wiki:Topics-2011-07-14

Context Navigation

Version 42 (modified by andj, 13 years ago) (diff)
--

Meeting topics

Sprint topics

The plan is to ACK/NACK/fix as many of andj's PolarSSL patches as possible. The full source of patches can be viewed on github: https://github.com/andj/openvpn-ssl-refactoring.

Note: the below were generated using git log 46e7d0b6ae89634e70686bf48bfcdca07249f829~1.. --reverse --format="||[https://github.com/andj/openvpn-ssl-refactoring/commit/%H %s]||||||"

Doxygen

Patches are viewable from here.

Patch	Acked-by	Notes
Added Doxygen doxyfile	dazo
Added data channel crypto docs	dazo
Added control channel crypto docs
Added compression docs
Added reliability layer documentation
Added memory management documentation
Added data channel fragmentation docs
Added main/control docs
Moved doxygen-specific files to a separate directory	dazo

OpenSSL crypto separation

Patches are viewable from here

Patch	Acked-by	Notes
Changed configure to accept --with-ssl-type=openssl	dazo
Refactored to rand_bytes for OpenSSL-independency	dazo
Refactored OpenSSL-specific constants	dazo
Refactored maximum cipher and hmac length constants	dazo
Refactored show_available_* functions	dazo
Refactored SSL_clear_error()	dazo
Refactored crypto initialisation functions	dazo
Refactored DES key manipulation functions	dazo,jamesyonan
Refactored NTLM DES key generation	dazo
Refactored message digest type functions	dazo
Refactored message digest functions	dazo
Refactored HMAC functions	dazo	Additional fixes in this patch.
Refactored cipher key types	dazo,jamesyonan	ACK when combined with this patch.
Fixed an unintentional change in the options calculated key size	dazo	A fix to this patch
Refactored cipher functions	dazo
Added PRNG doxygen	dazo
Refactored: Moved crypto.h inline functions to end of file	dazo
Removed stale OpenSSL defines from crypto.h	dazo
Whitespace fixes in ntlm.c	NACK	jamesyonan: only changes style
Added a check for Openssl or PolarSSL defines	dazo
Moved print messages back to generic crypto.c from cipher backends	dazo	dazo: "We need to fix spelling on -> one"
Moved HMAC prints back to main crypto module	dazo	Fix to this patch.

SSL library separation

Patch	Acked-by	Notes
Refactored: Added stubs for new files
Refactored SSL initialisation functions
Refactored TLS_PRF to new hmac and md primitives
Refactored tls_show_available_ciphers
Refactored get_highest_preference_tls_cipher
Refactored root SSL context initialisation
Refactored new external key code
Refactored DH paramater loading
Refactored root TLS option settings
Refactored PKCS#12 key loading
Refactored PKCS#11 loading
Refactored windows cert loading
Refactored load certificate functions
Refactored private key loading code
Refactored external key loading from management
Refactored CA and extra certs code
Refactored cipher restriction code
Rafactored tls_options, key_state, and key_source data structures
Refactored initalisation of key_states
Refactored key_state free code
Refactored print_details
Refactored key_state read code (including bio_read())
Refactored key_state write functions
Refactored: Moved BIO debug functions to OpenSSL backend
Refactored: removed ks and ks_lame macro for clarity
Refactored: minor whitespace fixes in ssl.c
Refactored: moved write_empty_string function back
Refactored Doxygen for tls_multi functions

Verification functions

Patch	Acked-by	Notes
Migrated data structures needed by verification functions to ssl_common.h
Refactored client_config_dir_exclusive function
Refactored certificate hash lock checks
Refactored common name locking functions
Refactored username and password authentication code
Add some extra comments
Refactored: split verify_callback into two parts
Added function to extract and verify the subject from a certificate
Added function to verify and extract the username
Refactored: removed global x509_username_field
Refactored: separated environment setup during verification
Refactored: Netscape certificate type verification
Refactored key usage verification code
Refactored EKU verification
Refactored tls-remote checking
Refactored tls-verify-plugin code
Refactored tls-verify script code
Refactored CRL checks
Minor cleanup in verify_cert:
Refactored: Moved verify_cert to ssl_verify
Cleaned up ssl.h
Refactored: made M_SSL dependent on USE_OPENSSL
Refactored: renamed X509 functions from verify_*
Separated OpenSSL-specific parts of the PKCS#11 driver
Modified base64 code in preparation for PolarSSL merge
Final cleanup before PolarSSL addition:
Refactored X509 track feature to be contained within the openssl backend

PolarSSL addition

Patch	Acked-by	Notes
Added PolarSSL support:
Fixed a missing include in ssl_backend.h
Fixed a bug in the hash generation in ssl_verify_openssl.c
Added SHA_DIGEST_SIZE definition
Changed PolarSSL crypto backend to support v0.99-pre5
Updated ssl_polarssl.c to work with 0.99-pre5
Fixed a compilation warning for size_t key sizes
Added a warning that the PolarSSL library does not support pkcs12 files.
Added warning that --capath is not available with PolarSSL
Disable CryptoAPI when not using OpenSSL, and document that fact.
Removed support for management external keys in PolarSSL
Removed stray X509_free from ssl.c
Refactored (and disabled for PolarSSL) support for writing external cert files in scripts
Added an extra define to allow building without PKCS#11
Added SSL library to title string
Disabled X.509 track and username selection for PolarSSL

Misc cleanup

Patch	Acked-by	Notes
Hardening: periodically reset the PRNG's nonce value
Fixes for the plugin system:
Further improvements to plugin support:
Got rid of a few magic numbers in ntlm.c
Fixed an unintentional change in the options calculated key size.	dazo	(See above)
Moved print messages back to generic crypto.c from cipher backends	dazo	(See above)
Moved HMAC prints back to main crypto module	dazo	(See above)

Download in other formats:

Plain Text