From 6bb847467ffdfdf97e77592e232c1b71d0ef6866 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Thu, 9 May 2019 22:54:28 +0000
Subject: Fix incorrect carry operation in 512 bit addition: in the case that there is already a carry and Sigma[i-1] == -1, the carry must be kept. From Dmitry Eremin-Solenik. Fixes incorrect Streebog result reported by Guido Vranken.
---
 src/lib/libcrypto/gost/streebog.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
 (limited to 'src')
diff --git a/src/lib/libcrypto/gost/streebog.c b/src/lib/libcrypto/gost/streebog.c
index 902472bd9e..61bce0e32c 100644
--- a/src/lib/libcrypto/gost/streebog.c
+++ b/src/lib/libcrypto/gost/streebog.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: streebog.c,v 1.5 2015/09/10 15:56:25 jsing Exp $ */
+/* $OpenBSD: streebog.c,v 1.6 2019/05/09 22:54:28 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -1240,6 +1240,7 @@ static void
 streebog_single_block(STREEBOG_CTX *ctx, const unsigned char *in, size_t num)
 {
 STREEBOG_LONG64 M[8], l;
+ STREEBOG_LONG64 CF;
 int i;
 for (i = 0; i < 8; i++)
@@ -1258,12 +1259,13 @@ streebog_single_block(STREEBOG_CTX *ctx, const unsigned char *in, size_t num)
 }
 }
+ CF = 0;
 ctx->Sigma[0] += M[0];
- for (i = 1; i < 8; i++)
- if (ctx->Sigma[i-1] < M[i-1])
- ctx->Sigma[i] += M[i] + 1;
- else
- ctx->Sigma[i] += M[i];
+ for (i = 1; i < 8; i++) {
+ if (ctx->Sigma[i-1] != M[i-1])
+ CF = (ctx->Sigma[i-1] < M[i-1]);
+ ctx->Sigma[i] += M[i] + CF;
+ }
 }
-- 
cgit v1.2.3-55-g6feb
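Review bot: The equality case that the new `if (ctx->Sigma[i-1] != M[i-1])` guard silently handles is the whole point of the fix, yet nothing in the loop says why leaving CF untouched is right; after `Sigma[i-1] += M[i-1] + CF`, a result equal to `M[i-1]` means the old limb was either 0 with no carry in or ~0 with a carry in, so the carry out equals the carry in. A comment above the guard such as `/* Sigma[i-1] == M[i-1] after the add: old limb was 0 (no carry) or ~0 with a carry in, so carry out == carry in; keep CF. */` would stop the next reader from "simplifying" it back to the broken form. The carry is still derived through data-dependent branches; a branch-free equivalent, `CF = (ctx->Sigma[i-1] < M[i-1]) | (CF & (ctx->Sigma[i-1] == M[i-1]));`, keeps the same result and is the more conventional shape for a checksum that may run over MAC input, though whether that matters for this code path is not visible here. Since the commit fixes a wrong digest reported externally, a regression vector whose Sigma limb reaches ~0 with an incoming carry would pin this behaviour. The enclosing function streebog_single_block begins outside this hunk.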