[PATCH] Crypto use in Samba (was: Re: SMB3 encryption performance)
Volker Lendecke
Volker.Lendecke at SerNet.DE
Tue Feb 17 03:24:48 MST 2015
On Tue, Feb 17, 2015 at 10:40:26PM +1300, Andrew Bartlett wrote:
> On Tue, 2015-02-17 at 09:14 +0100, Volker Lendecke wrote:
> > On Tue, Feb 17, 2015 at 11:56:01AM +1300, Andrew Bartlett wrote:
> > > The latest unreleased version of GnuTLS seems to provide it. Also, the
> > > latest protocol version seems to use the GCM mode.
> >
> > It will take a couple of years before this trickles into the relevant
> > distros. I think we need to drop GnuTLS then and look for something
> > else. OpenSSL seems impossible because I don't think we can change our
> > license. Another one that advertises HW support is libgcrypt then. Or
> > for this special use case we might grow something on our own? This can't
> > be rocket science.
>
> I've not done the complete survey of what gcrypt supports, but while it
> appears to support the AES modes we need, they are not hardware
> accelerated (only CBC and CFM modes are). Naturally we could ask that
> they be added. I've double-checked, and they do appear to be both
> supported and hardware accelerated in gnutls GIT. Of course the
> problems you mention above make that difficult also.
>
> I realise it isn't exactly what you were aiming for (your goal primarily
> being just faster AES), but my view is that we should be getting out of
> the crypto lib business as much as possible, and so trying to find a
> library that has a sane interface, improves our performance and supports
> as much as possible of what we need.
>
> Towards that goal, perhaps someone can look over gcrypt and any other
> licence-compatible options and see if it at least covers the other
> algorithms we need, and mark it in the file?
Linux AF_ALG looks promising to me. Very likely a bit slower
than calling the instructions in user space, but probably
faster than our current software implementation. If
something else comes along, we can think of our own
abstraction layer.
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
More information about the samba-technical
mailing list