-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here is an example of how it could be used (in my TLS terminator):
https://github.com/indutny/bud/compare/master...feature/async-key-ex Basically, if you have ever used async SSL API, you should be aware of things like: SSL_ERROR_WANT_READ SSL_ERROR_WANT_WRITE In addition to these two, my patch adds: SSL_ERROR_WANT_SIGN SSL_ERROR_WANT_RSA_DECRYPT If one of these is returned - you may get the data that should be signed/decrypted with: SSL_get_key_ex_data() SSL_get_key_ex_len() Get the key type (in case of SIGN): SSL_get_key_ex_type() // Returns EVP_PKEY_RSA, EVP_PKEY_ECC And get signature digest nid with: SSL_get_key_ex_md() Please be aware of the fact that `md` could be `NID_md5_sha1`, take a look at bud's code to figure out what should be done in this case (basically, you'll need to use raw `RSA_decrypt_private()`). After performing sign/decrypt (which could happen in other thread, or on a different server) you should call: SSL_supply_key_ex() to supply the result and continue handshake process. At this point `SSL_read()`/`SSL_write()` will start returning proper values. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJUG2D2AAoJENcGPM4Zt+iQJdoQAKZxbcGpzHFktSbU3uDocy3R fywWmqkYnoJ5jWF3xn4Excv4dAGhMfb/7tm9nt9zyV8g0Qsu8ChqWTl+kgK+hj9o mV+3jhqPDWR2VhmAC3J5ZsCpNm3IW/iNgGiU+u/k9N2i0WHjYSoTHM/NooN5GIu2 KKhNXPw1Y05yxOZWmbUInMl/uscGWDtzylRNyJpfLFFu3JDQy1sBTKD6UAZC5ERY 7LUZ1TqVdk1DPY3Tf/j4IaB9Ds9teGLGj63J8upJhDjWHibFzV5bx6X+FjknUB9M xaebV4yfHZNRHseBu2ZqTQ2f2MNnXVisdzJRX6oyYeyq872MsJjAFhbFhFTi0sTI T8Y9n8cjuctbn+zTISVyVqEEBl8udWTY1t14SJ9lNcdU3xAf9OzEBVdORpUDqFl+ zteRC145o7gs7mEtJjyBpy8mhXB3mc13ZkC2qaJIyqkqAPODu/xlqCga7oaogHNy Q2wy0HUeX69Ra0ada3TcJQgB14qESj3Uvq1hcgFk7SEXBxkU5NJ2OcItvU1+emd7 hRlQvDqiiQcK9WgsdOIKZpovtT3FswhsIy0Tv77Nx9PY04urOTEgmhPJHveCJOQq i0apvI09YgimXs4Sd5h3rs9TsKrDtG0BG0jM1zfo5zbcKE2IbMpmzOc84MxkwUSl tPV48uw46UVpu4zOOByM =zJGs -----END PGP SIGNATURE----- On Sat, Sep 13, 2014 at 10:59 PM, Fedor Indutny <fe...@indutny.com> wrote: > Here is an additional patch, to expose the type of key that should be used > for a signature. > > On Thu, Sep 11, 2014 at 10:59 AM, Fedor Indutny via RT <r...@openssl.org> > wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hello devs! >> >> Here is a patch that implements asynchronous RSA key operation >> mode for a TLS/SSL implementation in OpenSSL. >> >> Here is some technical info about it: >> >> Support async RSA exchange by providing new SSL_want_rsa_sign(), >> SSL_want_rsa_decrypt() API methods. >> >> After getting such want values - SSL_supply_key_ex_data() should be >> invoked to continue handshake with a sign/decrypt data that was received >> from the remote server. >> - --- >> ssl/s3_srvr.c | 398 >> ++++++++++++++++++++++++++++++++++++++++----------------- >> ssl/ssl.h | 28 ++++ >> ssl/ssl3.h | 6 + >> ssl/ssl_lib.c | 31 ++++- >> ssl/ssl_locl.h | 2 + >> ssl/ssl_rsa.c | 24 ++-- >> ssl/ssltest.c | 116 ++++++++++++++++- >> test/testssl | 6 + >> 8 files changed, 475 insertions(+), 136 deletions(-) >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1 >> >> iQIcBAEBAgAGBQJUEWeCAAoJENcGPM4Zt+iQPcoP/0R9wJz0gvqi5QFiGiAyOXyD >> uWWB+lkGlB4r6AOhu1D02tQaQTaiRhSO3theSMOCZ4fQ+BMqZdyk37zq/6Z/rjnJ >> jkd062SgYeh8WCvoJSoNF+gSeDgM/WnWw2q6R1Ls+DuYdQstym9+VIgx3LLd0LO8 >> 19mYHPUms0TFkzPfLqST4keHyZlLa1HzsEpdEQ8TWaU1vqqSrH6NfvPDjwwzMVWG >> yMOW8tM8I2WDU9V6zMm+Mr7qmU/zowwVmOnVu0Mi8wBpcpN1GvFGbN8oXispnLc/ >> uccrKK1l98p3wnI0uXe5SmXWB5ksaEtz6CMewZotRgKR8dluwEHqIZ1mzE4+TMxK >> iFDqUlCcRIjGgssGyjbHC23inwDeN1lZjOxE0G0dhzJZcYAYWJ2rWSQQGxBJJy5Z >> VFxaElNImDyZ9uUFUtEhzGoaAV7isC9h78anTFzJMuJLTiukHERwFPvRgU/HQPNx >> EG481cmnjJ2M2hyWRBrvCna8SftUPmGHczqDPD+Tt4Ry/msoZpdwEcLNossl6GcF >> wXoAMeV5Jg8CenVobdLDQ53G1pJCcY58Zk+Ep9Va+DqfoEsyHc+XhhApMP8B4leC >> R2mwi0KVL5F6NPhqJmDi1aXKtUu4A50j3yk35aJrEjQCKv3BW1gHvlL763Sve/GL >> CAsACbfGic+GRS52Pmo2 >> =f3GH >> -----END PGP SIGNATURE----- >> >> >
