The first change shrinks aes_xcbc_mac_init by 183 bytes on amd64 (from 562 to 379 bytes). The second change avoids a comparison with an address that may point beyond the end of a buffer. The third change is stylistic. Alex
--- sys/opencrypto/aesxcbcmac.c.orig 2016-09-25 21:44:25.344941650 +0100
+++ sys/opencrypto/aesxcbcmac.c 2016-09-25 13:21:43.364224984 +0100
@@ -41,9 +41,12 @@
 int
 aes_xcbc_mac_init(void *vctx, const u_int8_t *key, u_int16_t keylen)
 {
- u_int8_t k1seed[AES_BLOCKSIZE] = { 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 };
- u_int8_t k2seed[AES_BLOCKSIZE] = { 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2 };
- u_int8_t k3seed[AES_BLOCKSIZE] = { 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3 };
+ static const u_int8_t k1seed[AES_BLOCKSIZE] =
+ { 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 };
+ static const u_int8_t k2seed[AES_BLOCKSIZE] =
+ { 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2 };
+ static const u_int8_t k3seed[AES_BLOCKSIZE] =
+ { 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3 };
 u_int32_t r_ks[(RIJNDAEL_MAXNR+1)*4];
 aesxcbc_ctx *ctx;
 u_int8_t k1[AES_BLOCKSIZE];
@@ -98,7 +101,7 @@
 ctx->buflen = 0;
 }
 /* due to the special processing for M[n], "=" case is not included */
- while (addr + AES_BLOCKSIZE < ep) {
+ while (ep - addr > AES_BLOCKSIZE) {
 memcpy(buf, addr, AES_BLOCKSIZE);
 for (i = 0; i < sizeof(buf); i++)
 buf[i] ^= ctx->e[i];
@@ -115,7 +118,7 @@
 void
 aes_xcbc_mac_result(u_int8_t *addr, void *vctx)
 {
- u_char digest[AES_BLOCKSIZE];
+ u_int8_t digest[AES_BLOCKSIZE];
 aesxcbc_ctx *ctx;
 int i;
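Review bot: In the first hunk, `r_ks` and `k1` are stack locals that presumably hold the AES round keys and a derived subkey, and nothing visible shows them being cleared before aes_xcbc_mac_init returns. The function body continues outside the hunk, so this may already be handled. If it is not, wiping them on the exit path, e.g. `explicit_memset(r_ks, 0, sizeof(r_ks));` and the same for `k1`, keeps key-derived data from lingering on the kernel stack. The three seed arrays are fixed byte patterns rather than secrets, so making them `static const` is fine, and a one-line comment such as `/* fixed derivation constants, not key material */` would record that.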
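Review bot: The rewritten loop condition `ep - addr > AES_BLOCKSIZE` in the second hunk deserves a comment saying why the subtraction form is used, because a later cleanup could easily turn it back into the pointer addition it replaces; something like `/* compare remaining length: addr + AES_BLOCKSIZE may point past the end of the input */`. The subtraction is only well defined while `addr` and `ep` point into the same buffer with `addr <= ep`, and `ep` is assigned outside the hunk, so that precondition cannot be confirmed from here. The comparison also assumes AES_BLOCKSIZE is a plain signed constant; if it were defined with a wide unsigned type, a negative difference would convert to a large value and the loop would run.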