Will Odin have its own TLS library? (like golang)

Odin is inspired a lot by Golang. One of the strengths of golang is the ability to produce self-contained statically linked binaries. Go has its own TLS library to avoid dependencies like OpenSSL.

Will Odin have its own TLS library as a part of base collection or will there be multiple competing implementations in vendor collection?

Eventually, but it’s on the back burner because it’s a man year’s worth of work to do well, optimistically. Constant time RSA implementation for key exchange, ASN.1, PKCS#9 and more.

In the shorter term we’re planning an interface that allows you to swap in your own choice of TLS library as long as it exposes a compatible API.

3 Likes

It’s been a while since I was working on the project that needed it, but BearSSL felt like it had a good API at the time.

Indeed. The internals are clean too. We use some code ported from there (with the author’s permission). If I remember right, it only went up to TLS 1.2, while I would likely target 1.3.

The main blockers aren’t RSA (which I’m procrastinating on) or TLS but the WebPKI (All the cert and associated nonsense) since ASN.1, X.509, and all the associated verification/revocation/etc logic is a gigantic mess.

2 Likes

I’d say just produce lib files for BearSSL for major platforms, produce Odin bindings, and add it to vendored packages.

1 Like

As much as I like BearSSL, I would rather target TLS 1.3. Since we have upstream’s permission to derive code, I certainly intend to use it as a starting point for RSA (and if I get stuck doing the cert nonsense all of that as well).

A big concern I have with the existence of core:crypto/tls has to do with vulnerabilities/auditing. Getting the code audited for correctness would cost an utterly mind-blowing amount of money, and “we looked at the code and we think it’s correct” isn’t something I particularly would like to do (though that is what we do for core:crypto out of necessity at the moment).

2 Likes

Perhaps a dumb question: why not just take golang’s TLS/crypto stack?
The languages are very similar, the license is permissive, I’d expect an almost 1:1 rewrite should be possible.

Because the toolchains are completely different. The licensing is different (especially when we are considering changing them). How they function is very different too. Odin and Go might share some syntactic similarities but they are not actually similar languages in how they operate.

As @yawning has stated already, we need correctness and just “copying” does not guarantee that because we would still need to test it because Odin and Go are not similar enough.

2 Likes