On Fri, Apr 27, 2007, Brent Casavant wrote: > Hello, > > I'm developing an engine to support hardware acceleration of a number > of different block ciphers, some of which OpenSSL does not (yet) have > native support for (e.g. AES 128 CTR, TEA, etc). > > One of the problems I'm trying to solve is registering these new > ciphers with OpenSSL. My understanding, reading snippets of -dev > and the source code, is that I must create a new nid using > OBJ_create(), and then use EVP_add_cipher() with the resulting > NID. Then I'll add the cipher to the list made available by the > function I register with ENGINE_set_ciphers(). > > Does that sound correct? >
You create an EVP_CIPHER structure using the NID and pass the EVP_CIPHER to EVP_add_cipher(). > If so, is there a standard naming scheme to pass for the oid and > sn arguments to OBJ_create()? I'd like, if possible, to end up > with the same names that OpenSSL would use, if these ciphers are > ever supported in the mainline OpenSSL software. > The OBJ_create() function creates an ASN1 OID. Often when a cipher is documented an appropriate OID is included in the definition. The only real guarantee is that the OID will be identical if it is used by OpenSSL and the OID is a standard one as opposed to one that is made up. > Second, I'd like to make this cipher registration as robust as > possible given that future versions of OpenSSL may have native > support for these ciphers. Do you see any problems with the > following pseudo-code (lack of error handling aside)? > > if (NULL == EVP_get_cipherbyname(cipher_name)) { > nid = OBJ_create(cipher_oid, cipher_sn, cipher_ln); > EVP_add_cipher(new_cipher); > } > > This would, hopefully, allow run-time detection of the built-in ciphers, > and install the new cipher if it is not built-in. EVP_get_cipherbyname() > doesn't take any functional/structural references that I need to free, > does it? (I don't think so, as I can't find any release functions.) > Given that the OID is the only thing that is guaranteed to be identical (with the conditions above) the best option is to first check to see if the OID is registered using: nid = OBJ_txt2nid("1.2.3.4"); if (nid == NID_undef) nid = OBJ_create(...); Then using the nid you can use EVP_get_cipherbynid() to see if the cipher exists. > Finally, is there a clear illustration of what sort of information > I need to add with regards to ASN.1 and the newly registered cipher? > I've looked through the code, Wikipedia, and done some Google searches, > and think I understand the general concept, but not exactly what I'm > expected to provide within an OpenSSL engine. > The ASN.1 depends on what the cipher will be used for. If it will never be used with ASN1 structures then you don't need any ASN1 handling. If it will be used with ASN.1 structures you need to handle any defined functionality, for example setting cipher parameters such as the IV. Again the cipher documentation should define the appropriate AlgorithmIdenifier structure. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]