camellia.c 35.2 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307
/*
 * Copyright (C) 2006
 * NTT (Nippon Telegraph and Telephone Corporation).
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */

/*
 * Algorithm Specification
 *  http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
 */

/*
 *
 * NOTE --- NOTE --- NOTE --- NOTE
 * This implementation assumes that all memory addresses passed
 * as parameters are four-byte aligned.
 *
 */

#include <linux/crypto.h>
#include <linux/errno.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>

static const u32 camellia_sp1110[256] = {
	0x70707000,0x82828200,0x2c2c2c00,0xececec00,
	0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
	0xe4e4e400,0x85858500,0x57575700,0x35353500,
	0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
	0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
	0x45454500,0x19191900,0xa5a5a500,0x21212100,
	0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
	0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
	0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
	0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
	0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
	0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
	0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
	0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
	0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
	0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
	0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
	0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
	0x74747400,0x12121200,0x2b2b2b00,0x20202000,
	0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
	0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
	0x34343400,0x7e7e7e00,0x76767600,0x05050500,
	0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
	0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
	0x14141400,0x58585800,0x3a3a3a00,0x61616100,
	0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
	0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
	0x53535300,0x18181800,0xf2f2f200,0x22222200,
	0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
	0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
	0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
	0x60606000,0xfcfcfc00,0x69696900,0x50505000,
	0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
	0xa1a1a100,0x89898900,0x62626200,0x97979700,
	0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
	0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
	0x10101000,0xc4c4c400,0x00000000,0x48484800,
	0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
	0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
	0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
	0x87878700,0x5c5c5c00,0x83838300,0x02020200,
	0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
	0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
	0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
	0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
	0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
	0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
	0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
	0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
	0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
	0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
	0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
	0x78787800,0x98989800,0x06060600,0x6a6a6a00,
	0xe7e7e700,0x46464600,0x71717100,0xbababa00,
	0xd4d4d400,0x25252500,0xababab00,0x42424200,
	0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
	0x72727200,0x07070700,0xb9b9b900,0x55555500,
	0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
	0x36363600,0x49494900,0x2a2a2a00,0x68686800,
	0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
	0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
	0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
	0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
	0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
};

static const u32 camellia_sp0222[256] = {
	0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
	0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
	0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
	0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
	0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
	0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
	0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
	0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
	0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
	0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
	0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
	0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
	0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
	0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
	0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
	0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
	0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
	0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
	0x00e8e8e8,0x00242424,0x00565656,0x00404040,
	0x00e1e1e1,0x00636363,0x00090909,0x00333333,
	0x00bfbfbf,0x00989898,0x00979797,0x00858585,
	0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
	0x00dadada,0x006f6f6f,0x00535353,0x00626262,
	0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
	0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
	0x00bdbdbd,0x00363636,0x00222222,0x00383838,
	0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
	0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
	0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
	0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
	0x00484848,0x00101010,0x00d1d1d1,0x00515151,
	0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
	0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
	0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
	0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
	0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
	0x00202020,0x00898989,0x00000000,0x00909090,
	0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
	0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
	0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
	0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
	0x009b9b9b,0x00949494,0x00212121,0x00666666,
	0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
	0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
	0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
	0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
	0x00030303,0x002d2d2d,0x00dedede,0x00969696,
	0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
	0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
	0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
	0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
	0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
	0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
	0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
	0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
	0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
	0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
	0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
	0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
	0x00787878,0x00707070,0x00e3e3e3,0x00494949,
	0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
	0x00777777,0x00939393,0x00868686,0x00838383,
	0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
	0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
};

static const u32 camellia_sp3033[256] = {
	0x38003838,0x41004141,0x16001616,0x76007676,
	0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
	0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
	0x75007575,0x06000606,0x57005757,0xa000a0a0,
	0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
	0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
	0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
	0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
	0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
	0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
	0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
	0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
	0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
	0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
	0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
	0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
	0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
	0xfd00fdfd,0x66006666,0x58005858,0x96009696,
	0x3a003a3a,0x09000909,0x95009595,0x10001010,
	0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
	0xef00efef,0x26002626,0xe500e5e5,0x61006161,
	0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
	0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
	0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
	0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
	0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
	0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
	0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
	0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
	0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
	0x12001212,0x04000404,0x74007474,0x54005454,
	0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
	0x55005555,0x68006868,0x50005050,0xbe00bebe,
	0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
	0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
	0x70007070,0xff00ffff,0x32003232,0x69006969,
	0x08000808,0x62006262,0x00000000,0x24002424,
	0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
	0x45004545,0x81008181,0x73007373,0x6d006d6d,
	0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
	0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
	0xe600e6e6,0x25002525,0x48004848,0x99009999,
	0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
	0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
	0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
	0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
	0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
	0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
	0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
	0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
	0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
	0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
	0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
	0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
	0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
	0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
	0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
	0x7c007c7c,0x77007777,0x56005656,0x05000505,
	0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
	0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
	0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
	0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
	0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
	0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
};

static const u32 camellia_sp4404[256] = {
	0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
	0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
	0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
	0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
	0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
	0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
	0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
	0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
	0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
	0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
	0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
	0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
	0x14140014,0x3a3a003a,0xdede00de,0x11110011,
	0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
	0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
	0x24240024,0xe8e800e8,0x60600060,0x69690069,
	0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
	0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
	0x10100010,0x00000000,0xa3a300a3,0x75750075,
	0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
	0x87870087,0x83830083,0xcdcd00cd,0x90900090,
	0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
	0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
	0x81810081,0x6f6f006f,0x13130013,0x63630063,
	0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
	0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
	0x78780078,0x06060006,0xe7e700e7,0x71710071,
	0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
	0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
	0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
	0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
	0x15150015,0xadad00ad,0x77770077,0x80800080,
	0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
	0x85850085,0x35350035,0x0c0c000c,0x41410041,
	0xefef00ef,0x93930093,0x19190019,0x21210021,
	0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
	0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
	0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
	0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
	0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
	0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
	0x12120012,0x20200020,0xb1b100b1,0x99990099,
	0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
	0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
	0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
	0x0f0f000f,0x16160016,0x18180018,0x22220022,
	0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
	0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
	0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
	0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
	0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
	0x03030003,0xdada00da,0x3f3f003f,0x94940094,
	0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
	0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
	0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
	0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
	0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
	0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
	0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
	0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
	0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
	0x49490049,0x68680068,0x38380038,0xa4a400a4,
	0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
	0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
};


D
Denys Vlasenko 已提交
308 309 310 311 312
#define CAMELLIA_MIN_KEY_SIZE        16
#define CAMELLIA_MAX_KEY_SIZE        32
#define CAMELLIA_BLOCK_SIZE          16
#define CAMELLIA_TABLE_BYTE_LEN     272

D
Denys Vlasenko 已提交
313 314 315 316 317 318
/*
 * NB: L and R below stand for 'left' and 'right' as in written numbers.
 * That is, in (xxxL,xxxR) pair xxxL holds most significant digits,
 * _not_ least significant ones!
 */

D
Denys Vlasenko 已提交
319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337

/* key constants */

#define CAMELLIA_SIGMA1L (0xA09E667FL)
#define CAMELLIA_SIGMA1R (0x3BCC908BL)
#define CAMELLIA_SIGMA2L (0xB67AE858L)
#define CAMELLIA_SIGMA2R (0x4CAA73B2L)
#define CAMELLIA_SIGMA3L (0xC6EF372FL)
#define CAMELLIA_SIGMA3R (0xE94F82BEL)
#define CAMELLIA_SIGMA4L (0x54FF53A5L)
#define CAMELLIA_SIGMA4R (0xF1D36F1CL)
#define CAMELLIA_SIGMA5L (0x10E527FAL)
#define CAMELLIA_SIGMA5R (0xDE682D1DL)
#define CAMELLIA_SIGMA6L (0xB05688C2L)
#define CAMELLIA_SIGMA6R (0xB3E6C1FDL)

/*
 *  macros
 */
338 339 340 341 342 343 344 345 346 347 348 349 350 351
#define GETU32(v, pt) \
    do { \
	/* latest breed of gcc is clever enough to use move */ \
	memcpy(&(v), (pt), 4); \
	(v) = be32_to_cpu(v); \
    } while(0)

/* rotation right shift 1byte */
#define ROR8(x) (((x) >> 8) + ((x) << 24))
/* rotation left shift 1bit */
#define ROL1(x) (((x) << 1) + ((x) >> 31))
/* rotation left shift 1byte */
#define ROL8(x) (((x) << 8) + ((x) >> 24))

D
Denys Vlasenko 已提交
352
#define ROLDQ(ll, lr, rl, rr, w0, w1, bits)		\
D
Denys Vlasenko 已提交
353 354 355 356 357 358 359 360
    do {						\
	w0 = ll;					\
	ll = (ll << bits) + (lr >> (32 - bits));	\
	lr = (lr << bits) + (rl >> (32 - bits));	\
	rl = (rl << bits) + (rr >> (32 - bits));	\
	rr = (rr << bits) + (w0 >> (32 - bits));	\
    } while(0)

D
Denys Vlasenko 已提交
361
#define ROLDQo32(ll, lr, rl, rr, w0, w1, bits)		\
D
Denys Vlasenko 已提交
362 363 364 365 366 367 368 369 370 371 372 373 374 375 376
    do {						\
	w0 = ll;					\
	w1 = lr;					\
	ll = (lr << (bits - 32)) + (rl >> (64 - bits));	\
	lr = (rl << (bits - 32)) + (rr >> (64 - bits));	\
	rl = (rr << (bits - 32)) + (w0 >> (64 - bits));	\
	rr = (w0 << (bits - 32)) + (w1 >> (64 - bits));	\
    } while(0)

#define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)	\
    do {							\
	il = xl ^ kl;						\
	ir = xr ^ kr;						\
	t0 = il >> 16;						\
	t1 = ir >> 16;						\
D
Denys Vlasenko 已提交
377 378 379 380 381 382 383 384
	yl = camellia_sp1110[(u8)(ir     )]			\
	   ^ camellia_sp0222[    (t1 >> 8)]			\
	   ^ camellia_sp3033[(u8)(t1     )]			\
	   ^ camellia_sp4404[(u8)(ir >> 8)];			\
	yr = camellia_sp1110[    (t0 >> 8)]			\
	   ^ camellia_sp0222[(u8)(t0     )]			\
	   ^ camellia_sp3033[(u8)(il >> 8)]			\
	   ^ camellia_sp4404[(u8)(il     )];			\
D
Denys Vlasenko 已提交
385
	yl ^= yr;						\
386
	yr = ROR8(yr);						\
D
Denys Vlasenko 已提交
387 388 389
	yr ^= yl;						\
    } while(0)

D
Denys Vlasenko 已提交
390 391
#define SUBKEY_L(INDEX) (subkey[(INDEX)*2])
#define SUBKEY_R(INDEX) (subkey[(INDEX)*2 + 1])
392

393
static void camellia_setup_tail(u32 *subkey, u32 *subL, u32 *subR, int max)
D
Denys Vlasenko 已提交
394
{
395
	u32 dw, tl, tr;
396
	u32 kw4l, kw4r;
397 398
	int i;

399 400 401 402 403 404 405 406 407
	/* absorb kw2 to other subkeys */
	/* round 2 */
	subL[3] ^= subL[1]; subR[3] ^= subR[1];
	/* round 4 */
	subL[5] ^= subL[1]; subR[5] ^= subR[1];
	/* round 6 */
	subL[7] ^= subL[1]; subR[7] ^= subR[1];
	subL[1] ^= subR[1] & ~subR[9];
	dw = subL[1] & subL[9],
408
		subR[1] ^= ROL1(dw); /* modified for FLinv(kl2) */
409 410 411 412 413 414 415 416
	/* round 8 */
	subL[11] ^= subL[1]; subR[11] ^= subR[1];
	/* round 10 */
	subL[13] ^= subL[1]; subR[13] ^= subR[1];
	/* round 12 */
	subL[15] ^= subL[1]; subR[15] ^= subR[1];
	subL[1] ^= subR[1] & ~subR[17];
	dw = subL[1] & subL[17],
417
		subR[1] ^= ROL1(dw); /* modified for FLinv(kl4) */
418 419 420 421 422 423 424 425 426 427 428 429 430 431 432
	/* round 14 */
	subL[19] ^= subL[1]; subR[19] ^= subR[1];
	/* round 16 */
	subL[21] ^= subL[1]; subR[21] ^= subR[1];
	/* round 18 */
	subL[23] ^= subL[1]; subR[23] ^= subR[1];
	if (max == 24) {
		/* kw3 */
		subL[24] ^= subL[1]; subR[24] ^= subR[1];

	/* absorb kw4 to other subkeys */
		kw4l = subL[25]; kw4r = subR[25];
	} else {
		subL[1] ^= subR[1] & ~subR[25];
		dw = subL[1] & subL[25],
433
			subR[1] ^= ROL1(dw); /* modified for FLinv(kl6) */
434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452
		/* round 20 */
		subL[27] ^= subL[1]; subR[27] ^= subR[1];
		/* round 22 */
		subL[29] ^= subL[1]; subR[29] ^= subR[1];
		/* round 24 */
		subL[31] ^= subL[1]; subR[31] ^= subR[1];
		/* kw3 */
		subL[32] ^= subL[1]; subR[32] ^= subR[1];

	/* absorb kw4 to other subkeys */
		kw4l = subL[33]; kw4r = subR[33];
		/* round 23 */
		subL[30] ^= kw4l; subR[30] ^= kw4r;
		/* round 21 */
		subL[28] ^= kw4l; subR[28] ^= kw4r;
		/* round 19 */
		subL[26] ^= kw4l; subR[26] ^= kw4r;
		kw4l ^= kw4r & ~subR[24];
		dw = kw4l & subL[24],
453
			kw4r ^= ROL1(dw); /* modified for FL(kl5) */
454 455 456 457 458 459 460 461 462
	}
	/* round 17 */
	subL[22] ^= kw4l; subR[22] ^= kw4r;
	/* round 15 */
	subL[20] ^= kw4l; subR[20] ^= kw4r;
	/* round 13 */
	subL[18] ^= kw4l; subR[18] ^= kw4r;
	kw4l ^= kw4r & ~subR[16];
	dw = kw4l & subL[16],
463
		kw4r ^= ROL1(dw); /* modified for FL(kl3) */
464 465 466 467 468 469 470 471
	/* round 11 */
	subL[14] ^= kw4l; subR[14] ^= kw4r;
	/* round 9 */
	subL[12] ^= kw4l; subR[12] ^= kw4r;
	/* round 7 */
	subL[10] ^= kw4l; subR[10] ^= kw4r;
	kw4l ^= kw4r & ~subR[8];
	dw = kw4l & subL[8],
472
		kw4r ^= ROL1(dw); /* modified for FL(kl1) */
473 474 475 476 477 478 479 480 481
	/* round 5 */
	subL[6] ^= kw4l; subR[6] ^= kw4r;
	/* round 3 */
	subL[4] ^= kw4l; subR[4] ^= kw4r;
	/* round 1 */
	subL[2] ^= kw4l; subR[2] ^= kw4r;
	/* kw1 */
	subL[0] ^= kw4l; subR[0] ^= kw4r;

482 483 484 485 486 487 488 489 490 491 492 493 494 495 496
	/* key XOR is end of F-function */
	SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
	SUBKEY_R(0) = subR[0] ^ subR[2];
	SUBKEY_L(2) = subL[3];       /* round 1 */
	SUBKEY_R(2) = subR[3];
	SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
	SUBKEY_R(3) = subR[2] ^ subR[4];
	SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
	SUBKEY_R(4) = subR[3] ^ subR[5];
	SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
	SUBKEY_R(5) = subR[4] ^ subR[6];
	SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
	SUBKEY_R(6) = subR[5] ^ subR[7];
	tl = subL[10] ^ (subR[10] & ~subR[8]);
	dw = tl & subL[8],  /* FL(kl1) */
497
		tr = subR[10] ^ ROL1(dw);
498 499 500 501 502 503 504 505
	SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
	SUBKEY_R(7) = subR[6] ^ tr;
	SUBKEY_L(8) = subL[8];       /* FL(kl1) */
	SUBKEY_R(8) = subR[8];
	SUBKEY_L(9) = subL[9];       /* FLinv(kl2) */
	SUBKEY_R(9) = subR[9];
	tl = subL[7] ^ (subR[7] & ~subR[9]);
	dw = tl & subL[9],  /* FLinv(kl2) */
506
		tr = subR[7] ^ ROL1(dw);
507 508 509 510 511 512 513 514 515 516 517 518
	SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
	SUBKEY_R(10) = tr ^ subR[11];
	SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
	SUBKEY_R(11) = subR[10] ^ subR[12];
	SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
	SUBKEY_R(12) = subR[11] ^ subR[13];
	SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
	SUBKEY_R(13) = subR[12] ^ subR[14];
	SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
	SUBKEY_R(14) = subR[13] ^ subR[15];
	tl = subL[18] ^ (subR[18] & ~subR[16]);
	dw = tl & subL[16], /* FL(kl3) */
519
		tr = subR[18] ^ ROL1(dw);
520 521 522 523 524 525 526 527
	SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
	SUBKEY_R(15) = subR[14] ^ tr;
	SUBKEY_L(16) = subL[16];     /* FL(kl3) */
	SUBKEY_R(16) = subR[16];
	SUBKEY_L(17) = subL[17];     /* FLinv(kl4) */
	SUBKEY_R(17) = subR[17];
	tl = subL[15] ^ (subR[15] & ~subR[17]);
	dw = tl & subL[17], /* FLinv(kl4) */
528
		tr = subR[15] ^ ROL1(dw);
529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546
	SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
	SUBKEY_R(18) = tr ^ subR[19];
	SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
	SUBKEY_R(19) = subR[18] ^ subR[20];
	SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
	SUBKEY_R(20) = subR[19] ^ subR[21];
	SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
	SUBKEY_R(21) = subR[20] ^ subR[22];
	SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
	SUBKEY_R(22) = subR[21] ^ subR[23];
	if (max == 24) {
		SUBKEY_L(23) = subL[22];     /* round 18 */
		SUBKEY_R(23) = subR[22];
		SUBKEY_L(24) = subL[24] ^ subL[23]; /* kw3 */
		SUBKEY_R(24) = subR[24] ^ subR[23];
	} else {
		tl = subL[26] ^ (subR[26] & ~subR[24]);
		dw = tl & subL[24], /* FL(kl5) */
547
			tr = subR[26] ^ ROL1(dw);
548 549 550 551 552 553 554 555
		SUBKEY_L(23) = subL[22] ^ tl; /* round 18 */
		SUBKEY_R(23) = subR[22] ^ tr;
		SUBKEY_L(24) = subL[24];     /* FL(kl5) */
		SUBKEY_R(24) = subR[24];
		SUBKEY_L(25) = subL[25];     /* FLinv(kl6) */
		SUBKEY_R(25) = subR[25];
		tl = subL[23] ^ (subR[23] & ~subR[25]);
		dw = tl & subL[25], /* FLinv(kl6) */
556
			tr = subR[23] ^ ROL1(dw);
557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574
		SUBKEY_L(26) = tl ^ subL[27]; /* round 19 */
		SUBKEY_R(26) = tr ^ subR[27];
		SUBKEY_L(27) = subL[26] ^ subL[28]; /* round 20 */
		SUBKEY_R(27) = subR[26] ^ subR[28];
		SUBKEY_L(28) = subL[27] ^ subL[29]; /* round 21 */
		SUBKEY_R(28) = subR[27] ^ subR[29];
		SUBKEY_L(29) = subL[28] ^ subL[30]; /* round 22 */
		SUBKEY_R(29) = subR[28] ^ subR[30];
		SUBKEY_L(30) = subL[29] ^ subL[31]; /* round 23 */
		SUBKEY_R(30) = subR[29] ^ subR[31];
		SUBKEY_L(31) = subL[30];     /* round 24 */
		SUBKEY_R(31) = subR[30];
		SUBKEY_L(32) = subL[32] ^ subL[31]; /* kw3 */
		SUBKEY_R(32) = subR[32] ^ subR[31];
	}

	/* apply the inverse of the last half of P-function */
	i = 2;
D
Denys Vlasenko 已提交
575
	do {
576
		dw = SUBKEY_L(i + 0) ^ SUBKEY_R(i + 0); dw = ROL8(dw);/* round 1 */
D
Denys Vlasenko 已提交
577
		SUBKEY_R(i + 0) = SUBKEY_L(i + 0) ^ dw; SUBKEY_L(i + 0) = dw;
578
		dw = SUBKEY_L(i + 1) ^ SUBKEY_R(i + 1); dw = ROL8(dw);/* round 2 */
D
Denys Vlasenko 已提交
579
		SUBKEY_R(i + 1) = SUBKEY_L(i + 1) ^ dw; SUBKEY_L(i + 1) = dw;
580
		dw = SUBKEY_L(i + 2) ^ SUBKEY_R(i + 2); dw = ROL8(dw);/* round 3 */
D
Denys Vlasenko 已提交
581
		SUBKEY_R(i + 2) = SUBKEY_L(i + 2) ^ dw; SUBKEY_L(i + 2) = dw;
582
		dw = SUBKEY_L(i + 3) ^ SUBKEY_R(i + 3); dw = ROL8(dw);/* round 4 */
D
Denys Vlasenko 已提交
583
		SUBKEY_R(i + 3) = SUBKEY_L(i + 3) ^ dw; SUBKEY_L(i + 3) = dw;
584
		dw = SUBKEY_L(i + 4) ^ SUBKEY_R(i + 4); dw = ROL8(dw);/* round 5 */
D
Denys Vlasenko 已提交
585
		SUBKEY_R(i + 4) = SUBKEY_L(i + 4) ^ dw; SUBKEY_L(i + 4) = dw;
586
		dw = SUBKEY_L(i + 5) ^ SUBKEY_R(i + 5); dw = ROL8(dw);/* round 6 */
D
Denys Vlasenko 已提交
587 588 589 590 591
		SUBKEY_R(i + 5) = SUBKEY_L(i + 5) ^ dw; SUBKEY_L(i + 5) = dw;
		i += 8;
	} while (i < max);
}

592 593 594 595 596 597 598 599
static void camellia_setup128(const unsigned char *key, u32 *subkey)
{
	u32 kll, klr, krl, krr;
	u32 il, ir, t0, t1, w0, w1;
	u32 subL[26];
	u32 subR[26];

	/**
600
	 *  k == kll || klr || krl || krr (|| is concatenation)
601
	 */
602 603 604 605
	GETU32(kll, key     );
	GETU32(klr, key +  4);
	GETU32(krl, key +  8);
	GETU32(krr, key + 12);
D
Denys Vlasenko 已提交
606

607
	/* generate KL dependent subkeys */
608
	/* kw1 */
D
Denys Vlasenko 已提交
609
	subL[0] = kll; subR[0] = klr;
610
	/* kw2 */
D
Denys Vlasenko 已提交
611
	subL[1] = krl; subR[1] = krr;
612
	/* rotation left shift 15bit */
D
Denys Vlasenko 已提交
613
	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
614
	/* k3 */
D
Denys Vlasenko 已提交
615
	subL[4] = kll; subR[4] = klr;
616
	/* k4 */
D
Denys Vlasenko 已提交
617
	subL[5] = krl; subR[5] = krr;
618
	/* rotation left shift 15+30bit */
D
Denys Vlasenko 已提交
619
	ROLDQ(kll, klr, krl, krr, w0, w1, 30);
620
	/* k7 */
D
Denys Vlasenko 已提交
621
	subL[10] = kll; subR[10] = klr;
622
	/* k8 */
D
Denys Vlasenko 已提交
623
	subL[11] = krl; subR[11] = krr;
624
	/* rotation left shift 15+30+15bit */
D
Denys Vlasenko 已提交
625
	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
626
	/* k10 */
D
Denys Vlasenko 已提交
627
	subL[13] = krl; subR[13] = krr;
628
	/* rotation left shift 15+30+15+17 bit */
D
Denys Vlasenko 已提交
629
	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
630
	/* kl3 */
D
Denys Vlasenko 已提交
631
	subL[16] = kll; subR[16] = klr;
632
	/* kl4 */
D
Denys Vlasenko 已提交
633
	subL[17] = krl; subR[17] = krr;
634
	/* rotation left shift 15+30+15+17+17 bit */
D
Denys Vlasenko 已提交
635
	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
636
	/* k13 */
D
Denys Vlasenko 已提交
637
	subL[18] = kll; subR[18] = klr;
638
	/* k14 */
D
Denys Vlasenko 已提交
639
	subL[19] = krl; subR[19] = krr;
640
	/* rotation left shift 15+30+15+17+17+17 bit */
D
Denys Vlasenko 已提交
641
	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
642
	/* k17 */
D
Denys Vlasenko 已提交
643
	subL[22] = kll; subR[22] = klr;
644
	/* k18 */
D
Denys Vlasenko 已提交
645
	subL[23] = krl; subR[23] = krr;
646 647

	/* generate KA */
D
Denys Vlasenko 已提交
648 649
	kll = subL[0]; klr = subR[0];
	krl = subL[1]; krr = subR[1];
650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668
	CAMELLIA_F(kll, klr,
		   CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
		   w0, w1, il, ir, t0, t1);
	krl ^= w0; krr ^= w1;
	CAMELLIA_F(krl, krr,
		   CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
		   kll, klr, il, ir, t0, t1);
	/* current status == (kll, klr, w0, w1) */
	CAMELLIA_F(kll, klr,
		   CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
		   krl, krr, il, ir, t0, t1);
	krl ^= w0; krr ^= w1;
	CAMELLIA_F(krl, krr,
		   CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
		   w0, w1, il, ir, t0, t1);
	kll ^= w0; klr ^= w1;

	/* generate KA dependent subkeys */
	/* k1, k2 */
D
Denys Vlasenko 已提交
669 670
	subL[2] = kll; subR[2] = klr;
	subL[3] = krl; subR[3] = krr;
D
Denys Vlasenko 已提交
671
	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
672
	/* k5,k6 */
D
Denys Vlasenko 已提交
673 674
	subL[6] = kll; subR[6] = klr;
	subL[7] = krl; subR[7] = krr;
D
Denys Vlasenko 已提交
675
	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
676
	/* kl1, kl2 */
D
Denys Vlasenko 已提交
677 678
	subL[8] = kll; subR[8] = klr;
	subL[9] = krl; subR[9] = krr;
D
Denys Vlasenko 已提交
679
	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
680
	/* k9 */
D
Denys Vlasenko 已提交
681
	subL[12] = kll; subR[12] = klr;
D
Denys Vlasenko 已提交
682
	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
683
	/* k11, k12 */
D
Denys Vlasenko 已提交
684 685
	subL[14] = kll; subR[14] = klr;
	subL[15] = krl; subR[15] = krr;
D
Denys Vlasenko 已提交
686
	ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
687
	/* k15, k16 */
D
Denys Vlasenko 已提交
688 689
	subL[20] = kll; subR[20] = klr;
	subL[21] = krl; subR[21] = krr;
D
Denys Vlasenko 已提交
690
	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
691
	/* kw3, kw4 */
D
Denys Vlasenko 已提交
692 693
	subL[24] = kll; subR[24] = klr;
	subL[25] = krl; subR[25] = krr;
694

695
	camellia_setup_tail(subkey, subL, subR, 24);
696 697 698 699
}

static void camellia_setup256(const unsigned char *key, u32 *subkey)
{
D
Denys Vlasenko 已提交
700 701
	u32 kll, klr, krl, krr;        /* left half of key */
	u32 krll, krlr, krrl, krrr;    /* right half of key */
702 703 704 705 706 707
	u32 il, ir, t0, t1, w0, w1;    /* temporary variables */
	u32 subL[34];
	u32 subR[34];

	/**
	 *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
708
	 *  (|| is concatenation)
709
	 */
710 711 712 713 714 715 716 717
	GETU32(kll,  key     );
	GETU32(klr,  key +  4);
	GETU32(krl,  key +  8);
	GETU32(krr,  key + 12);
	GETU32(krll, key + 16);
	GETU32(krlr, key + 20);
	GETU32(krrl, key + 24);
	GETU32(krrr, key + 28);
718 719 720

	/* generate KL dependent subkeys */
	/* kw1 */
D
Denys Vlasenko 已提交
721
	subL[0] = kll; subR[0] = klr;
722
	/* kw2 */
D
Denys Vlasenko 已提交
723
	subL[1] = krl; subR[1] = krr;
D
Denys Vlasenko 已提交
724
	ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
725
	/* k9 */
D
Denys Vlasenko 已提交
726
	subL[12] = kll; subR[12] = klr;
727
	/* k10 */
D
Denys Vlasenko 已提交
728
	subL[13] = krl; subR[13] = krr;
D
Denys Vlasenko 已提交
729
	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
730
	/* kl3 */
D
Denys Vlasenko 已提交
731
	subL[16] = kll; subR[16] = klr;
732
	/* kl4 */
D
Denys Vlasenko 已提交
733
	subL[17] = krl; subR[17] = krr;
D
Denys Vlasenko 已提交
734
	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
735
	/* k17 */
D
Denys Vlasenko 已提交
736
	subL[22] = kll; subR[22] = klr;
737
	/* k18 */
D
Denys Vlasenko 已提交
738
	subL[23] = krl; subR[23] = krr;
D
Denys Vlasenko 已提交
739
	ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
740
	/* k23 */
D
Denys Vlasenko 已提交
741
	subL[30] = kll; subR[30] = klr;
742
	/* k24 */
D
Denys Vlasenko 已提交
743
	subL[31] = krl; subR[31] = krr;
744 745

	/* generate KR dependent subkeys */
D
Denys Vlasenko 已提交
746
	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
747
	/* k3 */
D
Denys Vlasenko 已提交
748
	subL[4] = krll; subR[4] = krlr;
749
	/* k4 */
D
Denys Vlasenko 已提交
750
	subL[5] = krrl; subR[5] = krrr;
D
Denys Vlasenko 已提交
751
	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
752
	/* kl1 */
D
Denys Vlasenko 已提交
753
	subL[8] = krll; subR[8] = krlr;
754
	/* kl2 */
D
Denys Vlasenko 已提交
755
	subL[9] = krrl; subR[9] = krrr;
D
Denys Vlasenko 已提交
756
	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
757
	/* k13 */
D
Denys Vlasenko 已提交
758
	subL[18] = krll; subR[18] = krlr;
759
	/* k14 */
D
Denys Vlasenko 已提交
760
	subL[19] = krrl; subR[19] = krrr;
D
Denys Vlasenko 已提交
761
	ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
762
	/* k19 */
D
Denys Vlasenko 已提交
763
	subL[26] = krll; subR[26] = krlr;
764
	/* k20 */
D
Denys Vlasenko 已提交
765
	subL[27] = krrl; subR[27] = krrr;
D
Denys Vlasenko 已提交
766
	ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
767 768

	/* generate KA */
D
Denys Vlasenko 已提交
769 770
	kll = subL[0] ^ krll; klr = subR[0] ^ krlr;
	krl = subL[1] ^ krrl; krr = subR[1] ^ krrr;
771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800
	CAMELLIA_F(kll, klr,
		   CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
		   w0, w1, il, ir, t0, t1);
	krl ^= w0; krr ^= w1;
	CAMELLIA_F(krl, krr,
		   CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
		   kll, klr, il, ir, t0, t1);
	kll ^= krll; klr ^= krlr;
	CAMELLIA_F(kll, klr,
		   CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
		   krl, krr, il, ir, t0, t1);
	krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
	CAMELLIA_F(krl, krr,
		   CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
		   w0, w1, il, ir, t0, t1);
	kll ^= w0; klr ^= w1;

	/* generate KB */
	krll ^= kll; krlr ^= klr;
	krrl ^= krl; krrr ^= krr;
	CAMELLIA_F(krll, krlr,
		   CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
		   w0, w1, il, ir, t0, t1);
	krrl ^= w0; krrr ^= w1;
	CAMELLIA_F(krrl, krrr,
		   CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
		   w0, w1, il, ir, t0, t1);
	krll ^= w0; krlr ^= w1;

	/* generate KA dependent subkeys */
D
Denys Vlasenko 已提交
801
	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
802
	/* k5 */
D
Denys Vlasenko 已提交
803
	subL[6] = kll; subR[6] = klr;
804
	/* k6 */
D
Denys Vlasenko 已提交
805
	subL[7] = krl; subR[7] = krr;
D
Denys Vlasenko 已提交
806
	ROLDQ(kll, klr, krl, krr, w0, w1, 30);
807
	/* k11 */
D
Denys Vlasenko 已提交
808
	subL[14] = kll; subR[14] = klr;
809
	/* k12 */
D
Denys Vlasenko 已提交
810
	subL[15] = krl; subR[15] = krr;
811 812
	/* rotation left shift 32bit */
	/* kl5 */
D
Denys Vlasenko 已提交
813
	subL[24] = klr; subR[24] = krl;
814
	/* kl6 */
D
Denys Vlasenko 已提交
815
	subL[25] = krr; subR[25] = kll;
816
	/* rotation left shift 49 from k11,k12 -> k21,k22 */
D
Denys Vlasenko 已提交
817
	ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
818
	/* k21 */
D
Denys Vlasenko 已提交
819
	subL[28] = kll; subR[28] = klr;
820
	/* k22 */
D
Denys Vlasenko 已提交
821
	subL[29] = krl; subR[29] = krr;
822 823 824

	/* generate KB dependent subkeys */
	/* k1 */
D
Denys Vlasenko 已提交
825
	subL[2] = krll; subR[2] = krlr;
826
	/* k2 */
D
Denys Vlasenko 已提交
827
	subL[3] = krrl; subR[3] = krrr;
D
Denys Vlasenko 已提交
828
	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
829
	/* k7 */
D
Denys Vlasenko 已提交
830
	subL[10] = krll; subR[10] = krlr;
831
	/* k8 */
D
Denys Vlasenko 已提交
832
	subL[11] = krrl; subR[11] = krrr;
D
Denys Vlasenko 已提交
833
	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
834
	/* k15 */
D
Denys Vlasenko 已提交
835
	subL[20] = krll; subR[20] = krlr;
836
	/* k16 */
D
Denys Vlasenko 已提交
837
	subL[21] = krrl; subR[21] = krrr;
D
Denys Vlasenko 已提交
838
	ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
839
	/* kw3 */
D
Denys Vlasenko 已提交
840
	subL[32] = krll; subR[32] = krlr;
841
	/* kw4 */
D
Denys Vlasenko 已提交
842
	subL[33] = krrl; subR[33] = krrr;
843

844
	camellia_setup_tail(subkey, subL, subR, 32);
845 846 847 848 849 850 851 852
}

static void camellia_setup192(const unsigned char *key, u32 *subkey)
{
	unsigned char kk[32];
	u32 krll, krlr, krrl,krrr;

	memcpy(kk, key, 24);
D
Denys Vlasenko 已提交
853 854
	memcpy((unsigned char *)&krll, key+16, 4);
	memcpy((unsigned char *)&krlr, key+20, 4);
855 856 857 858 859 860 861 862
	krrl = ~krll;
	krrr = ~krlr;
	memcpy(kk+24, (unsigned char *)&krrl, 4);
	memcpy(kk+28, (unsigned char *)&krrr, 4);
	camellia_setup256(kk, subkey);
}


D
Denys Vlasenko 已提交
863 864 865 866 867 868 869 870 871 872
/*
 * Encrypt/decrypt
 */
#define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
    do {								\
	t0 = kll;							\
	t2 = krr;							\
	t0 &= ll;							\
	t2 |= rr;							\
	rl ^= t2;							\
873
	lr ^= ROL1(t0);							\
D
Denys Vlasenko 已提交
874 875 876 877 878
	t3 = krl;							\
	t1 = klr;							\
	t3 &= rl;							\
	t1 |= lr;							\
	ll ^= t1;							\
879
	rr ^= ROL1(t3);							\
D
Denys Vlasenko 已提交
880 881 882 883 884 885 886 887 888 889 890 891 892 893 894
    } while(0)

#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir)		\
    do {								\
	ir =  camellia_sp1110[(u8)xr];					\
	il =  camellia_sp1110[    (xl >> 24)];				\
	ir ^= camellia_sp0222[    (xr >> 24)];				\
	il ^= camellia_sp0222[(u8)(xl >> 16)];				\
	ir ^= camellia_sp3033[(u8)(xr >> 16)];				\
	il ^= camellia_sp3033[(u8)(xl >> 8)];				\
	ir ^= camellia_sp4404[(u8)(xr >> 8)];				\
	il ^= camellia_sp4404[(u8)xl];					\
	il ^= kl;							\
	ir ^= il ^ kr;							\
	yl ^= ir;							\
895
	yr ^= ROR8(il) ^ ir;						\
D
Denys Vlasenko 已提交
896 897
    } while(0)

898 899
/* max = 24: 128bit encrypt, max = 32: 256bit encrypt */
static void camellia_do_encrypt(const u32 *subkey, u32 *io, unsigned max)
900
{
D
Denys Vlasenko 已提交
901
	u32 il,ir,t0,t1;               /* temporary variables */
902

D
Denys Vlasenko 已提交
903
	/* pre whitening but absorb kw2 */
904 905
	io[0] ^= SUBKEY_L(0);
	io[1] ^= SUBKEY_R(0);
906

D
Denys Vlasenko 已提交
907
	/* main iteration */
908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943
#define ROUNDS(i) do { \
	CAMELLIA_ROUNDSM(io[0],io[1], \
			 SUBKEY_L(i + 2),SUBKEY_R(i + 2), \
			 io[2],io[3],il,ir); \
	CAMELLIA_ROUNDSM(io[2],io[3], \
			 SUBKEY_L(i + 3),SUBKEY_R(i + 3), \
			 io[0],io[1],il,ir); \
	CAMELLIA_ROUNDSM(io[0],io[1], \
			 SUBKEY_L(i + 4),SUBKEY_R(i + 4), \
			 io[2],io[3],il,ir); \
	CAMELLIA_ROUNDSM(io[2],io[3], \
			 SUBKEY_L(i + 5),SUBKEY_R(i + 5), \
			 io[0],io[1],il,ir); \
	CAMELLIA_ROUNDSM(io[0],io[1], \
			 SUBKEY_L(i + 6),SUBKEY_R(i + 6), \
			 io[2],io[3],il,ir); \
	CAMELLIA_ROUNDSM(io[2],io[3], \
			 SUBKEY_L(i + 7),SUBKEY_R(i + 7), \
			 io[0],io[1],il,ir); \
} while (0)
#define FLS(i) do { \
	CAMELLIA_FLS(io[0],io[1],io[2],io[3], \
		     SUBKEY_L(i + 0),SUBKEY_R(i + 0), \
		     SUBKEY_L(i + 1),SUBKEY_R(i + 1), \
		     t0,t1,il,ir); \
} while (0)

	ROUNDS(0);
	FLS(8);
	ROUNDS(8);
	FLS(16);
	ROUNDS(16);
	if (max == 32) {
		FLS(24);
		ROUNDS(24);
	}
944

945 946
#undef ROUNDS
#undef FLS
947 948

	/* post whitening but kw4 */
949 950 951
	io[2] ^= SUBKEY_L(max);
	io[3] ^= SUBKEY_R(max);
	/* NB: io[0],[1] should be swapped with [2],[3] by caller! */
952 953
}

954
static void camellia_do_decrypt(const u32 *subkey, u32 *io, unsigned i)
955
{
956
	u32 il,ir,t0,t1;               /* temporary variables */
957

D
Denys Vlasenko 已提交
958
	/* pre whitening but absorb kw2 */
959 960
	io[0] ^= SUBKEY_L(i);
	io[1] ^= SUBKEY_R(i);
961 962

	/* main iteration */
963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998
#define ROUNDS(i) do { \
	CAMELLIA_ROUNDSM(io[0],io[1], \
			 SUBKEY_L(i + 7),SUBKEY_R(i + 7), \
			 io[2],io[3],il,ir); \
	CAMELLIA_ROUNDSM(io[2],io[3], \
			 SUBKEY_L(i + 6),SUBKEY_R(i + 6), \
			 io[0],io[1],il,ir); \
	CAMELLIA_ROUNDSM(io[0],io[1], \
			 SUBKEY_L(i + 5),SUBKEY_R(i + 5), \
			 io[2],io[3],il,ir); \
	CAMELLIA_ROUNDSM(io[2],io[3], \
			 SUBKEY_L(i + 4),SUBKEY_R(i + 4), \
			 io[0],io[1],il,ir); \
	CAMELLIA_ROUNDSM(io[0],io[1], \
			 SUBKEY_L(i + 3),SUBKEY_R(i + 3), \
			 io[2],io[3],il,ir); \
	CAMELLIA_ROUNDSM(io[2],io[3], \
			 SUBKEY_L(i + 2),SUBKEY_R(i + 2), \
			 io[0],io[1],il,ir); \
} while (0)
#define FLS(i) do { \
	CAMELLIA_FLS(io[0],io[1],io[2],io[3], \
		     SUBKEY_L(i + 1),SUBKEY_R(i + 1), \
		     SUBKEY_L(i + 0),SUBKEY_R(i + 0), \
		     t0,t1,il,ir); \
} while (0)

	if (i == 32) {
		ROUNDS(24);
		FLS(24);
	}
	ROUNDS(16);
	FLS(16);
	ROUNDS(8);
	FLS(8);
	ROUNDS(0);
999

1000 1001
#undef ROUNDS
#undef FLS
1002 1003

	/* post whitening but kw4 */
1004 1005 1006
	io[2] ^= SUBKEY_L(0);
	io[3] ^= SUBKEY_R(0);
	/* NB: 0,1 should be swapped with 2,3 by caller! */
1007 1008 1009
}


D
Denys Vlasenko 已提交
1010 1011
struct camellia_ctx {
	int key_length;
D
Denys Vlasenko 已提交
1012
	u32 key_table[CAMELLIA_TABLE_BYTE_LEN / sizeof(u32)];
D
Denys Vlasenko 已提交
1013 1014
};

1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029
static int
camellia_set_key(struct crypto_tfm *tfm, const u8 *in_key,
		 unsigned int key_len)
{
	struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
	const unsigned char *key = (const unsigned char *)in_key;
	u32 *flags = &tfm->crt_flags;

	if (key_len != 16 && key_len != 24 && key_len != 32) {
		*flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
		return -EINVAL;
	}

	cctx->key_length = key_len;

D
Denys Vlasenko 已提交
1030
	switch (key_len) {
1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050
	case 16:
		camellia_setup128(key, cctx->key_table);
		break;
	case 24:
		camellia_setup192(key, cctx->key_table);
		break;
	case 32:
		camellia_setup256(key, cctx->key_table);
		break;
	}

	return 0;
}

static void camellia_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
{
	const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
	const __be32 *src = (const __be32 *)in;
	__be32 *dst = (__be32 *)out;

D
Denys Vlasenko 已提交
1051
	u32 tmp[4];
1052

D
Denys Vlasenko 已提交
1053 1054 1055 1056
	tmp[0] = be32_to_cpu(src[0]);
	tmp[1] = be32_to_cpu(src[1]);
	tmp[2] = be32_to_cpu(src[2]);
	tmp[3] = be32_to_cpu(src[3]);
1057

1058 1059 1060
	camellia_do_encrypt(cctx->key_table, tmp,
		cctx->key_length == 16 ? 24 : 32 /* for key lengths of 24 and 32 */
	);
1061

1062 1063 1064 1065 1066
	/* do_encrypt returns 0,1 swapped with 2,3 */
	dst[0] = cpu_to_be32(tmp[2]);
	dst[1] = cpu_to_be32(tmp[3]);
	dst[2] = cpu_to_be32(tmp[0]);
	dst[3] = cpu_to_be32(tmp[1]);
1067 1068 1069 1070 1071 1072 1073 1074
}

static void camellia_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
{
	const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
	const __be32 *src = (const __be32 *)in;
	__be32 *dst = (__be32 *)out;

D
Denys Vlasenko 已提交
1075
	u32 tmp[4];
1076

D
Denys Vlasenko 已提交
1077 1078 1079 1080
	tmp[0] = be32_to_cpu(src[0]);
	tmp[1] = be32_to_cpu(src[1]);
	tmp[2] = be32_to_cpu(src[2]);
	tmp[3] = be32_to_cpu(src[3]);
1081

1082 1083 1084
	camellia_do_decrypt(cctx->key_table, tmp,
		cctx->key_length == 16 ? 24 : 32 /* for key lengths of 24 and 32 */
	);
1085

1086 1087 1088 1089 1090
	/* do_decrypt returns 0,1 swapped with 2,3 */
	dst[0] = cpu_to_be32(tmp[2]);
	dst[1] = cpu_to_be32(tmp[3]);
	dst[2] = cpu_to_be32(tmp[0]);
	dst[3] = cpu_to_be32(tmp[1]);
1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128
}

static struct crypto_alg camellia_alg = {
	.cra_name		=	"camellia",
	.cra_driver_name	=	"camellia-generic",
	.cra_priority		=	100,
	.cra_flags		=	CRYPTO_ALG_TYPE_CIPHER,
	.cra_blocksize		=	CAMELLIA_BLOCK_SIZE,
	.cra_ctxsize		=	sizeof(struct camellia_ctx),
	.cra_alignmask		=	3,
	.cra_module		=	THIS_MODULE,
	.cra_list		=	LIST_HEAD_INIT(camellia_alg.cra_list),
	.cra_u			=	{
		.cipher = {
			.cia_min_keysize	=	CAMELLIA_MIN_KEY_SIZE,
			.cia_max_keysize	=	CAMELLIA_MAX_KEY_SIZE,
			.cia_setkey		=	camellia_set_key,
			.cia_encrypt		=	camellia_encrypt,
			.cia_decrypt		=	camellia_decrypt
		}
	}
};

static int __init camellia_init(void)
{
	return crypto_register_alg(&camellia_alg);
}

static void __exit camellia_fini(void)
{
	crypto_unregister_alg(&camellia_alg);
}

module_init(camellia_init);
module_exit(camellia_fini);

MODULE_DESCRIPTION("Camellia Cipher Algorithm");
MODULE_LICENSE("GPL");