On Thu, Jan 19, 2017 at 03:21:37PM +0100, Ondrej Mosnáček wrote: > > Hm, I just looked at what the IPsec IV generation is actually doing > and it seems to me that it's basically a crypto template that just > somehow transforms the IV before it is passed to the child cipher... I > thought for a while that you were implying that there already is some > facility in the crypto API that allows submitting multiple messages + > some initial sequence number that is auto-incremented and IVs are > generated from the numbers. However, I could not find anything like > that in the code, so now I think what you meant was just that I should > somehow pull the actual IV generators into the crypto layer so that > the IVs can be generated inside the hardware. IPsec currently only deals with one packet at a time, but the point is that the IV generator handles everything transparently and the IV is actually part of the cipher text for the AEAD op. IOW it would be trivial to extend our current IPsec IV generators to handle multiple packets as the IVs are embedded with the cipher text. Cheers, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- dm-devel mailing list dm-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/dm-devel