modes/ctr128.c: fix false carry in counter increment procedure.

GH issue #1916 affects only big-endian platforms. TLS is not affected,
because TLS fragment is never big enough.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 76f572ed0469a277d92378848250b7a9705d3071)

diff --git a/crypto/modes/ctr128.c b/crypto/modes/ctr128.c
index bcafd6b6bfb16955a6860667c5ff6da1c7bfa907..d4b22728e623d7647a6262e37c53148a170faa22 100644 (file)
--- a/crypto/modes/ctr128.c
+++ b/crypto/modes/ctr128.c
@@ -100,7 +100,7 @@ static void ctr128_inc_aligned(unsigned char *counter)
         --n;
         d = data[n] += c;
         /* did addition carry? */
-        c = ((d - c) ^ d) >> (sizeof(size_t) * 8 - 1);
+        c = ((d - c) & ~d) >> (sizeof(size_t) * 8 - 1);
     } while (n);
 }
 #endif