From c0d18fea127ad785afc8eefb1ba8c50a548b0297 Mon Sep 17 00:00:00 2001
From: yieazy <yuitta@163.com>
Date: Tue, 19 Dec 2023 16:31:41 +0800
Subject: [PATCH] Fix incrementing function of gcm mode

* nist 800-38d specify inc32(X) as incrementing function in gctr.
* inc32(X) means: The output of incrementing the right-most 32 bits
* of the bit string X, regarded as the binary representation of an
*integer, by 1 modulo 2s.
---
 src/aead.c      | 11 ++++++++++-
 src/aes_modes.c | 13 +++++++++++--
 src/sm4_modes.c | 13 +++++++++++--
 3 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/src/aead.c b/src/aead.c
index 7dcbe73c1..e1f98ba6a 100644
--- a/src/aead.c
+++ b/src/aead.c
@@ -350,6 +350,15 @@ static void ctr_incr(uint8_t a[16])
 	}
 }
 
+static void gcm_incr(uint8_t a[16])
+{
+    int i;
+    for (i = 15; i >= 12; i--) {
+        a[i]++;
+        if (a[i]) break;
+    }
+}
+
 int sm4_gcm_encrypt_init(SM4_GCM_CTX *ctx,
 	const uint8_t *key, size_t keylen, const uint8_t *iv, size_t ivlen,
 	const uint8_t *aad, size_t aadlen, size_t taglen)
@@ -396,7 +405,7 @@ int sm4_gcm_encrypt_init(SM4_GCM_CTX *ctx,
 
 	sm4_encrypt(&ctx->enc_ctx.sm4_key, Y, ctx->Y);
 
-	ctr_incr(Y);
+	gcm_incr(Y);
 	memcpy(ctx->enc_ctx.ctr, Y, 16);
 
 	gmssl_secure_clear(H, sizeof(H));
diff --git a/src/aes_modes.c b/src/aes_modes.c
index 89e5a6e95..d6efb85a0 100644
--- a/src/aes_modes.c
+++ b/src/aes_modes.c
@@ -105,6 +105,15 @@ static void ctr_incr(uint8_t a[16])
 	}
 }
 
+static void gcm_incr(uint8_t a[16])
+{
+    int i;
+    for (i = 15; i >= 12; i--) {
+        a[i]++;
+        if (a[i]) break;
+    }
+}
+
 void aes_ctr_encrypt(const AES_KEY *key, uint8_t ctr[16], const uint8_t *in, size_t inlen, uint8_t *out)
 {
 	uint8_t block[16];
@@ -152,7 +161,7 @@ int aes_gcm_encrypt(const AES_KEY *key, const uint8_t *iv, size_t ivlen,
 	while (left) {
 		uint8_t block[16];
 		size_t len = left < 16 ? left : 16;
-		ctr_incr(Y);
+		gcm_incr(Y);
 		aes_encrypt(key, Y, block);
 		gmssl_memxor(pout, pin, block, len);
 		pin += len;
@@ -197,7 +206,7 @@ int aes_gcm_decrypt(const AES_KEY *key, const uint8_t *iv, size_t ivlen,
 	while (left) {
 		uint8_t block[16];
 		size_t len = left < 16 ? left : 16;
-		ctr_incr(Y);
+		gcm_incr(Y);
 		aes_encrypt(key, Y, block);
 		gmssl_memxor(pout, pin, block, len);
 		pin += len;
diff --git a/src/sm4_modes.c b/src/sm4_modes.c
index f54925ed3..217aa5e77 100644
--- a/src/sm4_modes.c
+++ b/src/sm4_modes.c
@@ -101,6 +101,15 @@ static void ctr_incr(uint8_t a[16])
 	}
 }
 
+static void gcm_incr(uint8_t a[16])
+{
+    int i;
+    for (i = 15; i >= 12; i--) {
+        a[i]++;
+        if (a[i]) break;
+    }
+}
+
 #ifndef ENABLE_SM4_AESNI_AVX
 void sm4_ctr_encrypt(const SM4_KEY *key, uint8_t ctr[16], const uint8_t *in, size_t inlen, uint8_t *out)
 {
@@ -150,7 +159,7 @@ int sm4_gcm_encrypt(const SM4_KEY *key, const uint8_t *iv, size_t ivlen,
 	while (left) {
 		uint8_t block[16];
 		size_t len = left < 16 ? left : 16;
-		ctr_incr(Y);
+		gcm_incr(Y);
 		sm4_encrypt(key, Y, block);
 		gmssl_memxor(pout, pin, block, len);
 		pin += len;
@@ -195,7 +204,7 @@ int sm4_gcm_decrypt(const SM4_KEY *key, const uint8_t *iv, size_t ivlen,
 	while (left) {
 		uint8_t block[16];
 		size_t len = left < 16 ? left : 16;
-		ctr_incr(Y);
+		gcm_incr(Y);
 		sm4_encrypt(key, Y, block);
 		gmssl_memxor(pout, pin, block, len);
 		pin += len;