in src/aes.c [445:519]
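/*
 * AES_ecb_decrypt - decrypt one block in place.
 *
 * a:    prepared key schedule. This routine reads a->rkey[] (round keys,
 *       consumed NB words per round) and a->Nr (number of rounds; may be odd).
 * buff: NB*4 bytes of ciphertext, overwritten with the plaintext.
 *
 * Exactly one block is processed per call, independently of any other
 * block; chaining and IV handling belong to the caller or a mode wrapper.
 *
 * The state lives in two four-word buffers, p and q. Each round reads from
 * x and writes into y, then the two pointers are swapped. rtable[] is the
 * lookup table used for the inner rounds; the final round uses rbsub[]
 * instead (presumably the plain inverse S-box, since the last round of AES
 * has no InvMixColumns step — confirm against the table definitions).
 */
void AES_ecb_decrypt(const amcl_aes *a, uchar *buff)
{
    int i;
    int j;
    int k;
    unsign32 p[4];
    unsign32 q[4];
    unsign32 *x;
    unsign32 *y;
    unsign32 *t;

    /* Initial AddRoundKey: load the block as NB words, XOR with rkey[0..NB-1]. */
    for (i = j = 0; i < NB; i++, j += 4) {
        p[i] = pack(&buff[j]);
        p[i] ^= a->rkey[i];
    }
    k = NB;
    x = p;
    y = q;

    /* State alternates between x and y */
    for (i = 1; i < a->Nr; i++) {
        /* Nr is number of rounds. May be odd. */
        y[0] = a->rkey[k] ^ rtable[MR_TOBYTE(x[0])] ^
               ROTL8(rtable[MR_TOBYTE(x[3] >> 8)]) ^
               ROTL16(rtable[MR_TOBYTE(x[2] >> 16)]) ^
               ROTL24(rtable[x[1] >> 24]);
        y[1] = a->rkey[k + 1] ^ rtable[MR_TOBYTE(x[1])] ^
               ROTL8(rtable[MR_TOBYTE(x[0] >> 8)]) ^
               ROTL16(rtable[MR_TOBYTE(x[3] >> 16)]) ^
               ROTL24(rtable[x[2] >> 24]);
        y[2] = a->rkey[k + 2] ^ rtable[MR_TOBYTE(x[2])] ^
               ROTL8(rtable[MR_TOBYTE(x[1] >> 8)]) ^
               ROTL16(rtable[MR_TOBYTE(x[0] >> 16)]) ^
               ROTL24(rtable[x[3] >> 24]);
        y[3] = a->rkey[k + 3] ^ rtable[MR_TOBYTE(x[3])] ^
               ROTL8(rtable[MR_TOBYTE(x[2] >> 8)]) ^
               ROTL16(rtable[MR_TOBYTE(x[1] >> 16)]) ^
               ROTL24(rtable[x[0] >> 24]);
        k += 4;
        t = x;
        x = y;
        y = t; /* swap pointers */
    }

    /* Last Round */
    y[0] = a->rkey[k] ^ (unsign32)rbsub[MR_TOBYTE(x[0])] ^
           ROTL8((unsign32)rbsub[MR_TOBYTE(x[3] >> 8)]) ^
           ROTL16((unsign32)rbsub[MR_TOBYTE(x[2] >> 16)]) ^
           ROTL24((unsign32)rbsub[x[1] >> 24]);
    y[1] = a->rkey[k + 1] ^ (unsign32)rbsub[MR_TOBYTE(x[1])] ^
           ROTL8((unsign32)rbsub[MR_TOBYTE(x[0] >> 8)]) ^
           ROTL16((unsign32)rbsub[MR_TOBYTE(x[3] >> 16)]) ^
           ROTL24((unsign32)rbsub[x[2] >> 24]);
    y[2] = a->rkey[k + 2] ^ (unsign32)rbsub[MR_TOBYTE(x[2])] ^
           ROTL8((unsign32)rbsub[MR_TOBYTE(x[1] >> 8)]) ^
           ROTL16((unsign32)rbsub[MR_TOBYTE(x[0] >> 16)]) ^
           ROTL24((unsign32)rbsub[x[3] >> 24]);
    y[3] = a->rkey[k + 3] ^ (unsign32)rbsub[MR_TOBYTE(x[3])] ^
           ROTL8((unsign32)rbsub[MR_TOBYTE(x[2] >> 8)]) ^
           ROTL16((unsign32)rbsub[MR_TOBYTE(x[1] >> 16)]) ^
           ROTL24((unsign32)rbsub[x[0] >> 24]);

    for (i = j = 0; i < NB; i++, j += 4) {
        unpack(y[i], &buff[j]);
    }

    /*
     * Clean up stack: scrub both state buffers (x and y alias p and q).
     * Plain stores to a local that is never read again are dead stores and
     * the optimizer is entitled to drop them, which would leave key-dependent
     * intermediate state on the stack. Writing through a volatile pointer
     * makes each store observable, so the zeroisation survives optimisation.
     */
    {
        volatile unsign32 *vp = p;
        volatile unsign32 *vq = q;
        for (i = 0; i < (int)(sizeof p / sizeof p[0]); i++) {
            vp[i] = 0;
            vq[i] = 0;
        }
    }
}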