Wireshark-dev: Re: [Wireshark-dev] Remove our bundled crypto library (in favor of Libgcrypt)?
From: João Valverde <joao.valverde@xxxxxxxxxxxxxxxxxx>
Date: Fri, 10 Feb 2017 00:59:46 +0000
On 02/08/2017 01:40 PM, Peter Wu wrote:
On Mon, Feb 06, 2017 at 03:25:40PM -0800, Guy Harris wrote:
On Feb 6, 2017, at 3:17 PM, João Valverde <joao.valverde@xxxxxxxxxxxxxxxxxx> wrote:

None from me but can we use Nettle instead? Any reason not to? Word on the street is that it is more pleasant to work with than gcrypt.

I am only familiar with Libgcrypt which is not that hard to use. Have
you tried both libraries? What were your experiences?

License-wise they are similar.  Based on development activity (commit
count), it seems that Nettle is mostly developed by one person while
Libgcrypt has more.

An actual look at the Nettle documentation shows that Nettle provides
direct access to crypto routines (aes128_encrypt, aes256_encrypt,
aes_decrypt, chacha_poly1305_set_key, etc.). Libgcrypt provides a more
generic interface (gcry_cipher_open, gcry_cipher_encrypt) which means it
is easier to use when multiple ciphers can be chosen (which is the case
for SSL/TLS, IPsec, IKE).

Thus, I think that it is better to stick to Libgcrypt than migrate to
Nettle.

I was not considering a migration from gcrypt to nettle, just choosing one of the two libraries to replace our bundled crypto. Assuming the effort required for that is similar (maybe an incorrect assumption).

Nettle has an abstract interface. See for example:

https://www.lysator.liu.se/~nisse/nettle/nettle.html#HMAC

I have not used either library so I can't offer a more informed opinion on their respective merits.