Posted to dev@harmony.apache.org by Oliver Deakin <ol...@googlemail.com> on 2010/09/08 16:09:09 UTC

Re: [classlib][x-net] Creating a provider based on OpenSSL

  An update on where I am so far with this. The implementations of the 
SSLSocket, SSLSession, SSLContext and their related classes are 
complete. The tests for these classes all pass for me now with my latest 
set of changes. I've started removing a lot of the classes that have 
been replaced by calling to OpenSSL. There are a few left, but these 
still have references from the SSLEngine implementation so I won't 
remove them until SSLEngineImpl is working. I think the SSLEngine 
implementation is the last piece of work required to have a full set of 
APIs, and I'm going to tackle that next.

I think these classes would benefit from more tests, but I'll turn my 
attention to that once the implementation is complete.

Regards,
Oliver

On 19/07/2010 17:15, Oliver Deakin wrote:
>  Hi all,
>
> I'm currently investigating the possibility of implementing a JSSE 
> provider wrapping OpenSSL. This has a couple of obvious advantages:
>  - The onus of code maintenance and bug fixing in a security sensitive 
> area is moved outside of Harmony.
>  - New protocols can be integrated into the Harmony provider with 
> minimal effort (updating dependencies rather than implementing them 
> ourselves).
>
> Really I'm sending this mail as a heads up, but would be interested to 
> know if anyone has any experience/opinions in this area. In 
> particular, I'd be interested in ideas on:
>  - the best way to setup OpenSSL as a dependency - precompile the 
> libraries and make them available for download or compile them at 
> build time on the user's machine.
>  - how to tie in the Java x-net APIs to the OpenSSL APIs.
>
> Any comments/suggestions welcome.
>
> Regards,
> Oliver
>

-- 
Oliver Deakin
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU


Re: [classlib][x-net] Creating a provider based on OpenSSL

Posted by Catherine Hope <ca...@googlemail.com>.
I've uploaded a new patch that checks the buffer overflow condition in the
native wrap and unwrap.  The testSelfInteraction test of
org.apache.harmony.xnet.provider.jsse.SSLEngineImplTest now gets a bit
further, though now fails reading on the second iteration of the wrap/unwrap
data exchange loop.  Oli - Do you get this behaviour on Windows?  So I still
see the same 4 test failures in that test at the moment.

Best wishes,
Cath

Re: [classlib][x-net] Creating a provider based on OpenSSL

Posted by Oliver Deakin <ol...@googlemail.com>.
  On 15/09/2010 15:15, Catherine Hope wrote:
> I've uploaded a new patch for SSLEngine that passes in the direct buffer
> address to the wrap/unwrap natives and then updates the byte buffer
> positions after the call.  The handshake test now completes the handshake
> and application data can be passed between the server and client.

Good work! I'll check out the patch and get it applied. This is really 
good progress!

> I still
> need to do some work on the handshake and engine states as they aren't quite
> right at the moment.

No problem. Just getting the engine to complete the handshake and be 
able to exchange application data is a big step.

Regards,
Oliver

> Regards,
> Cath
>

-- 
Oliver Deakin


Re: [classlib][x-net] Creating a provider based on OpenSSL

Posted by Catherine Hope <ca...@googlemail.com>.
I've uploaded a new patch for SSLEngine that passes in the direct buffer
address to the wrap/unwrap natives and then updates the byte buffer
positions after the call.  The handshake test now completes the handshake
and application data can be passed between the server and client.  I still
need to do some work on the handshake and engine states as they aren't quite
right at the moment.

Regards,
Cath

Re: [classlib][x-net] Creating a provider based on OpenSSL

Posted by Oliver Deakin <ol...@googlemail.com>.
  On 13/09/2010 19:48, Catherine Hope wrote:
> Hi Oli,
> I've uploaded a new patch to
> https://issues.apache.org/jira/browse/HARMONY-6627 that gets a bit further
> with the handshake.  Currently I can get back the initial handshake data
> from the client, get the server to accept this and then request a
> certificate from the client but then the testcase fails to get further.

Good progress, thanks for the patch. I'll go and have a look and get it 
applied.

> I've left my debug code in, so it's a bit untidy, but may be of help to you
> too.

That's no problem.

> I'm going to continue working on the wrap/unwrap methods - I need to
> think more about the different conditions to construct the return object,
> which is a combination of an engine state, handshake state and the number of
> bytes consumed and produced.  There are also some other methods that will
> require native implementations - closeInbound, closeOutbound.

Once the patch is applied, I'll get on with the implementation of these.

Regards,
Oliver

> Best wishes,
> Cath
>

-- 
Oliver Deakin


Re: [classlib][x-net] Creating a provider based on OpenSSL

Posted by Catherine Hope <ca...@googlemail.com>.
Hi Oli,
I've uploaded a new patch to
https://issues.apache.org/jira/browse/HARMONY-6627 that gets a bit further
with the handshake.  Currently I can get back the initial handshake data
from the client, get the server to accept this and then request a
certificate from the client but then the testcase fails to get further.
I've left my debug code in, so it's a bit untidy, but may be of help to you
too.  I'm going to continue working on the wrap/unwrap methods - I need to
think more about the different conditions to construct the return object,
which is a combination of an engine state, handshake state and the number of
bytes consumed and produced.  There are also some other methods that will
require native implementations - closeInbound, closeOutbound.

Best wishes,
Cath

Re: [classlib][x-net] Creating a provider based on OpenSSL

Posted by Oliver Deakin <ol...@googlemail.com>.
  On 10/09/2010 11:58, Catherine Hope wrote:
> Hi Oli,
> I've also been looking at how the SSLEngine may be implemented in OpenSSL

Great!

> and am struggling to obtain the handshake data to return to the other
> side without sending it across an actual connection.  I've been working with
> an OpenSSL BIO pair which, according to the manual, enables an application
> to have control over the I/O, instead of OpenSSL sending it directly.
>
> I've added a testcase that actually does a handshake and sends some data
> between a client and server.

That will be very helpful to verify the new implementation, thanks.

> I've uploaded my changes to
> https://issues.apache.org/jira/browse/HARMONY-6627 which contains the set up
> of the SSL (using a bio pair, but I'm still not sure this is the right
> route), and implementations of accept and connect.  The handshake currently
> returns the expected initial state (the client side requiring a wrap and the
> server expecting an unwrap), but subsequent wrap/unwraps aren't able to
> obtain the handshake data.

I haven't had a chance to investigate SSLEngine yet, but this sounds 
like a good start. I'll get reading up on bio pairs and see if I can 
work out what's happening. Thanks for the patch, I'll take a look and 
get it applied so as not to hold you up too long.

Regards,
Oliver

> Best wishes,
> Cath
>

-- 
Oliver Deakin


Re: [classlib][x-net] Creating a provider based on OpenSSL

Posted by Catherine Hope <ca...@googlemail.com>.
Hi Oli,
I've also been looking at how the SSLEngine may be implemented in OpenSSL
and am struggling to obtain the handshake data to return to the other
side without sending it across an actual connection.  I've been working with
an OpenSSL BIO pair which, according to the manual, enables an application
to have control over the I/O, instead of OpenSSL sending it directly.

I've added a testcase that actually does a handshake and sends some data
between a client and server.
I've uploaded my changes to
https://issues.apache.org/jira/browse/HARMONY-6627 which contains the set up
of the SSL (using a bio pair, but I'm still not sure this is the right
route), and implementations of accept and connect.  The handshake currently
returns the expected initial state (the client side requiring a wrap and the
server expecting an unwrap), but subsequent wrap/unwraps aren't able to
obtain the handshake data.

Best wishes,
Cath
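
Added example, not part of the thread or of the HARMONY-6627 patches: the first client-side wrap discussed above (handshake data obtained with no connection, the buffer overflow condition, and a result built from engine status, handshake status and byte counts), exercised through the standard javax.net.ssl API. It assumes the platform's default JSSE provider rather than the OpenSSL-backed one, and the class name FirstWrapContract is hypothetical; a native wrap has to reproduce the same behaviour.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLEngineResult.Status;

// Hypothetical class name; runs against the platform's default JSSE provider.
public class FirstWrapContract {
    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
    }

    public static void main(String[] args) throws Exception {
        // Client-mode engine with no socket and no peer: all I/O goes through buffers.
        SSLEngine client = SSLContext.getDefault().createSSLEngine();
        client.setUseClientMode(true);
        client.beginHandshake();
        check(client.getHandshakeStatus() == HandshakeStatus.NEED_WRAP,
              "client side starts by requiring a wrap");

        ByteBuffer noAppData = ByteBuffer.allocate(0);

        // Case 1: destination too small. The engine must report the overflow
        // without writing past the buffer and without losing handshake data.
        ByteBuffer tiny = ByteBuffer.allocateDirect(16);
        SSLEngineResult r = client.wrap(noAppData, tiny);
        check(r.getStatus() == Status.BUFFER_OVERFLOW, "overflow is reported");
        check(r.bytesConsumed() == 0 && r.bytesProduced() == 0, "no bytes counted");
        check(tiny.position() == 0, "destination position is unchanged");

        // Case 2: retry with a buffer sized from the session. The same handshake
        // record is now produced and the buffer position reflects it.
        ByteBuffer net = ByteBuffer.allocateDirect(
                client.getSession().getPacketBufferSize());
        r = client.wrap(noAppData, net);
        check(r.getStatus() == Status.OK, "wrap succeeds");
        check(r.getHandshakeStatus() == HandshakeStatus.NEED_UNWRAP,
              "client now waits for the server's reply");
        check(r.bytesConsumed() == 0 && r.bytesProduced() > 0,
              "handshake bytes produced, no application data consumed");
        check(net.position() == r.bytesProduced(), "position advanced by bytesProduced");
        check(net.get(0) == 0x16, "first byte is the TLS handshake record type");

        System.out.println("first wrap produced " + r.bytesProduced() + " bytes");
    }
}
```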