[stunnel-users] stunnel and loading keys from hw devices
Michal.Trojnara at mirt.net
Fri Aug 20 16:15:49 CEST 2010
Victor Wagner wrote:
> 1. Under Unix systems stunnel doesn't provide UI_METHOD for
> ENGINE_load_private_key. It passes NULL there and engine complains that
> no user interface provided.
> 2. OpenSSL UI objects have two methods to pass arbitraty pointers along
> 1. generic ex_data based macros UI_set_app_data/UI_get_app_data
> 2. UI-specific UI_add_user_data/UI_get0_user_data
> All engines shipped with OpenSSL (ones which do provide
> load_private_key method) use UI_add_user_data to pass data to the
Ok. I'll switch to UI_add_user_data/UI_get0_user_data. That's the way
it's implemented in openssl-1.0.0a/apps/apps.c. I assume OpenSSL authors
believe it's safe. AFAIK UI_set_app_data/UI_get_app_data is currently
undocumented in OpenSSL.
> /* if set_app_Data haven't-return anything */
> if (!ui_data)
This heuristics doesn't look reliable. If app_data is used by an engine
than it could contain arbitrary garbage instead of NULL. Did I miss
> Thus it would work even with really broken engines which do not pass
> userdata from ENGINE_load_private_key to UI callbacks at all.
I guess that would break default tests built into OpenSSL.
More information about the stunnel-users