[Commits] 97037da: Replace static usage of AES_CTR with current encryption algorithm.

Jeremy Cole jeremycole at google.com
Wed Mar 18 06:35:35 EET 2015


Howdy Jan,


>> But the whole encryption_algorithm stuff seems not well thought out in any
>> case.
>
> This was introduced because we can't assume that all installations will
> install OpenSSL, especially on Windows, thus encryption should work
> with bundled yaSSL also. Do you have some better suggestion?

Yes, I assumed so, but the current implementation is lazy and user-hostile.
And, to me, having a single global variable controlling "the" encryption
algorithm (for what, exactly?) is weird. Presumably if it makes sense to
have it changeable, it also makes sense to set different algorithms for
different objects.

At a minimum, IMHO: store the encryption_algorithm selection with each
encrypted object so that data can be migrated in the future. Then,
implement sufficient support in the various necessary places so that it can
be safely changed. Currently as far as I can tell it is globally set once,
and impossible to change in the future. This could be done via stealing
some bits from either the stored encryption scheme (1 byte) or key version
(4 bytes) or adding a new encryption algorithm field which is stored
alongside those everywhere (this is probably the best strategy IMHO, but
takes a bit of thought).

Alternatively as an absolute (and even lower) minimum: ensure that changing
it once the database is initialized produces a loud and very clear error
message to the user.

Regards,

Jeremy
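
An added example, not part of the original mail and not MariaDB's code: a hypothetical per-object header that stores an algorithm id next to the scheme (1 byte) and key version (4 bytes) mentioned above, so a reader decrypts with the stored algorithm and flags the object for migration when the configured one differs. The 6-byte layout, the algorithm ids and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout, not MariaDB's on-disk format: scheme (1 byte) and key
   version (4 bytes) as sized in the mail, plus an assumed 1-byte algorithm id. */
enum { ENC_HDR_LEN = 6, ALG_AES_CBC = 1, ALG_AES_CTR = 2, ALG_MAX = 3 };
struct enc_hdr { uint8_t scheme; uint32_t key_version; uint8_t algorithm; };

void enc_hdr_write(uint8_t *out, const struct enc_hdr *h)
{
    out[0] = h->scheme;
    for (int i = 0; i < 4; i++)              /* key version, big-endian */
        out[1 + i] = (uint8_t)(h->key_version >> (24 - 8 * i));
    out[5] = h->algorithm;
}

/* Returns 0 on success, -1 on a short buffer or an unknown algorithm id. */
int enc_hdr_read(const uint8_t *in, size_t len, struct enc_hdr *h)
{
    if (len < ENC_HDR_LEN || in[5] == 0 || in[5] >= ALG_MAX)
        return -1;
    h->scheme = in[0];
    h->key_version = 0;
    for (int i = 0; i < 4; i++)
        h->key_version = (h->key_version << 8) | in[1 + i];
    h->algorithm = in[5];
    return 0;
}

/* Decrypt with the stored id; *migrate flags objects written under an older
   setting so they can be re-encrypted with the configured algorithm. */
uint8_t enc_pick_algorithm(const struct enc_hdr *h, uint8_t configured, int *migrate)
{
    *migrate = (h->algorithm != configured);
    return h->algorithm;
}

int main(void)
{
    struct enc_hdr in = { 1, 7, ALG_AES_CBC }, out;   /* constructed sample */
    uint8_t buf[ENC_HDR_LEN];
    int migrate;
    enc_hdr_write(buf, &in);
    if (enc_hdr_read(buf, sizeof buf, &out)) return 1;
    uint8_t alg = enc_pick_algorithm(&out, ALG_AES_CTR, &migrate);
    printf("decrypt with %u, migrate=%d\n", alg, migrate);
    return 0;
}
```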