Hi, On Thu, 26 May 2016 11:27:04 +0200 Franziskus Kiefer <fkie...@mozilla.com> wrote:
> we intend to drop support for standalone ecl builds in NSS [1]. Before > doing this we'd like to get feedback if anyone's still doing this. > > So if you're still building ecl, please let us know. I recently used the ecl standalone build to fuzz elliptic curve implementations. While this didn't find bugs in nss, it found a couple in another TLS implementation (Nettle) [1]. The fuzzing code is here: https://github.com/hannob/bignum-fuzz/blob/master/point-fuzz.c As far as I can see the low level elliptic curve calculation functions aren't exposed as public functions in NSS itself. Therefore removing the possibility to build libecl would make it significantly harder to test the underlying functionality. Therefore I'd strongly oppose removing it unless there is any alternative for testing that's equally simple and that I'm not aware of. [1] https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html -- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42
pgpogh1PYsjsX.pgp
Description: OpenPGP digital signature
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto