authorNiels Möller <nisse@lysator.liu.se>2023-04-12 09:47:48 +0200
committerNiels Möller <nisse@lysator.liu.se>2023-04-12 09:47:48 +0200
commit0a2924e5489897cfeba9a8ec8f1293df32ced093 (patch)
tree427aef0fcf5b2cd71f35162c2f60234401fd4f71
parentf3685815cdaeabc8b10a56b79d07734933814f3b (diff)
Add valgrind annotations to ghash tests.ghash-sidechannel-silent
-rw-r--r--ChangeLog6
-rw-r--r--testsuite/gcm-test.c15
2 files changed, 21 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 674c3769..410e1d9d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2023-04-12 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/gcm-test.c (test_ghash_internal): Add valgrind
+ annotations, to verify that the ghash makes no data-dependent
+ branches or memory accesses.
+
2023-04-08 Niels Möller <nisse@lysator.liu.se>
* examples/nettle-benchmark.c (bench_ghash_update): New function.
diff --git a/testsuite/gcm-test.c b/testsuite/gcm-test.c
index d70cdd1e..bc555d60 100644
--- a/testsuite/gcm-test.c
+++ b/testsuite/gcm-test.c
@@ -6,6 +6,13 @@
#include "gcm.h"
#include "ghash-internal.h"
+#if HAVE_VALGRIND_MEMCHECK_H
+# include <valgrind/memcheck.h>
+#else
+# define VALGRIND_MAKE_MEM_UNDEFINED(p, n)
+# define VALGRIND_MAKE_MEM_DEFINED(p, n)
+#endif
+
static void
test_gcm_hash (const struct tstring *msg, const struct tstring *ref)
{
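Review bot: The fallback definitions on the `#else` branch expand to nothing, so a call like `VALGRIND_MAKE_MEM_DEFINED (&state, sizeof(state));` becomes a bare `;` when valgrind's header is absent; that is harmless here, but a statement-shaped fallback is the safer idiom and keeps the arguments referenced. I would write `# define VALGRIND_MAKE_MEM_UNDEFINED(p, n) ((void) (p), (void) (n))` and the same for `VALGRIND_MAKE_MEM_DEFINED`. This presumably relies on configure defining HAVE_VALGRIND_MEMCHECK_H when the header is found; that check is not in the hunk, so worth confirming, otherwise the annotations are silently compiled out and the side-channel check never runs. A short comment above the `#if`, e.g. `/* Annotations are no-ops unless the test binary runs under valgrind; see test_ghash_internal. */`, would make that explicit to whoever runs the testsuite.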
@@ -42,11 +49,19 @@ test_ghash_internal (const struct tstring *key,
struct gcm_key gcm_key;
union nettle_block16 state;
+ /* Use VALGRIND_MAKE_MEM_DEFINED to mark inputs as "undefined", to
+ get valgrind to warn about any branches or memory accesses
+ depending on secret data. */
memcpy (state.b, key->data, GCM_BLOCK_SIZE);
+ VALGRIND_MAKE_MEM_UNDEFINED (&state, sizeof(state));
_ghash_set_key (&gcm_key, &state);
memcpy (state.b, iv->data, GCM_BLOCK_SIZE);
+ VALGRIND_MAKE_MEM_UNDEFINED (&state, sizeof(state));
+ VALGRIND_MAKE_MEM_UNDEFINED (message->data, message->length);
_ghash_update (&gcm_key, &state, message->length / GCM_BLOCK_SIZE, message->data);
+ VALGRIND_MAKE_MEM_DEFINED (&state, sizeof(state));
+ VALGRIND_MAKE_MEM_DEFINED (message->data, message->length);
if (!MEMEQ(GCM_BLOCK_SIZE, state.b, digest->data))
{
fprintf (stderr, "gcm_hash (internal) failed\n");
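Review bot: The new comment names the wrong macro: it says `Use VALGRIND_MAKE_MEM_DEFINED to mark inputs as "undefined"`, while the code that does the marking calls `VALGRIND_MAKE_MEM_UNDEFINED`; it should read `/* Use VALGRIND_MAKE_MEM_UNDEFINED to mark inputs as "undefined", so that valgrind warns about any branch or memory address depending on secret data. */`. It is also worth stating in that comment what the check does and does not cover: memcheck only reports conditional jumps and addresses computed from undefined bits, on the code paths these test vectors exercise, and says nothing about operand-dependent instruction timing, so a silent run is evidence rather than proof of constant-time behaviour. Note that gcm_key is derived from the undefined key block and is never re-marked defined, which is presumably intended (it is secret), but any later use of it in this function would need the same treatment as state; the function's body continues past the hunk.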