Re: OpenSSL 1.1 support status : what next?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Having done this with libssh, this is far from trivial, even for the
rather simple primitives required by SSH. Abstracting some concepts
across very different libraries that deal with them in different ways
(e.g. libcrypto vs libgcrypt) can introduce some nasty bugs. OpenSSH has
always had KISS in mind so I wouldn't blame them to avoid supporting
additional libraries or dropping OpenSSL 1.1 and sticking to LibreSSL
altogether.

On the subject of OpenSSL, Jakub Jelen provided us with an
OpenSSL1.1-to-1.0 shim that works, but is not free of bugs.
I would have definitively have appreciated that OpenSSL wrote that shim
by themselves (they say it's trivial, of course it is not). The big
problem currently is that any application that does nontrivial low-level
cryptography cannot use a single API that will work with both of them,
they're 100% incompatible.

Aris


On 24/06/17 14:06, George M. Garner Jr. wrote:
> I think that this is the better approach.  The question I have is why
> the SSH logic should be dependent on the implementation details of ANY
> particular cryptographic library (be it openssl, libressl or
> whatever)? Proper software design would develop an abstraction layer
> with some measure of forward compatibility built in.
>
> On 6/23/2017 3:16 PM, Douglas E Engert wrote:
>> OpenSC has taken a different approach to OpenSSL-1.1. Rather then
>> writing
>> a shim for OpenSSL-1.1, the OpenSC code has been converted to
>> the OpenSSL-1.1 API and a sc-ossl-compat.h" file consisting of
>> defines and
>> macros was written to support older versions of OpenSSL and Libressl.
>>
>> https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc-ossl-compat.h
>>
>>
>> The nice part of this approach is when using OpenSSL-1.1
>> sc-ossl-compat.h
>> does not do anything. It sole purpose to provide calls to the older APIs
>> that are not going to change and eventually the sc-ossl-compat.h
>> could be
>> removed.
>>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux