From: Jeffrey E Altman <jaltman@auristor.com>
Organization: AuriStor, Inc.
To: David Howells, Chuck Lever III
Cc: Herbert Xu, linux-afs@lists.infradead.org, Linux NFS Mailing List, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: How to get my krb5 crypto lib upstream?
Date: Wed, 31 May 2023 20:14:02 -0400
Message-ID: <83d7f550-7216-6ff4-bc8a-859e752e12a3@auristor.com>
References: <8C32DD7C-719D-4CC5-A1E3-33BCE0A7FEFF@oracle.com> <723506.1685552525@warthog.procyon.org.uk> <726863.1685563684@warthog.procyon.org.uk>
In-Reply-To: <726863.1685563684@warthog.procyon.org.uk>
X-Mailing-List: linux-crypto@vger.kernel.org

On 5/31/2023 4:08 PM, David Howells wrote:
> Fair point. In rxgk, I use key_len, key_bytes, block_len, cksum_len plus the
> name for procfs purposes. I also wonder if I need separate key_len and
> key_bytes if I'm not supporting DES (DES keys get expanded IIRC). Also, some
> of the checks I'm doing could perhaps be moved into the krb5 lib.

The "K" in RXGK is RFC3961 without support for weak ciphers. No DES, no 3DES and no RC4-HMAC. DES keys are never expanded.

The supported ciphers are

* aes128-cts-hmac-sha1-96 (RFC3962)
* aes256-cts-hmac-sha1-96 (RFC3962)
* aes128-cts-hmac-sha256-128 (RFC8009)
* aes256-cts-hmac-sha384-192 (RFC8009)

There are other Kerberos ciphers that could be used with RXGK but there are no RXGK server implementations that use them.

None of the RFC3961 ciphers or the RFC3961 interfaces support AEAD modes. Luke Howard proposed "AEAD Encryption Types for Kerberos 5" https://datatracker.ietf.org/doc/draft-howard-krb-aead/ to IETF Kitten which would add AES128 and AES256 GCM, CCM, and OCB modes.
However, there is some resistance to these additions because at the moment all RFC3961 ciphers are safe for use with long term keys and repeating cipher state; AEAD modes are not. RXGK can be constrained such that it is safe for use with AEAD modes and I would like to see Luke's draft be adopted if only because CTS-HMAC is not supported by Intel QAT and GCM is. Adoption of Luke's draft would not only benefit AuriStorFS but NFSv4 gss-krb5 as well.

My suggestion is that the kernel should provide an RFC3961 API for use by gss_krb5 applications. AEAD modes can be added to that if and when Luke's draft is adopted.

Jeffrey Altman
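Added example, not code from this thread, from AuriStor, or from the kernel's krb5 library: a stand-alone Go implementation of aes128-cts-hmac-sha256-128, the first RFC8009 enctype in the list above, built the way the RFC specifies it over the RFC3961 simplified profile. It derives Ke and Ki with KDF-HMAC-SHA2, runs AES in CBC with ciphertext stealing (RFC3962 CS3) from an all-zero initial cipher state, prepends a random 16-byte confounder, and appends HMAC-SHA-256 over state-plus-ciphertext truncated to 128 bits. It uses only the Go standard library; the function names and constants are the example's own, and it is checked here by round trip, tamper rejection and a CTS consistency check, not against the published test vectors in RFC8009 Appendix A, which anyone implementing this for real should also run. The "repeating cipher state" point from the message is visible in Encrypt: the cipher state is fixed at zero and uniqueness comes from the confounder inside the encrypted data, so there is no nonce for a caller to reuse, unlike GCM, where a repeated key and nonce pair reveals the XOR of the two plaintexts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// aes128-cts-hmac-sha256-128 (RFC 8009): AES-128 block, 128-bit Ke and Ki, HMAC-SHA-256 truncated to 16 bytes.
const bs, keyBits, cksumLen = aes.BlockSize, 128, 16

// kdf is KDF-HMAC-SHA2 (RFC 8009 s.3): k-truncate(HMAC-SHA-256(base, 0x00000001 | usage | tag | 0x00 | k)).
// tag is 0xAA for Ke and 0x55 for Ki; one HMAC output suffices because k (128) is below the hash length.
func kdf(base []byte, usage uint32, tag byte) []byte {
	mac, be := hmac.New(sha256.New, base), make([]byte, 4)
	binary.BigEndian.PutUint32(be, 1)
	mac.Write(be)
	binary.BigEndian.PutUint32(be, usage)
	mac.Write(be)
	mac.Write([]byte{tag, 0x00})
	binary.BigEndian.PutUint32(be, keyBits)
	mac.Write(be)
	return mac.Sum(nil)[:keyBits/8]
}

// cbcCS3Encrypt is CBC with ciphertext stealing (RFC 3962 s.5, CS3): no padding on the wire,
// len(out) == len(pt) >= 16, and the last two ciphertext blocks are swapped.
func cbcCS3Encrypt(b cipher.Block, iv, pt []byte) []byte {
	n := (len(pt) + bs - 1) / bs
	padded := make([]byte, n*bs) // zero-pad the final partial block; the padding is never transmitted
	copy(padded, pt)
	ct := make([]byte, n*bs)
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(ct, padded)
	if n == 1 {
		return ct
	}
	d := len(pt) - bs*(n-1)                        // bytes in the final block, 1..16
	out := append([]byte{}, ct[:(n-2)*bs]...)      // C_1 .. C_{n-2}
	out = append(out, ct[(n-1)*bs:]...)            // C_n
	return append(out, ct[(n-2)*bs:(n-2)*bs+d]...) // C_{n-1} truncated to d bytes
}

// cbcCS3Decrypt rebuilds the ordinary CBC chain from the swapped blocks, then inverts it.
func cbcCS3Decrypt(b cipher.Block, iv, ct []byte) []byte {
	n, pt := (len(ct)+bs-1)/bs, make([]byte, len(ct))
	if n == 1 {
		cipher.NewCBCDecrypter(b, iv).CryptBlocks(pt, ct)
		return pt
	}
	d := len(ct) - bs*(n-1)
	cn, tail := ct[(n-2)*bs:(n-1)*bs], ct[(n-1)*bs:]
	dn := make([]byte, bs)
	b.Decrypt(dn, cn) // D(C_n) = C_{n-1} XOR (P_n | zero padding)
	chain := append(append(append([]byte{}, ct[:(n-2)*bs]...), tail...), dn[d:]...) // C_1 .. C_{n-1} restored
	cipher.NewCBCDecrypter(b, iv).CryptBlocks(pt[:(n-1)*bs], chain)
	for i := 0; i < d; i++ {
		pt[(n-1)*bs+i] = dn[i] ^ tail[i] // P_n = D(C_n)[:d] XOR C_{n-1}[:d]
	}
	return pt
}

// Encrypt follows RFC 8009 s.5: C = CBC-CS3(Ke, IV=0, confounder | plaintext); output is C | HMAC(Ki, IV | C)[:16].
// The fresh random confounder, not a caller-managed nonce, is what keeps repeated encryptions unrelated.
func Encrypt(base []byte, usage uint32, plaintext []byte) ([]byte, error) {
	b, _ := aes.NewCipher(kdf(base, usage, 0xAA)) // Ke is always 16 bytes, so NewCipher cannot fail
	buf := make([]byte, bs+len(plaintext))         // confounder | plaintext
	if _, err := rand.Read(buf[:bs]); err != nil {
		return nil, err
	}
	copy(buf[bs:], plaintext)
	iv := make([]byte, bs) // initial cipher state is all zeros
	c := cbcCS3Encrypt(b, iv, buf)
	mac := hmac.New(sha256.New, kdf(base, usage, 0x55)) // Ki
	mac.Write(iv)
	mac.Write(c)
	return append(c, mac.Sum(nil)[:cksumLen]...), nil
}

// Decrypt verifies the truncated HMAC in constant time before any decryption, then drops the confounder.
func Decrypt(base []byte, usage uint32, msg []byte) ([]byte, error) {
	if len(msg) < bs+cksumLen {
		return nil, errors.New("message too short")
	}
	c, tag := msg[:len(msg)-cksumLen], msg[len(msg)-cksumLen:]
	iv := make([]byte, bs)
	mac := hmac.New(sha256.New, kdf(base, usage, 0x55))
	mac.Write(iv)
	mac.Write(c)
	if !hmac.Equal(tag, mac.Sum(nil)[:cksumLen]) {
		return nil, errors.New("integrity check failed")
	}
	b, _ := aes.NewCipher(kdf(base, usage, 0xAA))
	return cbcCS3Decrypt(b, iv, c)[bs:], nil
}
```

Because Ki is derived from the key-usage number, Decrypt also rejects a message presented under a different usage than it was encrypted with; the checksum is verified over the whole ciphertext before a single block is decrypted, which is the ordering a kernel RFC3961 API should preserve as well.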