    SUNRPC: Improve Kerberos confounder generation · 7f675ca7
    Chuck Lever authored
    Other common Kerberos implementations use a fully random confounder
    for encryption. The reason for this is explained in the new comment
    added by this patch. The current get_random_bytes() implementation
    does not exhaust system entropy.
    
    Since confounder generation is part of Kerberos itself rather than
    the GSS-API Kerberos mechanism, the function is renamed and moved.
    
    Note that light top-down analysis shows that the SHA-1 transform
    is by far the most CPU-intensive part of encryption. Thus we do not
    expect this change to result in a significant performance impact.
    However, eventually it might be necessary to generate an independent
    stream of confounders for each Kerberos context to help improve I/O
    parallelism.
    Reviewed-by: Simo Sorce <simo@redhat.com>
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
gss_krb5_mech.c 16.1 KB