[openssl-users] Integrating New Cipher Suite

Schmicker, Robert rschm2 at unh.newhaven.edu
Wed Oct 4 14:48:49 UTC 2017


Not sure if I'm late to the party on this one but check out this link:

https://wiki.openssl.org/index.php/How_to_Integrate_a_Symmetric_Cipher

I wrote this up a few months back so let me know if you have any questions.

Rob

From: openssl-users-request at openssl.org
Sent: Wednesday, October 4, 4:29 AM
Subject: openssl-users Digest, Vol 35, Issue 2
To: openssl-users at openssl.org


Send openssl-users mailing list submissions to
    openssl-users at openssl.org

To subscribe or unsubscribe via the World Wide Web, visit
    https://mta.openssl.org/mailman/listinfo/openssl-users
or, via email, send a message with subject or body 'help' to
    openssl-users-request at openssl.org

You can reach the person managing the list at
    openssl-users-owner at openssl.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of openssl-users digest..."

Today's Topics:

   1. Re: Integrating New Cipher Suite (Jakob Bohm)
   2. Re: FIPS Object Module 2.0, fipsalgtest.pl fails (Diaz de Grenu, Jose)
   3. Re: FIPS Object Module 2.0, fipsalgtest.pl fails (Steve Marquess)
   4. Engine configuration (Dmitry Belyavsky)
   5. Re: Engine configuration (Dr. Stephen Henson)
   6. AES CMAC with given iv (Stefan Gr?nwald)
   7. Re: FIPS Object Module 2.0, fipsalgtest.pl fails (Diaz de Grenu, Jose)
   8. Re: Storing private key on tokens (lists)

----------------------------------------------------------------------

Message: 1
Date: Mon, 2 Oct 2017 13:52:18 +0200
From: Jakob Bohm
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Integrating New Cipher Suite
Message-ID:
Content-Type: text/plain; charset=utf-8; format=flowed

On 02/10/2017 00:47, Dr. Stephen Henson wrote:
> On Sun, Oct 01, 2017, Wallboy wrote:
>
>> Hi,
>>
>> ...
>> Bonus Question: Is it possible to remove the SCSV cipher in the ClientHello?
>>
> You can't remove it without making source changes. Again it's in the
> ssl_cipher_list_to_bytes() function.
>
Have you tried clearing SSL_MODE_SEND_FALLBACK_SCSV (in a program), or
(not) using the -fallback_scsv option to s_client?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

------------------------------

Message: 2
Date: Mon, 2 Oct 2017 14:29:06 +0000
From: "Diaz de Grenu, Jose"
To: "openssl-users at openssl.org"
Subject: Re: [openssl-users] FIPS Object Module 2.0, fipsalgtest.pl fails
Message-ID:
Content-Type: text/plain; charset="us-ascii"

> The FIPS module and test suite software (fipsalgtest.pl) are designed to
> work with exactly those algorithm tests relevant to the associated
> validations (#1747/2398/2473). The test labs generate a unique set of test
> vectors for each platform validation; those test vectors must be of the
> expected format to be successfully processed. Often they are not, either
> because they were incorrectly specified or due to errors. Figuring out such
> discrepancies can be lots of fun (not!).

> You will want to compare your test vectors with a known good set from
> http://openssl.com/testing/validation-2.0/testvectors/. Pick a recent set,
> as the format of the test vectors changes over time. Note that as a result
> frequent adjustment of fipsalgtest.pl is often necessary.

I have tried with all the tarballs but I am not able to find one which works
without errors.

Is there any way to check which test vectors were used for FIPS Object Module
2.0.16?

------------------------------

Message: 3
Date: Mon, 2 Oct 2017 11:39:11 -0400
From: Steve Marquess
To: openssl-users at openssl.org
Subject: Re: [openssl-users] FIPS Object Module 2.0, fipsalgtest.pl fails
Message-ID:
Content-Type: text/plain; charset=utf-8

On 10/02/2017 10:29 AM, Diaz de Grenu, Jose wrote:
>
>> The FIPS module and test suite software (fipsalgtest.pl) are designed to
>> work with exactly those algorithm tests relevant to the associated
>> validations (#1747/2398/2473). The test labs generate a unique set of test
>> vectors for each platform validation; those test vectors must be of the
>> expected format to be successfully processed. Often they are not, either
>> because they were incorrectly specified or due to errors. Figuring out such
>> discrepancies can be lots of fun (not!).
>
>> You will want to compare your test vectors with a known good set from
>> http://openssl.com/testing/validation-2.0/testvectors/. Pick a recent set,
>> as the format of the test vectors changes over time. Note that as a result
>> frequent adjustment of fipsalgtest.pl is often necessary.
>
> I have tried with all the tarballs but I am not able to find one which
> works without errors.

You reprocessed all of the hundreds of test vectors? I'm impressed. That
must have taken many days of compute time.

>
> Is there any way to check which test vectors were used for FIPS Object
> Module 2.0.16?
>

The most recent set of test vectors used for a 2.0.16 OE is:

http://openssl.com/testing/validation-2.0/testvectors/OVS_2859_OE82.results.tar.gz

You have no way of knowing that because we don't publish a mapping of test
vectors to OEs (and most FIPS 140 module vendors don't publish anything at
all).

And before you ask, no, while we're delighted to be an open source model for
other validations I'm not keen on spending time specifically supporting
proprietary validations that don't benefit the OpenSSL community as a whole.

Please note that if you're trying to do your own "private label" validation
you'll have to use a new unique set of test vectors provided by your
accredited test lab; reprocessing a previously used set doesn't buy you much.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 301 874 2571
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

------------------------------

Message: 4
Date: Mon, 2 Oct 2017 23:02:32 +0300
From: Dmitry Belyavsky
To: openssl-users at openssl.org
Subject: [openssl-users] Engine configuration
Message-ID:
Content-Type: text/plain; charset="utf-8"

Hello,

I have a question regarding engine configuration.

We need to implement such behaviour:
- on load the engine is configured with the commands from config file, but
  the values can be overwritten via environment
- application can change the engine's configuration via ENGINE_ctrl_string
  functions.

Is there any way to distinguish whether engine is configured via the config
file or via direct calls to ENGINE_ctrl* functions?

Thank you!

--
SY, Dmitry Belyavsky

------------------------------

Message: 5
Date: Mon, 2 Oct 2017 21:16:10 +0000
From: "Dr. Stephen Henson"
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Engine configuration
Message-ID:
Content-Type: text/plain; charset=us-ascii

On Mon, Oct 02, 2017, Dmitry Belyavsky wrote:

> Hello,
>
> I have a question regarding engine configuration.
>
> We need to implement such behaviour:
> - on load the engine is configured with the commands from config file, but
> the values can be overwritten via environment

That part can be done with the config file syntax see config(5)

> - application can change the engine's configuration via ENGINE_ctrl_string
> functions.
>
> Is there any way to distinguish whether engine is configured via the config
> file or via direct calls to ENGINE_ctrl* functions?
>

Not currently no: the config file calls the relevant control operations.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

------------------------------

Message: 6
Date: Tue, 3 Oct 2017 08:33:46 +0200
From: Stefan Gr?nwald
To: openssl-users at openssl.org
Subject: [openssl-users] AES CMAC with given iv
Message-ID:
Content-Type: text/plain; charset=utf-8; format=flowed

Hi,

I need to calculate an AES CMAC with a given iv and also get the new iv
after the calculation. On the internet I found some examples how to
calculate the CMAC but if I read the code correctly it always starts with a
zero iv. I also found the CMAC_resume function which restores the iv but it
also doesn't take the iv as an input parameter.

Is there any chance to set and get the iv? The only way I would see at the
moment is an ugly hack by setting the tbl field of the context struct in
memory before calling CMAC_resume.

Thanks,
Stefan

------------------------------

Message: 7
Date: Tue, 3 Oct 2017 21:26:06 +0000
From: "Diaz de Grenu, Jose"
To: "openssl-users at openssl.org"
Subject: Re: [openssl-users] FIPS Object Module 2.0, fipsalgtest.pl fails
Message-ID:
Content-Type: text/plain; charset="us-ascii"

> You reprocessed all of the hundreds of test vectors? I'm impressed. That
> must have taken many days of compute time.

Sorry, the download script I set up seg faulted after some time, and I
didn't notice. In fact it only tested a few tarballs.

> The most recent set of test vectors used for a 2.0.16 OE is:
> http://openssl.com/testing/validation-2.0/testvectors/OVS_2859_OE82.results.tar.gz

That one also fails. Thanks for all the information anyways. I will keep
trying with other test vectors, just in case.

------------------------------

Message: 8
Date: Wed, 4 Oct 2017 10:17:32 +0200
From: lists
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Storing private key on tokens
Message-ID:
Content-Type: text/plain; charset=utf-8; format=flowed

On 09/27/2017 11:13 PM, Ken Goldman wrote:
> On 9/27/2017 2:19 PM, Dirk-Willem van Gulik wrote:
>>
>>> On 27 Sep 2017, at 20:02, Michael Wojcik
>>>
>>> The tokens / HSMs I've used don't let you generate a key somewhere
>>> else and install it on the token. They insist on doing the key
>>> generation locally. That is, after all, part of the point of using
>>> a token - the key never leaves it.
>>
>> I've found that the Feitian ePass2000's and the Yubico keys allow for
>> importing of the private key. They do usually want the 'extra' flags
>> to specify use:
>
> FWIW, the TPM hardware also permits key import. It does validate
> attributes, so users will know that the key was not generated on chip.
>
Most smart cards (G&D, Oberthur and InCard) I've dealt with allow for
external generation of RSA keys and import into the token.
Currently I mostly use InCard cards sold in Italy, I can't tell if the
other brands are still easily purchasable.

------------------------------

Subject: Digest Footer

_______________________________________________
openssl-users mailing list
openssl-users at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-users

------------------------------

End of openssl-users Digest, Vol 35, Issue 2
********************************************
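
Added example for the SCSV exchange in Message 1 of the quoted digest (not part of the original posts and not OpenSSL code): the cipher_suites list of a ClientHello can carry two distinct signalling values, TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF, RFC 5746) and TLS_FALLBACK_SCSV (0x5600, RFC 7507, the one that SSL_MODE_SEND_FALLBACK_SCSV and -fallback_scsv control), and this Python parser reports which of them a captured ClientHello record contains. The function names and the sample record are constructed for illustration.

```python
import struct

# Signalling cipher suite values: code points in the cipher_suites list that
# carry a flag rather than naming a cipher (RFC 5746 and RFC 7507).
SCSV_NAMES = {
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0x5600: "TLS_FALLBACK_SCSV",
}

def client_hello_suites(record: bytes) -> list:
    """Return the cipher suite code points offered in one TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if hs_len + 4 > rec_len or len(hello) != hs_len:
        raise ValueError("ClientHello is truncated or spans several records")
    pos = 2 + 32                          # client_version + random
    if pos >= len(hello):
        raise ValueError("ClientHello too short")
    pos += 1 + hello[pos]                 # session_id length byte + session_id
    if pos + 2 > len(hello):
        raise ValueError("ClientHello too short")
    n = struct.unpack_from("!H", hello, pos)[0]
    raw = hello[pos + 2:pos + 2 + n]
    if len(raw) != n or n % 2:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack_from("!H", raw, i)[0] for i in range(0, n, 2)]

def signalling_values(record: bytes) -> list:
    """Names of the SCSVs present, in the order the client sent them."""
    return [SCSV_NAMES[c] for c in client_hello_suites(record) if c in SCSV_NAMES]

def sample_client_hello(suites) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello with no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    # 0xC02F and 0x009C are ordinary AES-GCM suites; the others are SCSVs.
    for offered in ([0xC02F, 0x009C, 0x00FF], [0xC02F, 0x009C, 0x5600, 0x00FF]):
        print(signalling_values(sample_client_hello(offered)))
```

Feeding it the first handshake record from a packet capture of your own client shows whether a given build or mode setting actually changes what goes on the wire.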
