Fix memory leak in Kyber

2020-02-16 14:55:19 -05:00 · 2020-02-16 14:55:19 -05:00 · 833a9d5129
--- a/crypto_kem/kyber1024-90s/clean/indcpa.c
+++ b/crypto_kem/kyber1024-90s/clean/indcpa.c
@ -167,9 +167,9 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
                xof_squeezeblocks(buf, 1, &state);
                ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES);
            }
+            xof_ctx_release(&state);
        }
    }
-    xof_ctx_release(&state);
 }

 /*************************************************
--- a/crypto_kem/kyber1024/avx2/symmetric.h
+++ b/crypto_kem/kyber1024/avx2/symmetric.h
@ -17,7 +17,7 @@ void PQCLEAN_KYBER1024_AVX2_shake256_prf(uint8_t *output, size_t outlen, const u
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER1024_AVX2_kyber_shake128_absorb(STATE, IN, X, Y)
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER1024_AVX2_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
 #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)

--- a/crypto_kem/kyber1024/clean/indcpa.c
+++ b/crypto_kem/kyber1024/clean/indcpa.c
@ -167,9 +167,9 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
                xof_squeezeblocks(buf, 1, &state);
                ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES);
            }
+            xof_ctx_release(&state);
        }
    }
-    xof_ctx_release(&state);
 }

 /*************************************************
--- a/crypto_kem/kyber1024/clean/symmetric.h
+++ b/crypto_kem/kyber1024/clean/symmetric.h
@ -18,7 +18,7 @@ void PQCLEAN_KYBER1024_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER1024_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y)
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER1024_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER1024_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
 #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)

--- a/crypto_kem/kyber512-90s/clean/indcpa.c
+++ b/crypto_kem/kyber512-90s/clean/indcpa.c
@ -167,9 +167,9 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
                xof_squeezeblocks(buf, 1, &state);
                ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES);
            }
+            xof_ctx_release(&state);
        }
    }
-    xof_ctx_release(&state);
 }

 /*************************************************
--- a/crypto_kem/kyber512/avx2/symmetric.h
+++ b/crypto_kem/kyber512/avx2/symmetric.h
@ -17,7 +17,7 @@ void PQCLEAN_KYBER512_AVX2_shake256_prf(uint8_t *output, size_t outlen, const ui
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER512_AVX2_kyber_shake128_absorb(STATE, IN, X, Y)
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER512_AVX2_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
 #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)

--- a/crypto_kem/kyber512/clean/indcpa.c
+++ b/crypto_kem/kyber512/clean/indcpa.c
@ -167,9 +167,9 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
                xof_squeezeblocks(buf, 1, &state);
                ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES);
            }
+            xof_ctx_release(&state);
        }
    }
-    xof_ctx_release(&state);
 }

 /*************************************************
--- a/crypto_kem/kyber512/clean/symmetric.h
+++ b/crypto_kem/kyber512/clean/symmetric.h
@ -18,7 +18,7 @@ void PQCLEAN_KYBER512_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const u
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER512_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y)
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER512_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER512_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
 #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)

--- a/crypto_kem/kyber768-90s/clean/indcpa.c
+++ b/crypto_kem/kyber768-90s/clean/indcpa.c
@ -167,9 +167,9 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
                xof_squeezeblocks(buf, 1, &state);
                ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES);
            }
+            xof_ctx_release(&state);
        }
    }
-    xof_ctx_release(&state);
 }

 /*************************************************
--- a/crypto_kem/kyber768/avx2/indcpa.c
+++ b/crypto_kem/kyber768/avx2/indcpa.c
@ -213,6 +213,8 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
        ctr0 += rej_uniform_ref(a[2].vec[2].coeffs + ctr0, KYBER_N - ctr0, buf.x[0], bufbytes);
    }

+    xof_ctx_release(&state1x);
+
    PQCLEAN_KYBER768_AVX2_poly_nttunpack(&a[2].vec[2]);
 }

--- a/crypto_kem/kyber768/avx2/symmetric.h
+++ b/crypto_kem/kyber768/avx2/symmetric.h
@ -17,7 +17,7 @@ void PQCLEAN_KYBER768_AVX2_shake256_prf(uint8_t *output, size_t outlen, const ui
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER768_AVX2_kyber_shake128_absorb(STATE, IN, X, Y)
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER768_AVX2_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
 #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)

--- a/crypto_kem/kyber768/clean/indcpa.c
+++ b/crypto_kem/kyber768/clean/indcpa.c
@ -167,9 +167,9 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
                xof_squeezeblocks(buf, 1, &state);
                ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES);
            }
+            xof_ctx_release(&state);
        }
    }
-    xof_ctx_release(&state);
 }

 /*************************************************
--- a/crypto_kem/kyber768/clean/symmetric.h
+++ b/crypto_kem/kyber768/clean/symmetric.h
@ -18,7 +18,7 @@ void PQCLEAN_KYBER768_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const u
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER768_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y)
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER768_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER768_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
 #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)