Subject: Re: VIA ACE patch
To: Pawel Jakub Dawidek <>
From: Daniel de Kok <>
List: tech-crypto
Date: 01/13/2007 00:40:08

Hi Pawel,

On Fri, 12 Jan 2007, Pawel Jakub Dawidek wrote:
> I'm not sure if this version of the patch works. The previous one which
> only added AES-192-CBC and AES-256-CBC worked for sure.

Yesterday, I tested your patch with OpenSSL in NetBSD 3.1 to do some 
aes-256-cbc benchmarks; it worked great for me. Any ideas why aes-192-cbc and 
aes-256-cbc are not supported by upstream cryptodev?

> BTW. You can look at FreeBSD version of padlock driver. I added also
> SHA1 and SHA256 handling, so it can be used by opencrypto.

That's a useful extension, unfortunately I don't have the hardware to test 
it at the moment.

> My version also registers other hash algorithms, so it can be used with
> FAST_IPSEC. If it only implements symmetric cryptography, it won't be
> usable by FAST_IPSEC (or at least FreeBSD's version).

Yeah, opencrypto first tries to select the driver that supports all 
algorithms. If no hardware algorithm does, cryptosoft will. So, I 
added all hashes that cryptosoft also supports, and used cryptosoft to 
handle them. I just looked at the FreeBSD padlock.c sources, and it seems 
to register the same hashes as my patch.

> There are probably also other things to fix first. I did a lot of fixes
> in the opencrypto framework to be able to use it with geli(8)'s data
> authentication.

Thanks for all the useful feedback! Your OpenSSL patch was very handy to 
test with keys larger than 128 bits :). I'll look at FreeBSD opencrypto 
diffs to see if there are any bugs that we haven't fixed yet.

-- Daniel