• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* crypto/camellia/camellia.c -*- mode:C; c-file-style: "eay" -*- */
2 /* ====================================================================
3  * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) .
4  * ALL RIGHTS RESERVED.
5  *
6  * Intellectual Property information for Camellia:
7  *     http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
8  *
9  * News Release for Announcement of Camellia open source:
10  *     http://www.ntt.co.jp/news/news06e/0604/060413a.html
11  *
12  * The Camellia Code included herein is developed by
13  * NTT (Nippon Telegraph and Telephone Corporation), and is contributed
14  * to the OpenSSL project.
15  *
16  * The Camellia Code is licensed pursuant to the OpenSSL open source
17  * license provided below.
18  */
19 /* ====================================================================
20  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  *
26  * 1. Redistributions of source code must retain the above copyright
27  *    notice, this list of conditions and the following disclaimer.
28  *
29  * 2. Redistributions in binary form must reproduce the above copyright
30  *    notice, this list of conditions and the following disclaimer in
31  *    the documentation and/or other materials provided with the
32  *    distribution.
33  *
34  * 3. All advertising materials mentioning features or use of this
35  *    software must display the following acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
38  *
39  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
40  *    endorse or promote products derived from this software without
41  *    prior written permission. For written permission, please contact
42  *    openssl-core@openssl.org.
43  *
44  * 5. Products derived from this software may not be called "OpenSSL"
45  *    nor may "OpenSSL" appear in their names without prior written
46  *    permission of the OpenSSL Project.
47  *
48  * 6. Redistributions of any form whatsoever must retain the following
49  *    acknowledgment:
50  *    "This product includes software developed by the OpenSSL Project
51  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
52  *
53  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
54  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
56  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
57  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
58  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
59  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
60  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
61  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
62  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
63  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
64  * OF THE POSSIBILITY OF SUCH DAMAGE.
65  * ====================================================================
66  */
67 
68 /* Algorithm Specification
69    http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
70 */
71 
72 
73 #include <string.h>
74 #include <stdlib.h>
75 
76 #include "camellia.h"
77 #include "cmll_locl.h"
78 
79 /* key constants */
80 #define CAMELLIA_SIGMA1L (0xA09E667FL)
81 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
82 #define CAMELLIA_SIGMA2L (0xB67AE858L)
83 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
84 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
85 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
86 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
87 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
88 #define CAMELLIA_SIGMA5L (0x10E527FAL)
89 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
90 #define CAMELLIA_SIGMA6L (0xB05688C2L)
91 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
92 
93 /*
94  *  macros
95  */
96 
97 /* e is pointer of subkey */
98 #define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2])
99 #define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1])
100 
101 /* rotation right shift 1byte */
102 #define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24))
103 /* rotation left shift 1bit */
104 #define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
105 /* rotation left shift 1byte */
106 #define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24))
107 
108 #define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits)	\
109 do							\
110 	{						\
111 	w0 = ll;					\
112 	ll = (ll << bits) + (lr >> (32 - bits));	\
113 	lr = (lr << bits) + (rl >> (32 - bits));	\
114 	rl = (rl << bits) + (rr >> (32 - bits));	\
115 	rr = (rr << bits) + (w0 >> (32 - bits));	\
116 	} while(0)
117 
118 #define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits)	\
119 do							\
120 	{						\
121 	w0 = ll;					\
122 	w1 = lr;					\
123 	ll = (lr << (bits - 32)) + (rl >> (64 - bits));	\
124 	lr = (rl << (bits - 32)) + (rr >> (64 - bits));	\
125 	rl = (rr << (bits - 32)) + (w0 >> (64 - bits));	\
126 	rr = (w0 << (bits - 32)) + (w1 >> (64 - bits));	\
127 	} while(0)
128 
129 #define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)])
130 #define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)])
131 #define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)])
132 #define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)])
133 
134 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)		\
135 do									\
136 	{								\
137 	il = xl ^ kl;							\
138 	ir = xr ^ kr;							\
139 	t0 = il >> 16;							\
140 	t1 = ir >> 16;							\
141 	yl = CAMELLIA_SP1110(ir & 0xff)					\
142 		^ CAMELLIA_SP0222((t1 >> 8) & 0xff)			\
143 		^ CAMELLIA_SP3033(t1 & 0xff)				\
144 		^ CAMELLIA_SP4404((ir >> 8) & 0xff);			\
145 	yr = CAMELLIA_SP1110((t0 >> 8) & 0xff)				\
146 		^ CAMELLIA_SP0222(t0 & 0xff)				\
147 		^ CAMELLIA_SP3033((il >> 8) & 0xff)			\
148 		^ CAMELLIA_SP4404(il & 0xff);				\
149 	yl ^= yr;							\
150 	yr = CAMELLIA_RR8(yr);						\
151 	yr ^= yl;							\
152 	} while(0)
153 
154 
155 /*
156  * for speed up
157  *
158  */
159 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
160 do									\
161 	{								\
162 	t0 = kll;							\
163 	t0 &= ll;							\
164 	lr ^= CAMELLIA_RL1(t0);						\
165 	t1 = klr;							\
166 	t1 |= lr;							\
167 	ll ^= t1;							\
168 									\
169 	t2 = krr;							\
170 	t2 |= rr;							\
171 	rl ^= t2;							\
172 	t3 = krl;							\
173 	t3 &= rl;							\
174 	rr ^= CAMELLIA_RL1(t3);						\
175 	} while(0)
176 
177 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)	\
178 do									\
179 	{								\
180 	il = xl;							\
181 	ir = xr;							\
182 	t0 = il >> 16;							\
183 	t1 = ir >> 16;							\
184 	ir = CAMELLIA_SP1110(ir & 0xff)					\
185 		^ CAMELLIA_SP0222((t1 >> 8) & 0xff)			\
186 		^ CAMELLIA_SP3033(t1 & 0xff)				\
187 		^ CAMELLIA_SP4404((ir >> 8) & 0xff);			\
188 	il = CAMELLIA_SP1110((t0 >> 8) & 0xff)				\
189 		^ CAMELLIA_SP0222(t0 & 0xff)				\
190 		^ CAMELLIA_SP3033((il >> 8) & 0xff)			\
191 		^ CAMELLIA_SP4404(il & 0xff);				\
192 	il ^= kl;							\
193 	ir ^= kr;							\
194 	ir ^= il;							\
195 	il = CAMELLIA_RR8(il);						\
196 	il ^= ir;							\
197 	yl ^= ir;							\
198 	yr ^= il;							\
199 	} while(0)
200 
201 static const u32 camellia_sp1110[256] =
202 	{
203 	0x70707000,0x82828200,0x2c2c2c00,0xececec00,
204 	0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
205 	0xe4e4e400,0x85858500,0x57575700,0x35353500,
206 	0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
207 	0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
208 	0x45454500,0x19191900,0xa5a5a500,0x21212100,
209 	0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
210 	0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
211 	0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
212 	0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
213 	0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
214 	0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
215 	0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
216 	0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
217 	0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
218 	0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
219 	0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
220 	0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
221 	0x74747400,0x12121200,0x2b2b2b00,0x20202000,
222 	0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
223 	0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
224 	0x34343400,0x7e7e7e00,0x76767600,0x05050500,
225 	0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
226 	0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
227 	0x14141400,0x58585800,0x3a3a3a00,0x61616100,
228 	0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
229 	0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
230 	0x53535300,0x18181800,0xf2f2f200,0x22222200,
231 	0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
232 	0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
233 	0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
234 	0x60606000,0xfcfcfc00,0x69696900,0x50505000,
235 	0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
236 	0xa1a1a100,0x89898900,0x62626200,0x97979700,
237 	0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
238 	0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
239 	0x10101000,0xc4c4c400,0x00000000,0x48484800,
240 	0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
241 	0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
242 	0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
243 	0x87878700,0x5c5c5c00,0x83838300,0x02020200,
244 	0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
245 	0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
246 	0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
247 	0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
248 	0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
249 	0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
250 	0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
251 	0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
252 	0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
253 	0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
254 	0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
255 	0x78787800,0x98989800,0x06060600,0x6a6a6a00,
256 	0xe7e7e700,0x46464600,0x71717100,0xbababa00,
257 	0xd4d4d400,0x25252500,0xababab00,0x42424200,
258 	0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
259 	0x72727200,0x07070700,0xb9b9b900,0x55555500,
260 	0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
261 	0x36363600,0x49494900,0x2a2a2a00,0x68686800,
262 	0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
263 	0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
264 	0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
265 	0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
266 	0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
267 	};
268 
269 static const u32 camellia_sp0222[256] =
270 	{
271 	0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
272 	0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
273 	0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
274 	0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
275 	0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
276 	0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
277 	0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
278 	0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
279 	0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
280 	0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
281 	0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
282 	0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
283 	0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
284 	0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
285 	0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
286 	0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
287 	0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
288 	0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
289 	0x00e8e8e8,0x00242424,0x00565656,0x00404040,
290 	0x00e1e1e1,0x00636363,0x00090909,0x00333333,
291 	0x00bfbfbf,0x00989898,0x00979797,0x00858585,
292 	0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
293 	0x00dadada,0x006f6f6f,0x00535353,0x00626262,
294 	0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
295 	0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
296 	0x00bdbdbd,0x00363636,0x00222222,0x00383838,
297 	0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
298 	0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
299 	0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
300 	0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
301 	0x00484848,0x00101010,0x00d1d1d1,0x00515151,
302 	0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
303 	0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
304 	0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
305 	0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
306 	0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
307 	0x00202020,0x00898989,0x00000000,0x00909090,
308 	0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
309 	0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
310 	0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
311 	0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
312 	0x009b9b9b,0x00949494,0x00212121,0x00666666,
313 	0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
314 	0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
315 	0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
316 	0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
317 	0x00030303,0x002d2d2d,0x00dedede,0x00969696,
318 	0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
319 	0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
320 	0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
321 	0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
322 	0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
323 	0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
324 	0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
325 	0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
326 	0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
327 	0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
328 	0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
329 	0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
330 	0x00787878,0x00707070,0x00e3e3e3,0x00494949,
331 	0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
332 	0x00777777,0x00939393,0x00868686,0x00838383,
333 	0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
334 	0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
335 	};
336 
337 static const u32 camellia_sp3033[256] =
338 	{
339 	0x38003838,0x41004141,0x16001616,0x76007676,
340 	0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
341 	0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
342 	0x75007575,0x06000606,0x57005757,0xa000a0a0,
343 	0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
344 	0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
345 	0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
346 	0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
347 	0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
348 	0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
349 	0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
350 	0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
351 	0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
352 	0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
353 	0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
354 	0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
355 	0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
356 	0xfd00fdfd,0x66006666,0x58005858,0x96009696,
357 	0x3a003a3a,0x09000909,0x95009595,0x10001010,
358 	0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
359 	0xef00efef,0x26002626,0xe500e5e5,0x61006161,
360 	0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
361 	0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
362 	0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
363 	0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
364 	0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
365 	0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
366 	0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
367 	0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
368 	0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
369 	0x12001212,0x04000404,0x74007474,0x54005454,
370 	0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
371 	0x55005555,0x68006868,0x50005050,0xbe00bebe,
372 	0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
373 	0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
374 	0x70007070,0xff00ffff,0x32003232,0x69006969,
375 	0x08000808,0x62006262,0x00000000,0x24002424,
376 	0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
377 	0x45004545,0x81008181,0x73007373,0x6d006d6d,
378 	0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
379 	0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
380 	0xe600e6e6,0x25002525,0x48004848,0x99009999,
381 	0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
382 	0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
383 	0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
384 	0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
385 	0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
386 	0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
387 	0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
388 	0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
389 	0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
390 	0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
391 	0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
392 	0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
393 	0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
394 	0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
395 	0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
396 	0x7c007c7c,0x77007777,0x56005656,0x05000505,
397 	0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
398 	0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
399 	0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
400 	0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
401 	0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
402 	0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
403 	};
404 
405 static const u32 camellia_sp4404[256] =
406 	{
407 	0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
408 	0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
409 	0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
410 	0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
411 	0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
412 	0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
413 	0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
414 	0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
415 	0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
416 	0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
417 	0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
418 	0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
419 	0x14140014,0x3a3a003a,0xdede00de,0x11110011,
420 	0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
421 	0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
422 	0x24240024,0xe8e800e8,0x60600060,0x69690069,
423 	0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
424 	0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
425 	0x10100010,0x00000000,0xa3a300a3,0x75750075,
426 	0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
427 	0x87870087,0x83830083,0xcdcd00cd,0x90900090,
428 	0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
429 	0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
430 	0x81810081,0x6f6f006f,0x13130013,0x63630063,
431 	0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
432 	0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
433 	0x78780078,0x06060006,0xe7e700e7,0x71710071,
434 	0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
435 	0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
436 	0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
437 	0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
438 	0x15150015,0xadad00ad,0x77770077,0x80800080,
439 	0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
440 	0x85850085,0x35350035,0x0c0c000c,0x41410041,
441 	0xefef00ef,0x93930093,0x19190019,0x21210021,
442 	0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
443 	0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
444 	0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
445 	0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
446 	0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
447 	0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
448 	0x12120012,0x20200020,0xb1b100b1,0x99990099,
449 	0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
450 	0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
451 	0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
452 	0x0f0f000f,0x16160016,0x18180018,0x22220022,
453 	0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
454 	0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
455 	0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
456 	0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
457 	0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
458 	0x03030003,0xdada00da,0x3f3f003f,0x94940094,
459 	0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
460 	0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
461 	0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
462 	0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
463 	0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
464 	0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
465 	0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
466 	0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
467 	0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
468 	0x49490049,0x68680068,0x38380038,0xa4a400a4,
469 	0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
470 	0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
471 	};
472 
473 /**
474  * Stuff related to the Camellia key schedule
475  */
476 #define subl(x) subL[(x)]
477 #define subr(x) subR[(x)]
478 
camellia_setup128(const u8 * key,u32 * subkey)479 void camellia_setup128(const u8 *key, u32 *subkey)
480 	{
481 	u32 kll, klr, krl, krr;
482 	u32 il, ir, t0, t1, w0, w1;
483 	u32 kw4l, kw4r, dw, tl, tr;
484 	u32 subL[26];
485 	u32 subR[26];
486 
487 	/**
488 	 *  k == kll || klr || krl || krr (|| is concatination)
489 	 */
490 	kll = GETU32(key     );
491 	klr = GETU32(key +  4);
492 	krl = GETU32(key +  8);
493 	krr = GETU32(key + 12);
494 	/**
495 	 * generate KL dependent subkeys
496 	 */
497 	/* kw1 */
498 	subl(0) = kll; subr(0) = klr;
499 	/* kw2 */
500 	subl(1) = krl; subr(1) = krr;
501 	/* rotation left shift 15bit */
502 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
503 	/* k3 */
504 	subl(4) = kll; subr(4) = klr;
505 	/* k4 */
506 	subl(5) = krl; subr(5) = krr;
507 	/* rotation left shift 15+30bit */
508 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
509 	/* k7 */
510 	subl(10) = kll; subr(10) = klr;
511 	/* k8 */
512 	subl(11) = krl; subr(11) = krr;
513 	/* rotation left shift 15+30+15bit */
514 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
515 	/* k10 */
516 	subl(13) = krl; subr(13) = krr;
517 	/* rotation left shift 15+30+15+17 bit */
518 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
519 	/* kl3 */
520 	subl(16) = kll; subr(16) = klr;
521 	/* kl4 */
522 	subl(17) = krl; subr(17) = krr;
523 	/* rotation left shift 15+30+15+17+17 bit */
524 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
525 	/* k13 */
526 	subl(18) = kll; subr(18) = klr;
527 	/* k14 */
528 	subl(19) = krl; subr(19) = krr;
529 	/* rotation left shift 15+30+15+17+17+17 bit */
530 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
531 	/* k17 */
532 	subl(22) = kll; subr(22) = klr;
533 	/* k18 */
534 	subl(23) = krl; subr(23) = krr;
535 
536 	/* generate KA */
537 	kll = subl(0); klr = subr(0);
538 	krl = subl(1); krr = subr(1);
539 	CAMELLIA_F(kll, klr,
540 		CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
541 		w0, w1, il, ir, t0, t1);
542 	krl ^= w0; krr ^= w1;
543 	CAMELLIA_F(krl, krr,
544 		CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
545 		kll, klr, il, ir, t0, t1);
546 	/* current status == (kll, klr, w0, w1) */
547 	CAMELLIA_F(kll, klr,
548 		CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
549 		krl, krr, il, ir, t0, t1);
550 	krl ^= w0; krr ^= w1;
551 	CAMELLIA_F(krl, krr,
552 		CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
553 		w0, w1, il, ir, t0, t1);
554 	kll ^= w0; klr ^= w1;
555 
556 	/* generate KA dependent subkeys */
557 	/* k1, k2 */
558 	subl(2) = kll; subr(2) = klr;
559 	subl(3) = krl; subr(3) = krr;
560 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
561 	/* k5,k6 */
562 	subl(6) = kll; subr(6) = klr;
563 	subl(7) = krl; subr(7) = krr;
564 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
565 	/* kl1, kl2 */
566 	subl(8) = kll; subr(8) = klr;
567 	subl(9) = krl; subr(9) = krr;
568 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
569 	/* k9 */
570 	subl(12) = kll; subr(12) = klr;
571 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
572 	/* k11, k12 */
573 	subl(14) = kll; subr(14) = klr;
574 	subl(15) = krl; subr(15) = krr;
575 	CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
576 	/* k15, k16 */
577 	subl(20) = kll; subr(20) = klr;
578 	subl(21) = krl; subr(21) = krr;
579 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
580 	/* kw3, kw4 */
581 	subl(24) = kll; subr(24) = klr;
582 	subl(25) = krl; subr(25) = krr;
583 
584 
585 	/* absorb kw2 to other subkeys */
586 /* round 2 */
587 	subl(3) ^= subl(1); subr(3) ^= subr(1);
588 /* round 4 */
589 	subl(5) ^= subl(1); subr(5) ^= subr(1);
590 /* round 6 */
591 	subl(7) ^= subl(1); subr(7) ^= subr(1);
592 	subl(1) ^= subr(1) & ~subr(9);
593 	dw = subl(1) & subl(9),
594 		subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl2) */
595 /* round 8 */
596 	subl(11) ^= subl(1); subr(11) ^= subr(1);
597 /* round 10 */
598 	subl(13) ^= subl(1); subr(13) ^= subr(1);
599 /* round 12 */
600 	subl(15) ^= subl(1); subr(15) ^= subr(1);
601 	subl(1) ^= subr(1) & ~subr(17);
602 	dw = subl(1) & subl(17),
603 		subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl4) */
604 /* round 14 */
605 	subl(19) ^= subl(1); subr(19) ^= subr(1);
606 /* round 16 */
607 	subl(21) ^= subl(1); subr(21) ^= subr(1);
608 /* round 18 */
609 	subl(23) ^= subl(1); subr(23) ^= subr(1);
610 /* kw3 */
611 	subl(24) ^= subl(1); subr(24) ^= subr(1);
612 
613 	/* absorb kw4 to other subkeys */
614 	kw4l = subl(25); kw4r = subr(25);
615 /* round 17 */
616 	subl(22) ^= kw4l; subr(22) ^= kw4r;
617 /* round 15 */
618 	subl(20) ^= kw4l; subr(20) ^= kw4r;
619 /* round 13 */
620 	subl(18) ^= kw4l; subr(18) ^= kw4r;
621 	kw4l ^= kw4r & ~subr(16);
622 	dw = kw4l & subl(16),
623 		kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl3) */
624 /* round 11 */
625 	subl(14) ^= kw4l; subr(14) ^= kw4r;
626 /* round 9 */
627 	subl(12) ^= kw4l; subr(12) ^= kw4r;
628 /* round 7 */
629 	subl(10) ^= kw4l; subr(10) ^= kw4r;
630 	kw4l ^= kw4r & ~subr(8);
631 	dw = kw4l & subl(8),
632 		kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl1) */
633 /* round 5 */
634 	subl(6) ^= kw4l; subr(6) ^= kw4r;
635 /* round 3 */
636 	subl(4) ^= kw4l; subr(4) ^= kw4r;
637 /* round 1 */
638 	subl(2) ^= kw4l; subr(2) ^= kw4r;
639 /* kw1 */
640 	subl(0) ^= kw4l; subr(0) ^= kw4r;
641 
642 
643 	/* key XOR is end of F-function */
644 	CamelliaSubkeyL(0) = subl(0) ^ subl(2);/* kw1 */
645 	CamelliaSubkeyR(0) = subr(0) ^ subr(2);
646 	CamelliaSubkeyL(2) = subl(3);       /* round 1 */
647 	CamelliaSubkeyR(2) = subr(3);
648 	CamelliaSubkeyL(3) = subl(2) ^ subl(4); /* round 2 */
649 	CamelliaSubkeyR(3) = subr(2) ^ subr(4);
650 	CamelliaSubkeyL(4) = subl(3) ^ subl(5); /* round 3 */
651 	CamelliaSubkeyR(4) = subr(3) ^ subr(5);
652 	CamelliaSubkeyL(5) = subl(4) ^ subl(6); /* round 4 */
653 	CamelliaSubkeyR(5) = subr(4) ^ subr(6);
654 	CamelliaSubkeyL(6) = subl(5) ^ subl(7); /* round 5 */
655 	CamelliaSubkeyR(6) = subr(5) ^ subr(7);
656 	tl = subl(10) ^ (subr(10) & ~subr(8));
657 	dw = tl & subl(8),  /* FL(kl1) */
658 		tr = subr(10) ^ CAMELLIA_RL1(dw);
659 	CamelliaSubkeyL(7) = subl(6) ^ tl; /* round 6 */
660 	CamelliaSubkeyR(7) = subr(6) ^ tr;
661 	CamelliaSubkeyL(8) = subl(8);       /* FL(kl1) */
662 	CamelliaSubkeyR(8) = subr(8);
663 	CamelliaSubkeyL(9) = subl(9);       /* FLinv(kl2) */
664 	CamelliaSubkeyR(9) = subr(9);
665 	tl = subl(7) ^ (subr(7) & ~subr(9));
666 	dw = tl & subl(9),  /* FLinv(kl2) */
667 		tr = subr(7) ^ CAMELLIA_RL1(dw);
668 	CamelliaSubkeyL(10) = tl ^ subl(11); /* round 7 */
669 	CamelliaSubkeyR(10) = tr ^ subr(11);
670 	CamelliaSubkeyL(11) = subl(10) ^ subl(12); /* round 8 */
671 	CamelliaSubkeyR(11) = subr(10) ^ subr(12);
672 	CamelliaSubkeyL(12) = subl(11) ^ subl(13); /* round 9 */
673 	CamelliaSubkeyR(12) = subr(11) ^ subr(13);
674 	CamelliaSubkeyL(13) = subl(12) ^ subl(14); /* round 10 */
675 	CamelliaSubkeyR(13) = subr(12) ^ subr(14);
676 	CamelliaSubkeyL(14) = subl(13) ^ subl(15); /* round 11 */
677 	CamelliaSubkeyR(14) = subr(13) ^ subr(15);
678 	tl = subl(18) ^ (subr(18) & ~subr(16));
679 	dw = tl & subl(16), /* FL(kl3) */
680 		tr = subr(18) ^ CAMELLIA_RL1(dw);
681 	CamelliaSubkeyL(15) = subl(14) ^ tl; /* round 12 */
682 	CamelliaSubkeyR(15) = subr(14) ^ tr;
683 	CamelliaSubkeyL(16) = subl(16);     /* FL(kl3) */
684 	CamelliaSubkeyR(16) = subr(16);
685 	CamelliaSubkeyL(17) = subl(17);     /* FLinv(kl4) */
686 	CamelliaSubkeyR(17) = subr(17);
687 	tl = subl(15) ^ (subr(15) & ~subr(17));
688 	dw = tl & subl(17), /* FLinv(kl4) */
689 		tr = subr(15) ^ CAMELLIA_RL1(dw);
690 	CamelliaSubkeyL(18) = tl ^ subl(19); /* round 13 */
691 	CamelliaSubkeyR(18) = tr ^ subr(19);
692 	CamelliaSubkeyL(19) = subl(18) ^ subl(20); /* round 14 */
693 	CamelliaSubkeyR(19) = subr(18) ^ subr(20);
694 	CamelliaSubkeyL(20) = subl(19) ^ subl(21); /* round 15 */
695 	CamelliaSubkeyR(20) = subr(19) ^ subr(21);
696 	CamelliaSubkeyL(21) = subl(20) ^ subl(22); /* round 16 */
697 	CamelliaSubkeyR(21) = subr(20) ^ subr(22);
698 	CamelliaSubkeyL(22) = subl(21) ^ subl(23); /* round 17 */
699 	CamelliaSubkeyR(22) = subr(21) ^ subr(23);
700 	CamelliaSubkeyL(23) = subl(22);     /* round 18 */
701 	CamelliaSubkeyR(23) = subr(22);
702 	CamelliaSubkeyL(24) = subl(24) ^ subl(23); /* kw3 */
703 	CamelliaSubkeyR(24) = subr(24) ^ subr(23);
704 
705 	/* apply the inverse of the last half of P-function */
706 	dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2),
707 		dw = CAMELLIA_RL8(dw);/* round 1 */
708 	CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw,
709 		CamelliaSubkeyL(2) = dw;
710 	dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3),
711 		dw = CAMELLIA_RL8(dw);/* round 2 */
712 	CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw,
713 		CamelliaSubkeyL(3) = dw;
714 	dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4),
715 		dw = CAMELLIA_RL8(dw);/* round 3 */
716 	CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw,
717 		CamelliaSubkeyL(4) = dw;
718 	dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5),
719 		dw = CAMELLIA_RL8(dw);/* round 4 */
720 	CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw,
721 		CamelliaSubkeyL(5) = dw;
722 	dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6),
723 		dw = CAMELLIA_RL8(dw);/* round 5 */
724 	CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw,
725 		CamelliaSubkeyL(6) = dw;
726 	dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7),
727 		dw = CAMELLIA_RL8(dw);/* round 6 */
728 	CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw,
729 		CamelliaSubkeyL(7) = dw;
730 	dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10),
731 		dw = CAMELLIA_RL8(dw);/* round 7 */
732 	CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw,
733 		CamelliaSubkeyL(10) = dw;
734 	dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11),
735 		dw = CAMELLIA_RL8(dw);/* round 8 */
736 	CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw,
737 		CamelliaSubkeyL(11) = dw;
738 	dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12),
739 		dw = CAMELLIA_RL8(dw);/* round 9 */
740 	CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw,
741 		CamelliaSubkeyL(12) = dw;
742 	dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13),
743 		dw = CAMELLIA_RL8(dw);/* round 10 */
744 	CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw,
745 		CamelliaSubkeyL(13) = dw;
746 	dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14),
747 		dw = CAMELLIA_RL8(dw);/* round 11 */
748 	CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw,
749 		CamelliaSubkeyL(14) = dw;
750 	dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15),
751 		dw = CAMELLIA_RL8(dw);/* round 12 */
752 	CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw,
753 		CamelliaSubkeyL(15) = dw;
754 	dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18),
755 		dw = CAMELLIA_RL8(dw);/* round 13 */
756 	CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw,
757 		CamelliaSubkeyL(18) = dw;
758 	dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19),
759 		dw = CAMELLIA_RL8(dw);/* round 14 */
760 	CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw,
761 		CamelliaSubkeyL(19) = dw;
762 	dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20),
763 		dw = CAMELLIA_RL8(dw);/* round 15 */
764 	CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw,
765 		CamelliaSubkeyL(20) = dw;
766 	dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21),
767 		dw = CAMELLIA_RL8(dw);/* round 16 */
768 	CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw,
769 		CamelliaSubkeyL(21) = dw;
770 	dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22),
771 		dw = CAMELLIA_RL8(dw);/* round 17 */
772 	CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw,
773 		CamelliaSubkeyL(22) = dw;
774 	dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23),
775 		dw = CAMELLIA_RL8(dw);/* round 18 */
776 	CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw,
777 		CamelliaSubkeyL(23) = dw;
778 
779 	return;
780 	}
781 
camellia_setup256(const u8 * key,u32 * subkey)782 void camellia_setup256(const u8 *key, u32 *subkey)
783 	{
784 	u32 kll,klr,krl,krr;           /* left half of key */
785 	u32 krll,krlr,krrl,krrr;       /* right half of key */
786 	u32 il, ir, t0, t1, w0, w1;    /* temporary variables */
787 	u32 kw4l, kw4r, dw, tl, tr;
788 	u32 subL[34];
789 	u32 subR[34];
790 
791 	/**
792 	 *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
793 	 *  (|| is concatination)
794 	 */
795 
796 	kll  = GETU32(key     );
797 	klr  = GETU32(key +  4);
798 	krl  = GETU32(key +  8);
799 	krr  = GETU32(key + 12);
800 	krll = GETU32(key + 16);
801 	krlr = GETU32(key + 20);
802 	krrl = GETU32(key + 24);
803 	krrr = GETU32(key + 28);
804 
805 	/* generate KL dependent subkeys */
806 	/* kw1 */
807 	subl(0) = kll; subr(0) = klr;
808 	/* kw2 */
809 	subl(1) = krl; subr(1) = krr;
810 	CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
811 	/* k9 */
812 	subl(12) = kll; subr(12) = klr;
813 	/* k10 */
814 	subl(13) = krl; subr(13) = krr;
815 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
816 	/* kl3 */
817 	subl(16) = kll; subr(16) = klr;
818 	/* kl4 */
819 	subl(17) = krl; subr(17) = krr;
820 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
821 	/* k17 */
822 	subl(22) = kll; subr(22) = klr;
823 	/* k18 */
824 	subl(23) = krl; subr(23) = krr;
825 	CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
826 	/* k23 */
827 	subl(30) = kll; subr(30) = klr;
828 	/* k24 */
829 	subl(31) = krl; subr(31) = krr;
830 
831 	/* generate KR dependent subkeys */
832 	CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
833 	/* k3 */
834 	subl(4) = krll; subr(4) = krlr;
835 	/* k4 */
836 	subl(5) = krrl; subr(5) = krrr;
837 	CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
838 	/* kl1 */
839 	subl(8) = krll; subr(8) = krlr;
840 	/* kl2 */
841 	subl(9) = krrl; subr(9) = krrr;
842 	CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
843 	/* k13 */
844 	subl(18) = krll; subr(18) = krlr;
845 	/* k14 */
846 	subl(19) = krrl; subr(19) = krrr;
847 	CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
848 	/* k19 */
849 	subl(26) = krll; subr(26) = krlr;
850 	/* k20 */
851 	subl(27) = krrl; subr(27) = krrr;
852 	CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
853 
854 	/* generate KA */
855 	kll = subl(0) ^ krll; klr = subr(0) ^ krlr;
856 	krl = subl(1) ^ krrl; krr = subr(1) ^ krrr;
857 	CAMELLIA_F(kll, klr,
858 		CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
859 		w0, w1, il, ir, t0, t1);
860 	krl ^= w0; krr ^= w1;
861 	CAMELLIA_F(krl, krr,
862 		CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
863 		kll, klr, il, ir, t0, t1);
864 	kll ^= krll; klr ^= krlr;
865 	CAMELLIA_F(kll, klr,
866 		CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
867 		krl, krr, il, ir, t0, t1);
868 	krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
869 	CAMELLIA_F(krl, krr,
870 		CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
871 		w0, w1, il, ir, t0, t1);
872 	kll ^= w0; klr ^= w1;
873 
874 	/* generate KB */
875 	krll ^= kll; krlr ^= klr;
876 	krrl ^= krl; krrr ^= krr;
877 	CAMELLIA_F(krll, krlr,
878 		CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
879 		w0, w1, il, ir, t0, t1);
880 	krrl ^= w0; krrr ^= w1;
881 	CAMELLIA_F(krrl, krrr,
882 		CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
883 		w0, w1, il, ir, t0, t1);
884 	krll ^= w0; krlr ^= w1;
885 
886 	/* generate KA dependent subkeys */
887 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
888 	/* k5 */
889 	subl(6) = kll; subr(6) = klr;
890 	/* k6 */
891 	subl(7) = krl; subr(7) = krr;
892 	CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
893 	/* k11 */
894 	subl(14) = kll; subr(14) = klr;
895 	/* k12 */
896 	subl(15) = krl; subr(15) = krr;
897 	/* rotation left shift 32bit */
898 	/* kl5 */
899 	subl(24) = klr; subr(24) = krl;
900 	/* kl6 */
901 	subl(25) = krr; subr(25) = kll;
902 	/* rotation left shift 49 from k11,k12 -> k21,k22 */
903 	CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
904 	/* k21 */
905 	subl(28) = kll; subr(28) = klr;
906 	/* k22 */
907 	subl(29) = krl; subr(29) = krr;
908 
909 	/* generate KB dependent subkeys */
910 	/* k1 */
911 	subl(2) = krll; subr(2) = krlr;
912 	/* k2 */
913 	subl(3) = krrl; subr(3) = krrr;
914 	CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
915 	/* k7 */
916 	subl(10) = krll; subr(10) = krlr;
917 	/* k8 */
918 	subl(11) = krrl; subr(11) = krrr;
919 	CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
920 	/* k15 */
921 	subl(20) = krll; subr(20) = krlr;
922 	/* k16 */
923 	subl(21) = krrl; subr(21) = krrr;
924 	CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
925 	/* kw3 */
926 	subl(32) = krll; subr(32) = krlr;
927 	/* kw4 */
928 	subl(33) = krrl; subr(33) = krrr;
929 
930 	/* absorb kw2 to other subkeys */
931 /* round 2 */
932 	subl(3) ^= subl(1); subr(3) ^= subr(1);
933 /* round 4 */
934 	subl(5) ^= subl(1); subr(5) ^= subr(1);
935 /* round 6 */
936 	subl(7) ^= subl(1); subr(7) ^= subr(1);
937 	subl(1) ^= subr(1) & ~subr(9);
938 	dw = subl(1) & subl(9),
939 		subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl2) */
940 /* round 8 */
941 	subl(11) ^= subl(1); subr(11) ^= subr(1);
942 /* round 10 */
943 	subl(13) ^= subl(1); subr(13) ^= subr(1);
944 /* round 12 */
945 	subl(15) ^= subl(1); subr(15) ^= subr(1);
946 	subl(1) ^= subr(1) & ~subr(17);
947 	dw = subl(1) & subl(17),
948 		subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl4) */
949 /* round 14 */
950 	subl(19) ^= subl(1); subr(19) ^= subr(1);
951 /* round 16 */
952 	subl(21) ^= subl(1); subr(21) ^= subr(1);
953 /* round 18 */
954 	subl(23) ^= subl(1); subr(23) ^= subr(1);
955 	subl(1) ^= subr(1) & ~subr(25);
956 	dw = subl(1) & subl(25),
957 		subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl6) */
958 /* round 20 */
959 	subl(27) ^= subl(1); subr(27) ^= subr(1);
960 /* round 22 */
961 	subl(29) ^= subl(1); subr(29) ^= subr(1);
962 /* round 24 */
963 	subl(31) ^= subl(1); subr(31) ^= subr(1);
964 /* kw3 */
965 	subl(32) ^= subl(1); subr(32) ^= subr(1);
966 
967 
968 	/* absorb kw4 to other subkeys */
969 	kw4l = subl(33); kw4r = subr(33);
970 /* round 23 */
971 	subl(30) ^= kw4l; subr(30) ^= kw4r;
972 /* round 21 */
973 	subl(28) ^= kw4l; subr(28) ^= kw4r;
974 /* round 19 */
975 	subl(26) ^= kw4l; subr(26) ^= kw4r;
976 	kw4l ^= kw4r & ~subr(24);
977 	dw = kw4l & subl(24),
978 		kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl5) */
979 /* round 17 */
980 	subl(22) ^= kw4l; subr(22) ^= kw4r;
981 /* round 15 */
982 	subl(20) ^= kw4l; subr(20) ^= kw4r;
983 /* round 13 */
984 	subl(18) ^= kw4l; subr(18) ^= kw4r;
985 	kw4l ^= kw4r & ~subr(16);
986 	dw = kw4l & subl(16),
987 		kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl3) */
988 /* round 11 */
989 	subl(14) ^= kw4l; subr(14) ^= kw4r;
990 /* round 9 */
991 	subl(12) ^= kw4l; subr(12) ^= kw4r;
992 /* round 7 */
993 	subl(10) ^= kw4l; subr(10) ^= kw4r;
994 	kw4l ^= kw4r & ~subr(8);
995 	dw = kw4l & subl(8),
996 		kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl1) */
997 /* round 5 */
998 	subl(6) ^= kw4l; subr(6) ^= kw4r;
999 /* round 3 */
1000 	subl(4) ^= kw4l; subr(4) ^= kw4r;
1001 /* round 1 */
1002 	subl(2) ^= kw4l; subr(2) ^= kw4r;
1003 /* kw1 */
1004 	subl(0) ^= kw4l; subr(0) ^= kw4r;
1005 
1006 	/* key XOR is end of F-function */
1007 	CamelliaSubkeyL(0) = subl(0) ^ subl(2);/* kw1 */
1008 	CamelliaSubkeyR(0) = subr(0) ^ subr(2);
1009 	CamelliaSubkeyL(2) = subl(3);       /* round 1 */
1010 	CamelliaSubkeyR(2) = subr(3);
1011 	CamelliaSubkeyL(3) = subl(2) ^ subl(4); /* round 2 */
1012 	CamelliaSubkeyR(3) = subr(2) ^ subr(4);
1013 	CamelliaSubkeyL(4) = subl(3) ^ subl(5); /* round 3 */
1014 	CamelliaSubkeyR(4) = subr(3) ^ subr(5);
1015 	CamelliaSubkeyL(5) = subl(4) ^ subl(6); /* round 4 */
1016 	CamelliaSubkeyR(5) = subr(4) ^ subr(6);
1017 	CamelliaSubkeyL(6) = subl(5) ^ subl(7); /* round 5 */
1018 	CamelliaSubkeyR(6) = subr(5) ^ subr(7);
1019 	tl = subl(10) ^ (subr(10) & ~subr(8));
1020 	dw = tl & subl(8),  /* FL(kl1) */
1021 		tr = subr(10) ^ CAMELLIA_RL1(dw);
1022 	CamelliaSubkeyL(7) = subl(6) ^ tl; /* round 6 */
1023 	CamelliaSubkeyR(7) = subr(6) ^ tr;
1024 	CamelliaSubkeyL(8) = subl(8);       /* FL(kl1) */
1025 	CamelliaSubkeyR(8) = subr(8);
1026 	CamelliaSubkeyL(9) = subl(9);       /* FLinv(kl2) */
1027 	CamelliaSubkeyR(9) = subr(9);
1028 	tl = subl(7) ^ (subr(7) & ~subr(9));
1029 	dw = tl & subl(9),  /* FLinv(kl2) */
1030 		tr = subr(7) ^ CAMELLIA_RL1(dw);
1031 	CamelliaSubkeyL(10) = tl ^ subl(11); /* round 7 */
1032 	CamelliaSubkeyR(10) = tr ^ subr(11);
1033 	CamelliaSubkeyL(11) = subl(10) ^ subl(12); /* round 8 */
1034 	CamelliaSubkeyR(11) = subr(10) ^ subr(12);
1035 	CamelliaSubkeyL(12) = subl(11) ^ subl(13); /* round 9 */
1036 	CamelliaSubkeyR(12) = subr(11) ^ subr(13);
1037 	CamelliaSubkeyL(13) = subl(12) ^ subl(14); /* round 10 */
1038 	CamelliaSubkeyR(13) = subr(12) ^ subr(14);
1039 	CamelliaSubkeyL(14) = subl(13) ^ subl(15); /* round 11 */
1040 	CamelliaSubkeyR(14) = subr(13) ^ subr(15);
1041 	tl = subl(18) ^ (subr(18) & ~subr(16));
1042 	dw = tl & subl(16), /* FL(kl3) */
1043 		tr = subr(18) ^ CAMELLIA_RL1(dw);
1044 	CamelliaSubkeyL(15) = subl(14) ^ tl; /* round 12 */
1045 	CamelliaSubkeyR(15) = subr(14) ^ tr;
1046 	CamelliaSubkeyL(16) = subl(16);     /* FL(kl3) */
1047 	CamelliaSubkeyR(16) = subr(16);
1048 	CamelliaSubkeyL(17) = subl(17);     /* FLinv(kl4) */
1049 	CamelliaSubkeyR(17) = subr(17);
1050 	tl = subl(15) ^ (subr(15) & ~subr(17));
1051 	dw = tl & subl(17), /* FLinv(kl4) */
1052 		tr = subr(15) ^ CAMELLIA_RL1(dw);
1053 	CamelliaSubkeyL(18) = tl ^ subl(19); /* round 13 */
1054 	CamelliaSubkeyR(18) = tr ^ subr(19);
1055 	CamelliaSubkeyL(19) = subl(18) ^ subl(20); /* round 14 */
1056 	CamelliaSubkeyR(19) = subr(18) ^ subr(20);
1057 	CamelliaSubkeyL(20) = subl(19) ^ subl(21); /* round 15 */
1058 	CamelliaSubkeyR(20) = subr(19) ^ subr(21);
1059 	CamelliaSubkeyL(21) = subl(20) ^ subl(22); /* round 16 */
1060 	CamelliaSubkeyR(21) = subr(20) ^ subr(22);
1061 	CamelliaSubkeyL(22) = subl(21) ^ subl(23); /* round 17 */
1062 	CamelliaSubkeyR(22) = subr(21) ^ subr(23);
1063 	tl = subl(26) ^ (subr(26)
1064 		& ~subr(24));
1065 	dw = tl & subl(24), /* FL(kl5) */
1066 		tr = subr(26) ^ CAMELLIA_RL1(dw);
1067 	CamelliaSubkeyL(23) = subl(22) ^ tl; /* round 18 */
1068 	CamelliaSubkeyR(23) = subr(22) ^ tr;
1069 	CamelliaSubkeyL(24) = subl(24);     /* FL(kl5) */
1070 	CamelliaSubkeyR(24) = subr(24);
1071 	CamelliaSubkeyL(25) = subl(25);     /* FLinv(kl6) */
1072 	CamelliaSubkeyR(25) = subr(25);
1073 	tl = subl(23) ^ (subr(23) &
1074 		~subr(25));
1075 	dw = tl & subl(25), /* FLinv(kl6) */
1076 		tr = subr(23) ^ CAMELLIA_RL1(dw);
1077 	CamelliaSubkeyL(26) = tl ^ subl(27); /* round 19 */
1078 	CamelliaSubkeyR(26) = tr ^ subr(27);
1079 	CamelliaSubkeyL(27) = subl(26) ^ subl(28); /* round 20 */
1080 	CamelliaSubkeyR(27) = subr(26) ^ subr(28);
1081 	CamelliaSubkeyL(28) = subl(27) ^ subl(29); /* round 21 */
1082 	CamelliaSubkeyR(28) = subr(27) ^ subr(29);
1083 	CamelliaSubkeyL(29) = subl(28) ^ subl(30); /* round 22 */
1084 	CamelliaSubkeyR(29) = subr(28) ^ subr(30);
1085 	CamelliaSubkeyL(30) = subl(29) ^ subl(31); /* round 23 */
1086 	CamelliaSubkeyR(30) = subr(29) ^ subr(31);
1087 	CamelliaSubkeyL(31) = subl(30);     /* round 24 */
1088 	CamelliaSubkeyR(31) = subr(30);
1089 	CamelliaSubkeyL(32) = subl(32) ^ subl(31); /* kw3 */
1090 	CamelliaSubkeyR(32) = subr(32) ^ subr(31);
1091 
1092 	/* apply the inverse of the last half of P-function */
1093 	dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2),
1094 		dw = CAMELLIA_RL8(dw);/* round 1 */
1095 	CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw,
1096 		CamelliaSubkeyL(2) = dw;
1097 	dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3),
1098 		dw = CAMELLIA_RL8(dw);/* round 2 */
1099 	CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw,
1100 		CamelliaSubkeyL(3) = dw;
1101 	dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4),
1102 		dw = CAMELLIA_RL8(dw);/* round 3 */
1103 	CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw,
1104 		CamelliaSubkeyL(4) = dw;
1105 	dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5),
1106 		dw = CAMELLIA_RL8(dw);/* round 4 */
1107 	CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw,
1108 		CamelliaSubkeyL(5) = dw;
1109 	dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6),
1110 		dw = CAMELLIA_RL8(dw);/* round 5 */
1111 	CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw,
1112 		CamelliaSubkeyL(6) = dw;
1113 	dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7),
1114 		dw = CAMELLIA_RL8(dw);/* round 6 */
1115 	CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw,
1116 		CamelliaSubkeyL(7) = dw;
1117 	dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10),
1118 		dw = CAMELLIA_RL8(dw);/* round 7 */
1119 	CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw,
1120 		CamelliaSubkeyL(10) = dw;
1121 	dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11),
1122 		dw = CAMELLIA_RL8(dw);/* round 8 */
1123 	CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw,
1124 		CamelliaSubkeyL(11) = dw;
1125 	dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12),
1126 		dw = CAMELLIA_RL8(dw);/* round 9 */
1127 	CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw,
1128 		CamelliaSubkeyL(12) = dw;
1129 	dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13),
1130 		dw = CAMELLIA_RL8(dw);/* round 10 */
1131 	CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw,
1132 		CamelliaSubkeyL(13) = dw;
1133 	dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14),
1134 		dw = CAMELLIA_RL8(dw);/* round 11 */
1135 	CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw,
1136 		CamelliaSubkeyL(14) = dw;
1137 	dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15),
1138 		dw = CAMELLIA_RL8(dw);/* round 12 */
1139 	CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw,
1140 		CamelliaSubkeyL(15) = dw;
1141 	dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18),
1142 		dw = CAMELLIA_RL8(dw);/* round 13 */
1143 	CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw,
1144 		CamelliaSubkeyL(18) = dw;
1145 	dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19),
1146 		dw = CAMELLIA_RL8(dw);/* round 14 */
1147 	CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw,
1148 		CamelliaSubkeyL(19) = dw;
1149 	dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20),
1150 		dw = CAMELLIA_RL8(dw);/* round 15 */
1151 	CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw,
1152 		CamelliaSubkeyL(20) = dw;
1153 	dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21),
1154 		dw = CAMELLIA_RL8(dw);/* round 16 */
1155 	CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw,
1156 		CamelliaSubkeyL(21) = dw;
1157 	dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22),
1158 		dw = CAMELLIA_RL8(dw);/* round 17 */
1159 	CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw,
1160 		CamelliaSubkeyL(22) = dw;
1161 	dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23),
1162 		dw = CAMELLIA_RL8(dw);/* round 18 */
1163 	CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw,
1164 		CamelliaSubkeyL(23) = dw;
1165 	dw = CamelliaSubkeyL(26) ^ CamelliaSubkeyR(26),
1166 		dw = CAMELLIA_RL8(dw);/* round 19 */
1167 	CamelliaSubkeyR(26) = CamelliaSubkeyL(26) ^ dw,
1168 		CamelliaSubkeyL(26) = dw;
1169 	dw = CamelliaSubkeyL(27) ^ CamelliaSubkeyR(27),
1170 		dw = CAMELLIA_RL8(dw);/* round 20 */
1171 	CamelliaSubkeyR(27) = CamelliaSubkeyL(27) ^ dw,
1172 		CamelliaSubkeyL(27) = dw;
1173 	dw = CamelliaSubkeyL(28) ^ CamelliaSubkeyR(28),
1174 		dw = CAMELLIA_RL8(dw);/* round 21 */
1175 	CamelliaSubkeyR(28) = CamelliaSubkeyL(28) ^ dw,
1176 		CamelliaSubkeyL(28) = dw;
1177 	dw = CamelliaSubkeyL(29) ^ CamelliaSubkeyR(29),
1178 		dw = CAMELLIA_RL8(dw);/* round 22 */
1179 	CamelliaSubkeyR(29) = CamelliaSubkeyL(29) ^ dw,
1180 		CamelliaSubkeyL(29) = dw;
1181 	dw = CamelliaSubkeyL(30) ^ CamelliaSubkeyR(30),
1182 		dw = CAMELLIA_RL8(dw);/* round 23 */
1183 	CamelliaSubkeyR(30) = CamelliaSubkeyL(30) ^ dw,
1184 		CamelliaSubkeyL(30) = dw;
1185 	dw = CamelliaSubkeyL(31) ^ CamelliaSubkeyR(31),
1186 		dw = CAMELLIA_RL8(dw);/* round 24 */
1187 	CamelliaSubkeyR(31) = CamelliaSubkeyL(31) ^ dw,
1188 		CamelliaSubkeyL(31) = dw;
1189 
1190 
1191 	return;
1192 	}
1193 
camellia_setup192(const u8 * key,u32 * subkey)1194 void camellia_setup192(const u8 *key, u32 *subkey)
1195 	{
1196 	u8 kk[32];
1197 	u32 krll, krlr, krrl,krrr;
1198 
1199 	memcpy(kk, key, 24);
1200 	memcpy((u8 *)&krll, key+16,4);
1201 	memcpy((u8 *)&krlr, key+20,4);
1202 	krrl = ~krll;
1203 	krrr = ~krlr;
1204 	memcpy(kk+24, (u8 *)&krrl, 4);
1205 	memcpy(kk+28, (u8 *)&krrr, 4);
1206 	camellia_setup256(kk, subkey);
1207 	return;
1208 	}
1209 
1210 
1211 /**
1212  * Stuff related to camellia encryption/decryption
1213  */
camellia_encrypt128(const u32 * subkey,u32 * io)1214 void camellia_encrypt128(const u32 *subkey, u32 *io)
1215 	{
1216 	u32 il, ir, t0, t1;
1217 
1218 	/* pre whitening but absorb kw2*/
1219 	io[0] ^= CamelliaSubkeyL(0);
1220 	io[1] ^= CamelliaSubkeyR(0);
1221 	/* main iteration */
1222 
1223 	CAMELLIA_ROUNDSM(io[0],io[1],
1224 		CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1225 		io[2],io[3],il,ir,t0,t1);
1226 	CAMELLIA_ROUNDSM(io[2],io[3],
1227 		CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1228 		io[0],io[1],il,ir,t0,t1);
1229 	CAMELLIA_ROUNDSM(io[0],io[1],
1230 		CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1231 		io[2],io[3],il,ir,t0,t1);
1232 	CAMELLIA_ROUNDSM(io[2],io[3],
1233 		CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1234 		io[0],io[1],il,ir,t0,t1);
1235 	CAMELLIA_ROUNDSM(io[0],io[1],
1236 		CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1237 		io[2],io[3],il,ir,t0,t1);
1238 	CAMELLIA_ROUNDSM(io[2],io[3],
1239 		CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1240 		io[0],io[1],il,ir,t0,t1);
1241 
1242 	CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1243 		CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1244 		CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1245 		t0,t1,il,ir);
1246 
1247 	CAMELLIA_ROUNDSM(io[0],io[1],
1248 		CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1249 		io[2],io[3],il,ir,t0,t1);
1250 	CAMELLIA_ROUNDSM(io[2],io[3],
1251 		CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1252 		io[0],io[1],il,ir,t0,t1);
1253 	CAMELLIA_ROUNDSM(io[0],io[1],
1254 		CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1255 		io[2],io[3],il,ir,t0,t1);
1256 	CAMELLIA_ROUNDSM(io[2],io[3],
1257 		CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1258 		io[0],io[1],il,ir,t0,t1);
1259 	CAMELLIA_ROUNDSM(io[0],io[1],
1260 		CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1261 		io[2],io[3],il,ir,t0,t1);
1262 	CAMELLIA_ROUNDSM(io[2],io[3],
1263 		CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1264 		io[0],io[1],il,ir,t0,t1);
1265 
1266 	CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1267 		CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1268 		CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1269 		t0,t1,il,ir);
1270 
1271 	CAMELLIA_ROUNDSM(io[0],io[1],
1272 		CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1273 		io[2],io[3],il,ir,t0,t1);
1274 	CAMELLIA_ROUNDSM(io[2],io[3],
1275 		CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1276 		io[0],io[1],il,ir,t0,t1);
1277 	CAMELLIA_ROUNDSM(io[0],io[1],
1278 		CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1279 		io[2],io[3],il,ir,t0,t1);
1280 	CAMELLIA_ROUNDSM(io[2],io[3],
1281 		CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1282 		io[0],io[1],il,ir,t0,t1);
1283 	CAMELLIA_ROUNDSM(io[0],io[1],
1284 		CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1285 		io[2],io[3],il,ir,t0,t1);
1286 	CAMELLIA_ROUNDSM(io[2],io[3],
1287 		CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1288 		io[0],io[1],il,ir,t0,t1);
1289 
1290 	/* post whitening but kw4 */
1291 	io[2] ^= CamelliaSubkeyL(24);
1292 	io[3] ^= CamelliaSubkeyR(24);
1293 
1294 	t0 = io[0];
1295 	t1 = io[1];
1296 	io[0] = io[2];
1297 	io[1] = io[3];
1298 	io[2] = t0;
1299 	io[3] = t1;
1300 
1301 	return;
1302 	}
1303 
camellia_decrypt128(const u32 * subkey,u32 * io)1304 void camellia_decrypt128(const u32 *subkey, u32 *io)
1305 	{
1306 	u32 il,ir,t0,t1;               /* temporary valiables */
1307 
1308 	/* pre whitening but absorb kw2*/
1309 	io[0] ^= CamelliaSubkeyL(24);
1310 	io[1] ^= CamelliaSubkeyR(24);
1311 
1312 	/* main iteration */
1313 	CAMELLIA_ROUNDSM(io[0],io[1],
1314 		CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1315 		io[2],io[3],il,ir,t0,t1);
1316 	CAMELLIA_ROUNDSM(io[2],io[3],
1317 		CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1318 		io[0],io[1],il,ir,t0,t1);
1319 	CAMELLIA_ROUNDSM(io[0],io[1],
1320 		CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1321 		io[2],io[3],il,ir,t0,t1);
1322 	CAMELLIA_ROUNDSM(io[2],io[3],
1323 		CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1324 		io[0],io[1],il,ir,t0,t1);
1325 	CAMELLIA_ROUNDSM(io[0],io[1],
1326 		CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1327 		io[2],io[3],il,ir,t0,t1);
1328 	CAMELLIA_ROUNDSM(io[2],io[3],
1329 		CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1330 		io[0],io[1],il,ir,t0,t1);
1331 
1332 	CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1333 		CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1334 		CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1335 		t0,t1,il,ir);
1336 
1337 	CAMELLIA_ROUNDSM(io[0],io[1],
1338 		CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1339 		io[2],io[3],il,ir,t0,t1);
1340 	CAMELLIA_ROUNDSM(io[2],io[3],
1341 		CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1342 		io[0],io[1],il,ir,t0,t1);
1343 	CAMELLIA_ROUNDSM(io[0],io[1],
1344 		CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1345 		io[2],io[3],il,ir,t0,t1);
1346 	CAMELLIA_ROUNDSM(io[2],io[3],
1347 		CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1348 		io[0],io[1],il,ir,t0,t1);
1349 	CAMELLIA_ROUNDSM(io[0],io[1],
1350 		CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1351 		io[2],io[3],il,ir,t0,t1);
1352 	CAMELLIA_ROUNDSM(io[2],io[3],
1353 		CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1354 		io[0],io[1],il,ir,t0,t1);
1355 
1356 	CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1357 		CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1358 		CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1359 		t0,t1,il,ir);
1360 
1361 	CAMELLIA_ROUNDSM(io[0],io[1],
1362 		CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1363 		io[2],io[3],il,ir,t0,t1);
1364 	CAMELLIA_ROUNDSM(io[2],io[3],
1365 		CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1366 		io[0],io[1],il,ir,t0,t1);
1367 	CAMELLIA_ROUNDSM(io[0],io[1],
1368 		CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1369 		io[2],io[3],il,ir,t0,t1);
1370 	CAMELLIA_ROUNDSM(io[2],io[3],
1371 		CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1372 		io[0],io[1],il,ir,t0,t1);
1373 	CAMELLIA_ROUNDSM(io[0],io[1],
1374 		CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1375 		io[2],io[3],il,ir,t0,t1);
1376 	CAMELLIA_ROUNDSM(io[2],io[3],
1377 		CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1378 		io[0],io[1],il,ir,t0,t1);
1379 
1380 	/* post whitening but kw4 */
1381 	io[2] ^= CamelliaSubkeyL(0);
1382 	io[3] ^= CamelliaSubkeyR(0);
1383 
1384 	t0 = io[0];
1385 	t1 = io[1];
1386 	io[0] = io[2];
1387 	io[1] = io[3];
1388 	io[2] = t0;
1389 	io[3] = t1;
1390 
1391 	return;
1392 	}
1393 
1394 /**
1395  * stuff for 192 and 256bit encryption/decryption
1396  */
camellia_encrypt256(const u32 * subkey,u32 * io)1397 void camellia_encrypt256(const u32 *subkey, u32 *io)
1398 	{
1399 	u32 il,ir,t0,t1;           /* temporary valiables */
1400 
1401 	/* pre whitening but absorb kw2*/
1402 	io[0] ^= CamelliaSubkeyL(0);
1403 	io[1] ^= CamelliaSubkeyR(0);
1404 
1405 	/* main iteration */
1406 	CAMELLIA_ROUNDSM(io[0],io[1],
1407 		CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1408 		io[2],io[3],il,ir,t0,t1);
1409 	CAMELLIA_ROUNDSM(io[2],io[3],
1410 		CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1411 		io[0],io[1],il,ir,t0,t1);
1412 	CAMELLIA_ROUNDSM(io[0],io[1],
1413 		CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1414 		io[2],io[3],il,ir,t0,t1);
1415 	CAMELLIA_ROUNDSM(io[2],io[3],
1416 		CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1417 		io[0],io[1],il,ir,t0,t1);
1418 	CAMELLIA_ROUNDSM(io[0],io[1],
1419 		CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1420 		io[2],io[3],il,ir,t0,t1);
1421 	CAMELLIA_ROUNDSM(io[2],io[3],
1422 		CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1423 		io[0],io[1],il,ir,t0,t1);
1424 
1425 	CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1426 		CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1427 		CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1428 		t0,t1,il,ir);
1429 
1430 	CAMELLIA_ROUNDSM(io[0],io[1],
1431 		CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1432 		io[2],io[3],il,ir,t0,t1);
1433 	CAMELLIA_ROUNDSM(io[2],io[3],
1434 		CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1435 		io[0],io[1],il,ir,t0,t1);
1436 	CAMELLIA_ROUNDSM(io[0],io[1],
1437 		CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1438 		io[2],io[3],il,ir,t0,t1);
1439 	CAMELLIA_ROUNDSM(io[2],io[3],
1440 		CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1441 		io[0],io[1],il,ir,t0,t1);
1442 	CAMELLIA_ROUNDSM(io[0],io[1],
1443 		CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1444 		io[2],io[3],il,ir,t0,t1);
1445 	CAMELLIA_ROUNDSM(io[2],io[3],
1446 		CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1447 		io[0],io[1],il,ir,t0,t1);
1448 
1449 	CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1450 		CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1451 		CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1452 		t0,t1,il,ir);
1453 
1454 	CAMELLIA_ROUNDSM(io[0],io[1],
1455 		CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1456 		io[2],io[3],il,ir,t0,t1);
1457 	CAMELLIA_ROUNDSM(io[2],io[3],
1458 		CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1459 		io[0],io[1],il,ir,t0,t1);
1460 	CAMELLIA_ROUNDSM(io[0],io[1],
1461 		CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1462 		io[2],io[3],il,ir,t0,t1);
1463 	CAMELLIA_ROUNDSM(io[2],io[3],
1464 		CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1465 		io[0],io[1],il,ir,t0,t1);
1466 	CAMELLIA_ROUNDSM(io[0],io[1],
1467 		CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1468 		io[2],io[3],il,ir,t0,t1);
1469 	CAMELLIA_ROUNDSM(io[2],io[3],
1470 		CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1471 		io[0],io[1],il,ir,t0,t1);
1472 
1473 	CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1474 		CamelliaSubkeyL(24),CamelliaSubkeyR(24),
1475 		CamelliaSubkeyL(25),CamelliaSubkeyR(25),
1476 		t0,t1,il,ir);
1477 
1478 	CAMELLIA_ROUNDSM(io[0],io[1],
1479 		CamelliaSubkeyL(26),CamelliaSubkeyR(26),
1480 		io[2],io[3],il,ir,t0,t1);
1481 	CAMELLIA_ROUNDSM(io[2],io[3],
1482 		CamelliaSubkeyL(27),CamelliaSubkeyR(27),
1483 		io[0],io[1],il,ir,t0,t1);
1484 	CAMELLIA_ROUNDSM(io[0],io[1],
1485 		CamelliaSubkeyL(28),CamelliaSubkeyR(28),
1486 		io[2],io[3],il,ir,t0,t1);
1487 	CAMELLIA_ROUNDSM(io[2],io[3],
1488 		CamelliaSubkeyL(29),CamelliaSubkeyR(29),
1489 		io[0],io[1],il,ir,t0,t1);
1490 	CAMELLIA_ROUNDSM(io[0],io[1],
1491 		CamelliaSubkeyL(30),CamelliaSubkeyR(30),
1492 		io[2],io[3],il,ir,t0,t1);
1493 	CAMELLIA_ROUNDSM(io[2],io[3],
1494 		CamelliaSubkeyL(31),CamelliaSubkeyR(31),
1495 		io[0],io[1],il,ir,t0,t1);
1496 
1497 	/* post whitening but kw4 */
1498 	io[2] ^= CamelliaSubkeyL(32);
1499 	io[3] ^= CamelliaSubkeyR(32);
1500 
1501 	t0 = io[0];
1502 	t1 = io[1];
1503 	io[0] = io[2];
1504 	io[1] = io[3];
1505 	io[2] = t0;
1506 	io[3] = t1;
1507 
1508 	return;
1509 	}
1510 
camellia_decrypt256(const u32 * subkey,u32 * io)1511 void camellia_decrypt256(const u32 *subkey, u32 *io)
1512 	{
1513 	u32 il,ir,t0,t1;           /* temporary valiables */
1514 
1515 	/* pre whitening but absorb kw2*/
1516 	io[0] ^= CamelliaSubkeyL(32);
1517 	io[1] ^= CamelliaSubkeyR(32);
1518 
1519 	/* main iteration */
1520 	CAMELLIA_ROUNDSM(io[0],io[1],
1521 		CamelliaSubkeyL(31),CamelliaSubkeyR(31),
1522 		io[2],io[3],il,ir,t0,t1);
1523 	CAMELLIA_ROUNDSM(io[2],io[3],
1524 		CamelliaSubkeyL(30),CamelliaSubkeyR(30),
1525 		io[0],io[1],il,ir,t0,t1);
1526 	CAMELLIA_ROUNDSM(io[0],io[1],
1527 		CamelliaSubkeyL(29),CamelliaSubkeyR(29),
1528 		io[2],io[3],il,ir,t0,t1);
1529 	CAMELLIA_ROUNDSM(io[2],io[3],
1530 		CamelliaSubkeyL(28),CamelliaSubkeyR(28),
1531 		io[0],io[1],il,ir,t0,t1);
1532 	CAMELLIA_ROUNDSM(io[0],io[1],
1533 		CamelliaSubkeyL(27),CamelliaSubkeyR(27),
1534 		io[2],io[3],il,ir,t0,t1);
1535 	CAMELLIA_ROUNDSM(io[2],io[3],
1536 		CamelliaSubkeyL(26),CamelliaSubkeyR(26),
1537 		io[0],io[1],il,ir,t0,t1);
1538 
1539 	CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1540 		CamelliaSubkeyL(25),CamelliaSubkeyR(25),
1541 		CamelliaSubkeyL(24),CamelliaSubkeyR(24),
1542 		t0,t1,il,ir);
1543 
1544 	CAMELLIA_ROUNDSM(io[0],io[1],
1545 		CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1546 		io[2],io[3],il,ir,t0,t1);
1547 	CAMELLIA_ROUNDSM(io[2],io[3],
1548 		CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1549 		io[0],io[1],il,ir,t0,t1);
1550 	CAMELLIA_ROUNDSM(io[0],io[1],
1551 		CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1552 		io[2],io[3],il,ir,t0,t1);
1553 	CAMELLIA_ROUNDSM(io[2],io[3],
1554 		CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1555 		io[0],io[1],il,ir,t0,t1);
1556 	CAMELLIA_ROUNDSM(io[0],io[1],
1557 		CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1558 		io[2],io[3],il,ir,t0,t1);
1559 	CAMELLIA_ROUNDSM(io[2],io[3],
1560 		CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1561 		io[0],io[1],il,ir,t0,t1);
1562 
1563 	CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1564 		CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1565 		CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1566 		t0,t1,il,ir);
1567 
1568 	CAMELLIA_ROUNDSM(io[0],io[1],
1569 		CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1570 		io[2],io[3],il,ir,t0,t1);
1571 	CAMELLIA_ROUNDSM(io[2],io[3],
1572 		CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1573 		io[0],io[1],il,ir,t0,t1);
1574 	CAMELLIA_ROUNDSM(io[0],io[1],
1575 		CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1576 		io[2],io[3],il,ir,t0,t1);
1577 	CAMELLIA_ROUNDSM(io[2],io[3],
1578 		CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1579 		io[0],io[1],il,ir,t0,t1);
1580 	CAMELLIA_ROUNDSM(io[0],io[1],
1581 		CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1582 		io[2],io[3],il,ir,t0,t1);
1583 	CAMELLIA_ROUNDSM(io[2],io[3],
1584 		CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1585 		io[0],io[1],il,ir,t0,t1);
1586 
1587 	CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1588 		CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1589 		CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1590 		t0,t1,il,ir);
1591 
1592 	CAMELLIA_ROUNDSM(io[0],io[1],
1593 		CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1594 		io[2],io[3],il,ir,t0,t1);
1595 	CAMELLIA_ROUNDSM(io[2],io[3],
1596 		CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1597 		io[0],io[1],il,ir,t0,t1);
1598 	CAMELLIA_ROUNDSM(io[0],io[1],
1599 		CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1600 		io[2],io[3],il,ir,t0,t1);
1601 	CAMELLIA_ROUNDSM(io[2],io[3],
1602 		CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1603 		io[0],io[1],il,ir,t0,t1);
1604 	CAMELLIA_ROUNDSM(io[0],io[1],
1605 		CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1606 		io[2],io[3],il,ir,t0,t1);
1607 	CAMELLIA_ROUNDSM(io[2],io[3],
1608 		CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1609 		io[0],io[1],il,ir,t0,t1);
1610 
1611 	/* post whitening but kw4 */
1612 	io[2] ^= CamelliaSubkeyL(0);
1613 	io[3] ^= CamelliaSubkeyR(0);
1614 
1615 	t0 = io[0];
1616 	t1 = io[1];
1617 	io[0] = io[2];
1618 	io[1] = io[3];
1619 	io[2] = t0;
1620 	io[3] = t1;
1621 
1622 	return;
1623 	}
1624 
1625