michaelforney / libtls-bearssl

37.0 4.0 3.0 288 KB

libtls implemented on top of BearSSL

Home Page: https://sr.ht/~mcf/libtls-bearssl

License: ISC License

Languages: Makefile 1.44%, C 98.53%, sed 0.03%
Topics: tls, bearssl

libtls-bearssl

libtls-bearssl is an implementation of libtls on top of BearSSL.

BearSSL is an excellent TLS library: it is small, secure by default, flexible, consistent, performs no memory allocation, and the code is as clean and well documented as any I've ever seen.

However, due to some of its constraints, it is not the easiest TLS library to use. Things like loading trust anchors, server-side SNI, and I/O with non-blocking sockets actually involve quite a bit of work.

libtls shares some of the same goals as BearSSL: it is also consistent, secure by default, and well documented. However, it is also a higher-level API that is designed to be easy to use for many common situations.

This project aims to get the best of both worlds by implementing the libtls API on top of BearSSL.

Status

libtls-bearssl implements nearly all features of the libtls API (version 3.3.3). The following are missing because BearSSL does not support them:

  • OCSP stapling. Attempts to configure this will fail.
  • Certificate revocation list (CRL). Attempts to configure this will fail.
  • Inspecting peer certificate issuer name. tls_peer_cert_issuer always returns NULL.
  • Inspecting peer certificate notBefore and notAfter times. tls_peer_cert_notbefore and tls_peer_cert_notafter always return -1.
  • Encrypted key files. If tls_load_file is passed a password string, it will return NULL.
  • Session caching. BearSSL does implement this (though not session tickets, RFC 5077), so this may be added in the future.
  • Keys and certificates using CRLF as the line ending are not supported. They must first be converted to use unix-style line endings (LF).
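The last item above means that a PEM key or certificate saved with Windows line endings has to be rewritten before libtls-bearssl will accept it. The following is an added example, not code from libtls-bearssl or libtls: an in-place CRLF-to-LF normalizer that a caller would run over a PEM buffer (for instance the buffer returned by tls_load_file) before handing it to tls_config_set_cert_mem() or tls_config_set_key_mem(). Those three libtls calls are real, but the usage sketched in the comments is an assumption about the caller and is not compiled here; the sample PEM block in pem_demo() is constructed and is not a real certificate.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Rewrite CRLF ("\r\n") line endings as LF ("\n") in place and return the
 * new length. Only the CR of a CRLF pair is dropped; every other byte is
 * copied unchanged, so a buffer that already uses LF passes through
 * untouched. A lone CR (not followed by LF) is left in place; use
 * pem_has_cr() afterwards to decide whether the buffer is safe to load.
 *
 * Assumed calling pattern (libtls API, not compiled in this example):
 *     buf = tls_load_file(path, &len, NULL);   // password must be NULL here
 *     len = pem_crlf_to_lf(buf, len);
 *     if (!pem_has_cr(buf, len))
 *         tls_config_set_cert_mem(cfg, buf, len);
 */
size_t pem_crlf_to_lf(uint8_t *buf, size_t len)
{
    size_t r = 0, w = 0;

    while (r < len) {
        if (buf[r] == '\r' && r + 1 < len && buf[r + 1] == '\n') {
            r++;            /* skip the CR; the LF is copied on the next pass */
            continue;
        }
        buf[w++] = buf[r++];
    }
    return w;
}

/* 1 if any carriage return remains in the buffer, else 0. */
int pem_has_cr(const uint8_t *buf, size_t len)
{
    return len > 0 && memchr(buf, '\r', len) != NULL;
}

/*
 * Self-check on a constructed sample (not a real certificate): a PEM block
 * with Windows line endings. Returns the normalized length (63) on success,
 * or 0 if the output does not match the expected LF form.
 */
size_t pem_demo(void)
{
    uint8_t buf[] =
        "-----BEGIN CERTIFICATE-----\r\n"
        "MIIBAAA=\r\n"
        "-----END CERTIFICATE-----\r\n";
    static const char want[] =
        "-----BEGIN CERTIFICATE-----\n"
        "MIIBAAA=\n"
        "-----END CERTIFICATE-----\n";
    size_t n = pem_crlf_to_lf(buf, sizeof buf - 1);

    if (n != sizeof want - 1 || memcmp(buf, want, n) != 0 || pem_has_cr(buf, n))
        return 0;
    return n;
}
```

The conversion shrinks the buffer but never grows it, which is why it can be done in place on the allocation tls_load_file returns; the shorter length is the one to pass on to tls_config_set_cert_mem() and, later, tls_unload_file().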

Mailing list

Feel free to use the mailing list at https://lists.sr.ht/~mcf/libtls-bearssl for patches, questions, or general discussion.

Issue tracker

Please report any issues to https://todo.sr.ht/~mcf/libtls-bearssl.

libtls-bearssl's Issues

GLIBC_2.25 error

Hi, I'm trying to see if I can use your library on older Linux systems, e.g. Debian 9, and I get a GLIBC_2.25 not found error (for explicit_bzero). Is there a way to compile without using the system's explicit_bzero?

Crash

Hi Michael,

I have a crash on the server side of libtls which I can't figure out and I would like to check my call sequence with you, see if I'm missing something obvious.

First let me say that the client part works for me in x64 Linux and Windows, it's only the server part that crashes on both Windows and Linux and it does so immediately (on the second read from the client), so it's probably not a build issue or an issue with the I/O.

Here's the call sequence I'm using:

I call tls_accept_cbs() after which I call tls_read() on an 8K buffer (on the tls context created by tls_accept_cbs()) which then calls my read callback to get 5 bytes. I return TLS_WANT_POLLIN, tls_read() returns to me, I fill an offline buffer with the 5 bytes I get from the socket and call tls_read() again with the exact same args as the first time. tls_read() then calls my read callback again and I fill the callback's buffer from my offline buffer and return 5 this time. Then my callback is called again, now with size 512, I do exactly the same thing, return TLS_WANT_POLLIN, call tls_read() again, fill in the next 512 bytes and return 512 from the callback. Now it crashes inside tls_read() with this stack trace:

libtls_bearssl.so(tls_check_name+0x4e)[0x7f5f2c9f4b8e]
libtls_bearssl.so(+0xa472)[0x7f5f2c9f4472]
libbearssl.so(br_ssl_hs_server_run+0xff4)[0x7f5f2c7d03e4]
libbearssl.so(+0x52309)[0x7f5f2c7cc309]
libbearssl.so(br_ssl_engine_recvrec_ack+0x2ca)[0x7f5f2c7ccdda]
libtls_bearssl.so(+0x924b)[0x7f5f2c9f324b]
libtls_bearssl.so(tls_handshake+0x46)[0x7f5f2c9f3a26]
libtls_bearssl.so(tls_read+0x41)[0x7f5f2c9f3b11]

So my first question is, does this sequence sound correct to you, is this how the API is supposed to be used?

Any hints you can throw my way are appreciated. Thanks.
