Crypto overhaul
Simon J. Gerraty
sjg at juniper.net
Sun Oct 29 16:32:55 UTC 2017
Eric McCorkle <eric at metricspace.net> wrote:
> Overall, I think LibreSSL is the best option, though there needs to be
> some investigation into how easily it can be used for kernel and
> boot-loader purposes. Things like libsodium are too narrow in their
> focus, and BearSSL is too new.
Our userland veriexec binary uses a libverify which is mostly just
OpenSSL (originally structured that way for export reasons ;-)
is 3.6M - at least 90% of that is just OpenSSL.
I tried paring that library down to just the bits needed for loader.
But had to give up at 3M.
Which was when I encounterd BearSSL.
Out of the box, it could verify our ECDSA cert chains as well as
various RSA ones which was a pleasant surprise.
libbearssl is < 1M and my loader is
347K with verifcation vs
237K without, so
the entire verifcation implementation is only 110K
--sjg
More information about the freebsd-arch
mailing list