authorNiels Möller <nisse@lysator.liu.se>2020-11-30 16:18:00 +0100
committerNiels Möller <nisse@lysator.liu.se>2020-11-30 16:21:48 +0100
commit905556f72afc2c7ad3b3e6719103811cc6646655 (patch)
tree4e86d9528f5edb053a1b5eeb142614b5e93ee02a
parent54a9be1e6015fab3b90e6c656b271f808cdf9750 (diff)
Fix counter bug in _chacha_crypt32_3core.
-rw-r--r--ChangeLog3
-rw-r--r--chacha-crypt.c4
2 files changed, 4 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 2941fc0c..43da954f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
2020-11-30 Niels Möller <nisse@lysator.liu.se>
+ * chacha-crypt.c (_nettle_chacha_crypt32_3core): Fix bug in
+ handling of counter; this function should not propagate any carry.
+
* aes-internal.h: Delete name mangling of internal symbols. Update
all internal references to use _nettle prefix.
* camellia-internal.h: Likewise.
diff --git a/chacha-crypt.c b/chacha-crypt.c
index 58d0b0c2..a13898f1 100644
--- a/chacha-crypt.c
+++ b/chacha-crypt.c
@@ -193,7 +193,6 @@ _nettle_chacha_crypt32_3core(struct chacha_ctx *ctx,
{
_nettle_chacha_3core32 (x, ctx->state, CHACHA_ROUNDS);
ctx->state[12] += 3;
- ctx->state[13] += (ctx->state[12] < 3);
if (length <= 3*CHACHA_BLOCK_SIZE)
{
memxor3 (dst, src, x, length);
@@ -208,13 +207,12 @@ _nettle_chacha_crypt32_3core(struct chacha_ctx *ctx,
if (length <= CHACHA_BLOCK_SIZE)
{
_nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS);
- ctx->state[13] += (++ctx->state[12] == 0);
+ ++ctx->state[12];
}
else
{
_nettle_chacha_3core32 (x, ctx->state, CHACHA_ROUNDS);
ctx->state[12] += 2;
- ctx->state[13] += (ctx->state[12] < 2);
}
memxor3 (dst, src, x, length);
}
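Review bot: The new `++ctx->state[12];`, the `+= 2` branch below it, and the `+= 3` in the previous hunk now let the 32-bit block counter wrap silently, and nothing in the code says why the carry into `state[13]` must not happen. A comment at the first increment, such as `/* 32-bit counter: state[13] is presumably a nonce word in this variant, so the counter wraps without carry */`, would keep the carry from being reintroduced later. Because a wrapped counter repeats keystream blocks under the same key and nonce, the function's header comment should also say that callers must keep one message below 2^32 blocks; whether callers already enforce that is not visible here. The diffstat shows no test file changed, so a regression case that starts with the counter near 0xffffffff and crosses the wrap would be worth adding. The body of _nettle_chacha_crypt32_3core starts outside this hunk.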