Crypto overhaul

[Wall, Stephen]

Be aware that moving away from a crypto library that has a FIPS-approved crypto core will have a significant impact on commercial users of FreeBSD who do business with U.S. government (and likely some other governments and corporate sectors as well).  BoringSSL is persuing/has persued FIPS validation, but they offer this warning on their web page:



Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.



BearSSL, being a new, small project, is highly unlikely to pursue FIPS certification.  LibreSSL has deliberately stripped anything FIPS related out of their fork, and the project has stated multiple times that it will not come back.



I am not opposing a change (indeed, consolidating the various crypto sources in FreeBSD to single (FIPS-possible) library would be a good thing) , I just prefer (strongly) that FIPS not be pushed out of the picture.



-spw