XySSL

General
Development
Edit

XySSL is an open-source cryptographic library for embedded systems. It provides standard crypto block: AES, SHA-1, X.509, etc. as well as higher lever protocols: SSL v3 and TLS v1. XySSL has been ported on a number of architectures, including ARM, PowerPC, MIPS, and Motorola 68000. Its already small memory footprint can be easily reduced to 50k for a basic SSL client or server, by modifying a single .h configuration file. XySSL is currently used in several open-source (GPL) and closed-source projects, such as Adobe's flash player.

[UPDATE 2008-12-31] As of now, XySSL is no longer maintained by Christophe Devine. The current project manager is Paul Bakker, and the new site can be accessed at: http://polarssl.org/

Journal Entries

Timeline View
No entries yet. Link your entries with 'xyssl' to include this project.

Ohloh Analysis Summary

Updated 29 Apr 2008 22:56 UTC

Ratings & Reviews

Community Rating
4.7/5.0

Based on 3 user ratings.

Your Rating

Click to rate this project.

about 1 year ago Avatar
A newcomer in the field of crypto libraries

    by Christophe Devine

XySSL is a relatively new library: the first release was published in november 2006 (18 months ago). Its progression has been mostly uneven, with periods lacking progress and short bursts of activity. A large part of the bugs were corrected thanks to the many users of the library who contributed their feedback. The library provides most basic crypto blocks, but lags behind other cryptographic libraries; as an example, OAEP/PSS RSA padding hasn't ... [More] been implemented yet.

Considering that crypto is generally a critical link in the security of a project, it may be more prudent to use other, more mature libraries (such as OpenSSL). In fact, although the source code of XySSL looks nice and well-commented, it still may contain important bugs. For example, the 0.9 release fixed a critical denial-of-service vulnerability in the X.509 certificate verification code.
[Less]

Was this review helpful to you? |

Links

3 links submitted so far. Submit your own links.

News

Edit RSS feeds.

    XySSL 0.9 released

    Posted about 1 year ago

    From the changelog:
    * Added support for ciphersuite: SSL_RSA_AES_128_SHA
    * Enabled support for large files by default in aescrypt2.c
    * Preliminary openssl wrapper contributed by David Barrett
    * Fixed a bug in ssl_write() that ... [More] caused the same payload to
    be sent twice in non-blocking mode when send returns EAGAIN
    * Fixed ssl_parse_client_hello(): session id and challenge must
    not be swapped in the SSLv2 ClientHello (found by Greg Robson)
    * Added user-defined callback debug function (Krystian Kolodziej)
    * Before freeing a certificate, properly zero out all cert. data
    * Fixed the "mode" parameter so that encryption/decryption are
    not swapped on PadLock; also fixed compilation on older versions
    of gcc (bug reported by David Barrett)
    * Correctly handle the case in padlock_xcryptcbc() when input or
    ouput data is non-aligned by falling back to the software
    implementation, as VIA Nehemiah cannot handle non-aligned buffers
    * Fixed a memory leak in x509parse_crt() which was reported by Greg
    Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
    Matthew Page who reported several bugs
    * Fixed x509_get_ext() to accept some rare certificates which have
    an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
    * Added support on the client side for the TLS "hostname" extension
    (patch contributed by David Patino)
    * Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty
    string is passed as the CN (bug reported by spoofy)
    * Added an option to enable/disable the BN assembly code
    * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
    * Disabled obsolete hash functions by default (MD2, MD4); updated
    selftest and benchmark to not test ciphers that have been disabled
    * Updated x509parse_cert_info() to correctly display byte 0 of the
    serial number, setup correct server port in the ssl client example
    * Fixed a critical denial-of-service with X.509 cert. verification:
    peer may cause xyssl to loop indefinitely by sending a certificate
    for which the RSA signature check fails (bug reported by Benoit)
    * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
    HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
    * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
    * Modified ssl_parse_client_key_exchange() to protect against
    Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well
    as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
    * Updated rsa_gen_key() so that ctx->N is always nbits in size
    * Fixed assembly PPC compilation errors on Mac OS X, thanks to
    David Barrett and Dusan Semen
    Download links:
    xyssl-0.9-gpl.tgz |
    xyssl-0.9-bsd.tgz [Less]

    February '08 update

    Posted about 1 year ago

    I'm glad to announce that after a couple months of non-activity, development has now resumed. At this point changes will mostly consist of bug fixes, with the release of xyssl-0.9 targeted at the end of the month.

    Mailing-list update, new subversion server

    Posted about 1 year ago

    The mailing list is currently down, as the main database was lost;
    regretably it was not included in the rsync backup. It is recommended
    to use the forum instead, for the time being.

    In other news, an SVN server has been set up. It can be accessed from:

    http://xyssl.org/code/svn/

    XySSL 0.8 released

    Posted about 1 year ago

    From the changelog:
    * Modified the HMAC functions to handle keys larger
    than 64 bytes, thanks to Stephane Desneux and gary ng
    * Fixed ssl_read_record() to properly update the handshake
    message digests, which fixes IE6/IE7 ... [More] client authentication
    * Cleaned up the XYSSL* #defines, suggested by Azriel Fasten
    * Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan
    * Added user-defined callbacks for handling I/O and sessions
    * Added lots of debugging output in the SSL/TLS functions
    * Added preliminary X.509 cert. writing by Pascal Vizeli
    * Added preliminary support for the VIA PadLock routines
    * Added AES-CFB mode of operation, contributed by chmike
    * Added an SSL/TLS stress testing program (ssl_test.c)
    * Updated the RSA PKCS#1 code to allow choosing between
    RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett
    * Updated ssl_read() to skip 0-length records from OpenSSL
    * Fixed the make install target to comply with *BSD make
    * Fixed a bug in mpi_read_binary() on 64-bit platforms
    * mpi_is_prime() speedups, thanks to Kevin McLaughlin
    * Fixed a long standing memory leak in mpi_is_prime()
    * Replaced realloc with malloc in mpi_grow(), and set
    the sign of zero as positive in mpi_init() (reported
    by Jonathan M. McCune)
    Download links:
    xyssl-0.8-lgpl.tgz |
    xyssl-0.8-bsd.tgz [Less]

    New offsite site backups

    Posted about 1 year ago

    Thanks to rsync.net, a complete backup
    of both xyssl.org and libtom.org has been setup. This will help ensure
    that the sites can be brought back online quickly, in case a server crash
    happens again
    (better safe than sorry).

Read all XySSL articles…

Download Page
908 downloads
Homepage
https://xyssl.org/
Licensed under
GNU General Public License 2.0 or later and New BSD License
Tagged as
Project Tags portable sha-1 authentication des rsa x.509 bsd tls aes library cryptography crypto embedded ssl gpl 3des base64 security privacy md5 sha-256 cross-platform | edit tags

Who uses XySSL?

Avatar

Who contributes to XySSL?

Anon32
I'm a contributor

Who manages XySSL?

Avatar
I'm a manager

Where in the world?

Related Projects by Tags

Crypto++, MatrixSSL, OpenSSL, PolarSSL, pyOpenSSL

Project Cost
This calculator estimates how much it would cost to hire a team to write this project from scratch. More »
Include
Codebase 15,123
Effort (est.) 3 Person Years
Avg. Salary $ year
$ 190,551

Widgets

Learn how to embed this and other widgets on your site.