Improve Camellia code readability.
[openssl.git] / crypto / camellia / camellia.c
1 /* crypto/camellia/camellia.c -*- mode:C; c-file-style: "eay" -*- */
2 /* ====================================================================
3  * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) . 
4  * ALL RIGHTS RESERVED.
5  *
6  * Intellectual Property information for Camellia:
7  *     http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
8  *
9  * News Release for Announcement of Camellia open source:
10  *     http://www.ntt.co.jp/news/news06e/0604/060413a.html
11  *
12  * The Camellia Code included herein is developed by
13  * NTT (Nippon Telegraph and Telephone Corporation), and is contributed
14  * to the OpenSSL project.
15  *
16  * The Camellia Code is licensed pursuant to the OpenSSL open source
17  * license provided below.
18  */
19 /* ====================================================================
20  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  *
26  * 1. Redistributions of source code must retain the above copyright
27  *    notice, this list of conditions and the following disclaimer. 
28  *
29  * 2. Redistributions in binary form must reproduce the above copyright
30  *    notice, this list of conditions and the following disclaimer in
31  *    the documentation and/or other materials provided with the
32  *    distribution.
33  *
34  * 3. All advertising materials mentioning features or use of this
35  *    software must display the following acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
38  *
39  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
40  *    endorse or promote products derived from this software without
41  *    prior written permission. For written permission, please contact
42  *    openssl-core@openssl.org.
43  *
44  * 5. Products derived from this software may not be called "OpenSSL"
45  *    nor may "OpenSSL" appear in their names without prior written
46  *    permission of the OpenSSL Project.
47  *
48  * 6. Redistributions of any form whatsoever must retain the following
49  *    acknowledgment:
50  *    "This product includes software developed by the OpenSSL Project
51  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
52  *
53  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
54  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
56  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
57  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
58  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
59  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
60  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
61  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
62  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
63  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
64  * OF THE POSSIBILITY OF SUCH DAMAGE.
65  * ====================================================================
66  */
67
68 /* Algorithm Specification 
69    http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
70 */
71
72
73 #include <string.h>
74 #include <stdlib.h>
75
76 #include "camellia.h"
77 #include "cmll_locl.h"
78
79 /* key constants */
80 #define CAMELLIA_SIGMA1L (0xA09E667FL)
81 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
82 #define CAMELLIA_SIGMA2L (0xB67AE858L)
83 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
84 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
85 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
86 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
87 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
88 #define CAMELLIA_SIGMA5L (0x10E527FAL)
89 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
90 #define CAMELLIA_SIGMA6L (0xB05688C2L)
91 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
92
93 /*
94  *  macros
95  */
96
97 /* e is pointer of subkey */
98 #define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2])
99 #define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1])
100
101 /* rotation right shift 1byte */
102 #define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24))
103 /* rotation left shift 1bit */
104 #define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
105 /* rotation left shift 1byte */
106 #define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24))
107
108 #define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits)    \
109 do                                                      \
110         {                                               \
111         w0 = ll;                                        \
112         ll = (ll << bits) + (lr >> (32 - bits));        \
113         lr = (lr << bits) + (rl >> (32 - bits));        \
114         rl = (rl << bits) + (rr >> (32 - bits));        \
115         rr = (rr << bits) + (w0 >> (32 - bits));        \
116         } while(0)
117
118 #define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits) \
119 do                                                      \
120         {                                               \
121         w0 = ll;                                        \
122         w1 = lr;                                        \
123         ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
124         lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
125         rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
126         rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
127         } while(0)
128
129 #define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)])
130 #define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)])
131 #define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)])
132 #define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)])
133
134 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)              \
135 do                                                                      \
136         {                                                               \
137         il = xl ^ kl;                                                   \
138         ir = xr ^ kr;                                                   \
139         t0 = il >> 16;                                                  \
140         t1 = ir >> 16;                                                  \
141         yl = CAMELLIA_SP1110(ir & 0xff)                                 \
142                 ^ CAMELLIA_SP0222((t1 >> 8) & 0xff)                     \
143                 ^ CAMELLIA_SP3033(t1 & 0xff)                            \
144                 ^ CAMELLIA_SP4404((ir >> 8) & 0xff);                    \
145         yr = CAMELLIA_SP1110((t0 >> 8) & 0xff)                          \
146                 ^ CAMELLIA_SP0222(t0 & 0xff)                            \
147                 ^ CAMELLIA_SP3033((il >> 8) & 0xff)                     \
148                 ^ CAMELLIA_SP4404(il & 0xff);                           \
149         yl ^= yr;                                                       \
150         yr = CAMELLIA_RR8(yr);                                          \
151         yr ^= yl;                                                       \
152         } while(0)
153
154
155 /*
156  * for speed up
157  *
158  */
159 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
160 do                                                                      \
161         {                                                               \
162         t0 = kll;                                                       \
163         t0 &= ll;                                                       \
164         lr ^= CAMELLIA_RL1(t0);                                         \
165         t1 = klr;                                                       \
166         t1 |= lr;                                                       \
167         ll ^= t1;                                                       \
168                                                                         \
169         t2 = krr;                                                       \
170         t2 |= rr;                                                       \
171         rl ^= t2;                                                       \
172         t3 = krl;                                                       \
173         t3 &= rl;                                                       \
174         rr ^= CAMELLIA_RL1(t3);                                         \
175         } while(0)
176
177 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)        \
178 do                                                                      \
179         {                                                               \
180         il = xl;                                                        \
181         ir = xr;                                                        \
182         t0 = il >> 16;                                                  \
183         t1 = ir >> 16;                                                  \
184         ir = CAMELLIA_SP1110(ir & 0xff)                                 \
185                 ^ CAMELLIA_SP0222((t1 >> 8) & 0xff)                     \
186                 ^ CAMELLIA_SP3033(t1 & 0xff)                            \
187                 ^ CAMELLIA_SP4404((ir >> 8) & 0xff);                    \
188         il = CAMELLIA_SP1110((t0 >> 8) & 0xff)                          \
189                 ^ CAMELLIA_SP0222(t0 & 0xff)                            \
190                 ^ CAMELLIA_SP3033((il >> 8) & 0xff)                     \
191                 ^ CAMELLIA_SP4404(il & 0xff);                           \
192         il ^= kl;                                                       \
193         ir ^= kr;                                                       \
194         ir ^= il;                                                       \
195         il = CAMELLIA_RR8(il);                                          \
196         il ^= ir;                                                       \
197         yl ^= ir;                                                       \
198         yr ^= il;                                                       \
199         } while(0)
200
201 static const u32 camellia_sp1110[256] =
202         {
203         0x70707000,0x82828200,0x2c2c2c00,0xececec00,
204         0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
205         0xe4e4e400,0x85858500,0x57575700,0x35353500,
206         0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
207         0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
208         0x45454500,0x19191900,0xa5a5a500,0x21212100,
209         0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
210         0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
211         0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
212         0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
213         0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
214         0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
215         0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
216         0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
217         0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
218         0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
219         0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
220         0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
221         0x74747400,0x12121200,0x2b2b2b00,0x20202000,
222         0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
223         0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
224         0x34343400,0x7e7e7e00,0x76767600,0x05050500,
225         0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
226         0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
227         0x14141400,0x58585800,0x3a3a3a00,0x61616100,
228         0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
229         0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
230         0x53535300,0x18181800,0xf2f2f200,0x22222200,
231         0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
232         0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
233         0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
234         0x60606000,0xfcfcfc00,0x69696900,0x50505000,
235         0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
236         0xa1a1a100,0x89898900,0x62626200,0x97979700,
237         0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
238         0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
239         0x10101000,0xc4c4c400,0x00000000,0x48484800,
240         0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
241         0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
242         0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
243         0x87878700,0x5c5c5c00,0x83838300,0x02020200,
244         0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
245         0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
246         0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
247         0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
248         0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
249         0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
250         0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
251         0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
252         0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
253         0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
254         0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
255         0x78787800,0x98989800,0x06060600,0x6a6a6a00,
256         0xe7e7e700,0x46464600,0x71717100,0xbababa00,
257         0xd4d4d400,0x25252500,0xababab00,0x42424200,
258         0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
259         0x72727200,0x07070700,0xb9b9b900,0x55555500,
260         0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
261         0x36363600,0x49494900,0x2a2a2a00,0x68686800,
262         0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
263         0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
264         0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
265         0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
266         0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
267         };
268
269 static const u32 camellia_sp0222[256] =
270         {
271         0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
272         0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
273         0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
274         0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
275         0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
276         0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
277         0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
278         0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
279         0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
280         0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
281         0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
282         0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
283         0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
284         0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
285         0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
286         0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
287         0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
288         0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
289         0x00e8e8e8,0x00242424,0x00565656,0x00404040,
290         0x00e1e1e1,0x00636363,0x00090909,0x00333333,
291         0x00bfbfbf,0x00989898,0x00979797,0x00858585,
292         0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
293         0x00dadada,0x006f6f6f,0x00535353,0x00626262,
294         0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
295         0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
296         0x00bdbdbd,0x00363636,0x00222222,0x00383838,
297         0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
298         0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
299         0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
300         0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
301         0x00484848,0x00101010,0x00d1d1d1,0x00515151,
302         0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
303         0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
304         0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
305         0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
306         0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
307         0x00202020,0x00898989,0x00000000,0x00909090,
308         0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
309         0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
310         0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
311         0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
312         0x009b9b9b,0x00949494,0x00212121,0x00666666,
313         0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
314         0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
315         0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
316         0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
317         0x00030303,0x002d2d2d,0x00dedede,0x00969696,
318         0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
319         0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
320         0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
321         0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
322         0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
323         0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
324         0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
325         0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
326         0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
327         0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
328         0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
329         0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
330         0x00787878,0x00707070,0x00e3e3e3,0x00494949,
331         0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
332         0x00777777,0x00939393,0x00868686,0x00838383,
333         0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
334         0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
335         };
336
337 static const u32 camellia_sp3033[256] =
338         {
339         0x38003838,0x41004141,0x16001616,0x76007676,
340         0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
341         0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
342         0x75007575,0x06000606,0x57005757,0xa000a0a0,
343         0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
344         0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
345         0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
346         0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
347         0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
348         0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
349         0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
350         0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
351         0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
352         0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
353         0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
354         0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
355         0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
356         0xfd00fdfd,0x66006666,0x58005858,0x96009696,
357         0x3a003a3a,0x09000909,0x95009595,0x10001010,
358         0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
359         0xef00efef,0x26002626,0xe500e5e5,0x61006161,
360         0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
361         0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
362         0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
363         0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
364         0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
365         0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
366         0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
367         0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
368         0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
369         0x12001212,0x04000404,0x74007474,0x54005454,
370         0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
371         0x55005555,0x68006868,0x50005050,0xbe00bebe,
372         0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
373         0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
374         0x70007070,0xff00ffff,0x32003232,0x69006969,
375         0x08000808,0x62006262,0x00000000,0x24002424,
376         0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
377         0x45004545,0x81008181,0x73007373,0x6d006d6d,
378         0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
379         0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
380         0xe600e6e6,0x25002525,0x48004848,0x99009999,
381         0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
382         0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
383         0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
384         0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
385         0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
386         0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
387         0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
388         0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
389         0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
390         0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
391         0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
392         0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
393         0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
394         0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
395         0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
396         0x7c007c7c,0x77007777,0x56005656,0x05000505,
397         0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
398         0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
399         0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
400         0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
401         0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
402         0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
403         };
404
405 static const u32 camellia_sp4404[256] =
406         {
407         0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
408         0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
409         0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
410         0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
411         0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
412         0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
413         0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
414         0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
415         0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
416         0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
417         0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
418         0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
419         0x14140014,0x3a3a003a,0xdede00de,0x11110011,
420         0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
421         0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
422         0x24240024,0xe8e800e8,0x60600060,0x69690069,
423         0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
424         0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
425         0x10100010,0x00000000,0xa3a300a3,0x75750075,
426         0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
427         0x87870087,0x83830083,0xcdcd00cd,0x90900090,
428         0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
429         0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
430         0x81810081,0x6f6f006f,0x13130013,0x63630063,
431         0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
432         0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
433         0x78780078,0x06060006,0xe7e700e7,0x71710071,
434         0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
435         0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
436         0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
437         0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
438         0x15150015,0xadad00ad,0x77770077,0x80800080,
439         0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
440         0x85850085,0x35350035,0x0c0c000c,0x41410041,
441         0xefef00ef,0x93930093,0x19190019,0x21210021,
442         0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
443         0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
444         0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
445         0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
446         0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
447         0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
448         0x12120012,0x20200020,0xb1b100b1,0x99990099,
449         0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
450         0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
451         0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
452         0x0f0f000f,0x16160016,0x18180018,0x22220022,
453         0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
454         0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
455         0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
456         0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
457         0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
458         0x03030003,0xdada00da,0x3f3f003f,0x94940094,
459         0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
460         0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
461         0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
462         0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
463         0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
464         0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
465         0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
466         0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
467         0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
468         0x49490049,0x68680068,0x38380038,0xa4a400a4,
469         0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
470         0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
471         };
472
473 /**
474  * Stuff related to the Camellia key schedule
475  */
476 #define subl(x) subL[(x)]
477 #define subr(x) subR[(x)]
478
479 void camellia_setup128(const u8 *key, u32 *subkey)
480         {
481         u32 kll, klr, krl, krr;
482         u32 il, ir, t0, t1, w0, w1;
483         u32 kw4l, kw4r, dw, tl, tr;
484         u32 subL[26];
485         u32 subR[26];
486
487         /**
488          *  k == kll || klr || krl || krr (|| is concatination)
489          */
490         kll = GETU32(key     );
491         klr = GETU32(key +  4);
492         krl = GETU32(key +  8);
493         krr = GETU32(key + 12);
494         /**
495          * generate KL dependent subkeys
496          */
497         /* kw1 */
498         subl(0) = kll; subr(0) = klr;
499         /* kw2 */
500         subl(1) = krl; subr(1) = krr;
501         /* rotation left shift 15bit */
502         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
503         /* k3 */
504         subl(4) = kll; subr(4) = klr;
505         /* k4 */
506         subl(5) = krl; subr(5) = krr;
507         /* rotation left shift 15+30bit */
508         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
509         /* k7 */
510         subl(10) = kll; subr(10) = klr;
511         /* k8 */
512         subl(11) = krl; subr(11) = krr;
513         /* rotation left shift 15+30+15bit */
514         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
515         /* k10 */
516         subl(13) = krl; subr(13) = krr;
517         /* rotation left shift 15+30+15+17 bit */
518         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
519         /* kl3 */
520         subl(16) = kll; subr(16) = klr;
521         /* kl4 */
522         subl(17) = krl; subr(17) = krr;
523         /* rotation left shift 15+30+15+17+17 bit */
524         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
525         /* k13 */
526         subl(18) = kll; subr(18) = klr;
527         /* k14 */
528         subl(19) = krl; subr(19) = krr;
529         /* rotation left shift 15+30+15+17+17+17 bit */
530         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
531         /* k17 */
532         subl(22) = kll; subr(22) = klr;
533         /* k18 */
534         subl(23) = krl; subr(23) = krr;
535
536         /* generate KA */
537         kll = subl(0); klr = subr(0);
538         krl = subl(1); krr = subr(1);
539         CAMELLIA_F(kll, klr,
540                 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
541                 w0, w1, il, ir, t0, t1);
542         krl ^= w0; krr ^= w1;
543         CAMELLIA_F(krl, krr,
544                 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
545                 kll, klr, il, ir, t0, t1);
546         /* current status == (kll, klr, w0, w1) */
547         CAMELLIA_F(kll, klr,
548                 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
549                 krl, krr, il, ir, t0, t1);
550         krl ^= w0; krr ^= w1;
551         CAMELLIA_F(krl, krr,
552                 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
553                 w0, w1, il, ir, t0, t1);
554         kll ^= w0; klr ^= w1;
555
556         /* generate KA dependent subkeys */
557         /* k1, k2 */
558         subl(2) = kll; subr(2) = klr;
559         subl(3) = krl; subr(3) = krr;
560         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
561         /* k5,k6 */
562         subl(6) = kll; subr(6) = klr;
563         subl(7) = krl; subr(7) = krr;
564         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
565         /* kl1, kl2 */
566         subl(8) = kll; subr(8) = klr;
567         subl(9) = krl; subr(9) = krr;
568         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
569         /* k9 */
570         subl(12) = kll; subr(12) = klr;
571         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
572         /* k11, k12 */
573         subl(14) = kll; subr(14) = klr;
574         subl(15) = krl; subr(15) = krr;
575         CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
576         /* k15, k16 */
577         subl(20) = kll; subr(20) = klr;
578         subl(21) = krl; subr(21) = krr;
579         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
580         /* kw3, kw4 */
581         subl(24) = kll; subr(24) = klr;
582         subl(25) = krl; subr(25) = krr;
583
584
585         /* absorb kw2 to other subkeys */
586 /* round 2 */
587         subl(3) ^= subl(1); subr(3) ^= subr(1);
588 /* round 4 */
589         subl(5) ^= subl(1); subr(5) ^= subr(1);
590 /* round 6 */
591         subl(7) ^= subl(1); subr(7) ^= subr(1);
592         subl(1) ^= subr(1) & ~subr(9);
593         dw = subl(1) & subl(9),
594                 subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl2) */
595 /* round 8 */
596         subl(11) ^= subl(1); subr(11) ^= subr(1);
597 /* round 10 */
598         subl(13) ^= subl(1); subr(13) ^= subr(1);
599 /* round 12 */
600         subl(15) ^= subl(1); subr(15) ^= subr(1);
601         subl(1) ^= subr(1) & ~subr(17);
602         dw = subl(1) & subl(17),
603                 subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl4) */
604 /* round 14 */
605         subl(19) ^= subl(1); subr(19) ^= subr(1);
606 /* round 16 */
607         subl(21) ^= subl(1); subr(21) ^= subr(1);
608 /* round 18 */
609         subl(23) ^= subl(1); subr(23) ^= subr(1);
610 /* kw3 */
611         subl(24) ^= subl(1); subr(24) ^= subr(1);
612
613         /* absorb kw4 to other subkeys */
614         kw4l = subl(25); kw4r = subr(25);
615 /* round 17 */
616         subl(22) ^= kw4l; subr(22) ^= kw4r;
617 /* round 15 */
618         subl(20) ^= kw4l; subr(20) ^= kw4r;
619 /* round 13 */
620         subl(18) ^= kw4l; subr(18) ^= kw4r;
621         kw4l ^= kw4r & ~subr(16);
622         dw = kw4l & subl(16),
623                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl3) */
624 /* round 11 */
625         subl(14) ^= kw4l; subr(14) ^= kw4r;
626 /* round 9 */
627         subl(12) ^= kw4l; subr(12) ^= kw4r;
628 /* round 7 */
629         subl(10) ^= kw4l; subr(10) ^= kw4r;
630         kw4l ^= kw4r & ~subr(8);
631         dw = kw4l & subl(8),
632                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl1) */
633 /* round 5 */
634         subl(6) ^= kw4l; subr(6) ^= kw4r;
635 /* round 3 */
636         subl(4) ^= kw4l; subr(4) ^= kw4r;
637 /* round 1 */
638         subl(2) ^= kw4l; subr(2) ^= kw4r;
639 /* kw1 */
640         subl(0) ^= kw4l; subr(0) ^= kw4r;
641
642
643         /* key XOR is end of F-function */
644         CamelliaSubkeyL(0) = subl(0) ^ subl(2);/* kw1 */
645         CamelliaSubkeyR(0) = subr(0) ^ subr(2);
646         CamelliaSubkeyL(2) = subl(3);       /* round 1 */
647         CamelliaSubkeyR(2) = subr(3);
648         CamelliaSubkeyL(3) = subl(2) ^ subl(4); /* round 2 */
649         CamelliaSubkeyR(3) = subr(2) ^ subr(4);
650         CamelliaSubkeyL(4) = subl(3) ^ subl(5); /* round 3 */
651         CamelliaSubkeyR(4) = subr(3) ^ subr(5);
652         CamelliaSubkeyL(5) = subl(4) ^ subl(6); /* round 4 */
653         CamelliaSubkeyR(5) = subr(4) ^ subr(6);
654         CamelliaSubkeyL(6) = subl(5) ^ subl(7); /* round 5 */
655         CamelliaSubkeyR(6) = subr(5) ^ subr(7);
656         tl = subl(10) ^ (subr(10) & ~subr(8));
657         dw = tl & subl(8),  /* FL(kl1) */
658                 tr = subr(10) ^ CAMELLIA_RL1(dw);
659         CamelliaSubkeyL(7) = subl(6) ^ tl; /* round 6 */
660         CamelliaSubkeyR(7) = subr(6) ^ tr;
661         CamelliaSubkeyL(8) = subl(8);       /* FL(kl1) */
662         CamelliaSubkeyR(8) = subr(8);
663         CamelliaSubkeyL(9) = subl(9);       /* FLinv(kl2) */
664         CamelliaSubkeyR(9) = subr(9);
665         tl = subl(7) ^ (subr(7) & ~subr(9));
666         dw = tl & subl(9),  /* FLinv(kl2) */
667                 tr = subr(7) ^ CAMELLIA_RL1(dw);
668         CamelliaSubkeyL(10) = tl ^ subl(11); /* round 7 */
669         CamelliaSubkeyR(10) = tr ^ subr(11);
670         CamelliaSubkeyL(11) = subl(10) ^ subl(12); /* round 8 */
671         CamelliaSubkeyR(11) = subr(10) ^ subr(12);
672         CamelliaSubkeyL(12) = subl(11) ^ subl(13); /* round 9 */
673         CamelliaSubkeyR(12) = subr(11) ^ subr(13);
674         CamelliaSubkeyL(13) = subl(12) ^ subl(14); /* round 10 */
675         CamelliaSubkeyR(13) = subr(12) ^ subr(14);
676         CamelliaSubkeyL(14) = subl(13) ^ subl(15); /* round 11 */
677         CamelliaSubkeyR(14) = subr(13) ^ subr(15);
678         tl = subl(18) ^ (subr(18) & ~subr(16));
679         dw = tl & subl(16), /* FL(kl3) */
680                 tr = subr(18) ^ CAMELLIA_RL1(dw);
681         CamelliaSubkeyL(15) = subl(14) ^ tl; /* round 12 */
682         CamelliaSubkeyR(15) = subr(14) ^ tr;
683         CamelliaSubkeyL(16) = subl(16);     /* FL(kl3) */
684         CamelliaSubkeyR(16) = subr(16);
685         CamelliaSubkeyL(17) = subl(17);     /* FLinv(kl4) */
686         CamelliaSubkeyR(17) = subr(17);
687         tl = subl(15) ^ (subr(15) & ~subr(17));
688         dw = tl & subl(17), /* FLinv(kl4) */
689                 tr = subr(15) ^ CAMELLIA_RL1(dw);
690         CamelliaSubkeyL(18) = tl ^ subl(19); /* round 13 */
691         CamelliaSubkeyR(18) = tr ^ subr(19);
692         CamelliaSubkeyL(19) = subl(18) ^ subl(20); /* round 14 */
693         CamelliaSubkeyR(19) = subr(18) ^ subr(20);
694         CamelliaSubkeyL(20) = subl(19) ^ subl(21); /* round 15 */
695         CamelliaSubkeyR(20) = subr(19) ^ subr(21);
696         CamelliaSubkeyL(21) = subl(20) ^ subl(22); /* round 16 */
697         CamelliaSubkeyR(21) = subr(20) ^ subr(22);
698         CamelliaSubkeyL(22) = subl(21) ^ subl(23); /* round 17 */
699         CamelliaSubkeyR(22) = subr(21) ^ subr(23);
700         CamelliaSubkeyL(23) = subl(22);     /* round 18 */
701         CamelliaSubkeyR(23) = subr(22);
702         CamelliaSubkeyL(24) = subl(24) ^ subl(23); /* kw3 */
703         CamelliaSubkeyR(24) = subr(24) ^ subr(23);
704
705         /* apply the inverse of the last half of P-function */
706         dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2),
707                 dw = CAMELLIA_RL8(dw);/* round 1 */
708         CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw,
709                 CamelliaSubkeyL(2) = dw;
710         dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3),
711                 dw = CAMELLIA_RL8(dw);/* round 2 */
712         CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw,
713                 CamelliaSubkeyL(3) = dw;
714         dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4),
715                 dw = CAMELLIA_RL8(dw);/* round 3 */
716         CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw,
717                 CamelliaSubkeyL(4) = dw;
718         dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5),
719                 dw = CAMELLIA_RL8(dw);/* round 4 */
720         CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw,
721                 CamelliaSubkeyL(5) = dw;
722         dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6),
723                 dw = CAMELLIA_RL8(dw);/* round 5 */
724         CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw,
725                 CamelliaSubkeyL(6) = dw;
726         dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7),
727                 dw = CAMELLIA_RL8(dw);/* round 6 */
728         CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw,
729                 CamelliaSubkeyL(7) = dw;
730         dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10),
731                 dw = CAMELLIA_RL8(dw);/* round 7 */
732         CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw,
733                 CamelliaSubkeyL(10) = dw;
734         dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11),
735                 dw = CAMELLIA_RL8(dw);/* round 8 */
736         CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw,
737                 CamelliaSubkeyL(11) = dw;
738         dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12),
739                 dw = CAMELLIA_RL8(dw);/* round 9 */
740         CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw,
741                 CamelliaSubkeyL(12) = dw;
742         dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13),
743                 dw = CAMELLIA_RL8(dw);/* round 10 */
744         CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw,
745                 CamelliaSubkeyL(13) = dw;
746         dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14),
747                 dw = CAMELLIA_RL8(dw);/* round 11 */
748         CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw,
749                 CamelliaSubkeyL(14) = dw;
750         dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15),
751                 dw = CAMELLIA_RL8(dw);/* round 12 */
752         CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw,
753                 CamelliaSubkeyL(15) = dw;
754         dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18),
755                 dw = CAMELLIA_RL8(dw);/* round 13 */
756         CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw,
757                 CamelliaSubkeyL(18) = dw;
758         dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19),
759                 dw = CAMELLIA_RL8(dw);/* round 14 */
760         CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw,
761                 CamelliaSubkeyL(19) = dw;
762         dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20),
763                 dw = CAMELLIA_RL8(dw);/* round 15 */
764         CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw,
765                 CamelliaSubkeyL(20) = dw;
766         dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21),
767                 dw = CAMELLIA_RL8(dw);/* round 16 */
768         CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw,
769                 CamelliaSubkeyL(21) = dw;
770         dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22),
771                 dw = CAMELLIA_RL8(dw);/* round 17 */
772         CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw,
773                 CamelliaSubkeyL(22) = dw;
774         dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23),
775                 dw = CAMELLIA_RL8(dw);/* round 18 */
776         CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw,
777                 CamelliaSubkeyL(23) = dw;
778
779         return;
780         }
781
782 void camellia_setup256(const u8 *key, u32 *subkey)
783         {
784         u32 kll,klr,krl,krr;           /* left half of key */
785         u32 krll,krlr,krrl,krrr;       /* right half of key */
786         u32 il, ir, t0, t1, w0, w1;    /* temporary variables */
787         u32 kw4l, kw4r, dw, tl, tr;
788         u32 subL[34];
789         u32 subR[34];
790
791         /**
792          *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
793          *  (|| is concatination)
794          */
795
796         kll  = GETU32(key     );
797         klr  = GETU32(key +  4);
798         krl  = GETU32(key +  8);
799         krr  = GETU32(key + 12);
800         krll = GETU32(key + 16);
801         krlr = GETU32(key + 20);
802         krrl = GETU32(key + 24);
803         krrr = GETU32(key + 28);
804
805         /* generate KL dependent subkeys */
806         /* kw1 */
807         subl(0) = kll; subr(0) = klr;
808         /* kw2 */
809         subl(1) = krl; subr(1) = krr;
810         CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
811         /* k9 */
812         subl(12) = kll; subr(12) = klr;
813         /* k10 */
814         subl(13) = krl; subr(13) = krr;
815         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
816         /* kl3 */
817         subl(16) = kll; subr(16) = klr;
818         /* kl4 */
819         subl(17) = krl; subr(17) = krr;
820         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
821         /* k17 */
822         subl(22) = kll; subr(22) = klr;
823         /* k18 */
824         subl(23) = krl; subr(23) = krr;
825         CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
826         /* k23 */
827         subl(30) = kll; subr(30) = klr;
828         /* k24 */
829         subl(31) = krl; subr(31) = krr;
830
831         /* generate KR dependent subkeys */
832         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
833         /* k3 */
834         subl(4) = krll; subr(4) = krlr;
835         /* k4 */
836         subl(5) = krrl; subr(5) = krrr;
837         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
838         /* kl1 */
839         subl(8) = krll; subr(8) = krlr;
840         /* kl2 */
841         subl(9) = krrl; subr(9) = krrr;
842         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
843         /* k13 */
844         subl(18) = krll; subr(18) = krlr;
845         /* k14 */
846         subl(19) = krrl; subr(19) = krrr;
847         CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
848         /* k19 */
849         subl(26) = krll; subr(26) = krlr;
850         /* k20 */
851         subl(27) = krrl; subr(27) = krrr;
852         CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
853
854         /* generate KA */
855         kll = subl(0) ^ krll; klr = subr(0) ^ krlr;
856         krl = subl(1) ^ krrl; krr = subr(1) ^ krrr;
857         CAMELLIA_F(kll, klr,
858                 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
859                 w0, w1, il, ir, t0, t1);
860         krl ^= w0; krr ^= w1;
861         CAMELLIA_F(krl, krr,
862                 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
863                 kll, klr, il, ir, t0, t1);
864         kll ^= krll; klr ^= krlr;
865         CAMELLIA_F(kll, klr,
866                 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
867                 krl, krr, il, ir, t0, t1);
868         krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
869         CAMELLIA_F(krl, krr,
870                 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
871                 w0, w1, il, ir, t0, t1);
872         kll ^= w0; klr ^= w1;
873
874         /* generate KB */
875         krll ^= kll; krlr ^= klr;
876         krrl ^= krl; krrr ^= krr;
877         CAMELLIA_F(krll, krlr,
878                 CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
879                 w0, w1, il, ir, t0, t1);
880         krrl ^= w0; krrr ^= w1;
881         CAMELLIA_F(krrl, krrr,
882                 CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
883                 w0, w1, il, ir, t0, t1);
884         krll ^= w0; krlr ^= w1;
885
886         /* generate KA dependent subkeys */
887         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
888         /* k5 */
889         subl(6) = kll; subr(6) = klr;
890         /* k6 */
891         subl(7) = krl; subr(7) = krr;
892         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
893         /* k11 */
894         subl(14) = kll; subr(14) = klr;
895         /* k12 */
896         subl(15) = krl; subr(15) = krr;
897         /* rotation left shift 32bit */
898         /* kl5 */
899         subl(24) = klr; subr(24) = krl;
900         /* kl6 */
901         subl(25) = krr; subr(25) = kll;
902         /* rotation left shift 49 from k11,k12 -> k21,k22 */
903         CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
904         /* k21 */
905         subl(28) = kll; subr(28) = klr;
906         /* k22 */
907         subl(29) = krl; subr(29) = krr;
908
909         /* generate KB dependent subkeys */
910         /* k1 */
911         subl(2) = krll; subr(2) = krlr;
912         /* k2 */
913         subl(3) = krrl; subr(3) = krrr;
914         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
915         /* k7 */
916         subl(10) = krll; subr(10) = krlr;
917         /* k8 */
918         subl(11) = krrl; subr(11) = krrr;
919         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
920         /* k15 */
921         subl(20) = krll; subr(20) = krlr;
922         /* k16 */
923         subl(21) = krrl; subr(21) = krrr;
924         CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
925         /* kw3 */
926         subl(32) = krll; subr(32) = krlr;
927         /* kw4 */
928         subl(33) = krrl; subr(33) = krrr;
929
930         /* absorb kw2 to other subkeys */
931 /* round 2 */
932         subl(3) ^= subl(1); subr(3) ^= subr(1);
933 /* round 4 */
934         subl(5) ^= subl(1); subr(5) ^= subr(1);
935 /* round 6 */
936         subl(7) ^= subl(1); subr(7) ^= subr(1);
937         subl(1) ^= subr(1) & ~subr(9);
938         dw = subl(1) & subl(9),
939                 subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl2) */
940 /* round 8 */
941         subl(11) ^= subl(1); subr(11) ^= subr(1);
942 /* round 10 */
943         subl(13) ^= subl(1); subr(13) ^= subr(1);
944 /* round 12 */
945         subl(15) ^= subl(1); subr(15) ^= subr(1);
946         subl(1) ^= subr(1) & ~subr(17);
947         dw = subl(1) & subl(17),
948                 subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl4) */
949 /* round 14 */
950         subl(19) ^= subl(1); subr(19) ^= subr(1);
951 /* round 16 */
952         subl(21) ^= subl(1); subr(21) ^= subr(1);
953 /* round 18 */
954         subl(23) ^= subl(1); subr(23) ^= subr(1);
955         subl(1) ^= subr(1) & ~subr(25);
956         dw = subl(1) & subl(25),
957                 subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl6) */
958 /* round 20 */
959         subl(27) ^= subl(1); subr(27) ^= subr(1);
960 /* round 22 */
961         subl(29) ^= subl(1); subr(29) ^= subr(1);
962 /* round 24 */
963         subl(31) ^= subl(1); subr(31) ^= subr(1);
964 /* kw3 */
965         subl(32) ^= subl(1); subr(32) ^= subr(1);
966
967
968         /* absorb kw4 to other subkeys */
969         kw4l = subl(33); kw4r = subr(33);
970 /* round 23 */
971         subl(30) ^= kw4l; subr(30) ^= kw4r;
972 /* round 21 */
973         subl(28) ^= kw4l; subr(28) ^= kw4r;
974 /* round 19 */
975         subl(26) ^= kw4l; subr(26) ^= kw4r;
976         kw4l ^= kw4r & ~subr(24);
977         dw = kw4l & subl(24),
978                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl5) */
979 /* round 17 */
980         subl(22) ^= kw4l; subr(22) ^= kw4r;
981 /* round 15 */
982         subl(20) ^= kw4l; subr(20) ^= kw4r;
983 /* round 13 */
984         subl(18) ^= kw4l; subr(18) ^= kw4r;
985         kw4l ^= kw4r & ~subr(16);
986         dw = kw4l & subl(16),
987                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl3) */
988 /* round 11 */
989         subl(14) ^= kw4l; subr(14) ^= kw4r;
990 /* round 9 */
991         subl(12) ^= kw4l; subr(12) ^= kw4r;
992 /* round 7 */
993         subl(10) ^= kw4l; subr(10) ^= kw4r;
994         kw4l ^= kw4r & ~subr(8);
995         dw = kw4l & subl(8),
996                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl1) */
997 /* round 5 */
998         subl(6) ^= kw4l; subr(6) ^= kw4r;
999 /* round 3 */
1000         subl(4) ^= kw4l; subr(4) ^= kw4r;
1001 /* round 1 */
1002         subl(2) ^= kw4l; subr(2) ^= kw4r;
1003 /* kw1 */
1004         subl(0) ^= kw4l; subr(0) ^= kw4r;
1005
1006         /* key XOR is end of F-function */
1007         CamelliaSubkeyL(0) = subl(0) ^ subl(2);/* kw1 */
1008         CamelliaSubkeyR(0) = subr(0) ^ subr(2);
1009         CamelliaSubkeyL(2) = subl(3);       /* round 1 */
1010         CamelliaSubkeyR(2) = subr(3);
1011         CamelliaSubkeyL(3) = subl(2) ^ subl(4); /* round 2 */
1012         CamelliaSubkeyR(3) = subr(2) ^ subr(4);
1013         CamelliaSubkeyL(4) = subl(3) ^ subl(5); /* round 3 */
1014         CamelliaSubkeyR(4) = subr(3) ^ subr(5);
1015         CamelliaSubkeyL(5) = subl(4) ^ subl(6); /* round 4 */
1016         CamelliaSubkeyR(5) = subr(4) ^ subr(6);
1017         CamelliaSubkeyL(6) = subl(5) ^ subl(7); /* round 5 */
1018         CamelliaSubkeyR(6) = subr(5) ^ subr(7);
1019         tl = subl(10) ^ (subr(10) & ~subr(8));
1020         dw = tl & subl(8),  /* FL(kl1) */
1021                 tr = subr(10) ^ CAMELLIA_RL1(dw);
1022         CamelliaSubkeyL(7) = subl(6) ^ tl; /* round 6 */
1023         CamelliaSubkeyR(7) = subr(6) ^ tr;
1024         CamelliaSubkeyL(8) = subl(8);       /* FL(kl1) */
1025         CamelliaSubkeyR(8) = subr(8);
1026         CamelliaSubkeyL(9) = subl(9);       /* FLinv(kl2) */
1027         CamelliaSubkeyR(9) = subr(9);
1028         tl = subl(7) ^ (subr(7) & ~subr(9));
1029         dw = tl & subl(9),  /* FLinv(kl2) */
1030                 tr = subr(7) ^ CAMELLIA_RL1(dw);
1031         CamelliaSubkeyL(10) = tl ^ subl(11); /* round 7 */
1032         CamelliaSubkeyR(10) = tr ^ subr(11);
1033         CamelliaSubkeyL(11) = subl(10) ^ subl(12); /* round 8 */
1034         CamelliaSubkeyR(11) = subr(10) ^ subr(12);
1035         CamelliaSubkeyL(12) = subl(11) ^ subl(13); /* round 9 */
1036         CamelliaSubkeyR(12) = subr(11) ^ subr(13);
1037         CamelliaSubkeyL(13) = subl(12) ^ subl(14); /* round 10 */
1038         CamelliaSubkeyR(13) = subr(12) ^ subr(14);
1039         CamelliaSubkeyL(14) = subl(13) ^ subl(15); /* round 11 */
1040         CamelliaSubkeyR(14) = subr(13) ^ subr(15);
1041         tl = subl(18) ^ (subr(18) & ~subr(16));
1042         dw = tl & subl(16), /* FL(kl3) */
1043                 tr = subr(18) ^ CAMELLIA_RL1(dw);
1044         CamelliaSubkeyL(15) = subl(14) ^ tl; /* round 12 */
1045         CamelliaSubkeyR(15) = subr(14) ^ tr;
1046         CamelliaSubkeyL(16) = subl(16);     /* FL(kl3) */
1047         CamelliaSubkeyR(16) = subr(16);
1048         CamelliaSubkeyL(17) = subl(17);     /* FLinv(kl4) */
1049         CamelliaSubkeyR(17) = subr(17);
1050         tl = subl(15) ^ (subr(15) & ~subr(17));
1051         dw = tl & subl(17), /* FLinv(kl4) */
1052                 tr = subr(15) ^ CAMELLIA_RL1(dw);
1053         CamelliaSubkeyL(18) = tl ^ subl(19); /* round 13 */
1054         CamelliaSubkeyR(18) = tr ^ subr(19);
1055         CamelliaSubkeyL(19) = subl(18) ^ subl(20); /* round 14 */
1056         CamelliaSubkeyR(19) = subr(18) ^ subr(20);
1057         CamelliaSubkeyL(20) = subl(19) ^ subl(21); /* round 15 */
1058         CamelliaSubkeyR(20) = subr(19) ^ subr(21);
1059         CamelliaSubkeyL(21) = subl(20) ^ subl(22); /* round 16 */
1060         CamelliaSubkeyR(21) = subr(20) ^ subr(22);
1061         CamelliaSubkeyL(22) = subl(21) ^ subl(23); /* round 17 */
1062         CamelliaSubkeyR(22) = subr(21) ^ subr(23);
1063         tl = subl(26) ^ (subr(26)
1064                 & ~subr(24));
1065         dw = tl & subl(24), /* FL(kl5) */
1066                 tr = subr(26) ^ CAMELLIA_RL1(dw);
1067         CamelliaSubkeyL(23) = subl(22) ^ tl; /* round 18 */
1068         CamelliaSubkeyR(23) = subr(22) ^ tr;
1069         CamelliaSubkeyL(24) = subl(24);     /* FL(kl5) */
1070         CamelliaSubkeyR(24) = subr(24);
1071         CamelliaSubkeyL(25) = subl(25);     /* FLinv(kl6) */
1072         CamelliaSubkeyR(25) = subr(25);
1073         tl = subl(23) ^ (subr(23) &
1074                 ~subr(25));
1075         dw = tl & subl(25), /* FLinv(kl6) */
1076                 tr = subr(23) ^ CAMELLIA_RL1(dw);
1077         CamelliaSubkeyL(26) = tl ^ subl(27); /* round 19 */
1078         CamelliaSubkeyR(26) = tr ^ subr(27);
1079         CamelliaSubkeyL(27) = subl(26) ^ subl(28); /* round 20 */
1080         CamelliaSubkeyR(27) = subr(26) ^ subr(28);
1081         CamelliaSubkeyL(28) = subl(27) ^ subl(29); /* round 21 */
1082         CamelliaSubkeyR(28) = subr(27) ^ subr(29);
1083         CamelliaSubkeyL(29) = subl(28) ^ subl(30); /* round 22 */
1084         CamelliaSubkeyR(29) = subr(28) ^ subr(30);
1085         CamelliaSubkeyL(30) = subl(29) ^ subl(31); /* round 23 */
1086         CamelliaSubkeyR(30) = subr(29) ^ subr(31);
1087         CamelliaSubkeyL(31) = subl(30);     /* round 24 */
1088         CamelliaSubkeyR(31) = subr(30);
1089         CamelliaSubkeyL(32) = subl(32) ^ subl(31); /* kw3 */
1090         CamelliaSubkeyR(32) = subr(32) ^ subr(31);
1091
1092         /* apply the inverse of the last half of P-function */
1093         dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2),
1094                 dw = CAMELLIA_RL8(dw);/* round 1 */
1095         CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw,
1096                 CamelliaSubkeyL(2) = dw;
1097         dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3),
1098                 dw = CAMELLIA_RL8(dw);/* round 2 */
1099         CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw,
1100                 CamelliaSubkeyL(3) = dw;
1101         dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4),
1102                 dw = CAMELLIA_RL8(dw);/* round 3 */
1103         CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw,
1104                 CamelliaSubkeyL(4) = dw;
1105         dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5),
1106                 dw = CAMELLIA_RL8(dw);/* round 4 */
1107         CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw,
1108                 CamelliaSubkeyL(5) = dw;
1109         dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6),
1110                 dw = CAMELLIA_RL8(dw);/* round 5 */
1111         CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw,
1112                 CamelliaSubkeyL(6) = dw;
1113         dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7),
1114                 dw = CAMELLIA_RL8(dw);/* round 6 */
1115         CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw,
1116                 CamelliaSubkeyL(7) = dw;
1117         dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10),
1118                 dw = CAMELLIA_RL8(dw);/* round 7 */
1119         CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw,
1120                 CamelliaSubkeyL(10) = dw;
1121         dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11),
1122                 dw = CAMELLIA_RL8(dw);/* round 8 */
1123         CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw,
1124                 CamelliaSubkeyL(11) = dw;
1125         dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12),
1126                 dw = CAMELLIA_RL8(dw);/* round 9 */
1127         CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw,
1128                 CamelliaSubkeyL(12) = dw;
1129         dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13),
1130                 dw = CAMELLIA_RL8(dw);/* round 10 */
1131         CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw,
1132                 CamelliaSubkeyL(13) = dw;
1133         dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14),
1134                 dw = CAMELLIA_RL8(dw);/* round 11 */
1135         CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw,
1136                 CamelliaSubkeyL(14) = dw;
1137         dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15),
1138                 dw = CAMELLIA_RL8(dw);/* round 12 */
1139         CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw,
1140                 CamelliaSubkeyL(15) = dw;
1141         dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18),
1142                 dw = CAMELLIA_RL8(dw);/* round 13 */
1143         CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw,
1144                 CamelliaSubkeyL(18) = dw;
1145         dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19),
1146                 dw = CAMELLIA_RL8(dw);/* round 14 */
1147         CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw,
1148                 CamelliaSubkeyL(19) = dw;
1149         dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20),
1150                 dw = CAMELLIA_RL8(dw);/* round 15 */
1151         CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw,
1152                 CamelliaSubkeyL(20) = dw;
1153         dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21),
1154                 dw = CAMELLIA_RL8(dw);/* round 16 */
1155         CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw,
1156                 CamelliaSubkeyL(21) = dw;
1157         dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22),
1158                 dw = CAMELLIA_RL8(dw);/* round 17 */
1159         CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw,
1160                 CamelliaSubkeyL(22) = dw;
1161         dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23),
1162                 dw = CAMELLIA_RL8(dw);/* round 18 */
1163         CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw,
1164                 CamelliaSubkeyL(23) = dw;
1165         dw = CamelliaSubkeyL(26) ^ CamelliaSubkeyR(26),
1166                 dw = CAMELLIA_RL8(dw);/* round 19 */
1167         CamelliaSubkeyR(26) = CamelliaSubkeyL(26) ^ dw,
1168                 CamelliaSubkeyL(26) = dw;
1169         dw = CamelliaSubkeyL(27) ^ CamelliaSubkeyR(27),
1170                 dw = CAMELLIA_RL8(dw);/* round 20 */
1171         CamelliaSubkeyR(27) = CamelliaSubkeyL(27) ^ dw,
1172                 CamelliaSubkeyL(27) = dw;
1173         dw = CamelliaSubkeyL(28) ^ CamelliaSubkeyR(28),
1174                 dw = CAMELLIA_RL8(dw);/* round 21 */
1175         CamelliaSubkeyR(28) = CamelliaSubkeyL(28) ^ dw,
1176                 CamelliaSubkeyL(28) = dw;
1177         dw = CamelliaSubkeyL(29) ^ CamelliaSubkeyR(29),
1178                 dw = CAMELLIA_RL8(dw);/* round 22 */
1179         CamelliaSubkeyR(29) = CamelliaSubkeyL(29) ^ dw,
1180                 CamelliaSubkeyL(29) = dw;
1181         dw = CamelliaSubkeyL(30) ^ CamelliaSubkeyR(30),
1182                 dw = CAMELLIA_RL8(dw);/* round 23 */
1183         CamelliaSubkeyR(30) = CamelliaSubkeyL(30) ^ dw,
1184                 CamelliaSubkeyL(30) = dw;
1185         dw = CamelliaSubkeyL(31) ^ CamelliaSubkeyR(31),
1186                 dw = CAMELLIA_RL8(dw);/* round 24 */
1187         CamelliaSubkeyR(31) = CamelliaSubkeyL(31) ^ dw,
1188                 CamelliaSubkeyL(31) = dw;
1189
1190     
1191         return;
1192         }
1193
1194 void camellia_setup192(const u8 *key, u32 *subkey)
1195         {
1196         u8 kk[32];
1197         u32 krll, krlr, krrl,krrr;
1198
1199         memcpy(kk, key, 24);
1200         memcpy((u8 *)&krll, key+16,4);
1201         memcpy((u8 *)&krlr, key+20,4);
1202         krrl = ~krll;
1203         krrr = ~krlr;
1204         memcpy(kk+24, (u8 *)&krrl, 4);
1205         memcpy(kk+28, (u8 *)&krrr, 4);
1206         camellia_setup256(kk, subkey);
1207         return;
1208         }
1209
1210
1211 /**
1212  * Stuff related to camellia encryption/decryption
1213  */
1214 void camellia_encrypt128(const u32 *subkey, u32 *io)
1215         {
1216         u32 il, ir, t0, t1;
1217
1218         /* pre whitening but absorb kw2*/
1219         io[0] ^= CamelliaSubkeyL(0);
1220         io[1] ^= CamelliaSubkeyR(0);
1221         /* main iteration */
1222
1223         CAMELLIA_ROUNDSM(io[0],io[1],
1224                 CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1225                 io[2],io[3],il,ir,t0,t1);
1226         CAMELLIA_ROUNDSM(io[2],io[3],
1227                 CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1228                 io[0],io[1],il,ir,t0,t1);
1229         CAMELLIA_ROUNDSM(io[0],io[1],
1230                 CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1231                 io[2],io[3],il,ir,t0,t1);
1232         CAMELLIA_ROUNDSM(io[2],io[3],
1233                 CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1234                 io[0],io[1],il,ir,t0,t1);
1235         CAMELLIA_ROUNDSM(io[0],io[1],
1236                 CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1237                 io[2],io[3],il,ir,t0,t1);
1238         CAMELLIA_ROUNDSM(io[2],io[3],
1239                 CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1240                 io[0],io[1],il,ir,t0,t1);
1241
1242         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1243                 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1244                 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1245                 t0,t1,il,ir);
1246
1247         CAMELLIA_ROUNDSM(io[0],io[1],
1248                 CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1249                 io[2],io[3],il,ir,t0,t1);
1250         CAMELLIA_ROUNDSM(io[2],io[3],
1251                 CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1252                 io[0],io[1],il,ir,t0,t1);
1253         CAMELLIA_ROUNDSM(io[0],io[1],
1254                 CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1255                 io[2],io[3],il,ir,t0,t1);
1256         CAMELLIA_ROUNDSM(io[2],io[3],
1257                 CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1258                 io[0],io[1],il,ir,t0,t1);
1259         CAMELLIA_ROUNDSM(io[0],io[1],
1260                 CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1261                 io[2],io[3],il,ir,t0,t1);
1262         CAMELLIA_ROUNDSM(io[2],io[3],
1263                 CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1264                 io[0],io[1],il,ir,t0,t1);
1265
1266         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1267                 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1268                 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1269                 t0,t1,il,ir);
1270
1271         CAMELLIA_ROUNDSM(io[0],io[1],
1272                 CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1273                 io[2],io[3],il,ir,t0,t1);
1274         CAMELLIA_ROUNDSM(io[2],io[3],
1275                 CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1276                 io[0],io[1],il,ir,t0,t1);
1277         CAMELLIA_ROUNDSM(io[0],io[1],
1278                 CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1279                 io[2],io[3],il,ir,t0,t1);
1280         CAMELLIA_ROUNDSM(io[2],io[3],
1281                 CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1282                 io[0],io[1],il,ir,t0,t1);
1283         CAMELLIA_ROUNDSM(io[0],io[1],
1284                 CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1285                 io[2],io[3],il,ir,t0,t1);
1286         CAMELLIA_ROUNDSM(io[2],io[3],
1287                 CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1288                 io[0],io[1],il,ir,t0,t1);
1289
1290         /* post whitening but kw4 */
1291         io[2] ^= CamelliaSubkeyL(24);
1292         io[3] ^= CamelliaSubkeyR(24);
1293
1294         t0 = io[0];
1295         t1 = io[1];
1296         io[0] = io[2];
1297         io[1] = io[3];
1298         io[2] = t0;
1299         io[3] = t1;
1300
1301         return;
1302         }
1303
1304 void camellia_decrypt128(const u32 *subkey, u32 *io)
1305         {
1306         u32 il,ir,t0,t1;               /* temporary valiables */
1307
1308         /* pre whitening but absorb kw2*/
1309         io[0] ^= CamelliaSubkeyL(24);
1310         io[1] ^= CamelliaSubkeyR(24);
1311
1312         /* main iteration */
1313         CAMELLIA_ROUNDSM(io[0],io[1],
1314                 CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1315                 io[2],io[3],il,ir,t0,t1);
1316         CAMELLIA_ROUNDSM(io[2],io[3],
1317                 CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1318                 io[0],io[1],il,ir,t0,t1);
1319         CAMELLIA_ROUNDSM(io[0],io[1],
1320                 CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1321                 io[2],io[3],il,ir,t0,t1);
1322         CAMELLIA_ROUNDSM(io[2],io[3],
1323                 CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1324                 io[0],io[1],il,ir,t0,t1);
1325         CAMELLIA_ROUNDSM(io[0],io[1],
1326                 CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1327                 io[2],io[3],il,ir,t0,t1);
1328         CAMELLIA_ROUNDSM(io[2],io[3],
1329                 CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1330                 io[0],io[1],il,ir,t0,t1);
1331
1332         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1333                 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1334                 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1335                 t0,t1,il,ir);
1336
1337         CAMELLIA_ROUNDSM(io[0],io[1],
1338                 CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1339                 io[2],io[3],il,ir,t0,t1);
1340         CAMELLIA_ROUNDSM(io[2],io[3],
1341                 CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1342                 io[0],io[1],il,ir,t0,t1);
1343         CAMELLIA_ROUNDSM(io[0],io[1],
1344                 CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1345                 io[2],io[3],il,ir,t0,t1);
1346         CAMELLIA_ROUNDSM(io[2],io[3],
1347                 CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1348                 io[0],io[1],il,ir,t0,t1);
1349         CAMELLIA_ROUNDSM(io[0],io[1],
1350                 CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1351                 io[2],io[3],il,ir,t0,t1);
1352         CAMELLIA_ROUNDSM(io[2],io[3],
1353                 CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1354                 io[0],io[1],il,ir,t0,t1);
1355
1356         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1357                 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1358                 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1359                 t0,t1,il,ir);
1360
1361         CAMELLIA_ROUNDSM(io[0],io[1],
1362                 CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1363                 io[2],io[3],il,ir,t0,t1);
1364         CAMELLIA_ROUNDSM(io[2],io[3],
1365                 CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1366                 io[0],io[1],il,ir,t0,t1);
1367         CAMELLIA_ROUNDSM(io[0],io[1],
1368                 CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1369                 io[2],io[3],il,ir,t0,t1);
1370         CAMELLIA_ROUNDSM(io[2],io[3],
1371                 CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1372                 io[0],io[1],il,ir,t0,t1);
1373         CAMELLIA_ROUNDSM(io[0],io[1],
1374                 CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1375                 io[2],io[3],il,ir,t0,t1);
1376         CAMELLIA_ROUNDSM(io[2],io[3],
1377                 CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1378                 io[0],io[1],il,ir,t0,t1);
1379
1380         /* post whitening but kw4 */
1381         io[2] ^= CamelliaSubkeyL(0);
1382         io[3] ^= CamelliaSubkeyR(0);
1383
1384         t0 = io[0];
1385         t1 = io[1];
1386         io[0] = io[2];
1387         io[1] = io[3];
1388         io[2] = t0;
1389         io[3] = t1;
1390
1391         return;
1392         }
1393
1394 /**
1395  * stuff for 192 and 256bit encryption/decryption
1396  */
1397 void camellia_encrypt256(const u32 *subkey, u32 *io)
1398         {
1399         u32 il,ir,t0,t1;           /* temporary valiables */
1400
1401         /* pre whitening but absorb kw2*/
1402         io[0] ^= CamelliaSubkeyL(0);
1403         io[1] ^= CamelliaSubkeyR(0);
1404
1405         /* main iteration */
1406         CAMELLIA_ROUNDSM(io[0],io[1],
1407                 CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1408                 io[2],io[3],il,ir,t0,t1);
1409         CAMELLIA_ROUNDSM(io[2],io[3],
1410                 CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1411                 io[0],io[1],il,ir,t0,t1);
1412         CAMELLIA_ROUNDSM(io[0],io[1],
1413                 CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1414                 io[2],io[3],il,ir,t0,t1);
1415         CAMELLIA_ROUNDSM(io[2],io[3],
1416                 CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1417                 io[0],io[1],il,ir,t0,t1);
1418         CAMELLIA_ROUNDSM(io[0],io[1],
1419                 CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1420                 io[2],io[3],il,ir,t0,t1);
1421         CAMELLIA_ROUNDSM(io[2],io[3],
1422                 CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1423                 io[0],io[1],il,ir,t0,t1);
1424
1425         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1426                 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1427                 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1428                 t0,t1,il,ir);
1429
1430         CAMELLIA_ROUNDSM(io[0],io[1],
1431                 CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1432                 io[2],io[3],il,ir,t0,t1);
1433         CAMELLIA_ROUNDSM(io[2],io[3],
1434                 CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1435                 io[0],io[1],il,ir,t0,t1);
1436         CAMELLIA_ROUNDSM(io[0],io[1],
1437                 CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1438                 io[2],io[3],il,ir,t0,t1);
1439         CAMELLIA_ROUNDSM(io[2],io[3],
1440                 CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1441                 io[0],io[1],il,ir,t0,t1);
1442         CAMELLIA_ROUNDSM(io[0],io[1],
1443                 CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1444                 io[2],io[3],il,ir,t0,t1);
1445         CAMELLIA_ROUNDSM(io[2],io[3],
1446                 CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1447                 io[0],io[1],il,ir,t0,t1);
1448
1449         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1450                 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1451                 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1452                 t0,t1,il,ir);
1453
1454         CAMELLIA_ROUNDSM(io[0],io[1],
1455                 CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1456                 io[2],io[3],il,ir,t0,t1);
1457         CAMELLIA_ROUNDSM(io[2],io[3],
1458                 CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1459                 io[0],io[1],il,ir,t0,t1);
1460         CAMELLIA_ROUNDSM(io[0],io[1],
1461                 CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1462                 io[2],io[3],il,ir,t0,t1);
1463         CAMELLIA_ROUNDSM(io[2],io[3],
1464                 CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1465                 io[0],io[1],il,ir,t0,t1);
1466         CAMELLIA_ROUNDSM(io[0],io[1],
1467                 CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1468                 io[2],io[3],il,ir,t0,t1);
1469         CAMELLIA_ROUNDSM(io[2],io[3],
1470                 CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1471                 io[0],io[1],il,ir,t0,t1);
1472
1473         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1474                 CamelliaSubkeyL(24),CamelliaSubkeyR(24),
1475                 CamelliaSubkeyL(25),CamelliaSubkeyR(25),
1476                 t0,t1,il,ir);
1477
1478         CAMELLIA_ROUNDSM(io[0],io[1],
1479                 CamelliaSubkeyL(26),CamelliaSubkeyR(26),
1480                 io[2],io[3],il,ir,t0,t1);
1481         CAMELLIA_ROUNDSM(io[2],io[3],
1482                 CamelliaSubkeyL(27),CamelliaSubkeyR(27),
1483                 io[0],io[1],il,ir,t0,t1);
1484         CAMELLIA_ROUNDSM(io[0],io[1],
1485                 CamelliaSubkeyL(28),CamelliaSubkeyR(28),
1486                 io[2],io[3],il,ir,t0,t1);
1487         CAMELLIA_ROUNDSM(io[2],io[3],
1488                 CamelliaSubkeyL(29),CamelliaSubkeyR(29),
1489                 io[0],io[1],il,ir,t0,t1);
1490         CAMELLIA_ROUNDSM(io[0],io[1],
1491                 CamelliaSubkeyL(30),CamelliaSubkeyR(30),
1492                 io[2],io[3],il,ir,t0,t1);
1493         CAMELLIA_ROUNDSM(io[2],io[3],
1494                 CamelliaSubkeyL(31),CamelliaSubkeyR(31),
1495                 io[0],io[1],il,ir,t0,t1);
1496
1497         /* post whitening but kw4 */
1498         io[2] ^= CamelliaSubkeyL(32);
1499         io[3] ^= CamelliaSubkeyR(32);
1500
1501         t0 = io[0];
1502         t1 = io[1];
1503         io[0] = io[2];
1504         io[1] = io[3];
1505         io[2] = t0;
1506         io[3] = t1;
1507
1508         return;
1509         }
1510
1511 void camellia_decrypt256(const u32 *subkey, u32 *io)
1512         {
1513         u32 il,ir,t0,t1;           /* temporary valiables */
1514
1515         /* pre whitening but absorb kw2*/
1516         io[0] ^= CamelliaSubkeyL(32);
1517         io[1] ^= CamelliaSubkeyR(32);
1518         
1519         /* main iteration */
1520         CAMELLIA_ROUNDSM(io[0],io[1],
1521                 CamelliaSubkeyL(31),CamelliaSubkeyR(31),
1522                 io[2],io[3],il,ir,t0,t1);
1523         CAMELLIA_ROUNDSM(io[2],io[3],
1524                 CamelliaSubkeyL(30),CamelliaSubkeyR(30),
1525                 io[0],io[1],il,ir,t0,t1);
1526         CAMELLIA_ROUNDSM(io[0],io[1],
1527                 CamelliaSubkeyL(29),CamelliaSubkeyR(29),
1528                 io[2],io[3],il,ir,t0,t1);
1529         CAMELLIA_ROUNDSM(io[2],io[3],
1530                 CamelliaSubkeyL(28),CamelliaSubkeyR(28),
1531                 io[0],io[1],il,ir,t0,t1);
1532         CAMELLIA_ROUNDSM(io[0],io[1],
1533                 CamelliaSubkeyL(27),CamelliaSubkeyR(27),
1534                 io[2],io[3],il,ir,t0,t1);
1535         CAMELLIA_ROUNDSM(io[2],io[3],
1536                 CamelliaSubkeyL(26),CamelliaSubkeyR(26),
1537                 io[0],io[1],il,ir,t0,t1);
1538
1539         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1540                 CamelliaSubkeyL(25),CamelliaSubkeyR(25),
1541                 CamelliaSubkeyL(24),CamelliaSubkeyR(24),
1542                 t0,t1,il,ir);
1543
1544         CAMELLIA_ROUNDSM(io[0],io[1],
1545                 CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1546                 io[2],io[3],il,ir,t0,t1);
1547         CAMELLIA_ROUNDSM(io[2],io[3],
1548                 CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1549                 io[0],io[1],il,ir,t0,t1);
1550         CAMELLIA_ROUNDSM(io[0],io[1],
1551                 CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1552                 io[2],io[3],il,ir,t0,t1);
1553         CAMELLIA_ROUNDSM(io[2],io[3],
1554                 CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1555                 io[0],io[1],il,ir,t0,t1);
1556         CAMELLIA_ROUNDSM(io[0],io[1],
1557                 CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1558                 io[2],io[3],il,ir,t0,t1);
1559         CAMELLIA_ROUNDSM(io[2],io[3],
1560                 CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1561                 io[0],io[1],il,ir,t0,t1);
1562
1563         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1564                 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1565                 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1566                 t0,t1,il,ir);
1567
1568         CAMELLIA_ROUNDSM(io[0],io[1],
1569                 CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1570                 io[2],io[3],il,ir,t0,t1);
1571         CAMELLIA_ROUNDSM(io[2],io[3],
1572                 CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1573                 io[0],io[1],il,ir,t0,t1);
1574         CAMELLIA_ROUNDSM(io[0],io[1],
1575                 CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1576                 io[2],io[3],il,ir,t0,t1);
1577         CAMELLIA_ROUNDSM(io[2],io[3],
1578                 CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1579                 io[0],io[1],il,ir,t0,t1);
1580         CAMELLIA_ROUNDSM(io[0],io[1],
1581                 CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1582                 io[2],io[3],il,ir,t0,t1);
1583         CAMELLIA_ROUNDSM(io[2],io[3],
1584                 CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1585                 io[0],io[1],il,ir,t0,t1);
1586
1587         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1588                 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1589                 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1590                 t0,t1,il,ir);
1591
1592         CAMELLIA_ROUNDSM(io[0],io[1],
1593                 CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1594                 io[2],io[3],il,ir,t0,t1);
1595         CAMELLIA_ROUNDSM(io[2],io[3],
1596                 CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1597                 io[0],io[1],il,ir,t0,t1);
1598         CAMELLIA_ROUNDSM(io[0],io[1],
1599                 CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1600                 io[2],io[3],il,ir,t0,t1);
1601         CAMELLIA_ROUNDSM(io[2],io[3],
1602                 CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1603                 io[0],io[1],il,ir,t0,t1);
1604         CAMELLIA_ROUNDSM(io[0],io[1],
1605                 CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1606                 io[2],io[3],il,ir,t0,t1);
1607         CAMELLIA_ROUNDSM(io[2],io[3],
1608                 CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1609                 io[0],io[1],il,ir,t0,t1);
1610
1611         /* post whitening but kw4 */
1612         io[2] ^= CamelliaSubkeyL(0);
1613         io[3] ^= CamelliaSubkeyR(0);
1614
1615         t0 = io[0];
1616         t1 = io[1];
1617         io[0] = io[2];
1618         io[1] = io[3];
1619         io[2] = t0;
1620         io[3] = t1;
1621
1622         return;
1623         }
1624