Fix integer overflows (fixes #105)

XKCP · Oct 20, 2022 · fdc6fef · fdc6fef
1 parent fc23735
commit fdc6fef
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 12 deletions.
diff --git a/lib/high/Keccak/KeccakDuplex.inc b/lib/high/Keccak/KeccakDuplex.inc
@@ -58,6 +58,8 @@ int Duplexing(DuplexInstance *instance, const unsigned char *sigmaBegin, unsigne
 
     if (delimitedSigmaEnd == 0)
         return 1;
+    if (sigmaBeginByteLen > rho_max/8)
+        return 1;
     if ((instance->byteInputIndex+sigmaBeginByteLen)*8 > rho_max)
         return 1;
     if (rho_max - sigmaBeginByteLen*8 < 7) {
@@ -102,6 +104,8 @@ int DuplexingFeedPartialInput(DuplexInstance *instance, const unsigned char *inp
 {
     const unsigned int rho_max = instance->rate - 2;
 
+    if (inputByteLen > rho_max/8)
+        return 1;
     if ((instance->byteInputIndex+inputByteLen)*8 > rho_max)
         return 1;
 
@@ -114,6 +118,8 @@ int DuplexingFeedZeroes(DuplexInstance *instance, unsigned int inputByteLen)
 {
     const unsigned int rho_max = instance->rate - 2;
 
+    if (inputByteLen > rho_max/8)
+        return 1;
     if ((instance->byteInputIndex+inputByteLen)*8 > rho_max)
         return 1;
 
@@ -125,6 +131,8 @@ int DuplexingOverwritePartialInput(DuplexInstance *instance, const unsigned char
 {
     const unsigned int rho_max = instance->rate - 2;
 
+    if (inputByteLen > rho_max/8)
+        return 1;
     if ((instance->byteInputIndex+inputByteLen)*8 > rho_max)
         return 1;
 
@@ -137,6 +145,8 @@ int DuplexingOverwriteWithZeroes(DuplexInstance *instance, unsigned int inputByt
 {
     const unsigned int rho_max = instance->rate - 2;
 
+    if (inputByteLen > rho_max/8)
+        return 1;
     if ((instance->byteInputIndex != 0) || (inputByteLen*8 > rho_max))
         return 1;
 
@@ -148,7 +158,7 @@ int DuplexingOverwriteWithZeroes(DuplexInstance *instance, unsigned int inputByt
 
 int DuplexingGetFurtherOutput(DuplexInstance *instance, unsigned char *output, unsigned int outputByteLen)
 {
-    if ((outputByteLen+instance->byteOutputIndex) > (instance->rate+7)/8)
+    if (outputByteLen > (instance->rate+7)/8 - instance->byteOutputIndex)
         return 1; /* The output length must not be greater than the rate (rounded up to a byte) */
 
     SnP_ExtractBytes(instance->state, output, instance->byteOutputIndex, outputByteLen);
@@ -162,7 +172,7 @@ int DuplexingGetFurtherOutput(DuplexInstance *instance, unsigned char *output, u
 
 int DuplexingGetFurtherOutputAndAdd(DuplexInstance *instance, const unsigned char *input, unsigned char *output, unsigned int outputByteLen)
 {
-    if ((outputByteLen+instance->byteOutputIndex) > (instance->rate+7)/8)
+    if (outputByteLen > (instance->rate+7)/8 - instance->byteOutputIndex)
         return 1; /* The output length must not be greater than the rate (rounded up to a byte) */
 
     SnP_ExtractAndAddBytes(instance->state, input, output, instance->byteOutputIndex, outputByteLen);

diff --git a/lib/high/Keccak/KeccakSponge.inc b/lib/high/Keccak/KeccakSponge.inc
@@ -161,7 +161,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
     i = 0;
     curData = data;
     while(i < dataByteLen) {
-        if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
+        if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
 #ifdef SnP_FastLoop_Absorb
             /* processing full blocks first */
             if ((rateInBytes % (SnP_width/200)) == 0) {
@@ -187,9 +187,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
         }
         else {
             /* normal lane: using the message queue */
-            partialBlock = (unsigned int)(dataByteLen - i);
-            if (partialBlock+instance->byteIOIndex > rateInBytes)
+            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
                 partialBlock = rateInBytes-instance->byteIOIndex;
+            else
+                partialBlock = (unsigned int)(dataByteLen - i);
             #ifdef KeccakReference
             displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
             #endif
@@ -264,7 +265,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
     i = 0;
     curData = data;
     while(i < dataByteLen) {
-        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
+        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
             for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
                 SnP_Permute(instance->state);
                 SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
@@ -281,9 +282,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
                 SnP_Permute(instance->state);
                 instance->byteIOIndex = 0;
             }
-            partialBlock = (unsigned int)(dataByteLen - i);
-            if (partialBlock+instance->byteIOIndex > rateInBytes)
+            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
                 partialBlock = rateInBytes-instance->byteIOIndex;
+            else
+                partialBlock = (unsigned int)(dataByteLen - i);
             i += partialBlock;
 
             SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);

diff --git a/lib/high/Keccak/PRG/KeccakPRG.inc b/lib/high/Keccak/PRG/KeccakPRG.inc
@@ -54,7 +54,7 @@ int SpongePRG_Feed(SpongePRG_Instance *instance, const unsigned char *input, uns
     unsigned int rhoInBytes = (instance->duplex.rate-2)/8;
     int error = 0;
 
-    while( !error && ((DuplexGetInputIndex(&instance->duplex) + inputByteLen) >= rhoInBytes)) {
+    while( !error && (inputByteLen >= rhoInBytes - DuplexGetInputIndex(&instance->duplex))) {
         unsigned int localSize = rhoInBytes - DuplexGetInputIndex(&instance->duplex);
         error |= DuplexingFeedPartialInput(&instance->duplex, input, localSize);
         error |= Duplexing(&instance->duplex, 0, 0, 0, 0, 0x01);

diff --git a/lib/high/Ketje/Ketjev2.inc b/lib/high/Ketje/Ketjev2.inc
@@ -41,6 +41,10 @@ int Ketje_Initialize(Ketje_Instance *instance, const unsigned char *key, unsigne
     unsigned int keyPackSizeInBits;
 
     keyPackSizeInBits = 8*((keySizeInBits+16)/8);
+    if (keyPackSizeInBits > SnP_width)
+        return 1;
+    if (nonceSizeInBits > SnP_width)
+        return 1;
     if ( (keyPackSizeInBits + nonceSizeInBits + 2) > SnP_width)
         return 1;
 
@@ -87,7 +91,7 @@ int Ketje_FeedAssociatedData(Ketje_Instance *instance, const unsigned char *data
     if ((instance->phase & Ketje_Phase_FeedingAssociatedData) == 0)
         return 1;
 
-    if ( (instance->dataRemainderSize + dataSizeInBytes) > Ketje_BlockSize )
+    if ( dataSizeInBytes > Ketje_BlockSize - instance->dataRemainderSize )
     {
         if (instance->dataRemainderSize != 0)
         {
@@ -127,7 +131,7 @@ int Ketje_WrapPlaintext(Ketje_Instance *instance, const unsigned char *plaintext
     if ( (instance->phase & Ketje_Phase_Wrapping) == 0)
         return 1;
 
-    if ( (instance->dataRemainderSize + dataSizeInBytes) > Ketje_BlockSize )
+    if ( dataSizeInBytes > Ketje_BlockSize - instance->dataRemainderSize )
     {
         /* More than a block */
         if (instance->dataRemainderSize != 0)
@@ -181,7 +185,7 @@ int Ketje_UnwrapCiphertext(Ketje_Instance *instance, const unsigned char *cipher
     if ( (instance->phase & Ketje_Phase_Unwrapping) == 0)
         return 1;
 
-    if ( (instance->dataRemainderSize + dataSizeInBytes) > Ketje_BlockSize )
+    if ( dataSizeInBytes > Ketje_BlockSize - instance->dataRemainderSize )
     {
         /* More than a block */
         if (instance->dataRemainderSize != 0)