[Swan] NetKey vs KLIPS

Wolfgang Nothdurft wolfgang at linogate.de
Fri Sep 12 12:01:33 EEST 2014


On 11.09.2014 17:43, Paul Wouters wrote:
> On Thu, 11 Sep 2014, Thomas Geulig wrote:
>
>> Subject: Re: [Swan] NetKey vs KLIPS
>>
>> On 11.09.2014 at 17:04, Lennart Sorensen wrote:
>>> Certainly simple with netkey.  Also netkey can use the kernel crypto
>>> drivers for hardware crypto which I don't think klips can.
>>
>> KLIPS is able to use the kernel crypto drivers and other crypto
>> hardware modules via OCF (see Paul's mail).
>
> There are some "native" crypto hardware drivers in the kernel, but I
> believe it is missing the cards deployed by many vendors (HiFn, safenet,
> intel). But I have not looked at the current state for netkey and those
> drivers in a while.
>
>> We still use KLIPS, and I will assist with necessary patches for the
>> foreseeable future.
>
> Great! Of course, the libreswan test suite uses both stacks but still
> has a lot more KLIPS tests than NETKEY tests.
>
> What would be useful for KLIPS would be to add the glue needed for some
> of the newer cryptoapi ciphers (sha2, aes_gcm, aes_ctr, camellia).
> Without those, devices using KLIPS won't pass some USG requirements.
>
> We haven't had the time/priority to add those yet, but would of course
> welcome any patches :)

Fortunately, I am working on this at the moment ;)

I still have some problems with sha2, but it looks good.

Wolfgang

