A new prepatch is out. I have made it a prepatch because it includes more changes than normal, and also because some more changes are needed before a new stable patch can be released.

Short list of changes:

 o New util-linux patch (util-linux-2.10o.int2). You need to recompile util-linux using this patch!
 o key schedule size and declarations for ciphers/digests moved out of crypto.h
 o New functions in cipher_implementation
   - realloc_context - to (re)allocate a cipher_context
   - wipe_context - to wipe a cipher_context
   - free_context - to free a cipher_context
   Cipher-implementations with fixed size key schedules don't have to provide any of the above; a default implementation will be provided.
 o find_transfer_by_name now tries to load missing ciphers/digests.
 o ECB ciphers are now called <name>-ecb, not just <name>.
 o Lots of functions that should be static are now static. No more conflicts with freeswan over the SHA/MD5.
 o loop_gen.c is no more. Integrated loop_gen.c with loop.c. Reverted a lot of changes to loop.{c,h} - it is now pretty much like vanilla linux 2.2.x.

-----

Based on some feedback I got from people trying to write plugins to the cryptoapi, it became evident that the current scheme for finding ciphers is inadequate. We now have two ways of finding ciphers/digests: find_{cipher,digest}_by_id and find_{cipher,digest}_by_name. The problem is that the id scheme isn't useful for plug-ins. It also means we have to have translation tables all over the place translating from cipher name to id. Generally, a system where all ciphers have to register an ID is very cumbersome.
Just look at how we deal with ciphers in the case of losetup:

 - We have /etc/modules.conf which has a mapping:
   - from loop_xfer_number -> loop_xfer_module
   - from cipher_id -> cipher
   - from digest_id -> digest
 - We have losetup which has a mapping from loop_xfer_number -> name of cipher and keysize in order to handle user-interface issues and to make sure that it gives enough key data to the kernel.
 - We have the loop_gen module registering a number of loop_xfers in the loop module and then translating the xfer number to the corresponding cipher number.

:-) Quite messy. It is the loopback system which led to these problems. If we can get losetup to use _strings_ to select its cipher, _none_ of the above tables would be needed anymore, we could support plug-in crypto modules more easily, and we wouldn't have to keep losetup in sync with the kernel all the time.

This patch does this by killing the old loop_gen.c stuff and adding a new loop_xfer called LO_CRYPT_CRYPTOAPI. It works like this: there is a field in struct loop_status (used to set password, transfer type etc.) called lo_name which contains the path of the underlying file. It seems that this field is not used by the kernel in any way, and is just an old workaround for not having dentries in early linux kernels. So when user-space requests to set up a transfer of type LO_CRYPT_CRYPTOAPI, we expect the name of the cipher to be specified in this field. This is all handled in the init-function of the LO_CRYPT_CRYPTOAPI transfer.

There are also similar changes in the util-linux patch. I've removed all the tables with kerneli-specific cipher information. Then, if losetup doesn't find any information about the cipher the user specifies, it assumes it is a LO_CRYPT_CRYPTOAPI cipher. It parses /proc/crypto/cipher/%s-cbc to find information about allowed key sizes. This patch is called util-linux-2.10o.int2.patch.

The kernel will now try to load ciphers if it can't find them (and CONFIG_KMOD is on).
It works like this: say you want to look for "serpent-cbc", it will try to load the following modules until it finds the cipher or runs out of options:

  cipher-serpent-cbc
  cipher-serpent
  cipher

This supports the way modules are written today, where a single module implements both serpent-cbc and serpent-ecb. In a later patch, the various cipher and digest modules should be renamed to work with the above scheme. For the time being, you should rename your favorite cipher (i.e., rename /lib/modules/2.2.17/misc/serp6f.o -> /lib/modules/2.2.17/misc/cipher-serpent.o) to play with this patch.

astor
--
Alexander Kjeldaas Mail: astor@xxxxxxx
finger astor@xxxxxxxxxxxxxxxxx for OpenPGP key.

Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
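As an added illustration of the module-loading order described in the message above (example code, not the kerneli patch's own), this builds the candidate list for a cipher name and walks it against a constructed table of "installed" modules that stands in for request_module(); it also generalises to names with more "-" components than "serpent-cbc".

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64

/* Return the idx-th module name to probe for `cipher`, or NULL when the list
 * is exhausted. Each step drops the last "-component"; the final fallback is
 * the bare "cipher" module. Names with more components than "serpent-cbc"
 * simply get one extra candidate per component. */
const char *cipher_module_candidate(const char *cipher, int idx)
{
    static char buf[NAME_LEN];
    char work[NAME_LEN];
    int dashes = 0, i;
    const char *p;

    if (idx < 0 || strlen(cipher) >= sizeof work)
        return NULL;
    for (p = cipher; *p; p++)
        if (*p == '-')
            dashes++;
    if (idx > dashes + 1)
        return NULL;
    if (idx == dashes + 1)
        return "cipher";
    strcpy(work, cipher);
    for (i = 0; i < idx; i++)
        *strrchr(work, '-') = '\0';
    snprintf(buf, sizeof buf, "cipher-%s", work);
    return buf;
}

/* Constructed stand-in for the modules installed under /lib/modules; in the
 * kernel each candidate would go to request_module() and the lookup be retried. */
static const char *installed[] = { "cipher-serpent", "cipher-twofish" };

/* Probe candidates in order; return the index of the one that "loaded", or -1
 * when the cipher cannot be found at all (the loop setup then fails). */
int find_cipher_module(const char *cipher)
{
    const char *cand;
    int idx;
    size_t j;

    for (idx = 0; (cand = cipher_module_candidate(cipher, idx)) != NULL; idx++)
        for (j = 0; j < sizeof installed / sizeof *installed; j++)
            if (strcmp(cand, installed[j]) == 0)
                return idx;
    return -1;
}
```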