[Openswan Users] IPSEC - Does `ping` involve any hashing activity?
KokHow.Teh at infineon.com
Sun Oct 28 07:49:32 EDT 2007
Hi;
>> Greetings. I use openswan-2.4.9 to test my hardware cryptographic
>> drivers. Here is the /etc/ipsec.conf:
>So you are using snapgear's OCF patch?
I am not sure. I downloaded the source from
http://www.openswan.org/download/. Only the openswan-2.4.9.tar.gz, but
not the openswan-2.4.9.kernel-2.6-klips.patch.gz
> ike=aes-md5
> esp=aes-md5
>
> I configured the cryptographic hardware with AES and MD5 priorities
> to be at 400 and 300 respectively and put some debug messages into the
> driver codes. While I could see the debug printouts of AES
> encrypt/decrypt showing that AES is in operation and the hardware
> cryptographic is used, I don't see any debug printout of hardware MD5
> at all. My question is if `ping` involves any hashing operation at all?
>If you configure esp=aes-md5 it should.
I have found that the code snippet to use hardware crypto for ESP hashing
is commented out in cryptoapi.c:
    #ifdef NOT_YET
    struct ipsec_alg_capi_digest {
            const char *digestname;              /* cryptoapi's digestname */
            struct digest_implementation *di;
            struct ipsec_alg_auth alg;           /* note it's not a pointer */
    };
    static struct ipsec_alg_capi_cipher alg_capi_darray[] = {
            { DIGESTNAME_MD5,  NULL, { ixt_alg_id: AH_MD5, }},
            { DIGESTNAME_SHA1, NULL, { ixt_alg_id: AH_SHA, }},
            { NULL, NULL, {} }
    };
    #endif
I am not sure if it is a simple matter of adding/registering this
structure in the ipsec_cryptoapi_init routine to get the OCF to use hardware
crypto for hashing.
    IPSEC_ALG_MODULE_INIT_STATIC( ipsec_cryptoapi_init )
    {
            int ret, test_ret;
            if ((ret=setup_cipher_list(alg_capi_carray)) < 0)
                    return -EPROTONOSUPPORT;
            if (ret==0 && test_crypto) {
                    test_ret=test_cipher_list(alg_capi_carray);
            }
            return ret;
    }
    IPSEC_ALG_MODULE_EXIT_STATIC( ipsec_cryptoapi_fini )
    {
            unsetup_cipher_list(alg_capi_carray);
            return;
    }
>Openswan-3.x.x with OCF support, as far as I know, does not try to
>hardware offload IKE, as the speedgains for that were minimal or
>non-existent, so having ike= with md5 wouldn't make a difference. I am
>not sure about snapgear's OCF patch to openswan 2.4.9 and what it
>supports or not. David will probably be able to answer that.
Where can I get Openswan-3.x.x? I thought the latest is only 2.4.9 from the
URL given above?
Regards,
KH
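
Added example (not part of the original message and not Openswan code): with esp=aes-md5, every ESP packet, a tunnelled `ping` included, carries an HMAC-MD5-96 integrity check value computed over the SPI, sequence number, IV and ciphertext. The key, SPI, IV and the placeholder ciphertext below are constructed values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12    # HMAC-MD5-96: 16-byte HMAC-MD5 truncated to 96 bits (RFC 2403)
AES_BLOCK = 16  # AES-CBC IV and block size in bytes


def esp_icv(auth_key: bytes, covered: bytes) -> bytes:
    """Integrity check value over SPI | sequence | IV | ciphertext."""
    return hmac.new(auth_key, covered, hashlib.md5).digest()[:ICV_LEN]


def build_esp(auth_key, spi, seq, iv, ciphertext):
    """Assemble an ESP packet; the ICV is appended after encryption."""
    if len(iv) != AES_BLOCK or len(ciphertext) % AES_BLOCK:
        raise ValueError("IV/ciphertext must be AES-block aligned")
    covered = struct.pack("!II", spi, seq) + iv + ciphertext
    return covered + esp_icv(auth_key, covered)


def verify_esp(auth_key, packet):
    """Receiver side: recompute the ICV before any decryption is attempted."""
    if len(packet) < 8 + AES_BLOCK + AES_BLOCK + ICV_LEN:
        return False
    covered, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(auth_key, covered))


# Constructed sample values (not from the original message).
AUTH_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # 128-bit MD5 key
SPI, SEQ = 0x12345678, 1
IV = bytes(16)
# Stand-in for the AES-CBC output of an 84-byte ICMP echo request plus ESP
# trailer, padded to 96 bytes; real ciphertext is not needed to show the ICV.
CIPHERTEXT = bytes(range(96))

if __name__ == "__main__":
    pkt = build_esp(AUTH_KEY, SPI, SEQ, IV, CIPHERTEXT)
    print(len(pkt), "bytes, ICV =", pkt[-ICV_LEN:].hex())
    print("verifies:", verify_esp(AUTH_KEY, pkt))
    tampered = pkt[:30] + bytes([pkt[30] ^ 1]) + pkt[31:]
    print("tampered verifies:", verify_esp(AUTH_KEY, tampered))
```

One HMAC-MD5 computation happens per packet in each direction, so a driver-level debug print on the MD5 path would fire once per echo request and once per reply if the digest were offloaded.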