[gnutls-dev] Re: Intent to implement DTLS

[Guus Sliepen]

On Sat, May 07, 2005 at 04:54:12PM +0200, Simon Josefsson wrote:

> 1. Implement it grossly, possibly modifying existing functions, until
>    it interoperate with OpenSSL.
> 
> 2. Building on what you've learned doing 1, write up a suggestion of
>    what you think a clean API would be and post it here.  Try not to
>    think about how you would actually implement that API, but rather
>    how it would be used.  Perhaps some discussion at this point.
> 
> 3. Change the code to implement the clean API.

It is not hard to make the API clean; the DTLS protocol is such that it
works almost exactly like TLS for the application; no need to change the
semantics of gnutls_handshake() and gnutls_record_send/recv().

Implementing it will be a bit harder than I thought at first sight. The
problem is that internally, GNUTLS has no clear seperation between the
layers involved in TLS, and it is heavily biased towards TCP. This
combination is a disaster for me :). I see two ways to proceed.

1) Create copies of all handshake, record and transport layer functions
and modify them to do DTLS instead of TLS. This means lots of code
duplication, but at least it won't mess with the existing code.

2) "Fix" the current code by (re)introducing a clean separation between
the handshake, record and transport layer, and remove the bias towards
TCP. This means adding DTLS on top of it will be painless and there
won't be lots of code duplication.  However it will touch a lot of
existing code.

I strongly favour the second way, but if that means the chances of
having it merged are nihil, I'll go with the first way.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at sliepen.eu.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: </pipermail/attachments/20050509/7e974038/attachment.pgp>