[PATCH] Crypto use in Samba (was: Re: SMB3 encryption performance)

Andrew Bartlett abartlet at samba.org
Mon Feb 16 15:56:01 MST 2015

On Mon, 2015-02-16 at 14:32 -0500, Michael Ledford wrote:
> On Sun, Feb 15, 2015 at 12:07 PM, Simo <simo at samba.org> wrote:
> > On Sun, 2015-02-15 at 17:03 +0100, Volker Lendecke wrote:
> >> Hi!
> >>
> >> My summary of your mail would be to concentrate on gnutls if we're
> >> about to code hw crypto. Ack?
> >
> > If that's what people are comfortable with, and covers all our needs, it
> > is ok by me.
>
> As I was reading documentation on GnuTLS I found it might not be a
> viable option.
>
> In Section 8, "Using GnuTLS as a cryptographic library"
> <http://www.gnutls.org/manual/gnutls.html#Using-GnuTLS-as-a-cryptographic-library>,
> of the manual it states, "GnuTLS is not a low-level cryptographic
> library..." Now they do provide an abstracted interface for some
> supported algorithms. It goes on to say in Section 8.1, "The supported
> algorithms are the algorithms required by the TLS protocol. They are
> listed in Table 3.1."
>
> Looking at Table 3.1
> <http://www.gnutls.org/manual/gnutls.html#tab_003aciphers> for the
> supported ciphers shows that it supports a limited number of
> algorithms. In the AES arena it only shows AES CBC and AES GCM.
> Unfortunately, AES CCM is not shown as supported and therefore would
> eliminate its possible use.
>
> Cheers,
> Michael

The latest unreleased version of GnuTLS seems to provide it.  Also, the
latest protocol version seems to use the GCM mode. 

Either way, this made me research what crypto we use across all of

Team: Can you review/push the attached so others can find this in the


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-lib-crypto-Document-what-crypto-code-is-used-for-and.patch
Type: text/x-patch
Size: 2309 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150217/9fff732a/attachment.bin>
