SMB3 encryption performance

Andrew Bartlett abartlet at samba.org
Tue Feb 17 14:39:58 MST 2015


On Tue, 2015-02-17 at 13:47 -0600, Steve French wrote:
> On Tue, Feb 17, 2015 at 1:40 PM, Simo <simo at samba.org> wrote:
> > On Tue, 2015-02-17 at 16:22 +0100, Volker Lendecke wrote:
> >> On Tue, Feb 17, 2015 at 04:01:38PM +0100, Andreas Schneider wrote:
> >> > On Sunday 15 February 2015 11:25:16 Volker Lendecke wrote:
> >> > > On Sat, Feb 14, 2015 at 03:41:46PM -0500, Michael Ledford wrote:
> >> > > > There are a few libraries that can provide CPU optimization for AES.
> >> > > > Here are a few which might fit.
> >> > > >
> >> > > > If you are looking for a C based library then libgcrypt
> >> > > > <http://www.gnu.org/software/libgcrypt/> might be a good choice.
> >> > >
> >> > > Thanks. I've already found libgcrypt, it seems to be part of
> >> > > the gpg suite. The question I have is broader: libcrypt,
> >> > > mozilla nss, probably some Kerberos base libs,
> >> > > open/libressl/, etc all offer AES. What do we want to put
> >> > > development effort on? Not so much a question to you,
> >> > > Michael, but rather more to the broader audience here, in
> >> > > particular for example Simo, Andrew and others involved with
> >> > > crypto.
> >> >
> >> > Forget libgcrypt, it is one of the most horrible APIs out there. It is simply
> >> > a pain for every programmer. We have libgcrypt in libssh and I want to get rid
> >> > of it.
> >> >
> >> > If you prefer something which is LGPL, then use nettle [1]. GnuTLS switched
> >> > from libgcrypt to libnettle ...
> >> >
> >> > libcrypt from OpenSSL is another options. libressl is not in any distribution
> >> > right now.
> 
> Since these are kernel interfaces ultimately, to get at hardware specific
> features, why aren't we simply wrapping the kernel crypto (which does
> detect hardware acceleration when available)?
> 
> Are these wrapper libraries stable?
> 
> http://www.chronox.de/libkcapi.html
> 
> Doesn't help for non-Linux, but I don't know how many other OS
> have hardware optimizations for AES (other than Windows and Linux)

GnuTLS looks like it uses that, but not for any of the AES modes we
want.  

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba






More information about the samba-technical mailing list