[openssl-project] Removing assembler for outdated algorithms

Richard Levitte levitte at openssl.org
Sun Feb 11 07:20:30 UTC 2018

In message <20180210223253.GR3322 at mournblade.imrryr.org> on Sat, 10 Feb 2018 22:32:53 +0000, Viktor Dukhovni <viktor at dukhovni.org> said:

viktor> On Sat, Feb 10, 2018 at 10:19:20PM +0000, Salz, Rich wrote:
viktor> >     > Is blowfish actually outdated?  I thought it had some significant use,
viktor> >     > and don't recall any major weakness...
viktor> >     
viktor> >     In particular, IIRC OpenSSH uses blowfish, and links to OpenSSL for
viktor> >     the underlying cipher...
viktor> > 
viktor> > PGP use to be a heavy user, but now it only decrypts or does key-wrapping for compatibility; it no longer uses blowfish to encrypt data.
viktor> > 
viktor> > SSH uses it, but according to https://bbs.archlinux.org/viewtopic.php?id=188613 it has been removed, circa 2014.
viktor> > Schneier recommends not using it, and use its successor(s) instead, which we don't implement.
viktor> Removed in 2014 is much too recent, there are still LTS systems
viktor> with older SSH versions, and modern platforms that may want to
viktor> interoperate.  So I'm very reluctant to support removal of blowfish
viktor> ASM at this time...

Those same systems will probably not have the newest OpenSSL either,
and OpenSSH on those machines will certainly not be linked with a
newer OpenSSL...


Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

More information about the openssl-project mailing list