-
Notifications
You must be signed in to change notification settings - Fork 145
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BoringSSL-based binary packages #619
Comments
You want to install themis which is statically compiled with some backend (openssl/boringssl) to not install openssl/boringssl to your system? Or you want some API to configure themis at runtime from your app with already initialized backend engine (like some "engine" object from openssl)? |
This. It's about providing |
I would even go as far as remove the statically compiled openssl/boringssl at all. My suspicion is that from the whole openssl API, soter uses a very limited set of crypto operations, which could be just embedded (cherry-picked) into the soter code directly. openssl comes also with an extended X.509 API that it's not needed. IMHO there are a number of advantages of not depending on any underlying SSL library.
@gene-eu @vixentael what's your take on this? |
Modern linkers have a dead code elimination pass and are able to remove whatever code is unused during static linkage. Admittedly, it's coarse because OpenSSL encryption API uses EVP abstraction and we're using it through that, so it's not like linker will remove everything besides exactly the code Soter uses. But it should remove the |
To put some numbers to where my mouth is, here are sizes that Themis currently has with typical builds on a typical x86_64 machine with Linux.
* This is what is shipped in packaged binary form, everything else are custom builds. That said, it seems I have been overoptimistic about linker capabilities, but I'm still fairly sure that we can do something about size optimizations (they were never a priority). How I did the measurementsShared library dynamically linked against system OpenSSLBuild:
On-disk sizes can be measured with
The application package will bundle 162.6 KB of libraries. Additionally, 2.79 MB of libcrypto will be installed by dependency manager, plus whatever else is in the package since it typically includes In-memory size can be estimated with
So the appliction process will load 148.7 KB of Themis into memory, followed by 2.78 MB of OpenSSL, for a total of 2.92 MB of virtual memory usage (plus some 13 KB of zero pages). Shared library statically linked against system OpenSSLThere is no easy option to do this, but it can be hacked in the following way:
We currently don't really support static builds so some additional flags have to be manually added to enable appropriate size optimizations. On-disk sizes:
That's not much, to be honest: 2.5 MB installation size. Probably because of the way OpenSSL is compiled, the linker was not able to remove some code (like, X.509 parsing is still there). In-memory sizes:
No significant change here either, 2.49 MB of virual memory, give or take. Shared library statically linked against vendored BoringSSLThis is supported better in the build system, but some flags are still necessary:
On-disk size:
This is a bit better, as you can see: 0.97 MB installation size. There is still some room for optimization as I see some unnecessary symbols in the binaries before stripping. In-memory size:
Memory image is also a bit smaller, for a total of 0.96 MB. If memory is premium and static linkage is used for Themis as well, it's possible to shave off even more because the linker will throw out parts of Themis/Soter that are not used. For example, if the application does not use Secure Session or Comparator, they won't be included along with ed25519 handling code that they need. It won't throw things like RSA support even if it's not needed though, but there is some room for tailored builds if someone really needs to be minimal. |
TLDR: a. I'm completely against cherry-picking openssl/boringssl code into Soter and maintaining it on our own. Due to numerous reasons: security, "do not implement your own crypto", maintainability and speed of fixes. b. I'm not against shipping yet-another-Themis with statically linked BoringSSL package, but it should solve some real world use-cases. What use-case are we trying to solve here? |
|
Is your feature request related to a problem? Please describe.
Current packaging options for Themis provide only packages that rely on system's OpenSSL. This is convenient on general-purpose server platforms. However, more and more deployments forgo TLS support entirely, leaving it to edge machines, with data-processing ones not having a need to include OpenSSL. Embedded systems may not fit the entire OpenSSL library too.
Describe the solution you'd like to see
It would be nice for Themis to ship with prebuilt packages that don't depend on system OpenSSL, using embedded BoringSSL.
Describe alternatives you've considered
Current alternative is to build Themis from source to use it with applications that already use BoringSSL and do not rely on systems's OpenSSL. This is more involved that installing it from the package, but should work.
The text was updated successfully, but these errors were encountered: