Fix issues and use bigEndian to/from long to replace littleEndian in ISAPEngine.

gefeili · gefeili · commit 26ac00b4c650 · 2025-01-06T16:58:31.000+10:30
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/ISAPEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/ISAPEngine.java
@@ -70,12 +70,12 @@ private interface ISAP_AEAD
 
         void init();
 
-        void isap_mac(byte[] ad, int adlen, byte[] c, int clen, byte[] tag, int tagOff);
+        void isap_mac(byte[] ad, int adlen, byte[] c, int clen, byte[] tag);
 
         void reset();
     }
 
-    public abstract class ISAPAEAD_A
+    private abstract class ISAPAEAD_A
         implements ISAP_AEAD
     {
         protected long[] k64;
@@ -94,13 +94,9 @@ public ISAPAEAD_A()
         public void init()
         {
             npub64 = new long[getLongSize(npub.length)];
-            Pack.littleEndianToLong(npub, 0, npub64, 0, npub64.length);
-            npub64[0] = U64BIG(npub64[0]);
-            npub64[1] = U64BIG(npub64[1]);
             k64 = new long[getLongSize(k.length)];
-            Pack.littleEndianToLong(k, 0, k64, 0, k64.length);
-            k64[0] = U64BIG(k64[0]);
-            k64[1] = U64BIG(k64[1]);
+            Pack.bigEndianToLong(npub, 0, npub64);
+            Pack.bigEndianToLong(k, 0, k64);
             reset();
         }
 
@@ -111,11 +107,11 @@ public void init()
         protected void ABSORB_MAC(byte[] src, int len)
         {
             long[] src64 = new long[src.length >> 3];
-            Pack.littleEndianToLong(src, 0, src64, 0, src64.length);
+            Pack.bigEndianToLong(src, 0, src64, 0, src64.length);
             int idx = 0;
             while (len >= ISAP_rH_SZ)
             {
-                x0 ^= U64BIG(src64[idx++]);
+                x0 ^= src64[idx++];
                 P12();
                 len -= ISAP_rH_SZ;
             }
@@ -128,7 +124,7 @@ protected void ABSORB_MAC(byte[] src, int len)
             P12();
         }
 
-        public void isap_mac(byte[] ad, int adlen, byte[] c, int clen, byte[] tag, int tagOff)
+        public void isap_mac(byte[] ad, int adlen, byte[] c, int clen, byte[] tag)
         {
             // Init State
             x0 = npub64[0];
@@ -141,17 +137,17 @@ public void isap_mac(byte[] ad, int adlen, byte[] c, int clen, byte[] tag, int t
             x4 ^= 1L;
             ABSORB_MAC(c, clen);
             // Derive K*
-            Pack.longToLittleEndian(U64BIG(x0), tag, 0);
-            Pack.longToLittleEndian(U64BIG(x1), tag, 8);
+            Pack.longToBigEndian(x0, tag, 0);
+            Pack.longToBigEndian(x1, tag, 8);
             long tmp_x2 = x2, tmp_x3 = x3, tmp_x4 = x4;
             isap_rk(ISAP_IV2_64, tag, KEY_SIZE);
             x2 = tmp_x2;
             x3 = tmp_x3;
             x4 = tmp_x4;
             // Squeeze tag
             P12();
-            Pack.longToLittleEndian(U64BIG(x0), tag, tagOff);
-            Pack.longToLittleEndian(U64BIG(x1), tag, tagOff + 8);
+            Pack.longToBigEndian(x0, tag, 0);
+            Pack.longToBigEndian(x1, tag, 8);
         }
 
         public void isap_rk(long iv64, byte[] y, int ylen)
@@ -399,7 +395,7 @@ public void isap_rk(short[] iv16, byte[] y, int ylen, short[] out16, int outlen,
             System.arraycopy(SX, 0, out16, 0, outlen == ISAP_STATE_SZ_CRYPTO_NPUBBYTES ? 17 : 8);
         }
 
-        public void isap_mac(byte[] ad, int adlen, byte[] c, int clen, byte[] tag, int tagOff)
+        public void isap_mac(byte[] ad, int adlen, byte[] c, int clen, byte[] tag)
         {
             SX = new short[25];
             // Init state
@@ -413,11 +409,11 @@ public void isap_mac(byte[] ad, int adlen, byte[] c, int clen, byte[] tag, int t
             // Absorb C
             ABSORB_MAC(SX, c, clen, E, C);
             // Derive K*
-            shortToByte(SX, tag, tagOff);
+            shortToByte(SX, tag, 0);
             isap_rk(ISAP_IV2_16, tag, KEY_SIZE, SX, KEY_SIZE, C);
             // Squeeze tag
             PermuteRoundsHX(SX, E, C);
-            shortToByte(SX, tag, tagOff);
+            shortToByte(SX, tag, 0);
         }
 
         public void isap_enc(byte[] m, int mOff, int mlen, byte[] c, int cOff, int clen)
@@ -852,10 +848,6 @@ public int doFinal(byte[] output, int outOff)
         int len;
         byte[] c;
         byte[] ad;
-        if (mac == null)
-        {
-            mac = new byte[MAC_SIZE];
-        }
         if (forEncryption)
         {
             byte[] enc_input = message.toByteArray();
@@ -869,20 +861,22 @@ public int doFinal(byte[] output, int outOff)
             outOff += len;
             ad = aadData.toByteArray();
             c = outputStream.toByteArray();
-            ISAPAEAD.isap_mac(ad, ad.length, c, c.length, mac, 0);
+            mac = new byte[MAC_SIZE];
+            ISAPAEAD.isap_mac(ad, ad.length, c, c.length, mac);
             System.arraycopy(mac, 0, output, outOff, 16);
             len += 16;
         }
         else
         {
             ad = aadData.toByteArray();
             c = message.toByteArray();
+            mac = new byte[MAC_SIZE];
             len = c.length - mac.length;
             if (len + outOff > output.length)
             {
                 throw new OutputLengthException("output buffer is too short");
             }
-            ISAPAEAD.isap_mac(ad, ad.length, c, len, mac, 0);
+            ISAPAEAD.isap_mac(ad, ad.length, c, len, mac);
             ISAPAEAD.reset();
             for (int i = 0; i < 16; ++i)
             {
@@ -893,6 +887,7 @@ public int doFinal(byte[] output, int outOff)
             }
             ISAPAEAD.isap_enc(c, 0, len, output, outOff, output.length);
         }
+//        reset(false);
         return len;
     }
 
diff --git a/core/src/test/java/org/bouncycastle/crypto/test/ISAPTest.java b/core/src/test/java/org/bouncycastle/crypto/test/ISAPTest.java
@@ -50,10 +50,42 @@ public void performTest()
         testVectors("isapk128av20", IsapType.ISAP_K_128A);
         testVectors("isapk128v20", IsapType.ISAP_K_128);
         testVectors();
+        CipherTest.checkCipher(32, 16, 100, 128, new CipherTest.Instance()
+        {
+            @Override
+            public AEADCipher createInstance()
+            {
+                return new ISAPEngine(IsapType.ISAP_K_128A);
+            }
+        });
+        CipherTest.checkCipher(32, 16, 100, 128, new CipherTest.Instance()
+        {
+            @Override
+            public AEADCipher createInstance()
+            {
+                return new ISAPEngine(IsapType.ISAP_K_128);
+            }
+        });
+        CipherTest.checkCipher(32, 16, 100, 128, new CipherTest.Instance()
+        {
+            @Override
+            public AEADCipher createInstance()
+            {
+                return new ISAPEngine(IsapType.ISAP_A_128A);
+            }
+        });
+        CipherTest.checkCipher(32, 16, 100, 128, new CipherTest.Instance()
+        {
+            @Override
+            public AEADCipher createInstance()
+            {
+                return new ISAPEngine(IsapType.ISAP_A_128);
+            }
+        });
         CipherTest.checkAEADParemeter(this, 16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_K_128A));
         CipherTest.checkAEADParemeter(this, 16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_K_128));
-        CipherTest.checkAEADParemeter(this, 16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_A_128A));
-        CipherTest.checkAEADParemeter(this, 16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_A_128));
+        CipherTest.checkAEADParemeter(this, 16, 16, 16, 8, new ISAPEngine(IsapType.ISAP_A_128A));
+        CipherTest.checkAEADParemeter(this, 16, 16, 16, 8, new ISAPEngine(IsapType.ISAP_A_128));
         CipherTest.checkAEADCipherOutputSize(this, 16, 16, 18, 16, new ISAPEngine(IsapType.ISAP_K_128A));
         CipherTest.checkAEADCipherOutputSize(this, 16, 16, 18, 16, new ISAPEngine(IsapType.ISAP_K_128));
         CipherTest.checkAEADCipherOutputSize(this, 16, 16, 8, 16, new ISAPEngine(IsapType.ISAP_A_128A));
