Hi, On Di, 2014-07-29 at 12:32 +0300, Cristian Stoica wrote: > This set of patches introduces support for TLS 1.0 record layer > encryption/decryption with a corresponding algorithm called > tls10(hmac(<hash>),cbc(<cipher>)). > > Similarly to authenc.c on which it is based, this module mixes the base > algorithms in software to produce an algorithm that does record layer > encryption and decryption for TLS1.0. > Any combination of hw and sw base algorithms is possible, but the purpose > is to take advantage of hardware acceleration for TLS record layer offloading > when hardware acceleration is present. > > This is a software alternative to forthcoming Freescale caam patches that > will add support for one-pass hardware-only TLS record layer offloading. > > Performance figures depend largely on several factors including hardware > support and record layer size. For user-space applications the > kernel/user-space interface is also important. That said, we have done several > performance tests using openssl and cryptodev on Freescale QorIQ platforms. > On P4080, for a single stream of records larger than 512 bytes, the performance > improved from about 22Mbytes/s to 64Mbytes/s while also reducing CPU load. > > The purpose of this module is to enable TLS kernel offloading on hw platforms > that have acceleration for AES/SHA1 but do not have direct support for TLS > record layer. > > (minor dependency on pending patch > crypto: testmgr.c: white space fix-ups on test_aead) > > Cristian Stoica (2): > crypto: add support for TLS 1.0 record encryption > crypto: add TLS 1.0 test vectors for AES-CBC-HMAC-SHA1 > > crypto/Kconfig | 20 ++ > crypto/Makefile | 1 + > crypto/authenc.c | 5 +- > crypto/tcrypt.c | 5 + > crypto/testmgr.c | 41 +++- > crypto/testmgr.h | 217 +++++++++++++++++++ > crypto/tls.c | 528 +++++++++++++++++++++++++++++++++++++++++++++++ > include/crypto/authenc.h | 3 + > 8 files changed, 808 insertions(+), 12 deletions(-) > create mode 100644 crypto/tls.c > Maybe could you add netdev@xxxxxxxxxxxxxxx to Cc on your next submission? It would be great if this feature would be made available in some way that user space does TLS handshaking over a socket and symmetric keys could later be installed via e.g. setsockopt and kernel offloads tls processing over this socket. Alert message handling seems problematic, though and might require some out-of-band interface. Thanks, Hannes -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html