From 1dfa221e51f3c5cae10eac71657f4ad1dbc4d91c Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Tue, 16 Jan 2024 13:36:33 +0000
Subject: [PATCH] utils/gcm-ref (poly64_mul_simple): Pad v based on the length of v.

Not the already-padded length of u, which doesn't make any sense. Now we actually calculate 96-bit products correctly using the `poly64' multiplication machinery.
---
 utils/gcm-ref | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/gcm-ref b/utils/gcm-ref
index ec25bb8d..03672412 100755
--- a/utils/gcm-ref
+++ b/utils/gcm-ref
@@ -281,7 +281,7 @@ def poly64_mul_simple(u, v, presfn, wd, dispwd, mulwd, uwhat, vwhat):
   ## straightforward except for the 96-bit case, where we end up with two
   ## short pieces which we pad at the beginning.
   if uw%mulwd: pad = (-uw)%mulwd; u += C.ByteString.zero(pad); uw += pad
-  if vw%mulwd: pad = (-uw)%mulwd; v += C.ByteString.zero(pad); vw += pad
+  if vw%mulwd: pad = (-vw)%mulwd; v += C.ByteString.zero(pad); vw += pad
   uu = split_gf(u, mulwd)
   vv = split_gf(v, mulwd)
-- 
2.11.0
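Review bot: Nothing in the hunk verifies that the two padding lines actually achieved alignment before `split_gf` is called, which is exactly how the old `(-uw)` typo stayed silent: once `uw` had been rounded up, `pad` was always 0 and an unaligned `v` went straight into `split_gf`, producing wrong reference vectors without any error. A one-line invariant check after the padding, `assert uw%mulwd == 0 and vw%mulwd == 0, (uw, vw, mulwd)`, would make any future regression fail loudly instead of emitting bad test data. The preceding comment says the short pieces are padded "at the beginning", while `u += ...` and `v += ...` appear to append the zero bytes; if that is consistent because of the reflected bit order GCM uses, a short comment saying so would spare the next reader the same double-take. The body of poly64_mul_simple starts and ends outside this hunk.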