[openssl-project] FW: April Crypto Bulletin from Cryptosense

Richard Levitte levitte at openssl.org
Tue Apr 3 15:39:15 UTC 2018


While I totally agree with the direction Tim is taking on this, we
need to remember that there's another condition as well: access to the
platform in question, either directly by one of us, or through someone
in the community.  Otherwise, we can have as many tests as we want, it
still won't test *that* code (be it assembler or something else).

In message <CAHEJ-S7o+ztC8gF3ZN_J7qoFPiCbxTOBYfrXr8AVK6s15Hd8Cw at mail.gmail.com> on Tue, 03 Apr 2018 15:36:15 +0000, Tim Hudson <tjh at cryptsoft.com> said:

tjh> And it should have a test - which has nothing to do with ASM and everything to do with improving
tjh> test coverage.
tjh> 
tjh> Bugs are bugs - and any form of meaningful test would have caught this.
tjh> 
tjh> For the majority of the ASM code - the algorithm implementations - we have tests that cover things
tjh> in a decent manner.
tjh> 
tjh> Improving tests is the solution - not whacking ASM code. Tests will catch issues across *all*
tjh> implementations.
tjh> 
tjh> Tim.
tjh> 
tjh> On Tue, 3 Apr. 2018, 8:29 am Salz, Rich, <rsalz at akamai.com> wrote:
tjh> 
tjh>  On 03/04/18 15:55, Salz, Rich wrote:
tjh>  > This is one reason why keeping around old assembly code can have a cost. :(
tjh> 
tjh>  Although in this case the code is <2 years old:
tjh> 
tjh>  So? It's code that we do not test, and have not tested in years. And guess what? Critical CVE.

