On Mon, Jun 30, 2014 at 4:32 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
> Because there is no documentation for SSL_CTX_set_tmp_ecdh_callback()
> in OpenSSL 1.0.1 and older, I am afraid I have to ask:
>
> 1. Is the EC_KEY* returned by the callback supposed to be allocated
> for each invocation or is it supposed to be a static shared by all
> invocations?
Static is fine.
> If the latter (a common object), are there any threading issues when
> multiple threads are running SSL connections simultaneously?
Well, there is a CRYPTO_LOCK_EC for the static lock.
> 2. What does the keylength parameter to the ECDH callback represent:
> A) An RSA/DH keylength (e.g. 2048 for 128 bit security)
> B) An EC keylength (e.g. 130 for 128 bit security)
> C) A symmetric keylength (e.g. 128 for 128 bit security)
The keylength parameter is munged. You have to translate it from
DH/RSA bit lengths.
That is, a keylength of 1024 needs to be translated to a 160-bit curve
(both have a 80-bit security level), a keylength of 2048 needs to be
translated to a 224-bit curve (both have a 112-bit security level),
and a keylength of 3072 needs to be translated to a 256-bit curve
(both have a 128-bit security level), etc.
> 3. Are there particular cut-off-points for the keylength parameter
> which correlates with the largest of the predefined EC groups
> likely to be supported by the client (e.g. according to the
> cipher suite collection offered).
I use N + 4. For example:
if(keylength <= 160 + 4)
return ECSH160(); // Returns EC_KEY*
else if(keylength <= 192 + 4)
return ECSH192(); // Returns EC_KEY*
else if(keylength <= 224 + 4)
return ECSH224(); // Returns EC_KEY*
...
But P-256 seems to be most popular for interop.
Jeff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
