Avoid overflow in newhope.go.
Depending on the word size of the runner, uint16 * uint16 can overflow an int.
There are other computations that can overflow a uint32 as well, so I just made
everything uint64 to avoid thinking about it too much.
Change-Id: Ia3c976987f39f78285c865a2d7688600d73c2514
Reviewed-on: https://boringssl-review.googlesource.com/8193
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/runner/newhope/newhope.go b/ssl/test/runner/newhope/newhope.go
index 36c2c85..8f7a530 100644
--- a/ssl/test/runner/newhope/newhope.go
+++ b/ssl/test/runner/newhope/newhope.go
@@ -153,24 +153,24 @@
// details of how this works.
func ntt(in *Poly, omega, preScaleBase, postScaleBase, postScale uint16) *Poly {
out := new(Poly)
- omega_to_the_i := 1
+ omega_to_the_i := uint64(1)
for i := range out {
- omegaToTheIJ := 1
- preScale := int(1)
- sum := 0
+ omegaToTheIJ := uint64(1)
+ preScale := uint64(1)
+ sum := uint64(0)
for j := range in {
- t := (int(in[j]) * preScale) % q
+ t := (uint64(in[j]) * preScale) % q
sum += (t * omegaToTheIJ) % q
omegaToTheIJ = (omegaToTheIJ * omega_to_the_i) % q
- preScale = (int(preScaleBase) * preScale) % q
+ preScale = (uint64(preScaleBase) * preScale) % q
}
- out[i] = uint16((sum * int(postScale)) % q)
+ out[i] = uint16((sum * uint64(postScale)) % q)
- omega_to_the_i = (omega_to_the_i * int(omega)) % q
- postScale = uint16((int(postScale) * int(postScaleBase)) % q)
+ omega_to_the_i = (omega_to_the_i * uint64(omega)) % q
+ postScale = uint16((uint64(postScale) * uint64(postScaleBase)) % q)
}
return out
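Review bot: `omega_to_the_i` is rewritten in this hunk but keeps its snake_case name, inconsistent with `omegaToTheIJ`, `preScale` and the other MixedCaps locals in the same loop; since its declaration and both uses are already touched, renaming costs nothing: `omegaToTheI := uint64(1)`, `omegaToTheIJ = (omegaToTheIJ * omegaToTheI) % q`, `omegaToTheI = (omegaToTheI * uint64(omega)) % q`. The widening deserves a one-line justification so the next reader does not have to redo the bound analysis, e.g. `// Intermediates are uint64: operands are uint16 residues and sum holds at most len(in) values below q, so no product or sum here can approach 2^64.` — this presumes q is an untyped constant far below 2^32, which the `% q` on uint64 operands suggests but the hunk does not show. The same `uint16((uint64(x) * uint64(y)) % q)` shape recurs in the later hunks for `bFreq[i]`, `uFreq[i]` and `vFreq[i]`; a helper such as `func mulModQ(a, b uint16) uint16 { return uint16((uint64(a) * uint64(b)) % q) }` would keep every reduction point in one auditable place. The closing brace of ntt is outside this hunk.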
@@ -255,7 +255,7 @@
bFreq := new(Poly)
for i := range bFreq {
- bFreq[i] = uint16((int(sFreq[i])*int(aFreq[i]) + int(eFreq[i])) % q)
+ bFreq[i] = uint16((uint64(sFreq[i])*uint64(aFreq[i]) + uint64(eFreq[i])) % q)
}
offerMsg = encodePoly(bFreq)
@@ -279,18 +279,18 @@
uFreq := new(Poly)
for i := range uFreq {
- uFreq[i] = uint16((int(sPrimeFreq[i])*int(aFreq[i]) + int(ePrimeFreq[i])) % q)
+ uFreq[i] = uint16((uint64(sPrimeFreq[i])*uint64(aFreq[i]) + uint64(ePrimeFreq[i])) % q)
}
vFreq := new(Poly)
for i := range vFreq {
- vFreq[i] = uint16((int(sPrimeFreq[i]) * int(bFreq[i])) % q)
+ vFreq[i] = uint16((uint64(sPrimeFreq[i]) * uint64(bFreq[i])) % q)
}
v := inverseNTT(vFreq)
ePrimePrime := sampleNoise(rand)
for i := range v {
- v[i] = uint16((int(v[i]) + int(ePrimePrime[i])) % q)
+ v[i] = uint16((uint64(v[i]) + uint64(ePrimePrime[i])) % q)
}
rec := helprec(rand, v)
@@ -311,7 +311,7 @@
rec := decodeRec(acceptMsg[encodedPolyLen:])
for i, u := range uFreq {
- uFreq[i] = uint16((int(u) * int(sk[i])) % q)
+ uFreq[i] = uint16((uint64(u) * uint64(sk[i])) % q)
}
u := inverseNTT(uFreq)