VirtualBox

source: vbox/trunk/src/libs/openssl-3.1.7/crypto/camellia/camellia.c@ 105945

最後變更 在這個檔案從105945是 104078,由 vboxsync 提交於 8 月 前

openssl-3.1.5: Applied and adjusted our OpenSSL changes to 3.1.4. bugref:10638

檔案大小: 25.1 KB
 
1/*
2 * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/* ====================================================================
11 * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) .
12 * ALL RIGHTS RESERVED.
13 *
14 * Intellectual Property information for Camellia:
15 * http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
16 *
17 * News Release for Announcement of Camellia open source:
18 * http://www.ntt.co.jp/news/news06e/0604/060413a.html
19 *
20 * The Camellia Code included herein is developed by
21 * NTT (Nippon Telegraph and Telephone Corporation), and is contributed
22 * to the OpenSSL project.
23 */
24
25/*
26 * Algorithm Specification
27 * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
28 */
29
30/*
31 * This release balances code size and performance. In particular key
32 * schedule setup is fully unrolled, because doing so *significantly*
33 * reduces amount of instructions per setup round and code increase is
34 * justifiable. In block functions on the other hand only inner loops
35 * are unrolled, as full unroll gives only nominal performance boost,
36 * while code size grows 4 or 7 times. Also, unlike previous versions
37 * this one "encourages" compiler to keep intermediate variables in
38 * registers, which should give better "all round" results, in other
39 * words reasonable performance even with not so modern compilers.
40 */
41
42/*
43 * Camellia low level APIs are deprecated for public use, but still ok for
44 * internal use.
45 */
46#include "internal/deprecated.h"
47
48#include <openssl/camellia.h>
49#include "cmll_local.h"
50#include <string.h>
51#include <stdlib.h>
52
53#define RightRotate(x, s) ( ((x) >> (s)) + ((x) << (32 - s)) )
54#define LeftRotate(x, s) ( ((x) << (s)) + ((x) >> (32 - s)) )
55
56#define GETU32(p) (((u32)(p)[0] << 24) ^ ((u32)(p)[1] << 16) ^ ((u32)(p)[2] << 8) ^ ((u32)(p)[3]))
57#define PUTU32(p,v) ((p)[0] = (u8)((v) >> 24), (p)[1] = (u8)((v) >> 16), (p)[2] = (u8)((v) >> 8), (p)[3] = (u8)(v))
58
59/* S-box data */
60#define SBOX1_1110 Camellia_SBOX[0]
61#define SBOX4_4404 Camellia_SBOX[1]
62#define SBOX2_0222 Camellia_SBOX[2]
63#define SBOX3_3033 Camellia_SBOX[3]
64static const u32 Camellia_SBOX[][256] = {
65 {0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00, 0xb3b3b300, 0x27272700,
66 0xc0c0c000, 0xe5e5e500, 0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
67 0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100, 0x23232300, 0xefefef00,
68 0x6b6b6b00, 0x93939300, 0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
69 0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00, 0x1d1d1d00, 0x65656500,
70 0x92929200, 0xbdbdbd00, 0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
71 0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00, 0x3e3e3e00, 0x30303000,
72 0xdcdcdc00, 0x5f5f5f00, 0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
73 0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00, 0xd5d5d500, 0x47474700,
74 0x5d5d5d00, 0x3d3d3d00, 0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
75 0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00, 0x8b8b8b00, 0x0d0d0d00,
76 0x9a9a9a00, 0x66666600, 0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
77 0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000, 0xf0f0f000, 0xb1b1b100,
78 0x84848400, 0x99999900, 0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
79 0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500, 0x6d6d6d00, 0xb7b7b700,
80 0xa9a9a900, 0x31313100, 0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
81 0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100, 0xdedede00, 0x1b1b1b00,
82 0x11111100, 0x1c1c1c00, 0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
83 0x53535300, 0x18181800, 0xf2f2f200, 0x22222200, 0xfefefe00, 0x44444400,
84 0xcfcfcf00, 0xb2b2b200, 0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
85 0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800, 0x60606000, 0xfcfcfc00,
86 0x69696900, 0x50505000, 0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
87 0xa1a1a100, 0x89898900, 0x62626200, 0x97979700, 0x54545400, 0x5b5b5b00,
88 0x1e1e1e00, 0x95959500, 0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
89 0x10101000, 0xc4c4c400, 0x00000000, 0x48484800, 0xa3a3a300, 0xf7f7f700,
90 0x75757500, 0xdbdbdb00, 0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
91 0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400, 0x87878700, 0x5c5c5c00,
92 0x83838300, 0x02020200, 0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
93 0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300, 0x9d9d9d00, 0x7f7f7f00,
94 0xbfbfbf00, 0xe2e2e200, 0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
95 0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00, 0x81818100, 0x96969600,
96 0x6f6f6f00, 0x4b4b4b00, 0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
97 0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00, 0x9f9f9f00, 0x6e6e6e00,
98 0xbcbcbc00, 0x8e8e8e00, 0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
99 0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900, 0x78787800, 0x98989800,
100 0x06060600, 0x6a6a6a00, 0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
101 0xd4d4d400, 0x25252500, 0xababab00, 0x42424200, 0x88888800, 0xa2a2a200,
102 0x8d8d8d00, 0xfafafa00, 0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
103 0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00, 0x36363600, 0x49494900,
104 0x2a2a2a00, 0x68686800, 0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
105 0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00, 0xbbbbbb00, 0xc9c9c900,
106 0x43434300, 0xc1c1c100, 0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
107 0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00},
108 {0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0, 0xe4e400e4, 0x57570057,
109 0xeaea00ea, 0xaeae00ae, 0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
110 0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092, 0x86860086, 0xafaf00af,
111 0x7c7c007c, 0x1f1f001f, 0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
112 0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d, 0xd9d900d9, 0x5a5a005a,
113 0x51510051, 0x6c6c006c, 0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
114 0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084, 0xdfdf00df, 0xcbcb00cb,
115 0x34340034, 0x76760076, 0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
116 0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011, 0x32320032, 0x9c9c009c,
117 0x53530053, 0xf2f200f2, 0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
118 0x24240024, 0xe8e800e8, 0x60600060, 0x69690069, 0xaaaa00aa, 0xa0a000a0,
119 0xa1a100a1, 0x62620062, 0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
120 0x10100010, 0x00000000, 0xa3a300a3, 0x75750075, 0x8a8a008a, 0xe6e600e6,
121 0x09090009, 0xdddd00dd, 0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
122 0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf, 0x52520052, 0xd8d800d8,
123 0xc8c800c8, 0xc6c600c6, 0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
124 0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc, 0x29290029, 0xf9f900f9,
125 0x2f2f002f, 0xb4b400b4, 0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
126 0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d, 0x72720072, 0xb9b900b9,
127 0xf8f800f8, 0xacac00ac, 0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
128 0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043, 0x15150015, 0xadad00ad,
129 0x77770077, 0x80800080, 0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
130 0x85850085, 0x35350035, 0x0c0c000c, 0x41410041, 0xefef00ef, 0x93930093,
131 0x19190019, 0x21210021, 0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
132 0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce, 0x30300030, 0x5f5f005f,
133 0xc5c500c5, 0x1a1a001a, 0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
134 0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d, 0x0d0d000d, 0x66660066,
135 0xcccc00cc, 0x2d2d002d, 0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
136 0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005, 0xb7b700b7, 0x31310031,
137 0x17170017, 0xd7d700d7, 0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
138 0x0f0f000f, 0x16160016, 0x18180018, 0x22220022, 0x44440044, 0xb2b200b2,
139 0xb5b500b5, 0x91910091, 0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
140 0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097, 0x5b5b005b, 0x95950095,
141 0xffff00ff, 0xd2d200d2, 0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
142 0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094, 0x5c5c005c, 0x02020002,
143 0x4a4a004a, 0x33330033, 0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
144 0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b, 0x96960096, 0x4b4b004b,
145 0xbebe00be, 0x2e2e002e, 0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
146 0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059, 0x98980098, 0x6a6a006a,
147 0x46460046, 0xbaba00ba, 0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
148 0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a, 0x49490049, 0x68680068,
149 0x38380038, 0xa4a400a4, 0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
150 0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e},
151 {0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9, 0x00676767, 0x004e4e4e,
152 0x00818181, 0x00cbcbcb, 0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
153 0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282, 0x00464646, 0x00dfdfdf,
154 0x00d6d6d6, 0x00272727, 0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
155 0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c, 0x003a3a3a, 0x00cacaca,
156 0x00252525, 0x007b7b7b, 0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
157 0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d, 0x007c7c7c, 0x00606060,
158 0x00b9b9b9, 0x00bebebe, 0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
159 0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595, 0x00ababab, 0x008e8e8e,
160 0x00bababa, 0x007a7a7a, 0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
161 0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a, 0x00171717, 0x001a1a1a,
162 0x00353535, 0x00cccccc, 0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
163 0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040, 0x00e1e1e1, 0x00636363,
164 0x00090909, 0x00333333, 0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
165 0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a, 0x00dadada, 0x006f6f6f,
166 0x00535353, 0x00626262, 0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
167 0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2, 0x00bdbdbd, 0x00363636,
168 0x00222222, 0x00383838, 0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
169 0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444, 0x00fdfdfd, 0x00888888,
170 0x009f9f9f, 0x00656565, 0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
171 0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151, 0x00c0c0c0, 0x00f9f9f9,
172 0x00d2d2d2, 0x00a0a0a0, 0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
173 0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f, 0x00a8a8a8, 0x00b6b6b6,
174 0x003c3c3c, 0x002b2b2b, 0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
175 0x00202020, 0x00898989, 0x00000000, 0x00909090, 0x00474747, 0x00efefef,
176 0x00eaeaea, 0x00b7b7b7, 0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
177 0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929, 0x000f0f0f, 0x00b8b8b8,
178 0x00070707, 0x00040404, 0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
179 0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7, 0x003b3b3b, 0x00fefefe,
180 0x007f7f7f, 0x00c5c5c5, 0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
181 0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676, 0x00030303, 0x002d2d2d,
182 0x00dedede, 0x00969696, 0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
183 0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919, 0x003f3f3f, 0x00dcdcdc,
184 0x00797979, 0x001d1d1d, 0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
185 0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2, 0x00f0f0f0, 0x00313131,
186 0x000c0c0c, 0x00d4d4d4, 0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
187 0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484, 0x00111111, 0x00454545,
188 0x001b1b1b, 0x00f5f5f5, 0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
189 0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414, 0x006c6c6c, 0x00929292,
190 0x00545454, 0x00d0d0d0, 0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
191 0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6, 0x00777777, 0x00939393,
192 0x00868686, 0x00838383, 0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
193 0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d},
194 {0x38003838, 0x41004141, 0x16001616, 0x76007676, 0xd900d9d9, 0x93009393,
195 0x60006060, 0xf200f2f2, 0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
196 0x75007575, 0x06000606, 0x57005757, 0xa000a0a0, 0x91009191, 0xf700f7f7,
197 0xb500b5b5, 0xc900c9c9, 0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
198 0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727, 0x8e008e8e, 0xb200b2b2,
199 0x49004949, 0xde00dede, 0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
200 0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767, 0x1f001f1f, 0x18001818,
201 0x6e006e6e, 0xaf00afaf, 0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
202 0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565, 0xea00eaea, 0xa300a3a3,
203 0xae00aeae, 0x9e009e9e, 0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
204 0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6, 0xc500c5c5, 0x86008686,
205 0x4d004d4d, 0x33003333, 0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
206 0x3a003a3a, 0x09000909, 0x95009595, 0x10001010, 0x78007878, 0xd800d8d8,
207 0x42004242, 0xcc00cccc, 0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
208 0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282, 0xb600b6b6, 0xdb00dbdb,
209 0xd400d4d4, 0x98009898, 0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
210 0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0, 0x6f006f6f, 0x8d008d8d,
211 0x88008888, 0x0e000e0e, 0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
212 0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111, 0x7f007f7f, 0x22002222,
213 0xe700e7e7, 0x59005959, 0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
214 0x12001212, 0x04000404, 0x74007474, 0x54005454, 0x30003030, 0x7e007e7e,
215 0xb400b4b4, 0x28002828, 0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
216 0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb, 0x2a002a2a, 0xad00adad,
217 0x0f000f0f, 0xca00caca, 0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
218 0x08000808, 0x62006262, 0x00000000, 0x24002424, 0xd100d1d1, 0xfb00fbfb,
219 0xba00baba, 0xed00eded, 0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
220 0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a, 0xc300c3c3, 0x2e002e2e,
221 0xc100c1c1, 0x01000101, 0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
222 0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9, 0xce00cece, 0xbf00bfbf,
223 0xdf00dfdf, 0x71007171, 0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
224 0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d, 0xc000c0c0, 0x4b004b4b,
225 0xb700b7b7, 0xa500a5a5, 0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
226 0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646, 0xcf00cfcf, 0x37003737,
227 0x5e005e5e, 0x47004747, 0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
228 0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac, 0x3c003c3c, 0x4c004c4c,
229 0x03000303, 0x35003535, 0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
230 0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121, 0x44004444, 0x51005151,
231 0xc600c6c6, 0x7d007d7d, 0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
232 0x7c007c7c, 0x77007777, 0x56005656, 0x05000505, 0x1b001b1b, 0xa400a4a4,
233 0x15001515, 0x34003434, 0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
234 0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd, 0xdd00dddd, 0xe400e4e4,
235 0xa100a1a1, 0xe000e0e0, 0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
236 0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f}
237};
238
239/* Key generation constants */
240static const u32 SIGMA[] = {
241 0xa09e667f, 0x3bcc908b, 0xb67ae858, 0x4caa73b2, 0xc6ef372f, 0xe94f82be,
242 0x54ff53a5, 0xf1d36f1c, 0x10e527fa, 0xde682d1d, 0xb05688c2, 0xb3e6c1fd
243};
244
245/* The phi algorithm given in C.2.7 of the Camellia spec document. */
246/*
247 * This version does not attempt to minimize amount of temporary
248 * variables, but instead explicitly exposes algorithm's parallelism.
249 * It is therefore most appropriate for platforms with not less than
250 * ~16 registers. For platforms with less registers [well, x86 to be
251 * specific] assembler version should be/is provided anyway...
252 */
253#define Camellia_Feistel(_s0,_s1,_s2,_s3,_key) do {\
254 register u32 _t0,_t1,_t2,_t3;\
255\
256 _t0 = _s0 ^ (_key)[0];\
257 _t3 = SBOX4_4404[_t0&0xff];\
258 _t1 = _s1 ^ (_key)[1];\
259 _t3 ^= SBOX3_3033[(_t0 >> 8)&0xff];\
260 _t2 = SBOX1_1110[_t1&0xff];\
261 _t3 ^= SBOX2_0222[(_t0 >> 16)&0xff];\
262 _t2 ^= SBOX4_4404[(_t1 >> 8)&0xff];\
263 _t3 ^= SBOX1_1110[(_t0 >> 24)];\
264 _t2 ^= _t3;\
265 _t3 = RightRotate(_t3,8);\
266 _t2 ^= SBOX3_3033[(_t1 >> 16)&0xff];\
267 _s3 ^= _t3;\
268 _t2 ^= SBOX2_0222[(_t1 >> 24)];\
269 _s2 ^= _t2; \
270 _s3 ^= _t2;\
271} while(0)
272
273/*
274 * Note that n has to be less than 32. Rotations for larger amount
275 * of bits are achieved by "rotating" order of s-elements and
276 * adjusting n accordingly, e.g. RotLeft128(s1,s2,s3,s0,n-32).
277 */
278#define RotLeft128(_s0,_s1,_s2,_s3,_n) do {\
279 u32 _t0=_s0>>(32-_n);\
280 _s0 = (_s0<<_n) | (_s1>>(32-_n));\
281 _s1 = (_s1<<_n) | (_s2>>(32-_n));\
282 _s2 = (_s2<<_n) | (_s3>>(32-_n));\
283 _s3 = (_s3<<_n) | _t0;\
284} while (0)
285
286int Camellia_Ekeygen(int keyBitLength, const u8 *rawKey, KEY_TABLE_TYPE k)
287{
288 register u32 s0, s1, s2, s3;
289
290 k[0] = s0 = GETU32(rawKey);
291 k[1] = s1 = GETU32(rawKey + 4);
292 k[2] = s2 = GETU32(rawKey + 8);
293 k[3] = s3 = GETU32(rawKey + 12);
294
295 if (keyBitLength != 128) {
296 k[8] = s0 = GETU32(rawKey + 16);
297 k[9] = s1 = GETU32(rawKey + 20);
298 if (keyBitLength == 192) {
299 k[10] = s2 = ~s0;
300 k[11] = s3 = ~s1;
301 } else {
302 k[10] = s2 = GETU32(rawKey + 24);
303 k[11] = s3 = GETU32(rawKey + 28);
304 }
305 s0 ^= k[0], s1 ^= k[1], s2 ^= k[2], s3 ^= k[3];
306 }
307
308 /* Use the Feistel routine to scramble the key material */
309 Camellia_Feistel(s0, s1, s2, s3, SIGMA + 0);
310 Camellia_Feistel(s2, s3, s0, s1, SIGMA + 2);
311
312 s0 ^= k[0], s1 ^= k[1], s2 ^= k[2], s3 ^= k[3];
313 Camellia_Feistel(s0, s1, s2, s3, SIGMA + 4);
314 Camellia_Feistel(s2, s3, s0, s1, SIGMA + 6);
315
316 /* Fill the keyTable. Requires many block rotations. */
317 if (keyBitLength == 128) {
318 k[4] = s0, k[5] = s1, k[6] = s2, k[7] = s3;
319 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 15 */
320 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
321 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 30 */
322 k[16] = s0, k[17] = s1, k[18] = s2, k[19] = s3;
323 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 45 */
324 k[24] = s0, k[25] = s1;
325 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 60 */
326 k[28] = s0, k[29] = s1, k[30] = s2, k[31] = s3;
327 RotLeft128(s1, s2, s3, s0, 2); /* KA <<< 94 */
328 k[40] = s1, k[41] = s2, k[42] = s3, k[43] = s0;
329 RotLeft128(s1, s2, s3, s0, 17); /* KA <<<111 */
330 k[48] = s1, k[49] = s2, k[50] = s3, k[51] = s0;
331
332 s0 = k[0], s1 = k[1], s2 = k[2], s3 = k[3];
333 RotLeft128(s0, s1, s2, s3, 15); /* KL <<< 15 */
334 k[8] = s0, k[9] = s1, k[10] = s2, k[11] = s3;
335 RotLeft128(s0, s1, s2, s3, 30); /* KL <<< 45 */
336 k[20] = s0, k[21] = s1, k[22] = s2, k[23] = s3;
337 RotLeft128(s0, s1, s2, s3, 15); /* KL <<< 60 */
338 k[26] = s2, k[27] = s3;
339 RotLeft128(s0, s1, s2, s3, 17); /* KL <<< 77 */
340 k[32] = s0, k[33] = s1, k[34] = s2, k[35] = s3;
341 RotLeft128(s0, s1, s2, s3, 17); /* KL <<< 94 */
342 k[36] = s0, k[37] = s1, k[38] = s2, k[39] = s3;
343 RotLeft128(s0, s1, s2, s3, 17); /* KL <<<111 */
344 k[44] = s0, k[45] = s1, k[46] = s2, k[47] = s3;
345
346 return 3; /* grand rounds */
347 } else {
348 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
349 s0 ^= k[8], s1 ^= k[9], s2 ^= k[10], s3 ^= k[11];
350 Camellia_Feistel(s0, s1, s2, s3, (SIGMA + 8));
351 Camellia_Feistel(s2, s3, s0, s1, (SIGMA + 10));
352
353 k[4] = s0, k[5] = s1, k[6] = s2, k[7] = s3;
354 RotLeft128(s0, s1, s2, s3, 30); /* KB <<< 30 */
355 k[20] = s0, k[21] = s1, k[22] = s2, k[23] = s3;
356 RotLeft128(s0, s1, s2, s3, 30); /* KB <<< 60 */
357 k[40] = s0, k[41] = s1, k[42] = s2, k[43] = s3;
358 RotLeft128(s1, s2, s3, s0, 19); /* KB <<<111 */
359 k[64] = s1, k[65] = s2, k[66] = s3, k[67] = s0;
360
361 s0 = k[8], s1 = k[9], s2 = k[10], s3 = k[11];
362 RotLeft128(s0, s1, s2, s3, 15); /* KR <<< 15 */
363 k[8] = s0, k[9] = s1, k[10] = s2, k[11] = s3;
364 RotLeft128(s0, s1, s2, s3, 15); /* KR <<< 30 */
365 k[16] = s0, k[17] = s1, k[18] = s2, k[19] = s3;
366 RotLeft128(s0, s1, s2, s3, 30); /* KR <<< 60 */
367 k[36] = s0, k[37] = s1, k[38] = s2, k[39] = s3;
368 RotLeft128(s1, s2, s3, s0, 2); /* KR <<< 94 */
369 k[52] = s1, k[53] = s2, k[54] = s3, k[55] = s0;
370
371 s0 = k[12], s1 = k[13], s2 = k[14], s3 = k[15];
372 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 15 */
373 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
374 RotLeft128(s0, s1, s2, s3, 30); /* KA <<< 45 */
375 k[28] = s0, k[29] = s1, k[30] = s2, k[31] = s3;
376 /* KA <<< 77 */
377 k[48] = s1, k[49] = s2, k[50] = s3, k[51] = s0;
378 RotLeft128(s1, s2, s3, s0, 17); /* KA <<< 94 */
379 k[56] = s1, k[57] = s2, k[58] = s3, k[59] = s0;
380
381 s0 = k[0], s1 = k[1], s2 = k[2], s3 = k[3];
382 RotLeft128(s1, s2, s3, s0, 13); /* KL <<< 45 */
383 k[24] = s1, k[25] = s2, k[26] = s3, k[27] = s0;
384 RotLeft128(s1, s2, s3, s0, 15); /* KL <<< 60 */
385 k[32] = s1, k[33] = s2, k[34] = s3, k[35] = s0;
386 RotLeft128(s1, s2, s3, s0, 17); /* KL <<< 77 */
387 k[44] = s1, k[45] = s2, k[46] = s3, k[47] = s0;
388 RotLeft128(s2, s3, s0, s1, 2); /* KL <<<111 */
389 k[60] = s2, k[61] = s3, k[62] = s0, k[63] = s1;
390
391 return 4; /* grand rounds */
392 }
393 /*
394 * It is possible to perform certain precalculations, which
395 * would spare few cycles in block procedure. It's not done,
396 * because it upsets the performance balance between key
397 * setup and block procedures, negatively affecting overall
398 * throughput in applications operating on short messages
399 * and volatile keys.
400 */
401}
402
403void Camellia_EncryptBlock_Rounds(int grandRounds, const u8 plaintext[],
404 const KEY_TABLE_TYPE keyTable,
405 u8 ciphertext[])
406{
407 register u32 s0, s1, s2, s3;
408 const u32 *k = keyTable, *kend = keyTable + grandRounds * 16;
409
410 s0 = GETU32(plaintext) ^ k[0];
411 s1 = GETU32(plaintext + 4) ^ k[1];
412 s2 = GETU32(plaintext + 8) ^ k[2];
413 s3 = GETU32(plaintext + 12) ^ k[3];
414 k += 4;
415
416 while (1) {
417 /* Camellia makes 6 Feistel rounds */
418 Camellia_Feistel(s0, s1, s2, s3, k + 0);
419 Camellia_Feistel(s2, s3, s0, s1, k + 2);
420 Camellia_Feistel(s0, s1, s2, s3, k + 4);
421 Camellia_Feistel(s2, s3, s0, s1, k + 6);
422 Camellia_Feistel(s0, s1, s2, s3, k + 8);
423 Camellia_Feistel(s2, s3, s0, s1, k + 10);
424 k += 12;
425
426 if (k == kend)
427 break;
428
429 /*
430 * This is the same function as the diffusion function D of the
431 * accompanying documentation. See section 3.2 for properties of the
432 * FLlayer function.
433 */
434 s1 ^= LeftRotate(s0 & k[0], 1);
435 s2 ^= s3 | k[3];
436 s0 ^= s1 | k[1];
437 s3 ^= LeftRotate(s2 & k[2], 1);
438 k += 4;
439 }
440
441 s2 ^= k[0], s3 ^= k[1], s0 ^= k[2], s1 ^= k[3];
442
443 PUTU32(ciphertext, s2);
444 PUTU32(ciphertext + 4, s3);
445 PUTU32(ciphertext + 8, s0);
446 PUTU32(ciphertext + 12, s1);
447}
448
449void Camellia_EncryptBlock(int keyBitLength, const u8 plaintext[],
450 const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
451{
452 Camellia_EncryptBlock_Rounds(keyBitLength == 128 ? 3 : 4,
453 plaintext, keyTable, ciphertext);
454}
455
456void Camellia_DecryptBlock_Rounds(int grandRounds, const u8 ciphertext[],
457 const KEY_TABLE_TYPE keyTable,
458 u8 plaintext[])
459{
460 u32 s0, s1, s2, s3;
461 const u32 *k = keyTable + grandRounds * 16, *kend = keyTable + 4;
462
463 s0 = GETU32(ciphertext) ^ k[0];
464 s1 = GETU32(ciphertext + 4) ^ k[1];
465 s2 = GETU32(ciphertext + 8) ^ k[2];
466 s3 = GETU32(ciphertext + 12) ^ k[3];
467
468 while (1) {
469 /* Camellia makes 6 Feistel rounds */
470 k -= 12;
471 Camellia_Feistel(s0, s1, s2, s3, k + 10);
472 Camellia_Feistel(s2, s3, s0, s1, k + 8);
473 Camellia_Feistel(s0, s1, s2, s3, k + 6);
474 Camellia_Feistel(s2, s3, s0, s1, k + 4);
475 Camellia_Feistel(s0, s1, s2, s3, k + 2);
476 Camellia_Feistel(s2, s3, s0, s1, k + 0);
477
478 if (k == kend)
479 break;
480
481 /*
482 * This is the same function as the diffusion function D of the
483 * accompanying documentation. See section 3.2 for properties of the
484 * FLlayer function.
485 */
486 k -= 4;
487 s1 ^= LeftRotate(s0 & k[2], 1);
488 s2 ^= s3 | k[1];
489 s0 ^= s1 | k[3];
490 s3 ^= LeftRotate(s2 & k[0], 1);
491 }
492
493 k -= 4;
494 s2 ^= k[0], s3 ^= k[1], s0 ^= k[2], s1 ^= k[3];
495
496 PUTU32(plaintext, s2);
497 PUTU32(plaintext + 4, s3);
498 PUTU32(plaintext + 8, s0);
499 PUTU32(plaintext + 12, s1);
500}
501
502void Camellia_DecryptBlock(int keyBitLength, const u8 ciphertext[],
503 const KEY_TABLE_TYPE keyTable, u8 plaintext[])
504{
505 Camellia_DecryptBlock_Rounds(keyBitLength == 128 ? 3 : 4,
506 ciphertext, keyTable, plaintext);
507}
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette