Finish the work on the counter

gefeili · gefeili · commit 6ddc87c6fce8 · 2025-08-18T12:16:18.000+09:30
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/AEADBaseEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/AEADBaseEngine.java
@@ -38,10 +38,12 @@ protected static class AADOperatorType
         public static final int DEFAULT = 0;
         public static final int COUNTER = 1;//add a counter to count the size of AAD
         public static final int STREAM = 2; //process AAD data during the process data, used for elephant
+        public static final int DATA_LIMIT = 3;// count AAD data to the counter, used for AsconAEAD128
 
         public static final AADOperatorType Default = new AADOperatorType(DEFAULT);
         public static final AADOperatorType Counter = new AADOperatorType(COUNTER);
         public static final AADOperatorType Stream = new AADOperatorType(STREAM);
+        public static final AADOperatorType DataLimit = new AADOperatorType(DATA_LIMIT);
 
         private final int ord;
 
@@ -57,11 +59,13 @@ protected static class DataOperatorType
         public static final int COUNTER = 1;
         public static final int STREAM = 2;
         public static final int STREAM_CIPHER = 3;
+        public static final int DATA_LIMIT = 4; // count AAD data to the counter, used for AsconAEAD128
 
         public static final DataOperatorType Default = new DataOperatorType(DEFAULT);
         public static final DataOperatorType Counter = new DataOperatorType(COUNTER);
         public static final DataOperatorType Stream = new DataOperatorType(STREAM);
         public static final DataOperatorType StreamCipher = new DataOperatorType(STREAM_CIPHER);
+        public static final DataOperatorType DataLimit = new DataOperatorType(DATA_LIMIT);
 
         private final int ord;
 
@@ -121,7 +125,8 @@ protected static class State
     protected AADOperator aadOperator;
     protected DataOperator dataOperator;
     //Only AsconAEAD128 uses this counter;
-    protected Counter decryptionFailureCounter = null;
+    protected DecryptionFailureCounter decryptionFailureCounter = null;
+    protected DataLimitCounter dataLimitCounter = null;
 
     @Override
     public String getAlgorithmName()
@@ -210,6 +215,10 @@ else if (params instanceof ParametersWithIV)
 
         m_state = forEncryption ? State.EncInit : State.DecInit;
         init(k, npub);
+        if (dataLimitCounter != null)
+        {
+            dataLimitCounter.increment(npub.length);
+        }
         reset(true);
         if (initialAssociatedText != null)
         {
@@ -290,6 +299,10 @@ protected void setInnerMembers(ProcessingBufferType type, AADOperatorType aadOpe
             AADBufferSize = 0;
             aadOperator = new StreamAADOperator();
             break;
+        case AADOperatorType.DATA_LIMIT:
+            m_aad = new byte[AADBufferSize];
+            aadOperator = new DataLimitAADOperator();
+            break;
         }
 
         switch (dataOperatorType.ord)
@@ -311,6 +324,10 @@ protected void setInnerMembers(ProcessingBufferType type, AADOperatorType aadOpe
             m_buf = new byte[m_bufferSizeDecrypt];
             dataOperator = new StreamCipherOperator();
             break;
+        case DataOperatorType.DATA_LIMIT:
+            m_buf = new byte[m_bufferSizeDecrypt];
+            dataOperator = new DataLimitDataOperator();
+            break;
         }
     }
 
@@ -511,6 +528,34 @@ public int getLen()
         }
     }
 
+    private class DataLimitAADOperator
+        implements AADOperator
+    {
+        @Override
+        public void processAADByte(byte input)
+        {
+            dataLimitCounter.increment();
+            processor.processAADByte(input);
+        }
+
+        @Override
+        public void processAADBytes(byte[] input, int inOff, int len)
+        {
+            dataLimitCounter.increment(len);
+            processAadBytes(input, inOff, len);
+        }
+
+        public void reset()
+        {
+        }
+
+        @Override
+        public int getLen()
+        {
+            return m_aadPos;
+        }
+    }
+
     protected interface DataOperator
     {
         int processByte(byte input, byte[] output, int outOff);
@@ -707,7 +752,34 @@ public void reset()
         }
     }
 
-    protected static class Counter
+    private class DataLimitDataOperator
+        implements DataOperator
+    {
+        public int processByte(byte input, byte[] output, int outOff)
+        {
+            dataLimitCounter.increment();
+            return processor.processByte(input, output, outOff);
+        }
+
+        public int processBytes(byte[] input, int inOff, int len, byte[] output, int outOff)
+        {
+            dataLimitCounter.increment(len);
+            return processEncDecBytes(input, inOff, len, output, outOff);
+        }
+
+        @Override
+        public int getLen()
+        {
+            return m_bufPos;
+        }
+
+        @Override
+        public void reset()
+        {
+        }
+    }
+
+    protected static class DecryptionFailureCounter
     {
         private int n;
         private int[] counter;
@@ -739,19 +811,92 @@ public boolean increment()
                     break;
                 }
             }
-            for (i = 1; i < counter.length; ++i)
+            int r = n & 31;
+            return i <= 0 && counter[0] == (r == 0 ? 0 : (1 << r));
+        }
+
+        // In case when we need to use this counter to count data limit
+//        public boolean increment(int delta)
+//        {
+//            // Convert to long to handle unsigned arithmetic
+//            long carry = delta & 0xFFFFFFFFL;
+//            // Process each word starting from LSB
+//            int i = counter.length;
+//            while (carry != 0 && --i >= 0)
+//            {
+//                long sum = (counter[i] & 0xFFFFFFFFL) + carry;
+//                counter[i] = (int)sum;
+//                carry = sum >>> 32;
+//            }
+//
+//            // Final limit check if we didn't overflow
+//            return carry != 0 || checkLimit();
+//        }
+//
+//        private boolean checkLimit()
+//        {
+//            int bitIndex = ((n - 1) & 31) + 1;
+//            long bound = 1L << bitIndex;
+//            long val = counter[0] & 0xFFFFFFFFL;
+//            if (val > bound)
+//            {
+//                return true;
+//            }
+//            if (val < bound)
+//            {
+//                return false;
+//            }
+//            // Check if we've reached/exceeded 2^n
+//            for (int i = 1; i < counter.length; ++i)
+//            {
+//                val = counter[i] & 0xFFFFFFFFL;
+//                if (val > 0)
+//                {
+//                    return true;
+//                }
+//            }
+//            return true;  // Exactly equal to 2^n
+//        }
+
+        public void reset()
+        {
+            Arrays.fill(counter, 0);
+        }
+    }
+
+    protected static class DataLimitCounter
+    {
+        //if the maximum exceed Long.MAX_VALUE, Improve DecryptionFailureCounter and use it instead
+        private long count;
+        private long max;
+        private int n;
+
+        public void init(int n)
+        {
+            this.n = n;
+            this.max = 1L << n;
+        }
+
+        public void increment()
+        {
+            if (++count > max)
             {
-                if (counter[i] != 0)
-                {
-                    return false;
-                }
+                throw new IllegalStateException("Total data limit exceeded: maximum 2^" + n + " bytes per key (including nonce, AAD, and message)");
+            }
+        }
+
+        public void increment(int n)
+        {
+            count += n;
+            if (count > max)
+            {
+                throw new IllegalStateException("Total data limit exceeded: maximum 2^" + n + " bytes per key (including nonce, AAD, and message)");
             }
-            return counter[0] != ((n & 31) == 0 ? 0 : 1 << (n & 31));
         }
 
         public void reset()
         {
-            Arrays.fill(counter, 0);
+            count = 0;
         }
     }
 
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/AsconAEAD128.java b/core/src/main/java/org/bouncycastle/crypto/engines/AsconAEAD128.java
@@ -27,8 +27,10 @@ public AsconAEAD128()
         nr = 8;
         dsep = -9223372036854775808L; //0x80L << 56
         macSizeLowerBound = 4;
-        setInnerMembers(ProcessingBufferType.Immediate, AADOperatorType.Default, DataOperatorType.Default);
-        decryptionFailureCounter = new Counter();
+        dataLimitCounter = new DataLimitCounter();
+        dataLimitCounter.init(54);
+        setInnerMembers(ProcessingBufferType.Immediate, AADOperatorType.DataLimit, DataOperatorType.DataLimit);
+        decryptionFailureCounter = new DecryptionFailureCounter();
     }
 
     protected long pad(int i)
@@ -148,6 +150,7 @@ protected void init(byte[] key, byte[] iv)
         decryptionFailureCounter.init(lambda);
         if (this.K0 != K0 || this.K1 != K1)
         {
+            dataLimitCounter.reset();
             decryptionFailureCounter.reset();
             this.K0 = K0;
             this.K1 = K1;
diff --git a/core/src/test/java/org/bouncycastle/crypto/test/AsconTest.java b/core/src/test/java/org/bouncycastle/crypto/test/AsconTest.java
@@ -1389,43 +1389,30 @@ public boolean increment()
                     break;
                 }
             }
-            for (i = 1; i < counter.length; ++i)
-            {
-                if (counter[i] != 0)
-                {
-                    return false;
-                }
-            }
-            return counter[0] == 1 << (n & 31);
+            int r = n & 31;
+            return i <= 0 && counter[0] == (r == 0 ? 0 : (1 << r));
         }
 
         public boolean increment(int delta)
         {
             // Convert to long to handle unsigned arithmetic
             long carry = delta & 0xFFFFFFFFL;
-            boolean limitReached = false;
-
             // Process each word starting from LSB
-            for (int i = counter.length - 1; i >= 0 && carry != 0; --i)
+            int i = counter.length;
+            while (carry != 0 && --i >= 0)
             {
                 long sum = (counter[i] & 0xFFFFFFFFL) + carry;
                 counter[i] = (int)sum;
                 carry = sum >>> 32;
-
-                // Check if we've passed the limit during carry propagation
-                if (carry != 0 && i == counter.length - 1)
-                {
-                    limitReached = true;
-                }
             }
 
             // Final limit check if we didn't overflow
-            return limitReached || checkLimit();
+            return carry != 0 || checkLimit();
         }
 
         private boolean checkLimit()
         {
-            int bitIndex = n & 31;
+            int bitIndex = ((n - 1) & 31) + 1;
             long bound = 1L << bitIndex;
             long val = counter[0] & 0xFFFFFFFFL;
             if (val > bound)
@@ -1456,29 +1443,37 @@ public void reset()
 
     public void testCounter()
     {
-//        int n = 33;
         Counter counter = new Counter();
-//        counter.init(33);
-//        isTrue(!counter.increment(-1));
-//        isTrue(!counter.increment());
-//        isTrue(!counter.increment(-1));
-//        isTrue(counter.increment());
-//
-//        counter.init(32);
-//        isTrue(!counter.increment(-1));
-//        isTrue(counter.increment());
-//        counter.reset();
-//        isTrue(!counter.increment());
-//        counter.reset();
-//        isTrue(!counter.increment(-1));
-//        isTrue(counter.increment(1));
-//
-//        counter.init(31);
-//        isTrue(!counter.increment(1 << 30));
-//        isTrue(counter.increment());
-//        counter.reset();
-//        isTrue(!counter.increment(1 << 30));
-//        isTrue(counter.increment(1 << 30));
+        counter.init(64);
+        isTrue(!counter.increment(-1));
+        isTrue(!counter.increment());
+        isTrue(!counter.increment(-1));
+        isTrue(!counter.increment());
+
+        counter.init(33);
+        isTrue(!counter.increment(-1));
+        isTrue(!counter.increment());
+        isTrue(!counter.increment(-1));
+        isTrue(counter.increment());
+
+        counter.init(32);
+        isTrue(!counter.increment(-1));
+        isTrue(counter.increment());
+        counter.reset();
+        isTrue(!counter.increment());
+        counter.reset();
+        isTrue(!counter.increment(-1));
+        isTrue(counter.increment(1));
+
+        counter.init(31);
+        isTrue(!counter.increment((1 << 31) - 1));
+        isTrue(counter.increment());
+        counter.reset();
+        isTrue(!counter.increment(1 << 30));
+        isTrue(counter.increment(1 << 30));
+        counter.reset();
+        isTrue(!counter.increment(1 << 30));
+        isTrue(counter.increment((1 << 30) + 1));
 
         counter.init(5);
         isTrue(!counter.increment((1 << 5) - 1));
