Re: Possible bug of cnd_copy
Hello,

NIIBE Yutaka wrote:
> I can test with Clang 17. I'll test.

The particular tests (using valgrind) do not fail with Clang 17. I checked the assembler output, and confirmed no issues.

With artificially modified source (so that it can replicate cnd_copy problem):

==
diff --git a/cnd-memcpy.c b/cnd-memcpy.c index 4aaee78b..1a7bbcf6 100644 --- a/cnd-memcpy.c +++ b/cnd-memcpy.c @@ -41,10 +41,10 @@ cnd_memcpy(int cnd, volatile void *dst, const volatile void *src, size_t n) const volatile unsigned char *sp = src; volatile unsigned char *dp = dst; volatile unsigned char c; - volatile unsigned char m; + unsigned char m; size_t i; - m = -(unsigned char) cnd; + m = -(unsigned char) (cnd != 0); for (i = 0; i < n; i++) {
==

Build of Clang 17 with -O3, it correctly detects the problem.

==
==71789== Conditional jump or move depends on uninitialised value(s)
==71789==    at 0x48C6BBB: nettle_cnd_memcpy (../cnd-memcpy.c:51)
==71789==    by 0x10C946: cnd_memcpy_for_test (../../testsuite/cnd-memcpy-test.c:14)
==71789==    by 0x10C946: test_main (???:36)
==71789==    by 0x10CFC4: main (../../testsuite/testutils.c:173)
==71789==
==71789==
==71789== Exit program on first error (--exit-on-first-error=yes)
FAIL: sc-cnd-memcpy
[...]
==71811== Conditional jump or move depends on uninitialised value(s)
==71811==    at 0x48C6BBB: nettle_cnd_memcpy (../cnd-memcpy.c:51)
==71811==    by 0x485EB68: _nettle_pkcs1_sec_decrypt (../pkcs1-sec-decrypt.c:82)
==71811==    by 0x10C94E: pkcs1_decrypt_for_test (../../testsuite/pkcs1-sec-decrypt-test.c:14)
==71811==    by 0x10C94E: test_main (???:41)
==71811==    by 0x10D524: main (../../testsuite/testutils.c:173)
==71811==
==71811==
==71811== Exit program on first error (--exit-on-first-error=yes)
FAIL: sc-pkcs1-sec-decrypt
==

So, I think that the tests themselves work well.
--
___
nettle-bugs mailing list -- nettle-bugs@lists.lysator.liu.se
To unsubscribe send an email to nettle-bugs-le...@lists.lysator.liu.se
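Review bot: the `-41,10 +41,10` hunk changes two things at once, dropping `volatile` from `m` and normalising with `(cnd != 0)`, so the valgrind failures reported at cnd-memcpy.c:51 cannot be attributed to either change alone; trying each separately would show which one the compiler needs before it emits a conditional on `cnd`. Since this is a deliberate regression for exercising the sc-* tests, it should carry a comment saying so and stay out of the tree.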
Re: Possible bug of cnd_copy
Hello,

Niels Möller wrote:
> 1. Do the changes on branch
>    https://git.lysator.liu.se/nettle/nettle/-/tree/sc-is_zero?ref_type=heads
>    help?

Yes. It helps. I confirmed the function cnd_copy has no problem with the change (removing != 0, and require callers to use 0/1), for the cases I found, using the Compiler Explorer.

> 2. If you install valgrind (including header files), do the recently
>    added tests for side-channel silence fail when nettle is built with a
>    problem compiler? They're intended to catch this kind of issues (even
>    if coverage isn't yet that great).

I don't have those compilers, but simply use the Compiler Explorer as a network service. Thus, I can't test that way.

Well, I just found that Clang 17 is now available in Debian sid (on 2023-10-31), I can test with Clang 17. I'll test.

Thank you for your quick reply.
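The 0/1 calling convention discussed in this message, as an added C sketch that is not part of the thread and not nettle's code. The names `sketch_is_zero`, `sketch_cnd_memcpy` and `copied_with` are hypothetical and the sample bytes are constructed; it shows that once the `!= 0` normalisation is gone, a condition of 2 produces a partial mask, and one comparison-free way for a caller to reduce a value to 0/1 first.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper: 1 if x == 0, else 0, with no comparison operator.
   For any nonzero x, x or its two's-complement negation has bit 31 set. */
static unsigned
sketch_is_zero(uint32_t x)
{
  return 1u ^ ((x | (0u - x)) >> 31);
}

/* Hypothetical stand-in for a conditional copy: cnd must be exactly 0 or 1.
   The mask is built by negation alone, so nothing here compares cnd. */
static void
sketch_cnd_memcpy(unsigned cnd, volatile void *dst,
                  const volatile void *src, size_t n)
{
  const volatile unsigned char *sp = src;
  volatile unsigned char *dp = dst;
  volatile unsigned char m = (unsigned char) (0u - cnd); /* 0x00 or 0xff */
  size_t i;

  for (i = 0; i < n; i++)
    {
      unsigned char k = m; /* one volatile read of the mask per byte */
      dp[i] = (unsigned char) ((sp[i] & k) | (dp[i] & ~k));
    }
}

/* Runs one copy over constructed sample bytes; returns 1 if dst == src. */
static int
copied_with(unsigned cnd)
{
  unsigned char src[4] = { 1, 2, 3, 4 };
  unsigned char dst[4] = { 9, 9, 9, 9 };

  sketch_cnd_memcpy(cnd, dst, src, sizeof dst);
  return memcmp(dst, src, sizeof dst) == 0;
}

int
main(void)
{
  unsigned flag = 2; /* "true" in C, but not a valid cnd */
  int ok = copied_with(1) && !copied_with(0)
    && !copied_with(flag)                      /* mask 0xfe: bytes get mixed */
    && copied_with(1u ^ sketch_is_zero(flag)); /* normalised to 1 first */
  return ok ? 0 : 1;
}
```

Source-level branch freedom is only the intent; as the thread shows, the generated code still has to be checked per compiler, by reading the assembler output or by running valgrind-based tests.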
Re: Possible bug of cnd_copy
NIIBE Yutaka writes:
> I checked other compilers today.

Thanks for investigating! Questions:

1. Do the changes on branch
   https://git.lysator.liu.se/nettle/nettle/-/tree/sc-is_zero?ref_type=heads
   help?

2. If you install valgrind (including header files), do the recently
   added tests for side-channel silence fail when nettle is built with a
   problem compiler? They're intended to catch this kind of issues (even
   if coverage isn't yet that great).

If it's too difficult or too brittle to get compilers to do the intended thing, we'll have to add assembly implementation for all archs of interest. I think there were similar issues, in particular with clang, for gmp's mpn_sec_tabselect, and that's now in assembly for the many archs.

It's unfortunate if assembly is needed for security, not just performance, but that's already the case for AES, where the generic implementation is leaky.

Regards,
/Niels

--
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.