tech-crypto: Re: VIA ACE patch

Subject: Re: VIA ACE patch
To: Daniel de Kok <danieldk@pobox.com>
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
List: tech-crypto
Date: 01/12/2007 20:52:34
--DiL7RhKs8rK9YGuF
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Jan 12, 2007 at 08:38:01PM +0100, Daniel de Kok wrote:
> Miles Nordin wrote:
> >Do you know what it does exactly?  ex., ``It accelerates AES in
> >FAST_IPSEC and in cgd''?
>=20
> It registers itself with the opencrypto framework, making it (transparent=
ly) useful for all opencrypto consumers. FAST_IPSEC is an opencrypto consum=
er, cgd is not at this=20
> time (though I plan to look at that if no one else does).
>=20
> >Anyway this is kernel-only support, or it somehow affects openssl too?
> >I guess I don't understand our crypto architecture that well.
>=20
> If you use OpenSSL with the cryptodev engine, yes, since it uses /dev/cry=
pto (which is handled through opencrypto framework). Though, -current and 4=
=2E0_BETA2 also have an=20
> OpenSSL engine that directly utilizes ACE. I have issued a pullup request=
 for the netbsd-3 branch to get this engine integrated in the netbsd-3 bran=
ch. So, for applications=20
> that rely on OpenSSL, you may want to use that, rather than cryptodev[1].
>=20
> Still, this is patch is useful for kernel components that use crypto.
>=20
> -- Daniel
>=20
> [1] Especially considering that cryptodev currently does not support aes-=
256-cbc, though that is trivial to patch.

	http://people.freebsd.org/~pjd/patches/eng_cryptodev.c.patch

I'm not sure if this version of the patch works. The previous one which
only added AES-192-CBC and AES-256-CBC worked for sure.

BTW. You can look at FreeBSD version of padlock driver. I added also
SHA1 and SHA256 handling, so it can be used by opencrypto.

My version also registers other hash algorithms, so it can be used with
FAST_IPSEC. If it only implement symmetric cryptography, it won't be
usable by FAST_IPSEC (or at least FreeBSD's version).

There are probably also other things to fix first. I did a lot of fixes
in the opencrypto framework to be able to use it with geli(8)'s data
authentication.

--=20
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

--DiL7RhKs8rK9YGuF
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)

iD8DBQFFp+cCForvXbEpPzQRAtOCAKDYS7SxB55CuC4cZTa9yN47jgu7JACfZ1me
N3vMwBvl7VepmvaRCxSfPKY=
=Z/jT
-----END PGP SIGNATURE-----

--DiL7RhKs8rK9YGuF--