OpenSSH No Longer Has To Depend On OpenSSL 144
ConstantineM writes: "What has been planned for a long time now, prior to the infamous heartbleed fiasco of OpenSSL (which does not affect SSH at all), is now officially a reality — with the help of some recently adopted crypto from DJ Bernstein, OpenSSH now finally has a compile-time option to no longer depend on OpenSSL. `make OPENSSL=no` has now been introduced for a reduced configuration OpenSSH to be built without OpenSSL, which would leave you with no legacy SSH-1 baggage at all, and on the SSH-2 front with only AES-CTR and chacha20+poly1305 ciphers, ECDH/curve25519 key exchange and Ed25519 public keys."
Re: Good news! Now get it FIPS certified. (Score:2, Informative)
You can't certify source code. You can only certify binaries. That makes FIPS certification a challenge for most users and implementers.
Re:Vetting the replacement libraries? (Score:4, Informative)
LibreSSL will indeed, by used by OpenSSH.
See here for more details: http://undeadly.org/cgi?action... [undeadly.org]
Re:Good news! Now get it FIPS certified. (Score:5, Informative)
FIPS 140-2 [nist.gov] is a spec about boundaries. You draw a boundary and the spec talk about how data passed through the boundary and about the stuff that allowed inside the boundary.
One the primary things is asks is that the crypto algorithms are NIST approved. E.G. AES or SP800-90 or SHA1/2/3.
So to build a FIPS140-2 compliant thing, you first determine the box (the boundary) and the function. Then implement that function using crypto algorithms from the list of NIST approved algorithms.
Curve 25519, chacha20 and poly1305 do not appear in any NIST published specification.
Re:Vetting the replacement libraries? (Score:5, Informative)
There are no replacement libraries. The ED25519, ECDH, ChaCha20 and AES-CTR code is all part of OpenSSH itself. And the code is very, very tight and compact and very easy to audit. Entirely the opposite of OpenSSL!!!
Patrons? (Score:5, Informative)
The front page of openssh.org is a grimy reading:
This list specifically includes companies like NetApp, NETFLIX, EMC, Juniper, Cisco, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).
So there we go again. Even a critical piece of software like this, cannot get proper funding from the giants, who are happy to take the software for free.
It just sucks, man.