OpenBSD Cryptographic Framework

Content sourced from Wikipedia, licensed under CC BY-SA 3.0.

OpenBSD’s Cryptographic Framework (OCF) is a system layer that lets the operating system manage cryptographic hardware in a uniform way. It has been part of OpenBSD since 2000 and has been ported to FreeBSD, NetBSD, Solaris, and Linux. One Linux port is supported by Intel to provide hardware-accelerated SSL for Apache.

Cryptographic workloads are computationally intensive, so hardware accelerators can speed them up and hardware random number generators can improve randomness. Because hardware cryptography had not been widely adopted in the past, there was a need for a single operating-system layer to mediate between applications and the hardware.

OCF provides a standard interface so applications don’t need to know the hardware details. In OpenBSD, the old /dev/crypto interface was replaced in OpenBSD 5.7 with the crypto_ system calls.

OpenBSD also improved IPsec to allow packets to be decoded in batches, boosting throughput. Batch processing makes hardware use more efficient, and even software implementations benefit. If a hardware RNG is available (for example in many Intel i386 motherboards), it can supply entropy for IPsec.

Because OpenSSL uses OCF, hardware that supports RSA, DH, or DSA is used automatically when available, without changing the software.

Security note: In December 2010, an allegation about FBI backdoors in OCF prompted an invitation to review the code. No backdoors were found; bugs were fixed after the review.

Solaris has its own unrelated Solaris Cryptographic Framework.


This page was last edited on 3 February 2026, at 02:56 (CET).