[PATCH] Use Intel AES instruction set if it exists.

Andreas Schneider asn at samba.org
Fri Sep 1 06:49:42 UTC 2017

On Thursday, 31 August 2017 22:32:36 CEST Jeremy Allison wrote:
> This is somewhat of a "go faster" switch for Samba
> with SMB1/2/3 signing and encryption.
> Originally developed by Justin @ Netgear this
> adds the Intel AES instruction set code from
> the Linux kernel into third_party (it's GPLv2+
> so the licensing is good).

I've discussed this already with Metze when I implemented support for MS 
Catalog Files last year. We are currently using GnuTLS for various things 
inside of Samba (backupkey, TLS).

GnuTLS uses the nettle crypto library [1] which has a very nice and clean API. 
It has support for AES NI and also other improvements. It also supports some 
other crypto functions we use and it is easy to get code upstream.

I would really prefer to use a crypto library for this stuff instead of 
rolling out our own crypto. It also makes it harder for people who maintain 
packages in distributions, because then Samba is implementing crypto and we 
have a harder time to get it certified or FIPS compliant.

So please before pushing this, look at libnettle! We have a file:


which has a summary what we need and crypto libraries provide!

Please see that as a NAK till you looked into libnettle and can convince me 
that doing our own crypto is better. We aren't cryptographers and we should 
not maintain a crypto library.

Just my 2 cents,


P.S.: Jeremy, the nettle maintainer is a collegue of yours!

[1] http://www.lysator.liu.se/~nisse/nettle/

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org

More information about the samba-technical mailing list