On 2021-02-10 Andreas Metzler <ametz...@bebt.de> wrote:
> Package: libnettle8
> Version: 3.7-1
> Severity: serious
> Tags: upstream patch fixed-upstream
> nettle 3.7 breaks GnuTLS testsuite on ppc64(el). I had forwarded this
> upstream
> https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009418.html and
> there is now a fix (+ testsuite coverage) in nettle GIT master.
[...]
Find attached a proposed debdiff.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru nettle-3.7/debian/changelog nettle-3.7/debian/changelog
--- nettle-3.7/debian/changelog 2021-02-01 00:01:59.000000000 +0100
+++ nettle-3.7/debian/changelog 2021-02-13 08:34:20.000000000 +0100
@@ -1,3 +1,12 @@
+nettle (3.7-2.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix chacha breakage on ppc64(el). Closes: #982482
+ + 0001-Improve-chacha-test-coverage.patch
+ + 0002-Fix-chacha-counter-update-for-_4core-variants.patch
+
+ -- Andreas Metzler <ametz...@debian.org> Sat, 13 Feb 2021 08:34:20 +0100
+
nettle (3.7-2) unstable; urgency=low
* Adjust libnettle8.symbols.
diff -Nru nettle-3.7/debian/patches/0001-Improve-chacha-test-coverage.patch nettle-3.7/debian/patches/0001-Improve-chacha-test-coverage.patch
--- nettle-3.7/debian/patches/0001-Improve-chacha-test-coverage.patch 1970-01-01 01:00:00.000000000 +0100
+++ nettle-3.7/debian/patches/0001-Improve-chacha-test-coverage.patch 2021-02-13 08:29:19.000000000 +0100
@@ -0,0 +1,910 @@
+From dd1867efa005704fbac438896369694a44fd474b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <ni...@lysator.liu.se>
+Date: Wed, 10 Feb 2021 10:26:52 +0100
+Subject: [PATCH 1/2] Improve chacha test coverage.
+
+---
+ ChangeLog | 12 +
+ testsuite/chacha-test.c | 746 ++++++++++++++++++++++++++--------------
+ 2 files changed, 504 insertions(+), 254 deletions(-)
+
+ a/ChangeLog
+ b/ChangeLog
+ 2021-02-10 Niels Möller <ni...@lysator.liu.se>
+
+ * testsuite/chacha-test.c (test_chacha_rounds): New function, for
+ tests with non-standard round count. Extracted from _test_chacha.
+ (_test_chacha): Deleted rounds argument. Reorganized crypt/crypt32
+ handling. When testing message prefixes of varying length, also
+ encrypt the remainder of the message, to catch errors in counter
+ value update.
+ (test_main): Add a few tests with large messages (16 blocks, 1024
+ octets), to improve test coverage for _nettle_chacha_crypt_4core
+ and _nettle_chacha_crypt32_4core.
+
+diff --git a/testsuite/chacha-test.c b/testsuite/chacha-test.c
+index 5efe4ee2..8bbdd4ad 100644
+--- a/testsuite/chacha-test.c
++++ b/testsuite/chacha-test.c
+@@ -121,119 +121,140 @@ test_chacha_core(void)
+ }
+ }
+
++/* For tests with non-standard number of rounds, calling
++ _nettle_chacha_core directly. */
+ static void
+-_test_chacha(const struct tstring *key, const struct tstring *nonce,
+- const struct tstring *expected, unsigned rounds,
+- const struct tstring *counter)
++test_chacha_rounds(const struct tstring *key, const struct tstring *nonce,
++ const struct tstring *expected, unsigned rounds)
+ {
+ struct chacha_ctx ctx;
++ uint32_t out[_CHACHA_STATE_LENGTH];
++ ASSERT (expected->length == CHACHA_BLOCK_SIZE);
+
+ ASSERT (key->length == CHACHA_KEY_SIZE);
+ chacha_set_key (&ctx, key->data);
+
+- if (rounds == 20)
++ ASSERT (nonce->length == CHACHA_NONCE_SIZE);
++ chacha_set_nonce(&ctx, nonce->data);
++
++ _nettle_chacha_core (out, ctx.state, rounds);
++
++ if (!MEMEQ(CHACHA_BLOCK_SIZE, out, expected->data))
+ {
+- uint8_t *data = xalloc (expected->length + 2);
+- size_t length;
+- data++;
++ printf("Error, expected:\n");
++ tstring_print_hex (expected);
++ printf("Got:\n");
++ print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out);
++ FAIL ();
++ }
+
+- for (length = 1; length <= expected->length; length++)
+- {
+- data[-1] = 17;
+- memset (data, 0, length);
+- data[length] = 17;
+- if (nonce->length == CHACHA_NONCE_SIZE)
+- chacha_set_nonce(&ctx, nonce->data);
+- else if (nonce->length == CHACHA_NONCE96_SIZE)
+- {
+- chacha_set_nonce96(&ctx, nonce->data);
+- /* Use initial counter 1, for
+- draft-irtf-cfrg-chacha20-poly1305-08 test cases. */
+- ctx.state[12]++;
+- }
+- else
+- die ("Bad nonce size %u.\n", (unsigned) nonce->length);
++ if (verbose)
++ {
++ printf("Result after encryption:\n");
++ print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out);
++ }
++}
+
+- if (counter)
+- {
+- if (counter->length == CHACHA_COUNTER_SIZE)
+- {
+- ASSERT (nonce->length == CHACHA_NONCE_SIZE);
+- chacha_set_counter(&ctx, counter->data);
+- }
+- else if (counter->length == CHACHA_COUNTER32_SIZE)
+- {
+- ASSERT (nonce->length == CHACHA_NONCE96_SIZE);
+- chacha_set_counter32(&ctx, counter->data);
+- }
+- }
++static void
++_test_chacha(const struct tstring *key, const struct tstring *nonce,
++ const struct tstring *expected, const struct tstring *counter)
++{
++ struct chacha_ctx ctx;
++ nettle_set_key_func *set_nonce;
++ nettle_set_key_func *set_counter;
++ nettle_crypt_func *crypt;
++ uint8_t *data = xalloc (expected->length + 2);
++ size_t length;
++ data++;
+
+- if (nonce->length == CHACHA_NONCE_SIZE)
+- chacha_crypt (&ctx, length, data, data);
+- else
+- chacha_crypt32 (&ctx, length, data, data);
++ ASSERT (key->length == CHACHA_KEY_SIZE);
++ chacha_set_key (&ctx, key->data);
+
+- ASSERT (data[-1] == 17);
+- ASSERT (data[length] == 17);
+- if (!MEMEQ(length, data, expected->data))
+- {
+- printf("Error, length %u, expected:\n", (unsigned) length);
+- print_hex (length, expected->data);
+- printf("Got:\n");
+- print_hex(length, data);
+- FAIL ();
+- }
+- }
+- if (verbose)
+- {
+- printf("Result after encryption:\n");
+- print_hex(expected->length, data);
+- }
+- free (data - 1);
++ switch (nonce->length)
++ {
++ case CHACHA_NONCE_SIZE:
++ set_nonce = (nettle_set_key_func *) chacha_set_nonce;
++ set_counter = (nettle_set_key_func *) chacha_set_counter;
++ crypt = (nettle_crypt_func *) chacha_crypt;
++ if (counter)
++ ASSERT (counter->length == CHACHA_COUNTER_SIZE);
++ break;
++ case CHACHA_NONCE96_SIZE:
++ set_nonce = (nettle_set_key_func *) chacha_set_nonce96;
++ set_counter = (nettle_set_key_func *) chacha_set_counter32;
++ crypt = (nettle_crypt_func *) chacha_crypt32;
++ if (counter)
++ ASSERT (counter->length == CHACHA_COUNTER32_SIZE);
++ break;
++ default:
++ die ("Bad nonce size %u.\n", (unsigned) nonce->length);
+ }
+- else
++
++ for (length = 1; length <= expected->length; length++)
+ {
+- /* Uses the _nettle_chacha_core function to be able to test
+- different numbers of rounds. */
+- uint32_t out[_CHACHA_STATE_LENGTH];
+- ASSERT (expected->length == CHACHA_BLOCK_SIZE);
+- ASSERT (nonce->length == CHACHA_NONCE_SIZE);
++ size_t offset;
++
++ data[-1] = 17;
++ memset (data, 0, length);
++ data[length] = 17;
++
++ set_nonce (&ctx, nonce->data);
+
+- chacha_set_nonce(&ctx, nonce->data);
+ if (counter)
+- chacha_set_counter(&ctx, counter->data);
+- _nettle_chacha_core (out, ctx.state, rounds);
++ set_counter (&ctx, counter->data);
++
++ crypt (&ctx, length, data, data);
+
+- if (!MEMEQ(CHACHA_BLOCK_SIZE, out, expected->data))
++ ASSERT (data[-1] == 17);
++ ASSERT (data[length] == 17);
++ if (!MEMEQ(length, data, expected->data))
+ {
+- printf("Error, expected:\n");
+- tstring_print_hex (expected);
++ printf("Error, length %u, expected:\n", (unsigned) length);
++ print_hex (length, expected->data);
+ printf("Got:\n");
+- print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out);
++ print_hex(length, data);
+ FAIL ();
+ }
+-
+- if (verbose)
++ /* Round up to next block boundary. */
++ offset = (length + CHACHA_BLOCK_SIZE - 1) & -CHACHA_BLOCK_SIZE;
++ if (offset < expected->length)
+ {
+- printf("Result after encryption:\n");
+- print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out);
++ memset(data, 0, expected->length - offset);
++ data[expected->length - offset] = 17;
++ crypt (&ctx, expected->length - offset, data, data);
++ if (!MEMEQ(expected->length - offset, data, expected->data + offset))
++ {
++ printf("Error, length %u, offset %u, remaining %u, expected:\n",
++ (unsigned) length, (unsigned) offset,
++ (unsigned) (expected->length - offset));
++ print_hex (expected->length - offset, expected->data + offset);
++ printf("Got:\n");
++ print_hex(expected->length - offset, data);
++ FAIL ();
++ }
+ }
+ }
++ if (verbose)
++ {
++ printf("Result after encryption:\n");
++ print_hex(expected->length, data);
++ }
++ free (data - 1);
+ }
+
+ static void
+ test_chacha(const struct tstring *key, const struct tstring *nonce,
+- const struct tstring *expected, unsigned rounds)
++ const struct tstring *expected)
+ {
+- _test_chacha(key, nonce, expected, rounds, NULL);
++ _test_chacha(key, nonce, expected, NULL);
+ }
+
+ static void
+ test_chacha_with_counter(const struct tstring *key, const struct tstring *nonce,
+- const struct tstring *expected, unsigned rounds,
++ const struct tstring *expected,
+ const struct tstring *counter)
+ {
+- _test_chacha(key, nonce, expected, rounds, counter);
++ _test_chacha(key, nonce, expected, counter);
+ }
+
+ void
+@@ -242,33 +263,33 @@ test_main(void)
+ test_chacha_core();
+
+ /* Test vectors from draft-strombergson-chacha-test-vectors */
+- test_chacha (SHEX("0000000000000000 0000000000000000"
+- "0000000000000000 0000000000000000"),
+- SHEX("0000000000000000"),
+- SHEX("3e00ef2f895f40d6 7f5bb8e81f09a5a1"
+- "2c840ec3ce9a7f3b 181be188ef711a1e"
+- "984ce172b9216f41 9f445367456d5619"
+- "314a42a3da86b001 387bfdb80e0cfe42"
+-
+- /* "d2aefa0deaa5c151 bf0adb6c01f2a5ad"
+- "c0fd581259f9a2aa dcf20f8fd566a26b"
+- "5032ec38bbc5da98 ee0c6f568b872a65"
+- "a08abf251deb21bb 4b56e5d8821e68aa" */),
+- 8);
+-
+- test_chacha (SHEX("0000000000000000 0000000000000000"
+- "0000000000000000 0000000000000000"),
+- SHEX("0000000000000000"),
+- SHEX("9bf49a6a0755f953 811fce125f2683d5"
+- "0429c3bb49e07414 7e0089a52eae155f"
+- "0564f879d27ae3c0 2ce82834acfa8c79"
+- "3a629f2ca0de6919 610be82f411326be"
+-
+- /* "0bd58841203e74fe 86fc71338ce0173d"
+- "c628ebb719bdcbcc 151585214cc089b4"
+- "42258dcda14cf111 c602b8971b8cc843"
+- "e91e46ca905151c0 2744a6b017e69316" */),
+- 12);
++ test_chacha_rounds (SHEX("0000000000000000 0000000000000000"
++ "0000000000000000 0000000000000000"),
++ SHEX("0000000000000000"),
++ SHEX("3e00ef2f895f40d6 7f5bb8e81f09a5a1"
++ "2c840ec3ce9a7f3b 181be188ef711a1e"
++ "984ce172b9216f41 9f445367456d5619"
++ "314a42a3da86b001 387bfdb80e0cfe42"
++
++ /* "d2aefa0deaa5c151 bf0adb6c01f2a5ad"
++ "c0fd581259f9a2aa dcf20f8fd566a26b"
++ "5032ec38bbc5da98 ee0c6f568b872a65"
++ "a08abf251deb21bb 4b56e5d8821e68aa" */),
++ 8);
++
++ test_chacha_rounds (SHEX("0000000000000000 0000000000000000"
++ "0000000000000000 0000000000000000"),
++ SHEX("0000000000000000"),
++ SHEX("9bf49a6a0755f953 811fce125f2683d5"
++ "0429c3bb49e07414 7e0089a52eae155f"
++ "0564f879d27ae3c0 2ce82834acfa8c79"
++ "3a629f2ca0de6919 610be82f411326be"
++
++ /* "0bd58841203e74fe 86fc71338ce0173d"
++ "c628ebb719bdcbcc 151585214cc089b4"
++ "42258dcda14cf111 c602b8971b8cc843"
++ "e91e46ca905151c0 2744a6b017e69316" */),
++ 12);
+
+ test_chacha (SHEX("0000000000000000 0000000000000000"
+ "0000000000000000 0000000000000000"),
+@@ -281,27 +302,26 @@ test_main(void)
+ "9f07e7be5551387a 98ba977c732d080d"
+ "cb0f29a048e36569 12c6533e32ee7aed"
+ "29b721769ce64e43 d57133b074d839d5"
+- "31ed1f28510afb45 ace10a1f4b794d6f"),
+- 20);
++ "31ed1f28510afb45 ace10a1f4b794d6f"));
+
+ /* TC2: Single bit in key set. All zero IV */
+- test_chacha (SHEX("0100000000000000 0000000000000000"
+- "0000000000000000 0000000000000000"),
+- SHEX("0000000000000000"),
+- SHEX("cf5ee9a0494aa961 3e05d5ed725b804b"
+- "12f4a465ee635acc 3a311de8740489ea"
+- "289d04f43c7518db 56eb4433e498a123"
+- "8cd8464d3763ddbb 9222ee3bd8fae3c8"),
+- 8);
+-
+- test_chacha (SHEX("0100000000000000 0000000000000000"
+- "0000000000000000 0000000000000000"),
+- SHEX("0000000000000000"),
+- SHEX("12056e595d56b0f6 eef090f0cd25a209"
+- "49248c2790525d0f 930218ff0b4ddd10"
+- "a6002239d9a454e2 9e107a7d06fefdfe"
+- "f0210feba044f9f2 9b1772c960dc29c0"),
+- 12);
++ test_chacha_rounds (SHEX("0100000000000000 0000000000000000"
++ "0000000000000000 0000000000000000"),
++ SHEX("0000000000000000"),
++ SHEX("cf5ee9a0494aa961 3e05d5ed725b804b"
++ "12f4a465ee635acc 3a311de8740489ea"
++ "289d04f43c7518db 56eb4433e498a123"
++ "8cd8464d3763ddbb 9222ee3bd8fae3c8"),
++ 8);
++
++ test_chacha_rounds (SHEX("0100000000000000 0000000000000000"
++ "0000000000000000 0000000000000000"),
++ SHEX("0000000000000000"),
++ SHEX("12056e595d56b0f6 eef090f0cd25a209"
++ "49248c2790525d0f 930218ff0b4ddd10"
++ "a6002239d9a454e2 9e107a7d06fefdfe"
++ "f0210feba044f9f2 9b1772c960dc29c0"),
++ 12);
+
+ test_chacha (SHEX("0100000000000000 0000000000000000"
+ "0000000000000000 0000000000000000"),
+@@ -314,27 +334,26 @@ test_main(void)
+ "10f656e6d1fd5505 3e50c4875c9930a3"
+ "3f6d0263bd14dfd6 ab8c70521c19338b"
+ "2308b95cf8d0bb7d 202d2102780ea352"
+- "8f1cb48560f76b20 f382b942500fceac"),
+- 20);
++ "8f1cb48560f76b20 f382b942500fceac"));
+
+ /* TC3: Single bit in IV set. All zero key */
+- test_chacha (SHEX("0000000000000000 0000000000000000"
+- "0000000000000000 0000000000000000"),
+- SHEX("0100000000000000"),
+- SHEX("2b8f4bb3798306ca 5130d47c4f8d4ed1"
+- "3aa0edccc1be6942 090faeeca0d7599b"
+- "7ff0fe616bb25aa0 153ad6fdc88b9549"
+- "03c22426d478b97b 22b8f9b1db00cf06"),
+- 8);
+-
+- test_chacha (SHEX("0000000000000000 0000000000000000"
+- "0000000000000000 0000000000000000"),
+- SHEX("0100000000000000"),
+- SHEX("64b8bdf87b828c4b 6dbaf7ef698de03d"
+- "f8b33f635714418f 9836ade59be12969"
+- "46c953a0f38ecffc 9ecb98e81d5d99a5"
+- "edfc8f9a0a45b9e4 1ef3b31f028f1d0f"),
+- 12);
++ test_chacha_rounds (SHEX("0000000000000000 0000000000000000"
++ "0000000000000000 0000000000000000"),
++ SHEX("0100000000000000"),
++ SHEX("2b8f4bb3798306ca 5130d47c4f8d4ed1"
++ "3aa0edccc1be6942 090faeeca0d7599b"
++ "7ff0fe616bb25aa0 153ad6fdc88b9549"
++ "03c22426d478b97b 22b8f9b1db00cf06"),
++ 8);
++
++ test_chacha_rounds (SHEX("0000000000000000 0000000000000000"
++ "0000000000000000 0000000000000000"),
++ SHEX("0100000000000000"),
++ SHEX("64b8bdf87b828c4b 6dbaf7ef698de03d"
++ "f8b33f635714418f 9836ade59be12969"
++ "46c953a0f38ecffc 9ecb98e81d5d99a5"
++ "edfc8f9a0a45b9e4 1ef3b31f028f1d0f"),
++ 12);
+
+ test_chacha (SHEX("0000000000000000 0000000000000000"
+ "0000000000000000 0000000000000000"),
+@@ -347,27 +366,26 @@ test_main(void)
+ "5305e5e44aff19b2 35936144675efbe4"
+ "409eb7e8e5f1430f 5f5836aeb49bb532"
+ "8b017c4b9dc11f8a 03863fa803dc71d5"
+- "726b2b6b31aa3270 8afe5af1d6b69058"),
+- 20);
++ "726b2b6b31aa3270 8afe5af1d6b69058"));
+
+ /* TC4: All bits in key and IV are set. */
+- test_chacha (SHEX("ffffffffffffffff ffffffffffffffff"
+- "ffffffffffffffff ffffffffffffffff"),
+- SHEX("ffffffffffffffff"),
+- SHEX("e163bbf8c9a739d1 8925ee8362dad2cd"
+- "c973df05225afb2a a26396f2a9849a4a"
+- "445e0547d31c1623 c537df4ba85c70a9"
+- "884a35bcbf3dfab0 77e98b0f68135f54"),
+- 8);
+-
+- test_chacha (SHEX("ffffffffffffffff ffffffffffffffff"
+- "ffffffffffffffff ffffffffffffffff"),
+- SHEX("ffffffffffffffff"),
+- SHEX("04bf88dae8e47a22 8fa47b7e6379434b"
+- "a664a7d28f4dab84 e5f8b464add20c3a"
+- "caa69c5ab221a23a 57eb5f345c96f4d1"
+- "322d0a2ff7a9cd43 401cd536639a615a"),
+- 12);
++ test_chacha_rounds (SHEX("ffffffffffffffff ffffffffffffffff"
++ "ffffffffffffffff ffffffffffffffff"),
++ SHEX("ffffffffffffffff"),
++ SHEX("e163bbf8c9a739d1 8925ee8362dad2cd"
++ "c973df05225afb2a a26396f2a9849a4a"
++ "445e0547d31c1623 c537df4ba85c70a9"
++ "884a35bcbf3dfab0 77e98b0f68135f54"),
++ 8);
++
++ test_chacha_rounds (SHEX("ffffffffffffffff ffffffffffffffff"
++ "ffffffffffffffff ffffffffffffffff"),
++ SHEX("ffffffffffffffff"),
++ SHEX("04bf88dae8e47a22 8fa47b7e6379434b"
++ "a664a7d28f4dab84 e5f8b464add20c3a"
++ "caa69c5ab221a23a 57eb5f345c96f4d1"
++ "322d0a2ff7a9cd43 401cd536639a615a"),
++ 12);
+
+ test_chacha (SHEX("ffffffffffffffff ffffffffffffffff"
+ "ffffffffffffffff ffffffffffffffff"),
+@@ -380,27 +398,26 @@ test_main(void)
+ "5bac2acd86a836c5 dc98c116c1217ec3"
+ "1d3a63a9451319f0 97f3b4d6dab07787"
+ "19477d24d24b403a 12241d7cca064f79"
+- "0f1d51ccaff6b166 7d4bbca1958c4306"),
+- 20);
++ "0f1d51ccaff6b166 7d4bbca1958c4306"));
+
+ /* TC5: Every even bit set in key and IV. */
+- test_chacha (SHEX("5555555555555555 5555555555555555"
+- "5555555555555555 5555555555555555"),
+- SHEX("5555555555555555"),
+- SHEX("7cb78214e4d3465b 6dc62cf7a1538c88"
+- "996952b4fb72cb61 05f1243ce3442e29"
+- "75a59ebcd2b2a598 290d7538491fe65b"
+- "dbfefd060d887981 20a70d049dc2677d"),
+- 8);
+-
+- test_chacha (SHEX("5555555555555555 5555555555555555"
+- "5555555555555555 5555555555555555"),
+- SHEX("5555555555555555"),
+- SHEX("a600f07727ff93f3 da00dd74cc3e8bfb"
+- "5ca7302f6a0a2944 953de00450eecd40"
+- "b860f66049f2eaed 63b2ef39cc310d2c"
+- "488f5d9a241b615d c0ab70f921b91b95"),
+- 12);
++ test_chacha_rounds (SHEX("5555555555555555 5555555555555555"
++ "5555555555555555 5555555555555555"),
++ SHEX("5555555555555555"),
++ SHEX("7cb78214e4d3465b 6dc62cf7a1538c88"
++ "996952b4fb72cb61 05f1243ce3442e29"
++ "75a59ebcd2b2a598 290d7538491fe65b"
++ "dbfefd060d887981 20a70d049dc2677d"),
++ 8);
++
++ test_chacha_rounds (SHEX("5555555555555555 5555555555555555"
++ "5555555555555555 5555555555555555"),
++ SHEX("5555555555555555"),
++ SHEX("a600f07727ff93f3 da00dd74cc3e8bfb"
++ "5ca7302f6a0a2944 953de00450eecd40"
++ "b860f66049f2eaed 63b2ef39cc310d2c"
++ "488f5d9a241b615d c0ab70f921b91b95"),
++ 12);
+
+ test_chacha (SHEX("5555555555555555 5555555555555555"
+ "5555555555555555 5555555555555555"),
+@@ -413,27 +430,26 @@ test_main(void)
+ "e0b8f676e644216f 4d2a3422d7fa36c6"
+ "c4931aca950e9da4 2788e6d0b6d1cd83"
+ "8ef652e97b145b14 871eae6c6804c700"
+- "4db5ac2fce4c68c7 26d004b10fcaba86"),
+- 20);
++ "4db5ac2fce4c68c7 26d004b10fcaba86"));
+
+ /* TC6: Every odd bit set in key and IV. */
+- test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"
+- "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"),
+- SHEX("aaaaaaaaaaaaaaaa"),
+- SHEX("40f9ab86c8f9a1a0 cdc05a75e5531b61"
+- "2d71ef7f0cf9e387 df6ed6972f0aae21"
+- "311aa581f816c90e 8a99de990b6b95aa"
+- "c92450f4e1127126 67b804c99e9c6eda"),
+- 8);
+-
+- test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"
+- "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"),
+- SHEX("aaaaaaaaaaaaaaaa"),
+- SHEX("856505b01d3b47aa e03d6a97aa0f033a"
+- "9adcc94377babd86 08864fb3f625b6e3"
+- "14f086158f9f725d 811eeb953b7f7470"
+- "76e4c3f639fa841f ad6c9a709e621397"),
+- 12);
++ test_chacha_rounds (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"),
++ SHEX("aaaaaaaaaaaaaaaa"),
++ SHEX("40f9ab86c8f9a1a0 cdc05a75e5531b61"
++ "2d71ef7f0cf9e387 df6ed6972f0aae21"
++ "311aa581f816c90e 8a99de990b6b95aa"
++ "c92450f4e1127126 67b804c99e9c6eda"),
++ 8);
++
++ test_chacha_rounds (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"),
++ SHEX("aaaaaaaaaaaaaaaa"),
++ SHEX("856505b01d3b47aa e03d6a97aa0f033a"
++ "9adcc94377babd86 08864fb3f625b6e3"
++ "14f086158f9f725d 811eeb953b7f7470"
++ "76e4c3f639fa841f ad6c9a709e621397"),
++ 12);
+
+ test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"),
+@@ -446,27 +462,26 @@ test_main(void)
+ "72184489440545d0 21d97ef6b693dfe5"
+ "b2c132d47e6f041c 9063651f96b623e6"
+ "2a11999a23b6f7c4 61b2153026ad5e86"
+- "6a2e597ed07b8401 dec63a0934c6b2a9"),
+- 20);
++ "6a2e597ed07b8401 dec63a0934c6b2a9"));
+
+ /* TC7: Sequence patterns in key and IV. */
+- test_chacha (SHEX("0011223344556677 8899aabbccddeeff"
+- "ffeeddccbbaa9988 7766554433221100"),
+- SHEX("0f1e2d3c4b5a6978"),
+- SHEX("db43ad9d1e842d12 72e4530e276b3f56"
+- "8f8859b3f7cf6d9d 2c74fa53808cb515"
+- "7a8ebf46ad3dcc4b 6c7dadde131784b0"
+- "120e0e22f6d5f9ff a7407d4a21b695d9"),
+- 8);
+-
+- test_chacha (SHEX("0011223344556677 8899aabbccddeeff"
+- "ffeeddccbbaa9988 7766554433221100"),
+- SHEX("0f1e2d3c4b5a6978"),
+- SHEX("7ed12a3a63912ae9 41ba6d4c0d5e862e"
+- "568b0e5589346935 505f064b8c2698db"
+- "f7d850667d8e67be 639f3b4f6a16f92e"
+- "65ea80f6c7429445 da1fc2c1b9365040"),
+- 12);
++ test_chacha_rounds (SHEX("0011223344556677 8899aabbccddeeff"
++ "ffeeddccbbaa9988 7766554433221100"),
++ SHEX("0f1e2d3c4b5a6978"),
++ SHEX("db43ad9d1e842d12 72e4530e276b3f56"
++ "8f8859b3f7cf6d9d 2c74fa53808cb515"
++ "7a8ebf46ad3dcc4b 6c7dadde131784b0"
++ "120e0e22f6d5f9ff a7407d4a21b695d9"),
++ 8);
++
++ test_chacha_rounds (SHEX("0011223344556677 8899aabbccddeeff"
++ "ffeeddccbbaa9988 7766554433221100"),
++ SHEX("0f1e2d3c4b5a6978"),
++ SHEX("7ed12a3a63912ae9 41ba6d4c0d5e862e"
++ "568b0e5589346935 505f064b8c2698db"
++ "f7d850667d8e67be 639f3b4f6a16f92e"
++ "65ea80f6c7429445 da1fc2c1b9365040"),
++ 12);
+
+ test_chacha (SHEX("0011223344556677 8899aabbccddeeff"
+ "ffeeddccbbaa9988 7766554433221100"),
+@@ -479,27 +494,26 @@ test_main(void)
+ "fbfd29cf7bc1d279 eddf25dd316bb884"
+ "3d6edee0bd1ef121 d12fa17cbc2c574c"
+ "ccab5e275167b08b d686f8a09df87ec3"
+- "ffb35361b94ebfa1 3fec0e4889d18da5"),
+- 20);
++ "ffb35361b94ebfa1 3fec0e4889d18da5"));
+
+ /* TC8: hashed string patterns */
+- test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735"
+- "1f68ed2e194c79fb c6aebee1a667975d"),
+- SHEX("1ada31d5cf688221"),
+- SHEX("838751b42d8ddd8a 3d77f48825a2ba75"
+- "2cf4047cb308a597 8ef274973be374c9"
+- "6ad848065871417b 08f034e681fe46a9"
+- "3f7d5c61d1306614 d4aaf257a7cff08b"),
+- 8);
+-
+- test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735"
+- "1f68ed2e194c79fb c6aebee1a667975d"),
+- SHEX("1ada31d5cf688221"),
+- SHEX("1482072784bc6d06 b4e73bdc118bc010"
+- "3c7976786ca918e0 6986aa251f7e9cc1"
+- "b2749a0a16ee83b4 242d2e99b08d7c20"
+- "092b80bc466c8728 3b61b1b39d0ffbab"),
+- 12);
++ test_chacha_rounds (SHEX("c46ec1b18ce8a878 725a37e780dfb735"
++ "1f68ed2e194c79fb c6aebee1a667975d"),
++ SHEX("1ada31d5cf688221"),
++ SHEX("838751b42d8ddd8a 3d77f48825a2ba75"
++ "2cf4047cb308a597 8ef274973be374c9"
++ "6ad848065871417b 08f034e681fe46a9"
++ "3f7d5c61d1306614 d4aaf257a7cff08b"),
++ 8);
++
++ test_chacha_rounds (SHEX("c46ec1b18ce8a878 725a37e780dfb735"
++ "1f68ed2e194c79fb c6aebee1a667975d"),
++ SHEX("1ada31d5cf688221"),
++ SHEX("1482072784bc6d06 b4e73bdc118bc010"
++ "3c7976786ca918e0 6986aa251f7e9cc1"
++ "b2749a0a16ee83b4 242d2e99b08d7c20"
++ "092b80bc466c8728 3b61b1b39d0ffbab"),
++ 12);
+
+ test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735"
+ "1f68ed2e194c79fb c6aebee1a667975d"),
+@@ -512,21 +526,10 @@ test_main(void)
+ "e5fbc34e60a1d9a9 db17345b0a402736"
+ "853bf910b060bdf1 f897b6290f01d138"
+ "ae2c4c90225ba9ea 14d518f55929dea0"
+- "98ca7a6ccfe61227 053c84e49a4a3332"),
+- 20);
+-
+- /* From draft-irtf-cfrg-chacha20-poly1305-08, with 96-bit nonce */
+- test_chacha(SHEX("0001020304050607 08090a0b0c0d0e0f"
+- "1011121314151617 18191a1b1c1d1e1f"),
+- SHEX("000000090000004a 00000000"),
+- SHEX("10f1e7e4d13b5915 500fdd1fa32071c4"
+- "c7d1f4c733c06803 0422aa9ac3d46c4e"
+- "d2826446079faa09 14c2d705d98b02a2"
+- "b5129cd1de164eb9 cbd083e8a2503c4e"),
+- 20);
++ "98ca7a6ccfe61227 053c84e49a4a3332"));
+
+- /* This is identical to the above 96-bit nonce test, but it manually
+- sets the 32-bit counter value */
++ /* From draft-irtf-cfrg-chacha20-poly1305-08, with 96-bit nonce. Manually
++ sets the 32-bit counter value to 1. */
+ test_chacha_with_counter(SHEX("0001020304050607 08090a0b0c0d0e0f"
+ "1011121314151617 18191a1b1c1d1e1f"),
+ SHEX("000000090000004a 00000000"),
+@@ -534,7 +537,6 @@ test_main(void)
+ "c7d1f4c733c06803 0422aa9ac3d46c4e"
+ "d2826446079faa09 14c2d705d98b02a2"
+ "b5129cd1de164eb9 cbd083e8a2503c4e"),
+- 20,
+ SHEX("01000000"));
+
+ /* This is identical to the above 96-bit nonce test, but it manually
+@@ -546,6 +548,242 @@ test_main(void)
+ "c7d1f4c733c06803 0422aa9ac3d46c4e"
+ "d2826446079faa09 14c2d705d98b02a2"
+ "b5129cd1de164eb9 cbd083e8a2503c4e"),
+- 20,
+ SHEX("0100000000000009"));
++
++ /* Tests with long message, 16 blocks. */
++ test_chacha (SHEX("8c34799cd41aaece 303d33eeaac74e6b"
++ "09742e5a6858def1 c1413425719ba204"),
++ SHEX("f9a864f273cc10fe baf531d7"),
++ SHEX("3bed2adca04c96c8 d74e08aff4d5d9e0"
++ "836209a15db7ea25 87c61d61a3472c4f"
++ "b09ec92d020a25fd 183eb31870bf01c2"
++ "9a87c2280ca12718 2af7a0b626ba4906"
++
++ "51268430b180c7f9 5bb680bacf4a84e7"
++ "dadd67bb6e2aa32d 22fb99ae4dfac283"
++ "acb0f596f75518f9 3227448d63048f1a"
++ "20108699cc0504e5 524e11e71f05d3f9"
++
++ "b37725c68260448d dd61b690f614571b"
++ "a57a848f6f2b0e10 5c044986d9d2f7ca"
++ "10177a27c5ccbb94 ffefcb87d836b02a"
++ "e6c312ebd5862520 c67d05259326a1d5"
++
++ "645a6f4cdda94de2 8d5d8069d95263e7"
++ "037c4fbe1322fcb5 cf5ab14237039b76"
++ "f76134345777d647 799f248b7f8c9a94"
++ "713e5678bfdef4f2 7285a34be8800146"
++
++ "1f9cffbf24228377 d583f34ddb9c6010"
++ "8c035f7e5285953c 74b56e1508531705"
++ "f49398b409d94276 435814ee76232b57"
++ "0b461913fa88381f 238a241afa7042f0"
++
++ "35e796cb4a058dfc 4098b614464ad230"
++ "9c6e7719d940e26b 8d77472d357230f5"
++ "cb35cfa86bf46324 eafb305ae2d50509"
++ "0e635ebe9e4a090a 41c8e9e931d7bf5f"
++
++ "22a59d75130c62e3 a4829fc38d07d458"
++ "072956a6282b9a90 f9a491e064dcc689"
++ "28e47fd1c7131e97 6f755027fbf190cf"
++ "977de188faa80a7c 83921745bb14f534"
++
++ "3cbc9d86d01379f3 d59fa5b454ed8855"
++ "46f34b9e419dfe08 9879cae4b297a3d8"
++ "28367da777756aaa 9de2005e0ad1af6f"
++ "af6daf9c14aedc39 fcbf95863a128816"
++
++ "93f22a580c96ca98 da6c13166cd17b22"
++ "2c468df637bf2961 e6b7692c6ed3463b"
++ "84a1837108de1ea4 20c0a890c92768b8"
++ "ac6732645a1a609c 28345d5e69f9475c"
++
++ "21401fe2b7504230 ce4866d09484ffdc"
++ "0bdd08f193993b26 083808e88f109d3b"
++ "753d61a4391b1461 fe3a9bc07e2fee7b"
++ "b37c9997c8f3d081 d6d145fb060da3f2"
++
++ "28a31a2be1a35c6c 4c6181bac0f1119e"
++ "e87bc230512e0fb4 38040e89e8af7452"
++ "71530ae0e34bca8e 0cfbe5bbad577bea"
++ "bc1c9c673d197185 7033822cd0ea21ed"
++
++ "ccfdf4788f62c26b bd2718e576db61f5"
++ "4ebef978884c7fe7 b4934918cb89e3a2"
++ "df3b5c664ab9ff09 0c016ba84ebbbd73"
++ "8cf905fc8ca95dee 757a901ea27a33d2"
++
++ "813f0a17692c5646 6f9690cddb3e15f7"
++ "1020f9321bd45ccb 49c41deb49103a7d"
++ "b8535b705e4d3389 f4495ee49f96dc5d"
++ "c7eab39129652078 8b3876576f5dadb0"
++
++ "a674bdad75a9f581 d48fbc2e6de734f0"
++ "73f78ed77b041a09 760ef6eb754cc60e"
++ "8fabd6e1b3ce02bb b302f8a73be42ddf"
++ "1dae4d8b251320d2 184adaf92eb76b12"
++
++ "37d169621de761fb cb6942a7b9972cca"
++ "9d35d58b2779523b ad584c27bb991acd"
++ "a0be4174dcd85ffe fe16abf2235829c5"
++ "0ac49897e2b2a7ef b1c5c07e80d7fce1"
++
++ "c4f5596231ad3436 0c75cd60b5088281"
++ "83c74ffc805177f7 c687454582a3cbc3"
++ "79180c9a90680eda 68499e0ee435c7c6"
++ "e028d305299b43dd eb68c387ae694a53"));
++
++ test_chacha (SHEX("8c34799cd41aaece 303d33eeaac74e6b"
++ "09742e5a6858def1 c1413425719ba204"),
++ SHEX("f9a864f273cc10fe"),
++ SHEX("bd11678b8300a275 60dadbde311b1660"
++ "edf6ec14eff4b553 418c7a99c8a0512b"
++ "f79cfbf853f0df4f daa806dd6ac12aea"
++ "bc92f8d4964f4d86 e12934589e46b6f3"
++
++ "cb00ac786355852a f066f1ca2485f7bb"
++ "232096e5a6042498 149600c6d438598a"
++ "8b89bf6b3adcbbd8 010e91148c01c06d"
++ "4f5b651333f32292 0e149f6fe2dcc8a4"
++
++ "98744655d32732f8 69a88b5cf80761a8"
++ "218888d5ba5788c8 7eef9340e2f03b0c"
++ "b1caf7cfe0d9cde6 434d615a7f1c603e"
++ "1302e311cadb7c69 95ca53981ae58aac"
++
++ "40718e7dc61eabe3 35c253988217fc10"
++ "1a1633b9bce6fbc9 b9fd9c9a2ab319a5"
++ "9ba134ef7505e64c c35cccbb320bec09"
++ "4dc950849b49d86d 572f795c1a24dbe3"
++
++ "2d51e61a7291375a 85b150f0530f53c1"
++ "3c987c0beedb2107 49c847c774523858"
++ "dbeb997609cf89ad cf7433e668a460bc"
++ "52cfa00951daac95 e5edc8baf32a867e"
++
++ "81c3d7de7f34ea28 f74339985f2643cc"
++ "9b5d30d76872d20e fb18d914a58f0083"
++ "d5d322f5cdd5a3dd 63148988bb79e97a"
++ "1e8a9595e1f4cccd 8910a043f1b07cd1"
++
++ "bcb8e7c4c8018de9 8ff65b2787304751"
++ "333b94ae56dbbb36 4e9ed750dc77d9ce"
++ "c9c5a440663b78a6 0dba2ac3b5e7fcf1"
++ "c1f14cd1a9794c49 ff082df137a4a35d"
++
++ "bee8409979b49275 3a4a32825b6c9903"
++ "28440e2c7d2c2cae 4bdd5769dc0cc31f"
++ "4bd5b8d090ec6cbe d743b44bf62531c5"
++ "f12e1bbb68cca686 36953a259c9d4b9b"
++
++ "c1ec206c8a506f49 9a13a2e60c026f53"
++ "61bd34428f9d6fa7 207c63589d1efd5f"
++ "161cc957275a7f00 992c7e1dfda6f913"
++ "9d35ae670cff55da 1dba6a2f13424b3f"
++
++ "61c68580885eba6a f2aecb29d138b209"
++ "1c7227902aceddfb d4761f7cbae75d89"
++ "aaca5808a4704410 448a6eb13cf4b4f6"
++ "cd7c37341ae80b23 6affef543aef78aa"
++
++ "15a4581380cb19b8 e684ddd3efaea4e6"
++ "bb88c07aa9325398 cb67e241a59732d0"
++ "dfe999532b53d255 fb34a937aa55ae4d"
++ "02b7850831b7b669 1e4ee269c5d38a9d"
++
++ "80133265072ab3f3 af627298a265d7c0"
++ "1fe95f895b08d4c8 7dd4f6f7a6ce1393"
++ "de4225fedd1bf3c1 fe76a171f99d5e3f"
++ "975e31ca21d58fa6 daf580dcb46379a6"
++
++ "8a6a65e72b4df392 d3f94697f352286e"
++ "0f00ce97f2656011 4ccf17bdcedc9589"
++ "a9c8041e9f3daf9c f5c222d6ddbd2cfc"
++ "b26065a9f85592d5 e6f85a46e0e9fd79"
++
++ "f25197451c8d18d3 ed15cac7ba27870f"
++ "8f0cbe7c17409a4e 66e95adde633d2d6"
++ "270e0d17ca774efa 1ce9908e03baf208"
++ "cfee33add11dcd9e 032db6fbb7b209a6"
++
++ "30ac76c88e695413 a3c75d885a2fe9c4"
++ "50236bf7a59110d5 62c77bc046afeb0d"
++ "a8210a75a79e6732 9e49a225bee17b84"
++ "bf24bdd32f77fdf4 05fd06955b0802d9"
++
++ "7a4f115b8b052184 1a80620b2d66e572"
++ "41d137cbcb2131c5 c8cbabe8a1b0ca25"
++ "d760f988e68843ef ddc7449daf2b18ce"
++ "5825cc4f79aaf7ac 659c77a1ad294b51"));
++
++ /* From https://github.com/weidai11/cryptopp/blob/master/TestVectors/chacha.txt */
++ test_chacha_with_counter (SHEX("0000000000000000 0000000000000000"
++ "0000000000000000 0000000000000000"),
++ SHEX("0000000000000000"),
++ SHEX("032CC123482C3171 1F94C941AF5AB1F4"
++ "155784332ED5348F E79AEC5EAD4C06C3"
++ "F13C280D8CC49925 E4A6A5922EC80E13"
++ "A4CDFA840C70A142 7A3CB699166991A5"
++ "ACE4CD09E294D191 2D4AD205D06F95D9"
++ "C2F2BFCF453E8753 F128765B62215F4D"
++ "92C74F2F626C6A64 0C0B1284D839EC81"
++ "F1696281DAFC3E68 4593937023B58B1D"
++ "3DB41D3AA0D32928 5DE6F225E6E24BD5"
++ "9C9A17006943D5C9 B680E3873BDC683A"
++ "5819469899989690 C281CD17C96159AF"
++ "0682B5B903468A61 F50228CF09622B5A"
++ "46F0F6EFEE15C8F1 B198CB49D92B9908"
++ "67905159440CC723 916DC00128269810"
++ "39CE1766AA2542B0 5DB3BD809AB14248"
++ "9D5DBFE1273E7399 637B4B3213768AAA"
++ "89B1889375E99FE2 442C4F68ADF54158"
++ "F4B8135713D00999 B92B38E3AAFE5FF4"
++ "959B1834BE3DC54F C36AA9D32EB121E0"
++ "F688B90E7C7E2649 F4AAEF407BDD2B94"
++ "09EFEC03114CB5D4 FFD1788E0FE1897B"
++ "D176C1311E368368 C657A5EE55C9CA03"
++ "CC71744F030822D5 3A0486A97B9D9824"
++ "0274FADEAF262BD8 1B58BCE3DFA98414"
++ "C24B5BC517FD9199 3A6B2E6232B05021"
++ "25C6F48A6921E2DD A8EB6B3C4ECF2AAE"
++ "889602AD90B5D253 7FF45DF525C67B98"
++ "3B51DBD23E1280AA 656EAE85B63CC42D"
++ "E8C70E7C19C1D66E 3F902BEA9D1ACFD3"
++ "326B5985AD7C8CAB D431ACBC62976CE5"
++ "23C938EA447D4AF0 F560DC52B0AB1D7D"
++ "66A42AB8272E2C40 BD66470FE6F68846"
++ "12A11D899A0B7EB5 4907BBEDD6483EFC"
++ "ED1F15621D4673FF 928C5AAB5F465257"
++ "123679EF17C39648 C537E150108E0F66"
++ "08732E9F5B240689 EEB5402FA04CCB89"
++ "B7CA9649A361C526 B41ED110402D9497"
++ "715B03441118BC49 53FCBEF395267570"
++ "BD43EC0EEF7B6167 F14FED205EB81290"
++ "7D0C134DC49FA5B1 8F5A3A3A9BD0A71B"
++ "2FFE445EE4FABEB4 054CC922BA360E45"
++ "89B681F01E2A43B5 A0C0F0C39A5ADB94"
++ "B3BC2D20FF7F287F DF17F53B7CB5E3A1"
++ "ABD46FC0819A3559 C03C6B4106603066"
++ "359A4A09B468B6DF EF8A363C7B31D9E8"
++ "8ABB85914F4A27C3 0E9915C66AAC3576"
++ "9E481C87AEE4C313 8CF40F288ED3C172"
++ "FFC17D3D78F8D32C 3C756C13CFBFB95F"
++ "3ECCE6D8B54344D7 8998F58148C4B43B"
++ "1A6201ABFF3D4FB4 B76E3BBA104CFAA5"
++ "5D8DA4319A9E0606 644B07DC204E9635"
++ "502186C1EF9E4332 2EFD69F86D4DA1F6"
++ "A98BF0B800BA04BD 9FBA5C5BE8EC49D4"
++ "8D9EECBADEE669EF 69C9522C730110BB"
++ "8339AF0E45185262 C9183307C5EEA59D"
++ "E5095CAC26E8428D 4CA9E44DCF8FC7B4"
++ "1F9624A2DBA36F44 415BAC489BF46CB6"
++ "BB1BD2B70D719772 FDABB3B166EA615A"
++ "BDF208C39BA8A708 D933CBC8A3236D4A"
++ "15629FCAA35E00C2 B361527326E7AB51"
++ "409A7DE42C909334 6E41D3A3C4529D95"
++ "57BBC01EEFF927F1 052B5E02F74542B0"
++ "4E78F1E933C67DBC 2C9187527C86DA77"
++ "F045D4B07CF646BA 9547646905F1F117"),
++ SHEX("feffffff00000000")); /* 32-bit overflow */
+ }
+--
+2.30.0
+
diff -Nru nettle-3.7/debian/patches/0002-Fix-chacha-counter-update-for-_4core-variants.patch nettle-3.7/debian/patches/0002-Fix-chacha-counter-update-for-_4core-variants.patch
--- nettle-3.7/debian/patches/0002-Fix-chacha-counter-update-for-_4core-variants.patch 1970-01-01 01:00:00.000000000 +0100
+++ nettle-3.7/debian/patches/0002-Fix-chacha-counter-update-for-_4core-variants.patch 2021-02-13 08:30:13.000000000 +0100
@@ -0,0 +1,57 @@
+From 64837b2e433e2b99b893683949bad3a99acab38f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <ni...@lysator.liu.se>
+Date: Wed, 10 Feb 2021 11:22:23 +0100
+Subject: [PATCH 2/2] Fix chacha counter update for _4core variants.
+
+---
+ ChangeLog | 4 ++++
+ chacha-crypt.c | 10 +++++++---
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+ ChangeLog
+
+ * chacha-crypt.c (_nettle_chacha_crypt_4core): Fix for the case
+ that counter increment should be 3 (129 <= message length <= 192).
+ (_nettle_chacha_crypt32_4core): Likewise.
+
+diff --git a/chacha-crypt.c b/chacha-crypt.c
+index 081ebcf4..1fdfc813 100644
+--- a/chacha-crypt.c
++++ b/chacha-crypt.c
+@@ -80,13 +80,16 @@ _nettle_chacha_crypt_4core(struct chacha_ctx *ctx,
+ while (length > 2*CHACHA_BLOCK_SIZE)
+ {
+ _nettle_chacha_4core (x, ctx->state, CHACHA_ROUNDS);
+- ctx->state[12] += 4;
+- ctx->state[13] += (ctx->state[12] < 4);
+ if (length <= 4*CHACHA_BLOCK_SIZE)
+ {
++ uint32_t incr = 3 + (length > 3*CHACHA_BLOCK_SIZE);
++ ctx->state[12] += incr;
++ ctx->state[13] += (ctx->state[12] < incr);
+ memxor3 (dst, src, x, length);
+ return;
+ }
++ ctx->state[12] += 4;
++ ctx->state[13] += (ctx->state[12] < 4);
+ memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE);
+
+ length -= 4*CHACHA_BLOCK_SIZE;
+@@ -200,12 +203,13 @@ _nettle_chacha_crypt32_4core(struct chacha_ctx *ctx,
+ while (length > 2*CHACHA_BLOCK_SIZE)
+ {
+ _nettle_chacha_4core32 (x, ctx->state, CHACHA_ROUNDS);
+- ctx->state[12] += 4;
+ if (length <= 4*CHACHA_BLOCK_SIZE)
+ {
++ ctx->state[12] += 3 + (length > 3*CHACHA_BLOCK_SIZE);
+ memxor3 (dst, src, x, length);
+ return;
+ }
++ ctx->state[12] += 4;
+ memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE);
+
+ length -= 4*CHACHA_BLOCK_SIZE;
+--
+2.30.0
+
diff -Nru nettle-3.7/debian/patches/series nettle-3.7/debian/patches/series
--- nettle-3.7/debian/patches/series 2021-02-01 00:01:59.000000000 +0100
+++ nettle-3.7/debian/patches/series 2021-02-13 08:23:30.000000000 +0100
@@ -1 +1,3 @@
fPIC.patch
+0001-Improve-chacha-test-coverage.patch
+0002-Fix-chacha-counter-update-for-_4core-variants.patch
