use encryption algorithm provider for tls1.3 connections

[k-Artin]

Hello,
I want to implement an encryption algorithm in the form of provider for use in tls1.3 connections.
Is there such a possibility in OpenSSL?

[levitte]

It's possible, yes. You have to provide the encryption algorithms as usual, and then you can declare to upstream libssl by providing the capability declaration function provider_get_capabilities()(described in provider-base(7) section "Provider functions", and provide the "TLS-SIGALG" Capability.

Does that answer your question?

[k-Artin]

Thank you very much for your guidance,
Another question I have is, On what basis should I choose the cipher parameters used in the cipher capability (cipher_INFO)?
In addition, to add a new cipher algorithm, should we use the OBJ_create() function like the signature algorithm, or proceed like the group?

[levitte]

Right now, there really isn't a well defined support for cipher capability and providers. If you want it, I suggest you contribute.
It could actually be a good idea to look at how things were worked out with the TLS-SIGALG capability. That development and the discussions that formed it happened in PR openssl/openssl#19312

If you don't feel that you have the capacity to code something like that (which I understand, it's a big chunk of work), I'd suggest raising an issue what you ask for that added feature.

[k-Artin]

Is it nessesary to use core_obj_add_sigid() , core_obj_create() functions for creating objects for encryption algorithms like signature algorithms?

[levitte]

You don't have to use core_obj_add_sigid() when using the TLS-SIGALG capability.

Unfortunately, composite signature algorithms outside of TLS use, you have to for the moment being. This is an interim solution until direct support of composite signature algorithms has been added to OpenSSL.