diff --git a/ChangeLog b/ChangeLog
index c64bafb1c1148d5f62de27fe42df3373eafcf2b4..ff613329aa3e90253fd51c35f7c3fb26b34ba9c4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2012-04-13  Niels Möller  <nisse@lysator.liu.se>
+
+	* aes-internal.h (SUBBYTE): Cast to uint32_t. Use B0, ..., B3
+	macros.
+
 2012-04-09  Niels Möller  <nisse@lysator.liu.se>
 
 	Timing resistant RSA decryption, based on RSA blinding code
diff --git a/aes-internal.h b/aes-internal.h
index 3bedff7815ad548171c8e005bd8fd7e4e62d1545..a3475d92205d229babdbcf4a6525364e5179a665 100644
--- a/aes-internal.h
+++ b/aes-internal.h
@@ -63,17 +63,17 @@ _aes_decrypt(const struct aes_ctx *ctx,
 	     const uint8_t *src);
 
 /* Macros */
-#define SUBBYTE(x, box) (((box)[((x) & 0xff)]) | \
-                        ((box)[(((x) >> 8) & 0xff)] << 8) | \
-                        ((box)[(((x) >> 16) & 0xff)] << 16) | \
-                        ((box)[(((x) >> 24) & 0xff)] << 24))
-
 /* Get the byte with index 0, 1, 2 and 3 */
 #define B0(x) ((x) & 0xff)
 #define B1(x) (((x) >> 8) & 0xff)
 #define B2(x) (((x) >> 16) & 0xff)
 #define B3(x) (((x) >> 24) & 0xff)
 
+#define SUBBYTE(x, box) ((uint32_t)(box)[B0(x)]		\
+		      | ((uint32_t)(box)[B1(x)] << 8)	\
+		      | ((uint32_t)(box)[B2(x)] << 16)	\
+		      | ((uint32_t)(box)[B3(x)] << 24))
+
 #define AES_ROUND(T, w0, w1, w2, w3, k)		\
 ((  T->table[0][ B0(w0) ]			\
   ^ T->table[1][ B1(w1) ]			\
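Review bot: The new `(uint32_t)` casts in `SUBBYTE` carry no comment explaining why they are needed, so a later cleanup could remove them as redundant. Assuming the box tables hold `uint8_t` entries (their declarations are outside this hunk), each entry promotes to `int`, and `<< 24` on a value with the top bit set overflows a signed int, which is undefined behaviour. I would add above the macro: `/* Cast each table entry to uint32_t before shifting; a promoted int shifted left by 24 can overflow (undefined behaviour). */`. The same comment could note that `x` is expanded four times through `B0`..`B3`, so callers must pass an expression without side effects.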