On 03/10/2014 11:50 PM, Amos Jeffries wrote:
> I've been searching for some time for a crypto library that provides
> algorithms like base64, MD4, MD5, SHA* etc that are used by Squid. So we
> can remove the bundled re-implementations and avoid some big issues like
> FIPS compliance of Squid.
>
> Nettle appears to have become widely available in the last year or so
> due to its use in GnuTLS and various DNSSEC tools. It is a freely
> available GPLv3 library from GNU project easily availabel for download
> for anyone who does not have it yet.
> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/nettle.html
>
> Nettle does all the existing Squid algorithms and many of the newer
> SHA-512+, HMAC and AES algorithms as well. It provides a (relatively)
> clean API of direct function calls to run each algorithm on a provided
> buffer without any encumbered TLS/SSL layer or formatting requirements
> which many of the SSL-based crypto libraries pull in.
>
>
> Before I forge on ahead, does anyone have objections to adding it as a
> build dependency of squid-3.5 and dropping our locally bundled crypto
> code which overlaps?
No objection, just to note that these algorithms are implemented in
openssl library too and squid already has dependencies to openSSL.
The API provided by nettle is very similar to openSSL related API.
Both libraries provide for most encryption algorithms similar API, for
example for XXX algorithm:
struct XXX_ctx
XXX_init(ctx)
XXX_update(ctx, data,len)
XXX_final(md, ctx)
Looks that nettle provides more encryption algorithms (but squid needs
only few of them).
>
> Amos
>
>
Received on Tue Mar 11 2014 - 07:54:08 MDT
This archive was generated by hypermail 2.2.0 : Tue Mar 11 2014 - 12:00:12 MDT