Commit 8c68d99
Fix s_ocb_done aliasing bug in decrypt path

In decrypt mode (mode==1), s_ocb_done was XORing `ct[x]` into the
checksum before writing the output. The function's parameter names are
misleading (the header comment notes pt/ct really mean in/out), so in
decrypt mode `ct` is the not-yet-written *output* buffer and `pt` is
the *input* ciphertext. Reading from `ct` only worked when callers
aliased the input and output buffers (in-place decryption), as the
self-test does. Callers passing distinct buffers got CRYPT_OK with
stat=0 -- correct plaintext but failed tag verification.

Fix by reading from `pt[x]` (the input). Add a separate-buffer
regression case to ocb_test that runs against every existing test
vector and was confirmed to fail without the fix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

1 parent e5bfb94 commit 8c68d99
2 files changed, +31 -4 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
158 | 158 | | |
159 | 159 | | |
160 | 160 | | |
161 | | - | |
| 161 | + | |
162 | 162 | | |
163 | 163 | | |
164 | 164 | | |
| |||
179 | 179 | | |
180 | 180 | | |
181 | 181 | | |
| 182 | + | |
| 183 | + | |
| 184 | + | |
| 185 | + | |
| 186 | + | |
| 187 | + | |
| 188 | + | |
| 189 | + | |
| 190 | + | |
| 191 | + | |
| 192 | + | |
| 193 | + | |
| 194 | + | |
| 195 | + | |
| 196 | + | |
| 197 | + | |
| 198 | + | |
| 199 | + | |
| 200 | + | |
182 | 201 | | |
183 | 202 | | |
184 | 203 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
77 | 77 | | |
78 | 78 | | |
79 | 79 | | |
80 | | - | |
81 | | - | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
82 | 90 | | |
83 | | - | |
| 91 | + | |
84 | 92 | | |
85 | 93 | | |
86 | 94 | | |
| |||