[bug-gnulib] Crypto modules

[Simon Josefsson]

Hi.  In gsasl, shishi and gnutls, I'm using files copied from Nettle
to do crypto (MD5, SHA1, SHA256, DES, AES, ARCFOUR, HMAC, etc).  They
are written closely to the gnulib style, e.g., (L)GPL, portable C89,
the code doesn't even use malloc (it uses alloca of small buffers,
with a fall back mechanism to local variables if the system doesn't
have alloca).  I was thinking that it wouldn't be difficult to make
gnulib modules out of the code, which would simplify importing updates
into my projects.

There are md5 and sha1 modules in gnulib already, which would have to
be kept backwards compatible, but the rest of the code would be new.

Presumably, the copyright of all code has not been assigned to the
FSF, a summary is available from:

http://www.lysator.liu.se/~nisse/nettle/nettle.html#Copyright

However, if some copyright cannot be tracked down, I could work on
adapting code from libgcrypt (which is assigned) that would be usable
in gnulib.  There are many implementations of these algorithms out
there, so I don't think this is impossible.

Savannah has a FAQ regarding crypto code:
https://savannah.gnu.org/faq/?question=Is_there_any_restriction_on_cryptographic_software.txt
I'm not sure how problematic the code would be in practice.

What do you think of this?

Taking this approach to the limit, I'm also sharing an ASN.1 library
between shishi and gnutls that might benefit from the same treatment,
e.g., make a gnulib module out of it.  I realize this would be highly
specialized, and there is no POSIX or other standard API for it, but
it would still be useful.  The package isn't small, about 6kloc.  The
ASN.1 library has been assigned to the FSF.  Is there some point when
a package become too large to usefully be included in gnulib?  Any
thoughts on this?

Thanks.