ensure sike doest use uinitialized reads

3 years ago · 7ba897ed4d
--- a/src/kem/sike/p434/fpx.c
+++ b/src/kem/sike/p434/fpx.c
@@ -190,7 +190,7 @@ void sike_from_mont(const felm_t ma, felm_t c)
 // Inputs: a = a0+a1*i, where a0, a1 are in [0, 2*p-1]
 // Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1]
 void sike_fp2sqr_mont(const f2elm_t a, f2elm_t c) {
    felm_t t1, t2, t3;
    felm_t t1 = {0}, t2 = {0}, t3 = {0};
    mp_addfast(a->c0, a->c1, t1);                      // t1 = a0+a1
    sike_fpsub(a->c0, a->c1, t2);                      // t2 = a0-a1
@@ -247,7 +247,7 @@ void sike_fpcorrection(felm_t a) {
 // Inputs: a = a0+a1*i and b = b0+b1*i, where a0, a1, b0, b1 are in [0, 2*p-1]
 // Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1]
 void sike_fp2mul_mont(const f2elm_t a, const f2elm_t b, f2elm_t c) {
    felm_t t1, t2;
    felm_t t1 = {0}, t2 = {0};
    dfelm_t tt1, tt2, tt3;
    crypto_word_t mask;
@@ -270,7 +270,7 @@ void sike_fp2mul_mont(const f2elm_t a, const f2elm_t b, f2elm_t c) {
 // GF(p^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2).
 void sike_fp2inv_mont(f2elm_t a) {
    f2elm_t t1;
    f2elm_t t1 = {0};
    fpsqr_mont(a->c0, t1->c0);                         // t10 = a0^2
    fpsqr_mont(a->c1, t1->c1);                         // t11 = a1^2
--- a/src/kem/sike/p434/isogeny.c
+++ b/src/kem/sike/p434/isogeny.c
@@ -13,7 +13,7 @@ static void xDBL(const point_proj_t P, point_proj_t Q, const f2elm_t A24plus, co
 { // Doubling of a Montgomery point in projective coordinates (X:Z).
  // Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants A+2C and 4C.
  // Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2).
    f2elm_t t0, t1;
    f2elm_t t0 = {0}, t1 = {0};
    sike_fp2sub(P->X, P->Z, t0);                         // t0 = X1-Z1
    sike_fp2add(P->X, P->Z, t1);                         // t1 = X1+Z1
@@ -60,7 +60,7 @@ void eval_4_isog(point_proj_t P, f2elm_t* coeff)
  // by the 3 coefficients in coeff (computed in the function get_4_isog()).
  // Inputs: the coefficients defining the isogeny, and the projective point P = (X:Z).
  // Output: the projective point P = phi(P) = (X:Z) in the codomain.
    f2elm_t t0, t1;
    f2elm_t t0 = {0}, t1 = {0};
    sike_fp2add(P->X, P->Z, t0);                         // t0 = X+Z
    sike_fp2sub(P->X, P->Z, t1);                         // t1 = X-Z
@@ -123,7 +123,7 @@ void get_3_isog(const point_proj_t P, f2elm_t A24minus, f2elm_t A24plus, f2elm_t
 { // Computes the corresponding 3-isogeny of a projective Montgomery point (X3:Z3) of order 3.
  // Input:  projective point of order three P = (X3:Z3).
  // Output: the 3-isogenous Montgomery curve with projective coefficient A/C.
    f2elm_t t0, t1, t2, t3, t4;
    f2elm_t t0 = {0}, t1 = {0}, t2 = {0}, t3 = {0}, t4 = {0};
    sike_fp2sub(P->X, P->Z, coeff[0]);                   // coeff0 = X-Z
    sike_fp2sqr_mont(coeff[0], t0);                      // t0 = (X-Z)^2
@@ -189,7 +189,7 @@ void get_A(const f2elm_t xP, const f2elm_t xQ, const f2elm_t xR, f2elm_t A)
 { // Given the x-coordinates of P, Q, and R, returns the value A corresponding to the Montgomery curve E_A: y^2=x^3+A*x^2+x such that R=Q-P on E_A.
  // Input:  the x-coordinates xP, xQ, and xR of the points P, Q and R.
  // Output: the coefficient A corresponding to the curve E_A: y^2=x^3+A*x^2+x.
    f2elm_t t0, t1, one = F2ELM_INIT;
    f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT, one = F2ELM_INIT;
    extern const struct params_t params;
    sike_fpcopy(params.mont_one, one->c0);
@@ -213,7 +213,7 @@ void j_inv(const f2elm_t A, const f2elm_t C, f2elm_t jinv)
 { // Computes the j-invariant of a Montgomery curve with projective constant.
  // Input: A,C in GF(p^2).
  // Output: j=256*(A^2-3*C^2)^3/(C^4*(A^2-4*C^2)), which is the j-invariant of the Montgomery curve B*y^2=x^3+(A/C)*x^2+x or (equivalently) j-invariant of B'*y^2=C*x^3+A*x^2+C*x.
    f2elm_t t0, t1;
    f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT;
    sike_fp2sqr_mont(A, jinv);                           // jinv = A^2
    sike_fp2sqr_mont(C, t1);                             // t1 = C^2
@@ -238,7 +238,7 @@ void xDBLADD(point_proj_t P, point_proj_t Q, const f2elm_t xPQ, const f2elm_t A2
 { // Simultaneous doubling and differential addition.
  // Input: projective Montgomery points P=(XP:ZP) and Q=(XQ:ZQ) such that xP=XP/ZP and xQ=XQ/ZQ, affine difference xPQ=x(P-Q) and Montgomery curve constant A24=(A+2)/4.
  // Output: projective Montgomery points P <- 2*P = (X2P:Z2P) such that x(2P)=X2P/Z2P, and Q <- P+Q = (XQP:ZQP) such that = x(Q+P)=XQP/ZQP.
    f2elm_t t0, t1, t2;
    f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT, t2 = F2ELM_INIT;
    sike_fp2add(P->X, P->Z, t0);                         // t0 = XP+ZP
    sike_fp2sub(P->X, P->Z, t1);                         // t1 = XP-ZP
--- a/src/kem/sike/p434/sike.c
+++ b/src/kem/sike/p434/sike.c
@@ -136,11 +136,11 @@ static void gen_iso_A(const uint8_t* skA, uint8_t* pkA)
    point_proj_t phiP = POINT_PROJ_INIT;
    point_proj_t phiQ = POINT_PROJ_INIT;
    point_proj_t phiR = POINT_PROJ_INIT;
    f2elm_t XPA, XQA, XRA, coeff[3];
    f2elm_t XPA, XQA, XRA, coeff[3] = {0};
    f2elm_t A24plus = F2ELM_INIT;
    f2elm_t C24 = F2ELM_INIT;
    f2elm_t A = F2ELM_INIT;
    unsigned int m, index = 0, pts_index[MAX_INT_POINTS_ALICE], npts = 0, ii = 0;
    unsigned int m, index = 0, pts_index[MAX_INT_POINTS_ALICE] = {0}, npts = 0, ii = 0;
    // Initialize basis points
    sike_init_basis(params.A_gen, XPA, XQA, XRA);
@@ -211,11 +211,11 @@ static void gen_iso_B(const uint8_t* skB, uint8_t* pkB)
    point_proj_t phiP = POINT_PROJ_INIT;
    point_proj_t phiQ = POINT_PROJ_INIT;
    point_proj_t phiR = POINT_PROJ_INIT;
    f2elm_t XPB, XQB, XRB, coeff[3];
    f2elm_t XPB, XQB, XRB, coeff[3] = {0};
    f2elm_t A24plus = F2ELM_INIT;
    f2elm_t A24minus = F2ELM_INIT;
    f2elm_t A = F2ELM_INIT;
    unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0;
    unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB] = {0}, npts = 0, ii = 0;
    // Initialize basis points
    sike_init_basis(params.B_gen, XPB, XQB, XRB);
@@ -342,12 +342,12 @@ static void ex_iso_A(const uint8_t* skA, const uint8_t* pkB, uint8_t* ssA)
 // Output: a shared secret ssB that consists of one element in GF(p503^2) encoded in 126 bytes.
 static void ex_iso_B(const uint8_t* skB, const uint8_t* pkA, uint8_t* ssB)
 {
    point_proj_t R, pts[MAX_INT_POINTS_BOB];
    f2elm_t coeff[3], PKB[3], jinv;
    point_proj_t R, pts[MAX_INT_POINTS_BOB] = {0};
    f2elm_t coeff[3] = {0}, PKB[3] = {0}, jinv;
    f2elm_t A24plus = F2ELM_INIT;
    f2elm_t A24minus = F2ELM_INIT;
    f2elm_t A = F2ELM_INIT;
    unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0;
    unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB] = {0}, npts = 0, ii = 0;
    // Initialize images of Alice's basis
    fp2_decode(pkA, PKB[0]);
@@ -412,7 +412,7 @@ void SIKE_encaps(uint8_t out_shared_key[SIKE_SS_BYTESZ],
  // secret data. It's size must be maximum of 64,
  // SIKE_MSG_BYTESZ and SIDH_PRV_A_BITSZ in bytes.
  uint8_t secret[32]; // OZAPTF, why?
  uint8_t j[SIDH_JINV_BYTESZ];
  uint8_t j[SIDH_JINV_BYTESZ] = {0};
  uint8_t temp[SIKE_MSG_BYTESZ + SIKE_CT_BYTESZ];
  shake256incctx ctx;
@@ -460,9 +460,9 @@ void SIKE_decaps(uint8_t out_shared_key[SIKE_SS_BYTESZ],
  // secret data. It's size must be maximum of 64,
  // SIKE_MSG_BYTESZ and SIDH_PRV_A_BITSZ in bytes.
  uint8_t secret[32];
  uint8_t j[SIDH_JINV_BYTESZ];
  uint8_t c0[SIKE_PUB_BYTESZ];
  uint8_t temp[SIKE_MSG_BYTESZ];
  uint8_t j[SIDH_JINV_BYTESZ] = {0};
  uint8_t c0[SIKE_PUB_BYTESZ] = {0};
  uint8_t temp[SIKE_MSG_BYTESZ] = {0};
  shake256incctx ctx;
  // Recover m