From 7ba897ed4d48ccd181765840c36201ec9f0c4fb7 Mon Sep 17 00:00:00 2001
From: Kris Kwiatkowski
Date: Wed, 23 Jun 2021 07:46:32 +0100
Subject: [PATCH] ensure sike doest use uinitialized reads
---
 src/kem/sike/p434/fpx.c | 6 +++---
 src/kem/sike/p434/isogeny.c | 12 ++++++------
 src/kem/sike/p434/sike.c | 22 +++++++++++-----------
 3 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/src/kem/sike/p434/fpx.c b/src/kem/sike/p434/fpx.c
index 44c6481c..4eac8be4 100644
--- a/src/kem/sike/p434/fpx.c
+++ b/src/kem/sike/p434/fpx.c
@@ -190,7 +190,7 @@ void sike_from_mont(const felm_t ma, felm_t c)
 // Inputs: a = a0+a1*i, where a0, a1 are in [0, 2*p-1]
 // Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1]
 void sike_fp2sqr_mont(const f2elm_t a, f2elm_t c) {
- felm_t t1, t2, t3;
+ felm_t t1 = {0}, t2 = {0}, t3 = {0};
 mp_addfast(a->c0, a->c1, t1); // t1 = a0+a1
 sike_fpsub(a->c0, a->c1, t2); // t2 = a0-a1
@@ -247,7 +247,7 @@ void sike_fpcorrection(felm_t a) {
 // Inputs: a = a0+a1*i and b = b0+b1*i, where a0, a1, b0, b1 are in [0, 2*p-1]
 // Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1]
 void sike_fp2mul_mont(const f2elm_t a, const f2elm_t b, f2elm_t c) {
- felm_t t1, t2;
+ felm_t t1 = {0}, t2 = {0};
 dfelm_t tt1, tt2, tt3;
 crypto_word_t mask;
@@ -270,7 +270,7 @@ void sike_fp2mul_mont(const f2elm_t a, const f2elm_t b, f2elm_t c) {
 // GF(p^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2).
 void sike_fp2inv_mont(f2elm_t a) {
- f2elm_t t1;
+ f2elm_t t1 = {0};
 fpsqr_mont(a->c0, t1->c0); // t10 = a0^2
 fpsqr_mont(a->c1, t1->c1); // t11 = a1^2
diff --git a/src/kem/sike/p434/isogeny.c b/src/kem/sike/p434/isogeny.c
index 661410e4..acf10518 100644
--- a/src/kem/sike/p434/isogeny.c
+++ b/src/kem/sike/p434/isogeny.c
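Review bot: In sike_fp2mul_mont the new `felm_t t1 = {0}, t2 = {0};` is immediately followed by `dfelm_t tt1, tt2, tt3;` and `crypto_word_t mask;`, which stay uninitialized; if the intent is that no temporary in this function is read before it is written, the double-width products are the larger and more likely candidates, so either they need the same treatment or the commit message should name the read that was actually reported. The same selective pattern appears in sike_fp2sqr_mont and sike_fp2inv_mont on this page. Zeroing temporaries in field-arithmetic hot paths costs a store per word on every call, and if any word really was read before being written the results were wrong rather than merely non-deterministic, so the offending read should be located and fixed at its source instead of masked. A comment on each initialized declaration, e.g. `// Zero-initialized defensively (commit 7ba897e): TODO cite the uninitialized-read report this addresses`, would tell the next reader why the initializer exists. The bodies of all three functions continue outside their hunks.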
@@ -13,7 +13,7 @@ static void xDBL(const point_proj_t P, point_proj_t Q, const f2elm_t A24plus, co
 { // Doubling of a Montgomery point in projective coordinates (X:Z).
 // Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants A+2C and 4C.
 // Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2).
- f2elm_t t0, t1;
+ f2elm_t t0 = {0}, t1 = {0};
 sike_fp2sub(P->X, P->Z, t0); // t0 = X1-Z1
 sike_fp2add(P->X, P->Z, t1); // t1 = X1+Z1
@@ -60,7 +60,7 @@ void eval_4_isog(point_proj_t P, f2elm_t* coeff)
 // by the 3 coefficients in coeff (computed in the function get_4_isog()).
 // Inputs: the coefficients defining the isogeny, and the projective point P = (X:Z).
 // Output: the projective point P = phi(P) = (X:Z) in the codomain.
- f2elm_t t0, t1;
+ f2elm_t t0 = {0}, t1 = {0};
 sike_fp2add(P->X, P->Z, t0); // t0 = X+Z
 sike_fp2sub(P->X, P->Z, t1); // t1 = X-Z
@@ -123,7 +123,7 @@ void get_3_isog(const point_proj_t P, f2elm_t A24minus, f2elm_t A24plus, f2elm_t
 { // Computes the corresponding 3-isogeny of a projective Montgomery point (X3:Z3) of order 3.
 // Input: projective point of order three P = (X3:Z3).
 // Output: the 3-isogenous Montgomery curve with projective coefficient A/C.
- f2elm_t t0, t1, t2, t3, t4;
+ f2elm_t t0 = {0}, t1 = {0}, t2 = {0}, t3 = {0}, t4 = {0};
 sike_fp2sub(P->X, P->Z, coeff[0]); // coeff0 = X-Z
 sike_fp2sqr_mont(coeff[0], t0); // t0 = (X-Z)^2
@@ -189,7 +189,7 @@ void get_A(const f2elm_t xP, const f2elm_t xQ, const f2elm_t xR, f2elm_t A)
 { // Given the x-coordinates of P, Q, and R, returns the value A corresponding to the Montgomery curve E_A: y^2=x^3+A*x^2+x such that R=Q-P on E_A.
 // Input: the x-coordinates xP, xQ, and xR of the points P, Q and R.
 // Output: the coefficient A corresponding to the curve E_A: y^2=x^3+A*x^2+x.
- f2elm_t t0, t1, one = F2ELM_INIT;
+ f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT, one = F2ELM_INIT;
 extern const struct params_t params;
 sike_fpcopy(params.mont_one, one->c0);
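Review bot: The initializer style is inconsistent within isogeny.c: xDBL, eval_4_isog and get_3_isog use `f2elm_t t0 = {0}, t1 = {0};` while get_A here, and j_inv and xDBLADD in the next two hunks, use `F2ELM_INIT`, the macro the file already uses for `one` on the unchanged side of this hunk. Using the file's own macro in the first three hunks as well, e.g. `f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT;`, keeps knowledge of the f2elm_t layout in one place and makes the intent read the same everywhere. `= {0}` on a nested aggregate is valid C but relies on the reader knowing the type's shape. Each function's body continues outside its hunk.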
@@ -213,7 +213,7 @@ void j_inv(const f2elm_t A, const f2elm_t C, f2elm_t jinv)
 { // Computes the j-invariant of a Montgomery curve with projective constant.
 // Input: A,C in GF(p^2).
 // Output: j=256*(A^2-3*C^2)^3/(C^4*(A^2-4*C^2)), which is the j-invariant of the Montgomery curve B*y^2=x^3+(A/C)*x^2+x or (equivalently) j-invariant of B'*y^2=C*x^3+A*x^2+C*x.
- f2elm_t t0, t1;
+ f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT;
 sike_fp2sqr_mont(A, jinv); // jinv = A^2
 sike_fp2sqr_mont(C, t1); // t1 = C^2
@@ -238,7 +238,7 @@ void xDBLADD(point_proj_t P, point_proj_t Q, const f2elm_t xPQ, const f2elm_t A2
 { // Simultaneous doubling and differential addition.
 // Input: projective Montgomery points P=(XP:ZP) and Q=(XQ:ZQ) such that xP=XP/ZP and xQ=XQ/ZQ, affine difference xPQ=x(P-Q) and Montgomery curve constant A24=(A+2)/4.
 // Output: projective Montgomery points P <- 2*P = (X2P:Z2P) such that x(2P)=X2P/Z2P, and Q <- P+Q = (XQP:ZQP) such that = x(Q+P)=XQP/ZQP.
- f2elm_t t0, t1, t2;
+ f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT, t2 = F2ELM_INIT;
 sike_fp2add(P->X, P->Z, t0); // t0 = XP+ZP
 sike_fp2sub(P->X, P->Z, t1); // t1 = XP-ZP
diff --git a/src/kem/sike/p434/sike.c b/src/kem/sike/p434/sike.c
index 5963ac5e..47b194e0 100644
--- a/src/kem/sike/p434/sike.c
+++ b/src/kem/sike/p434/sike.c
@@ -136,11 +136,11 @@ static void gen_iso_A(const uint8_t* skA, uint8_t* pkA)
 point_proj_t phiP = POINT_PROJ_INIT;
 point_proj_t phiQ = POINT_PROJ_INIT;
 point_proj_t phiR = POINT_PROJ_INIT;
- f2elm_t XPA, XQA, XRA, coeff[3];
+ f2elm_t XPA, XQA, XRA, coeff[3] = {0};
 f2elm_t A24plus = F2ELM_INIT;
 f2elm_t C24 = F2ELM_INIT;
 f2elm_t A = F2ELM_INIT;
- unsigned int m, index = 0, pts_index[MAX_INT_POINTS_ALICE], npts = 0, ii = 0;
+ unsigned int m, index = 0, pts_index[MAX_INT_POINTS_ALICE] = {0}, npts = 0, ii = 0;
 // Initialize basis points
 sike_init_basis(params.A_gen, XPA, XQA, XRA);
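Review bot: In gen_iso_A the new `f2elm_t XPA, XQA, XRA, coeff[3] = {0};` initializes only `coeff`; XPA, XQA and XRA stay uninitialized until sike_init_basis writes them two lines later, and `m` in the other changed line also gets no initializer, so the line reads as though the whole declaration were zeroed when it is not. Splitting it into `f2elm_t XPA, XQA, XRA;` and `f2elm_t coeff[3] = {0};` makes the intent explicit and matches the one-declaration-per-line style of `A24plus`, `C24` and `A` directly below. The same mixed declaration appears in gen_iso_B and ex_iso_B in the following hunks. The rest of gen_iso_A is outside the hunk.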
@@ -211,11 +211,11 @@ static void gen_iso_B(const uint8_t* skB, uint8_t* pkB)
 point_proj_t phiP = POINT_PROJ_INIT;
 point_proj_t phiQ = POINT_PROJ_INIT;
 point_proj_t phiR = POINT_PROJ_INIT;
- f2elm_t XPB, XQB, XRB, coeff[3];
+ f2elm_t XPB, XQB, XRB, coeff[3] = {0};
 f2elm_t A24plus = F2ELM_INIT;
 f2elm_t A24minus = F2ELM_INIT;
 f2elm_t A = F2ELM_INIT;
- unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0;
+ unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB] = {0}, npts = 0, ii = 0;
 // Initialize basis points
 sike_init_basis(params.B_gen, XPB, XQB, XRB);
@@ -342,12 +342,12 @@ static void ex_iso_A(const uint8_t* skA, const uint8_t* pkB, uint8_t* ssA)
 // Output: a shared secret ssB that consists of one element in GF(p503^2) encoded in 126 bytes.
 static void ex_iso_B(const uint8_t* skB, const uint8_t* pkA, uint8_t* ssB)
 {
- point_proj_t R, pts[MAX_INT_POINTS_BOB];
- f2elm_t coeff[3], PKB[3], jinv;
+ point_proj_t R, pts[MAX_INT_POINTS_BOB] = {0};
+ f2elm_t coeff[3] = {0}, PKB[3] = {0}, jinv;
 f2elm_t A24plus = F2ELM_INIT;
 f2elm_t A24minus = F2ELM_INIT;
 f2elm_t A = F2ELM_INIT;
- unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0;
+ unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB] = {0}, npts = 0, ii = 0;
 // Initialize images of Alice's basis
 fp2_decode(pkA, PKB[0]);
@@ -412,7 +412,7 @@ void SIKE_encaps(uint8_t out_shared_key[SIKE_SS_BYTESZ],
 // secret data. It's size must be maximum of 64,
 // SIKE_MSG_BYTESZ and SIDH_PRV_A_BITSZ in bytes.
 uint8_t secret[32]; // OZAPTF, why?
- uint8_t j[SIDH_JINV_BYTESZ];
+ uint8_t j[SIDH_JINV_BYTESZ] = {0};
 uint8_t temp[SIKE_MSG_BYTESZ + SIKE_CT_BYTESZ];
 shake256incctx ctx;
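Review bot: ex_iso_B now zero-initializes `pts`, `coeff`, `PKB` and `pts_index`, but its companion ex_iso_A, which the @@ context shows immediately precedes it, receives no change anywhere in this diff (the sike.c diffstat is fully accounted for by the five hunks shown); if ex_iso_A declares the analogous temporaries, its body being outside the hunk, it presumably needs the same treatment, and if not the asymmetry deserves a sentence in the commit message. Within the changed lines `R` and `jinv` are left uninitialized next to the now-initialized arrays, which is worth a short comment if deliberate. The comment above the signature still says the output is "one element in GF(p503^2) encoded in 126 bytes" although this file is the p434 implementation; it looks copied from the p503 code and should name the p434 parameters, presumably `// Output: a shared secret ssB, one element of GF(p^2) encoded in SIDH_JINV_BYTESZ bytes.` given the `j[SIDH_JINV_BYTESZ]` buffers the callers use.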
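Review bot: The context directly above the changed line in SIKE_encaps says `secret` must be at least the maximum of 64, SIKE_MSG_BYTESZ and SIDH_PRV_A_BITSZ bytes, yet it is declared `uint8_t secret[32]; // OZAPTF, why?`; either the comment or the size is wrong, and since this commit is specifically about the state of these stack buffers it is the moment to settle it — if any write into `secret` is sized by that comment the array is too small, and if not the comment is misleading. `secret` and `temp` also stay uninitialized here while `j` receives `= {0}`, and the same applies to `secret` in SIKE_decaps in the next hunk. If 32 is intentional, replace the stale text with `// secret data; 32 bytes suffice because <reason>` and drop the OZAPTF marker. The rest of SIKE_encaps is outside the hunk.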
@@ -460,9 +460,9 @@ void SIKE_decaps(uint8_t out_shared_key[SIKE_SS_BYTESZ],
 // secret data. It's size must be maximum of 64,
 // SIKE_MSG_BYTESZ and SIDH_PRV_A_BITSZ in bytes.
 uint8_t secret[32];
- uint8_t j[SIDH_JINV_BYTESZ];
- uint8_t c0[SIKE_PUB_BYTESZ];
- uint8_t temp[SIKE_MSG_BYTESZ];
+ uint8_t j[SIDH_JINV_BYTESZ] = {0};
+ uint8_t c0[SIKE_PUB_BYTESZ] = {0};
+ uint8_t temp[SIKE_MSG_BYTESZ] = {0};
 shake256incctx ctx;
 // Recover m
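Review bot: `j`, `c0` and `temp` in SIKE_decaps are now zero-initialized, but these buffers presumably hold the recomputed j-invariant, the re-encapsulated public key and the recovered message (the `// Recover m` context), i.e. key-dependent material, and what matters more on the decapsulation path is that they and `secret` are cleared before the function returns; the hunk does not show whether that happens, as the function's tail is outside it. If no explicit clear exists, a wipe the compiler cannot elide (explicit_bzero, memset_s, or the project's own cleanse helper) on `secret`, `j`, `c0` and `temp` at every exit would be the substantive hardening, since a plain memset before return is liable to be optimized away. `secret[32]` is also the only buffer in this block still left without an initializer.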