qemu

1
/**
2
 *
3
 * aes.c - integrated in QEMU by Fabrice Bellard from the OpenSSL project.
4
 */
5
/*
6
 * rijndael-alg-fst.c
7
 *
8
 * @version 3.0 (December 2000)
9
 *
10
 * Optimised ANSI C code for the Rijndael cipher (now AES)
11
 *
12
 * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
13
 * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
14
 * @author Paulo Barreto <paulo.barreto@terra.com.br>
15
 *
16
 * This code is hereby placed in the public domain.
17
 *
18
 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
19
 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
22
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
25
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
26
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
27
 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
28
 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29
 */
30
#include "qemu/osdep.h"
31
#include "qemu/bswap.h"
32
#include "qemu/bitops.h"
33
#include "crypto/aes.h"
34
#include "crypto/aes-round.h"
35

36
typedef uint32_t u32;
37
typedef uint8_t u8;
38

39
/* This controls loop-unrolling in aes_core.c */
40
#undef FULL_UNROLL
41
# define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] <<  8) ^ ((u32)(pt)[3]))
42
# define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >>  8); (ct)[3] = (u8)(st); }
43

44
const uint8_t AES_sbox[256] = {
45
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
46
    0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
47
    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
48
    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
49
    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
50
    0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
51
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
52
    0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
53
    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
54
    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
55
    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
56
    0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
57
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
58
    0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
59
    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
60
    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
61
    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
62
    0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
63
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
64
    0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
65
    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
66
    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
67
    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
68
    0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
69
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
70
    0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
71
    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
72
    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
73
    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
74
    0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
75
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
76
    0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,
77
};
78

79
const uint8_t AES_isbox[256] = {
80
    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
81
    0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
82
    0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
83
    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
84
    0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
85
    0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
86
    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
87
    0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
88
    0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
89
    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
90
    0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
91
    0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
92
    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
93
    0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
94
    0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
95
    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
96
    0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
97
    0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
98
    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
99
    0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
100
    0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
101
    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
102
    0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
103
    0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
104
    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
105
    0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
106
    0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
107
    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
108
    0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
109
    0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
110
    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
111
    0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D,
112
};
113

114
/* AES ShiftRows, for complete unrolling. */
115
#define AES_SH(X)   (((X) * 5) & 15)
116

117
/* AES InvShiftRows, for complete unrolling. */
118
#define AES_ISH(X)  (((X) * 13) & 15)
119

120
/*
121
 * MixColumns lookup table, for use with rot32.
122
 */
123
static const uint32_t AES_mc_rot[256] = {
124
    0x00000000, 0x03010102, 0x06020204, 0x05030306,
125
    0x0c040408, 0x0f05050a, 0x0a06060c, 0x0907070e,
126
    0x18080810, 0x1b090912, 0x1e0a0a14, 0x1d0b0b16,
127
    0x140c0c18, 0x170d0d1a, 0x120e0e1c, 0x110f0f1e,
128
    0x30101020, 0x33111122, 0x36121224, 0x35131326,
129
    0x3c141428, 0x3f15152a, 0x3a16162c, 0x3917172e,
130
    0x28181830, 0x2b191932, 0x2e1a1a34, 0x2d1b1b36,
131
    0x241c1c38, 0x271d1d3a, 0x221e1e3c, 0x211f1f3e,
132
    0x60202040, 0x63212142, 0x66222244, 0x65232346,
133
    0x6c242448, 0x6f25254a, 0x6a26264c, 0x6927274e,
134
    0x78282850, 0x7b292952, 0x7e2a2a54, 0x7d2b2b56,
135
    0x742c2c58, 0x772d2d5a, 0x722e2e5c, 0x712f2f5e,
136
    0x50303060, 0x53313162, 0x56323264, 0x55333366,
137
    0x5c343468, 0x5f35356a, 0x5a36366c, 0x5937376e,
138
    0x48383870, 0x4b393972, 0x4e3a3a74, 0x4d3b3b76,
139
    0x443c3c78, 0x473d3d7a, 0x423e3e7c, 0x413f3f7e,
140
    0xc0404080, 0xc3414182, 0xc6424284, 0xc5434386,
141
    0xcc444488, 0xcf45458a, 0xca46468c, 0xc947478e,
142
    0xd8484890, 0xdb494992, 0xde4a4a94, 0xdd4b4b96,
143
    0xd44c4c98, 0xd74d4d9a, 0xd24e4e9c, 0xd14f4f9e,
144
    0xf05050a0, 0xf35151a2, 0xf65252a4, 0xf55353a6,
145
    0xfc5454a8, 0xff5555aa, 0xfa5656ac, 0xf95757ae,
146
    0xe85858b0, 0xeb5959b2, 0xee5a5ab4, 0xed5b5bb6,
147
    0xe45c5cb8, 0xe75d5dba, 0xe25e5ebc, 0xe15f5fbe,
148
    0xa06060c0, 0xa36161c2, 0xa66262c4, 0xa56363c6,
149
    0xac6464c8, 0xaf6565ca, 0xaa6666cc, 0xa96767ce,
150
    0xb86868d0, 0xbb6969d2, 0xbe6a6ad4, 0xbd6b6bd6,
151
    0xb46c6cd8, 0xb76d6dda, 0xb26e6edc, 0xb16f6fde,
152
    0x907070e0, 0x937171e2, 0x967272e4, 0x957373e6,
153
    0x9c7474e8, 0x9f7575ea, 0x9a7676ec, 0x997777ee,
154
    0x887878f0, 0x8b7979f2, 0x8e7a7af4, 0x8d7b7bf6,
155
    0x847c7cf8, 0x877d7dfa, 0x827e7efc, 0x817f7ffe,
156
    0x9b80801b, 0x98818119, 0x9d82821f, 0x9e83831d,
157
    0x97848413, 0x94858511, 0x91868617, 0x92878715,
158
    0x8388880b, 0x80898909, 0x858a8a0f, 0x868b8b0d,
159
    0x8f8c8c03, 0x8c8d8d01, 0x898e8e07, 0x8a8f8f05,
160
    0xab90903b, 0xa8919139, 0xad92923f, 0xae93933d,
161
    0xa7949433, 0xa4959531, 0xa1969637, 0xa2979735,
162
    0xb398982b, 0xb0999929, 0xb59a9a2f, 0xb69b9b2d,
163
    0xbf9c9c23, 0xbc9d9d21, 0xb99e9e27, 0xba9f9f25,
164
    0xfba0a05b, 0xf8a1a159, 0xfda2a25f, 0xfea3a35d,
165
    0xf7a4a453, 0xf4a5a551, 0xf1a6a657, 0xf2a7a755,
166
    0xe3a8a84b, 0xe0a9a949, 0xe5aaaa4f, 0xe6abab4d,
167
    0xefacac43, 0xecadad41, 0xe9aeae47, 0xeaafaf45,
168
    0xcbb0b07b, 0xc8b1b179, 0xcdb2b27f, 0xceb3b37d,
169
    0xc7b4b473, 0xc4b5b571, 0xc1b6b677, 0xc2b7b775,
170
    0xd3b8b86b, 0xd0b9b969, 0xd5baba6f, 0xd6bbbb6d,
171
    0xdfbcbc63, 0xdcbdbd61, 0xd9bebe67, 0xdabfbf65,
172
    0x5bc0c09b, 0x58c1c199, 0x5dc2c29f, 0x5ec3c39d,
173
    0x57c4c493, 0x54c5c591, 0x51c6c697, 0x52c7c795,
174
    0x43c8c88b, 0x40c9c989, 0x45caca8f, 0x46cbcb8d,
175
    0x4fcccc83, 0x4ccdcd81, 0x49cece87, 0x4acfcf85,
176
    0x6bd0d0bb, 0x68d1d1b9, 0x6dd2d2bf, 0x6ed3d3bd,
177
    0x67d4d4b3, 0x64d5d5b1, 0x61d6d6b7, 0x62d7d7b5,
178
    0x73d8d8ab, 0x70d9d9a9, 0x75dadaaf, 0x76dbdbad,
179
    0x7fdcdca3, 0x7cdddda1, 0x79dedea7, 0x7adfdfa5,
180
    0x3be0e0db, 0x38e1e1d9, 0x3de2e2df, 0x3ee3e3dd,
181
    0x37e4e4d3, 0x34e5e5d1, 0x31e6e6d7, 0x32e7e7d5,
182
    0x23e8e8cb, 0x20e9e9c9, 0x25eaeacf, 0x26ebebcd,
183
    0x2fececc3, 0x2cededc1, 0x29eeeec7, 0x2aefefc5,
184
    0x0bf0f0fb, 0x08f1f1f9, 0x0df2f2ff, 0x0ef3f3fd,
185
    0x07f4f4f3, 0x04f5f5f1, 0x01f6f6f7, 0x02f7f7f5,
186
    0x13f8f8eb, 0x10f9f9e9, 0x15fafaef, 0x16fbfbed,
187
    0x1ffcfce3, 0x1cfdfde1, 0x19fefee7, 0x1affffe5,
188
};
189

190
/*
191
 * Inverse MixColumns lookup table, for use with rot32.
192
 */
193
static const uint32_t AES_imc_rot[256] = {
194
    0x00000000, 0x0b0d090e, 0x161a121c, 0x1d171b12,
195
    0x2c342438, 0x27392d36, 0x3a2e3624, 0x31233f2a,
196
    0x58684870, 0x5365417e, 0x4e725a6c, 0x457f5362,
197
    0x745c6c48, 0x7f516546, 0x62467e54, 0x694b775a,
198
    0xb0d090e0, 0xbbdd99ee, 0xa6ca82fc, 0xadc78bf2,
199
    0x9ce4b4d8, 0x97e9bdd6, 0x8afea6c4, 0x81f3afca,
200
    0xe8b8d890, 0xe3b5d19e, 0xfea2ca8c, 0xf5afc382,
201
    0xc48cfca8, 0xcf81f5a6, 0xd296eeb4, 0xd99be7ba,
202
    0x7bbb3bdb, 0x70b632d5, 0x6da129c7, 0x66ac20c9,
203
    0x578f1fe3, 0x5c8216ed, 0x41950dff, 0x4a9804f1,
204
    0x23d373ab, 0x28de7aa5, 0x35c961b7, 0x3ec468b9,
205
    0x0fe75793, 0x04ea5e9d, 0x19fd458f, 0x12f04c81,
206
    0xcb6bab3b, 0xc066a235, 0xdd71b927, 0xd67cb029,
207
    0xe75f8f03, 0xec52860d, 0xf1459d1f, 0xfa489411,
208
    0x9303e34b, 0x980eea45, 0x8519f157, 0x8e14f859,
209
    0xbf37c773, 0xb43ace7d, 0xa92dd56f, 0xa220dc61,
210
    0xf66d76ad, 0xfd607fa3, 0xe07764b1, 0xeb7a6dbf,
211
    0xda595295, 0xd1545b9b, 0xcc434089, 0xc74e4987,
212
    0xae053edd, 0xa50837d3, 0xb81f2cc1, 0xb31225cf,
213
    0x82311ae5, 0x893c13eb, 0x942b08f9, 0x9f2601f7,
214
    0x46bde64d, 0x4db0ef43, 0x50a7f451, 0x5baafd5f,
215
    0x6a89c275, 0x6184cb7b, 0x7c93d069, 0x779ed967,
216
    0x1ed5ae3d, 0x15d8a733, 0x08cfbc21, 0x03c2b52f,
217
    0x32e18a05, 0x39ec830b, 0x24fb9819, 0x2ff69117,
218
    0x8dd64d76, 0x86db4478, 0x9bcc5f6a, 0x90c15664,
219
    0xa1e2694e, 0xaaef6040, 0xb7f87b52, 0xbcf5725c,
220
    0xd5be0506, 0xdeb30c08, 0xc3a4171a, 0xc8a91e14,
221
    0xf98a213e, 0xf2872830, 0xef903322, 0xe49d3a2c,
222
    0x3d06dd96, 0x360bd498, 0x2b1ccf8a, 0x2011c684,
223
    0x1132f9ae, 0x1a3ff0a0, 0x0728ebb2, 0x0c25e2bc,
224
    0x656e95e6, 0x6e639ce8, 0x737487fa, 0x78798ef4,
225
    0x495ab1de, 0x4257b8d0, 0x5f40a3c2, 0x544daacc,
226
    0xf7daec41, 0xfcd7e54f, 0xe1c0fe5d, 0xeacdf753,
227
    0xdbeec879, 0xd0e3c177, 0xcdf4da65, 0xc6f9d36b,
228
    0xafb2a431, 0xa4bfad3f, 0xb9a8b62d, 0xb2a5bf23,
229
    0x83868009, 0x888b8907, 0x959c9215, 0x9e919b1b,
230
    0x470a7ca1, 0x4c0775af, 0x51106ebd, 0x5a1d67b3,
231
    0x6b3e5899, 0x60335197, 0x7d244a85, 0x7629438b,
232
    0x1f6234d1, 0x146f3ddf, 0x097826cd, 0x02752fc3,
233
    0x335610e9, 0x385b19e7, 0x254c02f5, 0x2e410bfb,
234
    0x8c61d79a, 0x876cde94, 0x9a7bc586, 0x9176cc88,
235
    0xa055f3a2, 0xab58faac, 0xb64fe1be, 0xbd42e8b0,
236
    0xd4099fea, 0xdf0496e4, 0xc2138df6, 0xc91e84f8,
237
    0xf83dbbd2, 0xf330b2dc, 0xee27a9ce, 0xe52aa0c0,
238
    0x3cb1477a, 0x37bc4e74, 0x2aab5566, 0x21a65c68,
239
    0x10856342, 0x1b886a4c, 0x069f715e, 0x0d927850,
240
    0x64d90f0a, 0x6fd40604, 0x72c31d16, 0x79ce1418,
241
    0x48ed2b32, 0x43e0223c, 0x5ef7392e, 0x55fa3020,
242
    0x01b79aec, 0x0aba93e2, 0x17ad88f0, 0x1ca081fe,
243
    0x2d83bed4, 0x268eb7da, 0x3b99acc8, 0x3094a5c6,
244
    0x59dfd29c, 0x52d2db92, 0x4fc5c080, 0x44c8c98e,
245
    0x75ebf6a4, 0x7ee6ffaa, 0x63f1e4b8, 0x68fcedb6,
246
    0xb1670a0c, 0xba6a0302, 0xa77d1810, 0xac70111e,
247
    0x9d532e34, 0x965e273a, 0x8b493c28, 0x80443526,
248
    0xe90f427c, 0xe2024b72, 0xff155060, 0xf418596e,
249
    0xc53b6644, 0xce366f4a, 0xd3217458, 0xd82c7d56,
250
    0x7a0ca137, 0x7101a839, 0x6c16b32b, 0x671bba25,
251
    0x5638850f, 0x5d358c01, 0x40229713, 0x4b2f9e1d,
252
    0x2264e947, 0x2969e049, 0x347efb5b, 0x3f73f255,
253
    0x0e50cd7f, 0x055dc471, 0x184adf63, 0x1347d66d,
254
    0xcadc31d7, 0xc1d138d9, 0xdcc623cb, 0xd7cb2ac5,
255
    0xe6e815ef, 0xede51ce1, 0xf0f207f3, 0xfbff0efd,
256
    0x92b479a7, 0x99b970a9, 0x84ae6bbb, 0x8fa362b5,
257
    0xbe805d9f, 0xb58d5491, 0xa89a4f83, 0xa397468d,
258
};
259

260

261
/*
262
AES_Te0[x] = S [x].[02, 01, 01, 03];
263
AES_Te1[x] = S [x].[03, 02, 01, 01];
264
AES_Te2[x] = S [x].[01, 03, 02, 01];
265
AES_Te3[x] = S [x].[01, 01, 03, 02];
266
AES_Te4[x] = S [x].[01, 01, 01, 01];
267

268
AES_Td0[x] = Si[x].[0e, 09, 0d, 0b];
269
AES_Td1[x] = Si[x].[0b, 0e, 09, 0d];
270
AES_Td2[x] = Si[x].[0d, 0b, 0e, 09];
271
AES_Td3[x] = Si[x].[09, 0d, 0b, 0e];
272
AES_Td4[x] = Si[x].[01, 01, 01, 01];
273
*/
274

275
const uint32_t AES_Te0[256] = {
276
    0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
277
    0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
278
    0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
279
    0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
280
    0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
281
    0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
282
    0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
283
    0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
284
    0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
285
    0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
286
    0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
287
    0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
288
    0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
289
    0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
290
    0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
291
    0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
292
    0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
293
    0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
294
    0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
295
    0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
296
    0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
297
    0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
298
    0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
299
    0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
300
    0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
301
    0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
302
    0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
303
    0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
304
    0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
305
    0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
306
    0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
307
    0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
308
    0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
309
    0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
310
    0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
311
    0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
312
    0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
313
    0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
314
    0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
315
    0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
316
    0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
317
    0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
318
    0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
319
    0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
320
    0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
321
    0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
322
    0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
323
    0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
324
    0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
325
    0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
326
    0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
327
    0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
328
    0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
329
    0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
330
    0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
331
    0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
332
    0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
333
    0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
334
    0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
335
    0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
336
    0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
337
    0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
338
    0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
339
    0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
340
};
341

342
static const uint32_t AES_Te1[256] = {
343
    0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
344
    0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
345
    0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
346
    0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
347
    0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
348
    0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
349
    0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
350
    0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
351
    0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
352
    0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
353
    0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
354
    0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
355
    0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
356
    0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
357
    0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
358
    0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
359
    0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
360
    0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
361
    0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
362
    0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
363
    0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
364
    0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
365
    0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
366
    0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
367
    0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
368
    0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
369
    0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
370
    0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
371
    0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
372
    0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
373
    0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
374
    0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
375
    0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
376
    0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
377
    0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
378
    0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
379
    0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
380
    0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
381
    0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
382
    0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
383
    0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
384
    0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
385
    0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
386
    0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
387
    0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
388
    0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
389
    0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
390
    0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
391
    0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
392
    0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
393
    0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
394
    0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
395
    0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
396
    0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
397
    0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
398
    0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
399
    0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
400
    0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
401
    0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
402
    0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
403
    0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
404
    0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
405
    0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
406
    0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
407
};
408

409
static const uint32_t AES_Te2[256] = {
410
    0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
411
    0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
412
    0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
413
    0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U,
414
    0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU,
415
    0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U,
416
    0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU,
417
    0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U,
418
    0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U,
419
    0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU,
420
    0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U,
421
    0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U,
422
    0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U,
423
    0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU,
424
    0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U,
425
    0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U,
426
    0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU,
427
    0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U,
428
    0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U,
429
    0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U,
430
    0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU,
431
    0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU,
432
    0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U,
433
    0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU,
434
    0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU,
435
    0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U,
436
    0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU,
437
    0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U,
438
    0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU,
439
    0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U,
440
    0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U,
441
    0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U,
442
    0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU,
443
    0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U,
444
    0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU,
445
    0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U,
446
    0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU,
447
    0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U,
448
    0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U,
449
    0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU,
450
    0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU,
451
    0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU,
452
    0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U,
453
    0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U,
454
    0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU,
455
    0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U,
456
    0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU,
457
    0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U,
458
    0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU,
459
    0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U,
460
    0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU,
461
    0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU,
462
    0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U,
463
    0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU,
464
    0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U,
465
    0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU,
466
    0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U,
467
    0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U,
468
    0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U,
469
    0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU,
470
    0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU,
471
    0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U,
472
    0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
473
    0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
474
};
475

476
static const uint32_t AES_Te3[256] = {
477
    0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
478
    0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
479
    0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
480
    0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,
481
    0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,
482
    0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,
483
    0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,
484
    0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,
485
    0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,
486
    0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,
487
    0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,
488
    0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,
489
    0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,
490
    0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,
491
    0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,
492
    0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,
493
    0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,
494
    0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,
495
    0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,
496
    0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,
497
    0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,
498
    0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,
499
    0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,
500
    0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,
501
    0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,
502
    0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,
503
    0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,
504
    0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,
505
    0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,
506
    0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,
507
    0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,
508
    0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,
509
    0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,
510
    0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,
511
    0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,
512
    0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,
513
    0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,
514
    0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,
515
    0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,
516
    0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,
517
    0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,
518
    0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,
519
    0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,
520
    0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,
521
    0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,
522
    0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,
523
    0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,
524
    0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,
525
    0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,
526
    0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,
527
    0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,
528
    0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,
529
    0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,
530
    0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,
531
    0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,
532
    0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,
533
    0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,
534
    0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,
535
    0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,
536
    0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,
537
    0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,
538
    0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
539
    0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
540
    0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
541
};
542

543
static const uint32_t AES_Te4[256] = {
544
    0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
545
    0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
546
    0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
547
    0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
548
    0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
549
    0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
550
    0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
551
    0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
552
    0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
553
    0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
554
    0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
555
    0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
556
    0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
557
    0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
558
    0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
559
    0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
560
    0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
561
    0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
562
    0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
563
    0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
564
    0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
565
    0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
566
    0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
567
    0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
568
    0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
569
    0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
570
    0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
571
    0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
572
    0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
573
    0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
574
    0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
575
    0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
576
    0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
577
    0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
578
    0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
579
    0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
580
    0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
581
    0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
582
    0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
583
    0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
584
    0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
585
    0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
586
    0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
587
    0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
588
    0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
589
    0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
590
    0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
591
    0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
592
    0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
593
    0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
594
    0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
595
    0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
596
    0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
597
    0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
598
    0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
599
    0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
600
    0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
601
    0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
602
    0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
603
    0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
604
    0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
605
    0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
606
    0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
607
    0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
608
};
609

610
const uint32_t AES_Td0[256] = {
611
    0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
612
    0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
613
    0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
614
    0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
615
    0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
616
    0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
617
    0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
618
    0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
619
    0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
620
    0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
621
    0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
622
    0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
623
    0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
624
    0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
625
    0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
626
    0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
627
    0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
628
    0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
629
    0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
630
    0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
631
    0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
632
    0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
633
    0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
634
    0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
635
    0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
636
    0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
637
    0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
638
    0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
639
    0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
640
    0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
641
    0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
642
    0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
643
    0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
644
    0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
645
    0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
646
    0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
647
    0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
648
    0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
649
    0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
650
    0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
651
    0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
652
    0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
653
    0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
654
    0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
655
    0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
656
    0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
657
    0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
658
    0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
659
    0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
660
    0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
661
    0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
662
    0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
663
    0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
664
    0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
665
    0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
666
    0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
667
    0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
668
    0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
669
    0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
670
    0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
671
    0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
672
    0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
673
    0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
674
    0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
675
};
676

677
static const uint32_t AES_Td1[256] = {
678
    0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,
679
    0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,
680
    0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU,
681
    0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U,
682
    0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U,
683
    0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U,
684
    0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U,
685
    0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U,
686
    0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U,
687
    0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU,
688
    0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU,
689
    0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU,
690
    0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U,
691
    0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU,
692
    0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U,
693
    0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U,
694
    0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U,
695
    0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU,
696
    0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU,
697
    0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U,
698
    0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU,
699
    0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U,
700
    0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU,
701
    0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU,
702
    0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U,
703
    0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U,
704
    0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U,
705
    0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU,
706
    0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U,
707
    0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU,
708
    0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U,
709
    0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U,
710
    0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U,
711
    0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU,
712
    0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U,
713
    0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U,
714
    0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U,
715
    0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U,
716
    0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U,
717
    0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U,
718
    0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU,
719
    0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU,
720
    0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U,
721
    0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU,
722
    0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U,
723
    0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU,
724
    0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU,
725
    0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U,
726
    0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU,
727
    0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U,
728
    0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U,
729
    0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U,
730
    0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U,
731
    0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U,
732
    0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U,
733
    0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U,
734
    0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU,
735
    0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U,
736
    0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U,
737
    0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU,
738
    0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U,
739
    0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U,
740
    0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U,
741
    0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U,
742
};
743

744
static const uint32_t AES_Td2[256] = {
745
    0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U,
746
    0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U,
747
    0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U,
748
    0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U,
749
    0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU,
750
    0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U,
751
    0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U,
752
    0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U,
753
    0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U,
754
    0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU,
755
    0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U,
756
    0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U,
757
    0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU,
758
    0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U,
759
    0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U,
760
    0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U,
761
    0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U,
762
    0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U,
763
    0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U,
764
    0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU,
765

766
    0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U,
767
    0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U,
768
    0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U,
769
    0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U,
770
    0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U,
771
    0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU,
772
    0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU,
773
    0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U,
774
    0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU,
775
    0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U,
776
    0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU,
777
    0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU,
778
    0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU,
779
    0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU,
780
    0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U,
781
    0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U,
782
    0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U,
783
    0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U,
784
    0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U,
785
    0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U,
786
    0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U,
787
    0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU,
788
    0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU,
789
    0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U,
790
    0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U,
791
    0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU,
792
    0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU,
793
    0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U,
794
    0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U,
795
    0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U,
796
    0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U,
797
    0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U,
798
    0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U,
799
    0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U,
800
    0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU,
801
    0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U,
802
    0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U,
803
    0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U,
804
    0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U,
805
    0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U,
806
    0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U,
807
    0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU,
808
    0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U,
809
    0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U,
810
};
811

812
static const uint32_t AES_Td3[256] = {
813
    0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU,
814
    0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU,
815
    0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U,
816
    0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U,
817
    0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU,
818
    0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU,
819
    0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U,
820
    0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU,
821
    0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U,
822
    0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU,
823
    0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U,
824
    0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U,
825
    0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U,
826
    0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U,
827
    0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U,
828
    0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU,
829
    0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU,
830
    0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U,
831
    0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U,
832
    0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU,
833
    0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU,
834
    0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U,
835
    0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U,
836
    0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U,
837
    0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U,
838
    0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU,
839
    0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U,
840
    0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U,
841
    0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU,
842
    0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU,
843
    0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U,
844
    0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U,
845
    0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U,
846
    0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU,
847
    0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U,
848
    0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U,
849
    0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U,
850
    0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U,
851
    0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U,
852
    0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U,
853
    0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U,
854
    0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU,
855
    0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U,
856
    0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U,
857
    0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU,
858
    0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU,
859
    0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U,
860
    0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU,
861
    0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U,
862
    0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U,
863
    0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U,
864
    0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U,
865
    0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U,
866
    0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U,
867
    0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU,
868
    0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU,
869
    0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU,
870
    0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU,
871
    0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U,
872
    0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U,
873
    0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U,
874
    0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU,
875
    0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
876
    0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
877
};
878

879
static const uint32_t AES_Td4[256] = {
880
    0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U,
881
    0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U,
882
    0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU,
883
    0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU,
884
    0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U,
885
    0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U,
886
    0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U,
887
    0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU,
888
    0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U,
889
    0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU,
890
    0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU,
891
    0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU,
892
    0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U,
893
    0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U,
894
    0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U,
895
    0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U,
896
    0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U,
897
    0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U,
898
    0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU,
899
    0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U,
900
    0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U,
901
    0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU,
902
    0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U,
903
    0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U,
904
    0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U,
905
    0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU,
906
    0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U,
907
    0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U,
908
    0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU,
909
    0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U,
910
    0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U,
911
    0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU,
912
    0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U,
913
    0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU,
914
    0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU,
915
    0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U,
916
    0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U,
917
    0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U,
918
    0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U,
919
    0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU,
920
    0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U,
921
    0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U,
922
    0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU,
923
    0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU,
924
    0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU,
925
    0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U,
926
    0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
927
    0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
928
    0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
929
    0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
930
    0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
931
    0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
932
    0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
933
    0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
934
    0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
935
    0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
936
    0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
937
    0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
938
    0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
939
    0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
940
    0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
941
    0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
942
    0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
943
    0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU,
944
};
945

946
static const u32 rcon[] = {
947
        0x01000000, 0x02000000, 0x04000000, 0x08000000,
948
        0x10000000, 0x20000000, 0x40000000, 0x80000000,
949
        0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
950
};
951

952
/*
953
 * Perform MixColumns.
954
 */
955
static inline void
956
aesenc_MC_swap(AESState *r, const AESState *st, bool swap)
957
{
958
    int swap_b = swap * 0xf;
959
    int swap_w = swap * 0x3;
960
    bool be = HOST_BIG_ENDIAN ^ swap;
961
    uint32_t t;
962

963
    /* Note that AES_mc_rot is encoded for little-endian. */
964
    t = (      AES_mc_rot[st->b[swap_b ^ 0x0]] ^
965
         rol32(AES_mc_rot[st->b[swap_b ^ 0x1]], 8) ^
966
         rol32(AES_mc_rot[st->b[swap_b ^ 0x2]], 16) ^
967
         rol32(AES_mc_rot[st->b[swap_b ^ 0x3]], 24));
968
    if (be) {
969
        t = bswap32(t);
970
    }
971
    r->w[swap_w ^ 0] = t;
972

973
    t = (      AES_mc_rot[st->b[swap_b ^ 0x4]] ^
974
         rol32(AES_mc_rot[st->b[swap_b ^ 0x5]], 8) ^
975
         rol32(AES_mc_rot[st->b[swap_b ^ 0x6]], 16) ^
976
         rol32(AES_mc_rot[st->b[swap_b ^ 0x7]], 24));
977
    if (be) {
978
        t = bswap32(t);
979
    }
980
    r->w[swap_w ^ 1] = t;
981

982
    t = (      AES_mc_rot[st->b[swap_b ^ 0x8]] ^
983
         rol32(AES_mc_rot[st->b[swap_b ^ 0x9]], 8) ^
984
         rol32(AES_mc_rot[st->b[swap_b ^ 0xA]], 16) ^
985
         rol32(AES_mc_rot[st->b[swap_b ^ 0xB]], 24));
986
    if (be) {
987
        t = bswap32(t);
988
    }
989
    r->w[swap_w ^ 2] = t;
990

991
    t = (      AES_mc_rot[st->b[swap_b ^ 0xC]] ^
992
         rol32(AES_mc_rot[st->b[swap_b ^ 0xD]], 8) ^
993
         rol32(AES_mc_rot[st->b[swap_b ^ 0xE]], 16) ^
994
         rol32(AES_mc_rot[st->b[swap_b ^ 0xF]], 24));
995
    if (be) {
996
        t = bswap32(t);
997
    }
998
    r->w[swap_w ^ 3] = t;
999
}
1000

1001
void aesenc_MC_gen(AESState *r, const AESState *st)
1002
{
1003
    aesenc_MC_swap(r, st, false);
1004
}
1005

1006
void aesenc_MC_genrev(AESState *r, const AESState *st)
1007
{
1008
    aesenc_MC_swap(r, st, true);
1009
}
1010

1011
/*
1012
 * Perform SubBytes + ShiftRows + AddRoundKey.
1013
 */
1014
static inline void
1015
aesenc_SB_SR_AK_swap(AESState *ret, const AESState *st,
1016
                     const AESState *rk, bool swap)
1017
{
1018
    const int swap_b = swap ? 15 : 0;
1019
    AESState t;
1020

1021
    t.b[swap_b ^ 0x0] = AES_sbox[st->b[swap_b ^ AES_SH(0x0)]];
1022
    t.b[swap_b ^ 0x1] = AES_sbox[st->b[swap_b ^ AES_SH(0x1)]];
1023
    t.b[swap_b ^ 0x2] = AES_sbox[st->b[swap_b ^ AES_SH(0x2)]];
1024
    t.b[swap_b ^ 0x3] = AES_sbox[st->b[swap_b ^ AES_SH(0x3)]];
1025
    t.b[swap_b ^ 0x4] = AES_sbox[st->b[swap_b ^ AES_SH(0x4)]];
1026
    t.b[swap_b ^ 0x5] = AES_sbox[st->b[swap_b ^ AES_SH(0x5)]];
1027
    t.b[swap_b ^ 0x6] = AES_sbox[st->b[swap_b ^ AES_SH(0x6)]];
1028
    t.b[swap_b ^ 0x7] = AES_sbox[st->b[swap_b ^ AES_SH(0x7)]];
1029
    t.b[swap_b ^ 0x8] = AES_sbox[st->b[swap_b ^ AES_SH(0x8)]];
1030
    t.b[swap_b ^ 0x9] = AES_sbox[st->b[swap_b ^ AES_SH(0x9)]];
1031
    t.b[swap_b ^ 0xa] = AES_sbox[st->b[swap_b ^ AES_SH(0xA)]];
1032
    t.b[swap_b ^ 0xb] = AES_sbox[st->b[swap_b ^ AES_SH(0xB)]];
1033
    t.b[swap_b ^ 0xc] = AES_sbox[st->b[swap_b ^ AES_SH(0xC)]];
1034
    t.b[swap_b ^ 0xd] = AES_sbox[st->b[swap_b ^ AES_SH(0xD)]];
1035
    t.b[swap_b ^ 0xe] = AES_sbox[st->b[swap_b ^ AES_SH(0xE)]];
1036
    t.b[swap_b ^ 0xf] = AES_sbox[st->b[swap_b ^ AES_SH(0xF)]];
1037

1038
    /*
1039
     * Perform the AddRoundKey with generic vectors.
1040
     * This may be expanded to either host integer or host vector code.
1041
     * The key and output endianness match, so no bswap required.
1042
     */
1043
    ret->v = t.v ^ rk->v;
1044
}
1045

1046
void aesenc_SB_SR_AK_gen(AESState *r, const AESState *s, const AESState *k)
1047
{
1048
    aesenc_SB_SR_AK_swap(r, s, k, false);
1049
}
1050

1051
void aesenc_SB_SR_AK_genrev(AESState *r, const AESState *s, const AESState *k)
1052
{
1053
    aesenc_SB_SR_AK_swap(r, s, k, true);
1054
}
1055

1056
/*
1057
 * Perform SubBytes + ShiftRows + MixColumns + AddRoundKey.
1058
 */
1059
static inline void
1060
aesenc_SB_SR_MC_AK_swap(AESState *r, const AESState *st,
1061
                        const AESState *rk, bool swap)
1062
{
1063
    int swap_b = swap * 0xf;
1064
    int swap_w = swap * 0x3;
1065
    bool be = HOST_BIG_ENDIAN ^ swap;
1066
    uint32_t w0, w1, w2, w3;
1067

1068
    w0 = (AES_Te0[st->b[swap_b ^ AES_SH(0x0)]] ^
1069
          AES_Te1[st->b[swap_b ^ AES_SH(0x1)]] ^
1070
          AES_Te2[st->b[swap_b ^ AES_SH(0x2)]] ^
1071
          AES_Te3[st->b[swap_b ^ AES_SH(0x3)]]);
1072

1073
    w1 = (AES_Te0[st->b[swap_b ^ AES_SH(0x4)]] ^
1074
          AES_Te1[st->b[swap_b ^ AES_SH(0x5)]] ^
1075
          AES_Te2[st->b[swap_b ^ AES_SH(0x6)]] ^
1076
          AES_Te3[st->b[swap_b ^ AES_SH(0x7)]]);
1077

1078
    w2 = (AES_Te0[st->b[swap_b ^ AES_SH(0x8)]] ^
1079
          AES_Te1[st->b[swap_b ^ AES_SH(0x9)]] ^
1080
          AES_Te2[st->b[swap_b ^ AES_SH(0xA)]] ^
1081
          AES_Te3[st->b[swap_b ^ AES_SH(0xB)]]);
1082

1083
    w3 = (AES_Te0[st->b[swap_b ^ AES_SH(0xC)]] ^
1084
          AES_Te1[st->b[swap_b ^ AES_SH(0xD)]] ^
1085
          AES_Te2[st->b[swap_b ^ AES_SH(0xE)]] ^
1086
          AES_Te3[st->b[swap_b ^ AES_SH(0xF)]]);
1087

1088
    /* Note that AES_TeX is encoded for big-endian. */
1089
    if (!be) {
1090
        w0 = bswap32(w0);
1091
        w1 = bswap32(w1);
1092
        w2 = bswap32(w2);
1093
        w3 = bswap32(w3);
1094
    }
1095

1096
    r->w[swap_w ^ 0] = rk->w[swap_w ^ 0] ^ w0;
1097
    r->w[swap_w ^ 1] = rk->w[swap_w ^ 1] ^ w1;
1098
    r->w[swap_w ^ 2] = rk->w[swap_w ^ 2] ^ w2;
1099
    r->w[swap_w ^ 3] = rk->w[swap_w ^ 3] ^ w3;
1100
}
1101

1102
void aesenc_SB_SR_MC_AK_gen(AESState *r, const AESState *st,
1103
                            const AESState *rk)
1104
{
1105
    aesenc_SB_SR_MC_AK_swap(r, st, rk, false);
1106
}
1107

1108
void aesenc_SB_SR_MC_AK_genrev(AESState *r, const AESState *st,
1109
                               const AESState *rk)
1110
{
1111
    aesenc_SB_SR_MC_AK_swap(r, st, rk, true);
1112
}
1113

1114
/*
1115
 * Perform InvMixColumns.
1116
 */
1117
static inline void
1118
aesdec_IMC_swap(AESState *r, const AESState *st, bool swap)
1119
{
1120
    int swap_b = swap * 0xf;
1121
    int swap_w = swap * 0x3;
1122
    bool be = HOST_BIG_ENDIAN ^ swap;
1123
    uint32_t t;
1124

1125
    /* Note that AES_imc_rot is encoded for little-endian. */
1126
    t = (      AES_imc_rot[st->b[swap_b ^ 0x0]] ^
1127
         rol32(AES_imc_rot[st->b[swap_b ^ 0x1]], 8) ^
1128
         rol32(AES_imc_rot[st->b[swap_b ^ 0x2]], 16) ^
1129
         rol32(AES_imc_rot[st->b[swap_b ^ 0x3]], 24));
1130
    if (be) {
1131
        t = bswap32(t);
1132
    }
1133
    r->w[swap_w ^ 0] = t;
1134

1135
    t = (      AES_imc_rot[st->b[swap_b ^ 0x4]] ^
1136
         rol32(AES_imc_rot[st->b[swap_b ^ 0x5]], 8) ^
1137
         rol32(AES_imc_rot[st->b[swap_b ^ 0x6]], 16) ^
1138
         rol32(AES_imc_rot[st->b[swap_b ^ 0x7]], 24));
1139
    if (be) {
1140
        t = bswap32(t);
1141
    }
1142
    r->w[swap_w ^ 1] = t;
1143

1144
    t = (      AES_imc_rot[st->b[swap_b ^ 0x8]] ^
1145
         rol32(AES_imc_rot[st->b[swap_b ^ 0x9]], 8) ^
1146
         rol32(AES_imc_rot[st->b[swap_b ^ 0xA]], 16) ^
1147
         rol32(AES_imc_rot[st->b[swap_b ^ 0xB]], 24));
1148
    if (be) {
1149
        t = bswap32(t);
1150
    }
1151
    r->w[swap_w ^ 2] = t;
1152

1153
    t = (      AES_imc_rot[st->b[swap_b ^ 0xC]] ^
1154
         rol32(AES_imc_rot[st->b[swap_b ^ 0xD]], 8) ^
1155
         rol32(AES_imc_rot[st->b[swap_b ^ 0xE]], 16) ^
1156
         rol32(AES_imc_rot[st->b[swap_b ^ 0xF]], 24));
1157
    if (be) {
1158
        t = bswap32(t);
1159
    }
1160
    r->w[swap_w ^ 3] = t;
1161
}
1162

1163
void aesdec_IMC_gen(AESState *r, const AESState *st)
1164
{
1165
    aesdec_IMC_swap(r, st, false);
1166
}
1167

1168
void aesdec_IMC_genrev(AESState *r, const AESState *st)
1169
{
1170
    aesdec_IMC_swap(r, st, true);
1171
}
1172

1173
/*
1174
 * Perform InvSubBytes + InvShiftRows + AddRoundKey.
1175
 */
1176
static inline void
1177
aesdec_ISB_ISR_AK_swap(AESState *ret, const AESState *st,
1178
                       const AESState *rk, bool swap)
1179
{
1180
    const int swap_b = swap ? 15 : 0;
1181
    AESState t;
1182

1183
    t.b[swap_b ^ 0x0] = AES_isbox[st->b[swap_b ^ AES_ISH(0x0)]];
1184
    t.b[swap_b ^ 0x1] = AES_isbox[st->b[swap_b ^ AES_ISH(0x1)]];
1185
    t.b[swap_b ^ 0x2] = AES_isbox[st->b[swap_b ^ AES_ISH(0x2)]];
1186
    t.b[swap_b ^ 0x3] = AES_isbox[st->b[swap_b ^ AES_ISH(0x3)]];
1187
    t.b[swap_b ^ 0x4] = AES_isbox[st->b[swap_b ^ AES_ISH(0x4)]];
1188
    t.b[swap_b ^ 0x5] = AES_isbox[st->b[swap_b ^ AES_ISH(0x5)]];
1189
    t.b[swap_b ^ 0x6] = AES_isbox[st->b[swap_b ^ AES_ISH(0x6)]];
1190
    t.b[swap_b ^ 0x7] = AES_isbox[st->b[swap_b ^ AES_ISH(0x7)]];
1191
    t.b[swap_b ^ 0x8] = AES_isbox[st->b[swap_b ^ AES_ISH(0x8)]];
1192
    t.b[swap_b ^ 0x9] = AES_isbox[st->b[swap_b ^ AES_ISH(0x9)]];
1193
    t.b[swap_b ^ 0xa] = AES_isbox[st->b[swap_b ^ AES_ISH(0xA)]];
1194
    t.b[swap_b ^ 0xb] = AES_isbox[st->b[swap_b ^ AES_ISH(0xB)]];
1195
    t.b[swap_b ^ 0xc] = AES_isbox[st->b[swap_b ^ AES_ISH(0xC)]];
1196
    t.b[swap_b ^ 0xd] = AES_isbox[st->b[swap_b ^ AES_ISH(0xD)]];
1197
    t.b[swap_b ^ 0xe] = AES_isbox[st->b[swap_b ^ AES_ISH(0xE)]];
1198
    t.b[swap_b ^ 0xf] = AES_isbox[st->b[swap_b ^ AES_ISH(0xF)]];
1199

1200
    /*
1201
     * Perform the AddRoundKey with generic vectors.
1202
     * This may be expanded to either host integer or host vector code.
1203
     * The key and output endianness match, so no bswap required.
1204
     */
1205
    ret->v = t.v ^ rk->v;
1206
}
1207

1208
void aesdec_ISB_ISR_AK_gen(AESState *r, const AESState *s, const AESState *k)
1209
{
1210
    aesdec_ISB_ISR_AK_swap(r, s, k, false);
1211
}
1212

1213
void aesdec_ISB_ISR_AK_genrev(AESState *r, const AESState *s, const AESState *k)
1214
{
1215
    aesdec_ISB_ISR_AK_swap(r, s, k, true);
1216
}
1217

1218
/*
1219
 * Perform InvSubBytes + InvShiftRows + InvMixColumns + AddRoundKey.
1220
 */
1221
static inline void
1222
aesdec_ISB_ISR_IMC_AK_swap(AESState *r, const AESState *st,
1223
                           const AESState *rk, bool swap)
1224
{
1225
    int swap_b = swap * 0xf;
1226
    int swap_w = swap * 0x3;
1227
    bool be = HOST_BIG_ENDIAN ^ swap;
1228
    uint32_t w0, w1, w2, w3;
1229

1230
    w0 = (AES_Td0[st->b[swap_b ^ AES_ISH(0x0)]] ^
1231
          AES_Td1[st->b[swap_b ^ AES_ISH(0x1)]] ^
1232
          AES_Td2[st->b[swap_b ^ AES_ISH(0x2)]] ^
1233
          AES_Td3[st->b[swap_b ^ AES_ISH(0x3)]]);
1234

1235
    w1 = (AES_Td0[st->b[swap_b ^ AES_ISH(0x4)]] ^
1236
          AES_Td1[st->b[swap_b ^ AES_ISH(0x5)]] ^
1237
          AES_Td2[st->b[swap_b ^ AES_ISH(0x6)]] ^
1238
          AES_Td3[st->b[swap_b ^ AES_ISH(0x7)]]);
1239

1240
    w2 = (AES_Td0[st->b[swap_b ^ AES_ISH(0x8)]] ^
1241
          AES_Td1[st->b[swap_b ^ AES_ISH(0x9)]] ^
1242
          AES_Td2[st->b[swap_b ^ AES_ISH(0xA)]] ^
1243
          AES_Td3[st->b[swap_b ^ AES_ISH(0xB)]]);
1244

1245
    w3 = (AES_Td0[st->b[swap_b ^ AES_ISH(0xC)]] ^
1246
          AES_Td1[st->b[swap_b ^ AES_ISH(0xD)]] ^
1247
          AES_Td2[st->b[swap_b ^ AES_ISH(0xE)]] ^
1248
          AES_Td3[st->b[swap_b ^ AES_ISH(0xF)]]);
1249

1250
    /* Note that AES_TdX is encoded for big-endian. */
1251
    if (!be) {
1252
        w0 = bswap32(w0);
1253
        w1 = bswap32(w1);
1254
        w2 = bswap32(w2);
1255
        w3 = bswap32(w3);
1256
    }
1257

1258
    r->w[swap_w ^ 0] = rk->w[swap_w ^ 0] ^ w0;
1259
    r->w[swap_w ^ 1] = rk->w[swap_w ^ 1] ^ w1;
1260
    r->w[swap_w ^ 2] = rk->w[swap_w ^ 2] ^ w2;
1261
    r->w[swap_w ^ 3] = rk->w[swap_w ^ 3] ^ w3;
1262
}
1263

1264
void aesdec_ISB_ISR_IMC_AK_gen(AESState *r, const AESState *st,
1265
                               const AESState *rk)
1266
{
1267
    aesdec_ISB_ISR_IMC_AK_swap(r, st, rk, false);
1268
}
1269

1270
void aesdec_ISB_ISR_IMC_AK_genrev(AESState *r, const AESState *st,
1271
                                  const AESState *rk)
1272
{
1273
    aesdec_ISB_ISR_IMC_AK_swap(r, st, rk, true);
1274
}
1275

1276
void aesdec_ISB_ISR_AK_IMC_gen(AESState *ret, const AESState *st,
1277
                               const AESState *rk)
1278
{
1279
    aesdec_ISB_ISR_AK_gen(ret, st, rk);
1280
    aesdec_IMC_gen(ret, ret);
1281
}
1282

1283
void aesdec_ISB_ISR_AK_IMC_genrev(AESState *ret, const AESState *st,
1284
                                  const AESState *rk)
1285
{
1286
    aesdec_ISB_ISR_AK_genrev(ret, st, rk);
1287
    aesdec_IMC_genrev(ret, ret);
1288
}
1289

1290
/**
1291
 * Expand the cipher key into the encryption key schedule.
1292
 */
1293
int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
1294
                        AES_KEY *key) {
1295

1296
        u32 *rk;
1297
        int i = 0;
1298
        u32 temp;
1299

1300
        if (!userKey || !key)
1301
                return -1;
1302
        if (bits != 128 && bits != 192 && bits != 256)
1303
                return -2;
1304

1305
        rk = key->rd_key;
1306

1307
        if (bits == 128)
1308
                key->rounds = 10;
1309
        else if (bits == 192)
1310
                key->rounds = 12;
1311
        else
1312
                key->rounds = 14;
1313

1314
        rk[0] = GETU32(userKey     );
1315
        rk[1] = GETU32(userKey +  4);
1316
        rk[2] = GETU32(userKey +  8);
1317
        rk[3] = GETU32(userKey + 12);
1318
        if (bits == 128) {
1319
                while (1) {
1320
                        temp  = rk[3];
1321
                        rk[4] = rk[0] ^
1322
                                (AES_Te4[(temp >> 16) & 0xff] & 0xff000000) ^
1323
                                (AES_Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
1324
                                (AES_Te4[(temp      ) & 0xff] & 0x0000ff00) ^
1325
                                (AES_Te4[(temp >> 24)       ] & 0x000000ff) ^
1326
                                rcon[i];
1327
                        rk[5] = rk[1] ^ rk[4];
1328
                        rk[6] = rk[2] ^ rk[5];
1329
                        rk[7] = rk[3] ^ rk[6];
1330
                        if (++i == 10) {
1331
                                return 0;
1332
                        }
1333
                        rk += 4;
1334
                }
1335
        }
1336
        rk[4] = GETU32(userKey + 16);
1337
        rk[5] = GETU32(userKey + 20);
1338
        if (bits == 192) {
1339
                while (1) {
1340
                        temp = rk[ 5];
1341
                        rk[ 6] = rk[ 0] ^
1342
                                (AES_Te4[(temp >> 16) & 0xff] & 0xff000000) ^
1343
                                (AES_Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
1344
                                (AES_Te4[(temp      ) & 0xff] & 0x0000ff00) ^
1345
                                (AES_Te4[(temp >> 24)       ] & 0x000000ff) ^
1346
                                rcon[i];
1347
                        rk[ 7] = rk[ 1] ^ rk[ 6];
1348
                        rk[ 8] = rk[ 2] ^ rk[ 7];
1349
                        rk[ 9] = rk[ 3] ^ rk[ 8];
1350
                        if (++i == 8) {
1351
                                return 0;
1352
                        }
1353
                        rk[10] = rk[ 4] ^ rk[ 9];
1354
                        rk[11] = rk[ 5] ^ rk[10];
1355
                        rk += 6;
1356
                }
1357
        }
1358
        rk[6] = GETU32(userKey + 24);
1359
        rk[7] = GETU32(userKey + 28);
1360
        if (bits == 256) {
1361
                while (1) {
1362
                        temp = rk[ 7];
1363
                        rk[ 8] = rk[ 0] ^
1364
                                (AES_Te4[(temp >> 16) & 0xff] & 0xff000000) ^
1365
                                (AES_Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
1366
                                (AES_Te4[(temp      ) & 0xff] & 0x0000ff00) ^
1367
                                (AES_Te4[(temp >> 24)       ] & 0x000000ff) ^
1368
                                rcon[i];
1369
                        rk[ 9] = rk[ 1] ^ rk[ 8];
1370
                        rk[10] = rk[ 2] ^ rk[ 9];
1371
                        rk[11] = rk[ 3] ^ rk[10];
1372
                        if (++i == 7) {
1373
                                return 0;
1374
                        }
1375
                        temp = rk[11];
1376
                        rk[12] = rk[ 4] ^
1377
                                (AES_Te4[(temp >> 24)       ] & 0xff000000) ^
1378
                                (AES_Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^
1379
                                (AES_Te4[(temp >>  8) & 0xff] & 0x0000ff00) ^
1380
                                (AES_Te4[(temp      ) & 0xff] & 0x000000ff);
1381
                        rk[13] = rk[ 5] ^ rk[12];
1382
                        rk[14] = rk[ 6] ^ rk[13];
1383
                        rk[15] = rk[ 7] ^ rk[14];
1384

1385
                        rk += 8;
1386
                }
1387
        }
1388
        abort();
1389
}
1390

1391
/**
1392
 * Expand the cipher key into the decryption key schedule.
1393
 */
1394
int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
1395
                         AES_KEY *key) {
1396

1397
        u32 *rk;
1398
        int i, j, status;
1399
        u32 temp;
1400

1401
        /* first, start with an encryption schedule */
1402
        status = AES_set_encrypt_key(userKey, bits, key);
1403
        if (status < 0)
1404
                return status;
1405

1406
        rk = key->rd_key;
1407

1408
        /* invert the order of the round keys: */
1409
        for (i = 0, j = 4 * (key->rounds); i < j; i += 4, j -= 4) {
1410
                temp = rk[i    ]; rk[i    ] = rk[j    ]; rk[j    ] = temp;
1411
                temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
1412
                temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
1413
                temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
1414
        }
1415
        /* apply the inverse MixColumn transform to all round keys but the first and the last: */
1416
        for (i = 1; i < (key->rounds); i++) {
1417
                rk += 4;
1418
                rk[0] =
1419
                        AES_Td0[AES_Te4[(rk[0] >> 24)       ] & 0xff] ^
1420
                        AES_Td1[AES_Te4[(rk[0] >> 16) & 0xff] & 0xff] ^
1421
                        AES_Td2[AES_Te4[(rk[0] >>  8) & 0xff] & 0xff] ^
1422
                        AES_Td3[AES_Te4[(rk[0]      ) & 0xff] & 0xff];
1423
                rk[1] =
1424
                        AES_Td0[AES_Te4[(rk[1] >> 24)       ] & 0xff] ^
1425
                        AES_Td1[AES_Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
1426
                        AES_Td2[AES_Te4[(rk[1] >>  8) & 0xff] & 0xff] ^
1427
                        AES_Td3[AES_Te4[(rk[1]      ) & 0xff] & 0xff];
1428
                rk[2] =
1429
                        AES_Td0[AES_Te4[(rk[2] >> 24)       ] & 0xff] ^
1430
                        AES_Td1[AES_Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
1431
                        AES_Td2[AES_Te4[(rk[2] >>  8) & 0xff] & 0xff] ^
1432
                        AES_Td3[AES_Te4[(rk[2]      ) & 0xff] & 0xff];
1433
                rk[3] =
1434
                        AES_Td0[AES_Te4[(rk[3] >> 24)       ] & 0xff] ^
1435
                        AES_Td1[AES_Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
1436
                        AES_Td2[AES_Te4[(rk[3] >>  8) & 0xff] & 0xff] ^
1437
                        AES_Td3[AES_Te4[(rk[3]      ) & 0xff] & 0xff];
1438
        }
1439
        return 0;
1440
}
1441

1442
#ifndef AES_ASM
1443
/*
1444
 * Encrypt a single block
1445
 * in and out can overlap
1446
 */
1447
void AES_encrypt(const unsigned char *in, unsigned char *out,
1448
                 const AES_KEY *key) {
1449

1450
        const u32 *rk;
1451
        u32 s0, s1, s2, s3, t0, t1, t2, t3;
1452
#ifndef FULL_UNROLL
1453
        int r;
1454
#endif /* ?FULL_UNROLL */
1455

1456
        assert(in && out && key);
1457
        rk = key->rd_key;
1458

1459
        /*
1460
         * map byte array block to cipher state
1461
         * and add initial round key:
1462
         */
1463
        s0 = GETU32(in     ) ^ rk[0];
1464
        s1 = GETU32(in +  4) ^ rk[1];
1465
        s2 = GETU32(in +  8) ^ rk[2];
1466
        s3 = GETU32(in + 12) ^ rk[3];
1467
#ifdef FULL_UNROLL
1468
        /* round 1: */
1469
        t0 = AES_Te0[s0 >> 24] ^ AES_Te1[(s1 >> 16) & 0xff] ^ AES_Te2[(s2 >>  8) & 0xff] ^ AES_Te3[s3 & 0xff] ^ rk[ 4];
1470
        t1 = AES_Te0[s1 >> 24] ^ AES_Te1[(s2 >> 16) & 0xff] ^ AES_Te2[(s3 >>  8) & 0xff] ^ AES_Te3[s0 & 0xff] ^ rk[ 5];
1471
        t2 = AES_Te0[s2 >> 24] ^ AES_Te1[(s3 >> 16) & 0xff] ^ AES_Te2[(s0 >>  8) & 0xff] ^ AES_Te3[s1 & 0xff] ^ rk[ 6];
1472
        t3 = AES_Te0[s3 >> 24] ^ AES_Te1[(s0 >> 16) & 0xff] ^ AES_Te2[(s1 >>  8) & 0xff] ^ AES_Te3[s2 & 0xff] ^ rk[ 7];
1473
        /* round 2: */
1474
        s0 = AES_Te0[t0 >> 24] ^ AES_Te1[(t1 >> 16) & 0xff] ^ AES_Te2[(t2 >>  8) & 0xff] ^ AES_Te3[t3 & 0xff] ^ rk[ 8];
1475
        s1 = AES_Te0[t1 >> 24] ^ AES_Te1[(t2 >> 16) & 0xff] ^ AES_Te2[(t3 >>  8) & 0xff] ^ AES_Te3[t0 & 0xff] ^ rk[ 9];
1476
        s2 = AES_Te0[t2 >> 24] ^ AES_Te1[(t3 >> 16) & 0xff] ^ AES_Te2[(t0 >>  8) & 0xff] ^ AES_Te3[t1 & 0xff] ^ rk[10];
1477
        s3 = AES_Te0[t3 >> 24] ^ AES_Te1[(t0 >> 16) & 0xff] ^ AES_Te2[(t1 >>  8) & 0xff] ^ AES_Te3[t2 & 0xff] ^ rk[11];
1478
        /* round 3: */
1479
        t0 = AES_Te0[s0 >> 24] ^ AES_Te1[(s1 >> 16) & 0xff] ^ AES_Te2[(s2 >>  8) & 0xff] ^ AES_Te3[s3 & 0xff] ^ rk[12];
1480
        t1 = AES_Te0[s1 >> 24] ^ AES_Te1[(s2 >> 16) & 0xff] ^ AES_Te2[(s3 >>  8) & 0xff] ^ AES_Te3[s0 & 0xff] ^ rk[13];
1481
        t2 = AES_Te0[s2 >> 24] ^ AES_Te1[(s3 >> 16) & 0xff] ^ AES_Te2[(s0 >>  8) & 0xff] ^ AES_Te3[s1 & 0xff] ^ rk[14];
1482
        t3 = AES_Te0[s3 >> 24] ^ AES_Te1[(s0 >> 16) & 0xff] ^ AES_Te2[(s1 >>  8) & 0xff] ^ AES_Te3[s2 & 0xff] ^ rk[15];
1483
        /* round 4: */
1484
        s0 = AES_Te0[t0 >> 24] ^ AES_Te1[(t1 >> 16) & 0xff] ^ AES_Te2[(t2 >>  8) & 0xff] ^ AES_Te3[t3 & 0xff] ^ rk[16];
1485
        s1 = AES_Te0[t1 >> 24] ^ AES_Te1[(t2 >> 16) & 0xff] ^ AES_Te2[(t3 >>  8) & 0xff] ^ AES_Te3[t0 & 0xff] ^ rk[17];
1486
        s2 = AES_Te0[t2 >> 24] ^ AES_Te1[(t3 >> 16) & 0xff] ^ AES_Te2[(t0 >>  8) & 0xff] ^ AES_Te3[t1 & 0xff] ^ rk[18];
1487
        s3 = AES_Te0[t3 >> 24] ^ AES_Te1[(t0 >> 16) & 0xff] ^ AES_Te2[(t1 >>  8) & 0xff] ^ AES_Te3[t2 & 0xff] ^ rk[19];
1488
        /* round 5: */
1489
        t0 = AES_Te0[s0 >> 24] ^ AES_Te1[(s1 >> 16) & 0xff] ^ AES_Te2[(s2 >>  8) & 0xff] ^ AES_Te3[s3 & 0xff] ^ rk[20];
1490
        t1 = AES_Te0[s1 >> 24] ^ AES_Te1[(s2 >> 16) & 0xff] ^ AES_Te2[(s3 >>  8) & 0xff] ^ AES_Te3[s0 & 0xff] ^ rk[21];
1491
        t2 = AES_Te0[s2 >> 24] ^ AES_Te1[(s3 >> 16) & 0xff] ^ AES_Te2[(s0 >>  8) & 0xff] ^ AES_Te3[s1 & 0xff] ^ rk[22];
1492
        t3 = AES_Te0[s3 >> 24] ^ AES_Te1[(s0 >> 16) & 0xff] ^ AES_Te2[(s1 >>  8) & 0xff] ^ AES_Te3[s2 & 0xff] ^ rk[23];
1493
        /* round 6: */
1494
        s0 = AES_Te0[t0 >> 24] ^ AES_Te1[(t1 >> 16) & 0xff] ^ AES_Te2[(t2 >>  8) & 0xff] ^ AES_Te3[t3 & 0xff] ^ rk[24];
1495
        s1 = AES_Te0[t1 >> 24] ^ AES_Te1[(t2 >> 16) & 0xff] ^ AES_Te2[(t3 >>  8) & 0xff] ^ AES_Te3[t0 & 0xff] ^ rk[25];
1496
        s2 = AES_Te0[t2 >> 24] ^ AES_Te1[(t3 >> 16) & 0xff] ^ AES_Te2[(t0 >>  8) & 0xff] ^ AES_Te3[t1 & 0xff] ^ rk[26];
1497
        s3 = AES_Te0[t3 >> 24] ^ AES_Te1[(t0 >> 16) & 0xff] ^ AES_Te2[(t1 >>  8) & 0xff] ^ AES_Te3[t2 & 0xff] ^ rk[27];
1498
        /* round 7: */
1499
        t0 = AES_Te0[s0 >> 24] ^ AES_Te1[(s1 >> 16) & 0xff] ^ AES_Te2[(s2 >>  8) & 0xff] ^ AES_Te3[s3 & 0xff] ^ rk[28];
1500
        t1 = AES_Te0[s1 >> 24] ^ AES_Te1[(s2 >> 16) & 0xff] ^ AES_Te2[(s3 >>  8) & 0xff] ^ AES_Te3[s0 & 0xff] ^ rk[29];
1501
        t2 = AES_Te0[s2 >> 24] ^ AES_Te1[(s3 >> 16) & 0xff] ^ AES_Te2[(s0 >>  8) & 0xff] ^ AES_Te3[s1 & 0xff] ^ rk[30];
1502
        t3 = AES_Te0[s3 >> 24] ^ AES_Te1[(s0 >> 16) & 0xff] ^ AES_Te2[(s1 >>  8) & 0xff] ^ AES_Te3[s2 & 0xff] ^ rk[31];
1503
        /* round 8: */
1504
        s0 = AES_Te0[t0 >> 24] ^ AES_Te1[(t1 >> 16) & 0xff] ^ AES_Te2[(t2 >>  8) & 0xff] ^ AES_Te3[t3 & 0xff] ^ rk[32];
1505
        s1 = AES_Te0[t1 >> 24] ^ AES_Te1[(t2 >> 16) & 0xff] ^ AES_Te2[(t3 >>  8) & 0xff] ^ AES_Te3[t0 & 0xff] ^ rk[33];
1506
        s2 = AES_Te0[t2 >> 24] ^ AES_Te1[(t3 >> 16) & 0xff] ^ AES_Te2[(t0 >>  8) & 0xff] ^ AES_Te3[t1 & 0xff] ^ rk[34];
1507
        s3 = AES_Te0[t3 >> 24] ^ AES_Te1[(t0 >> 16) & 0xff] ^ AES_Te2[(t1 >>  8) & 0xff] ^ AES_Te3[t2 & 0xff] ^ rk[35];
1508
        /* round 9: */
1509
        t0 = AES_Te0[s0 >> 24] ^ AES_Te1[(s1 >> 16) & 0xff] ^ AES_Te2[(s2 >>  8) & 0xff] ^ AES_Te3[s3 & 0xff] ^ rk[36];
1510
        t1 = AES_Te0[s1 >> 24] ^ AES_Te1[(s2 >> 16) & 0xff] ^ AES_Te2[(s3 >>  8) & 0xff] ^ AES_Te3[s0 & 0xff] ^ rk[37];
1511
        t2 = AES_Te0[s2 >> 24] ^ AES_Te1[(s3 >> 16) & 0xff] ^ AES_Te2[(s0 >>  8) & 0xff] ^ AES_Te3[s1 & 0xff] ^ rk[38];
1512
        t3 = AES_Te0[s3 >> 24] ^ AES_Te1[(s0 >> 16) & 0xff] ^ AES_Te2[(s1 >>  8) & 0xff] ^ AES_Te3[s2 & 0xff] ^ rk[39];
1513
    if (key->rounds > 10) {
1514
        /* round 10: */
1515
        s0 = AES_Te0[t0 >> 24] ^ AES_Te1[(t1 >> 16) & 0xff] ^ AES_Te2[(t2 >>  8) & 0xff] ^ AES_Te3[t3 & 0xff] ^ rk[40];
1516
        s1 = AES_Te0[t1 >> 24] ^ AES_Te1[(t2 >> 16) & 0xff] ^ AES_Te2[(t3 >>  8) & 0xff] ^ AES_Te3[t0 & 0xff] ^ rk[41];
1517
        s2 = AES_Te0[t2 >> 24] ^ AES_Te1[(t3 >> 16) & 0xff] ^ AES_Te2[(t0 >>  8) & 0xff] ^ AES_Te3[t1 & 0xff] ^ rk[42];
1518
        s3 = AES_Te0[t3 >> 24] ^ AES_Te1[(t0 >> 16) & 0xff] ^ AES_Te2[(t1 >>  8) & 0xff] ^ AES_Te3[t2 & 0xff] ^ rk[43];
1519
        /* round 11: */
1520
        t0 = AES_Te0[s0 >> 24] ^ AES_Te1[(s1 >> 16) & 0xff] ^ AES_Te2[(s2 >>  8) & 0xff] ^ AES_Te3[s3 & 0xff] ^ rk[44];
1521
        t1 = AES_Te0[s1 >> 24] ^ AES_Te1[(s2 >> 16) & 0xff] ^ AES_Te2[(s3 >>  8) & 0xff] ^ AES_Te3[s0 & 0xff] ^ rk[45];
1522
        t2 = AES_Te0[s2 >> 24] ^ AES_Te1[(s3 >> 16) & 0xff] ^ AES_Te2[(s0 >>  8) & 0xff] ^ AES_Te3[s1 & 0xff] ^ rk[46];
1523
        t3 = AES_Te0[s3 >> 24] ^ AES_Te1[(s0 >> 16) & 0xff] ^ AES_Te2[(s1 >>  8) & 0xff] ^ AES_Te3[s2 & 0xff] ^ rk[47];
1524
        if (key->rounds > 12) {
1525
            /* round 12: */
1526
            s0 = AES_Te0[t0 >> 24] ^ AES_Te1[(t1 >> 16) & 0xff] ^ AES_Te2[(t2 >>  8) & 0xff] ^ AES_Te3[t3 & 0xff] ^ rk[48];
1527
            s1 = AES_Te0[t1 >> 24] ^ AES_Te1[(t2 >> 16) & 0xff] ^ AES_Te2[(t3 >>  8) & 0xff] ^ AES_Te3[t0 & 0xff] ^ rk[49];
1528
            s2 = AES_Te0[t2 >> 24] ^ AES_Te1[(t3 >> 16) & 0xff] ^ AES_Te2[(t0 >>  8) & 0xff] ^ AES_Te3[t1 & 0xff] ^ rk[50];
1529
            s3 = AES_Te0[t3 >> 24] ^ AES_Te1[(t0 >> 16) & 0xff] ^ AES_Te2[(t1 >>  8) & 0xff] ^ AES_Te3[t2 & 0xff] ^ rk[51];
1530
            /* round 13: */
1531
            t0 = AES_Te0[s0 >> 24] ^ AES_Te1[(s1 >> 16) & 0xff] ^ AES_Te2[(s2 >>  8) & 0xff] ^ AES_Te3[s3 & 0xff] ^ rk[52];
1532
            t1 = AES_Te0[s1 >> 24] ^ AES_Te1[(s2 >> 16) & 0xff] ^ AES_Te2[(s3 >>  8) & 0xff] ^ AES_Te3[s0 & 0xff] ^ rk[53];
1533
            t2 = AES_Te0[s2 >> 24] ^ AES_Te1[(s3 >> 16) & 0xff] ^ AES_Te2[(s0 >>  8) & 0xff] ^ AES_Te3[s1 & 0xff] ^ rk[54];
1534
            t3 = AES_Te0[s3 >> 24] ^ AES_Te1[(s0 >> 16) & 0xff] ^ AES_Te2[(s1 >>  8) & 0xff] ^ AES_Te3[s2 & 0xff] ^ rk[55];
1535
        }
1536
    }
1537
    rk += key->rounds << 2;
1538
#else  /* !FULL_UNROLL */
1539
    /*
1540
     * Nr - 1 full rounds:
1541
     */
1542
    r = key->rounds >> 1;
1543
    for (;;) {
1544
        t0 =
1545
            AES_Te0[(s0 >> 24)       ] ^
1546
            AES_Te1[(s1 >> 16) & 0xff] ^
1547
            AES_Te2[(s2 >>  8) & 0xff] ^
1548
            AES_Te3[(s3      ) & 0xff] ^
1549
            rk[4];
1550
        t1 =
1551
            AES_Te0[(s1 >> 24)       ] ^
1552
            AES_Te1[(s2 >> 16) & 0xff] ^
1553
            AES_Te2[(s3 >>  8) & 0xff] ^
1554
            AES_Te3[(s0      ) & 0xff] ^
1555
            rk[5];
1556
        t2 =
1557
            AES_Te0[(s2 >> 24)       ] ^
1558
            AES_Te1[(s3 >> 16) & 0xff] ^
1559
            AES_Te2[(s0 >>  8) & 0xff] ^
1560
            AES_Te3[(s1      ) & 0xff] ^
1561
            rk[6];
1562
        t3 =
1563
            AES_Te0[(s3 >> 24)       ] ^
1564
            AES_Te1[(s0 >> 16) & 0xff] ^
1565
            AES_Te2[(s1 >>  8) & 0xff] ^
1566
            AES_Te3[(s2      ) & 0xff] ^
1567
            rk[7];
1568

1569
        rk += 8;
1570
        if (--r == 0) {
1571
            break;
1572
        }
1573

1574
        s0 =
1575
            AES_Te0[(t0 >> 24)       ] ^
1576
            AES_Te1[(t1 >> 16) & 0xff] ^
1577
            AES_Te2[(t2 >>  8) & 0xff] ^
1578
            AES_Te3[(t3      ) & 0xff] ^
1579
            rk[0];
1580
        s1 =
1581
            AES_Te0[(t1 >> 24)       ] ^
1582
            AES_Te1[(t2 >> 16) & 0xff] ^
1583
            AES_Te2[(t3 >>  8) & 0xff] ^
1584
            AES_Te3[(t0      ) & 0xff] ^
1585
            rk[1];
1586
        s2 =
1587
            AES_Te0[(t2 >> 24)       ] ^
1588
            AES_Te1[(t3 >> 16) & 0xff] ^
1589
            AES_Te2[(t0 >>  8) & 0xff] ^
1590
            AES_Te3[(t1      ) & 0xff] ^
1591
            rk[2];
1592
        s3 =
1593
            AES_Te0[(t3 >> 24)       ] ^
1594
            AES_Te1[(t0 >> 16) & 0xff] ^
1595
            AES_Te2[(t1 >>  8) & 0xff] ^
1596
            AES_Te3[(t2      ) & 0xff] ^
1597
            rk[3];
1598
    }
1599
#endif /* ?FULL_UNROLL */
1600
    /*
1601
         * apply last round and
1602
         * map cipher state to byte array block:
1603
         */
1604
        s0 =
1605
                (AES_Te4[(t0 >> 24)       ] & 0xff000000) ^
1606
                (AES_Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
1607
                (AES_Te4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
1608
                (AES_Te4[(t3      ) & 0xff] & 0x000000ff) ^
1609
                rk[0];
1610
        PUTU32(out     , s0);
1611
        s1 =
1612
                (AES_Te4[(t1 >> 24)       ] & 0xff000000) ^
1613
                (AES_Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
1614
                (AES_Te4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
1615
                (AES_Te4[(t0      ) & 0xff] & 0x000000ff) ^
1616
                rk[1];
1617
        PUTU32(out +  4, s1);
1618
        s2 =
1619
                (AES_Te4[(t2 >> 24)       ] & 0xff000000) ^
1620
                (AES_Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
1621
                (AES_Te4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
1622
                (AES_Te4[(t1      ) & 0xff] & 0x000000ff) ^
1623
                rk[2];
1624
        PUTU32(out +  8, s2);
1625
        s3 =
1626
                (AES_Te4[(t3 >> 24)       ] & 0xff000000) ^
1627
                (AES_Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
1628
                (AES_Te4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
1629
                (AES_Te4[(t2      ) & 0xff] & 0x000000ff) ^
1630
                rk[3];
1631
        PUTU32(out + 12, s3);
1632
}
1633

1634
/*
1635
 * Decrypt a single block
1636
 * in and out can overlap
1637
 */
1638
void AES_decrypt(const unsigned char *in, unsigned char *out,
1639
                 const AES_KEY *key) {
1640

1641
        const u32 *rk;
1642
        u32 s0, s1, s2, s3, t0, t1, t2, t3;
1643
#ifndef FULL_UNROLL
1644
        int r;
1645
#endif /* ?FULL_UNROLL */
1646

1647
        assert(in && out && key);
1648
        rk = key->rd_key;
1649

1650
        /*
1651
         * map byte array block to cipher state
1652
         * and add initial round key:
1653
         */
1654
    s0 = GETU32(in     ) ^ rk[0];
1655
    s1 = GETU32(in +  4) ^ rk[1];
1656
    s2 = GETU32(in +  8) ^ rk[2];
1657
    s3 = GETU32(in + 12) ^ rk[3];
1658
#ifdef FULL_UNROLL
1659
    /* round 1: */
1660
    t0 = AES_Td0[s0 >> 24] ^ AES_Td1[(s3 >> 16) & 0xff] ^ AES_Td2[(s2 >>  8) & 0xff] ^ AES_Td3[s1 & 0xff] ^ rk[ 4];
1661
    t1 = AES_Td0[s1 >> 24] ^ AES_Td1[(s0 >> 16) & 0xff] ^ AES_Td2[(s3 >>  8) & 0xff] ^ AES_Td3[s2 & 0xff] ^ rk[ 5];
1662
    t2 = AES_Td0[s2 >> 24] ^ AES_Td1[(s1 >> 16) & 0xff] ^ AES_Td2[(s0 >>  8) & 0xff] ^ AES_Td3[s3 & 0xff] ^ rk[ 6];
1663
    t3 = AES_Td0[s3 >> 24] ^ AES_Td1[(s2 >> 16) & 0xff] ^ AES_Td2[(s1 >>  8) & 0xff] ^ AES_Td3[s0 & 0xff] ^ rk[ 7];
1664
    /* round 2: */
1665
    s0 = AES_Td0[t0 >> 24] ^ AES_Td1[(t3 >> 16) & 0xff] ^ AES_Td2[(t2 >>  8) & 0xff] ^ AES_Td3[t1 & 0xff] ^ rk[ 8];
1666
    s1 = AES_Td0[t1 >> 24] ^ AES_Td1[(t0 >> 16) & 0xff] ^ AES_Td2[(t3 >>  8) & 0xff] ^ AES_Td3[t2 & 0xff] ^ rk[ 9];
1667
    s2 = AES_Td0[t2 >> 24] ^ AES_Td1[(t1 >> 16) & 0xff] ^ AES_Td2[(t0 >>  8) & 0xff] ^ AES_Td3[t3 & 0xff] ^ rk[10];
1668
    s3 = AES_Td0[t3 >> 24] ^ AES_Td1[(t2 >> 16) & 0xff] ^ AES_Td2[(t1 >>  8) & 0xff] ^ AES_Td3[t0 & 0xff] ^ rk[11];
1669
    /* round 3: */
1670
    t0 = AES_Td0[s0 >> 24] ^ AES_Td1[(s3 >> 16) & 0xff] ^ AES_Td2[(s2 >>  8) & 0xff] ^ AES_Td3[s1 & 0xff] ^ rk[12];
1671
    t1 = AES_Td0[s1 >> 24] ^ AES_Td1[(s0 >> 16) & 0xff] ^ AES_Td2[(s3 >>  8) & 0xff] ^ AES_Td3[s2 & 0xff] ^ rk[13];
1672
    t2 = AES_Td0[s2 >> 24] ^ AES_Td1[(s1 >> 16) & 0xff] ^ AES_Td2[(s0 >>  8) & 0xff] ^ AES_Td3[s3 & 0xff] ^ rk[14];
1673
    t3 = AES_Td0[s3 >> 24] ^ AES_Td1[(s2 >> 16) & 0xff] ^ AES_Td2[(s1 >>  8) & 0xff] ^ AES_Td3[s0 & 0xff] ^ rk[15];
1674
    /* round 4: */
1675
    s0 = AES_Td0[t0 >> 24] ^ AES_Td1[(t3 >> 16) & 0xff] ^ AES_Td2[(t2 >>  8) & 0xff] ^ AES_Td3[t1 & 0xff] ^ rk[16];
1676
    s1 = AES_Td0[t1 >> 24] ^ AES_Td1[(t0 >> 16) & 0xff] ^ AES_Td2[(t3 >>  8) & 0xff] ^ AES_Td3[t2 & 0xff] ^ rk[17];
1677
    s2 = AES_Td0[t2 >> 24] ^ AES_Td1[(t1 >> 16) & 0xff] ^ AES_Td2[(t0 >>  8) & 0xff] ^ AES_Td3[t3 & 0xff] ^ rk[18];
1678
    s3 = AES_Td0[t3 >> 24] ^ AES_Td1[(t2 >> 16) & 0xff] ^ AES_Td2[(t1 >>  8) & 0xff] ^ AES_Td3[t0 & 0xff] ^ rk[19];
1679
    /* round 5: */
1680
    t0 = AES_Td0[s0 >> 24] ^ AES_Td1[(s3 >> 16) & 0xff] ^ AES_Td2[(s2 >>  8) & 0xff] ^ AES_Td3[s1 & 0xff] ^ rk[20];
1681
    t1 = AES_Td0[s1 >> 24] ^ AES_Td1[(s0 >> 16) & 0xff] ^ AES_Td2[(s3 >>  8) & 0xff] ^ AES_Td3[s2 & 0xff] ^ rk[21];
1682
    t2 = AES_Td0[s2 >> 24] ^ AES_Td1[(s1 >> 16) & 0xff] ^ AES_Td2[(s0 >>  8) & 0xff] ^ AES_Td3[s3 & 0xff] ^ rk[22];
1683
    t3 = AES_Td0[s3 >> 24] ^ AES_Td1[(s2 >> 16) & 0xff] ^ AES_Td2[(s1 >>  8) & 0xff] ^ AES_Td3[s0 & 0xff] ^ rk[23];
1684
    /* round 6: */
1685
    s0 = AES_Td0[t0 >> 24] ^ AES_Td1[(t3 >> 16) & 0xff] ^ AES_Td2[(t2 >>  8) & 0xff] ^ AES_Td3[t1 & 0xff] ^ rk[24];
1686
    s1 = AES_Td0[t1 >> 24] ^ AES_Td1[(t0 >> 16) & 0xff] ^ AES_Td2[(t3 >>  8) & 0xff] ^ AES_Td3[t2 & 0xff] ^ rk[25];
1687
    s2 = AES_Td0[t2 >> 24] ^ AES_Td1[(t1 >> 16) & 0xff] ^ AES_Td2[(t0 >>  8) & 0xff] ^ AES_Td3[t3 & 0xff] ^ rk[26];
1688
    s3 = AES_Td0[t3 >> 24] ^ AES_Td1[(t2 >> 16) & 0xff] ^ AES_Td2[(t1 >>  8) & 0xff] ^ AES_Td3[t0 & 0xff] ^ rk[27];
1689
    /* round 7: */
1690
    t0 = AES_Td0[s0 >> 24] ^ AES_Td1[(s3 >> 16) & 0xff] ^ AES_Td2[(s2 >>  8) & 0xff] ^ AES_Td3[s1 & 0xff] ^ rk[28];
1691
    t1 = AES_Td0[s1 >> 24] ^ AES_Td1[(s0 >> 16) & 0xff] ^ AES_Td2[(s3 >>  8) & 0xff] ^ AES_Td3[s2 & 0xff] ^ rk[29];
1692
    t2 = AES_Td0[s2 >> 24] ^ AES_Td1[(s1 >> 16) & 0xff] ^ AES_Td2[(s0 >>  8) & 0xff] ^ AES_Td3[s3 & 0xff] ^ rk[30];
1693
    t3 = AES_Td0[s3 >> 24] ^ AES_Td1[(s2 >> 16) & 0xff] ^ AES_Td2[(s1 >>  8) & 0xff] ^ AES_Td3[s0 & 0xff] ^ rk[31];
1694
    /* round 8: */
1695
    s0 = AES_Td0[t0 >> 24] ^ AES_Td1[(t3 >> 16) & 0xff] ^ AES_Td2[(t2 >>  8) & 0xff] ^ AES_Td3[t1 & 0xff] ^ rk[32];
1696
    s1 = AES_Td0[t1 >> 24] ^ AES_Td1[(t0 >> 16) & 0xff] ^ AES_Td2[(t3 >>  8) & 0xff] ^ AES_Td3[t2 & 0xff] ^ rk[33];
1697
    s2 = AES_Td0[t2 >> 24] ^ AES_Td1[(t1 >> 16) & 0xff] ^ AES_Td2[(t0 >>  8) & 0xff] ^ AES_Td3[t3 & 0xff] ^ rk[34];
1698
    s3 = AES_Td0[t3 >> 24] ^ AES_Td1[(t2 >> 16) & 0xff] ^ AES_Td2[(t1 >>  8) & 0xff] ^ AES_Td3[t0 & 0xff] ^ rk[35];
1699
    /* round 9: */
1700
    t0 = AES_Td0[s0 >> 24] ^ AES_Td1[(s3 >> 16) & 0xff] ^ AES_Td2[(s2 >>  8) & 0xff] ^ AES_Td3[s1 & 0xff] ^ rk[36];
1701
    t1 = AES_Td0[s1 >> 24] ^ AES_Td1[(s0 >> 16) & 0xff] ^ AES_Td2[(s3 >>  8) & 0xff] ^ AES_Td3[s2 & 0xff] ^ rk[37];
1702
    t2 = AES_Td0[s2 >> 24] ^ AES_Td1[(s1 >> 16) & 0xff] ^ AES_Td2[(s0 >>  8) & 0xff] ^ AES_Td3[s3 & 0xff] ^ rk[38];
1703
    t3 = AES_Td0[s3 >> 24] ^ AES_Td1[(s2 >> 16) & 0xff] ^ AES_Td2[(s1 >>  8) & 0xff] ^ AES_Td3[s0 & 0xff] ^ rk[39];
1704
    if (key->rounds > 10) {
1705
        /* round 10: */
1706
        s0 = AES_Td0[t0 >> 24] ^ AES_Td1[(t3 >> 16) & 0xff] ^ AES_Td2[(t2 >>  8) & 0xff] ^ AES_Td3[t1 & 0xff] ^ rk[40];
1707
        s1 = AES_Td0[t1 >> 24] ^ AES_Td1[(t0 >> 16) & 0xff] ^ AES_Td2[(t3 >>  8) & 0xff] ^ AES_Td3[t2 & 0xff] ^ rk[41];
1708
        s2 = AES_Td0[t2 >> 24] ^ AES_Td1[(t1 >> 16) & 0xff] ^ AES_Td2[(t0 >>  8) & 0xff] ^ AES_Td3[t3 & 0xff] ^ rk[42];
1709
        s3 = AES_Td0[t3 >> 24] ^ AES_Td1[(t2 >> 16) & 0xff] ^ AES_Td2[(t1 >>  8) & 0xff] ^ AES_Td3[t0 & 0xff] ^ rk[43];
1710
        /* round 11: */
1711
        t0 = AES_Td0[s0 >> 24] ^ AES_Td1[(s3 >> 16) & 0xff] ^ AES_Td2[(s2 >>  8) & 0xff] ^ AES_Td3[s1 & 0xff] ^ rk[44];
1712
        t1 = AES_Td0[s1 >> 24] ^ AES_Td1[(s0 >> 16) & 0xff] ^ AES_Td2[(s3 >>  8) & 0xff] ^ AES_Td3[s2 & 0xff] ^ rk[45];
1713
        t2 = AES_Td0[s2 >> 24] ^ AES_Td1[(s1 >> 16) & 0xff] ^ AES_Td2[(s0 >>  8) & 0xff] ^ AES_Td3[s3 & 0xff] ^ rk[46];
1714
        t3 = AES_Td0[s3 >> 24] ^ AES_Td1[(s2 >> 16) & 0xff] ^ AES_Td2[(s1 >>  8) & 0xff] ^ AES_Td3[s0 & 0xff] ^ rk[47];
1715
        if (key->rounds > 12) {
1716
            /* round 12: */
1717
            s0 = AES_Td0[t0 >> 24] ^ AES_Td1[(t3 >> 16) & 0xff] ^ AES_Td2[(t2 >>  8) & 0xff] ^ AES_Td3[t1 & 0xff] ^ rk[48];
1718
            s1 = AES_Td0[t1 >> 24] ^ AES_Td1[(t0 >> 16) & 0xff] ^ AES_Td2[(t3 >>  8) & 0xff] ^ AES_Td3[t2 & 0xff] ^ rk[49];
1719
            s2 = AES_Td0[t2 >> 24] ^ AES_Td1[(t1 >> 16) & 0xff] ^ AES_Td2[(t0 >>  8) & 0xff] ^ AES_Td3[t3 & 0xff] ^ rk[50];
1720
            s3 = AES_Td0[t3 >> 24] ^ AES_Td1[(t2 >> 16) & 0xff] ^ AES_Td2[(t1 >>  8) & 0xff] ^ AES_Td3[t0 & 0xff] ^ rk[51];
1721
            /* round 13: */
1722
            t0 = AES_Td0[s0 >> 24] ^ AES_Td1[(s3 >> 16) & 0xff] ^ AES_Td2[(s2 >>  8) & 0xff] ^ AES_Td3[s1 & 0xff] ^ rk[52];
1723
            t1 = AES_Td0[s1 >> 24] ^ AES_Td1[(s0 >> 16) & 0xff] ^ AES_Td2[(s3 >>  8) & 0xff] ^ AES_Td3[s2 & 0xff] ^ rk[53];
1724
            t2 = AES_Td0[s2 >> 24] ^ AES_Td1[(s1 >> 16) & 0xff] ^ AES_Td2[(s0 >>  8) & 0xff] ^ AES_Td3[s3 & 0xff] ^ rk[54];
1725
            t3 = AES_Td0[s3 >> 24] ^ AES_Td1[(s2 >> 16) & 0xff] ^ AES_Td2[(s1 >>  8) & 0xff] ^ AES_Td3[s0 & 0xff] ^ rk[55];
1726
        }
1727
    }
1728
        rk += key->rounds << 2;
1729
#else  /* !FULL_UNROLL */
1730
    /*
1731
     * Nr - 1 full rounds:
1732
     */
1733
    r = key->rounds >> 1;
1734
    for (;;) {
1735
        t0 =
1736
            AES_Td0[(s0 >> 24)       ] ^
1737
            AES_Td1[(s3 >> 16) & 0xff] ^
1738
            AES_Td2[(s2 >>  8) & 0xff] ^
1739
            AES_Td3[(s1      ) & 0xff] ^
1740
            rk[4];
1741
        t1 =
1742
            AES_Td0[(s1 >> 24)       ] ^
1743
            AES_Td1[(s0 >> 16) & 0xff] ^
1744
            AES_Td2[(s3 >>  8) & 0xff] ^
1745
            AES_Td3[(s2      ) & 0xff] ^
1746
            rk[5];
1747
        t2 =
1748
            AES_Td0[(s2 >> 24)       ] ^
1749
            AES_Td1[(s1 >> 16) & 0xff] ^
1750
            AES_Td2[(s0 >>  8) & 0xff] ^
1751
            AES_Td3[(s3      ) & 0xff] ^
1752
            rk[6];
1753
        t3 =
1754
            AES_Td0[(s3 >> 24)       ] ^
1755
            AES_Td1[(s2 >> 16) & 0xff] ^
1756
            AES_Td2[(s1 >>  8) & 0xff] ^
1757
            AES_Td3[(s0      ) & 0xff] ^
1758
            rk[7];
1759

1760
        rk += 8;
1761
        if (--r == 0) {
1762
            break;
1763
        }
1764

1765
        s0 =
1766
            AES_Td0[(t0 >> 24)       ] ^
1767
            AES_Td1[(t3 >> 16) & 0xff] ^
1768
            AES_Td2[(t2 >>  8) & 0xff] ^
1769
            AES_Td3[(t1      ) & 0xff] ^
1770
            rk[0];
1771
        s1 =
1772
            AES_Td0[(t1 >> 24)       ] ^
1773
            AES_Td1[(t0 >> 16) & 0xff] ^
1774
            AES_Td2[(t3 >>  8) & 0xff] ^
1775
            AES_Td3[(t2      ) & 0xff] ^
1776
            rk[1];
1777
        s2 =
1778
            AES_Td0[(t2 >> 24)       ] ^
1779
            AES_Td1[(t1 >> 16) & 0xff] ^
1780
            AES_Td2[(t0 >>  8) & 0xff] ^
1781
            AES_Td3[(t3      ) & 0xff] ^
1782
            rk[2];
1783
        s3 =
1784
            AES_Td0[(t3 >> 24)       ] ^
1785
            AES_Td1[(t2 >> 16) & 0xff] ^
1786
            AES_Td2[(t1 >>  8) & 0xff] ^
1787
            AES_Td3[(t0      ) & 0xff] ^
1788
            rk[3];
1789
    }
1790
#endif /* ?FULL_UNROLL */
1791
    /*
1792
         * apply last round and
1793
         * map cipher state to byte array block:
1794
         */
1795
        s0 =
1796
                (AES_Td4[(t0 >> 24)       ] & 0xff000000) ^
1797
                (AES_Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
1798
                (AES_Td4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
1799
                (AES_Td4[(t1      ) & 0xff] & 0x000000ff) ^
1800
                rk[0];
1801
        PUTU32(out     , s0);
1802
        s1 =
1803
                (AES_Td4[(t1 >> 24)       ] & 0xff000000) ^
1804
                (AES_Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
1805
                (AES_Td4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
1806
                (AES_Td4[(t2      ) & 0xff] & 0x000000ff) ^
1807
                rk[1];
1808
        PUTU32(out +  4, s1);
1809
        s2 =
1810
                (AES_Td4[(t2 >> 24)       ] & 0xff000000) ^
1811
                (AES_Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
1812
                (AES_Td4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
1813
                (AES_Td4[(t3      ) & 0xff] & 0x000000ff) ^
1814
                rk[2];
1815
        PUTU32(out +  8, s2);
1816
        s3 =
1817
                (AES_Td4[(t3 >> 24)       ] & 0xff000000) ^
1818
                (AES_Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
1819
                (AES_Td4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
1820
                (AES_Td4[(t0      ) & 0xff] & 0x000000ff) ^
1821
                rk[3];
1822
        PUTU32(out + 12, s3);
1823
}
1824

1825
#endif /* AES_ASM */
1826