Hello again!

Here is a second patch that improves the first one. Additionally it copies and restores the packet data before/after calling out async callback. However it is almost evident for me that nothing could overwrite `s->init_buf->data` during async handshake, so if you feel confident about it - please let me know and I will revert everything except style changes in that 0002 patch.

Cheers,
Fedor.


On Wed, Aug 27, 2014 at 1:05 PM, Fedor Indutny <fe...@indutny.com> wrote:

> Oops, just realized that I pasted whole commit message into a subject.
>
> Anyway, CCing Rich Salz here.
>
> Rich,
>
> You seem to be on a wave on triaging tickets, maybe you could take a look
> at this one eventually?
>
> Thank you,
> Fedor.
>
>
> On Sat, Aug 23, 2014 at 10:08 PM, Fedor Indutny <fe...@indutny.com> wrote:
>
>> This patch is introducing `async_key_ex_cb` member of both `SSL_CTX` and
>> `SSL`, and `SSL_supply()`. If `async_key_ex_cb` is present:
>>
>> * Server will ignore dummy RSA key, assuming that it is matching the
>>   certificate.
>> * Server will invoke this callback with either:
>>   * `SSL_KEY_EX_RSA`
>>   * `SSL_KEY_EX_RSA_SIGN`
>>   as a `type` argument, and some data for signature or decryption in
>>   `p`/`n` pair.
>>
>> At that time the sign/decryption may be performed on any thread, or even
>> remotely, and the result should be supplied with `SSL_supply()`. Calling
>> `SSL_supply()` will continue the handshake process without even touching
>> the real private key.
>>
>> NOTE:
>>
>> The test is missing right now, I'll add it once we will figure out how
>> the API should look like. Implementation appears to be working when used
>> with node.js, see
>> https://github.com/indutny/node/tree/feature/async-key-exchange and
>> https://gist.github.com/indutny/948eaf9b5154eb395e8b for testing.
>>
>> ANOTHER NOTE:
>>
>> Pull Request on github: https://github.com/openssl/openssl/pull/162
>>
>
>

Attachment: 0002-ssl-copy-packet-before-performing-async-key-ex.patch.sig
Description: Binary data

Attachment: 0002-ssl-copy-packet-before-performing-async-key-ex.patch
Description: Binary data
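
A toy model of the pause/resume flow discussed in this thread, showing why the `p`/`n` input is snapshotted before the handshake is suspended. This is an added example, not code from the attached patch or from OpenSSL; `toy_conn`, `defer_key_op` and `supply_result` are hypothetical names, and the shared buffer only stands in for `s->init_buf->data`.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model, not OpenSSL code: every name below is hypothetical. */
enum key_op { KEY_OP_RSA_DECRYPT, KEY_OP_RSA_SIGN };

struct pending_op {
    enum key_op type;
    unsigned char *data;          /* private copy of the p/n input */
    size_t len;
};

struct toy_conn {
    unsigned char init_buf[256];  /* shared handshake buffer, reused per message */
    struct pending_op *pending;   /* non-NULL while the key holder is working */
};

/* Suspend the handshake. The input is copied so that later writes to
 * init_buf cannot change what the key holder is asked to sign or decrypt. */
int defer_key_op(struct toy_conn *c, enum key_op type,
                 const unsigned char *p, size_t n)
{
    struct pending_op *op;
    if (c->pending != NULL || n == 0 || n > sizeof(c->init_buf))
        return -1;                /* one operation in flight, bounded size */
    op = malloc(sizeof(*op));
    if (op == NULL) return -1;
    op->data = malloc(n);
    if (op->data == NULL) { free(op); return -1; }
    memcpy(op->data, p, n);
    op->type = type;
    op->len = n;
    c->pending = op;
    return 0;
}

/* Resume the handshake with the result computed elsewhere (another thread
 * or a remote key server). Rejects a result nobody asked for. */
int supply_result(struct toy_conn *c, const unsigned char *res, size_t res_len)
{
    if (c->pending == NULL || res_len == 0 || res_len > sizeof(c->init_buf))
        return -1;
    memcpy(c->init_buf, res, res_len);  /* assumed: next step reads it here */
    free(c->pending->data);
    free(c->pending);
    c->pending = NULL;
    return 0;
}
```
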
