Re: [openssl-project] FW: April Crypto Bulletin from Cryptosense

2018-04-07 Thread Richard Levitte
In message <20180406170540.gk80...@mit.edu> on Fri, 6 Apr 2018 12:05:43 -0500, Benjamin Kaduk said:

kaduk> On Fri, Apr 06, 2018 at 04:23:02PM +0200, Andy Polyakov wrote:
kaduk> > > This is one reason why keeping around old assembly code can have a cost. :(
kaduk> > >
kaduk> > > https://github.

Re: [openssl-project] FW: April Crypto Bulletin from Cryptosense

2018-04-06 Thread Benjamin Kaduk
On Fri, Apr 06, 2018 at 04:23:02PM +0200, Andy Polyakov wrote:
> > This is one reason why keeping around old assembly code can have a cost. :(
> >
> > https://github.com/openssl/openssl/pull/5320
>
> There is nothing I can add to what I've already said. To quote myself.
> "None of what I say mean

Re: [openssl-project] FW: April Crypto Bulletin from Cryptosense

2018-04-06 Thread Andy Polyakov
> This is one reason why keeping around old assembly code can have a cost. :(
>
> https://github.com/openssl/openssl/pull/5320

There is nothing I can add to what I've already said. To quote myself.
"None of what I say means that everything *has to* be kept, but as already said, some of them serve

Re: [openssl-project] FW: April Crypto Bulletin from Cryptosense

2018-04-03 Thread Tim Hudson
I'm less concerned about that access in this specific instance - as if we had a test in place for that function then make test on the platform would have picked up the issue trivially. I don't know that we asked the reporter of the issue as to *how* it was found - that would be interesting informat

Re: [openssl-project] FW: April Crypto Bulletin from Cryptosense

2018-04-03 Thread Richard Levitte
While I totally agree with the direction Tim is taking on this, we need to remember that there's another condition as well: access to the platform in question, either directly by one of us, or through someone in the community. Otherwise, we can have as many tests as we want, it still won't test *t

Re: [openssl-project] FW: April Crypto Bulletin from Cryptosense

2018-04-03 Thread Tim Hudson
And it should have a test - which has nothing to do with ASM and everything to do with improving test coverage. Bugs are bugs - and any form of meaningful test would have caught this. For the majority of the ASM code - the algorithm implementations we have tests that cover things in a decent mann

Re: [openssl-project] FW: April Crypto Bulletin from Cryptosense

2018-04-03 Thread Salz, Rich
On 03/04/18 15:55, Salz, Rich wrote:
> This is one reason why keeping around old assembly code can have a cost. :(

Although in this case the code is <2 years old:

So? It's code that we do not test, and have not tested in years. And guess what? Critical CVE.

Re: [openssl-project] FW: April Crypto Bulletin from Cryptosense

2018-04-03 Thread Matt Caswell
On 03/04/18 15:55, Salz, Rich wrote:
> This is one reason why keeping around old assembly code can have a cost. :(

Although in this case the code is <2 years old:

commit e33826f01bd78af76e0135c8dfab3387927a82bb
Author: Andy Polyakov
AuthorDate: Sun May 15 17:01:15 2016 +0200
Commit: An