Re: [chrony-dev] wolfSSL support
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-dev] wolfSSL support
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Wed, 27 Jul 2022 10:47:45 +0200
On Tue, Jul 26, 2022 at 02:47:39PM -0700, Hayden Roche wrote:
> > There might be interest, but I'd like to get an idea on what would be the
> > benefits, and how difficult it would be to maintain.
>
> wolfSSL's primarily used in the embedded world, as it's much smaller than
> OpenSSL and similar libraries. wolfSSL also has a valid (i.e. not expired)
> FIPS 140-2 cert and a 140-3 cert on the way. The customer that drove this
> work needed wolfSSL for FIPS compliance.
GnuTLS has a FIPS mode and I think is certified too, at least on some
systems, but I'm not very familiar with the process.
> Are you asking about the size of libwolfssl or how much code would be added
> to chrony? For the former, it really depends on how wolfSSL is configured,
> but like I said, generally it's much smaller than libcrypto/libssl. For the
> latter, somewhere in the ballpark of the line additions of the patch I sent.
The size of the extra code in chrony. Your patch adds about 1400
lines. With the refactoring I guess it could be less than 1000.
If the code was easy to understand and maintain, that might be
acceptable.
> How are you building wolfSSL? And can you share your build size comparison?
> I'm decently confident I can reduce the size to an acceptable range once
> I've got an idea of what a "good" size is.
I added "--enable-chrony --enable-aessiv --enable-md5" to the wolfssl
Makefile in the OpenWrt 21.02 branch. On the mips target the size of
the library increased from 1100899 to 1174755 bytes. I didn't ask, but
I suspect that is too much to be accepted as the default just for one
optional package that few users have installed.
> > Have you considered writing a minimal library that would provide all the
> > GnuTLS functions in order for chronyd to work on top of wolfSSL?
>
> If I understand correctly, you're talking about a library that just maps
> the GnuTLS functions onto wolfSSL functions? If so, that seems less
> user-friendly than just letting users --enable-wolfssl/--with-wolfssl to a
> regular libwolfssl, rather than a shim library. GnuTLS can of course still
> be the default.
I don't think there would be many users building chrony+wolfssl from
scratch. The steps could be documented. However, I understand that
it's not an ideal approach.
--
Miroslav Lichvar