cryptography
cryptography copied to clipboard
pyca
OpenSSL 3.2 features to expose
This is a tracking issue for the features in OpenSSL 3.2.0 we want to expose or investigate further:
- [x] AES-GCM-SIV
- [x] RFC6979 (needs rust-openssl work for
OSSL_PARAM) - [ ] argon2id (needs rust-openssl work for
OSSL_PARAM) - [x] Investigate whether we need to compile with
no-sm2-precompto prevent linking in a half megabyte of precomputed table. - [x] Build with
no-appsandno-docs - [ ] ed25519/ed448 [ctx/ph]
- [ ] HPKE
- [x] default implicit rejection is now enabled for RSA (#9785)
Thanks for including OpenSSL 3.2.1 in 42.0.2
I am looking into argon2 support, so that I can read Putty v3 SSH key files.
I see that argon2 support in cryptography is blocked by rust-openssl
I don't see any issue created for argon2 in the rust-openssl repo.
I guess that this needs to be defined here https://github.com/sfackler/rust-openssl/blob/master/openssl-sys/src/evp.rs
I am new to rust, but I am happy to help with the work required for argon2
Should I create a PR for rust-openssl ?
Thanks!
Adding argon2 in rust-OpenSSL is the blocker, yes. However that requires implementing EVP_KDF support, which in turn requires OSSL_PARAM. The latter should not be exposed as a public API in the rust library. We intend to do this work but don’t have an ETA so if you want to contribute feel free!
I can see that OSSL_PARAM is available since version 0.9.100
https://github.com/sfackler/rust-openssl/pull/2144
I guess that is just the low-level binding API.
So it also needs https://www.openssl.org/docs/manmaster/man3/EVP_KDF.html this bindings
Why not implement this via cffi python bindings, similar to what is already implemented here https://github.com/pyca/cryptography/blob/main/src/_cffi_src/openssl/evp.py ?
We are actively moving away from cffi and intend to eliminate it entirely at some point in the future.