Samba and a crypto library

Andrew Bartlett abartlet at samba.org
Wed Nov 18 18:41:52 UTC 2015


On Wed, 2015-11-18 at 08:42 -0800, Jeremy Allison wrote:
> On Wed, Nov 18, 2015 at 08:03:31AM +0100, Andreas Schneider wrote:
> > On Tuesday 17 November 2015 18:02:33 Andreas Schneider wrote:
> > > Hello,
> > > 
> > > I'm currently working on migrating our MS-BRKP implementation to GnuTLS to
> > > get rid of the Heimdal dependency for MIT Kerberos support. I've already
> > > migrated everything which is certificate related to GnuTLS. However there
> > > are SHA and HMAC functions which are still used from Heimdal.
> > > 
> > > To do this I would like to add a dependency to a crypto library. As we are
> > > already using GnuTLS for some parts of the code, I would like to use GNU
> > > Nettle for the low level crypto stuff. GnuTLS depends on libnettle for the
> > > low level crypto.
> > > 
> > > https://www.lysator.liu.se/~nisse/nettle/nettle.html
> > > 
> > > https://git.lysator.liu.se/nettle/nettle
> > > 
> > > The license is LGPLv3, GPLv2 and GPLv3.
> > > 
> > > The crypto operations are mostly written in assembler and also use cpu
> > > optimized versions like aesni.
> > > 
> > > It is really up to date and implements state of the art crypto like
> > > chacha-poly1305, Curve25519 etc. The development seems active and healthy.
> > > 
> > > If we agree I would also suggest not only to use it for MS-BRKP but also
> > > replace lib/crypto in future.
> > > 
> > 
> > Ok, then I will go ahead. I guess people will start to discuss and
> > complain as 
> > soon as I remove lib/crypto ;)
> 
> I took a look at it and it seemed fine :-). Just didn't
> get chance to reply. Does it integrate with crypto-offload
> engines ?

Both it and libnettle seem to do it for some ciphers.  See
lib/crypto/REQUIREMENTS for some notes we collected earlier this year,
and see some of the other threads titled 'crypto' for the other work
that was done to use a possible pluggable API.  

In particular see:
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-smb-crypto

That said, I'm happy with just expanding our dependency on gnutls for
now.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba





