crypto(9) and maxoplen
Pawel Jakub Dawidek
pjd at FreeBSD.org
Sun Jul 20 20:10:22 UTC 2008
On Sat, Jul 19, 2008 at 12:58:13AM +0200, Patrick Lamaizière wrote:
> Hello,
>
> In the "opencrypto framework" the function crypto_register() has an
> argument 'maxoplen'.
>
> http://fxr.watson.org/fxr/source/opencrypto/crypto.c#L625
>
> Does somebody know what was the goal of this parameter? It is not used
> by the framework.
>
> The man page of crypto(9) says:
> For each algorithm the driver supports, it must then call
> crypto_register(). The first two arguments are the driver and algorithm
> identifiers. The next two arguments specify the largest possible
> operator length (in bits, important for public key operations) and
> flags for this algorithm.
>
> I'm asking if it can help with this problem: the glxsb driver can
> perform the AES-CBC algorithm only with a 128-bit key, and maybe
> 'maxoplen' was intended for this case.
>
> Without something to specify the key's length, the driver is selected
> by the framework even with keys != 128 bits. So it fails when the
> session is opened. This prevents setkey/ipsec from working with key
> lengths != 128 bits if the driver is loaded.

If I read the code properly, there is currently no way for a driver to
tell the opencrypto framework that only AES-CBC with a 128-bit key is
supported. A driver can only state that it supports AES-CBC, that's all.
As a workaround, the driver should implement AES-CBC-192 and AES-CBC-256
in software.
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd at FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
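
Added example, not part of the original message and not FreeBSD code: a self-contained C model of the situation discussed in this thread, where a driver is selected by algorithm alone and session setup fails for key lengths the hardware cannot handle, next to the software-fallback workaround suggested in the reply. All type and function names are hypothetical and do not correspond to the opencrypto API.

```c
/* Simplified model, not the FreeBSD opencrypto API; every name is hypothetical. */
#include <errno.h>
#include <stdio.h>
enum alg { ALG_AES_CBC };
enum backend { BACKEND_NONE, BACKEND_HW, BACKEND_SW };
struct session { enum backend be; int klen_bits; };
struct driver {
    enum alg alg;   /* registration names the algorithm only, no key length */
    int (*newsession)(struct session *, int klen_bits);
};
/* Hardware-only driver: the unit does AES-CBC with 128-bit keys and nothing else. */
static int hwonly_newsession(struct session *s, int klen_bits)
{
    if (klen_bits != 128)
        return EINVAL;      /* already selected, so opening the session fails */
    *s = (struct session){ BACKEND_HW, klen_bits };
    return 0;
}

/* Workaround: 192- and 256-bit keys are routed to a software path. */
static int fallback_newsession(struct session *s, int klen_bits)
{
    switch (klen_bits) {
    case 128: s->be = BACKEND_HW; break;
    case 192:
    case 256: s->be = BACKEND_SW; break;
    default:  return EINVAL;    /* not an AES key length */
    }
    s->klen_bits = klen_bits;
    return 0;
}

/* Model of driver selection: matches on algorithm, never on key length. */
static int open_session(const struct driver *d, enum alg a, int klen_bits, struct session *s)
{
    *s = (struct session){ BACKEND_NONE, 0 };
    return d->alg == a ? d->newsession(s, klen_bits) : ENOENT;
}

static const struct driver hwonly = { ALG_AES_CBC, hwonly_newsession };
static const struct driver fallback = { ALG_AES_CBC, fallback_newsession };

int main(void)
{
    struct session s;
    int e1 = open_session(&hwonly, ALG_AES_CBC, 256, &s);
    int e2 = open_session(&fallback, ALG_AES_CBC, 256, &s);
    printf("hw-only: errno %d; with fallback: errno %d, backend %d\n", e1, e2, s.be);
    return 0;
}
```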