Always write the Poly1305 tag to an aligned buffer.

With GCC 4.9 and -O2 (and only -O2, -O1 and -O3 didn't trigger it), the Poly1305 code can end up writing to an unaligned address otherwise and that triggers a bus error on ARM. Change-Id: Ifbeb7e2066a893d91d6f63c6565bac7d5542ef81 Reviewed-on: https://boringssl-review.googlesource.com/2850 Reviewed-by: Adam Langley <agl@google.com>
author: Adam Langley <agl@google.com> 2015-01-13 04:19:51 +0300
committer: Adam Langley <agl@google.com> 2015-01-15 02:38:25 +0300
commit: b1116a4a3b63aaea97608f1f42fb7a00e653af5c (patch)
tree: 3f1f12142046706e5571f2201743b494e40fa410 /crypto
parent: 3e6526575ac2349a44a04a0bbc7acb917fab5a0b (diff)
1 files changed, 3 insertions, 9 deletions
diff --git a/crypto/cipher/e_chacha20poly1305.c b/crypto/cipher/e_chacha20poly1305.c
index e656cd78..c3ad3a5e 100644
--- a/crypto/cipher/e_chacha20poly1305.c
+++ b/crypto/cipher/e_chacha20poly1305.c
@@ -134,15 +134,9 @@ static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
   CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
   poly1305_update_with_length(&poly1305, out, in_len);
 
-  if (c20_ctx->tag_len != POLY1305_TAG_LEN) {
-    uint8_t tag[POLY1305_TAG_LEN];
-    CRYPTO_poly1305_finish(&poly1305, tag);
-    memcpy(out + in_len, tag, c20_ctx->tag_len);
-    *out_len = in_len + c20_ctx->tag_len;
-    return 1;
-  }
-
-  CRYPTO_poly1305_finish(&poly1305, out + in_len);
+  uint8_t tag[POLY1305_TAG_LEN] ALIGNED;
+  CRYPTO_poly1305_finish(&poly1305, tag);
+  memcpy(out + in_len, tag, c20_ctx->tag_len);
   *out_len = in_len + c20_ctx->tag_len;
   return 1;
 }
author	Adam Langley <agl@google.com>	2015-01-13 04:19:51 +0300
committer	Adam Langley <agl@google.com>	2015-01-15 02:38:25 +0300
commit	b1116a4a3b63aaea97608f1f42fb7a00e653af5c (patch)
tree	3f1f12142046706e5571f2201743b494e40fa410 /crypto
parent	3e6526575ac2349a44a04a0bbc7acb917fab5a0b (diff)