Review of AEAD Encryption API Project; concluding December 5, 2008

Mon Dec 1 13:07:52 EST 2008

For the decrypt side I think you need the option for:

1. One or more buffers of type KRB5_CRYPTO_TYPE_STREAM

   Instead of exactly one KRB5_CRYPTO_TYPE_STREAM chunk.

   The reason is that the peer may be sending data split into multiple
   chunks.  Think of applications like RDDP, where the sender has used
   the IOV AEAD API and laid out the encrypted results and MICs of
   complex data structures such that each piece will end up in the right
   place on the receiving side.

2. Zero or more buffers of type KRB5_CRYPTO_TYPE_SIGN_ONLY
3. One or more buffers of type KRB5_CRYPTO_TYPE_DATA to hold the output 

   Instead of exactly one KRB5_CRYPTO_TYPE_DATA chunk.

   The sizes of the input and output chunks should be matched for best
   results.

Nico
-- 