Subject: Re: VIA ACE patch
To: Daniel de Kok <>
From: Pawel Jakub Dawidek <>
List: tech-crypto
Date: 01/12/2007 20:52:34
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Jan 12, 2007 at 08:38:01PM +0100, Daniel de Kok wrote:
> Miles Nordin wrote:
> >Do you know what it does exactly?  ex., ``It accelerates AES in
> >FAST_IPSEC and in cgd''?
> It registers itself with the opencrypto framework, making it (transparent=
ly) useful for all opencrypto consumers. FAST_IPSEC is an opencrypto consum=
er, cgd is not at this=20
> time (though I plan to look at that if no one else does).
> >Anyway this is kernel-only support, or it somehow affects openssl too?
> >I guess I don't understand our crypto architecture that well.
> If you use OpenSSL with the cryptodev engine, yes, since it uses /dev/cry=
pto (which is handled through opencrypto framework). Though, -current and 4=
=2E0_BETA2 also have an=20
> OpenSSL engine that directly utilizes ACE. I have issued a pullup request=
 for the netbsd-3 branch to get this engine integrated in the netbsd-3 bran=
ch. So, for applications=20
> that rely on OpenSSL, you may want to use that, rather than cryptodev[1].
> Still, this is patch is useful for kernel components that use crypto.
> -- Daniel
> [1] Especially considering that cryptodev currently does not support aes-=
256-cbc, though that is trivial to patch.

I'm not sure if this version of the patch works. The previous one which
only added AES-192-CBC and AES-256-CBC worked for sure.

BTW. You can look at FreeBSD version of padlock driver. I added also
SHA1 and SHA256 handling, so it can be used by opencrypto.

My version also registers other hash algorithms, so it can be used with
FAST_IPSEC. If it only implement symmetric cryptography, it won't be
usable by FAST_IPSEC (or at least FreeBSD's version).

There are probably also other things to fix first. I did a lot of fixes
in the opencrypto framework to be able to use it with geli(8)'s data

Pawel Jakub Dawidek                              
FreeBSD committer                         Am I Evil? Yes, I Am!

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.4.6 (FreeBSD)