Subject: hifn mac issue
To: None <>
From: Karl Knutsson <>
List: tech-crypto
Date: 11/28/2006 11:07:29

I'm having trouble getting md5 or sha1 to work for IPsec on my hifn7955 card
(NetBSD 3.0.1 on i386).

I tried to use my card for an IPsec ESP connection with 3des-cbc and
hmac-md5, and it keeps failing with "authentication hash mismatch for
packet...". Using the same SAs, but without hifn support in the
kernel, i.e. with software authentication, works.

I traced the problem to the hifn device driver's interrupt routine
(hifn_intr). The problem seems to be here:

                        if (cmd->base_masks & HIFN_BASE_CMD_MAC) {
                                macbuf = dma->result_bufs[i];
                                macbuf += 12;
                                hifn_callback(sc, cmd, macbuf);

For some reason 12 is added to the macbuf pointer, which means that
hifn_callback will fail to extract the message digest. Printing
the macbuf that is copied back into the mbuf in hifn_callback
shows that it is all zeros. If I remove the "macbuf += 12;" line,
the code works and the IPsec traffic gets through.

Is there anyone who has tried to use a hifn7955 for md5 or sha1
checksumming in NetBSD 3.0? Has anyone used MACs on any hifn
board? It might be that the hifn7955 functions differently from
other hifn cards.

Anyway, it would be nice to hear about other people's experience with
checksum calculations on hifn* cards, or from someone with better
knowledge of how the card works.

If you want a proper bug report let me know, and I will file one.

best regards
Karl Knutsson