Oh, and I have just realized that it doesn't handle the `ssl3_get_cert_verify`
case right now.

I'll figure it out tomorrow.


On Thu, Aug 28, 2014 at 2:26 PM, Fedor Indutny <fe...@indutny.com> wrote:

> Hello again!
>
> Here is a second patch that improves the first one. Additionally it copies
> and restores the packet data before/after calling out to the async callback.
> However it is almost evident to me that nothing could overwrite
> `s->init_buf->data` during async handshake, so if you feel confident about
> it - please let me know and I will revert everything except style changes in
> that 0002 patch.
>
> Cheers,
> Fedor.
>
>
> On Wed, Aug 27, 2014 at 1:05 PM, Fedor Indutny <fe...@indutny.com> wrote:
>
>> Oops, just realized that I pasted whole commit message into a subject.
>>
>> Anyway, CCing Rich Salz here.
>>
>> Rich,
>>
>> You seem to be on a wave of triaging tickets, maybe you could take a
>> look at this one eventually?
>>
>> Thank you,
>> Fedor.
>>
>>
>> On Sat, Aug 23, 2014 at 10:08 PM, Fedor Indutny <fe...@indutny.com>
>> wrote:
>>
>>> This patch is introducing `async_key_ex_cb` member of both `SSL_CTX` and
>>> `SSL`, and `SSL_supply()`. If `async_key_ex_cb` is present:
>>>
>>> * Server will ignore dummy RSA key, assuming that it is matching the
>>>   certificate.
>>> * Server will invoke this callback with either:
>>>   * `SSL_KEY_EX_RSA`
>>>   * `SSL_KEY_EX_RSA_SIGN`
>>>   as a `type` argument, and some data for signature or decryption in
>>>   `p`/`n` pair.
>>>
>>> At that time the sign/decryption may be performed on any thread, or even
>>> remotely, and the result should be supplied with `SSL_supply()`. Calling
>>> `SSL_supply()` will continue the handshake process without even touching
>>> the real private key.
>>>
>>> NOTE:
>>>
>>> The test is missing right now, I'll add it once we figure out what
>>> the API should look like. Implementation appears to be working when used
>>> with node.js, see
>>> https://github.com/indutny/node/tree/feature/async-key-exchange and
>>> https://gist.github.com/indutny/948eaf9b5154eb395e8b for testing.
>>>
>>> ANOTHER NOTE:
>>>
>>> Pull Request on github: https://github.com/openssl/openssl/pull/162
>>>
>>
>>
>
