License exception for OpenSSL

Message ID	20160219195407.GA7366@macbookair
State	New
Headers	show Return-Path: <openbsc-bounces@lists.osmocom.org> Date: Fri, 19 Feb 2016 20:54:07 +0100 From: Ruben Undheim <ruben.undheim@gmail.com> To: Holger Freyther <holger@freyther.de> Subject: Re: License exception for OpenSSL Message-ID: <20160219195407.GA7366@macbookair> References: <20160219185410.GA15737@macbookair> <1D30431E-0CF5-4EF5-9C36-FF72D659A979@freyther.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <1D30431E-0CF5-4EF5-9C36-FF72D659A979@freyther.de> User-Agent: Mutt/1.5.24 (2015-08-30) Precedence: list Cc: openbsc@lists.osmocom.org Errors-To: openbsc-bounces@lists.osmocom.org Sender: "OpenBSC" <openbsc-bounces@lists.osmocom.org>

Message ID

20160219195407.GA7366@macbookair

State

New

Headers

Date: Fri, 19 Feb 2016 20:54:07 +0100
From: Ruben Undheim <ruben.undheim@gmail.com>
To: Holger Freyther <holger@freyther.de>
Subject: Re: License exception for OpenSSL
Message-ID: <20160219195407.GA7366@macbookair>
References: <20160219185410.GA15737@macbookair>
	<1D30431E-0CF5-4EF5-9C36-FF72D659A979@freyther.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <1D30431E-0CF5-4EF5-9C36-FF72D659A979@freyther.de>
User-Agent: Mutt/1.5.24 (2015-08-30)
Precedence: list
Cc: openbsc@lists.osmocom.org
Errors-To: openbsc-bounces@lists.osmocom.org
Sender: "OpenBSC" <openbsc-bounces@lists.osmocom.org>

Commit Message

Ruben Undheim Feb. 19, 2016, 7:54 p.m. UTC

> 1.) You link against libgnutls-openssl-dev which provides a wrapper for RAND_bytes.
> 
> 2.) We move to GNUtls (or gcrypt?) to call the function that RAND_bytes is wrapped around (after reading the documentation)
> 
> 3.) We use GNU nettle and their yarrow-256 implementation (assuming that is a smart move)?

Thanks.
I did #1. Here's the patch:



It seems to work.
Luckily the SSL library isn't used for anything advanced.

Cool if you also figure out a way to solve this upstream!

Cheers
Ruben

Comments

Holger Freyther Feb. 20, 2016, 6:17 p.m. UTC | #1

> On 19 Feb 2016, at 20:54, Ruben Undheim <ruben.undheim@gmail.com> wrote:
> 
>> 1.) You link against libgnutls-openssl-dev which provides a wrapper for RAND_bytes.
>> 
>> 2.) We move to GNUtls (or gcrypt?) to call the function that RAND_bytes is wrapped around (after reading the documentation)
>> 
>> 3.) We use GNU nettle and their yarrow-256 implementation (assuming that is a smart move)?
> 
> Thanks.
> I did #1. Here's the patch:
> 

I explored 2nd and gnutls calls gcrypt so I looked at gcry_randomize[1]. In comparison to the OpenSSL RNAD_bytes documentation I feel a lot is missing. RAND_bytes will fail if the RNG is not seeded, I don't see anything like this in gcry_randomize documentation. Do I really need to call   gcry_check_version or is it okay to not call it?

I will not do this weekend, but please ping me if there is not progress in the weeks to come. I think we roughly need to do:

* Call gcry_check_version in the main routine of apps using it
* Switch to use gcry_randomize

holger

[1] https://gnupg.org/documentation/manuals/gcrypt/Retrieving-random-numbers.html#Retrieving-random-numbers
[2] https://www.openssl.org/docs/manmaster/crypto/RAND_bytes.html

Index: openbsc/openbsc/configure.ac
===================================================================
--- openbsc.orig/openbsc/configure.ac	2016-02-19 20:39:10.824145024 +0100
+++ openbsc/openbsc/configure.ac	2016-02-19 20:39:10.820145095 +0100
@@ -27,7 +27,8 @@ 
 PKG_CHECK_MODULES(LIBOSMOABIS, libosmoabis >= 0.2.0)
 PKG_CHECK_MODULES(LIBOSMOGB, libosmogb >= 0.6.4)
 PKG_CHECK_MODULES(LIBOSMONETIF, libosmo-netif >= 0.0.1)
-PKG_CHECK_MODULES(LIBCRYPTO, libcrypto >= 0.9.5)
+#PKG_CHECK_MODULES(LIBCRYPTO, gnutls)
+AC_SUBST(LIBCRYPTO_LIBS, -lgnutls-openssl)
 
 # Enabke/disable the NAT?
 AC_ARG_ENABLE([nat], [AS_HELP_STRING([--enable-nat], [Build the BSC NAT. Requires SCCP])],
Index: openbsc/openbsc/src/libmsc/auth.c
===================================================================
--- openbsc.orig/openbsc/src/libmsc/auth.c	2016-02-19 20:13:19.417462737 +0100
+++ openbsc/openbsc/src/libmsc/auth.c	2016-02-19 20:40:13.607032169 +0100
@@ -27,7 +27,7 @@ 
 
 #include <osmocom/gsm/comp128.h>
 
-#include <openssl/rand.h>
+#include <gnutls/openssl.h>
 
 #include <stdlib.h>
 
Index: openbsc/openbsc/src/libmsc/db.c
===================================================================
--- openbsc.orig/openbsc/src/libmsc/db.c	2016-02-19 20:13:19.421462672 +0100
+++ openbsc/openbsc/src/libmsc/db.c	2016-02-19 20:40:27.318789122 +0100
@@ -38,7 +38,7 @@ 
 #include <osmocom/core/statistics.h>
 #include <osmocom/core/rate_ctr.h>
 
-#include <openssl/rand.h>
+#include <gnutls/openssl.h>
 
 /* Semi-Private-Interface (SPI) for the subscriber code */
 void subscr_direct_free(struct gsm_subscriber *subscr);
Index: openbsc/openbsc/src/osmo-bsc_nat/bsc_nat.c
===================================================================
--- openbsc.orig/openbsc/src/osmo-bsc_nat/bsc_nat.c	2016-02-19 20:13:19.433462478 +0100
+++ openbsc/openbsc/src/osmo-bsc_nat/bsc_nat.c	2016-02-19 20:39:58.791294787 +0100
@@ -69,7 +69,7 @@ 
 
 #include <osmocom/abis/ipa.h>
 
-#include <openssl/rand.h>
+#include <gnutls/openssl.h>
 
 #include "../../bscconfig.h"

License exception for OpenSSL

Commit Message

Comments

Patch