camellia.c

Camellia算法官方发表的版本OpenSSL1.1。为2006.7官方发布。

/* round 15 */
    subl(20) ^= kw4l; subr(20) ^= kw4r;
/* round 13 */
    subl(18) ^= kw4l; subr(18) ^= kw4r;
    kw4l ^= kw4r & ~subr(16);
    dw = kw4l & subl(16),
	kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl3) */
/* round 11 */
    subl(14) ^= kw4l; subr(14) ^= kw4r;
/* round 9 */
    subl(12) ^= kw4l; subr(12) ^= kw4r;
/* round 7 */
    subl(10) ^= kw4l; subr(10) ^= kw4r;
    kw4l ^= kw4r & ~subr(8);
    dw = kw4l & subl(8),
	kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl1) */
/* round 5 */
    subl(6) ^= kw4l; subr(6) ^= kw4r;
/* round 3 */
    subl(4) ^= kw4l; subr(4) ^= kw4r;
/* round 1 */
    subl(2) ^= kw4l; subr(2) ^= kw4r;
/* kw1 */
    subl(0) ^= kw4l; subr(0) ^= kw4r;


    /* key XOR is end of F-function */
    CamelliaSubkeyL(0) = subl(0) ^ subl(2);/* kw1 */
    CamelliaSubkeyR(0) = subr(0) ^ subr(2);
    CamelliaSubkeyL(2) = subl(3);       /* round 1 */
    CamelliaSubkeyR(2) = subr(3);
    CamelliaSubkeyL(3) = subl(2) ^ subl(4); /* round 2 */
    CamelliaSubkeyR(3) = subr(2) ^ subr(4);
    CamelliaSubkeyL(4) = subl(3) ^ subl(5); /* round 3 */
    CamelliaSubkeyR(4) = subr(3) ^ subr(5);
    CamelliaSubkeyL(5) = subl(4) ^ subl(6); /* round 4 */
    CamelliaSubkeyR(5) = subr(4) ^ subr(6);
    CamelliaSubkeyL(6) = subl(5) ^ subl(7); /* round 5 */
    CamelliaSubkeyR(6) = subr(5) ^ subr(7);
    tl = subl(10) ^ (subr(10) & ~subr(8));
    dw = tl & subl(8),  /* FL(kl1) */
	tr = subr(10) ^ CAMELLIA_RL1(dw);
    CamelliaSubkeyL(7) = subl(6) ^ tl; /* round 6 */
    CamelliaSubkeyR(7) = subr(6) ^ tr;
    CamelliaSubkeyL(8) = subl(8);       /* FL(kl1) */
    CamelliaSubkeyR(8) = subr(8);
    CamelliaSubkeyL(9) = subl(9);       /* FLinv(kl2) */
    CamelliaSubkeyR(9) = subr(9);
    tl = subl(7) ^ (subr(7) & ~subr(9));
    dw = tl & subl(9),  /* FLinv(kl2) */
	tr = subr(7) ^ CAMELLIA_RL1(dw);
    CamelliaSubkeyL(10) = tl ^ subl(11); /* round 7 */
    CamelliaSubkeyR(10) = tr ^ subr(11);
    CamelliaSubkeyL(11) = subl(10) ^ subl(12); /* round 8 */
    CamelliaSubkeyR(11) = subr(10) ^ subr(12);
    CamelliaSubkeyL(12) = subl(11) ^ subl(13); /* round 9 */
    CamelliaSubkeyR(12) = subr(11) ^ subr(13);
    CamelliaSubkeyL(13) = subl(12) ^ subl(14); /* round 10 */
    CamelliaSubkeyR(13) = subr(12) ^ subr(14);
    CamelliaSubkeyL(14) = subl(13) ^ subl(15); /* round 11 */
    CamelliaSubkeyR(14) = subr(13) ^ subr(15);
    tl = subl(18) ^ (subr(18) & ~subr(16));
    dw = tl & subl(16), /* FL(kl3) */
	tr = subr(18) ^ CAMELLIA_RL1(dw);
    CamelliaSubkeyL(15) = subl(14) ^ tl; /* round 12 */
    CamelliaSubkeyR(15) = subr(14) ^ tr;
    CamelliaSubkeyL(16) = subl(16);     /* FL(kl3) */
    CamelliaSubkeyR(16) = subr(16);
    CamelliaSubkeyL(17) = subl(17);     /* FLinv(kl4) */
    CamelliaSubkeyR(17) = subr(17);
    tl = subl(15) ^ (subr(15) & ~subr(17));
    dw = tl & subl(17), /* FLinv(kl4) */
	tr = subr(15) ^ CAMELLIA_RL1(dw);
    CamelliaSubkeyL(18) = tl ^ subl(19); /* round 13 */
    CamelliaSubkeyR(18) = tr ^ subr(19);
    CamelliaSubkeyL(19) = subl(18) ^ subl(20); /* round 14 */
    CamelliaSubkeyR(19) = subr(18) ^ subr(20);
    CamelliaSubkeyL(20) = subl(19) ^ subl(21); /* round 15 */
    CamelliaSubkeyR(20) = subr(19) ^ subr(21);
    CamelliaSubkeyL(21) = subl(20) ^ subl(22); /* round 16 */
    CamelliaSubkeyR(21) = subr(20) ^ subr(22);
    CamelliaSubkeyL(22) = subl(21) ^ subl(23); /* round 17 */
    CamelliaSubkeyR(22) = subr(21) ^ subr(23);
    CamelliaSubkeyL(23) = subl(22);     /* round 18 */
    CamelliaSubkeyR(23) = subr(22);
    CamelliaSubkeyL(24) = subl(24) ^ subl(23); /* kw3 */
    CamelliaSubkeyR(24) = subr(24) ^ subr(23);

    /* apply the inverse of the last half of P-function */
    dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2),
	dw = CAMELLIA_RL8(dw);/* round 1 */
    CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw,
	CamelliaSubkeyL(2) = dw;
    dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3),
	dw = CAMELLIA_RL8(dw);/* round 2 */
    CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw,
	CamelliaSubkeyL(3) = dw;
    dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4),
	dw = CAMELLIA_RL8(dw);/* round 3 */
    CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw,
	CamelliaSubkeyL(4) = dw;
    dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5),
	dw = CAMELLIA_RL8(dw);/* round 4 */
    CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw,
	CamelliaSubkeyL(5) = dw;
    dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6),
	dw = CAMELLIA_RL8(dw);/* round 5 */
    CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw,
	CamelliaSubkeyL(6) = dw;
    dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7),
	dw = CAMELLIA_RL8(dw);/* round 6 */
    CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw,
	CamelliaSubkeyL(7) = dw;
    dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10),
	dw = CAMELLIA_RL8(dw);/* round 7 */
    CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw,
	CamelliaSubkeyL(10) = dw;
    dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11),
	dw = CAMELLIA_RL8(dw);/* round 8 */
    CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw,
	CamelliaSubkeyL(11) = dw;
    dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12),
	dw = CAMELLIA_RL8(dw);/* round 9 */
    CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw,
	CamelliaSubkeyL(12) = dw;
    dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13),
	dw = CAMELLIA_RL8(dw);/* round 10 */
    CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw,
	CamelliaSubkeyL(13) = dw;
    dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14),
	dw = CAMELLIA_RL8(dw);/* round 11 */
    CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw,
	CamelliaSubkeyL(14) = dw;
    dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15),
	dw = CAMELLIA_RL8(dw);/* round 12 */
    CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw,
	CamelliaSubkeyL(15) = dw;
    dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18),
	dw = CAMELLIA_RL8(dw);/* round 13 */
    CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw,
	CamelliaSubkeyL(18) = dw;
    dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19),
	dw = CAMELLIA_RL8(dw);/* round 14 */
    CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw,
	CamelliaSubkeyL(19) = dw;
    dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20),
	dw = CAMELLIA_RL8(dw);/* round 15 */
    CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw,
	CamelliaSubkeyL(20) = dw;
    dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21),
	dw = CAMELLIA_RL8(dw);/* round 16 */
    CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw,
	CamelliaSubkeyL(21) = dw;
    dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22),
	dw = CAMELLIA_RL8(dw);/* round 17 */
    CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw,
	CamelliaSubkeyL(22) = dw;
    dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23),
	dw = CAMELLIA_RL8(dw);/* round 18 */
    CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw,
	CamelliaSubkeyL(23) = dw;

    return;
}

void camellia_setup256(const unsigned char *key, uint32_t *subkey)
{
    uint32_t kll,klr,krl,krr;           /* left half of key */
    uint32_t krll,krlr,krrl,krrr;       /* right half of key */
    uint32_t il, ir, t0, t1, w0, w1;    /* temporary variables */
    uint32_t kw4l, kw4r, dw, tl, tr;
    uint32_t subL[34];
    uint32_t subR[34];

    /**
     *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
     *  (|| is concatination)
     */

    kll  = GETU32(key     );
    klr  = GETU32(key +  4);
    krl  = GETU32(key +  8);
    krr  = GETU32(key + 12);
    krll = GETU32(key + 16);
    krlr = GETU32(key + 20);
    krrl = GETU32(key + 24);
    krrr = GETU32(key + 28);

    /* generate KL dependent subkeys */
    /* kw1 */
    subl(0) = kll; subr(0) = klr;
    /* kw2 */
    subl(1) = krl; subr(1) = krr;
    CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
    /* k9 */
    subl(12) = kll; subr(12) = klr;
    /* k10 */
    subl(13) = krl; subr(13) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
    /* kl3 */
    subl(16) = kll; subr(16) = klr;
    /* kl4 */
    subl(17) = krl; subr(17) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
    /* k17 */
    subl(22) = kll; subr(22) = klr;
    /* k18 */
    subl(23) = krl; subr(23) = krr;
    CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
    /* k23 */
    subl(30) = kll; subr(30) = klr;
    /* k24 */
    subl(31) = krl; subr(31) = krr;

    /* generate KR dependent subkeys */
    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
    /* k3 */
    subl(4) = krll; subr(4) = krlr;
    /* k4 */
    subl(5) = krrl; subr(5) = krrr;
    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
    /* kl1 */
    subl(8) = krll; subr(8) = krlr;
    /* kl2 */
    subl(9) = krrl; subr(9) = krrr;
    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
    /* k13 */
    subl(18) = krll; subr(18) = krlr;
    /* k14 */
    subl(19) = krrl; subr(19) = krrr;
    CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
    /* k19 */
    subl(26) = krll; subr(26) = krlr;
    /* k20 */
    subl(27) = krrl; subr(27) = krrr;
    CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);

    /* generate KA */
    kll = subl(0) ^ krll; klr = subr(0) ^ krlr;
    krl = subl(1) ^ krrl; krr = subr(1) ^ krrr;
    CAMELLIA_F(kll, klr,
	       CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
	       w0, w1, il, ir, t0, t1);
    krl ^= w0; krr ^= w1;
    CAMELLIA_F(krl, krr,
	       CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
	       kll, klr, il, ir, t0, t1);
    kll ^= krll; klr ^= krlr;
    CAMELLIA_F(kll, klr,
	       CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
	       krl, krr, il, ir, t0, t1);
    krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
    CAMELLIA_F(krl, krr,
	       CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
	       w0, w1, il, ir, t0, t1);
    kll ^= w0; klr ^= w1;

    /* generate KB */
    krll ^= kll; krlr ^= klr;
    krrl ^= krl; krrr ^= krr;
    CAMELLIA_F(krll, krlr,
	       CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
	       w0, w1, il, ir, t0, t1);
    krrl ^= w0; krrr ^= w1;
    CAMELLIA_F(krrl, krrr,
	       CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
	       w0, w1, il, ir, t0, t1);
    krll ^= w0; krlr ^= w1;

    /* generate KA dependent subkeys */
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
    /* k5 */
    subl(6) = kll; subr(6) = klr;
    /* k6 */
    subl(7) = krl; subr(7) = krr;
    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
    /* k11 */
    subl(14) = kll; subr(14) = klr;
    /* k12 */
    subl(15) = krl; subr(15) = krr;
    /* rotation left shift 32bit */
    /* kl5 */
    subl(24) = klr; subr(24) = krl;
    /* kl6 */
    subl(25) = krr; subr(25) = kll;
    /* rotation left shift 49 from k11,k12 -> k21,k22 */
    CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
    /* k21 */
    subl(28) = kll; subr(28) = klr;
    /* k22 */
    subl(29) = krl; subr(29) = krr;

    /* generate KB dependent subkeys */
    /* k1 */
    subl(2) = krll; subr(2) = krlr;
    /* k2 */
    subl(3) = krrl; subr(3) = krrr;
    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
    /* k7 */
    subl(10) = krll; subr(10) = krlr;
    /* k8 */
    subl(11) = krrl; subr(11) = krrr;
    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
    /* k15 */
    subl(20) = krll; subr(20) = krlr;
    /* k16 */
    subl(21) = krrl; subr(21) = krrr;
    CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
    /* kw3 */
    subl(32) = krll; subr(32) = krlr;
    /* kw4 */
    subl(33) = krrl; subr(33) = krrr;

    /* absorb kw2 to other subkeys */
/* round 2 */
    subl(3) ^= subl(1); subr(3) ^= subr(1);
/* round 4 */
    subl(5) ^= subl(1); subr(5) ^= subr(1);
/* round 6 */
    subl(7) ^= subl(1); subr(7) ^= subr(1);
    subl(1) ^= subr(1) & ~subr(9);
    dw = subl(1) & subl(9),
	subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl2) */
/* round 8 */
    subl(11) ^= subl(1); subr(11) ^= subr(1);
/* round 10 */
    subl(13) ^= subl(1); subr(13) ^= subr(1);
/* round 12 */
    subl(15) ^= subl(1); subr(15) ^= subr(1);
    subl(1) ^= subr(1) & ~subr(17);
    dw = subl(1) & subl(17),
	subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl4) */
/* round 14 */
    subl(19) ^= subl(1); subr(19) ^= subr(1);
/* round 16 */
    subl(21) ^= subl(1); subr(21) ^= subr(1);
/* round 18 */
    subl(23) ^= subl(1); subr(23) ^= subr(1);
    subl(1) ^= subr(1) & ~subr(25);
    dw = subl(1) & subl(25),
	subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl6) */
/* round 20 */
    subl(27) ^= subl(1); subr(27) ^= subr(1);
/* round 22 */
    subl(29) ^= subl(1); subr(29) ^= subr(1);
/* round 24 */
    subl(31) ^= subl(1); subr(31) ^= subr(1);
/* kw3 */
    subl(32) ^= subl(1); subr(32) ^= subr(1);


    /* absorb kw4 to other subkeys */
    kw4l = subl(33); kw4r = subr(33);
/* round 23 */
    subl(30) ^= kw4l; subr(30) ^= kw4r;
/* round 21 */
    subl(28) ^= kw4l; subr(28) ^= kw4r;
/* round 19 */
    subl(26) ^= kw4l; subr(26) ^= kw4r;
    kw4l ^= kw4r & ~subr(24);
    dw = kw4l & subl(24),
	kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl5) */
/* round 17 */
    subl(22) ^= kw4l; subr(22) ^= kw4r;