From b256c3a748500e0110ee494af364012dc2a658a4 Mon Sep 17 00:00:00 2001 From: Kris Kennaway Date: Sun, 24 Sep 2000 07:01:53 +0000 Subject: [PATCH] Overhaul the documentation relating to crypto and related topics. Some of this stuff had been out of date for 3 or 4 years or more. Reviewed by: alex --- .../articles/committers-guide/article.sgml | 42 +----- en_US.ISO8859-1/books/faq/book.sgml | 99 ++++---------- .../books/handbook/introduction/chapter.sgml | 19 +-- .../books/handbook/security/chapter.sgml | 129 ++++-------------- .../books/porters-handbook/book.sgml | 8 +- .../articles/committers-guide/article.sgml | 42 +----- en_US.ISO_8859-1/books/faq/book.sgml | 99 ++++---------- .../books/handbook/introduction/chapter.sgml | 19 +-- .../books/handbook/security/chapter.sgml | 129 ++++-------------- .../books/porters-handbook/book.sgml | 8 +- 10 files changed, 118 insertions(+), 476 deletions(-) diff --git a/en_US.ISO8859-1/articles/committers-guide/article.sgml b/en_US.ISO8859-1/articles/committers-guide/article.sgml index 5816b521c1..99a5884a48 100644 --- a/en_US.ISO8859-1/articles/committers-guide/article.sgml +++ b/en_US.ISO8859-1/articles/committers-guide/article.sgml @@ -16,7 +16,7 @@ - $FreeBSD: doc/en_US.ISO_8859-1/articles/committers-guide/article.sgml,v 1.35 2000/08/16 17:41:40 dannyboy Exp $ + $FreeBSD: doc/en_US.ISO_8859-1/articles/committers-guide/article.sgml,v 1.36 2000/08/23 20:36:53 ben Exp $ 1999 @@ -43,13 +43,6 @@ freefall.FreeBSD.org - - - International Crypto Repository Host - - internat.FreeBSD.org - - Login Methods &man.ssh.1; @@ -60,24 +53,12 @@ /home/ncvs - - International Crypto CVSROOT - /home/cvs.crypt - - Main CVS Repository Meisters &a.jdp; and &a.peter; as well as &a.asami; for ports/ - - - International Crypto CVS Repository Meister - - &a.markm; - - Mailing List cvs-committers@FreeBSD.org 
@@ -120,8 +101,7 @@ one of them instead. The only ones allowed to directly fiddle the repository bits are the repomeisters. Satoshi Asami is also a repomeister for the ports/ portion of the - tree. Mark Murray is the repomeister for the International - Crypto Repository in South Africa. + tree. CVS operations are usually done by logging into freefall, making sure the @@ -531,11 +511,11 @@ You'll almost certainly get a conflict because - of the $Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $ (or in FreeBSD's case, + of the $Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $ (or in FreeBSD's case, $FreeBSD$) lines, so you'll have to edit the file to resolve the conflict (remove the marker lines and - the second $Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $ line, leaving the original - $Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $ line intact). + the second $Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $ line, leaving the original + $Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $ line intact). @@ -1082,18 +1062,6 @@ docs:Documentation Bug:nik: - - &a.markm; - - Mark is the CVS repository meister for the - international crypto repository kept on - internat.FreeBSD.org in South Africa. - - Mark also oversees most of the crypto code; if you have - any crypto updates, please ask Mark first. - - - &a.steve; diff --git a/en_US.ISO8859-1/books/faq/book.sgml b/en_US.ISO8859-1/books/faq/book.sgml index ae5bc50a1e..960ecfc0c5 100644 --- a/en_US.ISO8859-1/books/faq/book.sgml +++ b/en_US.ISO8859-1/books/faq/book.sgml @@ -15,7 +15,7 @@ - $FreeBSD: doc/en_US.ISO_8859-1/books/faq/book.sgml,v 1.94 2000/09/22 18:40:00 marko Exp $ + $FreeBSD: doc/en_US.ISO_8859-1/books/faq/book.sgml,v 1.95 2000/09/22 23:41:25 ben Exp $ This is the FAQ for FreeBSD versions 2.X, 3.X, and 4.X. All entries 
@@ -1844,81 +1844,30 @@ systems. - -I live outside the US. Can I use DES encryption? + + + Should I use DES passwords, or MD5, and how do I specify + which form my users receive? + -If it is not absolutely imperative that you use DES style -encryption, you can use FreeBSD's default encryption for even -better security, and with no export restrictions. FreeBSD -2.0's password default scrambler is now MD5-based, and is -more CPU-intensive to crack with an automated password cracker -than DES, and allows longer passwords as well. The only reason -for not using the MD5-based crypt today would be to use the -the same password entries on FreeBSD and non-FreeBSD systems. - -Since the DES encryption algorithm cannot legally be exported -from the US, non-US users should not download this software (as -part of the secrdist from US FTP sites. - -There is however a replacement libcrypt available, based on -sources written in Australia by David Burren. This code is now -available on some non-US FreeBSD mirror sites. Sources for the -unencumbered libcrypt, and binaries of the programs which use it, -can be obtained from the following FTP sites: - - - -South Africa - -ftp://ftp.internat.FreeBSD.org/pub/FreeBSD/, -ftp://storm.sea.uct.ac.za/pub/FreeBSD/ - - - - - - -Brazil - - -ftp://ftp.iqm.unicamp.br/pub/FreeBSD/ - - - - - - -Finland - - -ftp://nic.funet.fi/pub/unix/FreeBSD/eurocrypt/ - - - - - - -The non-US securedist can be used as a direct replacement -for the encumbered US securedist. This securedist -package is installed the same way as the US package (see -installation notes for details). If you are going to install DES -encryption, you should do so as soon as possible, before -installing other software. - -Non-US users should please not download any encryption software -from the USA. This can get the maintainers of the sites from -which the software is downloaded into severe legal difficulties. 
- -A non-US distribution of Kerberos is also being developed, and -current versions can generally be obtained by anonymous FTP from -braae.ru.ac.za. - -There is also a mailing list for the -discussion of non-US encryption software. For more information, send -an email message with a single line saying help in the body -of your message to majordomo@braae.ru.ac.za. - - + + The default password format on FreeBSD is to use + MD5-based passwords. These are believed to + be more secure than the traditional UNIX password format, which + used a scheme based on the DES algorithm. + DES passwords are still available if you need to share your + password file with legacy operating systems which still use the + less secure password format (they are available if you choose to + install the crypto distribution in sysinstall, or + by installing the crypto sources if building from source). Which + password format to use for new passwords is controlled by the + passwd_format login capability in + /etc/login.conf, which takes values of either + des (if available) or md5. See the + login.conf(5) manpage for more information about login + capabilities. + + The boot floppy starts but hangs at the Probing Devices... diff --git a/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml b/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml index 1eccc0d2af..a9dd789058 100644 --- a/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml @@ -1,7 +1,7 @@ 
@@ -688,23 +688,6 @@ You can also view the master (and most frequently updated) copies at http://www.FreeBSD.org/. - - The core of FreeBSD does not contain DES code which would - inhibit its being exported outside the United States. There is an - add-on package to the core distribution, for use only in the United - States, which contains the programs that normally use DES. The - auxiliary packages provided separately can be used by anyone. A - freely (from outside the U.S.) exportable European distribution of - DES for our non-U.S. users also exists and is described in the - FreeBSD FAQ. - - If password security for FreeBSD is all you need, and you have - no requirement for copying encrypted passwords from different hosts - (Suns, DEC machines, etc) into FreeBSD password entries, then - FreeBSD's MD5 based security may be all you require! We feel that - our default security model is more than a match for DES, and avoids - dealing with any messy export issues. If you are outside (or even - inside) the U.S., give it a try! diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml index b9f1c86c3e..807870b165 100644 --- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml @@ -1,7 +1,7 @@ @@ -763,7 +763,7 @@ Unfortunately the only secure way to encrypt passwords when UNIX came into being was based on DES, the Data Encryption Standard. This is not such a problem for users that live in - the US, but since the source code for DES cannot be exported + the US, but since the source code for DES could not be exported outside the US, FreeBSD had to find a way to both comply with US law and retain compatibility with all the other UNIX variants that still use DES. 
@@ -813,6 +813,16 @@ lrwxr-xr-x 1 root wheel 15 Mar 19 06:56 libcrypt_p.a -> libdescrypt_p.aOn a system using the MD5-based libraries, the same links will be present, but the target will be libscrypt rather than libdescrypt. + + If you have installed the DES-capable crypt library + libdescrypt (e.g. by installing the + "crypto" distribution), then which password format will be used + for new passwords is controlled by the + passwd_format login capability in + /etc/login.conf, which takes values of + either des or md5. See the + login.conf(5) manpage for more information about login + capabilities. @@ -1127,15 +1137,9 @@ permit port ttyd0 In FreeBSD, the Kerberos is not that from the original 4.4BSD-Lite, distribution, but eBones, which had been previously ported to FreeBSD - 1.1.5.1, and was sourced from outside the USA/Canada, and is thus - available to system owners outside those countries. - - For those needing to get a legal foreign distribution of this - software, please do not get it from a USA or Canada - site. You will get that site in big trouble! A - legal copy of this is available from ftp.internat.FreeBSD.org, which is in South - Africa and an official FreeBSD mirror site. + 1.1.5.1, and was sourced from outside the USA/Canada, and was thus + available to system owners outside those countries during the era + of restrictive export controls on cryptographic code from the USA. Creating the initial database 
@@ -2309,13 +2313,16 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995 Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer Security v1 (TLSv1) network security protocols. - However, some of the algorithms (specifically, RSA and IDEA) - included in OpenSSL are protected by patents in the USA and - elsewhere, and are not available for unrestricted use (in - particular, IDEA is not available at all in FreeBSD's version of - OpenSSL). As a result, FreeBSD has available two different - versions of the OpenSSL RSA libraries depending on geographical - location (USA/non-USA). + However, one of the algorithms (specifically IDEA) + included in OpenSSL is protected by patents in the USA and + elsewhere, and is not available for unrestricted use. + IDEA is included in the OpenSSL sources in FreeBSD, but it is not + built by default. If you wish to use it, and you comply with the + license terms, enable the MAKE_IDEA switch in /etc/make.conf and + rebuild your sources using 'make world'. + + Today, the RSA algorithm is free for use in USA and other + countries. In the past it was protected by a patent. Source Code Installations 
@@ -2326,92 +2333,6 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995 information about obtaining and updating FreeBSD source code. - - - International (Non-USA) Users - - People who are located outside the USA, and who obtain their - crypto sources from internat.FreeBSD.org (the International - Crypto Repository) or an international mirror site, will build a - version of OpenSSL which includes the native OpenSSL - implementation of - RSA, but does not include IDEA, because the latter is restricted - in certain locations elsewhere in the world. In the future a more - flexible geographical identification system may allow building of - IDEA in countries for which it is not restricted. - - Please be aware of any local restrictions on the import, use - and redistribution of cryptography which may exist in your - country. - - - - USA Users - - As noted above, RSA is patented in the USA, with terms - preventing general use without an appropriate license. Therefore - the standard OpenSSL RSA code may not be used in the USA, and has been - removed from the version of OpenSSL carried on USA mirror sites. - The RSA patent is due to expire on September 20, 2000, at which - time it is intended to add the full RSA code back to - the USA version of OpenSSL. - - However (and fortunately), the RSA patent holder (RSA Security, has - provided a RSA reference implementation toolkit - (RSAREF) which is available for certain classes of - use, including non-commercial use - (see the RSAREF license for their definition of - non-commercial). - - If you meet the conditions of the RSAREF license and wish to - use it in conjunction with OpenSSL to provide RSA support, you can - install the rsaref port, which is located in - /usr/ports/security/rsaref, or the - rsaref-2.0 package. The OpenSSL library will - then automatically detect and use the RSAREF libraries. Please obtain - legal advice if you are unsure of your compliance with the license - terms. 
- - The RSAREF implementation is inferior to the - native OpenSSL implementation (it is much slower, - and cannot be used with keys larger than 1024 bits). If you are not - located in the USA then you are doing yourself a disadvantage by - using RSAREF. - - Users who have purchased an appropriate RSA source code - license from RSA Security may use the International version of - OpenSSL described above to obtain native RSA support. - - IDEA code is also removed from the USA version of OpenSSL for - patent reasons. - - - - Binary Installations - - If your FreeBSD installation was a binary installation (e.g., - installed from the Walnut Creek CDROM, or from a snapshot - downloaded from - ftp.FreeBSD.org) and you selected to - install the crypto collection, then the - sysinstall utility will automatically select - the correct version to install during the installation - process. If the international version was selected but could - not be installed during sysinstall (e.g. you have not - configured network access, and the version must be downloaded - from a FTP site) then you can add the international RSA library - after installation as a package. - - The librsaintl package contains the RSA - code for International (non-USA) users. This is not legal for - use in the USA, but international users should use this version - because the RSA implementation is faster and more flexible. It - is available from ftp.internat.FreeBSD.org and does not - require RSAREF. - diff --git a/en_US.ISO8859-1/books/porters-handbook/book.sgml b/en_US.ISO8859-1/books/porters-handbook/book.sgml index 632cfc6c50..b8e98b45bb 100644 --- a/en_US.ISO8859-1/books/porters-handbook/book.sgml +++ b/en_US.ISO8859-1/books/porters-handbook/book.sgml 
@@ -1,7 +1,7 @@ Licensing Problems Some software packages have restrictive licenses or can be in - violation of the law (PKP's patent on public key crypto, ITAR (export - of crypto software) to name just two of them). What we can do with + violation of the law in some countries (such as violating a patent). + What we can do with them varies a lot, depending on the exact wordings of the respective licenses. @@ -2039,7 +2039,7 @@ PLIST_SUB= OCTAVE_VERSION=${OCTAVE_VERSION} If the port has legal restrictions on who can use it (e.g., - crypto stuff) or has a “no commercial use” license, + patented stuff) or has a “no commercial use” license, set the variable RESTRICTED to be the string describing the reason why. For such ports, the distfiles/packages will not be available even from our ftp sites. diff --git a/en_US.ISO_8859-1/articles/committers-guide/article.sgml b/en_US.ISO_8859-1/articles/committers-guide/article.sgml index 5816b521c1..99a5884a48 100644 --- a/en_US.ISO_8859-1/articles/committers-guide/article.sgml +++ b/en_US.ISO_8859-1/articles/committers-guide/article.sgml @@ -16,7 +16,7 @@ - $FreeBSD: doc/en_US.ISO_8859-1/articles/committers-guide/article.sgml,v 1.35 2000/08/16 17:41:40 dannyboy Exp $ + $FreeBSD: doc/en_US.ISO_8859-1/articles/committers-guide/article.sgml,v 1.36 2000/08/23 20:36:53 ben Exp $ 1999 @@ -43,13 +43,6 @@ freefall.FreeBSD.org - - - International Crypto Repository Host - - internat.FreeBSD.org - - Login Methods &man.ssh.1; @@ -60,24 +53,12 @@ /home/ncvs - - International Crypto CVSROOT - /home/cvs.crypt - - Main CVS Repository Meisters &a.jdp; and &a.peter; as well as &a.asami; for ports/ - - - International Crypto CVS Repository Meister - - &a.markm; - - Mailing List cvs-committers@FreeBSD.org 
@@ -120,8 +101,7 @@ one of them instead. The only ones allowed to directly fiddle the repository bits are the repomeisters. Satoshi Asami is also a repomeister for the ports/ portion of the - tree. Mark Murray is the repomeister for the International - Crypto Repository in South Africa. + tree. CVS operations are usually done by logging into freefall, making sure the @@ -531,11 +511,11 @@ You'll almost certainly get a conflict because - of the $Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $ (or in FreeBSD's case, + of the $Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $ (or in FreeBSD's case, $FreeBSD$) lines, so you'll have to edit the file to resolve the conflict (remove the marker lines and - the second $Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $ line, leaving the original - $Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $ line intact). + the second $Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $ line, leaving the original + $Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $ line intact). @@ -1082,18 +1062,6 @@ docs:Documentation Bug:nik: - - &a.markm; - - Mark is the CVS repository meister for the - international crypto repository kept on - internat.FreeBSD.org in South Africa. - - Mark also oversees most of the crypto code; if you have - any crypto updates, please ask Mark first. - - - &a.steve; diff --git a/en_US.ISO_8859-1/books/faq/book.sgml b/en_US.ISO_8859-1/books/faq/book.sgml index ae5bc50a1e..960ecfc0c5 100644 --- a/en_US.ISO_8859-1/books/faq/book.sgml +++ b/en_US.ISO_8859-1/books/faq/book.sgml @@ -15,7 +15,7 @@ - $FreeBSD: doc/en_US.ISO_8859-1/books/faq/book.sgml,v 1.94 2000/09/22 18:40:00 marko Exp $ + $FreeBSD: doc/en_US.ISO_8859-1/books/faq/book.sgml,v 1.95 2000/09/22 23:41:25 ben Exp $ This is the FAQ for FreeBSD versions 2.X, 3.X, and 4.X. All entries 
@@ -1844,81 +1844,30 @@ systems. - -I live outside the US. Can I use DES encryption? + + + Should I use DES passwords, or MD5, and how do I specify + which form my users receive? + -If it is not absolutely imperative that you use DES style -encryption, you can use FreeBSD's default encryption for even -better security, and with no export restrictions. FreeBSD -2.0's password default scrambler is now MD5-based, and is -more CPU-intensive to crack with an automated password cracker -than DES, and allows longer passwords as well. The only reason -for not using the MD5-based crypt today would be to use the -the same password entries on FreeBSD and non-FreeBSD systems. - -Since the DES encryption algorithm cannot legally be exported -from the US, non-US users should not download this software (as -part of the secrdist from US FTP sites. - -There is however a replacement libcrypt available, based on -sources written in Australia by David Burren. This code is now -available on some non-US FreeBSD mirror sites. Sources for the -unencumbered libcrypt, and binaries of the programs which use it, -can be obtained from the following FTP sites: - - - -South Africa - -ftp://ftp.internat.FreeBSD.org/pub/FreeBSD/, -ftp://storm.sea.uct.ac.za/pub/FreeBSD/ - - - - - - -Brazil - - -ftp://ftp.iqm.unicamp.br/pub/FreeBSD/ - - - - - - -Finland - - -ftp://nic.funet.fi/pub/unix/FreeBSD/eurocrypt/ - - - - - - -The non-US securedist can be used as a direct replacement -for the encumbered US securedist. This securedist -package is installed the same way as the US package (see -installation notes for details). If you are going to install DES -encryption, you should do so as soon as possible, before -installing other software. - -Non-US users should please not download any encryption software -from the USA. This can get the maintainers of the sites from -which the software is downloaded into severe legal difficulties. 
- -A non-US distribution of Kerberos is also being developed, and -current versions can generally be obtained by anonymous FTP from -braae.ru.ac.za. - -There is also a mailing list for the -discussion of non-US encryption software. For more information, send -an email message with a single line saying help in the body -of your message to majordomo@braae.ru.ac.za. - - + + The default password format on FreeBSD is to use + MD5-based passwords. These are believed to + be more secure than the traditional UNIX password format, which + used a scheme based on the DES algorithm. + DES passwords are still available if you need to share your + password file with legacy operating systems which still use the + less secure password format (they are available if you choose to + install the crypto distribution in sysinstall, or + by installing the crypto sources if building from source). Which + password format to use for new passwords is controlled by the + passwd_format login capability in + /etc/login.conf, which takes values of either + des (if available) or md5. See the + login.conf(5) manpage for more information about login + capabilities. + + The boot floppy starts but hangs at the Probing Devices... diff --git a/en_US.ISO_8859-1/books/handbook/introduction/chapter.sgml b/en_US.ISO_8859-1/books/handbook/introduction/chapter.sgml index 1eccc0d2af..a9dd789058 100644 --- a/en_US.ISO_8859-1/books/handbook/introduction/chapter.sgml +++ b/en_US.ISO_8859-1/books/handbook/introduction/chapter.sgml @@ -1,7 +1,7 @@ 
@@ -688,23 +688,6 @@ You can also view the master (and most frequently updated) copies at http://www.FreeBSD.org/. - - The core of FreeBSD does not contain DES code which would - inhibit its being exported outside the United States. There is an - add-on package to the core distribution, for use only in the United - States, which contains the programs that normally use DES. The - auxiliary packages provided separately can be used by anyone. A - freely (from outside the U.S.) exportable European distribution of - DES for our non-U.S. users also exists and is described in the - FreeBSD FAQ. - - If password security for FreeBSD is all you need, and you have - no requirement for copying encrypted passwords from different hosts - (Suns, DEC machines, etc) into FreeBSD password entries, then - FreeBSD's MD5 based security may be all you require! We feel that - our default security model is more than a match for DES, and avoids - dealing with any messy export issues. If you are outside (or even - inside) the U.S., give it a try! diff --git a/en_US.ISO_8859-1/books/handbook/security/chapter.sgml b/en_US.ISO_8859-1/books/handbook/security/chapter.sgml index b9f1c86c3e..807870b165 100644 --- a/en_US.ISO_8859-1/books/handbook/security/chapter.sgml +++ b/en_US.ISO_8859-1/books/handbook/security/chapter.sgml @@ -1,7 +1,7 @@ @@ -763,7 +763,7 @@ Unfortunately the only secure way to encrypt passwords when UNIX came into being was based on DES, the Data Encryption Standard. This is not such a problem for users that live in - the US, but since the source code for DES cannot be exported + the US, but since the source code for DES could not be exported outside the US, FreeBSD had to find a way to both comply with US law and retain compatibility with all the other UNIX variants that still use DES. 
@@ -813,6 +813,16 @@ lrwxr-xr-x 1 root wheel 15 Mar 19 06:56 libcrypt_p.a -> libdescrypt_p.aOn a system using the MD5-based libraries, the same links will be present, but the target will be libscrypt rather than libdescrypt. + + If you have installed the DES-capable crypt library + libdescrypt (e.g. by installing the + "crypto" distribution), then which password format will be used + for new passwords is controlled by the + passwd_format login capability in + /etc/login.conf, which takes values of + either des or md5. See the + login.conf(5) manpage for more information about login + capabilities. @@ -1127,15 +1137,9 @@ permit port ttyd0 In FreeBSD, the Kerberos is not that from the original 4.4BSD-Lite, distribution, but eBones, which had been previously ported to FreeBSD - 1.1.5.1, and was sourced from outside the USA/Canada, and is thus - available to system owners outside those countries. - - For those needing to get a legal foreign distribution of this - software, please do not get it from a USA or Canada - site. You will get that site in big trouble! A - legal copy of this is available from ftp.internat.FreeBSD.org, which is in South - Africa and an official FreeBSD mirror site. + 1.1.5.1, and was sourced from outside the USA/Canada, and was thus + available to system owners outside those countries during the era + of restrictive export controls on cryptographic code from the USA. Creating the initial database 
@@ -2309,13 +2313,16 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995 Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer Security v1 (TLSv1) network security protocols. - However, some of the algorithms (specifically, RSA and IDEA) - included in OpenSSL are protected by patents in the USA and - elsewhere, and are not available for unrestricted use (in - particular, IDEA is not available at all in FreeBSD's version of - OpenSSL). As a result, FreeBSD has available two different - versions of the OpenSSL RSA libraries depending on geographical - location (USA/non-USA). + However, one of the algorithms (specifically IDEA) + included in OpenSSL is protected by patents in the USA and + elsewhere, and is not available for unrestricted use. + IDEA is included in the OpenSSL sources in FreeBSD, but it is not + built by default. If you wish to use it, and you comply with the + license terms, enable the MAKE_IDEA switch in /etc/make.conf and + rebuild your sources using 'make world'. + + Today, the RSA algorithm is free for use in USA and other + countries. In the past it was protected by a patent. Source Code Installations 
@@ -2326,92 +2333,6 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995 information about obtaining and updating FreeBSD source code. - - - International (Non-USA) Users - - People who are located outside the USA, and who obtain their - crypto sources from internat.FreeBSD.org (the International - Crypto Repository) or an international mirror site, will build a - version of OpenSSL which includes the native OpenSSL - implementation of - RSA, but does not include IDEA, because the latter is restricted - in certain locations elsewhere in the world. In the future a more - flexible geographical identification system may allow building of - IDEA in countries for which it is not restricted. - - Please be aware of any local restrictions on the import, use - and redistribution of cryptography which may exist in your - country. - - - - USA Users - - As noted above, RSA is patented in the USA, with terms - preventing general use without an appropriate license. Therefore - the standard OpenSSL RSA code may not be used in the USA, and has been - removed from the version of OpenSSL carried on USA mirror sites. - The RSA patent is due to expire on September 20, 2000, at which - time it is intended to add the full RSA code back to - the USA version of OpenSSL. - - However (and fortunately), the RSA patent holder (RSA Security, has - provided a RSA reference implementation toolkit - (RSAREF) which is available for certain classes of - use, including non-commercial use - (see the RSAREF license for their definition of - non-commercial). - - If you meet the conditions of the RSAREF license and wish to - use it in conjunction with OpenSSL to provide RSA support, you can - install the rsaref port, which is located in - /usr/ports/security/rsaref, or the - rsaref-2.0 package. The OpenSSL library will - then automatically detect and use the RSAREF libraries. Please obtain - legal advice if you are unsure of your compliance with the license - terms. 
- - The RSAREF implementation is inferior to the - native OpenSSL implementation (it is much slower, - and cannot be used with keys larger than 1024 bits). If you are not - located in the USA then you are doing yourself a disadvantage by - using RSAREF. - - Users who have purchased an appropriate RSA source code - license from RSA Security may use the International version of - OpenSSL described above to obtain native RSA support. - - IDEA code is also removed from the USA version of OpenSSL for - patent reasons. - - - - Binary Installations - - If your FreeBSD installation was a binary installation (e.g., - installed from the Walnut Creek CDROM, or from a snapshot - downloaded from - ftp.FreeBSD.org) and you selected to - install the crypto collection, then the - sysinstall utility will automatically select - the correct version to install during the installation - process. If the international version was selected but could - not be installed during sysinstall (e.g. you have not - configured network access, and the version must be downloaded - from a FTP site) then you can add the international RSA library - after installation as a package. - - The librsaintl package contains the RSA - code for International (non-USA) users. This is not legal for - use in the USA, but international users should use this version - because the RSA implementation is faster and more flexible. It - is available from ftp.internat.FreeBSD.org and does not - require RSAREF. - diff --git a/en_US.ISO_8859-1/books/porters-handbook/book.sgml b/en_US.ISO_8859-1/books/porters-handbook/book.sgml index 632cfc6c50..b8e98b45bb 100644 --- a/en_US.ISO_8859-1/books/porters-handbook/book.sgml +++ b/en_US.ISO_8859-1/books/porters-handbook/book.sgml 
@@ -1,7 +1,7 @@ Licensing Problems Some software packages have restrictive licenses or can be in - violation of the law (PKP's patent on public key crypto, ITAR (export - of crypto software) to name just two of them). What we can do with + violation of the law in some countries (such as violating a patent). + What we can do with them varies a lot, depending on the exact wordings of the respective licenses. @@ -2039,7 +2039,7 @@ PLIST_SUB= OCTAVE_VERSION=${OCTAVE_VERSION} If the port has legal restrictions on who can use it (e.g., - crypto stuff) or has a “no commercial use” license, + patented stuff) or has a “no commercial use” license, set the variable RESTRICTED to be the string describing the reason why. For such ports, the distfiles/packages will not be available even from our ftp sites.
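
Review bot: In the committers-guide hunk at @@ -531,11 +511,11 @@, the three changed lines are CVS keyword expansion inside the example prose: the literal $Id$ in the sentence about merge conflicts has been expanded to "article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp", so the text will change on every commit and the reader sees this file's revision string instead of the keyword being discussed. The neighbouring $FreeBSD$ in the same sentence is unexpanded; write $Id$ so that it stays literal as well and drop these lines from the patch. The same applies to the en_US.ISO_8859-1 copy.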
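
Review bot: The committers-guide hunk at @@ -1082,18 +1062,6 @@ deletes more than the repository role: along with the internat.FreeBSD.org description it removes "Mark also oversees most of the crypto code; if you have any crypto updates, please ask Mark first." That sentence is about who reviews crypto changes, not about where the repository lives. If the review arrangement still holds, keep the &a.markm; entry with only that sentence; if it does not, name the current contact, so committers still know whom to ask before touching crypto code.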
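
Review bot: In the FAQ hunk at @@ -1844,81 +1844,30 @@, the new answer says MD5-based passwords "are believed to be more secure" but no longer says why. The removed text gave the reasons (the MD5 scheme "is more CPU-intensive to crack with an automated password cracker than DES, and allows longer passwords as well"); carry that clause into the new answer so the recommendation is justified. The question also asks "Should I use DES passwords, or MD5", so the answer should say outright that MD5 is the choice unless the password file must be shared with systems that only understand DES.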
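
Review bot: In the security-chapter hunk at @@ -763,7 +763,7 @@, only one verb is moved to the past tense. After the change the sentence reads "This is not such a problem for users that live in the US, but since the source code for DES could not be exported", mixing present and past in one statement. Put the whole sentence in the past tense so the export restriction is presented as history throughout.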
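
Review bot: The paragraph added in the security-chapter hunk at @@ -813,6 +813,16 @@ names the passwd_format capability but shows no example entry and does not say what has to happen after /etc/login.conf is edited; login.conf(5) documents rebuilding the capability database with cap_mkdb, and that step is worth stating here. It also says the capability "takes values of either des or md5", while the FAQ hunk in this same patch says "des (if available) or md5"; use the FAQ wording in both places so the handbook does not imply des always works. Since the text says the setting applies to "new passwords", add that existing entries keep their old format until the password is changed.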
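
Review bot: In the OpenSSL hunk at @@ -2309,13 +2313,16 @@, the added sentence "Today, the RSA algorithm is free for use in USA and other countries" will date badly and is missing an article ("in the USA"). The text removed later in this patch gives the fact that should replace "Today": the patent was due to expire on September 20, 2000. State that date instead. For the IDEA paragraph, "enable the MAKE_IDEA switch in /etc/make.conf" does not tell the reader what to type; show the exact line to add, and say which license terms are meant by "you comply with the license terms".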
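
Review bot: The security-chapter hunk at @@ -2326,92 +2333,6 @@ removes two things that are not made obsolete by the end of the US export and patent restrictions. First, "Please be aware of any local restrictions on the import, use and redistribution of cryptography which may exist in your country" is not specific to the USA and should survive, for example at the end of the OpenSSL introduction. Second, the removed text told readers to install the rsaref port or the librsaintl package; systems set up by following it still have those installed, and the chapter now says nothing about them. Add a short note saying whether they are still needed and whether they should be removed.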
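
Review bot: In the porters-handbook Licensing Problems hunk, the replacement wording "can be in violation of the law in some countries (such as violating a patent)" is awkward, and the hunk leaves "What we can do with" as a short line of its own. Suggest "may violate the law in some countries (for example, by infringing a patent)" and reflowing the paragraph. In the @@ -2039,7 +2039,7 @@ hunk, "patented stuff" replaces "crypto stuff" as the only example of a legal restriction for RESTRICTED; "patented software" reads better, and if any ports are still restricted for reasons other than patents the example should not suggest patents are the only case.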