1121257Sume/* $KAME: rijndael-api-fst.c,v 1.10 2001/05/27 09:34:18 itojun Exp $ */ 267957Skris 3121257Sume/* 4121257Sume * rijndael-api-fst.c v2.3 April '2000 567957Skris * 6121257Sume * Optimised ANSI C code 767957Skris * 8121257Sume * authors: v1.0: Antoon Bosselaers 9121257Sume * v2.0: Vincent Rijmen 10121257Sume * v2.1: Vincent Rijmen 11121257Sume * v2.2: Vincent Rijmen 12121257Sume * v2.3: Paulo Barreto 13121257Sume * v2.4: Vincent Rijmen 1467957Skris * 15121257Sume * This code is placed in the public domain. 1667957Skris */ 1767957Skris 18116174Sobrien#include <sys/cdefs.h> 19116174Sobrien__FBSDID("$FreeBSD$"); 20116174Sobrien 2167957Skris#include <sys/param.h> 2278064Sume#ifdef _KERNEL 2367957Skris#include <sys/systm.h> 2478064Sume#else 2578064Sume#include <string.h> 2678064Sume#endif 27122410Sume 28122410Sume#include <crypto/rijndael/rijndael_local.h> 2967957Skris#include <crypto/rijndael/rijndael-api-fst.h> 3067957Skris 31121257Sume#ifndef TRUE 32121257Sume#define TRUE 1 33121257Sume#endif 34121257Sume 35121257Sumetypedef u_int8_t BYTE; 36121257Sume 3767957Skrisint rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen, char *keyMaterial) { 38122410Sume u_int8_t cipherKey[RIJNDAEL_MAXKB]; 39122410Sume 4067957Skris if (key == NULL) { 4167957Skris return BAD_KEY_INSTANCE; 4267957Skris } 4367957Skris 4467957Skris if ((direction == DIR_ENCRYPT) || (direction == DIR_DECRYPT)) { 4567957Skris key->direction = direction; 4667957Skris } else { 4767957Skris return BAD_KEY_DIR; 4867957Skris } 4967957Skris 50122410Sume if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) { 5167957Skris key->keyLen = keyLen; 5267957Skris } else { 5367957Skris return BAD_KEY_MAT; 5467957Skris } 5567957Skris 5667957Skris if (keyMaterial != NULL) { 57122410Sume memcpy(key->keyMaterial, keyMaterial, keyLen/8); 5867957Skris } 5967957Skris 6067957Skris /* initialize key schedule: */ 61122410Sume memcpy(cipherKey, key->keyMaterial, keyLen/8); 62122410Sume if (direction == DIR_ENCRYPT) { 63122410Sume key->Nr = rijndaelKeySetupEnc(key->rk, cipherKey, keyLen); 64122410Sume } else { 65122410Sume key->Nr = rijndaelKeySetupDec(key->rk, cipherKey, keyLen); 6667957Skris } 67122410Sume rijndaelKeySetupEnc(key->ek, cipherKey, keyLen); 6867957Skris return TRUE; 6967957Skris} 7067957Skris 7167957Skrisint rijndael_cipherInit(cipherInstance *cipher, BYTE mode, char *IV) { 7267957Skris if ((mode == MODE_ECB) || (mode == MODE_CBC) || (mode == MODE_CFB1)) { 7367957Skris cipher->mode = mode; 7467957Skris } else { 7567957Skris return BAD_CIPHER_MODE; 7667957Skris } 7767957Skris if (IV != NULL) { 78122410Sume memcpy(cipher->IV, IV, RIJNDAEL_MAX_IV_SIZE); 7967957Skris } else { 80122410Sume memset(cipher->IV, 0, RIJNDAEL_MAX_IV_SIZE); 8167957Skris } 8267957Skris return TRUE; 8367957Skris} 8467957Skris 8567957Skrisint rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key, 8667957Skris BYTE *input, int inputLen, BYTE *outBuffer) { 87121257Sume int i, k, numBlocks; 88122410Sume u_int8_t block[16], iv[4][4]; 8967957Skris 9067957Skris if (cipher == NULL || 9167957Skris key == NULL || 9267957Skris key->direction == DIR_DECRYPT) { 9367957Skris return BAD_CIPHER_STATE; 9467957Skris } 9567957Skris if (input == NULL || inputLen <= 0) { 9667957Skris return 0; /* nothing to do */ 9767957Skris } 9867957Skris 9967957Skris numBlocks = inputLen/128; 100122410Sume 10167957Skris switch (cipher->mode) { 102122410Sume case MODE_ECB: 10367957Skris for (i = numBlocks; i > 0; i--) { 104122410Sume rijndaelEncrypt(key->rk, key->Nr, input, outBuffer); 10567957Skris input += 16; 10667957Skris outBuffer += 16; 10767957Skris } 10867957Skris break; 109122410Sume 11067957Skris case MODE_CBC: 111121085Sume#if 1 /*STRICT_ALIGN*/ 112122410Sume memcpy(block, cipher->IV, 16); 113122410Sume memcpy(iv, input, 16); 114122410Sume ((u_int32_t*)block)[0] ^= ((u_int32_t*)iv)[0]; 115122410Sume ((u_int32_t*)block)[1] ^= ((u_int32_t*)iv)[1]; 116122410Sume ((u_int32_t*)block)[2] ^= ((u_int32_t*)iv)[2]; 117122410Sume ((u_int32_t*)block)[3] ^= ((u_int32_t*)iv)[3]; 118121085Sume#else 119122410Sume ((u_int32_t*)block)[0] = ((u_int32_t*)cipher->IV)[0] ^ ((u_int32_t*)input)[0]; 120122410Sume ((u_int32_t*)block)[1] = ((u_int32_t*)cipher->IV)[1] ^ ((u_int32_t*)input)[1]; 121122410Sume ((u_int32_t*)block)[2] = ((u_int32_t*)cipher->IV)[2] ^ ((u_int32_t*)input)[2]; 122122410Sume ((u_int32_t*)block)[3] = ((u_int32_t*)cipher->IV)[3] ^ ((u_int32_t*)input)[3]; 123121085Sume#endif 124122410Sume rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 125121257Sume input += 16; 126121257Sume for (i = numBlocks - 1; i > 0; i--) { 127121085Sume#if 1 /*STRICT_ALIGN*/ 128122410Sume memcpy(block, outBuffer, 16); 129122410Sume memcpy(iv, input, 16); 130122410Sume ((u_int32_t*)block)[0] ^= ((u_int32_t*)iv)[0]; 131122410Sume ((u_int32_t*)block)[1] ^= ((u_int32_t*)iv)[1]; 132122410Sume ((u_int32_t*)block)[2] ^= ((u_int32_t*)iv)[2]; 133122410Sume ((u_int32_t*)block)[3] ^= ((u_int32_t*)iv)[3]; 134121085Sume#else 135122410Sume ((u_int32_t*)block)[0] = ((u_int32_t*)outBuffer)[0] ^ ((u_int32_t*)input)[0]; 136122410Sume ((u_int32_t*)block)[1] = ((u_int32_t*)outBuffer)[1] ^ ((u_int32_t*)input)[1]; 137122410Sume ((u_int32_t*)block)[2] = ((u_int32_t*)outBuffer)[2] ^ ((u_int32_t*)input)[2]; 138122410Sume ((u_int32_t*)block)[3] = ((u_int32_t*)outBuffer)[3] ^ ((u_int32_t*)input)[3]; 139121085Sume#endif 140121257Sume outBuffer += 16; 141122410Sume rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 142121050Sume input += 16; 14367957Skris } 14467957Skris break; 145122410Sume 146121257Sume case MODE_CFB1: 147121085Sume#if 1 /*STRICT_ALIGN*/ 148122410Sume memcpy(iv, cipher->IV, 16); 149121257Sume#else /* !STRICT_ALIGN */ 150122410Sume *((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV )); 151122410Sume *((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4)); 152122410Sume *((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8)); 153122410Sume *((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12)); 154121257Sume#endif /* ?STRICT_ALIGN */ 155121257Sume for (i = numBlocks; i > 0; i--) { 156121257Sume for (k = 0; k < 128; k++) { 157122410Sume *((u_int32_t*) block ) = *((u_int32_t*)iv[0]); 158122410Sume *((u_int32_t*)(block+ 4)) = *((u_int32_t*)iv[1]); 159122410Sume *((u_int32_t*)(block+ 8)) = *((u_int32_t*)iv[2]); 160122410Sume *((u_int32_t*)(block+12)) = *((u_int32_t*)iv[3]); 161122410Sume rijndaelEncrypt(key->ek, key->Nr, block, 162122410Sume block); 163121257Sume outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7); 164121257Sume iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7); 165121257Sume iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7); 166121257Sume iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7); 167121257Sume iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7); 168121257Sume iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7); 169121257Sume iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7); 170121257Sume iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7); 171121257Sume iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7); 172121257Sume iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7); 173121257Sume iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7); 174121257Sume iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7); 175121257Sume iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7); 176121257Sume iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7); 177121257Sume iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7); 178121257Sume iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7); 179121257Sume iv[3][3] = (iv[3][3] << 1) | ((outBuffer[k/8] >> (7-(k&7))) & 1); 180121257Sume } 181121257Sume } 182121257Sume break; 183122410Sume 18467957Skris default: 18567957Skris return BAD_CIPHER_STATE; 18667957Skris } 187122410Sume 18867957Skris return 128*numBlocks; 18967957Skris} 19067957Skris 19167957Skris/** 19267957Skris * Encrypt data partitioned in octets, using RFC 2040-like padding. 19367957Skris * 19467957Skris * @param input data to be encrypted (octet sequence) 19567957Skris * @param inputOctets input length in octets (not bits) 19667957Skris * @param outBuffer encrypted output data 19767957Skris * 19867957Skris * @return length in octets (not bits) of the encrypted output buffer. 19967957Skris */ 20067957Skrisint rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key, 20167957Skris BYTE *input, int inputOctets, BYTE *outBuffer) { 20267957Skris int i, numBlocks, padLen; 203122410Sume u_int8_t block[16], *iv, *cp; 20467957Skris 20567957Skris if (cipher == NULL || 20667957Skris key == NULL || 20767957Skris key->direction == DIR_DECRYPT) { 20867957Skris return BAD_CIPHER_STATE; 20967957Skris } 21067957Skris if (input == NULL || inputOctets <= 0) { 21167957Skris return 0; /* nothing to do */ 21267957Skris } 21367957Skris 21467957Skris numBlocks = inputOctets/16; 21567957Skris 21667957Skris switch (cipher->mode) { 217122410Sume case MODE_ECB: 21867957Skris for (i = numBlocks; i > 0; i--) { 219122410Sume rijndaelEncrypt(key->rk, key->Nr, input, outBuffer); 22067957Skris input += 16; 22167957Skris outBuffer += 16; 22267957Skris } 22367957Skris padLen = 16 - (inputOctets - 16*numBlocks); 224120157Sume if (padLen <= 0 || padLen > 16) 225105099Sphk return BAD_CIPHER_STATE; 226122410Sume memcpy(block, input, 16 - padLen); 227121257Sume for (cp = block + 16 - padLen; cp < block + 16; cp++) 228121257Sume *cp = padLen; 229122410Sume rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 23067957Skris break; 23167957Skris 23267957Skris case MODE_CBC: 23367957Skris iv = cipher->IV; 23467957Skris for (i = numBlocks; i > 0; i--) { 235122410Sume ((u_int32_t*)block)[0] = ((u_int32_t*)input)[0] ^ ((u_int32_t*)iv)[0]; 236122410Sume ((u_int32_t*)block)[1] = ((u_int32_t*)input)[1] ^ ((u_int32_t*)iv)[1]; 237122410Sume ((u_int32_t*)block)[2] = ((u_int32_t*)input)[2] ^ ((u_int32_t*)iv)[2]; 238122410Sume ((u_int32_t*)block)[3] = ((u_int32_t*)input)[3] ^ ((u_int32_t*)iv)[3]; 239122410Sume rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 24067957Skris iv = outBuffer; 24167957Skris input += 16; 24267957Skris outBuffer += 16; 24367957Skris } 24467957Skris padLen = 16 - (inputOctets - 16*numBlocks); 245120206Sume if (padLen <= 0 || padLen > 16) 246105099Sphk return BAD_CIPHER_STATE; 24767957Skris for (i = 0; i < 16 - padLen; i++) { 24867957Skris block[i] = input[i] ^ iv[i]; 24967957Skris } 25067957Skris for (i = 16 - padLen; i < 16; i++) { 25167957Skris block[i] = (BYTE)padLen ^ iv[i]; 25267957Skris } 253122410Sume rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 25467957Skris break; 25567957Skris 25667957Skris default: 25767957Skris return BAD_CIPHER_STATE; 25867957Skris } 25967957Skris 26067957Skris return 16*(numBlocks + 1); 26167957Skris} 26267957Skris 26367957Skrisint rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key, 26467957Skris BYTE *input, int inputLen, BYTE *outBuffer) { 265121257Sume int i, k, numBlocks; 266122410Sume u_int8_t block[16], iv[4][4]; 26767957Skris 26867957Skris if (cipher == NULL || 26967957Skris key == NULL || 27067957Skris (cipher->mode != MODE_CFB1 && key->direction == DIR_ENCRYPT)) { 27167957Skris return BAD_CIPHER_STATE; 27267957Skris } 27367957Skris if (input == NULL || inputLen <= 0) { 27467957Skris return 0; /* nothing to do */ 27567957Skris } 27667957Skris 27767957Skris numBlocks = inputLen/128; 27867957Skris 27967957Skris switch (cipher->mode) { 280122410Sume case MODE_ECB: 281122410Sume for (i = numBlocks; i > 0; i--) { 282122410Sume rijndaelDecrypt(key->rk, key->Nr, input, outBuffer); 28367957Skris input += 16; 28467957Skris outBuffer += 16; 28567957Skris } 28667957Skris break; 287122410Sume 28867957Skris case MODE_CBC: 289121257Sume#if 1 /*STRICT_ALIGN */ 290122410Sume memcpy(iv, cipher->IV, 16); 291121085Sume#else 292122410Sume *((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV )); 293122410Sume *((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4)); 294122410Sume *((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8)); 295122410Sume *((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12)); 296121085Sume#endif 29767957Skris for (i = numBlocks; i > 0; i--) { 298122410Sume rijndaelDecrypt(key->rk, key->Nr, input, block); 299122410Sume ((u_int32_t*)block)[0] ^= *((u_int32_t*)iv[0]); 300122410Sume ((u_int32_t*)block)[1] ^= *((u_int32_t*)iv[1]); 301122410Sume ((u_int32_t*)block)[2] ^= *((u_int32_t*)iv[2]); 302122410Sume ((u_int32_t*)block)[3] ^= *((u_int32_t*)iv[3]); 303121085Sume#if 1 /*STRICT_ALIGN*/ 304122410Sume memcpy(iv, input, 16); 305122410Sume memcpy(outBuffer, block, 16); 306121085Sume#else 307122410Sume *((u_int32_t*)iv[0]) = ((u_int32_t*)input)[0]; ((u_int32_t*)outBuffer)[0] = ((u_int32_t*)block)[0]; 308122410Sume *((u_int32_t*)iv[1]) = ((u_int32_t*)input)[1]; ((u_int32_t*)outBuffer)[1] = ((u_int32_t*)block)[1]; 309122410Sume *((u_int32_t*)iv[2]) = ((u_int32_t*)input)[2]; ((u_int32_t*)outBuffer)[2] = ((u_int32_t*)block)[2]; 310122410Sume *((u_int32_t*)iv[3]) = ((u_int32_t*)input)[3]; ((u_int32_t*)outBuffer)[3] = ((u_int32_t*)block)[3]; 311121085Sume#endif 31267957Skris input += 16; 31367957Skris outBuffer += 16; 31467957Skris } 31567957Skris break; 316122410Sume 317121257Sume case MODE_CFB1: 318121257Sume#if 1 /*STRICT_ALIGN */ 319122410Sume memcpy(iv, cipher->IV, 16); 320121085Sume#else 321122410Sume *((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV)); 322122410Sume *((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4)); 323122410Sume *((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8)); 324122410Sume *((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12)); 325121085Sume#endif 326121257Sume for (i = numBlocks; i > 0; i--) { 327121257Sume for (k = 0; k < 128; k++) { 328122410Sume *((u_int32_t*) block ) = *((u_int32_t*)iv[0]); 329122410Sume *((u_int32_t*)(block+ 4)) = *((u_int32_t*)iv[1]); 330122410Sume *((u_int32_t*)(block+ 8)) = *((u_int32_t*)iv[2]); 331122410Sume *((u_int32_t*)(block+12)) = *((u_int32_t*)iv[3]); 332122410Sume rijndaelEncrypt(key->ek, key->Nr, block, 333122410Sume block); 334121257Sume iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7); 335121257Sume iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7); 336121257Sume iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7); 337121257Sume iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7); 338121257Sume iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7); 339121257Sume iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7); 340121257Sume iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7); 341121257Sume iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7); 342121257Sume iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7); 343121257Sume iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7); 344121257Sume iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7); 345121257Sume iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7); 346121257Sume iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7); 347121257Sume iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7); 348121257Sume iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7); 349121257Sume iv[3][3] = (iv[3][3] << 1) | ((input[k/8] >> (7-(k&7))) & 1); 350121257Sume outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7); 351121257Sume } 352121257Sume } 353121257Sume break; 354121050Sume 35567957Skris default: 35667957Skris return BAD_CIPHER_STATE; 35767957Skris } 358122410Sume 35967957Skris return 128*numBlocks; 36067957Skris} 36167957Skris 36267957Skrisint rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key, 36367957Skris BYTE *input, int inputOctets, BYTE *outBuffer) { 36467957Skris int i, numBlocks, padLen; 365122410Sume u_int8_t block[16]; 366122410Sume u_int32_t iv[4]; 36767957Skris 36867957Skris if (cipher == NULL || 36967957Skris key == NULL || 37067957Skris key->direction == DIR_ENCRYPT) { 37167957Skris return BAD_CIPHER_STATE; 37267957Skris } 37367957Skris if (input == NULL || inputOctets <= 0) { 37467957Skris return 0; /* nothing to do */ 37567957Skris } 37667957Skris if (inputOctets % 16 != 0) { 37767957Skris return BAD_DATA; 37867957Skris } 37967957Skris 38067957Skris numBlocks = inputOctets/16; 38167957Skris 38267957Skris switch (cipher->mode) { 38367957Skris case MODE_ECB: 38467957Skris /* all blocks but last */ 385122410Sume for (i = numBlocks - 1; i > 0; i--) { 386122410Sume rijndaelDecrypt(key->rk, key->Nr, input, outBuffer); 38767957Skris input += 16; 38867957Skris outBuffer += 16; 38967957Skris } 39067957Skris /* last block */ 391122410Sume rijndaelDecrypt(key->rk, key->Nr, input, block); 39267957Skris padLen = block[15]; 39367957Skris if (padLen >= 16) { 39467957Skris return BAD_DATA; 39567957Skris } 39667957Skris for (i = 16 - padLen; i < 16; i++) { 39767957Skris if (block[i] != padLen) { 39867957Skris return BAD_DATA; 39967957Skris } 40067957Skris } 401122410Sume memcpy(outBuffer, block, 16 - padLen); 40267957Skris break; 403122410Sume 40467957Skris case MODE_CBC: 405122410Sume memcpy(iv, cipher->IV, 16); 40667957Skris /* all blocks but last */ 40767957Skris for (i = numBlocks - 1; i > 0; i--) { 408122410Sume rijndaelDecrypt(key->rk, key->Nr, input, block); 409122410Sume ((u_int32_t*)block)[0] ^= iv[0]; 410122410Sume ((u_int32_t*)block)[1] ^= iv[1]; 411122410Sume ((u_int32_t*)block)[2] ^= iv[2]; 412122410Sume ((u_int32_t*)block)[3] ^= iv[3]; 413122410Sume memcpy(iv, input, 16); 414122410Sume memcpy(outBuffer, block, 16); 41567957Skris input += 16; 41667957Skris outBuffer += 16; 41767957Skris } 41867957Skris /* last block */ 419122410Sume rijndaelDecrypt(key->rk, key->Nr, input, block); 420122410Sume ((u_int32_t*)block)[0] ^= iv[0]; 421122410Sume ((u_int32_t*)block)[1] ^= iv[1]; 422122410Sume ((u_int32_t*)block)[2] ^= iv[2]; 423122410Sume ((u_int32_t*)block)[3] ^= iv[3]; 42467957Skris padLen = block[15]; 42567957Skris if (padLen <= 0 || padLen > 16) { 42667957Skris return BAD_DATA; 42767957Skris } 42867957Skris for (i = 16 - padLen; i < 16; i++) { 42967957Skris if (block[i] != padLen) { 43067957Skris return BAD_DATA; 43167957Skris } 43267957Skris } 433122410Sume memcpy(outBuffer, block, 16 - padLen); 43467957Skris break; 435122410Sume 43667957Skris default: 43767957Skris return BAD_CIPHER_STATE; 43867957Skris } 439122410Sume 44067957Skris return 16*numBlocks - padLen; 44167957Skris} 442