Start verifying that code which should be constant-time really is.
author    Mark Wooding <mdw@distorted.org.uk>
          Sun, 1 Oct 2017 02:01:02 +0000 (03:01 +0100)
committer Mark Wooding <mdw@distorted.org.uk>
          Sun, 1 Oct 2017 02:01:02 +0000 (03:01 +0100)
commit    1aaccf40b93719fd3df7cc89e023b9bb48b358b6
tree      146b5dcbe4fd851565ec5865809d5cf29540e3c2
parent    c2603631178b688a6f8ce5eccd461e74718058d5
Start verifying that code which should be constant-time really is.

Introduce utilities `ct_poison' and `ct_remedy' to control Valgrind's
uninitialized-data checking, based on Adam Langley's `ctgrind' idea
described in https://www.imperialviolet.org/2010/04/01/ctgrind.html.
Use these in the tests for fancy-bignum algorithms, such as Poly1305 and
X25519.

There's currently no automated machinery for running these tests.  This
is a little tricky:

  * Some of the tests will need to be skipped because they just take too
    long if they run under Valgrind.

  * The test programs are actually libtool wrappers, which are bash(1)
    scripts.  Firstly, this means we get lots of spurious errors about
    bash; and secondly, the actual test program doesn't end up being
    checked by Valgrind at all.

So it's just manual for now.
base/Makefile.am
base/ct-test.c [new file with mode: 0644]
base/ct.h
configure.ac
pub/ed25519.c
pub/ed448.c
pub/x25519.c
pub/x448.c
symm/poly1305.c
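As an added illustration of the ctgrind discipline the message describes (this is not the commit's own ct.h or ct-test.c): hypothetical `ct_poison`/`ct_remedy` stand-ins built on Valgrind's Memcheck client requests (assumed reachable via `<valgrind/memcheck.h>`, no-ops otherwise), an early-exit comparison that Memcheck would flag when run on poisoned input, a constant-time one that it would not, and a tag check that poisons the secret and remedies only the verdict. The sample tags are constructed values.

```c
#include <string.h>

/* Hypothetical stand-ins for the commit's ct_poison/ct_remedy (not its
 * code): with Valgrind's headers present they mark bytes as undefined, so
 * Memcheck reports any branch or memory index that depends on them; the
 * remedy marks them defined again.  Without the headers they are no-ops. */
#if defined(__has_include)
#  if __has_include(<valgrind/memcheck.h>)
#    include <valgrind/memcheck.h>
#    define CT_HAVE_VALGRIND 1
#  endif
#endif
#ifdef CT_HAVE_VALGRIND
#  define ct_poison(p, n) VALGRIND_MAKE_MEM_UNDEFINED((p), (n))
#  define ct_remedy(p, n) VALGRIND_MAKE_MEM_DEFINED((p), (n))
#else
#  define ct_poison(p, n) ((void)(p), (void)(n))
#  define ct_remedy(p, n) ((void)(p), (void)(n))
#endif

/* Constructed sample tags for a stand-alone run (not real MAC output). */
const unsigned char sample_tag[4] = {1, 2, 3, 4};
const unsigned char wrong_tag[4]  = {1, 2, 3, 5};

/* Early-exit compare: on poisoned input Memcheck reports
 * "Conditional jump or move depends on uninitialised value(s)". */
int leaky_memeq(const unsigned char *a, const unsigned char *b, size_t n)
{
  size_t i;
  for (i = 0; i < n; i++) if (a[i] != b[i]) return 0;
  return 1;
}

/* Constant-time compare: OR-accumulate differences, no data-dependent branch. */
int ct_memeq(const unsigned char *a, const unsigned char *b, size_t n)
{
  unsigned char acc = 0;
  size_t i;
  for (i = 0; i < n; i++) acc |= a[i] ^ b[i];
  return (int)(1u & (((unsigned)acc - 1u) >> 8));  /* 1 iff acc == 0 */
}

/* ctgrind discipline around a MAC-tag check: poison the secret copy, run the
 * comparison, remedy only the one-bit verdict before anyone branches on it. */
int tag_matches(const unsigned char *secret, const unsigned char *cand, size_t n)
{
  unsigned char tmp[64];
  int r;
  if (n > sizeof tmp) return 0;       /* n is public; this branch is fine */
  memcpy(tmp, secret, n);
  ct_poison(tmp, n);
  r = ct_memeq(tmp, cand, n);
  ct_remedy(&r, sizeof r);
  return r;
}
```

Built with the Valgrind headers and run under `valgrind`, swapping `ct_memeq` for `leaky_memeq` inside `tag_matches` produces the uninitialised-value report; the constant-time version runs clean.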