Fix the implementation of MDC-2. The state is chained as the key, not as the plaintext, through the block cipher

puer.c

@@ -130,36 +130,36 @@ void compress_hash(struct hashstate *state) {
 	message[2] = bytes2word(&state->buffer[8]);
 	message[3] = bytes2word(&state->buffer[12]);
 
-	// A_i, B_i
-	uint32_t a[4], b[4];
-	memcpy(a, state->a, sizeof(a));
-	memcpy(b, state->b, sizeof(b));
-
 	// V_i = M_i ^ E(M_i, A_i)
-	xxtea128(message, a);
+	// Note: In this description A_i is the *key*, not the plaintext
-	a[0] ^= message[0];
+	uint32_t v[4];
-	a[1] ^= message[1];
+	memcpy(v, message, sizeof(v));
-	a[2] ^= message[2];
+	xxtea128(state->a, v);
-	a[3] ^= message[3];
+	v[0] ^= message[0];
+	v[1] ^= message[1];
+	v[2] ^= message[2];
+	v[3] ^= message[3];
 
 	// W_i = M_i ^ E(M_i, B_i);
-	xxtea128(message, b);
+	uint32_t w[4];
-	b[0] ^= message[0];
+	memcpy(w, message, sizeof(w));
-	b[1] ^= message[1];
+	xxtea128(state->b, w);
-	b[2] ^= message[2];
+	w[0] ^= message[0];
-	b[3] ^= message[3];
+	w[1] ^= message[1];
+	w[2] ^= message[2];
+	w[3] ^= message[3];
 
-	// A_{i+1} = V_i^L || W_i^R
+	// A_{i+1} = Vwi^L || W_i^R
-	state->a[0] = a[0];
+	state->a[0] = v[0];
-	state->a[1] = a[1];
+	state->a[1] = v[1];
-	state->a[2] = b[2];
+	state->a[2] = w[2];
-	state->a[3] = b[3];
+	state->a[3] = w[3];
 
 	// B_{i+1} = W_i^L || V_i^R
-	state->b[0] = b[0];
+	state->b[0] = v[0];
-	state->b[1] = b[1];
+	state->b[1] = v[1];
-	state->b[2] = a[2];
+	state->b[2] = w[2];
-	state->b[3] = a[3];
+	state->b[3] = w[3];
 
 	// Mark that we have consumed the buffer
 	state->length = 0;