TAdd DecryptionFailureCounter to doFinal of decryption

gefeili · gefeili · commit bf6d41fc482b · 2025-08-15T10:38:59.000+09:30
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/AEADBaseEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/AEADBaseEngine.java
@@ -120,6 +120,8 @@ protected static class State
     protected AADProcessingBuffer processor;
     protected AADOperator aadOperator;
     protected DataOperator dataOperator;
+    //Only AsconAEAD128 uses this counter;
+    protected DecryptionFailureCounter decryptionFailureCounter = null;
 
     @Override
     public String getAlgorithmName()
@@ -705,17 +707,28 @@ public void reset()
         }
     }
 
-    protected class DecryptionFailureCounter
+    protected static class DecryptionFailureCounter
     {
-        public DecryptionFailureCounter(int n)
+        private int n;
+        private int[] counter;
+
+        public void init(int n)
         {
-            this.n = n;
-            counter = new int[(n + 31) >>> 5];
+            if (this.n != n)
+            {
+                this.n = n;
+                int len = (n + 31) >>> 5;
+                if (counter == null || len != counter.length)
+                {
+                    counter = new int[len];
+                }
+                else
+                {
+                    reset();
+                }
+            }
         }
 
-        private final int n;
-        private final int[] counter;
-
         public boolean increment()
         {
             int i = counter.length;
@@ -726,25 +739,14 @@ public boolean increment()
                     break;
                 }
             }
-            if ((n & 31) == 0)
-            {
-                for (i = 0; i < counter.length; ++i)
-                {
-                    if (counter[i] != 0)
-                    {
-                        return false;
-                    }
-                }
-                return true;
-            }
             for (i = 1; i < counter.length; ++i)
             {
                 if (counter[i] != 0)
                 {
                     return false;
                 }
             }
-            return counter[0] != (1 << (n & 31));
+            return counter[0] != ((n & 31) == 0 ? 0 : 1 << (n & 31));
         }
 
         public void reset()
@@ -953,6 +955,10 @@ public int doFinal(byte[] output, int outOff)
         {
             if (!Arrays.constantTimeAreEqual(MAC_SIZE, mac, 0, m_buf, m_bufPos))
             {
+                if (decryptionFailureCounter != null && decryptionFailureCounter.increment())
+                {
+                    throw new InvalidCipherTextException(algorithmName + " decryption failure limit exceeded");
+                }
                 throw new InvalidCipherTextException(algorithmName + " mac does not match");
             }
         }
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/AsconAEAD128.java b/core/src/main/java/org/bouncycastle/crypto/engines/AsconAEAD128.java
@@ -28,6 +28,7 @@ public AsconAEAD128()
         dsep = -9223372036854775808L; //0x80L << 56
         macSizeLowerBound = 4;
         setInnerMembers(ProcessingBufferType.Immediate, AADOperatorType.Default, DataOperatorType.Default);
+        decryptionFailureCounter = new DecryptionFailureCounter();
     }
 
     protected long pad(int i)
@@ -141,8 +142,16 @@ private void finishData(State nextState)
     protected void init(byte[] key, byte[] iv)
         throws IllegalArgumentException
     {
-        K0 = Pack.littleEndianToLong(key, 0);
-        K1 = Pack.littleEndianToLong(key, 8);
+        int lambda = (MAC_SIZE << 3) - 32;
+        long K0 = Pack.littleEndianToLong(key, 0);
+        long K1 = Pack.littleEndianToLong(key, 8);
+        decryptionFailureCounter.init(lambda);
+        if (this.K0 != K0 || this.K1 != K1)
+        {
+            decryptionFailureCounter.reset();
+            this.K0 = K0;
+            this.K1 = K1;
+        }
         N0 = Pack.littleEndianToLong(iv, 0);
         N1 = Pack.littleEndianToLong(iv, 8);
     }
diff --git a/core/src/test/java/org/bouncycastle/crypto/test/AsconTest.java b/core/src/test/java/org/bouncycastle/crypto/test/AsconTest.java
@@ -1357,18 +1357,28 @@ private static void initEngine(AEADCipher ascon, boolean forEncryption)
         ascon.init(forEncryption, parameters);
     }
 
-    protected class DecryptionFailureCounter
+    protected static class DecryptionFailureCounter
     {
-        public DecryptionFailureCounter(int n)
+        int n;
+        int[] counter;
+
+        public void init(int n)
         {
-            this.n = n;
-            counter = new int[(n + 31) >>> 5];
+            if (this.n != n)
+            {
+                this.n = n;
+                int len = (n + 31) >>> 5;
+                if (counter == null || len != counter.length)
+                {
+                    counter = new int[len];
+                }
+                else
+                {
+                    reset();
+                }
+            }
         }
 
-        public final int n;
-
-        public final int[] counter;
-
         public boolean increment()
         {
             int i = counter.length;
@@ -1379,25 +1389,14 @@ public boolean increment()
                     break;
                 }
             }
-            if ((n & 31) == 0)
-            {
-                for (i = 0; i < counter.length; ++i)
-                {
-                    if (counter[i] != 0)
-                    {
-                        return false;
-                    }
-                }
-                return true;
-            }
             for (i = 1; i < counter.length; ++i)
             {
                 if (counter[i] != 0)
                 {
                     return false;
                 }
             }
-            return counter[0] != (1 << (n & 31));
+            return counter[0] != ((n & 31) == 0 ? 0 : 1 << (n & 31));
         }
 
         public void reset()
@@ -1409,10 +1408,21 @@ public void reset()
     public void testDecryptionFailureCounter()
     {
         int n = 34;
-        DecryptionFailureCounter counter = new DecryptionFailureCounter(n);
+        DecryptionFailureCounter counter = new DecryptionFailureCounter();
+        counter.init(n);
         counter.counter[counter.counter.length - 1] = -2;
         counter.counter[0] = 1;
         isTrue(!counter.increment());
         isTrue(counter.increment());
+
+        counter.init(32);
+        counter.counter[counter.counter.length - 1] = -1;
+        isTrue(!counter.increment());
+        isTrue(counter.increment());
+
+        counter.init(5);
+        counter.counter[counter.counter.length - 1] = (1 << 5) - 1;
+        isTrue(!counter.increment());
+        isTrue(counter.increment());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -120,6 +120,8 @@ protected static class State`
`120`	`120`	`protected AADProcessingBuffer processor;`
`121`	`121`	`protected AADOperator aadOperator;`
`122`	`122`	`protected DataOperator dataOperator;`
	`123`	`+ //Only AsconAEAD128 uses this counter;`
	`124`	`+ protected DecryptionFailureCounter decryptionFailureCounter = null;`
`123`	`125`
`124`	`126`	`@Override`
`125`	`127`	`public String getAlgorithmName()`
`@@ -705,17 +707,28 @@ public void reset()`
`705`	`707`	`}`
`706`	`708`	`}`
`707`	`709`
`708`		`- protected class DecryptionFailureCounter`
	`710`	`+ protected static class DecryptionFailureCounter`
`709`	`711`	`{`
`710`		`- public DecryptionFailureCounter(int n)`
	`712`	`+ private int n;`
	`713`	`+ private int[] counter;`
	`714`	`+`
	`715`	`+ public void init(int n)`
`711`	`716`	`{`
`712`		`- this.n = n;`
`713`		`- counter = new int[(n + 31) >>> 5];`
	`717`	`+ if (this.n != n)`
	`718`	`+ {`
	`719`	`+ this.n = n;`
	`720`	`+ int len = (n + 31) >>> 5;`
	`721`	`+ if (counter == null \|\| len != counter.length)`
	`722`	`+ {`
	`723`	`+ counter = new int[len];`
	`724`	`+ }`
	`725`	`+ else`
	`726`	`+ {`
	`727`	`+ reset();`
	`728`	`+ }`
	`729`	`+ }`
`714`	`730`	`}`
`715`	`731`
`716`		`- private final int n;`
`717`		`- private final int[] counter;`
`718`		`-`
`719`	`732`	`public boolean increment()`
`720`	`733`	`{`
`721`	`734`	`int i = counter.length;`
`@@ -726,25 +739,14 @@ public boolean increment()`
`726`	`739`	`break;`
`727`	`740`	`}`
`728`	`741`	`}`
`729`		`- if ((n & 31) == 0)`
`730`		`- {`
`731`		`- for (i = 0; i < counter.length; ++i)`
`732`		`- {`
`733`		`- if (counter[i] != 0)`
`734`		`- {`
`735`		`- return false;`
`736`		`- }`
`737`		`- }`
`738`		`- return true;`
`739`		`- }`
`740`	`742`	`for (i = 1; i < counter.length; ++i)`
`741`	`743`	`{`
`742`	`744`	`if (counter[i] != 0)`
`743`	`745`	`{`
`744`	`746`	`return false;`
`745`	`747`	`}`
`746`	`748`	`}`
`747`		`- return counter[0] != (1 << (n & 31));`
	`749`	`+ return counter[0] != ((n & 31) == 0 ? 0 : 1 << (n & 31));`
`748`	`750`	`}`
`749`	`751`
`750`	`752`	`public void reset()`
`@@ -953,6 +955,10 @@ public int doFinal(byte[] output, int outOff)`
`953`	`955`	`{`
`954`	`956`	`if (!Arrays.constantTimeAreEqual(MAC_SIZE, mac, 0, m_buf, m_bufPos))`
`955`	`957`	`{`
	`958`	`+ if (decryptionFailureCounter != null && decryptionFailureCounter.increment())`
	`959`	`+ {`
	`960`	`+ throw new InvalidCipherTextException(algorithmName + " decryption failure limit exceeded");`
	`961`	`+ }`
`956`	`962`	`throw new InvalidCipherTextException(algorithmName + " mac does not match");`
`957`	`963`	`}`
`958`	`964`	`}`