From f763e1351446da952c54e0ea85ec26a436cf4815 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 14 Jun 2021 14:30:48 +0200
Subject: Correct processing of AES-SHA stitched ciphers

Fixes: #15706

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15740)
---
 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c
index 14fbf63b03..24349df159 100644
--- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c
+++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c
@@ -733,7 +733,7 @@ static int aesni_cbc_hmac_sha256_set_tls1_aad(void *vctx,
             if (len < AES_BLOCK_SIZE)
                 return 0;
             len -= AES_BLOCK_SIZE;
-            p[aad_len] = len >> 8;
+            p[aad_len - 2] = len >> 8;
             p[aad_len - 1] = len;
         }
         sctx->md = sctx->head;
-- 
cgit v1.2.3