~apreiml/hare-tls

A work in progress TLS module for hare

https://git.sr.ht/~apreiml/hare-tls

# Hare TLS

A work-in-progress Hare TLS module. It also contains the crypto required for TLS that is not yet ready for upstream, notably:

  • PKCS key format
  • X509 certificate handling

None of the code in this repository is ready for production. Use at your own risk. The API design may change until it is ready for upstream. The TLS module will break and leak all your secrets. In fact, it will sometimes log them to the terminal for the sake of debugging.

Updates regarding the API and notable progress will be posted to the hare-tls mailing list. Bugs may be submitted to the tracker, but note that the library is currently in heavy development. Only submit bugs if you also describe how to reproduce them and they are a major blocker to your current use case. I may shift my priorities accordingly to tackle them first.

Currently only Ed25519 server certificates are supported.

# Tests

Running the tests requires the following tools in PATH:

Then the debug certs need to be generated:

./scripts/newcerts.sh

Finally the tests can be run with

make check

# Roadmap

Rough roadmap; the order may change, or items may be developed in parallel:

  • [x] ASN1 DER support (done and merged upstream)
  • [x] ECC:
    • [x] Curves p256, p384 and p521 (merged upstream)
    • [x] ECDH (merged upstream)
    • [x] Key generation (merged upstream)
    • [x] ECDSA (merged upstream)
  • [x] RSA-PSS Sign/Verify (merged upstream)
  • [x] Minimal TLS 1.3 client w/o cert verification (done)
    • [x] Only one cipher and key exchange method (done)
  • [x] Minimal TLS 1.3 Server (done)
  • [x] Initial API design (done)
  • [ ] x509: Certificate Handling
    • [ ] Parsing (refactor in progress)
    • [ ] Verification (refactor in progress)
    • [ ] CRL
    • [ ] Generation
    • [ ] CSR
  • [ ] TLS 1.3 (API refactor pending)
  • [ ] Flesh out missing client parts.
    • [ ] Cipher Suite
    • [ ] Key exchange
    • [ ] Signature verification
    • [ ] Failure mode tests
    • [ ] Conformance tests
  • [ ] RSA Key generation
  • [ ] DHE (TLS 1.2)
  • [ ] TLS 1.2 Client
  • [ ] TLS 1.2 Server
  • [ ] Add further missing crypto bits, targeting Mozilla's intermediate compatibility