Custom Provider - OpenSSL 3.x with SSHD

Tomas Mraz tomas at openssl.org
Tue Jan 3 10:20:40 UTC 2023


In this case it should not be necessary to patch OpenSSH. You could
just set a default property query in the OpenSSL configuration file
as: 

default_properties = "?provider=yourprovider"

in the alg_section. See the config(5) manual page.

This way your provider will be preferred over other providers for all
algorithms that it provides.

Tomas
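As an added illustration (not from the thread), this is the shape of a complete openssl.cnf that activates both the built-in default provider and a custom one; the provider name "yourprovider", its module path and the section names are assumptions:

```ini
# Added example, not the thread's own configuration. "yourprovider" and the
# module path are placeholders; substitute the name your provider registers
# and the location of its shared object.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
default = default_sect
yourprovider = yourprovider_sect

[default_sect]
# Keep the default provider active so algorithms the custom provider does
# not implement (e.g. KDFs, MACs, signature schemes) keep working.
activate = 1

[yourprovider_sect]
# Placeholder path for the custom provider module.
module = /usr/lib/ossl-modules/yourprovider.so
activate = 1

[algorithm_sect]
# The leading "?" makes the query a preference, not a requirement: fetches
# for algorithms the custom provider offers (e.g. AES-256-CBC) resolve to it,
# while anything it lacks falls back to the default provider instead of
# failing the fetch.
default_properties = "?provider=yourprovider"
```

This only affects sshd if it is linked against OpenSSL 3.x and loads this file (the build's default openssl.cnf, or the file named by OPENSSL_CONF); writing `provider=yourprovider` without the `?` would instead make every algorithm the custom provider does not implement unavailable.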

On Tue, 2023-01-03 at 09:13 +0000, Hareesh Das Ulleri wrote:
> Hi,
> 
>    More precisely, my new custom provider has existing cipher algorithm (e.g.
> AES-256-CBC) operations implemented using a 'HW crypto IP'. For
> example, what I am trying to achieve with my custom provider is, when an
> SSH client (SCP/SFTP) initiates a transfer:
> 
> SSHD  (SCP/SFTP) -> OpenSSL -> Custom provider -> HW algo
> implementation
> 
> OpenSSL has to take my custom provider for these cipher operations
> irrespective of whether a default provider exists for other operations (and
> the same cipher operations).
> 
> 
>     Can the above case work if I configure OpenSSL and/or
> OpenSSH, or does OpenSSH need to be patched?
> 
> Regards,
> Hareesh
> 
> -----Original Message-----
> From: Tomas Mraz <tomas at openssl.org> 
> Sent: Tuesday, January 3, 2023 4:39 PM
> To: Hareesh Das Ulleri <hareesh.ulleri at ovt.com>;
> openssl-users at openssl.org
> Subject: Re: Custom Provider - OpenSSL 3.x with SSHD
> 
> 
> The primary question is, does your provider just implement some of
> the existing algorithms that OpenSSH supports, or do you want to
> add a new cipher algorithm? If the second, then OpenSSH needs to be
> patched to add support for the new algorithm. I do not think it
> supports custom pluggable algorithms.
> 
> Tomas Mraz, OpenSSL
> 
> On Tue, 2023-01-03 at 03:46 +0000, Hareesh Das Ulleri wrote:
> > Dear OpenSSL users,
> > 
> >   I use Linux 5.10 + OpenSSL 3.0.7. I have a custom provider cipher
> > implementation and its algorithm implementation works for a test
> > application.
> > Now I have sshd running and want to use the custom provider's
> > (encryption/decryption) implementation calls instead of the default
> > provider's.
> > 
> >   Please let me know if anybody has tried this before or knows
> > how SSHD can be configured for a custom provider's (encryption /
> > decryption) calls.
> > 
> > Note: Here both the default provider and the custom provider are activated
> > at the same time.
> > 
> > Thank you,
> > Hareesh
> 
> --
> Tomáš Mráz, OpenSSL
> 

-- 
Tomáš Mráz, OpenSSL
