From 2beb5f302a9ebe313fe1b93d43ec4add7bb9f9d0 Mon Sep 17 00:00:00 2001
From: openluopworld
Date: Fri, 17 Sep 2021 16:40:22 +0800
Subject: [PATCH] bugfix: if the len of iv is not 96-bit, ghash is used to compute y0.

An initialization vector IV can have any number of bits between 1 and 2^64. So it should be filled to the lower 64-bit in the last step when computing ghash.

Signed-off-by: openluopworld
---
 library/gcm.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/library/gcm.c b/library/gcm.c
index 910646b281..b575c8f316 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -254,6 +254,7 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
     size_t i;
     const unsigned char *p;
     size_t use_len, olen = 0;
+    size_t iv_bits;
 
     GCM_VALIDATE_RET( ctx != NULL );
     GCM_VALIDATE_RET( iv != NULL );
@@ -278,7 +279,9 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
     else
     {
         memset( work_buf, 0x00, 16 );
-        MBEDTLS_PUT_UINT32_BE( iv_len * 8, work_buf, 12 );
+        iv_bits = iv_len << 3;
+        MBEDTLS_PUT_UINT32_BE( (iv_bits >> 32), work_buf, 8 );
+        MBEDTLS_PUT_UINT32_BE( iv_bits, work_buf, 12 );
         p = iv;
         while( iv_len > 0 )
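Review bot: The declaration `size_t iv_bits;` added in the first hunk makes the `iv_bits >> 32` in the second hunk depend on the width of size_t: on a target where size_t is 32 bits that is a shift by the full width of the type, which is undefined behaviour, so what lands in work_buf[8..11] (the high word of the 64-bit len(IV) that GHASH expects) is compiler-dependent rather than zero. Declare it as `uint64_t iv_bits;` and compute it as `iv_bits = (uint64_t) iv_len * 8;` so both halves are well-defined on every platform; uint64_t appears to be in use elsewhere in this file for the GCM multiplication tables, so no new include should be needed. The multiply also reads closer to the spec's 64-bit bit-length than `iv_len << 3`. mbedtls_gcm_starts begins before the first hunk and its body continues past the end of the second.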