From 9160c41e7bd1cd265d70e43b62a6902b004f927d Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Tue, 16 Aug 2022 18:26:28 +0100 Subject: [PATCH] testsc: add side-channel test of Poly1305. Not sure how I missed this! I tested ChaCha20, but not the MAC that goes with it. Happily, it passes, so no harm done. This also involved adding a general framework for testing MACs that are tied to a specific cipher: we have to allocate, key and IV the cipher before attempting to use the MAC, and free it all afterwards. --- test/testsc.c | 47 +++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 41 insertions(+), 6 deletions(-) diff --git a/test/testsc.c b/test/testsc.c index 2e625cb1..6068dd86 100644 --- a/test/testsc.c +++ b/test/testsc.c @@ -308,7 +308,7 @@ VOLATILE_WRAPPED_DEFN(static, size_t, looplimit, (size_t x)) #define CIPHER_TESTLIST(X, name) X(cipher_ ## name) -#define MACS(X, Y) \ +#define SIMPLE_MACS(X, Y) \ X(Y, ssh_hmac_md5) \ X(Y, ssh_hmac_sha1) \ X(Y, ssh_hmac_sha1_buggy) \ @@ -317,6 +317,11 @@ VOLATILE_WRAPPED_DEFN(static, size_t, looplimit, (size_t x)) X(Y, ssh_hmac_sha256) \ /* end of list */ +#define ALL_MACS(X, Y) \ + SIMPLE_MACS(X, Y) \ + X(Y, poly1305) \ + /* end of list */ + #define MAC_TESTLIST(X, name) X(mac_ ## name) #define HASHES(X, Y) \ @@ -388,7 +393,7 @@ VOLATILE_WRAPPED_DEFN(static, size_t, looplimit, (size_t x)) X(ecc_edwards_get_affine) \ X(ecc_edwards_decompress) \ CIPHERS(CIPHER_TESTLIST, X) \ - MACS(MAC_TESTLIST, X) \ + ALL_MACS(MAC_TESTLIST, X) \ HASHES(HASH_TESTLIST, X) \ X(argon2) \ X(primegen_probabilistic) \ @@ -1402,20 +1407,37 @@ static void test_cipher(const ssh_cipheralg *calg) static void test_cipher_##cipher(void) { test_cipher(&cipher); } CIPHERS(CIPHER_TESTFN, Y_unused) -static void test_mac(const ssh2_macalg *malg) +static void test_mac(const ssh2_macalg *malg, const ssh_cipheralg *calg) { - ssh2_mac *m = ssh2_mac_new(malg, NULL); + ssh_cipher *c = NULL; + if (calg) { + c = ssh_cipher_new(calg); + if (!c) { + test_skipped = true; + return; + } + } + + ssh2_mac *m = ssh2_mac_new(malg, c); if (!m) { test_skipped = true; + if (c) + ssh_cipher_free(c); return; } + size_t ckeylen = calg ? calg->padded_keybytes : 0; + size_t civlen = calg ? calg->blksize : 0; + uint8_t *ckey = snewn(ckeylen, uint8_t); + uint8_t *civ = snewn(civlen, uint8_t); uint8_t *mkey = snewn(malg->keylen, uint8_t); size_t datalen = 256; size_t maclen = malg->len; uint8_t *data = snewn(datalen + maclen, uint8_t); for (size_t i = 0; i < looplimit(16); i++) { + random_read(ckey, ckeylen); + random_read(civ, civlen); random_read(mkey, malg->keylen); random_read(data, datalen); uint8_t seqbuf[4]; @@ -1423,20 +1445,33 @@ static void test_mac(const ssh2_macalg *malg) uint32_t seq = GET_32BIT_MSB_FIRST(seqbuf); log_start(); + if (c) { + ssh_cipher_setkey(c, ckey); + ssh_cipher_setiv(c, civ); + } ssh2_mac_setkey(m, make_ptrlen(mkey, malg->keylen)); ssh2_mac_generate(m, data, datalen, seq); ssh2_mac_verify(m, data, datalen, seq); log_end(); } + sfree(ckey); + sfree(civ); sfree(mkey); sfree(data); ssh2_mac_free(m); + if (c) + ssh_cipher_free(c); } #define MAC_TESTFN(Y_unused, mac) \ - static void test_mac_##mac(void) { test_mac(&mac); } -MACS(MAC_TESTFN, Y_unused) + static void test_mac_##mac(void) { test_mac(&mac, NULL); } +SIMPLE_MACS(MAC_TESTFN, Y_unused) + +static void test_mac_poly1305(void) +{ + test_mac(&ssh2_poly1305, &ssh2_chacha20_poly1305); +} static void test_hash(const ssh_hashalg *halg) {