-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: support BoringSSL private key async functionality #6326
Commits on Mar 27, 2019
-
tls: support BoringSSL private key async functionality.
Opens: 1. Validate the thread model. Now there is an unique PrivateKeyOperations instance for each connection, but the PrivateKeyOperationsProvider is shared. This makes the dispatcher model easier and the PrivateKeyOperations lifecycle can be tied with the caller. 2. How to get the private key to the provider? Just let the provider use SSL_get_privatekey()? 3. Does SDS require any special handling? 4. Should we expose BoringSSL primitives (such as 'SSL *ssl') in the API? 5. Automatic registration of PrivateKeyOperationsProvider extensions to the PrivateKeyOperationsManager. We need a NamedPrivateKeyOperationsProviderConfigFactory? 6. Is the API sufficient for all private key users? Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 3ab2e1d - Browse repository at this point
Copy the full SHA 3ab2e1dView commit details -
tls: add BoringSSL private key operations provider manager support.
The private key operations manager allows extensions to register private key operations provider factories. These factories in turn create providers for individual SSL contexts. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 84b6fe1 - Browse repository at this point
Copy the full SHA 84b6fe1View commit details -
tests: add mock privateKeyOperationsManager() method.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 127bff5 - Browse repository at this point
Copy the full SHA 127bff5View commit details
Commits on Mar 29, 2019
-
tls: use typed config for private key provider configuration.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for e58ddfd - Browse repository at this point
Copy the full SHA e58ddfdView commit details
Commits on Apr 5, 2019
-
tls: fixed handling of getPrivateKeyMethods() failure.
Also nicer handling of Protobuf message existence. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 8d91d59 - Browse repository at this point
Copy the full SHA 8d91d59View commit details
Commits on Apr 17, 2019
-
tls: change BoringSSL private key support to be certificate-based.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 0bd6f25 - Browse repository at this point
Copy the full SHA 0bd6f25View commit details
Commits on Apr 26, 2019
-
tls: remove associateWithSsl(), fix tests.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 5e01b30 - Browse repository at this point
Copy the full SHA 5e01b30View commit details -
tls: rename the private key API to be more in line with BoringSSL.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 8717cb2 - Browse repository at this point
Copy the full SHA 8717cb2View commit details
Commits on Apr 30, 2019
-
tls: make a failed private key method association fatal.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 7f0e0bc - Browse repository at this point
Copy the full SHA 7f0e0bcView commit details
Commits on May 9, 2019
-
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 4855c9e - Browse repository at this point
Copy the full SHA 4855c9eView commit details -
test: start testing private key methods (context and ssl_socket).
Add a RSA private key method provider. Use that for validating the SSL socket interaction. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for b25f6a6 - Browse repository at this point
Copy the full SHA b25f6a6View commit details -
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for b7f4fa3 - Browse repository at this point
Copy the full SHA b7f4fa3View commit details
Commits on May 10, 2019
-
test: add a missing "override".
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for f67c1a1 - Browse repository at this point
Copy the full SHA f67c1a1View commit details
Commits on May 13, 2019
-
Merge remote-tracking branch 'origin/master' into private-key-pr-1.3-…
…merged Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for b24ceb2 - Browse repository at this point
Copy the full SHA b24ceb2View commit details
Commits on May 14, 2019
-
tls: close connection if async handshake fails.
if the second half of asynchronous private key method fails (meaning that the operation itself failed or the second call to SSL_do_handshake() failed), just call the connection to be closed. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for ce312ec - Browse repository at this point
Copy the full SHA ce312ecView commit details -
tests: add more tests for private key method error cases.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 3eacd75 - Browse repository at this point
Copy the full SHA 3eacd75View commit details
Commits on May 15, 2019
-
tls: remove status from private key method complete() callback.
BoringSSL pattern seems to be that no-one takes a fast path without calling the SSL_do_hanshake() again. This means that the operators need to communicate errors in the private key complete method by returning `ssl_private_key_failure`. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 81afc58 - Browse repository at this point
Copy the full SHA 81afc58View commit details -
tests: update tests to the new API + cleanups.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for ccc8fbe - Browse repository at this point
Copy the full SHA ccc8fbeView commit details -
tls: add a check for having both private_key and private_key_method.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 3e8a3c3 - Browse repository at this point
Copy the full SHA 3e8a3c3View commit details -
tests: test having both private_key and private_key_method in certifi…
…cate config. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 59d93f6 - Browse repository at this point
Copy the full SHA 59d93f6View commit details -
cert.proto: fix numbering to be contiguous.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for eb1feaa - Browse repository at this point
Copy the full SHA eb1feaaView commit details
Commits on May 27, 2019
-
test: fail if provider doesn't return private key methods.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for f7ccf0b - Browse repository at this point
Copy the full SHA f7ccf0bView commit details -
test: rewrote rsa private key method logic.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for dace6bb - Browse repository at this point
Copy the full SHA dace6bbView commit details -
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 1c5630d - Browse repository at this point
Copy the full SHA 1c5630dView commit details
Commits on May 28, 2019
-
tests: private key method multi-cert tests.
Add a very basic ECDSA private key method provider. Some tests to verify that the provider works, and then to see that the correct private key method is used in a case where there are several private key methods added for a TLS context. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for c92dfd6 - Browse repository at this point
Copy the full SHA c92dfd6View commit details -
dispatcher: add a function for returning current thread id.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 86ecba9 - Browse repository at this point
Copy the full SHA 86ecba9View commit details -
ssl_socket: check the private key method callback thread id.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 3cbe3a5 - Browse repository at this point
Copy the full SHA 3cbe3a5View commit details
Commits on Jun 3, 2019
-
tests: unique pointers, vectors, and cleanups.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 976a469 - Browse repository at this point
Copy the full SHA 976a469View commit details
Commits on Jun 4, 2019
-
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 789368a - Browse repository at this point
Copy the full SHA 789368aView commit details -
tls: complete() -> onPrivateKeyMethodComplete()
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 50d6450 - Browse repository at this point
Copy the full SHA 50d6450View commit details -
tests: FIPS check, private key read from disk only once.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 9146b40 - Browse repository at this point
Copy the full SHA 9146b40View commit details -
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 8a688f6 - Browse repository at this point
Copy the full SHA 8a688f6View commit details
Commits on Jun 5, 2019
-
tests: checkFips() implementation.
Also add one-time key read to ECDSA provider. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 455be73 - Browse repository at this point
Copy the full SHA 455be73View commit details -
tls: remove one of three TlsCertificateConfig constructors.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 14b6d33 - Browse repository at this point
Copy the full SHA 14b6d33View commit details -
tests: remove use of old TlsCertificateConfigImpl constructor.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for cc54803 - Browse repository at this point
Copy the full SHA cc54803View commit details -
tls: remove PrivateKeyMethodConnection class.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 12680f6 - Browse repository at this point
Copy the full SHA 12680f6View commit details -
tests: use higher-level RSA signing functions.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 16ca2a1 - Browse repository at this point
Copy the full SHA 16ca2a1View commit details -
tests: do not use locking in test providers.
SSL_set_ex_data() doesn't seem to support smart pointers though. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 6d5cf6f - Browse repository at this point
Copy the full SHA 6d5cf6fView commit details
Commits on Jun 6, 2019
-
docs: add an overview and some API documentation.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for e3a66fe - Browse repository at this point
Copy the full SHA e3a66feView commit details -
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 6ac9b30 - Browse repository at this point
Copy the full SHA 6ac9b30View commit details -
Merge remote-tracking branch 'origin/master' into private-key-pr-1.3-…
…merged Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for caee5ad - Browse repository at this point
Copy the full SHA caee5adView commit details
Commits on Jun 10, 2019
-
Merge remote-tracking branch 'origin/master' into private-key-pr-1.3-…
…merged Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 1f1c997 - Browse repository at this point
Copy the full SHA 1f1c997View commit details -
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 2ef535f - Browse repository at this point
Copy the full SHA 2ef535fView commit details
Commits on Jun 19, 2019
-
Merge remote-tracking branch 'origin/master' into private-key-pr-1.3-…
…merged Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for c4a5836 - Browse repository at this point
Copy the full SHA c4a5836View commit details -
tls: reduce TlsCertificateConfigImpl constructors to one.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 2498b0f - Browse repository at this point
Copy the full SHA 2498b0fView commit details -
tls: simplify private key method callback. Add some assumptions to th…
…e private key method providers: 1. After calling the completition callback, the providers are not allowed to return ssl_private_key_retry from the BoringSSL complete function. 2. The providers are not allowed to return any other value than ssl_private_key_retry from the BoringSSL complete function before calling the completition callback. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for cd28e08 - Browse repository at this point
Copy the full SHA cd28e08View commit details -
Add transport_sockets/tls/private_key to unowned directories.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for d7e9e5a - Browse repository at this point
Copy the full SHA d7e9e5aView commit details
Commits on Jun 20, 2019
-
CODEOWNERS: add @PiotrSikora and @lizan to transport_sockets/tls.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 9b31b1a - Browse repository at this point
Copy the full SHA 9b31b1aView commit details
Commits on Jun 25, 2019
-
tests: merged RSA and ECDSA providers.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for c9ec2bc - Browse repository at this point
Copy the full SHA c9ec2bcView commit details -
tls: change from PrivateKeyMethod to PrivateKeyProvider.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 9a321eb - Browse repository at this point
Copy the full SHA 9a321ebView commit details -
tests: change how the crypto error is done in private key method test.
It seems that flipping the bits in the output data first byte may sometimes cause the connection to succeed anyway: it may be that it only touches the crypto header. Changing the digest which is signed should cause the handshake to reliably fail however. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 7ec959e - Browse repository at this point
Copy the full SHA 7ec959eView commit details
Commits on Jun 27, 2019
-
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for f35cca5 - Browse repository at this point
Copy the full SHA f35cca5View commit details -
tests: improved an error message.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 0a51246 - Browse repository at this point
Copy the full SHA 0a51246View commit details
Commits on Jul 15, 2019
-
Merge remote-tracking branch 'origin/master' into private-key-pr-1.3-…
…merged Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 808d046 - Browse repository at this point
Copy the full SHA 808d046View commit details -
tls: change "typedef" to "using".
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 3f57152 - Browse repository at this point
Copy the full SHA 3f57152View commit details -
test: remove redundant return.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for ed99c59 - Browse repository at this point
Copy the full SHA ed99c59View commit details
Commits on Jul 23, 2019
-
Merge remote-tracking branch 'origin/master' into private-key-pr-1.3-…
…merged Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 4d1ceca - Browse repository at this point
Copy the full SHA 4d1cecaView commit details -
tests: annotated destructors with override.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for e4cab89 - Browse repository at this point
Copy the full SHA e4cab89View commit details
Commits on Aug 12, 2019
-
tls: gather bools into an enum.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for 5db871c - Browse repository at this point
Copy the full SHA 5db871cView commit details -
Merge remote-tracking branch 'origin/master' into private-key-pr-1.3-…
…merged Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for e0e4ed7 - Browse repository at this point
Copy the full SHA e0e4ed7View commit details -
tests: update one new TlsCertificateConfigImpl constructor.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for d28d44b - Browse repository at this point
Copy the full SHA d28d44bView commit details -
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for b79e532 - Browse repository at this point
Copy the full SHA b79e532View commit details
Commits on Aug 22, 2019
-
tls: various variable name and comment cleanups.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Configuration menu - View commit details
-
Copy full SHA for abf8758 - Browse repository at this point
Copy the full SHA abf8758View commit details