[openssl-project] OpenSSL 3.0 and FIPS Update

Viktor Dukhovni openssl-users at dukhovni.org
Sun Feb 24 20:31:21 UTC 2019

On Thu, Feb 21, 2019 at 04:20:53PM +0000, Matt Caswell wrote:

> > 2. Can we do something with a bunch of hard-linked non-extendable lists of
> > internal NIDs?
> > For example, providing GOST algorithms always requires a patch to extend 3-5
> > internal lists.
> > If it could be done dynamically, it will be great.

The simplest solution is to submit a PR to add your OIDs to OpenSSL,
so that no furher out of tree patches are required.

Dynamic NIDs don't fit very well into the design, because NIDs are
expected to be stable compile-time constants.  We could perhaps
reserve a range for "private-use", and "engines" could allocate new
NIDs in the private space at runtime.  The key question is whether
such NIDs are global or valid only if returned to the same engine
(provider, ...).  If not global, the allocation might be static
within the engine, and not require any locks.


More information about the openssl-users mailing list