Review of AEAD Encryption API Project; concluding December 5, 2008

Luke Howard lukeh at
Tue Nov 25 06:08:37 EST 2008

On 25/11/2008, at 9:56 AM, Love Hörnquist Åstrand wrote:

>> I split these into two projects because the krb5 layer code reached
>> stability faster than the gss-layer code.
>> The gss project has not been sent out for review yet because the
>> write-up is not quite ready.
> But if the gss api needs to change, so does probably the krb5 api ?

Possibly. The GSS stuff is implemented but untested.

>>   Love> Also, changing the API have reprocusions for Heimdal that
>>   Love> have the same API (in abstract).
>> I don't understand this comment.
> Luke used Heimdal api as a base for this, so if you change the meaning
> of stuff I want to know.

One difference is that the MIT APIs support KRB5_CRYPTO_TYPE_STREAM on  
calls to krb5_c_decrypt_iov().

The behaviour of this is similar to SSPI: the caller passes in two  
buffers, STREAM and DATA (where STREAM consists of HEADER | DATA |  
PADDING | TRAILER, ie. what krb5_c_encrypt() would return). On  
successful return DATA has a pointer to the decrypted data. (The  
caller can also pass in additional SIGN_ONLY buffers.)

-- Luke

More information about the krbdev mailing list