-
Notifications
You must be signed in to change notification settings - Fork 708
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stop using OpenSSL-license-licensed code. #1827
Comments
I believe it is already clear which parts of the crate are covered by which license as each source file has a license header at the top. The code in question comes from BoringSSL and they didn't do the relicensing. Unfortunately they (BoringSSL) put some important bits in OpenSSL-license-licensed header files. Our goal is to replace all the OpenSSL-license-licensed code as we move completely away from C to Rust. Once that is done there won't be any issue regarding this anymore. See also #902 which tracks making the licensing use SPDX. |
@briansmith Thanks for your reply. I have one more question:
For a takeaway, are those files OpenSSL-license-licensed included in any downstream software that use ring? Or it's optional if certain feature unused. I did a check and it seems the fileset is:
You can check if there is other missing, and perhaps we can divide and conquer them :D |
This is test code that shouldn't be linked into the ring library. Fixing this is tracked in #1705. I would appreciate a PR.
I have sent some patches upstream to BoringSSL which, when they are all merged, will allow us to more easily replace cpu_intel.c with Rust code.
We need to vendor the rust-crypto aes/soft code at https://github.com/RustCrypto/block-ciphers/tree/master/aes/src/soft into
We probably need to work with BoringSSL upstream to relicense this since it is used by the assembly code. |
This is now tracked as #1886 with more details. |
Thanks a lot for the updates @briansmith! For /// Returns `Ok(())` if `a == b` and `Err(error::Unspecified)` otherwise.
/// The comparison of `a` and `b` is done in constant time with respect to the
/// contents of each, but NOT in constant time with respect to the lengths of
/// `a` and `b`.
pub fn verify_slices_are_equal(a: &[u8], b: &[u8]) -> Result<(), error::Unspecified> {
if a.len() != b.len() {
return Err(error::Unspecified);
}
let result = unsafe { CRYPTO_memcmp(a.as_ptr(), b.as_ptr(), a.len()) };
match result {
0 => Ok(()),
_ => Err(error::Unspecified),
}
}
prefixed_extern! {
fn CRYPTO_memcmp(a: *const u8, b: *const u8, len: c::size_t) -> c::int;
} Maybe we compare Can we replace it with variable-time comparison? And it seems a common use case to do int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len) {
const unsigned *a = in_a;
const unsigned *b = in_b;
for (unsigned i = 0; i < len; i++) {
if (a[i] ^ b[i]) return 1;
}
return 0;
} or just use |
For license text, see <https://github.com/briansmith/ring/blob/73fb637078ea1a37719cf0c5f3055f9a18dcc1e0/LICENSE>. For the situation around the licensing, see <briansmith/ring#1827>. Signed-off-by: YOSHIOKA Takuma <[email protected]>
Yeah, it makes using the crate practically impossible in GPL licensed stuff: |
If there is anything I can help with regarding this effort; let me know I would love to contribute. |
Currently, the LICENSE file is large and complicated, while can be vaguely regarded as a combination of MIT, ISC, and OpenSSL’s licenses.
Although the latest OpenSSL license is Apache License 2.0, in this repo, we use a few of sentences refer to the BSD-style licenses with advertising clauses:
ring/LICENSE
Lines 66 to 83 in 6c29bf6
ring/LICENSE
Lines 137 to 145 in 6c29bf6
It causes concerns in downstream for using this software in a mindset like so-called "permissive OSS license" or "weak copyleft license": https://lists.apache.org/thread/ptwdv18z4wd9r11nmdwj7wgzwvm3b8l2
@briansmith do you have more background of the license content, or how generally a downstream user use it?
The background of this questions is from https://www.apache.org/legal/resolved.html#category-x that "BSD-4-Clause/BSD-4-Clause (University of California-Specific)" can introduce burden for users to convey this software - they're, be required, to include extra acknowledgement for certern actions. And while if we can either:
The text was updated successfully, but these errors were encountered: