Fix the bugs in ISAPEngine, PhotonBeetleEngine, and XoodyakEngine about output size calculation

Author: gefeili

core/src/main/java/org/bouncycastle/crypto/engines/ElephantEngine.java

@@ -455,7 +455,8 @@ public int getUpdateOutputSize(int len)
         case EncAad:
         case EncData:
         case EncInit:
-            return inputOff + len + CRYPTO_ABYTES;
+            int total = inputOff + len;
+            return total - total % BLOCK_SIZE;
         case DecData:
             return inputOff + len;
         }

core/src/main/java/org/bouncycastle/crypto/engines/ISAPEngine.java

@@ -961,7 +961,8 @@ public byte[] getMac()
     @Override
     public int getUpdateOutputSize(int len)
     {
-        return len + message.size() + (forEncryption ? 16 : -16);
+        int total = Math.max(0, len + message.size() + (forEncryption ? 0 : -16));
+        return total - total % ISAP_rH_SZ;
     }
 
     @Override

core/src/main/java/org/bouncycastle/crypto/engines/PhotonBeetleEngine.java

@@ -270,7 +270,8 @@ public byte[] getMac()
     @Override
     public int getUpdateOutputSize(int len)
     {
-        return len + message.size() + (forEncryption ? TAG_INBYTES : -TAG_INBYTES);
+        int total = Math.max(0, len + message.size() + (forEncryption ? 0 : -TAG_INBYTES));
+        return total - total % RATE_INBYTES;
     }
 
     @Override

core/src/main/java/org/bouncycastle/crypto/engines/XoodyakEngine.java

@@ -36,7 +36,7 @@ public class XoodyakEngine
     private byte[] iv;
     private final int PhaseDown = 1;
     private final int PhaseUp = 2;
-//    private final int NLANES = 12;
+    //    private final int NLANES = 12;
 //    private final int NROWS = 3;
 //    private final int NCOLUMS = 4;
     private final int MAXROUNDS = 12;
@@ -262,7 +262,8 @@ public byte[] getMac()
     @Override
     public int getUpdateOutputSize(int len)
     {
-        return len + message.size() + (forEncryption ? TAGLEN : -TAGLEN);
+        int total = Math.max(0, len + message.size() + (forEncryption ? 0 : -TAGLEN));
+        return total - total % Rkout;
     }
 
     @Override
@@ -371,7 +372,7 @@ private void Up(byte[] Yi, int YiLen, int Cu)
             a3 ^= e3;
             a7 ^= e3;
             a11 ^= e3;
-            
+
             /* Rho-west: plane shift */
             int b0 = a0;
             int b1 = a1;
@@ -390,7 +391,7 @@ private void Up(byte[] Yi, int YiLen, int Cu)
 
             /* Iota: round ant */
             b0 ^= RC[i];
-            
+
             /* Chi: non linear layer */
             a0 = b0 ^ (~b4 & b8);
             a1 = b1 ^ (~b5 & b9);
@@ -406,7 +407,7 @@ private void Up(byte[] Yi, int YiLen, int Cu)
             b9 ^= (~b1 & b5);
             b10 ^= (~b2 & b6);
             b11 ^= (~b3 & b7);
-            
+
             /* Rho-east: plane shift */
             a4 = Integers.rotateLeft(a4, 1);
             a5 = Integers.rotateLeft(a5, 1);

core/src/test/java/org/bouncycastle/crypto/test/CipherTest.java

@@ -202,39 +202,39 @@ static void checkAEADCipherOutputSize(int keySize, int ivSize, int blockSize, in
         byte[] ciphertext = new byte[cipher.getOutputSize(plaintext.length)];
         //before the encrypt
         Assert.assertEquals(plaintext.length + tagSize, ciphertext.length);
-        Assert.assertEquals(plaintext.length + tagSize, cipher.getUpdateOutputSize(plaintext.length));
+        Assert.assertEquals(plaintext.length, cipher.getUpdateOutputSize(plaintext.length) + tmpLength);
         //during the encrypt process of the first block
         int len = cipher.processBytes(plaintext, 0, tmpLength, ciphertext, 0);
         Assert.assertEquals(plaintext.length + tagSize, len + cipher.getOutputSize(plaintext.length - tmpLength));
-        Assert.assertEquals(plaintext.length + tagSize, len + cipher.getUpdateOutputSize(plaintext.length - tmpLength));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(plaintext.length - tmpLength) + tmpLength);
         //during the encrypt process of the second block
         len += cipher.processBytes(plaintext, tmpLength , blockSize, ciphertext, len);
         Assert.assertEquals(plaintext.length + tagSize, len + cipher.getOutputSize(plaintext.length - tmpLength - blockSize));
-        Assert.assertEquals(plaintext.length + tagSize, len + cipher.getUpdateOutputSize(plaintext.length - tmpLength - blockSize));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(plaintext.length - tmpLength - blockSize) + tmpLength);
         //process the remaining bytes
         len += cipher.processBytes(plaintext, tmpLength  + blockSize , blockSize, ciphertext, len);
         Assert.assertEquals(plaintext.length + tagSize, len + cipher.getOutputSize(0));
-        Assert.assertEquals(plaintext.length + tagSize, len + cipher.getUpdateOutputSize(0));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(0) + tmpLength);
         //process doFinal
         len += cipher.doFinal(ciphertext, len);
         Assert.assertEquals(len, ciphertext.length);
 
         cipher.init(false, new ParametersWithIV(new KeyParameter(key), iv));
         //before the encrypt
         Assert.assertEquals(plaintext.length, cipher.getOutputSize(ciphertext.length));
-        Assert.assertEquals(plaintext.length, cipher.getUpdateOutputSize(ciphertext.length));
+        Assert.assertEquals(plaintext.length, cipher.getUpdateOutputSize(ciphertext.length) + tmpLength);
         //during the encrypt process of the first block
         len = cipher.processBytes(ciphertext, 0, tmpLength, plaintext, 0);
         Assert.assertEquals(plaintext.length, len + cipher.getOutputSize(ciphertext.length - tmpLength));
-        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(ciphertext.length - tmpLength));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(ciphertext.length - tmpLength) + tmpLength);
         //during the encrypt process of the second block
         len += cipher.processBytes(ciphertext, tmpLength , blockSize, plaintext, len);
         Assert.assertEquals(plaintext.length, len + cipher.getOutputSize(ciphertext.length - tmpLength - blockSize));
-        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(ciphertext.length - tmpLength - blockSize));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(ciphertext.length - tmpLength - blockSize) + tmpLength);
         //process the remaining bytes
         len += cipher.processBytes(ciphertext, tmpLength + blockSize , blockSize + tagSize, plaintext, len);
         Assert.assertEquals(plaintext.length, len + cipher.getOutputSize(0));
-        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(0));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(0)  + tmpLength);
         //process doFinal
         len += cipher.doFinal(plaintext, len);
         Assert.assertEquals(len, plaintext.length);

core/src/test/java/org/bouncycastle/crypto/test/ElephantTest.java

@@ -28,6 +28,9 @@ public String getName()
     public void performTest()
         throws Exception
     {
+//        CipherTest.checkAEADCipherOutputSize(16, 12, 20, 8, new ElephantEngine(ElephantEngine.ElephantParameters.elephant160));
+//        CipherTest.checkAEADCipherOutputSize(16, 12, 22, 8, new ElephantEngine(ElephantEngine.ElephantParameters.elephant176));
+//        CipherTest.checkAEADCipherOutputSize(16, 12, 25, 8, new ElephantEngine(ElephantEngine.ElephantParameters.elephant200));
         //testVectors(ElephantEngine.ElephantParameters.elephant160, "v160_2");
         CipherTest.checkCipher(10, 12, 40, 128, new CipherTest.Instace()
         {

core/src/test/java/org/bouncycastle/crypto/test/ISAPTest.java

@@ -51,10 +51,10 @@ public void performTest()
         testVectors("isapk128av20", IsapType.ISAP_K_128A);
         testVectors("isapk128v20", IsapType.ISAP_K_128);
         testVectors();
-        CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_K_128A));
-        CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_K_128));
-        CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_A_128A));
-        CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_A_128));
+        CipherTest.checkAEADCipherOutputSize(16, 16, 18, 16, new ISAPEngine(IsapType.ISAP_K_128A));
+        CipherTest.checkAEADCipherOutputSize(16, 16, 18, 16, new ISAPEngine(IsapType.ISAP_K_128));
+        CipherTest.checkAEADCipherOutputSize(16, 16, 8, 16, new ISAPEngine(IsapType.ISAP_A_128A));
+        CipherTest.checkAEADCipherOutputSize(16, 16, 8, 16, new ISAPEngine(IsapType.ISAP_A_128));
     }
 
     private void testVectors(String filename, IsapType isapType)

core/src/test/java/org/bouncycastle/crypto/test/PhotonBeetleTest.java

@@ -42,7 +42,7 @@ public void performTest()
         testVectors(PhotonBeetleEngine.PhotonBeetleParameters.pb128, "v128");
         testExceptions(new PhotonBeetleDigest(), 32);
         CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new PhotonBeetleEngine(PhotonBeetleEngine.PhotonBeetleParameters.pb128));
-        CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new PhotonBeetleEngine(PhotonBeetleEngine.PhotonBeetleParameters.pb32));
+        CipherTest.checkAEADCipherOutputSize(16, 16, 4, 16, new PhotonBeetleEngine(PhotonBeetleEngine.PhotonBeetleParameters.pb32));
     }
 
     private void testVectorsHash()

core/src/test/java/org/bouncycastle/crypto/test/XoodyakTest.java

@@ -39,7 +39,7 @@ public void performTest()
         testExceptions(xoodyak, xoodyak.getKeyBytesSize(), xoodyak.getIVBytesSize(), xoodyak.getBlockSize());
         testParameters(xoodyak, 16, 16, 16);
         testExceptions(new XoodyakDigest(), 32);
-        CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new XoodyakEngine());
+        CipherTest.checkAEADCipherOutputSize(16, 16, 24, 16, new XoodyakEngine());
     }
 
     private void testVectorsHash()