Fixes #96
The function blake2b_set_input() was reading uninitialised memory.
While this didn't matter in practice (most platforms don't have trap
representations for unsigned integers), it is undefined behaviour under
the C and C++ standards. To fix it, we reset the whole input buffer
before setting its first byte.
The fix introduces a conditional, but that conditional only depends
on an index, which itself depends on the size of the input, which is not
secret. We're still "constant time" with respect to secrets.
static void blake2b_set_input(crypto_blake2b_ctx *ctx, u8 input, size_t index)
{
+ if (index == 0) {
+ FOR (i, 0, 16) {
+ ctx->input[i] = 0;
+ }
+ }
size_t word = index >> 3;
size_t byte = index & 7;
- ctx->input[word] &= ~((u64)0xff << (byte << 3));
- ctx->input[word] |= (u64)input << (byte << 3);
+ ctx->input[word] |= (u64)input << (byte << 3);
+
}
static void blake2b_end_block(crypto_blake2b_ctx *ctx)
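Review bot: dropping the clearing mask (the removed line `ctx->input[word] &= ~((u64)0xff << (byte << 3));`) makes the bare `|=` correct only if every byte slot of `ctx->input` is written at most once per block and index 0 is always set before any other index of that block; if any caller can write the same position twice, or begin a block at a nonzero index, stale bits survive the OR. Please state that invariant in a comment at the `if (index == 0)` reset, since the zeroing there (16 u64 words, one 128-byte block) is now what guarantees the slots are clear. The added `+` blank line just before the closing brace is a stray trailing blank and should be removed.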