[Toybox] WGET: OpenSSL and BoringSSL Patch

Eric Molitor emolitor at molitor.org
Fri Oct 29 11:59:26 PDT 2021


I suspect having basic ssl_init, ssl_read, ssl_write, ssl_close would be
useful for quite a few use cases. I had thought about that earlier in the
week but it seemed like something to consider when implementing a second
use case.

Denny's stuff is interesting, I do prefer Thomas Pornin's BearSSL
implementation but it's an Apples / Oranges comparison. Constant-time,
security-focused and small vs Denny's make it as small as possible,
reducing security and validation along the way. But Thomas's development on
BearSSL has slowed to a crawl since he started developing new crypto
routines and looking at compression. Even so, BearSSL is still the only TLS
implementation that I know of (other than maybe WolfSSL) which has
withstood the various recent timing attacks.

Looking forward to your cleanup. I always learn something when you do so.

- Eric


On Fri, 29 Oct 2021, 6:30 pm Rob Landley, <rob at landley.net> wrote:

> On 10/29/21 7:03 AM, Eric Molitor wrote:
> > Attached is a reworked patch which adds OpenSSL and BoringSSL support to wget.
> > It avoids the use of OpenSSL's IO abstractions and uses default settings which
> > should be sensible on any modern OpenSSL (1.1+) or BoringSSL version.
>
> I'm a little uncomfortable having two different sets of code to do the same
> thing. I suppose they could be moved to portability.[ch]. The "link against both
> libraries" issue is back, but at least shouldn't conflict...
>
> > I tested it with the latest version of BoringSSL but it should also work with
> > the fips branch of BoringSSL, if that is still a thing at Google.
>
>
> https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips
>
> It's still a thing at the US Government, and all their suppliers. (Which is
> somewhere between 1/4 and 1/3 of the US economy: US GDP is ~$23 trillion and the
> 2021 estimated federal spending is just under $7 trillion...)
>
> > I also tested
> > it with OpenSSL 1.1.1l on Alpine and 1.1.1f on Ubuntu 20.04 LTS.
>
> Sigh. Applied (while grumbling), and I _really_ need to do a cleanup pass this
> weekend. (And ask Denys if I can get a license to his tls implementation.)
>
> > - Eric
>
> Rob
>