Always write the Poly1305 tag to an aligned buffer.

With GCC 4.9 and -O2 (and only -O2, -O1 and -O3 didn't trigger it), the Poly1305 code can end up writing to an unaligned address otherwise and that triggers a bus error on ARM. Change-Id: Ifbeb7e2066a893d91d6f63c6565bac7d5542ef81 Reviewed-on: https://boringssl-review.googlesource.com/2850 Reviewed-by: Adam Langley <agl@google.com>
2015-01-12 17:19:51 -08:00 · 2015-01-12 17:19:51 -08:00 · b1116a4a3b
commit b1116a4a3b
parent 3e6526575a
2 changed files with 4 additions and 10 deletions
--- a/crypto/cipher/e_chacha20poly1305.c
+++ b/crypto/cipher/e_chacha20poly1305.c
@ -134,15 +134,9 @@ static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
  CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
  poly1305_update_with_length(&poly1305, out, in_len);

-  if (c20_ctx->tag_len != POLY1305_TAG_LEN) {
-    uint8_t tag[POLY1305_TAG_LEN];
-    CRYPTO_poly1305_finish(&poly1305, tag);
-    memcpy(out + in_len, tag, c20_ctx->tag_len);
-    *out_len = in_len + c20_ctx->tag_len;
-    return 1;
-  }
-
-  CRYPTO_poly1305_finish(&poly1305, out + in_len);
+  uint8_t tag[POLY1305_TAG_LEN] ALIGNED;
+  CRYPTO_poly1305_finish(&poly1305, tag);
+  memcpy(out + in_len, tag, c20_ctx->tag_len);
  *out_len = in_len + c20_ctx->tag_len;
  return 1;
 }
--- a/include/openssl/poly1305.h
+++ b/include/openssl/poly1305.h
@ -36,7 +36,7 @@ extern void CRYPTO_poly1305_update(poly1305_state* state, const uint8_t* in,
                                   size_t in_len);

 /* poly1305_finish completes the poly1305 calculation and writes a 16 byte
- * authentication tag to |mac|. */
+ * authentication tag to |mac|. The |mac| address must be 16-byte aligned. */
 extern void CRYPTO_poly1305_finish(poly1305_state* state, uint8_t mac[16]);