Openswan: Building and Integrating Virtual Private Networks

By: Ken Bantoft, Paul Wouters

Overview of this book

With the widespread use of wireless networking and the integration of VPN capabilities in most modern laptops, PDAs and mobile phones, there is a growing desire to encrypt more and more communications to prevent eavesdropping. Can you trust the coffee shop's wireless network? Is your neighbor watching your wireless traffic? Or are your competitors perhaps engaged in industrial espionage? Do you need to send information back to your office while on the road or on board a ship? Or do you just want to securely access your MP3s at home? IPsec is the industry standard for encrypted communication, and Openswan is the de facto implementation of IPsec for Linux.

Whether you are just connecting your home DSL connection with your laptop when you are on the road to access your files at home, or you are building an industrial-scale, military-strength VPN infrastructure for a medium to very large organization, this book will assist you in setting up Openswan to suit those needs.

The topics discussed range from designing, to building, to configuring Openswan as the VPN gateway to deploy IPsec. The book covers not only Linux clients, but also the more commonly used operating systems such as Microsoft Windows and Mac OS X. Furthermore, it discusses common interoperability examples for third-party vendors, such as Cisco, Checkpoint, Netscreen and other common IPsec vendors.

The authors bring you first-hand information, as they are the official developers of the Openswan code. They have included the latest developments and upcoming issues. With experience in answering questions on a daily basis on the mailing lists since the creation of Openswan, the authors are by far the most experienced in a wide range of successful and not so successful uses of Openswan by people worldwide.

Using Openswan


If reading about the politics and license issues has made you nervous about the legality of your use of Openswan, do not worry. The following sections explain the legalities of Openswan, though you should not read them as a replacement for the advice of a skilled lawyer. Treat them rather as the basic information you would supply to your lawyer to determine your specific case.

If you are in doubt whether or not it is legal for you to use Openswan, consult a lawyer!

Copyright and License Conditions

Openswan is based in large part on FreeS/WAN. The copyright of that code lies with the respective developers, who all released their code under the GNU General Public License (GPL). All the patches to FreeS/WAN are copyright of their respective authors and released under the GPL. New Openswan code written by Xelerance is copyright of Xelerance, and is also released under the GPL.

The GPL does not discriminate against fields of use. Anyone is free to use this software as they see fit, whether for a homebrew VPN or a nuclear power plant. As programmers, we, the authors of this book, believe that we do not have the skills, nor should we have the authority, to distinguish rebels from freedom fighters or insurgents from dissidents. We provide the tools; it is society's responsibility to provide the ethical framework. Should we limit our own freedom to grow out of fear that someone might use our software for something bad? Should we never have picked up those stones to make tools because some of us would use them as weapons? Should the toolmaker dictate which goals are righteous? If we limited the use of our cryptography to certain people, how different would that be from the movie studios telling us in which country, and with which vendors and software, we may play a movie we have purchased? Should your car have to agree with your destination? Some of these very concerns about individual freedoms were among the original motivations behind the project to bring IPsec to the Linux kernel.

Writing and Contributing Code

Since Openswan is released under the GPL, any modifications or additions to the code that are distributed will have to be released under the same license, the GPL. You could also release your modifications under a BSD license, but as soon as the code is incorporated into Openswan it is (as the BSD license allows) re-released under the GPL. Failure to comply with the GPL means that you no longer have the legal right to use or distribute Openswan at all.

Though at first this might seem simple and straightforward, there can be additional complications. What if you have just received a patch to Openswan from a vendor under a Non-Disclosure Agreement (NDA)? Are you allowed to publish this patch? Probably not, since you would be violating the NDA with the vendor and thus breaching your contract, a civil offense. Of course, in this (unfortunately not so hypothetical) case, the vendor is actually violating the GPL and could be sued by any of the copyright holders of Openswan, including those who have no business relationship with the vendor; the vendor, too, has committed a civil offense. The third-party clause in the GPL guarantees that copyright holders can sue whoever is responsible for a violation without having personally been a victim of it. If a copyright holder who has signed an NDA finds that the copyright has been violated, that copyright holder, whether a company or an individual, could probably still sue, since a contract can never be used as a shield against a civil offense.

It is therefore important to realize that if you distribute GPL code in binary-only form and cannot release the source code (for instance, because you yourself bought the code as binary-only), you are still violating the GPL, and a court can order you to stop using Openswan in your products. So those who are thinking of implementing support for certain hardware IPsec accelerators in Openswan, for which they cannot redistribute the patches, should definitely have a long talk with their lawyers.

Legality of Using Openswan

If you release a new product based on Openswan (or any other GPL software for that matter), you are quite free to ship Openswan on the CD of your new product—as long as you meet the GPL license requirements such as supplying the Openswan source code to any interested party.

However, other laws might apply to you as well. Legal requirements vary from country to country, since many countries classify cryptography as munitions, that is, as a weapon. So even though the copyright holders of Openswan say you can use it, your own government, another government entirely, or an international body might deem that you may not. The first thing to do, therefore, is to check whether your own government allows you to use cryptography at all.

A survey in 1999 by the Electronic Privacy Information Center (EPIC) found that the following countries limit the use of cryptography by their own citizens: Belarus, China, Israel, Kazakhstan, Pakistan, Russia, Saudi Arabia, Singapore, Tunisia, Vietnam, and Venezuela. France and Belgium were on this list for a long time. The US allows its citizens to use cryptography, but if it is used in the commission of an offense, the use of cryptography is itself a separate offense. Countries on this list probably also restrict or ban the import of cryptographic software.

You should also be aware that some Western governments are considering a ban on crypto as part of anti-terrorist measures, so be sure to get up-to-date information from your government.

International Agreements

Apart from national law, whether or not you may use or export cryptography also depends on the international treaties that your country adheres to. Treaties that may apply to your country include the 1886 Berne Convention on copyright (last amended in 1979), the 1995 Wassenaar Arrangement on export restrictions of munitions to 'Evil Regimes' (amended in 1998 to add a section of cryptography guidelines), and the European Union Dual-Use Export regulations. Then there are recommendations and guidelines from the Organization for Economic Co-operation and Development (OECD), the European Union, the G-7/G-8, the Council of Europe, and the Organization for Security and Co-operation in Europe (OSCE, also known by its Dutch abbreviation OVSE). Finally, the UN Security Council may have issued a specific resolution barring your country from receiving munitions, which would include cryptographic software.

Probably the most relevant international agreement is the Wassenaar Arrangement, which has a special exemption in the General Software Notes, entry 2, for software which is in 'the public domain'. The use of public domain should probably be interpreted as "readily available at no cost". This would seem to include Openswan.

The list of restricted countries varies between the various international agreements, partly because the Wassenaar Arrangement leaves it to each member country to implement the Arrangement in its own national law. Sometimes a country is not completely banned, but a separate export license is required before you can export cryptography to it. At this point the list of restricted countries probably includes Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria and, strangely enough, international organizations such as the United Nations. But again, the implementation of the Wassenaar Arrangement varies from country to country, so check the export laws of your own country.

For example, the following countries have listed extra restrictions on top of the Wassenaar Arrangement: Australia, France, New Zealand, Russia, and the US.

The Wassenaar Arrangement website has a convenient list of countries and contact information for their respective government departments that deal with export.

So far, we have only covered the receiver of the cryptographic software. But there is also law that applies to the export of cryptographic software in the country of the sending party.

International Law and Hosting Openswan

Xelerance is a company incorporated under Canadian law. Distribution of the code happens from servers located in the Netherlands, so Dutch export law applies to that distribution. Xelerance itself still needs to adhere to Canadian export restrictions on cryptographic code; exporting cryptographic code from Canada to the Netherlands is legal.

Xelerance does not own the copyright on all the code in Openswan. We can only speak for the parts that are copyrighted by Xelerance. But as far as we know, no separately copyrighted code by US individuals or companies is included. And even if some lines were written by US citizens, Canadian law seems to dictate that software is Canadian if more than 50% of the code has been written by Canadians, a requirement that Openswan easily satisfies.

Xelerance, however, cannot be held responsible for where the code is subsequently exported to, since the code is free software. Both the Netherlands and Canada have signed the Wassenaar Arrangement, which exempts 'public domain' software. The Netherlands also complies with the European Union Dual-Use Export regulations. As far as we know, we are not violating any export laws, meaning that whoever downloads Openswan cannot be accused of assisting in an export violation.

Unrecognized International Claims

Certain countries claim jurisdiction even outside their national borders. Most notably, France claims the right to regulate information on foreign servers, Italy assumes jurisdiction over sites directed to an Italian audience, and the US reserves the right to prosecute offenses against American interests according to US law irrespective of where they take place.

You may want to consider the possibility that you can be sued or prosecuted in another country. Additionally, if you are physically in a country other than the Netherlands when you download our software, you are probably subject to that country's jurisdiction anyway.

Patent Law

On 1 June 2000, WIPO members adopted the Patent Law Treaty. However, software patents are not universally recognized. Specifically, software patents are not recognized in the Netherlands or Canada, although US patents may in some circumstances be enforced in Canada. Since US patents have been granted on things such as prime numbers, Openswan would likely be considered to infringe a few software patents in the US. There are at least two known US software patents covering concepts used in Openswan.

The first patent relates to NAT-Traversal, and has been patented by SSH Communications. However, they have given the IETF the following statement:

SSH Communications Security Corp hereby makes it known that it will not assert any claims in any patents issued in any country based on

—the Finnish patent application FI974665 or any patent application listing the same as a priority application; or

—the US patent application 09/333,829 or any patent application listing the same as a priority application,

—against any party that makes, uses, sells, imports, or offers for sale a conforming implementation of an IETF standards-track specification of an IPSec NAT traversal module.

This statement is limited in that SSH Communications Security Corp does not give any rights to incorporate NAT traversal technology covered by patents of SSH Communications Security Corp in implementations for any other protocols other than the IETF standards-track IPSec protocols.

Interestingly, this might actually be a benefit for the community. Microsoft cannot play 'embrace and extend' games with NAT-Traversal unless it buys out SSH. And technically, Apple has no license to use the NAT-Traversal patent, since its implementation does not conform to the IETF NAT-Traversal specification.

A second patent involves the Diffie-Hellman (DH) groups and their numbering, which appear to have been patented. Information about this patent is unclear, and it is unlikely ever to be enforced.

A number of patents related to Elliptic Curve Cryptography are still valid (in the US only).

Expired and Bogus Patents

In 1997 the Diffie-Hellman key exchange patent expired, as did the Knapsack patent (whose claims were broad enough to arguably cover all public key cryptography). The RSA patent expired on September 20, 2000. In 2001 the patent on an Exponentiation Cryptographic Apparatus and Method expired.

There are also a lot of blatantly bogus patents that could theoretically be used against Openswan users. In 2002, for example, five years after the start of the FreeS/WAN project, Safenet was awarded a patent covering 'Extending cryptographic services to the kernel space of a computer operating system', which is exactly what FreeS/WAN had been doing since 1997. Patents like these only prove the absurdity of software patents.

Useful Legal Links

http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/exportlaws.html

The above site provides a good overview of cryptography export laws.

http://www.wassenaar.org/

Information on the Wassenaar Arrangement, covering national export controls.

http://www.gnu.org/philosophy/wassenaar.html

Further notes on the Wassenaar Arrangement.

http://www.wipo.int/treaties/en/ip/berne/

The Berne Convention on copyright.

http://www.efc.ca/pages/doc/crypto-export.html

This document provides a summary of Canada's export controls on cryptographic software. This is relevant to all Openswan users, as Openswan is developed in Canada.

http://rechten.uvt.nl/koops/cryptolaw/index.htm

A survey of existing and proposed laws and regulations on cryptography in Europe. This is relevant even if you are outside of the EU, as Openswan is hosted on a Dutch server.

http://trade-info.cec.eu.int/doclib/html/118992.htm

EC Regulation 1504/2004 for the control of exports of dual-use items and technology.

http://europa.eu.int/comm/trade/issues/sectoral/industry/dualuse/index_en.htm

This page provides a detailed description of dual-use goods and EU legislation on them.

http://europa.eu.int/comm/trade/issues/sectoral/industry/dualuse/faqs.htm

Frequently asked questions and background on the EC Regulation on export control of dual-use goods.

http://trade-info.cec.eu.int/doclib/html/118993.htm

Report to the EU Parliament and Council on the implementation of EU Regulation 1334/2000 on dual-use items and technology.

http://cr.yp.to/patents.html

A list of US patents relating to cryptographic software.

http://www.nosoftwarepatents.org/

The home-page of a campaign against the further legalization of software patents.