Alternate Open Source Crypto Solution in OpenSSH
Damien Miller
djm at mindrot.org
Tue Jan 5 14:20:18 AEDT 2016
On Tue, 5 Jan 2016, Bostjan Skufca wrote:
> (I did not look at the code yet, begging forgiveness:)
>
> How well structured is OpenSSH if one would want to use alternative SSL
> implementation? Or, if I rephrase the question - how married is OpenSSH to
> OpenSSL?
>
> Would it make sense to refactor (if it is not done yet) openssh to use
> generic API for communicating with any SSL implementation? Or is the
> general stance on this subject "the new SSL implementation should provide
> openssl-compatible API to be usable with openssh"?
>
> I have no interest in any side of the argument, just curious.
We're happy to factor out the openssl API, and I've started doing so:
https://github.com/djmdjm/openssh-openbsd/tree/openssl-wrap
This is doing some of the harder parts first: DH and BIGNUM, though
the latter only in KEX. I'd like to wrap all BIGNUM use eventually
though.
Replacing symmetric ciphers and MACs is considerably easier, since
most use of them is via cipher.h and digest.h APIs.
-d
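The second paragraph of the reply describes the design that makes ciphers and MACs easy to swap: callers go through a small internal API (cipher.h, digest.h) instead of calling the crypto library directly, so only the API's backend needs to change. The C block below is an added example, not OpenSSH's digest.h and not code from the openssl-wrap branch. It sketches that pattern with a backend vtable, an opaque start/update/final context API and a one-shot helper, backed by a SHA-256 written for this example; every identifier in it (digest_backend, digest_start, digest_memory, digest_hex, ...) is hypothetical.

```c
/* Added example, not OpenSSH code: a backend-neutral digest API in the spirit of
 * an opaque start/update/final interface. Callers use only the digest_* functions;
 * the backend is one vtable and can be replaced without touching any caller.
 * All names here (digest_backend, digest_start, digest_memory, ...) are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Backend contract: a crypto provider fills in one of these. */
struct digest_backend {
    const char *name;
    size_t digest_len;                         /* output size in bytes */
    size_t ctx_size;                           /* bytes of private state */
    void (*init)(void *st);
    void (*update)(void *st, const uint8_t *p, size_t n);
    void (*final)(void *st, uint8_t *out);
};

/* ---- Built-in SHA-256 backend (written for this example from FIPS 180-4) ---- */
static const uint32_t K[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };
static const uint32_t H0[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                                0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
struct sha256_ctx { uint32_t st[8]; uint64_t len; uint8_t buf[64]; size_t n; };

static void sha256_block(uint32_t st[8], const uint8_t p[64]) {
    uint32_t w[64], a, b, c, d, e, f, g, h, t1, t2; int i;
    for (i = 0; i < 16; i++)
        w[i] = (uint32_t)p[4*i] << 24 | (uint32_t)p[4*i+1] << 16 | (uint32_t)p[4*i+2] << 8 | p[4*i+3];
    for (; i < 64; i++)
        w[i] = w[i-16] + (ROTR(w[i-15], 7) ^ ROTR(w[i-15], 18) ^ (w[i-15] >> 3))
             + w[i-7] + (ROTR(w[i-2], 17) ^ ROTR(w[i-2], 19) ^ (w[i-2] >> 10));
    a = st[0]; b = st[1]; c = st[2]; d = st[3]; e = st[4]; f = st[5]; g = st[6]; h = st[7];
    for (i = 0; i < 64; i++) {
        t1 = h + (ROTR(e, 6) ^ ROTR(e, 11) ^ ROTR(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i];
        t2 = (ROTR(a, 2) ^ ROTR(a, 13) ^ ROTR(a, 22)) + ((a & b) ^ (a & c) ^ (b & c));
        h = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
    }
    st[0] += a; st[1] += b; st[2] += c; st[3] += d; st[4] += e; st[5] += f; st[6] += g; st[7] += h;
}
static void sha256_init(void *v) {
    struct sha256_ctx *c = v; memcpy(c->st, H0, sizeof H0); c->len = 0; c->n = 0;
}
static void sha256_update(void *v, const uint8_t *d, size_t l) {
    struct sha256_ctx *c = v; c->len += l;
    while (l > 0) {                            /* fill the 64-byte block buffer */
        size_t k = 64 - c->n; if (k > l) k = l;
        memcpy(c->buf + c->n, d, k); c->n += k; d += k; l -= k;
        if (c->n == 64) { sha256_block(c->st, c->buf); c->n = 0; }
    }
}
static void sha256_final(void *v, uint8_t *out) {
    struct sha256_ctx *c = v; uint64_t bits = c->len * 8; uint8_t pad = 0x80, z = 0, lb[8]; int i;
    sha256_update(v, &pad, 1);                 /* 0x80, zeros to 56 mod 64, then bit length */
    while (c->n != 56) sha256_update(v, &z, 1);
    for (i = 0; i < 8; i++) lb[i] = (uint8_t)(bits >> (56 - 8 * i));
    sha256_update(v, lb, 8);
    for (i = 0; i < 8; i++) { out[4*i] = c->st[i] >> 24; out[4*i+1] = c->st[i] >> 16;
                              out[4*i+2] = c->st[i] >> 8; out[4*i+3] = c->st[i]; }
}
static const struct digest_backend builtin_sha256 =
    { "sha256", 32, sizeof(struct sha256_ctx), sha256_init, sha256_update, sha256_final };

/* ---- Backend-neutral API: the only surface callers are allowed to use ---- */
static const struct digest_backend *active = &builtin_sha256;   /* the swap point */
struct digest_ctx { const struct digest_backend *be; void *st; };

struct digest_ctx *digest_start(void) {
    struct digest_ctx *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->be = active;
    if ((c->st = calloc(1, c->be->ctx_size)) == NULL) { free(c); return NULL; }
    c->be->init(c->st);
    return c;
}
int digest_update(struct digest_ctx *c, const void *p, size_t n) {
    if (c == NULL) return -1;
    c->be->update(c->st, p, n);
    return 0;
}
int digest_final(struct digest_ctx *c, uint8_t *out, size_t outlen) {
    if (c == NULL || outlen < c->be->digest_len) return -1;  /* refuse short buffers */
    c->be->final(c->st, out);
    return 0;
}
void digest_free(struct digest_ctx *c) {
    if (c == NULL) return;
    memset(c->st, 0, c->be->ctx_size);         /* scrub state before release */
    free(c->st); free(c);
}
/* One-shot convenience: 0 on success, -1 on error. */
int digest_memory(const void *p, size_t n, uint8_t *out, size_t outlen) {
    struct digest_ctx *c = digest_start();
    int r = (c != NULL && digest_update(c, p, n) == 0) ? digest_final(c, out, outlen) : -1;
    digest_free(c);
    return r;
}
/* Lower-case hex digest for known-answer tests; hex needs 2*digest_len+1 bytes. */
int digest_hex(const void *p, size_t n, char *hex, size_t hexlen) {
    uint8_t out[64]; size_t i, dl = active->digest_len;
    if (dl > sizeof out || hexlen < 2 * dl + 1 || digest_memory(p, n, out, sizeof out) != 0) return -1;
    for (i = 0; i < dl; i++) {
        hex[2*i] = "0123456789abcdef"[out[i] >> 4]; hex[2*i+1] = "0123456789abcdef"[out[i] & 15];
    }
    hex[2 * dl] = '\0';
    return 0;
}
```

The point of the shape is that `active` is the only place a different provider (a second `struct digest_backend`) is plugged in; nothing above the API line knows which library computed the hash. When a backend is swapped, the check that matters is a known-answer test through the public API (for SHA-256, "abc" must give ba7816bf...15ad and the empty string e3b0c442...b855), plus a comparison of the incremental and one-shot paths, since a backend whose buffering differs from the old one will only show up there.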