aaae60e8bf2546394585c7fafca9071b829a60cd
[linux-3.10.git] / crypto / camellia.c
1 /*
2  * Copyright (C) 2006
3  * NTT (Nippon Telegraph and Telephone Corporation).
4  *
5  * This program is free software; you can redistribute it and/or
6  * modify it under the terms of the GNU General Public License
7  * as published by the Free Software Foundation; either version 2
8  * of the License, or (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program; if not, write to the Free Software
17  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
18  */
19
20 /*
21  * Algorithm Specification
22  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
23  */
24
25 /*
26  *
27  * NOTE --- NOTE --- NOTE --- NOTE
28  * This implementation assumes that all memory addresses passed
29  * as parameters are four-byte aligned.
30  *
31  */
32
33 #include <linux/crypto.h>
34 #include <linux/errno.h>
35 #include <linux/init.h>
36 #include <linux/kernel.h>
37 #include <linux/module.h>
38
39 static const u32 camellia_sp1110[256] = {
40         0x70707000,0x82828200,0x2c2c2c00,0xececec00,
41         0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
42         0xe4e4e400,0x85858500,0x57575700,0x35353500,
43         0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
44         0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
45         0x45454500,0x19191900,0xa5a5a500,0x21212100,
46         0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
47         0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
48         0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
49         0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
50         0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
51         0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
52         0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
53         0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
54         0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
55         0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
56         0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
57         0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
58         0x74747400,0x12121200,0x2b2b2b00,0x20202000,
59         0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
60         0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
61         0x34343400,0x7e7e7e00,0x76767600,0x05050500,
62         0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
63         0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
64         0x14141400,0x58585800,0x3a3a3a00,0x61616100,
65         0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
66         0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
67         0x53535300,0x18181800,0xf2f2f200,0x22222200,
68         0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
69         0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
70         0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
71         0x60606000,0xfcfcfc00,0x69696900,0x50505000,
72         0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
73         0xa1a1a100,0x89898900,0x62626200,0x97979700,
74         0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
75         0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
76         0x10101000,0xc4c4c400,0x00000000,0x48484800,
77         0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
78         0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
79         0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
80         0x87878700,0x5c5c5c00,0x83838300,0x02020200,
81         0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
82         0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
83         0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
84         0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
85         0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
86         0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
87         0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
88         0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
89         0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
90         0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
91         0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
92         0x78787800,0x98989800,0x06060600,0x6a6a6a00,
93         0xe7e7e700,0x46464600,0x71717100,0xbababa00,
94         0xd4d4d400,0x25252500,0xababab00,0x42424200,
95         0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
96         0x72727200,0x07070700,0xb9b9b900,0x55555500,
97         0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
98         0x36363600,0x49494900,0x2a2a2a00,0x68686800,
99         0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
100         0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
101         0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
102         0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
103         0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
104 };
105
106 static const u32 camellia_sp0222[256] = {
107         0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
108         0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
109         0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
110         0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
111         0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
112         0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
113         0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
114         0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
115         0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
116         0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
117         0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
118         0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
119         0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
120         0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
121         0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
122         0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
123         0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
124         0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
125         0x00e8e8e8,0x00242424,0x00565656,0x00404040,
126         0x00e1e1e1,0x00636363,0x00090909,0x00333333,
127         0x00bfbfbf,0x00989898,0x00979797,0x00858585,
128         0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
129         0x00dadada,0x006f6f6f,0x00535353,0x00626262,
130         0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
131         0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
132         0x00bdbdbd,0x00363636,0x00222222,0x00383838,
133         0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
134         0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
135         0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
136         0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
137         0x00484848,0x00101010,0x00d1d1d1,0x00515151,
138         0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
139         0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
140         0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
141         0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
142         0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
143         0x00202020,0x00898989,0x00000000,0x00909090,
144         0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
145         0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
146         0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
147         0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
148         0x009b9b9b,0x00949494,0x00212121,0x00666666,
149         0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
150         0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
151         0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
152         0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
153         0x00030303,0x002d2d2d,0x00dedede,0x00969696,
154         0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
155         0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
156         0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
157         0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
158         0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
159         0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
160         0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
161         0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
162         0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
163         0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
164         0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
165         0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
166         0x00787878,0x00707070,0x00e3e3e3,0x00494949,
167         0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
168         0x00777777,0x00939393,0x00868686,0x00838383,
169         0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
170         0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
171 };
172
173 static const u32 camellia_sp3033[256] = {
174         0x38003838,0x41004141,0x16001616,0x76007676,
175         0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
176         0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
177         0x75007575,0x06000606,0x57005757,0xa000a0a0,
178         0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
179         0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
180         0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
181         0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
182         0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
183         0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
184         0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
185         0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
186         0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
187         0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
188         0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
189         0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
190         0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
191         0xfd00fdfd,0x66006666,0x58005858,0x96009696,
192         0x3a003a3a,0x09000909,0x95009595,0x10001010,
193         0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
194         0xef00efef,0x26002626,0xe500e5e5,0x61006161,
195         0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
196         0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
197         0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
198         0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
199         0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
200         0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
201         0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
202         0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
203         0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
204         0x12001212,0x04000404,0x74007474,0x54005454,
205         0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
206         0x55005555,0x68006868,0x50005050,0xbe00bebe,
207         0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
208         0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
209         0x70007070,0xff00ffff,0x32003232,0x69006969,
210         0x08000808,0x62006262,0x00000000,0x24002424,
211         0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
212         0x45004545,0x81008181,0x73007373,0x6d006d6d,
213         0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
214         0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
215         0xe600e6e6,0x25002525,0x48004848,0x99009999,
216         0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
217         0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
218         0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
219         0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
220         0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
221         0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
222         0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
223         0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
224         0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
225         0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
226         0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
227         0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
228         0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
229         0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
230         0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
231         0x7c007c7c,0x77007777,0x56005656,0x05000505,
232         0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
233         0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
234         0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
235         0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
236         0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
237         0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
238 };
239
240 static const u32 camellia_sp4404[256] = {
241         0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
242         0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
243         0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
244         0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
245         0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
246         0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
247         0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
248         0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
249         0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
250         0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
251         0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
252         0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
253         0x14140014,0x3a3a003a,0xdede00de,0x11110011,
254         0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
255         0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
256         0x24240024,0xe8e800e8,0x60600060,0x69690069,
257         0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
258         0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
259         0x10100010,0x00000000,0xa3a300a3,0x75750075,
260         0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
261         0x87870087,0x83830083,0xcdcd00cd,0x90900090,
262         0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
263         0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
264         0x81810081,0x6f6f006f,0x13130013,0x63630063,
265         0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
266         0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
267         0x78780078,0x06060006,0xe7e700e7,0x71710071,
268         0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
269         0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
270         0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
271         0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
272         0x15150015,0xadad00ad,0x77770077,0x80800080,
273         0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
274         0x85850085,0x35350035,0x0c0c000c,0x41410041,
275         0xefef00ef,0x93930093,0x19190019,0x21210021,
276         0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
277         0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
278         0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
279         0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
280         0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
281         0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
282         0x12120012,0x20200020,0xb1b100b1,0x99990099,
283         0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
284         0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
285         0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
286         0x0f0f000f,0x16160016,0x18180018,0x22220022,
287         0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
288         0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
289         0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
290         0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
291         0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
292         0x03030003,0xdada00da,0x3f3f003f,0x94940094,
293         0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
294         0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
295         0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
296         0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
297         0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
298         0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
299         0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
300         0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
301         0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
302         0x49490049,0x68680068,0x38380038,0xa4a400a4,
303         0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
304         0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
305 };
306
307
308 #define CAMELLIA_MIN_KEY_SIZE        16
309 #define CAMELLIA_MAX_KEY_SIZE        32
310 #define CAMELLIA_BLOCK_SIZE          16
311 #define CAMELLIA_TABLE_BYTE_LEN     272
312
313
314 /* key constants */
315
316 #define CAMELLIA_SIGMA1L (0xA09E667FL)
317 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
318 #define CAMELLIA_SIGMA2L (0xB67AE858L)
319 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
320 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
321 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
322 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
323 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
324 #define CAMELLIA_SIGMA5L (0x10E527FAL)
325 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
326 #define CAMELLIA_SIGMA6L (0xB05688C2L)
327 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
328
329 /*
330  *  macros
331  */
332
333 # define GETU32(pt) (((u32)(pt)[0] << 24)       \
334                      ^ ((u32)(pt)[1] << 16)     \
335                      ^ ((u32)(pt)[2] <<  8)     \
336                      ^ ((u32)(pt)[3]))
337
338 /* rotation right shift 1byte */
339 #define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24))
340 /* rotation left shift 1bit */
341 #define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
342 /* rotation left shift 1byte */
343 #define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24))
344
345 #define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits)    \
346     do {                                                \
347         w0 = ll;                                        \
348         ll = (ll << bits) + (lr >> (32 - bits));        \
349         lr = (lr << bits) + (rl >> (32 - bits));        \
350         rl = (rl << bits) + (rr >> (32 - bits));        \
351         rr = (rr << bits) + (w0 >> (32 - bits));        \
352     } while(0)
353
354 #define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits) \
355     do {                                                \
356         w0 = ll;                                        \
357         w1 = lr;                                        \
358         ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
359         lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
360         rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
361         rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
362     } while(0)
363
364
365 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)      \
366     do {                                                        \
367         il = xl ^ kl;                                           \
368         ir = xr ^ kr;                                           \
369         t0 = il >> 16;                                          \
370         t1 = ir >> 16;                                          \
371         yl = camellia_sp1110[ir & 0xff]                         \
372            ^ camellia_sp0222[(t1 >> 8) & 0xff]                  \
373            ^ camellia_sp3033[t1 & 0xff]                         \
374            ^ camellia_sp4404[(ir >> 8) & 0xff];                 \
375         yr = camellia_sp1110[(t0 >> 8) & 0xff]                  \
376            ^ camellia_sp0222[t0 & 0xff]                         \
377            ^ camellia_sp3033[(il >> 8) & 0xff]                  \
378            ^ camellia_sp4404[il & 0xff];                        \
379         yl ^= yr;                                               \
380         yr = CAMELLIA_RR8(yr);                                  \
381         yr ^= yl;                                               \
382     } while(0)
383
384
385 /*
386  * for speed up
387  *
388  */
389 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
390     do {                                                                \
391         t0 = kll;                                                       \
392         t2 = krr;                                                       \
393         t0 &= ll;                                                       \
394         t2 |= rr;                                                       \
395         rl ^= t2;                                                       \
396         lr ^= CAMELLIA_RL1(t0);                                         \
397         t3 = krl;                                                       \
398         t1 = klr;                                                       \
399         t3 &= rl;                                                       \
400         t1 |= lr;                                                       \
401         ll ^= t1;                                                       \
402         rr ^= CAMELLIA_RL1(t3);                                         \
403     } while(0)
404
405 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)        \
406     do {                                                                \
407         ir =  camellia_sp1110[xr & 0xff];                               \
408         il =  camellia_sp1110[(xl>>24) & 0xff];                         \
409         ir ^= camellia_sp0222[(xr>>24) & 0xff];                         \
410         il ^= camellia_sp0222[(xl>>16) & 0xff];                         \
411         ir ^= camellia_sp3033[(xr>>16) & 0xff];                         \
412         il ^= camellia_sp3033[(xl>>8) & 0xff];                          \
413         ir ^= camellia_sp4404[(xr>>8) & 0xff];                          \
414         il ^= camellia_sp4404[xl & 0xff];                               \
415         il ^= kl;                                                       \
416         ir ^= il ^ kr;                                                  \
417         yl ^= ir;                                                       \
418         yr ^= CAMELLIA_RR8(il) ^ ir;                                    \
419     } while(0)
420
421
422 #define CAMELLIA_SUBKEY_L(INDEX) (subkey[(INDEX)*2])
423 #define CAMELLIA_SUBKEY_R(INDEX) (subkey[(INDEX)*2 + 1])
424
425 static void camellia_setup128(const unsigned char *key, u32 *subkey)
426 {
427         u32 kll, klr, krl, krr;
428         u32 il, ir, t0, t1, w0, w1;
429         u32 kw4l, kw4r, dw, tl, tr;
430         u32 subL[26];
431         u32 subR[26];
432
433         /**
434          *  k == kll || klr || krl || krr (|| is concatination)
435          */
436         kll = GETU32(key     );
437         klr = GETU32(key +  4);
438         krl = GETU32(key +  8);
439         krr = GETU32(key + 12);
440         /**
441          * generate KL dependent subkeys
442          */
443         /* kw1 */
444         subL[0] = kll; subR[0] = klr;
445         /* kw2 */
446         subL[1] = krl; subR[1] = krr;
447         /* rotation left shift 15bit */
448         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
449         /* k3 */
450         subL[4] = kll; subR[4] = klr;
451         /* k4 */
452         subL[5] = krl; subR[5] = krr;
453         /* rotation left shift 15+30bit */
454         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
455         /* k7 */
456         subL[10] = kll; subR[10] = klr;
457         /* k8 */
458         subL[11] = krl; subR[11] = krr;
459         /* rotation left shift 15+30+15bit */
460         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
461         /* k10 */
462         subL[13] = krl; subR[13] = krr;
463         /* rotation left shift 15+30+15+17 bit */
464         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
465         /* kl3 */
466         subL[16] = kll; subR[16] = klr;
467         /* kl4 */
468         subL[17] = krl; subR[17] = krr;
469         /* rotation left shift 15+30+15+17+17 bit */
470         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
471         /* k13 */
472         subL[18] = kll; subR[18] = klr;
473         /* k14 */
474         subL[19] = krl; subR[19] = krr;
475         /* rotation left shift 15+30+15+17+17+17 bit */
476         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
477         /* k17 */
478         subL[22] = kll; subR[22] = klr;
479         /* k18 */
480         subL[23] = krl; subR[23] = krr;
481
482         /* generate KA */
483         kll = subL[0]; klr = subR[0];
484         krl = subL[1]; krr = subR[1];
485         CAMELLIA_F(kll, klr,
486                    CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
487                    w0, w1, il, ir, t0, t1);
488         krl ^= w0; krr ^= w1;
489         CAMELLIA_F(krl, krr,
490                    CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
491                    kll, klr, il, ir, t0, t1);
492         /* current status == (kll, klr, w0, w1) */
493         CAMELLIA_F(kll, klr,
494                    CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
495                    krl, krr, il, ir, t0, t1);
496         krl ^= w0; krr ^= w1;
497         CAMELLIA_F(krl, krr,
498                    CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
499                    w0, w1, il, ir, t0, t1);
500         kll ^= w0; klr ^= w1;
501
502         /* generate KA dependent subkeys */
503         /* k1, k2 */
504         subL[2] = kll; subR[2] = klr;
505         subL[3] = krl; subR[3] = krr;
506         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
507         /* k5,k6 */
508         subL[6] = kll; subR[6] = klr;
509         subL[7] = krl; subR[7] = krr;
510         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
511         /* kl1, kl2 */
512         subL[8] = kll; subR[8] = klr;
513         subL[9] = krl; subR[9] = krr;
514         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
515         /* k9 */
516         subL[12] = kll; subR[12] = klr;
517         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
518         /* k11, k12 */
519         subL[14] = kll; subR[14] = klr;
520         subL[15] = krl; subR[15] = krr;
521         CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
522         /* k15, k16 */
523         subL[20] = kll; subR[20] = klr;
524         subL[21] = krl; subR[21] = krr;
525         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
526         /* kw3, kw4 */
527         subL[24] = kll; subR[24] = klr;
528         subL[25] = krl; subR[25] = krr;
529
530         /* absorb kw2 to other subkeys */
531         /* round 2 */
532         subL[3] ^= subL[1]; subR[3] ^= subR[1];
533         /* round 4 */
534         subL[5] ^= subL[1]; subR[5] ^= subR[1];
535         /* round 6 */
536         subL[7] ^= subL[1]; subR[7] ^= subR[1];
537         subL[1] ^= subR[1] & ~subR[9];
538         dw = subL[1] & subL[9],
539                 subR[1] ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl2) */
540         /* round 8 */
541         subL[11] ^= subL[1]; subR[11] ^= subR[1];
542         /* round 10 */
543         subL[13] ^= subL[1]; subR[13] ^= subR[1];
544         /* round 12 */
545         subL[15] ^= subL[1]; subR[15] ^= subR[1];
546         subL[1] ^= subR[1] & ~subR[17];
547         dw = subL[1] & subL[17],
548                 subR[1] ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl4) */
549         /* round 14 */
550         subL[19] ^= subL[1]; subR[19] ^= subR[1];
551         /* round 16 */
552         subL[21] ^= subL[1]; subR[21] ^= subR[1];
553         /* round 18 */
554         subL[23] ^= subL[1]; subR[23] ^= subR[1];
555         /* kw3 */
556         subL[24] ^= subL[1]; subR[24] ^= subR[1];
557
558         /* absorb kw4 to other subkeys */
559         kw4l = subL[25]; kw4r = subR[25];
560         /* round 17 */
561         subL[22] ^= kw4l; subR[22] ^= kw4r;
562         /* round 15 */
563         subL[20] ^= kw4l; subR[20] ^= kw4r;
564         /* round 13 */
565         subL[18] ^= kw4l; subR[18] ^= kw4r;
566         kw4l ^= kw4r & ~subR[16];
567         dw = kw4l & subL[16],
568                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl3) */
569         /* round 11 */
570         subL[14] ^= kw4l; subR[14] ^= kw4r;
571         /* round 9 */
572         subL[12] ^= kw4l; subR[12] ^= kw4r;
573         /* round 7 */
574         subL[10] ^= kw4l; subR[10] ^= kw4r;
575         kw4l ^= kw4r & ~subR[8];
576         dw = kw4l & subL[8],
577                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl1) */
578         /* round 5 */
579         subL[6] ^= kw4l; subR[6] ^= kw4r;
580         /* round 3 */
581         subL[4] ^= kw4l; subR[4] ^= kw4r;
582         /* round 1 */
583         subL[2] ^= kw4l; subR[2] ^= kw4r;
584         /* kw1 */
585         subL[0] ^= kw4l; subR[0] ^= kw4r;
586
587         /* key XOR is end of F-function */
588         CAMELLIA_SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
589         CAMELLIA_SUBKEY_R(0) = subR[0] ^ subR[2];
590         CAMELLIA_SUBKEY_L(2) = subL[3];       /* round 1 */
591         CAMELLIA_SUBKEY_R(2) = subR[3];
592         CAMELLIA_SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
593         CAMELLIA_SUBKEY_R(3) = subR[2] ^ subR[4];
594         CAMELLIA_SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
595         CAMELLIA_SUBKEY_R(4) = subR[3] ^ subR[5];
596         CAMELLIA_SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
597         CAMELLIA_SUBKEY_R(5) = subR[4] ^ subR[6];
598         CAMELLIA_SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
599         CAMELLIA_SUBKEY_R(6) = subR[5] ^ subR[7];
600         tl = subL[10] ^ (subR[10] & ~subR[8]);
601         dw = tl & subL[8],  /* FL(kl1) */
602                 tr = subR[10] ^ CAMELLIA_RL1(dw);
603         CAMELLIA_SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
604         CAMELLIA_SUBKEY_R(7) = subR[6] ^ tr;
605         CAMELLIA_SUBKEY_L(8) = subL[8];       /* FL(kl1) */
606         CAMELLIA_SUBKEY_R(8) = subR[8];
607         CAMELLIA_SUBKEY_L(9) = subL[9];       /* FLinv(kl2) */
608         CAMELLIA_SUBKEY_R(9) = subR[9];
609         tl = subL[7] ^ (subR[7] & ~subR[9]);
610         dw = tl & subL[9],  /* FLinv(kl2) */
611                 tr = subR[7] ^ CAMELLIA_RL1(dw);
612         CAMELLIA_SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
613         CAMELLIA_SUBKEY_R(10) = tr ^ subR[11];
614         CAMELLIA_SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
615         CAMELLIA_SUBKEY_R(11) = subR[10] ^ subR[12];
616         CAMELLIA_SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
617         CAMELLIA_SUBKEY_R(12) = subR[11] ^ subR[13];
618         CAMELLIA_SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
619         CAMELLIA_SUBKEY_R(13) = subR[12] ^ subR[14];
620         CAMELLIA_SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
621         CAMELLIA_SUBKEY_R(14) = subR[13] ^ subR[15];
622         tl = subL[18] ^ (subR[18] & ~subR[16]);
623         dw = tl & subL[16], /* FL(kl3) */
624                 tr = subR[18] ^ CAMELLIA_RL1(dw);
625         CAMELLIA_SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
626         CAMELLIA_SUBKEY_R(15) = subR[14] ^ tr;
627         CAMELLIA_SUBKEY_L(16) = subL[16];     /* FL(kl3) */
628         CAMELLIA_SUBKEY_R(16) = subR[16];
629         CAMELLIA_SUBKEY_L(17) = subL[17];     /* FLinv(kl4) */
630         CAMELLIA_SUBKEY_R(17) = subR[17];
631         tl = subL[15] ^ (subR[15] & ~subR[17]);
632         dw = tl & subL[17], /* FLinv(kl4) */
633                 tr = subR[15] ^ CAMELLIA_RL1(dw);
634         CAMELLIA_SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
635         CAMELLIA_SUBKEY_R(18) = tr ^ subR[19];
636         CAMELLIA_SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
637         CAMELLIA_SUBKEY_R(19) = subR[18] ^ subR[20];
638         CAMELLIA_SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
639         CAMELLIA_SUBKEY_R(20) = subR[19] ^ subR[21];
640         CAMELLIA_SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
641         CAMELLIA_SUBKEY_R(21) = subR[20] ^ subR[22];
642         CAMELLIA_SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
643         CAMELLIA_SUBKEY_R(22) = subR[21] ^ subR[23];
644         CAMELLIA_SUBKEY_L(23) = subL[22];     /* round 18 */
645         CAMELLIA_SUBKEY_R(23) = subR[22];
646         CAMELLIA_SUBKEY_L(24) = subL[24] ^ subL[23]; /* kw3 */
647         CAMELLIA_SUBKEY_R(24) = subR[24] ^ subR[23];
648
649         /* apply the inverse of the last half of P-function */
650         dw = CAMELLIA_SUBKEY_L(2) ^ CAMELLIA_SUBKEY_R(2),
651                 dw = CAMELLIA_RL8(dw);/* round 1 */
652         CAMELLIA_SUBKEY_R(2) = CAMELLIA_SUBKEY_L(2) ^ dw,
653                 CAMELLIA_SUBKEY_L(2) = dw;
654         dw = CAMELLIA_SUBKEY_L(3) ^ CAMELLIA_SUBKEY_R(3),
655                 dw = CAMELLIA_RL8(dw);/* round 2 */
656         CAMELLIA_SUBKEY_R(3) = CAMELLIA_SUBKEY_L(3) ^ dw,
657                 CAMELLIA_SUBKEY_L(3) = dw;
658         dw = CAMELLIA_SUBKEY_L(4) ^ CAMELLIA_SUBKEY_R(4),
659                 dw = CAMELLIA_RL8(dw);/* round 3 */
660         CAMELLIA_SUBKEY_R(4) = CAMELLIA_SUBKEY_L(4) ^ dw,
661                 CAMELLIA_SUBKEY_L(4) = dw;
662         dw = CAMELLIA_SUBKEY_L(5) ^ CAMELLIA_SUBKEY_R(5),
663                 dw = CAMELLIA_RL8(dw);/* round 4 */
664         CAMELLIA_SUBKEY_R(5) = CAMELLIA_SUBKEY_L(5) ^ dw,
665                 CAMELLIA_SUBKEY_L(5) = dw;
666         dw = CAMELLIA_SUBKEY_L(6) ^ CAMELLIA_SUBKEY_R(6),
667                 dw = CAMELLIA_RL8(dw);/* round 5 */
668         CAMELLIA_SUBKEY_R(6) = CAMELLIA_SUBKEY_L(6) ^ dw,
669                 CAMELLIA_SUBKEY_L(6) = dw;
670         dw = CAMELLIA_SUBKEY_L(7) ^ CAMELLIA_SUBKEY_R(7),
671                 dw = CAMELLIA_RL8(dw);/* round 6 */
672         CAMELLIA_SUBKEY_R(7) = CAMELLIA_SUBKEY_L(7) ^ dw,
673                 CAMELLIA_SUBKEY_L(7) = dw;
674         dw = CAMELLIA_SUBKEY_L(10) ^ CAMELLIA_SUBKEY_R(10),
675                 dw = CAMELLIA_RL8(dw);/* round 7 */
676         CAMELLIA_SUBKEY_R(10) = CAMELLIA_SUBKEY_L(10) ^ dw,
677                 CAMELLIA_SUBKEY_L(10) = dw;
678         dw = CAMELLIA_SUBKEY_L(11) ^ CAMELLIA_SUBKEY_R(11),
679                 dw = CAMELLIA_RL8(dw);/* round 8 */
680         CAMELLIA_SUBKEY_R(11) = CAMELLIA_SUBKEY_L(11) ^ dw,
681                 CAMELLIA_SUBKEY_L(11) = dw;
682         dw = CAMELLIA_SUBKEY_L(12) ^ CAMELLIA_SUBKEY_R(12),
683                 dw = CAMELLIA_RL8(dw);/* round 9 */
684         CAMELLIA_SUBKEY_R(12) = CAMELLIA_SUBKEY_L(12) ^ dw,
685                 CAMELLIA_SUBKEY_L(12) = dw;
686         dw = CAMELLIA_SUBKEY_L(13) ^ CAMELLIA_SUBKEY_R(13),
687                 dw = CAMELLIA_RL8(dw);/* round 10 */
688         CAMELLIA_SUBKEY_R(13) = CAMELLIA_SUBKEY_L(13) ^ dw,
689                 CAMELLIA_SUBKEY_L(13) = dw;
690         dw = CAMELLIA_SUBKEY_L(14) ^ CAMELLIA_SUBKEY_R(14),
691                 dw = CAMELLIA_RL8(dw);/* round 11 */
692         CAMELLIA_SUBKEY_R(14) = CAMELLIA_SUBKEY_L(14) ^ dw,
693                 CAMELLIA_SUBKEY_L(14) = dw;
694         dw = CAMELLIA_SUBKEY_L(15) ^ CAMELLIA_SUBKEY_R(15),
695                 dw = CAMELLIA_RL8(dw);/* round 12 */
696         CAMELLIA_SUBKEY_R(15) = CAMELLIA_SUBKEY_L(15) ^ dw,
697                 CAMELLIA_SUBKEY_L(15) = dw;
698         dw = CAMELLIA_SUBKEY_L(18) ^ CAMELLIA_SUBKEY_R(18),
699                 dw = CAMELLIA_RL8(dw);/* round 13 */
700         CAMELLIA_SUBKEY_R(18) = CAMELLIA_SUBKEY_L(18) ^ dw,
701                 CAMELLIA_SUBKEY_L(18) = dw;
702         dw = CAMELLIA_SUBKEY_L(19) ^ CAMELLIA_SUBKEY_R(19),
703                 dw = CAMELLIA_RL8(dw);/* round 14 */
704         CAMELLIA_SUBKEY_R(19) = CAMELLIA_SUBKEY_L(19) ^ dw,
705                 CAMELLIA_SUBKEY_L(19) = dw;
706         dw = CAMELLIA_SUBKEY_L(20) ^ CAMELLIA_SUBKEY_R(20),
707                 dw = CAMELLIA_RL8(dw);/* round 15 */
708         CAMELLIA_SUBKEY_R(20) = CAMELLIA_SUBKEY_L(20) ^ dw,
709                 CAMELLIA_SUBKEY_L(20) = dw;
710         dw = CAMELLIA_SUBKEY_L(21) ^ CAMELLIA_SUBKEY_R(21),
711                 dw = CAMELLIA_RL8(dw);/* round 16 */
712         CAMELLIA_SUBKEY_R(21) = CAMELLIA_SUBKEY_L(21) ^ dw,
713                 CAMELLIA_SUBKEY_L(21) = dw;
714         dw = CAMELLIA_SUBKEY_L(22) ^ CAMELLIA_SUBKEY_R(22),
715                 dw = CAMELLIA_RL8(dw);/* round 17 */
716         CAMELLIA_SUBKEY_R(22) = CAMELLIA_SUBKEY_L(22) ^ dw,
717                 CAMELLIA_SUBKEY_L(22) = dw;
718         dw = CAMELLIA_SUBKEY_L(23) ^ CAMELLIA_SUBKEY_R(23),
719                 dw = CAMELLIA_RL8(dw);/* round 18 */
720         CAMELLIA_SUBKEY_R(23) = CAMELLIA_SUBKEY_L(23) ^ dw,
721                 CAMELLIA_SUBKEY_L(23) = dw;
722 }
723
724 static void camellia_setup256(const unsigned char *key, u32 *subkey)
725 {
726         u32 kll,klr,krl,krr;           /* left half of key */
727         u32 krll,krlr,krrl,krrr;       /* right half of key */
728         u32 il, ir, t0, t1, w0, w1;    /* temporary variables */
729         u32 kw4l, kw4r, dw, tl, tr;
730         u32 subL[34];
731         u32 subR[34];
732
733         /**
734          *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
735          *  (|| is concatination)
736          */
737
738         kll  = GETU32(key     );
739         klr  = GETU32(key +  4);
740         krl  = GETU32(key +  8);
741         krr  = GETU32(key + 12);
742         krll = GETU32(key + 16);
743         krlr = GETU32(key + 20);
744         krrl = GETU32(key + 24);
745         krrr = GETU32(key + 28);
746
747         /* generate KL dependent subkeys */
748         /* kw1 */
749         subL[0] = kll; subR[0] = klr;
750         /* kw2 */
751         subL[1] = krl; subR[1] = krr;
752         CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
753         /* k9 */
754         subL[12] = kll; subR[12] = klr;
755         /* k10 */
756         subL[13] = krl; subR[13] = krr;
757         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
758         /* kl3 */
759         subL[16] = kll; subR[16] = klr;
760         /* kl4 */
761         subL[17] = krl; subR[17] = krr;
762         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
763         /* k17 */
764         subL[22] = kll; subR[22] = klr;
765         /* k18 */
766         subL[23] = krl; subR[23] = krr;
767         CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
768         /* k23 */
769         subL[30] = kll; subR[30] = klr;
770         /* k24 */
771         subL[31] = krl; subR[31] = krr;
772
773         /* generate KR dependent subkeys */
774         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
775         /* k3 */
776         subL[4] = krll; subR[4] = krlr;
777         /* k4 */
778         subL[5] = krrl; subR[5] = krrr;
779         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
780         /* kl1 */
781         subL[8] = krll; subR[8] = krlr;
782         /* kl2 */
783         subL[9] = krrl; subR[9] = krrr;
784         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
785         /* k13 */
786         subL[18] = krll; subR[18] = krlr;
787         /* k14 */
788         subL[19] = krrl; subR[19] = krrr;
789         CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
790         /* k19 */
791         subL[26] = krll; subR[26] = krlr;
792         /* k20 */
793         subL[27] = krrl; subR[27] = krrr;
794         CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
795
796         /* generate KA */
797         kll = subL[0] ^ krll; klr = subR[0] ^ krlr;
798         krl = subL[1] ^ krrl; krr = subR[1] ^ krrr;
799         CAMELLIA_F(kll, klr,
800                    CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
801                    w0, w1, il, ir, t0, t1);
802         krl ^= w0; krr ^= w1;
803         CAMELLIA_F(krl, krr,
804                    CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
805                    kll, klr, il, ir, t0, t1);
806         kll ^= krll; klr ^= krlr;
807         CAMELLIA_F(kll, klr,
808                    CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
809                    krl, krr, il, ir, t0, t1);
810         krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
811         CAMELLIA_F(krl, krr,
812                    CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
813                    w0, w1, il, ir, t0, t1);
814         kll ^= w0; klr ^= w1;
815
816         /* generate KB */
817         krll ^= kll; krlr ^= klr;
818         krrl ^= krl; krrr ^= krr;
819         CAMELLIA_F(krll, krlr,
820                    CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
821                    w0, w1, il, ir, t0, t1);
822         krrl ^= w0; krrr ^= w1;
823         CAMELLIA_F(krrl, krrr,
824                    CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
825                    w0, w1, il, ir, t0, t1);
826         krll ^= w0; krlr ^= w1;
827
828         /* generate KA dependent subkeys */
829         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
830         /* k5 */
831         subL[6] = kll; subR[6] = klr;
832         /* k6 */
833         subL[7] = krl; subR[7] = krr;
834         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
835         /* k11 */
836         subL[14] = kll; subR[14] = klr;
837         /* k12 */
838         subL[15] = krl; subR[15] = krr;
839         /* rotation left shift 32bit */
840         /* kl5 */
841         subL[24] = klr; subR[24] = krl;
842         /* kl6 */
843         subL[25] = krr; subR[25] = kll;
844         /* rotation left shift 49 from k11,k12 -> k21,k22 */
845         CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
846         /* k21 */
847         subL[28] = kll; subR[28] = klr;
848         /* k22 */
849         subL[29] = krl; subR[29] = krr;
850
851         /* generate KB dependent subkeys */
852         /* k1 */
853         subL[2] = krll; subR[2] = krlr;
854         /* k2 */
855         subL[3] = krrl; subR[3] = krrr;
856         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
857         /* k7 */
858         subL[10] = krll; subR[10] = krlr;
859         /* k8 */
860         subL[11] = krrl; subR[11] = krrr;
861         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
862         /* k15 */
863         subL[20] = krll; subR[20] = krlr;
864         /* k16 */
865         subL[21] = krrl; subR[21] = krrr;
866         CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
867         /* kw3 */
868         subL[32] = krll; subR[32] = krlr;
869         /* kw4 */
870         subL[33] = krrl; subR[33] = krrr;
871
872         /* absorb kw2 to other subkeys */
873         /* round 2 */
874         subL[3] ^= subL[1]; subR[3] ^= subR[1];
875         /* round 4 */
876         subL[5] ^= subL[1]; subR[5] ^= subR[1];
877         /* round 6 */
878         subL[7] ^= subL[1]; subR[7] ^= subR[1];
879         subL[1] ^= subR[1] & ~subR[9];
880         dw = subL[1] & subL[9],
881                 subR[1] ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl2) */
882         /* round 8 */
883         subL[11] ^= subL[1]; subR[11] ^= subR[1];
884         /* round 10 */
885         subL[13] ^= subL[1]; subR[13] ^= subR[1];
886         /* round 12 */
887         subL[15] ^= subL[1]; subR[15] ^= subR[1];
888         subL[1] ^= subR[1] & ~subR[17];
889         dw = subL[1] & subL[17],
890                 subR[1] ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl4) */
891         /* round 14 */
892         subL[19] ^= subL[1]; subR[19] ^= subR[1];
893         /* round 16 */
894         subL[21] ^= subL[1]; subR[21] ^= subR[1];
895         /* round 18 */
896         subL[23] ^= subL[1]; subR[23] ^= subR[1];
897         subL[1] ^= subR[1] & ~subR[25];
898         dw = subL[1] & subL[25],
899                 subR[1] ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl6) */
900         /* round 20 */
901         subL[27] ^= subL[1]; subR[27] ^= subR[1];
902         /* round 22 */
903         subL[29] ^= subL[1]; subR[29] ^= subR[1];
904         /* round 24 */
905         subL[31] ^= subL[1]; subR[31] ^= subR[1];
906         /* kw3 */
907         subL[32] ^= subL[1]; subR[32] ^= subR[1];
908
909         /* absorb kw4 to other subkeys */
910         kw4l = subL[33]; kw4r = subR[33];
911         /* round 23 */
912         subL[30] ^= kw4l; subR[30] ^= kw4r;
913         /* round 21 */
914         subL[28] ^= kw4l; subR[28] ^= kw4r;
915         /* round 19 */
916         subL[26] ^= kw4l; subR[26] ^= kw4r;
917         kw4l ^= kw4r & ~subR[24];
918         dw = kw4l & subL[24],
919                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl5) */
920         /* round 17 */
921         subL[22] ^= kw4l; subR[22] ^= kw4r;
922         /* round 15 */
923         subL[20] ^= kw4l; subR[20] ^= kw4r;
924         /* round 13 */
925         subL[18] ^= kw4l; subR[18] ^= kw4r;
926         kw4l ^= kw4r & ~subR[16];
927         dw = kw4l & subL[16],
928                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl3) */
929         /* round 11 */
930         subL[14] ^= kw4l; subR[14] ^= kw4r;
931         /* round 9 */
932         subL[12] ^= kw4l; subR[12] ^= kw4r;
933         /* round 7 */
934         subL[10] ^= kw4l; subR[10] ^= kw4r;
935         kw4l ^= kw4r & ~subR[8];
936         dw = kw4l & subL[8],
937                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl1) */
938         /* round 5 */
939         subL[6] ^= kw4l; subR[6] ^= kw4r;
940         /* round 3 */
941         subL[4] ^= kw4l; subR[4] ^= kw4r;
942         /* round 1 */
943         subL[2] ^= kw4l; subR[2] ^= kw4r;
944         /* kw1 */
945         subL[0] ^= kw4l; subR[0] ^= kw4r;
946
947         /* key XOR is end of F-function */
948         CAMELLIA_SUBKEY_L(0) = subL[0] ^ subL[2];/* kw1 */
949         CAMELLIA_SUBKEY_R(0) = subR[0] ^ subR[2];
950         CAMELLIA_SUBKEY_L(2) = subL[3];       /* round 1 */
951         CAMELLIA_SUBKEY_R(2) = subR[3];
952         CAMELLIA_SUBKEY_L(3) = subL[2] ^ subL[4]; /* round 2 */
953         CAMELLIA_SUBKEY_R(3) = subR[2] ^ subR[4];
954         CAMELLIA_SUBKEY_L(4) = subL[3] ^ subL[5]; /* round 3 */
955         CAMELLIA_SUBKEY_R(4) = subR[3] ^ subR[5];
956         CAMELLIA_SUBKEY_L(5) = subL[4] ^ subL[6]; /* round 4 */
957         CAMELLIA_SUBKEY_R(5) = subR[4] ^ subR[6];
958         CAMELLIA_SUBKEY_L(6) = subL[5] ^ subL[7]; /* round 5 */
959         CAMELLIA_SUBKEY_R(6) = subR[5] ^ subR[7];
960         tl = subL[10] ^ (subR[10] & ~subR[8]);
961         dw = tl & subL[8],  /* FL(kl1) */
962                 tr = subR[10] ^ CAMELLIA_RL1(dw);
963         CAMELLIA_SUBKEY_L(7) = subL[6] ^ tl; /* round 6 */
964         CAMELLIA_SUBKEY_R(7) = subR[6] ^ tr;
965         CAMELLIA_SUBKEY_L(8) = subL[8];       /* FL(kl1) */
966         CAMELLIA_SUBKEY_R(8) = subR[8];
967         CAMELLIA_SUBKEY_L(9) = subL[9];       /* FLinv(kl2) */
968         CAMELLIA_SUBKEY_R(9) = subR[9];
969         tl = subL[7] ^ (subR[7] & ~subR[9]);
970         dw = tl & subL[9],  /* FLinv(kl2) */
971                 tr = subR[7] ^ CAMELLIA_RL1(dw);
972         CAMELLIA_SUBKEY_L(10) = tl ^ subL[11]; /* round 7 */
973         CAMELLIA_SUBKEY_R(10) = tr ^ subR[11];
974         CAMELLIA_SUBKEY_L(11) = subL[10] ^ subL[12]; /* round 8 */
975         CAMELLIA_SUBKEY_R(11) = subR[10] ^ subR[12];
976         CAMELLIA_SUBKEY_L(12) = subL[11] ^ subL[13]; /* round 9 */
977         CAMELLIA_SUBKEY_R(12) = subR[11] ^ subR[13];
978         CAMELLIA_SUBKEY_L(13) = subL[12] ^ subL[14]; /* round 10 */
979         CAMELLIA_SUBKEY_R(13) = subR[12] ^ subR[14];
980         CAMELLIA_SUBKEY_L(14) = subL[13] ^ subL[15]; /* round 11 */
981         CAMELLIA_SUBKEY_R(14) = subR[13] ^ subR[15];
982         tl = subL[18] ^ (subR[18] & ~subR[16]);
983         dw = tl & subL[16], /* FL(kl3) */
984                 tr = subR[18] ^ CAMELLIA_RL1(dw);
985         CAMELLIA_SUBKEY_L(15) = subL[14] ^ tl; /* round 12 */
986         CAMELLIA_SUBKEY_R(15) = subR[14] ^ tr;
987         CAMELLIA_SUBKEY_L(16) = subL[16];     /* FL(kl3) */
988         CAMELLIA_SUBKEY_R(16) = subR[16];
989         CAMELLIA_SUBKEY_L(17) = subL[17];     /* FLinv(kl4) */
990         CAMELLIA_SUBKEY_R(17) = subR[17];
991         tl = subL[15] ^ (subR[15] & ~subR[17]);
992         dw = tl & subL[17], /* FLinv(kl4) */
993                 tr = subR[15] ^ CAMELLIA_RL1(dw);
994         CAMELLIA_SUBKEY_L(18) = tl ^ subL[19]; /* round 13 */
995         CAMELLIA_SUBKEY_R(18) = tr ^ subR[19];
996         CAMELLIA_SUBKEY_L(19) = subL[18] ^ subL[20]; /* round 14 */
997         CAMELLIA_SUBKEY_R(19) = subR[18] ^ subR[20];
998         CAMELLIA_SUBKEY_L(20) = subL[19] ^ subL[21]; /* round 15 */
999         CAMELLIA_SUBKEY_R(20) = subR[19] ^ subR[21];
1000         CAMELLIA_SUBKEY_L(21) = subL[20] ^ subL[22]; /* round 16 */
1001         CAMELLIA_SUBKEY_R(21) = subR[20] ^ subR[22];
1002         CAMELLIA_SUBKEY_L(22) = subL[21] ^ subL[23]; /* round 17 */
1003         CAMELLIA_SUBKEY_R(22) = subR[21] ^ subR[23];
1004         tl = subL[26] ^ (subR[26]
1005                          & ~subR[24]);
1006         dw = tl & subL[24], /* FL(kl5) */
1007                 tr = subR[26] ^ CAMELLIA_RL1(dw);
1008         CAMELLIA_SUBKEY_L(23) = subL[22] ^ tl; /* round 18 */
1009         CAMELLIA_SUBKEY_R(23) = subR[22] ^ tr;
1010         CAMELLIA_SUBKEY_L(24) = subL[24];     /* FL(kl5) */
1011         CAMELLIA_SUBKEY_R(24) = subR[24];
1012         CAMELLIA_SUBKEY_L(25) = subL[25];     /* FLinv(kl6) */
1013         CAMELLIA_SUBKEY_R(25) = subR[25];
1014         tl = subL[23] ^ (subR[23] &
1015                          ~subR[25]);
1016         dw = tl & subL[25], /* FLinv(kl6) */
1017                 tr = subR[23] ^ CAMELLIA_RL1(dw);
1018         CAMELLIA_SUBKEY_L(26) = tl ^ subL[27]; /* round 19 */
1019         CAMELLIA_SUBKEY_R(26) = tr ^ subR[27];
1020         CAMELLIA_SUBKEY_L(27) = subL[26] ^ subL[28]; /* round 20 */
1021         CAMELLIA_SUBKEY_R(27) = subR[26] ^ subR[28];
1022         CAMELLIA_SUBKEY_L(28) = subL[27] ^ subL[29]; /* round 21 */
1023         CAMELLIA_SUBKEY_R(28) = subR[27] ^ subR[29];
1024         CAMELLIA_SUBKEY_L(29) = subL[28] ^ subL[30]; /* round 22 */
1025         CAMELLIA_SUBKEY_R(29) = subR[28] ^ subR[30];
1026         CAMELLIA_SUBKEY_L(30) = subL[29] ^ subL[31]; /* round 23 */
1027         CAMELLIA_SUBKEY_R(30) = subR[29] ^ subR[31];
1028         CAMELLIA_SUBKEY_L(31) = subL[30];     /* round 24 */
1029         CAMELLIA_SUBKEY_R(31) = subR[30];
1030         CAMELLIA_SUBKEY_L(32) = subL[32] ^ subL[31]; /* kw3 */
1031         CAMELLIA_SUBKEY_R(32) = subR[32] ^ subR[31];
1032
1033         /* apply the inverse of the last half of P-function */
1034         dw = CAMELLIA_SUBKEY_L(2) ^ CAMELLIA_SUBKEY_R(2),
1035                 dw = CAMELLIA_RL8(dw);/* round 1 */
1036         CAMELLIA_SUBKEY_R(2) = CAMELLIA_SUBKEY_L(2) ^ dw,
1037                 CAMELLIA_SUBKEY_L(2) = dw;
1038         dw = CAMELLIA_SUBKEY_L(3) ^ CAMELLIA_SUBKEY_R(3),
1039                 dw = CAMELLIA_RL8(dw);/* round 2 */
1040         CAMELLIA_SUBKEY_R(3) = CAMELLIA_SUBKEY_L(3) ^ dw,
1041                 CAMELLIA_SUBKEY_L(3) = dw;
1042         dw = CAMELLIA_SUBKEY_L(4) ^ CAMELLIA_SUBKEY_R(4),
1043                 dw = CAMELLIA_RL8(dw);/* round 3 */
1044         CAMELLIA_SUBKEY_R(4) = CAMELLIA_SUBKEY_L(4) ^ dw,
1045                 CAMELLIA_SUBKEY_L(4) = dw;
1046         dw = CAMELLIA_SUBKEY_L(5) ^ CAMELLIA_SUBKEY_R(5),
1047                 dw = CAMELLIA_RL8(dw);/* round 4 */
1048         CAMELLIA_SUBKEY_R(5) = CAMELLIA_SUBKEY_L(5) ^ dw,
1049         CAMELLIA_SUBKEY_L(5) = dw;
1050         dw = CAMELLIA_SUBKEY_L(6) ^ CAMELLIA_SUBKEY_R(6),
1051                 dw = CAMELLIA_RL8(dw);/* round 5 */
1052         CAMELLIA_SUBKEY_R(6) = CAMELLIA_SUBKEY_L(6) ^ dw,
1053                 CAMELLIA_SUBKEY_L(6) = dw;
1054         dw = CAMELLIA_SUBKEY_L(7) ^ CAMELLIA_SUBKEY_R(7),
1055                 dw = CAMELLIA_RL8(dw);/* round 6 */
1056         CAMELLIA_SUBKEY_R(7) = CAMELLIA_SUBKEY_L(7) ^ dw,
1057                 CAMELLIA_SUBKEY_L(7) = dw;
1058         dw = CAMELLIA_SUBKEY_L(10) ^ CAMELLIA_SUBKEY_R(10),
1059                 dw = CAMELLIA_RL8(dw);/* round 7 */
1060         CAMELLIA_SUBKEY_R(10) = CAMELLIA_SUBKEY_L(10) ^ dw,
1061                 CAMELLIA_SUBKEY_L(10) = dw;
1062         dw = CAMELLIA_SUBKEY_L(11) ^ CAMELLIA_SUBKEY_R(11),
1063             dw = CAMELLIA_RL8(dw);/* round 8 */
1064         CAMELLIA_SUBKEY_R(11) = CAMELLIA_SUBKEY_L(11) ^ dw,
1065                 CAMELLIA_SUBKEY_L(11) = dw;
1066         dw = CAMELLIA_SUBKEY_L(12) ^ CAMELLIA_SUBKEY_R(12),
1067                 dw = CAMELLIA_RL8(dw);/* round 9 */
1068         CAMELLIA_SUBKEY_R(12) = CAMELLIA_SUBKEY_L(12) ^ dw,
1069                 CAMELLIA_SUBKEY_L(12) = dw;
1070         dw = CAMELLIA_SUBKEY_L(13) ^ CAMELLIA_SUBKEY_R(13),
1071                 dw = CAMELLIA_RL8(dw);/* round 10 */
1072         CAMELLIA_SUBKEY_R(13) = CAMELLIA_SUBKEY_L(13) ^ dw,
1073                 CAMELLIA_SUBKEY_L(13) = dw;
1074         dw = CAMELLIA_SUBKEY_L(14) ^ CAMELLIA_SUBKEY_R(14),
1075                 dw = CAMELLIA_RL8(dw);/* round 11 */
1076         CAMELLIA_SUBKEY_R(14) = CAMELLIA_SUBKEY_L(14) ^ dw,
1077                 CAMELLIA_SUBKEY_L(14) = dw;
1078         dw = CAMELLIA_SUBKEY_L(15) ^ CAMELLIA_SUBKEY_R(15),
1079                 dw = CAMELLIA_RL8(dw);/* round 12 */
1080         CAMELLIA_SUBKEY_R(15) = CAMELLIA_SUBKEY_L(15) ^ dw,
1081                 CAMELLIA_SUBKEY_L(15) = dw;
1082         dw = CAMELLIA_SUBKEY_L(18) ^ CAMELLIA_SUBKEY_R(18),
1083                 dw = CAMELLIA_RL8(dw);/* round 13 */
1084         CAMELLIA_SUBKEY_R(18) = CAMELLIA_SUBKEY_L(18) ^ dw,
1085                 CAMELLIA_SUBKEY_L(18) = dw;
1086         dw = CAMELLIA_SUBKEY_L(19) ^ CAMELLIA_SUBKEY_R(19),
1087                 dw = CAMELLIA_RL8(dw);/* round 14 */
1088         CAMELLIA_SUBKEY_R(19) = CAMELLIA_SUBKEY_L(19) ^ dw,
1089                 CAMELLIA_SUBKEY_L(19) = dw;
1090         dw = CAMELLIA_SUBKEY_L(20) ^ CAMELLIA_SUBKEY_R(20),
1091                 dw = CAMELLIA_RL8(dw);/* round 15 */
1092         CAMELLIA_SUBKEY_R(20) = CAMELLIA_SUBKEY_L(20) ^ dw,
1093                 CAMELLIA_SUBKEY_L(20) = dw;
1094         dw = CAMELLIA_SUBKEY_L(21) ^ CAMELLIA_SUBKEY_R(21),
1095                 dw = CAMELLIA_RL8(dw);/* round 16 */
1096         CAMELLIA_SUBKEY_R(21) = CAMELLIA_SUBKEY_L(21) ^ dw,
1097                 CAMELLIA_SUBKEY_L(21) = dw;
1098         dw = CAMELLIA_SUBKEY_L(22) ^ CAMELLIA_SUBKEY_R(22),
1099                 dw = CAMELLIA_RL8(dw);/* round 17 */
1100         CAMELLIA_SUBKEY_R(22) = CAMELLIA_SUBKEY_L(22) ^ dw,
1101                 CAMELLIA_SUBKEY_L(22) = dw;
1102         dw = CAMELLIA_SUBKEY_L(23) ^ CAMELLIA_SUBKEY_R(23),
1103                 dw = CAMELLIA_RL8(dw);/* round 18 */
1104         CAMELLIA_SUBKEY_R(23) = CAMELLIA_SUBKEY_L(23) ^ dw,
1105                 CAMELLIA_SUBKEY_L(23) = dw;
1106         dw = CAMELLIA_SUBKEY_L(26) ^ CAMELLIA_SUBKEY_R(26),
1107                 dw = CAMELLIA_RL8(dw);/* round 19 */
1108         CAMELLIA_SUBKEY_R(26) = CAMELLIA_SUBKEY_L(26) ^ dw,
1109                 CAMELLIA_SUBKEY_L(26) = dw;
1110         dw = CAMELLIA_SUBKEY_L(27) ^ CAMELLIA_SUBKEY_R(27),
1111                 dw = CAMELLIA_RL8(dw);/* round 20 */
1112         CAMELLIA_SUBKEY_R(27) = CAMELLIA_SUBKEY_L(27) ^ dw,
1113                 CAMELLIA_SUBKEY_L(27) = dw;
1114         dw = CAMELLIA_SUBKEY_L(28) ^ CAMELLIA_SUBKEY_R(28),
1115                 dw = CAMELLIA_RL8(dw);/* round 21 */
1116         CAMELLIA_SUBKEY_R(28) = CAMELLIA_SUBKEY_L(28) ^ dw,
1117                 CAMELLIA_SUBKEY_L(28) = dw;
1118         dw = CAMELLIA_SUBKEY_L(29) ^ CAMELLIA_SUBKEY_R(29),
1119                 dw = CAMELLIA_RL8(dw);/* round 22 */
1120         CAMELLIA_SUBKEY_R(29) = CAMELLIA_SUBKEY_L(29) ^ dw,
1121                 CAMELLIA_SUBKEY_L(29) = dw;
1122         dw = CAMELLIA_SUBKEY_L(30) ^ CAMELLIA_SUBKEY_R(30),
1123                 dw = CAMELLIA_RL8(dw);/* round 23 */
1124         CAMELLIA_SUBKEY_R(30) = CAMELLIA_SUBKEY_L(30) ^ dw,
1125                 CAMELLIA_SUBKEY_L(30) = dw;
1126         dw = CAMELLIA_SUBKEY_L(31) ^ CAMELLIA_SUBKEY_R(31),
1127                 dw = CAMELLIA_RL8(dw);/* round 24 */
1128         CAMELLIA_SUBKEY_R(31) = CAMELLIA_SUBKEY_L(31) ^ dw,
1129                 CAMELLIA_SUBKEY_L(31) = dw;
1130 }
1131
1132 static void camellia_setup192(const unsigned char *key, u32 *subkey)
1133 {
1134         unsigned char kk[32];
1135         u32 krll, krlr, krrl,krrr;
1136
1137         memcpy(kk, key, 24);
1138         memcpy((unsigned char *)&krll, key+16, 4);
1139         memcpy((unsigned char *)&krlr, key+20, 4);
1140         krrl = ~krll;
1141         krrr = ~krlr;
1142         memcpy(kk+24, (unsigned char *)&krrl, 4);
1143         memcpy(kk+28, (unsigned char *)&krrr, 4);
1144         camellia_setup256(kk, subkey);
1145 }
1146
1147
1148 static void camellia_encrypt128(const u32 *subkey, __be32 *io_text)
1149 {
1150         u32 il,ir,t0,t1;               /* temporary valiables */
1151
1152         u32 io[4];
1153
1154         io[0] = be32_to_cpu(io_text[0]);
1155         io[1] = be32_to_cpu(io_text[1]);
1156         io[2] = be32_to_cpu(io_text[2]);
1157         io[3] = be32_to_cpu(io_text[3]);
1158
1159         /* pre whitening but absorb kw2 */
1160         io[0] ^= CAMELLIA_SUBKEY_L(0);
1161         io[1] ^= CAMELLIA_SUBKEY_R(0);
1162
1163         /* main iteration */
1164         CAMELLIA_ROUNDSM(io[0],io[1],
1165                          CAMELLIA_SUBKEY_L(2),CAMELLIA_SUBKEY_R(2),
1166                          io[2],io[3],il,ir,t0,t1);
1167         CAMELLIA_ROUNDSM(io[2],io[3],
1168                          CAMELLIA_SUBKEY_L(3),CAMELLIA_SUBKEY_R(3),
1169                          io[0],io[1],il,ir,t0,t1);
1170         CAMELLIA_ROUNDSM(io[0],io[1],
1171                          CAMELLIA_SUBKEY_L(4),CAMELLIA_SUBKEY_R(4),
1172                          io[2],io[3],il,ir,t0,t1);
1173         CAMELLIA_ROUNDSM(io[2],io[3],
1174                          CAMELLIA_SUBKEY_L(5),CAMELLIA_SUBKEY_R(5),
1175                          io[0],io[1],il,ir,t0,t1);
1176         CAMELLIA_ROUNDSM(io[0],io[1],
1177                          CAMELLIA_SUBKEY_L(6),CAMELLIA_SUBKEY_R(6),
1178                          io[2],io[3],il,ir,t0,t1);
1179         CAMELLIA_ROUNDSM(io[2],io[3],
1180                          CAMELLIA_SUBKEY_L(7),CAMELLIA_SUBKEY_R(7),
1181                          io[0],io[1],il,ir,t0,t1);
1182
1183         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1184                      CAMELLIA_SUBKEY_L(8),CAMELLIA_SUBKEY_R(8),
1185                      CAMELLIA_SUBKEY_L(9),CAMELLIA_SUBKEY_R(9),
1186                      t0,t1,il,ir);
1187
1188         CAMELLIA_ROUNDSM(io[0],io[1],
1189                          CAMELLIA_SUBKEY_L(10),CAMELLIA_SUBKEY_R(10),
1190                          io[2],io[3],il,ir,t0,t1);
1191         CAMELLIA_ROUNDSM(io[2],io[3],
1192                          CAMELLIA_SUBKEY_L(11),CAMELLIA_SUBKEY_R(11),
1193                          io[0],io[1],il,ir,t0,t1);
1194         CAMELLIA_ROUNDSM(io[0],io[1],
1195                          CAMELLIA_SUBKEY_L(12),CAMELLIA_SUBKEY_R(12),
1196                          io[2],io[3],il,ir,t0,t1);
1197         CAMELLIA_ROUNDSM(io[2],io[3],
1198                          CAMELLIA_SUBKEY_L(13),CAMELLIA_SUBKEY_R(13),
1199                          io[0],io[1],il,ir,t0,t1);
1200         CAMELLIA_ROUNDSM(io[0],io[1],
1201                          CAMELLIA_SUBKEY_L(14),CAMELLIA_SUBKEY_R(14),
1202                          io[2],io[3],il,ir,t0,t1);
1203         CAMELLIA_ROUNDSM(io[2],io[3],
1204                          CAMELLIA_SUBKEY_L(15),CAMELLIA_SUBKEY_R(15),
1205                          io[0],io[1],il,ir,t0,t1);
1206
1207         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1208                      CAMELLIA_SUBKEY_L(16),CAMELLIA_SUBKEY_R(16),
1209                      CAMELLIA_SUBKEY_L(17),CAMELLIA_SUBKEY_R(17),
1210                      t0,t1,il,ir);
1211
1212         CAMELLIA_ROUNDSM(io[0],io[1],
1213                          CAMELLIA_SUBKEY_L(18),CAMELLIA_SUBKEY_R(18),
1214                          io[2],io[3],il,ir,t0,t1);
1215         CAMELLIA_ROUNDSM(io[2],io[3],
1216                          CAMELLIA_SUBKEY_L(19),CAMELLIA_SUBKEY_R(19),
1217                          io[0],io[1],il,ir,t0,t1);
1218         CAMELLIA_ROUNDSM(io[0],io[1],
1219                          CAMELLIA_SUBKEY_L(20),CAMELLIA_SUBKEY_R(20),
1220                          io[2],io[3],il,ir,t0,t1);
1221         CAMELLIA_ROUNDSM(io[2],io[3],
1222                          CAMELLIA_SUBKEY_L(21),CAMELLIA_SUBKEY_R(21),
1223                          io[0],io[1],il,ir,t0,t1);
1224         CAMELLIA_ROUNDSM(io[0],io[1],
1225                          CAMELLIA_SUBKEY_L(22),CAMELLIA_SUBKEY_R(22),
1226                          io[2],io[3],il,ir,t0,t1);
1227         CAMELLIA_ROUNDSM(io[2],io[3],
1228                          CAMELLIA_SUBKEY_L(23),CAMELLIA_SUBKEY_R(23),
1229                          io[0],io[1],il,ir,t0,t1);
1230
1231         /* post whitening but kw4 */
1232         io[2] ^= CAMELLIA_SUBKEY_L(24);
1233         io[3] ^= CAMELLIA_SUBKEY_R(24);
1234
1235         io_text[0] = cpu_to_be32(io[2]);
1236         io_text[1] = cpu_to_be32(io[3]);
1237         io_text[2] = cpu_to_be32(io[0]);
1238         io_text[3] = cpu_to_be32(io[1]);
1239 }
1240
1241 static void camellia_decrypt128(const u32 *subkey, __be32 *io_text)
1242 {
1243         u32 il,ir,t0,t1;               /* temporary valiables */
1244
1245         u32 io[4];
1246
1247         io[0] = be32_to_cpu(io_text[0]);
1248         io[1] = be32_to_cpu(io_text[1]);
1249         io[2] = be32_to_cpu(io_text[2]);
1250         io[3] = be32_to_cpu(io_text[3]);
1251
1252         /* pre whitening but absorb kw2 */
1253         io[0] ^= CAMELLIA_SUBKEY_L(24);
1254         io[1] ^= CAMELLIA_SUBKEY_R(24);
1255
1256         /* main iteration */
1257         CAMELLIA_ROUNDSM(io[0],io[1],
1258                          CAMELLIA_SUBKEY_L(23),CAMELLIA_SUBKEY_R(23),
1259                          io[2],io[3],il,ir,t0,t1);
1260         CAMELLIA_ROUNDSM(io[2],io[3],
1261                          CAMELLIA_SUBKEY_L(22),CAMELLIA_SUBKEY_R(22),
1262                          io[0],io[1],il,ir,t0,t1);
1263         CAMELLIA_ROUNDSM(io[0],io[1],
1264                          CAMELLIA_SUBKEY_L(21),CAMELLIA_SUBKEY_R(21),
1265                          io[2],io[3],il,ir,t0,t1);
1266         CAMELLIA_ROUNDSM(io[2],io[3],
1267                          CAMELLIA_SUBKEY_L(20),CAMELLIA_SUBKEY_R(20),
1268                          io[0],io[1],il,ir,t0,t1);
1269         CAMELLIA_ROUNDSM(io[0],io[1],
1270                          CAMELLIA_SUBKEY_L(19),CAMELLIA_SUBKEY_R(19),
1271                          io[2],io[3],il,ir,t0,t1);
1272         CAMELLIA_ROUNDSM(io[2],io[3],
1273                          CAMELLIA_SUBKEY_L(18),CAMELLIA_SUBKEY_R(18),
1274                          io[0],io[1],il,ir,t0,t1);
1275
1276         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1277                      CAMELLIA_SUBKEY_L(17),CAMELLIA_SUBKEY_R(17),
1278                      CAMELLIA_SUBKEY_L(16),CAMELLIA_SUBKEY_R(16),
1279                      t0,t1,il,ir);
1280
1281         CAMELLIA_ROUNDSM(io[0],io[1],
1282                          CAMELLIA_SUBKEY_L(15),CAMELLIA_SUBKEY_R(15),
1283                          io[2],io[3],il,ir,t0,t1);
1284         CAMELLIA_ROUNDSM(io[2],io[3],
1285                          CAMELLIA_SUBKEY_L(14),CAMELLIA_SUBKEY_R(14),
1286                          io[0],io[1],il,ir,t0,t1);
1287         CAMELLIA_ROUNDSM(io[0],io[1],
1288                          CAMELLIA_SUBKEY_L(13),CAMELLIA_SUBKEY_R(13),
1289                          io[2],io[3],il,ir,t0,t1);
1290         CAMELLIA_ROUNDSM(io[2],io[3],
1291                          CAMELLIA_SUBKEY_L(12),CAMELLIA_SUBKEY_R(12),
1292                          io[0],io[1],il,ir,t0,t1);
1293         CAMELLIA_ROUNDSM(io[0],io[1],
1294                          CAMELLIA_SUBKEY_L(11),CAMELLIA_SUBKEY_R(11),
1295                          io[2],io[3],il,ir,t0,t1);
1296         CAMELLIA_ROUNDSM(io[2],io[3],
1297                          CAMELLIA_SUBKEY_L(10),CAMELLIA_SUBKEY_R(10),
1298                          io[0],io[1],il,ir,t0,t1);
1299
1300         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1301                      CAMELLIA_SUBKEY_L(9),CAMELLIA_SUBKEY_R(9),
1302                      CAMELLIA_SUBKEY_L(8),CAMELLIA_SUBKEY_R(8),
1303                      t0,t1,il,ir);
1304
1305         CAMELLIA_ROUNDSM(io[0],io[1],
1306                          CAMELLIA_SUBKEY_L(7),CAMELLIA_SUBKEY_R(7),
1307                          io[2],io[3],il,ir,t0,t1);
1308         CAMELLIA_ROUNDSM(io[2],io[3],
1309                          CAMELLIA_SUBKEY_L(6),CAMELLIA_SUBKEY_R(6),
1310                          io[0],io[1],il,ir,t0,t1);
1311         CAMELLIA_ROUNDSM(io[0],io[1],
1312                          CAMELLIA_SUBKEY_L(5),CAMELLIA_SUBKEY_R(5),
1313                          io[2],io[3],il,ir,t0,t1);
1314         CAMELLIA_ROUNDSM(io[2],io[3],
1315                          CAMELLIA_SUBKEY_L(4),CAMELLIA_SUBKEY_R(4),
1316                          io[0],io[1],il,ir,t0,t1);
1317         CAMELLIA_ROUNDSM(io[0],io[1],
1318                          CAMELLIA_SUBKEY_L(3),CAMELLIA_SUBKEY_R(3),
1319                          io[2],io[3],il,ir,t0,t1);
1320         CAMELLIA_ROUNDSM(io[2],io[3],
1321                          CAMELLIA_SUBKEY_L(2),CAMELLIA_SUBKEY_R(2),
1322                          io[0],io[1],il,ir,t0,t1);
1323
1324         /* post whitening but kw4 */
1325         io[2] ^= CAMELLIA_SUBKEY_L(0);
1326         io[3] ^= CAMELLIA_SUBKEY_R(0);
1327
1328         io_text[0] = cpu_to_be32(io[2]);
1329         io_text[1] = cpu_to_be32(io[3]);
1330         io_text[2] = cpu_to_be32(io[0]);
1331         io_text[3] = cpu_to_be32(io[1]);
1332 }
1333
1334 static void camellia_encrypt256(const u32 *subkey, __be32 *io_text)
1335 {
1336         u32 il,ir,t0,t1;           /* temporary valiables */
1337
1338         u32 io[4];
1339
1340         io[0] = be32_to_cpu(io_text[0]);
1341         io[1] = be32_to_cpu(io_text[1]);
1342         io[2] = be32_to_cpu(io_text[2]);
1343         io[3] = be32_to_cpu(io_text[3]);
1344
1345         /* pre whitening but absorb kw2 */
1346         io[0] ^= CAMELLIA_SUBKEY_L(0);
1347         io[1] ^= CAMELLIA_SUBKEY_R(0);
1348
1349         /* main iteration */
1350         CAMELLIA_ROUNDSM(io[0],io[1],
1351                          CAMELLIA_SUBKEY_L(2),CAMELLIA_SUBKEY_R(2),
1352                          io[2],io[3],il,ir,t0,t1);
1353         CAMELLIA_ROUNDSM(io[2],io[3],
1354                          CAMELLIA_SUBKEY_L(3),CAMELLIA_SUBKEY_R(3),
1355                          io[0],io[1],il,ir,t0,t1);
1356         CAMELLIA_ROUNDSM(io[0],io[1],
1357                          CAMELLIA_SUBKEY_L(4),CAMELLIA_SUBKEY_R(4),
1358                          io[2],io[3],il,ir,t0,t1);
1359         CAMELLIA_ROUNDSM(io[2],io[3],
1360                          CAMELLIA_SUBKEY_L(5),CAMELLIA_SUBKEY_R(5),
1361                          io[0],io[1],il,ir,t0,t1);
1362         CAMELLIA_ROUNDSM(io[0],io[1],
1363                          CAMELLIA_SUBKEY_L(6),CAMELLIA_SUBKEY_R(6),
1364                          io[2],io[3],il,ir,t0,t1);
1365         CAMELLIA_ROUNDSM(io[2],io[3],
1366                          CAMELLIA_SUBKEY_L(7),CAMELLIA_SUBKEY_R(7),
1367                          io[0],io[1],il,ir,t0,t1);
1368
1369         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1370                      CAMELLIA_SUBKEY_L(8),CAMELLIA_SUBKEY_R(8),
1371                      CAMELLIA_SUBKEY_L(9),CAMELLIA_SUBKEY_R(9),
1372                      t0,t1,il,ir);
1373
1374         CAMELLIA_ROUNDSM(io[0],io[1],
1375                          CAMELLIA_SUBKEY_L(10),CAMELLIA_SUBKEY_R(10),
1376                          io[2],io[3],il,ir,t0,t1);
1377         CAMELLIA_ROUNDSM(io[2],io[3],
1378                          CAMELLIA_SUBKEY_L(11),CAMELLIA_SUBKEY_R(11),
1379                          io[0],io[1],il,ir,t0,t1);
1380         CAMELLIA_ROUNDSM(io[0],io[1],
1381                          CAMELLIA_SUBKEY_L(12),CAMELLIA_SUBKEY_R(12),
1382                          io[2],io[3],il,ir,t0,t1);
1383         CAMELLIA_ROUNDSM(io[2],io[3],
1384                          CAMELLIA_SUBKEY_L(13),CAMELLIA_SUBKEY_R(13),
1385                          io[0],io[1],il,ir,t0,t1);
1386         CAMELLIA_ROUNDSM(io[0],io[1],
1387                          CAMELLIA_SUBKEY_L(14),CAMELLIA_SUBKEY_R(14),
1388                          io[2],io[3],il,ir,t0,t1);
1389         CAMELLIA_ROUNDSM(io[2],io[3],
1390                          CAMELLIA_SUBKEY_L(15),CAMELLIA_SUBKEY_R(15),
1391                          io[0],io[1],il,ir,t0,t1);
1392
1393         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1394                      CAMELLIA_SUBKEY_L(16),CAMELLIA_SUBKEY_R(16),
1395                      CAMELLIA_SUBKEY_L(17),CAMELLIA_SUBKEY_R(17),
1396                      t0,t1,il,ir);
1397
1398         CAMELLIA_ROUNDSM(io[0],io[1],
1399                          CAMELLIA_SUBKEY_L(18),CAMELLIA_SUBKEY_R(18),
1400                          io[2],io[3],il,ir,t0,t1);
1401         CAMELLIA_ROUNDSM(io[2],io[3],
1402                          CAMELLIA_SUBKEY_L(19),CAMELLIA_SUBKEY_R(19),
1403                          io[0],io[1],il,ir,t0,t1);
1404         CAMELLIA_ROUNDSM(io[0],io[1],
1405                          CAMELLIA_SUBKEY_L(20),CAMELLIA_SUBKEY_R(20),
1406                          io[2],io[3],il,ir,t0,t1);
1407         CAMELLIA_ROUNDSM(io[2],io[3],
1408                          CAMELLIA_SUBKEY_L(21),CAMELLIA_SUBKEY_R(21),
1409                          io[0],io[1],il,ir,t0,t1);
1410         CAMELLIA_ROUNDSM(io[0],io[1],
1411                          CAMELLIA_SUBKEY_L(22),CAMELLIA_SUBKEY_R(22),
1412                          io[2],io[3],il,ir,t0,t1);
1413         CAMELLIA_ROUNDSM(io[2],io[3],
1414                          CAMELLIA_SUBKEY_L(23),CAMELLIA_SUBKEY_R(23),
1415                          io[0],io[1],il,ir,t0,t1);
1416
1417         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1418                      CAMELLIA_SUBKEY_L(24),CAMELLIA_SUBKEY_R(24),
1419                      CAMELLIA_SUBKEY_L(25),CAMELLIA_SUBKEY_R(25),
1420                      t0,t1,il,ir);
1421
1422         CAMELLIA_ROUNDSM(io[0],io[1],
1423                          CAMELLIA_SUBKEY_L(26),CAMELLIA_SUBKEY_R(26),
1424                          io[2],io[3],il,ir,t0,t1);
1425         CAMELLIA_ROUNDSM(io[2],io[3],
1426                          CAMELLIA_SUBKEY_L(27),CAMELLIA_SUBKEY_R(27),
1427                          io[0],io[1],il,ir,t0,t1);
1428         CAMELLIA_ROUNDSM(io[0],io[1],
1429                          CAMELLIA_SUBKEY_L(28),CAMELLIA_SUBKEY_R(28),
1430                          io[2],io[3],il,ir,t0,t1);
1431         CAMELLIA_ROUNDSM(io[2],io[3],
1432                          CAMELLIA_SUBKEY_L(29),CAMELLIA_SUBKEY_R(29),
1433                          io[0],io[1],il,ir,t0,t1);
1434         CAMELLIA_ROUNDSM(io[0],io[1],
1435                          CAMELLIA_SUBKEY_L(30),CAMELLIA_SUBKEY_R(30),
1436                          io[2],io[3],il,ir,t0,t1);
1437         CAMELLIA_ROUNDSM(io[2],io[3],
1438                          CAMELLIA_SUBKEY_L(31),CAMELLIA_SUBKEY_R(31),
1439                          io[0],io[1],il,ir,t0,t1);
1440
1441         /* post whitening but kw4 */
1442         io[2] ^= CAMELLIA_SUBKEY_L(32);
1443         io[3] ^= CAMELLIA_SUBKEY_R(32);
1444
1445         io_text[0] = cpu_to_be32(io[2]);
1446         io_text[1] = cpu_to_be32(io[3]);
1447         io_text[2] = cpu_to_be32(io[0]);
1448         io_text[3] = cpu_to_be32(io[1]);
1449 }
1450
1451 static void camellia_decrypt256(const u32 *subkey, __be32 *io_text)
1452 {
1453         u32 il,ir,t0,t1;           /* temporary valiables */
1454
1455         u32 io[4];
1456
1457         io[0] = be32_to_cpu(io_text[0]);
1458         io[1] = be32_to_cpu(io_text[1]);
1459         io[2] = be32_to_cpu(io_text[2]);
1460         io[3] = be32_to_cpu(io_text[3]);
1461
1462         /* pre whitening but absorb kw2 */
1463         io[0] ^= CAMELLIA_SUBKEY_L(32);
1464         io[1] ^= CAMELLIA_SUBKEY_R(32);
1465
1466         /* main iteration */
1467         CAMELLIA_ROUNDSM(io[0],io[1],
1468                          CAMELLIA_SUBKEY_L(31),CAMELLIA_SUBKEY_R(31),
1469                          io[2],io[3],il,ir,t0,t1);
1470         CAMELLIA_ROUNDSM(io[2],io[3],
1471                          CAMELLIA_SUBKEY_L(30),CAMELLIA_SUBKEY_R(30),
1472                          io[0],io[1],il,ir,t0,t1);
1473         CAMELLIA_ROUNDSM(io[0],io[1],
1474                          CAMELLIA_SUBKEY_L(29),CAMELLIA_SUBKEY_R(29),
1475                          io[2],io[3],il,ir,t0,t1);
1476         CAMELLIA_ROUNDSM(io[2],io[3],
1477                          CAMELLIA_SUBKEY_L(28),CAMELLIA_SUBKEY_R(28),
1478                          io[0],io[1],il,ir,t0,t1);
1479         CAMELLIA_ROUNDSM(io[0],io[1],
1480                          CAMELLIA_SUBKEY_L(27),CAMELLIA_SUBKEY_R(27),
1481                          io[2],io[3],il,ir,t0,t1);
1482         CAMELLIA_ROUNDSM(io[2],io[3],
1483                          CAMELLIA_SUBKEY_L(26),CAMELLIA_SUBKEY_R(26),
1484                          io[0],io[1],il,ir,t0,t1);
1485
1486         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1487                      CAMELLIA_SUBKEY_L(25),CAMELLIA_SUBKEY_R(25),
1488                      CAMELLIA_SUBKEY_L(24),CAMELLIA_SUBKEY_R(24),
1489                      t0,t1,il,ir);
1490
1491         CAMELLIA_ROUNDSM(io[0],io[1],
1492                          CAMELLIA_SUBKEY_L(23),CAMELLIA_SUBKEY_R(23),
1493                          io[2],io[3],il,ir,t0,t1);
1494         CAMELLIA_ROUNDSM(io[2],io[3],
1495                          CAMELLIA_SUBKEY_L(22),CAMELLIA_SUBKEY_R(22),
1496                          io[0],io[1],il,ir,t0,t1);
1497         CAMELLIA_ROUNDSM(io[0],io[1],
1498                          CAMELLIA_SUBKEY_L(21),CAMELLIA_SUBKEY_R(21),
1499                          io[2],io[3],il,ir,t0,t1);
1500         CAMELLIA_ROUNDSM(io[2],io[3],
1501                          CAMELLIA_SUBKEY_L(20),CAMELLIA_SUBKEY_R(20),
1502                          io[0],io[1],il,ir,t0,t1);
1503         CAMELLIA_ROUNDSM(io[0],io[1],
1504                          CAMELLIA_SUBKEY_L(19),CAMELLIA_SUBKEY_R(19),
1505                          io[2],io[3],il,ir,t0,t1);
1506         CAMELLIA_ROUNDSM(io[2],io[3],
1507                          CAMELLIA_SUBKEY_L(18),CAMELLIA_SUBKEY_R(18),
1508                          io[0],io[1],il,ir,t0,t1);
1509
1510         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1511                      CAMELLIA_SUBKEY_L(17),CAMELLIA_SUBKEY_R(17),
1512                      CAMELLIA_SUBKEY_L(16),CAMELLIA_SUBKEY_R(16),
1513                      t0,t1,il,ir);
1514
1515         CAMELLIA_ROUNDSM(io[0],io[1],
1516                          CAMELLIA_SUBKEY_L(15),CAMELLIA_SUBKEY_R(15),
1517                          io[2],io[3],il,ir,t0,t1);
1518         CAMELLIA_ROUNDSM(io[2],io[3],
1519                          CAMELLIA_SUBKEY_L(14),CAMELLIA_SUBKEY_R(14),
1520                          io[0],io[1],il,ir,t0,t1);
1521         CAMELLIA_ROUNDSM(io[0],io[1],
1522                          CAMELLIA_SUBKEY_L(13),CAMELLIA_SUBKEY_R(13),
1523                          io[2],io[3],il,ir,t0,t1);
1524         CAMELLIA_ROUNDSM(io[2],io[3],
1525                          CAMELLIA_SUBKEY_L(12),CAMELLIA_SUBKEY_R(12),
1526                          io[0],io[1],il,ir,t0,t1);
1527         CAMELLIA_ROUNDSM(io[0],io[1],
1528                          CAMELLIA_SUBKEY_L(11),CAMELLIA_SUBKEY_R(11),
1529                          io[2],io[3],il,ir,t0,t1);
1530         CAMELLIA_ROUNDSM(io[2],io[3],
1531                          CAMELLIA_SUBKEY_L(10),CAMELLIA_SUBKEY_R(10),
1532                          io[0],io[1],il,ir,t0,t1);
1533
1534         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1535                      CAMELLIA_SUBKEY_L(9),CAMELLIA_SUBKEY_R(9),
1536                      CAMELLIA_SUBKEY_L(8),CAMELLIA_SUBKEY_R(8),
1537                      t0,t1,il,ir);
1538
1539         CAMELLIA_ROUNDSM(io[0],io[1],
1540                          CAMELLIA_SUBKEY_L(7),CAMELLIA_SUBKEY_R(7),
1541                          io[2],io[3],il,ir,t0,t1);
1542         CAMELLIA_ROUNDSM(io[2],io[3],
1543                          CAMELLIA_SUBKEY_L(6),CAMELLIA_SUBKEY_R(6),
1544                          io[0],io[1],il,ir,t0,t1);
1545         CAMELLIA_ROUNDSM(io[0],io[1],
1546                          CAMELLIA_SUBKEY_L(5),CAMELLIA_SUBKEY_R(5),
1547                          io[2],io[3],il,ir,t0,t1);
1548         CAMELLIA_ROUNDSM(io[2],io[3],
1549                          CAMELLIA_SUBKEY_L(4),CAMELLIA_SUBKEY_R(4),
1550                          io[0],io[1],il,ir,t0,t1);
1551         CAMELLIA_ROUNDSM(io[0],io[1],
1552                          CAMELLIA_SUBKEY_L(3),CAMELLIA_SUBKEY_R(3),
1553                          io[2],io[3],il,ir,t0,t1);
1554         CAMELLIA_ROUNDSM(io[2],io[3],
1555                          CAMELLIA_SUBKEY_L(2),CAMELLIA_SUBKEY_R(2),
1556                          io[0],io[1],il,ir,t0,t1);
1557
1558         /* post whitening but kw4 */
1559         io[2] ^= CAMELLIA_SUBKEY_L(0);
1560         io[3] ^= CAMELLIA_SUBKEY_R(0);
1561
1562         io_text[0] = cpu_to_be32(io[2]);
1563         io_text[1] = cpu_to_be32(io[3]);
1564         io_text[2] = cpu_to_be32(io[0]);
1565         io_text[3] = cpu_to_be32(io[1]);
1566 }
1567
1568
1569 struct camellia_ctx {
1570         int key_length;
1571         u32 key_table[CAMELLIA_TABLE_BYTE_LEN / 4];
1572 };
1573
1574 static int
1575 camellia_set_key(struct crypto_tfm *tfm, const u8 *in_key,
1576                  unsigned int key_len)
1577 {
1578         struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1579         const unsigned char *key = (const unsigned char *)in_key;
1580         u32 *flags = &tfm->crt_flags;
1581
1582         if (key_len != 16 && key_len != 24 && key_len != 32) {
1583                 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
1584                 return -EINVAL;
1585         }
1586
1587         cctx->key_length = key_len;
1588
1589         switch (key_len) {
1590         case 16:
1591                 camellia_setup128(key, cctx->key_table);
1592                 break;
1593         case 24:
1594                 camellia_setup192(key, cctx->key_table);
1595                 break;
1596         case 32:
1597                 camellia_setup256(key, cctx->key_table);
1598                 break;
1599         }
1600
1601         return 0;
1602 }
1603
1604 static void camellia_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1605 {
1606         const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1607         const __be32 *src = (const __be32 *)in;
1608         __be32 *dst = (__be32 *)out;
1609
1610         __be32 tmp[4];
1611
1612         memcpy(tmp, src, CAMELLIA_BLOCK_SIZE);
1613
1614         switch (cctx->key_length) {
1615         case 16:
1616                 camellia_encrypt128(cctx->key_table, tmp);
1617                 break;
1618         case 24:
1619                 /* fall through */
1620         case 32:
1621                 camellia_encrypt256(cctx->key_table, tmp);
1622                 break;
1623         }
1624
1625         memcpy(dst, tmp, CAMELLIA_BLOCK_SIZE);
1626 }
1627
1628 static void camellia_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
1629 {
1630         const struct camellia_ctx *cctx = crypto_tfm_ctx(tfm);
1631         const __be32 *src = (const __be32 *)in;
1632         __be32 *dst = (__be32 *)out;
1633
1634         __be32 tmp[4];
1635
1636         memcpy(tmp, src, CAMELLIA_BLOCK_SIZE);
1637
1638         switch (cctx->key_length) {
1639         case 16:
1640                 camellia_decrypt128(cctx->key_table, tmp);
1641                 break;
1642         case 24:
1643                 /* fall through */
1644         case 32:
1645                 camellia_decrypt256(cctx->key_table, tmp);
1646                 break;
1647         }
1648
1649         memcpy(dst, tmp, CAMELLIA_BLOCK_SIZE);
1650 }
1651
1652 static struct crypto_alg camellia_alg = {
1653         .cra_name               =       "camellia",
1654         .cra_driver_name        =       "camellia-generic",
1655         .cra_priority           =       100,
1656         .cra_flags              =       CRYPTO_ALG_TYPE_CIPHER,
1657         .cra_blocksize          =       CAMELLIA_BLOCK_SIZE,
1658         .cra_ctxsize            =       sizeof(struct camellia_ctx),
1659         .cra_alignmask          =       3,
1660         .cra_module             =       THIS_MODULE,
1661         .cra_list               =       LIST_HEAD_INIT(camellia_alg.cra_list),
1662         .cra_u                  =       {
1663                 .cipher = {
1664                         .cia_min_keysize        =       CAMELLIA_MIN_KEY_SIZE,
1665                         .cia_max_keysize        =       CAMELLIA_MAX_KEY_SIZE,
1666                         .cia_setkey             =       camellia_set_key,
1667                         .cia_encrypt            =       camellia_encrypt,
1668                         .cia_decrypt            =       camellia_decrypt
1669                 }
1670         }
1671 };
1672
1673 static int __init camellia_init(void)
1674 {
1675         return crypto_register_alg(&camellia_alg);
1676 }
1677
1678 static void __exit camellia_fini(void)
1679 {
1680         crypto_unregister_alg(&camellia_alg);
1681 }
1682
1683 module_init(camellia_init);
1684 module_exit(camellia_fini);
1685
1686 MODULE_DESCRIPTION("Camellia Cipher Algorithm");
1687 MODULE_LICENSE("GPL");