Review of AEAD Encryption API Project; concluding December 5, 2008
Nicolas.Williams at sun.com
Mon Dec 1 16:18:53 EST 2008
On Mon, Dec 01, 2008 at 04:01:02PM -0500, Sam Hartman wrote:
> Nicolas> That's not the problem. The problem is that in that
> Nicolas> example there are two large chunks of data that will be
> Nicolas> directly placed into different destinations.
>
> If you know where the header and trailer are, then don't use the
> stream cryptotype.

I'm not sure I follow.

> Nicolas> Think of a pattern like: crypto header, app header, app
> Nicolas> data, app header, app data, ..., crypto trailer, MIC.
>
> I would not use stream for this pattern.

What would you do?

> Nicolas> I understand that, but please don't paint yourselves into
> Nicolas> a corner on this.
>
> >> I think expanding the API in the future would be easy from an
> >> interface standpoint. I think that the current behavior is to
> >> return an error if you pass in multiple stream buffers, so you
> >> can tell which API you have.
>
> Nicolas> Make sure the same applies to the GSS-API extensions.
>
> I have not reviewed that code yet, but I think the same is true of the
> iov GSS extension.

Makes sense. I'll look at that too.