1 /* camellia.h   ver 1.2.0
2  *
3  * Copyright (C) 2006,2007
4  * NTT (Nippon Telegraph and Telephone Corporation).
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
19  */
20
21 /*
22  * Algorithm Specification 
23  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
24  */
25
26 #include <string.h>
27 #include <stdlib.h>
28
29 #include "camellia.h"
30
31 /* u32 must be 32bit word.
 *
 * NOTE(review): nothing visible in this file enforces that width.  The
 * rotate macros further down (CAMELLIA_RR8/RL1/RL8, CAMELLIA_ROLDQ*) pair a
 * left shift with a right shift by 32 minus that amount and only form a
 * rotation when u32 is exactly 32 bits; with a wider unsigned int they
 * would silently compute a different cipher.  A compile-time width check
 * is worth adding where the build allows it. */
32 typedef unsigned int u32;
/* Byte type; the portable PUTU32 narrows each stored byte through a (u8) cast. */
33 typedef unsigned char u8;
34
35 /* key constants
 *
 * Six 64-bit SIGMA constants, each split into a left (L) and a right (R)
 * 32-bit half.  camellia_setup128 passes SIGMA1..SIGMA4 to CAMELLIA_F as
 * the kl/kr inputs while deriving KA; SIGMA5/SIGMA6 are not referenced by
 * that function (presumably the 256-bit schedule uses them -- confirm).
 * The L suffix gives the literals a long type; in the visible code they
 * are only XORed into u32 temporaries, which keeps the low 32 bits. */
36
37 #define CAMELLIA_SIGMA1L (0xA09E667FL)
38 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
39 #define CAMELLIA_SIGMA2L (0xB67AE858L)
40 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
41 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
42 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
43 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
44 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
45 #define CAMELLIA_SIGMA5L (0x10E527FAL)
46 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
47 #define CAMELLIA_SIGMA6L (0xB05688C2L)
48 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
49
50 /*
51  *  macros
 *
 *  GETU32(p)      - read four bytes at p as one 32-bit word, first byte
 *                   most significant.
 *  PUTU32(ct, st) - store the 32-bit word st at ct, most significant
 *                   byte first.
 *
 *  Both variants expand their arguments more than once, so pass only
 *  side-effect-free expressions.  PUTU32 expands to a bare { } block
 *  rather than do { } while (0); do not use it as the unbraced body of
 *  an if/else.
52  */
53
54
55 #if defined(_MSC_VER)
56
/* MSVC variant: one whole-word load/store through a cast pointer, then a
 * byte swap built from the rotate intrinsics.
 * NOTE(review): this dereferences (u32 *) on a byte buffer, so it is only
 * equivalent to the portable variant on a little-endian target that
 * tolerates unaligned 32-bit access; callers in this file pass key + 4*n
 * with no alignment guarantee visible here -- confirm for any new MSVC
 * target. */
57 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
58 # define GETU32(p) SWAP(*((u32 *)(p)))
59 # define PUTU32(ct, st) {*((u32 *)(ct)) = SWAP((st));}
60
61 #else /* not MS-VC */
62
/* Portable variant: assembles/splits the word byte by byte, so it has no
 * alignment or host-endianness requirement.  (pt) must point to unsigned
 * bytes: with a signed char element a negative byte would be sign-extended
 * by the (u32) cast before the shift. */
63 # define GETU32(pt)                             \
64     (((u32)(pt)[0] << 24)                       \
65      ^ ((u32)(pt)[1] << 16)                     \
66      ^ ((u32)(pt)[2] <<  8)                     \
67      ^ ((u32)(pt)[3]))
68
69 # define PUTU32(ct, st)  {                      \
70         (ct)[0] = (u8)((st) >> 24);             \
71         (ct)[1] = (u8)((st) >> 16);             \
72         (ct)[2] = (u8)((st) >>  8);             \
73         (ct)[3] = (u8)(st); }
74
75 #endif
76
/* Accessors for the expanded-key array: word pair INDEX is stored as
 * subkey[2*INDEX] (left half) and subkey[2*INDEX + 1] (right half).
 * They expand to the bare identifier `subkey`, so they only work inside a
 * function that has a variable of that name in scope, and they perform no
 * bounds checking -- the caller's array must be large enough for every
 * index used. */
77 #define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2])
78 #define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1])
79
80 /* rotation right shift 1byte: rotate a 32-bit word right by 8 bits.
 * The three rotate macros evaluate x twice and combine the two shifted
 * halves with '+' (the bit ranges do not overlap); they are rotations
 * only when x has type u32 and u32 is exactly 32 bits wide. */
81 #define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24))
82 /* rotation left shift 1bit: rotate a 32-bit word left by 1 bit */
83 #define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
84 /* rotation left shift 1byte: rotate a 32-bit word left by 8 bits */
85 #define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24))
86
/* Rotate the 128-bit value ll||lr||rl||rr left by `bits`, in place.
 * Valid only for 0 < bits < 32: bits == 0 would shift by 32, which is
 * undefined for a 32-bit operand.  This file calls it with 15, 17 and 30.
 * w0 is scratch (saves the original ll); w1 is accepted but not used.
 * Arguments are expanded unparenthesised and several times: pass plain
 * u32 lvalues and a constant for bits. */
87 #define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits)    \
88     do {                                                \
89         w0 = ll;                                        \
90         ll = (ll << bits) + (lr >> (32 - bits));        \
91         lr = (lr << bits) + (rl >> (32 - bits));        \
92         rl = (rl << bits) + (rr >> (32 - bits));        \
93         rr = (rr << bits) + (w0 >> (32 - bits));        \
94     } while(0)
95
/* Same rotation for amounts "over 32": the words are first moved one
 * position (a 32-bit rotation) and then shifted by bits - 32.
 * Valid only for 32 < bits < 64: at either end one of the shifts becomes a
 * shift by 32, which is undefined.  This file calls it with 34 and 45.
 * w0 and w1 are both used as scratch (original ll and lr). */
96 #define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits) \
97     do {                                                \
98         w0 = ll;                                        \
99         w1 = lr;                                        \
100         ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
101         lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
102         rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
103         rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
104     } while(0)
105
/* Lookups into the four 256-entry tables defined below.  INDEX is used
 * as-is, so every caller masks it to 0..255 first. */
106 #define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)])
107 #define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)])
108 #define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)])
109 #define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)])
110
/* F-function as used by the key schedule.
 *   xl, xr - 64-bit input (left/right word)
 *   kl, kr - 64-bit key/constant XORed into the input before the lookups
 *   yl, yr - outputs; both are overwritten, not accumulated
 *   il, ir, t0, t1 - caller-supplied scratch words
 * Each of the eight bytes of (xl ^ kl, xr ^ kr) selects one table entry;
 * the entries are XORed together and mixed with one CAMELLIA_RR8.
 *
 * NOTE(review): the table indices are bytes of x ^ k.  In
 * camellia_setup128 x is key material, so which table line is read
 * depends on secret data.  That is the usual precondition for
 * cache-timing observation by co-resident code; treat this table-driven
 * form as not constant-time when judging where it may run. */
111 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)      \
112     do {                                                        \
113         il = xl ^ kl;                                           \
114         ir = xr ^ kr;                                           \
115         t0 = il >> 16;                                          \
116         t1 = ir >> 16;                                          \
117         yl = CAMELLIA_SP1110(ir & 0xff)                         \
118             ^ CAMELLIA_SP0222((t1 >> 8) & 0xff)                 \
119             ^ CAMELLIA_SP3033(t1 & 0xff)                        \
120             ^ CAMELLIA_SP4404((ir >> 8) & 0xff);                \
121         yr = CAMELLIA_SP1110((t0 >> 8) & 0xff)                  \
122             ^ CAMELLIA_SP0222(t0 & 0xff)                        \
123             ^ CAMELLIA_SP3033((il >> 8) & 0xff)                 \
124             ^ CAMELLIA_SP4404(il & 0xff);                       \
125         yl ^= yr;                                               \
126         yr = CAMELLIA_RR8(yr);                                  \
127         yr ^= yl;                                               \
128     } while(0)
129
130
131 /*
132  * for speed up
133  *
 * CAMELLIA_FLS updates both 64-bit halves in place with AND/OR/rotate
 * steps keyed by (kll, klr) and (krl, krr):
 *   lr ^= rotl1(ll & kll);   ll ^= (lr | klr);
 *   rl ^= (rr | krr);        rr ^= rotl1(rl & krl);
 * t0..t3 are caller-supplied scratch words.  Presumably this is the
 * FL / FL^-1 layer applied to the left and right half in one step --
 * confirm against the specification.  It is not referenced by
 * camellia_setup128.
134  */
135 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
136     do {                                                                \
137         t0 = kll;                                                       \
138         t0 &= ll;                                                       \
139         lr ^= CAMELLIA_RL1(t0);                                         \
140         t1 = klr;                                                       \
141         t1 |= lr;                                                       \
142         ll ^= t1;                                                       \
143                                                                         \
144         t2 = krr;                                                       \
145         t2 |= rr;                                                       \
146         rl ^= t2;                                                       \
147         t3 = krl;                                                       \
148         t3 &= rl;                                                       \
149         rr ^= CAMELLIA_RL1(t3);                                         \
150     } while(0)
151
/* One round in "subkey-merged" form.  Unlike CAMELLIA_F, the bytes of
 * xl/xr index the tables directly and kl/kr are XORed in after the
 * lookups; the result is XOR-accumulated into yl/yr rather than assigned.
 * il and ir are scratch; t0 and t1 are accepted but not used.
 * It is not referenced by camellia_setup128 (presumably the block
 * encrypt/decrypt routines outside this excerpt use it).
 *
 * NOTE(review): the table indices here are bytes of the running cipher
 * state, so memory access is data-dependent in the same way as in
 * CAMELLIA_F. */
152 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)        \
153     do {                                                                \
154         ir = CAMELLIA_SP1110(xr & 0xff)                                 \
155             ^ CAMELLIA_SP0222((xr >> 24) & 0xff)                        \
156             ^ CAMELLIA_SP3033((xr >> 16) & 0xff)                        \
157             ^ CAMELLIA_SP4404((xr >> 8) & 0xff);                        \
158         il = CAMELLIA_SP1110((xl >> 24) & 0xff)                         \
159             ^ CAMELLIA_SP0222((xl >> 16) & 0xff)                        \
160             ^ CAMELLIA_SP3033((xl >> 8) & 0xff)                         \
161             ^ CAMELLIA_SP4404(xl & 0xff);                               \
162         il ^= kl;                                                       \
163         ir ^= kr;                                                       \
164         ir ^= il;                                                       \
165         il = CAMELLIA_RR8(il);                                          \
166         il ^= ir;                                                       \
167         yl ^= ir;                                                       \
168         yr ^= il;                                                       \
169     } while(0)
170
171
/* Lookup table behind CAMELLIA_SP1110: 256 entries, one per input byte.
 * Each entry carries a single substituted byte replicated into the three
 * most significant byte lanes, with the low byte zero (0xVVVVVV00).
 *
 * NOTE(review): CAMELLIA_F and CAMELLIA_ROUNDSM index this table with
 * key- or state-dependent bytes, so the cache line touched depends on
 * secret values.  Keep that in mind when reviewing deployments where
 * untrusted code shares the CPU cache. */
172 static const u32 camellia_sp1110[256] = {
173     0x70707000,0x82828200,0x2c2c2c00,0xececec00,
174     0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
175     0xe4e4e400,0x85858500,0x57575700,0x35353500,
176     0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
177     0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
178     0x45454500,0x19191900,0xa5a5a500,0x21212100,
179     0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
180     0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
181     0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
182     0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
183     0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
184     0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
185     0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
186     0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
187     0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
188     0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
189     0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
190     0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
191     0x74747400,0x12121200,0x2b2b2b00,0x20202000,
192     0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
193     0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
194     0x34343400,0x7e7e7e00,0x76767600,0x05050500,
195     0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
196     0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
197     0x14141400,0x58585800,0x3a3a3a00,0x61616100,
198     0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
199     0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
200     0x53535300,0x18181800,0xf2f2f200,0x22222200,
201     0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
202     0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
203     0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
204     0x60606000,0xfcfcfc00,0x69696900,0x50505000,
205     0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
206     0xa1a1a100,0x89898900,0x62626200,0x97979700,
207     0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
208     0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
209     0x10101000,0xc4c4c400,0x00000000,0x48484800,
210     0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
211     0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
212     0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
213     0x87878700,0x5c5c5c00,0x83838300,0x02020200,
214     0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
215     0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
216     0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
217     0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
218     0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
219     0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
220     0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
221     0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
222     0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
223     0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
224     0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
225     0x78787800,0x98989800,0x06060600,0x6a6a6a00,
226     0xe7e7e700,0x46464600,0x71717100,0xbababa00,
227     0xd4d4d400,0x25252500,0xababab00,0x42424200,
228     0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
229     0x72727200,0x07070700,0xb9b9b900,0x55555500,
230     0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
231     0x36363600,0x49494900,0x2a2a2a00,0x68686800,
232     0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
233     0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
234     0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
235     0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
236     0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
237 };
238
/* Lookup table behind CAMELLIA_SP0222: 256 entries of the form 0x00VVVVVV
 * (top byte zero, one byte replicated into the lower three lanes).
 * The first entries are consistent with VV being the camellia_sp1110 byte
 * rotated left by one bit (0x70 -> 0xe0, 0x82 -> 0x05); not checked for
 * every entry.
 * NOTE(review): indexed by secret-dependent bytes, so access to it is
 * data-dependent like the other three tables. */
239 static const u32 camellia_sp0222[256] = {
240     0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
241     0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
242     0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
243     0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
244     0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
245     0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
246     0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
247     0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
248     0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
249     0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
250     0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
251     0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
252     0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
253     0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
254     0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
255     0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
256     0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
257     0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
258     0x00e8e8e8,0x00242424,0x00565656,0x00404040,
259     0x00e1e1e1,0x00636363,0x00090909,0x00333333,
260     0x00bfbfbf,0x00989898,0x00979797,0x00858585,
261     0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
262     0x00dadada,0x006f6f6f,0x00535353,0x00626262,
263     0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
264     0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
265     0x00bdbdbd,0x00363636,0x00222222,0x00383838,
266     0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
267     0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
268     0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
269     0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
270     0x00484848,0x00101010,0x00d1d1d1,0x00515151,
271     0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
272     0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
273     0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
274     0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
275     0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
276     0x00202020,0x00898989,0x00000000,0x00909090,
277     0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
278     0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
279     0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
280     0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
281     0x009b9b9b,0x00949494,0x00212121,0x00666666,
282     0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
283     0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
284     0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
285     0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
286     0x00030303,0x002d2d2d,0x00dedede,0x00969696,
287     0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
288     0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
289     0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
290     0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
291     0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
292     0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
293     0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
294     0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
295     0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
296     0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
297     0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
298     0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
299     0x00787878,0x00707070,0x00e3e3e3,0x00494949,
300     0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
301     0x00777777,0x00939393,0x00868686,0x00838383,
302     0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
303     0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
304 };
305
/* Lookup table behind CAMELLIA_SP3033: 256 entries of the form 0xVV00VVVV
 * (second byte lane zero, one byte replicated into the other three).
 * The first entries are consistent with VV being the camellia_sp1110 byte
 * rotated right by one bit (0x70 -> 0x38, 0x82 -> 0x41); not checked for
 * every entry.
 * NOTE(review): indexed by secret-dependent bytes, so access to it is
 * data-dependent like the other three tables. */
306 static const u32 camellia_sp3033[256] = {
307     0x38003838,0x41004141,0x16001616,0x76007676,
308     0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
309     0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
310     0x75007575,0x06000606,0x57005757,0xa000a0a0,
311     0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
312     0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
313     0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
314     0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
315     0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
316     0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
317     0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
318     0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
319     0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
320     0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
321     0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
322     0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
323     0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
324     0xfd00fdfd,0x66006666,0x58005858,0x96009696,
325     0x3a003a3a,0x09000909,0x95009595,0x10001010,
326     0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
327     0xef00efef,0x26002626,0xe500e5e5,0x61006161,
328     0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
329     0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
330     0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
331     0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
332     0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
333     0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
334     0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
335     0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
336     0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
337     0x12001212,0x04000404,0x74007474,0x54005454,
338     0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
339     0x55005555,0x68006868,0x50005050,0xbe00bebe,
340     0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
341     0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
342     0x70007070,0xff00ffff,0x32003232,0x69006969,
343     0x08000808,0x62006262,0x00000000,0x24002424,
344     0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
345     0x45004545,0x81008181,0x73007373,0x6d006d6d,
346     0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
347     0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
348     0xe600e6e6,0x25002525,0x48004848,0x99009999,
349     0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
350     0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
351     0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
352     0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
353     0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
354     0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
355     0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
356     0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
357     0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
358     0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
359     0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
360     0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
361     0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
362     0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
363     0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
364     0x7c007c7c,0x77007777,0x56005656,0x05000505,
365     0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
366     0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
367     0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
368     0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
369     0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
370     0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
371 };
372
/* Lookup table behind CAMELLIA_SP4404: 256 entries of the form 0xVVVV00VV
 * (third byte lane zero, one byte replicated into the other three).
 * The first entries are consistent with entry i holding the
 * camellia_sp1110 byte for index (i rotated left by one bit): entries
 * 1, 2, 3 carry 0x2c, 0xb3, 0xc0, which are sp1110[2], [4], [6].  Not
 * checked for every entry.
 * NOTE(review): indexed by secret-dependent bytes, so access to it is
 * data-dependent like the other three tables. */
373 static const u32 camellia_sp4404[256] = {
374     0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
375     0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
376     0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
377     0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
378     0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
379     0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
380     0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
381     0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
382     0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
383     0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
384     0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
385     0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
386     0x14140014,0x3a3a003a,0xdede00de,0x11110011,
387     0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
388     0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
389     0x24240024,0xe8e800e8,0x60600060,0x69690069,
390     0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
391     0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
392     0x10100010,0x00000000,0xa3a300a3,0x75750075,
393     0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
394     0x87870087,0x83830083,0xcdcd00cd,0x90900090,
395     0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
396     0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
397     0x81810081,0x6f6f006f,0x13130013,0x63630063,
398     0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
399     0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
400     0x78780078,0x06060006,0xe7e700e7,0x71710071,
401     0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
402     0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
403     0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
404     0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
405     0x15150015,0xadad00ad,0x77770077,0x80800080,
406     0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
407     0x85850085,0x35350035,0x0c0c000c,0x41410041,
408     0xefef00ef,0x93930093,0x19190019,0x21210021,
409     0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
410     0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
411     0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
412     0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
413     0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
414     0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
415     0x12120012,0x20200020,0xb1b100b1,0x99990099,
416     0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
417     0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
418     0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
419     0x0f0f000f,0x16160016,0x18180018,0x22220022,
420     0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
421     0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
422     0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
423     0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
424     0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
425     0x03030003,0xdada00da,0x3f3f003f,0x94940094,
426     0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
427     0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
428     0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
429     0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
430     0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
431     0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
432     0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
433     0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
434     0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
435     0x49490049,0x68680068,0x38380038,0xa4a400a4,
436     0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
437     0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
438 };
439
440
441 /**
442  * Stuff related to the Camellia key schedule
 *
 * subl(x)/subr(x) are shorthands for the local work arrays subL[x] and
 * subR[x].  They expand to those bare identifiers, so they are usable
 * only inside a setup function that declares both arrays, and they do no
 * bounds checking.
443  */
444 #define subl(x) subL[(x)]
445 #define subr(x) subR[(x)]
446
/**
 * Expand a 128-bit Camellia key into the subkey table.
 *
 * key    - key material; exactly 16 bytes are read through GETU32 at
 *          offsets 0, 4, 8 and 12.  No length is passed in, so the caller
 *          must guarantee the buffer size.
 * subkey - output array, written through CamelliaSubkeyL/R at word-pair
 *          indices 0 and 2..24, i.e. subkey[0..1] and subkey[4..49].  It
 *          must hold at least 50 u32 words; pair 1 (subkey[2..3]) is not
 *          written by this function.
 *
 * Returns nothing and reports no errors.
 *
 * NOTE(review): the locals (subL, subR, kll..krr, kw4l/kw4r, ...) hold the
 * key and values derived from it, and nothing in this function clears
 * them before returning.  Whether the caller scrubs the stack afterwards
 * is not visible in this file -- confirm at the call sites.
 */
447 void camellia_setup128(const unsigned char *key, u32 *subkey)
448 {
449     u32 kll, klr, krl, krr;
450     u32 il, ir, t0, t1, w0, w1;
451     u32 kw4l, kw4r, dw, tl, tr;
        /* Work copies of the subkey word pairs, indexed 0..25 through the
         * subl()/subr() macros and folded into subkey[] further down. */
452     u32 subL[26];
453     u32 subR[26];
454
455     /**
456      *  k == kll || klr || krl || krr (|| is concatenation)
457      */
458     kll = GETU32(key     );
459     klr = GETU32(key +  4);
460     krl = GETU32(key +  8);
461     krr = GETU32(key + 12);
462     /**
463      * generate KL dependent subkeys
         *
         * CAMELLIA_ROLDQ rotates the four words in place, so the amounts
         * accumulate: after the calls below KL has been rotated left by
         * 15, 45, 60, 77, 94 and 111 bits in total.
464      */
465     subl(0) = kll; subr(0) = klr;
466     subl(1) = krl; subr(1) = krr;
467     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
468     subl(4) = kll; subr(4) = klr;
469     subl(5) = krl; subr(5) = krr;
470     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
471     subl(10) = kll; subr(10) = klr;
472     subl(11) = krl; subr(11) = krr;
473     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
        /* only the right half of this rotation is kept */
474     subl(13) = krl; subr(13) = krr;
475     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
476     subl(16) = kll; subr(16) = klr;
477     subl(17) = krl; subr(17) = krr;
478     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
479     subl(18) = kll; subr(18) = klr;
480     subl(19) = krl; subr(19) = krr;
481     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
482     subl(22) = kll; subr(22) = klr;
483     subl(23) = krl; subr(23) = krr;
484
485     /* generate KA */
        /* reload the unrotated key words saved in subl/subr(0..1) */
486     kll = subl(0); klr = subr(0);
487     krl = subl(1); krr = subr(1);
488     CAMELLIA_F(kll, klr,
489                CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
490                w0, w1, il, ir, t0, t1);
491     krl ^= w0; krr ^= w1;
492     CAMELLIA_F(krl, krr,
493                CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
494                kll, klr, il, ir, t0, t1);
495     CAMELLIA_F(kll, klr,
496                CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
497                krl, krr, il, ir, t0, t1);
498     krl ^= w0; krr ^= w1;
499     CAMELLIA_F(krl, krr,
500                CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
501                w0, w1, il, ir, t0, t1);
502     kll ^= w0; klr ^= w1;
503
504     /* generate KA dependent subkeys */
        /* cumulative left rotations of KA below: 15, 30, 45, 60, 94, 111 */
505     subl(2) = kll; subr(2) = klr;
506     subl(3) = krl; subr(3) = krr;
507     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
508     subl(6) = kll; subr(6) = klr;
509     subl(7) = krl; subr(7) = krr;
510     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
511     subl(8) = kll; subr(8) = klr;
512     subl(9) = krl; subr(9) = krr;
513     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
        /* only the left half of this rotation is kept */
514     subl(12) = kll; subr(12) = klr;
515     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
516     subl(14) = kll; subr(14) = klr;
517     subl(15) = krl; subr(15) = krr;
518     CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
519     subl(20) = kll; subr(20) = klr;
520     subl(21) = krl; subr(21) = krr;
521     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
522     subl(24) = kll; subr(24) = klr;
523     subl(25) = krl; subr(25) = krr;
524
525
526     /* absorb kw2 to other subkeys */
        /* kw2 is the pair in subl(1)/subr(1).  It is XORed into the
         * odd-numbered entries; at the entries 9 and 17 it is first
         * transformed with those entries' words.  The "dw = ..., x ^= ..."
         * lines use the comma operator: dw is computed first, then used. */
527     subl(3) ^= subl(1); subr(3) ^= subr(1);
528     subl(5) ^= subl(1); subr(5) ^= subr(1);
529     subl(7) ^= subl(1); subr(7) ^= subr(1);
530     subl(1) ^= subr(1) & ~subr(9);
531     dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
532     subl(11) ^= subl(1); subr(11) ^= subr(1);
533     subl(13) ^= subl(1); subr(13) ^= subr(1);
534     subl(15) ^= subl(1); subr(15) ^= subr(1);
535     subl(1) ^= subr(1) & ~subr(17);
536     dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
537     subl(19) ^= subl(1); subr(19) ^= subr(1);
538     subl(21) ^= subl(1); subr(21) ^= subr(1);
539     subl(23) ^= subl(1); subr(23) ^= subr(1);
540     subl(24) ^= subl(1); subr(24) ^= subr(1);
541
542     /* absorb kw4 to other subkeys */
        /* kw4 is the pair in subl(25)/subr(25); it is propagated downwards
         * through the even-numbered entries, transformed at 16 and 8. */
543     kw4l = subl(25); kw4r = subr(25);
544     subl(22) ^= kw4l; subr(22) ^= kw4r;
545     subl(20) ^= kw4l; subr(20) ^= kw4r;
546     subl(18) ^= kw4l; subr(18) ^= kw4r;
547     kw4l ^= kw4r & ~subr(16);
548     dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
549     subl(14) ^= kw4l; subr(14) ^= kw4r;
550     subl(12) ^= kw4l; subr(12) ^= kw4r;
551     subl(10) ^= kw4l; subr(10) ^= kw4r;
552     kw4l ^= kw4r & ~subr(8);
553     dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
554     subl(6) ^= kw4l; subr(6) ^= kw4r;
555     subl(4) ^= kw4l; subr(4) ^= kw4r;
556     subl(2) ^= kw4l; subr(2) ^= kw4r;
557     subl(0) ^= kw4l; subr(0) ^= kw4r;
558
559     /* key XOR is end of F-function */
        /* From here on the results are written to the caller's subkey[]
         * array; pair 1 is skipped. */
560     CamelliaSubkeyL(0) = subl(0) ^ subl(2);
561     CamelliaSubkeyR(0) = subr(0) ^ subr(2);
562     CamelliaSubkeyL(2) = subl(3);
563     CamelliaSubkeyR(2) = subr(3);
564     CamelliaSubkeyL(3) = subl(2) ^ subl(4);
565     CamelliaSubkeyR(3) = subr(2) ^ subr(4);
566     CamelliaSubkeyL(4) = subl(3) ^ subl(5);
567     CamelliaSubkeyR(4) = subr(3) ^ subr(5);
568     CamelliaSubkeyL(5) = subl(4) ^ subl(6);
569     CamelliaSubkeyR(5) = subr(4) ^ subr(6);
570     CamelliaSubkeyL(6) = subl(5) ^ subl(7);
571     CamelliaSubkeyR(6) = subr(5) ^ subr(7);
572     tl = subl(10) ^ (subr(10) & ~subr(8));
573     dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
574     CamelliaSubkeyL(7) = subl(6) ^ tl;
575     CamelliaSubkeyR(7) = subr(6) ^ tr;
576     CamelliaSubkeyL(8) = subl(8);
577     CamelliaSubkeyR(8) = subr(8);
578     CamelliaSubkeyL(9) = subl(9);
579     CamelliaSubkeyR(9) = subr(9);
580     tl = subl(7) ^ (subr(7) & ~subr(9));
581     dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
582     CamelliaSubkeyL(10) = tl ^ subl(11);
583     CamelliaSubkeyR(10) = tr ^ subr(11);
584     CamelliaSubkeyL(11) = subl(10) ^ subl(12);
585     CamelliaSubkeyR(11) = subr(10) ^ subr(12);
586     CamelliaSubkeyL(12) = subl(11) ^ subl(13);
587     CamelliaSubkeyR(12) = subr(11) ^ subr(13);
588     CamelliaSubkeyL(13) = subl(12) ^ subl(14);
589     CamelliaSubkeyR(13) = subr(12) ^ subr(14);
590     CamelliaSubkeyL(14) = subl(13) ^ subl(15);
591     CamelliaSubkeyR(14) = subr(13) ^ subr(15);
592     tl = subl(18) ^ (subr(18) & ~subr(16));
593     dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
594     CamelliaSubkeyL(15) = subl(14) ^ tl;
595     CamelliaSubkeyR(15) = subr(14) ^ tr;
596     CamelliaSubkeyL(16) = subl(16);
597     CamelliaSubkeyR(16) = subr(16);
598     CamelliaSubkeyL(17) = subl(17);
599     CamelliaSubkeyR(17) = subr(17);
600     tl = subl(15) ^ (subr(15) & ~subr(17));
601     dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
602     CamelliaSubkeyL(18) = tl ^ subl(19);
603     CamelliaSubkeyR(18) = tr ^ subr(19);
604     CamelliaSubkeyL(19) = subl(18) ^ subl(20);
605     CamelliaSubkeyR(19) = subr(18) ^ subr(20);
606     CamelliaSubkeyL(20) = subl(19) ^ subl(21);
607     CamelliaSubkeyR(20) = subr(19) ^ subr(21);
608     CamelliaSubkeyL(21) = subl(20) ^ subl(22);
609     CamelliaSubkeyR(21) = subr(20) ^ subr(22);
610     CamelliaSubkeyL(22) = subl(21) ^ subl(23);
611     CamelliaSubkeyR(22) = subr(21) ^ subr(23);
612     CamelliaSubkeyL(23) = subl(22);
613     CamelliaSubkeyR(23) = subr(22);
614     CamelliaSubkeyL(24) = subl(24) ^ subl(23);
615     CamelliaSubkeyR(24) = subr(24) ^ subr(23);
616
617     /* apply the inverse of the last half of P-function */
        /* Applied to pairs 2..7, 10..15 and 18..23 only; pairs 0, 8, 9,
         * 16, 17 and 24 are left as written above.  For each pair:
         * dw = rotl8(L ^ R); R = L ^ dw; L = dw. */
618     dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw);
619     CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw;
620     dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw);
621     CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw;
622     dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw);
623     CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw;
624     dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw);
625     CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw;
626     dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw);
627     CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw;
628     dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw);
629     CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw;
630     dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw);
631     CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw;
632     dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw);
633     CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw;
634     dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw);
635     CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw;
636     dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw);
637     CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw;
638     dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw);
639     CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw;
640     dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw);
641     CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw;
642     dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw);
643     CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw;
644     dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw);
645     CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw;
646     dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw);
647     CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw;
648     dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw);
649     CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw;
650     dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw);
651     CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw;
652     dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw);
653     CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw;
654
        /* NOTE(review): subL/subR and the scalar temporaries still hold
         * key-derived values at this point and go out of scope uncleared. */
655     return;
656 }
657
/**
 * Expand a 256-bit key into the Camellia subkey table.
 *
 * key:    raw key; 32 bytes are read as eight 32-bit words with GETU32
 *         at offsets 0, 4, ..., 28.  No length or NULL check is made.
 * subkey: output table, written through CamelliaSubkeyL/R for slots 0
 *         and 2..32 (slot 1 is never stored by this function).
 *         NOTE(review): the required size of subkey depends on how
 *         CamelliaSubkeyL/R index it; those macros are defined outside
 *         this excerpt - confirm the caller's table is large enough.
 *
 * NOTE(review): the key words (kll..krrr) and the scratch arrays
 * subL/subR hold raw and derived key material and are not cleared
 * before returning.  Confirm that the caller scrubs the stack after
 * key setup.
 */
void camellia_setup256(const unsigned char *key, u32 *subkey)
{
    u32 kll,klr,krl,krr;           /* left half of key */
    u32 krll,krlr,krrl,krrr;       /* right half of key */
    u32 il, ir, t0, t1, w0, w1;    /* temporary variables */
    u32 kw4l, kw4r, dw, tl, tr;
    /* Scratch subkey halves, indices 0..33; presumably what the
     * subl()/subr() macros (defined outside this excerpt) address. */
    u32 subL[34];
    u32 subR[34];

    /**
     *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
     *  (|| is concatenation)
     */

    kll  = GETU32(key     );
    klr  = GETU32(key +  4);
    krl  = GETU32(key +  8);
    krr  = GETU32(key + 12);
    krll = GETU32(key + 16);
    krlr = GETU32(key + 20);
    krrl = GETU32(key + 24);
    krrr = GETU32(key + 28);

    /* generate KL dependent subkeys */
    subl(0) = kll; subr(0) = klr;
    subl(1) = krl; subr(1) = krr;
    CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
    subl(12) = kll; subr(12) = klr;
    subl(13) = krl; subr(13) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
    subl(16) = kll; subr(16) = klr;
    subl(17) = krl; subr(17) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
    subl(22) = kll; subr(22) = klr;
    subl(23) = krl; subr(23) = krr;
    CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
    subl(30) = kll; subr(30) = klr;
    subl(31) = krl; subr(31) = krr;

    /* generate KR dependent subkeys */
    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
    subl(4) = krll; subr(4) = krlr;
    subl(5) = krrl; subr(5) = krrr;
    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
    subl(8) = krll; subr(8) = krlr;
    subl(9) = krrl; subr(9) = krrr;
    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
    subl(18) = krll; subr(18) = krlr;
    subl(19) = krrl; subr(19) = krrr;
    CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
    subl(26) = krll; subr(26) = krlr;
    subl(27) = krrl; subr(27) = krrr;
    /* No subkey is stored after this rotation.  The amounts applied to
     * KR so far sum to 128 (15+15+30+34+34), so this presumably brings
     * KR back to its unrotated value for the KA/KB steps below -
     * confirm against the macro definitions. */
    CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);

    /* generate KA */
    /* subl/subr(0) and (1) still hold the unrotated KL stored above */
    kll = subl(0) ^ krll; klr = subr(0) ^ krlr;
    krl = subl(1) ^ krrl; krr = subr(1) ^ krrr;
    CAMELLIA_F(kll, klr,
               CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
               w0, w1, il, ir, t0, t1);
    krl ^= w0; krr ^= w1;
    CAMELLIA_F(krl, krr,
               CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
               kll, klr, il, ir, t0, t1);
    kll ^= krll; klr ^= krlr;
    CAMELLIA_F(kll, klr,
               CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
               krl, krr, il, ir, t0, t1);
    krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
    CAMELLIA_F(krl, krr,
               CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
               w0, w1, il, ir, t0, t1);
    kll ^= w0; klr ^= w1;

    /* generate KB */
    krll ^= kll; krlr ^= klr;
    krrl ^= krl; krrr ^= krr;
    CAMELLIA_F(krll, krlr,
               CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
               w0, w1, il, ir, t0, t1);
    krrl ^= w0; krrr ^= w1;
    CAMELLIA_F(krrl, krrr,
               CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
               w0, w1, il, ir, t0, t1);
    krll ^= w0; krlr ^= w1;

    /* generate KA dependent subkeys */
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
    subl(6) = kll; subr(6) = klr;
    subl(7) = krl; subr(7) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
    subl(14) = kll; subr(14) = klr;
    subl(15) = krl; subr(15) = krr;
    /* slots 24/25 take the same four words shifted by one 32-bit
     * position (klr,krl / krr,kll) instead of a macro rotation */
    subl(24) = klr; subr(24) = krl;
    subl(25) = krr; subr(25) = kll;
    CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
    subl(28) = kll; subr(28) = klr;
    subl(29) = krl; subr(29) = krr;

    /* generate KB dependent subkeys */
    subl(2) = krll; subr(2) = krlr;
    subl(3) = krrl; subr(3) = krrr;
    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
    subl(10) = krll; subr(10) = krlr;
    subl(11) = krrl; subr(11) = krrr;
    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
    subl(20) = krll; subr(20) = krlr;
    subl(21) = krrl; subr(21) = krrr;
    CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
    subl(32) = krll; subr(32) = krlr;
    subl(33) = krrl; subr(33) = krrr;

    /* absorb kw2 to other subkeys */
    /* kw2 lives in subl(1)/subr(1); it is XORed into the odd slots and
     * re-mixed with slots 9, 17 and 25 each time it passes them */
    subl(3) ^= subl(1); subr(3) ^= subr(1);
    subl(5) ^= subl(1); subr(5) ^= subr(1);
    subl(7) ^= subl(1); subr(7) ^= subr(1);
    subl(1) ^= subr(1) & ~subr(9);
    dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
    subl(11) ^= subl(1); subr(11) ^= subr(1);
    subl(13) ^= subl(1); subr(13) ^= subr(1);
    subl(15) ^= subl(1); subr(15) ^= subr(1);
    subl(1) ^= subr(1) & ~subr(17);
    dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
    subl(19) ^= subl(1); subr(19) ^= subr(1);
    subl(21) ^= subl(1); subr(21) ^= subr(1);
    subl(23) ^= subl(1); subr(23) ^= subr(1);
    subl(1) ^= subr(1) & ~subr(25);
    dw = subl(1) & subl(25), subr(1) ^= CAMELLIA_RL1(dw);
    subl(27) ^= subl(1); subr(27) ^= subr(1);
    subl(29) ^= subl(1); subr(29) ^= subr(1);
    subl(31) ^= subl(1); subr(31) ^= subr(1);
    subl(32) ^= subl(1); subr(32) ^= subr(1);

    /* absorb kw4 to other subkeys */
    /* kw4 starts as slot 33 and is pushed backwards through the even
     * slots, re-mixed with slots 24, 16 and 8 on the way */
    kw4l = subl(33); kw4r = subr(33);
    subl(30) ^= kw4l; subr(30) ^= kw4r;
    subl(28) ^= kw4l; subr(28) ^= kw4r;
    subl(26) ^= kw4l; subr(26) ^= kw4r;
    kw4l ^= kw4r & ~subr(24);
    dw = kw4l & subl(24), kw4r ^= CAMELLIA_RL1(dw);
    subl(22) ^= kw4l; subr(22) ^= kw4r;
    subl(20) ^= kw4l; subr(20) ^= kw4r;
    subl(18) ^= kw4l; subr(18) ^= kw4r;
    kw4l ^= kw4r & ~subr(16);
    dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
    subl(14) ^= kw4l; subr(14) ^= kw4r;
    subl(12) ^= kw4l; subr(12) ^= kw4r;
    subl(10) ^= kw4l; subr(10) ^= kw4r;
    kw4l ^= kw4r & ~subr(8);
    dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
    subl(6) ^= kw4l; subr(6) ^= kw4r;
    subl(4) ^= kw4l; subr(4) ^= kw4r;
    subl(2) ^= kw4l; subr(2) ^= kw4r;
    subl(0) ^= kw4l; subr(0) ^= kw4r;

    /* key XOR is end of F-function */
    /* From here on the scratch values are combined and stored into the
     * caller's table; slot 1 of the output is skipped. */
    CamelliaSubkeyL(0) = subl(0) ^ subl(2);
    CamelliaSubkeyR(0) = subr(0) ^ subr(2);
    CamelliaSubkeyL(2) = subl(3);
    CamelliaSubkeyR(2) = subr(3);
    CamelliaSubkeyL(3) = subl(2) ^ subl(4);
    CamelliaSubkeyR(3) = subr(2) ^ subr(4);
    CamelliaSubkeyL(4) = subl(3) ^ subl(5);
    CamelliaSubkeyR(4) = subr(3) ^ subr(5);
    CamelliaSubkeyL(5) = subl(4) ^ subl(6);
    CamelliaSubkeyR(5) = subr(4) ^ subr(6);
    CamelliaSubkeyL(6) = subl(5) ^ subl(7);
    CamelliaSubkeyR(6) = subr(5) ^ subr(7);
    tl = subl(10) ^ (subr(10) & ~subr(8));
    dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
    CamelliaSubkeyL(7) = subl(6) ^ tl;
    CamelliaSubkeyR(7) = subr(6) ^ tr;
    /* slots 8/9, 16/17 and 24/25 are copied unchanged; the encrypt and
     * decrypt routines pass them to CAMELLIA_FLS */
    CamelliaSubkeyL(8) = subl(8);
    CamelliaSubkeyR(8) = subr(8);
    CamelliaSubkeyL(9) = subl(9);
    CamelliaSubkeyR(9) = subr(9);
    tl = subl(7) ^ (subr(7) & ~subr(9));
    dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
    CamelliaSubkeyL(10) = tl ^ subl(11);
    CamelliaSubkeyR(10) = tr ^ subr(11);
    CamelliaSubkeyL(11) = subl(10) ^ subl(12);
    CamelliaSubkeyR(11) = subr(10) ^ subr(12);
    CamelliaSubkeyL(12) = subl(11) ^ subl(13);
    CamelliaSubkeyR(12) = subr(11) ^ subr(13);
    CamelliaSubkeyL(13) = subl(12) ^ subl(14);
    CamelliaSubkeyR(13) = subr(12) ^ subr(14);
    CamelliaSubkeyL(14) = subl(13) ^ subl(15);
    CamelliaSubkeyR(14) = subr(13) ^ subr(15);
    tl = subl(18) ^ (subr(18) & ~subr(16));
    dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
    CamelliaSubkeyL(15) = subl(14) ^ tl;
    CamelliaSubkeyR(15) = subr(14) ^ tr;
    CamelliaSubkeyL(16) = subl(16);
    CamelliaSubkeyR(16) = subr(16);
    CamelliaSubkeyL(17) = subl(17);
    CamelliaSubkeyR(17) = subr(17);
    tl = subl(15) ^ (subr(15) & ~subr(17));
    dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
    CamelliaSubkeyL(18) = tl ^ subl(19);
    CamelliaSubkeyR(18) = tr ^ subr(19);
    CamelliaSubkeyL(19) = subl(18) ^ subl(20);
    CamelliaSubkeyR(19) = subr(18) ^ subr(20);
    CamelliaSubkeyL(20) = subl(19) ^ subl(21);
    CamelliaSubkeyR(20) = subr(19) ^ subr(21);
    CamelliaSubkeyL(21) = subl(20) ^ subl(22);
    CamelliaSubkeyR(21) = subr(20) ^ subr(22);
    CamelliaSubkeyL(22) = subl(21) ^ subl(23);
    CamelliaSubkeyR(22) = subr(21) ^ subr(23);
    tl = subl(26) ^ (subr(26) & ~subr(24));
    dw = tl & subl(24), tr = subr(26) ^ CAMELLIA_RL1(dw);
    CamelliaSubkeyL(23) = subl(22) ^ tl;
    CamelliaSubkeyR(23) = subr(22) ^ tr;
    CamelliaSubkeyL(24) = subl(24);
    CamelliaSubkeyR(24) = subr(24);
    CamelliaSubkeyL(25) = subl(25);
    CamelliaSubkeyR(25) = subr(25);
    tl = subl(23) ^ (subr(23) &  ~subr(25));
    dw = tl & subl(25), tr = subr(23) ^ CAMELLIA_RL1(dw);
    CamelliaSubkeyL(26) = tl ^ subl(27);
    CamelliaSubkeyR(26) = tr ^ subr(27);
    CamelliaSubkeyL(27) = subl(26) ^ subl(28);
    CamelliaSubkeyR(27) = subr(26) ^ subr(28);
    CamelliaSubkeyL(28) = subl(27) ^ subl(29);
    CamelliaSubkeyR(28) = subr(27) ^ subr(29);
    CamelliaSubkeyL(29) = subl(28) ^ subl(30);
    CamelliaSubkeyR(29) = subr(28) ^ subr(30);
    CamelliaSubkeyL(30) = subl(29) ^ subl(31);
    CamelliaSubkeyR(30) = subr(29) ^ subr(31);
    CamelliaSubkeyL(31) = subl(30);
    CamelliaSubkeyR(31) = subr(30);
    CamelliaSubkeyL(32) = subl(32) ^ subl(31);
    CamelliaSubkeyR(32) = subr(32) ^ subr(31);

    /* apply the inverse of the last half of P-function */
    /* Only the slots consumed by CAMELLIA_ROUNDSM are transformed
     * (2-7, 10-15, 18-23, 26-31); slots 0, 8, 9, 16, 17, 24, 25 and 32
     * keep the values stored above. */
    dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw;
    dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw;
    dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw;
    dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw;
    dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw;
    dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw;
    dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw;
    dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw;
    dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw;
    dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw;
    dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw;
    dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw;
    dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw;
    dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw;
    dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw;
    dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw;
    dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw;
    dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw;
    dw = CamelliaSubkeyL(26) ^ CamelliaSubkeyR(26), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(26) = CamelliaSubkeyL(26) ^ dw, CamelliaSubkeyL(26) = dw;
    dw = CamelliaSubkeyL(27) ^ CamelliaSubkeyR(27), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(27) = CamelliaSubkeyL(27) ^ dw, CamelliaSubkeyL(27) = dw;
    dw = CamelliaSubkeyL(28) ^ CamelliaSubkeyR(28), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(28) = CamelliaSubkeyL(28) ^ dw, CamelliaSubkeyL(28) = dw;
    dw = CamelliaSubkeyL(29) ^ CamelliaSubkeyR(29), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(29) = CamelliaSubkeyL(29) ^ dw, CamelliaSubkeyL(29) = dw;
    dw = CamelliaSubkeyL(30) ^ CamelliaSubkeyR(30), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(30) = CamelliaSubkeyL(30) ^ dw, CamelliaSubkeyL(30) = dw;
    dw = CamelliaSubkeyL(31) ^ CamelliaSubkeyR(31), dw = CAMELLIA_RL8(dw);
    CamelliaSubkeyR(31) = CamelliaSubkeyL(31) ^ dw,CamelliaSubkeyL(31) = dw;

    return;
}
943
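/**
 * Expand a 192-bit key into the Camellia subkey table.
 *
 * The 24-byte key is widened to 32 bytes by appending the bitwise
 * complement of its last 8 bytes (key[16..23]); the result is handed to
 * camellia_setup256(), so the table layout is the 256-bit one.
 *
 * key:    raw key; exactly 24 bytes are read.  No NULL check is made.
 * subkey: output table, filled by camellia_setup256().
 *
 * The widened key copy is overwritten before returning so that the raw
 * key does not linger in this stack frame.
 */
void camellia_setup192(const unsigned char *key, u32 *subkey)
{
    unsigned char kk[32];
    /* Stores go through a volatile pointer so the compiler is less
     * likely to discard the final wipe as a dead store. */
    volatile unsigned char *wipe = kk;
    size_t i;

    memcpy(kk, key, 24);
    /* Complementing byte by byte gives the same bytes as complementing
     * the two 32-bit words, without extra word-sized key copies. */
    for (i = 0; i < 8; i++) {
        kk[24 + i] = (unsigned char)~key[16 + i];
    }
    camellia_setup256(kk, subkey);

    for (i = 0; i < sizeof kk; i++) {
        wipe[i] = 0;
    }
    return;
}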
959
960
/**
 * Stuff related to camellia encryption/decryption
 *
 * "io" must be 4-byte aligned and hold big-endian data.
 */

/**
 * Encrypt one block in place with a 128-bit-key subkey table.
 *
 * subkey: table read through CamelliaSubkeyL/R, slots 0 and 2..24.
 * io:     four 32-bit words, read and overwritten in place.
 *
 * Shape: XOR with slot 0, then 18 CAMELLIA_ROUNDSM steps in three
 * groups of six (slots 2-7, 10-15, 18-23) separated by CAMELLIA_FLS on
 * slots 8/9 and 16/17, XOR with slot 24, and a final swap of the two
 * 64-bit halves.
 *
 * NOTE(review): CAMELLIA_ROUNDSM is defined outside this excerpt.  If
 * it uses lookup tables indexed by key-dependent data, running time may
 * depend on secret values - confirm before use where cache timing is
 * part of the threat model.
 */
void camellia_encrypt128(const u32 *subkey, u32 *io)
{
    u32 il, ir, t0, t1;     /* scratch words handed to the macros */

    /* pre whitening but absorb kw2*/
    io[0] ^= CamelliaSubkeyL(0);
    io[1] ^= CamelliaSubkeyR(0);
    /* main iteration */

    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(2),CamelliaSubkeyR(2),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(3),CamelliaSubkeyR(3),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(4),CamelliaSubkeyR(4),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(5),CamelliaSubkeyR(5),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(6),CamelliaSubkeyR(6),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(7),CamelliaSubkeyR(7),
                     io[0],io[1],il,ir,t0,t1);

    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
                 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
                 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
                 t0,t1,il,ir);

    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(10),CamelliaSubkeyR(10),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(11),CamelliaSubkeyR(11),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(12),CamelliaSubkeyR(12),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(13),CamelliaSubkeyR(13),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(14),CamelliaSubkeyR(14),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(15),CamelliaSubkeyR(15),
                     io[0],io[1],il,ir,t0,t1);

    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
                 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
                 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
                 t0,t1,il,ir);

    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(18),CamelliaSubkeyR(18),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(19),CamelliaSubkeyR(19),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(20),CamelliaSubkeyR(20),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(21),CamelliaSubkeyR(21),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(22),CamelliaSubkeyR(22),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(23),CamelliaSubkeyR(23),
                     io[0],io[1],il,ir,t0,t1);

    /* post whitening but kw4 */
    io[2] ^= CamelliaSubkeyL(24);
    io[3] ^= CamelliaSubkeyR(24);

    /* swap the two 64-bit halves: (io[0],io[1]) <-> (io[2],io[3]) */
    t0 = io[0];
    t1 = io[1];
    io[0] = io[2];
    io[1] = io[3];
    io[2] = t0;
    io[3] = t1;

    return;
}
1055
/**
 * Decrypt one block in place with a 128-bit-key subkey table.
 *
 * Mirror image of camellia_encrypt128(): the same subkey table is
 * walked in the opposite direction (slot 24 first, slots 23..2 for the
 * rounds, slot 0 last) and each CAMELLIA_FLS call receives its two
 * subkey pairs in swapped order.
 *
 * subkey: table read through CamelliaSubkeyL/R, slots 0 and 2..24.
 * io:     four 32-bit words, read and overwritten in place.
 */
void camellia_decrypt128(const u32 *subkey, u32 *io)
{
    u32 il,ir,t0,t1;               /* temporary variables */

    /* pre whitening: uses slot 24, the one encryption applies last */
    io[0] ^= CamelliaSubkeyL(24);
    io[1] ^= CamelliaSubkeyR(24);

    /* main iteration */
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(23),CamelliaSubkeyR(23),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(22),CamelliaSubkeyR(22),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(21),CamelliaSubkeyR(21),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(20),CamelliaSubkeyR(20),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(19),CamelliaSubkeyR(19),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(18),CamelliaSubkeyR(18),
                     io[0],io[1],il,ir,t0,t1);

    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
                 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
                 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
                 t0,t1,il,ir);

    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(15),CamelliaSubkeyR(15),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(14),CamelliaSubkeyR(14),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(13),CamelliaSubkeyR(13),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(12),CamelliaSubkeyR(12),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(11),CamelliaSubkeyR(11),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(10),CamelliaSubkeyR(10),
                     io[0],io[1],il,ir,t0,t1);

    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
                 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
                 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
                 t0,t1,il,ir);

    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(7),CamelliaSubkeyR(7),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(6),CamelliaSubkeyR(6),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(5),CamelliaSubkeyR(5),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(4),CamelliaSubkeyR(4),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(3),CamelliaSubkeyR(3),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(2),CamelliaSubkeyR(2),
                     io[0],io[1],il,ir,t0,t1);

    /* post whitening: uses slot 0, the one encryption applies first */
    io[2] ^= CamelliaSubkeyL(0);
    io[3] ^= CamelliaSubkeyR(0);

    /* swap the two 64-bit halves: (io[0],io[1]) <-> (io[2],io[3]) */
    t0 = io[0];
    t1 = io[1];
    io[0] = io[2];
    io[1] = io[3];
    io[2] = t0;
    io[3] = t1;

    return;
}
1145
/**
 * stuff for 192 and 256bit encryption/decryption
 */

/**
 * Encrypt one block in place with a 192/256-bit-key subkey table.
 *
 * subkey: table read through CamelliaSubkeyL/R, slots 0 and 2..32.
 * io:     four 32-bit words, read and overwritten in place.
 *
 * Shape: XOR with slot 0, then 24 CAMELLIA_ROUNDSM steps in four groups
 * of six (slots 2-7, 10-15, 18-23, 26-31) separated by CAMELLIA_FLS on
 * slots 8/9, 16/17 and 24/25, XOR with slot 32, and a final swap of the
 * two 64-bit halves.
 *
 * NOTE(review): CAMELLIA_ROUNDSM is defined outside this excerpt.  If
 * it uses lookup tables indexed by key-dependent data, running time may
 * depend on secret values - confirm before use where cache timing is
 * part of the threat model.
 */
void camellia_encrypt256(const u32 *subkey, u32 *io)
{
    u32 il,ir,t0,t1;           /* temporary variables */

    /* pre whitening but absorb kw2*/
    io[0] ^= CamelliaSubkeyL(0);
    io[1] ^= CamelliaSubkeyR(0);

    /* main iteration */
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(2),CamelliaSubkeyR(2),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(3),CamelliaSubkeyR(3),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(4),CamelliaSubkeyR(4),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(5),CamelliaSubkeyR(5),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(6),CamelliaSubkeyR(6),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(7),CamelliaSubkeyR(7),
                     io[0],io[1],il,ir,t0,t1);

    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
                 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
                 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
                 t0,t1,il,ir);

    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(10),CamelliaSubkeyR(10),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(11),CamelliaSubkeyR(11),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(12),CamelliaSubkeyR(12),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(13),CamelliaSubkeyR(13),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(14),CamelliaSubkeyR(14),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(15),CamelliaSubkeyR(15),
                     io[0],io[1],il,ir,t0,t1);

    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
                 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
                 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
                 t0,t1,il,ir);

    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(18),CamelliaSubkeyR(18),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(19),CamelliaSubkeyR(19),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(20),CamelliaSubkeyR(20),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(21),CamelliaSubkeyR(21),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(22),CamelliaSubkeyR(22),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(23),CamelliaSubkeyR(23),
                     io[0],io[1],il,ir,t0,t1);

    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
                 CamelliaSubkeyL(24),CamelliaSubkeyR(24),
                 CamelliaSubkeyL(25),CamelliaSubkeyR(25),
                 t0,t1,il,ir);

    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(26),CamelliaSubkeyR(26),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(27),CamelliaSubkeyR(27),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(28),CamelliaSubkeyR(28),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(29),CamelliaSubkeyR(29),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(30),CamelliaSubkeyR(30),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(31),CamelliaSubkeyR(31),
                     io[0],io[1],il,ir,t0,t1);

    /* post whitening but kw4 */
    io[2] ^= CamelliaSubkeyL(32);
    io[3] ^= CamelliaSubkeyR(32);

    /* swap the two 64-bit halves: (io[0],io[1]) <-> (io[2],io[3]) */
    t0 = io[0];
    t1 = io[1];
    io[0] = io[2];
    io[1] = io[3];
    io[2] = t0;
    io[3] = t1;

    return;
}
1262
/**
 * Decrypt one block in place with a 192/256-bit-key subkey table.
 *
 * Mirror image of camellia_encrypt256(): the same subkey table is
 * walked in the opposite direction (slot 32 first, slots 31..2 for the
 * rounds, slot 0 last) and each CAMELLIA_FLS call receives its two
 * subkey pairs in swapped order.
 *
 * subkey: table read through CamelliaSubkeyL/R, slots 0 and 2..32.
 * io:     four 32-bit words, read and overwritten in place.
 */
void camellia_decrypt256(const u32 *subkey, u32 *io)
{
    u32 il,ir,t0,t1;           /* temporary variables */

    /* pre whitening: uses slot 32, the one encryption applies last */
    io[0] ^= CamelliaSubkeyL(32);
    io[1] ^= CamelliaSubkeyR(32);

    /* main iteration */
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(31),CamelliaSubkeyR(31),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(30),CamelliaSubkeyR(30),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(29),CamelliaSubkeyR(29),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(28),CamelliaSubkeyR(28),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(27),CamelliaSubkeyR(27),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(26),CamelliaSubkeyR(26),
                     io[0],io[1],il,ir,t0,t1);

    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
                 CamelliaSubkeyL(25),CamelliaSubkeyR(25),
                 CamelliaSubkeyL(24),CamelliaSubkeyR(24),
                 t0,t1,il,ir);

    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(23),CamelliaSubkeyR(23),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(22),CamelliaSubkeyR(22),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(21),CamelliaSubkeyR(21),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(20),CamelliaSubkeyR(20),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(19),CamelliaSubkeyR(19),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(18),CamelliaSubkeyR(18),
                     io[0],io[1],il,ir,t0,t1);

    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
                 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
                 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
                 t0,t1,il,ir);

    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(15),CamelliaSubkeyR(15),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(14),CamelliaSubkeyR(14),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(13),CamelliaSubkeyR(13),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(12),CamelliaSubkeyR(12),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(11),CamelliaSubkeyR(11),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(10),CamelliaSubkeyR(10),
                     io[0],io[1],il,ir,t0,t1);

    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
                 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
                 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
                 t0,t1,il,ir);

    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(7),CamelliaSubkeyR(7),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(6),CamelliaSubkeyR(6),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(5),CamelliaSubkeyR(5),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(4),CamelliaSubkeyR(4),
                     io[0],io[1],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[0],io[1],
                     CamelliaSubkeyL(3),CamelliaSubkeyR(3),
                     io[2],io[3],il,ir,t0,t1);
    CAMELLIA_ROUNDSM(io[2],io[3],
                     CamelliaSubkeyL(2),CamelliaSubkeyR(2),
                     io[0],io[1],il,ir,t0,t1);

    /* post whitening: uses slot 0, the one encryption applies first */
    io[2] ^= CamelliaSubkeyL(0);
    io[3] ^= CamelliaSubkeyR(0);

    /* swap the two 64-bit halves: (io[0],io[1]) <-> (io[2],io[3]) */
    t0 = io[0];
    t1 = io[1];
    io[0] = io[2];
    io[1] = io[3];
    io[2] = t0;
    io[3] = t1;

    return;
}
1376
1377 /***
1378  *
1379  * API for compatibility
1380  */
1381
/*
 * Build the subkey table for a raw key of the given bit length.
 *
 * keyBitLength selects the key schedule: 128, 192 or 256.  Any other
 * value is ignored and keyTable is left exactly as the caller passed it
 * in.  The function returns void, so the caller gets no indication that
 * nothing was set up; the length has to be validated before the call,
 * and a table that was never filled must not be handed to the
 * encrypt/decrypt routines.
 */
void Camellia_Ekeygen(const int keyBitLength,
                      const unsigned char *rawKey,
                      KEY_TABLE_TYPE keyTable)
{
    if (keyBitLength == 128) {
        camellia_setup128(rawKey, keyTable);
    } else if (keyBitLength == 192) {
        camellia_setup192(rawKey, keyTable);
    } else if (keyBitLength == 256) {
        camellia_setup256(rawKey, keyTable);
    }
    /* Unsupported lengths fall out here without touching keyTable. */
}
1400
1401
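/*
 * Encrypt one 16-byte block.
 *
 * plaintext and ciphertext each address 16 bytes.  All four input words
 * are loaded into a local buffer before anything is stored, so the two
 * pointers may refer to the same buffer.
 *
 * keyBitLength must be 128, 192 or 256 and keyTable must have been
 * filled by Camellia_Ekeygen for that same length.  192-bit keys are
 * processed by the same routine as 256-bit keys.
 *
 * For any other keyBitLength no cipher is run.  The output block is then
 * set to all zero bytes rather than receiving a copy of the input, so an
 * unsupported length can never emit the plaintext as "ciphertext".
 * There is no return value; callers must validate the length themselves.
 */
void Camellia_EncryptBlock(const int keyBitLength,
                           const unsigned char *plaintext,
                           const KEY_TABLE_TYPE keyTable,
                           unsigned char *ciphertext)
{
    u32 tmp[4];

    tmp[0] = GETU32(plaintext);
    tmp[1] = GETU32(plaintext + 4);
    tmp[2] = GETU32(plaintext + 8);
    tmp[3] = GETU32(plaintext + 12);

    switch (keyBitLength) {
    case 128:
        camellia_encrypt128(keyTable, tmp);
        break;
    case 192:
        /* fall through */
    case 256:
        camellia_encrypt256(keyTable, tmp);
        break;
    default:
        /* Fail closed: tmp still holds the untouched plaintext here. */
        memset(ciphertext, 0, 16);
        return;
    }

    PUTU32(ciphertext, tmp[0]);
    PUTU32(ciphertext + 4, tmp[1]);
    PUTU32(ciphertext + 8, tmp[2]);
    PUTU32(ciphertext + 12, tmp[3]);
}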
1432
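/*
 * Decrypt one 16-byte block.
 *
 * ciphertext and plaintext each address 16 bytes.  All four input words
 * are loaded into a local buffer before anything is stored, so the two
 * pointers may refer to the same buffer.
 *
 * keyBitLength must be 128, 192 or 256 and keyTable must have been
 * filled by Camellia_Ekeygen for that same length.  192-bit keys are
 * processed by the same routine as 256-bit keys.
 *
 * For any other keyBitLength no cipher is run.  The output block is then
 * set to all zero bytes instead of echoing the ciphertext back as if it
 * were decrypted data.  There is no return value; callers must validate
 * the length themselves.
 *
 * NOTE(review): tmp holds the recovered block on the stack when this
 * returns and is not wiped here; confirm whether the caller clears
 * the stack after use.
 */
void Camellia_DecryptBlock(const int keyBitLength,
                           const unsigned char *ciphertext,
                           const KEY_TABLE_TYPE keyTable,
                           unsigned char *plaintext)
{
    u32 tmp[4];

    tmp[0] = GETU32(ciphertext);
    tmp[1] = GETU32(ciphertext + 4);
    tmp[2] = GETU32(ciphertext + 8);
    tmp[3] = GETU32(ciphertext + 12);

    switch (keyBitLength) {
    case 128:
        camellia_decrypt128(keyTable, tmp);
        break;
    case 192:
        /* fall through */
    case 256:
        camellia_decrypt256(keyTable, tmp);
        break;
    default:
        /* Fail closed: nothing was decrypted, so emit no data. */
        memset(plaintext, 0, 16);
        return;
    }

    PUTU32(plaintext, tmp[0]);
    PUTU32(plaintext + 4, tmp[1]);
    PUTU32(plaintext + 8, tmp[2]);
    PUTU32(plaintext + 12, tmp[3]);
}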