Subject: Re: openssl and IDEA
To: Sverre Froyen <sverre@viewmark.com>
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
List: current-users
Date: 06/08/2002 00:00:15
>The version of openssl in the source tree has dummy routines for the IDEA 
>cipher and possibly others.  This causes a problem when the result of an SSL 
>negotiation is to use IDEA. For instance, using the package source p5-libwww 
>and P5-SSLeay, the command
>	lwp-request https://epayhipvar.paymentech.net
>results in
>	IDEA is a patented algorithm; link against libcrypto_idea.a. Aborting...
>The openssl library appears to present IDEA as a valid cipher during the SSL 
>negotiation and then turn around and exit with the above error message when 
>IDEA is chosen.  Since IDEA is encumbered with a patent, the solution 
>suggested in the error message is not viable.  Instead, IDEA should not be 
>presented as a valid option in the first place.

	not sure if it is correct, but could you please try this? (diff against
	current, should be applicable to 1.6 branch)

itojun


Index: s2_lib.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/openssl/ssl/s2_lib.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 s2_lib.c
--- s2_lib.c	2001/04/12 03:11:25	1.1.1.3
+++ s2_lib.c	2002/06/07 14:59:26
@@ -136,6 +136,7 @@
 	SSL_ALL_STRENGTHS,
 	},
 /* IDEA_128_CBC_WITH_MD5 */
+#if 0
 	{
 	1,
 	SSL2_TXT_IDEA_128_CBC_WITH_MD5,
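Review bot: the `#if 0` in front of the IDEA_128_CBC_WITH_MD5 entry is unconditional and carries no comment, so nothing in the file records why the cipher is gone, and a build that does link libcrypto_idea.a cannot get the entry back without editing the source. Suggest guarding the entry with a named build-time symbol instead of `#if 0` and adding a one-line comment that points at the patent issue. The same symbol could then cover the matching edits in s3_lib.c and ssl_ciph.c, so the three files cannot drift apart.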
@@ -148,6 +149,7 @@
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
+#endif
 /* DES_64_CBC_WITH_MD5 */
 	{
 	1,
Index: s3_lib.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/openssl/ssl/s3_lib.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 s3_lib.c
--- s3_lib.c	2001/04/12 03:11:27	1.1.1.3
+++ s3_lib.c	2002/06/07 14:59:27
@@ -271,6 +271,7 @@
 	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 07 */
+#if 0
 	{
 	1,
 	SSL3_TXT_RSA_IDEA_128_SHA,
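Review bot: the `/* Cipher 07 */` label sits above the new `#if 0`, so in the source it now heads a compiled-out block and the table silently skips from 06 to 08. Either move the `#if 0` above the label or extend the label to say the entry is disabled, for example `/* Cipher 07 (IDEA, compiled out) */`, so a reader comparing this table against a cipher-suite list sees that the gap is deliberate.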
@@ -283,6 +284,7 @@
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
+#endif
 /* Cipher 08 */
 	{
 	1,
Index: ssl_ciph.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/openssl/ssl/ssl_ciph.c,v
retrieving revision 1.3
diff -u -r1.3 ssl_ciph.c
--- ssl_ciph.c	2001/04/12 07:49:29	1.3
+++ ssl_ciph.c	2002/06/07 14:59:28
@@ -119,7 +119,9 @@
 	{0,SSL_TXT_3DES,0,SSL_3DES,  0,0,0,0,SSL_ENC_MASK,0},
 	{0,SSL_TXT_RC4,	0,SSL_RC4,   0,0,0,0,SSL_ENC_MASK,0},
 	{0,SSL_TXT_RC2,	0,SSL_RC2,   0,0,0,0,SSL_ENC_MASK,0},
+#if 0
 	{0,SSL_TXT_IDEA,0,SSL_IDEA,  0,0,0,0,SSL_ENC_MASK,0},
+#endif
 	{0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
 	{0,SSL_TXT_eFZA,0,SSL_eFZA,  0,0,0,0,SSL_ENC_MASK,0},
 
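Review bot: compiling out the `SSL_TXT_IDEA` row removes the IDEA name from this table of cipher names, not just the cipher itself, which changes what happens to a cipher string that mentions IDEA explicitly. Please check how the cipher-string parser treats a name it cannot find here, so that an existing configuration that excludes IDEA by name keeps working. If this row is only a name-to-mask mapping, leaving it in place and relying on the disabled suite entries and the NULL method slot may be the safer choice.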
@@ -158,8 +160,12 @@
 		EVP_get_cipherbyname(SN_rc4);
 	ssl_cipher_methods[SSL_ENC_RC2_IDX]= 
 		EVP_get_cipherbyname(SN_rc2_cbc);
+#if 0
 	ssl_cipher_methods[SSL_ENC_IDEA_IDX]= 
 		EVP_get_cipherbyname(SN_idea_cbc);
+#else
+	ssl_cipher_methods[SSL_ENC_IDEA_IDX] = NULL;
+#endif
 
 	ssl_digest_methods[SSL_MD_MD5_IDX]=
 		EVP_get_digestbyname(SN_md5);
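Review bot: the `#else` branch leaves `ssl_cipher_methods[SSL_ENC_IDEA_IDX]` set to NULL, so every reader of that slot now has to cope with a NULL method. Please confirm that no caller dereferences it unchecked and that a NULL slot is what causes IDEA to be dropped from the offered list, since that is the behaviour the original report asks for. Minor style point: ` = NULL` is spaced differently from the `]= ` used by the neighbouring assignments.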