OpenBSD Journal

Interview: Brent Cook Talks About Porting LibreSSL

Contributed by tbert on from the bringing-it-back-to-irix dept.

Undeadly was able to get a few minutes of time with Brent Cook (bcook@), who worked on the official LibreSSL port:

Undeadly: Tell us about yourself; who are you, and how did you get involved with the LibreSSL porting effort?

bcook@: My name is Brent Cook. I'm a generalist programmer by day, mostly working on low-level system stuff. I'm also a code performance junky, and I also play piano and saxophone, gigging occasionally around Austin, TX.

I have worked on embedded Linux distributions and toolchains, multi-core network processors, real-time OSes, networking stacks, bootloaders and hardware bring up. My current gig at Boundary is developing and maintaining a system and network analysis agent that runs on many OSes, from Solaris to Windows.

Last year, I wrote a blog post about software that was built into the Boundary agent, and OpenSSL was one of the biggest obstacles I encountered during its development, both building it and using its API.

After patching a lot of systems post-Heartbleed this year, and when LibreSSL first start showing up in the OpenBSD CVS sources, I decided to have a go at implementing a new build system, linking in bits from libbsd as needed. To my initial surprise, everything I tested it on just worked, so I pushed the results to GitHub. Things remained relatively quiet though.

One day, I noticed the referrals in the GitHub project shoot up after it was linked to by the Insane Coding blog. After the great analysis by insane coder, I quickly realized that libbsd's implementations might implement the outward API, but in a lot of cases do not actually implement the same security guarantees of many of the functions from OpenBSD. So, I set out to use or rewrite the best implementations that I could find to 'fill in the gaps'.

I was also maintaining a load of local patches on the libressl source itself, so to make things easier for myself, I pushed them to the tech@ list for review (to some initial trepidation.) I was happy to have some success and to find that the OpenBSD devs were interested in portability as well.

After a month or so of occasional maintenance and refinement of the port, Theo contacted me about some changes to the CSPRNG code in LibreSSL and gave me a heads-up on things that should change in my port. I was on vacation at the time, but I managed to get some of the initial infrastructure for getentropy(2) integrated with an ARM chromebook running Crouton. After that, I was invited to meet the rest of the OpenBSD team in Slovenia to work on an official port.

During this time, I did not really pay much attention to the other ports. But from what I hear, I was the last man standing, if you will :)

Undeadly: How was it working with the rest of the LibreSSL team? What did you learn that you didn't know before, and, conversely, what were you able to teach them?

bcook@: After recovering from a mixture of impostor syndrome and jet lag, it was a very pleasant experience. The team works very well together, and I enjoyed getting to know Miod, Ted, Philip, Theo, Joel, Mark, and Bob, as well as the rest of the OpenBSD team.

I did not know a lot about how the OpenBSD team coordinates itself before the hackathon. The tech@ and other mailing lists just seemed too quiet for the amount of development work that gets done. I also did not know how diverse the team was, which is pretty amazing.

I liked seeing how mistakes were found and rapidly corrected through peer review, or simply by everyone running the latest code all the time. It was also cool watching opposing sides of various technical issues argue in a very passionate way; I sometimes thought maybe a fight might break out! But then everyone would eventually chill out, think about it more, and come up with a good solution that made everyone happy.

I don't know if I really taught the team anything - they're really smart guys! Bob is probably learning a lot more about automake, autoconf and GitHub than he ever intended. We're all certainly expanding our repertoire of OS-specific hacks and features that we can use to coerce systems into working in secure and reliable ways. We especially learned that using the byte order macros on Solaris can be a very frustrating experience!

Undeadly: Is there anything you've taken away from your experience that you'd like to apply in your own work?

bcook@: Though the code that I typically work on already runs on a lot of different platforms, I learned much more about portability and POSIX details both from the OpenBSD team and the larger community. I would like to apply that knowledge to my own coding practices as well.

As far as the team dynamics, I felt quite at home. The 'Shut up and Hack' ethos of solving problems rather than complaining about them is something I will definitely continue.

Undeadly: Good to hear! Thanks for your time, and your work porting LibreSSL!

bcook@: Cool, it has been fun so far.

(Comments are closed)


Comments
  1. By Billy Larlad (69.178.112.236) on

    Thanks for your hard work, Brent! Looking forward to your interview on BSD Now next week!

    Comments
    1. By Cabal (Cabal) Maybe Cabal on https://lobste.rs/

      > Thanks for your hard work, Brent! Looking forward to your interview on BSD Now next week!

      And go Austin!

  2. By Anonymous Coward (192.154.107.106) on

    Unfortunately, the only link that works is the one to Brent's blog. Could the others be fixed, please? Thanks for this nice interview.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]