From: Andy Polyakov <appro@openssl.org>
Date: Sun, 20 Nov 2016 22:38:12 +0000 (+0100)
Subject: modes/ctr128.c: fix false carry in counter increment procedure.
X-Git-Tag: OpenSSL_1_0_2k~31
X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=f47201b3279b3fd16f90ba512e5b203e4944b30c

modes/ctr128.c: fix false carry in counter increment procedure.

GH issue #1916 affects only big-endian platforms. TLS is not affected,
because TLS fragment is never big enough.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 76f572ed0469a277d92378848250b7a9705d3071)
---

diff --git a/crypto/modes/ctr128.c b/crypto/modes/ctr128.c
index bcafd6b6bf..d4b22728e6 100644
--- a/crypto/modes/ctr128.c
+++ b/crypto/modes/ctr128.c
@@ -100,7 +100,7 @@ static void ctr128_inc_aligned(unsigned char *counter)
         --n;
         d = data[n] += c;
         /* did addition carry? */
-        c = ((d - c) ^ d) >> (sizeof(size_t) * 8 - 1);
+        c = ((d - c) & ~d) >> (sizeof(size_t) * 8 - 1);
     } while (n);
 }
 #endif