Description
I am creating this issue as a warning that keccak-tiny unfortunately assumes little-endian (will produce incorrect results on big-endian architectures), violates C strict aliasing rules (might produce incorrect results in some builds even on little-endian architectures such as x86), and assumes non-guaranteed alignment of a stack variable (might crash in some builds/invocations on many non-x86 architectures).
Edit: on x86(-64) this code should be safe if you build with gcc -fno-strict-aliasing.
Specifically:
```c
static inline void keccakf(void* state) {
  uint64_t* a = (uint64_t*)state;
```
has all 3 problems mentioned above, because `keccakf()` is passed a pointer to `uint8_t a[Plen] = {0};`, which is a local variable in `hash()`. Endianness is also assumed in usage of the `setout` macro.
The Tor project made an attempt at fixing these issues in their copy of keccak-tiny-unrolled.c (only):
https://gitweb.torproject.org/tor.git/log/src/ext/keccak-tiny
Although many other projects also use this code, I wasn't quickly able to find a single one besides Tor that would fix any of these issues.
Sadly, this upstream implementation of keccak-tiny won't get updated:
https://twitter.com/bcrypt/status/718981647308181504
> yan (@bcrypt), 10 Apr 2016:
> greatly saddened to learn that David Leon Gil, a friend and major contributor to open source crypto, has passed away.
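An added example, not code from keccak-tiny or from Tor's copy: one way to move bytes in and out of a `uint64_t` lane array without the `(uint64_t*)` cast the issue describes, so the result does not depend on host byte order, buffer alignment, or aliasing assumptions. All function names here are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Read 8 bytes as one little-endian 64-bit lane. Byte-wise access is valid
 * at any alignment, on any host byte order, and under strict aliasing. */
static uint64_t load64_le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Write one 64-bit lane as 8 little-endian bytes. */
static void store64_le(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) {
        p[i] = (uint8_t)(v & 0xff);
        v >>= 8;
    }
}

/* XOR an input block into the state, which is declared as uint64_t[25]
 * (so it is correctly aligned) instead of as a uint8_t array that gets cast.
 * Assumption: len is a multiple of 8 and at most 8 * 25. */
static void xor_block_le(uint64_t lanes[25], const uint8_t *in, size_t len) {
    for (size_t i = 0; i < len / 8; i++)
        lanes[i] ^= load64_le(in + 8 * i);
}

/* Copy the first len bytes of the state out in little-endian lane order,
 * the byte order Keccak defines for its lanes. */
static void squeeze_le(uint8_t *out, const uint64_t lanes[25], size_t len) {
    uint8_t lane[8];
    for (size_t i = 0; i < len; i++) {
        if (i % 8 == 0)
            store64_le(lane, lanes[i / 8]);
        out[i] = lane[i % 8];
    }
}
```

Mainstream compilers typically reduce the byte loops to a single load or store on little-endian targets, so the portable form usually costs nothing there.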