Topics

[RFC] TLS API(s) for Socket-based applications in Zephyr


Paul Sokolovsky
 

Hello,

It occurred to me that the matter of TLS API for BSD Sockets based
application, which was discussed for few months at the online (spoken)
Zephyr Networking Forum meetings and in Github tickets, and recently,
at the TSC meetings, was never RFCed to the development list. As
recently there was request to send additional information to this list,
let me start with some introduction of the matter, so the context was
clear.

Currently, Zephyr supports TLS networking via its "net_app" API, which
is Zephyr-specific and was shown to have some issues with developing
some kinds of applications. There's growing interest in adopting BSD
Sockets API, as also available in Zephyr, as means to address these
issues and increase portability and reusability in general.

At the Networking Forum if December 2017, there was a call to develop
TLS API suitable for use with Sockets. (Just as net_app makes it
possible to use it with net_context native API of Zephyr). I
volunteered to design and implement such an API, and started on it soon
after NY holidays. The initial discussion happened in
https://github.com/zephyrproject-rtos/zephyr/issues/5900 , with
incremental implementation work following in
https://github.com/zephyrproject-rtos/zephyr/pull/5985 (nicknamed
"Zstraam API") . The pull request was targeted for 1.12, as planned LTS
release. It is ready for about a month now - technical issues resolved,
CI passes.

More recently, at the April Networking Forum, there was an alternative
proposal from Patrik Flykt, based around an idea of reusing Sockets API
directly for TLS communication, effectively pushing TLS under the level
of TCP/IP stack. A week-old work-in-progress PR for it is at
https://github.com/zephyrproject-rtos/zephyr/pull/7118 , nicknamed
"setsockopt-based approach" (note that a lot of discussion of it still
happens in #5985).


So, the following summarizes the situation:

1. There's one PR, which has been under detailed development for last 3
months, based on the previous agreement of a way to do it - by now
ready, but not approved (because of thoughts that an alternative may
offer more benefits).

2. There's a new alternative PR, not finished so far, and with some
concerns, both paradigmatic and technical, raised.


There's a concern that this situation deadlocks addition of TLS Sockets
API to 1.12 LTS, that's why this matter was raised for the TSC
consideration, who asked to provide specific additional information to
compare the 2 approaches. It's supposed to be sent in the following
messages.


Thanks,
Paul

Linaro.org | Open source software for ARM SoCs
Follow Linaro: http://www.facebook.com/pages/Linaro
http://twitter.com/#!/linaroorg - http://www.linaro.org/linaro-blog