connection specific data in sign provider

Tomas Mraz tomas at openssl.org
Mon Nov 13 08:08:14 UTC 2023


You would have to pass the callback pointer as an octet string
OSSL_PARAM set on the signature context. That would of course require
patching libssl to set the pointer on the signature context when it is
invoking the signature.

The providers do not have direct reach to libssl or libcrypto data.

Tomas Mraz, OpenSSL

On Sat, 2023-11-11 at 12:48 +0000, boknamail via openssl-users wrote:
> Hi all,
> 
> I implemented an OpenSSL signature provider that shall offload the
> signature into the user's code space via a callback that the user can
> define.
> During the TLS handshake I already get the function
> OSSL_FUNC_signature_digest_sign invoked. Inside this function I want
> to call the user defined callback.
> 
> My current approach is to create a provider context containing an
> empty callback, have the user get the provider context and set the
> callback and inside OSSL_FUNC_signature_digest_sign_init copy the
> callback from the provider context into the sign context.
> 
> The disadvantage of this is that the callback is global to the
> provider.
> I would rather have it connection-specific.
> Is there any way to hand over data specific to the connection to the
> sign functions?
> I was thinking about adding the callback to the ex_data of the
> SSL_CTX, but did not find a way to access the SSL_CTX or the SSL from
> inside the signature function.
> 
> Thanks!
> 

-- 
Tomáš Mráz, OpenSSL
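As an added illustration of the OSSL_PARAM route described above (example code, not from the thread or from OpenSSL itself): a provider's per-operation signature context receives a per-connection signer through an octet-pointer param, so two connections served by the same provider end up with different callbacks instead of one global one. It uses the OSSL_PARAM_OCTET_PTR type (pointer passed by reference) rather than an octet string, the key name `conn-signer`, the `conn_signer_t` struct and all function names are assumptions, and the libssl change that would set this param during a real handshake is not shown.

```c
#include <string.h>

/* Layout and type tag copied from OpenSSL 3's <openssl/core.h> so this file
 * builds without libcrypto; a real provider includes that header instead. */
typedef struct { const char *key; unsigned int data_type; void *data;
                 size_t data_size; size_t return_size; } OSSL_PARAM;
#define OSSL_PARAM_OCTET_PTR 7
/* Per-connection signer owned by the application (hypothetical names). */
typedef int (*sign_cb_t)(void *user, const unsigned char *tbs, size_t tbslen,
                         unsigned char *sig, size_t *siglen);
typedef struct { sign_cb_t cb; void *user; } conn_signer_t;
#define SIGNER_PARAM_KEY "conn-signer"   /* hypothetical provider-private key */
/* Provider-side per-operation context (one per EVP_PKEY_CTX): a signer bound
 * here is not shared across connections the way a provctx field would be. */
typedef struct { conn_signer_t *signer; } sig_ctx_t;
/* OSSL_FUNC_signature_set_ctx_params handler: accept the pointer only when
 * key, type and size all match; a mistyped or mis-sized param is rejected. */
int sig_set_ctx_params(void *vctx, const OSSL_PARAM params[]) {
    sig_ctx_t *ctx = vctx;
    for (const OSSL_PARAM *p = params; p != NULL && p->key != NULL; p++) {
        if (strcmp(p->key, SIGNER_PARAM_KEY) != 0) continue;
        if (p->data_type != OSSL_PARAM_OCTET_PTR || p->data_size != sizeof(void *)) return 0;
        ctx->signer = *(conn_signer_t **)p->data;
    }
    return 1;
}
/* OSSL_FUNC_signature_digest_sign handler: offload to the bound callback. */
int sig_digest_sign(void *vctx, unsigned char *sig, size_t *siglen,
                    const unsigned char *tbs, size_t tbslen) {
    sig_ctx_t *ctx = vctx;
    if (ctx->signer == NULL || ctx->signer->cb == NULL) return 0;  /* nothing bound */
    return ctx->signer->cb(ctx->signer->user, tbs, tbslen, sig, siglen);
}
/* Constructed sample callback: "signs" by emitting the connection's tag byte. */
static int tag_sign(void *user, const unsigned char *tbs, size_t tbslen,
                    unsigned char *sig, size_t *siglen)
{ (void)tbs; (void)tbslen; sig[0] = *(unsigned char *)user; *siglen = 1; return 1; }
/* Caller side for one connection: build the array EVP_PKEY_CTX_set_params() would
 * pass (as OSSL_PARAM_construct_octet_ptr()/_end() do), bind, sign; -1 on failure. */
int sign_for_connection(unsigned char tag) {
    conn_signer_t signer = { tag_sign, &tag }, *ref = &signer;
    OSSL_PARAM params[] = { { SIGNER_PARAM_KEY, OSSL_PARAM_OCTET_PTR, &ref,
                              sizeof(ref), 0 }, { NULL, 0, NULL, 0, 0 } };
    sig_ctx_t ctx = { NULL }; unsigned char sig[1]; size_t siglen = 0;
    if (!sig_set_ctx_params(&ctx, params)) return -1;
    if (!sig_digest_sign(&ctx, sig, &siglen, (const unsigned char *)"msg", 3)) return -1;
    return sig[0];
}
```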


