New crypto algorithms in openSSL engine


New crypto algorithms in openSSL engine

Byrne, Andrew

Hi all,

 

I’m working on testing some lattice-based algorithms in OpenSSL for the establishment of a TLS channel. I’ve investigated the potential for developing an engine to support this as it would mean I don’t need to touch the core OpenSSL code. However, I’ve two blind spots which I can’t find any answers to…

1. How can I create a new OID/NID for the new algorithms I propose to include in the engine?

2. Is it possible to create a ciphersuite within an engine that could be used to create a TLS connection?

 

Thanks,

Andrew


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: New crypto algorithms in openSSL engine

Dr. Stephen Henson
On Wed, Sep 27, 2017, Byrne, Andrew wrote:

> Hi all,
>
> I'm working on testing some lattice-based algorithms in OpenSSL for the establishment of a TLS channel. I've investigated the potential for developing an engine to support this as it would mean I don't need to touch the core OpenSSL code. However, I've two blind spots which I can't find any answers to...
>
> 1. How can I create a new OID/NID for the new algorithms I propose to include in the engine?
>

OBJ_create() is the easiest way. You pass it the oid, short name and long name
and get back a NID.

> 2. Is it possible to create a ciphersuite within an engine that could be used to create a TLS connection?
>

No. There is no mechanism to dynamically add ciphersuites to OpenSSL at
present.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: New crypto algorithms in openSSL engine

Matt Caswell-2
In reply to this post by Byrne, Andrew


On 27/09/17 15:32, Byrne, Andrew wrote:
> I’m working on testing some lattice-based algorithms in OpenSSL for the
> establishment of a TLS channel. I’ve investigated the potential for
> developing an engine to support this as it would mean I don’t need to
> touch the core OpenSSL code. However, I’ve two blind spots which I can’t
> find any answers to…
>
> 1. How can I create a new OID/NID for the new algorithms I propose
> to include in the engine?

There are two options:

1) Create a PR for mainline OpenSSL to add a new OID. As it's just an OID
this is likely to be accepted. This has the advantage that you get a
built-in NID, but will obviously only work for versions of OpenSSL after
the OID was added.

2) Dynamically create the OID/NID by calling OBJ_create(). This will
allocate a new NID at runtime:

https://www.openssl.org/docs/man1.1.0/crypto/OBJ_nid2obj.html

>
> 2. Is it possible to create a ciphersuite within an engine that
> could be used to create a TLS connection?

No. It is not possible to dynamically add new ciphersuites at runtime.
All ciphersuites are built-in.

Matt
