From: Eric McCorkle
Date: Tue, 31 Oct 2017 19:34:26 -0400
To: freebsd-arch@freebsd.org, freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Crypto overhaul

On 10/31/2017 08:23, Wall, Stephen wrote:
>> At least as about its first year and a half, LibreSSL had a markedly
>> better track record than OpenSSL (zero high-severity CVEs vs 5 from
>> OpenSSL, about half as many mid- and low-security CVEs).
>
> Are any of these relevant to the crypto module? Or are they all only
> applicable to the SSL protocol?
>
> As I understand the discussion so far, the goal is to unify all the
> disparate crypto pieces in the base system. That could certainly be
> done using OpenSSL's libcrypto, and let users select their SSL
> provider from the ports tree.

That's already how things work, but it doesn't provide a viable solution for kernel and boot loader APIs. There's apparently been at least one attempt to embed OpenSSL into the kernel, to no avail.