The available functions to access symmetric crypto algorithms operations are shown below. The supported algorithms are the algorithms required by the TLS protocol. They are listed in Figure 8.1.
GNUTLS_CIPHER_UNKNOWNValue to identify an unknown/unsupported algorithm.
GNUTLS_CIPHER_NULLThe NULL (identity) encryption algorithm.
GNUTLS_CIPHER_ARCFOUR_128ARCFOUR stream cipher with 128-bit keys.
GNUTLS_CIPHER_3DES_CBC3DES in CBC mode.
GNUTLS_CIPHER_AES_128_CBCAES in CBC mode with 128-bit keys.
GNUTLS_CIPHER_AES_256_CBCAES in CBC mode with 256-bit keys.
GNUTLS_CIPHER_ARCFOUR_40ARCFOUR stream cipher with 40-bit keys.
GNUTLS_CIPHER_CAMELLIA_128_CBCCamellia in CBC mode with 128-bit keys.
GNUTLS_CIPHER_CAMELLIA_256_CBCCamellia in CBC mode with 256-bit keys.
GNUTLS_CIPHER_AES_192_CBCAES in CBC mode with 192-bit keys.
GNUTLS_CIPHER_AES_128_GCMAES in GCM mode with 128-bit keys.
GNUTLS_CIPHER_AES_256_GCMAES in GCM mode with 256-bit keys.
GNUTLS_CIPHER_CAMELLIA_192_CBCCamellia in CBC mode with 192-bit keys.
GNUTLS_CIPHER_SALSA20_256Salsa20 with 256-bit keys.
GNUTLS_CIPHER_ESTREAM_SALSA20_256Estream’s Salsa20 variant with 256-bit keys.
GNUTLS_CIPHER_CAMELLIA_128_GCMCAMELLIA in GCM mode with 128-bit keys.
GNUTLS_CIPHER_CAMELLIA_256_GCMCAMELLIA in GCM mode with 256-bit keys.
GNUTLS_CIPHER_RC2_40_CBCRC2 in CBC mode with 40-bit keys.
GNUTLS_CIPHER_DES_CBCDES in CBC mode (56-bit keys).
GNUTLS_CIPHER_AES_128_CCMAES in CCM mode with 128-bit keys.
GNUTLS_CIPHER_AES_256_CCMAES in CCM mode with 256-bit keys.
GNUTLS_CIPHER_AES_128_CCM_8AES in CCM mode with 64-bit tag and 128-bit keys.
GNUTLS_CIPHER_AES_256_CCM_8AES in CCM mode with 64-bit tag and 256-bit keys.
GNUTLS_CIPHER_CHACHA20_POLY1305The Chacha20 cipher with the Poly1305 authenticator (AEAD).
GNUTLS_CIPHER_IDEA_PGP_CFBIDEA in CFB mode (placeholder - unsupported).
GNUTLS_CIPHER_3DES_PGP_CFB3DES in CFB mode (placeholder - unsupported).
GNUTLS_CIPHER_CAST5_PGP_CFBCAST5 in CFB mode (placeholder - unsupported).
GNUTLS_CIPHER_BLOWFISH_PGP_CFBBlowfish in CFB mode (placeholder - unsupported).
GNUTLS_CIPHER_SAFER_SK128_PGP_CFBSafer-SK in CFB mode with 128-bit keys (placeholder - unsupported).
GNUTLS_CIPHER_AES128_PGP_CFBAES in CFB mode with 128-bit keys (placeholder - unsupported).
GNUTLS_CIPHER_AES192_PGP_CFBAES in CFB mode with 192-bit keys (placeholder - unsupported).
GNUTLS_CIPHER_AES256_PGP_CFBAES in CFB mode with 256-bit keys (placeholder - unsupported).
GNUTLS_CIPHER_TWOFISH_PGP_CFBTwofish in CFB mode (placeholder - unsupported).
Figure 8.1: The supported ciphers.
int gnutls_cipher_init (gnutls_cipher_hd_t * handle, gnutls_cipher_algorithm_t cipher, const gnutls_datum_t * key, const gnutls_datum_t * iv)int gnutls_cipher_encrypt2 (gnutls_cipher_hd_t handle, const void * ptext, size_t ptext_len, void * ctext, size_t ctext_len)int gnutls_cipher_decrypt2 (gnutls_cipher_hd_t handle, const void * ctext, size_t ctext_len, void * ptext, size_t ptext_len)void gnutls_cipher_set_iv (gnutls_cipher_hd_t handle, void * iv, size_t ivlen)void gnutls_cipher_deinit (gnutls_cipher_hd_t handle)int gnutls_cipher_add_auth (gnutls_cipher_hd_t handle, const void * ptext, size_t ptext_size)int gnutls_cipher_tag (gnutls_cipher_hd_t handle, void * tag, size_t tag_size)While the latter two functions allow the same API can be used with authenticated encryption ciphers, it is recommended to use the following functions which are solely for AEAD ciphers. The latter API is designed to be simple to use and also hard to misuse, by handling the tag verification and addition in transparent way.
int gnutls_aead_cipher_init (gnutls_aead_cipher_hd_t * handle, gnutls_cipher_algorithm_t cipher, const gnutls_datum_t * key)int gnutls_aead_cipher_encrypt (gnutls_aead_cipher_hd_t handle, const void * nonce, size_t nonce_len, const void * auth, size_t auth_len, size_t tag_size, const void * ptext, size_t ptext_len, void * ctext, size_t * ctext_len)int gnutls_aead_cipher_decrypt (gnutls_aead_cipher_hd_t handle, const void * nonce, size_t nonce_len, const void * auth, size_t auth_len, size_t tag_size, const void * ctext, size_t ctext_len, void * ptext, size_t * ptext_len)void gnutls_aead_cipher_deinit (gnutls_aead_cipher_hd_t handle)