libica/libica-3.0.2-03-fix-aes-ctr.patch

From: Patrick Steuer <patrick.steuer@de.ibm.com>
Subject: fix aes-ctr.
Patch-mainline: v3.1.1
Git-commit: 6b9da36a0e616025bc80615d66ba735ec558e263
References: LTC#158531

Description:  libica: AES-GCM/CCM sometimes compute wrong tag values
Symptom:      When the tag values of (unmodified) data are wrong, it is
              (wrongly) indicated that the data has been modified.
Problem:      With AES-GCM in-place decryption, the tag is computed from the
              plaintext. With AES-CCM in-place encryption, the tag is computed
              from the ciphertext.
Solution:     AES-GCM decryption always computes the tag from the ciphertext.
              AES-CCM encryption always computes the tag from the plaintext.
Reproduction: When used with the ibmca 1.4 openssl engine (which enables
              libica's AES-GCM for libcrypto): (1) A SSH connection fails
              using an AES-GCM based cipher-suite, (2) A connection of
              openssl's s_client and s_server using an AES-GCM based
              cipher-suite fails.

Upstream-Description:

    fix aes-ctr.

    aes-ctr incremented the counter even if it was called with zero
    input. aes-gcm with non-zero aad and zero pt/ct (ghash) called
    aes-ctr with zero input, whereby the counter was erroneously
    incremented.

    Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
---
 src/include/s390_aes.h |    3 +++
 1 file changed, 3 insertions(+)

--- a/src/include/s390_aes.h
+++ b/src/include/s390_aes.h
@@ -110,6 +110,9 @@ static inline int s390_aes_ctr(unsigned 
 
 	int rc = 0;
 
+	if (data_length == 0)
+		return 0;
+
 	if (data_length <= AES_BLOCK_SIZE) {
 		/* short message handling */
 		rc = s390_aes_ctrlist(fc, data_length, in_data, ctr,