From eab65acca45c6287799877aaed0c30341687f330 Mon Sep 17 00:00:00 2001
From: openluopworld
Date: Wed, 22 Sep 2021 23:59:42 +0800
Subject: [PATCH] bugfix: if the len of iv is not 96-bit, y0 can be calculated incorrectly.
An initialization vector IV can have any number of bits between 1 and 2^64. So it should be filled to the lower 64-bit in the last step when computing ghash.
Signed-off-by: openluopworld
---
library/gcm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/library/gcm.c b/library/gcm.c
index 0e402dd8ca..4c0a44e413 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -254,6 +254,7 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
 size_t i;
 const unsigned char *p;
 size_t use_len, olen = 0;
+ uint64_t iv_bits;
 GCM_VALIDATE_RET( ctx != NULL );
 GCM_VALIDATE_RET( iv != NULL );
@@ -278,7 +279,8 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
 else
 {
 memset( work_buf, 0x00, 16 );
- MBEDTLS_PUT_UINT64_BE( iv_len * 8, work_buf, 8 );
+ iv_bits = (uint64_t)iv_len * 8;
+ MBEDTLS_PUT_UINT64_BE( iv_bits, work_buf, 8 );
 p = iv;
 while( iv_len > 0 )
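Review bot: The widening cast in `iv_bits = (uint64_t)iv_len * 8;` needs a one-line comment stating why it is there, because the commit message ("if the len of iv is not 96-bit") is broader than the actual defect and a later cleanup could fold the expression back into the macro argument. From the visible lines, `iv_len * 8` is only miscomputed when `size_t` is narrower than 64 bits: the product wraps in 32-bit arithmetic, and if `MBEDTLS_PUT_UINT64_BE` expands to per-byte right shifts of its first argument (as the library's macro does), shifting a 32-bit operand by 32..56 bits is undefined behaviour rather than merely a truncated bit length, so the GHASH length block and hence y0 are wrong on such targets. Suggest `/* Widen before multiplying: with a 32-bit size_t, iv_len * 8 would wrap and the macro's >> 56 would be UB. */` above the new line. The enclosing `if`/`else` and the `while` loop that follows continue outside the hunk, so whether the upper bound on `iv_len` that mbedtls normally checks earlier in this function still precedes this block cannot be confirmed from here.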