From 146ef8875cca02cc78437a877c15032761b59d52 Mon Sep 17 00:00:00 2001
From: Loup Vaillant
Date: Tue, 3 Dec 2019 23:31:03 +0100
Subject: [PATCH] Fixed unwiped buffer in SHA-512

---
 src/optional/ed25519.c | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/src/optional/ed25519.c b/src/optional/ed25519.c
index d19eede..dd9a5cd 100644
--- a/src/optional/ed25519.c
+++ b/src/optional/ed25519.c
@@ -72,21 +72,33 @@ static const u64 K[80] = {
 static void sha512_compress(crypto_sha512_ctx *ctx)
 {
-    u64 w[80];
-    FOR(i, 0, 16) { w[i] = ctx->input[i]; }
-    FOR(i, 16, 80) { w[i] = (lit_sigma1(w[i- 2]) + w[i- 7] +
-                             lit_sigma0(w[i-15]) + w[i-16]); }
-
     u64 a = ctx->hash[0];    u64 b = ctx->hash[1];
     u64 c = ctx->hash[2];    u64 d = ctx->hash[3];
     u64 e = ctx->hash[4];    u64 f = ctx->hash[5];
     u64 g = ctx->hash[6];    u64 h = ctx->hash[7];
-    FOR(i, 0, 80) {
-        u64 t1 = big_sigma1(e) + ch (e, f, g) + h + K[i] + w[i];
+
+    FOR (j, 0, 16) {
+        u64 in = K[j] + ctx->input[j];
+        u64 t1 = big_sigma1(e) + ch (e, f, g) + h + in;
         u64 t2 = big_sigma0(a) + maj(a, b, c);
         h = g;  g = f;  f = e;  e = d + t1;
         d = c;  c = b;  b = a;  a = t1 + t2;
     }
+    size_t i16 = 0;
+    FOR(i, 1, 5) {
+        i16 += 16;
+        FOR (j, 0, 16) {
+            ctx->input[j] += lit_sigma1(ctx->input[(j- 2) & 15]);
+            ctx->input[j] += lit_sigma0(ctx->input[(j-15) & 15]);
+            ctx->input[j] += ctx->input[(j- 7) & 15];
+            u64 in = K[i16 + j] + ctx->input[j];
+            u64 t1 = big_sigma1(e) + ch (e, f, g) + h + in;
+            u64 t2 = big_sigma0(a) + maj(a, b, c);
+            h = g;  g = f;  f = e;  e = d + t1;
+            d = c;  c = b;  b = a;  a = t1 + t2;
+        }
+    }
+
     ctx->hash[0] += a;    ctx->hash[1] += b;
     ctx->hash[2] += c;    ctx->hash[3] += d;
     ctx->hash[4] += e;    ctx->hash[5] += f;
-- 
2.47.3
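Review bot: The in-place schedule (the three `ctx->input[j] += …` lines) means `ctx->input` no longer holds the message block when sha512_compress returns but the last sixteen schedule words W[64..79], which are just as input-derived as the removed `w[80]` was; the context wipe that finalization presumably performs must therefore cover `input`, and the hunk should say so, e.g. `/* ctx->input doubles as the 16-word schedule ring; on return it holds W[64..79] and must be wiped with the context. */` above `size_t i16 = 0;`. The `(j- 2) & 15`, `(j-15) & 15` and `(j- 7) & 15` indices are correct only because `j` wraps modulo 2^64 before the mask, which requires an unsigned loop variable — `FOR` is not visible here, so a one-line comment `/* j is unsigned: (j-15) & 15 == (j+1) % 16 */` would protect the trick against a later change to the macro. The working variables a–h, `in`, t1 and t2 still leave input-derived residue on exit (likely registers, but that is the compiler's choice); the commit message could state that only the 640-byte stack buffer is addressed. sha512_compress ends outside the hunk.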