[openssl-dev] ECDH engine

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Wed Jan 27 17:30:38 UTC 2016


> Let me know if you have any questions about these patches.

My only questions at this time (I briefly looked at your patches only,
haven’t looked at your engine at all) are: why you needed to add
ECDH_generate_key() to crypto/ech/ecdh_key.c, and what’s the purpose of
enabling (*init)(EC_KEY *eckey) and (*finish)(EC_KEY *eckey) in
crypto/ecdh/ech_locl.h.

Thanks!


> On Wed, Jan 20, 2016 at 12:49 PM, Douglas E Engert <deengert at gmail.com> wrote:
>> When I started to write the ECDSA code for engine_pkcs11 in 2011 the code to
>> support the method hooks was not in the code. So I used internal OpenSSL
>> header files to copy the ECDSA_METHOD and replace the function needed.
>> Look for "BUILD_WITH_ECS_LOCL_H" in libp11. Not until 1.0.2 did OpenSSL
>> support the needed calls to hook ECDSA.
>> They did not add the hooks for ECDH.
>> 
>> If you can't wait then you have to do it yourself. *YOU* could do the same
>> thing for ECDH. But your code would only be good for 1.0.2 because the whole
>> way of doing EC methods changes in 1.1.
>> 
>> I believe Alexander said he had changes to OpenSSL, which is another
>> approach. He has said they were here:
>> https://github.com/AtmelCSO/cryptoauth-openssl-engine/tree/master/patches
>> 
>> You could also hire someone who could do more than: "test it and offer minor
>> enhancements".
>> (And not me. I am taking the 1.1 approach to getting ECDH working in
>> engine.)
>> 
>> On 1/20/2016 2:19 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>>> Very possible that I'm missing the point here.
>>> 
>>> Still, since openssl-1_0_2 does ECDH, and it exposes ECDSA to external
>>> engine(s), how difficult would it be to add ECDH exposure? I suspect - a
>>> good deal easier than getting 1.1 to replace 1.0.x as the de-facto deployment
>>> standard.
>>> 
>>> Plus, by this time there already are (and reasonably common) tokens that
>>> support ECDH, other packages that do ECDH, and people (like myself :-)
>>> willing to test it and offer minor enhancements.
>>> 
>>> Another point I seem to be missing - if what's necessary to implement ECDH
>>> in an external engine is missing from 1_0_2 - how could Alexander write a
>>> (presumably) working ECDH engine for 1_0_2? If he could do it, why can't
>>> engine_pkcs11 be extended to do the same?
>>> 
>>> From: Douglas E Engert
>>> Sent: Wednesday, January 20, 2016 14:59
>>> To: openssl-dev at openssl.org
>>> Reply To: openssl-dev at openssl.org
>>> Subject: Re: [openssl-dev] ECDH engine
>>> 
>>> You are missing the point. OpenSSL-1.0.2 only exposed ECDSA, not ECDH to
>>> external engines. It took years to even get ECDSA exposed.
>>> OpenSSL's approach to support this is OpenSSL-1.1, which does a lot of other
>>> things. But that was their approach. It's their package.
>>> From working package to distribution always takes several years...

