Thomas Habets | 17 Jun 2012 01:50

PATCH: SSL Engine support

Patch attached.

Add support for SSL engine loading the private key.

Added option 'key-engine' specifying the name of the engine that
will load the private key.

For example this can be "tpm" to use the OpenSSL TPM engine module
(libengine-tpm-openssl in Debian).

It defaults to the built-in UI methods because openssl-tpm-engine
doesn't yet support user data being sent to the callback functions.
A patch for that is on its way to them.

Some more details:
http://blog.habets.pp.se/2012/02/TPM-backed-SSL

Signed-off-by: Thomas Habets <habets <at> google.com>

--

-- 
typedef struct me_s {
 char name[]      = { "Thomas Habets" };
 char email[]     = { "thomas <at> habets.pp.se" };
 char kernel[]    = { "Linux" };
 char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
 char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE  0945 286A E90A AD48 E854" };
 char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

Alon Bar-Lev | 17 Jun 2012 02:11

Re: PATCH: SSL Engine support

Hello,

It is a good idea.
But first, please remove the emacs stuff.

Now, I see that the ENGINE_load_builtin_engines() is already called at
crypto_openssl.c::crypto_init_lib_engine, is there any requirement to
duplicate this?

There is already an "engine" option, available only to polarssl; it can
easily and correctly be used also for openssl, instead of having
another option.

What do you think?
Alon.

On Sun, Jun 17, 2012 at 2:50 AM, Thomas Habets <thomas <at> habets.se> wrote:
> Patch attached.
>
> Add support for SSL engine loading the private key.
>
> Added option 'key-engine' specifying the name of the engine that
> will load the private key.
>
> For example this can be "tpm" to use the OpenSSL TPM engine module
> (libengine-tpm-openssl in Debian).
>
> It defaults to the built-in UI methods because openssl-tpm-engine
> doesn't yet support user data being sent to the callback functions.
> A patch for that is on its way to them.

Thomas Habets | 17 Jun 2012 12:02

Re: PATCH: SSL Engine support

Hi.

Ah yes, I first made the patch to an older version where some of these
things don't apply, and then forward-ported it.

How about this?
---------
Add support for SSL engine loading the private key.

Option 'engine' is used to specify the name of the engine that
will load the private key.

For example this can be "tpm" to use the OpenSSL TPM engine module
(libengine-tpm-openssl in Debian).

It defaults to the built-in UI methods because openssl-tpm-engine
doesn't yet support user data being sent to the callback functions.
A patch for that is on its way to them.

Some more details:
http://blog.habets.pp.se/2012/02/TPM-backed-SSL

Signed-off-by: Thomas Habets <habets <at> google.com>

On 17 June 2012 01:11, Alon Bar-Lev <alon.barlev <at> gmail.com> wrote:
> Hello,
>
> It is a good idea.
> But first, please remove the emacs stuff.
>

Alon Bar-Lev | 17 Jun 2012 13:12

Re: PATCH: SSL Engine support

Hi,

Why do we need to call crypto_init_lib_engine() twice? Can you please take
a look at init_crypto_pre:: init_crypto_pre()?

I also think crypto_init_lib_engine() should not return the engine...
as won't it be simpler to use ENGINE_by_id() at
ssl_openssl.c::tls_ctx_load_priv_file()?

Alon.

On Sun, Jun 17, 2012 at 1:02 PM, Thomas Habets <thomas <at> habets.se> wrote:
> Hi.
>
> Ah yes, I first made the patch to an older version where some of these
> things don't apply, and then forward-ported it.
>
> How about this?
> ---------
> Add support for SSL engine loading the private key.
>
> Option 'engine' is used to specify the name of the engine that
> will load the private key.
>
> For example this can be "tpm" to use the OpenSSL TPM engine module
> (libengine-tpm-openssl in Debian).
>
> It defaults to the built-in UI methods because openssl-tpm-engine
> doesn't yet support user data being sent to the callback functions.
> A patch for that is on its way to them.

