From: David Howells <dhowells@redhat.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: dhowells@redhat.com, Chuck Lever <chuck.lever@oracle.com>,
Trond Myklebust <trond.myklebust@hammerspace.com>,
"David S. Miller" <davem@davemloft.net>,
Marc Dionne <marc.dionne@auristor.com>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
linux-crypto@vger.kernel.org, linux-afs@lists.infradead.org,
linux-nfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH 2/8] crypto/krb5: Provide Kerberos 5 crypto through AEAD API
Date: Fri, 10 Jan 2025 11:09:49 +0000 [thread overview]
Message-ID: <1488634.1736507389@warthog.procyon.org.uk> (raw)
In-Reply-To: <Z4D2uC-kcSzQJS-H@gondor.apana.org.au>
Herbert Xu <herbert@gondor.apana.org.au> wrote:
> On Fri, Jan 10, 2025 at 10:26:38AM +0000, David Howells wrote:
> >
> > However the point of having a library is to abstract those details from the
> > callers. You wanted me to rewrite the library as AEAD algorithms, which I
> > have done as far as I can. This makes the object for each kerberos enctype
> > look the same from the PoV of the clients.
>
> I think there is some misunderstanding here. For a library outside
> of the Crypto API you can do whatever you want.
>
> I only suggested AEAD because I thought you wanted to bring this within
> the Crypto API.
Not precisely. What I (and Chuck when I discussed it with him) were thinking
is that the kerberos crypto stuff probably belongs in the crypto/ *directory*
rather than in the net/ directory - but not necessarily as part of the crypto
API. It mediates use of the crypto API on the part of its users (probably
just sunrpc and rxrpc's rxgk).
That said, I kind of like the implementation of the pure crypto part as AEAD
crypto algorithms as it provides a number of advantages:
(1) The client can be given a single AEAD object to use for each usage and
call the encrypt and decrypt on that directly, no matter what enctype or
mode of operation it is doing.
Of course, it's not quite so simple that I can just share the code for
encrypt-mode and checksum-mode at the client level (eg. rxgk). In the
former, some metadata is placed in the message; in the latter it's just
added into the hash.
(2) The AEAD object looks after inserting the checksum into the right place
for the enctype, which means the client doesn't have to do that and could
therefore more easily asynchronise it through the crypto API.
(3) Since these do just the crypto and not the laying out, it may be feasible
to substitute the AES2 encrypt-mode kerberos AEAD driver with an
authenc() AEAD object.
(4) The possibility exists of providing optimised drivers to directly
substitute the kerberos AEAD algorithms.
David
next prev parent reply other threads:[~2025-01-10 11:10 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-10 1:03 [RFC PATCH 0/8] crypto: Add generic Kerberos library with crypto as AEAD algorithms David Howells
2025-01-10 1:03 ` [RFC PATCH 1/8] crypto/krb5: Add some constants out of sunrpc headers David Howells
2025-01-10 1:03 ` [RFC PATCH 2/8] crypto/krb5: Provide Kerberos 5 crypto through AEAD API David Howells
2025-01-10 5:50 ` Eric Biggers
2025-01-10 7:13 ` David Howells
2025-01-10 9:47 ` Ard Biesheuvel
2025-01-10 14:33 ` David Howells
2025-01-10 9:48 ` Herbert Xu
2025-01-10 10:26 ` David Howells
2025-01-10 10:30 ` Herbert Xu
2025-01-10 11:09 ` David Howells [this message]
2025-01-17 8:13 ` David Howells
2025-01-17 8:30 ` David Howells
2025-01-10 10:02 ` Herbert Xu
2025-01-10 10:39 ` David Howells
2025-01-10 10:42 ` Herbert Xu
2025-01-10 18:22 ` Jeffrey E Altman
2025-01-10 1:03 ` [RFC PATCH 3/8] crypto/krb5: Test manager data David Howells
2025-01-10 1:03 ` [RFC PATCH 4/8] rxrpc: Add the security index for yfs-rxgk David Howells
2025-01-10 1:03 ` [RFC PATCH 5/8] rxrpc: Add YFS RxGK (GSSAPI) security class David Howells
2025-01-10 1:03 ` [RFC PATCH 6/8] rxrpc: rxgk: Provide infrastructure and key derivation David Howells
2025-01-10 1:03 ` [RFC PATCH 7/8] rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI) David Howells
2025-01-10 1:03 ` [RFC PATCH 8/8] rxrpc: rxgk: Implement connection rekeying David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1488634.1736507389@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=chuck.lever@oracle.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox