1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/freebl/camellia.c Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,1782 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +#ifdef FREEBL_NO_DEPEND
1.9 +#include "stubs.h"
1.10 +#endif
1.11 +
1.12 +#include "prinit.h"
1.13 +#include "prerr.h"
1.14 +#include "secerr.h"
1.15 +
1.16 +#include "prtypes.h"
1.17 +#include "blapi.h"
1.18 +#include "camellia.h"
1.19 +#include "sha_fast.h" /* for SHA_HTONL and related configuration macros */
1.20 +
1.21 +
1.22 +/* key constants */
1.23 +
1.24 +#define CAMELLIA_SIGMA1L (0xA09E667FL)
1.25 +#define CAMELLIA_SIGMA1R (0x3BCC908BL)
1.26 +#define CAMELLIA_SIGMA2L (0xB67AE858L)
1.27 +#define CAMELLIA_SIGMA2R (0x4CAA73B2L)
1.28 +#define CAMELLIA_SIGMA3L (0xC6EF372FL)
1.29 +#define CAMELLIA_SIGMA3R (0xE94F82BEL)
1.30 +#define CAMELLIA_SIGMA4L (0x54FF53A5L)
1.31 +#define CAMELLIA_SIGMA4R (0xF1D36F1CL)
1.32 +#define CAMELLIA_SIGMA5L (0x10E527FAL)
1.33 +#define CAMELLIA_SIGMA5R (0xDE682D1DL)
1.34 +#define CAMELLIA_SIGMA6L (0xB05688C2L)
1.35 +#define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
1.36 +
1.37 +/*
1.38 + * macros
1.39 + */
1.40 +
1.41 +
1.42 +#if defined(SHA_ALLOW_UNALIGNED_ACCESS)
1.43 +
1.44 +/* require a CPU that allows unaligned access */
1.45 +
1.46 +#if defined(SHA_NEED_TMP_VARIABLE)
1.47 +#define CAMELLIA_NEED_TMP_VARIABLE 1
1.48 +#endif
1.49 +
1.50 +# define GETU32(p) SHA_HTONL(*((PRUint32 *)(p)))
1.51 +# define PUTU32(ct, st) {*((PRUint32 *)(ct)) = SHA_HTONL(st);}
1.52 +
1.53 +#else /* no unaligned access */
1.54 +
1.55 +# define GETU32(pt) \
1.56 + (((PRUint32)(pt)[0] << 24) \
1.57 + ^ ((PRUint32)(pt)[1] << 16) \
1.58 + ^ ((PRUint32)(pt)[2] << 8) \
1.59 + ^ ((PRUint32)(pt)[3]))
1.60 +
1.61 +# define PUTU32(ct, st) { \
1.62 + (ct)[0] = (PRUint8)((st) >> 24); \
1.63 + (ct)[1] = (PRUint8)((st) >> 16); \
1.64 + (ct)[2] = (PRUint8)((st) >> 8); \
1.65 + (ct)[3] = (PRUint8)(st); }
1.66 +
1.67 +#endif
1.68 +
1.69 +#define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2])
1.70 +#define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1])
1.71 +
1.72 +/* rotation right shift 1byte */
1.73 +#define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24))
1.74 +/* rotation left shift 1bit */
1.75 +#define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
1.76 +/* rotation left shift 1byte */
1.77 +#define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24))
1.78 +
1.79 +#define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits) \
1.80 + do { \
1.81 + w0 = ll; \
1.82 + ll = (ll << bits) + (lr >> (32 - bits)); \
1.83 + lr = (lr << bits) + (rl >> (32 - bits)); \
1.84 + rl = (rl << bits) + (rr >> (32 - bits)); \
1.85 + rr = (rr << bits) + (w0 >> (32 - bits)); \
1.86 + } while(0)
1.87 +
1.88 +#define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits) \
1.89 + do { \
1.90 + w0 = ll; \
1.91 + w1 = lr; \
1.92 + ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
1.93 + lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
1.94 + rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
1.95 + rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
1.96 + } while(0)
1.97 +
1.98 +#define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)])
1.99 +#define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)])
1.100 +#define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)])
1.101 +#define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)])
1.102 +
1.103 +#define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \
1.104 + do { \
1.105 + il = xl ^ kl; \
1.106 + ir = xr ^ kr; \
1.107 + t0 = il >> 16; \
1.108 + t1 = ir >> 16; \
1.109 + yl = CAMELLIA_SP1110(ir & 0xff) \
1.110 + ^ CAMELLIA_SP0222((t1 >> 8) & 0xff) \
1.111 + ^ CAMELLIA_SP3033(t1 & 0xff) \
1.112 + ^ CAMELLIA_SP4404((ir >> 8) & 0xff); \
1.113 + yr = CAMELLIA_SP1110((t0 >> 8) & 0xff) \
1.114 + ^ CAMELLIA_SP0222(t0 & 0xff) \
1.115 + ^ CAMELLIA_SP3033((il >> 8) & 0xff) \
1.116 + ^ CAMELLIA_SP4404(il & 0xff); \
1.117 + yl ^= yr; \
1.118 + yr = CAMELLIA_RR8(yr); \
1.119 + yr ^= yl; \
1.120 + } while(0)
1.121 +
1.122 +
1.123 +/*
1.124 + * for speed up
1.125 + *
1.126 + */
1.127 +#define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
1.128 + do { \
1.129 + t0 = kll; \
1.130 + t0 &= ll; \
1.131 + lr ^= CAMELLIA_RL1(t0); \
1.132 + t1 = klr; \
1.133 + t1 |= lr; \
1.134 + ll ^= t1; \
1.135 + \
1.136 + t2 = krr; \
1.137 + t2 |= rr; \
1.138 + rl ^= t2; \
1.139 + t3 = krl; \
1.140 + t3 &= rl; \
1.141 + rr ^= CAMELLIA_RL1(t3); \
1.142 + } while(0)
1.143 +
1.144 +#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \
1.145 + do { \
1.146 + ir = CAMELLIA_SP1110(xr & 0xff) \
1.147 + ^ CAMELLIA_SP0222((xr >> 24) & 0xff) \
1.148 + ^ CAMELLIA_SP3033((xr >> 16) & 0xff) \
1.149 + ^ CAMELLIA_SP4404((xr >> 8) & 0xff); \
1.150 + il = CAMELLIA_SP1110((xl >> 24) & 0xff) \
1.151 + ^ CAMELLIA_SP0222((xl >> 16) & 0xff) \
1.152 + ^ CAMELLIA_SP3033((xl >> 8) & 0xff) \
1.153 + ^ CAMELLIA_SP4404(xl & 0xff); \
1.154 + il ^= kl; \
1.155 + ir ^= kr; \
1.156 + ir ^= il; \
1.157 + il = CAMELLIA_RR8(il); \
1.158 + il ^= ir; \
1.159 + yl ^= ir; \
1.160 + yr ^= il; \
1.161 + } while(0)
1.162 +
1.163 +
1.164 +static const PRUint32 camellia_sp1110[256] = {
1.165 + 0x70707000,0x82828200,0x2c2c2c00,0xececec00,
1.166 + 0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
1.167 + 0xe4e4e400,0x85858500,0x57575700,0x35353500,
1.168 + 0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
1.169 + 0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
1.170 + 0x45454500,0x19191900,0xa5a5a500,0x21212100,
1.171 + 0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
1.172 + 0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
1.173 + 0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
1.174 + 0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
1.175 + 0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
1.176 + 0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
1.177 + 0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
1.178 + 0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
1.179 + 0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
1.180 + 0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
1.181 + 0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
1.182 + 0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
1.183 + 0x74747400,0x12121200,0x2b2b2b00,0x20202000,
1.184 + 0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
1.185 + 0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
1.186 + 0x34343400,0x7e7e7e00,0x76767600,0x05050500,
1.187 + 0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
1.188 + 0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
1.189 + 0x14141400,0x58585800,0x3a3a3a00,0x61616100,
1.190 + 0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
1.191 + 0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
1.192 + 0x53535300,0x18181800,0xf2f2f200,0x22222200,
1.193 + 0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
1.194 + 0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
1.195 + 0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
1.196 + 0x60606000,0xfcfcfc00,0x69696900,0x50505000,
1.197 + 0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
1.198 + 0xa1a1a100,0x89898900,0x62626200,0x97979700,
1.199 + 0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
1.200 + 0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
1.201 + 0x10101000,0xc4c4c400,0x00000000,0x48484800,
1.202 + 0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
1.203 + 0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
1.204 + 0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
1.205 + 0x87878700,0x5c5c5c00,0x83838300,0x02020200,
1.206 + 0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
1.207 + 0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
1.208 + 0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
1.209 + 0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
1.210 + 0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
1.211 + 0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
1.212 + 0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
1.213 + 0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
1.214 + 0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
1.215 + 0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
1.216 + 0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
1.217 + 0x78787800,0x98989800,0x06060600,0x6a6a6a00,
1.218 + 0xe7e7e700,0x46464600,0x71717100,0xbababa00,
1.219 + 0xd4d4d400,0x25252500,0xababab00,0x42424200,
1.220 + 0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
1.221 + 0x72727200,0x07070700,0xb9b9b900,0x55555500,
1.222 + 0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
1.223 + 0x36363600,0x49494900,0x2a2a2a00,0x68686800,
1.224 + 0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
1.225 + 0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
1.226 + 0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
1.227 + 0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
1.228 + 0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
1.229 +};
1.230 +
1.231 +static const PRUint32 camellia_sp0222[256] = {
1.232 + 0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
1.233 + 0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
1.234 + 0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
1.235 + 0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
1.236 + 0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
1.237 + 0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
1.238 + 0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
1.239 + 0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
1.240 + 0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
1.241 + 0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
1.242 + 0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
1.243 + 0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
1.244 + 0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
1.245 + 0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
1.246 + 0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
1.247 + 0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
1.248 + 0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
1.249 + 0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
1.250 + 0x00e8e8e8,0x00242424,0x00565656,0x00404040,
1.251 + 0x00e1e1e1,0x00636363,0x00090909,0x00333333,
1.252 + 0x00bfbfbf,0x00989898,0x00979797,0x00858585,
1.253 + 0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
1.254 + 0x00dadada,0x006f6f6f,0x00535353,0x00626262,
1.255 + 0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
1.256 + 0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
1.257 + 0x00bdbdbd,0x00363636,0x00222222,0x00383838,
1.258 + 0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
1.259 + 0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
1.260 + 0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
1.261 + 0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
1.262 + 0x00484848,0x00101010,0x00d1d1d1,0x00515151,
1.263 + 0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
1.264 + 0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
1.265 + 0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
1.266 + 0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
1.267 + 0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
1.268 + 0x00202020,0x00898989,0x00000000,0x00909090,
1.269 + 0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
1.270 + 0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
1.271 + 0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
1.272 + 0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
1.273 + 0x009b9b9b,0x00949494,0x00212121,0x00666666,
1.274 + 0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
1.275 + 0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
1.276 + 0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
1.277 + 0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
1.278 + 0x00030303,0x002d2d2d,0x00dedede,0x00969696,
1.279 + 0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
1.280 + 0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
1.281 + 0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
1.282 + 0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
1.283 + 0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
1.284 + 0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
1.285 + 0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
1.286 + 0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
1.287 + 0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
1.288 + 0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
1.289 + 0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
1.290 + 0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
1.291 + 0x00787878,0x00707070,0x00e3e3e3,0x00494949,
1.292 + 0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
1.293 + 0x00777777,0x00939393,0x00868686,0x00838383,
1.294 + 0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
1.295 + 0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
1.296 +};
1.297 +
1.298 +static const PRUint32 camellia_sp3033[256] = {
1.299 + 0x38003838,0x41004141,0x16001616,0x76007676,
1.300 + 0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
1.301 + 0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
1.302 + 0x75007575,0x06000606,0x57005757,0xa000a0a0,
1.303 + 0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
1.304 + 0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
1.305 + 0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
1.306 + 0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
1.307 + 0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
1.308 + 0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
1.309 + 0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
1.310 + 0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
1.311 + 0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
1.312 + 0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
1.313 + 0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
1.314 + 0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
1.315 + 0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
1.316 + 0xfd00fdfd,0x66006666,0x58005858,0x96009696,
1.317 + 0x3a003a3a,0x09000909,0x95009595,0x10001010,
1.318 + 0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
1.319 + 0xef00efef,0x26002626,0xe500e5e5,0x61006161,
1.320 + 0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
1.321 + 0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
1.322 + 0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
1.323 + 0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
1.324 + 0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
1.325 + 0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
1.326 + 0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
1.327 + 0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
1.328 + 0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
1.329 + 0x12001212,0x04000404,0x74007474,0x54005454,
1.330 + 0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
1.331 + 0x55005555,0x68006868,0x50005050,0xbe00bebe,
1.332 + 0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
1.333 + 0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
1.334 + 0x70007070,0xff00ffff,0x32003232,0x69006969,
1.335 + 0x08000808,0x62006262,0x00000000,0x24002424,
1.336 + 0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
1.337 + 0x45004545,0x81008181,0x73007373,0x6d006d6d,
1.338 + 0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
1.339 + 0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
1.340 + 0xe600e6e6,0x25002525,0x48004848,0x99009999,
1.341 + 0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
1.342 + 0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
1.343 + 0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
1.344 + 0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
1.345 + 0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
1.346 + 0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
1.347 + 0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
1.348 + 0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
1.349 + 0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
1.350 + 0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
1.351 + 0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
1.352 + 0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
1.353 + 0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
1.354 + 0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
1.355 + 0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
1.356 + 0x7c007c7c,0x77007777,0x56005656,0x05000505,
1.357 + 0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
1.358 + 0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
1.359 + 0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
1.360 + 0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
1.361 + 0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
1.362 + 0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
1.363 +};
1.364 +
1.365 +static const PRUint32 camellia_sp4404[256] = {
1.366 + 0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
1.367 + 0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
1.368 + 0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
1.369 + 0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
1.370 + 0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
1.371 + 0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
1.372 + 0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
1.373 + 0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
1.374 + 0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
1.375 + 0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
1.376 + 0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
1.377 + 0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
1.378 + 0x14140014,0x3a3a003a,0xdede00de,0x11110011,
1.379 + 0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
1.380 + 0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
1.381 + 0x24240024,0xe8e800e8,0x60600060,0x69690069,
1.382 + 0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
1.383 + 0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
1.384 + 0x10100010,0x00000000,0xa3a300a3,0x75750075,
1.385 + 0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
1.386 + 0x87870087,0x83830083,0xcdcd00cd,0x90900090,
1.387 + 0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
1.388 + 0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
1.389 + 0x81810081,0x6f6f006f,0x13130013,0x63630063,
1.390 + 0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
1.391 + 0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
1.392 + 0x78780078,0x06060006,0xe7e700e7,0x71710071,
1.393 + 0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
1.394 + 0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
1.395 + 0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
1.396 + 0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
1.397 + 0x15150015,0xadad00ad,0x77770077,0x80800080,
1.398 + 0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
1.399 + 0x85850085,0x35350035,0x0c0c000c,0x41410041,
1.400 + 0xefef00ef,0x93930093,0x19190019,0x21210021,
1.401 + 0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
1.402 + 0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
1.403 + 0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
1.404 + 0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
1.405 + 0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
1.406 + 0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
1.407 + 0x12120012,0x20200020,0xb1b100b1,0x99990099,
1.408 + 0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
1.409 + 0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
1.410 + 0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
1.411 + 0x0f0f000f,0x16160016,0x18180018,0x22220022,
1.412 + 0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
1.413 + 0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
1.414 + 0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
1.415 + 0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
1.416 + 0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
1.417 + 0x03030003,0xdada00da,0x3f3f003f,0x94940094,
1.418 + 0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
1.419 + 0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
1.420 + 0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
1.421 + 0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
1.422 + 0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
1.423 + 0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
1.424 + 0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
1.425 + 0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
1.426 + 0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
1.427 + 0x49490049,0x68680068,0x38380038,0xa4a400a4,
1.428 + 0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
1.429 + 0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
1.430 +};
1.431 +
1.432 +
1.433 +/**
1.434 + * Stuff related to the Camellia key schedule
1.435 + */
1.436 +#define subl(x) subL[(x)]
1.437 +#define subr(x) subR[(x)]
1.438 +
1.439 +void camellia_setup128(const unsigned char *key, PRUint32 *subkey)
1.440 +{
1.441 + PRUint32 kll, klr, krl, krr;
1.442 + PRUint32 il, ir, t0, t1, w0, w1;
1.443 + PRUint32 kw4l, kw4r, dw, tl, tr;
1.444 + PRUint32 subL[26];
1.445 + PRUint32 subR[26];
1.446 +#if defined(CAMELLIA_NEED_TMP_VARIABLE)
1.447 + PRUint32 tmp;
1.448 +#endif
1.449 +
1.450 + /**
1.451 + * k == kll || klr || krl || krr (|| is concatination)
1.452 + */
1.453 + kll = GETU32(key );
1.454 + klr = GETU32(key + 4);
1.455 + krl = GETU32(key + 8);
1.456 + krr = GETU32(key + 12);
1.457 + /**
1.458 + * generate KL dependent subkeys
1.459 + */
1.460 + subl(0) = kll; subr(0) = klr;
1.461 + subl(1) = krl; subr(1) = krr;
1.462 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
1.463 + subl(4) = kll; subr(4) = klr;
1.464 + subl(5) = krl; subr(5) = krr;
1.465 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
1.466 + subl(10) = kll; subr(10) = klr;
1.467 + subl(11) = krl; subr(11) = krr;
1.468 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
1.469 + subl(13) = krl; subr(13) = krr;
1.470 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
1.471 + subl(16) = kll; subr(16) = klr;
1.472 + subl(17) = krl; subr(17) = krr;
1.473 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
1.474 + subl(18) = kll; subr(18) = klr;
1.475 + subl(19) = krl; subr(19) = krr;
1.476 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
1.477 + subl(22) = kll; subr(22) = klr;
1.478 + subl(23) = krl; subr(23) = krr;
1.479 +
1.480 + /* generate KA */
1.481 + kll = subl(0); klr = subr(0);
1.482 + krl = subl(1); krr = subr(1);
1.483 + CAMELLIA_F(kll, klr,
1.484 + CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
1.485 + w0, w1, il, ir, t0, t1);
1.486 + krl ^= w0; krr ^= w1;
1.487 + CAMELLIA_F(krl, krr,
1.488 + CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
1.489 + kll, klr, il, ir, t0, t1);
1.490 + CAMELLIA_F(kll, klr,
1.491 + CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
1.492 + krl, krr, il, ir, t0, t1);
1.493 + krl ^= w0; krr ^= w1;
1.494 + CAMELLIA_F(krl, krr,
1.495 + CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
1.496 + w0, w1, il, ir, t0, t1);
1.497 + kll ^= w0; klr ^= w1;
1.498 +
1.499 + /* generate KA dependent subkeys */
1.500 + subl(2) = kll; subr(2) = klr;
1.501 + subl(3) = krl; subr(3) = krr;
1.502 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
1.503 + subl(6) = kll; subr(6) = klr;
1.504 + subl(7) = krl; subr(7) = krr;
1.505 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
1.506 + subl(8) = kll; subr(8) = klr;
1.507 + subl(9) = krl; subr(9) = krr;
1.508 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
1.509 + subl(12) = kll; subr(12) = klr;
1.510 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
1.511 + subl(14) = kll; subr(14) = klr;
1.512 + subl(15) = krl; subr(15) = krr;
1.513 + CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
1.514 + subl(20) = kll; subr(20) = klr;
1.515 + subl(21) = krl; subr(21) = krr;
1.516 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
1.517 + subl(24) = kll; subr(24) = klr;
1.518 + subl(25) = krl; subr(25) = krr;
1.519 +
1.520 +
1.521 + /* absorb kw2 to other subkeys */
1.522 + subl(3) ^= subl(1); subr(3) ^= subr(1);
1.523 + subl(5) ^= subl(1); subr(5) ^= subr(1);
1.524 + subl(7) ^= subl(1); subr(7) ^= subr(1);
1.525 + subl(1) ^= subr(1) & ~subr(9);
1.526 + dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
1.527 + subl(11) ^= subl(1); subr(11) ^= subr(1);
1.528 + subl(13) ^= subl(1); subr(13) ^= subr(1);
1.529 + subl(15) ^= subl(1); subr(15) ^= subr(1);
1.530 + subl(1) ^= subr(1) & ~subr(17);
1.531 + dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
1.532 + subl(19) ^= subl(1); subr(19) ^= subr(1);
1.533 + subl(21) ^= subl(1); subr(21) ^= subr(1);
1.534 + subl(23) ^= subl(1); subr(23) ^= subr(1);
1.535 + subl(24) ^= subl(1); subr(24) ^= subr(1);
1.536 +
1.537 + /* absorb kw4 to other subkeys */
1.538 + kw4l = subl(25); kw4r = subr(25);
1.539 + subl(22) ^= kw4l; subr(22) ^= kw4r;
1.540 + subl(20) ^= kw4l; subr(20) ^= kw4r;
1.541 + subl(18) ^= kw4l; subr(18) ^= kw4r;
1.542 + kw4l ^= kw4r & ~subr(16);
1.543 + dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
1.544 + subl(14) ^= kw4l; subr(14) ^= kw4r;
1.545 + subl(12) ^= kw4l; subr(12) ^= kw4r;
1.546 + subl(10) ^= kw4l; subr(10) ^= kw4r;
1.547 + kw4l ^= kw4r & ~subr(8);
1.548 + dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
1.549 + subl(6) ^= kw4l; subr(6) ^= kw4r;
1.550 + subl(4) ^= kw4l; subr(4) ^= kw4r;
1.551 + subl(2) ^= kw4l; subr(2) ^= kw4r;
1.552 + subl(0) ^= kw4l; subr(0) ^= kw4r;
1.553 +
1.554 + /* key XOR is end of F-function */
1.555 + CamelliaSubkeyL(0) = subl(0) ^ subl(2);
1.556 + CamelliaSubkeyR(0) = subr(0) ^ subr(2);
1.557 + CamelliaSubkeyL(2) = subl(3);
1.558 + CamelliaSubkeyR(2) = subr(3);
1.559 + CamelliaSubkeyL(3) = subl(2) ^ subl(4);
1.560 + CamelliaSubkeyR(3) = subr(2) ^ subr(4);
1.561 + CamelliaSubkeyL(4) = subl(3) ^ subl(5);
1.562 + CamelliaSubkeyR(4) = subr(3) ^ subr(5);
1.563 + CamelliaSubkeyL(5) = subl(4) ^ subl(6);
1.564 + CamelliaSubkeyR(5) = subr(4) ^ subr(6);
1.565 + CamelliaSubkeyL(6) = subl(5) ^ subl(7);
1.566 + CamelliaSubkeyR(6) = subr(5) ^ subr(7);
1.567 + tl = subl(10) ^ (subr(10) & ~subr(8));
1.568 + dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
1.569 + CamelliaSubkeyL(7) = subl(6) ^ tl;
1.570 + CamelliaSubkeyR(7) = subr(6) ^ tr;
1.571 + CamelliaSubkeyL(8) = subl(8);
1.572 + CamelliaSubkeyR(8) = subr(8);
1.573 + CamelliaSubkeyL(9) = subl(9);
1.574 + CamelliaSubkeyR(9) = subr(9);
1.575 + tl = subl(7) ^ (subr(7) & ~subr(9));
1.576 + dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
1.577 + CamelliaSubkeyL(10) = tl ^ subl(11);
1.578 + CamelliaSubkeyR(10) = tr ^ subr(11);
1.579 + CamelliaSubkeyL(11) = subl(10) ^ subl(12);
1.580 + CamelliaSubkeyR(11) = subr(10) ^ subr(12);
1.581 + CamelliaSubkeyL(12) = subl(11) ^ subl(13);
1.582 + CamelliaSubkeyR(12) = subr(11) ^ subr(13);
1.583 + CamelliaSubkeyL(13) = subl(12) ^ subl(14);
1.584 + CamelliaSubkeyR(13) = subr(12) ^ subr(14);
1.585 + CamelliaSubkeyL(14) = subl(13) ^ subl(15);
1.586 + CamelliaSubkeyR(14) = subr(13) ^ subr(15);
1.587 + tl = subl(18) ^ (subr(18) & ~subr(16));
1.588 + dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
1.589 + CamelliaSubkeyL(15) = subl(14) ^ tl;
1.590 + CamelliaSubkeyR(15) = subr(14) ^ tr;
1.591 + CamelliaSubkeyL(16) = subl(16);
1.592 + CamelliaSubkeyR(16) = subr(16);
1.593 + CamelliaSubkeyL(17) = subl(17);
1.594 + CamelliaSubkeyR(17) = subr(17);
1.595 + tl = subl(15) ^ (subr(15) & ~subr(17));
1.596 + dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
1.597 + CamelliaSubkeyL(18) = tl ^ subl(19);
1.598 + CamelliaSubkeyR(18) = tr ^ subr(19);
1.599 + CamelliaSubkeyL(19) = subl(18) ^ subl(20);
1.600 + CamelliaSubkeyR(19) = subr(18) ^ subr(20);
1.601 + CamelliaSubkeyL(20) = subl(19) ^ subl(21);
1.602 + CamelliaSubkeyR(20) = subr(19) ^ subr(21);
1.603 + CamelliaSubkeyL(21) = subl(20) ^ subl(22);
1.604 + CamelliaSubkeyR(21) = subr(20) ^ subr(22);
1.605 + CamelliaSubkeyL(22) = subl(21) ^ subl(23);
1.606 + CamelliaSubkeyR(22) = subr(21) ^ subr(23);
1.607 + CamelliaSubkeyL(23) = subl(22);
1.608 + CamelliaSubkeyR(23) = subr(22);
1.609 + CamelliaSubkeyL(24) = subl(24) ^ subl(23);
1.610 + CamelliaSubkeyR(24) = subr(24) ^ subr(23);
1.611 +
1.612 + /* apply the inverse of the last half of P-function */
1.613 + dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw);
1.614 + CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw;
1.615 + dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw);
1.616 + CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw;
1.617 + dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw);
1.618 + CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw;
1.619 + dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw);
1.620 + CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw;
1.621 + dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw);
1.622 + CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw;
1.623 + dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw);
1.624 + CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw;
1.625 + dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw);
1.626 + CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw;
1.627 + dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw);
1.628 + CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw;
1.629 + dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw);
1.630 + CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw;
1.631 + dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw);
1.632 + CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw;
1.633 + dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw);
1.634 + CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw;
1.635 + dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw);
1.636 + CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw;
1.637 + dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw);
1.638 + CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw;
1.639 + dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw);
1.640 + CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw;
1.641 + dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw);
1.642 + CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw;
1.643 + dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw);
1.644 + CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw;
1.645 + dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw);
1.646 + CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw;
1.647 + dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw);
1.648 + CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw;
1.649 +
1.650 + return;
1.651 +}
1.652 +
1.653 +void camellia_setup256(const unsigned char *key, PRUint32 *subkey)
1.654 +{
1.655 + PRUint32 kll,klr,krl,krr; /* left half of key */
1.656 + PRUint32 krll,krlr,krrl,krrr; /* right half of key */
1.657 + PRUint32 il, ir, t0, t1, w0, w1; /* temporary variables */
1.658 + PRUint32 kw4l, kw4r, dw, tl, tr;
1.659 + PRUint32 subL[34];
1.660 + PRUint32 subR[34];
1.661 +#if defined(CAMELLIA_NEED_TMP_VARIABLE)
1.662 + PRUint32 tmp;
1.663 +#endif
1.664 +
1.665 + /**
1.666 + * key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
1.667 + * (|| is concatination)
1.668 + */
1.669 +
1.670 + kll = GETU32(key );
1.671 + klr = GETU32(key + 4);
1.672 + krl = GETU32(key + 8);
1.673 + krr = GETU32(key + 12);
1.674 + krll = GETU32(key + 16);
1.675 + krlr = GETU32(key + 20);
1.676 + krrl = GETU32(key + 24);
1.677 + krrr = GETU32(key + 28);
1.678 +
1.679 + /* generate KL dependent subkeys */
1.680 + subl(0) = kll; subr(0) = klr;
1.681 + subl(1) = krl; subr(1) = krr;
1.682 + CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
1.683 + subl(12) = kll; subr(12) = klr;
1.684 + subl(13) = krl; subr(13) = krr;
1.685 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
1.686 + subl(16) = kll; subr(16) = klr;
1.687 + subl(17) = krl; subr(17) = krr;
1.688 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
1.689 + subl(22) = kll; subr(22) = klr;
1.690 + subl(23) = krl; subr(23) = krr;
1.691 + CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
1.692 + subl(30) = kll; subr(30) = klr;
1.693 + subl(31) = krl; subr(31) = krr;
1.694 +
1.695 + /* generate KR dependent subkeys */
1.696 + CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
1.697 + subl(4) = krll; subr(4) = krlr;
1.698 + subl(5) = krrl; subr(5) = krrr;
1.699 + CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
1.700 + subl(8) = krll; subr(8) = krlr;
1.701 + subl(9) = krrl; subr(9) = krrr;
1.702 + CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
1.703 + subl(18) = krll; subr(18) = krlr;
1.704 + subl(19) = krrl; subr(19) = krrr;
1.705 + CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
1.706 + subl(26) = krll; subr(26) = krlr;
1.707 + subl(27) = krrl; subr(27) = krrr;
1.708 + CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
1.709 +
1.710 + /* generate KA */
1.711 + kll = subl(0) ^ krll; klr = subr(0) ^ krlr;
1.712 + krl = subl(1) ^ krrl; krr = subr(1) ^ krrr;
1.713 + CAMELLIA_F(kll, klr,
1.714 + CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
1.715 + w0, w1, il, ir, t0, t1);
1.716 + krl ^= w0; krr ^= w1;
1.717 + CAMELLIA_F(krl, krr,
1.718 + CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
1.719 + kll, klr, il, ir, t0, t1);
1.720 + kll ^= krll; klr ^= krlr;
1.721 + CAMELLIA_F(kll, klr,
1.722 + CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
1.723 + krl, krr, il, ir, t0, t1);
1.724 + krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
1.725 + CAMELLIA_F(krl, krr,
1.726 + CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
1.727 + w0, w1, il, ir, t0, t1);
1.728 + kll ^= w0; klr ^= w1;
1.729 +
1.730 + /* generate KB */
1.731 + krll ^= kll; krlr ^= klr;
1.732 + krrl ^= krl; krrr ^= krr;
1.733 + CAMELLIA_F(krll, krlr,
1.734 + CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
1.735 + w0, w1, il, ir, t0, t1);
1.736 + krrl ^= w0; krrr ^= w1;
1.737 + CAMELLIA_F(krrl, krrr,
1.738 + CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
1.739 + w0, w1, il, ir, t0, t1);
1.740 + krll ^= w0; krlr ^= w1;
1.741 +
1.742 + /* generate KA dependent subkeys */
1.743 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
1.744 + subl(6) = kll; subr(6) = klr;
1.745 + subl(7) = krl; subr(7) = krr;
1.746 + CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
1.747 + subl(14) = kll; subr(14) = klr;
1.748 + subl(15) = krl; subr(15) = krr;
1.749 + subl(24) = klr; subr(24) = krl;
1.750 + subl(25) = krr; subr(25) = kll;
1.751 + CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
1.752 + subl(28) = kll; subr(28) = klr;
1.753 + subl(29) = krl; subr(29) = krr;
1.754 +
1.755 + /* generate KB dependent subkeys */
1.756 + subl(2) = krll; subr(2) = krlr;
1.757 + subl(3) = krrl; subr(3) = krrr;
1.758 + CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
1.759 + subl(10) = krll; subr(10) = krlr;
1.760 + subl(11) = krrl; subr(11) = krrr;
1.761 + CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
1.762 + subl(20) = krll; subr(20) = krlr;
1.763 + subl(21) = krrl; subr(21) = krrr;
1.764 + CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
1.765 + subl(32) = krll; subr(32) = krlr;
1.766 + subl(33) = krrl; subr(33) = krrr;
1.767 +
1.768 + /* absorb kw2 to other subkeys */
1.769 + subl(3) ^= subl(1); subr(3) ^= subr(1);
1.770 + subl(5) ^= subl(1); subr(5) ^= subr(1);
1.771 + subl(7) ^= subl(1); subr(7) ^= subr(1);
1.772 + subl(1) ^= subr(1) & ~subr(9);
1.773 + dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
1.774 + subl(11) ^= subl(1); subr(11) ^= subr(1);
1.775 + subl(13) ^= subl(1); subr(13) ^= subr(1);
1.776 + subl(15) ^= subl(1); subr(15) ^= subr(1);
1.777 + subl(1) ^= subr(1) & ~subr(17);
1.778 + dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
1.779 + subl(19) ^= subl(1); subr(19) ^= subr(1);
1.780 + subl(21) ^= subl(1); subr(21) ^= subr(1);
1.781 + subl(23) ^= subl(1); subr(23) ^= subr(1);
1.782 + subl(1) ^= subr(1) & ~subr(25);
1.783 + dw = subl(1) & subl(25), subr(1) ^= CAMELLIA_RL1(dw);
1.784 + subl(27) ^= subl(1); subr(27) ^= subr(1);
1.785 + subl(29) ^= subl(1); subr(29) ^= subr(1);
1.786 + subl(31) ^= subl(1); subr(31) ^= subr(1);
1.787 + subl(32) ^= subl(1); subr(32) ^= subr(1);
1.788 +
1.789 + /* absorb kw4 to other subkeys */
1.790 + kw4l = subl(33); kw4r = subr(33);
1.791 + subl(30) ^= kw4l; subr(30) ^= kw4r;
1.792 + subl(28) ^= kw4l; subr(28) ^= kw4r;
1.793 + subl(26) ^= kw4l; subr(26) ^= kw4r;
1.794 + kw4l ^= kw4r & ~subr(24);
1.795 + dw = kw4l & subl(24), kw4r ^= CAMELLIA_RL1(dw);
1.796 + subl(22) ^= kw4l; subr(22) ^= kw4r;
1.797 + subl(20) ^= kw4l; subr(20) ^= kw4r;
1.798 + subl(18) ^= kw4l; subr(18) ^= kw4r;
1.799 + kw4l ^= kw4r & ~subr(16);
1.800 + dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
1.801 + subl(14) ^= kw4l; subr(14) ^= kw4r;
1.802 + subl(12) ^= kw4l; subr(12) ^= kw4r;
1.803 + subl(10) ^= kw4l; subr(10) ^= kw4r;
1.804 + kw4l ^= kw4r & ~subr(8);
1.805 + dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
1.806 + subl(6) ^= kw4l; subr(6) ^= kw4r;
1.807 + subl(4) ^= kw4l; subr(4) ^= kw4r;
1.808 + subl(2) ^= kw4l; subr(2) ^= kw4r;
1.809 + subl(0) ^= kw4l; subr(0) ^= kw4r;
1.810 +
1.811 + /* key XOR is end of F-function */
1.812 + CamelliaSubkeyL(0) = subl(0) ^ subl(2);
1.813 + CamelliaSubkeyR(0) = subr(0) ^ subr(2);
1.814 + CamelliaSubkeyL(2) = subl(3);
1.815 + CamelliaSubkeyR(2) = subr(3);
1.816 + CamelliaSubkeyL(3) = subl(2) ^ subl(4);
1.817 + CamelliaSubkeyR(3) = subr(2) ^ subr(4);
1.818 + CamelliaSubkeyL(4) = subl(3) ^ subl(5);
1.819 + CamelliaSubkeyR(4) = subr(3) ^ subr(5);
1.820 + CamelliaSubkeyL(5) = subl(4) ^ subl(6);
1.821 + CamelliaSubkeyR(5) = subr(4) ^ subr(6);
1.822 + CamelliaSubkeyL(6) = subl(5) ^ subl(7);
1.823 + CamelliaSubkeyR(6) = subr(5) ^ subr(7);
1.824 + tl = subl(10) ^ (subr(10) & ~subr(8));
1.825 + dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
1.826 + CamelliaSubkeyL(7) = subl(6) ^ tl;
1.827 + CamelliaSubkeyR(7) = subr(6) ^ tr;
1.828 + CamelliaSubkeyL(8) = subl(8);
1.829 + CamelliaSubkeyR(8) = subr(8);
1.830 + CamelliaSubkeyL(9) = subl(9);
1.831 + CamelliaSubkeyR(9) = subr(9);
1.832 + tl = subl(7) ^ (subr(7) & ~subr(9));
1.833 + dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
1.834 + CamelliaSubkeyL(10) = tl ^ subl(11);
1.835 + CamelliaSubkeyR(10) = tr ^ subr(11);
1.836 + CamelliaSubkeyL(11) = subl(10) ^ subl(12);
1.837 + CamelliaSubkeyR(11) = subr(10) ^ subr(12);
1.838 + CamelliaSubkeyL(12) = subl(11) ^ subl(13);
1.839 + CamelliaSubkeyR(12) = subr(11) ^ subr(13);
1.840 + CamelliaSubkeyL(13) = subl(12) ^ subl(14);
1.841 + CamelliaSubkeyR(13) = subr(12) ^ subr(14);
1.842 + CamelliaSubkeyL(14) = subl(13) ^ subl(15);
1.843 + CamelliaSubkeyR(14) = subr(13) ^ subr(15);
1.844 + tl = subl(18) ^ (subr(18) & ~subr(16));
1.845 + dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
1.846 + CamelliaSubkeyL(15) = subl(14) ^ tl;
1.847 + CamelliaSubkeyR(15) = subr(14) ^ tr;
1.848 + CamelliaSubkeyL(16) = subl(16);
1.849 + CamelliaSubkeyR(16) = subr(16);
1.850 + CamelliaSubkeyL(17) = subl(17);
1.851 + CamelliaSubkeyR(17) = subr(17);
1.852 + tl = subl(15) ^ (subr(15) & ~subr(17));
1.853 + dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
1.854 + CamelliaSubkeyL(18) = tl ^ subl(19);
1.855 + CamelliaSubkeyR(18) = tr ^ subr(19);
1.856 + CamelliaSubkeyL(19) = subl(18) ^ subl(20);
1.857 + CamelliaSubkeyR(19) = subr(18) ^ subr(20);
1.858 + CamelliaSubkeyL(20) = subl(19) ^ subl(21);
1.859 + CamelliaSubkeyR(20) = subr(19) ^ subr(21);
1.860 + CamelliaSubkeyL(21) = subl(20) ^ subl(22);
1.861 + CamelliaSubkeyR(21) = subr(20) ^ subr(22);
1.862 + CamelliaSubkeyL(22) = subl(21) ^ subl(23);
1.863 + CamelliaSubkeyR(22) = subr(21) ^ subr(23);
1.864 + tl = subl(26) ^ (subr(26) & ~subr(24));
1.865 + dw = tl & subl(24), tr = subr(26) ^ CAMELLIA_RL1(dw);
1.866 + CamelliaSubkeyL(23) = subl(22) ^ tl;
1.867 + CamelliaSubkeyR(23) = subr(22) ^ tr;
1.868 + CamelliaSubkeyL(24) = subl(24);
1.869 + CamelliaSubkeyR(24) = subr(24);
1.870 + CamelliaSubkeyL(25) = subl(25);
1.871 + CamelliaSubkeyR(25) = subr(25);
1.872 + tl = subl(23) ^ (subr(23) & ~subr(25));
1.873 + dw = tl & subl(25), tr = subr(23) ^ CAMELLIA_RL1(dw);
1.874 + CamelliaSubkeyL(26) = tl ^ subl(27);
1.875 + CamelliaSubkeyR(26) = tr ^ subr(27);
1.876 + CamelliaSubkeyL(27) = subl(26) ^ subl(28);
1.877 + CamelliaSubkeyR(27) = subr(26) ^ subr(28);
1.878 + CamelliaSubkeyL(28) = subl(27) ^ subl(29);
1.879 + CamelliaSubkeyR(28) = subr(27) ^ subr(29);
1.880 + CamelliaSubkeyL(29) = subl(28) ^ subl(30);
1.881 + CamelliaSubkeyR(29) = subr(28) ^ subr(30);
1.882 + CamelliaSubkeyL(30) = subl(29) ^ subl(31);
1.883 + CamelliaSubkeyR(30) = subr(29) ^ subr(31);
1.884 + CamelliaSubkeyL(31) = subl(30);
1.885 + CamelliaSubkeyR(31) = subr(30);
1.886 + CamelliaSubkeyL(32) = subl(32) ^ subl(31);
1.887 + CamelliaSubkeyR(32) = subr(32) ^ subr(31);
1.888 +
1.889 + /* apply the inverse of the last half of P-function */
1.890 + dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw);
1.891 + CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw;
1.892 + dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw);
1.893 + CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw;
1.894 + dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw);
1.895 + CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw;
1.896 + dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw);
1.897 + CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw;
1.898 + dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw);
1.899 + CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw;
1.900 + dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw);
1.901 + CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw;
1.902 + dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw);
1.903 + CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw;
1.904 + dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw);
1.905 + CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw;
1.906 + dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw);
1.907 + CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw;
1.908 + dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw);
1.909 + CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw;
1.910 + dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw);
1.911 + CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw;
1.912 + dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw);
1.913 + CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw;
1.914 + dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw);
1.915 + CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw;
1.916 + dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw);
1.917 + CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw;
1.918 + dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw);
1.919 + CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw;
1.920 + dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw);
1.921 + CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw;
1.922 + dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw);
1.923 + CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw;
1.924 + dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw);
1.925 + CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw;
1.926 + dw = CamelliaSubkeyL(26) ^ CamelliaSubkeyR(26), dw = CAMELLIA_RL8(dw);
1.927 + CamelliaSubkeyR(26) = CamelliaSubkeyL(26) ^ dw, CamelliaSubkeyL(26) = dw;
1.928 + dw = CamelliaSubkeyL(27) ^ CamelliaSubkeyR(27), dw = CAMELLIA_RL8(dw);
1.929 + CamelliaSubkeyR(27) = CamelliaSubkeyL(27) ^ dw, CamelliaSubkeyL(27) = dw;
1.930 + dw = CamelliaSubkeyL(28) ^ CamelliaSubkeyR(28), dw = CAMELLIA_RL8(dw);
1.931 + CamelliaSubkeyR(28) = CamelliaSubkeyL(28) ^ dw, CamelliaSubkeyL(28) = dw;
1.932 + dw = CamelliaSubkeyL(29) ^ CamelliaSubkeyR(29), dw = CAMELLIA_RL8(dw);
1.933 + CamelliaSubkeyR(29) = CamelliaSubkeyL(29) ^ dw, CamelliaSubkeyL(29) = dw;
1.934 + dw = CamelliaSubkeyL(30) ^ CamelliaSubkeyR(30), dw = CAMELLIA_RL8(dw);
1.935 + CamelliaSubkeyR(30) = CamelliaSubkeyL(30) ^ dw, CamelliaSubkeyL(30) = dw;
1.936 + dw = CamelliaSubkeyL(31) ^ CamelliaSubkeyR(31), dw = CAMELLIA_RL8(dw);
1.937 + CamelliaSubkeyR(31) = CamelliaSubkeyL(31) ^ dw,CamelliaSubkeyL(31) = dw;
1.938 +
1.939 + return;
1.940 +}
1.941 +
1.942 +void camellia_setup192(const unsigned char *key, PRUint32 *subkey)
1.943 +{
1.944 + unsigned char kk[32];
1.945 + PRUint32 krll, krlr, krrl,krrr;
1.946 +
1.947 + memcpy(kk, key, 24);
1.948 + memcpy((unsigned char *)&krll, key+16,4);
1.949 + memcpy((unsigned char *)&krlr, key+20,4);
1.950 + krrl = ~krll;
1.951 + krrr = ~krlr;
1.952 + memcpy(kk+24, (unsigned char *)&krrl, 4);
1.953 + memcpy(kk+28, (unsigned char *)&krrr, 4);
1.954 + camellia_setup256(kk, subkey);
1.955 + return;
1.956 +}
1.957 +
1.958 +
1.959 +/**
1.960 + * Stuff related to camellia encryption/decryption
1.961 + *
1.962 + */
1.963 +SECStatus
1.964 +camellia_encrypt128(const PRUint32 *subkey,
1.965 + unsigned char *output,
1.966 + const unsigned char *input)
1.967 +{
1.968 + PRUint32 il, ir, t0, t1;
1.969 + PRUint32 io[4];
1.970 +#if defined(CAMELLIA_NEED_TMP_VARIABLE)
1.971 + PRUint32 tmp;
1.972 +#endif
1.973 +
1.974 + io[0] = GETU32(input);
1.975 + io[1] = GETU32(input+4);
1.976 + io[2] = GETU32(input+8);
1.977 + io[3] = GETU32(input+12);
1.978 +
1.979 + /* pre whitening but absorb kw2*/
1.980 + io[0] ^= CamelliaSubkeyL(0);
1.981 + io[1] ^= CamelliaSubkeyR(0);
1.982 + /* main iteration */
1.983 +
1.984 + CAMELLIA_ROUNDSM(io[0],io[1],
1.985 + CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1.986 + io[2],io[3],il,ir,t0,t1);
1.987 + CAMELLIA_ROUNDSM(io[2],io[3],
1.988 + CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1.989 + io[0],io[1],il,ir,t0,t1);
1.990 + CAMELLIA_ROUNDSM(io[0],io[1],
1.991 + CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1.992 + io[2],io[3],il,ir,t0,t1);
1.993 + CAMELLIA_ROUNDSM(io[2],io[3],
1.994 + CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1.995 + io[0],io[1],il,ir,t0,t1);
1.996 + CAMELLIA_ROUNDSM(io[0],io[1],
1.997 + CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1.998 + io[2],io[3],il,ir,t0,t1);
1.999 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1000 + CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1.1001 + io[0],io[1],il,ir,t0,t1);
1.1002 +
1.1003 + CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1.1004 + CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1.1005 + CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1.1006 + t0,t1,il,ir);
1.1007 +
1.1008 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1009 + CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1.1010 + io[2],io[3],il,ir,t0,t1);
1.1011 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1012 + CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1.1013 + io[0],io[1],il,ir,t0,t1);
1.1014 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1015 + CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1.1016 + io[2],io[3],il,ir,t0,t1);
1.1017 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1018 + CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1.1019 + io[0],io[1],il,ir,t0,t1);
1.1020 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1021 + CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1.1022 + io[2],io[3],il,ir,t0,t1);
1.1023 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1024 + CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1.1025 + io[0],io[1],il,ir,t0,t1);
1.1026 +
1.1027 + CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1.1028 + CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1.1029 + CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1.1030 + t0,t1,il,ir);
1.1031 +
1.1032 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1033 + CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1.1034 + io[2],io[3],il,ir,t0,t1);
1.1035 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1036 + CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1.1037 + io[0],io[1],il,ir,t0,t1);
1.1038 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1039 + CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1.1040 + io[2],io[3],il,ir,t0,t1);
1.1041 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1042 + CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1.1043 + io[0],io[1],il,ir,t0,t1);
1.1044 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1045 + CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1.1046 + io[2],io[3],il,ir,t0,t1);
1.1047 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1048 + CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1.1049 + io[0],io[1],il,ir,t0,t1);
1.1050 +
1.1051 + /* post whitening but kw4 */
1.1052 + io[2] ^= CamelliaSubkeyL(24);
1.1053 + io[3] ^= CamelliaSubkeyR(24);
1.1054 +
1.1055 + t0 = io[0];
1.1056 + t1 = io[1];
1.1057 + io[0] = io[2];
1.1058 + io[1] = io[3];
1.1059 + io[2] = t0;
1.1060 + io[3] = t1;
1.1061 +
1.1062 + PUTU32(output, io[0]);
1.1063 + PUTU32(output+4, io[1]);
1.1064 + PUTU32(output+8, io[2]);
1.1065 + PUTU32(output+12, io[3]);
1.1066 +
1.1067 + return SECSuccess;
1.1068 +}
1.1069 +
1.1070 +SECStatus
1.1071 +camellia_decrypt128(const PRUint32 *subkey,
1.1072 + unsigned char *output,
1.1073 + const unsigned char *input)
1.1074 +{
1.1075 + PRUint32 il,ir,t0,t1; /* temporary valiables */
1.1076 + PRUint32 io[4];
1.1077 +#if defined(CAMELLIA_NEED_TMP_VARIABLE)
1.1078 + PRUint32 tmp;
1.1079 +#endif
1.1080 +
1.1081 + io[0] = GETU32(input);
1.1082 + io[1] = GETU32(input+4);
1.1083 + io[2] = GETU32(input+8);
1.1084 + io[3] = GETU32(input+12);
1.1085 +
1.1086 + /* pre whitening but absorb kw2*/
1.1087 + io[0] ^= CamelliaSubkeyL(24);
1.1088 + io[1] ^= CamelliaSubkeyR(24);
1.1089 +
1.1090 + /* main iteration */
1.1091 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1092 + CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1.1093 + io[2],io[3],il,ir,t0,t1);
1.1094 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1095 + CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1.1096 + io[0],io[1],il,ir,t0,t1);
1.1097 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1098 + CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1.1099 + io[2],io[3],il,ir,t0,t1);
1.1100 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1101 + CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1.1102 + io[0],io[1],il,ir,t0,t1);
1.1103 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1104 + CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1.1105 + io[2],io[3],il,ir,t0,t1);
1.1106 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1107 + CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1.1108 + io[0],io[1],il,ir,t0,t1);
1.1109 +
1.1110 + CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1.1111 + CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1.1112 + CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1.1113 + t0,t1,il,ir);
1.1114 +
1.1115 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1116 + CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1.1117 + io[2],io[3],il,ir,t0,t1);
1.1118 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1119 + CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1.1120 + io[0],io[1],il,ir,t0,t1);
1.1121 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1122 + CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1.1123 + io[2],io[3],il,ir,t0,t1);
1.1124 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1125 + CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1.1126 + io[0],io[1],il,ir,t0,t1);
1.1127 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1128 + CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1.1129 + io[2],io[3],il,ir,t0,t1);
1.1130 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1131 + CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1.1132 + io[0],io[1],il,ir,t0,t1);
1.1133 +
1.1134 + CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1.1135 + CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1.1136 + CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1.1137 + t0,t1,il,ir);
1.1138 +
1.1139 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1140 + CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1.1141 + io[2],io[3],il,ir,t0,t1);
1.1142 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1143 + CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1.1144 + io[0],io[1],il,ir,t0,t1);
1.1145 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1146 + CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1.1147 + io[2],io[3],il,ir,t0,t1);
1.1148 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1149 + CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1.1150 + io[0],io[1],il,ir,t0,t1);
1.1151 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1152 + CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1.1153 + io[2],io[3],il,ir,t0,t1);
1.1154 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1155 + CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1.1156 + io[0],io[1],il,ir,t0,t1);
1.1157 +
1.1158 + /* post whitening but kw4 */
1.1159 + io[2] ^= CamelliaSubkeyL(0);
1.1160 + io[3] ^= CamelliaSubkeyR(0);
1.1161 +
1.1162 + t0 = io[0];
1.1163 + t1 = io[1];
1.1164 + io[0] = io[2];
1.1165 + io[1] = io[3];
1.1166 + io[2] = t0;
1.1167 + io[3] = t1;
1.1168 +
1.1169 + PUTU32(output, io[0]);
1.1170 + PUTU32(output+4, io[1]);
1.1171 + PUTU32(output+8, io[2]);
1.1172 + PUTU32(output+12, io[3]);
1.1173 +
1.1174 + return SECSuccess;
1.1175 +}
1.1176 +
1.1177 +/**
1.1178 + * stuff for 192 and 256bit encryption/decryption
1.1179 + */
1.1180 +SECStatus
1.1181 +camellia_encrypt256(const PRUint32 *subkey,
1.1182 + unsigned char *output,
1.1183 + const unsigned char *input)
1.1184 +{
1.1185 + PRUint32 il,ir,t0,t1; /* temporary valiables */
1.1186 + PRUint32 io[4];
1.1187 +#if defined(CAMELLIA_NEED_TMP_VARIABLE)
1.1188 + PRUint32 tmp;
1.1189 +#endif
1.1190 +
1.1191 + io[0] = GETU32(input);
1.1192 + io[1] = GETU32(input+4);
1.1193 + io[2] = GETU32(input+8);
1.1194 + io[3] = GETU32(input+12);
1.1195 +
1.1196 + /* pre whitening but absorb kw2*/
1.1197 + io[0] ^= CamelliaSubkeyL(0);
1.1198 + io[1] ^= CamelliaSubkeyR(0);
1.1199 +
1.1200 + /* main iteration */
1.1201 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1202 + CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1.1203 + io[2],io[3],il,ir,t0,t1);
1.1204 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1205 + CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1.1206 + io[0],io[1],il,ir,t0,t1);
1.1207 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1208 + CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1.1209 + io[2],io[3],il,ir,t0,t1);
1.1210 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1211 + CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1.1212 + io[0],io[1],il,ir,t0,t1);
1.1213 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1214 + CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1.1215 + io[2],io[3],il,ir,t0,t1);
1.1216 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1217 + CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1.1218 + io[0],io[1],il,ir,t0,t1);
1.1219 +
1.1220 + CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1.1221 + CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1.1222 + CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1.1223 + t0,t1,il,ir);
1.1224 +
1.1225 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1226 + CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1.1227 + io[2],io[3],il,ir,t0,t1);
1.1228 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1229 + CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1.1230 + io[0],io[1],il,ir,t0,t1);
1.1231 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1232 + CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1.1233 + io[2],io[3],il,ir,t0,t1);
1.1234 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1235 + CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1.1236 + io[0],io[1],il,ir,t0,t1);
1.1237 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1238 + CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1.1239 + io[2],io[3],il,ir,t0,t1);
1.1240 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1241 + CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1.1242 + io[0],io[1],il,ir,t0,t1);
1.1243 +
1.1244 + CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1.1245 + CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1.1246 + CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1.1247 + t0,t1,il,ir);
1.1248 +
1.1249 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1250 + CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1.1251 + io[2],io[3],il,ir,t0,t1);
1.1252 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1253 + CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1.1254 + io[0],io[1],il,ir,t0,t1);
1.1255 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1256 + CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1.1257 + io[2],io[3],il,ir,t0,t1);
1.1258 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1259 + CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1.1260 + io[0],io[1],il,ir,t0,t1);
1.1261 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1262 + CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1.1263 + io[2],io[3],il,ir,t0,t1);
1.1264 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1265 + CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1.1266 + io[0],io[1],il,ir,t0,t1);
1.1267 +
1.1268 + CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1.1269 + CamelliaSubkeyL(24),CamelliaSubkeyR(24),
1.1270 + CamelliaSubkeyL(25),CamelliaSubkeyR(25),
1.1271 + t0,t1,il,ir);
1.1272 +
1.1273 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1274 + CamelliaSubkeyL(26),CamelliaSubkeyR(26),
1.1275 + io[2],io[3],il,ir,t0,t1);
1.1276 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1277 + CamelliaSubkeyL(27),CamelliaSubkeyR(27),
1.1278 + io[0],io[1],il,ir,t0,t1);
1.1279 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1280 + CamelliaSubkeyL(28),CamelliaSubkeyR(28),
1.1281 + io[2],io[3],il,ir,t0,t1);
1.1282 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1283 + CamelliaSubkeyL(29),CamelliaSubkeyR(29),
1.1284 + io[0],io[1],il,ir,t0,t1);
1.1285 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1286 + CamelliaSubkeyL(30),CamelliaSubkeyR(30),
1.1287 + io[2],io[3],il,ir,t0,t1);
1.1288 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1289 + CamelliaSubkeyL(31),CamelliaSubkeyR(31),
1.1290 + io[0],io[1],il,ir,t0,t1);
1.1291 +
1.1292 + /* post whitening but kw4 */
1.1293 + io[2] ^= CamelliaSubkeyL(32);
1.1294 + io[3] ^= CamelliaSubkeyR(32);
1.1295 +
1.1296 + t0 = io[0];
1.1297 + t1 = io[1];
1.1298 + io[0] = io[2];
1.1299 + io[1] = io[3];
1.1300 + io[2] = t0;
1.1301 + io[3] = t1;
1.1302 +
1.1303 + PUTU32(output, io[0]);
1.1304 + PUTU32(output+4, io[1]);
1.1305 + PUTU32(output+8, io[2]);
1.1306 + PUTU32(output+12, io[3]);
1.1307 +
1.1308 + return SECSuccess;
1.1309 +}
1.1310 +
1.1311 +SECStatus
1.1312 +camellia_decrypt256(const PRUint32 *subkey,
1.1313 + unsigned char *output,
1.1314 + const unsigned char *input)
1.1315 +{
1.1316 + PRUint32 il,ir,t0,t1; /* temporary valiables */
1.1317 + PRUint32 io[4];
1.1318 +#if defined(CAMELLIA_NEED_TMP_VARIABLE)
1.1319 + PRUint32 tmp;
1.1320 +#endif
1.1321 +
1.1322 + io[0] = GETU32(input);
1.1323 + io[1] = GETU32(input+4);
1.1324 + io[2] = GETU32(input+8);
1.1325 + io[3] = GETU32(input+12);
1.1326 +
1.1327 + /* pre whitening but absorb kw2*/
1.1328 + io[0] ^= CamelliaSubkeyL(32);
1.1329 + io[1] ^= CamelliaSubkeyR(32);
1.1330 +
1.1331 + /* main iteration */
1.1332 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1333 + CamelliaSubkeyL(31),CamelliaSubkeyR(31),
1.1334 + io[2],io[3],il,ir,t0,t1);
1.1335 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1336 + CamelliaSubkeyL(30),CamelliaSubkeyR(30),
1.1337 + io[0],io[1],il,ir,t0,t1);
1.1338 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1339 + CamelliaSubkeyL(29),CamelliaSubkeyR(29),
1.1340 + io[2],io[3],il,ir,t0,t1);
1.1341 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1342 + CamelliaSubkeyL(28),CamelliaSubkeyR(28),
1.1343 + io[0],io[1],il,ir,t0,t1);
1.1344 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1345 + CamelliaSubkeyL(27),CamelliaSubkeyR(27),
1.1346 + io[2],io[3],il,ir,t0,t1);
1.1347 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1348 + CamelliaSubkeyL(26),CamelliaSubkeyR(26),
1.1349 + io[0],io[1],il,ir,t0,t1);
1.1350 +
1.1351 + CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1.1352 + CamelliaSubkeyL(25),CamelliaSubkeyR(25),
1.1353 + CamelliaSubkeyL(24),CamelliaSubkeyR(24),
1.1354 + t0,t1,il,ir);
1.1355 +
1.1356 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1357 + CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1.1358 + io[2],io[3],il,ir,t0,t1);
1.1359 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1360 + CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1.1361 + io[0],io[1],il,ir,t0,t1);
1.1362 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1363 + CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1.1364 + io[2],io[3],il,ir,t0,t1);
1.1365 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1366 + CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1.1367 + io[0],io[1],il,ir,t0,t1);
1.1368 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1369 + CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1.1370 + io[2],io[3],il,ir,t0,t1);
1.1371 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1372 + CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1.1373 + io[0],io[1],il,ir,t0,t1);
1.1374 +
1.1375 + CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1.1376 + CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1.1377 + CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1.1378 + t0,t1,il,ir);
1.1379 +
1.1380 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1381 + CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1.1382 + io[2],io[3],il,ir,t0,t1);
1.1383 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1384 + CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1.1385 + io[0],io[1],il,ir,t0,t1);
1.1386 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1387 + CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1.1388 + io[2],io[3],il,ir,t0,t1);
1.1389 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1390 + CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1.1391 + io[0],io[1],il,ir,t0,t1);
1.1392 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1393 + CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1.1394 + io[2],io[3],il,ir,t0,t1);
1.1395 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1396 + CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1.1397 + io[0],io[1],il,ir,t0,t1);
1.1398 +
1.1399 + CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1.1400 + CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1.1401 + CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1.1402 + t0,t1,il,ir);
1.1403 +
1.1404 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1405 + CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1.1406 + io[2],io[3],il,ir,t0,t1);
1.1407 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1408 + CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1.1409 + io[0],io[1],il,ir,t0,t1);
1.1410 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1411 + CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1.1412 + io[2],io[3],il,ir,t0,t1);
1.1413 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1414 + CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1.1415 + io[0],io[1],il,ir,t0,t1);
1.1416 + CAMELLIA_ROUNDSM(io[0],io[1],
1.1417 + CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1.1418 + io[2],io[3],il,ir,t0,t1);
1.1419 + CAMELLIA_ROUNDSM(io[2],io[3],
1.1420 + CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1.1421 + io[0],io[1],il,ir,t0,t1);
1.1422 +
1.1423 + /* post whitening but kw4 */
1.1424 + io[2] ^= CamelliaSubkeyL(0);
1.1425 + io[3] ^= CamelliaSubkeyR(0);
1.1426 +
1.1427 + t0 = io[0];
1.1428 + t1 = io[1];
1.1429 + io[0] = io[2];
1.1430 + io[1] = io[3];
1.1431 + io[2] = t0;
1.1432 + io[3] = t1;
1.1433 +
1.1434 + PUTU32(output, io[0]);
1.1435 + PUTU32(output+4, io[1]);
1.1436 + PUTU32(output+8, io[2]);
1.1437 + PUTU32(output+12, io[3]);
1.1438 +
1.1439 + return SECSuccess;
1.1440 +}
1.1441 +
1.1442 +
1.1443 +/**************************************************************************
1.1444 + *
1.1445 + * Stuff related to the Camellia key schedule
1.1446 + *
1.1447 + *************************************************************************/
1.1448 +
1.1449 +SECStatus
1.1450 +camellia_key_expansion(CamelliaContext *cx,
1.1451 + const unsigned char *key,
1.1452 + const unsigned int keysize)
1.1453 +{
1.1454 + cx->keysize = keysize;
1.1455 +
1.1456 + switch(keysize) {
1.1457 + case 16:
1.1458 + camellia_setup128(key, cx->expandedKey);
1.1459 + break;
1.1460 + case 24:
1.1461 + camellia_setup192(key, cx->expandedKey);
1.1462 + break;
1.1463 + case 32:
1.1464 + camellia_setup256(key, cx->expandedKey);
1.1465 + break;
1.1466 + default:
1.1467 + break;
1.1468 + }
1.1469 + return SECSuccess;
1.1470 +}
1.1471 +
1.1472 +
1.1473 +/**************************************************************************
1.1474 + *
1.1475 + * Camellia modes of operation (ECB and CBC)
1.1476 + *
1.1477 + *************************************************************************/
1.1478 +
1.1479 +SECStatus
1.1480 +camellia_encryptECB(CamelliaContext *cx, unsigned char *output,
1.1481 + unsigned int *outputLen, unsigned int maxOutputLen,
1.1482 + const unsigned char *input, unsigned int inputLen)
1.1483 +{
1.1484 + CamelliaBlockFunc *encryptor;
1.1485 +
1.1486 + encryptor = (cx->keysize == 16)
1.1487 + ? &camellia_encrypt128
1.1488 + : &camellia_encrypt256;
1.1489 +
1.1490 + while (inputLen > 0) {
1.1491 + (*encryptor)(cx->expandedKey, output, input);
1.1492 +
1.1493 + output += CAMELLIA_BLOCK_SIZE;
1.1494 + input += CAMELLIA_BLOCK_SIZE;
1.1495 + inputLen -= CAMELLIA_BLOCK_SIZE;
1.1496 + }
1.1497 + return SECSuccess;
1.1498 +}
1.1499 +
1.1500 +SECStatus
1.1501 +camellia_encryptCBC(CamelliaContext *cx, unsigned char *output,
1.1502 + unsigned int *outputLen, unsigned int maxOutputLen,
1.1503 + const unsigned char *input, unsigned int inputLen)
1.1504 +{
1.1505 + unsigned int j;
1.1506 + unsigned char *lastblock;
1.1507 + unsigned char inblock[CAMELLIA_BLOCK_SIZE];
1.1508 + CamelliaBlockFunc *encryptor;
1.1509 +
1.1510 + if (!inputLen)
1.1511 + return SECSuccess;
1.1512 + lastblock = cx->iv;
1.1513 +
1.1514 + encryptor = (cx->keysize == 16)
1.1515 + ? &camellia_encrypt128
1.1516 + : &camellia_encrypt256;
1.1517 +
1.1518 + while (inputLen > 0) {
1.1519 + /* XOR with the last block (IV if first block) */
1.1520 + for (j=0; j<CAMELLIA_BLOCK_SIZE; ++j)
1.1521 + inblock[j] = input[j] ^ lastblock[j];
1.1522 + /* encrypt */
1.1523 + (*encryptor)(cx->expandedKey, output, inblock);
1.1524 +
1.1525 + /* move to the next block */
1.1526 + lastblock = output;
1.1527 + output += CAMELLIA_BLOCK_SIZE;
1.1528 + input += CAMELLIA_BLOCK_SIZE;
1.1529 + inputLen -= CAMELLIA_BLOCK_SIZE;
1.1530 + }
1.1531 + memcpy(cx->iv, lastblock, CAMELLIA_BLOCK_SIZE);
1.1532 + return SECSuccess;
1.1533 +}
1.1534 +
1.1535 +SECStatus
1.1536 +camellia_decryptECB(CamelliaContext *cx, unsigned char *output,
1.1537 + unsigned int *outputLen, unsigned int maxOutputLen,
1.1538 + const unsigned char *input, unsigned int inputLen)
1.1539 +{
1.1540 + CamelliaBlockFunc *decryptor;
1.1541 +
1.1542 + decryptor = (cx->keysize == 16)
1.1543 + ? &camellia_decrypt128
1.1544 + : &camellia_decrypt256;
1.1545 +
1.1546 +
1.1547 + while (inputLen > 0) {
1.1548 +
1.1549 + (*decryptor)(cx->expandedKey, output, input);
1.1550 +
1.1551 + output += CAMELLIA_BLOCK_SIZE;
1.1552 + input += CAMELLIA_BLOCK_SIZE;
1.1553 + inputLen -= CAMELLIA_BLOCK_SIZE;
1.1554 + }
1.1555 + return SECSuccess;
1.1556 +}
1.1557 +
1.1558 +SECStatus
1.1559 +camellia_decryptCBC(CamelliaContext *cx, unsigned char *output,
1.1560 + unsigned int *outputLen, unsigned int maxOutputLen,
1.1561 + const unsigned char *input, unsigned int inputLen)
1.1562 +{
1.1563 + const unsigned char *in;
1.1564 + unsigned char *out;
1.1565 + unsigned int j;
1.1566 + unsigned char newIV[CAMELLIA_BLOCK_SIZE];
1.1567 + CamelliaBlockFunc *decryptor;
1.1568 +
1.1569 +
1.1570 +
1.1571 + if (!inputLen)
1.1572 + return SECSuccess;
1.1573 +
1.1574 + PORT_Assert(output - input >= 0 || input - output >= (int)inputLen );
1.1575 +
1.1576 + in = input + (inputLen - CAMELLIA_BLOCK_SIZE);
1.1577 + memcpy(newIV, in, CAMELLIA_BLOCK_SIZE);
1.1578 + out = output + (inputLen - CAMELLIA_BLOCK_SIZE);
1.1579 +
1.1580 + decryptor = (cx->keysize == 16)
1.1581 + ? &camellia_decrypt128
1.1582 + : &camellia_decrypt256;
1.1583 +
1.1584 + while (inputLen > CAMELLIA_BLOCK_SIZE) {
1.1585 + (*decryptor)(cx->expandedKey, out, in);
1.1586 +
1.1587 + for (j=0; j<CAMELLIA_BLOCK_SIZE; ++j)
1.1588 + out[j] ^= in[(int)(j - CAMELLIA_BLOCK_SIZE)];
1.1589 +
1.1590 + out -= CAMELLIA_BLOCK_SIZE;
1.1591 + in -= CAMELLIA_BLOCK_SIZE;
1.1592 + inputLen -= CAMELLIA_BLOCK_SIZE;
1.1593 + }
1.1594 + if (in == input) {
1.1595 + (*decryptor)(cx->expandedKey, out, in);
1.1596 +
1.1597 + for (j=0; j<CAMELLIA_BLOCK_SIZE; ++j)
1.1598 + out[j] ^= cx->iv[j];
1.1599 + }
1.1600 + memcpy(cx->iv, newIV, CAMELLIA_BLOCK_SIZE);
1.1601 + return SECSuccess;
1.1602 +}
1.1603 +
1.1604 +/**************************************************************************
1.1605 + *
1.1606 + * BLAPI Interface functions
1.1607 + *
1.1608 + *************************************************************************/
1.1609 +
1.1610 +CamelliaContext *
1.1611 +Camellia_AllocateContext(void)
1.1612 +{
1.1613 + return PORT_ZNew(CamelliaContext);
1.1614 +}
1.1615 +
1.1616 +SECStatus
1.1617 +Camellia_InitContext(CamelliaContext *cx, const unsigned char *key,
1.1618 + unsigned int keysize,
1.1619 + const unsigned char *iv, int mode, unsigned int encrypt,
1.1620 + unsigned int unused)
1.1621 +{
1.1622 + if (key == NULL ||
1.1623 + (keysize != 16 && keysize != 24 && keysize != 32)) {
1.1624 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1625 + return SECFailure;
1.1626 + }
1.1627 + if (mode != NSS_CAMELLIA && mode != NSS_CAMELLIA_CBC) {
1.1628 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1629 + return SECFailure;
1.1630 + }
1.1631 + if (mode == NSS_CAMELLIA_CBC && iv == NULL) {
1.1632 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1633 + return SECFailure;
1.1634 + }
1.1635 + if (!cx) {
1.1636 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1637 + return SECFailure;
1.1638 + }
1.1639 + if (mode == NSS_CAMELLIA_CBC) {
1.1640 + memcpy(cx->iv, iv, CAMELLIA_BLOCK_SIZE);
1.1641 + cx->worker = (encrypt) ? &camellia_encryptCBC : &camellia_decryptCBC;
1.1642 + } else {
1.1643 + cx->worker = (encrypt) ? &camellia_encryptECB : &camellia_decryptECB;
1.1644 + }
1.1645 +
1.1646 + /* Generate expanded key */
1.1647 + if (camellia_key_expansion(cx, key, keysize) != SECSuccess)
1.1648 + goto cleanup;
1.1649 +
1.1650 + return SECSuccess;
1.1651 +cleanup:
1.1652 + return SECFailure;
1.1653 +}
1.1654 +
1.1655 +/*
1.1656 + * Camellia_CreateContext
1.1657 + * create a new context for Camellia operations
1.1658 + */
1.1659 +
1.1660 +
1.1661 +CamelliaContext *
1.1662 +Camellia_CreateContext(const unsigned char *key, const unsigned char *iv,
1.1663 + int mode, int encrypt,
1.1664 + unsigned int keysize)
1.1665 +{
1.1666 + CamelliaContext *cx;
1.1667 +
1.1668 + if (key == NULL ||
1.1669 + (keysize != 16 && keysize != 24 && keysize != 32)) {
1.1670 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1671 + return NULL;
1.1672 + }
1.1673 + if (mode != NSS_CAMELLIA && mode != NSS_CAMELLIA_CBC) {
1.1674 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1675 + return NULL;
1.1676 + }
1.1677 + if (mode == NSS_CAMELLIA_CBC && iv == NULL) {
1.1678 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1679 + return NULL;
1.1680 + }
1.1681 + cx = PORT_ZNew(CamelliaContext);
1.1682 + if (!cx) {
1.1683 + PORT_SetError(SEC_ERROR_NO_MEMORY);
1.1684 + return NULL;
1.1685 + }
1.1686 +
1.1687 + /* copy in the iv, if neccessary */
1.1688 + if (mode == NSS_CAMELLIA_CBC) {
1.1689 + memcpy(cx->iv, iv, CAMELLIA_BLOCK_SIZE);
1.1690 + cx->worker = (encrypt) ? &camellia_encryptCBC : &camellia_decryptCBC;
1.1691 + } else {
1.1692 + cx->worker = (encrypt) ? &camellia_encryptECB : &camellia_decryptECB;
1.1693 + }
1.1694 + /* copy keysize */
1.1695 + cx->keysize = keysize;
1.1696 +
1.1697 + /* Generate expanded key */
1.1698 + if (camellia_key_expansion(cx, key, keysize) != SECSuccess)
1.1699 + goto cleanup;
1.1700 +
1.1701 + return cx;
1.1702 + cleanup:
1.1703 + PORT_ZFree(cx, sizeof *cx);
1.1704 + return NULL;
1.1705 +}
1.1706 +
1.1707 +/*
1.1708 + * Camellia_DestroyContext
1.1709 + *
1.1710 + * Zero an Camellia cipher context. If freeit is true, also free the pointer
1.1711 + * to the context.
1.1712 + */
1.1713 +void
1.1714 +Camellia_DestroyContext(CamelliaContext *cx, PRBool freeit)
1.1715 +{
1.1716 + if (cx)
1.1717 + memset(cx, 0, sizeof *cx);
1.1718 + if (freeit)
1.1719 + PORT_Free(cx);
1.1720 +}
1.1721 +
1.1722 +/*
1.1723 + * Camellia_Encrypt
1.1724 + *
1.1725 + * Encrypt an arbitrary-length buffer. The output buffer must already be
1.1726 + * allocated to at least inputLen.
1.1727 + */
1.1728 +SECStatus
1.1729 +Camellia_Encrypt(CamelliaContext *cx, unsigned char *output,
1.1730 + unsigned int *outputLen, unsigned int maxOutputLen,
1.1731 + const unsigned char *input, unsigned int inputLen)
1.1732 +{
1.1733 +
1.1734 + /* Check args */
1.1735 + if (cx == NULL || output == NULL || input == NULL ||
1.1736 + outputLen == NULL) {
1.1737 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1738 + return SECFailure;
1.1739 + }
1.1740 +
1.1741 + if (inputLen % CAMELLIA_BLOCK_SIZE != 0) {
1.1742 + PORT_SetError(SEC_ERROR_INPUT_LEN);
1.1743 + return SECFailure;
1.1744 + }
1.1745 + if (maxOutputLen < inputLen) {
1.1746 + PORT_SetError(SEC_ERROR_OUTPUT_LEN);
1.1747 + return SECFailure;
1.1748 + }
1.1749 + *outputLen = inputLen;
1.1750 +
1.1751 + return (*cx->worker)(cx, output, outputLen, maxOutputLen,
1.1752 + input, inputLen);
1.1753 +}
1.1754 +
1.1755 +/*
1.1756 + * Camellia_Decrypt
1.1757 + *
1.1758 + * Decrypt and arbitrary-length buffer. The output buffer must already be
1.1759 + * allocated to at least inputLen.
1.1760 + */
1.1761 +SECStatus
1.1762 +Camellia_Decrypt(CamelliaContext *cx, unsigned char *output,
1.1763 + unsigned int *outputLen, unsigned int maxOutputLen,
1.1764 + const unsigned char *input, unsigned int inputLen)
1.1765 +{
1.1766 +
1.1767 + /* Check args */
1.1768 + if (cx == NULL || output == NULL || input == NULL
1.1769 + || outputLen == NULL) {
1.1770 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1771 + return SECFailure;
1.1772 + }
1.1773 + if (inputLen % CAMELLIA_BLOCK_SIZE != 0) {
1.1774 + PORT_SetError(SEC_ERROR_INPUT_LEN);
1.1775 + return SECFailure;
1.1776 + }
1.1777 + if (maxOutputLen < inputLen) {
1.1778 + PORT_SetError(SEC_ERROR_OUTPUT_LEN);
1.1779 + return SECFailure;
1.1780 + }
1.1781 + *outputLen = inputLen;
1.1782 +
1.1783 + return (*cx->worker)(cx, output, outputLen, maxOutputLen,
1.1784 + input, inputLen);
1.1785 +}
