Re: [gnutls-dev] Symmetric cipher API

gnutls-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gnutls-dev] Symmetric cipher API

From:	Sam Varshavchik
Subject:	Re: [gnutls-dev] Symmetric cipher API
Date:	Mon, 19 Nov 2007 07:14:02 -0500

Nikos Mavrogiannopoulos writes:

On Sunday 18 November 2007, Sam Varshavchik wrote:

Recently I converted some code that uses OpenSSL's EVP_CIPHER symmetric
cipher API. I wrote a wrapper that mapped the following functions to their
gcrypt equivalents: EVP_CIPHER_CTX_init(), EVP_CIPHER_CTX_cleanup(),
EVP_(Encrypt|Decrypt)Init_ex(), EVP_(Encrypt|Decrypt)Update(), and
EVP_(Encrypt|Decrypt)Final_ex().

We could always commit something like this to the openssl compatibilityinterface. However I don't understand its use. Why did you need such wrapper?

Because I have existing OpenSSL-based code that uses this API, and there isnothing in libgcrypt that maps exactly to it.

If you are interested, I'll be happy to contribute this code. I also
thought that it's better to make this a native libgcrypt API. This should
be only a matter of renaming the function names and arguments to follow
libgcrypt's naming conventions, and all the EVP function become now just
some lightweight wrappers (or probably even macros).
Why do you think that it's better to have it as native libgcrypt API? What arethe advantages of using this api comparing to libgcrypt's? As far as Iunderstand the differences the libgcrypt's functions are safer, since youdon't directly access structures, and the internals can be changed without
breaking binary compatibility.

The wrapper code also uses only the existing published libgcrypt APIs aswell. Think of it as a higher-level API that sits on top ofgcry_cipher_encrypt and gcry_cipher_decrypt. This OpenSSL API is forsymmetric block ciphers, but the application does not have to have to supplythe input as block-sized chunks. The application supplies the inputpiece-meal, as an arbitrary data stream, and the EVP functions take care ofcarving it up into block-sized chunks and feeding each chunk to the cipherfunction. Finally, the EVP functions take care of PKCS padding, so theapplication's encrypted/decrypted data stream does not have to be a multipleof the block size.

From an application's standpoint, this API is much more convenient than just

gcry_cipher_encrypt and gcry_cipher_decrypt. There's far less low-leveldetail to worry about.

pgp0edBggjbKH.pgp
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[gnutls-dev] Symmetric cipher API, Sam Varshavchik, 2007/11/18
- Re: [gnutls-dev] Symmetric cipher API, Nikos Mavrogiannopoulos, 2007/11/19
  - Re: [gnutls-dev] Symmetric cipher API, Sam Varshavchik <=
    - Re: [gnutls-dev] Symmetric cipher API, Werner Koch, 2007/11/19
    - Re: [gnutls-dev] Symmetric cipher API, Sam Varshavchik, 2007/11/19
    - Re: [gnutls-dev] Symmetric cipher API, Werner Koch, 2007/11/20
- Re: [gnutls-dev] Symmetric cipher API, Simon Josefsson, 2007/11/25

Prev by Date: [gnutls-dev] Lack of documented standard for exporting DSA priv_keys in PKCS8 format??
Next by Date: Re: [gnutls-dev] Symmetric cipher API
Previous by thread: Re: [gnutls-dev] Symmetric cipher API
Next by thread: Re: [gnutls-dev] Symmetric cipher API
Index(es):
- Date
- Thread