[openssl-project] OpenSSL 3.0 and FIPS Update
mcr at sandelman.ca
Sun Feb 24 23:40:51 UTC 2019
Not sure who Matt quoted, wrote:
>> 2. Can we do something with a bunch of hard-linked non-extendable
>> lists of internal NIDs?
>> For example, providing GOST algorithms always requires a patch to
>> extend 3-5
>> internal lists.
>> If it could be done dynamically, it will be great.
Matt then wrote:
> The simplest solution is to submit a PR to add your OIDs to OpenSSL,
> so that no furher out of tree patches are required.
Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> Dynamic NIDs don't fit very well into the design, because NIDs are
> expected to be stable compile-time constants. We could perhaps
> reserve a range for "private-use", and "engines" could allocate new
> NIDs in the private space at runtime. The key question is whether
> such NIDs are global or valid only if returned to the same engine
> (provider, ...). If not global, the allocation might be static
> within the engine, and not require any locks.
Having stubbed my toe on some NID stuff, I must question exposting NIDs.
ruby-openssl used them in a dumb way that meant that adding extensions by OID
was broken until I removed some code.
I think that the #define/enum of NIDs should be made internal-only,
available as optimization to internal code only.
Your question then becomes, "are engines internal users", and I'd like the
answer to be no. I think that the openssl 3 changes suggest the same thing.
All other users can call OBJ_obj2nid() or OBJ_txt2nid() to get a NID,
and we can figure out how to allocate things dynamically if this makes
sense. I don't know which APIs are currently NID-only.
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 487 bytes
Desc: not available
More information about the openssl-users