Merge pull request #6750 from SparkiDev/curve25519_thumb2_2

Curve25519/Ed25519: align buffers

Author: JacobBarthelmeh

tests/api.c

@@ -12494,6 +12494,7 @@ static int test_wc_Sha256Update(void)
 #ifndef NO_SHA256
     wc_Sha256 sha256;
     byte hash[WC_SHA256_DIGEST_SIZE];
+    byte hash_unaligned[WC_SHA256_DIGEST_SIZE+1];
     testVector a, b, c;
 
     ExpectIntEQ(wc_InitSha256(&sha256), 0);
@@ -12517,6 +12518,11 @@ static int test_wc_Sha256Update(void)
     ExpectIntEQ(wc_Sha256Final(&sha256, hash), 0);
     ExpectIntEQ(XMEMCMP(hash, a.output, WC_SHA256_DIGEST_SIZE), 0);
 
+    /* Unaligned check. */
+    ExpectIntEQ(wc_Sha256Update(&sha256, (byte*)a.input+1, (word32)a.inLen-1),
+        0);
+    ExpectIntEQ(wc_Sha256Final(&sha256, hash_unaligned + 1), 0);
+
     /* Try passing in bad values */
     b.input = NULL;
     b.inLen = 0;
@@ -12721,6 +12727,7 @@ static int test_wc_Sha512Update(void)
 #ifdef WOLFSSL_SHA512
     wc_Sha512 sha512;
     byte hash[WC_SHA512_DIGEST_SIZE];
+    byte hash_unaligned[WC_SHA512_DIGEST_SIZE + 1];
     testVector a, b, c;
 
     ExpectIntEQ(wc_InitSha512(&sha512), 0);
@@ -12747,6 +12754,11 @@ static int test_wc_Sha512Update(void)
 
     ExpectIntEQ(XMEMCMP(hash, a.output, WC_SHA512_DIGEST_SIZE), 0);
 
+    /* Unaligned check. */
+    ExpectIntEQ(wc_Sha512Update(&sha512, (byte*)a.input+1, (word32)a.inLen-1),
+        0);
+    ExpectIntEQ(wc_Sha512Final(&sha512, hash_unaligned+1), 0);
+
     /* Try passing in bad values */
     b.input = NULL;
     b.inLen = 0;
@@ -20091,15 +20103,18 @@ static int test_wc_ed25519_make_key(void)
 #if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY)
     ed25519_key   key;
     WC_RNG        rng;
-    unsigned char pubkey[ED25519_PUB_KEY_SIZE];
+    unsigned char pubkey[ED25519_PUB_KEY_SIZE+1];
+    int           pubkey_sz = ED25519_PUB_KEY_SIZE;
 
     XMEMSET(&key, 0, sizeof(ed25519_key));
     XMEMSET(&rng, 0, sizeof(WC_RNG));
 
     ExpectIntEQ(wc_ed25519_init(&key), 0);
     ExpectIntEQ(wc_InitRng(&rng), 0);
 
-    ExpectIntEQ(wc_ed25519_make_public(&key, pubkey, sizeof(pubkey)),
+    ExpectIntEQ(wc_ed25519_make_public(&key, pubkey, pubkey_sz),
+        ECC_PRIV_KEY_E);
+    ExpectIntEQ(wc_ed25519_make_public(&key, pubkey+1, pubkey_sz),
         ECC_PRIV_KEY_E);
     ExpectIntEQ(wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &key), 0);
 
@@ -20149,18 +20164,18 @@ static int test_wc_ed25519_sign_msg(void)
     WC_RNG      rng;
     ed25519_key key;
     byte        msg[] = "Everybody gets Friday off.\n";
-    byte        sig[ED25519_SIG_SIZE];
+    byte        sig[ED25519_SIG_SIZE+1];
     word32      msglen = sizeof(msg);
-    word32      siglen = sizeof(sig);
-    word32      badSigLen = sizeof(sig) - 1;
+    word32      siglen = ED25519_SIG_SIZE;
+    word32      badSigLen = ED25519_SIG_SIZE - 1;
 #ifdef HAVE_ED25519_VERIFY
     int         verify_ok = 0; /*1 = Verify success.*/
 #endif
 
     /* Initialize stack variables. */
     XMEMSET(&key, 0, sizeof(ed25519_key));
     XMEMSET(&rng, 0, sizeof(WC_RNG));
-    XMEMSET(sig, 0, siglen);
+    XMEMSET(sig, 0, sizeof(sig));
 
     /* Initialize key. */
     ExpectIntEQ(wc_ed25519_init(&key), 0);
@@ -20169,6 +20184,8 @@ static int test_wc_ed25519_sign_msg(void)
 
     ExpectIntEQ(wc_ed25519_sign_msg(msg, msglen, sig, &siglen, &key), 0);
     ExpectIntEQ(siglen, ED25519_SIG_SIZE);
+    ExpectIntEQ(wc_ed25519_sign_msg(msg, msglen, sig+1, &siglen, &key), 0);
+    ExpectIntEQ(siglen, ED25519_SIG_SIZE);
 
     /* Test bad args. */
     ExpectIntEQ(wc_ed25519_sign_msg(NULL, msglen, sig, &siglen, &key),
@@ -20185,24 +20202,24 @@ static int test_wc_ed25519_sign_msg(void)
     badSigLen -= 1;
 
 #ifdef HAVE_ED25519_VERIFY
-    ExpectIntEQ(wc_ed25519_verify_msg(sig, siglen, msg, msglen, &verify_ok,
+    ExpectIntEQ(wc_ed25519_verify_msg(sig+1, siglen, msg, msglen, &verify_ok,
         &key), 0);
     ExpectIntEQ(verify_ok, 1);
 
     /* Test bad args. */
-    ExpectIntEQ(wc_ed25519_verify_msg(sig, siglen - 1, msg, msglen, &verify_ok,
-        &key), BAD_FUNC_ARG);
-    ExpectIntEQ(wc_ed25519_verify_msg(sig, siglen + 1, msg, msglen, &verify_ok,
-        &key), BAD_FUNC_ARG);
+    ExpectIntEQ(wc_ed25519_verify_msg(sig+1, siglen - 1, msg, msglen,
+        &verify_ok, &key), BAD_FUNC_ARG);
+    ExpectIntEQ(wc_ed25519_verify_msg(sig+1, siglen + 1, msg, msglen,
+        &verify_ok, &key), BAD_FUNC_ARG);
     ExpectIntEQ(wc_ed25519_verify_msg(NULL, siglen, msg, msglen, &verify_ok,
         &key), BAD_FUNC_ARG);
-    ExpectIntEQ(wc_ed25519_verify_msg(sig, siglen, NULL, msglen, &verify_ok,
+    ExpectIntEQ(wc_ed25519_verify_msg(sig+1, siglen, NULL, msglen, &verify_ok,
         &key), BAD_FUNC_ARG);
-    ExpectIntEQ(wc_ed25519_verify_msg(sig, siglen, msg, msglen, NULL, &key),
+    ExpectIntEQ(wc_ed25519_verify_msg(sig+1, siglen, msg, msglen, NULL, &key),
         BAD_FUNC_ARG);
-    ExpectIntEQ(wc_ed25519_verify_msg(sig, siglen, msg, msglen, &verify_ok,
+    ExpectIntEQ(wc_ed25519_verify_msg(sig+1, siglen, msg, msglen, &verify_ok,
         NULL), BAD_FUNC_ARG);
-    ExpectIntEQ(wc_ed25519_verify_msg(sig, badSigLen, msg, msglen, &verify_ok,
+    ExpectIntEQ(wc_ed25519_verify_msg(sig+1, badSigLen, msg, msglen, &verify_ok,
         &key), BAD_FUNC_ARG);
 #endif /* Verify. */
 

wolfcrypt/src/asn.c

@@ -33810,7 +33810,7 @@ int wc_Ed25519PrivateKeyDecode(const byte* input, word32* inOutIdx,
                                ed25519_key* key, word32 inSz)
 {
     int ret;
-    byte privKey[ED25519_KEY_SIZE], pubKey[ED25519_PUB_KEY_SIZE];
+    byte privKey[ED25519_KEY_SIZE], pubKey[2*ED25519_PUB_KEY_SIZE+1];
     word32 privKeyLen = (word32)sizeof(privKey);
     word32 pubKeyLen = (word32)sizeof(pubKey);
 
@@ -33836,7 +33836,7 @@ int wc_Ed25519PublicKeyDecode(const byte* input, word32* inOutIdx,
                               ed25519_key* key, word32 inSz)
 {
     int ret;
-    byte pubKey[ED25519_PUB_KEY_SIZE];
+    byte pubKey[2*ED25519_PUB_KEY_SIZE+1];
     word32 pubKeyLen = (word32)sizeof(pubKey);
 
     if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) {
@@ -34127,7 +34127,7 @@ int wc_Ed448PublicKeyDecode(const byte* input, word32* inOutIdx,
                               ed448_key* key, word32 inSz)
 {
     int ret;
-    byte pubKey[ED448_PUB_KEY_SIZE];
+    byte pubKey[2 * ED448_PUB_KEY_SIZE + 1];
     word32 pubKeyLen = (word32)sizeof(pubKey);
 
     if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) {

wolfcrypt/src/ed25519.c

@@ -187,7 +187,7 @@ int wc_ed25519_make_public(ed25519_key* key, unsigned char* pubKey,
                            word32 pubKeySz)
 {
     int   ret = 0;
-    byte  az[ED25519_PRV_KEY_SIZE];
+    ALIGN16 byte az[ED25519_PRV_KEY_SIZE];
 #if !defined(FREESCALE_LTC_ECC)
     ge_p3 A;
 #endif
@@ -296,14 +296,14 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
     ret = se050_ed25519_sign_msg(in, inLen, out, outLen, key);
 #else
 #ifdef FREESCALE_LTC_ECC
-    byte   tempBuf[ED25519_PRV_KEY_SIZE];
+    ALIGN16 byte tempBuf[ED25519_PRV_KEY_SIZE];
     ltc_pkha_ecc_point_t ltcPoint = {0};
 #else
     ge_p3  R;
 #endif
-    byte   nonce[WC_SHA512_DIGEST_SIZE];
-    byte   hram[WC_SHA512_DIGEST_SIZE];
-    byte   az[ED25519_PRV_KEY_SIZE];
+    ALIGN16 byte nonce[WC_SHA512_DIGEST_SIZE];
+    ALIGN16 byte hram[WC_SHA512_DIGEST_SIZE];
+    ALIGN16 byte az[ED25519_PRV_KEY_SIZE];
 
     /* sanity check on arguments */
     if (in == NULL || out == NULL || outLen == NULL || key == NULL ||
@@ -617,8 +617,8 @@ static int ed25519_verify_msg_final_with_sha(const byte* sig, word32 sigLen,
                                              int* res, ed25519_key* key,
                                              wc_Sha512 *sha)
 {
-    byte   rcheck[ED25519_KEY_SIZE];
-    byte   h[WC_SHA512_DIGEST_SIZE];
+    ALIGN16 byte rcheck[ED25519_KEY_SIZE];
+    ALIGN16 byte h[WC_SHA512_DIGEST_SIZE];
 #ifndef FREESCALE_LTC_ECC
     ge_p3  A;
     ge_p2  R;
@@ -1239,7 +1239,7 @@ int wc_ed25519_check_key(ed25519_key* key)
 {
     int ret = 0;
 #ifdef HAVE_ED25519_MAKE_KEY
-    unsigned char pubKey[ED25519_PUB_KEY_SIZE];
+    ALIGN16 unsigned char pubKey[ED25519_PUB_KEY_SIZE];
 
     if (!key->pubKeySet)
         ret = PUBLIC_KEY_E;

wolfcrypt/src/ge_operations.c

@@ -920,13 +920,13 @@ void sc_muladd(byte* s, const byte* a, const byte* b, const byte* c)
 int ge_compress_key(byte* out, const byte* xIn, const byte* yIn, word32 keySz)
 {
     ge_p2  g;
-    byte   bArray[ED25519_KEY_SIZE];
-    byte   x[ED25519_KEY_SIZE];
-    byte   y[ED25519_KEY_SIZE];
+    ALIGN16 byte bArray[ED25519_KEY_SIZE];
+    ALIGN16 byte x[ED25519_PUB_KEY_SIZE];
+    ALIGN16 byte y[ED25519_PUB_KEY_SIZE];
     word32 i;
 
-    XMEMCPY(x, xIn, ED25519_KEY_SIZE);
-    XMEMCPY(y, yIn, ED25519_KEY_SIZE);
+    XMEMCPY(x, xIn, ED25519_PUB_KEY_SIZE);
+    XMEMCPY(y, yIn, ED25519_PUB_KEY_SIZE);
     fe_frombytes(g.X, x);
     fe_frombytes(g.Y, y);
     fe_1(g.Z);

wolfcrypt/src/port/arm/armv8-32-aes-asm.S

@@ -1447,10 +1447,10 @@ L_AES_CTR_encrypt_loop_block_256:
 	ldr	r9, [lr, #4]
 	ldr	r10, [lr, #8]
 	ldr	r11, [lr, #12]
-	eor	r4, r8
-	eor	r5, r9
-	eor	r6, r10
-	eor	r7, r11
+	eor	r4, r4, r8
+	eor	r5, r5, r9
+	eor	r6, r6, r10
+	eor	r7, r7, r11
 	ldr	r8, [sp, #4]
 	str	r4, [r1]
 	str	r5, [r1, #4]
@@ -1489,10 +1489,10 @@ L_AES_CTR_encrypt_loop_block_192:
 	ldr	r9, [lr, #4]
 	ldr	r10, [lr, #8]
 	ldr	r11, [lr, #12]
-	eor	r4, r8
-	eor	r5, r9
-	eor	r6, r10
-	eor	r7, r11
+	eor	r4, r4, r8
+	eor	r5, r5, r9
+	eor	r6, r6, r10
+	eor	r7, r7, r11
 	ldr	r8, [sp, #4]
 	str	r4, [r1]
 	str	r5, [r1, #4]
@@ -1531,10 +1531,10 @@ L_AES_CTR_encrypt_loop_block_128:
 	ldr	r9, [lr, #4]
 	ldr	r10, [lr, #8]
 	ldr	r11, [lr, #12]
-	eor	r4, r8
-	eor	r5, r9
-	eor	r6, r10
-	eor	r7, r11
+	eor	r4, r4, r8
+	eor	r5, r5, r9
+	eor	r6, r6, r10
+	eor	r7, r7, r11
 	ldr	r8, [sp, #4]
 	str	r4, [r1]
 	str	r5, [r1, #4]
@@ -3172,10 +3172,10 @@ L_AES_GCM_encrypt_loop_block_256:
 	ldr	r9, [lr, #4]
 	ldr	r10, [lr, #8]
 	ldr	r11, [lr, #12]
-	eor	r4, r8
-	eor	r5, r9
-	eor	r6, r10
-	eor	r7, r11
+	eor	r4, r4, r8
+	eor	r5, r5, r9
+	eor	r6, r6, r10
+	eor	r7, r7, r11
 	ldr	r8, [sp, #4]
 	str	r4, [r1]
 	str	r5, [r1, #4]
@@ -3211,10 +3211,10 @@ L_AES_GCM_encrypt_loop_block_192:
 	ldr	r9, [lr, #4]
 	ldr	r10, [lr, #8]
 	ldr	r11, [lr, #12]
-	eor	r4, r8
-	eor	r5, r9
-	eor	r6, r10
-	eor	r7, r11
+	eor	r4, r4, r8
+	eor	r5, r5, r9
+	eor	r6, r6, r10
+	eor	r7, r7, r11
 	ldr	r8, [sp, #4]
 	str	r4, [r1]
 	str	r5, [r1, #4]
@@ -3250,10 +3250,10 @@ L_AES_GCM_encrypt_loop_block_128:
 	ldr	r9, [lr, #4]
 	ldr	r10, [lr, #8]
 	ldr	r11, [lr, #12]
-	eor	r4, r8
-	eor	r5, r9
-	eor	r6, r10
-	eor	r7, r11
+	eor	r4, r4, r8
+	eor	r5, r5, r9
+	eor	r6, r6, r10
+	eor	r7, r7, r11
 	ldr	r8, [sp, #4]
 	str	r4, [r1]
 	str	r5, [r1, #4]