modes/ctr128.c: fix false carry in counter increment procedure.

GH issue #1916 affects only big-endian platforms. TLS is not affected,
because TLS fragment is never big enough.

Reviewed-by: Matt Caswell <matt@openssl.org>

diff --git a/crypto/modes/ctr128.c b/crypto/modes/ctr128.c
index b7ffb73ab7312f0ea30df30a986475a43ffc3fca..03920b447333eaef3ce68dced46d0bccc5aa3568 100644 (file)
--- a/crypto/modes/ctr128.c
+++ b/crypto/modes/ctr128.c
@@ -52,7 +52,7 @@ static void ctr128_inc_aligned(unsigned char *counter)
         --n;
         d = data[n] += c;
         /* did addition carry? */
-        c = ((d - c) ^ d) >> (sizeof(size_t) * 8 - 1);
+        c = ((d - c) & ~d) >> (sizeof(size_t) * 8 - 1);
     } while (n);
 }
 #endif