[openssl-project] OpenSSL 3.0 and FIPS Update

Dmitry Belyavsky beldmit at gmail.com
Mon Feb 25 07:02:44 UTC 2019

On Sun, Feb 24, 2019 at 11:31 PM Viktor Dukhovni <openssl-users at dukhovni.org>

> On Thu, Feb 21, 2019 at 04:20:53PM +0000, Matt Caswell wrote:
> > > 2. Can we do something with a bunch of hard-linked non-extendable
> lists of
> > > internal NIDs?
> >
> > > For example, providing GOST algorithms always requires a patch to
> extend 3-5
> > > internal lists.
> > > If it could be done dynamically, it will be great.
> The simplest solution is to submit a PR to add your OIDs to OpenSSL,
> so that no furher out of tree patches are required.

This is a way we go here and now. It is inevitable for libssl, but can be
significantly reduced for libcrypto.
Some examples are available in my response to Richard.

And here we get a second problem, relatively small. If I remember
adding new OIDs/NIDs is treated as breaking the binary compatibility so we
have to wait for a major release.

> Dynamic NIDs don't fit very well into the design, because NIDs are
> expected to be stable compile-time constants.  We could perhaps
> reserve a range for "private-use", and "engines" could allocate new
> NIDs in the private space at runtime.  The key question is whether
> such NIDs are global or valid only if returned to the same engine
> (provider, ...).  If not global, the allocation might be static
> within the engine, and not require any locks.

Totally agree. OBJ_create() and similar functions exist, but do not solve
our problems.

SY, Dmitry Belyavsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190225/9c95ce54/attachment.html>

More information about the openssl-users mailing list