[PATCH] Use Intel AES instruction set if it exists.
Andreas Schneider
asn at samba.org
Fri Sep 1 06:49:42 UTC 2017
On Thursday, 31 August 2017 22:32:36 CEST Jeremy Allison wrote:
> This is somewhat of a "go faster" switch for Samba
> with SMB1/2/3 signing and encryption.
>
> Originally developed by Justin @ Netgear this
> adds the Intel AES instruction set code from
> the Linux kernel into third_party (it's GPLv2+
> so the licensing is good).
I've discussed this already with Metze when I implemented support for MS
Catalog Files last year. We are currently using GnuTLS for various things
inside of Samba (backupkey, TLS).
GnuTLS uses the nettle crypto library [1] which has a very nice and clean API.
It has support for AES NI and also other improvements. It also supports some
other crypto functions we use and it is easy to get code upstream.
I would really prefer to use a crypto library for this stuff instead of
rolling out our own crypto. It also makes it harder for people who maintain
packages in distributions, because then Samba is implementing crypto and we
have a harder time to get it certified or FIPS compliant.
So please before pushing this, look at libnettle! We have a file:
lib/crypto/REQUIREMENTS
which has a summary what we need and crypto libraries provide!
Please see that as a NAK till you looked into libnettle and can convince me
that doing our own crypto is better. We aren't cryptographers and we should
not maintain a crypto library.
Just my 2 cents,
Andreas
P.S.: Jeremy, the nettle maintainer is a collegue of yours!
[1] http://www.lysator.liu.se/~nisse/nettle/
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
More information about the samba-technical
mailing list