tools: Fix option parsing for gpg-zip.
[gnupg.git] / cipher / camellia.c
1 /* camellia.h   ver 1.2.0
2  *
3  * Copyright (C) 2006,2007
4  * NTT (Nippon Telegraph and Telephone Corporation).
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version 2
9  * of the License, or (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*
21  * Algorithm Specification
22  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
23  */
24
25 #include <string.h>
26 #include <stdlib.h>
27
28 #include "camellia.h"
29
30 /* u32 must be 32bit word */
31 typedef unsigned int u32;
32 typedef unsigned char u8;
33
34 /* key constants */
35
36 #define CAMELLIA_SIGMA1L (0xA09E667FL)
37 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
38 #define CAMELLIA_SIGMA2L (0xB67AE858L)
39 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
40 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
41 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
42 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
43 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
44 #define CAMELLIA_SIGMA5L (0x10E527FAL)
45 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
46 #define CAMELLIA_SIGMA6L (0xB05688C2L)
47 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
48
49 /*
50  *  macros
51  */
52
53
54 #if defined(_MSC_VER)
55
56 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
57 # define GETU32(p) SWAP(*((u32 *)(p)))
58 # define PUTU32(ct, st) {*((u32 *)(ct)) = SWAP((st));}
59
60 #else /* not MS-VC */
61
62 # define GETU32(pt)                             \
63     (((u32)(pt)[0] << 24)                       \
64      ^ ((u32)(pt)[1] << 16)                     \
65      ^ ((u32)(pt)[2] <<  8)                     \
66      ^ ((u32)(pt)[3]))
67
68 # define PUTU32(ct, st)  {                      \
69         (ct)[0] = (u8)((st) >> 24);             \
70         (ct)[1] = (u8)((st) >> 16);             \
71         (ct)[2] = (u8)((st) >>  8);             \
72         (ct)[3] = (u8)(st); }
73
74 #endif
75
76 #define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2])
77 #define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1])
78
79 /* rotation right shift 1byte */
80 #define CAMELLIA_RR8(x) (((x) >> 8) + ((u32)(x) << 24))
81 /* rotation left shift 1bit */
82 #define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
83 /* rotation left shift 1byte */
84 #define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24))
85
86 #define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits)    \
87     do {                                                \
88         w0 = ll;                                        \
89         ll = (ll << bits) + (lr >> (32 - bits));        \
90         lr = (lr << bits) + (rl >> (32 - bits));        \
91         rl = (rl << bits) + (rr >> (32 - bits));        \
92         rr = (rr << bits) + (w0 >> (32 - bits));        \
93     } while(0)
94
95 #define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits) \
96     do {                                                \
97         w0 = ll;                                        \
98         w1 = lr;                                        \
99         ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
100         lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
101         rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
102         rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
103     } while(0)
104
105 #define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)])
106 #define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)])
107 #define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)])
108 #define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)])
109
110 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)      \
111     do {                                                        \
112         il = xl ^ kl;                                           \
113         ir = xr ^ kr;                                           \
114         t0 = il >> 16;                                          \
115         t1 = ir >> 16;                                          \
116         yl = CAMELLIA_SP1110(ir & 0xff)                         \
117             ^ CAMELLIA_SP0222((t1 >> 8) & 0xff)                 \
118             ^ CAMELLIA_SP3033(t1 & 0xff)                        \
119             ^ CAMELLIA_SP4404((ir >> 8) & 0xff);                \
120         yr = CAMELLIA_SP1110((t0 >> 8) & 0xff)                  \
121             ^ CAMELLIA_SP0222(t0 & 0xff)                        \
122             ^ CAMELLIA_SP3033((il >> 8) & 0xff)                 \
123             ^ CAMELLIA_SP4404(il & 0xff);                       \
124         yl ^= yr;                                               \
125         yr = CAMELLIA_RR8(yr);                                  \
126         yr ^= yl;                                               \
127     } while(0)
128
129
130 /*
131  * for speed up
132  *
133  */
134 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
135     do {                                                                \
136         t0 = kll;                                                       \
137         t0 &= ll;                                                       \
138         lr ^= CAMELLIA_RL1(t0);                                         \
139         t1 = klr;                                                       \
140         t1 |= lr;                                                       \
141         ll ^= t1;                                                       \
142                                                                         \
143         t2 = krr;                                                       \
144         t2 |= rr;                                                       \
145         rl ^= t2;                                                       \
146         t3 = krl;                                                       \
147         t3 &= rl;                                                       \
148         rr ^= CAMELLIA_RL1(t3);                                         \
149     } while(0)
150
151 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)        \
152     do {                                                                \
153         ir = CAMELLIA_SP1110(xr & 0xff)                                 \
154             ^ CAMELLIA_SP0222((xr >> 24) & 0xff)                        \
155             ^ CAMELLIA_SP3033((xr >> 16) & 0xff)                        \
156             ^ CAMELLIA_SP4404((xr >> 8) & 0xff);                        \
157         il = CAMELLIA_SP1110((xl >> 24) & 0xff)                         \
158             ^ CAMELLIA_SP0222((xl >> 16) & 0xff)                        \
159             ^ CAMELLIA_SP3033((xl >> 8) & 0xff)                         \
160             ^ CAMELLIA_SP4404(xl & 0xff);                               \
161         il ^= kl;                                                       \
162         ir ^= kr;                                                       \
163         ir ^= il;                                                       \
164         il = CAMELLIA_RR8(il);                                          \
165         il ^= ir;                                                       \
166         yl ^= ir;                                                       \
167         yr ^= il;                                                       \
168     } while(0)
169
170
171 static const u32 camellia_sp1110[256] = {
172     0x70707000,0x82828200,0x2c2c2c00,0xececec00,
173     0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
174     0xe4e4e400,0x85858500,0x57575700,0x35353500,
175     0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
176     0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
177     0x45454500,0x19191900,0xa5a5a500,0x21212100,
178     0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
179     0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
180     0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
181     0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
182     0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
183     0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
184     0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
185     0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
186     0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
187     0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
188     0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
189     0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
190     0x74747400,0x12121200,0x2b2b2b00,0x20202000,
191     0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
192     0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
193     0x34343400,0x7e7e7e00,0x76767600,0x05050500,
194     0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
195     0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
196     0x14141400,0x58585800,0x3a3a3a00,0x61616100,
197     0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
198     0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
199     0x53535300,0x18181800,0xf2f2f200,0x22222200,
200     0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
201     0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
202     0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
203     0x60606000,0xfcfcfc00,0x69696900,0x50505000,
204     0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
205     0xa1a1a100,0x89898900,0x62626200,0x97979700,
206     0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
207     0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
208     0x10101000,0xc4c4c400,0x00000000,0x48484800,
209     0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
210     0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
211     0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
212     0x87878700,0x5c5c5c00,0x83838300,0x02020200,
213     0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
214     0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
215     0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
216     0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
217     0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
218     0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
219     0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
220     0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
221     0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
222     0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
223     0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
224     0x78787800,0x98989800,0x06060600,0x6a6a6a00,
225     0xe7e7e700,0x46464600,0x71717100,0xbababa00,
226     0xd4d4d400,0x25252500,0xababab00,0x42424200,
227     0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
228     0x72727200,0x07070700,0xb9b9b900,0x55555500,
229     0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
230     0x36363600,0x49494900,0x2a2a2a00,0x68686800,
231     0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
232     0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
233     0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
234     0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
235     0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
236 };
237
238 static const u32 camellia_sp0222[256] = {
239     0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
240     0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
241     0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
242     0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
243     0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
244     0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
245     0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
246     0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
247     0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
248     0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
249     0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
250     0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
251     0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
252     0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
253     0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
254     0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
255     0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
256     0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
257     0x00e8e8e8,0x00242424,0x00565656,0x00404040,
258     0x00e1e1e1,0x00636363,0x00090909,0x00333333,
259     0x00bfbfbf,0x00989898,0x00979797,0x00858585,
260     0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
261     0x00dadada,0x006f6f6f,0x00535353,0x00626262,
262     0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
263     0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
264     0x00bdbdbd,0x00363636,0x00222222,0x00383838,
265     0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
266     0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
267     0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
268     0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
269     0x00484848,0x00101010,0x00d1d1d1,0x00515151,
270     0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
271     0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
272     0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
273     0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
274     0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
275     0x00202020,0x00898989,0x00000000,0x00909090,
276     0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
277     0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
278     0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
279     0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
280     0x009b9b9b,0x00949494,0x00212121,0x00666666,
281     0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
282     0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
283     0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
284     0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
285     0x00030303,0x002d2d2d,0x00dedede,0x00969696,
286     0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
287     0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
288     0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
289     0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
290     0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
291     0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
292     0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
293     0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
294     0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
295     0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
296     0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
297     0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
298     0x00787878,0x00707070,0x00e3e3e3,0x00494949,
299     0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
300     0x00777777,0x00939393,0x00868686,0x00838383,
301     0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
302     0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
303 };
304
305 static const u32 camellia_sp3033[256] = {
306     0x38003838,0x41004141,0x16001616,0x76007676,
307     0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
308     0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
309     0x75007575,0x06000606,0x57005757,0xa000a0a0,
310     0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
311     0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
312     0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
313     0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
314     0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
315     0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
316     0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
317     0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
318     0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
319     0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
320     0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
321     0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
322     0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
323     0xfd00fdfd,0x66006666,0x58005858,0x96009696,
324     0x3a003a3a,0x09000909,0x95009595,0x10001010,
325     0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
326     0xef00efef,0x26002626,0xe500e5e5,0x61006161,
327     0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
328     0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
329     0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
330     0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
331     0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
332     0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
333     0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
334     0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
335     0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
336     0x12001212,0x04000404,0x74007474,0x54005454,
337     0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
338     0x55005555,0x68006868,0x50005050,0xbe00bebe,
339     0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
340     0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
341     0x70007070,0xff00ffff,0x32003232,0x69006969,
342     0x08000808,0x62006262,0x00000000,0x24002424,
343     0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
344     0x45004545,0x81008181,0x73007373,0x6d006d6d,
345     0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
346     0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
347     0xe600e6e6,0x25002525,0x48004848,0x99009999,
348     0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
349     0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
350     0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
351     0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
352     0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
353     0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
354     0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
355     0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
356     0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
357     0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
358     0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
359     0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
360     0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
361     0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
362     0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
363     0x7c007c7c,0x77007777,0x56005656,0x05000505,
364     0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
365     0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
366     0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
367     0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
368     0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
369     0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
370 };
371
372 static const u32 camellia_sp4404[256] = {
373     0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
374     0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
375     0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
376     0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
377     0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
378     0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
379     0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
380     0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
381     0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
382     0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
383     0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
384     0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
385     0x14140014,0x3a3a003a,0xdede00de,0x11110011,
386     0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
387     0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
388     0x24240024,0xe8e800e8,0x60600060,0x69690069,
389     0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
390     0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
391     0x10100010,0x00000000,0xa3a300a3,0x75750075,
392     0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
393     0x87870087,0x83830083,0xcdcd00cd,0x90900090,
394     0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
395     0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
396     0x81810081,0x6f6f006f,0x13130013,0x63630063,
397     0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
398     0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
399     0x78780078,0x06060006,0xe7e700e7,0x71710071,
400     0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
401     0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
402     0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
403     0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
404     0x15150015,0xadad00ad,0x77770077,0x80800080,
405     0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
406     0x85850085,0x35350035,0x0c0c000c,0x41410041,
407     0xefef00ef,0x93930093,0x19190019,0x21210021,
408     0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
409     0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
410     0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
411     0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
412     0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
413     0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
414     0x12120012,0x20200020,0xb1b100b1,0x99990099,
415     0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
416     0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
417     0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
418     0x0f0f000f,0x16160016,0x18180018,0x22220022,
419     0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
420     0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
421     0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
422     0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
423     0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
424     0x03030003,0xdada00da,0x3f3f003f,0x94940094,
425     0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
426     0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
427     0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
428     0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
429     0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
430     0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
431     0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
432     0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
433     0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
434     0x49490049,0x68680068,0x38380038,0xa4a400a4,
435     0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
436     0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
437 };
438
439
440 /**
441  * Stuff related to the Camellia key schedule
442  */
443 #define subl(x) subL[(x)]
444 #define subr(x) subR[(x)]
445
446 void camellia_setup128(const unsigned char *key, u32 *subkey)
447 {
448     u32 kll, klr, krl, krr;
449     u32 il, ir, t0, t1, w0, w1;
450     u32 kw4l, kw4r, dw, tl, tr;
451     u32 subL[26];
452     u32 subR[26];
453
454     /**
455      *  k == kll || klr || krl || krr (|| is concatination)
456      */
457     kll = GETU32(key     );
458     klr = GETU32(key +  4);
459     krl = GETU32(key +  8);
460     krr = GETU32(key + 12);
461     /**
462      * generate KL dependent subkeys
463      */
464     subl(0) = kll; subr(0) = klr;
465     subl(1) = krl; subr(1) = krr;
466     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
467     subl(4) = kll; subr(4) = klr;
468     subl(5) = krl; subr(5) = krr;
469     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
470     subl(10) = kll; subr(10) = klr;
471     subl(11) = krl; subr(11) = krr;
472     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
473     subl(13) = krl; subr(13) = krr;
474     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
475     subl(16) = kll; subr(16) = klr;
476     subl(17) = krl; subr(17) = krr;
477     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
478     subl(18) = kll; subr(18) = klr;
479     subl(19) = krl; subr(19) = krr;
480     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
481     subl(22) = kll; subr(22) = klr;
482     subl(23) = krl; subr(23) = krr;
483
484     /* generate KA */
485     kll = subl(0); klr = subr(0);
486     krl = subl(1); krr = subr(1);
487     CAMELLIA_F(kll, klr,
488                CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
489                w0, w1, il, ir, t0, t1);
490     krl ^= w0; krr ^= w1;
491     CAMELLIA_F(krl, krr,
492                CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
493                kll, klr, il, ir, t0, t1);
494     CAMELLIA_F(kll, klr,
495                CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
496                krl, krr, il, ir, t0, t1);
497     krl ^= w0; krr ^= w1;
498     CAMELLIA_F(krl, krr,
499                CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
500                w0, w1, il, ir, t0, t1);
501     kll ^= w0; klr ^= w1;
502
503     /* generate KA dependent subkeys */
504     subl(2) = kll; subr(2) = klr;
505     subl(3) = krl; subr(3) = krr;
506     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
507     subl(6) = kll; subr(6) = klr;
508     subl(7) = krl; subr(7) = krr;
509     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
510     subl(8) = kll; subr(8) = klr;
511     subl(9) = krl; subr(9) = krr;
512     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
513     subl(12) = kll; subr(12) = klr;
514     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
515     subl(14) = kll; subr(14) = klr;
516     subl(15) = krl; subr(15) = krr;
517     CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
518     subl(20) = kll; subr(20) = klr;
519     subl(21) = krl; subr(21) = krr;
520     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
521     subl(24) = kll; subr(24) = klr;
522     subl(25) = krl; subr(25) = krr;
523
524
525     /* absorb kw2 to other subkeys */
526     subl(3) ^= subl(1); subr(3) ^= subr(1);
527     subl(5) ^= subl(1); subr(5) ^= subr(1);
528     subl(7) ^= subl(1); subr(7) ^= subr(1);
529     subl(1) ^= subr(1) & ~subr(9);
530     dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
531     subl(11) ^= subl(1); subr(11) ^= subr(1);
532     subl(13) ^= subl(1); subr(13) ^= subr(1);
533     subl(15) ^= subl(1); subr(15) ^= subr(1);
534     subl(1) ^= subr(1) & ~subr(17);
535     dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
536     subl(19) ^= subl(1); subr(19) ^= subr(1);
537     subl(21) ^= subl(1); subr(21) ^= subr(1);
538     subl(23) ^= subl(1); subr(23) ^= subr(1);
539     subl(24) ^= subl(1); subr(24) ^= subr(1);
540
541     /* absorb kw4 to other subkeys */
542     kw4l = subl(25); kw4r = subr(25);
543     subl(22) ^= kw4l; subr(22) ^= kw4r;
544     subl(20) ^= kw4l; subr(20) ^= kw4r;
545     subl(18) ^= kw4l; subr(18) ^= kw4r;
546     kw4l ^= kw4r & ~subr(16);
547     dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
548     subl(14) ^= kw4l; subr(14) ^= kw4r;
549     subl(12) ^= kw4l; subr(12) ^= kw4r;
550     subl(10) ^= kw4l; subr(10) ^= kw4r;
551     kw4l ^= kw4r & ~subr(8);
552     dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
553     subl(6) ^= kw4l; subr(6) ^= kw4r;
554     subl(4) ^= kw4l; subr(4) ^= kw4r;
555     subl(2) ^= kw4l; subr(2) ^= kw4r;
556     subl(0) ^= kw4l; subr(0) ^= kw4r;
557
558     /* key XOR is end of F-function */
559     CamelliaSubkeyL(0) = subl(0) ^ subl(2);
560     CamelliaSubkeyR(0) = subr(0) ^ subr(2);
561     CamelliaSubkeyL(2) = subl(3);
562     CamelliaSubkeyR(2) = subr(3);
563     CamelliaSubkeyL(3) = subl(2) ^ subl(4);
564     CamelliaSubkeyR(3) = subr(2) ^ subr(4);
565     CamelliaSubkeyL(4) = subl(3) ^ subl(5);
566     CamelliaSubkeyR(4) = subr(3) ^ subr(5);
567     CamelliaSubkeyL(5) = subl(4) ^ subl(6);
568     CamelliaSubkeyR(5) = subr(4) ^ subr(6);
569     CamelliaSubkeyL(6) = subl(5) ^ subl(7);
570     CamelliaSubkeyR(6) = subr(5) ^ subr(7);
571     tl = subl(10) ^ (subr(10) & ~subr(8));
572     dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
573     CamelliaSubkeyL(7) = subl(6) ^ tl;
574     CamelliaSubkeyR(7) = subr(6) ^ tr;
575     CamelliaSubkeyL(8) = subl(8);
576     CamelliaSubkeyR(8) = subr(8);
577     CamelliaSubkeyL(9) = subl(9);
578     CamelliaSubkeyR(9) = subr(9);
579     tl = subl(7) ^ (subr(7) & ~subr(9));
580     dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
581     CamelliaSubkeyL(10) = tl ^ subl(11);
582     CamelliaSubkeyR(10) = tr ^ subr(11);
583     CamelliaSubkeyL(11) = subl(10) ^ subl(12);
584     CamelliaSubkeyR(11) = subr(10) ^ subr(12);
585     CamelliaSubkeyL(12) = subl(11) ^ subl(13);
586     CamelliaSubkeyR(12) = subr(11) ^ subr(13);
587     CamelliaSubkeyL(13) = subl(12) ^ subl(14);
588     CamelliaSubkeyR(13) = subr(12) ^ subr(14);
589     CamelliaSubkeyL(14) = subl(13) ^ subl(15);
590     CamelliaSubkeyR(14) = subr(13) ^ subr(15);
591     tl = subl(18) ^ (subr(18) & ~subr(16));
592     dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
593     CamelliaSubkeyL(15) = subl(14) ^ tl;
594     CamelliaSubkeyR(15) = subr(14) ^ tr;
595     CamelliaSubkeyL(16) = subl(16);
596     CamelliaSubkeyR(16) = subr(16);
597     CamelliaSubkeyL(17) = subl(17);
598     CamelliaSubkeyR(17) = subr(17);
599     tl = subl(15) ^ (subr(15) & ~subr(17));
600     dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
601     CamelliaSubkeyL(18) = tl ^ subl(19);
602     CamelliaSubkeyR(18) = tr ^ subr(19);
603     CamelliaSubkeyL(19) = subl(18) ^ subl(20);
604     CamelliaSubkeyR(19) = subr(18) ^ subr(20);
605     CamelliaSubkeyL(20) = subl(19) ^ subl(21);
606     CamelliaSubkeyR(20) = subr(19) ^ subr(21);
607     CamelliaSubkeyL(21) = subl(20) ^ subl(22);
608     CamelliaSubkeyR(21) = subr(20) ^ subr(22);
609     CamelliaSubkeyL(22) = subl(21) ^ subl(23);
610     CamelliaSubkeyR(22) = subr(21) ^ subr(23);
611     CamelliaSubkeyL(23) = subl(22);
612     CamelliaSubkeyR(23) = subr(22);
613     CamelliaSubkeyL(24) = subl(24) ^ subl(23);
614     CamelliaSubkeyR(24) = subr(24) ^ subr(23);
615
616     /* apply the inverse of the last half of P-function */
617     dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw);
618     CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw;
619     dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw);
620     CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw;
621     dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw);
622     CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw;
623     dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw);
624     CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw;
625     dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw);
626     CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw;
627     dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw);
628     CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw;
629     dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw);
630     CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw;
631     dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw);
632     CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw;
633     dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw);
634     CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw;
635     dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw);
636     CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw;
637     dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw);
638     CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw;
639     dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw);
640     CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw;
641     dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw);
642     CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw;
643     dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw);
644     CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw;
645     dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw);
646     CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw;
647     dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw);
648     CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw;
649     dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw);
650     CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw;
651     dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw);
652     CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw;
653
654     return;
655 }
656
657 void camellia_setup256(const unsigned char *key, u32 *subkey)
658 {
659     u32 kll,klr,krl,krr;           /* left half of key */
660     u32 krll,krlr,krrl,krrr;       /* right half of key */
661     u32 il, ir, t0, t1, w0, w1;    /* temporary variables */
662     u32 kw4l, kw4r, dw, tl, tr;
663     u32 subL[34];
664     u32 subR[34];
665
666     /**
667      *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
668      *  (|| is concatination)
669      */
670
671     kll  = GETU32(key     );
672     klr  = GETU32(key +  4);
673     krl  = GETU32(key +  8);
674     krr  = GETU32(key + 12);
675     krll = GETU32(key + 16);
676     krlr = GETU32(key + 20);
677     krrl = GETU32(key + 24);
678     krrr = GETU32(key + 28);
679
680     /* generate KL dependent subkeys */
681     subl(0) = kll; subr(0) = klr;
682     subl(1) = krl; subr(1) = krr;
683     CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
684     subl(12) = kll; subr(12) = klr;
685     subl(13) = krl; subr(13) = krr;
686     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
687     subl(16) = kll; subr(16) = klr;
688     subl(17) = krl; subr(17) = krr;
689     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
690     subl(22) = kll; subr(22) = klr;
691     subl(23) = krl; subr(23) = krr;
692     CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
693     subl(30) = kll; subr(30) = klr;
694     subl(31) = krl; subr(31) = krr;
695
696     /* generate KR dependent subkeys */
697     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
698     subl(4) = krll; subr(4) = krlr;
699     subl(5) = krrl; subr(5) = krrr;
700     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
701     subl(8) = krll; subr(8) = krlr;
702     subl(9) = krrl; subr(9) = krrr;
703     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
704     subl(18) = krll; subr(18) = krlr;
705     subl(19) = krrl; subr(19) = krrr;
706     CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
707     subl(26) = krll; subr(26) = krlr;
708     subl(27) = krrl; subr(27) = krrr;
709     CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
710
711     /* generate KA */
712     kll = subl(0) ^ krll; klr = subr(0) ^ krlr;
713     krl = subl(1) ^ krrl; krr = subr(1) ^ krrr;
714     CAMELLIA_F(kll, klr,
715                CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
716                w0, w1, il, ir, t0, t1);
717     krl ^= w0; krr ^= w1;
718     CAMELLIA_F(krl, krr,
719                CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
720                kll, klr, il, ir, t0, t1);
721     kll ^= krll; klr ^= krlr;
722     CAMELLIA_F(kll, klr,
723                CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
724                krl, krr, il, ir, t0, t1);
725     krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
726     CAMELLIA_F(krl, krr,
727                CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
728                w0, w1, il, ir, t0, t1);
729     kll ^= w0; klr ^= w1;
730
731     /* generate KB */
732     krll ^= kll; krlr ^= klr;
733     krrl ^= krl; krrr ^= krr;
734     CAMELLIA_F(krll, krlr,
735                CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
736                w0, w1, il, ir, t0, t1);
737     krrl ^= w0; krrr ^= w1;
738     CAMELLIA_F(krrl, krrr,
739                CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
740                w0, w1, il, ir, t0, t1);
741     krll ^= w0; krlr ^= w1;
742
743     /* generate KA dependent subkeys */
744     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
745     subl(6) = kll; subr(6) = klr;
746     subl(7) = krl; subr(7) = krr;
747     CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
748     subl(14) = kll; subr(14) = klr;
749     subl(15) = krl; subr(15) = krr;
750     subl(24) = klr; subr(24) = krl;
751     subl(25) = krr; subr(25) = kll;
752     CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
753     subl(28) = kll; subr(28) = klr;
754     subl(29) = krl; subr(29) = krr;
755
756     /* generate KB dependent subkeys */
757     subl(2) = krll; subr(2) = krlr;
758     subl(3) = krrl; subr(3) = krrr;
759     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
760     subl(10) = krll; subr(10) = krlr;
761     subl(11) = krrl; subr(11) = krrr;
762     CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
763     subl(20) = krll; subr(20) = krlr;
764     subl(21) = krrl; subr(21) = krrr;
765     CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
766     subl(32) = krll; subr(32) = krlr;
767     subl(33) = krrl; subr(33) = krrr;
768
769     /* absorb kw2 to other subkeys */
770     subl(3) ^= subl(1); subr(3) ^= subr(1);
771     subl(5) ^= subl(1); subr(5) ^= subr(1);
772     subl(7) ^= subl(1); subr(7) ^= subr(1);
773     subl(1) ^= subr(1) & ~subr(9);
774     dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
775     subl(11) ^= subl(1); subr(11) ^= subr(1);
776     subl(13) ^= subl(1); subr(13) ^= subr(1);
777     subl(15) ^= subl(1); subr(15) ^= subr(1);
778     subl(1) ^= subr(1) & ~subr(17);
779     dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
780     subl(19) ^= subl(1); subr(19) ^= subr(1);
781     subl(21) ^= subl(1); subr(21) ^= subr(1);
782     subl(23) ^= subl(1); subr(23) ^= subr(1);
783     subl(1) ^= subr(1) & ~subr(25);
784     dw = subl(1) & subl(25), subr(1) ^= CAMELLIA_RL1(dw);
785     subl(27) ^= subl(1); subr(27) ^= subr(1);
786     subl(29) ^= subl(1); subr(29) ^= subr(1);
787     subl(31) ^= subl(1); subr(31) ^= subr(1);
788     subl(32) ^= subl(1); subr(32) ^= subr(1);
789
790     /* absorb kw4 to other subkeys */
791     kw4l = subl(33); kw4r = subr(33);
792     subl(30) ^= kw4l; subr(30) ^= kw4r;
793     subl(28) ^= kw4l; subr(28) ^= kw4r;
794     subl(26) ^= kw4l; subr(26) ^= kw4r;
795     kw4l ^= kw4r & ~subr(24);
796     dw = kw4l & subl(24), kw4r ^= CAMELLIA_RL1(dw);
797     subl(22) ^= kw4l; subr(22) ^= kw4r;
798     subl(20) ^= kw4l; subr(20) ^= kw4r;
799     subl(18) ^= kw4l; subr(18) ^= kw4r;
800     kw4l ^= kw4r & ~subr(16);
801     dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
802     subl(14) ^= kw4l; subr(14) ^= kw4r;
803     subl(12) ^= kw4l; subr(12) ^= kw4r;
804     subl(10) ^= kw4l; subr(10) ^= kw4r;
805     kw4l ^= kw4r & ~subr(8);
806     dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
807     subl(6) ^= kw4l; subr(6) ^= kw4r;
808     subl(4) ^= kw4l; subr(4) ^= kw4r;
809     subl(2) ^= kw4l; subr(2) ^= kw4r;
810     subl(0) ^= kw4l; subr(0) ^= kw4r;
811
812     /* key XOR is end of F-function */
813     CamelliaSubkeyL(0) = subl(0) ^ subl(2);
814     CamelliaSubkeyR(0) = subr(0) ^ subr(2);
815     CamelliaSubkeyL(2) = subl(3);
816     CamelliaSubkeyR(2) = subr(3);
817     CamelliaSubkeyL(3) = subl(2) ^ subl(4);
818     CamelliaSubkeyR(3) = subr(2) ^ subr(4);
819     CamelliaSubkeyL(4) = subl(3) ^ subl(5);
820     CamelliaSubkeyR(4) = subr(3) ^ subr(5);
821     CamelliaSubkeyL(5) = subl(4) ^ subl(6);
822     CamelliaSubkeyR(5) = subr(4) ^ subr(6);
823     CamelliaSubkeyL(6) = subl(5) ^ subl(7);
824     CamelliaSubkeyR(6) = subr(5) ^ subr(7);
825     tl = subl(10) ^ (subr(10) & ~subr(8));
826     dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
827     CamelliaSubkeyL(7) = subl(6) ^ tl;
828     CamelliaSubkeyR(7) = subr(6) ^ tr;
829     CamelliaSubkeyL(8) = subl(8);
830     CamelliaSubkeyR(8) = subr(8);
831     CamelliaSubkeyL(9) = subl(9);
832     CamelliaSubkeyR(9) = subr(9);
833     tl = subl(7) ^ (subr(7) & ~subr(9));
834     dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
835     CamelliaSubkeyL(10) = tl ^ subl(11);
836     CamelliaSubkeyR(10) = tr ^ subr(11);
837     CamelliaSubkeyL(11) = subl(10) ^ subl(12);
838     CamelliaSubkeyR(11) = subr(10) ^ subr(12);
839     CamelliaSubkeyL(12) = subl(11) ^ subl(13);
840     CamelliaSubkeyR(12) = subr(11) ^ subr(13);
841     CamelliaSubkeyL(13) = subl(12) ^ subl(14);
842     CamelliaSubkeyR(13) = subr(12) ^ subr(14);
843     CamelliaSubkeyL(14) = subl(13) ^ subl(15);
844     CamelliaSubkeyR(14) = subr(13) ^ subr(15);
845     tl = subl(18) ^ (subr(18) & ~subr(16));
846     dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
847     CamelliaSubkeyL(15) = subl(14) ^ tl;
848     CamelliaSubkeyR(15) = subr(14) ^ tr;
849     CamelliaSubkeyL(16) = subl(16);
850     CamelliaSubkeyR(16) = subr(16);
851     CamelliaSubkeyL(17) = subl(17);
852     CamelliaSubkeyR(17) = subr(17);
853     tl = subl(15) ^ (subr(15) & ~subr(17));
854     dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
855     CamelliaSubkeyL(18) = tl ^ subl(19);
856     CamelliaSubkeyR(18) = tr ^ subr(19);
857     CamelliaSubkeyL(19) = subl(18) ^ subl(20);
858     CamelliaSubkeyR(19) = subr(18) ^ subr(20);
859     CamelliaSubkeyL(20) = subl(19) ^ subl(21);
860     CamelliaSubkeyR(20) = subr(19) ^ subr(21);
861     CamelliaSubkeyL(21) = subl(20) ^ subl(22);
862     CamelliaSubkeyR(21) = subr(20) ^ subr(22);
863     CamelliaSubkeyL(22) = subl(21) ^ subl(23);
864     CamelliaSubkeyR(22) = subr(21) ^ subr(23);
865     tl = subl(26) ^ (subr(26) & ~subr(24));
866     dw = tl & subl(24), tr = subr(26) ^ CAMELLIA_RL1(dw);
867     CamelliaSubkeyL(23) = subl(22) ^ tl;
868     CamelliaSubkeyR(23) = subr(22) ^ tr;
869     CamelliaSubkeyL(24) = subl(24);
870     CamelliaSubkeyR(24) = subr(24);
871     CamelliaSubkeyL(25) = subl(25);
872     CamelliaSubkeyR(25) = subr(25);
873     tl = subl(23) ^ (subr(23) &  ~subr(25));
874     dw = tl & subl(25), tr = subr(23) ^ CAMELLIA_RL1(dw);
875     CamelliaSubkeyL(26) = tl ^ subl(27);
876     CamelliaSubkeyR(26) = tr ^ subr(27);
877     CamelliaSubkeyL(27) = subl(26) ^ subl(28);
878     CamelliaSubkeyR(27) = subr(26) ^ subr(28);
879     CamelliaSubkeyL(28) = subl(27) ^ subl(29);
880     CamelliaSubkeyR(28) = subr(27) ^ subr(29);
881     CamelliaSubkeyL(29) = subl(28) ^ subl(30);
882     CamelliaSubkeyR(29) = subr(28) ^ subr(30);
883     CamelliaSubkeyL(30) = subl(29) ^ subl(31);
884     CamelliaSubkeyR(30) = subr(29) ^ subr(31);
885     CamelliaSubkeyL(31) = subl(30);
886     CamelliaSubkeyR(31) = subr(30);
887     CamelliaSubkeyL(32) = subl(32) ^ subl(31);
888     CamelliaSubkeyR(32) = subr(32) ^ subr(31);
889
890     /* apply the inverse of the last half of P-function */
891     dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw);
892     CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw;
893     dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw);
894     CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw;
895     dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw);
896     CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw;
897     dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw);
898     CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw;
899     dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw);
900     CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw;
901     dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw);
902     CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw;
903     dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw);
904     CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw;
905     dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw);
906     CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw;
907     dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw);
908     CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw;
909     dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw);
910     CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw;
911     dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw);
912     CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw;
913     dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw);
914     CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw;
915     dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw);
916     CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw;
917     dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw);
918     CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw;
919     dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw);
920     CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw;
921     dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw);
922     CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw;
923     dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw);
924     CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw;
925     dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw);
926     CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw;
927     dw = CamelliaSubkeyL(26) ^ CamelliaSubkeyR(26), dw = CAMELLIA_RL8(dw);
928     CamelliaSubkeyR(26) = CamelliaSubkeyL(26) ^ dw, CamelliaSubkeyL(26) = dw;
929     dw = CamelliaSubkeyL(27) ^ CamelliaSubkeyR(27), dw = CAMELLIA_RL8(dw);
930     CamelliaSubkeyR(27) = CamelliaSubkeyL(27) ^ dw, CamelliaSubkeyL(27) = dw;
931     dw = CamelliaSubkeyL(28) ^ CamelliaSubkeyR(28), dw = CAMELLIA_RL8(dw);
932     CamelliaSubkeyR(28) = CamelliaSubkeyL(28) ^ dw, CamelliaSubkeyL(28) = dw;
933     dw = CamelliaSubkeyL(29) ^ CamelliaSubkeyR(29), dw = CAMELLIA_RL8(dw);
934     CamelliaSubkeyR(29) = CamelliaSubkeyL(29) ^ dw, CamelliaSubkeyL(29) = dw;
935     dw = CamelliaSubkeyL(30) ^ CamelliaSubkeyR(30), dw = CAMELLIA_RL8(dw);
936     CamelliaSubkeyR(30) = CamelliaSubkeyL(30) ^ dw, CamelliaSubkeyL(30) = dw;
937     dw = CamelliaSubkeyL(31) ^ CamelliaSubkeyR(31), dw = CAMELLIA_RL8(dw);
938     CamelliaSubkeyR(31) = CamelliaSubkeyL(31) ^ dw,CamelliaSubkeyL(31) = dw;
939
940     return;
941 }
942
943 void camellia_setup192(const unsigned char *key, u32 *subkey)
944 {
945     unsigned char kk[32];
946     u32 krll, krlr, krrl,krrr;
947
948     memcpy(kk, key, 24);
949     memcpy((unsigned char *)&krll, key+16,4);
950     memcpy((unsigned char *)&krlr, key+20,4);
951     krrl = ~krll;
952     krrr = ~krlr;
953     memcpy(kk+24, (unsigned char *)&krrl, 4);
954     memcpy(kk+28, (unsigned char *)&krrr, 4);
955     camellia_setup256(kk, subkey);
956     return;
957 }
958
959
960 /**
961  * Stuff related to camellia encryption/decryption
962  *
963  * "io" must be 4byte aligned and big-endian data.
964  */
965 void camellia_encrypt128(const u32 *subkey, u32 *io)
966 {
967     u32 il, ir, t0, t1;
968
969     /* pre whitening but absorb kw2*/
970     io[0] ^= CamelliaSubkeyL(0);
971     io[1] ^= CamelliaSubkeyR(0);
972     /* main iteration */
973
974     CAMELLIA_ROUNDSM(io[0],io[1],
975                      CamelliaSubkeyL(2),CamelliaSubkeyR(2),
976                      io[2],io[3],il,ir,t0,t1);
977     CAMELLIA_ROUNDSM(io[2],io[3],
978                      CamelliaSubkeyL(3),CamelliaSubkeyR(3),
979                      io[0],io[1],il,ir,t0,t1);
980     CAMELLIA_ROUNDSM(io[0],io[1],
981                      CamelliaSubkeyL(4),CamelliaSubkeyR(4),
982                      io[2],io[3],il,ir,t0,t1);
983     CAMELLIA_ROUNDSM(io[2],io[3],
984                      CamelliaSubkeyL(5),CamelliaSubkeyR(5),
985                      io[0],io[1],il,ir,t0,t1);
986     CAMELLIA_ROUNDSM(io[0],io[1],
987                      CamelliaSubkeyL(6),CamelliaSubkeyR(6),
988                      io[2],io[3],il,ir,t0,t1);
989     CAMELLIA_ROUNDSM(io[2],io[3],
990                      CamelliaSubkeyL(7),CamelliaSubkeyR(7),
991                      io[0],io[1],il,ir,t0,t1);
992
993     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
994                  CamelliaSubkeyL(8),CamelliaSubkeyR(8),
995                  CamelliaSubkeyL(9),CamelliaSubkeyR(9),
996                  t0,t1,il,ir);
997
998     CAMELLIA_ROUNDSM(io[0],io[1],
999                      CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1000                      io[2],io[3],il,ir,t0,t1);
1001     CAMELLIA_ROUNDSM(io[2],io[3],
1002                      CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1003                      io[0],io[1],il,ir,t0,t1);
1004     CAMELLIA_ROUNDSM(io[0],io[1],
1005                      CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1006                      io[2],io[3],il,ir,t0,t1);
1007     CAMELLIA_ROUNDSM(io[2],io[3],
1008                      CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1009                      io[0],io[1],il,ir,t0,t1);
1010     CAMELLIA_ROUNDSM(io[0],io[1],
1011                      CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1012                      io[2],io[3],il,ir,t0,t1);
1013     CAMELLIA_ROUNDSM(io[2],io[3],
1014                      CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1015                      io[0],io[1],il,ir,t0,t1);
1016
1017     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1018                  CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1019                  CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1020                  t0,t1,il,ir);
1021
1022     CAMELLIA_ROUNDSM(io[0],io[1],
1023                      CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1024                      io[2],io[3],il,ir,t0,t1);
1025     CAMELLIA_ROUNDSM(io[2],io[3],
1026                      CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1027                      io[0],io[1],il,ir,t0,t1);
1028     CAMELLIA_ROUNDSM(io[0],io[1],
1029                      CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1030                      io[2],io[3],il,ir,t0,t1);
1031     CAMELLIA_ROUNDSM(io[2],io[3],
1032                      CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1033                      io[0],io[1],il,ir,t0,t1);
1034     CAMELLIA_ROUNDSM(io[0],io[1],
1035                      CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1036                      io[2],io[3],il,ir,t0,t1);
1037     CAMELLIA_ROUNDSM(io[2],io[3],
1038                      CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1039                      io[0],io[1],il,ir,t0,t1);
1040
1041     /* post whitening but kw4 */
1042     io[2] ^= CamelliaSubkeyL(24);
1043     io[3] ^= CamelliaSubkeyR(24);
1044
1045     t0 = io[0];
1046     t1 = io[1];
1047     io[0] = io[2];
1048     io[1] = io[3];
1049     io[2] = t0;
1050     io[3] = t1;
1051
1052     return;
1053 }
1054
1055 void camellia_decrypt128(const u32 *subkey, u32 *io)
1056 {
1057     u32 il,ir,t0,t1;               /* temporary valiables */
1058
1059     /* pre whitening but absorb kw2*/
1060     io[0] ^= CamelliaSubkeyL(24);
1061     io[1] ^= CamelliaSubkeyR(24);
1062
1063     /* main iteration */
1064     CAMELLIA_ROUNDSM(io[0],io[1],
1065                      CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1066                      io[2],io[3],il,ir,t0,t1);
1067     CAMELLIA_ROUNDSM(io[2],io[3],
1068                      CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1069                      io[0],io[1],il,ir,t0,t1);
1070     CAMELLIA_ROUNDSM(io[0],io[1],
1071                      CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1072                      io[2],io[3],il,ir,t0,t1);
1073     CAMELLIA_ROUNDSM(io[2],io[3],
1074                      CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1075                      io[0],io[1],il,ir,t0,t1);
1076     CAMELLIA_ROUNDSM(io[0],io[1],
1077                      CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1078                      io[2],io[3],il,ir,t0,t1);
1079     CAMELLIA_ROUNDSM(io[2],io[3],
1080                      CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1081                      io[0],io[1],il,ir,t0,t1);
1082
1083     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1084                  CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1085                  CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1086                  t0,t1,il,ir);
1087
1088     CAMELLIA_ROUNDSM(io[0],io[1],
1089                      CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1090                      io[2],io[3],il,ir,t0,t1);
1091     CAMELLIA_ROUNDSM(io[2],io[3],
1092                      CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1093                      io[0],io[1],il,ir,t0,t1);
1094     CAMELLIA_ROUNDSM(io[0],io[1],
1095                      CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1096                      io[2],io[3],il,ir,t0,t1);
1097     CAMELLIA_ROUNDSM(io[2],io[3],
1098                      CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1099                      io[0],io[1],il,ir,t0,t1);
1100     CAMELLIA_ROUNDSM(io[0],io[1],
1101                      CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1102                      io[2],io[3],il,ir,t0,t1);
1103     CAMELLIA_ROUNDSM(io[2],io[3],
1104                      CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1105                      io[0],io[1],il,ir,t0,t1);
1106
1107     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1108                  CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1109                  CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1110                  t0,t1,il,ir);
1111
1112     CAMELLIA_ROUNDSM(io[0],io[1],
1113                      CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1114                      io[2],io[3],il,ir,t0,t1);
1115     CAMELLIA_ROUNDSM(io[2],io[3],
1116                      CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1117                      io[0],io[1],il,ir,t0,t1);
1118     CAMELLIA_ROUNDSM(io[0],io[1],
1119                      CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1120                      io[2],io[3],il,ir,t0,t1);
1121     CAMELLIA_ROUNDSM(io[2],io[3],
1122                      CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1123                      io[0],io[1],il,ir,t0,t1);
1124     CAMELLIA_ROUNDSM(io[0],io[1],
1125                      CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1126                      io[2],io[3],il,ir,t0,t1);
1127     CAMELLIA_ROUNDSM(io[2],io[3],
1128                      CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1129                      io[0],io[1],il,ir,t0,t1);
1130
1131     /* post whitening but kw4 */
1132     io[2] ^= CamelliaSubkeyL(0);
1133     io[3] ^= CamelliaSubkeyR(0);
1134
1135     t0 = io[0];
1136     t1 = io[1];
1137     io[0] = io[2];
1138     io[1] = io[3];
1139     io[2] = t0;
1140     io[3] = t1;
1141
1142     return;
1143 }
1144
1145 /**
1146  * stuff for 192 and 256bit encryption/decryption
1147  */
1148 void camellia_encrypt256(const u32 *subkey, u32 *io)
1149 {
1150     u32 il,ir,t0,t1;           /* temporary valiables */
1151
1152     /* pre whitening but absorb kw2*/
1153     io[0] ^= CamelliaSubkeyL(0);
1154     io[1] ^= CamelliaSubkeyR(0);
1155
1156     /* main iteration */
1157     CAMELLIA_ROUNDSM(io[0],io[1],
1158                      CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1159                      io[2],io[3],il,ir,t0,t1);
1160     CAMELLIA_ROUNDSM(io[2],io[3],
1161                      CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1162                      io[0],io[1],il,ir,t0,t1);
1163     CAMELLIA_ROUNDSM(io[0],io[1],
1164                      CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1165                      io[2],io[3],il,ir,t0,t1);
1166     CAMELLIA_ROUNDSM(io[2],io[3],
1167                      CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1168                      io[0],io[1],il,ir,t0,t1);
1169     CAMELLIA_ROUNDSM(io[0],io[1],
1170                      CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1171                      io[2],io[3],il,ir,t0,t1);
1172     CAMELLIA_ROUNDSM(io[2],io[3],
1173                      CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1174                      io[0],io[1],il,ir,t0,t1);
1175
1176     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1177                  CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1178                  CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1179                  t0,t1,il,ir);
1180
1181     CAMELLIA_ROUNDSM(io[0],io[1],
1182                      CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1183                      io[2],io[3],il,ir,t0,t1);
1184     CAMELLIA_ROUNDSM(io[2],io[3],
1185                      CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1186                      io[0],io[1],il,ir,t0,t1);
1187     CAMELLIA_ROUNDSM(io[0],io[1],
1188                      CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1189                      io[2],io[3],il,ir,t0,t1);
1190     CAMELLIA_ROUNDSM(io[2],io[3],
1191                      CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1192                      io[0],io[1],il,ir,t0,t1);
1193     CAMELLIA_ROUNDSM(io[0],io[1],
1194                      CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1195                      io[2],io[3],il,ir,t0,t1);
1196     CAMELLIA_ROUNDSM(io[2],io[3],
1197                      CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1198                      io[0],io[1],il,ir,t0,t1);
1199
1200     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1201                  CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1202                  CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1203                  t0,t1,il,ir);
1204
1205     CAMELLIA_ROUNDSM(io[0],io[1],
1206                      CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1207                      io[2],io[3],il,ir,t0,t1);
1208     CAMELLIA_ROUNDSM(io[2],io[3],
1209                      CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1210                      io[0],io[1],il,ir,t0,t1);
1211     CAMELLIA_ROUNDSM(io[0],io[1],
1212                      CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1213                      io[2],io[3],il,ir,t0,t1);
1214     CAMELLIA_ROUNDSM(io[2],io[3],
1215                      CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1216                      io[0],io[1],il,ir,t0,t1);
1217     CAMELLIA_ROUNDSM(io[0],io[1],
1218                      CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1219                      io[2],io[3],il,ir,t0,t1);
1220     CAMELLIA_ROUNDSM(io[2],io[3],
1221                      CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1222                      io[0],io[1],il,ir,t0,t1);
1223
1224     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1225                  CamelliaSubkeyL(24),CamelliaSubkeyR(24),
1226                  CamelliaSubkeyL(25),CamelliaSubkeyR(25),
1227                  t0,t1,il,ir);
1228
1229     CAMELLIA_ROUNDSM(io[0],io[1],
1230                      CamelliaSubkeyL(26),CamelliaSubkeyR(26),
1231                      io[2],io[3],il,ir,t0,t1);
1232     CAMELLIA_ROUNDSM(io[2],io[3],
1233                      CamelliaSubkeyL(27),CamelliaSubkeyR(27),
1234                      io[0],io[1],il,ir,t0,t1);
1235     CAMELLIA_ROUNDSM(io[0],io[1],
1236                      CamelliaSubkeyL(28),CamelliaSubkeyR(28),
1237                      io[2],io[3],il,ir,t0,t1);
1238     CAMELLIA_ROUNDSM(io[2],io[3],
1239                      CamelliaSubkeyL(29),CamelliaSubkeyR(29),
1240                      io[0],io[1],il,ir,t0,t1);
1241     CAMELLIA_ROUNDSM(io[0],io[1],
1242                      CamelliaSubkeyL(30),CamelliaSubkeyR(30),
1243                      io[2],io[3],il,ir,t0,t1);
1244     CAMELLIA_ROUNDSM(io[2],io[3],
1245                      CamelliaSubkeyL(31),CamelliaSubkeyR(31),
1246                      io[0],io[1],il,ir,t0,t1);
1247
1248     /* post whitening but kw4 */
1249     io[2] ^= CamelliaSubkeyL(32);
1250     io[3] ^= CamelliaSubkeyR(32);
1251
1252     t0 = io[0];
1253     t1 = io[1];
1254     io[0] = io[2];
1255     io[1] = io[3];
1256     io[2] = t0;
1257     io[3] = t1;
1258
1259     return;
1260 }
1261
1262 void camellia_decrypt256(const u32 *subkey, u32 *io)
1263 {
1264     u32 il,ir,t0,t1;           /* temporary valiables */
1265
1266     /* pre whitening but absorb kw2*/
1267     io[0] ^= CamelliaSubkeyL(32);
1268     io[1] ^= CamelliaSubkeyR(32);
1269
1270     /* main iteration */
1271     CAMELLIA_ROUNDSM(io[0],io[1],
1272                      CamelliaSubkeyL(31),CamelliaSubkeyR(31),
1273                      io[2],io[3],il,ir,t0,t1);
1274     CAMELLIA_ROUNDSM(io[2],io[3],
1275                      CamelliaSubkeyL(30),CamelliaSubkeyR(30),
1276                      io[0],io[1],il,ir,t0,t1);
1277     CAMELLIA_ROUNDSM(io[0],io[1],
1278                      CamelliaSubkeyL(29),CamelliaSubkeyR(29),
1279                      io[2],io[3],il,ir,t0,t1);
1280     CAMELLIA_ROUNDSM(io[2],io[3],
1281                      CamelliaSubkeyL(28),CamelliaSubkeyR(28),
1282                      io[0],io[1],il,ir,t0,t1);
1283     CAMELLIA_ROUNDSM(io[0],io[1],
1284                      CamelliaSubkeyL(27),CamelliaSubkeyR(27),
1285                      io[2],io[3],il,ir,t0,t1);
1286     CAMELLIA_ROUNDSM(io[2],io[3],
1287                      CamelliaSubkeyL(26),CamelliaSubkeyR(26),
1288                      io[0],io[1],il,ir,t0,t1);
1289
1290     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1291                  CamelliaSubkeyL(25),CamelliaSubkeyR(25),
1292                  CamelliaSubkeyL(24),CamelliaSubkeyR(24),
1293                  t0,t1,il,ir);
1294
1295     CAMELLIA_ROUNDSM(io[0],io[1],
1296                      CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1297                      io[2],io[3],il,ir,t0,t1);
1298     CAMELLIA_ROUNDSM(io[2],io[3],
1299                      CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1300                      io[0],io[1],il,ir,t0,t1);
1301     CAMELLIA_ROUNDSM(io[0],io[1],
1302                      CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1303                      io[2],io[3],il,ir,t0,t1);
1304     CAMELLIA_ROUNDSM(io[2],io[3],
1305                      CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1306                      io[0],io[1],il,ir,t0,t1);
1307     CAMELLIA_ROUNDSM(io[0],io[1],
1308                      CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1309                      io[2],io[3],il,ir,t0,t1);
1310     CAMELLIA_ROUNDSM(io[2],io[3],
1311                      CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1312                      io[0],io[1],il,ir,t0,t1);
1313
1314     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1315                  CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1316                  CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1317                  t0,t1,il,ir);
1318
1319     CAMELLIA_ROUNDSM(io[0],io[1],
1320                      CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1321                      io[2],io[3],il,ir,t0,t1);
1322     CAMELLIA_ROUNDSM(io[2],io[3],
1323                      CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1324                      io[0],io[1],il,ir,t0,t1);
1325     CAMELLIA_ROUNDSM(io[0],io[1],
1326                      CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1327                      io[2],io[3],il,ir,t0,t1);
1328     CAMELLIA_ROUNDSM(io[2],io[3],
1329                      CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1330                      io[0],io[1],il,ir,t0,t1);
1331     CAMELLIA_ROUNDSM(io[0],io[1],
1332                      CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1333                      io[2],io[3],il,ir,t0,t1);
1334     CAMELLIA_ROUNDSM(io[2],io[3],
1335                      CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1336                      io[0],io[1],il,ir,t0,t1);
1337
1338     CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1339                  CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1340                  CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1341                  t0,t1,il,ir);
1342
1343     CAMELLIA_ROUNDSM(io[0],io[1],
1344                      CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1345                      io[2],io[3],il,ir,t0,t1);
1346     CAMELLIA_ROUNDSM(io[2],io[3],
1347                      CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1348                      io[0],io[1],il,ir,t0,t1);
1349     CAMELLIA_ROUNDSM(io[0],io[1],
1350                      CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1351                      io[2],io[3],il,ir,t0,t1);
1352     CAMELLIA_ROUNDSM(io[2],io[3],
1353                      CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1354                      io[0],io[1],il,ir,t0,t1);
1355     CAMELLIA_ROUNDSM(io[0],io[1],
1356                      CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1357                      io[2],io[3],il,ir,t0,t1);
1358     CAMELLIA_ROUNDSM(io[2],io[3],
1359                      CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1360                      io[0],io[1],il,ir,t0,t1);
1361
1362     /* post whitening but kw4 */
1363     io[2] ^= CamelliaSubkeyL(0);
1364     io[3] ^= CamelliaSubkeyR(0);
1365
1366     t0 = io[0];
1367     t1 = io[1];
1368     io[0] = io[2];
1369     io[1] = io[3];
1370     io[2] = t0;
1371     io[3] = t1;
1372
1373     return;
1374 }
1375
1376 /***
1377  *
1378  * API for compatibility
1379  */
1380
1381 void Camellia_Ekeygen(const int keyBitLength,
1382                       const unsigned char *rawKey,
1383                       KEY_TABLE_TYPE keyTable)
1384 {
1385     switch(keyBitLength) {
1386     case 128:
1387         camellia_setup128(rawKey, keyTable);
1388         break;
1389     case 192:
1390         camellia_setup192(rawKey, keyTable);
1391         break;
1392     case 256:
1393         camellia_setup256(rawKey, keyTable);
1394         break;
1395     default:
1396         break;
1397     }
1398 }
1399
1400
1401 void Camellia_EncryptBlock(const int keyBitLength,
1402                            const unsigned char *plaintext,
1403                            const KEY_TABLE_TYPE keyTable,
1404                            unsigned char *ciphertext)
1405 {
1406     u32 tmp[4];
1407
1408     tmp[0] = GETU32(plaintext);
1409     tmp[1] = GETU32(plaintext + 4);
1410     tmp[2] = GETU32(plaintext + 8);
1411     tmp[3] = GETU32(plaintext + 12);
1412
1413     switch (keyBitLength) {
1414     case 128:
1415         camellia_encrypt128(keyTable, tmp);
1416         break;
1417     case 192:
1418         /* fall through */
1419     case 256:
1420         camellia_encrypt256(keyTable, tmp);
1421         break;
1422     default:
1423         break;
1424     }
1425
1426     PUTU32(ciphertext, tmp[0]);
1427     PUTU32(ciphertext + 4, tmp[1]);
1428     PUTU32(ciphertext + 8, tmp[2]);
1429     PUTU32(ciphertext + 12, tmp[3]);
1430 }
1431
1432 void Camellia_DecryptBlock(const int keyBitLength,
1433                            const unsigned char *ciphertext,
1434                            const KEY_TABLE_TYPE keyTable,
1435                            unsigned char *plaintext)
1436 {
1437     u32 tmp[4];
1438
1439     tmp[0] = GETU32(ciphertext);
1440     tmp[1] = GETU32(ciphertext + 4);
1441     tmp[2] = GETU32(ciphertext + 8);
1442     tmp[3] = GETU32(ciphertext + 12);
1443
1444     switch (keyBitLength) {
1445     case 128:
1446         camellia_decrypt128(keyTable, tmp);
1447         break;
1448     case 192:
1449         /* fall through */
1450     case 256:
1451         camellia_decrypt256(keyTable, tmp);
1452         break;
1453     default:
1454         break;
1455     }
1456     PUTU32(plaintext, tmp[0]);
1457     PUTU32(plaintext + 4, tmp[1]);
1458     PUTU32(plaintext + 8, tmp[2]);
1459     PUTU32(plaintext + 12, tmp[3]);
1460 }