On Wed, 19 Apr 2023, Dmitry Belyavskiy wrote:

> > While I'm sure this is good for RHEL/rawhide users who care about FIPS,
> > Portable OpenSSH won't be able to merge this. We explicitly aim to support
> > LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
> > OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
> > I'd describe as "best effort").
> >
> > If this changes we can look again.
>
> Yes, we understand and respect your choice.
> Would it be acceptable in any form being wrapped in necessary #ifdefs?

No, I think it would be too intrusive.

IMO if we have to support both the new API and the libressl/1.1.1 API then the only likely acceptable way would be to reimplement the new API using the old, similar to what we did when moving to the OpenSSL 1.1.x opaque structs while still supporting the 1.0.x API.

I have no idea whether this is even possible, and we wouldn't have the luxury of being able to use OpenSSL code to do it (as we did last time) as the license has changed to one that we don't want to accept in the OpenSSH codebase.

-d