Coda File System

Re: RFC: package checking via pkg-config

From: Greg Troxel <gdt_at_ir.bbn.com>
Date: Wed, 23 May 2007 07:40:47 -0400

Jan Harkes <jaharkes_at_cs.cmu.edu> writes:

> So linking against another library (such as openssl, gnutls, matrixssl,
> nettle) is only useful if they happen to provide an assembly optimized
> implementation. I really haven't checked if any of them do and probably
> at that time openssl pretty much was the only candidate.

This understates the benefit in two ways:

a) openssl on a number of systems provides hardware acceleration.
NetBSD (and I think this came from OpenBSD) has an interface for
hardware crypto that can be used in the kernel and from userland, and
openssl uses it.  This is an example of optimizations in the crypto
package that would have been used with coda that you haven't even heard
about.

b) It's good to have separate maintenance of things that can be
separate, and not have coda have to do it all.  Clearly coda isn't
overflowing with spare hours of effort, and simply using (always) what
is the standard crypto library seems like a clear win.

All that said, I must admit I'm not wild about openssl, but for all its
warts it is the standard approach and I do not see anywhere near enough
reason for coda to not simply use it (always, removing the local
implementation).

FWIW, openssl is part of the base system on the BSDs.

> RPC2 uses AES and includes the public domain reference implementation,
> so it doesn't depend on any external libraries. What is more interesting
> there is that I included (a subset of) the official testvectors from the
> RFC. If anyone replaces AES with a better implementation, those
> testvectors should catch problems whenever RPC2 is initialized.

Sure, but once one depends on something like openssl, they surely
already have such tests.  At least I do not hear about bugs in
mainstream algorithms being discovered in openssl implementations.

I think coda in general suffers from doing things again in its own way
rather than leveraging standard approaches and code.  This is
understandable given the long history and early roots.  Besides external
crypto libraries, I think it's a bug that coda has its own
authentication scheme.  It's really just N-S, and Kerberos for example
has had far more analysis.

Received on 2007-05-23 07:41:46