From: Loup Vaillant Date: Sat, 16 Jun 2018 09:35:52 +0000 (+0200) Subject: Fixed undefined behaviour in Blake2b X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=9c41ee5360b81b41ffd071d3a9bc7bf6096b73a5;p=Monocypher.git Fixed undefined behaviour in Blake2b Fixes #96 The function blake2b_set_input() was reading uninitialised memory. While this didn't matter in practice (most platforms don't have trap representations for unsigned integers), it is undefined behaviour under the C and C++ standards. To fix it, we reset the whole input buffer before setting its first byte. The fix introduces a conditional, but that conditional only depends on an index, which itself depends on the size of the input, which is not secret. We're still "constant time" with respect to secrets. --- diff --git a/src/monocypher.c b/src/monocypher.c index 2a16008..6231ee2 100644 --- a/src/monocypher.c +++ b/src/monocypher.c @@ -527,10 +527,15 @@ static void blake2b_compress(crypto_blake2b_ctx *ctx, int is_last_block) static void blake2b_set_input(crypto_blake2b_ctx *ctx, u8 input, size_t index) { + if (index == 0) { + FOR (i, 0, 16) { + ctx->input[i] = 0; + } + } size_t word = index >> 3; size_t byte = index & 7; - ctx->input[word] &= ~((u64)0xff << (byte << 3)); - ctx->input[word] |= (u64)input << (byte << 3); + ctx->input[word] |= (u64)input << (byte << 3); + } static void blake2b_end_block(crypto_blake2b_ctx *ctx)
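Review bot: Removing the `&=` mask line (`ctx->input[word] &= ~((u64)0xff << (byte << 3));`) makes the correctness of `blake2b_set_input()` depend on an invariant that the hunk does not state: the first call for each block must have `index == 0`, and every byte position must be written at most once before the next `index == 0` call, otherwise the plain `|=` ORs the new byte onto stale data instead of replacing it. That holds when the caller fills the 128-byte buffer sequentially from 0, but a comment above the function stating this precondition would make the dependency explicit; the alternative of keeping the mask alongside the new zeroing loop costs nothing and stays constant time. The zeroing loop `FOR (i, 0, 16)` also hard-codes the buffer length as 16 words (128 bytes / 8); using a named size or `sizeof(ctx->input) / sizeof(ctx->input[0])` would keep it tied to the declaration. Finally, the hunk appears to add an empty `+` line before the closing brace of the function, which looks like leftover whitespace and can be dropped.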