Hey Nettle folks--

I'm experimenting with using valgrind on the testsuite on the Debian platform. On x86_64, testing 3.9.1 as built on Debian (Debian package version 3.9.1-2, built and run against libgmp10 Debian package 2:6.3.0+dfsg-2), all valgrind tests succeed except for rsa-sec-decrypt-test.c. It looks like there are some branch accesses based on input data. Do you have any recommendations for further debugging, or steps we should take to improve the situation?

(I'm cc'ing Magnus Holmgren, the Debian maintainer for nettle, in case he's interested)

Here is a log of the output of the failed test:
0 dkg@alice:~/src/nettle/nettle/testsuite$ valgrind --error-exitcode=1 --leak-check=full --show-reachable=yes --partial-loads-ok=yes ./rsa-sec-decrypt-test
==2946641== Memcheck, a memory error detector
==2946641== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==2946641== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==2946641== Command: ./rsa-sec-decrypt-test
==2946641==
==2946641== Conditional jump or move depends on uninitialised value(s)
==2946641==    at 0x492CBA3: __gmpz_cmp (in /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0)
==2946641==    by 0x4888950: nettle_rsa_sec_decrypt (in /usr/lib/x86_64-linux-gnu/libhogweed.so.6.8)
==2946641==    by 0x10CDE2: rsa_decrypt_for_test.constprop.0 (rsa-sec-decrypt-test.c:40)
==2946641==    by 0x10D36C: test_main (rsa-sec-decrypt-test.c:98)
==2946641==    by 0x10C8B4: main (testutils.c:137)
==2946641==
==2946641== Conditional jump or move depends on uninitialised value(s)
==2946641==    at 0x4888953: nettle_rsa_sec_decrypt (in /usr/lib/x86_64-linux-gnu/libhogweed.so.6.8)
==2946641==    by 0x10CDE2: rsa_decrypt_for_test.constprop.0 (rsa-sec-decrypt-test.c:40)
==2946641==    by 0x10D36C: test_main (rsa-sec-decrypt-test.c:98)
==2946641==    by 0x10C8B4: main (testutils.c:137)
==2946641==
==2946641== Conditional jump or move depends on uninitialised value(s)
==2946641==    at 0x492CBA3: __gmpz_cmp (in /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0)
==2946641==    by 0x4888950: nettle_rsa_sec_decrypt (in /usr/lib/x86_64-linux-gnu/libhogweed.so.6.8)
==2946641==    by 0x10CDE2: rsa_decrypt_for_test.constprop.0 (rsa-sec-decrypt-test.c:40)
==2946641==    by 0x10D445: test_main (rsa-sec-decrypt-test.c:108)
==2946641==    by 0x10C8B4: main (testutils.c:137)
==2946641==
==2946641== Conditional jump or move depends on uninitialised value(s)
==2946641==    at 0x4888953: nettle_rsa_sec_decrypt (in /usr/lib/x86_64-linux-gnu/libhogweed.so.6.8)
==2946641==    by 0x10CDE2: rsa_decrypt_for_test.constprop.0 (rsa-sec-decrypt-test.c:40)
==2946641==    by 0x10D445: test_main (rsa-sec-decrypt-test.c:108)
==2946641==    by 0x10C8B4: main (testutils.c:137)
==2946641==
==2946641== Conditional jump or move depends on uninitialised value(s)
==2946641==    at 0x492CBA3: __gmpz_cmp (in /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0)
==2946641==    by 0x4888950: nettle_rsa_sec_decrypt (in /usr/lib/x86_64-linux-gnu/libhogweed.so.6.8)
==2946641==    by 0x10CDE2: rsa_decrypt_for_test.constprop.0 (rsa-sec-decrypt-test.c:40)
==2946641==    by 0x10D467: test_main (rsa-sec-decrypt-test.c:113)
==2946641==    by 0x10C8B4: main (testutils.c:137)
==2946641==
==2946641== Conditional jump or move depends on uninitialised value(s)
==2946641==    at 0x4888953: nettle_rsa_sec_decrypt (in /usr/lib/x86_64-linux-gnu/libhogweed.so.6.8)
==2946641==    by 0x10CDE2: rsa_decrypt_for_test.constprop.0 (rsa-sec-decrypt-test.c:40)
==2946641==    by 0x10D467: test_main (rsa-sec-decrypt-test.c:113)
==2946641==    by 0x10C8B4: main (testutils.c:137)
==2946641==
==2946641== Conditional jump or move depends on uninitialised value(s)
==2946641==    at 0x492CBA3: __gmpz_cmp (in /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0)
==2946641==    by 0x4888950: nettle_rsa_sec_decrypt (in /usr/lib/x86_64-linux-gnu/libhogweed.so.6.8)
==2946641==    by 0x10CDE2: rsa_decrypt_for_test.constprop.0 (rsa-sec-decrypt-test.c:40)
==2946641==    by 0x10D4F1: test_main (rsa-sec-decrypt-test.c:123)
==2946641==    by 0x10C8B4: main (testutils.c:137)
==2946641==
==2946641== Conditional jump or move depends on uninitialised value(s)
==2946641==    at 0x4888953: nettle_rsa_sec_decrypt (in /usr/lib/x86_64-linux-gnu/libhogweed.so.6.8)
==2946641==    by 0x10CDE2: rsa_decrypt_for_test.constprop.0 (rsa-sec-decrypt-test.c:40)
==2946641==    by 0x10D4F1: test_main (rsa-sec-decrypt-test.c:123)
==2946641==    by 0x10C8B4: main (testutils.c:137)
==2946641==
==2946641==
==2946641== HEAP SUMMARY:
==2946641==     in use at exit: 0 bytes in 0 blocks
==2946641==   total heap usage: 63,733 allocs, 63,733 frees, 4,485,002 bytes allocated
==2946641==
==2946641== All heap blocks were freed -- no leaks are possible
==2946641==
==2946641== Use --track-origins=yes to see where uninitialised values come from
==2946641== For lists of detected and suppressed errors, rerun with: -s
==2946641== ERROR SUMMARY: 401 errors from 8 contexts (suppressed: 0 from 0)
1 dkg@alice:~/src/nettle/nettle/testsuite$

And the relevant chunk of testsuite/rsa-sec-decrypt-test.c :
 6 #if HAVE_VALGRIND_MEMCHECK_H
 7 # include <valgrind/memcheck.h>
 8
 9 #define MARK_MPZ_LIMBS_UNDEFINED(parm) \
10   VALGRIND_MAKE_MEM_UNDEFINED (mpz_limbs_read (parm), \
11                                mpz_size (parm) * sizeof (mp_limb_t))
12 #define MARK_MPZ_LIMBS_DEFINED(parm) \
13   VALGRIND_MAKE_MEM_DEFINED (mpz_limbs_read (parm), \
14                              mpz_size (parm) * sizeof (mp_limb_t))
15 static int
16 rsa_decrypt_for_test(const struct rsa_public_key *pub,
17                      const struct rsa_private_key *key,
18                      void *random_ctx, nettle_random_func *random,
19                      size_t length, uint8_t *message,
20                      const mpz_t gibberish)
21 {
22   int ret;
23   /* Makes valgrind trigger on any branches depending on the input
24      data. Except that (i) we have to allow rsa_sec_compute_root_tr to
25      check that p and q are odd, (ii) mpn_sec_div_r may leak
26      information about the most significant bits of p and q, due to
27      normalization check and table lookup in invert_limb, and (iii)
28      mpn_sec_powm may leak information about the least significant
29      bits of p and q, due to table lookup in binvert_limb. */
30   VALGRIND_MAKE_MEM_UNDEFINED (message, length);
31   MARK_MPZ_LIMBS_UNDEFINED(gibberish);
32   MARK_MPZ_LIMBS_UNDEFINED(key->a);
33   MARK_MPZ_LIMBS_UNDEFINED(key->b);
34   MARK_MPZ_LIMBS_UNDEFINED(key->c);
35   VALGRIND_MAKE_MEM_UNDEFINED(mpz_limbs_read (key->p) + 1,
36                               (mpz_size (key->p) - 3) * sizeof(mp_limb_t));
37   VALGRIND_MAKE_MEM_UNDEFINED(mpz_limbs_read (key->q) + 1,
38                               (mpz_size (key->q) - 3) * sizeof(mp_limb_t));
39
40   ret = rsa_sec_decrypt (pub, key, random_ctx, random, length, message, gibberish);
41
42   VALGRIND_MAKE_MEM_DEFINED (message, length);
43   VALGRIND_MAKE_MEM_DEFINED (&ret, sizeof(ret));
44   MARK_MPZ_LIMBS_DEFINED(gibberish);
45   MARK_MPZ_LIMBS_DEFINED(key->a);
46   MARK_MPZ_LIMBS_DEFINED(key->b);
47   MARK_MPZ_LIMBS_DEFINED(key->c);
48   MARK_MPZ_LIMBS_DEFINED(key->p);
49   MARK_MPZ_LIMBS_DEFINED(key->q);
50
51   return ret;
52 }
53 #else
54 #define rsa_decrypt_for_test rsa_sec_decrypt
55 #endif

Any suggestions for next steps?
--dkg
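
Added example, not part of the original message and not Nettle's code: the same poison/call/unpoison pattern that rsa_decrypt_for_test uses, applied to a toy 16-byte comparison so that the "Conditional jump or move depends on uninitialised value(s)" report can be reproduced in isolation. The names leaky_equal, ct_equal and check_poisoned and the sample key are hypothetical, and the Memcheck macros fall back to no-ops when valgrind/memcheck.h is not installed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef __has_include
# if __has_include(<valgrind/memcheck.h>)
#  include <valgrind/memcheck.h>
# endif
#endif
#ifndef VALGRIND_MAKE_MEM_UNDEFINED   /* header absent: no-op fallbacks */
# define VALGRIND_MAKE_MEM_UNDEFINED(p, n) ((void) 0)
# define VALGRIND_MAKE_MEM_DEFINED(p, n) ((void) 0)
#endif

typedef int eq_fn(const uint8_t *, const uint8_t *, size_t);

/* Early-exit compare: the branch condition is computed from secret bytes. */
static int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n) {
  for (size_t i = 0; i < n; i++)
    if (a[i] != b[i])
      return 0;
  return 1;
}

/* Branch-free compare: OR all differences together, map 0 -> 1, nonzero -> 0. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
  uint32_t diff = 0;
  for (size_t i = 0; i < n; i++)
    diff |= (uint32_t) (a[i] ^ b[i]);
  return (int) (1 & ((diff - 1) >> 8));
}

/* Poison the secret, call the function under test, then unpoison the
   secret and the result so the caller is allowed to branch on it. */
static int check_poisoned(eq_fn *eq, const uint8_t *guess, size_t n) {
  uint8_t secret[16];
  int ret;
  if (n > sizeof secret)
    return -1;
  memcpy(secret, "constructed-key!", sizeof secret);  /* constructed sample */
  VALGRIND_MAKE_MEM_UNDEFINED(secret, sizeof secret);
  ret = eq(secret, guess, n);
  VALGRIND_MAKE_MEM_DEFINED(secret, sizeof secret);
  VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof ret);
  return ret;
}

int main(void) {
  static const uint8_t guess[] = "constructed-key?";  /* last byte differs */
  return check_poisoned(ct_equal, guess, 16) | check_poisoned(leaky_equal, guess, 16);
}
```

Built with the valgrind headers installed and run under `valgrind --error-exitcode=1`, the call through leaky_equal is the one that produces the report, because its `if` depends on bytes marked undefined; the call through ct_equal has no secret-dependent branch to report.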
