Possibility to use BearSSL as cryptographic provider

I’m curious to know if anyone has considered using (or attempted to use) BearSSL as a cryptographic provider for SQLCipher.

Is it possible that SQLCipher’s ./configure logic could be adapted to support BearSSL?

By “possible” I mean realistic, i.e. not involving massive changes to how it works now. I feel I’m not familiar enough with autotools and SQLCipher’s internals to make an assessment.

Hello @michaelb - it is certainly feasible to add cryptographic providers to SQLCipher. This basically involves writing a shim for the provider to call all the appropriate functions. Here is an example written for NSS:

sqlcipher/crypto_nss.c at master · sqlcipher/sqlcipher (github.com)

Once that is in place, you can programmatically change the provider. In order to extend it to be a default provider, you’d need to implement additional changes in a few other files and the build chain.

That said, we haven’t really considered adding BearSSL as a provider, since we already support a fairly large number with OpenSSL, CommonCrypto, NSS, and LibTomCrypt. Thus we haven’t seen a compelling reason to incorporate others like BearSSL. Is there a specific reason one of the other providers wouldn’t work for you?

We wrote a provider for BearSSL a while ago but did not release it so far because we wanted to have it verified first. I can provide the code and make a PR (we would have done that anyway at some point once we’re certain that we want to proceed with it).

The major advantage of having a BearSSL provider for us is deployment because it can be very easily statically compiled compared to most of the other crypto providers, especially OpenSSL.

Hi @lgrahl

Out of curiosity, what hurdles did you have creating a static library of OpenSSL, or, can you share how you found that easier to do with BearSSL?

Exactly this, that’s why I asked originally.

I didn’t notice replies on this thread for a long time, sorry about that.

If you could release it, that would be wonderful. :grinning: