Changes between Version 42 and Version 43 of Topics-2011-07-14


Timestamp: 07/21/11 10:19:40 (13 years ago)
Author: Samuli Seppänen
Comment: --

  • Topics-2011-07-14

    v42 v43  
    33= Sprint topics =
    44
    5 The plan is to ACK/NACK/fix as many of andj's PolarSSL patches as possible. The full source of patches can be viewed on github: [https://github.com/andj/openvpn-ssl-refactoring].
    6 
    7 Note: the below were generated using {{{ git log 46e7d0b6ae89634e70686bf48bfcdca07249f829~1.. --reverse --format="||[https://github.com/andj/openvpn-ssl-refactoring/commit/%H %s]||||||" }}}
    8 == Doxygen ==
    9 
    10 Patches are viewable from [http://thread.gmane.org/gmane.network.openvpn.devel/4740 here].
    11 
    12 ||'''Patch'''||'''Acked-by'''||'''Notes'''||
    13 ||[http://thread.gmane.org/gmane.network.openvpn.devel/4747 Added Doxygen doxyfile]||dazo||||
    14 ||[http://thread.gmane.org/gmane.network.openvpn.devel/4740 Added data channel crypto docs]||dazo||||
    15 ||Added control channel crypto docs||||||
    16 ||Added compression docs||||||
    17 ||Added reliability layer documentation||||||
    18 ||Added memory management documentation||||||
    19 ||Added data channel fragmentation docs||||||
    20 ||Added main/control docs||||||
    21 ||[http://thread.gmane.org/gmane.network.openvpn.devel/4740 Moved doxygen-specific files to a separate directory]||dazo||||
    22 
    23 == OpenSSL crypto separation ==
    24 
    25 Patches are viewable from [http://thread.gmane.org/gmane.network.openvpn.devel/4764 here]
    26 
    27 ||'''Patch'''||'''Acked-by'''||'''Notes'''||
    28 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/7b829e3d539108545d47241a1a773cd2551de009 Changed configure to accept --with-ssl-type=openssl]||dazo||||
    29 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/55760a88d092d511bbe9495984c7b345f981e2ec Refactored to rand_bytes for OpenSSL-independency]||dazo||||
    30 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/b957e47e5cbfd98a6e39790059279edf0a9b448f Refactored OpenSSL-specific constants]||dazo||||
    31 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/da5221f8d416a05d552dd0e09885ff7d3a677514 Refactored maximum cipher and hmac length constants]||dazo||||
    32 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/8ff526f45566d235b066d70150886f96c81b986c Refactored show_available_* functions]||dazo||||
    33 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/33efe72a9c1d9d40609ffc24fb20070f42c4018c Refactored SSL_clear_error()]||dazo||||
    34 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/dd253d7934e18343193d085dfe6aff97ea104b05#L3R104 Refactored crypto initialisation functions]||dazo||||
    35 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/b8368cccf8b7bc448be9b1b73c83c10499473263 Refactored DES key manipulation functions]||dazo,jamesyonan||||
    36 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/d86e00908abc3f98e90d589daadfc07caac4f2c7 Refactored NTLM DES key generation]||dazo||||
    37 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/21e946650fae0b777f7e0f1811213f167fb0648a Refactored message digest type functions]||dazo||||
    38 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/9bacf964d13a357c3d9d1b6a14121c3694477a24 Refactored message digest functions]||dazo||||
    39 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/f331011e2ab7aa59f5493907a2b1d98925fa7f97 Refactored HMAC functions]||dazo||Additional fixes in [https://github.com/andj/openvpn-ssl-refactoring/commit/7f009fd01788dd5787facd953fe260491ac62b44 this] patch.||
    40 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/5b8f6dbaf96b0b82a50e4b3c9acb4bbe6f5bf968 Refactored cipher key types]||dazo,jamesyonan||ACK when combined with [https://github.com/andj/openvpn-ssl-refactoring/commit/de00fa7e30d7a68528f1ce7338f4f4e83d665090 this] patch.||
    41 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/de00fa7e30d7a68528f1ce7338f4f4e83d665090 Fixed an unintentional change in the options calculated key size]||dazo||A fix to [https://github.com/andj/openvpn-ssl-refactoring/commit/5b8f6dbaf96b0b82a50e4b3c9acb4bbe6f5bf968 this] patch||
    42 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/05c901305e658d188e2bf5020a425bace935a8a2 Refactored cipher functions]||dazo||||
    43 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/81fd3eda9299a19ed5dce7ac89f8638a41dcc2b3 Added PRNG doxygen]||dazo||||
    44 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/07b4cdb87c866059dee207a77faf4f76bfb9d43f Refactored: Moved crypto.h inline functions to end of file]||dazo||||
    45 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/740f3b58c7fa48dec5db37e6f6d36b0c47e30957 Removed stale OpenSSL defines from crypto.h]||dazo||||
    46 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/fe519cd6f0c382e5b75945e8cac9b825a6e3625f Whitespace fixes in ntlm.c]||'''NACK'''||jamesyonan: only changes style||
    47 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/f7843d14f10c3755c96f28d96ed02eeae20d0e56 Added a check for Openssl or PolarSSL defines]||dazo||||
    48 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/89e31cfb9c6c5fd33600a76c77e645c24dd0663b Moved print messages back to generic crypto.c from cipher backends]||dazo||dazo: ''"We need to fix spelling on -> one"''||
    49 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/7f009fd01788dd5787facd953fe260491ac62b44 Moved HMAC prints back to main crypto module]||dazo||Fix to [https://github.com/andj/openvpn-ssl-refactoring/commit/f331011e2ab7aa59f5493907a2b1d98925fa7f97 this] patch.
    50 
    51 
    52 == SSL library separation ==
    53 
    54 ||'''Patch'''||'''Acked-by'''||'''Notes'''||
    55 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/46e7d0b6ae89634e70686bf48bfcdca07249f829 Refactored: Added stubs for new files]||||||
    56 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/ad858d74599484b3f0d4ee16ffa645e098978a1d Refactored SSL initialisation functions]||||||
    57 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/d58b991030ff321dd107e81a400a1e2e1a82bfea Refactored TLS_PRF to new hmac and md primitives]||||||
    58 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/84a1af2ca444672ef3dcd9488c49e16b22f7646e Refactored tls_show_available_ciphers]||||||
    59 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/4f5b4ca58d2a16d1d0a88701b260da5a24f1bb99 Refactored get_highest_preference_tls_cipher]||||||
    60 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/7b0aaa1b779aca13c3d4f4ad36d32cf800cfec06 Refactored root SSL context initialisation]||||||
    61 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/47031a84fc2d27e03439ff29baa8f66b6f2794bf Refactored new external key code]||||||
    62 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/ab64efc6d3d85b901c0b65794a07ecaba046f376 Refactored DH paramater loading]||||||
    63 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/9bb4886227f17d9a5f770294d7953555e7554b13 Refactored root TLS option settings]||||||
    64 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/b598dc77bb01e900926fe1c897fab3fca87c1499 Refactored PKCS#12 key loading]||||||
    65 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/2751963b9860a1a1fc82dec4851b11ddafac031e Refactored PKCS#11 loading]||||||
    66 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/6cd93220509346eb2701188cbb8ca6e77451b494 Refactored windows cert loading]||||||
    67 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/df9b63c5c0b3333d7171e76dd3dab87b9274cbf8 Refactored load certificate functions]||||||
    68 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/4431a8b7cf89500b81c9c62774ac75c1937297e3 Refactored private key loading code]||||||
    69 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/2a5f084332fc7a619107513b17b2f4a3dc0c31b2 Refactored external key loading from management]||||||
    70 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/b5ceb7049dd57ac8e7fa05d542c479382a4ed1ed Refactored CA and extra certs code]||||||
    71 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/bde5b4f18e82437cdd6ca93cdc6fb78bfedc924b Refactored cipher restriction code]||||||
    72 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/899913d235502a2a6bd754e368bbe5a782a83911 Rafactored tls_options, key_state, and key_source data structures]||||||
    73 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/68adc0eff8f06eef9d98a4bd12eb36bcbfc62164 Refactored initalisation of key_states]||||||
    74 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/1f09fbe7a54779a6b359c139400c71cbb53f5ac9 Refactored key_state free code]||||||
    75 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/7172f01eee7aa5c78af77f560ab8c5a25666614d Refactored print_details]||||||
    76 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/72e75b9776e7528a8e36671f8e5337a00aa840ba Refactored key_state read code (including bio_read())]||||||
    77 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/fc50119c1fe1b37cebc76913c66854bce103b68f Refactored key_state write functions]||||||
    78 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/d1fa6f792b65f38acbe0728387a1f9b214e2be00 Refactored: Moved BIO debug functions to OpenSSL backend]||||||
    79 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/7e4fb7ce9e061e180ab2f6a78da15ac0b797cc77 Refactored: removed ks and ks_lame macro for clarity]||||||
    80 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/0c332998f43510afed692febadf1a03dcee57ee9 Refactored: minor whitespace fixes in ssl.c]||||||
    81 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/360ff2980be50a6d2d8dececa1854807da4a7a1c Refactored: moved write_empty_string function back]||||||
    82 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/be3d6f97f7596c91fae5e656854dbfed6de80ec6 Refactored Doxygen for tls_multi functions]||||||
    83 
    84 
    85 == Verification functions ==
    86 
    87 ||'''Patch'''||'''Acked-by'''||'''Notes'''||
    88 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/1e3d80aeafa910a21bf9fe4e23c59392ea6fc551 Migrated data structures needed by verification functions to ssl_common.h]||||||
    89 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/365d2319d95f4374072a2b6ea49b1b6c472fbb39 Refactored client_config_dir_exclusive function]||||||
    90 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/bbe117b0217180718f9d84ed21c149b0d0f035ad Refactored certificate hash lock checks]||||||
    91 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/4254b8152e94fdd46015505157a81a3033700202 Refactored common name locking functions]||||||
    92 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/ba69026d92958de3dbee6410c016d5b5cff01d6c Refactored username and password authentication code]||||||
    93 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/77aa7ead6e86082045e5423d88df8cb1d6179efd Add some extra comments]||||||
    94 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/950b2182d8846d794ca1339b8d20ad7532801c5f Refactored: split verify_callback into two parts]||||||
    95 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/22a6039ac3ae6b09650f74c0db65269099f829fe Added function to extract and verify the subject from a certificate]||||||
    96 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/71e27b1e282bf8e10724b69fe4cbeac65dee325b Added function to verify and extract the username]||||||
    97 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/43c6568e72c10838ee851dbd96f400cdac90563d Refactored: removed global x509_username_field]||||||
    98 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/9213b628af6d93d9c3f067734733323ee79c57f1 Refactored: separated environment setup during verification]||||||
    99 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/ac7cefae3d05f993ff25d6ed6fd51d37b9d1c803 Refactored: Netscape certificate type verification]||||||
    100 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/2731886dcb714be5af04e0ec5f9df9ff273f8401 Refactored key usage verification code]||||||
    101 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/fd9c5f659cfe99a2380ce758c1ccc1b9af7e8d01 Refactored EKU verification]||||||
    102 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/cf90d5f8cd4976e641fab81ac8054432f38df1ee Refactored tls-remote checking]||||||
    103 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/e9a18e013b1dfedc0f21f1d7f7c2e740c0a968cb Refactored tls-verify-plugin code]||||||
    104 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/a60b87394334587f9879da2d469d2a4a4c51a826 Refactored tls-verify script code]||||||
    105 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/e4327902ed2af06f2596cdf306f4a0b76b1f0649 Refactored CRL checks]||||||
    106 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/f67d4841c6edc2d9a9383ae6dce3a694a735dad7 Minor cleanup in verify_cert:]||||||
    107 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/5b118dd62369b8d9cb2b425a27b8e7e9ba05ef5f Refactored: Moved verify_cert to ssl_verify]||||||
    108 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/840d040a2552da07e948732ffba4dd6ed39581c1 Cleaned up ssl.h]||||||
    109 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/3d5d5b3649f46bd812c146a731fba295473eeeb8 Refactored: made M_SSL dependent on USE_OPENSSL]||||||
    110 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/368b49096911dfa6b4f1cbf651a2df8ac3d5e937 Refactored: renamed X509 functions from verify_*]||||||
    111 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/11e94d8da97765571ecf91c512bcc559507e5f3b Separated OpenSSL-specific parts of the PKCS#11 driver]||||||
    112 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/7c6edbb0e507f8980b83208c43844d6a0bd582ac Modified base64 code in preparation for PolarSSL merge]||||||
    113 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/03225fa7939b9bab6f69b50b36af30565692ad51 Final cleanup before PolarSSL addition:]||||||
    114 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/d235530fe14ccca5b9ef12bfbbd367c78d069e43 Refactored X509 track feature to be contained within the openssl backend]||||||
    115 
    116 
    117 == PolarSSL addition ==
    118 ||'''Patch'''||'''Acked-by'''||'''Notes'''||
    119 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/0ef8d44cc4b9b10f174101cf420af0a5b2150809 Added PolarSSL support:]||||||
    120 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/511691b09e2ac739482260267a0a1b97cd870d36 Fixed a missing include in ssl_backend.h]||||||
    121 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/f43e33e4abb961a85cd67234c57bf16157b4d764 Fixed a bug in the hash generation in ssl_verify_openssl.c]||||||
    122 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/0f3bb68db10ce4aa029501092dc36cddd48d41ed Added SHA_DIGEST_SIZE definition]||||||
    123 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/8d4360d179cb176803e330e3a947e6c34315b225 Changed PolarSSL crypto backend to support v0.99-pre5]||||||
    124 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/a6ce24ef2999fcc73ee1590fdc4518842c228f4e Updated ssl_polarssl.c to work with 0.99-pre5]||||||
    125 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/3bff5d3dc0cd62e24269ad8f1cb1588c9e47b433 Fixed a compilation warning for size_t key sizes]||||||
    126 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/bc2dbfc7e9cf9d0552374e49750012a444e2a70f Added a warning that the PolarSSL library does not support pkcs12 files.]||||||
    127 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/74ca0110269a46607e3211f8d7c6b1d250361d99 Added warning that --capath is not available with PolarSSL]||||||
    128 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/f79f1556902d1c73416858813cc75594d3d2fdf6 Disable CryptoAPI when not using OpenSSL, and document that fact.]||||||
    129 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/09f156a99ac16c1157392818d43b6dd4b898d659 Removed support for management external keys in PolarSSL]||||||
    130 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/b28532360c4ddf2d2bec62b5c7b62d2ae05c9ce1 Removed stray X509_free from ssl.c]||||||
    131 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/2b018cc88744bf580e62e3a403b58deba267a798 Refactored (and disabled for PolarSSL) support for writing external cert files in scripts]||||||
    132 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/60890102b755390e704a74ee2962780480b50c80 Added an extra define to allow building without PKCS#11]||||||
    133 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/5f5eca00f31199571450cceee1f4469154bd4d38 Added SSL library to title string]||||||
    134 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/7c18f7cd1ef7e79a489bf116a4ca33c97227dc08 Disabled X.509 track and username selection for PolarSSL]||||||
    135 
    136 
    137 == Misc cleanup ==
    138 ||'''Patch'''||'''Acked-by'''||'''Notes'''||
    139 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/4970f1485d4d2117ccb3b1932965809fc51d8efe Hardening: periodically reset the PRNG's nonce value]||||||
    140 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/84916b43b6d614291ec765d93f615be30d519bbb Fixes for the plugin system:]||||||
    141 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/3f1647d20ff081cefd54ee80cff64c2234f1e48f Further improvements to plugin support:]||||||
    142 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/be63e6e86837cec71b35446a164ab158cd986ab1 Got rid of a few magic numbers in ntlm.c]||||||
    143 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/de00fa7e30d7a68528f1ce7338f4f4e83d665090 Fixed an unintentional change in the options calculated key size.]||dazo||(See above)||
    144 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/89e31cfb9c6c5fd33600a76c77e645c24dd0663b Moved print messages back to generic crypto.c from cipher backends]||dazo||(See above)||
    145 ||[https://github.com/andj/openvpn-ssl-refactoring/commit/7f009fd01788dd5787facd953fe260491ac62b44 Moved HMAC prints back to main crypto module]||dazo||(See above)||
     5The plan was to ACK/NACK/fix as many of andj's PolarSSL patches as possible. The full source of patches can be viewed on github: [https://github.com/andj/openvpn-ssl-refactoring]. The merge/ACK/NACK status of the patches is viewable from [wiki:PolarSSLintegration here]. This meeting focused on [wiki:PolarSSLintegration#OpenSSLcryptoseparation OpenSSL crypto separation] and [wiki:PolarSSLintegration#Misccleanup misc cleanup patches].
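
Review bot: the new line 5 replaces the per-patch tables with a link to wiki:PolarSSLintegration, but it also drops the note from old line 7 recording the git log command (starting at 46e7d0b6ae89634e70686bf48bfcdca07249f829~1 with the --format string) that generated those tables. Confirm the linked page carries that note so the list can be regenerated against the repository. Also, the old row "Moved HMAC prints back to main crypto module" in the OpenSSL crypto separation table (old line 49) is missing its closing ||, so check that it renders as a full row if it was copied to the new page unchanged.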