TODO: Fix the bug in Romulus-M

Author: gefeili

core/src/main/java/org/bouncycastle/crypto/engines/AEADBaseEngine.java

@@ -587,6 +587,18 @@ public int processByte(byte input, byte[] output, int outOff)
         @Override
         public int processBytes(byte[] input, int inOff, int len, byte[] output, int outOff)
         {
+            if (input == output)
+            {
+                int inEnd = inOff + len;
+                int outEnd = outOff + processor.getUpdateOutputSize(len);
+                if ((inOff <= outOff && outOff <= inEnd) ||
+                    (outOff <= inOff && inOff <= outEnd))
+                {
+                    input = new byte[len];
+                    System.arraycopy(output, inOff, input, 0, len);
+                    inOff = 0;
+                }
+            }
             boolean forEncryption = checkData(false);
             if (forEncryption)
             {

core/src/test/java/org/bouncycastle/crypto/test/AsconTest.java

@@ -108,6 +108,12 @@ public void performTest()
         CipherTest.checkAEADParemeter(this, 16, 16, 16, 16, new AsconEngine(AsconEngine.AsconParameters.ascon128a));
         CipherTest.checkAEADParemeter(this, 20, 16, 16, 16, new AsconEngine(AsconEngine.AsconParameters.ascon80pq));
 
+        CipherTest.testOverlapping(this,16, 16, 16, 16, new AsconAEAD128());
+        CipherTest.testOverlapping(this, 16, 16, 16, 16, new AsconEngine(AsconEngine.AsconParameters.ascon128));
+        CipherTest.testOverlapping(this, 16, 16, 16, 16, new AsconEngine(AsconEngine.AsconParameters.ascon128a));
+        CipherTest.testOverlapping(this, 20, 16, 16, 16, new AsconEngine(AsconEngine.AsconParameters.ascon80pq));
+
+
         CipherTest.checkCipher(32, 16, 100, 128, new CipherTest.Instance()
         {
             @Override

core/src/test/java/org/bouncycastle/crypto/test/CipherTest.java

@@ -908,4 +908,39 @@ static void implTestExceptionsGetUpdateOutputSize(AEADCipher cipher, boolean for
             }
         }
     }
+
+    static void testOverlapping(SimpleTest test, int keySize, int ivSize, int macSize, int blockSize, AEADCipher cipher)
+        throws Exception
+    {
+        SecureRandom random = new SecureRandom();
+        byte[] keyBytes = new byte[keySize];
+        byte[] ivBytes = new byte[ivSize];
+        int offset = 1 + random.nextInt(blockSize - 1);
+        byte[] data = new byte[blockSize * 2 + offset + macSize];
+        byte[] expected;
+        random.nextBytes(keyBytes);
+        random.nextBytes(ivBytes);
+        random.nextBytes(data);
+        AEADParameters parameters = new AEADParameters(new KeyParameter(new byte[keySize]), macSize * 8, new byte[ivSize], null);
+        cipher.init(true, parameters);
+        expected = new byte[cipher.getOutputSize(blockSize * 2)];
+        int len = cipher.processBytes(data, 0, blockSize * 2, expected, 0);
+        cipher.doFinal(expected, len);
+        cipher.init(true, parameters);
+        len = cipher.processBytes(data, 0, blockSize * 2, data, offset);
+        cipher.doFinal(data, len + offset);
+        test.isTrue("fail on testing overlapping of encryption for " + cipher.getAlgorithmName(),
+            Arrays.areEqual(expected, 0, expected.length, data, offset, offset + expected.length));
+        System.arraycopy(data, offset, data, 0, expected.length);
+        cipher.init(false, parameters);
+        expected = new byte[cipher.getOutputSize(data.length)];
+        len = cipher.processBytes(data, 0, blockSize * 2 + macSize, expected, 0);
+        cipher.doFinal(expected, len);
+        cipher.init(false, parameters);
+        len = cipher.processBytes(data, 0, blockSize * 2 + macSize, data, offset);
+        cipher.doFinal(data, len + offset);
+        test.isTrue("fail on testing overlapping of decryption for " + cipher.getAlgorithmName(),
+            Arrays.areEqual(expected, 0, blockSize * 2, data, offset, offset + blockSize * 2));
+
+    }
 }

core/src/test/java/org/bouncycastle/crypto/test/ElephantTest.java

@@ -38,6 +38,9 @@ public void performTest()
         CipherTest.checkAEADParemeter(this, 16, 12, 8, 20, new ElephantEngine(ElephantEngine.ElephantParameters.elephant160));
         CipherTest.checkAEADParemeter(this, 16, 12, 8, 22, new ElephantEngine(ElephantEngine.ElephantParameters.elephant176));
         CipherTest.checkAEADParemeter(this, 16, 12, 16, 25, new ElephantEngine(ElephantEngine.ElephantParameters.elephant200));
+        CipherTest.testOverlapping(this, 16, 12, 8, 20, new ElephantEngine(ElephantEngine.ElephantParameters.elephant160));
+        CipherTest.testOverlapping(this, 16, 12, 8, 22, new ElephantEngine(ElephantEngine.ElephantParameters.elephant176));
+        CipherTest.testOverlapping(this, 16, 12, 16, 25, new ElephantEngine(ElephantEngine.ElephantParameters.elephant200));
         CipherTest.checkAEADCipherOutputSize(this, 16, 12, 20, 8, new ElephantEngine(ElephantEngine.ElephantParameters.elephant160));
         CipherTest.checkAEADCipherOutputSize(this, 16, 12, 22, 8, new ElephantEngine(ElephantEngine.ElephantParameters.elephant176));
         CipherTest.checkAEADCipherOutputSize(this, 16, 12, 25, 16, new ElephantEngine(ElephantEngine.ElephantParameters.elephant200));

core/src/test/java/org/bouncycastle/crypto/test/GiftCofbTest.java

@@ -38,6 +38,7 @@ public AEADCipher createInstance()
         });
         implTestParametersEngine(new GiftCofbEngine(), 16, 16, 16);
         CipherTest.checkAEADParemeter(this, 16, 16, 16, 16, new GiftCofbEngine());
+        CipherTest.testOverlapping(this, 16, 16, 16, 16, new GiftCofbEngine());
         CipherTest.checkAEADCipherMultipleBlocks(this, 1025, 33, 16, 128, 16, new GiftCofbEngine());
 
         CipherTest.checkCipher(16, 16, 40, 128, new CipherTest.Instance()

core/src/test/java/org/bouncycastle/crypto/test/Grain128AEADTest.java

@@ -24,6 +24,7 @@ public String getName()
     public void performTest()
         throws Exception
     {
+        CipherTest.testOverlapping(this, 16, 12, 8, 20, new Grain128AEADEngine());
         CipherTest.implTestVectorsEngine(new Grain128AEADEngine(), "crypto", "LWC_AEAD_KAT_128_96.txt", this);
         checkAEADCipherOutputSize(this, 16, 12, 8, new Grain128AEADEngine());
         CipherTest.checkCipher(32, 12, 100, 128, new CipherTest.Instance()
@@ -38,6 +39,7 @@ public AEADCipher createInstance()
 
 
         CipherTest.checkAEADParemeter(this, 16, 12, 8, 20, new Grain128AEADEngine());
+
         testSplitUpdate();
         testExceptions();
         testLongAEAD();

core/src/test/java/org/bouncycastle/crypto/test/ISAPTest.java

@@ -88,6 +88,10 @@ public AEADCipher createInstance()
         CipherTest.checkAEADParemeter(this, 16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_K_128));
         CipherTest.checkAEADParemeter(this, 16, 16, 16, 8, new ISAPEngine(IsapType.ISAP_A_128A));
         CipherTest.checkAEADParemeter(this, 16, 16, 16, 8, new ISAPEngine(IsapType.ISAP_A_128));
+        CipherTest.testOverlapping(this, 16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_K_128A));
+        CipherTest.testOverlapping(this, 16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_K_128));
+        CipherTest.testOverlapping(this, 16, 16, 16, 8, new ISAPEngine(IsapType.ISAP_A_128A));
+        CipherTest.testOverlapping(this, 16, 16, 16, 8, new ISAPEngine(IsapType.ISAP_A_128));
         CipherTest.checkAEADCipherOutputSize(this, 16, 16, 18, 16, new ISAPEngine(IsapType.ISAP_K_128A));
         CipherTest.checkAEADCipherOutputSize(this, 16, 16, 18, 16, new ISAPEngine(IsapType.ISAP_K_128));
         CipherTest.checkAEADCipherOutputSize(this, 16, 16, 8, 16, new ISAPEngine(IsapType.ISAP_A_128A));

core/src/test/java/org/bouncycastle/crypto/test/PhotonBeetleTest.java

@@ -50,6 +50,8 @@ public void performTest()
         testExceptions(new PhotonBeetleDigest(), 32);
         CipherTest.checkAEADParemeter(this, 16, 16, 16, 16, new PhotonBeetleEngine(PhotonBeetleEngine.PhotonBeetleParameters.pb128));
         CipherTest.checkAEADParemeter(this, 16, 16, 16, 16, new PhotonBeetleEngine(PhotonBeetleEngine.PhotonBeetleParameters.pb32));
+        CipherTest.testOverlapping(this, 16, 16, 16, 16, new PhotonBeetleEngine(PhotonBeetleEngine.PhotonBeetleParameters.pb128));
+        CipherTest.testOverlapping(this, 16, 16, 16, 16, new PhotonBeetleEngine(PhotonBeetleEngine.PhotonBeetleParameters.pb32));
         CipherTest.checkAEADCipherOutputSize(this, 16, 16, 16, 16, new PhotonBeetleEngine(PhotonBeetleEngine.PhotonBeetleParameters.pb128));
         CipherTest.checkAEADCipherOutputSize(this, 16, 16, 4, 16, new PhotonBeetleEngine(PhotonBeetleEngine.PhotonBeetleParameters.pb32));
     }

core/src/test/java/org/bouncycastle/crypto/test/SparkleTest.java

@@ -70,6 +70,11 @@ public void performTest()
         CipherTest.checkAEADParemeter(this, 16, 32, 16, 16, new SparkleEngine(SparkleEngine.SparkleParameters.SCHWAEMM256_128));
         CipherTest.checkAEADParemeter(this, 32, 32, 32, 32, new SparkleEngine(SparkleEngine.SparkleParameters.SCHWAEMM256_256));
 
+        CipherTest.testOverlapping(this, 16, 16, 16, 16, new SparkleEngine(SparkleEngine.SparkleParameters.SCHWAEMM128_128));
+        CipherTest.testOverlapping(this, 24, 24, 24, 24, new SparkleEngine(SparkleEngine.SparkleParameters.SCHWAEMM192_192));
+        CipherTest.testOverlapping(this, 16, 32, 16, 16, new SparkleEngine(SparkleEngine.SparkleParameters.SCHWAEMM256_128));
+        CipherTest.testOverlapping(this, 32, 32, 32, 32, new SparkleEngine(SparkleEngine.SparkleParameters.SCHWAEMM256_256));
+
         CipherTest.checkAEADCipherMultipleBlocks(this, 1025, 33, 16, 128, 16, new SparkleEngine(SparkleEngine.SparkleParameters.SCHWAEMM128_128));
         CipherTest.checkAEADCipherMultipleBlocks(this, 1025, 33, 24, 192, 24, new SparkleEngine(SparkleEngine.SparkleParameters.SCHWAEMM192_192));
         CipherTest.checkAEADCipherMultipleBlocks(this, 1025, 33, 16, 128, 32, new SparkleEngine(SparkleEngine.SparkleParameters.SCHWAEMM256_128));

core/src/test/java/org/bouncycastle/crypto/test/XoodyakTest.java

@@ -53,6 +53,7 @@ public AEADCipher createInstance()
         testExceptions(new XoodyakDigest(), 32);
         CipherTest.checkAEADCipherOutputSize(this, 16, 16, 24, 16, new XoodyakEngine());
         CipherTest.checkAEADParemeter(this, 16, 16, 16, 24, new XoodyakEngine());
+        CipherTest.testOverlapping(this, 16, 16, 16, 24, new XoodyakEngine());
     }
 
     private void testVectors()