Do dedicated constant-time testing in a few more configurations
Do constant-time testing in a couple of configurations that give some
interesting coverage;
* In a configuration that's close to the default: `test_aes_only_128_bit_keys`.
Having only 128-bit AES keys doesn't reduce the interesting scope much
(except that it doesn't test 192-bit and 256-bit AES, but since that
configuration uses hardware AES, we don't care about that part).
* when PSA buffer copying is not done, i.e. when
`MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS` is enabled. This will be very
relevant for the upcoming PSA constant-time tests.
Use Valgrind, since some of the interesting tests require constant-time AES,
which for us means AESNI or AESCE, which MSan doesn't support.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index 04c38f6..6b12bb9 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -5,6 +5,28 @@
# This file contains test components that are executed by all.sh
+## test_with_valgrind tests/suites/SUITE.data [...]
+## Run the specified test suite(s) with Valgrind.
+test_with_valgrind () {
+ for data_file in "$@"; do
+ suite="${data_file##*/}"; suite="${suite%.data}"
+ exe="tests/$suite"
+ log_file="tests/MemoryChecker.$suite.log"
+ make -C tests "$suite"
+ valgrind -q --tool=memcheck --track-origins=yes --log-file="$log_file" "$exe"
+ not grep . -- "$log_file"
+ done
+}
+
+## Run a small set of dedicated constant-time tests with Valgrind.
+## Exclude very slow suites.
+## Exclude suites that contain some constant-time tests, but whose focus
+## isn't on constant-time tests.
+test_with_valgrind_constant_time () {
+ declare GLOBIGNORE="tests/suites/test_suite_constant_time_hmac.data"
+ test_with_valgrind tests/suites/*constant_time*.data
+}
+
################################################################
#### Configuration Testing - Crypto
################################################################
@@ -31,6 +53,17 @@
make test
}
+component_test_psa_assume_exclusive_buffers_valgrind_cf () {
+ msg "build: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, constant flow with Valgrind"
+ scripts/config.py full
+ scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
+ scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
+ make lib
+
+ msg "test: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, constant flow with Valgrind, selected suites"
+ test_with_valgrind_constant_time tests/suites/*constant_time*.data
+}
+
component_test_crypto_with_static_key_slots() {
msg "build: crypto full + MBEDTLS_PSA_STATIC_KEY_SLOTS"
scripts/config.py crypto_full
@@ -2969,11 +3002,15 @@
msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH"
scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
scripts/config.py unset MBEDTLS_PADLOCK_C
+ scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
make CFLAGS='-O2 -Werror -Wall -Wextra'
msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH"
make test
+
+ msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH constant flow with Valgrind, selected suites"
+ test_with_valgrind_constant_time
}
component_test_no_ctr_drbg_aes_only_128_bit_keys () {