Thank you for the quick replies!

@Matt Caswell I have attempted to integrate the cipher suite into the source code and here is what I have done so far. Please keep in mind this was a previous attempt that mimicked a different cipher suite.

Added defines in include/openssl/tls1.h:

    # define TLS1_CK_ECDHE_ECDSA_WITH_MYCIPHER_SHA384    0x03001306
    # define TLS1_TXT_ECDHE_ECDSA_WITH_MYCIPHER_SHA384   "ECDHE-ECDSA-MYCIPHER-SHA384"

Added a define in include/openssl/ssl.h:

    # define SSL_TXT_MYCIPHER    "MYCIPHER"

Integrated into ssl/s3_lib.c:

    static SSL_CIPHER ssl3_ciphers[] = {
        /* existing entries unchanged */
        {
         1,                                          /* valid */
         TLS1_TXT_ECDHE_ECDSA_WITH_MYCIPHER_SHA384,  /* name */
         TLS1_CK_ECDHE_ECDSA_WITH_MYCIPHER_SHA384,   /* id */
         SSL_kECDHE,                                 /* algorithm_mkey */
         SSL_aECDSA,                                 /* algorithm_auth */
         SSL_MYCIPHER,                               /* algorithm_enc */
         SSL_AEAD,                                   /* algorithm_mac */
         TLS1_2_VERSION, TLS1_2_VERSION,             /* min_tls, max_tls */
         DTLS1_2_VERSION, DTLS1_2_VERSION,           /* min_dtls, max_dtls */
         SSL_HIGH | SSL_FIPS,                        /* algo_strength */
         SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, /* algorithm2 */
         64,                                         /* strength_bits */
         64,                                         /* alg_bits */
         },

Added the binary representation in ssl/ssl_locl.h:

    # define SSL_MYCIPHER    0x00100000U

Integrated into ssl/ssl_ciph.c:

    #define SSL_ENC_CHACHA_IDX      19
    #define SSL_ENC_MYCIPHER        20
    #define SSL_ENC_NUM_IDX         21

    /* Table of NIDs for each cipher */
    static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
        /* existing entries unchanged */
        {SSL_MYCIPHER, NID_MYCIPHER},   /* SSL_ENC_MYCIPHER */
    };

    static const SSL_CIPHER cipher_aliases[] = {
        /* existing entries unchanged */
        {0, SSL_TXT_MYCIPHER, 0, 0, 0, SSL_MYCIPHER},
    };

Added the loading of the cipher into ssl/ssl_init.c:

    DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base)
    {
    #ifdef OPENSSL_INIT_DEBUG
        fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
                "Adding SSL ciphers and digests\n");
    #endif
        EVP_add_cipher(EVP_mycipher());   /* register the new EVP cipher */
    #ifndef OPENSSL_NO_DES
        EVP_add_cipher(EVP_des_cbc());
        EVP_add_cipher(EVP_des_ede3_cbc());
    #endif
        /* rest of the function unchanged */

Am I missing a step in integration?

@Dr. Stephen Henson I'm using the most current dev branch 1.1.1-dev and thankfully the -enc does work with the EVP interface as expected. Also, the cipher suite does show up using "openssl ciphers -v". However, when using the s_server/s_client, I receive the same error. Please see above for my integration steps.
Any help is much appreciated!

Rob Schmicker

> On Apr 10, 2017, at 8:36 PM, openssl-users-request@xxxxxxxxxxx wrote:
>
> Today's Topics:
>
>    1. Integrating New Cipher Suite (Schmicker, Robert)
>    2. Re: Integrating New Cipher Suite (Matt Caswell)
>    3. Re: RSA PKCS1 v2.1 - Multi-primes and RSASSA-PSS (Dr. Stephen Henson)
>    4. Re: Integrating New Cipher Suite (Dr. Stephen Henson)
>    5. ssl_method_st not defined (Stiju Easo)
>    6. Re: ssl_method_st not defined (Salz, Rich)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 8 Apr 2017 17:56:54 +0000
> From: "Schmicker, Robert" <rschm2@xxxxxxxxxxxxxxxx>
> To: "openssl-users@xxxxxxxxxxx" <openssl-users@xxxxxxxxxxx>
> Subject: Integrating New Cipher Suite
> Message-ID: <DM5PR02MB27635F8413E901FC1B51D601A00F0@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello,
>
> I'm attempting to integrate a customized cipher suite for TLS 1.2,
> however no matter what I try I always seem to end up with this error
> (client side):
>
> SSL routines:ssl_cipher_list_to_bytes:no ciphers
> available:ssl/statem/statem_clnt.c:3567
>
> Can anyone give some further explanation on this?
>
> Here's some snippets from the client and server setup.
>
> client:
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <openssl/ssl.h>
> #include <openssl/err.h>
>
> SSL_CTX* InitCTX(void)
> {
>     const SSL_METHOD *method;
>     SSL_CTX *ctx;
>
>     OpenSSL_add_all_algorithms();    /* Load cryptos, et.al. */
>     SSL_load_error_strings();        /* Bring in and register error messages */
>     method = SSLv23_client_method(); /* Create new client-method instance */
>     ctx = SSL_CTX_new(method);       /* Create new context */
>     if ( ctx == NULL )               /* Check the context before using it */
>     {
>         ERR_print_errors_fp(stderr);
>         abort();
>     }
>
>     /* Set cipher to use */
>     if (SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-MYCIPHER-SHA256") <= 0) {
>         printf("Error setting the cipher list.\n");
>         exit(0);
>     }
>     return ctx;
> }
>
> server:
>
> SSL_CTX* InitServerCTX(void)
> {
>     const SSL_METHOD *method;
>     SSL_CTX *ctx;
>
>     OpenSSL_add_all_algorithms();    /* load & register all cryptos, etc. */
>     SSL_load_error_strings();        /* load all error messages */
>     method = SSLv23_server_method(); /* create new server-method instance */
>     ctx = SSL_CTX_new(method);       /* create new context from method */
>     if ( ctx == NULL )               /* check the context before using it */
>     {
>         ERR_print_errors_fp(stderr);
>         abort();
>     }
>
>     /* Set cipher to use */
>     if (SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-MYCIPHER-SHA256") <= 0) {
>         printf("Error setting the cipher list.\n");
>         exit(0);
>     }
>     return ctx;
> }
>
> Thank you,
> Rob
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Apr 2017 11:03:05 +0100
> From: Matt Caswell <matt@xxxxxxxxxxx>
> To: openssl-users@xxxxxxxxxxx
> Subject: Re: Integrating New Cipher Suite
> Message-ID: <ea1e67d0-582c-6b2a-d147-696d03a7dc7f@xxxxxxxxxxx>
> Content-Type: text/plain; charset=windows-1252
>
> On 08/04/17 18:56, Schmicker, Robert wrote:
>> Hello,
>>
>> I'm attempting to integrate a customized cipher suite for TLS 1.2,
>> however no matter what I try I always seem to end up with this error
>> (client side):
>>
>> SSL routines:ssl_cipher_list_to_bytes:no ciphers
>> available:ssl/statem/statem_clnt.c:3567
>>
>> Can anyone give some further explanation on this?
>
> There is no way of dynamically adding new TLS1.2 ciphersuites into
> OpenSSL. The only way to do this is to modify the source code. If that's
> what you've done then you're going to need to provide a lot more
> information about the changes you have made before anyone can help!
>
> Matt
>
>> [...]
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Apr 2017 13:46:26 +0000
> From: "Dr. Stephen Henson" <steve@xxxxxxxxxxx>
> To: openssl-users@xxxxxxxxxxx
> Subject: Re: RSA PKCS1 v2.1 - Multi-primes and RSASSA-PSS
> Message-ID: <20170410134626.GA28081@xxxxxxxxxxx>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, Apr 05, 2017, Davy Souza wrote:
>
>> Hi,
>>
>> I'm using RSA, but I need to know if OpenSSL RSA implements PKCS#1 v2.1.
>> I have the following questions:
>>
>> 1) Does OpenSSL support multi-prime?
>
> No.
>
>> 2) Does OpenSSL support RSASSA-PSS?
>
> Yes.
>
>> 3) If so, how can I use it?
>
> In what context do you want to use it? For example CMS, certificates, TLS,
> general application code or via the command line?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Apr 2017 13:56:40 +0000
> From: "Dr. Stephen Henson" <steve@xxxxxxxxxxx>
> To: openssl-users@xxxxxxxxxxx
> Subject: Re: Integrating New Cipher Suite
> Message-ID: <20170410135640.GB28081@xxxxxxxxxxx>
> Content-Type: text/plain; charset=us-ascii
>
> On Sat, Apr 08, 2017, Schmicker, Robert wrote:
>
>> Hello,
>>
>> I'm attempting to integrate a customized cipher suite for TLS 1.2,
>> however no matter what I try I always seem to end up with this error
>> (client side):
>>
>> SSL routines:ssl_cipher_list_to_bytes:no ciphers
>> available:ssl/statem/statem_clnt.c:3567
>>
>> Can anyone give some further explanation on this?
>>
>> Here's some snippets from the client and server setup.
>>
>> client:
>>
>
> That sounds like the cipher isn't visible.
>
> I'd suggest trying s_client/s_server first.
>
> Which version of OpenSSL are you using?
>
> Does your new cipher appear in "openssl ciphers"? If so does the output look
> sensible? Does it appear with the -s option too?
>
> Is the cipher visible using "openssl list -cipher-algorithms" (OpenSSL 1.1.0)
> or "openssl list-cipher-algorithms" (OpenSSL 1.0.2)?
>
> Is your new cipher usable via the command line utilities like "enc"? Does it
> seem to be behaving as expected?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
> ------------------------------
>
> Message: 5
> Date: Tue, 11 Apr 2017 02:20:32 +0530
> From: Stiju Easo <stiju.easo@xxxxxxxxx>
> To: openssl-users@xxxxxxxxxxx
> Subject: ssl_method_st not defined
> Message-ID: <CAD3rvcoR8Kpgfw2F6t_P=vZjBj9ANfYpeRFhqqJEQ92BBL84PA@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I am trying to adopt OpenSSL 1.1.0 for my code.
> I was able to move away from pointers for RSA etc. to appropriate
> functions, but I got stuck at session.
>
> In my code I need to assign back the SSL pointer with the cipher, session id
> etc. as below:
>
>     ssl_session->client_version = client_version;
>     ssl_session->session->cipher = ssl_session->s3->tmp.new_cipher =
>         pending_cipher;
>     ssl_session->session->session_id_length = ssl_id.getLength();
>
> As ssl_method_st has now been moved to ssl_locl.h and I am not supposed
> to include that, is there any API to set these variables?
> The only code reference I saw is ssl/statem/statem_srvr.c, where it uses
> ssl_locl.h directly.
>
> My questions are: 1) are operations like setting client version, cipher,
> session allowed with 1.1? 2) So, does an API exist for it?
> --
>
> Stiju Easo
>
> The unexamined life is not worth living for man.
> Socrates, in Plato, Dialogues, Apology
> Greek philosopher in Athens (469 BC - 399 BC)
>
> ------------------------------
>
> Message: 6
> Date: Tue, 11 Apr 2017 00:36:07 +0000
> From: "Salz, Rich" <rsalz@xxxxxxxxxx>
> To: "openssl-users@xxxxxxxxxxx" <openssl-users@xxxxxxxxxxx>
> Subject: Re: ssl_method_st not defined
> Message-ID: <5414ba488476425fa64de9efa00773a3@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"
>
> No, the functions you want aren't provided right now. What are you trying
> to do? Why are you modifying the session, outside of the TLS protocol?
>
> ------------------------------
>
> End of openssl-users Digest, Vol 29, Issue 10
> *********************************************

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users