1 /*
2 * Copyright (C) 2006
3 * NTT (Nippon Telegraph and Telephone Corporation).
4 *
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version 2
8 * of the License, or (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
18 */
19
20 /*
21 * Algorithm Specification
22 * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
23 */
24
25 /*
26 *
27 * NOTE --- NOTE --- NOTE --- NOTE
28 * This implementation assumes that all memory addresses passed
29 * as parameters are four-byte aligned.
30 *
31 */
32
33 #include <linux/crypto.h>
34 #include <linux/errno.h>
35 #include <linux/init.h>
36 #include <linux/kernel.h>
37 #include <linux/module.h>
38 #include <linux/bitops.h>
39 #include <asm/unaligned.h>
40
41 static const u32 camellia_sp1110[256] = {
42 0x70707000,0x82828200,0x2c2c2c00,0xececec00,
43 0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
44 0xe4e4e400,0x85858500,0x57575700,0x35353500,
45 0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
46 0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
47 0x45454500,0x19191900,0xa5a5a500,0x21212100,
48 0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
49 0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
50 0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
51 0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
52 0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
53 0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
54 0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
55 0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
56 0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
57 0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
58 0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
59 0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
60 0x74747400,0x12121200,0x2b2b2b00,0x20202000,
61 0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
62 0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
63 0x34343400,0x7e7e7e00,0x76767600,0x05050500,
64 0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
65 0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
66 0x14141400,0x58585800,0x3a3a3a00,0x61616100,
67 0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
68 0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
69 0x53535300,0x18181800,0xf2f2f200,0x22222200,
70 0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
71 0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
72 0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
73 0x60606000,0xfcfcfc00,0x69696900,0x50505000,
74 0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
75 0xa1a1a100,0x89898900,0x62626200,0x97979700,
76 0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
77 0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
78 0x10101000,0xc4c4c400,0x00000000,0x48484800,
79 0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
80 0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
81 0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
82 0x87878700,0x5c5c5c00,0x83838300,0x02020200,
83 0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
84 0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
85 0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
86 0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
87 0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
88 0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
89 0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
90 0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
91 0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
92 0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
93 0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
94 0x78787800,0x98989800,0x06060600,0x6a6a6a00,
95 0xe7e7e700,0x46464600,0x71717100,0xbababa00,
96 0xd4d4d400,0x25252500,0xababab00,0x42424200,
97 0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
98 0x72727200,0x07070700,0xb9b9b900,0x55555500,
99 0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
100 0x36363600,0x49494900,0x2a2a2a00,0x68686800,
101 0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
102 0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
103 0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
104 0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
105 0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
106 };
107
108 static const u32 camellia_sp0222[256] = {
109 0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
110 0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
111 0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
112 0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
113 0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
114 0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
115 0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
116 0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
117 0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
118 0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
119 0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
120 0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
121 0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
122 0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
123 0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
124 0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
125 0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
126 0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
127 0x00e8e8e8,0x00242424,0x00565656,0x00404040,
128 0x00e1e1e1,0x00636363,0x00090909,0x00333333,
129 0x00bfbfbf,0x00989898,0x00979797,0x00858585,
130 0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
131 0x00dadada,0x006f6f6f,0x00535353,0x00626262,
132 0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
133 0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
134 0x00bdbdbd,0x00363636,0x00222222,0x00383838,
135 0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
136 0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
137 0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
138 0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
139 0x00484848,0x00101010,0x00d1d1d1,0x00515151,
140 0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
141 0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
142 0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
143 0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
144 0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
145 0x00202020,0x00898989,0x00000000,0x00909090,
146 0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
147 0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
148 0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
149 0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
150 0x009b9b9b,0x00949494,0x00212121,0x00666666,
151 0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
152 0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
153 0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
154 0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
155 0x00030303,0x002d2d2d,0x00dedede,0x00969696,
156 0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
157 0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
158 0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
159 0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
160 0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
161 0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
162 0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
163 0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
164 0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
165 0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
166 0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
167 0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
168 0x00787878,0x00707070,0x00e3e3e3,0x00494949,
169 0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
170 0x00777777,0x00939393,0x00868686,0x00838383,
171 0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
172 0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
173 };
174
175 static const u32 camellia_sp3033[256] = {
176 0x38003838,0x41004141,0x16001616,0x76007676,
177 0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
178 0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
179 0x75007575,0x06000606,0x57005757,0xa000a0a0,
180 0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
181 0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
182 0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
183 0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
184 0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
185 0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
186 0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
187 0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
188 0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
189 0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
190 0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
191 0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
192 0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
193 0xfd00fdfd,0x66006666,0x58005858,0x96009696,
194 0x3a003a3a,0x09000909,0x95009595,0x10001010,
195 0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
196 0xef00efef,0x26002626,0xe500e5e5,0x61006161,
197 0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
198 0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
199 0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
200 0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
201 0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
202 0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
203 0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
204 0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
205 0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
206 0x12001212,0x04000404,0x74007474,0x54005454,
207 0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
208 0x55005555,0x68006868,0x50005050,0xbe00bebe,
209 0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
210 0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
211 0x70007070,0xff00ffff,0x32003232,0x69006969,
212 0x08000808,0x62006262,0x00000000,0x24002424,
213 0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
214 0x45004545,0x81008181,0x73007373,0x6d006d6d,
215 0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
216 0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
217 0xe600e6e6,0x25002525,0x48004848,0x99009999,
218 0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
219 0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
220 0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
221 0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
222 0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
223 0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
224 0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
225 0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
226 0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
227 0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
228 0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
229 0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
230 0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
231 0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
232 0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
233 0x7c007c7c,0x77007777,0x56005656,0x05000505,
234 0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
235 0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
236 0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
237 0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
238 0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
239 0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
240 };
241
242 static const u32 camellia_sp4404[256] = {
243 0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
244 0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
245 0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
246 0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
247 0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
248 0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
249 0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
250 0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
251 0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
252 0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
253 0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
254 0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
255 0x14140014,0x3a3a003a,0xdede00de,0x11110011,
256 0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
257 0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
258 0x24240024,0xe8e800e8,0x60600060,0x69690069,
259 0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
260 0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
261 0x10100010,0x00000000,0xa3a300a3,0x75750075,
262 0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
263 0x87870087,0x83830083,0xcdcd00cd,0x90900090,
264 0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
265 0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
266 0x81810081,0x6f6f006f,0x13130013,0x63630063,
267 0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
268 0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
269 0x78780078,0x06060006,0xe7e700e7,0x71710071,
270 0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
271 0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
272 0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
273 0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
274 0x15150015,0xadad00ad,0x77770077,0x80800080,
275 0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
276 0x85850085,0x35350035,0x0c0c000c,0x41410041,
277 0xefef00ef,0x93930093,0x19190019,0x21210021,
278 0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
279 0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
280 0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
281 0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
282 0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
283 0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
284 0x12120012,0x20200020,0xb1b100b1,0x99990099,
285 0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
286 0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
287 0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
288 0x0f0f000f,0x16160016,0x18180018,0x22220022,
289 0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
290 0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
291 0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
292 0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
293 0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
294 0x03030003,0xdada00da,0x3f3f003f,0x94940094,
295 0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
296 0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
297 0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
298 0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
299 0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
300 0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
301 0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
302 0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
303 0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
304 0x49490049,0x68680068,0x38380038,0xa4a400a4,
305 0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
306 0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
307 };
308
309
310 #define CAMELLIA_MIN_KEY_SIZE 16
311 #define CAMELLIA_MAX_KEY_SIZE 32
312 #define CAMELLIA_BLOCK_SIZE 16
313 #define CAMELLIA_TABLE_BYTE_LEN 272
314
315 /*
316 * NB: L and R below stand for 'left' and 'right' as in written numbers.
317 * That is, in (xxxL,xxxR) pair xxxL holds most significant digits,
318 * _not_ least significant ones!
319 */
320
321
322 /* key constants */
323
324 #define CAMELLIA_SIGMA1L (0xA09E667FL)
325 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
326 #define CAMELLIA_SIGMA2L (0xB67AE858L)
327 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
328 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
329 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
330 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
331 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
332 #define CAMELLIA_SIGMA5L (0x10E527FAL)
333 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
334 #define CAMELLIA_SIGMA6L (0xB05688C2L)
335 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
336
337 /*
338 * macros
339 */
340 #define ROLDQ(ll, lr, rl, rr, w0, w1, bits) \
341 do { \
342 w0 = ll; \
343 ll = (ll << bits) + (lr >> (32 - bits)); \
344 lr = (lr << bits) + (rl >> (32 - bits)); \
345 rl = (rl << bits) + (rr >> (32 - bits)); \
346 rr = (rr << bits) + (w0 >> (32 - bits)); \
347 } while(0)
348
349 #define ROLDQo32(ll, lr, rl, rr, w0, w1, bits) \
350 do { \
351 w0 = ll; \
352 w1 = lr; \
353 ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
354 lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
355 rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
356 rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
357 } while(0)
358
359 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \
360 do { \
361 il = xl ^ kl; \
362 ir = xr ^ kr; \
363 t0 = il >> 16; \
364 t1 = ir >> 16; \
365 yl = camellia_sp1110[(u8)(ir )] \
366 ^ camellia_sp0222[ (t1 >> 8)] \
367 ^ camellia_sp3033[(u8)(t1 )] \
368 ^ camellia_sp4404[(u8)(ir >> 8)]; \
369 yr = camellia_sp1110[ (t0 >> 8)] \
370 ^ camellia_sp0222[(u8)(t0 )] \
371 ^ camellia_sp3033[(u8)(il >> 8)] \
372 ^ camellia_sp4404[(u8)(il )]; \
373 yl ^= yr; \
374 yr = ror32(yr, 8); \
375 yr ^= yl; \
376 } while(0)
377
378 #define SUBKEY_L(INDEX) (subkey[(INDEX)*2])
379 #define SUBKEY_R(INDEX) (subkey[(INDEX)*2 + 1])
380
camellia_setup_tail(u32 * subkey,u32 * subL,u32 * subR,int max)381 static void camellia_setup_tail(u32 *subkey, u32 *subL, u32 *subR, int max)
382 {
383 u32 dw, tl, tr;
384 u32 kw4l, kw4r;
385 int i;
386
387 /* absorb kw2 to other subkeys */
388 /* round 2 */
389 subL[3] ^= subL[1]; subR[3] ^= subR[1];
390 /* round 4 */
391 subL[5] ^= subL[1]; subR[5] ^= subR[1];
392 /* round 6 */
393 subL[7] ^= subL[1]; subR[7] ^= subR[1];
394 subL[1] ^= subR[1] & ~subR[9];
395 dw = subL[1] & subL[9],
396 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl2) */
397 /* round 8 */
398 subL[11] ^= subL[1]; subR[11] ^= subR[1];
399 /* round 10 */
400 subL[13] ^= subL[1]; subR[13] ^= subR[1];
401 /* round 12 */
402 subL[15] ^= subL[1]; subR[15] ^= subR[1];
403 subL[1] ^= subR[1] & ~subR[17];
404 dw = subL[1] & subL[17],
405 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl4) */
406 /* round 14 */
407 subL[19] ^= subL[1]; subR[19] ^= subR[1];
408 /* round 16 */
409 subL[21] ^= subL[1]; subR[21] ^= subR[1];
410 /* round 18 */
411 subL[23] ^= subL[1]; subR[23] ^= subR[1];
412 if (max == 24) {
413 /* kw3 */
414 subL[24] ^= subL[1]; subR[24] ^= subR[1];
415
416 /* absorb kw4 to other subkeys */
417 kw4l = subL[25]; kw4r = subR[25];
418 } else {
419 subL[1] ^= subR[1] & ~subR[25];
420 dw = subL[1] & subL[25],
421 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl6) */
422 /* round 20 */
423 subL[27] ^= subL[1]; subR[27] ^= subR[1];
424 /* round 22 */
425 subL[29] ^= subL[1]; subR[29] ^= subR[1];
426 /* round 24 */
427 subL[31] ^= subL[1]; subR[31] ^= subR[1];
428 /* kw3 */
429 subL[32] ^= subL[1]; subR[32] ^= subR[1];
430
431 /* absorb kw4 to other subkeys */
432 kw4l = subL[33]; kw4r = subR[33];
433 /* round 23 */
434 subL[30] ^= kw4l; subR[30] ^= kw4r;
435 /* round 21 */
436 subL[28] ^= kw4l; subR[28] ^= kw4r;
437 /* round 19 */
438 subL[26] ^= kw4l; subR[26] ^= kw4r;
439 kw4l ^= kw4r & ~subR[24];
440 dw = kw4l & subL[24],
441 kw4r ^= rol32(dw, 1); /* modified for FL(kl5) */
442 }
443 /* round 17 */
444 subL[22] ^= kw4l; subR[22] ^= kw4r;
445 /* round 15 */
446 subL[20] ^= kw4l; subR[20] ^= kw4r;
447 /* round 13 */
448 subL[18] ^= kw4l; subR[18] ^= kw4r;
449 kw4l ^= kw4r & ~subR[16];
450 dw = kw4l & subL[16],
451 kw4r ^= rol32(dw, 1); /* modified for FL(kl3) */
452 /* round 11 */
453 subL[14] ^= kw4l; subR[14] ^= kw4r;
454 /* round 9 */
455 subL[12] ^= kw4l; subR[12] ^= kw4r;
456 /* round 7 */
457 subL[10] ^= kw4l; subR[10] ^= kw4r;
458 kw4l ^= kw4r & ~subR[8];
459 dw = kw4l & subL[8],
460 kw4r ^= rol32(dw, 1); /* modified for FL(kl1) */
461 /* round 5 */
462 subL[6] ^= kw4l; subR[6] ^= kw4r;
463 /* round 3 */
464 subL[4] ^= kw4l; subR[4] ^= kw4r;
465 /* round 1 */
466 subL[2] ^= kw4l; subR[2] ^= kw4r;
467 /* kw1 */
468 subL[0] ^= kw4l; subR[0] ^= kw4r;
469
470 /* key XOR is end of F-function */
471 SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
472 SUBKEY_R(0) = subR[0] ^ subR[2];
473 SUBKEY_L(2) = subL[3]; /* round 1 */
474 SUBKEY_R(2) = subR[3];
475 SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
476 SUBKEY_R(3) = subR[2] ^ subR[4];
477 SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
478 SUBKEY_R(4) = subR[3] ^ subR[5];
479 SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
480 SUBKEY_R(5) = subR[4] ^ subR[6];
481 SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
482 SUBKEY_R(6) = subR[5] ^ subR[7];
483 tl = subL[10] ^ (subR[10] & ~subR[8]);
484 dw = tl & subL[8], /* FL(kl1) */
485 tr = subR[10] ^ rol32(dw, 1);
486 SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
487 SUBKEY_R(7) = subR[6] ^ tr;
488 SUBKEY_L(8) = subL[8]; /* FL(kl1) */
489 SUBKEY_R(8) = subR[8];
490 SUBKEY_L(9) = subL[9]; /* FLinv(kl2) */
491 SUBKEY_R(9) = subR[9];
492 tl = subL[7] ^ (subR[7] & ~subR[9]);
493 dw = tl & subL[9], /* FLinv(kl2) */
494 tr = subR[7] ^ rol32(dw, 1);
495 SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
496 SUBKEY_R(10) = tr ^ subR[11];
497 SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
498 SUBKEY_R(11) = subR[10] ^ subR[12];
499 SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
500 SUBKEY_R(12) = subR[11] ^ subR[13];
501 SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
502 SUBKEY_R(13) = subR[12] ^ subR[14];
503 SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
504 SUBKEY_R(14) = subR[13] ^ subR[15];
505 tl = subL[18] ^ (subR[18] & ~subR[16]);
506 dw = tl & subL[16], /* FL(kl3) */
507 tr = subR[18] ^ rol32(dw, 1);
508 SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
509 SUBKEY_R(15) = subR[14] ^ tr;
510 SUBKEY_L(16) = subL[16]; /* FL(kl3) */
511 SUBKEY_R(16) = subR[16];
512 SUBKEY_L(17) = subL[17]; /* FLinv(kl4) */
513 SUBKEY_R(17) = subR[17];
514 tl = subL[15] ^ (subR[15] & ~subR[17]);
515 dw = tl & subL[17], /* FLinv(kl4) */
516 tr = subR[15] ^ rol32(dw, 1);
517 SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
518 SUBKEY_R(18) = tr ^ subR[19];
519 SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
520 SUBKEY_R(19) = subR[18] ^ subR[20];
521 SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
522 SUBKEY_R(20) = subR[19] ^ subR[21];
523 SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
524 SUBKEY_R(21) = subR[20] ^ subR[22];
525 SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
526 SUBKEY_R(22) = subR[21] ^ subR[23];
527 if (max == 24) {
528 SUBKEY_L(23) = subL[22]; /* round 18 */
529 SUBKEY_R(23) = subR[22];
530 SUBKEY_L(24) = subL[24] ^ subL[23]; /* kw3 */
531 SUBKEY_R(24) = subR[24] ^ subR[23];
532 } else {
533 tl = subL[26] ^ (subR[26] & ~subR[24]);
534 dw = tl & subL[24], /* FL(kl5) */
535 tr = subR[26] ^ rol32(dw, 1);
536 SUBKEY_L(23) = subL[22] ^ tl; /* round 18 */
537 SUBKEY_R(23) = subR[22] ^ tr;
538 SUBKEY_L(24) = subL[24]; /* FL(kl5) */
539 SUBKEY_R(24) = subR[24];
540 SUBKEY_L(25) = subL[25]; /* FLinv(kl6) */
541 SUBKEY_R(25) = subR[25];
542 tl = subL[23] ^ (subR[23] & ~subR[25]);
543 dw = tl & subL[25], /* FLinv(kl6) */
544 tr = subR[23] ^ rol32(dw, 1);
545 SUBKEY_L(26) = tl ^ subL[27]; /* round 19 */
546 SUBKEY_R(26) = tr ^ subR[27];
547 SUBKEY_L(27) = subL[26] ^ subL[28]; /* round 20 */
548 SUBKEY_R(27) = subR[26] ^ subR[28];
549 SUBKEY_L(28) = subL[27] ^ subL[29]; /* round 21 */
550 SUBKEY_R(28) = subR[27] ^ subR[29];
551 SUBKEY_L(29) = subL[28] ^ subL[30]; /* round 22 */
552 SUBKEY_R(29) = subR[28] ^ subR[30];
553 SUBKEY_L(30) = subL[29] ^ subL[31]; /* round 23 */
554 SUBKEY_R(30) = subR[29] ^ subR[31];
555 SUBKEY_L(31) = subL[30]; /* round 24 */
556 SUBKEY_R(31) = subR[30];
557 SUBKEY_L(32) = subL[32] ^ subL[31]; /* kw3 */
558 SUBKEY_R(32) = subR[32] ^ subR[31];
559 }
560
561 /* apply the inverse of the last half of P-function */
562 i = 2;
563 do {
564 dw = SUBKEY_L(i + 0) ^ SUBKEY_R(i + 0); dw = rol32(dw, 8);/* round 1 */
565 SUBKEY_R(i + 0) = SUBKEY_L(i + 0) ^ dw; SUBKEY_L(i + 0) = dw;
566 dw = SUBKEY_L(i + 1) ^ SUBKEY_R(i + 1); dw = rol32(dw, 8);/* round 2 */
567 SUBKEY_R(i + 1) = SUBKEY_L(i + 1) ^ dw; SUBKEY_L(i + 1) = dw;
568 dw = SUBKEY_L(i + 2) ^ SUBKEY_R(i + 2); dw = rol32(dw, 8);/* round 3 */
569 SUBKEY_R(i + 2) = SUBKEY_L(i + 2) ^ dw; SUBKEY_L(i + 2) = dw;
570 dw = SUBKEY_L(i + 3) ^ SUBKEY_R(i + 3); dw = rol32(dw, 8);/* round 4 */
571 SUBKEY_R(i + 3) = SUBKEY_L(i + 3) ^ dw; SUBKEY_L(i + 3) = dw;
572 dw = SUBKEY_L(i + 4) ^ SUBKEY_R(i + 4); dw = rol32(dw, 8);/* round 5 */
573 SUBKEY_R(i + 4) = SUBKEY_L(i + 4) ^ dw; SUBKEY_L(i + 4) = dw;
574 dw = SUBKEY_L(i + 5) ^ SUBKEY_R(i + 5); dw = rol32(dw, 8);/* round 6 */
575 SUBKEY_R(i + 5) = SUBKEY_L(i + 5) ^ dw; SUBKEY_L(i + 5) = dw;
576 i += 8;
577 } while (i < max);
578 }
579
camellia_setup128(const unsigned char * key,u32 * subkey)580 static void camellia_setup128(const unsigned char *key, u32 *subkey)
581 {
582 u32 kll, klr, krl, krr;
583 u32 il, ir, t0, t1, w0, w1;
584 u32 subL[26];
585 u32 subR[26];
586
587 /**
588 * k == kll || klr || krl || krr (|| is concatenation)
589 */
590 kll = get_unaligned_be32(key);
591 klr = get_unaligned_be32(key + 4);
592 krl = get_unaligned_be32(key + 8);
593 krr = get_unaligned_be32(key + 12);
594
595 /* generate KL dependent subkeys */
596 /* kw1 */
597 subL[0] = kll; subR[0] = klr;
598 /* kw2 */
599 subL[1] = krl; subR[1] = krr;
600 /* rotation left shift 15bit */
601 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
602 /* k3 */
603 subL[4] = kll; subR[4] = klr;
604 /* k4 */
605 subL[5] = krl; subR[5] = krr;
606 /* rotation left shift 15+30bit */
607 ROLDQ(kll, klr, krl, krr, w0, w1, 30);
608 /* k7 */
609 subL[10] = kll; subR[10] = klr;
610 /* k8 */
611 subL[11] = krl; subR[11] = krr;
612 /* rotation left shift 15+30+15bit */
613 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
614 /* k10 */
615 subL[13] = krl; subR[13] = krr;
616 /* rotation left shift 15+30+15+17 bit */
617 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
618 /* kl3 */
619 subL[16] = kll; subR[16] = klr;
620 /* kl4 */
621 subL[17] = krl; subR[17] = krr;
622 /* rotation left shift 15+30+15+17+17 bit */
623 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
624 /* k13 */
625 subL[18] = kll; subR[18] = klr;
626 /* k14 */
627 subL[19] = krl; subR[19] = krr;
628 /* rotation left shift 15+30+15+17+17+17 bit */
629 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
630 /* k17 */
631 subL[22] = kll; subR[22] = klr;
632 /* k18 */
633 subL[23] = krl; subR[23] = krr;
634
635 /* generate KA */
636 kll = subL[0]; klr = subR[0];
637 krl = subL[1]; krr = subR[1];
638 CAMELLIA_F(kll, klr,
639 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
640 w0, w1, il, ir, t0, t1);
641 krl ^= w0; krr ^= w1;
642 CAMELLIA_F(krl, krr,
643 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
644 kll, klr, il, ir, t0, t1);
645 /* current status == (kll, klr, w0, w1) */
646 CAMELLIA_F(kll, klr,
647 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
648 krl, krr, il, ir, t0, t1);
649 krl ^= w0; krr ^= w1;
650 CAMELLIA_F(krl, krr,
651 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
652 w0, w1, il, ir, t0, t1);
653 kll ^= w0; klr ^= w1;
654
655 /* generate KA dependent subkeys */
656 /* k1, k2 */
657 subL[2] = kll; subR[2] = klr;
658 subL[3] = krl; subR[3] = krr;
659 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
660 /* k5,k6 */
661 subL[6] = kll; subR[6] = klr;
662 subL[7] = krl; subR[7] = krr;
663 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
664 /* kl1, kl2 */
665 subL[8] = kll; subR[8] = klr;
666 subL[9] = krl; subR[9] = krr;
667 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
668 /* k9 */
669 subL[12] = kll; subR[12] = klr;
670 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
671 /* k11, k12 */
672 subL[14] = kll; subR[14] = klr;
673 subL[15] = krl; subR[15] = krr;
674 ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
675 /* k15, k16 */
676 subL[20] = kll; subR[20] = klr;
677 subL[21] = krl; subR[21] = krr;
678 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
679 /* kw3, kw4 */
680 subL[24] = kll; subR[24] = klr;
681 subL[25] = krl; subR[25] = krr;
682
683 camellia_setup_tail(subkey, subL, subR, 24);
684 }
685
camellia_setup256(const unsigned char * key,u32 * subkey)686 static void camellia_setup256(const unsigned char *key, u32 *subkey)
687 {
688 u32 kll, klr, krl, krr; /* left half of key */
689 u32 krll, krlr, krrl, krrr; /* right half of key */
690 u32 il, ir, t0, t1, w0, w1; /* temporary variables */
691 u32 subL[34];
692 u32 subR[34];
693
694 /**
695 * key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
696 * (|| is concatenation)
697 */
698 kll = get_unaligned_be32(key);
699 klr = get_unaligned_be32(key + 4);
700 krl = get_unaligned_be32(key + 8);
701 krr = get_unaligned_be32(key + 12);
702 krll = get_unaligned_be32(key + 16);
703 krlr = get_unaligned_be32(key + 20);
704 krrl = get_unaligned_be32(key + 24);
705 krrr = get_unaligned_be32(key + 28);
706
707 /* generate KL dependent subkeys */
708 /* kw1 */
709 subL[0] = kll; subR[0] = klr;
710 /* kw2 */
711 subL[1] = krl; subR[1] = krr;
712 ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
713 /* k9 */
714 subL[12] = kll; subR[12] = klr;
715 /* k10 */
716 subL[13] = krl; subR[13] = krr;
717 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
718 /* kl3 */
719 subL[16] = kll; subR[16] = klr;
720 /* kl4 */
721 subL[17] = krl; subR[17] = krr;
722 ROLDQ(kll, klr, krl, krr, w0, w1, 17);
723 /* k17 */
724 subL[22] = kll; subR[22] = klr;
725 /* k18 */
726 subL[23] = krl; subR[23] = krr;
727 ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
728 /* k23 */
729 subL[30] = kll; subR[30] = klr;
730 /* k24 */
731 subL[31] = krl; subR[31] = krr;
732
733 /* generate KR dependent subkeys */
734 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
735 /* k3 */
736 subL[4] = krll; subR[4] = krlr;
737 /* k4 */
738 subL[5] = krrl; subR[5] = krrr;
739 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
740 /* kl1 */
741 subL[8] = krll; subR[8] = krlr;
742 /* kl2 */
743 subL[9] = krrl; subR[9] = krrr;
744 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
745 /* k13 */
746 subL[18] = krll; subR[18] = krlr;
747 /* k14 */
748 subL[19] = krrl; subR[19] = krrr;
749 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
750 /* k19 */
751 subL[26] = krll; subR[26] = krlr;
752 /* k20 */
753 subL[27] = krrl; subR[27] = krrr;
754 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
755
756 /* generate KA */
757 kll = subL[0] ^ krll; klr = subR[0] ^ krlr;
758 krl = subL[1] ^ krrl; krr = subR[1] ^ krrr;
759 CAMELLIA_F(kll, klr,
760 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
761 w0, w1, il, ir, t0, t1);
762 krl ^= w0; krr ^= w1;
763 CAMELLIA_F(krl, krr,
764 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
765 kll, klr, il, ir, t0, t1);
766 kll ^= krll; klr ^= krlr;
767 CAMELLIA_F(kll, klr,
768 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
769 krl, krr, il, ir, t0, t1);
770 krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
771 CAMELLIA_F(krl, krr,
772 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
773 w0, w1, il, ir, t0, t1);
774 kll ^= w0; klr ^= w1;
775
776 /* generate KB */
777 krll ^= kll; krlr ^= klr;
778 krrl ^= krl; krrr ^= krr;
779 CAMELLIA_F(krll, krlr,
780 CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
781 w0, w1, il, ir, t0, t1);
782 krrl ^= w0; krrr ^= w1;
783 CAMELLIA_F(krrl, krrr,
784 CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
785 w0, w1, il, ir, t0, t1);
786 krll ^= w0; krlr ^= w1;
787
788 /* generate KA dependent subkeys */
789 ROLDQ(kll, klr, krl, krr, w0, w1, 15);
790 /* k5 */
791 subL[6] = kll; subR[6] = klr;
792 /* k6 */
793 subL[7] = krl; subR[7] = krr;
794 ROLDQ(kll, klr, krl, krr, w0, w1, 30);
795 /* k11 */
796 subL[14] = kll; subR[14] = klr;
797 /* k12 */
798 subL[15] = krl; subR[15] = krr;
799 /* rotation left shift 32bit */
800 /* kl5 */
801 subL[24] = klr; subR[24] = krl;
802 /* kl6 */
803 subL[25] = krr; subR[25] = kll;
804 /* rotation left shift 49 from k11,k12 -> k21,k22 */
805 ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
806 /* k21 */
807 subL[28] = kll; subR[28] = klr;
808 /* k22 */
809 subL[29] = krl; subR[29] = krr;
810
811 /* generate KB dependent subkeys */
812 /* k1 */
813 subL[2] = krll; subR[2] = krlr;
814 /* k2 */
815 subL[3] = krrl; subR[3] = krrr;
816 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
817 /* k7 */
818 subL[10] = krll; subR[10] = krlr;
819 /* k8 */
820 subL[11] = krrl; subR[11] = krrr;
821 ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
822 /* k15 */
823 subL[20] = krll; subR[20] = krlr;
824 /* k16 */
825 subL[21] = krrl; subR[21] = krrr;
826 ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
827 /* kw3 */
828 subL[32] = krll; subR[32] = krlr;
829 /* kw4 */
830 subL[33] = krrl; subR[33] = krrr;
831
832 camellia_setup_tail(subkey, subL, subR, 32);
833 }
834
camellia_setup192(const unsigned char * key,u32 * subkey)835 static void camellia_setup192(const unsigned char *key, u32 *subkey)
836 {
837 unsigned char kk[32];
838 u32 krll, krlr, krrl,krrr;
839
840 memcpy(kk, key, 24);
841 memcpy((unsigned char *)&krll, key+16, 4);
842 memcpy((unsigned char *)&krlr, key+20, 4);
843 krrl = ~krll;
844 krrr = ~krlr;
845 memcpy(kk+24, (unsigned char *)&krrl, 4);
846 memcpy(kk+28, (unsigned char *)&krrr, 4);
847 camellia_setup256(kk, subkey);
848 }
849
850
851 /*
852 * Encrypt/decrypt
853 */
854 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
855 do { \
856 t0 = kll; \
857 t2 = krr; \
858 t0 &= ll; \
859 t2 |= rr; \
860 rl ^= t2; \
861 lr ^= rol32(t0, 1); \
862 t3 = krl; \
863 t1 = klr; \
864 t3 &= rl; \
865 t1 |= lr; \
866 ll ^= t1; \
867 rr ^= rol32(t3, 1); \
868 } while(0)
869
870 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir) \
871 do { \
872 ir = camellia_sp1110[(u8)xr]; \
873 il = camellia_sp1110[ (xl >> 24)]; \
874 ir ^= camellia_sp0222[ (xr >> 24)]; \
875 il ^= camellia_sp0222[(u8)(xl >> 16)]; \
876 ir ^= camellia_sp3033[(u8)(xr >> 16)]; \
877 il ^= camellia_sp3033[(u8)(xl >> 8)]; \
878 ir ^= camellia_sp4404[(u8)(xr >> 8)]; \
879 il ^= camellia_sp4404[(u8)xl]; \
880 il ^= kl; \
881 ir ^= il ^ kr; \
882 yl ^= ir; \
883 yr ^= ror32(il, 8) ^ ir; \
884 } while(0)
885
886 /* max = 24: 128bit encrypt, max = 32: 256bit encrypt */
camellia_do_encrypt(const u32 * subkey,u32 * io,unsigned max)887 static void camellia_do_encrypt(const u32 *subkey, u32 *io, unsigned max)
888 {
889 u32 il,ir,t0,t1; /* temporary variables */
890
891 /* pre whitening but absorb kw2 */
892 io[0] ^= SUBKEY_L(0);
893 io[1] ^= SUBKEY_R(0);
894
895 /* main iteration */
896 #define ROUNDS(i) do { \
897 CAMELLIA_ROUNDSM(io[0],io[1], \
898 SUBKEY_L(i + 2),SUBKEY_R(i + 2), \
899 io[2],io[3],il,ir); \
900 CAMELLIA_ROUNDSM(io[2],io[3], \
901 SUBKEY_L(i + 3),SUBKEY_R(i + 3), \
902 io[0],io[1],il,ir); \
903 CAMELLIA_ROUNDSM(io[0],io[1], \
904 SUBKEY_L(i + 4),SUBKEY_R(i + 4), \
905 io[2],io[3],il,ir); \
906 CAMELLIA_ROUNDSM(io[2],io[3], \
907 SUBKEY_L(i + 5),SUBKEY_R(i + 5), \
908 io[0],io[1],il,ir); \
909 CAMELLIA_ROUNDSM(io[0],io[1], \
910 SUBKEY_L(i + 6),SUBKEY_R(i + 6), \
911 io[2],io[3],il,ir); \
912 CAMELLIA_ROUNDSM(io[2],io[3], \
913 SUBKEY_L(i + 7),SUBKEY_R(i + 7), \
914 io[0],io[1],il,ir); \
915 } while (0)
916 #define FLS(i) do { \
917 CAMELLIA_FLS(io[0],io[1],io[2],io[3], \
918 SUBKEY_L(i + 0),SUBKEY_R(i + 0), \
919 SUBKEY_L(i + 1),SUBKEY_R(i + 1), \
920 t0,t1,il,ir); \
921 } while (0)
922
923 ROUNDS(0);
924 FLS(8);
925 ROUNDS(8);
926 FLS(16);
927 ROUNDS(16);
928 if (max == 32) {
929 FLS(24);
930 ROUNDS(24);
931 }
932
933 #undef ROUNDS
934 #undef FLS
935
936 /* post whitening but kw4 */
937 io[2] ^= SUBKEY_L(max);
938 io[3] ^= SUBKEY_R(max);
939 /* NB: io[0],[1] should be swapped with [2],[3] by caller! */
940 }
941
camellia_do_decrypt(const u32 * subkey,u32 * io,unsigned i)942 static void camellia_do_decrypt(const u32 *subkey, u32 *io, unsigned i)
943 {
944 u32 il,ir,t0,t1; /* temporary variables */
945
946 /* pre whitening but absorb kw2 */
947 io[0] ^= SUBKEY_L(i);
948 io[1] ^= SUBKEY_R(i);
949
950 /* main iteration */
951 #define ROUNDS(i) do { \
952 CAMELLIA_ROUNDSM(io[0],io[1], \
953 SUBKEY_L(i + 7),SUBKEY_R(i + 7), \
954 io[2],io[3],il,ir); \
955 CAMELLIA_ROUNDSM(io[2],io[3], \
956 SUBKEY_L(i + 6),SUBKEY_R(i + 6), \
957 io[0],io[1],il,ir); \
958 CAMELLIA_ROUNDSM(io[0],io[1], \
959 SUBKEY_L(i + 5),SUBKEY_R(i + 5), \
960 io[2],io[3],il,ir); \
961 CAMELLIA_ROUNDSM(io[2],io[3], \
962 SUBKEY_L(i + 4),SUBKEY_R(i + 4), \
963 io[0],io[1],il,ir); \
964 CAMELLIA_ROUNDSM(io[0],io[1], \
965 SUBKEY_L(i + 3),SUBKEY_R(i + 3), \
966 io[2],io[3],il,ir); \
967 CAMELLIA_ROUNDSM(io[2],io[3], \
968 SUBKEY_L(i + 2),SUBKEY_R(i + 2), \
969 io[0],io[1],il,ir); \
970 } while (0)
971 #define FLS(i) do { \
972 CAMELLIA_FLS(io[0],io[1],io[2],io[3], \
973 SUBKEY_L(i + 1),SUBKEY_R(i + 1), \
974 SUBKEY_L(i + 0),SUBKEY_R(i + 0), \
975 t0,t1,il,ir); \
976 } while (0)
977
978 if (i == 32) {
979 ROUNDS(24);
980 FLS(24);
981 }
982 ROUNDS(16);
983 FLS(16);
984 ROUNDS(8);
985 FLS(8);
986 ROUNDS(0);
987
988 #undef ROUNDS
989 #undef FLS
990
991 /* post whitening but kw4 */
992 io[2] ^= SUBKEY_L(0);
993 io[3] ^= SUBKEY_R(0);
994 /* NB: 0,1 should be swapped with 2,3 by caller! */
995 }
996
997
998 struct camellia_ctx {
999 int key_length;
1000 u32 key_table[CAMELLIA_TABLE_BYTE_LEN / sizeof(u32)];
1001 };
1002
1003 static int
camellia_set_key(struct crypto_tfm * tfm,const u8 * in_key,unsigned int key_len)1004 camellia_set_key(struct crypto_tfm *tfm, const u8 *in_key,
1005 unsigned int key_len)
1006 {
1007 struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1008 const unsigned char *key = (const unsigned char *)in_key;
1009 u32 *flags = &tfm->crt_flags;
1010
1011 if (key_len != 16 && key_len != 24 && key_len != 32) {
1012 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
1013 return -EINVAL;
1014 }
1015
1016 cctx->key_length = key_len;
1017
1018 switch (key_len) {
1019 case 16:
1020 camellia_setup128(key, cctx->key_table);
1021 break;
1022 case 24:
1023 camellia_setup192(key, cctx->key_table);
1024 break;
1025 case 32:
1026 camellia_setup256(key, cctx->key_table);
1027 break;
1028 }
1029
1030 return 0;
1031 }
1032
camellia_encrypt(struct crypto_tfm * tfm,u8 * out,const u8 * in)1033 static void camellia_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1034 {
1035 const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1036 const __be32 *src = (const __be32 *)in;
1037 __be32 *dst = (__be32 *)out;
1038
1039 u32 tmp[4];
1040
1041 tmp[0] = be32_to_cpu(src[0]);
1042 tmp[1] = be32_to_cpu(src[1]);
1043 tmp[2] = be32_to_cpu(src[2]);
1044 tmp[3] = be32_to_cpu(src[3]);
1045
1046 camellia_do_encrypt(cctx->key_table, tmp,
1047 cctx->key_length == 16 ? 24 : 32 /* for key lengths of 24 and 32 */
1048 );
1049
1050 /* do_encrypt returns 0,1 swapped with 2,3 */
1051 dst[0] = cpu_to_be32(tmp[2]);
1052 dst[1] = cpu_to_be32(tmp[3]);
1053 dst[2] = cpu_to_be32(tmp[0]);
1054 dst[3] = cpu_to_be32(tmp[1]);
1055 }
1056
camellia_decrypt(struct crypto_tfm * tfm,u8 * out,const u8 * in)1057 static void camellia_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1058 {
1059 const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1060 const __be32 *src = (const __be32 *)in;
1061 __be32 *dst = (__be32 *)out;
1062
1063 u32 tmp[4];
1064
1065 tmp[0] = be32_to_cpu(src[0]);
1066 tmp[1] = be32_to_cpu(src[1]);
1067 tmp[2] = be32_to_cpu(src[2]);
1068 tmp[3] = be32_to_cpu(src[3]);
1069
1070 camellia_do_decrypt(cctx->key_table, tmp,
1071 cctx->key_length == 16 ? 24 : 32 /* for key lengths of 24 and 32 */
1072 );
1073
1074 /* do_decrypt returns 0,1 swapped with 2,3 */
1075 dst[0] = cpu_to_be32(tmp[2]);
1076 dst[1] = cpu_to_be32(tmp[3]);
1077 dst[2] = cpu_to_be32(tmp[0]);
1078 dst[3] = cpu_to_be32(tmp[1]);
1079 }
1080
1081 static struct crypto_alg camellia_alg = {
1082 .cra_name = "camellia",
1083 .cra_driver_name = "camellia-generic",
1084 .cra_priority = 100,
1085 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
1086 .cra_blocksize = CAMELLIA_BLOCK_SIZE,
1087 .cra_ctxsize = sizeof(struct camellia_ctx),
1088 .cra_alignmask = 3,
1089 .cra_module = THIS_MODULE,
1090 .cra_list = LIST_HEAD_INIT(camellia_alg.cra_list),
1091 .cra_u = {
1092 .cipher = {
1093 .cia_min_keysize = CAMELLIA_MIN_KEY_SIZE,
1094 .cia_max_keysize = CAMELLIA_MAX_KEY_SIZE,
1095 .cia_setkey = camellia_set_key,
1096 .cia_encrypt = camellia_encrypt,
1097 .cia_decrypt = camellia_decrypt
1098 }
1099 }
1100 };
1101
camellia_init(void)1102 static int __init camellia_init(void)
1103 {
1104 return crypto_register_alg(&camellia_alg);
1105 }
1106
camellia_fini(void)1107 static void __exit camellia_fini(void)
1108 {
1109 crypto_unregister_alg(&camellia_alg);
1110 }
1111
1112 module_init(camellia_init);
1113 module_exit(camellia_fini);
1114
1115 MODULE_DESCRIPTION("Camellia Cipher Algorithm");
1116 MODULE_LICENSE("GPL");
1117