From b1116a4a3b63aaea97608f1f42fb7a00e653af5c Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Mon, 12 Jan 2015 17:19:51 -0800 Subject: [PATCH] Always write the Poly1305 tag to an aligned buffer. With GCC 4.9 and -O2 (and only -O2, -O1 and -O3 didn't trigger it), the Poly1305 code can end up writing to an unaligned address otherwise and that triggers a bus error on ARM. Change-Id: Ifbeb7e2066a893d91d6f63c6565bac7d5542ef81 Reviewed-on: https://boringssl-review.googlesource.com/2850 Reviewed-by: Adam Langley --- crypto/cipher/e_chacha20poly1305.c | 12 +++--------- include/openssl/poly1305.h | 2 +- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/crypto/cipher/e_chacha20poly1305.c b/crypto/cipher/e_chacha20poly1305.c index e656cd78..c3ad3a5e 100644 --- a/crypto/cipher/e_chacha20poly1305.c +++ b/crypto/cipher/e_chacha20poly1305.c @@ -134,15 +134,9 @@ static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1); poly1305_update_with_length(&poly1305, out, in_len); - if (c20_ctx->tag_len != POLY1305_TAG_LEN) { - uint8_t tag[POLY1305_TAG_LEN]; - CRYPTO_poly1305_finish(&poly1305, tag); - memcpy(out + in_len, tag, c20_ctx->tag_len); - *out_len = in_len + c20_ctx->tag_len; - return 1; - } - - CRYPTO_poly1305_finish(&poly1305, out + in_len); + uint8_t tag[POLY1305_TAG_LEN] ALIGNED; + CRYPTO_poly1305_finish(&poly1305, tag); + memcpy(out + in_len, tag, c20_ctx->tag_len); *out_len = in_len + c20_ctx->tag_len; return 1; } diff --git a/include/openssl/poly1305.h b/include/openssl/poly1305.h index a15bf1a8..aa904869 100644 --- a/include/openssl/poly1305.h +++ b/include/openssl/poly1305.h @@ -36,7 +36,7 @@ extern void CRYPTO_poly1305_update(poly1305_state* state, const uint8_t* in, size_t in_len); /* poly1305_finish completes the poly1305 calculation and writes a 16 byte - * authentication tag to |mac|. */ + * authentication tag to |mac|. The |mac| address must be 16-byte aligned. */ extern void CRYPTO_poly1305_finish(poly1305_state* state, uint8_t mac[16]);