Re: relationship between cipher suites and encoders

2007-05-24 Thread Victor B. Wagner
On 2007.05.23 at 17:30:50 +0200, Yves Rutschle wrote:

 Hi,
 
 I'm trying to work out the relationship between a cipher
 suite, and the encrypters available in OpenSSL. For example,

There is almost no relationship, except that if no encrypter is
available, a cipher suite which uses this encryption algorithm cannot be
used.


 in OpenSSL 0.9.8e I see there is blowfish encryption
 available (in `openssl enc`), yet none of the bf variants
 appear in the cipher suite list (`openssl ciphers`).
 
 So, where does the cipher suite list come from, and how
 would one proceed if one wanted a cipher that's not already


There is a list of SSL_CIPHER structures in the s3_lib.c file (there is
also one in s2_lib.c, but I don't think you are interested in
SSLv2). The list in s3_lib is used both for SSLv3 and TLSv1.

A ciphersuite is composed of four parts - authentication algorithm
(which is based on same electronic signature algorithm), shared key
derivation algorithm, encryption algorithm and message authentication
algorithm. Really OpenSSL supports just one MAC algorithm for TLSv1 - HMAC,
but it can be used with different digest algorithms, so there are two
algorithms - HMAC-MD5 and HMAC-SHA1.

These algorithms are represented as flags in a bitmask field.
In OpenSSL 0.9.8 there is just one 32-bit mask field for all four
algorithms, so there are almost no bits free for adding new algorithms.

In OpenSSL 0.9.9 this mask is split into parts - a 32-bit field for each of
the four algorithms and an additional algorithm2 field to hold additional flags
(really, for now it is used just for SSLv2, but ongoing work on GOST
ciphersuite support would require use of some bits in this field).

This structure is intended to be used as a ciphersuite selection mask; that is
why a separate bit for each algorithm is used, rather than a sequential
number.

So if you are going to add a new ciphersuite, you had better start with
the current developer snapshot of 0.9.9 - it at least has free space in the
bitmasks.

A ciphersuite also has a 16-bit number. This number should be the same for all
implementations which support this ciphersuite. So, these numbers are
typically described in internet standards published by the IETF and
registered with IANA. If there is such a standard/draft for blowfish
ciphersuites, you should use the numbers from it.

There is also a reserved range from 0xFF00 to 0x, which can be used
for experimental ciphersuites. If you use a number from this range, your
implementation wouldn't be interoperable with any other, but it wouldn't
be a protocol violation.

So, if you are just trying to experiment, you should define a new
SSL_CIPHER structure with a number in this range, define a new bit mask
constant and then look into the file ssl_ciph.c to see how other encryption
algorithms are handled - i.e. translated from a bit constant into the
EVP_CIPHER structure which is actually used.

It is not too complicated. It took us less than a day to add the GOST89
encryption algorithm.

Things are much more complicated for adding new authentication and key
derivation algorithms, and even worse for MAC which is not HMAC(some
digest) and PRF functions (for now only one PRF function is supported
for TLS).






 available in that list (specifically, I'm interested in cfb
 and ofb modes)?
 
 Cheers,
 Y.
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]
 
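Added example, not part of the original message and not OpenSSL's own code: a small C model of the scheme described in the reply above, with one bit per algorithm in four separate masks, a 16-bit suite number, and a bit-to-cipher-name step standing in for the translation to EVP_CIPHER. The struct, the flag names, the suite names and the experimental number 0xFF01 are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical one-bit-per-algorithm flags, not OpenSSL's real constants. */
enum { AUTH_RSA = 1, AUTH_DSS = 2 };
enum { KX_RSA = 1, KX_DHE = 2 };
enum { ENC_3DES = 1, ENC_AES = 2, ENC_BF = 4 };   /* ENC_BF: newly added bit */
enum { MAC_MD5 = 1, MAC_SHA1 = 2 };

/* Simplified stand-in for SSL_CIPHER: 16-bit number plus one mask per part. */
typedef struct { const char *name; uint16_t id; uint32_t auth, kx, enc, mac; } suite_t;

static const suite_t suites[] = {
    { "RSA-3DES-SHA",       0x000A, AUTH_RSA, KX_RSA, ENC_3DES, MAC_SHA1 },
    { "RSA-AES128-SHA",     0x002F, AUTH_RSA, KX_RSA, ENC_AES,  MAC_SHA1 },
    { "DHE-DSS-AES128-SHA", 0x0032, AUTH_DSS, KX_DHE, ENC_AES,  MAC_SHA1 },
    { "EXP-RSA-BF-SHA",     0xFF01, AUTH_RSA, KX_RSA, ENC_BF,   MAC_SHA1 }, /* constructed experimental number */
};

/* Stand-in for the bit -> EVP_CIPHER translation: NULL means no encrypter. */
const char *enc_name(uint32_t enc_bit)
{
    switch (enc_bit) {
    case ENC_3DES: return "des-ede3-cbc";
    case ENC_AES:  return "aes-128-cbc";
    case ENC_BF:   return "bf-cbc";
    default:       return NULL;
    }
}

/* Selection by mask: a suite is kept when each of its four bits lies inside
 * the corresponding allowed mask and an encrypter exists for its enc bit. */
size_t select_suites(uint32_t auth, uint32_t kx, uint32_t enc, uint32_t mac,
                     uint16_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof suites / sizeof suites[0]; i++) {
        const suite_t *s = &suites[i];
        if (n < cap && (s->auth & auth) && (s->kx & kx) && (s->enc & enc) &&
            (s->mac & mac) && enc_name(s->enc) != NULL)
            out[n++] = s->id;
    }
    return n;
}

int main(void)
{
    uint16_t ids[4];
    /* RSA authentication only, any key exchange, no 3DES, SHA1 MAC. */
    size_t n = select_suites(AUTH_RSA, KX_RSA | KX_DHE, ENC_AES | ENC_BF, MAC_SHA1, ids, 4);
    for (size_t i = 0; i < n; i++) printf("0x%04X\n", (unsigned)ids[i]);
    return 0;
}
```

Because each algorithm has its own bit, excluding 3DES or restricting authentication to RSA is a single mask operation per field, which a sequential algorithm number would not allow.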


relationship between cipher suites and encoders

2007-05-23 Thread Yves Rutschle
Hi,

I'm trying to work out the relationship between a cipher
suite, and the encrypters available in OpenSSL. For example,
in OpenSSL 0.9.8e I see there is blowfish encryption
available (in `openssl enc`), yet none of the bf variants
appear in the cipher suite list (`openssl ciphers`).

So, where does the cipher suite list come from, and how
would one proceed if one wanted a cipher that's not already
available in that list (specifically, I'm interested in cfb
and ofb modes)?

Cheers,
Y.
