Fix the issue of Ascon Xofs to ensure that update functions cannot called after doOutput is called.

Author: gefeili

core/src/main/java/org/bouncycastle/crypto/digests/AsconCXof128.java

@@ -3,7 +3,6 @@
 import org.bouncycastle.crypto.DataLengthException;
 import org.bouncycastle.crypto.OutputLengthException;
 import org.bouncycastle.crypto.Xof;
-import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Pack;
 
 /**
@@ -21,7 +20,7 @@ public class AsconCXof128
     extends AsconBaseDigest
     implements Xof
 {
-
+    private boolean m_squeezing = false;
     private final long z0, z1, z2, z3, z4;
 
     public AsconCXof128()
@@ -53,7 +52,25 @@ public AsconCXof128(byte[] s, int off, int len)
         z4 = x4;
     }
 
+    @Override
+    public void update(byte in)
+    {
+        if (m_squeezing)
+        {
+            throw new IllegalArgumentException("attempt to absorb while squeezing");
+        }
+        super.update(in);
+    }
 
+    @Override
+    public void update(byte[] input, int inOff, int len)
+    {
+        if (m_squeezing)
+        {
+            throw new IllegalArgumentException("attempt to absorb while squeezing");
+        }
+        super.update(input, inOff, len);
+    }
 
     protected long pad(int i)
     {
@@ -80,6 +97,12 @@ protected void setBytes(long w, byte[] bytes, int inOff, int n)
         Pack.longToLittleEndian(w, bytes, inOff, n);
     }
 
+    protected void padAndAbsorb()
+    {
+        m_squeezing = true;
+        super.padAndAbsorb();
+    }
+
     @Override
     public String getAlgorithmName()
     {
@@ -103,13 +126,16 @@ public int doOutput(byte[] output, int outOff, int outLen)
     @Override
     public int doFinal(byte[] output, int outOff, int outLen)
     {
-        return doOutput(output, outOff, outLen);
+        int rlt = doOutput(output, outOff, outLen);
+        reset();
+        return rlt;
     }
 
     @Override
     public void reset()
     {
         super.reset();
+        m_squeezing = false;
         /* initialize */
         x0 = z0;
         x1 = z1;
@@ -130,6 +156,7 @@ private void initState(byte[] z, int zOff, int zLen)
         p(12);
         update(z, zOff, zLen);
         padAndAbsorb();
+        m_squeezing = false;
     }
 }
 

core/src/main/java/org/bouncycastle/crypto/digests/AsconDigest.java

@@ -2,11 +2,13 @@
 
 import org.bouncycastle.util.Pack;
 
-/** ASCON v1.2 Digest, https://ascon.iaik.tugraz.at/ .
+/**
+ * ASCON v1.2 Digest, https://ascon.iaik.tugraz.at/ .
  * <p>
  * https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/ascon-spec-final.pdf
  * <p>
  * ASCON v1.2 Digest with reference to C Reference Impl from: https://github.com/ascon/ascon-c .
+ *
  * @deprecated use Ascon Hash 256 Digest
  */
 public class AsconDigest

core/src/main/java/org/bouncycastle/crypto/digests/AsconXof.java

@@ -3,11 +3,13 @@
 import org.bouncycastle.crypto.Xof;
 import org.bouncycastle.util.Pack;
 
-/** ASCON v1.2 XOF, https://ascon.iaik.tugraz.at/ .
+/**
+ * ASCON v1.2 XOF, https://ascon.iaik.tugraz.at/ .
  * <p>
  * https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/ascon-spec-final.pdf
  * <p>
  * ASCON v1.2 XOF with reference to C Reference Impl from: https://github.com/ascon/ascon-c .
+ *
  * @deprecated Now superseded - please use AsconXof128
  */
 public class AsconXof
@@ -42,7 +44,33 @@ public AsconXof(AsconXof.AsconParameters parameters)
     }
 
     private final String algorithmName;
+    private boolean m_squeezing = false;
 
+    @Override
+    public void update(byte in)
+    {
+        if (m_squeezing)
+        {
+            throw new IllegalArgumentException("attempt to absorb while squeezing");
+        }
+        super.update(in);
+    }
+
+    @Override
+    public void update(byte[] input, int inOff, int len)
+    {
+        if (m_squeezing)
+        {
+            throw new IllegalArgumentException("attempt to absorb while squeezing");
+        }
+        super.update(input, inOff, len);
+    }
+
+    protected void padAndAbsorb()
+    {
+        m_squeezing = true;
+        super.padAndAbsorb();
+    }
 
     protected long pad(int i)
     {
@@ -75,7 +103,6 @@ public String getAlgorithmName()
         return algorithmName;
     }
 
-
     @Override
     public int doOutput(byte[] output, int outOff, int outLen)
     {
@@ -85,7 +112,9 @@ public int doOutput(byte[] output, int outOff, int outLen)
     @Override
     public int doFinal(byte[] output, int outOff, int outLen)
     {
-        return doOutput(output, outOff, outLen);
+        int rlt = doOutput(output, outOff, outLen);
+        reset();
+        return rlt;
     }
 
     @Override
@@ -98,6 +127,7 @@ public int getByteLength()
     public void reset()
     {
         super.reset();
+        m_squeezing = false;
         /* initialize */
         switch (asconParameters)
         {

core/src/main/java/org/bouncycastle/crypto/digests/AsconXof128.java

@@ -11,13 +11,15 @@
  * <a href="https://csrc.nist.gov/pubs/sp/800/232/ipd">NIST SP 800-232 (Initial Public Draft)</a>.
  * For reference source code and implementation details, please see:
  * <a href="https://github.com/ascon/ascon-c">Reference, highly optimized, masked C and
- *  ASM implementations of Ascon (NIST SP 800-232)</a>.
+ * ASM implementations of Ascon (NIST SP 800-232)</a>.
  * </p>
  */
 public class AsconXof128
     extends AsconBaseDigest
     implements Xof
 {
+    private boolean m_squeezing = false;
+
     public AsconXof128()
     {
         reset();
@@ -48,12 +50,38 @@ protected void setBytes(long w, byte[] bytes, int inOff, int n)
         Pack.longToLittleEndian(w, bytes, inOff, n);
     }
 
+    protected void padAndAbsorb()
+    {
+        m_squeezing = true;
+        super.padAndAbsorb();
+    }
+
     @Override
     public String getAlgorithmName()
     {
         return "Ascon-XOF-128";
     }
 
+    @Override
+    public void update(byte in)
+    {
+        if (m_squeezing)
+        {
+            throw new IllegalArgumentException("attempt to absorb while squeezing");
+        }
+        super.update(in);
+    }
+
+    @Override
+    public void update(byte[] input, int inOff, int len)
+    {
+        if (m_squeezing)
+        {
+            throw new IllegalArgumentException("attempt to absorb while squeezing");
+        }
+        super.update(input, inOff, len);
+    }
+
     @Override
     public int doOutput(byte[] output, int outOff, int outLen)
     {
@@ -63,7 +91,9 @@ public int doOutput(byte[] output, int outOff, int outLen)
     @Override
     public int doFinal(byte[] output, int outOff, int outLen)
     {
-        return doOutput(output, outOff, outLen);
+        int rlt = doOutput(output, outOff, outLen);
+        reset();
+        return rlt;
     }
 
     @Override
@@ -75,6 +105,7 @@ public int getByteLength()
     @Override
     public void reset()
     {
+        m_squeezing = false;
         super.reset();
         /* initialize */
         x0 = -2701369817892108309L;