[Toybox] [RFC] ktls is in 4.13.

Robert Thompson robertt.thompson at gmail.com
Tue Sep 5 14:52:05 PDT 2017


When you get back to this, probably the two most useful places for seeing
how much existing tls code is required for ktls would be

https://github.com/ktls/af_ktls-tool/blob/master/client.c
https://github.com/ktls/af_ktls-tool/blob/master/xlibgnutls.c

The af_ktls-tool contains a bunch of testing noise, but also contains a
test client. The test client (starting around client.c line 1096) calls the
gnutls-based initiator (in xlibgnutls) then uses the ktls feature with the
gnutls-initiated session info.

It really looks like using ktls will depend on a full openssl or gnutls
library. Also, at the moment, ktls only implements one crypto suite (AES
GCM), so a client using ktls can't interoperate with all webservers. (on
the server side it matters less because the server-operator can choose only
to use AES GCM, and all clients will have to support that).




On Tue, Sep 5, 2017 at 5:33 AM, Rob Landley <rob at landley.net> wrote:

> On 09/04/2017 08:22 PM, Robert Thompson wrote:
> > From the toybox point of view, wouldn't this introduce direct link
> > dependency on ssl/tls libraries?
>
> There's already an optional dependency to accelerate hash calculations
> (CONFIG_TOYBOX_LIBCRYPTO), and another to accelerate zlib, so I'm ok
> with having that as an optional dependency.
>
> Having functionality you can _only_ get by linking that in is a much
> bigger ask. I want a self-contained system bootstrap build and/or
> hermetic build with minimal dependencies.
>
> So ideally I'd want the part of tls negotiation the kernel doesn't do
> implemented in toybox code, but I dunno how much that is yet...
>
> > If that's acceptable, the ktls stuff looks like a simple addition (on
> > top of base in-toybox tls) with potential performance improvements, once
> > the code settles down.
>
> Another thing is this adds a kernel version dependency, so I'd want a
> compile time probe for "is support there in this build environment"
> because http://landley.net/toybox/faq.html#support_horizon
>
> That said, my plan to spend the evening grinding on the toybox todo list
> seamlessly transitioned into hours analyzing GPS code and traces trying
> to figure out where the race condition is in the response to the
> correlator output (answer: there's two _different_ problems), so... :P
>
> Rob
> _______________________________________________
> Toybox mailing list
> Toybox at lists.landley.net
> http://lists.landley.net/listinfo.cgi/toybox-landley.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.landley.net/pipermail/toybox-landley.net/attachments/20170905/e99d4b75/attachment-0001.htm>


More information about the Toybox mailing list