AES XCBC MAC (for AH)

AES counter mode (for ESP)

sys/netinet6/ah_aesxcbcmac.c

@@ -0,0 +1,191 @@
+/*	$NetBSD: ah_aesxcbcmac.c,v 1.1 2003/07/25 09:48:17 itojun Exp $	*/
+/*	$KAME: ah_aesxcbcmac.c,v 1.2 2003/07/20 00:29:37 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD: ah_aesxcbcmac.c,v 1.1 2003/07/25 09:48:17 itojun Exp $");
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/socket.h>
+#include <sys/queue.h>
+#include <sys/syslog.h>
+#include <sys/mbuf.h>
+
+#include <net/if.h>
+#include <net/route.h>
+
+#include <netinet/in.h>
+
+#include <netinet6/ipsec.h>
+#include <netinet6/ah.h>
+#include <netinet6/ah_aesxcbcmac.h>
+
+#include <netkey/key.h>
+
+#include <crypto/rijndael/rijndael.h>
+
+#include <net/net_osdep.h>
+
+#define AES_BLOCKSIZE	16
+
+typedef struct {
+	u_int8_t	e[AES_BLOCKSIZE];
+	u_int8_t	buf[AES_BLOCKSIZE];
+	size_t		buflen;
+	u_int32_t	r_k1s[(RIJNDAEL_MAXNR+1)*4];
+	u_int32_t	r_k2s[(RIJNDAEL_MAXNR+1)*4];
+	u_int32_t	r_k3s[(RIJNDAEL_MAXNR+1)*4];
+	int		r_nr; /* key-length-dependent number of rounds */
+	u_int8_t	k2[AES_BLOCKSIZE];
+	u_int8_t	k3[AES_BLOCKSIZE];
+} aesxcbc_ctx;
+
+int
+ah_aes_xcbc_mac_init(state, sav)
+	struct ah_algorithm_state *state;
+	struct secasvar *sav;
+{
+	u_int8_t k1seed[AES_BLOCKSIZE] = { 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 };
+	u_int8_t k2seed[AES_BLOCKSIZE] = { 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2 };
+	u_int8_t k3seed[AES_BLOCKSIZE] = { 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3 };
+	u_int32_t r_ks[(RIJNDAEL_MAXNR+1)*4];
+	aesxcbc_ctx *ctx;
+
+	if (!state)
+		panic("ah_aes_xcbc_mac_init: what?");
+
+	state->sav = sav;
+	state->foo = (void *)malloc(sizeof(aesxcbc_ctx), M_TEMP, M_NOWAIT);
+	if (!state->foo)
+		return ENOBUFS;
+	bzero(state->foo, sizeof(aesxcbc_ctx));
+
+	ctx = (aesxcbc_ctx *)state->foo;
+
+	if ((ctx->r_nr = rijndaelKeySetupEnc(r_ks,
+	    (char *)_KEYBUF(sav->key_auth), AES_BLOCKSIZE * 8)) == 0)
+		return -1;
+	if (rijndaelKeySetupEnc(ctx->r_k1s, k1seed, AES_BLOCKSIZE * 8) == 0)
+		return -1;
+	if (rijndaelKeySetupEnc(ctx->r_k2s, k2seed, AES_BLOCKSIZE * 8) == 0)
+		return -1;
+	if (rijndaelKeySetupEnc(ctx->r_k3s, k3seed, AES_BLOCKSIZE * 8) == 0)
+		return -1;
+	rijndaelEncrypt(r_ks, ctx->r_nr, k2seed, ctx->k2);
+	rijndaelEncrypt(r_ks, ctx->r_nr, k3seed, ctx->k3);
+
+	return 0;
+}
+
+void
+ah_aes_xcbc_mac_loop(state, addr, len)
+	struct ah_algorithm_state *state;
+	u_int8_t *addr;
+	size_t len;
+{
+	u_int8_t buf[AES_BLOCKSIZE];
+	aesxcbc_ctx *ctx;
+	u_int8_t *ep;
+	int i;
+
+	if (!state || !state->foo)
+		panic("ah_aes_xcbc_mac_loop: what?");
+
+	ctx = (aesxcbc_ctx *)state->foo;
+	ep = addr + len;
+
+	if (ctx->buflen == sizeof(ctx->buf)) {
+		for (i = 0; i < sizeof(ctx->e); i++)
+			ctx->buf[i] ^= ctx->e[i];
+		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e);
+		ctx->buflen = 0;
+	}
+	if (ctx->buflen + len < sizeof(ctx->buf)) {
+		bcopy(addr, ctx->buf + ctx->buflen, len);
+		ctx->buflen += len;
+		return;
+	}
+	if (ctx->buflen && ctx->buflen + len > sizeof(ctx->buf)) {
+		bcopy(addr, ctx->buf + ctx->buflen,
+		    sizeof(ctx->buf) - ctx->buflen);
+		for (i = 0; i < sizeof(ctx->e); i++)
+			ctx->buf[i] ^= ctx->e[i];
+		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e);
+		addr += sizeof(ctx->buf) - ctx->buflen;
+		ctx->buflen = 0;
+	}
+	/* due to the special processing for M[n], "=" case is not included */
+	while (addr + AES_BLOCKSIZE < ep) {
+		bcopy(addr, buf, AES_BLOCKSIZE);
+		for (i = 0; i < sizeof(buf); i++)
+			buf[i] ^= ctx->e[i];
+		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, buf, ctx->e);
+		addr += AES_BLOCKSIZE;
+	}
+	if (addr < ep) {
+		bcopy(addr, ctx->buf, ep - addr);
+		ctx->buflen = ep - addr;
+	}
+}
+
+void
+ah_aes_xcbc_mac_result(state, addr, l)
+	struct ah_algorithm_state *state;
+	u_int8_t *addr;
+	size_t l;
+{
+	u_char digest[AES_BLOCKSIZE];
+	aesxcbc_ctx *ctx;
+	int i;
+
+	ctx = (aesxcbc_ctx *)state->foo;
+
+	if (ctx->buflen == sizeof(ctx->buf)) {
+		for (i = 0; i < sizeof(ctx->buf); i++) {
+			ctx->buf[i] ^= ctx->e[i];
+			ctx->buf[i] ^= ctx->k2[i];
+		}
+		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, digest);
+	} else {
+		for (i = ctx->buflen; i < sizeof(ctx->buf); i++)
+			ctx->buf[i] = (i == ctx->buflen) ? 0x80 : 0x00;
+		for (i = 0; i < sizeof(ctx->buf); i++) {
+			ctx->buf[i] ^= ctx->e[i];
+			ctx->buf[i] ^= ctx->k3[i];
+		}
+		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, digest);
+	}
+
+	bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
+
+	free(state->foo, M_TEMP);
+}

sys/netinet6/ah_aesxcbcmac.h

@@ -0,0 +1,39 @@
+/*	$NetBSD: ah_aesxcbcmac.h,v 1.1 2003/07/25 09:48:18 itojun Exp $	*/
+/*	$KAME: ah_aesxcbcmac.h,v 1.2 2003/07/20 00:29:37 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+extern int ah_aes_xcbc_mac_init __P((struct ah_algorithm_state *,
+	struct secasvar *));
+extern void ah_aes_xcbc_mac_loop __P((struct ah_algorithm_state *, u_int8_t *,
+	size_t));
+extern void ah_aes_xcbc_mac_result __P((struct ah_algorithm_state *,
+	u_int8_t *, size_t));
+

sys/netinet6/esp_aesctr.c

@@ -0,0 +1,465 @@
+/*	$NetBSD: esp_aesctr.c,v 1.1 2003/07/25 09:48:18 itojun Exp $	*/
+/*	$KAME: esp_aesctr.c,v 1.2 2003/07/20 00:29:37 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD: esp_aesctr.c,v 1.1 2003/07/25 09:48:18 itojun Exp $");
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/socket.h>
+#include <sys/queue.h>
+#include <sys/syslog.h>
+#include <sys/mbuf.h>
+
+#include <net/if.h>
+#include <net/route.h>
+
+#include <netinet/in.h>
+
+#include <netinet6/ipsec.h>
+#include <netinet6/esp.h>
+#include <netinet6/esp_aesctr.h>
+
+#include <netkey/key.h>
+
+#include <crypto/rijndael/rijndael.h>
+
+#include <net/net_osdep.h>
+
+#define AES_BLOCKSIZE	16
+
+#define NONCESIZE	4
+union cblock {
+	struct {
+		u_int8_t nonce[4];
+		u_int8_t iv[16];
+		u_int32_t ctr;
+	} v __attribute__((__packed__));
+	u_int8_t cblock[16];
+};
+
+typedef struct {
+	u_int32_t	r_ek[(RIJNDAEL_MAXNR+1)*4];
+	int		r_nr; /* key-length-dependent number of rounds */
+} aesctr_ctx;
+
+int
+esp_aesctr_mature(sav)
+	struct secasvar *sav;
+{
+	int keylen;
+	const struct esp_algorithm *algo;
+
+	algo = esp_algorithm_lookup(sav->alg_enc);
+	if (!algo) {
+		ipseclog((LOG_ERR,
+		    "esp_aeesctr_mature %s: unsupported algorithm.\n",
+		    algo->name));
+		return 1;
+	}
+
+	keylen = sav->key_enc->sadb_key_bits;
+	if (keylen < algo->keymin || algo->keymax < keylen) {
+		ipseclog((LOG_ERR,
+		    "esp_aesctr_mature %s: invalid key length %d.\n",
+		    algo->name, sav->key_enc->sadb_key_bits));
+		return 1;
+	}
+
+	/* rijndael key + nonce */
+	if (!(keylen == 128 + 32 || keylen == 192 + 32 || keylen == 256 + 32)) {
+		ipseclog((LOG_ERR,
+		    "esp_aesctr_mature %s: invalid key length %d.\n",
+		    algo->name, keylen));
+		return 1;
+	}
+
+	return 0;
+}
+
+size_t
+esp_aesctr_schedlen(algo)
+	const struct esp_algorithm *algo;
+{
+
+	return sizeof(aesctr_ctx);
+}
+
+int
+esp_aesctr_schedule(algo, sav)
+	const struct esp_algorithm *algo;
+	struct secasvar *sav;
+{
+	aesctr_ctx *ctx;
+	int keylen;
+
+	/* SA key = AES key + nonce */
+	keylen = _KEYLEN(sav->key_enc) * 8 - NONCESIZE * 8;
+
+	ctx = (aesctr_ctx *)sav->sched;
+	if ((ctx->r_nr = rijndaelKeySetupEnc(ctx->r_ek,
+	    (char *)_KEYBUF(sav->key_enc), keylen)) == 0)
+		return -1;
+	return 0;
+}
+
+int
+esp_aesctr_decrypt(m, off, sav, algo, ivlen)
+	struct mbuf *m;
+	size_t off;
+	struct secasvar *sav;
+	const struct esp_algorithm *algo;
+	int ivlen;
+{
+	struct mbuf *s;
+	struct mbuf *d, *d0 = NULL, *dp;
+	int soff, doff;	/* offset from the head of chain, to head of this mbuf */
+	int sn, dn;	/* offset from the head of the mbuf, to meat */
+	size_t ivoff, bodyoff;
+	union cblock cblock;
+	u_int8_t keystream[AES_BLOCKSIZE], *nonce;
+	u_int32_t ctr;
+	u_int8_t *ivp;
+	u_int8_t sbuf[AES_BLOCKSIZE], *sp, *dst;
+	struct mbuf *scut;
+	int scutoff;
+	int i;
+	int blocklen;
+	aesctr_ctx *ctx;
+
+	if (ivlen != sav->ivlen) {
+		ipseclog((LOG_ERR, "esp_aesctr_decrypt %s: "
+		    "unsupported ivlen %d\n", algo->name, ivlen));
+		goto fail;
+	}
+
+	/* assumes blocklen == padbound */
+	blocklen = algo->padbound;
+
+	ivoff = off + sizeof(struct newesp);
+	bodyoff = off + sizeof(struct newesp) + ivlen;
+
+	/* setup counter block */
+	nonce = _KEYBUF(sav->key_enc) + _KEYLEN(sav->key_enc) - NONCESIZE;
+	bcopy(nonce, cblock.v.nonce, NONCESIZE);
+	m_copydata(m, ivoff, ivlen, cblock.v.iv);
+	ctr = 1;
+
+	if (m->m_pkthdr.len < bodyoff) {
+		ipseclog((LOG_ERR, "esp_aesctr_decrypt %s: bad len %d/%lu\n",
+		    algo->name, m->m_pkthdr.len, (unsigned long)bodyoff));
+		goto fail;
+	}
+	if ((m->m_pkthdr.len - bodyoff) % blocklen) {
+		ipseclog((LOG_ERR, "esp_aesctr_decrypt %s: "
+		    "payload length must be multiple of %d\n",
+		    algo->name, blocklen));
+		goto fail;
+	}
+
+	s = m;
+	d = d0 = dp = NULL;
+	soff = doff = sn = dn = 0;
+	ivp = sp = NULL;
+
+	/* skip bodyoff */
+	while (soff < bodyoff) {
+		if (soff + s->m_len > bodyoff) {
+			sn = bodyoff - soff;
+			break;
+		}
+
+		soff += s->m_len;
+		s = s->m_next;
+	}
+	scut = s;
+	scutoff = sn;
+
+	/* skip over empty mbuf */
+	while (s && s->m_len == 0)
+		s = s->m_next;
+
+	while (soff < m->m_pkthdr.len) {
+		/* source */
+		if (sn + blocklen <= s->m_len) {
+			/* body is continuous */
+			sp = mtod(s, u_int8_t *) + sn;
+		} else {
+			/* body is non-continuous */
+			m_copydata(s, sn, blocklen, (caddr_t)sbuf);
+			sp = sbuf;
+		}
+
+		/* destination */
+		if (!d || dn + blocklen > d->m_len) {
+			if (d)
+				dp = d;
+			MGET(d, M_DONTWAIT, MT_DATA);
+			i = m->m_pkthdr.len - (soff + sn);
+			if (d && i > MLEN) {
+				MCLGET(d, M_DONTWAIT);
+				if ((d->m_flags & M_EXT) == 0) {
+					m_free(d);
+					d = NULL;
+				}
+			}
+			if (!d) {
+				goto nomem;
+			}
+			if (!d0)
+				d0 = d;
+			if (dp)
+				dp->m_next = d;
+			d->m_len = 0;
+			d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
+			if (d->m_len > i)
+				d->m_len = i;
+			dn = 0;
+		}
+
+		/* put counter into counter block */
+		cblock.v.ctr = htonl(ctr);
+
+		/* setup keystream */
+		ctx = (aesctr_ctx *)sav->sched;
+		rijndaelEncrypt(ctx->r_ek, ctx->r_nr, cblock.cblock, keystream);
+
+		bcopy(sp, mtod(d, u_int8_t *) + dn, blocklen);
+		dst = mtod(d, u_int8_t *) + dn;
+		for (i = 0; i < blocklen; i++)
+			dst[i] ^= keystream[i];
+
+		ctr++;
+
+		sn += blocklen;
+		dn += blocklen;
+
+		/* find the next source block */
+		while (s && sn >= s->m_len) {
+			sn -= s->m_len;
+			soff += s->m_len;
+			s = s->m_next;
+		}
+
+		/* skip over empty mbuf */
+		while (s && s->m_len == 0)
+			s = s->m_next;
+	}
+
+	m_freem(scut->m_next);
+	scut->m_len = scutoff;
+	scut->m_next = d0;
+
+	/* just in case */
+	bzero(&cblock, sizeof(cblock));
+	bzero(keystream, sizeof(keystream));
+
+	return 0;
+
+fail:
+	m_freem(m);
+	if (d0)
+		m_freem(d0);
+	return EINVAL;
+
+nomem:
+	m_freem(m);
+	if (d0)
+		m_freem(d0);
+	return ENOBUFS;
+}
+
+int
+esp_aesctr_encrypt(m, off, plen, sav, algo, ivlen)
+	struct mbuf *m;
+	size_t off;
+	size_t plen;
+	struct secasvar *sav;
+	const struct esp_algorithm *algo;
+	int ivlen;
+{
+	struct mbuf *s;
+	struct mbuf *d, *d0, *dp;
+	int soff, doff;	/* offset from the head of chain, to head of this mbuf */
+	int sn, dn;	/* offset from the head of the mbuf, to meat */
+	size_t ivoff, bodyoff;
+	union cblock cblock;
+	u_int8_t keystream[AES_BLOCKSIZE], *nonce;
+	u_int32_t ctr;
+	u_int8_t sbuf[AES_BLOCKSIZE], *sp, *dst;
+	struct mbuf *scut;
+	int scutoff;
+	int i;
+	int blocklen;
+	aesctr_ctx *ctx;
+
+	if (ivlen != sav->ivlen) {
+		ipseclog((LOG_ERR, "esp_aesctr_encrypt %s: "
+		    "unsupported ivlen %d\n", algo->name, ivlen));
+		m_freem(m);
+		return EINVAL;
+	}
+
+	/* assumes blocklen == padbound */
+	blocklen = algo->padbound;
+
+	ivoff = off + sizeof(struct newesp);
+	bodyoff = off + sizeof(struct newesp) + ivlen;
+
+	/* put iv into the packet. */
+	/* maybe it is better to overwrite dest, not source */
+	m_copyback(m, ivoff, ivlen, sav->iv);
+
+	/* setup counter block */
+	nonce = _KEYBUF(sav->key_enc) + _KEYLEN(sav->key_enc) - NONCESIZE;
+	bcopy(nonce, cblock.v.nonce, NONCESIZE);
+	m_copydata(m, ivoff, ivlen, cblock.v.iv);
+	ctr = 1;
+
+	if (m->m_pkthdr.len < bodyoff) {
+		ipseclog((LOG_ERR, "esp_aesctr_encrypt %s: bad len %d/%lu\n",
+		    algo->name, m->m_pkthdr.len, (unsigned long)bodyoff));
+		m_freem(m);
+		return EINVAL;
+	}
+	if ((m->m_pkthdr.len - bodyoff) % blocklen) {
+		ipseclog((LOG_ERR, "esp_aesctr_encrypt %s: "
+		    "payload length must be multiple of %lu\n",
+		    algo->name, (unsigned long)algo->padbound));
+		m_freem(m);
+		return EINVAL;
+	}
+
+	s = m;
+	d = d0 = dp = NULL;
+	soff = doff = sn = dn = 0;
+	sp = NULL;
+
+	/* skip bodyoff */
+	while (soff < bodyoff) {
+		if (soff + s->m_len > bodyoff) {
+			sn = bodyoff - soff;
+			break;
+		}
+
+		soff += s->m_len;
+		s = s->m_next;
+	}
+	scut = s;
+	scutoff = sn;
+
+	/* skip over empty mbuf */
+	while (s && s->m_len == 0)
+		s = s->m_next;
+
+	while (soff < m->m_pkthdr.len) {
+		/* source */
+		if (sn + blocklen <= s->m_len) {
+			/* body is continuous */
+			sp = mtod(s, u_int8_t *) + sn;
+		} else {
+			/* body is non-continuous */
+			m_copydata(s, sn, blocklen, (caddr_t)sbuf);
+			sp = sbuf;
+		}
+
+		/* destination */
+		if (!d || dn + blocklen > d->m_len) {
+			if (d)
+				dp = d;
+			MGET(d, M_DONTWAIT, MT_DATA);
+			i = m->m_pkthdr.len - (soff + sn);
+			if (d && i > MLEN) {
+				MCLGET(d, M_DONTWAIT);
+				if ((d->m_flags & M_EXT) == 0) {
+					m_free(d);
+					d = NULL;
+				}
+			}
+			if (!d) {
+				m_freem(m);
+				if (d0)
+					m_freem(d0);
+				return ENOBUFS;
+			}
+			if (!d0)
+				d0 = d;
+			if (dp)
+				dp->m_next = d;
+			d->m_len = 0;
+			d->m_len = (M_TRAILINGSPACE(d) / blocklen) * blocklen;
+			if (d->m_len > i)
+				d->m_len = i;
+			dn = 0;
+		}
+
+		/* put counter into counter block */
+		cblock.v.ctr = htonl(ctr);
+
+		/* setup keystream */
+		ctx = (aesctr_ctx *)sav->sched;
+		rijndaelEncrypt(ctx->r_ek, ctx->r_nr, cblock.cblock, keystream);
+
+		bcopy(sp, mtod(d, u_int8_t *) + dn, blocklen);
+		dst = mtod(d, u_int8_t *) + dn;
+		for (i = 0; i < blocklen; i++)
+			dst[i] ^= keystream[i];
+
+		ctr++;
+
+		sn += blocklen;
+		dn += blocklen;
+
+		/* find the next source block */
+		while (s && sn >= s->m_len) {
+			sn -= s->m_len;
+			soff += s->m_len;
+			s = s->m_next;
+		}
+
+		/* skip over empty mbuf */
+		while (s && s->m_len == 0)
+			s = s->m_next;
+	}
+
+	m_freem(scut->m_next);
+	scut->m_len = scutoff;
+	scut->m_next = d0;
+
+	/* just in case */
+	bzero(&cblock, sizeof(cblock));
+	bzero(keystream, sizeof(keystream));
+
+	key_sa_stir_iv(sav);
+
+	return 0;
+}

sys/netinet6/esp_aesctr.h

@@ -0,0 +1,41 @@
+/*	$NetBSD: esp_aesctr.h,v 1.1 2003/07/25 09:48:19 itojun Exp $	*/
+/*	$KAME: esp_aesctr.h,v 1.2 2003/07/20 00:29:38 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+extern int esp_aesctr_mature __P((struct secasvar *));
+extern size_t esp_aesctr_schedlen __P((const struct esp_algorithm *));
+extern int esp_aesctr_schedule __P((const struct esp_algorithm *,
+	struct secasvar *));
+extern int esp_aesctr_decrypt __P((struct mbuf *, size_t,
+	struct secasvar *, const struct esp_algorithm *, int));
+extern int esp_aesctr_encrypt __P((struct mbuf *, size_t, size_t,
+	struct secasvar *, const struct esp_algorithm *, int));
+