From 821fe3d3a4ab0a2867fa05ad106bb5bc6bb5058d Mon Sep 17 00:00:00 2001
From: John Baldwin
Date: Thu, 22 Aug 2019 00:02:08 +0000
Subject: [PATCH] Use 'const' for keys and IVs passed to software encryption algorithms.

Specifically, use 'const' for the key passed to the 'setkey' method and 'const' for the 'iv' passed to the 'reinit' method.
Reviewed by: cem
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D21347
---
 sys/crypto/blowfish/bf_skey.c | 4 ++--
 sys/crypto/blowfish/blowfish.h | 2 +-
 sys/crypto/chacha20/chacha-sw.c | 4 ++--
 sys/crypto/des/des.h | 12 ++++++------
 sys/crypto/des/des_setkey.c | 12 ++++++------
 sys/opencrypto/cast.c | 2 +-
 sys/opencrypto/cast.h | 2 +-
 sys/opencrypto/skipjack.c | 2 +-
 sys/opencrypto/skipjack.h | 2 +-
 sys/opencrypto/xform_aes_icm.c | 18 +++++++++---------
 sys/opencrypto/xform_aes_xts.c | 8 ++++----
 sys/opencrypto/xform_blf.c | 4 ++--
 sys/opencrypto/xform_cast5.c | 4 ++--
 sys/opencrypto/xform_cml.c | 6 +++---
 sys/opencrypto/xform_des1.c | 6 +++---
 sys/opencrypto/xform_des3.c | 10 +++++-----
 sys/opencrypto/xform_enc.h | 4 ++--
 sys/opencrypto/xform_null.c | 4 ++--
 sys/opencrypto/xform_rijndael.c | 6 +++---
 sys/opencrypto/xform_skipjack.c | 4 ++--
 20 files changed, 58 insertions(+), 58 deletions(-)
diff --git a/sys/crypto/blowfish/bf_skey.c b/sys/crypto/blowfish/bf_skey.c
index df8d1cf3d77..29a3917b549 100644
--- a/sys/crypto/blowfish/bf_skey.c
+++ b/sys/crypto/blowfish/bf_skey.c
@@ -73,11 +73,11 @@ void BF_set_key(key, len, data) BF_KEY *key; int len;
- unsigned char *data;
+ const unsigned char *data;
 { int i; BF_LONG *p, ri, in[2];
- unsigned char *d, *end;
+ const unsigned char *d, *end;
 memcpy((char *)key, (const char *)&bf_init, sizeof(BF_KEY)); p = key->P;
diff --git a/sys/crypto/blowfish/blowfish.h b/sys/crypto/blowfish/blowfish.h
index ecc140754bf..d09f83cf689 100644
--- a/sys/crypto/blowfish/blowfish.h
+++ b/sys/crypto/blowfish/blowfish.h
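Review bot: BF_set_key in bf_skey.c is still written as an old-style (K&R) definition, with the parameter types declared between the parameter list and the opening brace. Since this hunk already edits the `data` declaration, the header could be converted to prototype form, `void BF_set_key(BF_KEY *key, int len, const unsigned char *data)`, so the definition reads the same as the declaration in blowfish.h. The body of the function continues past the end of the hunk, so the suggestion only concerns the header lines shown here.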
@@ -80,7 +80,7 @@ typedef struct bf_key_st { BF_LONG S[4*256]; } BF_KEY;
-void BF_set_key(BF_KEY *, int, unsigned char *);
+void BF_set_key(BF_KEY *, int, const unsigned char *);
 void BF_encrypt(BF_LONG *, BF_KEY *); void BF_decrypt(BF_LONG *, BF_KEY *); void BF_ecb_encrypt(const unsigned char *, unsigned char *,
diff --git a/sys/crypto/chacha20/chacha-sw.c b/sys/crypto/chacha20/chacha-sw.c
index e874d48c606..d9a0b70252c 100644
--- a/sys/crypto/chacha20/chacha-sw.c
+++ b/sys/crypto/chacha20/chacha-sw.c
@@ -7,7 +7,7 @@ __FBSDID("$FreeBSD$"); #include static int
-chacha20_xform_setkey(u_int8_t **sched, u_int8_t *key, int len)
+chacha20_xform_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 { struct chacha_ctx *ctx;
@@ -24,7 +24,7 @@ chacha20_xform_setkey(u_int8_t **sched, u_int8_t *key, int len) } static void
-chacha20_xform_reinit(caddr_t key, u_int8_t *iv)
+chacha20_xform_reinit(caddr_t key, const u_int8_t *iv)
 { struct chacha_ctx *ctx;
diff --git a/sys/crypto/des/des.h b/sys/crypto/des/des.h
index 81c7bfbeef5..726892f7023 100644
--- a/sys/crypto/des/des.h
+++ b/sys/crypto/des/des.h
@@ -103,12 +103,12 @@ void des_ede3_cbc_encrypt(const unsigned char *, unsigned char *, long, void des_set_odd_parity(des_cblock *); void des_fixup_key_parity(des_cblock *);
-int des_is_weak_key(des_cblock *);
-int des_set_key(des_cblock *, des_key_schedule);
-int des_key_sched(des_cblock *, des_key_schedule);
-int des_set_key_checked(des_cblock *, des_key_schedule);
-void des_set_key_unchecked(des_cblock *, des_key_schedule);
-int des_check_key_parity(des_cblock *);
+int des_is_weak_key(const des_cblock *);
+int des_set_key(const des_cblock *, des_key_schedule);
+int des_key_sched(const des_cblock *, des_key_schedule);
+int des_set_key_checked(const des_cblock *, des_key_schedule);
+void des_set_key_unchecked(const des_cblock *, des_key_schedule);
+int des_check_key_parity(const des_cblock *);
 #ifdef __cplusplus }
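Review bot: The key-setup prototypes changed in des.h carry no comment on their return values, although callers need to know them. des_setkey.c documents des_set_key_checked as returning -1 for a key parity error and -2 for a weak key, and des_set_key tests `des_check_key` before doing its work, apparently to choose between the checked and unchecked paths. A short comment above these prototypes would record that, for example `/* des_set_key*(), des_key_sched(): 0 on success, -1 on key parity error, -2 on weak key; the key block is only read */`.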
diff --git a/sys/crypto/des/des_setkey.c b/sys/crypto/des/des_setkey.c
index 6fefa27fb8a..0cbb53b641e 100644
--- a/sys/crypto/des/des_setkey.c
+++ b/sys/crypto/des/des_setkey.c
@@ -75,7 +75,7 @@ void des_set_odd_parity(des_cblock *key) (*key)[i]=odd_parity[(*key)[i]]; }
-int des_check_key_parity(des_cblock *key)
+int des_check_key_parity(const des_cblock *key)
 { int i;
@@ -117,7 +117,7 @@ static des_cblock weak_keys[NUM_WEAK_KEY]={ {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE}, {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1}};
-int des_is_weak_key(des_cblock *key)
+int des_is_weak_key(const des_cblock *key)
 { int i;
@@ -142,7 +142,7 @@ int des_is_weak_key(des_cblock *key) #define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\ (a)=(a)^(t)^(t>>(16-(n))))
-int des_set_key(des_cblock *key, des_key_schedule schedule)
+int des_set_key(const des_cblock *key, des_key_schedule schedule)
 { if (des_check_key) {
@@ -159,7 +159,7 @@ int des_set_key(des_cblock *key, des_key_schedule schedule) * return -1 if key parity error, * return -2 if illegal weak key. */
-int des_set_key_checked(des_cblock *key, des_key_schedule schedule)
+int des_set_key_checked(const des_cblock *key, des_key_schedule schedule)
 { if (!des_check_key_parity(key)) return(-1);
@@ -169,7 +169,7 @@ int des_set_key_checked(des_cblock *key, des_key_schedule schedule) return 0; }
-void des_set_key_unchecked(des_cblock *key, des_key_schedule schedule)
+void des_set_key_unchecked(const des_cblock *key, des_key_schedule schedule)
 { static int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0}; DES_LONG c,d,t,s,t2;
@@ -225,7 +225,7 @@ void des_set_key_unchecked(des_cblock *key, des_key_schedule schedule) } }
-int des_key_sched(des_cblock *key, des_key_schedule schedule)
+int des_key_sched(const des_cblock *key, des_key_schedule schedule)
 { return(des_set_key(key,schedule)); }
diff --git a/sys/opencrypto/cast.c b/sys/opencrypto/cast.c
index 53fec76c469..715dda3a6c5 100644
--- a/sys/opencrypto/cast.c
+++ b/sys/opencrypto/cast.c
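Review bot: The `weak_keys` table named in the header of the des_is_weak_key hunk is still declared `static des_cblock weak_keys[NUM_WEAK_KEY]`, so it stays writable even though the function now takes a `const des_cblock *`. Declaring it `static const des_cblock weak_keys[NUM_WEAK_KEY]` would let it live in read-only data, assuming the comparison in the part of des_is_weak_key outside the hunk only reads the table. The same applies to `static int shifts2[16]` in the des_set_key_unchecked hunk, which could become `static const int shifts2[16]`.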
@@ -129,7 +129,7 @@ u_int32_t t, l, r; /***** Key Schedule *****/
-void cast_setkey(cast_key* key, u_int8_t* rawkey, int keybytes)
+void cast_setkey(cast_key* key, const u_int8_t* rawkey, int keybytes)
 { u_int32_t t[4] = {0, 0, 0, 0}, z[4] = {0, 0, 0, 0}, x[4]; int i;
diff --git a/sys/opencrypto/cast.h b/sys/opencrypto/cast.h
index 8e2d0d19349..2aca9340fdb 100644
--- a/sys/opencrypto/cast.h
+++ b/sys/opencrypto/cast.h
@@ -16,7 +16,7 @@ typedef struct { int rounds; /* Number of rounds to use, 12 or 16 */ } cast_key;
-void cast_setkey(cast_key * key, u_int8_t * rawkey, int keybytes);
+void cast_setkey(cast_key * key, const u_int8_t * rawkey, int keybytes);
 void cast_encrypt(cast_key * key, u_int8_t * inblock, u_int8_t * outblock); void cast_decrypt(cast_key * key, u_int8_t * inblock, u_int8_t * outblock);
diff --git a/sys/opencrypto/skipjack.c b/sys/opencrypto/skipjack.c
index 0899e382ead..4f33f8771af 100644
--- a/sys/opencrypto/skipjack.c
+++ b/sys/opencrypto/skipjack.c
@@ -65,7 +65,7 @@ static const u_int8_t ftable[0x100] = */ void
-subkey_table_gen (u_int8_t *key, u_int8_t **key_tables)
+subkey_table_gen (const u_int8_t *key, u_int8_t **key_tables)
 { int i, k;
diff --git a/sys/opencrypto/skipjack.h b/sys/opencrypto/skipjack.h
index 80367ea4177..95b0b9e45a8 100644
--- a/sys/opencrypto/skipjack.h
+++ b/sys/opencrypto/skipjack.h
@@ -19,6 +19,6 @@ extern void skipjack_forwards(u_int8_t *plain, u_int8_t *cipher, u_int8_t **key); extern void skipjack_backwards(u_int8_t *cipher, u_int8_t *plain, u_int8_t **key);
-extern void subkey_table_gen(u_int8_t *key, u_int8_t **key_tables);
+extern void subkey_table_gen(const u_int8_t *key, u_int8_t **key_tables);
 #endif
diff --git a/sys/opencrypto/xform_aes_icm.c b/sys/opencrypto/xform_aes_icm.c
index 052be5a779a..ba3eca0a839 100644
--- a/sys/opencrypto/xform_aes_icm.c
+++ b/sys/opencrypto/xform_aes_icm.c
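Review bot: cast_setkey works through the stack arrays `t`, `z` and `x` declared in this hunk, which presumably hold words derived from `rawkey` while the schedule is built. The rest of the body lies outside the hunk, so it is not visible whether they are cleared before return; if they are cleared with a plain loop or memset, the compiler may drop those stores as dead. Ending the function with `explicit_bzero(t, sizeof(t));` and the same for `z` and `x` would keep key-derived values from lingering on the kernel stack.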
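Review bot: In cast.h the const qualification stops at cast_setkey, while `cast_encrypt` and `cast_decrypt` on the following lines still take `cast_key * key` and `u_int8_t * inblock` as writable pointers. If those functions only read the key schedule and the input block, as the parameter names suggest, they could be declared as `void cast_encrypt(const cast_key *key, const u_int8_t *inblock, u_int8_t *outblock);` and likewise for cast_decrypt. skipjack.h has the same shape with `skipjack_forwards` and `skipjack_backwards`, whose source block and `key` table arguments are also non-const.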
@@ -52,12 +52,12 @@ __FBSDID("$FreeBSD$"); #include
-static int aes_icm_setkey(u_int8_t **, u_int8_t *, int);
+static int aes_icm_setkey(u_int8_t **, const u_int8_t *, int);
 static void aes_icm_crypt(caddr_t, u_int8_t *); static void aes_icm_zerokey(u_int8_t **);
-static void aes_icm_reinit(caddr_t, u_int8_t *);
-static void aes_gcm_reinit(caddr_t, u_int8_t *);
-static void aes_ccm_reinit(caddr_t, u_int8_t *);
+static void aes_icm_reinit(caddr_t, const u_int8_t *);
+static void aes_gcm_reinit(caddr_t, const u_int8_t *);
+static void aes_ccm_reinit(caddr_t, const u_int8_t *);
 /* Encryption instances */ struct enc_xform enc_xform_aes_icm = {
@@ -96,7 +96,7 @@ struct enc_xform enc_xform_ccm = { * Encryption wrapper routines. */ static void
-aes_icm_reinit(caddr_t key, u_int8_t *iv)
+aes_icm_reinit(caddr_t key, const u_int8_t *iv)
 { struct aes_icm_ctx *ctx;
@@ -105,7 +105,7 @@ aes_icm_reinit(caddr_t key, u_int8_t *iv) } static void
-aes_gcm_reinit(caddr_t key, u_int8_t *iv)
+aes_gcm_reinit(caddr_t key, const u_int8_t *iv)
 { struct aes_icm_ctx *ctx;
@@ -118,7 +118,7 @@ aes_gcm_reinit(caddr_t key, u_int8_t *iv) } static void
-aes_ccm_reinit(caddr_t key, u_int8_t *iv)
+aes_ccm_reinit(caddr_t key, const u_int8_t *iv)
 { struct aes_icm_ctx *ctx;
@@ -153,7 +153,7 @@ aes_icm_crypt(caddr_t key, u_int8_t *data) } static int
-aes_icm_setkey(u_int8_t **sched, u_int8_t *key, int len)
+aes_icm_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 { struct aes_icm_ctx *ctx;
@@ -166,7 +166,7 @@ aes_icm_setkey(u_int8_t **sched, u_int8_t *key, int len) return ENOMEM; ctx = (struct aes_icm_ctx *)*sched;
- ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (u_char *)key, len * 8);
+ ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8);
 return 0; }
diff --git a/sys/opencrypto/xform_aes_xts.c b/sys/opencrypto/xform_aes_xts.c
index dedbe6275e1..33f66a5df59 100644
--- a/sys/opencrypto/xform_aes_xts.c
+++ b/sys/opencrypto/xform_aes_xts.c
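Review bot: In the last aes_icm_setkey hunk the result of `rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8)` is stored in `ctx->ac_nr` and the function returns 0 without examining it. The lines between the function header and this hunk are not shown, so `len` may already be validated there; if it is not, a round count of 0, which the reference Rijndael code returns for an unsupported key size, would be recorded as success. An assertion after the call, such as `KASSERT(ctx->ac_nr != 0, ("aes_icm_setkey: bad key length %d", len));`, would document the assumption the code relies on.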
@@ -52,11 +52,11 @@ __FBSDID("$FreeBSD$"); #include
-static int aes_xts_setkey(u_int8_t **, u_int8_t *, int);
+static int aes_xts_setkey(u_int8_t **, const u_int8_t *, int);
 static void aes_xts_encrypt(caddr_t, u_int8_t *); static void aes_xts_decrypt(caddr_t, u_int8_t *); static void aes_xts_zerokey(u_int8_t **);
-static void aes_xts_reinit(caddr_t, u_int8_t *);
+static void aes_xts_reinit(caddr_t, const u_int8_t *);
 /* Encryption instances */ struct enc_xform enc_xform_aes_xts = {
@@ -73,7 +73,7 @@ struct enc_xform enc_xform_aes_xts = { * Encryption wrapper routines. */ static void
-aes_xts_reinit(caddr_t key, u_int8_t *iv)
+aes_xts_reinit(caddr_t key, const u_int8_t *iv)
 { struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key; u_int64_t blocknum;
@@ -136,7 +136,7 @@ aes_xts_decrypt(caddr_t key, u_int8_t *data) } static int
-aes_xts_setkey(u_int8_t **sched, u_int8_t *key, int len)
+aes_xts_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 { struct aes_xts_ctx *ctx;
diff --git a/sys/opencrypto/xform_blf.c b/sys/opencrypto/xform_blf.c
index b4be5f8d463..d0432c9980b 100644
--- a/sys/opencrypto/xform_blf.c
+++ b/sys/opencrypto/xform_blf.c
@@ -53,7 +53,7 @@ __FBSDID("$FreeBSD$"); #include #include
-static int blf_setkey(u_int8_t **, u_int8_t *, int);
+static int blf_setkey(u_int8_t **, const u_int8_t *, int);
 static void blf_encrypt(caddr_t, u_int8_t *); static void blf_decrypt(caddr_t, u_int8_t *); static void blf_zerokey(u_int8_t **);
@@ -104,7 +104,7 @@ blf_decrypt(caddr_t key, u_int8_t *blk) } static int
-blf_setkey(u_int8_t **sched, u_int8_t *key, int len)
+blf_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 { int err;
diff --git a/sys/opencrypto/xform_cast5.c b/sys/opencrypto/xform_cast5.c
index 85b346eb2ca..f4d9472d209 100644
--- a/sys/opencrypto/xform_cast5.c
+++ b/sys/opencrypto/xform_cast5.c
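Review bot: The first parameter of aes_xts_reinit is named `key`, but the first statement of the body casts it to `struct aes_xts_ctx *`, so it is the per-session context rather than key bytes. Now that real key material is typed `const u_int8_t *key` in the setkey functions, sharing the name makes the two easy to confuse; renaming the parameter, e.g. `aes_xts_reinit(caddr_t sched, const u_int8_t *iv)`, would make the difference visible at the call boundary. The other reinit, encrypt and decrypt wrappers touched or shown in this patch use the same `caddr_t key` naming.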
@@ -53,7 +53,7 @@ __FBSDID("$FreeBSD$"); #include #include
-static int cast5_setkey(u_int8_t **, u_int8_t *, int);
+static int cast5_setkey(u_int8_t **, const u_int8_t *, int);
 static void cast5_encrypt(caddr_t, u_int8_t *); static void cast5_decrypt(caddr_t, u_int8_t *); static void cast5_zerokey(u_int8_t **);
@@ -85,7 +85,7 @@ cast5_decrypt(caddr_t key, u_int8_t *blk) } static int
-cast5_setkey(u_int8_t **sched, u_int8_t *key, int len)
+cast5_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 { int err;
diff --git a/sys/opencrypto/xform_cml.c b/sys/opencrypto/xform_cml.c
index c807fa97c98..2f857fe6a39 100644
--- a/sys/opencrypto/xform_cml.c
+++ b/sys/opencrypto/xform_cml.c
@@ -53,7 +53,7 @@ __FBSDID("$FreeBSD$"); #include #include
-static int cml_setkey(u_int8_t **, u_int8_t *, int);
+static int cml_setkey(u_int8_t **, const u_int8_t *, int);
 static void cml_encrypt(caddr_t, u_int8_t *); static void cml_decrypt(caddr_t, u_int8_t *); static void cml_zerokey(u_int8_t **);
@@ -87,7 +87,7 @@ cml_decrypt(caddr_t key, u_int8_t *blk) } static int
-cml_setkey(u_int8_t **sched, u_int8_t *key, int len)
+cml_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 { int err;
@@ -96,7 +96,7 @@ cml_setkey(u_int8_t **sched, u_int8_t *key, int len) *sched = KMALLOC(sizeof(camellia_ctx), M_CRYPTO_DATA, M_NOWAIT|M_ZERO); if (*sched != NULL) {
- camellia_set_key((camellia_ctx *) *sched, (u_char *) key,
+ camellia_set_key((camellia_ctx *) *sched, key,
 len * 8); err = 0; } else
diff --git a/sys/opencrypto/xform_des1.c b/sys/opencrypto/xform_des1.c
index cbce5e290b2..6ea4cac738b 100644
--- a/sys/opencrypto/xform_des1.c
+++ b/sys/opencrypto/xform_des1.c
@@ -53,7 +53,7 @@ __FBSDID("$FreeBSD$"); #include #include
-static int des1_setkey(u_int8_t **, u_int8_t *, int);
+static int des1_setkey(u_int8_t **, const u_int8_t *, int);
 static void des1_encrypt(caddr_t, u_int8_t *); static void des1_decrypt(caddr_t, u_int8_t *); static void des1_zerokey(u_int8_t **);
@@ -91,7 +91,7 @@ des1_decrypt(caddr_t key, u_int8_t *blk) } static int
-des1_setkey(u_int8_t **sched, u_int8_t *key, int len)
+des1_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 { des_key_schedule *p; int err;
@@ -99,7 +99,7 @@ des1_setkey(u_int8_t **sched, u_int8_t *key, int len) p = KMALLOC(sizeof (des_key_schedule), M_CRYPTO_DATA, M_NOWAIT|M_ZERO); if (p != NULL) {
- des_set_key((des_cblock *) key, p[0]);
+ des_set_key((const des_cblock *) key, p[0]);
 err = 0; } else err = ENOMEM;
diff --git a/sys/opencrypto/xform_des3.c b/sys/opencrypto/xform_des3.c
index 1b26b622f6b..9f13a44b5a2 100644
--- a/sys/opencrypto/xform_des3.c
+++ b/sys/opencrypto/xform_des3.c
@@ -53,7 +53,7 @@ __FBSDID("$FreeBSD$"); #include #include
-static int des3_setkey(u_int8_t **, u_int8_t *, int);
+static int des3_setkey(u_int8_t **, const u_int8_t *, int);
 static void des3_encrypt(caddr_t, u_int8_t *); static void des3_decrypt(caddr_t, u_int8_t *); static void des3_zerokey(u_int8_t **);
@@ -92,7 +92,7 @@ des3_decrypt(caddr_t key, u_int8_t *blk) } static int
-des3_setkey(u_int8_t **sched, u_int8_t *key, int len)
+des3_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 { des_key_schedule *p; int err;
@@ -100,9 +100,9 @@ des3_setkey(u_int8_t **sched, u_int8_t *key, int len) p = KMALLOC(3*sizeof (des_key_schedule), M_CRYPTO_DATA, M_NOWAIT|M_ZERO); if (p != NULL) {
- des_set_key((des_cblock *)(key + 0), p[0]);
- des_set_key((des_cblock *)(key + 8), p[1]);
- des_set_key((des_cblock *)(key + 16), p[2]);
+ des_set_key((const des_cblock *)(key + 0), p[0]);
+ des_set_key((const des_cblock *)(key + 8), p[1]);
+ des_set_key((const des_cblock *)(key + 16), p[2]);
 err = 0; } else err = ENOMEM;
diff --git a/sys/opencrypto/xform_enc.h b/sys/opencrypto/xform_enc.h
index 2797ca980fb..e2b87f5cb1c 100644
--- a/sys/opencrypto/xform_enc.h
+++ b/sys/opencrypto/xform_enc.h
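Review bot: des1_setkey discards the return value of `des_set_key((const des_cblock *) key, p[0])` and sets `err = 0` unconditionally. des_set_key returns int, and des_setkey.c shows it testing `des_check_key` and documents -1 (parity error) and -2 (weak key) for the checked path, so a rejected key would presumably be reported as success with the schedule still all zeroes from M_ZERO. Propagating the result, e.g. `err = des_set_key((const des_cblock *) key, p[0]) != 0 ? EINVAL : 0;`, would surface that to the caller. des3_setkey repeats the pattern for all three calls and also reads key bytes 0 through 23 without consulting `len`, which is safe only if the caller enforces the key length. Both functions continue outside their hunks, so how `*sched` is handled on error is not visible here.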
@@ -56,9 +56,9 @@ struct enc_xform { u_int16_t minkey, maxkey; void (*encrypt) (caddr_t, u_int8_t *); void (*decrypt) (caddr_t, u_int8_t *);
- int (*setkey) (u_int8_t **, u_int8_t *, int len);
+ int (*setkey) (u_int8_t **, const u_int8_t *, int len);
 void (*zerokey) (u_int8_t **);
- void (*reinit) (caddr_t, u_int8_t *);
+ void (*reinit) (caddr_t, const u_int8_t *);
 /* * Encrypt/decrypt 1+ blocks of input -- total size is 'len' bytes. * Len is guaranteed to be a multiple of the defined 'blocksize'.
diff --git a/sys/opencrypto/xform_null.c b/sys/opencrypto/xform_null.c
index 3c499b31ccd..28f20bdfc83 100644
--- a/sys/opencrypto/xform_null.c
+++ b/sys/opencrypto/xform_null.c
@@ -53,7 +53,7 @@ __FBSDID("$FreeBSD$"); #include #include
-static int null_setkey(u_int8_t **, u_int8_t *, int);
+static int null_setkey(u_int8_t **, const u_int8_t *, int);
 static void null_encrypt(caddr_t, u_int8_t *); static void null_decrypt(caddr_t, u_int8_t *); static void null_zerokey(u_int8_t **);
@@ -104,7 +104,7 @@ null_decrypt(caddr_t key, u_int8_t *blk) } static int
-null_setkey(u_int8_t **sched, u_int8_t *key, int len)
+null_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 { *sched = NULL; return 0;
diff --git a/sys/opencrypto/xform_rijndael.c b/sys/opencrypto/xform_rijndael.c
index 2c974f3d62d..378e86c0dea 100644
--- a/sys/opencrypto/xform_rijndael.c
+++ b/sys/opencrypto/xform_rijndael.c
@@ -53,7 +53,7 @@ __FBSDID("$FreeBSD$"); #include #include
-static int rijndael128_setkey(u_int8_t **, u_int8_t *, int);
+static int rijndael128_setkey(u_int8_t **, const u_int8_t *, int);
 static void rijndael128_encrypt(caddr_t, u_int8_t *); static void rijndael128_decrypt(caddr_t, u_int8_t *); static void rijndael128_zerokey(u_int8_t **);
@@ -87,7 +87,7 @@ rijndael128_decrypt(caddr_t key, u_int8_t *blk) } static int
-rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len)
+rijndael128_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 { int err;
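Review bot: The `setkey` and `reinit` members of struct enc_xform in xform_enc.h have no comment stating their contract, so the meaning of the new const is left for readers to infer from the implementations. The wrappers in this patch pass `len * 8` to the cipher key setup and allocate the schedule into `*sched`, which suggests `len` is a byte count and that setkey owns the allocation. A comment on each member would record that, for example `/* setkey: 'len' is the key length in bytes; the key is only read and the schedule is returned in *sched */` and `/* reinit: the IV buffer is only read */`.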
@@ -96,7 +96,7 @@ rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len) *sched = KMALLOC(sizeof(rijndael_ctx), M_CRYPTO_DATA, M_NOWAIT|M_ZERO); if (*sched != NULL) {
- rijndael_set_key((rijndael_ctx *) *sched, (u_char *) key,
+ rijndael_set_key((rijndael_ctx *) *sched, key,
 len * 8); err = 0; } else
diff --git a/sys/opencrypto/xform_skipjack.c b/sys/opencrypto/xform_skipjack.c
index 94090d0d961..22d74b36976 100644
--- a/sys/opencrypto/xform_skipjack.c
+++ b/sys/opencrypto/xform_skipjack.c
@@ -53,7 +53,7 @@ __FBSDID("$FreeBSD$"); #include #include
-static int skipjack_setkey(u_int8_t **, u_int8_t *, int);
+static int skipjack_setkey(u_int8_t **, const u_int8_t *, int);
 static void skipjack_encrypt(caddr_t, u_int8_t *); static void skipjack_decrypt(caddr_t, u_int8_t *); static void skipjack_zerokey(u_int8_t **);
@@ -85,7 +85,7 @@ skipjack_decrypt(caddr_t key, u_int8_t *blk) } static int
-skipjack_setkey(u_int8_t **sched, u_int8_t *key, int len)
+skipjack_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 { int err;