Re: [chrony-dev] wolfSSL support



On Fri, Jul 22, 2022 at 08:53:56AM -0700, Hayden Roche wrote:
> A while back, I did a port of chrony 4.1 to wolfSSL for crypto/NTS for one
> of our (wolfSSL's) customers. Here's where we host the patch:
> https://github.com/wolfSSL/osp/tree/master/chrony/4.1
> 
> Would you be interested in having this upstream? If so, I'll clean up the
> patch and make any changes needed to get it to play with the latest code.

There might be interest, but I'd like to get an idea on what would be
the benefits, how much code it would be and how difficult it would be
to maintain.

wolfSSL doesn't seem to be widely used on desktop/server systems. For
example, it's not packaged in Fedora, so I'd need to build it myself
for testing. On OpenWrt, which I use heavily and where I maintain the
chrony package, the system wolfSSL doesn't seem to have all the
options needed for chrony. After a rebuild it looks like it would
increase the size substantially, so I guess it couldn't be the
default.

My first objection to the patch would be that it duplicates the
nts_ke_session code. I tried to diff the two files and it looks like
most of the used GnuTLS functions have an equivalent in wolfSSL, or
they could be emulated easily. If I'm missing some important detail,
please let me know.

Have you considered writing a minimal library that would provide all
the GnuTLS functions in order for chronyd to work on top of wolfSSL?
It could be a separate project and I'd be happy to link to it on the
chrony website.

If that is not practical and some agreement is reached that it
should be supported in the chrony code, I think the patches would need
to:

1. define some interface for the TLS functions (tls.h)
2. refactor the session code to have all gnutls-specific code in a
   separate file (tls_gnutls.c)
3. add the wolfSSL support (tls_wolfssl.c)

This would be similar to the hash/cmac/siv providers. I could help
with 1. and 2. We would need to be careful and make sure that there
are no security issues, blocking calls, etc.

-- 
Miroslav Lichvar
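
The layering proposed in steps 1 to 3 of the message above, sketched as an added example; it is not code from chrony, from the wolfSSL patch, or from either author. Every name in it (TlsBackend, TlsResult, KeSession, fake_backend and the functions) is hypothetical, and the fake backend is a constructed stand-in for tls_gnutls.c or tls_wolfssl.c. It shows the session code making one backend call per socket event, so a backend that cannot make progress returns TLS_AGAIN instead of blocking, and a failed handshake closes the session.

```c
#include <stddef.h>

/* Hypothetical tls.h: every backend maps its own return codes to these. */
typedef enum { TLS_DONE, TLS_AGAIN, TLS_FAILED } TlsResult;

typedef struct {
  const char *name;
  TlsResult (*handshake)(void *ctx);  /* returns TLS_AGAIN, never blocks */
  TlsResult (*shutdown)(void *ctx);
} TlsBackend;

/* Constructed stand-in backend: the handshake needs several socket-ready
   events and fails at the end if certificate verification failed. */
typedef struct { int rounds_left; int cert_ok; } FakeCtx;

static TlsResult fake_handshake(void *p) {
  FakeCtx *c = p;
  if (c->rounds_left > 0) { c->rounds_left--; return TLS_AGAIN; }
  return c->cert_ok ? TLS_DONE : TLS_FAILED;
}
static TlsResult fake_shutdown(void *p) { (void)p; return TLS_DONE; }

const TlsBackend fake_backend = { "fake", fake_handshake, fake_shutdown };

/* Backend-independent session code: it only sees TlsBackend. */
typedef enum { KE_HANDSHAKE, KE_ESTABLISHED, KE_CLOSED } KeState;
typedef struct {
  const TlsBackend *tls; void *ctx; KeState state; int events;
} KeSession;

/* Called once per socket-ready event: exactly one backend call, no retry loop. */
KeState ke_on_socket_event(KeSession *s) {
  s->events++;
  if (s->state != KE_HANDSHAKE) return s->state;
  switch (s->tls->handshake(s->ctx)) {
    case TLS_DONE:  s->state = KE_ESTABLISHED; break;
    case TLS_AGAIN: break;                      /* wait for the next event */
    default:        s->tls->shutdown(s->ctx);   /* fail closed on any error */
                    s->state = KE_CLOSED; break;
  }
  return s->state;
}

/* Simulated event loop with a bounded number of events; returns events used. */
int run_events(KeSession *s, int max_events) {
  while (s->state == KE_HANDSHAKE && s->events < max_events)
    ke_on_socket_event(s);
  return s->events;
}
```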

