Loading...
1/*
2 * Copyright (C) 2006
3 * NTT (Nippon Telegraph and Telephone Corporation).
4 *
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version 2
8 * of the License, or (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
18 */
19
20/*
21 * Algorithm Specification
22 * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
23 */
24
25/*
26 *
27 * NOTE --- NOTE --- NOTE --- NOTE
28 * This implementation assumes that all memory addresses passed
29 * as parameters are four-byte aligned.
30 *
31 */
32
33#include <linux/crypto.h>
34#include <linux/errno.h>
35#include <linux/init.h>
36#include <linux/kernel.h>
37#include <linux/module.h>
38#include <linux/bitops.h>
39#include <asm/unaligned.h>
40
41static const u32 camellia_sp1110[256] = {
42 0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00,
43 0xb3b3b300, 0x27272700, 0xc0c0c000, 0xe5e5e500,
44 0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
45 0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100,
46 0x23232300, 0xefefef00, 0x6b6b6b00, 0x93939300,
47 0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
48 0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00,
49 0x1d1d1d00, 0x65656500, 0x92929200, 0xbdbdbd00,
50 0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
51 0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00,
52 0x3e3e3e00, 0x30303000, 0xdcdcdc00, 0x5f5f5f00,
53 0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
54 0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00,
55 0xd5d5d500, 0x47474700, 0x5d5d5d00, 0x3d3d3d00,
56 0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
57 0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00,
58 0x8b8b8b00, 0x0d0d0d00, 0x9a9a9a00, 0x66666600,
59 0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
60 0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000,
61 0xf0f0f000, 0xb1b1b100, 0x84848400, 0x99999900,
62 0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
63 0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500,
64 0x6d6d6d00, 0xb7b7b700, 0xa9a9a900, 0x31313100,
65 0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
66 0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100,
67 0xdedede00, 0x1b1b1b00, 0x11111100, 0x1c1c1c00,
68 0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
69 0x53535300, 0x18181800, 0xf2f2f200, 0x22222200,
70 0xfefefe00, 0x44444400, 0xcfcfcf00, 0xb2b2b200,
71 0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
72 0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800,
73 0x60606000, 0xfcfcfc00, 0x69696900, 0x50505000,
74 0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
75 0xa1a1a100, 0x89898900, 0x62626200, 0x97979700,
76 0x54545400, 0x5b5b5b00, 0x1e1e1e00, 0x95959500,
77 0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
78 0x10101000, 0xc4c4c400, 0x00000000, 0x48484800,
79 0xa3a3a300, 0xf7f7f700, 0x75757500, 0xdbdbdb00,
80 0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
81 0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400,
82 0x87878700, 0x5c5c5c00, 0x83838300, 0x02020200,
83 0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
84 0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300,
85 0x9d9d9d00, 0x7f7f7f00, 0xbfbfbf00, 0xe2e2e200,
86 0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
87 0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00,
88 0x81818100, 0x96969600, 0x6f6f6f00, 0x4b4b4b00,
89 0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
90 0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00,
91 0x9f9f9f00, 0x6e6e6e00, 0xbcbcbc00, 0x8e8e8e00,
92 0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
93 0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900,
94 0x78787800, 0x98989800, 0x06060600, 0x6a6a6a00,
95 0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
96 0xd4d4d400, 0x25252500, 0xababab00, 0x42424200,
97 0x88888800, 0xa2a2a200, 0x8d8d8d00, 0xfafafa00,
98 0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
99 0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00,
100 0x36363600, 0x49494900, 0x2a2a2a00, 0x68686800,
101 0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
102 0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00,
103 0xbbbbbb00, 0xc9c9c900, 0x43434300, 0xc1c1c100,
104 0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
105 0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00,
106};
107
108static const u32 camellia_sp0222[256] = {
109 0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9,
110 0x00676767, 0x004e4e4e, 0x00818181, 0x00cbcbcb,
111 0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
112 0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282,
113 0x00464646, 0x00dfdfdf, 0x00d6d6d6, 0x00272727,
114 0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
115 0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c,
116 0x003a3a3a, 0x00cacaca, 0x00252525, 0x007b7b7b,
117 0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
118 0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d,
119 0x007c7c7c, 0x00606060, 0x00b9b9b9, 0x00bebebe,
120 0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
121 0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595,
122 0x00ababab, 0x008e8e8e, 0x00bababa, 0x007a7a7a,
123 0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
124 0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a,
125 0x00171717, 0x001a1a1a, 0x00353535, 0x00cccccc,
126 0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
127 0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040,
128 0x00e1e1e1, 0x00636363, 0x00090909, 0x00333333,
129 0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
130 0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a,
131 0x00dadada, 0x006f6f6f, 0x00535353, 0x00626262,
132 0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
133 0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2,
134 0x00bdbdbd, 0x00363636, 0x00222222, 0x00383838,
135 0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
136 0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444,
137 0x00fdfdfd, 0x00888888, 0x009f9f9f, 0x00656565,
138 0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
139 0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151,
140 0x00c0c0c0, 0x00f9f9f9, 0x00d2d2d2, 0x00a0a0a0,
141 0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
142 0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f,
143 0x00a8a8a8, 0x00b6b6b6, 0x003c3c3c, 0x002b2b2b,
144 0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
145 0x00202020, 0x00898989, 0x00000000, 0x00909090,
146 0x00474747, 0x00efefef, 0x00eaeaea, 0x00b7b7b7,
147 0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
148 0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929,
149 0x000f0f0f, 0x00b8b8b8, 0x00070707, 0x00040404,
150 0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
151 0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7,
152 0x003b3b3b, 0x00fefefe, 0x007f7f7f, 0x00c5c5c5,
153 0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
154 0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676,
155 0x00030303, 0x002d2d2d, 0x00dedede, 0x00969696,
156 0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
157 0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919,
158 0x003f3f3f, 0x00dcdcdc, 0x00797979, 0x001d1d1d,
159 0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
160 0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2,
161 0x00f0f0f0, 0x00313131, 0x000c0c0c, 0x00d4d4d4,
162 0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
163 0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484,
164 0x00111111, 0x00454545, 0x001b1b1b, 0x00f5f5f5,
165 0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
166 0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414,
167 0x006c6c6c, 0x00929292, 0x00545454, 0x00d0d0d0,
168 0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
169 0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6,
170 0x00777777, 0x00939393, 0x00868686, 0x00838383,
171 0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
172 0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d,
173};
174
175static const u32 camellia_sp3033[256] = {
176 0x38003838, 0x41004141, 0x16001616, 0x76007676,
177 0xd900d9d9, 0x93009393, 0x60006060, 0xf200f2f2,
178 0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
179 0x75007575, 0x06000606, 0x57005757, 0xa000a0a0,
180 0x91009191, 0xf700f7f7, 0xb500b5b5, 0xc900c9c9,
181 0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
182 0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727,
183 0x8e008e8e, 0xb200b2b2, 0x49004949, 0xde00dede,
184 0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
185 0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767,
186 0x1f001f1f, 0x18001818, 0x6e006e6e, 0xaf00afaf,
187 0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
188 0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565,
189 0xea00eaea, 0xa300a3a3, 0xae00aeae, 0x9e009e9e,
190 0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
191 0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6,
192 0xc500c5c5, 0x86008686, 0x4d004d4d, 0x33003333,
193 0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
194 0x3a003a3a, 0x09000909, 0x95009595, 0x10001010,
195 0x78007878, 0xd800d8d8, 0x42004242, 0xcc00cccc,
196 0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
197 0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282,
198 0xb600b6b6, 0xdb00dbdb, 0xd400d4d4, 0x98009898,
199 0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
200 0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0,
201 0x6f006f6f, 0x8d008d8d, 0x88008888, 0x0e000e0e,
202 0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
203 0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111,
204 0x7f007f7f, 0x22002222, 0xe700e7e7, 0x59005959,
205 0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
206 0x12001212, 0x04000404, 0x74007474, 0x54005454,
207 0x30003030, 0x7e007e7e, 0xb400b4b4, 0x28002828,
208 0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
209 0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb,
210 0x2a002a2a, 0xad00adad, 0x0f000f0f, 0xca00caca,
211 0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
212 0x08000808, 0x62006262, 0x00000000, 0x24002424,
213 0xd100d1d1, 0xfb00fbfb, 0xba00baba, 0xed00eded,
214 0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
215 0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a,
216 0xc300c3c3, 0x2e002e2e, 0xc100c1c1, 0x01000101,
217 0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
218 0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9,
219 0xce00cece, 0xbf00bfbf, 0xdf00dfdf, 0x71007171,
220 0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
221 0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d,
222 0xc000c0c0, 0x4b004b4b, 0xb700b7b7, 0xa500a5a5,
223 0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
224 0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646,
225 0xcf00cfcf, 0x37003737, 0x5e005e5e, 0x47004747,
226 0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
227 0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac,
228 0x3c003c3c, 0x4c004c4c, 0x03000303, 0x35003535,
229 0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
230 0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121,
231 0x44004444, 0x51005151, 0xc600c6c6, 0x7d007d7d,
232 0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
233 0x7c007c7c, 0x77007777, 0x56005656, 0x05000505,
234 0x1b001b1b, 0xa400a4a4, 0x15001515, 0x34003434,
235 0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
236 0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd,
237 0xdd00dddd, 0xe400e4e4, 0xa100a1a1, 0xe000e0e0,
238 0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
239 0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f,
240};
241
242static const u32 camellia_sp4404[256] = {
243 0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0,
244 0xe4e400e4, 0x57570057, 0xeaea00ea, 0xaeae00ae,
245 0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
246 0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092,
247 0x86860086, 0xafaf00af, 0x7c7c007c, 0x1f1f001f,
248 0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
249 0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d,
250 0xd9d900d9, 0x5a5a005a, 0x51510051, 0x6c6c006c,
251 0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
252 0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084,
253 0xdfdf00df, 0xcbcb00cb, 0x34340034, 0x76760076,
254 0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
255 0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011,
256 0x32320032, 0x9c9c009c, 0x53530053, 0xf2f200f2,
257 0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
258 0x24240024, 0xe8e800e8, 0x60600060, 0x69690069,
259 0xaaaa00aa, 0xa0a000a0, 0xa1a100a1, 0x62620062,
260 0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
261 0x10100010, 0x00000000, 0xa3a300a3, 0x75750075,
262 0x8a8a008a, 0xe6e600e6, 0x09090009, 0xdddd00dd,
263 0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
264 0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf,
265 0x52520052, 0xd8d800d8, 0xc8c800c8, 0xc6c600c6,
266 0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
267 0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc,
268 0x29290029, 0xf9f900f9, 0x2f2f002f, 0xb4b400b4,
269 0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
270 0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d,
271 0x72720072, 0xb9b900b9, 0xf8f800f8, 0xacac00ac,
272 0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
273 0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043,
274 0x15150015, 0xadad00ad, 0x77770077, 0x80800080,
275 0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
276 0x85850085, 0x35350035, 0x0c0c000c, 0x41410041,
277 0xefef00ef, 0x93930093, 0x19190019, 0x21210021,
278 0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
279 0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce,
280 0x30300030, 0x5f5f005f, 0xc5c500c5, 0x1a1a001a,
281 0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
282 0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d,
283 0x0d0d000d, 0x66660066, 0xcccc00cc, 0x2d2d002d,
284 0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
285 0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005,
286 0xb7b700b7, 0x31310031, 0x17170017, 0xd7d700d7,
287 0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
288 0x0f0f000f, 0x16160016, 0x18180018, 0x22220022,
289 0x44440044, 0xb2b200b2, 0xb5b500b5, 0x91910091,
290 0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
291 0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097,
292 0x5b5b005b, 0x95950095, 0xffff00ff, 0xd2d200d2,
293 0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
294 0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094,
295 0x5c5c005c, 0x02020002, 0x4a4a004a, 0x33330033,
296 0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
297 0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b,
298 0x96960096, 0x4b4b004b, 0xbebe00be, 0x2e2e002e,
299 0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
300 0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059,
301 0x98980098, 0x6a6a006a, 0x46460046, 0xbaba00ba,
302 0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
303 0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a,
304 0x49490049, 0x68680068, 0x38380038, 0xa4a400a4,
305 0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
306 0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e,
307};
308
309
310#define CAMELLIA_MIN_KEY_SIZE 16
311#define CAMELLIA_MAX_KEY_SIZE 32
312#define CAMELLIA_BLOCK_SIZE 16
313#define CAMELLIA_TABLE_BYTE_LEN 272
314
315/*
316 * NB: L and R below stand for 'left' and 'right' as in written numbers.
317 * That is, in (xxxL,xxxR) pair xxxL holds most significant digits,
318 * _not_ least significant ones!
319 */
320
321
322/* key constants */
323
324#define CAMELLIA_SIGMA1L (0xA09E667FL)
325#define CAMELLIA_SIGMA1R (0x3BCC908BL)
326#define CAMELLIA_SIGMA2L (0xB67AE858L)
327#define CAMELLIA_SIGMA2R (0x4CAA73B2L)
328#define CAMELLIA_SIGMA3L (0xC6EF372FL)
329#define CAMELLIA_SIGMA3R (0xE94F82BEL)
330#define CAMELLIA_SIGMA4L (0x54FF53A5L)
331#define CAMELLIA_SIGMA4R (0xF1D36F1CL)
332#define CAMELLIA_SIGMA5L (0x10E527FAL)
333#define CAMELLIA_SIGMA5R (0xDE682D1DL)
334#define CAMELLIA_SIGMA6L (0xB05688C2L)
335#define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
336
337/*
338 * macros
339 */
340#define ROLDQ(ll, lr, rl, rr, w0, w1, bits) ({ \
341 w0 = ll; \
342 ll = (ll << bits) + (lr >> (32 - bits)); \
343 lr = (lr << bits) + (rl >> (32 - bits)); \
344 rl = (rl << bits) + (rr >> (32 - bits)); \
345 rr = (rr << bits) + (w0 >> (32 - bits)); \
346})
347
348#define ROLDQo32(ll, lr, rl, rr, w0, w1, bits) ({ \
349 w0 = ll; \
350 w1 = lr; \
351 ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
352 lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
353 rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
354 rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
355})
356
357#define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) ({ \
358 il = xl ^ kl; \
359 ir = xr ^ kr; \
360 t0 = il >> 16; \
361 t1 = ir >> 16; \
362 yl = camellia_sp1110[(u8)(ir)] \
363 ^ camellia_sp0222[(u8)(t1 >> 8)] \
364 ^ camellia_sp3033[(u8)(t1)] \
365 ^ camellia_sp4404[(u8)(ir >> 8)]; \
366 yr = camellia_sp1110[(u8)(t0 >> 8)] \
367 ^ camellia_sp0222[(u8)(t0)] \
368 ^ camellia_sp3033[(u8)(il >> 8)] \
369 ^ camellia_sp4404[(u8)(il)]; \
370 yl ^= yr; \
371 yr = ror32(yr, 8); \
372 yr ^= yl; \
373})
374
375#define SUBKEY_L(INDEX) (subkey[(INDEX)*2])
376#define SUBKEY_R(INDEX) (subkey[(INDEX)*2 + 1])
377
378static void camellia_setup_tail(u32 *subkey, u32 *subL, u32 *subR, int max)
379{
380 u32 dw, tl, tr;
381 u32 kw4l, kw4r;
382
383 /* absorb kw2 to other subkeys */
384 /* round 2 */
385 subL[3] ^= subL[1]; subR[3] ^= subR[1];
386 /* round 4 */
387 subL[5] ^= subL[1]; subR[5] ^= subR[1];
388 /* round 6 */
389 subL[7] ^= subL[1]; subR[7] ^= subR[1];
390 subL[1] ^= subR[1] & ~subR[9];
391 dw = subL[1] & subL[9];
392 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl2) */
393 /* round 8 */
394 subL[11] ^= subL[1]; subR[11] ^= subR[1];
395 /* round 10 */
396 subL[13] ^= subL[1]; subR[13] ^= subR[1];
397 /* round 12 */
398 subL[15] ^= subL[1]; subR[15] ^= subR[1];
399 subL[1] ^= subR[1] & ~subR[17];
400 dw = subL[1] & subL[17];
401 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl4) */
402 /* round 14 */
403 subL[19] ^= subL[1]; subR[19] ^= subR[1];
404 /* round 16 */
405 subL[21] ^= subL[1]; subR[21] ^= subR[1];
406 /* round 18 */
407 subL[23] ^= subL[1]; subR[23] ^= subR[1];
408 if (max == 24) {
409 /* kw3 */
410 subL[24] ^= subL[1]; subR[24] ^= subR[1];
411
412 /* absorb kw4 to other subkeys */
413 kw4l = subL[25]; kw4r = subR[25];
414 } else {
415 subL[1] ^= subR[1] & ~subR[25];
416 dw = subL[1] & subL[25];
417 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl6) */
418 /* round 20 */
419 subL[27] ^= subL[1]; subR[27] ^= subR[1];
420 /* round 22 */
421 subL[29] ^= subL[1]; subR[29] ^= subR[1];
422 /* round 24 */
423 subL[31] ^= subL[1]; subR[31] ^= subR[1];
424 /* kw3 */
425 subL[32] ^= subL[1]; subR[32] ^= subR[1];
426
427 /* absorb kw4 to other subkeys */
428 kw4l = subL[33]; kw4r = subR[33];
429 /* round 23 */
430 subL[30] ^= kw4l; subR[30] ^= kw4r;
431 /* round 21 */
432 subL[28] ^= kw4l; subR[28] ^= kw4r;
433 /* round 19 */
434 subL[26] ^= kw4l; subR[26] ^= kw4r;
435 kw4l ^= kw4r & ~subR[24];
436 dw = kw4l & subL[24];
437 kw4r ^= rol32(dw, 1); /* modified for FL(kl5) */
438 }
439 /* round 17 */
440 subL[22] ^= kw4l; subR[22] ^= kw4r;
441 /* round 15 */
442 subL[20] ^= kw4l; subR[20] ^= kw4r;
443 /* round 13 */
444 subL[18] ^= kw4l; subR[18] ^= kw4r;
445 kw4l ^= kw4r & ~subR[16];
446 dw = kw4l & subL[16];
447 kw4r ^= rol32(dw, 1); /* modified for FL(kl3) */
448 /* round 11 */
449 subL[14] ^= kw4l; subR[14] ^= kw4r;
450 /* round 9 */
451 subL[12] ^= kw4l; subR[12] ^= kw4r;
452 /* round 7 */
453 subL[10] ^= kw4l; subR[10] ^= kw4r;
454 kw4l ^= kw4r & ~subR[8];
455 dw = kw4l & subL[8];
456 kw4r ^= rol32(dw, 1); /* modified for FL(kl1) */
457 /* round 5 */
458 subL[6] ^= kw4l; subR[6] ^= kw4r;
459 /* round 3 */
460 subL[4] ^= kw4l; subR[4] ^= kw4r;
461 /* round 1 */
462 subL[2] ^= kw4l; subR[2] ^= kw4r;
463 /* kw1 */
464 subL[0] ^= kw4l; subR[0] ^= kw4r;
465
466 /* key XOR is end of F-function */
467 SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
468 SUBKEY_R(0) = subR[0] ^ subR[2];
469 SUBKEY_L(2) = subL[3]; /* round 1 */
470 SUBKEY_R(2) = subR[3];
471 SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
472 SUBKEY_R(3) = subR[2] ^ subR[4];
473 SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
474 SUBKEY_R(4) = subR[3] ^ subR[5];
475 SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
476 SUBKEY_R(5) = subR[4] ^ subR[6];
477 SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
478 SUBKEY_R(6) = subR[5] ^ subR[7];
479 tl = subL[10] ^ (subR[10] & ~subR[8]);
480 dw = tl & subL[8]; /* FL(kl1) */
481 tr = subR[10] ^ rol32(dw, 1);
482 SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
483 SUBKEY_R(7) = subR[6] ^ tr;
484 SUBKEY_L(8) = subL[8]; /* FL(kl1) */
485 SUBKEY_R(8) = subR[8];
486 SUBKEY_L(9) = subL[9]; /* FLinv(kl2) */
487 SUBKEY_R(9) = subR[9];
488 tl = subL[7] ^ (subR[7] & ~subR[9]);
489 dw = tl & subL[9]; /* FLinv(kl2) */
490 tr = subR[7] ^ rol32(dw, 1);
491 SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
492 SUBKEY_R(10) = tr ^ subR[11];
493 SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
494 SUBKEY_R(11) = subR[10] ^ subR[12];
495 SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
496 SUBKEY_R(12) = subR[11] ^ subR[13];
497 SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
498 SUBKEY_R(13) = subR[12] ^ subR[14];
499 SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
500 SUBKEY_R(14) = subR[13] ^ subR[15];
501 tl = subL[18] ^ (subR[18] & ~subR[16]);
502 dw = tl & subL[16]; /* FL(kl3) */
503 tr = subR[18] ^ rol32(dw, 1);
504 SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
505 SUBKEY_R(15) = subR[14] ^ tr;
506 SUBKEY_L(16) = subL[16]; /* FL(kl3) */
507 SUBKEY_R(16) = subR[16];
508 SUBKEY_L(17) = subL[17]; /* FLinv(kl4) */
509 SUBKEY_R(17) = subR[17];
510 tl = subL[15] ^ (subR[15] & ~subR[17]);
511 dw = tl & subL[17]; /* FLinv(kl4) */
512 tr = subR[15] ^ rol32(dw, 1);
513 SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
514 SUBKEY_R(18) = tr ^ subR[19];
515 SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
516 SUBKEY_R(19) = subR[18] ^ subR[20];
517 SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
518 SUBKEY_R(20) = subR[19] ^ subR[21];
519 SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
520 SUBKEY_R(21) = subR[20] ^ subR[22];
521 SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
522 SUBKEY_R(22) = subR[21] ^ subR[23];
523 if (max == 24) {
524 SUBKEY_L(23) = subL[22]; /* round 18 */
525 SUBKEY_R(23) = subR[22];
526 SUBKEY_L(24) = subL[24] ^ subL[23]; /* kw3 */
527 SUBKEY_R(24) = subR[24] ^ subR[23];
528 } else {
529 tl = subL[26] ^ (subR[26] & ~subR[24]);
530 dw = tl & subL[24]; /* FL(kl5) */
531 tr = subR[26] ^ rol32(dw, 1);
532 SUBKEY_L(23) = subL[22] ^ tl; /* round 18 */
533 SUBKEY_R(23) = subR[22] ^ tr;
534 SUBKEY_L(24) = subL[24]; /* FL(kl5) */
535 SUBKEY_R(24) = subR[24];
536 SUBKEY_L(25) = subL[25]; /* FLinv(kl6) */
537 SUBKEY_R(25) = subR[25];
538 tl = subL[23] ^ (subR[23] & ~subR[25]);
539 dw = tl & subL[25]; /* FLinv(kl6) */
540 tr = subR[23] ^ rol32(dw, 1);
541 SUBKEY_L(26) = tl ^ subL[27]; /* round 19 */
542 SUBKEY_R(26) = tr ^ subR[27];
543 SUBKEY_L(27) = subL[26] ^ subL[28]; /* round 20 */
544 SUBKEY_R(27) = subR[26] ^ subR[28];
545 SUBKEY_L(28) = subL[27] ^ subL[29]; /* round 21 */
546 SUBKEY_R(28) = subR[27] ^ subR[29];
547 SUBKEY_L(29) = subL[28] ^ subL[30]; /* round 22 */
548 SUBKEY_R(29) = subR[28] ^ subR[30];
549 SUBKEY_L(30) = subL[29] ^ subL[31]; /* round 23 */
550 SUBKEY_R(30) = subR[29] ^ subR[31];
551 SUBKEY_L(31) = subL[30]; /* round 24 */
552 SUBKEY_R(31) = subR[30];
553 SUBKEY_L(32) = subL[32] ^ subL[31]; /* kw3 */
554 SUBKEY_R(32) = subR[32] ^ subR[31];
555 }
556}
557
558static void camellia_setup128(const unsigned char *key, u32 *subkey)
559{
560 u32 kll, klr, krl, krr;
561 u32 il, ir, t0, t1, w0, w1;
562 u32 subL[26];
563 u32 subR[26];
564
565 /**
566 * k == kll || klr || krl || krr (|| is concatenation)
567 */
568 kll = get_unaligned_be32(key);
569 klr = get_unaligned_be32(key + 4);
570 krl = get_unaligned_be32(key + 8);
571 krr = get_unaligned_be32(key + 12);
572
573 /* generate KL dependent subkeys */
574 /* kw1 */
575 subL[0] = kll; subR[0] = klr;
576 /* kw2 */
577 subL[1] = krl; subR[1] = krr;
578 /* rotation left shift 15bit */
579 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
580 /* k3 */
581 subL[4] = kll; subR[4] = klr;
582 /* k4 */
583 subL[5] = krl; subR[5] = krr;
584 /* rotation left shift 15+30bit */
585 ROLDQ(kll, klr, krl, krr, w0, w1, 30);
586 /* k7 */
587 subL[10] = kll; subR[10] = klr;
588 /* k8 */
589 subL[11] = krl; subR[11] = krr;
590 /* rotation left shift 15+30+15bit */
591 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
592 /* k10 */
593 subL[13] = krl; subR[13] = krr;
594 /* rotation left shift 15+30+15+17 bit */
595 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
596 /* kl3 */
597 subL[16] = kll; subR[16] = klr;
598 /* kl4 */
599 subL[17] = krl; subR[17] = krr;
600 /* rotation left shift 15+30+15+17+17 bit */
601 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
602 /* k13 */
603 subL[18] = kll; subR[18] = klr;
604 /* k14 */
605 subL[19] = krl; subR[19] = krr;
606 /* rotation left shift 15+30+15+17+17+17 bit */
607 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
608 /* k17 */
609 subL[22] = kll; subR[22] = klr;
610 /* k18 */
611 subL[23] = krl; subR[23] = krr;
612
613 /* generate KA */
614 kll = subL[0]; klr = subR[0];
615 krl = subL[1]; krr = subR[1];
616 CAMELLIA_F(kll, klr,
617 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
618 w0, w1, il, ir, t0, t1);
619 krl ^= w0; krr ^= w1;
620 CAMELLIA_F(krl, krr,
621 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
622 kll, klr, il, ir, t0, t1);
623 /* current status == (kll, klr, w0, w1) */
624 CAMELLIA_F(kll, klr,
625 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
626 krl, krr, il, ir, t0, t1);
627 krl ^= w0; krr ^= w1;
628 CAMELLIA_F(krl, krr,
629 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
630 w0, w1, il, ir, t0, t1);
631 kll ^= w0; klr ^= w1;
632
633 /* generate KA dependent subkeys */
634 /* k1, k2 */
635 subL[2] = kll; subR[2] = klr;
636 subL[3] = krl; subR[3] = krr;
637 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
638 /* k5,k6 */
639 subL[6] = kll; subR[6] = klr;
640 subL[7] = krl; subR[7] = krr;
641 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
642 /* kl1, kl2 */
643 subL[8] = kll; subR[8] = klr;
644 subL[9] = krl; subR[9] = krr;
645 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
646 /* k9 */
647 subL[12] = kll; subR[12] = klr;
648 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
649 /* k11, k12 */
650 subL[14] = kll; subR[14] = klr;
651 subL[15] = krl; subR[15] = krr;
652 ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
653 /* k15, k16 */
654 subL[20] = kll; subR[20] = klr;
655 subL[21] = krl; subR[21] = krr;
656 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
657 /* kw3, kw4 */
658 subL[24] = kll; subR[24] = klr;
659 subL[25] = krl; subR[25] = krr;
660
661 camellia_setup_tail(subkey, subL, subR, 24);
662}
663
664static void camellia_setup256(const unsigned char *key, u32 *subkey)
665{
666 u32 kll, klr, krl, krr; /* left half of key */
667 u32 krll, krlr, krrl, krrr; /* right half of key */
668 u32 il, ir, t0, t1, w0, w1; /* temporary variables */
669 u32 subL[34];
670 u32 subR[34];
671
672 /**
673 * key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
674 * (|| is concatenation)
675 */
676 kll = get_unaligned_be32(key);
677 klr = get_unaligned_be32(key + 4);
678 krl = get_unaligned_be32(key + 8);
679 krr = get_unaligned_be32(key + 12);
680 krll = get_unaligned_be32(key + 16);
681 krlr = get_unaligned_be32(key + 20);
682 krrl = get_unaligned_be32(key + 24);
683 krrr = get_unaligned_be32(key + 28);
684
685 /* generate KL dependent subkeys */
686 /* kw1 */
687 subL[0] = kll; subR[0] = klr;
688 /* kw2 */
689 subL[1] = krl; subR[1] = krr;
690 ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
691 /* k9 */
692 subL[12] = kll; subR[12] = klr;
693 /* k10 */
694 subL[13] = krl; subR[13] = krr;
695 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
696 /* kl3 */
697 subL[16] = kll; subR[16] = klr;
698 /* kl4 */
699 subL[17] = krl; subR[17] = krr;
700 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
701 /* k17 */
702 subL[22] = kll; subR[22] = klr;
703 /* k18 */
704 subL[23] = krl; subR[23] = krr;
705 ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
706 /* k23 */
707 subL[30] = kll; subR[30] = klr;
708 /* k24 */
709 subL[31] = krl; subR[31] = krr;
710
711 /* generate KR dependent subkeys */
712 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
713 /* k3 */
714 subL[4] = krll; subR[4] = krlr;
715 /* k4 */
716 subL[5] = krrl; subR[5] = krrr;
717 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
718 /* kl1 */
719 subL[8] = krll; subR[8] = krlr;
720 /* kl2 */
721 subL[9] = krrl; subR[9] = krrr;
722 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
723 /* k13 */
724 subL[18] = krll; subR[18] = krlr;
725 /* k14 */
726 subL[19] = krrl; subR[19] = krrr;
727 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
728 /* k19 */
729 subL[26] = krll; subR[26] = krlr;
730 /* k20 */
731 subL[27] = krrl; subR[27] = krrr;
732 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
733
734 /* generate KA */
735 kll = subL[0] ^ krll; klr = subR[0] ^ krlr;
736 krl = subL[1] ^ krrl; krr = subR[1] ^ krrr;
737 CAMELLIA_F(kll, klr,
738 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
739 w0, w1, il, ir, t0, t1);
740 krl ^= w0; krr ^= w1;
741 CAMELLIA_F(krl, krr,
742 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
743 kll, klr, il, ir, t0, t1);
744 kll ^= krll; klr ^= krlr;
745 CAMELLIA_F(kll, klr,
746 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
747 krl, krr, il, ir, t0, t1);
748 krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
749 CAMELLIA_F(krl, krr,
750 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
751 w0, w1, il, ir, t0, t1);
752 kll ^= w0; klr ^= w1;
753
754 /* generate KB */
755 krll ^= kll; krlr ^= klr;
756 krrl ^= krl; krrr ^= krr;
757 CAMELLIA_F(krll, krlr,
758 CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
759 w0, w1, il, ir, t0, t1);
760 krrl ^= w0; krrr ^= w1;
761 CAMELLIA_F(krrl, krrr,
762 CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
763 w0, w1, il, ir, t0, t1);
764 krll ^= w0; krlr ^= w1;
765
766 /* generate KA dependent subkeys */
767 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
768 /* k5 */
769 subL[6] = kll; subR[6] = klr;
770 /* k6 */
771 subL[7] = krl; subR[7] = krr;
772 ROLDQ(kll, klr, krl, krr, w0, w1, 30);
773 /* k11 */
774 subL[14] = kll; subR[14] = klr;
775 /* k12 */
776 subL[15] = krl; subR[15] = krr;
777 /* rotation left shift 32bit */
778 /* kl5 */
779 subL[24] = klr; subR[24] = krl;
780 /* kl6 */
781 subL[25] = krr; subR[25] = kll;
782 /* rotation left shift 49 from k11,k12 -> k21,k22 */
783 ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
784 /* k21 */
785 subL[28] = kll; subR[28] = klr;
786 /* k22 */
787 subL[29] = krl; subR[29] = krr;
788
789 /* generate KB dependent subkeys */
790 /* k1 */
791 subL[2] = krll; subR[2] = krlr;
792 /* k2 */
793 subL[3] = krrl; subR[3] = krrr;
794 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
795 /* k7 */
796 subL[10] = krll; subR[10] = krlr;
797 /* k8 */
798 subL[11] = krrl; subR[11] = krrr;
799 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
800 /* k15 */
801 subL[20] = krll; subR[20] = krlr;
802 /* k16 */
803 subL[21] = krrl; subR[21] = krrr;
804 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
805 /* kw3 */
806 subL[32] = krll; subR[32] = krlr;
807 /* kw4 */
808 subL[33] = krrl; subR[33] = krrr;
809
810 camellia_setup_tail(subkey, subL, subR, 32);
811}
812
813static void camellia_setup192(const unsigned char *key, u32 *subkey)
814{
815 unsigned char kk[32];
816 u32 krll, krlr, krrl, krrr;
817
818 memcpy(kk, key, 24);
819 memcpy((unsigned char *)&krll, key+16, 4);
820 memcpy((unsigned char *)&krlr, key+20, 4);
821 krrl = ~krll;
822 krrr = ~krlr;
823 memcpy(kk+24, (unsigned char *)&krrl, 4);
824 memcpy(kk+28, (unsigned char *)&krrr, 4);
825 camellia_setup256(kk, subkey);
826}
827
828
829/*
830 * Encrypt/decrypt
831 */
832#define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) ({ \
833 t0 = kll; \
834 t2 = krr; \
835 t0 &= ll; \
836 t2 |= rr; \
837 rl ^= t2; \
838 lr ^= rol32(t0, 1); \
839 t3 = krl; \
840 t1 = klr; \
841 t3 &= rl; \
842 t1 |= lr; \
843 ll ^= t1; \
844 rr ^= rol32(t3, 1); \
845})
846
847#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir) ({ \
848 yl ^= kl; \
849 yr ^= kr; \
850 ir = camellia_sp1110[(u8)xr]; \
851 il = camellia_sp1110[(u8)(xl >> 24)]; \
852 ir ^= camellia_sp0222[(u8)(xr >> 24)]; \
853 il ^= camellia_sp0222[(u8)(xl >> 16)]; \
854 ir ^= camellia_sp3033[(u8)(xr >> 16)]; \
855 il ^= camellia_sp3033[(u8)(xl >> 8)]; \
856 ir ^= camellia_sp4404[(u8)(xr >> 8)]; \
857 il ^= camellia_sp4404[(u8)xl]; \
858 ir ^= il; \
859 yl ^= ir; \
860 yr ^= ror32(il, 8) ^ ir; \
861})
862
863/* max = 24: 128bit encrypt, max = 32: 256bit encrypt */
864static void camellia_do_encrypt(const u32 *subkey, u32 *io, unsigned max)
865{
866 u32 il, ir, t0, t1; /* temporary variables */
867
868 /* pre whitening but absorb kw2 */
869 io[0] ^= SUBKEY_L(0);
870 io[1] ^= SUBKEY_R(0);
871
872 /* main iteration */
873#define ROUNDS(i) ({ \
874 CAMELLIA_ROUNDSM(io[0], io[1], \
875 SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
876 io[2], io[3], il, ir); \
877 CAMELLIA_ROUNDSM(io[2], io[3], \
878 SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
879 io[0], io[1], il, ir); \
880 CAMELLIA_ROUNDSM(io[0], io[1], \
881 SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
882 io[2], io[3], il, ir); \
883 CAMELLIA_ROUNDSM(io[2], io[3], \
884 SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
885 io[0], io[1], il, ir); \
886 CAMELLIA_ROUNDSM(io[0], io[1], \
887 SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
888 io[2], io[3], il, ir); \
889 CAMELLIA_ROUNDSM(io[2], io[3], \
890 SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
891 io[0], io[1], il, ir); \
892})
893#define FLS(i) ({ \
894 CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
895 SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
896 SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
897 t0, t1, il, ir); \
898})
899
900 ROUNDS(0);
901 FLS(8);
902 ROUNDS(8);
903 FLS(16);
904 ROUNDS(16);
905 if (max == 32) {
906 FLS(24);
907 ROUNDS(24);
908 }
909
910#undef ROUNDS
911#undef FLS
912
913 /* post whitening but kw4 */
914 io[2] ^= SUBKEY_L(max);
915 io[3] ^= SUBKEY_R(max);
916 /* NB: io[0],[1] should be swapped with [2],[3] by caller! */
917}
918
919static void camellia_do_decrypt(const u32 *subkey, u32 *io, unsigned i)
920{
921 u32 il, ir, t0, t1; /* temporary variables */
922
923 /* pre whitening but absorb kw2 */
924 io[0] ^= SUBKEY_L(i);
925 io[1] ^= SUBKEY_R(i);
926
927 /* main iteration */
928#define ROUNDS(i) ({ \
929 CAMELLIA_ROUNDSM(io[0], io[1], \
930 SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
931 io[2], io[3], il, ir); \
932 CAMELLIA_ROUNDSM(io[2], io[3], \
933 SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
934 io[0], io[1], il, ir); \
935 CAMELLIA_ROUNDSM(io[0], io[1], \
936 SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
937 io[2], io[3], il, ir); \
938 CAMELLIA_ROUNDSM(io[2], io[3], \
939 SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
940 io[0], io[1], il, ir); \
941 CAMELLIA_ROUNDSM(io[0], io[1], \
942 SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
943 io[2], io[3], il, ir); \
944 CAMELLIA_ROUNDSM(io[2], io[3], \
945 SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
946 io[0], io[1], il, ir); \
947})
948#define FLS(i) ({ \
949 CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
950 SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
951 SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
952 t0, t1, il, ir); \
953})
954
955 if (i == 32) {
956 ROUNDS(24);
957 FLS(24);
958 }
959 ROUNDS(16);
960 FLS(16);
961 ROUNDS(8);
962 FLS(8);
963 ROUNDS(0);
964
965#undef ROUNDS
966#undef FLS
967
968 /* post whitening but kw4 */
969 io[2] ^= SUBKEY_L(0);
970 io[3] ^= SUBKEY_R(0);
971 /* NB: 0,1 should be swapped with 2,3 by caller! */
972}
973
974
975struct camellia_ctx {
976 int key_length;
977 u32 key_table[CAMELLIA_TABLE_BYTE_LEN / sizeof(u32)];
978};
979
980static int
981camellia_set_key(struct crypto_tfm *tfm, const u8 *in_key,
982 unsigned int key_len)
983{
984 struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
985 const unsigned char *key = (const unsigned char *)in_key;
986 u32 *flags = &tfm->crt_flags;
987
988 if (key_len != 16 && key_len != 24 && key_len != 32) {
989 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
990 return -EINVAL;
991 }
992
993 cctx->key_length = key_len;
994
995 switch (key_len) {
996 case 16:
997 camellia_setup128(key, cctx->key_table);
998 break;
999 case 24:
1000 camellia_setup192(key, cctx->key_table);
1001 break;
1002 case 32:
1003 camellia_setup256(key, cctx->key_table);
1004 break;
1005 }
1006
1007 return 0;
1008}
1009
1010static void camellia_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1011{
1012 const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1013 const __be32 *src = (const __be32 *)in;
1014 __be32 *dst = (__be32 *)out;
1015 unsigned int max;
1016
1017 u32 tmp[4];
1018
1019 tmp[0] = be32_to_cpu(src[0]);
1020 tmp[1] = be32_to_cpu(src[1]);
1021 tmp[2] = be32_to_cpu(src[2]);
1022 tmp[3] = be32_to_cpu(src[3]);
1023
1024 if (cctx->key_length == 16)
1025 max = 24;
1026 else
1027 max = 32; /* for key lengths of 24 and 32 */
1028
1029 camellia_do_encrypt(cctx->key_table, tmp, max);
1030
1031 /* do_encrypt returns 0,1 swapped with 2,3 */
1032 dst[0] = cpu_to_be32(tmp[2]);
1033 dst[1] = cpu_to_be32(tmp[3]);
1034 dst[2] = cpu_to_be32(tmp[0]);
1035 dst[3] = cpu_to_be32(tmp[1]);
1036}
1037
1038static void camellia_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1039{
1040 const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1041 const __be32 *src = (const __be32 *)in;
1042 __be32 *dst = (__be32 *)out;
1043 unsigned int max;
1044
1045 u32 tmp[4];
1046
1047 tmp[0] = be32_to_cpu(src[0]);
1048 tmp[1] = be32_to_cpu(src[1]);
1049 tmp[2] = be32_to_cpu(src[2]);
1050 tmp[3] = be32_to_cpu(src[3]);
1051
1052 if (cctx->key_length == 16)
1053 max = 24;
1054 else
1055 max = 32; /* for key lengths of 24 and 32 */
1056
1057 camellia_do_decrypt(cctx->key_table, tmp, max);
1058
1059 /* do_decrypt returns 0,1 swapped with 2,3 */
1060 dst[0] = cpu_to_be32(tmp[2]);
1061 dst[1] = cpu_to_be32(tmp[3]);
1062 dst[2] = cpu_to_be32(tmp[0]);
1063 dst[3] = cpu_to_be32(tmp[1]);
1064}
1065
1066static struct crypto_alg camellia_alg = {
1067 .cra_name = "camellia",
1068 .cra_driver_name = "camellia-generic",
1069 .cra_priority = 100,
1070 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
1071 .cra_blocksize = CAMELLIA_BLOCK_SIZE,
1072 .cra_ctxsize = sizeof(struct camellia_ctx),
1073 .cra_alignmask = 3,
1074 .cra_module = THIS_MODULE,
1075 .cra_u = {
1076 .cipher = {
1077 .cia_min_keysize = CAMELLIA_MIN_KEY_SIZE,
1078 .cia_max_keysize = CAMELLIA_MAX_KEY_SIZE,
1079 .cia_setkey = camellia_set_key,
1080 .cia_encrypt = camellia_encrypt,
1081 .cia_decrypt = camellia_decrypt
1082 }
1083 }
1084};
1085
1086static int __init camellia_init(void)
1087{
1088 return crypto_register_alg(&camellia_alg);
1089}
1090
1091static void __exit camellia_fini(void)
1092{
1093 crypto_unregister_alg(&camellia_alg);
1094}
1095
1096module_init(camellia_init);
1097module_exit(camellia_fini);
1098
1099MODULE_DESCRIPTION("Camellia Cipher Algorithm");
1100MODULE_LICENSE("GPL");
1101MODULE_ALIAS_CRYPTO("camellia");
1102MODULE_ALIAS_CRYPTO("camellia-generic");
1/*
2 * Copyright (C) 2006
3 * NTT (Nippon Telegraph and Telephone Corporation).
4 *
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version 2
8 * of the License, or (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
17 */
18
19/*
20 * Algorithm Specification
21 * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
22 */
23
24/*
25 *
26 * NOTE --- NOTE --- NOTE --- NOTE
27 * This implementation assumes that all memory addresses passed
28 * as parameters are four-byte aligned.
29 *
30 */
31
32#include <linux/crypto.h>
33#include <linux/errno.h>
34#include <linux/init.h>
35#include <linux/kernel.h>
36#include <linux/module.h>
37#include <linux/bitops.h>
38#include <asm/unaligned.h>
39
40static const u32 camellia_sp1110[256] = {
41 0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00,
42 0xb3b3b300, 0x27272700, 0xc0c0c000, 0xe5e5e500,
43 0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
44 0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100,
45 0x23232300, 0xefefef00, 0x6b6b6b00, 0x93939300,
46 0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
47 0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00,
48 0x1d1d1d00, 0x65656500, 0x92929200, 0xbdbdbd00,
49 0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
50 0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00,
51 0x3e3e3e00, 0x30303000, 0xdcdcdc00, 0x5f5f5f00,
52 0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
53 0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00,
54 0xd5d5d500, 0x47474700, 0x5d5d5d00, 0x3d3d3d00,
55 0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
56 0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00,
57 0x8b8b8b00, 0x0d0d0d00, 0x9a9a9a00, 0x66666600,
58 0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
59 0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000,
60 0xf0f0f000, 0xb1b1b100, 0x84848400, 0x99999900,
61 0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
62 0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500,
63 0x6d6d6d00, 0xb7b7b700, 0xa9a9a900, 0x31313100,
64 0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
65 0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100,
66 0xdedede00, 0x1b1b1b00, 0x11111100, 0x1c1c1c00,
67 0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
68 0x53535300, 0x18181800, 0xf2f2f200, 0x22222200,
69 0xfefefe00, 0x44444400, 0xcfcfcf00, 0xb2b2b200,
70 0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
71 0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800,
72 0x60606000, 0xfcfcfc00, 0x69696900, 0x50505000,
73 0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
74 0xa1a1a100, 0x89898900, 0x62626200, 0x97979700,
75 0x54545400, 0x5b5b5b00, 0x1e1e1e00, 0x95959500,
76 0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
77 0x10101000, 0xc4c4c400, 0x00000000, 0x48484800,
78 0xa3a3a300, 0xf7f7f700, 0x75757500, 0xdbdbdb00,
79 0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
80 0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400,
81 0x87878700, 0x5c5c5c00, 0x83838300, 0x02020200,
82 0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
83 0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300,
84 0x9d9d9d00, 0x7f7f7f00, 0xbfbfbf00, 0xe2e2e200,
85 0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
86 0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00,
87 0x81818100, 0x96969600, 0x6f6f6f00, 0x4b4b4b00,
88 0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
89 0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00,
90 0x9f9f9f00, 0x6e6e6e00, 0xbcbcbc00, 0x8e8e8e00,
91 0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
92 0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900,
93 0x78787800, 0x98989800, 0x06060600, 0x6a6a6a00,
94 0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
95 0xd4d4d400, 0x25252500, 0xababab00, 0x42424200,
96 0x88888800, 0xa2a2a200, 0x8d8d8d00, 0xfafafa00,
97 0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
98 0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00,
99 0x36363600, 0x49494900, 0x2a2a2a00, 0x68686800,
100 0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
101 0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00,
102 0xbbbbbb00, 0xc9c9c900, 0x43434300, 0xc1c1c100,
103 0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
104 0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00,
105};
106
107static const u32 camellia_sp0222[256] = {
108 0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9,
109 0x00676767, 0x004e4e4e, 0x00818181, 0x00cbcbcb,
110 0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
111 0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282,
112 0x00464646, 0x00dfdfdf, 0x00d6d6d6, 0x00272727,
113 0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
114 0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c,
115 0x003a3a3a, 0x00cacaca, 0x00252525, 0x007b7b7b,
116 0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
117 0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d,
118 0x007c7c7c, 0x00606060, 0x00b9b9b9, 0x00bebebe,
119 0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
120 0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595,
121 0x00ababab, 0x008e8e8e, 0x00bababa, 0x007a7a7a,
122 0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
123 0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a,
124 0x00171717, 0x001a1a1a, 0x00353535, 0x00cccccc,
125 0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
126 0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040,
127 0x00e1e1e1, 0x00636363, 0x00090909, 0x00333333,
128 0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
129 0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a,
130 0x00dadada, 0x006f6f6f, 0x00535353, 0x00626262,
131 0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
132 0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2,
133 0x00bdbdbd, 0x00363636, 0x00222222, 0x00383838,
134 0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
135 0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444,
136 0x00fdfdfd, 0x00888888, 0x009f9f9f, 0x00656565,
137 0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
138 0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151,
139 0x00c0c0c0, 0x00f9f9f9, 0x00d2d2d2, 0x00a0a0a0,
140 0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
141 0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f,
142 0x00a8a8a8, 0x00b6b6b6, 0x003c3c3c, 0x002b2b2b,
143 0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
144 0x00202020, 0x00898989, 0x00000000, 0x00909090,
145 0x00474747, 0x00efefef, 0x00eaeaea, 0x00b7b7b7,
146 0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
147 0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929,
148 0x000f0f0f, 0x00b8b8b8, 0x00070707, 0x00040404,
149 0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
150 0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7,
151 0x003b3b3b, 0x00fefefe, 0x007f7f7f, 0x00c5c5c5,
152 0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
153 0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676,
154 0x00030303, 0x002d2d2d, 0x00dedede, 0x00969696,
155 0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
156 0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919,
157 0x003f3f3f, 0x00dcdcdc, 0x00797979, 0x001d1d1d,
158 0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
159 0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2,
160 0x00f0f0f0, 0x00313131, 0x000c0c0c, 0x00d4d4d4,
161 0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
162 0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484,
163 0x00111111, 0x00454545, 0x001b1b1b, 0x00f5f5f5,
164 0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
165 0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414,
166 0x006c6c6c, 0x00929292, 0x00545454, 0x00d0d0d0,
167 0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
168 0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6,
169 0x00777777, 0x00939393, 0x00868686, 0x00838383,
170 0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
171 0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d,
172};
173
174static const u32 camellia_sp3033[256] = {
175 0x38003838, 0x41004141, 0x16001616, 0x76007676,
176 0xd900d9d9, 0x93009393, 0x60006060, 0xf200f2f2,
177 0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
178 0x75007575, 0x06000606, 0x57005757, 0xa000a0a0,
179 0x91009191, 0xf700f7f7, 0xb500b5b5, 0xc900c9c9,
180 0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
181 0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727,
182 0x8e008e8e, 0xb200b2b2, 0x49004949, 0xde00dede,
183 0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
184 0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767,
185 0x1f001f1f, 0x18001818, 0x6e006e6e, 0xaf00afaf,
186 0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
187 0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565,
188 0xea00eaea, 0xa300a3a3, 0xae00aeae, 0x9e009e9e,
189 0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
190 0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6,
191 0xc500c5c5, 0x86008686, 0x4d004d4d, 0x33003333,
192 0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
193 0x3a003a3a, 0x09000909, 0x95009595, 0x10001010,
194 0x78007878, 0xd800d8d8, 0x42004242, 0xcc00cccc,
195 0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
196 0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282,
197 0xb600b6b6, 0xdb00dbdb, 0xd400d4d4, 0x98009898,
198 0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
199 0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0,
200 0x6f006f6f, 0x8d008d8d, 0x88008888, 0x0e000e0e,
201 0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
202 0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111,
203 0x7f007f7f, 0x22002222, 0xe700e7e7, 0x59005959,
204 0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
205 0x12001212, 0x04000404, 0x74007474, 0x54005454,
206 0x30003030, 0x7e007e7e, 0xb400b4b4, 0x28002828,
207 0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
208 0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb,
209 0x2a002a2a, 0xad00adad, 0x0f000f0f, 0xca00caca,
210 0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
211 0x08000808, 0x62006262, 0x00000000, 0x24002424,
212 0xd100d1d1, 0xfb00fbfb, 0xba00baba, 0xed00eded,
213 0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
214 0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a,
215 0xc300c3c3, 0x2e002e2e, 0xc100c1c1, 0x01000101,
216 0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
217 0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9,
218 0xce00cece, 0xbf00bfbf, 0xdf00dfdf, 0x71007171,
219 0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
220 0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d,
221 0xc000c0c0, 0x4b004b4b, 0xb700b7b7, 0xa500a5a5,
222 0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
223 0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646,
224 0xcf00cfcf, 0x37003737, 0x5e005e5e, 0x47004747,
225 0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
226 0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac,
227 0x3c003c3c, 0x4c004c4c, 0x03000303, 0x35003535,
228 0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
229 0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121,
230 0x44004444, 0x51005151, 0xc600c6c6, 0x7d007d7d,
231 0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
232 0x7c007c7c, 0x77007777, 0x56005656, 0x05000505,
233 0x1b001b1b, 0xa400a4a4, 0x15001515, 0x34003434,
234 0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
235 0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd,
236 0xdd00dddd, 0xe400e4e4, 0xa100a1a1, 0xe000e0e0,
237 0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
238 0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f,
239};
240
241static const u32 camellia_sp4404[256] = {
242 0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0,
243 0xe4e400e4, 0x57570057, 0xeaea00ea, 0xaeae00ae,
244 0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
245 0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092,
246 0x86860086, 0xafaf00af, 0x7c7c007c, 0x1f1f001f,
247 0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
248 0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d,
249 0xd9d900d9, 0x5a5a005a, 0x51510051, 0x6c6c006c,
250 0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
251 0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084,
252 0xdfdf00df, 0xcbcb00cb, 0x34340034, 0x76760076,
253 0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
254 0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011,
255 0x32320032, 0x9c9c009c, 0x53530053, 0xf2f200f2,
256 0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
257 0x24240024, 0xe8e800e8, 0x60600060, 0x69690069,
258 0xaaaa00aa, 0xa0a000a0, 0xa1a100a1, 0x62620062,
259 0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
260 0x10100010, 0x00000000, 0xa3a300a3, 0x75750075,
261 0x8a8a008a, 0xe6e600e6, 0x09090009, 0xdddd00dd,
262 0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
263 0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf,
264 0x52520052, 0xd8d800d8, 0xc8c800c8, 0xc6c600c6,
265 0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
266 0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc,
267 0x29290029, 0xf9f900f9, 0x2f2f002f, 0xb4b400b4,
268 0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
269 0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d,
270 0x72720072, 0xb9b900b9, 0xf8f800f8, 0xacac00ac,
271 0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
272 0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043,
273 0x15150015, 0xadad00ad, 0x77770077, 0x80800080,
274 0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
275 0x85850085, 0x35350035, 0x0c0c000c, 0x41410041,
276 0xefef00ef, 0x93930093, 0x19190019, 0x21210021,
277 0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
278 0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce,
279 0x30300030, 0x5f5f005f, 0xc5c500c5, 0x1a1a001a,
280 0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
281 0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d,
282 0x0d0d000d, 0x66660066, 0xcccc00cc, 0x2d2d002d,
283 0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
284 0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005,
285 0xb7b700b7, 0x31310031, 0x17170017, 0xd7d700d7,
286 0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
287 0x0f0f000f, 0x16160016, 0x18180018, 0x22220022,
288 0x44440044, 0xb2b200b2, 0xb5b500b5, 0x91910091,
289 0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
290 0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097,
291 0x5b5b005b, 0x95950095, 0xffff00ff, 0xd2d200d2,
292 0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
293 0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094,
294 0x5c5c005c, 0x02020002, 0x4a4a004a, 0x33330033,
295 0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
296 0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b,
297 0x96960096, 0x4b4b004b, 0xbebe00be, 0x2e2e002e,
298 0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
299 0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059,
300 0x98980098, 0x6a6a006a, 0x46460046, 0xbaba00ba,
301 0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
302 0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a,
303 0x49490049, 0x68680068, 0x38380038, 0xa4a400a4,
304 0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
305 0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e,
306};
307
308
309#define CAMELLIA_MIN_KEY_SIZE 16
310#define CAMELLIA_MAX_KEY_SIZE 32
311#define CAMELLIA_BLOCK_SIZE 16
312#define CAMELLIA_TABLE_BYTE_LEN 272
313
314/*
315 * NB: L and R below stand for 'left' and 'right' as in written numbers.
316 * That is, in (xxxL,xxxR) pair xxxL holds most significant digits,
317 * _not_ least significant ones!
318 */
319
320
321/* key constants */
322
323#define CAMELLIA_SIGMA1L (0xA09E667FL)
324#define CAMELLIA_SIGMA1R (0x3BCC908BL)
325#define CAMELLIA_SIGMA2L (0xB67AE858L)
326#define CAMELLIA_SIGMA2R (0x4CAA73B2L)
327#define CAMELLIA_SIGMA3L (0xC6EF372FL)
328#define CAMELLIA_SIGMA3R (0xE94F82BEL)
329#define CAMELLIA_SIGMA4L (0x54FF53A5L)
330#define CAMELLIA_SIGMA4R (0xF1D36F1CL)
331#define CAMELLIA_SIGMA5L (0x10E527FAL)
332#define CAMELLIA_SIGMA5R (0xDE682D1DL)
333#define CAMELLIA_SIGMA6L (0xB05688C2L)
334#define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
335
336/*
337 * macros
338 */
339#define ROLDQ(ll, lr, rl, rr, w0, w1, bits) ({ \
340 w0 = ll; \
341 ll = (ll << bits) + (lr >> (32 - bits)); \
342 lr = (lr << bits) + (rl >> (32 - bits)); \
343 rl = (rl << bits) + (rr >> (32 - bits)); \
344 rr = (rr << bits) + (w0 >> (32 - bits)); \
345})
346
347#define ROLDQo32(ll, lr, rl, rr, w0, w1, bits) ({ \
348 w0 = ll; \
349 w1 = lr; \
350 ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
351 lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
352 rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
353 rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
354})
355
356#define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) ({ \
357 il = xl ^ kl; \
358 ir = xr ^ kr; \
359 t0 = il >> 16; \
360 t1 = ir >> 16; \
361 yl = camellia_sp1110[(u8)(ir)] \
362 ^ camellia_sp0222[(u8)(t1 >> 8)] \
363 ^ camellia_sp3033[(u8)(t1)] \
364 ^ camellia_sp4404[(u8)(ir >> 8)]; \
365 yr = camellia_sp1110[(u8)(t0 >> 8)] \
366 ^ camellia_sp0222[(u8)(t0)] \
367 ^ camellia_sp3033[(u8)(il >> 8)] \
368 ^ camellia_sp4404[(u8)(il)]; \
369 yl ^= yr; \
370 yr = ror32(yr, 8); \
371 yr ^= yl; \
372})
373
374#define SUBKEY_L(INDEX) (subkey[(INDEX)*2])
375#define SUBKEY_R(INDEX) (subkey[(INDEX)*2 + 1])
376
377static void camellia_setup_tail(u32 *subkey, u32 *subL, u32 *subR, int max)
378{
379 u32 dw, tl, tr;
380 u32 kw4l, kw4r;
381
382 /* absorb kw2 to other subkeys */
383 /* round 2 */
384 subL[3] ^= subL[1]; subR[3] ^= subR[1];
385 /* round 4 */
386 subL[5] ^= subL[1]; subR[5] ^= subR[1];
387 /* round 6 */
388 subL[7] ^= subL[1]; subR[7] ^= subR[1];
389 subL[1] ^= subR[1] & ~subR[9];
390 dw = subL[1] & subL[9];
391 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl2) */
392 /* round 8 */
393 subL[11] ^= subL[1]; subR[11] ^= subR[1];
394 /* round 10 */
395 subL[13] ^= subL[1]; subR[13] ^= subR[1];
396 /* round 12 */
397 subL[15] ^= subL[1]; subR[15] ^= subR[1];
398 subL[1] ^= subR[1] & ~subR[17];
399 dw = subL[1] & subL[17];
400 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl4) */
401 /* round 14 */
402 subL[19] ^= subL[1]; subR[19] ^= subR[1];
403 /* round 16 */
404 subL[21] ^= subL[1]; subR[21] ^= subR[1];
405 /* round 18 */
406 subL[23] ^= subL[1]; subR[23] ^= subR[1];
407 if (max == 24) {
408 /* kw3 */
409 subL[24] ^= subL[1]; subR[24] ^= subR[1];
410
411 /* absorb kw4 to other subkeys */
412 kw4l = subL[25]; kw4r = subR[25];
413 } else {
414 subL[1] ^= subR[1] & ~subR[25];
415 dw = subL[1] & subL[25];
416 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl6) */
417 /* round 20 */
418 subL[27] ^= subL[1]; subR[27] ^= subR[1];
419 /* round 22 */
420 subL[29] ^= subL[1]; subR[29] ^= subR[1];
421 /* round 24 */
422 subL[31] ^= subL[1]; subR[31] ^= subR[1];
423 /* kw3 */
424 subL[32] ^= subL[1]; subR[32] ^= subR[1];
425
426 /* absorb kw4 to other subkeys */
427 kw4l = subL[33]; kw4r = subR[33];
428 /* round 23 */
429 subL[30] ^= kw4l; subR[30] ^= kw4r;
430 /* round 21 */
431 subL[28] ^= kw4l; subR[28] ^= kw4r;
432 /* round 19 */
433 subL[26] ^= kw4l; subR[26] ^= kw4r;
434 kw4l ^= kw4r & ~subR[24];
435 dw = kw4l & subL[24];
436 kw4r ^= rol32(dw, 1); /* modified for FL(kl5) */
437 }
438 /* round 17 */
439 subL[22] ^= kw4l; subR[22] ^= kw4r;
440 /* round 15 */
441 subL[20] ^= kw4l; subR[20] ^= kw4r;
442 /* round 13 */
443 subL[18] ^= kw4l; subR[18] ^= kw4r;
444 kw4l ^= kw4r & ~subR[16];
445 dw = kw4l & subL[16];
446 kw4r ^= rol32(dw, 1); /* modified for FL(kl3) */
447 /* round 11 */
448 subL[14] ^= kw4l; subR[14] ^= kw4r;
449 /* round 9 */
450 subL[12] ^= kw4l; subR[12] ^= kw4r;
451 /* round 7 */
452 subL[10] ^= kw4l; subR[10] ^= kw4r;
453 kw4l ^= kw4r & ~subR[8];
454 dw = kw4l & subL[8];
455 kw4r ^= rol32(dw, 1); /* modified for FL(kl1) */
456 /* round 5 */
457 subL[6] ^= kw4l; subR[6] ^= kw4r;
458 /* round 3 */
459 subL[4] ^= kw4l; subR[4] ^= kw4r;
460 /* round 1 */
461 subL[2] ^= kw4l; subR[2] ^= kw4r;
462 /* kw1 */
463 subL[0] ^= kw4l; subR[0] ^= kw4r;
464
465 /* key XOR is end of F-function */
466 SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
467 SUBKEY_R(0) = subR[0] ^ subR[2];
468 SUBKEY_L(2) = subL[3]; /* round 1 */
469 SUBKEY_R(2) = subR[3];
470 SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
471 SUBKEY_R(3) = subR[2] ^ subR[4];
472 SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
473 SUBKEY_R(4) = subR[3] ^ subR[5];
474 SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
475 SUBKEY_R(5) = subR[4] ^ subR[6];
476 SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
477 SUBKEY_R(6) = subR[5] ^ subR[7];
478 tl = subL[10] ^ (subR[10] & ~subR[8]);
479 dw = tl & subL[8]; /* FL(kl1) */
480 tr = subR[10] ^ rol32(dw, 1);
481 SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
482 SUBKEY_R(7) = subR[6] ^ tr;
483 SUBKEY_L(8) = subL[8]; /* FL(kl1) */
484 SUBKEY_R(8) = subR[8];
485 SUBKEY_L(9) = subL[9]; /* FLinv(kl2) */
486 SUBKEY_R(9) = subR[9];
487 tl = subL[7] ^ (subR[7] & ~subR[9]);
488 dw = tl & subL[9]; /* FLinv(kl2) */
489 tr = subR[7] ^ rol32(dw, 1);
490 SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
491 SUBKEY_R(10) = tr ^ subR[11];
492 SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
493 SUBKEY_R(11) = subR[10] ^ subR[12];
494 SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
495 SUBKEY_R(12) = subR[11] ^ subR[13];
496 SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
497 SUBKEY_R(13) = subR[12] ^ subR[14];
498 SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
499 SUBKEY_R(14) = subR[13] ^ subR[15];
500 tl = subL[18] ^ (subR[18] & ~subR[16]);
501 dw = tl & subL[16]; /* FL(kl3) */
502 tr = subR[18] ^ rol32(dw, 1);
503 SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
504 SUBKEY_R(15) = subR[14] ^ tr;
505 SUBKEY_L(16) = subL[16]; /* FL(kl3) */
506 SUBKEY_R(16) = subR[16];
507 SUBKEY_L(17) = subL[17]; /* FLinv(kl4) */
508 SUBKEY_R(17) = subR[17];
509 tl = subL[15] ^ (subR[15] & ~subR[17]);
510 dw = tl & subL[17]; /* FLinv(kl4) */
511 tr = subR[15] ^ rol32(dw, 1);
512 SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
513 SUBKEY_R(18) = tr ^ subR[19];
514 SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
515 SUBKEY_R(19) = subR[18] ^ subR[20];
516 SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
517 SUBKEY_R(20) = subR[19] ^ subR[21];
518 SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
519 SUBKEY_R(21) = subR[20] ^ subR[22];
520 SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
521 SUBKEY_R(22) = subR[21] ^ subR[23];
522 if (max == 24) {
523 SUBKEY_L(23) = subL[22]; /* round 18 */
524 SUBKEY_R(23) = subR[22];
525 SUBKEY_L(24) = subL[24] ^ subL[23]; /* kw3 */
526 SUBKEY_R(24) = subR[24] ^ subR[23];
527 } else {
528 tl = subL[26] ^ (subR[26] & ~subR[24]);
529 dw = tl & subL[24]; /* FL(kl5) */
530 tr = subR[26] ^ rol32(dw, 1);
531 SUBKEY_L(23) = subL[22] ^ tl; /* round 18 */
532 SUBKEY_R(23) = subR[22] ^ tr;
533 SUBKEY_L(24) = subL[24]; /* FL(kl5) */
534 SUBKEY_R(24) = subR[24];
535 SUBKEY_L(25) = subL[25]; /* FLinv(kl6) */
536 SUBKEY_R(25) = subR[25];
537 tl = subL[23] ^ (subR[23] & ~subR[25]);
538 dw = tl & subL[25]; /* FLinv(kl6) */
539 tr = subR[23] ^ rol32(dw, 1);
540 SUBKEY_L(26) = tl ^ subL[27]; /* round 19 */
541 SUBKEY_R(26) = tr ^ subR[27];
542 SUBKEY_L(27) = subL[26] ^ subL[28]; /* round 20 */
543 SUBKEY_R(27) = subR[26] ^ subR[28];
544 SUBKEY_L(28) = subL[27] ^ subL[29]; /* round 21 */
545 SUBKEY_R(28) = subR[27] ^ subR[29];
546 SUBKEY_L(29) = subL[28] ^ subL[30]; /* round 22 */
547 SUBKEY_R(29) = subR[28] ^ subR[30];
548 SUBKEY_L(30) = subL[29] ^ subL[31]; /* round 23 */
549 SUBKEY_R(30) = subR[29] ^ subR[31];
550 SUBKEY_L(31) = subL[30]; /* round 24 */
551 SUBKEY_R(31) = subR[30];
552 SUBKEY_L(32) = subL[32] ^ subL[31]; /* kw3 */
553 SUBKEY_R(32) = subR[32] ^ subR[31];
554 }
555}
556
557static void camellia_setup128(const unsigned char *key, u32 *subkey)
558{
559 u32 kll, klr, krl, krr;
560 u32 il, ir, t0, t1, w0, w1;
561 u32 subL[26];
562 u32 subR[26];
563
564 /**
565 * k == kll || klr || krl || krr (|| is concatenation)
566 */
567 kll = get_unaligned_be32(key);
568 klr = get_unaligned_be32(key + 4);
569 krl = get_unaligned_be32(key + 8);
570 krr = get_unaligned_be32(key + 12);
571
572 /* generate KL dependent subkeys */
573 /* kw1 */
574 subL[0] = kll; subR[0] = klr;
575 /* kw2 */
576 subL[1] = krl; subR[1] = krr;
577 /* rotation left shift 15bit */
578 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
579 /* k3 */
580 subL[4] = kll; subR[4] = klr;
581 /* k4 */
582 subL[5] = krl; subR[5] = krr;
583 /* rotation left shift 15+30bit */
584 ROLDQ(kll, klr, krl, krr, w0, w1, 30);
585 /* k7 */
586 subL[10] = kll; subR[10] = klr;
587 /* k8 */
588 subL[11] = krl; subR[11] = krr;
589 /* rotation left shift 15+30+15bit */
590 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
591 /* k10 */
592 subL[13] = krl; subR[13] = krr;
593 /* rotation left shift 15+30+15+17 bit */
594 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
595 /* kl3 */
596 subL[16] = kll; subR[16] = klr;
597 /* kl4 */
598 subL[17] = krl; subR[17] = krr;
599 /* rotation left shift 15+30+15+17+17 bit */
600 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
601 /* k13 */
602 subL[18] = kll; subR[18] = klr;
603 /* k14 */
604 subL[19] = krl; subR[19] = krr;
605 /* rotation left shift 15+30+15+17+17+17 bit */
606 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
607 /* k17 */
608 subL[22] = kll; subR[22] = klr;
609 /* k18 */
610 subL[23] = krl; subR[23] = krr;
611
612 /* generate KA */
613 kll = subL[0]; klr = subR[0];
614 krl = subL[1]; krr = subR[1];
615 CAMELLIA_F(kll, klr,
616 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
617 w0, w1, il, ir, t0, t1);
618 krl ^= w0; krr ^= w1;
619 CAMELLIA_F(krl, krr,
620 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
621 kll, klr, il, ir, t0, t1);
622 /* current status == (kll, klr, w0, w1) */
623 CAMELLIA_F(kll, klr,
624 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
625 krl, krr, il, ir, t0, t1);
626 krl ^= w0; krr ^= w1;
627 CAMELLIA_F(krl, krr,
628 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
629 w0, w1, il, ir, t0, t1);
630 kll ^= w0; klr ^= w1;
631
632 /* generate KA dependent subkeys */
633 /* k1, k2 */
634 subL[2] = kll; subR[2] = klr;
635 subL[3] = krl; subR[3] = krr;
636 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
637 /* k5,k6 */
638 subL[6] = kll; subR[6] = klr;
639 subL[7] = krl; subR[7] = krr;
640 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
641 /* kl1, kl2 */
642 subL[8] = kll; subR[8] = klr;
643 subL[9] = krl; subR[9] = krr;
644 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
645 /* k9 */
646 subL[12] = kll; subR[12] = klr;
647 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
648 /* k11, k12 */
649 subL[14] = kll; subR[14] = klr;
650 subL[15] = krl; subR[15] = krr;
651 ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
652 /* k15, k16 */
653 subL[20] = kll; subR[20] = klr;
654 subL[21] = krl; subR[21] = krr;
655 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
656 /* kw3, kw4 */
657 subL[24] = kll; subR[24] = klr;
658 subL[25] = krl; subR[25] = krr;
659
660 camellia_setup_tail(subkey, subL, subR, 24);
661}
662
663static void camellia_setup256(const unsigned char *key, u32 *subkey)
664{
665 u32 kll, klr, krl, krr; /* left half of key */
666 u32 krll, krlr, krrl, krrr; /* right half of key */
667 u32 il, ir, t0, t1, w0, w1; /* temporary variables */
668 u32 subL[34];
669 u32 subR[34];
670
671 /**
672 * key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
673 * (|| is concatenation)
674 */
675 kll = get_unaligned_be32(key);
676 klr = get_unaligned_be32(key + 4);
677 krl = get_unaligned_be32(key + 8);
678 krr = get_unaligned_be32(key + 12);
679 krll = get_unaligned_be32(key + 16);
680 krlr = get_unaligned_be32(key + 20);
681 krrl = get_unaligned_be32(key + 24);
682 krrr = get_unaligned_be32(key + 28);
683
684 /* generate KL dependent subkeys */
685 /* kw1 */
686 subL[0] = kll; subR[0] = klr;
687 /* kw2 */
688 subL[1] = krl; subR[1] = krr;
689 ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
690 /* k9 */
691 subL[12] = kll; subR[12] = klr;
692 /* k10 */
693 subL[13] = krl; subR[13] = krr;
694 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
695 /* kl3 */
696 subL[16] = kll; subR[16] = klr;
697 /* kl4 */
698 subL[17] = krl; subR[17] = krr;
699 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
700 /* k17 */
701 subL[22] = kll; subR[22] = klr;
702 /* k18 */
703 subL[23] = krl; subR[23] = krr;
704 ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
705 /* k23 */
706 subL[30] = kll; subR[30] = klr;
707 /* k24 */
708 subL[31] = krl; subR[31] = krr;
709
710 /* generate KR dependent subkeys */
711 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
712 /* k3 */
713 subL[4] = krll; subR[4] = krlr;
714 /* k4 */
715 subL[5] = krrl; subR[5] = krrr;
716 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
717 /* kl1 */
718 subL[8] = krll; subR[8] = krlr;
719 /* kl2 */
720 subL[9] = krrl; subR[9] = krrr;
721 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
722 /* k13 */
723 subL[18] = krll; subR[18] = krlr;
724 /* k14 */
725 subL[19] = krrl; subR[19] = krrr;
726 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
727 /* k19 */
728 subL[26] = krll; subR[26] = krlr;
729 /* k20 */
730 subL[27] = krrl; subR[27] = krrr;
731 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
732
733 /* generate KA */
734 kll = subL[0] ^ krll; klr = subR[0] ^ krlr;
735 krl = subL[1] ^ krrl; krr = subR[1] ^ krrr;
736 CAMELLIA_F(kll, klr,
737 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
738 w0, w1, il, ir, t0, t1);
739 krl ^= w0; krr ^= w1;
740 CAMELLIA_F(krl, krr,
741 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
742 kll, klr, il, ir, t0, t1);
743 kll ^= krll; klr ^= krlr;
744 CAMELLIA_F(kll, klr,
745 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
746 krl, krr, il, ir, t0, t1);
747 krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
748 CAMELLIA_F(krl, krr,
749 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
750 w0, w1, il, ir, t0, t1);
751 kll ^= w0; klr ^= w1;
752
753 /* generate KB */
754 krll ^= kll; krlr ^= klr;
755 krrl ^= krl; krrr ^= krr;
756 CAMELLIA_F(krll, krlr,
757 CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
758 w0, w1, il, ir, t0, t1);
759 krrl ^= w0; krrr ^= w1;
760 CAMELLIA_F(krrl, krrr,
761 CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
762 w0, w1, il, ir, t0, t1);
763 krll ^= w0; krlr ^= w1;
764
765 /* generate KA dependent subkeys */
766 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
767 /* k5 */
768 subL[6] = kll; subR[6] = klr;
769 /* k6 */
770 subL[7] = krl; subR[7] = krr;
771 ROLDQ(kll, klr, krl, krr, w0, w1, 30);
772 /* k11 */
773 subL[14] = kll; subR[14] = klr;
774 /* k12 */
775 subL[15] = krl; subR[15] = krr;
776 /* rotation left shift 32bit */
777 /* kl5 */
778 subL[24] = klr; subR[24] = krl;
779 /* kl6 */
780 subL[25] = krr; subR[25] = kll;
781 /* rotation left shift 49 from k11,k12 -> k21,k22 */
782 ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
783 /* k21 */
784 subL[28] = kll; subR[28] = klr;
785 /* k22 */
786 subL[29] = krl; subR[29] = krr;
787
788 /* generate KB dependent subkeys */
789 /* k1 */
790 subL[2] = krll; subR[2] = krlr;
791 /* k2 */
792 subL[3] = krrl; subR[3] = krrr;
793 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
794 /* k7 */
795 subL[10] = krll; subR[10] = krlr;
796 /* k8 */
797 subL[11] = krrl; subR[11] = krrr;
798 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
799 /* k15 */
800 subL[20] = krll; subR[20] = krlr;
801 /* k16 */
802 subL[21] = krrl; subR[21] = krrr;
803 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
804 /* kw3 */
805 subL[32] = krll; subR[32] = krlr;
806 /* kw4 */
807 subL[33] = krrl; subR[33] = krrr;
808
809 camellia_setup_tail(subkey, subL, subR, 32);
810}
811
812static void camellia_setup192(const unsigned char *key, u32 *subkey)
813{
814 unsigned char kk[32];
815 u32 krll, krlr, krrl, krrr;
816
817 memcpy(kk, key, 24);
818 memcpy((unsigned char *)&krll, key+16, 4);
819 memcpy((unsigned char *)&krlr, key+20, 4);
820 krrl = ~krll;
821 krrr = ~krlr;
822 memcpy(kk+24, (unsigned char *)&krrl, 4);
823 memcpy(kk+28, (unsigned char *)&krrr, 4);
824 camellia_setup256(kk, subkey);
825}
826
827
828/*
829 * Encrypt/decrypt
830 */
831#define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) ({ \
832 t0 = kll; \
833 t2 = krr; \
834 t0 &= ll; \
835 t2 |= rr; \
836 rl ^= t2; \
837 lr ^= rol32(t0, 1); \
838 t3 = krl; \
839 t1 = klr; \
840 t3 &= rl; \
841 t1 |= lr; \
842 ll ^= t1; \
843 rr ^= rol32(t3, 1); \
844})
845
846#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir) ({ \
847 yl ^= kl; \
848 yr ^= kr; \
849 ir = camellia_sp1110[(u8)xr]; \
850 il = camellia_sp1110[(u8)(xl >> 24)]; \
851 ir ^= camellia_sp0222[(u8)(xr >> 24)]; \
852 il ^= camellia_sp0222[(u8)(xl >> 16)]; \
853 ir ^= camellia_sp3033[(u8)(xr >> 16)]; \
854 il ^= camellia_sp3033[(u8)(xl >> 8)]; \
855 ir ^= camellia_sp4404[(u8)(xr >> 8)]; \
856 il ^= camellia_sp4404[(u8)xl]; \
857 ir ^= il; \
858 yl ^= ir; \
859 yr ^= ror32(il, 8) ^ ir; \
860})
861
862/* max = 24: 128bit encrypt, max = 32: 256bit encrypt */
863static void camellia_do_encrypt(const u32 *subkey, u32 *io, unsigned max)
864{
865 u32 il, ir, t0, t1; /* temporary variables */
866
867 /* pre whitening but absorb kw2 */
868 io[0] ^= SUBKEY_L(0);
869 io[1] ^= SUBKEY_R(0);
870
871 /* main iteration */
872#define ROUNDS(i) ({ \
873 CAMELLIA_ROUNDSM(io[0], io[1], \
874 SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
875 io[2], io[3], il, ir); \
876 CAMELLIA_ROUNDSM(io[2], io[3], \
877 SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
878 io[0], io[1], il, ir); \
879 CAMELLIA_ROUNDSM(io[0], io[1], \
880 SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
881 io[2], io[3], il, ir); \
882 CAMELLIA_ROUNDSM(io[2], io[3], \
883 SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
884 io[0], io[1], il, ir); \
885 CAMELLIA_ROUNDSM(io[0], io[1], \
886 SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
887 io[2], io[3], il, ir); \
888 CAMELLIA_ROUNDSM(io[2], io[3], \
889 SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
890 io[0], io[1], il, ir); \
891})
892#define FLS(i) ({ \
893 CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
894 SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
895 SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
896 t0, t1, il, ir); \
897})
898
899 ROUNDS(0);
900 FLS(8);
901 ROUNDS(8);
902 FLS(16);
903 ROUNDS(16);
904 if (max == 32) {
905 FLS(24);
906 ROUNDS(24);
907 }
908
909#undef ROUNDS
910#undef FLS
911
912 /* post whitening but kw4 */
913 io[2] ^= SUBKEY_L(max);
914 io[3] ^= SUBKEY_R(max);
915 /* NB: io[0],[1] should be swapped with [2],[3] by caller! */
916}
917
918static void camellia_do_decrypt(const u32 *subkey, u32 *io, unsigned i)
919{
920 u32 il, ir, t0, t1; /* temporary variables */
921
922 /* pre whitening but absorb kw2 */
923 io[0] ^= SUBKEY_L(i);
924 io[1] ^= SUBKEY_R(i);
925
926 /* main iteration */
927#define ROUNDS(i) ({ \
928 CAMELLIA_ROUNDSM(io[0], io[1], \
929 SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
930 io[2], io[3], il, ir); \
931 CAMELLIA_ROUNDSM(io[2], io[3], \
932 SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
933 io[0], io[1], il, ir); \
934 CAMELLIA_ROUNDSM(io[0], io[1], \
935 SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
936 io[2], io[3], il, ir); \
937 CAMELLIA_ROUNDSM(io[2], io[3], \
938 SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
939 io[0], io[1], il, ir); \
940 CAMELLIA_ROUNDSM(io[0], io[1], \
941 SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
942 io[2], io[3], il, ir); \
943 CAMELLIA_ROUNDSM(io[2], io[3], \
944 SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
945 io[0], io[1], il, ir); \
946})
947#define FLS(i) ({ \
948 CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
949 SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
950 SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
951 t0, t1, il, ir); \
952})
953
954 if (i == 32) {
955 ROUNDS(24);
956 FLS(24);
957 }
958 ROUNDS(16);
959 FLS(16);
960 ROUNDS(8);
961 FLS(8);
962 ROUNDS(0);
963
964#undef ROUNDS
965#undef FLS
966
967 /* post whitening but kw4 */
968 io[2] ^= SUBKEY_L(0);
969 io[3] ^= SUBKEY_R(0);
970 /* NB: 0,1 should be swapped with 2,3 by caller! */
971}
972
973
974struct camellia_ctx {
975 int key_length;
976 u32 key_table[CAMELLIA_TABLE_BYTE_LEN / sizeof(u32)];
977};
978
979static int
980camellia_set_key(struct crypto_tfm *tfm, const u8 *in_key,
981 unsigned int key_len)
982{
983 struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
984 const unsigned char *key = (const unsigned char *)in_key;
985 u32 *flags = &tfm->crt_flags;
986
987 if (key_len != 16 && key_len != 24 && key_len != 32) {
988 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
989 return -EINVAL;
990 }
991
992 cctx->key_length = key_len;
993
994 switch (key_len) {
995 case 16:
996 camellia_setup128(key, cctx->key_table);
997 break;
998 case 24:
999 camellia_setup192(key, cctx->key_table);
1000 break;
1001 case 32:
1002 camellia_setup256(key, cctx->key_table);
1003 break;
1004 }
1005
1006 return 0;
1007}
1008
1009static void camellia_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1010{
1011 const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1012 const __be32 *src = (const __be32 *)in;
1013 __be32 *dst = (__be32 *)out;
1014 unsigned int max;
1015
1016 u32 tmp[4];
1017
1018 tmp[0] = be32_to_cpu(src[0]);
1019 tmp[1] = be32_to_cpu(src[1]);
1020 tmp[2] = be32_to_cpu(src[2]);
1021 tmp[3] = be32_to_cpu(src[3]);
1022
1023 if (cctx->key_length == 16)
1024 max = 24;
1025 else
1026 max = 32; /* for key lengths of 24 and 32 */
1027
1028 camellia_do_encrypt(cctx->key_table, tmp, max);
1029
1030 /* do_encrypt returns 0,1 swapped with 2,3 */
1031 dst[0] = cpu_to_be32(tmp[2]);
1032 dst[1] = cpu_to_be32(tmp[3]);
1033 dst[2] = cpu_to_be32(tmp[0]);
1034 dst[3] = cpu_to_be32(tmp[1]);
1035}
1036
1037static void camellia_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1038{
1039 const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1040 const __be32 *src = (const __be32 *)in;
1041 __be32 *dst = (__be32 *)out;
1042 unsigned int max;
1043
1044 u32 tmp[4];
1045
1046 tmp[0] = be32_to_cpu(src[0]);
1047 tmp[1] = be32_to_cpu(src[1]);
1048 tmp[2] = be32_to_cpu(src[2]);
1049 tmp[3] = be32_to_cpu(src[3]);
1050
1051 if (cctx->key_length == 16)
1052 max = 24;
1053 else
1054 max = 32; /* for key lengths of 24 and 32 */
1055
1056 camellia_do_decrypt(cctx->key_table, tmp, max);
1057
1058 /* do_decrypt returns 0,1 swapped with 2,3 */
1059 dst[0] = cpu_to_be32(tmp[2]);
1060 dst[1] = cpu_to_be32(tmp[3]);
1061 dst[2] = cpu_to_be32(tmp[0]);
1062 dst[3] = cpu_to_be32(tmp[1]);
1063}
1064
1065static struct crypto_alg camellia_alg = {
1066 .cra_name = "camellia",
1067 .cra_driver_name = "camellia-generic",
1068 .cra_priority = 100,
1069 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
1070 .cra_blocksize = CAMELLIA_BLOCK_SIZE,
1071 .cra_ctxsize = sizeof(struct camellia_ctx),
1072 .cra_alignmask = 3,
1073 .cra_module = THIS_MODULE,
1074 .cra_u = {
1075 .cipher = {
1076 .cia_min_keysize = CAMELLIA_MIN_KEY_SIZE,
1077 .cia_max_keysize = CAMELLIA_MAX_KEY_SIZE,
1078 .cia_setkey = camellia_set_key,
1079 .cia_encrypt = camellia_encrypt,
1080 .cia_decrypt = camellia_decrypt
1081 }
1082 }
1083};
1084
1085static int __init camellia_init(void)
1086{
1087 return crypto_register_alg(&camellia_alg);
1088}
1089
1090static void __exit camellia_fini(void)
1091{
1092 crypto_unregister_alg(&camellia_alg);
1093}
1094
1095module_init(camellia_init);
1096module_exit(camellia_fini);
1097
1098MODULE_DESCRIPTION("Camellia Cipher Algorithm");
1099MODULE_LICENSE("GPL");
1100MODULE_ALIAS_CRYPTO("camellia");
1101MODULE_ALIAS_CRYPTO("camellia-generic");