incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Request dev help: Info for required crypto export declaration
Date Thu, 22 Sep 2011 18:13:41 GMT
Thanks Michael,

That's very helpful.

Do those cover the password protection of Microsoft Office files too (something that is implemented,
much to my surprise)?  The supported case may be too weak to be of interest in this context.
 I don't know if stronger methods are in the code but not enabled or not.

In general, have format converters been checked?

 - Dennis

PS: I love your signature message, below (even if it is not accurate!).  I had the opportunity
to see Haskell Curry and Alonzo Church at separate events several years ago (several = ~30).

-----Original Message-----
From: Michael Stahl [mailto:mst@openoffice.org] 
Sent: Thursday, September 22, 2011 09:18
To: ooo-dev@incubator.apache.org
Subject: Re: Request dev help: Info for required crypto export declaration

[this mail has managed to hide in a draft folder for weeks...]

On 01.09.2011 23:01, Robert Burrell Donkin wrote:
> On Thu, Sep 1, 2011 at 9:35 PM, Dennis E. Hamilton 
> <dennis.hamilton@acm.org> wrote:
>> Technically, this was to have been resolved before the code was put
>> up on SVN.  We need to audit specifically for this rather quickly,
>> and including the places that Rob also identified (import-export
>> filters and http TLS)..
> 
> I definitely recommend a full crypto audit but IIRC it's not
> necessary before sending the initial notification.
> 
> AIUI (from [1] and [2]) all that's needed is a list of the 
> cryptographic libraries used by OOo. If the results of the full
> audit differ then we can just update the details and send an updated 
> notification.

looking through the external modules the following are obviously crypto
related:

xmlsec1-1.2.14.tar.gz
openssl-0.9.8o.tar.gz
nss-3.12.6-with-nspr-4.8.4.tar.gz
seamonkey-1.1.14.source.tar.gz

(Seamonkey also contains NSS but i guess we don't ship this but the one
from the "nss" module)

the internal implementation of Blowfish (and also RC4 it seems) is in
these files:

sal/inc/rtl/cipher.h
sal/rtl/source/cipher.c

hope that should get us started...

-- 
<sieni> State?
<sieni> There is no state :-)
<shapr> Haskell separates Church and state.


Mime
View raw message