Herbert,
I'm implementing ablkcipher algorithms in talitos and need some clarification.
If an ablkcipher crypto algorithm implements .givencrypt with geniv as "<built-in>"
what is the reason that it cannot be used as a building block cipher for
an IPsec use case ?
I've noticed that if an ablkcipher algorithm does not implement givencrypt,
and sets geniv to eseqiv, then the algorithm can somewhat support an IPsec use case.
During testing however, it seems that eseqiv_givencrypt doesn't handle a scatterlist
fully for an already fragmented src. For example, a large ping (> 1460 bytes)
going out causes a scatterlist with two entries within esp_output, but it appears that
the src scatterlist doesn't carry forth properly through eseqiv_givencrypt
into the ablkcipher encrypt routine.
I'm wondering if I've stumbled onto a bug in this case.
At the least my understanding is incomplete.
Thank you,
Lee Nipper
Freescale Semiconductor Inc.
On Fri, 2009-02-06 at 17:26 -0600, Lee Nipper wrote:
> During testing however, it seems that eseqiv_givencrypt doesn't handle a scatterlist
> fully for an already fragmented src. For example, a large ping (> 1460 bytes)
> going out causes a scatterlist with two entries within esp_output, but it appears that
> the src scatterlist doesn't carry forth properly through eseqiv_givencrypt
> into the ablkcipher encrypt routine.
I was mistaken. I was unaware of the chained sg from eseqiv_givencrypt.
Using scatterwalk_sg_next instead of sg_next handles it.
Lee