I've written a simple program to setup valgrind to check for bad uses of
secret data. Maybe you have heard of Adam Langley's ctgrind
(https://github.com/agl/ctgrind), but it seems to work fine to use plain
valgrind and mark the secret data with VALGRIND_MAKE_MEM_UNDEFINED.
Non-silent algorithms include aes, camellia, cast128, twofish, arctwo, des,
blowfish, gcm (the hashing), arcfour. Almost anything using sboxes.
Silent algorithms include serpent (sboxes, but with nice bit-slicing
instead of tables), salsa20, chacha, poly1305.
Not sure if and how this testing could be added to a plain
make check EMULATOR='$(VALGRIND)'
As for AES, an implementations using the aesni instructions ought to be
side-channel silent. And if one is concerned about side channel attacks
on AES, but too conservative to jump to salsa20 or chacha, serpent might
be a good alternative.
(I'll be doing a short talk on side-channel attacks on Southpole's 15
year anniversary party on November 7, so that's why I'm looking into
this now).
Regards,
/Niels
-----8<---
/* cipher-sidechannel-test.c
Copyright (C) 2014 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#include "testutils.h"
#include "nettle-internal.h"
#if !HAVE_VALGRIND_MEMCHECK_H
void testmain (void)
{
SKIP ();
}
#else /* HAVE_VALGRIND_MEMCHECK_H */
#include <valgrind/memcheck.h>
static uint8_t *
xalloc_secret (size_t size)
{
uint8_t *p = xalloc (size);
memset (p, 0, size);
VALGRIND_MAKE_MEM_UNDEFINED (p, size);
return p;
}
static void
test_sc_cipher (const struct nettle_cipher *cipher)
{
void *ctx;
uint8_t *key;
uint8_t *src;
uint8_t *dst;
ctx = xalloc (cipher->context_size);
key = xalloc_secret (cipher->key_size);
src = xalloc_secret (cipher->block_size);
dst = xalloc (cipher->block_size);
cipher->set_encrypt_key (ctx, key);
cipher->encrypt (ctx, cipher->block_size, dst, src);
free (ctx);
free (key);
free (src);
free (dst);
}
#define DATA_SIZE 32
static void
test_sc_aead (const struct nettle_aead *aead)
{
void *ctx;
uint8_t *key;
uint8_t *nonce;
uint8_t *src;
uint8_t *data;
uint8_t *dst;
uint8_t *digest;
ctx = xalloc (aead->context_size);
key = xalloc_secret (aead->key_size);
nonce = xalloc_secret (aead->nonce_size);
src = xalloc_secret (aead->block_size);
data = xalloc_secret (DATA_SIZE);
dst = xalloc (aead->block_size);
digest = xalloc (aead->digest_size);
aead->set_encrypt_key (ctx, key);
if (aead->set_nonce)
aead->set_nonce (ctx, nonce);
if (aead->update)
aead->update (ctx, DATA_SIZE, data);
aead->encrypt (ctx, aead->block_size, dst, src);
if (aead->update)
aead->digest (ctx, aead->digest_size, digest);
free (ctx);
free (key);
free (nonce);
free (src);
free (data);
free (dst);
free (digest);
}
static const struct nettle_cipher *
other_ciphers[] = {
&nettle_des,
&nettle_des3,
&nettle_blowfish128,
NULL,
};
static const struct nettle_aead *
other_aeads[] = {
&nettle_arcfour128,
&nettle_chacha,
&nettle_salsa20,
&nettle_salsa20r12,
NULL,
};
void
test_main (void)
{
unsigned i;
const struct nettle_cipher *cipher;
const struct nettle_aead *aead;
for (i = 0; ((cipher = nettle_ciphers[i])); i++)
test_sc_cipher (cipher);
for (i = 0; ((cipher = other_ciphers[i])); i++)
test_sc_cipher (cipher);
for (i = 0; ((aead = nettle_aeads[i])); i++)
test_sc_aead (aead);
for (i = 0; ((aead = other_aeads[i])); i++)
test_sc_aead (aead);
}
#endif /* HAVE_VALGRIND_MEMCHECK_H */
--
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
