From owner-freebsd-security@FreeBSD.ORG Wed Oct 14 18:15:02 2009
Date: Wed, 14 Oct 2009 18:02:36 +0000 (UTC)
From: John Case
To: freebsd-security@freebsd.org
Subject: FreeBSD equivalent to Sun crypto framework APIs (PKCS#11) (for hardware AES-CTR)

There are a number of hardware solutions for performing AES-CTR in
hardware - for example the Broadcom BCM5825, which is supported by
the ubsec driver.

The problem is that OpenSSL does not currently support hardware
acceleration of AES-CTR.  The solution on a Sun system is to use the
Sun crypto framework APIs (PKCS#11) which does support AES-CTR in
hardware.

Is there an analogous API in FreeBSD that I could implement in my
code so as to use the hardware AES-CTR of devices supported by ubsec ?
Or do I need to directly manipulate ubsec with my actual application
in order to do this ?

From owner-freebsd-security@FreeBSD.ORG Wed Oct 14 22:54:43 2009
Date: Wed, 14 Oct 2009 23:23:07 +0100
From: RW
To: freebsd-security@freebsd.org
Message-ID: <20091014232307.4f6d8479@gumby.homeunix.com>
Subject: Re: FreeBSD equivalent to Sun crypto framework APIs (PKCS#11) (for hardware AES-CTR)

On Wed, 14 Oct 2009 18:02:36 +0000 (UTC)
John Case wrote:

>
> There are a number of hardware solutions for performing AES-CTR in
> hardware - for example the Broadcom BCM5825, which is supported by
> the ubsec driver.
>
> The problem is that OpenSSL does not currently support hardware
> acceleration of AES-CTR.  The solution on a Sun system is to use the
> Sun crypto framework APIs (PKCS#11) which does support AES-CTR in
> hardware.
>
> Is there an analogous API in FreeBSD that I could implement in my
> code so as to use the hardware AES-CTR of devices supported by ubsec ?

Aside from crypto(3) (OpenSSL), there's also crypto(9) (kernel) and
crypto(4) (userland), but they don't appear to support CTR - just CBC.

From owner-freebsd-security@FreeBSD.ORG Fri Oct 16 02:26:47 2009
Date: Fri, 16 Oct 2009 02:26:41 +0000 (UTC)
From: John Case
To: freebsd-security@freebsd.org
Subject: RE: FreeBSD equivalent to Sun crypto framework APIs (PKCS#11) (for hardware AES-CTR)

> There are a number of hardware solutions for performing AES-CTR in
> hardware - for example the Broadcom BCM5825, which is supported by
> the ubsec driver.
>
> The problem is that OpenSSL does not currently support hardware
> acceleration of AES-CTR.  The solution on a Sun system is to use the
> Sun crypto framework APIs (PKCS#11) which does support AES-CTR in
> hardware.
>
> Is there an analogous API in FreeBSD that I could implement in my
> code so as to use the hardware AES-CTR of devices supported by ubsec ?

> Aside from crypto(3) (OpenSSL), there's also crypto(9) (kernel) and
> crypto(4) (userland), but they don't appear to support CTR - just CBC.

Understood.

How difficult or trivial would it be to add AES-CTR to either crypto(9)
or crypto(4) ?  Are those just derived from OpenSSL in some way anyway ?

If not, who is responsible for this kind of work ?