wiki:PolarSSLintegration

Version 20 (modified by Samuli Seppänen, 13 years ago) (diff)

--

Introduction

This page tracks the ACK/NACK/merge status of Adriaan's PolarSSL patches. So far, these patches have been discussed on the mailinglist, as well as a few IRC meetings:

Patches

Doxygen

Patches are viewable from here.

PatchAcked-byNotes
Added Doxygen doxyfiledazo
Added data channel crypto docsdazo
Added control channel crypto docsjamesyonan
Added compression docsjamesyonan
Added reliability layer documentationjamesyonan
Added memory management documentationjamesyonan
Added data channel fragmentation docsjamesyonan
Added main/control docsjamesyonan
Moved doxygen-specific files to a separate directorydazo

In the meeting held July 7th, James Yonan gave an ACK to these patches as long as they don't change any functionality. As far as I could spot, this is true. (dazo)

OpenSSL crypto separation

Patches are viewable from here

PatchAcked-byNotes
Changed configure to accept --with-ssl-type=openssldazo
Refactored to rand_bytes for OpenSSL-independencydazo
Refactored OpenSSL-specific constantsdazo
Refactored maximum cipher and hmac length constantsdazo
Refactored show_available_* functionsdazo
Refactored SSL_clear_error()dazo
Refactored crypto initialisation functionsdazo
Refactored DES key manipulation functionsdazo,jamesyonan
Refactored NTLM DES key generationdazo
Refactored message digest type functionsdazo
Refactored message digest functionsdazo
Refactored HMAC functionsdazoAdditional fixes in this patch.
Refactored cipher key typesdazo,jamesyonanACK when combined with this patch.
Fixed an unintentional change in the options calculated key sizedazoA fix to this patch
Refactored cipher functionsdazo
Added PRNG doxygendazo
Refactored: Moved crypto.h inline functions to end of filedazo
Removed stale OpenSSL defines from crypto.hdazo
Whitespace fixes in ntlm.cNACKjamesyonan: only changes style
Added a check for Openssl or PolarSSL definesdazo
Moved print messages back to generic crypto.c from cipher backendsdazodazo: "We need to fix spelling on -> one"
Moved HMAC prints back to main crypto moduledazoFix to this patch.

SSL library separation

PatchAcked-byNotes
Refactored: Added stubs for new files
Refactored SSL initialisation functions
Refactored TLS_PRF to new hmac and md primitives
Refactored tls_show_available_ciphers
Refactored get_highest_preference_tls_cipher
Refactored root SSL context initialisation
Refactored new external key code
Refactored DH paramater loading
Refactored root TLS option settings
Refactored PKCS#12 key loading
Refactored PKCS#11 loading
Refactored windows cert loading
Refactored load certificate functions
Refactored private key loading code
Refactored external key loading from management
Refactored CA and extra certs code
Refactored cipher restriction code
Rafactored tls_options, key_state, and key_source data structures
Refactored initalisation of key_states
Refactored key_state free code
Refactored print_details
Refactored key_state read code (including bio_read())
Refactored key_state write functions
Refactored: Moved BIO debug functions to OpenSSL backend
Refactored: removed ks and ks_lame macro for clarity
Refactored: minor whitespace fixes in ssl.c
Refactored: moved write_empty_string function back
Refactored Doxygen for tls_multi functions

Verification functions

NOTE: Some Github pages have links to "diff of diff" pages. These make it easier to visualize if / how the patch changes functionality.

PatchAcked-byNotes
Migrated data structures needed by verification functions to ssl_common.hjamesyonan
Refactored client_config_dir_exclusive functionjamesyonan
Refactored certificate hash lock checksjamesyonan
Refactored common name locking functionsjamesyonanACK when coupled with this patch
Added back checks for ks->authenticated in verify_user_passjamesyonanRequired by this patch
Refactored username and password authentication codejamesyonanACK, provided it's tested properly before 2.3 release
Add some extra commentsjamesyonan
Refactored: split verify_callback into two partsjamesyonan
Added function to extract and verify the subject from a certificatejamesyonan
Added function to verify and extract the usernamejamesyonan
Refactored: removed global x509_username_fieldjamesyonan
Refactored: separated environment setup during verificationjamesyonan
Refactored: Netscape certificate type verificationjamesyonan
Refactored key usage verification codejamesyonan
Refactored EKU verificationjamesyonan
Refactored tls-remote checkingjamesyonan
Refactored tls-verify-plugin codejamesyonan
Refactored tls-verify script code
Refactored CRL checks
Minor cleanup in verify_cert:
Refactored: Moved verify_cert to ssl_verify
Cleaned up ssl.h
Refactored: made M_SSL dependent on USE_OPENSSL
Refactored: renamed X509 functions from verify_*
Separated OpenSSL-specific parts of the PKCS#11 driver
Modified base64 code in preparation for PolarSSL merge
Final cleanup before PolarSSL addition:
Refactored X509 track feature to be contained within the openssl backend

PolarSSL addition

PatchAcked-byNotes
Added PolarSSL support:
Fixed a missing include in ssl_backend.h
Fixed a bug in the hash generation in ssl_verify_openssl.c
Added SHA_DIGEST_SIZE definition
Changed PolarSSL crypto backend to support v0.99-pre5
Updated ssl_polarssl.c to work with 0.99-pre5
Fixed a compilation warning for size_t key sizes
Added a warning that the PolarSSL library does not support pkcs12 files.
Added warning that --capath is not available with PolarSSL
Disable CryptoAPI when not using OpenSSL, and document that fact.
Removed support for management external keys in PolarSSL
Removed stray X509_free from ssl.c
Refactored (and disabled for PolarSSL) support for writing external cert files in scripts
Added an extra define to allow building without PKCS#11
Added SSL library to title string
Disabled X.509 track and username selection for PolarSSL

Misc cleanup

PatchAcked-byNotes
Hardening: periodically reset the PRNG's nonce value
Fixes for the plugin system:
Further improvements to plugin support:
Got rid of a few magic numbers in ntlm.c
Fixed an unintentional change in the options calculated key size.dazo(See above)
Moved print messages back to generic crypto.c from cipher backendsdazo(See above)
Moved HMAC prints back to main crypto moduledazo(See above)