[Pkg-openssl-devel] Bug#983013: m2crypto: autopkgtest needs update for new version of openssl: M2Crypto.RSA.RSAError: sslv3 rollback attack

Paul Gevers elbrus at debian.org
Thu Feb 18 07:15:15 GMT 2021


Source: m2crypto
Version: 0.37.1-1
Severity: serious
X-Debbugs-CC: debian-ci at lists.debian.org, openssl at packages.debian.org
Tags: sid bullseye
User: debian-ci at lists.debian.org
Usertags: needs-update
Control: affects -1 src:openssl

Dear maintainer(s),

With a recent upload of openssl the autopkgtest of m2crypto fails in
testing when that autopkgtest is run with the binary packages of openssl
from unstable. It passes when run with only packages from testing. In
tabular form:

                       pass            fail
openssl                from testing    1.1.1j-1
m2crypto               from testing    0.37.1-1
all others             from testing    from testing

I copied some of the output at the bottom of this report.  I *think*
this may be related to CVE-2020-25657 "bleichenbacher timing attacks in
the RSA decryption API" against m2crypto, hence I file this bug against
m2crypto.

Currently this regression is blocking the migration of openssl to
testing [1]. Of course, openssl shouldn't just break your autopkgtest
(or even worse, your package), but it seems to me that the change in
openssl was intended and your package needs to update to the new situation.

If this is a real problem in your package (and not only in your
autopkgtest), the right binary package(s) from openssl should really add
a versioned Breaks on the unfixed version of (one of your) package(s).
Note: the Breaks is nice even if the issue is only in the autopkgtest as
it helps the migration software to figure out the right versions to
combine in the tests.

More information about this bug and the reason for filing it can be found on
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation

Paul

[1] https://qa.debian.org/excuses.php?package=openssl

https://ci.debian.net/data/autopkgtest/testing/amd64/m/m2crypto/10541025/log.gz

=================================== FAILURES ===================================
_______________________ RSATestCase.test_public_encrypt ________________________

self = <tests.test_rsa.RSATestCase testMethod=test_public_encrypt>

    @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER < 0x1010103f,
                     'Relies on fix which happened only in OpenSSL 1.1.1c')
    def test_public_encrypt(self):
        priv = RSA.load_key(self.privkey)
        # pkcs1_padding, pkcs1_oaep_padding
        for padding in self.e_padding_ok:
            p = getattr(RSA, padding)
            ctxt = priv.public_encrypt(self.data, p)
            ptxt = priv.private_decrypt(ctxt, p)
            self.assertEqual(ptxt, self.data)

        # sslv23_padding
        ctxt = priv.public_encrypt(self.data, RSA.sslv23_padding)
>       res = priv.private_decrypt(ctxt, RSA.sslv23_padding)

tests/test_rsa.py:129:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _

self = <M2Crypto.RSA.RSA object at 0x7f954bddabb0>
data =
b'wf\xdc\xa5\xdf\xca\x95\xc7;\xa4\xdfEWUm/\xa1m\xd8\xa1\x14s&\x1bid\xf4c\\\xbcI\x90[<\x8dE\x89\x1f\xbf\xe9y=\xef\xa9z\...2\xb7\xaaO\x89\x88\xf7P\xee\x9f\xaf\x19B?\x1f\n\xe5\x18Q9\x186\x97gj\x0e)0mg@\xed\xe4~\xf3\xc4\xbe\x1dK#\x9f/\r"N%\x8d'
padding = 2

    def private_decrypt(self, data, padding):
        # type: (bytes, int) -> bytes
        assert self.check_key(), 'key is not initialised'
>       return m2.rsa_private_decrypt(self.rsa, data, padding)
E       M2Crypto.RSA.RSAError: sslv3 rollback attack

/usr/lib/python3/dist-packages/M2Crypto/RSA.py:82: RSAError
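
The failing round trip in the log above, modelled at the level of the padding block only. This is an added example, not part of the original report and not m2crypto or OpenSSL code. It assumes the error comes from a receiving-side SSLv23 padding check that rejects a block whose last eight padding bytes are 0x03, the marker that the SSLv23 padding mode itself writes (the report does not identify the cause); the RSA operation is left out and all function names are hypothetical.

```python
import os

ROLLBACK = "sslv3 rollback attack"  # error text from the traceback in the report

def nonzero_bytes(n):
    """n random padding bytes, none of them zero (required for block type 02)."""
    out = bytearray()
    while len(out) < n:
        out += bytes(b for b in os.urandom(n) if b)
    return bytes(out[:n])

def pad_block(msg, k, sslv23):
    """Encode msg as the k-byte block 00 02 PS 00 M (k = modulus size in bytes)."""
    ps_len = k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("data too large for key size")
    if sslv23:
        # SSLv23 mode: the last eight padding bytes are the 0x03 marker.
        ps = nonzero_bytes(ps_len - 8) + b"\x03" * 8
    else:
        ps = nonzero_bytes(ps_len)
    return b"\x00\x02" + ps + b"\x00" + msg

def check_sslv23(block):
    """Assumed receiving-side check; a real one must run in constant time."""
    if block[:2] != b"\x00\x02":
        raise ValueError("block type is not 02")
    sep = block.find(b"\x00", 2)
    if sep < 10:  # separator missing (-1) or fewer than 8 padding bytes
        raise ValueError("padding too short")
    if block[sep - 8:sep] == b"\x03" * 8:
        # The marker is present: the sender is SSLv3-capable, so report rollback.
        raise ValueError(ROLLBACK)
    return block[sep + 1:]

def round_trip(msg, k, sslv23):
    """Pad then check, returning the message or the error text."""
    try:
        return check_sslv23(pad_block(msg, k, sslv23))
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    # Constructed sample input; 128 bytes corresponds to a 1024-bit modulus.
    print(round_trip(b"constructed sample", 128, sslv23=True))
    print(round_trip(b"constructed sample", 128, sslv23=False))
```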
