From 08fd463ee45a0332f469a6de5acc977a50672999 Mon Sep 17 00:00:00 2001 From: openluopworld Date: Sun, 19 Sep 2021 11:18:04 +0800 Subject: [PATCH] bugfix: if the len of iv is not 96-bit, y0 can be calculated incorrectly An initialization vector IV can have any number of bits between 1 and 2^64. So it should be filled to the lower 64-bit in the last step when computing ghash. Signed-off-by: openluopworld --- library/gcm.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/library/gcm.c b/library/gcm.c index 0810fd220..e1c1c7d51 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -278,8 +278,7 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx, else { memset( work_buf, 0x00, 16 ); - MBEDTLS_PUT_UINT32_BE( iv_len >> 29, work_buf, 8 ); - MBEDTLS_PUT_UINT32_BE( iv_len << 3, work_buf, 12 ); + MBEDTLS_PUT_UINT64_BE( iv_len * 8, work_buf, 8 ); p = iv; while( iv_len > 0 )
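Review bot: the replacement line `MBEDTLS_PUT_UINT64_BE( iv_len * 8, work_buf, 8 );` in the `mbedtls_gcm_starts` hunk performs the multiplication at the width of `iv_len` (a `size_t`) before the macro sees the value, so on a platform with a 32-bit `size_t` the bit count wraps for any IV of 2^29 bytes or more, whereas the removed pair `MBEDTLS_PUT_UINT32_BE( iv_len >> 29, work_buf, 8 );` / `MBEDTLS_PUT_UINT32_BE( iv_len << 3, work_buf, 12 );` already assembled the 64-bit big-endian bit length from two halves without that overflow. Suggest widening first, e.g. `MBEDTLS_PUT_UINT64_BE( (uint64_t) iv_len * 8, work_buf, 8 );`, and, since the two 32-bit halves and the single 64-bit write encode the same value for lengths that fit, the commit message should name the concrete IV length for which the old code produced a wrong y0 so the fix can be verified with a test vector.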