Wireshark mailing list archives
Re: Remove our bundled crypto library (in favor of Libgcrypt)?
From: Peter Wu <peter () lekensteyn nl>
Date: Sat, 11 Feb 2017 13:14:54 +0100
On Fri, Feb 10, 2017 at 12:59:46AM +0000, João Valverde wrote:
On 02/08/2017 01:40 PM, Peter Wu wrote:On Mon, Feb 06, 2017 at 03:25:40PM -0800, Guy Harris wrote:On Feb 6, 2017, at 3:17 PM, João Valverde <joao.valverde () tecnico ulisboa pt> wrote:None from me but can we use Nettle instead? Any reason not to? Word on the street is that it is more pleasant to work with than gcrypt.I am only familiar with Libgcrypt which is not that hard to use. Have you tried both libraries? What were your experiences? License-wise they are similar. Based on development activity (commit count), it seems that Nettle is mostly developed by one person while Libgcrypt has more. An actual look at the Nettle documentation shows that Nettle provides direct access to crypto routines (aes128_encrypt, aes256_encrypt, aes_decrypt, chacha_poly1305_set_key, etc.). Libgcrypt provides a more generic interface (gcry_cipher_open, gcry_cipher_encrypt) which means it is easier to use when multiple ciphers can be chosen (which is the case for SSL/TLS, IPsec, IKE). Thus, I think that it is better to stick to Libgcrypt than migrate to Nettle.I was not considering a migration from gcrypt to nettle, just choosing one of the two libraries to replace our bundled crypto. Assuming the effort required for that is similar (maybe an incorrect assumption).
The status quo is that Libgcrypt is already used in many places while nettle is only an implicit dependency (needed for GnuTLS). Since Libgcrypt and nettle are comparable in feature set, changing to nettle would be more effort and it seems better to stick to Libgcrypt. GnuTLS is only needed for parsing RSA private keys (in PEM and PCKS#8 format) in the SSL/TLS dissector, so if we find a smaller library then we could drop GnuTLS and nettle too. Looking at some other projects, I found QEMU for which you can choose nettle or Libgcrypt at compile time. They have introduced another abstraction layer for block ciphers (crypto/cipher-gcrypt.c at 382 lines, crypto/cipher-nettle.c at 553 lines). I see no great benefit from the crypto library agility, so let's not do a similar abstraction.
Nettle has an abstract interface. See for example: https://www.lysator.liu.se/~nisse/nettle/nettle.html#HMAC
Yup, also noticed further hash/cipher abstraction: 6.1.3 The struct nettle_hash abstraction 6.2.13 The struct nettle_cipher abstraction 6.4.5 The struct nettle_aead abstraction (+separate interface for weird CCM mode) I guess I will go for the easy way (Libgcrypt) unless there are more convincing arguments :-) -- Kind regards, Peter Wu https://lekensteyn.nl ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Re: Remove our bundled crypto library (in favor of Libgcrypt)?, (continued)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Peter Wu (Feb 06)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? João Valverde (Feb 06)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Guy Harris (Feb 06)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Peter Wu (Feb 08)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Guy Harris (Feb 08)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Peter Wu (Feb 08)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Guy Harris (Feb 11)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Bálint Réczey (Feb 09)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Bálint Réczey (Feb 09)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? João Valverde (Feb 09)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Peter Wu (Feb 11)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? João Valverde (Feb 11)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Peter Wu (Feb 11)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Erik de Jong (Feb 11)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Peter Wu (Feb 11)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Peter Wu (Feb 11)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Erik de Jong (Feb 12)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Pascal Quantin (Feb 12)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Peter Wu (Feb 12)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Erik de Jong (Feb 13)
- Re: Remove our bundled crypto library (in favor of Libgcrypt)? Peter Wu (Feb 13)