Review of AEAD Encryption API Project; concluding December 5, 2008
Love Hörnquist Åstrand
lha at kth.se
Mon Dec 1 13:29:41 EST 2008
I've not revived AEAD Encryption API, will try to do that later this
> For the decrypt side I think you need the option for:
> 1. One or more buffers of type KRB5_CRYPTO_TYPE_STREAM
> Instead of exactly one KRB5_CRYPTO_TYPE_STREAM chunk.
> The reason is that the peer may be sending data split into multiple
> chunks. Think of applications like RDDP, where the sender has used
> the IOV AEAD API and laid out the encrypted results and MICs of
> complex data structures such that each piece will end up in the
> place on the receiving side.
What would be reason to use TYPE_STREAM instead of the old api's ?
> 2. Zero or more buffers of type KRB5_CRYPTO_TYPE_SIGN_ONLY
> 3. One or more buffers of type KRB5_CRYPTO_TYPE_DATA to hold the
> Instead of exactly one KRB5_CRYPTO_TYPE_DATA chunk.
> The sizes of the input and output chunks should be matched for best
I think there should be zero or more of both for of them. It seems
strange to need to include a zero length DATA when I want to send an
empty message with only a header.
More information about the krbdev