guile-devel

Re: About Guile crypto support


From: Nala Ginrut
Subject: Re: About Guile crypto support
Date: Mon, 04 Feb 2013 11:12:00 +0800

On Mon, 2013-02-04 at 09:14 +0800, Daniel Hartwig wrote:
> Hello
> 
> On 3 February 2013 20:55, Nala Ginrut <address@hidden> wrote:
> > As mentioned in another thread about digest algorithm support in Guile,
> > my plan is to use part of the implementation of libgcrypt and make a
> > wrapper, then put it into libguile.
> > But now I found weinholt's Scheme industria lib, which contains all
> > mainstream crypto (not only digest) algorithms.
> > http://weinholt.se/industria/manual/crypto.html#crypto
> 
> As mentioned on that page, there are some issues that apply to any
> pure Scheme implementation:
> 

If it's worthy, I can do some modification.

> > Beware that if you're using some of these libraries for sensitive
> > data, let's say passwords, then there is probably no way to make
> > sure a password is ever gone from memory. There is no guarantee that
> > the passwords will not be swapped out to disk or transmitted by
> > radio.
> 
> Libgcrypt provides a means to specify that some data should be stored
> in secured memory, which will never be swapped to disk. Doing
> something similar in Guile may be problematic, at least with a
> Scheme-only implementation.
> 
> > So what's your opinion, guys?
> > Would you prefer C implementation or Scheme way?
> 
> As gcrypt is mature, reimplementing it in either C or Scheme just for
> Guile does not seem useful — on its own.  An FFI wrapper or extension
> benefits from upstream security and maintenance efforts.
> 
> 
> If you have a particular interest in learning about crypto. algorithms,
> by all means port or write your own implementation using whichever
> language.  If you want it to have a Scheme interface, then Scheme
> seems a logical choice to use.
> 

Well, no ;-)

> If your goal is only to provide crypto. support to Guile programs,
> then time is better spent providing a wrapper to the existing library.
>  Concerns about adding an external dependency do not hold much weight
> next to the advantages of directly using the library; “don't repeat
> yourself”, and all that.
> 

That's my aim, nowadays a language should provide md5/sha1 at least
since they are very common.

> Perhaps you are aware that there is an extension for gcrypt under
> development, with modules for the hash and randomize functions:
> <https://gitorious.org/gcrypt-guile/>.
> 

I have a similar project too:
https://gitorious.org/nacre/libgcrypt-guile

Writing a lib-wrapper is another story; guys who need more specific
features (efficiency/security) could use these packages from guildhall.
But my opinion is to provide the common digest API in ice-9; many guys
asked such questions, and I suggested they use my libgcrypt-guile, but
I can't answer why Guile doesn't have these common APIs. So I decided to
add them.

What do you think?

> 
> Regards
> 
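
The kind of thin FFI wrapper discussed in this thread, as an added example that is not part of the original messages and not code from either gitorious project: it binds libgcrypt's one-shot digest call from Guile Scheme. The names `digest`, `bytevector->hex`, `sha1-hex` and `md5-hex` are hypothetical, and it assumes libgcrypt is installed where `dynamic-link` can find it.

```scheme
(use-modules (system foreign)
             (rnrs bytevectors))

;; Assumption: the shared library is resolvable under this name.
(define libgcrypt (dynamic-link "libgcrypt"))

;; Algorithm ids from <gcrypt.h> (enum gcry_md_algos).
(define GCRY_MD_MD5 1)
(define GCRY_MD_SHA1 2)

;; const char *gcry_check_version (const char *req_version);
(define gcry-check-version
  (pointer->procedure '* (dynamic-func "gcry_check_version" libgcrypt)
                      '(*)))

;; unsigned int gcry_md_get_algo_dlen (int algo);
(define gcry-md-get-algo-dlen
  (pointer->procedure unsigned-int
                      (dynamic-func "gcry_md_get_algo_dlen" libgcrypt)
                      (list int)))

;; void gcry_md_hash_buffer (int algo, void *digest,
;;                           const void *buffer, size_t length);
(define gcry-md-hash-buffer
  (pointer->procedure void
                      (dynamic-func "gcry_md_hash_buffer" libgcrypt)
                      (list int '* '* size_t)))

;; libgcrypt expects gcry_check_version to run before any other call.
(when (null-pointer? (gcry-check-version %null-pointer))
  (error "libgcrypt initialisation failed"))

;; Hash bytevector BV with algorithm ALGO; returns a fresh bytevector.
(define (digest algo bv)
  (let ((len (gcry-md-get-algo-dlen algo)))
    (when (zero? len)                 ; 0 means the id is not supported
      (error "unsupported digest algorithm" algo))
    (let ((out (make-bytevector len 0)))
      (gcry-md-hash-buffer algo (bytevector->pointer out)
                           (bytevector->pointer bv) (bytevector-length bv))
      out)))

(define (bytevector->hex bv)
  (string-concatenate
   (map (lambda (b)
          (let ((s (number->string b 16)))
            (if (< b 16) (string-append "0" s) s)))
        (bytevector->u8-list bv))))

(define (sha1-hex str) (bytevector->hex (digest GCRY_MD_SHA1 (string->utf8 str))))
(define (md5-hex str)  (bytevector->hex (digest GCRY_MD_MD5 (string->utf8 str))))
```

The input and output buffers here are ordinary garbage-collected bytevectors, so this wrapper gives none of the secure-memory guarantees mentioned earlier in the thread.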




