Hello,
I am testing a AES HW crypto driver I wrote. I test by setting up a
tunnel between the board and a Linux server and pinging packets from
the board to the server.
With my driver loaded everything works fine with small packets but
large packets (>1500) fail (100% packet loss).
I added some debug code to the standard crypto/cbc.c and noticed that
when I ping using -s1500 the encryption (aes-cbc) gets broken up to 3
chuncks
sized 1456 , 16, 64. I also noticed that the iv for each of the
chunks is different.
Questions:
1. Why are there 3 chunks with these sizes? Is this related to the
crypto subsystem or the ipsec one?
2. How is the iv computed between each subsequent chunk?
I think my driver is failing because although it also processes 3
identically sized chunks it does not change the iv between each one
(it only does so once at the end).
Thanks for your time,
Avital
On Tue, Dec 08, 2009 at 02:54:43PM +0200, avital sela wrote:
> Hello,
>
> I am testing a AES HW crypto driver I wrote. I test by setting up a
> tunnel between the board and a Linux server and pinging packets from
> the board to the server.
> With my driver loaded everything works fine with small packets but
> large packets (>1500) fail (100% packet loss).
> I added some debug code to the standard crypto/cbc.c and noticed that
> when I ping using -s1500 the encryption (aes-cbc) gets broken up to 3
> chuncks
> sized 1456 , 16, 64. I also noticed that the iv for each of the
> chunks is different.
> Questions:
> 1. Why are there 3 chunks with these sizes? Is this related to the
> crypto subsystem or the ipsec one?
The chunks 1456/64 is a product of the TCP stack. 16 is the IV
added on by IPsec.
> 2. How is the iv computed between each subsequent chunk?
The last cipher (encrypted) block of a chunk should be used as
the IV for the next chunk.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Thanks !
On Tue, Dec 8, 2009 at 2:58 PM, Herbert Xu <[email protected]> wrote:
> On Tue, Dec 08, 2009 at 02:54:43PM +0200, avital sela wrote:
>> Hello,
>>
>> I am testing a AES HW crypto driver I wrote. I test by setting up a
>> tunnel between the board and a Linux server and pinging packets from
>> the board to the server.
>> With my driver loaded everything works fine with small packets but
>> large packets (>1500) fail (100% packet loss).
>> I added some debug code to the standard crypto/cbc.c and noticed that
>> when I ping using -s1500 the encryption (aes-cbc) gets broken up to 3
>> chuncks
>> sized 1456 , 16, 64. ?I also noticed that the iv for each of the
>> chunks is different.
>> Questions:
>> 1. Why are there 3 chunks with these sizes? Is this related to the
>> crypto subsystem or the ?ipsec one?
>
> The chunks 1456/64 is a product of the TCP stack. ?16 is the IV
> added on by IPsec.
>
>> 2. How is the iv computed between each subsequent chunk?
>
> The last cipher (encrypted) block of a chunk should be used as
> the IV for the next chunk.
>
> Cheers,
> --
> Visit Openswan at http://www.openswan.org/
> Email: Herbert Xu ~{PmV>HI~} <[email protected]>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
>