xref: /freebsd/sys/crypto/camellia/camellia.c (revision f39bffc62c1395bde25d152c7f68fdf7cbaab414)
1 /* camellia.h ver 1.1.0
2  *
3  * Copyright (c) 2006
4  * NTT (Nippon Telegraph and Telephone Corporation) . All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *   notice, this list of conditions and the following disclaimer as
11  *   the first lines of this file unmodified.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *   notice, this list of conditions and the following disclaimer in the
14  *   documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY NTT ``AS IS'' AND ANY EXPRESS OR
17  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19  * IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT,
20  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26  *
27  * $FreeBSD$
28  */
29 
30 /*
31  * Algorithm Specification
32  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
33  */
34 
35 #include <sys/cdefs.h>
36 #include <sys/types.h>
37 #include <sys/endian.h>
38 #ifdef _KERNEL
39 #include <sys/systm.h>
40 #else
41 #include <string.h>
42 #include <assert.h>
43 #define KASSERT(exp, msg) assert(exp)
44 #endif
45 
46 #include <crypto/camellia/camellia.h>
47 
48 
49 /* key constants */
50 
51 #define CAMELLIA_SIGMA1L (0xA09E667FL)
52 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
53 #define CAMELLIA_SIGMA2L (0xB67AE858L)
54 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
55 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
56 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
57 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
58 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
59 #define CAMELLIA_SIGMA5L (0x10E527FAL)
60 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
61 #define CAMELLIA_SIGMA6L (0xB05688C2L)
62 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
63 
64 /*
65  *  macros
66  */
67 #define GETU32(pt) (((uint32_t)(pt)[0] << 24)		\
68 		     ^ ((uint32_t)(pt)[1] << 16)	\
69 		     ^ ((uint32_t)(pt)[2] <<  8)	\
70 		     ^ ((uint32_t)(pt)[3]))
71 
72 #define PUTU32(ct, st) {(ct)[0] = (uint8_t)((st) >> 24);	\
73 			(ct)[1] = (uint8_t)((st) >> 16);	\
74 			(ct)[2] = (uint8_t)((st) >>  8);	\
75 			(ct)[3] = (uint8_t)(st);}
76 
77 #define SUBL(INDEX) (subkey[(INDEX)*2+1])
78 #define SUBR(INDEX) (subkey[(INDEX)*2])
79 
80 #define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24))
81 #define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
82 #define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24))
83 
84 #define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits)	\
85     do {						\
86 	w0 = ll;					\
87 	ll = (ll << bits) + (lr >> (32 - bits));	\
88 	lr = (lr << bits) + (rl >> (32 - bits));	\
89 	rl = (rl << bits) + (rr >> (32 - bits));	\
90 	rr = (rr << bits) + (w0 >> (32 - bits));	\
91     } while(0)
92 
93 #define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits)	\
94     do {						\
95 	w0 = ll;					\
96 	w1 = lr;					\
97 	ll = (lr << (bits - 32)) + (rl >> (64 - bits));	\
98 	lr = (rl << (bits - 32)) + (rr >> (64 - bits));	\
99 	rl = (rr << (bits - 32)) + (w0 >> (64 - bits));	\
100 	rr = (w0 << (bits - 32)) + (w1 >> (64 - bits));	\
101     } while(0)
102 
103 #define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)])
104 #define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)])
105 #define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)])
106 #define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)])
107 
108 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)	\
109     do {							\
110 	il = xl ^ kl;						\
111 	ir = xr ^ kr;						\
112 	t0 = il >> 16;						\
113 	t1 = ir >> 16;						\
114 	yl = CAMELLIA_SP1110(ir & 0xff)				\
115 	    ^ CAMELLIA_SP0222((t1 >> 8) & 0xff)			\
116 	    ^ CAMELLIA_SP3033(t1 & 0xff)			\
117 	    ^ CAMELLIA_SP4404((ir >> 8) & 0xff);		\
118 	yr = CAMELLIA_SP1110((t0 >> 8) & 0xff)			\
119 	    ^ CAMELLIA_SP0222(t0 & 0xff)			\
120 	    ^ CAMELLIA_SP3033((il >> 8) & 0xff)			\
121 	    ^ CAMELLIA_SP4404(il & 0xff);			\
122 	yl ^= yr;						\
123 	yr = CAMELLIA_RR8(yr);					\
124 	yr ^= yl;						\
125     } while(0)
126 
127 
128 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
129     do {								\
130 	t0 = kll;							\
131 	t2 = krr;							\
132 	t0 &= ll;							\
133 	t2 |= rr;							\
134 	rl ^= t2;							\
135 	lr ^= CAMELLIA_RL1(t0);						\
136 	t3 = krl;							\
137 	t1 = klr;							\
138 	t3 &= rl;							\
139 	t1 |= lr;							\
140 	ll ^= t1;							\
141 	rr ^= CAMELLIA_RL1(t3);						\
142     } while(0)
143 
144 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)	\
145     do {								\
146 	ir =  CAMELLIA_SP1110(xr & 0xff);				\
147 	il =  CAMELLIA_SP1110((xl>>24) & 0xff);				\
148 	ir ^= CAMELLIA_SP0222((xr>>24) & 0xff);				\
149 	il ^= CAMELLIA_SP0222((xl>>16) & 0xff);				\
150 	ir ^= CAMELLIA_SP3033((xr>>16) & 0xff);				\
151 	il ^= CAMELLIA_SP3033((xl>>8) & 0xff);				\
152 	ir ^= CAMELLIA_SP4404((xr>>8) & 0xff);				\
153 	il ^= CAMELLIA_SP4404(xl & 0xff);				\
154 	il ^= kl;							\
155 	ir ^= kr;							\
156 	ir ^= il;							\
157 	il = CAMELLIA_RR8(il);						\
158 	il ^= ir;							\
159 	yl ^= ir;							\
160 	yr ^= il;							\
161     } while(0)
162 
163 
164 static const uint32_t camellia_sp1110[256] = {
165     0x70707000,0x82828200,0x2c2c2c00,0xececec00,
166     0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
167     0xe4e4e400,0x85858500,0x57575700,0x35353500,
168     0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
169     0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
170     0x45454500,0x19191900,0xa5a5a500,0x21212100,
171     0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
172     0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
173     0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
174     0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
175     0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
176     0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
177     0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
178     0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
179     0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
180     0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
181     0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
182     0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
183     0x74747400,0x12121200,0x2b2b2b00,0x20202000,
184     0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
185     0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
186     0x34343400,0x7e7e7e00,0x76767600,0x05050500,
187     0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
188     0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
189     0x14141400,0x58585800,0x3a3a3a00,0x61616100,
190     0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
191     0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
192     0x53535300,0x18181800,0xf2f2f200,0x22222200,
193     0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
194     0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
195     0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
196     0x60606000,0xfcfcfc00,0x69696900,0x50505000,
197     0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
198     0xa1a1a100,0x89898900,0x62626200,0x97979700,
199     0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
200     0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
201     0x10101000,0xc4c4c400,0x00000000,0x48484800,
202     0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
203     0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
204     0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
205     0x87878700,0x5c5c5c00,0x83838300,0x02020200,
206     0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
207     0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
208     0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
209     0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
210     0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
211     0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
212     0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
213     0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
214     0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
215     0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
216     0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
217     0x78787800,0x98989800,0x06060600,0x6a6a6a00,
218     0xe7e7e700,0x46464600,0x71717100,0xbababa00,
219     0xd4d4d400,0x25252500,0xababab00,0x42424200,
220     0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
221     0x72727200,0x07070700,0xb9b9b900,0x55555500,
222     0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
223     0x36363600,0x49494900,0x2a2a2a00,0x68686800,
224     0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
225     0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
226     0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
227     0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
228     0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
229 };
230 
231 static const uint32_t camellia_sp0222[256] = {
232     0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
233     0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
234     0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
235     0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
236     0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
237     0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
238     0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
239     0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
240     0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
241     0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
242     0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
243     0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
244     0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
245     0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
246     0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
247     0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
248     0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
249     0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
250     0x00e8e8e8,0x00242424,0x00565656,0x00404040,
251     0x00e1e1e1,0x00636363,0x00090909,0x00333333,
252     0x00bfbfbf,0x00989898,0x00979797,0x00858585,
253     0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
254     0x00dadada,0x006f6f6f,0x00535353,0x00626262,
255     0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
256     0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
257     0x00bdbdbd,0x00363636,0x00222222,0x00383838,
258     0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
259     0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
260     0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
261     0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
262     0x00484848,0x00101010,0x00d1d1d1,0x00515151,
263     0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
264     0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
265     0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
266     0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
267     0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
268     0x00202020,0x00898989,0x00000000,0x00909090,
269     0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
270     0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
271     0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
272     0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
273     0x009b9b9b,0x00949494,0x00212121,0x00666666,
274     0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
275     0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
276     0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
277     0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
278     0x00030303,0x002d2d2d,0x00dedede,0x00969696,
279     0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
280     0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
281     0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
282     0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
283     0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
284     0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
285     0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
286     0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
287     0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
288     0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
289     0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
290     0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
291     0x00787878,0x00707070,0x00e3e3e3,0x00494949,
292     0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
293     0x00777777,0x00939393,0x00868686,0x00838383,
294     0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
295     0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
296 };
297 
298 static const uint32_t camellia_sp3033[256] = {
299     0x38003838,0x41004141,0x16001616,0x76007676,
300     0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
301     0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
302     0x75007575,0x06000606,0x57005757,0xa000a0a0,
303     0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
304     0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
305     0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
306     0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
307     0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
308     0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
309     0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
310     0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
311     0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
312     0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
313     0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
314     0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
315     0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
316     0xfd00fdfd,0x66006666,0x58005858,0x96009696,
317     0x3a003a3a,0x09000909,0x95009595,0x10001010,
318     0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
319     0xef00efef,0x26002626,0xe500e5e5,0x61006161,
320     0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
321     0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
322     0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
323     0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
324     0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
325     0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
326     0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
327     0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
328     0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
329     0x12001212,0x04000404,0x74007474,0x54005454,
330     0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
331     0x55005555,0x68006868,0x50005050,0xbe00bebe,
332     0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
333     0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
334     0x70007070,0xff00ffff,0x32003232,0x69006969,
335     0x08000808,0x62006262,0x00000000,0x24002424,
336     0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
337     0x45004545,0x81008181,0x73007373,0x6d006d6d,
338     0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
339     0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
340     0xe600e6e6,0x25002525,0x48004848,0x99009999,
341     0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
342     0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
343     0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
344     0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
345     0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
346     0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
347     0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
348     0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
349     0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
350     0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
351     0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
352     0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
353     0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
354     0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
355     0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
356     0x7c007c7c,0x77007777,0x56005656,0x05000505,
357     0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
358     0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
359     0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
360     0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
361     0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
362     0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
363 };
364 
365 static const uint32_t camellia_sp4404[256] = {
366     0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
367     0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
368     0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
369     0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
370     0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
371     0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
372     0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
373     0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
374     0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
375     0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
376     0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
377     0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
378     0x14140014,0x3a3a003a,0xdede00de,0x11110011,
379     0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
380     0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
381     0x24240024,0xe8e800e8,0x60600060,0x69690069,
382     0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
383     0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
384     0x10100010,0x00000000,0xa3a300a3,0x75750075,
385     0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
386     0x87870087,0x83830083,0xcdcd00cd,0x90900090,
387     0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
388     0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
389     0x81810081,0x6f6f006f,0x13130013,0x63630063,
390     0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
391     0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
392     0x78780078,0x06060006,0xe7e700e7,0x71710071,
393     0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
394     0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
395     0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
396     0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
397     0x15150015,0xadad00ad,0x77770077,0x80800080,
398     0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
399     0x85850085,0x35350035,0x0c0c000c,0x41410041,
400     0xefef00ef,0x93930093,0x19190019,0x21210021,
401     0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
402     0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
403     0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
404     0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
405     0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
406     0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
407     0x12120012,0x20200020,0xb1b100b1,0x99990099,
408     0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
409     0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
410     0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
411     0x0f0f000f,0x16160016,0x18180018,0x22220022,
412     0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
413     0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
414     0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
415     0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
416     0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
417     0x03030003,0xdada00da,0x3f3f003f,0x94940094,
418     0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
419     0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
420     0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
421     0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
422     0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
423     0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
424     0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
425     0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
426     0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
427     0x49490049,0x68680068,0x38380038,0xa4a400a4,
428     0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
429     0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
430 };
431 
432 
433 /*
434  * Stuff related to the Camellia key schedule
435  */
436 #define subl(x) subL[(x)]
437 #define subr(x) subR[(x)]
438 
439 void
440 camellia_setup128(const unsigned char *key, uint32_t *subkey)
441 {
442     uint32_t kll, klr, krl, krr;
443     uint32_t il, ir, t0, t1, w0, w1;
444     uint32_t kw4l, kw4r, dw, tl, tr;
445     uint32_t subL[26];
446     uint32_t subR[26];
447 
448     /*
449      *  k == kll || klr || krl || krr (|| is concatination)
450      */
451     kll = GETU32(key     );
452     klr = GETU32(key +  4);
453     krl = GETU32(key +  8);
454     krr = GETU32(key + 12);
455     /*
456      * generate KL dependent subkeys
457      */
458     subl(0) = kll; subr(0) = klr;
459     subl(1) = krl; subr(1) = krr;
460     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
461     subl(4) = kll; subr(4) = klr;
462     subl(5) = krl; subr(5) = krr;
463     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
464     subl(10) = kll; subr(10) = klr;
465     subl(11) = krl; subr(11) = krr;
466     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
467     subl(13) = krl; subr(13) = krr;
468     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
469     subl(16) = kll; subr(16) = klr;
470     subl(17) = krl; subr(17) = krr;
471     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
472     subl(18) = kll; subr(18) = klr;
473     subl(19) = krl; subr(19) = krr;
474     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
475     subl(22) = kll; subr(22) = klr;
476     subl(23) = krl; subr(23) = krr;
477 
478     /* generate KA */
479     kll = subl(0); klr = subr(0);
480     krl = subl(1); krr = subr(1);
481     CAMELLIA_F(kll, klr, CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
482 	       w0, w1, il, ir, t0, t1);
483     krl ^= w0; krr ^= w1;
484     CAMELLIA_F(krl, krr, CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
485 	       kll, klr, il, ir, t0, t1);
486     CAMELLIA_F(kll, klr, CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
487 	       krl, krr, il, ir, t0, t1);
488     krl ^= w0; krr ^= w1;
489     CAMELLIA_F(krl, krr, CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
490 	       w0, w1, il, ir, t0, t1);
491     kll ^= w0; klr ^= w1;
492 
493     /* generate KA dependent subkeys */
494     subl(2) = kll; subr(2) = klr;
495     subl(3) = krl; subr(3) = krr;
496     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
497     subl(6) = kll; subr(6) = klr;
498     subl(7) = krl; subr(7) = krr;
499     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
500     subl(8) = kll; subr(8) = klr;
501     subl(9) = krl; subr(9) = krr;
502     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
503     subl(12) = kll; subr(12) = klr;
504     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
505     subl(14) = kll; subr(14) = klr;
506     subl(15) = krl; subr(15) = krr;
507     CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
508     subl(20) = kll; subr(20) = klr;
509     subl(21) = krl; subr(21) = krr;
510     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
511     subl(24) = kll; subr(24) = klr;
512     subl(25) = krl; subr(25) = krr;
513 
514 
515     /* absorb kw2 to other subkeys */
516     subl(3) ^= subl(1); subr(3) ^= subr(1);
517     subl(5) ^= subl(1); subr(5) ^= subr(1);
518     subl(7) ^= subl(1); subr(7) ^= subr(1);
519     subl(1) ^= subr(1) & ~subr(9);
520     dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
521     subl(11) ^= subl(1); subr(11) ^= subr(1);
522     subl(13) ^= subl(1); subr(13) ^= subr(1);
523     subl(15) ^= subl(1); subr(15) ^= subr(1);
524     subl(1) ^= subr(1) & ~subr(17);
525     dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
526     subl(19) ^= subl(1); subr(19) ^= subr(1);
527     subl(21) ^= subl(1); subr(21) ^= subr(1);
528     subl(23) ^= subl(1); subr(23) ^= subr(1);
529     subl(24) ^= subl(1); subr(24) ^= subr(1);
530 
531     /* absorb kw4 to other subkeys */
532     kw4l = subl(25); kw4r = subr(25);
533     subl(22) ^= kw4l; subr(22) ^= kw4r;
534     subl(20) ^= kw4l; subr(20) ^= kw4r;
535     subl(18) ^= kw4l; subr(18) ^= kw4r;
536     kw4l ^= kw4r & ~subr(16);
537     dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
538     subl(14) ^= kw4l; subr(14) ^= kw4r;
539     subl(12) ^= kw4l; subr(12) ^= kw4r;
540     subl(10) ^= kw4l; subr(10) ^= kw4r;
541     kw4l ^= kw4r & ~subr(8);
542     dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
543     subl(6) ^= kw4l; subr(6) ^= kw4r;
544     subl(4) ^= kw4l; subr(4) ^= kw4r;
545     subl(2) ^= kw4l; subr(2) ^= kw4r;
546     subl(0) ^= kw4l; subr(0) ^= kw4r;
547 
548     /* key XOR is end of F-function */
549     SUBL(0) = subl(0) ^ subl(2);
550     SUBR(0) = subr(0) ^ subr(2);
551     SUBL(2) = subl(3);
552     SUBR(2) = subr(3);
553     SUBL(3) = subl(2) ^ subl(4);
554     SUBR(3) = subr(2) ^ subr(4);
555     SUBL(4) = subl(3) ^ subl(5);
556     SUBR(4) = subr(3) ^ subr(5);
557     SUBL(5) = subl(4) ^ subl(6);
558     SUBR(5) = subr(4) ^ subr(6);
559     SUBL(6) = subl(5) ^ subl(7);
560     SUBR(6) = subr(5) ^ subr(7);
561     tl = subl(10) ^ (subr(10) & ~subr(8));
562     dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
563     SUBL(7) = subl(6) ^ tl;
564     SUBR(7) = subr(6) ^ tr;
565     SUBL(8) = subl(8);
566     SUBR(8) = subr(8);
567     SUBL(9) = subl(9);
568     SUBR(9) = subr(9);
569     tl = subl(7) ^ (subr(7) & ~subr(9));
570     dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
571     SUBL(10) = tl ^ subl(11);
572     SUBR(10) = tr ^ subr(11);
573     SUBL(11) = subl(10) ^ subl(12);
574     SUBR(11) = subr(10) ^ subr(12);
575     SUBL(12) = subl(11) ^ subl(13);
576     SUBR(12) = subr(11) ^ subr(13);
577     SUBL(13) = subl(12) ^ subl(14);
578     SUBR(13) = subr(12) ^ subr(14);
579     SUBL(14) = subl(13) ^ subl(15);
580     SUBR(14) = subr(13) ^ subr(15);
581     tl = subl(18) ^ (subr(18) & ~subr(16));
582     dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
583     SUBL(15) = subl(14) ^ tl;
584     SUBR(15) = subr(14) ^ tr;
585     SUBL(16) = subl(16);
586     SUBR(16) = subr(16);
587     SUBL(17) = subl(17);
588     SUBR(17) = subr(17);
589     tl = subl(15) ^ (subr(15) & ~subr(17));
590     dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
591     SUBL(18) = tl ^ subl(19);
592     SUBR(18) = tr ^ subr(19);
593     SUBL(19) = subl(18) ^ subl(20);
594     SUBR(19) = subr(18) ^ subr(20);
595     SUBL(20) = subl(19) ^ subl(21);
596     SUBR(20) = subr(19) ^ subr(21);
597     SUBL(21) = subl(20) ^ subl(22);
598     SUBR(21) = subr(20) ^ subr(22);
599     SUBL(22) = subl(21) ^ subl(23);
600     SUBR(22) = subr(21) ^ subr(23);
601     SUBL(23) = subl(22);
602     SUBR(23) = subr(22);
603     SUBL(24) = subl(24) ^ subl(23);
604     SUBR(24) = subr(24) ^ subr(23);
605 
606     /* apply the inverse of the last half of P-function */
607     dw = SUBL(2) ^ SUBR(2), dw = CAMELLIA_RL8(dw);
608     SUBR(2) = SUBL(2) ^ dw, SUBL(2) = dw;
609     dw = SUBL(3) ^ SUBR(3), dw = CAMELLIA_RL8(dw);
610     SUBR(3) = SUBL(3) ^ dw, SUBL(3) = dw;
611     dw = SUBL(4) ^ SUBR(4), dw = CAMELLIA_RL8(dw);
612     SUBR(4) = SUBL(4) ^ dw, SUBL(4) = dw;
613     dw = SUBL(5) ^ SUBR(5), dw = CAMELLIA_RL8(dw);
614     SUBR(5) = SUBL(5) ^ dw, SUBL(5) = dw;
615     dw = SUBL(6) ^ SUBR(6), dw = CAMELLIA_RL8(dw);
616     SUBR(6) = SUBL(6) ^ dw, SUBL(6) = dw;
617     dw = SUBL(7) ^ SUBR(7), dw = CAMELLIA_RL8(dw);
618     SUBR(7) = SUBL(7) ^ dw, SUBL(7) = dw;
619     dw = SUBL(10) ^ SUBR(10), dw = CAMELLIA_RL8(dw);
620     SUBR(10) = SUBL(10) ^ dw, SUBL(10) = dw;
621     dw = SUBL(11) ^ SUBR(11), dw = CAMELLIA_RL8(dw);
622     SUBR(11) = SUBL(11) ^ dw, SUBL(11) = dw;
623     dw = SUBL(12) ^ SUBR(12), dw = CAMELLIA_RL8(dw);
624     SUBR(12) = SUBL(12) ^ dw, SUBL(12) = dw;
625     dw = SUBL(13) ^ SUBR(13), dw = CAMELLIA_RL8(dw);
626     SUBR(13) = SUBL(13) ^ dw, SUBL(13) = dw;
627     dw = SUBL(14) ^ SUBR(14), dw = CAMELLIA_RL8(dw);
628     SUBR(14) = SUBL(14) ^ dw, SUBL(14) = dw;
629     dw = SUBL(15) ^ SUBR(15), dw = CAMELLIA_RL8(dw);
630     SUBR(15) = SUBL(15) ^ dw, SUBL(15) = dw;
631     dw = SUBL(18) ^ SUBR(18), dw = CAMELLIA_RL8(dw);
632     SUBR(18) = SUBL(18) ^ dw, SUBL(18) = dw;
633     dw = SUBL(19) ^ SUBR(19), dw = CAMELLIA_RL8(dw);
634     SUBR(19) = SUBL(19) ^ dw, SUBL(19) = dw;
635     dw = SUBL(20) ^ SUBR(20), dw = CAMELLIA_RL8(dw);
636     SUBR(20) = SUBL(20) ^ dw, SUBL(20) = dw;
637     dw = SUBL(21) ^ SUBR(21), dw = CAMELLIA_RL8(dw);
638     SUBR(21) = SUBL(21) ^ dw, SUBL(21) = dw;
639     dw = SUBL(22) ^ SUBR(22), dw = CAMELLIA_RL8(dw);
640     SUBR(22) = SUBL(22) ^ dw, SUBL(22) = dw;
641     dw = SUBL(23) ^ SUBR(23), dw = CAMELLIA_RL8(dw);
642     SUBR(23) = SUBL(23) ^ dw, SUBL(23) = dw;
643 }
644 
645 void
646 camellia_setup256(const unsigned char *key, uint32_t *subkey)
647 {
648     uint32_t kll,klr,krl,krr;           /* left half of key */
649     uint32_t krll,krlr,krrl,krrr;       /* right half of key */
650     uint32_t il, ir, t0, t1, w0, w1;    /* temporary variables */
651     uint32_t kw4l, kw4r, dw, tl, tr;
652     uint32_t subL[34];
653     uint32_t subR[34];
654 
655     /*
656      *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
657      *  (|| is concatination)
658      */
659 
660     kll  = GETU32(key     );
661     klr  = GETU32(key +  4);
662     krl  = GETU32(key +  8);
663     krr  = GETU32(key + 12);
664     krll = GETU32(key + 16);
665     krlr = GETU32(key + 20);
666     krrl = GETU32(key + 24);
667     krrr = GETU32(key + 28);
668 
669     /* generate KL dependent subkeys */
670     subl(0) = kll; subr(0) = klr;
671     subl(1) = krl; subr(1) = krr;
672     CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
673     subl(12) = kll; subr(12) = klr;
674     subl(13) = krl; subr(13) = krr;
675     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
676     subl(16) = kll; subr(16) = klr;
677     subl(17) = krl; subr(17) = krr;
678     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
679     subl(22) = kll; subr(22) = klr;
680     subl(23) = krl; subr(23) = krr;
681     CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
682     subl(30) = kll; subr(30) = klr;
683     subl(31) = krl; subr(31) = krr;
684 
685     /* generate KR dependent subkeys */
686     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
687     subl(4) = krll; subr(4) = krlr;
688     subl(5) = krrl; subr(5) = krrr;
689     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
690     subl(8) = krll; subr(8) = krlr;
691     subl(9) = krrl; subr(9) = krrr;
692     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
693     subl(18) = krll; subr(18) = krlr;
694     subl(19) = krrl; subr(19) = krrr;
695     CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
696     subl(26) = krll; subr(26) = krlr;
697     subl(27) = krrl; subr(27) = krrr;
698     CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
699 
700     /* generate KA */
701     kll = subl(0) ^ krll; klr = subr(0) ^ krlr;
702     krl = subl(1) ^ krrl; krr = subr(1) ^ krrr;
703     CAMELLIA_F(kll, klr, CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
704 	       w0, w1, il, ir, t0, t1);
705     krl ^= w0; krr ^= w1;
706     CAMELLIA_F(krl, krr, CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
707 	       kll, klr, il, ir, t0, t1);
708     kll ^= krll; klr ^= krlr;
709     CAMELLIA_F(kll, klr, CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
710 	       krl, krr, il, ir, t0, t1);
711     krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
712     CAMELLIA_F(krl, krr, CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
713 	       w0, w1, il, ir, t0, t1);
714     kll ^= w0; klr ^= w1;
715 
716     /* generate KB */
717     krll ^= kll; krlr ^= klr;
718     krrl ^= krl; krrr ^= krr;
719     CAMELLIA_F(krll, krlr, CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
720 	       w0, w1, il, ir, t0, t1);
721     krrl ^= w0; krrr ^= w1;
722     CAMELLIA_F(krrl, krrr, CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
723 	       w0, w1, il, ir, t0, t1);
724     krll ^= w0; krlr ^= w1;
725 
726     /* generate KA dependent subkeys */
727     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
728     subl(6) = kll; subr(6) = klr;
729     subl(7) = krl; subr(7) = krr;
730     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
731     subl(14) = kll; subr(14) = klr;
732     subl(15) = krl; subr(15) = krr;
733     subl(24) = klr; subr(24) = krl;
734     subl(25) = krr; subr(25) = kll;
735     CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
736     subl(28) = kll; subr(28) = klr;
737     subl(29) = krl; subr(29) = krr;
738 
739     /* generate KB dependent subkeys */
740     subl(2) = krll; subr(2) = krlr;
741     subl(3) = krrl; subr(3) = krrr;
742     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
743     subl(10) = krll; subr(10) = krlr;
744     subl(11) = krrl; subr(11) = krrr;
745     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
746     subl(20) = krll; subr(20) = krlr;
747     subl(21) = krrl; subr(21) = krrr;
748     CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
749     subl(32) = krll; subr(32) = krlr;
750     subl(33) = krrl; subr(33) = krrr;
751 
752     /* absorb kw2 to other subkeys */
753     subl(3) ^= subl(1); subr(3) ^= subr(1);
754     subl(5) ^= subl(1); subr(5) ^= subr(1);
755     subl(7) ^= subl(1); subr(7) ^= subr(1);
756     subl(1) ^= subr(1) & ~subr(9);
757     dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
758     subl(11) ^= subl(1); subr(11) ^= subr(1);
759     subl(13) ^= subl(1); subr(13) ^= subr(1);
760     subl(15) ^= subl(1); subr(15) ^= subr(1);
761     subl(1) ^= subr(1) & ~subr(17);
762     dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
763     subl(19) ^= subl(1); subr(19) ^= subr(1);
764     subl(21) ^= subl(1); subr(21) ^= subr(1);
765     subl(23) ^= subl(1); subr(23) ^= subr(1);
766     subl(1) ^= subr(1) & ~subr(25);
767     dw = subl(1) & subl(25), subr(1) ^= CAMELLIA_RL1(dw);
768     subl(27) ^= subl(1); subr(27) ^= subr(1);
769     subl(29) ^= subl(1); subr(29) ^= subr(1);
770     subl(31) ^= subl(1); subr(31) ^= subr(1);
771     subl(32) ^= subl(1); subr(32) ^= subr(1);
772 
773 
774     /* absorb kw4 to other subkeys */
775     kw4l = subl(33); kw4r = subr(33);
776     subl(30) ^= kw4l; subr(30) ^= kw4r;
777     subl(28) ^= kw4l; subr(28) ^= kw4r;
778     subl(26) ^= kw4l; subr(26) ^= kw4r;
779     kw4l ^= kw4r & ~subr(24);
780     dw = kw4l & subl(24), kw4r ^= CAMELLIA_RL1(dw);
781     subl(22) ^= kw4l; subr(22) ^= kw4r;
782     subl(20) ^= kw4l; subr(20) ^= kw4r;
783     subl(18) ^= kw4l; subr(18) ^= kw4r;
784     kw4l ^= kw4r & ~subr(16);
785     dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
786     subl(14) ^= kw4l; subr(14) ^= kw4r;
787     subl(12) ^= kw4l; subr(12) ^= kw4r;
788     subl(10) ^= kw4l; subr(10) ^= kw4r;
789     kw4l ^= kw4r & ~subr(8);
790     dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
791     subl(6) ^= kw4l; subr(6) ^= kw4r;
792     subl(4) ^= kw4l; subr(4) ^= kw4r;
793     subl(2) ^= kw4l; subr(2) ^= kw4r;
794     subl(0) ^= kw4l; subr(0) ^= kw4r;
795 
796     /* key XOR is end of F-function */
797     SUBL(0) = subl(0) ^ subl(2);
798     SUBR(0) = subr(0) ^ subr(2);
799     SUBL(2) = subl(3);
800     SUBR(2) = subr(3);
801     SUBL(3) = subl(2) ^ subl(4);
802     SUBR(3) = subr(2) ^ subr(4);
803     SUBL(4) = subl(3) ^ subl(5);
804     SUBR(4) = subr(3) ^ subr(5);
805     SUBL(5) = subl(4) ^ subl(6);
806     SUBR(5) = subr(4) ^ subr(6);
807     SUBL(6) = subl(5) ^ subl(7);
808     SUBR(6) = subr(5) ^ subr(7);
809     tl = subl(10) ^ (subr(10) & ~subr(8));
810     dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
811     SUBL(7) = subl(6) ^ tl;
812     SUBR(7) = subr(6) ^ tr;
813     SUBL(8) = subl(8);
814     SUBR(8) = subr(8);
815     SUBL(9) = subl(9);
816     SUBR(9) = subr(9);
817     tl = subl(7) ^ (subr(7) & ~subr(9));
818     dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
819     SUBL(10) = tl ^ subl(11);
820     SUBR(10) = tr ^ subr(11);
821     SUBL(11) = subl(10) ^ subl(12);
822     SUBR(11) = subr(10) ^ subr(12);
823     SUBL(12) = subl(11) ^ subl(13);
824     SUBR(12) = subr(11) ^ subr(13);
825     SUBL(13) = subl(12) ^ subl(14);
826     SUBR(13) = subr(12) ^ subr(14);
827     SUBL(14) = subl(13) ^ subl(15);
828     SUBR(14) = subr(13) ^ subr(15);
829     tl = subl(18) ^ (subr(18) & ~subr(16));
830     dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
831     SUBL(15) = subl(14) ^ tl;
832     SUBR(15) = subr(14) ^ tr;
833     SUBL(16) = subl(16);
834     SUBR(16) = subr(16);
835     SUBL(17) = subl(17);
836     SUBR(17) = subr(17);
837     tl = subl(15) ^ (subr(15) & ~subr(17));
838     dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
839     SUBL(18) = tl ^ subl(19);
840     SUBR(18) = tr ^ subr(19);
841     SUBL(19) = subl(18) ^ subl(20);
842     SUBR(19) = subr(18) ^ subr(20);
843     SUBL(20) = subl(19) ^ subl(21);
844     SUBR(20) = subr(19) ^ subr(21);
845     SUBL(21) = subl(20) ^ subl(22);
846     SUBR(21) = subr(20) ^ subr(22);
847     SUBL(22) = subl(21) ^ subl(23);
848     SUBR(22) = subr(21) ^ subr(23);
849     tl = subl(26) ^ (subr(26) & ~subr(24));
850     dw = tl & subl(24), tr = subr(26) ^ CAMELLIA_RL1(dw);
851     SUBL(23) = subl(22) ^ tl;
852     SUBR(23) = subr(22) ^ tr;
853     SUBL(24) = subl(24);
854     SUBR(24) = subr(24);
855     SUBL(25) = subl(25);
856     SUBR(25) = subr(25);
857     tl = subl(23) ^ (subr(23) & ~subr(25));
858     dw = tl & subl(25), tr = subr(23) ^ CAMELLIA_RL1(dw);
859     SUBL(26) = tl ^ subl(27);
860     SUBR(26) = tr ^ subr(27);
861     SUBL(27) = subl(26) ^ subl(28);
862     SUBR(27) = subr(26) ^ subr(28);
863     SUBL(28) = subl(27) ^ subl(29);
864     SUBR(28) = subr(27) ^ subr(29);
865     SUBL(29) = subl(28) ^ subl(30);
866     SUBR(29) = subr(28) ^ subr(30);
867     SUBL(30) = subl(29) ^ subl(31);
868     SUBR(30) = subr(29) ^ subr(31);
869     SUBL(31) = subl(30);
870     SUBR(31) = subr(30);
871     SUBL(32) = subl(32) ^ subl(31);
872     SUBR(32) = subr(32) ^ subr(31);
873 
874     /* apply the inverse of the last half of P-function */
875     dw = SUBL(2) ^ SUBR(2), dw = CAMELLIA_RL8(dw);
876     SUBR(2) = SUBL(2) ^ dw, SUBL(2) = dw;
877     dw = SUBL(3) ^ SUBR(3), dw = CAMELLIA_RL8(dw);
878     SUBR(3) = SUBL(3) ^ dw, SUBL(3) = dw;
879     dw = SUBL(4) ^ SUBR(4), dw = CAMELLIA_RL8(dw);
880     SUBR(4) = SUBL(4) ^ dw, SUBL(4) = dw;
881     dw = SUBL(5) ^ SUBR(5), dw = CAMELLIA_RL8(dw);
882     SUBR(5) = SUBL(5) ^ dw, SUBL(5) = dw;
883     dw = SUBL(6) ^ SUBR(6), dw = CAMELLIA_RL8(dw);
884     SUBR(6) = SUBL(6) ^ dw, SUBL(6) = dw;
885     dw = SUBL(7) ^ SUBR(7), dw = CAMELLIA_RL8(dw);
886     SUBR(7) = SUBL(7) ^ dw, SUBL(7) = dw;
887     dw = SUBL(10) ^ SUBR(10), dw = CAMELLIA_RL8(dw);
888     SUBR(10) = SUBL(10) ^ dw, SUBL(10) = dw;
889     dw = SUBL(11) ^ SUBR(11), dw = CAMELLIA_RL8(dw);
890     SUBR(11) = SUBL(11) ^ dw, SUBL(11) = dw;
891     dw = SUBL(12) ^ SUBR(12), dw = CAMELLIA_RL8(dw);
892     SUBR(12) = SUBL(12) ^ dw, SUBL(12) = dw;
893     dw = SUBL(13) ^ SUBR(13), dw = CAMELLIA_RL8(dw);
894     SUBR(13) = SUBL(13) ^ dw, SUBL(13) = dw;
895     dw = SUBL(14) ^ SUBR(14), dw = CAMELLIA_RL8(dw);
896     SUBR(14) = SUBL(14) ^ dw, SUBL(14) = dw;
897     dw = SUBL(15) ^ SUBR(15), dw = CAMELLIA_RL8(dw);
898     SUBR(15) = SUBL(15) ^ dw, SUBL(15) = dw;
899     dw = SUBL(18) ^ SUBR(18), dw = CAMELLIA_RL8(dw);
900     SUBR(18) = SUBL(18) ^ dw, SUBL(18) = dw;
901     dw = SUBL(19) ^ SUBR(19), dw = CAMELLIA_RL8(dw);
902     SUBR(19) = SUBL(19) ^ dw, SUBL(19) = dw;
903     dw = SUBL(20) ^ SUBR(20), dw = CAMELLIA_RL8(dw);
904     SUBR(20) = SUBL(20) ^ dw, SUBL(20) = dw;
905     dw = SUBL(21) ^ SUBR(21), dw = CAMELLIA_RL8(dw);
906     SUBR(21) = SUBL(21) ^ dw, SUBL(21) = dw;
907     dw = SUBL(22) ^ SUBR(22), dw = CAMELLIA_RL8(dw);
908     SUBR(22) = SUBL(22) ^ dw, SUBL(22) = dw;
909     dw = SUBL(23) ^ SUBR(23), dw = CAMELLIA_RL8(dw);
910     SUBR(23) = SUBL(23) ^ dw, SUBL(23) = dw;
911     dw = SUBL(26) ^ SUBR(26), dw = CAMELLIA_RL8(dw);
912     SUBR(26) = SUBL(26) ^ dw, SUBL(26) = dw;
913     dw = SUBL(27) ^ SUBR(27), dw = CAMELLIA_RL8(dw);
914     SUBR(27) = SUBL(27) ^ dw, SUBL(27) = dw;
915     dw = SUBL(28) ^ SUBR(28), dw = CAMELLIA_RL8(dw);
916     SUBR(28) = SUBL(28) ^ dw, SUBL(28) = dw;
917     dw = SUBL(29) ^ SUBR(29), dw = CAMELLIA_RL8(dw);
918     SUBR(29) = SUBL(29) ^ dw, SUBL(29) = dw;
919     dw = SUBL(30) ^ SUBR(30), dw = CAMELLIA_RL8(dw);
920     SUBR(30) = SUBL(30) ^ dw, SUBL(30) = dw;
921     dw = SUBL(31) ^ SUBR(31), dw = CAMELLIA_RL8(dw);
922     SUBR(31) = SUBL(31) ^ dw, SUBL(31) = dw;
923 }
924 
925 void
926 camellia_setup192(const unsigned char *key, uint32_t *subkey)
927 {
928     unsigned char kk[32];
929     uint32_t krll, krlr, krrl,krrr;
930 
931     memcpy(kk, key, 24);
932     memcpy((unsigned char *)&krll, key+16,4);
933     memcpy((unsigned char *)&krlr, key+20,4);
934     krrl = ~krll;
935     krrr = ~krlr;
936     memcpy(kk+24, (unsigned char *)&krrl, 4);
937     memcpy(kk+28, (unsigned char *)&krrr, 4);
938     camellia_setup256(kk, subkey);
939 }
940 
941 
942 /**
943  * Stuff related to camellia encryption/decryption
944  */
945 void
946 camellia_encrypt128(const uint32_t *subkey, uint32_t *io)
947 {
948     uint32_t il, ir, t0, t1;
949 
950     /* pre whitening but absorb kw2*/
951     io[0] ^= SUBL(0);
952     io[1] ^= SUBR(0);
953     /* main iteration */
954 
955     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(2),SUBR(2),
956 		     io[2],io[3],il,ir,t0,t1);
957     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(3),SUBR(3),
958 		     io[0],io[1],il,ir,t0,t1);
959     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(4),SUBR(4),
960 		     io[2],io[3],il,ir,t0,t1);
961     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(5),SUBR(5),
962 		     io[0],io[1],il,ir,t0,t1);
963     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(6),SUBR(6),
964 		     io[2],io[3],il,ir,t0,t1);
965     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(7),SUBR(7),
966 		     io[0],io[1],il,ir,t0,t1);
967 
968     CAMELLIA_FLS(io[0],io[1],io[2],io[3], SUBL(8),SUBR(8), SUBL(9),SUBR(9),
969 		 t0,t1,il,ir);
970 
971     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(10),SUBR(10),
972 		     io[2],io[3],il,ir,t0,t1);
973     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(11),SUBR(11),
974 		     io[0],io[1],il,ir,t0,t1);
975     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(12),SUBR(12),
976 		     io[2],io[3],il,ir,t0,t1);
977     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(13),SUBR(13),
978 		     io[0],io[1],il,ir,t0,t1);
979     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(14),SUBR(14),
980 		     io[2],io[3],il,ir,t0,t1);
981     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(15),SUBR(15),
982 		     io[0],io[1],il,ir,t0,t1);
983 
984     CAMELLIA_FLS(io[0],io[1],io[2],io[3], SUBL(16), SUBR(16), SUBL(17),SUBR(17),
985 		 t0,t1,il,ir);
986 
987     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(18),SUBR(18),
988 		     io[2],io[3],il,ir,t0,t1);
989     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(19),SUBR(19),
990 		     io[0],io[1],il,ir,t0,t1);
991     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(20),SUBR(20),
992 		     io[2],io[3],il,ir,t0,t1);
993     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(21),SUBR(21),
994 		     io[0],io[1],il,ir,t0,t1);
995     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(22),SUBR(22),
996 		     io[2],io[3],il,ir,t0,t1);
997     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(23),SUBR(23),
998 		     io[0],io[1],il,ir,t0,t1);
999 
1000     /* post whitening but kw4 */
1001     io[2] ^= SUBL(24);
1002     io[3] ^= SUBR(24);
1003 
1004     t0 = io[0];
1005     t1 = io[1];
1006     io[0] = io[2];
1007     io[1] = io[3];
1008     io[2] = t0;
1009     io[3] = t1;
1010 }
1011 
1012 void
1013 camellia_decrypt128(const uint32_t *subkey, uint32_t *io)
1014 {
1015     uint32_t il,ir,t0,t1;               /* temporary valiables */
1016 
1017     /* pre whitening but absorb kw2*/
1018     io[0] ^= SUBL(24);
1019     io[1] ^= SUBR(24);
1020 
1021     /* main iteration */
1022     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(23),SUBR(23),
1023 		     io[2],io[3],il,ir,t0,t1);
1024     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(22),SUBR(22),
1025 		     io[0],io[1],il,ir,t0,t1);
1026     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(21),SUBR(21),
1027 		     io[2],io[3],il,ir,t0,t1);
1028     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(20),SUBR(20),
1029 		     io[0],io[1],il,ir,t0,t1);
1030     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(19),SUBR(19),
1031 		     io[2],io[3],il,ir,t0,t1);
1032     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(18),SUBR(18),
1033 		     io[0],io[1],il,ir,t0,t1);
1034 
1035     CAMELLIA_FLS(io[0],io[1],io[2],io[3],SUBL(17),SUBR(17),SUBL(16),SUBR(16),
1036 		 t0,t1,il,ir);
1037 
1038     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(15),SUBR(15),
1039 		     io[2],io[3],il,ir,t0,t1);
1040     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(14),SUBR(14),
1041 		     io[0],io[1],il,ir,t0,t1);
1042     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(13),SUBR(13),
1043 		     io[2],io[3],il,ir,t0,t1);
1044     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(12),SUBR(12),
1045 		     io[0],io[1],il,ir,t0,t1);
1046     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(11),SUBR(11),
1047 		     io[2],io[3],il,ir,t0,t1);
1048     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(10),SUBR(10),
1049 		     io[0],io[1],il,ir,t0,t1);
1050 
1051     CAMELLIA_FLS(io[0],io[1],io[2],io[3], SUBL(9),SUBR(9), SUBL(8),SUBR(8),
1052 		 t0,t1,il,ir);
1053 
1054     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(7),SUBR(7),
1055 		     io[2],io[3],il,ir,t0,t1);
1056     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(6),SUBR(6),
1057 		     io[0],io[1],il,ir,t0,t1);
1058     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(5),SUBR(5),
1059 		     io[2],io[3],il,ir,t0,t1);
1060     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(4),SUBR(4),
1061 		     io[0],io[1],il,ir,t0,t1);
1062     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(3),SUBR(3),
1063 		     io[2],io[3],il,ir,t0,t1);
1064     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(2),SUBR(2),
1065 		     io[0],io[1],il,ir,t0,t1);
1066 
1067     /* post whitening but kw4 */
1068     io[2] ^= SUBL(0);
1069     io[3] ^= SUBR(0);
1070 
1071     t0 = io[0];
1072     t1 = io[1];
1073     io[0] = io[2];
1074     io[1] = io[3];
1075     io[2] = t0;
1076     io[3] = t1;
1077 }
1078 
1079 /**
1080  * stuff for 192 and 256bit encryption/decryption
1081  */
1082 void
1083 camellia_encrypt256(const uint32_t *subkey, uint32_t *io)
1084 {
1085     uint32_t il,ir,t0,t1;           /* temporary valiables */
1086 
1087     /* pre whitening but absorb kw2*/
1088     io[0] ^= SUBL(0);
1089     io[1] ^= SUBR(0);
1090 
1091     /* main iteration */
1092     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(2),SUBR(2),
1093 		     io[2],io[3],il,ir,t0,t1);
1094     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(3),SUBR(3),
1095 		     io[0],io[1],il,ir,t0,t1);
1096     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(4),SUBR(4),
1097 		     io[2],io[3],il,ir,t0,t1);
1098     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(5),SUBR(5),
1099 		     io[0],io[1],il,ir,t0,t1);
1100     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(6),SUBR(6),
1101 		     io[2],io[3],il,ir,t0,t1);
1102     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(7),SUBR(7),
1103 		     io[0],io[1],il,ir,t0,t1);
1104 
1105     CAMELLIA_FLS(io[0],io[1],io[2],io[3], SUBL(8),SUBR(8), SUBL(9),SUBR(9),
1106 		 t0,t1,il,ir);
1107 
1108     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(10),SUBR(10),
1109 		     io[2],io[3],il,ir,t0,t1);
1110     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(11),SUBR(11),
1111 		     io[0],io[1],il,ir,t0,t1);
1112     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(12),SUBR(12),
1113 		     io[2],io[3],il,ir,t0,t1);
1114     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(13),SUBR(13),
1115 		     io[0],io[1],il,ir,t0,t1);
1116     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(14),SUBR(14),
1117 		     io[2],io[3],il,ir,t0,t1);
1118     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(15),SUBR(15),
1119 		     io[0],io[1],il,ir,t0,t1);
1120 
1121     CAMELLIA_FLS(io[0],io[1],io[2],io[3], SUBL(16),SUBR(16), SUBL(17),SUBR(17),
1122 		 t0,t1,il,ir);
1123 
1124     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(18),SUBR(18),
1125 		     io[2],io[3],il,ir,t0,t1);
1126     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(19),SUBR(19),
1127 		     io[0],io[1],il,ir,t0,t1);
1128     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(20),SUBR(20),
1129 		     io[2],io[3],il,ir,t0,t1);
1130     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(21),SUBR(21),
1131 		     io[0],io[1],il,ir,t0,t1);
1132     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(22),SUBR(22),
1133 		     io[2],io[3],il,ir,t0,t1);
1134     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(23),SUBR(23),
1135 		     io[0],io[1],il,ir,t0,t1);
1136 
1137     CAMELLIA_FLS(io[0],io[1],io[2],io[3], SUBL(24),SUBR(24), SUBL(25),SUBR(25),
1138 		 t0,t1,il,ir);
1139 
1140     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(26),SUBR(26),
1141 		     io[2],io[3],il,ir,t0,t1);
1142     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(27),SUBR(27),
1143 		     io[0],io[1],il,ir,t0,t1);
1144     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(28),SUBR(28),
1145 		     io[2],io[3],il,ir,t0,t1);
1146     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(29),SUBR(29),
1147 		     io[0],io[1],il,ir,t0,t1);
1148     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(30),SUBR(30),
1149 		     io[2],io[3],il,ir,t0,t1);
1150     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(31),SUBR(31),
1151 		     io[0],io[1],il,ir,t0,t1);
1152 
1153     /* post whitening but kw4 */
1154     io[2] ^= SUBL(32);
1155     io[3] ^= SUBR(32);
1156 
1157     t0 = io[0];
1158     t1 = io[1];
1159     io[0] = io[2];
1160     io[1] = io[3];
1161     io[2] = t0;
1162     io[3] = t1;
1163 }
1164 
1165 void
1166 camellia_decrypt256(const uint32_t *subkey, uint32_t *io)
1167 {
1168     uint32_t il,ir,t0,t1;           /* temporary valiables */
1169 
1170     /* pre whitening but absorb kw2*/
1171     io[0] ^= SUBL(32);
1172     io[1] ^= SUBR(32);
1173 
1174     /* main iteration */
1175     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(31),SUBR(31),
1176 		     io[2],io[3],il,ir,t0,t1);
1177     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(30),SUBR(30),
1178 		     io[0],io[1],il,ir,t0,t1);
1179     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(29),SUBR(29),
1180 		     io[2],io[3],il,ir,t0,t1);
1181     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(28),SUBR(28),
1182 		     io[0],io[1],il,ir,t0,t1);
1183     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(27),SUBR(27),
1184 		     io[2],io[3],il,ir,t0,t1);
1185     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(26),SUBR(26),
1186 		     io[0],io[1],il,ir,t0,t1);
1187 
1188     CAMELLIA_FLS(io[0],io[1],io[2],io[3], SUBL(25),SUBR(25), SUBL(24),SUBR(24),
1189 		 t0,t1,il,ir);
1190 
1191     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(23),SUBR(23),
1192 		     io[2],io[3],il,ir,t0,t1);
1193     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(22),SUBR(22),
1194 		     io[0],io[1],il,ir,t0,t1);
1195     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(21),SUBR(21),
1196 		     io[2],io[3],il,ir,t0,t1);
1197     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(20),SUBR(20),
1198 		     io[0],io[1],il,ir,t0,t1);
1199     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(19),SUBR(19),
1200 		     io[2],io[3],il,ir,t0,t1);
1201     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(18),SUBR(18),
1202 		     io[0],io[1],il,ir,t0,t1);
1203 
1204     CAMELLIA_FLS(io[0],io[1],io[2],io[3], SUBL(17),SUBR(17), SUBL(16),SUBR(16),
1205 		 t0,t1,il,ir);
1206 
1207     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(15),SUBR(15),
1208 		     io[2],io[3],il,ir,t0,t1);
1209     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(14),SUBR(14),
1210 		     io[0],io[1],il,ir,t0,t1);
1211     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(13),SUBR(13),
1212 		     io[2],io[3],il,ir,t0,t1);
1213     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(12),SUBR(12),
1214 		     io[0],io[1],il,ir,t0,t1);
1215     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(11),SUBR(11),
1216 		     io[2],io[3],il,ir,t0,t1);
1217     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(10),SUBR(10),
1218 		     io[0],io[1],il,ir,t0,t1);
1219 
1220     CAMELLIA_FLS(io[0],io[1],io[2],io[3], SUBL(9),SUBR(9), SUBL(8),SUBR(8),
1221 		 t0,t1,il,ir);
1222 
1223     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(7),SUBR(7),
1224 		     io[2],io[3],il,ir,t0,t1);
1225     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(6),SUBR(6),
1226 		     io[0],io[1],il,ir,t0,t1);
1227     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(5),SUBR(5),
1228 		     io[2],io[3],il,ir,t0,t1);
1229     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(4),SUBR(4),
1230 		     io[0],io[1],il,ir,t0,t1);
1231     CAMELLIA_ROUNDSM(io[0],io[1], SUBL(3),SUBR(3),
1232 		     io[2],io[3],il,ir,t0,t1);
1233     CAMELLIA_ROUNDSM(io[2],io[3], SUBL(2),SUBR(2),
1234 		     io[0],io[1],il,ir,t0,t1);
1235 
1236     /* post whitening but kw4 */
1237     io[2] ^= SUBL(0);
1238     io[3] ^= SUBR(0);
1239 
1240     t0 = io[0];
1241     t1 = io[1];
1242     io[0] = io[2];
1243     io[1] = io[3];
1244     io[2] = t0;
1245     io[3] = t1;
1246 }
1247 
1248 void
1249 Camellia_Ekeygen(const int keyBitLength,
1250 		 const unsigned char *rawKey,
1251 		 uint32_t *subkey)
1252 {
1253     KASSERT(keyBitLength == 128 || keyBitLength == 192 || keyBitLength == 256,
1254 	    ("Invalid key size (%d).", keyBitLength));
1255 
1256     switch(keyBitLength) {
1257     case 128:
1258 	camellia_setup128(rawKey, subkey);
1259 	break;
1260     case 192:
1261 	camellia_setup192(rawKey, subkey);
1262 	break;
1263     case 256:
1264 	camellia_setup256(rawKey, subkey);
1265 	break;
1266     default:
1267 	break;
1268     }
1269 }
1270 void
1271 Camellia_EncryptBlock(const int keyBitLength,
1272 		      const unsigned char *plaintext,
1273 		      const uint32_t *subkey,
1274 		      unsigned char *ciphertext)
1275 {
1276     uint32_t tmp[4];
1277 
1278     tmp[0] = GETU32(plaintext);
1279     tmp[1] = GETU32(plaintext + 4);
1280     tmp[2] = GETU32(plaintext + 8);
1281     tmp[3] = GETU32(plaintext + 12);
1282 
1283     switch (keyBitLength) {
1284     case 128:
1285 	camellia_encrypt128(subkey, tmp);
1286 	break;
1287     case 192:
1288 	/* fall through */
1289     case 256:
1290 	camellia_encrypt256(subkey, tmp);
1291 	break;
1292     default:
1293 	break;
1294     }
1295 
1296     PUTU32(ciphertext,    tmp[0]);
1297     PUTU32(ciphertext+4,  tmp[1]);
1298     PUTU32(ciphertext+8,  tmp[2]);
1299     PUTU32(ciphertext+12, tmp[3]);
1300 }
1301 
1302 void
1303 Camellia_DecryptBlock(const int keyBitLength,
1304 		      const unsigned char *ciphertext,
1305 		      const uint32_t *subkey,
1306 		      unsigned char *plaintext)
1307 {
1308     uint32_t tmp[4];
1309 
1310     tmp[0] = GETU32(ciphertext);
1311     tmp[1] = GETU32(ciphertext + 4);
1312     tmp[2] = GETU32(ciphertext + 8);
1313     tmp[3] = GETU32(ciphertext + 12);
1314 
1315     switch (keyBitLength) {
1316     case 128:
1317 	camellia_decrypt128(subkey, tmp);
1318 	break;
1319     case 192:
1320 	/* fall through */
1321     case 256:
1322 	camellia_decrypt256(subkey, tmp);
1323 	break;
1324     default:
1325 	break;
1326     }
1327 
1328     PUTU32(plaintext,    tmp[0]);
1329     PUTU32(plaintext+4,  tmp[1]);
1330     PUTU32(plaintext+8,  tmp[2]);
1331     PUTU32(plaintext+12, tmp[3]);
1332 }
1333