Merge pull request #736 from mpg/cf-varpos-copy-dev-restricted

Constant-flow copy of HMAC from variable position
2020-08-25 14:35:55 +01:00 · 2020-08-25 14:35:55 +01:00 · d4ac4e037b
commit d4ac4e037b
parent 22d70a80af 04b7488411
11 changed files with 211 additions and 39 deletions
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@ -1109,6 +1109,28 @@ component_test_memsan_constant_flow () {
    make test
 }

+component_test_valgrind_constant_flow () {
+    # This tests both (1) everything that valgrind's memcheck usually checks
+    # (heap buffer overflows, use of uninitialized memory, use-after-free,
+    # etc.) and (2) branches or memory access depending on secret values,
+    # which will be reported as uninitialized memory. To distinguish between
+    # secret and actually uninitialized:
+    # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist?
+    # - or alternatively, build with debug info and manually run the offending
+    # test suite with valgrind --track-origins=yes, then check if the origin
+    # was TEST_CF_SECRET() or something else.
+    msg "build: cmake release GCC, full config with constant flow testing"
+    scripts/config.py full
+    scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
+    cmake -D CMAKE_BUILD_TYPE:String=Release .
+    make
+
+    # this only shows a summary of the results (how many of each type)
+    # details are left in Testing/<date>/DynamicAnalysis.xml
+    msg "test: main suites (valgrind + constant flow)"
+    make memcheck
+}
+
 component_test_default_no_deprecated () {
    # Test that removing the deprecated features from the default
    # configuration leaves something consistent.