linux/crypto/camellia.c
<<
>>
Prefs
   1/*
   2 * Copyright (C) 2006
   3 * NTT (Nippon Telegraph and Telephone Corporation).
   4 *
   5 * This program is free software; you can redistribute it and/or
   6 * modify it under the terms of the GNU General Public License
   7 * as published by the Free Software Foundation; either version 2
   8 * of the License, or (at your option) any later version.
   9 *
  10 * This program is distributed in the hope that it will be useful,
  11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 * GNU General Public License for more details.
  14 *
  15 * You should have received a copy of the GNU General Public License
  16 * along with this program; if not, write to the Free Software
  17 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
  18 */
  19
  20/*
  21 * Algorithm Specification
  22 *  http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
  23 */
  24
  25/*
  26 *
  27 * NOTE --- NOTE --- NOTE --- NOTE
  28 * This implementation assumes that all memory addresses passed
  29 * as parameters are four-byte aligned.
  30 *
  31 */
  32
  33#include <linux/crypto.h>
  34#include <linux/errno.h>
  35#include <linux/init.h>
  36#include <linux/kernel.h>
  37#include <linux/module.h>
  38
  39static const u32 camellia_sp1110[256] = {
  40        0x70707000,0x82828200,0x2c2c2c00,0xececec00,
  41        0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
  42        0xe4e4e400,0x85858500,0x57575700,0x35353500,
  43        0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
  44        0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
  45        0x45454500,0x19191900,0xa5a5a500,0x21212100,
  46        0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
  47        0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
  48        0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
  49        0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
  50        0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
  51        0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
  52        0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
  53        0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
  54        0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
  55        0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
  56        0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
  57        0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
  58        0x74747400,0x12121200,0x2b2b2b00,0x20202000,
  59        0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
  60        0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
  61        0x34343400,0x7e7e7e00,0x76767600,0x05050500,
  62        0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
  63        0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
  64        0x14141400,0x58585800,0x3a3a3a00,0x61616100,
  65        0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
  66        0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
  67        0x53535300,0x18181800,0xf2f2f200,0x22222200,
  68        0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
  69        0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
  70        0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
  71        0x60606000,0xfcfcfc00,0x69696900,0x50505000,
  72        0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
  73        0xa1a1a100,0x89898900,0x62626200,0x97979700,
  74        0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
  75        0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
  76        0x10101000,0xc4c4c400,0x00000000,0x48484800,
  77        0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
  78        0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
  79        0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
  80        0x87878700,0x5c5c5c00,0x83838300,0x02020200,
  81        0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
  82        0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
  83        0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
  84        0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
  85        0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
  86        0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
  87        0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
  88        0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
  89        0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
  90        0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
  91        0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
  92        0x78787800,0x98989800,0x06060600,0x6a6a6a00,
  93        0xe7e7e700,0x46464600,0x71717100,0xbababa00,
  94        0xd4d4d400,0x25252500,0xababab00,0x42424200,
  95        0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
  96        0x72727200,0x07070700,0xb9b9b900,0x55555500,
  97        0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
  98        0x36363600,0x49494900,0x2a2a2a00,0x68686800,
  99        0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
 100        0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
 101        0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
 102        0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
 103        0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
 104};
 105
 106static const u32 camellia_sp0222[256] = {
 107        0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
 108        0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
 109        0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
 110        0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
 111        0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
 112        0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
 113        0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
 114        0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
 115        0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
 116        0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
 117        0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
 118        0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
 119        0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
 120        0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
 121        0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
 122        0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
 123        0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
 124        0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
 125        0x00e8e8e8,0x00242424,0x00565656,0x00404040,
 126        0x00e1e1e1,0x00636363,0x00090909,0x00333333,
 127        0x00bfbfbf,0x00989898,0x00979797,0x00858585,
 128        0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
 129        0x00dadada,0x006f6f6f,0x00535353,0x00626262,
 130        0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
 131        0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
 132        0x00bdbdbd,0x00363636,0x00222222,0x00383838,
 133        0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
 134        0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
 135        0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
 136        0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
 137        0x00484848,0x00101010,0x00d1d1d1,0x00515151,
 138        0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
 139        0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
 140        0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
 141        0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
 142        0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
 143        0x00202020,0x00898989,0x00000000,0x00909090,
 144        0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
 145        0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
 146        0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
 147        0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
 148        0x009b9b9b,0x00949494,0x00212121,0x00666666,
 149        0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
 150        0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
 151        0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
 152        0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
 153        0x00030303,0x002d2d2d,0x00dedede,0x00969696,
 154        0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
 155        0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
 156        0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
 157        0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
 158        0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
 159        0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
 160        0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
 161        0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
 162        0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
 163        0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
 164        0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
 165        0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
 166        0x00787878,0x00707070,0x00e3e3e3,0x00494949,
 167        0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
 168        0x00777777,0x00939393,0x00868686,0x00838383,
 169        0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
 170        0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
 171};
 172
 173static const u32 camellia_sp3033[256] = {
 174        0x38003838,0x41004141,0x16001616,0x76007676,
 175        0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
 176        0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
 177        0x75007575,0x06000606,0x57005757,0xa000a0a0,
 178        0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
 179        0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
 180        0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
 181        0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
 182        0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
 183        0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
 184        0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
 185        0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
 186        0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
 187        0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
 188        0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
 189        0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
 190        0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
 191        0xfd00fdfd,0x66006666,0x58005858,0x96009696,
 192        0x3a003a3a,0x09000909,0x95009595,0x10001010,
 193        0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
 194        0xef00efef,0x26002626,0xe500e5e5,0x61006161,
 195        0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
 196        0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
 197        0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
 198        0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
 199        0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
 200        0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
 201        0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
 202        0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
 203        0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
 204        0x12001212,0x04000404,0x74007474,0x54005454,
 205        0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
 206        0x55005555,0x68006868,0x50005050,0xbe00bebe,
 207        0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
 208        0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
 209        0x70007070,0xff00ffff,0x32003232,0x69006969,
 210        0x08000808,0x62006262,0x00000000,0x24002424,
 211        0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
 212        0x45004545,0x81008181,0x73007373,0x6d006d6d,
 213        0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
 214        0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
 215        0xe600e6e6,0x25002525,0x48004848,0x99009999,
 216        0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
 217        0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
 218        0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
 219        0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
 220        0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
 221        0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
 222        0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
 223        0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
 224        0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
 225        0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
 226        0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
 227        0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
 228        0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
 229        0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
 230        0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
 231        0x7c007c7c,0x77007777,0x56005656,0x05000505,
 232        0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
 233        0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
 234        0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
 235        0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
 236        0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
 237        0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
 238};
 239
 240static const u32 camellia_sp4404[256] = {
 241        0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
 242        0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
 243        0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
 244        0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
 245        0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
 246        0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
 247        0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
 248        0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
 249        0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
 250        0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
 251        0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
 252        0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
 253        0x14140014,0x3a3a003a,0xdede00de,0x11110011,
 254        0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
 255        0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
 256        0x24240024,0xe8e800e8,0x60600060,0x69690069,
 257        0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
 258        0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
 259        0x10100010,0x00000000,0xa3a300a3,0x75750075,
 260        0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
 261        0x87870087,0x83830083,0xcdcd00cd,0x90900090,
 262        0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
 263        0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
 264        0x81810081,0x6f6f006f,0x13130013,0x63630063,
 265        0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
 266        0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
 267        0x78780078,0x06060006,0xe7e700e7,0x71710071,
 268        0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
 269        0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
 270        0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
 271        0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
 272        0x15150015,0xadad00ad,0x77770077,0x80800080,
 273        0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
 274        0x85850085,0x35350035,0x0c0c000c,0x41410041,
 275        0xefef00ef,0x93930093,0x19190019,0x21210021,
 276        0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
 277        0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
 278        0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
 279        0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
 280        0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
 281        0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
 282        0x12120012,0x20200020,0xb1b100b1,0x99990099,
 283        0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
 284        0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
 285        0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
 286        0x0f0f000f,0x16160016,0x18180018,0x22220022,
 287        0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
 288        0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
 289        0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
 290        0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
 291        0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
 292        0x03030003,0xdada00da,0x3f3f003f,0x94940094,
 293        0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
 294        0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
 295        0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
 296        0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
 297        0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
 298        0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
 299        0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
 300        0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
 301        0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
 302        0x49490049,0x68680068,0x38380038,0xa4a400a4,
 303        0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
 304        0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
 305};
 306
 307
 308#define CAMELLIA_MIN_KEY_SIZE        16
 309#define CAMELLIA_MAX_KEY_SIZE        32
 310#define CAMELLIA_BLOCK_SIZE          16
 311#define CAMELLIA_TABLE_BYTE_LEN     272
 312
 313/*
 314 * NB: L and R below stand for 'left' and 'right' as in written numbers.
 315 * That is, in (xxxL,xxxR) pair xxxL holds most significant digits,
 316 * _not_ least significant ones!
 317 */
 318
 319
 320/* key constants */
 321
 322#define CAMELLIA_SIGMA1L (0xA09E667FL)
 323#define CAMELLIA_SIGMA1R (0x3BCC908BL)
 324#define CAMELLIA_SIGMA2L (0xB67AE858L)
 325#define CAMELLIA_SIGMA2R (0x4CAA73B2L)
 326#define CAMELLIA_SIGMA3L (0xC6EF372FL)
 327#define CAMELLIA_SIGMA3R (0xE94F82BEL)
 328#define CAMELLIA_SIGMA4L (0x54FF53A5L)
 329#define CAMELLIA_SIGMA4R (0xF1D36F1CL)
 330#define CAMELLIA_SIGMA5L (0x10E527FAL)
 331#define CAMELLIA_SIGMA5R (0xDE682D1DL)
 332#define CAMELLIA_SIGMA6L (0xB05688C2L)
 333#define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
 334
 335/*
 336 *  macros
 337 */
 338#define GETU32(v, pt) \
 339    do { \
 340        /* latest breed of gcc is clever enough to use move */ \
 341        memcpy(&(v), (pt), 4); \
 342        (v) = be32_to_cpu(v); \
 343    } while(0)
 344
 345/* rotation right shift 1byte */
 346#define ROR8(x) (((x) >> 8) + ((x) << 24))
 347/* rotation left shift 1bit */
 348#define ROL1(x) (((x) << 1) + ((x) >> 31))
 349/* rotation left shift 1byte */
 350#define ROL8(x) (((x) << 8) + ((x) >> 24))
 351
 352#define ROLDQ(ll, lr, rl, rr, w0, w1, bits)             \
 353    do {                                                \
 354        w0 = ll;                                        \
 355        ll = (ll << bits) + (lr >> (32 - bits));        \
 356        lr = (lr << bits) + (rl >> (32 - bits));        \
 357        rl = (rl << bits) + (rr >> (32 - bits));        \
 358        rr = (rr << bits) + (w0 >> (32 - bits));        \
 359    } while(0)
 360
 361#define ROLDQo32(ll, lr, rl, rr, w0, w1, bits)          \
 362    do {                                                \
 363        w0 = ll;                                        \
 364        w1 = lr;                                        \
 365        ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
 366        lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
 367        rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
 368        rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
 369    } while(0)
 370
 371#define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)      \
 372    do {                                                        \
 373        il = xl ^ kl;                                           \
 374        ir = xr ^ kr;                                           \
 375        t0 = il >> 16;                                          \
 376        t1 = ir >> 16;                                          \
 377        yl = camellia_sp1110[(u8)(ir     )]                     \
 378           ^ camellia_sp0222[    (t1 >> 8)]                     \
 379           ^ camellia_sp3033[(u8)(t1     )]                     \
 380           ^ camellia_sp4404[(u8)(ir >> 8)];                    \
 381        yr = camellia_sp1110[    (t0 >> 8)]                     \
 382           ^ camellia_sp0222[(u8)(t0     )]                     \
 383           ^ camellia_sp3033[(u8)(il >> 8)]                     \
 384           ^ camellia_sp4404[(u8)(il     )];                    \
 385        yl ^= yr;                                               \
 386        yr = ROR8(yr);                                          \
 387        yr ^= yl;                                               \
 388    } while(0)
 389
 390#define SUBKEY_L(INDEX) (subkey[(INDEX)*2])
 391#define SUBKEY_R(INDEX) (subkey[(INDEX)*2 + 1])
 392
 393static void camellia_setup_tail(u32 *subkey, u32 *subL, u32 *subR, int max)
 394{
 395        u32 dw, tl, tr;
 396        u32 kw4l, kw4r;
 397        int i;
 398
 399        /* absorb kw2 to other subkeys */
 400        /* round 2 */
 401        subL[3] ^= subL[1]; subR[3] ^= subR[1];
 402        /* round 4 */
 403        subL[5] ^= subL[1]; subR[5] ^= subR[1];
 404        /* round 6 */
 405        subL[7] ^= subL[1]; subR[7] ^= subR[1];
 406        subL[1] ^= subR[1] & ~subR[9];
 407        dw = subL[1] & subL[9],
 408                subR[1] ^= ROL1(dw); /* modified for FLinv(kl2) */
 409        /* round 8 */
 410        subL[11] ^= subL[1]; subR[11] ^= subR[1];
 411        /* round 10 */
 412        subL[13] ^= subL[1]; subR[13] ^= subR[1];
 413        /* round 12 */
 414        subL[15] ^= subL[1]; subR[15] ^= subR[1];
 415        subL[1] ^= subR[1] & ~subR[17];
 416        dw = subL[1] & subL[17],
 417                subR[1] ^= ROL1(dw); /* modified for FLinv(kl4) */
 418        /* round 14 */
 419        subL[19] ^= subL[1]; subR[19] ^= subR[1];
 420        /* round 16 */
 421        subL[21] ^= subL[1]; subR[21] ^= subR[1];
 422        /* round 18 */
 423        subL[23] ^= subL[1]; subR[23] ^= subR[1];
 424        if (max == 24) {
 425                /* kw3 */
 426                subL[24] ^= subL[1]; subR[24] ^= subR[1];
 427
 428        /* absorb kw4 to other subkeys */
 429                kw4l = subL[25]; kw4r = subR[25];
 430        } else {
 431                subL[1] ^= subR[1] & ~subR[25];
 432                dw = subL[1] & subL[25],
 433                        subR[1] ^= ROL1(dw); /* modified for FLinv(kl6) */
 434                /* round 20 */
 435                subL[27] ^= subL[1]; subR[27] ^= subR[1];
 436                /* round 22 */
 437                subL[29] ^= subL[1]; subR[29] ^= subR[1];
 438                /* round 24 */
 439                subL[31] ^= subL[1]; subR[31] ^= subR[1];
 440                /* kw3 */
 441                subL[32] ^= subL[1]; subR[32] ^= subR[1];
 442
 443        /* absorb kw4 to other subkeys */
 444                kw4l = subL[33]; kw4r = subR[33];
 445                /* round 23 */
 446                subL[30] ^= kw4l; subR[30] ^= kw4r;
 447                /* round 21 */
 448                subL[28] ^= kw4l; subR[28] ^= kw4r;
 449                /* round 19 */
 450                subL[26] ^= kw4l; subR[26] ^= kw4r;
 451                kw4l ^= kw4r & ~subR[24];
 452                dw = kw4l & subL[24],
 453                        kw4r ^= ROL1(dw); /* modified for FL(kl5) */
 454        }
 455        /* round 17 */
 456        subL[22] ^= kw4l; subR[22] ^= kw4r;
 457        /* round 15 */
 458        subL[20] ^= kw4l; subR[20] ^= kw4r;
 459        /* round 13 */
 460        subL[18] ^= kw4l; subR[18] ^= kw4r;
 461        kw4l ^= kw4r & ~subR[16];
 462        dw = kw4l & subL[16],
 463                kw4r ^= ROL1(dw); /* modified for FL(kl3) */
 464        /* round 11 */
 465        subL[14] ^= kw4l; subR[14] ^= kw4r;
 466        /* round 9 */
 467        subL[12] ^= kw4l; subR[12] ^= kw4r;
 468        /* round 7 */
 469        subL[10] ^= kw4l; subR[10] ^= kw4r;
 470        kw4l ^= kw4r & ~subR[8];
 471        dw = kw4l & subL[8],
 472                kw4r ^= ROL1(dw); /* modified for FL(kl1) */
 473        /* round 5 */
 474        subL[6] ^= kw4l; subR[6] ^= kw4r;
 475        /* round 3 */
 476        subL[4] ^= kw4l; subR[4] ^= kw4r;
 477        /* round 1 */
 478        subL[2] ^= kw4l; subR[2] ^= kw4r;
 479        /* kw1 */
 480        subL[0] ^= kw4l; subR[0] ^= kw4r;
 481
 482        /* key XOR is end of F-function */
 483        SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
 484        SUBKEY_R(0) = subR[0] ^ subR[2];
 485        SUBKEY_L(2) = subL[3];       /* round 1 */
 486        SUBKEY_R(2) = subR[3];
 487        SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
 488        SUBKEY_R(3) = subR[2] ^ subR[4];
 489        SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
 490        SUBKEY_R(4) = subR[3] ^ subR[5];
 491        SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
 492        SUBKEY_R(5) = subR[4] ^ subR[6];
 493        SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
 494        SUBKEY_R(6) = subR[5] ^ subR[7];
 495        tl = subL[10] ^ (subR[10] & ~subR[8]);
 496        dw = tl & subL[8],  /* FL(kl1) */
 497                tr = subR[10] ^ ROL1(dw);
 498        SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
 499        SUBKEY_R(7) = subR[6] ^ tr;
 500        SUBKEY_L(8) = subL[8];       /* FL(kl1) */
 501        SUBKEY_R(8) = subR[8];
 502        SUBKEY_L(9) = subL[9];       /* FLinv(kl2) */
 503        SUBKEY_R(9) = subR[9];
 504        tl = subL[7] ^ (subR[7] & ~subR[9]);
 505        dw = tl & subL[9],  /* FLinv(kl2) */
 506                tr = subR[7] ^ ROL1(dw);
 507        SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
 508        SUBKEY_R(10) = tr ^ subR[11];
 509        SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
 510        SUBKEY_R(11) = subR[10] ^ subR[12];
 511        SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
 512        SUBKEY_R(12) = subR[11] ^ subR[13];
 513        SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
 514        SUBKEY_R(13) = subR[12] ^ subR[14];
 515        SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
 516        SUBKEY_R(14) = subR[13] ^ subR[15];
 517        tl = subL[18] ^ (subR[18] & ~subR[16]);
 518        dw = tl & subL[16], /* FL(kl3) */
 519                tr = subR[18] ^ ROL1(dw);
 520        SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
 521        SUBKEY_R(15) = subR[14] ^ tr;
 522        SUBKEY_L(16) = subL[16];     /* FL(kl3) */
 523        SUBKEY_R(16) = subR[16];
 524        SUBKEY_L(17) = subL[17];     /* FLinv(kl4) */
 525        SUBKEY_R(17) = subR[17];
 526        tl = subL[15] ^ (subR[15] & ~subR[17]);
 527        dw = tl & subL[17], /* FLinv(kl4) */
 528                tr = subR[15] ^ ROL1(dw);
 529        SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
 530        SUBKEY_R(18) = tr ^ subR[19];
 531        SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
 532        SUBKEY_R(19) = subR[18] ^ subR[20];
 533        SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
 534        SUBKEY_R(20) = subR[19] ^ subR[21];
 535        SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
 536        SUBKEY_R(21) = subR[20] ^ subR[22];
 537        SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
 538        SUBKEY_R(22) = subR[21] ^ subR[23];
 539        if (max == 24) {
 540                SUBKEY_L(23) = subL[22];     /* round 18 */
 541                SUBKEY_R(23) = subR[22];
 542                SUBKEY_L(24) = subL[24] ^ subL[23]; /* kw3 */
 543                SUBKEY_R(24) = subR[24] ^ subR[23];
 544        } else {
 545                tl = subL[26] ^ (subR[26] & ~subR[24]);
 546                dw = tl & subL[24], /* FL(kl5) */
 547                        tr = subR[26] ^ ROL1(dw);
 548                SUBKEY_L(23) = subL[22] ^ tl; /* round 18 */
 549                SUBKEY_R(23) = subR[22] ^ tr;
 550                SUBKEY_L(24) = subL[24];     /* FL(kl5) */
 551                SUBKEY_R(24) = subR[24];
 552                SUBKEY_L(25) = subL[25];     /* FLinv(kl6) */
 553                SUBKEY_R(25) = subR[25];
 554                tl = subL[23] ^ (subR[23] & ~subR[25]);
 555                dw = tl & subL[25], /* FLinv(kl6) */
 556                        tr = subR[23] ^ ROL1(dw);
 557                SUBKEY_L(26) = tl ^ subL[27]; /* round 19 */
 558                SUBKEY_R(26) = tr ^ subR[27];
 559                SUBKEY_L(27) = subL[26] ^ subL[28]; /* round 20 */
 560                SUBKEY_R(27) = subR[26] ^ subR[28];
 561                SUBKEY_L(28) = subL[27] ^ subL[29]; /* round 21 */
 562                SUBKEY_R(28) = subR[27] ^ subR[29];
 563                SUBKEY_L(29) = subL[28] ^ subL[30]; /* round 22 */
 564                SUBKEY_R(29) = subR[28] ^ subR[30];
 565                SUBKEY_L(30) = subL[29] ^ subL[31]; /* round 23 */
 566                SUBKEY_R(30) = subR[29] ^ subR[31];
 567                SUBKEY_L(31) = subL[30];     /* round 24 */
 568                SUBKEY_R(31) = subR[30];
 569                SUBKEY_L(32) = subL[32] ^ subL[31]; /* kw3 */
 570                SUBKEY_R(32) = subR[32] ^ subR[31];
 571        }
 572
 573        /* apply the inverse of the last half of P-function */
 574        i = 2;
 575        do {
 576                dw = SUBKEY_L(i + 0) ^ SUBKEY_R(i + 0); dw = ROL8(dw);/* round 1 */
 577                SUBKEY_R(i + 0) = SUBKEY_L(i + 0) ^ dw; SUBKEY_L(i + 0) = dw;
 578                dw = SUBKEY_L(i + 1) ^ SUBKEY_R(i + 1); dw = ROL8(dw);/* round 2 */
 579                SUBKEY_R(i + 1) = SUBKEY_L(i + 1) ^ dw; SUBKEY_L(i + 1) = dw;
 580                dw = SUBKEY_L(i + 2) ^ SUBKEY_R(i + 2); dw = ROL8(dw);/* round 3 */
 581                SUBKEY_R(i + 2) = SUBKEY_L(i + 2) ^ dw; SUBKEY_L(i + 2) = dw;
 582                dw = SUBKEY_L(i + 3) ^ SUBKEY_R(i + 3); dw = ROL8(dw);/* round 4 */
 583                SUBKEY_R(i + 3) = SUBKEY_L(i + 3) ^ dw; SUBKEY_L(i + 3) = dw;
 584                dw = SUBKEY_L(i + 4) ^ SUBKEY_R(i + 4); dw = ROL8(dw);/* round 5 */
 585                SUBKEY_R(i + 4) = SUBKEY_L(i + 4) ^ dw; SUBKEY_L(i + 4) = dw;
 586                dw = SUBKEY_L(i + 5) ^ SUBKEY_R(i + 5); dw = ROL8(dw);/* round 6 */
 587                SUBKEY_R(i + 5) = SUBKEY_L(i + 5) ^ dw; SUBKEY_L(i + 5) = dw;
 588                i += 8;
 589        } while (i < max);
 590}
 591
 592static void camellia_setup128(const unsigned char *key, u32 *subkey)
 593{
 594        u32 kll, klr, krl, krr;
 595        u32 il, ir, t0, t1, w0, w1;
 596        u32 subL[26];
 597        u32 subR[26];
 598
 599        /**
 600         *  k == kll || klr || krl || krr (|| is concatenation)
 601         */
 602        GETU32(kll, key     );
 603        GETU32(klr, key +  4);
 604        GETU32(krl, key +  8);
 605        GETU32(krr, key + 12);
 606
 607        /* generate KL dependent subkeys */
 608        /* kw1 */
 609        subL[0] = kll; subR[0] = klr;
 610        /* kw2 */
 611        subL[1] = krl; subR[1] = krr;
 612        /* rotation left shift 15bit */
 613        ROLDQ(kll, klr, krl, krr, w0, w1, 15);
 614        /* k3 */
 615        subL[4] = kll; subR[4] = klr;
 616        /* k4 */
 617        subL[5] = krl; subR[5] = krr;
 618        /* rotation left shift 15+30bit */
 619        ROLDQ(kll, klr, krl, krr, w0, w1, 30);
 620        /* k7 */
 621        subL[10] = kll; subR[10] = klr;
 622        /* k8 */
 623        subL[11] = krl; subR[11] = krr;
 624        /* rotation left shift 15+30+15bit */
 625        ROLDQ(kll, klr, krl, krr, w0, w1, 15);
 626        /* k10 */
 627        subL[13] = krl; subR[13] = krr;
 628        /* rotation left shift 15+30+15+17 bit */
 629        ROLDQ(kll, klr, krl, krr, w0, w1, 17);
 630        /* kl3 */
 631        subL[16] = kll; subR[16] = klr;
 632        /* kl4 */
 633        subL[17] = krl; subR[17] = krr;
 634        /* rotation left shift 15+30+15+17+17 bit */
 635        ROLDQ(kll, klr, krl, krr, w0, w1, 17);
 636        /* k13 */
 637        subL[18] = kll; subR[18] = klr;
 638        /* k14 */
 639        subL[19] = krl; subR[19] = krr;
 640        /* rotation left shift 15+30+15+17+17+17 bit */
 641        ROLDQ(kll, klr, krl, krr, w0, w1, 17);
 642        /* k17 */
 643        subL[22] = kll; subR[22] = klr;
 644        /* k18 */
 645        subL[23] = krl; subR[23] = krr;
 646
 647        /* generate KA */
 648        kll = subL[0]; klr = subR[0];
 649        krl = subL[1]; krr = subR[1];
 650        CAMELLIA_F(kll, klr,
 651                   CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
 652                   w0, w1, il, ir, t0, t1);
 653        krl ^= w0; krr ^= w1;
 654        CAMELLIA_F(krl, krr,
 655                   CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
 656                   kll, klr, il, ir, t0, t1);
 657        /* current status == (kll, klr, w0, w1) */
 658        CAMELLIA_F(kll, klr,
 659                   CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
 660                   krl, krr, il, ir, t0, t1);
 661        krl ^= w0; krr ^= w1;
 662        CAMELLIA_F(krl, krr,
 663                   CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
 664                   w0, w1, il, ir, t0, t1);
 665        kll ^= w0; klr ^= w1;
 666
 667        /* generate KA dependent subkeys */
 668        /* k1, k2 */
 669        subL[2] = kll; subR[2] = klr;
 670        subL[3] = krl; subR[3] = krr;
 671        ROLDQ(kll, klr, krl, krr, w0, w1, 15);
 672        /* k5,k6 */
 673        subL[6] = kll; subR[6] = klr;
 674        subL[7] = krl; subR[7] = krr;
 675        ROLDQ(kll, klr, krl, krr, w0, w1, 15);
 676        /* kl1, kl2 */
 677        subL[8] = kll; subR[8] = klr;
 678        subL[9] = krl; subR[9] = krr;
 679        ROLDQ(kll, klr, krl, krr, w0, w1, 15);
 680        /* k9 */
 681        subL[12] = kll; subR[12] = klr;
 682        ROLDQ(kll, klr, krl, krr, w0, w1, 15);
 683        /* k11, k12 */
 684        subL[14] = kll; subR[14] = klr;
 685        subL[15] = krl; subR[15] = krr;
 686        ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
 687        /* k15, k16 */
 688        subL[20] = kll; subR[20] = klr;
 689        subL[21] = krl; subR[21] = krr;
 690        ROLDQ(kll, klr, krl, krr, w0, w1, 17);
 691        /* kw3, kw4 */
 692        subL[24] = kll; subR[24] = klr;
 693        subL[25] = krl; subR[25] = krr;
 694
 695        camellia_setup_tail(subkey, subL, subR, 24);
 696}
 697
 698static void camellia_setup256(const unsigned char *key, u32 *subkey)
 699{
 700        u32 kll, klr, krl, krr;        /* left half of key */
 701        u32 krll, krlr, krrl, krrr;    /* right half of key */
 702        u32 il, ir, t0, t1, w0, w1;    /* temporary variables */
 703        u32 subL[34];
 704        u32 subR[34];
 705
 706        /**
 707         *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
 708         *  (|| is concatenation)
 709         */
 710        GETU32(kll,  key     );
 711        GETU32(klr,  key +  4);
 712        GETU32(krl,  key +  8);
 713        GETU32(krr,  key + 12);
 714        GETU32(krll, key + 16);
 715        GETU32(krlr, key + 20);
 716        GETU32(krrl, key + 24);
 717        GETU32(krrr, key + 28);
 718
 719        /* generate KL dependent subkeys */
 720        /* kw1 */
 721        subL[0] = kll; subR[0] = klr;
 722        /* kw2 */
 723        subL[1] = krl; subR[1] = krr;
 724        ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
 725        /* k9 */
 726        subL[12] = kll; subR[12] = klr;
 727        /* k10 */
 728        subL[13] = krl; subR[13] = krr;
 729        ROLDQ(kll, klr, krl, krr, w0, w1, 15);
 730        /* kl3 */
 731        subL[16] = kll; subR[16] = klr;
 732        /* kl4 */
 733        subL[17] = krl; subR[17] = krr;
 734        ROLDQ(kll, klr, krl, krr, w0, w1, 17);
 735        /* k17 */
 736        subL[22] = kll; subR[22] = klr;
 737        /* k18 */
 738        subL[23] = krl; subR[23] = krr;
 739        ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
 740        /* k23 */
 741        subL[30] = kll; subR[30] = klr;
 742        /* k24 */
 743        subL[31] = krl; subR[31] = krr;
 744
 745        /* generate KR dependent subkeys */
 746        ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
 747        /* k3 */
 748        subL[4] = krll; subR[4] = krlr;
 749        /* k4 */
 750        subL[5] = krrl; subR[5] = krrr;
 751        ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
 752        /* kl1 */
 753        subL[8] = krll; subR[8] = krlr;
 754        /* kl2 */
 755        subL[9] = krrl; subR[9] = krrr;
 756        ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
 757        /* k13 */
 758        subL[18] = krll; subR[18] = krlr;
 759        /* k14 */
 760        subL[19] = krrl; subR[19] = krrr;
 761        ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
 762        /* k19 */
 763        subL[26] = krll; subR[26] = krlr;
 764        /* k20 */
 765        subL[27] = krrl; subR[27] = krrr;
 766        ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
 767
 768        /* generate KA */
 769        kll = subL[0] ^ krll; klr = subR[0] ^ krlr;
 770        krl = subL[1] ^ krrl; krr = subR[1] ^ krrr;
 771        CAMELLIA_F(kll, klr,
 772                   CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
 773                   w0, w1, il, ir, t0, t1);
 774        krl ^= w0; krr ^= w1;
 775        CAMELLIA_F(krl, krr,
 776                   CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
 777                   kll, klr, il, ir, t0, t1);
 778        kll ^= krll; klr ^= krlr;
 779        CAMELLIA_F(kll, klr,
 780                   CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
 781                   krl, krr, il, ir, t0, t1);
 782        krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
 783        CAMELLIA_F(krl, krr,
 784                   CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
 785                   w0, w1, il, ir, t0, t1);
 786        kll ^= w0; klr ^= w1;
 787
 788        /* generate KB */
 789        krll ^= kll; krlr ^= klr;
 790        krrl ^= krl; krrr ^= krr;
 791        CAMELLIA_F(krll, krlr,
 792                   CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
 793                   w0, w1, il, ir, t0, t1);
 794        krrl ^= w0; krrr ^= w1;
 795        CAMELLIA_F(krrl, krrr,
 796                   CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
 797                   w0, w1, il, ir, t0, t1);
 798        krll ^= w0; krlr ^= w1;
 799
 800        /* generate KA dependent subkeys */
 801        ROLDQ(kll, klr, krl, krr, w0, w1, 15);
 802        /* k5 */
 803        subL[6] = kll; subR[6] = klr;
 804        /* k6 */
 805        subL[7] = krl; subR[7] = krr;
 806        ROLDQ(kll, klr, krl, krr, w0, w1, 30);
 807        /* k11 */
 808        subL[14] = kll; subR[14] = klr;
 809        /* k12 */
 810        subL[15] = krl; subR[15] = krr;
 811        /* rotation left shift 32bit */
 812        /* kl5 */
 813        subL[24] = klr; subR[24] = krl;
 814        /* kl6 */
 815        subL[25] = krr; subR[25] = kll;
 816        /* rotation left shift 49 from k11,k12 -> k21,k22 */
 817        ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
 818        /* k21 */
 819        subL[28] = kll; subR[28] = klr;
 820        /* k22 */
 821        subL[29] = krl; subR[29] = krr;
 822
 823        /* generate KB dependent subkeys */
 824        /* k1 */
 825        subL[2] = krll; subR[2] = krlr;
 826        /* k2 */
 827        subL[3] = krrl; subR[3] = krrr;
 828        ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
 829        /* k7 */
 830        subL[10] = krll; subR[10] = krlr;
 831        /* k8 */
 832        subL[11] = krrl; subR[11] = krrr;
 833        ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
 834        /* k15 */
 835        subL[20] = krll; subR[20] = krlr;
 836        /* k16 */
 837        subL[21] = krrl; subR[21] = krrr;
 838        ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
 839        /* kw3 */
 840        subL[32] = krll; subR[32] = krlr;
 841        /* kw4 */
 842        subL[33] = krrl; subR[33] = krrr;
 843
 844        camellia_setup_tail(subkey, subL, subR, 32);
 845}
 846
 847static void camellia_setup192(const unsigned char *key, u32 *subkey)
 848{
 849        unsigned char kk[32];
 850        u32 krll, krlr, krrl,krrr;
 851
 852        memcpy(kk, key, 24);
 853        memcpy((unsigned char *)&krll, key+16, 4);
 854        memcpy((unsigned char *)&krlr, key+20, 4);
 855        krrl = ~krll;
 856        krrr = ~krlr;
 857        memcpy(kk+24, (unsigned char *)&krrl, 4);
 858        memcpy(kk+28, (unsigned char *)&krrr, 4);
 859        camellia_setup256(kk, subkey);
 860}
 861
 862
 863/*
 864 * Encrypt/decrypt
 865 */
 866#define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
 867    do {                                                                \
 868        t0 = kll;                                                       \
 869        t2 = krr;                                                       \
 870        t0 &= ll;                                                       \
 871        t2 |= rr;                                                       \
 872        rl ^= t2;                                                       \
 873        lr ^= ROL1(t0);                                                 \
 874        t3 = krl;                                                       \
 875        t1 = klr;                                                       \
 876        t3 &= rl;                                                       \
 877        t1 |= lr;                                                       \
 878        ll ^= t1;                                                       \
 879        rr ^= ROL1(t3);                                                 \
 880    } while(0)
 881
 882#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir)                \
 883    do {                                                                \
 884        ir =  camellia_sp1110[(u8)xr];                                  \
 885        il =  camellia_sp1110[    (xl >> 24)];                          \
 886        ir ^= camellia_sp0222[    (xr >> 24)];                          \
 887        il ^= camellia_sp0222[(u8)(xl >> 16)];                          \
 888        ir ^= camellia_sp3033[(u8)(xr >> 16)];                          \
 889        il ^= camellia_sp3033[(u8)(xl >> 8)];                           \
 890        ir ^= camellia_sp4404[(u8)(xr >> 8)];                           \
 891        il ^= camellia_sp4404[(u8)xl];                                  \
 892        il ^= kl;                                                       \
 893        ir ^= il ^ kr;                                                  \
 894        yl ^= ir;                                                       \
 895        yr ^= ROR8(il) ^ ir;                                            \
 896    } while(0)
 897
 898/* max = 24: 128bit encrypt, max = 32: 256bit encrypt */
 899static void camellia_do_encrypt(const u32 *subkey, u32 *io, unsigned max)
 900{
 901        u32 il,ir,t0,t1;               /* temporary variables */
 902
 903        /* pre whitening but absorb kw2 */
 904        io[0] ^= SUBKEY_L(0);
 905        io[1] ^= SUBKEY_R(0);
 906
 907        /* main iteration */
 908#define ROUNDS(i) do { \
 909        CAMELLIA_ROUNDSM(io[0],io[1], \
 910                         SUBKEY_L(i + 2),SUBKEY_R(i + 2), \
 911                         io[2],io[3],il,ir); \
 912        CAMELLIA_ROUNDSM(io[2],io[3], \
 913                         SUBKEY_L(i + 3),SUBKEY_R(i + 3), \
 914                         io[0],io[1],il,ir); \
 915        CAMELLIA_ROUNDSM(io[0],io[1], \
 916                         SUBKEY_L(i + 4),SUBKEY_R(i + 4), \
 917                         io[2],io[3],il,ir); \
 918        CAMELLIA_ROUNDSM(io[2],io[3], \
 919                         SUBKEY_L(i + 5),SUBKEY_R(i + 5), \
 920                         io[0],io[1],il,ir); \
 921        CAMELLIA_ROUNDSM(io[0],io[1], \
 922                         SUBKEY_L(i + 6),SUBKEY_R(i + 6), \
 923                         io[2],io[3],il,ir); \
 924        CAMELLIA_ROUNDSM(io[2],io[3], \
 925                         SUBKEY_L(i + 7),SUBKEY_R(i + 7), \
 926                         io[0],io[1],il,ir); \
 927} while (0)
 928#define FLS(i) do { \
 929        CAMELLIA_FLS(io[0],io[1],io[2],io[3], \
 930                     SUBKEY_L(i + 0),SUBKEY_R(i + 0), \
 931                     SUBKEY_L(i + 1),SUBKEY_R(i + 1), \
 932                     t0,t1,il,ir); \
 933} while (0)
 934
 935        ROUNDS(0);
 936        FLS(8);
 937        ROUNDS(8);
 938        FLS(16);
 939        ROUNDS(16);
 940        if (max == 32) {
 941                FLS(24);
 942                ROUNDS(24);
 943        }
 944
 945#undef ROUNDS
 946#undef FLS
 947
 948        /* post whitening but kw4 */
 949        io[2] ^= SUBKEY_L(max);
 950        io[3] ^= SUBKEY_R(max);
 951        /* NB: io[0],[1] should be swapped with [2],[3] by caller! */
 952}
 953
 954static void camellia_do_decrypt(const u32 *subkey, u32 *io, unsigned i)
 955{
 956        u32 il,ir,t0,t1;               /* temporary variables */
 957
 958        /* pre whitening but absorb kw2 */
 959        io[0] ^= SUBKEY_L(i);
 960        io[1] ^= SUBKEY_R(i);
 961
 962        /* main iteration */
 963#define ROUNDS(i) do { \
 964        CAMELLIA_ROUNDSM(io[0],io[1], \
 965                         SUBKEY_L(i + 7),SUBKEY_R(i + 7), \
 966                         io[2],io[3],il,ir); \
 967        CAMELLIA_ROUNDSM(io[2],io[3], \
 968                         SUBKEY_L(i + 6),SUBKEY_R(i + 6), \
 969                         io[0],io[1],il,ir); \
 970        CAMELLIA_ROUNDSM(io[0],io[1], \
 971                         SUBKEY_L(i + 5),SUBKEY_R(i + 5), \
 972                         io[2],io[3],il,ir); \
 973        CAMELLIA_ROUNDSM(io[2],io[3], \
 974                         SUBKEY_L(i + 4),SUBKEY_R(i + 4), \
 975                         io[0],io[1],il,ir); \
 976        CAMELLIA_ROUNDSM(io[0],io[1], \
 977                         SUBKEY_L(i + 3),SUBKEY_R(i + 3), \
 978                         io[2],io[3],il,ir); \
 979        CAMELLIA_ROUNDSM(io[2],io[3], \
 980                         SUBKEY_L(i + 2),SUBKEY_R(i + 2), \
 981                         io[0],io[1],il,ir); \
 982} while (0)
 983#define FLS(i) do { \
 984        CAMELLIA_FLS(io[0],io[1],io[2],io[3], \
 985                     SUBKEY_L(i + 1),SUBKEY_R(i + 1), \
 986                     SUBKEY_L(i + 0),SUBKEY_R(i + 0), \
 987                     t0,t1,il,ir); \
 988} while (0)
 989
 990        if (i == 32) {
 991                ROUNDS(24);
 992                FLS(24);
 993        }
 994        ROUNDS(16);
 995        FLS(16);
 996        ROUNDS(8);
 997        FLS(8);
 998        ROUNDS(0);
 999
1000#undef ROUNDS
1001#undef FLS
1002
1003        /* post whitening but kw4 */
1004        io[2] ^= SUBKEY_L(0);
1005        io[3] ^= SUBKEY_R(0);
1006        /* NB: 0,1 should be swapped with 2,3 by caller! */
1007}
1008
1009
1010struct camellia_ctx {
1011        int key_length;
1012        u32 key_table[CAMELLIA_TABLE_BYTE_LEN / sizeof(u32)];
1013};
1014
1015static int
1016camellia_set_key(struct crypto_tfm *tfm, const u8 *in_key,
1017                 unsigned int key_len)
1018{
1019        struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1020        const unsigned char *key = (const unsigned char *)in_key;
1021        u32 *flags = &tfm->crt_flags;
1022
1023        if (key_len != 16 && key_len != 24 && key_len != 32) {
1024                *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
1025                return -EINVAL;
1026        }
1027
1028        cctx->key_length = key_len;
1029
1030        switch (key_len) {
1031        case 16:
1032                camellia_setup128(key, cctx->key_table);
1033                break;
1034        case 24:
1035                camellia_setup192(key, cctx->key_table);
1036                break;
1037        case 32:
1038                camellia_setup256(key, cctx->key_table);
1039                break;
1040        }
1041
1042        return 0;
1043}
1044
1045static void camellia_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1046{
1047        const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1048        const __be32 *src = (const __be32 *)in;
1049        __be32 *dst = (__be32 *)out;
1050
1051        u32 tmp[4];
1052
1053        tmp[0] = be32_to_cpu(src[0]);
1054        tmp[1] = be32_to_cpu(src[1]);
1055        tmp[2] = be32_to_cpu(src[2]);
1056        tmp[3] = be32_to_cpu(src[3]);
1057
1058        camellia_do_encrypt(cctx->key_table, tmp,
1059                cctx->key_length == 16 ? 24 : 32 /* for key lengths of 24 and 32 */
1060        );
1061
1062        /* do_encrypt returns 0,1 swapped with 2,3 */
1063        dst[0] = cpu_to_be32(tmp[2]);
1064        dst[1] = cpu_to_be32(tmp[3]);
1065        dst[2] = cpu_to_be32(tmp[0]);
1066        dst[3] = cpu_to_be32(tmp[1]);
1067}
1068
1069static void camellia_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1070{
1071        const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1072        const __be32 *src = (const __be32 *)in;
1073        __be32 *dst = (__be32 *)out;
1074
1075        u32 tmp[4];
1076
1077        tmp[0] = be32_to_cpu(src[0]);
1078        tmp[1] = be32_to_cpu(src[1]);
1079        tmp[2] = be32_to_cpu(src[2]);
1080        tmp[3] = be32_to_cpu(src[3]);
1081
1082        camellia_do_decrypt(cctx->key_table, tmp,
1083                cctx->key_length == 16 ? 24 : 32 /* for key lengths of 24 and 32 */
1084        );
1085
1086        /* do_decrypt returns 0,1 swapped with 2,3 */
1087        dst[0] = cpu_to_be32(tmp[2]);
1088        dst[1] = cpu_to_be32(tmp[3]);
1089        dst[2] = cpu_to_be32(tmp[0]);
1090        dst[3] = cpu_to_be32(tmp[1]);
1091}
1092
1093static struct crypto_alg camellia_alg = {
1094        .cra_name               =       "camellia",
1095        .cra_driver_name        =       "camellia-generic",
1096        .cra_priority           =       100,
1097        .cra_flags              =       CRYPTO_ALG_TYPE_CIPHER,
1098        .cra_blocksize          =       CAMELLIA_BLOCK_SIZE,
1099        .cra_ctxsize            =       sizeof(struct camellia_ctx),
1100        .cra_alignmask          =       3,
1101        .cra_module             =       THIS_MODULE,
1102        .cra_list               =       LIST_HEAD_INIT(camellia_alg.cra_list),
1103        .cra_u                  =       {
1104                .cipher = {
1105                        .cia_min_keysize        =       CAMELLIA_MIN_KEY_SIZE,
1106                        .cia_max_keysize        =       CAMELLIA_MAX_KEY_SIZE,
1107                        .cia_setkey             =       camellia_set_key,
1108                        .cia_encrypt            =       camellia_encrypt,
1109                        .cia_decrypt            =       camellia_decrypt
1110                }
1111        }
1112};
1113
1114static int __init camellia_init(void)
1115{
1116        return crypto_register_alg(&camellia_alg);
1117}
1118
1119static void __exit camellia_fini(void)
1120{
1121        crypto_unregister_alg(&camellia_alg);
1122}
1123
1124module_init(camellia_init);
1125module_exit(camellia_fini);
1126
1127MODULE_DESCRIPTION("Camellia Cipher Algorithm");
1128MODULE_LICENSE("GPL");
1129