From 91a8f88843c05f3b10e7da8f6db57f15490aa26e Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Tue, 16 Jan 2024 13:46:58 +0000
Subject: [PATCH] utils/gcm-ref (poly64_mul_simple): Strip padding off the product.
Rather than leaving this job to the caller. I'm going to decree that it's the presentation-function's job to show padding in the right place, rather than the multiplier's job to retain it. This means that we need to keep track of the padding properly, but it's pretty easy. The most important effect is that there's no longer a rather strange bodge in `poly64_common' to strip the padding in one particular case because `poly64_mul_simple' has done it properly in every case.
---
 utils/gcm-ref | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/utils/gcm-ref b/utils/gcm-ref
index bba76602..8ad15e5a 100755
--- a/utils/gcm-ref
+++ b/utils/gcm-ref
@@ -281,10 +281,9 @@ def poly64_mul_simple(u, v, presfn, wd, dispwd, mulwd, uwhat, vwhat):
 ## We start by carving the operands into 64-bit pieces. This is
 ## straightforward except for the 96-bit case, where we end up with two
 ## short pieces which we pad at the beginning.
- if uw%mulwd: pad = (-uw)%mulwd; u += C.ByteString.zero(pad); uw += pad
- if vw%mulwd: pad = (-vw)%mulwd; v += C.ByteString.zero(pad); vw += pad
- uu = split_gf(u, mulwd)
- vv = split_gf(v, mulwd)
+ upad = (-uw)%mulwd; u += C.ByteString.zero(upad); uw += upad
+ vpad = (-vw)%mulwd; v += C.ByteString.zero(vpad); vw += vpad
+ uu = split_gf(u, mulwd); vv = split_gf(v, mulwd)
 
 ## Report and accumulate the individual product pieces.
 x = C.GF(0)
@@ -301,7 +300,7 @@ def poly64_mul_simple(u, v, presfn, wd, dispwd, mulwd, uwhat, vwhat):
 x += t << (mulwd*i)
 presfn(TAG_PRODUCT, wd, x, uw + vw, dispwd, '%s %s' % (uwhat, vwhat))
 
- return x
+ return x >> (upad + vpad)
 
 def poly64_mul_karatsuba(u, v, klimit, presfn, wd, dispwd, mulwd, uwhat, vwhat):
 
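Review bot: The new `return x >> (upad + vpad)` at the end of the second hunk strips the padding bits silently, while the `presfn(TAG_PRODUCT, ...)` call just above it still reports the padded product with width `uw + vw`; that split of responsibility is the whole point of the change, but nothing in the code says so. I would add above the return `## Strip the padding we appended to the operands; presfn above has already shown the padded product, so callers get the true-width value.` and extend the earlier comment `## short pieces which we pad at the beginning.` to mention that the padding is removed again before returning. The shift count also assumes `upad` and `vpad` are in the same units as the `<<` shift counts (bits, going by `mulwd*i`) while the same values are passed to `C.ByteString.zero(...)`; if that takes a byte count the two uses disagree, which is worth confirming even though the removed lines had the same expression. `uw` and `vw` are initialised before the first hunk and the function body continues between the two hunks, so I cannot see how they are derived.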
@@ -371,7 +370,6 @@ def poly64_common(u, v, presfn, dispwd = 32, mulwd = 64, redcwd = 32,
 ## Now we have to shift everything up one bit to account for GCM's crazy
 ## bit ordering.
 y = x << 1
- if w == 96: y >>= 64
 presfn(TAG_SHIFTED, w, y, 2*w, dispwd, 'y')
 
 ## Now for the reduction.
-- 
2.11.0