Re: OpenSSL 3.0.0 security concerns using dynamic providers

2020-09-01 Thread Tomas Mraz
o: CODERE Carl-Eric ; openssl- > > > us...@openssl.org > > > Subject: Re: OpenSSL 3.0.0 security concerns using dynamic > > > providers > > > > > > > > > > > > On 01/09/2020 03:01, CODERE Carl-Eric wrote: > > > > 1. Replacing

Re: OpenSSL 3.0.0 security concerns using dynamic providers

2020-09-01 Thread Matt Caswell
On 01/09/2020 16:46, CODERE Carl-Eric wrote: > Greetings, > Thanks for the quick reply, actually from the perspective > of mobile > security, once the platform sandbox has been compromised, it is much > easier for an attacker to replace a shared library with another one he

Re: OpenSSL 3.0.0 security concerns using dynamic providers

2020-09-01 Thread Tomas Mraz
On Tue, 2020-09-01 at 15:46 +, CODERE Carl-Eric wrote: > > -Original Message- > > From: Matt Caswell [mailto:m...@openssl.org] > > Sent: mardi 1 septembre 2020 18:57 > > To: CODERE Carl-Eric ; openssl- > > us...@openssl.org > > Subject: Re: OpenSSL 3

RE: OpenSSL 3.0.0 security concerns using dynamic providers

2020-09-01 Thread CODERE Carl-Eric
> -Original Message- > From: Matt Caswell [mailto:m...@openssl.org] > Sent: mardi 1 septembre 2020 18:57 > To: CODERE Carl-Eric ; openssl- > us...@openssl.org > Subject: Re: OpenSSL 3.0.0 security concerns using dynamic providers > > > > On 01/09/2020

Re: OpenSSL 3.0.0 security concerns using dynamic providers

2020-09-01 Thread Matt Caswell
On 01/09/2020 03:01, CODERE Carl-Eric wrote: > 1. Replacing the provider by a tampered provider by replacing the > shared/dynamic library. This can partially be protected by the caller > verifying the hash of the provider before calling it, will OpenSSL 3.0.0 > do this, or will need to be done a