libsoundio VS OpenSSL

Audio DSP is definitely the deep end of the pool. I believe the Zig programming language owes its creation to Andrew Kelley (the creator) trying to write stuff for an audio workbench going "damn, this is really hard to do with C, why does C suck so much" and just creating a language that's like C but without the bad parts to do it himself. I'm not joking, this is literally the origin of Zig as I've heard it from a podcast, and here is Andrew's old audio lib for proof: https://github.com/andrewrk/libsoundio

http://libsound.io is a great cross platform library for reading and writing to sound cards. i have used it successfully on macos and i’m sure it supports linux and possibly windows too. you will probably also need lib audio for reading and writing to files.

Hmm... after some research it seems that I've misunderstood Zig's situation a bit. Zig has introduced null-terminated string types a couple of years ago, but still encourages you to do most string operations with slices instead. Let me explain:

Zig's string literals (which you create with parenthesis like "Hello world!") are null-terminated byte arrays, expressed as the type const [N:0]u8 (where the :0 tells you that it's null-terminated), whereas the more typical array might be written as const [N]u8. The reason for this feature is not because the language wants you to use null-terminated strings, but because these static strings need to be stored in the global data section of the ELF executable, and these require you to use null-termination. But if you want to do any mutable operation with this string, you need to convert this into a proper slice (ptr + size). And it seems like Zig developers don't really use null-terminated types that much at the API level, but use it for things like C interop or cases where you really need it for special optimizations.

Noting that from the PR that introduced this feature, Andrew Kelley writes:

> I think you will find that the Zig community in general (and especially myself) agrees with you on this [null-terminated strings being fragile], and APIs in general should prefer slices to null terminated pointers. Even if you are using Zig to create a C library, and even in actual C libraries, I would recommend pointer and length arguments rather than null terminated pointers, like this: https://github.com/andrewrk/libsoundio/blob/1.1.0/soundio/so...

> That being said, I want to repeat what I said earlier about null terminated pointers: A null terminated array is not inherently an evil C concept that is intruding in the Zig language. It's a general data storage technique that is valid for some memory constrained use cases. I also stumbled on a Real Actual Use Case inside LLVM. The bottom line for me is that null terminated pointers exist in the real world, and especially in systems programming. You can see this in interfaces with the operating system in the standard library...

So he acknowledges null-terminated strings can certainly be useful in certain situations outside of legacy reasons, which is good to know. And Zig creating a special type for this shows that a good systems language needs to be designed to accommodate the needs of the outside world.

Perhaps you could use either http://libsound.io/ or SDL2 game library + SDLAudioIn (http://burningsmell.org/sdl_audioin/) which provides low-level APIs to access operating-system sound systems like Alsa, PulseAudio, PipeWire, and CoreAudio (not sure how well it is supported by SDL2).

Comparison: https://github.com/andrewrk/libsoundio/wiki/libsoundio-vs-SD...

Fun fact: Andrew Kelley, the creator of the Zig programming language, kind of created it so he could work on audio processing.

Based on: https://github.com/andrewrk/libsoundio/blob/master/example/sio_sine.c

Does this fit your needs? https://github.com/andrewrk/libsoundio

I listened to the Co-recursive podcast the other day that featured Andrew Kelley, the creator of the Zig programming language. Before Zig he developed Libsoundio - https://github.com/andrewrk/Libsoundio, to solve problems around realtime audio.

Audio will probably come later, but libsoundio will be the first thing in terms of groundwork. Integrating that in the same way we've integrated GLFW, so you can just cross compile and get cross-platform audio to boot.

ENV OPENSSL_PREFIX=/opt/openssl ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt WORKDIR /tmp RUN git clone --branch OpenSSL_1_0_2n https://github.com/openssl/openssl.git RUN cd openssl RUN ./config shared --prefix=$OPENSSL_PREFIX --openssldir=$OPENSSL_PREFIX/ssl RUN make RUN make install RUN rvm install 2.6.0 -C --with-openssl-dir=$OPENSSL_PREFIX ENV PATH /usr/local/rvm/bin:$PATH RUN rvm --default use ruby-2.6.0 ENV PATH /usr/local/rvm/bin:/usr/local/rvm/rubies/ruby-2.6.0/bin:$PATH ENV GEM_HOME /usr/local/rvm/rubies/ruby-2.6.0/lib/ruby/gems/2.6.0

Today, April 7th, 2024, marks the 10-year anniversary since CVE-2014-0160 was published. This security vulnerability known as "Heartbleed" was a flaw in the OpenSSL cryptography software, the most popular option to implement Transport Layer Security (TLS). In more layman's terms, if you type https:// in your browser address bar, chances are high that you are interacting with OpenSSL.

At this point I pretty much understand the entire process on how the xz backdoor came to be: its execution stages, extraction from binary "test" files etc. But one thing puzzles me: how can the ifunc mechanism be used to replace something like RSA_public_decrypt? Granted this probably stems from my lack of understanding of ifunc, but I was under the impression that in order for the ifunc mechanism to work in your code, you have to explicitly mark specific function with multiple implementations with __attribute__ ((ifunc ("the_resolver_function"))). Looking at the source code of the RSA function in question, ifunc attribute isn't present:

https://github.com/openssl/openssl/blob/master/crypto/rsa/rsa_crpt.c#L51

So how does the backdoor actually replace the call? Does this means that the ifunc mechanism can be used to override pretty much anything on the system?

OpenSSL and Go crypt/tls has no support yet, so none of the webservers that depend on them support it. Apache, Nginx, and Caddy, they all need upstream ECH support first.

- https://github.com/openssl/openssl/issues/7482

- https://github.com/openssl/openssl/pull/22938

- https://github.com/golang/go/issues/63369

If I'm understanding the draft correctly, I think the webserver you're hosting your sites on would need it implemented as it requires private keys and ECH configuration. In the example of nginx since it uses openssl, openssl would need to implement it. I found an issue on their Github but it's still open: https://github.com/openssl/openssl/issues/7482

I confirmed that the systm was on 1.1.1f with openssl version command. Hmm...... I check the openssl version in the repo with apt list... LOL package names wernt helpful. finally went to the repo pages and found that its still on 1.1.1f, https://launchpad.net/ubuntu/+source/openssl. Meenwhile I looked up the version history on https://www.openssl.org/ and saw that 1.1.1v was released at the beginning of this month... ok. I can understand it it was out less then 30 days. I looked up when f came out, end of MARCH 2020. NEARLY 3-1/2 YEARS