Fix the last casts in third_party/sike. These even trip UBSan because they break alignment requirements. The crypto_word_t isn't doing anything here, so just read bytes. Change-Id: Icb6dfce2c3a10f8252bbb0889cbeedcf1e8d8e62 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/36066 Reviewed-by: Adam Langley <alangley@gmail.com> Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/third_party/sike/sike.c b/third_party/sike/sike.c
index 53ed213..689baa8 100644
--- a/third_party/sike/sike.c
+++ b/third_party/sike/sike.c
@@ -105,7 +105,7 @@
 }
 static void LADDER3PT(
- const f2elm_t xP, const f2elm_t xQ, const f2elm_t xPQ, const crypto_word_t* m,
+ const f2elm_t xP, const f2elm_t xQ, const f2elm_t xPQ, const uint8_t* m,
 int is_A, point_proj_t R, const f2elm_t A) {
 point_proj_t R0 = POINT_PROJ_INIT, R2 = POINT_PROJ_INIT;
 f2elm_t A24 = F2ELM_INIT;
@@ -132,7 +132,7 @@
 // Main loop
 for (size_t i = 0; i < nbits; i++) {
- bit = (m[i >> LOG2RADIX] >> (i & (RADIX-1))) & 1;
+ bit = (m[i >> 3] >> (i & 7)) & 1;
 swap = bit ^ prevbit;
 prevbit = bit;
 mask = 0 - (crypto_word_t)swap;
@@ -206,7 +206,7 @@
 sike_fp2add(A24plus, A24plus, C24);
 // Retrieve kernel point
- LADDER3PT(XPA, XQA, XRA, (crypto_word_t*)skA, 1, R, A);
+ LADDER3PT(XPA, XQA, XRA, skA, 1, R, A);
 // Traverse tree
 index = 0;
@@ -280,7 +280,7 @@
 sike_fp2neg(A24minus);
 // Retrieve kernel point
- LADDER3PT(XPB, XQB, XRB, (crypto_word_t*)skB, 0, R, A);
+ LADDER3PT(XPB, XQB, XRB, skB, 0, R, A);
 // Traverse tree
 index = 0;
@@ -350,7 +350,7 @@
 sike_fpadd(C24->c0, C24->c0, C24->c0);
 // Retrieve kernel point
- LADDER3PT(PKB[0], PKB[1], PKB[2], (crypto_word_t*)skA, 1, R, A);
+ LADDER3PT(PKB[0], PKB[1], PKB[2], skA, 1, R, A);
 // Traverse tree
 index = 0;
@@ -409,7 +409,7 @@
 sike_fp2sub(A, A24minus, A24minus);
 // Retrieve kernel point
- LADDER3PT(PKB[0], PKB[1], PKB[2], (crypto_word_t*)skB, 0, R, A);
+ LADDER3PT(PKB[0], PKB[1], PKB[2], skB, 0, R, A);
 // Traverse tree
 index = 0;
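Review bot: The byte-indexed read `m[i >> 3]` in the second hunk (-132) leaves the required length of `m` implicit; neither the new `const uint8_t* m` signature in the first hunk nor the four call sites state that `m` must supply at least `(nbits + 7) / 8` bytes, and `nbits` is set outside the visible lines. A one-line contract on the parameter would make the bound visible, e.g. `// |m| is a bit string of at least (nbits + 7) / 8 bytes, read LSB-first: bit i is (m[i >> 3] >> (i & 7)) & 1.` The index into `m` depends only on the public loop counter `i`, so the rewrite keeps the ladder's memory access pattern independent of the scalar, which is worth stating next to the `mask`-based swap that follows. LADDER3PT's body begins in the first hunk and continues past the last visible line.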
diff --git a/third_party/sike/sike_test.cc b/third_party/sike/sike_test.cc
index a1426ef..1277e09 100644
--- a/third_party/sike/sike_test.cc
+++ b/third_party/sike/sike_test.cc
@@ -193,6 +193,20 @@
 EXPECT_NE(memcmp(ss_enc, ss_dec, SIKEp503_SS_BYTESZ), 0);
 }
+TEST(SIKE, Unaligned) {
+ alignas(4) uint8_t priv[SIKEp503_PRV_BYTESZ + 1];
+ alignas(4) uint8_t pub[SIKEp503_PUB_BYTESZ + 1];
+ alignas(4) uint8_t shared_key1[SIKEp503_SS_BYTESZ + 1];
+ alignas(4) uint8_t ciphertext[SIKEp503_CT_BYTESZ + 1];
+ alignas(4) uint8_t shared_key2[SIKEp503_SS_BYTESZ + 1];
+
+ ASSERT_TRUE(SIKE_keypair(priv + 1, pub + 1));
+ SIKE_encaps(shared_key1 + 1, ciphertext + 1, pub + 1);
+ SIKE_decaps(shared_key2 + 1, ciphertext + 1, pub + 1, priv + 1);
+
+ EXPECT_EQ(memcmp(shared_key1 + 1, shared_key2 + 1, SIKEp503_SS_BYTESZ), 0);
+}
+
 #if defined(SUPPORTS_ABI_TEST) && (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64))
 TEST(SIKE, ABI) {
 felm_t a, b, c;
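Review bot: The `+ 1` offsets in TEST(SIKE, Unaligned) carry the whole point of the test but are not explained; `alignas(4)` plus an offset of one puts every pointer at address 1 mod 4, so each buffer is misaligned for any multi-byte word, which is exactly what the removed crypto_word_t casts in sike.c would have tripped on. A short comment above the declarations, `// Over-allocate by one byte and pass each buffer at offset 1 so every pointer is deliberately misaligned; word-sized reads of these would be UB.`, would keep the intent from being lost if someone later "fixes" the sizes. Whether SIKE_encaps and SIKE_decaps can report failure is not visible here; if they do, the test should check those results as it already does for SIKE_keypair.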
diff --git a/third_party/sike/utils.h b/third_party/sike/utils.h
index ab4a5e0..74c640a 100644
--- a/third_party/sike/utils.h
+++ b/third_party/sike/utils.h
@@ -36,8 +36,6 @@
 #define NWORDS_FIELD 8
 // Number of "0" digits in the least significant part of p503 + 1
 #define p503_ZERO_WORDS 3
- // log_2(RADIX)
- #define LOG2RADIX 6
 // U64_TO_WORDS expands |x| for a |crypto_word_t| array literal.
 #define U64_TO_WORDS(x) UINT64_C(x)
 #else
@@ -45,8 +43,6 @@
 #define NWORDS_FIELD 16
 // Number of "0" digits in the least significant part of p503 + 1
 #define p503_ZERO_WORDS 7
- // log_2(RADIX)
- #define LOG2RADIX 5
 // U64_TO_WORDS expands |x| for a |crypto_word_t| array literal.
 #define U64_TO_WORDS(x) \
 (uint32_t)(UINT64_C(x) & 0xffffffff), (uint32_t)(UINT64_C(x) >> 32)