Crypto overhaul

Simon J. Gerraty sjg at juniper.net
Sun Oct 29 16:32:55 UTC 2017


Eric McCorkle <eric at metricspace.net> wrote:
> Overall, I think LibreSSL is the best option, though there needs to be
> some investigation into how easily it can be used for kernel and
> boot-loader purposes.  Things like libsodium are too narrow in their
> focus, and BearSSL is too new.

Our userland veriexec binary uses a libverify which is mostly just
OpenSSL (originally structured that way for export reasons ;-)
is 3.6M - at least 90% of that is just OpenSSL.

I tried paring that library down to just the bits needed for loader.
But had to give up at 3M.

Which was when I encountered BearSSL.
Out of the box, it could verify our ECDSA cert chains as well as
various RSA ones which was a pleasant surprise.

libbearssl is < 1M and my loader is
347K with verification vs
237K without, so
the entire verification implementation is only 110K

--sjg

