wiki:PolarSSLintegration

Introduction

This page tracks the ACK/NACK/merge status of Adriaan's PolarSSL patches. So far, these patches have been discussed on the mailinglist, as well as a few IRC meetings:

Patches

Doxygen

Patches are viewable from here.

PatchAcked-byNotes
Added Doxygen doxyfiledazo
Added data channel crypto docsdazo
Added control channel crypto docsjamesyonan
Added compression docsjamesyonan
Added reliability layer documentationjamesyonan
Added memory management documentationjamesyonan
Added data channel fragmentation docsjamesyonan
Added main/control docsjamesyonan
Moved doxygen-specific files to a separate directorydazo

In the meeting held July 7th, James Yonan gave an ACK to these patches as long as they don't change any functionality. As far as I could spot, this is true. (dazo)

OpenSSL crypto separation

Patches are viewable from here

PatchAcked-byNotesUpstream commit
Changed configure to accept --with-ssl-type=openssldazo0a18017472edb52c5535bc814c2aceaa2b562222
Refactored to rand_bytes for OpenSSL-independencydazo6825182b8137c036afcdc0e48397c0ea5ffc2404
Refactored OpenSSL-specific constantsdazob5738e5b858274785eff30edb4748e3f641e0b1c
Refactored maximum cipher and hmac length constantsdazo23ee3563de28820919fe83f8f5b7289dc4ed42ae
Refactored show_available_* functionsdazo7151f3f78ea49e3ce98619884aa4e2aa57cb90fb
Refactored SSL_clear_error()dazo330715f0abec92dad434f3ca38557e5cff03f2a3
Refactored crypto initialisation functionsdazob01cb9ef6b7ed5769f925fc96b6eb534c794203f
Refactored DES key manipulation functionsdazo,jamesyonan183c3d190b12df6c0e9023e5a60f3aa2d3d66140
Refactored NTLM DES key generationdazo4a5a6033f95369a2d94e2dafff1d702f82f118ba
Refactored message digest type functionsdazo902f674ef4170fd10cf47f216632e51214db6966
Refactored message digest functionsdazod5f4461779899dc13be3fc7d41e0f0ac308ffa73
Refactored HMAC functionsdazoAdditional fixes in Moved HMAC prints back to main crypto modulee8c950f12dfd6187f084fb06b6fe6e57c030bdad
Refactored cipher key typesdazo,jamesyonanACK when combined with Fixed an unintentional change in the options calculated key size.670f9dd91aed7ac435b79c0e28e49fa7c256642c
Refactored cipher functionsdazo485c5f76a15e7f9950a3ee3126dbf50f66f9ef82
Added PRNG doxygendazo279a308eed40d756cf6644c5a1a82f2aecda8dd8
Refactored: Moved crypto.h inline functions to end of filedazo76dafacecdcdf30a8278ab3abcec64831e95054f
Removed stale OpenSSL defines from crypto.hdazo1b1a98069b290512f673db5630eb4134f4899f16
Whitespace fixes in ntlm.cNACKjamesyonan: only changes style(skipped)
Added a check for Openssl or PolarSSL definesdazo253329a8588939da09867349c6a6aae62a21c667

SSL library separation

PatchAcked-byNotesUpstream commit
Refactored: Added stubs for new filescron29a160b796e1a40f9635231e5533ce40d46dba25f
Refactored SSL initialisation functionscron295993a1df3c39fd2ea9c037b2f0bfcdf040b7d59
Refactored TLS_PRF to new hmac and md primitivescron2,jamesyonanAlso look hereeab0cf2df1b1f1f73a657384c0fdb201508c0399
Refactored tls_show_available_cipherscron2,jamesyonan397c0a35c5b36c270678c717e931476dc42bfa5c
Refactored get_highest_preference_tls_ciphercron2b64ffdcf09edd7110c1f851942d0e8d4e05d883c
Refactored root SSL context initialisationcron2,jamesyonan6245178696842fb22f2c53d87184236fd471a334
Refactored new external key codecron2,jamesyonandf904551cde7534e3f58809cb810164749fbbc28
Refactored DH paramater loadingcron2ac3e8d62ba14d4ee376fd3c9f20bccc3e53e7371
Refactored root TLS option settingscron2b5563f1154a4a4e1d4742b7194e4974a3b53b78f
Refactored PKCS#12 key loadingcron2,jamesyonan289a8bb806150b418abb64abea26cb4106811850
Refactored PKCS#11 loadingcron2d1013cfe957ab3961b8b78486704ddcdecba513b
Refactored windows cert loadingcron2d494c31501635cbd5ae0e864849901bb3a4d3565
Refactored load certificate functionsjamesyonandazo: check if ssl.c causes problems when merging to "master"f4047d7420bac6bce5e8862771f0c20d42ba68ed
Refactored private key loading codedazod67c3147b006aed24f0c3f6e0e288bf0d6a55973
Refactored external key loading from managementjamesyonan5f4eb537d7a4eb28db8bd6211bc8e29ae5c4465a
Refactored CA and extra certs codedazo: functional ACK, needs style cleanup in separate patch244da317ee9d32a04da80e87502883453f6618cc
Refactored cipher restriction codedazoACK with this patch:Removed a stray Fox-IT tag2e74a9d02da9ac071438e24de8561ccf9192e94a
Rafactored tls_options, key_state, and key_source data structuresjamesyonan67d8a0d4e9bcca4299158c80f184c7dea57a9eab
Refactored initalisation of key_statesjamesyonand7efe640112f94cb20ce52a6adf0bd1b4d5f4ec2
Refactored key_state free codecron2214fc873fe744ac722e9dd69917b6254e2151af2
Refactored print_detailscron2963ad54e53c1fc1b701a9c62231b011243321cef
Refactored key_state read code (including bio_read())jamesyonandd5e1102c1a2a431510be3e5a179c6e264d8f913
Refactored key_state write functionsjamesyonanbf707bd2b1f3af28afed84738e0f6a59db59bb74
Refactored: Moved BIO debug functions to OpenSSL backendcron2dea110e0531c88c71f71bc91badbaa8f6fb37e72
Refactored: removed ks and ks_lame macro for clarityjamesyonan57513aac1aac93190d56ffb3a1a642460f318253
Refactored: minor whitespace fixes in ssl.ccron2(not found, NACKed?)
Refactored: moved write_empty_string function backcron2fef565a31640e9de2bc518ea7264a067a5efd38e
Refactored Doxygen for tls_multi functionscron2897f8be4efa2d4b7cae100fe89838eb62e26f3b3

Verification functions

NOTE: Some Github pages have links to "diff of diff" pages. These make it easier to visualize if / how the patch changes functionality.

PatchAcked-byNotesUpstream commit
Migrated data structures needed by verification functions to ssl_common.hjamesyonan49620510205af8623efad434b471a4089851da19
Refactored client_config_dir_exclusive functionjamesyonan88aaf1aefd91b3704b3b00eeddff3befdefbc2b8
Refactored certificate hash lock checksjamesyonan82f925b60c0f029295975e64d9acabb53c0a5e3c
Refactored common name locking functionsjamesyonanACK when coupled with Added back checks for ks->authenticated in verify_user_pass 530af3efa38bd4e1044e5982f1970f5d772dbb48
Refactored username and password authentication codejamesyonanACK, provided it's tested properly before 2.3 released0811e643cddd796722fb1d0050ad57168da29d4
Add some extra commentsjamesyonane285cdb0a266fe43c282bc77cda4447d3043fffd
Refactored: split verify_callback into two partsjamesyonan0a67e4621dea40ff5aa292cebbd271633adbf157
Added function to extract and verify the subject from a certificatejamesyonan971790dae113e4665e1508ab17698047e7321c69
Added function to verify and extract the usernamejamesyonandd4cdb9ee740527f32198ef27b9901e396e045be
Refactored: removed global x509_username_fieldjamesyonan19dd3ef12f45b2c70c0657ea72fbdce5241e45c2
Refactored: separated environment setup during verificationjamesyonanfe100528c780548c21d664d1c14b37cbfd4c3e0f
Refactored: Netscape certificate type verificationjamesyonan06d22777e9172efe3b3dc15c1bc2c6ef5d292cfa
Refactored key usage verification codejamesyonan876752aed66a143295d9d0d4e61dc9a8beca2f5e
Refactored EKU verificationjamesyonan587f419b714d283ad6d5c861d6f1ecf12345b89d
Refactored tls-remote checkingjamesyonana4c926bb5939d95d9e7c0dfd4b83e61a11f86c90
Refactored tls-verify-plugin codejamesyonan75c67073ed5d35b0efcd2a99492cf34339da08fb
Refactored tls-verify script codejamesyonanACK when coupled with Moved gc_new and gc_free to begin end of function3e44ea55339429ede83857c9e79cc218d6bc297f
Refactored CRL checksjamesyonan"Doing low-level stuff like verifying CRL issuers and checking serial numbers is something that's better done by the OpenSSL library directly"83c49a3ef135141101b71037f315099d32219bbf
Minor cleanup in verify_cert:jamesyonan3cb348e46e5e356eb7e1fe44d1e35f1152865e28
Refactored: Moved verify_cert to ssl_verifyjamesyonan36fae2ec0d04ee078db6ab3888815ea49660104a
Cleaned up ssl.hjamesyonan9fb45319cba1f99ffe5538243a4e735191504cc8
Refactored: made M_SSL dependent on USE_OPENSSLjamesyonan71ebd84debcea72d5b86861aca33553eb435126c
Refactored: renamed X509 functions from verify_*jamesyonanbb53a20a9b678da3acce6b73cb3d6f73ebdbede9
Separated OpenSSL-specific parts of the PKCS#11 driverjamesyonan5fe5fe9e6264d45154a7ece8c85fa70173429ff8
Modified base64 code in preparation for PolarSSL mergejamesyonana4da1fe776b774670948f00898d370da614960f5
Final cleanup before PolarSSL addition:jamesyonanfceecbab9ddd58ccec28aeafa7be39c65f313458
Refactored X509 track feature to be contained within the openssl backendjamesyonan725336282db0c9f160d6ef577288e5a628959776

PolarSSL addition

PatchAcked-byNotesUpstream commit
Added PolarSSL support:jamesyonan,cron2only the modified parts, _polarssl parts will be shown at a slower pace53f97e1e9125aa9327c7ecf4a1b0b1a0c20cf2de
Fixed a missing include in ssl_backend.hcron28c96419559b5978cf6096e63caec2c197266b961
Fixed a bug in the hash generation in ssl_verify_openssl.cjamesyonan, cron2f25d29c9b239b757f5391f0fb1a7353ec6b8bbcf
Added SHA_DIGEST_SIZE definitionjamesyonan, cron27ce40d9931ab9f16c83b282eb0f2ba1ebefd7079
Changed PolarSSL crypto backend to support v0.99-pre5cron2, jamesyonanbe0a08d452f7fafde507361c76d8724f047cfb3f
Updated ssl_polarssl.c to work with 0.99-pre5cron2, jamesyonan50d1fc0dd5844fd0ef92b4d09e021f9332fd5e77
Fixed a compilation warning for size_t key sizesNACK, %zd is not portableack together with Moved from %zd to a more compatible format string (counter_format) Merged both commits into c2896b10c5f170d3821a647c1f38f542fdeba9eb, ACKed by dazo
Added a warning that the PolarSSL library does not support pkcs12 files.cron2,jamesyonan88133cdb961afcfb2de4576b0647f90378a67cc3
Added warning that --capath is not available with PolarSSLcron2,jamesyonan8d26c253e8f62d67b51d50f82c333ed4412000ac
Disable CryptoAPI when not using OpenSSL, and document that fact.cron2,jamesyonan93c22ecc635bc5047468629f2a5423a153910c0b
Removed support for management external keys in PolarSSLcron2, jamesyonan5fa82c550f8160bb8dd107bc5f3d516ba996dd6d
Removed stray X509_free from ssl.cjamesyonan477127061a22e6e998755c657873aa1b212ea59a
Refactored (and disabled for PolarSSL) support for writing external cert files in scriptsjamesyonan8bb72fbcba4721a68333f06d8b38a5ad05f6638a
Added an extra define to allow building without PKCS#11jamesyonana9bf901c76aca35cb40845177ef639225b6dabd5
Added SSL library to title stringjamesyonan, cron288203950ef5ce2f23325ceff5ad247033dfa0005
Disabled X.509 track and username selection for PolarSSLjamesyonan7dd8bbf574672b60d4776bee0ef9908cf1f49c2f

Misc cleanup

PatchAcked-byNotesUpstream commit
Hardening: periodically reset the PRNG's nonce valuejamesyonan557624e0a7282cf31cd3b58f8155f11f0517f254
Fixes for the plugin system:jamesyonan1876ccd012e9e2ca6f8e1cd9e7e9bb4bf24ccecb
Further improvements to plugin support:jamesyonanbcedab1f498d480cc1d4d60789b8459c1498c330
Got rid of a few magic numbers in ntlm.cjamesyonanNew version of same patch applied: 9788322b9566101119484d992364e8b1bb1d4dd4 (ACK by dazo)
Fixed an unintentional change in the options calculated key size.dazoA fix to Refactored cipher key types1271be60c88e6d7e0208fdb893f1e553c2b5f0cf
Moved print messages back to generic crypto.c from cipher backendsdazodazo: "We need to fix spelling on -> one"0d4ec3d8bbf39e4802781e1b3c881d76e068217f
Moved HMAC prints back to main crypto moduledazoReq. by Refactored HMAC functions62242ed28d4cb3adec4edd6c39c6ed3f1c50cb37
Added back checks for ks->authenticated in verify_user_passjamesyonanRequired by Refactored common name locking functionsc94eff3c2fe2f1ae85159294ce89f80d676f8c36
Moved gc_new and gc_free to begin end of functionjamesyonanRequirement for Refactored tls-verify script codeb26341cdb7e58a00c0d2ab5e5b1e3ad59c0a60b7
Fixed a bug in the return value of ssl_verify when pre_verify failedjamesyonan4ce976fb280fc279fc2f9e6478ca55716cf3d081
Unified verification function return valuesjamesyonan8a840d832e9576bdcb7c6819a3a9401e0d9fd545
Removed a stray Fox-IT tagdazoReq.by Refactored cipher restriction code2e791e6577db296b1b34379e3308a96c2f49afa9
Fixed a typo: print the subject instead of the serial for verification e..jamesyonan58ddb7b89240e4a484c5171be6df285563eda392
Made SSL_CIPHER const in print_details, to fix warningdazo0e282134d58b15c8fd21defb22c963e96b0d5372
Moved to PolarSSL 1.0.0:dazoeaacf8d8f289fefa9a64b85e72552f949d4c28c6
Last modified 5 years ago Last modified on 10/24/11 11:19:33