authorNiels Möller <nisse@lysator.liu.se>2021-02-10 11:22:23 +0100
committerNiels Möller <nisse@lysator.liu.se>2021-02-10 11:22:23 +0100
commit64837b2e433e2b99b893683949bad3a99acab38f (patch)
tree9a587ca39023ce0a3f171192955a2996da595043
parentdd1867efa005704fbac438896369694a44fd474b (diff)
Fix chacha counter update for _4core variants.fix-chacha-counter
-rw-r--r--ChangeLog4
-rw-r--r--chacha-crypt.c10
2 files changed, 11 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index d46b9a93..aecc06f0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
2021-02-10 Niels Möller <nisse@lysator.liu.se>
+ * chacha-crypt.c (_nettle_chacha_crypt_4core): Fix for the case
+ that counter increment should be 3 (129 <= message length <= 192).
+ (_nettle_chacha_crypt32_4core): Likewise.
+
* testsuite/chacha-test.c (test_chacha_rounds): New function, for
tests with non-standard round count. Extracted from _test_chacha.
(_test_chacha): Deleted rounds argument. Reorganized crypt/crypt32
diff --git a/chacha-crypt.c b/chacha-crypt.c
index 081ebcf4..1fdfc813 100644
--- a/chacha-crypt.c
+++ b/chacha-crypt.c
@@ -80,13 +80,16 @@ _nettle_chacha_crypt_4core(struct chacha_ctx *ctx,
while (length > 2*CHACHA_BLOCK_SIZE)
{
_nettle_chacha_4core (x, ctx->state, CHACHA_ROUNDS);
- ctx->state[12] += 4;
- ctx->state[13] += (ctx->state[12] < 4);
if (length <= 4*CHACHA_BLOCK_SIZE)
{
+ uint32_t incr = 3 + (length > 3*CHACHA_BLOCK_SIZE);
+ ctx->state[12] += incr;
+ ctx->state[13] += (ctx->state[12] < incr);
memxor3 (dst, src, x, length);
return;
}
+ ctx->state[12] += 4;
+ ctx->state[13] += (ctx->state[12] < 4);
memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE);
length -= 4*CHACHA_BLOCK_SIZE;
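Review bot: The line `uint32_t incr = 3 + (length > 3*CHACHA_BLOCK_SIZE);` in the final-chunk branch carries the whole fix but has no comment, and the diffstat lists no testsuite change alongside it. I would add `/* Blocks consumed by the tail: 3 for 129..192 bytes, 4 for 193..256. */` above it, so the next reader sees why the counter advance must match the keystream blocks actually used. A regression test that processes 192 bytes in one call and then continues, compared against the same data processed in a single call, would pin this down, since a counter that runs one block ahead only shows up on the following call; such a test may exist in another commit, which is not visible here. The carry `ctx->state[13] += (ctx->state[12] < incr);` looks right for unsigned wrap-around. The body of _nettle_chacha_crypt_4core starts and ends outside this hunk.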
@@ -200,12 +203,13 @@ _nettle_chacha_crypt32_4core(struct chacha_ctx *ctx,
while (length > 2*CHACHA_BLOCK_SIZE)
{
_nettle_chacha_4core32 (x, ctx->state, CHACHA_ROUNDS);
- ctx->state[12] += 4;
if (length <= 4*CHACHA_BLOCK_SIZE)
{
+ ctx->state[12] += 3 + (length > 3*CHACHA_BLOCK_SIZE);
memxor3 (dst, src, x, length);
return;
}
+ ctx->state[12] += 4;
memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE);
length -= 4*CHACHA_BLOCK_SIZE;
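Review bot: In the 32-bit variant, both `ctx->state[12] += 3 + (length > 3*CHACHA_BLOCK_SIZE);` and `ctx->state[12] += 4;` wrap silently with no carry, and nothing in this hunk documents that. This is presumably intended for a 32-bit block counter, but a wrap would repeat keystream under the same key and nonce, so the limit belongs in a comment, for example `/* 32-bit counter wraps without carry; callers must keep the total block count below 2^32. */`. Whether that bound is enforced elsewhere cannot be seen from here. As a style point, naming the increment `incr` as the other function does would keep the two loops parallel. The body of _nettle_chacha_crypt32_4core starts and ends outside this hunk.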