wiki:PolarSSLintegration

Version 45 (modified by Samuli Seppänen, 13 years ago) (diff)

--

Introduction

This page tracks the ACK/NACK/merge status of Adriaan's PolarSSL patches. So far, these patches have been discussed on the mailinglist, as well as a few IRC meetings:

Patches

Doxygen

Patches are viewable from here.

PatchAcked-byNotes
Added Doxygen doxyfiledazo
Added data channel crypto docsdazo
Added control channel crypto docsjamesyonan
Added compression docsjamesyonan
Added reliability layer documentationjamesyonan
Added memory management documentationjamesyonan
Added data channel fragmentation docsjamesyonan
Added main/control docsjamesyonan
Moved doxygen-specific files to a separate directorydazo

In the meeting held July 7th, James Yonan gave an ACK to these patches as long as they don't change any functionality. As far as I could spot, this is true. (dazo)

OpenSSL crypto separation

Patches are viewable from here

PatchAcked-byNotes
Changed configure to accept --with-ssl-type=openssldazo
Refactored to rand_bytes for OpenSSL-independencydazo
Refactored OpenSSL-specific constantsdazo
Refactored maximum cipher and hmac length constantsdazo
Refactored show_available_* functionsdazo
Refactored SSL_clear_error()dazo
Refactored crypto initialisation functionsdazo
Refactored DES key manipulation functionsdazo,jamesyonan
Refactored NTLM DES key generationdazo
Refactored message digest type functionsdazo
Refactored message digest functionsdazo
Refactored HMAC functionsdazoAdditional fixes in this patch.
Refactored cipher key typesdazo,jamesyonanACK when combined with this patch.
Fixed an unintentional change in the options calculated key sizedazoA fix to this patch
Refactored cipher functionsdazo
Added PRNG doxygendazo
Refactored: Moved crypto.h inline functions to end of filedazo
Removed stale OpenSSL defines from crypto.hdazo
Whitespace fixes in ntlm.cNACKjamesyonan: only changes style
Added a check for Openssl or PolarSSL definesdazo
Moved print messages back to generic crypto.c from cipher backendsdazodazo: "We need to fix spelling on -> one"
Moved HMAC prints back to main crypto moduledazoFix to this patch.

SSL library separation

PatchAcked-byNotes
Refactored: Added stubs for new filescron2
Refactored SSL initialisation functionscron2
Refactored TLS_PRF to new hmac and md primitivescron,jamesyonanAlso look here
Refactored tls_show_available_cipherscron2,jamesyonan
Refactored get_highest_preference_tls_ciphercron2
Refactored root SSL context initialisationcron2,jamesyonan
Refactored new external key codecron2,jamesyonan
Refactored DH paramater loadingcron2
Refactored root TLS option settingscron2
Refactored PKCS#12 key loadingcron2,jamesyonan
Refactored PKCS#11 loadingcron2
Refactored windows cert loadingcron2
Refactored load certificate functions
Refactored private key loading code
Refactored external key loading from management
Refactored CA and extra certs code
Refactored cipher restriction code
Rafactored tls_options, key_state, and key_source data structures
Refactored initalisation of key_states
Refactored key_state free code
Refactored print_details
Refactored key_state read code (including bio_read())
Refactored key_state write functions
Refactored: Moved BIO debug functions to OpenSSL backend
Refactored: removed ks and ks_lame macro for clarity
Refactored: minor whitespace fixes in ssl.c
Refactored: moved write_empty_string function back
Refactored Doxygen for tls_multi functions

Verification functions

NOTE: Some Github pages have links to "diff of diff" pages. These make it easier to visualize if / how the patch changes functionality.

PatchAcked-byNotes
Migrated data structures needed by verification functions to ssl_common.hjamesyonan
Refactored client_config_dir_exclusive functionjamesyonan
Refactored certificate hash lock checksjamesyonan
Refactored common name locking functionsjamesyonanACK when coupled with this patch
Added back checks for ks->authenticated in verify_user_passjamesyonanRequired by this patch
Refactored username and password authentication codejamesyonanACK, provided it's tested properly before 2.3 release
Add some extra commentsjamesyonan
Refactored: split verify_callback into two partsjamesyonan
Added function to extract and verify the subject from a certificatejamesyonan
Added function to verify and extract the usernamejamesyonan
Refactored: removed global x509_username_fieldjamesyonan
Refactored: separated environment setup during verificationjamesyonan
Refactored: Netscape certificate type verificationjamesyonan
Refactored key usage verification codejamesyonan
Refactored EKU verificationjamesyonan
Refactored tls-remote checkingjamesyonan
Refactored tls-verify-plugin codejamesyonan
Refactored tls-verify script codejamesyonanACK when coupled with this patch
Moved gc_new and gc_free to begin end of functionjamesyonanRequirement for this patch
Refactored CRL checksjamesyonan"Doing low-level stuff like verifying CRL issuers and checking serial numbers is something that's better done by the OpenSSL library directly"
Minor cleanup in verify_cert:jamesyonan
Refactored: Moved verify_cert to ssl_verifyjamesyonan
Cleaned up ssl.hjamesyonan
Refactored: made M_SSL dependent on USE_OPENSSLjamesyonan
Refactored: renamed X509 functions from verify_*jamesyonan
Separated OpenSSL-specific parts of the PKCS#11 driverjamesyonan
Modified base64 code in preparation for PolarSSL mergejamesyonan
Final cleanup before PolarSSL addition:jamesyonan
Refactored X509 track feature to be contained within the openssl backendjamesyonan

PolarSSL addition

PatchAcked-byNotes
Added PolarSSL support:
Fixed a missing include in ssl_backend.h
Fixed a bug in the hash generation in ssl_verify_openssl.c
Added SHA_DIGEST_SIZE definition
Changed PolarSSL crypto backend to support v0.99-pre5
Updated ssl_polarssl.c to work with 0.99-pre5
Fixed a compilation warning for size_t key sizes
Added a warning that the PolarSSL library does not support pkcs12 files.
Added warning that --capath is not available with PolarSSL
Disable CryptoAPI when not using OpenSSL, and document that fact.
Removed support for management external keys in PolarSSL
Removed stray X509_free from ssl.c
Refactored (and disabled for PolarSSL) support for writing external cert files in scripts
Added an extra define to allow building without PKCS#11
Added SSL library to title string
Disabled X.509 track and username selection for PolarSSL

Misc cleanup

PatchAcked-byNotes
Hardening: periodically reset the PRNG's nonce value
Fixes for the plugin system:
Further improvements to plugin support:
Got rid of a few magic numbers in ntlm.c
Fixed an unintentional change in the options calculated key size.dazo(See above)
Moved print messages back to generic crypto.c from cipher backendsdazo(See above)
Moved HMAC prints back to main crypto moduledazo(See above)
Fixed a bug in the return value of ssl_verify when pre_verify failedjamesyonan
Unified verification function return valuesjamesyonan