Contributed by pitrh on from the planning the plan dept.
So I thought I would go to l2k15 without a plan for what to work on, and that if I didn't end up with something to attack in LibreSSL land, I would simply hack away on the buffer cache some more..
However, I knew something had been bothering me about the LibTLS API, and so Friday night before I left I sat down on the couch and set about using it to make netcat do TLS connections - mostly just to exercise the API and see where I found it wanting for what I needed to do, and as something I could use as a test tool.
I ended up flinging it over the fence at people, and it got me thinking about how to deal with a few issues in the LibTLS API.
So my first few days at Varazdin were actually spent writing man pages - for things that don't exist. and having long coffees with jsing@, and later bluhm@ to decide what we wanted to do. In the end we came to a pretty good middle ground about a good way to bring libtls forward that allows easy use in existing code without too much pain on the part of the programmer, and we all spent a ton of time refining bits and tweaking the man page for TLS. All the time I'm doing this netcat was my victim of choice to try out the new ways of doing things, and in the end it also ended up being committed, as it's darn useful to test things with. By the end of the hackathon we had clarified the read/write semantics to be useable in event driven programs and included a poll() example in the man page, used it in netcat, and added a number of features to libtls (I spent most of the time sitting next to jsing@ annoying him with these problems and we would fix them). The end result is a lot more functionality in libtls for client side certificate validation, certificate pinning, and getting information about a TLS connection in libtls without exposing the OpenSSL goop underneath.
As hackathons are mostly about starting things or finishing things, I think we finished a few things and those are reflected in the man page changes for libtls, it managed to start me into the bowels of ASN1_TIME that I am now in the process of gutting - That part isn't ready for prime time yet but hopefully can be soon, and make a lot of truly "special" pieces of code a bit easier on the eyes, and make us more RFC compliant on certificate checking.
The long and the short of it is I got a lot more accomplished than I initially thought I would, with a good start on some other important things.
A huge thanks to Tonimir and to FOI in Varazdin for hosting us, it was a great venue and I think we collectively got a lot done.
Thanks for the report and the work, Bob! We're looking forward to seeing these things turn up in OpenBSD!
(Comments are closed)