Possibility to use BearSSL as cryptographic provider

I’m curious to know if anyone has considered using (or attempted to use) BearSSL as a cryptographic provider for SQLCipher.

Is it possible that SQLCipher’s ./configure logic could be adapted to support BearSSL?

By “possible” I mean realistic, i.e. not involving massive changes to how it works now. I feel I’m not familiar enough with autotools and SQLCipher’s internals to make an assessment.

Hello @michaelb - it is certainly feasible to add cryptographic providers to SQLCipher. This basically involves writing a shim for the provider to call all the appropriate functions. Here is an example written for NSS:

sqlcipher/crypto_nss.c at master · sqlcipher/sqlcipher (github.com)

Once that is in place, you can programmatically change the provider. In order to extend it to be a default provider, you’d need to implement additional changes in a few other files and the build chain.

That said, we haven’t really considered adding BearSSL as a provider, since we already support a fairly large number with OpenSSL, CommonCrypto, NSS, and LibTomCrypt. Thus we haven’t seen a compelling reason to incorporate others like BearSSL. Is there a specific reason one of the other providers wouldn’t work for you?

We wrote a provider for BearSSL a while ago but did not release it so far because we wanted to have it verified first. I can provide the code and make a PR (we would have done that anyway at some point once we’re certain that we want to proceed with it).

The major advantage of having a BearSSL provider for us is deployment because it can be very easily statically compiled compared to most of the other crypto providers, especially OpenSSL.

Hi @lgrahl

Out of curiosity, what hurdles did you have creating a static library of OpenSSL, or, can you share how you found that easier to do with BearSSL?

Exactly this, that’s why I asked originally.

I didn’t notice replies on this thread for a long time, sorry about that.

If you could release it, that would be wonderful. :grinning:

To be fair, the setup we have is a bit special:

We build SQLCipher within a Node GYP build file for usage with Node. Certainly we could also build OpenSSL statically for each platform in a pre-step and then link the static library of OpenSSL within the GYP build file. But that pre-step would require different scripts for each OS.

Due to BearSSL’s static linking model, it was extremely easy to just integrate building BearSSL itself into the GYP build file. This means that the whole build process works on all OSes that GYP supports.

TL;DR Integrability of BearSSL into other build systems is pretty neat when coupled with SQLite/SQLCipher amalgamation since it doesn’t require any complicated configuration.

Edit: Here’s the promised PR. As a side note, we’re still considering whether we will use this in production but think it’s a useful binding.