bugfix: if the len of iv is not 96-bit, y0 can be calculated incorrectly.

An initialization vector (IV) can have any number of bits between 1 and
2^64. So its bit length should be written as a 64-bit value into the lower
64 bits in the last step when computing GHASH.

Signed-off-by: openluopworld <luopengxq@gmail.com>
This commit is contained in:
openluopworld 2021-09-22 23:59:42 +08:00
parent eb009232c0
commit eab65acca4


@ -254,6 +254,7 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
size_t i;
const unsigned char *p;
size_t use_len, olen = 0;
uint64_t iv_bits;
GCM_VALIDATE_RET( ctx != NULL );
GCM_VALIDATE_RET( iv != NULL );
@ -278,7 +279,8 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
else
{
memset( work_buf, 0x00, 16 );
MBEDTLS_PUT_UINT64_BE( iv_len * 8, work_buf, 8 );
iv_bits = (uint64_t)iv_len * 8;
MBEDTLS_PUT_UINT64_BE( iv_bits, work_buf, 8 );
p = iv;
while( iv_len > 0 )