Fix CCM input length check

cipherboy · cipherboy · commit e73dbc53dbb0 · 2024-04-04T14:34:50.000-04:00
As reported by @CipherGato, CCM fails to decrypt a full-length message for n=13, q=2 (maximum length 65,535). This is because the input message already includes the flags and nonce components (B0 from SP800 38C). Correctly handle full-length CCM decryption. Resolves: #1570 Signed-off-by: Alexander Scheel <alexander.scheel@keyfactor.com>
diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/CCMBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/CCMBlockCipher.java
@@ -261,9 +261,19 @@ public int processPacket(byte[] in, int inOff, int inLen, byte[] output, int out
         if (q < 4)
         {
             int limitLen = 1 << (8 * q);
-            if (inLen >= limitLen)
+
+            // no input length adjustment for encryption
+            int inputAdjustment = 0;
+
+            if (!forEncryption)
+            {
+                // input includes 16 additional bytes: CCM flags and n+q values.
+                inputAdjustment = 1 /* flags */ + 15 /* n + q */;
+            }
+
+            if ((inLen-inputAdjustment) >= limitLen)
             {
-                throw new IllegalStateException("CCM packet too large for choice of q.");
+                throw new IllegalStateException("CCM packet too large for choice of q");
             }
         }
 
diff --git a/core/src/test/java/org/bouncycastle/crypto/test/CCMTest.java b/core/src/test/java/org/bouncycastle/crypto/test/CCMTest.java
@@ -7,6 +7,7 @@
 import org.bouncycastle.crypto.params.AEADParameters;
 import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.crypto.params.ParametersWithIV;
+import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Strings;
 import org.bouncycastle.util.encoders.Hex;
 import org.bouncycastle.util.test.SimpleTest;
@@ -150,6 +151,51 @@ public void performTest()
             // expected
         }
 
+        // For small number of allowed blocks, validate boundary
+        // conditions are properly handled. Zero and greater will
+        // fail as size bound is a strict inequality.
+        int[] offsets = new int[]{-10, -2, -1, 0, 1, 10};
+        int[] ns = new int[]{13, 12};
+        for (int n_len : ns)
+        {
+            for (int offset : offsets)
+            {
+                try
+                {
+                    ccm.init(true, new AEADParameters(new KeyParameter(K1), 128, new byte[n_len]));
+
+                    // Encrypt up to 2^(8q) + offset. Note that message length
+                    // must be strictly less than 2^(8q) so offset=0 will not
+                    // work (per SP 800-38C Section A.1 Length Requirements).
+                    int q = 15 - n_len;
+                    int size = 1 << (8*q);
+                    inBuf = new byte[size + offset];
+
+                    outBuf = new byte[ccm.getOutputSize(inBuf.length)];
+                    len = ccm.processPacket(inBuf, 0, inBuf.length, outBuf, 0);
+
+                    if (offset >= 0) {
+                        fail("expected to fail to encrypt boundary bytes n=" + n_len + "size=" + size + " offset=" + offset);
+                    } else {
+                        // Decrypt should also succeed if encryption succeeded.
+                        ccm.init(false, new AEADParameters(new KeyParameter(K1), 128, new byte[n_len]));
+                        out = ccm.processPacket(outBuf, 0, outBuf.length);
+
+                        if (out.length != inBuf.length || !Arrays.areEqual(inBuf, out))
+                        {
+                            fail("encryption output incorrect");
+                        }
+                    }
+                }
+                catch (Exception e)
+                {
+                    if (offset < 0) {
+                        fail("unexpected failure to encrypt boundary bytes n=" + n_len + " offset=" + offset + " msg=" + e.getMessage());
+                    }
+                }
+            }
+        }
+
         AEADTestUtil.testReset(this, new CCMBlockCipher(AESEngine.newInstance()), new CCMBlockCipher(AESEngine.newInstance()), new AEADParameters(new KeyParameter(K1), 32, N2));
         AEADTestUtil.testTampering(this, ccm, new AEADParameters(new KeyParameter(K1), 32, N2));
         AEADTestUtil.testOutputSizes(this, new CCMBlockCipher(AESEngine.newInstance()), new AEADParameters(

Original file line number	Diff line number	Diff line change
`@@ -261,9 +261,19 @@ public int processPacket(byte[] in, int inOff, int inLen, byte[] output, int out`
`261`	`261`	`if (q < 4)`
`262`	`262`	`{`
`263`	`263`	`int limitLen = 1 << (8 * q);`
`264`		`- if (inLen >= limitLen)`
	`264`	`+`
	`265`	`+ // no input length adjustment for encryption`
	`266`	`+ int inputAdjustment = 0;`
	`267`	`+`
	`268`	`+ if (!forEncryption)`
	`269`	`+ {`
	`270`	`+ // input includes 16 additional bytes: CCM flags and n+q values.`
	`271`	`+ inputAdjustment = 1 /* flags / + 15 / n + q */;`
	`272`	`+ }`
	`273`	`+`
	`274`	`+ if ((inLen-inputAdjustment) >= limitLen)`
`265`	`275`	`{`
`266`		`- throw new IllegalStateException("CCM packet too large for choice of q.");`
	`276`	`+ throw new IllegalStateException("CCM packet too large for choice of q");`
`267`	`277`	`}`
`268`	`278`	`}`
`269`	`279`