Anyone managed to build a static gssd?
Rick Macklem
rmacklem at uoguelph.ca
Mon Jan 8 13:52:51 UTC 2018
Garrett Wollman wrote:
[good stuff snipped]
> What would it take to get AES support?
Good question. Unfortunately I don't know the answer.
(I shouldn't have blamed RPCSEC_GSS Version 1, since it isn't this spec
that is the problem, from what I know.)
1 - The kernel RPCSEC_GSS code does upcalls to the userland library for
the initialization phase (ie. GSS_Init() calls using the tokens).
--> So question #1 becomes "Does the Heimdal GSSAPI library know how
to do better checksum/encryption than was specified in the original
GSSAPI RFC?".
2 - The kernel RPCSEC_GSS code uses the session key from the GSS_Init()
handling of the tokens to do checksums/encryption. (Basically in kernel
versions of GSS_GetMIC(), GSS_VerifyMIC(), GSS_Wrap, GSS_Unwrap().)
If the answer to #1 is yes, then it might not be that much work?
3 - I have never seen any definition of what the QOPs are for better encryption
types in the GSSAPI. (Numbers that define the better checksum/encryption
algorithms.)
--> I have no idea if the NFS implementors have done anything about this.
I haven't seen discussions of it on nfsv4 at ietf.org, but it may have happened.
Without this, you'd end up with a FreeBSD specific hack that didn't
interoperate with other NFS implementation.s
In practice these days "If Linux supports it, others will too.".
If you can answer all of the above, then you probably know the answer.
It could range from some fairly minor changes to the kernel RPCSEC_GSS
code to a whole lot of work.
Maybe some Kerberos conversant folk can shed light on this? rick
More information about the freebsd-fs
mailing list