Hi all
Until recently I was using kernel 2.6.12 with the OCF package in order
to
get async encryption with HW engine for OpenSWAN, dm-crypt and OpenSSL.
Lately I have decided its time to move on to the latest kernel, and I
found
that there is a new async crypto support in the kernel :)
Now I have to decide whether to use the OCF or the native async crypto.
I have some questions and I would really appreciate if you can help
here:
I saw that the current code support async crypto for the dm-crypt, does
it
also support async crypto for the klips?
Is there any support for using the async crypto from the OpenSSL engine
library?
I saw that the async crypto support block cipher, does it also support
digest operations?
Can it support encryption + authentication (lets say AES-SHA1) as one
operation?
Is there any Documentation available? (I guess not)
What is the todo list for further development of the async crypto
support?
Thanks for your advice
Ronen Shitrit
On Sun, Aug 05, 2007 at 01:50:48PM +0300, Ronen Shitrit ([email protected]) wrote:
> I saw that the current code support async crypto for the dm-crypt, does
> it
> also support async crypto for the klips?
> Is there any support for using the async crypto from the OpenSSL engine
> library?
> I saw that the async crypto support block cipher, does it also support
> digest operations?
> Can it support encryption + authentication (lets say AES-SHA1) as one
> operation?
> Is there any Documentation available? (I guess not)
No for all above.
> What is the todo list for further development of the async crypto
> support?
New drivers and extending functionality if required. Some work is being
done in this area, although not that fast.
--
Evgeniy Polyakov
Wow, I thought that there was more progress ...
BTW:
I know that the OCF support the OpenSWAN, does it also support the KLIPS
by now?
I also noticed that the Acrypto have a patch to support KLIPS, does it
also support the OpenSWAN?
Regards
Ronen Shitrit
> -----Original Message-----
> From: Evgeniy Polyakov [mailto:[email protected]]
> Sent: Sunday, August 05, 2007 6:16 PM
> To: Ronen Shitrit
> Cc: [email protected]
> Subject: Re: status of async crypto
>
> On Sun, Aug 05, 2007 at 01:50:48PM +0300, Ronen Shitrit
> ([email protected]) wrote:
> > I saw that the current code support async crypto for the dm-crypt,
does
> > it
> > also support async crypto for the klips?
> > Is there any support for using the async crypto from the OpenSSL
engine
> > library?
> > I saw that the async crypto support block cipher, does it also
support
> > digest operations?
> > Can it support encryption + authentication (lets say AES-SHA1) as
one
> > operation?
> > Is there any Documentation available? (I guess not)
>
> No for all above.
>
> > What is the todo list for further development of the async crypto
> > support?
>
> New drivers and extending functionality if required. Some work is
being
> done in this area, although not that fast.
>
> --
> Evgeniy Polyakov
On Mon, Aug 06, 2007 at 12:00:13PM +0300, Ronen Shitrit ([email protected]) wrote:
> Wow, I thought that there was more progress ...
>
> BTW:
> I know that the OCF support the OpenSWAN, does it also support the KLIPS
> by now?
> I also noticed that the Acrypto have a patch to support KLIPS, does it
> also support the OpenSWAN?
No and no :)
> Regards
> Ronen Shitrit
--
Evgeniy Polyakov
Hi Herbert
I found a mailing thread discussing "combined mode algorithms", I think
that this is the main missing link for good async support.
Are you planning that this combined alg mode will support the async API?
Is there any progress on this direction?
Regards
Ronen Shitrit
> -----Original Message-----
> From: Evgeniy Polyakov [mailto:[email protected]]
> Sent: Sunday, August 05, 2007 6:16 PM
> To: Ronen Shitrit
> Cc: [email protected]
> Subject: Re: status of async crypto
>
> On Sun, Aug 05, 2007 at 01:50:48PM +0300, Ronen Shitrit
> ([email protected]) wrote:
> > I saw that the current code support async crypto for the dm-crypt,
does
> > it
> > also support async crypto for the klips?
> > Is there any support for using the async crypto from the OpenSSL
engine
> > library?
> > I saw that the async crypto support block cipher, does it also
support
> > digest operations?
> > Can it support encryption + authentication (lets say AES-SHA1) as
one
> > operation?
> > Is there any Documentation available? (I guess not)
>
> No for all above.
>
> > What is the todo list for further development of the async crypto
> > support?
>
> New drivers and extending functionality if required. Some work is
being
> done in this area, although not that fast.
>
> --
> Evgeniy Polyakov
Ronen Shitrit <[email protected]> wrote:
> Hi Herbert
>
> I found a mailing thread discussing "combined mode algorithms", I think
> that this is the main missing link for good async support.
>
> Are you planning that this combined alg mode will support the async API?
Yes that's the main focus right now.
> Is there any progress on this direction?
I'm working on the infrastructure bits, i.e., setting up a
new operation type currently called authenc which sits at
the same level as ablkcipher or hash. Joy Latten is looking
at CTR, as well as converting IPsec over once the crypto
infrastructure is done.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
* Herbert Xu | 2007-08-07 15:29:44 [+0800]:
>Joy Latten is looking
>at CTR, as well as converting IPsec over once the crypto
>infrastructure is done.
Can you estimate/guesstimate when the IPsec over async crypto will be
available?
I tried to test the dm-crypt user but the patches don't apply on top of
current git.
>Cheers,
Sebastian
On Tue, Aug 07, 2007 at 10:01:10AM +0200, Sebastian Siewior wrote:
> * Herbert Xu | 2007-08-07 15:29:44 [+0800]:
>
> >Joy Latten is looking
> >at CTR, as well as converting IPsec over once the crypto
> >infrastructure is done.
> Can you estimate/guesstimate when the IPsec over async crypto will be
> available?
> I tried to test the dm-crypt user but the patches don't apply on top of
> current git.
Originally I was going to convert IPsec to use ablkcipher
which we can do right now.
This is certainly going to delay things a bit. However,
it's certainly pretty close to the top of my todo list
right now.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt