platform/external/ffmpeg.git - Unnamed repository; edit this file 'description' to name the repository.

1 /*
2  * An implementation of the CAMELLIA algorithm as mentioned in RFC3713
3  * Copyright (c) 2014 Supraja Meedinti
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21 #include "camellia.h"
22 #include "common.h"
23 #include "intreadwrite.h"
24 #include "attributes.h"
25
26 #define LR32(x,c) ((x) << (c) | (x) >> (32 - (c)))
27 #define RR32(x,c) ((x) >> (c) | (x) << (32 - (c)))
28
29 #define MASK8 0xff
30 #define MASK32 0xffffffff
31 #define MASK64 0xffffffffffffffff
32
33 #define Sigma1  0xA09E667F3BCC908B
34 #define Sigma2  0xB67AE8584CAA73B2
35 #define Sigma3  0xC6EF372FE94F82BE
36 #define Sigma4  0x54FF53A5F1D36F1C
37 #define Sigma5  0x10E527FADE682D1D
38 #define Sigma6  0xB05688C2B3E6C1FD
39
40 static uint64_t SP[8][256];
41
42 typedef struct AVCAMELLIA {
43     uint64_t Kw[4];
44     uint64_t Ke[6];
45     uint64_t K[24];
46     int key_bits;
47 } AVCAMELLIA;
48
49 static const uint8_t SBOX1[256] = {
50 112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
51  35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
52 134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
53 166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
54 139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
55 223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
56  20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
57 254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
58 170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
59  16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
60 135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
61  82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
62 233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
63 120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
64 114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
65  64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
66 };
67
68 static const uint8_t SBOX2[256] = {
69 224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
70  70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
71  13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
72  77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
73  23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
74 191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
75  40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
76 253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
77  85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
78  32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
79  15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
80 164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
81 211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
82 240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
83 228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
84 128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
85 };
86
87 static const uint8_t SBOX3[256] = {
88  56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
89 145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
90  67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
91  83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
92 197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
93 239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
94  10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
95 127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
96  85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
97   8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
98 195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
99  41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
100 244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
101  60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
102  57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
103  32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
104 };
105
106 static const uint8_t SBOX4[256] = {
107 112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
108 134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
109 139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
110  20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
111 170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
112 135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
113 233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
114 114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
115 130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
116 184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
117  13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
118  88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
119 208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
120  92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
121 121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
122   7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
123 };
124
125 const int av_camellia_size = sizeof(AVCAMELLIA);
126
127 static void LR128(uint64_t d[2], const uint64_t K[2], int x)
128 {
129     int i = 0;
130     if (64 <= x && x < 128) {
131         i = 1;
132         x -= 64;
133     }
134     if (x <= 0 || x >= 128) {
135         d[0] = K[i];
136         d[1] = K[!i];
137         return;
138     }
139     d[0] = (K[i] << x | K[!i] >> (64 - x));
140     d[1] = (K[!i] << x | K[i] >> (64 - x));
141 }
142
143 static uint64_t F(uint64_t F_IN, uint64_t KE)
144 {
145     KE ^= F_IN;
146     F_IN=SP[0][KE >> 56]^SP[1][(KE >> 48) & MASK8]^SP[2][(KE >> 40) & MASK8]^SP[3][(KE >> 32) & MASK8]^SP[4][(KE >> 24) & MASK8]^SP[5][(KE >> 16) & MASK8]^SP[6][(KE >> 8) & MASK8]^SP[7][KE & MASK8];
147     return F_IN;
148 }
149
150 static uint64_t FL(uint64_t FL_IN, uint64_t KE)
151 {
152     uint32_t x1, x2, k1, k2;
153     x1 = FL_IN >> 32;
154     x2 = FL_IN & MASK32;
155     k1 = KE >> 32;
156     k2 = KE & MASK32;
157     x2 = x2 ^ LR32((x1 & k1), 1);
158     x1 = x1 ^ (x2 | k2);
159     return ((uint64_t)x1 << 32) | (uint64_t)x2;
160 }
161
162 static uint64_t FLINV(uint64_t FLINV_IN, uint64_t KE)
163 {
164     uint32_t x1, x2, k1, k2;
165     x1 = FLINV_IN >> 32;
166     x2 = FLINV_IN & MASK32;
167     k1 = KE >> 32;
168     k2 = KE & MASK32;
169     x1 = x1 ^ (x2 | k2);
170     x2 = x2 ^ LR32((x1 & k1), 1);
171     return ((uint64_t)x1 << 32) | (uint64_t)x2;
172 }
173
174 static const uint8_t shifts[2][12] = {
175     {0, 15, 15, 45, 45, 60, 94, 94, 111},
176     {0, 15, 15, 30, 45, 45, 60, 60,  77, 94, 94, 111}
177 };
178
179 static const uint8_t vars[2][12] = {
180     {2, 0, 2, 0, 2, 2, 0, 2, 0},
181     {3, 1, 2, 3, 0, 2, 1, 3, 0, 1, 2, 0}
182 };
183
184 static void generate_round_keys(AVCAMELLIA *cs, uint64_t Kl[2], uint64_t Kr[2], uint64_t Ka[2], uint64_t Kb[2])
185 {
186     int i;
187     uint64_t *Kd[4], d[2];
188     Kd[0] = Kl;
189     Kd[1] = Kr;
190     Kd[2] = Ka;
191     Kd[3] = Kb;
192     cs->Kw[0] = Kl[0];
193     cs->Kw[1] = Kl[1];
194     if (cs->key_bits == 128) {
195         for (i = 0; i < 9; i++) {
196             LR128(d, Kd[vars[0][i]], shifts[0][i]);
197             cs->K[2*i] = d[0];
198             cs->K[2*i+1] = d[1];
199         }
200         LR128(d, Kd[0], 60);
201         cs->K[9] = d[1];
202         LR128(d, Kd[2], 30);
203         cs->Ke[0] = d[0];
204         cs->Ke[1] = d[1];
205         LR128(d, Kd[0], 77);
206         cs->Ke[2] = d[0];
207         cs->Ke[3] = d[1];
208         LR128(d, Kd[2], 111);
209         cs->Kw[2] = d[0];
210         cs->Kw[3] = d[1];
211     } else {
212         for (i = 0; i < 12; i++) {
213             LR128(d, Kd[vars[1][i]], shifts[1][i]);
214             cs->K[2*i] = d[0];
215             cs->K[2*i+1] = d[1];
216         }
217         LR128(d, Kd[1], 30);
218         cs->Ke[0] = d[0];
219         cs->Ke[1] = d[1];
220         LR128(d, Kd[0], 60);
221         cs->Ke[2] = d[0];
222         cs->Ke[3] = d[1];
223         LR128(d, Kd[2], 77);
224         cs->Ke[4] = d[0];
225         cs->Ke[5] = d[1];
226         LR128(d, Kd[3], 111);
227         cs->Kw[2] = d[0];
228         cs->Kw[3] = d[1];
229     }
230 }
231
232 static void camellia_encrypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src)
233 {
234     uint64_t D1, D2;
235     D1 = AV_RB64(src);
236     D2 = AV_RB64(src + 8);
237     D1 ^= cs->Kw[0];
238     D2 ^= cs->Kw[1];
239     D2 ^= F(D1, cs->K[0]);
240     D1 ^= F(D2, cs->K[1]);
241     D2 ^= F(D1, cs->K[2]);
242     D1 ^= F(D2, cs->K[3]);
243     D2 ^= F(D1, cs->K[4]);
244     D1 ^= F(D2, cs->K[5]);
245     D1 = FL(D1, cs->Ke[0]);
246     D2 = FLINV(D2, cs->Ke[1]);
247     D2 ^= F(D1, cs->K[6]);
248     D1 ^= F(D2, cs->K[7]);
249     D2 ^= F(D1, cs->K[8]);
250     D1 ^= F(D2, cs->K[9]);
251     D2 ^= F(D1, cs->K[10]);
252     D1 ^= F(D2, cs->K[11]);
253     D1 = FL(D1, cs->Ke[2]);
254     D2 = FLINV(D2, cs->Ke[3]);
255     D2 ^= F(D1, cs->K[12]);
256     D1 ^= F(D2, cs->K[13]);
257     D2 ^= F(D1, cs->K[14]);
258     D1 ^= F(D2, cs->K[15]);
259     D2 ^= F(D1, cs->K[16]);
260     D1 ^= F(D2, cs->K[17]);
261     if (cs->key_bits != 128) {
262         D1 = FL(D1, cs->Ke[4]);
263         D2 = FLINV(D2, cs->Ke[5]);
264         D2 ^= F(D1, cs->K[18]);
265         D1 ^= F(D2, cs->K[19]);
266         D2 ^= F(D1, cs->K[20]);
267         D1 ^= F(D2, cs->K[21]);
268         D2 ^= F(D1, cs->K[22]);
269         D1 ^= F(D2, cs->K[23]);
270     }
271     D2 ^= cs->Kw[2];
272     D1 ^= cs->Kw[3];
273     AV_WB64(dst, D2);
274     AV_WB64(dst + 8, D1);
275 }
276
277 static void camellia_decrypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src, uint8_t *iv)
278 {
279     uint64_t D1, D2;
280     D1 = AV_RB64(src);
281     D2 = AV_RB64(src + 8);
282     D1 ^= cs->Kw[2];
283     D2 ^= cs->Kw[3];
284     if (cs->key_bits != 128) {
285         D2 ^= F(D1, cs->K[23]);
286         D1 ^= F(D2, cs->K[22]);
287         D2 ^= F(D1, cs->K[21]);
288         D1 ^= F(D2, cs->K[20]);
289         D2 ^= F(D1, cs->K[19]);
290         D1 ^= F(D2, cs->K[18]);
291         D1 = FL(D1, cs->Ke[5]);
292         D2 = FLINV(D2, cs->Ke[4]);
293     }
294     D2 ^= F(D1, cs->K[17]);
295     D1 ^= F(D2, cs->K[16]);
296     D2 ^= F(D1, cs->K[15]);
297     D1 ^= F(D2, cs->K[14]);
298     D2 ^= F(D1, cs->K[13]);
299     D1 ^= F(D2, cs->K[12]);
300     D1 = FL(D1, cs->Ke[3]);
301     D2 = FLINV(D2, cs->Ke[2]);
302     D2 ^= F(D1, cs->K[11]);
303     D1 ^= F(D2, cs->K[10]);
304     D2 ^= F(D1, cs->K[9]);
305     D1 ^= F(D2, cs->K[8]);
306     D2 ^= F(D1, cs->K[7]);
307     D1 ^= F(D2, cs->K[6]);
308     D1 = FL(D1, cs->Ke[1]);
309     D2 = FLINV(D2, cs->Ke[0]);
310     D2 ^= F(D1, cs->K[5]);
311     D1 ^= F(D2, cs->K[4]);
312     D2 ^= F(D1, cs->K[3]);
313     D1 ^= F(D2, cs->K[2]);
314     D2 ^= F(D1, cs->K[1]);
315     D1 ^= F(D2, cs->K[0]);
316     D2 ^= cs->Kw[0];
317     D1 ^= cs->Kw[1];
318     if (iv) {
319         D2 ^= AV_RB64(iv);
320         D1 ^= AV_RB64(iv + 8);
321         memcpy(iv, src, 16);
322     }
323     AV_WB64(dst, D2);
324     AV_WB64(dst + 8, D1);
325 }
326
327 static void computeSP(void)
328 {
329     uint64_t z;
330     int i;
331     for (i = 0; i < 256; i++) {
332         z = SBOX1[i];
333         SP[0][i] = (z << 56) ^ (z << 48) ^ (z << 40) ^ (z << 24) ^ z;
334         SP[7][i] = (z << 56) ^ (z << 48) ^ (z << 40) ^ (z << 24) ^ (z << 16) ^ (z << 8);
335         z = SBOX2[i];
336         SP[1][i] = (z << 48) ^ (z << 40) ^ (z << 32) ^ (z << 24) ^ (z << 16);
337         SP[4][i] = (z << 48) ^ (z << 40) ^ (z << 32) ^ (z << 16) ^ (z << 8) ^ z;
338         z = SBOX3[i];
339         SP[2][i] = (z << 56) ^ (z << 40) ^ (z << 32) ^ (z << 16) ^ (z << 8);
340         SP[5][i] = (z << 56) ^ (z << 40) ^ (z << 32) ^ (z << 24) ^ (z << 8) ^ z;
341         z = SBOX4[i];
342         SP[3][i] = (z << 56) ^ (z << 48) ^ (z << 32) ^ (z << 8) ^ z;
343         SP[6][i] = (z << 56) ^ (z << 48) ^ (z << 32) ^ (z << 24) ^ (z << 16) ^ z;
344     }
345 }
346
347 struct AVCAMELLIA *av_camellia_alloc(void)
348 {
349     return av_mallocz(sizeof(struct AVCAMELLIA));
350 }
351
352 av_cold int av_camellia_init(AVCAMELLIA *cs, const uint8_t *key, int key_bits)
353 {
354     uint64_t Kl[2], Kr[2], Ka[2], Kb[2];
355     uint64_t D1, D2;
356     if (key_bits != 128 && key_bits != 192 && key_bits != 256)
357         return AVERROR(EINVAL);
358     memset(Kb, 0, sizeof(Kb));
359     memset(Kr, 0, sizeof(Kr));
360     cs->key_bits = key_bits;
361     Kl[0] = AV_RB64(key);
362     Kl[1] = AV_RB64(key + 8);
363     if (key_bits == 192) {
364         Kr[0] = AV_RB64(key + 16);
365         Kr[1] = ~Kr[0];
366     } else if (key_bits == 256) {
367         Kr[0] = AV_RB64(key + 16);
368         Kr[1] = AV_RB64(key + 24);
369     }
370     computeSP();
371     D1 = Kl[0] ^ Kr[0];
372     D2 = Kl[1] ^ Kr[1];
373     D2 ^= F(D1, Sigma1);
374     D1 ^= F(D2, Sigma2);
375     D1 ^= Kl[0];
376     D2 ^= Kl[1];
377     D2 ^= F(D1, Sigma3);
378     D1 ^= F(D2, Sigma4);
379     Ka[0] = D1;
380     Ka[1] = D2;
381     if (key_bits != 128) {
382         D1 = Ka[0] ^ Kr[0];
383         D2 = Ka[1] ^ Kr[1];
384         D2 ^= F(D1, Sigma5);
385         D1 ^= F(D2, Sigma6);
386         Kb[0] = D1;
387         Kb[1] = D2;
388     }
389     generate_round_keys(cs, Kl, Kr, Ka, Kb);
390     return 0;
391 }
392
393 void av_camellia_crypt(AVCAMELLIA *cs, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int decrypt)
394 {
395     int i;
396     while (count--) {
397         if (decrypt) {
398             camellia_decrypt(cs, dst, src, iv);
399         } else {
400             if (iv) {
401                 for (i = 0; i < 16; i++)
402                     dst[i] = src[i] ^ iv[i];
403                 camellia_encrypt(cs, dst, dst);
404                 memcpy(iv, dst, 16);
405             } else {
406                 camellia_encrypt(cs, dst, src);
407             }
408         }
409         src = src + 16;
410         dst = dst + 16;
411     }
412 }
413
1	/*
2	* An implementation of the CAMELLIA algorithm as mentioned in RFC3713
3	* Copyright (c) 2014 Supraja Meedinti
4	*
5	* This file is part of FFmpeg.
6	*
7	* FFmpeg is free software; you can redistribute it and/or
8	* modify it under the terms of the GNU Lesser General Public
9	* License as published by the Free Software Foundation; either
10	* version 2.1 of the License, or (at your option) any later version.
11	*
12	* FFmpeg is distributed in the hope that it will be useful,
13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15	* Lesser General Public License for more details.
16	*
17	* You should have received a copy of the GNU Lesser General Public
18	* License along with FFmpeg; if not, write to the Free Software
19	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20	*/
21	#include "camellia.h"
22	#include "common.h"
23	#include "intreadwrite.h"
24	#include "attributes.h"
25
26	#define LR32(x,c) ((x) << (c) \| (x) >> (32 - (c)))
27	#define RR32(x,c) ((x) >> (c) \| (x) << (32 - (c)))
28
29	#define MASK8 0xff
30	#define MASK32 0xffffffff
31	#define MASK64 0xffffffffffffffff
32
33	#define Sigma1 0xA09E667F3BCC908B
34	#define Sigma2 0xB67AE8584CAA73B2
35	#define Sigma3 0xC6EF372FE94F82BE
36	#define Sigma4 0x54FF53A5F1D36F1C
37	#define Sigma5 0x10E527FADE682D1D
38	#define Sigma6 0xB05688C2B3E6C1FD
39
40	static uint64_t SP[8][256];
41
42	typedef struct AVCAMELLIA {
43	uint64_t Kw[4];
44	uint64_t Ke[6];
45	uint64_t K[24];
46	int key_bits;
47	} AVCAMELLIA;
48
49	static const uint8_t SBOX1[256] = {
50	112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
51	35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
52	134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
53	166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
54	139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
55	223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
56	20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
57	254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
58	170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
59	16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
60	135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
61	82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
62	233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
63	120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
64	114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
65	64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
66	};
67
68	static const uint8_t SBOX2[256] = {
69	224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
70	70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
71	13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
72	77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
73	23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
74	191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
75	40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
76	253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
77	85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
78	32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
79	15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
80	164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
81	211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
82	240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
83	228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
84	128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
85	};
86
87	static const uint8_t SBOX3[256] = {
88	56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
89	145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
90	67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
91	83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
92	197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
93	239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
94	10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
95	127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
96	85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
97	8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
98	195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
99	41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
100	244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
101	60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
102	57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
103	32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
104	};
105
106	static const uint8_t SBOX4[256] = {
107	112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
108	134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
109	139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
110	20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
111	170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
112	135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
113	233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
114	114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
115	130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
116	184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
117	13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
118	88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
119	208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
120	92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
121	121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
122	7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
123	};
124
125	const int av_camellia_size = sizeof(AVCAMELLIA);
126
127	static void LR128(uint64_t d[2], const uint64_t K[2], int x)
128	{
129	int i = 0;
130	if (64 <= x && x < 128) {
131	i = 1;
132	x -= 64;
133	}
134	if (x <= 0 \|\| x >= 128) {
135	d[0] = K[i];
136	d[1] = K[!i];
137	return;
138	}
139	d[0] = (K[i] << x \| K[!i] >> (64 - x));
140	d[1] = (K[!i] << x \| K[i] >> (64 - x));
141	}
142
143	static uint64_t F(uint64_t F_IN, uint64_t KE)
144	{
145	KE ^= F_IN;
146	F_IN=SP[0][KE >> 56]^SP[1][(KE >> 48) & MASK8]^SP[2][(KE >> 40) & MASK8]^SP[3][(KE >> 32) & MASK8]^SP[4][(KE >> 24) & MASK8]^SP[5][(KE >> 16) & MASK8]^SP[6][(KE >> 8) & MASK8]^SP[7][KE & MASK8];
147	return F_IN;
148	}
149
150	static uint64_t FL(uint64_t FL_IN, uint64_t KE)
151	{
152	uint32_t x1, x2, k1, k2;
153	x1 = FL_IN >> 32;
154	x2 = FL_IN & MASK32;
155	k1 = KE >> 32;
156	k2 = KE & MASK32;
157	x2 = x2 ^ LR32((x1 & k1), 1);
158	x1 = x1 ^ (x2 \| k2);
159	return ((uint64_t)x1 << 32) \| (uint64_t)x2;
160	}
161
162	static uint64_t FLINV(uint64_t FLINV_IN, uint64_t KE)
163	{
164	uint32_t x1, x2, k1, k2;
165	x1 = FLINV_IN >> 32;
166	x2 = FLINV_IN & MASK32;
167	k1 = KE >> 32;
168	k2 = KE & MASK32;
169	x1 = x1 ^ (x2 \| k2);
170	x2 = x2 ^ LR32((x1 & k1), 1);
171	return ((uint64_t)x1 << 32) \| (uint64_t)x2;
172	}
173
174	static const uint8_t shifts[2][12] = {
175	{0, 15, 15, 45, 45, 60, 94, 94, 111},
176	{0, 15, 15, 30, 45, 45, 60, 60, 77, 94, 94, 111}
177	};
178
179	static const uint8_t vars[2][12] = {
180	{2, 0, 2, 0, 2, 2, 0, 2, 0},
181	{3, 1, 2, 3, 0, 2, 1, 3, 0, 1, 2, 0}
182	};
183
184	static void generate_round_keys(AVCAMELLIA *cs, uint64_t Kl[2], uint64_t Kr[2], uint64_t Ka[2], uint64_t Kb[2])
185	{
186	int i;
187	uint64_t *Kd[4], d[2];
188	Kd[0] = Kl;
189	Kd[1] = Kr;
190	Kd[2] = Ka;
191	Kd[3] = Kb;
192	cs->Kw[0] = Kl[0];
193	cs->Kw[1] = Kl[1];
194	if (cs->key_bits == 128) {
195	for (i = 0; i < 9; i++) {
196	LR128(d, Kd[vars[0][i]], shifts[0][i]);
197	cs->K[2*i] = d[0];
198	cs->K[2*i+1] = d[1];
199	}
200	LR128(d, Kd[0], 60);
201	cs->K[9] = d[1];
202	LR128(d, Kd[2], 30);
203	cs->Ke[0] = d[0];
204	cs->Ke[1] = d[1];
205	LR128(d, Kd[0], 77);
206	cs->Ke[2] = d[0];
207	cs->Ke[3] = d[1];
208	LR128(d, Kd[2], 111);
209	cs->Kw[2] = d[0];
210	cs->Kw[3] = d[1];
211	} else {
212	for (i = 0; i < 12; i++) {
213	LR128(d, Kd[vars[1][i]], shifts[1][i]);
214	cs->K[2*i] = d[0];
215	cs->K[2*i+1] = d[1];
216	}
217	LR128(d, Kd[1], 30);
218	cs->Ke[0] = d[0];
219	cs->Ke[1] = d[1];
220	LR128(d, Kd[0], 60);
221	cs->Ke[2] = d[0];
222	cs->Ke[3] = d[1];
223	LR128(d, Kd[2], 77);
224	cs->Ke[4] = d[0];
225	cs->Ke[5] = d[1];
226	LR128(d, Kd[3], 111);
227	cs->Kw[2] = d[0];
228	cs->Kw[3] = d[1];
229	}
230	}
231
232	static void camellia_encrypt(AVCAMELLIA cs, uint8_t dst, const uint8_t *src)
233	{
234	uint64_t D1, D2;
235	D1 = AV_RB64(src);
236	D2 = AV_RB64(src + 8);
237	D1 ^= cs->Kw[0];
238	D2 ^= cs->Kw[1];
239	D2 ^= F(D1, cs->K[0]);
240	D1 ^= F(D2, cs->K[1]);
241	D2 ^= F(D1, cs->K[2]);
242	D1 ^= F(D2, cs->K[3]);
243	D2 ^= F(D1, cs->K[4]);
244	D1 ^= F(D2, cs->K[5]);
245	D1 = FL(D1, cs->Ke[0]);
246	D2 = FLINV(D2, cs->Ke[1]);
247	D2 ^= F(D1, cs->K[6]);
248	D1 ^= F(D2, cs->K[7]);
249	D2 ^= F(D1, cs->K[8]);
250	D1 ^= F(D2, cs->K[9]);
251	D2 ^= F(D1, cs->K[10]);
252	D1 ^= F(D2, cs->K[11]);
253	D1 = FL(D1, cs->Ke[2]);
254	D2 = FLINV(D2, cs->Ke[3]);
255	D2 ^= F(D1, cs->K[12]);
256	D1 ^= F(D2, cs->K[13]);
257	D2 ^= F(D1, cs->K[14]);
258	D1 ^= F(D2, cs->K[15]);
259	D2 ^= F(D1, cs->K[16]);
260	D1 ^= F(D2, cs->K[17]);
261	if (cs->key_bits != 128) {
262	D1 = FL(D1, cs->Ke[4]);
263	D2 = FLINV(D2, cs->Ke[5]);
264	D2 ^= F(D1, cs->K[18]);
265	D1 ^= F(D2, cs->K[19]);
266	D2 ^= F(D1, cs->K[20]);
267	D1 ^= F(D2, cs->K[21]);
268	D2 ^= F(D1, cs->K[22]);
269	D1 ^= F(D2, cs->K[23]);
270	}
271	D2 ^= cs->Kw[2];
272	D1 ^= cs->Kw[3];
273	AV_WB64(dst, D2);
274	AV_WB64(dst + 8, D1);
275	}
276
277	static void camellia_decrypt(AVCAMELLIA cs, uint8_t dst, const uint8_t src, uint8_t iv)
278	{
279	uint64_t D1, D2;
280	D1 = AV_RB64(src);
281	D2 = AV_RB64(src + 8);
282	D1 ^= cs->Kw[2];
283	D2 ^= cs->Kw[3];
284	if (cs->key_bits != 128) {
285	D2 ^= F(D1, cs->K[23]);
286	D1 ^= F(D2, cs->K[22]);
287	D2 ^= F(D1, cs->K[21]);
288	D1 ^= F(D2, cs->K[20]);
289	D2 ^= F(D1, cs->K[19]);
290	D1 ^= F(D2, cs->K[18]);
291	D1 = FL(D1, cs->Ke[5]);
292	D2 = FLINV(D2, cs->Ke[4]);
293	}
294	D2 ^= F(D1, cs->K[17]);
295	D1 ^= F(D2, cs->K[16]);
296	D2 ^= F(D1, cs->K[15]);
297	D1 ^= F(D2, cs->K[14]);
298	D2 ^= F(D1, cs->K[13]);
299	D1 ^= F(D2, cs->K[12]);
300	D1 = FL(D1, cs->Ke[3]);
301	D2 = FLINV(D2, cs->Ke[2]);
302	D2 ^= F(D1, cs->K[11]);
303	D1 ^= F(D2, cs->K[10]);
304	D2 ^= F(D1, cs->K[9]);
305	D1 ^= F(D2, cs->K[8]);
306	D2 ^= F(D1, cs->K[7]);
307	D1 ^= F(D2, cs->K[6]);
308	D1 = FL(D1, cs->Ke[1]);
309	D2 = FLINV(D2, cs->Ke[0]);
310	D2 ^= F(D1, cs->K[5]);
311	D1 ^= F(D2, cs->K[4]);
312	D2 ^= F(D1, cs->K[3]);
313	D1 ^= F(D2, cs->K[2]);
314	D2 ^= F(D1, cs->K[1]);
315	D1 ^= F(D2, cs->K[0]);
316	D2 ^= cs->Kw[0];
317	D1 ^= cs->Kw[1];
318	if (iv) {
319	D2 ^= AV_RB64(iv);
320	D1 ^= AV_RB64(iv + 8);
321	memcpy(iv, src, 16);
322	}
323	AV_WB64(dst, D2);
324	AV_WB64(dst + 8, D1);
325	}
326
327	static void computeSP(void)
328	{
329	uint64_t z;
330	int i;
331	for (i = 0; i < 256; i++) {
332	z = SBOX1[i];
333	SP[0][i] = (z << 56) ^ (z << 48) ^ (z << 40) ^ (z << 24) ^ z;
334	SP[7][i] = (z << 56) ^ (z << 48) ^ (z << 40) ^ (z << 24) ^ (z << 16) ^ (z << 8);
335	z = SBOX2[i];
336	SP[1][i] = (z << 48) ^ (z << 40) ^ (z << 32) ^ (z << 24) ^ (z << 16);
337	SP[4][i] = (z << 48) ^ (z << 40) ^ (z << 32) ^ (z << 16) ^ (z << 8) ^ z;
338	z = SBOX3[i];
339	SP[2][i] = (z << 56) ^ (z << 40) ^ (z << 32) ^ (z << 16) ^ (z << 8);
340	SP[5][i] = (z << 56) ^ (z << 40) ^ (z << 32) ^ (z << 24) ^ (z << 8) ^ z;
341	z = SBOX4[i];
342	SP[3][i] = (z << 56) ^ (z << 48) ^ (z << 32) ^ (z << 8) ^ z;
343	SP[6][i] = (z << 56) ^ (z << 48) ^ (z << 32) ^ (z << 24) ^ (z << 16) ^ z;
344	}
345	}
346
347	struct AVCAMELLIA *av_camellia_alloc(void)
348	{
349	return av_mallocz(sizeof(struct AVCAMELLIA));
350	}
351
352	av_cold int av_camellia_init(AVCAMELLIA cs, const uint8_t key, int key_bits)
353	{
354	uint64_t Kl[2], Kr[2], Ka[2], Kb[2];
355	uint64_t D1, D2;
356	if (key_bits != 128 && key_bits != 192 && key_bits != 256)
357	return AVERROR(EINVAL);
358	memset(Kb, 0, sizeof(Kb));
359	memset(Kr, 0, sizeof(Kr));
360	cs->key_bits = key_bits;
361	Kl[0] = AV_RB64(key);
362	Kl[1] = AV_RB64(key + 8);
363	if (key_bits == 192) {
364	Kr[0] = AV_RB64(key + 16);
365	Kr[1] = ~Kr[0];
366	} else if (key_bits == 256) {
367	Kr[0] = AV_RB64(key + 16);
368	Kr[1] = AV_RB64(key + 24);
369	}
370	computeSP();
371	D1 = Kl[0] ^ Kr[0];
372	D2 = Kl[1] ^ Kr[1];
373	D2 ^= F(D1, Sigma1);
374	D1 ^= F(D2, Sigma2);
375	D1 ^= Kl[0];
376	D2 ^= Kl[1];
377	D2 ^= F(D1, Sigma3);
378	D1 ^= F(D2, Sigma4);
379	Ka[0] = D1;
380	Ka[1] = D2;
381	if (key_bits != 128) {
382	D1 = Ka[0] ^ Kr[0];
383	D2 = Ka[1] ^ Kr[1];
384	D2 ^= F(D1, Sigma5);
385	D1 ^= F(D2, Sigma6);
386	Kb[0] = D1;
387	Kb[1] = D2;
388	}
389	generate_round_keys(cs, Kl, Kr, Ka, Kb);
390	return 0;
391	}
392
393	void av_camellia_crypt(AVCAMELLIA cs, uint8_t dst, const uint8_t src, int count, uint8_t iv, int decrypt)
394	{
395	int i;
396	while (count--) {
397	if (decrypt) {
398	camellia_decrypt(cs, dst, src, iv);
399	} else {
400	if (iv) {
401	for (i = 0; i < 16; i++)
402	dst[i] = src[i] ^ iv[i];
403	camellia_encrypt(cs, dst, dst);
404	memcpy(iv, dst, 16);
405	} else {
406	camellia_encrypt(cs, dst, src);
407	}
408	}
409	src = src + 16;
410	dst = dst + 16;
411	}
412	}
413