From owner-freebsd-security@FreeBSD.ORG Fri Oct 16 02:26:47 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7475C1065676 for ; Fri, 16 Oct 2009 02:26:47 +0000 (UTC) (envelope-from case@sdf.lonestar.org) Received: from sdf.lonestar.org (ol.freeshell.org [192.94.73.20]) by mx1.freebsd.org (Postfix) with ESMTP id 379D78FC16 for ; Fri, 16 Oct 2009 02:26:47 +0000 (UTC) Received: from sdf.lonestar.org (IDENT:case@otaku.freeshell.org [192.94.73.2]) by sdf.lonestar.org (8.14.3/8.14.3) with ESMTP id n9G2QgP0018100 for ; Fri, 16 Oct 2009 02:26:42 GMT Received: (from case@localhost) by sdf.lonestar.org (8.14.3/8.12.8/Submit) id n9G2QgMD009990; Fri, 16 Oct 2009 02:26:42 GMT Date: Fri, 16 Oct 2009 02:26:41 +0000 (UTC) From: John Case X-X-Sender: case@otaku.freeshell.org To: freebsd-security@freebsd.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Mailman-Approved-At: Fri, 16 Oct 2009 05:04:33 +0000 Subject: RE: FreeBSD equivalent to Sun crypto framework APIs (PKCS#11) (for hardware AES-CTR) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Oct 2009 02:26:47 -0000 > There are a number of hardware solutions for performing AES-CTR in > hardware - for example the broadcom BCM5825, which is supported by > the ubsec driver. > > The problem is that OpenSSL does not currently support hardware > acceleration of AES-CTR. The solution on a Sun system is to use the > Sun crypto framework APIs (PKCS#11) which does support AES-CTR in > hardware. > > Is there an analagous API in FreeBSD that I could implement in my > code so as to use the hardware AES-CTR of devices supported by ubsec ? > Aside from crypto(3) (OpenSSL), there's also crypto(9) (kernel) and > crypto(4) (userland), but they don't appear to support CTR - just CBC. Understood. How difficult or trivial would it be to add AES-CTR to either crypto(9) or crypto(4) ? Are those just derived from OpenSSL in some way anyway ? If not, who is responsible for this kind of work ?