1121257Sume/* $KAME: rijndael-api-fst.c,v 1.10 2001/05/27 09:34:18 itojun Exp $ */ 267957Skris 3121257Sume/* 4121257Sume * rijndael-api-fst.c v2.3 April '2000 567957Skris * 6121257Sume * Optimised ANSI C code 767957Skris * 8121257Sume * authors: v1.0: Antoon Bosselaers 9121257Sume * v2.0: Vincent Rijmen 10121257Sume * v2.1: Vincent Rijmen 11121257Sume * v2.2: Vincent Rijmen 12121257Sume * v2.3: Paulo Barreto 13121257Sume * v2.4: Vincent Rijmen 1467957Skris * 15121257Sume * This code is placed in the public domain. 1667957Skris */ 1767957Skris 18116174Sobrien#include <sys/cdefs.h> 19116174Sobrien__FBSDID("$FreeBSD: releng/11.0/sys/crypto/rijndael/rijndael-api-fst.c 274380 2014-11-11 13:37:28Z des $"); 20116174Sobrien 2167957Skris#include <sys/param.h> 2278064Sume#ifdef _KERNEL 2367957Skris#include <sys/systm.h> 2478064Sume#else 2578064Sume#include <string.h> 2678064Sume#endif 27122410Sume 28122410Sume#include <crypto/rijndael/rijndael_local.h> 2967957Skris#include <crypto/rijndael/rijndael-api-fst.h> 3067957Skris 31121257Sume#ifndef TRUE 32121257Sume#define TRUE 1 33121257Sume#endif 34121257Sume 35121257Sumetypedef u_int8_t BYTE; 36121257Sume 37274340Sdesint rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen, 38274340Sdes const char *keyMaterial) { 39122410Sume u_int8_t cipherKey[RIJNDAEL_MAXKB]; 40122410Sume 4167957Skris if (key == NULL) { 4267957Skris return BAD_KEY_INSTANCE; 4367957Skris } 4467957Skris 4567957Skris if ((direction == DIR_ENCRYPT) || (direction == DIR_DECRYPT)) { 4667957Skris key->direction = direction; 4767957Skris } else { 4867957Skris return BAD_KEY_DIR; 4967957Skris } 5067957Skris 51122410Sume if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) { 5267957Skris key->keyLen = keyLen; 5367957Skris } else { 5467957Skris return BAD_KEY_MAT; 5567957Skris } 5667957Skris 5767957Skris if (keyMaterial != NULL) { 58122410Sume memcpy(key->keyMaterial, keyMaterial, keyLen/8); 5967957Skris } 6067957Skris 6167957Skris /* initialize key schedule: */ 62122410Sume memcpy(cipherKey, key->keyMaterial, keyLen/8); 63122410Sume if (direction == DIR_ENCRYPT) { 64122410Sume key->Nr = rijndaelKeySetupEnc(key->rk, cipherKey, keyLen); 65122410Sume } else { 66122410Sume key->Nr = rijndaelKeySetupDec(key->rk, cipherKey, keyLen); 6767957Skris } 68122410Sume rijndaelKeySetupEnc(key->ek, cipherKey, keyLen); 6967957Skris return TRUE; 7067957Skris} 7167957Skris 7267957Skrisint rijndael_cipherInit(cipherInstance *cipher, BYTE mode, char *IV) { 7367957Skris if ((mode == MODE_ECB) || (mode == MODE_CBC) || (mode == MODE_CFB1)) { 7467957Skris cipher->mode = mode; 7567957Skris } else { 7667957Skris return BAD_CIPHER_MODE; 7767957Skris } 7867957Skris if (IV != NULL) { 79122410Sume memcpy(cipher->IV, IV, RIJNDAEL_MAX_IV_SIZE); 8067957Skris } else { 81122410Sume memset(cipher->IV, 0, RIJNDAEL_MAX_IV_SIZE); 8267957Skris } 8367957Skris return TRUE; 8467957Skris} 8567957Skris 8667957Skrisint rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key, 87274340Sdes const BYTE *input, int inputLen, BYTE *outBuffer) { 88121257Sume int i, k, numBlocks; 89122410Sume u_int8_t block[16], iv[4][4]; 9067957Skris 9167957Skris if (cipher == NULL || 9267957Skris key == NULL || 9367957Skris key->direction == DIR_DECRYPT) { 9467957Skris return BAD_CIPHER_STATE; 9567957Skris } 9667957Skris if (input == NULL || inputLen <= 0) { 9767957Skris return 0; /* nothing to do */ 9867957Skris } 9967957Skris 10067957Skris numBlocks = inputLen/128; 101122410Sume 10267957Skris switch (cipher->mode) { 103122410Sume case MODE_ECB: 10467957Skris for (i = numBlocks; i > 0; i--) { 105122410Sume rijndaelEncrypt(key->rk, key->Nr, input, outBuffer); 10667957Skris input += 16; 10767957Skris outBuffer += 16; 10867957Skris } 10967957Skris break; 110122410Sume 11167957Skris case MODE_CBC: 112121085Sume#if 1 /*STRICT_ALIGN*/ 113122410Sume memcpy(block, cipher->IV, 16); 114122410Sume memcpy(iv, input, 16); 115122410Sume ((u_int32_t*)block)[0] ^= ((u_int32_t*)iv)[0]; 116122410Sume ((u_int32_t*)block)[1] ^= ((u_int32_t*)iv)[1]; 117122410Sume ((u_int32_t*)block)[2] ^= ((u_int32_t*)iv)[2]; 118122410Sume ((u_int32_t*)block)[3] ^= ((u_int32_t*)iv)[3]; 119121085Sume#else 120122410Sume ((u_int32_t*)block)[0] = ((u_int32_t*)cipher->IV)[0] ^ ((u_int32_t*)input)[0]; 121122410Sume ((u_int32_t*)block)[1] = ((u_int32_t*)cipher->IV)[1] ^ ((u_int32_t*)input)[1]; 122122410Sume ((u_int32_t*)block)[2] = ((u_int32_t*)cipher->IV)[2] ^ ((u_int32_t*)input)[2]; 123122410Sume ((u_int32_t*)block)[3] = ((u_int32_t*)cipher->IV)[3] ^ ((u_int32_t*)input)[3]; 124121085Sume#endif 125122410Sume rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 126121257Sume input += 16; 127121257Sume for (i = numBlocks - 1; i > 0; i--) { 128121085Sume#if 1 /*STRICT_ALIGN*/ 129122410Sume memcpy(block, outBuffer, 16); 130122410Sume memcpy(iv, input, 16); 131122410Sume ((u_int32_t*)block)[0] ^= ((u_int32_t*)iv)[0]; 132122410Sume ((u_int32_t*)block)[1] ^= ((u_int32_t*)iv)[1]; 133122410Sume ((u_int32_t*)block)[2] ^= ((u_int32_t*)iv)[2]; 134122410Sume ((u_int32_t*)block)[3] ^= ((u_int32_t*)iv)[3]; 135121085Sume#else 136122410Sume ((u_int32_t*)block)[0] = ((u_int32_t*)outBuffer)[0] ^ ((u_int32_t*)input)[0]; 137122410Sume ((u_int32_t*)block)[1] = ((u_int32_t*)outBuffer)[1] ^ ((u_int32_t*)input)[1]; 138122410Sume ((u_int32_t*)block)[2] = ((u_int32_t*)outBuffer)[2] ^ ((u_int32_t*)input)[2]; 139122410Sume ((u_int32_t*)block)[3] = ((u_int32_t*)outBuffer)[3] ^ ((u_int32_t*)input)[3]; 140121085Sume#endif 141121257Sume outBuffer += 16; 142122410Sume rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 143121050Sume input += 16; 14467957Skris } 14567957Skris break; 146122410Sume 147121257Sume case MODE_CFB1: 148121085Sume#if 1 /*STRICT_ALIGN*/ 149122410Sume memcpy(iv, cipher->IV, 16); 150121257Sume#else /* !STRICT_ALIGN */ 151122410Sume *((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV )); 152122410Sume *((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4)); 153122410Sume *((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8)); 154122410Sume *((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12)); 155121257Sume#endif /* ?STRICT_ALIGN */ 156121257Sume for (i = numBlocks; i > 0; i--) { 157121257Sume for (k = 0; k < 128; k++) { 158122410Sume *((u_int32_t*) block ) = *((u_int32_t*)iv[0]); 159122410Sume *((u_int32_t*)(block+ 4)) = *((u_int32_t*)iv[1]); 160122410Sume *((u_int32_t*)(block+ 8)) = *((u_int32_t*)iv[2]); 161122410Sume *((u_int32_t*)(block+12)) = *((u_int32_t*)iv[3]); 162122410Sume rijndaelEncrypt(key->ek, key->Nr, block, 163122410Sume block); 164121257Sume outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7); 165121257Sume iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7); 166121257Sume iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7); 167121257Sume iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7); 168121257Sume iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7); 169121257Sume iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7); 170121257Sume iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7); 171121257Sume iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7); 172121257Sume iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7); 173121257Sume iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7); 174121257Sume iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7); 175121257Sume iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7); 176121257Sume iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7); 177121257Sume iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7); 178121257Sume iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7); 179121257Sume iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7); 180121257Sume iv[3][3] = (iv[3][3] << 1) | ((outBuffer[k/8] >> (7-(k&7))) & 1); 181121257Sume } 182121257Sume } 183121257Sume break; 184122410Sume 18567957Skris default: 18667957Skris return BAD_CIPHER_STATE; 18767957Skris } 188122410Sume 18967957Skris return 128*numBlocks; 19067957Skris} 19167957Skris 19267957Skris/** 19367957Skris * Encrypt data partitioned in octets, using RFC 2040-like padding. 19467957Skris * 19567957Skris * @param input data to be encrypted (octet sequence) 19667957Skris * @param inputOctets input length in octets (not bits) 19767957Skris * @param outBuffer encrypted output data 19867957Skris * 19967957Skris * @return length in octets (not bits) of the encrypted output buffer. 20067957Skris */ 20167957Skrisint rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key, 202274340Sdes const BYTE *input, int inputOctets, BYTE *outBuffer) { 20367957Skris int i, numBlocks, padLen; 204122410Sume u_int8_t block[16], *iv, *cp; 20567957Skris 20667957Skris if (cipher == NULL || 20767957Skris key == NULL || 20867957Skris key->direction == DIR_DECRYPT) { 20967957Skris return BAD_CIPHER_STATE; 21067957Skris } 21167957Skris if (input == NULL || inputOctets <= 0) { 21267957Skris return 0; /* nothing to do */ 21367957Skris } 21467957Skris 21567957Skris numBlocks = inputOctets/16; 21667957Skris 21767957Skris switch (cipher->mode) { 218122410Sume case MODE_ECB: 21967957Skris for (i = numBlocks; i > 0; i--) { 220122410Sume rijndaelEncrypt(key->rk, key->Nr, input, outBuffer); 22167957Skris input += 16; 22267957Skris outBuffer += 16; 22367957Skris } 22467957Skris padLen = 16 - (inputOctets - 16*numBlocks); 225120157Sume if (padLen <= 0 || padLen > 16) 226105099Sphk return BAD_CIPHER_STATE; 227122410Sume memcpy(block, input, 16 - padLen); 228121257Sume for (cp = block + 16 - padLen; cp < block + 16; cp++) 229121257Sume *cp = padLen; 230122410Sume rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 23167957Skris break; 23267957Skris 23367957Skris case MODE_CBC: 23467957Skris iv = cipher->IV; 23567957Skris for (i = numBlocks; i > 0; i--) { 236274380Sdes ((u_int32_t*)block)[0] = ((const u_int32_t*)input)[0] ^ ((u_int32_t*)iv)[0]; 237274380Sdes ((u_int32_t*)block)[1] = ((const u_int32_t*)input)[1] ^ ((u_int32_t*)iv)[1]; 238274380Sdes ((u_int32_t*)block)[2] = ((const u_int32_t*)input)[2] ^ ((u_int32_t*)iv)[2]; 239274380Sdes ((u_int32_t*)block)[3] = ((const u_int32_t*)input)[3] ^ ((u_int32_t*)iv)[3]; 240122410Sume rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 24167957Skris iv = outBuffer; 24267957Skris input += 16; 24367957Skris outBuffer += 16; 24467957Skris } 24567957Skris padLen = 16 - (inputOctets - 16*numBlocks); 246120206Sume if (padLen <= 0 || padLen > 16) 247105099Sphk return BAD_CIPHER_STATE; 24867957Skris for (i = 0; i < 16 - padLen; i++) { 24967957Skris block[i] = input[i] ^ iv[i]; 25067957Skris } 25167957Skris for (i = 16 - padLen; i < 16; i++) { 25267957Skris block[i] = (BYTE)padLen ^ iv[i]; 25367957Skris } 254122410Sume rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 25567957Skris break; 25667957Skris 25767957Skris default: 25867957Skris return BAD_CIPHER_STATE; 25967957Skris } 26067957Skris 26167957Skris return 16*(numBlocks + 1); 26267957Skris} 26367957Skris 26467957Skrisint rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key, 265274340Sdes const BYTE *input, int inputLen, BYTE *outBuffer) { 266121257Sume int i, k, numBlocks; 267122410Sume u_int8_t block[16], iv[4][4]; 26867957Skris 26967957Skris if (cipher == NULL || 27067957Skris key == NULL || 27167957Skris (cipher->mode != MODE_CFB1 && key->direction == DIR_ENCRYPT)) { 27267957Skris return BAD_CIPHER_STATE; 27367957Skris } 27467957Skris if (input == NULL || inputLen <= 0) { 27567957Skris return 0; /* nothing to do */ 27667957Skris } 27767957Skris 27867957Skris numBlocks = inputLen/128; 27967957Skris 28067957Skris switch (cipher->mode) { 281122410Sume case MODE_ECB: 282122410Sume for (i = numBlocks; i > 0; i--) { 283122410Sume rijndaelDecrypt(key->rk, key->Nr, input, outBuffer); 28467957Skris input += 16; 28567957Skris outBuffer += 16; 28667957Skris } 28767957Skris break; 288122410Sume 28967957Skris case MODE_CBC: 290121257Sume#if 1 /*STRICT_ALIGN */ 291122410Sume memcpy(iv, cipher->IV, 16); 292121085Sume#else 293122410Sume *((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV )); 294122410Sume *((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4)); 295122410Sume *((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8)); 296122410Sume *((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12)); 297121085Sume#endif 29867957Skris for (i = numBlocks; i > 0; i--) { 299122410Sume rijndaelDecrypt(key->rk, key->Nr, input, block); 300122410Sume ((u_int32_t*)block)[0] ^= *((u_int32_t*)iv[0]); 301122410Sume ((u_int32_t*)block)[1] ^= *((u_int32_t*)iv[1]); 302122410Sume ((u_int32_t*)block)[2] ^= *((u_int32_t*)iv[2]); 303122410Sume ((u_int32_t*)block)[3] ^= *((u_int32_t*)iv[3]); 304121085Sume#if 1 /*STRICT_ALIGN*/ 305122410Sume memcpy(iv, input, 16); 306122410Sume memcpy(outBuffer, block, 16); 307121085Sume#else 308122410Sume *((u_int32_t*)iv[0]) = ((u_int32_t*)input)[0]; ((u_int32_t*)outBuffer)[0] = ((u_int32_t*)block)[0]; 309122410Sume *((u_int32_t*)iv[1]) = ((u_int32_t*)input)[1]; ((u_int32_t*)outBuffer)[1] = ((u_int32_t*)block)[1]; 310122410Sume *((u_int32_t*)iv[2]) = ((u_int32_t*)input)[2]; ((u_int32_t*)outBuffer)[2] = ((u_int32_t*)block)[2]; 311122410Sume *((u_int32_t*)iv[3]) = ((u_int32_t*)input)[3]; ((u_int32_t*)outBuffer)[3] = ((u_int32_t*)block)[3]; 312121085Sume#endif 31367957Skris input += 16; 31467957Skris outBuffer += 16; 31567957Skris } 31667957Skris break; 317122410Sume 318121257Sume case MODE_CFB1: 319121257Sume#if 1 /*STRICT_ALIGN */ 320122410Sume memcpy(iv, cipher->IV, 16); 321121085Sume#else 322122410Sume *((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV)); 323122410Sume *((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4)); 324122410Sume *((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8)); 325122410Sume *((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12)); 326121085Sume#endif 327121257Sume for (i = numBlocks; i > 0; i--) { 328121257Sume for (k = 0; k < 128; k++) { 329122410Sume *((u_int32_t*) block ) = *((u_int32_t*)iv[0]); 330122410Sume *((u_int32_t*)(block+ 4)) = *((u_int32_t*)iv[1]); 331122410Sume *((u_int32_t*)(block+ 8)) = *((u_int32_t*)iv[2]); 332122410Sume *((u_int32_t*)(block+12)) = *((u_int32_t*)iv[3]); 333122410Sume rijndaelEncrypt(key->ek, key->Nr, block, 334122410Sume block); 335121257Sume iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7); 336121257Sume iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7); 337121257Sume iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7); 338121257Sume iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7); 339121257Sume iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7); 340121257Sume iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7); 341121257Sume iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7); 342121257Sume iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7); 343121257Sume iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7); 344121257Sume iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7); 345121257Sume iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7); 346121257Sume iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7); 347121257Sume iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7); 348121257Sume iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7); 349121257Sume iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7); 350121257Sume iv[3][3] = (iv[3][3] << 1) | ((input[k/8] >> (7-(k&7))) & 1); 351121257Sume outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7); 352121257Sume } 353121257Sume } 354121257Sume break; 355121050Sume 35667957Skris default: 35767957Skris return BAD_CIPHER_STATE; 35867957Skris } 359122410Sume 36067957Skris return 128*numBlocks; 36167957Skris} 36267957Skris 36367957Skrisint rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key, 364274340Sdes const BYTE *input, int inputOctets, BYTE *outBuffer) { 36567957Skris int i, numBlocks, padLen; 366122410Sume u_int8_t block[16]; 367122410Sume u_int32_t iv[4]; 36867957Skris 36967957Skris if (cipher == NULL || 37067957Skris key == NULL || 37167957Skris key->direction == DIR_ENCRYPT) { 37267957Skris return BAD_CIPHER_STATE; 37367957Skris } 37467957Skris if (input == NULL || inputOctets <= 0) { 37567957Skris return 0; /* nothing to do */ 37667957Skris } 37767957Skris if (inputOctets % 16 != 0) { 37867957Skris return BAD_DATA; 37967957Skris } 38067957Skris 38167957Skris numBlocks = inputOctets/16; 38267957Skris 38367957Skris switch (cipher->mode) { 38467957Skris case MODE_ECB: 38567957Skris /* all blocks but last */ 386122410Sume for (i = numBlocks - 1; i > 0; i--) { 387122410Sume rijndaelDecrypt(key->rk, key->Nr, input, outBuffer); 38867957Skris input += 16; 38967957Skris outBuffer += 16; 39067957Skris } 39167957Skris /* last block */ 392122410Sume rijndaelDecrypt(key->rk, key->Nr, input, block); 39367957Skris padLen = block[15]; 39467957Skris if (padLen >= 16) { 39567957Skris return BAD_DATA; 39667957Skris } 39767957Skris for (i = 16 - padLen; i < 16; i++) { 39867957Skris if (block[i] != padLen) { 39967957Skris return BAD_DATA; 40067957Skris } 40167957Skris } 402122410Sume memcpy(outBuffer, block, 16 - padLen); 40367957Skris break; 404122410Sume 40567957Skris case MODE_CBC: 406122410Sume memcpy(iv, cipher->IV, 16); 40767957Skris /* all blocks but last */ 40867957Skris for (i = numBlocks - 1; i > 0; i--) { 409122410Sume rijndaelDecrypt(key->rk, key->Nr, input, block); 410122410Sume ((u_int32_t*)block)[0] ^= iv[0]; 411122410Sume ((u_int32_t*)block)[1] ^= iv[1]; 412122410Sume ((u_int32_t*)block)[2] ^= iv[2]; 413122410Sume ((u_int32_t*)block)[3] ^= iv[3]; 414122410Sume memcpy(iv, input, 16); 415122410Sume memcpy(outBuffer, block, 16); 41667957Skris input += 16; 41767957Skris outBuffer += 16; 41867957Skris } 41967957Skris /* last block */ 420122410Sume rijndaelDecrypt(key->rk, key->Nr, input, block); 421122410Sume ((u_int32_t*)block)[0] ^= iv[0]; 422122410Sume ((u_int32_t*)block)[1] ^= iv[1]; 423122410Sume ((u_int32_t*)block)[2] ^= iv[2]; 424122410Sume ((u_int32_t*)block)[3] ^= iv[3]; 42567957Skris padLen = block[15]; 42667957Skris if (padLen <= 0 || padLen > 16) { 42767957Skris return BAD_DATA; 42867957Skris } 42967957Skris for (i = 16 - padLen; i < 16; i++) { 43067957Skris if (block[i] != padLen) { 43167957Skris return BAD_DATA; 43267957Skris } 43367957Skris } 434122410Sume memcpy(outBuffer, block, 16 - padLen); 43567957Skris break; 436122410Sume 43767957Skris default: 43867957Skris return BAD_CIPHER_STATE; 43967957Skris } 440122410Sume 44167957Skris return 16*numBlocks - padLen; 44267957Skris} 443