<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px;"><span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif;"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div><div><div dir="ltr"><div dir="ltr" style="font-size:12.8px"><div>Let me know if you have any questions about these patches.</div></div></div></div></div></blockquote></span><div style="font-family: Calibri, sans-serif;"><br></div><div><font face="Calibri,sans-serif">My only questions at this time (I briefly looked at your patches only, haven’t looked at your engine at all) are: why you needed to add ECDH\generate key() to crypto/ech/ecdh_key.c, and what’s the purpose of enabling </font><font face="Consolas">(*init)(EC_KEY *eckey)</font><font face="Calibri,sans-serif"> and </font><font face="Consolas">(*finish)(EC_KEY *eckey)</font><font face="Calibri,sans-serif"> in crypto/ecdh/ech_locl.h.</font></div><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;">Thanks!</div><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;"><br></div><span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif;"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div><div><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Jan 20, 2016 at 12:49 PM, Douglas E Engert <span dir="ltr">
<<a href="mailto:deengert@gmail.com" target="_blank">deengert@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">When I started to write the ECDSA code for engine_pkcs11 in 2011 the code to support the method hooks was not<br>
in the code. So I used internal OpenSSL header files to copy the ECDSA_METHOD and replace the function needed.
<br>
Look for "BUILD_WITH_ECS_LOCL_H" in libp11. Not until 1.0.2 did OpenSSL support the needed calls to hook ECDSA.<br>
They did not add the hooks for ECDH. <br><br>
If you can't wait then you have to do it your self. *YOU* could do the same thing for ECDH. But your code would only
<br>
be good for 1.0.2 because the whole way of doing EC methods changes in 1.1. <br><br>
I believe Alexander said he had changes to OpenSSL, which is another approach. <br>
He has said there were here: <a href="https://github.com/AtmelCSO/cryptoauth-openssl-engine/tree/master/patches" target="_blank">
https://github.com/AtmelCSO/cryptoauth-openssl-engine/tree/master/patches</a><br><br>
You could also hire someone who could do more then: "test it and offer minor enhancements".<br>
(And not me. I am taking the 1.1 approach to getting ECDH. working in engine.) <br><br><div>On 1/20/2016 2:19 PM, Blumenthal, Uri - 0553 - MITLL wrote:<br></div><blockquote type="cite"><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">
Very possible that I'm missing the point here.</div><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br></div><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">
Still, since openssl-1_0_2 does ECDH, and it exposes ECDSA to external engine(s), how difficult would it be to add ECDH exposure? I suspect - a good deal easier than getting 1.1 replace 1.0.x as the de-facto deployment standard.</div><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br></div><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">
Plus, by this time there already are (and reasonably common) tokens that support ECDH, other packages that do ECDH, and people (like myself :-) willing to test it and offer minor enhancements.</div><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br></div><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">
Another point I seem to be missing - if what's necessary to implement ECDH in an external engine is missing from 1_0_2 - how could Alexander write a (presumably) working ECDH engine for 1_0_2? If he could do it, why can't engine_pkcs11 be extended to do the
same?</div><div style="width:100%;font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)"><br></div><div style="font-size:initial;font-family:Calibri,'Slate Pro',sans-serif;color:rgb(31,73,125);text-align:initial;background-color:rgb(255,255,255)">
Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.</div><table style="background-color:white;border-spacing:0px" width="100%"><tbody><tr><td colspan="2" style="font-size:initial;text-align:initial;background-color:rgb(255,255,255)"><div><div><b>From: </b>Douglas E Engert</div><div><b>Sent: </b>Wednesday, January 20, 2016 14:59</div><div><b>To: </b><a href="mailto:openssl-dev@openssl.org" target="_blank">openssl-dev@openssl.org</a></div><div><b>Reply To: </b><a href="mailto:openssl-dev@openssl.org" target="_blank">openssl-dev@openssl.org</a></div><div><b>Subject: </b>Re: [openssl-dev] ECDH engine</div></div></td></tr></tbody></table>
<br><div style="background-color:rgb(255,255,255)">You are missing the point. OpenSSL-1.0.2 only exposed ECDSA, not ECDH to external engines. It took years to even get ECDSA exposed.
<br>
OpenSSL approach to support this is OpenSSL-1.1 that does a lot of other things. But that was there approach. Its their package.<br>
>From working package to distribution always takes several years...<br><br><br><br></div></blockquote></div></blockquote></div><br></div></div></div></div></blockquote></span></body></html>