[pentest] Correctly set unused key shares
This commit fixes a bug in the simpleserial and uJSON AES SCA
application. Inside the aes_key_mask_and_config function,
two for loops are responsible for setting the key shares. The
first for loop sets all key shares up to the provided key_length.
The second for loop sets all unused key bits.

Previously, the second for loop did not set the key shares for the
unused bits correctly. For example, when key_len=16, only key shares
0...3 were correctly set, key shares 4...7 were uninitialized, e.g.
contained old values from memory. However, for SCA we assume that
the unused key share values are set to 0.

Signed-off-by: Pascal Nasahl <[email protected]>
nasahlpa authored and sameo committed Jun 18, 2024
1 parent 61ef58c commit 819adeb
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion sw/device/sca/aes_serial.c
Expand Up @@ -185,7 +185,7 @@ static void aes_key_mask_and_config(const uint8_t *key, size_t key_len) {
key_shares.share0[i] = *((uint32_t *)key + i) ^ key_shares.share1[i];
}
// Provide random shares for unused key bits.
for (size_t i = key_len; i < kAesKeyLengthMax / 4; ++i) {
for (size_t i = key_len / 4; i < kAesKeyLengthMax / 4; ++i) {
key_shares.share1[i] =
sca_non_linear_layer(sca_next_lfsr(1, kScaLfsrMasking));
key_shares.share0[i] =
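Review bot: In the changed loop initializer `i = key_len / 4`, the byte-to-word conversion uses a bare literal and truncates silently if `key_len` is not a multiple of 4. Nothing in the visible lines checks that `key_len` is word-aligned or no larger than `kAesKeyLengthMax`. Consider writing the divisor as `sizeof(uint32_t)` so that it matches the `uint32_t` cast in the first loop, and rejecting or asserting on a `key_len` that is not a multiple of the word size before either loop runs. Separately, the comment above the loop says "Provide random shares for unused key bits" while the commit message says the unused key share values are assumed to be 0 for SCA. The comment should state the intended invariant for `share0[i]` and `share1[i]` on the unused words so that the next reader can verify the loop against it. A regression test that calls the function with `key_len=16` and inspects key shares 4...7 would keep the byte/word index mix-up from returning.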