Always write the Poly1305 tag to an aligned buffer.
With GCC 4.9 and -O2 (and only -O2, -O1 and -O3 didn't trigger it), the Poly1305 code can end up writing to an unaligned address otherwise and that triggers a bus error on ARM. Change-Id: Ifbeb7e2066a893d91d6f63c6565bac7d5542ef81 Reviewed-on: https://boringssl-review.googlesource.com/2850 Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
3e6526575a
commit
b1116a4a3b
@ -134,19 +134,13 @@ static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
|
||||
CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
|
||||
poly1305_update_with_length(&poly1305, out, in_len);
|
||||
|
||||
if (c20_ctx->tag_len != POLY1305_TAG_LEN) {
|
||||
uint8_t tag[POLY1305_TAG_LEN];
|
||||
uint8_t tag[POLY1305_TAG_LEN] ALIGNED;
|
||||
CRYPTO_poly1305_finish(&poly1305, tag);
|
||||
memcpy(out + in_len, tag, c20_ctx->tag_len);
|
||||
*out_len = in_len + c20_ctx->tag_len;
|
||||
return 1;
|
||||
}
|
||||
|
||||
CRYPTO_poly1305_finish(&poly1305, out + in_len);
|
||||
*out_len = in_len + c20_ctx->tag_len;
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
|
||||
size_t *out_len, size_t max_out_len,
|
||||
const uint8_t *nonce, size_t nonce_len,
|
||||
|
@ -36,7 +36,7 @@ extern void CRYPTO_poly1305_update(poly1305_state* state, const uint8_t* in,
|
||||
size_t in_len);
|
||||
|
||||
/* poly1305_finish completes the poly1305 calculation and writes a 16 byte
|
||||
* authentication tag to |mac|. */
|
||||
* authentication tag to |mac|. The |mac| address must be 16-byte aligned. */
|
||||
extern void CRYPTO_poly1305_finish(poly1305_state* state, uint8_t mac[16]);
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user