Thanks everyone for the feedback on the various crypto alternatives. I'm going to try to respond to all the various alternatives in one email (since there were three or four emails that offered options).
cryptlib - Definitely not an option. I audited their source (which claims to be GPL compatible) and found it has code taken from ssleay (the precursor to OpenSSL). In other words, they're violating Eric Young's license by redistributing his code under the GPL.
libnss3 - Looks like it has all the major components necessary and it's already installed on most people's platforms. But its documentation is horrific and the only working examples to use as a reference that I know of are Mozilla and Evolution. It also has no facility to manage PEM encoded files, which is an annoyance that would require users to convert the keys before they can be used (which was MUCH harder than it sounds).
Gnutls - Was still pretty alpha when I last looked. Will have to take another look. Available for Win32, but with a special build procedure.
Nettle - Provides basic cryptographic functionality. Licensing looks ok. No ASN.1 or certificate management facilities though. This may not be as big an issue as it was six months ago, given Ethereal's ASN.1 parsing has improved considerably, but it would still mean I would have to add all the code for parsing the server certificate. Also, and I could be mistaken, but it would appear that they don't have a UNIX port, meaning the Win32 users would be locked out.
libgcrypt - This is a new entry (only released first stable version last month). It looks like it has the basics, and may certainly be a good alternative to sucking in our own cryptographic primitives (as we did previously). As with Nettle, no certificate parsing facilities.
All that said, it looks like OpenSSL is still the best tool for the job, except for the licensing. We might be able to get away with libgcrypt or Nettle if Ethereal's ASN.1 meets our needs (I will have to dig into this further).
I'll see about putting together a table of all the various alternatives, so I can track them for future reference.
Thanks,
Devin
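The libnss3 point above (no PEM handling, so keys and certificates must be converted to DER before the library can load them) is the one concrete conversion step in the thread. The following is an added example, not code from Ethereal, NSS or any of the libraries discussed: a strict PEM-to-DER and DER-to-PEM converter that treats the textual encoding as what it is, base64-encoded DER between BEGIN/END lines, and refuses malformed input rather than silently producing garbage bytes. The function names, the regular expressions and the sample DER bytes (a placeholder ASN.1 SEQUENCE and INTEGER, not a real certificate or key) are all constructed for this example.

```python
"""PEM <-> DER conversion as an added example (not Ethereal/NSS code).

PEM is base64-encoded DER wrapped in "-----BEGIN <label>-----" and
"-----END <label>-----" lines. A converter that feeds DER to a library
without PEM support should check the labels match, reject bodies that
are not valid base64, and refuse encrypted (Proc-Type/DEK-Info) bodies,
since those are not DER until decrypted.
"""
import base64
import binascii
import re

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def pem_to_der(text):
    """Return a list of (label, der_bytes) for every PEM block in text.

    Raises ValueError on structural problems: END without BEGIN, nested
    BEGIN, mismatched labels, unterminated block, encrypted body, or a
    payload that is not strict base64.
    """
    blocks = []
    label = None
    payload = []
    encrypted = False
    for raw in text.splitlines():
        line = raw.strip()
        m = _BEGIN.match(line)
        if m:
            if label is not None:
                raise ValueError("nested BEGIN inside %s block" % label)
            label, payload, encrypted = m.group(1), [], False
            continue
        m = _END.match(line)
        if m:
            if label is None:
                raise ValueError("END without BEGIN")
            if m.group(1) != label:
                raise ValueError("label mismatch: BEGIN %s / END %s"
                                 % (label, m.group(1)))
            if encrypted:
                raise ValueError("%s block is encrypted, body is not DER"
                                 % label)
            try:
                der = base64.b64decode("".join(payload), validate=True)
            except binascii.Error as exc:
                raise ValueError("bad base64 in %s block: %s" % (label, exc))
            blocks.append((label, der))
            label = None
            continue
        if label is None or not line:
            continue  # text outside a block (or blank lines) is ignored
        if ":" in line:
            # RFC 1421-style header line inside the body, e.g. "Proc-Type:"
            # or "DEK-Info:"; base64 never contains ':' so this is unambiguous.
            if line.startswith("Proc-Type:") and "ENCRYPTED" in line:
                encrypted = True
            continue
        payload.append(line)
    if label is not None:
        raise ValueError("unterminated %s block" % label)
    return blocks


def der_to_pem(label, der):
    """Wrap DER bytes in a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


# Constructed sample: SEQUENCE { INTEGER 5 } and a bare INTEGER 7.
# These are placeholder ASN.1 values, not a real certificate or key.
SAMPLE_CERT_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_KEY_DER = b"\x02\x01\x07"

SAMPLE_PEM = """\
some leading text a tool might print
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
AgEH
-----END PRIVATE KEY-----
"""


def round_trip(label, der):
    """Encode to PEM and decode back; returns the recovered DER bytes."""
    return pem_to_der(der_to_pem(label, der))[0][1]


if __name__ == "__main__":
    for name, der in pem_to_der(SAMPLE_PEM):
        print(name, der.hex())
```

Usage: `pem_to_der(open("file.pem").read())` yields every block in the file with its label, so a caller can pick out the CERTIFICATE block and hand the raw DER to a library that only understands DER; the strict checks are what keep a truncated or mislabelled file from being loaded as if it were a valid key.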
-----Original Message-----
From: Ronnie Sahlberg [mailto:ronnie_sahlberg@xxxxxxxxxxxxxx]
Sent: Fri 6/4/2004 5:30 AM
To: Ethereal development; Devin Heitmueller
Cc:
Subject: Re: [Ethereal-dev] Linking against OpenSSL
Have you looked at
Gnutls and/or Nettle?
Maybe they can be useful in getting rid of openssl
----- Original Message -----
From: "Joerg Mayer"
Sent: Friday, June 04, 2004 7:03 PM
Subject: Re: [Ethereal-dev] Linking against OpenSSL
> On Thu, Jun 03, 2004 at 03:42:06PM -0400, Devin Heitmueller wrote:
> > At this point, I'm debating just writing the code with OpenSSL and
> > distributing a patch against Ethereal on my website. Then anyone who
> > wants the functionality can get the patch, apply it against the Ethereal
> > source and recompile. This would get around the license issue, at least
> > as far as I can see, since nobody would be distributing a "combined
> > product".
>
> Maybe you could have a look at GPLed vpnc, whose author had to solve the
> same problem: http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
> Ciao
> Joerg
> --
> Joerg Mayer