Quoth Iain:
> I'm not sure if the work being done to allow OpenSSH to be built without OpenSSL includes SHA-1 support.

Hi Iain. I haven't heard of this effort before. Can you give a few more details?

Thanks,

ScottN

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805 583-2874 | Fax 805 583-0124 |

2014-03-06 20:39 GMT+01:00 Scott Neugroschl <scott_n at xypro.com>:
> Quoth Iain:
>> I'm not sure if the work being done to allow OpenSSH to be built without OpenSSL includes SHA-1 support.
>
> Hi Iain. I haven't heard of this effort before. Can you give a few more details?
>
> Thanks,
>
> ScottN

Hi,

e.g. revision 1.23:

"avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@"

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/buffer.h

I hope that it will be possible to build a small version of sshd without OpenSSL. Any news on this topic is welcome.

Daniel

On Thu, Mar 06, 2014 at 19:39:33 +0000, Scott Neugroschl wrote:
> Quoth Iain:
> > I'm not sure if the work being done to allow OpenSSH to be built without OpenSSL includes SHA-1 support.
>
> Hi Iain. I haven't heard of this effort before. Can you give a few more details?
>
> Thanks,
>
> ScottN
>

Well, I'm not in a position to give any authoritative information, but here is what I know:

With the addition of curve25519, ed25519, and chacha20+poly1305, the developers have commented about the possibility of building an RFC non-compliant OpenSSH without OpenSSL. If you search through the mailing list archive, I believe you should see some references to this. There are also comments in the CVS commits regarding this. And, I believe Damien mentioned this in his interview on bsdnow.tv.

In one of the CVS commits, I noticed that there is support for falling back on libc for digest support when building without OpenSSL, but I don't recall if this is both MD5 and SHA1 or not.

--
Iain Morgan