From: Herbert Xu Subject: Re: [RFC] MPI module Date: Fri, 30 Jan 2009 14:25:06 +1100 Message-ID: <20090130032506.GA2822@gondor.apana.org.au> References: <20090130001523.GA909@artemis.corp> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: linux-crypto@vger.kernel.org To: Pierre Habouzit Return-path: Received: from rhun.apana.org.au ([64.62.148.172]:32948 "EHLO arnor.apana.org.au" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751508AbZA3DZJ (ORCPT ); Thu, 29 Jan 2009 22:25:09 -0500 Content-Disposition: inline In-Reply-To: <20090130001523.GA909@artemis.corp> Sender: linux-crypto-owner@vger.kernel.org List-ID: Pierre Habouzit wrote: > > My endgame is simple, I'd like to see an in-kernel SSL/TLS > implementation in Linux happen. There are many reasons to want that, > ranging from performance reasons (waking the userland each time you > perform a handshake isn't particularly nice, and it's easy to make > system-wide session caches) to really cool features being enabled: > - you can send "secure" file descriptors around through Unix Sockets, > or prepare a "secure" socket, let it be your stdin/stdout pair and > exec a service knowing nothing about SSL (think inetd-like stuff) ; > - you can deploy secure services where the actual server knows nothing > about the certificate that is used ; > - you can have a system-wide service dealing with peer certificate > validations and have a real system-wide policy in this regard ; > - you could even think of some netfilter stuff to enforce security on > a given socket, even if the service behind the socket knows nothing > about it (bye bye stunnel)... > > Nowadays, the kernel has most of what we need cipher-wise for TLS/SSL. > Only the key-exchange protocols and the very TLS protocol are lacking. > I'm currently addressing the former issue, namely, bringing RSA and > Diffie-Hellman to the kernel. Stop right there. There is absolutely no reason why you need to do the TLS stuff in kernel to achieve the goals you listed above. What you should do is have user-space create the session, and then give the keys to the kernel to do the data-path. Please take a look at IPsec for an example of how the work is divided between user-space and the kernel. Cheers, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt