crypto(9) and maxoplen

Pawel Jakub Dawidek pjd at
Sun Jul 20 20:10:22 UTC 2008

On Sat, Jul 19, 2008 at 12:58:13AM +0200, Patrick Lamaizi?re wrote:
> Hello,
> In the "opencrypto framework" the function crypto_register() has an
> argument 'maxoplen'.
> Does somebody know what was the goal of this parameter? It is not used
> by the framework.
> The man page of crypto(9) says :
> For each algorithm the driver supports, it must then call
> crypto_register(). The first two arguments are the driver and algorithm
> identifiers.  The next two arguments specify the largest possible
> operator length (in bits, important for public key operations) and
> flags for this algorithm.
> I'm asking if it can help for this problem: the glxsb driver can
> perform AES-CBC algorithm only with 128 bits key and may be 'maxoplen'
> was intended for this case. 
> Without something to specify the key's length, the driver is selected
> by the framework even with keys != 128 bits. So it fails when the
> session is opened. This prevents setkey/ipsec to work with key
> length != 128 bits if the driver is loaded.

If I read code properly, there is currently no way for a driver to say
to the opencrypto framework that only AES-CBC with 128bit key is
supported. A driver can only state that it supports AES-CBC, that's all.
As a workaround the driver should implement AES-CBC-192 and AES-CBC-256
in software.

Pawel Jakub Dawidek             
pjd at                 
FreeBSD committer                         Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :

More information about the freebsd-hackers mailing list