[openssl-project] OpenSSL 3.0 and FIPS Update
Dr Paul Dale
paul.dale at oracle.com
Mon Feb 25 10:36:45 UTC 2019
I don’t think that new OIDs or NIDs are considered breaking. Changing existing ones definitely is, but that’s an entirely different proposition.
Pauli
--
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia
> On 25 Feb 2019, at 5:02 pm, Dmitry Belyavsky <beldmit at gmail.com> wrote:
>
>
>
> On Sun, Feb 24, 2019 at 11:31 PM Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> On Thu, Feb 21, 2019 at 04:20:53PM +0000, Matt Caswell wrote:
>
> > > 2. Can we do something with a bunch of hard-linked non-extendable lists of
> > > internal NIDs?
> >
> > > For example, providing GOST algorithms always requires a patch to extend 3-5
> > > internal lists.
> > > If it could be done dynamically, it will be great.
>
> The simplest solution is to submit a PR to add your OIDs to OpenSSL,
> so that no further out of tree patches are required.
>
> This is a way we go here and now. It is inevitable for libssl, but can be significantly reduced for libcrypto.
> Some examples are available in my response to Richard.
>
> And here we get a second problem, relatively small. If I remember correctly,
> adding new OIDs/NIDs is treated as breaking the binary compatibility so we have to wait for a major release.
>
> Dynamic NIDs don't fit very well into the design, because NIDs are
> expected to be stable compile-time constants. We could perhaps
> reserve a range for "private-use", and "engines" could allocate new
> NIDs in the private space at runtime. The key question is whether
> such NIDs are global or valid only if returned to the same engine
> (provider, ...). If not global, the allocation might be static
> within the engine, and not require any locks.
>
> Totally agree. OBJ_create() and similar functions exist, but do not solve our problems.
>
> --
> SY, Dmitry Belyavsky
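A toy sketch, added here and not code from OpenSSL or from anyone in the thread, of the "private-use" range Viktor describes: one engine allocates NIDs statically from a reserved slice, so no locks are needed, and a NID outside that slice is meaningless to the engine. The range base, its size, `NID_undef`, the function names and the OIDs are all constructed values for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed values: a reserved "private-use" NID range for one engine
 * (not OpenSSL's real NID numbering; NID_undef mirrors OpenSSL's 0). */
#define NID_undef      0
#define PRIV_NID_BASE  0x10000   /* first private-use NID */
#define PRIV_NID_COUNT 4         /* size of this engine's slice of the range */

struct priv_obj {
    const char *oid;             /* dotted OID text */
    const char *sn;              /* short name */
};

/* Table is static to this engine and filled only during its (single-threaded)
 * initialisation, which is why the allocation needs no locking. */
static struct priv_obj priv_objs[PRIV_NID_COUNT];
static int priv_used = 0;

/* Register oid/sn and return its NID from the private range. Re-registering
 * a known OID returns the same NID; NID_undef signals an exhausted range. */
int priv_nid_create(const char *oid, const char *sn)
{
    for (int i = 0; i < priv_used; i++)
        if (strcmp(priv_objs[i].oid, oid) == 0)
            return PRIV_NID_BASE + i;
    if (priv_used >= PRIV_NID_COUNT)
        return NID_undef;            /* caller must treat this as an error */
    priv_objs[priv_used].oid = oid;
    priv_objs[priv_used].sn = sn;
    return PRIV_NID_BASE + priv_used++;
}

/* Dotted OID text -> NID, or NID_undef when this engine never registered it. */
int priv_txt2nid(const char *oid)
{
    for (int i = 0; i < priv_used; i++)
        if (strcmp(priv_objs[i].oid, oid) == 0)
            return PRIV_NID_BASE + i;
    return NID_undef;
}

/* NID -> short name; NULL for NIDs outside the slice this engine owns, which
 * is the "valid only if returned to the same engine" case from the thread. */
const char *priv_nid2sn(int nid)
{
    int i = nid - PRIV_NID_BASE;
    return (i >= 0 && i < priv_used) ? priv_objs[i].sn : NULL;
}
```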