VIA/ACE PadLock integration with crypto(9).

Pawel Jakub Dawidek pjd at FreeBSD.org
Sat Aug 13 07:46:55 GMT 2005


On Sat, Aug 13, 2005 at 01:45:44AM -0400, Mike Tancsa wrote:
+> Is there something else that needs to be done to tell crypto(4) or FAST_IPSEC to use the "hardware" in this case ?

I'm not sure why you need to set net.inet.ipsec.crypto_support to 1 for
this. Shouldn't be needed.

If you want to figure it out, you may place debug print into
sys/opencrypto/crypto.c, there is a crypto_newsession function and you
need to change this:

		/* See if all the algorithms are supported. */
		for (cr = cri; cr; cr = cr->cri_next)
			if (cap->cc_alg[cr->cri_alg] == 0)
				break;

into something like this:

		/* See if all the algorithms are supported. */
		for (cr = cri; cr; cr = cr->cri_next)
			if (cap->cc_alg[cr->cri_alg] == 0) {
				printf("IPSEC: Unsupported algorithm: %d.\n",
				    cr->cri_alg);
				break;
			}

+> Also,   I came across a small ipsec bug while testing
+> 
+> http://www.freebsd.org/cgi/query-pr.cgi?pr=84860

It could be RELENG_5 specific, as it uses rijndael implementation
which was removed after RELENG_5 (there is no sys/opencrypto/rijndael.c
anymore). Maybe rijndael version from sys/crypto/ handles it better?
This needs to be verified.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20050813/9bccb4a4/attachment.bin


More information about the freebsd-current mailing list