Never mind, I just realized that it is using Client certificate there and
doesn't need to be asyncified.


On Fri, Aug 29, 2014 at 12:54 AM, Fedor Indutny <[email protected]> wrote:

> Oh, and I have just realized that it doesn't handle `ssl3_get_cert_verify`
> case right now.
>
> I'll figure it out tomorrow.
>
>
> On Thu, Aug 28, 2014 at 2:26 PM, Fedor Indutny <[email protected]> wrote:
>
>> Hello again!
>>
>> Here is a second patch that improves the first one. Additionally it
>> copies and restores the packet
>> data before/after calling out async callback. However it is almost
>> evident to me that nothing
>> could overwrite `s->init_buf->data` during async handshake, so if you
>> feel confident about it -
>> please let me know and I will revert everything except style changes in
>> that 0002 patch.
>>
>>  Cheers,
>> Fedor.
>>
>>
>> On Wed, Aug 27, 2014 at 1:05 PM, Fedor Indutny <[email protected]> wrote:
>>
>>> Oops, just realized that I pasted whole commit message into a subject.
>>>
>>> Anyway, CCing Rich Salz here.
>>>
>>> Rich,
>>>
>>> You seem to be on a wave of triaging tickets, maybe you could take a
>>> look at this one eventually?
>>>
>>> Thank you,
>>> Fedor.
>>>
>>>
>>> On Sat, Aug 23, 2014 at 10:08 PM, Fedor Indutny <[email protected]>
>>> wrote:
>>>
>>>> This patch is introducing `async_key_ex_cb` member of both `SSL_CTX` and
>>>> `SSL`, and `SSL_supply()`. If `async_key_ex_cb` is present:
>>>>
>>>> * Server will ignore dummy RSA key, assuming that it is matching the
>>>>   certificate.
>>>> * Server will invoke this callback with either:
>>>>   * `SSL_KEY_EX_RSA`
>>>>   * `SSL_KEY_EX_RSA_SIGN`
>>>>   as a `type` argument, and some data for signature or decryption in
>>>>   `p`/`n` pair.
>>>>
>>>> At that time the sign/decryption may be performed on any thread, or even
>>>> remotely, and the result should be supplied with `SSL_supply()`. Calling
>>>> `SSL_supply()` will continue the handshake process without even touching
>>>> the real private key.
>>>>
>>>> NOTE:
>>>>
>>>> The test is missing right now, I'll add it once we figure out what
>>>> the API should look like. Implementation appears to be working when used
>>>> with node.js, see
>>>> https://github.com/indutny/node/tree/feature/async-key-exchange and
>>>> https://gist.github.com/indutny/948eaf9b5154eb395e8b for testing.
>>>>
>>>> ANOTHER NOTE:
>>>>
>>>> Pull Request on github: https://github.com/openssl/openssl/pull/162
>>>>
>>>
>>>
>>
>
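
The pause-and-resume flow described in this thread, as an added C model that is not code from the patch or from OpenSSL: `conn_handshake`, `conn_supply`, `demo_cb`, `struct conn` and the `KEY_EX_*` constants are hypothetical stand-ins for the `async_key_ex_cb`/`SSL_supply()` design, whose real signatures are not shown on this page. It snapshots the handshake buffer before calling out, restores it on resume, and rejects a supplied result that arrives in the wrong state, for the wrong operation, or with a bad length.

```c
#include <stddef.h>
#include <string.h>

/* Toy model only: none of these names are OpenSSL's (all hypothetical). */
enum { KEY_EX_RSA = 1, KEY_EX_RSA_SIGN = 2 };        /* operation kinds */
enum hs_state { HS_START, HS_WAIT_KEY_OP, HS_DONE };

struct conn;
typedef void (*key_ex_cb)(struct conn *c, int type,
                          const unsigned char *p, size_t n);
struct conn {
    enum hs_state state;
    key_ex_cb cb;            /* set when the private key lives elsewhere */
    int pending;             /* operation type the handshake is waiting on */
    unsigned char msg[16];   /* stands in for the handshake message buffer */
    unsigned char saved[16]; /* copy taken before calling out */
    unsigned char result[16];
    size_t result_len;
};

/* Advance the handshake; returns 1 when finished, 0 when paused. */
int conn_handshake(struct conn *c, int type)
{
    if (c->state == HS_DONE) return 1;
    if (c->state == HS_START) {
        memcpy(c->saved, c->msg, sizeof c->msg);  /* snapshot before callout */
        c->pending = type;
        c->state = HS_WAIT_KEY_OP;
        c->cb(c, type, c->msg, sizeof c->msg);    /* key holder takes over */
    }
    return 0;
}

/* Accept the key holder's answer; returns 0 on success, -1 if rejected. */
int conn_supply(struct conn *c, int type, const unsigned char *r, size_t n)
{
    if (c->state != HS_WAIT_KEY_OP || type != c->pending) return -1;
    if (r == NULL || n == 0 || n > sizeof c->result) return -1;
    memcpy(c->msg, c->saved, sizeof c->msg);      /* restore the snapshot */
    memcpy(c->result, r, n);
    c->result_len = n;
    c->state = HS_DONE;
    return 0;
}

/* Constructed callback: records the request, then clobbers the buffer to
 * exercise the snapshot/restore path. */
static int seen_type;
void demo_cb(struct conn *c, int type, const unsigned char *p, size_t n)
{ (void)p; seen_type = type; memset(c->msg, 0, n); }
```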
