Loading...
1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * Copyright (C) 2006
4 * NTT (Nippon Telegraph and Telephone Corporation).
5 */
6
7/*
8 * Algorithm Specification
9 * https://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
10 */
11
12/*
13 *
14 * NOTE --- NOTE --- NOTE --- NOTE
15 * This implementation assumes that all memory addresses passed
16 * as parameters are four-byte aligned.
17 *
18 */
19
20#include <linux/crypto.h>
21#include <linux/errno.h>
22#include <linux/init.h>
23#include <linux/kernel.h>
24#include <linux/module.h>
25#include <linux/bitops.h>
26#include <asm/unaligned.h>
27
28static const u32 camellia_sp1110[256] = {
29 0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00,
30 0xb3b3b300, 0x27272700, 0xc0c0c000, 0xe5e5e500,
31 0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
32 0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100,
33 0x23232300, 0xefefef00, 0x6b6b6b00, 0x93939300,
34 0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
35 0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00,
36 0x1d1d1d00, 0x65656500, 0x92929200, 0xbdbdbd00,
37 0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
38 0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00,
39 0x3e3e3e00, 0x30303000, 0xdcdcdc00, 0x5f5f5f00,
40 0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
41 0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00,
42 0xd5d5d500, 0x47474700, 0x5d5d5d00, 0x3d3d3d00,
43 0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
44 0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00,
45 0x8b8b8b00, 0x0d0d0d00, 0x9a9a9a00, 0x66666600,
46 0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
47 0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000,
48 0xf0f0f000, 0xb1b1b100, 0x84848400, 0x99999900,
49 0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
50 0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500,
51 0x6d6d6d00, 0xb7b7b700, 0xa9a9a900, 0x31313100,
52 0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
53 0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100,
54 0xdedede00, 0x1b1b1b00, 0x11111100, 0x1c1c1c00,
55 0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
56 0x53535300, 0x18181800, 0xf2f2f200, 0x22222200,
57 0xfefefe00, 0x44444400, 0xcfcfcf00, 0xb2b2b200,
58 0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
59 0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800,
60 0x60606000, 0xfcfcfc00, 0x69696900, 0x50505000,
61 0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
62 0xa1a1a100, 0x89898900, 0x62626200, 0x97979700,
63 0x54545400, 0x5b5b5b00, 0x1e1e1e00, 0x95959500,
64 0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
65 0x10101000, 0xc4c4c400, 0x00000000, 0x48484800,
66 0xa3a3a300, 0xf7f7f700, 0x75757500, 0xdbdbdb00,
67 0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
68 0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400,
69 0x87878700, 0x5c5c5c00, 0x83838300, 0x02020200,
70 0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
71 0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300,
72 0x9d9d9d00, 0x7f7f7f00, 0xbfbfbf00, 0xe2e2e200,
73 0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
74 0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00,
75 0x81818100, 0x96969600, 0x6f6f6f00, 0x4b4b4b00,
76 0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
77 0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00,
78 0x9f9f9f00, 0x6e6e6e00, 0xbcbcbc00, 0x8e8e8e00,
79 0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
80 0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900,
81 0x78787800, 0x98989800, 0x06060600, 0x6a6a6a00,
82 0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
83 0xd4d4d400, 0x25252500, 0xababab00, 0x42424200,
84 0x88888800, 0xa2a2a200, 0x8d8d8d00, 0xfafafa00,
85 0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
86 0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00,
87 0x36363600, 0x49494900, 0x2a2a2a00, 0x68686800,
88 0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
89 0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00,
90 0xbbbbbb00, 0xc9c9c900, 0x43434300, 0xc1c1c100,
91 0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
92 0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00,
93};
94
95static const u32 camellia_sp0222[256] = {
96 0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9,
97 0x00676767, 0x004e4e4e, 0x00818181, 0x00cbcbcb,
98 0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
99 0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282,
100 0x00464646, 0x00dfdfdf, 0x00d6d6d6, 0x00272727,
101 0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
102 0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c,
103 0x003a3a3a, 0x00cacaca, 0x00252525, 0x007b7b7b,
104 0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
105 0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d,
106 0x007c7c7c, 0x00606060, 0x00b9b9b9, 0x00bebebe,
107 0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
108 0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595,
109 0x00ababab, 0x008e8e8e, 0x00bababa, 0x007a7a7a,
110 0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
111 0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a,
112 0x00171717, 0x001a1a1a, 0x00353535, 0x00cccccc,
113 0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
114 0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040,
115 0x00e1e1e1, 0x00636363, 0x00090909, 0x00333333,
116 0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
117 0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a,
118 0x00dadada, 0x006f6f6f, 0x00535353, 0x00626262,
119 0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
120 0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2,
121 0x00bdbdbd, 0x00363636, 0x00222222, 0x00383838,
122 0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
123 0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444,
124 0x00fdfdfd, 0x00888888, 0x009f9f9f, 0x00656565,
125 0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
126 0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151,
127 0x00c0c0c0, 0x00f9f9f9, 0x00d2d2d2, 0x00a0a0a0,
128 0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
129 0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f,
130 0x00a8a8a8, 0x00b6b6b6, 0x003c3c3c, 0x002b2b2b,
131 0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
132 0x00202020, 0x00898989, 0x00000000, 0x00909090,
133 0x00474747, 0x00efefef, 0x00eaeaea, 0x00b7b7b7,
134 0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
135 0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929,
136 0x000f0f0f, 0x00b8b8b8, 0x00070707, 0x00040404,
137 0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
138 0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7,
139 0x003b3b3b, 0x00fefefe, 0x007f7f7f, 0x00c5c5c5,
140 0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
141 0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676,
142 0x00030303, 0x002d2d2d, 0x00dedede, 0x00969696,
143 0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
144 0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919,
145 0x003f3f3f, 0x00dcdcdc, 0x00797979, 0x001d1d1d,
146 0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
147 0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2,
148 0x00f0f0f0, 0x00313131, 0x000c0c0c, 0x00d4d4d4,
149 0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
150 0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484,
151 0x00111111, 0x00454545, 0x001b1b1b, 0x00f5f5f5,
152 0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
153 0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414,
154 0x006c6c6c, 0x00929292, 0x00545454, 0x00d0d0d0,
155 0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
156 0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6,
157 0x00777777, 0x00939393, 0x00868686, 0x00838383,
158 0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
159 0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d,
160};
161
162static const u32 camellia_sp3033[256] = {
163 0x38003838, 0x41004141, 0x16001616, 0x76007676,
164 0xd900d9d9, 0x93009393, 0x60006060, 0xf200f2f2,
165 0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
166 0x75007575, 0x06000606, 0x57005757, 0xa000a0a0,
167 0x91009191, 0xf700f7f7, 0xb500b5b5, 0xc900c9c9,
168 0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
169 0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727,
170 0x8e008e8e, 0xb200b2b2, 0x49004949, 0xde00dede,
171 0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
172 0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767,
173 0x1f001f1f, 0x18001818, 0x6e006e6e, 0xaf00afaf,
174 0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
175 0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565,
176 0xea00eaea, 0xa300a3a3, 0xae00aeae, 0x9e009e9e,
177 0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
178 0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6,
179 0xc500c5c5, 0x86008686, 0x4d004d4d, 0x33003333,
180 0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
181 0x3a003a3a, 0x09000909, 0x95009595, 0x10001010,
182 0x78007878, 0xd800d8d8, 0x42004242, 0xcc00cccc,
183 0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
184 0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282,
185 0xb600b6b6, 0xdb00dbdb, 0xd400d4d4, 0x98009898,
186 0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
187 0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0,
188 0x6f006f6f, 0x8d008d8d, 0x88008888, 0x0e000e0e,
189 0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
190 0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111,
191 0x7f007f7f, 0x22002222, 0xe700e7e7, 0x59005959,
192 0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
193 0x12001212, 0x04000404, 0x74007474, 0x54005454,
194 0x30003030, 0x7e007e7e, 0xb400b4b4, 0x28002828,
195 0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
196 0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb,
197 0x2a002a2a, 0xad00adad, 0x0f000f0f, 0xca00caca,
198 0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
199 0x08000808, 0x62006262, 0x00000000, 0x24002424,
200 0xd100d1d1, 0xfb00fbfb, 0xba00baba, 0xed00eded,
201 0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
202 0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a,
203 0xc300c3c3, 0x2e002e2e, 0xc100c1c1, 0x01000101,
204 0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
205 0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9,
206 0xce00cece, 0xbf00bfbf, 0xdf00dfdf, 0x71007171,
207 0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
208 0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d,
209 0xc000c0c0, 0x4b004b4b, 0xb700b7b7, 0xa500a5a5,
210 0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
211 0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646,
212 0xcf00cfcf, 0x37003737, 0x5e005e5e, 0x47004747,
213 0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
214 0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac,
215 0x3c003c3c, 0x4c004c4c, 0x03000303, 0x35003535,
216 0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
217 0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121,
218 0x44004444, 0x51005151, 0xc600c6c6, 0x7d007d7d,
219 0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
220 0x7c007c7c, 0x77007777, 0x56005656, 0x05000505,
221 0x1b001b1b, 0xa400a4a4, 0x15001515, 0x34003434,
222 0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
223 0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd,
224 0xdd00dddd, 0xe400e4e4, 0xa100a1a1, 0xe000e0e0,
225 0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
226 0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f,
227};
228
229static const u32 camellia_sp4404[256] = {
230 0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0,
231 0xe4e400e4, 0x57570057, 0xeaea00ea, 0xaeae00ae,
232 0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
233 0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092,
234 0x86860086, 0xafaf00af, 0x7c7c007c, 0x1f1f001f,
235 0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
236 0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d,
237 0xd9d900d9, 0x5a5a005a, 0x51510051, 0x6c6c006c,
238 0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
239 0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084,
240 0xdfdf00df, 0xcbcb00cb, 0x34340034, 0x76760076,
241 0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
242 0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011,
243 0x32320032, 0x9c9c009c, 0x53530053, 0xf2f200f2,
244 0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
245 0x24240024, 0xe8e800e8, 0x60600060, 0x69690069,
246 0xaaaa00aa, 0xa0a000a0, 0xa1a100a1, 0x62620062,
247 0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
248 0x10100010, 0x00000000, 0xa3a300a3, 0x75750075,
249 0x8a8a008a, 0xe6e600e6, 0x09090009, 0xdddd00dd,
250 0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
251 0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf,
252 0x52520052, 0xd8d800d8, 0xc8c800c8, 0xc6c600c6,
253 0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
254 0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc,
255 0x29290029, 0xf9f900f9, 0x2f2f002f, 0xb4b400b4,
256 0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
257 0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d,
258 0x72720072, 0xb9b900b9, 0xf8f800f8, 0xacac00ac,
259 0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
260 0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043,
261 0x15150015, 0xadad00ad, 0x77770077, 0x80800080,
262 0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
263 0x85850085, 0x35350035, 0x0c0c000c, 0x41410041,
264 0xefef00ef, 0x93930093, 0x19190019, 0x21210021,
265 0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
266 0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce,
267 0x30300030, 0x5f5f005f, 0xc5c500c5, 0x1a1a001a,
268 0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
269 0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d,
270 0x0d0d000d, 0x66660066, 0xcccc00cc, 0x2d2d002d,
271 0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
272 0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005,
273 0xb7b700b7, 0x31310031, 0x17170017, 0xd7d700d7,
274 0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
275 0x0f0f000f, 0x16160016, 0x18180018, 0x22220022,
276 0x44440044, 0xb2b200b2, 0xb5b500b5, 0x91910091,
277 0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
278 0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097,
279 0x5b5b005b, 0x95950095, 0xffff00ff, 0xd2d200d2,
280 0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
281 0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094,
282 0x5c5c005c, 0x02020002, 0x4a4a004a, 0x33330033,
283 0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
284 0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b,
285 0x96960096, 0x4b4b004b, 0xbebe00be, 0x2e2e002e,
286 0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
287 0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059,
288 0x98980098, 0x6a6a006a, 0x46460046, 0xbaba00ba,
289 0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
290 0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a,
291 0x49490049, 0x68680068, 0x38380038, 0xa4a400a4,
292 0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
293 0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e,
294};
295
296
297#define CAMELLIA_MIN_KEY_SIZE 16
298#define CAMELLIA_MAX_KEY_SIZE 32
299#define CAMELLIA_BLOCK_SIZE 16
300#define CAMELLIA_TABLE_BYTE_LEN 272
301
302/*
303 * NB: L and R below stand for 'left' and 'right' as in written numbers.
304 * That is, in (xxxL,xxxR) pair xxxL holds most significant digits,
305 * _not_ least significant ones!
306 */
307
308
309/* key constants */
310
311#define CAMELLIA_SIGMA1L (0xA09E667FL)
312#define CAMELLIA_SIGMA1R (0x3BCC908BL)
313#define CAMELLIA_SIGMA2L (0xB67AE858L)
314#define CAMELLIA_SIGMA2R (0x4CAA73B2L)
315#define CAMELLIA_SIGMA3L (0xC6EF372FL)
316#define CAMELLIA_SIGMA3R (0xE94F82BEL)
317#define CAMELLIA_SIGMA4L (0x54FF53A5L)
318#define CAMELLIA_SIGMA4R (0xF1D36F1CL)
319#define CAMELLIA_SIGMA5L (0x10E527FAL)
320#define CAMELLIA_SIGMA5R (0xDE682D1DL)
321#define CAMELLIA_SIGMA6L (0xB05688C2L)
322#define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
323
324/*
325 * macros
326 */
327#define ROLDQ(ll, lr, rl, rr, w0, w1, bits) ({ \
328 w0 = ll; \
329 ll = (ll << bits) + (lr >> (32 - bits)); \
330 lr = (lr << bits) + (rl >> (32 - bits)); \
331 rl = (rl << bits) + (rr >> (32 - bits)); \
332 rr = (rr << bits) + (w0 >> (32 - bits)); \
333})
334
335#define ROLDQo32(ll, lr, rl, rr, w0, w1, bits) ({ \
336 w0 = ll; \
337 w1 = lr; \
338 ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
339 lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
340 rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
341 rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
342})
343
344#define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) ({ \
345 il = xl ^ kl; \
346 ir = xr ^ kr; \
347 t0 = il >> 16; \
348 t1 = ir >> 16; \
349 yl = camellia_sp1110[(u8)(ir)] \
350 ^ camellia_sp0222[(u8)(t1 >> 8)] \
351 ^ camellia_sp3033[(u8)(t1)] \
352 ^ camellia_sp4404[(u8)(ir >> 8)]; \
353 yr = camellia_sp1110[(u8)(t0 >> 8)] \
354 ^ camellia_sp0222[(u8)(t0)] \
355 ^ camellia_sp3033[(u8)(il >> 8)] \
356 ^ camellia_sp4404[(u8)(il)]; \
357 yl ^= yr; \
358 yr = ror32(yr, 8); \
359 yr ^= yl; \
360})
361
362#define SUBKEY_L(INDEX) (subkey[(INDEX)*2])
363#define SUBKEY_R(INDEX) (subkey[(INDEX)*2 + 1])
364
365static void camellia_setup_tail(u32 *subkey, u32 *subL, u32 *subR, int max)
366{
367 u32 dw, tl, tr;
368 u32 kw4l, kw4r;
369
370 /* absorb kw2 to other subkeys */
371 /* round 2 */
372 subL[3] ^= subL[1]; subR[3] ^= subR[1];
373 /* round 4 */
374 subL[5] ^= subL[1]; subR[5] ^= subR[1];
375 /* round 6 */
376 subL[7] ^= subL[1]; subR[7] ^= subR[1];
377 subL[1] ^= subR[1] & ~subR[9];
378 dw = subL[1] & subL[9];
379 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl2) */
380 /* round 8 */
381 subL[11] ^= subL[1]; subR[11] ^= subR[1];
382 /* round 10 */
383 subL[13] ^= subL[1]; subR[13] ^= subR[1];
384 /* round 12 */
385 subL[15] ^= subL[1]; subR[15] ^= subR[1];
386 subL[1] ^= subR[1] & ~subR[17];
387 dw = subL[1] & subL[17];
388 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl4) */
389 /* round 14 */
390 subL[19] ^= subL[1]; subR[19] ^= subR[1];
391 /* round 16 */
392 subL[21] ^= subL[1]; subR[21] ^= subR[1];
393 /* round 18 */
394 subL[23] ^= subL[1]; subR[23] ^= subR[1];
395 if (max == 24) {
396 /* kw3 */
397 subL[24] ^= subL[1]; subR[24] ^= subR[1];
398
399 /* absorb kw4 to other subkeys */
400 kw4l = subL[25]; kw4r = subR[25];
401 } else {
402 subL[1] ^= subR[1] & ~subR[25];
403 dw = subL[1] & subL[25];
404 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl6) */
405 /* round 20 */
406 subL[27] ^= subL[1]; subR[27] ^= subR[1];
407 /* round 22 */
408 subL[29] ^= subL[1]; subR[29] ^= subR[1];
409 /* round 24 */
410 subL[31] ^= subL[1]; subR[31] ^= subR[1];
411 /* kw3 */
412 subL[32] ^= subL[1]; subR[32] ^= subR[1];
413
414 /* absorb kw4 to other subkeys */
415 kw4l = subL[33]; kw4r = subR[33];
416 /* round 23 */
417 subL[30] ^= kw4l; subR[30] ^= kw4r;
418 /* round 21 */
419 subL[28] ^= kw4l; subR[28] ^= kw4r;
420 /* round 19 */
421 subL[26] ^= kw4l; subR[26] ^= kw4r;
422 kw4l ^= kw4r & ~subR[24];
423 dw = kw4l & subL[24];
424 kw4r ^= rol32(dw, 1); /* modified for FL(kl5) */
425 }
426 /* round 17 */
427 subL[22] ^= kw4l; subR[22] ^= kw4r;
428 /* round 15 */
429 subL[20] ^= kw4l; subR[20] ^= kw4r;
430 /* round 13 */
431 subL[18] ^= kw4l; subR[18] ^= kw4r;
432 kw4l ^= kw4r & ~subR[16];
433 dw = kw4l & subL[16];
434 kw4r ^= rol32(dw, 1); /* modified for FL(kl3) */
435 /* round 11 */
436 subL[14] ^= kw4l; subR[14] ^= kw4r;
437 /* round 9 */
438 subL[12] ^= kw4l; subR[12] ^= kw4r;
439 /* round 7 */
440 subL[10] ^= kw4l; subR[10] ^= kw4r;
441 kw4l ^= kw4r & ~subR[8];
442 dw = kw4l & subL[8];
443 kw4r ^= rol32(dw, 1); /* modified for FL(kl1) */
444 /* round 5 */
445 subL[6] ^= kw4l; subR[6] ^= kw4r;
446 /* round 3 */
447 subL[4] ^= kw4l; subR[4] ^= kw4r;
448 /* round 1 */
449 subL[2] ^= kw4l; subR[2] ^= kw4r;
450 /* kw1 */
451 subL[0] ^= kw4l; subR[0] ^= kw4r;
452
453 /* key XOR is end of F-function */
454 SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
455 SUBKEY_R(0) = subR[0] ^ subR[2];
456 SUBKEY_L(2) = subL[3]; /* round 1 */
457 SUBKEY_R(2) = subR[3];
458 SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
459 SUBKEY_R(3) = subR[2] ^ subR[4];
460 SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
461 SUBKEY_R(4) = subR[3] ^ subR[5];
462 SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
463 SUBKEY_R(5) = subR[4] ^ subR[6];
464 SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
465 SUBKEY_R(6) = subR[5] ^ subR[7];
466 tl = subL[10] ^ (subR[10] & ~subR[8]);
467 dw = tl & subL[8]; /* FL(kl1) */
468 tr = subR[10] ^ rol32(dw, 1);
469 SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
470 SUBKEY_R(7) = subR[6] ^ tr;
471 SUBKEY_L(8) = subL[8]; /* FL(kl1) */
472 SUBKEY_R(8) = subR[8];
473 SUBKEY_L(9) = subL[9]; /* FLinv(kl2) */
474 SUBKEY_R(9) = subR[9];
475 tl = subL[7] ^ (subR[7] & ~subR[9]);
476 dw = tl & subL[9]; /* FLinv(kl2) */
477 tr = subR[7] ^ rol32(dw, 1);
478 SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
479 SUBKEY_R(10) = tr ^ subR[11];
480 SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
481 SUBKEY_R(11) = subR[10] ^ subR[12];
482 SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
483 SUBKEY_R(12) = subR[11] ^ subR[13];
484 SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
485 SUBKEY_R(13) = subR[12] ^ subR[14];
486 SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
487 SUBKEY_R(14) = subR[13] ^ subR[15];
488 tl = subL[18] ^ (subR[18] & ~subR[16]);
489 dw = tl & subL[16]; /* FL(kl3) */
490 tr = subR[18] ^ rol32(dw, 1);
491 SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
492 SUBKEY_R(15) = subR[14] ^ tr;
493 SUBKEY_L(16) = subL[16]; /* FL(kl3) */
494 SUBKEY_R(16) = subR[16];
495 SUBKEY_L(17) = subL[17]; /* FLinv(kl4) */
496 SUBKEY_R(17) = subR[17];
497 tl = subL[15] ^ (subR[15] & ~subR[17]);
498 dw = tl & subL[17]; /* FLinv(kl4) */
499 tr = subR[15] ^ rol32(dw, 1);
500 SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
501 SUBKEY_R(18) = tr ^ subR[19];
502 SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
503 SUBKEY_R(19) = subR[18] ^ subR[20];
504 SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
505 SUBKEY_R(20) = subR[19] ^ subR[21];
506 SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
507 SUBKEY_R(21) = subR[20] ^ subR[22];
508 SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
509 SUBKEY_R(22) = subR[21] ^ subR[23];
510 if (max == 24) {
511 SUBKEY_L(23) = subL[22]; /* round 18 */
512 SUBKEY_R(23) = subR[22];
513 SUBKEY_L(24) = subL[24] ^ subL[23]; /* kw3 */
514 SUBKEY_R(24) = subR[24] ^ subR[23];
515 } else {
516 tl = subL[26] ^ (subR[26] & ~subR[24]);
517 dw = tl & subL[24]; /* FL(kl5) */
518 tr = subR[26] ^ rol32(dw, 1);
519 SUBKEY_L(23) = subL[22] ^ tl; /* round 18 */
520 SUBKEY_R(23) = subR[22] ^ tr;
521 SUBKEY_L(24) = subL[24]; /* FL(kl5) */
522 SUBKEY_R(24) = subR[24];
523 SUBKEY_L(25) = subL[25]; /* FLinv(kl6) */
524 SUBKEY_R(25) = subR[25];
525 tl = subL[23] ^ (subR[23] & ~subR[25]);
526 dw = tl & subL[25]; /* FLinv(kl6) */
527 tr = subR[23] ^ rol32(dw, 1);
528 SUBKEY_L(26) = tl ^ subL[27]; /* round 19 */
529 SUBKEY_R(26) = tr ^ subR[27];
530 SUBKEY_L(27) = subL[26] ^ subL[28]; /* round 20 */
531 SUBKEY_R(27) = subR[26] ^ subR[28];
532 SUBKEY_L(28) = subL[27] ^ subL[29]; /* round 21 */
533 SUBKEY_R(28) = subR[27] ^ subR[29];
534 SUBKEY_L(29) = subL[28] ^ subL[30]; /* round 22 */
535 SUBKEY_R(29) = subR[28] ^ subR[30];
536 SUBKEY_L(30) = subL[29] ^ subL[31]; /* round 23 */
537 SUBKEY_R(30) = subR[29] ^ subR[31];
538 SUBKEY_L(31) = subL[30]; /* round 24 */
539 SUBKEY_R(31) = subR[30];
540 SUBKEY_L(32) = subL[32] ^ subL[31]; /* kw3 */
541 SUBKEY_R(32) = subR[32] ^ subR[31];
542 }
543}
544
545static void camellia_setup128(const unsigned char *key, u32 *subkey)
546{
547 u32 kll, klr, krl, krr;
548 u32 il, ir, t0, t1, w0, w1;
549 u32 subL[26];
550 u32 subR[26];
551
552 /**
553 * k == kll || klr || krl || krr (|| is concatenation)
554 */
555 kll = get_unaligned_be32(key);
556 klr = get_unaligned_be32(key + 4);
557 krl = get_unaligned_be32(key + 8);
558 krr = get_unaligned_be32(key + 12);
559
560 /* generate KL dependent subkeys */
561 /* kw1 */
562 subL[0] = kll; subR[0] = klr;
563 /* kw2 */
564 subL[1] = krl; subR[1] = krr;
565 /* rotation left shift 15bit */
566 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
567 /* k3 */
568 subL[4] = kll; subR[4] = klr;
569 /* k4 */
570 subL[5] = krl; subR[5] = krr;
571 /* rotation left shift 15+30bit */
572 ROLDQ(kll, klr, krl, krr, w0, w1, 30);
573 /* k7 */
574 subL[10] = kll; subR[10] = klr;
575 /* k8 */
576 subL[11] = krl; subR[11] = krr;
577 /* rotation left shift 15+30+15bit */
578 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
579 /* k10 */
580 subL[13] = krl; subR[13] = krr;
581 /* rotation left shift 15+30+15+17 bit */
582 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
583 /* kl3 */
584 subL[16] = kll; subR[16] = klr;
585 /* kl4 */
586 subL[17] = krl; subR[17] = krr;
587 /* rotation left shift 15+30+15+17+17 bit */
588 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
589 /* k13 */
590 subL[18] = kll; subR[18] = klr;
591 /* k14 */
592 subL[19] = krl; subR[19] = krr;
593 /* rotation left shift 15+30+15+17+17+17 bit */
594 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
595 /* k17 */
596 subL[22] = kll; subR[22] = klr;
597 /* k18 */
598 subL[23] = krl; subR[23] = krr;
599
600 /* generate KA */
601 kll = subL[0]; klr = subR[0];
602 krl = subL[1]; krr = subR[1];
603 CAMELLIA_F(kll, klr,
604 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
605 w0, w1, il, ir, t0, t1);
606 krl ^= w0; krr ^= w1;
607 CAMELLIA_F(krl, krr,
608 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
609 kll, klr, il, ir, t0, t1);
610 /* current status == (kll, klr, w0, w1) */
611 CAMELLIA_F(kll, klr,
612 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
613 krl, krr, il, ir, t0, t1);
614 krl ^= w0; krr ^= w1;
615 CAMELLIA_F(krl, krr,
616 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
617 w0, w1, il, ir, t0, t1);
618 kll ^= w0; klr ^= w1;
619
620 /* generate KA dependent subkeys */
621 /* k1, k2 */
622 subL[2] = kll; subR[2] = klr;
623 subL[3] = krl; subR[3] = krr;
624 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
625 /* k5,k6 */
626 subL[6] = kll; subR[6] = klr;
627 subL[7] = krl; subR[7] = krr;
628 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
629 /* kl1, kl2 */
630 subL[8] = kll; subR[8] = klr;
631 subL[9] = krl; subR[9] = krr;
632 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
633 /* k9 */
634 subL[12] = kll; subR[12] = klr;
635 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
636 /* k11, k12 */
637 subL[14] = kll; subR[14] = klr;
638 subL[15] = krl; subR[15] = krr;
639 ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
640 /* k15, k16 */
641 subL[20] = kll; subR[20] = klr;
642 subL[21] = krl; subR[21] = krr;
643 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
644 /* kw3, kw4 */
645 subL[24] = kll; subR[24] = klr;
646 subL[25] = krl; subR[25] = krr;
647
648 camellia_setup_tail(subkey, subL, subR, 24);
649}
650
651static void camellia_setup256(const unsigned char *key, u32 *subkey)
652{
653 u32 kll, klr, krl, krr; /* left half of key */
654 u32 krll, krlr, krrl, krrr; /* right half of key */
655 u32 il, ir, t0, t1, w0, w1; /* temporary variables */
656 u32 subL[34];
657 u32 subR[34];
658
659 /**
660 * key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
661 * (|| is concatenation)
662 */
663 kll = get_unaligned_be32(key);
664 klr = get_unaligned_be32(key + 4);
665 krl = get_unaligned_be32(key + 8);
666 krr = get_unaligned_be32(key + 12);
667 krll = get_unaligned_be32(key + 16);
668 krlr = get_unaligned_be32(key + 20);
669 krrl = get_unaligned_be32(key + 24);
670 krrr = get_unaligned_be32(key + 28);
671
672 /* generate KL dependent subkeys */
673 /* kw1 */
674 subL[0] = kll; subR[0] = klr;
675 /* kw2 */
676 subL[1] = krl; subR[1] = krr;
677 ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
678 /* k9 */
679 subL[12] = kll; subR[12] = klr;
680 /* k10 */
681 subL[13] = krl; subR[13] = krr;
682 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
683 /* kl3 */
684 subL[16] = kll; subR[16] = klr;
685 /* kl4 */
686 subL[17] = krl; subR[17] = krr;
687 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
688 /* k17 */
689 subL[22] = kll; subR[22] = klr;
690 /* k18 */
691 subL[23] = krl; subR[23] = krr;
692 ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
693 /* k23 */
694 subL[30] = kll; subR[30] = klr;
695 /* k24 */
696 subL[31] = krl; subR[31] = krr;
697
698 /* generate KR dependent subkeys */
699 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
700 /* k3 */
701 subL[4] = krll; subR[4] = krlr;
702 /* k4 */
703 subL[5] = krrl; subR[5] = krrr;
704 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
705 /* kl1 */
706 subL[8] = krll; subR[8] = krlr;
707 /* kl2 */
708 subL[9] = krrl; subR[9] = krrr;
709 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
710 /* k13 */
711 subL[18] = krll; subR[18] = krlr;
712 /* k14 */
713 subL[19] = krrl; subR[19] = krrr;
714 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
715 /* k19 */
716 subL[26] = krll; subR[26] = krlr;
717 /* k20 */
718 subL[27] = krrl; subR[27] = krrr;
719 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
720
721 /* generate KA */
722 kll = subL[0] ^ krll; klr = subR[0] ^ krlr;
723 krl = subL[1] ^ krrl; krr = subR[1] ^ krrr;
724 CAMELLIA_F(kll, klr,
725 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
726 w0, w1, il, ir, t0, t1);
727 krl ^= w0; krr ^= w1;
728 CAMELLIA_F(krl, krr,
729 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
730 kll, klr, il, ir, t0, t1);
731 kll ^= krll; klr ^= krlr;
732 CAMELLIA_F(kll, klr,
733 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
734 krl, krr, il, ir, t0, t1);
735 krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
736 CAMELLIA_F(krl, krr,
737 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
738 w0, w1, il, ir, t0, t1);
739 kll ^= w0; klr ^= w1;
740
741 /* generate KB */
742 krll ^= kll; krlr ^= klr;
743 krrl ^= krl; krrr ^= krr;
744 CAMELLIA_F(krll, krlr,
745 CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
746 w0, w1, il, ir, t0, t1);
747 krrl ^= w0; krrr ^= w1;
748 CAMELLIA_F(krrl, krrr,
749 CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
750 w0, w1, il, ir, t0, t1);
751 krll ^= w0; krlr ^= w1;
752
753 /* generate KA dependent subkeys */
754 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
755 /* k5 */
756 subL[6] = kll; subR[6] = klr;
757 /* k6 */
758 subL[7] = krl; subR[7] = krr;
759 ROLDQ(kll, klr, krl, krr, w0, w1, 30);
760 /* k11 */
761 subL[14] = kll; subR[14] = klr;
762 /* k12 */
763 subL[15] = krl; subR[15] = krr;
764 /* rotation left shift 32bit */
765 /* kl5 */
766 subL[24] = klr; subR[24] = krl;
767 /* kl6 */
768 subL[25] = krr; subR[25] = kll;
769 /* rotation left shift 49 from k11,k12 -> k21,k22 */
770 ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
771 /* k21 */
772 subL[28] = kll; subR[28] = klr;
773 /* k22 */
774 subL[29] = krl; subR[29] = krr;
775
776 /* generate KB dependent subkeys */
777 /* k1 */
778 subL[2] = krll; subR[2] = krlr;
779 /* k2 */
780 subL[3] = krrl; subR[3] = krrr;
781 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
782 /* k7 */
783 subL[10] = krll; subR[10] = krlr;
784 /* k8 */
785 subL[11] = krrl; subR[11] = krrr;
786 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
787 /* k15 */
788 subL[20] = krll; subR[20] = krlr;
789 /* k16 */
790 subL[21] = krrl; subR[21] = krrr;
791 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
792 /* kw3 */
793 subL[32] = krll; subR[32] = krlr;
794 /* kw4 */
795 subL[33] = krrl; subR[33] = krrr;
796
797 camellia_setup_tail(subkey, subL, subR, 32);
798}
799
800static void camellia_setup192(const unsigned char *key, u32 *subkey)
801{
802 unsigned char kk[32];
803 u32 krll, krlr, krrl, krrr;
804
805 memcpy(kk, key, 24);
806 memcpy((unsigned char *)&krll, key+16, 4);
807 memcpy((unsigned char *)&krlr, key+20, 4);
808 krrl = ~krll;
809 krrr = ~krlr;
810 memcpy(kk+24, (unsigned char *)&krrl, 4);
811 memcpy(kk+28, (unsigned char *)&krrr, 4);
812 camellia_setup256(kk, subkey);
813}
814
815
816/*
817 * Encrypt/decrypt
818 */
819#define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) ({ \
820 t0 = kll; \
821 t2 = krr; \
822 t0 &= ll; \
823 t2 |= rr; \
824 rl ^= t2; \
825 lr ^= rol32(t0, 1); \
826 t3 = krl; \
827 t1 = klr; \
828 t3 &= rl; \
829 t1 |= lr; \
830 ll ^= t1; \
831 rr ^= rol32(t3, 1); \
832})
833
834#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir) ({ \
835 yl ^= kl; \
836 yr ^= kr; \
837 ir = camellia_sp1110[(u8)xr]; \
838 il = camellia_sp1110[(u8)(xl >> 24)]; \
839 ir ^= camellia_sp0222[(u8)(xr >> 24)]; \
840 il ^= camellia_sp0222[(u8)(xl >> 16)]; \
841 ir ^= camellia_sp3033[(u8)(xr >> 16)]; \
842 il ^= camellia_sp3033[(u8)(xl >> 8)]; \
843 ir ^= camellia_sp4404[(u8)(xr >> 8)]; \
844 il ^= camellia_sp4404[(u8)xl]; \
845 ir ^= il; \
846 yl ^= ir; \
847 yr ^= ror32(il, 8) ^ ir; \
848})
849
850/* max = 24: 128bit encrypt, max = 32: 256bit encrypt */
851static void camellia_do_encrypt(const u32 *subkey, u32 *io, unsigned max)
852{
853 u32 il, ir, t0, t1; /* temporary variables */
854
855 /* pre whitening but absorb kw2 */
856 io[0] ^= SUBKEY_L(0);
857 io[1] ^= SUBKEY_R(0);
858
859 /* main iteration */
860#define ROUNDS(i) ({ \
861 CAMELLIA_ROUNDSM(io[0], io[1], \
862 SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
863 io[2], io[3], il, ir); \
864 CAMELLIA_ROUNDSM(io[2], io[3], \
865 SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
866 io[0], io[1], il, ir); \
867 CAMELLIA_ROUNDSM(io[0], io[1], \
868 SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
869 io[2], io[3], il, ir); \
870 CAMELLIA_ROUNDSM(io[2], io[3], \
871 SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
872 io[0], io[1], il, ir); \
873 CAMELLIA_ROUNDSM(io[0], io[1], \
874 SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
875 io[2], io[3], il, ir); \
876 CAMELLIA_ROUNDSM(io[2], io[3], \
877 SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
878 io[0], io[1], il, ir); \
879})
880#define FLS(i) ({ \
881 CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
882 SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
883 SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
884 t0, t1, il, ir); \
885})
886
887 ROUNDS(0);
888 FLS(8);
889 ROUNDS(8);
890 FLS(16);
891 ROUNDS(16);
892 if (max == 32) {
893 FLS(24);
894 ROUNDS(24);
895 }
896
897#undef ROUNDS
898#undef FLS
899
900 /* post whitening but kw4 */
901 io[2] ^= SUBKEY_L(max);
902 io[3] ^= SUBKEY_R(max);
903 /* NB: io[0],[1] should be swapped with [2],[3] by caller! */
904}
905
906static void camellia_do_decrypt(const u32 *subkey, u32 *io, unsigned i)
907{
908 u32 il, ir, t0, t1; /* temporary variables */
909
910 /* pre whitening but absorb kw2 */
911 io[0] ^= SUBKEY_L(i);
912 io[1] ^= SUBKEY_R(i);
913
914 /* main iteration */
915#define ROUNDS(i) ({ \
916 CAMELLIA_ROUNDSM(io[0], io[1], \
917 SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
918 io[2], io[3], il, ir); \
919 CAMELLIA_ROUNDSM(io[2], io[3], \
920 SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
921 io[0], io[1], il, ir); \
922 CAMELLIA_ROUNDSM(io[0], io[1], \
923 SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
924 io[2], io[3], il, ir); \
925 CAMELLIA_ROUNDSM(io[2], io[3], \
926 SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
927 io[0], io[1], il, ir); \
928 CAMELLIA_ROUNDSM(io[0], io[1], \
929 SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
930 io[2], io[3], il, ir); \
931 CAMELLIA_ROUNDSM(io[2], io[3], \
932 SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
933 io[0], io[1], il, ir); \
934})
935#define FLS(i) ({ \
936 CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
937 SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
938 SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
939 t0, t1, il, ir); \
940})
941
942 if (i == 32) {
943 ROUNDS(24);
944 FLS(24);
945 }
946 ROUNDS(16);
947 FLS(16);
948 ROUNDS(8);
949 FLS(8);
950 ROUNDS(0);
951
952#undef ROUNDS
953#undef FLS
954
955 /* post whitening but kw4 */
956 io[2] ^= SUBKEY_L(0);
957 io[3] ^= SUBKEY_R(0);
958 /* NB: 0,1 should be swapped with 2,3 by caller! */
959}
960
961
962struct camellia_ctx {
963 int key_length;
964 u32 key_table[CAMELLIA_TABLE_BYTE_LEN / sizeof(u32)];
965};
966
967static int
968camellia_set_key(struct crypto_tfm *tfm, const u8 *in_key,
969 unsigned int key_len)
970{
971 struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
972 const unsigned char *key = (const unsigned char *)in_key;
973
974 if (key_len != 16 && key_len != 24 && key_len != 32)
975 return -EINVAL;
976
977 cctx->key_length = key_len;
978
979 switch (key_len) {
980 case 16:
981 camellia_setup128(key, cctx->key_table);
982 break;
983 case 24:
984 camellia_setup192(key, cctx->key_table);
985 break;
986 case 32:
987 camellia_setup256(key, cctx->key_table);
988 break;
989 }
990
991 return 0;
992}
993
994static void camellia_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
995{
996 const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
997 const __be32 *src = (const __be32 *)in;
998 __be32 *dst = (__be32 *)out;
999 unsigned int max;
1000
1001 u32 tmp[4];
1002
1003 tmp[0] = be32_to_cpu(src[0]);
1004 tmp[1] = be32_to_cpu(src[1]);
1005 tmp[2] = be32_to_cpu(src[2]);
1006 tmp[3] = be32_to_cpu(src[3]);
1007
1008 if (cctx->key_length == 16)
1009 max = 24;
1010 else
1011 max = 32; /* for key lengths of 24 and 32 */
1012
1013 camellia_do_encrypt(cctx->key_table, tmp, max);
1014
1015 /* do_encrypt returns 0,1 swapped with 2,3 */
1016 dst[0] = cpu_to_be32(tmp[2]);
1017 dst[1] = cpu_to_be32(tmp[3]);
1018 dst[2] = cpu_to_be32(tmp[0]);
1019 dst[3] = cpu_to_be32(tmp[1]);
1020}
1021
1022static void camellia_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1023{
1024 const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1025 const __be32 *src = (const __be32 *)in;
1026 __be32 *dst = (__be32 *)out;
1027 unsigned int max;
1028
1029 u32 tmp[4];
1030
1031 tmp[0] = be32_to_cpu(src[0]);
1032 tmp[1] = be32_to_cpu(src[1]);
1033 tmp[2] = be32_to_cpu(src[2]);
1034 tmp[3] = be32_to_cpu(src[3]);
1035
1036 if (cctx->key_length == 16)
1037 max = 24;
1038 else
1039 max = 32; /* for key lengths of 24 and 32 */
1040
1041 camellia_do_decrypt(cctx->key_table, tmp, max);
1042
1043 /* do_decrypt returns 0,1 swapped with 2,3 */
1044 dst[0] = cpu_to_be32(tmp[2]);
1045 dst[1] = cpu_to_be32(tmp[3]);
1046 dst[2] = cpu_to_be32(tmp[0]);
1047 dst[3] = cpu_to_be32(tmp[1]);
1048}
1049
1050static struct crypto_alg camellia_alg = {
1051 .cra_name = "camellia",
1052 .cra_driver_name = "camellia-generic",
1053 .cra_priority = 100,
1054 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
1055 .cra_blocksize = CAMELLIA_BLOCK_SIZE,
1056 .cra_ctxsize = sizeof(struct camellia_ctx),
1057 .cra_alignmask = 3,
1058 .cra_module = THIS_MODULE,
1059 .cra_u = {
1060 .cipher = {
1061 .cia_min_keysize = CAMELLIA_MIN_KEY_SIZE,
1062 .cia_max_keysize = CAMELLIA_MAX_KEY_SIZE,
1063 .cia_setkey = camellia_set_key,
1064 .cia_encrypt = camellia_encrypt,
1065 .cia_decrypt = camellia_decrypt
1066 }
1067 }
1068};
1069
1070static int __init camellia_init(void)
1071{
1072 return crypto_register_alg(&camellia_alg);
1073}
1074
1075static void __exit camellia_fini(void)
1076{
1077 crypto_unregister_alg(&camellia_alg);
1078}
1079
1080subsys_initcall(camellia_init);
1081module_exit(camellia_fini);
1082
1083MODULE_DESCRIPTION("Camellia Cipher Algorithm");
1084MODULE_LICENSE("GPL");
1085MODULE_ALIAS_CRYPTO("camellia");
1086MODULE_ALIAS_CRYPTO("camellia-generic");
1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * Copyright (C) 2006
4 * NTT (Nippon Telegraph and Telephone Corporation).
5 */
6
7/*
8 * Algorithm Specification
9 * https://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
10 */
11
12#include <crypto/algapi.h>
13#include <linux/errno.h>
14#include <linux/init.h>
15#include <linux/kernel.h>
16#include <linux/module.h>
17#include <linux/bitops.h>
18#include <asm/unaligned.h>
19
20static const u32 camellia_sp1110[256] = {
21 0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00,
22 0xb3b3b300, 0x27272700, 0xc0c0c000, 0xe5e5e500,
23 0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
24 0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100,
25 0x23232300, 0xefefef00, 0x6b6b6b00, 0x93939300,
26 0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
27 0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00,
28 0x1d1d1d00, 0x65656500, 0x92929200, 0xbdbdbd00,
29 0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
30 0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00,
31 0x3e3e3e00, 0x30303000, 0xdcdcdc00, 0x5f5f5f00,
32 0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
33 0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00,
34 0xd5d5d500, 0x47474700, 0x5d5d5d00, 0x3d3d3d00,
35 0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
36 0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00,
37 0x8b8b8b00, 0x0d0d0d00, 0x9a9a9a00, 0x66666600,
38 0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
39 0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000,
40 0xf0f0f000, 0xb1b1b100, 0x84848400, 0x99999900,
41 0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
42 0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500,
43 0x6d6d6d00, 0xb7b7b700, 0xa9a9a900, 0x31313100,
44 0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
45 0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100,
46 0xdedede00, 0x1b1b1b00, 0x11111100, 0x1c1c1c00,
47 0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
48 0x53535300, 0x18181800, 0xf2f2f200, 0x22222200,
49 0xfefefe00, 0x44444400, 0xcfcfcf00, 0xb2b2b200,
50 0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
51 0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800,
52 0x60606000, 0xfcfcfc00, 0x69696900, 0x50505000,
53 0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
54 0xa1a1a100, 0x89898900, 0x62626200, 0x97979700,
55 0x54545400, 0x5b5b5b00, 0x1e1e1e00, 0x95959500,
56 0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
57 0x10101000, 0xc4c4c400, 0x00000000, 0x48484800,
58 0xa3a3a300, 0xf7f7f700, 0x75757500, 0xdbdbdb00,
59 0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
60 0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400,
61 0x87878700, 0x5c5c5c00, 0x83838300, 0x02020200,
62 0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
63 0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300,
64 0x9d9d9d00, 0x7f7f7f00, 0xbfbfbf00, 0xe2e2e200,
65 0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
66 0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00,
67 0x81818100, 0x96969600, 0x6f6f6f00, 0x4b4b4b00,
68 0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
69 0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00,
70 0x9f9f9f00, 0x6e6e6e00, 0xbcbcbc00, 0x8e8e8e00,
71 0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
72 0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900,
73 0x78787800, 0x98989800, 0x06060600, 0x6a6a6a00,
74 0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
75 0xd4d4d400, 0x25252500, 0xababab00, 0x42424200,
76 0x88888800, 0xa2a2a200, 0x8d8d8d00, 0xfafafa00,
77 0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
78 0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00,
79 0x36363600, 0x49494900, 0x2a2a2a00, 0x68686800,
80 0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
81 0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00,
82 0xbbbbbb00, 0xc9c9c900, 0x43434300, 0xc1c1c100,
83 0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
84 0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00,
85};
86
87static const u32 camellia_sp0222[256] = {
88 0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9,
89 0x00676767, 0x004e4e4e, 0x00818181, 0x00cbcbcb,
90 0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
91 0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282,
92 0x00464646, 0x00dfdfdf, 0x00d6d6d6, 0x00272727,
93 0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
94 0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c,
95 0x003a3a3a, 0x00cacaca, 0x00252525, 0x007b7b7b,
96 0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
97 0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d,
98 0x007c7c7c, 0x00606060, 0x00b9b9b9, 0x00bebebe,
99 0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
100 0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595,
101 0x00ababab, 0x008e8e8e, 0x00bababa, 0x007a7a7a,
102 0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
103 0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a,
104 0x00171717, 0x001a1a1a, 0x00353535, 0x00cccccc,
105 0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
106 0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040,
107 0x00e1e1e1, 0x00636363, 0x00090909, 0x00333333,
108 0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
109 0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a,
110 0x00dadada, 0x006f6f6f, 0x00535353, 0x00626262,
111 0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
112 0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2,
113 0x00bdbdbd, 0x00363636, 0x00222222, 0x00383838,
114 0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
115 0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444,
116 0x00fdfdfd, 0x00888888, 0x009f9f9f, 0x00656565,
117 0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
118 0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151,
119 0x00c0c0c0, 0x00f9f9f9, 0x00d2d2d2, 0x00a0a0a0,
120 0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
121 0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f,
122 0x00a8a8a8, 0x00b6b6b6, 0x003c3c3c, 0x002b2b2b,
123 0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
124 0x00202020, 0x00898989, 0x00000000, 0x00909090,
125 0x00474747, 0x00efefef, 0x00eaeaea, 0x00b7b7b7,
126 0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
127 0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929,
128 0x000f0f0f, 0x00b8b8b8, 0x00070707, 0x00040404,
129 0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
130 0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7,
131 0x003b3b3b, 0x00fefefe, 0x007f7f7f, 0x00c5c5c5,
132 0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
133 0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676,
134 0x00030303, 0x002d2d2d, 0x00dedede, 0x00969696,
135 0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
136 0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919,
137 0x003f3f3f, 0x00dcdcdc, 0x00797979, 0x001d1d1d,
138 0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
139 0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2,
140 0x00f0f0f0, 0x00313131, 0x000c0c0c, 0x00d4d4d4,
141 0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
142 0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484,
143 0x00111111, 0x00454545, 0x001b1b1b, 0x00f5f5f5,
144 0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
145 0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414,
146 0x006c6c6c, 0x00929292, 0x00545454, 0x00d0d0d0,
147 0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
148 0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6,
149 0x00777777, 0x00939393, 0x00868686, 0x00838383,
150 0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
151 0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d,
152};
153
154static const u32 camellia_sp3033[256] = {
155 0x38003838, 0x41004141, 0x16001616, 0x76007676,
156 0xd900d9d9, 0x93009393, 0x60006060, 0xf200f2f2,
157 0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
158 0x75007575, 0x06000606, 0x57005757, 0xa000a0a0,
159 0x91009191, 0xf700f7f7, 0xb500b5b5, 0xc900c9c9,
160 0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
161 0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727,
162 0x8e008e8e, 0xb200b2b2, 0x49004949, 0xde00dede,
163 0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
164 0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767,
165 0x1f001f1f, 0x18001818, 0x6e006e6e, 0xaf00afaf,
166 0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
167 0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565,
168 0xea00eaea, 0xa300a3a3, 0xae00aeae, 0x9e009e9e,
169 0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
170 0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6,
171 0xc500c5c5, 0x86008686, 0x4d004d4d, 0x33003333,
172 0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
173 0x3a003a3a, 0x09000909, 0x95009595, 0x10001010,
174 0x78007878, 0xd800d8d8, 0x42004242, 0xcc00cccc,
175 0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
176 0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282,
177 0xb600b6b6, 0xdb00dbdb, 0xd400d4d4, 0x98009898,
178 0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
179 0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0,
180 0x6f006f6f, 0x8d008d8d, 0x88008888, 0x0e000e0e,
181 0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
182 0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111,
183 0x7f007f7f, 0x22002222, 0xe700e7e7, 0x59005959,
184 0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
185 0x12001212, 0x04000404, 0x74007474, 0x54005454,
186 0x30003030, 0x7e007e7e, 0xb400b4b4, 0x28002828,
187 0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
188 0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb,
189 0x2a002a2a, 0xad00adad, 0x0f000f0f, 0xca00caca,
190 0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
191 0x08000808, 0x62006262, 0x00000000, 0x24002424,
192 0xd100d1d1, 0xfb00fbfb, 0xba00baba, 0xed00eded,
193 0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
194 0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a,
195 0xc300c3c3, 0x2e002e2e, 0xc100c1c1, 0x01000101,
196 0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
197 0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9,
198 0xce00cece, 0xbf00bfbf, 0xdf00dfdf, 0x71007171,
199 0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
200 0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d,
201 0xc000c0c0, 0x4b004b4b, 0xb700b7b7, 0xa500a5a5,
202 0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
203 0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646,
204 0xcf00cfcf, 0x37003737, 0x5e005e5e, 0x47004747,
205 0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
206 0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac,
207 0x3c003c3c, 0x4c004c4c, 0x03000303, 0x35003535,
208 0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
209 0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121,
210 0x44004444, 0x51005151, 0xc600c6c6, 0x7d007d7d,
211 0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
212 0x7c007c7c, 0x77007777, 0x56005656, 0x05000505,
213 0x1b001b1b, 0xa400a4a4, 0x15001515, 0x34003434,
214 0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
215 0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd,
216 0xdd00dddd, 0xe400e4e4, 0xa100a1a1, 0xe000e0e0,
217 0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
218 0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f,
219};
220
221static const u32 camellia_sp4404[256] = {
222 0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0,
223 0xe4e400e4, 0x57570057, 0xeaea00ea, 0xaeae00ae,
224 0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
225 0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092,
226 0x86860086, 0xafaf00af, 0x7c7c007c, 0x1f1f001f,
227 0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
228 0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d,
229 0xd9d900d9, 0x5a5a005a, 0x51510051, 0x6c6c006c,
230 0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
231 0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084,
232 0xdfdf00df, 0xcbcb00cb, 0x34340034, 0x76760076,
233 0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
234 0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011,
235 0x32320032, 0x9c9c009c, 0x53530053, 0xf2f200f2,
236 0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
237 0x24240024, 0xe8e800e8, 0x60600060, 0x69690069,
238 0xaaaa00aa, 0xa0a000a0, 0xa1a100a1, 0x62620062,
239 0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
240 0x10100010, 0x00000000, 0xa3a300a3, 0x75750075,
241 0x8a8a008a, 0xe6e600e6, 0x09090009, 0xdddd00dd,
242 0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
243 0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf,
244 0x52520052, 0xd8d800d8, 0xc8c800c8, 0xc6c600c6,
245 0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
246 0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc,
247 0x29290029, 0xf9f900f9, 0x2f2f002f, 0xb4b400b4,
248 0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
249 0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d,
250 0x72720072, 0xb9b900b9, 0xf8f800f8, 0xacac00ac,
251 0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
252 0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043,
253 0x15150015, 0xadad00ad, 0x77770077, 0x80800080,
254 0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
255 0x85850085, 0x35350035, 0x0c0c000c, 0x41410041,
256 0xefef00ef, 0x93930093, 0x19190019, 0x21210021,
257 0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
258 0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce,
259 0x30300030, 0x5f5f005f, 0xc5c500c5, 0x1a1a001a,
260 0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
261 0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d,
262 0x0d0d000d, 0x66660066, 0xcccc00cc, 0x2d2d002d,
263 0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
264 0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005,
265 0xb7b700b7, 0x31310031, 0x17170017, 0xd7d700d7,
266 0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
267 0x0f0f000f, 0x16160016, 0x18180018, 0x22220022,
268 0x44440044, 0xb2b200b2, 0xb5b500b5, 0x91910091,
269 0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
270 0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097,
271 0x5b5b005b, 0x95950095, 0xffff00ff, 0xd2d200d2,
272 0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
273 0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094,
274 0x5c5c005c, 0x02020002, 0x4a4a004a, 0x33330033,
275 0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
276 0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b,
277 0x96960096, 0x4b4b004b, 0xbebe00be, 0x2e2e002e,
278 0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
279 0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059,
280 0x98980098, 0x6a6a006a, 0x46460046, 0xbaba00ba,
281 0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
282 0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a,
283 0x49490049, 0x68680068, 0x38380038, 0xa4a400a4,
284 0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
285 0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e,
286};
287
288
289#define CAMELLIA_MIN_KEY_SIZE 16
290#define CAMELLIA_MAX_KEY_SIZE 32
291#define CAMELLIA_BLOCK_SIZE 16
292#define CAMELLIA_TABLE_BYTE_LEN 272
293
294/*
295 * NB: L and R below stand for 'left' and 'right' as in written numbers.
296 * That is, in (xxxL,xxxR) pair xxxL holds most significant digits,
297 * _not_ least significant ones!
298 */
299
300
301/* key constants */
302
303#define CAMELLIA_SIGMA1L (0xA09E667FL)
304#define CAMELLIA_SIGMA1R (0x3BCC908BL)
305#define CAMELLIA_SIGMA2L (0xB67AE858L)
306#define CAMELLIA_SIGMA2R (0x4CAA73B2L)
307#define CAMELLIA_SIGMA3L (0xC6EF372FL)
308#define CAMELLIA_SIGMA3R (0xE94F82BEL)
309#define CAMELLIA_SIGMA4L (0x54FF53A5L)
310#define CAMELLIA_SIGMA4R (0xF1D36F1CL)
311#define CAMELLIA_SIGMA5L (0x10E527FAL)
312#define CAMELLIA_SIGMA5R (0xDE682D1DL)
313#define CAMELLIA_SIGMA6L (0xB05688C2L)
314#define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
315
316/*
317 * macros
318 */
319#define ROLDQ(ll, lr, rl, rr, w0, w1, bits) ({ \
320 w0 = ll; \
321 ll = (ll << bits) + (lr >> (32 - bits)); \
322 lr = (lr << bits) + (rl >> (32 - bits)); \
323 rl = (rl << bits) + (rr >> (32 - bits)); \
324 rr = (rr << bits) + (w0 >> (32 - bits)); \
325})
326
327#define ROLDQo32(ll, lr, rl, rr, w0, w1, bits) ({ \
328 w0 = ll; \
329 w1 = lr; \
330 ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
331 lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
332 rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
333 rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
334})
335
336#define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) ({ \
337 il = xl ^ kl; \
338 ir = xr ^ kr; \
339 t0 = il >> 16; \
340 t1 = ir >> 16; \
341 yl = camellia_sp1110[(u8)(ir)] \
342 ^ camellia_sp0222[(u8)(t1 >> 8)] \
343 ^ camellia_sp3033[(u8)(t1)] \
344 ^ camellia_sp4404[(u8)(ir >> 8)]; \
345 yr = camellia_sp1110[(u8)(t0 >> 8)] \
346 ^ camellia_sp0222[(u8)(t0)] \
347 ^ camellia_sp3033[(u8)(il >> 8)] \
348 ^ camellia_sp4404[(u8)(il)]; \
349 yl ^= yr; \
350 yr = ror32(yr, 8); \
351 yr ^= yl; \
352})
353
354#define SUBKEY_L(INDEX) (subkey[(INDEX)*2])
355#define SUBKEY_R(INDEX) (subkey[(INDEX)*2 + 1])
356
357static void camellia_setup_tail(u32 *subkey, u32 *subL, u32 *subR, int max)
358{
359 u32 dw, tl, tr;
360 u32 kw4l, kw4r;
361
362 /* absorb kw2 to other subkeys */
363 /* round 2 */
364 subL[3] ^= subL[1]; subR[3] ^= subR[1];
365 /* round 4 */
366 subL[5] ^= subL[1]; subR[5] ^= subR[1];
367 /* round 6 */
368 subL[7] ^= subL[1]; subR[7] ^= subR[1];
369 subL[1] ^= subR[1] & ~subR[9];
370 dw = subL[1] & subL[9];
371 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl2) */
372 /* round 8 */
373 subL[11] ^= subL[1]; subR[11] ^= subR[1];
374 /* round 10 */
375 subL[13] ^= subL[1]; subR[13] ^= subR[1];
376 /* round 12 */
377 subL[15] ^= subL[1]; subR[15] ^= subR[1];
378 subL[1] ^= subR[1] & ~subR[17];
379 dw = subL[1] & subL[17];
380 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl4) */
381 /* round 14 */
382 subL[19] ^= subL[1]; subR[19] ^= subR[1];
383 /* round 16 */
384 subL[21] ^= subL[1]; subR[21] ^= subR[1];
385 /* round 18 */
386 subL[23] ^= subL[1]; subR[23] ^= subR[1];
387 if (max == 24) {
388 /* kw3 */
389 subL[24] ^= subL[1]; subR[24] ^= subR[1];
390
391 /* absorb kw4 to other subkeys */
392 kw4l = subL[25]; kw4r = subR[25];
393 } else {
394 subL[1] ^= subR[1] & ~subR[25];
395 dw = subL[1] & subL[25];
396 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl6) */
397 /* round 20 */
398 subL[27] ^= subL[1]; subR[27] ^= subR[1];
399 /* round 22 */
400 subL[29] ^= subL[1]; subR[29] ^= subR[1];
401 /* round 24 */
402 subL[31] ^= subL[1]; subR[31] ^= subR[1];
403 /* kw3 */
404 subL[32] ^= subL[1]; subR[32] ^= subR[1];
405
406 /* absorb kw4 to other subkeys */
407 kw4l = subL[33]; kw4r = subR[33];
408 /* round 23 */
409 subL[30] ^= kw4l; subR[30] ^= kw4r;
410 /* round 21 */
411 subL[28] ^= kw4l; subR[28] ^= kw4r;
412 /* round 19 */
413 subL[26] ^= kw4l; subR[26] ^= kw4r;
414 kw4l ^= kw4r & ~subR[24];
415 dw = kw4l & subL[24];
416 kw4r ^= rol32(dw, 1); /* modified for FL(kl5) */
417 }
418 /* round 17 */
419 subL[22] ^= kw4l; subR[22] ^= kw4r;
420 /* round 15 */
421 subL[20] ^= kw4l; subR[20] ^= kw4r;
422 /* round 13 */
423 subL[18] ^= kw4l; subR[18] ^= kw4r;
424 kw4l ^= kw4r & ~subR[16];
425 dw = kw4l & subL[16];
426 kw4r ^= rol32(dw, 1); /* modified for FL(kl3) */
427 /* round 11 */
428 subL[14] ^= kw4l; subR[14] ^= kw4r;
429 /* round 9 */
430 subL[12] ^= kw4l; subR[12] ^= kw4r;
431 /* round 7 */
432 subL[10] ^= kw4l; subR[10] ^= kw4r;
433 kw4l ^= kw4r & ~subR[8];
434 dw = kw4l & subL[8];
435 kw4r ^= rol32(dw, 1); /* modified for FL(kl1) */
436 /* round 5 */
437 subL[6] ^= kw4l; subR[6] ^= kw4r;
438 /* round 3 */
439 subL[4] ^= kw4l; subR[4] ^= kw4r;
440 /* round 1 */
441 subL[2] ^= kw4l; subR[2] ^= kw4r;
442 /* kw1 */
443 subL[0] ^= kw4l; subR[0] ^= kw4r;
444
445 /* key XOR is end of F-function */
446 SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
447 SUBKEY_R(0) = subR[0] ^ subR[2];
448 SUBKEY_L(2) = subL[3]; /* round 1 */
449 SUBKEY_R(2) = subR[3];
450 SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
451 SUBKEY_R(3) = subR[2] ^ subR[4];
452 SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
453 SUBKEY_R(4) = subR[3] ^ subR[5];
454 SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
455 SUBKEY_R(5) = subR[4] ^ subR[6];
456 SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
457 SUBKEY_R(6) = subR[5] ^ subR[7];
458 tl = subL[10] ^ (subR[10] & ~subR[8]);
459 dw = tl & subL[8]; /* FL(kl1) */
460 tr = subR[10] ^ rol32(dw, 1);
461 SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
462 SUBKEY_R(7) = subR[6] ^ tr;
463 SUBKEY_L(8) = subL[8]; /* FL(kl1) */
464 SUBKEY_R(8) = subR[8];
465 SUBKEY_L(9) = subL[9]; /* FLinv(kl2) */
466 SUBKEY_R(9) = subR[9];
467 tl = subL[7] ^ (subR[7] & ~subR[9]);
468 dw = tl & subL[9]; /* FLinv(kl2) */
469 tr = subR[7] ^ rol32(dw, 1);
470 SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
471 SUBKEY_R(10) = tr ^ subR[11];
472 SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
473 SUBKEY_R(11) = subR[10] ^ subR[12];
474 SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
475 SUBKEY_R(12) = subR[11] ^ subR[13];
476 SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
477 SUBKEY_R(13) = subR[12] ^ subR[14];
478 SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
479 SUBKEY_R(14) = subR[13] ^ subR[15];
480 tl = subL[18] ^ (subR[18] & ~subR[16]);
481 dw = tl & subL[16]; /* FL(kl3) */
482 tr = subR[18] ^ rol32(dw, 1);
483 SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
484 SUBKEY_R(15) = subR[14] ^ tr;
485 SUBKEY_L(16) = subL[16]; /* FL(kl3) */
486 SUBKEY_R(16) = subR[16];
487 SUBKEY_L(17) = subL[17]; /* FLinv(kl4) */
488 SUBKEY_R(17) = subR[17];
489 tl = subL[15] ^ (subR[15] & ~subR[17]);
490 dw = tl & subL[17]; /* FLinv(kl4) */
491 tr = subR[15] ^ rol32(dw, 1);
492 SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
493 SUBKEY_R(18) = tr ^ subR[19];
494 SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
495 SUBKEY_R(19) = subR[18] ^ subR[20];
496 SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
497 SUBKEY_R(20) = subR[19] ^ subR[21];
498 SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
499 SUBKEY_R(21) = subR[20] ^ subR[22];
500 SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
501 SUBKEY_R(22) = subR[21] ^ subR[23];
502 if (max == 24) {
503 SUBKEY_L(23) = subL[22]; /* round 18 */
504 SUBKEY_R(23) = subR[22];
505 SUBKEY_L(24) = subL[24] ^ subL[23]; /* kw3 */
506 SUBKEY_R(24) = subR[24] ^ subR[23];
507 } else {
508 tl = subL[26] ^ (subR[26] & ~subR[24]);
509 dw = tl & subL[24]; /* FL(kl5) */
510 tr = subR[26] ^ rol32(dw, 1);
511 SUBKEY_L(23) = subL[22] ^ tl; /* round 18 */
512 SUBKEY_R(23) = subR[22] ^ tr;
513 SUBKEY_L(24) = subL[24]; /* FL(kl5) */
514 SUBKEY_R(24) = subR[24];
515 SUBKEY_L(25) = subL[25]; /* FLinv(kl6) */
516 SUBKEY_R(25) = subR[25];
517 tl = subL[23] ^ (subR[23] & ~subR[25]);
518 dw = tl & subL[25]; /* FLinv(kl6) */
519 tr = subR[23] ^ rol32(dw, 1);
520 SUBKEY_L(26) = tl ^ subL[27]; /* round 19 */
521 SUBKEY_R(26) = tr ^ subR[27];
522 SUBKEY_L(27) = subL[26] ^ subL[28]; /* round 20 */
523 SUBKEY_R(27) = subR[26] ^ subR[28];
524 SUBKEY_L(28) = subL[27] ^ subL[29]; /* round 21 */
525 SUBKEY_R(28) = subR[27] ^ subR[29];
526 SUBKEY_L(29) = subL[28] ^ subL[30]; /* round 22 */
527 SUBKEY_R(29) = subR[28] ^ subR[30];
528 SUBKEY_L(30) = subL[29] ^ subL[31]; /* round 23 */
529 SUBKEY_R(30) = subR[29] ^ subR[31];
530 SUBKEY_L(31) = subL[30]; /* round 24 */
531 SUBKEY_R(31) = subR[30];
532 SUBKEY_L(32) = subL[32] ^ subL[31]; /* kw3 */
533 SUBKEY_R(32) = subR[32] ^ subR[31];
534 }
535}
536
537static void camellia_setup128(const unsigned char *key, u32 *subkey)
538{
539 u32 kll, klr, krl, krr;
540 u32 il, ir, t0, t1, w0, w1;
541 u32 subL[26];
542 u32 subR[26];
543
544 /**
545 * k == kll || klr || krl || krr (|| is concatenation)
546 */
547 kll = get_unaligned_be32(key);
548 klr = get_unaligned_be32(key + 4);
549 krl = get_unaligned_be32(key + 8);
550 krr = get_unaligned_be32(key + 12);
551
552 /* generate KL dependent subkeys */
553 /* kw1 */
554 subL[0] = kll; subR[0] = klr;
555 /* kw2 */
556 subL[1] = krl; subR[1] = krr;
557 /* rotation left shift 15bit */
558 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
559 /* k3 */
560 subL[4] = kll; subR[4] = klr;
561 /* k4 */
562 subL[5] = krl; subR[5] = krr;
563 /* rotation left shift 15+30bit */
564 ROLDQ(kll, klr, krl, krr, w0, w1, 30);
565 /* k7 */
566 subL[10] = kll; subR[10] = klr;
567 /* k8 */
568 subL[11] = krl; subR[11] = krr;
569 /* rotation left shift 15+30+15bit */
570 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
571 /* k10 */
572 subL[13] = krl; subR[13] = krr;
573 /* rotation left shift 15+30+15+17 bit */
574 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
575 /* kl3 */
576 subL[16] = kll; subR[16] = klr;
577 /* kl4 */
578 subL[17] = krl; subR[17] = krr;
579 /* rotation left shift 15+30+15+17+17 bit */
580 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
581 /* k13 */
582 subL[18] = kll; subR[18] = klr;
583 /* k14 */
584 subL[19] = krl; subR[19] = krr;
585 /* rotation left shift 15+30+15+17+17+17 bit */
586 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
587 /* k17 */
588 subL[22] = kll; subR[22] = klr;
589 /* k18 */
590 subL[23] = krl; subR[23] = krr;
591
592 /* generate KA */
593 kll = subL[0]; klr = subR[0];
594 krl = subL[1]; krr = subR[1];
595 CAMELLIA_F(kll, klr,
596 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
597 w0, w1, il, ir, t0, t1);
598 krl ^= w0; krr ^= w1;
599 CAMELLIA_F(krl, krr,
600 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
601 kll, klr, il, ir, t0, t1);
602 /* current status == (kll, klr, w0, w1) */
603 CAMELLIA_F(kll, klr,
604 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
605 krl, krr, il, ir, t0, t1);
606 krl ^= w0; krr ^= w1;
607 CAMELLIA_F(krl, krr,
608 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
609 w0, w1, il, ir, t0, t1);
610 kll ^= w0; klr ^= w1;
611
612 /* generate KA dependent subkeys */
613 /* k1, k2 */
614 subL[2] = kll; subR[2] = klr;
615 subL[3] = krl; subR[3] = krr;
616 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
617 /* k5,k6 */
618 subL[6] = kll; subR[6] = klr;
619 subL[7] = krl; subR[7] = krr;
620 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
621 /* kl1, kl2 */
622 subL[8] = kll; subR[8] = klr;
623 subL[9] = krl; subR[9] = krr;
624 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
625 /* k9 */
626 subL[12] = kll; subR[12] = klr;
627 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
628 /* k11, k12 */
629 subL[14] = kll; subR[14] = klr;
630 subL[15] = krl; subR[15] = krr;
631 ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
632 /* k15, k16 */
633 subL[20] = kll; subR[20] = klr;
634 subL[21] = krl; subR[21] = krr;
635 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
636 /* kw3, kw4 */
637 subL[24] = kll; subR[24] = klr;
638 subL[25] = krl; subR[25] = krr;
639
640 camellia_setup_tail(subkey, subL, subR, 24);
641}
642
643static void camellia_setup256(const unsigned char *key, u32 *subkey)
644{
645 u32 kll, klr, krl, krr; /* left half of key */
646 u32 krll, krlr, krrl, krrr; /* right half of key */
647 u32 il, ir, t0, t1, w0, w1; /* temporary variables */
648 u32 subL[34];
649 u32 subR[34];
650
651 /**
652 * key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
653 * (|| is concatenation)
654 */
655 kll = get_unaligned_be32(key);
656 klr = get_unaligned_be32(key + 4);
657 krl = get_unaligned_be32(key + 8);
658 krr = get_unaligned_be32(key + 12);
659 krll = get_unaligned_be32(key + 16);
660 krlr = get_unaligned_be32(key + 20);
661 krrl = get_unaligned_be32(key + 24);
662 krrr = get_unaligned_be32(key + 28);
663
664 /* generate KL dependent subkeys */
665 /* kw1 */
666 subL[0] = kll; subR[0] = klr;
667 /* kw2 */
668 subL[1] = krl; subR[1] = krr;
669 ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
670 /* k9 */
671 subL[12] = kll; subR[12] = klr;
672 /* k10 */
673 subL[13] = krl; subR[13] = krr;
674 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
675 /* kl3 */
676 subL[16] = kll; subR[16] = klr;
677 /* kl4 */
678 subL[17] = krl; subR[17] = krr;
679 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
680 /* k17 */
681 subL[22] = kll; subR[22] = klr;
682 /* k18 */
683 subL[23] = krl; subR[23] = krr;
684 ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
685 /* k23 */
686 subL[30] = kll; subR[30] = klr;
687 /* k24 */
688 subL[31] = krl; subR[31] = krr;
689
690 /* generate KR dependent subkeys */
691 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
692 /* k3 */
693 subL[4] = krll; subR[4] = krlr;
694 /* k4 */
695 subL[5] = krrl; subR[5] = krrr;
696 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
697 /* kl1 */
698 subL[8] = krll; subR[8] = krlr;
699 /* kl2 */
700 subL[9] = krrl; subR[9] = krrr;
701 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
702 /* k13 */
703 subL[18] = krll; subR[18] = krlr;
704 /* k14 */
705 subL[19] = krrl; subR[19] = krrr;
706 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
707 /* k19 */
708 subL[26] = krll; subR[26] = krlr;
709 /* k20 */
710 subL[27] = krrl; subR[27] = krrr;
711 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
712
713 /* generate KA */
714 kll = subL[0] ^ krll; klr = subR[0] ^ krlr;
715 krl = subL[1] ^ krrl; krr = subR[1] ^ krrr;
716 CAMELLIA_F(kll, klr,
717 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
718 w0, w1, il, ir, t0, t1);
719 krl ^= w0; krr ^= w1;
720 CAMELLIA_F(krl, krr,
721 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
722 kll, klr, il, ir, t0, t1);
723 kll ^= krll; klr ^= krlr;
724 CAMELLIA_F(kll, klr,
725 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
726 krl, krr, il, ir, t0, t1);
727 krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
728 CAMELLIA_F(krl, krr,
729 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
730 w0, w1, il, ir, t0, t1);
731 kll ^= w0; klr ^= w1;
732
733 /* generate KB */
734 krll ^= kll; krlr ^= klr;
735 krrl ^= krl; krrr ^= krr;
736 CAMELLIA_F(krll, krlr,
737 CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
738 w0, w1, il, ir, t0, t1);
739 krrl ^= w0; krrr ^= w1;
740 CAMELLIA_F(krrl, krrr,
741 CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
742 w0, w1, il, ir, t0, t1);
743 krll ^= w0; krlr ^= w1;
744
745 /* generate KA dependent subkeys */
746 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
747 /* k5 */
748 subL[6] = kll; subR[6] = klr;
749 /* k6 */
750 subL[7] = krl; subR[7] = krr;
751 ROLDQ(kll, klr, krl, krr, w0, w1, 30);
752 /* k11 */
753 subL[14] = kll; subR[14] = klr;
754 /* k12 */
755 subL[15] = krl; subR[15] = krr;
756 /* rotation left shift 32bit */
757 /* kl5 */
758 subL[24] = klr; subR[24] = krl;
759 /* kl6 */
760 subL[25] = krr; subR[25] = kll;
761 /* rotation left shift 49 from k11,k12 -> k21,k22 */
762 ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
763 /* k21 */
764 subL[28] = kll; subR[28] = klr;
765 /* k22 */
766 subL[29] = krl; subR[29] = krr;
767
768 /* generate KB dependent subkeys */
769 /* k1 */
770 subL[2] = krll; subR[2] = krlr;
771 /* k2 */
772 subL[3] = krrl; subR[3] = krrr;
773 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
774 /* k7 */
775 subL[10] = krll; subR[10] = krlr;
776 /* k8 */
777 subL[11] = krrl; subR[11] = krrr;
778 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
779 /* k15 */
780 subL[20] = krll; subR[20] = krlr;
781 /* k16 */
782 subL[21] = krrl; subR[21] = krrr;
783 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
784 /* kw3 */
785 subL[32] = krll; subR[32] = krlr;
786 /* kw4 */
787 subL[33] = krrl; subR[33] = krrr;
788
789 camellia_setup_tail(subkey, subL, subR, 32);
790}
791
792static void camellia_setup192(const unsigned char *key, u32 *subkey)
793{
794 unsigned char kk[32];
795 u32 krll, krlr, krrl, krrr;
796
797 memcpy(kk, key, 24);
798 memcpy((unsigned char *)&krll, key+16, 4);
799 memcpy((unsigned char *)&krlr, key+20, 4);
800 krrl = ~krll;
801 krrr = ~krlr;
802 memcpy(kk+24, (unsigned char *)&krrl, 4);
803 memcpy(kk+28, (unsigned char *)&krrr, 4);
804 camellia_setup256(kk, subkey);
805}
806
807
808/*
809 * Encrypt/decrypt
810 */
811#define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) ({ \
812 t0 = kll; \
813 t2 = krr; \
814 t0 &= ll; \
815 t2 |= rr; \
816 rl ^= t2; \
817 lr ^= rol32(t0, 1); \
818 t3 = krl; \
819 t1 = klr; \
820 t3 &= rl; \
821 t1 |= lr; \
822 ll ^= t1; \
823 rr ^= rol32(t3, 1); \
824})
825
826#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir) ({ \
827 yl ^= kl; \
828 yr ^= kr; \
829 ir = camellia_sp1110[(u8)xr]; \
830 il = camellia_sp1110[(u8)(xl >> 24)]; \
831 ir ^= camellia_sp0222[(u8)(xr >> 24)]; \
832 il ^= camellia_sp0222[(u8)(xl >> 16)]; \
833 ir ^= camellia_sp3033[(u8)(xr >> 16)]; \
834 il ^= camellia_sp3033[(u8)(xl >> 8)]; \
835 ir ^= camellia_sp4404[(u8)(xr >> 8)]; \
836 il ^= camellia_sp4404[(u8)xl]; \
837 ir ^= il; \
838 yl ^= ir; \
839 yr ^= ror32(il, 8) ^ ir; \
840})
841
842/* max = 24: 128bit encrypt, max = 32: 256bit encrypt */
843static void camellia_do_encrypt(const u32 *subkey, u32 *io, unsigned max)
844{
845 u32 il, ir, t0, t1; /* temporary variables */
846
847 /* pre whitening but absorb kw2 */
848 io[0] ^= SUBKEY_L(0);
849 io[1] ^= SUBKEY_R(0);
850
851 /* main iteration */
852#define ROUNDS(i) ({ \
853 CAMELLIA_ROUNDSM(io[0], io[1], \
854 SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
855 io[2], io[3], il, ir); \
856 CAMELLIA_ROUNDSM(io[2], io[3], \
857 SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
858 io[0], io[1], il, ir); \
859 CAMELLIA_ROUNDSM(io[0], io[1], \
860 SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
861 io[2], io[3], il, ir); \
862 CAMELLIA_ROUNDSM(io[2], io[3], \
863 SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
864 io[0], io[1], il, ir); \
865 CAMELLIA_ROUNDSM(io[0], io[1], \
866 SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
867 io[2], io[3], il, ir); \
868 CAMELLIA_ROUNDSM(io[2], io[3], \
869 SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
870 io[0], io[1], il, ir); \
871})
872#define FLS(i) ({ \
873 CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
874 SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
875 SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
876 t0, t1, il, ir); \
877})
878
879 ROUNDS(0);
880 FLS(8);
881 ROUNDS(8);
882 FLS(16);
883 ROUNDS(16);
884 if (max == 32) {
885 FLS(24);
886 ROUNDS(24);
887 }
888
889#undef ROUNDS
890#undef FLS
891
892 /* post whitening but kw4 */
893 io[2] ^= SUBKEY_L(max);
894 io[3] ^= SUBKEY_R(max);
895 /* NB: io[0],[1] should be swapped with [2],[3] by caller! */
896}
897
898static void camellia_do_decrypt(const u32 *subkey, u32 *io, unsigned i)
899{
900 u32 il, ir, t0, t1; /* temporary variables */
901
902 /* pre whitening but absorb kw2 */
903 io[0] ^= SUBKEY_L(i);
904 io[1] ^= SUBKEY_R(i);
905
906 /* main iteration */
907#define ROUNDS(i) ({ \
908 CAMELLIA_ROUNDSM(io[0], io[1], \
909 SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
910 io[2], io[3], il, ir); \
911 CAMELLIA_ROUNDSM(io[2], io[3], \
912 SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
913 io[0], io[1], il, ir); \
914 CAMELLIA_ROUNDSM(io[0], io[1], \
915 SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
916 io[2], io[3], il, ir); \
917 CAMELLIA_ROUNDSM(io[2], io[3], \
918 SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
919 io[0], io[1], il, ir); \
920 CAMELLIA_ROUNDSM(io[0], io[1], \
921 SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
922 io[2], io[3], il, ir); \
923 CAMELLIA_ROUNDSM(io[2], io[3], \
924 SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
925 io[0], io[1], il, ir); \
926})
927#define FLS(i) ({ \
928 CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
929 SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
930 SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
931 t0, t1, il, ir); \
932})
933
934 if (i == 32) {
935 ROUNDS(24);
936 FLS(24);
937 }
938 ROUNDS(16);
939 FLS(16);
940 ROUNDS(8);
941 FLS(8);
942 ROUNDS(0);
943
944#undef ROUNDS
945#undef FLS
946
947 /* post whitening but kw4 */
948 io[2] ^= SUBKEY_L(0);
949 io[3] ^= SUBKEY_R(0);
950 /* NB: 0,1 should be swapped with 2,3 by caller! */
951}
952
953
954struct camellia_ctx {
955 int key_length;
956 u32 key_table[CAMELLIA_TABLE_BYTE_LEN / sizeof(u32)];
957};
958
959static int
960camellia_set_key(struct crypto_tfm *tfm, const u8 *in_key,
961 unsigned int key_len)
962{
963 struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
964 const unsigned char *key = (const unsigned char *)in_key;
965
966 if (key_len != 16 && key_len != 24 && key_len != 32)
967 return -EINVAL;
968
969 cctx->key_length = key_len;
970
971 switch (key_len) {
972 case 16:
973 camellia_setup128(key, cctx->key_table);
974 break;
975 case 24:
976 camellia_setup192(key, cctx->key_table);
977 break;
978 case 32:
979 camellia_setup256(key, cctx->key_table);
980 break;
981 }
982
983 return 0;
984}
985
986static void camellia_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
987{
988 const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
989 unsigned int max;
990
991 u32 tmp[4];
992
993 tmp[0] = get_unaligned_be32(in);
994 tmp[1] = get_unaligned_be32(in + 4);
995 tmp[2] = get_unaligned_be32(in + 8);
996 tmp[3] = get_unaligned_be32(in + 12);
997
998 if (cctx->key_length == 16)
999 max = 24;
1000 else
1001 max = 32; /* for key lengths of 24 and 32 */
1002
1003 camellia_do_encrypt(cctx->key_table, tmp, max);
1004
1005 /* do_encrypt returns 0,1 swapped with 2,3 */
1006 put_unaligned_be32(tmp[2], out);
1007 put_unaligned_be32(tmp[3], out + 4);
1008 put_unaligned_be32(tmp[0], out + 8);
1009 put_unaligned_be32(tmp[1], out + 12);
1010}
1011
1012static void camellia_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1013{
1014 const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1015 unsigned int max;
1016
1017 u32 tmp[4];
1018
1019 tmp[0] = get_unaligned_be32(in);
1020 tmp[1] = get_unaligned_be32(in + 4);
1021 tmp[2] = get_unaligned_be32(in + 8);
1022 tmp[3] = get_unaligned_be32(in + 12);
1023
1024 if (cctx->key_length == 16)
1025 max = 24;
1026 else
1027 max = 32; /* for key lengths of 24 and 32 */
1028
1029 camellia_do_decrypt(cctx->key_table, tmp, max);
1030
1031 /* do_decrypt returns 0,1 swapped with 2,3 */
1032 put_unaligned_be32(tmp[2], out);
1033 put_unaligned_be32(tmp[3], out + 4);
1034 put_unaligned_be32(tmp[0], out + 8);
1035 put_unaligned_be32(tmp[1], out + 12);
1036}
1037
1038static struct crypto_alg camellia_alg = {
1039 .cra_name = "camellia",
1040 .cra_driver_name = "camellia-generic",
1041 .cra_priority = 100,
1042 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
1043 .cra_blocksize = CAMELLIA_BLOCK_SIZE,
1044 .cra_ctxsize = sizeof(struct camellia_ctx),
1045 .cra_module = THIS_MODULE,
1046 .cra_u = {
1047 .cipher = {
1048 .cia_min_keysize = CAMELLIA_MIN_KEY_SIZE,
1049 .cia_max_keysize = CAMELLIA_MAX_KEY_SIZE,
1050 .cia_setkey = camellia_set_key,
1051 .cia_encrypt = camellia_encrypt,
1052 .cia_decrypt = camellia_decrypt
1053 }
1054 }
1055};
1056
1057static int __init camellia_init(void)
1058{
1059 return crypto_register_alg(&camellia_alg);
1060}
1061
1062static void __exit camellia_fini(void)
1063{
1064 crypto_unregister_alg(&camellia_alg);
1065}
1066
1067subsys_initcall(camellia_init);
1068module_exit(camellia_fini);
1069
1070MODULE_DESCRIPTION("Camellia Cipher Algorithm");
1071MODULE_LICENSE("GPL");
1072MODULE_ALIAS_CRYPTO("camellia");
1073MODULE_ALIAS_CRYPTO("camellia-generic");