Use correct counter after invoking stitched AES-NI GCM code.
Commita3d9528e9e
has a bug that could cause counters to be reused if |$avx=2| were set in the AES-NI AES-GCM assembly code, if the EVP interface were used with certain coding patterns, as demonstrated by the test cases added ina5ee83f67e
. This changes the encryption code in the same way the decryption code was changed ina3d9528e9e
. This doesn't have any effect currently since the AES-NI AES-GCM code has |$avx=0| now, so |aesni_gcm_encrypt| doesn't change the counter. Change-Id: Iba69cb4d2043d1ea57c6538b398246af28cba006 Reviewed-on: https://boringssl-review.googlesource.com/7193 Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
6234a7f3a7
commit
b4e3e694e8
@ -1003,12 +1003,6 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const void *key,
|
|||||||
ctx->ares = 0;
|
ctx->ares = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (is_endian.little) {
|
|
||||||
ctr = GETU32(ctx->Yi.c + 12);
|
|
||||||
} else {
|
|
||||||
ctr = ctx->Yi.d[3];
|
|
||||||
}
|
|
||||||
|
|
||||||
n = ctx->mres;
|
n = ctx->mres;
|
||||||
if (n) {
|
if (n) {
|
||||||
while (n && len) {
|
while (n && len) {
|
||||||
@ -1035,6 +1029,12 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const void *key,
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
if (is_endian.little) {
|
||||||
|
ctr = GETU32(ctx->Yi.c + 12);
|
||||||
|
} else {
|
||||||
|
ctr = ctx->Yi.d[3];
|
||||||
|
}
|
||||||
|
|
||||||
#if defined(GHASH)
|
#if defined(GHASH)
|
||||||
while (len >= GHASH_CHUNK) {
|
while (len >= GHASH_CHUNK) {
|
||||||
(*stream)(in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
|
(*stream)(in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
|
||||||
|
Loading…
Reference in New Issue
Block a user