Dropbear's SSL

Matt Johnston matt at ucc.asn.au
Thu Aug 25 00:09:02 WST 2005


On Wed, Aug 24, 2005 at 03:01:53PM +0100, Adam D. Moss wrote:
> Dropbear's size as an SSH client (and server) is very impressive,
> and I was wondering how extractable its SSL layer is from the
> SSH-y parts.  I thumbed through the codebase a few months ago
> but couldn't grok where SSL ended and SSH started, so maybe
> Dropbear just doesn't conceptually work like that.
> 
> I was wondering if anyone had any thoughts on the reusability of
> Dropbear's SSL layer, or whether it'd be simpler to build bottom-up
> from libTomCrypt again.  (I'm not a crypto person myself so I feel
> more confident about peeling off some existing code than building
> up something secure from the pieces!)

Ah, the curse of the similar naming strikes again ;)

The SSH protocol is entirely seperate from SSL - the
confusion I think arises from the fact that OpenSSH uses
OpenSSL for its crypto - just not the SSL parts. See
http://www.ietf.org/html.charters/secsh-charter.html if
you're interestered, the SSH specs are actually fairly
readable.

In terms of using bits of Dropbear for a SSL implementation,
bits such as the Diffie Hellman or RSA code might be useful,
though it seems that LibTomCrypt has been getting increasing
amounts of SSL-useful code itself. It might be worth having
a look there and perhaps talking to Tom about it. For
example, Dropbear's RSA code just uses hardcoded DER
strings, while for full SSL you would probably want a more
general solution which I think LTC provides.

Cheers,
Matt


More information about the Dropbear mailing list