The /dev/crypto device (aka CryptoDev) is a way for userspace processes to use cryptographic algorithms provided by kernel CryptoAPI modules. For example, a process that needs to AES-encrypt some data can either:
Although in most cases using an external library for cryptographic tasks would be the best option, sometimes it may come in handy to have a kernel interface for it as well. Using it, one may create really lightweight programs (see cryptodev-demo.c) that support cryptography without any additional libraries.
The CryptoDev was originally introduced in OpenBSD (at least as far as I know :-), later ported to FreeBSD and on this page you can find my port for Linux 2.6. Because kernel internals differ a lot between BSD and Linux I only attempted to keep the API (i.e. the semantics used when talking with /dev/crypto) and wrote the driver itself from scratch.
To enable the /dev/crypto device, patch your kernel with the following patch and configure with
make && make install.
The module takes two parameters:
The parameters can be changed even when the module is already loaded by writing to /sys/module/cryptodev/{enable_stats,verbosity}.
The basic structure of a program using CryptoDev is as follows:

    fd = open("/dev/crypto");
    ioctl(fd, CIOCGSESSION);
    ioctl(fd, CIOCRYPT);
    [... repeat CIOCRYPT ioctls ...]
    ioctl(fd, CIOCFSESSION);
    close(fd);

On OpenBSD the file descriptor must be cloned before actually using it. This is also supported on Linux, but not required:

    fd = open("/dev/crypto");
    ioctl(fd, CRIOGET, &fd_new);
    ioctl(fd_new, CIOCGSESSION);
    ioctl(fd_new, CIOCRYPT);
    [... repeat CIOCRYPT ioctls ...]
    ioctl(fd_new, CIOCFSESSION);
    close(fd_new);
    close(fd);

Of course, there are some structures floating around, but for an overview this is enough. See the following demo for details:
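The open / CIOCGSESSION / crypt / CIOCFSESSION sequence above with its structures filled in, as an added example (not the page's cryptodev-demo.c and not the author's code). It assumes the OpenBSD-style header path `<crypto/cryptodev.h>`, the OpenBSD field names of `struct session_op` and `struct crypt_op`, and the OpenBSD spelling `CIOCCRYPT` for the crypt ioctl; the function and constant names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#if defined(__has_include)  /* header path is an assumption (OpenBSD-style) */
#if __has_include(<crypto/cryptodev.h>)
#include <crypto/cryptodev.h>
#define HAVE_CRYPTODEV 1
#endif
#endif
/* AES-128-CBC known-answer vector: NIST SP 800-38A, F.2.1, first block. */
static const unsigned char NIST_KEY[16] = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
static const unsigned char NIST_IV[16]  = {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f};
static const unsigned char NIST_PT[16]  = {0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a};
static const unsigned char NIST_CT[16]  = {0x76,0x49,0xab,0xac,0x81,0x19,0xb2,0x46,0xce,0xe9,0x8e,0x9b,0x12,0xe9,0x19,0x7d};

/* Encrypt len bytes (a multiple of 16) with a 16-byte key.
 * Returns 0 on success, -1 on any failure. */
int cryptodev_aes_cbc_encrypt(const unsigned char *key, const unsigned char *iv,
                              const unsigned char *src, unsigned char *dst, size_t len)
{
    int rc = -1;
#ifdef HAVE_CRYPTODEV
    struct session_op sess;
    struct crypt_op cryp;
    int fd = open("/dev/crypto", O_RDWR);
    if (fd < 0) return -1;
    memset(&sess, 0, sizeof sess);
    sess.cipher = CRYPTO_AES_CBC; sess.keylen = 16; sess.key = (void *)key;
    if (ioctl(fd, CIOCGSESSION, &sess) == 0) {   /* kernel fills in sess.ses */
        memset(&cryp, 0, sizeof cryp);
        cryp.ses = sess.ses; cryp.op = COP_ENCRYPT; cryp.len = len;
        cryp.src = (void *)src; cryp.dst = (void *)dst; cryp.iv = (void *)iv;
        rc = ioctl(fd, CIOCCRYPT, &cryp) == 0 ? 0 : -1;
        ioctl(fd, CIOCFSESSION, &sess.ses);      /* free the session even on failure */
    }
    close(fd);
#else
    (void)key; (void)iv; (void)src; (void)dst; (void)len;
    errno = ENOSYS;                              /* built without the cryptodev header */
#endif
    return rc;
}
/* 1: kernel output matches the NIST vector; 0: /dev/crypto could not be used
 * on this machine; -1: the device returned a wrong ciphertext. */
int cryptodev_selftest(void)
{
    unsigned char out[16] = {0};
    if (cryptodev_aes_cbc_encrypt(NIST_KEY, NIST_IV, NIST_PT, out, sizeof out) != 0) return 0;
    return memcmp(out, NIST_CT, sizeof NIST_CT) == 0 ? 1 : -1;
}
```

Checking the result against a published known-answer vector confirms that the session was set up with the intended cipher and key length before any real data is sent through it.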
If you want to combine the (dis:-)advantages of using both OpenSSL and CryptoDev you may want to give the following patch a try:
(This is a bit off-topic here :-)
CryptoAPI is a Linux in-kernel infrastructure that offers cryptography to
all other subsystems. It provides a single API for accessing different
ciphers and digests.
Useful CryptoAPI-related links: