World: r3wp
[Red] Red language group
older newer | first last |
Kaj 8-Nov-2011 [3738] | I always liked explicit lengths more than the NULL terminator, but Red/System has to interface with C code, so the choice has been made there |
Geomol 8-Nov-2011 [3739] | Interesting read though. |
Dockimbel 8-Nov-2011 [3740] | It's a choice we can reconsider once Red/System will be rewritten in Red. But we'll probably end up choosing the same option, because of the overheads of deviating from the format C libs and OS API expect. Anyway, it should be an interesting debate. :-) |
Kaj 8-Nov-2011 [3741] | Probably the best you could do would be to support both types |
Dockimbel 8-Nov-2011 [3742] | Sure, but the biggest issue is having to deal with a length header when passing to (and returning from) an external function. |
Dockimbel 9-Nov-2011 [3743] | Tamas sent me a link today about a nice little SSL/TLS library (http://polarssl.org). The bad thing is that it's GPL, but the license extends to FOSS License Exception: http://polarssl.org/license_exception As I understand it, it would be possible to use it for Red but every future Red binary publicly distributed would have to come with also the PolarSSL source code and a copy of the GPL library. I think that burden would be too high for future Red corporate users. What do you think? |
Geomol 9-Nov-2011 [3744] | Isn't it possible to use similar code from PuTTY? As I see it, PuTTY has better licence. |
Dockimbel 9-Nov-2011 [3745] | License: sure MIT is better, but does PuTTY supports SSL? I thought it was only doing SSH. |
Geomol 9-Nov-2011 [3746] | Hm, yeah, I'm not sure. I guess, I had zlib in my mind, which PuTTY also do a reimplementation of. I'm not too much into SSH and SSL. PuTTY also have code for SFTP, if that helps in any way to make a SSL implementation. |
Dockimbel 9-Nov-2011 [3747] | Some code for hashing and encrypting could be borrowed from PuTTY. Anyway, those algorithms are well documented and some of them even have public domain implementations (like MD5). |
Geomol 9-Nov-2011 [3748x3] | The RFC for TLS (Transport Layer Security) is 100 pages: http://tools.ietf.org/html/rfc5246 Is it necessary to implement TLS these days, or is its predecessor (SSL) enough? |
Too bad, it's such a load to implement some security. :/ | |
Would it make more sense to implement such protocols in REBOL, which may be easily portable to Red? (Instead of doing a C implementation.) | |
Dockimbel 9-Nov-2011 [3751x2] | I think it would be doable to implement SSL/SSH in REBOL, but it's a big task (at least for SSL). |
What would be cool would be to implement all the low-level encryption routines in Red/System. | |
Geomol 9-Nov-2011 [3753] | Have you looked at the way, REBOL do it? The REBOL/SDK at least have some of that security. |
Dockimbel 9-Nov-2011 [3754] | REBOL provides all the low-level encryption routines required, but they are coded in C. REBOL SSL implementation is also done in C (by Holger IIRC). |
Geomol 9-Nov-2011 [3755] | ok |
Dockimbel 9-Nov-2011 [3756] | The REBOL SSL port might also be using some REBOL code for higher level protocol support, but it's not accessible, so we can't check that. |
Pekr 9-Nov-2011 [3757] | IIRC, Cyphre once said, that idea for R3 was to add some port or other low level encryption functionality, and that https etc would be done in REBOL level, using thow low-level facilities ... |
BrianH 9-Nov-2011 [3758x2] | Geomol, the recent exploits of SSL don't affect TLS (at least 1.1 iirc). So yes, we need to implement TLS, but maybe not SSL. |
Has the PuTTY code been updated to patch the latest exploits? | |
Dockimbel 9-Nov-2011 [3760] | Some serious bugs seem to have been fixed in the latest release: http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html |
Kaj 9-Nov-2011 [3761x5] | Including PolarSSL in Red would not only require every Red program to provide the library source code, it would require every Red program to be open source. That's unacceptable for business purposes |
As far as I know, OpenSSL is the only TLS implementation under BSD, but it's the old BSD licence with advertising clause. This makes it incompatible with GPL software such as libraries one may want to use with Red, if they don't have an explicit exception for OpenSSL | |
Much GPL software that is relevant has that exception, so it's a limited problem | |
From a technical standpoint, Jaromil has advised me that GNU TLS is of higher quality. It is LGPL, so it's acceptable as long as you agree to provide the source code to GNU TLS only, as with many other libraries | |
It would be great to eventually implement many libraries in Red, but this is a gargantuan task, and security code is very specialised and critical | |
Andreas 9-Nov-2011 [3766] | GnuTLS is indeed of _much_ higher quality than OpenSSL. It is not as widespread, though. |
Dockimbel 9-Nov-2011 [3767] | Kaj: you're right, I misunderstood the extend of article 2.4 in License Exception. We can't use it. |
Kaj 9-Nov-2011 [3768] | Apparently, PuTTY has its own BSD SSL implementation, so that's interesting. But it's not structured as a library, but entirely integrated in the other protocols, seems somewhat limited and lacking in portability. The only way to use it would be to rip out the source code and make a portable library out of it, or reimplement it in Red |
Geomol 9-Nov-2011 [3769] | Kaj, can you see, if it's a SSL implementation or just SSH? Or is SSL there by automatic, when making SSH implementations? |
Kaj 9-Nov-2011 [3770] | There is hardly any talk of SSL, but of the separate authentication methods that it comprises. Indeed, SSH implies what is called SSL, so it's in there in some form |
Geomol 9-Nov-2011 [3771] | Thanks! |
Kaj 9-Nov-2011 [3772] | It could be completely entangled with the SSH protocol, but since they also do SFTP, one can hope it is somewhat abstracted internally |
Andreas 9-Nov-2011 [3773x2] | SFTP is basically nothing more than a set of specific commands sent over SSH. |
That alone won't require much abstraction, I fear. | |
Kaj 9-Nov-2011 [3775] | Ah, right, so it could still be entangled. I was thinking of FTPS |
Dockimbel 9-Nov-2011 [3776] | AFAIK, SSL and SSH are different communication protocols that rely on common hashing and encryption algorithms on the low-level layer. |
Kaj 9-Nov-2011 [3777] | Yes, it doesn't seem to be called SSL within SSH, but there is talk of TLS |
Andreas 9-Nov-2011 [3778x3] | Didn't PuTTY also do telnet/ssl? |
Hmm, seems it doesn't. | |
Well, then there's probably hardly anything SSL/TLS-specific in there, except for some common crypto primitives as Doc mentioned. | |
Geomol 9-Nov-2011 [3781] | There is a "telnet.c" in the PuTTY sources. |
Dockimbel 12-Nov-2011 [3782x3] | I have just bricked my Sheevaplug by doing a simple "apt-get upgrade"...:-( |
No way to get access to it anymore even using the USB direct connection. | |
So I need to find a suitable ARM emulator now to be able to finish the ARM port... | |
GrahamC 12-Nov-2011 [3785x2] | No warranty? |
Seem to be several howtos on how to unbrick a sheevaplug | |
Dockimbel 12-Nov-2011 [3787] | Warranty: I don't think that warranties apply on "bricked" hardware, anyway, I never rely on warranties. |
older newer | first last |