From: Geert Uytterhoeven <geert@linux-m68k.org>
To: David Howells <dhowells@redhat.com>
Cc: netdev@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>,
Marc Dionne <marc.dionne@auristor.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Trond Myklebust <trond.myklebust@hammerspace.com>,
Chuck Lever <chuck.lever@oracle.com>,
Eric Biggers <ebiggers@kernel.org>,
Ard Biesheuvel <ardb@kernel.org>,
linux-crypto@vger.kernel.org, linux-afs@lists.infradead.org,
linux-nfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH net 03/24] crypto: Add 'krb5enc' hash and cipher AEAD algorithm
Date: Tue, 18 Mar 2025 11:51:16 +0100 [thread overview]
Message-ID: <CAMuHMdX0ShSafh44_D7D9GW5OzxYPx1NUc4uxpsKe1jAiTsBaA@mail.gmail.com> (raw)
In-Reply-To: <20250203142343.248839-4-dhowells@redhat.com>
Hi David,
On Mon, 3 Feb 2025 at 15:25, David Howells <dhowells@redhat.com> wrote:
> Add an AEAD template that does hash-then-cipher (unlike authenc that does
> cipher-then-hash). This is required for a number of Kerberos 5 encoding
> types.
>
> [!] Note that the net/sunrpc/auth_gss/ implementation gets a pair of
> ciphers, one non-CTS and one CTS, using the former to do all the aligned
> blocks and the latter to do the last two blocks if they aren't also
> aligned. It may be necessary to do this here too for performance reasons -
> but there are considerations both ways:
>
> (1) firstly, there is an optimised assembly version of cts(cbc(aes)) on
> x86_64 that should be used instead of having two ciphers;
>
> (2) secondly, none of the hardware offload drivers seem to offer CTS
> support (Intel QAT does not, for instance).
>
> However, I don't know if it's possible to query the crypto API to find out
> whether there's an optimised CTS algorithm available.
>
> Signed-off-by: David Howells <dhowells@redhat.com>
Thanks for your patch, which is now commit d1775a177f7f3815 ("crypto:
Add 'krb5enc' hash and cipher AEAD algorithm") in crypto/master.
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -228,6 +228,18 @@ config CRYPTO_AUTHENC
>
> This is required for IPSec ESP (XFRM_ESP).
>
> +config CRYPTO_KRB5ENC
> + tristate "Kerberos 5 combined hash+cipher support"
> + select CRYPTO_AEAD
> + select CRYPTO_SKCIPHER
> + select CRYPTO_MANAGER
> + select CRYPTO_HASH
> + select CRYPTO_NULL
> + help
> + Combined hash and cipher support for Kerberos 5 RFC3961 simplified
> + profile. This is required for Kerberos 5-style encryption, used by
> + sunrpc/NFS and rxrpc/AFS.
Hence shouldn't the latter (e.g. RPCSEC_GSS_KRB5) select CRYPTO_KRB5ENC
or CRYPTO_KRB5? Or am I missing something?
Thanks!
> +
> config CRYPTO_TEST
> tristate "Testing module"
> depends on m || EXPERT
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
next prev parent reply other threads:[~2025-03-18 10:51 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-03 14:23 [PATCH net 00/24] net/rxrpc, crypto: Add Kerberos crypto lib and AF_RXRPC GSSAPI security class David Howells
2025-02-03 14:23 ` [PATCH net 01/24] crypto/krb5: Add API Documentation David Howells
2025-02-03 14:23 ` [PATCH net 02/24] crypto/krb5: Add some constants out of sunrpc headers David Howells
2025-02-03 14:23 ` [PATCH net 03/24] crypto: Add 'krb5enc' hash and cipher AEAD algorithm David Howells
2025-02-07 8:56 ` Herbert Xu
2025-02-07 20:04 ` Eric Biggers
2025-02-09 17:53 ` David Howells
2025-02-09 18:37 ` David Howells
2025-02-09 19:05 ` Eric Biggers
2025-02-10 8:10 ` Herbert Xu
2025-03-18 10:51 ` Geert Uytterhoeven [this message]
2025-03-18 11:09 ` David Howells
2025-02-03 14:23 ` [PATCH net 04/24] crypto/krb5: Test manager data David Howells
2025-02-03 14:23 ` [PATCH net 05/24] crypto/krb5: Implement Kerberos crypto core David Howells
2025-02-03 14:23 ` [PATCH net 06/24] crypto/krb5: Add an API to query the layout of the crypto section David Howells
2025-02-03 14:23 ` [PATCH net 07/24] crypto/krb5: Add an API to alloc and prepare a crypto object David Howells
2025-02-03 14:23 ` [PATCH net 08/24] crypto/krb5: Add an API to perform requests David Howells
2025-02-03 14:23 ` [PATCH net 09/24] crypto/krb5: Provide infrastructure and key derivation David Howells
2025-02-03 14:23 ` [PATCH net 10/24] crypto/krb5: Implement the Kerberos5 rfc3961 " David Howells
2025-02-03 14:23 ` [PATCH net 11/24] crypto/krb5: Provide RFC3961 setkey packaging functions David Howells
2025-02-03 14:23 ` [PATCH net 12/24] crypto/krb5: Implement the Kerberos5 rfc3961 encrypt and decrypt functions David Howells
2025-02-03 14:23 ` [PATCH net 13/24] crypto/krb5: Implement the Kerberos5 rfc3961 get_mic and verify_mic David Howells
2025-02-03 14:23 ` [PATCH net 14/24] crypto/krb5: Implement the AES enctypes from rfc3962 David Howells
2025-02-03 14:23 ` [PATCH net 15/24] crypto/krb5: Implement the AES enctypes from rfc8009 David Howells
2025-02-03 14:23 ` [PATCH net 16/24] crypto/krb5: Implement the Camellia enctypes from rfc6803 David Howells
2025-02-03 14:23 ` [PATCH net 17/24] crypto/krb5: Implement crypto self-testing David Howells
2025-02-03 14:23 ` [PATCH net 18/24] rxrpc: Pull out certain app callback funcs into an ops table David Howells
2025-02-03 14:23 ` [PATCH net 19/24] rxrpc: Pass CHALLENGE packets to the call for recvmsg() to respond to David Howells
2025-02-03 14:23 ` [PATCH net 20/24] rxrpc: Add the security index for yfs-rxgk David Howells
2025-02-06 9:54 ` Jeffrey Altman
2025-02-03 14:23 ` [PATCH net 21/24] rxrpc: Add YFS RxGK (GSSAPI) security class David Howells
2025-02-03 14:23 ` [PATCH net 22/24] rxrpc: rxgk: Provide infrastructure and key derivation David Howells
2025-02-03 14:23 ` [PATCH net 23/24] rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI) David Howells
2025-02-03 14:23 ` [PATCH net 24/24] rxrpc: rxgk: Implement connection rekeying David Howells
2025-02-03 14:51 ` [PATCH net 00/24] net/rxrpc, crypto: Add Kerberos crypto lib and AF_RXRPC GSSAPI security class David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMuHMdX0ShSafh44_D7D9GW5OzxYPx1NUc4uxpsKe1jAiTsBaA@mail.gmail.com \
--to=geert@linux-m68k.org \
--cc=ardb@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=ebiggers@kernel.org \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).