Fix the bugs that ASCON Xof does not support multi-part outputs based on the code from #2030 .

Author: gefeili

core/src/main/java/org/bouncycastle/crypto/digests/AsconBaseDigest.java

@@ -25,7 +25,6 @@ protected AsconBaseDigest()
         DigestSize = 32;
     }
 
-
     protected abstract long pad(int i);
 
     protected abstract long loadBytes(final byte[] bytes, int inOff);
@@ -85,12 +84,4 @@ protected void ensureSufficientOutputBuffer(byte[] output, int outOff, int len)
             throw new OutputLengthException("output buffer is too short");
         }
     }
-
-    protected void ensureNoAbsorbWhileSqueezing(boolean m_squeezing)
-    {
-        if (m_squeezing)
-        {
-            throw new IllegalArgumentException("attempt to absorb while squeezing");
-        }
-    }
 }

core/src/main/java/org/bouncycastle/crypto/digests/AsconCXof128.java

@@ -1,7 +1,6 @@
 package org.bouncycastle.crypto.digests;
 
 import org.bouncycastle.crypto.DataLengthException;
-import org.bouncycastle.crypto.Xof;
 import org.bouncycastle.util.Pack;
 
 /**
@@ -16,10 +15,8 @@
  * </p>
  */
 public class AsconCXof128
-    extends AsconBaseDigest
-    implements Xof
+    extends AsconXofBase
 {
-    private boolean m_squeezing = false;
     private final long z0, z1, z2, z3, z4;
 
     public AsconCXof128()
@@ -49,20 +46,6 @@ public AsconCXof128(byte[] s, int off, int len)
         z4 = p.x4;
     }
 
-    @Override
-    public void update(byte in)
-    {
-        ensureNoAbsorbWhileSqueezing(m_squeezing);
-        super.update(in);
-    }
-
-    @Override
-    public void update(byte[] input, int inOff, int len)
-    {
-        ensureNoAbsorbWhileSqueezing(m_squeezing);
-        super.update(input, inOff, len);
-    }
-
     protected long pad(int i)
     {
         return 0x01L << (i << 3);
@@ -88,35 +71,10 @@ protected void setBytes(long w, byte[] bytes, int inOff, int n)
         Pack.longToLittleEndian(w, bytes, inOff, n);
     }
 
-    protected void padAndAbsorb()
-    {
-        m_squeezing = true;
-        super.padAndAbsorb();
-    }
-
-    @Override
-    public int doOutput(byte[] output, int outOff, int outLen)
-    {
-        ensureSufficientOutputBuffer(output, outOff, outLen);
-        padAndAbsorb();
-        /* squeeze full output blocks */
-        squeeze(output, outOff, outLen);
-        return outLen;
-    }
-
-    @Override
-    public int doFinal(byte[] output, int outOff, int outLen)
-    {
-        int rlt = doOutput(output, outOff, outLen);
-        reset();
-        return rlt;
-    }
-
     @Override
     public void reset()
     {
         super.reset();
-        m_squeezing = false;
         /* initialize */
         p.set(z0, z1, z2, z3, z4);
     }
@@ -129,7 +87,7 @@ private void initState(byte[] z, int zOff, int zLen)
         p.p(12);
         update(z, zOff, zLen);
         padAndAbsorb();
-        m_squeezing = false;
+        super.reset();
     }
 }
 

core/src/main/java/org/bouncycastle/crypto/digests/AsconXof.java

@@ -1,6 +1,5 @@
 package org.bouncycastle.crypto.digests;
 
-import org.bouncycastle.crypto.Xof;
 import org.bouncycastle.util.Pack;
 
 /**
@@ -13,8 +12,7 @@
  * @deprecated Now superseded - please use AsconXof128
  */
 public class AsconXof
-    extends AsconBaseDigest
-    implements Xof
+    extends AsconXofBase
 {
     public enum AsconParameters
     {
@@ -44,28 +42,6 @@ public AsconXof(AsconXof.AsconParameters parameters)
         reset();
     }
 
-    private boolean m_squeezing = false;
-
-    @Override
-    public void update(byte in)
-    {
-        ensureNoAbsorbWhileSqueezing(m_squeezing);
-        super.update(in);
-    }
-
-    @Override
-    public void update(byte[] input, int inOff, int len)
-    {
-        ensureNoAbsorbWhileSqueezing(m_squeezing);
-        super.update(input, inOff, len);
-    }
-
-    protected void padAndAbsorb()
-    {
-        m_squeezing = true;
-        super.padAndAbsorb();
-    }
-
     protected long pad(int i)
     {
         return 0x80L << (56 - (i << 3));
@@ -91,25 +67,10 @@ protected void setBytes(long w, byte[] bytes, int inOff, int n)
         Pack.longToBigEndian(w, bytes, inOff, n);
     }
 
-    @Override
-    public int doOutput(byte[] output, int outOff, int outLen)
-    {
-        return hash(output, outOff, outLen);
-    }
-
-    @Override
-    public int doFinal(byte[] output, int outOff, int outLen)
-    {
-        int rlt = doOutput(output, outOff, outLen);
-        reset();
-        return rlt;
-    }
-
     @Override
     public void reset()
     {
         super.reset();
-        m_squeezing = false;
         /* initialize */
         switch (asconParameters)
         {

core/src/main/java/org/bouncycastle/crypto/digests/AsconXof128.java

@@ -1,6 +1,5 @@
 package org.bouncycastle.crypto.digests;
 
-import org.bouncycastle.crypto.Xof;
 import org.bouncycastle.util.Pack;
 
 /**
@@ -15,10 +14,8 @@
  * </p>
  */
 public class AsconXof128
-    extends AsconBaseDigest
-    implements Xof
+    extends AsconXofBase
 {
-    private boolean m_squeezing;
 
     public AsconXof128()
     {
@@ -51,44 +48,9 @@ protected void setBytes(long w, byte[] bytes, int inOff, int n)
         Pack.longToLittleEndian(w, bytes, inOff, n);
     }
 
-    protected void padAndAbsorb()
-    {
-        m_squeezing = true;
-        super.padAndAbsorb();
-    }
-
-    @Override
-    public void update(byte in)
-    {
-        ensureNoAbsorbWhileSqueezing(m_squeezing);
-        super.update(in);
-    }
-
-    @Override
-    public void update(byte[] input, int inOff, int len)
-    {
-        ensureNoAbsorbWhileSqueezing(m_squeezing);
-        super.update(input, inOff, len);
-    }
-
-    @Override
-    public int doOutput(byte[] output, int outOff, int outLen)
-    {
-        return hash(output, outOff, outLen);
-    }
-
-    @Override
-    public int doFinal(byte[] output, int outOff, int outLen)
-    {
-        int rlt = doOutput(output, outOff, outLen);
-        reset();
-        return rlt;
-    }
-
     @Override
     public void reset()
     {
-        m_squeezing = false;
         super.reset();
         /* initialize */
         p.set(-2701369817892108309L, -3711838248891385495L, -1778763697082575311L, 1072114354614917324L, -2282070310009238562L);

core/src/main/java/org/bouncycastle/crypto/digests/AsconXofBase.java

@@ -0,0 +1,106 @@
+package org.bouncycastle.crypto.digests;
+
+import org.bouncycastle.crypto.Xof;
+
+abstract class AsconXofBase
+    extends AsconBaseDigest
+    implements Xof
+{
+    private boolean m_squeezing;
+    private final byte[] buffer = new byte[BlockSize];
+    private int bytesInBuffer;
+
+    @Override
+    public void update(byte in)
+    {
+        ensureNoAbsorbWhileSqueezing(m_squeezing);
+        super.update(in);
+    }
+
+    @Override
+    public void update(byte[] input, int inOff, int len)
+    {
+        ensureNoAbsorbWhileSqueezing(m_squeezing);
+        super.update(input, inOff, len);
+    }
+
+    @Override
+    public int doOutput(byte[] output, int outOff, int outLen)
+    {
+        ensureSufficientOutputBuffer(output, outOff, outLen);
+
+        /* Use buffered output first */
+        int bytesOutput = 0;
+        if (bytesInBuffer != 0)
+        {
+            int startPos = BlockSize - bytesInBuffer;
+            int bytesToOutput = Math.min(outLen, bytesInBuffer);
+            System.arraycopy(buffer, startPos, output, outOff, bytesToOutput);
+            bytesInBuffer -= bytesToOutput;
+            bytesOutput += bytesToOutput;
+        }
+
+        int available = outLen - bytesOutput;
+        /* If we still need to output data */
+        if (available >= BlockSize)
+        {
+            /* Output full blocks */
+            int bytesToOutput = available - available % BlockSize;
+            bytesOutput += hash(output, outOff + bytesOutput, bytesToOutput);
+        }
+
+        /* If we need to output a partial buffer */
+        if (bytesOutput < outLen)
+        {
+            /* Access the next buffer's worth of data */
+            hash(buffer, 0, BlockSize);
+
+            /* Copy required length of data */
+            int bytesToOutput = outLen - bytesOutput;
+            System.arraycopy(buffer, 0, output, outOff + bytesOutput, bytesToOutput);
+            bytesInBuffer = buffer.length - bytesToOutput;
+            bytesOutput += bytesToOutput;
+        }
+
+        /* return the length of data output */
+        return bytesOutput;
+    }
+
+    @Override
+    public int doFinal(byte[] output, int outOff, int outLen)
+    {
+        int rlt = doOutput(output, outOff, outLen);
+        reset();
+        return rlt;
+    }
+
+    @Override
+    public void reset()
+    {
+        m_squeezing = false;
+        bytesInBuffer = 0;
+        super.reset();
+    }
+
+    @Override
+    protected void padAndAbsorb()
+    {
+        if (!m_squeezing)
+        {
+            m_squeezing = true;
+            super.padAndAbsorb();
+        }
+        else
+        {
+            p.p(ASCON_PB_ROUNDS);
+        }
+    }
+
+    private void ensureNoAbsorbWhileSqueezing(boolean m_squeezing)
+    {
+        if (m_squeezing)
+        {
+            throw new IllegalArgumentException("attempt to absorb while squeezing");
+        }
+    }
+}

core/src/test/java/org/bouncycastle/crypto/test/AsconTest.java

@@ -3,6 +3,7 @@
 import java.io.BufferedReader;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.security.SecureRandom;
 import java.util.HashMap;
 import java.util.Random;
 
@@ -44,6 +45,11 @@ public String getName()
     public void performTest()
         throws Exception
     {
+        DigestTest.checkXof(new AsconXof128(), 1429, 317, new SecureRandom(), this);
+        DigestTest.checkXof(new AsconCXof128(), 1429, 317, new SecureRandom(), this);
+        DigestTest.checkXof(new AsconXof(AsconXof.AsconParameters.AsconXof), 1429, 317, new SecureRandom(), this);
+        DigestTest.checkXof(new AsconXof(AsconXof.AsconParameters.AsconXofA), 1429, 317, new SecureRandom(), this);
+
         testVectorsEngine_asconaead128();
         testVectorsDigest_AsconHash256();
         testVectorsXof_AsconXof128();