[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMuHMdX0ShSafh44_D7D9GW5OzxYPx1NUc4uxpsKe1jAiTsBaA@mail.gmail.com>
Date: Tue, 18 Mar 2025 11:51:16 +0100
From: Geert Uytterhoeven <geert@...ux-m68k.org>
To: David Howells <dhowells@...hat.com>
Cc: netdev@...r.kernel.org, Herbert Xu <herbert@...dor.apana.org.au>,
Marc Dionne <marc.dionne@...istor.com>, Jakub Kicinski <kuba@...nel.org>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
Trond Myklebust <trond.myklebust@...merspace.com>, Chuck Lever <chuck.lever@...cle.com>,
Eric Biggers <ebiggers@...nel.org>, Ard Biesheuvel <ardb@...nel.org>, linux-crypto@...r.kernel.org,
linux-afs@...ts.infradead.org, linux-nfs@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net 03/24] crypto: Add 'krb5enc' hash and cipher AEAD algorithm
Hi David,
On Mon, 3 Feb 2025 at 15:25, David Howells <dhowells@...hat.com> wrote:
> Add an AEAD template that does hash-then-cipher (unlike authenc that does
> cipher-then-hash). This is required for a number of Kerberos 5 encoding
> types.
>
> [!] Note that the net/sunrpc/auth_gss/ implementation gets a pair of
> ciphers, one non-CTS and one CTS, using the former to do all the aligned
> blocks and the latter to do the last two blocks if they aren't also
> aligned. It may be necessary to do this here too for performance reasons -
> but there are considerations both ways:
>
> (1) firstly, there is an optimised assembly version of cts(cbc(aes)) on
> x86_64 that should be used instead of having two ciphers;
>
> (2) secondly, none of the hardware offload drivers seem to offer CTS
> support (Intel QAT does not, for instance).
>
> However, I don't know if it's possible to query the crypto API to find out
> whether there's an optimised CTS algorithm available.
>
> Signed-off-by: David Howells <dhowells@...hat.com>
Thanks for your patch, which is now commit d1775a177f7f3815 ("crypto:
Add 'krb5enc' hash and cipher AEAD algorithm") in crypto/master.
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -228,6 +228,18 @@ config CRYPTO_AUTHENC
>
> This is required for IPSec ESP (XFRM_ESP).
>
> +config CRYPTO_KRB5ENC
> + tristate "Kerberos 5 combined hash+cipher support"
> + select CRYPTO_AEAD
> + select CRYPTO_SKCIPHER
> + select CRYPTO_MANAGER
> + select CRYPTO_HASH
> + select CRYPTO_NULL
> + help
> + Combined hash and cipher support for Kerberos 5 RFC3961 simplified
> + profile. This is required for Kerberos 5-style encryption, used by
> + sunrpc/NFS and rxrpc/AFS.
Hence shouldn't the latter (e.g. RPCSEC_GSS_KRB5) select CRYPTO_KRB5ENC
or CRYPTO_KRB5? Or am I missing something?
Thanks!
> +
> config CRYPTO_TEST
> tristate "Testing module"
> depends on m || EXPERT
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
Powered by blists - more mailing lists