On Tue, Jul 26, 2022 at 02:47:39PM -0700, Hayden Roche wrote:
> > There might be interest, but I'd like to get an idea on what would be the
> > benefits, and how difficult it would be to maintain.
>
> wolfSSL's primarily used in the embedded world, as it's much smaller than
> OpenSSL and similar libraries. wolfSSL also has a valid (i.e. not expired)
> FIPS 140-2 cert and a 140-3 cert on the way. The customer that drove this
> work needed wolfSSL for FIPS compliance.

GnuTLS has a FIPS mode and I think is certified too, at least on some
systems, but I'm not very familiar with the process.

> Are you asking about the size of libwolfssl or how much code would be added
> to chrony? For the former, it really depends on how wolfSSL is configured,
> but like I said, generally it's much smaller than libcrypto/libssl. For the
> latter, somewhere in the ballpark of the line additions of the patch I sent.

The size of the extra code in chrony. Your patch adds about 1400 lines.
With the refactoring I guess it could be less than 1000. If the code was
easy to understand and maintain, that might be acceptable.

> How are you building wolfSSL? And can you share your build size comparison?
> I'm decently confident I can reduce the size to an acceptable range once
> I've got an idea of what a "good" size is.

I added "--enable-chrony --enable-aessiv --enable-md5" to the wolfssl
Makefile in the OpenWrt 21.02 branch. On the mips target the size of the
library increased from 1100899 to 1174755 bytes. I didn't ask, but I
suspect that is too much to be accepted as the default just for one
optional package that few users have installed.

> > Have you considered writing a minimal library that would provide all the
> > GnuTLS functions in order for chronyd to work on top of wolfSSL?
>
> If I understand correctly, you're talking about a library that just maps
> the GnuTLS functions onto wolfSSL functions? If so, that seems less
> user-friendly than just letting users --enable-wolfssl/--with-wolfssl to a
> regular libwolfssl, rather than a shim library. GnuTLS can of course still
> be the default.

I don't think there would be many users building chrony+wolfssl from
scratch. The steps could be documented. However, I understand that it's
not an ideal approach.

-- 
Miroslav Lichvar