On todays ODP External call, I mentioned a weakness of the existing ODP crypto API for handling SSL/TLS data, because of the lack of
a way to specify the Seq Num - which is not in the packet - but must be the first 4 bytes included in the MAC computation. I just wanted to add that there is a possible way around this. Admittedly this approach seems a bit hacky, but... Basically the workaround is to have SW fetch the 4 byte seq num for this TLS record (from the TLS state record) and then write it just before the first byte of the record header. Usually SW will first want to record the original 4 bytes before the seq num replaces it. (in TLS/SSL this record header is a 5 byte structure), then send in the crypto request with the MAC start ptr pointing to this 4 byte seq num. When the request is completed (could be an encrypt or decrypt) then SW would generally restore the original 4 bytes, replacing the seq num Note that for application TLS records, the 4 bytes preceding the record header will often be the last 4 bytes of the TCP header, but it could also be for example the last 4 bytes of the preceding record. Thanx Barry.
_______________________________________________ lng-odp mailing list [email protected] https://lists.linaro.org/mailman/listinfo/lng-odp
