Daniel Kahn Gillmor
2016-Jan-05 03:10 UTC
Alternate Open Source Crypto Solution in OpenSSH
On Mon 2016-01-04 20:35:05 -0500, Bostjan Skufca wrote:> Would it make sense to refactor (if it is not done yet) openssh to use > generic API for communicating with any SSL implementation? Or is the > general stance on this subject "the new SSL implementation should provide > openssl-compatible API to be usable with openssh"?OpenSSH doesn't use any of the "SSL" (or TLS) features of OpenSSL. It just uses it for its library of cryptoprimitives. There have been several mentions of possibly swapping out crypto libraries in the past (a few in the last few months iirc), but it is currently not designed with such a platform-independent crypto-primitive API in mind. Damien, you said you're uninterested in linking to a GPL library -- is OpenSSH policy the same for LGPL libraries as well? (i'm thinking of nettle, which is licensed LGPL-2.1+, and has a very nice API for cryptoprimitives) --dkg
On Mon, 4 Jan 2016, Daniel Kahn Gillmor wrote:> Damien, you said you're uninterested in linking to a GPL library -- is > OpenSSH policy the same for LGPL libraries as well? (i'm thinking of > nettle, which is licensed LGPL-2.1+, and has a very nice API for > cryptoprimitives)I'd like to get us to a point where all the crypto stuff happens via a handful of files that implement a simple API that is backed up with a good suite of tests from the OpenSSH side. Speaking only for myself, I don't really want to do any library- specific porting until then. -d
Daniel Kahn Gillmor
2016-Jan-05 03:32 UTC
Alternate Open Source Crypto Solution in OpenSSH
On Mon 2016-01-04 22:23:31 -0500, Damien Miller wrote:> On Mon, 4 Jan 2016, Daniel Kahn Gillmor wrote: > >> Damien, you said you're uninterested in linking to a GPL library -- is >> OpenSSH policy the same for LGPL libraries as well? (i'm thinking of >> nettle, which is licensed LGPL-2.1+, and has a very nice API for >> cryptoprimitives) > > I'd like to get us to a point where all the crypto stuff happens > via a handful of files that implement a simple API that is backed up > with a good suite of tests from the OpenSSH side.That would be great to have. If you make it a sane non-SSH-specific API with a good suite of independent tests, i can imagine cryptoprimitive libraries organizing themselves to support it directly (so that they can be "OpenSSH-compatible"), which would be a win for everyone as well as a tempting place to add more good tests in the future.> Speaking only for myself, I don't really want to do any library- > specific porting until then.Understood, thanks. Regards, --dkg