"Abad, Leah" wrote:
> Why I am asking? cURL is using OpenSSL library. But I had problems getting
> license of the RSA tech contained in OpenSSL

Problems getting a license? Read my comments below... Problems getting RSAREF?
It's available numerous places:

rsaref20.1996.tar.Z is available from
  ftp://utopia.hacktic.nl/pub/replay/pub/crypto/LIBS/rsa/
  ftp://ftp.ntua.gr/pub/crypt/mirrors/utopia.hacktic.nl/crypto/LIBS/math/
  ftp://ftp.tuwien.ac.at/opsys/linux/replay.com/crypto/LIBS/math/
  ftp://ftp.nstu.ru/pub/sources/security/crypt/

Be sure to apply the recent patches -- see attached.

The license described in the 'info.txt' distributed with RSAREF is replete with
misleading text. For example, the following

    2. RSAREF applications and services based on RSAREF
       applications may be sold under the following conditions:

       o You must sign and return the RSAREF Commercial License
         Agreement to RSA (call RSA for a copy of this
         agreement)....

is a bait-and-switch. There is not, and never has been (according to
the RSA corporate counsel) any such thing as the aforementioned
"RSAREF Commercial License Agreement." If you call and ask for this,
they'll try to sell you a BSAFE license.

    5. You can modify RSAREF to port it to other platforms, or to
       improve its performance, as long as you give a copy of the
       resulting source code to RSA. Other changes to the RSAREF
       code require written consent from RSA.

This paragraph seems to approve of patches, such as the recent
patches to fix a buffer overflow vulnerability. But in my conversation
with the RSA Corporate Mouthpiece and her lackey, any patches make one a
patent infringer. Of course, neither of them had ever read this license
agreement. I almost had to fax them a copy of it before I realized that
they were just wasting my time, and I hung up on them. No longer the
best and brightest, I'm afraid -- and their recent products (Keon CA,
for e.g.) demonstrate this.

--
QUI ME AMET, CANEM MEUM ETIAM AMET
*** rsaref.h.bak Fri Mar 25 22:01:49 1994
--- rsaref.h Sun Feb 2 22:30:11 1997
***************
*** 8,16 ****
#ifndef _RSAREF_H_
#define _RSAREF_H_ 1
! #include "md2.h"
! #include "md5.h"
! #include "des.h"
#ifdef __cplusplus
extern "C" {
--- 8,16 ----
#ifndef _RSAREF_H_
#define _RSAREF_H_ 1
! #include "_md2.h"
! #include "_md5.h"
! #include "_des.h"
#ifdef __cplusplus
extern "C" {
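
Review bot: The three changed includes now name _md2.h, _md5.h and _des.h, but nothing in the patch renames or adds those files, so rsaref.h will not compile unless the rename is done by hand. Either carry the renames in the patch or state the manual step and the reason for the new names next to it; any other source file that still includes md2.h, md5.h or des.h by the old name needs the same change.
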
*** global.h.ORIG Sat Sep 26 12:26:48 1998
--- global.h Sat Sep 26 12:27:44 1998
***************
*** 19,29 ****
--- 19,35 ----
/* POINTER defines a generic pointer type */
typedef unsigned char *POINTER;
+ #if 0
/* UINT2 defines a two byte word */
typedef unsigned short int UINT2;
/* UINT4 defines a four byte word */
typedef unsigned long int UINT4;
+ #else
+ #include <sys/types.h>
+ typedef u_int16_t UINT2;
+ typedef u_int32_t UINT4;
+ #endif
#ifndef NULL_PTR
#define NULL_PTR ((POINTER)0)
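
Review bot: The "#if 0" / "#else" switch replaces the UINT2 and UINT4 typedefs unconditionally, so global.h now builds only where <sys/types.h> supplies u_int16_t and u_int32_t, which are not standard C names. Guard the new branch with a platform or feature test instead of "#if 0", or use uint16_t and uint32_t from <stdint.h> where that header exists. The new typedefs also carry no comment; one line saying that "unsigned long int" is wider than four bytes on some platforms would record why the originals were disabled.
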
--- rsa.c.orig Fri Mar 25 14:01:48 1994
+++ rsa.c Wed Dec 1 23:01:22 1999
@@ -33,6 +33,9 @@
unsigned char byte, pkcsBlock[MAX_RSA_MODULUS_LEN];
unsigned int i, modulusLen;
+ if (inputLen + 3 > MAX_RSA_MODULUS_LEN)
+ return (RE_LEN);
+
modulusLen = (publicKey->bits + 7) / 8;
if (inputLen + 11 > modulusLen)
return (RE_LEN);
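
Review bot: The added test "inputLen + 3 > MAX_RSA_MODULUS_LEN" uses a margin of 3 while the existing test just below it uses "inputLen + 11 > modulusLen", and nothing says where the 3 comes from. A comment or a named constant for the margin would make it checkable. Writing the test as "inputLen > MAX_RSA_MODULUS_LEN - 3" would also keep the addition from wrapping around for a very large inputLen, if inputLen is unsigned like the locals declared in this hunk (its declaration is outside the visible lines).
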
@@ -78,6 +81,9 @@
unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
unsigned int i, modulusLen, pkcsBlockLen;
+ if (inputLen > MAX_RSA_MODULUS_LEN)
+ return (RE_LEN);
+
modulusLen = (publicKey->bits + 7) / 8;
if (inputLen > modulusLen)
return (RE_LEN);
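
Review bot: The added check bounds inputLen, but modulusLen, computed from publicKey->bits on the following line, is still never compared with MAX_RSA_MODULUS_LEN, which is the size of pkcsBlock. When the key's bit count is larger than the buffer allows, "inputLen > modulusLen" gives no protection on its own. Rejecting "modulusLen > MAX_RSA_MODULUS_LEN" right after modulusLen is computed would state the invariant directly and would also cover any later use of modulusLen as a length for pkcsBlock.
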
@@ -129,6 +135,9 @@
unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
unsigned int i, modulusLen;
+ if (inputLen + 3 > MAX_RSA_MODULUS_LEN)
+ return (RE_LEN);
+
modulusLen = (privateKey->bits + 7) / 8;
if (inputLen + 11 > modulusLen)
return (RE_LEN);
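
Review bot: This is the same three-line check as the one added at line 33, repeated for the privateKey path, and the two "inputLen > MAX_RSA_MODULUS_LEN" checks at lines 78 and 168 are likewise copies of each other. Four hand-copied bounds with two different margins are easy to get out of step; a small static helper or macro that takes inputLen and the margin would define the limit once and give it a name.
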
@@ -168,6 +177,9 @@
unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
unsigned int i, modulusLen, pkcsBlockLen;
+ if (inputLen > MAX_RSA_MODULUS_LEN)
+ return (RE_LEN);
+
modulusLen = (privateKey->bits + 7) / 8;
if (inputLen > modulusLen)
return (RE_LEN);
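
Review bot: Nothing in the hunk says why "inputLen > MAX_RSA_MODULUS_LEN" is tested ahead of the existing "inputLen > modulusLen". A one-line comment noting that pkcsBlock is a fixed array of MAX_RSA_MODULUS_LEN bytes and that privateKey->bits is not validated at this point would keep a later cleanup from removing the new check as redundant.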