streebog: fix bit-length counter carry propagation to 512-bit (#759)

The update_n() implementation propagated carry only through limbs 1..6,
effectively making n a 448-bit counter. According to GOST R 34.11-2012
(RFC 6986), the total processed bit-length must be tracked modulo 2^512.
This change extends the loop to include limb 7 so carry ripples through
all eight 64-bit words and any further carry is discarded, thus
restoring correct modulo 2^512 semantics. Although this bug only
manifests for astronomically large inputs, it is a correctness issue and
brings the implementation in line with the specification and the
behavior of similar counters in this codebase.

Author: radik878

streebog/src/block_api.rs

@@ -77,7 +77,7 @@ impl StreebogVarCore {
         let mut carry = false;
         // Note: `len` can not be bigger than block size, so `8 * len` never overflows
         adc(&mut self.n[0], 8 * len, &mut carry);
-        for i in 1..7 {
+        for i in 1..8 {
             adc(&mut self.n[i], 0, &mut carry);
         }
     }
@@ -217,3 +217,39 @@ fn from_bytes(b: &Block) -> [u64; 8] {
     }
     t
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn counter_carry_propagates_to_top_limb() {
+        let mut core = StreebogVarCore {
+            h: [0u64; 8],
+            n: [0u64; 8],
+            sigma: [0u64; 8],
+        };
+        core.n[0] = u64::MAX - 511;
+        for i in 1..=6 {
+            core.n[i] = u64::MAX;
+        }
+        core.n[7] = 0;
+        core.update_n(64);
+        for i in 0..=6 {
+            assert_eq!(core.n[i], 0);
+        }
+        assert_eq!(core.n[7], 1);
+    }
+
+    #[test]
+    fn counter_zero_len_no_change() {
+        let mut core = StreebogVarCore {
+            h: [0u64; 8],
+            n: [1, 2, 3, 4, 5, 6, 7, 8],
+            sigma: [0u64; 8],
+        };
+        let before = core.n;
+        core.update_n(0);
+        assert_eq!(core.n, before);
+    }
+}