Merge branch 'main' into 'shamir-secret-splitting'

# Conflicts:
#   core/src/test/java/org/bouncycastle/crypto/test/ElephantTest.java

Author: dghgit

ci/pub.sh

@@ -14,7 +14,9 @@ source ci/common.sh
 export JAVA_HOME=`openjdk_21`
 export PATH=$JAVA_HOME/bin:$PATH
 
+./gradlew clean build -x test
+./osgi_scan.sh
 
-./gradlew clean build publishAllPublicationsToCwmavenRepository -x test
+./gradlew publishAllPublicationsToCwmavenRepository -x test
 
 

core/src/main/java/org/bouncycastle/crypto/engines/ElephantEngine.java

@@ -320,7 +320,7 @@ public void init(boolean forEncryption, CipherParameters params)
             this.getAlgorithmName(), 128, params, Utils.getPurpose(forEncryption)));
         initialised = true;
         m_state = forEncryption ? State.EncInit : State.DecInit;
-        inputMessage = new byte[BLOCK_SIZE + (forEncryption ? 0 : CRYPTO_ABYTES)];
+        inputMessage = new byte[BLOCK_SIZE * 2 + (forEncryption ? 0 : CRYPTO_ABYTES)];
         reset(false);
     }
 
@@ -372,12 +372,19 @@ public int processBytes(byte[] input, int inOff, int len, byte[] output, int out
             int nb_it = Math.max(nblocks_c + 1, nblocks_ad - 1);
             byte[] tempInput = new byte[Math.max(nblocks_c, 1) * BLOCK_SIZE];
             System.arraycopy(inputMessage, 0, tempInput, 0, inputOff);
-            System.arraycopy(input, inOff, tempInput, inputOff, Math.min(len, tempInput.length));
+            System.arraycopy(input, inOff, tempInput, inputOff, Math.min(len, tempInput.length - inputOff));
             int rv = processBytes(tempInput, output, outOff, nb_it, nblocks_m, nblocks_c, mlen, nblocks_ad, false);
-            int copyLen = rv - inputOff;
-            inputOff = inputOff + len - rv;
-            System.arraycopy(input, inOff + copyLen, inputMessage, 0, inputOff);
-
+            if (rv >= inputOff)
+            {
+                int copyLen = rv - inputOff;
+                inputOff = inputOff + len - rv;
+                System.arraycopy(input, inOff + copyLen, inputMessage, 0, inputOff);
+            }
+            else
+            {
+                System.arraycopy(input, inOff + rv, inputMessage, inputOff, len - rv);
+                inputOff += len - rv;
+            }
             messageLen += rv;
             return rv;
         }
@@ -404,6 +411,7 @@ public int doFinal(byte[] output, int outOff)
             throw new OutputLengthException("output buffer is too short");
         }
         int mlen = len + messageLen - (forEncryption ? 0 : CRYPTO_ABYTES);
+        int rv = mlen - messageLen;
         int adlen = processAADBytes();
         int nblocks_c = 1 + mlen / BLOCK_SIZE;
         int nblocks_m = (mlen % BLOCK_SIZE) != 0 ? nblocks_c : nblocks_c - 1;
@@ -418,7 +426,7 @@ public int doFinal(byte[] output, int outOff)
         {
             System.arraycopy(tag_buffer, 0, tag, 0, CRYPTO_ABYTES);
             System.arraycopy(tag, 0, output, outOff, tag.length);
-            mlen += CRYPTO_ABYTES;
+            rv += CRYPTO_ABYTES;
         }
         else
         {
@@ -432,7 +440,7 @@ public int doFinal(byte[] output, int outOff)
             }
         }
         reset(false);
-        return mlen;
+        return rv;
     }
 
     @Override
@@ -454,7 +462,17 @@ public int getUpdateOutputSize(int len)
         case EncAad:
         case EncData:
         case EncInit:
-            return inputOff + len + CRYPTO_ABYTES;
+        {
+            int total = inputOff + len;
+            return total - total % BLOCK_SIZE;
+        }
+        case DecAad:
+        case DecData:
+        case DecInit:
+        {
+            int total = Math.max(0, inputOff + len - CRYPTO_ABYTES);
+            return total - total % BLOCK_SIZE;
+        }
         }
         return Math.max(0, len + inputOff - CRYPTO_ABYTES);
     }
@@ -472,9 +490,9 @@ public int getOutputSize(int len)
         case EncAad:
         case EncData:
         case EncInit:
-            return len + CRYPTO_ABYTES;
+            return len + inputOff + CRYPTO_ABYTES;
         }
-        return Math.max(0, len - CRYPTO_ABYTES);
+        return Math.max(0, len + inputOff - CRYPTO_ABYTES);
     }
 
     @Override
@@ -523,7 +541,7 @@ public int getIVBytesSize()
 
     public int getBlockSize()
     {
-        return CRYPTO_ABYTES;
+        return BLOCK_SIZE;
     }
 
     private void checkAad()
@@ -621,7 +639,7 @@ private int processBytes(byte[] m, byte[] output, int outOff, int nb_it, int nbl
         for (i = nb_its; i < nb_it; ++i)
         {
             int r_size = (i == nblocks_m - 1) ? mlen - i * BLOCK_SIZE : BLOCK_SIZE;
-            if (!isDofinal && (r_size % BLOCK_SIZE != 0 || mlen <= i * BLOCK_SIZE))
+            if (!isDofinal && (mlen <= i * BLOCK_SIZE || r_size % BLOCK_SIZE != 0))
             {
                 break;
             }

core/src/main/java/org/bouncycastle/crypto/engines/ISAPEngine.java

@@ -806,7 +806,7 @@ public void init(boolean forEncryption, CipherParameters params)
         if (iv == null || iv.length != 16)
         {
             throw new IllegalArgumentException(
-                "ISAP AEAD requires exactly 12 bytes of IV");
+                "ISAP AEAD requires exactly 16 bytes of IV");
         }
 
         if (!(ivParams.getParameters() instanceof KeyParameter))
@@ -961,13 +961,14 @@ public byte[] getMac()
     @Override
     public int getUpdateOutputSize(int len)
     {
-        return len;
+        int total = Math.max(0, len + message.size() + (forEncryption ? 0 : -16));
+        return total - total % ISAP_rH_SZ;
     }
 
     @Override
     public int getOutputSize(int len)
     {
-        return len + 16;
+        return Math.max(0, len + message.size() + (forEncryption ? 16 : -16));
     }
 
     @Override

core/src/main/java/org/bouncycastle/crypto/engines/PhotonBeetleEngine.java

@@ -270,13 +270,14 @@ public byte[] getMac()
     @Override
     public int getUpdateOutputSize(int len)
     {
-        return len;
+        int total = Math.max(0, len + message.size() + (forEncryption ? 0 : -TAG_INBYTES));
+        return total - total % RATE_INBYTES;
     }
 
     @Override
     public int getOutputSize(int len)
     {
-        return len + TAG_INBYTES;
+        return Math.max(0, len + message.size() + (forEncryption ? TAG_INBYTES : -TAG_INBYTES));
     }
 
     @Override

core/src/main/java/org/bouncycastle/crypto/engines/XoodyakEngine.java

@@ -36,7 +36,7 @@ public class XoodyakEngine
     private byte[] iv;
     private final int PhaseDown = 1;
     private final int PhaseUp = 2;
-//    private final int NLANES = 12;
+    //    private final int NLANES = 12;
 //    private final int NROWS = 3;
 //    private final int NCOLUMS = 4;
     private final int MAXROUNDS = 12;
@@ -262,13 +262,14 @@ public byte[] getMac()
     @Override
     public int getUpdateOutputSize(int len)
     {
-        return len;
+        int total = Math.max(0, len + message.size() + (forEncryption ? 0 : -TAGLEN));
+        return total - total % Rkout;
     }
 
     @Override
     public int getOutputSize(int len)
     {
-        return len + TAGLEN;
+        return Math.max(0, len + message.size() + (forEncryption ? TAGLEN : -TAGLEN));
     }
 
     @Override
@@ -371,7 +372,7 @@ private void Up(byte[] Yi, int YiLen, int Cu)
             a3 ^= e3;
             a7 ^= e3;
             a11 ^= e3;
-            
+
             /* Rho-west: plane shift */
             int b0 = a0;
             int b1 = a1;
@@ -390,7 +391,7 @@ private void Up(byte[] Yi, int YiLen, int Cu)
 
             /* Iota: round ant */
             b0 ^= RC[i];
-            
+
             /* Chi: non linear layer */
             a0 = b0 ^ (~b4 & b8);
             a1 = b1 ^ (~b5 & b9);
@@ -406,7 +407,7 @@ private void Up(byte[] Yi, int YiLen, int Cu)
             b9 ^= (~b1 & b5);
             b10 ^= (~b2 & b6);
             b11 ^= (~b3 & b7);
-            
+
             /* Rho-east: plane shift */
             a4 = Integers.rotateLeft(a4, 1);
             a5 = Integers.rotateLeft(a5, 1);

core/src/main/java/org/bouncycastle/pqc/crypto/lms/LMSigParameters.java

@@ -94,7 +94,7 @@ public ASN1ObjectIdentifier getDigestOID()
         return digestOid;
     }
 
-    static LMSigParameters getParametersForType(int type)
+    public static LMSigParameters getParametersForType(int type)
     {
         return paramBuilders.get(type);
     }

core/src/main/java/org/bouncycastle/pqc/crypto/util/PublicKeyFactory.java

@@ -451,10 +451,6 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
         private LMSKeyParameters getLmsKeyParameters(byte[] keyEnc)
             throws IOException
         {
-            if (keyEnc.length == 64)
-            {
-                keyEnc = Arrays.copyOfRange(keyEnc, 4, keyEnc.length);
-            }
             return HSSPublicKeyParameters.getInstance(keyEnc);
         }
     }

core/src/test/java/org/bouncycastle/crypto/test/CipherTest.java

@@ -12,6 +12,7 @@
 import org.bouncycastle.crypto.params.ParametersWithIV;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.test.SimpleTest;
+import org.junit.Assert;
 
 public abstract class CipherTest
     extends SimpleTest
@@ -185,4 +186,57 @@ static void checkCipher(int aeadLen, int ivLen, int msgLen,  Instace instace)
             throw new RuntimeException(e);
         }
     }
+
+    static void checkAEADCipherOutputSize(int keySize, int ivSize, int blockSize, int tagSize, AEADCipher cipher)
+        throws InvalidCipherTextException
+    {
+        final SecureRandom random = new SecureRandom();
+        int tmpLength = random.nextInt(blockSize - 1) + 1;
+        final byte[] plaintext = new byte[blockSize * 2 + tmpLength];
+        byte[] key = new byte[keySize];
+        byte[] iv = new byte[ivSize];
+        random.nextBytes(key);
+        random.nextBytes(iv);
+        random.nextBytes(plaintext);
+        cipher.init(true, new ParametersWithIV(new KeyParameter(key), iv));
+        byte[] ciphertext = new byte[cipher.getOutputSize(plaintext.length)];
+        //before the encrypt
+        Assert.assertEquals(plaintext.length + tagSize, ciphertext.length);
+        Assert.assertEquals(plaintext.length, cipher.getUpdateOutputSize(plaintext.length) + tmpLength);
+        //during the encrypt process of the first block
+        int len = cipher.processBytes(plaintext, 0, tmpLength, ciphertext, 0);
+        Assert.assertEquals(plaintext.length + tagSize, len + cipher.getOutputSize(plaintext.length - tmpLength));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(plaintext.length - tmpLength) + tmpLength);
+        //during the encrypt process of the second block
+        len += cipher.processBytes(plaintext, tmpLength, blockSize, ciphertext, len);
+        Assert.assertEquals(plaintext.length + tagSize, len + cipher.getOutputSize(plaintext.length - tmpLength - blockSize));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(plaintext.length - tmpLength - blockSize) + tmpLength);
+        //process the remaining bytes
+        len += cipher.processBytes(plaintext, tmpLength + blockSize, blockSize, ciphertext, len);
+        Assert.assertEquals(plaintext.length + tagSize, len + cipher.getOutputSize(0));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(0) + tmpLength);
+        //process doFinal
+        len += cipher.doFinal(ciphertext, len);
+        Assert.assertEquals(len, ciphertext.length);
+
+        cipher.init(false, new ParametersWithIV(new KeyParameter(key), iv));
+        //before the encrypt
+        Assert.assertEquals(plaintext.length, cipher.getOutputSize(ciphertext.length));
+        Assert.assertEquals(plaintext.length, cipher.getUpdateOutputSize(ciphertext.length) + tmpLength);
+        //during the encrypt process of the first block
+        len = cipher.processBytes(ciphertext, 0, tmpLength, plaintext, 0);
+        Assert.assertEquals(plaintext.length, len + cipher.getOutputSize(ciphertext.length - tmpLength));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(ciphertext.length - tmpLength) + tmpLength);
+        //during the encrypt process of the second block
+        len += cipher.processBytes(ciphertext, tmpLength, blockSize, plaintext, len);
+        Assert.assertEquals(plaintext.length, len + cipher.getOutputSize(ciphertext.length - tmpLength - blockSize));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(ciphertext.length - tmpLength - blockSize) + tmpLength);
+        //process the remaining bytes
+        len += cipher.processBytes(ciphertext, tmpLength + blockSize, blockSize + tagSize, plaintext, len);
+        Assert.assertEquals(plaintext.length, len + cipher.getOutputSize(0));
+        Assert.assertEquals(plaintext.length, len + cipher.getUpdateOutputSize(0) + tmpLength);
+        //process doFinal
+        len += cipher.doFinal(plaintext, len);
+        Assert.assertEquals(len, plaintext.length);
+    }
 }

core/src/test/java/org/bouncycastle/crypto/test/ElephantTest.java

@@ -57,9 +57,6 @@ public AEADCipher CreateInstace()
         testVectors(ElephantEngine.ElephantParameters.elephant160, "v160");
         testVectors(ElephantEngine.ElephantParameters.elephant176, "v176");
 
-        ElephantEngine elephant = new ElephantEngine(ElephantEngine.ElephantParameters.elephant200);
-        testExceptions(elephant, elephant.getKeyBytesSize(), elephant.getIVBytesSize(), elephant.getBlockSize());
-        testParameters(elephant, 16, 12, 16);
 
         elephant = new ElephantEngine(ElephantEngine.ElephantParameters.elephant160);
         testExceptions(elephant, elephant.getKeyBytesSize(), elephant.getIVBytesSize(), elephant.getBlockSize());
@@ -233,6 +230,7 @@ private void testExceptions(AEADCipher aeadBlockCipher, int keysize, int ivsize,
         }
 
         aeadBlockCipher.init(true, params);
+        c1 = new byte[aeadBlockCipher.getOutputSize(0)];
         try
         {
             aeadBlockCipher.doFinal(c1, m.length);
@@ -442,7 +440,5 @@ public static void main(String[] args)
     {
         runTest(new ElephantTest());
     }
-
-
 }
 

core/src/test/java/org/bouncycastle/crypto/test/ISAPTest.java

@@ -51,6 +51,10 @@ public void performTest()
         testVectors("isapk128av20", IsapType.ISAP_K_128A);
         testVectors("isapk128v20", IsapType.ISAP_K_128);
         testVectors();
+        CipherTest.checkAEADCipherOutputSize(16, 16, 18, 16, new ISAPEngine(IsapType.ISAP_K_128A));
+        CipherTest.checkAEADCipherOutputSize(16, 16, 18, 16, new ISAPEngine(IsapType.ISAP_K_128));
+        CipherTest.checkAEADCipherOutputSize(16, 16, 8, 16, new ISAPEngine(IsapType.ISAP_A_128A));
+        CipherTest.checkAEADCipherOutputSize(16, 16, 8, 16, new ISAPEngine(IsapType.ISAP_A_128));
     }
 
     private void testVectors(String filename, IsapType isapType)
@@ -282,6 +286,7 @@ private void testExceptions(AEADCipher aeadBlockCipher, int keysize, int ivsize,
         }
 
         aeadBlockCipher.init(true, params);
+        c1 = new byte[aeadBlockCipher.getOutputSize(m.length)];
         try
         {
             aeadBlockCipher.doFinal(c1, m.length);
@@ -431,10 +436,11 @@ private void testExceptions(AEADCipher aeadBlockCipher, int keysize, int ivsize,
         {
             m7[i] = (byte)rand.nextInt();
         }
+
+        aeadBlockCipher.init(true, params);
         byte[] c7 = new byte[aeadBlockCipher.getOutputSize(m7.length)];
         byte[] c8 = new byte[c7.length];
         byte[] c9 = new byte[c7.length];
-        aeadBlockCipher.init(true, params);
         aeadBlockCipher.processAADBytes(aad2, 0, aad2.length);
         offset = aeadBlockCipher.processBytes(m7, 0, m7.length, c7, 0);
         aeadBlockCipher.doFinal(c7, offset);