelliaSubkeyL(4), CamelliaSubkeyR(4),
1268 io[0], io[1], il, ir, t0, t1);
1269 CAMELLIA_ROUNDSM(io[0], io[1],
1270 CamelliaSubkeyL(3), CamelliaSubkeyR(3),
1271 io[2], io[3], il, ir, t0, t1);
1272 CAMELLIA_ROUNDSM(io[2], io[3],
1273 CamelliaSubkeyL(2), CamelliaSubkeyR(2),
1274 io[0], io[1], il, ir, t0, t1);
1275
1276 /* post whitening but kw4 */
1277 io[2] ^= CamelliaSubkeyL(0);
1278 io[3] ^= CamelliaSubkeyR(0);
1279
1280 t0 = io[0];
1281 t1 = io[1];
1282 io[0] = io[2];
1283 io[1] = io[3];
1284 io[2] = t0;
1285 io[3] = t1;
1286
1287 PUTU32(output, io[0]);
1288 PUTU32(output + 4, io[1]);
1289 PUTU32(output + 8, io[2]);
1290 PUTU32(output + 12, io[3]);
1291
1292 return SECSuccess;
1293 }
1294
1295 /**
1296 * stuff for 192 and 256bit encryption/decryption
1297 */
1298 SECStatus NO_SANITIZE_ALIGNMENT
camellia_encrypt256(const PRUint32 * subkey,unsigned char * output,const unsigned char * input)1299 camellia_encrypt256(const PRUint32 *subkey,
1300 unsigned char *output,
1301 const unsigned char *input)
1302 {
1303 PRUint32 il, ir, t0, t1; /* temporary valiables */
1304 PRUint32 io[4];
1305 #if defined(CAMELLIA_NEED_TMP_VARIABLE)
1306 PRUint32 tmp;
1307 #endif
1308
1309 io[0] = GETU32(input);
1310 io[1] = GETU32(input + 4);
1311 io[2] = GETU32(input + 8);
1312 io[3] = GETU32(input + 12);
1313
1314 /* pre whitening but absorb kw2*/
1315 io[0] ^= CamelliaSubkeyL(0);
1316 io[1] ^= CamelliaSubkeyR(0);
1317
1318 /* main iteration */
1319 CAMELLIA_ROUNDSM(io[0], io[1],
1320 CamelliaSubkeyL(2), CamelliaSubkeyR(2),
1321 io[2], io[3], il, ir, t0, t1);
1322 CAMELLIA_ROUNDSM(io[2], io[3],
1323 CamelliaSubkeyL(3), CamelliaSubkeyR(3),
1324 io[0], io[1], il, ir, t0, t1);
1325 CAMELLIA_ROUNDSM(io[0], io[1],
1326 CamelliaSubkeyL(4), CamelliaSubkeyR(4),
1327 io[2], io[3], il, ir, t0, t1);
1328 CAMELLIA_ROUNDSM(io[2], io[3],
1329 CamelliaSubkeyL(5), CamelliaSubkeyR(5),
1330 io[0], io[1], il, ir, t0, t1);
1331 CAMELLIA_ROUNDSM(io[0], io[1],
1332 CamelliaSubkeyL(6), CamelliaSubkeyR(6),
1333 io[2], io[3], il, ir, t0, t1);
1334 CAMELLIA_ROUNDSM(io[2], io[3],
1335 CamelliaSubkeyL(7), CamelliaSubkeyR(7),
1336 io[0], io[1], il, ir, t0, t1);
1337
1338 CAMELLIA_FLS(io[0], io[1], io[2], io[3],
1339 CamelliaSubkeyL(8), CamelliaSubkeyR(8),
1340 CamelliaSubkeyL(9), CamelliaSubkeyR(9),
1341 t0, t1, il, ir);
1342
1343 CAMELLIA_ROUNDSM(io[0], io[1],
1344 CamelliaSubkeyL(10), CamelliaSubkeyR(10),
1345 io[2], io[3], il, ir, t0, t1);
1346 CAMELLIA_ROUNDSM(io[2], io[3],
1347 CamelliaSubkeyL(11), CamelliaSubkeyR(11),
1348 io[0], io[1], il, ir, t0, t1);
1349 CAMELLIA_ROUNDSM(io[0], io[1],
1350 CamelliaSubkeyL(12), CamelliaSubkeyR(12),
1351 io[2], io[3], il, ir, t0, t1);
1352 CAMELLIA_ROUNDSM(io[2], io[3],
1353 CamelliaSubkeyL(13), CamelliaSubkeyR(13),
1354 io[0], io[1], il, ir, t0, t1);
1355 CAMELLIA_ROUNDSM(io[0], io[1],
1356 CamelliaSubkeyL(14), CamelliaSubkeyR(14),
1357 io[2], io[3], il, ir, t0, t1);
1358 CAMELLIA_ROUNDSM(io[2], io[3],
1359 CamelliaSubkeyL(15), CamelliaSubkeyR(15),
1360 io[0], io[1], il, ir, t0, t1);
1361
1362 CAMELLIA_FLS(io[0], io[1], io[2], io[3],
1363 CamelliaSubkeyL(16), CamelliaSubkeyR(16),
1364 CamelliaSubkeyL(17), CamelliaSubkeyR(17),
1365 t0, t1, il, ir);
1366
1367 CAMELLIA_ROUNDSM(io[0], io[1],
1368 CamelliaSubkeyL(18), CamelliaSubkeyR(18),
1369 io[2], io[3], il, ir, t0, t1);
1370 CAMELLIA_ROUNDSM(io[2], io[3],
1371 CamelliaSubkeyL(19), CamelliaSubkeyR(19),
1372 io[0], io[1], il, ir, t0, t1);
1373 CAMELLIA_ROUNDSM(io[0], io[1],
1374 CamelliaSubkeyL(20), CamelliaSubkeyR(20),
1375 io[2], io[3], il, ir, t0, t1);
1376 CAMELLIA_ROUNDSM(io[2], io[3],
1377 CamelliaSubkeyL(21), CamelliaSubkeyR(21),
1378 io[0], io[1], il, ir, t0, t1);
1379 CAMELLIA_ROUNDSM(io[0], io[1],
1380 CamelliaSubkeyL(22), CamelliaSubkeyR(22),
1381 io[2], io[3], il, ir, t0, t1);
1382 CAMELLIA_ROUNDSM(io[2], io[3],
1383 CamelliaSubkeyL(23), CamelliaSubkeyR(23),
1384 io[0], io[1], il, ir, t0, t1);
1385
1386 CAMELLIA_FLS(io[0], io[1], io[2], io[3],
1387 CamelliaSubkeyL(24), CamelliaSubkeyR(24),
1388 CamelliaSubkeyL(25), CamelliaSubkeyR(25),
1389 t0, t1, il, ir);
1390
1391 CAMELLIA_ROUNDSM(io[0], io[1],
1392 CamelliaSubkeyL(26), CamelliaSubkeyR(26),
1393 io[2], io[3], il, ir, t0, t1);
1394 CAMELLIA_ROUNDSM(io[2], io[3],
1395 CamelliaSubkeyL(27), CamelliaSubkeyR(27),
1396 io[0], io[1], il, ir, t0, t1);
1397 CAMELLIA_ROUNDSM(io[0], io[1],
1398 CamelliaSubkeyL(28), CamelliaSubkeyR(28),
1399 io[2], io[3], il, ir, t0, t1);
1400 CAMELLIA_ROUNDSM(io[2], io[3],
1401 CamelliaSubkeyL(29), CamelliaSubkeyR(29),
1402 io[0], io[1], il, ir, t0, t1);
1403 CAMELLIA_ROUNDSM(io[0], io[1],
1404 CamelliaSubkeyL(30), CamelliaSubkeyR(30),
1405 io[2], io[3], il, ir, t0, t1);
1406 CAMELLIA_ROUNDSM(io[2], io[3],
1407 CamelliaSubkeyL(31), CamelliaSubkeyR(31),
1408 io[0], io[1], il, ir, t0, t1);
1409
1410 /* post whitening but kw4 */
1411 io[2] ^= CamelliaSubkeyL(32);
1412 io[3] ^= CamelliaSubkeyR(32);
1413
1414 t0 = io[0];
1415 t1 = io[1];
1416 io[0] = io[2];
1417 io[1] = io[3];
1418 io[2] = t0;
1419 io[3] = t1;
1420
1421 PUTU32(output, io[0]);
1422 PUTU32(output + 4, io[1]);
1423 PUTU32(output + 8, io[2]);
1424 PUTU32(output + 12, io[3]);
1425
1426 return SECSuccess;
1427 }
1428
1429 SECStatus NO_SANITIZE_ALIGNMENT
camellia_decrypt256(const PRUint32 * subkey,unsigned char * output,const unsigned char * input)1430 camellia_decrypt256(const PRUint32 *subkey,
1431 unsigned char *output,
1432 const unsigned char *input)
1433 {
1434 PRUint32 il, ir, t0, t1; /* temporary valiables */
1435 PRUint32 io[4];
1436 #if defined(CAMELLIA_NEED_TMP_VARIABLE)
1437 PRUint32 tmp;
1438 #endif
1439
1440 io[0] = GETU32(input);
1441 io[1] = GETU32(input + 4);
1442 io[2] = GETU32(input + 8);
1443 io[3] = GETU32(input + 12);
1444
1445 /* pre whitening but absorb kw2*/
1446 io[0] ^= CamelliaSubkeyL(32);
1447 io[1] ^= CamelliaSubkeyR(32);
1448
1449 /* main iteration */
1450 CAMELLIA_ROUNDSM(io[0], io[1],
1451 CamelliaSubkeyL(31), CamelliaSubkeyR(31),
1452 io[2], io[3], il, ir, t0, t1);
1453 CAMELLIA_ROUNDSM(io[2], io[3],
1454 CamelliaSubkeyL(30), CamelliaSubkeyR(30),
1455 io[0], io[1], il, ir, t0, t1);
1456 CAMELLIA_ROUNDSM(io[0], io[1],
1457 CamelliaSubkeyL(29), CamelliaSubkeyR(29),
1458 io[2], io[3], il, ir, t0, t1);
1459 CAMELLIA_ROUNDSM(io[2], io[3],
1460 CamelliaSubkeyL(28), CamelliaSubkeyR(28),
1461 io[0], io[1], il, ir, t0, t1);
1462 CAMELLIA_ROUNDSM(io[0], io[1],
1463 CamelliaSubkeyL(27), CamelliaSubkeyR(27),
1464 io[2], io[3], il, ir, t0, t1);
1465 CAMELLIA_ROUNDSM(io[2], io[3],
1466 CamelliaSubkeyL(26), CamelliaSubkeyR(26),
1467 io[0], io[1], il, ir, t0, t1);
1468
1469 CAMELLIA_FLS(io[0], io[1], io[2], io[3],
1470 CamelliaSubkeyL(25), CamelliaSubkeyR(25),
1471 CamelliaSubkeyL(24), CamelliaSubkeyR(24),
1472 t0, t1, il, ir);
1473
1474 CAMELLIA_ROUNDSM(io[0], io[1],
1475 CamelliaSubkeyL(23), CamelliaSubkeyR(23),
1476 io[2], io[3], il, ir, t0, t1);
1477 CAMELLIA_ROUNDSM(io[2], io[3],
1478 CamelliaSubkeyL(22), CamelliaSubkeyR(22),
1479 io[0], io[1], il, ir, t0, t1);
1480 CAMELLIA_ROUNDSM(io[0], io[1],
1481 CamelliaSubkeyL(21), CamelliaSubkeyR(21),
1482 io[2], io[3], il, ir, t0, t1);
1483 CAMELLIA_ROUNDSM(io[2], io[3],
1484 CamelliaSubkeyL(20), CamelliaSubkeyR(20),
1485 io[0], io[1], il, ir, t0, t1);
1486 CAMELLIA_ROUNDSM(io[0], io[1],
1487 CamelliaSubkeyL(19), CamelliaSubkeyR(19),
1488 io[2], io[3], il, ir, t0, t1);
1489 CAMELLIA_ROUNDSM(io[2], io[3],
1490 CamelliaSubkeyL(18), CamelliaSubkeyR(18),
1491 io[0], io[1], il, ir, t0, t1);
1492
1493 CAMELLIA_FLS(io[0], io[1], io[2], io[3],
1494 CamelliaSubkeyL(17), CamelliaSubkeyR(17),
1495 CamelliaSubkeyL(16), CamelliaSubkeyR(16),
1496 t0, t1, il, ir);
1497
1498 CAMELLIA_ROUNDSM(io[0], io[1],
1499 CamelliaSubkeyL(15), CamelliaSubkeyR(15),
1500 io[2], io[3], il, ir, t0, t1);
1501 CAMELLIA_ROUNDSM(io[2], io[3],
1502 CamelliaSubkeyL(14), CamelliaSubkeyR(14),
1503 io[0], io[1], il, ir, t0, t1);
1504 CAMELLIA_ROUNDSM(io[0], io[1],
1505 CamelliaSubkeyL(13), CamelliaSubkeyR(13),
1506 io[2], io[3], il, ir, t0, t1);
1507 CAMELLIA_ROUNDSM(io[2], io[3],
1508 CamelliaSubkeyL(12), CamelliaSubkeyR(12),
1509 io[0], io[1], il, ir, t0, t1);
1510 CAMELLIA_ROUNDSM(io[0], io[1],
1511 CamelliaSubkeyL(11), CamelliaSubkeyR(11),
1512 io[2], io[3], il, ir, t0, t1);
1513 CAMELLIA_ROUNDSM(io[2], io[3],
1514 CamelliaSubkeyL(10), CamelliaSubkeyR(10),
1515 io[0], io[1], il, ir, t0, t1);
1516
1517 CAMELLIA_FLS(io[0], io[1], io[2], io[3],
1518 CamelliaSubkeyL(9), CamelliaSubkeyR(9),
1519 CamelliaSubkeyL(8), CamelliaSubkeyR(8),
1520 t0, t1, il, ir);
1521
1522 CAMELLIA_ROUNDSM(io[0], io[1],
1523 CamelliaSubkeyL(7), CamelliaSubkeyR(7),
1524 io[2], io[3], il, ir, t0, t1);
1525 CAMELLIA_ROUNDSM(io[2], io[3],
1526 CamelliaSubkeyL(6), CamelliaSubkeyR(6),
1527 io[0], io[1], il, ir, t0, t1);
1528 CAMELLIA_ROUNDSM(io[0], io[1],
1529 CamelliaSubkeyL(5), CamelliaSubkeyR(5),
1530 io[2], io[3], il, ir, t0, t1);
1531 CAMELLIA_ROUNDSM(io[2], io[3],
1532 CamelliaSubkeyL(4), CamelliaSubkeyR(4),
1533 io[0], io[1], il, ir, t0, t1);
1534 CAMELLIA_ROUNDSM(io[0], io[1],
1535 CamelliaSubkeyL(3), CamelliaSubkeyR(3),
1536 io[2], io[3], il, ir, t0, t1);
1537 CAMELLIA_ROUNDSM(io[2], io[3],
1538 CamelliaSubkeyL(2), CamelliaSubkeyR(2),
1539 io[0], io[1], il, ir, t0, t1);
1540
1541 /* post whitening but kw4 */
1542 io[2] ^= CamelliaSubkeyL(0);
1543 io[3] ^= CamelliaSubkeyR(0);
1544
1545 t0 = io[0];
1546 t1 = io[1];
1547 io[0] = io[2];
1548 io[1] = io[3];
1549 io[2] = t0;
1550 io[3] = t1;
1551
1552 PUTU32(output, io[0]);
1553 PUTU32(output + 4, io[1]);
1554 PUTU32(output + 8, io[2]);
1555 PUTU32(output + 12, io[3]);
1556
1557 return SECSuccess;
1558 }
1559
1560 /**************************************************************************
1561 *
1562 * Stuff related to the Camellia key schedule
1563 *
1564 *************************************************************************/
1565
1566 SECStatus
camellia_key_expansion(CamelliaContext * cx,const unsigned char * key,const unsigned int keysize)1567 camellia_key_expansion(CamelliaContext *cx,
1568 const unsigned char *key,
1569 const unsigned int keysize)
1570 {
1571 cx->keysize = keysize;
1572
1573 switch (keysize) {
1574 case 16:
1575 camellia_setup128(key, cx->expandedKey);
1576 break;
1577 case 24:
1578 camellia_setup192(key, cx->expandedKey);
1579 break;
1580 case 32:
1581 camellia_setup256(key, cx->expandedKey);
1582 break;
1583 default:
1584 break;
1585 }
1586 return SECSuccess;
1587 }
1588
1589 /**************************************************************************
1590 *
1591 * Camellia modes of operation (ECB and CBC)
1592 *
1593 *************************************************************************/
1594
1595 SECStatus
camellia_encryptECB(CamelliaContext * cx,unsigned char * output,unsigned int * outputLen,unsigned int maxOutputLen,const unsigned char * input,unsigned int inputLen)1596 camellia_encryptECB(CamelliaContext *cx, unsigned char *output,
1597 unsigned int *outputLen, unsigned int maxOutputLen,
1598 const unsigned char *input, unsigned int inputLen)
1599 {
1600 CamelliaBlockFunc *encryptor;
1601
1602 encryptor = (cx->keysize == 16)
1603 ? &camellia_encrypt128
1604 : &camellia_encrypt256;
1605
1606 while (inputLen > 0) {
1607 (*encryptor)(cx->expandedKey, output, input);
1608
1609 output += CAMELLIA_BLOCK_SIZE;
1610 input += CAMELLIA_BLOCK_SIZE;
1611 inputLen -= CAMELLIA_BLOCK_SIZE;
1612 }
1613 return SECSuccess;
1614 }
1615
1616 SECStatus
camellia_encryptCBC(CamelliaContext * cx,unsigned char * output,unsigned int * outputLen,unsigned int maxOutputLen,const unsigned char * input,unsigned int inputLen)1617 camellia_encryptCBC(CamelliaContext *cx, unsigned char *output,
1618 unsigned int *outputLen, unsigned int maxOutputLen,
1619 const unsigned char *input, unsigned int inputLen)
1620 {
1621 unsigned int j;
1622 unsigned char *lastblock;
1623 unsigned char inblock[CAMELLIA_BLOCK_SIZE];
1624 CamelliaBlockFunc *encryptor;
1625
1626 if (!inputLen)
1627 return SECSuccess;
1628 lastblock = cx->iv;
1629
1630 encryptor = (cx->keysize == 16)
1631 ? &camellia_encrypt128
1632 : &camellia_encrypt256;
1633
1634 while (inputLen > 0) {
1635 /* XOR with the last block (IV if first block) */
1636 for (j = 0; j < CAMELLIA_BLOCK_SIZE; ++j)
1637 inblock[j] = input[j] ^ lastblock[j];
1638 /* encrypt */
1639 (*encryptor)(cx->expandedKey, output, inblock);
1640
1641 /* move to the next block */
1642 lastblock = output;
1643 output += CAMELLIA_BLOCK_SIZE;
1644 input += CAMELLIA_BLOCK_SIZE;
1645 inputLen -= CAMELLIA_BLOCK_SIZE;
1646 }
1647 memcpy(cx->iv, lastblock, CAMELLIA_BLOCK_SIZE);
1648 return SECSuccess;
1649 }
1650
1651 SECStatus
camellia_decryptECB(CamelliaContext * cx,unsigned char * output,unsigned int * outputLen,unsigned int maxOutputLen,const unsigned char * input,unsigned int inputLen)1652 camellia_decryptECB(CamelliaContext *cx, unsigned char *output,
1653 unsigned int *outputLen, unsigned int maxOutputLen,
1654 const unsigned char *input, unsigned int inputLen)
1655 {
1656 CamelliaBlockFunc *decryptor;
1657
1658 decryptor = (cx->keysize == 16)
1659 ? &camellia_decrypt128
1660 : &camellia_decrypt256;
1661
1662 while (inputLen > 0) {
1663
1664 (*decryptor)(cx->expandedKey, output, input);
1665
1666 output += CAMELLIA_BLOCK_SIZE;
1667 input += CAMELLIA_BLOCK_SIZE;
1668 inputLen -= CAMELLIA_BLOCK_SIZE;
1669 }
1670 return SECSuccess;
1671 }
1672
1673 SECStatus
camellia_decryptCBC(CamelliaContext * cx,unsigned char * output,unsigned int * outputLen,unsigned int maxOutputLen,const unsigned char * input,unsigned int inputLen)1674 camellia_decryptCBC(CamelliaContext *cx, unsigned char *output,
1675 unsigned int *outputLen, unsigned int maxOutputLen,
1676 const unsigned char *input, unsigned int inputLen)
1677 {
1678 const unsigned char *in;
1679 unsigned char *out;
1680 unsigned int j;
1681 unsigned char newIV[CAMELLIA_BLOCK_SIZE];
1682 CamelliaBlockFunc *decryptor;
1683
1684 if (!inputLen)
1685 return SECSuccess;
1686
1687 PORT_Assert(output - input >= 0 || input - output >= (int)inputLen);
1688
1689 in = input + (inputLen - CAMELLIA_BLOCK_SIZE);
1690 memcpy(newIV, in, CAMELLIA_BLOCK_SIZE);
1691 out = output + (inputLen - CAMELLIA_BLOCK_SIZE);
1692
1693 decryptor = (cx->keysize == 16)
1694 ? &camellia_decrypt128
1695 : &camellia_decrypt256;
1696
1697 while (inputLen > CAMELLIA_BLOCK_SIZE) {
1698 (*decryptor)(cx->expandedKey, out, in);
1699
1700 for (j = 0; j < CAMELLIA_BLOCK_SIZE; ++j)
1701 out[j] ^= in[(int)(j - CAMELLIA_BLOCK_SIZE)];
1702
1703 out -= CAMELLIA_BLOCK_SIZE;
1704 in -= CAMELLIA_BLOCK_SIZE;
1705 inputLen -= CAMELLIA_BLOCK_SIZE;
1706 }
1707 if (in == input) {
1708 (*decryptor)(cx->expandedKey, out, in);
1709
1710 for (j = 0; j < CAMELLIA_BLOCK_SIZE; ++j)
1711 out[j] ^= cx->iv[j];
1712 }
1713 memcpy(cx->iv, newIV, CAMELLIA_BLOCK_SIZE);
1714 return SECSuccess;
1715 }
1716
1717 /**************************************************************************
1718 *
1719 * BLAPI Interface functions
1720 *
1721 *************************************************************************/
1722
1723 CamelliaContext *
Camellia_AllocateContext(void)1724 Camellia_AllocateContext(void)
1725 {
1726 return PORT_ZNew(CamelliaContext);
1727 }
1728
1729 SECStatus
Camellia_InitContext(CamelliaContext * cx,const unsigned char * key,unsigned int keysize,const unsigned char * iv,int mode,unsigned int encrypt,unsigned int unused)1730 Camellia_InitContext(CamelliaContext *cx, const unsigned char *key,
1731 unsigned int keysize,
1732 const unsigned char *iv, int mode, unsigned int encrypt,
1733 unsigned int unused)
1734 {
1735 if (key == NULL ||
1736 (keysize != 16 && keysize != 24 && keysize != 32)) {
1737 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1738 return SECFailure;
1739 }
1740 if (mode != NSS_CAMELLIA && mode != NSS_CAMELLIA_CBC) {
1741 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1742 return SECFailure;
1743 }
1744 if (mode == NSS_CAMELLIA_CBC && iv == NULL) {
1745 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1746 return SECFailure;
1747 }
1748 if (!cx) {
1749 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1750 return SECFailure;
1751 }
1752 if (mode == NSS_CAMELLIA_CBC) {
1753 memcpy(cx->iv, iv, CAMELLIA_BLOCK_SIZE);
1754 cx->worker = (encrypt) ? &camellia_encryptCBC : &camellia_decryptCBC;
1755 } else {
1756 cx->worker = (encrypt) ? &camellia_encryptECB : &camellia_decryptECB;
1757 }
1758
1759 /* Generate expanded key */
1760 if (camellia_key_expansion(cx, key, keysize) != SECSuccess)
1761 goto cleanup;
1762
1763 return SECSuccess;
1764 cleanup:
1765 return SECFailure;
1766 }
1767
1768 /*
1769 * Camellia_CreateContext
1770 * create a new context for Camellia operations
1771 */
1772
1773 CamelliaContext *
Camellia_CreateContext(const unsigned char * key,const unsigned char * iv,int mode,int encrypt,unsigned int keysize)1774 Camellia_CreateContext(const unsigned char *key, const unsigned char *iv,
1775 int mode, int encrypt,
1776 unsigned int keysize)
1777 {
1778 CamelliaContext *cx;
1779
1780 if (key == NULL ||
1781 (keysize != 16 && keysize != 24 && keysize != 32)) {
1782 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1783 return NULL;
1784 }
1785 if (mode != NSS_CAMELLIA && mode != NSS_CAMELLIA_CBC) {
1786 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1787 return NULL;
1788 }
1789 if (mode == NSS_CAMELLIA_CBC && iv == NULL) {
1790 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1791 return NULL;
1792 }
1793 cx = PORT_ZNew(CamelliaContext);
1794 if (!cx) {
1795 PORT_SetError(SEC_ERROR_NO_MEMORY);
1796 return NULL;
1797 }
1798
1799 /* copy in the iv, if neccessary */
1800 if (mode == NSS_CAMELLIA_CBC) {
1801 memcpy(cx->iv, iv, CAMELLIA_BLOCK_SIZE);
1802 cx->worker = (encrypt) ? &camellia_encryptCBC : &camellia_decryptCBC;
1803 } else {
1804 cx->worker = (encrypt) ? &camellia_encryptECB : &camellia_decryptECB;
1805 }
1806 /* copy keysize */
1807 cx->keysize = keysize;
1808
1809 /* Generate expanded key */
1810 if (camellia_key_expansion(cx, key, keysize) != SECSuccess)
1811 goto cleanup;
1812
1813 return cx;
1814 cleanup:
1815 PORT_ZFree(cx, sizeof *cx);
1816 return NULL;
1817 }
1818
1819 /*
1820 * Camellia_DestroyContext
1821 *
1822 * Zero an Camellia cipher context. If freeit is true, also free the pointer
1823 * to the context.
1824 */
1825 void
Camellia_DestroyContext(CamelliaContext * cx,PRBool freeit)1826 Camellia_DestroyContext(CamelliaContext *cx, PRBool freeit)
1827 {
1828 if (cx)
1829 memset(cx, 0, sizeof *cx);
1830 if (freeit)
1831 PORT_Free(cx);
1832 }
1833
1834 /*
1835 * Camellia_Encrypt
1836 *
1837 * Encrypt an arbitrary-length buffer. The output buffer must already be
1838 * allocated to at least inputLen.
1839 */
1840 SECStatus
Camellia_Encrypt(CamelliaContext * cx,unsigned char * output,unsigned int * outputLen,unsigned int maxOutputLen,const unsigned char * input,unsigned int inputLen)1841 Camellia_Encrypt(CamelliaContext *cx, unsigned char *output,
1842 unsigned int *outputLen, unsigned int maxOutputLen,
1843 const unsigned char *input, unsigned int inputLen)
1844 {
1845
1846 /* Check args */
1847 if (cx == NULL || output == NULL || input == NULL ||
1848 outputLen == NULL) {
1849 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1850 return SECFailure;
1851 }
1852
1853 if (inputLen % CAMELLIA_BLOCK_SIZE != 0) {
1854 PORT_SetError(SEC_ERROR_INPUT_LEN);
1855 return SECFailure;
1856 }
1857 if (maxOutputLen < inputLen) {
1858 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
1859 return SECFailure;
1860 }
1861 *outputLen = inputLen;
1862
1863 return (*cx->worker)(cx, output, outputLen, maxOutputLen,
1864 input, inputLen);
1865 }
1866
1867 /*
1868 * Camellia_Decrypt
1869 *
1870 * Decrypt and arbitrary-length buffer. The output buffer must already be
1871 * allocated to at least inputLen.
1872 */
1873 SECStatus
Camellia_Decrypt(CamelliaContext * cx,unsigned char * output,unsigned int * outputLen,unsigned int maxOutputLen,const unsigned char * input,unsigned int inputLen)1874 Camellia_Decrypt(CamelliaContext *cx, unsigned char *output,
1875 unsigned int *outputLen, unsigned int maxOutputLen,
1876 const unsigned char *input, unsigned int inputLen)
1877 {
1878
1879 /* Check args */
1880 if (cx == NULL || output == NULL || input == NULL || outputLen == NULL) {
1881 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1882 return SECFailure;
1883 }
1884 if (inputLen % CAMELLIA_BLOCK_SIZE != 0) {
1885 PORT_SetError(SEC_ERROR_INPUT_LEN);
1886 return SECFailure;
1887 }
1888 if (maxOutputLen < inputLen) {
1889 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
1890 return SECFailure;
1891 }
1892 *outputLen = inputLen;
1893
1894 return (*cx->worker)(cx, output, outputLen, maxOutputLen,
1895 input, inputLen);
1896 }
1897