Review of AEAD Encryption API Project; concluding December 5, 2008
lukeh at padl.com
Tue Nov 25 06:08:37 EST 2008
On 25/11/2008, at 9:56 AM, Love Hörnquist Åstrand wrote:
>> I split these into two projects because the krb5 layer code reached
>> stability faster than the gss-layer code.
>> The gss project has not been sent out for review yet because the
>> write-up is not quite ready.
> But if the gss api needs to change, so does probably the krb5 api ?
Possibly. The GSS stuff is implemented but untested.
>> Love> Also, changing the API have reprocusions for Heimdal that
>> Love> have the same API (in abstract).
>> I don't understand this comment.
> Luke used Heimdal api as a base for this, so if you change the meaning
> of stuff I want to know.
One difference is that the MIT APIs support KRB5_CRYPTO_TYPE_STREAM on
calls to krb5_c_decrypt_iov().
The behaviour of this is similar to SSPI: the caller passes in two
buffers, STREAM and DATA (where STREAM consists of HEADER | DATA |
PADDING | TRAILER, ie. what krb5_c_encrypt() would return). On
successful return DATA has a pointer to the decrypted data. (The
caller can also pass in additional SIGN_ONLY buffers.)
More information about the krbdev