[openssl-users] Integrating New Cipher Suite
Schmicker, Robert
rschm2 at unh.newhaven.edu
Tue Apr 11 14:44:19 UTC 2017
Thank you for the quick replies!
@Matt Caswell
I have attempted to integrate the cipher suite into the source code and here is what I have done so far…
Please keep in mind this was a previous attempt that mimicked a different cipher suite.
Added defines in include/openssl/tls1.h:
# define TLS1_CK_ECDHE_ECDSA_WITH_MYCIPHER_SHA384 0x03001306
# define TLS1_TXT_ECDHE_ECDSA_WITH_MYCIPHER_SHA384 "ECDHE-ECDSA-MYCIPHER-SHA384"
Added a define in include/openssl/ssl.h:
# define SSL_TXT_MYCIPHER "MYCIPHER"
Integrated into ssl/s3_lib.c:
static SSL_CIPHER ssl3_ciphers[] = {
    {
     1,
     TLS1_TXT_ECDHE_ECDSA_WITH_MYCIPHER_SHA384,
     TLS1_CK_ECDHE_ECDSA_WITH_MYCIPHER_SHA384,
     SSL_kECDHE,
     SSL_aECDSA,
     SSL_MYCIPHER,
     SSL_AEAD,
     TLS1_2_VERSION, TLS1_2_VERSION,
     DTLS1_2_VERSION, DTLS1_2_VERSION,
     SSL_HIGH | SSL_FIPS,
     SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
     64,
     64,
    },
Added the binary representation in ssl/ssl_locl.h:
# define SSL_MYCIPHER 0x00100000U
Integrated into ssl/ssl_ciph.c:
#define SSL_ENC_CHACHA_IDX 19
#define SSL_ENC_MYCIPHER 20
#define SSL_ENC_NUM_IDX 21
/* Table of NIDs for each cipher */
static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
    {SSL_MYCIPHER, NID_MYCIPHER},
static const SSL_CIPHER cipher_aliases[] = {
    {0, SSL_TXT_MYCIPHER, 0, 0, 0, SSL_MYCIPHER},
Added the loading of the cipher into ssl/ssl_init.c:
DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base)
{
#ifdef OPENSSL_INIT_DEBUG
    fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
            "Adding SSL ciphers and digests\n");
#endif
    EVP_add_cipher(EVP_mycipher());
#ifndef OPENSSL_NO_DES
    EVP_add_cipher(EVP_des_cbc());
    EVP_add_cipher(EVP_des_ede3_cbc());
#endif
Am I missing a step in integration?
@Dr. Stephen Henson
I'm using the most current dev branch 1.1.1-dev and thankfully the -enc does work with the EVP interface as expected.
Also, the cipher suite does show up using "openssl ciphers -v". However, when using the s_server/s_client, I receive the same error. Please see above for my integration steps.
Any help is much appreciated!
Rob Schmicker
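Added example, not from the thread or from OpenSSL itself: a self-contained C model of the checks OpenSSL 1.1.x applies between SSL_CTX_set_cipher_list() accepting a name and the ClientHello being built, which is where Steve's "cipher isn't visible" diagnosis and the -s option of "openssl ciphers" apply. It assumes a simplified reading of ssl_load_ciphers(), ssl_cipher_disabled() and ssl_cipher_list_to_bytes(); NID_MYCIPHER, the two EVP registries and the helper names are constructed, the 80-bit minimum is the default security level 1 as assumed here, and the 64 strength bits are taken from the s3_lib.c entry above.

```c
#include <stddef.h>
#include <stdint.h>
/* Constants as in OpenSSL's tls1.h / ssl_locl.h; SSL_MYCIPHER is the enc bit the poster added,
 * NID_MYCIPHER a constructed stand-in for the objects.txt NID the new EVP_CIPHER registers under */
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304
#define SSL_MYCIPHER   0x00100000U
#define NID_MYCIPHER   9999
#define LEVEL1_MINBITS 80   /* minimum strength at the default security level 1 (ssl_security) */
/* Minimal stand-ins for SSL_CIPHER and for the ssl_cipher_table_cipher NID table */
typedef struct { const char *name; uint32_t algorithm_enc; int min_tls, max_tls, strength_bits; } cipher_t;
typedef struct { uint32_t mask; int nid; } cipher_table_t;
static const cipher_table_t cipher_table[] = { {SSL_MYCIPHER, NID_MYCIPHER} };
/* Two constructed EVP registries: with and without the EVP_add_cipher(EVP_mycipher()) call */
static const int evp_with_mycipher[] = { NID_MYCIPHER };
static const int evp_without_mycipher[] = { 0 };
/* Stand-in for EVP_get_cipherbynid(): nonzero if an EVP_CIPHER is registered under nid */
static int evp_registered(const int *registered, size_t n, int nid) {
    for (size_t i = 0; i < n; i++) if (registered[i] == nid) return 1;
    return 0;
}
/* Models ssl_load_ciphers(): every enc bit whose EVP lookup fails is OR-ed into
 * disabled_enc_mask once, at library init, before any SSL_CTX exists */
static uint32_t load_disabled_enc_mask(const int *registered, size_t n) {
    uint32_t disabled = 0;
    for (size_t i = 0; i < sizeof cipher_table / sizeof *cipher_table; i++)
        if (!evp_registered(registered, n, cipher_table[i].nid))
            disabled |= cipher_table[i].mask;
    return disabled;
}

/* Models ssl_cipher_list_to_bytes() with ssl_cipher_disabled(): a suite that parsed fine in
 * SSL_CTX_set_cipher_list() is still skipped when its enc bit is disabled, the version is outside
 * its window, or strength_bits is below the security level's minimum; zero survivors is the error */
static int usable_ciphers(const cipher_t *list, size_t n, uint32_t disabled_enc, int version, int minbits) {
    int usable = 0;
    for (size_t i = 0; i < n; i++) {
        if (list[i].algorithm_enc & disabled_enc) continue;
        if (version < list[i].min_tls || version > list[i].max_tls) continue;
        if (list[i].strength_bits < minbits) continue;
        usable++;
    }
    return usable;
}

/* The poster's setup: only the new suite, with the 64 strength bits from the s3_lib.c entry;
 * returns how many suites the ClientHello would carry */
static int clienthello_count(const int *registered, size_t n, int version, int minbits) {
    static const cipher_t list[] = {{"ECDHE-ECDSA-MYCIPHER-SHA384", SSL_MYCIPHER, TLS1_2_VERSION, TLS1_2_VERSION, 64}};
    return usable_ciphers(list, 1, load_disabled_enc_mask(registered, n), version, minbits);
}
```

With the thread's own entry the model drops the suite both when no EVP_CIPHER is registered under its NID and when the 64 strength bits fall under the level-1 minimum; "openssl ciphers -v" does not apply these filters, "openssl ciphers -s" does.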
> On Apr 10, 2017, at 8:36 PM, openssl-users-request at openssl.org wrote:
>
> Today's Topics:
>
> 1. Integrating New Cipher Suite (Schmicker, Robert)
> 2. Re: Integrating New Cipher Suite (Matt Caswell)
> 3. Re: RSA PKCS1 v2.1 - Multi-primes and RSASSA-PSS (Dr. Stephen Henson)
> 4. Re: Integrating New Cipher Suite (Dr. Stephen Henson)
> 5. ssl_method_st not defined (Stiju Easo)
> 6. Re: ssl_method_st not defined (Salz, Rich)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 8 Apr 2017 17:56:54 +0000
> From: "Schmicker, Robert" <rschm2 at unh.newhaven.edu>
> To: "openssl-users at openssl.org" <openssl-users at openssl.org>
> Subject: [openssl-users] Integrating New Cipher Suite
> Message-ID:
> <DM5PR02MB27635F8413E901FC1B51D601A00F0 at DM5PR02MB2763.namprd02.prod.outlook.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello,
>
> I'm attempting to integrate a customized cipher suite for TLS 1.2,
> however no matter what I try I always seem to end up with this error
> (client side):
>
> SSL routines:ssl_cipher_list_to_bytes:no ciphers
> available:ssl/statem/statem_clnt.c:3567
>
> Can anyone give some further explanation on this?
>
> Here's some snippets from the client and server setup.
>
> client:
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <openssl/ssl.h>
> #include <openssl/err.h>
>
> SSL_CTX* InitCTX(void)
> {
>     const SSL_METHOD *method;
>     SSL_CTX *ctx;
>
>     OpenSSL_add_all_algorithms();    /* Load cryptos, et al. */
>     SSL_load_error_strings();        /* Bring in and register error messages */
>     method = SSLv23_client_method(); /* Create new client-method instance */
>     ctx = SSL_CTX_new(method);       /* Create new context */
>     if (ctx == NULL) {               /* Check before the context is used */
>         ERR_print_errors_fp(stderr);
>         abort();
>     }
>
>     /* Set cipher to use */
>     if (SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-MYCIPHER-SHA256") <= 0) {
>         printf("Error setting the cipher list.\n");
>         exit(0);
>     }
>     return ctx;
> }
>
> server:
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <openssl/ssl.h>
> #include <openssl/err.h>
>
> SSL_CTX* InitServerCTX(void)
> {
>     const SSL_METHOD *method;
>     SSL_CTX *ctx;
>
>     OpenSSL_add_all_algorithms();    /* load & register all cryptos, etc. */
>     SSL_load_error_strings();        /* load all error messages */
>     method = SSLv23_server_method(); /* create new server-method instance */
>     ctx = SSL_CTX_new(method);       /* create new context from method */
>     if (ctx == NULL) {               /* check before the context is used */
>         ERR_print_errors_fp(stderr);
>         abort();
>     }
>
>     /* Set cipher to use */
>     if (SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-MYCIPHER-SHA256") <= 0) {
>         printf("Error setting the cipher list.\n");
>         exit(0);
>     }
>     return ctx;
> }
>
> Thank you,
> Rob
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Apr 2017 11:03:05 +0100
> From: Matt Caswell <matt at openssl.org>
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Integrating New Cipher Suite
> Message-ID: <ea1e67d0-582c-6b2a-d147-696d03a7dc7f at openssl.org>
> Content-Type: text/plain; charset=windows-1252
>
>
>
> On 08/04/17 18:56, Schmicker, Robert wrote:
>> Hello,
>>
>> I'm attempting to integrate a customized cipher suite for TLS 1.2,
>> however no matter what I try I always seem to end up with this error
>> (client side):
>>
>> SSL routines:ssl_cipher_list_to_bytes:no ciphers
>> available:ssl/statem/statem_clnt.c:3567
>>
>> Can anyone give some further explanation on this?
>
> There is no way of dynamically adding new TLS1.2 ciphersuites into
> OpenSSL. The only way to do this is to modify the source code. If that's
> what you've done then you're going to need to provide a lot more
> information about the changes you have made before anyone can help!
>
> Matt
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Apr 2017 13:46:26 +0000
> From: "Dr. Stephen Henson" <steve at openssl.org>
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] RSA PKCS1 v2.1 - Multi-primes and
> RSASSA-PSS
> Message-ID: <20170410134626.GA28081 at openssl.org>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, Apr 05, 2017, Davy Souza wrote:
>
>> Hi,
>>
>>
>> I'm using RSA, but I need to know if OpenSSL RSA implements PKCS#1 v2.1. I have the following questions:
>>
>> 1) Does OpenSSL support multi-prime?
>>
>
> No.
>
>> 2) Does OpenSSL support RSASSA-PSS?
>>
>
> Yes.
>
>> 3) If so, how can I use it?
>>
>
> In what context do you want to use it? For example CMS, certificates, TLS,
> general application code or via the command line?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Apr 2017 13:56:40 +0000
> From: "Dr. Stephen Henson" <steve at openssl.org>
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Integrating New Cipher Suite
> Message-ID: <20170410135640.GB28081 at openssl.org>
> Content-Type: text/plain; charset=us-ascii
>
> On Sat, Apr 08, 2017, Schmicker, Robert wrote:
>
>> Hello,
>>
>> I'm attempting to integrate a customized cipher suite for TLS 1.2,
>> however no matter what I try I always seem to end up with this error
>> (client side):
>>
>> SSL routines:ssl_cipher_list_to_bytes:no ciphers
>> available:ssl/statem/statem_clnt.c:3567
>>
>> Can anyone give some further explanation on this?
>>
>> Here's some snippets from the client and server setup.
>>
>> client:
>>
>
> That sounds like the cipher isn't visible.
>
> I'd suggest trying s_client/s_server first.
>
> Which version of OpenSSL are you using?
>
> Does your new cipher appear in "openssl ciphers"? If so does the output look
> sensible? Does it appear with the -s option too?
>
> Is the cipher visible using "openssl list -cipher-algorithms" (OpenSSL 1.1.0)
> or "openssl list-cipher-algorithms" (OpenSSL 1.0.2)?
>
> Is your new cipher usable via the command line utilities like "enc"? Does it
> seem to be behaving as expected?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 11 Apr 2017 02:20:32 +0530
> From: Stiju Easo <stiju.easo at gmail.com>
> To: openssl-users at openssl.org
> Subject: [openssl-users] ssl_method_st not defined
> Message-ID:
> <CAD3rvcoR8Kpgfw2F6t_P=vZjBj9ANfYpeRFhqqJEQ92BBL84PA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I am trying to adopt OpenSSL 1.1.0 for my code.
> I was able to move away from pointers for RSA etc. to the appropriate
> functions, but I got stuck at the session.
>
> In my code I need to assign back the SSL pointer with the cipher, session id
> etc., as below:
>
> ssl_session->client_version = client_version;
> ssl_session->session->cipher = ssl_session->s3->tmp.new_cipher = pending_cipher;
> ssl_session->session->session_id_length = ssl_id.getLength();
>
> As ssl_method_st has now been moved to ssl_locl.h and I am not supposed
> to include that, is there any API to set these variables?
> The only code reference I saw is ssl/statem/statem_srvr.c, where it uses
> ssl_locl.h directly.
>
> My questions are: 1) are operations like setting the client version, cipher
> and session allowed with 1.1?
> 2) So, does an API exist for it?
> --
>
>
> Stiju Easo
>
>
> The unexamined life is not worth living for man.
> Socrates, in Plato, Dialogues, Apology
> Greek philosopher in Athens (469 BC - 399 BC)
>
> ------------------------------
>
> Message: 6
> Date: Tue, 11 Apr 2017 00:36:07 +0000
> From: "Salz, Rich" <rsalz at akamai.com>
> To: "openssl-users at openssl.org" <openssl-users at openssl.org>
> Subject: Re: [openssl-users] ssl_method_st not defined
> Message-ID:
> <5414ba488476425fa64de9efa00773a3 at ustx2ex-dag1mb1.msg.corp.akamai.com>
> Content-Type: text/plain; charset="utf-8"
>
> No, the functions you want aren't provided right now. What are you trying to do? Why are you modifying the session, outside of the TLS protocol?
>
> ------------------------------
>
> End of openssl-users Digest, Vol 29, Issue 10