[openssl-dev] Question about adding a new cipher [I am not asking the old question]

John Hunter zhjwpku at gmail.com
Mon Mar 21 12:51:19 UTC 2016


Got it, thanks :)

On Mon, Mar 21, 2016 at 8:09 PM, Dmitry Belyavsky <beldmit at gmail.com> wrote:
> Dear John,
>
> On Mon, Mar 21, 2016 at 2:52 PM, John Hunter <zhjwpku at gmail.com> wrote:
>>
>> Hi Dmitry,
>> Thank you for your quick reply.
>>
>> On Mon, Mar 21, 2016 at 7:38 PM, Dmitry Belyavsky <beldmit at gmail.com> wrote:
>> > Hello John,
>> >
>> > On Mon, Mar 21, 2016 at 1:53 PM, John Hunter <zhjwpku at gmail.com> wrote:
>> >>
>> >> I know that this question has been asked millions of times; I searched
>> >> the mailing list archives and I know it, and this is not homework for an
>> >> academic project, trust me :)
>> >>
>> >> In [1], Victor said that we don't need to rebuild OpenSSL just for
>> >> adding a crypto algorithm, and he recommended looking at the ccgost
>> >> engine. I did, but I think that if we add a symmetric cipher, we will
>> >> declare an EVP_CIPHER struct, which contains a nid, let's say
>> >> NID_id_Gost28147_89. This nid was defined in crypto/objects/obj_mac.h,
>> >> but if I don't have a nid for my newly added cipher, I think we should
>> >> add one into OpenSSL, and in that case I think we should rebuild OpenSSL.
>> >>
>> >> I would appreciate it if somebody could help explain.
>> >>
>> >> [1] http://openssl.6102.n7.nabble.com/add-a-new-cipher-to-OpenSSL-td22968.html
>> >
>> >
>> > In theory, you are able to register an OID/NID via an engine.
>> > In practice, when we implemented the GOST algorithms, we found that
>> > sometimes it causes memory problems.
>> > And anyway, if you provide a cipher via an engine, it just allows you to
>> > use it in some commands but not for TLS.
>>
>> So if I want to use the engine cipher, I should add some ciphersuite in
>> ssl and rebuild OpenSSL, but I am wondering how the ssl will use the
>> engine? Maybe add the engine to openssl.cnf?
>
>
> Yes. And the application should also use the OPENSSL_config() function to
> ensure the loading of the engine.
>
> And sometimes the applications have their own config file with the
> directives to load engines as accelerators.
>
>>
>> For now I just use the engine cipher (not a newly added cipher, but
>> replacing aes-128-ecb using the engine) in a command with the
>> -engine xxx parameter; I don't know how to use the engine cipher as the
>> default (I mean without the -engine).
>>
>> Thanks in advance !
>>
>> >
>> > --
>> > SY, Dmitry Belyavsky
>> >
>> > --
>> > openssl-dev mailing list
>> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>> >
>
>
>
>
> --
> SY, Dmitry Belyavsky
>
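
The setup discussed in this thread (loading an engine from openssl.cnf so that its cipher is used without -engine), as an added example that is not part of the original messages. The engine id "myengine", the section names and the library path are placeholders.

```ini
# openssl.cnf fragment (added example; "myengine" and the .so path are placeholders)

# This line must sit in the default (unnamed) section at the top of the file.
openssl_conf = openssl_init

[openssl_init]
# Points at the section that lists the engines to load.
engines = engine_section

[engine_section]
# Left side is an arbitrary label; right side names the section configuring it.
myengine = myengine_section

[myengine_section]
# The id the engine registers itself under; this directive comes first.
engine_id = myengine
# Needed only when the engine is not in OpenSSL's default engines directory.
dynamic_path = /path/to/libmyengine.so
# Make this engine the default implementation for the cipher NIDs it offers
# (for example aes-128-ecb), so no -engine option is required.
default_algorithms = CIPHERS
# Initialise the engine as soon as the configuration is loaded.
init = 1
```

The fragment takes effect only in programs that load the OpenSSL configuration, which is the OPENSSL_config() call mentioned in the reply above.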