import from branch_1_1:

[freeradius.git] / src / modules / rlm_eap / types / rlm_eap_psk / AES.cpp

/**\r
 * AES.cpp\r
 *\r
 * The Advanced Encryption Standard (AES, aka AES) block cipher,\r
 * designed by J. Daemen and V. Rijmen.\r
 *\r
 * @author Paulo S. L. M. Barreto\r
 *\r
 * This software is hereby placed in the public domain.\r
 *\r
 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS\r
 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\r
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\r
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE\r
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR\r
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF\r
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\r
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\r
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\r
 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,\r
 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\r
 */\r
\r
#include <freeradius-devel/ident.h>\r
RCSID("$Id$")\r
\r
#include <assert.h>\r
#include <string.h>\r
#include <stdlib.h>\r
\r
#include "AES.h"\r
#include "AES.tab"\r
\r
#define FULL_UNROLL\r
\r
#define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)\r
\r
#ifdef _MSC_VER\r
#define GETWORD(p) SWAP(*((uint *)(p)))\r
#define PUTWORD(ct, st) { *((uint *)(ct)) = SWAP((st)); }\r
#else\r
#define GETWORD(pt) (((uint)(pt)[0] << 24) ^ ((uint)(pt)[1] << 16) ^ ((uint)(pt)[2] <<  8) ^ ((uint)(pt)[3]))\r
#define PUTWORD(ct, st) { (ct)[0] = (byte)((st) >> 24); (ct)[1] = (byte)((st) >> 16); (ct)[2] = (byte)((st) >>  8); (ct)[3] = (byte)(st); }\r
#endif\r
\r
//////////////////////////////////////////////////////////////////////\r
// Construction/Destruction\r
//////////////////////////////////////////////////////////////////////\r
\r
AES::AES() {\r
}\r
\r
AES::~AES() {\r
        Nr = 0;\r
        memset(e_sched, 0, sizeof(e_sched));\r
        memset(d_sched, 0, sizeof(d_sched));\r
}\r
\r
//////////////////////////////////////////////////////////////////////\r
// Support methods\r
//////////////////////////////////////////////////////////////////////\r
\r
void AES::ExpandKey(const byte *cipherKey, uint keyBits) {\r
    uint *rek = e_sched;\r
        int i = 0;\r
        uint temp;\r
\r
        rek[0] = GETWORD(cipherKey     );\r
        rek[1] = GETWORD(cipherKey +  4);\r
        rek[2] = GETWORD(cipherKey +  8);\r
        rek[3] = GETWORD(cipherKey + 12);\r
        if (keyBits == 128) {\r
                for (;;) {\r
                        temp  = rek[3];\r
                        rek[4] = rek[0] ^\r
                                (Te4[(temp >> 16) & 0xff] & 0xff000000) ^\r
                                (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^\r
                                (Te4[(temp      ) & 0xff] & 0x0000ff00) ^\r
                                (Te4[(temp >> 24)       ] & 0x000000ff) ^\r
                                rcon[i];\r
                        rek[5] = rek[1] ^ rek[4];\r
                        rek[6] = rek[2] ^ rek[5];\r
                        rek[7] = rek[3] ^ rek[6];\r
                        if (++i == 10) {\r
                                Nr = 10;\r
                                return;\r
                        }\r
                        rek += 4;\r
                }\r
        }\r
        rek[4] = GETWORD(cipherKey + 16);\r
        rek[5] = GETWORD(cipherKey + 20);\r
        if (keyBits == 192) {\r
                for (;;) {\r
                        temp = rek[ 5];\r
                        rek[ 6] = rek[ 0] ^\r
                                (Te4[(temp >> 16) & 0xff] & 0xff000000) ^\r
                                (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^\r
                                (Te4[(temp      ) & 0xff] & 0x0000ff00) ^\r
                                (Te4[(temp >> 24)       ] & 0x000000ff) ^\r
                                rcon[i];\r
                        rek[ 7] = rek[ 1] ^ rek[ 6];\r
                        rek[ 8] = rek[ 2] ^ rek[ 7];\r
                        rek[ 9] = rek[ 3] ^ rek[ 8];\r
                        if (++i == 8) {\r
                                Nr = 12;\r
                                return;\r
                        }\r
                        rek[10] = rek[ 4] ^ rek[ 9];\r
                        rek[11] = rek[ 5] ^ rek[10];\r
                        rek += 6;\r
                }\r
        }\r
        rek[6] = GETWORD(cipherKey + 24);\r
        rek[7] = GETWORD(cipherKey + 28);\r
        if (keyBits == 256) {\r
        for (;;) {\r
                temp = rek[ 7];\r
                rek[ 8] = rek[ 0] ^\r
                        (Te4[(temp >> 16) & 0xff] & 0xff000000) ^\r
                        (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^\r
                        (Te4[(temp      ) & 0xff] & 0x0000ff00) ^\r
                        (Te4[(temp >> 24)       ] & 0x000000ff) ^\r
                        rcon[i];\r
                rek[ 9] = rek[ 1] ^ rek[ 8];\r
                rek[10] = rek[ 2] ^ rek[ 9];\r
                rek[11] = rek[ 3] ^ rek[10];\r
                        if (++i == 7) {\r
                                Nr = 14;\r
                                return;\r
                        }\r
                temp = rek[11];\r
                rek[12] = rek[ 4] ^\r
                        (Te4[(temp >> 24)       ] & 0xff000000) ^\r
                        (Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^\r
                        (Te4[(temp >>  8) & 0xff] & 0x0000ff00) ^\r
                        (Te4[(temp      ) & 0xff] & 0x000000ff);\r
                rek[13] = rek[ 5] ^ rek[12];\r
                rek[14] = rek[ 6] ^ rek[13];\r
                rek[15] = rek[ 7] ^ rek[14];\r
\r
                        rek += 8;\r
        }\r
        }\r
        Nr = 0;\r
}\r
\r
void AES::InvertKey() {\r
    uint *rek = e_sched;\r
    uint *rdk = d_sched;\r
        uint r;\r
\r
    assert(Nr == 10 || Nr == 12 || Nr == 14);\r
    rek += 4*Nr;\r
        /* apply the inverse MixColumn transform to all round keys but the first and the last: */\r
    memcpy(rdk, rek, 16);\r
        rdk += 4;\r
        rek -= 4;\r
        for (r = 1; r < Nr; r++) {\r
                rdk[0] =\r
                        Td0[Te4[(rek[0] >> 24)       ] & 0xff] ^\r
                        Td1[Te4[(rek[0] >> 16) & 0xff] & 0xff] ^\r
                        Td2[Te4[(rek[0] >>  8) & 0xff] & 0xff] ^\r
                        Td3[Te4[(rek[0]      ) & 0xff] & 0xff];\r
                rdk[1] =\r
                        Td0[Te4[(rek[1] >> 24)       ] & 0xff] ^\r
                        Td1[Te4[(rek[1] >> 16) & 0xff] & 0xff] ^\r
                        Td2[Te4[(rek[1] >>  8) & 0xff] & 0xff] ^\r
                        Td3[Te4[(rek[1]      ) & 0xff] & 0xff];\r
                rdk[2] =\r
                        Td0[Te4[(rek[2] >> 24)       ] & 0xff] ^\r
                        Td1[Te4[(rek[2] >> 16) & 0xff] & 0xff] ^\r
                        Td2[Te4[(rek[2] >>  8) & 0xff] & 0xff] ^\r
                        Td3[Te4[(rek[2]      ) & 0xff] & 0xff];\r
                rdk[3] =\r
                        Td0[Te4[(rek[3] >> 24)       ] & 0xff] ^\r
                        Td1[Te4[(rek[3] >> 16) & 0xff] & 0xff] ^\r
                        Td2[Te4[(rek[3] >>  8) & 0xff] & 0xff] ^\r
                        Td3[Te4[(rek[3]      ) & 0xff] & 0xff];\r
                rdk += 4;\r
                rek -= 4;\r
        }\r
    memcpy(rdk, rek, 16);\r
}\r
\r
//////////////////////////////////////////////////////////////////////\r
// Public Interface\r
//////////////////////////////////////////////////////////////////////\r
\r
void AES::makeKey(const byte *cipherKey, uint keySize, uint dir) {\r
    switch (keySize) {\r
    case  16: case  24: case  32:\r
        keySize <<= 3; // key size is now in bits\r
        break;\r
    case 128: case 192: case 256:\r
        break;\r
    default:\r
        assert(keySize == 16 || keySize == 24 || keySize == 32 || keySize == 128 || keySize == 192 || keySize == 256);\r
    }\r
    assert(dir >= DIR_NONE && dir <= DIR_BOTH);\r
    if (dir != DIR_NONE) {\r
        ExpandKey(cipherKey, keySize);\r
            if (dir & DIR_DECRYPT) {\r
            InvertKey();\r
            }\r
    }\r
}\r
\r
void AES::encrypt(const byte *pt, byte *ct) {\r
    uint *rek = e_sched;\r
        uint s0, s1, s2, s3, t0, t1, t2, t3;\r
#ifndef FULL_UNROLL\r
    int r;\r
#endif /* ?FULL_UNROLL */\r
\r
    /*\r
         * map byte array block to cipher state\r
         * and add initial round key:\r
         */\r
        s0 = GETWORD(pt     ) ^ rek[0];\r
        s1 = GETWORD(pt +  4) ^ rek[1];\r
        s2 = GETWORD(pt +  8) ^ rek[2];\r
        s3 = GETWORD(pt + 12) ^ rek[3];\r
#ifdef FULL_UNROLL\r
    /* round 1: */\r
        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rek[ 4];\r
        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rek[ 5];\r
        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rek[ 6];\r
        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rek[ 7];\r
        /* round 2: */\r
        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rek[ 8];\r
        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rek[ 9];\r
        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rek[10];\r
        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rek[11];\r
    /* round 3: */\r
        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rek[12];\r
        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rek[13];\r
        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rek[14];\r
        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rek[15];\r
        /* round 4: */\r
        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rek[16];\r
        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rek[17];\r
        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rek[18];\r
        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rek[19];\r
    /* round 5: */\r
        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rek[20];\r
        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rek[21];\r
        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rek[22];\r
        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rek[23];\r
        /* round 6: */\r
        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rek[24];\r
        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rek[25];\r
        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rek[26];\r
        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rek[27];\r
    /* round 7: */\r
        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rek[28];\r
        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rek[29];\r
        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rek[30];\r
        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rek[31];\r
        /* round 8: */\r
        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rek[32];\r
        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rek[33];\r
        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rek[34];\r
        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rek[35];\r
    /* round 9: */\r
        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rek[36];\r
        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rek[37];\r
        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rek[38];\r
        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rek[39];\r
    if (Nr > 10) {\r
        /* round 10: */\r
        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rek[40];\r
        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rek[41];\r
        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rek[42];\r
        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rek[43];\r
        /* round 11: */\r
        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rek[44];\r
        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rek[45];\r
        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rek[46];\r
        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rek[47];\r
        if (Nr > 12) {\r
            /* round 12: */\r
            s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rek[48];\r
            s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rek[49];\r
            s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rek[50];\r
            s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rek[51];\r
            /* round 13: */\r
            t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rek[52];\r
            t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rek[53];\r
            t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rek[54];\r
            t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rek[55];\r
        }\r
    }\r
    rek += Nr << 2;\r
#else  /* !FULL_UNROLL */\r
    /*\r
         * Nr - 1 full rounds:\r
         */\r
    r = Nr >> 1;\r
    for (;;) {\r
        t0 =\r
            Te0[(s0 >> 24)       ] ^\r
            Te1[(s1 >> 16) & 0xff] ^\r
            Te2[(s2 >>  8) & 0xff] ^\r
            Te3[(s3      ) & 0xff] ^\r
            rek[4];\r
        t1 =\r
            Te0[(s1 >> 24)       ] ^\r
            Te1[(s2 >> 16) & 0xff] ^\r
            Te2[(s3 >>  8) & 0xff] ^\r
            Te3[(s0      ) & 0xff] ^\r
            rek[5];\r
        t2 =\r
            Te0[(s2 >> 24)       ] ^\r
            Te1[(s3 >> 16) & 0xff] ^\r
            Te2[(s0 >>  8) & 0xff] ^\r
            Te3[(s1      ) & 0xff] ^\r
            rek[6];\r
        t3 =\r
            Te0[(s3 >> 24)       ] ^\r
            Te1[(s0 >> 16) & 0xff] ^\r
            Te2[(s1 >>  8) & 0xff] ^\r
            Te3[(s2      ) & 0xff] ^\r
            rek[7];\r
\r
        rek += 8;\r
        if (--r == 0) {\r
            break;\r
        }\r
\r
        s0 =\r
            Te0[(t0 >> 24)       ] ^\r
            Te1[(t1 >> 16) & 0xff] ^\r
            Te2[(t2 >>  8) & 0xff] ^\r
            Te3[(t3      ) & 0xff] ^\r
            rek[0];\r
        s1 =\r
            Te0[(t1 >> 24)       ] ^\r
            Te1[(t2 >> 16) & 0xff] ^\r
            Te2[(t3 >>  8) & 0xff] ^\r
            Te3[(t0      ) & 0xff] ^\r
            rek[1];\r
        s2 =\r
            Te0[(t2 >> 24)       ] ^\r
            Te1[(t3 >> 16) & 0xff] ^\r
            Te2[(t0 >>  8) & 0xff] ^\r
            Te3[(t1      ) & 0xff] ^\r
            rek[2];\r
        s3 =\r
            Te0[(t3 >> 24)       ] ^\r
            Te1[(t0 >> 16) & 0xff] ^\r
            Te2[(t1 >>  8) & 0xff] ^\r
            Te3[(t2      ) & 0xff] ^\r
            rek[3];\r
    }\r
#endif /* ?FULL_UNROLL */\r
    /*\r
         * apply last round and\r
         * map cipher state to byte array block:\r
         */\r
        s0 =\r
                (Te4[(t0 >> 24)       ] & 0xff000000) ^\r
                (Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^\r
                (Te4[(t2 >>  8) & 0xff] & 0x0000ff00) ^\r
                (Te4[(t3      ) & 0xff] & 0x000000ff) ^\r
                rek[0];\r
        PUTWORD(ct     , s0);\r
        s1 =\r
                (Te4[(t1 >> 24)       ] & 0xff000000) ^\r
                (Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^\r
                (Te4[(t3 >>  8) & 0xff] & 0x0000ff00) ^\r
                (Te4[(t0      ) & 0xff] & 0x000000ff) ^\r
                rek[1];\r
        PUTWORD(ct +  4, s1);\r
        s2 =\r
                (Te4[(t2 >> 24)       ] & 0xff000000) ^\r
                (Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^\r
                (Te4[(t0 >>  8) & 0xff] & 0x0000ff00) ^\r
                (Te4[(t1      ) & 0xff] & 0x000000ff) ^\r
                rek[2];\r
        PUTWORD(ct +  8, s2);\r
        s3 =\r
                (Te4[(t3 >> 24)       ] & 0xff000000) ^\r
                (Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^\r
                (Te4[(t1 >>  8) & 0xff] & 0x0000ff00) ^\r
                (Te4[(t2      ) & 0xff] & 0x000000ff) ^\r
                rek[3];\r
        PUTWORD(ct + 12, s3);\r
}\r
\r
void AES::decrypt(const byte *ct, byte *pt) {\r
    uint *rdk = d_sched;\r
        uint s0, s1, s2, s3, t0, t1, t2, t3;\r
#ifndef FULL_UNROLL\r
    int r;\r
#endif /* ?FULL_UNROLL */\r
\r
    /*\r
         * map byte array block to cipher state\r
         * and add initial round key:\r
         */\r
    s0 = GETWORD(ct     ) ^ rdk[0];\r
    s1 = GETWORD(ct +  4) ^ rdk[1];\r
    s2 = GETWORD(ct +  8) ^ rdk[2];\r
    s3 = GETWORD(ct + 12) ^ rdk[3];\r
#ifdef FULL_UNROLL\r
    /* round 1: */\r
    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rdk[ 4];\r
    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rdk[ 5];\r
    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rdk[ 6];\r
    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rdk[ 7];\r
    /* round 2: */\r
    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rdk[ 8];\r
    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rdk[ 9];\r
    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rdk[10];\r
    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rdk[11];\r
    /* round 3: */\r
    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rdk[12];\r
    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rdk[13];\r
    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rdk[14];\r
    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rdk[15];\r
    /* round 4: */\r
    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rdk[16];\r
    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rdk[17];\r
    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rdk[18];\r
    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rdk[19];\r
    /* round 5: */\r
    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rdk[20];\r
    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rdk[21];\r
    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rdk[22];\r
    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rdk[23];\r
    /* round 6: */\r
    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rdk[24];\r
    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rdk[25];\r
    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rdk[26];\r
    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rdk[27];\r
    /* round 7: */\r
    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rdk[28];\r
    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rdk[29];\r
    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rdk[30];\r
    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rdk[31];\r
    /* round 8: */\r
    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rdk[32];\r
    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rdk[33];\r
    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rdk[34];\r
    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rdk[35];\r
    /* round 9: */\r
    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rdk[36];\r
    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rdk[37];\r
    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rdk[38];\r
    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rdk[39];\r
    if (Nr > 10) {\r
        /* round 10: */\r
        s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rdk[40];\r
        s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rdk[41];\r
        s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rdk[42];\r
        s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rdk[43];\r
        /* round 11: */\r
        t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rdk[44];\r
        t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rdk[45];\r
        t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rdk[46];\r
        t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rdk[47];\r
        if (Nr > 12) {\r
            /* round 12: */\r
            s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rdk[48];\r
            s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rdk[49];\r
            s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rdk[50];\r
            s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rdk[51];\r
            /* round 13: */\r
            t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rdk[52];\r
            t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rdk[53];\r
            t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rdk[54];\r
            t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rdk[55];\r
        }\r
    }\r
        rdk += Nr << 2;\r
#else  /* !FULL_UNROLL */\r
    /*\r
     * Nr - 1 full rounds:\r
     */\r
    r = Nr >> 1;\r
    for (;;) {\r
        t0 =\r
            Td0[(s0 >> 24)       ] ^\r
            Td1[(s3 >> 16) & 0xff] ^\r
            Td2[(s2 >>  8) & 0xff] ^\r
            Td3[(s1      ) & 0xff] ^\r
            rdk[4];\r
        t1 =\r
            Td0[(s1 >> 24)       ] ^\r
            Td1[(s0 >> 16) & 0xff] ^\r
            Td2[(s3 >>  8) & 0xff] ^\r
            Td3[(s2      ) & 0xff] ^\r
            rdk[5];\r
        t2 =\r
            Td0[(s2 >> 24)       ] ^\r
            Td1[(s1 >> 16) & 0xff] ^\r
            Td2[(s0 >>  8) & 0xff] ^\r
            Td3[(s3      ) & 0xff] ^\r
            rdk[6];\r
        t3 =\r
            Td0[(s3 >> 24)       ] ^\r
            Td1[(s2 >> 16) & 0xff] ^\r
            Td2[(s1 >>  8) & 0xff] ^\r
            Td3[(s0      ) & 0xff] ^\r
            rdk[7];\r
\r
        rdk += 8;\r
        if (--r == 0) {\r
            break;\r
        }\r
\r
        s0 =\r
            Td0[(t0 >> 24)       ] ^\r
            Td1[(t3 >> 16) & 0xff] ^\r
            Td2[(t2 >>  8) & 0xff] ^\r
            Td3[(t1      ) & 0xff] ^\r
            rdk[0];\r
        s1 =\r
            Td0[(t1 >> 24)       ] ^\r
            Td1[(t0 >> 16) & 0xff] ^\r
            Td2[(t3 >>  8) & 0xff] ^\r
            Td3[(t2      ) & 0xff] ^\r
            rdk[1];\r
        s2 =\r
            Td0[(t2 >> 24)       ] ^\r
            Td1[(t1 >> 16) & 0xff] ^\r
            Td2[(t0 >>  8) & 0xff] ^\r
            Td3[(t3      ) & 0xff] ^\r
            rdk[2];\r
        s3 =\r
            Td0[(t3 >> 24)       ] ^\r
            Td1[(t2 >> 16) & 0xff] ^\r
            Td2[(t1 >>  8) & 0xff] ^\r
            Td3[(t0      ) & 0xff] ^\r
            rdk[3];\r
    }\r
#endif /* ?FULL_UNROLL */\r
    /*\r
         * apply last round and\r
         * map cipher state to byte array block:\r
         */\r
        s0 =\r
                (Td4[(t0 >> 24)       ] & 0xff000000) ^\r
                (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^\r
                (Td4[(t2 >>  8) & 0xff] & 0x0000ff00) ^\r
                (Td4[(t1      ) & 0xff] & 0x000000ff) ^\r
                rdk[0];\r
        PUTWORD(pt     , s0);\r
        s1 =\r
                (Td4[(t1 >> 24)       ] & 0xff000000) ^\r
                (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^\r
                (Td4[(t3 >>  8) & 0xff] & 0x0000ff00) ^\r
                (Td4[(t2      ) & 0xff] & 0x000000ff) ^\r
                rdk[1];\r
        PUTWORD(pt +  4, s1);\r
        s2 =\r
                (Td4[(t2 >> 24)       ] & 0xff000000) ^\r
                (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^\r
                (Td4[(t0 >>  8) & 0xff] & 0x0000ff00) ^\r
                (Td4[(t3      ) & 0xff] & 0x000000ff) ^\r
                rdk[2];\r
        PUTWORD(pt +  8, s2);\r
        s3 =\r
                (Td4[(t3 >> 24)       ] & 0xff000000) ^\r
                (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^\r
                (Td4[(t1 >>  8) & 0xff] & 0x0000ff00) ^\r
                (Td4[(t0      ) & 0xff] & 0x000000ff) ^\r
                rdk[3];\r
        PUTWORD(pt + 12, s3);\r
}\r
\r