From 22d0a1d34cbf1466e01b59a8567af36cf315f328 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Sun, 24 Dec 2017 13:18:28 +0300
Subject: [PATCH] Fix 34.13 OFB bug with len(IV) > 2

---
 pygost/gost3413.py | 2 +-
 pygost/test_gost3413.py | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/pygost/gost3413.py b/pygost/gost3413.py
index c0201c9..cdf8210 100644
--- a/pygost/gost3413.py
+++ b/pygost/gost3413.py
@@ -138,7 +138,7 @@ def ofb(encrypter, bs, data, iv):
 result = []
 for i in xrange(0, len(data) + pad_size(len(data), bs), bs):
 r = r[1:] + [encrypter(r[0])]
- result.append(strxor(r[1], data[i:i + bs]))
+ result.append(strxor(r[-1], data[i:i + bs]))
 return b"".join(result)


diff --git a/pygost/test_gost3413.py b/pygost/test_gost3413.py
index f1574ee..e26a3ea 100644
--- a/pygost/test_gost3413.py
+++ b/pygost/test_gost3413.py
@@ -18,6 +18,7 @@ from pygost.gost3413 import pad2
 from pygost.gost3413 import unpad2
 from pygost.utils import hexdec
 from pygost.utils import hexenc
+from pygost.utils import strxor


 class Pad2Test(TestCase):
@@ -110,6 +111,19 @@ class GOST3412KuznechikModesTest(TestCase):
 ct = ofb(ciph.encrypt, 16, pt, iv)
 self.assertSequenceEqual(ofb(ciph.encrypt, 16, ct, iv), pt)

+ def test_ofb_manual(self):
+ iv = [urandom(16) for _ in range(randint(2, 10))]
+ pt = [urandom(16) for _ in range(len(iv), len(iv) + randint(1, 10))]
+ ciph = GOST3412Kuznechik(urandom(32))
+ r = [ciph.encrypt(i) for i in iv]
+ for i in range(len(pt) - len(iv)):
+ r.append(ciph.encrypt(r[i]))
+ ct = [strxor(g, r) for g, r in zip(pt, r)]
+ self.assertSequenceEqual(
+ ofb(ciph.encrypt, 16, b"".join(pt), b"".join(iv)),
+ b"".join(ct),
+ )
+
 def test_cbc_vectors(self):
 ciphtext = ""
 ciphtext += "689972d4a085fa4d90e52e3d6d7dcc27"
-- 
2.44.0
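Review bot: The corrected line `result.append(strxor(r[-1], data[i:i + bs]))` in ofb() has no comment explaining why the last register element is the gamma block, which is the detail the old `r[1]` got wrong. After `r = r[1:] + [encrypter(r[0])]` the freshly encrypted block is at the end of the register, and `r[1]` coincides with it only when the register holds two blocks; I would add `# gamma is the newest register element; r[1] equals it only for a two-block IV` above the append. The register initialisation is outside this hunk, but if it is filled from the raw IV blocks, the old index XORed the first data blocks with unencrypted IV material whenever the IV was longer than two blocks. In that case the commit message or changelog should state that output produced with such IVs by earlier versions is incompatible with the fixed code and should be re-encrypted rather than kept.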
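Review bot: In test_ofb_manual, `range(len(iv), len(iv) + randint(1, 10))` yields only `randint(1, 10)` plaintext blocks, so `len(pt) - len(iv)` is often zero or negative and the feedback loop (`r.append(ciph.encrypt(r[i]))`) does not run. Those runs check only the first pass over the IV blocks, and when `randint(2, 10)` returns 2 the test passes with the old `r[1]` index as well, so it is not a reliable regression test for this fix. Making the plaintext always longer than the IV, `pt = [urandom(16) for _ in range(len(iv) + randint(1, 10))]`, and adding one fixed case with an IV of three or more blocks would cover both paths on every run and make a failure reproducible. Separately, `[strxor(g, r) for g, r in zip(pt, r)]` reuses `r` as its loop variable, which rebinds the list if Python 2 is still supported (the module under test uses `xrange`); `for p, g in zip(pt, r)` avoids that and matches what the values are.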