If we're going to use an external library, then OpenSSL is by far the
best choice in my opinion. Its license allows linking with GPL code and
it has everything we could possibly need in terms of raw crypto, as well
as stuff we could use when someone finally ports Eric Rescorla's ssldump
functionality to Ethereal. It's standard in the open source community
and well maintained.

But on the other hand, you pretty much echoed my concerns about the
additional dependency. OpenSSL is available for most platforms, and we
would just have to get both the Windows and UNIX makefiles working
properly.

We can do this incrementally -- we could start with the UNIX makefile,
and use #defines in the code. Then once everything is stabilized,
either someone who regularly works on the Windows port can get it to
work with OpenSSL, or I can do it myself. The key is to write the code
like the SNMP library is included. If you don't have it, it just
disables the functionality that requires it.

If we decide to import our own crypto, we could potentially use some of
the crypto from Samba. They have an MD4 and DES implementation, as well
as RC4 (which they obscurely named SMBoemhash). My only concern is that
the DES only works in ECB mode, which would prohibit its use in most
applications (except SMB). Samba's code does work and is GPL, but I'm
not sure it should be pulled into someone else's application.

-Devin

On Mon, 2002-11-11 at 03:20, Ronnie Sahlberg wrote:
> There are already functions in ethereal to handle RC4. I think it is part of
> the WEP or some of the other wireless dissectors. Use that one.
> That one should be broken out and put in its own source file.
>
> For the others, like md5 or des, there would be different options.
>
> One option would be to link ethereal with some GPL library, but that
> discussion has been on the list before. I think that discussion last time
> came to the conclusion that the existing open source crypto libs that were
> reasonably complete and useful had licenses that could be problematic to
> merge with GPL on some platforms.
> The true GPL ones were as far as I remember all a bit immature/incomplete
> yet to be useful.
>
> Another point was that this would mean yet another library ethereal would be
> dependent on.
>
> Another option would be to reimplement what is needed to decrypt dec inside
> ethereal.
> Well, RC4 is already in ethereal. MD5 and DES would probably not be too much
> work to add either. I guess that ethereal, since ethereal probably only
> needs to decrypt packets and not encrypt them, could work with only a small
> subset of the functionality of what is in the libraries.
>
--
Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc
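
Added example (not part of the original thread and not Ethereal code): the optional-dependency pattern discussed above, in C, with a small built-in RC4 that is always compiled and an MD5 wrapper that is only functional when the external library is present. HAVE_LIBCRYPTO, rc4_crypt, crypto_have_md5 and crypto_md5 are hypothetical names chosen for illustration; the library path uses OpenSSL's EVP_Digest.

```c
/* HAVE_LIBCRYPTO is a hypothetical configure-time macro (assumption). */
#include <stddef.h>
#include <string.h>
#ifdef HAVE_LIBCRYPTO
#include <openssl/evp.h>
#endif

/* Always available: in-tree RC4, no external dependency. klen must be > 0. */
void rc4_crypt(const unsigned char *key, size_t klen,
               const unsigned char *in, unsigned char *out, size_t len)
{
    unsigned char s[256], t;
    unsigned int i, j = 0;
    size_t n;

    for (i = 0; i < 256; i++) s[i] = (unsigned char)i;
    for (i = 0; i < 256; i++) {            /* key schedule */
        j = (j + s[i] + key[i % klen]) & 0xff;
        t = s[i]; s[i] = s[j]; s[j] = t;
    }
    i = j = 0;
    for (n = 0; n < len; n++) {            /* keystream XOR (same op both ways) */
        i = (i + 1) & 0xff;
        j = (j + s[i]) & 0xff;
        t = s[i]; s[i] = s[j]; s[j] = t;
        out[n] = in[n] ^ s[(s[i] + s[j]) & 0xff];
    }
}

/* Lets a caller decide at run time whether to offer MD5-dependent features. */
int crypto_have_md5(void)
{
#ifdef HAVE_LIBCRYPTO
    return 1;
#else
    return 0;
#endif
}

/* Returns 0 and fills digest[16] on success, -1 if unavailable or failed. */
int crypto_md5(const unsigned char *data, size_t len, unsigned char digest[16])
{
#ifdef HAVE_LIBCRYPTO
    unsigned int dlen = 0;
    return EVP_Digest(data, len, digest, &dlen, EVP_md5(), NULL) == 1 ? 0 : -1;
#else
    (void)data; (void)len; (void)digest;
    return -1;   /* caller leaves the payload undecoded instead of failing */
#endif
}
```

Built without the macro, the file has no link-time dependency on the library and only the RC4 path does real work.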