Fix the bugs of getUpdateOutputSize and getOutputSize in ISAPEngine, PhotonBeetleEngine and XoodyakEngine.

Author: gefeili

core/src/main/java/org/bouncycastle/crypto/engines/ISAPEngine.java

@@ -961,7 +961,7 @@ public byte[] getMac()
     @Override
     public int getUpdateOutputSize(int len)
     {
-        return len + message.size();
+        return len + message.size() + (forEncryption ? 16 : -16);
     }
 
     @Override

core/src/main/java/org/bouncycastle/crypto/engines/PhotonBeetleEngine.java

@@ -270,7 +270,7 @@ public byte[] getMac()
     @Override
     public int getUpdateOutputSize(int len)
     {
-        return len + message.size();
+        return len + message.size() + (forEncryption ? TAG_INBYTES : -TAG_INBYTES);
     }
 
     @Override

core/src/main/java/org/bouncycastle/crypto/engines/XoodyakEngine.java

@@ -262,7 +262,7 @@ public byte[] getMac()
     @Override
     public int getUpdateOutputSize(int len)
     {
-        return len + message.size();
+        return len + message.size() + (forEncryption ? TAGLEN : -TAGLEN);
     }
 
     @Override

core/src/test/java/org/bouncycastle/crypto/test/CipherTest.java

@@ -12,6 +12,7 @@
 import org.bouncycastle.crypto.params.ParametersWithIV;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.test.SimpleTest;
+import org.junit.Assert;
 
 public abstract class CipherTest
     extends SimpleTest
@@ -128,7 +129,7 @@ interface Instace
         AEADCipher CreateInstace();
     }
 
-    static void checkCipher(int aeadLen, int ivLen, int msgLen,  Instace instace)
+    static void checkCipher(int aeadLen, int ivLen, int msgLen, Instace instace)
     {
         AEADCipher pCipher = instace.CreateInstace();
 
@@ -185,4 +186,57 @@ static void checkCipher(int aeadLen, int ivLen, int msgLen,  Instace instace)
             throw new RuntimeException(e);
         }
     }
+
+    static void checkAEADCipherOutputSize(int keySize, int ivSize, int blockSize, int tagSize, AEADCipher cipher)
+        throws InvalidCipherTextException
+    {
+        final SecureRandom random = new SecureRandom();
+        int tmpLength = random.nextInt(blockSize - 1) + 1;
+        final byte[] plaintext = new byte[blockSize * 2 + tmpLength];
+        byte[] key = new byte[keySize];
+        byte[] iv = new byte[ivSize];
+        random.nextBytes(key);
+        random.nextBytes(iv);
+        random.nextBytes(plaintext);
+        cipher.init(true, new ParametersWithIV(new KeyParameter(key), iv));
+        byte[] ciphertext = new byte[cipher.getOutputSize(plaintext.length)];
+        //before the encrypt
+        Assert.assertEquals(plaintext.length + tagSize, ciphertext.length);
+        Assert.assertEquals(plaintext.length + tagSize, cipher.getUpdateOutputSize(plaintext.length));
+        //during the encrypt process of the first block
+        int len = cipher.processBytes(plaintext, 0, tmpLength, ciphertext, 0);
+        Assert.assertEquals(plaintext.length + tagSize, len + cipher.getOutputSize(plaintext.length - tmpLength));
+        Assert.assertEquals(plaintext.length + tagSize, len + cipher.getUpdateOutputSize(plaintext.length - tmpLength));
+        //during the encrypt process of the second block
+        len += cipher.processBytes(plaintext, tmpLength , blockSize, ciphertext, len);
+        Assert.assertEquals(plaintext.length + tagSize, len + cipher.getOutputSize(plaintext.length - tmpLength - blockSize));
+        Assert.assertEquals(plaintext.length + tagSize, len + cipher.getUpdateOutputSize(plaintext.length - tmpLength - blockSize));
+        //process the remaining bytes
+        len += cipher.processBytes(plaintext, tmpLength  + blockSize , blockSize, ciphertext, len);
+        Assert.assertEquals(plaintext.length + tagSize, len + cipher.getOutputSize(0));
+        Assert.assertEquals(plaintext.length + tagSize, len + cipher.getUpdateOutputSize(0));
+        //process doFinal
+        len += cipher.doFinal(ciphertext, len);
+        Assert.assertEquals(len, ciphertext.length);
+
+        cipher.init(false, new ParametersWithIV(new KeyParameter(key), iv));
+        //before the encrypt
+        Assert.assertEquals(plaintext.length, cipher.getOutputSize(ciphertext.length));
+        Assert.assertEquals(plaintext.length, cipher.getUpdateOutputSize(ciphertext.length));
+        //during the encrypt process of the first block
+        len = cipher.processBytes(ciphertext, 0, tmpLength, plaintext, 0);
+        Assert.assertEquals(plaintext.length, len + cipher.getOutputSize(ciphertext.length - tmpLength));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(ciphertext.length - tmpLength));
+        //during the encrypt process of the second block
+        len += cipher.processBytes(ciphertext, tmpLength , blockSize, plaintext, len);
+        Assert.assertEquals(plaintext.length, len + cipher.getOutputSize(ciphertext.length - tmpLength - blockSize));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(ciphertext.length - tmpLength - blockSize));
+        //process the remaining bytes
+        len += cipher.processBytes(ciphertext, tmpLength + blockSize , blockSize + tagSize, plaintext, len);
+        Assert.assertEquals(plaintext.length, len + cipher.getOutputSize(0));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(0));
+        //process doFinal
+        len += cipher.doFinal(plaintext, len);
+        Assert.assertEquals(len, plaintext.length);
+    }
 }

core/src/test/java/org/bouncycastle/crypto/test/ISAPTest.java

@@ -51,6 +51,10 @@ public void performTest()
         testVectors("isapk128av20", IsapType.ISAP_K_128A);
         testVectors("isapk128v20", IsapType.ISAP_K_128);
         testVectors();
+        CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_K_128A));
+        CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_K_128));
+        CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_A_128A));
+        CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new ISAPEngine(IsapType.ISAP_A_128));
     }
 
     private void testVectors(String filename, IsapType isapType)
@@ -282,6 +286,7 @@ private void testExceptions(AEADCipher aeadBlockCipher, int keysize, int ivsize,
         }
 
         aeadBlockCipher.init(true, params);
+        c1 = new byte[aeadBlockCipher.getOutputSize(m.length)];
         try
         {
             aeadBlockCipher.doFinal(c1, m.length);
@@ -431,10 +436,11 @@ private void testExceptions(AEADCipher aeadBlockCipher, int keysize, int ivsize,
         {
             m7[i] = (byte)rand.nextInt();
         }
+
+        aeadBlockCipher.init(true, params);
         byte[] c7 = new byte[aeadBlockCipher.getOutputSize(m7.length)];
         byte[] c8 = new byte[c7.length];
         byte[] c9 = new byte[c7.length];
-        aeadBlockCipher.init(true, params);
         aeadBlockCipher.processAADBytes(aad2, 0, aad2.length);
         offset = aeadBlockCipher.processBytes(m7, 0, m7.length, c7, 0);
         aeadBlockCipher.doFinal(c7, offset);

core/src/test/java/org/bouncycastle/crypto/test/PhotonBeetleTest.java

@@ -41,6 +41,8 @@ public void performTest()
         testVectors(PhotonBeetleEngine.PhotonBeetleParameters.pb32, "v32");
         testVectors(PhotonBeetleEngine.PhotonBeetleParameters.pb128, "v128");
         testExceptions(new PhotonBeetleDigest(), 32);
+        CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new PhotonBeetleEngine(PhotonBeetleEngine.PhotonBeetleParameters.pb128));
+        CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new PhotonBeetleEngine(PhotonBeetleEngine.PhotonBeetleParameters.pb32));
     }
 
     private void testVectorsHash()
@@ -228,6 +230,7 @@ private void testExceptions(AEADCipher aeadBlockCipher, int keysize, int ivsize,
         }
 
         aeadBlockCipher.init(true, params);
+        c1 = new byte[aeadBlockCipher.getOutputSize(m.length)];
         try
         {
             aeadBlockCipher.doFinal(c1, m.length);
@@ -379,10 +382,10 @@ private void testExceptions(AEADCipher aeadBlockCipher, int keysize, int ivsize,
         {
             m7[i] = (byte)rand.nextInt();
         }
+        aeadBlockCipher.init(true, params);
         byte[] c7 = new byte[aeadBlockCipher.getOutputSize(m7.length)];
         byte[] c8 = new byte[c7.length];
         byte[] c9 = new byte[c7.length];
-        aeadBlockCipher.init(true, params);
         aeadBlockCipher.processAADBytes(aad2, 0, aad2.length);
         offset = aeadBlockCipher.processBytes(m7, 0, m7.length, c7, 0);
         aeadBlockCipher.doFinal(c7, offset);

core/src/test/java/org/bouncycastle/crypto/test/XoodyakTest.java

@@ -39,6 +39,7 @@ public void performTest()
         testExceptions(xoodyak, xoodyak.getKeyBytesSize(), xoodyak.getIVBytesSize(), xoodyak.getBlockSize());
         testParameters(xoodyak, 16, 16, 16);
         testExceptions(new XoodyakDigest(), 32);
+        CipherTest.checkAEADCipherOutputSize(16, 16, 16, 16, new XoodyakEngine());
     }
 
     private void testVectorsHash()
@@ -233,6 +234,7 @@ private void testExceptions(AEADCipher aeadBlockCipher, int keysize, int ivsize,
         }
 
         aeadBlockCipher.init(true, params);
+        c1 = new byte[aeadBlockCipher.getOutputSize(m.length)];
         try
         {
             aeadBlockCipher.doFinal(c1, m.length);
@@ -384,10 +386,11 @@ private void testExceptions(AEADCipher aeadBlockCipher, int keysize, int ivsize,
         {
             m7[i] = (byte)rand.nextInt();
         }
+
+        aeadBlockCipher.init(true, params);
         byte[] c7 = new byte[aeadBlockCipher.getOutputSize(m7.length)];
         byte[] c8 = new byte[c7.length];
         byte[] c9 = new byte[c7.length];
-        aeadBlockCipher.init(true, params);
         aeadBlockCipher.processAADBytes(aad2, 0, aad2.length);
         offset = aeadBlockCipher.processBytes(m7, 0, m7.length, c7, 0);
         aeadBlockCipher.doFinal(c7, offset);