Fix Blake2xs ignoring offset and specified digestLength

peterdettman · peterdettman · commit 11c950f3d7c0 · 2022-09-30T15:46:03.000+07:00
diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/Blake2xsDigest.java b/core/src/main/java/org/bouncycastle/crypto/digests/Blake2xsDigest.java
@@ -9,7 +9,6 @@
  */
 
 import org.bouncycastle.crypto.CryptoServicePurpose;
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.bouncycastle.crypto.Xof;
 import org.bouncycastle.util.Arrays;
 
@@ -87,7 +86,7 @@ public class Blake2xsDigest
      */
     public Blake2xsDigest()
     {
-        this(Blake2xsDigest.UNKNOWN_DIGEST_LENGTH, CryptoServicePurpose.ANY); //TODO: change this?
+        this(UNKNOWN_DIGEST_LENGTH, CryptoServicePurpose.ANY); //TODO: change this?
     }
 
     /**
@@ -125,7 +124,7 @@ public Blake2xsDigest(int digestBytes, byte[] key)
      */
     public Blake2xsDigest(int digestBytes, byte[] key, byte[] salt, byte[] personalization, CryptoServicePurpose purpose)
     {
-        if (digestBytes < 1 || digestBytes > Blake2xsDigest.UNKNOWN_DIGEST_LENGTH)
+        if (digestBytes < 1 || digestBytes > UNKNOWN_DIGEST_LENGTH)
         {
             throw new IllegalArgumentException(
                 "BLAKE2xs digest length must be between 1 and 2^16-1");
@@ -134,7 +133,7 @@ public Blake2xsDigest(int digestBytes, byte[] key, byte[] salt, byte[] personali
         digestLength = digestBytes;
         nodeOffset = computeNodeOffset();
         this.purpose = purpose;
-        hash = new Blake2sDigest(Blake2xsDigest.DIGEST_LENGTH, key, salt, personalization, nodeOffset, purpose);
+        hash = new Blake2sDigest(DIGEST_LENGTH, key, salt, personalization, nodeOffset, purpose);
     }
 
     public Blake2xsDigest(Blake2xsDigest digest)
@@ -189,7 +188,7 @@ public int getByteLength()
      */
     public long getUnknownMaxLength()
     {
-        return Blake2xsDigest.MAX_NUMBER_BLOCKS * Blake2xsDigest.DIGEST_LENGTH;
+        return MAX_NUMBER_BLOCKS * DIGEST_LENGTH;
     }
 
     /**
@@ -223,7 +222,7 @@ public void reset()
         hash.reset();
 
         h0 = null;
-        bufPos = Blake2xsDigest.DIGEST_LENGTH;
+        bufPos = DIGEST_LENGTH;
         digestPos = 0;
         blockPos = 0;
         nodeOffset = computeNodeOffset();
@@ -238,7 +237,7 @@ public void reset()
      */
     public int doFinal(byte[] out, int outOffset)
     {
-        return doFinal(out, outOffset, out.length);
+        return doFinal(out, outOffset, digestLength);
     }
 
     /**
@@ -275,7 +274,7 @@ public int doOutput(byte[] out, int outOff, int outLen)
             hash.doFinal(h0, 0);
         }
 
-        if (digestLength != Blake2xsDigest.UNKNOWN_DIGEST_LENGTH)
+        if (digestLength != UNKNOWN_DIGEST_LENGTH)
         {
             if (digestPos + outLen > digestLength)
             {
@@ -291,9 +290,9 @@ else if (blockPos << 5 >= getUnknownMaxLength())
 
         for (int i = 0; i < outLen; i++)
         {
-            if (bufPos >= Blake2xsDigest.DIGEST_LENGTH)
+            if (bufPos >= DIGEST_LENGTH)
             {
-                Blake2sDigest h = new Blake2sDigest(computeStepLength(), Blake2xsDigest.DIGEST_LENGTH, nodeOffset);
+                Blake2sDigest h = new Blake2sDigest(computeStepLength(), DIGEST_LENGTH, nodeOffset);
                 h.update(h0, 0, h0.length);
 
                 Arrays.fill(buf, (byte)0);
@@ -302,7 +301,7 @@ else if (blockPos << 5 >= getUnknownMaxLength())
                 nodeOffset++;
                 blockPos++;
             }
-            out[i] = buf[bufPos];
+            out[outOff + i] = buf[bufPos];
             bufPos++;
             digestPos++;
         }
@@ -314,12 +313,12 @@ else if (blockPos << 5 >= getUnknownMaxLength())
     // always the maximum.
     private int computeStepLength()
     {
-        if (digestLength == Blake2xsDigest.UNKNOWN_DIGEST_LENGTH)
+        if (digestLength == UNKNOWN_DIGEST_LENGTH)
         {
-            return Blake2xsDigest.DIGEST_LENGTH;
+            return DIGEST_LENGTH;
         }
 
-        return Math.min(Blake2xsDigest.DIGEST_LENGTH, digestLength - digestPos);
+        return Math.min(DIGEST_LENGTH, digestLength - digestPos);
     }
 
     private long computeNodeOffset()
diff --git a/core/src/test/java/org/bouncycastle/crypto/test/Blake2xsDigestTest.java b/core/src/test/java/org/bouncycastle/crypto/test/Blake2xsDigestTest.java
@@ -1,5 +1,8 @@
 package org.bouncycastle.crypto.test;
 
+import java.util.Arrays;
+import java.util.Random;
+
 import org.bouncycastle.crypto.digests.Blake2xsDigest;
 import org.bouncycastle.util.encoders.Hex;
 import org.bouncycastle.util.test.SimpleTest;
@@ -2579,38 +2582,44 @@ public String getName()
 
     private void testBlake2xsTestVectors()
     {
+        Random random = new Random();
+
         for (int i = 0; i != Blake2xsDigestTest.xofTestVectors.length; i++)
         {
             String[] vector = Blake2xsDigestTest.xofTestVectors[i];
             byte[] input = Hex.decode(vector[0]);
             byte[] key = Hex.decode(vector[1]);
+            byte[] expected = Hex.decode(vector[2]);
 
-            Blake2xsDigest h = new Blake2xsDigest(vector[2].length() / 2, key);
+            int digestSize = expected.length;
+            Blake2xsDigest h = new Blake2xsDigest(digestSize, key);
             h.update(input, 0, input.length);
 
-            byte[] out = new byte[vector[2].length() / 2];
-            h.doFinal(out, 0);
-            if (!areEqual(out, Hex.decode(vector[2])))
+            byte[] out = new byte[16 + digestSize];
+            int outOff = 1 + random.nextInt(16);
+            h.doFinal(out, outOff);
+            if (!areEqual(out, outOff, outOff + digestSize, expected, 0, digestSize))
             {
-                fail("BLAKE2xs mismatch on test vector ", vector[2], Hex.toHexString(out));
+                fail("BLAKE2xs mismatch on test vector ", vector[2], Hex.toHexString(out, outOff, digestSize));
             }
 
-            out = new byte[vector[2].length() / 2];
+            Arrays.fill(out, (byte)0);
+            outOff = 1 + random.nextInt(16);
+
             h.update(input, 0, input.length);
             Blake2xsDigest clone = new Blake2xsDigest(h);
 
-            h.doOutput(out, 0, out.length);
-            if (!areEqual(out, Hex.decode(vector[2])))
+            h.doOutput(out, outOff, digestSize);
+            if (!areEqual(out, outOff, outOff + digestSize, expected, 0, digestSize))
             {
-                fail("BLAKE2xs mismatch on test vector after a reset", vector[2], Hex.toHexString(out));
+                fail("BLAKE2xs mismatch on test vector after a reset", vector[2], Hex.toHexString(out, outOff, digestSize));
             }
 
-            byte[] outClone = new byte[out.length];
+            byte[] outClone = new byte[digestSize];
             clone.doFinal(outClone, 0, outClone.length);
-            if (!areEqual(out, outClone))
+            if (!areEqual(outClone, expected))
             {
-                fail("BLAKE2xs mismatch on test vector against a clone",
-                    vector[2], Hex.toHexString(outClone));
+                fail("BLAKE2xs mismatch on test vector against a clone", vector[2], Hex.toHexString(outClone));
             }
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,6 @@`
`9`	`9`	`*/`
`10`	`10`
`11`	`11`	`import org.bouncycastle.crypto.CryptoServicePurpose;`
`12`		`-import org.bouncycastle.crypto.CryptoServicesRegistrar;`
`13`	`12`	`import org.bouncycastle.crypto.Xof;`
`14`	`13`	`import org.bouncycastle.util.Arrays;`
`15`	`14`
`@@ -87,7 +86,7 @@ public class Blake2xsDigest`
`87`	`86`	`*/`
`88`	`87`	`public Blake2xsDigest()`
`89`	`88`	`{`
`90`		`- this(Blake2xsDigest.UNKNOWN_DIGEST_LENGTH, CryptoServicePurpose.ANY); //TODO: change this?`
	`89`	`+ this(UNKNOWN_DIGEST_LENGTH, CryptoServicePurpose.ANY); //TODO: change this?`
`91`	`90`	`}`
`92`	`91`
`93`	`92`	`/**`
`@@ -125,7 +124,7 @@ public Blake2xsDigest(int digestBytes, byte[] key)`
`125`	`124`	`*/`
`126`	`125`	`public Blake2xsDigest(int digestBytes, byte[] key, byte[] salt, byte[] personalization, CryptoServicePurpose purpose)`
`127`	`126`	`{`
`128`		`- if (digestBytes < 1 \|\| digestBytes > Blake2xsDigest.UNKNOWN_DIGEST_LENGTH)`
	`127`	`+ if (digestBytes < 1 \|\| digestBytes > UNKNOWN_DIGEST_LENGTH)`
`129`	`128`	`{`
`130`	`129`	`throw new IllegalArgumentException(`
`131`	`130`	`"BLAKE2xs digest length must be between 1 and 2^16-1");`
`@@ -134,7 +133,7 @@ public Blake2xsDigest(int digestBytes, byte[] key, byte[] salt, byte[] personali`
`134`	`133`	`digestLength = digestBytes;`
`135`	`134`	`nodeOffset = computeNodeOffset();`
`136`	`135`	`this.purpose = purpose;`
`137`		`- hash = new Blake2sDigest(Blake2xsDigest.DIGEST_LENGTH, key, salt, personalization, nodeOffset, purpose);`
	`136`	`+ hash = new Blake2sDigest(DIGEST_LENGTH, key, salt, personalization, nodeOffset, purpose);`
`138`	`137`	`}`
`139`	`138`
`140`	`139`	`public Blake2xsDigest(Blake2xsDigest digest)`
`@@ -189,7 +188,7 @@ public int getByteLength()`
`189`	`188`	`*/`
`190`	`189`	`public long getUnknownMaxLength()`
`191`	`190`	`{`
`192`		`- return Blake2xsDigest.MAX_NUMBER_BLOCKS * Blake2xsDigest.DIGEST_LENGTH;`
	`191`	`+ return MAX_NUMBER_BLOCKS * DIGEST_LENGTH;`
`193`	`192`	`}`
`194`	`193`
`195`	`194`	`/**`
`@@ -223,7 +222,7 @@ public void reset()`
`223`	`222`	`hash.reset();`
`224`	`223`
`225`	`224`	`h0 = null;`
`226`		`- bufPos = Blake2xsDigest.DIGEST_LENGTH;`
	`225`	`+ bufPos = DIGEST_LENGTH;`
`227`	`226`	`digestPos = 0;`
`228`	`227`	`blockPos = 0;`
`229`	`228`	`nodeOffset = computeNodeOffset();`
`@@ -238,7 +237,7 @@ public void reset()`
`238`	`237`	`*/`
`239`	`238`	`public int doFinal(byte[] out, int outOffset)`
`240`	`239`	`{`
`241`		`- return doFinal(out, outOffset, out.length);`
	`240`	`+ return doFinal(out, outOffset, digestLength);`
`242`	`241`	`}`
`243`	`242`
`244`	`243`	`/**`
`@@ -275,7 +274,7 @@ public int doOutput(byte[] out, int outOff, int outLen)`
`275`	`274`	`hash.doFinal(h0, 0);`
`276`	`275`	`}`
`277`	`276`
`278`		`- if (digestLength != Blake2xsDigest.UNKNOWN_DIGEST_LENGTH)`
	`277`	`+ if (digestLength != UNKNOWN_DIGEST_LENGTH)`
`279`	`278`	`{`
`280`	`279`	`if (digestPos + outLen > digestLength)`
`281`	`280`	`{`
`@@ -291,9 +290,9 @@ else if (blockPos << 5 >= getUnknownMaxLength())`
`291`	`290`
`292`	`291`	`for (int i = 0; i < outLen; i++)`
`293`	`292`	`{`
`294`		`- if (bufPos >= Blake2xsDigest.DIGEST_LENGTH)`
	`293`	`+ if (bufPos >= DIGEST_LENGTH)`
`295`	`294`	`{`
`296`		`- Blake2sDigest h = new Blake2sDigest(computeStepLength(), Blake2xsDigest.DIGEST_LENGTH, nodeOffset);`
	`295`	`+ Blake2sDigest h = new Blake2sDigest(computeStepLength(), DIGEST_LENGTH, nodeOffset);`
`297`	`296`	`h.update(h0, 0, h0.length);`
`298`	`297`
`299`	`298`	`Arrays.fill(buf, (byte)0);`
`@@ -302,7 +301,7 @@ else if (blockPos << 5 >= getUnknownMaxLength())`
`302`	`301`	`nodeOffset++;`
`303`	`302`	`blockPos++;`
`304`	`303`	`}`
`305`		`- out[i] = buf[bufPos];`
	`304`	`+ out[outOff + i] = buf[bufPos];`
`306`	`305`	`bufPos++;`
`307`	`306`	`digestPos++;`
`308`	`307`	`}`
`@@ -314,12 +313,12 @@ else if (blockPos << 5 >= getUnknownMaxLength())`
`314`	`313`	`// always the maximum.`
`315`	`314`	`private int computeStepLength()`
`316`	`315`	`{`
`317`		`- if (digestLength == Blake2xsDigest.UNKNOWN_DIGEST_LENGTH)`
	`316`	`+ if (digestLength == UNKNOWN_DIGEST_LENGTH)`
`318`	`317`	`{`
`319`		`- return Blake2xsDigest.DIGEST_LENGTH;`
	`318`	`+ return DIGEST_LENGTH;`
`320`	`319`	`}`
`321`	`320`
`322`		`- return Math.min(Blake2xsDigest.DIGEST_LENGTH, digestLength - digestPos);`
	`321`	`+ return Math.min(DIGEST_LENGTH, digestLength - digestPos);`
`323`	`322`	`}`
`324`	`323`
`325`	`324`	`private long computeNodeOffset()`