[this mail has managed to hide in a draft folder for weeks...] On 01.09.2011 23:01, Robert Burrell Donkin wrote: > On Thu, Sep 1, 2011 at 9:35 PM, Dennis E. Hamilton > <[email protected]> wrote: >> Technically, this was to have been resolved before the code was put >> up on SVN. We need to audit specifically for this rather quickly, >> and including the places that Rob also identified (import-export >> filters and http TLS).. > > I definitely recommend a full crypto audit but IIRC it's not > necessary before sending the initial notification. > > AIUI (from [1] and [2]) all that's needed is a list of the > cryptographic libraries used by OOo. If the results of the full > audit differ then we can just update the details and send an updated > notification.
looking through the external modules the following are obviously crypto related: xmlsec1-1.2.14.tar.gz openssl-0.9.8o.tar.gz nss-3.12.6-with-nspr-4.8.4.tar.gz seamonkey-1.1.14.source.tar.gz (Seamonkey also contains NSS but i guess we don't ship this but the one from the "nss" module) the internal implementation of Blowfish (and also RC4 it seems) is in these files: sal/inc/rtl/cipher.h sal/rtl/source/cipher.c hope that should get us started... -- <sieni> State? <sieni> There is no state :-) <shapr> Haskell separates Church and state.
