search

oasislinux / oasis

a small statically-linked linux system
Other
2.79k stars 85 forks source link

Switch to BearSSL #14

Open michaelforney opened 4 years ago

michaelforney commented 4 years ago

We should try to use BearSSL whenever possible.

To do:

Done:

noocsharp commented 3 years ago

If there's still interest, I have ported msmtp to libtls, and have been using it for a few days without any problems. I did not implement fingerprint based certificate verification (although it is possible, at least with SHA256), as it is deprecated and due to be removed in the next major version anyway. Support won't make it way upstream any time soon, but my branch is available here: https://git.nihaljere.xyz/msmtp/log.html

michaelforney commented 3 years ago

If there's still interest, I have ported msmtp to libtls, and have been using it for a few days without any problems.

That's great!

I did not implement fingerprint based certificate verification (although it is possible, at least with SHA256), as it is deprecated and due to be removed in the next major version anyway.

Do you have a reference for that? I can see that SHA1 fingerprint is deprecated, but I don't see anything about SHA256.

Support won't make it way upstream any time soon, but my branch is available here: https://git.nihaljere.xyz/msmtp/log.html

I will take a look, thanks. On first glance it looks like good work.

michaelforney commented 3 years ago 
memcpy(&tci->sha256_fingerprint, sha256_fingerprint, 32);

I don't think this is quite right. According to https://man.openbsd.org/tls_conn_version.3, the format of tls_peer_cert_hash is a string SHA256:hex-fingerprint. So I think we just need to verify the prefix, and then decode the hex string into binary.

noocsharp commented 3 years ago

I did not implement fingerprint based certificate verification (although it is possible, at least with SHA256), as it is deprecated and due to be removed in the next major version anyway.

Do you have a reference for that? I can see that SHA1 fingerprint is deprecated, but I don't see anything about SHA256.

There is a comment near the beginning of tlsw_check_cert that implies so. I sent an email to the Martin Lambers (the maintainer) for clarification, and you are right, only SHA1 is deprecated. I'll try to implement fingeprint verification sometime soon.

memcpy(&tci->sha256_fingerprint, sha256_fingerprint, 32);

I don't think this is quite right. According to https://man.openbsd.org/tls_conn_version.3, the format of tls_peer_cert_hash is a string SHA256:hex-fingerprint. So I think we just need to verify the prefix, and then decode the hex string into binary.

I totally missed this, thanks for pointing it out.

noocsharp commented 3 years ago

Sorry for the delay in responding, but I have fixed the issue above (and a number of other ones), and libtls support is now present upstream.

michaelforney commented 3 years ago

Thanks so much for submitting this upstream. I just updated the msmtp version to latest git with libtls-bearssl and it seems to be working well.

Only three left to go!

shua commented 2 years ago

I've banged out a proof of concept integration of libtls for nginx at https://github.com/shua/nginx/tree/tls . Is there still interest in this? Currently the code is very much a hacky addon, but I could spend more time on it to make it fit a little better and maybe upstream would accept :shrug:

tsklxiv commented 2 years ago

Not related to this but what is the catgirl library? Have never heard of it before.

thanhminhmr commented 2 years ago

It is an IRC client.