Merge tag '9p-for-6.2-rc1' of https://github.com/martinetd/linux
[platform/kernel/linux-rpi.git] / crypto / camellia_generic.c
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (C) 2006
4  * NTT (Nippon Telegraph and Telephone Corporation).
5  */
6
7 /*
8  * Algorithm Specification
9  *  https://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
10  */
11
12 #include <crypto/algapi.h>
13 #include <linux/errno.h>
14 #include <linux/init.h>
15 #include <linux/kernel.h>
16 #include <linux/module.h>
17 #include <linux/bitops.h>
18 #include <asm/unaligned.h>
19
20 static const u32 camellia_sp1110[256] = {
21         0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00,
22         0xb3b3b300, 0x27272700, 0xc0c0c000, 0xe5e5e500,
23         0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
24         0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100,
25         0x23232300, 0xefefef00, 0x6b6b6b00, 0x93939300,
26         0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
27         0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00,
28         0x1d1d1d00, 0x65656500, 0x92929200, 0xbdbdbd00,
29         0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
30         0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00,
31         0x3e3e3e00, 0x30303000, 0xdcdcdc00, 0x5f5f5f00,
32         0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
33         0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00,
34         0xd5d5d500, 0x47474700, 0x5d5d5d00, 0x3d3d3d00,
35         0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
36         0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00,
37         0x8b8b8b00, 0x0d0d0d00, 0x9a9a9a00, 0x66666600,
38         0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
39         0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000,
40         0xf0f0f000, 0xb1b1b100, 0x84848400, 0x99999900,
41         0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
42         0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500,
43         0x6d6d6d00, 0xb7b7b700, 0xa9a9a900, 0x31313100,
44         0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
45         0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100,
46         0xdedede00, 0x1b1b1b00, 0x11111100, 0x1c1c1c00,
47         0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
48         0x53535300, 0x18181800, 0xf2f2f200, 0x22222200,
49         0xfefefe00, 0x44444400, 0xcfcfcf00, 0xb2b2b200,
50         0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
51         0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800,
52         0x60606000, 0xfcfcfc00, 0x69696900, 0x50505000,
53         0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
54         0xa1a1a100, 0x89898900, 0x62626200, 0x97979700,
55         0x54545400, 0x5b5b5b00, 0x1e1e1e00, 0x95959500,
56         0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
57         0x10101000, 0xc4c4c400, 0x00000000, 0x48484800,
58         0xa3a3a300, 0xf7f7f700, 0x75757500, 0xdbdbdb00,
59         0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
60         0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400,
61         0x87878700, 0x5c5c5c00, 0x83838300, 0x02020200,
62         0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
63         0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300,
64         0x9d9d9d00, 0x7f7f7f00, 0xbfbfbf00, 0xe2e2e200,
65         0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
66         0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00,
67         0x81818100, 0x96969600, 0x6f6f6f00, 0x4b4b4b00,
68         0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
69         0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00,
70         0x9f9f9f00, 0x6e6e6e00, 0xbcbcbc00, 0x8e8e8e00,
71         0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
72         0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900,
73         0x78787800, 0x98989800, 0x06060600, 0x6a6a6a00,
74         0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
75         0xd4d4d400, 0x25252500, 0xababab00, 0x42424200,
76         0x88888800, 0xa2a2a200, 0x8d8d8d00, 0xfafafa00,
77         0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
78         0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00,
79         0x36363600, 0x49494900, 0x2a2a2a00, 0x68686800,
80         0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
81         0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00,
82         0xbbbbbb00, 0xc9c9c900, 0x43434300, 0xc1c1c100,
83         0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
84         0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00,
85 };
86
87 static const u32 camellia_sp0222[256] = {
88         0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9,
89         0x00676767, 0x004e4e4e, 0x00818181, 0x00cbcbcb,
90         0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
91         0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282,
92         0x00464646, 0x00dfdfdf, 0x00d6d6d6, 0x00272727,
93         0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
94         0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c,
95         0x003a3a3a, 0x00cacaca, 0x00252525, 0x007b7b7b,
96         0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
97         0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d,
98         0x007c7c7c, 0x00606060, 0x00b9b9b9, 0x00bebebe,
99         0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
100         0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595,
101         0x00ababab, 0x008e8e8e, 0x00bababa, 0x007a7a7a,
102         0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
103         0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a,
104         0x00171717, 0x001a1a1a, 0x00353535, 0x00cccccc,
105         0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
106         0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040,
107         0x00e1e1e1, 0x00636363, 0x00090909, 0x00333333,
108         0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
109         0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a,
110         0x00dadada, 0x006f6f6f, 0x00535353, 0x00626262,
111         0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
112         0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2,
113         0x00bdbdbd, 0x00363636, 0x00222222, 0x00383838,
114         0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
115         0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444,
116         0x00fdfdfd, 0x00888888, 0x009f9f9f, 0x00656565,
117         0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
118         0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151,
119         0x00c0c0c0, 0x00f9f9f9, 0x00d2d2d2, 0x00a0a0a0,
120         0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
121         0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f,
122         0x00a8a8a8, 0x00b6b6b6, 0x003c3c3c, 0x002b2b2b,
123         0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
124         0x00202020, 0x00898989, 0x00000000, 0x00909090,
125         0x00474747, 0x00efefef, 0x00eaeaea, 0x00b7b7b7,
126         0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
127         0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929,
128         0x000f0f0f, 0x00b8b8b8, 0x00070707, 0x00040404,
129         0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
130         0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7,
131         0x003b3b3b, 0x00fefefe, 0x007f7f7f, 0x00c5c5c5,
132         0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
133         0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676,
134         0x00030303, 0x002d2d2d, 0x00dedede, 0x00969696,
135         0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
136         0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919,
137         0x003f3f3f, 0x00dcdcdc, 0x00797979, 0x001d1d1d,
138         0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
139         0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2,
140         0x00f0f0f0, 0x00313131, 0x000c0c0c, 0x00d4d4d4,
141         0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
142         0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484,
143         0x00111111, 0x00454545, 0x001b1b1b, 0x00f5f5f5,
144         0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
145         0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414,
146         0x006c6c6c, 0x00929292, 0x00545454, 0x00d0d0d0,
147         0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
148         0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6,
149         0x00777777, 0x00939393, 0x00868686, 0x00838383,
150         0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
151         0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d,
152 };
153
154 static const u32 camellia_sp3033[256] = {
155         0x38003838, 0x41004141, 0x16001616, 0x76007676,
156         0xd900d9d9, 0x93009393, 0x60006060, 0xf200f2f2,
157         0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
158         0x75007575, 0x06000606, 0x57005757, 0xa000a0a0,
159         0x91009191, 0xf700f7f7, 0xb500b5b5, 0xc900c9c9,
160         0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
161         0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727,
162         0x8e008e8e, 0xb200b2b2, 0x49004949, 0xde00dede,
163         0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
164         0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767,
165         0x1f001f1f, 0x18001818, 0x6e006e6e, 0xaf00afaf,
166         0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
167         0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565,
168         0xea00eaea, 0xa300a3a3, 0xae00aeae, 0x9e009e9e,
169         0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
170         0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6,
171         0xc500c5c5, 0x86008686, 0x4d004d4d, 0x33003333,
172         0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
173         0x3a003a3a, 0x09000909, 0x95009595, 0x10001010,
174         0x78007878, 0xd800d8d8, 0x42004242, 0xcc00cccc,
175         0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
176         0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282,
177         0xb600b6b6, 0xdb00dbdb, 0xd400d4d4, 0x98009898,
178         0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
179         0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0,
180         0x6f006f6f, 0x8d008d8d, 0x88008888, 0x0e000e0e,
181         0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
182         0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111,
183         0x7f007f7f, 0x22002222, 0xe700e7e7, 0x59005959,
184         0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
185         0x12001212, 0x04000404, 0x74007474, 0x54005454,
186         0x30003030, 0x7e007e7e, 0xb400b4b4, 0x28002828,
187         0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
188         0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb,
189         0x2a002a2a, 0xad00adad, 0x0f000f0f, 0xca00caca,
190         0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
191         0x08000808, 0x62006262, 0x00000000, 0x24002424,
192         0xd100d1d1, 0xfb00fbfb, 0xba00baba, 0xed00eded,
193         0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
194         0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a,
195         0xc300c3c3, 0x2e002e2e, 0xc100c1c1, 0x01000101,
196         0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
197         0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9,
198         0xce00cece, 0xbf00bfbf, 0xdf00dfdf, 0x71007171,
199         0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
200         0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d,
201         0xc000c0c0, 0x4b004b4b, 0xb700b7b7, 0xa500a5a5,
202         0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
203         0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646,
204         0xcf00cfcf, 0x37003737, 0x5e005e5e, 0x47004747,
205         0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
206         0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac,
207         0x3c003c3c, 0x4c004c4c, 0x03000303, 0x35003535,
208         0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
209         0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121,
210         0x44004444, 0x51005151, 0xc600c6c6, 0x7d007d7d,
211         0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
212         0x7c007c7c, 0x77007777, 0x56005656, 0x05000505,
213         0x1b001b1b, 0xa400a4a4, 0x15001515, 0x34003434,
214         0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
215         0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd,
216         0xdd00dddd, 0xe400e4e4, 0xa100a1a1, 0xe000e0e0,
217         0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
218         0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f,
219 };
220
221 static const u32 camellia_sp4404[256] = {
222         0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0,
223         0xe4e400e4, 0x57570057, 0xeaea00ea, 0xaeae00ae,
224         0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
225         0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092,
226         0x86860086, 0xafaf00af, 0x7c7c007c, 0x1f1f001f,
227         0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
228         0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d,
229         0xd9d900d9, 0x5a5a005a, 0x51510051, 0x6c6c006c,
230         0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
231         0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084,
232         0xdfdf00df, 0xcbcb00cb, 0x34340034, 0x76760076,
233         0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
234         0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011,
235         0x32320032, 0x9c9c009c, 0x53530053, 0xf2f200f2,
236         0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
237         0x24240024, 0xe8e800e8, 0x60600060, 0x69690069,
238         0xaaaa00aa, 0xa0a000a0, 0xa1a100a1, 0x62620062,
239         0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
240         0x10100010, 0x00000000, 0xa3a300a3, 0x75750075,
241         0x8a8a008a, 0xe6e600e6, 0x09090009, 0xdddd00dd,
242         0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
243         0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf,
244         0x52520052, 0xd8d800d8, 0xc8c800c8, 0xc6c600c6,
245         0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
246         0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc,
247         0x29290029, 0xf9f900f9, 0x2f2f002f, 0xb4b400b4,
248         0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
249         0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d,
250         0x72720072, 0xb9b900b9, 0xf8f800f8, 0xacac00ac,
251         0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
252         0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043,
253         0x15150015, 0xadad00ad, 0x77770077, 0x80800080,
254         0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
255         0x85850085, 0x35350035, 0x0c0c000c, 0x41410041,
256         0xefef00ef, 0x93930093, 0x19190019, 0x21210021,
257         0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
258         0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce,
259         0x30300030, 0x5f5f005f, 0xc5c500c5, 0x1a1a001a,
260         0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
261         0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d,
262         0x0d0d000d, 0x66660066, 0xcccc00cc, 0x2d2d002d,
263         0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
264         0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005,
265         0xb7b700b7, 0x31310031, 0x17170017, 0xd7d700d7,
266         0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
267         0x0f0f000f, 0x16160016, 0x18180018, 0x22220022,
268         0x44440044, 0xb2b200b2, 0xb5b500b5, 0x91910091,
269         0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
270         0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097,
271         0x5b5b005b, 0x95950095, 0xffff00ff, 0xd2d200d2,
272         0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
273         0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094,
274         0x5c5c005c, 0x02020002, 0x4a4a004a, 0x33330033,
275         0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
276         0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b,
277         0x96960096, 0x4b4b004b, 0xbebe00be, 0x2e2e002e,
278         0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
279         0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059,
280         0x98980098, 0x6a6a006a, 0x46460046, 0xbaba00ba,
281         0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
282         0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a,
283         0x49490049, 0x68680068, 0x38380038, 0xa4a400a4,
284         0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
285         0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e,
286 };
287
288
289 #define CAMELLIA_MIN_KEY_SIZE        16
290 #define CAMELLIA_MAX_KEY_SIZE        32
291 #define CAMELLIA_BLOCK_SIZE          16
292 #define CAMELLIA_TABLE_BYTE_LEN     272
293
294 /*
295  * NB: L and R below stand for 'left' and 'right' as in written numbers.
296  * That is, in (xxxL,xxxR) pair xxxL holds most significant digits,
297  * _not_ least significant ones!
298  */
299
300
301 /* key constants */
302
303 #define CAMELLIA_SIGMA1L (0xA09E667FL)
304 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
305 #define CAMELLIA_SIGMA2L (0xB67AE858L)
306 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
307 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
308 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
309 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
310 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
311 #define CAMELLIA_SIGMA5L (0x10E527FAL)
312 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
313 #define CAMELLIA_SIGMA6L (0xB05688C2L)
314 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
315
316 /*
317  *  macros
318  */
319 #define ROLDQ(ll, lr, rl, rr, w0, w1, bits) ({          \
320         w0 = ll;                                        \
321         ll = (ll << bits) + (lr >> (32 - bits));        \
322         lr = (lr << bits) + (rl >> (32 - bits));        \
323         rl = (rl << bits) + (rr >> (32 - bits));        \
324         rr = (rr << bits) + (w0 >> (32 - bits));        \
325 })
326
327 #define ROLDQo32(ll, lr, rl, rr, w0, w1, bits) ({       \
328         w0 = ll;                                        \
329         w1 = lr;                                        \
330         ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
331         lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
332         rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
333         rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
334 })
335
336 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) ({   \
337         il = xl ^ kl;                                           \
338         ir = xr ^ kr;                                           \
339         t0 = il >> 16;                                          \
340         t1 = ir >> 16;                                          \
341         yl = camellia_sp1110[(u8)(ir)]                          \
342            ^ camellia_sp0222[(u8)(t1 >> 8)]                     \
343            ^ camellia_sp3033[(u8)(t1)]                          \
344            ^ camellia_sp4404[(u8)(ir >> 8)];                    \
345         yr = camellia_sp1110[(u8)(t0 >> 8)]                     \
346            ^ camellia_sp0222[(u8)(t0)]                          \
347            ^ camellia_sp3033[(u8)(il >> 8)]                     \
348            ^ camellia_sp4404[(u8)(il)];                         \
349         yl ^= yr;                                               \
350         yr = ror32(yr, 8);                                      \
351         yr ^= yl;                                               \
352 })
353
354 #define SUBKEY_L(INDEX) (subkey[(INDEX)*2])
355 #define SUBKEY_R(INDEX) (subkey[(INDEX)*2 + 1])
356
357 static void camellia_setup_tail(u32 *subkey, u32 *subL, u32 *subR, int max)
358 {
359         u32 dw, tl, tr;
360         u32 kw4l, kw4r;
361
362         /* absorb kw2 to other subkeys */
363         /* round 2 */
364         subL[3] ^= subL[1]; subR[3] ^= subR[1];
365         /* round 4 */
366         subL[5] ^= subL[1]; subR[5] ^= subR[1];
367         /* round 6 */
368         subL[7] ^= subL[1]; subR[7] ^= subR[1];
369         subL[1] ^= subR[1] & ~subR[9];
370         dw = subL[1] & subL[9];
371         subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl2) */
372         /* round 8 */
373         subL[11] ^= subL[1]; subR[11] ^= subR[1];
374         /* round 10 */
375         subL[13] ^= subL[1]; subR[13] ^= subR[1];
376         /* round 12 */
377         subL[15] ^= subL[1]; subR[15] ^= subR[1];
378         subL[1] ^= subR[1] & ~subR[17];
379         dw = subL[1] & subL[17];
380         subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl4) */
381         /* round 14 */
382         subL[19] ^= subL[1]; subR[19] ^= subR[1];
383         /* round 16 */
384         subL[21] ^= subL[1]; subR[21] ^= subR[1];
385         /* round 18 */
386         subL[23] ^= subL[1]; subR[23] ^= subR[1];
387         if (max == 24) {
388                 /* kw3 */
389                 subL[24] ^= subL[1]; subR[24] ^= subR[1];
390
391         /* absorb kw4 to other subkeys */
392                 kw4l = subL[25]; kw4r = subR[25];
393         } else {
394                 subL[1] ^= subR[1] & ~subR[25];
395                 dw = subL[1] & subL[25];
396                 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl6) */
397                 /* round 20 */
398                 subL[27] ^= subL[1]; subR[27] ^= subR[1];
399                 /* round 22 */
400                 subL[29] ^= subL[1]; subR[29] ^= subR[1];
401                 /* round 24 */
402                 subL[31] ^= subL[1]; subR[31] ^= subR[1];
403                 /* kw3 */
404                 subL[32] ^= subL[1]; subR[32] ^= subR[1];
405
406         /* absorb kw4 to other subkeys */
407                 kw4l = subL[33]; kw4r = subR[33];
408                 /* round 23 */
409                 subL[30] ^= kw4l; subR[30] ^= kw4r;
410                 /* round 21 */
411                 subL[28] ^= kw4l; subR[28] ^= kw4r;
412                 /* round 19 */
413                 subL[26] ^= kw4l; subR[26] ^= kw4r;
414                 kw4l ^= kw4r & ~subR[24];
415                 dw = kw4l & subL[24];
416                 kw4r ^= rol32(dw, 1); /* modified for FL(kl5) */
417         }
418         /* round 17 */
419         subL[22] ^= kw4l; subR[22] ^= kw4r;
420         /* round 15 */
421         subL[20] ^= kw4l; subR[20] ^= kw4r;
422         /* round 13 */
423         subL[18] ^= kw4l; subR[18] ^= kw4r;
424         kw4l ^= kw4r & ~subR[16];
425         dw = kw4l & subL[16];
426         kw4r ^= rol32(dw, 1); /* modified for FL(kl3) */
427         /* round 11 */
428         subL[14] ^= kw4l; subR[14] ^= kw4r;
429         /* round 9 */
430         subL[12] ^= kw4l; subR[12] ^= kw4r;
431         /* round 7 */
432         subL[10] ^= kw4l; subR[10] ^= kw4r;
433         kw4l ^= kw4r & ~subR[8];
434         dw = kw4l & subL[8];
435         kw4r ^= rol32(dw, 1); /* modified for FL(kl1) */
436         /* round 5 */
437         subL[6] ^= kw4l; subR[6] ^= kw4r;
438         /* round 3 */
439         subL[4] ^= kw4l; subR[4] ^= kw4r;
440         /* round 1 */
441         subL[2] ^= kw4l; subR[2] ^= kw4r;
442         /* kw1 */
443         subL[0] ^= kw4l; subR[0] ^= kw4r;
444
445         /* key XOR is end of F-function */
446         SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
447         SUBKEY_R(0) = subR[0] ^ subR[2];
448         SUBKEY_L(2) = subL[3];       /* round 1 */
449         SUBKEY_R(2) = subR[3];
450         SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
451         SUBKEY_R(3) = subR[2] ^ subR[4];
452         SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
453         SUBKEY_R(4) = subR[3] ^ subR[5];
454         SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
455         SUBKEY_R(5) = subR[4] ^ subR[6];
456         SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
457         SUBKEY_R(6) = subR[5] ^ subR[7];
458         tl = subL[10] ^ (subR[10] & ~subR[8]);
459         dw = tl & subL[8];  /* FL(kl1) */
460         tr = subR[10] ^ rol32(dw, 1);
461         SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
462         SUBKEY_R(7) = subR[6] ^ tr;
463         SUBKEY_L(8) = subL[8];       /* FL(kl1) */
464         SUBKEY_R(8) = subR[8];
465         SUBKEY_L(9) = subL[9];       /* FLinv(kl2) */
466         SUBKEY_R(9) = subR[9];
467         tl = subL[7] ^ (subR[7] & ~subR[9]);
468         dw = tl & subL[9];  /* FLinv(kl2) */
469         tr = subR[7] ^ rol32(dw, 1);
470         SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
471         SUBKEY_R(10) = tr ^ subR[11];
472         SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
473         SUBKEY_R(11) = subR[10] ^ subR[12];
474         SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
475         SUBKEY_R(12) = subR[11] ^ subR[13];
476         SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
477         SUBKEY_R(13) = subR[12] ^ subR[14];
478         SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
479         SUBKEY_R(14) = subR[13] ^ subR[15];
480         tl = subL[18] ^ (subR[18] & ~subR[16]);
481         dw = tl & subL[16]; /* FL(kl3) */
482         tr = subR[18] ^ rol32(dw, 1);
483         SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
484         SUBKEY_R(15) = subR[14] ^ tr;
485         SUBKEY_L(16) = subL[16];     /* FL(kl3) */
486         SUBKEY_R(16) = subR[16];
487         SUBKEY_L(17) = subL[17];     /* FLinv(kl4) */
488         SUBKEY_R(17) = subR[17];
489         tl = subL[15] ^ (subR[15] & ~subR[17]);
490         dw = tl & subL[17]; /* FLinv(kl4) */
491         tr = subR[15] ^ rol32(dw, 1);
492         SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
493         SUBKEY_R(18) = tr ^ subR[19];
494         SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
495         SUBKEY_R(19) = subR[18] ^ subR[20];
496         SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
497         SUBKEY_R(20) = subR[19] ^ subR[21];
498         SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
499         SUBKEY_R(21) = subR[20] ^ subR[22];
500         SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
501         SUBKEY_R(22) = subR[21] ^ subR[23];
502         if (max == 24) {
503                 SUBKEY_L(23) = subL[22];     /* round 18 */
504                 SUBKEY_R(23) = subR[22];
505                 SUBKEY_L(24) = subL[24] ^ subL[23]; /* kw3 */
506                 SUBKEY_R(24) = subR[24] ^ subR[23];
507         } else {
508                 tl = subL[26] ^ (subR[26] & ~subR[24]);
509                 dw = tl & subL[24]; /* FL(kl5) */
510                 tr = subR[26] ^ rol32(dw, 1);
511                 SUBKEY_L(23) = subL[22] ^ tl; /* round 18 */
512                 SUBKEY_R(23) = subR[22] ^ tr;
513                 SUBKEY_L(24) = subL[24];     /* FL(kl5) */
514                 SUBKEY_R(24) = subR[24];
515                 SUBKEY_L(25) = subL[25];     /* FLinv(kl6) */
516                 SUBKEY_R(25) = subR[25];
517                 tl = subL[23] ^ (subR[23] & ~subR[25]);
518                 dw = tl & subL[25]; /* FLinv(kl6) */
519                 tr = subR[23] ^ rol32(dw, 1);
520                 SUBKEY_L(26) = tl ^ subL[27]; /* round 19 */
521                 SUBKEY_R(26) = tr ^ subR[27];
522                 SUBKEY_L(27) = subL[26] ^ subL[28]; /* round 20 */
523                 SUBKEY_R(27) = subR[26] ^ subR[28];
524                 SUBKEY_L(28) = subL[27] ^ subL[29]; /* round 21 */
525                 SUBKEY_R(28) = subR[27] ^ subR[29];
526                 SUBKEY_L(29) = subL[28] ^ subL[30]; /* round 22 */
527                 SUBKEY_R(29) = subR[28] ^ subR[30];
528                 SUBKEY_L(30) = subL[29] ^ subL[31]; /* round 23 */
529                 SUBKEY_R(30) = subR[29] ^ subR[31];
530                 SUBKEY_L(31) = subL[30];     /* round 24 */
531                 SUBKEY_R(31) = subR[30];
532                 SUBKEY_L(32) = subL[32] ^ subL[31]; /* kw3 */
533                 SUBKEY_R(32) = subR[32] ^ subR[31];
534         }
535 }
536
537 static void camellia_setup128(const unsigned char *key, u32 *subkey)
538 {
539         u32 kll, klr, krl, krr;
540         u32 il, ir, t0, t1, w0, w1;
541         u32 subL[26];
542         u32 subR[26];
543
544         /**
545          *  k == kll || klr || krl || krr (|| is concatenation)
546          */
547         kll = get_unaligned_be32(key);
548         klr = get_unaligned_be32(key + 4);
549         krl = get_unaligned_be32(key + 8);
550         krr = get_unaligned_be32(key + 12);
551
552         /* generate KL dependent subkeys */
553         /* kw1 */
554         subL[0] = kll; subR[0] = klr;
555         /* kw2 */
556         subL[1] = krl; subR[1] = krr;
557         /* rotation left shift 15bit */
558         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
559         /* k3 */
560         subL[4] = kll; subR[4] = klr;
561         /* k4 */
562         subL[5] = krl; subR[5] = krr;
563         /* rotation left shift 15+30bit */
564         ROLDQ(kll, klr, krl, krr, w0, w1, 30);
565         /* k7 */
566         subL[10] = kll; subR[10] = klr;
567         /* k8 */
568         subL[11] = krl; subR[11] = krr;
569         /* rotation left shift 15+30+15bit */
570         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
571         /* k10 */
572         subL[13] = krl; subR[13] = krr;
573         /* rotation left shift 15+30+15+17 bit */
574         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
575         /* kl3 */
576         subL[16] = kll; subR[16] = klr;
577         /* kl4 */
578         subL[17] = krl; subR[17] = krr;
579         /* rotation left shift 15+30+15+17+17 bit */
580         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
581         /* k13 */
582         subL[18] = kll; subR[18] = klr;
583         /* k14 */
584         subL[19] = krl; subR[19] = krr;
585         /* rotation left shift 15+30+15+17+17+17 bit */
586         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
587         /* k17 */
588         subL[22] = kll; subR[22] = klr;
589         /* k18 */
590         subL[23] = krl; subR[23] = krr;
591
592         /* generate KA */
593         kll = subL[0]; klr = subR[0];
594         krl = subL[1]; krr = subR[1];
595         CAMELLIA_F(kll, klr,
596                    CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
597                    w0, w1, il, ir, t0, t1);
598         krl ^= w0; krr ^= w1;
599         CAMELLIA_F(krl, krr,
600                    CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
601                    kll, klr, il, ir, t0, t1);
602         /* current status == (kll, klr, w0, w1) */
603         CAMELLIA_F(kll, klr,
604                    CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
605                    krl, krr, il, ir, t0, t1);
606         krl ^= w0; krr ^= w1;
607         CAMELLIA_F(krl, krr,
608                    CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
609                    w0, w1, il, ir, t0, t1);
610         kll ^= w0; klr ^= w1;
611
612         /* generate KA dependent subkeys */
613         /* k1, k2 */
614         subL[2] = kll; subR[2] = klr;
615         subL[3] = krl; subR[3] = krr;
616         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
617         /* k5,k6 */
618         subL[6] = kll; subR[6] = klr;
619         subL[7] = krl; subR[7] = krr;
620         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
621         /* kl1, kl2 */
622         subL[8] = kll; subR[8] = klr;
623         subL[9] = krl; subR[9] = krr;
624         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
625         /* k9 */
626         subL[12] = kll; subR[12] = klr;
627         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
628         /* k11, k12 */
629         subL[14] = kll; subR[14] = klr;
630         subL[15] = krl; subR[15] = krr;
631         ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
632         /* k15, k16 */
633         subL[20] = kll; subR[20] = klr;
634         subL[21] = krl; subR[21] = krr;
635         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
636         /* kw3, kw4 */
637         subL[24] = kll; subR[24] = klr;
638         subL[25] = krl; subR[25] = krr;
639
640         camellia_setup_tail(subkey, subL, subR, 24);
641 }
642
643 static void camellia_setup256(const unsigned char *key, u32 *subkey)
644 {
645         u32 kll, klr, krl, krr;        /* left half of key */
646         u32 krll, krlr, krrl, krrr;    /* right half of key */
647         u32 il, ir, t0, t1, w0, w1;    /* temporary variables */
648         u32 subL[34];
649         u32 subR[34];
650
651         /**
652          *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
653          *  (|| is concatenation)
654          */
655         kll = get_unaligned_be32(key);
656         klr = get_unaligned_be32(key + 4);
657         krl = get_unaligned_be32(key + 8);
658         krr = get_unaligned_be32(key + 12);
659         krll = get_unaligned_be32(key + 16);
660         krlr = get_unaligned_be32(key + 20);
661         krrl = get_unaligned_be32(key + 24);
662         krrr = get_unaligned_be32(key + 28);
663
664         /* generate KL dependent subkeys */
665         /* kw1 */
666         subL[0] = kll; subR[0] = klr;
667         /* kw2 */
668         subL[1] = krl; subR[1] = krr;
669         ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
670         /* k9 */
671         subL[12] = kll; subR[12] = klr;
672         /* k10 */
673         subL[13] = krl; subR[13] = krr;
674         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
675         /* kl3 */
676         subL[16] = kll; subR[16] = klr;
677         /* kl4 */
678         subL[17] = krl; subR[17] = krr;
679         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
680         /* k17 */
681         subL[22] = kll; subR[22] = klr;
682         /* k18 */
683         subL[23] = krl; subR[23] = krr;
684         ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
685         /* k23 */
686         subL[30] = kll; subR[30] = klr;
687         /* k24 */
688         subL[31] = krl; subR[31] = krr;
689
690         /* generate KR dependent subkeys */
691         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
692         /* k3 */
693         subL[4] = krll; subR[4] = krlr;
694         /* k4 */
695         subL[5] = krrl; subR[5] = krrr;
696         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
697         /* kl1 */
698         subL[8] = krll; subR[8] = krlr;
699         /* kl2 */
700         subL[9] = krrl; subR[9] = krrr;
701         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
702         /* k13 */
703         subL[18] = krll; subR[18] = krlr;
704         /* k14 */
705         subL[19] = krrl; subR[19] = krrr;
706         ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
707         /* k19 */
708         subL[26] = krll; subR[26] = krlr;
709         /* k20 */
710         subL[27] = krrl; subR[27] = krrr;
711         ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
712
713         /* generate KA */
714         kll = subL[0] ^ krll; klr = subR[0] ^ krlr;
715         krl = subL[1] ^ krrl; krr = subR[1] ^ krrr;
716         CAMELLIA_F(kll, klr,
717                    CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
718                    w0, w1, il, ir, t0, t1);
719         krl ^= w0; krr ^= w1;
720         CAMELLIA_F(krl, krr,
721                    CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
722                    kll, klr, il, ir, t0, t1);
723         kll ^= krll; klr ^= krlr;
724         CAMELLIA_F(kll, klr,
725                    CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
726                    krl, krr, il, ir, t0, t1);
727         krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
728         CAMELLIA_F(krl, krr,
729                    CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
730                    w0, w1, il, ir, t0, t1);
731         kll ^= w0; klr ^= w1;
732
733         /* generate KB */
734         krll ^= kll; krlr ^= klr;
735         krrl ^= krl; krrr ^= krr;
736         CAMELLIA_F(krll, krlr,
737                    CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
738                    w0, w1, il, ir, t0, t1);
739         krrl ^= w0; krrr ^= w1;
740         CAMELLIA_F(krrl, krrr,
741                    CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
742                    w0, w1, il, ir, t0, t1);
743         krll ^= w0; krlr ^= w1;
744
745         /* generate KA dependent subkeys */
746         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
747         /* k5 */
748         subL[6] = kll; subR[6] = klr;
749         /* k6 */
750         subL[7] = krl; subR[7] = krr;
751         ROLDQ(kll, klr, krl, krr, w0, w1, 30);
752         /* k11 */
753         subL[14] = kll; subR[14] = klr;
754         /* k12 */
755         subL[15] = krl; subR[15] = krr;
756         /* rotation left shift 32bit */
757         /* kl5 */
758         subL[24] = klr; subR[24] = krl;
759         /* kl6 */
760         subL[25] = krr; subR[25] = kll;
761         /* rotation left shift 49 from k11,k12 -> k21,k22 */
762         ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
763         /* k21 */
764         subL[28] = kll; subR[28] = klr;
765         /* k22 */
766         subL[29] = krl; subR[29] = krr;
767
768         /* generate KB dependent subkeys */
769         /* k1 */
770         subL[2] = krll; subR[2] = krlr;
771         /* k2 */
772         subL[3] = krrl; subR[3] = krrr;
773         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
774         /* k7 */
775         subL[10] = krll; subR[10] = krlr;
776         /* k8 */
777         subL[11] = krrl; subR[11] = krrr;
778         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
779         /* k15 */
780         subL[20] = krll; subR[20] = krlr;
781         /* k16 */
782         subL[21] = krrl; subR[21] = krrr;
783         ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
784         /* kw3 */
785         subL[32] = krll; subR[32] = krlr;
786         /* kw4 */
787         subL[33] = krrl; subR[33] = krrr;
788
789         camellia_setup_tail(subkey, subL, subR, 32);
790 }
791
792 static void camellia_setup192(const unsigned char *key, u32 *subkey)
793 {
794         unsigned char kk[32];
795         u32 krll, krlr, krrl, krrr;
796
797         memcpy(kk, key, 24);
798         memcpy((unsigned char *)&krll, key+16, 4);
799         memcpy((unsigned char *)&krlr, key+20, 4);
800         krrl = ~krll;
801         krrr = ~krlr;
802         memcpy(kk+24, (unsigned char *)&krrl, 4);
803         memcpy(kk+28, (unsigned char *)&krrr, 4);
804         camellia_setup256(kk, subkey);
805 }
806
807
808 /*
809  * Encrypt/decrypt
810  */
811 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) ({ \
812         t0 = kll;                                                       \
813         t2 = krr;                                                       \
814         t0 &= ll;                                                       \
815         t2 |= rr;                                                       \
816         rl ^= t2;                                                       \
817         lr ^= rol32(t0, 1);                                             \
818         t3 = krl;                                                       \
819         t1 = klr;                                                       \
820         t3 &= rl;                                                       \
821         t1 |= lr;                                                       \
822         ll ^= t1;                                                       \
823         rr ^= rol32(t3, 1);                                             \
824 })
825
826 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir) ({             \
827         yl ^= kl;                                                       \
828         yr ^= kr;                                                       \
829         ir =  camellia_sp1110[(u8)xr];                                  \
830         il =  camellia_sp1110[(u8)(xl >> 24)];                          \
831         ir ^= camellia_sp0222[(u8)(xr >> 24)];                          \
832         il ^= camellia_sp0222[(u8)(xl >> 16)];                          \
833         ir ^= camellia_sp3033[(u8)(xr >> 16)];                          \
834         il ^= camellia_sp3033[(u8)(xl >> 8)];                           \
835         ir ^= camellia_sp4404[(u8)(xr >> 8)];                           \
836         il ^= camellia_sp4404[(u8)xl];                                  \
837         ir ^= il;                                                       \
838         yl ^= ir;                                                       \
839         yr ^= ror32(il, 8) ^ ir;                                        \
840 })
841
842 /* max = 24: 128bit encrypt, max = 32: 256bit encrypt */
843 static void camellia_do_encrypt(const u32 *subkey, u32 *io, unsigned max)
844 {
845         u32 il, ir, t0, t1;            /* temporary variables */
846
847         /* pre whitening but absorb kw2 */
848         io[0] ^= SUBKEY_L(0);
849         io[1] ^= SUBKEY_R(0);
850
851         /* main iteration */
852 #define ROUNDS(i) ({ \
853         CAMELLIA_ROUNDSM(io[0], io[1], \
854                          SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
855                          io[2], io[3], il, ir); \
856         CAMELLIA_ROUNDSM(io[2], io[3], \
857                          SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
858                          io[0], io[1], il, ir); \
859         CAMELLIA_ROUNDSM(io[0], io[1], \
860                          SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
861                          io[2], io[3], il, ir); \
862         CAMELLIA_ROUNDSM(io[2], io[3], \
863                          SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
864                          io[0], io[1], il, ir); \
865         CAMELLIA_ROUNDSM(io[0], io[1], \
866                          SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
867                          io[2], io[3], il, ir); \
868         CAMELLIA_ROUNDSM(io[2], io[3], \
869                          SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
870                          io[0], io[1], il, ir); \
871 })
872 #define FLS(i) ({ \
873         CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
874                      SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
875                      SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
876                      t0, t1, il, ir); \
877 })
878
879         ROUNDS(0);
880         FLS(8);
881         ROUNDS(8);
882         FLS(16);
883         ROUNDS(16);
884         if (max == 32) {
885                 FLS(24);
886                 ROUNDS(24);
887         }
888
889 #undef ROUNDS
890 #undef FLS
891
892         /* post whitening but kw4 */
893         io[2] ^= SUBKEY_L(max);
894         io[3] ^= SUBKEY_R(max);
895         /* NB: io[0],[1] should be swapped with [2],[3] by caller! */
896 }
897
898 static void camellia_do_decrypt(const u32 *subkey, u32 *io, unsigned i)
899 {
900         u32 il, ir, t0, t1;            /* temporary variables */
901
902         /* pre whitening but absorb kw2 */
903         io[0] ^= SUBKEY_L(i);
904         io[1] ^= SUBKEY_R(i);
905
906         /* main iteration */
907 #define ROUNDS(i) ({ \
908         CAMELLIA_ROUNDSM(io[0], io[1], \
909                          SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
910                          io[2], io[3], il, ir); \
911         CAMELLIA_ROUNDSM(io[2], io[3], \
912                          SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
913                          io[0], io[1], il, ir); \
914         CAMELLIA_ROUNDSM(io[0], io[1], \
915                          SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
916                          io[2], io[3], il, ir); \
917         CAMELLIA_ROUNDSM(io[2], io[3], \
918                          SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
919                          io[0], io[1], il, ir); \
920         CAMELLIA_ROUNDSM(io[0], io[1], \
921                          SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
922                          io[2], io[3], il, ir); \
923         CAMELLIA_ROUNDSM(io[2], io[3], \
924                          SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
925                          io[0], io[1], il, ir); \
926 })
927 #define FLS(i) ({ \
928         CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
929                      SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
930                      SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
931                      t0, t1, il, ir); \
932 })
933
934         if (i == 32) {
935                 ROUNDS(24);
936                 FLS(24);
937         }
938         ROUNDS(16);
939         FLS(16);
940         ROUNDS(8);
941         FLS(8);
942         ROUNDS(0);
943
944 #undef ROUNDS
945 #undef FLS
946
947         /* post whitening but kw4 */
948         io[2] ^= SUBKEY_L(0);
949         io[3] ^= SUBKEY_R(0);
950         /* NB: 0,1 should be swapped with 2,3 by caller! */
951 }
952
953
954 struct camellia_ctx {
955         int key_length;
956         u32 key_table[CAMELLIA_TABLE_BYTE_LEN / sizeof(u32)];
957 };
958
959 static int
960 camellia_set_key(struct crypto_tfm *tfm, const u8 *in_key,
961                  unsigned int key_len)
962 {
963         struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
964         const unsigned char *key = (const unsigned char *)in_key;
965
966         if (key_len != 16 && key_len != 24 && key_len != 32)
967                 return -EINVAL;
968
969         cctx->key_length = key_len;
970
971         switch (key_len) {
972         case 16:
973                 camellia_setup128(key, cctx->key_table);
974                 break;
975         case 24:
976                 camellia_setup192(key, cctx->key_table);
977                 break;
978         case 32:
979                 camellia_setup256(key, cctx->key_table);
980                 break;
981         }
982
983         return 0;
984 }
985
986 static void camellia_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
987 {
988         const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
989         unsigned int max;
990
991         u32 tmp[4];
992
993         tmp[0] = get_unaligned_be32(in);
994         tmp[1] = get_unaligned_be32(in + 4);
995         tmp[2] = get_unaligned_be32(in + 8);
996         tmp[3] = get_unaligned_be32(in + 12);
997
998         if (cctx->key_length == 16)
999                 max = 24;
1000         else
1001                 max = 32; /* for key lengths of 24 and 32 */
1002
1003         camellia_do_encrypt(cctx->key_table, tmp, max);
1004
1005         /* do_encrypt returns 0,1 swapped with 2,3 */
1006         put_unaligned_be32(tmp[2], out);
1007         put_unaligned_be32(tmp[3], out + 4);
1008         put_unaligned_be32(tmp[0], out + 8);
1009         put_unaligned_be32(tmp[1], out + 12);
1010 }
1011
1012 static void camellia_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1013 {
1014         const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1015         unsigned int max;
1016
1017         u32 tmp[4];
1018
1019         tmp[0] = get_unaligned_be32(in);
1020         tmp[1] = get_unaligned_be32(in + 4);
1021         tmp[2] = get_unaligned_be32(in + 8);
1022         tmp[3] = get_unaligned_be32(in + 12);
1023
1024         if (cctx->key_length == 16)
1025                 max = 24;
1026         else
1027                 max = 32; /* for key lengths of 24 and 32 */
1028
1029         camellia_do_decrypt(cctx->key_table, tmp, max);
1030
1031         /* do_decrypt returns 0,1 swapped with 2,3 */
1032         put_unaligned_be32(tmp[2], out);
1033         put_unaligned_be32(tmp[3], out + 4);
1034         put_unaligned_be32(tmp[0], out + 8);
1035         put_unaligned_be32(tmp[1], out + 12);
1036 }
1037
1038 static struct crypto_alg camellia_alg = {
1039         .cra_name               =       "camellia",
1040         .cra_driver_name        =       "camellia-generic",
1041         .cra_priority           =       100,
1042         .cra_flags              =       CRYPTO_ALG_TYPE_CIPHER,
1043         .cra_blocksize          =       CAMELLIA_BLOCK_SIZE,
1044         .cra_ctxsize            =       sizeof(struct camellia_ctx),
1045         .cra_module             =       THIS_MODULE,
1046         .cra_u                  =       {
1047                 .cipher = {
1048                         .cia_min_keysize        =       CAMELLIA_MIN_KEY_SIZE,
1049                         .cia_max_keysize        =       CAMELLIA_MAX_KEY_SIZE,
1050                         .cia_setkey             =       camellia_set_key,
1051                         .cia_encrypt            =       camellia_encrypt,
1052                         .cia_decrypt            =       camellia_decrypt
1053                 }
1054         }
1055 };
1056
1057 static int __init camellia_init(void)
1058 {
1059         return crypto_register_alg(&camellia_alg);
1060 }
1061
1062 static void __exit camellia_fini(void)
1063 {
1064         crypto_unregister_alg(&camellia_alg);
1065 }
1066
1067 subsys_initcall(camellia_init);
1068 module_exit(camellia_fini);
1069
1070 MODULE_DESCRIPTION("Camellia Cipher Algorithm");
1071 MODULE_LICENSE("GPL");
1072 MODULE_ALIAS_CRYPTO("camellia");
1073 MODULE_ALIAS_CRYPTO("camellia-generic");