author | moneromooo-monero <moneromooo-monero@users.noreply.github.com> | 2019-07-02 21:07:49 +0000 |
---|---|---|
committer | moneromooo-monero <moneromooo-monero@users.noreply.github.com> | 2019-07-04 22:13:16 +0000 |
commit | c2238327d0c20f2a1e601ec120db51a13cebfc35 (patch) | |
tree | 2fd87e79f624ed7f32df0a8966ce7a87124ae1cd | |
parent | Merge pull request #5641 (diff) | |
download | monero-c2238327d0c20f2a1e601ec120db51a13cebfc35.tar.xz |
keccak: guard against misaligned memory accesses on ARM
The code generated is exactly the same as the direct access
one on x86_64
Diffstat (limited to '')
-rw-r--r-- | src/crypto/keccak.c | 9 | ||||
-rw-r--r-- | tests/unit_tests/keccak.cpp | 17 |
2 files changed, 23 insertions, 3 deletions
diff --git a/src/crypto/keccak.c b/src/crypto/keccak.c
index 18ed3152f..851c70a25 100644
--- a/src/crypto/keccak.c
+++ b/src/crypto/keccak.c
@@ -105,9 +105,12 @@ void keccak(const uint8_t *in, size_t inlen, uint8_t *md, int mdlen)
 memset(st, 0, sizeof(st));
 for ( ; inlen >= rsiz; inlen -= rsiz, in += rsiz) {
- for (i = 0; i < rsizw; i++)
- st[i] ^= swap64le(((uint64_t *) in)[i]);
- keccakf(st, KECCAK_ROUNDS);
+ for (i = 0; i < rsizw; i++) {
+ uint64_t ina;
+ memcpy(&ina, in + i * 8, 8);
+ st[i] ^= swap64le(ina);
+ }
+ keccakf(st, KECCAK_ROUNDS);
 }
 // last block and padding
diff --git a/tests/unit_tests/keccak.cpp b/tests/unit_tests/keccak.cpp
index 37da65d76..f4d41a8fa 100644
--- a/tests/unit_tests/keccak.cpp
+++ b/tests/unit_tests/keccak.cpp
@@ -148,3 +148,20 @@ TEST(keccak, 137_and_1_136)
 TEST_KECCAK(137, chunks);
 }
+TEST(keccak, alignment)
+{
+ uint8_t data[6064];
+ __attribute__ ((aligned(16))) char adata[6000];
+
+ for (size_t i = 0; i < sizeof(data) / sizeof(data[0]); ++i)
+ data[i] = i & 1;
+
+ uint8_t md[32], amd[32];
+ for (int offset = 0; offset < 64; ++offset)
+ {
+ memcpy(adata, data + offset, 6000);
+ keccak((const uint8_t*)&data[offset], 6000, md, 32);
+ keccak((const uint8_t*)adata, 6000, amd, 32);
+ ASSERT_TRUE(!memcmp(md, amd, 32));
+ }
+} |
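Review bot: The new load in the whole-block loop hard-codes the word size twice as `8` and carries no comment saying why memcpy is used, so a later cleanup could easily restore the `(uint64_t *)` cast. I would write it as `memcpy(&ina, in + i * sizeof(ina), sizeof(ina));` with a comment such as `/* in may be unaligned: a direct uint64_t load is undefined behaviour and can fault on ARM */`. This loop only absorbs whole blocks; the `// last block and padding` path begins at the end of the hunk and its body is not visible here, so it is worth confirming that it does not still read its buffer through a `(uint64_t *)` cast. keccak() starts and ends outside the hunk.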
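Review bot: The alignment test cannot fail on a target that tolerates unaligned loads, because it only compares two keccak() outputs against each other; on x86_64 it would pass with or without the fix. It therefore guards the change only on strict-alignment hardware or when the suite is built with an alignment sanitizer such as `-fsanitize=alignment`, which deserves a comment above the test, for example `// only meaningful on strict-alignment targets or under an alignment sanitizer`. Separately, `__attribute__ ((aligned(16)))` is compiler-specific, and `alignas(16) char adata[6000];` is the standard C++11 spelling. The repeated literals 6000 and 32 would also be safer as `sizeof(adata)` and `sizeof(md)` so that the copy and both calls cannot drift apart.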