On Fri, Jul 22, 2022 at 08:53:56AM -0700, Hayden Roche wrote:
> A while back, I did a port of chrony 4.1 to wolfSSL for crypto/NTS for one
> of our (wolfSSL's) customers. Here's where we host the patch:
> https://github.com/wolfSSL/osp/tree/master/chrony/4.1
>
> Would you be interested in having this upstream? If so, I'll clean up the
> patch and make any changes needed to get it to play with the latest code.
There might be interest, but I'd like to get an idea on what would be the benefits, how much code it would be and how difficult it would be to maintain.

wolfSSL doesn't seem to be widely used on desktop/server systems. For example, it's not packaged in Fedora, so I'd need to build it myself for testing. On OpenWrt, which I use heavily and where I maintain the chrony package, the system wolfSSL doesn't seem to have all the options needed for chrony. After a rebuild it looks like it would increase the size substantially, so I guess it couldn't be the default.

My first objection to the patch would be that it duplicates the nts_ke_session code. I tried to diff the two files and it looks like most of the used GnuTLS functions have an equivalent in wolfSSL, or they could be emulated easily. If I'm missing some important detail, please let me know.

Have you considered writing a minimal library that would provide all the GnuTLS functions in order for chronyd to work on top of wolfSSL? It could be a separate project and I'd be happy to link to it on the chrony website.

If that is not practical and some agreement is reached that it should be supported in the chrony code, I think the patches would need to:

1. define some interface for the TLS functions (tls.h)
2. refactor the session code to have all gnutls-specific code in a separate file (tls_gnutls.c)
3. add the wolfSSL support (tls_wolfssl.c)

This would be similar to the hash/cmac/siv providers. I could help with 1. and 2.

We would need to be careful and make sure that there are no security issues, blocking calls, etc.

-- 
Miroslav Lichvar

-- 
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the subject.
Trouble? Email listmas...@chrony.tuxfamily.org.