[sr #107932] Cannot initialise AES-256-PGP-CFB cipher support in GnuTLS 3

anonymous INVALID.NOREPLY at gnu.org
Thu Jan 12 18:22:52 CET 2012


                 Summary: Cannot initialise AES-256-PGP-CFB cipher support in GnuTLS 3
                 Project: GnuTLS
            Submitted by: None
            Submitted on: Thu 12 Jan 2012 05:22:51 PM UTC
                Category: None
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: philip.allison at smoothwall.net
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: GNU/Linux




I am having problems trying to initialise a cipher handle for AES-256-PGP-CFB
using GnuTLS 3.0.11 and keep getting an error string of "The request is
invalid" when calling gnutls_cipher_init.  I'm aware that GnuTLS 3 has been
migrated away from gcrypt to nettle, so I went looking in the docs for nettle,
and found no mention of any support for ciphers in CFB mode.  This led me to
dig further into the GnuTLS source to see if the CFB ciphers were actually

As far as I can tell, there are two ways in which a cipher can be implemented:
either a specific accelerated implementation is registered using
*_cipher_register during global initialisation, or _gnutls_cipher_init falls
through to the "generic" cipher ops, which eventually falls through to
wrap_nettle_cipher_init in lib/nettle/cipher.c.  The latter function doesn't
have cases to handle any of the *-PGP-CFB ciphers, so if I am correct, these
ciphers are completely unavailable in GnuTLS as I have compiled it.

Is this correct, and how should I go about using these ciphers with GnuTLS 3? 
I am trying to drop my code's explicit dependency on gcrypt, since GnuTLS
itself no longer depends on it.

Note also that AES-256-PGP-CFB does appear in the output of
gnutls_cipher_list, but from looking at the code, that just iterates over the
list of defined ciphers - which does not guarantee an implementation exists
for any particular cipher in the list.


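The check the report implies, as an added example that is not part of the original report or of GnuTLS: rather than trusting gnutls_cipher_list, try gnutls_cipher_init on every listed algorithm and record the result. It assumes a GnuTLS 3.2 or later shared library (for gnutls_cipher_get_iv_size); `load_gnutls`, `_datum` and `probe_ciphers` are hypothetical helper names, and the key and IV bytes are constructed test values.

```python
import ctypes
import ctypes.util

class Datum(ctypes.Structure):
    """Mirror of gnutls_datum_t: { unsigned char *data; unsigned int size; }."""
    _fields_ = [("data", ctypes.c_void_p), ("size", ctypes.c_uint)]

def load_gnutls():
    """Return a ctypes handle to libgnutls, or None if it is not usable here."""
    try:
        lib = ctypes.CDLL(ctypes.util.find_library("gnutls") or "libgnutls.so.30")
        lib.gnutls_cipher_list.restype = ctypes.POINTER(ctypes.c_int)
        lib.gnutls_cipher_get_name.restype = ctypes.c_char_p
        lib.gnutls_strerror.restype = ctypes.c_char_p
        for fn in (lib.gnutls_cipher_get_key_size, lib.gnutls_cipher_get_iv_size):
            fn.restype = ctypes.c_size_t
        lib.gnutls_cipher_init.argtypes = [ctypes.POINTER(ctypes.c_void_p), ctypes.c_int,
                                           ctypes.POINTER(Datum), ctypes.POINTER(Datum)]
        lib.gnutls_cipher_deinit.argtypes = [ctypes.c_void_p]
    except (OSError, AttributeError):  # library missing, or too old for these symbols
        return None
    lib.gnutls_global_init()
    return lib

def _datum(size):
    """Constructed test material: bytes 1..size (distinct, non-zero), never a real key."""
    buf = (ctypes.c_ubyte * max(size, 1))(*range(1, size + 1))
    return buf, Datum(ctypes.cast(buf, ctypes.c_void_p), size)

def probe_ciphers(lib):
    """Map each name from gnutls_cipher_list() to (rc, message) from gnutls_cipher_init()."""
    results = {}
    algs, i = lib.gnutls_cipher_list(), 0
    while algs[i] != 0:  # the list is terminated by 0 (GNUTLS_CIPHER_UNKNOWN)
        alg, i = algs[i], i + 1
        kbuf, key = _datum(lib.gnutls_cipher_get_key_size(alg))  # kbuf keeps the bytes alive
        ibuf, iv = _datum(lib.gnutls_cipher_get_iv_size(alg))
        handle = ctypes.c_void_p()
        rc = lib.gnutls_cipher_init(ctypes.byref(handle), alg, key, iv if iv.size else None)
        if rc == 0:
            lib.gnutls_cipher_deinit(handle)
        name = lib.gnutls_cipher_get_name(alg)
        results[name.decode() if name else str(alg)] = (rc, lib.gnutls_strerror(rc).decode())
    return results

if __name__ == "__main__":
    lib = load_gnutls()
    for name, (rc, msg) in sorted(probe_ciphers(lib).items()) if lib else []:
        print(f"{name:28} {'ok' if rc == 0 else 'init failed: ' + msg}")
```

A non-zero code only says that gnutls_cipher_init rejected that algorithm with this key and IV size, so read the message before concluding the cipher has no implementation.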