On Mon, 25 Feb 2019 00:40:51 +0100, Michael Richardson wrote: > I think that the #define/enum of NIDs should be made internal-only, > available as optimization to internal code only. Having asked around a bit on this, that was the original intention... However, in an old era of having everything in public headers (or at least everything that was of interest to the public *plus* everything that libssl might want to use), they slipped out. NID literally means "numeric identity" and really has no inherent meaning other than quick access, like you say. The public interface was meant to be getting stuff by name (string) or possibly special functions such as EVP_aes_128_cbc()... > Your question then becomes, "are engines internal users", and I'd like the > answer to be no. I think that the openssl 3 changes suggest the same thing. Yup. > All other users can call OBJ_obj2nid() or OBJ_txt2nid() to get a NID, > and we can figure out how to allocate things dynamically if this makes > sense. I don't know which APIs are currently NID-only. There are some new APIs in master that add such functions: EVP_MAC_CTX_new_id() EVP_KDF_CTX_new_id() I'm currently thinking that's a mistake. Cheers, Richard -- Richard Levitte levitte@xxxxxxxxxxx OpenSSL Project http://www.openssl.org/~levitte/