Id: 2554
Status: rejected
Priority: 0/
Queue: OpenSSL-Bugs


Owner: Nobody in particular
Requestors: Markus


Created: Sun Jul 03 19:24:59 2011
Started: Thu Feb 04 20:46:01 2016
Last Contact: Thu Feb 04 20:46:01 2016
Closed: Thu Feb 04 20:46:01 2016
Updated: Thu Feb 04 20:46:01 2016 by Rich Salz

Subject: Patch: AF_ALG dynamic engine for linux >= 2.6.38
Date: Sun, 3 Jul 2011 10:51:09 +0200
From: Markus <>

Linux kernel 2.6.38 introduced an API (AF_ALG) to access the kernel
crypto API from userspace.

Accessing the kernel's crypto API from userspace allows making use of
crypto hardware, which can't be accessed from userspace directly.
Hardware accelerated cryptography as provided by VIA Padlock and Intel
AES-NI can be accessed from userspace directly, so you do not need
AF_ALG at all, but AMD Geode processors' AES cryptography is - contrary
to Padlock and AES-NI - not an instruction and therefore can't be
accessed from userspace.

I wrote a dynamic engine for openssl which allows making use of
AF_ALG, code is available here:

The engine exports the kernel's aes {128,192,256} cbc functions to
openssl, extending it to export more ciphers or the kernel's hashing
functions available via AF_ALG is possible.

The engine is not exactly a patch, as it is possible to compile
dynamic engines outside of openssl, so Makefile adjustments would have
to be made.

Here are some numbers on the performance of the engine, the engine
provides a speedup if the kernel can access crypto acceleration
hardware, and will slow things down otherwise:

If possible, please consider including the engine into openssl
mainline, required license permissions are granted.

Support for this is in progress for 1.1.
Rich Salz, OpenSSL dev team;
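
For readers unfamiliar with the AF_ALG interface the request describes, the following added example (not the engine's code and not OpenSSL's) shows the socket exchange for one AES-CBC encryption done in the kernel. The function name `afalg_aes_cbc_encrypt` and its return codes are assumptions made for illustration; the -1 return covers the case where the kernel offers no AF_ALG or no `cbc(aes)`, so a caller can fall back to a software cipher.

```c
#include <linux/if_alg.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef SOL_ALG
#define SOL_ALG 279 /* value from the kernel's linux/socket.h */
#endif

/* AES-CBC encrypt len bytes (a multiple of 16) inside the kernel.
 * Returns 0 on success, -1 if AF_ALG or cbc(aes) cannot be set up
 * (caller should fall back to software), -2 on an I/O error. */
int afalg_aes_cbc_encrypt(const unsigned char *key, unsigned int keylen,
                          const unsigned char iv[16], const unsigned char *in,
                          unsigned char *out, size_t len)
{
    struct sockaddr_alg sa = { .salg_family = AF_ALG,
                               .salg_type = "skcipher", .salg_name = "cbc(aes)" };
    union { struct cmsghdr align; /* gives buf cmsghdr alignment */
            char buf[CMSG_SPACE(sizeof(__u32)) +
                     CMSG_SPACE(sizeof(struct af_alg_iv) + 16)]; } u;
    struct iovec iov = { .iov_base = (void *)in, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *c;
    struct af_alg_iv *aiv;
    int op = -1, rc = -1, tfm = socket(AF_ALG, SOCK_SEQPACKET, 0);

    if (tfm < 0) return -1;
    if (bind(tfm, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||  /* pick algorithm */
        setsockopt(tfm, SOL_ALG, ALG_SET_KEY, key, keylen) < 0 ||
        (op = accept(tfm, NULL, NULL)) < 0)  /* op socket carries the data */
        goto done;
    memset(&u, 0, sizeof(u));
    c = CMSG_FIRSTHDR(&msg);                 /* control message 1: direction */
    c->cmsg_level = SOL_ALG; c->cmsg_type = ALG_SET_OP;
    c->cmsg_len = CMSG_LEN(sizeof(__u32));
    *(__u32 *)CMSG_DATA(c) = ALG_OP_ENCRYPT;
    c = CMSG_NXTHDR(&msg, c);                /* control message 2: the IV */
    c->cmsg_level = SOL_ALG; c->cmsg_type = ALG_SET_IV;
    c->cmsg_len = CMSG_LEN(sizeof(struct af_alg_iv) + 16);
    aiv = (struct af_alg_iv *)CMSG_DATA(c);
    aiv->ivlen = 16;
    memcpy(aiv->iv, iv, 16);
    rc = (sendmsg(op, &msg, 0) == (ssize_t)len &&
          read(op, out, len) == (ssize_t)len) ? 0 : -2;
done:
    if (op >= 0) close(op);
    close(tfm);
    return rc;
}
```

Every call costs several system calls, which is consistent with the requestor's remark that the engine only pays off when the kernel can reach acceleration hardware.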