l2k15 Hackathon Report: beck@ on libtls

Contributed by pitrh on 2015-09-27 from the planning the plan dept.

Our next l2k15 hackathon report comes from Bob Beck (beck@):

So I thought I would go to l2k15 without a plan for what to work on, and that if I didn't end up with something to attack in LibreSSL land, I would simply hack away on the buffer cache some more..

However, I knew something had been bothering me about the LibTLS API, and so Friday night before I left I sat down on the couch and set about using it to make netcat do TLS connections - mostly just to exercise the API and see where I found it wanting for what I needed to do, and as something I could use as a test tool.

I ended up flinging it over the fence at people, and it got me thinking about how to deal with a few issues in the LibTLS API.
So my first few days at Varazdin were actually spent writing man pages - for things that don't exist. and having long coffees with jsing@, and later bluhm@ to decide what we wanted to do. In the end we came to a pretty good middle ground about a good way to bring libtls forward that allows easy use in existing code without too much pain on the part of the programmer, and we all spent a ton of time refining bits and tweaking the man page for TLS. All the time I'm doing this netcat was my victim of choice to try out the new ways of doing things, and in the end it also ended up being committed, as it's darn useful to test things with. By the end of the hackathon we had clarified the read/write semantics to be useable in event driven programs and included a poll() example in the man page, used it in netcat, and added a number of features to libtls (I spent most of the time sitting next to jsing@ annoying him with these problems and we would fix them). The end result is a lot more functionality in libtls for client side certificate validation, certificate pinning, and getting information about a TLS connection in libtls without exposing the OpenSSL goop underneath.
As hackathons are mostly about starting things or finishing things, I think we finished a few things and those are reflected in the man page changes for libtls, it managed to start me into the bowels of ASN1_TIME that I am now in the process of gutting - That part isn't ready for prime time yet but hopefully can be soon, and make a lot of truly "special" pieces of code a bit easier on the eyes, and make us more RFC compliant on certificate checking.
The long and the short of it is I got a lot more accomplished than I initially thought I would, with a good start on some other important things.
A huge thanks to Tonimir and to FOI in Varazdin for hosting us, it was a great venue and I think we collectively got a lot done.

Thanks for the report and the work, Bob! We're looking forward to seeing these things turn up in OpenBSD!

(Comments are closed)

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (10)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]