Fix counter bug in _chacha_crypt32_3core.
authorNiels Möller <nisse@lysator.liu.se>
Mon, 30 Nov 2020 15:18:00 +0000 (16:18 +0100)
committerNiels Möller <nisse@lysator.liu.se>
Mon, 30 Nov 2020 15:21:48 +0000 (16:21 +0100)
ChangeLog
chacha-crypt.c

index 2941fc0cf84a3eeb9743c12d212dbe53ffc7bf86..43da954fdb785354d91d27238ecc4866772c7001 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2020-11-30  Niels Möller  <nisse@lysator.liu.se>
 
+       * chacha-crypt.c (_nettle_chacha_crypt32_3core): Fix bug in
+       handling of counter; this function should not propagate any carry.
+
        * aes-internal.h: Delete name mangling of internal symbols. Update
        all internal references to use _nettle prefix.
        * camellia-internal.h: Likewise.
index 58d0b0c287e03d32990e111c765c084a067ea76a..a13898f1aec18c7e9a75efa0b63dbc85864a1a09 100644 (file)
@@ -193,7 +193,6 @@ _nettle_chacha_crypt32_3core(struct chacha_ctx *ctx,
     {
       _nettle_chacha_3core32 (x, ctx->state, CHACHA_ROUNDS);
       ctx->state[12] += 3;
-      ctx->state[13] += (ctx->state[12] < 3);
       if (length <= 3*CHACHA_BLOCK_SIZE)
        {
          memxor3 (dst, src, x, length);
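Review bot: After the carry line is dropped, `ctx->state[12] += 3;` (and the `++`/`+= 2` increments in the tail hunk) silently wrap modulo 2^32, and nothing in the code records that this is deliberate — only the ChangeLog says "should not propagate any carry", so a later reader comparing this with the carrying variant is likely to "fix" it back. A one-line comment at the increment would pin the contract: `/* 32-bit block counter: wraps mod 2^32, never carries into state[13]. */`. Presumably state[13] is a nonce word in the 32-bit-counter layout, which is why the carry was wrong; whether a counter wrap (2^32 blocks under one nonce, i.e. keystream reuse) is rejected by a caller is not visible here, so if it is not, the function's header comment should state the per-nonce length limit. The enclosing function begins before this hunk and continues past it.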
@@ -208,13 +207,12 @@ _nettle_chacha_crypt32_3core(struct chacha_ctx *ctx,
   if (length <= CHACHA_BLOCK_SIZE)
     {
       _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS);
-      ctx->state[13] += (++ctx->state[12] == 0);
+      ++ctx->state[12];
     }
   else
     {
       _nettle_chacha_3core32 (x, ctx->state, CHACHA_ROUNDS);
       ctx->state[12] += 2;
-      ctx->state[13] += (ctx->state[12] < 2);
     }
   memxor3 (dst, src, x, length);
 }