summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/camellia
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/camellia')
-rw-r--r--src/lib/libcrypto/camellia/asm/cmll-x86.pl1138
-rw-r--r--src/lib/libcrypto/camellia/asm/cmll-x86_64.pl867
-rw-r--r--src/lib/libcrypto/camellia/camellia.c571
-rw-r--r--src/lib/libcrypto/camellia/camellia.h125
-rw-r--r--src/lib/libcrypto/camellia/cmll_cbc.c65
-rw-r--r--src/lib/libcrypto/camellia/cmll_cfb.c144
-rw-r--r--src/lib/libcrypto/camellia/cmll_ctr.c63
-rw-r--r--src/lib/libcrypto/camellia/cmll_ecb.c63
-rw-r--r--src/lib/libcrypto/camellia/cmll_locl.h85
-rw-r--r--src/lib/libcrypto/camellia/cmll_misc.c81
-rw-r--r--src/lib/libcrypto/camellia/cmll_ofb.c122
11 files changed, 0 insertions, 3324 deletions
diff --git a/src/lib/libcrypto/camellia/asm/cmll-x86.pl b/src/lib/libcrypto/camellia/asm/cmll-x86.pl
deleted file mode 100644
index 027302ac86..0000000000
--- a/src/lib/libcrypto/camellia/asm/cmll-x86.pl
+++ /dev/null
@@ -1,1138 +0,0 @@
1#!/usr/bin/env perl
2
3# ====================================================================
4# Copyright (c) 2008 Andy Polyakov <appro@openssl.org>
5#
6# This module may be used under the terms of either the GNU General
7# Public License version 2 or later, the GNU Lesser General Public
8# License version 2.1 or later, the Mozilla Public License version
9# 1.1 or the BSD License. The exact terms of either license are
10# distributed along with this module. For further details see
11# http://www.openssl.org/~appro/camellia/.
12# ====================================================================
13
14# Performance in cycles per processed byte (less is better) in
15# 'openssl speed ...' benchmark:
16#
17# AMD K8 Core2 PIII P4
18# -evp camellia-128-ecb 21.5 22.8 27.0 28.9
19# + over gcc 3.4.6 +90/11% +70/10% +53/4% +160/64%
20# + over icc 8.0 +48/19% +21/15% +21/17% +55/37%
21#
22# camellia-128-cbc 17.3 21.1 23.9 25.9
23#
24# 128-bit key setup 196 280 256 240 cycles/key
25# + over gcc 3.4.6 +30/0% +17/11% +11/0% +63/40%
26# + over icc 8.0 +18/3% +10/0% +10/3% +21/10%
27#
28# Pairs of numbers in "+" rows represent performance improvement over
29# compiler generated position-independent code, PIC, and non-PIC
30# respectively. PIC results are of greater relevance, as this module
31# is position-independent, i.e. suitable for a shared library or PIE.
32# Position independence "costs" one register, which is why compilers
33# are so close with non-PIC results, they have an extra register to
34# spare. CBC results are better than ECB ones thanks to "zero-copy"
35# private _x86_* interface, and are ~30-40% better than with compiler
36# generated cmll_cbc.o, and reach ~80-90% of x86_64 performance on
37# same CPU (where applicable).
38
39$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
40push(@INC,"${dir}","${dir}../../perlasm");
41require "x86asm.pl";
42
43$OPENSSL=1;
44
45&asm_init($ARGV[0],"cmll-586.pl",$ARGV[$#ARGV] eq "386");
46
47@T=("eax","ebx","ecx","edx");
48$idx="esi";
49$key="edi";
50$Tbl="ebp";
51
52# stack frame layout in _x86_Camellia_* routines, frame is allocated
53# by caller
54$__ra=&DWP(0,"esp"); # return address
55$__s0=&DWP(4,"esp"); # s0 backing store
56$__s1=&DWP(8,"esp"); # s1 backing store
57$__s2=&DWP(12,"esp"); # s2 backing store
58$__s3=&DWP(16,"esp"); # s3 backing store
59$__end=&DWP(20,"esp"); # pointer to end/start of key schedule
60
61# stack frame layout in Camellia_[en|crypt] routines, which differs from
62# above by 4 and overlaps by pointer to end/start of key schedule
63$_end=&DWP(16,"esp");
64$_esp=&DWP(20,"esp");
65
66# const unsigned int Camellia_SBOX[4][256];
67# Well, sort of... Camellia_SBOX[0][] is interleaved with [1][],
68# and [2][] - with [3][]. This is done to optimize code size.
69$SBOX1_1110=0; # Camellia_SBOX[0]
70$SBOX4_4404=4; # Camellia_SBOX[1]
71$SBOX2_0222=2048; # Camellia_SBOX[2]
72$SBOX3_3033=2052; # Camellia_SBOX[3]
73&static_label("Camellia_SIGMA");
74&static_label("Camellia_SBOX");
75
76sub Camellia_Feistel {
77my $i=@_[0];
78my $seed=defined(@_[1])?@_[1]:0;
79my $scale=$seed<0?-8:8;
80my $frame=defined(@_[2])?@_[2]:0;
81my $j=($i&1)*2;
82my $t0=@T[($j)%4],$t1=@T[($j+1)%4],$t2=@T[($j+2)%4],$t3=@T[($j+3)%4];
83
84 &xor ($t0,$idx); # t0^=key[0]
85 &xor ($t1,&DWP($seed+$i*$scale+4,$key)); # t1^=key[1]
86 &movz ($idx,&HB($t0)); # (t0>>8)&0xff
87 &mov ($t3,&DWP($SBOX3_3033,$Tbl,$idx,8)); # t3=SBOX3_3033[0]
88 &movz ($idx,&LB($t0)); # (t0>>0)&0xff
89 &xor ($t3,&DWP($SBOX4_4404,$Tbl,$idx,8)); # t3^=SBOX4_4404[0]
90 &shr ($t0,16);
91 &movz ($idx,&LB($t1)); # (t1>>0)&0xff
92 &mov ($t2,&DWP($SBOX1_1110,$Tbl,$idx,8)); # t2=SBOX1_1110[1]
93 &movz ($idx,&HB($t0)); # (t0>>24)&0xff
94 &xor ($t3,&DWP($SBOX1_1110,$Tbl,$idx,8)); # t3^=SBOX1_1110[0]
95 &movz ($idx,&HB($t1)); # (t1>>8)&0xff
96 &xor ($t2,&DWP($SBOX4_4404,$Tbl,$idx,8)); # t2^=SBOX4_4404[1]
97 &shr ($t1,16);
98 &movz ($t0,&LB($t0)); # (t0>>16)&0xff
99 &xor ($t3,&DWP($SBOX2_0222,$Tbl,$t0,8)); # t3^=SBOX2_0222[0]
100 &movz ($idx,&HB($t1)); # (t1>>24)&0xff
101 &mov ($t0,&DWP($frame+4*(($j+3)%4),"esp")); # prefetch "s3"
102 &xor ($t2,$t3); # t2^=t3
103 &rotr ($t3,8); # t3=RightRotate(t3,8)
104 &xor ($t2,&DWP($SBOX2_0222,$Tbl,$idx,8)); # t2^=SBOX2_0222[1]
105 &movz ($idx,&LB($t1)); # (t1>>16)&0xff
106 &mov ($t1,&DWP($frame+4*(($j+2)%4),"esp")); # prefetch "s2"
107 &xor ($t3,$t0); # t3^=s3
108 &xor ($t2,&DWP($SBOX3_3033,$Tbl,$idx,8)); # t2^=SBOX3_3033[1]
109 &mov ($idx,&DWP($seed+($i+1)*$scale,$key)); # prefetch key[i+1]
110 &xor ($t3,$t2); # t3^=t2
111 &mov (&DWP($frame+4*(($j+3)%4),"esp"),$t3); # s3=t3
112 &xor ($t2,$t1); # t2^=s2
113 &mov (&DWP($frame+4*(($j+2)%4),"esp"),$t2); # s2=t2
114}
115
116# void Camellia_EncryptBlock_Rounds(
117# int grandRounds,
118# const Byte plaintext[],
119# const KEY_TABLE_TYPE keyTable,
120# Byte ciphertext[])
121&function_begin("Camellia_EncryptBlock_Rounds");
122 &mov ("eax",&wparam(0)); # load grandRounds
123 &mov ($idx,&wparam(1)); # load plaintext pointer
124 &mov ($key,&wparam(2)); # load key schedule pointer
125
126 &mov ("ebx","esp");
127 &sub ("esp",7*4); # place for s[0-3],keyEnd,esp and ra
128 &and ("esp",-64);
129
130 # place stack frame just "above mod 1024" the key schedule
131 # this ensures that cache associativity of 2 suffices
132 &lea ("ecx",&DWP(-64-63,$key));
133 &sub ("ecx","esp");
134 &neg ("ecx");
135 &and ("ecx",0x3C0); # modulo 1024, but aligned to cache-line
136 &sub ("esp","ecx");
137 &add ("esp",4); # 4 is reserved for callee's return address
138
139 &shl ("eax",6);
140 &lea ("eax",&DWP(0,$key,"eax"));
141 &mov ($_esp,"ebx"); # save %esp
142 &mov ($_end,"eax"); # save keyEnd
143
144 &call (&label("pic_point"));
145 &set_label("pic_point");
146 &blindpop($Tbl);
147 &lea ($Tbl,&DWP(&label("Camellia_SBOX")."-".&label("pic_point"),$Tbl));
148
149 &mov (@T[0],&DWP(0,$idx)); # load plaintext
150 &mov (@T[1],&DWP(4,$idx));
151 &mov (@T[2],&DWP(8,$idx));
152 &bswap (@T[0]);
153 &mov (@T[3],&DWP(12,$idx));
154 &bswap (@T[1]);
155 &bswap (@T[2]);
156 &bswap (@T[3]);
157
158 &call ("_x86_Camellia_encrypt");
159
160 &mov ("esp",$_esp);
161 &bswap (@T[0]);
162 &mov ($idx,&wparam(3)); # load ciphertext pointer
163 &bswap (@T[1]);
164 &bswap (@T[2]);
165 &bswap (@T[3]);
166 &mov (&DWP(0,$idx),@T[0]); # write ciphertext
167 &mov (&DWP(4,$idx),@T[1]);
168 &mov (&DWP(8,$idx),@T[2]);
169 &mov (&DWP(12,$idx),@T[3]);
170&function_end("Camellia_EncryptBlock_Rounds");
171# V1.x API
172&function_begin_B("Camellia_EncryptBlock");
173 &mov ("eax",128);
174 &sub ("eax",&wparam(0)); # load keyBitLength
175 &mov ("eax",3);
176 &adc ("eax",0); # keyBitLength==128?3:4
177 &mov (&wparam(0),"eax");
178 &jmp (&label("Camellia_EncryptBlock_Rounds"));
179&function_end_B("Camellia_EncryptBlock");
180
181if ($OPENSSL) {
182# void Camellia_encrypt(
183# const unsigned char *in,
184# unsigned char *out,
185# const CAMELLIA_KEY *key)
186&function_begin("Camellia_encrypt");
187 &mov ($idx,&wparam(0)); # load plaintext pointer
188 &mov ($key,&wparam(2)); # load key schedule pointer
189
190 &mov ("ebx","esp");
191 &sub ("esp",7*4); # place for s[0-3],keyEnd,esp and ra
192 &and ("esp",-64);
193 &mov ("eax",&DWP(272,$key)); # load grandRounds counter
194
195 # place stack frame just "above mod 1024" the key schedule
196 # this ensures that cache associativity of 2 suffices
197 &lea ("ecx",&DWP(-64-63,$key));
198 &sub ("ecx","esp");
199 &neg ("ecx");
200 &and ("ecx",0x3C0); # modulo 1024, but aligned to cache-line
201 &sub ("esp","ecx");
202 &add ("esp",4); # 4 is reserved for callee's return address
203
204 &shl ("eax",6);
205 &lea ("eax",&DWP(0,$key,"eax"));
206 &mov ($_esp,"ebx"); # save %esp
207 &mov ($_end,"eax"); # save keyEnd
208
209 &call (&label("pic_point"));
210 &set_label("pic_point");
211 &blindpop($Tbl);
212 &lea ($Tbl,&DWP(&label("Camellia_SBOX")."-".&label("pic_point"),$Tbl));
213
214 &mov (@T[0],&DWP(0,$idx)); # load plaintext
215 &mov (@T[1],&DWP(4,$idx));
216 &mov (@T[2],&DWP(8,$idx));
217 &bswap (@T[0]);
218 &mov (@T[3],&DWP(12,$idx));
219 &bswap (@T[1]);
220 &bswap (@T[2]);
221 &bswap (@T[3]);
222
223 &call ("_x86_Camellia_encrypt");
224
225 &mov ("esp",$_esp);
226 &bswap (@T[0]);
227 &mov ($idx,&wparam(1)); # load ciphertext pointer
228 &bswap (@T[1]);
229 &bswap (@T[2]);
230 &bswap (@T[3]);
231 &mov (&DWP(0,$idx),@T[0]); # write ciphertext
232 &mov (&DWP(4,$idx),@T[1]);
233 &mov (&DWP(8,$idx),@T[2]);
234 &mov (&DWP(12,$idx),@T[3]);
235&function_end("Camellia_encrypt");
236}
237
238&function_begin_B("_x86_Camellia_encrypt");
239 &xor (@T[0],&DWP(0,$key)); # ^=key[0-3]
240 &xor (@T[1],&DWP(4,$key));
241 &xor (@T[2],&DWP(8,$key));
242 &xor (@T[3],&DWP(12,$key));
243 &mov ($idx,&DWP(16,$key)); # prefetch key[4]
244
245 &mov ($__s0,@T[0]); # save s[0-3]
246 &mov ($__s1,@T[1]);
247 &mov ($__s2,@T[2]);
248 &mov ($__s3,@T[3]);
249
250&set_label("loop",16);
251 for ($i=0;$i<6;$i++) { Camellia_Feistel($i,16,4); }
252
253 &add ($key,16*4);
254 &cmp ($key,$__end);
255 &je (&label("done"));
256
257 # @T[0-1] are preloaded, $idx is preloaded with key[0]
258 &and ($idx,@T[0]);
259 &mov (@T[3],$__s3);
260 &rotl ($idx,1);
261 &mov (@T[2],@T[3]);
262 &xor (@T[1],$idx);
263 &or (@T[2],&DWP(12,$key));
264 &mov ($__s1,@T[1]); # s1^=LeftRotate(s0&key[0],1);
265 &xor (@T[2],$__s2);
266
267 &mov ($idx,&DWP(4,$key));
268 &mov ($__s2,@T[2]); # s2^=s3|key[3];
269 &or ($idx,@T[1]);
270 &and (@T[2],&DWP(8,$key));
271 &xor (@T[0],$idx);
272 &rotl (@T[2],1);
273 &mov ($__s0,@T[0]); # s0^=s1|key[1];
274 &xor (@T[3],@T[2]);
275 &mov ($idx,&DWP(16,$key)); # prefetch key[4]
276 &mov ($__s3,@T[3]); # s3^=LeftRotate(s2&key[2],1);
277 &jmp (&label("loop"));
278
279&set_label("done",8);
280 &mov (@T[2],@T[0]); # SwapHalf
281 &mov (@T[3],@T[1]);
282 &mov (@T[0],$__s2);
283 &mov (@T[1],$__s3);
284 &xor (@T[0],$idx); # $idx is preloaded with key[0]
285 &xor (@T[1],&DWP(4,$key));
286 &xor (@T[2],&DWP(8,$key));
287 &xor (@T[3],&DWP(12,$key));
288 &ret ();
289&function_end_B("_x86_Camellia_encrypt");
290
291# void Camellia_DecryptBlock_Rounds(
292# int grandRounds,
293# const Byte ciphertext[],
294# const KEY_TABLE_TYPE keyTable,
295# Byte plaintext[])
296&function_begin("Camellia_DecryptBlock_Rounds");
297 &mov ("eax",&wparam(0)); # load grandRounds
298 &mov ($idx,&wparam(1)); # load ciphertext pointer
299 &mov ($key,&wparam(2)); # load key schedule pointer
300
301 &mov ("ebx","esp");
302 &sub ("esp",7*4); # place for s[0-3],keyEnd,esp and ra
303 &and ("esp",-64);
304
305 # place stack frame just "above mod 1024" the key schedule
306 # this ensures that cache associativity of 2 suffices
307 &lea ("ecx",&DWP(-64-63,$key));
308 &sub ("ecx","esp");
309 &neg ("ecx");
310 &and ("ecx",0x3C0); # modulo 1024, but aligned to cache-line
311 &sub ("esp","ecx");
312 &add ("esp",4); # 4 is reserved for callee's return address
313
314 &shl ("eax",6);
315 &mov (&DWP(4*4,"esp"),$key); # save keyStart
316 &lea ($key,&DWP(0,$key,"eax"));
317 &mov (&DWP(5*4,"esp"),"ebx");# save %esp
318
319 &call (&label("pic_point"));
320 &set_label("pic_point");
321 &blindpop($Tbl);
322 &lea ($Tbl,&DWP(&label("Camellia_SBOX")."-".&label("pic_point"),$Tbl));
323
324 &mov (@T[0],&DWP(0,$idx)); # load ciphertext
325 &mov (@T[1],&DWP(4,$idx));
326 &mov (@T[2],&DWP(8,$idx));
327 &bswap (@T[0]);
328 &mov (@T[3],&DWP(12,$idx));
329 &bswap (@T[1]);
330 &bswap (@T[2]);
331 &bswap (@T[3]);
332
333 &call ("_x86_Camellia_decrypt");
334
335 &mov ("esp",&DWP(5*4,"esp"));
336 &bswap (@T[0]);
337 &mov ($idx,&wparam(3)); # load plaintext pointer
338 &bswap (@T[1]);
339 &bswap (@T[2]);
340 &bswap (@T[3]);
341 &mov (&DWP(0,$idx),@T[0]); # write plaintext
342 &mov (&DWP(4,$idx),@T[1]);
343 &mov (&DWP(8,$idx),@T[2]);
344 &mov (&DWP(12,$idx),@T[3]);
345&function_end("Camellia_DecryptBlock_Rounds");
346# V1.x API
347&function_begin_B("Camellia_DecryptBlock");
348 &mov ("eax",128);
349 &sub ("eax",&wparam(0)); # load keyBitLength
350 &mov ("eax",3);
351 &adc ("eax",0); # keyBitLength==128?3:4
352 &mov (&wparam(0),"eax");
353 &jmp (&label("Camellia_DecryptBlock_Rounds"));
354&function_end_B("Camellia_DecryptBlock");
355
356if ($OPENSSL) {
357# void Camellia_decrypt(
358# const unsigned char *in,
359# unsigned char *out,
360# const CAMELLIA_KEY *key)
361&function_begin("Camellia_decrypt");
362 &mov ($idx,&wparam(0)); # load ciphertext pointer
363 &mov ($key,&wparam(2)); # load key schedule pointer
364
365 &mov ("ebx","esp");
366 &sub ("esp",7*4); # place for s[0-3],keyEnd,esp and ra
367 &and ("esp",-64);
368 &mov ("eax",&DWP(272,$key)); # load grandRounds counter
369
370 # place stack frame just "above mod 1024" the key schedule
371 # this ensures that cache associativity of 2 suffices
372 &lea ("ecx",&DWP(-64-63,$key));
373 &sub ("ecx","esp");
374 &neg ("ecx");
375 &and ("ecx",0x3C0); # modulo 1024, but aligned to cache-line
376 &sub ("esp","ecx");
377 &add ("esp",4); # 4 is reserved for callee's return address
378
379 &shl ("eax",6);
380 &mov (&DWP(4*4,"esp"),$key); # save keyStart
381 &lea ($key,&DWP(0,$key,"eax"));
382 &mov (&DWP(5*4,"esp"),"ebx");# save %esp
383
384 &call (&label("pic_point"));
385 &set_label("pic_point");
386 &blindpop($Tbl);
387 &lea ($Tbl,&DWP(&label("Camellia_SBOX")."-".&label("pic_point"),$Tbl));
388
389 &mov (@T[0],&DWP(0,$idx)); # load ciphertext
390 &mov (@T[1],&DWP(4,$idx));
391 &mov (@T[2],&DWP(8,$idx));
392 &bswap (@T[0]);
393 &mov (@T[3],&DWP(12,$idx));
394 &bswap (@T[1]);
395 &bswap (@T[2]);
396 &bswap (@T[3]);
397
398 &call ("_x86_Camellia_decrypt");
399
400 &mov ("esp",&DWP(5*4,"esp"));
401 &bswap (@T[0]);
402 &mov ($idx,&wparam(1)); # load plaintext pointer
403 &bswap (@T[1]);
404 &bswap (@T[2]);
405 &bswap (@T[3]);
406 &mov (&DWP(0,$idx),@T[0]); # write plaintext
407 &mov (&DWP(4,$idx),@T[1]);
408 &mov (&DWP(8,$idx),@T[2]);
409 &mov (&DWP(12,$idx),@T[3]);
410&function_end("Camellia_decrypt");
411}
412
413&function_begin_B("_x86_Camellia_decrypt");
414 &xor (@T[0],&DWP(0,$key)); # ^=key[0-3]
415 &xor (@T[1],&DWP(4,$key));
416 &xor (@T[2],&DWP(8,$key));
417 &xor (@T[3],&DWP(12,$key));
418 &mov ($idx,&DWP(-8,$key)); # prefetch key[-2]
419
420 &mov ($__s0,@T[0]); # save s[0-3]
421 &mov ($__s1,@T[1]);
422 &mov ($__s2,@T[2]);
423 &mov ($__s3,@T[3]);
424
425&set_label("loop",16);
426 for ($i=0;$i<6;$i++) { Camellia_Feistel($i,-8,4); }
427
428 &sub ($key,16*4);
429 &cmp ($key,$__end);
430 &je (&label("done"));
431
432 # @T[0-1] are preloaded, $idx is preloaded with key[2]
433 &and ($idx,@T[0]);
434 &mov (@T[3],$__s3);
435 &rotl ($idx,1);
436 &mov (@T[2],@T[3]);
437 &xor (@T[1],$idx);
438 &or (@T[2],&DWP(4,$key));
439 &mov ($__s1,@T[1]); # s1^=LeftRotate(s0&key[0],1);
440 &xor (@T[2],$__s2);
441
442 &mov ($idx,&DWP(12,$key));
443 &mov ($__s2,@T[2]); # s2^=s3|key[3];
444 &or ($idx,@T[1]);
445 &and (@T[2],&DWP(0,$key));
446 &xor (@T[0],$idx);
447 &rotl (@T[2],1);
448 &mov ($__s0,@T[0]); # s0^=s1|key[1];
449 &xor (@T[3],@T[2]);
450 &mov ($idx,&DWP(-8,$key)); # prefetch key[4]
451 &mov ($__s3,@T[3]); # s3^=LeftRotate(s2&key[2],1);
452 &jmp (&label("loop"));
453
454&set_label("done",8);
455 &mov (@T[2],@T[0]); # SwapHalf
456 &mov (@T[3],@T[1]);
457 &mov (@T[0],$__s2);
458 &mov (@T[1],$__s3);
459 &xor (@T[2],$idx); # $idx is preloaded with key[2]
460 &xor (@T[3],&DWP(12,$key));
461 &xor (@T[0],&DWP(0,$key));
462 &xor (@T[1],&DWP(4,$key));
463 &ret ();
464&function_end_B("_x86_Camellia_decrypt");
465
466# shld is very slow on Intel P4 family. Even on AMD it limits
467# instruction decode rate [because it's VectorPath] and consequently
468# performance. PIII, PM and Core[2] seem to be the only ones which
469# execute this code ~7% faster...
470sub __rotl128 {
471 my ($i0,$i1,$i2,$i3,$rot,$rnd,@T)=@_;
472
473 $rnd *= 2;
474 if ($rot) {
475 &mov ($idx,$i0);
476 &shld ($i0,$i1,$rot);
477 &shld ($i1,$i2,$rot);
478 &shld ($i2,$i3,$rot);
479 &shld ($i3,$idx,$rot);
480 }
481 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i0 eq @T[0]);
482 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i1 eq @T[0]);
483 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i2 eq @T[0]);
484 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i3 eq @T[0]);
485}
486
487# ... Implementing 128-bit rotate without shld gives >3x performance
488# improvement on P4, only ~7% degradation on other Intel CPUs and
489# not worse performance on AMD. This is therefore preferred.
490sub _rotl128 {
491 my ($i0,$i1,$i2,$i3,$rot,$rnd,@T)=@_;
492
493 $rnd *= 2;
494 if ($rot) {
495 &mov ($Tbl,$i0);
496 &shl ($i0,$rot);
497 &mov ($idx,$i1);
498 &shr ($idx,32-$rot);
499 &shl ($i1,$rot);
500 &or ($i0,$idx);
501 &mov ($idx,$i2);
502 &shl ($i2,$rot);
503 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i0 eq @T[0]);
504 &shr ($idx,32-$rot);
505 &or ($i1,$idx);
506 &shr ($Tbl,32-$rot);
507 &mov ($idx,$i3);
508 &shr ($idx,32-$rot);
509 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i1 eq @T[0]);
510 &shl ($i3,$rot);
511 &or ($i2,$idx);
512 &or ($i3,$Tbl);
513 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i2 eq @T[0]);
514 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i3 eq @T[0]);
515 } else {
516 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i0 eq @T[0]);
517 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i1 eq @T[0]);
518 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i2 eq @T[0]);
519 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i3 eq @T[0]);
520 }
521}
522
523sub _saveround {
524my ($rnd,$key,@T)=@_;
525my $bias=int(@T[0])?shift(@T):0;
526
527 &mov (&DWP($bias+$rnd*8+0,$key),@T[0]);
528 &mov (&DWP($bias+$rnd*8+4,$key),@T[1]) if ($#T>=1);
529 &mov (&DWP($bias+$rnd*8+8,$key),@T[2]) if ($#T>=2);
530 &mov (&DWP($bias+$rnd*8+12,$key),@T[3]) if ($#T>=3);
531}
532
533sub _loadround {
534my ($rnd,$key,@T)=@_;
535my $bias=int(@T[0])?shift(@T):0;
536
537 &mov (@T[0],&DWP($bias+$rnd*8+0,$key));
538 &mov (@T[1],&DWP($bias+$rnd*8+4,$key)) if ($#T>=1);
539 &mov (@T[2],&DWP($bias+$rnd*8+8,$key)) if ($#T>=2);
540 &mov (@T[3],&DWP($bias+$rnd*8+12,$key)) if ($#T>=3);
541}
542
543# void Camellia_Ekeygen(
544# const int keyBitLength,
545# const Byte *rawKey,
546# KEY_TABLE_TYPE keyTable)
547&function_begin("Camellia_Ekeygen");
548{ my $step=0;
549
550 &stack_push(4); # place for s[0-3]
551
552 &mov ($Tbl,&wparam(0)); # load arguments
553 &mov ($idx,&wparam(1));
554 &mov ($key,&wparam(2));
555
556 &mov (@T[0],&DWP(0,$idx)); # load 0-127 bits
557 &mov (@T[1],&DWP(4,$idx));
558 &mov (@T[2],&DWP(8,$idx));
559 &mov (@T[3],&DWP(12,$idx));
560
561 &bswap (@T[0]);
562 &bswap (@T[1]);
563 &bswap (@T[2]);
564 &bswap (@T[3]);
565
566 &_saveround (0,$key,@T); # KL<<<0
567
568 &cmp ($Tbl,128);
569 &je (&label("1st128"));
570
571 &mov (@T[0],&DWP(16,$idx)); # load 128-191 bits
572 &mov (@T[1],&DWP(20,$idx));
573 &cmp ($Tbl,192);
574 &je (&label("1st192"));
575 &mov (@T[2],&DWP(24,$idx)); # load 192-255 bits
576 &mov (@T[3],&DWP(28,$idx));
577 &jmp (&label("1st256"));
578&set_label("1st192",4);
579 &mov (@T[2],@T[0]);
580 &mov (@T[3],@T[1]);
581 &not (@T[2]);
582 &not (@T[3]);
583&set_label("1st256",4);
584 &bswap (@T[0]);
585 &bswap (@T[1]);
586 &bswap (@T[2]);
587 &bswap (@T[3]);
588
589 &_saveround (4,$key,@T); # temporary storage for KR!
590
591 &xor (@T[0],&DWP(0*8+0,$key)); # KR^KL
592 &xor (@T[1],&DWP(0*8+4,$key));
593 &xor (@T[2],&DWP(1*8+0,$key));
594 &xor (@T[3],&DWP(1*8+4,$key));
595
596&set_label("1st128",4);
597 &call (&label("pic_point"));
598 &set_label("pic_point");
599 &blindpop($Tbl);
600 &lea ($Tbl,&DWP(&label("Camellia_SBOX")."-".&label("pic_point"),$Tbl));
601 &lea ($key,&DWP(&label("Camellia_SIGMA")."-".&label("Camellia_SBOX"),$Tbl));
602
603 &mov ($idx,&DWP($step*8,$key)); # prefetch SIGMA[0]
604 &mov (&swtmp(0),@T[0]); # save s[0-3]
605 &mov (&swtmp(1),@T[1]);
606 &mov (&swtmp(2),@T[2]);
607 &mov (&swtmp(3),@T[3]);
608 &Camellia_Feistel($step++);
609 &Camellia_Feistel($step++);
610 &mov (@T[2],&swtmp(2));
611 &mov (@T[3],&swtmp(3));
612
613 &mov ($idx,&wparam(2));
614 &xor (@T[0],&DWP(0*8+0,$idx)); # ^KL
615 &xor (@T[1],&DWP(0*8+4,$idx));
616 &xor (@T[2],&DWP(1*8+0,$idx));
617 &xor (@T[3],&DWP(1*8+4,$idx));
618
619 &mov ($idx,&DWP($step*8,$key)); # prefetch SIGMA[4]
620 &mov (&swtmp(0),@T[0]); # save s[0-3]
621 &mov (&swtmp(1),@T[1]);
622 &mov (&swtmp(2),@T[2]);
623 &mov (&swtmp(3),@T[3]);
624 &Camellia_Feistel($step++);
625 &Camellia_Feistel($step++);
626 &mov (@T[2],&swtmp(2));
627 &mov (@T[3],&swtmp(3));
628
629 &mov ($idx,&wparam(0));
630 &cmp ($idx,128);
631 &jne (&label("2nd256"));
632
633 &mov ($key,&wparam(2));
634 &lea ($key,&DWP(128,$key)); # size optimization
635
636 ####### process KA
637 &_saveround (2,$key,-128,@T); # KA<<<0
638 &_rotl128 (@T,15,6,@T); # KA<<<15
639 &_rotl128 (@T,15,8,@T); # KA<<<(15+15=30)
640 &_rotl128 (@T,15,12,@T[0],@T[1]); # KA<<<(30+15=45)
641 &_rotl128 (@T,15,14,@T); # KA<<<(45+15=60)
642 push (@T,shift(@T)); # rotl128(@T,32);
643 &_rotl128 (@T,2,20,@T); # KA<<<(60+32+2=94)
644 &_rotl128 (@T,17,24,@T); # KA<<<(94+17=111)
645
646 ####### process KL
647 &_loadround (0,$key,-128,@T); # load KL
648 &_rotl128 (@T,15,4,@T); # KL<<<15
649 &_rotl128 (@T,30,10,@T); # KL<<<(15+30=45)
650 &_rotl128 (@T,15,13,@T[2],@T[3]); # KL<<<(45+15=60)
651 &_rotl128 (@T,17,16,@T); # KL<<<(60+17=77)
652 &_rotl128 (@T,17,18,@T); # KL<<<(77+17=94)
653 &_rotl128 (@T,17,22,@T); # KL<<<(94+17=111)
654
655 while (@T[0] ne "eax") # restore order
656 { unshift (@T,pop(@T)); }
657
658 &mov ("eax",3); # 3 grandRounds
659 &jmp (&label("done"));
660
661&set_label("2nd256",16);
662 &mov ($idx,&wparam(2));
663 &_saveround (6,$idx,@T); # temporary storage for KA!
664
665 &xor (@T[0],&DWP(4*8+0,$idx)); # KA^KR
666 &xor (@T[1],&DWP(4*8+4,$idx));
667 &xor (@T[2],&DWP(5*8+0,$idx));
668 &xor (@T[3],&DWP(5*8+4,$idx));
669
670 &mov ($idx,&DWP($step*8,$key)); # prefetch SIGMA[8]
671 &mov (&swtmp(0),@T[0]); # save s[0-3]
672 &mov (&swtmp(1),@T[1]);
673 &mov (&swtmp(2),@T[2]);
674 &mov (&swtmp(3),@T[3]);
675 &Camellia_Feistel($step++);
676 &Camellia_Feistel($step++);
677 &mov (@T[2],&swtmp(2));
678 &mov (@T[3],&swtmp(3));
679
680 &mov ($key,&wparam(2));
681 &lea ($key,&DWP(128,$key)); # size optimization
682
683 ####### process KB
684 &_saveround (2,$key,-128,@T); # KB<<<0
685 &_rotl128 (@T,30,10,@T); # KB<<<30
686 &_rotl128 (@T,30,20,@T); # KB<<<(30+30=60)
687 push (@T,shift(@T)); # rotl128(@T,32);
688 &_rotl128 (@T,19,32,@T); # KB<<<(60+32+19=111)
689
690 ####### process KR
691 &_loadround (4,$key,-128,@T); # load KR
692 &_rotl128 (@T,15,4,@T); # KR<<<15
693 &_rotl128 (@T,15,8,@T); # KR<<<(15+15=30)
694 &_rotl128 (@T,30,18,@T); # KR<<<(30+30=60)
695 push (@T,shift(@T)); # rotl128(@T,32);
696 &_rotl128 (@T,2,26,@T); # KR<<<(60+32+2=94)
697
698 ####### process KA
699 &_loadround (6,$key,-128,@T); # load KA
700 &_rotl128 (@T,15,6,@T); # KA<<<15
701 &_rotl128 (@T,30,14,@T); # KA<<<(15+30=45)
702 push (@T,shift(@T)); # rotl128(@T,32);
703 &_rotl128 (@T,0,24,@T); # KA<<<(45+32+0=77)
704 &_rotl128 (@T,17,28,@T); # KA<<<(77+17=94)
705
706 ####### process KL
707 &_loadround (0,$key,-128,@T); # load KL
708 push (@T,shift(@T)); # rotl128(@T,32);
709 &_rotl128 (@T,13,12,@T); # KL<<<(32+13=45)
710 &_rotl128 (@T,15,16,@T); # KL<<<(45+15=60)
711 &_rotl128 (@T,17,22,@T); # KL<<<(60+17=77)
712 push (@T,shift(@T)); # rotl128(@T,32);
713 &_rotl128 (@T,2,30,@T); # KL<<<(77+32+2=111)
714
715 while (@T[0] ne "eax") # restore order
716 { unshift (@T,pop(@T)); }
717
718 &mov ("eax",4); # 4 grandRounds
719&set_label("done");
720 &lea ("edx",&DWP(272-128,$key)); # end of key schedule
721 &stack_pop(4);
722}
723&function_end("Camellia_Ekeygen");
724
725if ($OPENSSL) {
726# int Camellia_set_key (
727# const unsigned char *userKey,
728# int bits,
729# CAMELLIA_KEY *key)
730&function_begin_B("Camellia_set_key");
731 &push ("ebx");
732 &mov ("ecx",&wparam(0)); # pull arguments
733 &mov ("ebx",&wparam(1));
734 &mov ("edx",&wparam(2));
735
736 &mov ("eax",-1);
737 &test ("ecx","ecx");
738 &jz (&label("done")); # userKey==NULL?
739 &test ("edx","edx");
740 &jz (&label("done")); # key==NULL?
741
742 &mov ("eax",-2);
743 &cmp ("ebx",256);
744 &je (&label("arg_ok")); # bits==256?
745 &cmp ("ebx",192);
746 &je (&label("arg_ok")); # bits==192?
747 &cmp ("ebx",128);
748 &jne (&label("done")); # bits!=128?
749&set_label("arg_ok",4);
750
751 &push ("edx"); # push arguments
752 &push ("ecx");
753 &push ("ebx");
754 &call ("Camellia_Ekeygen");
755 &stack_pop(3);
756
757 # eax holds grandRounds and edx points at where to put it
758 &mov (&DWP(0,"edx"),"eax");
759 &xor ("eax","eax");
760&set_label("done",4);
761 &pop ("ebx");
762 &ret ();
763&function_end_B("Camellia_set_key");
764}
765
766@SBOX=(
767112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
768 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
769134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
770166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
771139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
772223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
773 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
774254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
775170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
776 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
777135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
778 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
779233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
780120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
781114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
782 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158);
783
784sub S1110 { my $i=shift; $i=@SBOX[$i]; return $i<<24|$i<<16|$i<<8; }
785sub S4404 { my $i=shift; $i=($i<<1|$i>>7)&0xff; $i=@SBOX[$i]; return $i<<24|$i<<16|$i; }
786sub S0222 { my $i=shift; $i=@SBOX[$i]; $i=($i<<1|$i>>7)&0xff; return $i<<16|$i<<8|$i; }
787sub S3033 { my $i=shift; $i=@SBOX[$i]; $i=($i>>1|$i<<7)&0xff; return $i<<24|$i<<8|$i; }
788
789&set_label("Camellia_SIGMA",64);
790&data_word(
791 0xa09e667f, 0x3bcc908b, 0xb67ae858, 0x4caa73b2,
792 0xc6ef372f, 0xe94f82be, 0x54ff53a5, 0xf1d36f1c,
793 0x10e527fa, 0xde682d1d, 0xb05688c2, 0xb3e6c1fd,
794 0, 0, 0, 0);
795&set_label("Camellia_SBOX",64);
796# tables are interleaved, remember?
797for ($i=0;$i<256;$i++) { &data_word(&S1110($i),&S4404($i)); }
798for ($i=0;$i<256;$i++) { &data_word(&S0222($i),&S3033($i)); }
799
800# void Camellia_cbc_encrypt (const void char *inp, unsigned char *out,
801# size_t length, const CAMELLIA_KEY *key,
802# unsigned char *ivp,const int enc);
803{
804# stack frame layout
805# -4(%esp) # return address 0(%esp)
806# 0(%esp) # s0 4(%esp)
807# 4(%esp) # s1 8(%esp)
808# 8(%esp) # s2 12(%esp)
809# 12(%esp) # s3 16(%esp)
810# 16(%esp) # end of key schedule 20(%esp)
811# 20(%esp) # %esp backup
812my $_inp=&DWP(24,"esp"); #copy of wparam(0)
813my $_out=&DWP(28,"esp"); #copy of wparam(1)
814my $_len=&DWP(32,"esp"); #copy of wparam(2)
815my $_key=&DWP(36,"esp"); #copy of wparam(3)
816my $_ivp=&DWP(40,"esp"); #copy of wparam(4)
817my $ivec=&DWP(44,"esp"); #ivec[16]
818my $_tmp=&DWP(44,"esp"); #volatile variable [yes, aliases with ivec]
819my ($s0,$s1,$s2,$s3) = @T;
820
821&function_begin("Camellia_cbc_encrypt");
822 &mov ($s2 eq "ecx"? $s2 : "",&wparam(2)); # load len
823 &cmp ($s2,0);
824 &je (&label("enc_out"));
825
826 &pushf ();
827 &cld ();
828
829 &mov ($s0,&wparam(0)); # load inp
830 &mov ($s1,&wparam(1)); # load out
831 #&mov ($s2,&wparam(2)); # load len
832 &mov ($s3,&wparam(3)); # load key
833 &mov ($Tbl,&wparam(4)); # load ivp
834
835 # allocate aligned stack frame...
836 &lea ($idx,&DWP(-64,"esp"));
837 &and ($idx,-64);
838
839 # place stack frame just "above mod 1024" the key schedule
840 # this ensures that cache associativity of 2 suffices
841 &lea ($key,&DWP(-64-63,$s3));
842 &sub ($key,$idx);
843 &neg ($key);
844 &and ($key,0x3C0); # modulo 1024, but aligned to cache-line
845 &sub ($idx,$key);
846
847 &mov ($key,&wparam(5)); # load enc
848
849 &exch ("esp",$idx);
850 &add ("esp",4); # reserve for return address!
851 &mov ($_esp,$idx); # save %esp
852
853 &mov ($_inp,$s0); # save copy of inp
854 &mov ($_out,$s1); # save copy of out
855 &mov ($_len,$s2); # save copy of len
856 &mov ($_key,$s3); # save copy of key
857 &mov ($_ivp,$Tbl); # save copy of ivp
858
859 &call (&label("pic_point")); # make it PIC!
860 &set_label("pic_point");
861 &blindpop($Tbl);
862 &lea ($Tbl,&DWP(&label("Camellia_SBOX")."-".&label("pic_point"),$Tbl));
863
864 &mov ($idx,32);
865 &set_label("prefetch_sbox",4);
866 &mov ($s0,&DWP(0,$Tbl));
867 &mov ($s1,&DWP(32,$Tbl));
868 &mov ($s2,&DWP(64,$Tbl));
869 &mov ($s3,&DWP(96,$Tbl));
870 &lea ($Tbl,&DWP(128,$Tbl));
871 &dec ($idx);
872 &jnz (&label("prefetch_sbox"));
873 &mov ($s0,$_key);
874 &sub ($Tbl,4096);
875 &mov ($idx,$_inp);
876 &mov ($s3,&DWP(272,$s0)); # load grandRounds
877
878 &cmp ($key,0);
879 &je (&label("DECRYPT"));
880
881 &mov ($s2,$_len);
882 &mov ($key,$_ivp);
883 &shl ($s3,6);
884 &lea ($s3,&DWP(0,$s0,$s3));
885 &mov ($_end,$s3);
886
887 &test ($s2,0xFFFFFFF0);
888 &jz (&label("enc_tail")); # short input...
889
890 &mov ($s0,&DWP(0,$key)); # load iv
891 &mov ($s1,&DWP(4,$key));
892
893 &set_label("enc_loop",4);
894 &mov ($s2,&DWP(8,$key));
895 &mov ($s3,&DWP(12,$key));
896
897 &xor ($s0,&DWP(0,$idx)); # xor input data
898 &xor ($s1,&DWP(4,$idx));
899 &xor ($s2,&DWP(8,$idx));
900 &bswap ($s0);
901 &xor ($s3,&DWP(12,$idx));
902 &bswap ($s1);
903 &mov ($key,$_key); # load key
904 &bswap ($s2);
905 &bswap ($s3);
906
907 &call ("_x86_Camellia_encrypt");
908
909 &mov ($idx,$_inp); # load inp
910 &mov ($key,$_out); # load out
911
912 &bswap ($s0);
913 &bswap ($s1);
914 &bswap ($s2);
915 &mov (&DWP(0,$key),$s0); # save output data
916 &bswap ($s3);
917 &mov (&DWP(4,$key),$s1);
918 &mov (&DWP(8,$key),$s2);
919 &mov (&DWP(12,$key),$s3);
920
921 &mov ($s2,$_len); # load len
922
923 &lea ($idx,&DWP(16,$idx));
924 &mov ($_inp,$idx); # save inp
925
926 &lea ($s3,&DWP(16,$key));
927 &mov ($_out,$s3); # save out
928
929 &sub ($s2,16);
930 &test ($s2,0xFFFFFFF0);
931 &mov ($_len,$s2); # save len
932 &jnz (&label("enc_loop"));
933 &test ($s2,15);
934 &jnz (&label("enc_tail"));
935 &mov ($idx,$_ivp); # load ivp
936 &mov ($s2,&DWP(8,$key)); # restore last dwords
937 &mov ($s3,&DWP(12,$key));
938 &mov (&DWP(0,$idx),$s0); # save ivec
939 &mov (&DWP(4,$idx),$s1);
940 &mov (&DWP(8,$idx),$s2);
941 &mov (&DWP(12,$idx),$s3);
942
943 &mov ("esp",$_esp);
944 &popf ();
945 &set_label("enc_out");
946 &function_end_A();
947 &pushf (); # kludge, never executed
948
949 &set_label("enc_tail",4);
950 &mov ($s0,$key eq "edi" ? $key : "");
951 &mov ($key,$_out); # load out
952 &push ($s0); # push ivp
953 &mov ($s1,16);
954 &sub ($s1,$s2);
955 &cmp ($key,$idx); # compare with inp
956 &je (&label("enc_in_place"));
957 &align (4);
958 &data_word(0xA4F3F689); # rep movsb # copy input
959 &jmp (&label("enc_skip_in_place"));
960 &set_label("enc_in_place");
961 &lea ($key,&DWP(0,$key,$s2));
962 &set_label("enc_skip_in_place");
963 &mov ($s2,$s1);
964 &xor ($s0,$s0);
965 &align (4);
966 &data_word(0xAAF3F689); # rep stosb # zero tail
967 &pop ($key); # pop ivp
968
969 &mov ($idx,$_out); # output as input
970 &mov ($s0,&DWP(0,$key));
971 &mov ($s1,&DWP(4,$key));
972 &mov ($_len,16); # len=16
973 &jmp (&label("enc_loop")); # one more spin...
974
975#----------------------------- DECRYPT -----------------------------#
976&set_label("DECRYPT",16);
977 &shl ($s3,6);
978 &lea ($s3,&DWP(0,$s0,$s3));
979 &mov ($_end,$s0);
980 &mov ($_key,$s3);
981
982 &cmp ($idx,$_out);
983 &je (&label("dec_in_place")); # in-place processing...
984
985 &mov ($key,$_ivp); # load ivp
986 &mov ($_tmp,$key);
987
988 &set_label("dec_loop",4);
989 &mov ($s0,&DWP(0,$idx)); # read input
990 &mov ($s1,&DWP(4,$idx));
991 &mov ($s2,&DWP(8,$idx));
992 &bswap ($s0);
993 &mov ($s3,&DWP(12,$idx));
994 &bswap ($s1);
995 &mov ($key,$_key); # load key
996 &bswap ($s2);
997 &bswap ($s3);
998
999 &call ("_x86_Camellia_decrypt");
1000
1001 &mov ($key,$_tmp); # load ivp
1002 &mov ($idx,$_len); # load len
1003
1004 &bswap ($s0);
1005 &bswap ($s1);
1006 &bswap ($s2);
1007 &xor ($s0,&DWP(0,$key)); # xor iv
1008 &bswap ($s3);
1009 &xor ($s1,&DWP(4,$key));
1010 &xor ($s2,&DWP(8,$key));
1011 &xor ($s3,&DWP(12,$key));
1012
1013 &sub ($idx,16);
1014 &jc (&label("dec_partial"));
1015 &mov ($_len,$idx); # save len
1016 &mov ($idx,$_inp); # load inp
1017 &mov ($key,$_out); # load out
1018
1019 &mov (&DWP(0,$key),$s0); # write output
1020 &mov (&DWP(4,$key),$s1);
1021 &mov (&DWP(8,$key),$s2);
1022 &mov (&DWP(12,$key),$s3);
1023
1024 &mov ($_tmp,$idx); # save ivp
1025 &lea ($idx,&DWP(16,$idx));
1026 &mov ($_inp,$idx); # save inp
1027
1028 &lea ($key,&DWP(16,$key));
1029 &mov ($_out,$key); # save out
1030
1031 &jnz (&label("dec_loop"));
1032 &mov ($key,$_tmp); # load temp ivp
1033 &set_label("dec_end");
1034 &mov ($idx,$_ivp); # load user ivp
1035 &mov ($s0,&DWP(0,$key)); # load iv
1036 &mov ($s1,&DWP(4,$key));
1037 &mov ($s2,&DWP(8,$key));
1038 &mov ($s3,&DWP(12,$key));
1039 &mov (&DWP(0,$idx),$s0); # copy back to user
1040 &mov (&DWP(4,$idx),$s1);
1041 &mov (&DWP(8,$idx),$s2);
1042 &mov (&DWP(12,$idx),$s3);
1043 &jmp (&label("dec_out"));
1044
1045 &set_label("dec_partial",4);
1046 &lea ($key,$ivec);
1047 &mov (&DWP(0,$key),$s0); # dump output to stack
1048 &mov (&DWP(4,$key),$s1);
1049 &mov (&DWP(8,$key),$s2);
1050 &mov (&DWP(12,$key),$s3);
1051 &lea ($s2 eq "ecx" ? $s2 : "",&DWP(16,$idx));
1052 &mov ($idx eq "esi" ? $idx : "",$key);
1053 &mov ($key eq "edi" ? $key : "",$_out); # load out
1054 &data_word(0xA4F3F689); # rep movsb # copy output
1055 &mov ($key,$_inp); # use inp as temp ivp
1056 &jmp (&label("dec_end"));
1057
1058 &set_label("dec_in_place",4);
1059 &set_label("dec_in_place_loop");
1060 &lea ($key,$ivec);
1061 &mov ($s0,&DWP(0,$idx)); # read input
1062 &mov ($s1,&DWP(4,$idx));
1063 &mov ($s2,&DWP(8,$idx));
1064 &mov ($s3,&DWP(12,$idx));
1065
1066 &mov (&DWP(0,$key),$s0); # copy to temp
1067 &mov (&DWP(4,$key),$s1);
1068 &mov (&DWP(8,$key),$s2);
1069 &bswap ($s0);
1070 &mov (&DWP(12,$key),$s3);
1071 &bswap ($s1);
1072 &mov ($key,$_key); # load key
1073 &bswap ($s2);
1074 &bswap ($s3);
1075
1076 &call ("_x86_Camellia_decrypt");
1077
1078 &mov ($key,$_ivp); # load ivp
1079 &mov ($idx,$_out); # load out
1080
1081 &bswap ($s0);
1082 &bswap ($s1);
1083 &bswap ($s2);
1084 &xor ($s0,&DWP(0,$key)); # xor iv
1085 &bswap ($s3);
1086 &xor ($s1,&DWP(4,$key));
1087 &xor ($s2,&DWP(8,$key));
1088 &xor ($s3,&DWP(12,$key));
1089
1090 &mov (&DWP(0,$idx),$s0); # write output
1091 &mov (&DWP(4,$idx),$s1);
1092 &mov (&DWP(8,$idx),$s2);
1093 &mov (&DWP(12,$idx),$s3);
1094
1095 &lea ($idx,&DWP(16,$idx));
1096 &mov ($_out,$idx); # save out
1097
1098 &lea ($idx,$ivec);
1099 &mov ($s0,&DWP(0,$idx)); # read temp
1100 &mov ($s1,&DWP(4,$idx));
1101 &mov ($s2,&DWP(8,$idx));
1102 &mov ($s3,&DWP(12,$idx));
1103
1104 &mov (&DWP(0,$key),$s0); # copy iv
1105 &mov (&DWP(4,$key),$s1);
1106 &mov (&DWP(8,$key),$s2);
1107 &mov (&DWP(12,$key),$s3);
1108
1109 &mov ($idx,$_inp); # load inp
1110
1111 &lea ($idx,&DWP(16,$idx));
1112 &mov ($_inp,$idx); # save inp
1113
1114 &mov ($s2,$_len); # load len
1115 &sub ($s2,16);
1116 &jc (&label("dec_in_place_partial"));
1117 &mov ($_len,$s2); # save len
1118 &jnz (&label("dec_in_place_loop"));
1119 &jmp (&label("dec_out"));
1120
1121 &set_label("dec_in_place_partial",4);
1122 # one can argue if this is actually required...
1123 &mov ($key eq "edi" ? $key : "",$_out);
1124 &lea ($idx eq "esi" ? $idx : "",$ivec);
1125 &lea ($key,&DWP(0,$key,$s2));
1126 &lea ($idx,&DWP(16,$idx,$s2));
1127 &neg ($s2 eq "ecx" ? $s2 : "");
1128 &data_word(0xA4F3F689); # rep movsb # restore tail
1129
1130 &set_label("dec_out",4);
1131 &mov ("esp",$_esp);
1132 &popf ();
1133&function_end("Camellia_cbc_encrypt");
1134}
1135
1136&asciz("Camellia for x86 by <appro\@openssl.org>");
1137
1138&asm_finish();
diff --git a/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl b/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl
deleted file mode 100644
index a171c654b2..0000000000
--- a/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl
+++ /dev/null
@@ -1,867 +0,0 @@
1#!/usr/bin/env perl
2
3# ====================================================================
4# Copyright (c) 2008 Andy Polyakov <appro@openssl.org>
5#
6# This module may be used under the terms of either the GNU General
7# Public License version 2 or later, the GNU Lesser General Public
8# License version 2.1 or later, the Mozilla Public License version
9# 1.1 or the BSD License. The exact terms of either license are
10# distributed along with this module. For further details see
11# http://www.openssl.org/~appro/camellia/.
12# ====================================================================
13
14# Performance in cycles per processed byte (less is better) in
15# 'openssl speed ...' benchmark:
16#
17# AMD64 Core2 EM64T
18# -evp camellia-128-ecb 16.7 21.0 22.7
19# + over gcc 3.4.6 +25% +5% 0%
20#
21# camellia-128-cbc 15.7 20.4 21.1
22#
23# 128-bit key setup 128 216 205 cycles/key
24# + over gcc 3.4.6 +54% +39% +15%
25#
26# Numbers in "+" rows represent performance improvement over compiler
27# generated code. Key setup timings are impressive on AMD and Core2
28# thanks to 64-bit operations being covertly deployed. Improvement on
29# EM64T, pre-Core2 Intel x86_64 CPU, is not as impressive, because it
30# apparently emulates some of 64-bit operations in [32-bit] microcode.
31
32$flavour = shift;
33$output = shift;
34if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
35
36$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
37( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
38( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
39die "can't locate x86_64-xlate.pl";
40
41open OUT,"| \"$^X\" $xlate $flavour $output";
42*STDOUT=*OUT;
43
44sub hi() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1h/; $r; }
45sub lo() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1l/;
46 $r =~ s/%[er]([sd]i)/%\1l/;
47 $r =~ s/%(r[0-9]+)[d]?/%\1b/; $r; }
48
49$t0="%eax";$t1="%ebx";$t2="%ecx";$t3="%edx";
50@S=("%r8d","%r9d","%r10d","%r11d");
51$i0="%esi";
52$i1="%edi";
53$Tbl="%rbp"; # size optimization
54$inp="%r12";
55$out="%r13";
56$key="%r14";
57$keyend="%r15";
58$arg0d="%edi";
59
60# const unsigned int Camellia_SBOX[4][256];
61# Well, sort of... Camellia_SBOX[0][] is interleaved with [1][],
62# and [2][] - with [3][]. This is done to minimize code size.
63$SBOX1_1110=0; # Camellia_SBOX[0]
64$SBOX4_4404=4; # Camellia_SBOX[1]
65$SBOX2_0222=2048; # Camellia_SBOX[2]
66$SBOX3_3033=2052; # Camellia_SBOX[3]
67
68sub Camellia_Feistel {
69my $i=@_[0];
70my $seed=defined(@_[1])?@_[1]:0;
71my $scale=$seed<0?-8:8;
72my $j=($i&1)*2;
73my $s0=@S[($j)%4],$s1=@S[($j+1)%4],$s2=@S[($j+2)%4],$s3=@S[($j+3)%4];
74
75$code.=<<___;
76 xor $s0,$t0 # t0^=key[0]
77 xor $s1,$t1 # t1^=key[1]
78 movz `&hi("$t0")`,$i0 # (t0>>8)&0xff
79 movz `&lo("$t1")`,$i1 # (t1>>0)&0xff
80 mov $SBOX3_3033($Tbl,$i0,8),$t3 # t3=SBOX3_3033[0]
81 mov $SBOX1_1110($Tbl,$i1,8),$t2 # t2=SBOX1_1110[1]
82 movz `&lo("$t0")`,$i0 # (t0>>0)&0xff
83 shr \$16,$t0
84 movz `&hi("$t1")`,$i1 # (t1>>8)&0xff
85 xor $SBOX4_4404($Tbl,$i0,8),$t3 # t3^=SBOX4_4404[0]
86 shr \$16,$t1
87 xor $SBOX4_4404($Tbl,$i1,8),$t2 # t2^=SBOX4_4404[1]
88 movz `&hi("$t0")`,$i0 # (t0>>24)&0xff
89 movz `&lo("$t1")`,$i1 # (t1>>16)&0xff
90 xor $SBOX1_1110($Tbl,$i0,8),$t3 # t3^=SBOX1_1110[0]
91 xor $SBOX3_3033($Tbl,$i1,8),$t2 # t2^=SBOX3_3033[1]
92 movz `&lo("$t0")`,$i0 # (t0>>16)&0xff
93 movz `&hi("$t1")`,$i1 # (t1>>24)&0xff
94 xor $SBOX2_0222($Tbl,$i0,8),$t3 # t3^=SBOX2_0222[0]
95 xor $SBOX2_0222($Tbl,$i1,8),$t2 # t2^=SBOX2_0222[1]
96 mov `$seed+($i+1)*$scale`($key),$t1 # prefetch key[i+1]
97 mov `$seed+($i+1)*$scale+4`($key),$t0
98 xor $t3,$t2 # t2^=t3
99 ror \$8,$t3 # t3=RightRotate(t3,8)
100 xor $t2,$s2
101 xor $t2,$s3
102 xor $t3,$s3
103___
104}
105
106# void Camellia_EncryptBlock_Rounds(
107# int grandRounds,
108# const Byte plaintext[],
109# const KEY_TABLE_TYPE keyTable,
110# Byte ciphertext[])
111$code=<<___;
112.text
113
114# V1.x API
115.globl Camellia_EncryptBlock
116.type Camellia_EncryptBlock,\@abi-omnipotent
117.align 16
118Camellia_EncryptBlock:
119 movl \$128,%eax
120 subl $arg0d,%eax
121 movl \$3,$arg0d
122 adcl \$0,$arg0d # keyBitLength==128?3:4
123 jmp .Lenc_rounds
124.size Camellia_EncryptBlock,.-Camellia_EncryptBlock
125# V2
126.globl Camellia_EncryptBlock_Rounds
127.type Camellia_EncryptBlock_Rounds,\@function,4
128.align 16
129.Lenc_rounds:
130Camellia_EncryptBlock_Rounds:
131 push %rbx
132 push %rbp
133 push %r13
134 push %r14
135 push %r15
136.Lenc_prologue:
137
138 #mov %rsi,$inp # put away arguments
139 mov %rcx,$out
140 mov %rdx,$key
141
142 shl \$6,%edi # process grandRounds
143 lea .LCamellia_SBOX(%rip),$Tbl
144 lea ($key,%rdi),$keyend
145
146 mov 0(%rsi),@S[0] # load plaintext
147 mov 4(%rsi),@S[1]
148 mov 8(%rsi),@S[2]
149 bswap @S[0]
150 mov 12(%rsi),@S[3]
151 bswap @S[1]
152 bswap @S[2]
153 bswap @S[3]
154
155 call _x86_64_Camellia_encrypt
156
157 bswap @S[0]
158 bswap @S[1]
159 bswap @S[2]
160 mov @S[0],0($out)
161 bswap @S[3]
162 mov @S[1],4($out)
163 mov @S[2],8($out)
164 mov @S[3],12($out)
165
166 mov 0(%rsp),%r15
167 mov 8(%rsp),%r14
168 mov 16(%rsp),%r13
169 mov 24(%rsp),%rbp
170 mov 32(%rsp),%rbx
171 lea 40(%rsp),%rsp
172.Lenc_epilogue:
173 ret
174.size Camellia_EncryptBlock_Rounds,.-Camellia_EncryptBlock_Rounds
175
176.type _x86_64_Camellia_encrypt,\@abi-omnipotent
177.align 16
178_x86_64_Camellia_encrypt:
179 xor 0($key),@S[1]
180 xor 4($key),@S[0] # ^=key[0-3]
181 xor 8($key),@S[3]
182 xor 12($key),@S[2]
183.align 16
184.Leloop:
185 mov 16($key),$t1 # prefetch key[4-5]
186 mov 20($key),$t0
187
188___
189 for ($i=0;$i<6;$i++) { Camellia_Feistel($i,16); }
190$code.=<<___;
191 lea 16*4($key),$key
192 cmp $keyend,$key
193 mov 8($key),$t3 # prefetch key[2-3]
194 mov 12($key),$t2
195 je .Ledone
196
197 and @S[0],$t0
198 or @S[3],$t3
199 rol \$1,$t0
200 xor $t3,@S[2] # s2^=s3|key[3];
201 xor $t0,@S[1] # s1^=LeftRotate(s0&key[0],1);
202 and @S[2],$t2
203 or @S[1],$t1
204 rol \$1,$t2
205 xor $t1,@S[0] # s0^=s1|key[1];
206 xor $t2,@S[3] # s3^=LeftRotate(s2&key[2],1);
207 jmp .Leloop
208
209.align 16
210.Ledone:
211 xor @S[2],$t0 # SwapHalf
212 xor @S[3],$t1
213 xor @S[0],$t2
214 xor @S[1],$t3
215
216 mov $t0,@S[0]
217 mov $t1,@S[1]
218 mov $t2,@S[2]
219 mov $t3,@S[3]
220
221 .byte 0xf3,0xc3 # rep ret
222.size _x86_64_Camellia_encrypt,.-_x86_64_Camellia_encrypt
223
224# V1.x API
225.globl Camellia_DecryptBlock
226.type Camellia_DecryptBlock,\@abi-omnipotent
227.align 16
228Camellia_DecryptBlock:
229 movl \$128,%eax
230 subl $arg0d,%eax
231 movl \$3,$arg0d
232 adcl \$0,$arg0d # keyBitLength==128?3:4
233 jmp .Ldec_rounds
234.size Camellia_DecryptBlock,.-Camellia_DecryptBlock
235# V2
236.globl Camellia_DecryptBlock_Rounds
237.type Camellia_DecryptBlock_Rounds,\@function,4
238.align 16
239.Ldec_rounds:
240Camellia_DecryptBlock_Rounds:
241 push %rbx
242 push %rbp
243 push %r13
244 push %r14
245 push %r15
246.Ldec_prologue:
247
248 #mov %rsi,$inp # put away arguments
249 mov %rcx,$out
250 mov %rdx,$keyend
251
252 shl \$6,%edi # process grandRounds
253 lea .LCamellia_SBOX(%rip),$Tbl
254 lea ($keyend,%rdi),$key
255
256 mov 0(%rsi),@S[0] # load plaintext
257 mov 4(%rsi),@S[1]
258 mov 8(%rsi),@S[2]
259 bswap @S[0]
260 mov 12(%rsi),@S[3]
261 bswap @S[1]
262 bswap @S[2]
263 bswap @S[3]
264
265 call _x86_64_Camellia_decrypt
266
267 bswap @S[0]
268 bswap @S[1]
269 bswap @S[2]
270 mov @S[0],0($out)
271 bswap @S[3]
272 mov @S[1],4($out)
273 mov @S[2],8($out)
274 mov @S[3],12($out)
275
276 mov 0(%rsp),%r15
277 mov 8(%rsp),%r14
278 mov 16(%rsp),%r13
279 mov 24(%rsp),%rbp
280 mov 32(%rsp),%rbx
281 lea 40(%rsp),%rsp
282.Ldec_epilogue:
283 ret
284.size Camellia_DecryptBlock_Rounds,.-Camellia_DecryptBlock_Rounds
285
286.type _x86_64_Camellia_decrypt,\@abi-omnipotent
287.align 16
288_x86_64_Camellia_decrypt:
289 xor 0($key),@S[1]
290 xor 4($key),@S[0] # ^=key[0-3]
291 xor 8($key),@S[3]
292 xor 12($key),@S[2]
293.align 16
294.Ldloop:
295 mov -8($key),$t1 # prefetch key[4-5]
296 mov -4($key),$t0
297
298___
299 for ($i=0;$i<6;$i++) { Camellia_Feistel($i,-8); }
300$code.=<<___;
301 lea -16*4($key),$key
302 cmp $keyend,$key
303 mov 0($key),$t3 # prefetch key[2-3]
304 mov 4($key),$t2
305 je .Lddone
306
307 and @S[0],$t0
308 or @S[3],$t3
309 rol \$1,$t0
310 xor $t3,@S[2] # s2^=s3|key[3];
311 xor $t0,@S[1] # s1^=LeftRotate(s0&key[0],1);
312 and @S[2],$t2
313 or @S[1],$t1
314 rol \$1,$t2
315 xor $t1,@S[0] # s0^=s1|key[1];
316 xor $t2,@S[3] # s3^=LeftRotate(s2&key[2],1);
317
318 jmp .Ldloop
319
320.align 16
321.Lddone:
322 xor @S[2],$t2
323 xor @S[3],$t3
324 xor @S[0],$t0
325 xor @S[1],$t1
326
327 mov $t2,@S[0] # SwapHalf
328 mov $t3,@S[1]
329 mov $t0,@S[2]
330 mov $t1,@S[3]
331
332 .byte 0xf3,0xc3 # rep ret
333.size _x86_64_Camellia_decrypt,.-_x86_64_Camellia_decrypt
334___
335
336sub _saveround {
337my ($rnd,$key,@T)=@_;
338my $bias=int(@T[0])?shift(@T):0;
339
340 if ($#T==3) {
341 $code.=<<___;
342 mov @T[1],`$bias+$rnd*8+0`($key)
343 mov @T[0],`$bias+$rnd*8+4`($key)
344 mov @T[3],`$bias+$rnd*8+8`($key)
345 mov @T[2],`$bias+$rnd*8+12`($key)
346___
347 } else {
348 $code.=" mov @T[0],`$bias+$rnd*8+0`($key)\n";
349 $code.=" mov @T[1],`$bias+$rnd*8+8`($key)\n" if ($#T>=1);
350 }
351}
352
353sub _loadround {
354my ($rnd,$key,@T)=@_;
355my $bias=int(@T[0])?shift(@T):0;
356
357$code.=" mov `$bias+$rnd*8+0`($key),@T[0]\n";
358$code.=" mov `$bias+$rnd*8+8`($key),@T[1]\n" if ($#T>=1);
359}
360
361# shld is very slow on Intel EM64T family. Even on AMD it limits
362# instruction decode rate [because it's VectorPath] and consequently
363# performance...
364sub __rotl128 {
365my ($i0,$i1,$rot)=@_;
366
367 if ($rot) {
368 $code.=<<___;
369 mov $i0,%r11
370 shld \$$rot,$i1,$i0
371 shld \$$rot,%r11,$i1
372___
373 }
374}
375
376# ... Implementing 128-bit rotate without shld gives 80% better
377# performance EM64T, +15% on AMD64 and only ~7% degradation on
378# Core2. This is therefore preferred.
379sub _rotl128 {
380my ($i0,$i1,$rot)=@_;
381
382 if ($rot) {
383 $code.=<<___;
384 mov $i0,%r11
385 shl \$$rot,$i0
386 mov $i1,%r9
387 shr \$`64-$rot`,%r9
388 shr \$`64-$rot`,%r11
389 or %r9,$i0
390 shl \$$rot,$i1
391 or %r11,$i1
392___
393 }
394}
395
396{ my $step=0;
397
398$code.=<<___;
399.globl Camellia_Ekeygen
400.type Camellia_Ekeygen,\@function,3
401.align 16
402Camellia_Ekeygen:
403 push %rbx
404 push %rbp
405 push %r13
406 push %r14
407 push %r15
408.Lkey_prologue:
409
410 mov %rdi,$keyend # put away arguments, keyBitLength
411 mov %rdx,$out # keyTable
412
413 mov 0(%rsi),@S[0] # load 0-127 bits
414 mov 4(%rsi),@S[1]
415 mov 8(%rsi),@S[2]
416 mov 12(%rsi),@S[3]
417
418 bswap @S[0]
419 bswap @S[1]
420 bswap @S[2]
421 bswap @S[3]
422___
423 &_saveround (0,$out,@S); # KL<<<0
424$code.=<<___;
425 cmp \$128,$keyend # check keyBitLength
426 je .L1st128
427
428 mov 16(%rsi),@S[0] # load 128-191 bits
429 mov 20(%rsi),@S[1]
430 cmp \$192,$keyend
431 je .L1st192
432 mov 24(%rsi),@S[2] # load 192-255 bits
433 mov 28(%rsi),@S[3]
434 jmp .L1st256
435.L1st192:
436 mov @S[0],@S[2]
437 mov @S[1],@S[3]
438 not @S[2]
439 not @S[3]
440.L1st256:
441 bswap @S[0]
442 bswap @S[1]
443 bswap @S[2]
444 bswap @S[3]
445___
446 &_saveround (4,$out,@S); # temp storage for KR!
447$code.=<<___;
448 xor 0($out),@S[1] # KR^KL
449 xor 4($out),@S[0]
450 xor 8($out),@S[3]
451 xor 12($out),@S[2]
452
453.L1st128:
454 lea .LCamellia_SIGMA(%rip),$key
455 lea .LCamellia_SBOX(%rip),$Tbl
456
457 mov 0($key),$t1
458 mov 4($key),$t0
459___
460 &Camellia_Feistel($step++);
461 &Camellia_Feistel($step++);
462$code.=<<___;
463 xor 0($out),@S[1] # ^KL
464 xor 4($out),@S[0]
465 xor 8($out),@S[3]
466 xor 12($out),@S[2]
467___
468 &Camellia_Feistel($step++);
469 &Camellia_Feistel($step++);
470$code.=<<___;
471 cmp \$128,$keyend
472 jne .L2nd256
473
474 lea 128($out),$out # size optimization
475 shl \$32,%r8 # @S[0]||
476 shl \$32,%r10 # @S[2]||
477 or %r9,%r8 # ||@S[1]
478 or %r11,%r10 # ||@S[3]
479___
480 &_loadround (0,$out,-128,"%rax","%rbx"); # KL
481 &_saveround (2,$out,-128,"%r8","%r10"); # KA<<<0
482 &_rotl128 ("%rax","%rbx",15);
483 &_saveround (4,$out,-128,"%rax","%rbx"); # KL<<<15
484 &_rotl128 ("%r8","%r10",15);
485 &_saveround (6,$out,-128,"%r8","%r10"); # KA<<<15
486 &_rotl128 ("%r8","%r10",15); # 15+15=30
487 &_saveround (8,$out,-128,"%r8","%r10"); # KA<<<30
488 &_rotl128 ("%rax","%rbx",30); # 15+30=45
489 &_saveround (10,$out,-128,"%rax","%rbx"); # KL<<<45
490 &_rotl128 ("%r8","%r10",15); # 30+15=45
491 &_saveround (12,$out,-128,"%r8"); # KA<<<45
492 &_rotl128 ("%rax","%rbx",15); # 45+15=60
493 &_saveround (13,$out,-128,"%rbx"); # KL<<<60
494 &_rotl128 ("%r8","%r10",15); # 45+15=60
495 &_saveround (14,$out,-128,"%r8","%r10"); # KA<<<60
496 &_rotl128 ("%rax","%rbx",17); # 60+17=77
497 &_saveround (16,$out,-128,"%rax","%rbx"); # KL<<<77
498 &_rotl128 ("%rax","%rbx",17); # 77+17=94
499 &_saveround (18,$out,-128,"%rax","%rbx"); # KL<<<94
500 &_rotl128 ("%r8","%r10",34); # 60+34=94
501 &_saveround (20,$out,-128,"%r8","%r10"); # KA<<<94
502 &_rotl128 ("%rax","%rbx",17); # 94+17=111
503 &_saveround (22,$out,-128,"%rax","%rbx"); # KL<<<111
504 &_rotl128 ("%r8","%r10",17); # 94+17=111
505 &_saveround (24,$out,-128,"%r8","%r10"); # KA<<<111
506$code.=<<___;
507 mov \$3,%eax
508 jmp .Ldone
509.align 16
510.L2nd256:
511___
512 &_saveround (6,$out,@S); # temp storage for KA!
513$code.=<<___;
514 xor `4*8+0`($out),@S[1] # KA^KR
515 xor `4*8+4`($out),@S[0]
516 xor `5*8+0`($out),@S[3]
517 xor `5*8+4`($out),@S[2]
518___
519 &Camellia_Feistel($step++);
520 &Camellia_Feistel($step++);
521
522 &_loadround (0,$out,"%rax","%rbx"); # KL
523 &_loadround (4,$out,"%rcx","%rdx"); # KR
524 &_loadround (6,$out,"%r14","%r15"); # KA
525$code.=<<___;
526 lea 128($out),$out # size optimization
527 shl \$32,%r8 # @S[0]||
528 shl \$32,%r10 # @S[2]||
529 or %r9,%r8 # ||@S[1]
530 or %r11,%r10 # ||@S[3]
531___
532 &_saveround (2,$out,-128,"%r8","%r10"); # KB<<<0
533 &_rotl128 ("%rcx","%rdx",15);
534 &_saveround (4,$out,-128,"%rcx","%rdx"); # KR<<<15
535 &_rotl128 ("%r14","%r15",15);
536 &_saveround (6,$out,-128,"%r14","%r15"); # KA<<<15
537 &_rotl128 ("%rcx","%rdx",15); # 15+15=30
538 &_saveround (8,$out,-128,"%rcx","%rdx"); # KR<<<30
539 &_rotl128 ("%r8","%r10",30);
540 &_saveround (10,$out,-128,"%r8","%r10"); # KB<<<30
541 &_rotl128 ("%rax","%rbx",45);
542 &_saveround (12,$out,-128,"%rax","%rbx"); # KL<<<45
543 &_rotl128 ("%r14","%r15",30); # 15+30=45
544 &_saveround (14,$out,-128,"%r14","%r15"); # KA<<<45
545 &_rotl128 ("%rax","%rbx",15); # 45+15=60
546 &_saveround (16,$out,-128,"%rax","%rbx"); # KL<<<60
547 &_rotl128 ("%rcx","%rdx",30); # 30+30=60
548 &_saveround (18,$out,-128,"%rcx","%rdx"); # KR<<<60
549 &_rotl128 ("%r8","%r10",30); # 30+30=60
550 &_saveround (20,$out,-128,"%r8","%r10"); # KB<<<60
551 &_rotl128 ("%rax","%rbx",17); # 60+17=77
552 &_saveround (22,$out,-128,"%rax","%rbx"); # KL<<<77
553 &_rotl128 ("%r14","%r15",32); # 45+32=77
554 &_saveround (24,$out,-128,"%r14","%r15"); # KA<<<77
555 &_rotl128 ("%rcx","%rdx",34); # 60+34=94
556 &_saveround (26,$out,-128,"%rcx","%rdx"); # KR<<<94
557 &_rotl128 ("%r14","%r15",17); # 77+17=94
558 &_saveround (28,$out,-128,"%r14","%r15"); # KA<<<77
559 &_rotl128 ("%rax","%rbx",34); # 77+34=111
560 &_saveround (30,$out,-128,"%rax","%rbx"); # KL<<<111
561 &_rotl128 ("%r8","%r10",51); # 60+51=111
562 &_saveround (32,$out,-128,"%r8","%r10"); # KB<<<111
563$code.=<<___;
564 mov \$4,%eax
565.Ldone:
566 mov 0(%rsp),%r15
567 mov 8(%rsp),%r14
568 mov 16(%rsp),%r13
569 mov 24(%rsp),%rbp
570 mov 32(%rsp),%rbx
571 lea 40(%rsp),%rsp
572.Lkey_epilogue:
573 ret
574.size Camellia_Ekeygen,.-Camellia_Ekeygen
575___
576}
577
578@SBOX=(
579112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
580 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
581134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
582166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
583139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
584223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
585 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
586254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
587170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
588 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
589135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
590 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
591233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
592120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
593114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
594 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158);
595
596sub S1110 { my $i=shift; $i=@SBOX[$i]; $i=$i<<24|$i<<16|$i<<8; sprintf("0x%08x",$i); }
597sub S4404 { my $i=shift; $i=($i<<1|$i>>7)&0xff; $i=@SBOX[$i]; $i=$i<<24|$i<<16|$i; sprintf("0x%08x",$i); }
598sub S0222 { my $i=shift; $i=@SBOX[$i]; $i=($i<<1|$i>>7)&0xff; $i=$i<<16|$i<<8|$i; sprintf("0x%08x",$i); }
599sub S3033 { my $i=shift; $i=@SBOX[$i]; $i=($i>>1|$i<<7)&0xff; $i=$i<<24|$i<<8|$i; sprintf("0x%08x",$i); }
600
601$code.=<<___;
602.align 64
603.LCamellia_SIGMA:
604.long 0x3bcc908b, 0xa09e667f, 0x4caa73b2, 0xb67ae858
605.long 0xe94f82be, 0xc6ef372f, 0xf1d36f1c, 0x54ff53a5
606.long 0xde682d1d, 0x10e527fa, 0xb3e6c1fd, 0xb05688c2
607.long 0, 0, 0, 0
608.LCamellia_SBOX:
609___
610# tables are interleaved, remember?
611sub data_word { $code.=".long\t".join(',',@_)."\n"; }
612for ($i=0;$i<256;$i++) { &data_word(&S1110($i),&S4404($i)); }
613for ($i=0;$i<256;$i++) { &data_word(&S0222($i),&S3033($i)); }
614
615# void Camellia_cbc_encrypt (const void char *inp, unsigned char *out,
616# size_t length, const CAMELLIA_KEY *key,
617# unsigned char *ivp,const int enc);
618{
619$_key="0(%rsp)";
620$_end="8(%rsp)"; # inp+len&~15
621$_res="16(%rsp)"; # len&15
622$ivec="24(%rsp)";
623$_ivp="40(%rsp)";
624$_rsp="48(%rsp)";
625
626$code.=<<___;
627.globl Camellia_cbc_encrypt
628.type Camellia_cbc_encrypt,\@function,6
629.align 16
630Camellia_cbc_encrypt:
631 cmp \$0,%rdx
632 je .Lcbc_abort
633 push %rbx
634 push %rbp
635 push %r12
636 push %r13
637 push %r14
638 push %r15
639.Lcbc_prologue:
640
641 mov %rsp,%rbp
642 sub \$64,%rsp
643 and \$-64,%rsp
644
645 # place stack frame just "above mod 1024" the key schedule,
646 # this ensures that cache associativity suffices
647 lea -64-63(%rcx),%r10
648 sub %rsp,%r10
649 neg %r10
650 and \$0x3C0,%r10
651 sub %r10,%rsp
652 #add \$8,%rsp # 8 is reserved for callee's ra
653
654 mov %rdi,$inp # inp argument
655 mov %rsi,$out # out argument
656 mov %r8,%rbx # ivp argument
657 mov %rcx,$key # key argument
658 mov 272(%rcx),${keyend}d # grandRounds
659
660 mov %r8,$_ivp
661 mov %rbp,$_rsp
662
663.Lcbc_body:
664 lea .LCamellia_SBOX(%rip),$Tbl
665
666 mov \$32,%ecx
667.align 4
668.Lcbc_prefetch_sbox:
669 mov 0($Tbl),%rax
670 mov 32($Tbl),%rsi
671 mov 64($Tbl),%rdi
672 mov 96($Tbl),%r11
673 lea 128($Tbl),$Tbl
674 loop .Lcbc_prefetch_sbox
675 sub \$4096,$Tbl
676 shl \$6,$keyend
677 mov %rdx,%rcx # len argument
678 lea ($key,$keyend),$keyend
679
680 cmp \$0,%r9d # enc argument
681 je .LCBC_DECRYPT
682
683 and \$-16,%rdx
684 and \$15,%rcx # length residue
685 lea ($inp,%rdx),%rdx
686 mov $key,$_key
687 mov %rdx,$_end
688 mov %rcx,$_res
689
690 cmp $inp,%rdx
691 mov 0(%rbx),@S[0] # load IV
692 mov 4(%rbx),@S[1]
693 mov 8(%rbx),@S[2]
694 mov 12(%rbx),@S[3]
695 je .Lcbc_enc_tail
696 jmp .Lcbc_eloop
697
698.align 16
699.Lcbc_eloop:
700 xor 0($inp),@S[0]
701 xor 4($inp),@S[1]
702 xor 8($inp),@S[2]
703 bswap @S[0]
704 xor 12($inp),@S[3]
705 bswap @S[1]
706 bswap @S[2]
707 bswap @S[3]
708
709 call _x86_64_Camellia_encrypt
710
711 mov $_key,$key # "rewind" the key
712 bswap @S[0]
713 mov $_end,%rdx
714 bswap @S[1]
715 mov $_res,%rcx
716 bswap @S[2]
717 mov @S[0],0($out)
718 bswap @S[3]
719 mov @S[1],4($out)
720 mov @S[2],8($out)
721 lea 16($inp),$inp
722 mov @S[3],12($out)
723 cmp %rdx,$inp
724 lea 16($out),$out
725 jne .Lcbc_eloop
726
727 cmp \$0,%rcx
728 jne .Lcbc_enc_tail
729
730 mov $_ivp,$out
731 mov @S[0],0($out) # write out IV residue
732 mov @S[1],4($out)
733 mov @S[2],8($out)
734 mov @S[3],12($out)
735 jmp .Lcbc_done
736
737.align 16
738.Lcbc_enc_tail:
739 xor %rax,%rax
740 mov %rax,0+$ivec
741 mov %rax,8+$ivec
742 mov %rax,$_res
743
744.Lcbc_enc_pushf:
745 pushfq
746 cld
747 mov $inp,%rsi
748 lea 8+$ivec,%rdi
749 .long 0x9066A4F3 # rep movsb
750 popfq
751.Lcbc_enc_popf:
752
753 lea $ivec,$inp
754 lea 16+$ivec,%rax
755 mov %rax,$_end
756 jmp .Lcbc_eloop # one more time
757
758.align 16
759.LCBC_DECRYPT:
760 xchg $key,$keyend
761 add \$15,%rdx
762 and \$15,%rcx # length residue
763 and \$-16,%rdx
764 mov $key,$_key
765 lea ($inp,%rdx),%rdx
766 mov %rdx,$_end
767 mov %rcx,$_res
768
769 mov (%rbx),%rax # load IV
770 mov 8(%rbx),%rbx
771 jmp .Lcbc_dloop
772.align 16
773.Lcbc_dloop:
774 mov 0($inp),@S[0]
775 mov 4($inp),@S[1]
776 mov 8($inp),@S[2]
777 bswap @S[0]
778 mov 12($inp),@S[3]
779 bswap @S[1]
780 mov %rax,0+$ivec # save IV to temporary storage
781 bswap @S[2]
782 mov %rbx,8+$ivec
783 bswap @S[3]
784
785 call _x86_64_Camellia_decrypt
786
787 mov $_key,$key # "rewind" the key
788 mov $_end,%rdx
789 mov $_res,%rcx
790
791 bswap @S[0]
792 mov ($inp),%rax # load IV for next iteration
793 bswap @S[1]
794 mov 8($inp),%rbx
795 bswap @S[2]
796 xor 0+$ivec,@S[0]
797 bswap @S[3]
798 xor 4+$ivec,@S[1]
799 xor 8+$ivec,@S[2]
800 lea 16($inp),$inp
801 xor 12+$ivec,@S[3]
802 cmp %rdx,$inp
803 je .Lcbc_ddone
804
805 mov @S[0],0($out)
806 mov @S[1],4($out)
807 mov @S[2],8($out)
808 mov @S[3],12($out)
809
810 lea 16($out),$out
811 jmp .Lcbc_dloop
812
813.align 16
814.Lcbc_ddone:
815 mov $_ivp,%rdx
816 cmp \$0,%rcx
817 jne .Lcbc_dec_tail
818
819 mov @S[0],0($out)
820 mov @S[1],4($out)
821 mov @S[2],8($out)
822 mov @S[3],12($out)
823
824 mov %rax,(%rdx) # write out IV residue
825 mov %rbx,8(%rdx)
826 jmp .Lcbc_done
827.align 16
828.Lcbc_dec_tail:
829 mov @S[0],0+$ivec
830 mov @S[1],4+$ivec
831 mov @S[2],8+$ivec
832 mov @S[3],12+$ivec
833
834.Lcbc_dec_pushf:
835 pushfq
836 cld
837 lea 8+$ivec,%rsi
838 lea ($out),%rdi
839 .long 0x9066A4F3 # rep movsb
840 popfq
841.Lcbc_dec_popf:
842
843 mov %rax,(%rdx) # write out IV residue
844 mov %rbx,8(%rdx)
845 jmp .Lcbc_done
846
847.align 16
848.Lcbc_done:
849 mov $_rsp,%rcx
850 mov 0(%rcx),%r15
851 mov 8(%rcx),%r14
852 mov 16(%rcx),%r13
853 mov 24(%rcx),%r12
854 mov 32(%rcx),%rbp
855 mov 40(%rcx),%rbx
856 lea 48(%rcx),%rsp
857.Lcbc_abort:
858 ret
859.size Camellia_cbc_encrypt,.-Camellia_cbc_encrypt
860
861.asciz "Camellia for x86_64 by <appro\@openssl.org>"
862___
863}
864
865$code =~ s/\`([^\`]*)\`/eval $1/gem;
866print $code;
867close STDOUT;
diff --git a/src/lib/libcrypto/camellia/camellia.c b/src/lib/libcrypto/camellia/camellia.c
deleted file mode 100644
index cb577798a8..0000000000
--- a/src/lib/libcrypto/camellia/camellia.c
+++ /dev/null
@@ -1,571 +0,0 @@
1/* $OpenBSD: camellia.c,v 1.10 2014/11/19 11:37:52 bcook Exp $ */
2/* ====================================================================
3 * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) .
4 * ALL RIGHTS RESERVED.
5 *
6 * Intellectual Property information for Camellia:
7 * http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
8 *
9 * News Release for Announcement of Camellia open source:
10 * http://www.ntt.co.jp/news/news06e/0604/060413a.html
11 *
12 * The Camellia Code included herein is developed by
13 * NTT (Nippon Telegraph and Telephone Corporation), and is contributed
14 * to the OpenSSL project.
15 *
16 * The Camellia Code is licensed pursuant to the OpenSSL open source
17 * license provided below.
18 */
19/* ====================================================================
20 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 *
26 * 1. Redistributions of source code must retain the above copyright
27 * notice, this list of conditions and the following disclaimer.
28 *
29 * 2. Redistributions in binary form must reproduce the above copyright
30 * notice, this list of conditions and the following disclaimer in
31 * the documentation and/or other materials provided with the
32 * distribution.
33 *
34 * 3. All advertising materials mentioning features or use of this
35 * software must display the following acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
38 *
39 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
40 * endorse or promote products derived from this software without
41 * prior written permission. For written permission, please contact
42 * openssl-core@openssl.org.
43 *
44 * 5. Products derived from this software may not be called "OpenSSL"
45 * nor may "OpenSSL" appear in their names without prior written
46 * permission of the OpenSSL Project.
47 *
48 * 6. Redistributions of any form whatsoever must retain the following
49 * acknowledgment:
50 * "This product includes software developed by the OpenSSL Project
51 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
54 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
56 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
57 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
58 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
59 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
60 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
61 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
62 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
63 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
64 * OF THE POSSIBILITY OF SUCH DAMAGE.
65 * ====================================================================
66 */
67
68/*
69 * Algorithm Specification
70 * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
71 */
72
73/*
74 * This release balances code size and performance. In particular key
75 * schedule setup is fully unrolled, because doing so *significantly*
76 * reduces amount of instructions per setup round and code increase is
77 * justifiable. In block functions on the other hand only inner loops
78 * are unrolled, as full unroll gives only nominal performance boost,
79 * while code size grows 4 or 7 times. Also, unlike previous versions
80 * this one "encourages" compiler to keep intermediate variables in
81 * registers, which should give better "all round" results, in other
82 * words reasonable performance even with not so modern compilers.
83 */
84
85#include <stdlib.h>
86#include <string.h>
87#include <openssl/camellia.h>
88#include <openssl/opensslconf.h>
89
90#include "cmll_locl.h"
91
92/* 32-bit rotations */
93#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
94# if defined(__GNUC__) && __GNUC__>=2
95# if defined(__i386) || defined(__x86_64)
96# define RightRotate(x,s) ({u32 ret; asm ("rorl %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; })
97# define LeftRotate(x,s) ({u32 ret; asm ("roll %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; })
98# define GETU32(p) ({u32 r=*(const u32 *)(p); asm("bswapl %0":"=r"(r):"0"(r)); r; })
99# define PUTU32(p,v) ({u32 r=(v); asm("bswapl %0":"=r"(r):"0"(r)); *(u32 *)(p)=r; })
100# elif defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \
101 defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__)
102# define LeftRotate(x,s) ({u32 ret; asm ("rlwinm %0,%1,%2,0,31":"=r"(ret):"r"(x),"I"(s)); ret; })
103# define RightRotate(x,s) LeftRotate(x,(32-s))
104# elif defined(__s390x__)
105# define LeftRotate(x,s) ({u32 ret; asm ("rll %0,%1,%2":"=r"(ret):"r"(x),"I"(s)); ret; })
106# define RightRotate(x,s) LeftRotate(x,(32-s))
107# define GETU32(p) (*(u32 *)(p))
108# define PUTU32(p,v) (*(u32 *)(p)=(v))
109# endif
110# endif
111#endif
112
113#if !defined(RightRotate) && !defined(LeftRotate)
114# define RightRotate(x, s) ( ((x) >> (s)) + ((x) << (32 - s)) )
115# define LeftRotate(x, s) ( ((x) << (s)) + ((x) >> (32 - s)) )
116#endif
117
118#if !defined(GETU32) && !defined(PUTU32)
119# define GETU32(p) (((u32)(p)[0] << 24) ^ ((u32)(p)[1] << 16) ^ ((u32)(p)[2] << 8) ^ ((u32)(p)[3]))
120# define PUTU32(p,v) ((p)[0] = (u8)((v) >> 24), (p)[1] = (u8)((v) >> 16), (p)[2] = (u8)((v) >> 8), (p)[3] = (u8)(v))
121#endif
122
123/* S-box data */
124#define SBOX1_1110 Camellia_SBOX[0]
125#define SBOX4_4404 Camellia_SBOX[1]
126#define SBOX2_0222 Camellia_SBOX[2]
127#define SBOX3_3033 Camellia_SBOX[3]
128static const u32 Camellia_SBOX[][256] = {
129{ 0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00, 0xb3b3b300, 0x27272700,
130 0xc0c0c000, 0xe5e5e500, 0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
131 0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100, 0x23232300, 0xefefef00,
132 0x6b6b6b00, 0x93939300, 0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
133 0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00, 0x1d1d1d00, 0x65656500,
134 0x92929200, 0xbdbdbd00, 0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
135 0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00, 0x3e3e3e00, 0x30303000,
136 0xdcdcdc00, 0x5f5f5f00, 0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
137 0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00, 0xd5d5d500, 0x47474700,
138 0x5d5d5d00, 0x3d3d3d00, 0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
139 0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00, 0x8b8b8b00, 0x0d0d0d00,
140 0x9a9a9a00, 0x66666600, 0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
141 0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000, 0xf0f0f000, 0xb1b1b100,
142 0x84848400, 0x99999900, 0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
143 0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500, 0x6d6d6d00, 0xb7b7b700,
144 0xa9a9a900, 0x31313100, 0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
145 0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100, 0xdedede00, 0x1b1b1b00,
146 0x11111100, 0x1c1c1c00, 0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
147 0x53535300, 0x18181800, 0xf2f2f200, 0x22222200, 0xfefefe00, 0x44444400,
148 0xcfcfcf00, 0xb2b2b200, 0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
149 0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800, 0x60606000, 0xfcfcfc00,
150 0x69696900, 0x50505000, 0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
151 0xa1a1a100, 0x89898900, 0x62626200, 0x97979700, 0x54545400, 0x5b5b5b00,
152 0x1e1e1e00, 0x95959500, 0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
153 0x10101000, 0xc4c4c400, 0x00000000, 0x48484800, 0xa3a3a300, 0xf7f7f700,
154 0x75757500, 0xdbdbdb00, 0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
155 0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400, 0x87878700, 0x5c5c5c00,
156 0x83838300, 0x02020200, 0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
157 0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300, 0x9d9d9d00, 0x7f7f7f00,
158 0xbfbfbf00, 0xe2e2e200, 0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
159 0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00, 0x81818100, 0x96969600,
160 0x6f6f6f00, 0x4b4b4b00, 0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
161 0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00, 0x9f9f9f00, 0x6e6e6e00,
162 0xbcbcbc00, 0x8e8e8e00, 0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
163 0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900, 0x78787800, 0x98989800,
164 0x06060600, 0x6a6a6a00, 0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
165 0xd4d4d400, 0x25252500, 0xababab00, 0x42424200, 0x88888800, 0xa2a2a200,
166 0x8d8d8d00, 0xfafafa00, 0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
167 0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00, 0x36363600, 0x49494900,
168 0x2a2a2a00, 0x68686800, 0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
169 0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00, 0xbbbbbb00, 0xc9c9c900,
170 0x43434300, 0xc1c1c100, 0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
171 0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00 },
172{ 0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0, 0xe4e400e4, 0x57570057,
173 0xeaea00ea, 0xaeae00ae, 0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
174 0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092, 0x86860086, 0xafaf00af,
175 0x7c7c007c, 0x1f1f001f, 0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
176 0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d, 0xd9d900d9, 0x5a5a005a,
177 0x51510051, 0x6c6c006c, 0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
178 0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084, 0xdfdf00df, 0xcbcb00cb,
179 0x34340034, 0x76760076, 0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
180 0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011, 0x32320032, 0x9c9c009c,
181 0x53530053, 0xf2f200f2, 0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
182 0x24240024, 0xe8e800e8, 0x60600060, 0x69690069, 0xaaaa00aa, 0xa0a000a0,
183 0xa1a100a1, 0x62620062, 0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
184 0x10100010, 0x00000000, 0xa3a300a3, 0x75750075, 0x8a8a008a, 0xe6e600e6,
185 0x09090009, 0xdddd00dd, 0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
186 0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf, 0x52520052, 0xd8d800d8,
187 0xc8c800c8, 0xc6c600c6, 0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
188 0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc, 0x29290029, 0xf9f900f9,
189 0x2f2f002f, 0xb4b400b4, 0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
190 0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d, 0x72720072, 0xb9b900b9,
191 0xf8f800f8, 0xacac00ac, 0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
192 0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043, 0x15150015, 0xadad00ad,
193 0x77770077, 0x80800080, 0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
194 0x85850085, 0x35350035, 0x0c0c000c, 0x41410041, 0xefef00ef, 0x93930093,
195 0x19190019, 0x21210021, 0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
196 0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce, 0x30300030, 0x5f5f005f,
197 0xc5c500c5, 0x1a1a001a, 0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
198 0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d, 0x0d0d000d, 0x66660066,
199 0xcccc00cc, 0x2d2d002d, 0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
200 0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005, 0xb7b700b7, 0x31310031,
201 0x17170017, 0xd7d700d7, 0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
202 0x0f0f000f, 0x16160016, 0x18180018, 0x22220022, 0x44440044, 0xb2b200b2,
203 0xb5b500b5, 0x91910091, 0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
204 0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097, 0x5b5b005b, 0x95950095,
205 0xffff00ff, 0xd2d200d2, 0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
206 0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094, 0x5c5c005c, 0x02020002,
207 0x4a4a004a, 0x33330033, 0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
208 0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b, 0x96960096, 0x4b4b004b,
209 0xbebe00be, 0x2e2e002e, 0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
210 0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059, 0x98980098, 0x6a6a006a,
211 0x46460046, 0xbaba00ba, 0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
212 0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a, 0x49490049, 0x68680068,
213 0x38380038, 0xa4a400a4, 0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
214 0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e },
215{ 0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9, 0x00676767, 0x004e4e4e,
216 0x00818181, 0x00cbcbcb, 0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
217 0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282, 0x00464646, 0x00dfdfdf,
218 0x00d6d6d6, 0x00272727, 0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
219 0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c, 0x003a3a3a, 0x00cacaca,
220 0x00252525, 0x007b7b7b, 0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
221 0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d, 0x007c7c7c, 0x00606060,
222 0x00b9b9b9, 0x00bebebe, 0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
223 0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595, 0x00ababab, 0x008e8e8e,
224 0x00bababa, 0x007a7a7a, 0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
225 0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a, 0x00171717, 0x001a1a1a,
226 0x00353535, 0x00cccccc, 0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
227 0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040, 0x00e1e1e1, 0x00636363,
228 0x00090909, 0x00333333, 0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
229 0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a, 0x00dadada, 0x006f6f6f,
230 0x00535353, 0x00626262, 0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
231 0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2, 0x00bdbdbd, 0x00363636,
232 0x00222222, 0x00383838, 0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
233 0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444, 0x00fdfdfd, 0x00888888,
234 0x009f9f9f, 0x00656565, 0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
235 0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151, 0x00c0c0c0, 0x00f9f9f9,
236 0x00d2d2d2, 0x00a0a0a0, 0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
237 0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f, 0x00a8a8a8, 0x00b6b6b6,
238 0x003c3c3c, 0x002b2b2b, 0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
239 0x00202020, 0x00898989, 0x00000000, 0x00909090, 0x00474747, 0x00efefef,
240 0x00eaeaea, 0x00b7b7b7, 0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
241 0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929, 0x000f0f0f, 0x00b8b8b8,
242 0x00070707, 0x00040404, 0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
243 0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7, 0x003b3b3b, 0x00fefefe,
244 0x007f7f7f, 0x00c5c5c5, 0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
245 0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676, 0x00030303, 0x002d2d2d,
246 0x00dedede, 0x00969696, 0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
247 0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919, 0x003f3f3f, 0x00dcdcdc,
248 0x00797979, 0x001d1d1d, 0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
249 0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2, 0x00f0f0f0, 0x00313131,
250 0x000c0c0c, 0x00d4d4d4, 0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
251 0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484, 0x00111111, 0x00454545,
252 0x001b1b1b, 0x00f5f5f5, 0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
253 0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414, 0x006c6c6c, 0x00929292,
254 0x00545454, 0x00d0d0d0, 0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
255 0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6, 0x00777777, 0x00939393,
256 0x00868686, 0x00838383, 0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
257 0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d },
258{ 0x38003838, 0x41004141, 0x16001616, 0x76007676, 0xd900d9d9, 0x93009393,
259 0x60006060, 0xf200f2f2, 0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
260 0x75007575, 0x06000606, 0x57005757, 0xa000a0a0, 0x91009191, 0xf700f7f7,
261 0xb500b5b5, 0xc900c9c9, 0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
262 0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727, 0x8e008e8e, 0xb200b2b2,
263 0x49004949, 0xde00dede, 0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
264 0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767, 0x1f001f1f, 0x18001818,
265 0x6e006e6e, 0xaf00afaf, 0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
266 0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565, 0xea00eaea, 0xa300a3a3,
267 0xae00aeae, 0x9e009e9e, 0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
268 0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6, 0xc500c5c5, 0x86008686,
269 0x4d004d4d, 0x33003333, 0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
270 0x3a003a3a, 0x09000909, 0x95009595, 0x10001010, 0x78007878, 0xd800d8d8,
271 0x42004242, 0xcc00cccc, 0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
272 0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282, 0xb600b6b6, 0xdb00dbdb,
273 0xd400d4d4, 0x98009898, 0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
274 0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0, 0x6f006f6f, 0x8d008d8d,
275 0x88008888, 0x0e000e0e, 0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
276 0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111, 0x7f007f7f, 0x22002222,
277 0xe700e7e7, 0x59005959, 0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
278 0x12001212, 0x04000404, 0x74007474, 0x54005454, 0x30003030, 0x7e007e7e,
279 0xb400b4b4, 0x28002828, 0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
280 0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb, 0x2a002a2a, 0xad00adad,
281 0x0f000f0f, 0xca00caca, 0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
282 0x08000808, 0x62006262, 0x00000000, 0x24002424, 0xd100d1d1, 0xfb00fbfb,
283 0xba00baba, 0xed00eded, 0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
284 0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a, 0xc300c3c3, 0x2e002e2e,
285 0xc100c1c1, 0x01000101, 0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
286 0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9, 0xce00cece, 0xbf00bfbf,
287 0xdf00dfdf, 0x71007171, 0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
288 0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d, 0xc000c0c0, 0x4b004b4b,
289 0xb700b7b7, 0xa500a5a5, 0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
290 0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646, 0xcf00cfcf, 0x37003737,
291 0x5e005e5e, 0x47004747, 0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
292 0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac, 0x3c003c3c, 0x4c004c4c,
293 0x03000303, 0x35003535, 0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
294 0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121, 0x44004444, 0x51005151,
295 0xc600c6c6, 0x7d007d7d, 0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
296 0x7c007c7c, 0x77007777, 0x56005656, 0x05000505, 0x1b001b1b, 0xa400a4a4,
297 0x15001515, 0x34003434, 0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
298 0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd, 0xdd00dddd, 0xe400e4e4,
299 0xa100a1a1, 0xe000e0e0, 0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
300 0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f }
301};
302
303/* Key generation constants */
304static const u32 SIGMA[] = {
305 0xa09e667f, 0x3bcc908b, 0xb67ae858, 0x4caa73b2, 0xc6ef372f, 0xe94f82be,
306 0x54ff53a5, 0xf1d36f1c, 0x10e527fa, 0xde682d1d, 0xb05688c2, 0xb3e6c1fd
307};
308
309/* The phi algorithm given in C.2.7 of the Camellia spec document. */
310/*
311 * This version does not attempt to minimize amount of temporary
312 * variables, but instead explicitly exposes algorithm's parallelism.
313 * It is therefore most appropriate for platforms with not less than
314 * ~16 registers. For platforms with fewer registers [well, x86 to be
315 * specific] assembler version should be/is provided anyway...
316 */
317#define Camellia_Feistel(_s0,_s1,_s2,_s3,_key) \
318do { \
319 u32 _t0, _t1, _t2, _t3; \
320 _t0 = _s0 ^ (_key)[0]; \
321 _t3 = SBOX4_4404[_t0 & 0xff]; \
322 _t1 = _s1 ^ (_key)[1]; \
323 _t3 ^= SBOX3_3033[(_t0 >> 8) & 0xff]; \
324 _t2 = SBOX1_1110[_t1 & 0xff]; \
325 _t3 ^= SBOX2_0222[(_t0 >> 16) & 0xff]; \
326 _t2 ^= SBOX4_4404[(_t1 >> 8) & 0xff]; \
327 _t3 ^= SBOX1_1110[(_t0 >> 24)]; \
328 _t2 ^= _t3; \
329 _t3 = RightRotate(_t3, 8); \
330 _t2 ^= SBOX3_3033[(_t1 >> 16) & 0xff]; \
331 _s3 ^= _t3; \
332 _t2 ^= SBOX2_0222[(_t1 >> 24)]; \
333 _s2 ^= _t2; \
334 _s3 ^= _t2; \
335} while(0)
336
337/*
338 * Note that n has to be less than 32. Rotations for larger amount
339 * of bits are achieved by "rotating" order of s-elements and
340 * adjusting n accordingly, e.g. RotLeft128(s1, s2, s3, s0, n - 32).
341 */
342#define RotLeft128(_s0, _s1, _s2, _s3, _n) \
343do { \
344 u32 _t0 = _s0 >> (32 - _n); \
345 _s0 = (_s0 << _n) | (_s1 >> (32 - _n)); \
346 _s1 = (_s1 << _n) | (_s2 >> (32 - _n)); \
347 _s2 = (_s2 << _n) | (_s3 >> (32 - _n)); \
348 _s3 = (_s3 << _n) | _t0; \
349} while (0)
350
351int
352Camellia_Ekeygen(int keyBitLength, const u8 *rawKey, KEY_TABLE_TYPE k)
353{
354 u32 s0, s1, s2, s3;
355
356 k[0] = s0 = GETU32(rawKey);
357 k[1] = s1 = GETU32(rawKey + 4);
358 k[2] = s2 = GETU32(rawKey + 8);
359 k[3] = s3 = GETU32(rawKey + 12);
360
361 if (keyBitLength != 128) {
362 k[8] = s0 = GETU32(rawKey + 16);
363 k[9] = s1 = GETU32(rawKey + 20);
364 if (keyBitLength == 192) {
365 k[10] = s2 = ~s0;
366 k[11] = s3 = ~s1;
367 } else {
368 k[10] = s2 = GETU32(rawKey + 24);
369 k[11] = s3 = GETU32(rawKey + 28);
370 }
371 s0 ^= k[0], s1 ^= k[1], s2 ^= k[2], s3 ^= k[3];
372 }
373
374 /* Use the Feistel routine to scramble the key material */
375 Camellia_Feistel(s0, s1, s2, s3, SIGMA + 0);
376 Camellia_Feistel(s2, s3, s0, s1, SIGMA + 2);
377
378 s0 ^= k[0], s1 ^= k[1], s2 ^= k[2], s3 ^= k[3];
379 Camellia_Feistel(s0, s1, s2, s3, SIGMA + 4);
380 Camellia_Feistel(s2, s3, s0, s1, SIGMA + 6);
381
382 /* Fill the keyTable. Requires many block rotations. */
383 if (keyBitLength == 128) {
384 k[ 4] = s0, k[ 5] = s1, k[ 6] = s2, k[ 7] = s3;
385 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 15 */
386 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
387 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 30 */
388 k[16] = s0, k[17] = s1, k[18] = s2, k[19] = s3;
389 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 45 */
390 k[24] = s0, k[25] = s1;
391 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 60 */
392 k[28] = s0, k[29] = s1, k[30] = s2, k[31] = s3;
393 RotLeft128(s1, s2, s3, s0, 2); /* KA <<< 94 */
394 k[40] = s1, k[41] = s2, k[42] = s3, k[43] = s0;
395 RotLeft128(s1, s2, s3, s0, 17); /* KA <<<111 */
396 k[48] = s1, k[49] = s2, k[50] = s3, k[51] = s0;
397
398 s0 = k[ 0], s1 = k[ 1], s2 = k[ 2], s3 = k[ 3];
399 RotLeft128(s0, s1, s2, s3, 15); /* KL <<< 15 */
400 k[ 8] = s0, k[ 9] = s1, k[10] = s2, k[11] = s3;
401 RotLeft128(s0, s1, s2, s3, 30); /* KL <<< 45 */
402 k[20] = s0, k[21] = s1, k[22] = s2, k[23] = s3;
403 RotLeft128(s0, s1, s2, s3, 15); /* KL <<< 60 */
404 k[26] = s2, k[27] = s3;
405 RotLeft128(s0, s1, s2, s3, 17); /* KL <<< 77 */
406 k[32] = s0, k[33] = s1, k[34] = s2, k[35] = s3;
407 RotLeft128(s0, s1, s2, s3, 17); /* KL <<< 94 */
408 k[36] = s0, k[37] = s1, k[38] = s2, k[39] = s3;
409 RotLeft128(s0, s1, s2, s3, 17); /* KL <<<111 */
410 k[44] = s0, k[45] = s1, k[46] = s2, k[47] = s3;
411
412 return 3; /* grand rounds */
413 } else {
414 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
415 s0 ^= k[8], s1 ^= k[9], s2 ^=k[10], s3 ^=k[11];
416 Camellia_Feistel(s0, s1, s2, s3, (SIGMA + 8));
417 Camellia_Feistel(s2, s3, s0, s1, (SIGMA + 10));
418
419 k[ 4] = s0, k[ 5] = s1, k[ 6] = s2, k[ 7] = s3;
420 RotLeft128(s0, s1, s2, s3, 30); /* KB <<< 30 */
421 k[20] = s0, k[21] = s1, k[22] = s2, k[23] = s3;
422 RotLeft128(s0, s1, s2, s3, 30); /* KB <<< 60 */
423 k[40] = s0, k[41] = s1, k[42] = s2, k[43] = s3;
424 RotLeft128(s1, s2, s3, s0, 19); /* KB <<<111 */
425 k[64] = s1, k[65] = s2, k[66] = s3, k[67] = s0;
426
427 s0 = k[ 8], s1 = k[ 9], s2 = k[10], s3 = k[11];
428 RotLeft128(s0, s1, s2, s3, 15); /* KR <<< 15 */
429 k[ 8] = s0, k[ 9] = s1, k[10] = s2, k[11] = s3;
430 RotLeft128(s0, s1, s2, s3, 15); /* KR <<< 30 */
431 k[16] = s0, k[17] = s1, k[18] = s2, k[19] = s3;
432 RotLeft128(s0, s1, s2, s3, 30); /* KR <<< 60 */
433 k[36] = s0, k[37] = s1, k[38] = s2, k[39] = s3;
434 RotLeft128(s1, s2, s3, s0, 2); /* KR <<< 94 */
435 k[52] = s1, k[53] = s2, k[54] = s3, k[55] = s0;
436
437 s0 = k[12], s1 = k[13], s2 = k[14], s3 = k[15];
438 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 15 */
439 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
440 RotLeft128(s0, s1, s2, s3, 30); /* KA <<< 45 */
441 k[28] = s0, k[29] = s1, k[30] = s2, k[31] = s3;
442 /* KA <<< 77 */
443 k[48] = s1, k[49] = s2, k[50] = s3, k[51] = s0;
444 RotLeft128(s1, s2, s3, s0, 17); /* KA <<< 94 */
445 k[56] = s1, k[57] = s2, k[58] = s3, k[59] = s0;
446
447 s0 = k[ 0], s1 = k[ 1], s2 = k[ 2], s3 = k[ 3];
448 RotLeft128(s1, s2, s3, s0, 13); /* KL <<< 45 */
449 k[24] = s1, k[25] = s2, k[26] = s3, k[27] = s0;
450 RotLeft128(s1, s2, s3, s0, 15); /* KL <<< 60 */
451 k[32] = s1, k[33] = s2, k[34] = s3, k[35] = s0;
452 RotLeft128(s1, s2, s3, s0, 17); /* KL <<< 77 */
453 k[44] = s1, k[45] = s2, k[46] = s3, k[47] = s0;
454 RotLeft128(s2, s3, s0, s1, 2); /* KL <<<111 */
455 k[60] = s2, k[61] = s3, k[62] = s0, k[63] = s1;
456
457 return 4; /* grand rounds */
458 }
459 /*
460 * It is possible to perform certain precalculations, which
461 * would spare few cycles in block procedure. It's not done,
462 * because it upsets the performance balance between key
463 * setup and block procedures, negatively affecting overall
464 * throughput in applications operating on short messages
465 * and volatile keys.
466 */
467}
468
469void
470Camellia_EncryptBlock_Rounds(int grandRounds, const u8 plaintext[],
471 const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
472{
473 u32 s0, s1, s2, s3;
474 const u32 *k = keyTable, *kend = keyTable + grandRounds * 16;
475
476 s0 = GETU32(plaintext) ^ k[0];
477 s1 = GETU32(plaintext + 4) ^ k[1];
478 s2 = GETU32(plaintext + 8) ^ k[2];
479 s3 = GETU32(plaintext + 12) ^ k[3];
480 k += 4;
481
482 while (1) {
483 /* Camellia makes 6 Feistel rounds */
484 Camellia_Feistel(s0, s1, s2, s3, k + 0);
485 Camellia_Feistel(s2, s3, s0, s1, k + 2);
486 Camellia_Feistel(s0, s1, s2, s3, k + 4);
487 Camellia_Feistel(s2, s3, s0, s1, k + 6);
488 Camellia_Feistel(s0, s1, s2, s3, k + 8);
489 Camellia_Feistel(s2, s3, s0, s1, k + 10);
490 k += 12;
491
492 if (k == kend)
493 break;
494
495 /* This is the same function as the diffusion function D
496 * of the accompanying documentation. See section 3.2
497 * for properties of the FLlayer function. */
498 s1 ^= LeftRotate(s0 & k[0], 1);
499 s2 ^= s3 | k[3];
500 s0 ^= s1 | k[1];
501 s3 ^= LeftRotate(s2 & k[2], 1);
502 k += 4;
503 }
504
505 s2 ^= k[0], s3 ^= k[1], s0 ^= k[2], s1 ^= k[3];
506
507 PUTU32(ciphertext, s2);
508 PUTU32(ciphertext + 4, s3);
509 PUTU32(ciphertext + 8, s0);
510 PUTU32(ciphertext + 12, s1);
511}
512
513void
514Camellia_EncryptBlock(int keyBitLength, const u8 plaintext[],
515 const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
516{
517 Camellia_EncryptBlock_Rounds(keyBitLength == 128 ? 3 : 4,
518 plaintext, keyTable, ciphertext);
519}
520
521void
522Camellia_DecryptBlock_Rounds(int grandRounds, const u8 ciphertext[],
523 const KEY_TABLE_TYPE keyTable, u8 plaintext[])
524{
525 u32 s0, s1, s2, s3;
526 const u32 *k = keyTable+grandRounds * 16, *kend = keyTable+4;
527
528 s0 = GETU32(ciphertext) ^ k[0];
529 s1 = GETU32(ciphertext+4) ^ k[1];
530 s2 = GETU32(ciphertext+8) ^ k[2];
531 s3 = GETU32(ciphertext+12) ^ k[3];
532
533 while (1) {
534 /* Camellia makes 6 Feistel rounds */
535 k -= 12;
536 Camellia_Feistel(s0, s1, s2, s3, k+10);
537 Camellia_Feistel(s2, s3, s0, s1, k+8);
538 Camellia_Feistel(s0, s1, s2, s3, k+6);
539 Camellia_Feistel(s2, s3, s0, s1, k+4);
540 Camellia_Feistel(s0, s1, s2, s3, k+2);
541 Camellia_Feistel(s2, s3, s0, s1, k+0);
542
543 if (k == kend)
544 break;
545
546 /* This is the same function as the diffusion function D
547 * of the accompanying documentation. See section 3.2
548 * for properties of the FLlayer function. */
549 k -= 4;
550 s1 ^= LeftRotate(s0 & k[2], 1);
551 s2 ^= s3 | k[1];
552 s0 ^= s1 | k[3];
553 s3 ^= LeftRotate(s2 & k[0], 1);
554 }
555
556 k -= 4;
557 s2 ^= k[0], s3 ^= k[1], s0 ^= k[2], s1 ^= k[3];
558
559 PUTU32(plaintext, s2);
560 PUTU32(plaintext+4, s3);
561 PUTU32(plaintext+8, s0);
562 PUTU32(plaintext+12, s1);
563}
564
565void
566Camellia_DecryptBlock(int keyBitLength, const u8 plaintext[],
567 const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
568{
569 Camellia_DecryptBlock_Rounds(keyBitLength == 128 ? 3 : 4,
570 plaintext, keyTable, ciphertext);
571}
diff --git a/src/lib/libcrypto/camellia/camellia.h b/src/lib/libcrypto/camellia/camellia.h
deleted file mode 100644
index b9b5f792b1..0000000000
--- a/src/lib/libcrypto/camellia/camellia.h
+++ /dev/null
@@ -1,125 +0,0 @@
1/* $OpenBSD: camellia.h,v 1.5 2014/11/13 20:01:58 miod Exp $ */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52#ifndef HEADER_CAMELLIA_H
53#define HEADER_CAMELLIA_H
54
55#include <openssl/opensslconf.h>
56
57#ifdef OPENSSL_NO_CAMELLIA
58#error CAMELLIA is disabled.
59#endif
60
61#include <stddef.h>
62
63#define CAMELLIA_ENCRYPT 1
64#define CAMELLIA_DECRYPT 0
65
66/* Because array size can't be a const in C, the following two are macros.
67 Both sizes are in bytes. */
68
69#ifdef __cplusplus
70extern "C" {
71#endif
72
73/* This should be a hidden type, but EVP requires that the size be known */
74
75#define CAMELLIA_BLOCK_SIZE 16
76#define CAMELLIA_TABLE_BYTE_LEN 272
77#define CAMELLIA_TABLE_WORD_LEN (CAMELLIA_TABLE_BYTE_LEN / 4)
78
79typedef unsigned int KEY_TABLE_TYPE[CAMELLIA_TABLE_WORD_LEN]; /* to match with WORD */
80
81struct camellia_key_st {
82 union {
83 double d; /* ensures 64-bit align */
84 KEY_TABLE_TYPE rd_key;
85 } u;
86 int grand_rounds;
87};
88typedef struct camellia_key_st CAMELLIA_KEY;
89
90int Camellia_set_key(const unsigned char *userKey, const int bits,
91 CAMELLIA_KEY *key);
92
93void Camellia_encrypt(const unsigned char *in, unsigned char *out,
94 const CAMELLIA_KEY *key);
95void Camellia_decrypt(const unsigned char *in, unsigned char *out,
96 const CAMELLIA_KEY *key);
97
98void Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out,
99 const CAMELLIA_KEY *key, const int enc);
100void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out,
101 size_t length, const CAMELLIA_KEY *key,
102 unsigned char *ivec, const int enc);
103void Camellia_cfb128_encrypt(const unsigned char *in, unsigned char *out,
104 size_t length, const CAMELLIA_KEY *key,
105 unsigned char *ivec, int *num, const int enc);
106void Camellia_cfb1_encrypt(const unsigned char *in, unsigned char *out,
107 size_t length, const CAMELLIA_KEY *key,
108 unsigned char *ivec, int *num, const int enc);
109void Camellia_cfb8_encrypt(const unsigned char *in, unsigned char *out,
110 size_t length, const CAMELLIA_KEY *key,
111 unsigned char *ivec, int *num, const int enc);
112void Camellia_ofb128_encrypt(const unsigned char *in, unsigned char *out,
113 size_t length, const CAMELLIA_KEY *key,
114 unsigned char *ivec, int *num);
115void Camellia_ctr128_encrypt(const unsigned char *in, unsigned char *out,
116 size_t length, const CAMELLIA_KEY *key,
117 unsigned char ivec[CAMELLIA_BLOCK_SIZE],
118 unsigned char ecount_buf[CAMELLIA_BLOCK_SIZE],
119 unsigned int *num);
120
121#ifdef __cplusplus
122}
123#endif
124
125#endif /* !HEADER_Camellia_H */
diff --git a/src/lib/libcrypto/camellia/cmll_cbc.c b/src/lib/libcrypto/camellia/cmll_cbc.c
deleted file mode 100644
index 6567e5deb6..0000000000
--- a/src/lib/libcrypto/camellia/cmll_cbc.c
+++ /dev/null
@@ -1,65 +0,0 @@
1/* $OpenBSD: cmll_cbc.c,v 1.4 2014/11/13 20:01:58 miod Exp $ */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52#include <openssl/camellia.h>
53#include <openssl/modes.h>
54
55void
56Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, size_t len,
57 const CAMELLIA_KEY *key, unsigned char *ivec, const int enc)
58{
59 if (enc)
60 CRYPTO_cbc128_encrypt(in, out, len, key, ivec,
61 (block128_f)Camellia_encrypt);
62 else
63 CRYPTO_cbc128_decrypt(in, out, len, key, ivec,
64 (block128_f)Camellia_decrypt);
65}
diff --git a/src/lib/libcrypto/camellia/cmll_cfb.c b/src/lib/libcrypto/camellia/cmll_cfb.c
deleted file mode 100644
index 755ab9f8bf..0000000000
--- a/src/lib/libcrypto/camellia/cmll_cfb.c
+++ /dev/null
@@ -1,144 +0,0 @@
1/* $OpenBSD: cmll_cfb.c,v 1.4 2014/11/13 20:01:58 miod Exp $ */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
52 * All rights reserved.
53 *
54 * This package is an SSL implementation written
55 * by Eric Young (eay@cryptsoft.com).
56 * The implementation was written so as to conform with Netscapes SSL.
57 *
58 * This library is free for commercial and non-commercial use as long as
59 * the following conditions are aheared to. The following conditions
60 * apply to all code found in this distribution, be it the RC4, RSA,
61 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
62 * included with this distribution is covered by the same copyright terms
63 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
64 *
65 * Copyright remains Eric Young's, and as such any Copyright notices in
66 * the code are not to be removed.
67 * If this package is used in a product, Eric Young should be given attribution
68 * as the author of the parts of the library used.
69 * This can be in the form of a textual message at program startup or
70 * in documentation (online or textual) provided with the package.
71 *
72 * Redistribution and use in source and binary forms, with or without
73 * modification, are permitted provided that the following conditions
74 * are met:
75 * 1. Redistributions of source code must retain the copyright
76 * notice, this list of conditions and the following disclaimer.
77 * 2. Redistributions in binary form must reproduce the above copyright
78 * notice, this list of conditions and the following disclaimer in the
79 * documentation and/or other materials provided with the distribution.
80 * 3. All advertising materials mentioning features or use of this software
81 * must display the following acknowledgement:
82 * "This product includes cryptographic software written by
83 * Eric Young (eay@cryptsoft.com)"
84 * The word 'cryptographic' can be left out if the rouines from the library
85 * being used are not cryptographic related :-).
86 * 4. If you include any Windows specific code (or a derivative thereof) from
87 * the apps directory (application code) you must include an acknowledgement:
88 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
89 *
90 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
91 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
92 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
93 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
94 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
95 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
96 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
97 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
98 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
99 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
100 * SUCH DAMAGE.
101 *
102 * The licence and distribution terms for any publically available version or
103 * derivative of this code cannot be changed. i.e. this code cannot simply be
104 * copied and put under another distribution licence
105 * [including the GNU Public Licence.]
106 */
107
108#include <openssl/camellia.h>
109#include <openssl/modes.h>
110
111
112/*
113 * The input and output encrypted as though 128bit cfb mode is being
114 * used. The extra state information to record how much of the
115 * 128bit block we have used is contained in *num;
116 */
117
118void
119Camellia_cfb128_encrypt(const unsigned char *in, unsigned char *out,
120 size_t length, const CAMELLIA_KEY *key, unsigned char *ivec, int *num,
121 const int enc)
122{
123 CRYPTO_cfb128_encrypt(in, out, length, key, ivec, num, enc,
124 (block128_f)Camellia_encrypt);
125}
126
127/* N.B. This expects the input to be packed, MS bit first */
128void
129Camellia_cfb1_encrypt(const unsigned char *in, unsigned char *out,
130 size_t length, const CAMELLIA_KEY *key, unsigned char *ivec, int *num,
131 const int enc)
132{
133 CRYPTO_cfb128_1_encrypt(in, out, length, key, ivec, num, enc,
134 (block128_f)Camellia_encrypt);
135}
136
137void
138Camellia_cfb8_encrypt(const unsigned char *in, unsigned char *out,
139 size_t length, const CAMELLIA_KEY *key, unsigned char *ivec, int *num,
140 const int enc)
141{
142 CRYPTO_cfb128_8_encrypt(in, out, length, key, ivec, num, enc,
143 (block128_f)Camellia_encrypt);
144}
diff --git a/src/lib/libcrypto/camellia/cmll_ctr.c b/src/lib/libcrypto/camellia/cmll_ctr.c
deleted file mode 100644
index 59a351ee1b..0000000000
--- a/src/lib/libcrypto/camellia/cmll_ctr.c
+++ /dev/null
@@ -1,63 +0,0 @@
1/* $OpenBSD: cmll_ctr.c,v 1.4 2014/11/13 20:01:58 miod Exp $ */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52#include <openssl/camellia.h>
53#include <openssl/modes.h>
54
55void
56Camellia_ctr128_encrypt(const unsigned char *in, unsigned char *out,
57 size_t length, const CAMELLIA_KEY *key,
58 unsigned char ivec[CAMELLIA_BLOCK_SIZE],
59 unsigned char ecount_buf[CAMELLIA_BLOCK_SIZE], unsigned int *num)
60{
61 CRYPTO_ctr128_encrypt(in, out, length, key, ivec, ecount_buf, num,
62 (block128_f)Camellia_encrypt);
63}
diff --git a/src/lib/libcrypto/camellia/cmll_ecb.c b/src/lib/libcrypto/camellia/cmll_ecb.c
deleted file mode 100644
index 1a65445202..0000000000
--- a/src/lib/libcrypto/camellia/cmll_ecb.c
+++ /dev/null
@@ -1,63 +0,0 @@
1/* $OpenBSD: cmll_ecb.c,v 1.4 2014/11/13 20:01:58 miod Exp $ */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52#include <openssl/camellia.h>
53#include "cmll_locl.h"
54
55void
56Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out,
57 const CAMELLIA_KEY *key, const int enc)
58{
59 if (CAMELLIA_ENCRYPT == enc)
60 Camellia_encrypt(in, out, key);
61 else
62 Camellia_decrypt(in, out, key);
63}
diff --git a/src/lib/libcrypto/camellia/cmll_locl.h b/src/lib/libcrypto/camellia/cmll_locl.h
deleted file mode 100644
index 8a4f540fbc..0000000000
--- a/src/lib/libcrypto/camellia/cmll_locl.h
+++ /dev/null
@@ -1,85 +0,0 @@
1/* $OpenBSD: cmll_locl.h,v 1.5 2014/11/13 20:01:58 miod Exp $ */
2/* ====================================================================
3 * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) .
4 * ALL RIGHTS RESERVED.
5 *
6 * Intellectual Property information for Camellia:
7 * http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
8 *
9 * News Release for Announcement of Camellia open source:
10 * http://www.ntt.co.jp/news/news06e/0604/060413a.html
11 *
12 * The Camellia Code included herein is developed by
13 * NTT (Nippon Telegraph and Telephone Corporation), and is contributed
14 * to the OpenSSL project.
15 *
16 * The Camellia Code is licensed pursuant to the OpenSSL open source
17 * license provided below.
18 */
19/* ====================================================================
20 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 *
26 * 1. Redistributions of source code must retain the above copyright
27 * notice, this list of conditions and the following disclaimer.
28 *
29 * 2. Redistributions in binary form must reproduce the above copyright
30 * notice, this list of conditions and the following disclaimer in
31 * the documentation and/or other materials provided with the
32 * distribution.
33 *
34 * 3. All advertising materials mentioning features or use of this
35 * software must display the following acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
38 *
39 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
40 * endorse or promote products derived from this software without
41 * prior written permission. For written permission, please contact
42 * openssl-core@openssl.org.
43 *
44 * 5. Products derived from this software may not be called "OpenSSL"
45 * nor may "OpenSSL" appear in their names without prior written
46 * permission of the OpenSSL Project.
47 *
48 * 6. Redistributions of any form whatsoever must retain the following
49 * acknowledgment:
50 * "This product includes software developed by the OpenSSL Project
51 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
54 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
56 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
57 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
58 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
59 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
60 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
61 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
62 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
63 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
64 * OF THE POSSIBILITY OF SUCH DAMAGE.
65 * ====================================================================
66 */
67
68#ifndef HEADER_CAMELLIA_LOCL_H
69#define HEADER_CAMELLIA_LOCL_H
70
71typedef unsigned int u32;
72typedef unsigned char u8;
73
74int Camellia_Ekeygen(int keyBitLength, const u8 *rawKey,
75 KEY_TABLE_TYPE keyTable);
76void Camellia_EncryptBlock_Rounds(int grandRounds, const u8 plaintext[],
77 const KEY_TABLE_TYPE keyTable, u8 ciphertext[]);
78void Camellia_DecryptBlock_Rounds(int grandRounds, const u8 ciphertext[],
79 const KEY_TABLE_TYPE keyTable, u8 plaintext[]);
80void Camellia_EncryptBlock(int keyBitLength, const u8 plaintext[],
81 const KEY_TABLE_TYPE keyTable, u8 ciphertext[]);
82void Camellia_DecryptBlock(int keyBitLength, const u8 ciphertext[],
83 const KEY_TABLE_TYPE keyTable, u8 plaintext[]);
84
85#endif /* #ifndef HEADER_CAMELLIA_LOCL_H */
diff --git a/src/lib/libcrypto/camellia/cmll_misc.c b/src/lib/libcrypto/camellia/cmll_misc.c
deleted file mode 100644
index 2fa61dc637..0000000000
--- a/src/lib/libcrypto/camellia/cmll_misc.c
+++ /dev/null
@@ -1,81 +0,0 @@
1/* $OpenBSD: cmll_misc.c,v 1.6 2014/11/13 20:01:58 miod Exp $ */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52#include <openssl/opensslv.h>
53#include <openssl/crypto.h>
54#include <openssl/camellia.h>
55#include "cmll_locl.h"
56
57int
58Camellia_set_key(const unsigned char *userKey, const int bits,
59 CAMELLIA_KEY *key)
60{
61 if (userKey == NULL || key == NULL)
62 return -1;
63 if (bits != 128 && bits != 192 && bits != 256)
64 return -2;
65 key->grand_rounds = Camellia_Ekeygen(bits, userKey, key->u.rd_key);
66 return 0;
67}
68
69void
70Camellia_encrypt(const unsigned char *in, unsigned char *out,
71 const CAMELLIA_KEY *key)
72{
73 Camellia_EncryptBlock_Rounds(key->grand_rounds, in, key->u.rd_key, out);
74}
75
76void
77Camellia_decrypt(const unsigned char *in, unsigned char *out,
78 const CAMELLIA_KEY *key)
79{
80 Camellia_DecryptBlock_Rounds(key->grand_rounds, in, key->u.rd_key, out);
81}
diff --git a/src/lib/libcrypto/camellia/cmll_ofb.c b/src/lib/libcrypto/camellia/cmll_ofb.c
deleted file mode 100644
index cd3a65e2fa..0000000000
--- a/src/lib/libcrypto/camellia/cmll_ofb.c
+++ /dev/null
@@ -1,122 +0,0 @@
1/* $OpenBSD: cmll_ofb.c,v 1.4 2014/11/13 20:01:58 miod Exp $ */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
52 * All rights reserved.
53 *
54 * This package is an SSL implementation written
55 * by Eric Young (eay@cryptsoft.com).
56 * The implementation was written so as to conform with Netscapes SSL.
57 *
58 * This library is free for commercial and non-commercial use as long as
59 * the following conditions are aheared to. The following conditions
60 * apply to all code found in this distribution, be it the RC4, RSA,
61 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
62 * included with this distribution is covered by the same copyright terms
63 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
64 *
65 * Copyright remains Eric Young's, and as such any Copyright notices in
66 * the code are not to be removed.
67 * If this package is used in a product, Eric Young should be given attribution
68 * as the author of the parts of the library used.
69 * This can be in the form of a textual message at program startup or
70 * in documentation (online or textual) provided with the package.
71 *
72 * Redistribution and use in source and binary forms, with or without
73 * modification, are permitted provided that the following conditions
74 * are met:
75 * 1. Redistributions of source code must retain the copyright
76 * notice, this list of conditions and the following disclaimer.
77 * 2. Redistributions in binary form must reproduce the above copyright
78 * notice, this list of conditions and the following disclaimer in the
79 * documentation and/or other materials provided with the distribution.
80 * 3. All advertising materials mentioning features or use of this software
81 * must display the following acknowledgement:
82 * "This product includes cryptographic software written by
83 * Eric Young (eay@cryptsoft.com)"
84 * The word 'cryptographic' can be left out if the rouines from the library
85 * being used are not cryptographic related :-).
86 * 4. If you include any Windows specific code (or a derivative thereof) from
87 * the apps directory (application code) you must include an acknowledgement:
88 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
89 *
90 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
91 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
92 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
93 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
94 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
95 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
96 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
97 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
98 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
99 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
100 * SUCH DAMAGE.
101 *
102 * The licence and distribution terms for any publically available version or
103 * derivative of this code cannot be changed. i.e. this code cannot simply be
104 * copied and put under another distribution licence
105 * [including the GNU Public Licence.]
106 */
107
108#include <openssl/camellia.h>
109#include <openssl/modes.h>
110
111/*
112 * The input and output encrypted as though 128bit ofb mode is being
113 * used. The extra state information to record how much of the
114 * 128bit block we have used is contained in *num;
115 */
116void
117Camellia_ofb128_encrypt(const unsigned char *in, unsigned char *out,
118 size_t length, const CAMELLIA_KEY *key, unsigned char *ivec, int *num)
119{
120 CRYPTO_ofb128_encrypt(in, out, length, key, ivec, num,
121 (block128_f)Camellia_encrypt);
122}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 10:19:20 +0000