On 2009-09-10 23:14, nsk yatree wrote:
> Hi.
>
> Most likely I will not be the first person who asks such questions.

I think you might well be the first to ask how to add GOST. Others have
asked the NSS team to do it. You've asked how to do it yourself. That's
a much better question. :)

> More recently, in OpenSSL-1.0.0 was added support of GOST algorithms.
> ( in vers. 1.0.0 http://openssl.org/news/ )
>
> How can I implement support for these algorithms in Mozilla/NSS?
> I found a patch for Camellia. (
> https://bugzilla.mozilla.org/show_bug.cgi?id=361025 )
> Is it possible to integrate the GOST in the NSS, by analogy with the
> Camellia?

Yes. The Camellia team did an EXCELLENT job of integrating their work,
and you would do well to follow their example very closely.

The necessary steps include (but may not be limited to):

1. There must be a freely available public definition of GOST.
   (I suppose this is already done if the code is in OpenSSL)

2. TLS cipher suite(s) must be defined in RFC or internet Draft
   (I suppose this is already done if the code is in OpenSSL)

3. The PKCS#11 crypto API standard must be amended to have one or more
   "mechanisms" defined for doing GOST encryption and decryption in CBC
   mode. This definition must be proposed to the PKCS#11 ("cryptoki")
   working group as a proposed amendment to the standard.

4. Then
   - implementation of the GOST code is added to libfreebl.
   - test program for libfreebl is enhanced to test GOST.
   - test script for freebl is enhanced to test GOST.
   - implementation of the new PKCS#11 mechanism(s) is added to libsoftokn,
   - implementation of the new cipher suites is added to libSSL.
   - SSL test programs are enhanced to test the new cipher suites.
   - SSL test scripts are enhanced to test the new cipher suites.

The Camellia folks did all those steps, and very well. The South Korean
SEED algorithm was similarly added, but that work was delayed when it
came to the PKCS#11 mechanism proposal.

> Can I use the library with GOST from OpenSSL (libgost.so) for
> integration into the NSS?

Any software contributed to NSS must be licensed under the Mozilla public
"tri-license". If you are the sole author of a piece of code that you
have previously contributed to another project under other non-exclusive
license terms, and you have retained copyright to that work, then you are
probably free to also contribute it to NSS under the MPL "tri-license".

But if you are not the sole author, and the work has previously been
contributed to another project under a different license, then you may
not have the right to simply contribute it to NSS and change the license.
It may be possible to contact the entire set of authors who have
previously contributed to the work, and get them to agree to also
contribute the work to Mozilla/NSS under the MPL tri-license terms,
provided that they have retained copyright. I think this is basically
impossible for people who have licensed work under GPL and have thereby
relinquished copyright to the work. But I am not a lawyer.

> I have not very clear plan about this. What may be a problem?

Depends on your skills. Non-programmers find programming to be the hard
part. Programmers who wish to use work that is not entirely their own
original work typically find licensing issues to be the hard part.
Programmers who write and contribute their own code are sometimes
surprised to learn that the NSS team expects contributed code to conform
to the NSS coding guidelines. But that's about it, I think.

> In what place in the NSS should be integrated algorithm?

See step 4 above.

> With Best Regards, Danil.

Regards,
/Nelson
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto