Review of AEAD Encryption API Project; concluding December 5, 2008

Love Hörnquist Åstrand lha at
Mon Dec 1 13:29:41 EST 2008


I've not revived AEAD Encryption API, will try to do that later this  

> For the decrypt side I think you need the option for:
> 1. One or more buffers of type KRB5_CRYPTO_TYPE_STREAM
>   Instead of exactly one KRB5_CRYPTO_TYPE_STREAM chunk.
>   The reason is that the peer may be sending data split into multiple
>   chunks.  Think of applications like RDDP, where the sender has used
>   the IOV AEAD API and laid out the encrypted results and MICs of
>   complex data structures such that each piece will end up in the  
> right
>   place on the receiving side.

What would be reason to use TYPE_STREAM instead of the old api's ?

> 2. Zero or more buffers of type KRB5_CRYPTO_TYPE_SIGN_ONLY
> 3. One or more buffers of type KRB5_CRYPTO_TYPE_DATA to hold the  
> output
>   Instead of exactly one KRB5_CRYPTO_TYPE_DATA chunk.
>   The sizes of the input and output chunks should be matched for best
>   results.

I think there should be zero or more of both for of them. It seems  
strange to need to include a zero length DATA when I want to send an  
empty message with only a header.


More information about the krbdev mailing list