On Sun, Jun 02, 2019 at 11:00:28PM +0200, Sebastian Andrzej Siewior wrote:
> Package: openssl
> Version: 1.1.1c-1
> Severity: serious
> 
> The m2crypto test suite fails with c, passes with b. The error log
>   
> https://ci.debian.net/data/autopkgtest/testing/amd64/m/m2crypto/2436983/log.gz
> 
> The testsuite complains about a missing error / the exception is not
> raised. The bisect says, this happens since
> 
> |commit f61c68043d3bd2ad9718d356e7988ee2fdfc3621
> | Author: Bernd Edlinger <bernd.edlin...@hotmail.de>
> | Date:   Thu Feb 28 10:08:18 2019 +0100
> | 
> |     Fix memory overrun in rsa padding check functions
> | 
> |     Fixes #8364 and #8357
> | 
> |     Reviewed-by: Kurt Roeckx <k...@roeckx.be>
> |     (Merged from https://github.com/openssl/openssl/pull/8365)
> | 
> |     (cherry picked from commit d7f5e5ae6d53f1387a42d210806cf5e9ed0882d6)
> 
> Kurt, can you check if this is an error in the testsuite or something
> legal?

Looking at the log, this is about SSLv23 padding.

From the review, Bernd wrote:
> While doing that I found an issue in RSA_padding_check_SSLv23
> It does the 03 check the wrong way round. But there is no test coverage,
> so it was not noticed.
[...]
> So, I added a small test for RSA_SSLV23_PADDING, as an extra commit,
> since it will likely not cherry-pick in stable branches.

It's about this change:
-    good &= constant_time_lt(threes_in_row, 8);
+    good &= constant_time_ge(threes_in_row, 8);
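
Review bot: swapping constant_time_lt for constant_time_ge on threes_in_row inverts the condition under which good stays set, so inputs that passed this check before now fail and the other way round. That is a caller-visible behaviour change, so the line should carry a comment stating which case (fewer than 8, or at least 8, threes in a row) is meant to be accepted and why, and the commit message should mention it rather than only the memory overrun.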

(That should probably have been a separate commit.)

Can you confirm that that is the reason for the change in
behaviour?

I don't understand the m2crypto code, so I have no idea what it's
testing.


Kurt
