Hello, What started out as a quest to fix compilation warnings in the openssl egg, ended with a few more user-visible changes than that:
- The minimum OpenSSL version has been bumped to 1.1.0 to avoid the deprecated server/client version APIs. These have been replaced with a single API call to set both the minimum and maximum supported protocol version. Therefore it's now possible to accept a TLS version range, such as from TLSv1.0 up to TLSv1.2. - TLSv1.3 support is detected and exposed at runtime. - The `supported-ssl-protocols`, `ssl-min-protocol` and `ssl-max-protocol` allow testing supported protocol versions at runtime. - The `openssl` module has been internally renamed to `(openssl socket)`, but is reexported under its old name for compatibility reasons. I intend to drop that alias whenever C6 happens. - The `(openssl cipher)`, `(openssl digest)`, `(openssl random)` and `(openssl version)` modules have been introduced. The `(openssl cipher)` and `(openssl digest)` modules expose both low- and high-level procedures to work with ciphers and message digests. The `(openssl random)` module provides access to a CSPRNG. The `(openssl version)` module allows testing for the OpenSSL version and configuration. - Examples have been added for the `(openssl cipher)`, `(openssl digest)` and `(openssl socket)` modules. - A test suite covering all modules has been introduced and contains further module usage examples. It's not all roses though. The OpenSSL APIs are historically grown and not always easy to use. I've tried to avoid exposing as many footguns as possible, but I'm certain that there's more work to do in this regard. Please let me know if any of you run into troubles. Further work ahead: - OpenSSL 3 compatibility: I'll work on this whenever a stable release has been made available on Arch Linux. Resolving the compilation warnings made this task easier, but I expect new compilation warnings to appear. - Exposing additional APIs. Candidates: - Hex encoding/decoding: Dubious utility (the task has been solved well enough by other eggs, hex encoding uses colon separator, decoding fails on empty buffer). - Base64 encoding/decoding: Dubious utility (there is a fast enough base64 egg, encoding uses newlines, decoding fails on empty buffer). - Certificate handling: Messy APIs. - Asymmetric cryptography: Messy APIs. - Password derivation: Messy APIs intertwined with asymmetric cryptography. - HMAC: Unsure if enough benefit. - Bignum: Unsure if enough benefit (might be worth it for number theory procedures). - Other APIs: Please let me know about any worth exposing. Some of the above issues have been resolved by OpenSSL 3, but would need to be implemented in Terms of OpenSSL 1.1.0. Perhaps it would make more sense to write a binding to Botan instead... Vasilij
signature.asc
Description: PGP signature