Is it coming? I notice that OpenSSL now has support for raw public keys.
The spec (RFC 7250, "Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)") suggests DANE/DNSSEC as a mechanism to bind identities to public keys (section 6).
There was a sense of "wasting a port". A modern Linux /etc/services has only 200 or so reserved TCP ports (out of a possible ~50k) so that fear might have been overblown.
I suspect the bureaucratic overhead of needing to go to IANA to reserve a new port might have had a chilling effect. See:
> you are supposed to still continue if you strictly follow the standard
Which standard? RFC 3207 (for STARTTLS over SMTP), 2002, says: "If the client receives the 454 response [TLS not available], the client must decide whether or not to continue the SMTP session".
FTR, on modern-ish glibc-powered systems (in code that actually does use libc, and does not do its very own syscall-related thing instead), you will not find a single call to open(2) issued, in my experience. That's because the library functions shadowing these syscalls were rewired to use openat(2) under the hood.
If you want to catch both `open` and `openat`, the opensnoop BPF[1] program is pretty nifty, especially if you are trying to figure out file stuff across several different programs ("which #$%^-ing program keeps modifying this file", for example).
[1] I've been dipping my toes into BPF recently, and while complicated (best to simply clone the bpftools repo and work off of that) there's a lot that can be done that tools like strace won't be able to match.
Ok, but then you will still need to parse the output to get the filenames. That's ok, but since it is something that is used a lot, you'd expect a flag.
If it's one filename-per-line then how do you encode filenames with embedded newlines?
How do you encode non-UTF8 characters, or is the file meant to be parsed only in binary mode?
I don't know of any generally agreed upon spec for this, so no matter what you think is right, most people are going to have to write a special-purpose parser.
In which case you might as well parse the native strace output since one is about as complex as the other.
It can use the same format as the Unix find utility. This utility has a -print0 flag to separate filenames by NUL characters instead of newlines if desired.
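As an added example (not code from any of the comments above), here is a small C reader for the `find -print0` / `xargs -0` style format the comment refers to. Each record is a NUL-terminated byte string, so a name containing a newline or non-UTF-8 bytes survives intact, and a consumer that wants to print names can classify them with a UTF-8 check instead of silently mangling them. The sample buffer is constructed for the example and mimics what `find -print0` would emit for four files.

```c
#include <stddef.h>
#include <string.h>

/* One record of a NUL-delimited list: a pointer into the buffer plus an explicit length,
   because a filename may legally contain '\n' or arbitrary non-UTF-8 bytes. */
typedef struct { const unsigned char *data; size_t len; } record_t;

/* Constructed sample: four names, one with an embedded newline, one with a lone 0xE9
   (Latin-1 "é", not valid UTF-8), one with the UTF-8 encoding of "é", one plain. */
const unsigned char kSampleFindOutput[] = "a\nb\0caf\xe9\0caf\xc3\xa9\0plain\0";
const size_t kSampleFindLen = sizeof kSampleFindOutput - 1;  /* drop the literal's own NUL */

/* Splits buf[0..len) on NUL. Stores at most `max` records in `out` and returns the total
   number of NUL-terminated records found (so a caller can size the array). Bytes after the
   last NUL are an incomplete record and are ignored, as xargs -0 style consumers do. */
size_t split_nul(const unsigned char *buf, size_t len, record_t *out, size_t max) {
    size_t n = 0, start = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\0') {
            if (n < max) { out[n].data = buf + start; out[n].len = i - start; }
            n++;
            start = i + 1;
        }
    }
    return n;
}

/* Returns 1 if the record is well-formed UTF-8 (rejecting overlong forms, surrogates and
   code points above U+10FFFF), 0 otherwise. A name that fails this check is still a valid
   Linux filename; a consumer should escape it for display rather than drop it. */
int record_is_utf8(const record_t *r) {
    size_t i = 0;
    while (i < r->len) {
        unsigned char c = r->data[i];
        size_t extra;
        if (c < 0x80) extra = 0;
        else if (c >= 0xC2 && c <= 0xDF) extra = 1;
        else if (c >= 0xE0 && c <= 0xEF) extra = 2;
        else if (c >= 0xF0 && c <= 0xF4) extra = 3;
        else return 0;                          /* stray continuation byte, 0xC0/0xC1, 0xF5+ */
        if (extra > r->len - 1 - i) return 0;   /* sequence runs past the end of the name */
        for (size_t k = 1; k <= extra; k++)
            if ((r->data[i + k] & 0xC0) != 0x80) return 0;
        if (extra > 1) {                        /* overlong 3/4-byte forms and surrogates */
            unsigned char c1 = r->data[i + 1];
            if ((c == 0xE0 && c1 < 0xA0) || (c == 0xED && c1 > 0x9F) ||
                (c == 0xF0 && c1 < 0x90) || (c == 0xF4 && c1 > 0x8F)) return 0;
        }
        i += extra + 1;
    }
    return 1;
}
```

Splitting on '\n' instead would cut the first name in two and glue the remainder together; the NUL format needs no escaping because NUL is the one byte a Unix path cannot contain.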
> RTLD_NODELETE (since glibc 2.2)
> Do not unload the shared object during dlclose(). Consequently, the object's static and global variables are not reinitialized if the object is reloaded with dlopen() at a later time.
Are there any other times when it's beneficial to use NODELETE?
You mean as opposed to never calling dlclose on the handle? If you specify RTLD_NODELETE, the dynamic linker can avoid some dependency tracking that would otherwise be needed to avoid premature unloading of the object, because that unloading can never happen.
However, the main application of NODELETE is the DF_1_NODELETE flag in the shared object itself. A typical use case is if the shared object installs a function pointer somewhere where it cannot be reverted as part of the dlclose operation. If the dlclose proceeds despite this, calling the function later will have hard-to-diagnose, unpredictable consequences. Rather than relying on dlclose never being called (which is difficult because the object might have been loaded as an indirect dependency, unbeknownst to the caller of dlopen), using the DF_1_NODELETE flag makes this explicit.
It's not really possible to safely unmap code in a library in the presence of various other useful features you might like to use, specifically thread-local storage, atfork, callbacks (and probably threads in general). Libvirt started to use this flag over a decade ago: https://libvir-list.redhat.narkive.com/TUbaBTsk/libvirt-patc...
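To make the RTLD_NODELETE semantics from the man page excerpt concrete, here is an added C program (not code from the comments, from libvirt, or from glibc) that builds a throwaway shared object at runtime with the system C compiler, then shows the two behaviours side by side: after dlclose() the plainly loaded object is unmapped and its global counter starts over, while the RTLD_NODELETE one stays mapped (dlopen with RTLD_NOLOAD still finds it) and keeps its state. It assumes a glibc-style dynamic linker, a `cc` on PATH (or `$CC`), and a writable, executable /tmp; the library source, paths and function names are all constructed for the example.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Source of the throwaway shared object: one global counter and a function that bumps it.
   Whether `counter` survives dlclose()+dlopen() tells us whether the object was really unmapped. */
static const char *kLibSource =
    "int counter = 0;\n"
    "int bump(void) { return ++counter; }\n";

/* Compiles kLibSource into a fresh temp dir with the system C compiler.
   Returns the .so path (static buffer) or NULL on failure. Assumes `cc` (or $CC) is on PATH. */
static const char *build_test_library(void) {
    static char so_path[256];
    char dir[] = "/tmp/nodelete-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return NULL;
    char c_path[256], cmd[1024];
    snprintf(c_path, sizeof c_path, "%s/demo.c", dir);
    snprintf(so_path, sizeof so_path, "%s/libdemo.so", dir);
    FILE *f = fopen(c_path, "w");
    if (f == NULL) return NULL;
    fputs(kLibSource, f);
    fclose(f);
    const char *cc = getenv("CC") ? getenv("CC") : "cc";
    snprintf(cmd, sizeof cmd, "%s -shared -fPIC -o %s %s", cc, so_path, c_path);
    if (system(cmd) != 0) return NULL;
    unlink(c_path);
    return so_path;
}

/* dlopen() with RTLD_NOW | extra_flags, bump the counter once, dlclose(), reopen without
   the extra flags and bump again. Returns the second value:
     1 -> the object was unmapped by dlclose(), so `counter` started again from 0
     2 -> the object stayed resident (RTLD_NODELETE), so `counter` kept its value
    -1 -> error */
int counter_after_reload(const char *so_path, int extra_flags) {
    void *h = dlopen(so_path, RTLD_NOW | extra_flags);
    if (h == NULL) return -1;
    int (*bump)(void) = (int (*)(void))dlsym(h, "bump");
    if (bump == NULL) { dlclose(h); return -1; }
    bump();
    dlclose(h);
    h = dlopen(so_path, RTLD_NOW);
    if (h == NULL) return -1;
    bump = (int (*)(void))dlsym(h, "bump");
    int value = bump ? bump() : -1;
    dlclose(h);
    return value;
}

/* RTLD_NOLOAD never loads anything; it only succeeds if the object is already mapped.
   Returns 1 if still mapped, 0 if not. */
int is_still_loaded(const char *so_path) {
    void *h = dlopen(so_path, RTLD_NOW | RTLD_NOLOAD);
    if (h == NULL) return 0;
    dlclose(h);
    return 1;
}

/* Runs the plain case first (it must: once the object is NODELETE it never leaves).
   out[0]: counter after plain reload     (expected 1)
   out[1]: still mapped after plain       (expected 0)
   out[2]: counter after NODELETE reload  (expected 2)
   out[3]: still mapped after NODELETE    (expected 1)
   Returns 0 on success, -1 if the library could not be built. */
int demo_results(int out[4]) {
    const char *so = build_test_library();
    if (so == NULL) return -1;
    out[0] = counter_after_reload(so, 0);
    out[1] = is_still_loaded(so);
    out[2] = counter_after_reload(so, RTLD_NODELETE);
    out[3] = is_still_loaded(so);
    unlink(so);                    /* the NODELETE mapping survives the unlink */
    char dir[256];
    snprintf(dir, sizeof dir, "%s", so);
    char *slash = strrchr(dir, '/');
    if (slash) { *slash = '\0'; rmdir(dir); }
    return 0;
}

int main(void) {
    int r[4];
    if (demo_results(r) != 0) { fprintf(stderr, "could not build demo library\n"); return 1; }
    printf("plain:    counter after reload = %d, still mapped = %d\n", r[0], r[1]);
    printf("NODELETE: counter after reload = %d, still mapped = %d\n", r[2], r[3]);
    return 0;
}
```

The flag-from-the-library side that the comment mentions, DF_1_NODELETE, is what GNU ld sets when the shared object is linked with `-z nodelete` (`-Wl,-z,nodelete` from the compiler driver); a library that registers callbacks it cannot unregister should carry that flag itself rather than hope every caller passes RTLD_NODELETE.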
The PDF ("sec23summer...") has a metadata creation/modification timestamp of 20221004165319Z (October 2022). So presumably the paper was written last October and released for Usenix 2023.
(Reference [12] is from Usenix July 2022. See "Prior work" in the introduction).
The spec (RFC 7250, "Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)") suggests DANE/DNSSEC as a mechanism to bind identities to public keys (section 6).
https://datatracker.ietf.org/doc/html/rfc7250
Will this really be simpler?