From 63f33b146bae61b355184a9f4f1d517a2b8a1834 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Wed, 15 Nov 2023 07:59:50 +0100
Subject: [PATCH] Add sidechannel tests for curve25519.
---
ChangeLog | 15 +++++++++++++++
ecc-mod-arith.c | 4 ++--
testsuite/Makefile.in | 4 +++-
testsuite/curve25519-dh-test.c | 14 +++++++++++++-
testsuite/sc-curve25519-dh-test | 6 ++++++
5 files changed, 39 insertions(+), 4 deletions(-)
create mode 100755 testsuite/sc-curve25519-dh-test
diff --git a/ChangeLog b/ChangeLog
index e65ddf78..0a98d673 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2023-11-15 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/curve25519-dh-test.c (test_g): Add calls to
+ mark_bytes_undefined and mark_bytes_defined.
+ (test_a): Likewise.
+ (test_main): Skip side-channel tests in builds with mini-gmp or
+ extra asserts enabled.
+
+ * ecc-mod-arith.c (ecc_mod_addmul_1): Use assert_maybe.
+
+ * testsuite/Makefile.in (TS_SC_HOGWEED): New make variable. Added
+ sc-curve25519-dh-test to list.
+
+ * testsuite/sc-curve25519-dh-test: New testcase.
+
2023-11-14 Niels Möller <nisse@lysator.liu.se>
Add a first side-channel test for the ECC code.
diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c
index 2c39a816..1650f0b4 100644
--- a/ecc-mod-arith.c
+++ b/ecc-mod-arith.c
@@ -127,10 +127,10 @@ ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp,
assert (b <= 0xffffffff);
hi = mpn_addmul_1 (rp, ap, m->size, b);
hi = mpn_addmul_1 (rp, m->B, m->size, hi);
- assert (hi <= 1);
+ assert_maybe (hi <= 1);
hi = mpn_cnd_add_n (hi, rp, rp, m->B, m->size);
/* Sufficient roughly if b < B^size / p */
- assert (hi == 0);
+ assert_maybe (hi == 0);
}
void
diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in
index fb2b4031..b8bce556 100644
--- a/testsuite/Makefile.in
+++ b/testsuite/Makefile.in
@@ -66,8 +66,10 @@ TS_HOGWEED = $(TS_HOGWEED_SOURCES:.c=$(EXEEXT))
TS_C = $(TS_NETTLE) @IF_HOGWEED@ $(TS_HOGWEED)
TS_CXX = @IF_CXX@ $(CXX_SOURCES:.cxx=$(EXEEXT))
TARGETS = $(TS_C) $(TS_CXX)
+TS_SC_HOGWEED = sc-pkcs1-sec-decrypt-test sc-rsa-sec-decrypt-test \
+ sc-ecdsa-sign-test sc-curve25519-dh-test
TS_SC = sc-cnd-memcpy-test sc-gcm-test sc-memeql-test \
- @IF_HOGWEED@ sc-pkcs1-sec-decrypt-test sc-rsa-sec-decrypt-test sc-ecdsa-sign-test
+ @IF_HOGWEED@ $(TS_SC_HOGWEED)
TS_SH = symbols-test @IF_VALGRIND@ $(TS_SC)
TS_ALL = $(TARGETS) $(TS_SH) @IF_DLOPEN_TEST@ dlopen-test$(EXEEXT)
diff --git a/testsuite/curve25519-dh-test.c b/testsuite/curve25519-dh-test.c
index e9037523..8207bbb3 100644
--- a/testsuite/curve25519-dh-test.c
+++ b/testsuite/curve25519-dh-test.c
@@ -37,7 +37,11 @@ static void
test_g (const uint8_t *s, const uint8_t *r)
{
uint8_t p[CURVE25519_SIZE];
+
+ mark_bytes_undefined (CURVE25519_SIZE, s);
curve25519_mul_g (p, s);
+ mark_bytes_defined (CURVE25519_SIZE, p);
+
if (!MEMEQ (CURVE25519_SIZE, p, r))
{
printf ("curve25519_mul_g failure:\ns = ");
@@ -55,8 +59,12 @@ static void
test_a (const uint8_t *s, const uint8_t *b, const uint8_t *r)
{
uint8_t p[CURVE25519_SIZE];
+
+ mark_bytes_undefined (CURVE25519_SIZE, b);
+ mark_bytes_undefined (CURVE25519_SIZE, s);
curve25519_mul (p, s, b);
-
+ mark_bytes_defined (CURVE25519_SIZE, p);
+
if (!MEMEQ (CURVE25519_SIZE, p, r))
{
printf ("curve25519_mul failure:\ns = ");
@@ -75,6 +83,10 @@ test_a (const uint8_t *s, const uint8_t *b, const uint8_t *r)
void
test_main (void)
{
+#if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS
+ if (test_side_channel)
+ SKIP();
+#endif
/* From RFC 7748. */
test_g (H("77076d0a7318a57d3c16c17251b26645"
"df4c2f87ebc0992ab177fba51db92c2a"),
diff --git a/testsuite/sc-curve25519-dh-test b/testsuite/sc-curve25519-dh-test
new file mode 100755
index 00000000..71297359
--- /dev/null
+++ b/testsuite/sc-curve25519-dh-test
@@ -0,0 +1,6 @@
+#! /bin/sh
+
+srcdir=`dirname $0`
+. "${srcdir}/sc-valgrind.sh"
+
+with_valgrind ./curve25519-dh-test
--
GitLab