gnutls-devel

Re: [gnutls-dev] Symmetric cipher API


From: Sam Varshavchik
Subject: Re: [gnutls-dev] Symmetric cipher API
Date: Mon, 19 Nov 2007 18:31:13 -0500

Werner Koch writes:

On Mon, 19 Nov 2007 13:14, address@hidden said:

input piece-meal, as an arbitrary data stream, and the EVP functions
take care of carving it up into block-sized chunks and feeding each
chunk to the cipher function. Finally, the EVP functions take care of

The format of these chunks is entirely protocol dependent and thus is not
a good choice for a low level API.  You think that CMS is what everyone
needs, I use OpenPGP more often and Joe Hacker thinks that BAR/9001 is a
better protocol and thus wants an API to fit its outer formatting rules.

I'm not sure I understand what exactly is so protocol-dependent here. An application needs to encrypt 900 bytes using a symmetric cipher with a block size of 8 bytes. It looks to me like the only option here is 112, continuous, full blocks and one partial block, using PKCS padding. That's pretty much a standard, if there is one, and the EVP_CIPHER API that was introduced in OpenSSL 0.9.7a greatly simplified the whole process for me, as an application developer. It's all documented here: http://www.openssl.org/docs/crypto/EVP_EncryptInit.html

Anyway, I wrote and tested the libgcrypt equivalent which emulates enough of the above API to allow me to compile existing OpenSSL code that uses the API, without any changes. As I said, it's yours for asking; and I would even suggest turning it into a native libgcrypt API, with lightweight OpenSSL-compatible glue; instead of just putting it into libgnutls-extra verbatim, as is.


Attachment: pgpYzpcRL0rOq.pgp
Description: PGP signature
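The 900-byte, 8-byte-block case from the message above, as an added example that is not part of the original post and is not OpenSSL or libgcrypt code: a streaming wrapper that accepts input in arbitrary pieces, emits only whole blocks, and applies PKCS padding in the final call. All names here (`stream_update`, `stream_final`, `demo_run`) are hypothetical, and an identity transform stands in for the cipher so the padding bytes stay visible.

```c
#include <string.h>

#define BLK 8                      /* block size used in the message */
typedef void (*block_fn)(unsigned char *out, const unsigned char *in);
struct stream { block_fn enc; unsigned char buf[BLK]; size_t used; };

/* Stand-in for a real cipher (assumption): copies the block unchanged
   so the padding bytes stay visible in the output. */
static void identity_block(unsigned char *out, const unsigned char *in) {
    memcpy(out, in, BLK);
}

/* Accept any amount of input, emit only whole blocks, hold back the rest.
   out needs room for inlen + BLK bytes. Returns bytes written. */
static size_t stream_update(struct stream *s, unsigned char *out,
                            const unsigned char *in, size_t inlen) {
    size_t written = 0;
    while (inlen > 0) {
        size_t take = BLK - s->used;
        if (take > inlen) take = inlen;
        memcpy(s->buf + s->used, in, take);
        s->used += take; in += take; inlen -= take;
        if (s->used == BLK) {
            s->enc(out + written, s->buf);
            written += BLK; s->used = 0;
        }
    }
    return written;
}

/* PKCS-style padding: n bytes of value n, a whole extra block if aligned. */
static size_t stream_final(struct stream *s, unsigned char *out) {
    unsigned char pad = (unsigned char)(BLK - s->used);
    memset(s->buf + s->used, pad, pad);
    s->enc(out, s->buf);
    s->used = 0; return BLK;
}

/* Constructed sample input (all zero bytes) and the output buffer. */
static unsigned char demo_in[1024], demo_out[1024 + BLK];
/* Feed `total` (<= 1024) bytes in `piece`-sized (> 0) writes; return output size. */
static size_t demo_run(size_t total, size_t piece) {
    struct stream s = { identity_block, {0}, 0 };
    size_t off = 0, n = 0;
    for (; off < total; off += piece)
        n += stream_update(&s, demo_out + n, demo_in + off,
                           total - off < piece ? total - off : piece);
    return n + stream_final(&s, demo_out + n);
}

int main(void) { return demo_run(900, 13) == 904 ? 0 : 1; }
```

The size of the individual writes does not change the result: 900 bytes always produce 112 full blocks plus one padded block, 904 bytes in total.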

