On 24 Mar 2010, at 19:59, Andrew Deason wrote:
>
> Simon or someone else can feel free to correct me... but you need to be
> doing this in the kernel[0], which rules out OpenSSL (as I understand
> it). The only feasible options I remember being discussed were Heimdal's
> hcrypto or something in-tree like Marcus' k5ssl.

As I posted here in October last year, OpenAFS's long term crypto plans centre around Heimdal's libhcrypto. libhcrypto supports an EVP style interface, which means it will be relatively straightforward to replace it with OpenSSL for userspace applications, and should be possible to replace it with native kernel crypto operations on platforms where those are available.

We don't have any interest in maintaining our own crypto library - so we're unlikely to import the crypto portions of k5ssl, and we wouldn't want GSoC code targeted against this.

> [0] It is technically possible to do the encryption in user-space, if
> you call out to a userspace binary like we do for afsdb lookups. In the
> long run, that approach becomes infeasible...

You definitely wouldn't want to do the block ciphering in userspace - the amount of data being thrown across the kernel/userspace boundary would be insane. It is possible, however, that we might want to do the public key encryption of the per-file-key in a userspace callout.

Cheers,

Simon.

_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
