+ o Read prefetch (read-ahead, reading ahead of time). Maybe if this can
+ be done easily.
+
+
+SKR Library, lib/silcskr/
+=========================
+
+ o Add fingerprint as search constraint.
+
+ o Add OpenPGP support. Adding, removing, fetching PGP keys. (Keyring
+ support?)
+
+ o Add support for importing public keys from a directory and/or from a
+ file. Add support for exporting the repository (different formats for
+ different key types?).
+
+ o Change the entire silc_skr_find API. Remove SilcSKRFind and just simply
+ add the find constraints as variable argument list to silc_skr_find, eg:
+
+ silc_skr_find(skr, schedule, callback, context,
+ SILC_SKR_FIND_PUBLIC_KEY, public_key,
+ SILC_SKR_FIND_COUNTRY, "FI",
+ SILC_SKR_FIND_USAGE, SILC_SKR_USAGE_AUTH,
+ SILC_SKR_FIND_END);
+
+ NULL argument would be ignored and skipped.
+
+ o Add OR logical rule in addition of the current default AND, eg:
+
+ // Found key(s) MUST have this public key AND this country.
+ silc_skr_find(skr, schedule, callback, context,
+ SILC_SKR_FIND_RULE_AND,
+ SILC_SKR_FIND_PUBLIC_KEY, public_key,
+ SILC_SKR_FIND_COUNTRY, "FI",
+ SILC_SKR_FIND_END);
+
+ // Found key(s) MUST have this public key OR this key context
+ silc_skr_find(skr, schedule, callback, context,
+ SILC_SKR_FIND_RULE_OR,
+ SILC_SKR_FIND_PUBLIC_KEY, public_key,
+ SILC_SKR_FIND_CONTEXT, key_context,
+ SILC_SKR_FIND_END);
+
+ o SilcStack to SKR API.
+
+
+Crypto Library, lib/silccrypt/
+==============================
+
+ o SilcStack to APIs.
+
+ o Add fingerprint to SilcSILCPublicKey and retrieval to silcpk.h, and
+ possibly to silcpkcs.h.
+
+ /* Return fingerprint of the `public_key'. Returns also the algorithm
+ that has been used to make the fingerprint. */
+ const unsigned char *
+ silc_pkcs_get_fingerprint(SilcPublicKey public_key,
+ const char **hash_algorithm,
+ SilcUInt32 *fingerprint_len);
+
+ o Change SILC PKCS API to asynchronous, so that accelerators can be used.
+ All PKCS routines should now take callbacks as argument and they should
+ be delivered to SilcPKCSObject and SilcPKCSAlgorithm too.
+
+ /* Signature computation callback */
+ typedef void (*SilcPKCSSignCb)(SilcBool success,
+ const unsigned char *signature,
+ SilcUInt32 signature_len,
+ void *context);
+
+ /* Signature verification callback */
+ typedef void (*SilcPKCSVerifyCb)(SilcBool success, void *context);
+
+ /* Encryption callback */
+ typedef void (*SilcPKCSEncryptCb)(SilcBool success,
+ const unsigned char *encrypted,
+ SilcUInt32 encrypted_len,
+ void *context);
+
+ /* Decryption callback */
+ typedef void (*SilcPKCSDecryptCb)(SilcBool success,
+ const unsigned char *decrypted,
+ SilcUInt32 decrypted_len,
+ void *context);
+
+ Either add new _async functions or add the callbacks to existing API
+ and if the callback is NULL then the API is not async and if provided
+ it may be async. For example;
+
+ SilcBool silc_pkcs_sign(SilcPrivateKey private_key,
+ unsigned char *src, SilcUInt32 src_len,
+ unsigned char *dst, SilcUInt32 dst_size,
+ SilcUInt32 *dst_len,
+ SilcBool compute_hash, SilcHash hash,
+ SilcPKCSSignCb async_sign,
+ void *async_sign_context);
+
+ (if this is done then there's no reason why the buffers in the
+ callbacks cannot be the ones user gives here) or allow only async:
+
+ SilcBool silc_pkcs_sign(SilcPrivateKey private_key,
+ unsigned char *src, SilcUInt32 src_len,
+ SilcBool compute_hash, SilcHash hash,
+ SilcPKCSSignCb async_sign,
+ void *async_sign_context);
+
+ or add new:
+
+ SilcBool silc_pkcs_sign_async(SilcPrivateKey private_key,
+ unsigned char *src, SilcUInt32 src_len,
+ SilcBool compute_hash, SilcHash hash,
+ SilcPKCSSignCb async_sign,
+ void *async_sign_context);
+
+ o Change PKCS Algorithm API to take SilcPKCSAlgorithm as argument to
+ encrypt, decrypt, sign and verify functions. We may need to for exmaple
+ check the alg->hash, supported hash functions. Maybe deliver it also
+ to all other functions in SilcPKCSAlgorithm to be consistent.
+
+ o Add DSS support. Take implementation from Tom or make it yourself.
+
+ o Implement the defined SilcDH API. The definition is in
+ lib/silccrypt/silcdh.h. Make sure it is asynchronous so that it can
+ be accelerated. Also take into account that it could use elliptic
+ curves.
+
+ o ECDSA and ECDH
+
+ o All cipher, hash, hmac etc. allocation routines should take their name
+ in as const char * not const unsigned char *.
+
+
+SILC Accelerator Library
+========================
+
+ o SILC Accelerator API. Provides generic way to use different kind of
+ accelerators. Basically implements SILC PKCS API so that SilcPublicKey
+ and SilcPrivateKey can be used but they call the accelerators.
+
+ Something in the lines of (preliminary):
+
+ /* Register accelerator to system. Initializes the accelerator. */
+ Varargs are optional accelerator specific init parameteres. */
+ SilcBool silc_acc_register(SilcAccelerator acc, ...);
+
+ silc_acc_register(softacc, "min_threads", 2, "max_threads", 16, NULL);
+
+ /* Unregister accelerator. Uninitializes the accelerator. */
+ SilcBool silc_acc_unregister(const SilcAccelerator acc);
+
+ /* Return list of the registered accelerators */
+ SilcDList silc_acc_get_supported(void);
+
+ /* Find existing accelerator. `name' is accelerator's name. */
+ SilcAccelerator silc_acc_find(const char *name);
+
+ /* Return accelerator's name */
+ const char *silc_acc_get_name(SilcAccelerator acc);
+
+ /* Accelerate `public_key'. Return accelerated public key. */
+ SilcPublicKey silc_acc_public_key(SilcAccelerator acc,
+ SilcPublicKey public_key);
+
+ /* Accelerate `private_key'. Returns accelerated private key. */
+ SilcPrivateKey silc_acc_private_key(SilcAccelerator acc,
+ SilcPrivateKey private_key);
+
+ /* Return the underlaying public key */
+ SilcPublicKey silc_acc_get_public_key(SilcAccelerator acc,
+ SilcPublicKey public_key);
+
+ /* Return the underlaying private key */
+ SilcPrivateKey silc_acc_get_private_key(SilcAccelerator acc,
+ SilcPrivateKey private_key);
+
+ typedef struct SilcAcceleratorObject {
+ const char *name; /* Accelerator's name */
+ SilcBool (*init)(va_list va); /* Initialize accelerator */
+ SilcBool (*uninit)(void); /* Uninitialize accelerator */
+ const SilcPKCSAlgorithm *pkcs; /* Accelerated PKCS algorithms */
+ const SilcDHObject *dh; /* Accelerated Diffie-Hellmans */
+ const SilcCipherObject *cipher; /* Accelerated ciphers */
+ const SilcHashObject *hash; /* Accelerated hashes */
+ const SilcHmacObject *hmac; /* Accelerated HMACs */
+ const SilcRngObject *rng; /* Accelerated RNG's */
+ } *SilcAccelerator, SilcAcceleratorStruct;
+
+ Allows accelerator to have multiple accelerators (cipher, hash etc)
+ and multiple different algorithms and implementations (SHA-1, SHA-256 etc).
+
+ SilcPublicKey->SilcSILCPublicKey->RsaPublicKey accelerated as:
+ SilcPublicKey->SilcAcceleratorPublicKey->SilcSoftAccPublicKey->
+ SilcPublicKey->SilcSILCPublicKey->RsaPublicKey
+
+ silc_acc_public_key creates SilcPublicKey and SilcAcceleratorPublicKey
+ and acc->pkcs->import_public_key creates SilcSoftAccPublicKey.
+
+ o Implement software accelerator. It is a thread pool system where the
+ public key and private key operations are executed in threads.
+
+ const struct SilcAcceleratorObject softacc =
+ {
+ "softacc", softacc_init, softacc_uninit,
+ softacc_pkcs, NULL, NULL, NULL, NULL
+ }
+
+ /* Called from silc_acc_private_key */
+ int silc_softacc_import_private_key(void *key, SilcUInt32 key_len,
+ void **ret_private_key)
+ {
+ SilcSoftAccPrivateKey prv = silc_calloc(1, sizeof(*prv));
+ prv->pkcs = acc->pkcs;
+ prv->private_key = key;
+ *ret_private_key = prv;
+ }
+
+ (o Symmetric key cryptosystem acceleration? They are always sycnhronouos
+ even with hardware acceleration so the crypto API shouldn't require
+ changes.) maybe
+
+
+lib/silcmath
+============
+
+ o Import TFM. Talk to Tom to add the missing functions. Use TFM in
+ client and client library, but TMA in server, due to the significantly
+ increased memory consumption with TFM, and the rare need for public
+ key operations in server.
+
+ We want TFM's speed but not TFM's memory requirements. Talk to Tom
+ about making the TFM mp dynamic just as it is in LTM.
+
+ o The SILC MP API function must start returning indication of success
+ and failure of the operation.
+
+ o Do SilcStack support for silc_mp_init, silc_mp_init_size and other
+ any other MP function (including utility ones) that may allocate
+ memory.
+
+ o All utility functions should be made non-allocating ones.
+
+
+SILC XML Library, lib/silcxml/
+==============================
+
+ o SILC XML API (wrapper to expat). Look at the expat API and simplify
+ it. The SILC XML API should have at most 8-10 API functions. It should
+ be possible to create full XML parser with only one function. And, it
+ should be possible to have a function that is able to parse an entire
+ XML document. It should also have a parser function to be able to
+ parse a stream of XML data (SilcStream). It MUST NOT have operations
+ that require multiple function calls to be able to execute that one
+ operation (like creating parser).
+
+
+lib/silcske/silcske.[ch]
+========================
+
+ o Ratelimit to UDP/IP transport for incoming packets.
+
+
+lib/silcasn1
+============
+
+ o Negative integer encoding is missing, add it.
+
+ o SILC_ASN1_CHOICE should perhaps return an index what choice in the
+ choice list was found. Currently it is left for caller to figure out
+ which choice was found.
+
+ o SILC_ASN1_NULL in decoding should return SilcBool whether or not
+ the NULL was present. It's important when it's SILC_ASN1_OPTIONAL
+ and we need to know whether it was present or not.
+
+
+lib/silcpgp
+===========
+
+ o OpenPGP certificate support, allowing the use of PGP public keys
+ in SILC.
+
+
+lib/silcssh
+===========
+
+ o SSH2 public key/private key support, allowing the use of SSH2 keys
+ in SILC. RFC 4716.
+
+
+lib/silcpkix
+============
+
+ o PKIX implementation
+
+
+apps/silcd
+==========
+
+ o Deprecate the old server. Write interface for the new lib/silcserver
+ server library. The interface should work on Unix/Linux systems.
+
+ o Consider deprecating also the old config file format and use XML
+ istead. This should require SILC XML API implementation first.
+
+ o The configuration must support dynamic router and server connections.
+ The silcd must work without specifying any servers or routers to
+ connect to.
+
+ o The configuration must support specifying whether the server is
+ SILC Server or SILC Router. This should not be deduced from the
+ configuration as it was in < 1.2.
+
+ o The configuration must support specifying the ciphers and hmacs and
+ their order so that user can specify which algorithms take preference.
+
+
+lib/silcserver
+==============
+
+ o Rewrite the entire server. Deprecate apps/silcd as the main server
+ implementation and create lib/silcserver/. It is a platform
+ independent server library. The apps/silcd will merely provide a
+ a simple interface for the library.
+
+ o Write the SILC Server library extensively using SILC FSM.
+
+ o Server library must support multiple networks. This means that one
+ server must be able to create multiple connections that each reach
+ different SILC network. This means also that all cache's etc. must
+ be either connection-specific or network-specific.
+
+ o Library must support dynamic router and server connections. This means
+ that connections are create only when they are needed, like when someone
+ says JOIN foo@foo.bar.com or WHOIS foobar@silcnet.org.
+
+ o Library must support server-to-server connections even though protocol
+ prohibits that. The responder of the connection should automatically
+ act as a router. The two servers create an own, isolated, SILC network.
+ To be used specifically with dynamic connections.
+
+ o Library must support multiple threads and must be entirely thread safe.
+
+ o Library must have support for SERVICE command.
+
+ o The server must be able to run behind NAT device. This means that
+ Server ID must be based on public IP instead of private IP.
+
+ o The following data must be in per-connection context: client id cache,
+ server id cache, channel id cache, all statistics must be
+ per-connection.
+
+ o The following data must be in per-thread context: command context
+ freelist/pool, pending commands, random number generator.
+
+ o Do inccoming packet processing in an own FSM thread in the
+ server-threads FSM. Same as in client library.