Toke Høiland-Jørgensen <toke(a)toke.dk> wrote Fri, 23 Sep 2016 18:56:48 +0200:
Linus Nordberg <linus(a)nordu.net> writes:
Toke Høiland-Jørgensen <toke(a)toke.dk> wrote Fri, 23 Sep 2016 15:18:10 +0200:
>> I'm maintaining a radsecproxy package for OpenWRT/LEDE which runs
>> openssl 1.0.2h. Keeping compatibility with that would be nice :)
>
> The least painful way of supporting 1.0.2 that I've found is to stop
> using libcrypto (from OpenSSL) for MD5 and HMAC(MD5).
>
> The openssl11 branch [1] now uses libnettle instead. Please give it a
> try with 1.0.2 and let me know if things still work well for you. Don't
> forget to try to authenticate some users and please test both successful
> and failing authentication attempts. There's a chance for actual
> breakage here.
>
> [1] https://git.nordu.net/?p=radsecproxy.git;a=shortlog;h=refs/heads/openssl11&…
Well, it compiles on openwrt at least (or rather, the master branch
does). However, pulling in two crypto libraries on an embedded platform
is not ideal. Would it be feasible to drop openssl entirely in favour of
libnettle? Or maybe something like mbedtls (formerly polarssl;
https://tls.mbed.org/)?

> What are the issues with two libraries? Size? Assuming you're linking
> statically I wouldn't expect the few libnettle functions to be too
> expensive. But I haven't checked closely.
Static linking? Blasphemy! ;) But no, I don't have hard numbers on the
size differences either way. And this is not something that's bothering
me enough to write code. Just thought I'd point it out as a
consideration for when you're doing house-cleaning and/or planning
future development directions :)
It's a good point and one that I didn't consider when adding libnettle
as an unconditional dependency. Actually, I'm not thinking of
radsecproxy as something living on anything smaller than a "server" in
a "data center". Anyone else running radsecproxy in a more constrained
environment?
(Last time I looked at embedded, shared libraries were out of the
question. Since then, I guess there are more flavours to consider than
"embedded" and "not embedded". :))
Well, the LEDE/OpenWrt people are doing a great job of building a modern
Linux distro (including dynamic linking :)) that fits in a couple of
megabytes of flash. One of the ways of achieving that is asking for
basically every change: What is the image size impact?
And the nice thing about using radsecproxy on such a device is that it
means you can offload all the user authentication to one of those
"server" thingies. I'm not sure how many people actually use the
radsecproxy package, but someone contributed scripts to generate
configuration from the platform-specific configuration language. So I
guess someone is finding it useful :)
-Toke
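The thread's practical worry is that the two primitives a RADIUS proxy takes from its crypto library, MD5 for the Response Authenticator and HMAC-MD5 for the Message-Authenticator attribute, now come from libnettle instead of libcrypto, and that a mismatch would only show up as authentications silently failing (or, worse, bad ones passing). The example below is added here for illustration and is not radsecproxy code; it uses Python's hashlib/hmac as the backend under test, and the shared secret, identifiers and packets are constructed. It shows the check a packager would run before shipping a build with a swapped backend: a known-answer test against the RFC 2202 HMAC-MD5 vectors, then a constructed Access-Request and Access-Accept run through both the success path and the failure paths (wrong secret, tampered attribute, bad length, forged reply).

```python
"""Known-answer and accept/reject checks for the MD5 and HMAC-MD5 a RADIUS
proxy gets from its crypto library. Added example, not radsecproxy code."""
import hashlib
import hmac
import os
import struct

# RFC 2202 section 2, HMAC-MD5 test cases 1-3. Any replacement backend
# (libnettle, libcrypto, anything else) must reproduce these exactly.
RFC2202_HMAC_MD5 = [
    (b"\x0b" * 16, b"Hi There", "9294727a3638bb1c13f48ef8158bfc9d"),
    (b"Jefe", b"what do ya want for nothing?", "750c783e6ab0b503eaa86e310a5db738"),
    (b"\xaa" * 16, b"\xdd" * 50, "56be34521d144c88dbb8c733f0e8b3f6"),
]

def hmac_md5(key, data):
    """The HMAC-MD5 primitive; hashlib/hmac stand in for the library under test."""
    return hmac.new(key, data, hashlib.md5).digest()

def backend_passes_kat(fn=hmac_md5):
    """True only if the backend reproduces every RFC 2202 vector."""
    return all(fn(k, d).hex() == want for k, d, want in RFC2202_HMAC_MD5)

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows

def attr(t, value):
    """One RADIUS attribute: Type, Length (covering these two bytes too), Value."""
    return bytes([t, 2 + len(value)]) + value

def build_access_request(secret, ident, request_auth, attrs):
    """Access-Request with a Message-Authenticator (RFC 2869 section 5.14):
    HMAC-MD5 over the whole packet with the attribute's value set to zeros."""
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth
    mac = hmac_md5(secret, header + body)
    return header + body[:-16] + mac   # replace the 16 zero bytes with the MAC

def verify_message_authenticator(secret, packet):
    """Walk the TLVs, zero the received MAC, recompute, compare in constant time.
    A malformed length is a verification failure, never an exception."""
    if len(packet) < 20:
        return False
    code, ident, length = HEADER.unpack_from(packet)
    if length != len(packet):
        return False
    pos, found = 20, None
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            found = pos + 2
        pos += l
    if found is None:
        return False
    zeroed = packet[:found] + b"\x00" * 16 + packet[found + 16:]
    return hmac.compare_digest(hmac_md5(secret, zeroed), packet[found:found + 16])

def response_authenticator(secret, code, ident, request_auth, attrs):
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    hdr = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()

def build_response(secret, code, ident, request_auth, attrs=b""):
    hdr = HEADER.pack(code, ident, 20 + len(attrs))
    return hdr + response_authenticator(secret, code, ident, request_auth, attrs) + attrs

def verify_response(secret, request_auth, packet):
    """Check a reply against the Request Authenticator we sent. Returns the
    code (Accept/Reject) only on success, None otherwise."""
    if len(packet) < 20:
        return None
    code, ident, length = HEADER.unpack_from(packet)
    if length != len(packet):
        return None
    expected = response_authenticator(secret, code, ident, request_auth, packet[20:])
    return code if hmac.compare_digest(expected, packet[4:20]) else None

def demo():
    """Success path plus the failure paths the thread asks testers to exercise."""
    secret, request_auth = b"constructed-shared-secret", os.urandom(16)  # constructed
    req = build_access_request(secret, 7, request_auth, [attr(ATTR_USER_NAME, b"alice")])
    tampered = req.replace(b"alice", b"mallo")   # same length, so only the MAC catches it
    accept = build_response(secret, ACCESS_ACCEPT, 7, request_auth)
    forged = build_response(b"wrong-secret", ACCESS_ACCEPT, 7, request_auth)
    return {
        "kat": backend_passes_kat(),
        "request_ok": verify_message_authenticator(secret, req),
        "request_wrong_secret": verify_message_authenticator(b"other", req),
        "request_tampered": verify_message_authenticator(secret, tampered),
        "accept_ok": verify_response(secret, request_auth, accept) == ACCESS_ACCEPT,
        "forged_accept": verify_response(secret, request_auth, forged),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

To use this against a real build, point `hmac_md5` at a thin wrapper around the library being tested (a ctypes call into libnettle or libcrypto, for instance) and re-run; the RFC 2202 vectors catch a wrong primitive outright, and the packet checks catch the more likely slip of computing the right primitive over the wrong bytes. Note that `verify_response` handles replies without a Message-Authenticator; a reply that carries one is checked the same way as a request, except that the Request Authenticator stays in the header while the HMAC is computed.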