Fix the last casts in third_party/sike.

These even trip UBSan because they break alignment requirements. The
crypto_word_t isn't doing anything here, so just read bytes.

Change-Id: Icb6dfce2c3a10f8252bbb0889cbeedcf1e8d8e62
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/36066
Reviewed-by: Adam Langley <alangley@gmail.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/third_party/sike/sike.c b/third_party/sike/sike.c
index 53ed213..689baa8 100644
--- a/third_party/sike/sike.c
+++ b/third_party/sike/sike.c
@@ -105,7 +105,7 @@
 }
 
 static void LADDER3PT(
-    const f2elm_t xP, const f2elm_t xQ, const f2elm_t xPQ, const crypto_word_t* m,
+    const f2elm_t xP, const f2elm_t xQ, const f2elm_t xPQ, const uint8_t* m,
     int is_A, point_proj_t R, const f2elm_t A) {
     point_proj_t R0 = POINT_PROJ_INIT, R2 = POINT_PROJ_INIT;
     f2elm_t A24 = F2ELM_INIT;
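Review bot: The new `const uint8_t* m` parameter has no documentation of what byte string it expects, and since the old word-typed version's bit order depended on how the caller's bytes were cast, the contract is now worth stating explicitly above the signature. I would add a comment such as `// |m| is the scalar as a little-endian byte string; bit i is (m[i / 8] >> (i % 8)) & 1, so |m| must hold at least (nbits + 7) / 8 bytes.` (`nbits` is the loop bound used further down in this function). LADDER3PT's body continues outside this hunk, so I cannot confirm where `nbits` is assigned.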
@@ -132,7 +132,7 @@
 
     // Main loop
     for (size_t i = 0; i < nbits; i++) {
-        bit = (m[i >> LOG2RADIX] >> (i & (RADIX-1))) & 1;
+        bit = (m[i >> 3] >> (i & 7)) & 1;
         swap = bit ^ prevbit;
         prevbit = bit;
         mask = 0 - (crypto_word_t)swap;
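Review bot: The replacement read `m[i >> 3]` is indexed up to `(nbits - 1) >> 3` on the last iteration, so the byte buffer behind `m` must be at least `(nbits + 7) / 8` bytes long; nothing in the hunk checks or states that, and `nbits` is set outside the visible lines. Since all callers pass a private key whose length I cannot see here, I would at least pin the assumption with a comment next to the extraction, e.g. `// Reads bit i of |m| LSB-first; caller guarantees |m| spans at least (nbits + 7) / 8 bytes.` The enclosing LADDER3PT function starts before this hunk.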
@@ -206,7 +206,7 @@
     sike_fp2add(A24plus, A24plus, C24);
 
     // Retrieve kernel point
-    LADDER3PT(XPA, XQA, XRA, (crypto_word_t*)skA, 1, R, A);
+    LADDER3PT(XPA, XQA, XRA, skA, 1, R, A);
 
     // Traverse tree
     index = 0;
@@ -280,7 +280,7 @@
     sike_fp2neg(A24minus);
 
     // Retrieve kernel point
-    LADDER3PT(XPB, XQB, XRB, (crypto_word_t*)skB, 0, R, A);
+    LADDER3PT(XPB, XQB, XRB, skB, 0, R, A);
 
     // Traverse tree
     index = 0;
@@ -350,7 +350,7 @@
     sike_fpadd(C24->c0, C24->c0, C24->c0);
 
     // Retrieve kernel point
-    LADDER3PT(PKB[0], PKB[1], PKB[2], (crypto_word_t*)skA, 1, R, A);
+    LADDER3PT(PKB[0], PKB[1], PKB[2], skA, 1, R, A);
 
     // Traverse tree
     index = 0;
@@ -409,7 +409,7 @@
     sike_fp2sub(A, A24minus, A24minus);
 
     // Retrieve kernel point
-    LADDER3PT(PKB[0], PKB[1], PKB[2], (crypto_word_t*)skB, 0, R, A);
+    LADDER3PT(PKB[0], PKB[1], PKB[2], skB, 0, R, A);
 
     // Traverse tree
     index = 0;
diff --git a/third_party/sike/sike_test.cc b/third_party/sike/sike_test.cc
index a1426ef..1277e09 100644
--- a/third_party/sike/sike_test.cc
+++ b/third_party/sike/sike_test.cc
@@ -193,6 +193,20 @@
     EXPECT_NE(memcmp(ss_enc, ss_dec, SIKEp503_SS_BYTESZ), 0);
 }
 
+TEST(SIKE, Unaligned) {
+  alignas(4) uint8_t priv[SIKEp503_PRV_BYTESZ + 1];
+  alignas(4) uint8_t pub[SIKEp503_PUB_BYTESZ + 1];
+  alignas(4) uint8_t shared_key1[SIKEp503_SS_BYTESZ + 1];
+  alignas(4) uint8_t ciphertext[SIKEp503_CT_BYTESZ + 1];
+  alignas(4) uint8_t shared_key2[SIKEp503_SS_BYTESZ + 1];
+
+  ASSERT_TRUE(SIKE_keypair(priv + 1, pub + 1));
+  SIKE_encaps(shared_key1 + 1, ciphertext + 1, pub + 1);
+  SIKE_decaps(shared_key2 + 1, ciphertext + 1, pub + 1, priv + 1);
+
+  EXPECT_EQ(memcmp(shared_key1 + 1, shared_key2 + 1, SIKEp503_SS_BYTESZ), 0);
+}
+
 #if defined(SUPPORTS_ABI_TEST) && (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64))
 TEST(SIKE, ABI) {
   felm_t a, b, c;
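Review bot: The return values of `SIKE_encaps` and `SIKE_decaps` on the two lines after the `ASSERT_TRUE(SIKE_keypair(...))` are discarded, so if either reports failure the test still proceeds to the `memcmp` and may fail (or read an unwritten `shared_key2`) for a reason unrelated to alignment. If those functions return a status the way `SIKE_keypair` appears to, I would wrap them: `ASSERT_TRUE(SIKE_encaps(shared_key1 + 1, ciphertext + 1, pub + 1));` and `ASSERT_TRUE(SIKE_decaps(shared_key2 + 1, ciphertext + 1, pub + 1, priv + 1));`. It is also worth a short comment that the `alignas(4)` plus `+ 1` offsets deliberately misalign every buffer, and that the misaligned-access defect this guards against only manifests under UBSan or on strict-alignment targets, since on x86 the old code would have passed this test too.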
diff --git a/third_party/sike/utils.h b/third_party/sike/utils.h
index ab4a5e0..74c640a 100644
--- a/third_party/sike/utils.h
+++ b/third_party/sike/utils.h
@@ -36,8 +36,6 @@
     #define NWORDS_FIELD    8
     // Number of "0" digits in the least significant part of p503 + 1
     #define p503_ZERO_WORDS 3
-    // log_2(RADIX)
-    #define LOG2RADIX       6
     // U64_TO_WORDS expands |x| for a |crypto_word_t| array literal.
     #define U64_TO_WORDS(x) UINT64_C(x)
 #else
@@ -45,8 +43,6 @@
     #define NWORDS_FIELD    16
     // Number of "0" digits in the least significant part of p503 + 1
     #define p503_ZERO_WORDS 7
-    // log_2(RADIX)
-    #define LOG2RADIX       5
     // U64_TO_WORDS expands |x| for a |crypto_word_t| array literal.
     #define U64_TO_WORDS(x) \
         (uint32_t)(UINT64_C(x) & 0xffffffff), (uint32_t)(UINT64_C(x) >> 32)