Grain128AEADEngine: fix DER length encoding for AAD lengths > 255

peterdettman · peterdettman · commit e2df273fb3e7 · 2025-03-24T15:23:23.000+07:00
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/Grain128AEADEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/Grain128AEADEngine.java
@@ -239,43 +239,49 @@ protected void processBufferAAD(byte[] input, int inOff)
     @Override
     protected void processFinalAAD()
     {
+        // Encode(ad length) denotes the message length encoded in the DER format.
+        
         int len = aadOperator.getLen();
         byte[] input = ((StreamAADOperator)aadOperator).getBytes();
-        byte[] ader;
 
-        //encodeDer
+        // Need up to 5 bytes for the DER length as an 'int'
+        byte[] ader = new byte[5];
+
+        int pos;
         if (len < 128)
         {
-            ader = new byte[1];
-            ader[0] = (byte)len;
+            pos = ader.length - 1;
+            ader[pos] = (byte)len;
         }
         else
         {
-            // aderlen is the highest bit position divided by 8
-            int aderlen = len_length(len);
-            ader = new byte[1 + aderlen];
-            ader[0] = (byte)(0x80 | aderlen);
-            int tmp = len;
-            for (int i = 1; i < ader.length; ++i)
+            pos = ader.length;
+
+            int dl = len;
+            do
             {
-                ader[i] = (byte)tmp;
-                tmp >>>= 8;
+                ader[--pos] = (byte)dl;
+                dl >>>= 8;
             }
+            while (dl != 0);
+
+            int count = ader.length - pos;
+            ader[--pos] = (byte)(0x80 | count);
         }
 
-        absorbAadData(ader, ader.length);
-        absorbAadData(input, len);
+        absorbAadData(ader, pos, ader.length - pos);
+        absorbAadData(input, 0, len);
     }
 
-    private void absorbAadData(byte[] ader, int len)
+    private void absorbAadData(byte[] buf, int off, int len)
     {
         for (int i = 0; i < len; ++i)
         {
-            byte ader_i = ader[i];
+            byte b = buf[off + i];
             for (int j = 0; j < 8; ++j)
             {
                 shift();
-                updateInternalState((ader_i >> j) & 1);
+                updateInternalState((b >> j) & 1);
             }
         }
     }
@@ -319,21 +325,4 @@ protected void processBufferDecrypt(byte[] input, int inOff, byte[] output, int
             output[outOff + i] = cc;
         }
     }
-
-    private static int len_length(int v)
-    {
-        if ((v & 0xff) == v)
-        {
-            return 1;
-        }
-        if ((v & 0xffff) == v)
-        {
-            return 2;
-        }
-        if ((v & 0xffffff) == v)
-        {
-            return 3;
-        }
-        return 4;
-    }
 }
diff --git a/core/src/test/java/org/bouncycastle/crypto/test/Grain128AEADTest.java b/core/src/test/java/org/bouncycastle/crypto/test/Grain128AEADTest.java
@@ -228,17 +228,8 @@ static void isEqualTo(
         }
     }
 
-//    public static void main(String[] args)
-//    {
-//        runTest(new AsconTest());
-//        runTest(new ElephantTest());
-//        runTest(new GiftCofbTest());
-//        runTest(new Grain128AEADTest());
-//        runTest(new ISAPTest());
-//        runTest(new PhotonBeetleTest());
-//        runTest(new RomulusTest());
-//        runTest(new SparkleTest());
-//        runTest(new XoodyakTest());
-//    }
+    public static void main(String[] args)
+    {
+        runTest(new Grain128AEADTest());
+    }
 }
-

Original file line number	Diff line number	Diff line change
`@@ -239,43 +239,49 @@ protected void processBufferAAD(byte[] input, int inOff)`
`239`	`239`	`@Override`
`240`	`240`	`protected void processFinalAAD()`
`241`	`241`	`{`
	`242`	`+ // Encode(ad length) denotes the message length encoded in the DER format.`
	`243`	`+`
`242`	`244`	`int len = aadOperator.getLen();`
`243`	`245`	`byte[] input = ((StreamAADOperator)aadOperator).getBytes();`
`244`		`- byte[] ader;`
`245`	`246`
`246`		`- //encodeDer`
	`247`	`+ // Need up to 5 bytes for the DER length as an 'int'`
	`248`	`+ byte[] ader = new byte[5];`
	`249`	`+`
	`250`	`+ int pos;`
`247`	`251`	`if (len < 128)`
`248`	`252`	`{`
`249`		`- ader = new byte[1];`
`250`		`- ader[0] = (byte)len;`
	`253`	`+ pos = ader.length - 1;`
	`254`	`+ ader[pos] = (byte)len;`
`251`	`255`	`}`
`252`	`256`	`else`
`253`	`257`	`{`
`254`		`- // aderlen is the highest bit position divided by 8`
`255`		`- int aderlen = len_length(len);`
`256`		`- ader = new byte[1 + aderlen];`
`257`		`- ader[0] = (byte)(0x80 \| aderlen);`
`258`		`- int tmp = len;`
`259`		`- for (int i = 1; i < ader.length; ++i)`
	`258`	`+ pos = ader.length;`
	`259`	`+`
	`260`	`+ int dl = len;`
	`261`	`+ do`
`260`	`262`	`{`
`261`		`- ader[i] = (byte)tmp;`
`262`		`- tmp >>>= 8;`
	`263`	`+ ader[--pos] = (byte)dl;`
	`264`	`+ dl >>>= 8;`
`263`	`265`	`}`
	`266`	`+ while (dl != 0);`
	`267`	`+`
	`268`	`+ int count = ader.length - pos;`
	`269`	`+ ader[--pos] = (byte)(0x80 \| count);`
`264`	`270`	`}`
`265`	`271`
`266`		`- absorbAadData(ader, ader.length);`
`267`		`- absorbAadData(input, len);`
	`272`	`+ absorbAadData(ader, pos, ader.length - pos);`
	`273`	`+ absorbAadData(input, 0, len);`
`268`	`274`	`}`
`269`	`275`
`270`		`- private void absorbAadData(byte[] ader, int len)`
	`276`	`+ private void absorbAadData(byte[] buf, int off, int len)`
`271`	`277`	`{`
`272`	`278`	`for (int i = 0; i < len; ++i)`
`273`	`279`	`{`
`274`		`- byte ader_i = ader[i];`
	`280`	`+ byte b = buf[off + i];`
`275`	`281`	`for (int j = 0; j < 8; ++j)`
`276`	`282`	`{`
`277`	`283`	`shift();`
`278`		`- updateInternalState((ader_i >> j) & 1);`
	`284`	`+ updateInternalState((b >> j) & 1);`
`279`	`285`	`}`
`280`	`286`	`}`
`281`	`287`	`}`
`@@ -319,21 +325,4 @@ protected void processBufferDecrypt(byte[] input, int inOff, byte[] output, int`
`319`	`325`	`output[outOff + i] = cc;`
`320`	`326`	`}`
`321`	`327`	`}`
`322`		`-`
`323`		`- private static int len_length(int v)`
`324`		`- {`
`325`		`- if ((v & 0xff) == v)`
`326`		`- {`
`327`		`- return 1;`
`328`		`- }`
`329`		`- if ((v & 0xffff) == v)`
`330`		`- {`
`331`		`- return 2;`
`332`		`- }`
`333`		`- if ((v & 0xffffff) == v)`
`334`		`- {`
`335`		`- return 3;`
`336`		`- }`
`337`		`- return 4;`
`338`		`- }`
`339`	`328`	`}`