[gnutls-dev] Symmetric cipher API

Sam Varshavchik mrsam at courier-mta.com
Tue Nov 20 00:31:13 CET 2007


Werner Koch writes:

> On Mon, 19 Nov 2007 13:14, mrsam at courier-mta.com said:
> 
>> input piece-meal, as an arbitrary data stream, and the EVP functions
>> take care of carving it up into block-sized chunks and feeding each
>> chunk to the cipher function. Finally, the EVP functions take care of
> 
> The format of these chunks is entirely protocol depended and thus is not
> a good choice for a low level API.  You think that CMS is what everyone
> needs, I use OpenPGP more often and Joe Hacker thinks that BAR/9001 is a
> better protocol and thus wants an API to fit its outer formatting rules.

I'm not sure I understand what exactly is so protocol-dependent here. An 
application needs to encrypt 900 bytes using a symmetric cipher with a block 
size of 8 bytes. It looks to me like the only option here is 112, 
continuous, full blocks and one partial block, using PKCS padding. That's 
pretty much a standard, if there is one, and the EVP_CIPHER API that was 
introduced in OpenSSL 0.9.7a greatly simplified the whole process for me, as 
an application developer. It's all documented here: 
http://www.openssl.org/docs/crypto/EVP_EncryptInit.html

Anyway, I wrote and tested the libgcrypt equivalent which emulates enough of 
the above API to allow me to compile existing OpenSSL code that uses the 
API, without any changes. As I said, it's yours for asking; and I would even 
suggest turning it into a native libgcrypt API, with lightweight 
OpenSSL-compatible glue; instead of just putting it into libgnutls-extra 
verbatim, as is.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20071119/c25258ad/attachment.pgp 


More information about the Gnutls-dev mailing list