Interesting Arping bug report

Categories: coding, network, unix

A few months ago I was strolling in the Debian bug tracking system and found a curious bug filed against Arping, a program I maintain.

It said that unlike Arping 2.09, in Arping 2.11 the ARP cache was not updated after successful reply. I thought that was odd, since there's no code to touch the ARP cache, neither read nor write. Surely this behaviour hasn't changed?

Read the rest of this entry »

Shared libraries diamond problem

Categories: coding, unix

If you split up code into different libraries you can get a diamond dependency problem. That is you have two parts of your code that depend on different incompatible versions of the same library.

Normally you shouldn't get in this situation. Only someone who hates their users makes a non backwards compatible change to a library ABI. You don't hate your users, do you?

Read the rest of this entry »

Be careful with hashmaps

Categories: coding, security

As you remember from long ago hashes are O(1) best case, but can be O(n) if you get hash collisions. And if you're adding n new entries that means O(n^2).

I thought I'd take a look at the hash_set/hash_map GNU C++ extension.

Read the rest of this entry »

Benchmarking TPM-backed SSL

Categories: hsm, network, security, tpm

As you can plainly see from this graph, my TPM chip can do approximately 1.4 SSL handshakes per second. A handshake takes about 0.7 seconds of TPM time, so when two clients are connecting the average connect time is 1.4 seconds. This means probably not useful on server side, but should be good for some client side applications.

Read the rest of this entry »

TPM-backed SSL

Categories: coding, hsm, network, security, tpm

This is a short howto on setting up TPM-backed SSL. This means that the secret key belonging to an SSL cert is protected by the TPM and cannot be copied off of the machine or otherwise inspected.

Meaning even if you get hacked the attackers cannot impersonate you, if you manage to kick them off or just shut down the server. The secret key is safe. It has never been outside the TPM and never will be.

This can be used for both client and server certs.

Read the rest of this entry »