in src/random/aes.c [57:94]
// Expands the key in key->raw into the AES-256 round-key schedule in ks->keys.
//
// The first two round keys are the two 128-bit halves of the raw key. The
// loop then derives twelve more (indices 2..13), and the tail derives the
// last one, stored at index AES256_ROUNDS.
//
// ks  - output schedule; must have room for indices 0..13 and AES256_ROUNDS
//       (presumably AES256_ROUNDS == 14, i.e. 15 entries - confirm against
//       the aes256_ks_t definition).
// key - input key; BYTES_IN_XMM bytes are read at raw[0] and again at
//       raw[BYTES_IN_XMM].
//
// Returns SUCCESS unconditionally. Neither pointer is validated here, so
// callers must pass valid, non-NULL objects.
//
// NOTE(review): in0, in1, t1 and t2 hold round-key material and are not
// cleared before returning. Whether they ever reach the stack depends on the
// compiler; confirm this matches the project's secret-cleanup policy.
// NOTE(review): this function contains no key-dependent branch or array
// index. The fixed-count loop and the AESENCLAST-based substitution look
// constant-time, assuming AESENCLAST maps to the AES-NI instruction and ROUND
// (defined elsewhere) is also branch-free - confirm.
ret_t aes256_key_expansion(OUT aes256_ks_t *ks, IN const aes256_key_t *key)
{
// Byte-shuffle selector 0x0c0f0e0d replicated into every 32-bit lane. It
// picks the top word of the source rotated by one byte:
// [b0, b1, b2, b3] --> [b1, b2, b3, b0]
const __m128i rotation_mask = SETONE128_I32(0x0c0f0e0d);
// Round constant, starting at 1 and shifted left by one bit after each use.
__m128i con = SETONE128_I32(1);
__m128i t1;
__m128i t2;
// Round keys 0 and 1 are the raw key itself.
// NOTE(review): LOAD128's alignment requirement is not visible here; confirm
// key->raw satisfies it.
ks->keys[0] = LOAD128(&key->raw[0]);
ks->keys[1] = LOAD128(&key->raw[BYTES_IN_XMM]);
// in0 / in1 track the most recent even- and odd-indexed round keys.
__m128i in0 = ks->keys[0];
__m128i in1 = ks->keys[1];
// Each iteration produces two round keys: indices 2*(i+1) and 2*(i+1)+1.
for(size_t i = 0; i < 6; i++) {
// First key of the pair: rotate the last word of in1, run it through
// AESENCLAST with the round constant as its key operand, then advance the
// constant for the next iteration.
t1 = AESENCLAST(SHUF128_I8(in1, rotation_mask), con);
con = SLL128_I32(con, 1);
// ROUND is defined outside this listing; it is expected to set t2 from in0.
ROUND(in0, t2);
// NOTE(review): '^' on __m128i relies on compiler vector extensions
// (GCC/Clang); it is not portable to every toolchain.
in0 ^= t2 ^ t1;
ks->keys[2 * (i + 1) + 0] = in0;
// Second key of the pair: broadcast the last word of the new in0
// (selector 0xff) and run it through AESENCLAST with a zero key operand, so
// no rotation and no round constant are applied.
t1 = AESENCLAST(SHUF128_I32(in0, 0xff), _mm_setzero_si128());
ROUND(in1, t2);
in1 ^= t2 ^ t1;
ks->keys[2 * (i + 1) + 1] = in1;
}
// Final round key: same derivation as the first key of a pair, using the
// round constant left over from the loop. No matching second key is needed.
t1 = SHUF128_I8(in1, rotation_mask);
t1 = AESENCLAST(t1, con);
ROUND(in0, t2);
in0 ^= t2 ^ t1;
ks->keys[AES256_ROUNDS] = in0;
return SUCCESS;
}