On Thu, Jun 30, 2005, Dr. Stephen Henson wrote:

> 
> It's certainly possible. There is an added complication in that some thought has
> to be given to future directions of development.
> 
> For example the current RSA API lacks any easy way to pass additional
> parameters to some padding types. OAEP and especially PSS really need a way to
> do that.
>       
> That could be neatly solved (and some other parts made more efficient) if RSA
> had a per-thread context structure analogous to EVP_CIPHER_CTX but alas it
> doesn't. 
> 

While I'm at it here are a few other areas which would be "fun" to deal with...

EVP_CIPHER has two assumptions built in which are problematical when
interfacing (via ENGINE for example) with other APIs.

One is the size of the output buffer: there is an assumption that the output
buffer will be at most one block length larger than the input buffer;
applications naturally follow this rule.

Other APIs (for example PKCS#11) make no such assumption and can buffer the
data and supply the result all in one go.

If you have to connect such a beast via EVP that's one hell of a headache...

On the subject of EVP, unlike the asymmetric APIs (RSA, DSA etc) there is an
assumption that secret (i.e. symmetric) keys can be passed in plain text
to the API. This has been a parameter to EVP_CipherInit_ex() and its
equivalents since the SSLeay days. That assumption isn't present in some other
crypto APIs (again including PKCS#11 and even CryptoAPI); they can all treat a
symmetric key as an opaque blob (in a way similar to how RSA structures can be
treated).

Again this is a problem if you need to interface with such APIs or for higher
security applications where exposure of secret keys may be prohibited by
security policy.

Don't get me even started on EVP_PKEY_METHOD :-)

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
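
The output-buffer mismatch described in the message above, as an added example that is not part of the original post and is not OpenSSL code. It models only the size contract: every name is hypothetical, the XOR step is a placeholder rather than a cipher, and a backend that always pads by up to one block and emits everything at final is an assumption.

```c
/* Added illustration, not OpenSSL code: hypothetical names, placeholder XOR. */
#include <stdio.h>
#include <string.h>
#define BLOCK 16

/* The assumption from the post: output is at most one block larger than input. */
size_t evp_out_bound(size_t inl) { return inl + BLOCK; }

/* A backend that buffers all input and releases the result in one go. */
typedef struct { unsigned char buf[256]; size_t len; } buffering_backend;

int backend_update(buffering_backend *b, const unsigned char *in, size_t inl, size_t *outl) {
    if (inl > sizeof b->buf - b->len) return 0;   /* refuse to overrun the buffer */
    memcpy(b->buf + b->len, in, inl);
    b->len += inl;
    *outl = 0;                                    /* nothing is emitted until final */
    return 1;
}

/* Writes the whole padded result if it fits in out_cap; otherwise writes
   nothing, returns 0 and reports the size it would have needed. */
int backend_final(buffering_backend *b, unsigned char *out, size_t out_cap, size_t *needed) {
    size_t padded = (b->len / BLOCK + 1) * BLOCK;
    *needed = padded;
    if (padded > out_cap) return 0;
    for (size_t i = 0; i < padded; i++)
        out[i] = (i < b->len ? b->buf[i] : (unsigned char)(padded - b->len)) ^ 0x5A;
    return 1;
}

/* Drive the backend the way an EVP-style caller would: chunks in, then a final
   call with a one-block buffer. Returns 0 if final fit, else the byte shortfall. */
size_t final_shortfall(size_t total, size_t chunk) {
    buffering_backend b = { {0}, 0 };
    unsigned char in[64] = {0};   /* constructed sample input */
    unsigned char out[BLOCK];     /* evp_out_bound(0): all the caller provides */
    size_t outl, needed;
    if (chunk == 0 || chunk > sizeof in) return (size_t)-1;
    for (size_t done = 0; done < total; done += chunk) {
        size_t n = total - done < chunk ? total - done : chunk;
        if (!backend_update(&b, in, n, &outl)) return (size_t)-1;
    }
    if (backend_final(&b, out, evp_out_bound(0), &needed)) return 0;
    return needed - evp_out_bound(0);
}

int main(void) {
    printf("10 bytes: short by %zu; 100 bytes: short by %zu\n",
           final_shortfall(10, 4), final_shortfall(100, 32));
}
```

An adapter in this position has to detect the shortfall and fail cleanly, since writing the full result into the caller's one-block buffer would overflow it.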