]> git.ipfire.org Git - thirdparty/nettle.git/commitdiff
projects / thirdparty / nettle.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0404c14)
Add sidechannel tests for ed25519 and ed448.
authorNiels Möller <nisse@lysator.liu.se>
Wed, 15 Nov 2023 11:59:07 +0000 (12:59 +0100)
committerNiels Möller <nisse@lysator.liu.se>
Wed, 15 Nov 2023 11:59:07 +0000 (12:59 +0100)
ChangeLog patch | blob | blame | history
ecc-curve25519.c patch | blob | blame | history
eddsa-hash.c patch | blob | blame | history
eddsa-sign.c patch | blob | blame | history
testsuite/Makefile.in patch | blob | blame | history
testsuite/ed25519-test.c patch | blob | blame | history
testsuite/ed448-test.c patch | blob | blame | history
testsuite/sc-ed25519-test [new file with mode: 0755] patch | blob
testsuite/sc-ed448-test [new file with mode: 0755] patch | blob

diff --git a/ChangeLog b/ChangeLog
index ca7d7bf7dae8610a3752e69454485bcedb292923..623c60bb3cfe1b2d6305dd52355e329cc167500f 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,9 @@
 
        * ecc-mod-arith.c (ecc_mod_addmul_1): Use assert_maybe.
        * ecc-curve448.c (ecc_curve448_modp): Likewise.
+       * ecc-curve25519.c (ecc_curve25519_modq): Likewise.
+       * eddsa-hash.c (_eddsa_hash): Likewise.
+       * eddsa-sign.c (_eddsa_sign): Likewise.
 
        * testsuite/curve25519-dh-test.c (test_g): Add calls to
        mark_bytes_undefined and mark_bytes_defined.
@@ -9,11 +12,16 @@
        (test_main): Skip side-channel tests in builds with mini-gmp or
        extra asserts enabled.
        * testsuite/curve448-dh-test.c: Analogous changes.
+       * testsuite/ed448-test.c (test_one): Analogous changes.
+       * testsuite/ed25519-test.c: Analogous changes.
 
        * testsuite/Makefile.in (TS_SC_HOGWEED): New make variable. Added
-       sc-curve25519-dh-test and sc-curve448-dh-test to list.
+       sc-curve25519-dh-test, sc-curve448-dh-test, sc-ed25519-test, and
+       sc-ed448-test to list.
        * testsuite/sc-curve25519-dh-test: New testcase.
        * testsuite/sc-curve448-dh-test: New testcase.
+       * testsuite/sc-ed448-test: New testcase.
+       * testsuite/sc-ed25519-test: New testcase.
 
 2023-11-14  Niels Möller  <nisse@lysator.liu.se>
 
diff --git a/ecc-curve25519.c b/ecc-curve25519.c
index 539bff2211b4fec9e23ace15b078c1353f47a53e..db301252ec5f3f089a1ba7a2237c4ae16d0f5dc6 100644 (file)
--- a/ecc-curve25519.c
+++ b/ecc-curve25519.c
@@ -89,13 +89,13 @@ ecc_curve25519_modq (const struct ecc_modulo *q, mp_limb_t *rp, mp_limb_t *xp)
                         q->B_shifted, ECC_LIMB_SIZE,
                         xp[n + ECC_LIMB_SIZE]);
       /* Top limb of mBmodq_shifted is zero, so we get cy == 0 or 1 */
-      assert (cy < 2);
+      assert_maybe (cy < 2);
       mpn_cnd_add_n (cy, xp+n, xp+n, q->m, ECC_LIMB_SIZE);
     }
 
   cy = mpn_submul_1 (xp, q->m, ECC_LIMB_SIZE,
                     xp[ECC_LIMB_SIZE-1] >> (GMP_NUMB_BITS - QHIGH_BITS));
-  assert (cy < 2);
+  assert_maybe (cy < 2);
   mpn_cnd_add_n (cy, rp, xp, q->m, ECC_LIMB_SIZE);
 }
 
diff --git a/eddsa-hash.c b/eddsa-hash.c
index 6ebbe9773e73468e58896990d877d0a043d5af9a..f14c16c8e663fd2c1d168324bb424f3a7bff79aa 100644 (file)
--- a/eddsa-hash.c
+++ b/eddsa-hash.c
@@ -71,9 +71,9 @@ _eddsa_hash (const struct ecc_modulo *m,
       assert (nlimbs == 2*m->size + 1);
 
       hi = mpn_addmul_1 (rp + m->size, m->B, m->size, hi);
-      assert (hi <= 1);
+      assert_maybe (hi <= 1);
       hi = mpn_cnd_add_n (hi, rp + m->size, rp + m->size, m->B, m->size);
-      assert (hi == 0);
+      assert_maybe (hi == 0);
     }
   m->mod (m, rp + m->size , rp);
   /* Ensure canonical reduction. */
diff --git a/eddsa-sign.c b/eddsa-sign.c
index f5dda6f01bb213cb7d295f11a9f150e212876088..007b2af99d4b3ab30e9e4bb1e611fb3a6b6a41a7 100644 (file)
--- a/eddsa-sign.c
+++ b/eddsa-sign.c
@@ -116,9 +116,9 @@ _eddsa_sign (const struct ecc_curve *ecc,
     }
 
   cy = mpn_submul_1 (sp, ecc->q.m, ecc->p.size, q);
-  assert (cy < 2);
+  assert_maybe (cy < 2);
   cy -= mpn_cnd_add_n (cy, sp, sp, ecc->q.m, ecc->p.size);
-  assert (cy == 0);
+  assert_maybe (cy == 0);
 
   mpn_get_base256_le (signature + nbytes, nbytes, sp, ecc->q.size);
 #undef rp
diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in
index cf3d962cb108399f4ecb9513ba274ee19537eaf8..8fc416df7d11ad53bd3dd58d3c13a263ff64783c 100644 (file)
--- a/testsuite/Makefile.in
+++ b/testsuite/Makefile.in
@@ -67,7 +67,8 @@ TS_C = $(TS_NETTLE) @IF_HOGWEED@ $(TS_HOGWEED)
 TS_CXX = @IF_CXX@ $(CXX_SOURCES:.cxx=$(EXEEXT))
 TARGETS = $(TS_C) $(TS_CXX)
 TS_SC_HOGWEED = sc-pkcs1-sec-decrypt-test sc-rsa-sec-decrypt-test \
-       sc-ecdsa-sign-test sc-curve25519-dh-test sc-curve448-dh-test
+       sc-ecdsa-sign-test sc-curve25519-dh-test sc-curve448-dh-test \
+       sc-ed25519-test sc-ed448-test
 TS_SC = sc-cnd-memcpy-test sc-gcm-test sc-memeql-test \
        @IF_HOGWEED@ $(TS_SC_HOGWEED)
 
diff --git a/testsuite/ed25519-test.c b/testsuite/ed25519-test.c
index abcef34effee5d6f50656b74bd6809c1515c206e..7e13881c0ba5ecceb73d5799c8e6ed764ea22833 100644 (file)
--- a/testsuite/ed25519-test.c
+++ b/testsuite/ed25519-test.c
@@ -92,10 +92,15 @@ test_one (const char *line)
 
   decode_hex (msg_size, msg, mp);
 
+  mark_bytes_undefined (ED25519_KEY_SIZE, sk);
   ed25519_sha512_public_key (t, sk);
+  mark_bytes_defined (ED25519_KEY_SIZE, t);
+
   ASSERT (MEMEQ(ED25519_KEY_SIZE, t, pk));
 
   ed25519_sha512_sign (pk, sk, msg_size, msg, s2);
+  mark_bytes_defined (ED25519_SIGNATURE_SIZE, s2);
+
   ASSERT (MEMEQ (ED25519_SIGNATURE_SIZE, s, s2));
 
   ASSERT (ed25519_sha512_verify (pk, msg_size, msg, s));
@@ -158,6 +163,10 @@ getline(char **lineptr, size_t *n, FILE *f)
 void
 test_main(void)
 {
+#if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS
+  if (test_side_channel)
+    SKIP();
+#endif
   const char *input = getenv ("ED25519_SIGN_INPUT");
   if (input)
     {
diff --git a/testsuite/ed448-test.c b/testsuite/ed448-test.c
index a46b85c6b734029bb0576b6347fc932f77ba75dd..7ea2da4f9b00d990bd8547176e3c6ba8e1732c6c 100644 (file)
--- a/testsuite/ed448-test.c
+++ b/testsuite/ed448-test.c
@@ -93,10 +93,15 @@ test_one (const char *line)
 
   decode_hex (msg_size, msg, mp);
 
+  mark_bytes_undefined (ED448_KEY_SIZE, sk);
   ed448_shake256_public_key (t, sk);
+  mark_bytes_defined (ED448_KEY_SIZE, t);
+
   ASSERT (MEMEQ(ED448_KEY_SIZE, t, pk));
 
   ed448_shake256_sign (pk, sk, msg_size, msg, s2);
+  mark_bytes_defined (ED448_SIGNATURE_SIZE, s2);
+
   ASSERT (MEMEQ (ED448_SIGNATURE_SIZE, s, s2));
 
   ASSERT (ed448_shake256_verify (pk, msg_size, msg, s));
@@ -159,6 +164,10 @@ getline(char **lineptr, size_t *n, FILE *f)
 void
 test_main(void)
 {
+#if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS
+  if (test_side_channel)
+    SKIP();
+#endif
   const char *input = getenv ("ED448_SIGN_INPUT");
   if (input)
     {
diff --git a/testsuite/sc-ed25519-test b/testsuite/sc-ed25519-test
new file mode 100755 (executable)
index 0000000..81be04e
--- /dev/null
+++ b/testsuite/sc-ed25519-test
@@ -0,0 +1,6 @@
+#! /bin/sh
+
+srcdir=`dirname $0`
+. "${srcdir}/sc-valgrind.sh"
+
+with_valgrind ./ed25519-test
diff --git a/testsuite/sc-ed448-test b/testsuite/sc-ed448-test
new file mode 100755 (executable)
index 0000000..d0efdba
--- /dev/null
+++ b/testsuite/sc-ed448-test
@@ -0,0 +1,6 @@
+#! /bin/sh
+
+srcdir=`dirname $0`
+. "${srcdir}/sc-valgrind.sh"
+
+with_valgrind ./ed448-test
Mirror of https://git.lysator.liu.se/nettle/nettle.git