Ticket metadata
The Basics
Id: 2554
Status: new
Priority: 0/
Queue: OpenSSL-Bugs

Custom Fields
Milestone: (no value)
Subsystem: (no value)
Severity: (no value)
Broken in: (no value)

People
Owner: Nobody in particular
Requestors: Markus
Cc:
AdminCc:

Dates
Created: Sun Jul 03 21:24:59 2011
Starts: Not set
Started: Not set
Last Contact: Not set
Due: Not set
Closed: Not set
Updated: Sun Jul 03 21:25:00 2011 by Markus



Subject: Patch: AF_ALG dynamic engine for linux >= 2.6.38
Date: Sun, 3 Jul 2011 10:51:09 +0200
To: rt@openssl.org
From: Markus <nepenthesdev@gmail.com>
Hi,


Linux kernel 2.6.38 introduced an API (AF_ALG) to access the kernel
crypto API from userspace.

Accessing the kernel's crypto API from userspace allows making use of
crypto hardware, which can't be accessed from userspace directly.
Hardware accelerated cryptography as provided by VIA Padlock and Intel
AES-NI can be accessed from userspace directly, so you do not need
AF_ALG at all, but AMD Geode processors' AES cryptography is - contrary
to Padlock and AES-NI - not an instruction and therefore can't be
accessed from userspace.

I wrote a dynamic engine for openssl which allows making use of
AF_ALG, code is available here:
http://src.carnivore.it/users/common/af_alg/

The engine exports the kernel's aes {128,192,256} cbc functions to
openssl, extending it to export more ciphers or the kernel's hashing
functions available via AF_ALG is possible.

The engine is not exactly a patch, as it is possible to compile
dynamic engines outside of openssl, so Makefile adjustments would have
to be made.

Here are some numbers on the performance of the engine, the engine
provides a speedup if the kernel can access crypto acceleration
hardware, and will slow things down otherwise:
http://carnivore.it/2011/04/23/openssl_-_af_alg

If possible, please consider including the engine into openssl
mainline, required license permissions are granted.


Kind regards
Markus
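
The userspace side of the AF_ALG interface described in the message, shown as an added example that is not part of the ticket or of the submitted engine: one AES-CBC encryption through the kernel's "cbc(aes)" transform. The function name afalg_aes_cbc_encrypt and its return convention are assumptions made for this illustration.

```c
/* Added example (not the engine's code): AES-CBC via the kernel's AF_ALG API. */
#include <linux/if_alg.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef SOL_ALG
#define SOL_ALG 279
#endif
/* Hypothetical helper. Returns 0 on success, 1 if AF_ALG or cbc(aes) is not
 * available, -1 on error. len must be a multiple of 16 (caller pads). */
int afalg_aes_cbc_encrypt(const uint8_t *key, size_t keylen, const uint8_t iv[16],
                          const uint8_t *in, uint8_t *out, size_t len)
{
    struct sockaddr_alg sa = { .salg_family = AF_ALG,
                               .salg_type = "skcipher", .salg_name = "cbc(aes)" };
    union { struct cmsghdr align;
            char buf[CMSG_SPACE(sizeof(uint32_t)) +
                     CMSG_SPACE(sizeof(struct af_alg_iv) + 16)]; } ctl;
    struct iovec iov = { .iov_base = (void *)in, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    uint32_t op = ALG_OP_ENCRYPT, ivlen = 16;
    int rc = -1, req = -1, tfm = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (tfm < 0) return 1;                 /* kernel without AF_ALG, or blocked */
    if (bind(tfm, (struct sockaddr *)&sa, sizeof sa) < 0) { close(tfm); return 1; }
    if (setsockopt(tfm, SOL_ALG, ALG_SET_KEY, key, keylen) == 0)
        req = accept(tfm, NULL, NULL);     /* the key lives on tfm, requests on req */
    if (req >= 0) {
        /* Direction and IV travel as control messages next to the plaintext. */
        memset(&ctl, 0, sizeof ctl);
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_ALG; c->cmsg_type = ALG_SET_OP;
        c->cmsg_len = CMSG_LEN(sizeof op);
        memcpy(CMSG_DATA(c), &op, sizeof op);
        c = CMSG_NXTHDR(&msg, c);
        c->cmsg_level = SOL_ALG; c->cmsg_type = ALG_SET_IV;
        c->cmsg_len = CMSG_LEN(sizeof(struct af_alg_iv) + 16);
        memcpy(CMSG_DATA(c), &ivlen, sizeof ivlen);       /* af_alg_iv.ivlen */
        memcpy(CMSG_DATA(c) + sizeof ivlen, iv, 16);      /* af_alg_iv.iv[]  */
        if (sendmsg(req, &msg, 0) == (ssize_t)len &&
            read(req, out, len) == (ssize_t)len) rc = 0;  /* ciphertext comes back */
        close(req);
    }
    close(tfm);
    return rc;
}
```

The key never leaves the bound socket once set, and every operation costs at least two system calls, which is consistent with the message's remark that the engine slows things down when the kernel has no acceleration hardware behind it.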