CRYPTO_gcm128_decrypt: fix mac or tag calculation

The incorrect code is in #ifdef branch that is normally
not compiled in.

Signed-off-by: Zhang Jinde <zjd5536@163.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12968)

(cherry picked from commit 1d724b5e82ba36fb50fd24db3cd664da570daf84)

diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
index 0c0bf3cda5b5d1532693261d53fd1e3a11259966..4b29ead08c2be4aa650603340456bdeba0c80546 100644 (file)
--- a/crypto/modes/gcm128.c
+++ b/crypto/modes/gcm128.c
@@ -1385,8 +1385,8 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
                 else
                     ctx->Yi.d[3] = ctr;
                 for (i = 0; i < 16 / sizeof(size_t); ++i) {
-                    size_t c = in[i];
-                    out[i] = c ^ ctx->EKi.t[i];
+                    size_t c = in_t[i];
+                    out_t[i] = c ^ ctx->EKi.t[i];
                     ctx->Xi.t[i] ^= c;
                 }
                 GCM_MUL(ctx);