Merge tag 's390-5.4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
[platform/kernel/linux-rpi.git] / crypto / camellia_generic.c
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (C) 2006
4  * NTT (Nippon Telegraph and Telephone Corporation).
5  */
6
7 /*
8  * Algorithm Specification
9  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
10  */
11
12 /*
13  *
14  * NOTE --- NOTE --- NOTE --- NOTE
15  * This implementation assumes that all memory addresses passed
16  * as parameters are four-byte aligned.
17  *
18  */
19
20 #include <linux/crypto.h>
21 #include <linux/errno.h>
22 #include <linux/init.h>
23 #include <linux/kernel.h>
24 #include <linux/module.h>
25 #include <linux/bitops.h>
26 #include <asm/unaligned.h>
27
28 static const u32 camellia_sp1110[256] = {
29         0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00,
30         0xb3b3b300, 0x27272700, 0xc0c0c000, 0xe5e5e500,
31         0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
32         0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100,
33         0x23232300, 0xefefef00, 0x6b6b6b00, 0x93939300,
34         0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
35         0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00,
36         0x1d1d1d00, 0x65656500, 0x92929200, 0xbdbdbd00,
37         0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
38         0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00,
39         0x3e3e3e00, 0x30303000, 0xdcdcdc00, 0x5f5f5f00,
40         0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
41         0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00,
42         0xd5d5d500, 0x47474700, 0x5d5d5d00, 0x3d3d3d00,
43         0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
44         0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00,
45         0x8b8b8b00, 0x0d0d0d00, 0x9a9a9a00, 0x66666600,
46         0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
47         0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000,
48         0xf0f0f000, 0xb1b1b100, 0x84848400, 0x99999900,
49         0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
50         0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500,
51         0x6d6d6d00, 0xb7b7b700, 0xa9a9a900, 0x31313100,
52         0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
53         0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100,
54         0xdedede00, 0x1b1b1b00, 0x11111100, 0x1c1c1c00,
55         0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
56         0x53535300, 0x18181800, 0xf2f2f200, 0x22222200,
57         0xfefefe00, 0x44444400, 0xcfcfcf00, 0xb2b2b200,
58         0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
59         0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800,
60         0x60606000, 0xfcfcfc00, 0x69696900, 0x50505000,
61         0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
62         0xa1a1a100, 0x89898900, 0x62626200, 0x97979700,
63         0x54545400, 0x5b5b5b00, 0x1e1e1e00, 0x95959500,
64         0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
65         0x10101000, 0xc4c4c400, 0x00000000, 0x48484800,
66         0xa3a3a300, 0xf7f7f700, 0x75757500, 0xdbdbdb00,
67         0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
68         0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400,
69         0x87878700, 0x5c5c5c00, 0x83838300, 0x02020200,
70         0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
71         0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300,
72         0x9d9d9d00, 0x7f7f7f00, 0xbfbfbf00, 0xe2e2e200,
73         0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
74         0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00,
75         0x81818100, 0x96969600, 0x6f6f6f00, 0x4b4b4b00,
76         0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
77         0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00,
78         0x9f9f9f00, 0x6e6e6e00, 0xbcbcbc00, 0x8e8e8e00,
79         0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
80         0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900,
81         0x78787800, 0x98989800, 0x06060600, 0x6a6a6a00,
82         0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
83         0xd4d4d400, 0x25252500, 0xababab00, 0x42424200,
84         0x88888800, 0xa2a2a200, 0x8d8d8d00, 0xfafafa00,
85         0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
86         0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00,
87         0x36363600, 0x49494900, 0x2a2a2a00, 0x68686800,
88         0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
89         0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00,
90         0xbbbbbb00, 0xc9c9c900, 0x43434300, 0xc1c1c100,
91         0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
92         0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00,
93 };
94
95 static const u32 camellia_sp0222[256] = {
96         0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9,
97         0x00676767, 0x004e4e4e, 0x00818181, 0x00cbcbcb,
98         0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
99         0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282,
100         0x00464646, 0x00dfdfdf, 0x00d6d6d6, 0x00272727,
101         0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
102         0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c,
103         0x003a3a3a, 0x00cacaca, 0x00252525, 0x007b7b7b,
104         0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
105         0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d,
106         0x007c7c7c, 0x00606060, 0x00b9b9b9, 0x00bebebe,
107         0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
108         0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595,
109         0x00ababab, 0x008e8e8e, 0x00bababa, 0x007a7a7a,
110         0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
111         0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a,
112         0x00171717, 0x001a1a1a, 0x00353535, 0x00cccccc,
113         0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
114         0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040,
115         0x00e1e1e1, 0x00636363, 0x00090909, 0x00333333,
116         0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
117         0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a,
118         0x00dadada, 0x006f6f6f, 0x00535353, 0x00626262,
119         0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
120         0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2,
121         0x00bdbdbd, 0x00363636, 0x00222222, 0x00383838,
122         0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
123         0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444,
124         0x00fdfdfd, 0x00888888, 0x009f9f9f, 0x00656565,
125         0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
126         0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151,
127         0x00c0c0c0, 0x00f9f9f9, 0x00d2d2d2, 0x00a0a0a0,
128         0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
129         0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f,
130         0x00a8a8a8, 0x00b6b6b6, 0x003c3c3c, 0x002b2b2b,
131         0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
132         0x00202020, 0x00898989, 0x00000000, 0x00909090,
133         0x00474747, 0x00efefef, 0x00eaeaea, 0x00b7b7b7,
134         0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
135         0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929,
136         0x000f0f0f, 0x00b8b8b8, 0x00070707, 0x00040404,
137         0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
138         0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7,
139         0x003b3b3b, 0x00fefefe, 0x007f7f7f, 0x00c5c5c5,
140         0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
141         0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676,
142         0x00030303, 0x002d2d2d, 0x00dedede, 0x00969696,
143         0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
144         0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919,
145         0x003f3f3f, 0x00dcdcdc, 0x00797979, 0x001d1d1d,
146         0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
147         0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2,
148         0x00f0f0f0, 0x00313131, 0x000c0c0c, 0x00d4d4d4,
149         0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
150         0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484,
151         0x00111111, 0x00454545, 0x001b1b1b, 0x00f5f5f5,
152         0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
153         0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414,
154         0x006c6c6c, 0x00929292, 0x00545454, 0x00d0d0d0,
155         0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
156         0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6,
157         0x00777777, 0x00939393, 0x00868686, 0x00838383,
158         0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
159         0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d,
160 };
161
162 static const u32 camellia_sp3033[256] = {
163         0x38003838, 0x41004141, 0x16001616, 0x76007676,
164         0xd900d9d9, 0x93009393, 0x60006060, 0xf200f2f2,
165         0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
166         0x75007575, 0x06000606, 0x57005757, 0xa000a0a0,
167         0x91009191, 0xf700f7f7, 0xb500b5b5, 0xc900c9c9,
168         0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
169         0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727,
170         0x8e008e8e, 0xb200b2b2, 0x49004949, 0xde00dede,
171         0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
172         0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767,
173         0x1f001f1f, 0x18001818, 0x6e006e6e, 0xaf00afaf,
174         0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
175         0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565,
176         0xea00eaea, 0xa300a3a3, 0xae00aeae, 0x9e009e9e,
177         0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
178         0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6,
179         0xc500c5c5, 0x86008686, 0x4d004d4d, 0x33003333,
180         0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
181         0x3a003a3a, 0x09000909, 0x95009595, 0x10001010,
182         0x78007878, 0xd800d8d8, 0x42004242, 0xcc00cccc,
183         0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
184         0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282,
185         0xb600b6b6, 0xdb00dbdb, 0xd400d4d4, 0x98009898,
186         0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
187         0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0,
188         0x6f006f6f, 0x8d008d8d, 0x88008888, 0x0e000e0e,
189         0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
190         0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111,
191         0x7f007f7f, 0x22002222, 0xe700e7e7, 0x59005959,
192         0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
193         0x12001212, 0x04000404, 0x74007474, 0x54005454,
194         0x30003030, 0x7e007e7e, 0xb400b4b4, 0x28002828,
195         0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
196         0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb,
197         0x2a002a2a, 0xad00adad, 0x0f000f0f, 0xca00caca,
198         0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
199         0x08000808, 0x62006262, 0x00000000, 0x24002424,
200         0xd100d1d1, 0xfb00fbfb, 0xba00baba, 0xed00eded,
201         0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
202         0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a,
203         0xc300c3c3, 0x2e002e2e, 0xc100c1c1, 0x01000101,
204         0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
205         0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9,
206         0xce00cece, 0xbf00bfbf, 0xdf00dfdf, 0x71007171,
207         0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
208         0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d,
209         0xc000c0c0, 0x4b004b4b, 0xb700b7b7, 0xa500a5a5,
210         0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
211         0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646,
212         0xcf00cfcf, 0x37003737, 0x5e005e5e, 0x47004747,
213         0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
214         0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac,
215         0x3c003c3c, 0x4c004c4c, 0x03000303, 0x35003535,
216         0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
217         0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121,
218         0x44004444, 0x51005151, 0xc600c6c6, 0x7d007d7d,
219         0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
220         0x7c007c7c, 0x77007777, 0x56005656, 0x05000505,
221         0x1b001b1b, 0xa400a4a4, 0x15001515, 0x34003434,
222         0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
223         0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd,
224         0xdd00dddd, 0xe400e4e4, 0xa100a1a1, 0xe000e0e0,
225         0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
226         0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f,
227 };
228
229 static const u32 camellia_sp4404[256] = {
230         0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0,
231         0xe4e400e4, 0x57570057, 0xeaea00ea, 0xaeae00ae,
232         0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
233         0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092,
234         0x86860086, 0xafaf00af, 0x7c7c007c, 0x1f1f001f,
235         0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
236         0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d,
237         0xd9d900d9, 0x5a5a005a, 0x51510051, 0x6c6c006c,
238         0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
239         0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084,
240         0xdfdf00df, 0xcbcb00cb, 0x34340034, 0x76760076,
241         0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
242         0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011,
243         0x32320032, 0x9c9c009c, 0x53530053, 0xf2f200f2,
244         0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
245         0x24240024, 0xe8e800e8, 0x60600060, 0x69690069,
246         0xaaaa00aa, 0xa0a000a0, 0xa1a100a1, 0x62620062,
247         0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
248         0x10100010, 0x00000000, 0xa3a300a3, 0x75750075,
249         0x8a8a008a, 0xe6e600e6, 0x09090009, 0xdddd00dd,
250         0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
251         0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf,
252         0x52520052, 0xd8d800d8, 0xc8c800c8, 0xc6c600c6,
253         0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
254         0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc,
255         0x29290029, 0xf9f900f9, 0x2f2f002f, 0xb4b400b4,
256         0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
257         0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d,
258         0x72720072, 0xb9b900b9, 0xf8f800f8, 0xacac00ac,
259         0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
260         0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043,
261         0x15150015, 0xadad00ad, 0x77770077, 0x80800080,
262         0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
263         0x85850085, 0x35350035, 0x0c0c000c, 0x41410041,
264         0xefef00ef, 0x93930093, 0x19190019, 0x21210021,
265         0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
266         0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce,
267         0x30300030, 0x5f5f005f, 0xc5c500c5, 0x1a1a001a,
268         0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
269         0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d,
270         0x0d0d000d, 0x66660066, 0xcccc00cc, 0x2d2d002d,
271         0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
272         0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005,
273         0xb7b700b7, 0x31310031, 0x17170017, 0xd7d700d7,
274         0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
275         0x0f0f000f, 0x16160016, 0x18180018, 0x22220022,
276         0x44440044, 0xb2b200b2, 0xb5b500b5, 0x91910091,
277         0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
278         0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097,
279         0x5b5b005b, 0x95950095, 0xffff00ff, 0xd2d200d2,
280         0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
281         0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094,
282         0x5c5c005c, 0x02020002, 0x4a4a004a, 0x33330033,
283         0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
284         0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b,
285         0x96960096, 0x4b4b004b, 0xbebe00be, 0x2e2e002e,
286         0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
287         0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059,
288         0x98980098, 0x6a6a006a, 0x46460046, 0xbaba00ba,
289         0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
290         0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a,
291         0x49490049, 0x68680068, 0x38380038, 0xa4a400a4,
292         0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
293         0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e,
294 };
295
296
297 #define CAMELLIA_MIN_KEY_SIZE        16
298 #define CAMELLIA_MAX_KEY_SIZE        32
299 #define CAMELLIA_BLOCK_SIZE          16
300 #define CAMELLIA_TABLE_BYTE_LEN     272
301
302 /*
303  * NB: L and R below stand for 'left' and 'right' as in written numbers.
304  * That is, in (xxxL,xxxR) pair xxxL holds most significant digits,
305  * _not_ least significant ones!
306  */
307
308
309 /* key constants */
310
311 #define CAMELLIA_SIGMA1L (0xA09E667FL)
312 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
313 #define CAMELLIA_SIGMA2L (0xB67AE858L)
314 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
315 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
316 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
317 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
318 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
319 #define CAMELLIA_SIGMA5L (0x10E527FAL)
320 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
321 #define CAMELLIA_SIGMA6L (0xB05688C2L)
322 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
323
324 /*
325  *  macros
326  */
327 #define ROLDQ(ll, lr, rl, rr, w0, w1, bits) ({          \
328         w0 = ll;                                        \
329         ll = (ll << bits) + (lr >> (32 - bits));        \
330         lr = (lr << bits) + (rl >> (32 - bits));        \
331         rl = (rl << bits) + (rr >> (32 - bits));        \
332         rr = (rr << bits) + (w0 >> (32 - bits));        \
333 })
334
335 #define ROLDQo32(ll, lr, rl, rr, w0, w1, bits) ({       \
336         w0 = ll;                                        \
337         w1 = lr;                                        \
338         ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
339         lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
340         rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
341         rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
342 })
343
344 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) ({   \
345         il = xl ^ kl;                                           \
346         ir = xr ^ kr;                                           \
347         t0 = il >> 16;                                          \
348         t1 = ir >> 16;                                          \
349         yl = camellia_sp1110[(u8)(ir)]                          \
350            ^ camellia_sp0222[(u8)(t1 >> 8)]                     \
351            ^ camellia_sp3033[(u8)(t1)]                          \
352            ^ camellia_sp4404[(u8)(ir >> 8)];                    \
353         yr = camellia_sp1110[(u8)(t0 >> 8)]                     \
354            ^ camellia_sp0222[(u8)(t0)]                          \
355            ^ camellia_sp3033[(u8)(il >> 8)]                     \
356            ^ camellia_sp4404[(u8)(il)];                         \
357         yl ^= yr;                                               \
358         yr = ror32(yr, 8);                                      \
359         yr ^= yl;                                               \
360 })
361
362 #define SUBKEY_L(INDEX) (subkey[(INDEX)*2])
363 #define SUBKEY_R(INDEX) (subkey[(INDEX)*2 + 1])
364
365 static void camellia_setup_tail(u32 *subkey, u32 *subL, u32 *subR, int max)
366 {
367         u32 dw, tl, tr;
368         u32 kw4l, kw4r;
369
370         /* absorb kw2 to other subkeys */
371         /* round 2 */
372         subL[3] ^= subL[1]; subR[3] ^= subR[1];
373         /* round 4 */
374         subL[5] ^= subL[1]; subR[5] ^= subR[1];
375         /* round 6 */
376         subL[7] ^= subL[1]; subR[7] ^= subR[1];
377         subL[1] ^= subR[1] & ~subR[9];
378         dw = subL[1] & subL[9];
379         subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl2) */
380         /* round 8 */
381         subL[11] ^= subL[1]; subR[11] ^= subR[1];
382         /* round 10 */
383         subL[13] ^= subL[1]; subR[13] ^= subR[1];
384         /* round 12 */
385         subL[15] ^= subL[1]; subR[15] ^= subR[1];
386         subL[1] ^= subR[1] & ~subR[17];
387         dw = subL[1] & subL[17];
388         subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl4) */
389         /* round 14 */
390         subL[19] ^= subL[1]; subR[19] ^= subR[1];
391         /* round 16 */
392         subL[21] ^= subL[1]; subR[21] ^= subR[1];
393         /* round 18 */
394         subL[23] ^= subL[1]; subR[23] ^= subR[1];
395         if (max == 24) {
396                 /* kw3 */
397                 subL[24] ^= subL[1]; subR[24] ^= subR[1];
398
399         /* absorb kw4 to other subkeys */
400                 kw4l = subL[25]; kw4r = subR[25];
401         } else {
402                 subL[1] ^= subR[1] & ~subR[25];
403                 dw = subL[1] & subL[25];
404                 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl6) */
405                 /* round 20 */
406                 subL[27] ^= subL[1]; subR[27] ^= subR[1];
407                 /* round 22 */
408                 subL[29] ^= subL[1]; subR[29] ^= subR[1];
409                 /* round 24 */
410                 subL[31] ^= subL[1]; subR[31] ^= subR[1];
411                 /* kw3 */
412                 subL[32] ^= subL[1]; subR[32] ^= subR[1];
413
414         /* absorb kw4 to other subkeys */
415                 kw4l = subL[33]; kw4r = subR[33];
416                 /* round 23 */
417                 subL[30] ^= kw4l; subR[30] ^= kw4r;
418                 /* round 21 */
419                 subL[28] ^= kw4l; subR[28] ^= kw4r;
420                 /* round 19 */
421                 subL[26] ^= kw4l; subR[26] ^= kw4r;
422                 kw4l ^= kw4r & ~subR[24];
423                 dw = kw4l & subL[24];
424                 kw4r ^= rol32(dw, 1); /* modified for FL(kl5) */
425         }
426         /* round 17 */
427         subL[22] ^= kw4l; subR[22] ^= kw4r;
428         /* round 15 */
429         subL[20] ^= kw4l; subR[20] ^= kw4r;
430         /* round 13 */
431         subL[18] ^= kw4l; subR[18] ^= kw4r;
432         kw4l ^= kw4r & ~subR[16];
433         dw = kw4l & subL[16];
434         kw4r ^= rol32(dw, 1); /* modified for FL(kl3) */
435         /* round 11 */
436         subL[14] ^= kw4l; subR[14] ^= kw4r;
437         /* round 9 */
438         subL[12] ^= kw4l; subR[12] ^= kw4r;
439         /* round 7 */
440         subL[10] ^= kw4l; subR[10] ^= kw4r;
441         kw4l ^= kw4r & ~subR[8];
442         dw = kw4l & subL[8];
443         kw4r ^= rol32(dw, 1); /* modified for FL(kl1) */
444         /* round 5 */
445         subL[6] ^= kw4l; subR[6] ^= kw4r;
446         /* round 3 */
447         subL[4] ^= kw4l; subR[4] ^= kw4r;
448         /* round 1 */
449         subL[2] ^= kw4l; subR[2] ^= kw4r;
450         /* kw1 */
451         subL[0] ^= kw4l; subR[0] ^= kw4r;
452
453         /* key XOR is end of F-function */
454         SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
455         SUBKEY_R(0) = subR[0] ^ subR[2];
456         SUBKEY_L(2) = subL[3];       /* round 1 */
457         SUBKEY_R(2) = subR[3];
458         SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
459         SUBKEY_R(3) = subR[2] ^ subR[4];
460         SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
461         SUBKEY_R(4) = subR[3] ^ subR[5];
462         SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
463         SUBKEY_R(5) = subR[4] ^ subR[6];
464         SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
465         SUBKEY_R(6) = subR[5] ^ subR[7];
466         tl = subL[10] ^ (subR[10] & ~subR[8]);
467         dw = tl & subL[8];  /* FL(kl1) */
468         tr = subR[10] ^ rol32(dw, 1);
469         SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
470         SUBKEY_R(7) = subR[6] ^ tr;
471         SUBKEY_L(8) = subL[8];       /* FL(kl1) */
472         SUBKEY_R(8) = subR[8];
473         SUBKEY_L(9) = subL[9];       /* FLinv(kl2) */
474         SUBKEY_R(9) = subR[9];
475         tl = subL[7] ^ (subR[7] & ~subR[9]);
476         dw = tl & subL[9];  /* FLinv(kl2) */
477         tr = subR[7] ^ rol32(dw, 1);
478         SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
479         SUBKEY_R(10) = tr ^ subR[11];
480         SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
481         SUBKEY_R(11) = subR[10] ^ subR[12];
482         SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
483         SUBKEY_R(12) = subR[11] ^ subR[13];
484         SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
485         SUBKEY_R(13) = subR[12] ^ subR[14];
486         SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
487         SUBKEY_R(14) = subR[13] ^ subR[15];
488         tl = subL[18] ^ (subR[18] & ~subR[16]);
489         dw = tl & subL[16]; /* FL(kl3) */
490         tr = subR[18] ^ rol32(dw, 1);
491         SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
492         SUBKEY_R(15) = subR[14] ^ tr;
493         SUBKEY_L(16) = subL[16];     /* FL(kl3) */
494         SUBKEY_R(16) = subR[16];
495         SUBKEY_L(17) = subL[17];     /* FLinv(kl4) */
496         SUBKEY_R(17) = subR[17];
497         tl = subL[15] ^ (subR[15] & ~subR[17]);
498         dw = tl & subL[17]; /* FLinv(kl4) */
499         tr = subR[15] ^ rol32(dw, 1);
500         SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
501         SUBKEY_R(18) = tr ^ subR[19];
502         SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
503         SUBKEY_R(19) = subR[18] ^ subR[20];
504         SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
505         SUBKEY_R(20) = subR[19] ^ subR[21];
506         SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
507         SUBKEY_R(21) = subR[20] ^ subR[22];
508         SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
509         SUBKEY_R(22) = subR[21] ^ subR[23];
510         if (max == 24) {
511                 SUBKEY_L(23) = subL[22];     /* round 18 */
512                 SUBKEY_R(23) = subR[22];
513                 SUBKEY_L(24) = subL[24] ^ subL[23]; /* kw3 */
514                 SUBKEY_R(24) = subR[24] ^ subR[23];
515         } else {
516                 tl = subL[26] ^ (subR[26] & ~subR[24]);
517                 dw = tl & subL[24]; /* FL(kl5) */
518                 tr = subR[26] ^ rol32(dw, 1);
519                 SUBKEY_L(23) = subL[22] ^ tl; /* round 18 */
520                 SUBKEY_R(23) = subR[22] ^ tr;
521                 SUBKEY_L(24) = subL[24];     /* FL(kl5) */
522                 SUBKEY_R(24) = subR[24];
523                 SUBKEY_L(25) = subL[25];     /* FLinv(kl6) */
524                 SUBKEY_R(25) = subR[25];
525                 tl = subL[23] ^ (subR[23] & ~subR[25]);
526                 dw = tl & subL[25]; /* FLinv(kl6) */
527                 tr = subR[23] ^ rol32(dw, 1);
528                 SUBKEY_L(26) = tl ^ subL[27]; /* round 19 */
529                 SUBKEY_R(26) = tr ^ subR[27];
530                 SUBKEY_L(27) = subL[26] ^ subL[28]; /* round 20 */
531                 SUBKEY_R(27) = subR[26] ^ subR[28];
532                 SUBKEY_L(28) = subL[27] ^ subL[29]; /* round 21 */
533                 SUBKEY_R(28) = subR[27] ^ subR[29];
534                 SUBKEY_L(29) = subL[28] ^ subL[30]; /* round 22 */
535                 SUBKEY_R(29) = subR[28] ^ subR[30];
536                 SUBKEY_L(30) = subL[29] ^ subL[31]; /* round 23 */
537                 SUBKEY_R(30) = subR[29] ^ subR[31];
538                 SUBKEY_L(31) = subL[30];     /* round 24 */
539                 SUBKEY_R(31) = subR[30];
540                 SUBKEY_L(32) = subL[32] ^ subL[31]; /* kw3 */
541                 SUBKEY_R(32) = subR[32] ^ subR[31];
542         }
543 }
544
545 static void camellia_setup128(const unsigned char *key, u32 *subkey)
546 {
547         u32 kll, klr, krl, krr;
548         u32 il, ir, t0, t1, w0, w1;
549         u32 subL[26];
550         u32 subR[26];
551
552         /**
553          *  k == kll || klr || krl || krr (|| is concatenation)
554          */
555         kll = get_unaligned_be32(key);
556         klr = get_unaligned_be32(key + 4);
557         krl = get_unaligned_be32(key + 8);
558         krr = get_unaligned_be32(key + 12);
559
560         /* generate KL dependent subkeys */
561         /* kw1 */
562         subL[0] = kll; subR[0] = klr;
563         /* kw2 */
564         subL[1] = krl; subR[1] = krr;
565         /* rotation left shift 15bit */
566         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
567         /* k3 */
568         subL[4] = kll; subR[4] = klr;
569         /* k4 */
570         subL[5] = krl; subR[5] = krr;
571         /* rotation left shift 15+30bit */
572         ROLDQ(kll, klr, krl, krr, w0, w1, 30);
573         /* k7 */
574         subL[10] = kll; subR[10] = klr;
575         /* k8 */
576         subL[11] = krl; subR[11] = krr;
577         /* rotation left shift 15+30+15bit */
578         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
579         /* k10 */
580         subL[13] = krl; subR[13] = krr;
581         /* rotation left shift 15+30+15+17 bit */
582         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
583         /* kl3 */
584         subL[16] = kll; subR[16] = klr;
585         /* kl4 */
586         subL[17] = krl; subR[17] = krr;
587         /* rotation left shift 15+30+15+17+17 bit */
588         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
589         /* k13 */
590         subL[18] = kll; subR[18] = klr;
591         /* k14 */
592         subL[19] = krl; subR[19] = krr;
593         /* rotation left shift 15+30+15+17+17+17 bit */
594         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
595         /* k17 */
596         subL[22] = kll; subR[22] = klr;
597         /* k18 */
598         subL[23] = krl; subR[23] = krr;
599
600         /* generate KA */
601         kll = subL[0]; klr = subR[0];
602         krl = subL[1]; krr = subR[1];
603         CAMELLIA_F(kll, klr,
604                    CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
605                    w0, w1, il, ir, t0, t1);
606         krl ^= w0; krr ^= w1;
607         CAMELLIA_F(krl, krr,
608                    CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
609                    kll, klr, il, ir, t0, t1);
610         /* current status == (kll, klr, w0, w1) */
611         CAMELLIA_F(kll, klr,
612                    CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
613                    krl, krr, il, ir, t0, t1);
614         krl ^= w0; krr ^= w1;
615         CAMELLIA_F(krl, krr,
616                    CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
617                    w0, w1, il, ir, t0, t1);
618         kll ^= w0; klr ^= w1;
619
620         /* generate KA dependent subkeys */
621         /* k1, k2 */
622         subL[2] = kll; subR[2] = klr;
623         subL[3] = krl; subR[3] = krr;
624         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
625         /* k5,k6 */
626         subL[6] = kll; subR[6] = klr;
627         subL[7] = krl; subR[7] = krr;
628         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
629         /* kl1, kl2 */
630         subL[8] = kll; subR[8] = klr;
631         subL[9] = krl; subR[9] = krr;
632         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
633         /* k9 */
634         subL[12] = kll; subR[12] = klr;
635         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
636         /* k11, k12 */
637         subL[14] = kll; subR[14] = klr;
638         subL[15] = krl; subR[15] = krr;
639         ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
640         /* k15, k16 */
641         subL[20] = kll; subR[20] = klr;
642         subL[21] = krl; subR[21] = krr;
643         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
644         /* kw3, kw4 */
645         subL[24] = kll; subR[24] = klr;
646         subL[25] = krl; subR[25] = krr;
647
648         camellia_setup_tail(subkey, subL, subR, 24);
649 }
650
651 static void camellia_setup256(const unsigned char *key, u32 *subkey)
652 {
653         u32 kll, klr, krl, krr;        /* left half of key */
654         u32 krll, krlr, krrl, krrr;    /* right half of key */
655         u32 il, ir, t0, t1, w0, w1;    /* temporary variables */
656         u32 subL[34];
657         u32 subR[34];
658
659         /**
660          *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
661          *  (|| is concatenation)
662          */
663         kll = get_unaligned_be32(key);
664         klr = get_unaligned_be32(key + 4);
665         krl = get_unaligned_be32(key + 8);
666         krr = get_unaligned_be32(key + 12);
667         krll = get_unaligned_be32(key + 16);
668         krlr = get_unaligned_be32(key + 20);
669         krrl = get_unaligned_be32(key + 24);
670         krrr = get_unaligned_be32(key + 28);
671
672         /* generate KL dependent subkeys */
673         /* kw1 */
674         subL[0] = kll; subR[0] = klr;
675         /* kw2 */
676         subL[1] = krl; subR[1] = krr;
677         ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
678         /* k9 */
679         subL[12] = kll; subR[12] = klr;
680         /* k10 */
681         subL[13] = krl; subR[13] = krr;
682         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
683         /* kl3 */
684         subL[16] = kll; subR[16] = klr;
685         /* kl4 */
686         subL[17] = krl; subR[17] = krr;
687         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
688         /* k17 */
689         subL[22] = kll; subR[22] = klr;
690         /* k18 */
691         subL[23] = krl; subR[23] = krr;
692         ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
693         /* k23 */
694         subL[30] = kll; subR[30] = klr;
695         /* k24 */
696         subL[31] = krl; subR[31] = krr;
697
698         /* generate KR dependent subkeys */
699         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
700         /* k3 */
701         subL[4] = krll; subR[4] = krlr;
702         /* k4 */
703         subL[5] = krrl; subR[5] = krrr;
704         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
705         /* kl1 */
706         subL[8] = krll; subR[8] = krlr;
707         /* kl2 */
708         subL[9] = krrl; subR[9] = krrr;
709         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
710         /* k13 */
711         subL[18] = krll; subR[18] = krlr;
712         /* k14 */
713         subL[19] = krrl; subR[19] = krrr;
714         ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
715         /* k19 */
716         subL[26] = krll; subR[26] = krlr;
717         /* k20 */
718         subL[27] = krrl; subR[27] = krrr;
719         ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
720
721         /* generate KA */
722         kll = subL[0] ^ krll; klr = subR[0] ^ krlr;
723         krl = subL[1] ^ krrl; krr = subR[1] ^ krrr;
724         CAMELLIA_F(kll, klr,
725                    CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
726                    w0, w1, il, ir, t0, t1);
727         krl ^= w0; krr ^= w1;
728         CAMELLIA_F(krl, krr,
729                    CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
730                    kll, klr, il, ir, t0, t1);
731         kll ^= krll; klr ^= krlr;
732         CAMELLIA_F(kll, klr,
733                    CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
734                    krl, krr, il, ir, t0, t1);
735         krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
736         CAMELLIA_F(krl, krr,
737                    CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
738                    w0, w1, il, ir, t0, t1);
739         kll ^= w0; klr ^= w1;
740
741         /* generate KB */
742         krll ^= kll; krlr ^= klr;
743         krrl ^= krl; krrr ^= krr;
744         CAMELLIA_F(krll, krlr,
745                    CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
746                    w0, w1, il, ir, t0, t1);
747         krrl ^= w0; krrr ^= w1;
748         CAMELLIA_F(krrl, krrr,
749                    CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
750                    w0, w1, il, ir, t0, t1);
751         krll ^= w0; krlr ^= w1;
752
753         /* generate KA dependent subkeys */
754         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
755         /* k5 */
756         subL[6] = kll; subR[6] = klr;
757         /* k6 */
758         subL[7] = krl; subR[7] = krr;
759         ROLDQ(kll, klr, krl, krr, w0, w1, 30);
760         /* k11 */
761         subL[14] = kll; subR[14] = klr;
762         /* k12 */
763         subL[15] = krl; subR[15] = krr;
764         /* rotation left shift 32bit */
765         /* kl5 */
766         subL[24] = klr; subR[24] = krl;
767         /* kl6 */
768         subL[25] = krr; subR[25] = kll;
769         /* rotation left shift 49 from k11,k12 -> k21,k22 */
770         ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
771         /* k21 */
772         subL[28] = kll; subR[28] = klr;
773         /* k22 */
774         subL[29] = krl; subR[29] = krr;
775
776         /* generate KB dependent subkeys */
777         /* k1 */
778         subL[2] = krll; subR[2] = krlr;
779         /* k2 */
780         subL[3] = krrl; subR[3] = krrr;
781         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
782         /* k7 */
783         subL[10] = krll; subR[10] = krlr;
784         /* k8 */
785         subL[11] = krrl; subR[11] = krrr;
786         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
787         /* k15 */
788         subL[20] = krll; subR[20] = krlr;
789         /* k16 */
790         subL[21] = krrl; subR[21] = krrr;
791         ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
792         /* kw3 */
793         subL[32] = krll; subR[32] = krlr;
794         /* kw4 */
795         subL[33] = krrl; subR[33] = krrr;
796
797         camellia_setup_tail(subkey, subL, subR, 32);
798 }
799
800 static void camellia_setup192(const unsigned char *key, u32 *subkey)
801 {
802         unsigned char kk[32];
803         u32 krll, krlr, krrl, krrr;
804
805         memcpy(kk, key, 24);
806         memcpy((unsigned char *)&krll, key+16, 4);
807         memcpy((unsigned char *)&krlr, key+20, 4);
808         krrl = ~krll;
809         krrr = ~krlr;
810         memcpy(kk+24, (unsigned char *)&krrl, 4);
811         memcpy(kk+28, (unsigned char *)&krrr, 4);
812         camellia_setup256(kk, subkey);
813 }
814
815
816 /*
817  * Encrypt/decrypt
818  */
819 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) ({ \
820         t0 = kll;                                                       \
821         t2 = krr;                                                       \
822         t0 &= ll;                                                       \
823         t2 |= rr;                                                       \
824         rl ^= t2;                                                       \
825         lr ^= rol32(t0, 1);                                             \
826         t3 = krl;                                                       \
827         t1 = klr;                                                       \
828         t3 &= rl;                                                       \
829         t1 |= lr;                                                       \
830         ll ^= t1;                                                       \
831         rr ^= rol32(t3, 1);                                             \
832 })
833
834 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir) ({             \
835         yl ^= kl;                                                       \
836         yr ^= kr;                                                       \
837         ir =  camellia_sp1110[(u8)xr];                                  \
838         il =  camellia_sp1110[(u8)(xl >> 24)];                          \
839         ir ^= camellia_sp0222[(u8)(xr >> 24)];                          \
840         il ^= camellia_sp0222[(u8)(xl >> 16)];                          \
841         ir ^= camellia_sp3033[(u8)(xr >> 16)];                          \
842         il ^= camellia_sp3033[(u8)(xl >> 8)];                           \
843         ir ^= camellia_sp4404[(u8)(xr >> 8)];                           \
844         il ^= camellia_sp4404[(u8)xl];                                  \
845         ir ^= il;                                                       \
846         yl ^= ir;                                                       \
847         yr ^= ror32(il, 8) ^ ir;                                        \
848 })
849
850 /* max = 24: 128bit encrypt, max = 32: 256bit encrypt */
851 static void camellia_do_encrypt(const u32 *subkey, u32 *io, unsigned max)
852 {
853         u32 il, ir, t0, t1;            /* temporary variables */
854
855         /* pre whitening but absorb kw2 */
856         io[0] ^= SUBKEY_L(0);
857         io[1] ^= SUBKEY_R(0);
858
859         /* main iteration */
860 #define ROUNDS(i) ({ \
861         CAMELLIA_ROUNDSM(io[0], io[1], \
862                          SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
863                          io[2], io[3], il, ir); \
864         CAMELLIA_ROUNDSM(io[2], io[3], \
865                          SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
866                          io[0], io[1], il, ir); \
867         CAMELLIA_ROUNDSM(io[0], io[1], \
868                          SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
869                          io[2], io[3], il, ir); \
870         CAMELLIA_ROUNDSM(io[2], io[3], \
871                          SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
872                          io[0], io[1], il, ir); \
873         CAMELLIA_ROUNDSM(io[0], io[1], \
874                          SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
875                          io[2], io[3], il, ir); \
876         CAMELLIA_ROUNDSM(io[2], io[3], \
877                          SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
878                          io[0], io[1], il, ir); \
879 })
880 #define FLS(i) ({ \
881         CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
882                      SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
883                      SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
884                      t0, t1, il, ir); \
885 })
886
887         ROUNDS(0);
888         FLS(8);
889         ROUNDS(8);
890         FLS(16);
891         ROUNDS(16);
892         if (max == 32) {
893                 FLS(24);
894                 ROUNDS(24);
895         }
896
897 #undef ROUNDS
898 #undef FLS
899
900         /* post whitening but kw4 */
901         io[2] ^= SUBKEY_L(max);
902         io[3] ^= SUBKEY_R(max);
903         /* NB: io[0],[1] should be swapped with [2],[3] by caller! */
904 }
905
906 static void camellia_do_decrypt(const u32 *subkey, u32 *io, unsigned i)
907 {
908         u32 il, ir, t0, t1;            /* temporary variables */
909
910         /* pre whitening but absorb kw2 */
911         io[0] ^= SUBKEY_L(i);
912         io[1] ^= SUBKEY_R(i);
913
914         /* main iteration */
915 #define ROUNDS(i) ({ \
916         CAMELLIA_ROUNDSM(io[0], io[1], \
917                          SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
918                          io[2], io[3], il, ir); \
919         CAMELLIA_ROUNDSM(io[2], io[3], \
920                          SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
921                          io[0], io[1], il, ir); \
922         CAMELLIA_ROUNDSM(io[0], io[1], \
923                          SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
924                          io[2], io[3], il, ir); \
925         CAMELLIA_ROUNDSM(io[2], io[3], \
926                          SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
927                          io[0], io[1], il, ir); \
928         CAMELLIA_ROUNDSM(io[0], io[1], \
929                          SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
930                          io[2], io[3], il, ir); \
931         CAMELLIA_ROUNDSM(io[2], io[3], \
932                          SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
933                          io[0], io[1], il, ir); \
934 })
935 #define FLS(i) ({ \
936         CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
937                      SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
938                      SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
939                      t0, t1, il, ir); \
940 })
941
942         if (i == 32) {
943                 ROUNDS(24);
944                 FLS(24);
945         }
946         ROUNDS(16);
947         FLS(16);
948         ROUNDS(8);
949         FLS(8);
950         ROUNDS(0);
951
952 #undef ROUNDS
953 #undef FLS
954
955         /* post whitening but kw4 */
956         io[2] ^= SUBKEY_L(0);
957         io[3] ^= SUBKEY_R(0);
958         /* NB: 0,1 should be swapped with 2,3 by caller! */
959 }
960
961
962 struct camellia_ctx {
963         int key_length;
964         u32 key_table[CAMELLIA_TABLE_BYTE_LEN / sizeof(u32)];
965 };
966
967 static int
968 camellia_set_key(struct crypto_tfm *tfm, const u8 *in_key,
969                  unsigned int key_len)
970 {
971         struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
972         const unsigned char *key = (const unsigned char *)in_key;
973         u32 *flags = &tfm->crt_flags;
974
975         if (key_len != 16 && key_len != 24 && key_len != 32) {
976                 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
977                 return -EINVAL;
978         }
979
980         cctx->key_length = key_len;
981
982         switch (key_len) {
983         case 16:
984                 camellia_setup128(key, cctx->key_table);
985                 break;
986         case 24:
987                 camellia_setup192(key, cctx->key_table);
988                 break;
989         case 32:
990                 camellia_setup256(key, cctx->key_table);
991                 break;
992         }
993
994         return 0;
995 }
996
997 static void camellia_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
998 {
999         const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1000         const __be32 *src = (const __be32 *)in;
1001         __be32 *dst = (__be32 *)out;
1002         unsigned int max;
1003
1004         u32 tmp[4];
1005
1006         tmp[0] = be32_to_cpu(src[0]);
1007         tmp[1] = be32_to_cpu(src[1]);
1008         tmp[2] = be32_to_cpu(src[2]);
1009         tmp[3] = be32_to_cpu(src[3]);
1010
1011         if (cctx->key_length == 16)
1012                 max = 24;
1013         else
1014                 max = 32; /* for key lengths of 24 and 32 */
1015
1016         camellia_do_encrypt(cctx->key_table, tmp, max);
1017
1018         /* do_encrypt returns 0,1 swapped with 2,3 */
1019         dst[0] = cpu_to_be32(tmp[2]);
1020         dst[1] = cpu_to_be32(tmp[3]);
1021         dst[2] = cpu_to_be32(tmp[0]);
1022         dst[3] = cpu_to_be32(tmp[1]);
1023 }
1024
1025 static void camellia_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1026 {
1027         const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1028         const __be32 *src = (const __be32 *)in;
1029         __be32 *dst = (__be32 *)out;
1030         unsigned int max;
1031
1032         u32 tmp[4];
1033
1034         tmp[0] = be32_to_cpu(src[0]);
1035         tmp[1] = be32_to_cpu(src[1]);
1036         tmp[2] = be32_to_cpu(src[2]);
1037         tmp[3] = be32_to_cpu(src[3]);
1038
1039         if (cctx->key_length == 16)
1040                 max = 24;
1041         else
1042                 max = 32; /* for key lengths of 24 and 32 */
1043
1044         camellia_do_decrypt(cctx->key_table, tmp, max);
1045
1046         /* do_decrypt returns 0,1 swapped with 2,3 */
1047         dst[0] = cpu_to_be32(tmp[2]);
1048         dst[1] = cpu_to_be32(tmp[3]);
1049         dst[2] = cpu_to_be32(tmp[0]);
1050         dst[3] = cpu_to_be32(tmp[1]);
1051 }
1052
1053 static struct crypto_alg camellia_alg = {
1054         .cra_name               =       "camellia",
1055         .cra_driver_name        =       "camellia-generic",
1056         .cra_priority           =       100,
1057         .cra_flags              =       CRYPTO_ALG_TYPE_CIPHER,
1058         .cra_blocksize          =       CAMELLIA_BLOCK_SIZE,
1059         .cra_ctxsize            =       sizeof(struct camellia_ctx),
1060         .cra_alignmask          =       3,
1061         .cra_module             =       THIS_MODULE,
1062         .cra_u                  =       {
1063                 .cipher = {
1064                         .cia_min_keysize        =       CAMELLIA_MIN_KEY_SIZE,
1065                         .cia_max_keysize        =       CAMELLIA_MAX_KEY_SIZE,
1066                         .cia_setkey             =       camellia_set_key,
1067                         .cia_encrypt            =       camellia_encrypt,
1068                         .cia_decrypt            =       camellia_decrypt
1069                 }
1070         }
1071 };
1072
1073 static int __init camellia_init(void)
1074 {
1075         return crypto_register_alg(&camellia_alg);
1076 }
1077
1078 static void __exit camellia_fini(void)
1079 {
1080         crypto_unregister_alg(&camellia_alg);
1081 }
1082
1083 subsys_initcall(camellia_init);
1084 module_exit(camellia_fini);
1085
1086 MODULE_DESCRIPTION("Camellia Cipher Algorithm");
1087 MODULE_LICENSE("GPL");
1088 MODULE_ALIAS_CRYPTO("camellia");
1089 MODULE_ALIAS_CRYPTO("camellia-generic");