--- /dev/null
+/* camellia-asm.S */
+/*
+ This file is part of the AVR-Crypto-Lib.
+ Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+/*
+ * File: camellis-asm.S
+ * Author: Daniel Otte
+ * Date: 2006-11-10
+ * License: GPLv3 or later
+ * Description: Implementation of the camellia block cipher algorithm.
+ *
+ */
+
+.macro SWAP_R A, B
+ eor \A, \B
+ eor \B, \A
+ eor \A, \B
+.endm
+
+.macro precall
+ /* push r18 - r27, r30 - r31*/
+ push r0
+ push r1
+ push r18
+ push r19
+ push r20
+ push r21
+ push r22
+ push r23
+ push r24
+ push r25
+ push r26
+ push r27
+ push r30
+ push r31
+ clr r1
+.endm
+
+.macro postcall
+ pop r31
+ pop r30
+ pop r27
+ pop r26
+ pop r25
+ pop r24
+ pop r23
+ pop r22
+ pop r21
+ pop r20
+ pop r19
+ pop r18
+ pop r1
+ pop r0
+.endm
+
+
+.macro hexdump length
+ push r27
+ push r26
+ ldi r25, '\r'
+ mov r24, r25
+ call uart_putc
+ ldi r25, '\n'
+ mov r24, r25
+ call uart_putc
+ pop r26
+ pop r27
+ movw r24, r26
+.if \length > 16
+ ldi r22, lo8(16)
+ ldi r23, hi8(16)
+ push r27
+ push r26
+ call uart_hexdump
+ pop r26
+ pop r27
+ adiw r26, 16
+ hexdump \length-16
+.else
+ ldi r22, lo8(\length)
+ ldi r23, hi8(\length)
+ call uart_hexdump
+.endif
+.endm
+
+/* X points to Block */
+.macro dbg_hexdump length
+ precall
+ hexdump \length
+ postcall
+.endm
+
+SPL = 0x3D
+SPH = 0x3E
+SREG = 0x3F
+NULLr = 1
+
+
+camellia_sbox:
+.byte 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65
+.byte 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189
+.byte 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26
+.byte 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77
+.byte 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153
+.byte 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215
+.byte 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34
+.byte 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80
+.byte 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210
+.byte 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148
+.byte 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226
+.byte 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46
+.byte 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89
+.byte 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250
+.byte 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164
+.byte 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
+
+//.global camellia_sigma
+/*
+camellia_sigma:
+.quad 0xA09E667F3BCC908B
+.quad 0xB67AE8584CAA73B2
+.quad 0xC6EF372FE94F82BE
+.quad 0x54FF53A5F1D36F1C
+.quad 0x10E527FADE682D1D
+.quad 0xB05688C2B3E6C1FD
+*/
+
+
+
+/* uint8_t camellia_s1(uint8_t b) */
+.global camellia_s1
+camellia_s1:
+ ldi r30, lo8(camellia_sbox)
+ ldi r31, hi8(camellia_sbox)
+ add r30, r24
+ adc r31, NULLr
+ lpm r24, Z
+ clr r25
+ ret
+
+.global camellia_s2
+camellia_s2:
+ ldi r30, lo8(camellia_sbox)
+ ldi r31, hi8(camellia_sbox)
+ add r30, r24
+ adc r31, NULLr
+ lpm r24, Z
+ lsl r24
+ adc r24, NULLr
+ clr r25
+ ret
+
+.global camellia_s3
+camellia_s3:
+ ldi r30, lo8(camellia_sbox)
+ ldi r31, hi8(camellia_sbox)
+ add r30, r24
+ adc r31, NULLr
+ lpm r24, Z
+ bst r24, 0
+ lsr r24
+ bld r24, 7
+ clr r25
+ ret
+
+.global camellia_s4
+camellia_s4:
+ ldi r30, lo8(camellia_sbox)
+ ldi r31, hi8(camellia_sbox)
+ lsl r24
+ adc r24, NULLr
+ add r30, r24
+ adc r31, NULLr
+ lpm r24, Z
+ clr r25
+ ret
+
+.global camellia_s
+/* uint64_t camellia_s(uint64_t d){
+ #define D ((uint8_t*)(&d))
+ D[7] = camellia_s1(D[7]); // MSB
+ D[6] = camellia_s2(D[6]);
+ D[5] = camellia_s3(D[5]);
+ D[4] = camellia_s4(D[4]);
+
+ D[3] = camellia_s2(D[3]);
+ D[2] = camellia_s3(D[2]);
+ D[1] = camellia_s4(D[1]);
+ D[0] = camellia_s1(D[0]); // LSB
+ #undef D
+ return d;
+}*/
+; parameters
+; d: r18-r25 (r18 is LSB)
+camellia_s:
+ movw r26, r24 ; backup r24,r25 -> X
+ clr r25
+ rcall camellia_s2
+ mov r26, r24
+
+ mov r24, r27
+ rcall camellia_s1
+ mov r27, r24
+
+ mov r24, r23
+ rcall camellia_s3
+ mov r23, r24
+
+ mov r24, r22
+ rcall camellia_s4
+ mov r22, r24
+
+ mov r24, r21
+ rcall camellia_s2
+ mov r21, r24
+
+ mov r24, r20
+ rcall camellia_s3
+ mov r20, r24
+
+ mov r24, r19
+ rcall camellia_s4
+ mov r19, r24
+
+
+ mov r24, r18
+ rcall camellia_s1
+ mov r18, r24
+
+ movw r24, r26
+ ret
+
+;##############################################################################
+/* uint64_t camellia_p(uint64_t d) */
+; param: r18-r25 (r18 is LSB)
+z1 = 25
+z2 = 24
+z3 = 23
+z4 = 22
+z5 = 21
+z6 = 20
+z7 = 19
+z8 = 18
+
+.global camellia_p
+camellia_p:
+ eor z1, z6
+ eor z2, z7
+ eor z3, z8
+ eor z4, z5
+ eor z5, z3
+ eor z6, z4
+ eor z7, z1
+ eor z8, z2
+ ;---------
+ eor z1, z8
+ eor z2, z5
+ eor z3, z6
+ eor z4, z7
+ eor z5, z4
+ eor z6, z1
+ eor z7, z2
+ eor z8, z3
+ ;---------
+ movw r26, z8
+ movw r30, z6 ; backup z5 bis z8
+ movw z8, z4
+ movw z6, z2
+ movw z4, r26
+ movw z2, r30
+ ret
+
+
+;##############################################################################
+
+/* uint64_t camellia_f(uint64_t x, uint64_t k) */
+; param x: r18-r25
+; param k: r10-r17
+.global camellia_f
+camellia_f:
+ eor r18, r10
+ eor r19, r11
+ eor r20, r12
+ eor r21, r13
+ eor r22, r14
+ eor r23, r15
+ eor r24, r16
+ eor r25, r17
+ rcall camellia_s
+ rcall camellia_p
+ ret
+
+;##############################################################################
+
+/* uint64_t camellia_fl(uint64_t x, uint64_t k) */
+; param x: r18-r25 xl: r22-r25, xr: r18-r21
+; param k: r10-r17 kl: r14-r17, kr: r10-r13
+kl1 = 14
+kl2 = 15
+kl3 = 16
+kl4 = 17
+kr1 = 10
+kr2 = 11
+kr3 = 12
+kr4 = 13
+xr1 = 18
+xr2 = 19
+xr3 = 20
+xr4 = 21
+xl1 = 22
+xl2 = 23
+xl3 = 24
+xl4 = 25
+.global camellia_fl
+camellia_fl:
+ and kl1, xl1
+ and kl2, xl2
+ and kl3, xl3
+ and kl4, xl4
+ mov r26, kl4
+ rol r26
+ rol kl1
+ rol kl2
+ rol kl3
+ rol kl4
+ eor xr1, kl1
+ eor xr2, kl2
+ eor xr3, kl3
+ eor xr4, kl4
+ // that was part one
+ or kr1, xr1
+ or kr2, xr2
+ or kr3, xr3
+ or kr4, xr4
+ eor xl1, kr1
+ eor xl2, kr2
+ eor xl3, kr3
+ eor xl4, kr4
+ ret
+
+;##############################################################################
+
+/* uint64_t camellia_fl_inv(uint64_t y, uint64_t k) */
+; param y: r18-r25 yl: r22-r25, yr: r18-r21
+; param k: r10-r17 kl: r14-r17, kr: r10-r13
+kl1 = 14
+kl2 = 15
+kl3 = 16
+kl4 = 17
+kr1 = 10
+kr2 = 11
+kr3 = 12
+kr4 = 13
+yr1 = 18
+yr2 = 19
+yr3 = 20
+yr4 = 21
+yl1 = 22
+yl2 = 23
+yl3 = 24
+yl4 = 25
+.global camellia_fl_inv
+camellia_fl_inv:
+ or kr1, yr1
+ or kr2, yr2
+ or kr3, yr3
+ or kr4, yr4
+ eor yl1, kr1
+ eor yl2, kr2
+ eor yl3, kr3
+ eor yl4, kr4
+ // the first one is done
+ and kl1, yl1
+ and kl2, yl2
+ and kl3, yl3
+ and kl4, yl4
+ mov r26, kl4
+ rol r26
+ rol kl1
+ rol kl2
+ rol kl3
+ rol kl4
+ eor yr1, kl1
+ eor yr2, kl2
+ eor yr3, kl3
+ eor yr4, kl4
+ ret
+
+;##############################################################################
+; param s: r24-r25
+; param q: r22
+B1 = 18
+B2 = 19
+.global camellia128_keyop_rot15
+camellia128_keyop_rot15:
+ movw r30, r24 ; Z points at LSB of kl ;-- 0
+ ldi r22, 2
+2: adiw r30, 15 ;-- 15
+ ld r21, Z
+ ld r20, -Z ;-- 14
+ movw B1, r20 ; store Backup of the 2 MSB of kl
+ ror r20
+
+ ldi r21, 14
+1: ld r20, -Z ;-- 13..0
+ ror r20
+ std Z+2, r20 ;-- (15..2)
+ dec r21
+ brne 1b
+
+ ror B2
+ ror B1
+ st Z+, B1 ;-- 1
+ st Z, B2
+ adiw r30, 15 ;-- 16
+
+ dec r22
+ brne 2b
+ ret
+
+;##############################################################################
+; param s: r24-r25
+; param q: r22
+.global camellia128_keyop_rot17
+camellia128_keyop_rot17:
+ push r8
+ push r9
+ push r10
+ push r11
+ push r12
+ push r13
+ push r14
+ push r15
+ push r16
+ push r17
+ clt
+ movw r30, r24
+ clr r27
+2: ldi r26, 8
+ mov r1, r26
+ lsl r1 ; r1=16
+ ;push r1
+ ; load 128bit value
+ ldd r0, Z+15
+ rol r0
+1: ld r0, Z+
+ rol r0
+ st X+, r0
+ dec r1
+ brne 1b
+
+ st -Z, 21
+ st -Z, 20
+ st -Z, 19
+ st -Z, 18
+ st -Z, 17
+ st -Z, 16
+ st -Z, 15
+ st -Z, 14 ;--
+ st -Z, 13
+ st -Z, 12
+ st -Z, 11
+ st -Z, 10
+ st -Z, 9
+ st -Z, 8
+ st -Z, 23
+ st -Z, 22
+
+ brts 2f
+ set
+ adiw r30, 16
+ rjmp 2b
+2:
+ pop r17
+ pop r16
+ pop r15
+ pop r14
+ pop r13
+ pop r12
+ pop r11
+ pop r10
+ pop r9
+ pop r8
+ ret
+
+;##############################################################################
+; param s: r24-r25
+; param q: r22
+.global camellia128_keyop
+camellia128_keyop:
+ cpi r22, 1
+ breq camellia128_keyop_rot17
+ rjmp camellia128_keyop_rot15
+
+;##############################################################################
+; param s: r24-r25
+; param q: r22
+B1 = 18
+B2 = 19
+.global camellia128_keyop_inv_rot15
+camellia128_keyop_inv_rot15:
+ movw r30, r24 ; Z points at LSB of kl ;-- 0
+ movw r26, r24 ; X also
+ ldi r22, 2
+2: ;-- 0
+ ld r20, Z+ ;-- 0/1
+ ld r21, Z+ ;-- 1/2
+ movw B1, r20 ; store Backup of the 2 LSB of kl
+ rol r21
+
+ ldi r20, 14
+1: ld r21, Z+ ;-- 2/14..3/16
+ rol r21
+ st X+, r21 ;-- (0..13)/(1..14)
+ dec r20
+ brne 1b
+
+ rol B1
+ rol B2
+ st X+, B1 ;-- 14/15
+ st X+, B2 ;-- 15/16
+
+ dec r22
+ brne 2b
+ ret
+
+;##############################################################################
+; param s: r24-r25
+; param q: r22
+.global camellia128_keyop_inv_rot17
+camellia128_keyop_inv_rot17:
+ push r8
+ push r9
+ push r10
+ push r11
+ push r12
+ push r13
+ push r14
+ push r15
+ push r16
+ push r17
+ clt
+ movw r30, r24
+ clr r27
+2: ldi r26, 8
+ mov r1, r26
+ lsl r1 ; r1=16
+ ; load 128bit value
+
+ ld r0, Z
+ adiw r30, 16
+ ror r0
+1: ld r0, -Z
+ ror r0
+ st X+, r0
+ dec r1
+ brne 1b
+
+ st Z+, 21
+ st Z+, 20
+ st Z+, 19
+ st Z+, 18
+ st Z+, 17
+ st Z+, 16
+ st Z+, 15
+ st Z+, 14 ;--
+ st Z+, 13
+ st Z+, 12
+ st Z+, 11
+ st Z+, 10
+ st Z+, 9
+ st Z+, 8
+ st Z+, 23
+ st Z+, 22
+
+ brts 2f
+ set
+; adiw r30, 16
+ rjmp 2b
+2:
+ pop r17
+ pop r16
+ pop r15
+ pop r14
+ pop r13
+ pop r12
+ pop r11
+ pop r10
+ pop r9
+ pop r8
+ ret
+
+;##############################################################################
+; param s: r24-r25
+; param q: r22
+.global camellia128_keyop_inv
+camellia128_keyop_inv:
+ cpi r22, 1
+ breq camellia128_keyop_inv_rot17
+ rjmp camellia128_keyop_inv_rot15
+
+;##############################################################################
+; param p: r24-r25 pointer to data
+; param l: r22 length of word
+.global change_endian
+change_endian:
+ movw r26, r24
+ movw r30, r24
+ add r30, r22
+ adc r31, r1
+ lsr r22
+1:
+ ld r20, X
+ ld r21, -Z
+ st X+, r21
+ st Z, r20
+ dec r22
+ brne 1b
+ ret
+
+;##############################################################################
+
+#define SEL_KA 1
+#define SEL_KL 0
+#define KEY_POSTC1 0x00
+#define KEY_POSTC2 0x01
+#define KEY_INC2 0x02
+#define KEY_DIR 0x04
+#define KEY_DIR_NORM 0x00
+#define KEY_DIR_INV 0x04
+#define KEY_AMMOUNT 0x08
+#define KEY_ROL17 0x08
+#define KEY_ROL15 0x00
+/*
+void camellia_6rounds(camellia128_ctx_t* s, uint64_t* bl, uint64_t* br, uint8_t roundop, uint8_t keychoice){
+ uint8_t i;
+ uint64_t* k[4];
+ k[0] = &(s->kll);
+ k[1] = &(s->klr);
+ k[2] = &(s->kal);
+ k[3] = &(s->kar);
+ for(i=0; i<3; ++i){ / * each cycle * /
+ br[0] ^= camellia_f(bl[0],*(k[(keychoice&1)*2+((roundop&KEY_DIR)?1:0)]));
+ keychoice >>= 1;
+
+ if((i == 1) && (roundop&KEY_INC2)){
+ ((roundop&KEY_DIR)?camellia128_keyop_inv:camellia128_keyop)(s,(roundop&KEY_AMMOUNT)?1:-1);
+ }
+
+ bl[0] ^= camellia_f(br[0],*(k[(keychoice&1)*2+((roundop&KEY_DIR)?0:1)]));
+ keychoice >>= 1;
+
+ / * check if we should do some keyop * /
+ if((i == (roundop&1)) && (!(roundop&KEY_INC2)) ){
+ ((roundop&KEY_DIR)?camellia128_keyop_inv:camellia128_keyop)(s,(roundop&KEY_AMMOUNT)?1:-1);
+ / * isn't it fuckin nice what we can do in C?! * /
+ }
+ }
+}
+*/
+; param s: r24-r25
+; param bl: r22-r23
+; param br: r20-r21
+; param roundop: r18
+; param keychoice: r16
+s1 = 24
+s2 = 25
+bl1 = 22
+bl2 = 23
+br1 = 20
+br2 = 22
+xro = 18
+kc = 16
+xro_sec = 17
+br1_sec = 10
+br2_sec = 11
+bl1_sec = 12
+bl2_sec = 13
+s1_sec = 14
+t = 9
+loop_cnt = 8
+keyop_time = 7
+
+.global camellia_6rounds
+camellia_6rounds:
+ push r17
+ push r16
+ push r15
+ push r14
+ push r13
+ push r12
+ push r11
+ push r10
+ push r9
+ push r8
+ push r7
+
+ ldi r17, 6
+ mov loop_cnt, r17
+ mov xro_sec, xro
+ movw br1_sec, br1
+ movw bl1_sec, bl1
+ movw s1_sec, s1
+ clr keyop_time
+ inc keyop_time
+ sec
+ rol keyop_time // keyop_time == 3
+ SBRC xro, 1 // KEY_INC2
+ rjmp 1f
+ SBRS xro, 0 // KEY_POSTC1
+ inc keyop_time
+ SBRS xro, 0 // KEY_POSTC1
+ inc keyop_time
+ rjmp 2f
+1: inc keyop_time
+2:
+main_loop:
+ /* now we load the key to r18-r25 */
+ movw r26, s1_sec
+ SBRC kc, 0 /* select between KA and KL */
+ adiw r26, 16
+ SBRC xro_sec, 2 // KEY_DIR
+ rjmp 2f
+ SBRS loop_cnt, 0 /* enc */
+ adiw r26, 8
+ rjmp 3f
+2: SBRC loop_cnt, 0 /* dec */
+ adiw r26, 8
+ rjmp 3f
+3:
+ lsr kc
+ ld r18, X+
+ ld r19, X+
+ ld r20, X+
+ ld r21, X+
+ ld r22, X+
+ ld r23, X+
+ ld r24, X+
+ ld r25, X+
+ /* now we xor bl in */
+ movw r26, bl1_sec
+ ld r0, X+
+ eor r18, r0
+ ld r0, X+
+ eor r19, r0
+ ld r0, X+
+ eor r20, r0
+ ld r0, X+
+ eor r21, r0
+ ld r0, X+
+ eor r22, r0
+ ld r0, X+
+ eor r23, r0
+ ld r0, X+
+ eor r24, r0
+ ld r0, X+
+ eor r25, r0
+ /* f(x,k) = p(s(x xor k)) ; xor is done */
+ call camellia_s;
+ call camellia_p;
+
+// in r26, SPL
+// in r27, SPH
+// sbiw r26, 9
+// dbg_hexdump 10
+ /* now we have to xor the result into br */
+ clr r31
+ ldi r30, 18
+ movw r26, br1_sec
+; ldi r1, 8 ;-- this won't work
+ clr r1
+ sec
+ ror r1
+ swap r1
+1: ld r0, X
+ ld t, Z+
+ eor r0, t
+ st X+, r0
+ dec r1
+ brne 1b
+
+ /* check for keyop */
+ cp loop_cnt, keyop_time
+ brne 3f
+ movw s1, s1_sec
+ ldi r22, 1
+ SBRS xro_sec, 3 // KEY_ROL17
+ neg r22
+ SBRS xro_sec, 2 // KEY_DIR
+ rjmp 2f
+ rcall camellia128_keyop_inv
+ rjmp 3f
+2: rcall camellia128_keyop
+3: /* loop back */
+ SWAP_R br1_sec, bl1_sec
+ SWAP_R br2_sec, bl2_sec
+ dec loop_cnt
+ breq 2f
+ rjmp main_loop
+2:
+ pop r7
+ pop r8
+ pop r9
+ pop r10
+ pop r11
+ pop r12
+ pop r13
+ pop r14
+ pop r15
+ pop r16
+ pop r17
+ ret
+
+;##############################################################################
+/*
+void camellia128_init(camellia128_ctx_t* s, uint8_t* key){
+ uint8_t i;
+ s->kll = 0; //((uint64_t*)key)[0];
+
+ / * load the key, endian-adjusted, to kll,klr * /
+ for(i=0; i<8; ++i){
+ s->kll <<= 8;
+ s->kll |= *key++;
+ }
+ for(i=0; i<8; ++i){
+ s->klr <<= 8;
+ s->klr |= *key++;
+ }
+
+ s->kal = s->kll;
+ s->kar = s->klr;
+
+ s->kar ^= camellia_f(s->kal, camellia_sigma[0]);
+ s->kal ^= camellia_f(s->kar, camellia_sigma[1]);
+
+ s->kal ^= s->kll;
+ s->kar ^= s->klr;
+
+ s->kar ^= camellia_f(s->kal, camellia_sigma[2]);
+ s->kal ^= camellia_f(s->kar, camellia_sigma[3]);
+ / * * /
+// uart_putstr("\n\r----------------init finished--------------------");
+}
+*/
+/*
+X64_xor_in:
+ ld r0, X+
+ eor r18, r0
+ ld r0, X+
+ eor r19, r0
+ ld r0, X+
+ eor r20, r0
+ ld r0, X+
+ eor r21, r0
+ ld r0, X+
+ eor r22, r0
+ ld r0, X+
+ eor r23, r0
+ ld r0, X+
+ eor r24, r0
+ ld r0, X+
+ eor r25, r0
+ ret
+
+X64_load:
+ ld r18, X+
+ ld r19, X+
+ ld r20, X+
+ ld r21, X+
+ ld r22, X+
+ ld r23, X+
+ ld r24, X+
+ ld r25, X+
+ ret
+
+Y64_load_xor_store:
+ ld r0, Y
+ eor r18, r0
+ st Y+, r18
+ ld r0, Y
+ eor r19, r0
+ st Y+, r19
+ ld r0, Y
+ eor r20, r0
+ st Y+, r20
+ ld r0, Y
+ eor r21, r0
+ st Y+, r21
+ ld r0, Y
+ eor r22, r0
+ st Y+, r22
+ ld r0, Y
+ eor r23, r0
+ st Y+, r23
+ ld r0, Y
+ eor r24, r0
+ st Y+, r24
+ ld r0, Y
+ eor r25, r0
+ st Y+, r25
+ ret
+
+; param s: r24-r25
+; param *k: r22-r23
+//.global camellia128_init
+camellia128_init:
+ push r29
+ push r28
+ movw r30, r24 ; Z is statepointer
+ movw r26, r22 ; X is keypointer
+ clr r29
+ ldi r28, 18
+// / * load key into kl, ka and kal to r18:r25 * /
+ adiw r26, 128/8 ;-- 16
+ ldi r16, (128/8)-1
+1: ld r17, -X
+ std Z+(128/8), r17
+ st Z+, r17
+ sbrs r16, 3
+ st Y+, r17 ; this should only be done the last 8 rounds 0<=r16<=7
+ dec r16
+ brpl 1b
+// / * step 1 * /
+ ldi r26, lo8(camellia_sigma)
+ ldi r27, hi8(camellia_sigma)
+ rcall X64_xor_in
+ rcall camellia_s
+ rcall camellia_p // / * f(x,k) is done * /
+ sbiw r30, 128/8
+ movw r28, r30 ; Z&Y point on kar now
+ call Y64_load_xor_store
+
+// / * step 2 now * /
+ rcall X64_xor_in
+ rcall camellia_s
+ rcall camellia_p // / * f(x,k) is done * /
+ rcall Y64_load_xor_store
+
+// / * now the xor part (kl and kr) * /
+ sbiw r30, 128/8 ; Z points to klr
+ ldi r16, 128/8
+1: ld r0, Z+
+ ldd r1, Z+(128/8)-1
+ eor r0, r1
+ std Z+(128/8)-1, r0
+ dec r16
+ brne 1b
+
+// / * now s->kar ^= camellia_f(s->kal, camellia_sigma[2]); * /
+ rcall X64_load ; load sigma[2]
+ movw r26, r28 ; X&Y point at kal
+ rcall X64_xor_in
+ rcall camellia_s
+ rcall camellia_p
+ sbiw r28, 128/8/2 ; Y points at kar
+ rcall Y64_load_xor_store
+
+// / * now s->kal ^= camellia_f(s->kar, camellia_sigma[3]); * /
+ sbiw r26, 128/8 ;
+ rcall X64_load ; load kar
+ ldi r26, lo8(camellia_sigma+3*8)
+ ldi r27, hi8(camellia_sigma+3*8)
+ rcall X64_xor_in ; xor sigma[3] in
+ rcall camellia_s
+ rcall camellia_p
+ rcall Y64_load_xor_store
+
+ pop r28
+ pop r29
+ ret
+
+//*/
+
+
+
+
+
+
+
+
+
+
projects / avr-crypto-lib.git / blobdiff