Date:   Fri, 5 May 2017 15:52:41 +0200
From:   Michal Suchánek <msuchanek@...e.de>
To:     Paulo Flabiano Smorigo <pfsmorigo@...ux.vnet.ibm.com>
Cc:     Tyrel Datwyler <tyreld@...ux.vnet.ibm.com>,
        "Leonidas S. Barbosa" <leosilva@...ux.vnet.ibm.com>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        Geert Uytterhoeven <geert+renesas@...der.be>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-kernel@...r.kernel.org, Paul Mackerras <paulus@...ba.org>,
        linux-crypto@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org,
        "David S. Miller" <davem@...emloft.net>, appro@...nssl.org
Subject: Re: [PATCH] crypto: vmx: Remove dubiously licensed crypto code

Hello,

On Thu, 30 Mar 2017 13:30:17 -0300
Paulo Flabiano Smorigo <pfsmorigo@...ux.vnet.ibm.com> wrote:

> On 2017-03-29 20:08, Tyrel Datwyler wrote:
> > On 03/29/2017 08:13 AM, Michal Suchánek wrote:  
> >> On Wed, 29 Mar 2017 16:51:35 +0200
> >> Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote:
> >>   
> >>> On Wed, Mar 29, 2017 at 02:56:39PM +0200, Michal Suchanek wrote:  
> >>>> While reviewing commit 11c6e16ee13a ("crypto: vmx - Adding asm
> >>>> subroutines for XTS") which adds the OpenSSL license header to
> >>>> drivers/crypto/vmx/aesp8-ppc.pl licensing of this driver came
> >>>> into question. The whole license reads:
> >>>> 
> >>>>  # Licensed under the OpenSSL license (the "License").  You may not use
> >>>>  # this file except in compliance with the License.  You can obtain a copy
> >>>>  # in the file LICENSE in the source distribution or at
> >>>>  # https://www.openssl.org/source/license.html
> >>>> 
> >>>>  #
> >>>>  # ====================================================================
> >>>>  # Written by Andy Polyakov <appro@...nssl.org> for the OpenSSL
> >>>>  # project. The module is, however, dual licensed under OpenSSL and
> >>>>  # CRYPTOGAMS licenses depending on where you obtain it. For further
> >>>>  # details see http://www.openssl.org/~appro/cryptogams/.
> >>>>  # ====================================================================
> >>>> 
> >>>> After seeking legal advice it is still not clear that this driver
> >>>> can be legally used in Linux. In particular the "depending on
> >>>> where you obtain it" part does not make it clear when you can
> >>>> apply the GPL and when the OpenSSL license.
> >>>> 
> >>>> I tried contacting the author of the code for clarification but
> >>>> did not hear back. In absence of clear licensing the only
> >>>> solution I see is removing this code.  
> > 
> > A quick 'git grep OpenSSL' of the Linux tree returns several other
> > crypto files under the ARM architecture that are similarly
> > licensed. Namely:
> > 
> > arch/arm/crypto/sha1-armv4-large.S
> > arch/arm/crypto/sha256-armv4.pl
> > arch/arm/crypto/sha256-core.S_shipped
> > arch/arm/crypto/sha512-armv4.pl
> > arch/arm/crypto/sha512-core.S_shipped
> > arch/arm64/crypto/sha256-core.S_shipped
> > arch/arm64/crypto/sha512-armv8.pl
> > arch/arm64/crypto/sha512-core.S_shipped
> > 
> > On closer inspection of some of those files have the addendum that
> > "Permission to use under GPL terms is granted", but not all of them.
> > 
> > -Tyrel  
> 
> In 2015,  , the author, replied in this mailing list [1]:
> 
> "I have no problems with reusing assembly modules in kernel context.
> The whole idea behind cryptogams initiative was exactly to reuse code
> in different contexts."
> 
> [1] https://patchwork.kernel.org/patch/6027481/
> 

So you have an e-mail message from one of the authors of the code.
Andy Polyakov wrote most of the code but there are probably other
contributors who never gave explicit consent for using their code
outside of OpenSSL. The OpenSSL maintainers made it explicitly clear by
stamping the OpenSSL license incompatible with GPL2 on the file that
they are not OK with hosting development for Linux kernel code.

This CRYPTOGAMS project did not seem to get anywhere so there is no
source for the code other than the OpenSSL tree. Merging code from
OpenSSL into Linux does not look legally feasible.

Andy Polyakov is unresponsive in discussions concerning his awesome
licensing terms.

The MAINTAINERS file has
IBM Power VMX Cryptographic instructions
M:	Leonidas S. Barbosa <leosilva@...ux.vnet.ibm.com>
M:	Paulo Flabiano Smorigo <pfsmorigo@...ux.vnet.ibm.com>
L:	linux-crypto@...r.kernel.org
S:	Supported

So presumably the maintainers have access to necessary legal advice to
determine what steps are necessary to make this driver maintainable
legally.

I do not expect this will be resolved overnight. However, there is no
progress on this issue whatsoever so I suggest removal of the driver.

Thanks

Michal
