On 2007.05.23 at 17:30:50 +0200, Yves Rutschle wrote:

> Hi,
> 
> I'm trying to work out the relationship between a cipher
> suite, and the encrypters available in OpenSSL. For example,

There is almost no relationship, except that if no encrypter is
available, a cipher suite which uses this encryption algorithm cannot be
used.

> in OpenSSL 0.9.8e I see there is blowfish encryption
> available (in `openssl enc`), yet none of the bf variants
> appear in the cipher suite list (`openssl ciphers`).
> 
> So, where does the cipher suite list come from, and how
> would one proceed if one wanted a cipher that's not already

There is a list of SSL_CIPHER structures in the s3_lib.c file (there is
also one in s2_lib.c, but I don't think you are interested in
SSLv2). The list in s3_lib is used both for SSLv3 and TLSv1.

A ciphersuite is composed of four parts: authentication algorithm
(which is based on some electronic signature algorithm), shared key
derivation algorithm, encryption algorithm and message authentication
algorithm. Really, OpenSSL supports just one MAC algorithm for TLSv1, HMAC,
but it can be used with different digest algorithms, so there are two
algorithms: HMAC-MD5 and HMAC-SHA1.

These algorithms are represented as flags in a bitmask field.
In OpenSSL 0.9.8 there is just one 32-bit mask field for all four
algorithms, so there are almost no bits free for adding new algorithms.

In OpenSSL 0.9.9 this mask is split into parts: a 32-bit field for each of
the four algorithms and an additional algorithm2 field to hold additional flags.
(Really, for now it is used just for SSLv2, but ongoing work on GOST
ciphersuite support would require the use of some bits in this field.)

This structure is intended to be used as a ciphersuite selection mask, which
is why a separate bit for each algorithm is used, rather than a sequential
number.

So if you are going to add a new ciphersuite you had better start with the
current developer snapshot of 0.9.9; it at least has free space in the
bitmasks.

A ciphersuite also has a 16-bit number. This number should be the same for all
implementations which support this ciphersuite. So, these numbers are
typically described in Internet standards published by the IETF and
registered with IANA. If there is such a standard/draft for blowfish
ciphersuites, you should use the numbers from it.

There is also a reserved range from 0xFF00 to 0xFFFF, which can be used
for experimental ciphersuites. If you use a number from this range, your
implementation wouldn't be interoperable with any other, but it wouldn't
be a protocol violation.

So, if you are just trying to experiment, you should define a new
SSL_CIPHER structure with a number in this range, define a new bit mask
constant and then look into the file ssl_ciph.c to see how other encryption
algorithms are handled, i.e. translated from the bit constant into the
EVP_CIPHER structure which is actually used.

It is not too complicated. It took us less than a day to add the GOST89
encryption algorithm.

Things are much more complicated for adding new authentication and key
derivation algorithms, and even worse for a MAC which is not HMAC(some
digest) and for PRF functions (for now only one PRF function is supported
for TLS).

> available in that list (specifically, I'm interested in cfb
> and ofb modes)?
> 
> Cheers,
> Y.
> 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
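As an added illustration of the selection-mask idea described in the reply above (this is constructed example code, not OpenSSL's SSL_CIPHER structure, and the flag names, the suite table and the 0xFF01 "experimental blowfish" entry are hypothetical): each algorithm occupies one bit in a per-category 32-bit field, so a selection mask is matched with a bitwise AND instead of comparing sequential numbers, and suites whose 16-bit id falls in the 0xFF00-0xFFFF range are excluded by default because they are not interoperable.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical flags, one bit per algorithm, mirroring the per-category
 * 32-bit fields the reply describes (not OpenSSL's own constants). */
#define AUTH_RSA   0x1u
#define AUTH_DSS   0x2u
#define KEX_RSA    0x1u
#define KEX_DH     0x2u
#define ENC_3DES   0x1u
#define ENC_AES128 0x2u
#define ENC_BF     0x4u   /* blowfish, the cipher asked about in the thread */
#define MAC_MD5    0x1u
#define MAC_SHA1   0x2u

typedef struct {
    uint16_t id;                 /* 16-bit ciphersuite number (IANA-style) */
    uint32_t auth, kex, enc, mac; /* one algorithm bit per category */
} suite_t;

/* Constructed sample table. The first three ids are standard registry
 * values; 0xFF01 is a made-up experimental blowfish suite. */
static const suite_t suites[] = {
    { 0x000A, AUTH_RSA, KEX_RSA, ENC_3DES,   MAC_SHA1 },
    { 0x002F, AUTH_RSA, KEX_RSA, ENC_AES128, MAC_SHA1 },
    { 0x0013, AUTH_DSS, KEX_DH,  ENC_3DES,   MAC_SHA1 },
    { 0xFF01, AUTH_RSA, KEX_RSA, ENC_BF,     MAC_MD5  },
};
#define NSUITES (sizeof suites / sizeof suites[0])

/* 0xFF00-0xFFFF is the reserved range for experimental ciphersuites. */
int suite_is_experimental(uint16_t id) { return id >= 0xFF00u; }

/* Select suites whose algorithm bits intersect the requested mask in every
 * category; a zero mask field means "any" for that category. Experimental
 * ids are skipped unless allow_experimental is set. Writes matching ids to
 * out (at most max) and returns how many were selected. */
size_t select_suites(uint32_t auth, uint32_t kex, uint32_t enc, uint32_t mac,
                     int allow_experimental, uint16_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < NSUITES && n < max; i++) {
        const suite_t *s = &suites[i];
        if (auth && !(s->auth & auth)) continue;
        if (kex  && !(s->kex  & kex))  continue;
        if (enc  && !(s->enc  & enc))  continue;
        if (mac  && !(s->mac  & mac))  continue;
        if (!allow_experimental && suite_is_experimental(s->id)) continue;
        out[n++] = s->id;
    }
    return n;
}
```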