This document tracks missing and implemented features for TOSSL, aiming for OpenSSL compatibility. As of December 2024, the codebase is modular, multi-file, and most high/medium priority features are implemented. This update reflects the actual code and Tcl-level commands.
- Additional hash algorithms: SHA-1, SHA-224, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512, MD5, MD4
- RIPEMD: RIPEMD-160
- Whirlpool: Whirlpool hash
- RIPEMD-256, RIPEMD-320
Not available in OpenSSL default provider; not supported in TOSSL. - BLAKE2: BLAKE2b, BLAKE2s
- SM3: Chinese national standard hash
- Hash streaming: tossl::digest::stream
- Hash comparison: tossl::digest::compare
- Hash algorithm listing: tossl::digest::list
- Modern ciphers: AES (all modes), ChaCha20, Poly1305, Salsa20, GCM, CCM, XTS, etc. (tossl::encrypt, tossl::decrypt, tossl::cipher::list/info)
- Block cipher modes: CBC, CFB, OFB, CTR, GCM, CCM, XTS
- Key derivation: PBKDF2, scrypt, Argon2 (if supported) (tossl::kdf::pbkdf2, ::scrypt, ::argon2)
- Random key/IV generation: tossl::rand::key, tossl::rand::iv, tossl::randbytes
- Cipher info/listing: tossl::cipher::info, tossl::cipher::list
- Legacy ciphers: DES, 3DES, Blowfish, CAST5, RC4, RC5 (tossl::legacy::*)
- Password-based encryption: tossl::pbe::* (keyderive, encrypt, decrypt, algorithms, saltgen)
- RSA operations: Keygen, encrypt, decrypt, sign, verify, validate, components (tossl::rsa::*)
- DSA operations: Keygen, sign, verify, validate, param gen (tossl::dsa::*)
- EC operations: Keygen, sign, verify, validate, point ops, curve list, components (tossl::ec::*)
- Ed25519/Ed448: Keygen, sign, verify (tossl::ed25519::, tossl::ed448::)
- X25519/X448: Keygen, derive (tossl::x25519::, tossl::x448::)
- SM2: Keygen, sign, verify, encrypt, decrypt (tossl::sm2::*)
- Key import/export/conversion: PEM, DER, PKCS#8 (tossl::key::parse, ::write, ::convert)
- Key fingerprinting: tossl::key::fingerprint
- Key wrapping: tossl::keywrap::* (wrap, unwrap, kekgen, info, algorithms)
- OCSP operations: tossl::ocsp::create_request, ::parse_response
- Certificate generation: Self-signed, CA-signed (tossl::x509::create, tossl::ca::generate, tossl::ca::sign)
- Certificate validation: Chain validation, CRL checking (tossl::x509::verify, ::validate, ::time_validate)
- Certificate parsing: tossl::x509::parse
- Certificate modification: tossl::x509::modify
- Certificate conversion: PEM, DER, PKCS#12 (tossl::pkcs12::create, ::parse)
- Certificate fingerprinting: tossl::x509::fingerprint
- Certificate transparency: Basic CT extension parsing
- CSR extensions: Full X.509 extension support (tossl::csr::modify)
- CSR validation: tossl::csr::validate
- CSR modification: tossl::csr::modify
- CSR fingerprinting: tossl::csr::fingerprint
- CSR parsing/creation: tossl::csr::parse, ::create
- CRL operations: tossl::crl::create, ::parse
- OCSP operations: tossl::ocsp::create_request, ::parse_response
- Certificate status checking: Implemented (
tossl::ssl::check_cert_status -conn conn)
- CA certificate generation: tossl::ca::generate
- Certificate signing: tossl::ca::sign
- CA management: Chain management via validation and signing
- SSL context configuration: tossl::ssl::context, ::set_protocol_version, ::protocol_version
- SSL session management: Session resumption, tickets (tossl::ssl::context)
- SSL cipher/protocol configuration: tossl::ssl::set_protocol_version, ::protocol_version
- Client authentication: Implemented (
tossl::ssl::context -client_cert cert -client_key key) - Server name indication (SNI): Implemented in tossl::ssl::connect with -sni parameter
- Application layer protocol negotiation (ALPN): Fully implemented with Tcl callback support
- Implemented:
- ALPN protocol advertisement in client connections (
tossl::ssl::connect -alpn protocols) - ALPN callback registration (
tossl::ssl::set_alpn_callback -ctx ctx -callback callback) - Tcl callback invocation during SSL handshake
- Negotiated protocol retrieval (
tossl::ssl::alpn_selected -conn conn) - Socket wrapping for Tcl channels (
tossl::ssl::accept -ctx ctx -socket socket) - Socket information retrieval (
tossl::ssl::socket_info -conn conn)
- ALPN protocol advertisement in client connections (
- Supported protocols: HTTP/2 (h2), HTTP/1.1 (http/1.1), and custom protocols
- Implemented:
- Certificate transparency (CT extension): Implemented (
tossl::ssl::check_cert_status)
- Perfect forward secrecy (PFS): Implemented (
tossl::ssl::check_pfs -conn conn) - Certificate pinning (HPKP): Implemented (
tossl::ssl::verify_cert_pinning -conn conn -pins pins) - OCSP stapling: Implemented (
tossl::ssl::set_ocsp_stapling -ctx ctx -enable enable)
- Random number testing: Implemented (
tossl::rand::test count) - Key/cert/cipher analysis: Implemented (
tossl::key::analyze key,tossl::cipher::analyze cipher) - Signature validation: Implemented (
tossl::rsa::verify,tossl::dsa::verify,tossl::ec::verify)
- Base64, Base64URL, Base32, Base32Hex: tossl::base64::, ::base64url::
- Hex encoding/decoding: tossl::hex::*
- URL encoding: Implemented (
tossl::url::encode,tossl::url::decode) - ASN.1 operations: Implemented (
tossl::asn1::encode,tossl::asn1::oid_to_text,tossl::asn1::text_to_oid)
- Cryptographic RNG: tossl::randbytes, tossl::rand::bytes
- Pseudo-RNG: tossl::rand::bytes (legacy)
- Seed management: tossl::rand::bytes (legacy)
- Certificate time validation: tossl::x509::time_validate
- Time conversion/comparison: Implemented (
tossl::time::convert,tossl::time::compare)
- FIPS 140-2 compliance/mode/validation: Implemented (
tossl::fips::enable,tossl::fips::status)
- AES-NI, SHA-NI, RSA acceleration: Implemented (
tossl::hardware::detect)
- Constant-time ops, memory/timing protection: Implemented (
tossl::sidechannel::protect)
- Algorithm discovery: Implemented (
tossl::algorithm::list,tossl::algorithm::info) - Benchmarking, monitoring, resource usage: Implemented (
tossl::benchmark)
- Provider management: Implemented (
tossl::provider::load,tossl::provider::unload,tossl::provider::list) - Cryptographic logging, error handling, debug info: Implemented (
tossl::cryptolog)
- ACME v2, challenges, account/order management, automation: Implemented in C
- Status: C implementation with libcurl integration
- Implemented:
tossl::acme::directory,tossl::acme::create_account,tossl::acme::create_order - DNS-01 Challenge:
tossl::acme::dns01_challenge,tossl::acme::cleanup_dns - Dependencies: libcurl, json-c
- HTTP client functionality: Implemented with libcurl integration
- Implemented:
tossl::http::get,tossl::http::post - Dependencies: libcurl, json-c
- Features: SSL/TLS support, custom headers, timeouts, redirects
- Implemented:
- JSON parsing and generation: Implemented with json-c integration
- Implemented:
tossl::json::parse,tossl::json::generate - Dependencies: json-c
- Features: Full type support (strings, numbers, booleans, arrays, objects), error handling
- Implemented:
- PKCS#7: tossl::pkcs7::* (sign, verify, encrypt, decrypt, info)
- PKCS#12: tossl::pkcs12::* (create, parse)
- OpenPGP: Not implemented
- Status: Removed from TOSSL (license conflicts with GPGME)
- Alternative: Separate GPL-licensed extension if needed
- S/MIME, SSH, Kerberos: Not implemented
- Unit tests: test_high_priority_features.tcl, test_new_features.tcl, test_ssl_advanced.tcl, etc.
- Integration, performance, security tests: Not implemented
- OpenSSL compatibility: High-priority features tested
- Standards/security validation: Not fully implemented
- Function documentation: README.md, code comments
- Example code: README.md, test scripts
- Best practices, security guidelines, user guides, migration guide: Not implemented
- Not implemented
- All checked off above (see code and Tcl commands)
- HTTP/HTTPS client (libcurl integration)
- ACME protocol (C implementation)
- DNS-01 challenge support for ACME
- OpenPGP support (separate extension)
- S/MIME support
- Advanced SSL/TLS features
- Phase 1: Core crypto (β COMPLETED)
- Phase 2: PKI/cert (β COMPLETED)
- Phase 3: SSL/TLS (β COMPLETED)
- Phase 4: Advanced features (β COMPLETED)
- Phase 5: HTTP/ACME integration (β COMPLETED)
Changelog (2024-12):
- Removed PGP references: PGP functionality not implemented in C code
- Updated ACME status: Currently Tcl-only, planned for C implementation
- Added HTTP/HTTPS client: Planned with libcurl integration
- Corrected legacy cipher status: Actually implemented via tossl::legacy::*
- Updated implementation strategy: Core features complete, focusing on HTTP/ACME
Changelog (2024-07):
- Advanced SSL/TLS Features: Certificate status checking, PFS testing, certificate pinning, OCSP stapling
- Hardware Acceleration Detection: AES-NI, SHA-NI, AVX2, hardware RNG detection
- Benchmarking Tools: RSA, EC, cipher, and hash benchmarking with performance metrics
- Side-Channel Protection: Constant-time operations, memory protection, timing protection detection
- Cryptographic Logging: Enable/disable/status/clear operations for cryptographic event logging
- Enhanced Security: Client authentication, certificate transparency, advanced SSL/TLS security features
- ALPN Support: Fully implemented with Tcl callback invocation during SSL handshake
- Socket Wrapping: Tcl socket channels can be wrapped with SSL/TLS
- Enhanced SSL/TLS: SNI, ALPN, protocol version control, socket info
- Utility Features: URL encoding/decoding, time conversion/comparison, random testing
- Analysis Tools: Key/cipher analysis, signature validation, cryptographic testing
- ASN.1 Operations: Basic ASN.1 encoding, OID conversion
- Provider Management: FIPS support, algorithm discovery, provider loading/unloading
This document is now up to date with the codebase and Tcl interface as of December 2024.