Merge branch 'main' into pqc-snova

Author: gefeili

core/src/main/java/org/bouncycastle/crypto/BufferedBlockCipher.java

@@ -11,15 +11,15 @@
  */
 public class BufferedBlockCipher
 {
-    protected byte[]        buf;
-    protected int           bufOff;
+    protected byte[] buf;
+    protected int bufOff;
 
-    protected boolean          forEncryption;
-    protected BlockCipher      cipher;
+    protected boolean forEncryption;
+    protected BlockCipher cipher;
     protected MultiBlockCipher mbCipher;
 
-    protected boolean       partialBlockOkay;
-    protected boolean       pgpCFB;
+    protected boolean partialBlockOkay;
+    protected boolean pgpCFB;
 
     /**
      * constructor for subclasses
@@ -35,7 +35,7 @@ public class BufferedBlockCipher
      * @deprecated use the constructor on DefaultBufferedBlockCipher.
      */
     public BufferedBlockCipher(
-        BlockCipher     cipher)
+        BlockCipher cipher)
     {
         this.cipher = cipher;
 
@@ -55,8 +55,8 @@ public BufferedBlockCipher(
         //
         // check if we can handle partial blocks on doFinal.
         //
-        String  name = cipher.getAlgorithmName();
-        int     idx = name.indexOf('/') + 1;
+        String name = cipher.getAlgorithmName();
+        int idx = name.indexOf('/') + 1;
 
         pgpCFB = (idx > 0 && name.startsWith("PGP", idx));
 
@@ -84,14 +84,14 @@ public BlockCipher getUnderlyingCipher()
      * initialise the cipher.
      *
      * @param forEncryption if true the cipher is initialised for
-     *  encryption, if false for decryption.
-     * @param params the key and other data required by the cipher.
-     * @exception IllegalArgumentException if the params argument is
-     * inappropriate.
+     *                      encryption, if false for decryption.
+     * @param params        the key and other data required by the cipher.
+     * @throws IllegalArgumentException if the params argument is
+     *                                  inappropriate.
      */
     public void init(
-        boolean             forEncryption,
-        CipherParameters    params)
+        boolean forEncryption,
+        CipherParameters params)
         throws IllegalArgumentException
     {
         this.forEncryption = forEncryption;
@@ -112,7 +112,7 @@ public int getBlockSize()
     }
 
     /**
-     * return the size of the output buffer required for an update 
+     * return the size of the output buffer required for an update
      * an input of len bytes.
      *
      * @param len the length of the input.
@@ -122,7 +122,7 @@ public int getBlockSize()
     public int getUpdateOutputSize(
         int len)
     {
-        int total       = len + bufOff;
+        int total = len + bufOff;
         int leftOver;
 
         if (pgpCFB)
@@ -138,7 +138,7 @@ public int getUpdateOutputSize(
         }
         else
         {
-            leftOver    = total % buf.length;
+            leftOver = total % buf.length;
         }
 
         return total - leftOver;
@@ -167,20 +167,20 @@ public int getOutputSize(
     /**
      * process a single byte, producing an output block if necessary.
      *
-     * @param in the input byte.
-     * @param out the space for any output that might be produced.
+     * @param in     the input byte.
+     * @param out    the space for any output that might be produced.
      * @param outOff the offset from which the output will be copied.
      * @return the number of output bytes copied to out.
-     * @exception DataLengthException if there isn't enough space in out.
-     * @exception IllegalStateException if the cipher isn't initialised.
+     * @throws DataLengthException   if there isn't enough space in out.
+     * @throws IllegalStateException if the cipher isn't initialised.
      */
     public int processByte(
-        byte        in,
-        byte[]      out,
-        int         outOff)
+        byte in,
+        byte[] out,
+        int outOff)
         throws DataLengthException, IllegalStateException
     {
-        int         resultLen = 0;
+        int resultLen = 0;
 
         buf[bufOff++] = in;
 
@@ -196,31 +196,31 @@ public int processByte(
     /**
      * process an array of bytes, producing output if necessary.
      *
-     * @param in the input byte array.
-     * @param inOff the offset at which the input data starts.
-     * @param len the number of bytes to be copied out of the input array.
-     * @param out the space for any output that might be produced.
+     * @param in     the input byte array.
+     * @param inOff  the offset at which the input data starts.
+     * @param len    the number of bytes to be copied out of the input array.
+     * @param out    the space for any output that might be produced.
      * @param outOff the offset from which the output will be copied.
      * @return the number of output bytes copied to out.
-     * @exception DataLengthException if there isn't enough space in out.
-     * @exception IllegalStateException if the cipher isn't initialised.
+     * @throws DataLengthException   if there isn't enough space in out.
+     * @throws IllegalStateException if the cipher isn't initialised.
      */
     public int processBytes(
-        byte[]      in,
-        int         inOff,
-        int         len,
-        byte[]      out,
-        int         outOff)
+        byte[] in,
+        int inOff,
+        int len,
+        byte[] out,
+        int outOff)
         throws DataLengthException, IllegalStateException
     {
         if (len < 0)
         {
             throw new IllegalArgumentException("Can't have a negative input length!");
         }
 
-        int blockSize   = getBlockSize();
-        int length      = getUpdateOutputSize(len);
-        
+        int blockSize = getBlockSize();
+        int length = getUpdateOutputSize(len);
+
         if (length > 0)
         {
             if ((outOff + length) > out.length)
@@ -235,12 +235,18 @@ public int processBytes(
         if (len > gapLen)
         {
             System.arraycopy(in, inOff, buf, bufOff, gapLen);
+            inOff += gapLen;
+            len -= gapLen;
+            if (in == out && segmentsOverlap(inOff, len, outOff, length))
+            {
+                in = new byte[len];
+                System.arraycopy(out, inOff, in, 0, len);
+                inOff = 0;
+            }
 
             resultLen += cipher.processBlock(buf, 0, out, outOff);
 
             bufOff = 0;
-            len -= gapLen;
-            inOff += gapLen;
 
             if (mbCipher != null)
             {
@@ -284,20 +290,20 @@ public int processBytes(
     /**
      * Process the last block in the buffer.
      *
-     * @param out the array the block currently being held is copied into.
+     * @param out    the array the block currently being held is copied into.
      * @param outOff the offset at which the copying starts.
      * @return the number of output bytes copied to out.
-     * @exception DataLengthException if there is insufficient space in out for
-     * the output, or the input is not block size aligned and should be.
-     * @exception IllegalStateException if the underlying cipher is not
-     * initialised.
-     * @exception InvalidCipherTextException if padding is expected and not found.
-     * @exception DataLengthException if the input is not block size
-     * aligned.
+     * @throws DataLengthException        if there is insufficient space in out for
+     *                                    the output, or the input is not block size aligned and should be.
+     * @throws IllegalStateException      if the underlying cipher is not
+     *                                    initialised.
+     * @throws InvalidCipherTextException if padding is expected and not found.
+     * @throws DataLengthException        if the input is not block size
+     *                                    aligned.
      */
     public int doFinal(
-        byte[]  out,
-        int     outOff)
+        byte[] out,
+        int outOff)
         throws DataLengthException, IllegalStateException, InvalidCipherTextException
     {
         try
@@ -351,4 +357,10 @@ public void reset()
         //
         cipher.reset();
     }
+
+    protected boolean segmentsOverlap(int inOff, int inLen, int outOff, int outLen)
+    {
+        // please ensure a valid check for inLen > 0 and outLen > 0 outside this function
+        return inOff <= outOff + outLen && outOff <= inOff + inLen;
+    }
 }

core/src/main/java/org/bouncycastle/crypto/DefaultBufferedBlockCipher.java

@@ -237,12 +237,19 @@ public int processBytes(
         if (len > gapLen)
         {
             System.arraycopy(in, inOff, buf, bufOff, gapLen);
+            inOff += gapLen;
+            len -= gapLen;
+            if (in == out && segmentsOverlap(inOff, len, outOff, length))
+            {
+                in = new byte[len];
+                System.arraycopy(out, inOff, in, 0, len);
+                inOff = 0;
+            }
 
             resultLen += cipher.processBlock(buf, 0, out, outOff);
 
             bufOff = 0;
-            len -= gapLen;
-            inOff += gapLen;
+
 
             if (mbCipher != null)
             {

core/src/main/java/org/bouncycastle/crypto/DefaultMultiBlockCipher.java

@@ -20,7 +20,13 @@ public int processBlocks(byte[] in, int inOff, int blockCount, byte[] out, int o
 
         int resultLen = 0;
         int blockSize = this.getMultiBlockSize();
-        
+        int len = blockCount * blockSize;
+        if (in == out && segmentsOverlap(inOff, len, outOff, len))
+        {
+            in = new byte[len];
+            System.arraycopy(out, inOff, in, 0, len);
+            inOff = 0;
+        }
         for (int i = 0; i != blockCount; i++)
         {
             resultLen += this.processBlock(in, inOff, out, outOff + resultLen);
@@ -30,4 +36,10 @@ public int processBlocks(byte[] in, int inOff, int blockCount, byte[] out, int o
 
         return resultLen;
     }
+
+    protected boolean segmentsOverlap(int inOff, int inLen, int outOff, int outLen)
+    {
+        // please ensure a valid check for inLen > 0 and outLen > 0 outside this function
+        return inOff <= outOff + outLen && outOff <= inOff + inLen;
+    }
 }

core/src/main/java/org/bouncycastle/crypto/engines/AEADBaseEngine.java

@@ -587,6 +587,12 @@ public int processByte(byte input, byte[] output, int outOff)
         @Override
         public int processBytes(byte[] input, int inOff, int len, byte[] output, int outOff)
         {
+            if (input == output && segmentsOverlap(inOff, len, outOff, processor.getUpdateOutputSize(len)))
+            {
+                input = new byte[len];
+                System.arraycopy(output, inOff, input, 0, len);
+                inOff = 0;
+            }
             boolean forEncryption = checkData(false);
             if (forEncryption)
             {
@@ -733,9 +739,16 @@ protected int processEncDecBytes(byte[] input, int inOff, int len, byte[] output
             m_bufPos += len;
             return 0;
         }
-        resultLength = processor.getUpdateOutputSize(len) + m_bufPos - (forEncryption ? 0 : MAC_SIZE);
+        int length = processor.getUpdateOutputSize(len);
+        resultLength = length + m_bufPos - (forEncryption ? 0 : MAC_SIZE);
         ensureSufficientOutputBuffer(output, outOff, resultLength - resultLength % BlockSize);
         resultLength = 0;
+        if (input == output && segmentsOverlap(inOff, len, outOff, length))
+        {
+            input = new byte[len];
+            System.arraycopy(output, inOff, input, 0, len);
+            inOff = 0;
+        }
         if (forEncryption)
         {
             if (m_bufPos > 0)
@@ -746,6 +759,7 @@ protected int processEncDecBytes(byte[] input, int inOff, int len, byte[] output
                 processBufferEncrypt(m_buf, 0, output, outOff);
                 resultLength = BlockSize;
             }
+
             // The function is just an operator >= or >
             while (processor.isLengthExceedingBlockSize(len, BlockSize))
             {
@@ -1013,6 +1027,12 @@ protected void finishAAD3(State nextState, boolean isDoFinal)
         m_state = nextState;
     }
 
+    private boolean segmentsOverlap(int inOff, int inLen, int outOff, int outLen)
+    {
+        // please ensure a valid check for inLen > 0 and outLen > 0 outside this function
+        return inOff <= outOff + outLen && outOff <= inOff + inLen;
+    }
+
     protected abstract void finishAAD(State nextState, boolean isDoFinal);
 
     protected abstract void init(byte[] key, byte[] iv);

core/src/main/java/org/bouncycastle/crypto/engines/RomulusEngine.java

@@ -137,7 +137,7 @@ public void processFinalBlock(byte[] output, int outOff)
             int adlen = aadOperator.getLen();
             int mlen = dataOperator.getLen() - (forEncryption ? 0 : MAC_SIZE);
             byte[] m = ((StreamDataOperator)dataOperator).getBytes();
-            int xlen, mOff = 0, mauth = 0;
+            int xlen, mOff = 0, mauth = outOff;
             xlen = mlen;
             if ((adlen & 31) == 0 && adlen != 0)
             {

core/src/main/java/org/bouncycastle/crypto/modes/CTSBlockCipher.java

@@ -146,15 +146,19 @@ public int processBytes(
         if (len > gapLen)
         {
             System.arraycopy(in, inOff, buf, bufOff, gapLen);
-
+            inOff += gapLen;
+            len -= gapLen;
+            if (in == out && segmentsOverlap(inOff, len, outOff, length))
+            {
+                in = new byte[len];
+                System.arraycopy(out, inOff, in, 0, len);
+                inOff = 0;
+            }
             resultLen += cipher.processBlock(buf, 0, out, outOff);
             System.arraycopy(buf, blockSize, buf, 0, blockSize);
 
             bufOff = blockSize;
 
-            len -= gapLen;
-            inOff += gapLen;
-
             while (len > blockSize)
             {
                 System.arraycopy(in, inOff, buf, bufOff, blockSize);

core/src/main/java/org/bouncycastle/crypto/modes/KXTSBlockCipher.java

@@ -123,7 +123,12 @@ public int processBytes(byte[] input, int inOff, int len, byte[] output, int out
         {
             throw new IllegalArgumentException("Partial blocks not supported");
         }
-
+        if (input == output && segmentsOverlap(inOff, len, outOff, len))
+        {
+            input = new byte[len];
+            System.arraycopy(output, inOff, input, 0, len);
+            inOff = 0;
+        }
         for (int pos = 0; pos < len; pos += blockSize)
         {
             processBlocks(input, inOff + pos, output, outOff + pos);

core/src/main/java/org/bouncycastle/crypto/modes/NISTCTSBlockCipher.java

@@ -155,15 +155,19 @@ public int processBytes(
         if (len > gapLen)
         {
             System.arraycopy(in, inOff, buf, bufOff, gapLen);
-
+            inOff += gapLen;
+            len -= gapLen;
+            if (in == out && segmentsOverlap(inOff, len, outOff, length))
+            {
+                in = new byte[len];
+                System.arraycopy(out, inOff, in, 0, len);
+                inOff = 0;
+            }
             resultLen += cipher.processBlock(buf, 0, out, outOff);
             System.arraycopy(buf, blockSize, buf, 0, blockSize);
 
             bufOff = blockSize;
 
-            len -= gapLen;
-            inOff += gapLen;
-
             while (len > blockSize)
             {
                 System.arraycopy(in, inOff, buf, bufOff, blockSize);