From 5ac03256db0fe4ca7e3ad1117d096c3a76368b76 Mon Sep 17 00:00:00 2001 From: Andreas Baumann Date: Fri, 9 Jan 2015 09:46:07 +0100 Subject: backported CyaSSL/OpenSSL support for internal webserver instead of MatrixSSL --- release/src/router/cyassl/README | 537 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 537 insertions(+) create mode 100644 release/src/router/cyassl/README (limited to 'release/src/router/cyassl/README') diff --git a/release/src/router/cyassl/README b/release/src/router/cyassl/README new file mode 100644 index 00000000..b2f3edae --- /dev/null +++ b/release/src/router/cyassl/README @@ -0,0 +1,537 @@ +*** Note, Please read *** + +CyaSSL takes a different approach to certificate verification than OpenSSL does. +The default policy for the client is to verify the server, this means that if +you don't load CAs to verify the server you'll get a connect error, unable to +verify. It you want to mimic OpenSSL behavior of having SSL_connect succeed +even if verifying the server fails and reducing security you can do this by +calling: + +SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); + +before calling SSL_new(); Though it's not recommended. + +*** end Note *** + +CyaSSL Release 1.9.0 (3/2/2011) + +Release 1.9.0 for CyaSSL adds bug fixes, improved TLSv1.2 through testing and +better hash/sig algo ids, --enable-webServer for the yaSSL embedded web server, +improper AES key setup detection, user cert verify callback improvements, and +more. + +The CyaSSL manual offering is included in the doc/ directory. For build +instructions and comments about the new features please check the manual. + +Please send any comments or questions to support@yassl.com. + +****************** CyaSSL Release 1.8.0 (12/23/2010) + +Release 1.8.0 for CyaSSL adds bug fixes, x509 v3 CA signed certificate +generation, a C standard library abstraction layer, lower memory use, increased +portability through the os_settings.h file, and the ability to use NTRU cipher +suites when used in conjunction with an NTRU license and library. + +The initial CyaSSL manual offering is included in the doc/ directory. For +build instructions and comments about the new features please check the manual. + +Please send any comments or questions to support@yassl.com. + +Happy Holidays. + + +********************* CyaSSL Release 1.6.5 (9/9/2010) + +Release 1.6.5 for CyaSSL adds bug fixes and x509 v3 self signed certificate +generation. + +For general build instructions see doc/Building_CyaSSL.pdf. + +To enable certificate generation support add this option to ./configure +./configure --enable-certgen + +An example is included in ctaocrypt/test/test.c and documentation is provided +in doc/CyaSSL_Extensions_Reference.pdf item 11. + +********************** CyaSSL Release 1.6.0 (8/27/2010) + +Release 1.6.0 for CyaSSL adds bug fixes, RIPEMD-160, SHA-512, and RSA key +generation. + +For general build instructions see doc/Building_CyaSSL.pdf. + +To add RIPEMD-160 support add this option to ./configure +./configure --enable-ripemd + +To add SHA-512 support add this option to ./configure +./configure --enable-sha512 + +To add RSA key generation support add this option to ./configure +./configure --enable-keygen + +Please see ctaocrypt/test/test.c for examples and usage. + +For Windows, RIPEMD-160 and SHA-512 are enabled by default but key generation is +off by default. To turn key generation on add the define CYASSL_KEY_GEN to +CyaSSL. + + +************* CyaSSL Release 1.5.6 (7/28/2010) + +Release 1.5.6 for CyaSSL adds bug fixes, compatibility for our JSSE provider, +and a fix for GCC builds on some systems. + +For general build instructions see doc/Building_CyaSSL.pdf. + +To add AES-NI support add this option to ./configure +./configure --enable-aesni + +You'll need GCC 4.4.3 or later to make use of the assembly. + +************** CyaSSL Release 1.5.4 (7/7/2010) + +Release 1.5.4 for CyaSSL adds bug fixes, support for AES-NI, SHA1 speed +improvements from loop unrolling, and support for the Mongoose Web Server. + +For general build instructions see doc/Building_CyaSSL.pdf. + +To add AES-NI support add this option to ./configure +./configure --enable-aesni + +You'll need GCC 4.4.3 or later to make use of the assembly. + +*************** CyaSSL Release 1.5.0 (5/11/2010) + +Release 1.5.0 for CyaSSL adds bug fixes, GoAhead WebServer support, sniffer +support, and initial swig interface support. + +For general build instructions see doc/Building_CyaSSL.pdf. + +To add support for GoAhead WebServer either --enable-opensslExtra or if you +don't want all the features of opensslExtra you can just define GOAHEAD_WS +instead. GOAHEAD_WS can be added to ./configure with CFLAGS=-DGOAHEAD_WS or +you can define it yourself. + +To look at the sniffer support please see the sniffertest app in +sslSniffer/sslSnifferTest. Build with --enable-sniffer on *nix or use the +vcproj files on windows. You'll need to have pcap installed on *nix and +WinPcap on windows. + +A swig interface file is now located in the swig directory for using Python, +Java, Perl, and others with CyaSSL. This is initial support and experimental, +please send questions or comments to support@yassl.com. + +When doing load testing with CyaSSL, on the echoserver example say, the client +machine may run out of tcp ephemeral ports, they will end up in the TIME_WAIT +queue, and can't be reused by default. There are generally two ways to fix +this. 1) Reduce the length sockets remain on the TIME_WAIT queue or 2) Allow +items on the TIME_WAIT queue to be reused. + + +To reduce the TIME_WAIT length in OS X to 3 seconds (3000 milliseconds) + +sudo sysctl -w net.inet.tcp.msl=3000 + +In Linux + +sudo sysctl -w net.ipv4.tcp_tw_reuse=1 + +allows reuse of sockets in TIME_WAIT + +sudo sysctl -w net.ipv4.tcp_tw_recycle=1 + +works but seems to remove sockets from TIME_WAIT entirely? + +sudo sysctl -w net.ipv4.tcp_fin_timeout=1 + +doen't control TIME_WAIT, it controls FIN_WAIT(2) contrary to some posts + + +******************** CyaSSL Release 1.4.0 (2/18/2010) + +Release 1.3.0 for CyaSSL adds bug fixes, better multi TLS/SSL version support +through SSLv23_server_method(), and improved documentation in the doc/ folder. + +For general build instructions doc/Building_CyaSSL.pdf. + +******************** CyaSSL Release 1.3.0 (1/21/2010) + +Release 1.3.0 for CyaSSL adds bug fixes, a potential security problem fix, +better porting support, removal of assert()s, and a complete THREADX port. + +For general build instructions see rc1 below. + +******************** CyaSSL Release 1.2.0 (11/2/2009) + +Release 1.2.0 for CyaSSL adds bug fixes and session negotiation if first use is +read or write. + +For general build instructions see rc1 below. + +******************** CyaSSL Release 1.1.0 (9/2/2009) + +Release 1.1.0 for CyaSSL adds bug fixes, a check against malicious session +cache use, support for lighttpd, and TLS 1.2. + +To get TLS 1.2 support please use the client and server functions: + +SSL_METHOD *TLSv1_2_server_method(void); +SSL_METHOD *TLSv1_2_client_method(void); + +CyaSSL was tested against lighttpd 1.4.23. To build CyaSSL for use with +lighttpd use the following commands from the CyaSSL install dir : + +./configure --disable-shared --enable-opensslExtra --enable-fastmath --without-zlib + +make +make openssl-links + +Then to build lighttpd with CyaSSL use the following commands from the +lighttpd install dir: + +./configure --with-openssl --with-openssl-includes=/include --with-openssl-libs=/lib LDFLAGS=-lm + +make + +On some systems you may get a linker error about a duplicate symbol for +MD5_Init or other MD5 calls. This seems to be caused by the lighttpd src file +md5.c, which defines MD5_Init(), and is included in liblightcomp_la-md5.o. +When liblightcomp is linked with the SSL_LIBs the linker may complain about +the duplicate symbol. This can be fixed by editing the lighttpd src file md5.c +and adding this line to the beginning of the file: + +#if 0 + +and this line to the end of the file + +#endif + +Then from the lighttpd src dir do a: + +make clean +make + + +If you get link errors about undefined symbols more than likely the actual +OpenSSL libraries are found by the linker before the CyaSSL openssl-links that +point to the CyaSSL library, causing the linker confusion. This can be fixed +by editing the Makefile in the lighttpd src directory and changing the line: + +SSL_LIB = -lssl -lcrypto + +to + +SSL_LIB = -lcyassl + +Then from the lighttpd src dir do a: + +make clean +make + +This should remove any confusion the linker may be having with missing symbols. + +For any questions or concerns please contact support@yassl.com . + +For general build instructions see rc1 below. + +******************CyaSSL Release 1.0.6 (8/03/2009) + +Release 1.0.6 for CyaSSL adds bug fixes, an improved session cache, and faster +math with a huge code option. + +The session cache now defaults to a client mode, also good for embedded servers. +For servers not under heavy load (less than 200 new sessions per minute), define +BIG_SESSION_CACHE. If the server will be under heavy load, define +HUGE_SESSION_CACHE. + +There is now a fasthugemath option for configure. This enables fastmath plus +even faster math by greatly increasing the code size of the math library. Use +the benchmark utility to compare public key operations. + + +For general build instructions see rc1 below. + +******************CyaSSL Release 1.0.3 (5/10/2009) + +Release 1.0.3 for CyaSSL adds bug fixes and add increased support for OpenSSL +compatibility when building other applications. + +Release 1.0.3 includes an alpha release of DTLS for both client and servers. +This is only for testing purposes at this time. Rebroadcast and reordering +aren't fully implemented at this time but will be for the next release. + +For general build instructions see rc1 below. + +******************CyaSSL Release 1.0.2 (4/3/2009) + +Release 1.0.2 for CyaSSL adds bug fixes for a couple I/O issues. Some systems +will send a SIGPIPE on socket recv() at any time and this should be handled by +the application by turning off SIGPIPE through setsockopt() or returning from +the handler. + +Release 1.0.2 includes an alpha release of DTLS for both client and servers. +This is only for testing purposes at this time. Rebroadcast and reordering +aren't fully implemented at this time but will be for the next release. + +For general build instructions see rc1 below. + +*****************CyaSSL Release Candidiate 3 rc3-1.0.0 (2/25/2009) + + +Release Candidate 3 for CyaSSL 1.0.0 adds bug fixes and adds a project file for +iPhone development with Xcode. cyassl-iphone.xcodeproj is located in the root +directory. This release also includes a fix for supporting other +implementations that bundle multiple messages at the record layer, this was +lost when cyassl i/o was re-implemented but is now fixed. + +For general build instructions see rc1 below. + +*****************CyaSSL Release Candidiate 2 rc2-1.0.0 (1/21/2009) + + +Release Candidate 2 for CyaSSL 1.0.0 adds bug fixes and adds two new stream +ciphers along with their respective cipher suites. CyaSSL adds support for +HC-128 and RABBIT stream ciphers. The new suites are: + +TLS_RSA_WITH_HC_128_CBC_SHA +TLS_RSA_WITH_RABBIT_CBC_SHA + +And the corresponding cipher names are + +HC128-SHA +RABBIT-SHA + +CyaSSL also adds support for building with devkitPro for PPC by changing the +library proper to use libogc. The examples haven't been changed yet but if +there's interest they can be. Here's an example ./configure to build CyaSSL +for devkitPro: + +./configure --disable-shared CC=/pathTo/devkitpro/devkitPPC/bin/powerpc-gekko-gcc --host=ppc --without-zlib --enable-singleThreaded RANLIB=/pathTo/devkitpro/devkitPPC/bin/powerpc-gekko-ranlib CFLAGS="-DDEVKITPRO -DGEKKO" + +For linking purposes you'll need + +LDFLAGS="-g -mrvl -mcpu=750 -meabi -mhard-float -Wl,-Map,$(notdir $@).map" + +For general build instructions see rc1 below. + + +********************CyaSSL Release Candidiate 1 rc1-1.0.0 (12/17/2008) + + +Release Candidate 1 for CyaSSL 1.0.0 contains major internal changes. Several +areas have optimization improvements, less dynamic memory use, and the I/O +strategy has been refactored to allow alternate I/O handling or Library use. +Many thanks to Thierry Fournier for providing these ideas and most of the work. + +Because of these changes, this release is only a candidate since some problems +are probably inevitable on some platform with some I/O use. Please report any +problems and we'll try to resolve them as soon as possible. You can contact us +at support@yassl.com or todd@yassl.com. + +Using TomsFastMath by passing --enable-fastmath to ./configure now uses assembly +on some platforms. This is new so please report any problems as every compiler, +mode, OS combination hasn't been tested. On ia32 all of the registers need to +be available so be sure to pass these options to CFLAGS: + +CFLAGS="-O3 -fomit-frame-pointer" + +OS X will also need -mdynamic-no-pic added to CFLAGS + +Also if you're building in shared mode for ia32 you'll need to pass options to +LDFLAGS as well on OS X: + +LDFLAGS=-Wl,-read_only_relocs,warning + +This gives warnings for some symbols but seems to work. + + +--To build on Linux, Solaris, *BSD, Mac OS X, or Cygwin: + + ./configure + make + + from the ./testsuite/ directory run ./testsuite + +to make a debug build: + + ./configure --enable-debug --disable-shared + make + + + +--To build on Win32 + +Choose (Re)Build All from the project workspace + +Run the testsuite program + + + + + +*************************CyaSSL version 0.9.9 (7/25/2008) + +This release of CyaSSL adds bug fixes, Pre-Shared Keys, over-rideable memory +handling, and optionally TomsFastMath. Thanks to Moisés Guimarães for the +work on TomsFastMath. + +To optionally use TomsFastMath pass --enable-fastmath to ./configure +Or define USE_FAST_MATH in each project from CyaSSL for MSVC. + +Please use the benchmark routine before and after to see the performance +difference, on some platforms the gains will be little but RSA encryption +always seems to be faster. On x86-64 machines with GCC the normal math library +may outperform the fast one when using CFLAGS=-m64 because TomsFastMath can't +yet use -m64 because of GCCs inability to do 128bit division. + + **** UPDATE GCC 4.2.1 can now do 128bit division *** + +See notes below (0.2.0) for complete build instructions. + + +****************CyaSSL version 0.9.8 (5/7/2008) + +This release of CyaSSL adds bug fixes, client side Diffie-Hellman, and better +socket handling. + +See notes below (0.2.0) for complete build instructions. + + +****************CyaSSL version 0.9.6 (1/31/2008) + +This release of CyaSSL adds bug fixes, increased session management, and a fix +for gnutls. + +See notes below (0.2.0) for complete build instructions. + + +****************CyaSSL version 0.9.0 (10/15/2007) + +This release of CyaSSL adds bug fixes, MSVC 2005 support, GCC 4.2 support, +IPV6 support and test, and new test certificates. + +See notes below (0.2.0) for complete build instructions. + + +****************CyaSSL version 0.8.0 (1/10/2007) + +This release of CyaSSL adds increased socket support, for non-blocking writes, +connects, and interrupted system calls. + +See notes below (0.2.0) for complete build instructions. + + +****************CyaSSL version 0.6.3 (10/30/2006) + +This release of CyaSSL adds debug logging to stderr to aid in the debugging of +CyaSSL on systems that may not provide the best support. + +If CyaSSL is built with debugging support then you need to call +CyaSSL_Debugging_ON() to turn logging on. + +On Unix use ./configure --enable-debug + +On Windows define DEBUG_CYASSL when building CyaSSL + + +To turn logging back off call CyaSSL_Debugging_OFF() + +See notes below (0.2.0) for complete build instructions. + + +*****************CyaSSL version 0.6.2 (10/29/2006) + +This release of CyaSSL adds TLS 1.1. + +Note that CyaSSL has certificate verification on by default, unlike OpenSSL. +To emulate OpenSSL behavior, you must call SSL_CTX_set_verify() with +SSL_VERIFY_NONE. In order to have full security you should never do this, +provide CyaSSL with the proper certificates to eliminate impostors and call +CyaSSL_check_domain_name() to prevent man in the middle attacks. + +See notes below (0.2.0) for build instructions. + +*****************CyaSSL version 0.6.0 (10/25/2006) + +This release of CyaSSL adds more SSL functions, better autoconf, nonblocking +I/O for accept, connect, and read. There is now an --enable-small configure +option that turns off TLS, AES, DES3, HMAC, and ERROR_STRINGS, see configure.in +for the defines. Note that TLS requires HMAC and AES requires TLS. + +See notes below (0.2.0) for build instructions. + + +*****************CyaSSL version 0.5.5 (09/27/2006) + +This mini release of CyaSSL adds better input processing through buffered input +and big message support. Added SSL_pending() and some sanity checks on user +settings. + +See notes below (0.2.0) for build instructions. + + +*****************CyaSSL version 0.5.0 (03/27/2006) + +This release of CyaSSL adds AES support and minor bug fixes. + +See notes below (0.2.0) for build instructions. + + +*****************CyaSSL version 0.4.0 (03/15/2006) + +This release of CyaSSL adds TLSv1 client/server support and libtool. + +See notes below for build instructions. + + +*****************CyaSSL version 0.3.0 (02/26/2006) + +This release of CyaSSL adds SSLv3 server support and session resumption. + +See notes below for build instructions. + + +*****************CyaSSL version 0.2.0 (02/19/2006) + + +This is the first release of CyaSSL and its crypt brother, CTaoCrypt. CyaSSL +is written in ANSI C with the idea of a small code size, footprint, and memory +usage in mind. CTaoCrypt can be as small as 32K, and the current client +version of CyaSSL can be as small as 12K. + + +The first release of CTaoCrypt supports MD5, SHA-1, 3DES, ARC4, Big Integer +Support, RSA, ASN parsing, and basic x509 (en/de)coding. + +The first release of CyaSSL supports normal client RSA mode SSLv3 connections +with support for SHA-1 and MD5 digests. Ciphers include 3DES and RC4. + + +--To build on Linux, Solaris, *BSD, Mac OS X, or Cygwin: + + ./configure + make + + from the ./testsuite/ directory run ./testsuite + +to make a debug build: + + ./configure --enable-debug --disable-shared + make + + + +--To build on Win32 + +Choose (Re)Build All from the project workspace + +Run the testsuite program + + + +*** The next release of CyaSSL will support a server and more OpenSSL +compatibility functions. + + +Please send questions or comments to todd@yassl.com + -- cgit v1.2.3-54-g00ecf