Date: Sun, 29 Oct 2017 09:32:43 -0700 From: "Simon J. Gerraty" <sjg@juniper.net> To: Eric McCorkle <eric@metricspace.net> Cc: <bf1783@gmail.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>, "freebsd-security@freebsd.org security" <freebsd-security@freebsd.org>, Benjamin Kaduk <bjk@freebsd.org>, Ben Laurie <ben@links.org>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>, "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>, <sjg@juniper.net> Subject: Re: Crypto overhaul Message-ID: <95044.1509294763@kaos.jnpr.net> In-Reply-To: <61210249-105c-974c-1dae-1837e5969054@metricspace.net> References: <dc08792a-3215-611c-eb9f-4936a0d621f9@metricspace.net> <CAG5KPzws=jmF2wLeEAz8Lzn7Ugude=0w5neoQjeDjYnGtJpS9Q@mail.gmail.com> <13959.1509132270@critter.freebsd.dk> <CAG5KPzxGtAwV-svCv24FbZtLvxKCwX7OSyb2pPaTc63EUmFFGA@mail.gmail.com> <20171028022557.GE96685@kduck.kaduk.org> <23376.1509177812@critter.freebsd.dk> <20171028123132.GF96685@kduck.kaduk.org> <24228.1509196559@critter.freebsd.dk> <df46aaa5-13a9-2fc6-bcd2-d57d792800eb@metricspace.net> <28039.1509260726@critter.freebsd.dk> <CAGFTUwNzRiz4ifuPr6RWemPUAnZv-bMDaLag5HXgUxhw0-Hs4g@mail.gmail.com> <61210249-105c-974c-1dae-1837e5969054@metricspace.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Eric McCorkle <eric@metricspace.net> wrote: > Overall, I think LibreSSL is the best option, though there needs to be > some investigation into how easily it can be used for kernel and > boot-loader purposes. Things like libsodium are too narrow in their > focus, and BearSSL is too new. Our userland veriexec binary uses a libverify which is mostly just OpenSSL (originally structured that way for export reasons ;-) is 3.6M - at least 90% of that is just OpenSSL. I tried paring that library down to just the bits needed for loader. But had to give up at 3M. Which was when I encounterd BearSSL. Out of the box, it could verify our ECDSA cert chains as well as various RSA ones which was a pleasant surprise. libbearssl is < 1M and my loader is 347K with verifcation vs 237K without, so the entire verifcation implementation is only 110K --sjg
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?95044.1509294763>