From: Richard Levitte <levitte@openssl.org>
Date: Sun, 11 Nov 2018 11:23:26 +0000 (+0100)
Subject: Fix SipHash init order.
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=425036130dfb3cfbef5937772f7526ce60133264;p=openssl

Fix SipHash init order.

Setting the SipHash hash size and setting its key is done with two
independent functions...  and yet, the internals depend on both.

Unfortunately, the function to change the size wasn't adapted for the
possibility that the key was set first, with a different hash size.

This changes the hash setting function to fix the internal values
(which is easy, fortunately) according to the hash size.

evpmac.txt value for digestsize:8 is also corrected.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7613)
---

diff --git a/crypto/siphash/siphash.c b/crypto/siphash/siphash.c
index ff84a29f82..be74a38d93 100644
--- a/crypto/siphash/siphash.c
+++ b/crypto/siphash/siphash.c
@@ -94,7 +94,19 @@ int SipHash_set_hash_size(SIPHASH *ctx, size_t hash_size)
         && hash_size != SIPHASH_MAX_DIGEST_SIZE)
         return 0;
 
-    ctx->hash_size = hash_size;
+    /*
+     * It's possible that the key was set first.  If the hash size changes,
+     * we need to adjust v1 (see SipHash_Init().
+     */
+
+    /* Start by adjusting the stored size, to make things easier */
+    ctx->hash_size = siphash_adjust_hash_size(ctx->hash_size);
+
+    /* Now, adjust ctx->v1 if the old and the new size differ */
+    if ((size_t)ctx->hash_size != hash_size) {
+        ctx->v1 ^= 0xee;
+        ctx->hash_size = hash_size;
+    }
     return 1;
 }
 
diff --git a/test/recipes/30-test_evp_data/evpmac.txt b/test/recipes/30-test_evp_data/evpmac.txt
index 640e1a125d..1d635ba54b 100644
--- a/test/recipes/30-test_evp_data/evpmac.txt
+++ b/test/recipes/30-test_evp_data/evpmac.txt
@@ -134,7 +134,7 @@ MAC = SipHash
 Ctrl = digestsize:8
 Key = 000102030405060708090A0B0C0D0E0F
 Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E
-Output = B96AB0B9D449A78A
+Output = 724506EB4C328A95
 
 # SIPHASH - default values: 2,4 rounds, explicit 16-byte mac