Hi Tomasz, On 01/28/2015 02:37 AM, Tomasz Bursztyka wrote: > --- > > Hi guys, > > Here is a quick proposal on the cipher infra for ell. I followed what has > been done with checksums in ell, with obvious differences due to the ciphers > themselves. (2 different actions: encrypt/decrypt and the presence of a key) > > I have open issues here: > > l_cipher_reset() on its own might not be useful, should I add the possibilty > to change the key as well? Unless there is no cipher state to reset, and then > it's better not having such function. (I am not aware of the kernel cipher > internals, related to some state there so if one can enlight the issue here) > I don't think a reset function would be useful. > Alos, about encrypt/decrypt. Currently I am proposing to have those as they > will send the data, and we get it back via get_data() (function name it not > that great btw). > So: > > - is having only encrypt/decrypt an option? (so send/recv would be done in > each functions). Though 2 blocking functions at a time... not great. > I think that would be preferable. I don't foresee us processing large chunks of encrypted data, so that should be okay. > - or, what about enabling async access? Unless I miss something about the > crypto layer in the kernel, here the socket is blocking. So we could be > stalled at some point. checksum does the same, is there any plan to make it > async actually? like a function l_cipher_enable_async(), which would call the > right fcntl() and return the socket which we could use in the event loop. > Right now I wouldn't worry about this. If we encounter a situation where we actually benefit from this, then lets revisit then. Right now we are going to be encrypting/decrypting data on the order of a few hundred bytes. EAPoL-Key Data is capped at about 32K, so even in the absolute worst case I don't think we need to worry about this. > ell/cipher.h | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 52 insertions(+) > create mode 100644 ell/cipher.h > > diff --git a/ell/cipher.h b/ell/cipher.h > new file mode 100644 > index 0000000..2a0ca2f > --- /dev/null > +++ b/ell/cipher.h > @@ -0,0 +1,52 @@ > +/* > + * > + * Embedded Linux library > + * > + * Copyright (C) 2015 Intel Corporation. All rights reserved. > + * > + * This library is free software; you can redistribute it and/or > + * modify it under the terms of the GNU Lesser General Public > + * License as published by the Free Software Foundation; either > + * version 2.1 of the License, or (at your option) any later version. > + * > + * This library is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + * Lesser General Public License for more details. > + * > + * You should have received a copy of the GNU Lesser General Public > + * License along with this library; if not, write to the Free Software > + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA > + * > + */ > + > +#ifndef __ELL_CIPHER_H > +#define __ELL_CIPHER_H > + > +#ifdef __cplusplus > +extern "C" { > +#endif > + > +struct l_cipher; > + > +enum l_cipher_type { > + L_CIPHER_ARC4, > + L_CIPHER_AES, > +}; > + > +struct l_cipher *l_cipher_new(enum l_cipher_type type, > + const void *key, size_t key_length); > +void l_cipher_free(struct l_cipher *cipher); > + > +void l_cipher_reset(struct l_cipher *cipher); > + No need for this one > +void l_cipher_encrypt(struct l_cipher *cipher, > + const void *data, size_t len); I'd just do l_cipher_encrypt(struct l_cipher *cipher, const void *in, void *out, size_t len); > + > +void l_cipher_decrypt(struct l_cipher *cipher, > + const void *data, size_t len); > + Same as above > +void l_cipher_get_data(struct l_cipher *cipher, > + void *data, size_t len); > + No need for that one > +#endif /* __ELL_CIPHER_H */ > Regards, -Denis