crypto(9) and maxoplen

Pawel Jakub Dawidek pjd at FreeBSD.org
Sun Jul 20 20:10:22 UTC 2008


On Sat, Jul 19, 2008 at 12:58:13AM +0200, Patrick Lamaizi?re wrote:
> Hello,
> 
> In the "opencrypto framework" the function crypto_register() has an
> argument 'maxoplen'.
> 
> http://fxr.watson.org/fxr/source/opencrypto/crypto.c#L625
> 
> Does somebody know what was the goal of this parameter? It is not used
> by the framework.
> 
> The man page of crypto(9) says :
> For each algorithm the driver supports, it must then call
> crypto_register(). The first two arguments are the driver and algorithm
> identifiers.  The next two arguments specify the largest possible
> operator length (in bits, important for public key operations) and
> flags for this algorithm.
> 
> I'm asking if it can help for this problem: the glxsb driver can
> perform AES-CBC algorithm only with 128 bits key and may be 'maxoplen'
> was intended for this case. 
> 
> Without something to specify the key's length, the driver is selected
> by the framework even with keys != 128 bits. So it fails when the
> session is opened. This prevents setkey/ipsec to work with key
> length != 128 bits if the driver is loaded.

If I read code properly, there is currently no way for a driver to say
to the opencrypto framework that only AES-CBC with 128bit key is
supported. A driver can only state that it supports AES-CBC, that's all.
As a workaround the driver should implement AES-CBC-192 and AES-CBC-256
in software.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20080720/1fc7ce33/attachment.pgp


More information about the freebsd-hackers mailing list