summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/camellia/camellia.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/camellia/camellia.c')
-rw-r--r--src/lib/libcrypto/camellia/camellia.c571
1 files changed, 0 insertions, 571 deletions
diff --git a/src/lib/libcrypto/camellia/camellia.c b/src/lib/libcrypto/camellia/camellia.c
deleted file mode 100644
index cb577798a8..0000000000
--- a/src/lib/libcrypto/camellia/camellia.c
+++ /dev/null
@@ -1,571 +0,0 @@
1/* $OpenBSD: camellia.c,v 1.10 2014/11/19 11:37:52 bcook Exp $ */
2/* ====================================================================
3 * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) .
4 * ALL RIGHTS RESERVED.
5 *
6 * Intellectual Property information for Camellia:
7 * http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
8 *
9 * News Release for Announcement of Camellia open source:
10 * http://www.ntt.co.jp/news/news06e/0604/060413a.html
11 *
12 * The Camellia Code included herein is developed by
13 * NTT (Nippon Telegraph and Telephone Corporation), and is contributed
14 * to the OpenSSL project.
15 *
16 * The Camellia Code is licensed pursuant to the OpenSSL open source
17 * license provided below.
18 */
19/* ====================================================================
20 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 *
26 * 1. Redistributions of source code must retain the above copyright
27 * notice, this list of conditions and the following disclaimer.
28 *
29 * 2. Redistributions in binary form must reproduce the above copyright
30 * notice, this list of conditions and the following disclaimer in
31 * the documentation and/or other materials provided with the
32 * distribution.
33 *
34 * 3. All advertising materials mentioning features or use of this
35 * software must display the following acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
38 *
39 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
40 * endorse or promote products derived from this software without
41 * prior written permission. For written permission, please contact
42 * openssl-core@openssl.org.
43 *
44 * 5. Products derived from this software may not be called "OpenSSL"
45 * nor may "OpenSSL" appear in their names without prior written
46 * permission of the OpenSSL Project.
47 *
48 * 6. Redistributions of any form whatsoever must retain the following
49 * acknowledgment:
50 * "This product includes software developed by the OpenSSL Project
51 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
54 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
56 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
57 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
58 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
59 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
60 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
61 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
62 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
63 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
64 * OF THE POSSIBILITY OF SUCH DAMAGE.
65 * ====================================================================
66 */
67
68/*
69 * Algorithm Specification
70 * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
71 */
72
73/*
74 * This release balances code size and performance. In particular key
75 * schedule setup is fully unrolled, because doing so *significantly*
76 * reduces amount of instructions per setup round and code increase is
77 * justifiable. In block functions on the other hand only inner loops
78 * are unrolled, as full unroll gives only nominal performance boost,
79 * while code size grows 4 or 7 times. Also, unlike previous versions
80 * this one "encourages" compiler to keep intermediate variables in
81 * registers, which should give better "all round" results, in other
82 * words reasonable performance even with not so modern compilers.
83 */
84
85#include <stdlib.h>
86#include <string.h>
87#include <openssl/camellia.h>
88#include <openssl/opensslconf.h>
89
90#include "cmll_locl.h"
91
92/* 32-bit rotations */
93#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
94# if defined(__GNUC__) && __GNUC__>=2
95# if defined(__i386) || defined(__x86_64)
96# define RightRotate(x,s) ({u32 ret; asm ("rorl %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; })
97# define LeftRotate(x,s) ({u32 ret; asm ("roll %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; })
98# define GETU32(p) ({u32 r=*(const u32 *)(p); asm("bswapl %0":"=r"(r):"0"(r)); r; })
99# define PUTU32(p,v) ({u32 r=(v); asm("bswapl %0":"=r"(r):"0"(r)); *(u32 *)(p)=r; })
100# elif defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \
101 defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__)
102# define LeftRotate(x,s) ({u32 ret; asm ("rlwinm %0,%1,%2,0,31":"=r"(ret):"r"(x),"I"(s)); ret; })
103# define RightRotate(x,s) LeftRotate(x,(32-s))
104# elif defined(__s390x__)
105# define LeftRotate(x,s) ({u32 ret; asm ("rll %0,%1,%2":"=r"(ret):"r"(x),"I"(s)); ret; })
106# define RightRotate(x,s) LeftRotate(x,(32-s))
107# define GETU32(p) (*(u32 *)(p))
108# define PUTU32(p,v) (*(u32 *)(p)=(v))
109# endif
110# endif
111#endif
112
113#if !defined(RightRotate) && !defined(LeftRotate)
114# define RightRotate(x, s) ( ((x) >> (s)) + ((x) << (32 - s)) )
115# define LeftRotate(x, s) ( ((x) << (s)) + ((x) >> (32 - s)) )
116#endif
117
118#if !defined(GETU32) && !defined(PUTU32)
119# define GETU32(p) (((u32)(p)[0] << 24) ^ ((u32)(p)[1] << 16) ^ ((u32)(p)[2] << 8) ^ ((u32)(p)[3]))
120# define PUTU32(p,v) ((p)[0] = (u8)((v) >> 24), (p)[1] = (u8)((v) >> 16), (p)[2] = (u8)((v) >> 8), (p)[3] = (u8)(v))
121#endif
122
123/* S-box data */
124#define SBOX1_1110 Camellia_SBOX[0]
125#define SBOX4_4404 Camellia_SBOX[1]
126#define SBOX2_0222 Camellia_SBOX[2]
127#define SBOX3_3033 Camellia_SBOX[3]
128static const u32 Camellia_SBOX[][256] = {
129{ 0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00, 0xb3b3b300, 0x27272700,
130 0xc0c0c000, 0xe5e5e500, 0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
131 0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100, 0x23232300, 0xefefef00,
132 0x6b6b6b00, 0x93939300, 0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
133 0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00, 0x1d1d1d00, 0x65656500,
134 0x92929200, 0xbdbdbd00, 0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
135 0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00, 0x3e3e3e00, 0x30303000,
136 0xdcdcdc00, 0x5f5f5f00, 0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
137 0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00, 0xd5d5d500, 0x47474700,
138 0x5d5d5d00, 0x3d3d3d00, 0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
139 0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00, 0x8b8b8b00, 0x0d0d0d00,
140 0x9a9a9a00, 0x66666600, 0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
141 0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000, 0xf0f0f000, 0xb1b1b100,
142 0x84848400, 0x99999900, 0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
143 0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500, 0x6d6d6d00, 0xb7b7b700,
144 0xa9a9a900, 0x31313100, 0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
145 0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100, 0xdedede00, 0x1b1b1b00,
146 0x11111100, 0x1c1c1c00, 0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
147 0x53535300, 0x18181800, 0xf2f2f200, 0x22222200, 0xfefefe00, 0x44444400,
148 0xcfcfcf00, 0xb2b2b200, 0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
149 0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800, 0x60606000, 0xfcfcfc00,
150 0x69696900, 0x50505000, 0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
151 0xa1a1a100, 0x89898900, 0x62626200, 0x97979700, 0x54545400, 0x5b5b5b00,
152 0x1e1e1e00, 0x95959500, 0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
153 0x10101000, 0xc4c4c400, 0x00000000, 0x48484800, 0xa3a3a300, 0xf7f7f700,
154 0x75757500, 0xdbdbdb00, 0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
155 0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400, 0x87878700, 0x5c5c5c00,
156 0x83838300, 0x02020200, 0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
157 0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300, 0x9d9d9d00, 0x7f7f7f00,
158 0xbfbfbf00, 0xe2e2e200, 0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
159 0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00, 0x81818100, 0x96969600,
160 0x6f6f6f00, 0x4b4b4b00, 0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
161 0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00, 0x9f9f9f00, 0x6e6e6e00,
162 0xbcbcbc00, 0x8e8e8e00, 0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
163 0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900, 0x78787800, 0x98989800,
164 0x06060600, 0x6a6a6a00, 0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
165 0xd4d4d400, 0x25252500, 0xababab00, 0x42424200, 0x88888800, 0xa2a2a200,
166 0x8d8d8d00, 0xfafafa00, 0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
167 0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00, 0x36363600, 0x49494900,
168 0x2a2a2a00, 0x68686800, 0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
169 0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00, 0xbbbbbb00, 0xc9c9c900,
170 0x43434300, 0xc1c1c100, 0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
171 0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00 },
172{ 0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0, 0xe4e400e4, 0x57570057,
173 0xeaea00ea, 0xaeae00ae, 0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
174 0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092, 0x86860086, 0xafaf00af,
175 0x7c7c007c, 0x1f1f001f, 0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
176 0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d, 0xd9d900d9, 0x5a5a005a,
177 0x51510051, 0x6c6c006c, 0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
178 0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084, 0xdfdf00df, 0xcbcb00cb,
179 0x34340034, 0x76760076, 0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
180 0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011, 0x32320032, 0x9c9c009c,
181 0x53530053, 0xf2f200f2, 0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
182 0x24240024, 0xe8e800e8, 0x60600060, 0x69690069, 0xaaaa00aa, 0xa0a000a0,
183 0xa1a100a1, 0x62620062, 0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
184 0x10100010, 0x00000000, 0xa3a300a3, 0x75750075, 0x8a8a008a, 0xe6e600e6,
185 0x09090009, 0xdddd00dd, 0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
186 0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf, 0x52520052, 0xd8d800d8,
187 0xc8c800c8, 0xc6c600c6, 0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
188 0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc, 0x29290029, 0xf9f900f9,
189 0x2f2f002f, 0xb4b400b4, 0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
190 0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d, 0x72720072, 0xb9b900b9,
191 0xf8f800f8, 0xacac00ac, 0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
192 0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043, 0x15150015, 0xadad00ad,
193 0x77770077, 0x80800080, 0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
194 0x85850085, 0x35350035, 0x0c0c000c, 0x41410041, 0xefef00ef, 0x93930093,
195 0x19190019, 0x21210021, 0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
196 0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce, 0x30300030, 0x5f5f005f,
197 0xc5c500c5, 0x1a1a001a, 0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
198 0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d, 0x0d0d000d, 0x66660066,
199 0xcccc00cc, 0x2d2d002d, 0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
200 0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005, 0xb7b700b7, 0x31310031,
201 0x17170017, 0xd7d700d7, 0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
202 0x0f0f000f, 0x16160016, 0x18180018, 0x22220022, 0x44440044, 0xb2b200b2,
203 0xb5b500b5, 0x91910091, 0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
204 0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097, 0x5b5b005b, 0x95950095,
205 0xffff00ff, 0xd2d200d2, 0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
206 0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094, 0x5c5c005c, 0x02020002,
207 0x4a4a004a, 0x33330033, 0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
208 0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b, 0x96960096, 0x4b4b004b,
209 0xbebe00be, 0x2e2e002e, 0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
210 0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059, 0x98980098, 0x6a6a006a,
211 0x46460046, 0xbaba00ba, 0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
212 0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a, 0x49490049, 0x68680068,
213 0x38380038, 0xa4a400a4, 0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
214 0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e },
215{ 0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9, 0x00676767, 0x004e4e4e,
216 0x00818181, 0x00cbcbcb, 0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
217 0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282, 0x00464646, 0x00dfdfdf,
218 0x00d6d6d6, 0x00272727, 0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
219 0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c, 0x003a3a3a, 0x00cacaca,
220 0x00252525, 0x007b7b7b, 0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
221 0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d, 0x007c7c7c, 0x00606060,
222 0x00b9b9b9, 0x00bebebe, 0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
223 0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595, 0x00ababab, 0x008e8e8e,
224 0x00bababa, 0x007a7a7a, 0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
225 0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a, 0x00171717, 0x001a1a1a,
226 0x00353535, 0x00cccccc, 0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
227 0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040, 0x00e1e1e1, 0x00636363,
228 0x00090909, 0x00333333, 0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
229 0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a, 0x00dadada, 0x006f6f6f,
230 0x00535353, 0x00626262, 0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
231 0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2, 0x00bdbdbd, 0x00363636,
232 0x00222222, 0x00383838, 0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
233 0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444, 0x00fdfdfd, 0x00888888,
234 0x009f9f9f, 0x00656565, 0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
235 0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151, 0x00c0c0c0, 0x00f9f9f9,
236 0x00d2d2d2, 0x00a0a0a0, 0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
237 0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f, 0x00a8a8a8, 0x00b6b6b6,
238 0x003c3c3c, 0x002b2b2b, 0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
239 0x00202020, 0x00898989, 0x00000000, 0x00909090, 0x00474747, 0x00efefef,
240 0x00eaeaea, 0x00b7b7b7, 0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
241 0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929, 0x000f0f0f, 0x00b8b8b8,
242 0x00070707, 0x00040404, 0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
243 0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7, 0x003b3b3b, 0x00fefefe,
244 0x007f7f7f, 0x00c5c5c5, 0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
245 0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676, 0x00030303, 0x002d2d2d,
246 0x00dedede, 0x00969696, 0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
247 0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919, 0x003f3f3f, 0x00dcdcdc,
248 0x00797979, 0x001d1d1d, 0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
249 0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2, 0x00f0f0f0, 0x00313131,
250 0x000c0c0c, 0x00d4d4d4, 0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
251 0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484, 0x00111111, 0x00454545,
252 0x001b1b1b, 0x00f5f5f5, 0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
253 0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414, 0x006c6c6c, 0x00929292,
254 0x00545454, 0x00d0d0d0, 0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
255 0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6, 0x00777777, 0x00939393,
256 0x00868686, 0x00838383, 0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
257 0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d },
258{ 0x38003838, 0x41004141, 0x16001616, 0x76007676, 0xd900d9d9, 0x93009393,
259 0x60006060, 0xf200f2f2, 0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
260 0x75007575, 0x06000606, 0x57005757, 0xa000a0a0, 0x91009191, 0xf700f7f7,
261 0xb500b5b5, 0xc900c9c9, 0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
262 0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727, 0x8e008e8e, 0xb200b2b2,
263 0x49004949, 0xde00dede, 0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
264 0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767, 0x1f001f1f, 0x18001818,
265 0x6e006e6e, 0xaf00afaf, 0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
266 0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565, 0xea00eaea, 0xa300a3a3,
267 0xae00aeae, 0x9e009e9e, 0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
268 0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6, 0xc500c5c5, 0x86008686,
269 0x4d004d4d, 0x33003333, 0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
270 0x3a003a3a, 0x09000909, 0x95009595, 0x10001010, 0x78007878, 0xd800d8d8,
271 0x42004242, 0xcc00cccc, 0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
272 0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282, 0xb600b6b6, 0xdb00dbdb,
273 0xd400d4d4, 0x98009898, 0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
274 0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0, 0x6f006f6f, 0x8d008d8d,
275 0x88008888, 0x0e000e0e, 0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
276 0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111, 0x7f007f7f, 0x22002222,
277 0xe700e7e7, 0x59005959, 0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
278 0x12001212, 0x04000404, 0x74007474, 0x54005454, 0x30003030, 0x7e007e7e,
279 0xb400b4b4, 0x28002828, 0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
280 0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb, 0x2a002a2a, 0xad00adad,
281 0x0f000f0f, 0xca00caca, 0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
282 0x08000808, 0x62006262, 0x00000000, 0x24002424, 0xd100d1d1, 0xfb00fbfb,
283 0xba00baba, 0xed00eded, 0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
284 0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a, 0xc300c3c3, 0x2e002e2e,
285 0xc100c1c1, 0x01000101, 0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
286 0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9, 0xce00cece, 0xbf00bfbf,
287 0xdf00dfdf, 0x71007171, 0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
288 0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d, 0xc000c0c0, 0x4b004b4b,
289 0xb700b7b7, 0xa500a5a5, 0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
290 0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646, 0xcf00cfcf, 0x37003737,
291 0x5e005e5e, 0x47004747, 0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
292 0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac, 0x3c003c3c, 0x4c004c4c,
293 0x03000303, 0x35003535, 0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
294 0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121, 0x44004444, 0x51005151,
295 0xc600c6c6, 0x7d007d7d, 0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
296 0x7c007c7c, 0x77007777, 0x56005656, 0x05000505, 0x1b001b1b, 0xa400a4a4,
297 0x15001515, 0x34003434, 0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
298 0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd, 0xdd00dddd, 0xe400e4e4,
299 0xa100a1a1, 0xe000e0e0, 0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
300 0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f }
301};
302
303/* Key generation constants */
304static const u32 SIGMA[] = {
305 0xa09e667f, 0x3bcc908b, 0xb67ae858, 0x4caa73b2, 0xc6ef372f, 0xe94f82be,
306 0x54ff53a5, 0xf1d36f1c, 0x10e527fa, 0xde682d1d, 0xb05688c2, 0xb3e6c1fd
307};
308
309/* The phi algorithm given in C.2.7 of the Camellia spec document. */
310/*
311 * This version does not attempt to minimize amount of temporary
312 * variables, but instead explicitly exposes algorithm's parallelism.
313 * It is therefore most appropriate for platforms with not less than
314 * ~16 registers. For platforms with fewer registers [well, x86 to be
315 * specific] assembler version should be/is provided anyway...
316 */
317#define Camellia_Feistel(_s0,_s1,_s2,_s3,_key) \
318do { \
319 u32 _t0, _t1, _t2, _t3; \
320 _t0 = _s0 ^ (_key)[0]; \
321 _t3 = SBOX4_4404[_t0 & 0xff]; \
322 _t1 = _s1 ^ (_key)[1]; \
323 _t3 ^= SBOX3_3033[(_t0 >> 8) & 0xff]; \
324 _t2 = SBOX1_1110[_t1 & 0xff]; \
325 _t3 ^= SBOX2_0222[(_t0 >> 16) & 0xff]; \
326 _t2 ^= SBOX4_4404[(_t1 >> 8) & 0xff]; \
327 _t3 ^= SBOX1_1110[(_t0 >> 24)]; \
328 _t2 ^= _t3; \
329 _t3 = RightRotate(_t3, 8); \
330 _t2 ^= SBOX3_3033[(_t1 >> 16) & 0xff]; \
331 _s3 ^= _t3; \
332 _t2 ^= SBOX2_0222[(_t1 >> 24)]; \
333 _s2 ^= _t2; \
334 _s3 ^= _t2; \
335} while(0)
336
337/*
338 * Note that n has to be less than 32. Rotations for larger amount
339 * of bits are achieved by "rotating" order of s-elements and
340 * adjusting n accordingly, e.g. RotLeft128(s1, s2, s3, s0, n - 32).
341 */
342#define RotLeft128(_s0, _s1, _s2, _s3, _n) \
343do { \
344 u32 _t0 = _s0 >> (32 - _n); \
345 _s0 = (_s0 << _n) | (_s1 >> (32 - _n)); \
346 _s1 = (_s1 << _n) | (_s2 >> (32 - _n)); \
347 _s2 = (_s2 << _n) | (_s3 >> (32 - _n)); \
348 _s3 = (_s3 << _n) | _t0; \
349} while (0)
350
351int
352Camellia_Ekeygen(int keyBitLength, const u8 *rawKey, KEY_TABLE_TYPE k)
353{
354 u32 s0, s1, s2, s3;
355
356 k[0] = s0 = GETU32(rawKey);
357 k[1] = s1 = GETU32(rawKey + 4);
358 k[2] = s2 = GETU32(rawKey + 8);
359 k[3] = s3 = GETU32(rawKey + 12);
360
361 if (keyBitLength != 128) {
362 k[8] = s0 = GETU32(rawKey + 16);
363 k[9] = s1 = GETU32(rawKey + 20);
364 if (keyBitLength == 192) {
365 k[10] = s2 = ~s0;
366 k[11] = s3 = ~s1;
367 } else {
368 k[10] = s2 = GETU32(rawKey + 24);
369 k[11] = s3 = GETU32(rawKey + 28);
370 }
371 s0 ^= k[0], s1 ^= k[1], s2 ^= k[2], s3 ^= k[3];
372 }
373
374 /* Use the Feistel routine to scramble the key material */
375 Camellia_Feistel(s0, s1, s2, s3, SIGMA + 0);
376 Camellia_Feistel(s2, s3, s0, s1, SIGMA + 2);
377
378 s0 ^= k[0], s1 ^= k[1], s2 ^= k[2], s3 ^= k[3];
379 Camellia_Feistel(s0, s1, s2, s3, SIGMA + 4);
380 Camellia_Feistel(s2, s3, s0, s1, SIGMA + 6);
381
382 /* Fill the keyTable. Requires many block rotations. */
383 if (keyBitLength == 128) {
384 k[ 4] = s0, k[ 5] = s1, k[ 6] = s2, k[ 7] = s3;
385 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 15 */
386 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
387 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 30 */
388 k[16] = s0, k[17] = s1, k[18] = s2, k[19] = s3;
389 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 45 */
390 k[24] = s0, k[25] = s1;
391 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 60 */
392 k[28] = s0, k[29] = s1, k[30] = s2, k[31] = s3;
393 RotLeft128(s1, s2, s3, s0, 2); /* KA <<< 94 */
394 k[40] = s1, k[41] = s2, k[42] = s3, k[43] = s0;
395 RotLeft128(s1, s2, s3, s0, 17); /* KA <<<111 */
396 k[48] = s1, k[49] = s2, k[50] = s3, k[51] = s0;
397
398 s0 = k[ 0], s1 = k[ 1], s2 = k[ 2], s3 = k[ 3];
399 RotLeft128(s0, s1, s2, s3, 15); /* KL <<< 15 */
400 k[ 8] = s0, k[ 9] = s1, k[10] = s2, k[11] = s3;
401 RotLeft128(s0, s1, s2, s3, 30); /* KL <<< 45 */
402 k[20] = s0, k[21] = s1, k[22] = s2, k[23] = s3;
403 RotLeft128(s0, s1, s2, s3, 15); /* KL <<< 60 */
404 k[26] = s2, k[27] = s3;
405 RotLeft128(s0, s1, s2, s3, 17); /* KL <<< 77 */
406 k[32] = s0, k[33] = s1, k[34] = s2, k[35] = s3;
407 RotLeft128(s0, s1, s2, s3, 17); /* KL <<< 94 */
408 k[36] = s0, k[37] = s1, k[38] = s2, k[39] = s3;
409 RotLeft128(s0, s1, s2, s3, 17); /* KL <<<111 */
410 k[44] = s0, k[45] = s1, k[46] = s2, k[47] = s3;
411
412 return 3; /* grand rounds */
413 } else {
414 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
415 s0 ^= k[8], s1 ^= k[9], s2 ^=k[10], s3 ^=k[11];
416 Camellia_Feistel(s0, s1, s2, s3, (SIGMA + 8));
417 Camellia_Feistel(s2, s3, s0, s1, (SIGMA + 10));
418
419 k[ 4] = s0, k[ 5] = s1, k[ 6] = s2, k[ 7] = s3;
420 RotLeft128(s0, s1, s2, s3, 30); /* KB <<< 30 */
421 k[20] = s0, k[21] = s1, k[22] = s2, k[23] = s3;
422 RotLeft128(s0, s1, s2, s3, 30); /* KB <<< 60 */
423 k[40] = s0, k[41] = s1, k[42] = s2, k[43] = s3;
424 RotLeft128(s1, s2, s3, s0, 19); /* KB <<<111 */
425 k[64] = s1, k[65] = s2, k[66] = s3, k[67] = s0;
426
427 s0 = k[ 8], s1 = k[ 9], s2 = k[10], s3 = k[11];
428 RotLeft128(s0, s1, s2, s3, 15); /* KR <<< 15 */
429 k[ 8] = s0, k[ 9] = s1, k[10] = s2, k[11] = s3;
430 RotLeft128(s0, s1, s2, s3, 15); /* KR <<< 30 */
431 k[16] = s0, k[17] = s1, k[18] = s2, k[19] = s3;
432 RotLeft128(s0, s1, s2, s3, 30); /* KR <<< 60 */
433 k[36] = s0, k[37] = s1, k[38] = s2, k[39] = s3;
434 RotLeft128(s1, s2, s3, s0, 2); /* KR <<< 94 */
435 k[52] = s1, k[53] = s2, k[54] = s3, k[55] = s0;
436
437 s0 = k[12], s1 = k[13], s2 = k[14], s3 = k[15];
438 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 15 */
439 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
440 RotLeft128(s0, s1, s2, s3, 30); /* KA <<< 45 */
441 k[28] = s0, k[29] = s1, k[30] = s2, k[31] = s3;
442 /* KA <<< 77 */
443 k[48] = s1, k[49] = s2, k[50] = s3, k[51] = s0;
444 RotLeft128(s1, s2, s3, s0, 17); /* KA <<< 94 */
445 k[56] = s1, k[57] = s2, k[58] = s3, k[59] = s0;
446
447 s0 = k[ 0], s1 = k[ 1], s2 = k[ 2], s3 = k[ 3];
448 RotLeft128(s1, s2, s3, s0, 13); /* KL <<< 45 */
449 k[24] = s1, k[25] = s2, k[26] = s3, k[27] = s0;
450 RotLeft128(s1, s2, s3, s0, 15); /* KL <<< 60 */
451 k[32] = s1, k[33] = s2, k[34] = s3, k[35] = s0;
452 RotLeft128(s1, s2, s3, s0, 17); /* KL <<< 77 */
453 k[44] = s1, k[45] = s2, k[46] = s3, k[47] = s0;
454 RotLeft128(s2, s3, s0, s1, 2); /* KL <<<111 */
455 k[60] = s2, k[61] = s3, k[62] = s0, k[63] = s1;
456
457 return 4; /* grand rounds */
458 }
459 /*
460 * It is possible to perform certain precalculations, which
461 * would spare few cycles in block procedure. It's not done,
462 * because it upsets the performance balance between key
463 * setup and block procedures, negatively affecting overall
464 * throughput in applications operating on short messages
465 * and volatile keys.
466 */
467}
468
469void
470Camellia_EncryptBlock_Rounds(int grandRounds, const u8 plaintext[],
471 const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
472{
473 u32 s0, s1, s2, s3;
474 const u32 *k = keyTable, *kend = keyTable + grandRounds * 16;
475
476 s0 = GETU32(plaintext) ^ k[0];
477 s1 = GETU32(plaintext + 4) ^ k[1];
478 s2 = GETU32(plaintext + 8) ^ k[2];
479 s3 = GETU32(plaintext + 12) ^ k[3];
480 k += 4;
481
482 while (1) {
483 /* Camellia makes 6 Feistel rounds */
484 Camellia_Feistel(s0, s1, s2, s3, k + 0);
485 Camellia_Feistel(s2, s3, s0, s1, k + 2);
486 Camellia_Feistel(s0, s1, s2, s3, k + 4);
487 Camellia_Feistel(s2, s3, s0, s1, k + 6);
488 Camellia_Feistel(s0, s1, s2, s3, k + 8);
489 Camellia_Feistel(s2, s3, s0, s1, k + 10);
490 k += 12;
491
492 if (k == kend)
493 break;
494
495 /* This is the same function as the diffusion function D
496 * of the accompanying documentation. See section 3.2
497 * for properties of the FLlayer function. */
498 s1 ^= LeftRotate(s0 & k[0], 1);
499 s2 ^= s3 | k[3];
500 s0 ^= s1 | k[1];
501 s3 ^= LeftRotate(s2 & k[2], 1);
502 k += 4;
503 }
504
505 s2 ^= k[0], s3 ^= k[1], s0 ^= k[2], s1 ^= k[3];
506
507 PUTU32(ciphertext, s2);
508 PUTU32(ciphertext + 4, s3);
509 PUTU32(ciphertext + 8, s0);
510 PUTU32(ciphertext + 12, s1);
511}
512
513void
514Camellia_EncryptBlock(int keyBitLength, const u8 plaintext[],
515 const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
516{
517 Camellia_EncryptBlock_Rounds(keyBitLength == 128 ? 3 : 4,
518 plaintext, keyTable, ciphertext);
519}
520
521void
522Camellia_DecryptBlock_Rounds(int grandRounds, const u8 ciphertext[],
523 const KEY_TABLE_TYPE keyTable, u8 plaintext[])
524{
525 u32 s0, s1, s2, s3;
526 const u32 *k = keyTable+grandRounds * 16, *kend = keyTable+4;
527
528 s0 = GETU32(ciphertext) ^ k[0];
529 s1 = GETU32(ciphertext+4) ^ k[1];
530 s2 = GETU32(ciphertext+8) ^ k[2];
531 s3 = GETU32(ciphertext+12) ^ k[3];
532
533 while (1) {
534 /* Camellia makes 6 Feistel rounds */
535 k -= 12;
536 Camellia_Feistel(s0, s1, s2, s3, k+10);
537 Camellia_Feistel(s2, s3, s0, s1, k+8);
538 Camellia_Feistel(s0, s1, s2, s3, k+6);
539 Camellia_Feistel(s2, s3, s0, s1, k+4);
540 Camellia_Feistel(s0, s1, s2, s3, k+2);
541 Camellia_Feistel(s2, s3, s0, s1, k+0);
542
543 if (k == kend)
544 break;
545
546 /* This is the same function as the diffusion function D
547 * of the accompanying documentation. See section 3.2
548 * for properties of the FLlayer function. */
549 k -= 4;
550 s1 ^= LeftRotate(s0 & k[2], 1);
551 s2 ^= s3 | k[1];
552 s0 ^= s1 | k[3];
553 s3 ^= LeftRotate(s2 & k[0], 1);
554 }
555
556 k -= 4;
557 s2 ^= k[0], s3 ^= k[1], s0 ^= k[2], s1 ^= k[3];
558
559 PUTU32(plaintext, s2);
560 PUTU32(plaintext+4, s3);
561 PUTU32(plaintext+8, s0);
562 PUTU32(plaintext+12, s1);
563}
564
565void
566Camellia_DecryptBlock(int keyBitLength, const u8 plaintext[],
567 const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
568{
569 Camellia_DecryptBlock_Rounds(keyBitLength == 128 ? 3 : 4,
570 plaintext, keyTable, ciphertext);
571}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-07 22:26:08 +0000