From 82b30797a1a19c0d18cd290d0e889fc79538eaec Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Fri, 8 May 2026 09:48:02 -0700
Subject: [PATCH] port/cavium: fix Octeon AES-GCM AAD GHASH bug

Octeon_AesGcm_SetAAD unconditionally ran XOR0/XORMUL1 on the partial-block buffer after the main loop, which processed an extra all-zero block when aadSz was a non-zero multiple of 16, corrupting the GCM tag. Guard the trailing XOR/MUL with `if (remainder > 0)`.

Issue: F-3335
---
 wolfcrypt/src/port/cavium/cavium_octeon_sync.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
index 0fbd5ee6d3f..f9c2ffcf56a 100644
--- a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
+++ b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
@@ -558,13 +558,15 @@ static NOOPT int Octeon_AesGcm_SetAAD(Aes* aes, byte* aad, word32 aadSz)
 CVMX_MT_GFM_XORMUL1(p[1]);
 }

- XMEMSET(aesBlock, 0, sizeof(aesBlock));
+ if (remainder > 0) {
+ XMEMSET(aesBlock, 0, sizeof(aesBlock));

- for (i = 0; i < remainder; i++)
- aesBlock[i] = aad[i];
+ for (i = 0; i < remainder; i++)
+ aesBlock[i] = aad[i];

- CVMX_MT_GFM_XOR0(p[0]);
- CVMX_MT_GFM_XORMUL1(p[1]);
+ CVMX_MT_GFM_XOR0(p[0]);
+ CVMX_MT_GFM_XORMUL1(p[1]);
+ }

 return 0;
 }
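Review bot: The new `if (remainder > 0)` guard has no comment explaining why the trailing XOR0/XORMUL1 step is conditional, so a later cleanup could flatten it back and silently change every tag computed over block-aligned AAD. I would put `/* GHASH zero-pads only a partial final AAD block; when aadSz is a multiple of 16 nothing is left to absorb. */` directly above the `if`. The diffstat lists only this one file, so no known-answer vector with a 16- or 32-byte AAD accompanies the fix; if the existing GCM tests do not already cover that length on the Octeon path, adding one would pin the behaviour. The function begins outside the hunk, so how `aad` is advanced and how `remainder` is computed before this point cannot be checked from here.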