Alternate Open Source Crypto Solution in OpenSSH

Damien Miller djm at mindrot.org
Tue Jan 5 14:20:18 AEDT 2016


On Tue, 5 Jan 2016, Bostjan Skufca wrote:

> (I did not look at the code yet, begging forgiveness:)
> 
> How well structured is OpenSSH if one would want to use alternative SSL
> implementation? Or, if I rephrase the question - how married is OpenSSH to
> OpenSSL?
> 
> Would it make sense to refactor (if it is not done yet) openssh to use
> generic API for communicating with any SSL implementation? Or is the
> general stance on this subject "the new SSL implementation should provide
> openssl-compatible API to be usable with openssh"?
> 
> I have no interest in any side of the argument, just curious.

We're happy to factor out the openssl API, and I've started doing so:

https://github.com/djmdjm/openssh-openbsd/tree/openssl-wrap

This is doing some of the harder parts first: DH and BIGNUM, though
the latter only in KEX. I'd like to wrap all BIGNUM use eventually
though.

Replacing symmetric ciphers and MACs is considerably easier, since
most use of them is via the cipher.h and digest.h APIs.

-d
