[PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

classic Classic list List threaded Threaded
24 messages Options
12
Reply | Threaded
Open this post in threaded view
|

[PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Fedor Indutny
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello devs!

Here is a patch that implements asynchronous RSA key operation
mode for a TLS/SSL implementation in OpenSSL.

Here is some technical info about it:

Support async RSA exchange by providing new SSL_want_rsa_sign(),
SSL_want_rsa_decrypt() API methods.

After getting such want values - SSL_supply_key_ex_data() should be
invoked to continue handshake with a sign/decrypt data that was received
from the remote server.
- ---
 ssl/s3_srvr.c  | 398 ++++++++++++++++++++++++++++++++++++++++-----------------
 ssl/ssl.h      |  28 ++++
 ssl/ssl3.h     |   6 +
 ssl/ssl_lib.c  |  31 ++++-
 ssl/ssl_locl.h |   2 +
 ssl/ssl_rsa.c  |  24 ++--
 ssl/ssltest.c  | 116 ++++++++++++++++-
 test/testssl   |   6 +
 8 files changed, 475 insertions(+), 136 deletions(-)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUEWeCAAoJENcGPM4Zt+iQPcoP/0R9wJz0gvqi5QFiGiAyOXyD
uWWB+lkGlB4r6AOhu1D02tQaQTaiRhSO3theSMOCZ4fQ+BMqZdyk37zq/6Z/rjnJ
jkd062SgYeh8WCvoJSoNF+gSeDgM/WnWw2q6R1Ls+DuYdQstym9+VIgx3LLd0LO8
19mYHPUms0TFkzPfLqST4keHyZlLa1HzsEpdEQ8TWaU1vqqSrH6NfvPDjwwzMVWG
yMOW8tM8I2WDU9V6zMm+Mr7qmU/zowwVmOnVu0Mi8wBpcpN1GvFGbN8oXispnLc/
uccrKK1l98p3wnI0uXe5SmXWB5ksaEtz6CMewZotRgKR8dluwEHqIZ1mzE4+TMxK
iFDqUlCcRIjGgssGyjbHC23inwDeN1lZjOxE0G0dhzJZcYAYWJ2rWSQQGxBJJy5Z
VFxaElNImDyZ9uUFUtEhzGoaAV7isC9h78anTFzJMuJLTiukHERwFPvRgU/HQPNx
EG481cmnjJ2M2hyWRBrvCna8SftUPmGHczqDPD+Tt4Ry/msoZpdwEcLNossl6GcF
wXoAMeV5Jg8CenVobdLDQ53G1pJCcY58Zk+Ep9Va+DqfoEsyHc+XhhApMP8B4leC
R2mwi0KVL5F6NPhqJmDi1aXKtUu4A50j3yk35aJrEjQCKv3BW1gHvlL763Sve/GL
CAsACbfGic+GRS52Pmo2
=f3GH
-----END PGP SIGNATURE-----

0001-ssl-SSL_MODE_ASYNC_KEY_EX.patch (41K) Download Attachment
0001-ssl-SSL_MODE_ASYNC_KEY_EX.patch.sig (742 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

[openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Rich Salz via RT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello devs!

Here is a patch that implements asynchronous RSA key operation
mode for a TLS/SSL implementation in OpenSSL.

Here is some technical info about it:

Support async RSA exchange by providing new SSL_want_rsa_sign(),
SSL_want_rsa_decrypt() API methods.

After getting such want values - SSL_supply_key_ex_data() should be
invoked to continue handshake with a sign/decrypt data that was received
from the remote server.
- ---
 ssl/s3_srvr.c  | 398
++++++++++++++++++++++++++++++++++++++++-----------------
 ssl/ssl.h      |  28 ++++
 ssl/ssl3.h     |   6 +
 ssl/ssl_lib.c  |  31 ++++-
 ssl/ssl_locl.h |   2 +
 ssl/ssl_rsa.c  |  24 ++--
 ssl/ssltest.c  | 116 ++++++++++++++++-
 test/testssl   |   6 +
 8 files changed, 475 insertions(+), 136 deletions(-)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUEWeCAAoJENcGPM4Zt+iQPcoP/0R9wJz0gvqi5QFiGiAyOXyD
uWWB+lkGlB4r6AOhu1D02tQaQTaiRhSO3theSMOCZ4fQ+BMqZdyk37zq/6Z/rjnJ
jkd062SgYeh8WCvoJSoNF+gSeDgM/WnWw2q6R1Ls+DuYdQstym9+VIgx3LLd0LO8
19mYHPUms0TFkzPfLqST4keHyZlLa1HzsEpdEQ8TWaU1vqqSrH6NfvPDjwwzMVWG
yMOW8tM8I2WDU9V6zMm+Mr7qmU/zowwVmOnVu0Mi8wBpcpN1GvFGbN8oXispnLc/
uccrKK1l98p3wnI0uXe5SmXWB5ksaEtz6CMewZotRgKR8dluwEHqIZ1mzE4+TMxK
iFDqUlCcRIjGgssGyjbHC23inwDeN1lZjOxE0G0dhzJZcYAYWJ2rWSQQGxBJJy5Z
VFxaElNImDyZ9uUFUtEhzGoaAV7isC9h78anTFzJMuJLTiukHERwFPvRgU/HQPNx
EG481cmnjJ2M2hyWRBrvCna8SftUPmGHczqDPD+Tt4Ry/msoZpdwEcLNossl6GcF
wXoAMeV5Jg8CenVobdLDQ53G1pJCcY58Zk+Ep9Va+DqfoEsyHc+XhhApMP8B4leC
R2mwi0KVL5F6NPhqJmDi1aXKtUu4A50j3yk35aJrEjQCKv3BW1gHvlL763Sve/GL
CAsACbfGic+GRS52Pmo2
=f3GH
-----END PGP SIGNATURE-----


0001-ssl-SSL_MODE_ASYNC_KEY_EX.patch (41K) Download Attachment
0001-ssl-SSL_MODE_ASYNC_KEY_EX.patch.sig (750 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Fedor Indutny
Here is an additional patch, to expose the type of key that should be used for a signature.

On Thu, Sep 11, 2014 at 10:59 AM, Fedor Indutny via RT <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello devs!

Here is a patch that implements asynchronous RSA key operation
mode for a TLS/SSL implementation in OpenSSL.

Here is some technical info about it:

Support async RSA exchange by providing new SSL_want_rsa_sign(),
SSL_want_rsa_decrypt() API methods.

After getting such want values - SSL_supply_key_ex_data() should be
invoked to continue handshake with a sign/decrypt data that was received
from the remote server.
- ---
 ssl/s3_srvr.c  | 398
++++++++++++++++++++++++++++++++++++++++-----------------
 ssl/ssl.h      |  28 ++++
 ssl/ssl3.h     |   6 +
 ssl/ssl_lib.c  |  31 ++++-
 ssl/ssl_locl.h |   2 +
 ssl/ssl_rsa.c  |  24 ++--
 ssl/ssltest.c  | 116 ++++++++++++++++-
 test/testssl   |   6 +
 8 files changed, 475 insertions(+), 136 deletions(-)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUEWeCAAoJENcGPM4Zt+iQPcoP/0R9wJz0gvqi5QFiGiAyOXyD
uWWB+lkGlB4r6AOhu1D02tQaQTaiRhSO3theSMOCZ4fQ+BMqZdyk37zq/6Z/rjnJ
jkd062SgYeh8WCvoJSoNF+gSeDgM/WnWw2q6R1Ls+DuYdQstym9+VIgx3LLd0LO8
19mYHPUms0TFkzPfLqST4keHyZlLa1HzsEpdEQ8TWaU1vqqSrH6NfvPDjwwzMVWG
yMOW8tM8I2WDU9V6zMm+Mr7qmU/zowwVmOnVu0Mi8wBpcpN1GvFGbN8oXispnLc/
uccrKK1l98p3wnI0uXe5SmXWB5ksaEtz6CMewZotRgKR8dluwEHqIZ1mzE4+TMxK
iFDqUlCcRIjGgssGyjbHC23inwDeN1lZjOxE0G0dhzJZcYAYWJ2rWSQQGxBJJy5Z
VFxaElNImDyZ9uUFUtEhzGoaAV7isC9h78anTFzJMuJLTiukHERwFPvRgU/HQPNx
EG481cmnjJ2M2hyWRBrvCna8SftUPmGHczqDPD+Tt4Ry/msoZpdwEcLNossl6GcF
wXoAMeV5Jg8CenVobdLDQ53G1pJCcY58Zk+Ep9Va+DqfoEsyHc+XhhApMP8B4leC
R2mwi0KVL5F6NPhqJmDi1aXKtUu4A50j3yk35aJrEjQCKv3BW1gHvlL763Sve/GL
CAsACbfGic+GRS52Pmo2
=f3GH
-----END PGP SIGNATURE-----



0002-ssl-support-non-RSA-key-signatures-in-key-ex.patch (9K) Download Attachment
0002-ssl-support-non-RSA-key-signatures-in-key-ex.patch.sig (742 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Fedor Indutny
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is an example of how it could be used (in my TLS terminator):


Basically, if you have ever used async SSL API, you should be
aware of things like:

    SSL_ERROR_WANT_READ
    SSL_ERROR_WANT_WRITE

In addition to these two, my patch adds:

    SSL_ERROR_WANT_SIGN
    SSL_ERROR_WANT_RSA_DECRYPT

If one of these is returned - you may get the data that should
be signed/decrypted with:

    SSL_get_key_ex_data()
    SSL_get_key_ex_len()

Get the key type (in case of SIGN):

    SSL_get_key_ex_type()
    // Returns EVP_PKEY_RSA, EVP_PKEY_ECC

And get signature digest nid with:

    SSL_get_key_ex_md()

Please be aware of the fact that `md` could be `NID_md5_sha1`,
take a look at bud's code to figure out what should be done in
this case (basically, you'll need to use raw
`RSA_decrypt_private()`).

After performing sign/decrypt (which could happen in other
thread, or on a different server) you should call:

    SSL_supply_key_ex()

to supply the result and continue handshake process. At
this point `SSL_read()`/`SSL_write()` will start returning
proper values.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUG2D2AAoJENcGPM4Zt+iQJdoQAKZxbcGpzHFktSbU3uDocy3R
fywWmqkYnoJ5jWF3xn4Excv4dAGhMfb/7tm9nt9zyV8g0Qsu8ChqWTl+kgK+hj9o
mV+3jhqPDWR2VhmAC3J5ZsCpNm3IW/iNgGiU+u/k9N2i0WHjYSoTHM/NooN5GIu2
KKhNXPw1Y05yxOZWmbUInMl/uscGWDtzylRNyJpfLFFu3JDQy1sBTKD6UAZC5ERY
7LUZ1TqVdk1DPY3Tf/j4IaB9Ds9teGLGj63J8upJhDjWHibFzV5bx6X+FjknUB9M
xaebV4yfHZNRHseBu2ZqTQ2f2MNnXVisdzJRX6oyYeyq872MsJjAFhbFhFTi0sTI
T8Y9n8cjuctbn+zTISVyVqEEBl8udWTY1t14SJ9lNcdU3xAf9OzEBVdORpUDqFl+
zteRC145o7gs7mEtJjyBpy8mhXB3mc13ZkC2qaJIyqkqAPODu/xlqCga7oaogHNy
Q2wy0HUeX69Ra0ada3TcJQgB14qESj3Uvq1hcgFk7SEXBxkU5NJ2OcItvU1+emd7
hRlQvDqiiQcK9WgsdOIKZpovtT3FswhsIy0Tv77Nx9PY04urOTEgmhPJHveCJOQq
i0apvI09YgimXs4Sd5h3rs9TsKrDtG0BG0jM1zfo5zbcKE2IbMpmzOc84MxkwUSl
tPV48uw46UVpu4zOOByM
=zJGs
-----END PGP SIGNATURE-----

On Sat, Sep 13, 2014 at 10:59 PM, Fedor Indutny <[hidden email]> wrote:
Here is an additional patch, to expose the type of key that should be used for a signature.

On Thu, Sep 11, 2014 at 10:59 AM, Fedor Indutny via RT <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello devs!

Here is a patch that implements asynchronous RSA key operation
mode for a TLS/SSL implementation in OpenSSL.

Here is some technical info about it:

Support async RSA exchange by providing new SSL_want_rsa_sign(),
SSL_want_rsa_decrypt() API methods.

After getting such want values - SSL_supply_key_ex_data() should be
invoked to continue handshake with a sign/decrypt data that was received
from the remote server.
- ---
 ssl/s3_srvr.c  | 398
++++++++++++++++++++++++++++++++++++++++-----------------
 ssl/ssl.h      |  28 ++++
 ssl/ssl3.h     |   6 +
 ssl/ssl_lib.c  |  31 ++++-
 ssl/ssl_locl.h |   2 +
 ssl/ssl_rsa.c  |  24 ++--
 ssl/ssltest.c  | 116 ++++++++++++++++-
 test/testssl   |   6 +
 8 files changed, 475 insertions(+), 136 deletions(-)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUEWeCAAoJENcGPM4Zt+iQPcoP/0R9wJz0gvqi5QFiGiAyOXyD
uWWB+lkGlB4r6AOhu1D02tQaQTaiRhSO3theSMOCZ4fQ+BMqZdyk37zq/6Z/rjnJ
jkd062SgYeh8WCvoJSoNF+gSeDgM/WnWw2q6R1Ls+DuYdQstym9+VIgx3LLd0LO8
19mYHPUms0TFkzPfLqST4keHyZlLa1HzsEpdEQ8TWaU1vqqSrH6NfvPDjwwzMVWG
yMOW8tM8I2WDU9V6zMm+Mr7qmU/zowwVmOnVu0Mi8wBpcpN1GvFGbN8oXispnLc/
uccrKK1l98p3wnI0uXe5SmXWB5ksaEtz6CMewZotRgKR8dluwEHqIZ1mzE4+TMxK
iFDqUlCcRIjGgssGyjbHC23inwDeN1lZjOxE0G0dhzJZcYAYWJ2rWSQQGxBJJy5Z
VFxaElNImDyZ9uUFUtEhzGoaAV7isC9h78anTFzJMuJLTiukHERwFPvRgU/HQPNx
EG481cmnjJ2M2hyWRBrvCna8SftUPmGHczqDPD+Tt4Ry/msoZpdwEcLNossl6GcF
wXoAMeV5Jg8CenVobdLDQ53G1pJCcY58Zk+Ep9Va+DqfoEsyHc+XhhApMP8B4leC
R2mwi0KVL5F6NPhqJmDi1aXKtUu4A50j3yk35aJrEjQCKv3BW1gHvlL763Sve/GL
CAsACbfGic+GRS52Pmo2
=f3GH
-----END PGP SIGNATURE-----



Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Fedor Indutny
And an additional follow-up, with docs and refined code.

On Fri, Sep 19, 2014 at 2:48 AM, Fedor Indutny <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is an example of how it could be used (in my TLS terminator):


Basically, if you have ever used async SSL API, you should be
aware of things like:

    SSL_ERROR_WANT_READ
    SSL_ERROR_WANT_WRITE

In addition to these two, my patch adds:

    SSL_ERROR_WANT_SIGN
    SSL_ERROR_WANT_RSA_DECRYPT

If one of these is returned - you may get the data that should
be signed/decrypted with:

    SSL_get_key_ex_data()
    SSL_get_key_ex_len()

Get the key type (in case of SIGN):

    SSL_get_key_ex_type()
    // Returns EVP_PKEY_RSA, EVP_PKEY_ECC

And get signature digest nid with:

    SSL_get_key_ex_md()

Please be aware of the fact that `md` could be `NID_md5_sha1`,
take a look at bud's code to figure out what should be done in
this case (basically, you'll need to use raw
`RSA_decrypt_private()`).

After performing sign/decrypt (which could happen in other
thread, or on a different server) you should call:

    SSL_supply_key_ex()

to supply the result and continue handshake process. At
this point `SSL_read()`/`SSL_write()` will start returning
proper values.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUG2D2AAoJENcGPM4Zt+iQJdoQAKZxbcGpzHFktSbU3uDocy3R
fywWmqkYnoJ5jWF3xn4Excv4dAGhMfb/7tm9nt9zyV8g0Qsu8ChqWTl+kgK+hj9o
mV+3jhqPDWR2VhmAC3J5ZsCpNm3IW/iNgGiU+u/k9N2i0WHjYSoTHM/NooN5GIu2
KKhNXPw1Y05yxOZWmbUInMl/uscGWDtzylRNyJpfLFFu3JDQy1sBTKD6UAZC5ERY
7LUZ1TqVdk1DPY3Tf/j4IaB9Ds9teGLGj63J8upJhDjWHibFzV5bx6X+FjknUB9M
xaebV4yfHZNRHseBu2ZqTQ2f2MNnXVisdzJRX6oyYeyq872MsJjAFhbFhFTi0sTI
T8Y9n8cjuctbn+zTISVyVqEEBl8udWTY1t14SJ9lNcdU3xAf9OzEBVdORpUDqFl+
zteRC145o7gs7mEtJjyBpy8mhXB3mc13ZkC2qaJIyqkqAPODu/xlqCga7oaogHNy
Q2wy0HUeX69Ra0ada3TcJQgB14qESj3Uvq1hcgFk7SEXBxkU5NJ2OcItvU1+emd7
hRlQvDqiiQcK9WgsdOIKZpovtT3FswhsIy0Tv77Nx9PY04urOTEgmhPJHveCJOQq
i0apvI09YgimXs4Sd5h3rs9TsKrDtG0BG0jM1zfo5zbcKE2IbMpmzOc84MxkwUSl
tPV48uw46UVpu4zOOByM
=zJGs
-----END PGP SIGNATURE-----

On Sat, Sep 13, 2014 at 10:59 PM, Fedor Indutny <[hidden email]> wrote:
Here is an additional patch, to expose the type of key that should be used for a signature.

On Thu, Sep 11, 2014 at 10:59 AM, Fedor Indutny via RT <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello devs!

Here is a patch that implements asynchronous RSA key operation
mode for a TLS/SSL implementation in OpenSSL.

Here is some technical info about it:

Support async RSA exchange by providing new SSL_want_rsa_sign(),
SSL_want_rsa_decrypt() API methods.

After getting such want values - SSL_supply_key_ex_data() should be
invoked to continue handshake with a sign/decrypt data that was received
from the remote server.
- ---
 ssl/s3_srvr.c  | 398
++++++++++++++++++++++++++++++++++++++++-----------------
 ssl/ssl.h      |  28 ++++
 ssl/ssl3.h     |   6 +
 ssl/ssl_lib.c  |  31 ++++-
 ssl/ssl_locl.h |   2 +
 ssl/ssl_rsa.c  |  24 ++--
 ssl/ssltest.c  | 116 ++++++++++++++++-
 test/testssl   |   6 +
 8 files changed, 475 insertions(+), 136 deletions(-)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUEWeCAAoJENcGPM4Zt+iQPcoP/0R9wJz0gvqi5QFiGiAyOXyD
uWWB+lkGlB4r6AOhu1D02tQaQTaiRhSO3theSMOCZ4fQ+BMqZdyk37zq/6Z/rjnJ
jkd062SgYeh8WCvoJSoNF+gSeDgM/WnWw2q6R1Ls+DuYdQstym9+VIgx3LLd0LO8
19mYHPUms0TFkzPfLqST4keHyZlLa1HzsEpdEQ8TWaU1vqqSrH6NfvPDjwwzMVWG
yMOW8tM8I2WDU9V6zMm+Mr7qmU/zowwVmOnVu0Mi8wBpcpN1GvFGbN8oXispnLc/
uccrKK1l98p3wnI0uXe5SmXWB5ksaEtz6CMewZotRgKR8dluwEHqIZ1mzE4+TMxK
iFDqUlCcRIjGgssGyjbHC23inwDeN1lZjOxE0G0dhzJZcYAYWJ2rWSQQGxBJJy5Z
VFxaElNImDyZ9uUFUtEhzGoaAV7isC9h78anTFzJMuJLTiukHERwFPvRgU/HQPNx
EG481cmnjJ2M2hyWRBrvCna8SftUPmGHczqDPD+Tt4Ry/msoZpdwEcLNossl6GcF
wXoAMeV5Jg8CenVobdLDQ53G1pJCcY58Zk+Ep9Va+DqfoEsyHc+XhhApMP8B4leC
R2mwi0KVL5F6NPhqJmDi1aXKtUu4A50j3yk35aJrEjQCKv3BW1gHvlL763Sve/GL
CAsACbfGic+GRS52Pmo2
=f3GH
-----END PGP SIGNATURE-----





0001-ssl-SSL_MODE_ASYNC_KEY_EX.patch (43K) Download Attachment
0001-ssl-SSL_MODE_ASYNC_KEY_EX.patch.sig (742 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Fedor Indutny
Sorry for a noise, here is even better version of this patch.

Without BUF_MEM_grow() calls, which were actually useless,
and with clearer state management.

On Fri, Sep 19, 2014 at 12:30 PM, Fedor Indutny <[hidden email]> wrote:
And an additional follow-up, with docs and refined code.

On Fri, Sep 19, 2014 at 2:48 AM, Fedor Indutny <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is an example of how it could be used (in my TLS terminator):


Basically, if you have ever used async SSL API, you should be
aware of things like:

    SSL_ERROR_WANT_READ
    SSL_ERROR_WANT_WRITE

In addition to these two, my patch adds:

    SSL_ERROR_WANT_SIGN
    SSL_ERROR_WANT_RSA_DECRYPT

If one of these is returned - you may get the data that should
be signed/decrypted with:

    SSL_get_key_ex_data()
    SSL_get_key_ex_len()

Get the key type (in case of SIGN):

    SSL_get_key_ex_type()
    // Returns EVP_PKEY_RSA, EVP_PKEY_ECC

And get signature digest nid with:

    SSL_get_key_ex_md()

Please be aware of the fact that `md` could be `NID_md5_sha1`,
take a look at bud's code to figure out what should be done in
this case (basically, you'll need to use raw
`RSA_decrypt_private()`).

After performing sign/decrypt (which could happen in other
thread, or on a different server) you should call:

    SSL_supply_key_ex()

to supply the result and continue handshake process. At
this point `SSL_read()`/`SSL_write()` will start returning
proper values.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUG2D2AAoJENcGPM4Zt+iQJdoQAKZxbcGpzHFktSbU3uDocy3R
fywWmqkYnoJ5jWF3xn4Excv4dAGhMfb/7tm9nt9zyV8g0Qsu8ChqWTl+kgK+hj9o
mV+3jhqPDWR2VhmAC3J5ZsCpNm3IW/iNgGiU+u/k9N2i0WHjYSoTHM/NooN5GIu2
KKhNXPw1Y05yxOZWmbUInMl/uscGWDtzylRNyJpfLFFu3JDQy1sBTKD6UAZC5ERY
7LUZ1TqVdk1DPY3Tf/j4IaB9Ds9teGLGj63J8upJhDjWHibFzV5bx6X+FjknUB9M
xaebV4yfHZNRHseBu2ZqTQ2f2MNnXVisdzJRX6oyYeyq872MsJjAFhbFhFTi0sTI
T8Y9n8cjuctbn+zTISVyVqEEBl8udWTY1t14SJ9lNcdU3xAf9OzEBVdORpUDqFl+
zteRC145o7gs7mEtJjyBpy8mhXB3mc13ZkC2qaJIyqkqAPODu/xlqCga7oaogHNy
Q2wy0HUeX69Ra0ada3TcJQgB14qESj3Uvq1hcgFk7SEXBxkU5NJ2OcItvU1+emd7
hRlQvDqiiQcK9WgsdOIKZpovtT3FswhsIy0Tv77Nx9PY04urOTEgmhPJHveCJOQq
i0apvI09YgimXs4Sd5h3rs9TsKrDtG0BG0jM1zfo5zbcKE2IbMpmzOc84MxkwUSl
tPV48uw46UVpu4zOOByM
=zJGs
-----END PGP SIGNATURE-----

On Sat, Sep 13, 2014 at 10:59 PM, Fedor Indutny <[hidden email]> wrote:
Here is an additional patch, to expose the type of key that should be used for a signature.

On Thu, Sep 11, 2014 at 10:59 AM, Fedor Indutny via RT <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello devs!

Here is a patch that implements asynchronous RSA key operation
mode for a TLS/SSL implementation in OpenSSL.

Here is some technical info about it:

Support async RSA exchange by providing new SSL_want_rsa_sign(),
SSL_want_rsa_decrypt() API methods.

After getting such want values - SSL_supply_key_ex_data() should be
invoked to continue handshake with a sign/decrypt data that was received
from the remote server.
- ---
 ssl/s3_srvr.c  | 398
++++++++++++++++++++++++++++++++++++++++-----------------
 ssl/ssl.h      |  28 ++++
 ssl/ssl3.h     |   6 +
 ssl/ssl_lib.c  |  31 ++++-
 ssl/ssl_locl.h |   2 +
 ssl/ssl_rsa.c  |  24 ++--
 ssl/ssltest.c  | 116 ++++++++++++++++-
 test/testssl   |   6 +
 8 files changed, 475 insertions(+), 136 deletions(-)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUEWeCAAoJENcGPM4Zt+iQPcoP/0R9wJz0gvqi5QFiGiAyOXyD
uWWB+lkGlB4r6AOhu1D02tQaQTaiRhSO3theSMOCZ4fQ+BMqZdyk37zq/6Z/rjnJ
jkd062SgYeh8WCvoJSoNF+gSeDgM/WnWw2q6R1Ls+DuYdQstym9+VIgx3LLd0LO8
19mYHPUms0TFkzPfLqST4keHyZlLa1HzsEpdEQ8TWaU1vqqSrH6NfvPDjwwzMVWG
yMOW8tM8I2WDU9V6zMm+Mr7qmU/zowwVmOnVu0Mi8wBpcpN1GvFGbN8oXispnLc/
uccrKK1l98p3wnI0uXe5SmXWB5ksaEtz6CMewZotRgKR8dluwEHqIZ1mzE4+TMxK
iFDqUlCcRIjGgssGyjbHC23inwDeN1lZjOxE0G0dhzJZcYAYWJ2rWSQQGxBJJy5Z
VFxaElNImDyZ9uUFUtEhzGoaAV7isC9h78anTFzJMuJLTiukHERwFPvRgU/HQPNx
EG481cmnjJ2M2hyWRBrvCna8SftUPmGHczqDPD+Tt4Ry/msoZpdwEcLNossl6GcF
wXoAMeV5Jg8CenVobdLDQ53G1pJCcY58Zk+Ep9Va+DqfoEsyHc+XhhApMP8B4leC
R2mwi0KVL5F6NPhqJmDi1aXKtUu4A50j3yk35aJrEjQCKv3BW1gHvlL763Sve/GL
CAsACbfGic+GRS52Pmo2
=f3GH
-----END PGP SIGNATURE-----






0001-ssl-SSL_MODE_ASYNC_KEY_EX.patch (43K) Download Attachment
0001-ssl-SSL_MODE_ASYNC_KEY_EX.patch.sig (742 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Fedor Indutny
Some fixes.

On Fri, Sep 19, 2014 at 3:27 PM, Fedor Indutny <[hidden email]> wrote:
Sorry for a noise, here is even better version of this patch.

Without BUF_MEM_grow() calls, which were actually useless,
and with clearer state management.

On Fri, Sep 19, 2014 at 12:30 PM, Fedor Indutny <[hidden email]> wrote:
And an additional follow-up, with docs and refined code.

On Fri, Sep 19, 2014 at 2:48 AM, Fedor Indutny <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is an example of how it could be used (in my TLS terminator):


Basically, if you have ever used async SSL API, you should be
aware of things like:

    SSL_ERROR_WANT_READ
    SSL_ERROR_WANT_WRITE

In addition to these two, my patch adds:

    SSL_ERROR_WANT_SIGN
    SSL_ERROR_WANT_RSA_DECRYPT

If one of these is returned - you may get the data that should
be signed/decrypted with:

    SSL_get_key_ex_data()
    SSL_get_key_ex_len()

Get the key type (in case of SIGN):

    SSL_get_key_ex_type()
    // Returns EVP_PKEY_RSA, EVP_PKEY_ECC

And get signature digest nid with:

    SSL_get_key_ex_md()

Please be aware of the fact that `md` could be `NID_md5_sha1`,
take a look at bud's code to figure out what should be done in
this case (basically, you'll need to use raw
`RSA_decrypt_private()`).

After performing sign/decrypt (which could happen in other
thread, or on a different server) you should call:

    SSL_supply_key_ex()

to supply the result and continue handshake process. At
this point `SSL_read()`/`SSL_write()` will start returning
proper values.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUG2D2AAoJENcGPM4Zt+iQJdoQAKZxbcGpzHFktSbU3uDocy3R
fywWmqkYnoJ5jWF3xn4Excv4dAGhMfb/7tm9nt9zyV8g0Qsu8ChqWTl+kgK+hj9o
mV+3jhqPDWR2VhmAC3J5ZsCpNm3IW/iNgGiU+u/k9N2i0WHjYSoTHM/NooN5GIu2
KKhNXPw1Y05yxOZWmbUInMl/uscGWDtzylRNyJpfLFFu3JDQy1sBTKD6UAZC5ERY
7LUZ1TqVdk1DPY3Tf/j4IaB9Ds9teGLGj63J8upJhDjWHibFzV5bx6X+FjknUB9M
xaebV4yfHZNRHseBu2ZqTQ2f2MNnXVisdzJRX6oyYeyq872MsJjAFhbFhFTi0sTI
T8Y9n8cjuctbn+zTISVyVqEEBl8udWTY1t14SJ9lNcdU3xAf9OzEBVdORpUDqFl+
zteRC145o7gs7mEtJjyBpy8mhXB3mc13ZkC2qaJIyqkqAPODu/xlqCga7oaogHNy
Q2wy0HUeX69Ra0ada3TcJQgB14qESj3Uvq1hcgFk7SEXBxkU5NJ2OcItvU1+emd7
hRlQvDqiiQcK9WgsdOIKZpovtT3FswhsIy0Tv77Nx9PY04urOTEgmhPJHveCJOQq
i0apvI09YgimXs4Sd5h3rs9TsKrDtG0BG0jM1zfo5zbcKE2IbMpmzOc84MxkwUSl
tPV48uw46UVpu4zOOByM
=zJGs
-----END PGP SIGNATURE-----

On Sat, Sep 13, 2014 at 10:59 PM, Fedor Indutny <[hidden email]> wrote:
Here is an additional patch, to expose the type of key that should be used for a signature.

On Thu, Sep 11, 2014 at 10:59 AM, Fedor Indutny via RT <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello devs!

Here is a patch that implements asynchronous RSA key operation
mode for a TLS/SSL implementation in OpenSSL.

Here is some technical info about it:

Support async RSA exchange by providing new SSL_want_rsa_sign(),
SSL_want_rsa_decrypt() API methods.

After getting such want values - SSL_supply_key_ex_data() should be
invoked to continue handshake with a sign/decrypt data that was received
from the remote server.
- ---
 ssl/s3_srvr.c  | 398
++++++++++++++++++++++++++++++++++++++++-----------------
 ssl/ssl.h      |  28 ++++
 ssl/ssl3.h     |   6 +
 ssl/ssl_lib.c  |  31 ++++-
 ssl/ssl_locl.h |   2 +
 ssl/ssl_rsa.c  |  24 ++--
 ssl/ssltest.c  | 116 ++++++++++++++++-
 test/testssl   |   6 +
 8 files changed, 475 insertions(+), 136 deletions(-)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUEWeCAAoJENcGPM4Zt+iQPcoP/0R9wJz0gvqi5QFiGiAyOXyD
uWWB+lkGlB4r6AOhu1D02tQaQTaiRhSO3theSMOCZ4fQ+BMqZdyk37zq/6Z/rjnJ
jkd062SgYeh8WCvoJSoNF+gSeDgM/WnWw2q6R1Ls+DuYdQstym9+VIgx3LLd0LO8
19mYHPUms0TFkzPfLqST4keHyZlLa1HzsEpdEQ8TWaU1vqqSrH6NfvPDjwwzMVWG
yMOW8tM8I2WDU9V6zMm+Mr7qmU/zowwVmOnVu0Mi8wBpcpN1GvFGbN8oXispnLc/
uccrKK1l98p3wnI0uXe5SmXWB5ksaEtz6CMewZotRgKR8dluwEHqIZ1mzE4+TMxK
iFDqUlCcRIjGgssGyjbHC23inwDeN1lZjOxE0G0dhzJZcYAYWJ2rWSQQGxBJJy5Z
VFxaElNImDyZ9uUFUtEhzGoaAV7isC9h78anTFzJMuJLTiukHERwFPvRgU/HQPNx
EG481cmnjJ2M2hyWRBrvCna8SftUPmGHczqDPD+Tt4Ry/msoZpdwEcLNossl6GcF
wXoAMeV5Jg8CenVobdLDQ53G1pJCcY58Zk+Ep9Va+DqfoEsyHc+XhhApMP8B4leC
R2mwi0KVL5F6NPhqJmDi1aXKtUu4A50j3yk35aJrEjQCKv3BW1gHvlL763Sve/GL
CAsACbfGic+GRS52Pmo2
=f3GH
-----END PGP SIGNATURE-----







0001-ssl-SSL_MODE_ASYNC_KEY_EX.patch (43K) Download Attachment
0001-ssl-SSL_MODE_ASYNC_KEY_EX.patch.sig (742 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

[openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Rich Salz via RT
In reply to this post by Fedor Indutny
our plan for async work is here: https://github.com/openssl/openssl/pull/451

--
Rich Salz, OpenSSL dev team; [hidden email]

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Fedor Indutny
Rich,

Thank you for response.

There is quite a lengthy discussion on that github PR. Is there any TL;DR version of it?

That PR's diff doesn't really look similar to changes proposed here, as I was mostly curious about splitting the state maching to allow deferring things until the required data (RSA-encrypted pre-master) will be available.

I will be more than happy to revive this patch if it sounds interesting to you. Please let me know.

Thank you,
Fedor.

On Thu, Feb 4, 2016 at 1:15 AM, Rich Salz via RT <[hidden email]> wrote:
our plan for async work is here: https://github.com/openssl/openssl/pull/451

--
Rich Salz, OpenSSL dev team; [hidden email]



_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Rich Salz via RT
Rich,

Thank you for response.

There is quite a lengthy discussion on that github PR. Is there any TL;DR
version of it?

That PR's diff doesn't really look similar to changes proposed here, as I
was mostly curious about splitting the state maching to allow deferring
things until the required data (RSA-encrypted pre-master) will be available.

I will be more than happy to revive this patch if it sounds interesting to
you. Please let me know.

Thank you,
Fedor.

On Thu, Feb 4, 2016 at 1:15 AM, Rich Salz via RT <[hidden email]> wrote:

> our plan for async work is here:
> https://github.com/openssl/openssl/pull/451
>
> --
> Rich Salz, OpenSSL dev team; [hidden email]
>
>

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Rich Salz via RT
In reply to this post by Fedor Indutny
It’s late and my response was incomplete.
The other part has already landed in master, and that's the "async engine" support.


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Matt Caswell-2


On 04/02/16 06:34, Salz, Rich via RT wrote:
> It’s late and my response was incomplete.
> The other part has already landed in master, and that's the "async engine" support.

See:

https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html (i.e.
the SSL_MODE_ASYNC bit)
https://www.openssl.org/docs/manmaster/ssl/SSL_waiting_for_async.html

I'm working on a patch that may make some tweaks to this API, but you
should get the idea.

Matt
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Rich Salz via RT


On 04/02/16 06:34, Salz, Rich via RT wrote:
> It’s late and my response was incomplete.
> The other part has already landed in master, and that's the "async engine" support.

See:

https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html (i.e.
the SSL_MODE_ASYNC bit)
https://www.openssl.org/docs/manmaster/ssl/SSL_waiting_for_async.html

I'm working on a patch that may make some tweaks to this API, but you
should get the idea.

Matt


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Fedor Indutny
Thank you very much, Matt, Rich.

I will read through these docs tomorrow.

On Thu, Feb 4, 2016 at 4:29 AM, Matt Caswell via RT <[hidden email]> wrote:


On 04/02/16 06:34, Salz, Rich via RT wrote:
> It’s late and my response was incomplete.
> The other part has already landed in master, and that's the "async engine" support.

See:

https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html (i.e.
the SSL_MODE_ASYNC bit)
https://www.openssl.org/docs/manmaster/ssl/SSL_waiting_for_async.html

I'm working on a patch that may make some tweaks to this API, but you
should get the idea.

Matt




_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Rich Salz via RT
Thank you very much, Matt, Rich.

I will read through these docs tomorrow.

On Thu, Feb 4, 2016 at 4:29 AM, Matt Caswell via RT <[hidden email]> wrote:

>
>
> On 04/02/16 06:34, Salz, Rich via RT wrote:
> > It’s late and my response was incomplete.
> > The other part has already landed in master, and that's the "async
> engine" support.
>
> See:
>
> https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html
> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html (i.e.
> the SSL_MODE_ASYNC bit)
> https://www.openssl.org/docs/manmaster/ssl/SSL_waiting_for_async.html
>
> I'm working on a patch that may make some tweaks to this API, but you
> should get the idea.
>
> Matt
>
>
>

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Fedor Indutny
Matt,

I have looked through the APIs. Will have to experiment with them somewhen later to see how well they will perform, but from theoretical point of view I am a bit scared of having 2 fds (and one ucontext) for every job in a pool. It seems like this could be a bit of burden in event-loop based model. For example, it is not hard to imagine a situation in node.js application with 10000 handshakes that are trying to complete in parallel. Is there any need in creating this fds unconditionally?

However, again, this is only a hypothetical situation, I'm yet to see how well it will behave in real situations. Just sharing some immediate concerns with you.

Thank you,
Fedor.

On Thu, Feb 4, 2016 at 4:56 AM, Fedor Indutny via RT <[hidden email]> wrote:
Thank you very much, Matt, Rich.

I will read through these docs tomorrow.

On Thu, Feb 4, 2016 at 4:29 AM, Matt Caswell via RT <[hidden email]> wrote:

>
>
> On 04/02/16 06:34, Salz, Rich via RT wrote:
> > It’s late and my response was incomplete.
> > The other part has already landed in master, and that's the "async
> engine" support.
>
> See:
>
> https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html
> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html (i.e.
> the SSL_MODE_ASYNC bit)
> https://www.openssl.org/docs/manmaster/ssl/SSL_waiting_for_async.html
>
> I'm working on a patch that may make some tweaks to this API, but you
> should get the idea.
>
> Matt
>
>
>

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Rich Salz via RT
Matt,

I have looked through the APIs. Will have to experiment with them somewhen
later to see how well they will perform, but from theoretical point of view
I am a bit scared of having 2 fds (and one ucontext) for every job in a
pool. It seems like this could be a bit of burden in event-loop based
model. For example, it is not hard to imagine a situation in node.js
application with 10000 handshakes that are trying to complete in parallel.
Is there any need in creating this fds unconditionally?

However, again, this is only a hypothetical situation, I'm yet to see how
well it will behave in real situations. Just sharing some immediate
concerns with you.

Thank you,
Fedor.

On Thu, Feb 4, 2016 at 4:56 AM, Fedor Indutny via RT <[hidden email]> wrote:

> Thank you very much, Matt, Rich.
>
> I will read through these docs tomorrow.
>
> On Thu, Feb 4, 2016 at 4:29 AM, Matt Caswell via RT <[hidden email]>
> wrote:
>
> >
> >
> > On 04/02/16 06:34, Salz, Rich via RT wrote:
> > > It’s late and my response was incomplete.
> > > The other part has already landed in master, and that's the "async
> > engine" support.
> >
> > See:
> >
> > https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html
> > https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html (i.e.
> > the SSL_MODE_ASYNC bit)
> > https://www.openssl.org/docs/manmaster/ssl/SSL_waiting_for_async.html
> >
> > I'm working on a patch that may make some tweaks to this API, but you
> > should get the idea.
> >
> > Matt
> >
> >
> >
>
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>


--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3528
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Matt Caswell-2
In reply to this post by Fedor Indutny


On 05/02/16 22:42, Fedor Indutny wrote:

> Matt,
>
> I have looked through the APIs. Will have to experiment with them
> somewhen later to see how well they will perform, but from theoretical
> point of view I am a bit scared of having 2 fds (and one ucontext) for
> every job in a pool. It seems like this could be a bit of burden in
> event-loop based model. For example, it is not hard to imagine a
> situation in node.js application with 10000 handshakes that are trying
> to complete in parallel. Is there any need in creating this fds
> unconditionally?

Well of course the number of jobs in the pool is not the same as the
number of handshakes. We create a pool of jobs that are shared between
the handshakes as required in order to conserve resources. With regards
to the fds, I mentioned that I was working on some tweaks to the API. It
is in this area where there are tweaks being made. Specifically I am
moving the creation of the fds to be a responsibility of the called code
(i.e. most likely an engine) and not the async framework itself.

> However, again, this is only a hypothetical situation, I'm yet to see
> how well it will behave in real situations. Just sharing some immediate
> concerns with you.

I have been collaborating with Intel on this piece of work and they have
been testing the performance quite thoroughly. We are still working on
optimising things, but so far so good.

Matt


>
> Thank you,
> Fedor.
>
> On Thu, Feb 4, 2016 at 4:56 AM, Fedor Indutny via RT <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     Thank you very much, Matt, Rich.
>
>     I will read through these docs tomorrow.
>
>     On Thu, Feb 4, 2016 at 4:29 AM, Matt Caswell via RT <[hidden email]
>     <mailto:[hidden email]>> wrote:
>
>     >
>     >
>     > On 04/02/16 06:34, Salz, Rich via RT wrote:
>     > > It’s late and my response was incomplete.
>     > > The other part has already landed in master, and that's the "async
>     > engine" support.
>     >
>     > See:
>     >
>     > https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html
>     > https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html (i.e.
>     > the SSL_MODE_ASYNC bit)
>     > https://www.openssl.org/docs/manmaster/ssl/SSL_waiting_for_async.html
>     >
>     > I'm working on a patch that may make some tweaks to this API, but you
>     > should get the idea.
>     >
>     > Matt
>     >
>     >
>     >
>
>     _______________________________________________
>     openssl-dev mailing list
>     To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
>
>
>
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Rich Salz via RT


On 05/02/16 22:42, Fedor Indutny wrote:

> Matt,
>
> I have looked through the APIs. Will have to experiment with them
> somewhen later to see how well they will perform, but from theoretical
> point of view I am a bit scared of having 2 fds (and one ucontext) for
> every job in a pool. It seems like this could be a bit of burden in
> event-loop based model. For example, it is not hard to imagine a
> situation in node.js application with 10000 handshakes that are trying
> to complete in parallel. Is there any need in creating this fds
> unconditionally?

Well of course the number of jobs in the pool is not the same as the
number of handshakes. We create a pool of jobs that are shared between
the handshakes as required in order to conserve resources. With regards
to the fds, I mentioned that I was working on some tweaks to the API. It
is in this area where there are tweaks being made. Specifically I am
moving the creation of the fds to be a responsibility of the called code
(i.e. most likely an engine) and not the async framework itself.

> However, again, this is only a hypothetical situation, I'm yet to see
> how well it will behave in real situations. Just sharing some immediate
> concerns with you.

I have been collaborating with Intel on this piece of work and they have
been testing the performance quite thoroughly. We are still working on
optimising things, but so far so good.

Matt


>
> Thank you,
> Fedor.
>
> On Thu, Feb 4, 2016 at 4:56 AM, Fedor Indutny via RT <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     Thank you very much, Matt, Rich.
>
>     I will read through these docs tomorrow.
>
>     On Thu, Feb 4, 2016 at 4:29 AM, Matt Caswell via RT <[hidden email]
>     <mailto:[hidden email]>> wrote:
>
>     >
>     >
>     > On 04/02/16 06:34, Salz, Rich via RT wrote:
>     > > It’s late and my response was incomplete.
>     > > The other part has already landed in master, and that's the "async
>     > engine" support.
>     >
>     > See:
>     >
>     > https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html
>     > https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html (i.e.
>     > the SSL_MODE_ASYNC bit)
>     > https://www.openssl.org/docs/manmaster/ssl/SSL_waiting_for_async.html
>     >
>     > I'm working on a patch that may make some tweaks to this API, but you
>     > should get the idea.
>     >
>     > Matt
>     >
>     >
>     >
>
>     _______________________________________________
>     openssl-dev mailing list
>     To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
>
>
>



--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3528
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Fedor Indutny
In reply to this post by Matt Caswell-2


On Fri, Feb 5, 2016 at 7:14 PM, Matt Caswell <[hidden email]> wrote:


On 05/02/16 22:42, Fedor Indutny wrote:
> Matt,
>
> I have looked through the APIs. Will have to experiment with them
> somewhen later to see how well they will perform, but from theoretical
> point of view I am a bit scared of having 2 fds (and one ucontext) for
> every job in a pool. It seems like this could be a bit of burden in
> event-loop based model. For example, it is not hard to imagine a
> situation in node.js application with 10000 handshakes that are trying
> to complete in parallel. Is there any need in creating this fds
> unconditionally?

Well of course the number of jobs in the pool is not the same as the
number of handshakes. We create a pool of jobs that are shared between
the handshakes as required in order to conserve resources. With regards
to the fds, I mentioned that I was working on some tweaks to the API. It
is in this area where there are tweaks being made. Specifically I am
moving the creation of the fds to be a responsibility of the called code
(i.e. most likely an engine) and not the async framework itself.

I understand what the pool means ;) The imaginary situation that I was
talking about had lots of handshakes happening in parallel. To make it a
bit real: a server that decrypts premaster secrets remotely with 2000ms
latency, that receives 1000 requests per second. In such situation pool
size needs to be at least 2000 to accommodate this amount of requests.

While 2000ms is a bit far-fetched, it is very easy to imagine that that
remote decrypting server will go absolutely down and won't respond at
all. Meaning that for some period of time (maybe 5-10 seconds) all this
load is going to attempt to take new job from the pool. While I'm sure that
SSL structures itself will take a huge stake in resources usage, having
extra fd for each of these jobs doesn't sound right to me.

I'm glad to hear that this fd-behavior is going to be overridable. This
sounds lovely!
 

> However, again, this is only a hypothetical situation, I'm yet to see
> how well it will behave in real situations. Just sharing some immediate
> concerns with you.

I have been collaborating with Intel on this piece of work and they have
been testing the performance quite thoroughly. We are still working on
optimising things, but so far so good.


Fantastic!

Thank you very much,
Fedor.
 
Matt


>
> Thank you,
> Fedor.
>
> On Thu, Feb 4, 2016 at 4:56 AM, Fedor Indutny via RT <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     Thank you very much, Matt, Rich.
>
>     I will read through these docs tomorrow.
>
>     On Thu, Feb 4, 2016 at 4:29 AM, Matt Caswell via RT <[hidden email]
>     <mailto:[hidden email]>> wrote:
>
>     >
>     >
>     > On 04/02/16 06:34, Salz, Rich via RT wrote:
>     > > It’s late and my response was incomplete.
>     > > The other part has already landed in master, and that's the "async
>     > engine" support.
>     >
>     > See:
>     >
>     > https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html
>     > https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html (i.e.
>     > the SSL_MODE_ASYNC bit)
>     > https://www.openssl.org/docs/manmaster/ssl/SSL_waiting_for_async.html
>     >
>     > I'm working on a patch that may make some tweaks to this API, but you
>     > should get the idea.
>     >
>     > Matt
>     >
>     >
>     >
>
>     _______________________________________________
>     openssl-dev mailing list
>     To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
>
>
>
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
12