Re: [openssl-dev] New crypto algorithms in openSSL engine
OpenSSL - Dev mailing list wrote >>@Victor; Are you saying so that the patches that enabled the GOST > ciphersuite be added are not included in openSSL? If so, would that > mean > it's not possible for me to fork off openSSL and follow the GOST > template? > > Not quite. He’s saying that adding new crypto to TLS requires some static > tables in libssl to be updated. Some new “NID” variables in objects.txt, > and so on. The implementation of the algorithm can be done as an ENGINE. Cool... this makes sense to me but looking for the voice of experience. I can implement the algorithms in an ENGINE so that they are all available to libssl. Then, in libssl I add the appropriate code (as you mention) to build the ciphersuite and let me set up a TLS channel with the ENGINE. Unless someone experienced can say "nope, this just won't work", this is my preferred route to go down as it minimizes how much I have to modify core code. OpenSSL - Dev mailing list wrote >>Putting engines aside for a moment, given that I have the appropriate > headers for the crypto library I want to use, and I can build a shared > or > static library for it... would it be a viable option to try and > integrate > those headers and libraries directly into openSSL? > > Maybe. Hence the term “research” :) > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev Indeed. I guess I'd just prefer to direct my efforts down the path with the highest chance of success :) -- Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-Dev-f29372.html -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] New crypto algorithms in openSSL engine
On Mon, Oct 23, 2017 at 4:54 PM, Salz, Rich via openssl-dev < openssl-dev@openssl.org> wrote: > ➢ Really, about a ten years ago, when we first developed GOST engine, we > have made patches, that allow to add ciphersuites dynamically. > Unfortunately, that time core team haven't accepted these patches. > > Do you still have them available? We might make a different choice now … > Well, as now there are separate structures for key exchange and auth, these patches seem to have almost no sense. -- SY, Dmitry Belyavsky -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] New crypto algorithms in openSSL engine
>@Victor; Are you saying so that the patches that enabled the GOST ciphersuite be added are not included in openSSL? If so, would that mean it's not possible for me to fork off openSSL and follow the GOST template? Not quite. He’s saying that adding new crypto to TLS requires some static tables in libssl to be updated. Some new “NID” variables in objects.txt, and so on. The implementation of the algorithm can be done as an ENGINE. >Putting engines aside for a moment, given that I have the appropriate headers for the crypto library I want to use, and I can build a shared or static library for it... would it be a viable option to try and integrate those headers and libraries directly into openSSL? Maybe. Hence the term “research” :) -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] New crypto algorithms in openSSL engine
➢ Really, about a ten years ago, when we first developed GOST engine, we have made patches, that allow to add ciphersuites dynamically. Unfortunately, that time core team haven't accepted these patches. Do you still have them available? We might make a different choice now … -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] New crypto algorithms in openSSL engine
Thanks for the replies guys. I'm happy enough to work on a separate fork. This is a research endevour so it's not critical that I get something integrated into the master openSSL branch. I don't see there being a significant enough user base anyway for anything to get added into core libssl. @Victor; Are you saying so that the patches that enabled the GOST ciphersuite be added are not included in openSSL? If so, would that mean it's not possible for me to fork off openSSL and follow the GOST template? Putting engines aside for a moment, given that I have the appropriate headers for the crypto library I want to use, and I can build a shared or static library for it... would it be a viable option to try and integrate those headers and libraries directly into openSSL? -- Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-Dev-f29372.html -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] New crypto algorithms in openSSL engine
On 23/10/17 12:51, APOB83 wrote: > Hi, > > I've noticed the following statement in another thread here... > > *May I suggest you have a look at the GOST engine? It does implement > the algorithm entirely in the engine. The only things added in the > OpenSSL code are the OIDs (not strictly necessary) and the TLS > ciphersuites (I don't think that can be done dynamically at all, at > least yet). * > > This suggests to me that I might be able to build a new engine with the new > crypto algorithms and then in the OpenSSL code, add the code necessary to > build the new ciphersuites. Am I correct in how I'm reading this? This is what was done for the GOST ciphersuites so, yes, it is theoretically possible. However I think we are unlikely to add significant code to libssl unless there is a reasonably sized user base. Matt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] New crypto algorithms in openSSL engine
Hi, I've noticed the following statement in another thread here... *May I suggest you have a look at the GOST engine? It does implement the algorithm entirely in the engine. The only things added in the OpenSSL code are the OIDs (not strictly necessary) and the TLS ciphersuites (I don't think that can be done dynamically at all, at least yet). * This suggests to me that I might be able to build a new engine with the new crypto algorithms and then in the OpenSSL code, add the code necessary to build the new ciphersuites. Am I correct in how I'm reading this? -- Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-Dev-f29372.html -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev