Merge branch 'main' of gitlab.cryptoworkshop.com:root/bc-java

Author: dghgit

core/src/main/java/org/bouncycastle/crypto/modes/CCMBlockCipher.java

@@ -261,9 +261,19 @@ public int processPacket(byte[] in, int inOff, int inLen, byte[] output, int out
         if (q < 4)
         {
             int limitLen = 1 << (8 * q);
-            if (inLen >= limitLen)
+
+            // no input length adjustment for encryption
+            int inputAdjustment = 0;
+
+            if (!forEncryption)
+            {
+                // input includes 16 additional bytes: CCM flags and n+q values.
+                inputAdjustment = 1 /* flags */ + 15 /* n + q */;
+            }
+
+            if ((inLen-inputAdjustment) >= limitLen)
             {
-                throw new IllegalStateException("CCM packet too large for choice of q.");
+                throw new IllegalStateException("CCM packet too large for choice of q");
             }
         }
 

core/src/test/java/org/bouncycastle/crypto/test/CCMTest.java

@@ -7,6 +7,7 @@
 import org.bouncycastle.crypto.params.AEADParameters;
 import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.crypto.params.ParametersWithIV;
+import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Strings;
 import org.bouncycastle.util.encoders.Hex;
 import org.bouncycastle.util.test.SimpleTest;
@@ -150,6 +151,51 @@ public void performTest()
             // expected
         }
 
+        // For small number of allowed blocks, validate boundary
+        // conditions are properly handled. Zero and greater will
+        // fail as size bound is a strict inequality.
+        int[] offsets = new int[]{-10, -2, -1, 0, 1, 10};
+        int[] ns = new int[]{13, 12};
+        for (int n_len : ns)
+        {
+            for (int offset : offsets)
+            {
+                try
+                {
+                    ccm.init(true, new AEADParameters(new KeyParameter(K1), 128, new byte[n_len]));
+
+                    // Encrypt up to 2^(8q) + offset. Note that message length
+                    // must be strictly less than 2^(8q) so offset=0 will not
+                    // work (per SP 800-38C Section A.1 Length Requirements).
+                    int q = 15 - n_len;
+                    int size = 1 << (8*q);
+                    inBuf = new byte[size + offset];
+
+                    outBuf = new byte[ccm.getOutputSize(inBuf.length)];
+                    len = ccm.processPacket(inBuf, 0, inBuf.length, outBuf, 0);
+
+                    if (offset >= 0) {
+                        fail("expected to fail to encrypt boundary bytes n=" + n_len + "size=" + size + " offset=" + offset);
+                    } else {
+                        // Decrypt should also succeed if encryption succeeded.
+                        ccm.init(false, new AEADParameters(new KeyParameter(K1), 128, new byte[n_len]));
+                        out = ccm.processPacket(outBuf, 0, outBuf.length);
+
+                        if (out.length != inBuf.length || !Arrays.areEqual(inBuf, out))
+                        {
+                            fail("encryption output incorrect");
+                        }
+                    }
+                }
+                catch (Exception e)
+                {
+                    if (offset < 0) {
+                        fail("unexpected failure to encrypt boundary bytes n=" + n_len + " offset=" + offset + " msg=" + e.getMessage());
+                    }
+                }
+            }
+        }
+
         AEADTestUtil.testReset(this, new CCMBlockCipher(AESEngine.newInstance()), new CCMBlockCipher(AESEngine.newInstance()), new AEADParameters(new KeyParameter(K1), 32, N2));
         AEADTestUtil.testTampering(this, ccm, new AEADParameters(new KeyParameter(K1), 32, N2));
         AEADTestUtil.testOutputSizes(this, new CCMBlockCipher(AESEngine.newInstance()), new AEADParameters(

docs/releasenotes.html

@@ -24,18 +24,29 @@ <h2>2.0 Release History</h2>
 <h3>2.1.2 Defects Fixed</h3>
 <ul>
 <li>Issues with a dangling weak reference causing intermittent NullPointerExceptions in the OcspCache have been fixed.</li>
+<li>Issues with non-constant time RSA operations in TLS handshakes have been fixed.</li>
+<li>Issue with Ed25519, Ed448 signature verification causing intermittent infinite loop have been fixed.</li>
+<li>Issues with non-constant time ML-KEM implementation ("Kyber Slash") have been fixed.</li>
+<li>Align ML-KEM input validation with FIPS 203 IPD requirements.</li>
+<li>Make PEM parsing more forgiving of whitespace to align with RFC 7468 - Textual Encodings of PKIX, PKCS, and CMS Structures.</li>
 </ul>
 <h3>2.1.3 Additional Features and Functionality</h3>
 <ul>
 <li>An implementation of MLS (RFC 9420 - The Messaging Layer Security Protocol) has been added as a new module.</li>
 <li>NTRU now supports NTRU-HPS4096-1229 and NTRU-HRSS-1373.</li>
+<li>Improvements to PGP support, including Curve25519, Curve448 key types.</li>
+<li>Add initial support for ML-KEM in TLS.</li>
+<li>Add XWing hybrid KEM construction (X25519 + ML-KEM-768).</li>
+<li>Introduce initial KEMSpi support (NTRU, SNTRU Prime) for JDK 21+.</li>
+<li>Introduce initial composite signature support for X509 Certificates.</li>
 </ul>
 <h3>2.1.4 Notes.</h3>
 <ul>
 <li>Both versions of NTRUPrime have been updated to produce 256 bit secrets in line with Kyber. This should also bring them into line with other implementations such as those used in OpenSSH now.</li>
 <li>BCJSSE: The boolean system property 'org.bouncycastle.jsse.fips.allowRSAKeyExchange" now defaults to false. All RSA
 key exchange cipher suites will therefore be disabled when the BCJSSE provider is used in FIPS mode, unless this system
 property is explicitly set to true.</li>
+<li>Improve OSGi compatibility.</li>
 </ul>
 
 <a id="r1rv77"><h3>2.2.1 Version</h3></a>