[openssl-dev] ECDH engine

Alexander Gostrer agostrer at gmail.com
Wed Jan 27 05:19:56 UTC 2016


Hi Uri,

Let me know if you have any questions about these patches.

Thank you,
Alex.


On Wed, Jan 20, 2016 at 12:49 PM, Douglas E Engert <deengert at gmail.com>
wrote:

> When I started to write the ECDSA code for engine_pkcs11 in 2011 the code
> to support the method hooks was not
> in the code. So I used internal OpenSSL header files to copy the
> ECDSA_METHOD and replace the function needed.
> Look for "BUILD_WITH_ECS_LOCL_H" in libp11. Not until 1.0.2 did OpenSSL
> support the needed calls to hook ECDSA.
> They did not add the hooks for ECDH.
>
> If you can't wait then you have to do it yourself. *YOU* could do the
> same thing for ECDH. But your code would only
> be good for 1.0.2 because the whole way of doing EC methods changes in
> 1.1.
>
> I believe Alexander said he had changes to OpenSSL, which is another
> approach.
> He has said there were here:
> https://github.com/AtmelCSO/cryptoauth-openssl-engine/tree/master/patches
>
> You could also hire someone who could do more than: "test it and offer
> minor enhancements".
> (And not me. I am taking the 1.1 approach to getting ECDH working in
> engine.)
>
> On 1/20/2016 2:19 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>
> Very possible that I'm missing the point here.
>
> Still, since openssl-1_0_2 does ECDH, and it exposes ECDSA to external
> engine(s), how difficult would it be to add ECDH exposure? I suspect - a
> good deal easier than getting 1.1 to replace 1.0.x as the de-facto deployment
> standard.
>
> Plus, by this time there already are (and reasonably common) tokens that
> support ECDH, other packages that do ECDH, and people (like myself :-)
> willing to test it and offer minor enhancements.
>
> Another point I seem to be missing - if what's necessary to implement ECDH
> in an external engine is missing from 1_0_2 - how could Alexander write a
> (presumably) working ECDH engine for 1_0_2? If he could do it, why can't
> engine_pkcs11 be extended to do the same?
>
>
> Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
> *From: *Douglas E Engert
> *Sent: *Wednesday, January 20, 2016 14:59
> *To: *openssl-dev at openssl.org
> *Reply To: *openssl-dev at openssl.org
> *Subject: *Re: [openssl-dev] ECDH engine
>
> You are missing the point. OpenSSL-1.0.2 only exposed ECDSA, not ECDH, to
> external engines. It took years to even get ECDSA exposed.
> OpenSSL's approach to supporting this is OpenSSL-1.1, which does a lot of other
> things. But that was their approach. It's their package.
> From working package to distribution always takes several years...
>
>
>
>