• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2006
3  * NTT (Nippon Telegraph and Telephone Corporation).
4  *
5  * This program is free software; you can redistribute it and/or
6  * modify it under the terms of the GNU General Public License
7  * as published by the Free Software Foundation; either version 2
8  * of the License, or (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program; if not, write to the Free Software
17  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
18  */
19 
20 /*
21  * Algorithm Specification
22  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
23  */
24 
25 /*
26  *
27  * NOTE --- NOTE --- NOTE --- NOTE
28  * This implementation assumes that all memory addresses passed
29  * as parameters are four-byte aligned.
30  *
31  */
32 
33 #include <linux/crypto.h>
34 #include <linux/errno.h>
35 #include <linux/init.h>
36 #include <linux/kernel.h>
37 #include <linux/module.h>
38 #include <linux/bitops.h>
39 #include <asm/unaligned.h>
40 
41 static const u32 camellia_sp1110[256] = {
42 	0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00,
43 	0xb3b3b300, 0x27272700, 0xc0c0c000, 0xe5e5e500,
44 	0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
45 	0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100,
46 	0x23232300, 0xefefef00, 0x6b6b6b00, 0x93939300,
47 	0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
48 	0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00,
49 	0x1d1d1d00, 0x65656500, 0x92929200, 0xbdbdbd00,
50 	0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
51 	0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00,
52 	0x3e3e3e00, 0x30303000, 0xdcdcdc00, 0x5f5f5f00,
53 	0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
54 	0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00,
55 	0xd5d5d500, 0x47474700, 0x5d5d5d00, 0x3d3d3d00,
56 	0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
57 	0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00,
58 	0x8b8b8b00, 0x0d0d0d00, 0x9a9a9a00, 0x66666600,
59 	0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
60 	0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000,
61 	0xf0f0f000, 0xb1b1b100, 0x84848400, 0x99999900,
62 	0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
63 	0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500,
64 	0x6d6d6d00, 0xb7b7b700, 0xa9a9a900, 0x31313100,
65 	0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
66 	0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100,
67 	0xdedede00, 0x1b1b1b00, 0x11111100, 0x1c1c1c00,
68 	0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
69 	0x53535300, 0x18181800, 0xf2f2f200, 0x22222200,
70 	0xfefefe00, 0x44444400, 0xcfcfcf00, 0xb2b2b200,
71 	0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
72 	0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800,
73 	0x60606000, 0xfcfcfc00, 0x69696900, 0x50505000,
74 	0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
75 	0xa1a1a100, 0x89898900, 0x62626200, 0x97979700,
76 	0x54545400, 0x5b5b5b00, 0x1e1e1e00, 0x95959500,
77 	0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
78 	0x10101000, 0xc4c4c400, 0x00000000, 0x48484800,
79 	0xa3a3a300, 0xf7f7f700, 0x75757500, 0xdbdbdb00,
80 	0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
81 	0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400,
82 	0x87878700, 0x5c5c5c00, 0x83838300, 0x02020200,
83 	0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
84 	0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300,
85 	0x9d9d9d00, 0x7f7f7f00, 0xbfbfbf00, 0xe2e2e200,
86 	0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
87 	0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00,
88 	0x81818100, 0x96969600, 0x6f6f6f00, 0x4b4b4b00,
89 	0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
90 	0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00,
91 	0x9f9f9f00, 0x6e6e6e00, 0xbcbcbc00, 0x8e8e8e00,
92 	0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
93 	0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900,
94 	0x78787800, 0x98989800, 0x06060600, 0x6a6a6a00,
95 	0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
96 	0xd4d4d400, 0x25252500, 0xababab00, 0x42424200,
97 	0x88888800, 0xa2a2a200, 0x8d8d8d00, 0xfafafa00,
98 	0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
99 	0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00,
100 	0x36363600, 0x49494900, 0x2a2a2a00, 0x68686800,
101 	0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
102 	0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00,
103 	0xbbbbbb00, 0xc9c9c900, 0x43434300, 0xc1c1c100,
104 	0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
105 	0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00,
106 };
107 
108 static const u32 camellia_sp0222[256] = {
109 	0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9,
110 	0x00676767, 0x004e4e4e, 0x00818181, 0x00cbcbcb,
111 	0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
112 	0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282,
113 	0x00464646, 0x00dfdfdf, 0x00d6d6d6, 0x00272727,
114 	0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
115 	0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c,
116 	0x003a3a3a, 0x00cacaca, 0x00252525, 0x007b7b7b,
117 	0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
118 	0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d,
119 	0x007c7c7c, 0x00606060, 0x00b9b9b9, 0x00bebebe,
120 	0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
121 	0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595,
122 	0x00ababab, 0x008e8e8e, 0x00bababa, 0x007a7a7a,
123 	0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
124 	0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a,
125 	0x00171717, 0x001a1a1a, 0x00353535, 0x00cccccc,
126 	0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
127 	0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040,
128 	0x00e1e1e1, 0x00636363, 0x00090909, 0x00333333,
129 	0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
130 	0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a,
131 	0x00dadada, 0x006f6f6f, 0x00535353, 0x00626262,
132 	0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
133 	0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2,
134 	0x00bdbdbd, 0x00363636, 0x00222222, 0x00383838,
135 	0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
136 	0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444,
137 	0x00fdfdfd, 0x00888888, 0x009f9f9f, 0x00656565,
138 	0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
139 	0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151,
140 	0x00c0c0c0, 0x00f9f9f9, 0x00d2d2d2, 0x00a0a0a0,
141 	0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
142 	0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f,
143 	0x00a8a8a8, 0x00b6b6b6, 0x003c3c3c, 0x002b2b2b,
144 	0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
145 	0x00202020, 0x00898989, 0x00000000, 0x00909090,
146 	0x00474747, 0x00efefef, 0x00eaeaea, 0x00b7b7b7,
147 	0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
148 	0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929,
149 	0x000f0f0f, 0x00b8b8b8, 0x00070707, 0x00040404,
150 	0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
151 	0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7,
152 	0x003b3b3b, 0x00fefefe, 0x007f7f7f, 0x00c5c5c5,
153 	0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
154 	0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676,
155 	0x00030303, 0x002d2d2d, 0x00dedede, 0x00969696,
156 	0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
157 	0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919,
158 	0x003f3f3f, 0x00dcdcdc, 0x00797979, 0x001d1d1d,
159 	0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
160 	0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2,
161 	0x00f0f0f0, 0x00313131, 0x000c0c0c, 0x00d4d4d4,
162 	0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
163 	0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484,
164 	0x00111111, 0x00454545, 0x001b1b1b, 0x00f5f5f5,
165 	0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
166 	0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414,
167 	0x006c6c6c, 0x00929292, 0x00545454, 0x00d0d0d0,
168 	0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
169 	0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6,
170 	0x00777777, 0x00939393, 0x00868686, 0x00838383,
171 	0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
172 	0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d,
173 };
174 
175 static const u32 camellia_sp3033[256] = {
176 	0x38003838, 0x41004141, 0x16001616, 0x76007676,
177 	0xd900d9d9, 0x93009393, 0x60006060, 0xf200f2f2,
178 	0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
179 	0x75007575, 0x06000606, 0x57005757, 0xa000a0a0,
180 	0x91009191, 0xf700f7f7, 0xb500b5b5, 0xc900c9c9,
181 	0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
182 	0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727,
183 	0x8e008e8e, 0xb200b2b2, 0x49004949, 0xde00dede,
184 	0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
185 	0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767,
186 	0x1f001f1f, 0x18001818, 0x6e006e6e, 0xaf00afaf,
187 	0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
188 	0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565,
189 	0xea00eaea, 0xa300a3a3, 0xae00aeae, 0x9e009e9e,
190 	0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
191 	0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6,
192 	0xc500c5c5, 0x86008686, 0x4d004d4d, 0x33003333,
193 	0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
194 	0x3a003a3a, 0x09000909, 0x95009595, 0x10001010,
195 	0x78007878, 0xd800d8d8, 0x42004242, 0xcc00cccc,
196 	0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
197 	0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282,
198 	0xb600b6b6, 0xdb00dbdb, 0xd400d4d4, 0x98009898,
199 	0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
200 	0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0,
201 	0x6f006f6f, 0x8d008d8d, 0x88008888, 0x0e000e0e,
202 	0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
203 	0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111,
204 	0x7f007f7f, 0x22002222, 0xe700e7e7, 0x59005959,
205 	0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
206 	0x12001212, 0x04000404, 0x74007474, 0x54005454,
207 	0x30003030, 0x7e007e7e, 0xb400b4b4, 0x28002828,
208 	0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
209 	0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb,
210 	0x2a002a2a, 0xad00adad, 0x0f000f0f, 0xca00caca,
211 	0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
212 	0x08000808, 0x62006262, 0x00000000, 0x24002424,
213 	0xd100d1d1, 0xfb00fbfb, 0xba00baba, 0xed00eded,
214 	0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
215 	0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a,
216 	0xc300c3c3, 0x2e002e2e, 0xc100c1c1, 0x01000101,
217 	0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
218 	0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9,
219 	0xce00cece, 0xbf00bfbf, 0xdf00dfdf, 0x71007171,
220 	0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
221 	0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d,
222 	0xc000c0c0, 0x4b004b4b, 0xb700b7b7, 0xa500a5a5,
223 	0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
224 	0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646,
225 	0xcf00cfcf, 0x37003737, 0x5e005e5e, 0x47004747,
226 	0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
227 	0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac,
228 	0x3c003c3c, 0x4c004c4c, 0x03000303, 0x35003535,
229 	0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
230 	0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121,
231 	0x44004444, 0x51005151, 0xc600c6c6, 0x7d007d7d,
232 	0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
233 	0x7c007c7c, 0x77007777, 0x56005656, 0x05000505,
234 	0x1b001b1b, 0xa400a4a4, 0x15001515, 0x34003434,
235 	0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
236 	0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd,
237 	0xdd00dddd, 0xe400e4e4, 0xa100a1a1, 0xe000e0e0,
238 	0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
239 	0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f,
240 };
241 
242 static const u32 camellia_sp4404[256] = {
243 	0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0,
244 	0xe4e400e4, 0x57570057, 0xeaea00ea, 0xaeae00ae,
245 	0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
246 	0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092,
247 	0x86860086, 0xafaf00af, 0x7c7c007c, 0x1f1f001f,
248 	0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
249 	0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d,
250 	0xd9d900d9, 0x5a5a005a, 0x51510051, 0x6c6c006c,
251 	0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
252 	0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084,
253 	0xdfdf00df, 0xcbcb00cb, 0x34340034, 0x76760076,
254 	0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
255 	0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011,
256 	0x32320032, 0x9c9c009c, 0x53530053, 0xf2f200f2,
257 	0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
258 	0x24240024, 0xe8e800e8, 0x60600060, 0x69690069,
259 	0xaaaa00aa, 0xa0a000a0, 0xa1a100a1, 0x62620062,
260 	0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
261 	0x10100010, 0x00000000, 0xa3a300a3, 0x75750075,
262 	0x8a8a008a, 0xe6e600e6, 0x09090009, 0xdddd00dd,
263 	0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
264 	0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf,
265 	0x52520052, 0xd8d800d8, 0xc8c800c8, 0xc6c600c6,
266 	0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
267 	0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc,
268 	0x29290029, 0xf9f900f9, 0x2f2f002f, 0xb4b400b4,
269 	0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
270 	0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d,
271 	0x72720072, 0xb9b900b9, 0xf8f800f8, 0xacac00ac,
272 	0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
273 	0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043,
274 	0x15150015, 0xadad00ad, 0x77770077, 0x80800080,
275 	0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
276 	0x85850085, 0x35350035, 0x0c0c000c, 0x41410041,
277 	0xefef00ef, 0x93930093, 0x19190019, 0x21210021,
278 	0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
279 	0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce,
280 	0x30300030, 0x5f5f005f, 0xc5c500c5, 0x1a1a001a,
281 	0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
282 	0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d,
283 	0x0d0d000d, 0x66660066, 0xcccc00cc, 0x2d2d002d,
284 	0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
285 	0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005,
286 	0xb7b700b7, 0x31310031, 0x17170017, 0xd7d700d7,
287 	0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
288 	0x0f0f000f, 0x16160016, 0x18180018, 0x22220022,
289 	0x44440044, 0xb2b200b2, 0xb5b500b5, 0x91910091,
290 	0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
291 	0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097,
292 	0x5b5b005b, 0x95950095, 0xffff00ff, 0xd2d200d2,
293 	0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
294 	0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094,
295 	0x5c5c005c, 0x02020002, 0x4a4a004a, 0x33330033,
296 	0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
297 	0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b,
298 	0x96960096, 0x4b4b004b, 0xbebe00be, 0x2e2e002e,
299 	0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
300 	0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059,
301 	0x98980098, 0x6a6a006a, 0x46460046, 0xbaba00ba,
302 	0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
303 	0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a,
304 	0x49490049, 0x68680068, 0x38380038, 0xa4a400a4,
305 	0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
306 	0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e,
307 };
308 
309 
310 #define CAMELLIA_MIN_KEY_SIZE        16
311 #define CAMELLIA_MAX_KEY_SIZE        32
312 #define CAMELLIA_BLOCK_SIZE          16
313 #define CAMELLIA_TABLE_BYTE_LEN     272
314 
315 /*
316  * NB: L and R below stand for 'left' and 'right' as in written numbers.
317  * That is, in (xxxL,xxxR) pair xxxL holds most significant digits,
318  * _not_ least significant ones!
319  */
320 
321 
322 /* key constants */
323 
324 #define CAMELLIA_SIGMA1L (0xA09E667FL)
325 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
326 #define CAMELLIA_SIGMA2L (0xB67AE858L)
327 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
328 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
329 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
330 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
331 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
332 #define CAMELLIA_SIGMA5L (0x10E527FAL)
333 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
334 #define CAMELLIA_SIGMA6L (0xB05688C2L)
335 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
336 
337 /*
338  *  macros
339  */
340 #define ROLDQ(ll, lr, rl, rr, w0, w1, bits) ({		\
341 	w0 = ll;					\
342 	ll = (ll << bits) + (lr >> (32 - bits));	\
343 	lr = (lr << bits) + (rl >> (32 - bits));	\
344 	rl = (rl << bits) + (rr >> (32 - bits));	\
345 	rr = (rr << bits) + (w0 >> (32 - bits));	\
346 })
347 
348 #define ROLDQo32(ll, lr, rl, rr, w0, w1, bits) ({	\
349 	w0 = ll;					\
350 	w1 = lr;					\
351 	ll = (lr << (bits - 32)) + (rl >> (64 - bits));	\
352 	lr = (rl << (bits - 32)) + (rr >> (64 - bits));	\
353 	rl = (rr << (bits - 32)) + (w0 >> (64 - bits));	\
354 	rr = (w0 << (bits - 32)) + (w1 >> (64 - bits));	\
355 })
356 
357 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) ({	\
358 	il = xl ^ kl;						\
359 	ir = xr ^ kr;						\
360 	t0 = il >> 16;						\
361 	t1 = ir >> 16;						\
362 	yl = camellia_sp1110[(u8)(ir)]				\
363 	   ^ camellia_sp0222[(u8)(t1 >> 8)]			\
364 	   ^ camellia_sp3033[(u8)(t1)]				\
365 	   ^ camellia_sp4404[(u8)(ir >> 8)];			\
366 	yr = camellia_sp1110[(u8)(t0 >> 8)]			\
367 	   ^ camellia_sp0222[(u8)(t0)]				\
368 	   ^ camellia_sp3033[(u8)(il >> 8)]			\
369 	   ^ camellia_sp4404[(u8)(il)];				\
370 	yl ^= yr;						\
371 	yr = ror32(yr, 8);					\
372 	yr ^= yl;						\
373 })
374 
375 #define SUBKEY_L(INDEX) (subkey[(INDEX)*2])
376 #define SUBKEY_R(INDEX) (subkey[(INDEX)*2 + 1])
377 
camellia_setup_tail(u32 * subkey,u32 * subL,u32 * subR,int max)378 static void camellia_setup_tail(u32 *subkey, u32 *subL, u32 *subR, int max)
379 {
380 	u32 dw, tl, tr;
381 	u32 kw4l, kw4r;
382 
383 	/* absorb kw2 to other subkeys */
384 	/* round 2 */
385 	subL[3] ^= subL[1]; subR[3] ^= subR[1];
386 	/* round 4 */
387 	subL[5] ^= subL[1]; subR[5] ^= subR[1];
388 	/* round 6 */
389 	subL[7] ^= subL[1]; subR[7] ^= subR[1];
390 	subL[1] ^= subR[1] & ~subR[9];
391 	dw = subL[1] & subL[9];
392 	subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl2) */
393 	/* round 8 */
394 	subL[11] ^= subL[1]; subR[11] ^= subR[1];
395 	/* round 10 */
396 	subL[13] ^= subL[1]; subR[13] ^= subR[1];
397 	/* round 12 */
398 	subL[15] ^= subL[1]; subR[15] ^= subR[1];
399 	subL[1] ^= subR[1] & ~subR[17];
400 	dw = subL[1] & subL[17];
401 	subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl4) */
402 	/* round 14 */
403 	subL[19] ^= subL[1]; subR[19] ^= subR[1];
404 	/* round 16 */
405 	subL[21] ^= subL[1]; subR[21] ^= subR[1];
406 	/* round 18 */
407 	subL[23] ^= subL[1]; subR[23] ^= subR[1];
408 	if (max == 24) {
409 		/* kw3 */
410 		subL[24] ^= subL[1]; subR[24] ^= subR[1];
411 
412 	/* absorb kw4 to other subkeys */
413 		kw4l = subL[25]; kw4r = subR[25];
414 	} else {
415 		subL[1] ^= subR[1] & ~subR[25];
416 		dw = subL[1] & subL[25];
417 		subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl6) */
418 		/* round 20 */
419 		subL[27] ^= subL[1]; subR[27] ^= subR[1];
420 		/* round 22 */
421 		subL[29] ^= subL[1]; subR[29] ^= subR[1];
422 		/* round 24 */
423 		subL[31] ^= subL[1]; subR[31] ^= subR[1];
424 		/* kw3 */
425 		subL[32] ^= subL[1]; subR[32] ^= subR[1];
426 
427 	/* absorb kw4 to other subkeys */
428 		kw4l = subL[33]; kw4r = subR[33];
429 		/* round 23 */
430 		subL[30] ^= kw4l; subR[30] ^= kw4r;
431 		/* round 21 */
432 		subL[28] ^= kw4l; subR[28] ^= kw4r;
433 		/* round 19 */
434 		subL[26] ^= kw4l; subR[26] ^= kw4r;
435 		kw4l ^= kw4r & ~subR[24];
436 		dw = kw4l & subL[24];
437 		kw4r ^= rol32(dw, 1); /* modified for FL(kl5) */
438 	}
439 	/* round 17 */
440 	subL[22] ^= kw4l; subR[22] ^= kw4r;
441 	/* round 15 */
442 	subL[20] ^= kw4l; subR[20] ^= kw4r;
443 	/* round 13 */
444 	subL[18] ^= kw4l; subR[18] ^= kw4r;
445 	kw4l ^= kw4r & ~subR[16];
446 	dw = kw4l & subL[16];
447 	kw4r ^= rol32(dw, 1); /* modified for FL(kl3) */
448 	/* round 11 */
449 	subL[14] ^= kw4l; subR[14] ^= kw4r;
450 	/* round 9 */
451 	subL[12] ^= kw4l; subR[12] ^= kw4r;
452 	/* round 7 */
453 	subL[10] ^= kw4l; subR[10] ^= kw4r;
454 	kw4l ^= kw4r & ~subR[8];
455 	dw = kw4l & subL[8];
456 	kw4r ^= rol32(dw, 1); /* modified for FL(kl1) */
457 	/* round 5 */
458 	subL[6] ^= kw4l; subR[6] ^= kw4r;
459 	/* round 3 */
460 	subL[4] ^= kw4l; subR[4] ^= kw4r;
461 	/* round 1 */
462 	subL[2] ^= kw4l; subR[2] ^= kw4r;
463 	/* kw1 */
464 	subL[0] ^= kw4l; subR[0] ^= kw4r;
465 
466 	/* key XOR is end of F-function */
467 	SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
468 	SUBKEY_R(0) = subR[0] ^ subR[2];
469 	SUBKEY_L(2) = subL[3];       /* round 1 */
470 	SUBKEY_R(2) = subR[3];
471 	SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
472 	SUBKEY_R(3) = subR[2] ^ subR[4];
473 	SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
474 	SUBKEY_R(4) = subR[3] ^ subR[5];
475 	SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
476 	SUBKEY_R(5) = subR[4] ^ subR[6];
477 	SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
478 	SUBKEY_R(6) = subR[5] ^ subR[7];
479 	tl = subL[10] ^ (subR[10] & ~subR[8]);
480 	dw = tl & subL[8];  /* FL(kl1) */
481 	tr = subR[10] ^ rol32(dw, 1);
482 	SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
483 	SUBKEY_R(7) = subR[6] ^ tr;
484 	SUBKEY_L(8) = subL[8];       /* FL(kl1) */
485 	SUBKEY_R(8) = subR[8];
486 	SUBKEY_L(9) = subL[9];       /* FLinv(kl2) */
487 	SUBKEY_R(9) = subR[9];
488 	tl = subL[7] ^ (subR[7] & ~subR[9]);
489 	dw = tl & subL[9];  /* FLinv(kl2) */
490 	tr = subR[7] ^ rol32(dw, 1);
491 	SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
492 	SUBKEY_R(10) = tr ^ subR[11];
493 	SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
494 	SUBKEY_R(11) = subR[10] ^ subR[12];
495 	SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
496 	SUBKEY_R(12) = subR[11] ^ subR[13];
497 	SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
498 	SUBKEY_R(13) = subR[12] ^ subR[14];
499 	SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
500 	SUBKEY_R(14) = subR[13] ^ subR[15];
501 	tl = subL[18] ^ (subR[18] & ~subR[16]);
502 	dw = tl & subL[16]; /* FL(kl3) */
503 	tr = subR[18] ^ rol32(dw, 1);
504 	SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
505 	SUBKEY_R(15) = subR[14] ^ tr;
506 	SUBKEY_L(16) = subL[16];     /* FL(kl3) */
507 	SUBKEY_R(16) = subR[16];
508 	SUBKEY_L(17) = subL[17];     /* FLinv(kl4) */
509 	SUBKEY_R(17) = subR[17];
510 	tl = subL[15] ^ (subR[15] & ~subR[17]);
511 	dw = tl & subL[17]; /* FLinv(kl4) */
512 	tr = subR[15] ^ rol32(dw, 1);
513 	SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
514 	SUBKEY_R(18) = tr ^ subR[19];
515 	SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
516 	SUBKEY_R(19) = subR[18] ^ subR[20];
517 	SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
518 	SUBKEY_R(20) = subR[19] ^ subR[21];
519 	SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
520 	SUBKEY_R(21) = subR[20] ^ subR[22];
521 	SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
522 	SUBKEY_R(22) = subR[21] ^ subR[23];
523 	if (max == 24) {
524 		SUBKEY_L(23) = subL[22];     /* round 18 */
525 		SUBKEY_R(23) = subR[22];
526 		SUBKEY_L(24) = subL[24] ^ subL[23]; /* kw3 */
527 		SUBKEY_R(24) = subR[24] ^ subR[23];
528 	} else {
529 		tl = subL[26] ^ (subR[26] & ~subR[24]);
530 		dw = tl & subL[24]; /* FL(kl5) */
531 		tr = subR[26] ^ rol32(dw, 1);
532 		SUBKEY_L(23) = subL[22] ^ tl; /* round 18 */
533 		SUBKEY_R(23) = subR[22] ^ tr;
534 		SUBKEY_L(24) = subL[24];     /* FL(kl5) */
535 		SUBKEY_R(24) = subR[24];
536 		SUBKEY_L(25) = subL[25];     /* FLinv(kl6) */
537 		SUBKEY_R(25) = subR[25];
538 		tl = subL[23] ^ (subR[23] & ~subR[25]);
539 		dw = tl & subL[25]; /* FLinv(kl6) */
540 		tr = subR[23] ^ rol32(dw, 1);
541 		SUBKEY_L(26) = tl ^ subL[27]; /* round 19 */
542 		SUBKEY_R(26) = tr ^ subR[27];
543 		SUBKEY_L(27) = subL[26] ^ subL[28]; /* round 20 */
544 		SUBKEY_R(27) = subR[26] ^ subR[28];
545 		SUBKEY_L(28) = subL[27] ^ subL[29]; /* round 21 */
546 		SUBKEY_R(28) = subR[27] ^ subR[29];
547 		SUBKEY_L(29) = subL[28] ^ subL[30]; /* round 22 */
548 		SUBKEY_R(29) = subR[28] ^ subR[30];
549 		SUBKEY_L(30) = subL[29] ^ subL[31]; /* round 23 */
550 		SUBKEY_R(30) = subR[29] ^ subR[31];
551 		SUBKEY_L(31) = subL[30];     /* round 24 */
552 		SUBKEY_R(31) = subR[30];
553 		SUBKEY_L(32) = subL[32] ^ subL[31]; /* kw3 */
554 		SUBKEY_R(32) = subR[32] ^ subR[31];
555 	}
556 }
557 
camellia_setup128(const unsigned char * key,u32 * subkey)558 static void camellia_setup128(const unsigned char *key, u32 *subkey)
559 {
560 	u32 kll, klr, krl, krr;
561 	u32 il, ir, t0, t1, w0, w1;
562 	u32 subL[26];
563 	u32 subR[26];
564 
565 	/**
566 	 *  k == kll || klr || krl || krr (|| is concatenation)
567 	 */
568 	kll = get_unaligned_be32(key);
569 	klr = get_unaligned_be32(key + 4);
570 	krl = get_unaligned_be32(key + 8);
571 	krr = get_unaligned_be32(key + 12);
572 
573 	/* generate KL dependent subkeys */
574 	/* kw1 */
575 	subL[0] = kll; subR[0] = klr;
576 	/* kw2 */
577 	subL[1] = krl; subR[1] = krr;
578 	/* rotation left shift 15bit */
579 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
580 	/* k3 */
581 	subL[4] = kll; subR[4] = klr;
582 	/* k4 */
583 	subL[5] = krl; subR[5] = krr;
584 	/* rotation left shift 15+30bit */
585 	ROLDQ(kll, klr, krl, krr, w0, w1, 30);
586 	/* k7 */
587 	subL[10] = kll; subR[10] = klr;
588 	/* k8 */
589 	subL[11] = krl; subR[11] = krr;
590 	/* rotation left shift 15+30+15bit */
591 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
592 	/* k10 */
593 	subL[13] = krl; subR[13] = krr;
594 	/* rotation left shift 15+30+15+17 bit */
595 	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
596 	/* kl3 */
597 	subL[16] = kll; subR[16] = klr;
598 	/* kl4 */
599 	subL[17] = krl; subR[17] = krr;
600 	/* rotation left shift 15+30+15+17+17 bit */
601 	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
602 	/* k13 */
603 	subL[18] = kll; subR[18] = klr;
604 	/* k14 */
605 	subL[19] = krl; subR[19] = krr;
606 	/* rotation left shift 15+30+15+17+17+17 bit */
607 	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
608 	/* k17 */
609 	subL[22] = kll; subR[22] = klr;
610 	/* k18 */
611 	subL[23] = krl; subR[23] = krr;
612 
613 	/* generate KA */
614 	kll = subL[0]; klr = subR[0];
615 	krl = subL[1]; krr = subR[1];
616 	CAMELLIA_F(kll, klr,
617 		   CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
618 		   w0, w1, il, ir, t0, t1);
619 	krl ^= w0; krr ^= w1;
620 	CAMELLIA_F(krl, krr,
621 		   CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
622 		   kll, klr, il, ir, t0, t1);
623 	/* current status == (kll, klr, w0, w1) */
624 	CAMELLIA_F(kll, klr,
625 		   CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
626 		   krl, krr, il, ir, t0, t1);
627 	krl ^= w0; krr ^= w1;
628 	CAMELLIA_F(krl, krr,
629 		   CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
630 		   w0, w1, il, ir, t0, t1);
631 	kll ^= w0; klr ^= w1;
632 
633 	/* generate KA dependent subkeys */
634 	/* k1, k2 */
635 	subL[2] = kll; subR[2] = klr;
636 	subL[3] = krl; subR[3] = krr;
637 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
638 	/* k5,k6 */
639 	subL[6] = kll; subR[6] = klr;
640 	subL[7] = krl; subR[7] = krr;
641 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
642 	/* kl1, kl2 */
643 	subL[8] = kll; subR[8] = klr;
644 	subL[9] = krl; subR[9] = krr;
645 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
646 	/* k9 */
647 	subL[12] = kll; subR[12] = klr;
648 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
649 	/* k11, k12 */
650 	subL[14] = kll; subR[14] = klr;
651 	subL[15] = krl; subR[15] = krr;
652 	ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
653 	/* k15, k16 */
654 	subL[20] = kll; subR[20] = klr;
655 	subL[21] = krl; subR[21] = krr;
656 	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
657 	/* kw3, kw4 */
658 	subL[24] = kll; subR[24] = klr;
659 	subL[25] = krl; subR[25] = krr;
660 
661 	camellia_setup_tail(subkey, subL, subR, 24);
662 }
663 
camellia_setup256(const unsigned char * key,u32 * subkey)664 static void camellia_setup256(const unsigned char *key, u32 *subkey)
665 {
666 	u32 kll, klr, krl, krr;        /* left half of key */
667 	u32 krll, krlr, krrl, krrr;    /* right half of key */
668 	u32 il, ir, t0, t1, w0, w1;    /* temporary variables */
669 	u32 subL[34];
670 	u32 subR[34];
671 
672 	/**
673 	 *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
674 	 *  (|| is concatenation)
675 	 */
676 	kll = get_unaligned_be32(key);
677 	klr = get_unaligned_be32(key + 4);
678 	krl = get_unaligned_be32(key + 8);
679 	krr = get_unaligned_be32(key + 12);
680 	krll = get_unaligned_be32(key + 16);
681 	krlr = get_unaligned_be32(key + 20);
682 	krrl = get_unaligned_be32(key + 24);
683 	krrr = get_unaligned_be32(key + 28);
684 
685 	/* generate KL dependent subkeys */
686 	/* kw1 */
687 	subL[0] = kll; subR[0] = klr;
688 	/* kw2 */
689 	subL[1] = krl; subR[1] = krr;
690 	ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
691 	/* k9 */
692 	subL[12] = kll; subR[12] = klr;
693 	/* k10 */
694 	subL[13] = krl; subR[13] = krr;
695 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
696 	/* kl3 */
697 	subL[16] = kll; subR[16] = klr;
698 	/* kl4 */
699 	subL[17] = krl; subR[17] = krr;
700 	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
701 	/* k17 */
702 	subL[22] = kll; subR[22] = klr;
703 	/* k18 */
704 	subL[23] = krl; subR[23] = krr;
705 	ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
706 	/* k23 */
707 	subL[30] = kll; subR[30] = klr;
708 	/* k24 */
709 	subL[31] = krl; subR[31] = krr;
710 
711 	/* generate KR dependent subkeys */
712 	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
713 	/* k3 */
714 	subL[4] = krll; subR[4] = krlr;
715 	/* k4 */
716 	subL[5] = krrl; subR[5] = krrr;
717 	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
718 	/* kl1 */
719 	subL[8] = krll; subR[8] = krlr;
720 	/* kl2 */
721 	subL[9] = krrl; subR[9] = krrr;
722 	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
723 	/* k13 */
724 	subL[18] = krll; subR[18] = krlr;
725 	/* k14 */
726 	subL[19] = krrl; subR[19] = krrr;
727 	ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
728 	/* k19 */
729 	subL[26] = krll; subR[26] = krlr;
730 	/* k20 */
731 	subL[27] = krrl; subR[27] = krrr;
732 	ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
733 
734 	/* generate KA */
735 	kll = subL[0] ^ krll; klr = subR[0] ^ krlr;
736 	krl = subL[1] ^ krrl; krr = subR[1] ^ krrr;
737 	CAMELLIA_F(kll, klr,
738 		   CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
739 		   w0, w1, il, ir, t0, t1);
740 	krl ^= w0; krr ^= w1;
741 	CAMELLIA_F(krl, krr,
742 		   CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
743 		   kll, klr, il, ir, t0, t1);
744 	kll ^= krll; klr ^= krlr;
745 	CAMELLIA_F(kll, klr,
746 		   CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
747 		   krl, krr, il, ir, t0, t1);
748 	krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
749 	CAMELLIA_F(krl, krr,
750 		   CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
751 		   w0, w1, il, ir, t0, t1);
752 	kll ^= w0; klr ^= w1;
753 
754 	/* generate KB */
755 	krll ^= kll; krlr ^= klr;
756 	krrl ^= krl; krrr ^= krr;
757 	CAMELLIA_F(krll, krlr,
758 		   CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
759 		   w0, w1, il, ir, t0, t1);
760 	krrl ^= w0; krrr ^= w1;
761 	CAMELLIA_F(krrl, krrr,
762 		   CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
763 		   w0, w1, il, ir, t0, t1);
764 	krll ^= w0; krlr ^= w1;
765 
766 	/* generate KA dependent subkeys */
767 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
768 	/* k5 */
769 	subL[6] = kll; subR[6] = klr;
770 	/* k6 */
771 	subL[7] = krl; subR[7] = krr;
772 	ROLDQ(kll, klr, krl, krr, w0, w1, 30);
773 	/* k11 */
774 	subL[14] = kll; subR[14] = klr;
775 	/* k12 */
776 	subL[15] = krl; subR[15] = krr;
777 	/* rotation left shift 32bit */
778 	/* kl5 */
779 	subL[24] = klr; subR[24] = krl;
780 	/* kl6 */
781 	subL[25] = krr; subR[25] = kll;
782 	/* rotation left shift 49 from k11,k12 -> k21,k22 */
783 	ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
784 	/* k21 */
785 	subL[28] = kll; subR[28] = klr;
786 	/* k22 */
787 	subL[29] = krl; subR[29] = krr;
788 
789 	/* generate KB dependent subkeys */
790 	/* k1 */
791 	subL[2] = krll; subR[2] = krlr;
792 	/* k2 */
793 	subL[3] = krrl; subR[3] = krrr;
794 	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
795 	/* k7 */
796 	subL[10] = krll; subR[10] = krlr;
797 	/* k8 */
798 	subL[11] = krrl; subR[11] = krrr;
799 	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
800 	/* k15 */
801 	subL[20] = krll; subR[20] = krlr;
802 	/* k16 */
803 	subL[21] = krrl; subR[21] = krrr;
804 	ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
805 	/* kw3 */
806 	subL[32] = krll; subR[32] = krlr;
807 	/* kw4 */
808 	subL[33] = krrl; subR[33] = krrr;
809 
810 	camellia_setup_tail(subkey, subL, subR, 32);
811 }
812 
camellia_setup192(const unsigned char * key,u32 * subkey)813 static void camellia_setup192(const unsigned char *key, u32 *subkey)
814 {
815 	unsigned char kk[32];
816 	u32 krll, krlr, krrl, krrr;
817 
818 	memcpy(kk, key, 24);
819 	memcpy((unsigned char *)&krll, key+16, 4);
820 	memcpy((unsigned char *)&krlr, key+20, 4);
821 	krrl = ~krll;
822 	krrr = ~krlr;
823 	memcpy(kk+24, (unsigned char *)&krrl, 4);
824 	memcpy(kk+28, (unsigned char *)&krrr, 4);
825 	camellia_setup256(kk, subkey);
826 }
827 
828 
829 /*
830  * Encrypt/decrypt
831  */
832 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) ({ \
833 	t0 = kll;							\
834 	t2 = krr;							\
835 	t0 &= ll;							\
836 	t2 |= rr;							\
837 	rl ^= t2;							\
838 	lr ^= rol32(t0, 1);						\
839 	t3 = krl;							\
840 	t1 = klr;							\
841 	t3 &= rl;							\
842 	t1 |= lr;							\
843 	ll ^= t1;							\
844 	rr ^= rol32(t3, 1);						\
845 })
846 
847 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir) ({		\
848 	yl ^= kl;							\
849 	yr ^= kr;							\
850 	ir =  camellia_sp1110[(u8)xr];					\
851 	il =  camellia_sp1110[(u8)(xl >> 24)];				\
852 	ir ^= camellia_sp0222[(u8)(xr >> 24)];				\
853 	il ^= camellia_sp0222[(u8)(xl >> 16)];				\
854 	ir ^= camellia_sp3033[(u8)(xr >> 16)];				\
855 	il ^= camellia_sp3033[(u8)(xl >> 8)];				\
856 	ir ^= camellia_sp4404[(u8)(xr >> 8)];				\
857 	il ^= camellia_sp4404[(u8)xl];					\
858 	ir ^= il;							\
859 	yl ^= ir;							\
860 	yr ^= ror32(il, 8) ^ ir;					\
861 })
862 
863 /* max = 24: 128bit encrypt, max = 32: 256bit encrypt */
camellia_do_encrypt(const u32 * subkey,u32 * io,unsigned max)864 static void camellia_do_encrypt(const u32 *subkey, u32 *io, unsigned max)
865 {
866 	u32 il, ir, t0, t1;            /* temporary variables */
867 
868 	/* pre whitening but absorb kw2 */
869 	io[0] ^= SUBKEY_L(0);
870 	io[1] ^= SUBKEY_R(0);
871 
872 	/* main iteration */
873 #define ROUNDS(i) ({ \
874 	CAMELLIA_ROUNDSM(io[0], io[1], \
875 			 SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
876 			 io[2], io[3], il, ir); \
877 	CAMELLIA_ROUNDSM(io[2], io[3], \
878 			 SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
879 			 io[0], io[1], il, ir); \
880 	CAMELLIA_ROUNDSM(io[0], io[1], \
881 			 SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
882 			 io[2], io[3], il, ir); \
883 	CAMELLIA_ROUNDSM(io[2], io[3], \
884 			 SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
885 			 io[0], io[1], il, ir); \
886 	CAMELLIA_ROUNDSM(io[0], io[1], \
887 			 SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
888 			 io[2], io[3], il, ir); \
889 	CAMELLIA_ROUNDSM(io[2], io[3], \
890 			 SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
891 			 io[0], io[1], il, ir); \
892 })
893 #define FLS(i) ({ \
894 	CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
895 		     SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
896 		     SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
897 		     t0, t1, il, ir); \
898 })
899 
900 	ROUNDS(0);
901 	FLS(8);
902 	ROUNDS(8);
903 	FLS(16);
904 	ROUNDS(16);
905 	if (max == 32) {
906 		FLS(24);
907 		ROUNDS(24);
908 	}
909 
910 #undef ROUNDS
911 #undef FLS
912 
913 	/* post whitening but kw4 */
914 	io[2] ^= SUBKEY_L(max);
915 	io[3] ^= SUBKEY_R(max);
916 	/* NB: io[0],[1] should be swapped with [2],[3] by caller! */
917 }
918 
camellia_do_decrypt(const u32 * subkey,u32 * io,unsigned i)919 static void camellia_do_decrypt(const u32 *subkey, u32 *io, unsigned i)
920 {
921 	u32 il, ir, t0, t1;            /* temporary variables */
922 
923 	/* pre whitening but absorb kw2 */
924 	io[0] ^= SUBKEY_L(i);
925 	io[1] ^= SUBKEY_R(i);
926 
927 	/* main iteration */
928 #define ROUNDS(i) ({ \
929 	CAMELLIA_ROUNDSM(io[0], io[1], \
930 			 SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
931 			 io[2], io[3], il, ir); \
932 	CAMELLIA_ROUNDSM(io[2], io[3], \
933 			 SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
934 			 io[0], io[1], il, ir); \
935 	CAMELLIA_ROUNDSM(io[0], io[1], \
936 			 SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
937 			 io[2], io[3], il, ir); \
938 	CAMELLIA_ROUNDSM(io[2], io[3], \
939 			 SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
940 			 io[0], io[1], il, ir); \
941 	CAMELLIA_ROUNDSM(io[0], io[1], \
942 			 SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
943 			 io[2], io[3], il, ir); \
944 	CAMELLIA_ROUNDSM(io[2], io[3], \
945 			 SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
946 			 io[0], io[1], il, ir); \
947 })
948 #define FLS(i) ({ \
949 	CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
950 		     SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
951 		     SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
952 		     t0, t1, il, ir); \
953 })
954 
955 	if (i == 32) {
956 		ROUNDS(24);
957 		FLS(24);
958 	}
959 	ROUNDS(16);
960 	FLS(16);
961 	ROUNDS(8);
962 	FLS(8);
963 	ROUNDS(0);
964 
965 #undef ROUNDS
966 #undef FLS
967 
968 	/* post whitening but kw4 */
969 	io[2] ^= SUBKEY_L(0);
970 	io[3] ^= SUBKEY_R(0);
971 	/* NB: 0,1 should be swapped with 2,3 by caller! */
972 }
973 
974 
975 struct camellia_ctx {
976 	int key_length;
977 	u32 key_table[CAMELLIA_TABLE_BYTE_LEN / sizeof(u32)];
978 };
979 
980 static int
camellia_set_key(struct crypto_tfm * tfm,const u8 * in_key,unsigned int key_len)981 camellia_set_key(struct crypto_tfm *tfm, const u8 *in_key,
982 		 unsigned int key_len)
983 {
984 	struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
985 	const unsigned char *key = (const unsigned char *)in_key;
986 	u32 *flags = &tfm->crt_flags;
987 
988 	if (key_len != 16 && key_len != 24 && key_len != 32) {
989 		*flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
990 		return -EINVAL;
991 	}
992 
993 	cctx->key_length = key_len;
994 
995 	switch (key_len) {
996 	case 16:
997 		camellia_setup128(key, cctx->key_table);
998 		break;
999 	case 24:
1000 		camellia_setup192(key, cctx->key_table);
1001 		break;
1002 	case 32:
1003 		camellia_setup256(key, cctx->key_table);
1004 		break;
1005 	}
1006 
1007 	return 0;
1008 }
1009 
camellia_encrypt(struct crypto_tfm * tfm,u8 * out,const u8 * in)1010 static void camellia_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1011 {
1012 	const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1013 	const __be32 *src = (const __be32 *)in;
1014 	__be32 *dst = (__be32 *)out;
1015 	unsigned int max;
1016 
1017 	u32 tmp[4];
1018 
1019 	tmp[0] = be32_to_cpu(src[0]);
1020 	tmp[1] = be32_to_cpu(src[1]);
1021 	tmp[2] = be32_to_cpu(src[2]);
1022 	tmp[3] = be32_to_cpu(src[3]);
1023 
1024 	if (cctx->key_length == 16)
1025 		max = 24;
1026 	else
1027 		max = 32; /* for key lengths of 24 and 32 */
1028 
1029 	camellia_do_encrypt(cctx->key_table, tmp, max);
1030 
1031 	/* do_encrypt returns 0,1 swapped with 2,3 */
1032 	dst[0] = cpu_to_be32(tmp[2]);
1033 	dst[1] = cpu_to_be32(tmp[3]);
1034 	dst[2] = cpu_to_be32(tmp[0]);
1035 	dst[3] = cpu_to_be32(tmp[1]);
1036 }
1037 
camellia_decrypt(struct crypto_tfm * tfm,u8 * out,const u8 * in)1038 static void camellia_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1039 {
1040 	const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1041 	const __be32 *src = (const __be32 *)in;
1042 	__be32 *dst = (__be32 *)out;
1043 	unsigned int max;
1044 
1045 	u32 tmp[4];
1046 
1047 	tmp[0] = be32_to_cpu(src[0]);
1048 	tmp[1] = be32_to_cpu(src[1]);
1049 	tmp[2] = be32_to_cpu(src[2]);
1050 	tmp[3] = be32_to_cpu(src[3]);
1051 
1052 	if (cctx->key_length == 16)
1053 		max = 24;
1054 	else
1055 		max = 32; /* for key lengths of 24 and 32 */
1056 
1057 	camellia_do_decrypt(cctx->key_table, tmp, max);
1058 
1059 	/* do_decrypt returns 0,1 swapped with 2,3 */
1060 	dst[0] = cpu_to_be32(tmp[2]);
1061 	dst[1] = cpu_to_be32(tmp[3]);
1062 	dst[2] = cpu_to_be32(tmp[0]);
1063 	dst[3] = cpu_to_be32(tmp[1]);
1064 }
1065 
1066 static struct crypto_alg camellia_alg = {
1067 	.cra_name		=	"camellia",
1068 	.cra_driver_name	=	"camellia-generic",
1069 	.cra_priority		=	100,
1070 	.cra_flags		=	CRYPTO_ALG_TYPE_CIPHER,
1071 	.cra_blocksize		=	CAMELLIA_BLOCK_SIZE,
1072 	.cra_ctxsize		=	sizeof(struct camellia_ctx),
1073 	.cra_alignmask		=	3,
1074 	.cra_module		=	THIS_MODULE,
1075 	.cra_u			=	{
1076 		.cipher = {
1077 			.cia_min_keysize	=	CAMELLIA_MIN_KEY_SIZE,
1078 			.cia_max_keysize	=	CAMELLIA_MAX_KEY_SIZE,
1079 			.cia_setkey		=	camellia_set_key,
1080 			.cia_encrypt		=	camellia_encrypt,
1081 			.cia_decrypt		=	camellia_decrypt
1082 		}
1083 	}
1084 };
1085 
camellia_init(void)1086 static int __init camellia_init(void)
1087 {
1088 	return crypto_register_alg(&camellia_alg);
1089 }
1090 
camellia_fini(void)1091 static void __exit camellia_fini(void)
1092 {
1093 	crypto_unregister_alg(&camellia_alg);
1094 }
1095 
1096 module_init(camellia_init);
1097 module_exit(camellia_fini);
1098 
1099 MODULE_DESCRIPTION("Camellia Cipher Algorithm");
1100 MODULE_LICENSE("GPL");
1101 MODULE_ALIAS_CRYPTO("camellia");
1102 MODULE_ALIAS_CRYPTO("camellia-generic");
1103