Re: Integration of new algorithms

2020-09-30 Thread Kris Kwiatkowski
Hello,

In regards to OBJ_new_nid - yes, that's more or less what I already
do. I actually use OBJ_sn2nid(), which indeed calls OBJ_new_nid().

But the problem that I have is different. In keygen (callback set by
EVP_PKEY_meth_set_keygen), there is no way to access the NID. It seems
to be stored in the EVP_PKEY_CTX->pmeth->pkey_id, but there is
no way to read it (or at least I couldn't find any).
But, anyway - I have a sub-optimal solution, which uses
EVP_PKEY_meth_set_ctrl() to set a scheme-specific callback. Not
perfectly clean, but it works perfectly well.

In regards to 3.0 - I've started to work on a provider for PQ
schemes some time ago. Not finished yet, but indeed, it looks
easier/better. Nevertheless, an ENGINE for 1.1.1 is actually
something that is needed now for practical reasons (like integration
with existing software).

Kind regards,
Kris

On 9/30/20 8:05 AM, Dr Paul Dale wrote:
> Instead of using an engine, you should write a provider (assuming you’re
> using the soon to be released OpenSSL 3.0).  It doesn’t need a NID.
>
> If you are using OpenSSL 1.1.1, try the OBJ_new_nid() function.
>
>
> Pauli
> -- 
> Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
> Phone +61 7 3031 7217
> Oracle Australia
>
>> On 26 Aug 2020, at 6:48 pm, Kris Kwiatkowski <mailto:k...@amongbytes.com> wrote:
>>
>> Hey,
>>
>> I'm working on the development of an OpenSSL ENGINE that integrates
>> post-quantum algorithms (new NIDs). During integration I
>> need to modify OpenSSL code to add a custom function, but would
>> prefer not to need to add anything to OpenSSL code (so the engine
>> can be dynamically loaded by any modern OpenSSL).
>>
>> So, in three cases, namely when the code is in callbacks for keygen,
>> encryption and ctrl (called by EVP_PKEY_CTX_ctrl, EVP_PKEY_encrypt
>> and EVP_PKEY_keygen), I need to get the NID of the scheme. The problem
>> is that those functions are called with an EVP_PKEY_CTX object
>> provided as an argument. The NID is stored in
>> EVP_PKEY_CTX->pmeth->pkey_id. I think (AFAIK) there is no API
>> which would return that value.
>>
>> I've added a simple function that returns pkey_id from the ctx, but
>> that means that I need to change OpenSSL code. Is there any way
>> to get the NID without changing OpenSSL?
>>
>> Kind regards,
>> Kris
>>
>>
>


Integration of new algorithms

2020-09-30 Thread Kris Kwiatkowski

Hey,

I'm working on the development of an OpenSSL ENGINE that integrates
post-quantum algorithms (new NIDs). During integration I
need to modify OpenSSL code to add a custom function, but would
prefer not to need to add anything to OpenSSL code (so the engine
can be dynamically loaded by any modern OpenSSL).

So, in three cases, namely when the code is in callbacks for keygen,
encryption and ctrl (called by EVP_PKEY_CTX_ctrl, EVP_PKEY_encrypt
and EVP_PKEY_keygen), I need to get the NID of the scheme. The problem
is that those functions are called with an EVP_PKEY_CTX object
provided as an argument. The NID is stored in
EVP_PKEY_CTX->pmeth->pkey_id. I think (AFAIK) there is no API
which would return that value.

I've added a simple function that returns pkey_id from the ctx, but
that means that I need to change OpenSSL code. Is there any way
to get the NID without changing OpenSSL?

Kind regards,
Kris