tech-crypto archive


Re: Adding opencrypto, crypto accelerator to GENERIC kernels?



In message <20031119063513.GA10779%rek.tjls.com@localhost>
Thor Lancelot Simon writes:

>No, calling engines from one another isn't very clean or easy either
>AFAICT.

Which reminds me: the opencrypto model is a pretty simple lowest
common denominator. It can accelerate SSL/TLS operations, but only if
the caller (OpenSSL) breaks the SSL/TLS record ops down into a
sequence of simpler crypto primitives.

I know of at least two crypto cards where the hardware would be much,
much, much happier to get explicit SSLv3/TLS requests, in a style like:
1.  ``create a context for SSLv3 record operations with
     this [single] transform type'' (e.g., 1des/md5 and 3des/md5
     would be separate contexts)

2.  ``Here's an SSLv3/TLS record and a context: now encrypt/decrypt it''

I have no clue whether the SSL engine is amenable to first trying to
bind high-level (SSL/TLS) operations, before it gives up, binds
low-level crypto transforms, and synthesizes record ops using the
low-level transforms.

But if it can, IMNSHO it would be a Good Thing to add a _small_ set of
SSL/TLS record-plus-FIPS-approved-algorithm transforms to opencrypto.
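
As an added illustration (this is not code from the post, from opencrypto or from OpenSSL), the following Go program spells out the sequence of primitives a caller has to issue per record when the framework only offers ciphers and MACs, and wraps that sequence in the two-call shape the post proposes: bind one transform type to a context once, then hand the context whole records. It uses the TLS 1.0 record layer (RFC 2246: HMAC-SHA1, then pad, then 3DES-CBC, with the last ciphertext block chained as the next IV) rather than SSLv3's hash-based MAC so that it runs on the Go standard library alone. The type and function names, keys, IV and record contents are all constructed for the example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// RecordCtx is a hypothetical per-connection "context" in the sense of the post:
// one fixed transform (3DES-CBC with HMAC-SHA1), its keys, CBC state and sequence number.
type RecordCtx struct {
	macKey []byte
	block  cipher.Block
	iv     []byte // last ciphertext block; TLS 1.0 chains it as the next IV
	seq    uint64
}

// NewRecordCtx is the post's step 1: bind a single transform type once.
func NewRecordCtx(macKey, encKey, iv []byte) (*RecordCtx, error) {
	block, err := des.NewTripleDESCipher(encKey) // needs a 24-byte key
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, errors.New("iv must be exactly one block")
	}
	return &RecordCtx{macKey: macKey, block: block, iv: append([]byte(nil), iv...)}, nil
}

// recordMAC is the TLS 1.0 record MAC (RFC 2246, 6.2.3.1):
// HMAC(mac_key, seq_num || type || version || length || fragment).
func (c *RecordCtx) recordMAC(ctype byte, version [2]byte, fragment []byte) []byte {
	var hdr [13]byte
	binary.BigEndian.PutUint64(hdr[0:8], c.seq)
	hdr[8], hdr[9], hdr[10] = ctype, version[0], version[1]
	binary.BigEndian.PutUint16(hdr[11:13], uint16(len(fragment)))
	h := hmac.New(sha1.New, c.macKey)
	h.Write(hdr[:])
	h.Write(fragment)
	return h.Sum(nil)
}

// Seal is the post's step 2 ("here's a record and a context: encrypt it"), spelled out as
// the primitive sequence a primitives-only framework forces on the caller: MAC, append, pad, CBC-encrypt.
func (c *RecordCtx) Seal(ctype byte, version [2]byte, fragment []byte) []byte {
	plain := append(append([]byte(nil), fragment...), c.recordMAC(ctype, version, fragment)...)
	bs := c.block.BlockSize()
	padLen := (bs - (len(plain)+1)%bs) % bs // padLen pad bytes plus one length byte
	for i := 0; i <= padLen; i++ {
		plain = append(plain, byte(padLen))
	}
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(c.block, c.iv).CryptBlocks(out, plain)
	copy(c.iv, out[len(out)-bs:])
	c.seq++
	return out
}

// Open reverses Seal: CBC-decrypt, check and strip padding, split off the MAC, recompute and compare.
func (c *RecordCtx) Open(ctype byte, version [2]byte, record []byte) ([]byte, error) {
	bs := c.block.BlockSize()
	if len(record) == 0 || len(record)%bs != 0 {
		return nil, errors.New("record is not a whole number of blocks")
	}
	plain := make([]byte, len(record))
	cipher.NewCBCDecrypter(c.block, c.iv).CryptBlocks(plain, record)
	copy(c.iv, record[len(record)-bs:])
	padLen := int(plain[len(plain)-1])
	if padLen+1+sha1.Size > len(plain) {
		return nil, errors.New("bad padding")
	}
	for _, b := range plain[len(plain)-1-padLen:] {
		if int(b) != padLen {
			return nil, errors.New("bad padding")
		}
	}
	body := plain[:len(plain)-1-padLen]
	fragment, mac := body[:len(body)-sha1.Size], body[len(body)-sha1.Size:]
	if !hmac.Equal(mac, c.recordMAC(ctype, version, fragment)) {
		return nil, errors.New("bad record MAC")
	}
	c.seq++
	return append([]byte(nil), fragment...), nil
}

func main() {
	// Constructed keys and IV for the example; a real stack derives them from the TLS key block.
	macKey, encKey, iv := []byte("example-mac-key"), []byte("0123456789abcdef01234567"), []byte("initvect")
	tx, _ := NewRecordCtx(macKey, encKey, iv)
	rx, _ := NewRecordCtx(macKey, encKey, iv)
	rec := tx.Seal(23, [2]byte{3, 1}, []byte("hello, record")) // 23 = application_data
	got, err := rx.Open(23, [2]byte{3, 1}, rec)
	fmt.Printf("%d-byte record -> %q, err=%v\n", len(rec), got, err)
}
```

Seal and Open are the round trips the post wants to hand to the card whole: with a primitives-only framework the driver instead sees an HMAC request and a separate CBC request per record, with the caller doing the padding and sequence bookkeeping in between, and cannot pipeline the two. The padding and MAC checks in Open are written for clarity and are not constant-time; a production record layer must not let the distinction between a padding failure and a MAC failure leak through timing or error codes, since that difference is what a CBC padding-oracle attack on this construction exploits.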


