Crypto overhaul

Eric McCorkle eric at metricspace.net
Sat Oct 28 23:31:07 UTC 2017


On 10/27/2017 09:46, John Hein wrote:

> What's the overhaul goal here?  There's basic crypto libraries with
> symmetric & assymmetric crypto & hashing (e.g., NaCL, libsodium,
> openssl's libcrypto).  There's libraries that add support for SSL/TLS
> & X.509 certificates and such.  There's stuff to support using
> crypto hardware (accelerators, secure crypto token storage devices).
> 
> And is the thought to [eventually] replace openssl in base with
> something lighter perhaps?
> 
> I assume we're looking for bsd, isc, mit, etc., style licenses only.
> 

Sorry for being slow to reply.

There's a couple of goals that seem to be in common here (and which I've
seen reflected in the comments to my original posting.

* Dissatisfaction with the OpenSSL codebase and its history of
vulnerabilities.

* Desire to consolidate the crypto implementations, specifically, for a
crypto library that can serve userland, kernel, and bootloaders.

* In my case, the trust framework stuff I wrote about requires
public-key crypto in the kernel and loader, which isn't something the
kernel crypto framework can do.

* It's also harder to add new ciphers when there's multiple crypto
codebases.


More information about the freebsd-security mailing list