bugfix: if the IV length is not 96 bits, GHASH is used to compute Y0.
An initialization vector (IV) can have any number of bits between 1 and
2^64. So its bit length must be written into the lower 64 bits in the
last step of the GHASH computation.
Signed-off-by: openluopworld <luopengxq@gmail.com>
diff --git a/library/gcm.c b/library/gcm.c
index b575c8f..0810fd2 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -254,7 +254,6 @@
size_t i;
const unsigned char *p;
size_t use_len, olen = 0;
- size_t iv_bits;
GCM_VALIDATE_RET( ctx != NULL );
GCM_VALIDATE_RET( iv != NULL );
@@ -279,9 +278,8 @@
else
{
memset( work_buf, 0x00, 16 );
- iv_bits = iv_len << 3;
- MBEDTLS_PUT_UINT32_BE( (iv_bits >> 32), work_buf, 8 );
- MBEDTLS_PUT_UINT32_BE( iv_bits, work_buf, 12 );
+ MBEDTLS_PUT_UINT32_BE( iv_len >> 29, work_buf, 8 );
+ MBEDTLS_PUT_UINT32_BE( iv_len << 3, work_buf, 12 );
p = iv;
while( iv_len > 0 )
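Review bot: The two stores on lines 24–25 encode 8*iv_len as a 64-bit big-endian field only while iv_len < 2^61; with a 64-bit size_t a longer IV makes `iv_len << 3` wrap silently and the GHASH length block is wrong, whereas SP 800-38D bounds len(IV) below 2^64 bits. Nothing in this hunk rejects such lengths, and mbedtls_gcm_starts begins before the hunk and ends after it, so unless an earlier check exists the precondition should be enforced at the top of the function, e.g. `if( iv_len == 0 || (uint64_t) iv_len >> 61 != 0 ) return( MBEDTLS_ERR_GCM_BAD_INPUT );` (the zero case matches the 1..2^64-bit range the commit message cites). The new split also avoids the shift by the full type width that the removed `iv_bits >> 32` performed when size_t is 32 bits, which is why the arithmetic looks odd; a comment on line 24 such as `/* len(IV) in bits as a 64-bit big-endian field: high word = iv_len >> 29, low word = low 32 bits of iv_len << 3 */` would make it clear to the next reader.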