Subject: Re: VIA ACE patch
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
From: Daniel de Kok <email@example.com>
Date: 01/13/2007 00:40:08
On Fri, 12 Jan 2007, Pawel Jakub Dawidek wrote:
> I'm not sure if this version of the patch works. The previous one which
> only added AES-192-CBC and AES-256-CBC worked for sure.
Yesterday, I tested your patch with OpenSSL in NetBSD 3.1 to do some
aes-256-cbc benchmarks, worked great for me. Any ideas why aes-192-cbc and
aes-256-cbc are not supported by upstream cryptodev?
> BTW. You can look at FreeBSD version of padlock driver. I added also
> SHA1 and SHA256 handling, so it can be used by opencrypto.
That's a useful extension, unfortunately I don't have the hardware to test
it at the moment.
> My version also registers other hash algorithms, so it can be used with
> FAST_IPSEC. If it only implement symmetric cryptography, it won't be
> usable by FAST_IPSEC (or at least FreeBSD's version).
Yeah, opencrypto first tries to select the driver that supports all
algorithm first. If no hardware algorithm does, cryptosoft will. So, I
added all hashes that cryptosoft also supports, and used cryptosoft to
handle them. I just looked at the FreeBSD padlock.c sources, and it seems
to register the same hashes as my patch.
> There are probably also other things to fix first. I did a lot of fixes
> in the opencrypto framework to be able to use it with geli(8)'s data
Thanks for all the useful feedback! Your OpenSSL patch was very handy to
test with keys larger than 128-bits :). I'll look at FreeBSD opencrypto
diffs to see if there are any bugs that we haven't fixed yet.