Next: Performance and Code Size Up: Implementation Details Previous: Addressing Denial of Service

Solving the RSA "problem"

At the time we started implementing isakmpd, exporting a US RSA implementation in source form to the world at large was illegal. Another problem was that it was not legal to use the RSA algorithm within the US unless one had a license from RSA Inc. or used the US-originated non-commercial RSAREF library. Thus, there was no way to make a distribution that would be free to use both in the US and in the rest of the world, because the only implementation that was free in the US was not exportable. OpenBSD has solved this problem elsewhere in the source tree in an elegant way: we chose to use all RSA functionality via a dynamically linked shared library, libcrypto, which is part of OpenSSL. This library exists in three variants: one RSA-crippled, with no RSA support at all; one with internationally written RSA code; and one with RSAREF. We ship the RSA-crippled version, as that one has no patent or exportability issues at all. We then tell international users to fetch the international libcrypto version, and US users to get the one based on RSAREF (if they meet the criteria to legally use it).

This could work for isakmpd too, if it were not for the fact that we want isakmpd to be statically linked, so we can get IKE negotiation capabilities really early in the boot process.

The solution was to use dynamic linking via the dlopen API. Every RSA-related symbol of libcrypto is accessed indirectly through a pointer. Each pointer is initialized with the address of the statically linked RSA-crippled stub. After a successful dynamic link, the pointers are reset to the newly loaded libcrypto equivalents. It is not considered a fatal error if the dynamic linking fails. Not all operating systems allow statically linked binaries to use dlopen, but those that do can benefit from this.
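The following C program is an added illustration of the scheme just described; it is not isakmpd's code and does not use libcrypto's real prototypes. The RSA operations are reached only through function pointers that start out pointing at "crippled" stubs, `rsa_load()` tries to dlopen a shared library and swap the pointers, and a failed load is logged and ignored rather than treated as fatal. The symbol names (`RSA_sign_hypothetical`, `RSA_verify_hypothetical`), the library path and the `fake_lookup` resolver that stands in for a loaded library are all constructed for the example; `rsa_bind()` takes the resolver as a parameter so the all-or-nothing pointer swap can be exercised offline.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signatures of the two RSA operations this illustration needs. Assumed
 * shapes, not libcrypto's real prototypes. */
typedef int (*rsa_sign_fn)(const unsigned char *msg, size_t len, unsigned char *sig);
typedef int (*rsa_verify_fn)(const unsigned char *msg, size_t len, const unsigned char *sig);

/* Statically linked "RSA-crippled" stubs: always refuse, never crash. */
static int stub_sign(const unsigned char *msg, size_t len, unsigned char *sig) {
    (void)msg; (void)len; (void)sig;
    return -1;                          /* RSA not available */
}
static int stub_verify(const unsigned char *msg, size_t len, const unsigned char *sig) {
    (void)msg; (void)len; (void)sig;
    return -1;
}

/* The indirection: every RSA call goes through these, initialised to stubs. */
static rsa_sign_fn   rsa_sign_ptr   = stub_sign;
static rsa_verify_fn rsa_verify_ptr = stub_verify;

typedef void *(*lookup_fn)(void *handle, const char *symbol);

/* Resolve the RSA symbols through lookup() and install them all at once.
 * If any symbol is missing nothing is changed, so the daemon never runs
 * with a mix of stub and real code. Symbol names are hypothetical. */
int rsa_bind(void *handle, lookup_fn lookup) {
    void *sign_addr   = lookup(handle, "RSA_sign_hypothetical");
    void *verify_addr = lookup(handle, "RSA_verify_hypothetical");
    if (sign_addr == NULL || verify_addr == NULL)
        return 0;                       /* keep the stubs */
    /* POSIX idiom for moving a void * from dlsym() into a function pointer */
    *(void **)&rsa_sign_ptr   = sign_addr;
    *(void **)&rsa_verify_ptr = verify_addr;
    return 1;
}

/* Try to dlopen a shared libcrypto. Failure is not fatal: the stubs stay
 * and RSA simply remains unavailable for this run. */
int rsa_load(const char *path) {
    void *h = dlopen(path, RTLD_NOW);
    if (h == NULL) {
        const char *err = dlerror();
        fprintf(stderr, "RSA disabled: cannot load %s: %s\n", path, err ? err : "unknown");
        return 0;
    }
    if (!rsa_bind(h, dlsym)) {
        fprintf(stderr, "RSA disabled: %s lacks the expected symbols\n", path);
        dlclose(h);
        return 0;
    }
    return 1;                           /* handle stays open for the process lifetime */
}

void rsa_reset_to_stubs(void) { rsa_sign_ptr = stub_sign; rsa_verify_ptr = stub_verify; }
int rsa_available(void) { return rsa_sign_ptr != stub_sign; }

/* What the rest of the daemon calls; it never names libcrypto symbols. */
int rsa_sign(const unsigned char *msg, size_t len, unsigned char *sig) {
    return rsa_sign_ptr(msg, len, sig);
}
int rsa_verify(const unsigned char *msg, size_t len, const unsigned char *sig) {
    return rsa_verify_ptr(msg, len, sig);
}

/* Constructed stand-in for a loaded library, so the swap can be exercised
 * offline without a real libcrypto: a resolver that knows two symbols. */
static int fake_sign(const unsigned char *msg, size_t len, unsigned char *sig) {
    (void)msg; memset(sig, 0xAB, len);  /* pretend signature */
    return 0;
}
static int fake_verify(const unsigned char *msg, size_t len, const unsigned char *sig) {
    (void)msg; (void)len; (void)sig;
    return 0;
}
void *fake_lookup(void *handle, const char *symbol) {
    (void)handle;
    if (strcmp(symbol, "RSA_sign_hypothetical") == 0)   return (void *)fake_sign;
    if (strcmp(symbol, "RSA_verify_hypothetical") == 0) return (void *)fake_verify;
    return NULL;                        /* unknown symbol, like dlsym() */
}
/* Resolver that only knows the signing symbol: exercises the all-or-nothing rule. */
void *fake_lookup_partial(void *handle, const char *symbol) {
    return strcmp(symbol, "RSA_sign_hypothetical") == 0 ? fake_lookup(handle, symbol) : NULL;
}

int main(void) {
    unsigned char sig[4];
    printf("dlopen placeholder: %d, available=%d\n",
           rsa_load("/nonexistent/libcrypto-placeholder.so"), rsa_available());
    printf("partial bind: %d, available=%d\n", rsa_bind(NULL, fake_lookup_partial), rsa_available());
    printf("full bind: %d, available=%d, sign=%d\n",
           rsa_bind(NULL, fake_lookup), rsa_available(), rsa_sign((const unsigned char *)"m", 1, sig));
    return 0;
}
```

Two choices matter for a daemon that runs early in boot: the swap is all-or-nothing, so a library that lacks one expected symbol leaves every pointer on its stub instead of mixing stub and real code, and the stubs return an error code rather than aborting, so the daemon can keep negotiating with the non-RSA authentication methods it still supports. On an older glibc the program needs `-ldl` at link time.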


Angelos D. Keromytis
4/20/2000