summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/camellia
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/camellia')
-rw-r--r--src/lib/libcrypto/camellia/asm/cmll-x86.pl1138
-rw-r--r--src/lib/libcrypto/camellia/asm/cmll-x86_64.pl1081
-rw-r--r--src/lib/libcrypto/camellia/camellia.c582
-rw-r--r--src/lib/libcrypto/camellia/camellia.h130
-rw-r--r--src/lib/libcrypto/camellia/cmll_cbc.c64
-rw-r--r--src/lib/libcrypto/camellia/cmll_cfb.c139
-rw-r--r--src/lib/libcrypto/camellia/cmll_ctr.c64
-rw-r--r--src/lib/libcrypto/camellia/cmll_ecb.c74
-rw-r--r--src/lib/libcrypto/camellia/cmll_locl.h86
-rw-r--r--src/lib/libcrypto/camellia/cmll_misc.c80
-rw-r--r--src/lib/libcrypto/camellia/cmll_ofb.c119
11 files changed, 0 insertions, 3557 deletions
diff --git a/src/lib/libcrypto/camellia/asm/cmll-x86.pl b/src/lib/libcrypto/camellia/asm/cmll-x86.pl
deleted file mode 100644
index c314d62312..0000000000
--- a/src/lib/libcrypto/camellia/asm/cmll-x86.pl
+++ /dev/null
@@ -1,1138 +0,0 @@
1#!/usr/bin/env perl
2
3# ====================================================================
4# Copyright (c) 2008 Andy Polyakov <appro@openssl.org>
5#
6# This module may be used under the terms of either the GNU General
7# Public License version 2 or later, the GNU Lesser General Public
8# License version 2.1 or later, the Mozilla Public License version
9# 1.1 or the BSD License. The exact terms of either license are
10# distributed along with this module. For further details see
11# http://www.openssl.org/~appro/camellia/.
12# ====================================================================
13
14# Performance in cycles per processed byte (less is better) in
15# 'openssl speed ...' benchmark:
16#
17# AMD K8 Core2 PIII P4
18# -evp camellia-128-ecb 21.5 22.8 27.0 28.9
19# + over gcc 3.4.6 +90/11% +70/10% +53/4% +160/64%
20# + over icc 8.0 +48/19% +21/15% +21/17% +55/37%
21#
22# camellia-128-cbc 17.3 21.1 23.9 25.9
23#
24# 128-bit key setup 196 280 256 240 cycles/key
25# + over gcc 3.4.6 +30/0% +17/11% +11/0% +63/40%
26# + over icc 8.0 +18/3% +10/0% +10/3% +21/10%
27#
28# Pairs of numbers in "+" rows represent performance improvement over
29# compiler generated position-independent code, PIC, and non-PIC
30# respectively. PIC results are of greater relevance, as this module
31# is position-independent, i.e. suitable for a shared library or PIE.
32# Position independence "costs" one register, which is why compilers
33# are so close with non-PIC results, they have an extra register to
34# spare. CBC results are better than ECB ones thanks to "zero-copy"
35# private _x86_* interface, and are ~30-40% better than with compiler
36# generated cmll_cbc.o, and reach ~80-90% of x86_64 performance on
37# same CPU (where applicable).
38
39$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
40push(@INC,"${dir}","${dir}../../perlasm");
41require "x86asm.pl";
42
43$OPENSSL=1;
44
45&asm_init($ARGV[0],"cmll-586.pl",$ARGV[$#ARGV] eq "386");
46
47@T=("eax","ebx","ecx","edx");
48$idx="esi";
49$key="edi";
50$Tbl="ebp";
51
52# stack frame layout in _x86_Camellia_* routines, frame is allocated
53# by caller
54$__ra=&DWP(0,"esp"); # return address
55$__s0=&DWP(4,"esp"); # s0 backing store
56$__s1=&DWP(8,"esp"); # s1 backing store
57$__s2=&DWP(12,"esp"); # s2 backing store
58$__s3=&DWP(16,"esp"); # s3 backing store
59$__end=&DWP(20,"esp"); # pointer to end/start of key schedule
60
61# stack frame layout in Camellia_[en|crypt] routines, which differs from
62# above by 4 and overlaps by pointer to end/start of key schedule
63$_end=&DWP(16,"esp");
64$_esp=&DWP(20,"esp");
65
66# const unsigned int Camellia_SBOX[4][256];
67# Well, sort of... Camellia_SBOX[0][] is interleaved with [1][],
68# and [2][] - with [3][]. This is done to optimize code size.
69$SBOX1_1110=0; # Camellia_SBOX[0]
70$SBOX4_4404=4; # Camellia_SBOX[1]
71$SBOX2_0222=2048; # Camellia_SBOX[2]
72$SBOX3_3033=2052; # Camellia_SBOX[3]
73&static_label("Camellia_SIGMA");
74&static_label("Camellia_SBOX");
75
76sub Camellia_Feistel {
77my $i=@_[0];
78my $seed=defined(@_[1])?@_[1]:0;
79my $scale=$seed<0?-8:8;
80my $frame=defined(@_[2])?@_[2]:0;
81my $j=($i&1)*2;
82my $t0=@T[($j)%4],$t1=@T[($j+1)%4],$t2=@T[($j+2)%4],$t3=@T[($j+3)%4];
83
84 &xor ($t0,$idx); # t0^=key[0]
85 &xor ($t1,&DWP($seed+$i*$scale+4,$key)); # t1^=key[1]
86 &movz ($idx,&HB($t0)); # (t0>>8)&0xff
87 &mov ($t3,&DWP($SBOX3_3033,$Tbl,$idx,8)); # t3=SBOX3_3033[0]
88 &movz ($idx,&LB($t0)); # (t0>>0)&0xff
89 &xor ($t3,&DWP($SBOX4_4404,$Tbl,$idx,8)); # t3^=SBOX4_4404[0]
90 &shr ($t0,16);
91 &movz ($idx,&LB($t1)); # (t1>>0)&0xff
92 &mov ($t2,&DWP($SBOX1_1110,$Tbl,$idx,8)); # t2=SBOX1_1110[1]
93 &movz ($idx,&HB($t0)); # (t0>>24)&0xff
94 &xor ($t3,&DWP($SBOX1_1110,$Tbl,$idx,8)); # t3^=SBOX1_1110[0]
95 &movz ($idx,&HB($t1)); # (t1>>8)&0xff
96 &xor ($t2,&DWP($SBOX4_4404,$Tbl,$idx,8)); # t2^=SBOX4_4404[1]
97 &shr ($t1,16);
98 &movz ($t0,&LB($t0)); # (t0>>16)&0xff
99 &xor ($t3,&DWP($SBOX2_0222,$Tbl,$t0,8)); # t3^=SBOX2_0222[0]
100 &movz ($idx,&HB($t1)); # (t1>>24)&0xff
101 &mov ($t0,&DWP($frame+4*(($j+3)%4),"esp")); # prefetch "s3"
102 &xor ($t2,$t3); # t2^=t3
103 &rotr ($t3,8); # t3=RightRotate(t3,8)
104 &xor ($t2,&DWP($SBOX2_0222,$Tbl,$idx,8)); # t2^=SBOX2_0222[1]
105 &movz ($idx,&LB($t1)); # (t1>>16)&0xff
106 &mov ($t1,&DWP($frame+4*(($j+2)%4),"esp")); # prefetch "s2"
107 &xor ($t3,$t0); # t3^=s3
108 &xor ($t2,&DWP($SBOX3_3033,$Tbl,$idx,8)); # t2^=SBOX3_3033[1]
109 &mov ($idx,&DWP($seed+($i+1)*$scale,$key)); # prefetch key[i+1]
110 &xor ($t3,$t2); # t3^=t2
111 &mov (&DWP($frame+4*(($j+3)%4),"esp"),$t3); # s3=t3
112 &xor ($t2,$t1); # t2^=s2
113 &mov (&DWP($frame+4*(($j+2)%4),"esp"),$t2); # s2=t2
114}
115
116# void Camellia_EncryptBlock_Rounds(
117# int grandRounds,
118# const Byte plaintext[],
119# const KEY_TABLE_TYPE keyTable,
120# Byte ciphertext[])
121&function_begin("Camellia_EncryptBlock_Rounds");
122 &mov ("eax",&wparam(0)); # load grandRounds
123 &mov ($idx,&wparam(1)); # load plaintext pointer
124 &mov ($key,&wparam(2)); # load key schedule pointer
125
126 &mov ("ebx","esp");
127 &sub ("esp",7*4); # place for s[0-3],keyEnd,esp and ra
128 &and ("esp",-64);
129
130 # place stack frame just "above mod 1024" the key schedule
131 # this ensures that cache associativity of 2 suffices
132 &lea ("ecx",&DWP(-64-63,$key));
133 &sub ("ecx","esp");
134 &neg ("ecx");
135 &and ("ecx",0x3C0); # modulo 1024, but aligned to cache-line
136 &sub ("esp","ecx");
137 &add ("esp",4); # 4 is reserved for callee's return address
138
139 &shl ("eax",6);
140 &lea ("eax",&DWP(0,$key,"eax"));
141 &mov ($_esp,"ebx"); # save %esp
142 &mov ($_end,"eax"); # save keyEnd
143
144 &call (&label("pic_point"));
145 &set_label("pic_point");
146 &blindpop($Tbl);
147 &lea ($Tbl,&DWP(&label("Camellia_SBOX")."-".&label("pic_point"),$Tbl));
148
149 &mov (@T[0],&DWP(0,$idx)); # load plaintext
150 &mov (@T[1],&DWP(4,$idx));
151 &mov (@T[2],&DWP(8,$idx));
152 &bswap (@T[0]);
153 &mov (@T[3],&DWP(12,$idx));
154 &bswap (@T[1]);
155 &bswap (@T[2]);
156 &bswap (@T[3]);
157
158 &call ("_x86_Camellia_encrypt");
159
160 &mov ("esp",$_esp);
161 &bswap (@T[0]);
162 &mov ($idx,&wparam(3)); # load ciphertext pointer
163 &bswap (@T[1]);
164 &bswap (@T[2]);
165 &bswap (@T[3]);
166 &mov (&DWP(0,$idx),@T[0]); # write ciphertext
167 &mov (&DWP(4,$idx),@T[1]);
168 &mov (&DWP(8,$idx),@T[2]);
169 &mov (&DWP(12,$idx),@T[3]);
170&function_end("Camellia_EncryptBlock_Rounds");
171# V1.x API
172&function_begin_B("Camellia_EncryptBlock");
173 &mov ("eax",128);
174 &sub ("eax",&wparam(0)); # load keyBitLength
175 &mov ("eax",3);
176 &adc ("eax",0); # keyBitLength==128?3:4
177 &mov (&wparam(0),"eax");
178 &jmp (&label("Camellia_EncryptBlock_Rounds"));
179&function_end_B("Camellia_EncryptBlock");
180
181if ($OPENSSL) {
182# void Camellia_encrypt(
183# const unsigned char *in,
184# unsigned char *out,
185# const CAMELLIA_KEY *key)
186&function_begin("Camellia_encrypt");
187 &mov ($idx,&wparam(0)); # load plaintext pointer
188 &mov ($key,&wparam(2)); # load key schedule pointer
189
190 &mov ("ebx","esp");
191 &sub ("esp",7*4); # place for s[0-3],keyEnd,esp and ra
192 &and ("esp",-64);
193 &mov ("eax",&DWP(272,$key)); # load grandRounds counter
194
195 # place stack frame just "above mod 1024" the key schedule
196 # this ensures that cache associativity of 2 suffices
197 &lea ("ecx",&DWP(-64-63,$key));
198 &sub ("ecx","esp");
199 &neg ("ecx");
200 &and ("ecx",0x3C0); # modulo 1024, but aligned to cache-line
201 &sub ("esp","ecx");
202 &add ("esp",4); # 4 is reserved for callee's return address
203
204 &shl ("eax",6);
205 &lea ("eax",&DWP(0,$key,"eax"));
206 &mov ($_esp,"ebx"); # save %esp
207 &mov ($_end,"eax"); # save keyEnd
208
209 &call (&label("pic_point"));
210 &set_label("pic_point");
211 &blindpop($Tbl);
212 &lea ($Tbl,&DWP(&label("Camellia_SBOX")."-".&label("pic_point"),$Tbl));
213
214 &mov (@T[0],&DWP(0,$idx)); # load plaintext
215 &mov (@T[1],&DWP(4,$idx));
216 &mov (@T[2],&DWP(8,$idx));
217 &bswap (@T[0]);
218 &mov (@T[3],&DWP(12,$idx));
219 &bswap (@T[1]);
220 &bswap (@T[2]);
221 &bswap (@T[3]);
222
223 &call ("_x86_Camellia_encrypt");
224
225 &mov ("esp",$_esp);
226 &bswap (@T[0]);
227 &mov ($idx,&wparam(1)); # load ciphertext pointer
228 &bswap (@T[1]);
229 &bswap (@T[2]);
230 &bswap (@T[3]);
231 &mov (&DWP(0,$idx),@T[0]); # write ciphertext
232 &mov (&DWP(4,$idx),@T[1]);
233 &mov (&DWP(8,$idx),@T[2]);
234 &mov (&DWP(12,$idx),@T[3]);
235&function_end("Camellia_encrypt");
236}
237
238&function_begin_B("_x86_Camellia_encrypt");
239 &xor (@T[0],&DWP(0,$key)); # ^=key[0-3]
240 &xor (@T[1],&DWP(4,$key));
241 &xor (@T[2],&DWP(8,$key));
242 &xor (@T[3],&DWP(12,$key));
243 &mov ($idx,&DWP(16,$key)); # prefetch key[4]
244
245 &mov ($__s0,@T[0]); # save s[0-3]
246 &mov ($__s1,@T[1]);
247 &mov ($__s2,@T[2]);
248 &mov ($__s3,@T[3]);
249
250&set_label("loop",16);
251 for ($i=0;$i<6;$i++) { Camellia_Feistel($i,16,4); }
252
253 &add ($key,16*4);
254 &cmp ($key,$__end);
255 &je (&label("done"));
256
257 # @T[0-1] are preloaded, $idx is preloaded with key[0]
258 &and ($idx,@T[0]);
259 &mov (@T[3],$__s3);
260 &rotl ($idx,1);
261 &mov (@T[2],@T[3]);
262 &xor (@T[1],$idx);
263 &or (@T[2],&DWP(12,$key));
264 &mov ($__s1,@T[1]); # s1^=LeftRotate(s0&key[0],1);
265 &xor (@T[2],$__s2);
266
267 &mov ($idx,&DWP(4,$key));
268 &mov ($__s2,@T[2]); # s2^=s3|key[3];
269 &or ($idx,@T[1]);
270 &and (@T[2],&DWP(8,$key));
271 &xor (@T[0],$idx);
272 &rotl (@T[2],1);
273 &mov ($__s0,@T[0]); # s0^=s1|key[1];
274 &xor (@T[3],@T[2]);
275 &mov ($idx,&DWP(16,$key)); # prefetch key[4]
276 &mov ($__s3,@T[3]); # s3^=LeftRotate(s2&key[2],1);
277 &jmp (&label("loop"));
278
279&set_label("done",8);
280 &mov (@T[2],@T[0]); # SwapHalf
281 &mov (@T[3],@T[1]);
282 &mov (@T[0],$__s2);
283 &mov (@T[1],$__s3);
284 &xor (@T[0],$idx); # $idx is preloaded with key[0]
285 &xor (@T[1],&DWP(4,$key));
286 &xor (@T[2],&DWP(8,$key));
287 &xor (@T[3],&DWP(12,$key));
288 &ret ();
289&function_end_B("_x86_Camellia_encrypt");
290
291# void Camellia_DecryptBlock_Rounds(
292# int grandRounds,
293# const Byte ciphertext[],
294# const KEY_TABLE_TYPE keyTable,
295# Byte plaintext[])
296&function_begin("Camellia_DecryptBlock_Rounds");
297 &mov ("eax",&wparam(0)); # load grandRounds
298 &mov ($idx,&wparam(1)); # load ciphertext pointer
299 &mov ($key,&wparam(2)); # load key schedule pointer
300
301 &mov ("ebx","esp");
302 &sub ("esp",7*4); # place for s[0-3],keyEnd,esp and ra
303 &and ("esp",-64);
304
305 # place stack frame just "above mod 1024" the key schedule
306 # this ensures that cache associativity of 2 suffices
307 &lea ("ecx",&DWP(-64-63,$key));
308 &sub ("ecx","esp");
309 &neg ("ecx");
310 &and ("ecx",0x3C0); # modulo 1024, but aligned to cache-line
311 &sub ("esp","ecx");
312 &add ("esp",4); # 4 is reserved for callee's return address
313
314 &shl ("eax",6);
315 &mov (&DWP(4*4,"esp"),$key); # save keyStart
316 &lea ($key,&DWP(0,$key,"eax"));
317 &mov (&DWP(5*4,"esp"),"ebx");# save %esp
318
319 &call (&label("pic_point"));
320 &set_label("pic_point");
321 &blindpop($Tbl);
322 &lea ($Tbl,&DWP(&label("Camellia_SBOX")."-".&label("pic_point"),$Tbl));
323
324 &mov (@T[0],&DWP(0,$idx)); # load ciphertext
325 &mov (@T[1],&DWP(4,$idx));
326 &mov (@T[2],&DWP(8,$idx));
327 &bswap (@T[0]);
328 &mov (@T[3],&DWP(12,$idx));
329 &bswap (@T[1]);
330 &bswap (@T[2]);
331 &bswap (@T[3]);
332
333 &call ("_x86_Camellia_decrypt");
334
335 &mov ("esp",&DWP(5*4,"esp"));
336 &bswap (@T[0]);
337 &mov ($idx,&wparam(3)); # load plaintext pointer
338 &bswap (@T[1]);
339 &bswap (@T[2]);
340 &bswap (@T[3]);
341 &mov (&DWP(0,$idx),@T[0]); # write plaintext
342 &mov (&DWP(4,$idx),@T[1]);
343 &mov (&DWP(8,$idx),@T[2]);
344 &mov (&DWP(12,$idx),@T[3]);
345&function_end("Camellia_DecryptBlock_Rounds");
346# V1.x API
347&function_begin_B("Camellia_DecryptBlock");
348 &mov ("eax",128);
349 &sub ("eax",&wparam(0)); # load keyBitLength
350 &mov ("eax",3);
351 &adc ("eax",0); # keyBitLength==128?3:4
352 &mov (&wparam(0),"eax");
353 &jmp (&label("Camellia_DecryptBlock_Rounds"));
354&function_end_B("Camellia_DecryptBlock");
355
356if ($OPENSSL) {
357# void Camellia_decrypt(
358# const unsigned char *in,
359# unsigned char *out,
360# const CAMELLIA_KEY *key)
361&function_begin("Camellia_decrypt");
362 &mov ($idx,&wparam(0)); # load ciphertext pointer
363 &mov ($key,&wparam(2)); # load key schedule pointer
364
365 &mov ("ebx","esp");
366 &sub ("esp",7*4); # place for s[0-3],keyEnd,esp and ra
367 &and ("esp",-64);
368 &mov ("eax",&DWP(272,$key)); # load grandRounds counter
369
370 # place stack frame just "above mod 1024" the key schedule
371 # this ensures that cache associativity of 2 suffices
372 &lea ("ecx",&DWP(-64-63,$key));
373 &sub ("ecx","esp");
374 &neg ("ecx");
375 &and ("ecx",0x3C0); # modulo 1024, but aligned to cache-line
376 &sub ("esp","ecx");
377 &add ("esp",4); # 4 is reserved for callee's return address
378
379 &shl ("eax",6);
380 &mov (&DWP(4*4,"esp"),$key); # save keyStart
381 &lea ($key,&DWP(0,$key,"eax"));
382 &mov (&DWP(5*4,"esp"),"ebx");# save %esp
383
384 &call (&label("pic_point"));
385 &set_label("pic_point");
386 &blindpop($Tbl);
387 &lea ($Tbl,&DWP(&label("Camellia_SBOX")."-".&label("pic_point"),$Tbl));
388
389 &mov (@T[0],&DWP(0,$idx)); # load ciphertext
390 &mov (@T[1],&DWP(4,$idx));
391 &mov (@T[2],&DWP(8,$idx));
392 &bswap (@T[0]);
393 &mov (@T[3],&DWP(12,$idx));
394 &bswap (@T[1]);
395 &bswap (@T[2]);
396 &bswap (@T[3]);
397
398 &call ("_x86_Camellia_decrypt");
399
400 &mov ("esp",&DWP(5*4,"esp"));
401 &bswap (@T[0]);
402 &mov ($idx,&wparam(1)); # load plaintext pointer
403 &bswap (@T[1]);
404 &bswap (@T[2]);
405 &bswap (@T[3]);
406 &mov (&DWP(0,$idx),@T[0]); # write plaintext
407 &mov (&DWP(4,$idx),@T[1]);
408 &mov (&DWP(8,$idx),@T[2]);
409 &mov (&DWP(12,$idx),@T[3]);
410&function_end("Camellia_decrypt");
411}
412
413&function_begin_B("_x86_Camellia_decrypt");
414 &xor (@T[0],&DWP(0,$key)); # ^=key[0-3]
415 &xor (@T[1],&DWP(4,$key));
416 &xor (@T[2],&DWP(8,$key));
417 &xor (@T[3],&DWP(12,$key));
418 &mov ($idx,&DWP(-8,$key)); # prefetch key[-2]
419
420 &mov ($__s0,@T[0]); # save s[0-3]
421 &mov ($__s1,@T[1]);
422 &mov ($__s2,@T[2]);
423 &mov ($__s3,@T[3]);
424
425&set_label("loop",16);
426 for ($i=0;$i<6;$i++) { Camellia_Feistel($i,-8,4); }
427
428 &sub ($key,16*4);
429 &cmp ($key,$__end);
430 &je (&label("done"));
431
432 # @T[0-1] are preloaded, $idx is preloaded with key[2]
433 &and ($idx,@T[0]);
434 &mov (@T[3],$__s3);
435 &rotl ($idx,1);
436 &mov (@T[2],@T[3]);
437 &xor (@T[1],$idx);
438 &or (@T[2],&DWP(4,$key));
439 &mov ($__s1,@T[1]); # s1^=LeftRotate(s0&key[0],1);
440 &xor (@T[2],$__s2);
441
442 &mov ($idx,&DWP(12,$key));
443 &mov ($__s2,@T[2]); # s2^=s3|key[3];
444 &or ($idx,@T[1]);
445 &and (@T[2],&DWP(0,$key));
446 &xor (@T[0],$idx);
447 &rotl (@T[2],1);
448 &mov ($__s0,@T[0]); # s0^=s1|key[1];
449 &xor (@T[3],@T[2]);
450 &mov ($idx,&DWP(-8,$key)); # prefetch key[4]
451 &mov ($__s3,@T[3]); # s3^=LeftRotate(s2&key[2],1);
452 &jmp (&label("loop"));
453
454&set_label("done",8);
455 &mov (@T[2],@T[0]); # SwapHalf
456 &mov (@T[3],@T[1]);
457 &mov (@T[0],$__s2);
458 &mov (@T[1],$__s3);
459 &xor (@T[2],$idx); # $idx is preloaded with key[2]
460 &xor (@T[3],&DWP(12,$key));
461 &xor (@T[0],&DWP(0,$key));
462 &xor (@T[1],&DWP(4,$key));
463 &ret ();
464&function_end_B("_x86_Camellia_decrypt");
465
466# shld is very slow on Intel P4 family. Even on AMD it limits
467# instruction decode rate [because it's VectorPath] and consequently
468# performance. PIII, PM and Core[2] seem to be the only ones which
469# execute this code ~7% faster...
470sub __rotl128 {
471 my ($i0,$i1,$i2,$i3,$rot,$rnd,@T)=@_;
472
473 $rnd *= 2;
474 if ($rot) {
475 &mov ($idx,$i0);
476 &shld ($i0,$i1,$rot);
477 &shld ($i1,$i2,$rot);
478 &shld ($i2,$i3,$rot);
479 &shld ($i3,$idx,$rot);
480 }
481 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i0 eq @T[0]);
482 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i1 eq @T[0]);
483 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i2 eq @T[0]);
484 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i3 eq @T[0]);
485}
486
487# ... Implementing 128-bit rotate without shld gives >3x performance
488# improvement on P4, only ~7% degradation on other Intel CPUs and
489# not worse performance on AMD. This is therefore preferred.
490sub _rotl128 {
491 my ($i0,$i1,$i2,$i3,$rot,$rnd,@T)=@_;
492
493 $rnd *= 2;
494 if ($rot) {
495 &mov ($Tbl,$i0);
496 &shl ($i0,$rot);
497 &mov ($idx,$i1);
498 &shr ($idx,32-$rot);
499 &shl ($i1,$rot);
500 &or ($i0,$idx);
501 &mov ($idx,$i2);
502 &shl ($i2,$rot);
503 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i0 eq @T[0]);
504 &shr ($idx,32-$rot);
505 &or ($i1,$idx);
506 &shr ($Tbl,32-$rot);
507 &mov ($idx,$i3);
508 &shr ($idx,32-$rot);
509 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i1 eq @T[0]);
510 &shl ($i3,$rot);
511 &or ($i2,$idx);
512 &or ($i3,$Tbl);
513 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i2 eq @T[0]);
514 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i3 eq @T[0]);
515 } else {
516 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i0 eq @T[0]);
517 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i1 eq @T[0]);
518 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i2 eq @T[0]);
519 &mov (&DWP(-128+4*$rnd++,$key),shift(@T)) if ($i3 eq @T[0]);
520 }
521}
522
523sub _saveround {
524my ($rnd,$key,@T)=@_;
525my $bias=int(@T[0])?shift(@T):0;
526
527 &mov (&DWP($bias+$rnd*8+0,$key),@T[0]);
528 &mov (&DWP($bias+$rnd*8+4,$key),@T[1]) if ($#T>=1);
529 &mov (&DWP($bias+$rnd*8+8,$key),@T[2]) if ($#T>=2);
530 &mov (&DWP($bias+$rnd*8+12,$key),@T[3]) if ($#T>=3);
531}
532
533sub _loadround {
534my ($rnd,$key,@T)=@_;
535my $bias=int(@T[0])?shift(@T):0;
536
537 &mov (@T[0],&DWP($bias+$rnd*8+0,$key));
538 &mov (@T[1],&DWP($bias+$rnd*8+4,$key)) if ($#T>=1);
539 &mov (@T[2],&DWP($bias+$rnd*8+8,$key)) if ($#T>=2);
540 &mov (@T[3],&DWP($bias+$rnd*8+12,$key)) if ($#T>=3);
541}
542
543# void Camellia_Ekeygen(
544# const int keyBitLength,
545# const Byte *rawKey,
546# KEY_TABLE_TYPE keyTable)
547&function_begin("Camellia_Ekeygen");
548{ my $step=0;
549
550 &stack_push(4); # place for s[0-3]
551
552 &mov ($Tbl,&wparam(0)); # load arguments
553 &mov ($idx,&wparam(1));
554 &mov ($key,&wparam(2));
555
556 &mov (@T[0],&DWP(0,$idx)); # load 0-127 bits
557 &mov (@T[1],&DWP(4,$idx));
558 &mov (@T[2],&DWP(8,$idx));
559 &mov (@T[3],&DWP(12,$idx));
560
561 &bswap (@T[0]);
562 &bswap (@T[1]);
563 &bswap (@T[2]);
564 &bswap (@T[3]);
565
566 &_saveround (0,$key,@T); # KL<<<0
567
568 &cmp ($Tbl,128);
569 &je (&label("1st128"));
570
571 &mov (@T[0],&DWP(16,$idx)); # load 128-191 bits
572 &mov (@T[1],&DWP(20,$idx));
573 &cmp ($Tbl,192);
574 &je (&label("1st192"));
575 &mov (@T[2],&DWP(24,$idx)); # load 192-255 bits
576 &mov (@T[3],&DWP(28,$idx));
577 &jmp (&label("1st256"));
578&set_label("1st192",4);
579 &mov (@T[2],@T[0]);
580 &mov (@T[3],@T[1]);
581 &not (@T[2]);
582 &not (@T[3]);
583&set_label("1st256",4);
584 &bswap (@T[0]);
585 &bswap (@T[1]);
586 &bswap (@T[2]);
587 &bswap (@T[3]);
588
589 &_saveround (4,$key,@T); # temporary storage for KR!
590
591 &xor (@T[0],&DWP(0*8+0,$key)); # KR^KL
592 &xor (@T[1],&DWP(0*8+4,$key));
593 &xor (@T[2],&DWP(1*8+0,$key));
594 &xor (@T[3],&DWP(1*8+4,$key));
595
596&set_label("1st128",4);
597 &call (&label("pic_point"));
598 &set_label("pic_point");
599 &blindpop($Tbl);
600 &lea ($Tbl,&DWP(&label("Camellia_SBOX")."-".&label("pic_point"),$Tbl));
601 &lea ($key,&DWP(&label("Camellia_SIGMA")."-".&label("Camellia_SBOX"),$Tbl));
602
603 &mov ($idx,&DWP($step*8,$key)); # prefetch SIGMA[0]
604 &mov (&swtmp(0),@T[0]); # save s[0-3]
605 &mov (&swtmp(1),@T[1]);
606 &mov (&swtmp(2),@T[2]);
607 &mov (&swtmp(3),@T[3]);
608 &Camellia_Feistel($step++);
609 &Camellia_Feistel($step++);
610 &mov (@T[2],&swtmp(2));
611 &mov (@T[3],&swtmp(3));
612
613 &mov ($idx,&wparam(2));
614 &xor (@T[0],&DWP(0*8+0,$idx)); # ^KL
615 &xor (@T[1],&DWP(0*8+4,$idx));
616 &xor (@T[2],&DWP(1*8+0,$idx));
617 &xor (@T[3],&DWP(1*8+4,$idx));
618
619 &mov ($idx,&DWP($step*8,$key)); # prefetch SIGMA[4]
620 &mov (&swtmp(0),@T[0]); # save s[0-3]
621 &mov (&swtmp(1),@T[1]);
622 &mov (&swtmp(2),@T[2]);
623 &mov (&swtmp(3),@T[3]);
624 &Camellia_Feistel($step++);
625 &Camellia_Feistel($step++);
626 &mov (@T[2],&swtmp(2));
627 &mov (@T[3],&swtmp(3));
628
629 &mov ($idx,&wparam(0));
630 &cmp ($idx,128);
631 &jne (&label("2nd256"));
632
633 &mov ($key,&wparam(2));
634 &lea ($key,&DWP(128,$key)); # size optimization
635
636 ####### process KA
637 &_saveround (2,$key,-128,@T); # KA<<<0
638 &_rotl128 (@T,15,6,@T); # KA<<<15
639 &_rotl128 (@T,15,8,@T); # KA<<<(15+15=30)
640 &_rotl128 (@T,15,12,@T[0],@T[1]); # KA<<<(30+15=45)
641 &_rotl128 (@T,15,14,@T); # KA<<<(45+15=60)
642 push (@T,shift(@T)); # rotl128(@T,32);
643 &_rotl128 (@T,2,20,@T); # KA<<<(60+32+2=94)
644 &_rotl128 (@T,17,24,@T); # KA<<<(94+17=111)
645
646 ####### process KL
647 &_loadround (0,$key,-128,@T); # load KL
648 &_rotl128 (@T,15,4,@T); # KL<<<15
649 &_rotl128 (@T,30,10,@T); # KL<<<(15+30=45)
650 &_rotl128 (@T,15,13,@T[2],@T[3]); # KL<<<(45+15=60)
651 &_rotl128 (@T,17,16,@T); # KL<<<(60+17=77)
652 &_rotl128 (@T,17,18,@T); # KL<<<(77+17=94)
653 &_rotl128 (@T,17,22,@T); # KL<<<(94+17=111)
654
655 while (@T[0] ne "eax") # restore order
656 { unshift (@T,pop(@T)); }
657
658 &mov ("eax",3); # 3 grandRounds
659 &jmp (&label("done"));
660
661&set_label("2nd256",16);
662 &mov ($idx,&wparam(2));
663 &_saveround (6,$idx,@T); # temporary storage for KA!
664
665 &xor (@T[0],&DWP(4*8+0,$idx)); # KA^KR
666 &xor (@T[1],&DWP(4*8+4,$idx));
667 &xor (@T[2],&DWP(5*8+0,$idx));
668 &xor (@T[3],&DWP(5*8+4,$idx));
669
670 &mov ($idx,&DWP($step*8,$key)); # prefetch SIGMA[8]
671 &mov (&swtmp(0),@T[0]); # save s[0-3]
672 &mov (&swtmp(1),@T[1]);
673 &mov (&swtmp(2),@T[2]);
674 &mov (&swtmp(3),@T[3]);
675 &Camellia_Feistel($step++);
676 &Camellia_Feistel($step++);
677 &mov (@T[2],&swtmp(2));
678 &mov (@T[3],&swtmp(3));
679
680 &mov ($key,&wparam(2));
681 &lea ($key,&DWP(128,$key)); # size optimization
682
683 ####### process KB
684 &_saveround (2,$key,-128,@T); # KB<<<0
685 &_rotl128 (@T,30,10,@T); # KB<<<30
686 &_rotl128 (@T,30,20,@T); # KB<<<(30+30=60)
687 push (@T,shift(@T)); # rotl128(@T,32);
688 &_rotl128 (@T,19,32,@T); # KB<<<(60+32+19=111)
689
690 ####### process KR
691 &_loadround (4,$key,-128,@T); # load KR
692 &_rotl128 (@T,15,4,@T); # KR<<<15
693 &_rotl128 (@T,15,8,@T); # KR<<<(15+15=30)
694 &_rotl128 (@T,30,18,@T); # KR<<<(30+30=60)
695 push (@T,shift(@T)); # rotl128(@T,32);
696 &_rotl128 (@T,2,26,@T); # KR<<<(60+32+2=94)
697
698 ####### process KA
699 &_loadround (6,$key,-128,@T); # load KA
700 &_rotl128 (@T,15,6,@T); # KA<<<15
701 &_rotl128 (@T,30,14,@T); # KA<<<(15+30=45)
702 push (@T,shift(@T)); # rotl128(@T,32);
703 &_rotl128 (@T,0,24,@T); # KA<<<(45+32+0=77)
704 &_rotl128 (@T,17,28,@T); # KA<<<(77+17=94)
705
706 ####### process KL
707 &_loadround (0,$key,-128,@T); # load KL
708 push (@T,shift(@T)); # rotl128(@T,32);
709 &_rotl128 (@T,13,12,@T); # KL<<<(32+13=45)
710 &_rotl128 (@T,15,16,@T); # KL<<<(45+15=60)
711 &_rotl128 (@T,17,22,@T); # KL<<<(60+17=77)
712 push (@T,shift(@T)); # rotl128(@T,32);
713 &_rotl128 (@T,2,30,@T); # KL<<<(77+32+2=111)
714
715 while (@T[0] ne "eax") # restore order
716 { unshift (@T,pop(@T)); }
717
718 &mov ("eax",4); # 4 grandRounds
719&set_label("done");
720 &lea ("edx",&DWP(272-128,$key)); # end of key schedule
721 &stack_pop(4);
722}
723&function_end("Camellia_Ekeygen");
724
725if ($OPENSSL) {
726# int private_Camellia_set_key (
727# const unsigned char *userKey,
728# int bits,
729# CAMELLIA_KEY *key)
730&function_begin_B("private_Camellia_set_key");
731 &push ("ebx");
732 &mov ("ecx",&wparam(0)); # pull arguments
733 &mov ("ebx",&wparam(1));
734 &mov ("edx",&wparam(2));
735
736 &mov ("eax",-1);
737 &test ("ecx","ecx");
738 &jz (&label("done")); # userKey==NULL?
739 &test ("edx","edx");
740 &jz (&label("done")); # key==NULL?
741
742 &mov ("eax",-2);
743 &cmp ("ebx",256);
744 &je (&label("arg_ok")); # bits==256?
745 &cmp ("ebx",192);
746 &je (&label("arg_ok")); # bits==192?
747 &cmp ("ebx",128);
748 &jne (&label("done")); # bits!=128?
749&set_label("arg_ok",4);
750
751 &push ("edx"); # push arguments
752 &push ("ecx");
753 &push ("ebx");
754 &call ("Camellia_Ekeygen");
755 &stack_pop(3);
756
757 # eax holds grandRounds and edx points at where to put it
758 &mov (&DWP(0,"edx"),"eax");
759 &xor ("eax","eax");
760&set_label("done",4);
761 &pop ("ebx");
762 &ret ();
763&function_end_B("private_Camellia_set_key");
764}
765
766@SBOX=(
767112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
768 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
769134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
770166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
771139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
772223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
773 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
774254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
775170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
776 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
777135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
778 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
779233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
780120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
781114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
782 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158);
783
784sub S1110 { my $i=shift; $i=@SBOX[$i]; return $i<<24|$i<<16|$i<<8; }
785sub S4404 { my $i=shift; $i=($i<<1|$i>>7)&0xff; $i=@SBOX[$i]; return $i<<24|$i<<16|$i; }
786sub S0222 { my $i=shift; $i=@SBOX[$i]; $i=($i<<1|$i>>7)&0xff; return $i<<16|$i<<8|$i; }
787sub S3033 { my $i=shift; $i=@SBOX[$i]; $i=($i>>1|$i<<7)&0xff; return $i<<24|$i<<8|$i; }
788
789&set_label("Camellia_SIGMA",64);
790&data_word(
791 0xa09e667f, 0x3bcc908b, 0xb67ae858, 0x4caa73b2,
792 0xc6ef372f, 0xe94f82be, 0x54ff53a5, 0xf1d36f1c,
793 0x10e527fa, 0xde682d1d, 0xb05688c2, 0xb3e6c1fd,
794 0, 0, 0, 0);
795&set_label("Camellia_SBOX",64);
796# tables are interleaved, remember?
797for ($i=0;$i<256;$i++) { &data_word(&S1110($i),&S4404($i)); }
798for ($i=0;$i<256;$i++) { &data_word(&S0222($i),&S3033($i)); }
799
800# void Camellia_cbc_encrypt (const void char *inp, unsigned char *out,
801# size_t length, const CAMELLIA_KEY *key,
802# unsigned char *ivp,const int enc);
803{
804# stack frame layout
805# -4(%esp) # return address 0(%esp)
806# 0(%esp) # s0 4(%esp)
807# 4(%esp) # s1 8(%esp)
808# 8(%esp) # s2 12(%esp)
809# 12(%esp) # s3 16(%esp)
810# 16(%esp) # end of key schedule 20(%esp)
811# 20(%esp) # %esp backup
812my $_inp=&DWP(24,"esp"); #copy of wparam(0)
813my $_out=&DWP(28,"esp"); #copy of wparam(1)
814my $_len=&DWP(32,"esp"); #copy of wparam(2)
815my $_key=&DWP(36,"esp"); #copy of wparam(3)
816my $_ivp=&DWP(40,"esp"); #copy of wparam(4)
817my $ivec=&DWP(44,"esp"); #ivec[16]
818my $_tmp=&DWP(44,"esp"); #volatile variable [yes, aliases with ivec]
819my ($s0,$s1,$s2,$s3) = @T;
820
821&function_begin("Camellia_cbc_encrypt");
822 &mov ($s2 eq "ecx"? $s2 : "",&wparam(2)); # load len
823 &cmp ($s2,0);
824 &je (&label("enc_out"));
825
826 &pushf ();
827 &cld ();
828
829 &mov ($s0,&wparam(0)); # load inp
830 &mov ($s1,&wparam(1)); # load out
831 #&mov ($s2,&wparam(2)); # load len
832 &mov ($s3,&wparam(3)); # load key
833 &mov ($Tbl,&wparam(4)); # load ivp
834
835 # allocate aligned stack frame...
836 &lea ($idx,&DWP(-64,"esp"));
837 &and ($idx,-64);
838
839 # place stack frame just "above mod 1024" the key schedule
840 # this ensures that cache associativity of 2 suffices
841 &lea ($key,&DWP(-64-63,$s3));
842 &sub ($key,$idx);
843 &neg ($key);
844 &and ($key,0x3C0); # modulo 1024, but aligned to cache-line
845 &sub ($idx,$key);
846
847 &mov ($key,&wparam(5)); # load enc
848
849 &exch ("esp",$idx);
850 &add ("esp",4); # reserve for return address!
851 &mov ($_esp,$idx); # save %esp
852
853 &mov ($_inp,$s0); # save copy of inp
854 &mov ($_out,$s1); # save copy of out
855 &mov ($_len,$s2); # save copy of len
856 &mov ($_key,$s3); # save copy of key
857 &mov ($_ivp,$Tbl); # save copy of ivp
858
859 &call (&label("pic_point")); # make it PIC!
860 &set_label("pic_point");
861 &blindpop($Tbl);
862 &lea ($Tbl,&DWP(&label("Camellia_SBOX")."-".&label("pic_point"),$Tbl));
863
864 &mov ($idx,32);
865 &set_label("prefetch_sbox",4);
866 &mov ($s0,&DWP(0,$Tbl));
867 &mov ($s1,&DWP(32,$Tbl));
868 &mov ($s2,&DWP(64,$Tbl));
869 &mov ($s3,&DWP(96,$Tbl));
870 &lea ($Tbl,&DWP(128,$Tbl));
871 &dec ($idx);
872 &jnz (&label("prefetch_sbox"));
873 &mov ($s0,$_key);
874 &sub ($Tbl,4096);
875 &mov ($idx,$_inp);
876 &mov ($s3,&DWP(272,$s0)); # load grandRounds
877
878 &cmp ($key,0);
879 &je (&label("DECRYPT"));
880
881 &mov ($s2,$_len);
882 &mov ($key,$_ivp);
883 &shl ($s3,6);
884 &lea ($s3,&DWP(0,$s0,$s3));
885 &mov ($_end,$s3);
886
887 &test ($s2,0xFFFFFFF0);
888 &jz (&label("enc_tail")); # short input...
889
890 &mov ($s0,&DWP(0,$key)); # load iv
891 &mov ($s1,&DWP(4,$key));
892
893 &set_label("enc_loop",4);
894 &mov ($s2,&DWP(8,$key));
895 &mov ($s3,&DWP(12,$key));
896
897 &xor ($s0,&DWP(0,$idx)); # xor input data
898 &xor ($s1,&DWP(4,$idx));
899 &xor ($s2,&DWP(8,$idx));
900 &bswap ($s0);
901 &xor ($s3,&DWP(12,$idx));
902 &bswap ($s1);
903 &mov ($key,$_key); # load key
904 &bswap ($s2);
905 &bswap ($s3);
906
907 &call ("_x86_Camellia_encrypt");
908
909 &mov ($idx,$_inp); # load inp
910 &mov ($key,$_out); # load out
911
912 &bswap ($s0);
913 &bswap ($s1);
914 &bswap ($s2);
915 &mov (&DWP(0,$key),$s0); # save output data
916 &bswap ($s3);
917 &mov (&DWP(4,$key),$s1);
918 &mov (&DWP(8,$key),$s2);
919 &mov (&DWP(12,$key),$s3);
920
921 &mov ($s2,$_len); # load len
922
923 &lea ($idx,&DWP(16,$idx));
924 &mov ($_inp,$idx); # save inp
925
926 &lea ($s3,&DWP(16,$key));
927 &mov ($_out,$s3); # save out
928
929 &sub ($s2,16);
930 &test ($s2,0xFFFFFFF0);
931 &mov ($_len,$s2); # save len
932 &jnz (&label("enc_loop"));
933 &test ($s2,15);
934 &jnz (&label("enc_tail"));
935 &mov ($idx,$_ivp); # load ivp
936 &mov ($s2,&DWP(8,$key)); # restore last dwords
937 &mov ($s3,&DWP(12,$key));
938 &mov (&DWP(0,$idx),$s0); # save ivec
939 &mov (&DWP(4,$idx),$s1);
940 &mov (&DWP(8,$idx),$s2);
941 &mov (&DWP(12,$idx),$s3);
942
943 &mov ("esp",$_esp);
944 &popf ();
945 &set_label("enc_out");
946 &function_end_A();
947 &pushf (); # kludge, never executed
948
949 &set_label("enc_tail",4);
950 &mov ($s0,$key eq "edi" ? $key : "");
951 &mov ($key,$_out); # load out
952 &push ($s0); # push ivp
953 &mov ($s1,16);
954 &sub ($s1,$s2);
955 &cmp ($key,$idx); # compare with inp
956 &je (&label("enc_in_place"));
957 &align (4);
958 &data_word(0xA4F3F689); # rep movsb # copy input
959 &jmp (&label("enc_skip_in_place"));
960 &set_label("enc_in_place");
961 &lea ($key,&DWP(0,$key,$s2));
962 &set_label("enc_skip_in_place");
963 &mov ($s2,$s1);
964 &xor ($s0,$s0);
965 &align (4);
966 &data_word(0xAAF3F689); # rep stosb # zero tail
967 &pop ($key); # pop ivp
968
969 &mov ($idx,$_out); # output as input
970 &mov ($s0,&DWP(0,$key));
971 &mov ($s1,&DWP(4,$key));
972 &mov ($_len,16); # len=16
973 &jmp (&label("enc_loop")); # one more spin...
974
975#----------------------------- DECRYPT -----------------------------#
976&set_label("DECRYPT",16);
977 &shl ($s3,6);
978 &lea ($s3,&DWP(0,$s0,$s3));
979 &mov ($_end,$s0);
980 &mov ($_key,$s3);
981
982 &cmp ($idx,$_out);
983 &je (&label("dec_in_place")); # in-place processing...
984
985 &mov ($key,$_ivp); # load ivp
986 &mov ($_tmp,$key);
987
988 &set_label("dec_loop",4);
989 &mov ($s0,&DWP(0,$idx)); # read input
990 &mov ($s1,&DWP(4,$idx));
991 &mov ($s2,&DWP(8,$idx));
992 &bswap ($s0);
993 &mov ($s3,&DWP(12,$idx));
994 &bswap ($s1);
995 &mov ($key,$_key); # load key
996 &bswap ($s2);
997 &bswap ($s3);
998
999 &call ("_x86_Camellia_decrypt");
1000
1001 &mov ($key,$_tmp); # load ivp
1002 &mov ($idx,$_len); # load len
1003
1004 &bswap ($s0);
1005 &bswap ($s1);
1006 &bswap ($s2);
1007 &xor ($s0,&DWP(0,$key)); # xor iv
1008 &bswap ($s3);
1009 &xor ($s1,&DWP(4,$key));
1010 &xor ($s2,&DWP(8,$key));
1011 &xor ($s3,&DWP(12,$key));
1012
1013 &sub ($idx,16);
1014 &jc (&label("dec_partial"));
1015 &mov ($_len,$idx); # save len
1016 &mov ($idx,$_inp); # load inp
1017 &mov ($key,$_out); # load out
1018
1019 &mov (&DWP(0,$key),$s0); # write output
1020 &mov (&DWP(4,$key),$s1);
1021 &mov (&DWP(8,$key),$s2);
1022 &mov (&DWP(12,$key),$s3);
1023
1024 &mov ($_tmp,$idx); # save ivp
1025 &lea ($idx,&DWP(16,$idx));
1026 &mov ($_inp,$idx); # save inp
1027
1028 &lea ($key,&DWP(16,$key));
1029 &mov ($_out,$key); # save out
1030
1031 &jnz (&label("dec_loop"));
1032 &mov ($key,$_tmp); # load temp ivp
1033 &set_label("dec_end");
1034 &mov ($idx,$_ivp); # load user ivp
1035 &mov ($s0,&DWP(0,$key)); # load iv
1036 &mov ($s1,&DWP(4,$key));
1037 &mov ($s2,&DWP(8,$key));
1038 &mov ($s3,&DWP(12,$key));
1039 &mov (&DWP(0,$idx),$s0); # copy back to user
1040 &mov (&DWP(4,$idx),$s1);
1041 &mov (&DWP(8,$idx),$s2);
1042 &mov (&DWP(12,$idx),$s3);
1043 &jmp (&label("dec_out"));
1044
1045 &set_label("dec_partial",4);
1046 &lea ($key,$ivec);
1047 &mov (&DWP(0,$key),$s0); # dump output to stack
1048 &mov (&DWP(4,$key),$s1);
1049 &mov (&DWP(8,$key),$s2);
1050 &mov (&DWP(12,$key),$s3);
1051 &lea ($s2 eq "ecx" ? $s2 : "",&DWP(16,$idx));
1052 &mov ($idx eq "esi" ? $idx : "",$key);
1053 &mov ($key eq "edi" ? $key : "",$_out); # load out
1054 &data_word(0xA4F3F689); # rep movsb # copy output
1055 &mov ($key,$_inp); # use inp as temp ivp
1056 &jmp (&label("dec_end"));
1057
1058 &set_label("dec_in_place",4);
1059 &set_label("dec_in_place_loop");
1060 &lea ($key,$ivec);
1061 &mov ($s0,&DWP(0,$idx)); # read input
1062 &mov ($s1,&DWP(4,$idx));
1063 &mov ($s2,&DWP(8,$idx));
1064 &mov ($s3,&DWP(12,$idx));
1065
1066 &mov (&DWP(0,$key),$s0); # copy to temp
1067 &mov (&DWP(4,$key),$s1);
1068 &mov (&DWP(8,$key),$s2);
1069 &bswap ($s0);
1070 &mov (&DWP(12,$key),$s3);
1071 &bswap ($s1);
1072 &mov ($key,$_key); # load key
1073 &bswap ($s2);
1074 &bswap ($s3);
1075
1076 &call ("_x86_Camellia_decrypt");
1077
1078 &mov ($key,$_ivp); # load ivp
1079 &mov ($idx,$_out); # load out
1080
1081 &bswap ($s0);
1082 &bswap ($s1);
1083 &bswap ($s2);
1084 &xor ($s0,&DWP(0,$key)); # xor iv
1085 &bswap ($s3);
1086 &xor ($s1,&DWP(4,$key));
1087 &xor ($s2,&DWP(8,$key));
1088 &xor ($s3,&DWP(12,$key));
1089
1090 &mov (&DWP(0,$idx),$s0); # write output
1091 &mov (&DWP(4,$idx),$s1);
1092 &mov (&DWP(8,$idx),$s2);
1093 &mov (&DWP(12,$idx),$s3);
1094
1095 &lea ($idx,&DWP(16,$idx));
1096 &mov ($_out,$idx); # save out
1097
1098 &lea ($idx,$ivec);
1099 &mov ($s0,&DWP(0,$idx)); # read temp
1100 &mov ($s1,&DWP(4,$idx));
1101 &mov ($s2,&DWP(8,$idx));
1102 &mov ($s3,&DWP(12,$idx));
1103
1104 &mov (&DWP(0,$key),$s0); # copy iv
1105 &mov (&DWP(4,$key),$s1);
1106 &mov (&DWP(8,$key),$s2);
1107 &mov (&DWP(12,$key),$s3);
1108
1109 &mov ($idx,$_inp); # load inp
1110
1111 &lea ($idx,&DWP(16,$idx));
1112 &mov ($_inp,$idx); # save inp
1113
1114 &mov ($s2,$_len); # load len
1115 &sub ($s2,16);
1116 &jc (&label("dec_in_place_partial"));
1117 &mov ($_len,$s2); # save len
1118 &jnz (&label("dec_in_place_loop"));
1119 &jmp (&label("dec_out"));
1120
1121 &set_label("dec_in_place_partial",4);
1122 # one can argue if this is actually required...
1123 &mov ($key eq "edi" ? $key : "",$_out);
1124 &lea ($idx eq "esi" ? $idx : "",$ivec);
1125 &lea ($key,&DWP(0,$key,$s2));
1126 &lea ($idx,&DWP(16,$idx,$s2));
1127 &neg ($s2 eq "ecx" ? $s2 : "");
1128 &data_word(0xA4F3F689); # rep movsb # restore tail
1129
1130 &set_label("dec_out",4);
1131 &mov ("esp",$_esp);
1132 &popf ();
1133&function_end("Camellia_cbc_encrypt");
1134}
1135
1136&asciz("Camellia for x86 by <appro\@openssl.org>");
1137
1138&asm_finish();
diff --git a/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl b/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl
deleted file mode 100644
index 9f4b82fa48..0000000000
--- a/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl
+++ /dev/null
@@ -1,1081 +0,0 @@
1#!/usr/bin/env perl
2
3# ====================================================================
4# Copyright (c) 2008 Andy Polyakov <appro@openssl.org>
5#
6# This module may be used under the terms of either the GNU General
7# Public License version 2 or later, the GNU Lesser General Public
8# License version 2.1 or later, the Mozilla Public License version
9# 1.1 or the BSD License. The exact terms of either license are
10# distributed along with this module. For further details see
11# http://www.openssl.org/~appro/camellia/.
12# ====================================================================
13
14# Performance in cycles per processed byte (less is better) in
15# 'openssl speed ...' benchmark:
16#
17# AMD64 Core2 EM64T
18# -evp camellia-128-ecb 16.7 21.0 22.7
19# + over gcc 3.4.6 +25% +5% 0%
20#
21# camellia-128-cbc 15.7 20.4 21.1
22#
23# 128-bit key setup 128 216 205 cycles/key
24# + over gcc 3.4.6 +54% +39% +15%
25#
26# Numbers in "+" rows represent performance improvement over compiler
27# generated code. Key setup timings are impressive on AMD and Core2
28# thanks to 64-bit operations being covertly deployed. Improvement on
29# EM64T, pre-Core2 Intel x86_64 CPU, is not as impressive, because it
30# apparently emulates some of 64-bit operations in [32-bit] microcode.
31
32$flavour = shift;
33$output = shift;
34if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
35
36$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
37
38$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
39( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
40( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
41die "can't locate x86_64-xlate.pl";
42
43open OUT,"| \"$^X\" $xlate $flavour $output";
44*STDOUT=*OUT;
45
46sub hi() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1h/; $r; }
47sub lo() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1l/;
48 $r =~ s/%[er]([sd]i)/%\1l/;
49 $r =~ s/%(r[0-9]+)[d]?/%\1b/; $r; }
50
51$t0="%eax";$t1="%ebx";$t2="%ecx";$t3="%edx";
52@S=("%r8d","%r9d","%r10d","%r11d");
53$i0="%esi";
54$i1="%edi";
55$Tbl="%rbp"; # size optimization
56$inp="%r12";
57$out="%r13";
58$key="%r14";
59$keyend="%r15";
60$arg0d=$win64?"%ecx":"%edi";
61
62# const unsigned int Camellia_SBOX[4][256];
63# Well, sort of... Camellia_SBOX[0][] is interleaved with [1][],
64# and [2][] - with [3][]. This is done to minimize code size.
65$SBOX1_1110=0; # Camellia_SBOX[0]
66$SBOX4_4404=4; # Camellia_SBOX[1]
67$SBOX2_0222=2048; # Camellia_SBOX[2]
68$SBOX3_3033=2052; # Camellia_SBOX[3]
69
70sub Camellia_Feistel {
71my $i=@_[0];
72my $seed=defined(@_[1])?@_[1]:0;
73my $scale=$seed<0?-8:8;
74my $j=($i&1)*2;
75my $s0=@S[($j)%4],$s1=@S[($j+1)%4],$s2=@S[($j+2)%4],$s3=@S[($j+3)%4];
76
77$code.=<<___;
78 xor $s0,$t0 # t0^=key[0]
79 xor $s1,$t1 # t1^=key[1]
80 movz `&hi("$t0")`,$i0 # (t0>>8)&0xff
81 movz `&lo("$t1")`,$i1 # (t1>>0)&0xff
82 mov $SBOX3_3033($Tbl,$i0,8),$t3 # t3=SBOX3_3033[0]
83 mov $SBOX1_1110($Tbl,$i1,8),$t2 # t2=SBOX1_1110[1]
84 movz `&lo("$t0")`,$i0 # (t0>>0)&0xff
85 shr \$16,$t0
86 movz `&hi("$t1")`,$i1 # (t1>>8)&0xff
87 xor $SBOX4_4404($Tbl,$i0,8),$t3 # t3^=SBOX4_4404[0]
88 shr \$16,$t1
89 xor $SBOX4_4404($Tbl,$i1,8),$t2 # t2^=SBOX4_4404[1]
90 movz `&hi("$t0")`,$i0 # (t0>>24)&0xff
91 movz `&lo("$t1")`,$i1 # (t1>>16)&0xff
92 xor $SBOX1_1110($Tbl,$i0,8),$t3 # t3^=SBOX1_1110[0]
93 xor $SBOX3_3033($Tbl,$i1,8),$t2 # t2^=SBOX3_3033[1]
94 movz `&lo("$t0")`,$i0 # (t0>>16)&0xff
95 movz `&hi("$t1")`,$i1 # (t1>>24)&0xff
96 xor $SBOX2_0222($Tbl,$i0,8),$t3 # t3^=SBOX2_0222[0]
97 xor $SBOX2_0222($Tbl,$i1,8),$t2 # t2^=SBOX2_0222[1]
98 mov `$seed+($i+1)*$scale`($key),$t1 # prefetch key[i+1]
99 mov `$seed+($i+1)*$scale+4`($key),$t0
100 xor $t3,$t2 # t2^=t3
101 ror \$8,$t3 # t3=RightRotate(t3,8)
102 xor $t2,$s2
103 xor $t2,$s3
104 xor $t3,$s3
105___
106}
107
108# void Camellia_EncryptBlock_Rounds(
109# int grandRounds,
110# const Byte plaintext[],
111# const KEY_TABLE_TYPE keyTable,
112# Byte ciphertext[])
113$code=<<___;
114.text
115
116# V1.x API
117.globl Camellia_EncryptBlock
118.type Camellia_EncryptBlock,\@abi-omnipotent
119.align 16
120Camellia_EncryptBlock:
121 movl \$128,%eax
122 subl $arg0d,%eax
123 movl \$3,$arg0d
124 adcl \$0,$arg0d # keyBitLength==128?3:4
125 jmp .Lenc_rounds
126.size Camellia_EncryptBlock,.-Camellia_EncryptBlock
127# V2
128.globl Camellia_EncryptBlock_Rounds
129.type Camellia_EncryptBlock_Rounds,\@function,4
130.align 16
131.Lenc_rounds:
132Camellia_EncryptBlock_Rounds:
133 push %rbx
134 push %rbp
135 push %r13
136 push %r14
137 push %r15
138.Lenc_prologue:
139
140 #mov %rsi,$inp # put away arguments
141 mov %rcx,$out
142 mov %rdx,$key
143
144 shl \$6,%edi # process grandRounds
145 lea .LCamellia_SBOX(%rip),$Tbl
146 lea ($key,%rdi),$keyend
147
148 mov 0(%rsi),@S[0] # load plaintext
149 mov 4(%rsi),@S[1]
150 mov 8(%rsi),@S[2]
151 bswap @S[0]
152 mov 12(%rsi),@S[3]
153 bswap @S[1]
154 bswap @S[2]
155 bswap @S[3]
156
157 call _x86_64_Camellia_encrypt
158
159 bswap @S[0]
160 bswap @S[1]
161 bswap @S[2]
162 mov @S[0],0($out)
163 bswap @S[3]
164 mov @S[1],4($out)
165 mov @S[2],8($out)
166 mov @S[3],12($out)
167
168 mov 0(%rsp),%r15
169 mov 8(%rsp),%r14
170 mov 16(%rsp),%r13
171 mov 24(%rsp),%rbp
172 mov 32(%rsp),%rbx
173 lea 40(%rsp),%rsp
174.Lenc_epilogue:
175 ret
176.size Camellia_EncryptBlock_Rounds,.-Camellia_EncryptBlock_Rounds
177
178.type _x86_64_Camellia_encrypt,\@abi-omnipotent
179.align 16
180_x86_64_Camellia_encrypt:
181 xor 0($key),@S[1]
182 xor 4($key),@S[0] # ^=key[0-3]
183 xor 8($key),@S[3]
184 xor 12($key),@S[2]
185.align 16
186.Leloop:
187 mov 16($key),$t1 # prefetch key[4-5]
188 mov 20($key),$t0
189
190___
191 for ($i=0;$i<6;$i++) { Camellia_Feistel($i,16); }
192$code.=<<___;
193 lea 16*4($key),$key
194 cmp $keyend,$key
195 mov 8($key),$t3 # prefetch key[2-3]
196 mov 12($key),$t2
197 je .Ledone
198
199 and @S[0],$t0
200 or @S[3],$t3
201 rol \$1,$t0
202 xor $t3,@S[2] # s2^=s3|key[3];
203 xor $t0,@S[1] # s1^=LeftRotate(s0&key[0],1);
204 and @S[2],$t2
205 or @S[1],$t1
206 rol \$1,$t2
207 xor $t1,@S[0] # s0^=s1|key[1];
208 xor $t2,@S[3] # s3^=LeftRotate(s2&key[2],1);
209 jmp .Leloop
210
211.align 16
212.Ledone:
213 xor @S[2],$t0 # SwapHalf
214 xor @S[3],$t1
215 xor @S[0],$t2
216 xor @S[1],$t3
217
218 mov $t0,@S[0]
219 mov $t1,@S[1]
220 mov $t2,@S[2]
221 mov $t3,@S[3]
222
223 .byte 0xf3,0xc3 # rep ret
224.size _x86_64_Camellia_encrypt,.-_x86_64_Camellia_encrypt
225
226# V1.x API
227.globl Camellia_DecryptBlock
228.type Camellia_DecryptBlock,\@abi-omnipotent
229.align 16
230Camellia_DecryptBlock:
231 movl \$128,%eax
232 subl $arg0d,%eax
233 movl \$3,$arg0d
234 adcl \$0,$arg0d # keyBitLength==128?3:4
235 jmp .Ldec_rounds
236.size Camellia_DecryptBlock,.-Camellia_DecryptBlock
237# V2
238.globl Camellia_DecryptBlock_Rounds
239.type Camellia_DecryptBlock_Rounds,\@function,4
240.align 16
241.Ldec_rounds:
242Camellia_DecryptBlock_Rounds:
243 push %rbx
244 push %rbp
245 push %r13
246 push %r14
247 push %r15
248.Ldec_prologue:
249
250 #mov %rsi,$inp # put away arguments
251 mov %rcx,$out
252 mov %rdx,$keyend
253
254 shl \$6,%edi # process grandRounds
255 lea .LCamellia_SBOX(%rip),$Tbl
256 lea ($keyend,%rdi),$key
257
258 mov 0(%rsi),@S[0] # load plaintext
259 mov 4(%rsi),@S[1]
260 mov 8(%rsi),@S[2]
261 bswap @S[0]
262 mov 12(%rsi),@S[3]
263 bswap @S[1]
264 bswap @S[2]
265 bswap @S[3]
266
267 call _x86_64_Camellia_decrypt
268
269 bswap @S[0]
270 bswap @S[1]
271 bswap @S[2]
272 mov @S[0],0($out)
273 bswap @S[3]
274 mov @S[1],4($out)
275 mov @S[2],8($out)
276 mov @S[3],12($out)
277
278 mov 0(%rsp),%r15
279 mov 8(%rsp),%r14
280 mov 16(%rsp),%r13
281 mov 24(%rsp),%rbp
282 mov 32(%rsp),%rbx
283 lea 40(%rsp),%rsp
284.Ldec_epilogue:
285 ret
286.size Camellia_DecryptBlock_Rounds,.-Camellia_DecryptBlock_Rounds
287
288.type _x86_64_Camellia_decrypt,\@abi-omnipotent
289.align 16
290_x86_64_Camellia_decrypt:
291 xor 0($key),@S[1]
292 xor 4($key),@S[0] # ^=key[0-3]
293 xor 8($key),@S[3]
294 xor 12($key),@S[2]
295.align 16
296.Ldloop:
297 mov -8($key),$t1 # prefetch key[4-5]
298 mov -4($key),$t0
299
300___
301 for ($i=0;$i<6;$i++) { Camellia_Feistel($i,-8); }
302$code.=<<___;
303 lea -16*4($key),$key
304 cmp $keyend,$key
305 mov 0($key),$t3 # prefetch key[2-3]
306 mov 4($key),$t2
307 je .Lddone
308
309 and @S[0],$t0
310 or @S[3],$t3
311 rol \$1,$t0
312 xor $t3,@S[2] # s2^=s3|key[3];
313 xor $t0,@S[1] # s1^=LeftRotate(s0&key[0],1);
314 and @S[2],$t2
315 or @S[1],$t1
316 rol \$1,$t2
317 xor $t1,@S[0] # s0^=s1|key[1];
318 xor $t2,@S[3] # s3^=LeftRotate(s2&key[2],1);
319
320 jmp .Ldloop
321
322.align 16
323.Lddone:
324 xor @S[2],$t2
325 xor @S[3],$t3
326 xor @S[0],$t0
327 xor @S[1],$t1
328
329 mov $t2,@S[0] # SwapHalf
330 mov $t3,@S[1]
331 mov $t0,@S[2]
332 mov $t1,@S[3]
333
334 .byte 0xf3,0xc3 # rep ret
335.size _x86_64_Camellia_decrypt,.-_x86_64_Camellia_decrypt
336___
337
338sub _saveround {
339my ($rnd,$key,@T)=@_;
340my $bias=int(@T[0])?shift(@T):0;
341
342 if ($#T==3) {
343 $code.=<<___;
344 mov @T[1],`$bias+$rnd*8+0`($key)
345 mov @T[0],`$bias+$rnd*8+4`($key)
346 mov @T[3],`$bias+$rnd*8+8`($key)
347 mov @T[2],`$bias+$rnd*8+12`($key)
348___
349 } else {
350 $code.=" mov @T[0],`$bias+$rnd*8+0`($key)\n";
351 $code.=" mov @T[1],`$bias+$rnd*8+8`($key)\n" if ($#T>=1);
352 }
353}
354
355sub _loadround {
356my ($rnd,$key,@T)=@_;
357my $bias=int(@T[0])?shift(@T):0;
358
359$code.=" mov `$bias+$rnd*8+0`($key),@T[0]\n";
360$code.=" mov `$bias+$rnd*8+8`($key),@T[1]\n" if ($#T>=1);
361}
362
363# shld is very slow on Intel EM64T family. Even on AMD it limits
364# instruction decode rate [because it's VectorPath] and consequently
365# performance...
366sub __rotl128 {
367my ($i0,$i1,$rot)=@_;
368
369 if ($rot) {
370 $code.=<<___;
371 mov $i0,%r11
372 shld \$$rot,$i1,$i0
373 shld \$$rot,%r11,$i1
374___
375 }
376}
377
378# ... Implementing 128-bit rotate without shld gives 80% better
379# performance EM64T, +15% on AMD64 and only ~7% degradation on
380# Core2. This is therefore preferred.
381sub _rotl128 {
382my ($i0,$i1,$rot)=@_;
383
384 if ($rot) {
385 $code.=<<___;
386 mov $i0,%r11
387 shl \$$rot,$i0
388 mov $i1,%r9
389 shr \$`64-$rot`,%r9
390 shr \$`64-$rot`,%r11
391 or %r9,$i0
392 shl \$$rot,$i1
393 or %r11,$i1
394___
395 }
396}
397
398{ my $step=0;
399
400$code.=<<___;
401.globl Camellia_Ekeygen
402.type Camellia_Ekeygen,\@function,3
403.align 16
404Camellia_Ekeygen:
405 push %rbx
406 push %rbp
407 push %r13
408 push %r14
409 push %r15
410.Lkey_prologue:
411
412 mov %rdi,$keyend # put away arguments, keyBitLength
413 mov %rdx,$out # keyTable
414
415 mov 0(%rsi),@S[0] # load 0-127 bits
416 mov 4(%rsi),@S[1]
417 mov 8(%rsi),@S[2]
418 mov 12(%rsi),@S[3]
419
420 bswap @S[0]
421 bswap @S[1]
422 bswap @S[2]
423 bswap @S[3]
424___
425 &_saveround (0,$out,@S); # KL<<<0
426$code.=<<___;
427 cmp \$128,$keyend # check keyBitLength
428 je .L1st128
429
430 mov 16(%rsi),@S[0] # load 128-191 bits
431 mov 20(%rsi),@S[1]
432 cmp \$192,$keyend
433 je .L1st192
434 mov 24(%rsi),@S[2] # load 192-255 bits
435 mov 28(%rsi),@S[3]
436 jmp .L1st256
437.L1st192:
438 mov @S[0],@S[2]
439 mov @S[1],@S[3]
440 not @S[2]
441 not @S[3]
442.L1st256:
443 bswap @S[0]
444 bswap @S[1]
445 bswap @S[2]
446 bswap @S[3]
447___
448 &_saveround (4,$out,@S); # temp storage for KR!
449$code.=<<___;
450 xor 0($out),@S[1] # KR^KL
451 xor 4($out),@S[0]
452 xor 8($out),@S[3]
453 xor 12($out),@S[2]
454
455.L1st128:
456 lea .LCamellia_SIGMA(%rip),$key
457 lea .LCamellia_SBOX(%rip),$Tbl
458
459 mov 0($key),$t1
460 mov 4($key),$t0
461___
462 &Camellia_Feistel($step++);
463 &Camellia_Feistel($step++);
464$code.=<<___;
465 xor 0($out),@S[1] # ^KL
466 xor 4($out),@S[0]
467 xor 8($out),@S[3]
468 xor 12($out),@S[2]
469___
470 &Camellia_Feistel($step++);
471 &Camellia_Feistel($step++);
472$code.=<<___;
473 cmp \$128,$keyend
474 jne .L2nd256
475
476 lea 128($out),$out # size optimization
477 shl \$32,%r8 # @S[0]||
478 shl \$32,%r10 # @S[2]||
479 or %r9,%r8 # ||@S[1]
480 or %r11,%r10 # ||@S[3]
481___
482 &_loadround (0,$out,-128,"%rax","%rbx"); # KL
483 &_saveround (2,$out,-128,"%r8","%r10"); # KA<<<0
484 &_rotl128 ("%rax","%rbx",15);
485 &_saveround (4,$out,-128,"%rax","%rbx"); # KL<<<15
486 &_rotl128 ("%r8","%r10",15);
487 &_saveround (6,$out,-128,"%r8","%r10"); # KA<<<15
488 &_rotl128 ("%r8","%r10",15); # 15+15=30
489 &_saveround (8,$out,-128,"%r8","%r10"); # KA<<<30
490 &_rotl128 ("%rax","%rbx",30); # 15+30=45
491 &_saveround (10,$out,-128,"%rax","%rbx"); # KL<<<45
492 &_rotl128 ("%r8","%r10",15); # 30+15=45
493 &_saveround (12,$out,-128,"%r8"); # KA<<<45
494 &_rotl128 ("%rax","%rbx",15); # 45+15=60
495 &_saveround (13,$out,-128,"%rbx"); # KL<<<60
496 &_rotl128 ("%r8","%r10",15); # 45+15=60
497 &_saveround (14,$out,-128,"%r8","%r10"); # KA<<<60
498 &_rotl128 ("%rax","%rbx",17); # 60+17=77
499 &_saveround (16,$out,-128,"%rax","%rbx"); # KL<<<77
500 &_rotl128 ("%rax","%rbx",17); # 77+17=94
501 &_saveround (18,$out,-128,"%rax","%rbx"); # KL<<<94
502 &_rotl128 ("%r8","%r10",34); # 60+34=94
503 &_saveround (20,$out,-128,"%r8","%r10"); # KA<<<94
504 &_rotl128 ("%rax","%rbx",17); # 94+17=111
505 &_saveround (22,$out,-128,"%rax","%rbx"); # KL<<<111
506 &_rotl128 ("%r8","%r10",17); # 94+17=111
507 &_saveround (24,$out,-128,"%r8","%r10"); # KA<<<111
508$code.=<<___;
509 mov \$3,%eax
510 jmp .Ldone
511.align 16
512.L2nd256:
513___
514 &_saveround (6,$out,@S); # temp storage for KA!
515$code.=<<___;
516 xor `4*8+0`($out),@S[1] # KA^KR
517 xor `4*8+4`($out),@S[0]
518 xor `5*8+0`($out),@S[3]
519 xor `5*8+4`($out),@S[2]
520___
521 &Camellia_Feistel($step++);
522 &Camellia_Feistel($step++);
523
524 &_loadround (0,$out,"%rax","%rbx"); # KL
525 &_loadround (4,$out,"%rcx","%rdx"); # KR
526 &_loadround (6,$out,"%r14","%r15"); # KA
527$code.=<<___;
528 lea 128($out),$out # size optimization
529 shl \$32,%r8 # @S[0]||
530 shl \$32,%r10 # @S[2]||
531 or %r9,%r8 # ||@S[1]
532 or %r11,%r10 # ||@S[3]
533___
534 &_saveround (2,$out,-128,"%r8","%r10"); # KB<<<0
535 &_rotl128 ("%rcx","%rdx",15);
536 &_saveround (4,$out,-128,"%rcx","%rdx"); # KR<<<15
537 &_rotl128 ("%r14","%r15",15);
538 &_saveround (6,$out,-128,"%r14","%r15"); # KA<<<15
539 &_rotl128 ("%rcx","%rdx",15); # 15+15=30
540 &_saveround (8,$out,-128,"%rcx","%rdx"); # KR<<<30
541 &_rotl128 ("%r8","%r10",30);
542 &_saveround (10,$out,-128,"%r8","%r10"); # KB<<<30
543 &_rotl128 ("%rax","%rbx",45);
544 &_saveround (12,$out,-128,"%rax","%rbx"); # KL<<<45
545 &_rotl128 ("%r14","%r15",30); # 15+30=45
546 &_saveround (14,$out,-128,"%r14","%r15"); # KA<<<45
547 &_rotl128 ("%rax","%rbx",15); # 45+15=60
548 &_saveround (16,$out,-128,"%rax","%rbx"); # KL<<<60
549 &_rotl128 ("%rcx","%rdx",30); # 30+30=60
550 &_saveround (18,$out,-128,"%rcx","%rdx"); # KR<<<60
551 &_rotl128 ("%r8","%r10",30); # 30+30=60
552 &_saveround (20,$out,-128,"%r8","%r10"); # KB<<<60
553 &_rotl128 ("%rax","%rbx",17); # 60+17=77
554 &_saveround (22,$out,-128,"%rax","%rbx"); # KL<<<77
555 &_rotl128 ("%r14","%r15",32); # 45+32=77
556 &_saveround (24,$out,-128,"%r14","%r15"); # KA<<<77
557 &_rotl128 ("%rcx","%rdx",34); # 60+34=94
558 &_saveround (26,$out,-128,"%rcx","%rdx"); # KR<<<94
559 &_rotl128 ("%r14","%r15",17); # 77+17=94
560 &_saveround (28,$out,-128,"%r14","%r15"); # KA<<<77
561 &_rotl128 ("%rax","%rbx",34); # 77+34=111
562 &_saveround (30,$out,-128,"%rax","%rbx"); # KL<<<111
563 &_rotl128 ("%r8","%r10",51); # 60+51=111
564 &_saveround (32,$out,-128,"%r8","%r10"); # KB<<<111
565$code.=<<___;
566 mov \$4,%eax
567.Ldone:
568 mov 0(%rsp),%r15
569 mov 8(%rsp),%r14
570 mov 16(%rsp),%r13
571 mov 24(%rsp),%rbp
572 mov 32(%rsp),%rbx
573 lea 40(%rsp),%rsp
574.Lkey_epilogue:
575 ret
576.size Camellia_Ekeygen,.-Camellia_Ekeygen
577___
578}
579
580@SBOX=(
581112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
582 35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
583134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
584166,225, 57,202,213, 71, 93, 61,217, 1, 90,214, 81, 86,108, 77,
585139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
586223, 76,203,194, 52,126,118, 5,109,183,169, 49,209, 23, 4,215,
587 20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
588254, 68,207,178,195,181,122,145, 36, 8,232,168, 96,252,105, 80,
589170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
590 16,196, 0, 72,163,247,117,219,138, 3,230,218, 9, 63,221,148,
591135, 92,131, 2,205, 74,144, 51,115,103,246,243,157,127,191,226,
592 82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
593233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
594120,152, 6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
595114, 7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
596 64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158);
597
598sub S1110 { my $i=shift; $i=@SBOX[$i]; $i=$i<<24|$i<<16|$i<<8; sprintf("0x%08x",$i); }
599sub S4404 { my $i=shift; $i=($i<<1|$i>>7)&0xff; $i=@SBOX[$i]; $i=$i<<24|$i<<16|$i; sprintf("0x%08x",$i); }
600sub S0222 { my $i=shift; $i=@SBOX[$i]; $i=($i<<1|$i>>7)&0xff; $i=$i<<16|$i<<8|$i; sprintf("0x%08x",$i); }
601sub S3033 { my $i=shift; $i=@SBOX[$i]; $i=($i>>1|$i<<7)&0xff; $i=$i<<24|$i<<8|$i; sprintf("0x%08x",$i); }
602
603$code.=<<___;
604.align 64
605.LCamellia_SIGMA:
606.long 0x3bcc908b, 0xa09e667f, 0x4caa73b2, 0xb67ae858
607.long 0xe94f82be, 0xc6ef372f, 0xf1d36f1c, 0x54ff53a5
608.long 0xde682d1d, 0x10e527fa, 0xb3e6c1fd, 0xb05688c2
609.long 0, 0, 0, 0
610.LCamellia_SBOX:
611___
612# tables are interleaved, remember?
613sub data_word { $code.=".long\t".join(',',@_)."\n"; }
614for ($i=0;$i<256;$i++) { &data_word(&S1110($i),&S4404($i)); }
615for ($i=0;$i<256;$i++) { &data_word(&S0222($i),&S3033($i)); }
616
617# void Camellia_cbc_encrypt (const void char *inp, unsigned char *out,
618# size_t length, const CAMELLIA_KEY *key,
619# unsigned char *ivp,const int enc);
620{
621$_key="0(%rsp)";
622$_end="8(%rsp)"; # inp+len&~15
623$_res="16(%rsp)"; # len&15
624$ivec="24(%rsp)";
625$_ivp="40(%rsp)";
626$_rsp="48(%rsp)";
627
628$code.=<<___;
629.globl Camellia_cbc_encrypt
630.type Camellia_cbc_encrypt,\@function,6
631.align 16
632Camellia_cbc_encrypt:
633 cmp \$0,%rdx
634 je .Lcbc_abort
635 push %rbx
636 push %rbp
637 push %r12
638 push %r13
639 push %r14
640 push %r15
641.Lcbc_prologue:
642
643 mov %rsp,%rbp
644 sub \$64,%rsp
645 and \$-64,%rsp
646
647 # place stack frame just "above mod 1024" the key schedule,
648 # this ensures that cache associativity suffices
649 lea -64-63(%rcx),%r10
650 sub %rsp,%r10
651 neg %r10
652 and \$0x3C0,%r10
653 sub %r10,%rsp
654 #add \$8,%rsp # 8 is reserved for callee's ra
655
656 mov %rdi,$inp # inp argument
657 mov %rsi,$out # out argument
658 mov %r8,%rbx # ivp argument
659 mov %rcx,$key # key argument
660 mov 272(%rcx),${keyend}d # grandRounds
661
662 mov %r8,$_ivp
663 mov %rbp,$_rsp
664
665.Lcbc_body:
666 lea .LCamellia_SBOX(%rip),$Tbl
667
668 mov \$32,%ecx
669.align 4
670.Lcbc_prefetch_sbox:
671 mov 0($Tbl),%rax
672 mov 32($Tbl),%rsi
673 mov 64($Tbl),%rdi
674 mov 96($Tbl),%r11
675 lea 128($Tbl),$Tbl
676 loop .Lcbc_prefetch_sbox
677 sub \$4096,$Tbl
678 shl \$6,$keyend
679 mov %rdx,%rcx # len argument
680 lea ($key,$keyend),$keyend
681
682 cmp \$0,%r9d # enc argument
683 je .LCBC_DECRYPT
684
685 and \$-16,%rdx
686 and \$15,%rcx # length residue
687 lea ($inp,%rdx),%rdx
688 mov $key,$_key
689 mov %rdx,$_end
690 mov %rcx,$_res
691
692 cmp $inp,%rdx
693 mov 0(%rbx),@S[0] # load IV
694 mov 4(%rbx),@S[1]
695 mov 8(%rbx),@S[2]
696 mov 12(%rbx),@S[3]
697 je .Lcbc_enc_tail
698 jmp .Lcbc_eloop
699
700.align 16
701.Lcbc_eloop:
702 xor 0($inp),@S[0]
703 xor 4($inp),@S[1]
704 xor 8($inp),@S[2]
705 bswap @S[0]
706 xor 12($inp),@S[3]
707 bswap @S[1]
708 bswap @S[2]
709 bswap @S[3]
710
711 call _x86_64_Camellia_encrypt
712
713 mov $_key,$key # "rewind" the key
714 bswap @S[0]
715 mov $_end,%rdx
716 bswap @S[1]
717 mov $_res,%rcx
718 bswap @S[2]
719 mov @S[0],0($out)
720 bswap @S[3]
721 mov @S[1],4($out)
722 mov @S[2],8($out)
723 lea 16($inp),$inp
724 mov @S[3],12($out)
725 cmp %rdx,$inp
726 lea 16($out),$out
727 jne .Lcbc_eloop
728
729 cmp \$0,%rcx
730 jne .Lcbc_enc_tail
731
732 mov $_ivp,$out
733 mov @S[0],0($out) # write out IV residue
734 mov @S[1],4($out)
735 mov @S[2],8($out)
736 mov @S[3],12($out)
737 jmp .Lcbc_done
738
739.align 16
740.Lcbc_enc_tail:
741 xor %rax,%rax
742 mov %rax,0+$ivec
743 mov %rax,8+$ivec
744 mov %rax,$_res
745
746.Lcbc_enc_pushf:
747 pushfq
748 cld
749 mov $inp,%rsi
750 lea 8+$ivec,%rdi
751 .long 0x9066A4F3 # rep movsb
752 popfq
753.Lcbc_enc_popf:
754
755 lea $ivec,$inp
756 lea 16+$ivec,%rax
757 mov %rax,$_end
758 jmp .Lcbc_eloop # one more time
759
760.align 16
761.LCBC_DECRYPT:
762 xchg $key,$keyend
763 add \$15,%rdx
764 and \$15,%rcx # length residue
765 and \$-16,%rdx
766 mov $key,$_key
767 lea ($inp,%rdx),%rdx
768 mov %rdx,$_end
769 mov %rcx,$_res
770
771 mov (%rbx),%rax # load IV
772 mov 8(%rbx),%rbx
773 jmp .Lcbc_dloop
774.align 16
775.Lcbc_dloop:
776 mov 0($inp),@S[0]
777 mov 4($inp),@S[1]
778 mov 8($inp),@S[2]
779 bswap @S[0]
780 mov 12($inp),@S[3]
781 bswap @S[1]
782 mov %rax,0+$ivec # save IV to temporary storage
783 bswap @S[2]
784 mov %rbx,8+$ivec
785 bswap @S[3]
786
787 call _x86_64_Camellia_decrypt
788
789 mov $_key,$key # "rewind" the key
790 mov $_end,%rdx
791 mov $_res,%rcx
792
793 bswap @S[0]
794 mov ($inp),%rax # load IV for next iteration
795 bswap @S[1]
796 mov 8($inp),%rbx
797 bswap @S[2]
798 xor 0+$ivec,@S[0]
799 bswap @S[3]
800 xor 4+$ivec,@S[1]
801 xor 8+$ivec,@S[2]
802 lea 16($inp),$inp
803 xor 12+$ivec,@S[3]
804 cmp %rdx,$inp
805 je .Lcbc_ddone
806
807 mov @S[0],0($out)
808 mov @S[1],4($out)
809 mov @S[2],8($out)
810 mov @S[3],12($out)
811
812 lea 16($out),$out
813 jmp .Lcbc_dloop
814
815.align 16
816.Lcbc_ddone:
817 mov $_ivp,%rdx
818 cmp \$0,%rcx
819 jne .Lcbc_dec_tail
820
821 mov @S[0],0($out)
822 mov @S[1],4($out)
823 mov @S[2],8($out)
824 mov @S[3],12($out)
825
826 mov %rax,(%rdx) # write out IV residue
827 mov %rbx,8(%rdx)
828 jmp .Lcbc_done
829.align 16
830.Lcbc_dec_tail:
831 mov @S[0],0+$ivec
832 mov @S[1],4+$ivec
833 mov @S[2],8+$ivec
834 mov @S[3],12+$ivec
835
836.Lcbc_dec_pushf:
837 pushfq
838 cld
839 lea 8+$ivec,%rsi
840 lea ($out),%rdi
841 .long 0x9066A4F3 # rep movsb
842 popfq
843.Lcbc_dec_popf:
844
845 mov %rax,(%rdx) # write out IV residue
846 mov %rbx,8(%rdx)
847 jmp .Lcbc_done
848
849.align 16
850.Lcbc_done:
851 mov $_rsp,%rcx
852 mov 0(%rcx),%r15
853 mov 8(%rcx),%r14
854 mov 16(%rcx),%r13
855 mov 24(%rcx),%r12
856 mov 32(%rcx),%rbp
857 mov 40(%rcx),%rbx
858 lea 48(%rcx),%rsp
859.Lcbc_abort:
860 ret
861.size Camellia_cbc_encrypt,.-Camellia_cbc_encrypt
862
863.asciz "Camellia for x86_64 by <appro\@openssl.org>"
864___
865}
866
867# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
868# CONTEXT *context,DISPATCHER_CONTEXT *disp)
869if ($win64) {
870$rec="%rcx";
871$frame="%rdx";
872$context="%r8";
873$disp="%r9";
874
875$code.=<<___;
876.extern __imp_RtlVirtualUnwind
877.type common_se_handler,\@abi-omnipotent
878.align 16
879common_se_handler:
880 push %rsi
881 push %rdi
882 push %rbx
883 push %rbp
884 push %r12
885 push %r13
886 push %r14
887 push %r15
888 pushfq
889 lea -64(%rsp),%rsp
890
891 mov 120($context),%rax # pull context->Rax
892 mov 248($context),%rbx # pull context->Rip
893
894 mov 8($disp),%rsi # disp->ImageBase
895 mov 56($disp),%r11 # disp->HandlerData
896
897 mov 0(%r11),%r10d # HandlerData[0]
898 lea (%rsi,%r10),%r10 # prologue label
899 cmp %r10,%rbx # context->Rip<prologue label
900 jb .Lin_prologue
901
902 mov 152($context),%rax # pull context->Rsp
903
904 mov 4(%r11),%r10d # HandlerData[1]
905 lea (%rsi,%r10),%r10 # epilogue label
906 cmp %r10,%rbx # context->Rip>=epilogue label
907 jae .Lin_prologue
908
909 lea 40(%rax),%rax
910 mov -8(%rax),%rbx
911 mov -16(%rax),%rbp
912 mov -24(%rax),%r13
913 mov -32(%rax),%r14
914 mov -40(%rax),%r15
915 mov %rbx,144($context) # restore context->Rbx
916 mov %rbp,160($context) # restore context->Rbp
917 mov %r13,224($context) # restore context->R13
918 mov %r14,232($context) # restore context->R14
919 mov %r15,240($context) # restore context->R15
920
921.Lin_prologue:
922 mov 8(%rax),%rdi
923 mov 16(%rax),%rsi
924 mov %rax,152($context) # restore context->Rsp
925 mov %rsi,168($context) # restore context->Rsi
926 mov %rdi,176($context) # restore context->Rdi
927
928 jmp .Lcommon_seh_exit
929.size common_se_handler,.-common_se_handler
930
931.type cbc_se_handler,\@abi-omnipotent
932.align 16
933cbc_se_handler:
934 push %rsi
935 push %rdi
936 push %rbx
937 push %rbp
938 push %r12
939 push %r13
940 push %r14
941 push %r15
942 pushfq
943 lea -64(%rsp),%rsp
944
945 mov 120($context),%rax # pull context->Rax
946 mov 248($context),%rbx # pull context->Rip
947
948 lea .Lcbc_prologue(%rip),%r10
949 cmp %r10,%rbx # context->Rip<.Lcbc_prologue
950 jb .Lin_cbc_prologue
951
952 lea .Lcbc_body(%rip),%r10
953 cmp %r10,%rbx # context->Rip<.Lcbc_body
954 jb .Lin_cbc_frame_setup
955
956 mov 152($context),%rax # pull context->Rsp
957
958 lea .Lcbc_abort(%rip),%r10
959 cmp %r10,%rbx # context->Rip>=.Lcbc_abort
960 jae .Lin_cbc_prologue
961
962 # handle pushf/popf in Camellia_cbc_encrypt
963 lea .Lcbc_enc_pushf(%rip),%r10
964 cmp %r10,%rbx # context->Rip<=.Lcbc_enc_pushf
965 jbe .Lin_cbc_no_flag
966 lea 8(%rax),%rax
967 lea .Lcbc_enc_popf(%rip),%r10
968 cmp %r10,%rbx # context->Rip<.Lcbc_enc_popf
969 jb .Lin_cbc_no_flag
970 lea -8(%rax),%rax
971 lea .Lcbc_dec_pushf(%rip),%r10
972 cmp %r10,%rbx # context->Rip<=.Lcbc_dec_pushf
973 jbe .Lin_cbc_no_flag
974 lea 8(%rax),%rax
975 lea .Lcbc_dec_popf(%rip),%r10
976 cmp %r10,%rbx # context->Rip<.Lcbc_dec_popf
977 jb .Lin_cbc_no_flag
978 lea -8(%rax),%rax
979
980.Lin_cbc_no_flag:
981 mov 48(%rax),%rax # $_rsp
982 lea 48(%rax),%rax
983
984.Lin_cbc_frame_setup:
985 mov -8(%rax),%rbx
986 mov -16(%rax),%rbp
987 mov -24(%rax),%r12
988 mov -32(%rax),%r13
989 mov -40(%rax),%r14
990 mov -48(%rax),%r15
991 mov %rbx,144($context) # restore context->Rbx
992 mov %rbp,160($context) # restore context->Rbp
993 mov %r12,216($context) # restore context->R12
994 mov %r13,224($context) # restore context->R13
995 mov %r14,232($context) # restore context->R14
996 mov %r15,240($context) # restore context->R15
997
998.Lin_cbc_prologue:
999 mov 8(%rax),%rdi
1000 mov 16(%rax),%rsi
1001 mov %rax,152($context) # restore context->Rsp
1002 mov %rsi,168($context) # restore context->Rsi
1003 mov %rdi,176($context) # restore context->Rdi
1004
1005.align 4
1006.Lcommon_seh_exit:
1007
1008 mov 40($disp),%rdi # disp->ContextRecord
1009 mov $context,%rsi # context
1010 mov \$`1232/8`,%ecx # sizeof(CONTEXT)
1011 .long 0xa548f3fc # cld; rep movsq
1012
1013 mov $disp,%rsi
1014 xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER
1015 mov 8(%rsi),%rdx # arg2, disp->ImageBase
1016 mov 0(%rsi),%r8 # arg3, disp->ControlPc
1017 mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
1018 mov 40(%rsi),%r10 # disp->ContextRecord
1019 lea 56(%rsi),%r11 # &disp->HandlerData
1020 lea 24(%rsi),%r12 # &disp->EstablisherFrame
1021 mov %r10,32(%rsp) # arg5
1022 mov %r11,40(%rsp) # arg6
1023 mov %r12,48(%rsp) # arg7
1024 mov %rcx,56(%rsp) # arg8, (NULL)
1025 call *__imp_RtlVirtualUnwind(%rip)
1026
1027 mov \$1,%eax # ExceptionContinueSearch
1028 lea 64(%rsp),%rsp
1029 popfq
1030 pop %r15
1031 pop %r14
1032 pop %r13
1033 pop %r12
1034 pop %rbp
1035 pop %rbx
1036 pop %rdi
1037 pop %rsi
1038 ret
1039.size cbc_se_handler,.-cbc_se_handler
1040
1041.section .pdata
1042.align 4
1043 .rva .LSEH_begin_Camellia_EncryptBlock_Rounds
1044 .rva .LSEH_end_Camellia_EncryptBlock_Rounds
1045 .rva .LSEH_info_Camellia_EncryptBlock_Rounds
1046
1047 .rva .LSEH_begin_Camellia_DecryptBlock_Rounds
1048 .rva .LSEH_end_Camellia_DecryptBlock_Rounds
1049 .rva .LSEH_info_Camellia_DecryptBlock_Rounds
1050
1051 .rva .LSEH_begin_Camellia_Ekeygen
1052 .rva .LSEH_end_Camellia_Ekeygen
1053 .rva .LSEH_info_Camellia_Ekeygen
1054
1055 .rva .LSEH_begin_Camellia_cbc_encrypt
1056 .rva .LSEH_end_Camellia_cbc_encrypt
1057 .rva .LSEH_info_Camellia_cbc_encrypt
1058
1059.section .xdata
1060.align 8
1061.LSEH_info_Camellia_EncryptBlock_Rounds:
1062 .byte 9,0,0,0
1063 .rva common_se_handler
1064 .rva .Lenc_prologue,.Lenc_epilogue # HandlerData[]
1065.LSEH_info_Camellia_DecryptBlock_Rounds:
1066 .byte 9,0,0,0
1067 .rva common_se_handler
1068 .rva .Ldec_prologue,.Ldec_epilogue # HandlerData[]
1069.LSEH_info_Camellia_Ekeygen:
1070 .byte 9,0,0,0
1071 .rva common_se_handler
1072 .rva .Lkey_prologue,.Lkey_epilogue # HandlerData[]
1073.LSEH_info_Camellia_cbc_encrypt:
1074 .byte 9,0,0,0
1075 .rva cbc_se_handler
1076___
1077}
1078
1079$code =~ s/\`([^\`]*)\`/eval $1/gem;
1080print $code;
1081close STDOUT;
diff --git a/src/lib/libcrypto/camellia/camellia.c b/src/lib/libcrypto/camellia/camellia.c
deleted file mode 100644
index 75fc8991c0..0000000000
--- a/src/lib/libcrypto/camellia/camellia.c
+++ /dev/null
@@ -1,582 +0,0 @@
1/* crypto/camellia/camellia.c -*- mode:C; c-file-style: "eay" -*- */
2/* ====================================================================
3 * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) .
4 * ALL RIGHTS RESERVED.
5 *
6 * Intellectual Property information for Camellia:
7 * http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
8 *
9 * News Release for Announcement of Camellia open source:
10 * http://www.ntt.co.jp/news/news06e/0604/060413a.html
11 *
12 * The Camellia Code included herein is developed by
13 * NTT (Nippon Telegraph and Telephone Corporation), and is contributed
14 * to the OpenSSL project.
15 *
16 * The Camellia Code is licensed pursuant to the OpenSSL open source
17 * license provided below.
18 */
19/* ====================================================================
20 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 *
26 * 1. Redistributions of source code must retain the above copyright
27 * notice, this list of conditions and the following disclaimer.
28 *
29 * 2. Redistributions in binary form must reproduce the above copyright
30 * notice, this list of conditions and the following disclaimer in
31 * the documentation and/or other materials provided with the
32 * distribution.
33 *
34 * 3. All advertising materials mentioning features or use of this
35 * software must display the following acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
38 *
39 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
40 * endorse or promote products derived from this software without
41 * prior written permission. For written permission, please contact
42 * openssl-core@openssl.org.
43 *
44 * 5. Products derived from this software may not be called "OpenSSL"
45 * nor may "OpenSSL" appear in their names without prior written
46 * permission of the OpenSSL Project.
47 *
48 * 6. Redistributions of any form whatsoever must retain the following
49 * acknowledgment:
50 * "This product includes software developed by the OpenSSL Project
51 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
54 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
56 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
57 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
58 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
59 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
60 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
61 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
62 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
63 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
64 * OF THE POSSIBILITY OF SUCH DAMAGE.
65 * ====================================================================
66 */
67
68/* Algorithm Specification
69 http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
70*/
71
72/*
73 * This release balances code size and performance. In particular key
74 * schedule setup is fully unrolled, because doing so *significantly*
75 * reduces amount of instructions per setup round and code increase is
76 * justifiable. In block functions on the other hand only inner loops
77 * are unrolled, as full unroll gives only nominal performance boost,
78 * while code size grows 4 or 7 times. Also, unlike previous versions
79 * this one "encourages" compiler to keep intermediate variables in
80 * registers, which should give better "all round" results, in other
81 * words reasonable performance even with not so modern compilers.
82 */
83
84#include "camellia.h"
85#include "cmll_locl.h"
86#include <string.h>
87#include <stdlib.h>
88
89/* 32-bit rotations */
90#if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
91# if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64))
92# define RightRotate(x, s) _lrotr(x, s)
93# define LeftRotate(x, s) _lrotl(x, s)
94# if _MSC_VER >= 1400
95# define SWAP(x) _byteswap_ulong(x)
96# else
97# define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
98# endif
99# define GETU32(p) SWAP(*((u32 *)(p)))
100# define PUTU32(p,v) (*((u32 *)(p)) = SWAP((v)))
101# elif defined(__GNUC__) && __GNUC__>=2
102# if defined(__i386) || defined(__x86_64)
103# define RightRotate(x,s) ({u32 ret; asm ("rorl %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; })
104# define LeftRotate(x,s) ({u32 ret; asm ("roll %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; })
105# if defined(B_ENDIAN) /* stratus.com does it */
106# define GETU32(p) (*(u32 *)(p))
107# define PUTU32(p,v) (*(u32 *)(p)=(v))
108# else
109# define GETU32(p) ({u32 r=*(const u32 *)(p); asm("bswapl %0":"=r"(r):"0"(r)); r; })
110# define PUTU32(p,v) ({u32 r=(v); asm("bswapl %0":"=r"(r):"0"(r)); *(u32 *)(p)=r; })
111# endif
112# elif defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \
113 defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__)
114# define LeftRotate(x,s) ({u32 ret; asm ("rlwinm %0,%1,%2,0,31":"=r"(ret):"r"(x),"I"(s)); ret; })
115# define RightRotate(x,s) LeftRotate(x,(32-s))
116# elif defined(__s390x__)
117# define LeftRotate(x,s) ({u32 ret; asm ("rll %0,%1,%2":"=r"(ret):"r"(x),"I"(s)); ret; })
118# define RightRotate(x,s) LeftRotate(x,(32-s))
119# define GETU32(p) (*(u32 *)(p))
120# define PUTU32(p,v) (*(u32 *)(p)=(v))
121# endif
122# endif
123#endif
124
125#if !defined(RightRotate) && !defined(LeftRotate)
126# define RightRotate(x, s) ( ((x) >> (s)) + ((x) << (32 - s)) )
127# define LeftRotate(x, s) ( ((x) << (s)) + ((x) >> (32 - s)) )
128#endif
129
130#if !defined(GETU32) && !defined(PUTU32)
131# define GETU32(p) (((u32)(p)[0] << 24) ^ ((u32)(p)[1] << 16) ^ ((u32)(p)[2] << 8) ^ ((u32)(p)[3]))
132# define PUTU32(p,v) ((p)[0] = (u8)((v) >> 24), (p)[1] = (u8)((v) >> 16), (p)[2] = (u8)((v) >> 8), (p)[3] = (u8)(v))
133#endif
134
135/* S-box data */
136#define SBOX1_1110 Camellia_SBOX[0]
137#define SBOX4_4404 Camellia_SBOX[1]
138#define SBOX2_0222 Camellia_SBOX[2]
139#define SBOX3_3033 Camellia_SBOX[3]
140static const u32 Camellia_SBOX[][256] = {
141{ 0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00, 0xb3b3b300, 0x27272700,
142 0xc0c0c000, 0xe5e5e500, 0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
143 0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100, 0x23232300, 0xefefef00,
144 0x6b6b6b00, 0x93939300, 0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
145 0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00, 0x1d1d1d00, 0x65656500,
146 0x92929200, 0xbdbdbd00, 0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
147 0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00, 0x3e3e3e00, 0x30303000,
148 0xdcdcdc00, 0x5f5f5f00, 0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
149 0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00, 0xd5d5d500, 0x47474700,
150 0x5d5d5d00, 0x3d3d3d00, 0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
151 0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00, 0x8b8b8b00, 0x0d0d0d00,
152 0x9a9a9a00, 0x66666600, 0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
153 0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000, 0xf0f0f000, 0xb1b1b100,
154 0x84848400, 0x99999900, 0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
155 0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500, 0x6d6d6d00, 0xb7b7b700,
156 0xa9a9a900, 0x31313100, 0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
157 0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100, 0xdedede00, 0x1b1b1b00,
158 0x11111100, 0x1c1c1c00, 0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
159 0x53535300, 0x18181800, 0xf2f2f200, 0x22222200, 0xfefefe00, 0x44444400,
160 0xcfcfcf00, 0xb2b2b200, 0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
161 0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800, 0x60606000, 0xfcfcfc00,
162 0x69696900, 0x50505000, 0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
163 0xa1a1a100, 0x89898900, 0x62626200, 0x97979700, 0x54545400, 0x5b5b5b00,
164 0x1e1e1e00, 0x95959500, 0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
165 0x10101000, 0xc4c4c400, 0x00000000, 0x48484800, 0xa3a3a300, 0xf7f7f700,
166 0x75757500, 0xdbdbdb00, 0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
167 0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400, 0x87878700, 0x5c5c5c00,
168 0x83838300, 0x02020200, 0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
169 0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300, 0x9d9d9d00, 0x7f7f7f00,
170 0xbfbfbf00, 0xe2e2e200, 0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
171 0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00, 0x81818100, 0x96969600,
172 0x6f6f6f00, 0x4b4b4b00, 0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
173 0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00, 0x9f9f9f00, 0x6e6e6e00,
174 0xbcbcbc00, 0x8e8e8e00, 0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
175 0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900, 0x78787800, 0x98989800,
176 0x06060600, 0x6a6a6a00, 0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
177 0xd4d4d400, 0x25252500, 0xababab00, 0x42424200, 0x88888800, 0xa2a2a200,
178 0x8d8d8d00, 0xfafafa00, 0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
179 0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00, 0x36363600, 0x49494900,
180 0x2a2a2a00, 0x68686800, 0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
181 0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00, 0xbbbbbb00, 0xc9c9c900,
182 0x43434300, 0xc1c1c100, 0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
183 0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00 },
184{ 0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0, 0xe4e400e4, 0x57570057,
185 0xeaea00ea, 0xaeae00ae, 0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
186 0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092, 0x86860086, 0xafaf00af,
187 0x7c7c007c, 0x1f1f001f, 0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
188 0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d, 0xd9d900d9, 0x5a5a005a,
189 0x51510051, 0x6c6c006c, 0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
190 0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084, 0xdfdf00df, 0xcbcb00cb,
191 0x34340034, 0x76760076, 0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
192 0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011, 0x32320032, 0x9c9c009c,
193 0x53530053, 0xf2f200f2, 0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
194 0x24240024, 0xe8e800e8, 0x60600060, 0x69690069, 0xaaaa00aa, 0xa0a000a0,
195 0xa1a100a1, 0x62620062, 0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
196 0x10100010, 0x00000000, 0xa3a300a3, 0x75750075, 0x8a8a008a, 0xe6e600e6,
197 0x09090009, 0xdddd00dd, 0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
198 0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf, 0x52520052, 0xd8d800d8,
199 0xc8c800c8, 0xc6c600c6, 0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
200 0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc, 0x29290029, 0xf9f900f9,
201 0x2f2f002f, 0xb4b400b4, 0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
202 0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d, 0x72720072, 0xb9b900b9,
203 0xf8f800f8, 0xacac00ac, 0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
204 0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043, 0x15150015, 0xadad00ad,
205 0x77770077, 0x80800080, 0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
206 0x85850085, 0x35350035, 0x0c0c000c, 0x41410041, 0xefef00ef, 0x93930093,
207 0x19190019, 0x21210021, 0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
208 0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce, 0x30300030, 0x5f5f005f,
209 0xc5c500c5, 0x1a1a001a, 0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
210 0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d, 0x0d0d000d, 0x66660066,
211 0xcccc00cc, 0x2d2d002d, 0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
212 0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005, 0xb7b700b7, 0x31310031,
213 0x17170017, 0xd7d700d7, 0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
214 0x0f0f000f, 0x16160016, 0x18180018, 0x22220022, 0x44440044, 0xb2b200b2,
215 0xb5b500b5, 0x91910091, 0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
216 0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097, 0x5b5b005b, 0x95950095,
217 0xffff00ff, 0xd2d200d2, 0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
218 0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094, 0x5c5c005c, 0x02020002,
219 0x4a4a004a, 0x33330033, 0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
220 0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b, 0x96960096, 0x4b4b004b,
221 0xbebe00be, 0x2e2e002e, 0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
222 0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059, 0x98980098, 0x6a6a006a,
223 0x46460046, 0xbaba00ba, 0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
224 0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a, 0x49490049, 0x68680068,
225 0x38380038, 0xa4a400a4, 0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
226 0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e },
227{ 0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9, 0x00676767, 0x004e4e4e,
228 0x00818181, 0x00cbcbcb, 0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
229 0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282, 0x00464646, 0x00dfdfdf,
230 0x00d6d6d6, 0x00272727, 0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
231 0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c, 0x003a3a3a, 0x00cacaca,
232 0x00252525, 0x007b7b7b, 0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
233 0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d, 0x007c7c7c, 0x00606060,
234 0x00b9b9b9, 0x00bebebe, 0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
235 0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595, 0x00ababab, 0x008e8e8e,
236 0x00bababa, 0x007a7a7a, 0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
237 0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a, 0x00171717, 0x001a1a1a,
238 0x00353535, 0x00cccccc, 0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
239 0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040, 0x00e1e1e1, 0x00636363,
240 0x00090909, 0x00333333, 0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
241 0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a, 0x00dadada, 0x006f6f6f,
242 0x00535353, 0x00626262, 0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
243 0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2, 0x00bdbdbd, 0x00363636,
244 0x00222222, 0x00383838, 0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
245 0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444, 0x00fdfdfd, 0x00888888,
246 0x009f9f9f, 0x00656565, 0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
247 0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151, 0x00c0c0c0, 0x00f9f9f9,
248 0x00d2d2d2, 0x00a0a0a0, 0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
249 0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f, 0x00a8a8a8, 0x00b6b6b6,
250 0x003c3c3c, 0x002b2b2b, 0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
251 0x00202020, 0x00898989, 0x00000000, 0x00909090, 0x00474747, 0x00efefef,
252 0x00eaeaea, 0x00b7b7b7, 0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
253 0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929, 0x000f0f0f, 0x00b8b8b8,
254 0x00070707, 0x00040404, 0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
255 0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7, 0x003b3b3b, 0x00fefefe,
256 0x007f7f7f, 0x00c5c5c5, 0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
257 0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676, 0x00030303, 0x002d2d2d,
258 0x00dedede, 0x00969696, 0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
259 0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919, 0x003f3f3f, 0x00dcdcdc,
260 0x00797979, 0x001d1d1d, 0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
261 0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2, 0x00f0f0f0, 0x00313131,
262 0x000c0c0c, 0x00d4d4d4, 0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
263 0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484, 0x00111111, 0x00454545,
264 0x001b1b1b, 0x00f5f5f5, 0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
265 0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414, 0x006c6c6c, 0x00929292,
266 0x00545454, 0x00d0d0d0, 0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
267 0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6, 0x00777777, 0x00939393,
268 0x00868686, 0x00838383, 0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
269 0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d },
270{ 0x38003838, 0x41004141, 0x16001616, 0x76007676, 0xd900d9d9, 0x93009393,
271 0x60006060, 0xf200f2f2, 0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
272 0x75007575, 0x06000606, 0x57005757, 0xa000a0a0, 0x91009191, 0xf700f7f7,
273 0xb500b5b5, 0xc900c9c9, 0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
274 0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727, 0x8e008e8e, 0xb200b2b2,
275 0x49004949, 0xde00dede, 0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
276 0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767, 0x1f001f1f, 0x18001818,
277 0x6e006e6e, 0xaf00afaf, 0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
278 0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565, 0xea00eaea, 0xa300a3a3,
279 0xae00aeae, 0x9e009e9e, 0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
280 0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6, 0xc500c5c5, 0x86008686,
281 0x4d004d4d, 0x33003333, 0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
282 0x3a003a3a, 0x09000909, 0x95009595, 0x10001010, 0x78007878, 0xd800d8d8,
283 0x42004242, 0xcc00cccc, 0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
284 0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282, 0xb600b6b6, 0xdb00dbdb,
285 0xd400d4d4, 0x98009898, 0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
286 0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0, 0x6f006f6f, 0x8d008d8d,
287 0x88008888, 0x0e000e0e, 0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
288 0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111, 0x7f007f7f, 0x22002222,
289 0xe700e7e7, 0x59005959, 0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
290 0x12001212, 0x04000404, 0x74007474, 0x54005454, 0x30003030, 0x7e007e7e,
291 0xb400b4b4, 0x28002828, 0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
292 0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb, 0x2a002a2a, 0xad00adad,
293 0x0f000f0f, 0xca00caca, 0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
294 0x08000808, 0x62006262, 0x00000000, 0x24002424, 0xd100d1d1, 0xfb00fbfb,
295 0xba00baba, 0xed00eded, 0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
296 0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a, 0xc300c3c3, 0x2e002e2e,
297 0xc100c1c1, 0x01000101, 0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
298 0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9, 0xce00cece, 0xbf00bfbf,
299 0xdf00dfdf, 0x71007171, 0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
300 0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d, 0xc000c0c0, 0x4b004b4b,
301 0xb700b7b7, 0xa500a5a5, 0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
302 0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646, 0xcf00cfcf, 0x37003737,
303 0x5e005e5e, 0x47004747, 0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
304 0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac, 0x3c003c3c, 0x4c004c4c,
305 0x03000303, 0x35003535, 0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
306 0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121, 0x44004444, 0x51005151,
307 0xc600c6c6, 0x7d007d7d, 0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
308 0x7c007c7c, 0x77007777, 0x56005656, 0x05000505, 0x1b001b1b, 0xa400a4a4,
309 0x15001515, 0x34003434, 0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
310 0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd, 0xdd00dddd, 0xe400e4e4,
311 0xa100a1a1, 0xe000e0e0, 0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
312 0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f }
313};
314
315/* Key generation constants */
316static const u32 SIGMA[] = {
317 0xa09e667f, 0x3bcc908b, 0xb67ae858, 0x4caa73b2, 0xc6ef372f, 0xe94f82be,
318 0x54ff53a5, 0xf1d36f1c, 0x10e527fa, 0xde682d1d, 0xb05688c2, 0xb3e6c1fd
319};
320
321/* The phi algorithm given in C.2.7 of the Camellia spec document. */
322/*
323 * This version does not attempt to minimize amount of temporary
324 * variables, but instead explicitly exposes algorithm's parallelism.
325 * It is therefore most appropriate for platforms with not less than
326 * ~16 registers. For platforms with less registers [well, x86 to be
327 * specific] assembler version should be/is provided anyway...
328 */
329#define Camellia_Feistel(_s0,_s1,_s2,_s3,_key) do {\
330 register u32 _t0,_t1,_t2,_t3;\
331\
332 _t0 = _s0 ^ (_key)[0];\
333 _t3 = SBOX4_4404[_t0&0xff];\
334 _t1 = _s1 ^ (_key)[1];\
335 _t3 ^= SBOX3_3033[(_t0 >> 8)&0xff];\
336 _t2 = SBOX1_1110[_t1&0xff];\
337 _t3 ^= SBOX2_0222[(_t0 >> 16)&0xff];\
338 _t2 ^= SBOX4_4404[(_t1 >> 8)&0xff];\
339 _t3 ^= SBOX1_1110[(_t0 >> 24)];\
340 _t2 ^= _t3;\
341 _t3 = RightRotate(_t3,8);\
342 _t2 ^= SBOX3_3033[(_t1 >> 16)&0xff];\
343 _s3 ^= _t3;\
344 _t2 ^= SBOX2_0222[(_t1 >> 24)];\
345 _s2 ^= _t2; \
346 _s3 ^= _t2;\
347} while(0)
348
349/*
350 * Note that n has to be less than 32. Rotations for larger amount
351 * of bits are achieved by "rotating" order of s-elements and
352 * adjusting n accordingly, e.g. RotLeft128(s1,s2,s3,s0,n-32).
353 */
354#define RotLeft128(_s0,_s1,_s2,_s3,_n) do {\
355 u32 _t0=_s0>>(32-_n);\
356 _s0 = (_s0<<_n) | (_s1>>(32-_n));\
357 _s1 = (_s1<<_n) | (_s2>>(32-_n));\
358 _s2 = (_s2<<_n) | (_s3>>(32-_n));\
359 _s3 = (_s3<<_n) | _t0;\
360} while (0)
361
362int Camellia_Ekeygen(int keyBitLength, const u8 *rawKey, KEY_TABLE_TYPE k)
363 {
364 register u32 s0,s1,s2,s3;
365
366 k[0] = s0 = GETU32(rawKey);
367 k[1] = s1 = GETU32(rawKey+4);
368 k[2] = s2 = GETU32(rawKey+8);
369 k[3] = s3 = GETU32(rawKey+12);
370
371 if (keyBitLength != 128)
372 {
373 k[8] = s0 = GETU32(rawKey+16);
374 k[9] = s1 = GETU32(rawKey+20);
375 if (keyBitLength == 192)
376 {
377 k[10] = s2 = ~s0;
378 k[11] = s3 = ~s1;
379 }
380 else
381 {
382 k[10] = s2 = GETU32(rawKey+24);
383 k[11] = s3 = GETU32(rawKey+28);
384 }
385 s0 ^= k[0], s1 ^= k[1], s2 ^= k[2], s3 ^= k[3];
386 }
387
388 /* Use the Feistel routine to scramble the key material */
389 Camellia_Feistel(s0,s1,s2,s3,SIGMA+0);
390 Camellia_Feistel(s2,s3,s0,s1,SIGMA+2);
391
392 s0 ^= k[0], s1 ^= k[1], s2 ^= k[2], s3 ^= k[3];
393 Camellia_Feistel(s0,s1,s2,s3,SIGMA+4);
394 Camellia_Feistel(s2,s3,s0,s1,SIGMA+6);
395
396 /* Fill the keyTable. Requires many block rotations. */
397 if (keyBitLength == 128)
398 {
399 k[ 4] = s0, k[ 5] = s1, k[ 6] = s2, k[ 7] = s3;
400 RotLeft128(s0,s1,s2,s3,15); /* KA <<< 15 */
401 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
402 RotLeft128(s0,s1,s2,s3,15); /* KA <<< 30 */
403 k[16] = s0, k[17] = s1, k[18] = s2, k[19] = s3;
404 RotLeft128(s0,s1,s2,s3,15); /* KA <<< 45 */
405 k[24] = s0, k[25] = s1;
406 RotLeft128(s0,s1,s2,s3,15); /* KA <<< 60 */
407 k[28] = s0, k[29] = s1, k[30] = s2, k[31] = s3;
408 RotLeft128(s1,s2,s3,s0,2); /* KA <<< 94 */
409 k[40] = s1, k[41] = s2, k[42] = s3, k[43] = s0;
410 RotLeft128(s1,s2,s3,s0,17); /* KA <<<111 */
411 k[48] = s1, k[49] = s2, k[50] = s3, k[51] = s0;
412
413 s0 = k[ 0], s1 = k[ 1], s2 = k[ 2], s3 = k[ 3];
414 RotLeft128(s0,s1,s2,s3,15); /* KL <<< 15 */
415 k[ 8] = s0, k[ 9] = s1, k[10] = s2, k[11] = s3;
416 RotLeft128(s0,s1,s2,s3,30); /* KL <<< 45 */
417 k[20] = s0, k[21] = s1, k[22] = s2, k[23] = s3;
418 RotLeft128(s0,s1,s2,s3,15); /* KL <<< 60 */
419 k[26] = s2, k[27] = s3;
420 RotLeft128(s0,s1,s2,s3,17); /* KL <<< 77 */
421 k[32] = s0, k[33] = s1, k[34] = s2, k[35] = s3;
422 RotLeft128(s0,s1,s2,s3,17); /* KL <<< 94 */
423 k[36] = s0, k[37] = s1, k[38] = s2, k[39] = s3;
424 RotLeft128(s0,s1,s2,s3,17); /* KL <<<111 */
425 k[44] = s0, k[45] = s1, k[46] = s2, k[47] = s3;
426
427 return 3; /* grand rounds */
428 }
429 else
430 {
431 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
432 s0 ^= k[8], s1 ^= k[9], s2 ^=k[10], s3 ^=k[11];
433 Camellia_Feistel(s0,s1,s2,s3,(SIGMA+8));
434 Camellia_Feistel(s2,s3,s0,s1,(SIGMA+10));
435
436 k[ 4] = s0, k[ 5] = s1, k[ 6] = s2, k[ 7] = s3;
437 RotLeft128(s0,s1,s2,s3,30); /* KB <<< 30 */
438 k[20] = s0, k[21] = s1, k[22] = s2, k[23] = s3;
439 RotLeft128(s0,s1,s2,s3,30); /* KB <<< 60 */
440 k[40] = s0, k[41] = s1, k[42] = s2, k[43] = s3;
441 RotLeft128(s1,s2,s3,s0,19); /* KB <<<111 */
442 k[64] = s1, k[65] = s2, k[66] = s3, k[67] = s0;
443
444 s0 = k[ 8], s1 = k[ 9], s2 = k[10], s3 = k[11];
445 RotLeft128(s0,s1,s2,s3,15); /* KR <<< 15 */
446 k[ 8] = s0, k[ 9] = s1, k[10] = s2, k[11] = s3;
447 RotLeft128(s0,s1,s2,s3,15); /* KR <<< 30 */
448 k[16] = s0, k[17] = s1, k[18] = s2, k[19] = s3;
449 RotLeft128(s0,s1,s2,s3,30); /* KR <<< 60 */
450 k[36] = s0, k[37] = s1, k[38] = s2, k[39] = s3;
451 RotLeft128(s1,s2,s3,s0,2); /* KR <<< 94 */
452 k[52] = s1, k[53] = s2, k[54] = s3, k[55] = s0;
453
454 s0 = k[12], s1 = k[13], s2 = k[14], s3 = k[15];
455 RotLeft128(s0,s1,s2,s3,15); /* KA <<< 15 */
456 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
457 RotLeft128(s0,s1,s2,s3,30); /* KA <<< 45 */
458 k[28] = s0, k[29] = s1, k[30] = s2, k[31] = s3;
459 /* KA <<< 77 */
460 k[48] = s1, k[49] = s2, k[50] = s3, k[51] = s0;
461 RotLeft128(s1,s2,s3,s0,17); /* KA <<< 94 */
462 k[56] = s1, k[57] = s2, k[58] = s3, k[59] = s0;
463
464 s0 = k[ 0], s1 = k[ 1], s2 = k[ 2], s3 = k[ 3];
465 RotLeft128(s1,s2,s3,s0,13); /* KL <<< 45 */
466 k[24] = s1, k[25] = s2, k[26] = s3, k[27] = s0;
467 RotLeft128(s1,s2,s3,s0,15); /* KL <<< 60 */
468 k[32] = s1, k[33] = s2, k[34] = s3, k[35] = s0;
469 RotLeft128(s1,s2,s3,s0,17); /* KL <<< 77 */
470 k[44] = s1, k[45] = s2, k[46] = s3, k[47] = s0;
471 RotLeft128(s2,s3,s0,s1,2); /* KL <<<111 */
472 k[60] = s2, k[61] = s3, k[62] = s0, k[63] = s1;
473
474 return 4; /* grand rounds */
475 }
476 /*
477 * It is possible to perform certain precalculations, which
478 * would spare few cycles in block procedure. It's not done,
479 * because it upsets the performance balance between key
480 * setup and block procedures, negatively affecting overall
481 * throughput in applications operating on short messages
482 * and volatile keys.
483 */
484 }
485
486void Camellia_EncryptBlock_Rounds(int grandRounds, const u8 plaintext[],
487 const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
488 {
489 register u32 s0,s1,s2,s3;
490 const u32 *k = keyTable,*kend = keyTable+grandRounds*16;
491
492 s0 = GETU32(plaintext) ^ k[0];
493 s1 = GETU32(plaintext+4) ^ k[1];
494 s2 = GETU32(plaintext+8) ^ k[2];
495 s3 = GETU32(plaintext+12) ^ k[3];
496 k += 4;
497
498 while (1)
499 {
500 /* Camellia makes 6 Feistel rounds */
501 Camellia_Feistel(s0,s1,s2,s3,k+0);
502 Camellia_Feistel(s2,s3,s0,s1,k+2);
503 Camellia_Feistel(s0,s1,s2,s3,k+4);
504 Camellia_Feistel(s2,s3,s0,s1,k+6);
505 Camellia_Feistel(s0,s1,s2,s3,k+8);
506 Camellia_Feistel(s2,s3,s0,s1,k+10);
507 k += 12;
508
509 if (k == kend) break;
510
511 /* This is the same function as the diffusion function D
512 * of the accompanying documentation. See section 3.2
513 * for properties of the FLlayer function. */
514 s1 ^= LeftRotate(s0 & k[0], 1);
515 s2 ^= s3 | k[3];
516 s0 ^= s1 | k[1];
517 s3 ^= LeftRotate(s2 & k[2], 1);
518 k += 4;
519 }
520
521 s2 ^= k[0], s3 ^= k[1], s0 ^= k[2], s1 ^= k[3];
522
523 PUTU32(ciphertext, s2);
524 PUTU32(ciphertext+4, s3);
525 PUTU32(ciphertext+8, s0);
526 PUTU32(ciphertext+12,s1);
527 }
528void Camellia_EncryptBlock(int keyBitLength, const u8 plaintext[],
529 const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
530 {
531 Camellia_EncryptBlock_Rounds(keyBitLength==128?3:4,
532 plaintext,keyTable,ciphertext);
533 }
534
535void Camellia_DecryptBlock_Rounds(int grandRounds, const u8 ciphertext[],
536 const KEY_TABLE_TYPE keyTable, u8 plaintext[])
537 {
538 u32 s0,s1,s2,s3;
539 const u32 *k = keyTable+grandRounds*16,*kend = keyTable+4;
540
541 s0 = GETU32(ciphertext) ^ k[0];
542 s1 = GETU32(ciphertext+4) ^ k[1];
543 s2 = GETU32(ciphertext+8) ^ k[2];
544 s3 = GETU32(ciphertext+12) ^ k[3];
545
546 while (1)
547 {
548 /* Camellia makes 6 Feistel rounds */
549 k -= 12;
550 Camellia_Feistel(s0,s1,s2,s3,k+10);
551 Camellia_Feistel(s2,s3,s0,s1,k+8);
552 Camellia_Feistel(s0,s1,s2,s3,k+6);
553 Camellia_Feistel(s2,s3,s0,s1,k+4);
554 Camellia_Feistel(s0,s1,s2,s3,k+2);
555 Camellia_Feistel(s2,s3,s0,s1,k+0);
556
557 if (k == kend) break;
558
559 /* This is the same function as the diffusion function D
560 * of the accompanying documentation. See section 3.2
561 * for properties of the FLlayer function. */
562 k -= 4;
563 s1 ^= LeftRotate(s0 & k[2], 1);
564 s2 ^= s3 | k[1];
565 s0 ^= s1 | k[3];
566 s3 ^= LeftRotate(s2 & k[0], 1);
567 }
568
569 k -= 4;
570 s2 ^= k[0], s3 ^= k[1], s0 ^= k[2], s1 ^= k[3];
571
572 PUTU32(plaintext, s2);
573 PUTU32(plaintext+4, s3);
574 PUTU32(plaintext+8, s0);
575 PUTU32(plaintext+12,s1);
576 }
577void Camellia_DecryptBlock(int keyBitLength, const u8 plaintext[],
578 const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
579 {
580 Camellia_DecryptBlock_Rounds(keyBitLength==128?3:4,
581 plaintext,keyTable,ciphertext);
582 }
diff --git a/src/lib/libcrypto/camellia/camellia.h b/src/lib/libcrypto/camellia/camellia.h
deleted file mode 100644
index 67911e0adf..0000000000
--- a/src/lib/libcrypto/camellia/camellia.h
+++ /dev/null
@@ -1,130 +0,0 @@
1/* crypto/camellia/camellia.h -*- mode:C; c-file-style: "eay" -*- */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52#ifndef HEADER_CAMELLIA_H
53#define HEADER_CAMELLIA_H
54
55#include <openssl/opensslconf.h>
56
57#ifdef OPENSSL_NO_CAMELLIA
58#error CAMELLIA is disabled.
59#endif
60
61#include <stddef.h>
62
63#define CAMELLIA_ENCRYPT 1
64#define CAMELLIA_DECRYPT 0
65
66/* Because array size can't be a const in C, the following two are macros.
67 Both sizes are in bytes. */
68
69#ifdef __cplusplus
70extern "C" {
71#endif
72
73/* This should be a hidden type, but EVP requires that the size be known */
74
75#define CAMELLIA_BLOCK_SIZE 16
76#define CAMELLIA_TABLE_BYTE_LEN 272
77#define CAMELLIA_TABLE_WORD_LEN (CAMELLIA_TABLE_BYTE_LEN / 4)
78
79typedef unsigned int KEY_TABLE_TYPE[CAMELLIA_TABLE_WORD_LEN]; /* to match with WORD */
80
81struct camellia_key_st
82 {
83 union {
84 double d; /* ensures 64-bit align */
85 KEY_TABLE_TYPE rd_key;
86 } u;
87 int grand_rounds;
88 };
89typedef struct camellia_key_st CAMELLIA_KEY;
90
91#ifdef OPENSSL_FIPS
92int private_Camellia_set_key(const unsigned char *userKey, const int bits,
93 CAMELLIA_KEY *key);
94#endif
95int Camellia_set_key(const unsigned char *userKey, const int bits,
96 CAMELLIA_KEY *key);
97
98void Camellia_encrypt(const unsigned char *in, unsigned char *out,
99 const CAMELLIA_KEY *key);
100void Camellia_decrypt(const unsigned char *in, unsigned char *out,
101 const CAMELLIA_KEY *key);
102
103void Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out,
104 const CAMELLIA_KEY *key, const int enc);
105void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out,
106 size_t length, const CAMELLIA_KEY *key,
107 unsigned char *ivec, const int enc);
108void Camellia_cfb128_encrypt(const unsigned char *in, unsigned char *out,
109 size_t length, const CAMELLIA_KEY *key,
110 unsigned char *ivec, int *num, const int enc);
111void Camellia_cfb1_encrypt(const unsigned char *in, unsigned char *out,
112 size_t length, const CAMELLIA_KEY *key,
113 unsigned char *ivec, int *num, const int enc);
114void Camellia_cfb8_encrypt(const unsigned char *in, unsigned char *out,
115 size_t length, const CAMELLIA_KEY *key,
116 unsigned char *ivec, int *num, const int enc);
117void Camellia_ofb128_encrypt(const unsigned char *in, unsigned char *out,
118 size_t length, const CAMELLIA_KEY *key,
119 unsigned char *ivec, int *num);
120void Camellia_ctr128_encrypt(const unsigned char *in, unsigned char *out,
121 size_t length, const CAMELLIA_KEY *key,
122 unsigned char ivec[CAMELLIA_BLOCK_SIZE],
123 unsigned char ecount_buf[CAMELLIA_BLOCK_SIZE],
124 unsigned int *num);
125
126#ifdef __cplusplus
127}
128#endif
129
130#endif /* !HEADER_Camellia_H */
diff --git a/src/lib/libcrypto/camellia/cmll_cbc.c b/src/lib/libcrypto/camellia/cmll_cbc.c
deleted file mode 100644
index 4c8d455ade..0000000000
--- a/src/lib/libcrypto/camellia/cmll_cbc.c
+++ /dev/null
@@ -1,64 +0,0 @@
1/* crypto/camellia/camellia_cbc.c -*- mode:C; c-file-style: "eay" -*- */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52#include <openssl/camellia.h>
53#include <openssl/modes.h>
54
55void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out,
56 size_t len, const CAMELLIA_KEY *key,
57 unsigned char *ivec, const int enc)
58 {
59
60 if (enc)
61 CRYPTO_cbc128_encrypt(in,out,len,key,ivec,(block128_f)Camellia_encrypt);
62 else
63 CRYPTO_cbc128_decrypt(in,out,len,key,ivec,(block128_f)Camellia_decrypt);
64 }
diff --git a/src/lib/libcrypto/camellia/cmll_cfb.c b/src/lib/libcrypto/camellia/cmll_cfb.c
deleted file mode 100644
index 3d81b51d3f..0000000000
--- a/src/lib/libcrypto/camellia/cmll_cfb.c
+++ /dev/null
@@ -1,139 +0,0 @@
1/* crypto/camellia/camellia_cfb.c -*- mode:C; c-file-style: "eay" -*- */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
52 * All rights reserved.
53 *
54 * This package is an SSL implementation written
55 * by Eric Young (eay@cryptsoft.com).
56 * The implementation was written so as to conform with Netscapes SSL.
57 *
58 * This library is free for commercial and non-commercial use as long as
59 * the following conditions are aheared to. The following conditions
60 * apply to all code found in this distribution, be it the RC4, RSA,
61 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
62 * included with this distribution is covered by the same copyright terms
63 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
64 *
65 * Copyright remains Eric Young's, and as such any Copyright notices in
66 * the code are not to be removed.
67 * If this package is used in a product, Eric Young should be given attribution
68 * as the author of the parts of the library used.
69 * This can be in the form of a textual message at program startup or
70 * in documentation (online or textual) provided with the package.
71 *
72 * Redistribution and use in source and binary forms, with or without
73 * modification, are permitted provided that the following conditions
74 * are met:
75 * 1. Redistributions of source code must retain the copyright
76 * notice, this list of conditions and the following disclaimer.
77 * 2. Redistributions in binary form must reproduce the above copyright
78 * notice, this list of conditions and the following disclaimer in the
79 * documentation and/or other materials provided with the distribution.
80 * 3. All advertising materials mentioning features or use of this software
81 * must display the following acknowledgement:
82 * "This product includes cryptographic software written by
83 * Eric Young (eay@cryptsoft.com)"
84 * The word 'cryptographic' can be left out if the rouines from the library
85 * being used are not cryptographic related :-).
86 * 4. If you include any Windows specific code (or a derivative thereof) from
87 * the apps directory (application code) you must include an acknowledgement:
88 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
89 *
90 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
91 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
92 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
93 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
94 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
95 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
96 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
97 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
98 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
99 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
100 * SUCH DAMAGE.
101 *
102 * The licence and distribution terms for any publically available version or
103 * derivative of this code cannot be changed. i.e. this code cannot simply be
104 * copied and put under another distribution licence
105 * [including the GNU Public Licence.]
106 */
107
108#include <openssl/camellia.h>
109#include <openssl/modes.h>
110
111
112/* The input and output encrypted as though 128bit cfb mode is being
113 * used. The extra state information to record how much of the
114 * 128bit block we have used is contained in *num;
115 */
116
117void Camellia_cfb128_encrypt(const unsigned char *in, unsigned char *out,
118 size_t length, const CAMELLIA_KEY *key,
119 unsigned char *ivec, int *num, const int enc)
120 {
121
122 CRYPTO_cfb128_encrypt(in,out,length,key,ivec,num,enc,(block128_f)Camellia_encrypt);
123 }
124
125/* N.B. This expects the input to be packed, MS bit first */
126void Camellia_cfb1_encrypt(const unsigned char *in, unsigned char *out,
127 size_t length, const CAMELLIA_KEY *key,
128 unsigned char *ivec, int *num, const int enc)
129 {
130 CRYPTO_cfb128_1_encrypt(in,out,length,key,ivec,num,enc,(block128_f)Camellia_encrypt);
131 }
132
133void Camellia_cfb8_encrypt(const unsigned char *in, unsigned char *out,
134 size_t length, const CAMELLIA_KEY *key,
135 unsigned char *ivec, int *num, const int enc)
136 {
137 CRYPTO_cfb128_8_encrypt(in,out,length,key,ivec,num,enc,(block128_f)Camellia_encrypt);
138 }
139
diff --git a/src/lib/libcrypto/camellia/cmll_ctr.c b/src/lib/libcrypto/camellia/cmll_ctr.c
deleted file mode 100644
index 014e621a34..0000000000
--- a/src/lib/libcrypto/camellia/cmll_ctr.c
+++ /dev/null
@@ -1,64 +0,0 @@
1/* crypto/camellia/camellia_ctr.c -*- mode:C; c-file-style: "eay" -*- */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52#include <openssl/camellia.h>
53#include <openssl/modes.h>
54
55void Camellia_ctr128_encrypt(const unsigned char *in, unsigned char *out,
56 size_t length, const CAMELLIA_KEY *key,
57 unsigned char ivec[CAMELLIA_BLOCK_SIZE],
58 unsigned char ecount_buf[CAMELLIA_BLOCK_SIZE],
59 unsigned int *num)
60 {
61
62 CRYPTO_ctr128_encrypt(in,out,length,key,ivec,ecount_buf,num,(block128_f)Camellia_encrypt);
63 }
64
diff --git a/src/lib/libcrypto/camellia/cmll_ecb.c b/src/lib/libcrypto/camellia/cmll_ecb.c
deleted file mode 100644
index 70dc0e5632..0000000000
--- a/src/lib/libcrypto/camellia/cmll_ecb.c
+++ /dev/null
@@ -1,74 +0,0 @@
1/* crypto/camellia/camellia_ecb.c -*- mode:C; c-file-style: "eay" -*- */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52#ifndef CAMELLIA_DEBUG
53# ifndef NDEBUG
54# define NDEBUG
55# endif
56#endif
57#include <assert.h>
58
59#include <openssl/camellia.h>
60#include "cmll_locl.h"
61
62void Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out,
63 const CAMELLIA_KEY *key, const int enc)
64 {
65
66 assert(in && out && key);
67 assert((CAMELLIA_ENCRYPT == enc)||(CAMELLIA_DECRYPT == enc));
68
69 if (CAMELLIA_ENCRYPT == enc)
70 Camellia_encrypt(in, out, key);
71 else
72 Camellia_decrypt(in, out, key);
73 }
74
diff --git a/src/lib/libcrypto/camellia/cmll_locl.h b/src/lib/libcrypto/camellia/cmll_locl.h
deleted file mode 100644
index 246b6ce1d8..0000000000
--- a/src/lib/libcrypto/camellia/cmll_locl.h
+++ /dev/null
@@ -1,86 +0,0 @@
1/* crypto/camellia/camellia_locl.h -*- mode:C; c-file-style: "eay" -*- */
2/* ====================================================================
3 * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) .
4 * ALL RIGHTS RESERVED.
5 *
6 * Intellectual Property information for Camellia:
7 * http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
8 *
9 * News Release for Announcement of Camellia open source:
10 * http://www.ntt.co.jp/news/news06e/0604/060413a.html
11 *
12 * The Camellia Code included herein is developed by
13 * NTT (Nippon Telegraph and Telephone Corporation), and is contributed
14 * to the OpenSSL project.
15 *
16 * The Camellia Code is licensed pursuant to the OpenSSL open source
17 * license provided below.
18 */
19/* ====================================================================
20 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 *
26 * 1. Redistributions of source code must retain the above copyright
27 * notice, this list of conditions and the following disclaimer.
28 *
29 * 2. Redistributions in binary form must reproduce the above copyright
30 * notice, this list of conditions and the following disclaimer in
31 * the documentation and/or other materials provided with the
32 * distribution.
33 *
34 * 3. All advertising materials mentioning features or use of this
35 * software must display the following acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
38 *
39 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
40 * endorse or promote products derived from this software without
41 * prior written permission. For written permission, please contact
42 * openssl-core@openssl.org.
43 *
44 * 5. Products derived from this software may not be called "OpenSSL"
45 * nor may "OpenSSL" appear in their names without prior written
46 * permission of the OpenSSL Project.
47 *
48 * 6. Redistributions of any form whatsoever must retain the following
49 * acknowledgment:
50 * "This product includes software developed by the OpenSSL Project
51 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
54 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
56 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
57 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
58 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
59 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
60 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
61 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
62 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
63 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
64 * OF THE POSSIBILITY OF SUCH DAMAGE.
65 * ====================================================================
66 */
67
68#ifndef HEADER_CAMELLIA_LOCL_H
69#define HEADER_CAMELLIA_LOCL_H
70
71typedef unsigned int u32;
72typedef unsigned char u8;
73
74int Camellia_Ekeygen(int keyBitLength, const u8 *rawKey,
75 KEY_TABLE_TYPE keyTable);
76void Camellia_EncryptBlock_Rounds(int grandRounds, const u8 plaintext[],
77 const KEY_TABLE_TYPE keyTable, u8 ciphertext[]);
78void Camellia_DecryptBlock_Rounds(int grandRounds, const u8 ciphertext[],
79 const KEY_TABLE_TYPE keyTable, u8 plaintext[]);
80void Camellia_EncryptBlock(int keyBitLength, const u8 plaintext[],
81 const KEY_TABLE_TYPE keyTable, u8 ciphertext[]);
82void Camellia_DecryptBlock(int keyBitLength, const u8 ciphertext[],
83 const KEY_TABLE_TYPE keyTable, u8 plaintext[]);
84int private_Camellia_set_key(const unsigned char *userKey, const int bits,
85 CAMELLIA_KEY *key);
86#endif /* #ifndef HEADER_CAMELLIA_LOCL_H */
diff --git a/src/lib/libcrypto/camellia/cmll_misc.c b/src/lib/libcrypto/camellia/cmll_misc.c
deleted file mode 100644
index f44d48564c..0000000000
--- a/src/lib/libcrypto/camellia/cmll_misc.c
+++ /dev/null
@@ -1,80 +0,0 @@
1/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52#include <openssl/opensslv.h>
53#include <openssl/crypto.h>
54#include <openssl/camellia.h>
55#include "cmll_locl.h"
56
57const char CAMELLIA_version[]="CAMELLIA" OPENSSL_VERSION_PTEXT;
58
59int private_Camellia_set_key(const unsigned char *userKey, const int bits,
60 CAMELLIA_KEY *key)
61 {
62 if(!userKey || !key)
63 return -1;
64 if(bits != 128 && bits != 192 && bits != 256)
65 return -2;
66 key->grand_rounds = Camellia_Ekeygen(bits , userKey, key->u.rd_key);
67 return 0;
68 }
69
70void Camellia_encrypt(const unsigned char *in, unsigned char *out,
71 const CAMELLIA_KEY *key)
72 {
73 Camellia_EncryptBlock_Rounds(key->grand_rounds, in , key->u.rd_key , out);
74 }
75
76void Camellia_decrypt(const unsigned char *in, unsigned char *out,
77 const CAMELLIA_KEY *key)
78 {
79 Camellia_DecryptBlock_Rounds(key->grand_rounds, in , key->u.rd_key , out);
80 }
diff --git a/src/lib/libcrypto/camellia/cmll_ofb.c b/src/lib/libcrypto/camellia/cmll_ofb.c
deleted file mode 100644
index a482befc74..0000000000
--- a/src/lib/libcrypto/camellia/cmll_ofb.c
+++ /dev/null
@@ -1,119 +0,0 @@
1/* crypto/camellia/camellia_ofb.c -*- mode:C; c-file-style: "eay" -*- */
2/* ====================================================================
3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
52 * All rights reserved.
53 *
54 * This package is an SSL implementation written
55 * by Eric Young (eay@cryptsoft.com).
56 * The implementation was written so as to conform with Netscapes SSL.
57 *
58 * This library is free for commercial and non-commercial use as long as
59 * the following conditions are aheared to. The following conditions
60 * apply to all code found in this distribution, be it the RC4, RSA,
61 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
62 * included with this distribution is covered by the same copyright terms
63 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
64 *
65 * Copyright remains Eric Young's, and as such any Copyright notices in
66 * the code are not to be removed.
67 * If this package is used in a product, Eric Young should be given attribution
68 * as the author of the parts of the library used.
69 * This can be in the form of a textual message at program startup or
70 * in documentation (online or textual) provided with the package.
71 *
72 * Redistribution and use in source and binary forms, with or without
73 * modification, are permitted provided that the following conditions
74 * are met:
75 * 1. Redistributions of source code must retain the copyright
76 * notice, this list of conditions and the following disclaimer.
77 * 2. Redistributions in binary form must reproduce the above copyright
78 * notice, this list of conditions and the following disclaimer in the
79 * documentation and/or other materials provided with the distribution.
80 * 3. All advertising materials mentioning features or use of this software
81 * must display the following acknowledgement:
82 * "This product includes cryptographic software written by
83 * Eric Young (eay@cryptsoft.com)"
84 * The word 'cryptographic' can be left out if the rouines from the library
85 * being used are not cryptographic related :-).
86 * 4. If you include any Windows specific code (or a derivative thereof) from
87 * the apps directory (application code) you must include an acknowledgement:
88 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
89 *
90 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
91 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
92 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
93 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
94 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
95 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
96 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
97 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
98 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
99 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
100 * SUCH DAMAGE.
101 *
102 * The licence and distribution terms for any publically available version or
103 * derivative of this code cannot be changed. i.e. this code cannot simply be
104 * copied and put under another distribution licence
105 * [including the GNU Public Licence.]
106 */
107
108#include <openssl/camellia.h>
109#include <openssl/modes.h>
110
111/* The input and output encrypted as though 128bit ofb mode is being
112 * used. The extra state information to record how much of the
113 * 128bit block we have used is contained in *num;
114 */
115void Camellia_ofb128_encrypt(const unsigned char *in, unsigned char *out,
116 size_t length, const CAMELLIA_KEY *key,
117 unsigned char *ivec, int *num) {
118 CRYPTO_ofb128_encrypt(in,out,length,key,ivec,num,(block128_f)Camellia_encrypt);
119}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-26 10:34:41 +0000