ID: 6981 Fixed in:
Issue Date: 2016-02-09 08:15 AEST Owner:  CVS Support
Last Modified:  2016-02-09 09:35 AESTReporter:  Arthur Barrett
Current Est.  0.0 hours % Complete:  0.0  
Status:NEW / Severity:enhancement

Affected:  2.8.01
Description:  move all cryptography to external DLL's / shared libraries

Actions:    
2016-02-09 08:15 AEST by Arthur Barrett - CVS Suite uses cryptography in several places:
- openssl (sserver, sync)
- putty (ssh - windows only)
- UFC-crypt (in the 'crypt' module, maybe used on windows only?)
- bcrypt / Blowfish encryption (in 'cvsapi')

Some states/countries require declarations about the use of encryption in 
products.  Since all the encryption we use is non-proprietary, it would be best 
if these were clearly separate in the product distribution.

Since the UFC-crypt license was originally LGPL, and Blowfish is license free - 
this will also clear up license confusion, particularly in regards to 
the 'commercial' parts of CVS Suite linking to blowfish.


Separating these out for all platforms and fixing the installers etc. might be 
a bit of work - so not sure what the target release for this should be.
 
2016-02-09 08:35 AEST by Arthur Barrett - article on UFC-crypt:
http://www.aysabtu.dk/blog/2011/09/04/ufc-crypt-or-how-my-code-ended-up-in-your-linux-box/

article on glibc crypt 'improvements', eg: should it do blowfish:
https://access.redhat.com/articles/1519843

blowfish notes:
https://www.schneier.com/cryptography/blowfish/

It may be worthwhile (at least on windows?) to switch to a 3rd party maintained library (preferably 
open source, so we can maintain it ourselves if needed).  One that contains both uff-crypt and 
blowfish and the newer NIST approved cryptography.  There is a list of libraries that include blowfish:
https://www.schneier.com/cryptography/blowfish/products.html

Note: the blowfish reference implementation points to SSL (ssleay), and the Mac OS X man page for 
blowfish also mentions SSL - so maybe the openssl library implementation of blowfish would be a 
good one to use, since we already link to openssl, and eventually cvslock/cvsmanager using openssl 
would be a good idea too:
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/blowfish.
3ssl.html


Ive confirmed that OpenSSL 0.9.8.ze (which we ship in CVS Suite) already contains BF_set_key etc. 
and the ssleay.txt file already documents blowfish.

So we could use blowfish from openssl on all platforms, then just need somewhere to get ufc-crypt 
from on windows (without needing all of glibc).  Since the notes (see previous comment) on UFC-
Crypt indicate that it was written to be compatible (output wise, but faster) with the original SunOS 
crypt() function - I wonder if on windows we can just use the base cryptographic provider with 
CALG_DES ???
https://msdn.microsoft.com/en-us/library/windows/desktop/aa375599(v=vs.85).aspx


     Query page