[RFC PATCH 2/8] crypto/krb5: Provide Kerberos 5 crypto through AEAD API
David Howells
dhowells at redhat.com
Fri Jan 10 02:26:38 PST 2025
Herbert Xu <herbert at gondor.apana.org.au> wrote:
> rfc8009 is basically the same as authenc. So rather than being an
> AEAD algorithm it should really be an AEAD template which takes a
> cipher and and a hash as its parameters.
That's only half true. If it's acting in checksum mode then it's not an
authenc() algo.
> In fact, you could probably use authenc directly.
However the point of having a library is to abstract those details from the
callers. You wanted me to rewrite the library as AEAD algorithms, which I
have done as far as I can. This makes the object for each kerberos enctype
look the same from the PoV of the clients.
I have plans to make the kerberos AEAD use an authenc behind the scenes rather
than a cipher plus hash where appropriate as a future evolution, but the
optimised authenc drivers (QAT for example) that I can find don't appear to
support CTS.
So I'm not sure what it is you were envisioning.
David
More information about the linux-afs
mailing list