[stunnel-users] stunnel and loading keys from hw devices

Michal Trojnara Michal.Trojnara at mirt.net
Fri Aug 20 16:15:49 CEST 2010

Victor Wagner wrote:
> 1. Under Unix systems stunnel doesn't provide UI_METHOD for
> ENGINE_load_private_key. It passes NULL there and engine complains that
> no user interface provided.
> 2. OpenSSL UI objects have two methods to pass arbitrary pointers along
>   1. generic ex_data based macros UI_set_app_data/UI_get_app_data
>   2. UI-specific UI_add_user_data/UI_get0_user_data
> All engines shipped with OpenSSL (ones which do provide
> load_private_key method) use UI_add_user_data to pass data to the
> callback.

Ok.  I'll switch to UI_add_user_data/UI_get0_user_data.  That's the way
it's implemented in openssl-1.0.0a/apps/apps.c.  I assume OpenSSL authors
believe it's safe.  AFAIK UI_set_app_data/UI_get_app_data is currently
undocumented in OpenSSL.

>   /* if get_app_data hasn't returned anything */
>   if (!ui_data)
>   	ui_data=UI_get0_user_data(ui);

This heuristic doesn't look reliable.  If app_data is used by an engine
then it could contain arbitrary garbage instead of NULL.  Did I miss

> Thus it would work even with really broken engines which do not pass
> userdata from ENGINE_load_private_key to UI callbacks at all.

I guess that would break default tests built into OpenSSL.