Ethereal-dev: Re: [Ethereal-dev] Linking against OpenSSL

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Fri, 4 Jun 2004 21:11:25 +1000
What do you need in regard to ASN.1 and certificates in Ethereal?

X.509 and CMS? These might come reasonably soon to an Ethereal near you. At
least decoding of them; I don't know if you need more than that.

Please jump in and help looking at X.509 and CMS (and PKINIT). We need all
the help we can get in this area.



On a different but slightly related topic, I just checked in code to make
it easier to pull stuff out from Kerberos into the protocols calling Kerberos
using callbacks. Initially so that the PacketCable people can get to some
KRB-SAFE thingies they have filled with application-specific data. This could
very easily be used also to pass things like the session key back to the
caller: DCERPC.

You were doing some CIFS decryption earlier; do you know how one would
proceed, given access to the session key, so that encrypted DCERPC interfaces
such as DS-SETUP can be decrypted?



----- Original Message ----- 
From: "Devin Heitmueller"
Sent: Friday, June 04, 2004 8:47 PM
Subject: RE: [Ethereal-dev] Linking against OpenSSL


Thanks everyone for the feedback on the various crypto alternatives.  I'm
going to try to respond to all the various alternatives in one email (since
there were three or four emails that offered options).

cryptlib - Definitely not an option.  I audited their source (which claims
to be GPL compatible) and found it has code taken from SSLeay (the precursor
to OpenSSL).  In other words, they're violating Eric Young's license by
redistributing his code under the GPL.

libnss3 - Looks like it has all the major components necessary and it's
already installed on most people's platforms.  But its documentation is
horrific, and the only working examples to use as a reference that I know of
are Mozilla and Evolution.  It also has no facility to manage PEM encoded
files, which is an annoyance that would require users to convert the keys
before they can be used (which was MUCH harder than it sounds).

Gnutls - Was still pretty alpha when I last looked.  Will have to take
another look.  Available for Win32, but with a special build procedure.

Nettle - Provides basic cryptographic functionality.  Licensing looks ok.
No ASN.1 or certificate management facilities though.  This may not be as
big an issue as it was six months ago, given Ethereal's ASN.1 parsing has
improved considerably, but it would still mean I would have to add all the
code for parsing the server certificate.  Also, I could be mistaken, but
it would appear that they don't have a UNIX port, meaning the Win32 users
would be locked out.

libgcrypt - This is a new entry (only released its first stable version last
month).  It looks like it has the basics, and may certainly be a good
alternative to sucking in our own cryptographic primitives (as we did
previously).  As with Nettle, no certificate parsing facilities.

All that said, it looks like OpenSSL is still the best tool for the job,
except for the licensing.  We might be able to get away with libgcrypt or
Nettle if Ethereal's ASN.1 meets our needs (I will have to dig into this
further).

I'll see about putting together a table of all the various alternatives, so
I can track them for future reference.

Thanks,

Devin


-----Original Message-----
From: Ronnie Sahlberg [mailto:ronnie_sahlberg@xxxxxxxxxxxxxx]
Sent: Fri 6/4/2004 5:30 AM
To: Ethereal development; Devin Heitmueller
Cc:
Subject: Re: [Ethereal-dev] Linking against OpenSSL

Have you looked at
Gnutls and/or Nettle?

Maybe they can be useful in getting rid of openssl



----- Original Message ----- 
From: "Joerg Mayer"
Sent: Friday, June 04, 2004 7:03 PM
Subject: Re: [Ethereal-dev] Linking against OpenSSL


> On Thu, Jun 03, 2004 at 03:42:06PM -0400, Devin Heitmueller wrote:
> > At this point, I'm debating just writing the code with OpenSSL and
> > distributing a patch against Ethereal on my website.  Then anyone who
> > wants the functionality can get the patch, apply it against the Ethereal
> > source and recompile.  This would get around the license issue, at least
> > as far as I can see, since nobody would be distributing a "combined
> > product".
>
> Maybe you could have a look at GPLed vpnc, whose author had to solve the
> same problem: http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
>  Ciao
>      Joerg
> -- 
> Joerg Mayer



_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev