Implement asynchronous private key operations for client auth.

This adds a new API, SSL_set_private_key_method, which allows the consumer to
customize private key operations. For simplicity, it is incompatible with the
multiple slots feature (which will hopefully go away) but does not, for now,
break it.

The new method is only routed up for the client for now. The server will
require a decrypt hook as well for the plain RSA key exchange.

BUG=347404

Change-Id: I35d69095c29134c34c2af88c613ad557d6957614
Reviewed-on: https://boringssl-review.googlesource.com/5049
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h
index 00eccfa..1736fb0 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -350,6 +350,30 @@
                       size_t in_len);
 
 
+/* Private key operations. */
+
+/* ssl_private_key_* call the corresponding function on the
+ * |SSL_PRIVATE_KEY_METHOD| for |ssl|, if configured. Otherwise, they implement
+ * the operation on |pkey|.
+ *
+ * TODO(davidben): The |EVP_PKEY| must be passed in to due to the multiple
+ * certificate slots feature. Remove it. */
+
+int ssl_private_key_type(SSL *ssl, const EVP_PKEY *pkey);
+
+int ssl_private_key_supports_digest(SSL *ssl, const EVP_PKEY *pkey,
+                                    const EVP_MD *md);
+
+size_t ssl_private_key_max_signature_len(SSL *ssl, const EVP_PKEY *pkey);
+
+enum ssl_private_key_result_t ssl_private_key_sign(
+    SSL *ssl, EVP_PKEY *pkey, uint8_t *out, size_t *out_len, size_t max_out,
+    const EVP_MD *md, const uint8_t *in, size_t in_len);
+
+enum ssl_private_key_result_t ssl_private_key_sign_complete(
+    SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out);
+
+
 /* Underdocumented functions.
  *
  * Functions below here haven't been touched up and may be underdocumented. */
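Review bot: The section comment has a typo, `passed in to due to` should read `passed in due to`, and the result contract of `ssl_private_key_sign` and `ssl_private_key_sign_complete` is not stated: nothing says that at most |max_out| bytes are written to |out|, that |*out_len| is only meaningful on success, or when |ssl_private_key_sign_complete| is expected to be called (presumably after a non-final result from |ssl_private_key_sign|; the |ssl_private_key_result_t| enum is declared elsewhere, so confirm the value names). I would put above the sign declaration a comment along the lines of `/* ssl_private_key_sign signs |in_len| bytes from |in| with |pkey| using |md|. On success it writes at most |max_out| bytes to |out| and sets |*out_len|. */` and a matching one on the completion function that names the retry path it belongs to. The same max-length contract should be stated for `ssl_private_key_max_signature_len`, since callers will size |out| from it.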
@@ -508,6 +532,10 @@
                    * Probably it would make more sense to store
                    * an index, not a pointer. */
 
+  /* key_method, if non-NULL, is a set of callbacks to call for private key
+   * operations. */
+  const SSL_PRIVATE_KEY_METHOD *key_method;
+
   /* For clients the following masks are of *disabled* key and auth algorithms
    * based on the current session.
    *
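Review bot: The new `key_method` field comment says what the pointer is for but not who owns it or how long it must stay valid; as a `const SSL_PRIVATE_KEY_METHOD *` it looks like a borrowed pointer to a caller-provided table, which should be said explicitly so callers do not pass a temporary. The commit description also says the method is incompatible with the multiple certificate slots feature, which the field comment should record. I would extend it to `/* key_method, if non-NULL, is a set of callbacks to call for private key operations. It is not owned by the SSL and must outlive it. It is incompatible with the multiple certificate slots feature. */`, adjusting the ownership sentence if the setter actually copies the table. The enclosing struct starts outside the hunk.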
@@ -1069,8 +1097,9 @@
 int tls1_process_ticket(SSL *s, const struct ssl_early_callback_ctx *ctx,
                         SSL_SESSION **ret);
 
-int tls12_get_sigandhash(uint8_t *p, const EVP_PKEY *pk, const EVP_MD *md);
-int tls12_get_sigid(const EVP_PKEY *pk);
+int tls12_get_sigandhash(SSL *ssl, uint8_t *p, const EVP_PKEY *pk,
+                         const EVP_MD *md);
+int tls12_get_sigid(int pkey_type);
 const EVP_MD *tls12_get_hash(uint8_t hash_alg);
 
 int tls1_channel_id_hash(EVP_MD_CTX *ctx, SSL *s);
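Review bot: The changed prototypes of `tls12_get_sigandhash` and `tls12_get_sigid` still carry no comment, so a caller cannot tell how many bytes the former writes to |p|, what the new |ssl| parameter is consulted for, or what identifier space |pkey_type| belongs to (from the new `ssl_private_key_type` declaration in this commit I would guess it is that function's return value, but confirm). |ssl| is also non-const; if the function only reads the configured key method, `const SSL *ssl` would document that. I would add `/* tls12_get_sigandhash writes the signature-and-hash pair for |pk| and |md| to |p|, consulting |ssl|'s key method, and returns one on success and zero on error. */`, assuming this file's usual one/zero return convention, and a one-line comment on `tls12_get_sigid` naming the type space of |pkey_type|.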