New crypto algorithms in openSSL engine

New crypto algorithms in openSSL engine

APOB83

Hi all,
I’m working on testing some lattice based algorithms in openSSL for the establishment of a TLS channel. I’ve investigated the potential for developing an engine to support this as it would mean I don’t need to touch the core openSSL code. However, I’ve two blind spots which I can’t find any answers to…

1. How can I create a new OID/NID for the new algorithms I propose to include in the engine?

2. Is it possible to create a ciphersuite within an engine that could be used to create a TLS connection?
Thanks,

Andrew


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: New crypto algorithms in openSSL engine

Dr. Stephen Henson
On Wed, Sep 27, 2017, Byrne, Andrew wrote:

> Hi all,
>
> I'm working on testing some lattice based algorithms in openSSL for the establishment of a TLS channel. I've investigated the potential for developing an engine to support this as it would mean I don't need to touch the core openSSL code. However, I've two blind spots which I can't find any answers to...
>
> 1. How can I create a new OID/NID for the new algorithms I propose to include in the engine?
>

OBJ_create() is the easiest way. You pass it the oid, short name and long name
and get back a NID.

> 2. Is it possible to create a ciphersuite within an engine that could be used to create a TLS connection?
>

No. There is no mechanism to dynamically add ciphersuites to OpenSSL at
present.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: New crypto algorithms in openSSL engine

Matt Caswell-2
In reply to this post by APOB83


On 27/09/17 15:32, Byrne, Andrew wrote:
> I’m working on testing some lattice based algorithms in openSSL for the
> establishment of a TLS channel. I’ve investigated the potential for
> developing an engine to support this as it would mean I don’t need to
> touch the core openSSL code. However, I’ve two blind spots which I can’t
> find any answers to…
>
> 1. How can I create a new OID/NID for the new algorithms I propose
> to include in the engine?

There are two options:

1) Create a PR for mainline OpenSSL to add a new OID. As it's just an OID
this is likely to be accepted. This has the advantage that you get a
built-in NID, but will obviously only work for versions of OpenSSL after
the OID was added.

2) Dynamically create the OID/NID by calling OBJ_create(). This will
allocate a new NID at runtime:

https://www.openssl.org/docs/man1.1.0/crypto/OBJ_nid2obj.html

>
> 2. Is it possible to create a ciphersuite within an engine that
> could be used to create a TLS connection?

No. It is not possible to dynamically add new ciphersuites at runtime.
All ciphersuites are built-in.

Matt


Re: New crypto algorithms in openSSL engine

APOB83
Hi,

I've noticed the following statement in another thread here...

*May I suggest you have a look at the GOST engine?  It does implement
the algorithm entirely in the engine.  The only things added in the
OpenSSL code are the OIDs (not strictly necessary) and the TLS
ciphersuites (I don't think that can be done dynamically at all, at
least yet). *

This suggests to me that I might be able to build a new engine with the new
crypto algorithms and then in the OpenSSL code, add the code necessary to
build the new ciphersuites. Am I correct in how I'm reading this?


Re: New crypto algorithms in openSSL engine

Matt Caswell-2


On 23/10/17 12:51, APOB83 wrote:

> Hi,
>
> I've noticed the following statement in another thread here...
>
> *May I suggest you have a look at the GOST engine?  It does implement
> the algorithm entirely in the engine.  The only things added in the
> OpenSSL code are the OIDs (not strictly necessary) and the TLS
> ciphersuites (I don't think that can be done dynamically at all, at
> least yet). *
>
> This suggests to me that I might be able to build a new engine with the new
> crypto algorithms and then in the OpenSSL code, add the code necessary to
> build the new ciphersuites. Am I correct in how I'm reading this?

This is what was done for the GOST ciphersuites so, yes, it is
theoretically possible. However, I think we are unlikely to add
significant code to libssl unless there is a reasonably sized user base.

Matt


Re: New crypto algorithms in openSSL engine

Victor Wagner
In reply to this post by APOB83
On Mon, 23 Oct 2017 04:51:01 -0700 (MST)
APOB83 <[hidden email]> wrote:

> Hi,
>
> I've noticed the following statement in another thread here...
>
> *May I suggest you have a look at the GOST engine?  It does implement
> the algorithm entirely in the engine.  The only things added in the
> OpenSSL code are the OIDs (not strictly necessary) and the TLS
> ciphersuites (I don't think that can be done dynamically at all, at
> least yet). *

Really, about ten years ago, when we first developed the GOST engine, we
made patches that allowed adding ciphersuites dynamically.
Unfortunately, at that time the core team didn't accept these patches.


Re: New crypto algorithms in openSSL engine

APOB83
In reply to this post by APOB83
Thanks for the replies guys.

I'm happy enough to work on a separate fork. This is a research endeavour so
it's not critical that I get something integrated into the master openSSL
branch. I don't see there being a significant enough user base anyway for
anything to get added into core libssl.

@Victor: Are you saying that the patches that enabled the GOST
ciphersuite to be added are not included in openSSL? If so, would that mean
it's not possible for me to fork off openSSL and follow the GOST template?

Putting engines aside for a moment, given that I have the appropriate
headers for the crypto library I want to use, and I can build a shared or
static library for it... would it be a viable option to try and integrate
those headers and libraries directly into openSSL?


Re: New crypto algorithms in openSSL engine

OpenSSL - Dev mailing list
In reply to this post by Victor Wagner
> Really, about a ten years ago, when we first developed GOST engine, we
> have made patches, that allow to add ciphersuites dynamically.
> Unfortunately, that time core team haven't accepted these patches.

Do you still have them available?  We might make a different choice now …


Re: New crypto algorithms in openSSL engine

OpenSSL - Dev mailing list
In reply to this post by APOB83
> @Victor; Are you saying so that the patches that enabled the GOST
> ciphersuite be added are not included in openSSL? If so, would that mean
> it's not possible for me to fork off openSSL and follow the GOST template?

Not quite.  He’s saying that adding new crypto to TLS requires some static tables in libssl to be updated.  Some new “NID” variables in objects.txt, and so on.  The implementation of the algorithm can be done as an ENGINE.

> Putting engines aside for a moment, given that I have the appropriate
> headers for the crypto library I want to use, and I can build a shared or
> static library for it... would it be a viable option to try and integrate
> those headers and libraries directly into openSSL?

Maybe. Hence the term “research” :)


Re: New crypto algorithms in openSSL engine

Dmitry Belyavsky-3
In reply to this post by OpenSSL - Dev mailing list

On Mon, Oct 23, 2017 at 4:54 PM, Salz, Rich via openssl-dev <[hidden email]> wrote:
>> Really, about a ten years ago, when we first developed GOST engine, we
>> have made patches, that allow to add ciphersuites dynamically.
>> Unfortunately, that time core team haven't accepted these patches.
>
> Do you still have them available?  We might make a different choice now …
 
Well, as there are now separate structures for key exchange and auth, these patches seem to make almost no sense.

--
SY, Dmitry Belyavsky


Re: New crypto algorithms in openSSL engine

APOB83
In reply to this post by OpenSSL - Dev mailing list
OpenSSL - Dev mailing list wrote
>> @Victor; Are you saying so that the patches that enabled the GOST
>> ciphersuite be added are not included in openSSL? If so, would that mean
>> it's not possible for me to fork off openSSL and follow the GOST template?
>
> Not quite.  He’s saying that adding new crypto to TLS requires some static
> tables in libssl to be updated.  Some new “NID” variables in objects.txt,
> and so on.  The implementation of the algorithm can be done as an ENGINE.

Cool... this makes sense to me but looking for the voice of experience. I
can implement the algorithms in an ENGINE so that they are all available to
libssl. Then, in libssl I add the appropriate code (as you mention) to build
the ciphersuite and let me set up a TLS channel with the ENGINE.

Unless someone experienced can say "nope, this just won't work", this is my
preferred route to go down as it minimizes how much I have to modify core
code.


OpenSSL - Dev mailing list wrote

>> Putting engines aside for a moment, given that I have the appropriate
>> headers for the crypto library I want to use, and I can build a shared or
>> static library for it... would it be a viable option to try and integrate
>> those headers and libraries directly into openSSL?
>
> Maybe. Hence the term “research” :)

Indeed. I guess I'd just prefer to direct my efforts down the path with the
highest chance of success :)
