authorTodd Short <todd.short@me.com>2022-07-31 21:24:13 -0400
committerTomas Mraz <tomas@openssl.org>2022-08-01 10:23:57 +0200
commit6f74677911de87f3271721073bd360806a93733f (patch)
treee7f200219bf1681a31519bf3bfdf808f288f2616 /providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c
parent76ad9ae6fa459af0bd804c01d3d681ec02cddb4b (diff)
Fix AES-GCM-SIV endian issues
Fixes #18911 `BSWAP`x/`GETU`xx are no-ops on big-endian. Change the byte swapper. Fix big-endian issues in the `mulx_ghash()` function Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18920)
Diffstat (limited to 'providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c')
-rw-r--r--providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c b/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c
index 9ee5c32f4f..9887e1c3a4 100644
--- a/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c
+++ b/providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c
@@ -64,7 +64,7 @@ static int aes_gcm_siv_initkey(void *vctx)
if (IS_LITTLE_ENDIAN) {
data.counter = counter;
} else {
- data.counter = BSWAP4(counter);
+ data.counter = GSWAP4(counter);
}
/* Block size is 16 (128 bits), but only 8 bytes are used */
out_len = BLOCK_SIZE;
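Review bot: The `else` branch gives no reason for using `GSWAP4` rather than `BSWAP4`, and the names differ by one letter, so a later cleanup could silently revert the fix. According to the commit message `BSWAP`x is a no-op on big-endian builds, while the key-derivation block needs the counter as a 32-bit little-endian value (RFC 8452); I would add `/* counter is encoded little-endian; BSWAP4 is a no-op on big-endian builds, so use GSWAP4 */` above the assignment. The same comment fits the identical branch in the second `aes_gcm_siv_initkey` hunk and the `GSWAP4` calls in both `aes_gcm_siv_ctr32` hunks. The definition of `GSWAP4` is not part of this file's diff, so the wording should be checked against it; `aes_gcm_siv_initkey` itself continues outside the hunk.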
@@ -79,7 +79,7 @@ static int aes_gcm_siv_initkey(void *vctx)
if (IS_LITTLE_ENDIAN) {
data.counter = counter;
} else {
- data.counter = BSWAP4(counter);
+ data.counter = GSWAP4(counter);
}
/* Block size is 16 bytes (128 bits), but only 8 bytes are used */
out_len = BLOCK_SIZE;
@@ -169,8 +169,8 @@ static int aes_gcm_siv_encrypt(PROV_AES_GCM_SIV_CTX *ctx, const unsigned char *i
len_blk[0] = (uint64_t)ctx->aad_len * 8;
len_blk[1] = (uint64_t)len * 8;
} else {
- len_blk[0] = BSWAP8((uint64_t)ctx->aad_len * 8);
- len_blk[1] = BSWAP8((uint64_t)len * 8);
+ len_blk[0] = GSWAP8((uint64_t)ctx->aad_len * 8);
+ len_blk[1] = GSWAP8((uint64_t)len * 8);
}
memset(S_s, 0, TAG_SIZE);
ossl_polyval_ghash_init(ctx->Htable, (const uint64_t*)ctx->msg_auth_key);
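Review bot: The two `GSWAP8` lines build the length block, which in the RFC 8452 construction is a POLYVAL input and therefore determines the tag, yet they run only on big-endian hosts and this page shows only this one file, so I cannot see a test that reaches them. Before relying on this path I would want the RFC 8452 known-answer vectors run on a big-endian target, since a wrong swap here surfaces as a tag mismatch against other implementations rather than as a crash. The identical branch in the `aes_gcm_siv_decrypt` hunk has the same exposure, and because the two copies must stay in agreement a comment such as `/* length block: two 64-bit little-endian bit counts (AAD, then text) */` on each would help. Both functions continue outside their hunks.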
@@ -235,8 +235,8 @@ static int aes_gcm_siv_decrypt(PROV_AES_GCM_SIV_CTX *ctx, const unsigned char *i
len_blk[0] = (uint64_t)ctx->aad_len * 8;
len_blk[1] = (uint64_t)len * 8;
} else {
- len_blk[0] = BSWAP8((uint64_t)ctx->aad_len * 8);
- len_blk[1] = BSWAP8((uint64_t)len * 8);
+ len_blk[0] = GSWAP8((uint64_t)ctx->aad_len * 8);
+ len_blk[1] = GSWAP8((uint64_t)len * 8);
}
memset(S_s, 0, TAG_SIZE);
ossl_polyval_ghash_init(ctx->Htable, (const uint64_t*)ctx->msg_auth_key);
@@ -350,7 +350,7 @@ static int aes_gcm_siv_ctr32(PROV_AES_GCM_SIV_CTX *ctx, const unsigned char *ini
memcpy(&block, init_counter, sizeof(block));
if (IS_BIG_ENDIAN) {
- counter = BSWAP4(block.x32[0]);
+ counter = GSWAP4(block.x32[0]);
}
for (i = 0; i < len; i += sizeof(block)) {
@@ -360,7 +360,7 @@ static int aes_gcm_siv_ctr32(PROV_AES_GCM_SIV_CTX *ctx, const unsigned char *ini
block.x32[0]++;
} else {
counter++;
- block.x32[0] = BSWAP4(counter);
+ block.x32[0] = GSWAP4(counter);
}
todo = len - i;
if (todo > sizeof(keystream))