Merge branch 'async' of macbook:git/btrfs-unstable
[linux-2.6.git] / crypto / camellia.c
1 /*
2  * Copyright (C) 2006
3  * NTT (Nippon Telegraph and Telephone Corporation).
4  *
5  * This program is free software; you can redistribute it and/or
6  * modify it under the terms of the GNU General Public License
7  * as published by the Free Software Foundation; either version 2
8  * of the License, or (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program; if not, write to the Free Software
17  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
18  */
19
20 /*
21  * Algorithm Specification
22  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
23  */
24
25 /*
26  *
27  * NOTE --- NOTE --- NOTE --- NOTE
28  * This implementation assumes that all memory addresses passed
29  * as parameters are four-byte aligned.
30  *
31  */
32
33 #include <linux/crypto.h>
34 #include <linux/errno.h>
35 #include <linux/init.h>
36 #include <linux/kernel.h>
37 #include <linux/module.h>
38 #include <linux/bitops.h>
39 #include <asm/unaligned.h>
40
41 static const u32 camellia_sp1110[256] = {
42         0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00,
43         0xb3b3b300, 0x27272700, 0xc0c0c000, 0xe5e5e500,
44         0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
45         0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100,
46         0x23232300, 0xefefef00, 0x6b6b6b00, 0x93939300,
47         0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
48         0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00,
49         0x1d1d1d00, 0x65656500, 0x92929200, 0xbdbdbd00,
50         0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
51         0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00,
52         0x3e3e3e00, 0x30303000, 0xdcdcdc00, 0x5f5f5f00,
53         0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
54         0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00,
55         0xd5d5d500, 0x47474700, 0x5d5d5d00, 0x3d3d3d00,
56         0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
57         0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00,
58         0x8b8b8b00, 0x0d0d0d00, 0x9a9a9a00, 0x66666600,
59         0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
60         0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000,
61         0xf0f0f000, 0xb1b1b100, 0x84848400, 0x99999900,
62         0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
63         0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500,
64         0x6d6d6d00, 0xb7b7b700, 0xa9a9a900, 0x31313100,
65         0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
66         0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100,
67         0xdedede00, 0x1b1b1b00, 0x11111100, 0x1c1c1c00,
68         0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
69         0x53535300, 0x18181800, 0xf2f2f200, 0x22222200,
70         0xfefefe00, 0x44444400, 0xcfcfcf00, 0xb2b2b200,
71         0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
72         0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800,
73         0x60606000, 0xfcfcfc00, 0x69696900, 0x50505000,
74         0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
75         0xa1a1a100, 0x89898900, 0x62626200, 0x97979700,
76         0x54545400, 0x5b5b5b00, 0x1e1e1e00, 0x95959500,
77         0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
78         0x10101000, 0xc4c4c400, 0x00000000, 0x48484800,
79         0xa3a3a300, 0xf7f7f700, 0x75757500, 0xdbdbdb00,
80         0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
81         0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400,
82         0x87878700, 0x5c5c5c00, 0x83838300, 0x02020200,
83         0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
84         0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300,
85         0x9d9d9d00, 0x7f7f7f00, 0xbfbfbf00, 0xe2e2e200,
86         0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
87         0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00,
88         0x81818100, 0x96969600, 0x6f6f6f00, 0x4b4b4b00,
89         0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
90         0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00,
91         0x9f9f9f00, 0x6e6e6e00, 0xbcbcbc00, 0x8e8e8e00,
92         0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
93         0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900,
94         0x78787800, 0x98989800, 0x06060600, 0x6a6a6a00,
95         0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
96         0xd4d4d400, 0x25252500, 0xababab00, 0x42424200,
97         0x88888800, 0xa2a2a200, 0x8d8d8d00, 0xfafafa00,
98         0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
99         0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00,
100         0x36363600, 0x49494900, 0x2a2a2a00, 0x68686800,
101         0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
102         0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00,
103         0xbbbbbb00, 0xc9c9c900, 0x43434300, 0xc1c1c100,
104         0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
105         0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00,
106 };
107
108 static const u32 camellia_sp0222[256] = {
109         0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9,
110         0x00676767, 0x004e4e4e, 0x00818181, 0x00cbcbcb,
111         0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
112         0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282,
113         0x00464646, 0x00dfdfdf, 0x00d6d6d6, 0x00272727,
114         0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
115         0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c,
116         0x003a3a3a, 0x00cacaca, 0x00252525, 0x007b7b7b,
117         0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
118         0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d,
119         0x007c7c7c, 0x00606060, 0x00b9b9b9, 0x00bebebe,
120         0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
121         0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595,
122         0x00ababab, 0x008e8e8e, 0x00bababa, 0x007a7a7a,
123         0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
124         0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a,
125         0x00171717, 0x001a1a1a, 0x00353535, 0x00cccccc,
126         0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
127         0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040,
128         0x00e1e1e1, 0x00636363, 0x00090909, 0x00333333,
129         0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
130         0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a,
131         0x00dadada, 0x006f6f6f, 0x00535353, 0x00626262,
132         0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
133         0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2,
134         0x00bdbdbd, 0x00363636, 0x00222222, 0x00383838,
135         0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
136         0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444,
137         0x00fdfdfd, 0x00888888, 0x009f9f9f, 0x00656565,
138         0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
139         0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151,
140         0x00c0c0c0, 0x00f9f9f9, 0x00d2d2d2, 0x00a0a0a0,
141         0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
142         0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f,
143         0x00a8a8a8, 0x00b6b6b6, 0x003c3c3c, 0x002b2b2b,
144         0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
145         0x00202020, 0x00898989, 0x00000000, 0x00909090,
146         0x00474747, 0x00efefef, 0x00eaeaea, 0x00b7b7b7,
147         0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
148         0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929,
149         0x000f0f0f, 0x00b8b8b8, 0x00070707, 0x00040404,
150         0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
151         0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7,
152         0x003b3b3b, 0x00fefefe, 0x007f7f7f, 0x00c5c5c5,
153         0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
154         0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676,
155         0x00030303, 0x002d2d2d, 0x00dedede, 0x00969696,
156         0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
157         0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919,
158         0x003f3f3f, 0x00dcdcdc, 0x00797979, 0x001d1d1d,
159         0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
160         0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2,
161         0x00f0f0f0, 0x00313131, 0x000c0c0c, 0x00d4d4d4,
162         0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
163         0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484,
164         0x00111111, 0x00454545, 0x001b1b1b, 0x00f5f5f5,
165         0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
166         0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414,
167         0x006c6c6c, 0x00929292, 0x00545454, 0x00d0d0d0,
168         0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
169         0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6,
170         0x00777777, 0x00939393, 0x00868686, 0x00838383,
171         0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
172         0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d,
173 };
174
175 static const u32 camellia_sp3033[256] = {
176         0x38003838, 0x41004141, 0x16001616, 0x76007676,
177         0xd900d9d9, 0x93009393, 0x60006060, 0xf200f2f2,
178         0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
179         0x75007575, 0x06000606, 0x57005757, 0xa000a0a0,
180         0x91009191, 0xf700f7f7, 0xb500b5b5, 0xc900c9c9,
181         0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
182         0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727,
183         0x8e008e8e, 0xb200b2b2, 0x49004949, 0xde00dede,
184         0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
185         0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767,
186         0x1f001f1f, 0x18001818, 0x6e006e6e, 0xaf00afaf,
187         0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
188         0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565,
189         0xea00eaea, 0xa300a3a3, 0xae00aeae, 0x9e009e9e,
190         0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
191         0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6,
192         0xc500c5c5, 0x86008686, 0x4d004d4d, 0x33003333,
193         0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
194         0x3a003a3a, 0x09000909, 0x95009595, 0x10001010,
195         0x78007878, 0xd800d8d8, 0x42004242, 0xcc00cccc,
196         0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
197         0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282,
198         0xb600b6b6, 0xdb00dbdb, 0xd400d4d4, 0x98009898,
199         0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
200         0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0,
201         0x6f006f6f, 0x8d008d8d, 0x88008888, 0x0e000e0e,
202         0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
203         0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111,
204         0x7f007f7f, 0x22002222, 0xe700e7e7, 0x59005959,
205         0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
206         0x12001212, 0x04000404, 0x74007474, 0x54005454,
207         0x30003030, 0x7e007e7e, 0xb400b4b4, 0x28002828,
208         0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
209         0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb,
210         0x2a002a2a, 0xad00adad, 0x0f000f0f, 0xca00caca,
211         0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
212         0x08000808, 0x62006262, 0x00000000, 0x24002424,
213         0xd100d1d1, 0xfb00fbfb, 0xba00baba, 0xed00eded,
214         0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
215         0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a,
216         0xc300c3c3, 0x2e002e2e, 0xc100c1c1, 0x01000101,
217         0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
218         0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9,
219         0xce00cece, 0xbf00bfbf, 0xdf00dfdf, 0x71007171,
220         0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
221         0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d,
222         0xc000c0c0, 0x4b004b4b, 0xb700b7b7, 0xa500a5a5,
223         0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
224         0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646,
225         0xcf00cfcf, 0x37003737, 0x5e005e5e, 0x47004747,
226         0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
227         0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac,
228         0x3c003c3c, 0x4c004c4c, 0x03000303, 0x35003535,
229         0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
230         0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121,
231         0x44004444, 0x51005151, 0xc600c6c6, 0x7d007d7d,
232         0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
233         0x7c007c7c, 0x77007777, 0x56005656, 0x05000505,
234         0x1b001b1b, 0xa400a4a4, 0x15001515, 0x34003434,
235         0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
236         0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd,
237         0xdd00dddd, 0xe400e4e4, 0xa100a1a1, 0xe000e0e0,
238         0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
239         0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f,
240 };
241
242 static const u32 camellia_sp4404[256] = {
243         0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0,
244         0xe4e400e4, 0x57570057, 0xeaea00ea, 0xaeae00ae,
245         0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
246         0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092,
247         0x86860086, 0xafaf00af, 0x7c7c007c, 0x1f1f001f,
248         0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
249         0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d,
250         0xd9d900d9, 0x5a5a005a, 0x51510051, 0x6c6c006c,
251         0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
252         0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084,
253         0xdfdf00df, 0xcbcb00cb, 0x34340034, 0x76760076,
254         0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
255         0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011,
256         0x32320032, 0x9c9c009c, 0x53530053, 0xf2f200f2,
257         0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
258         0x24240024, 0xe8e800e8, 0x60600060, 0x69690069,
259         0xaaaa00aa, 0xa0a000a0, 0xa1a100a1, 0x62620062,
260         0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
261         0x10100010, 0x00000000, 0xa3a300a3, 0x75750075,
262         0x8a8a008a, 0xe6e600e6, 0x09090009, 0xdddd00dd,
263         0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
264         0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf,
265         0x52520052, 0xd8d800d8, 0xc8c800c8, 0xc6c600c6,
266         0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
267         0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc,
268         0x29290029, 0xf9f900f9, 0x2f2f002f, 0xb4b400b4,
269         0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
270         0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d,
271         0x72720072, 0xb9b900b9, 0xf8f800f8, 0xacac00ac,
272         0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
273         0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043,
274         0x15150015, 0xadad00ad, 0x77770077, 0x80800080,
275         0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
276         0x85850085, 0x35350035, 0x0c0c000c, 0x41410041,
277         0xefef00ef, 0x93930093, 0x19190019, 0x21210021,
278         0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
279         0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce,
280         0x30300030, 0x5f5f005f, 0xc5c500c5, 0x1a1a001a,
281         0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
282         0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d,
283         0x0d0d000d, 0x66660066, 0xcccc00cc, 0x2d2d002d,
284         0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
285         0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005,
286         0xb7b700b7, 0x31310031, 0x17170017, 0xd7d700d7,
287         0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
288         0x0f0f000f, 0x16160016, 0x18180018, 0x22220022,
289         0x44440044, 0xb2b200b2, 0xb5b500b5, 0x91910091,
290         0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
291         0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097,
292         0x5b5b005b, 0x95950095, 0xffff00ff, 0xd2d200d2,
293         0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
294         0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094,
295         0x5c5c005c, 0x02020002, 0x4a4a004a, 0x33330033,
296         0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
297         0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b,
298         0x96960096, 0x4b4b004b, 0xbebe00be, 0x2e2e002e,
299         0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
300         0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059,
301         0x98980098, 0x6a6a006a, 0x46460046, 0xbaba00ba,
302         0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
303         0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a,
304         0x49490049, 0x68680068, 0x38380038, 0xa4a400a4,
305         0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
306         0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e,
307 };
308
309
310 #define CAMELLIA_MIN_KEY_SIZE        16
311 #define CAMELLIA_MAX_KEY_SIZE        32
312 #define CAMELLIA_BLOCK_SIZE          16
313 #define CAMELLIA_TABLE_BYTE_LEN     272
314
315 /*
316  * NB: L and R below stand for 'left' and 'right' as in written numbers.
317  * That is, in (xxxL,xxxR) pair xxxL holds most significant digits,
318  * _not_ least significant ones!
319  */
320
321
322 /* key constants */
323
324 #define CAMELLIA_SIGMA1L (0xA09E667FL)
325 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
326 #define CAMELLIA_SIGMA2L (0xB67AE858L)
327 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
328 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
329 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
330 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
331 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
332 #define CAMELLIA_SIGMA5L (0x10E527FAL)
333 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
334 #define CAMELLIA_SIGMA6L (0xB05688C2L)
335 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
336
337 /*
338  *  macros
339  */
340 #define ROLDQ(ll, lr, rl, rr, w0, w1, bits)             \
341     do {                                                \
342         w0 = ll;                                        \
343         ll = (ll << bits) + (lr >> (32 - bits));        \
344         lr = (lr << bits) + (rl >> (32 - bits));        \
345         rl = (rl << bits) + (rr >> (32 - bits));        \
346         rr = (rr << bits) + (w0 >> (32 - bits));        \
347     } while (0)
348
349 #define ROLDQo32(ll, lr, rl, rr, w0, w1, bits)          \
350     do {                                                \
351         w0 = ll;                                        \
352         w1 = lr;                                        \
353         ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
354         lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
355         rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
356         rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
357     } while (0)
358
359 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)      \
360     do {                                                        \
361         il = xl ^ kl;                                           \
362         ir = xr ^ kr;                                           \
363         t0 = il >> 16;                                          \
364         t1 = ir >> 16;                                          \
365         yl = camellia_sp1110[(u8)(ir     )]                     \
366            ^ camellia_sp0222[    (t1 >> 8)]                     \
367            ^ camellia_sp3033[(u8)(t1     )]                     \
368            ^ camellia_sp4404[(u8)(ir >> 8)];                    \
369         yr = camellia_sp1110[    (t0 >> 8)]                     \
370            ^ camellia_sp0222[(u8)(t0     )]                     \
371            ^ camellia_sp3033[(u8)(il >> 8)]                     \
372            ^ camellia_sp4404[(u8)(il     )];                    \
373         yl ^= yr;                                               \
374         yr = ror32(yr, 8);                                      \
375         yr ^= yl;                                               \
376     } while (0)
377
378 #define SUBKEY_L(INDEX) (subkey[(INDEX)*2])
379 #define SUBKEY_R(INDEX) (subkey[(INDEX)*2 + 1])
380
381 static void camellia_setup_tail(u32 *subkey, u32 *subL, u32 *subR, int max)
382 {
383         u32 dw, tl, tr;
384         u32 kw4l, kw4r;
385         int i;
386
387         /* absorb kw2 to other subkeys */
388         /* round 2 */
389         subL[3] ^= subL[1]; subR[3] ^= subR[1];
390         /* round 4 */
391         subL[5] ^= subL[1]; subR[5] ^= subR[1];
392         /* round 6 */
393         subL[7] ^= subL[1]; subR[7] ^= subR[1];
394         subL[1] ^= subR[1] & ~subR[9];
395         dw = subL[1] & subL[9],
396                 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl2) */
397         /* round 8 */
398         subL[11] ^= subL[1]; subR[11] ^= subR[1];
399         /* round 10 */
400         subL[13] ^= subL[1]; subR[13] ^= subR[1];
401         /* round 12 */
402         subL[15] ^= subL[1]; subR[15] ^= subR[1];
403         subL[1] ^= subR[1] & ~subR[17];
404         dw = subL[1] & subL[17],
405                 subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl4) */
406         /* round 14 */
407         subL[19] ^= subL[1]; subR[19] ^= subR[1];
408         /* round 16 */
409         subL[21] ^= subL[1]; subR[21] ^= subR[1];
410         /* round 18 */
411         subL[23] ^= subL[1]; subR[23] ^= subR[1];
412         if (max == 24) {
413                 /* kw3 */
414                 subL[24] ^= subL[1]; subR[24] ^= subR[1];
415
416         /* absorb kw4 to other subkeys */
417                 kw4l = subL[25]; kw4r = subR[25];
418         } else {
419                 subL[1] ^= subR[1] & ~subR[25];
420                 dw = subL[1] & subL[25],
421                         subR[1] ^= rol32(dw, 1); /* modified for FLinv(kl6) */
422                 /* round 20 */
423                 subL[27] ^= subL[1]; subR[27] ^= subR[1];
424                 /* round 22 */
425                 subL[29] ^= subL[1]; subR[29] ^= subR[1];
426                 /* round 24 */
427                 subL[31] ^= subL[1]; subR[31] ^= subR[1];
428                 /* kw3 */
429                 subL[32] ^= subL[1]; subR[32] ^= subR[1];
430
431         /* absorb kw4 to other subkeys */
432                 kw4l = subL[33]; kw4r = subR[33];
433                 /* round 23 */
434                 subL[30] ^= kw4l; subR[30] ^= kw4r;
435                 /* round 21 */
436                 subL[28] ^= kw4l; subR[28] ^= kw4r;
437                 /* round 19 */
438                 subL[26] ^= kw4l; subR[26] ^= kw4r;
439                 kw4l ^= kw4r & ~subR[24];
440                 dw = kw4l & subL[24],
441                         kw4r ^= rol32(dw, 1); /* modified for FL(kl5) */
442         }
443         /* round 17 */
444         subL[22] ^= kw4l; subR[22] ^= kw4r;
445         /* round 15 */
446         subL[20] ^= kw4l; subR[20] ^= kw4r;
447         /* round 13 */
448         subL[18] ^= kw4l; subR[18] ^= kw4r;
449         kw4l ^= kw4r & ~subR[16];
450         dw = kw4l & subL[16],
451                 kw4r ^= rol32(dw, 1); /* modified for FL(kl3) */
452         /* round 11 */
453         subL[14] ^= kw4l; subR[14] ^= kw4r;
454         /* round 9 */
455         subL[12] ^= kw4l; subR[12] ^= kw4r;
456         /* round 7 */
457         subL[10] ^= kw4l; subR[10] ^= kw4r;
458         kw4l ^= kw4r & ~subR[8];
459         dw = kw4l & subL[8],
460                 kw4r ^= rol32(dw, 1); /* modified for FL(kl1) */
461         /* round 5 */
462         subL[6] ^= kw4l; subR[6] ^= kw4r;
463         /* round 3 */
464         subL[4] ^= kw4l; subR[4] ^= kw4r;
465         /* round 1 */
466         subL[2] ^= kw4l; subR[2] ^= kw4r;
467         /* kw1 */
468         subL[0] ^= kw4l; subR[0] ^= kw4r;
469
470         /* key XOR is end of F-function */
471         SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
472         SUBKEY_R(0) = subR[0] ^ subR[2];
473         SUBKEY_L(2) = subL[3];       /* round 1 */
474         SUBKEY_R(2) = subR[3];
475         SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
476         SUBKEY_R(3) = subR[2] ^ subR[4];
477         SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
478         SUBKEY_R(4) = subR[3] ^ subR[5];
479         SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
480         SUBKEY_R(5) = subR[4] ^ subR[6];
481         SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
482         SUBKEY_R(6) = subR[5] ^ subR[7];
483         tl = subL[10] ^ (subR[10] & ~subR[8]);
484         dw = tl & subL[8],  /* FL(kl1) */
485                 tr = subR[10] ^ rol32(dw, 1);
486         SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
487         SUBKEY_R(7) = subR[6] ^ tr;
488         SUBKEY_L(8) = subL[8];       /* FL(kl1) */
489         SUBKEY_R(8) = subR[8];
490         SUBKEY_L(9) = subL[9];       /* FLinv(kl2) */
491         SUBKEY_R(9) = subR[9];
492         tl = subL[7] ^ (subR[7] & ~subR[9]);
493         dw = tl & subL[9],  /* FLinv(kl2) */
494                 tr = subR[7] ^ rol32(dw, 1);
495         SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
496         SUBKEY_R(10) = tr ^ subR[11];
497         SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
498         SUBKEY_R(11) = subR[10] ^ subR[12];
499         SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
500         SUBKEY_R(12) = subR[11] ^ subR[13];
501         SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
502         SUBKEY_R(13) = subR[12] ^ subR[14];
503         SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
504         SUBKEY_R(14) = subR[13] ^ subR[15];
505         tl = subL[18] ^ (subR[18] & ~subR[16]);
506         dw = tl & subL[16], /* FL(kl3) */
507                 tr = subR[18] ^ rol32(dw, 1);
508         SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
509         SUBKEY_R(15) = subR[14] ^ tr;
510         SUBKEY_L(16) = subL[16];     /* FL(kl3) */
511         SUBKEY_R(16) = subR[16];
512         SUBKEY_L(17) = subL[17];     /* FLinv(kl4) */
513         SUBKEY_R(17) = subR[17];
514         tl = subL[15] ^ (subR[15] & ~subR[17]);
515         dw = tl & subL[17], /* FLinv(kl4) */
516                 tr = subR[15] ^ rol32(dw, 1);
517         SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
518         SUBKEY_R(18) = tr ^ subR[19];
519         SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
520         SUBKEY_R(19) = subR[18] ^ subR[20];
521         SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
522         SUBKEY_R(20) = subR[19] ^ subR[21];
523         SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
524         SUBKEY_R(21) = subR[20] ^ subR[22];
525         SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
526         SUBKEY_R(22) = subR[21] ^ subR[23];
527         if (max == 24) {
528                 SUBKEY_L(23) = subL[22];     /* round 18 */
529                 SUBKEY_R(23) = subR[22];
530                 SUBKEY_L(24) = subL[24] ^ subL[23]; /* kw3 */
531                 SUBKEY_R(24) = subR[24] ^ subR[23];
532         } else {
533                 tl = subL[26] ^ (subR[26] & ~subR[24]);
534                 dw = tl & subL[24], /* FL(kl5) */
535                         tr = subR[26] ^ rol32(dw, 1);
536                 SUBKEY_L(23) = subL[22] ^ tl; /* round 18 */
537                 SUBKEY_R(23) = subR[22] ^ tr;
538                 SUBKEY_L(24) = subL[24];     /* FL(kl5) */
539                 SUBKEY_R(24) = subR[24];
540                 SUBKEY_L(25) = subL[25];     /* FLinv(kl6) */
541                 SUBKEY_R(25) = subR[25];
542                 tl = subL[23] ^ (subR[23] & ~subR[25]);
543                 dw = tl & subL[25], /* FLinv(kl6) */
544                         tr = subR[23] ^ rol32(dw, 1);
545                 SUBKEY_L(26) = tl ^ subL[27]; /* round 19 */
546                 SUBKEY_R(26) = tr ^ subR[27];
547                 SUBKEY_L(27) = subL[26] ^ subL[28]; /* round 20 */
548                 SUBKEY_R(27) = subR[26] ^ subR[28];
549                 SUBKEY_L(28) = subL[27] ^ subL[29]; /* round 21 */
550                 SUBKEY_R(28) = subR[27] ^ subR[29];
551                 SUBKEY_L(29) = subL[28] ^ subL[30]; /* round 22 */
552                 SUBKEY_R(29) = subR[28] ^ subR[30];
553                 SUBKEY_L(30) = subL[29] ^ subL[31]; /* round 23 */
554                 SUBKEY_R(30) = subR[29] ^ subR[31];
555                 SUBKEY_L(31) = subL[30];     /* round 24 */
556                 SUBKEY_R(31) = subR[30];
557                 SUBKEY_L(32) = subL[32] ^ subL[31]; /* kw3 */
558                 SUBKEY_R(32) = subR[32] ^ subR[31];
559         }
560
561         /* apply the inverse of the last half of P-function */
562         i = 2;
563         do {
564                 dw = SUBKEY_L(i + 0) ^ SUBKEY_R(i + 0); dw = rol32(dw, 8);/* round 1 */
565                 SUBKEY_R(i + 0) = SUBKEY_L(i + 0) ^ dw; SUBKEY_L(i + 0) = dw;
566                 dw = SUBKEY_L(i + 1) ^ SUBKEY_R(i + 1); dw = rol32(dw, 8);/* round 2 */
567                 SUBKEY_R(i + 1) = SUBKEY_L(i + 1) ^ dw; SUBKEY_L(i + 1) = dw;
568                 dw = SUBKEY_L(i + 2) ^ SUBKEY_R(i + 2); dw = rol32(dw, 8);/* round 3 */
569                 SUBKEY_R(i + 2) = SUBKEY_L(i + 2) ^ dw; SUBKEY_L(i + 2) = dw;
570                 dw = SUBKEY_L(i + 3) ^ SUBKEY_R(i + 3); dw = rol32(dw, 8);/* round 4 */
571                 SUBKEY_R(i + 3) = SUBKEY_L(i + 3) ^ dw; SUBKEY_L(i + 3) = dw;
572                 dw = SUBKEY_L(i + 4) ^ SUBKEY_R(i + 4); dw = rol32(dw, 8);/* round 5 */
573                 SUBKEY_R(i + 4) = SUBKEY_L(i + 4) ^ dw; SUBKEY_L(i + 4) = dw;
574                 dw = SUBKEY_L(i + 5) ^ SUBKEY_R(i + 5); dw = rol32(dw, 8);/* round 6 */
575                 SUBKEY_R(i + 5) = SUBKEY_L(i + 5) ^ dw; SUBKEY_L(i + 5) = dw;
576                 i += 8;
577         } while (i < max);
578 }
579
580 static void camellia_setup128(const unsigned char *key, u32 *subkey)
581 {
582         u32 kll, klr, krl, krr;
583         u32 il, ir, t0, t1, w0, w1;
584         u32 subL[26];
585         u32 subR[26];
586
587         /**
588          *  k == kll || klr || krl || krr (|| is concatenation)
589          */
590         kll = get_unaligned_be32(key);
591         klr = get_unaligned_be32(key + 4);
592         krl = get_unaligned_be32(key + 8);
593         krr = get_unaligned_be32(key + 12);
594
595         /* generate KL dependent subkeys */
596         /* kw1 */
597         subL[0] = kll; subR[0] = klr;
598         /* kw2 */
599         subL[1] = krl; subR[1] = krr;
600         /* rotation left shift 15bit */
601         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
602         /* k3 */
603         subL[4] = kll; subR[4] = klr;
604         /* k4 */
605         subL[5] = krl; subR[5] = krr;
606         /* rotation left shift 15+30bit */
607         ROLDQ(kll, klr, krl, krr, w0, w1, 30);
608         /* k7 */
609         subL[10] = kll; subR[10] = klr;
610         /* k8 */
611         subL[11] = krl; subR[11] = krr;
612         /* rotation left shift 15+30+15bit */
613         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
614         /* k10 */
615         subL[13] = krl; subR[13] = krr;
616         /* rotation left shift 15+30+15+17 bit */
617         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
618         /* kl3 */
619         subL[16] = kll; subR[16] = klr;
620         /* kl4 */
621         subL[17] = krl; subR[17] = krr;
622         /* rotation left shift 15+30+15+17+17 bit */
623         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
624         /* k13 */
625         subL[18] = kll; subR[18] = klr;
626         /* k14 */
627         subL[19] = krl; subR[19] = krr;
628         /* rotation left shift 15+30+15+17+17+17 bit */
629         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
630         /* k17 */
631         subL[22] = kll; subR[22] = klr;
632         /* k18 */
633         subL[23] = krl; subR[23] = krr;
634
635         /* generate KA */
636         kll = subL[0]; klr = subR[0];
637         krl = subL[1]; krr = subR[1];
638         CAMELLIA_F(kll, klr,
639                    CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
640                    w0, w1, il, ir, t0, t1);
641         krl ^= w0; krr ^= w1;
642         CAMELLIA_F(krl, krr,
643                    CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
644                    kll, klr, il, ir, t0, t1);
645         /* current status == (kll, klr, w0, w1) */
646         CAMELLIA_F(kll, klr,
647                    CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
648                    krl, krr, il, ir, t0, t1);
649         krl ^= w0; krr ^= w1;
650         CAMELLIA_F(krl, krr,
651                    CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
652                    w0, w1, il, ir, t0, t1);
653         kll ^= w0; klr ^= w1;
654
655         /* generate KA dependent subkeys */
656         /* k1, k2 */
657         subL[2] = kll; subR[2] = klr;
658         subL[3] = krl; subR[3] = krr;
659         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
660         /* k5,k6 */
661         subL[6] = kll; subR[6] = klr;
662         subL[7] = krl; subR[7] = krr;
663         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
664         /* kl1, kl2 */
665         subL[8] = kll; subR[8] = klr;
666         subL[9] = krl; subR[9] = krr;
667         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
668         /* k9 */
669         subL[12] = kll; subR[12] = klr;
670         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
671         /* k11, k12 */
672         subL[14] = kll; subR[14] = klr;
673         subL[15] = krl; subR[15] = krr;
674         ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
675         /* k15, k16 */
676         subL[20] = kll; subR[20] = klr;
677         subL[21] = krl; subR[21] = krr;
678         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
679         /* kw3, kw4 */
680         subL[24] = kll; subR[24] = klr;
681         subL[25] = krl; subR[25] = krr;
682
683         camellia_setup_tail(subkey, subL, subR, 24);
684 }
685
686 static void camellia_setup256(const unsigned char *key, u32 *subkey)
687 {
688         u32 kll, klr, krl, krr;        /* left half of key */
689         u32 krll, krlr, krrl, krrr;    /* right half of key */
690         u32 il, ir, t0, t1, w0, w1;    /* temporary variables */
691         u32 subL[34];
692         u32 subR[34];
693
694         /**
695          *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
696          *  (|| is concatenation)
697          */
698         kll = get_unaligned_be32(key);
699         klr = get_unaligned_be32(key + 4);
700         krl = get_unaligned_be32(key + 8);
701         krr = get_unaligned_be32(key + 12);
702         krll = get_unaligned_be32(key + 16);
703         krlr = get_unaligned_be32(key + 20);
704         krrl = get_unaligned_be32(key + 24);
705         krrr = get_unaligned_be32(key + 28);
706
707         /* generate KL dependent subkeys */
708         /* kw1 */
709         subL[0] = kll; subR[0] = klr;
710         /* kw2 */
711         subL[1] = krl; subR[1] = krr;
712         ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
713         /* k9 */
714         subL[12] = kll; subR[12] = klr;
715         /* k10 */
716         subL[13] = krl; subR[13] = krr;
717         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
718         /* kl3 */
719         subL[16] = kll; subR[16] = klr;
720         /* kl4 */
721         subL[17] = krl; subR[17] = krr;
722         ROLDQ(kll, klr, krl, krr, w0, w1, 17);
723         /* k17 */
724         subL[22] = kll; subR[22] = klr;
725         /* k18 */
726         subL[23] = krl; subR[23] = krr;
727         ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
728         /* k23 */
729         subL[30] = kll; subR[30] = klr;
730         /* k24 */
731         subL[31] = krl; subR[31] = krr;
732
733         /* generate KR dependent subkeys */
734         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
735         /* k3 */
736         subL[4] = krll; subR[4] = krlr;
737         /* k4 */
738         subL[5] = krrl; subR[5] = krrr;
739         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
740         /* kl1 */
741         subL[8] = krll; subR[8] = krlr;
742         /* kl2 */
743         subL[9] = krrl; subR[9] = krrr;
744         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
745         /* k13 */
746         subL[18] = krll; subR[18] = krlr;
747         /* k14 */
748         subL[19] = krrl; subR[19] = krrr;
749         ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
750         /* k19 */
751         subL[26] = krll; subR[26] = krlr;
752         /* k20 */
753         subL[27] = krrl; subR[27] = krrr;
754         ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
755
756         /* generate KA */
757         kll = subL[0] ^ krll; klr = subR[0] ^ krlr;
758         krl = subL[1] ^ krrl; krr = subR[1] ^ krrr;
759         CAMELLIA_F(kll, klr,
760                    CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
761                    w0, w1, il, ir, t0, t1);
762         krl ^= w0; krr ^= w1;
763         CAMELLIA_F(krl, krr,
764                    CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
765                    kll, klr, il, ir, t0, t1);
766         kll ^= krll; klr ^= krlr;
767         CAMELLIA_F(kll, klr,
768                    CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
769                    krl, krr, il, ir, t0, t1);
770         krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
771         CAMELLIA_F(krl, krr,
772                    CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
773                    w0, w1, il, ir, t0, t1);
774         kll ^= w0; klr ^= w1;
775
776         /* generate KB */
777         krll ^= kll; krlr ^= klr;
778         krrl ^= krl; krrr ^= krr;
779         CAMELLIA_F(krll, krlr,
780                    CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
781                    w0, w1, il, ir, t0, t1);
782         krrl ^= w0; krrr ^= w1;
783         CAMELLIA_F(krrl, krrr,
784                    CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
785                    w0, w1, il, ir, t0, t1);
786         krll ^= w0; krlr ^= w1;
787
788         /* generate KA dependent subkeys */
789         ROLDQ(kll, klr, krl, krr, w0, w1, 15);
790         /* k5 */
791         subL[6] = kll; subR[6] = klr;
792         /* k6 */
793         subL[7] = krl; subR[7] = krr;
794         ROLDQ(kll, klr, krl, krr, w0, w1, 30);
795         /* k11 */
796         subL[14] = kll; subR[14] = klr;
797         /* k12 */
798         subL[15] = krl; subR[15] = krr;
799         /* rotation left shift 32bit */
800         /* kl5 */
801         subL[24] = klr; subR[24] = krl;
802         /* kl6 */
803         subL[25] = krr; subR[25] = kll;
804         /* rotation left shift 49 from k11,k12 -> k21,k22 */
805         ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
806         /* k21 */
807         subL[28] = kll; subR[28] = klr;
808         /* k22 */
809         subL[29] = krl; subR[29] = krr;
810
811         /* generate KB dependent subkeys */
812         /* k1 */
813         subL[2] = krll; subR[2] = krlr;
814         /* k2 */
815         subL[3] = krrl; subR[3] = krrr;
816         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
817         /* k7 */
818         subL[10] = krll; subR[10] = krlr;
819         /* k8 */
820         subL[11] = krrl; subR[11] = krrr;
821         ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
822         /* k15 */
823         subL[20] = krll; subR[20] = krlr;
824         /* k16 */
825         subL[21] = krrl; subR[21] = krrr;
826         ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
827         /* kw3 */
828         subL[32] = krll; subR[32] = krlr;
829         /* kw4 */
830         subL[33] = krrl; subR[33] = krrr;
831
832         camellia_setup_tail(subkey, subL, subR, 32);
833 }
834
835 static void camellia_setup192(const unsigned char *key, u32 *subkey)
836 {
837         unsigned char kk[32];
838         u32 krll, krlr, krrl, krrr;
839
840         memcpy(kk, key, 24);
841         memcpy((unsigned char *)&krll, key+16, 4);
842         memcpy((unsigned char *)&krlr, key+20, 4);
843         krrl = ~krll;
844         krrr = ~krlr;
845         memcpy(kk+24, (unsigned char *)&krrl, 4);
846         memcpy(kk+28, (unsigned char *)&krrr, 4);
847         camellia_setup256(kk, subkey);
848 }
849
850
851 /*
852  * Encrypt/decrypt
853  */
854 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
855     do {                                                                \
856         t0 = kll;                                                       \
857         t2 = krr;                                                       \
858         t0 &= ll;                                                       \
859         t2 |= rr;                                                       \
860         rl ^= t2;                                                       \
861         lr ^= rol32(t0, 1);                                             \
862         t3 = krl;                                                       \
863         t1 = klr;                                                       \
864         t3 &= rl;                                                       \
865         t1 |= lr;                                                       \
866         ll ^= t1;                                                       \
867         rr ^= rol32(t3, 1);                                             \
868     } while (0)
869
870 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir)                \
871     do {                                                                \
872         ir =  camellia_sp1110[(u8)xr];                                  \
873         il =  camellia_sp1110[    (xl >> 24)];                          \
874         ir ^= camellia_sp0222[    (xr >> 24)];                          \
875         il ^= camellia_sp0222[(u8)(xl >> 16)];                          \
876         ir ^= camellia_sp3033[(u8)(xr >> 16)];                          \
877         il ^= camellia_sp3033[(u8)(xl >> 8)];                           \
878         ir ^= camellia_sp4404[(u8)(xr >> 8)];                           \
879         il ^= camellia_sp4404[(u8)xl];                                  \
880         il ^= kl;                                                       \
881         ir ^= il ^ kr;                                                  \
882         yl ^= ir;                                                       \
883         yr ^= ror32(il, 8) ^ ir;                                                \
884     } while (0)
885
886 /* max = 24: 128bit encrypt, max = 32: 256bit encrypt */
887 static void camellia_do_encrypt(const u32 *subkey, u32 *io, unsigned max)
888 {
889         u32 il, ir, t0, t1;            /* temporary variables */
890
891         /* pre whitening but absorb kw2 */
892         io[0] ^= SUBKEY_L(0);
893         io[1] ^= SUBKEY_R(0);
894
895         /* main iteration */
896 #define ROUNDS(i) do { \
897         CAMELLIA_ROUNDSM(io[0], io[1], \
898                          SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
899                          io[2], io[3], il, ir); \
900         CAMELLIA_ROUNDSM(io[2], io[3], \
901                          SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
902                          io[0], io[1], il, ir); \
903         CAMELLIA_ROUNDSM(io[0], io[1], \
904                          SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
905                          io[2], io[3], il, ir); \
906         CAMELLIA_ROUNDSM(io[2], io[3], \
907                          SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
908                          io[0], io[1], il, ir); \
909         CAMELLIA_ROUNDSM(io[0], io[1], \
910                          SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
911                          io[2], io[3], il, ir); \
912         CAMELLIA_ROUNDSM(io[2], io[3], \
913                          SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
914                          io[0], io[1], il, ir); \
915 } while (0)
916 #define FLS(i) do { \
917         CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
918                      SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
919                      SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
920                      t0, t1, il, ir); \
921 } while (0)
922
923         ROUNDS(0);
924         FLS(8);
925         ROUNDS(8);
926         FLS(16);
927         ROUNDS(16);
928         if (max == 32) {
929                 FLS(24);
930                 ROUNDS(24);
931         }
932
933 #undef ROUNDS
934 #undef FLS
935
936         /* post whitening but kw4 */
937         io[2] ^= SUBKEY_L(max);
938         io[3] ^= SUBKEY_R(max);
939         /* NB: io[0],[1] should be swapped with [2],[3] by caller! */
940 }
941
942 static void camellia_do_decrypt(const u32 *subkey, u32 *io, unsigned i)
943 {
944         u32 il, ir, t0, t1;            /* temporary variables */
945
946         /* pre whitening but absorb kw2 */
947         io[0] ^= SUBKEY_L(i);
948         io[1] ^= SUBKEY_R(i);
949
950         /* main iteration */
951 #define ROUNDS(i) do { \
952         CAMELLIA_ROUNDSM(io[0], io[1], \
953                          SUBKEY_L(i + 7), SUBKEY_R(i + 7), \
954                          io[2], io[3], il, ir); \
955         CAMELLIA_ROUNDSM(io[2], io[3], \
956                          SUBKEY_L(i + 6), SUBKEY_R(i + 6), \
957                          io[0], io[1], il, ir); \
958         CAMELLIA_ROUNDSM(io[0], io[1], \
959                          SUBKEY_L(i + 5), SUBKEY_R(i + 5), \
960                          io[2], io[3], il, ir); \
961         CAMELLIA_ROUNDSM(io[2], io[3], \
962                          SUBKEY_L(i + 4), SUBKEY_R(i + 4), \
963                          io[0], io[1], il, ir); \
964         CAMELLIA_ROUNDSM(io[0], io[1], \
965                          SUBKEY_L(i + 3), SUBKEY_R(i + 3), \
966                          io[2], io[3], il, ir); \
967         CAMELLIA_ROUNDSM(io[2], io[3], \
968                          SUBKEY_L(i + 2), SUBKEY_R(i + 2), \
969                          io[0], io[1], il, ir); \
970 } while (0)
971 #define FLS(i) do { \
972         CAMELLIA_FLS(io[0], io[1], io[2], io[3], \
973                      SUBKEY_L(i + 1), SUBKEY_R(i + 1), \
974                      SUBKEY_L(i + 0), SUBKEY_R(i + 0), \
975                      t0, t1, il, ir); \
976 } while (0)
977
978         if (i == 32) {
979                 ROUNDS(24);
980                 FLS(24);
981         }
982         ROUNDS(16);
983         FLS(16);
984         ROUNDS(8);
985         FLS(8);
986         ROUNDS(0);
987
988 #undef ROUNDS
989 #undef FLS
990
991         /* post whitening but kw4 */
992         io[2] ^= SUBKEY_L(0);
993         io[3] ^= SUBKEY_R(0);
994         /* NB: 0,1 should be swapped with 2,3 by caller! */
995 }
996
997
998 struct camellia_ctx {
999         int key_length;
1000         u32 key_table[CAMELLIA_TABLE_BYTE_LEN / sizeof(u32)];
1001 };
1002
1003 static int
1004 camellia_set_key(struct crypto_tfm *tfm, const u8 *in_key,
1005                  unsigned int key_len)
1006 {
1007         struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1008         const unsigned char *key = (const unsigned char *)in_key;
1009         u32 *flags = &tfm->crt_flags;
1010
1011         if (key_len != 16 && key_len != 24 && key_len != 32) {
1012                 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
1013                 return -EINVAL;
1014         }
1015
1016         cctx->key_length = key_len;
1017
1018         switch (key_len) {
1019         case 16:
1020                 camellia_setup128(key, cctx->key_table);
1021                 break;
1022         case 24:
1023                 camellia_setup192(key, cctx->key_table);
1024                 break;
1025         case 32:
1026                 camellia_setup256(key, cctx->key_table);
1027                 break;
1028         }
1029
1030         return 0;
1031 }
1032
1033 static void camellia_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1034 {
1035         const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1036         const __be32 *src = (const __be32 *)in;
1037         __be32 *dst = (__be32 *)out;
1038
1039         u32 tmp[4];
1040
1041         tmp[0] = be32_to_cpu(src[0]);
1042         tmp[1] = be32_to_cpu(src[1]);
1043         tmp[2] = be32_to_cpu(src[2]);
1044         tmp[3] = be32_to_cpu(src[3]);
1045
1046         camellia_do_encrypt(cctx->key_table, tmp,
1047                 cctx->key_length == 16 ? 24 : 32 /* for key lengths of 24 and 32 */
1048         );
1049
1050         /* do_encrypt returns 0,1 swapped with 2,3 */
1051         dst[0] = cpu_to_be32(tmp[2]);
1052         dst[1] = cpu_to_be32(tmp[3]);
1053         dst[2] = cpu_to_be32(tmp[0]);
1054         dst[3] = cpu_to_be32(tmp[1]);
1055 }
1056
1057 static void camellia_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1058 {
1059         const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1060         const __be32 *src = (const __be32 *)in;
1061         __be32 *dst = (__be32 *)out;
1062
1063         u32 tmp[4];
1064
1065         tmp[0] = be32_to_cpu(src[0]);
1066         tmp[1] = be32_to_cpu(src[1]);
1067         tmp[2] = be32_to_cpu(src[2]);
1068         tmp[3] = be32_to_cpu(src[3]);
1069
1070         camellia_do_decrypt(cctx->key_table, tmp,
1071                 cctx->key_length == 16 ? 24 : 32 /* for key lengths of 24 and 32 */
1072         );
1073
1074         /* do_decrypt returns 0,1 swapped with 2,3 */
1075         dst[0] = cpu_to_be32(tmp[2]);
1076         dst[1] = cpu_to_be32(tmp[3]);
1077         dst[2] = cpu_to_be32(tmp[0]);
1078         dst[3] = cpu_to_be32(tmp[1]);
1079 }
1080
1081 static struct crypto_alg camellia_alg = {
1082         .cra_name               =       "camellia",
1083         .cra_driver_name        =       "camellia-generic",
1084         .cra_priority           =       100,
1085         .cra_flags              =       CRYPTO_ALG_TYPE_CIPHER,
1086         .cra_blocksize          =       CAMELLIA_BLOCK_SIZE,
1087         .cra_ctxsize            =       sizeof(struct camellia_ctx),
1088         .cra_alignmask          =       3,
1089         .cra_module             =       THIS_MODULE,
1090         .cra_list               =       LIST_HEAD_INIT(camellia_alg.cra_list),
1091         .cra_u                  =       {
1092                 .cipher = {
1093                         .cia_min_keysize        =       CAMELLIA_MIN_KEY_SIZE,
1094                         .cia_max_keysize        =       CAMELLIA_MAX_KEY_SIZE,
1095                         .cia_setkey             =       camellia_set_key,
1096                         .cia_encrypt            =       camellia_encrypt,
1097                         .cia_decrypt            =       camellia_decrypt
1098                 }
1099         }
1100 };
1101
1102 static int __init camellia_init(void)
1103 {
1104         return crypto_register_alg(&camellia_alg);
1105 }
1106
1107 static void __exit camellia_fini(void)
1108 {
1109         crypto_unregister_alg(&camellia_alg);
1110 }
1111
1112 module_init(camellia_init);
1113 module_exit(camellia_fini);
1114
1115 MODULE_DESCRIPTION("Camellia Cipher Algorithm");
1116 MODULE_LICENSE("GPL");