- revert to old rijndael code. new rijndael code broke gbde.

- since aes-xcbc-mac and aes-ctr require functions in new
  rijndael code, aes-xcbc-mac and aes-ctr are disabled for now.

sys/conf/files

@@ -1439,12 +1439,12 @@ netinet/tcp_syncache.c	optional inet
 netinet/tcp_timer.c	optional inet
 netinet/tcp_usrreq.c	optional inet
 netinet/udp_usrreq.c	optional inet
-netinet6/ah_aesxcbcmac.c	optional ipsec
+#netinet6/ah_aesxcbcmac.c	optional ipsec
 netinet6/ah_core.c	optional ipsec
 netinet6/ah_input.c	optional ipsec
 netinet6/ah_output.c	optional ipsec
 netinet6/dest6.c	optional inet6
-netinet6/esp_aesctr.c	optional ipsec ipsec_esp
+#netinet6/esp_aesctr.c	optional ipsec ipsec_esp
 netinet6/esp_core.c	optional ipsec ipsec_esp
 netinet6/esp_input.c	optional ipsec ipsec_esp
 netinet6/esp_output.c	optional ipsec ipsec_esp

sys/crypto/rijndael/rijndael-alg-fst.h

@@ -1,40 +1,34 @@
 /*	$FreeBSD$	*/
-/*	$KAME: rijndael-alg-fst.h,v 1.5 2003/07/15 10:47:16 itojun Exp $	*/
-/**
- * rijndael-alg-fst.h
+/*	$KAME: rijndael-alg-fst.h,v 1.4 2000/10/02 17:14:26 itojun Exp $	*/
+
+/*
+ * rijndael-alg-fst.h   v2.3   April '2000
  *
- * @version 3.0 (December 2000)
+ * Optimised ANSI C code
  *
- * Optimised ANSI C code for the Rijndael cipher (now AES)
- *
- * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
- * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
- * @author Paulo Barreto <paulo.barreto@terra.com.br>
- *
- * This code is hereby placed in the public domain.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * #define INTERMEDIATE_VALUE_KAT to generate the Intermediate Value Known Answer Test.
  */
+
 #ifndef __RIJNDAEL_ALG_FST_H
 #define __RIJNDAEL_ALG_FST_H
 
-#define RIJNDAEL_MAXKC	(256/32)
-#define RIJNDAEL_MAXKB	(256/8)
-#define RIJNDAEL_MAXNR	14
+#define RIJNDAEL_MAXKC			(256/32)
+#define RIJNDAEL_MAXROUNDS		14
 
-int rijndaelKeySetupEnc(u_int32_t rk[/*4*(Nr + 1)*/], const u_int8_t cipherKey[], int keyBits);
-int rijndaelKeySetupDec(u_int32_t rk[/*4*(Nr + 1)*/], const u_int8_t cipherKey[], int keyBits);
-void rijndaelEncrypt(const u_int32_t rk[/*4*(Nr + 1)*/], int Nr, const u_int8_t pt[16], u_int8_t ct[16]);
-void rijndaelDecrypt(const u_int32_t rk[/*4*(Nr + 1)*/], int Nr, const u_int8_t ct[16], u_int8_t pt[16]);
+int rijndaelKeySched(u_int8_t k[RIJNDAEL_MAXKC][4], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
+
+int rijndaelKeyEncToDec(u_int8_t W[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
+
+int rijndaelEncrypt(u_int8_t a[16], u_int8_t b[16], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
+
+#ifdef INTERMEDIATE_VALUE_KAT
+int rijndaelEncryptRound(u_int8_t a[4][4], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS, int rounds);
+#endif /* INTERMEDIATE_VALUE_KAT */
+
+int rijndaelDecrypt(u_int8_t a[16], u_int8_t b[16], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
+
+#ifdef INTERMEDIATE_VALUE_KAT
+int rijndaelDecryptRound(u_int8_t a[4][4], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS, int rounds);
+#endif /* INTERMEDIATE_VALUE_KAT */
 
 #endif /* __RIJNDAEL_ALG_FST_H */

sys/crypto/rijndael/rijndael-api-fst.c

@@ -1,59 +1,44 @@
-/*	$KAME: rijndael-api-fst.c,v 1.18 2003/07/24 15:10:30 itojun Exp $	*/
+/*	$KAME: rijndael-api-fst.c,v 1.10 2001/05/27 09:34:18 itojun Exp $	*/
 
-/**
- * rijndael-api-fst.c
+/*
+ * rijndael-api-fst.c   v2.3   April '2000
  *
- * @version 2.9 (December 2000)
+ * Optimised ANSI C code
  *
- * Optimised ANSI C code for the Rijndael cipher (now AES)
+ * authors: v1.0: Antoon Bosselaers
+ *          v2.0: Vincent Rijmen
+ *          v2.1: Vincent Rijmen
+ *          v2.2: Vincent Rijmen
+ *          v2.3: Paulo Barreto
+ *          v2.4: Vincent Rijmen
  *
- * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
- * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
- * @author Paulo Barreto <paulo.barreto@terra.com.br>
- *
- * This code is hereby placed in the public domain.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * Acknowledgements:
- *
- * We are deeply indebted to the following people for their bug reports,
- * fixes, and improvement suggestions to this implementation. Though we
- * tried to list all contributions, we apologise in advance for any
- * missing reference.
- *
- * Andrew Bales <Andrew.Bales@Honeywell.com>
- * Markus Friedl <markus.friedl@informatik.uni-erlangen.de>
- * John Skodon <skodonj@webquill.com>
+ * This code is placed in the public domain.
  */
 
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#include <sys/types.h>
 #ifdef _KERNEL
 #include <sys/systm.h>
 #else
-#include <stdlib.h>
 #include <string.h>
 #endif
-
-#include <crypto/rijndael/rijndael_local.h>
 #include <crypto/rijndael/rijndael-alg-fst.h>
 #include <crypto/rijndael/rijndael-api-fst.h>
+#include <crypto/rijndael/rijndael_local.h>
+
+#ifndef TRUE
+#define TRUE 1
+#endif
+
+typedef u_int8_t	BYTE;
 
 int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen, char *keyMaterial) {
-	u_int8_t cipherKey[RIJNDAEL_MAXKB];
+	u8 k[RIJNDAEL_MAXKC][4];
+	int i;
+	char *keyMat;
 	
 	if (key == NULL) {
 		return BAD_KEY_INSTANCE;
@@ -65,24 +50,28 @@ int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen, char *keyMate
 		return BAD_KEY_DIR;
 	}
 
-	if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) {
+	if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) { 
 		key->keyLen = keyLen;
 	} else {
 		return BAD_KEY_MAT;
 	}
 
 	if (keyMaterial != NULL) {
-		memcpy(key->keyMaterial, keyMaterial, keyLen/8);
+		bcopy(keyMaterial, key->keyMaterial, keyLen/8);
 	}
 
+	key->ROUNDS = keyLen/32 + 6;
+
 	/* initialize key schedule: */
-	memcpy(cipherKey, key->keyMaterial, keyLen/8);
-	if (direction == DIR_ENCRYPT) {
-		key->Nr = rijndaelKeySetupEnc(key->rk, cipherKey, keyLen);
-	} else {
-		key->Nr = rijndaelKeySetupDec(key->rk, cipherKey, keyLen);
+	keyMat = key->keyMaterial;
+	for (i = 0; i < key->keyLen/8; i++) {
+		k[i >> 2][i & 3] = (u8)keyMat[i]; 
 	}
-	rijndaelKeySetupEnc(key->ek, cipherKey, keyLen);
+	rijndaelKeySched(k, key->keySched, key->ROUNDS);
+	if (direction == DIR_DECRYPT) {
+		rijndaelKeyEncToDec(key->keySched, key->ROUNDS);
+	}
+
 	return TRUE;
 }
 
@@ -93,21 +82,17 @@ int rijndael_cipherInit(cipherInstance *cipher, BYTE mode, char *IV) {
 		return BAD_CIPHER_MODE;
 	}
 	if (IV != NULL) {
-		memcpy(cipher->IV, IV, RIJNDAEL_MAX_IV_SIZE);
+		bcopy(IV, cipher->IV, MAX_IV_SIZE);
 	} else {
-		memset(cipher->IV, 0, RIJNDAEL_MAX_IV_SIZE);
+		bzero(cipher->IV, MAX_IV_SIZE);
 	}
 	return TRUE;
 }
 
 int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
 		BYTE *input, int inputLen, BYTE *outBuffer) {
-	int i, k, t, numBlocks;
-#if 1 /*STRICT_ALIGN*/
-	u_int8_t block[16], iv[16];
-#else
-	u_int8_t block[16], *iv;
-#endif
+	int i, k, numBlocks;
+	u8 block[16], iv[4][4];
 
 	if (cipher == NULL ||
 		key == NULL ||
@@ -121,9 +106,9 @@ int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
 	numBlocks = inputLen/128;
 	
 	switch (cipher->mode) {
-	case MODE_ECB:
+	case MODE_ECB: 
 		for (i = numBlocks; i > 0; i--) {
-			rijndaelEncrypt(key->rk, key->Nr, input, outBuffer);
+			rijndaelEncrypt(input, outBuffer, key->keySched, key->ROUNDS);
 			input += 16;
 			outBuffer += 16;
 		}
@@ -131,58 +116,77 @@ int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
 		
 	case MODE_CBC:
 #if 1 /*STRICT_ALIGN*/
-		memcpy(iv, cipher->IV, 16);
+		bcopy(cipher->IV, block, 16);
+		bcopy(input, iv, 16);
+		((u32*)block)[0] ^= ((u32*)iv)[0];
+		((u32*)block)[1] ^= ((u32*)iv)[1];
+		((u32*)block)[2] ^= ((u32*)iv)[2];
+		((u32*)block)[3] ^= ((u32*)iv)[3];
 #else
-		iv = cipher->IV;
+		((u32*)block)[0] = ((u32*)cipher->IV)[0] ^ ((u32*)input)[0];
+		((u32*)block)[1] = ((u32*)cipher->IV)[1] ^ ((u32*)input)[1];
+		((u32*)block)[2] = ((u32*)cipher->IV)[2] ^ ((u32*)input)[2];
+		((u32*)block)[3] = ((u32*)cipher->IV)[3] ^ ((u32*)input)[3];
 #endif
-		for (i = numBlocks; i > 0; i--) {
+		rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
+		input += 16;
+		for (i = numBlocks - 1; i > 0; i--) {
 #if 1 /*STRICT_ALIGN*/
-			memcpy(block, input, 16);
-			((u_int32_t*)block)[0] ^= ((u_int32_t*)iv)[0];
-			((u_int32_t*)block)[1] ^= ((u_int32_t*)iv)[1];
-			((u_int32_t*)block)[2] ^= ((u_int32_t*)iv)[2];
-			((u_int32_t*)block)[3] ^= ((u_int32_t*)iv)[3];
+			bcopy(outBuffer, block, 16);
+			bcopy(input, iv, 16);
+			((u32*)block)[0] ^= ((u32*)iv)[0];
+			((u32*)block)[1] ^= ((u32*)iv)[1];
+			((u32*)block)[2] ^= ((u32*)iv)[2];
+			((u32*)block)[3] ^= ((u32*)iv)[3];
 #else
-			((u_int32_t*)block)[0] = ((u_int32_t*)input)[0] ^ ((u_int32_t*)iv)[0];
-			((u_int32_t*)block)[1] = ((u_int32_t*)input)[1] ^ ((u_int32_t*)iv)[1];
-			((u_int32_t*)block)[2] = ((u_int32_t*)input)[2] ^ ((u_int32_t*)iv)[2];
-			((u_int32_t*)block)[3] = ((u_int32_t*)input)[3] ^ ((u_int32_t*)iv)[3];
+			((u32*)block)[0] = ((u32*)outBuffer)[0] ^ ((u32*)input)[0];
+			((u32*)block)[1] = ((u32*)outBuffer)[1] ^ ((u32*)input)[1];
+			((u32*)block)[2] = ((u32*)outBuffer)[2] ^ ((u32*)input)[2];
+			((u32*)block)[3] = ((u32*)outBuffer)[3] ^ ((u32*)input)[3];
 #endif
-			rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
-#if 1 /*STRICT_ALIGN*/
-			memcpy(iv, outBuffer, 16);
-#else
-			iv = outBuffer;
-#endif
-			input += 16;
 			outBuffer += 16;
+			rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
+			input += 16;
 		}
 		break;
-
-    case MODE_CFB1:
+	
+	case MODE_CFB1:
 #if 1 /*STRICT_ALIGN*/
-		memcpy(iv, cipher->IV, 16);
-#else
-		iv = cipher->IV;
-#endif
-        for (i = numBlocks; i > 0; i--) {
-			memcpy(outBuffer, input, 16);
-            for (k = 0; k < 128; k++) {
-				rijndaelEncrypt(key->ek, key->Nr, iv, block);
-                outBuffer[k >> 3] ^= (block[0] & 0x80U) >> (k & 7);
-                for (t = 0; t < 15; t++) {
-                	iv[t] = (iv[t] << 1) | (iv[t + 1] >> 7);
-                }
-               	iv[15] = (iv[15] << 1) | ((outBuffer[k >> 3] >> (7 - (k & 7))) & 1);
-            }
-            outBuffer += 16;
-            input += 16;
-        }
-#if 1 /*STRICT_ALIGN*/
-		memcpy(cipher->IV, iv, 16);
-#endif
-        break;
-
+		bcopy(cipher->IV, iv, 16); 
+#else  /* !STRICT_ALIGN */
+		*((u32*)iv[0]) = *((u32*)(cipher->IV   ));
+		*((u32*)iv[1]) = *((u32*)(cipher->IV+ 4));
+		*((u32*)iv[2]) = *((u32*)(cipher->IV+ 8));
+		*((u32*)iv[3]) = *((u32*)(cipher->IV+12));
+#endif /* ?STRICT_ALIGN */
+		for (i = numBlocks; i > 0; i--) {
+			for (k = 0; k < 128; k++) {
+				*((u32*) block    ) = *((u32*)iv[0]);
+				*((u32*)(block+ 4)) = *((u32*)iv[1]);
+				*((u32*)(block+ 8)) = *((u32*)iv[2]);
+				*((u32*)(block+12)) = *((u32*)iv[3]);
+				rijndaelEncrypt(block, block, key->keySched, key->ROUNDS);
+				outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7);
+				iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7);
+				iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7);
+				iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7);
+				iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7);
+				iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7);
+				iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7);
+				iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7);
+				iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7);
+				iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7);
+				iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7);
+				iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7);
+				iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7);
+				iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7);
+				iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7);
+				iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7);
+				iv[3][3] = (iv[3][3] << 1) | ((outBuffer[k/8] >> (7-(k&7))) & 1);
+			}
+		}
+		break;
+	
 	default:
 		return BAD_CIPHER_STATE;
 	}
@@ -202,7 +206,7 @@ int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
 int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
 		BYTE *input, int inputOctets, BYTE *outBuffer) {
 	int i, numBlocks, padLen;
-	u_int8_t block[16], *iv;
+	u8 block[16], *iv, *cp;
 
 	if (cipher == NULL ||
 		key == NULL ||
@@ -216,28 +220,29 @@ int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
 	numBlocks = inputOctets/16;
 
 	switch (cipher->mode) {
-	case MODE_ECB:
+	case MODE_ECB: 
 		for (i = numBlocks; i > 0; i--) {
-			rijndaelEncrypt(key->rk, key->Nr, input, outBuffer);
+			rijndaelEncrypt(input, outBuffer, key->keySched, key->ROUNDS);
 			input += 16;
 			outBuffer += 16;
 		}
 		padLen = 16 - (inputOctets - 16*numBlocks);
 		if (padLen <= 0 || padLen > 16)
 			return BAD_CIPHER_STATE;
-		memcpy(block, input, 16 - padLen);
-		memset(block + 16 - padLen, padLen, padLen);
-		rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
+		bcopy(input, block, 16 - padLen);
+		for (cp = block + 16 - padLen; cp < block + 16; cp++)
+			*cp = padLen;
+		rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
 		break;
 
 	case MODE_CBC:
 		iv = cipher->IV;
 		for (i = numBlocks; i > 0; i--) {
-			((u_int32_t*)block)[0] = ((u_int32_t*)input)[0] ^ ((u_int32_t*)iv)[0];
-			((u_int32_t*)block)[1] = ((u_int32_t*)input)[1] ^ ((u_int32_t*)iv)[1];
-			((u_int32_t*)block)[2] = ((u_int32_t*)input)[2] ^ ((u_int32_t*)iv)[2];
-			((u_int32_t*)block)[3] = ((u_int32_t*)input)[3] ^ ((u_int32_t*)iv)[3];
-			rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
+			((u32*)block)[0] = ((u32*)input)[0] ^ ((u32*)iv)[0];
+			((u32*)block)[1] = ((u32*)input)[1] ^ ((u32*)iv)[1];
+			((u32*)block)[2] = ((u32*)input)[2] ^ ((u32*)iv)[2];
+			((u32*)block)[3] = ((u32*)input)[3] ^ ((u32*)iv)[3];
+			rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
 			iv = outBuffer;
 			input += 16;
 			outBuffer += 16;
@@ -251,7 +256,7 @@ int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
 		for (i = 16 - padLen; i < 16; i++) {
 			block[i] = (BYTE)padLen ^ iv[i];
 		}
-		rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
+		rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
 		break;
 
 	default:
@@ -263,12 +268,8 @@ int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
 
 int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
 		BYTE *input, int inputLen, BYTE *outBuffer) {
-	int i, k, t, numBlocks;
-#if 1 /*STRICT_ALIGN*/
-	u_int8_t block[16], iv[16];
-#else
-	u_int8_t block[16], *iv;
-#endif
+	int i, k, numBlocks;
+	u8 block[16], iv[4][4];
 
 	if (cipher == NULL ||
 		key == NULL ||
@@ -282,63 +283,79 @@ int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
 	numBlocks = inputLen/128;
 
 	switch (cipher->mode) {
-	case MODE_ECB:
-		for (i = numBlocks; i > 0; i--) {
-			rijndaelDecrypt(key->rk, key->Nr, input, outBuffer);
+	case MODE_ECB: 
+		for (i = numBlocks; i > 0; i--) { 
+			rijndaelDecrypt(input, outBuffer, key->keySched, key->ROUNDS);
 			input += 16;
 			outBuffer += 16;
 		}
 		break;
 		
 	case MODE_CBC:
-#if 1 /*STRICT_ALIGN*/
-		memcpy(iv, cipher->IV, 16);
+#if 1 /*STRICT_ALIGN */
+		bcopy(cipher->IV, iv, 16); 
 #else
-		iv = cipher->IV;
+		*((u32*)iv[0]) = *((u32*)(cipher->IV   ));
+		*((u32*)iv[1]) = *((u32*)(cipher->IV+ 4));
+		*((u32*)iv[2]) = *((u32*)(cipher->IV+ 8));
+		*((u32*)iv[3]) = *((u32*)(cipher->IV+12));
 #endif
 		for (i = numBlocks; i > 0; i--) {
-			rijndaelDecrypt(key->rk, key->Nr, input, block);
-			((u_int32_t*)block)[0] ^= ((u_int32_t*)iv)[0];
-			((u_int32_t*)block)[1] ^= ((u_int32_t*)iv)[1];
-			((u_int32_t*)block)[2] ^= ((u_int32_t*)iv)[2];
-			((u_int32_t*)block)[3] ^= ((u_int32_t*)iv)[3];
+			rijndaelDecrypt(input, block, key->keySched, key->ROUNDS);
+			((u32*)block)[0] ^= *((u32*)iv[0]);
+			((u32*)block)[1] ^= *((u32*)iv[1]);
+			((u32*)block)[2] ^= *((u32*)iv[2]);
+			((u32*)block)[3] ^= *((u32*)iv[3]);
 #if 1 /*STRICT_ALIGN*/
-			memcpy(iv, input, 16);
+			bcopy(input, iv, 16);
+			bcopy(block, outBuffer, 16);
 #else
-			memcpy(cipher->IV, input, 16);
+			*((u32*)iv[0]) = ((u32*)input)[0]; ((u32*)outBuffer)[0] = ((u32*)block)[0];
+			*((u32*)iv[1]) = ((u32*)input)[1]; ((u32*)outBuffer)[1] = ((u32*)block)[1];
+			*((u32*)iv[2]) = ((u32*)input)[2]; ((u32*)outBuffer)[2] = ((u32*)block)[2];
+			*((u32*)iv[3]) = ((u32*)input)[3]; ((u32*)outBuffer)[3] = ((u32*)block)[3];
 #endif
-			memcpy(outBuffer, block, 16);
 			input += 16;
 			outBuffer += 16;
 		}
-#if 1 /*STRICT_ALIGN*/
-		memcpy(cipher->IV, iv, 16);
-#endif
 		break;
-
-    case MODE_CFB1:
-#if 1 /*STRICT_ALIGN*/
-		memcpy(iv, cipher->IV, 16);
+	
+	case MODE_CFB1:
+#if 1 /*STRICT_ALIGN */
+		bcopy(cipher->IV, iv, 16); 
 #else
-		iv = cipher->IV;
+		*((u32*)iv[0]) = *((u32*)(cipher->IV));
+		*((u32*)iv[1]) = *((u32*)(cipher->IV+ 4));
+		*((u32*)iv[2]) = *((u32*)(cipher->IV+ 8));
+		*((u32*)iv[3]) = *((u32*)(cipher->IV+12));
 #endif
-        for (i = numBlocks; i > 0; i--) {
-			memcpy(outBuffer, input, 16);
-            for (k = 0; k < 128; k++) {
-				rijndaelEncrypt(key->ek, key->Nr, iv, block);
-                for (t = 0; t < 15; t++) {
-                	iv[t] = (iv[t] << 1) | (iv[t + 1] >> 7);
-                }
-               	iv[15] = (iv[15] << 1) | ((input[k >> 3] >> (7 - (k & 7))) & 1);
-                outBuffer[k >> 3] ^= (block[0] & 0x80U) >> (k & 7);
-            }
-            outBuffer += 16;
-            input += 16;
-        }
-#if 1 /*STRICT_ALIGN*/
-		memcpy(cipher->IV, iv, 16);
-#endif
-        break;
+		for (i = numBlocks; i > 0; i--) {
+			for (k = 0; k < 128; k++) {
+				*((u32*) block    ) = *((u32*)iv[0]);
+				*((u32*)(block+ 4)) = *((u32*)iv[1]);
+				*((u32*)(block+ 8)) = *((u32*)iv[2]);
+				*((u32*)(block+12)) = *((u32*)iv[3]);
+				rijndaelEncrypt(block, block, key->keySched, key->ROUNDS);
+				iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7);
+				iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7);
+				iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7);
+				iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7);
+				iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7);
+				iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7);
+				iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7);
+				iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7);
+				iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7);
+				iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7);
+				iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7);
+				iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7);
+				iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7);
+				iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7);
+				iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7);
+				iv[3][3] = (iv[3][3] << 1) | ((input[k/8] >> (7-(k&7))) & 1);
+				outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7);
+			}
+		}
+		break;
 
 	default:
 		return BAD_CIPHER_STATE;
@@ -350,7 +367,8 @@ int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
 int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
 		BYTE *input, int inputOctets, BYTE *outBuffer) {
 	int i, numBlocks, padLen;
-	u_int8_t block[16];
+	u8 block[16];
+	u32 iv[4];
 
 	if (cipher == NULL ||
 		key == NULL ||
@@ -369,13 +387,13 @@ int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
 	switch (cipher->mode) {
 	case MODE_ECB:
 		/* all blocks but last */
-		for (i = numBlocks - 1; i > 0; i--) {
-			rijndaelDecrypt(key->rk, key->Nr, input, outBuffer);
+		for (i = numBlocks - 1; i > 0; i--) { 
+			rijndaelDecrypt(input, outBuffer, key->keySched, key->ROUNDS);
 			input += 16;
 			outBuffer += 16;
 		}
 		/* last block */
-		rijndaelDecrypt(key->rk, key->Nr, input, block);
+		rijndaelDecrypt(input, block, key->keySched, key->ROUNDS);
 		padLen = block[15];
 		if (padLen >= 16) {
 			return BAD_DATA;
@@ -385,28 +403,29 @@ int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
 				return BAD_DATA;
 			}
 		}
-		memcpy(outBuffer, block, 16 - padLen);
+		bcopy(block, outBuffer, 16 - padLen);
 		break;
 		
 	case MODE_CBC:
+		bcopy(cipher->IV, iv, 16);
 		/* all blocks but last */
 		for (i = numBlocks - 1; i > 0; i--) {
-			rijndaelDecrypt(key->rk, key->Nr, input, block);
-			((u_int32_t*)block)[0] ^= ((u_int32_t*)cipher->IV)[0];
-			((u_int32_t*)block)[1] ^= ((u_int32_t*)cipher->IV)[1];
-			((u_int32_t*)block)[2] ^= ((u_int32_t*)cipher->IV)[2];
-			((u_int32_t*)block)[3] ^= ((u_int32_t*)cipher->IV)[3];
-			memcpy(cipher->IV, input, 16);
-			memcpy(outBuffer, block, 16);
+			rijndaelDecrypt(input, block, key->keySched, key->ROUNDS);
+			((u32*)block)[0] ^= iv[0];
+			((u32*)block)[1] ^= iv[1];
+			((u32*)block)[2] ^= iv[2];
+			((u32*)block)[3] ^= iv[3];
+			bcopy(input, iv, 16);
+			bcopy(block, outBuffer, 16);
 			input += 16;
 			outBuffer += 16;
 		}
 		/* last block */
-		rijndaelDecrypt(key->rk, key->Nr, input, block);
-		((u_int32_t*)block)[0] ^= ((u_int32_t*)cipher->IV)[0];
-		((u_int32_t*)block)[1] ^= ((u_int32_t*)cipher->IV)[1];
-		((u_int32_t*)block)[2] ^= ((u_int32_t*)cipher->IV)[2];
-		((u_int32_t*)block)[3] ^= ((u_int32_t*)cipher->IV)[3];
+		rijndaelDecrypt(input, block, key->keySched, key->ROUNDS);
+		((u32*)block)[0] ^= iv[0];
+		((u32*)block)[1] ^= iv[1];
+		((u32*)block)[2] ^= iv[2];
+		((u32*)block)[3] ^= iv[3];
 		padLen = block[15];
 		if (padLen <= 0 || padLen > 16) {
 			return BAD_DATA;
@@ -416,7 +435,7 @@ int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
 				return BAD_DATA;
 			}
 		}
-		memcpy(outBuffer, block, 16 - padLen);
+		bcopy(block, outBuffer, 16 - padLen);
 		break;
 	
 	default:
@@ -426,3 +445,49 @@ int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
 	return 16*numBlocks - padLen;
 }
 
+#ifdef INTERMEDIATE_VALUE_KAT
+/**
+ *	cipherUpdateRounds:
+ *
+ *	Encrypts/Decrypts exactly one full block a specified number of rounds.
+ *	Only used in the Intermediate Value Known Answer Test.	
+ *
+ *	Returns:
+ *		TRUE - on success
+ *		BAD_CIPHER_STATE - cipher in bad state (e.g., not initialized)
+ */
+int rijndael_cipherUpdateRounds(cipherInstance *cipher, keyInstance *key,
+		BYTE *input, int inputLen, BYTE *outBuffer, int rounds) {
+	int j;
+	u8 block[4][4];
+
+	if (cipher == NULL || key == NULL) {
+		return BAD_CIPHER_STATE;
+	}
+
+	for (j = 3; j >= 0; j--) {
+		/* parse input stream into rectangular array */
+  		*((u32*)block[j]) = *((u32*)(input+4*j));
+	}
+
+	switch (key->direction) {
+	case DIR_ENCRYPT:
+		rijndaelEncryptRound(block, key->keySched, key->ROUNDS, rounds);
+		break;
+		
+	case DIR_DECRYPT:
+		rijndaelDecryptRound(block, key->keySched, key->ROUNDS, rounds);
+		break;
+		
+	default:
+		return BAD_KEY_DIR;
+	} 
+
+	for (j = 3; j >= 0; j--) {
+		/* parse rectangular array into output ciphertext bytes */
+		*((u32*)(outBuffer+4*j)) = *((u32*)block[j]);
+	}
+	
+	return TRUE;
+}
+#endif /* INTERMEDIATE_VALUE_KAT */

sys/crypto/rijndael/rijndael-api-fst.h

@@ -1,42 +1,12 @@
 /*	$FreeBSD$	*/
-/*	$NetBSD: rijndael-api-fst.h,v 1.5 2003/07/16 05:08:09 itojun Exp $	*/
-/*	$KAME: rijndael-api-fst.h,v 1.9 2003/07/16 05:09:38 itojun Exp $	*/
+/*	$KAME: rijndael-api-fst.h,v 1.6 2001/05/27 00:23:23 itojun Exp $	*/
 
-/**
- * rijndael-api-fst.h
+/*
+ * rijndael-api-fst.h   v2.3   April '2000
  *
- * @version 2.9 (December 2000)
+ * Optimised ANSI C code
  *
- * Optimised ANSI C code for the Rijndael cipher (now AES)
- *
- * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
- * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
- * @author Paulo Barreto <paulo.barreto@terra.com.br>
- *
- * This code is hereby placed in the public domain.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * Acknowledgements:
- *
- * We are deeply indebted to the following people for their bug reports,
- * fixes, and improvement suggestions to this implementation. Though we
- * tried to list all contributions, we apologise in advance for any
- * missing reference.
- *
- * Andrew Bales <Andrew.Bales@Honeywell.com>
- * Markus Friedl <markus.friedl@informatik.uni-erlangen.de>
- * John Skodon <skodonj@webquill.com>
+ * #define INTERMEDIATE_VALUE_KAT to generate the Intermediate Value Known Answer Test.
  */
 
 #ifndef __RIJNDAEL_API_FST_H
@@ -44,17 +14,18 @@
 
 #include <crypto/rijndael/rijndael-alg-fst.h>
 
-/*  Generic Defines  */
+/*  Defines:
+	Add any additional defines you need
+*/
+
 #define     DIR_ENCRYPT           0 /*  Are we encrpyting?  */
 #define     DIR_DECRYPT           1 /*  Are we decrpyting?  */
 #define     MODE_ECB              1 /*  Are we ciphering in ECB mode?   */
 #define     MODE_CBC              2 /*  Are we ciphering in CBC mode?   */
 #define     MODE_CFB1             3 /*  Are we ciphering in 1-bit CFB mode? */
-#define     TRUE                  1
-#define     FALSE                 0
 #define     BITSPERBLOCK        128 /* Default number of bits in a cipher block */
 
-/*  Error Codes  */
+/*  Error Codes - CHANGE POSSIBLE: inclusion of additional error codes  */
 #define     BAD_KEY_DIR          -1 /*  Key direction is invalid, e.g., unknown value */
 #define     BAD_KEY_MAT          -2 /*  Key material not of correct length */
 #define     BAD_KEY_INSTANCE     -3 /*  Key passed is not valid */
@@ -65,42 +36,67 @@
 #define     BAD_DATA             -8 /*  Data contents are invalid, e.g., invalid padding */
 #define     BAD_OTHER            -9 /*  Unknown error */
 
-/*  Algorithm-specific Defines  */
-#define     RIJNDAEL_MAX_KEY_SIZE         64 /* # of ASCII char's needed to represent a key */
-#define     RIJNDAEL_MAX_IV_SIZE          16 /* # bytes needed to represent an IV  */
+/*  CHANGE POSSIBLE:  inclusion of algorithm specific defines  */
+#define     MAX_KEY_SIZE         64 /* # of ASCII char's needed to represent a key */
+#define     MAX_IV_SIZE          16 /* # bytes needed to represent an IV  */
 
-/*  Typedefs  */
+/*  Typedefs:
 
-typedef unsigned char   BYTE;
+	Typedef'ed data storage elements.  Add any algorithm specific 
+parameters at the bottom of the structs as appropriate.
+*/
 
 /*  The structure for key information */
 typedef struct {
-    BYTE  direction;                /* Key used for encrypting or decrypting? */
+    u_int8_t  direction;            /* Key used for encrypting or decrypting? */
     int   keyLen;                   /* Length of the key  */
-    char  keyMaterial[RIJNDAEL_MAX_KEY_SIZE+1];  /* Raw key data in ASCII, e.g., user input or KAT values */
-	int   Nr;                       /* key-length-dependent number of rounds */
-	u_int32_t   rk[4*(RIJNDAEL_MAXNR + 1)];        /* key schedule */
-	u_int32_t   ek[4*(RIJNDAEL_MAXNR + 1)];        /* CFB1 key schedule (encryption only) */
+    char  keyMaterial[MAX_KEY_SIZE+1];  /* Raw key data in ASCII, e.g., user input or KAT values */
+        /*  The following parameters are algorithm dependent, replace or add as necessary  */
+	int   ROUNDS;                   /* key-length-dependent number of rounds */
+    int   blockLen;                 /* block length */
+    union {
+    	u_int8_t xkS8[RIJNDAEL_MAXROUNDS+1][4][4];	/* key schedule		*/
+    	u_int32_t xkS32[RIJNDAEL_MAXROUNDS+1][4];	/* key schedule		*/
+    } xKeySched;
+#define	keySched	xKeySched.xkS8
 } keyInstance;
 
 /*  The structure for cipher information */
 typedef struct {                    /* changed order of the components */
-    BYTE  mode;                     /* MODE_ECB, MODE_CBC, or MODE_CFB1 */
-    BYTE  IV[RIJNDAEL_MAX_IV_SIZE];          /* A possible Initialization Vector for ciphering */
+    u_int8_t mode;                  /* MODE_ECB, MODE_CBC, or MODE_CFB1 */
+    u_int8_t IV[MAX_IV_SIZE];       /* A possible Initialization Vector for ciphering */
+        /*  Add any algorithm specific parameters needed here  */
+    int   blockLen;                 /* Sample: Handles non-128 bit block sizes (if available) */
 } cipherInstance;
 
 /*  Function prototypes  */
+/*  CHANGED: nothing
+	TODO: implement the following extensions to setup 192-bit and 256-bit block lengths:
+        makeKeyEx():    parameter blockLen added
+                        -- this parameter is absolutely necessary if you want to
+                        setup the round keys in a variable block length setting 
+	    cipherInitEx(): parameter blockLen added (for obvious reasons)		
+ */
 
-int rijndael_makeKey(keyInstance *, BYTE, int, char *);
+int rijndael_makeKey(keyInstance *key, u_int8_t direction, int keyLen, char *keyMaterial);
 
-int rijndael_cipherInit(cipherInstance *, BYTE, char *);
+int rijndael_cipherInit(cipherInstance *cipher, u_int8_t mode, char *IV);
 
-int rijndael_blockEncrypt(cipherInstance *, keyInstance *, BYTE *, int, BYTE *);
+int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
+        u_int8_t *input, int inputLen, u_int8_t *outBuffer);
 
-int rijndael_padEncrypt(cipherInstance *, keyInstance *, BYTE *, int, BYTE *);
+int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
+		u_int8_t *input, int inputOctets, u_int8_t *outBuffer);
 
-int rijndael_blockDecrypt(cipherInstance *, keyInstance *, BYTE *, int, BYTE *);
+int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
+        u_int8_t *input, int inputLen, u_int8_t *outBuffer);
 
-int rijndael_padDecrypt(cipherInstance *, keyInstance *, BYTE *, int, BYTE *);
+int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
+		u_int8_t *input, int inputOctets, u_int8_t *outBuffer);
 
-#endif /* __RIJNDAEL_API_FST_H */
+#ifdef INTERMEDIATE_VALUE_KAT
+int rijndael_cipherUpdateRounds(cipherInstance *cipher, keyInstance *key,
+        u_int8_t *input, int inputLen, u_int8_t *outBuffer, int Rounds);
+#endif /* INTERMEDIATE_VALUE_KAT */
+
+#endif /*  __RIJNDAEL_API_FST_H */

sys/netinet6/ah_core.c

@@ -189,10 +189,12 @@ ah_algorithm_lookup(idx)
 			"hmac-ripemd160",
 			ah_hmac_ripemd160_init, ah_hmac_ripemd160_loop,
 			ah_hmac_ripemd160_result, },
+#ifdef ENABLE_AES_XCBC_MAC
 		{ ah_sumsiz_1216, ah_common_mature, 128, 128,
 			"aes-xcbc-mac",
 			ah_aes_xcbc_mac_init, ah_aes_xcbc_mac_loop,
 			ah_aes_xcbc_mac_result, },
+#endif
 	};
 
 	switch (idx) {
@@ -214,8 +216,10 @@ ah_algorithm_lookup(idx)
 		return &ah_algorithms[7];
 	case SADB_X_AALG_RIPEMD160HMAC:
 		return &ah_algorithms[8];
+#ifdef ENABLE_AES_XCBC_MAC
 	case SADB_X_AALG_AES_XCBC_MAC:
 		return &ah_algorithms[9];
+#endif
 	default:
 		return NULL;
 	}

sys/netinet6/esp_core.c

@@ -153,9 +153,11 @@ static const struct esp_algorithm esp_algorithms[] = {
 		esp_common_ivlen, esp_cbc_decrypt,
 		esp_cbc_encrypt, esp_rijndael_schedule,
 		esp_rijndael_blockdecrypt, esp_rijndael_blockencrypt },
+#ifdef ENABLE_EALG_AESCTR
 	{ 16, 8, esp_aesctr_mature, 160, 288, esp_aesctr_schedlen, "aes-ctr",
 		esp_common_ivlen, esp_aesctr_decrypt,
 		esp_aesctr_encrypt, esp_aesctr_schedule },
+#endif
 };
 
 const struct esp_algorithm *
@@ -176,8 +178,10 @@ esp_algorithm_lookup(idx)
 		return &esp_algorithms[4];
 	case SADB_X_EALG_RIJNDAELCBC:
 		return &esp_algorithms[5];
+#ifdef ENABLE_EALG_AESCTR
 	case SADB_X_EALG_AESCTR:
 		return &esp_algorithms[6];
+#endif
 	default:
 		return NULL;
 	}