• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (C) 2006
4  * NTT (Nippon Telegraph and Telephone Corporation).
5  */
6 
7 /*
8  * Algorithm Specification
9  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
10  */
11 
12 /*
13  *
14  * NOTE --- NOTE --- NOTE --- NOTE
15  * This implementation assumes that all memory addresses passed
16  * as parameters are four-byte aligned.
17  *
18  */
19 
20 #include <linux/crypto.h>
21 #include <linux/errno.h>
22 #include <linux/init.h>
23 #include <linux/kernel.h>
24 #include <linux/module.h>
25 #include <linux/bitops.h>
26 #include <asm/unaligned.h>
27 
28 static const u32 camellia_sp1110[256] = {
29 	0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00,
30 	0xb3b3b300, 0x27272700, 0xc0c0c000, 0xe5e5e500,
31 	0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
32 	0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100,
33 	0x23232300, 0xefefef00, 0x6b6b6b00, 0x93939300,
34 	0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
35 	0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00,
36 	0x1d1d1d00, 0x65656500, 0x92929200, 0xbdbdbd00,
37 	0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
38 	0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00,
39 	0x3e3e3e00, 0x30303000, 0xdcdcdc00, 0x5f5f5f00,
40 	0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
41 	0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00,
42 	0xd5d5d500, 0x47474700, 0x5d5d5d00, 0x3d3d3d00,
43 	0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
44 	0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00,
45 	0x8b8b8b00, 0x0d0d0d00, 0x9a9a9a00, 0x66666600,
46 	0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
47 	0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000,
48 	0xf0f0f000, 0xb1b1b100, 0x84848400, 0x99999900,
49 	0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
50 	0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500,
51 	0x6d6d6d00, 0xb7b7b700, 0xa9a9a900, 0x31313100,
52 	0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
53 	0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100,
54 	0xdedede00, 0x1b1b1b00, 0x11111100, 0x1c1c1c00,
55 	0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
56 	0x53535300, 0x18181800, 0xf2f2f200, 0x22222200,
57 	0xfefefe00, 0x44444400, 0xcfcfcf00, 0xb2b2b200,
58 	0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
59 	0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800,
60 	0x60606000, 0xfcfcfc00, 0x69696900, 0x50505000,
61 	0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
62 	0xa1a1a100, 0x89898900, 0x62626200, 0x97979700,
63 	0x54545400, 0x5b5b5b00, 0x1e1e1e00, 0x95959500,
64 	0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
65 	0x10101000, 0xc4c4c400, 0x00000000, 0x48484800,
66 	0xa3a3a300, 0xf7f7f700, 0x75757500, 0xdbdbdb00,
67 	0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
68 	0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400,
69 	0x87878700, 0x5c5c5c00, 0x83838300, 0x02020200,
70 	0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
71 	0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300,
72 	0x9d9d9d00, 0x7f7f7f00, 0xbfbfbf00, 0xe2e2e200,
73 	0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
74 	0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00,
75 	0x81818100, 0x96969600, 0x6f6f6f00, 0x4b4b4b00,
76 	0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
77 	0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00,
78 	0x9f9f9f00, 0x6e6e6e00, 0xbcbcbc00, 0x8e8e8e00,
79 	0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
80 	0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900,
81 	0x78787800, 0x98989800, 0x06060600, 0x6a6a6a00,
82 	0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
83 	0xd4d4d400, 0x25252500, 0xababab00, 0x42424200,
84 	0x88888800, 0xa2a2a200, 0x8d8d8d00, 0xfafafa00,
85 	0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
86 	0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00,
87 	0x36363600, 0x49494900, 0x2a2a2a00, 0x68686800,
88 	0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
89 	0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00,
90 	0xbbbbbb00, 0xc9c9c900, 0x43434300, 0xc1c1c100,
91 	0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
92 	0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00,
93 };
94 
95 static const u32 camellia_sp0222[256] = {
96 	0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9,
97 	0x00676767, 0x004e4e4e, 0x00818181, 0x00cbcbcb,
98 	0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
99 	0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282,
100 	0x00464646, 0x00dfdfdf, 0x00d6d6d6, 0x00272727,
101 	0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
102 	0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c,
103 	0x003a3a3a, 0x00cacaca, 0x00252525, 0x007b7b7b,
104 	0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
105 	0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d,
106 	0x007c7c7c, 0x00606060, 0x00b9b9b9, 0x00bebebe,
107 	0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
108 	0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595,
109 	0x00ababab, 0x008e8e8e, 0x00bababa, 0x007a7a7a,
110 	0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
111 	0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a,
112 	0x00171717, 0x001a1a1a, 0x00353535, 0x00cccccc,
113 	0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
114 	0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040,
115 	0x00e1e1e1, 0x00636363, 0x00090909, 0x00333333,
116 	0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
117 	0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a,
118 	0x00dadada, 0x006f6f6f, 0x00535353, 0x00626262,
119 	0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
120 	0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2,
121 	0x00bdbdbd, 0x00363636, 0x00222222, 0x00383838,
122 	0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
123 	0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444,
124 	0x00fdfdfd, 0x00888888, 0x009f9f9f, 0x00656565,
125 	0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
126 	0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151,
127 	0x00c0c0c0, 0x00f9f9f9, 0x00d2d2d2, 0x00a0a0a0,
128 	0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
129 	0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f,
130 	0x00a8a8a8, 0x00b6b6b6, 0x003c3c3c, 0x002b2b2b,
131 	0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
132 	0x00202020, 0x00898989, 0x00000000, 0x00909090,
133 	0x00474747, 0x00efefef, 0x00eaeaea, 0x00b7b7b7,
134 	0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
135 	0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929,
136 	0x000f0f0f, 0x00b8b8b8, 0x00070707, 0x00040404,
137 	0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
138 	0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7,
139 	0x003b3b3b, 0x00fefefe, 0x007f7f7f, 0x00c5c5c5,
140 	0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
141 	0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676,
142 	0x00030303, 0x002d2d2d, 0x00dedede, 0x00969696,
143 	0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
144 	0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919,
145 	0x003f3f3f, 0x00dcdcdc, 0x00797979, 0x001d1d1d,
146 	0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
147 	0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2,
148 	0x00f0f0f0, 0x00313131, 0x000c0c0c, 0x00d4d4d4,
149 	0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
150 	0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484,
151 	0x00111111, 0x00454545, 0x001b1b1b, 0x00f5f5f5,
152 	0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
153 	0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414,
154 	0x006c6c6c, 0x00929292, 0x00545454, 0x00d0d0d0,
155 	0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
156 	0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6,
157 	0x00777777, 0x00939393, 0x00868686, 0x00838383,
158 	0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
159 	0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d,
160 };
161 
162 static const u32 camellia_sp3033[256] = {
163 	0x38003838, 0x41004141, 0x16001616, 0x76007676,
164 	0xd900d9d9, 0x93009393, 0x60006060, 0xf200f2f2,
165 	0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
166 	0x75007575, 0x06000606, 0x57005757, 0xa000a0a0,
167 	0x91009191, 0xf700f7f7, 0xb500b5b5, 0xc900c9c9,
168 	0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
169 	0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727,
170 	0x8e008e8e, 0xb200b2b2, 0x49004949, 0xde00dede,
171 	0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
172 	0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767,
173 	0x1f001f1f, 0x18001818, 0x6e006e6e, 0xaf00afaf,
174 	0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
175 	0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565,
176 	0xea00eaea, 0xa300a3a3, 0xae00aeae, 0x9e009e9e,
177 	0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
178 	0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6,
179 	0xc500c5c5, 0x86008686, 0x4d004d4d, 0x33003333,
180 	0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
181 	0x3a003a3a, 0x09000909, 0x95009595, 0x10001010,
182 	0x78007878, 0xd800d8d8, 0x42004242, 0xcc00cccc,
183 	0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
184 	0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282,
185 	0xb600b6b6, 0xdb00dbdb, 0xd400d4d4, 0x98009898,
186 	0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
187 	0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0,
188 	0x6f006f6f, 0x8d008d8d, 0x88008888, 0x0e000e0e,
189 	0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
190 	0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111,
191 	0x7f007f7f, 0x22002222, 0xe700e7e7, 0x59005959,
192 	0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
193 	0x12001212, 0x04000404, 0x74007474, 0x54005454,
194 	0x30003030, 0x7e007e7e, 0xb400b4b4, 0x28002828,
195 	0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
196 	0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb,
197 	0x2a002a2a, 0xad00adad, 0x0f000f0f, 0xca00caca,
198 	0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
199 	0x08000808, 0x62006262, 0x00000000, 0x24002424,
200 	0xd100d1d1, 0xfb00fbfb, 0xba00baba, 0xed00eded,
201 	0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
202 	0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a,
203 	0xc300c3c3, 0x2e002e2e, 0xc100c1c1, 0x01000101,
204 	0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
205 	0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9,
206 	0xce00cece, 0xbf00bfbf, 0xdf00dfdf, 0x71007171,
207 	0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
208 	0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d,
209 	0xc000c0c0, 0x4b004b4b, 0xb700b7b7, 0xa500a5a5,
210 	0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
211 	0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646,
212 	0xcf00cfcf, 0x37003737, 0x5e005e5e, 0x47004747,
213 	0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
214 	0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac,
215 	0x3c003c3c, 0x4c004c4c, 0x03000303, 0x35003535,
216 	0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
217 	0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121,
218 	0x44004444, 0x51005151, 0xc600c6c6, 0x7d007d7d,
219 	0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
220 	0x7c007c7c, 0x77007777, 0x56005656, 0x05000505,
221 	0x1b001b1b, 0xa400a4a4, 0x15001515, 0x34003434,
222 	0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
223 	0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd,
224 	0xdd00dddd, 0xe400e4e4, 0xa100a1a1, 0xe000e0e0,
225 	0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
226 	0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f,
227 };
228 
229 static const u32 camellia_sp4404[256] = {
230 	0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0,
231 	0xe4e400e4, 0x57570057, 0xeaea00ea, 0xaeae00ae,
232 	0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
233 	0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092,
234 	0x86860086, 0xafaf00af, 0x7c7c007c, 0x1f1f001f,
235 	0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
236 	0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d,
237 	0xd9d900d9, 0x5a5a005a, 0x51510051, 0x6c6c006c,
238 	0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
239 	0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084,
240 	0xdfdf00df, 0xcbcb00cb, 0x34340034, 0x76760076,
241 	0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
242 	0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011,
243 	0x32320032, 0x9c9c009c, 0x53530053, 0xf2f200f2,
244 	0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
245 	0x24240024, 0xe8e800e8, 0x60600060, 0x69690069,
246 	0xaaaa00aa, 0xa0a000a0, 0xa1a100a1, 0x62620062,
247 	0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
248 	0x10100010, 0x00000000, 0xa3a300a3, 0x75750075,
249 	0x8a8a008a, 0xe6e600e6, 0x09090009, 0xdddd00dd,
250 	0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
251 	0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf,
252 	0x52520052, 0xd8d800d8, 0xc8c800c8, 0xc6c600c6,
253 	0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
254 	0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc,
255 	0x29290029, 0xf9f900f9, 0x2f2f002f, 0xb4b400b4,
256 	0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
257 	0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d,
258 	0x72720072, 0xb9b900b9, 0xf8f800f8, 0xacac00ac,
259 	0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
260 	0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043,
261 	0x15150015, 0xadad00ad, 0x77770077, 0x80800080,
262 	0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
263 	0x85850085, 0x35350035, 0x0c0c000c, 0x41410041,
264 	0xefef00ef, 0x93930093, 0x19190019, 0x21210021,
265 	0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
266 	0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce,
267 	0x30300030, 0x5f5f005f, 0xc5c500c5, 0x1a1a001a,
268 	0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
269 	0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d,
270 	0x0d0d000d, 0x66660066, 0xcccc00cc, 0x2d2d002d,
271 	0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
272 	0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005,
273 	0xb7b700b7, 0x31310031, 0x17170017, 0xd7d700d7,
274 	0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
275 	0x0f0f000f, 0x16160016, 0x18180018, 0x22220022,
276 	0x44440044, 0xb2b200b2, 0xb5b500b5, 0x91910091,
277 	0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
278 	0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097,
279 	0x5b5b005b, 0x95950095, 0xffff00ff, 0xd2d200d2,
280 	0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
281 	0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094,
282 	0x5c5c005c, 0x02020002, 0x4a4a004a, 0x33330033,
283 	0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
284 	0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b,
285 	0x96960096, 0x4b4b004b, 0xbebe00be, 0x2e2e002e,
286 	0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
287 	0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059,
288 	0x98980098, 0x6a6a006a, 0x46460046, 0xbaba00ba,
289 	0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
290 	0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a,
291 	0x49490049, 0x68680068, 0x38380038, 0xa4a400a4,
292 	0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
293 	0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e,
294 };
295 
296 
297 #define CAMELLIA_MIN_KEY_SIZE        16
298 #define CAMELLIA_MAX_KEY_SIZE        32
299 #define CAMELLIA_BLOCK_SIZE          16
300 #define CAMELLIA_TABLE_BYTE_LEN     272
301 
302 /*
303  * NB: L and R below stand for 'left' and 'right' as in written numbers.
304  * That is, in (xxxL,xxxR) pair xxxL holds most significant digits,
305  * _not_ least significant ones!
306  */
307 
308 
309 /* key constants */
310 
311 #define CAMELLIA_SIGMA1L (0xA09E667FL)
312 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
313 #define CAMELLIA_SIGMA2L (0xB67AE858L)
314 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
315 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
316 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
317 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
318 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
319 #define CAMELLIA_SIGMA5L (0x10E527FAL)
320 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
321 #define CAMELLIA_SIGMA6L (0xB05688C2L)
322 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
323 
324 /*
325  *  macros
326  */
327 #define ROLDQ(ll, lr, rl, rr, w0, w1, bits) ({		\
328 	w0 = ll;					\
329 	ll = (ll << bits) + (lr >> (32 - bits));	\
330 	lr = (lr << bits) + (rl >> (32 - bits));	\
331 	rl = (rl << bits) + (rr >> (32 - bits));	\
332 	rr = (rr << bits) + (w0 >> (32 - bits));	\
333 })
334 
335 #define ROLDQo32(ll, lr, rl, rr, w0, w1, bits) ({	\
336 	w0 = ll;					\
337 	w1 = lr;					\
338 	ll = (lr << (bits - 32)) + (rl >> (64 - bits));	\
339 	lr = (rl << (bits - 32)) + (rr >> (64 - bits));	\
340 	rl = (rr << (bits - 32)) + (w0 >> (64 - bits));	\
341 	rr = (w0 << (bits - 32)) + (w1 >> (64 - bits));	\
342 })
343 
344 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) ({	\
345 	il = xl ^ kl;						\
346 	ir = xr ^ kr;						\
347 	t0 = il >> 16;						\
348 	t1 = ir >> 16;						\
349 	yl = camellia_sp1110[(u8)(ir)]				\
350 	   ^ camellia_sp0222[(u8)(t1 >> 8)]			\
351 	   ^ camellia_sp3033[(u8)(t1)]				\
352 	   ^ camellia_sp4404[(u8)(ir >> 8)];			\
353 	yr = camellia_sp1110[(u8)(t0 >> 8)]			\
354 	   ^ camellia_sp0222[(u8)(t0)]				\
355 	   ^ camellia_sp3033[(u8)(il >> 8)]			\
356 	   ^ camellia_sp4404[(u8)(il)];				\
357 	yl ^= yr;						\
358 	yr = ror32(yr, 8);					\
359 	yr ^= yl;						\
360 })
361 
362 #define SUBKEY_L(INDEX) (subkey[(INDEX)*2])
363 #define SUBKEY_R(INDEX) (subkey[(INDEX)*2 + 1])
364 
camellia_setup_tail(u32 * subkey,u32 * subL,u32 * subR,int max)365 static void camellia_setup_tail(u32 *subkey, u32 *subL, u32 *subR, int max)
366 {
367 	u32 dw, tl, tr;
368 	u32 kw4l, kw4r;
369 
370 	/* absorb kw2 to other subkeys */
371 	/* round 2 */
372 	subL[3] ^= subL[1]; subR[3] ^= subR[1];
373 	/* round 4 */
374 	subL[5] ^= subL[1]; subR[5] ^= subR[1];
375 	/* round 6 */
376 	subL[7] ^= subL[1]; subR[7] ^= subR[1];
377 	subL[1] ^= subR[1] & ~subR[9];
378 	dw = subL[1] & subL[9];
379 	subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl2) */
380 	/* round 8 */
381 	subL[11] ^= subL[1]; subR[11] ^= subR[1];
382 	/* round 10 */
383 	subL[13] ^= subL[1]; subR[13] ^= subR[1];
384 	/* round 12 */
385 	subL[15] ^= subL[1]; subR[15] ^= subR[1];
386 	subL[1] ^= subR[1] & ~subR[17];
387 	dw = subL[1] & subL[17];
388 	subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl4) */
389 	/* round 14 */
390 	subL[19] ^= subL[1]; subR[19] ^= subR[1];
391 	/* round 16 */
392 	subL[21] ^= subL[1]; subR[21] ^= subR[1];
393 	/* round 18 */
394 	subL[23] ^= subL[1]; subR[23] ^= subR[1];
395 	if (max == 24) {
396 		/* kw3 */
397 		subL[24] ^= subL[1]; subR[24] ^= subR[1];
398 
399 	/* absorb kw4 to other subkeys */
400 		kw4l = subL[25]; kw4r = subR[25];
401 	} else {
402 		subL[1] ^= subR[1] & ~subR[25];
403 		dw = subL[1] & subL[25];
404 		subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl6) */
405 		/* round 20 */
406 		subL[27] ^= subL[1]; subR[27] ^= subR[1];
407 		/* round 22 */
408 		subL[29] ^= subL[1]; subR[29] ^= subR[1];
409 		/* round 24 */
410 		subL[31] ^= subL[1]; subR[31] ^= subR[1];
411 		/* kw3 */
412 		subL[32] ^= subL[1]; subR[32] ^= subR[1];
413 
414 	/* absorb kw4 to other subkeys */
415 		kw4l = subL[33]; kw4r = subR[33];
416 		/* round 23 */
417 		subL[30] ^= kw4l; subR[30] ^= kw4r;
418 		/* round 21 */
419 		subL[28] ^= kw4l; subR[28] ^= kw4r;
420 		/* round 19 */
421 		subL[26] ^= kw4l; subR[26] ^= kw4r;
422 		kw4l ^= kw4r & ~subR[24];
423 		dw = kw4l & subL[24];
424 		kw4r ^= rol32(dw, 1); /* modified for FL(kl5) */
425 	}
426 	/* round 17 */
427 	subL[22] ^= kw4l; subR[22] ^= kw4r;
428 	/* round 15 */
429 	subL[20] ^= kw4l; subR[20] ^= kw4r;
430 	/* round 13 */
431 	subL[18] ^= kw4l; subR[18] ^= kw4r;
432 	kw4l ^= kw4r & ~subR[16];
433 	dw = kw4l & subL[16];
434 	kw4r ^= rol32(dw, 1); /* modified for FL(kl3) */
435 	/* round 11 */
436 	subL[14] ^= kw4l; subR[14] ^= kw4r;
437 	/* round 9 */
438 	subL[12] ^= kw4l; subR[12] ^= kw4r;
439 	/* round 7 */
440 	subL[10] ^= kw4l; subR[10] ^= kw4r;
441 	kw4l ^= kw4r & ~subR[8];
442 	dw = kw4l & subL[8];
443 	kw4r ^= rol32(dw, 1); /* modified for FL(kl1) */
444 	/* round 5 */
445 	subL[6] ^= kw4l; subR[6] ^= kw4r;
446 	/* round 3 */
447 	subL[4] ^= kw4l; subR[4] ^= kw4r;
448 	/* round 1 */
449 	subL[2] ^= kw4l; subR[2] ^= kw4r;
450 	/* kw1 */
451 	subL[0] ^= kw4l; subR[0] ^= kw4r;
452 
453 	/* key XOR is end of F-function */
454 	SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
455 	SUBKEY_R(0) = subR[0] ^ subR[2];
456 	SUBKEY_L(2) = subL[3];       /* round 1 */
457 	SUBKEY_R(2) = subR[3];
458 	SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
459 	SUBKEY_R(3) = subR[2] ^ subR[4];
460 	SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
461 	SUBKEY_R(4) = subR[3] ^ subR[5];
462 	SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
463 	SUBKEY_R(5) = subR[4] ^ subR[6];
464 	SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
465 	SUBKEY_R(6) = subR[5] ^ subR[7];
466 	tl = subL[10] ^ (subR[10] & ~subR[8]);
467 	dw = tl & subL[8];  /* FL(kl1) */
468 	tr = subR[10] ^ rol32(dw, 1);
469 	SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
470 	SUBKEY_R(7) = subR[6] ^ tr;
471 	SUBKEY_L(8) = subL[8];       /* FL(kl1) */
472 	SUBKEY_R(8) = subR[8];
473 	SUBKEY_L(9) = subL[9];       /* FLinv(kl2) */
474 	SUBKEY_R(9) = subR[9];
475 	tl = subL[7] ^ (subR[7] & ~subR[9]);
476 	dw = tl & subL[9];  /* FLinv(kl2) */
477 	tr = subR[7] ^ rol32(dw, 1);
478 	SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
479 	SUBKEY_R(10) = tr ^ subR[11];
480 	SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
481 	SUBKEY_R(11) = subR[10] ^ subR[12];
482 	SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
483 	SUBKEY_R(12) = subR[11] ^ subR[13];
484 	SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
485 	SUBKEY_R(13) = subR[12] ^ subR[14];
486 	SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
487 	SUBKEY_R(14) = subR[13] ^ subR[15];
488 	tl = subL[18] ^ (subR[18] & ~subR[16]);
489 	dw = tl & subL[16]; /* FL(kl3) */
490 	tr = subR[18] ^ rol32(dw, 1);
491 	SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
492 	SUBKEY_R(15) = subR[14] ^ tr;
493 	SUBKEY_L(16) = subL[16];     /* FL(kl3) */
494 	SUBKEY_R(16) = subR[16];
495 	SUBKEY_L(17) = subL[17];     /* FLinv(kl4) */
496 	SUBKEY_R(17) = subR[17];
497 	tl = subL[15] ^ (subR[15] & ~subR[17]);
498 	dw = tl & subL[17]; /* FLinv(kl4) */
499 	tr = subR[15] ^ rol32(dw, 1);
500 	SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
501 	SUBKEY_R(18) = tr ^ subR[19];
502 	SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
503 	SUBKEY_R(19) = subR[18] ^ subR[20];
504 	SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
505 	SUBKEY_R(20) = subR[19] ^ subR[21];
506 	SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
507 	SUBKEY_R(21) = subR[20] ^ subR[22];
508 	SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
509 	SUBKEY_R(22) = subR[21] ^ subR[23];
510 	if (max == 24) {
511 		SUBKEY_L(23) = subL[22];     /* round 18 */
512 		SUBKEY_R(23) = subR[22];
513 		SUBKEY_L(24) = subL[24] ^ subL[23]; /* kw3 */
514 		SUBKEY_R(24) = subR[24] ^ subR[23];
515 	} else {
516 		tl = subL[26] ^ (subR[26] & ~subR[24]);
517 		dw = tl & subL[24]; /* FL(kl5) */
518 		tr = subR[26] ^ rol32(dw, 1);
519 		SUBKEY_L(23) = subL[22] ^ tl; /* round 18 */
520 		SUBKEY_R(23) = subR[22] ^ tr;
521 		SUBKEY_L(24) = subL[24];     /* FL(kl5) */
522 		SUBKEY_R(24) = subR[24];
523 		SUBKEY_L(25) = subL[25];     /* FLinv(kl6) */
524 		SUBKEY_R(25) = subR[25];
525 		tl = subL[23] ^ (subR[23] & ~subR[25]);
526 		dw = tl & subL[25]; /* FLinv(kl6) */
527 		tr = subR[23] ^ rol32(dw, 1);
528 		SUBKEY_L(26) = tl ^ subL[27]; /* round 19 */
529 		SUBKEY_R(26) = tr ^ subR[27];
530 		SUBKEY_L(27) = subL[26] ^ subL[28]; /* round 20 */
531 		SUBKEY_R(27) = subR[26] ^ subR[28];
532 		SUBKEY_L(28) = subL[27] ^ subL[29]; /* round 21 */
533 		SUBKEY_R(28) = subR[27] ^ subR[29];
534 		SUBKEY_L(29) = subL[28] ^ subL[30]; /* round 22 */
535 		SUBKEY_R(29) = subR[28] ^ subR[30];
536 		SUBKEY_L(30) = subL[29] ^ subL[31]; /* round 23 */
537 		SUBKEY_R(30) = subR[29] ^ subR[31];
538 		SUBKEY_L(31) = subL[30];     /* round 24 */
539 		SUBKEY_R(31) = subR[30];
540 		SUBKEY_L(32) = subL[32] ^ subL[31]; /* kw3 */
541 		SUBKEY_R(32) = subR[32] ^ subR[31];
542 	}
543 }
544 
camellia_setup128(const unsigned char * key,u32 * subkey)545 static void camellia_setup128(const unsigned char *key, u32 *subkey)
546 {
547 	u32 kll, klr, krl, krr;
548 	u32 il, ir, t0, t1, w0, w1;
549 	u32 subL[26];
550 	u32 subR[26];
551 
552 	/**
553 	 *  k == kll || klr || krl || krr (|| is concatenation)
554 	 */
555 	kll = get_unaligned_be32(key);
556 	klr = get_unaligned_be32(key + 4);
557 	krl = get_unaligned_be32(key + 8);
558 	krr = get_unaligned_be32(key + 12);
559 
560 	/* generate KL dependent subkeys */
561 	/* kw1 */
562 	subL[0] = kll; subR[0] = klr;
563 	/* kw2 */
564 	subL[1] = krl; subR[1] = krr;
565 	/* rotation left shift 15bit */
566 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
567 	/* k3 */
568 	subL[4] = kll; subR[4] = klr;
569 	/* k4 */
570 	subL[5] = krl; subR[5] = krr;
571 	/* rotation left shift 15+30bit */
572 	ROLDQ(kll, klr, krl, krr, w0, w1, 30);
573 	/* k7 */
574 	subL[10] = kll; subR[10] = klr;
575 	/* k8 */
576 	subL[11] = krl; subR[11] = krr;
577 	/* rotation left shift 15+30+15bit */
578 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
579 	/* k10 */
580 	subL[13] = krl; subR[13] = krr;
581 	/* rotation left shift 15+30+15+17 bit */
582 	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
583 	/* kl3 */
584 	subL[16] = kll; subR[16] = klr;
585 	/* kl4 */
586 	subL[17] = krl; subR[17] = krr;
587 	/* rotation left shift 15+30+15+17+17 bit */
588 	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
589 	/* k13 */
590 	subL[18] = kll; subR[18] = klr;
591 	/* k14 */
592 	subL[19] = krl; subR[19] = krr;
593 	/* rotation left shift 15+30+15+17+17+17 bit */
594 	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
595 	/* k17 */
596 	subL[22] = kll; subR[22] = klr;
597 	/* k18 */
598 	subL[23] = krl; subR[23] = krr;
599 
600 	/* generate KA */
601 	kll = subL[0]; klr = subR[0];
602 	krl = subL[1]; krr = subR[1];
603 	CAMELLIA_F(kll, klr,
604 		   CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
605 		   w0, w1, il, ir, t0, t1);
606 	krl ^= w0; krr ^= w1;
607 	CAMELLIA_F(krl, krr,
608 		   CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
609 		   kll, klr, il, ir, t0, t1);
610 	/* current status == (kll, klr, w0, w1) */
611 	CAMELLIA_F(kll, klr,
612 		   CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
613 		   krl, krr, il, ir, t0, t1);
614 	krl ^= w0; krr ^= w1;
615 	CAMELLIA_F(krl, krr,
616 		   CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
617 		   w0, w1, il, ir, t0, t1);
618 	kll ^= w0; klr ^= w1;
619 
620 	/* generate KA dependent subkeys */
621 	/* k1, k2 */
622 	subL[2] = kll; subR[2] = klr;
623 	subL[3] = krl; subR[3] = krr;
624 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
625 	/* k5,k6 */
626 	subL[6] = kll; subR[6] = klr;
627 	subL[7] = krl; subR[7] = krr;
628 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
629 	/* kl1, kl2 */
630 	subL[8] = kll; subR[8] = klr;
631 	subL[9] = krl; subR[9] = krr;
632 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
633 	/* k9 */
634 	subL[12] = kll; subR[12] = klr;
635 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
636 	/* k11, k12 */
637 	subL[14] = kll; subR[14] = klr;
638 	subL[15] = krl; subR[15] = krr;
639 	ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
640 	/* k15, k16 */
641 	subL[20] = kll; subR[20] = klr;
642 	subL[21] = krl; subR[21] = krr;
643 	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
644 	/* kw3, kw4 */
645 	subL[24] = kll; subR[24] = klr;
646 	subL[25] = krl; subR[25] = krr;
647 
648 	camellia_setup_tail(subkey, subL, subR, 24);
649 }
650 
camellia_setup256(const unsigned char * key,u32 * subkey)651 static void camellia_setup256(const unsigned char *key, u32 *subkey)
652 {
653 	u32 kll, klr, krl, krr;        /* left half of key */
654 	u32 krll, krlr, krrl, krrr;    /* right half of key */
655 	u32 il, ir, t0, t1, w0, w1;    /* temporary variables */
656 	u32 subL[34];
657 	u32 subR[34];
658 
659 	/**
660 	 *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
661 	 *  (|| is concatenation)
662 	 */
663 	kll = get_unaligned_be32(key);
664 	klr = get_unaligned_be32(key + 4);
665 	krl = get_unaligned_be32(key + 8);
666 	krr = get_unaligned_be32(key + 12);
667 	krll = get_unaligned_be32(key + 16);
668 	krlr = get_unaligned_be32(key + 20);
669 	krrl = get_unaligned_be32(key + 24);
670 	krrr = get_unaligned_be32(key + 28);
671 
672 	/* generate KL dependent subkeys */
673 	/* kw1 */
674 	subL[0] = kll; subR[0] = klr;
675 	/* kw2 */
676 	subL[1] = krl; subR[1] = krr;
677 	ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
678 	/* k9 */
679 	subL[12] = kll; subR[12] = klr;
680 	/* k10 */
681 	subL[13] = krl; subR[13] = krr;
682 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
683 	/* kl3 */
684 	subL[16] = kll; subR[16] = klr;
685 	/* kl4 */
686 	subL[17] = krl; subR[17] = krr;
687 	ROLDQ(kll, klr, krl, krr, w0, w1, 17);
688 	/* k17 */
689 	subL[22] = kll; subR[22] = klr;
690 	/* k18 */
691 	subL[23] = krl; subR[23] = krr;
692 	ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
693 	/* k23 */
694 	subL[30] = kll; subR[30] = klr;
695 	/* k24 */
696 	subL[31] = krl; subR[31] = krr;
697 
698 	/* generate KR dependent subkeys */
699 	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
700 	/* k3 */
701 	subL[4] = krll; subR[4] = krlr;
702 	/* k4 */
703 	subL[5] = krrl; subR[5] = krrr;
704 	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
705 	/* kl1 */
706 	subL[8] = krll; subR[8] = krlr;
707 	/* kl2 */
708 	subL[9] = krrl; subR[9] = krrr;
709 	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
710 	/* k13 */
711 	subL[18] = krll; subR[18] = krlr;
712 	/* k14 */
713 	subL[19] = krrl; subR[19] = krrr;
714 	ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
715 	/* k19 */
716 	subL[26] = krll; subR[26] = krlr;
717 	/* k20 */
718 	subL[27] = krrl; subR[27] = krrr;
719 	ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
720 
721 	/* generate KA */
722 	kll = subL[0] ^ krll; klr = subR[0] ^ krlr;
723 	krl = subL[1] ^ krrl; krr = subR[1] ^ krrr;
724 	CAMELLIA_F(kll, klr,
725 		   CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
726 		   w0, w1, il, ir, t0, t1);
727 	krl ^= w0; krr ^= w1;
728 	CAMELLIA_F(krl, krr,
729 		   CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
730 		   kll, klr, il, ir, t0, t1);
731 	kll ^= krll; klr ^= krlr;
732 	CAMELLIA_F(kll, klr,
733 		   CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
734 		   krl, krr, il, ir, t0, t1);
735 	krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
736 	CAMELLIA_F(krl, krr,
737 		   CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
738 		   w0, w1, il, ir, t0, t1);
739 	kll ^= w0; klr ^= w1;
740 
741 	/* generate KB */
742 	krll ^= kll; krlr ^= klr;
743 	krrl ^= krl; krrr ^= krr;
744 	CAMELLIA_F(krll, krlr,
745 		   CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
746 		   w0, w1, il, ir, t0, t1);
747 	krrl ^= w0; krrr ^= w1;
748 	CAMELLIA_F(krrl, krrr,
749 		   CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
750 		   w0, w1, il, ir, t0, t1);
751 	krll ^= w0; krlr ^= w1;
752 
753 	/* generate KA dependent subkeys */
754 	ROLDQ(kll, klr, krl, krr, w0, w1, 15);
755 	/* k5 */
756 	subL[6] = kll; subR[6] = klr;
757 	/* k6 */
758 	subL[7] = krl; subR[7] = krr;
759 	ROLDQ(kll, klr, krl, krr, w0, w1, 30);
760 	/* k11 */
761 	subL[14] = kll; subR[14] = klr;
762 	/* k12 */
763 	subL[15] = krl; subR[15] = krr;
764 	/* rotation left shift 32bit */
765 	/* kl5 */
766 	subL[24] = klr; subR[24] = krl;
767 	/* kl6 */
768 	subL[25] = krr; subR[25] = kll;
769 	/* rotation left shift 49 from k11,k12 -> k21,k22 */
770 	ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
771 	/* k21 */
772 	subL[28] = kll; subR[28] = klr;
773 	/* k22 */
774 	subL[29] = krl; subR[29] = krr;
775 
776 	/* generate KB dependent subkeys */
777 	/* k1 */
778 	subL[2] = krll; subR[2] = krlr;
779 	/* k2 */
780 	subL[3] = krrl; subR[3] = krrr;
781 	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
782 	/* k7 */
783 	subL[10] = krll; subR[10] = krlr;
784 	/* k8 */
785 	subL[11] = krrl; subR[11] = krrr;
786 	ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
787 	/* k15 */
788 	subL[20] = krll; subR[20] = krlr;
789 	/* k16 */
790 	subL[21] = krrl; subR[21] = krrr;
791 	ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
792 	/* kw3 */
793 	subL[32] = krll; subR[32] = krlr;
794 	/* kw4 */
795 	subL[33] = krrl; subR[33] = krrr;
796 
797 	camellia_setup_tail(subkey, subL, subR, 32);
798 }
799 
camellia_setup192(const unsigned char * key,u32 * subkey)800 static void camellia_setup192(const unsigned char *key, u32 *subkey)
801 {
802 	unsigned char kk[32];
803 	u32 krll, krlr, krrl, krrr;
804 
805 	memcpy(kk, key, 24);
806 	memcpy((unsigned char *)&krll, key+16, 4);
807 	memcpy((unsigned char *)&krlr, key+20, 4);
808 	krrl = ~krll;
809 	krrr = ~krlr;
810 	memcpy(kk+24, (unsigned char *)&krrl, 4);
811 	memcpy(kk+28, (unsigned char *)&krrr, 4);
812 	camellia_setup256(kk, subkey);
813 }
814 
815 
816 /*
817  * Encrypt/decrypt
818  */
819 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) ({ \
820 	t0 = kll;							\
821 	t2 = krr;							\
822 	t0 &= ll;							\
823 	t2 |= rr;							\
824 	rl ^= t2;							\
825 	lr ^= rol32(t0, 1);						\
826 	t3 = krl;							\
827 	t1 = klr;							\
828 	t3 &= rl;							\
829 	t1 |= lr;							\
830 	ll ^= t1;							\
831 	rr ^= rol32(t3, 1);						\
832 })
833 
834 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir) ({		\
835 	yl ^= kl;							\
836 	yr ^= kr;							\
837 	ir =  camellia_sp1110[(u8)xr];					\
838 	il =  camellia_sp1110[(u8)(xl >> 24)];				\
839 	ir ^= camellia_sp0222[(u8)(xr >> 24)];				\
840 	il ^= camellia_sp0222[(u8)(xl >> 16)];				\
841 	ir ^= camellia_sp3033[(u8)(xr >> 16)];				\
842 	il ^= camellia_sp3033[(u8)(xl >> 8)];				\
843 	ir ^= camellia_sp4404[(u8)(xr >> 8)];				\
844 	il ^= camellia_sp4404[(u8)xl];					\
845 	ir ^= il;							\
846 	yl ^= ir;							\
847 	yr ^= ror32(il, 8) ^ ir;					\
848 })
849 
850 /* max = 24: 128bit encrypt, max = 32: 256bit encrypt */
camellia_do_encrypt(const u32 * subkey,u32 * io,unsigned max)851 static void camellia_do_encrypt(const u32 *subkey, u32 *io, unsigned max)
852 {
853 	u32 il, ir, t0, t1;            /* temporary variables */
854 
855 	/* pre whitening but absorb kw2 */
856 	io[0] ^= SUBKEY_L(0);
857 	io[1] ^= SUBKEY_R(0);
858 
859 	/* main iteration */
860 #define ROUNDS(i) ({ \
861 	CAMELLIA_ROUNDSM(io[0], io[1], \
862 			 SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
863 			 io[2], io[3], il, ir); \
864 	CAMELLIA_ROUNDSM(io[2], io[3], \
865 			 SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
866 			 io[0], io[1], il, ir); \
867 	CAMELLIA_ROUNDSM(io[0], io[1], \
868 			 SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
869 			 io[2], io[3], il, ir); \
870 	CAMELLIA_ROUNDSM(io[2], io[3], \
871 			 SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
872 			 io[0], io[1], il, ir); \
873 	CAMELLIA_ROUNDSM(io[0], io[1], \
874 			 SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
875 			 io[2], io[3], il, ir); \
876 	CAMELLIA_ROUNDSM(io[2], io[3], \
877 			 SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
878 			 io[0], io[1], il, ir); \
879 })
880 #define FLS(i) ({ \
881 	CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
882 		     SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
883 		     SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
884 		     t0, t1, il, ir); \
885 })
886 
887 	ROUNDS(0);
888 	FLS(8);
889 	ROUNDS(8);
890 	FLS(16);
891 	ROUNDS(16);
892 	if (max == 32) {
893 		FLS(24);
894 		ROUNDS(24);
895 	}
896 
897 #undef ROUNDS
898 #undef FLS
899 
900 	/* post whitening but kw4 */
901 	io[2] ^= SUBKEY_L(max);
902 	io[3] ^= SUBKEY_R(max);
903 	/* NB: io[0],[1] should be swapped with [2],[3] by caller! */
904 }
905 
camellia_do_decrypt(const u32 * subkey,u32 * io,unsigned i)906 static void camellia_do_decrypt(const u32 *subkey, u32 *io, unsigned i)
907 {
908 	u32 il, ir, t0, t1;            /* temporary variables */
909 
910 	/* pre whitening but absorb kw2 */
911 	io[0] ^= SUBKEY_L(i);
912 	io[1] ^= SUBKEY_R(i);
913 
914 	/* main iteration */
915 #define ROUNDS(i) ({ \
916 	CAMELLIA_ROUNDSM(io[0], io[1], \
917 			 SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
918 			 io[2], io[3], il, ir); \
919 	CAMELLIA_ROUNDSM(io[2], io[3], \
920 			 SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
921 			 io[0], io[1], il, ir); \
922 	CAMELLIA_ROUNDSM(io[0], io[1], \
923 			 SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
924 			 io[2], io[3], il, ir); \
925 	CAMELLIA_ROUNDSM(io[2], io[3], \
926 			 SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
927 			 io[0], io[1], il, ir); \
928 	CAMELLIA_ROUNDSM(io[0], io[1], \
929 			 SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
930 			 io[2], io[3], il, ir); \
931 	CAMELLIA_ROUNDSM(io[2], io[3], \
932 			 SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
933 			 io[0], io[1], il, ir); \
934 })
935 #define FLS(i) ({ \
936 	CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
937 		     SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
938 		     SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
939 		     t0, t1, il, ir); \
940 })
941 
942 	if (i == 32) {
943 		ROUNDS(24);
944 		FLS(24);
945 	}
946 	ROUNDS(16);
947 	FLS(16);
948 	ROUNDS(8);
949 	FLS(8);
950 	ROUNDS(0);
951 
952 #undef ROUNDS
953 #undef FLS
954 
955 	/* post whitening but kw4 */
956 	io[2] ^= SUBKEY_L(0);
957 	io[3] ^= SUBKEY_R(0);
958 	/* NB: 0,1 should be swapped with 2,3 by caller! */
959 }
960 
961 
962 struct camellia_ctx {
963 	int key_length;
964 	u32 key_table[CAMELLIA_TABLE_BYTE_LEN / sizeof(u32)];
965 };
966 
967 static int
camellia_set_key(struct crypto_tfm * tfm,const u8 * in_key,unsigned int key_len)968 camellia_set_key(struct crypto_tfm *tfm, const u8 *in_key,
969 		 unsigned int key_len)
970 {
971 	struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
972 	const unsigned char *key = (const unsigned char *)in_key;
973 	u32 *flags = &tfm->crt_flags;
974 
975 	if (key_len != 16 && key_len != 24 && key_len != 32) {
976 		*flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
977 		return -EINVAL;
978 	}
979 
980 	cctx->key_length = key_len;
981 
982 	switch (key_len) {
983 	case 16:
984 		camellia_setup128(key, cctx->key_table);
985 		break;
986 	case 24:
987 		camellia_setup192(key, cctx->key_table);
988 		break;
989 	case 32:
990 		camellia_setup256(key, cctx->key_table);
991 		break;
992 	}
993 
994 	return 0;
995 }
996 
camellia_encrypt(struct crypto_tfm * tfm,u8 * out,const u8 * in)997 static void camellia_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
998 {
999 	const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1000 	const __be32 *src = (const __be32 *)in;
1001 	__be32 *dst = (__be32 *)out;
1002 	unsigned int max;
1003 
1004 	u32 tmp[4];
1005 
1006 	tmp[0] = be32_to_cpu(src[0]);
1007 	tmp[1] = be32_to_cpu(src[1]);
1008 	tmp[2] = be32_to_cpu(src[2]);
1009 	tmp[3] = be32_to_cpu(src[3]);
1010 
1011 	if (cctx->key_length == 16)
1012 		max = 24;
1013 	else
1014 		max = 32; /* for key lengths of 24 and 32 */
1015 
1016 	camellia_do_encrypt(cctx->key_table, tmp, max);
1017 
1018 	/* do_encrypt returns 0,1 swapped with 2,3 */
1019 	dst[0] = cpu_to_be32(tmp[2]);
1020 	dst[1] = cpu_to_be32(tmp[3]);
1021 	dst[2] = cpu_to_be32(tmp[0]);
1022 	dst[3] = cpu_to_be32(tmp[1]);
1023 }
1024 
camellia_decrypt(struct crypto_tfm * tfm,u8 * out,const u8 * in)1025 static void camellia_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1026 {
1027 	const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1028 	const __be32 *src = (const __be32 *)in;
1029 	__be32 *dst = (__be32 *)out;
1030 	unsigned int max;
1031 
1032 	u32 tmp[4];
1033 
1034 	tmp[0] = be32_to_cpu(src[0]);
1035 	tmp[1] = be32_to_cpu(src[1]);
1036 	tmp[2] = be32_to_cpu(src[2]);
1037 	tmp[3] = be32_to_cpu(src[3]);
1038 
1039 	if (cctx->key_length == 16)
1040 		max = 24;
1041 	else
1042 		max = 32; /* for key lengths of 24 and 32 */
1043 
1044 	camellia_do_decrypt(cctx->key_table, tmp, max);
1045 
1046 	/* do_decrypt returns 0,1 swapped with 2,3 */
1047 	dst[0] = cpu_to_be32(tmp[2]);
1048 	dst[1] = cpu_to_be32(tmp[3]);
1049 	dst[2] = cpu_to_be32(tmp[0]);
1050 	dst[3] = cpu_to_be32(tmp[1]);
1051 }
1052 
1053 static struct crypto_alg camellia_alg = {
1054 	.cra_name		=	"camellia",
1055 	.cra_driver_name	=	"camellia-generic",
1056 	.cra_priority		=	100,
1057 	.cra_flags		=	CRYPTO_ALG_TYPE_CIPHER,
1058 	.cra_blocksize		=	CAMELLIA_BLOCK_SIZE,
1059 	.cra_ctxsize		=	sizeof(struct camellia_ctx),
1060 	.cra_alignmask		=	3,
1061 	.cra_module		=	THIS_MODULE,
1062 	.cra_u			=	{
1063 		.cipher = {
1064 			.cia_min_keysize	=	CAMELLIA_MIN_KEY_SIZE,
1065 			.cia_max_keysize	=	CAMELLIA_MAX_KEY_SIZE,
1066 			.cia_setkey		=	camellia_set_key,
1067 			.cia_encrypt		=	camellia_encrypt,
1068 			.cia_decrypt		=	camellia_decrypt
1069 		}
1070 	}
1071 };
1072 
camellia_init(void)1073 static int __init camellia_init(void)
1074 {
1075 	return crypto_register_alg(&camellia_alg);
1076 }
1077 
camellia_fini(void)1078 static void __exit camellia_fini(void)
1079 {
1080 	crypto_unregister_alg(&camellia_alg);
1081 }
1082 
1083 subsys_initcall(camellia_init);
1084 module_exit(camellia_fini);
1085 
1086 MODULE_DESCRIPTION("Camellia Cipher Algorithm");
1087 MODULE_LICENSE("GPL");
1088 MODULE_ALIAS_CRYPTO("camellia");
1089 MODULE_ALIAS_CRYPTO("camellia-generic");
1090