[gnutls-devel] GnuTLS | Provide high-level KDF API (#813)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sun Feb 2 18:21:10 CET 2020
Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/813#note_281041008
> Seeing how this is implemented in openssl and PKCS#11, such an API can get very messy and hard to use if everything needs to be handled.
While they have a good reason (i.e. new API addition is not easy) to provide a single API function that handles all KDF variants, I'm not sure GnuTLS needs to impose such restriction.
> Not sure if it helps, but checking what model could fit for such a demanding/extensible API, the closest I see is some function similar to gnutls_session_set_verify_cert2 with gnutls_vdata_types_t, but most likely on steroids.
I'm not a big fan of this idea, because that would move the error checking to the run time.
Given that GnuTLS (and nettle) currently only supports HKDF and PBKDF2, I propose to add 3 distinct functions for HKDF-Extract, HKDF-Expand, and PBKDF2 derivation. That way, most of the necessary parameters could be checked at compile time. Of course, it would be a problem if we support Argon2 or similar, but I don't think the number of supported KDFs explode in near future.
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/813#note_281041008
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel