
Commit d1d5113

committed
Avoid calling keccak_absorb with partial lanes
Signed-off-by: Brendan Moran <[email protected]>
1 parent a7c9c15 commit d1d5113

1 file changed

+46
-8
lines changed

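--- a/mldsa/sign.c
+++ b/mldsa/sign.c
@@ -208,6 +208,44 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk)
 return result;
 }
 
+static void shake256_absorb_with_residual(
+keccak_state *state, const uint8_t *in, size_t inlen,
+uint8_t *residual, size_t *pos)
+__contract__(
+requires(0 <= *pos && pos <= 8)
+requires(memory_no_alias(state, sizeof(uint64_t) * MLD_KECCAK_LANES))
+requires(in == NULL || memory_no_alias(in, inlen))
+requires(memory_no_alias(residual, 8))
+assigns(memory_slice(state, sizeof(uint64_t) * MLD_KECCAK_LANES))
+assigns(memory_slice(residual, 8))
+assigns(*pos)
+)
+{
+size_t nb;
+if(in){
+if (*pos) {
+nb = inlen < 8 - *pos ? inlen : 8 - *pos;
+memcpy(residual + *pos, in, nb);
+inlen -= nb;
+in += nb;
+*pos += nb;
+if (*pos == 8) {
+shake256_absorb(state, residual, 8U);
+}
+}
+nb = inlen & ~7UL;
+if (nb) {
+shake256_absorb(state, in, nb);
+in += nb;
+inlen -= nb;
+}
+if (inlen) {
+memcpy(residual, in, inlen);
+*pos = inlen;
+}
+}
+}
+
 /*************************************************
 * Name: mld_H
 *
@@ -243,21 +281,21 @@ __contract__(
 )
 {
 keccak_state state;
+uint8_t buf[8];
+size_t pos=0;
 shake256_init(&state);
-shake256_absorb(&state, in1, in1len);
-if (in2 != NULL)
-{
-shake256_absorb(&state, in2, in2len);
-}
-if (in3 != NULL)
-{
-shake256_absorb(&state, in3, in3len);
+shake256_absorb_with_residual(&state, in1, in1len, buf, &pos);
+shake256_absorb_with_residual(&state, in2, in2len, buf, &pos);
+shake256_absorb_with_residual(&state, in3, in3len, buf, &pos);
+if(pos) {
+shake256_absorb(&state, buf, pos);
 }
 shake256_finalize(&state);
 shake256_squeeze(out, outlen, &state);
 
 /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
 mld_zeroize(&state, sizeof(state));
+mld_zeroize(&buf, sizeof(buf));
 }
 
 /* Reference: The reference implementation does not explicitly */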
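Review bot: In shake256_absorb_with_residual, `*pos` is never reset after the full residual lane is absorbed under `if (*pos == 8)`, so when no input bytes remain after topping up the lane (for example a 3-byte in1 followed by a 5-byte in2) `*pos` stays at 8 and the same eight bytes are absorbed a second time — by the `if (*pos)` branch of the next call and again by the final `if(pos)` flush in mld_H — which yields a wrong digest for that input split. The fix is one line, `*pos = 0;` placed directly after `shake256_absorb(state, residual, 8U);`. The contract line `requires(0 <= *pos && pos <= 8)` compares the pointer rather than the count and should read `requires(*pos <= 8)`. The mask in `nb = inlen & ~7UL;` is only width-correct where unsigned long is as wide as size_t; `inlen & ~(size_t)7` avoids silently dropping high bits of inlen on LLP64 targets.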
