Eric McCorkle <[email protected]> wrote:
> Overall, I think LibreSSL is the best option, though there needs to be
> some investigation into how easily it can be used for kernel and
> boot-loader purposes. Things like libsodium are too narrow in their
> focus, and BearSSL is too new.

Our userland veriexec binary uses a libverify which is mostly just OpenSSL (originally structured that way for export reasons ;-) is 3.6M - at least 90% of that is just OpenSSL.

I tried paring that library down to just the bits needed for loader. But had to give up at 3M. Which was when I encountered BearSSL. Out of the box, it could verify our ECDSA cert chains as well as various RSA ones which was a pleasant surprise.

libbearssl is < 1M and my loader is 347K with verification vs 237K without, so the entire verification implementation is only 110K

--sjg
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
