Re: Cryptography in the kernel (was: Re: Linux 2.5 / 2.6 TODO (preliminary))

From: Julian Squires
Date: Thu Jun 01 2000 - 23:51:40 EST

On Thu, Jun 01, 2000 at 11:41:18PM -0500, David Marshall wrote:
> In other words, putting in a crypto API with support for all sorts of
> algorithms is one thing, and has its own technical issues. Putting in
> support for specific algorithms can be made relatively simple: the
> programmer literally just drops the code in, and writes init, release,
> status, key generation and handling, encrypt, and decrypt functions.


> How is block chaining done in the current kerneli setup?

IIRC, macros generate the CBC mode cipher from the supplied ECB mode
cipher. (As you probably guessed)

> Is it possible to perhaps put in a crypto API like I mentioned above,
> and let people drop in their own crypto algorithms with some patch?
> Ideally the API would even handle the various block chaining schemes.

That would be a Good Thing, AFAICS. Put the infrastructure in the
main kernel distribution, and separate individual implementations
of particular, ``thorny'' algorithms.

> From the looks of it, we already have something pretty close in
> drivers/block/loop.c. In particular, look at the top of the file. Two
> transfer functions are defined. One is a straight passthrough function
> (i.e. no transformation/crypto at all). The other is a cheezy (and
> horribly insecure, if anyone is actually clueless enough to use it)
> XOR encryption scheme. I would assume that someone could write
> transfer and other support functions for real crypto algorithms and
> just drop them in without having to modify much of anything in the
> kernel tree other than the file and the Makefile.

You should look at the kerneli patch, it adds a lot to the loop
driver, IIRC. (It extends the existing infrastructure present in that
driver) Although it also provides a library of cryptographic
primitives, separate from the loop driver.

 |/|  Julian Squires
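
Added example, not part of the original message and not code from the kerneli patch: a C sketch of deriving CBC mode from an algorithm's single-block ECB routine, as discussed above, using a function pointer rather than macros. The names ecb_fn, toy_encrypt, toy_decrypt, cbc_encrypt, cbc_decrypt and the 8-byte block size are assumptions for illustration, and the toy transform is a stand-in, not a real cipher.

```c
#include <stdint.h>
#include <string.h>

#define BLK 8 /* block size in bytes, an assumption for this sketch */

/* Single-block ECB primitive: the only routine an algorithm must supply. */
typedef void (*ecb_fn)(const uint8_t *key, const uint8_t *in, uint8_t *out);

/* Toy invertible transform standing in for a real cipher. NOT secure. */
void toy_encrypt(const uint8_t *key, const uint8_t *in, uint8_t *out) {
    for (int i = 0; i < BLK; i++)
        out[i] = (uint8_t)((in[i] ^ key[i]) + 0x3d);
}
void toy_decrypt(const uint8_t *key, const uint8_t *in, uint8_t *out) {
    for (int i = 0; i < BLK; i++)
        out[i] = (uint8_t)((uint8_t)(in[i] - 0x3d) ^ key[i]);
}

/* CBC encrypt over any ECB primitive; len must be a multiple of BLK. */
int cbc_encrypt(ecb_fn enc, const uint8_t *key, const uint8_t *iv,
                const uint8_t *in, uint8_t *out, size_t len) {
    uint8_t prev[BLK], tmp[BLK];
    if (len % BLK) return -1;               /* padding is the caller's job */
    memcpy(prev, iv, BLK);
    for (size_t off = 0; off < len; off += BLK) {
        for (int i = 0; i < BLK; i++)
            tmp[i] = in[off + i] ^ prev[i]; /* chain in previous ciphertext */
        enc(key, tmp, out + off);
        memcpy(prev, out + off, BLK);
    }
    return 0;
}

/* CBC decrypt; works with in == out because each ciphertext block is saved. */
int cbc_decrypt(ecb_fn dec, const uint8_t *key, const uint8_t *iv,
                const uint8_t *in, uint8_t *out, size_t len) {
    uint8_t prev[BLK], cur[BLK], tmp[BLK];
    if (len % BLK) return -1;
    memcpy(prev, iv, BLK);
    for (size_t off = 0; off < len; off += BLK) {
        memcpy(cur, in + off, BLK);
        dec(key, cur, tmp);
        for (int i = 0; i < BLK; i++)
            out[off + i] = tmp[i] ^ prev[i]; /* undo the chaining XOR */
        memcpy(prev, cur, BLK);
    }
    return 0;
}
```

With two identical plaintext blocks, the ECB routine alone yields two identical ciphertext blocks, while the CBC wrapper does not; that difference is why a shared chaining layer is worth having in the infrastructure rather than in each algorithm.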


This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 21:00:14 EST