<div dir="ltr"><div dir="ltr" style="font-size:12.8px">Hi Uri,<div><br></div><div>Let me know if you have any questions about these patches.</div><div><br></div><div>Thank you,</div><div>Alex.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 20, 2016 at 12:49 PM, Douglas E Engert <span dir="ltr"><<a href="mailto:deengert@gmail.com" target="_blank">deengert@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
When I started to write the ECDSA code for engine_pkcs11 in 2011
the code to support the method hooks was not<br>
in the code. So I used internal OpenSSL header files to copy the
ECDSA_METHOD and replace the function needed. <br>
Look for "BUILD_WITH_ECS_LOCL_H" in libp11. Not until 1.0.2 did
OpenSSL support the needed calls to hook ECDSA.<br>
They did not add the hooks for ECDH. <br>
<br>
If you can't wait then you have to do it yourself. *YOU* could do
the same thing for ECDH. But your code would only <br>
be good for 1.0.2 because the whole way of doing EC methods changes
in 1.1. <br>
<br>
I believe Alexander said he had changes to OpenSSL, which is another
approach. <br>
He has said they were here:
<a href="https://github.com/AtmelCSO/cryptoauth-openssl-engine/tree/master/patches" target="_blank">https://github.com/AtmelCSO/cryptoauth-openssl-engine/tree/master/patches</a><br>
<br>
You could also hire someone who could do more than: "test it and
offer minor enhancements".<br>
(And not me. I am taking the 1.1 approach to getting ECDH working
in engine.) <br>
<br>
<div>On 1/20/2016 2:19 PM, Blumenthal, Uri -
0553 - MITLL wrote:<br>
</div>
<blockquote type="cite">
<div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">Very possible
that I'm missing the point here.</div>
<div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br>
</div>
<div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">Still, since
openssl-1_0_2 does ECDH, and it exposes ECDSA to external
engine(s), how difficult would it be to add ECDH exposure? I
suspect - a good deal easier than getting 1.1 to replace 1.0.x as
the de-facto deployment standard.</div>
<div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br>
</div>
<div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">Plus, by this
time there already are (and reasonably common) tokens that
support ECDH, other packages that do ECDH, and people (like
myself :-) willing to test it and offer minor enhancements.</div>
<div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br>
</div>
<div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">Another point I
seem to be missing - if what's necessary to implement ECDH in an
external engine is missing from 1_0_2 - how could Alexander
write a (presumably) working ECDH engine for 1_0_2? If he could
do it, why can't engine_pkcs11 be extended to do the same?</div>
<div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br>
</div>
<div style="font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.</div>
<table style="background-color:white;border-spacing:0px" width="100%">
<tbody>
<tr>
<td colspan="2" style="font-size:initial;text-align:initial;background-color:rgb(255,255,255)">
<div>
<div><b>From: </b>Douglas E Engert</div>
<div><b>Sent: </b>Wednesday, January 20, 2016 14:59</div>
<div><b>To: </b><a href="mailto:openssl-dev@openssl.org" target="_blank">openssl-dev@openssl.org</a></div>
<div><b>Reply To: </b><a href="mailto:openssl-dev@openssl.org" target="_blank">openssl-dev@openssl.org</a></div>
<div><b>Subject: </b>Re: [openssl-dev] ECDH engine</div>
</div>
</td>
</tr>
</tbody>
</table>
<br>
<div style="background-color:rgb(255,255,255)">
You are missing the point. OpenSSL-1.0.2 only exposed ECDSA, not
ECDH to external engines. It took years to even get ECDSA
exposed.
<br>
OpenSSL's approach to support this is OpenSSL-1.1 that does a lot
of other things. But that was their approach. It's their package.<br>
From working package to distribution always takes several
years...<br>
<br></div></blockquote></div></blockquote></div><br></div></div>