diff --git a/.gitattributes b/.gitattributes index 811416ff..78b4644b 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,6 +1,6 @@ * text=auto *.[ch] text whitespacestrict *.yaml text whitespacestrict -Makefile text whitespace="tabwidth=4,-tab-in-indent" +Makefile text whitespace="tabwidth=4,-tab-in-indent,indent-with-non-tab" -[attr]whitespacestrict whitespace="trailing-space,indent-with-non-tab,space-before-tab,tabwidth=4" +[attr]whitespacestrict whitespace="trailing-space,tab-in-indent,space-before-tab,tabwidth=4" diff --git a/Makefile b/Makefile index 0e1fbe1f..77c5f790 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # This -Wall was supported by the European Commission through the ERC Starting Grant 805031 (EPOQUE) CFLAGS=-Wall -Wextra -Wpedantic -Werror -std=c99 $(EXTRAFLAGS) -functest: require_scheme $(dir $(SCHEME))test.c $(wildcard $(SCHEME)/clean/*.c) $(wildcard $(SCHEME)/clean/*.h) +bin/functest_$(subst /,_,$(SCHEME)): $(dir $(SCHEME))test.c $(wildcard $(SCHEME)/clean/*.c) $(wildcard $(SCHEME)/clean/*.h) | require_scheme mkdir -p bin $(CC) $(CFLAGS) \ -iquote "./common/" \ @@ -11,6 +11,13 @@ functest: require_scheme $(dir $(SCHEME))test.c $(wildcard $(SCHEME)/clean/*.c) $(SCHEME)/clean/*.c \ $< +.PHONY: functest +functest: bin/functest_$(subst /,_,$(SCHEME)) + +.PHONY: run-functest +run-functest: bin/functest_$(subst /,_,$(SCHEME)) + ./$< + .PHONY: clean clean: rm -rf bin @@ -23,7 +30,7 @@ format: tidy: require_scheme clang-tidy \ $(SCHEME)/clean/*.c \ - crypto_kem/test.c \ + $(SCHEME)/../test.c \ common/*.c \ $(.TIDY_FIX) \ -- -iquote "common/" -iquote "$(SCHEME)/clean" @@ -46,3 +53,22 @@ require_scheme: ifndef SCHEME $(error The SCHEME variable is not set. Example: SCHEME=crypto_kem/kyber768) endif + +.PHONY: build-functests +build-functests: + find crypto_kem/ crypto_sign/ -mindepth 1 -maxdepth 1 -type d -exec make functest SCHEME={} \; + +.PHONY: run-functests +run-functests: + find crypto_kem/ crypto_sign/ -mindepth 1 -maxdepth 1 -type d -exec make run-functest SCHEME={} \; + +.PHONY: test-all +test-all: run-functests + +.PHONY: tidy-all +tidy-all: + find crypto_kem/ crypto_sign/ -mindepth 1 -maxdepth 1 -type d -exec make tidy SCHEME={} \; + +.PHONY: applytidy-all +apply-tidy-all: + find crypto_kem/ crypto_sign/ -mindepth 1 -maxdepth 1 -type d -exec make apply-tidy SCHEME={} \; diff --git a/crypto_kem/test.c b/crypto_kem/test.c index 0848e07a..ccfce3da 100644 --- a/crypto_kem/test.c +++ b/crypto_kem/test.c @@ -50,16 +50,15 @@ static int test_keys(void) { if (memcmp(key_a + 8, key_b + 8, CRYPTO_BYTES) != 0) { printf("ERROR KEYS\n"); - } else if (check_canary(key_a) || - check_canary(key_a + sizeof(key_a) - 8) || - check_canary(key_b) || - check_canary(key_b + sizeof(key_b) - 8) || - check_canary(pk) || check_canary(pk + sizeof(pk) - 8) || - check_canary(sendb) || - check_canary(sendb + sizeof(sendb) - 8) || - check_canary(sk_a) || - check_canary(sk_a + sizeof(sk_a) - 8)) { + return 1; + } + if (check_canary(key_a) || check_canary(key_a + sizeof(key_a) - 8) || + check_canary(key_b) || check_canary(key_b + sizeof(key_b) - 8) || + check_canary(pk) || check_canary(pk + sizeof(pk) - 8) || + check_canary(sendb) || check_canary(sendb + sizeof(sendb) - 8) || + check_canary(sk_a) || check_canary(sk_a + sizeof(sk_a) - 8)) { printf("ERROR canary overwritten\n"); + return 1; } } @@ -88,6 +87,7 @@ static int test_invalid_sk_a(void) { if (!memcmp(key_a, key_b, CRYPTO_BYTES)) { printf("ERROR invalid sk_a\n"); + return 1; } } @@ -119,6 +119,7 @@ static int test_invalid_ciphertext(void) { if (!memcmp(key_a, key_b, CRYPTO_BYTES)) { printf("ERROR invalid ciphertext\n"); + return 1; } } @@ -126,9 +127,13 @@ static int test_invalid_ciphertext(void) { } int main(void) { - test_keys(); - test_invalid_sk_a(); - test_invalid_ciphertext(); + int result = 0; + result += test_keys(); + result += test_invalid_sk_a(); + result += test_invalid_ciphertext(); - return 0; + if (result != 0) { + puts("Errors occurred"); + } + return result; } diff --git a/crypto_sign/dilithium-iii/clean/packing.c b/crypto_sign/dilithium-iii/clean/packing.c index 9a9a68ae..4ff58f16 100644 --- a/crypto_sign/dilithium-iii/clean/packing.c +++ b/crypto_sign/dilithium-iii/clean/packing.c @@ -16,12 +16,14 @@ void pack_pk(unsigned char pk[CRYPTO_PUBLICKEYBYTES], const unsigned char rho[SEEDBYTES], const polyveck *t1) { unsigned int i; - for (i = 0; i < SEEDBYTES; ++i) + for (i = 0; i < SEEDBYTES; ++i) { pk[i] = rho[i]; + } pk += SEEDBYTES; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { polyt1_pack(pk + i * POLT1_SIZE_PACKED, t1->vec + i); + } } /************************************************* @@ -37,12 +39,14 @@ void unpack_pk(unsigned char rho[SEEDBYTES], polyveck *t1, const unsigned char pk[CRYPTO_PUBLICKEYBYTES]) { unsigned int i; - for (i = 0; i < SEEDBYTES; ++i) + for (i = 0; i < SEEDBYTES; ++i) { rho[i] = pk[i]; + } pk += SEEDBYTES; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { polyt1_unpack(t1->vec + i, pk + i * POLT1_SIZE_PACKED); + } } /************************************************* @@ -65,28 +69,34 @@ void pack_sk(unsigned char sk[CRYPTO_SECRETKEYBYTES], const polyveck *s2, const polyveck *t0) { unsigned int i; - for (i = 0; i < SEEDBYTES; ++i) + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = rho[i]; + } sk += SEEDBYTES; - for (i = 0; i < SEEDBYTES; ++i) + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = key[i]; + } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) + for (i = 0; i < CRHBYTES; ++i) { sk[i] = tr[i]; + } sk += CRHBYTES; - for (i = 0; i < L; ++i) + for (i = 0; i < L; ++i) { polyeta_pack(sk + i * POLETA_SIZE_PACKED, s1->vec + i); + } sk += L * POLETA_SIZE_PACKED; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { polyeta_pack(sk + i * POLETA_SIZE_PACKED, s2->vec + i); + } sk += K * POLETA_SIZE_PACKED; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { polyt0_pack(sk + i * POLT0_SIZE_PACKED, t0->vec + i); + } } /************************************************* @@ -107,28 +117,34 @@ void unpack_sk(unsigned char rho[SEEDBYTES], unsigned char key[SEEDBYTES], polyveck *t0, const unsigned char sk[CRYPTO_SECRETKEYBYTES]) { unsigned int i; - for (i = 0; i < SEEDBYTES; ++i) + for (i = 0; i < SEEDBYTES; ++i) { rho[i] = sk[i]; + } sk += SEEDBYTES; - for (i = 0; i < SEEDBYTES; ++i) + for (i = 0; i < SEEDBYTES; ++i) { key[i] = sk[i]; + } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) + for (i = 0; i < CRHBYTES; ++i) { tr[i] = sk[i]; + } sk += CRHBYTES; - for (i = 0; i < L; ++i) + for (i = 0; i < L; ++i) { polyeta_unpack(s1->vec + i, sk + i * POLETA_SIZE_PACKED); + } sk += L * POLETA_SIZE_PACKED; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { polyeta_unpack(s2->vec + i, sk + i * POLETA_SIZE_PACKED); + } sk += K * POLETA_SIZE_PACKED; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { polyt0_unpack(t0->vec + i, sk + i * POLT0_SIZE_PACKED); + } } /************************************************* @@ -146,21 +162,25 @@ void pack_sig(unsigned char sig[CRYPTO_BYTES], const polyvecl *z, unsigned int i, j, k; uint64_t signs, mask; - for (i = 0; i < L; ++i) + for (i = 0; i < L; ++i) { polyz_pack(sig + i * POLZ_SIZE_PACKED, z->vec + i); + } sig += L * POLZ_SIZE_PACKED; /* Encode h */ k = 0; for (i = 0; i < K; ++i) { - for (j = 0; j < N; ++j) - if (h->vec[i].coeffs[j] != 0) + for (j = 0; j < N; ++j) { + if (h->vec[i].coeffs[j] != 0) { sig[k++] = j; + } + } sig[OMEGA + i] = k; } - while (k < OMEGA) + while (k < OMEGA) { sig[k++] = 0; + } sig += OMEGA + K; /* Encode c */ @@ -171,15 +191,17 @@ void pack_sig(unsigned char sig[CRYPTO_BYTES], const polyvecl *z, for (j = 0; j < 8; ++j) { if (c->coeffs[8 * i + j] != 0) { sig[i] |= (1U << j); - if (c->coeffs[8 * i + j] == (Q - 1)) + if (c->coeffs[8 * i + j] == (Q - 1)) { signs |= mask; + } mask <<= 1; } } } sig += N / 8; - for (i = 0; i < 8; ++i) + for (i = 0; i < 8; ++i) { sig[i] = signs >> 8 * i; + } } /************************************************* @@ -200,23 +222,27 @@ int unpack_sig(polyvecl *z, polyveck *h, poly *c, unsigned int i, j, k; uint64_t signs, mask; - for (i = 0; i < L; ++i) + for (i = 0; i < L; ++i) { polyz_unpack(z->vec + i, sig + i * POLZ_SIZE_PACKED); + } sig += L * POLZ_SIZE_PACKED; /* Decode h */ k = 0; for (i = 0; i < K; ++i) { - for (j = 0; j < N; ++j) + for (j = 0; j < N; ++j) { h->vec[i].coeffs[j] = 0; + } - if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) + if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) { return 1; + } for (j = k; j < sig[OMEGA + i]; ++j) { /* Coefficients are ordered for strong unforgeability */ - if (j > k && sig[j] <= sig[j - 1]) + if (j > k && sig[j] <= sig[j - 1]) { return 1; + } h->vec[i].coeffs[sig[j]] = 1; } @@ -224,23 +250,28 @@ int unpack_sig(polyvecl *z, polyveck *h, poly *c, } /* Extra indices are zero for strong unforgeability */ - for (j = k; j < OMEGA; ++j) - if (sig[j]) + for (j = k; j < OMEGA; ++j) { + if (sig[j]) { return 1; + } + } sig += OMEGA + K; /* Decode c */ - for (i = 0; i < N; ++i) + for (i = 0; i < N; ++i) { c->coeffs[i] = 0; + } signs = 0; - for (i = 0; i < 8; ++i) + for (i = 0; i < 8; ++i) { signs |= (uint64_t)sig[N / 8 + i] << 8 * i; + } /* Extra sign bits are zero for strong unforgeability */ - if (signs >> 60) + if (signs >> 60) { return 1; + } mask = 1; for (i = 0; i < N / 8; ++i) { diff --git a/crypto_sign/dilithium-iii/clean/poly.c b/crypto_sign/dilithium-iii/clean/poly.c index 630a5fe9..78b075b0 100644 --- a/crypto_sign/dilithium-iii/clean/poly.c +++ b/crypto_sign/dilithium-iii/clean/poly.c @@ -17,8 +17,9 @@ void poly_reduce(poly *a) { unsigned int i; - for (i = 0; i < N; ++i) + for (i = 0; i < N; ++i) { a->coeffs[i] = reduce32(a->coeffs[i]); + } } /************************************************* @@ -32,8 +33,9 @@ void poly_reduce(poly *a) { void poly_csubq(poly *a) { unsigned int i; - for (i = 0; i < N; ++i) + for (i = 0; i < N; ++i) { a->coeffs[i] = csubq(a->coeffs[i]); + } } /************************************************* @@ -47,8 +49,9 @@ void poly_csubq(poly *a) { void poly_freeze(poly *a) { unsigned int i; - for (i = 0; i < N; ++i) + for (i = 0; i < N; ++i) { a->coeffs[i] = freeze(a->coeffs[i]); + } } /************************************************* @@ -63,8 +66,9 @@ void poly_freeze(poly *a) { void poly_add(poly *c, const poly *a, const poly *b) { unsigned int i; - for (i = 0; i < N; ++i) + for (i = 0; i < N; ++i) { c->coeffs[i] = a->coeffs[i] + b->coeffs[i]; + } } /************************************************* @@ -82,8 +86,9 @@ void poly_add(poly *c, const poly *a, const poly *b) { void poly_sub(poly *c, const poly *a, const poly *b) { unsigned int i; - for (i = 0; i < N; ++i) + for (i = 0; i < N; ++i) { c->coeffs[i] = a->coeffs[i] + 2 * Q - b->coeffs[i]; + } } /************************************************* @@ -97,8 +102,9 @@ void poly_sub(poly *c, const poly *a, const poly *b) { void poly_neg(poly *a) { unsigned int i; - for (i = 0; i < N; ++i) + for (i = 0; i < N; ++i) { a->coeffs[i] = Q - a->coeffs[i]; + } } /************************************************* @@ -113,8 +119,9 @@ void poly_neg(poly *a) { void poly_shiftl(poly *a, unsigned int k) { unsigned int i; - for (i = 0; i < N; ++i) + for (i = 0; i < N; ++i) { a->coeffs[i] <<= k; + } } /************************************************* @@ -156,8 +163,9 @@ void poly_invntt_montgomery(poly *a) { void poly_pointwise_invmontgomery(poly *c, const poly *a, const poly *b) { unsigned int i; - for (i = 0; i < N; ++i) + for (i = 0; i < N; ++i) { c->coeffs[i] = montgomery_reduce((uint64_t)a->coeffs[i] * b->coeffs[i]); + } } /************************************************* @@ -176,8 +184,9 @@ void poly_pointwise_invmontgomery(poly *c, const poly *a, const poly *b) { void poly_power2round(poly *a1, poly *a0, const poly *a) { unsigned int i; - for (i = 0; i < N; ++i) + for (i = 0; i < N; ++i) { a1->coeffs[i] = power2round(a->coeffs[i], a0->coeffs + i); + } } /************************************************* @@ -197,8 +206,9 @@ void poly_power2round(poly *a1, poly *a0, const poly *a) { void poly_decompose(poly *a1, poly *a0, const poly *a) { unsigned int i; - for (i = 0; i < N; ++i) + for (i = 0; i < N; ++i) { a1->coeffs[i] = decompose(a->coeffs[i], a0->coeffs + i); + } } /************************************************* @@ -237,8 +247,9 @@ unsigned int poly_make_hint(poly *h, const poly *a, const poly *b) { void poly_use_hint(poly *a, const poly *b, const poly *h) { unsigned int i; - for (i = 0; i < N; ++i) + for (i = 0; i < N; ++i) { a->coeffs[i] = use_hint(b->coeffs[i], h->coeffs[i]); + } } /************************************************* @@ -293,8 +304,9 @@ void poly_uniform(poly *a, const unsigned char *buf) { t |= (uint32_t)buf[pos++] << 16; t &= 0x7FFFFF; - if (t < Q) + if (t < Q) { a->coeffs[ctr++] = t; + } } } @@ -330,10 +342,12 @@ static unsigned int rej_eta(uint32_t *a, unsigned int len, t1 = buf[pos++] >> 4; #endif - if (t0 <= 2 * ETA) + if (t0 <= 2 * ETA) { a[ctr++] = Q + ETA - t0; - if (t1 <= 2 * ETA && ctr < len) + } + if (t1 <= 2 * ETA && ctr < len) { a[ctr++] = Q + ETA - t1; + } } return ctr; } @@ -359,8 +373,9 @@ void poly_uniform_eta(poly *a, const unsigned char seed[SEEDBYTES], unsigned char outbuf[2 * SHAKE256_RATE]; uint64_t state[25]; - for (i = 0; i < SEEDBYTES; ++i) + for (i = 0; i < SEEDBYTES; ++i) { inbuf[i] = seed[i]; + } inbuf[SEEDBYTES] = nonce; shake256_absorb(state, inbuf, SEEDBYTES + 1); @@ -410,10 +425,12 @@ static unsigned int rej_gamma1m1(uint32_t *a, unsigned int len, pos += 5; - if (t0 <= 2 * GAMMA1 - 2) + if (t0 <= 2 * GAMMA1 - 2) { a[ctr++] = Q + GAMMA1 - 1 - t0; - if (t1 <= 2 * GAMMA1 - 2 && ctr < len) + } + if (t1 <= 2 * GAMMA1 - 2 && ctr < len) { a[ctr++] = Q + GAMMA1 - 1 - t1; + } } return ctr; @@ -441,8 +458,9 @@ void poly_uniform_gamma1m1(poly *a, unsigned char outbuf[5 * SHAKE256_RATE]; uint64_t state[25]; - for (i = 0; i < SEEDBYTES + CRHBYTES; ++i) + for (i = 0; i < SEEDBYTES + CRHBYTES; ++i) { inbuf[i] = seed[i]; + } inbuf[SEEDBYTES + CRHBYTES] = nonce & 0xFF; inbuf[SEEDBYTES + CRHBYTES + 1] = nonce >> 8; @@ -761,6 +779,7 @@ void polyz_unpack(poly *r, const unsigned char *a) { void polyw1_pack(unsigned char *r, const poly *a) { unsigned int i; - for (i = 0; i < N / 2; ++i) + for (i = 0; i < N / 2; ++i) { r[i] = a->coeffs[2 * i + 0] | (a->coeffs[2 * i + 1] << 4); + } } diff --git a/crypto_sign/dilithium-iii/clean/polyvec.c b/crypto_sign/dilithium-iii/clean/polyvec.c index 37f75704..70d9d477 100644 --- a/crypto_sign/dilithium-iii/clean/polyvec.c +++ b/crypto_sign/dilithium-iii/clean/polyvec.c @@ -18,8 +18,9 @@ void polyvecl_freeze(polyvecl *v) { unsigned int i; - for (i = 0; i < L; ++i) + for (i = 0; i < L; ++i) { poly_freeze(v->vec + i); + } } /************************************************* @@ -35,8 +36,9 @@ void polyvecl_freeze(polyvecl *v) { void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) { unsigned int i; - for (i = 0; i < L; ++i) + for (i = 0; i < L; ++i) { poly_add(w->vec + i, u->vec + i, v->vec + i); + } } /************************************************* @@ -50,8 +52,9 @@ void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) { void polyvecl_ntt(polyvecl *v) { unsigned int i; - for (i = 0; i < L; ++i) + for (i = 0; i < L; ++i) { poly_ntt(v->vec + i); + } } /************************************************* @@ -96,8 +99,9 @@ int polyvecl_chknorm(const polyvecl *v, uint32_t bound) { unsigned int i; int ret = 0; - for (i = 0; i < L; ++i) + for (i = 0; i < L; ++i) { ret |= poly_chknorm(v->vec + i, bound); + } return ret; } @@ -117,8 +121,9 @@ int polyvecl_chknorm(const polyvecl *v, uint32_t bound) { void polyveck_reduce(polyveck *v) { unsigned int i; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { poly_reduce(v->vec + i); + } } /************************************************* @@ -132,8 +137,9 @@ void polyveck_reduce(polyveck *v) { void polyveck_csubq(polyveck *v) { unsigned int i; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { poly_csubq(v->vec + i); + } } /************************************************* @@ -147,8 +153,9 @@ void polyveck_csubq(polyveck *v) { void polyveck_freeze(polyveck *v) { unsigned int i; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { poly_freeze(v->vec + i); + } } /************************************************* @@ -164,8 +171,9 @@ void polyveck_freeze(polyveck *v) { void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) { unsigned int i; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { poly_add(w->vec + i, u->vec + i, v->vec + i); + } } /************************************************* @@ -183,8 +191,9 @@ void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) { void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) { unsigned int i; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { poly_sub(w->vec + i, u->vec + i, v->vec + i); + } } /************************************************* @@ -199,8 +208,9 @@ void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) { void polyveck_shiftl(polyveck *v, unsigned int k) { unsigned int i; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { poly_shiftl(v->vec + i, k); + } } /************************************************* @@ -214,8 +224,9 @@ void polyveck_shiftl(polyveck *v, unsigned int k) { void polyveck_ntt(polyveck *v) { unsigned int i; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { poly_ntt(v->vec + i); + } } /************************************************* @@ -230,8 +241,9 @@ void polyveck_ntt(polyveck *v) { void polyveck_invntt_montgomery(polyveck *v) { unsigned int i; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { poly_invntt_montgomery(v->vec + i); + } } /************************************************* @@ -250,8 +262,9 @@ int polyveck_chknorm(const polyveck *v, uint32_t bound) { unsigned int i; int ret = 0; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { ret |= poly_chknorm(v->vec + i, bound); + } return ret; } @@ -273,8 +286,9 @@ int polyveck_chknorm(const polyveck *v, uint32_t bound) { void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) { unsigned int i; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { poly_power2round(v1->vec + i, v0->vec + i, v->vec + i); + } } /************************************************* @@ -295,8 +309,9 @@ void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) { void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) { unsigned int i; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { poly_decompose(v1->vec + i, v0->vec + i, v->vec + i); + } } /************************************************* @@ -314,8 +329,9 @@ unsigned int polyveck_make_hint(polyveck *h, const polyveck *u, const polyveck *v) { unsigned int i, s = 0; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { s += poly_make_hint(h->vec + i, u->vec + i, v->vec + i); + } return s; } @@ -333,6 +349,7 @@ unsigned int polyveck_make_hint(polyveck *h, const polyveck *u, void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) { unsigned int i; - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { poly_use_hint(w->vec + i, u->vec + i, h->vec + i); + } } diff --git a/crypto_sign/dilithium-iii/clean/polyvec.h b/crypto_sign/dilithium-iii/clean/polyvec.h index e8c3b43b..45f2987d 100644 --- a/crypto_sign/dilithium-iii/clean/polyvec.h +++ b/crypto_sign/dilithium-iii/clean/polyvec.h @@ -42,6 +42,6 @@ void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v); void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v); unsigned int polyveck_make_hint(polyveck *h, const polyveck *u, const polyveck *v); -void polyveck_use_hint(polyveck *w, const polyveck *v, const polyveck *h); +void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h); #endif diff --git a/crypto_sign/dilithium-iii/clean/rounding.c b/crypto_sign/dilithium-iii/clean/rounding.c index 1dead8b0..3cd4d59e 100644 --- a/crypto_sign/dilithium-iii/clean/rounding.c +++ b/crypto_sign/dilithium-iii/clean/rounding.c @@ -97,12 +97,14 @@ uint32_t use_hint(const uint32_t a, const unsigned int hint) { uint32_t a0, a1; a1 = decompose(a, &a0); - if (hint == 0) + if (hint == 0) { return a1; - else if (a0 > Q) + } + if (a0 > Q) { return (a1 + 1) & 0xF; - else + } else { return (a1 - 1) & 0xF; + } /* If decompose does not divide out ALPHA: if(hint == 0) diff --git a/crypto_sign/dilithium-iii/clean/rounding.h b/crypto_sign/dilithium-iii/clean/rounding.h index 6d3b2960..b621a5dc 100644 --- a/crypto_sign/dilithium-iii/clean/rounding.h +++ b/crypto_sign/dilithium-iii/clean/rounding.h @@ -3,9 +3,9 @@ #include -uint32_t power2round(const uint32_t a, uint32_t *a0); +uint32_t power2round(uint32_t a, uint32_t *a0); uint32_t decompose(uint32_t a, uint32_t *a0); -unsigned int make_hint(const uint32_t a, const uint32_t b); -uint32_t use_hint(const uint32_t a, const unsigned int hint); +unsigned int make_hint(uint32_t a, uint32_t b); +uint32_t use_hint(uint32_t a, unsigned int hint); #endif diff --git a/crypto_sign/dilithium-iii/clean/sign.c b/crypto_sign/dilithium-iii/clean/sign.c index 3db98869..99a5f07e 100644 --- a/crypto_sign/dilithium-iii/clean/sign.c +++ b/crypto_sign/dilithium-iii/clean/sign.c @@ -26,8 +26,9 @@ void expand_mat(polyvecl mat[K], const unsigned char rho[SEEDBYTES]) { * Probability that we need more than 6 blocks: < 2^{-546}. */ unsigned char outbuf[5 * SHAKE128_RATE]; - for (i = 0; i < SEEDBYTES; ++i) + for (i = 0; i < SEEDBYTES; ++i) { inbuf[i] = rho[i]; + } for (i = 0; i < K; ++i) { for (j = 0; j < L; ++j) { @@ -55,23 +56,27 @@ void challenge(poly *c, const unsigned char mu[CRHBYTES], const polyveck *w1) { unsigned char outbuf[SHAKE256_RATE]; uint64_t state[25], signs, mask; - for (i = 0; i < CRHBYTES; ++i) + for (i = 0; i < CRHBYTES; ++i) { inbuf[i] = mu[i]; - for (i = 0; i < K; ++i) + } + for (i = 0; i < K; ++i) { polyw1_pack(inbuf + CRHBYTES + i * POLW1_SIZE_PACKED, w1->vec + i); + } shake256_absorb(state, inbuf, sizeof(inbuf)); shake256_squeezeblocks(outbuf, 1, state); signs = 0; - for (i = 0; i < 8; ++i) + for (i = 0; i < 8; ++i) { signs |= (uint64_t)outbuf[i] << 8 * i; + } pos = 8; mask = 1; - for (i = 0; i < N; ++i) + for (i = 0; i < N; ++i) { c->coeffs[i] = 0; + } for (i = 196; i < 256; ++i) { do { @@ -122,10 +127,12 @@ int crypto_sign_keypair(unsigned char *pk, unsigned char *sk) { expand_mat(mat, rho); /* Sample short vectors s1 and s2 */ - for (i = 0; i < L; ++i) + for (i = 0; i < L; ++i) { poly_uniform_eta(s1.vec + i, rhoprime, nonce++); - for (i = 0; i < K; ++i) + } + for (i = 0; i < K; ++i) { poly_uniform_eta(s2.vec + i, rhoprime, nonce++); + } /* Matrix-vector multiplication */ s1hat = s1; @@ -173,7 +180,7 @@ int crypto_sign(unsigned char *sm, unsigned long long *smlen, unsigned long long i, j; unsigned int n; unsigned char - seedbuf[2 * SEEDBYTES + CRHBYTES]; // TODO: nonce in seedbuf (2x) + seedbuf[2 * SEEDBYTES + CRHBYTES]; // TODO(thom): nonce in seedbuf (2x) unsigned char tr[CRHBYTES]; unsigned char *rho, *key, *mu; uint16_t nonce = 0; @@ -189,10 +196,12 @@ int crypto_sign(unsigned char *sm, unsigned long long *smlen, /* Copy tr and message into the sm buffer, * backwards since m and sm can be equal in SUPERCOP API */ - for (i = 1; i <= mlen; ++i) + for (i = 1; i <= mlen; ++i) { sm[CRYPTO_BYTES + mlen - i] = m[mlen - i]; - for (i = 0; i < CRHBYTES; ++i) + } + for (i = 0; i < CRHBYTES; ++i) { sm[CRYPTO_BYTES - CRHBYTES + i] = tr[i]; + } /* Compute CRH(tr, msg) */ shake256(mu, CRHBYTES, sm + CRYPTO_BYTES - CRHBYTES, CRHBYTES + mlen); @@ -205,8 +214,9 @@ int crypto_sign(unsigned char *sm, unsigned long long *smlen, rej: /* Sample intermediate vector y */ - for (i = 0; i < L; ++i) + for (i = 0; i < L; ++i) { poly_uniform_gamma1m1(y.vec + i, key, nonce++); + } /* Matrix-vector multiplication */ yhat = y; @@ -231,8 +241,9 @@ rej: } polyvecl_add(&z, &z, &y); polyvecl_freeze(&z); - if (polyvecl_chknorm(&z, GAMMA1 - BETA)) + if (polyvecl_chknorm(&z, GAMMA1 - BETA)) { goto rej; + } /* Compute w - cs2, reject if w1 can not be computed from it */ for (i = 0; i < K; ++i) { @@ -243,13 +254,17 @@ rej: polyveck_freeze(&wcs2); polyveck_decompose(&tmp, &wcs20, &wcs2); polyveck_csubq(&wcs20); - if (polyveck_chknorm(&wcs20, GAMMA2 - BETA)) + if (polyveck_chknorm(&wcs20, GAMMA2 - BETA)) { goto rej; + } - for (i = 0; i < K; ++i) - for (j = 0; j < N; ++j) - if (tmp.vec[i].coeffs[j] != w1.vec[i].coeffs[j]) + for (i = 0; i < K; ++i) { + for (j = 0; j < N; ++j) { + if (tmp.vec[i].coeffs[j] != w1.vec[i].coeffs[j]) { goto rej; + } + } + } /* Compute hints for w1 */ for (i = 0; i < K; ++i) { @@ -258,14 +273,16 @@ rej: } polyveck_csubq(&ct0); - if (polyveck_chknorm(&ct0, GAMMA2)) + if (polyveck_chknorm(&ct0, GAMMA2)) { goto rej; + } polyveck_add(&tmp, &wcs2, &ct0); polyveck_csubq(&tmp); n = polyveck_make_hint(&h, &wcs2, &tmp); - if (n > OMEGA) + if (n > OMEGA) { goto rej; + } /* Write signature */ pack_sig(sm, &z, &h, &c); @@ -298,21 +315,26 @@ int crypto_sign_open(unsigned char *m, unsigned long long *mlen, polyvecl mat[K], z; polyveck t1, w1, h, tmp1, tmp2; - if (smlen < CRYPTO_BYTES) + if (smlen < CRYPTO_BYTES) { goto badsig; + } *mlen = smlen - CRYPTO_BYTES; unpack_pk(rho, &t1, pk); - if (unpack_sig(&z, &h, &c, sm)) + if (unpack_sig(&z, &h, &c, sm)) { goto badsig; - if (polyvecl_chknorm(&z, GAMMA1 - BETA)) + } + if (polyvecl_chknorm(&z, GAMMA1 - BETA)) { goto badsig; + } /* Compute CRH(CRH(rho, t1), msg) using m as "playground" buffer */ - if (sm != m) - for (i = 0; i < *mlen; ++i) + if (sm != m) { + for (i = 0; i < *mlen; ++i) { m[CRYPTO_BYTES + i] = sm[CRYPTO_BYTES + i]; + } + } shake256(m + CRYPTO_BYTES - CRHBYTES, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES); shake256(mu, CRHBYTES, m + CRYPTO_BYTES - CRHBYTES, CRHBYTES + *mlen); @@ -320,15 +342,17 @@ int crypto_sign_open(unsigned char *m, unsigned long long *mlen, /* Matrix-vector multiplication; compute Az - c2^dt1 */ expand_mat(mat, rho); polyvecl_ntt(&z); - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { polyvecl_pointwise_acc_invmontgomery(tmp1.vec + i, mat + i, &z); + } chat = c; poly_ntt(&chat); polyveck_shiftl(&t1, D); polyveck_ntt(&t1); - for (i = 0; i < K; ++i) + for (i = 0; i < K; ++i) { poly_pointwise_invmontgomery(tmp2.vec + i, &chat, t1.vec + i); + } polyveck_sub(&tmp1, &tmp1, &tmp2); polyveck_reduce(&tmp1); @@ -340,21 +364,25 @@ int crypto_sign_open(unsigned char *m, unsigned long long *mlen, /* Call random oracle and verify challenge */ challenge(&cp, mu, &w1); - for (i = 0; i < N; ++i) - if (c.coeffs[i] != cp.coeffs[i]) + for (i = 0; i < N; ++i) { + if (c.coeffs[i] != cp.coeffs[i]) { goto badsig; + } + } /* All good, copy msg, return 0 */ - for (i = 0; i < *mlen; ++i) + for (i = 0; i < *mlen; ++i) { m[i] = sm[CRYPTO_BYTES + i]; + } return 0; /* Signature verification failed */ badsig: *mlen = (unsigned long long)-1; - for (i = 0; i < smlen; ++i) + for (i = 0; i < smlen; ++i) { m[i] = 0; + } return -1; } diff --git a/crypto_sign/test.c b/crypto_sign/test.c index 99b5c944..2480bba1 100644 --- a/crypto_sign/test.c +++ b/crypto_sign/test.c @@ -13,11 +13,11 @@ static void write_canary(unsigned char *d) { *((uint64_t *)d) = 0x0123456789ABCDEF; } -static int check_canary(unsigned char *d) { - if (*(uint64_t *)d != 0x0123456789ABCDEF) +static int check_canary(const unsigned char *d) { + if (*(uint64_t *)d != 0x0123456789ABCDEF) { return -1; - else - return 0; + } + return 0; } static int test_sign(void) { unsigned char pk[CRYPTO_PUBLICKEYBYTES + 16]; @@ -48,11 +48,14 @@ static int test_sign(void) { // twice if (crypto_sign_open(sm + 8, &mlen, sm + 8, smlen, pk + 8)) { printf("ERROR Signature did not verify correctly!\n"); - } else if (check_canary(pk) || check_canary(pk + sizeof(pk) - 8) || - check_canary(sk) || check_canary(sk + sizeof(sk) - 8) || - check_canary(sm) || check_canary(sm + sizeof(sm) - 8) || - check_canary(m) || check_canary(m + sizeof(m) - 8)) { + return 1; + } + if (check_canary(pk) || check_canary(pk + sizeof(pk) - 8) || + check_canary(sk) || check_canary(sk + sizeof(sk) - 8) || + check_canary(sm) || check_canary(sm + sizeof(sm) - 8) || + check_canary(m) || check_canary(m + sizeof(m) - 8)) { printf("ERROR canary overwritten\n"); + return 1; } } @@ -84,6 +87,7 @@ static int test_wrong_pk(void) { if (!crypto_sign_open(sm, &mlen, sm, smlen, pk2)) { printf("ERROR Signature did verify correctly under wrong public " "key!\n"); + return 1; } } @@ -91,8 +95,9 @@ static int test_wrong_pk(void) { } int main(void) { - test_sign(); - test_wrong_pk(); + int result = 0; + result += test_sign(); + result += test_wrong_pk(); - return 0; + return result; }