From: David Howells <dhowells@redhat.com>
To: herbert@gondor.apana.org.au, davem@davemloft.net,
trond.myklebust@hammerspace.com
Cc: dhowells@redhat.com, linux-crypto@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-afs@vger.kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: gssapi, crypto and afs/rxrpc
Date: Fri, 16 Oct 2020 17:18:26 +0100 [thread overview]
Message-ID: <1444464.1602865106@warthog.procyon.org.uk> (raw)
Hi Herbert, Dave, Trond,
I've written basic gssapi-derived security support for AF_RXRPC:
https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-rxgk
I've borrowed some bits from net/sunrpc/auth_gss/ but there's a lot in there
that is quite specific to the sunrpc module that makes it hard to use for
rxrpc (dprintk, struct xdr_buf).
Further, I've implemented some more enctypes that aren't supported yet by
gssapi (AES with sha256/sha384 and Camellia), and that requires some changes
to the handling as AES with sha384 has a 24-byte checksum size and a 24-byte
calculated key size for Kc and Ki but a 32-byte Ke.
Should I pull the core out and try to make it common? If so, should I move it
to crypto/ or lib/, or perhaps put it in net/gssapi/?
There are two components to it:
(1) Key derivation steps.
My thought is to use xdr_netobj or something similar for to communicate
between the steps (though I'd prefer to change .data to be a void* rather
than u8*).
(2) Encryption/checksumming.
My thought is to make this interface use scattergather lists[*] since
that's what the crypto encryption API requires (though not the hash API).
If I do this, should I create a "kerberos" crypto API for the data wrapping
functions? I'm not sure that it quite matches the existing APIs because the
size of the input data will likely not match the size of the output data and
it's "one shot" as it needs to deal with a checksum.
Or I can just keep my implementation separate inside net/rxrpc/.
David
[*] That said, I'm not exactly sure how the sunrpc stuff works, so this might
not work for that.
next reply other threads:[~2020-10-16 16:18 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-16 16:18 David Howells [this message]
2020-10-19 3:14 ` gssapi, crypto and afs/rxrpc Herbert Xu
2020-10-19 18:07 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1444464.1602865106@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-afs@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox