Review of AEAD Encryption API Project; concluding December 5, 2008
Nicolas.Williams at sun.com
Mon Dec 1 13:07:52 EST 2008
For the decrypt side I think you need the option for:
1. One or more buffers of type KRB5_CRYPTO_TYPE_STREAM
Instead of exactly one KRB5_CRYPTO_TYPE_STREAM chunk.
The reason is that the peer may be sending data split into multiple
chunks. Think of applications like RDDP, where the sender has used
the IOV AEAD API and laid out the encrypted results and MICs of
complex data structures such that each piece will end up in the right
place on the receiving side.
2. Zero or more buffers of type KRB5_CRYPTO_TYPE_SIGN_ONLY
3. One or more buffers of type KRB5_CRYPTO_TYPE_DATA to hold the output
Instead of exactly one KRB5_CRYPTO_TYPE_DATA chunk.
The sizes of the input and output chunks should be matched for best
More information about the krbdev