On 13/12/2022 09:13, Hareesh Das Ulleri wrote:
Hello OpenSSL users,
I am in preparation of a provider (for a custom crypto) by referring
OpenSSL 3 design doc
Don't refer to the design doc. It has not been maintained with all the
latest tweaks and updates to what was originally envisaged.
(I use Linux 5.10 + OpenSSL 3.0.7). I believe, the
custom provider has all required call backs implemented for the cipher
functionalities in its dispatch table.
You should refer to the man page for what is required to implement a
custom cipher. See:
https://www.openssl.org/docs/man3.0/man7/provider-cipher.html
Note in particular this comment in the man page:
"A cipher algorithm implementation may not implement all of these
functions. In order to be a consistent set of functions there must at
least be a complete set of "encrypt" functions, or a complete set of
"decrypt" functions, or a single "cipher" function. In all cases both
the OSSL_FUNC_cipher_newctx and OSSL_FUNC_cipher_freectx functions must
be present. All other functions are optional."
So, in other words, you must as a minimum implement
OSSL_FUNC_cipher_encrypt_init (or OSSL_FUNC_cipher_decrypt_init),
OSSL_FUNC_cipher_update, OSSL_FUNC_cipher_final, OSSL_FUNC_cipher_newctx
and OSSL_FUNC_cipher_freectx.
You should probably also read the following pages for general
information on writing a provider:
https://www.openssl.org/docs/man3.0/man7/provider.html
https://www.openssl.org/docs/man3.0/man7/provider-base.html
You might also want to refer to Richard Levitte's implementation of the
toy Vigenère cipher as a provider here:
https://github.com/provider-corner/vigenere
I have another test application (for encryption and decryption of a
text message). At the starting of the app, it calls OSSL_PROVIDER_load
and EVP_CIPHER_fetch functions to the custom provider. But unfortunately
custom provider fetch function fails…
I suggest calling the OSSL_PROVIDER_available() function to determine
whether your custom provider has been successfully loaded:
https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER_available.html
What could be the missing or how to make sure that the custom provider
is loaded correctly before calling the fetch function?
cipher = EVP_CIPHER_fetch(NULL, "AES-256-CBC-CTS", NULL); -> This will
work, default provider
cipher = EVP_CIPHER_fetch(NULL, "CUSTOM_ALGO", NULL); -> returns NULL,
custom provider
_Confg file:_
openssl_conf = openssl_init
[openssl_init]
providers = provider_section
[provider_section]
customProv = customProv_section
default = default_sect
[customProv_section]
provider_id = customProv
module_path = /userfs/lib/customProv.so
algorithms = CUSTOM_ALGO
activate = 1
[default_sect]
algorithms = AES-256-CBC-CTS
activate = 1
This config file does not look correct. I guess you based it on some of
the examples in the design doc which are out of date.
The man page for config file formats is here:
https://www.openssl.org/docs/man3.0/man5/config.html
See the "Provider Configuration" section on that page in particular.
Also worth looking at are some of the test config files used in the
OpenSSL code base for loading providers, e.g.
https://github.com/openssl/openssl/blob/openssl-3.0/test/default-and-legacy.cnf
Matt
Thank you,
Hareesh
