[PATCH] Use Intel AES instruction set if it exists.
Andrew Bartlett
abartlet at samba.org
Fri Sep 1 09:30:04 UTC 2017
On Fri, 2017-09-01 at 08:49 +0200, Andreas Schneider via samba-
technical wrote:
> I've discussed this already with Metze when I implemented support for MS
> Catalog Files last year. We are currently using GnuTLS for various things
> inside of Samba (backupkey, TLS).
>
> GnuTLS uses the nettle crypto library [1] which has a very nice and clean API.
> It has support for AES NI and also other improvements. It also supports some
> other crypto functions we use and it is easy to get code upstream.
>
> I would really prefer to use a crypto library for this stuff instead of
> rolling out our own crypto. It also makes it harder for people who maintain
> packages in distributions, because then Samba is implementing crypto and we
> have a harder time to get it certified or FIPS compliant.
>
> So please before pushing this, look at libnettle! We have a file:
>
> lib/crypto/REQUIREMENTS
>
> which has a summary what we need and crypto libraries provide!
>
>
>
> Please see that as a NAK till you looked into libnettle and can convince me
> that doing our own crypto is better. We aren't cryptographers and we should
> not maintain a crypto library.
Andreas,
I said much the same to Jeremy when he mentioned this to me long ago in
our occasional phone calls.
As such, I strong agree, and would like to move us further towards
using GnuTLS for as much of our crypto as possible. I understand the
argument about 'working patches trump', but still don't want to be
maintaining more crypto code.
Sorry,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list