Review of AEAD Encryption API Project; concluding December 5, 2008

Nicolas Williams Nicolas.Williams at
Mon Dec 1 16:18:53 EST 2008

On Mon, Dec 01, 2008 at 04:01:02PM -0500, Sam Hartman wrote:
>     Nicolas> That's not the problem.  The problem is that in that
>     Nicolas> example there are two large chunks of data that will be
>     Nicolas> directly placed into different destinations.
> If you know where the header and trailer are, then don't use the
> stream cryptotype.

I'm not sure I follow.

>     Nicolas> Think of a pattern like: crypto header, app header, app
>     Nicolas> data, app header, app data, ..., crypto trailer, MIC.
> I would not use stream for this pattern.

What would you do?

>     Nicolas> I understand that, but please don't paint yourselves into
>     Nicolas> a corner on this.
>     >>  I think expanding the API in the future would be easy from an
>     >> interface standpoint.  I think that the current behavior is to
>     >> return an error if you pass in multiple stream buffers, so you
>     >> can tell which API you have.
>     Nicolas> Make sure the same applies to the GSS-API extensions.
> I have not reviewed that code yet, but I think the same is true of the
> iov GSS extension.

Makes sense.  I'll look at that too.

More information about the krbdev mailing list