Subject: Re: [libssh2] Remove OPENSSL_NO_SHA ifdef's?

Re: [libssh2] Remove OPENSSL_NO_SHA ifdef's?

From: Simon Josefsson <>
Date: Wed, 10 Jan 2007 19:18:33 +0100

Sara Golemon <> writes:

>> However, the same file unconditionally uses SHA-1 in different places,
>> so these #ifdef's doesn't work.
>> All the ssh kex protocols that libssh2 supports require SHA-1, so it
>> does not seem very useful to build libssh2 if there is no support for
>> SHA-1 in OpenSSL. However, I may be missing something.
> That..... is an excellent point.... and I agree, the SHA1 checks are
> pointless when one considers the fact that all the current kex methods
> require it. Might as well lose them.


Btw, is it ok to install my libgcrypt patches? If you'd like more
time to review them, how about if I install it on a branch? That
creates more work eventually, when the branch has to be merged with
HEAD, but it will makes things easier for me and Daniel to test things
with curl.

> Since you're doing all this shoehorn work to get libgcrypt working with
> libssh2, I should mention that I've got some code I've been meaning to
> toss in as a final-fallback (libbig_int for big number math, and my own
> implementations of 3des-cbc (or aes256-cbc), sha1, and sha1-hmac for
> minimal protocol support when neither library is available.
> It's not that openssl or libgcrypt are so hard to come by, but I've been
> asked for "stripped down" versions by people looking to do work with
> embedded devices. If we can offer something that just does the bare
> minimum, then that could be helpful to them.
> libbig_int is licensed to the public domain so static linking that will
> be simple, my sha1 and sha1-hmac implementations are already php
> licensed (which is itself a bsd derivate), I just need to get some
> permissions on using my 3des-cbc implementation from my employer (who
> may have legal rights to it, not 100% clear...)
> Note: I also have aes128/192/256-cbc implementations, but 3des-cbc is
> the one specified as REQUIRED by the spec so it's the one I initially
> mentioned. Given the relatively small size of the siphers, it might not
> hurt the embedded folk to bad to include both families, or maybe give
> them a ./configure time option.

I was thinking about such an approach as well... the things that are
missing above seem to be random number generation, RSA/DSA signing,
and PEM-file reading. Libgcrypt does not contain PEM-file reading, so
I will likely be implementing something like that in libgcrypt.c in
libssh2 for that. For other projects, I have been using
/dev/{u,}random as RNG, but seeing some research on the quality of
various OS RNG's (including Linux), I'm not sure it is a good idea.

Anyway, when my libgcrypt stuff is done, you should easily be able to
implement the above by adding a new file 'embedded-crypto.h' (or
whatever) that provides the same API as openssl.h and libgcrypt.h.
You shouldn't have to change any libssh2 code other than
libssh2_priv.h (to make it include the embedded-crypto.h header file
depending on some CPP symbol set by configure) and (to
set things up).

> One thing at a time though. I'm not quite out from under my work pile
> to the point where I can start working on libssh2 yet, but I'm nearly there.

When I'm finished with the libgcrypt port, it will be much easier for
you to implement the above. It will also be a good test if my
abstractions were any good...

>> If someone later on wishes to add support for, say, SHA-2, and make
>> the SHA-1 stuff optional, that would be fine, but right now it doesn't
>> seem to make sense to make SHA-1 optional since libssh2 won't work
>> without SHA-1 (if I understand correctly).
> I've got sha-256, sha-384, and sha-512 implementations as well, but
> without an SSH standard which uses them they're not particularly helpful
> right now...

Sure, what I meant was that if someone adds SHA-2 to the protocol, or
just want to experiment with it. It probably won't take long until
someone writes an IETF draft about that...


Take Surveys. Earn Cash. Influence the Future of IT
Join's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
libssh2-devel mailing list
Received on 2007-01-10