Change XoodyakEngine.message from ByteArrayOutputStream to byte[]

gefeili · gefeili · commit 620a01a2914f · 2025-01-08T10:58:11.000+10:30
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/XoodyakEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/XoodyakEngine.java
@@ -36,7 +36,8 @@ public class XoodyakEngine
     private boolean encrypted;
     private boolean initialised = false;
     private final ByteArrayOutputStream aadData = new ByteArrayOutputStream();
-    private final ByteArrayOutputStream message = new ByteArrayOutputStream();
+    private byte[] message;
+    private int messageOff;
 
     enum MODE
     {
@@ -62,6 +63,8 @@ public void init(boolean forEncryption, CipherParameters params)
         state = new byte[48];
         mac = new byte[MAC_SIZE];
         initialised = true;
+        message = new byte[forEncryption ? Rkout : Rkout + MAC_SIZE];
+        messageOff = 0;
         reset();
     }
 
@@ -70,7 +73,7 @@ public void processAADByte(byte input)
     {
         if (aadFinished)
         {
-            throw new IllegalArgumentException("AAD cannot be added after reading a full block(" + getBlockSize() +
+            throw new IllegalArgumentException("AAD cannot be added after reading a full block(" + Rkout +
                 " bytes) of input for " + (forEncryption ? "encryption" : "decryption"));
         }
         aadData.write(input);
@@ -81,7 +84,7 @@ public void processAADBytes(byte[] input, int inOff, int len)
     {
         if (aadFinished)
         {
-            throw new IllegalArgumentException("AAD cannot be added after reading a full block(" + getBlockSize() +
+            throw new IllegalArgumentException("AAD cannot be added after reading a full block(" + Rkout +
                 " bytes) of input for " + (forEncryption ? "encryption" : "decryption"));
         }
         if ((inOff + len) > input.length)
@@ -96,7 +99,7 @@ private void processAAD()
         if (!aadFinished)
         {
             byte[] ad = aadData.toByteArray();
-            AbsorbAny(ad, 0, ad.length, Rabsorb, 0x03);
+            AbsorbAny(ad, ad.length, Rabsorb, 0x03);
             aadFinished = true;
         }
     }
@@ -117,27 +120,34 @@ public int processBytes(byte[] input, int inOff, int len, byte[] output, int out
         {
             throw new DataLengthException("input buffer too short");
         }
-        message.write(input, inOff, len);
-        int blockLen = message.size() - (forEncryption ? 0 : MAC_SIZE);
-        if (blockLen >= getBlockSize())
+        int blockLen = len + messageOff - (forEncryption ? 0 : MAC_SIZE);
+        if (blockLen / Rkout * Rkout + outOff > output.length)
         {
-            byte[] blocks = message.toByteArray();
-            len = blockLen / getBlockSize() * getBlockSize();
-            if (len + outOff > output.length)
-            {
-                throw new OutputLengthException("output buffer is too short");
-            }
+            throw new OutputLengthException("output buffer is too short");
+        }
+        int rv = 0;
+        int originalInOff = inOff;
+        while (blockLen >= Rkout)
+        {
+            int copyLen = Math.min(len, Rkout - messageOff);
+            System.arraycopy(input, inOff, message, messageOff, copyLen);
             processAAD();
-            encrypt(blocks, 0, len, output, outOff);
-            message.reset();
-            message.write(blocks, len, blocks.length - len);
-            return len;
+            encrypt(message, Rkout, output, outOff);
+            messageOff = 0;
+            outOff += Rkout;
+            rv += Rkout;
+            blockLen -= Rkout;
+            inOff += copyLen;
         }
-        return 0;
+        len -= inOff - originalInOff;
+        System.arraycopy(input, inOff, message, messageOff, len);
+        messageOff = len;
+        return rv;
     }
 
-    private int encrypt(byte[] input, int inOff, int len, byte[] output, int outOff)
+    private void encrypt(byte[] input, int len, byte[] output, int outOff)
     {
+        int inOff = 0;
         int IOLen = len;
         int splitLen;
         byte[] P = new byte[Rkout];
@@ -168,7 +178,6 @@ private int encrypt(byte[] input, int inOff, int len, byte[] output, int outOff)
             IOLen -= splitLen;
             encrypted = true;
         }
-        return len;
     }
 
     @Override
@@ -179,8 +188,9 @@ public int doFinal(byte[] output, int outOff)
         {
             throw new IllegalArgumentException("Need call init function before encryption/decryption");
         }
-        byte[] blocks = message.toByteArray();
-        int len = message.size();
+        byte[] blocks = message;
+        Arrays.fill(blocks, messageOff, message.length, (byte)0);
+        int len = messageOff;
         if ((forEncryption && len + MAC_SIZE + outOff > output.length) || (!forEncryption && len - MAC_SIZE + outOff > output.length))
         {
             throw new OutputLengthException("output buffer too short");
@@ -189,7 +199,7 @@ public int doFinal(byte[] output, int outOff)
         int rv = 0;
         if (forEncryption)
         {
-            encrypt(blocks, 0, len, output, outOff);
+            encrypt(blocks, len, output, outOff);
             outOff += len;
             mac = new byte[MAC_SIZE];
             Up(mac, MAC_SIZE, 0x40);
@@ -198,9 +208,14 @@ public int doFinal(byte[] output, int outOff)
         }
         else
         {
-            int inOff = len - MAC_SIZE;
-            rv = inOff;
-            encrypt(blocks, 0, inOff, output, outOff);
+            int inOff = 0;
+            if (len >= MAC_SIZE)
+            {
+                inOff = len - MAC_SIZE;
+                rv = inOff;
+                encrypt(blocks, inOff, output, outOff);
+            }
+
             mac = new byte[MAC_SIZE];
             Up(mac, MAC_SIZE, 0x40);
             for (int i = 0; i < MAC_SIZE; ++i)
@@ -218,14 +233,14 @@ public int doFinal(byte[] output, int outOff)
     @Override
     public int getUpdateOutputSize(int len)
     {
-        int total = Math.max(0, len + message.size() + (forEncryption ? 0 : -MAC_SIZE));
+        int total = Math.max(0, len + messageOff + (forEncryption ? 0 : -MAC_SIZE));
         return total - total % Rkout;
     }
 
     @Override
     public int getOutputSize(int len)
     {
-        return Math.max(0, len + message.size() + (forEncryption ? MAC_SIZE : -MAC_SIZE));
+        return Math.max(0, len + messageOff + (forEncryption ? MAC_SIZE : -MAC_SIZE));
     }
 
     @Override
@@ -244,7 +259,8 @@ protected void reset(boolean clearMac)
         aadFinished = false;
         encrypted = false;
         phase = PhaseUp;
-        message.reset();
+        Arrays.fill(message, (byte)0);
+        messageOff = 0;
         aadData.reset();
         //Absorb key
         int KLen = K.length;
@@ -255,12 +271,13 @@ protected void reset(boolean clearMac)
         System.arraycopy(K, 0, KID, 0, KLen);
         System.arraycopy(iv, 0, KID, KLen, IDLen);
         KID[KLen + IDLen] = (byte)IDLen;
-        AbsorbAny(KID, 0, KLen + IDLen + 1, Rabsorb, 0x02);
+        AbsorbAny(KID, KLen + IDLen + 1, Rabsorb, 0x02);
         super.reset(clearMac);
     }
 
-    private void AbsorbAny(byte[] X, int Xoff, int XLen, int r, int Cd)
+    private void AbsorbAny(byte[] X, int XLen, int r, int Cd)
     {
+        int Xoff = 0;
         int splitLen;
         do
         {
@@ -297,9 +314,6 @@ private void Up(byte[] Yi, int YiLen, int Cu)
         int a10 = Pack.littleEndianToInt(state, 40);
         int a11 = Pack.littleEndianToInt(state, 44);
 
-        //    private final int NLANES = 12;
-        //    private final int NROWS = 3;
-        //    private final int NCOLUMS = 4;
         int MAXROUNDS = 12;
         for (int i = 0; i < MAXROUNDS; ++i)
         {
@@ -349,7 +363,7 @@ private void Up(byte[] Yi, int YiLen, int Cu)
             /* Iota: round ant */
             b0 ^= RC[i];
 
-            /* Chi: non linear layer */
+            /* Chi: non-linear layer */
             a0 = b0 ^ (~b4 & b8);
             a1 = b1 ^ (~b5 & b9);
             a2 = b2 ^ (~b6 & b10);
@@ -403,10 +417,13 @@ void Down(byte[] Xi, int XiOff, int XiLen, int Cd)
         {
             state[i] ^= Xi[XiOff++];
         }
+        if (XiLen == -16)
+        {
+            System.out.println();
+        }
         state[XiLen] ^= 0x01;
         state[f_bPrime - 1] ^= (mode == MODE.ModeHash) ? (Cd & 0x01) : Cd;
-        int phaseDown = 1;
-        phase = phaseDown;
+        phase = 1;
     }
 
     public int getBlockSize()
diff --git a/core/src/test/java/org/bouncycastle/crypto/test/XoodyakTest.java b/core/src/test/java/org/bouncycastle/crypto/test/XoodyakTest.java
@@ -32,6 +32,14 @@ public String getName()
     public void performTest()
         throws Exception
     {
+        CipherTest.checkCipher(32, 16, 100, 128, new CipherTest.Instance()
+        {
+            @Override
+            public AEADCipher createInstance()
+            {
+                return new XoodyakEngine();
+            }
+        });
         DigestTest.checkDigestReset(this, new XoodyakDigest());
         testVectorsHash();
         testVectors();
@@ -99,6 +107,9 @@ private void testVectors()
             int a = line.indexOf('=');
             if (a < 0)
             {
+//                if(map.get("Count").equals("793")){
+//                    System.out.println();
+//                }
                 byte[] key = Hex.decode(map.get("Key"));
                 byte[] nonce = Hex.decode(map.get("Nonce"));
                 byte[] ad = Hex.decode(map.get("AD"));
@@ -128,6 +139,7 @@ private void testVectors()
                     mismatch("Reccover Keystream " + map.get("Count"), (String)map.get("PT"), pt_recovered);
                 }
                 xoodyak.reset();
+                //System.out.println(map.get("Count") +" pass");
                 map.clear();
             }
             else
