Subject: Re: Adding opencrypto, crypto acceelerator to GENERIC kernels?
To: None <firstname.lastname@example.org>
From: Jonathan Stone <email@example.com>
Date: 11/19/2003 11:24:25
In message <20031119063513.GA10779@rek.tjls.com>
Thor Lancelot Simon writes:
>No, calling engines from one another isn't very clean or easy either
Which reminds me: the opencrypto model is a pretty simple lowest
common denominator. It can accelerate SSL/TLS operations, but only if
the caller (OpenSSL) breaks the SSL/TLS record ops down into simpler a
sequence of crypto primitives.
I know of at least two crypto cards where the hardware would be much,
much much happier to get explicit SSLv3/TLS requests, in a style like:n
1. ``create a context for SSLv3 record operations with
this [single] transform type '' (e.g., 1des/md5 and 3des/md5
would be separate context)
2. ``Here's an SSLv3/TLS record and a context: now encrypt/decrypt it''
I have no clue whether the SSL engine is amenable to first trying to
bind high-level (SSL/TLS) operations, before it gives up, binds
low-level crypto transforms, and synthesizes record ops using the
But if it can, IMNSO it would be a Good Thing to add a _small_ set of
SSL/TLS record-plus-FIPS-approved-algorithm tranforms to opencrypto.