diff --git a/.clang-tidy b/.clang-tidy new file mode 100644 index 00000000..281d9e58 --- /dev/null +++ b/.clang-tidy 
@@ -0,0 +1,295 @@ +--- +Checks: 'clang-diagnostic-*,clang-analyzer-*,clang-diagnostic-*,clang-analyzer-*,*,-hicpp-signed-bitwise,-llvm-header-guard,-hicpp-function-*,-readability-function-size' +WarningsAsErrors: '*' +HeaderFilterRegex: '.*' +AnalyzeTemporaryDtors: false +FormatStyle: file +User: thom +CheckOptions: + - key: abseil-string-find-startswith.AbseilStringsMatchHeader + value: absl/strings/match.h + - key: abseil-string-find-startswith.IncludeStyle + value: llvm + - key: abseil-string-find-startswith.StringLikeClasses + value: '::std::basic_string' + - key: bugprone-argument-comment.StrictMode + value: '0' + - key: bugprone-assert-side-effect.AssertMacros + value: assert + - key: bugprone-assert-side-effect.CheckFunctionCalls + value: '0' + - key: bugprone-dangling-handle.HandleClasses + value: 'std::basic_string_view;std::experimental::basic_string_view' + - key: bugprone-exception-escape.FunctionsThatShouldNotThrow + value: '' + - key: bugprone-exception-escape.IgnoredExceptions + value: '' + - key: bugprone-misplaced-widening-cast.CheckImplicitCasts + value: '0' + - key: bugprone-sizeof-expression.WarnOnSizeOfCompareToConstant + value: '1' + - key: bugprone-sizeof-expression.WarnOnSizeOfConstant + value: '1' + - key: bugprone-sizeof-expression.WarnOnSizeOfIntegerExpression + value: '0' + - key: bugprone-sizeof-expression.WarnOnSizeOfThis + value: '1' + - key: bugprone-string-constructor.LargeLengthThreshold + value: '8388608' + - key: bugprone-string-constructor.WarnOnLargeLength + value: '1' + - key: bugprone-suspicious-enum-usage.StrictMode + value: '0' + - key: bugprone-suspicious-missing-comma.MaxConcatenatedTokens + value: '5' + - key: bugprone-suspicious-missing-comma.RatioThreshold + value: '0.200000' + - key: bugprone-suspicious-missing-comma.SizeThreshold + value: '5' + - key: bugprone-suspicious-string-compare.StringCompareLikeFunctions + value: '' + - key: bugprone-suspicious-string-compare.WarnOnImplicitComparison + value: '1' + - key: 
bugprone-suspicious-string-compare.WarnOnLogicalNotComparison + value: '0' + - key: bugprone-unused-return-value.CheckedFunctions + value: '::std::async;::std::launder;::std::remove;::std::remove_if;::std::unique;::std::unique_ptr::release;::std::basic_string::empty;::std::vector::empty' + - key: cert-dcl59-cpp.HeaderFileExtensions + value: ',h,hh,hpp,hxx' + - key: cert-err09-cpp.CheckThrowTemporaries + value: '1' + - key: cert-err61-cpp.CheckThrowTemporaries + value: '1' + - key: cert-msc32-c.DisallowedSeedTypes + value: 'time_t,std::time_t' + - key: cert-msc51-cpp.DisallowedSeedTypes + value: 'time_t,std::time_t' + - key: cert-oop11-cpp.IncludeStyle + value: llvm + - key: cppcoreguidelines-no-malloc.Allocations + value: '::malloc;::calloc' + - key: cppcoreguidelines-no-malloc.Deallocations + value: '::free' + - key: cppcoreguidelines-no-malloc.Reallocations + value: '::realloc' + - key: cppcoreguidelines-owning-memory.LegacyResourceConsumers + value: '::free;::realloc;::freopen;::fclose' + - key: cppcoreguidelines-owning-memory.LegacyResourceProducers + value: '::malloc;::aligned_alloc;::realloc;::calloc;::fopen;::freopen;::tmpfile' + - key: cppcoreguidelines-pro-bounds-constant-array-index.GslHeader + value: '' + - key: cppcoreguidelines-pro-bounds-constant-array-index.IncludeStyle + value: '0' + - key: cppcoreguidelines-pro-type-member-init.IgnoreArrays + value: '0' + - key: cppcoreguidelines-special-member-functions.AllowMissingMoveFunctions + value: '0' + - key: cppcoreguidelines-special-member-functions.AllowSoleDefaultDtor + value: '0' + - key: fuchsia-header-anon-namespaces.HeaderFileExtensions + value: ',h,hh,hpp,hxx' + - key: fuchsia-restrict-system-includes.Includes + value: '*' + - key: google-build-namespaces.HeaderFileExtensions + value: ',h,hh,hpp,hxx' + - key: google-global-names-in-headers.HeaderFileExtensions + value: ',h,hh,hpp,hxx' + - key: google-readability-braces-around-statements.ShortStatementLines + value: '1' + - key: 
google-readability-function-size.BranchThreshold + value: '4294967295' + - key: google-readability-function-size.LineThreshold + value: '4294967295' + - key: google-readability-function-size.NestingThreshold + value: '4294967295' + - key: google-readability-function-size.ParameterThreshold + value: '4294967295' + - key: google-readability-function-size.StatementThreshold + value: '1000' + - key: google-readability-function-size.VariableThreshold + value: '4294967295' + - key: google-readability-namespace-comments.ShortNamespaceLines + value: '10' + - key: google-readability-namespace-comments.SpacesBeforeComments + value: '2' + - key: google-runtime-int.SignedTypePrefix + value: int + - key: google-runtime-int.TypeSuffix + value: '' + - key: google-runtime-int.UnsignedTypePrefix + value: uint + - key: google-runtime-references.WhiteListTypes + value: '' + - key: hicpp-braces-around-statements.ShortStatementLines + value: '0' + - key: hicpp-member-init.IgnoreArrays + value: '0' + - key: hicpp-move-const-arg.CheckTriviallyCopyableMove + value: '1' + - key: hicpp-multiway-paths-covered.WarnOnMissingElse + value: '0' + - key: hicpp-named-parameter.IgnoreFailedSplit + value: '0' + - key: hicpp-no-malloc.Allocations + value: '::malloc;::calloc' + - key: hicpp-no-malloc.Deallocations + value: '::free' + - key: hicpp-no-malloc.Reallocations + value: '::realloc' + - key: hicpp-special-member-functions.AllowMissingMoveFunctions + value: '0' + - key: hicpp-special-member-functions.AllowSoleDefaultDtor + value: '0' + - key: hicpp-use-auto.MinTypeNameLength + value: '5' + - key: hicpp-use-auto.RemoveStars + value: '0' + - key: hicpp-use-emplace.ContainersWithPushBack + value: '::std::vector;::std::list;::std::deque' + - key: hicpp-use-emplace.SmartPointers + value: '::std::shared_ptr;::std::unique_ptr;::std::auto_ptr;::std::weak_ptr' + - key: hicpp-use-emplace.TupleMakeFunctions + value: '::std::make_pair;::std::make_tuple' + - key: hicpp-use-emplace.TupleTypes + value: 
'::std::pair;::std::tuple' + - key: hicpp-use-equals-default.IgnoreMacros + value: '1' + - key: hicpp-use-noexcept.ReplacementString + value: '' + - key: hicpp-use-noexcept.UseNoexceptFalse + value: '1' + - key: hicpp-use-nullptr.NullMacros + value: '' + - key: llvm-namespace-comment.ShortNamespaceLines + value: '1' + - key: llvm-namespace-comment.SpacesBeforeComments + value: '1' + - key: misc-definitions-in-headers.HeaderFileExtensions + value: ',h,hh,hpp,hxx' + - key: misc-definitions-in-headers.UseHeaderFileExtension + value: '1' + - key: misc-throw-by-value-catch-by-reference.CheckThrowTemporaries + value: '1' + - key: misc-unused-parameters.StrictMode + value: '0' + - key: modernize-loop-convert.MaxCopySize + value: '16' + - key: modernize-loop-convert.MinConfidence + value: reasonable + - key: modernize-loop-convert.NamingStyle + value: CamelCase + - key: modernize-make-shared.IgnoreMacros + value: '1' + - key: modernize-make-shared.IncludeStyle + value: '0' + - key: modernize-make-shared.MakeSmartPtrFunction + value: 'std::make_shared' + - key: modernize-make-shared.MakeSmartPtrFunctionHeader + value: memory + - key: modernize-make-unique.IgnoreMacros + value: '1' + - key: modernize-make-unique.IncludeStyle + value: '0' + - key: modernize-make-unique.MakeSmartPtrFunction + value: 'std::make_unique' + - key: modernize-make-unique.MakeSmartPtrFunctionHeader + value: memory + - key: modernize-pass-by-value.IncludeStyle + value: llvm + - key: modernize-pass-by-value.ValuesOnly + value: '0' + - key: modernize-raw-string-literal.ReplaceShorterLiterals + value: '0' + - key: modernize-replace-auto-ptr.IncludeStyle + value: llvm + - key: modernize-replace-random-shuffle.IncludeStyle + value: llvm + - key: modernize-use-auto.MinTypeNameLength + value: '5' + - key: modernize-use-auto.RemoveStars + value: '0' + - key: modernize-use-default-member-init.IgnoreMacros + value: '1' + - key: modernize-use-default-member-init.UseAssignment + value: '0' + - key: 
modernize-use-emplace.ContainersWithPushBack + value: '::std::vector;::std::list;::std::deque' + - key: modernize-use-emplace.SmartPointers + value: '::std::shared_ptr;::std::unique_ptr;::std::auto_ptr;::std::weak_ptr' + - key: modernize-use-emplace.TupleMakeFunctions + value: '::std::make_pair;::std::make_tuple' + - key: modernize-use-emplace.TupleTypes + value: '::std::pair;::std::tuple' + - key: modernize-use-equals-default.IgnoreMacros + value: '1' + - key: modernize-use-noexcept.ReplacementString + value: '' + - key: modernize-use-noexcept.UseNoexceptFalse + value: '1' + - key: modernize-use-nullptr.NullMacros + value: 'NULL' + - key: modernize-use-transparent-functors.SafeMode + value: '0' + - key: modernize-use-using.IgnoreMacros + value: '1' + - key: objc-forbidden-subclassing.ForbiddenSuperClassNames + value: 'ABNewPersonViewController;ABPeoplePickerNavigationController;ABPersonViewController;ABUnknownPersonViewController;NSHashTable;NSMapTable;NSPointerArray;NSPointerFunctions;NSTimer;UIActionSheet;UIAlertView;UIImagePickerController;UITextInputMode;UIWebView' + - key: objc-property-declaration.Acronyms + value: '' + - key: objc-property-declaration.IncludeDefaultAcronyms + value: '1' + - key: performance-faster-string-find.StringLikeClasses + value: 'std::basic_string' + - key: performance-for-range-copy.WarnOnAllAutoCopies + value: '0' + - key: performance-inefficient-string-concatenation.StrictMode + value: '0' + - key: performance-inefficient-vector-operation.VectorLikeClasses + value: '::std::vector' + - key: performance-move-const-arg.CheckTriviallyCopyableMove + value: '1' + - key: performance-move-constructor-init.IncludeStyle + value: llvm + - key: performance-type-promotion-in-math-fn.IncludeStyle + value: llvm + - key: performance-unnecessary-value-param.IncludeStyle + value: llvm + - key: portability-simd-intrinsics.Std + value: '' + - key: portability-simd-intrinsics.Suggest + value: '0' + - key: 
readability-braces-around-statements.ShortStatementLines + value: '0' + - key: readability-function-size.BranchThreshold + value: '4294967295' + - key: readability-function-size.LineThreshold + value: '4294967295' + - key: readability-function-size.NestingThreshold + value: '4294967295' + - key: readability-function-size.ParameterThreshold + value: '4294967295' + - key: readability-function-size.StatementThreshold + value: '800' + - key: readability-function-size.VariableThreshold + value: '4294967295' + - key: readability-identifier-naming.IgnoreFailedSplit + value: '0' + - key: readability-implicit-bool-conversion.AllowIntegerConditions + value: '0' + - key: readability-implicit-bool-conversion.AllowPointerConditions + value: '0' + - key: readability-inconsistent-declaration-parameter-name.IgnoreMacros + value: '1' + - key: readability-inconsistent-declaration-parameter-name.Strict + value: '0' + - key: readability-simplify-boolean-expr.ChainedConditionalAssignment + value: '0' + - key: readability-simplify-boolean-expr.ChainedConditionalReturn + value: '0' + - key: readability-simplify-subscript-expr.Types + value: '::std::basic_string;::std::basic_string_view;::std::vector;::std::array' + - key: readability-static-accessed-through-instance.NameSpecifierNestingThreshold + value: '3' + - key: zircon-temporary-objects.Names + value: '' +... diff --git a/Makefile b/Makefile index 4aedc3e6..0e1fbe1f 100644 --- a/Makefile +++ b/Makefile 
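Review bot: The `Checks` line at the top of the new file lists `clang-diagnostic-*,clang-analyzer-*` twice and then `*`, so the first four entries are redundant and `*` switches on every group — `objc-*`, `fuchsia-*`, `abseil-*`, `zircon-*` included — for a C99 code base, all promoted to errors by `WarningsAsErrors: '*'`. The `User: thom` line and the ~290 `CheckOptions` entries are what `clang-tidy --dump-config` emits as defaults, not deliberate settings, which makes it impossible to tell which options were chosen on purpose. I would write the list explicitly, e.g. `Checks: 'clang-diagnostic-*,clang-analyzer-*,bugprone-*,cert-*,misc-*,readability-*,-hicpp-signed-bitwise,-llvm-header-guard,-readability-function-size'`, keep only the options that differ from the defaults, and drop `User:`. Among the kept options the ones that matter for this code are `cppcoreguidelines-no-malloc`/`hicpp-no-malloc` (no heap in the constant-time paths); `fuchsia-restrict-system-includes.Includes: '*'` is a permissive default and can go.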
@@ -1,27 +1,48 @@ - -# assumes a SCHEME variable; e.g. make functest_kem SCHEME=crypto_kem/kyber768 -ifndef SCHEME - # TODO make this more granular, i.e. make clean should not require SCHEME -$(error SCHEME variable is not set) -endif - # This -Wall was supported by the European Commission through the ERC Starting Grant 805031 (EPOQUE) -CFLAGS=-Wall -Wextra -Wpedantic -Werror -std=c99 +CFLAGS=-Wall -Wextra -Wpedantic -Werror -std=c99 $(EXTRAFLAGS) -functest: $(dir $(SCHEME))test.c $(wildcard $(SCHEME)/clean/*.c) $(wildcard $(SCHEME)/clean/*.h) +functest: require_scheme $(dir $(SCHEME))test.c $(wildcard $(SCHEME)/clean/*.c) $(wildcard $(SCHEME)/clean/*.h) mkdir -p bin - $(CC) $(CFLAGS)\ - -I"./common/"\ - -I"$(SCHEME)/clean/"\ - -o bin/functest_$(subst /,_,$(SCHEME))\ - common/*.c\ - $(SCHEME)/clean/*.c\ + $(CC) $(CFLAGS) \ + -iquote "./common/" \ + -iquote "$(SCHEME)/clean/" \ + -o bin/functest_$(subst /,_,$(SCHEME)) \ + common/*.c \ + $(SCHEME)/clean/*.c \ $< .PHONY: clean - clean: rm -rf bin +.PHONY: format format: find . -iname *.h -o -iname *.c | xargs clang-format -i -style=file + +.PHONY: tidy +tidy: require_scheme + clang-tidy \ + $(SCHEME)/clean/*.c \ + crypto_kem/test.c \ + common/*.c \ + $(.TIDY_FIX) \ + -- -iquote "common/" -iquote "$(SCHEME)/clean" + +.PHONY: fix-tidy +apply-tidy: | $(eval .TIDY_FIX = -fix) tidy + +.PHONY: help +help: + @echo make functest SCHEME=scheme run functional tests for SCHEME + @echo make clean clean up the bin/ folder + @echo make format Automatically formats all the source code + @echo make tidy SCHEME=scheme Runs the clang-tidy linter against SCHEME + @echo make fix-tidy SCHEME=scheme Tries to automatically fix the issues found by clang-tidy in SCHEME + @echo make help Displays this message + +.PHONY: require_scheme +require_scheme: +# assumes a SCHEME variable; e.g. make functest_kem SCHEME=crypto_kem/kyber768 +ifndef SCHEME + $(error The SCHEME variable is not set. Example: SCHEME=crypto_kem/kyber768) +endif 
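Review bot: `help` advertises `make fix-tidy` and the `.PHONY: fix-tidy` line declares that name, but the rule underneath is `apply-tidy:`, so `make fix-tidy` fails with "No rule to make target" and `apply-tidy` is not phony; rename the rule to `fix-tidy: | $(eval .TIDY_FIX = -fix) tidy`, or more plainly `fix-tidy: ; $(MAKE) tidy .TIDY_FIX=-fix`. `tidy` also hard-codes `crypto_kem/test.c` while `functest` derives the harness from `$(dir $(SCHEME))test.c`, so any non-KEM scheme would lint the wrong test file. Because `fix-tidy` rewrites source in place, running it over constant-time code such as `verify.c` should always be followed by a diff review, since mechanical rewrites of comparison/boolean expressions can reintroduce data-dependent branches. The deferred `$(error ...)` in `require_scheme` only fires per-target if that line is a tab-indented recipe line; the indentation is lost here, so confirm `make clean` works without `SCHEME` set.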
diff --git a/common/fips202.c b/common/fips202.c
index fc8f2117..a667be9d 100644
--- a/common/fips202.c
+++ b/common/fips202.c
@@ -10,7 +10,7 @@
 #include
 #define NROUNDS 24
-#define ROL(a, offset) ((a << offset) ^ (a >> (64 - offset)))
+#define ROL(a, offset) (((a) << (offset)) ^ ((a) >> (64 - (offset))))
 /*************************************************
 * Name: load64
@@ -25,8 +25,9 @@ static uint64_t load64(const unsigned char *x) {
 unsigned int i;
 uint64_t r = 0;
- for (i = 0; i < 8; ++i)
+ for (i = 0; i < 8; ++i) {
 r |= (uint64_t)x[i] << 8 * i;
+ }
 return r;
 }
@@ -42,8 +43,9 @@ static uint64_t load64(const unsigned char *x) {
 static void store64(uint8_t *x, uint64_t u) {
 unsigned int i;
- for (i = 0; i < 8; ++i)
+ for (i = 0; i < 8; ++i) {
 x[i] = u >> 8 * i;
+ }
 }
 /* Keccak round constants */
@@ -137,7 +139,7 @@ static void KeccakF1600_StatePermute(uint64_t *state) {
 Asu ^= Du;
 BCu = ROL(Asu, 14);
 Eba = BCa ^ ((~BCe) & BCi);
- Eba ^= (uint64_t)KeccakF_RoundConstants[round];
+ Eba ^= KeccakF_RoundConstants[round];
 Ebe = BCe ^ ((~BCi) & BCo);
 Ebi = BCi ^ ((~BCo) & BCu);
 Ebo = BCo ^ ((~BCu) & BCa);
@@ -232,7 +234,7 @@ static void KeccakF1600_StatePermute(uint64_t *state) {
 Esu ^= Du;
 BCu = ROL(Esu, 14);
 Aba = BCa ^ ((~BCe) & BCi);
- Aba ^= (uint64_t)KeccakF_RoundConstants[round + 1];
+ Aba ^= KeccakF_RoundConstants[round + 1];
 Abe = BCe ^ ((~BCi) & BCo);
 Abi = BCi ^ ((~BCo) & BCu);
 Abo = BCo ^ ((~BCu) & BCa);
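Review bot: `store64`'s `x[i] = u >> 8 * i;` narrows a `uint64_t` into a `uint8_t` implicitly; with the new `WarningsAsErrors: '*'` configuration that is exactly what the narrowing-conversion checks report, and the intent is only visible with the cast spelled out: `x[i] = (uint8_t)(u >> (8 * i));`. The `ROL` macro is now safely parenthesised, but shifting by `offset` of 0 or 64 is still undefined behaviour; every use visible here passes an in-range literal (e.g. `ROL(Asu, 14)`), so a one-line contract `/* offset must be in 1..63 */` next to the macro would make that explicit. Dropping the `(uint64_t)` casts on `KeccakF_RoundConstants[round]` is harmless only if the table is declared as `uint64_t`; its declaration is outside this hunk, so please confirm.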
@@ -350,26 +352,31 @@ static void keccak_absorb(uint64_t *s, unsigned int r, const unsigned char *m,
 unsigned char t[200];
 /* Zero state */
- for (i = 0; i < 25; ++i)
+ for (i = 0; i < 25; ++i) {
 s[i] = 0;
+ }
 while (mlen >= r) {
- for (i = 0; i < r / 8; ++i)
+ for (i = 0; i < r / 8; ++i) {
 s[i] ^= load64(m + 8 * i);
+ }
 KeccakF1600_StatePermute(s);
 mlen -= r;
 m += r;
 }
- for (i = 0; i < r; ++i)
+ for (i = 0; i < r; ++i) {
 t[i] = 0;
- for (i = 0; i < mlen; ++i)
+ }
+ for (i = 0; i < mlen; ++i) {
 t[i] = m[i];
+ }
 t[i] = p;
 t[r - 1] |= 128;
- for (i = 0; i < r / 8; ++i)
+ for (i = 0; i < r / 8; ++i) {
 s[i] ^= load64(t + 8 * i);
+ }
 }
 /*************************************************
@@ -490,8 +497,9 @@ void shake128(unsigned char *output, unsigned long long outlen,
 if (outlen) {
 shake128_squeezeblocks(t, 1, s);
- for (i = 0; i < outlen; ++i)
+ for (i = 0; i < outlen; ++i) {
 output[i] = t[i];
+ }
 }
 }
@@ -520,8 +528,9 @@ void shake256(unsigned char *output, unsigned long long outlen,
 if (outlen) {
 shake256_squeezeblocks(t, 1, s);
- for (i = 0; i < outlen; ++i)
+ for (i = 0; i < outlen; ++i) {
 output[i] = t[i];
+ }
 }
 }
@@ -546,8 +555,9 @@ void sha3_256(unsigned char *output, const unsigned char *input,
 /* Squeeze output */
 keccak_squeezeblocks(t, 1, s, SHA3_256_RATE);
- for (i = 0; i < 32; i++)
+ for (i = 0; i < 32; i++) {
 output[i] = t[i];
+ }
 }
 /*************************************************
@@ -571,6 +581,7 @@ void sha3_512(unsigned char *output, const unsigned char *input,
 /* Squeeze output */
 keccak_squeezeblocks(t, 1, s, SHA3_512_RATE);
- for (i = 0; i < 64; i++)
+ for (i = 0; i < 64; i++) {
 output[i] = t[i];
+ }
 }
diff --git a/common/notrandombytes.c b/common/notrandombytes.c
index fe2ae5ca..fd5b90a8 100644
--- a/common/notrandombytes.c
+++ b/common/notrandombytes.c
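Review bot: `keccak_absorb` stages the final partial block of its input in the stack array `unsigned char t[200]` and never clears it, and the callers elsewhere in this commit push secret material through this path (`poly_getnoise` hashes a copy of the noise seed with `shake256`, `crypto_kem_dec` hashes `buf` holding the decrypted message with `sha3_512`), so up to `r` bytes of secret input survive on the stack after the call. Since the buffer is fixed-size the wipe is cheap: after the last absorb loop add `for (i = 0; i < r; ++i) { ((volatile unsigned char *)t)[i] = 0; }` (a plain `memset` before return may be optimised away). The same applies to the `t[]` output staging buffers in `shake128`/`shake256`/`sha3_256`/`sha3_512`, whose declarations sit above these hunks. This predates the commit, but the brace-adding pass is the moment these loops are being touched; `keccak_absorb`'s signature line is outside the hunk.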
@@ -27,10 +27,12 @@ static void surf(void) {
 int32_t i;
 int32_t loop;
- for (i = 0; i < 12; ++i)
+ for (i = 0; i < 12; ++i) {
 t[i] = in[i] ^ seed[12 + i];
- for (i = 0; i < 8; ++i)
+ }
+ for (i = 0; i < 8; ++i) {
 out[i] = seed[24 + i];
+ }
 x = t[11];
 for (loop = 0; loop < 2; ++loop) {
 for (r = 0; r < 16; ++r) {
@@ -48,18 +50,22 @@ static void surf(void) {
 MUSH(10, 9)
 MUSH(11, 13)
 }
- for (i = 0; i < 8; ++i)
+ for (i = 0; i < 8; ++i) {
 out[i] ^= t[i + 4];
+ }
 }
 }
 void randombytes(uint8_t *x, uint64_t xlen) {
 while (xlen > 0) {
 if (!outleft) {
- if (!++in[0])
- if (!++in[1])
- if (!++in[2])
+ if (!++in[0]) {
+ if (!++in[1]) {
+ if (!++in[2]) {
 ++in[3];
+ }
+ }
+ }
 surf();
 outleft = 8;
 }
diff --git a/common/randombytes.h b/common/randombytes.h
index da3d394e..f99d033e 100644
--- a/common/randombytes.h
+++ b/common/randombytes.h
@@ -1,6 +1,6 @@
-#include
 #ifndef RANDOMBYTES_H
 #define RANDOMBYTES_H
+#include
 void randombytes(uint8_t *x, uint64_t xlen);
diff --git a/common/sha2.c b/common/sha2.c
index 9e2d5d36..d158062a 100644
--- a/common/sha2.c
+++ b/common/sha2.c
@@ -34,14 +34,14 @@ static void store_bigendian(unsigned char *x, uint64 u) {
 #define SHR(x, c) ((x) >> (c))
 #define ROTR(x, c) (((x) >> (c)) | ((x) << (64 - (c))))
-#define Ch(x, y, z) ((x & y) ^ (~x & z))
-#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
+#define Ch(x, y, z) (((x) & (y)) ^ (~(x) & (z)))
+#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
 #define Sigma0(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
 #define Sigma1(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
 #define sigma0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
 #define sigma1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
-#define M(w0, w14, w9, w1) w0 = sigma1(w14) + w9 + sigma0(w1) + w0;
+#define M(w0, w14, w9, w1) w0 = sigma1(w14) + (w9) + sigma0(w1) + (w0);
 #define EXPAND \
 M(w0, w14, w9, w1) \
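Review bot: `randombytes` in `notrandombytes.c` is a deterministic generator — `surf` mixes a static `seed` array with the counter `in[]` that the newly braced `if (!++in[0])` chain advances — yet nothing in or around the function says so, and the `functest` rule in this same commit compiles `common/*.c` wholesale, so the only thing separating a test build from a production build is the file name. Add a header comment above `void randombytes(uint8_t *x, uint64_t xlen)`, e.g. `/* DETERMINISTIC, test-only: fixed seed plus a sequential counter. Never link this into anything that generates real keys. */`, and consider listing `notrandombytes.c` explicitly in the Makefile instead of reaching it through the glob. The `randombytes.h` change that moves the `#include` inside the guard is fine. `surf`'s signature and the `seed`/`in`/`outleft` declarations are outside the hunk.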
@@ -62,7 +62,7 @@ static void store_bigendian(unsigned char *x, uint64 u) {
 M(w15, w13, w8, w0)
 #define F(w, k) \
- T1 = h + Sigma1(e) + Ch(e, f, g) + k + w; \
+ T1 = h + Sigma1(e) + Ch(e, f, g) + (k) + (w); \
 T2 = Sigma0(a) + Maj(a, b, c); \
 h = g; \
 g = f; \
@@ -275,21 +275,24 @@ int sha384(unsigned char *out, const unsigned char *in,
 unsigned int i;
 unsigned long long bytes = inlen;
- for (i = 0; i < 64; ++i)
+ for (i = 0; i < 64; ++i) {
 h[i] = iv_384[i];
+ }
 blocks(h, in, inlen);
 in += inlen;
 inlen &= 127;
 in -= inlen;
- for (i = 0; i < inlen; ++i)
+ for (i = 0; i < inlen; ++i) {
 padded[i] = in[i];
+ }
 padded[inlen] = 0x80;
 if (inlen < 112) {
- for (i = inlen + 1; i < 119; ++i)
+ for (i = inlen + 1; i < 119; ++i) {
 padded[i] = 0;
+ }
 padded[119] = bytes >> 61;
 padded[120] = bytes >> 53;
 padded[121] = bytes >> 45;
@@ -301,8 +304,9 @@ int sha384(unsigned char *out, const unsigned char *in,
 padded[127] = bytes << 3;
 blocks(h, padded, 128);
 } else {
- for (i = inlen + 1; i < 247; ++i)
+ for (i = inlen + 1; i < 247; ++i) {
 padded[i] = 0;
+ }
 padded[247] = bytes >> 61;
 padded[248] = bytes >> 53;
 padded[249] = bytes >> 45;
@@ -315,8 +319,9 @@ int sha384(unsigned char *out, const unsigned char *in,
 blocks(h, padded, 256);
 }
- for (i = 0; i < 48; ++i)
+ for (i = 0; i < 48; ++i) {
 out[i] = h[i];
+ }
 return 0;
 }
@@ -328,21 +333,24 @@ int sha512(unsigned char *out, const unsigned char *in,
 unsigned int i;
 unsigned long long bytes = inlen;
- for (i = 0; i < 64; ++i)
+ for (i = 0; i < 64; ++i) {
 h[i] = iv_512[i];
+ }
 blocks(h, in, inlen);
 in += inlen;
 inlen &= 127;
 in -= inlen;
- for (i = 0; i < inlen; ++i)
+ for (i = 0; i < inlen; ++i) {
 padded[i] = in[i];
+ }
 padded[inlen] = 0x80;
 if (inlen < 112) {
- for (i = inlen + 1; i < 119; ++i)
+ for (i = inlen + 1; i < 119; ++i) {
 padded[i] = 0;
+ }
 padded[119] = bytes >> 61;
 padded[120] = bytes >> 53;
 padded[121] = bytes >> 45;
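Review bot: The `sha384` and `sha512` bodies in these hunks are line-for-line identical apart from the IV table (`iv_384` vs `iv_512`) and the number of output bytes copied (48 vs 64), so the padding logic — `inlen &= 127`, the `112` boundary, the `bytes >> 61 … bytes << 3` length encoding — is maintained twice and any fix has to land in two places. Factor it into a single `static int sha512_core(unsigned char *out, unsigned int outlen, const unsigned char *iv, const unsigned char *in, unsigned long long inlen)` and have both public functions call it with their IV and length. Separately, `return 0;` is the only return statement, so the `int` result carries no information; document that it is always 0 or make the functions `void` like `sha3_256`/`sha3_512` in `fips202.c`. Both function signatures begin above these hunks.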
@@ -354,8 +362,9 @@ int sha512(unsigned char *out, const unsigned char *in,
 padded[127] = bytes << 3;
 blocks(h, padded, 128);
 } else {
- for (i = inlen + 1; i < 247; ++i)
+ for (i = inlen + 1; i < 247; ++i) {
 padded[i] = 0;
+ }
 padded[247] = bytes >> 61;
 padded[248] = bytes >> 53;
 padded[249] = bytes >> 45;
@@ -368,8 +377,9 @@ int sha512(unsigned char *out, const unsigned char *in,
 blocks(h, padded, 256);
 }
- for (i = 0; i < 64; ++i)
+ for (i = 0; i < 64; ++i) {
 out[i] = h[i];
+ }
 return 0;
 }
diff --git a/crypto_kem/kyber768/clean/cbd.c b/crypto_kem/kyber768/clean/cbd.c
index 1a99bfd1..7fbe9917 100644
--- a/crypto_kem/kyber768/clean/cbd.c
+++ b/crypto_kem/kyber768/clean/cbd.c
@@ -15,8 +15,9 @@ static uint64_t load_littleendian(const unsigned char *x, int bytes) {
 int i;
 uint64_t r = x[0];
- for (i = 1; i < bytes; i++)
+ for (i = 1; i < bytes; i++) {
 r |= (uint64_t)x[i] << (8 * i);
+ }
 return r;
 }
@@ -62,8 +63,9 @@ void cbd(poly *r, const unsigned char *buf) {
 for (i = 0; i < KYBER_N / 4; i++) {
 t = load_littleendian(buf + 4 * i, 4);
 d = 0;
- for (j = 0; j < 4; j++)
+ for (j = 0; j < 4; j++) {
 d += (t >> j) & 0x11111111;
+ }
 a[0] = d & 0xf;
 b[0] = (d >> 4) & 0xf;
diff --git a/crypto_kem/kyber768/clean/indcpa.c b/crypto_kem/kyber768/clean/indcpa.c
index 874ac1bc..29740271 100644
--- a/crypto_kem/kyber768/clean/indcpa.c
+++ b/crypto_kem/kyber768/clean/indcpa.c
@@ -21,8 +21,9 @@ static void pack_pk(unsigned char *r, const polyvec *pk, const unsigned char *seed) {
 int i;
 polyvec_compress(r, pk);
- for (i = 0; i < KYBER_SYMBYTES; i++)
+ for (i = 0; i < KYBER_SYMBYTES; i++) {
 r[i + KYBER_POLYVECCOMPRESSEDBYTES] = seed[i];
+ }
 }
 /*************************************************
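Review bot: `load_littleendian` in `cbd.c` reads `x[0]` before the loop, so it silently requires `bytes >= 1`, and it takes `int bytes`/`int i` while shifting by `8 * i`, so `bytes > 8` would shift a `uint64_t` out of range; the only caller in this commit, `cbd`, passes `4`, so it works today, but the contract is nowhere stated. Either make it explicit and unsigned — `static uint64_t load_littleendian(const unsigned char *x, unsigned int bytes)` with `/* bytes must be 1..8 */` above it — or start from `r = 0` and loop from `i = 0` so an empty request is harmless. `load_littleendian` is `static` and only reachable from `cbd`; the remainder of `cbd` (the centred-binomial subtraction on `a[]`/`b[]`) lies outside the hunk.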
@@ -43,8 +44,9 @@ static void unpack_pk(polyvec *pk, unsigned char *seed,
 int i;
 polyvec_decompress(pk, packedpk);
- for (i = 0; i < KYBER_SYMBYTES; i++)
+ for (i = 0; i < KYBER_SYMBYTES; i++) {
 seed[i] = packedpk[i + KYBER_POLYVECCOMPRESSEDBYTES];
+ }
 }
 /*************************************************
@@ -136,8 +138,9 @@ void gen_matrix(polyvec *a, const unsigned char *seed,
 uint64_t state[25]; // SHAKE state
 unsigned char extseed[KYBER_SYMBYTES + 2];
- for (i = 0; i < KYBER_SYMBYTES; i++)
+ for (i = 0; i < KYBER_SYMBYTES; i++) {
 extseed[i] = seed[i];
+ }
 for (i = 0; i < KYBER_K; i++) {
 for (j = 0; j < KYBER_K; j++) {
@@ -195,17 +198,20 @@ void indcpa_keypair(unsigned char *pk, unsigned char *sk) {
 gen_a(a, publicseed);
- for (i = 0; i < KYBER_K; i++)
+ for (i = 0; i < KYBER_K; i++) {
 poly_getnoise(skpv.vec + i, noiseseed, nonce++);
+ }
 polyvec_ntt(&skpv);
- for (i = 0; i < KYBER_K; i++)
+ for (i = 0; i < KYBER_K; i++) {
 poly_getnoise(e.vec + i, noiseseed, nonce++);
+ }
 // matrix-vector multiplication
- for (i = 0; i < KYBER_K; i++)
+ for (i = 0; i < KYBER_K; i++) {
 polyvec_pointwise_acc(&pkpv.vec[i], &skpv, a + i);
+ }
 polyvec_invntt(&pkpv);
 polyvec_add(&pkpv, &pkpv, &e);
@@ -246,17 +252,20 @@ void indcpa_enc(unsigned char *c, const unsigned char *m,
 gen_at(at, seed);
- for (i = 0; i < KYBER_K; i++)
+ for (i = 0; i < KYBER_K; i++) {
 poly_getnoise(sp.vec + i, coins, nonce++);
+ }
 polyvec_ntt(&sp);
- for (i = 0; i < KYBER_K; i++)
+ for (i = 0; i < KYBER_K; i++) {
 poly_getnoise(ep.vec + i, coins, nonce++);
+ }
 // matrix-vector multiplication
- for (i = 0; i < KYBER_K; i++)
+ for (i = 0; i < KYBER_K; i++) {
 polyvec_pointwise_acc(&bp.vec[i], &sp, at + i);
+ }
 polyvec_invntt(&bp);
 polyvec_add(&bp, &bp, &ep);
diff --git a/crypto_kem/kyber768/clean/kem.c b/crypto_kem/kyber768/clean/kem.c
index 79d17bf4..898aaf17 100644
--- a/crypto_kem/kyber768/clean/kem.c
+++ b/crypto_kem/kyber768/clean/kem.c
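Review bot: In `indcpa_keypair` and `indcpa_enc` the `nonce++` argument keeps counting across the two separate loops, so the `KYBER_K` secret polynomials get nonces `0..KYBER_K-1` and the `KYBER_K` error polynomials `KYBER_K..2*KYBER_K-1` from the same `noiseseed`/`coins`; that domain separation is what stops two noise vectors derived from one seed from coinciding, and nothing in the code says so. Add a comment before the first loop, e.g. `// nonce is shared by the s and e loops: every poly_getnoise call must use a distinct domain-separation byte`, and note that since `poly_getnoise` takes `unsigned char nonce` the total number of calls per seed (including any later in `indcpa_enc`) must stay below 256. The `nonce` declaration and both function signatures are above these hunks. The byte-copy loops in `unpack_pk` and `gen_matrix` could be `memcpy` if `<string.h>` is already included, which the hunk does not show.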
@@ -21,8 +21,9 @@ int crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
 size_t i;
 indcpa_keypair(pk, sk);
- for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++)
+ for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) {
 sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
+ }
 sha3_256(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
 randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES,
@@ -97,9 +98,10 @@ int crypto_kem_dec(unsigned char *ss, const unsigned char *ct,
 indcpa_dec(buf, ct, sk);
 for (i = 0; i < KYBER_SYMBYTES;
- i++) /* Multitarget countermeasure for coins + contributory KEM */
+ i++) { /* Multitarget countermeasure for coins + contributory KEM */
 buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; /* Save hash by storing H(pk) in sk */
+ }
 sha3_512(kr, buf, 2 * KYBER_SYMBYTES);
 indcpa_enc(cmp, buf, pk,
diff --git a/crypto_kem/kyber768/clean/kex.c b/crypto_kem/kyber768/clean/kex.c
index 3ec2058f..cb02e575 100644
--- a/crypto_kem/kyber768/clean/kex.c
+++ b/crypto_kem/kyber768/clean/kex.c
@@ -18,8 +18,9 @@ void kyber_uake_sharedA(u8 *k, const u8 *recv, const u8 *tk, const u8 *sk) {
 unsigned char buf[2 * KYBER_SYMBYTES];
 int i;
 crypto_kem_dec(buf, recv, sk);
- for (i = 0; i < KYBER_SYMBYTES; i++)
+ for (i = 0; i < KYBER_SYMBYTES; i++) {
 buf[i + KYBER_SYMBYTES] = tk[i];
+ }
 shake256(k, KYBER_SYMBYTES, buf, 2 * KYBER_SYMBYTES);
 }
@@ -43,7 +44,8 @@ void kyber_ake_sharedA(u8 *k, const u8 *recv, const u8 *tk, const u8 *sk,
 int i;
 crypto_kem_dec(buf, recv, sk);
 crypto_kem_dec(buf + KYBER_SYMBYTES, recv + KYBER_CIPHERTEXTBYTES, ska);
- for (i = 0; i < KYBER_SYMBYTES; i++)
+ for (i = 0; i < KYBER_SYMBYTES; i++) {
 buf[i + 2 * KYBER_SYMBYTES] = tk[i];
+ }
 shake256(k, KYBER_SYMBYTES, buf, 3 * KYBER_SYMBYTES);
 }
diff --git a/crypto_kem/kyber768/clean/ntt.c b/crypto_kem/kyber768/clean/ntt.c
index c28f3b13..671801ba 100644
--- a/crypto_kem/kyber768/clean/ntt.c
+++ b/crypto_kem/kyber768/clean/ntt.c
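Review bot: In `kyber_uake_sharedA` and `kyber_ake_sharedA` the `int` returned by `crypto_kem_dec` is discarded on the lines just above the new braces, so if decapsulation can report failure it is silently folded into the derived key `k`; if, as is usual for Kyber, `crypto_kem_dec` always returns 0 and answers a bad ciphertext with a pseudorandom key (implicit rejection), state that with `/* crypto_kem_dec never fails: a bad ciphertext yields a pseudorandom key (implicit rejection) */`, otherwise check the value and refuse to derive `k`. In `crypto_kem_keypair` the copy loop is bounded by `KYBER_INDCPA_PUBLICKEYBYTES` while the `sha3_256` call right after hashes `KYBER_PUBLICKEYBYTES`; the two are presumably equal, but using both names in adjacent statements invites a future mismatch — pick one. In `crypto_kem_dec` the comments wedged into `i++) { /* Multitarget countermeasure … */` and after `i]; /* Save hash … */` would read better as a two-line comment above the loop. Both `crypto_kem_*` signatures start above the hunks.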
@@ -30,10 +30,11 @@ void ntt(uint16_t *p) {
 p[j + (1 << level)] = barrett_reduce(p[j] + 4 * KYBER_Q - t);
- if (level & 1) /* odd level */
+ if (level & 1) { /* odd level */
 p[j] = p[j] + t; /* Omit reduction (be lazy) */
- else
+ } else {
 p[j] = barrett_reduce(p[j] + t);
+ }
 }
 }
 }
@@ -60,10 +61,11 @@ void invntt(uint16_t *a) {
 W = omegas_inv_bitrev_montgomery[jTwiddle++];
 temp = a[j];
- if (level & 1) /* odd level */
+ if (level & 1) { /* odd level */
 a[j] = barrett_reduce((temp + a[j + (1 << level)]));
- else
+ } else {
 a[j] = (temp + a[j + (1 << level)]); /* Omit reduction (be lazy) */
+ }
 t = (W * ((uint32_t)temp + 4 * KYBER_Q - a[j + (1 << level)]));
@@ -72,6 +74,7 @@ void invntt(uint16_t *a) {
 }
 }
- for (j = 0; j < KYBER_N; j++)
+ for (j = 0; j < KYBER_N; j++) {
 a[j] = montgomery_reduce((a[j] * psis_inv_montgomery[j]));
+ }
 }
diff --git a/crypto_kem/kyber768/clean/ntt.h b/crypto_kem/kyber768/clean/ntt.h
index 729dd643..6a11655a 100644
--- a/crypto_kem/kyber768/clean/ntt.h
+++ b/crypto_kem/kyber768/clean/ntt.h
@@ -4,6 +4,6 @@
 #include
 void ntt(uint16_t *poly);
-void invntt(uint16_t *poly);
+void invntt(uint16_t *a);
 #endif
diff --git a/crypto_kem/kyber768/clean/poly.c b/crypto_kem/kyber768/clean/poly.c
index 97f705a5..fa94b54b 100644
--- a/crypto_kem/kyber768/clean/poly.c
+++ b/crypto_kem/kyber768/clean/poly.c
@@ -19,8 +19,9 @@ void poly_compress(unsigned char *r, const poly *a) {
 unsigned int i, j, k = 0;
 for (i = 0; i < KYBER_N; i += 8) {
- for (j = 0; j < 8; j++)
+ for (j = 0; j < 8; j++) {
 t[j] = (((freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7;
+ }
 r[k] = t[0] | (t[1] << 3) | (t[2] << 6);
 r[k + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
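Review bot: The `ntt.h` hunk renames `invntt`'s parameter to `a` to match its definition but leaves `void ntt(uint16_t *poly);`, whose definition — per the hunk header `void ntt(uint16_t *p) {` — calls it `p`, so `readability-inconsistent-declaration-parameter-name`, which the new config turns into an error, will still fire on `ntt`; change the header line to `void ntt(uint16_t *p);`. In the `poly.c` hunk, `t[j] = (((freeze(a->coeffs[i + j]) << 3) + KYBER_Q / 2) / KYBER_Q) & 7;` divides a coefficient that, in encryption, is derived from the message and coins by the non-power-of-two constant `KYBER_Q`; on a compiler/target that emits a real division instruction rather than a multiply-and-shift this runs in data-dependent time, so a comment that `/ KYBER_Q` must compile to a constant-time sequence (or a multiply-based replacement) is warranted. The "lazy" odd-level branches in `ntt`/`invntt` now have braces but the bound they rely on (sums staying below the reduction's input range) is still undocumented; `poly_compress`'s signature and the `t[]` declaration are outside the hunk.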
@@ -66,8 +67,9 @@ void poly_tobytes(unsigned char *r, const poly *a) {
 uint16_t t[8];
 for (i = 0; i < KYBER_N / 8; i++) {
- for (j = 0; j < 8; j++)
+ for (j = 0; j < 8; j++) {
 t[j] = freeze(a->coeffs[8 * i + j]);
+ }
 r[13 * i + 0] = t[0] & 0xff;
 r[13 * i + 1] = (t[0] >> 8) | ((t[1] & 0x07) << 5);
@@ -136,8 +138,9 @@ void poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce) {
 unsigned char extseed[KYBER_SYMBYTES + 1];
 int i;
- for (i = 0; i < KYBER_SYMBYTES; i++)
+ for (i = 0; i < KYBER_SYMBYTES; i++) {
 extseed[i] = seed[i];
+ }
 extseed[KYBER_SYMBYTES] = nonce;
 shake256(buf, KYBER_ETA * KYBER_N / 4, extseed, KYBER_SYMBYTES + 1);
@@ -183,8 +186,9 @@ void poly_invntt(poly *r) {
 **************************************************/
 void poly_add(poly *r, const poly *a, const poly *b) {
 int i;
- for (i = 0; i < KYBER_N; i++)
+ for (i = 0; i < KYBER_N; i++) {
 r->coeffs[i] = barrett_reduce(a->coeffs[i] + b->coeffs[i]);
+ }
 }
 /*************************************************
@@ -198,8 +202,9 @@ void poly_add(poly *r, const poly *a, const poly *b) {
 **************************************************/
 void poly_sub(poly *r, const poly *a, const poly *b) {
 int i;
- for (i = 0; i < KYBER_N; i++)
+ for (i = 0; i < KYBER_N; i++) {
 r->coeffs[i] = barrett_reduce(a->coeffs[i] + 3 * KYBER_Q - b->coeffs[i]);
+ }
 }
 /*************************************************
diff --git a/crypto_kem/kyber768/clean/poly.h b/crypto_kem/kyber768/clean/poly.h
index d5ace7c9..1d9a16df 100644
--- a/crypto_kem/kyber768/clean/poly.h
+++ b/crypto_kem/kyber768/clean/poly.h
@@ -19,7 +19,7 @@ void poly_tobytes(unsigned char *r, const poly *a);
 void poly_frombytes(poly *r, const unsigned char *a);
 void poly_frommsg(poly *r, const unsigned char msg[KYBER_SYMBYTES]);
-void poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *r);
+void poly_tomsg(unsigned char msg[KYBER_SYMBYTES], const poly *a);
 void poly_getnoise(poly *r, const unsigned char *seed, unsigned char nonce);
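Review bot: `poly_sub` computes `barrett_reduce(a->coeffs[i] + 3 * KYBER_Q - b->coeffs[i])`, which only stays non-negative when every coefficient of `b` is below `3 * KYBER_Q`; a larger `b` coefficient makes the promoted `int` negative and it wraps when handed back to the 16-bit reduction, so the bound is a real precondition inherited from the lazy reductions in `ntt.c`, and nothing at this call site states it. Put `/* requires coeffs of b < 3*KYBER_Q so the argument stays non-negative (see lazy reduction in invntt) */` above the loop, and a matching "inputs must be in reduced range" note on `poly_add`. For the `poly.h` hunk, `poly_tomsg`'s definition in `poly.c` is not part of this diff, so confirm its parameter is really named `a`, otherwise the `readability-inconsistent-declaration-parameter-name` error just moves from the header to the source. In `poly_getnoise`, `extseed` holds a copy of the secret seed and `buf` the derived noise bytes; neither is cleared after `shake256`/`cbd`, which is worth a wipe or at least a comment — `buf`'s declaration and the end of the function are outside the hunk.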
diff --git a/crypto_kem/kyber768/clean/polyvec.c b/crypto_kem/kyber768/clean/polyvec.c
index c4cca381..85c97d6f 100644
--- a/crypto_kem/kyber768/clean/polyvec.c
+++ b/crypto_kem/kyber768/clean/polyvec.c
@@ -17,11 +17,12 @@ void polyvec_compress(unsigned char *r, const polyvec *a) {
 uint16_t t[8];
 for (i = 0; i < KYBER_K; i++) {
 for (j = 0; j < KYBER_N / 8; j++) {
- for (k = 0; k < 8; k++)
+ for (k = 0; k < 8; k++) {
 t[k] = ((((uint32_t)freeze(a->vec[i].coeffs[8 * j + k]) << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
+ }
 r[11 * j + 0] = t[0] & 0xff;
 r[11 * j + 1] = (t[0] >> 8) | ((t[1] & 0x1f) << 3);
@@ -109,8 +110,9 @@ void polyvec_decompress(polyvec *r, const unsigned char *a) {
 **************************************************/
 void polyvec_tobytes(unsigned char *r, const polyvec *a) {
 int i;
- for (i = 0; i < KYBER_K; i++)
+ for (i = 0; i < KYBER_K; i++) {
 poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]);
+ }
 }
 /*************************************************
@@ -124,8 +126,9 @@ void polyvec_tobytes(unsigned char *r, const polyvec *a) {
 **************************************************/
 void polyvec_frombytes(polyvec *r, const unsigned char *a) {
 int i;
- for (i = 0; i < KYBER_K; i++)
+ for (i = 0; i < KYBER_K; i++) {
 poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES);
+ }
 }
 /*************************************************
@@ -137,8 +140,9 @@ void polyvec_frombytes(polyvec *r, const unsigned char *a) {
 **************************************************/
 void polyvec_ntt(polyvec *r) {
 int i;
- for (i = 0; i < KYBER_K; i++)
+ for (i = 0; i < KYBER_K; i++) {
 poly_ntt(&r->vec[i]);
+ }
 }
 /*************************************************
@@ -150,8 +154,9 @@ void polyvec_ntt(polyvec *r) {
 **************************************************/
 void polyvec_invntt(polyvec *r) {
 int i;
- for (i = 0; i < KYBER_K; i++)
+ for (i = 0; i < KYBER_K; i++) {
 poly_invntt(&r->vec[i]);
+ }
 }
 /*************************************************
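Review bot: In `polyvec_compress` the store index `r[11 * j + 0]`, `r[11 * j + 1]`, … depends only on `j`, not on the outer `i`, so unless `r` is advanced by `(KYBER_N / 8) * 11` bytes at the end of the `i` loop — that part of the body is outside this hunk — every polynomial overwrites the previous one's output; please confirm the pointer bump exists, and consider indexing as `r[(KYBER_N / 8) * 11 * i + 11 * j + …]` so the function is self-evidently correct without reading to its end. The `/ KYBER_Q` on `(uint32_t)freeze(…) << 11` has the same timing caveat as `poly_compress`: when called from `indcpa_enc` the coefficients derive from the secret coins, so the division must compile to a constant-time multiply-shift rather than a hardware divide; a comment to that effect belongs on the `t[k] = …` line. `polyvec_tobytes`/`polyvec_frombytes` rely on `poly_tobytes` writing exactly `KYBER_POLYBYTES` per polynomial, which the `poly.c` hunk's `r[13 * i + …]` layout suggests but does not prove here.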
@@ -189,6 +194,7 @@ void polyvec_pointwise_acc(poly *r, const polyvec *a, const polyvec *b) {
 **************************************************/
 void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) {
 int i;
- for (i = 0; i < KYBER_K; i++)
+ for (i = 0; i < KYBER_K; i++) {
 poly_add(&r->vec[i], &a->vec[i], &b->vec[i]);
+ }
 }
diff --git a/crypto_kem/kyber768/clean/verify.c b/crypto_kem/kyber768/clean/verify.c
index 9f9a79fb..35ceaa69 100644
--- a/crypto_kem/kyber768/clean/verify.c
+++ b/crypto_kem/kyber768/clean/verify.c
@@ -17,8 +17,9 @@ int verify(const unsigned char *a, const unsigned char *b, size_t len) {
 size_t i;
 r = 0;
- for (i = 0; i < len; i++)
+ for (i = 0; i < len; i++) {
 r |= a[i] ^ b[i];
+ }
 r = (-r) >> 63;
 return r;
@@ -42,6 +43,7 @@ void cmov(unsigned char *r, const unsigned char *x, size_t len,
 size_t i;
 b = -b;
- for (i = 0; i < len; i++)
+ for (i = 0; i < len; i++) {
 r[i] ^= b & (x[i] ^ r[i]);
+ }
 }
diff --git a/crypto_kem/test.c b/crypto_kem/test.c
index 6c49d6f1..8ad727ea 100644
--- a/crypto_kem/test.c
+++ b/crypto_kem/test.c
@@ -12,11 +12,11 @@ static void write_canary(unsigned char *d) {
 *((uint64_t *)d) = 0x0123456789ABCDEF;
 }
-static int check_canary(unsigned char *d) {
- if (*(uint64_t *)d != 0x0123456789ABCDEF)
+static int check_canary(const unsigned char *d) {
+ if (*(uint64_t *)d != 0x0123456789ABCDEF) {
 return -1;
- else
- return 0;
+ }
+ { return 0; }
 }
 static int test_keys(void) {
@@ -48,7 +48,7 @@ static int test_keys(void) {
 // Alice uses Bobs response to get her secret key
 crypto_kem_dec(key_a + 8, sendb + 8, sk_a + 8);
- if (memcmp(key_a + 8, key_b + 8, CRYPTO_BYTES)) {
+ if (memcmp(key_a + 8, key_b + 8, CRYPTO_BYTES) != 0) {
 printf("ERROR KEYS\n");
 } else if (check_canary(key_a) || check_canary(key_a + sizeof(key_a) - 8) || check_canary(key_b) || check_canary(key_b + sizeof(key_b) - 8) ||
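Review bot: `verify` reduces its accumulator with `r = (-r) >> 63;`, which is only a correct "any bit set → 1" step when `r` is a 64-bit unsigned type; `r` is declared above the hunk, so please confirm it is `uint64_t` (a `size_t` on a 32-bit target or an `unsigned` would make the shift undefined or the result always 0). Neither function states that it is deliberately branch-free, and this commit adds `make fix-tidy`, which rewrites source in place; put `/* constant time: must not be replaced by memcmp or an early-exit loop */` above the loop in `verify`, and `/* b is 0 or 1; b = -b turns it into an all-zero / all-one byte mask */` above `b = -b;` in `cmov` (assuming `b` is the `unsigned char` parameter cut off in the hunk header). Both signatures begin outside the hunks.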