1 /* camellia.h ver 1.1.0
2 *
3 * Copyright (c) 2006
4 * NTT (Nippon Telegraph and Telephone Corporation) . All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer as
11 * the first lines of this file unmodified.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY NTT ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28 /*
29 * Algorithm Specification
30 * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
31 */
32
33 #include <sys/types.h>
34 #include <sys/endian.h>
35 #ifdef _KERNEL
36 #include <sys/systm.h>
37 #else
38 #include <string.h>
39 #include <assert.h>
40 #define KASSERT(exp, msg) assert(exp)
41 #endif
42
43 #include <crypto/camellia/camellia.h>
44
45
/*
 * Key-schedule constants: six 64-bit values, each split into a left (L)
 * and a right (R) 32-bit half. They are passed as the kl/kr operands of
 * CAMELLIA_F while the key setup routines derive KA (SIGMA1..SIGMA4) and,
 * for the 256-bit schedule, KB (SIGMA5..SIGMA6).
 *
 * The L suffix makes each literal long or unsigned long depending on the
 * platform, so an expression using one may be wider than 32 bits until it
 * is assigned back to a uint32_t.
 */

#define CAMELLIA_SIGMA1L (0xA09E667FL)
#define CAMELLIA_SIGMA1R (0x3BCC908BL)
#define CAMELLIA_SIGMA2L (0xB67AE858L)
#define CAMELLIA_SIGMA2R (0x4CAA73B2L)
#define CAMELLIA_SIGMA3L (0xC6EF372FL)
#define CAMELLIA_SIGMA3R (0xE94F82BEL)
#define CAMELLIA_SIGMA4L (0x54FF53A5L)
#define CAMELLIA_SIGMA4R (0xF1D36F1CL)
#define CAMELLIA_SIGMA5L (0x10E527FAL)
#define CAMELLIA_SIGMA5R (0xDE682D1DL)
#define CAMELLIA_SIGMA6L (0xB05688C2L)
#define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
60
/*
 * Byte-order helpers.
 *
 * GETU32(pt) reads four bytes at pt as one big-endian 32-bit word
 * (pt[0] is the most significant byte).
 *
 * PUTU32(ct, st) writes the 32-bit value st to ct[0..3] in big-endian
 * order. It expands to a bare brace block rather than do { } while (0),
 * and it evaluates both arguments four times, so use it as a full
 * statement and pass arguments without side effects.
 *
 * Neither macro checks bounds: the caller guarantees four accessible bytes.
 */
#define GETU32(pt)                          \
    (((uint32_t)(pt)[3])                    \
     ^ ((uint32_t)(pt)[2] << 8)             \
     ^ ((uint32_t)(pt)[1] << 16)            \
     ^ ((uint32_t)(pt)[0] << 24))

#define PUTU32(ct, st) {                                \
    (ct)[0] = (uint8_t)(((st) >> 24) & 0xff);           \
    (ct)[1] = (uint8_t)(((st) >> 16) & 0xff);           \
    (ct)[2] = (uint8_t)(((st) >> 8) & 0xff);            \
    (ct)[3] = (uint8_t)((st) & 0xff);}
73
/*
 * Accessors for subkey pair INDEX in the caller's output array. The right
 * word lives at the even slot (2*INDEX) and the left word at the odd slot
 * (2*INDEX + 1). Both macros rely on an identifier named `subkey` being in
 * scope where they are expanded, and perform no bounds checking.
 */
#define SUBR(INDEX) (subkey[2 * (INDEX)])
#define SUBL(INDEX) (subkey[2 * (INDEX) + 1])
76
/*
 * 32-bit rotations: RR8 rotates right by 8 bits, RL1 left by 1 bit and
 * RL8 left by 8 bits. The two shifted halves never overlap for a 32-bit
 * unsigned operand, which is why a plain addition combines them. The
 * argument is evaluated twice, so it must not have side effects.
 */
#define CAMELLIA_RR8(x) (((x) << 24) + ((x) >> 8))
#define CAMELLIA_RL1(x) (((x) >> 31) + ((x) << 1))
#define CAMELLIA_RL8(x) (((x) >> 24) + ((x) << 8))
80
/*
 * Rotate the four-word quantity ll||lr||rl||rr (ll most significant) left
 * by `bits`, in place. Written for 32-bit words.
 *
 * `bits` must satisfy 0 < bits < 32: at either end one of the shifts would
 * use a count of 32, which is undefined for a 32-bit operand. w0 is scratch
 * (it keeps the original ll); w1 is accepted but not used by this variant.
 *
 * The arguments are pasted unparenthesized and several are evaluated more
 * than once, so pass plain lvalues and a literal or simple constant.
 */
#define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits) \
    do { \
        w0 = ll; \
        ll = (ll << bits) + (lr >> (32 - bits)); \
        lr = (lr << bits) + (rl >> (32 - bits)); \
        rl = (rl << bits) + (rr >> (32 - bits)); \
        rr = (rr << bits) + (w0 >> (32 - bits)); \
    } while(0)

/*
 * Same rotation for counts over 32: the words are first moved one position
 * (ll takes lr's bits, and so on) and then shifted by bits - 32.
 *
 * `bits` must satisfy 32 < bits < 64, otherwise a shift count of 32 or a
 * negative count results. w0 and w1 are scratch and keep the original ll
 * and lr. The same argument caveats as for CAMELLIA_ROLDQ apply.
 */
#define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits) \
    do { \
        w0 = ll; \
        w1 = lr; \
        ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
        lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
        rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
        rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
    } while(0)
99
/*
 * Accessors for the four 256-entry lookup tables. INDEX must already be
 * reduced to 0..255; the macros do not mask or range-check it.
 */
#define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)])
#define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)])
#define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)])
#define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)])

/*
 * F-function as used by the key setup code: (yl, yr) = F((xl, xr), (kl, kr)).
 *
 * The input is XORed with the key words, each of the eight resulting bytes
 * selects one table entry, and the entries are XORed together; the last
 * three statements mix the two halves with an 8-bit rotation. yl and yr
 * are overwritten (not accumulated into). il, ir, t0 and t1 are scratch
 * lvalues supplied by the caller.
 *
 * NOTE(review): every table index is a byte of (x ^ k), so the memory
 * access pattern depends on the key and data being processed. Table-driven
 * code of this shape is generally not constant-time on CPUs with data
 * caches; take that into account where the threat model includes an
 * observer sharing the cache.
 */
#define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \
    do { \
        il = xl ^ kl; \
        ir = xr ^ kr; \
        t0 = il >> 16; \
        t1 = ir >> 16; \
        yl = CAMELLIA_SP1110(ir & 0xff) \
            ^ CAMELLIA_SP0222((t1 >> 8) & 0xff) \
            ^ CAMELLIA_SP3033(t1 & 0xff) \
            ^ CAMELLIA_SP4404((ir >> 8) & 0xff); \
        yr = CAMELLIA_SP1110((t0 >> 8) & 0xff) \
            ^ CAMELLIA_SP0222(t0 & 0xff) \
            ^ CAMELLIA_SP3033((il >> 8) & 0xff) \
            ^ CAMELLIA_SP4404(il & 0xff); \
        yl ^= yr; \
        yr = CAMELLIA_RR8(yr); \
        yr ^= yl; \
    } while(0)
123
124
/*
 * Keyed AND/OR/rotate layer applied in place to both 64-bit halves.
 *
 * Left half (ll, lr) with key words (kll, klr):
 *     lr ^= rotl1(ll & kll);  then  ll ^= (lr | klr);
 * Right half (rl, rr) with key words (krl, krr):
 *     rl ^= (rr | krr);       then  rr ^= rotl1(rl & krl);
 *
 * The statements for the two halves are interleaved; each half only reads
 * its own words, but within a half the order above matters because the
 * second step uses the value produced by the first.
 * NOTE(review): presumably the FL / FL^-1 pair of the specification —
 * confirm against the algorithm document.
 * t0..t3 are scratch lvalues supplied by the caller.
 */
#define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
    do { \
        t0 = kll; \
        t2 = krr; \
        t0 &= ll; \
        t2 |= rr; \
        rl ^= t2; \
        lr ^= CAMELLIA_RL1(t0); \
        t3 = krl; \
        t1 = klr; \
        t3 &= rl; \
        t1 |= lr; \
        ll ^= t1; \
        rr ^= CAMELLIA_RL1(t3); \
    } while(0)
140
/*
 * One round step: looks up the eight bytes of (xl, xr) in the tables,
 * XORs in the key words (kl, kr) after the lookups, mixes the halves with
 * an 8-bit rotation and XORs the result into (yl, yr). Unlike CAMELLIA_F,
 * the key is applied after the table lookups and yl/yr are accumulated
 * into rather than overwritten.
 *
 * il and ir are scratch lvalues; t0 and t1 are accepted but not used.
 *
 * NOTE(review): the table indices are bytes of xl/xr, i.e. of the cipher
 * state, so memory accesses are data-dependent; see the cache-timing
 * consideration that applies to any table-driven cipher code.
 */
#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \
    do { \
        ir = CAMELLIA_SP1110(xr & 0xff); \
        il = CAMELLIA_SP1110((xl>>24) & 0xff); \
        ir ^= CAMELLIA_SP0222((xr>>24) & 0xff); \
        il ^= CAMELLIA_SP0222((xl>>16) & 0xff); \
        ir ^= CAMELLIA_SP3033((xr>>16) & 0xff); \
        il ^= CAMELLIA_SP3033((xl>>8) & 0xff); \
        ir ^= CAMELLIA_SP4404((xr>>8) & 0xff); \
        il ^= CAMELLIA_SP4404(xl & 0xff); \
        il ^= kl; \
        ir ^= kr; \
        ir ^= il; \
        il = CAMELLIA_RR8(il); \
        il ^= ir; \
        yl ^= ir; \
        yr ^= il; \
    } while(0)
159
160
/*
 * Lookup table behind CAMELLIA_SP1110(): 256 entries indexed by one byte.
 * Every entry carries one substituted byte repeated in the three most
 * significant byte positions, with the least significant byte zero.
 * NOTE(review): presumably an s-box output pre-spread for the P-function
 * (hence "sp") — confirm against the specification.
 */
static const uint32_t camellia_sp1110[256] = {
    0x70707000,0x82828200,0x2c2c2c00,0xececec00,
    0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
    0xe4e4e400,0x85858500,0x57575700,0x35353500,
    0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
    0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
    0x45454500,0x19191900,0xa5a5a500,0x21212100,
    0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
    0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
    0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
    0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
    0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
    0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
    0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
    0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
    0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
    0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
    0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
    0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
    0x74747400,0x12121200,0x2b2b2b00,0x20202000,
    0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
    0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
    0x34343400,0x7e7e7e00,0x76767600,0x05050500,
    0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
    0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
    0x14141400,0x58585800,0x3a3a3a00,0x61616100,
    0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
    0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
    0x53535300,0x18181800,0xf2f2f200,0x22222200,
    0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
    0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
    0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
    0x60606000,0xfcfcfc00,0x69696900,0x50505000,
    0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
    0xa1a1a100,0x89898900,0x62626200,0x97979700,
    0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
    0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
    0x10101000,0xc4c4c400,0x00000000,0x48484800,
    0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
    0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
    0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
    0x87878700,0x5c5c5c00,0x83838300,0x02020200,
    0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
    0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
    0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
    0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
    0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
    0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
    0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
    0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
    0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
    0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
    0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
    0x78787800,0x98989800,0x06060600,0x6a6a6a00,
    0xe7e7e700,0x46464600,0x71717100,0xbababa00,
    0xd4d4d400,0x25252500,0xababab00,0x42424200,
    0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
    0x72727200,0x07070700,0xb9b9b900,0x55555500,
    0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
    0x36363600,0x49494900,0x2a2a2a00,0x68686800,
    0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
    0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
    0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
    0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
    0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
};
227
/*
 * Lookup table behind CAMELLIA_SP0222(): 256 entries indexed by one byte.
 * Every entry has a zero most significant byte and one substituted byte
 * repeated in the three lower byte positions.
 */
static const uint32_t camellia_sp0222[256] = {
    0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
    0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
    0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
    0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
    0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
    0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
    0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
    0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
    0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
    0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
    0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
    0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
    0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
    0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
    0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
    0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
    0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
    0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
    0x00e8e8e8,0x00242424,0x00565656,0x00404040,
    0x00e1e1e1,0x00636363,0x00090909,0x00333333,
    0x00bfbfbf,0x00989898,0x00979797,0x00858585,
    0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
    0x00dadada,0x006f6f6f,0x00535353,0x00626262,
    0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
    0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
    0x00bdbdbd,0x00363636,0x00222222,0x00383838,
    0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
    0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
    0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
    0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
    0x00484848,0x00101010,0x00d1d1d1,0x00515151,
    0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
    0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
    0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
    0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
    0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
    0x00202020,0x00898989,0x00000000,0x00909090,
    0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
    0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
    0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
    0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
    0x009b9b9b,0x00949494,0x00212121,0x00666666,
    0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
    0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
    0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
    0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
    0x00030303,0x002d2d2d,0x00dedede,0x00969696,
    0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
    0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
    0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
    0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
    0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
    0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
    0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
    0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
    0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
    0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
    0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
    0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
    0x00787878,0x00707070,0x00e3e3e3,0x00494949,
    0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
    0x00777777,0x00939393,0x00868686,0x00838383,
    0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
    0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
};
294
/*
 * Lookup table behind CAMELLIA_SP3033(): 256 entries indexed by one byte.
 * Every entry repeats one substituted byte in the most significant and the
 * two least significant byte positions; the second byte from the top is
 * zero.
 */
static const uint32_t camellia_sp3033[256] = {
    0x38003838,0x41004141,0x16001616,0x76007676,
    0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
    0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
    0x75007575,0x06000606,0x57005757,0xa000a0a0,
    0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
    0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
    0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
    0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
    0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
    0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
    0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
    0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
    0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
    0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
    0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
    0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
    0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
    0xfd00fdfd,0x66006666,0x58005858,0x96009696,
    0x3a003a3a,0x09000909,0x95009595,0x10001010,
    0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
    0xef00efef,0x26002626,0xe500e5e5,0x61006161,
    0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
    0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
    0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
    0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
    0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
    0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
    0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
    0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
    0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
    0x12001212,0x04000404,0x74007474,0x54005454,
    0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
    0x55005555,0x68006868,0x50005050,0xbe00bebe,
    0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
    0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
    0x70007070,0xff00ffff,0x32003232,0x69006969,
    0x08000808,0x62006262,0x00000000,0x24002424,
    0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
    0x45004545,0x81008181,0x73007373,0x6d006d6d,
    0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
    0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
    0xe600e6e6,0x25002525,0x48004848,0x99009999,
    0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
    0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
    0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
    0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
    0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
    0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
    0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
    0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
    0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
    0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
    0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
    0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
    0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
    0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
    0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
    0x7c007c7c,0x77007777,0x56005656,0x05000505,
    0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
    0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
    0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
    0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
    0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
    0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
};
361
/*
 * Lookup table behind CAMELLIA_SP4404(): 256 entries indexed by one byte.
 * Every entry repeats one substituted byte in the two most significant and
 * the least significant byte positions; the second byte from the bottom is
 * zero.
 */
static const uint32_t camellia_sp4404[256] = {
    0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
    0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
    0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
    0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
    0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
    0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
    0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
    0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
    0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
    0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
    0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
    0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
    0x14140014,0x3a3a003a,0xdede00de,0x11110011,
    0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
    0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
    0x24240024,0xe8e800e8,0x60600060,0x69690069,
    0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
    0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
    0x10100010,0x00000000,0xa3a300a3,0x75750075,
    0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
    0x87870087,0x83830083,0xcdcd00cd,0x90900090,
    0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
    0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
    0x81810081,0x6f6f006f,0x13130013,0x63630063,
    0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
    0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
    0x78780078,0x06060006,0xe7e700e7,0x71710071,
    0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
    0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
    0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
    0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
    0x15150015,0xadad00ad,0x77770077,0x80800080,
    0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
    0x85850085,0x35350035,0x0c0c000c,0x41410041,
    0xefef00ef,0x93930093,0x19190019,0x21210021,
    0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
    0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
    0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
    0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
    0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
    0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
    0x12120012,0x20200020,0xb1b100b1,0x99990099,
    0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
    0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
    0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
    0x0f0f000f,0x16160016,0x18180018,0x22220022,
    0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
    0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
    0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
    0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
    0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
    0x03030003,0xdada00da,0x3f3f003f,0x94940094,
    0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
    0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
    0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
    0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
    0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
    0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
    0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
    0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
    0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
    0x49490049,0x68680068,0x38380038,0xa4a400a4,
    0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
    0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
};
428
429
/*
 * Stuff related to the Camellia key schedule
 *
 * subl(x) / subr(x) address the left and right word of working subkey pair
 * x in the local arrays subL[] and subR[] that each key setup function
 * declares. They are distinct from the upper-case SUBL()/SUBR() macros,
 * which address the caller's output array. No bounds checking is done.
 */
#define subl(x) subL[(x)]
#define subr(x) subR[(x)]
435
/*
 * Expand a 128-bit Camellia key into the subkey schedule.
 *
 * key:    at least 16 readable bytes; the four key words are loaded in
 *         big-endian order with GETU32.
 * subkey: output array of 32-bit words. Pair n is stored as
 *         SUBR(n) = subkey[2n] and SUBL(n) = subkey[2n + 1]. This function
 *         writes pairs 0 and 2..24, so the array must hold at least 50
 *         words. Pair 1 (subkey[2], subkey[3]) is never written here.
 *
 * No lengths are passed in, so neither pointer can be validated here;
 * the caller owns both bounds checks.
 *
 * NOTE(review): kll..krr, kw4l/kw4r, tl/tr and the subL/subR work arrays
 * hold the raw key and key-derived values and are not cleared before
 * return, so that material stays in the stack frame. Consider wiping them
 * with a zeroing call the compiler may not elide (e.g. explicit_bzero()
 * where the platform provides it) — confirm what is available in both the
 * _KERNEL and the userland build of this file.
 */
void
camellia_setup128(const unsigned char *key, uint32_t *subkey)
{
    uint32_t kll, klr, krl, krr;
    uint32_t il, ir, t0, t1, w0, w1;
    uint32_t kw4l, kw4r, dw, tl, tr;
    uint32_t subL[26];
    uint32_t subR[26];

    /*
     *  k == kll || klr || krl || krr (|| is concatenation)
     */
    kll = GETU32(key     );
    klr = GETU32(key +  4);
    krl = GETU32(key +  8);
    krr = GETU32(key + 12);
    /*
     * generate KL dependent subkeys
     */
    subl(0) = kll; subr(0) = klr;
    subl(1) = krl; subr(1) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
    subl(4) = kll; subr(4) = klr;
    subl(5) = krl; subr(5) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
    subl(10) = kll; subr(10) = klr;
    subl(11) = krl; subr(11) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
    subl(13) = krl; subr(13) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
    subl(16) = kll; subr(16) = klr;
    subl(17) = krl; subr(17) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
    subl(18) = kll; subr(18) = klr;
    subl(19) = krl; subr(19) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
    subl(22) = kll; subr(22) = klr;
    subl(23) = krl; subr(23) = krr;

    /* generate KA */
    /* reload the unrotated key words saved in pairs 0 and 1 */
    kll = subl(0); klr = subr(0);
    krl = subl(1); krr = subr(1);
    CAMELLIA_F(kll, klr, CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
               w0, w1, il, ir, t0, t1);
    krl ^= w0; krr ^= w1;
    CAMELLIA_F(krl, krr, CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
               kll, klr, il, ir, t0, t1);
    CAMELLIA_F(kll, klr, CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
               krl, krr, il, ir, t0, t1);
    /* w0/w1 still hold the output of the SIGMA1 call at this point */
    krl ^= w0; krr ^= w1;
    CAMELLIA_F(krl, krr, CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
               w0, w1, il, ir, t0, t1);
    kll ^= w0; klr ^= w1;

    /* generate KA dependent subkeys */
    subl(2) = kll; subr(2) = klr;
    subl(3) = krl; subr(3) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
    subl(6) = kll; subr(6) = klr;
    subl(7) = krl; subr(7) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
    subl(8) = kll; subr(8) = klr;
    subl(9) = krl; subr(9) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
    subl(12) = kll; subr(12) = klr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
    subl(14) = kll; subr(14) = klr;
    subl(15) = krl; subr(15) = krr;
    CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
    subl(20) = kll; subr(20) = klr;
    subl(21) = krl; subr(21) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
    subl(24) = kll; subr(24) = klr;
    subl(25) = krl; subr(25) = krr;


    /* absorb kw2 to other subkeys */
    /* pair 1 is folded into the odd pairs 3..23 and into pair 24 */
    subl(3) ^= subl(1); subr(3) ^= subr(1);
    subl(5) ^= subl(1); subr(5) ^= subr(1);
    subl(7) ^= subl(1); subr(7) ^= subr(1);
    subl(1) ^= subr(1) & ~subr(9);
    dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
    subl(11) ^= subl(1); subr(11) ^= subr(1);
    subl(13) ^= subl(1); subr(13) ^= subr(1);
    subl(15) ^= subl(1); subr(15) ^= subr(1);
    subl(1) ^= subr(1) & ~subr(17);
    dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
    subl(19) ^= subl(1); subr(19) ^= subr(1);
    subl(21) ^= subl(1); subr(21) ^= subr(1);
    subl(23) ^= subl(1); subr(23) ^= subr(1);
    subl(24) ^= subl(1); subr(24) ^= subr(1);

    /* absorb kw4 to other subkeys */
    /* pair 25 is folded, working downwards, into the even pairs 22..0 */
    kw4l = subl(25); kw4r = subr(25);
    subl(22) ^= kw4l; subr(22) ^= kw4r;
    subl(20) ^= kw4l; subr(20) ^= kw4r;
    subl(18) ^= kw4l; subr(18) ^= kw4r;
    kw4l ^= kw4r & ~subr(16);
    dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
    subl(14) ^= kw4l; subr(14) ^= kw4r;
    subl(12) ^= kw4l; subr(12) ^= kw4r;
    subl(10) ^= kw4l; subr(10) ^= kw4r;
    kw4l ^= kw4r & ~subr(8);
    dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
    subl(6) ^= kw4l; subr(6) ^= kw4r;
    subl(4) ^= kw4l; subr(4) ^= kw4r;
    subl(2) ^= kw4l; subr(2) ^= kw4r;
    subl(0) ^= kw4l; subr(0) ^= kw4r;

    /* key XOR is end of F-function */
    /*
     * From here on the results go to the caller's array through
     * SUBL()/SUBR(). There is no store to SUBL(1)/SUBR(1).
     */
    SUBL(0) = subl(0) ^ subl(2);
    SUBR(0) = subr(0) ^ subr(2);
    SUBL(2) = subl(3);
    SUBR(2) = subr(3);
    SUBL(3) = subl(2) ^ subl(4);
    SUBR(3) = subr(2) ^ subr(4);
    SUBL(4) = subl(3) ^ subl(5);
    SUBR(4) = subr(3) ^ subr(5);
    SUBL(5) = subl(4) ^ subl(6);
    SUBR(5) = subr(4) ^ subr(6);
    SUBL(6) = subl(5) ^ subl(7);
    SUBR(6) = subr(5) ^ subr(7);
    tl = subl(10) ^ (subr(10) & ~subr(8));
    dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
    SUBL(7) = subl(6) ^ tl;
    SUBR(7) = subr(6) ^ tr;
    SUBL(8) = subl(8);
    SUBR(8) = subr(8);
    SUBL(9) = subl(9);
    SUBR(9) = subr(9);
    tl = subl(7) ^ (subr(7) & ~subr(9));
    dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
    SUBL(10) = tl ^ subl(11);
    SUBR(10) = tr ^ subr(11);
    SUBL(11) = subl(10) ^ subl(12);
    SUBR(11) = subr(10) ^ subr(12);
    SUBL(12) = subl(11) ^ subl(13);
    SUBR(12) = subr(11) ^ subr(13);
    SUBL(13) = subl(12) ^ subl(14);
    SUBR(13) = subr(12) ^ subr(14);
    SUBL(14) = subl(13) ^ subl(15);
    SUBR(14) = subr(13) ^ subr(15);
    tl = subl(18) ^ (subr(18) & ~subr(16));
    dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
    SUBL(15) = subl(14) ^ tl;
    SUBR(15) = subr(14) ^ tr;
    SUBL(16) = subl(16);
    SUBR(16) = subr(16);
    SUBL(17) = subl(17);
    SUBR(17) = subr(17);
    tl = subl(15) ^ (subr(15) & ~subr(17));
    dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
    SUBL(18) = tl ^ subl(19);
    SUBR(18) = tr ^ subr(19);
    SUBL(19) = subl(18) ^ subl(20);
    SUBR(19) = subr(18) ^ subr(20);
    SUBL(20) = subl(19) ^ subl(21);
    SUBR(20) = subr(19) ^ subr(21);
    SUBL(21) = subl(20) ^ subl(22);
    SUBR(21) = subr(20) ^ subr(22);
    SUBL(22) = subl(21) ^ subl(23);
    SUBR(22) = subr(21) ^ subr(23);
    SUBL(23) = subl(22);
    SUBR(23) = subr(22);
    SUBL(24) = subl(24) ^ subl(23);
    SUBR(24) = subr(24) ^ subr(23);

    /* apply the inverse of the last half of P-function */
    /*
     * Only pairs 2..7, 10..15 and 18..23 are transformed; pairs 0, 8, 9,
     * 16, 17 and 24 keep the values stored above.
     */
    dw = SUBL(2) ^ SUBR(2), dw = CAMELLIA_RL8(dw);
    SUBR(2) = SUBL(2) ^ dw, SUBL(2) = dw;
    dw = SUBL(3) ^ SUBR(3), dw = CAMELLIA_RL8(dw);
    SUBR(3) = SUBL(3) ^ dw, SUBL(3) = dw;
    dw = SUBL(4) ^ SUBR(4), dw = CAMELLIA_RL8(dw);
    SUBR(4) = SUBL(4) ^ dw, SUBL(4) = dw;
    dw = SUBL(5) ^ SUBR(5), dw = CAMELLIA_RL8(dw);
    SUBR(5) = SUBL(5) ^ dw, SUBL(5) = dw;
    dw = SUBL(6) ^ SUBR(6), dw = CAMELLIA_RL8(dw);
    SUBR(6) = SUBL(6) ^ dw, SUBL(6) = dw;
    dw = SUBL(7) ^ SUBR(7), dw = CAMELLIA_RL8(dw);
    SUBR(7) = SUBL(7) ^ dw, SUBL(7) = dw;
    dw = SUBL(10) ^ SUBR(10), dw = CAMELLIA_RL8(dw);
    SUBR(10) = SUBL(10) ^ dw, SUBL(10) = dw;
    dw = SUBL(11) ^ SUBR(11), dw = CAMELLIA_RL8(dw);
    SUBR(11) = SUBL(11) ^ dw, SUBL(11) = dw;
    dw = SUBL(12) ^ SUBR(12), dw = CAMELLIA_RL8(dw);
    SUBR(12) = SUBL(12) ^ dw, SUBL(12) = dw;
    dw = SUBL(13) ^ SUBR(13), dw = CAMELLIA_RL8(dw);
    SUBR(13) = SUBL(13) ^ dw, SUBL(13) = dw;
    dw = SUBL(14) ^ SUBR(14), dw = CAMELLIA_RL8(dw);
    SUBR(14) = SUBL(14) ^ dw, SUBL(14) = dw;
    dw = SUBL(15) ^ SUBR(15), dw = CAMELLIA_RL8(dw);
    SUBR(15) = SUBL(15) ^ dw, SUBL(15) = dw;
    dw = SUBL(18) ^ SUBR(18), dw = CAMELLIA_RL8(dw);
    SUBR(18) = SUBL(18) ^ dw, SUBL(18) = dw;
    dw = SUBL(19) ^ SUBR(19), dw = CAMELLIA_RL8(dw);
    SUBR(19) = SUBL(19) ^ dw, SUBL(19) = dw;
    dw = SUBL(20) ^ SUBR(20), dw = CAMELLIA_RL8(dw);
    SUBR(20) = SUBL(20) ^ dw, SUBL(20) = dw;
    dw = SUBL(21) ^ SUBR(21), dw = CAMELLIA_RL8(dw);
    SUBR(21) = SUBL(21) ^ dw, SUBL(21) = dw;
    dw = SUBL(22) ^ SUBR(22), dw = CAMELLIA_RL8(dw);
    SUBR(22) = SUBL(22) ^ dw, SUBL(22) = dw;
    dw = SUBL(23) ^ SUBR(23), dw = CAMELLIA_RL8(dw);
    SUBR(23) = SUBL(23) ^ dw, SUBL(23) = dw;
}
641
642 void
camellia_setup256(const unsigned char * key,uint32_t * subkey)643 camellia_setup256(const unsigned char *key, uint32_t *subkey)
644 {
645 uint32_t kll,klr,krl,krr; /* left half of key */
646 uint32_t krll,krlr,krrl,krrr; /* right half of key */
647 uint32_t il, ir, t0, t1, w0, w1; /* temporary variables */
648 uint32_t kw4l, kw4r, dw, tl, tr;
649 uint32_t subL[34];
650 uint32_t subR[34];
651
652 /*
653 * key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
654 * (|| is concatination)
655 */
656
657 kll = GETU32(key );
658 klr = GETU32(key + 4);
659 krl = GETU32(key + 8);
660 krr = GETU32(key + 12);
661 krll = GETU32(key + 16);
662 krlr = GETU32(key + 20);
663 krrl = GETU32(key + 24);
664 krrr = GETU32(key + 28);
665
666 /* generate KL dependent subkeys */
667 subl(0) = kll; subr(0) = klr;
668 subl(1) = krl; subr(1) = krr;
669 CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
670 subl(12) = kll; subr(12) = klr;
671 subl(13) = krl; subr(13) = krr;
672 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
673 subl(16) = kll; subr(16) = klr;
674 subl(17) = krl; subr(17) = krr;
675 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
676 subl(22) = kll; subr(22) = klr;
677 subl(23) = krl; subr(23) = krr;
678 CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
679 subl(30) = kll; subr(30) = klr;
680 subl(31) = krl; subr(31) = krr;
681
682 /* generate KR dependent subkeys */
683 CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
684 subl(4) = krll; subr(4) = krlr;
685 subl(5) = krrl; subr(5) = krrr;
686 CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
687 subl(8) = krll; subr(8) = krlr;
688 subl(9) = krrl; subr(9) = krrr;
689 CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
690 subl(18) = krll; subr(18) = krlr;
691 subl(19) = krrl; subr(19) = krrr;
692 CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
693 subl(26) = krll; subr(26) = krlr;
694 subl(27) = krrl; subr(27) = krrr;
695 CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
696
697 /* generate KA */
698 kll = subl(0) ^ krll; klr = subr(0) ^ krlr;
699 krl = subl(1) ^ krrl; krr = subr(1) ^ krrr;
700 CAMELLIA_F(kll, klr, CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
701 w0, w1, il, ir, t0, t1);
702 krl ^= w0; krr ^= w1;
703 CAMELLIA_F(krl, krr, CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
704 kll, klr, il, ir, t0, t1);
705 kll ^= krll; klr ^= krlr;
706 CAMELLIA_F(kll, klr, CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
707 krl, krr, il, ir, t0, t1);
708 krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
709 CAMELLIA_F(krl, krr, CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
710 w0, w1, il, ir, t0, t1);
711 kll ^= w0; klr ^= w1;
712
713 /* generate KB */
714 krll ^= kll; krlr ^= klr;
715 krrl ^= krl; krrr ^= krr;
716 CAMELLIA_F(krll, krlr, CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
717 w0, w1, il, ir, t0, t1);
718 krrl ^= w0; krrr ^= w1;
719 CAMELLIA_F(krrl, krrr, CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
720 w0, w1, il, ir, t0, t1);
721 krll ^= w0; krlr ^= w1;
722
723 /* generate KA dependent subkeys */
724 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
725 subl(6) = kll; subr(6) = klr;
726 subl(7) = krl; subr(7) = krr;
727 CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
728 subl(14) = kll; subr(14) = klr;
729 subl(15) = krl; subr(15) = krr;
730 subl(24) = klr; subr(24) = krl;
731 subl(25) = krr; subr(25) = kll;
732 CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
733 subl(28) = kll; subr(28) = klr;
734 subl(29) = krl; subr(29) = krr;
735
736 /* generate KB dependent subkeys */
737 subl(2) = krll; subr(2) = krlr;
738 subl(3) = krrl; subr(3) = krrr;
739 CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
740 subl(10) = krll; subr(10) = krlr;
741 subl(11) = krrl; subr(11) = krrr;
742 CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
743 subl(20) = krll; subr(20) = krlr;
744 subl(21) = krrl; subr(21) = krrr;
745 CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
746 subl(32) = krll; subr(32) = krlr;
747 subl(33) = krrl; subr(33) = krrr;
748
749 /* absorb kw2 to other subkeys */
750 subl(3) ^= subl(1); subr(3) ^= subr(1);
751 subl(5) ^= subl(1); subr(5) ^= subr(1);
752 subl(7) ^= subl(1); subr(7) ^= subr(1);
753 subl(1) ^= subr(1) & ~subr(9);
754 dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
755 subl(11) ^= subl(1); subr(11) ^= subr(1);
756 subl(13) ^= subl(1); subr(13) ^= subr(1);
757 subl(15) ^= subl(1); subr(15) ^= subr(1);
758 subl(1) ^= subr(1) & ~subr(17);
759 dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
760 subl(19) ^= subl(1); subr(19) ^= subr(1);
761 subl(21) ^= subl(1); subr(21) ^= subr(1);
762 subl(23) ^= subl(1); subr(23) ^= subr(1);
763 subl(1) ^= subr(1) & ~subr(25);
764 dw = subl(1) & subl(25), subr(1) ^= CAMELLIA_RL1(dw);
765 subl(27) ^= subl(1); subr(27) ^= subr(1);
766 subl(29) ^= subl(1); subr(29) ^= subr(1);
767 subl(31) ^= subl(1); subr(31) ^= subr(1);
768 subl(32) ^= subl(1); subr(32) ^= subr(1);
769
770
771 /* absorb kw4 to other subkeys */
772 kw4l = subl(33); kw4r = subr(33);
773 subl(30) ^= kw4l; subr(30) ^= kw4r;
774 subl(28) ^= kw4l; subr(28) ^= kw4r;
775 subl(26) ^= kw4l; subr(26) ^= kw4r;
776 kw4l ^= kw4r & ~subr(24);
777 dw = kw4l & subl(24), kw4r ^= CAMELLIA_RL1(dw);
778 subl(22) ^= kw4l; subr(22) ^= kw4r;
779 subl(20) ^= kw4l; subr(20) ^= kw4r;
780 subl(18) ^= kw4l; subr(18) ^= kw4r;
781 kw4l ^= kw4r & ~subr(16);
782 dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
783 subl(14) ^= kw4l; subr(14) ^= kw4r;
784 subl(12) ^= kw4l; subr(12) ^= kw4r;
785 subl(10) ^= kw4l; subr(10) ^= kw4r;
786 kw4l ^= kw4r & ~subr(8);
787 dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
788 subl(6) ^= kw4l; subr(6) ^= kw4r;
789 subl(4) ^= kw4l; subr(4) ^= kw4r;
790 subl(2) ^= kw4l; subr(2) ^= kw4r;
791 subl(0) ^= kw4l; subr(0) ^= kw4r;
792
793 /* key XOR is end of F-function */
794 SUBL(0) = subl(0) ^ subl(2);
795 SUBR(0) = subr(0) ^ subr(2);
796 SUBL(2) = subl(3);
797 SUBR(2) = subr(3);
798 SUBL(3) = subl(2) ^ subl(4);
799 SUBR(3) = subr(2) ^ subr(4);
800 SUBL(4) = subl(3) ^ subl(5);
801 SUBR(4) = subr(3) ^ subr(5);
802 SUBL(5) = subl(4) ^ subl(6);
803 SUBR(5) = subr(4) ^ subr(6);
804 SUBL(6) = subl(5) ^ subl(7);
805 SUBR(6) = subr(5) ^ subr(7);
806 tl = subl(10) ^ (subr(10) & ~subr(8));
807 dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
808 SUBL(7) = subl(6) ^ tl;
809 SUBR(7) = subr(6) ^ tr;
810 SUBL(8) = subl(8);
811 SUBR(8) = subr(8);
812 SUBL(9) = subl(9);
813 SUBR(9) = subr(9);
814 tl = subl(7) ^ (subr(7) & ~subr(9));
815 dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
816 SUBL(10) = tl ^ subl(11);
817 SUBR(10) = tr ^ subr(11);
818 SUBL(11) = subl(10) ^ subl(12);
819 SUBR(11) = subr(10) ^ subr(12);
820 SUBL(12) = subl(11) ^ subl(13);
821 SUBR(12) = subr(11) ^ subr(13);
822 SUBL(13) = subl(12) ^ subl(14);
823 SUBR(13) = subr(12) ^ subr(14);
824 SUBL(14) = subl(13) ^ subl(15);
825 SUBR(14) = subr(13) ^ subr(15);
826 tl = subl(18) ^ (subr(18) & ~subr(16));
827 dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
828 SUBL(15) = subl(14) ^ tl;
829 SUBR(15) = subr(14) ^ tr;
830 SUBL(16) = subl(16);
831 SUBR(16) = subr(16);
832 SUBL(17) = subl(17);
833 SUBR(17) = subr(17);
834 tl = subl(15) ^ (subr(15) & ~subr(17));
835 dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
836 SUBL(18) = tl ^ subl(19);
837 SUBR(18) = tr ^ subr(19);
838 SUBL(19) = subl(18) ^ subl(20);
839 SUBR(19) = subr(18) ^ subr(20);
840 SUBL(20) = subl(19) ^ subl(21);
841 SUBR(20) = subr(19) ^ subr(21);
842 SUBL(21) = subl(20) ^ subl(22);
843 SUBR(21) = subr(20) ^ subr(22);
844 SUBL(22) = subl(21) ^ subl(23);
845 SUBR(22) = subr(21) ^ subr(23);
846 tl = subl(26) ^ (subr(26) & ~subr(24));
847 dw = tl & subl(24), tr = subr(26) ^ CAMELLIA_RL1(dw);
848 SUBL(23) = subl(22) ^ tl;
849 SUBR(23) = subr(22) ^ tr;
850 SUBL(24) = subl(24);
851 SUBR(24) = subr(24);
852 SUBL(25) = subl(25);
853 SUBR(25) = subr(25);
854 tl = subl(23) ^ (subr(23) & ~subr(25));
855 dw = tl & subl(25), tr = subr(23) ^ CAMELLIA_RL1(dw);
856 SUBL(26) = tl ^ subl(27);
857 SUBR(26) = tr ^ subr(27);
858 SUBL(27) = subl(26) ^ subl(28);
859 SUBR(27) = subr(26) ^ subr(28);
860 SUBL(28) = subl(27) ^ subl(29);
861 SUBR(28) = subr(27) ^ subr(29);
862 SUBL(29) = subl(28) ^ subl(30);
863 SUBR(29) = subr(28) ^ subr(30);
864 SUBL(30) = subl(29) ^ subl(31);
865 SUBR(30) = subr(29) ^ subr(31);
866 SUBL(31) = subl(30);
867 SUBR(31) = subr(30);
868 SUBL(32) = subl(32) ^ subl(31);
869 SUBR(32) = subr(32) ^ subr(31);
870
871 /* apply the inverse of the last half of P-function */
872 dw = SUBL(2) ^ SUBR(2), dw = CAMELLIA_RL8(dw);
873 SUBR(2) = SUBL(2) ^ dw, SUBL(2) = dw;
874 dw = SUBL(3) ^ SUBR(3), dw = CAMELLIA_RL8(dw);
875 SUBR(3) = SUBL(3) ^ dw, SUBL(3) = dw;
876 dw = SUBL(4) ^ SUBR(4), dw = CAMELLIA_RL8(dw);
877 SUBR(4) = SUBL(4) ^ dw, SUBL(4) = dw;
878 dw = SUBL(5) ^ SUBR(5), dw = CAMELLIA_RL8(dw);
879 SUBR(5) = SUBL(5) ^ dw, SUBL(5) = dw;
880 dw = SUBL(6) ^ SUBR(6), dw = CAMELLIA_RL8(dw);
881 SUBR(6) = SUBL(6) ^ dw, SUBL(6) = dw;
882 dw = SUBL(7) ^ SUBR(7), dw = CAMELLIA_RL8(dw);
883 SUBR(7) = SUBL(7) ^ dw, SUBL(7) = dw;
884 dw = SUBL(10) ^ SUBR(10), dw = CAMELLIA_RL8(dw);
885 SUBR(10) = SUBL(10) ^ dw, SUBL(10) = dw;
886 dw = SUBL(11) ^ SUBR(11), dw = CAMELLIA_RL8(dw);
887 SUBR(11) = SUBL(11) ^ dw, SUBL(11) = dw;
888 dw = SUBL(12) ^ SUBR(12), dw = CAMELLIA_RL8(dw);
889 SUBR(12) = SUBL(12) ^ dw, SUBL(12) = dw;
890 dw = SUBL(13) ^ SUBR(13), dw = CAMELLIA_RL8(dw);
891 SUBR(13) = SUBL(13) ^ dw, SUBL(13) = dw;
892 dw = SUBL(14) ^ SUBR(14), dw = CAMELLIA_RL8(dw);
893 SUBR(14) = SUBL(14) ^ dw, SUBL(14) = dw;
894 dw = SUBL(15) ^ SUBR(15), dw = CAMELLIA_RL8(dw);
895 SUBR(15) = SUBL(15) ^ dw, SUBL(15) = dw;
896 dw = SUBL(18) ^ SUBR(18), dw = CAMELLIA_RL8(dw);
897 SUBR(18) = SUBL(18) ^ dw, SUBL(18) = dw;
898 dw = SUBL(19) ^ SUBR(19), dw = CAMELLIA_RL8(dw);
899 SUBR(19) = SUBL(19) ^ dw, SUBL(19) = dw;
900 dw = SUBL(20) ^ SUBR(20), dw = CAMELLIA_RL8(dw);
901 SUBR(20) = SUBL(20) ^ dw, SUBL(20) = dw;
902 dw = SUBL(21) ^ SUBR(21), dw = CAMELLIA_RL8(dw);
903 SUBR(21) = SUBL(21) ^ dw, SUBL(21) = dw;
904 dw = SUBL(22) ^ SUBR(22), dw = CAMELLIA_RL8(dw);
905 SUBR(22) = SUBL(22) ^ dw, SUBL(22) = dw;
906 dw = SUBL(23) ^ SUBR(23), dw = CAMELLIA_RL8(dw);
907 SUBR(23) = SUBL(23) ^ dw, SUBL(23) = dw;
908 dw = SUBL(26) ^ SUBR(26), dw = CAMELLIA_RL8(dw);
909 SUBR(26) = SUBL(26) ^ dw, SUBL(26) = dw;
910 dw = SUBL(27) ^ SUBR(27), dw = CAMELLIA_RL8(dw);
911 SUBR(27) = SUBL(27) ^ dw, SUBL(27) = dw;
912 dw = SUBL(28) ^ SUBR(28), dw = CAMELLIA_RL8(dw);
913 SUBR(28) = SUBL(28) ^ dw, SUBL(28) = dw;
914 dw = SUBL(29) ^ SUBR(29), dw = CAMELLIA_RL8(dw);
915 SUBR(29) = SUBL(29) ^ dw, SUBL(29) = dw;
916 dw = SUBL(30) ^ SUBR(30), dw = CAMELLIA_RL8(dw);
917 SUBR(30) = SUBL(30) ^ dw, SUBL(30) = dw;
918 dw = SUBL(31) ^ SUBR(31), dw = CAMELLIA_RL8(dw);
919 SUBR(31) = SUBL(31) ^ dw, SUBL(31) = dw;
920 }
921
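/*
 * Expand a 192-bit key into the Camellia subkey table.
 *
 * The 24 key bytes are padded to 32 bytes by appending the bitwise
 * complement of key bytes 16..23, and the padded key is handed to
 * camellia_setup256().
 *
 * key    - 24 bytes of raw key material (read only).
 * subkey - table filled in by camellia_setup256(); its required size is
 *          fixed by that function and is not visible from here.
 */
void
camellia_setup192(const unsigned char *key, uint32_t *subkey)
{
	unsigned char kk[32];
	volatile unsigned char *wipe = kk;
	size_t i;

	memcpy(kk, key, 24);
	/*
	 * A bitwise complement does not depend on host byte order, so it is
	 * done byte by byte; no extra word-sized copies of key material are
	 * created on the stack.
	 */
	for (i = 0; i < 8; i++)
		kk[24 + i] = (unsigned char)~key[16 + i];

	camellia_setup256(kk, subkey);

	/*
	 * kk is a stack copy of the raw key.  Overwrite it before returning;
	 * the volatile-qualified pointer keeps the compiler from discarding
	 * the stores as dead writes.
	 */
	for (i = 0; i < sizeof(kk); i++)
		wipe[i] = 0;
}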
937
938
939 /**
940 * Stuff related to camellia encryption/decryption
941 */
/*
 * Encrypt one block in place using a 128-bit-key subkey table.
 *
 * io holds the block as four 32-bit words and is overwritten with the
 * result.  Subkeys are read through SUBL()/SUBR() in ascending index
 * order: whitening with index 0, three groups of six CAMELLIA_ROUNDSM
 * steps (indices 2-7, 10-15, 18-23) separated by CAMELLIA_FLS with
 * indices 8/9 and 16/17, then whitening with index 24 and a swap of the
 * two halves.
 */
void
camellia_encrypt128(const uint32_t *subkey, uint32_t *io)
{
	uint32_t il;
	uint32_t ir;
	uint32_t t0;
	uint32_t t1;
	uint32_t w0;
	uint32_t w1;

	/* input whitening (index 0) */
	io[0] ^= SUBL(0);
	io[1] ^= SUBR(0);

	/* rounds 1-6 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(2), SUBR(2),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(3), SUBR(3),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(4), SUBR(4),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(5), SUBR(5),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(6), SUBR(6),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(7), SUBR(7),
	    io[0], io[1], il, ir, t0, t1);

	CAMELLIA_FLS(io[0], io[1], io[2], io[3],
	    SUBL(8), SUBR(8), SUBL(9), SUBR(9),
	    t0, t1, il, ir);

	/* rounds 7-12 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(10), SUBR(10),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(11), SUBR(11),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(12), SUBR(12),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(13), SUBR(13),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(14), SUBR(14),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(15), SUBR(15),
	    io[0], io[1], il, ir, t0, t1);

	CAMELLIA_FLS(io[0], io[1], io[2], io[3],
	    SUBL(16), SUBR(16), SUBL(17), SUBR(17),
	    t0, t1, il, ir);

	/* rounds 13-18 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(18), SUBR(18),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(19), SUBR(19),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(20), SUBR(20),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(21), SUBR(21),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(22), SUBR(22),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(23), SUBR(23),
	    io[0], io[1], il, ir, t0, t1);

	/* output whitening (index 24) */
	io[2] ^= SUBL(24);
	io[3] ^= SUBR(24);

	/* exchange the two 64-bit halves of the block */
	w0 = io[0];
	w1 = io[1];
	io[0] = io[2];
	io[1] = io[3];
	io[2] = w0;
	io[3] = w1;
}
1008
/*
 * Decrypt one block in place using a 128-bit-key subkey table.
 *
 * Mirror image of camellia_encrypt128(): the same subkey table is walked
 * in descending index order (whitening with index 24, rounds 23-18,
 * CAMELLIA_FLS with 17/16, rounds 15-10, CAMELLIA_FLS with 9/8,
 * rounds 7-2, whitening with index 0), followed by a swap of the two
 * halves.  io is four 32-bit words and is overwritten.
 */
void
camellia_decrypt128(const uint32_t *subkey, uint32_t *io)
{
	uint32_t il;
	uint32_t ir;
	uint32_t t0;
	uint32_t t1;
	uint32_t w0;
	uint32_t w1;

	/* input whitening (index 24) */
	io[0] ^= SUBL(24);
	io[1] ^= SUBR(24);

	/* subkeys 23 down to 18 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(23), SUBR(23),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(22), SUBR(22),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(21), SUBR(21),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(20), SUBR(20),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(19), SUBR(19),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(18), SUBR(18),
	    io[0], io[1], il, ir, t0, t1);

	CAMELLIA_FLS(io[0], io[1], io[2], io[3],
	    SUBL(17), SUBR(17), SUBL(16), SUBR(16),
	    t0, t1, il, ir);

	/* subkeys 15 down to 10 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(15), SUBR(15),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(14), SUBR(14),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(13), SUBR(13),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(12), SUBR(12),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(11), SUBR(11),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(10), SUBR(10),
	    io[0], io[1], il, ir, t0, t1);

	CAMELLIA_FLS(io[0], io[1], io[2], io[3],
	    SUBL(9), SUBR(9), SUBL(8), SUBR(8),
	    t0, t1, il, ir);

	/* subkeys 7 down to 2 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(7), SUBR(7),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(6), SUBR(6),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(5), SUBR(5),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(4), SUBR(4),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(3), SUBR(3),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(2), SUBR(2),
	    io[0], io[1], il, ir, t0, t1);

	/* output whitening (index 0) */
	io[2] ^= SUBL(0);
	io[3] ^= SUBR(0);

	/* exchange the two 64-bit halves of the block */
	w0 = io[0];
	w1 = io[1];
	io[0] = io[2];
	io[1] = io[3];
	io[2] = w0;
	io[3] = w1;
}
1075
1076 /**
1077 * stuff for 192 and 256bit encryption/decryption
1078 */
/*
 * Encrypt one block in place using the longer subkey table that
 * Camellia_EncryptBlock() selects for 192- and 256-bit keys.
 *
 * io holds the block as four 32-bit words and is overwritten.  Subkeys
 * are read in ascending index order: whitening with index 0, four groups
 * of six CAMELLIA_ROUNDSM steps (indices 2-7, 10-15, 18-23, 26-31)
 * separated by CAMELLIA_FLS with indices 8/9, 16/17 and 24/25, then
 * whitening with index 32 and a swap of the two halves.
 */
void
camellia_encrypt256(const uint32_t *subkey, uint32_t *io)
{
	uint32_t il;
	uint32_t ir;
	uint32_t t0;
	uint32_t t1;
	uint32_t w0;
	uint32_t w1;

	/* input whitening (index 0) */
	io[0] ^= SUBL(0);
	io[1] ^= SUBR(0);

	/* rounds 1-6 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(2), SUBR(2),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(3), SUBR(3),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(4), SUBR(4),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(5), SUBR(5),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(6), SUBR(6),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(7), SUBR(7),
	    io[0], io[1], il, ir, t0, t1);

	CAMELLIA_FLS(io[0], io[1], io[2], io[3],
	    SUBL(8), SUBR(8), SUBL(9), SUBR(9),
	    t0, t1, il, ir);

	/* rounds 7-12 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(10), SUBR(10),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(11), SUBR(11),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(12), SUBR(12),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(13), SUBR(13),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(14), SUBR(14),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(15), SUBR(15),
	    io[0], io[1], il, ir, t0, t1);

	CAMELLIA_FLS(io[0], io[1], io[2], io[3],
	    SUBL(16), SUBR(16), SUBL(17), SUBR(17),
	    t0, t1, il, ir);

	/* rounds 13-18 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(18), SUBR(18),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(19), SUBR(19),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(20), SUBR(20),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(21), SUBR(21),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(22), SUBR(22),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(23), SUBR(23),
	    io[0], io[1], il, ir, t0, t1);

	CAMELLIA_FLS(io[0], io[1], io[2], io[3],
	    SUBL(24), SUBR(24), SUBL(25), SUBR(25),
	    t0, t1, il, ir);

	/* rounds 19-24 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(26), SUBR(26),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(27), SUBR(27),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(28), SUBR(28),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(29), SUBR(29),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(30), SUBR(30),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(31), SUBR(31),
	    io[0], io[1], il, ir, t0, t1);

	/* output whitening (index 32) */
	io[2] ^= SUBL(32);
	io[3] ^= SUBR(32);

	/* exchange the two 64-bit halves of the block */
	w0 = io[0];
	w1 = io[1];
	io[0] = io[2];
	io[1] = io[3];
	io[2] = w0;
	io[3] = w1;
}
1161
/*
 * Decrypt one block in place using the longer subkey table that
 * Camellia_DecryptBlock() selects for 192- and 256-bit keys.
 *
 * Mirror image of camellia_encrypt256(): the subkey table is walked in
 * descending index order (whitening with index 32, rounds 31-26,
 * CAMELLIA_FLS with 25/24, rounds 23-18, CAMELLIA_FLS with 17/16,
 * rounds 15-10, CAMELLIA_FLS with 9/8, rounds 7-2, whitening with
 * index 0), followed by a swap of the two halves.  io is four 32-bit
 * words and is overwritten.
 */
void
camellia_decrypt256(const uint32_t *subkey, uint32_t *io)
{
	uint32_t il;
	uint32_t ir;
	uint32_t t0;
	uint32_t t1;
	uint32_t w0;
	uint32_t w1;

	/* input whitening (index 32) */
	io[0] ^= SUBL(32);
	io[1] ^= SUBR(32);

	/* subkeys 31 down to 26 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(31), SUBR(31),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(30), SUBR(30),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(29), SUBR(29),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(28), SUBR(28),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(27), SUBR(27),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(26), SUBR(26),
	    io[0], io[1], il, ir, t0, t1);

	CAMELLIA_FLS(io[0], io[1], io[2], io[3],
	    SUBL(25), SUBR(25), SUBL(24), SUBR(24),
	    t0, t1, il, ir);

	/* subkeys 23 down to 18 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(23), SUBR(23),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(22), SUBR(22),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(21), SUBR(21),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(20), SUBR(20),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(19), SUBR(19),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(18), SUBR(18),
	    io[0], io[1], il, ir, t0, t1);

	CAMELLIA_FLS(io[0], io[1], io[2], io[3],
	    SUBL(17), SUBR(17), SUBL(16), SUBR(16),
	    t0, t1, il, ir);

	/* subkeys 15 down to 10 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(15), SUBR(15),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(14), SUBR(14),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(13), SUBR(13),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(12), SUBR(12),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(11), SUBR(11),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(10), SUBR(10),
	    io[0], io[1], il, ir, t0, t1);

	CAMELLIA_FLS(io[0], io[1], io[2], io[3],
	    SUBL(9), SUBR(9), SUBL(8), SUBR(8),
	    t0, t1, il, ir);

	/* subkeys 7 down to 2 */
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(7), SUBR(7),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(6), SUBR(6),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(5), SUBR(5),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(4), SUBR(4),
	    io[0], io[1], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[0], io[1], SUBL(3), SUBR(3),
	    io[2], io[3], il, ir, t0, t1);
	CAMELLIA_ROUNDSM(io[2], io[3], SUBL(2), SUBR(2),
	    io[0], io[1], il, ir, t0, t1);

	/* output whitening (index 0) */
	io[2] ^= SUBL(0);
	io[3] ^= SUBR(0);

	/* exchange the two 64-bit halves of the block */
	w0 = io[0];
	w1 = io[1];
	io[0] = io[2];
	io[1] = io[3];
	io[2] = w0;
	io[3] = w1;
}
1244
/*
 * Build the subkey table for a raw key of 128, 192 or 256 bits by
 * dispatching to the matching camellia_setup*() routine.
 *
 * keyBitLength - key size in bits; asserted to be 128, 192 or 256.
 * rawKey       - raw key bytes, passed through to the setup routine.
 * subkey       - table the setup routine fills in.
 *
 * Any other keyBitLength falls through without writing subkey.  When the
 * KASSERT is compiled out (assert() under NDEBUG in userland; presumably
 * a kernel built without assertion checking -- confirm), that is silent,
 * so callers should validate the key length themselves before relying on
 * the table.
 */
void
Camellia_Ekeygen(const int keyBitLength,
    const unsigned char *rawKey,
    uint32_t *subkey)
{
	KASSERT(keyBitLength == 128 || keyBitLength == 192 || keyBitLength == 256,
	    ("Invalid key size (%d).", keyBitLength));

	if (keyBitLength == 128) {
		camellia_setup128(rawKey, subkey);
	} else if (keyBitLength == 192) {
		camellia_setup192(rawKey, subkey);
	} else if (keyBitLength == 256) {
		camellia_setup256(rawKey, subkey);
	}
	/* unsupported length: subkey is left as the caller passed it */
}
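/*
 * Encrypt one 16-byte block.
 *
 * keyBitLength - 128, 192 or 256; selects the round function.  192 and
 *                256 both use camellia_encrypt256().
 * plaintext    - 16 input bytes, loaded as four words with GETU32().
 * subkey       - subkey table for the same key length (see
 *                Camellia_Ekeygen()).
 * ciphertext   - receives 16 output bytes via PUTU32().
 *
 * The key length is asserted here the same way Camellia_Ekeygen() does.
 * Without the check an unsupported length skips every round and the
 * words loaded from plaintext are stored to ciphertext unchanged.  When
 * KASSERT is compiled out that fall-through is still reachable, so
 * callers must validate keyBitLength before trusting the output.
 */
void
Camellia_EncryptBlock(const int keyBitLength,
    const unsigned char *plaintext,
    const uint32_t *subkey,
    unsigned char *ciphertext)
{
	uint32_t tmp[4];

	KASSERT(keyBitLength == 128 || keyBitLength == 192 || keyBitLength == 256,
	    ("Invalid key size (%d).", keyBitLength));

	tmp[0] = GETU32(plaintext);
	tmp[1] = GETU32(plaintext + 4);
	tmp[2] = GETU32(plaintext + 8);
	tmp[3] = GETU32(plaintext + 12);

	switch (keyBitLength) {
	case 128:
		camellia_encrypt128(subkey, tmp);
		break;
	case 192:
		/* fall through */
	case 256:
		camellia_encrypt256(subkey, tmp);
		break;
	default:
		/* only reachable when the assertion above is compiled out */
		break;
	}

	PUTU32(ciphertext, tmp[0]);
	PUTU32(ciphertext + 4, tmp[1]);
	PUTU32(ciphertext + 8, tmp[2]);
	PUTU32(ciphertext + 12, tmp[3]);
}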
1298
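/*
 * Decrypt one 16-byte block.
 *
 * keyBitLength - 128, 192 or 256; selects the round function.  192 and
 *                256 both use camellia_decrypt256().
 * ciphertext   - 16 input bytes, loaded as four words with GETU32().
 * subkey       - subkey table for the same key length (see
 *                Camellia_Ekeygen()).
 * plaintext    - receives 16 output bytes via PUTU32().
 *
 * The key length is asserted here the same way Camellia_Ekeygen() does.
 * Without the check an unsupported length skips every round and the
 * input bytes are stored to plaintext unchanged.  When KASSERT is
 * compiled out that fall-through is still reachable, so callers must
 * validate keyBitLength before trusting the output.
 */
void
Camellia_DecryptBlock(const int keyBitLength,
    const unsigned char *ciphertext,
    const uint32_t *subkey,
    unsigned char *plaintext)
{
	uint32_t tmp[4];

	KASSERT(keyBitLength == 128 || keyBitLength == 192 || keyBitLength == 256,
	    ("Invalid key size (%d).", keyBitLength));

	tmp[0] = GETU32(ciphertext);
	tmp[1] = GETU32(ciphertext + 4);
	tmp[2] = GETU32(ciphertext + 8);
	tmp[3] = GETU32(ciphertext + 12);

	switch (keyBitLength) {
	case 128:
		camellia_decrypt128(subkey, tmp);
		break;
	case 192:
		/* fall through */
	case 256:
		camellia_decrypt256(subkey, tmp);
		break;
	default:
		/* only reachable when the assertion above is compiled out */
		break;
	}

	PUTU32(plaintext, tmp[0]);
	PUTU32(plaintext + 4, tmp[1]);
	PUTU32(plaintext + 8, tmp[2]);
	PUTU32(plaintext + 12, tmp[3]);
}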
1330