wrong gcm computation when iv length is big enough in main branch

[openluopworld]

Summary

In the GCM cipher mode, it may be wrong in the computation of Y₀ when the bit length of iv is not smaller than 2³².

System information

Mbed TLS version (number or commit id):
Operating system and version:
Configuration (if not default, please attach mbedtls_config.h):
Compiler and options (if you used a pre-built binary, please indicate how you obtained it):
Additional environment information:

Expected behavior

X_i = (X_m+n) ^ (len(A) || len(C)) . H

Since the bit length of C(here is iv) can be upper to 2⁶⁴. So, it may be something like

PUT_UINT32_BE( iv_len * 8, work_buf, 8 )

Actual behavior

PUT_UINT32_BE( iv_len * 8, work_buf, 12 )

Steps to reproduce

Additional information

[paul-elliott-arm]

Hi!

If you would like to submit a PR for this fix, then we would be more than happy to review it.

[openluopworld]

Please see #4950 and have a review.
Thanks.