From 21ed995281b1cc2d749e5d2da054abdadac7c7b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juhani=20Krekel=C3=A4?=
Date: Thu, 8 Apr 2021 20:35:34 +0300
Subject: [PATCH] Fix the implementation of MDC-2. The state is chained as the key, not as the plaintext, through the block cipher
---
 puer.c | 48 ++++++++++++++++++++++++------------------------
 1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/puer.c b/puer.c
index ca01f2b..aff7d77 100644
--- a/puer.c
+++ b/puer.c
@@ -130,36 +130,36 @@ void compress_hash(struct hashstate *state) {
 	message[2] = bytes2word(&state->buffer[8]);
 	message[3] = bytes2word(&state->buffer[12]);
-	// A_i, B_i
-	uint32_t a[4], b[4];
-	memcpy(a, state->a, sizeof(a));
-	memcpy(b, state->b, sizeof(b));
-	// V_i = M_i ^ E(M_i, A_i)
-	xxtea128(message, a);
-	a[0] ^= message[0];
-	a[1] ^= message[1];
-	a[2] ^= message[2];
-	a[3] ^= message[3];
+	// Note: In this description A_i is the *key*, not the plaintext
+	uint32_t v[4];
+	memcpy(v, message, sizeof(v));
+	xxtea128(state->a, v);
+	v[0] ^= message[0];
+	v[1] ^= message[1];
+	v[2] ^= message[2];
+	v[3] ^= message[3];
 	// W_i = M_i ^ E(M_i, B_i);
-	xxtea128(message, b);
-	b[0] ^= message[0];
-	b[1] ^= message[1];
-	b[2] ^= message[2];
-	b[3] ^= message[3];
+	uint32_t w[4];
+	memcpy(w, message, sizeof(w));
+	xxtea128(state->b, w);
+	w[0] ^= message[0];
+	w[1] ^= message[1];
+	w[2] ^= message[2];
+	w[3] ^= message[3];
-	// A_{i+1} = V_i^L || W_i^R
-	state->a[0] = a[0];
-	state->a[1] = a[1];
-	state->a[2] = b[2];
-	state->a[3] = b[3];
+	// A_{i+1} = Vwi^L || W_i^R
+	state->a[0] = v[0];
+	state->a[1] = v[1];
+	state->a[2] = w[2];
+	state->a[3] = w[3];
 	// B_{i+1} = W_i^L || V_i^R
-	state->b[0] = b[0];
-	state->b[1] = b[1];
-	state->b[2] = a[2];
-	state->b[3] = a[3];
+	state->b[0] = v[0];
+	state->b[1] = v[1];
+	state->b[2] = w[2];
+	state->b[3] = w[3];
 	// Mark that we have consumed the buffer
 	state->length = 0;
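Review bot: The new B_{i+1} assignment makes `state->b` identical to `state->a` — both receive `v[0], v[1], w[2], w[3]` — which contradicts the context comment `// B_{i+1} = W_i^L || V_i^R` directly above it and the cross-over the removed lines performed; once A_i == B_i, V_i == W_i for every later block, the two chains collapse into one, and the digest's two halves come out equal, so the double-length property MDC-2 exists for is lost. The B block should take the other halves, as in the fence below, and a known-answer vector for this construction should accompany the fix since this kind of bug is invisible to a round-trip test. The `// A_{i+1} = Vwi^L || W_i^R` comment has a typo (`Vwi` for `V_i`), and the added `// Note: In this description A_i is the *key*` line reads as dangling if the `// V_i = M_i ^ E(M_i, A_i)` comment it refers to is removed as this hunk shows; `// V_i = M_i ^ E_{A_i}(M_i)  (A_i is the key, M_i the plaintext)` would stand on its own. compress_hash begins before this hunk and its end is not shown.
```c
	// B_{i+1} = W_i^L || V_i^R
	state->b[0] = w[0];
	state->b[1] = w[1];
	state->b[2] = v[2];
	state->b[3] = v[3];
```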