One of the first things Linus merged once he got back home was the brand
new cryptographic API written by James Morris, David S. Miller, and
Jean-François Dive, with ideas and code taken from many other places. This
patch is interesting for a couple of reasons: it is a brand-new, previously
unseen kernel crypto implementation, and it is the first time that serious
cryptographic code has been included in the mainline kernel tree. With
luck, worldwide crypto regulations will remain sane enough that this code
can stay there.
This API's purpose is to provide fast, general-purpose cryptographic
operations for the rest of the kernel. The driving need in the short term
is IPSec (which has also been partially merged), but other applications,
such as cryptographic filesystems, can also make use of this facility.
Needless to say, use in the networking and filesystem layers places some
strong performance demands on the cryptographic layer.
The new crypto API is based on the scatterlist structure, which is
used in many other parts of the I/O subsystem. Scatterlists give direct
access to the page structures describing the memory to be operated
on, below the level of the virtual memory system. Among other things, this
architecture means that data can be encrypted or decrypted "in place" in
the buffers that are used for I/O operations. It should, in other words,
be fast (if the crypto algorithms themselves are fast).
Three basic types of "transforms" are supported by this API: ciphers,
digests, and compressors. The kernel currently has implementations for DES
(including triple DES), MD4, MD5, and SHA. See Documentation/crypto/api-intro.txt
for a quick overview of how this API works.
(As a postscript: a few people have asked if this API would be made
available to user space. It would not be hard to write a system call or
pseudo-device which would export this functionality, but it is hard to
imagine why that would be useful. It would be better just to run the
crypto algorithms in user space directly).
to post comments)