[gnutls-dev] Symmetric cipher API
Sam Varshavchik
mrsam at courier-mta.com
Tue Nov 20 00:31:13 CET 2007
Werner Koch writes:
> On Mon, 19 Nov 2007 13:14, mrsam at courier-mta.com said:
>
>> input piece-meal, as an arbitrary data stream, and the EVP functions
>> take care of carving it up into block-sized chunks and feeding each
>> chunk to the cipher function. Finally, the EVP functions take care of
>
> The format of these chunks is entirely protocol dependent and thus is not
> a good choice for a low level API. You think that CMS is what everyone
> needs, I use OpenPGP more often and Joe Hacker thinks that BAR/9001 is a
> better protocol and thus wants an API to fit its outer formatting rules.

I'm not sure I understand what exactly is so protocol-dependent here. An
application needs to encrypt 900 bytes using a symmetric cipher with a block
size of 8 bytes. It looks to me like the only option here is 112,
continuous, full blocks and one partial block, using PKCS padding. That's
pretty much a standard, if there is one, and the EVP_CIPHER API that was
introduced in OpenSSL 0.9.7a greatly simplified the whole process for me, as
an application developer. It's all documented here:

http://www.openssl.org/docs/crypto/EVP_EncryptInit.html

Anyway, I wrote and tested the libgcrypt equivalent which emulates enough of
the above API to allow me to compile existing OpenSSL code that uses the
API, without any changes. As I said, it's yours for asking; and I would even
suggest turning it into a native libgcrypt API, with lightweight
OpenSSL-compatible glue; instead of just putting it into libgnutls-extra
verbatim, as is.
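
The buffering described in the message above (input arrives piece-meal, only whole blocks go to the cipher, and the tail gets PKCS padding), as an added example that is not part of the original post and is not OpenSSL or libgcrypt code. The names stream_ctx, stream_update, stream_final and encrypt_in_pieces are hypothetical, xor_block is a placeholder for the cipher's single-block function and is not a cipher, and mode chaining is left out.

```c
#include <stddef.h>
#include <string.h>

#define BLK 8  /* block size used in the message's 900-byte example */

typedef struct { unsigned char buf[BLK]; size_t used; } stream_ctx;

/* Placeholder for the cipher's one-block primitive (assumption, NOT a cipher). */
static void xor_block(unsigned char *out, const unsigned char *in) {
    for (size_t i = 0; i < BLK; i++) out[i] = in[i] ^ 0x5a;
}

/* Accept any amount of input, emit only whole blocks; returns bytes written. */
size_t stream_update(stream_ctx *c, unsigned char *out,
                     const unsigned char *in, size_t len) {
    size_t written = 0;
    while (len > 0) {
        size_t take = BLK - c->used;
        if (take > len) take = len;
        memcpy(c->buf + c->used, in, take);
        c->used += take; in += take; len -= take;
        if (c->used == BLK) {          /* a full block is ready */
            xor_block(out + written, c->buf);
            written += BLK;
            c->used = 0;
        }
    }
    return written;
}

/* PKCS padding: append n bytes of value n; a whole extra block if none is left over. */
size_t stream_final(stream_ctx *c, unsigned char *out) {
    unsigned char pad = (unsigned char)(BLK - c->used);
    memset(c->buf + c->used, pad, pad);
    xor_block(out, c->buf);
    c->used = 0;
    return BLK;
}

/* Feed `total` bytes in pieces of `piece` bytes; returns the output length.
   `out` must have room for total rounded down to a block, plus one block. */
size_t encrypt_in_pieces(unsigned char *out, const unsigned char *in,
                         size_t total, size_t piece) {
    stream_ctx c = { {0}, 0 };
    size_t n = 0;
    for (size_t off = 0; off < total; off += piece) {
        size_t len = total - off < piece ? total - off : piece;
        n += stream_update(&c, out + n, in + off, len);
    }
    return n + stream_final(&c, out + n);
}
```

For the 900-byte case the output is 904 bytes: 112 full blocks plus one block holding the last 4 data bytes and 4 padding bytes of value 4, regardless of how the caller splits the input.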