bcgit · timw · Jul 3, 2013 · Jul 4, 2013
diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/CCMBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/CCMBlockCipher.java
@@ -99,6 +99,8 @@ else if (params instanceof ParametersWithIV)
        {
            throw new IllegalArgumentException("nonce must have length from 7 to 13 octets");
        }
+
+        reset();
    }

    public String getAlgorithmName()
@@ -219,7 +221,12 @@ public byte[] processPacket(byte[] in, int inOff, int inLen)

        if (forEncryption)
        {
-            output = new byte[inLen + macSize];
+            int outputLen = inLen + macSize;
+            output = new byte[outputLen];
+            if (output.length < (outputLen + outOff))
+            {
+                throw new DataLengthException("Output buffer too short.");
+            }

            calculateMac(in, inOff, inLen, macBlock);

@@ -246,9 +253,18 @@ public byte[] processPacket(byte[] in, int inOff, int inLen)
        }
        else
        {
-            output = new byte[inLen - macSize];
+            if (inLen < macSize)
+            {
+                throw new InvalidCipherTextException("data too short");
+            }
+            int outputLen = inLen - macSize;
+            output = new byte[outputLen];
+            if (output.length < (outputLen + outOff))
+            {
+                throw new DataLengthException("Output buffer too short.");
+            }

-            System.arraycopy(in, inOff + inLen - macSize, macBlock, 0, macSize);
+            System.arraycopy(in, inOff + outputLen, macBlock, 0, macSize);

            ctrCipher.processBlock(macBlock, 0, macBlock, 0);


diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/EAXBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/EAXBlockCipher.java
@@ -123,16 +123,10 @@ else if (params instanceof ParametersWithIV)
        mac.update(nonce, 0, nonce.length);
        mac.doFinal(nonceMac, 0);

-        tag[blockSize - 1] = hTAG;
-        mac.update(tag, 0, blockSize);
-
-        if (initialAssociatedText != null)
-        {
-            processAADBytes(initialAssociatedText, 0, initialAssociatedText.length);
-        }
-
        // Same BlockCipher underlies this and the mac, so reuse last key on cipher 
        cipher.init(true, new ParametersWithIV(null, nonceMac));
+
+        reset();
    }

    private void initCipher()
@@ -206,7 +200,7 @@ public void processAADBytes(byte[] in, int inOff, int len)
    {
        if (cipherInitialized)
        {
-            throw new IllegalStateException("AAD data cannot be added after encryption/decription processing has begun.");
+            throw new IllegalStateException("AAD data cannot be added after encryption/decryption processing has begun.");
        }
        mac.update(in, inOff, len);
    }
@@ -246,6 +240,10 @@ public int doFinal(byte[] out, int outOff)

        if (forEncryption)
        {
+            if (out.length < (outOff + extra))
+            {
+                throw new DataLengthException("Output buffer too short");
+            }
            cipher.processBlock(bufBlock, 0, tmp, 0);
            cipher.processBlock(bufBlock, blockSize, tmp, blockSize);

@@ -263,6 +261,10 @@ public int doFinal(byte[] out, int outOff)
        }
        else
        {
+            if (extra < macSize)
+            {
+                throw new InvalidCipherTextException("data too short");
+            }
            if (extra > macSize)
            {
                mac.update(bufBlock, 0, extra - macSize);

diff --git a/core/src/test/java/org/bouncycastle/crypto/test/AEADTestUtil.java b/core/src/test/java/org/bouncycastle/crypto/test/AEADTestUtil.java
@@ -0,0 +1,184 @@
+package org.bouncycastle.crypto.test;
+
+import org.bouncycastle.crypto.CipherParameters;
+import org.bouncycastle.crypto.DataLengthException;
+import org.bouncycastle.crypto.InvalidCipherTextException;
+import org.bouncycastle.crypto.modes.AEADBlockCipher;
+import org.bouncycastle.util.Arrays;
+import org.bouncycastle.util.encoders.Hex;
+import org.bouncycastle.util.test.SimpleTestResult;
+import org.bouncycastle.util.test.Test;
+import org.bouncycastle.util.test.TestFailedException;
+
+public class AEADTestUtil
+{
+
+    public static void testTampering(Test test, AEADBlockCipher cipher, CipherParameters params)
+            throws InvalidCipherTextException
+    {
+        byte[] plaintext = new byte[1000];
+        for (int i = 0; i < plaintext.length; i++)
+        {
+            plaintext[i] = (byte)i;
+        }
+        cipher.init(true, params);
+
+        byte[] ciphertext = new byte[cipher.getOutputSize(plaintext.length)];
+        int len = cipher.processBytes(plaintext, 0, plaintext.length, ciphertext, 0);
+        cipher.doFinal(ciphertext, len);
+
+        int macLength = cipher.getMac().length;
+
+        // Test tampering with a single byte
+        cipher.init(false, params);
+        byte[] tampered = new byte[ciphertext.length];
+        byte[] output = new byte[plaintext.length];
+        System.arraycopy(ciphertext, 0, tampered, 0, tampered.length);
+        tampered[0] += 1;
+
+        cipher.processBytes(tampered, 0, tampered.length, output, 0);
+        try
+        {
+            cipher.doFinal(output, 0);
+            throw new TestFailedException(
+                    new SimpleTestResult(false, test + " : tampering of ciphertext not detected."));
+        } catch (InvalidCipherTextException e)
+        {
+            // Expected
+        }
+
+        // Test truncation of ciphertext to < tag length
+        cipher.init(false, params);
+        byte[] truncated = new byte[macLength - 1];
+        System.arraycopy(ciphertext, 0, truncated, 0, truncated.length);
+
+        cipher.processBytes(truncated, 0, truncated.length, output, 0);
+        try
+        {
+            cipher.doFinal(output, 0);
+            fail(test, "tampering of ciphertext not detected.");
+        } catch (InvalidCipherTextException e)
+        {
+            // Expected
+        }
+    }
+
+    private static void fail(Test test, String message)
+    {
+        throw new TestFailedException(SimpleTestResult.failed(test, message));
+    }
+
+    private static void fail(Test test, String message, String expected, String result)
+    {
+        throw new TestFailedException(SimpleTestResult.failed(test, message, expected, result));
+    }
+
+    public static void testReset(Test test, AEADBlockCipher cipher1, AEADBlockCipher cipher2, CipherParameters params) throws InvalidCipherTextException
+    {
+        cipher1.init(true, params);
+
+        byte[] plaintext = new byte[1000];
+        byte[] ciphertext = new byte[cipher1.getOutputSize(plaintext.length)];
+
+        // Establish baseline answer
+        crypt(cipher1, plaintext, ciphertext);
+
+        // Test encryption resets
+        checkReset(test, cipher1, params, true, plaintext, ciphertext);
+
+        // Test decryption resets with fresh instance
+        cipher2.init(false, params);
+        checkReset(test, cipher2, params, false, ciphertext, plaintext);
+    }
+
+    private static void checkReset(Test test,
+                                   AEADBlockCipher cipher,
+                                   CipherParameters params,
+                                   boolean encrypt,
+                                   byte[] pretext,
+                                   byte[] posttext) throws InvalidCipherTextException
+    {
+        // Do initial run
+        byte[] output = new byte[posttext.length];
+        crypt(cipher, pretext, output);
+
+        // Check encrypt resets cipher
+        crypt(cipher, pretext, output);
+        if (!Arrays.areEqual(output, posttext))
+        {
+            fail(test, (encrypt ? "Encrypt" : "Decrypt") + " did not reset cipher.");
+        }
+
+        // Check init resets data
+        cipher.processBytes(pretext, 0, 100, output, 0);
+        cipher.init(encrypt, params);
+
+        try
+        {
+            crypt(cipher, pretext, output);
+        } catch (DataLengthException e)
+        {
+            fail(test, "Init did not reset data.");
+        }
+        if (!Arrays.areEqual(output, posttext))
+        {
+            fail(test, "Init did not reset data.", new String(Hex.encode(posttext)), new String(Hex.encode(output)));
+        }
+
+        // Check init resets AD
+        cipher.processAADBytes(pretext, 0, 100);
+        cipher.init(encrypt, params);
+
+        try
+        {
+            crypt(cipher, pretext, output);
+        } catch (DataLengthException e)
+        {
+            fail(test, "Init did not reset additional data.");
+        }
+        if (!Arrays.areEqual(output, posttext))
+        {
+            fail(test, "Init did not reset additional data.");
+        }
+
+        // Check reset resets data
+        cipher.processBytes(pretext, 0, 100, output, 0);
+        cipher.reset();
+
+        try
+        {
+            crypt(cipher, pretext, output);
+        } catch (DataLengthException e)
+        {
+            fail(test, "Init did not reset data.");
+        }
+        if (!Arrays.areEqual(output, posttext))
+        {
+            fail(test, "Reset did not reset data.");
+        }
+
+        // Check reset resets AD
+        cipher.processAADBytes(pretext, 0, 100);
+        cipher.reset();
+
+        try
+        {
+            crypt(cipher, pretext, output);
+        } catch (DataLengthException e)
+        {
+            fail(test, "Init did not reset data.");
+        }
+        if (!Arrays.areEqual(output, posttext))
+        {
+            fail(test, "Reset did not reset additional data.");
+        }
+    }
+
+    private static void crypt(AEADBlockCipher cipher, byte[] plaintext, byte[] output)
+            throws InvalidCipherTextException
+    {
+        int len = cipher.processBytes(plaintext, 0, plaintext.length, output, 0);
+        cipher.doFinal(output, len);
+    }
+
+}
diff --git a/core/src/test/java/org/bouncycastle/crypto/test/CCMTest.java b/core/src/test/java/org/bouncycastle/crypto/test/CCMTest.java
@@ -118,6 +118,9 @@ public void performTest()
        {
            // expected
        }
+
+        AEADTestUtil.testReset(this, new CCMBlockCipher(new AESEngine()), new CCMBlockCipher(new AESEngine()), new AEADParameters(new KeyParameter(K1), 32, N2));
+        AEADTestUtil.testTampering(this, ccm, new AEADParameters(new KeyParameter(K1), 32, N2));
    }

    private void checkVectors(
@@ -196,7 +199,8 @@ private void checkVectors(

        if (!areEqual(p, dec))
        {
-            fail("decrypted stream fails to match in test " + count + " with " + additionalDataType);
+            fail("decrypted stream fails to match in test " + count + " with " + additionalDataType,
+                    new String(Hex.encode(p)), new String(Hex.encode(dec)));
        }

        if (!areEqual(t, ccm.getMac()))

diff --git a/core/src/test/java/org/bouncycastle/crypto/test/EAXTest.java b/core/src/test/java/org/bouncycastle/crypto/test/EAXTest.java
@@ -3,6 +3,7 @@
 import java.security.SecureRandom;

 import org.bouncycastle.crypto.InvalidCipherTextException;
+import org.bouncycastle.crypto.engines.AESEngine;
 import org.bouncycastle.crypto.engines.AESFastEngine;
 import org.bouncycastle.crypto.modes.AEADBlockCipher;
 import org.bouncycastle.crypto.modes.EAXBlockCipher;
@@ -152,6 +153,8 @@ public void performTest()
        }

        randomTests();
+        AEADTestUtil.testReset(this, new EAXBlockCipher(new AESEngine()), new EAXBlockCipher(new AESEngine()), new AEADParameters(new KeyParameter(K1), 32, N2));
+        AEADTestUtil.testTampering(this, eax, new AEADParameters(new KeyParameter(K1), 32, N2));
    }

    private void checkVectors(

diff --git a/core/src/test/java/org/bouncycastle/crypto/test/GCMTest.java b/core/src/test/java/org/bouncycastle/crypto/test/GCMTest.java
@@ -3,7 +3,9 @@
 import java.security.SecureRandom;

 import org.bouncycastle.crypto.InvalidCipherTextException;
+import org.bouncycastle.crypto.engines.AESEngine;
 import org.bouncycastle.crypto.engines.AESFastEngine;
+import org.bouncycastle.crypto.engines.DESEngine;
 import org.bouncycastle.crypto.modes.GCMBlockCipher;
 import org.bouncycastle.crypto.modes.gcm.BasicGCMMultiplier;
 import org.bouncycastle.crypto.modes.gcm.GCMMultiplier;
@@ -301,8 +303,39 @@ public void performTest() throws Exception

        randomTests();
        outputSizeTests();
+        testExceptions();
    }    

+    private void testExceptions() throws InvalidCipherTextException
+    {
+        GCMBlockCipher gcm = new GCMBlockCipher(new AESFastEngine());
+
+        try
+        {
+            gcm = new GCMBlockCipher(new DESEngine());
+
+            fail("incorrect block size not picked up");
+        }
+        catch (IllegalArgumentException e)
+        {
+            // expected
+        }
+
+        try
+        {
+            gcm.init(false, new KeyParameter(new byte[16]));
+
+            fail("illegal argument not picked up");
+        }
+        catch (IllegalArgumentException e)
+        {
+            // expected
+        }
+
+        AEADTestUtil.testReset(this, new GCMBlockCipher(new AESEngine()), new GCMBlockCipher(new AESEngine()), new AEADParameters(new KeyParameter(new byte[16]), 128, new byte[16]));
+        AEADTestUtil.testTampering(this, gcm, new AEADParameters(new KeyParameter(new byte[16]), 128, new byte[16]));
+    }
+
    private void runTestCase(String[] testVector)
        throws InvalidCipherTextException
    {