crypto/camellia/camellia.c

162911Ssimon/* crypto/camellia/camellia.c -*- mode:C; c-file-style: "eay" -*- */
162911Ssimon/* ====================================================================
296341Sdelphij * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) .
162911Ssimon * ALL RIGHTS RESERVED.
162911Ssimon *
162911Ssimon * Intellectual Property information for Camellia:
162911Ssimon *     http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
162911Ssimon *
162911Ssimon * News Release for Announcement of Camellia open source:
162911Ssimon *     http://www.ntt.co.jp/news/news06e/0604/060413a.html
162911Ssimon *
162911Ssimon * The Camellia Code included herein is developed by
162911Ssimon * NTT (Nippon Telegraph and Telephone Corporation), and is contributed
162911Ssimon * to the OpenSSL project.
162911Ssimon *
162911Ssimon * The Camellia Code is licensed pursuant to the OpenSSL open source
162911Ssimon * license provided below.
162911Ssimon */
162911Ssimon/* ====================================================================
162911Ssimon * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
162911Ssimon *
162911Ssimon * Redistribution and use in source and binary forms, with or without
162911Ssimon * modification, are permitted provided that the following conditions
162911Ssimon * are met:
162911Ssimon *
162911Ssimon * 1. Redistributions of source code must retain the above copyright
296341Sdelphij *    notice, this list of conditions and the following disclaimer.
162911Ssimon *
162911Ssimon * 2. Redistributions in binary form must reproduce the above copyright
162911Ssimon *    notice, this list of conditions and the following disclaimer in
162911Ssimon *    the documentation and/or other materials provided with the
162911Ssimon *    distribution.
162911Ssimon *
162911Ssimon * 3. All advertising materials mentioning features or use of this
162911Ssimon *    software must display the following acknowledgment:
162911Ssimon *    "This product includes software developed by the OpenSSL Project
162911Ssimon *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
162911Ssimon *
162911Ssimon * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
162911Ssimon *    endorse or promote products derived from this software without
162911Ssimon *    prior written permission. For written permission, please contact
162911Ssimon *    openssl-core@openssl.org.
162911Ssimon *
162911Ssimon * 5. Products derived from this software may not be called "OpenSSL"
162911Ssimon *    nor may "OpenSSL" appear in their names without prior written
162911Ssimon *    permission of the OpenSSL Project.
162911Ssimon *
162911Ssimon * 6. Redistributions of any form whatsoever must retain the following
162911Ssimon *    acknowledgment:
162911Ssimon *    "This product includes software developed by the OpenSSL Project
162911Ssimon *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
162911Ssimon *
162911Ssimon * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
162911Ssimon * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
162911Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
162911Ssimon * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
162911Ssimon * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
162911Ssimon * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
162911Ssimon * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
162911Ssimon * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
162911Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
162911Ssimon * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
162911Ssimon * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
162911Ssimon * OF THE POSSIBILITY OF SUCH DAMAGE.
162911Ssimon * ====================================================================
162911Ssimon */
162911Ssimon
238405Sjkim/*
296341Sdelphij * Algorithm Specification
296341Sdelphij * http://info.isl.llia/specicrypt/eng/camellia/specifications.html
296341Sdelphij */
296341Sdelphij
296341Sdelphij/*
238405Sjkim * This release balances code size and performance. In particular key
238405Sjkim * schedule setup is fully unrolled, because doing so *significantly*
238405Sjkim * reduces amount of instructions per setup round and code increase is
238405Sjkim * justifiable. In block functions on the other hand only inner loops
238405Sjkim * are unrolled, as full unroll gives only nominal performance boost,
238405Sjkim * while code size grows 4 or 7 times. Also, unlike previous versions
238405Sjkim * this one "encourages" compiler to keep intermediate variables in
238405Sjkim * registers, which should give better "all round" results, in other
238405Sjkim * words reasonable performance even with not so modern compilers.
238405Sjkim */
162911Ssimon
238405Sjkim#include "camellia.h"
238405Sjkim#include "cmll_locl.h"
162911Ssimon#include <string.h>
162911Ssimon#include <stdlib.h>
162911Ssimon
238405Sjkim/* 32-bit rotations */
238405Sjkim#if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
238405Sjkim# if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64))
238405Sjkim#  define RightRotate(x, s) _lrotr(x, s)
238405Sjkim#  define LeftRotate(x, s)  _lrotl(x, s)
238405Sjkim#  if _MSC_VER >= 1400
238405Sjkim#   define SWAP(x) _byteswap_ulong(x)
238405Sjkim#  else
238405Sjkim#   define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
238405Sjkim#  endif
238405Sjkim#  define GETU32(p)   SWAP(*((u32 *)(p)))
238405Sjkim#  define PUTU32(p,v) (*((u32 *)(p)) = SWAP((v)))
238405Sjkim# elif defined(__GNUC__) && __GNUC__>=2
238405Sjkim#  if defined(__i386) || defined(__x86_64)
238405Sjkim#   define RightRotate(x,s) ({u32 ret; asm ("rorl %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; })
238405Sjkim#   define LeftRotate(x,s)  ({u32 ret; asm ("roll %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; })
296341Sdelphij#   if defined(B_ENDIAN)        /* stratus.com does it */
238405Sjkim#    define GETU32(p)   (*(u32 *)(p))
238405Sjkim#    define PUTU32(p,v) (*(u32 *)(p)=(v))
238405Sjkim#   else
238405Sjkim#    define GETU32(p)   ({u32 r=*(const u32 *)(p); asm("bswapl %0":"=r"(r):"0"(r)); r; })
238405Sjkim#    define PUTU32(p,v) ({u32 r=(v); asm("bswapl %0":"=r"(r):"0"(r)); *(u32 *)(p)=r; })
238405Sjkim#   endif
238405Sjkim#  elif defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \
238405Sjkim        defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__)
238405Sjkim#   define LeftRotate(x,s)  ({u32 ret; asm ("rlwinm %0,%1,%2,0,31":"=r"(ret):"r"(x),"I"(s)); ret; })
238405Sjkim#   define RightRotate(x,s) LeftRotate(x,(32-s))
238405Sjkim#  elif defined(__s390x__)
238405Sjkim#   define LeftRotate(x,s)  ({u32 ret; asm ("rll %0,%1,%2":"=r"(ret):"r"(x),"I"(s)); ret; })
238405Sjkim#   define RightRotate(x,s) LeftRotate(x,(32-s))
238405Sjkim#   define GETU32(p)   (*(u32 *)(p))
238405Sjkim#   define PUTU32(p,v) (*(u32 *)(p)=(v))
238405Sjkim#  endif
238405Sjkim# endif
238405Sjkim#endif
162911Ssimon
238405Sjkim#if !defined(RightRotate) && !defined(LeftRotate)
238405Sjkim# define RightRotate(x, s) ( ((x) >> (s)) + ((x) << (32 - s)) )
238405Sjkim# define LeftRotate(x, s)  ( ((x) << (s)) + ((x) >> (32 - s)) )
238405Sjkim#endif
162911Ssimon
238405Sjkim#if !defined(GETU32) && !defined(PUTU32)
238405Sjkim# define GETU32(p)   (((u32)(p)[0] << 24) ^ ((u32)(p)[1] << 16) ^ ((u32)(p)[2] <<  8) ^ ((u32)(p)[3]))
238405Sjkim# define PUTU32(p,v) ((p)[0] = (u8)((v) >> 24), (p)[1] = (u8)((v) >> 16), (p)[2] = (u8)((v) >>  8), (p)[3] = (u8)(v))
238405Sjkim#endif
162911Ssimon
238405Sjkim/* S-box data */
238405Sjkim#define SBOX1_1110 Camellia_SBOX[0]
238405Sjkim#define SBOX4_4404 Camellia_SBOX[1]
238405Sjkim#define SBOX2_0222 Camellia_SBOX[2]
238405Sjkim#define SBOX3_3033 Camellia_SBOX[3]
238405Sjkimstatic const u32 Camellia_SBOX[][256] = {
296341Sdelphij    {0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00, 0xb3b3b300, 0x27272700,
296341Sdelphij     0xc0c0c000, 0xe5e5e500, 0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
296341Sdelphij     0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100, 0x23232300, 0xefefef00,
296341Sdelphij     0x6b6b6b00, 0x93939300, 0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
296341Sdelphij     0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00, 0x1d1d1d00, 0x65656500,
296341Sdelphij     0x92929200, 0xbdbdbd00, 0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
296341Sdelphij     0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00, 0x3e3e3e00, 0x30303000,
296341Sdelphij     0xdcdcdc00, 0x5f5f5f00, 0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
296341Sdelphij     0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00, 0xd5d5d500, 0x47474700,
296341Sdelphij     0x5d5d5d00, 0x3d3d3d00, 0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
296341Sdelphij     0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00, 0x8b8b8b00, 0x0d0d0d00,
296341Sdelphij     0x9a9a9a00, 0x66666600, 0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
296341Sdelphij     0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000, 0xf0f0f000, 0xb1b1b100,
296341Sdelphij     0x84848400, 0x99999900, 0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
296341Sdelphij     0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500, 0x6d6d6d00, 0xb7b7b700,
296341Sdelphij     0xa9a9a900, 0x31313100, 0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
296341Sdelphij     0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100, 0xdedede00, 0x1b1b1b00,
296341Sdelphij     0x11111100, 0x1c1c1c00, 0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
296341Sdelphij     0x53535300, 0x18181800, 0xf2f2f200, 0x22222200, 0xfefefe00, 0x44444400,
296341Sdelphij     0xcfcfcf00, 0xb2b2b200, 0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
296341Sdelphij     0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800, 0x60606000, 0xfcfcfc00,
296341Sdelphij     0x69696900, 0x50505000, 0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
296341Sdelphij     0xa1a1a100, 0x89898900, 0x62626200, 0x97979700, 0x54545400, 0x5b5b5b00,
296341Sdelphij     0x1e1e1e00, 0x95959500, 0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
296341Sdelphij     0x10101000, 0xc4c4c400, 0x00000000, 0x48484800, 0xa3a3a300, 0xf7f7f700,
296341Sdelphij     0x75757500, 0xdbdbdb00, 0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
296341Sdelphij     0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400, 0x87878700, 0x5c5c5c00,
296341Sdelphij     0x83838300, 0x02020200, 0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
296341Sdelphij     0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300, 0x9d9d9d00, 0x7f7f7f00,
296341Sdelphij     0xbfbfbf00, 0xe2e2e200, 0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
296341Sdelphij     0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00, 0x81818100, 0x96969600,
296341Sdelphij     0x6f6f6f00, 0x4b4b4b00, 0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
296341Sdelphij     0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00, 0x9f9f9f00, 0x6e6e6e00,
296341Sdelphij     0xbcbcbc00, 0x8e8e8e00, 0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
296341Sdelphij     0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900, 0x78787800, 0x98989800,
296341Sdelphij     0x06060600, 0x6a6a6a00, 0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
296341Sdelphij     0xd4d4d400, 0x25252500, 0xababab00, 0x42424200, 0x88888800, 0xa2a2a200,
296341Sdelphij     0x8d8d8d00, 0xfafafa00, 0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
296341Sdelphij     0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00, 0x36363600, 0x49494900,
296341Sdelphij     0x2a2a2a00, 0x68686800, 0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
296341Sdelphij     0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00, 0xbbbbbb00, 0xc9c9c900,
296341Sdelphij     0x43434300, 0xc1c1c100, 0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
296341Sdelphij     0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00},
296341Sdelphij    {0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0, 0xe4e400e4, 0x57570057,
296341Sdelphij     0xeaea00ea, 0xaeae00ae, 0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
296341Sdelphij     0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092, 0x86860086, 0xafaf00af,
296341Sdelphij     0x7c7c007c, 0x1f1f001f, 0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
296341Sdelphij     0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d, 0xd9d900d9, 0x5a5a005a,
296341Sdelphij     0x51510051, 0x6c6c006c, 0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
296341Sdelphij     0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084, 0xdfdf00df, 0xcbcb00cb,
296341Sdelphij     0x34340034, 0x76760076, 0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
296341Sdelphij     0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011, 0x32320032, 0x9c9c009c,
296341Sdelphij     0x53530053, 0xf2f200f2, 0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
296341Sdelphij     0x24240024, 0xe8e800e8, 0x60600060, 0x69690069, 0xaaaa00aa, 0xa0a000a0,
296341Sdelphij     0xa1a100a1, 0x62620062, 0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
296341Sdelphij     0x10100010, 0x00000000, 0xa3a300a3, 0x75750075, 0x8a8a008a, 0xe6e600e6,
296341Sdelphij     0x09090009, 0xdddd00dd, 0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
296341Sdelphij     0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf, 0x52520052, 0xd8d800d8,
296341Sdelphij     0xc8c800c8, 0xc6c600c6, 0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
296341Sdelphij     0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc, 0x29290029, 0xf9f900f9,
296341Sdelphij     0x2f2f002f, 0xb4b400b4, 0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
296341Sdelphij     0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d, 0x72720072, 0xb9b900b9,
296341Sdelphij     0xf8f800f8, 0xacac00ac, 0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
296341Sdelphij     0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043, 0x15150015, 0xadad00ad,
296341Sdelphij     0x77770077, 0x80800080, 0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
296341Sdelphij     0x85850085, 0x35350035, 0x0c0c000c, 0x41410041, 0xefef00ef, 0x93930093,
296341Sdelphij     0x19190019, 0x21210021, 0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
296341Sdelphij     0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce, 0x30300030, 0x5f5f005f,
296341Sdelphij     0xc5c500c5, 0x1a1a001a, 0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
296341Sdelphij     0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d, 0x0d0d000d, 0x66660066,
296341Sdelphij     0xcccc00cc, 0x2d2d002d, 0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
296341Sdelphij     0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005, 0xb7b700b7, 0x31310031,
296341Sdelphij     0x17170017, 0xd7d700d7, 0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
296341Sdelphij     0x0f0f000f, 0x16160016, 0x18180018, 0x22220022, 0x44440044, 0xb2b200b2,
296341Sdelphij     0xb5b500b5, 0x91910091, 0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
296341Sdelphij     0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097, 0x5b5b005b, 0x95950095,
296341Sdelphij     0xffff00ff, 0xd2d200d2, 0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
296341Sdelphij     0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094, 0x5c5c005c, 0x02020002,
296341Sdelphij     0x4a4a004a, 0x33330033, 0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
296341Sdelphij     0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b, 0x96960096, 0x4b4b004b,
296341Sdelphij     0xbebe00be, 0x2e2e002e, 0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
296341Sdelphij     0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059, 0x98980098, 0x6a6a006a,
296341Sdelphij     0x46460046, 0xbaba00ba, 0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
296341Sdelphij     0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a, 0x49490049, 0x68680068,
296341Sdelphij     0x38380038, 0xa4a400a4, 0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
296341Sdelphij     0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e},
296341Sdelphij    {0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9, 0x00676767, 0x004e4e4e,
296341Sdelphij     0x00818181, 0x00cbcbcb, 0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
296341Sdelphij     0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282, 0x00464646, 0x00dfdfdf,
296341Sdelphij     0x00d6d6d6, 0x00272727, 0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
296341Sdelphij     0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c, 0x003a3a3a, 0x00cacaca,
296341Sdelphij     0x00252525, 0x007b7b7b, 0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
296341Sdelphij     0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d, 0x007c7c7c, 0x00606060,
296341Sdelphij     0x00b9b9b9, 0x00bebebe, 0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
296341Sdelphij     0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595, 0x00ababab, 0x008e8e8e,
296341Sdelphij     0x00bababa, 0x007a7a7a, 0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
296341Sdelphij     0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a, 0x00171717, 0x001a1a1a,
296341Sdelphij     0x00353535, 0x00cccccc, 0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
296341Sdelphij     0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040, 0x00e1e1e1, 0x00636363,
296341Sdelphij     0x00090909, 0x00333333, 0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
296341Sdelphij     0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a, 0x00dadada, 0x006f6f6f,
296341Sdelphij     0x00535353, 0x00626262, 0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
296341Sdelphij     0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2, 0x00bdbdbd, 0x00363636,
296341Sdelphij     0x00222222, 0x00383838, 0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
296341Sdelphij     0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444, 0x00fdfdfd, 0x00888888,
296341Sdelphij     0x009f9f9f, 0x00656565, 0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
296341Sdelphij     0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151, 0x00c0c0c0, 0x00f9f9f9,
296341Sdelphij     0x00d2d2d2, 0x00a0a0a0, 0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
296341Sdelphij     0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f, 0x00a8a8a8, 0x00b6b6b6,
296341Sdelphij     0x003c3c3c, 0x002b2b2b, 0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
296341Sdelphij     0x00202020, 0x00898989, 0x00000000, 0x00909090, 0x00474747, 0x00efefef,
296341Sdelphij     0x00eaeaea, 0x00b7b7b7, 0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
296341Sdelphij     0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929, 0x000f0f0f, 0x00b8b8b8,
296341Sdelphij     0x00070707, 0x00040404, 0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
296341Sdelphij     0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7, 0x003b3b3b, 0x00fefefe,
296341Sdelphij     0x007f7f7f, 0x00c5c5c5, 0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
296341Sdelphij     0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676, 0x00030303, 0x002d2d2d,
296341Sdelphij     0x00dedede, 0x00969696, 0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
296341Sdelphij     0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919, 0x003f3f3f, 0x00dcdcdc,
296341Sdelphij     0x00797979, 0x001d1d1d, 0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
296341Sdelphij     0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2, 0x00f0f0f0, 0x00313131,
296341Sdelphij     0x000c0c0c, 0x00d4d4d4, 0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
296341Sdelphij     0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484, 0x00111111, 0x00454545,
296341Sdelphij     0x001b1b1b, 0x00f5f5f5, 0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
296341Sdelphij     0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414, 0x006c6c6c, 0x00929292,
296341Sdelphij     0x00545454, 0x00d0d0d0, 0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
296341Sdelphij     0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6, 0x00777777, 0x00939393,
296341Sdelphij     0x00868686, 0x00838383, 0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
296341Sdelphij     0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d},
296341Sdelphij    {0x38003838, 0x41004141, 0x16001616, 0x76007676, 0xd900d9d9, 0x93009393,
296341Sdelphij     0x60006060, 0xf200f2f2, 0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
296341Sdelphij     0x75007575, 0x06000606, 0x57005757, 0xa000a0a0, 0x91009191, 0xf700f7f7,
296341Sdelphij     0xb500b5b5, 0xc900c9c9, 0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
296341Sdelphij     0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727, 0x8e008e8e, 0xb200b2b2,
296341Sdelphij     0x49004949, 0xde00dede, 0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
296341Sdelphij     0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767, 0x1f001f1f, 0x18001818,
296341Sdelphij     0x6e006e6e, 0xaf00afaf, 0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
296341Sdelphij     0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565, 0xea00eaea, 0xa300a3a3,
296341Sdelphij     0xae00aeae, 0x9e009e9e, 0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
296341Sdelphij     0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6, 0xc500c5c5, 0x86008686,
296341Sdelphij     0x4d004d4d, 0x33003333, 0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
296341Sdelphij     0x3a003a3a, 0x09000909, 0x95009595, 0x10001010, 0x78007878, 0xd800d8d8,
296341Sdelphij     0x42004242, 0xcc00cccc, 0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
296341Sdelphij     0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282, 0xb600b6b6, 0xdb00dbdb,
296341Sdelphij     0xd400d4d4, 0x98009898, 0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
296341Sdelphij     0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0, 0x6f006f6f, 0x8d008d8d,
296341Sdelphij     0x88008888, 0x0e000e0e, 0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
296341Sdelphij     0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111, 0x7f007f7f, 0x22002222,
296341Sdelphij     0xe700e7e7, 0x59005959, 0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
296341Sdelphij     0x12001212, 0x04000404, 0x74007474, 0x54005454, 0x30003030, 0x7e007e7e,
296341Sdelphij     0xb400b4b4, 0x28002828, 0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
296341Sdelphij     0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb, 0x2a002a2a, 0xad00adad,
296341Sdelphij     0x0f000f0f, 0xca00caca, 0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
296341Sdelphij     0x08000808, 0x62006262, 0x00000000, 0x24002424, 0xd100d1d1, 0xfb00fbfb,
296341Sdelphij     0xba00baba, 0xed00eded, 0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
296341Sdelphij     0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a, 0xc300c3c3, 0x2e002e2e,
296341Sdelphij     0xc100c1c1, 0x01000101, 0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
296341Sdelphij     0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9, 0xce00cece, 0xbf00bfbf,
296341Sdelphij     0xdf00dfdf, 0x71007171, 0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
296341Sdelphij     0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d, 0xc000c0c0, 0x4b004b4b,
296341Sdelphij     0xb700b7b7, 0xa500a5a5, 0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
296341Sdelphij     0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646, 0xcf00cfcf, 0x37003737,
296341Sdelphij     0x5e005e5e, 0x47004747, 0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
296341Sdelphij     0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac, 0x3c003c3c, 0x4c004c4c,
296341Sdelphij     0x03000303, 0x35003535, 0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
296341Sdelphij     0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121, 0x44004444, 0x51005151,
296341Sdelphij     0xc600c6c6, 0x7d007d7d, 0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
296341Sdelphij     0x7c007c7c, 0x77007777, 0x56005656, 0x05000505, 0x1b001b1b, 0xa400a4a4,
296341Sdelphij     0x15001515, 0x34003434, 0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
296341Sdelphij     0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd, 0xdd00dddd, 0xe400e4e4,
296341Sdelphij     0xa100a1a1, 0xe000e0e0, 0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
296341Sdelphij     0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f}
238405Sjkim};
162911Ssimon
238405Sjkim/* Key generation constants */
238405Sjkimstatic const u32 SIGMA[] = {
238405Sjkim    0xa09e667f, 0x3bcc908b, 0xb67ae858, 0x4caa73b2, 0xc6ef372f, 0xe94f82be,
238405Sjkim    0x54ff53a5, 0xf1d36f1c, 0x10e527fa, 0xde682d1d, 0xb05688c2, 0xb3e6c1fd
238405Sjkim};
162911Ssimon
238405Sjkim/* The phi algorithm given in C.2.7 of the Camellia spec document. */
162911Ssimon/*
238405Sjkim * This version does not attempt to minimize amount of temporary
238405Sjkim * variables, but instead explicitly exposes algorithm's parallelism.
238405Sjkim * It is therefore most appropriate for platforms with not less than
238405Sjkim * ~16 registers. For platforms with less registers [well, x86 to be
238405Sjkim * specific] assembler version should be/is provided anyway...
162911Ssimon */
238405Sjkim#define Camellia_Feistel(_s0,_s1,_s2,_s3,_key) do {\
296341Sdelphij        register u32 _t0,_t1,_t2,_t3;\
238405Sjkim\
296341Sdelphij        _t0  = _s0 ^ (_key)[0];\
296341Sdelphij        _t3  = SBOX4_4404[_t0&0xff];\
296341Sdelphij        _t1  = _s1 ^ (_key)[1];\
296341Sdelphij        _t3 ^= SBOX3_3033[(_t0 >> 8)&0xff];\
296341Sdelphij        _t2  = SBOX1_1110[_t1&0xff];\
296341Sdelphij        _t3 ^= SBOX2_0222[(_t0 >> 16)&0xff];\
296341Sdelphij        _t2 ^= SBOX4_4404[(_t1 >> 8)&0xff];\
296341Sdelphij        _t3 ^= SBOX1_1110[(_t0 >> 24)];\
296341Sdelphij        _t2 ^= _t3;\
296341Sdelphij        _t3  = RightRotate(_t3,8);\
296341Sdelphij        _t2 ^= SBOX3_3033[(_t1 >> 16)&0xff];\
296341Sdelphij        _s3 ^= _t3;\
296341Sdelphij        _t2 ^= SBOX2_0222[(_t1 >> 24)];\
296341Sdelphij        _s2 ^= _t2; \
296341Sdelphij        _s3 ^= _t2;\
238405Sjkim} while(0)
162911Ssimon
238405Sjkim/*
238405Sjkim * Note that n has to be less than 32. Rotations for larger amount
238405Sjkim * of bits are achieved by "rotating" order of s-elements and
238405Sjkim * adjusting n accordingly, e.g. RotLeft128(s1,s2,s3,s0,n-32).
162911Ssimon */
238405Sjkim#define RotLeft128(_s0,_s1,_s2,_s3,_n) do {\
296341Sdelphij        u32 _t0=_s0>>(32-_n);\
296341Sdelphij        _s0 = (_s0<<_n) | (_s1>>(32-_n));\
296341Sdelphij        _s1 = (_s1<<_n) | (_s2>>(32-_n));\
296341Sdelphij        _s2 = (_s2<<_n) | (_s3>>(32-_n));\
296341Sdelphij        _s3 = (_s3<<_n) | _t0;\
238405Sjkim} while (0)
162911Ssimon
238405Sjkimint Camellia_Ekeygen(int keyBitLength, const u8 *rawKey, KEY_TABLE_TYPE k)
296341Sdelphij{
296341Sdelphij    register u32 s0, s1, s2, s3;
162911Ssimon
296341Sdelphij    k[0] = s0 = GETU32(rawKey);
296341Sdelphij    k[1] = s1 = GETU32(rawKey + 4);
296341Sdelphij    k[2] = s2 = GETU32(rawKey + 8);
296341Sdelphij    k[3] = s3 = GETU32(rawKey + 12);
162911Ssimon
296341Sdelphij    if (keyBitLength != 128) {
296341Sdelphij        k[8] = s0 = GETU32(rawKey + 16);
296341Sdelphij        k[9] = s1 = GETU32(rawKey + 20);
296341Sdelphij        if (keyBitLength == 192) {
296341Sdelphij            k[10] = s2 = ~s0;
296341Sdelphij            k[11] = s3 = ~s1;
296341Sdelphij        } else {
296341Sdelphij            k[10] = s2 = GETU32(rawKey + 24);
296341Sdelphij            k[11] = s3 = GETU32(rawKey + 28);
296341Sdelphij        }
296341Sdelphij        s0 ^= k[0], s1 ^= k[1], s2 ^= k[2], s3 ^= k[3];
296341Sdelphij    }
162911Ssimon
296341Sdelphij    /* Use the Feistel routine to scramble the key material */
296341Sdelphij    Camellia_Feistel(s0, s1, s2, s3, SIGMA + 0);
296341Sdelphij    Camellia_Feistel(s2, s3, s0, s1, SIGMA + 2);
162911Ssimon
296341Sdelphij    s0 ^= k[0], s1 ^= k[1], s2 ^= k[2], s3 ^= k[3];
296341Sdelphij    Camellia_Feistel(s0, s1, s2, s3, SIGMA + 4);
296341Sdelphij    Camellia_Feistel(s2, s3, s0, s1, SIGMA + 6);
162911Ssimon
296341Sdelphij    /* Fill the keyTable. Requires many block rotations. */
296341Sdelphij    if (keyBitLength == 128) {
296341Sdelphij        k[4] = s0, k[5] = s1, k[6] = s2, k[7] = s3;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 15 */
296341Sdelphij        k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 30 */
296341Sdelphij        k[16] = s0, k[17] = s1, k[18] = s2, k[19] = s3;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 45 */
296341Sdelphij        k[24] = s0, k[25] = s1;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 60 */
296341Sdelphij        k[28] = s0, k[29] = s1, k[30] = s2, k[31] = s3;
296341Sdelphij        RotLeft128(s1, s2, s3, s0, 2); /* KA <<< 94 */
296341Sdelphij        k[40] = s1, k[41] = s2, k[42] = s3, k[43] = s0;
296341Sdelphij        RotLeft128(s1, s2, s3, s0, 17); /* KA <<<111 */
296341Sdelphij        k[48] = s1, k[49] = s2, k[50] = s3, k[51] = s0;
162911Ssimon
296341Sdelphij        s0 = k[0], s1 = k[1], s2 = k[2], s3 = k[3];
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 15); /* KL <<< 15 */
296341Sdelphij        k[8] = s0, k[9] = s1, k[10] = s2, k[11] = s3;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 30); /* KL <<< 45 */
296341Sdelphij        k[20] = s0, k[21] = s1, k[22] = s2, k[23] = s3;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 15); /* KL <<< 60 */
296341Sdelphij        k[26] = s2, k[27] = s3;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 17); /* KL <<< 77 */
296341Sdelphij        k[32] = s0, k[33] = s1, k[34] = s2, k[35] = s3;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 17); /* KL <<< 94 */
296341Sdelphij        k[36] = s0, k[37] = s1, k[38] = s2, k[39] = s3;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 17); /* KL <<<111 */
296341Sdelphij        k[44] = s0, k[45] = s1, k[46] = s2, k[47] = s3;
162911Ssimon
296341Sdelphij        return 3;               /* grand rounds */
296341Sdelphij    } else {
296341Sdelphij        k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
296341Sdelphij        s0 ^= k[8], s1 ^= k[9], s2 ^= k[10], s3 ^= k[11];
296341Sdelphij        Camellia_Feistel(s0, s1, s2, s3, (SIGMA + 8));
296341Sdelphij        Camellia_Feistel(s2, s3, s0, s1, (SIGMA + 10));
162911Ssimon
296341Sdelphij        k[4] = s0, k[5] = s1, k[6] = s2, k[7] = s3;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 30); /* KB <<< 30 */
296341Sdelphij        k[20] = s0, k[21] = s1, k[22] = s2, k[23] = s3;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 30); /* KB <<< 60 */
296341Sdelphij        k[40] = s0, k[41] = s1, k[42] = s2, k[43] = s3;
296341Sdelphij        RotLeft128(s1, s2, s3, s0, 19); /* KB <<<111 */
296341Sdelphij        k[64] = s1, k[65] = s2, k[66] = s3, k[67] = s0;
162911Ssimon
296341Sdelphij        s0 = k[8], s1 = k[9], s2 = k[10], s3 = k[11];
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 15); /* KR <<< 15 */
296341Sdelphij        k[8] = s0, k[9] = s1, k[10] = s2, k[11] = s3;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 15); /* KR <<< 30 */
296341Sdelphij        k[16] = s0, k[17] = s1, k[18] = s2, k[19] = s3;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 30); /* KR <<< 60 */
296341Sdelphij        k[36] = s0, k[37] = s1, k[38] = s2, k[39] = s3;
296341Sdelphij        RotLeft128(s1, s2, s3, s0, 2); /* KR <<< 94 */
296341Sdelphij        k[52] = s1, k[53] = s2, k[54] = s3, k[55] = s0;
162911Ssimon
296341Sdelphij        s0 = k[12], s1 = k[13], s2 = k[14], s3 = k[15];
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 15 */
296341Sdelphij        k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
296341Sdelphij        RotLeft128(s0, s1, s2, s3, 30); /* KA <<< 45 */
296341Sdelphij        k[28] = s0, k[29] = s1, k[30] = s2, k[31] = s3;
296341Sdelphij        /* KA <<< 77 */
296341Sdelphij        k[48] = s1, k[49] = s2, k[50] = s3, k[51] = s0;
296341Sdelphij        RotLeft128(s1, s2, s3, s0, 17); /* KA <<< 94 */
296341Sdelphij        k[56] = s1, k[57] = s2, k[58] = s3, k[59] = s0;
162911Ssimon
296341Sdelphij        s0 = k[0], s1 = k[1], s2 = k[2], s3 = k[3];
296341Sdelphij        RotLeft128(s1, s2, s3, s0, 13); /* KL <<< 45 */
296341Sdelphij        k[24] = s1, k[25] = s2, k[26] = s3, k[27] = s0;
296341Sdelphij        RotLeft128(s1, s2, s3, s0, 15); /* KL <<< 60 */
296341Sdelphij        k[32] = s1, k[33] = s2, k[34] = s3, k[35] = s0;
296341Sdelphij        RotLeft128(s1, s2, s3, s0, 17); /* KL <<< 77 */
296341Sdelphij        k[44] = s1, k[45] = s2, k[46] = s3, k[47] = s0;
296341Sdelphij        RotLeft128(s2, s3, s0, s1, 2); /* KL <<<111 */
296341Sdelphij        k[60] = s2, k[61] = s3, k[62] = s0, k[63] = s1;
162911Ssimon
296341Sdelphij        return 4;               /* grand rounds */
296341Sdelphij    }
296341Sdelphij    /*
296341Sdelphij     * It is possible to perform certain precalculations, which
296341Sdelphij     * would spare few cycles in block procedure. It's not done,
296341Sdelphij     * because it upsets the performance balance between key
296341Sdelphij     * setup and block procedures, negatively affecting overall
296341Sdelphij     * throughput in applications operating on short messages
296341Sdelphij     * and volatile keys.
296341Sdelphij     */
296341Sdelphij}
162911Ssimon
296341Sdelphijvoid Camellia_EncryptBlock_Rounds(int grandRounds, const u8 plaintext[],
296341Sdelphij                                  const KEY_TABLE_TYPE keyTable,
296341Sdelphij                                  u8 ciphertext[])
296341Sdelphij{
296341Sdelphij    register u32 s0, s1, s2, s3;
296341Sdelphij    const u32 *k = keyTable, *kend = keyTable + grandRounds * 16;
162911Ssimon
296341Sdelphij    s0 = GETU32(plaintext) ^ k[0];
296341Sdelphij    s1 = GETU32(plaintext + 4) ^ k[1];
296341Sdelphij    s2 = GETU32(plaintext + 8) ^ k[2];
296341Sdelphij    s3 = GETU32(plaintext + 12) ^ k[3];
296341Sdelphij    k += 4;
162911Ssimon
296341Sdelphij    while (1) {
296341Sdelphij        /* Camellia makes 6 Feistel rounds */
296341Sdelphij        Camellia_Feistel(s0, s1, s2, s3, k + 0);
296341Sdelphij        Camellia_Feistel(s2, s3, s0, s1, k + 2);
296341Sdelphij        Camellia_Feistel(s0, s1, s2, s3, k + 4);
296341Sdelphij        Camellia_Feistel(s2, s3, s0, s1, k + 6);
296341Sdelphij        Camellia_Feistel(s0, s1, s2, s3, k + 8);
296341Sdelphij        Camellia_Feistel(s2, s3, s0, s1, k + 10);
296341Sdelphij        k += 12;
162911Ssimon
296341Sdelphij        if (k == kend)
296341Sdelphij            break;
162911Ssimon
296341Sdelphij        /*
296341Sdelphij         * This is the same function as the diffusion function D of the
296341Sdelphij         * accompanying documentation. See section 3.2 for properties of the
296341Sdelphij         * FLlayer function.
296341Sdelphij         */
296341Sdelphij        s1 ^= LeftRotate(s0 & k[0], 1);
296341Sdelphij        s2 ^= s3 | k[3];
296341Sdelphij        s0 ^= s1 | k[1];
296341Sdelphij        s3 ^= LeftRotate(s2 & k[2], 1);
296341Sdelphij        k += 4;
296341Sdelphij    }
162911Ssimon
296341Sdelphij    s2 ^= k[0], s3 ^= k[1], s0 ^= k[2], s1 ^= k[3];
162911Ssimon
296341Sdelphij    PUTU32(ciphertext, s2);
296341Sdelphij    PUTU32(ciphertext + 4, s3);
296341Sdelphij    PUTU32(ciphertext + 8, s0);
296341Sdelphij    PUTU32(ciphertext + 12, s1);
296341Sdelphij}
162911Ssimon
296341Sdelphijvoid Camellia_EncryptBlock(int keyBitLength, const u8 plaintext[],
296341Sdelphij                           const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
296341Sdelphij{
296341Sdelphij    Camellia_EncryptBlock_Rounds(keyBitLength == 128 ? 3 : 4,
296341Sdelphij                                 plaintext, keyTable, ciphertext);
296341Sdelphij}
162911Ssimon
296341Sdelphijvoid Camellia_DecryptBlock_Rounds(int grandRounds, const u8 ciphertext[],
296341Sdelphij                                  const KEY_TABLE_TYPE keyTable,
296341Sdelphij                                  u8 plaintext[])
296341Sdelphij{
296341Sdelphij    u32 s0, s1, s2, s3;
296341Sdelphij    const u32 *k = keyTable + grandRounds * 16, *kend = keyTable + 4;
162911Ssimon
296341Sdelphij    s0 = GETU32(ciphertext) ^ k[0];
296341Sdelphij    s1 = GETU32(ciphertext + 4) ^ k[1];
296341Sdelphij    s2 = GETU32(ciphertext + 8) ^ k[2];
296341Sdelphij    s3 = GETU32(ciphertext + 12) ^ k[3];
162911Ssimon
296341Sdelphij    while (1) {
296341Sdelphij        /* Camellia makes 6 Feistel rounds */
296341Sdelphij        k -= 12;
296341Sdelphij        Camellia_Feistel(s0, s1, s2, s3, k + 10);
296341Sdelphij        Camellia_Feistel(s2, s3, s0, s1, k + 8);
296341Sdelphij        Camellia_Feistel(s0, s1, s2, s3, k + 6);
296341Sdelphij        Camellia_Feistel(s2, s3, s0, s1, k + 4);
296341Sdelphij        Camellia_Feistel(s0, s1, s2, s3, k + 2);
296341Sdelphij        Camellia_Feistel(s2, s3, s0, s1, k + 0);
162911Ssimon
296341Sdelphij        if (k == kend)
296341Sdelphij            break;
162911Ssimon
296341Sdelphij        /*
296341Sdelphij         * This is the same function as the diffusion function D of the
296341Sdelphij         * accompanying documentation. See section 3.2 for properties of the
296341Sdelphij         * FLlayer function.
296341Sdelphij         */
296341Sdelphij        k -= 4;
296341Sdelphij        s1 ^= LeftRotate(s0 & k[2], 1);
296341Sdelphij        s2 ^= s3 | k[1];
296341Sdelphij        s0 ^= s1 | k[3];
296341Sdelphij        s3 ^= LeftRotate(s2 & k[0], 1);
296341Sdelphij    }
162911Ssimon
296341Sdelphij    k -= 4;
296341Sdelphij    s2 ^= k[0], s3 ^= k[1], s0 ^= k[2], s1 ^= k[3];
296341Sdelphij
296341Sdelphij    PUTU32(plaintext, s2);
296341Sdelphij    PUTU32(plaintext + 4, s3);
296341Sdelphij    PUTU32(plaintext + 8, s0);
296341Sdelphij    PUTU32(plaintext + 12, s1);
296341Sdelphij}
296341Sdelphij
296341Sdelphijvoid Camellia_DecryptBlock(int keyBitLength, const u8 plaintext[],
296341Sdelphij                           const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
296341Sdelphij{
296341Sdelphij    Camellia_DecryptBlock_Rounds(keyBitLength == 128 ? 3 : 4,
296341Sdelphij                                 plaintext, keyTable, ciphertext);
296341Sdelphij}