That's a nice point. Operating systems evolved to be able to obtain crash at a level which is not reflected to low level functions like abort and assert. Can that be addressed in the nettle or individual lib level or at the POSIX level with the introduction of secure-assert or so? Removing asserts on production will cause more harm than good.
On February 17, 2018 9:59:28 AM UTC, Jeffrey Walton noloader@gmail.com wrote:
On Sat, Feb 17, 2018 at 4:35 AM, Niels Möller nisse@lysator.liu.se wrote:
...
@@ -80,7 +80,7 @@ openssl_evp_set_encrypt_key(void *p, const uint8_t
*key,
{ struct openssl_cipher_ctx *ctx = p; ctx->evp = EVP_CIPHER_CTX_new();
- assert(EVP_EncryptInit_ex(ctx->evp, cipher, NULL, key, NULL) ==
1);
- assert(EVP_CipherInit_ex(ctx->evp, cipher, NULL, key, NULL, 1) ==
1);
EVP_CIPHER_CTX_set_padding(ctx->evp, 0); }
It's not right to use assert on expressions with side-effects. Since
will
break builds with ./configure CFLAGS='-DNDEBUG'.
No asserts, period. They should not get through an audit.
What happens when an assert fires? According to Posix an abort() happens (http://pubs.opengroup.org/onlinepubs/009695399/functions/assert.html).
What happens when the abort happens? The sensitive information inside the app's security boundary leaves the security boundary. It is egressed from the app and written to a core file.
It gets worse. If services are engaged like Windows Error Reporting, Appport, Apple Crash Reporter, Crashlytics , and friends, then the sensitive information leaves the computer or device, too. It just crossed another security boundary and a third party owns it.
Everything that used to be private, like password lists and private keys, are now public information. The NSA, GCHQ and law enforcement thanks you.
The library that really perplexes me is libsodium. It is used in software like Bitcoin and Monero. Every time an assert fires it is like opening the wallet up for thieves to take what they want.
Please ensure you always build high integrity software with -DNDEBUG to remove the asserts.
Jeff _______________________________________________ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs