[gnutls-help] GnuTLS cryptographic API questions

Ted Zlatanov tzz at lifelogs.com
Wed Mar 29 19:26:38 CEST 2017


Hello! I am evaluating the integration of the GnuTLS cryptographic
functions into Emacs. My alternative is to use Nettle directly but I'd
rather use the GnuTLS API.

There are a few issues.

I found myself unable to list the ciphers, MACs, and digests supported.
Nettle exposes those lists but GnuTLS doesn't seem to. The problem with
an explicit list is that I end up with [1] which will be either too
limited (to support all platforms) or too aggressive. I don't think I
could maintain that list long-term, since it could change with every
GnuTLS release. How would you suggest I approach this for now?
Individual ifdefs?

I think these lists are available internally, so exposing them would be
very helpful going forward.

Also, I had to manually map the MACs to the digests; there's no way to
tell which MACs don't have associated digests. Similarly, there's no way
to tell which ciphers can be used for AEAD, but at least there's no
separate C type for AEAD ciphers. Maybe those correspondences could be
expressed by API functions so they don't have to be hard-coded?

Thanks
Ted

[1]
const gnutls_cipher_algorithm_t gnutls_ciphers[] =
  {
   GNUTLS_CIPHER_ARCFOUR_128,
   GNUTLS_CIPHER_3DES_CBC,
   GNUTLS_CIPHER_AES_128_CBC,
   GNUTLS_CIPHER_AES_256_CBC,
   GNUTLS_CIPHER_ARCFOUR_40,
   GNUTLS_CIPHER_CAMELLIA_128_CBC,
   GNUTLS_CIPHER_CAMELLIA_256_CBC,
   GNUTLS_CIPHER_AES_192_CBC,
   GNUTLS_CIPHER_AES_128_GCM,
   GNUTLS_CIPHER_AES_256_GCM,
   GNUTLS_CIPHER_CAMELLIA_192_CBC,
   GNUTLS_CIPHER_SALSA20_256,
   GNUTLS_CIPHER_ESTREAM_SALSA20_256,
   GNUTLS_CIPHER_CAMELLIA_128_GCM,
   GNUTLS_CIPHER_CAMELLIA_256_GCM,
   GNUTLS_CIPHER_RC2_40_CBC,
   GNUTLS_CIPHER_DES_CBC,
   GNUTLS_CIPHER_AES_128_CCM,
   GNUTLS_CIPHER_AES_256_CCM,
   GNUTLS_CIPHER_AES_128_CCM_8,
   GNUTLS_CIPHER_AES_256_CCM_8,
   GNUTLS_CIPHER_CHACHA20_POLY1305,
   GNUTLS_CIPHER_NULL
  };

const gnutls_mac_algorithm_t gnutls_mac_algorithms[] =
  {
   GNUTLS_MAC_MD5,
   GNUTLS_MAC_SHA1,
   GNUTLS_MAC_RMD160,
   GNUTLS_MAC_MD2,
   GNUTLS_MAC_SHA256,
   GNUTLS_MAC_SHA384,
   GNUTLS_MAC_SHA512,
   GNUTLS_MAC_SHA224,
   GNUTLS_MAC_SHA3_224,
   GNUTLS_MAC_SHA3_256,
   GNUTLS_MAC_SHA3_384,
   GNUTLS_MAC_SHA3_512,
   GNUTLS_MAC_AEAD,
   GNUTLS_MAC_UMAC_96,
   GNUTLS_MAC_UMAC_128,
   GNUTLS_MAC_NULL
  };

/* Note this list has to be the same length as gnutls_mac_algorithms! */
const gnutls_digest_algorithm_t gnutls_digest_algorithms[] =
  {
   GNUTLS_DIG_MD5,
   GNUTLS_DIG_SHA1,
   GNUTLS_DIG_RMD160,
   GNUTLS_DIG_MD2,
   GNUTLS_DIG_SHA256,
   GNUTLS_DIG_SHA384,
   GNUTLS_DIG_SHA512,
   GNUTLS_DIG_SHA224,
   GNUTLS_DIG_SHA3_224,
   GNUTLS_DIG_SHA3_256,
   GNUTLS_DIG_SHA3_384,
   GNUTLS_DIG_SHA3_512,
   GNUTLS_DIG_NULL,
   GNUTLS_DIG_NULL,
   GNUTLS_DIG_NULL,
   GNUTLS_DIG_NULL
  };
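
An added example, not part of the original message and not GnuTLS or Emacs code: the two parallel arrays in [1] must be kept the same length by hand, and one table of rows removes that hazard by pairing each MAC with its digest, or with none, in a single entry. The stand-in enums, `struct mac_entry`, the two macros and `mac_to_digest` are assumptions made for this sketch; only the `GNUTLS_MAC_*` and `GNUTLS_DIG_*` names come from the message.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in enums (constructed) so this builds without GnuTLS installed;
   with the library, delete them and include <gnutls/gnutls.h> instead. */
typedef enum { GNUTLS_MAC_NULL, GNUTLS_MAC_MD5, GNUTLS_MAC_SHA1,
               GNUTLS_MAC_SHA256, GNUTLS_MAC_AEAD, GNUTLS_MAC_UMAC_96
} gnutls_mac_algorithm_t;
typedef enum { GNUTLS_DIG_NULL, GNUTLS_DIG_MD5, GNUTLS_DIG_SHA1,
               GNUTLS_DIG_SHA256 } gnutls_digest_algorithm_t;

/* One row per MAC, so the MAC id and its digest id cannot drift apart. */
struct mac_entry {
  const char *name;
  gnutls_mac_algorithm_t mac;
  gnutls_digest_algorithm_t digest;   /* GNUTLS_DIG_NULL: no plain digest */
};
/* Both ids are generated from one token, so a row cannot be mispaired. */
#define MAC_WITH_DIGEST(n) { #n, GNUTLS_MAC_##n, GNUTLS_DIG_##n }
#define MAC_ONLY(n)        { #n, GNUTLS_MAC_##n, GNUTLS_DIG_NULL }

static const struct mac_entry mac_table[] = {
  MAC_WITH_DIGEST(MD5), MAC_WITH_DIGEST(SHA1), MAC_WITH_DIGEST(SHA256),
  MAC_ONLY(AEAD), MAC_ONLY(UMAC_96),
};
#define MAC_TABLE_LEN (sizeof mac_table / sizeof mac_table[0])

/* 1: digest stored in *out; 0: MAC has no digest; -1: MAC not in table. */
int mac_to_digest(gnutls_mac_algorithm_t mac, gnutls_digest_algorithm_t *out)
{
  for (size_t i = 0; i < MAC_TABLE_LEN; i++) {
    if (mac_table[i].mac != mac)
      continue;
    if (mac_table[i].digest == GNUTLS_DIG_NULL)
      return 0;
    *out = mac_table[i].digest;
    return 1;
  }
  return -1;
}

int main(void)
{
  for (size_t i = 0; i < MAC_TABLE_LEN; i++)
    printf("%-8s digest=%s\n", mac_table[i].name,
           mac_table[i].digest == GNUTLS_DIG_NULL ? "none" : "yes");
  return 0;
}
```

With the real header in place of the stand-in enums, the remaining names from [1], such as RMD160 or SHA3_256, go through `MAC_WITH_DIGEST` the same way.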


