STATUS - third_party/openssl - Git at Google


   OpenSSL STATUS                           Last modified at
   ______________                           $Date: 2001/09/25 11:01:14 $

   DEVELOPMENT STATE

     o  OpenSSL 0.9.7:  Under development...
     o  OpenSSL 0.9.6b: Released on July       9th, 2001
     o  OpenSSL 0.9.6a: Released on April      5th, 2001
     o  OpenSSL 0.9.6:  Released on September 24th, 2000
     o  OpenSSL 0.9.5a: Released on April      1st, 2000
     o  OpenSSL 0.9.5:  Released on February  28th, 2000
     o  OpenSSL 0.9.4:  Released on August    09th, 1999
     o  OpenSSL 0.9.3a: Released on May       29th, 1999
     o  OpenSSL 0.9.3:  Released on May       25th, 1999
     o  OpenSSL 0.9.2b: Released on March     22th, 1999
     o  OpenSSL 0.9.1c: Released on December  23th, 1998

   RELEASE SHOWSTOPPERS

     o BIGNUM library failures on 64-bit platforms (0.9.7-dev):
       - BN_mod_mul verificiation (bc) fails for solaris64-sparcv9-cc

   AVAILABLE PATCHES

     o IA-64 (a.k.a. Intel Itanium) public-key operation performance
       patch for Linux is available for download at
       http://www.openssl.org/~appro/096b.linux-ia64.diff. As URL
       suggests the patch is relative to OpenSSL 0.9.6b.

   IN PROGRESS

     o Steve is currently working on (in no particular order):
         ASN1 code redesign, butchery, replacement.
         OCSP
         EVP cipher enhancement.
         Enhanced certificate chain verification.
 	Private key, certificate and CRL API and implementation.
 	Developing and bugfixing PKCS#7 (S/MIME code).
         Various X509 issues: character sets, certificate request extensions.
     o Geoff and Richard are currently working on:
 	ENGINE (the new code that gives hardware support among others).
     o Richard is currently working on:
 	UI (User Interface)
 	UTIL (a new set of library functions to support some higher level
 	      functionality that is currently missing).
 	Shared library support for VMS.
 	Kerberos 5 authentication
 	Constification
 	OCSP

   NEEDS PATCH

     o  All 'openssl' subprograms taking '-des' and '-des3' options should
        include AES support (0.9.7-dev)

     o  'openssl speed' should include AES support (0.9.7-dev)

     o  apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file

     o  OpenSSL_0_9_6-stable:
        #include <openssl/e_os.h> in exported header files is illegal since
        e_os.h is suitable only for library-internal use.

     o  Whenever strncpy is used, make sure the resulting string is NULL-terminated
        or an error is reported

     o  "OpenSSL STATUS" is never up-to-date.

   OPEN ISSUES

     o  The Makefile hierarchy and build mechanism is still not a round thing:

        1. The config vs. Configure scripts
           It's the same nasty situation as for Apache with APACI vs.
           src/Configure. It confuses.
           Suggestion: Merge Configure and config into a single configure
                       script with a Autoconf style interface ;-) and remove
                       Configure and config. Or even let us use GNU Autoconf
                       itself. Then we can avoid a lot of those platform checks
                       which are currently in Configure.

     o  Support for Shared Libraries has to be added at least
        for the major Unix platforms. The details we can rip from the stuff
        Ralf has done for the Apache src/Configure script. Ben wants the
        solution to be really simple.

        Status: Ralf will look how we can easily incorporate the
                compiler PIC and linker DSO flags from Apache
                into the OpenSSL Configure script.

                Ulf: +1 for using GNU autoconf and libtool (but not automake,
                     which apparently is not flexible enough to generate
                     libcrypto)


     o  The perl/ stuff needs a major overhaul. Currently it's
        totally obsolete. Either we clean it up and enhance it to be up-to-date
        with the C code or we also could replace it with the really nice
        Net::SSLeay package we can find under
        http://www.neuronio.pt/SSLeay.pm.html.  Ralf uses this package for a
        longer time and it works fine and is a nice Perl module. Best would be
        to convince the author to work for the OpenSSL project and create a
        Net::OpenSSL or Crypt::OpenSSL package out of it and maintains it for
        us.

        Status: Ralf thinks we should both contact the author of Net::SSLeay
                and look how much effort it is to bring Eric's perl/ stuff up
                to date.
                Paul +1

   WISHES

     o  SRP in TLS.
        [wished by:
         Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
         Tom Holroyd <tomh@po.crl.go.jp>]

        See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
        as well as http://www-cs-students.stanford.edu/~tjw/srp/.

        Tom Holroyd tells us there is a SRP patch for OpenSSH at
        http://members.tripod.com/professor_tom/archives/, that could
        be useful.

	OpenSSL STATUS Last modified at
	______________ $Date: 2001/09/25 11:01:14 $

	DEVELOPMENT STATE

	o OpenSSL 0.9.7: Under development...
	o OpenSSL 0.9.6b: Released on July 9th, 2001
	o OpenSSL 0.9.6a: Released on April 5th, 2001
	o OpenSSL 0.9.6: Released on September 24th, 2000
	o OpenSSL 0.9.5a: Released on April 1st, 2000
	o OpenSSL 0.9.5: Released on February 28th, 2000
	o OpenSSL 0.9.4: Released on August 09th, 1999
	o OpenSSL 0.9.3a: Released on May 29th, 1999
	o OpenSSL 0.9.3: Released on May 25th, 1999
	o OpenSSL 0.9.2b: Released on March 22th, 1999
	o OpenSSL 0.9.1c: Released on December 23th, 1998

	RELEASE SHOWSTOPPERS

	o BIGNUM library failures on 64-bit platforms (0.9.7-dev):
	- BN_mod_mul verificiation (bc) fails for solaris64-sparcv9-cc

	AVAILABLE PATCHES

	o IA-64 (a.k.a. Intel Itanium) public-key operation performance
	patch for Linux is available for download at
	http://www.openssl.org/~appro/096b.linux-ia64.diff. As URL
	suggests the patch is relative to OpenSSL 0.9.6b.

	IN PROGRESS

	o Steve is currently working on (in no particular order):
	ASN1 code redesign, butchery, replacement.
	OCSP
	EVP cipher enhancement.
	Enhanced certificate chain verification.
	Private key, certificate and CRL API and implementation.
	Developing and bugfixing PKCS#7 (S/MIME code).
	Various X509 issues: character sets, certificate request extensions.
	o Geoff and Richard are currently working on:
	ENGINE (the new code that gives hardware support among others).
	o Richard is currently working on:
	UI (User Interface)
	UTIL (a new set of library functions to support some higher level
	functionality that is currently missing).
	Shared library support for VMS.
	Kerberos 5 authentication
	Constification
	OCSP

	NEEDS PATCH

	o All 'openssl' subprograms taking '-des' and '-des3' options should
	include AES support (0.9.7-dev)

	o 'openssl speed' should include AES support (0.9.7-dev)

	o apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file

	o OpenSSL_0_9_6-stable:
	#include <openssl/e_os.h> in exported header files is illegal since
	e_os.h is suitable only for library-internal use.

	o Whenever strncpy is used, make sure the resulting string is NULL-terminated
	or an error is reported

	o "OpenSSL STATUS" is never up-to-date.

	OPEN ISSUES

	o The Makefile hierarchy and build mechanism is still not a round thing:

	1. The config vs. Configure scripts
	It's the same nasty situation as for Apache with APACI vs.
	src/Configure. It confuses.
	Suggestion: Merge Configure and config into a single configure
	script with a Autoconf style interface ;-) and remove
	Configure and config. Or even let us use GNU Autoconf
	itself. Then we can avoid a lot of those platform checks
	which are currently in Configure.

	o Support for Shared Libraries has to be added at least
	for the major Unix platforms. The details we can rip from the stuff
	Ralf has done for the Apache src/Configure script. Ben wants the
	solution to be really simple.

	Status: Ralf will look how we can easily incorporate the
	compiler PIC and linker DSO flags from Apache
	into the OpenSSL Configure script.

	Ulf: +1 for using GNU autoconf and libtool (but not automake,
	which apparently is not flexible enough to generate
	libcrypto)


	o The perl/ stuff needs a major overhaul. Currently it's
	totally obsolete. Either we clean it up and enhance it to be up-to-date
	with the C code or we also could replace it with the really nice
	Net::SSLeay package we can find under
	http://www.neuronio.pt/SSLeay.pm.html. Ralf uses this package for a
	longer time and it works fine and is a nice Perl module. Best would be
	to convince the author to work for the OpenSSL project and create a
	Net::OpenSSL or Crypt::OpenSSL package out of it and maintains it for
	us.

	Status: Ralf thinks we should both contact the author of Net::SSLeay
	and look how much effort it is to bring Eric's perl/ stuff up
	to date.
	Paul +1

	WISHES

	o SRP in TLS.
	[wished by:
	Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
	Tom Holroyd <tomh@po.crl.go.jp>]

	See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
	as well as http://www-cs-students.stanford.edu/~tjw/srp/.

	Tom Holroyd tells us there is a SRP patch for OpenSSH at
	http://members.tripod.com/professor_tom/archives/, that could
	be useful.