
github.com/mono/boringssl.git - Unnamed repository; edit this file 'description' to name the repository.
authorDavid Benjamin <davidben@google.com>2016-06-09 01:31:42 +0300
committerAdam Langley <agl@google.com>2016-06-09 22:49:03 +0300
commit2446db0f52b8697f3e131db3315de8a66fd9e0fe (patch)
tree0d948b5cf18dbd51154d2f12b68f1d91b629e643 /crypto/chacha
parent1a01e1fc88968c4db023f38967f9e81a8c42a15d (diff)
Require in == out for in-place encryption.
While most of OpenSSL's assembly allows out < in too, some of it doesn't. Upstream seems to not consider this a problem (or, at least, they're failing to make a decision on whether it is a problem, so we should assume they'll stay their course). Accordingly, require aliased buffers to exactly align so we don't have to keep chasing this down. Change-Id: I00eb3df3e195b249116c68f7272442918d7077eb Reviewed-on: https://boringssl-review.googlesource.com/8231 Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'crypto/chacha')
-rw-r--r--crypto/chacha/chacha.c10
-rw-r--r--crypto/chacha/chacha_test.cc23
2 files changed, 15 insertions, 18 deletions
diff --git a/crypto/chacha/chacha.c b/crypto/chacha/chacha.c
index afe1b2ad..15620894 100644
--- a/crypto/chacha/chacha.c
+++ b/crypto/chacha/chacha.c
@@ -16,10 +16,13 @@
#include <openssl/chacha.h>
+#include <assert.h>
#include <string.h>
#include <openssl/cpu.h>
+#include "../internal.h"
+
#define U8TO32_LITTLE(p) \
(((uint32_t)((p)[0])) | ((uint32_t)((p)[1]) << 8) | \
@@ -36,8 +39,9 @@ void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,
void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
const uint8_t key[32], const uint8_t nonce[12],
uint32_t counter) {
- uint32_t counter_nonce[4];
- counter_nonce[0] = counter;
+ assert(!buffers_alias(out, in_len, in, in_len) || in == out);
+
+ uint32_t counter_nonce[4]; counter_nonce[0] = counter;
counter_nonce[1] = U8TO32_LITTLE(nonce + 0);
counter_nonce[2] = U8TO32_LITTLE(nonce + 4);
counter_nonce[3] = U8TO32_LITTLE(nonce + 8);
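Review bot: The new aliasing requirement is enforced only by `assert`, which compiles away under NDEBUG, so a release build still passes partially overlapping buffers straight through to ChaCha20_ctr32, where the commit message suggests some assembly paths may not handle them. Because the function returns void and cannot report the misuse, the contract should be stated where callers read it, for example `/* |in| and |out| may alias only if in == out; partial overlap is not supported. */` above the definition and at the declaration in the header, which is not part of this diff. The same applies to the identical assert added to the portable implementation in the next hunk. Separately, the added line `uint32_t counter_nonce[4]; counter_nonce[0] = counter;` joins two statements and reads like an accidental merge; splitting it back onto two lines would keep the declaration easy to spot. The function body continues outside the hunk.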
@@ -118,6 +122,8 @@ static void chacha_core(uint8_t output[64], const uint32_t input[16]) {
void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
const uint8_t key[32], const uint8_t nonce[12],
uint32_t counter) {
+ assert(!buffers_alias(out, in_len, in, in_len) || in == out);
+
uint32_t input[16];
uint8_t buf[64];
size_t todo, i;
diff --git a/crypto/chacha/chacha_test.cc b/crypto/chacha/chacha_test.cc
index f364f982..0a5972f7 100644
--- a/crypto/chacha/chacha_test.cc
+++ b/crypto/chacha/chacha_test.cc
@@ -218,25 +218,16 @@ static bool TestChaCha20(size_t len) {
std::unique_ptr<uint8_t[]> buf(new uint8_t[len]);
CRYPTO_chacha_20(buf.get(), kInput, len, kKey, kNonce, kCounter);
if (memcmp(buf.get(), kOutput, len) != 0) {
- fprintf(stderr, "Mismatch at length %u.\n", static_cast<unsigned>(len));
+ fprintf(stderr, "Mismatch at length %zu.\n", len);
return false;
}
- // Test in-place at various offsets.
- static const size_t kOffsets[] = {
- 0, 1, 2, 8, 15, 16, 17, 31, 32, 33, 63,
- 64, 65, 95, 96, 97, 127, 128, 129, 255, 256, 257,
- };
- for (size_t offset : kOffsets) {
- buf.reset(new uint8_t[len + offset]);
- memcpy(buf.get() + offset, kInput, len);
- CRYPTO_chacha_20(buf.get(), buf.get() + offset, len, kKey, kNonce,
- kCounter);
- if (memcmp(buf.get(), kOutput, len) != 0) {
- fprintf(stderr, "Mismatch at length %u with in-place offset %u.\n",
- static_cast<unsigned>(len), static_cast<unsigned>(offset));
- return false;
- }
+ // Test in-place.
+ memcpy(buf.get(), kInput, len);
+ CRYPTO_chacha_20(buf.get(), buf.get(), len, kKey, kNonce, kCounter);
+ if (memcmp(buf.get(), kOutput, len) != 0) {
+ fprintf(stderr, "Mismatch at length %zu, in-place.\n", len);
+ return false;
}
return true;
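Review bot: Dropping the offset loop also drops the only calls in TestChaCha20 that handed the implementation a misaligned pointer (`buf.get() + offset` with offsets such as 1, 15 and 17); the remaining calls pass only `buf.get()` as the output and in-place buffer, with whatever alignment `new[]` provides. Unaligned buffers are still legal under the new contract as long as in == out, and they are the case most likely to differ between assembly paths, so I would keep one in-place check on a deliberately offset buffer. The excerpt below respects the in == out rule while restoring that coverage.

```cpp
  // … unchanged: out-of-place check and aligned in-place check …

  // Test in-place on a deliberately misaligned buffer.
  buf.reset(new uint8_t[len + 1]);
  memcpy(buf.get() + 1, kInput, len);
  CRYPTO_chacha_20(buf.get() + 1, buf.get() + 1, len, kKey, kNonce, kCounter);
  if (memcmp(buf.get() + 1, kOutput, len) != 0) {
    fprintf(stderr, "Mismatch at length %zu, in-place, unaligned.\n", len);
    return false;
  }
  return true;
```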