Re: Asserts considered harmful (or GMP spills its sensitive information)

[Jeffrey Walton <noloader () gmail com>]

On Tue, Jan 1, 2019 at 11:19 AM Torbjörn Granlund <tg () gmplib org> wrote:
>   The assert that Jeffrey has hit is in sec_powm.c,
>
>     ASSERT_ALWAYS (enb >= windowsize);
>
>   As far as I can see, "enb" is the input argument to the win_size function,
>   and "windowsize" is the return value. I'm waiting for more information,
>   since it works fine in my build. Possible explanations I see are
>
> A reasonable assumption is that this user has modified the sources to
> cause this bug.  The motive would be to support his auxesis about how
> insecure GMP is.

My bad, I did not mean to imply this was a problem with GMP only. GMP
has a lot of company, like GnuPG and OpenSSL.

I believe the assumption  is incorrect. The sources were not modified,
and a standard (?) 'configure; make; make check' was used. The
reproducer script is available at
https://www.openwall.com/lists/oss-security/2018/12/31/1; see
test-gmp.sh.txt.

For completeness here's a quick audit of some security libraries.
Botan, Crypto++ and OpenSSL use -DNDEBUG to remove asserts from
production/release builds. They use asserts as a debugging/diagnostic
aide. They don't depend on crashing the program and risk egressing
sensitive information outside the app's security boundary.

gmp-6.1.2$ grep -iIR assert | wc -l
4867

openssl-1.0.2$ grep -iIR assert | wc -l
436

libgcrypt-1.8.4$ grep -iIR assert | wc -l
245

gnupg-2.2.12$ grep -iIR assert | wc -l
1337

cryptopp-8.0$ grep -iIR assert | wc -l
1123

botan-2.8$ grep -iIR assert | wc -l
746

Cheers, Jeff