[PATCH] Crypto use in Samba (was: Re: SMB3 encryption performance)

Andrew Bartlett abartlet at samba.org
Tue Feb 17 02:40:26 MST 2015

On Tue, 2015-02-17 at 09:14 +0100, Volker Lendecke wrote:
> On Tue, Feb 17, 2015 at 11:56:01AM +1300, Andrew Bartlett wrote:
> > The latest unreleased version of GnuTLS seems to provide it.  Also, the
> > latest protocol version seems to use the GCM mode. 
> It will take a couple of years before this trickles into the relevant
> distros. I think we need to drop GnuTLS then and look for something
> else. OpenSSL seems impossible because I don't think we can change our
> license. Another one that advertises HW support is libgcrypt then. Or
> for this special use case we might grow something on our own? This can't
> be rocket science.

I've not done the complete survey of what gcrypt supports, but while it
appears to support the AES modes we need, they are not hardware
accelerated (only CBC and CFM modes are).  Naturally we could ask that
they be added.  I've double-checked, and they do appear to be both
supported and hardware accelerated in gnutls GIT.  Of course the
problems you mention above make that difficult also.

I realise it isn't exactly what you were aiming for (your goal primarily
being just faster AES), but my view is that we should be getting out of
the crypto lib business as much as possible, and so trying to find a
library that has a sane interface, improves our performance and supports
as much as possible of what we need.

Towards that goal, perhaps someone can look over gcrypt and any other
licence-compatible options and see if it at least covers the other
algorithms we need, and mark it in the file?


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list