Produced by Araxis Merge on 9/25/2018 2:13:25 PM Central Daylight Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.
# | Location | File | Last Modified |
---|---|---|---|
1 | build 3.zip\build 3\MHLTH_YS_137_Source\JavaScript\resources\javaJDF-1.8.0\src\sun\security\ssl | CipherBox.java | Mon Jan 22 14:46:54 2018 UTC |
2 | build 3.zip\build 3\MHLTH_YS_137_Source\JavaScript\resources\javaJDF-1.8.0\src\sun\security\ssl | CipherBox.java | Wed Sep 12 17:54:25 2018 UTC |
Description | Between Files 1 and 2 |
|
---|---|---|
Text Blocks | Lines | |
Unchanged | 2 | 2156 |
Changed | 1 | 2 |
Inserted | 0 | 0 |
Removed | 0 | 0 |
Whitespace | |
---|---|
Character case | Differences in character case are significant |
Line endings | Differences in line endings (CR and LF characters) are ignored |
CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
1 | /* | |
2 | * Copyrig ht (c) 199 6, 2013, O racle and/ or its aff iliates. A ll rights reserved. | |
3 | * DO NOT ALTER OR R EMOVE COPY RIGHT NOTI CES OR THI S FILE HEA DER. | |
4 | * | |
5 | * This co de is free software; you can r edistribut e it and/o r modify i t | |
6 | * under t he terms o f the GNU General Pu blic Licen se version 2 only, a s | |
7 | * publish ed by the Free Softw are Founda tion. Ora cle design ates this | |
8 | * particu lar file a s subject to the "Cl asspath" e xception a s provided | |
9 | * by Orac le in the LICENSE fi le that ac companied this code. | |
10 | * | |
11 | * This co de is dist ributed in the hope that it wi ll be usef ul, but WI THOUT | |
12 | * ANY WAR RANTY; wit hout even the implie d warranty of MERCHA NTABILITY or | |
13 | * FITNESS FOR A PAR TICULAR PU RPOSE. Se e the GNU General Pu blic Licen se | |
14 | * version 2 for mor e details (a copy is included in the LIC ENSE file that | |
15 | * accompa nied this code). | |
16 | * | |
17 | * You sho uld have r eceived a copy of th e GNU Gene ral Public License v ersion | |
18 | * 2 along with this work; if not, write to the Fr ee Softwar e Foundati on, | |
19 | * Inc., 5 1 Franklin St, Fifth Floor, Bo ston, MA 0 2110-1301 USA. | |
20 | * | |
21 | * Please contact Or acle, 500 Oracle Par kway, Redw ood Shores , CA 94065 USA | |
22 | * or visi t www.orac le.com if you need a dditional informatio n or have any | |
23 | * questio ns. | |
24 | */ | |
25 | ||
26 | ||
27 | package su n.security .ssl; | |
28 | ||
29 | import jav a.io.ByteA rrayInputS tream; | |
30 | import jav a.io.IOExc eption; | |
31 | import jav a.util.Has htable; | |
32 | import jav a.util.Arr ays; | |
33 | ||
34 | import jav a.security .*; | |
35 | import jav ax.crypto. *; | |
36 | import jav ax.crypto. spec.IvPar ameterSpec ; | |
37 | import jav ax.crypto. spec.GCMPa rameterSpe c; | |
38 | ||
39 | import jav a.nio.*; | |
40 | ||
41 | import sun .security. ssl.Cipher Suite.*; | |
42 | import sta tic sun.se curity.ssl .CipherSui te.*; | |
43 | import sta tic sun.se curity.ssl .CipherSui te.CipherT ype.*; | |
44 | ||
45 | import sun .misc.HexD umpEncoder ; | |
46 | ||
47 | ||
48 | /** | |
49 | * This cl ass handle s bulk dat a encipher ing/deciph ering for each SSLv3 | |
50 | * message . This pr ovides dat a confiden tiality. Stream cip hers (such | |
51 | * as RC4) don't nee d to do pa dding; blo ck ciphers (e.g. DES ) need it. | |
52 | * | |
53 | * Individ ual instan ces are ob tained by calling th e static m ethod | |
54 | * newCiph erBox(), w hich shoul d only be invoked by BulkCiphe r.newCiphe r(). | |
55 | * | |
56 | * In RFC 2246, with bock ciph ers in CBC mode, the Initializ ation | |
57 | * Vector (IV) for t he first r ecord is g enerated w ith the ot her keys | |
58 | * and PW s when the security parameters are set. The IV for | |
59 | * subsequ ent record s is the l ast cipher text block from the previous | |
60 | * record. | |
61 | * | |
62 | * In RFC 4346, the implicit I nitializat ion Vector (IV) is r eplaced | |
63 | * with an explicit IV to prot ect agains t CBC atta cks. RFC 4346 | |
64 | * recomme nds two al gorithms u sed to gen erated the per-recor d IV. | |
65 | * The imp lementatio n uses the algorithm (2)(b), a s describe d at | |
66 | * section 6.2.3.2 o f RFC 4346 . | |
67 | * | |
68 | * The usa ge of IV i n CBC bloc k cipher c an be illu strated in | |
69 | * the fol lowing dia grams. | |
70 | * | |
71 | * (rand om) | |
72 | * R P1 IV C1 | |
73 | * | | | | | |
74 | * SIV--- + |---- -+ |-.. . |----- |------ | |
75 | * | | | | | | | | | |
76 | * +-- --+ | +- ---+ | +----+ | +----+ | | |
77 | * | E k | | + Ek + | | Dk | | | Dk | | | |
78 | * +-- --+ | +- ---+ | +----+ | +----+ | | |
79 | * | | | | | | | | | |
80 | * |----| |----| SI V--+ |- ---| | -... | |
81 | * | | | | | |
82 | * I V C1 R P1 | |
83 | * ( discard) | |
84 | * | |
85 | * C BC Encrypt ion CBC Dec ryption | |
86 | * | |
87 | * NOTE th at any cip hering inv olved in k ey exchang e (e.g. wi th RSA) is | |
88 | * handled separatel y. | |
89 | * | |
90 | * @author David Bro wnell | |
91 | * @author Andreas S terbenz | |
92 | */ | |
93 | final clas s CipherBo x { | |
94 | ||
95 | // A C ipherBox t hat implem ents the i dentity op eration | |
96 | final static Cip herBox NUL L = new Ci pherBox(); | |
97 | ||
98 | /* Cla ss and sub class dyna mic debugg ing suppor t */ | |
99 | privat e static f inal Debug debug = D ebug.getIn stance("ss l"); | |
100 | ||
101 | // the protocol version th is cipher conforms t o | |
102 | privat e final Pr otocolVers ion protoc olVersion; | |
103 | ||
104 | // cip her object | |
105 | privat e final Ci pher ciphe r; | |
106 | ||
107 | /** | |
108 | * sec ure random | |
109 | */ | |
110 | privat e SecureRa ndom rando m; | |
111 | ||
112 | /** | |
113 | * fix ed IV, the implicit nonce of A EAD cipher suite, on ly apply t o | |
114 | * AEA D cipher s uites | |
115 | */ | |
116 | privat e final by te[] fixed Iv; | |
117 | ||
118 | /** | |
119 | * the key, rese rved only for AEAD c ipher init ialization | |
120 | */ | |
121 | privat e final Ke y key; | |
122 | ||
123 | /** | |
124 | * the operation mode, res erved for AEAD ciphe r initiali zation | |
125 | */ | |
126 | privat e final in t mode; | |
127 | ||
128 | /** | |
129 | * the authentic ation tag size, only apply to AEAD ciphe r suites | |
130 | */ | |
131 | privat e final in t tagSize; | |
132 | ||
133 | /** | |
134 | * the record IV length, o nly apply to AEAD ci pher suite s | |
135 | */ | |
136 | privat e final in t recordIv Size; | |
137 | ||
138 | /** | |
139 | * cip her type | |
140 | */ | |
141 | privat e final Ci pherType c ipherType; | |
142 | ||
143 | /** | |
144 | * Fix ed masks o f various block size , as the i nitial dec ryption IV s | |
145 | * for TLS 1.1 o r later. | |
146 | * | |
147 | * For performan ce, we do not use ra ndom IVs. As the ini tial decry ption | |
148 | * IVs will be d iscarded b y TLS decr yption pro cesses, so the fixed masks | |
149 | * do not hurt c ryptograph ic strengt h. | |
150 | */ | |
151 | privat e static H ashtable<I nteger, Iv ParameterS pec> masks ; | |
152 | ||
153 | /** | |
154 | * NUL L cipherbo x. Identit y operatio n, no encr yption. | |
155 | */ | |
156 | privat e CipherBo x() { | |
157 | th is.protoco lVersion = ProtocolV ersion.DEF AULT; | |
158 | th is.cipher = null; | |
159 | th is.cipherT ype = STRE AM_CIPHER; | |
160 | th is.fixedIv = new byt e[0]; | |
161 | th is.key = n ull; | |
162 | th is.mode = Cipher.ENC RYPT_MODE; // cho ose at ran dom | |
163 | th is.random = null; | |
164 | th is.tagSize = 0; | |
165 | th is.recordI vSize = 0; | |
166 | } | |
167 | ||
168 | /** | |
169 | * Con struct a n ew CipherB ox using t he cipher transforma tion. | |
170 | * | |
171 | * @ex ception No SuchAlgori thmExcepti on if no a ppropriate JCE Ciphe r | |
172 | * imp lementatio n could be found. | |
173 | */ | |
174 | privat e CipherBo x(Protocol Version pr otocolVers ion, BulkC ipher bulk Cipher, | |
175 | SecretKe y key, IvP arameterSp ec iv, Sec ureRandom random, | |
176 | boolean encrypt) t hrows NoSu chAlgorith mException { | |
177 | tr y { | |
178 | this.pro tocolVersi on = proto colVersion ; | |
179 | this.cip her = Jsse Jce.getCip her(bulkCi pher.trans formation) ; | |
180 | this.mod e = encryp t ? Cipher .ENCRYPT_M ODE : Ciph er.DECRYPT _MODE; | |
181 | ||
182 | if (rand om == null ) { | |
183 | rand om = JsseJ ce.getSecu reRandom() ; | |
184 | } | |
185 | this.ran dom = rand om; | |
186 | this.cip herType = bulkCipher .cipherTyp e; | |
187 | ||
188 | /* | |
189 | * RFC 4 346 recomm ends two a lgorithms used to ge nerated th e | |
190 | * per-r ecord IV. The implem entation u ses the al gorithm (2 )(b), | |
191 | * as de scribed at section 6 .2.3.2 of RFC 4346. | |
192 | * | |
193 | * As we don't car e about th e initial IV value f or TLS 1.1 or | |
194 | * later , so if th e "iv" par ameter is null, we u se the def ault | |
195 | * value generated by Cipher .init() fo r encrypti on, and a fixed | |
196 | * mask for decryp tion. | |
197 | */ | |
198 | if (iv = = null && bulkCipher .ivSize != 0 && | |
199 | mode == Ci pher.DECRY PT_MODE && | |
200 | protocolVe rsion.v >= ProtocolV ersion.TLS 11.v) { | |
201 | iv = getFixedM ask(bulkCi pher.ivSiz e); | |
202 | } | |
203 | ||
204 | if (ciph erType == AEAD_CIPHE R) { | |
205 | // A EAD must c ompletely initialize the ciphe r for each packet, | |
206 | // a nd so we s ave initia lization p arameters for packet | |
207 | // p rocessing time. | |
208 | ||
209 | // S et the tag size for AEAD ciphe r | |
210 | tagS ize = bulk Cipher.tag Size; | |
211 | ||
212 | // R eserve the key for A EAD cipher initializ ation | |
213 | this .key = key ; | |
214 | ||
215 | fixe dIv = iv.g etIV(); | |
216 | if ( fixedIv == null || | |
217 | fixedI v.length ! = bulkCiph er.fixedIv Size) { | |
218 | throw new RuntimeExc eption("Im proper fix ed IV for AEAD"); | |
219 | } | |
220 | ||
221 | // S et the rec ord IV len gth for AE AD cipher | |
222 | reco rdIvSize = bulkCiphe r.ivSize - bulkCiphe r.fixedIvS ize; | |
223 | ||
224 | // D ON'T initi alize the cipher for AEAD! | |
225 | } else { | |
226 | // C BC only re quires one initializ ation duri ng its lif etime | |
227 | // ( future pac kets/IVs s et the pro per CBC st ate), so w e can | |
228 | // i nitialize now. | |
229 | ||
230 | // Z eroize the variables that only apply to AEAD ciphe r | |
231 | this .tagSize = 0; | |
232 | this .fixedIv = new byte[ 0]; | |
233 | this .recordIvS ize = 0; | |
234 | this .key = nul l; | |
235 | ||
236 | // I nitialize the cipher | |
237 | ciph er.init(mo de, key, i v, random) ; | |
238 | } | |
239 | } catch (NoS uchAlgorit hmExceptio n e) { | |
240 | throw e; | |
241 | } catch (Exc eption e) { | |
242 | throw ne w NoSuchAl gorithmExc eption | |
243 | ("Could no t create c ipher " + bulkCipher , e); | |
244 | } catch (Exc eptionInIn itializerE rror e) { | |
245 | throw ne w NoSuchAl gorithmExc eption | |
246 | ("Could no t create c ipher " + bulkCipher , e); | |
247 | } | |
248 | } | |
249 | ||
250 | /* | |
251 | * Fac tory metho d to obtai n a new Ci pherBox ob ject. | |
252 | */ | |
253 | static CipherBox newCipher Box(Protoc olVersion version, B ulkCipher cipher, | |
254 | SecretKe y key, IvP arameterSp ec iv, Sec ureRandom random, | |
255 | boolean encrypt) t hrows NoSu chAlgorith mException { | |
256 | if (cipher.a llowed == false) { | |
257 | throw ne w NoSuchAl gorithmExc eption("Un supported cipher " + cipher); | |
258 | } | |
259 | ||
260 | if (cipher = = B_NULL) { | |
261 | return N ULL; | |
262 | } else { | |
263 | return n ew CipherB ox(version , cipher, key, iv, r andom, enc rypt); | |
264 | } | |
265 | } | |
266 | ||
267 | /* | |
268 | * Get a fixed m ask, as th e initial decryption IVs for T LS 1.1 or later. | |
269 | */ | |
270 | privat e static I vParameter Spec getFi xedMask(in t ivSize) { | |
271 | if (masks == null) { | |
272 | masks = new Hashta ble<Intege r, IvParam eterSpec>( 5); | |
273 | } | |
274 | ||
275 | Iv ParameterS pec iv = m asks.get(i vSize); | |
276 | if (iv == nu ll) { | |
277 | iv = new IvParamet erSpec(new byte[ivSi ze]); | |
278 | masks.pu t(ivSize, iv); | |
279 | } | |
280 | ||
281 | re turn iv; | |
282 | } | |
283 | ||
284 | /* | |
285 | * Enc rypts a bl ock of dat a, returni ng the siz e of the | |
286 | * res ulting blo ck. | |
287 | */ | |
288 | int en crypt(byte [] buf, in t offset, int len) { | |
289 | if (cipher = = null) { | |
290 | return l en; | |
291 | } | |
292 | ||
293 | tr y { | |
294 | int bloc kSize = ci pher.getBl ockSize(); | |
295 | if (ciph erType == BLOCK_CIPH ER) { | |
296 | len = addPaddi ng(buf, of fset, len, blockSize ); | |
297 | } | |
298 | ||
299 | if (debu g != null && Debug.i sOn("plain text")) { | |
300 | try { | |
301 | HexDumpEnc oder hd = new HexDum pEncoder() ; | |
302 | ||
303 | System.out .println( | |
304 | "Padde d plaintex t before E NCRYPTION: len = " | |
305 | + len) ; | |
306 | hd.encodeB uffer( | |
307 | new By teArrayInp utStream(b uf, offset , len), | |
308 | System .out); | |
309 | } ca tch (IOExc eption e) { } | |
310 | } | |
311 | ||
312 | ||
313 | if (ciph erType == AEAD_CIPHE R) { | |
314 | try { | |
315 | return cip her.doFina l(buf, off set, len, buf, offse t); | |
316 | } ca tch (Illeg alBlockSiz eException | BadPadd ingExcepti on ibe) { | |
317 | // unlikel y to happe n | |
318 | throw new RuntimeExc eption( | |
319 | "Ciphe r error in AEAD mode in JCE pr ovider " + | |
320 | cipher .getProvid er().getNa me(), ibe) ; | |
321 | } | |
322 | } else { | |
323 | int newLen = c ipher.upda te(buf, of fset, len, buf, offs et); | |
324 | if ( newLen != len) { | |
325 | // catch B ouncyCastl e bufferin g error | |
326 | throw new RuntimeExc eption("Ci pher buffe ring error " + | |
327 | "in JC E provider " + ciphe r.getProvi der().getN ame()); | |
328 | } | |
329 | retu rn newLen; | |
330 | } | |
331 | } catch (Sho rtBufferEx ception e) { | |
332 | // unlik ely to hap pen, we sh ould have enough buf fer space here | |
333 | throw ne w ArrayInd exOutOfBou ndsExcepti on(e.toStr ing()); | |
334 | } | |
335 | } | |
336 | ||
337 | /* | |
338 | * Enc rypts a By teBuffer b lock of da ta, return ing the si ze of the | |
339 | * res ulting blo ck. | |
340 | * | |
341 | * The byte buff ers positi on and lim it initial ly define the amount | |
342 | * to encrypt. On return, the posit ion and li mit are | |
343 | * set to last p osition pa dded/encry pted. The limit may have chan ged | |
344 | * bec ause of th e added pa dding byte s. | |
345 | */ | |
346 | int en crypt(Byte Buffer bb, int outLi mit) { | |
347 | ||
348 | in t len = bb .remaining (); | |
349 | ||
350 | if (cipher = = null) { | |
351 | bb.posit ion(bb.lim it()); | |
352 | return l en; | |
353 | } | |
354 | ||
355 | in t pos = bb .position( ); | |
356 | ||
357 | in t blockSiz e = cipher .getBlockS ize(); | |
358 | if (cipherTy pe == BLOC K_CIPHER) { | |
359 | // addPa dding adju sts pos/li mit | |
360 | len = ad dPadding(b b, blockSi ze); | |
361 | bb.posit ion(pos); | |
362 | } | |
363 | ||
364 | if (debug != null && D ebug.isOn( "plaintext ")) { | |
365 | try { | |
366 | HexD umpEncoder hd = new HexDumpEnc oder(); | |
367 | ||
368 | Syst em.out.pri ntln( | |
369 | "Padded pl aintext be fore ENCRY PTION: le n = " | |
370 | + len); | |
371 | hd.e ncodeBuffe r(bb.dupli cate(), Sy stem.out); | |
372 | ||
373 | } catch (IOExcepti on e) { } | |
374 | } | |
375 | ||
376 | /* | |
377 | * Encrypt " in-place". This doe s not add its own pa dding. | |
378 | * / | |
379 | By teBuffer d up = bb.du plicate(); | |
380 | if (cipherTy pe == AEAD _CIPHER) { | |
381 | try { | |
382 | int outputSize = cipher. getOutputS ize(dup.re maining()) ; | |
383 | if ( outputSize > bb.rema ining()) { | |
384 | // need to expand th e limit of the outpu t buffer f or | |
385 | // the aut henticatio n tag. | |
386 | // | |
387 | // DON'T w orry about the buffe r's capaci ty, we hav e | |
388 | // reserve d space fo r the auth entication tag. | |
389 | if (outLim it < pos + outputSiz e) { | |
390 | // unl ikely to h appen | |
391 | throw new ShortB ufferExcep tion( | |
392 | "nee d more spa ce in outp ut buffer" ); | |
393 | } | |
394 | bb.limit(p os + outpu tSize); | |
395 | } | |
396 | int newLen = c ipher.doFi nal(dup, b b); | |
397 | if ( newLen != outputSize ) { | |
398 | throw new RuntimeExc eption( | |
399 | "C ipher buff ering erro r in JCE p rovider " + | |
400 | ci pher.getPr ovider().g etName()); | |
401 | } | |
402 | retu rn newLen; | |
403 | } catch (IllegalBl ockSizeExc eption | | |
404 | Bad PaddingExc eption | S hortBuffer Exception ibse) { | |
405 | // u nlikely to happen | |
406 | thro w new Runt imeExcepti on( | |
407 | "Ciphe r error in AEAD mode in JCE pr ovider " + | |
408 | cipher .getProvid er().getNa me(), ibse ); | |
409 | } | |
410 | } else { | |
411 | int newL en; | |
412 | try { | |
413 | newL en = ciphe r.update(d up, bb); | |
414 | } catch (ShortBuff erExceptio n sbe) { | |
415 | // u nlikely to happen | |
416 | thro w new Runt imeExcepti on("Cipher buffering error " + | |
417 | "in JCE pr ovider " + cipher.ge tProvider( ).getName( )); | |
418 | } | |
419 | ||
420 | if (bb.p osition() != dup.pos ition()) { | |
421 | thro w new Runt imeExcepti on("bytebu ffer paddi ng error") ; | |
422 | } | |
423 | ||
424 | if (newL en != len) { | |
425 | // c atch Bounc yCastle bu ffering er ror | |
426 | thro w new Runt imeExcepti on("Cipher buffering error " + | |
427 | "in JCE pr ovider " + cipher.ge tProvider( ).getName( )); | |
428 | } | |
429 | return n ewLen; | |
430 | } | |
431 | } | |
432 | ||
433 | ||
434 | /* | |
435 | * Dec rypts a bl ock of dat a, returni ng the siz e of the | |
436 | * res ulting blo ck if padd ing was re quired. | |
437 | * | |
438 | * For SSLv3 and TLSv1.0, with block ciphers i n CBC mode the | |
439 | * Ini tializatio n Vector ( IV) for th e first re cord is ge nerated by | |
440 | * the handshake protocol, the IV fo r subseque nt records is the | |
441 | * las t cipherte xt block f rom the pr evious rec ord. | |
442 | * | |
443 | * Fro m TLSv1.1, the impli cit IV is replaced w ith an exp licit IV t o | |
444 | * pro tect again st CBC att acks. | |
445 | * | |
446 | * Dif ferentiati ng between bad_recor d_mac and decryption _failed al erts | |
447 | * may permit ce rtain atta cks agains t CBC mode . It is pr eferable t o | |
448 | * uni formly use the bad_r ecord_mac alert to h ide the sp ecific typ e of | |
449 | * the error. | |
450 | */ | |
451 | int de crypt(byte [] buf, in t offset, int len, | |
452 | int tagL en) throws BadPaddin gException { | |
453 | if (cipher = = null) { | |
454 | return l en; | |
455 | } | |
456 | ||
457 | tr y { | |
458 | int newL en; | |
459 | if (ciph erType == AEAD_CIPHE R) { | |
460 | try { | |
461 | newLen = c ipher.doFi nal(buf, o ffset, len , buf, off set); | |
462 | } ca tch (Illeg alBlockSiz eException ibse) { | |
463 | // unlikel y to happe n | |
464 | throw new RuntimeExc eption( | |
465 | "Ciphe r error in AEAD mode in JCE pr ovider " + | |
466 | cipher .getProvid er().getNa me(), ibse ); | |
467 | } | |
468 | } else { | |
469 | newL en = ciphe r.update(b uf, offset , len, buf , offset); | |
470 | if ( newLen != len) { | |
471 | // catch B ouncyCastl e bufferin g error | |
472 | throw new RuntimeExc eption("Ci pher buffe ring error " + | |
473 | "in JC E provider " + ciphe r.getProvi der().getN ame()); | |
474 | } | |
475 | } | |
476 | if (debu g != null && Debug.i sOn("plain text")) { | |
477 | try { | |
478 | HexDumpEnc oder hd = new HexDum pEncoder() ; | |
479 | ||
480 | System.out .println( | |
481 | "Padde d plaintex t after DE CRYPTION: len = " | |
482 | + newL en); | |
483 | hd.encodeB uffer( | |
484 | new By teArrayInp utStream(b uf, offset , newLen), | |
485 | System .out); | |
486 | } ca tch (IOExc eption e) { } | |
487 | } | |
488 | ||
489 | if (ciph erType == BLOCK_CIPH ER) { | |
490 | int blockSize = cipher.g etBlockSiz e(); | |
491 | newL en = remov ePadding( | |
492 | buf, offse t, newLen, tagLen, b lockSize, protocolVe rsion); | |
493 | ||
494 | if ( protocolVe rsion.v >= ProtocolV ersion.TLS 11.v) { | |
495 | if (newLen < blockSi ze) { | |
496 | throw new BadPad dingExcept ion("inval id explici t IV"); | |
497 | } | |
498 | } | |
499 | } | |
500 | return n ewLen; | |
501 | } catch (Sho rtBufferEx ception e) { | |
502 | // unlik ely to hap pen, we sh ould have enough buf fer space here | |
503 | throw ne w ArrayInd exOutOfBou ndsExcepti on(e.toStr ing()); | |
504 | } | |
505 | } | |
506 | ||
507 | ||
508 | /* | |
509 | * Dec rypts a bl ock of dat a, returni ng the siz e of the | |
510 | * res ulting blo ck if padd ing was re quired. p osition an d limit | |
511 | * poi nt to the end of the decrypted /depadded data. The initial | |
512 | * lim it and new limit may be differ ent, given we may | |
513 | * hav e stripped off some padding by tes. | |
514 | * | |
515 | * @s ee decrypt (byte[], i nt, int) | |
516 | */ | |
517 | int de crypt(Byte Buffer bb, int tagLe n) throws BadPadding Exception { | |
518 | ||
519 | in t len = bb .remaining (); | |
520 | ||
521 | if (cipher = = null) { | |
522 | bb.posit ion(bb.lim it()); | |
523 | return l en; | |
524 | } | |
525 | ||
526 | tr y { | |
527 | /* | |
528 | * Decry pt "in-pla ce". | |
529 | */ | |
530 | int pos = bb.posit ion(); | |
531 | ByteBuff er dup = b b.duplicat e(); | |
532 | int newL en; | |
533 | if (ciph erType == AEAD_CIPHE R) { | |
534 | try { | |
535 | newLen = c ipher.doFi nal(dup, b b); | |
536 | } ca tch (Illeg alBlockSiz eException ibse) { | |
537 | // unlikel y to happe n | |
538 | throw new RuntimeExc eption( | |
539 | "Ciphe r error in AEAD mode \"" + ibs e.getMessa ge() + | |
540 | " \"in JCE provi der " + ci pher.getPr ovider().g etName()); | |
541 | } | |
542 | } else { | |
543 | newL en = ciphe r.update(d up, bb); | |
544 | if ( newLen != len) { | |
545 | // catch B ouncyCastl e bufferin g error | |
546 | throw new RuntimeExc eption("Ci pher buffe ring error " + | |
547 | "in JC E provider " + ciphe r.getProvi der().getN ame()); | |
548 | } | |
549 | } | |
550 | ||
551 | // reset the limit to the en d of the d ecryted da ta | |
552 | bb.limit (pos + new Len); | |
553 | ||
554 | if (debu g != null && Debug.i sOn("plain text")) { | |
555 | try { | |
556 | HexDumpEnc oder hd = new HexDum pEncoder() ; | |
557 | ||
558 | System.out .println( | |
559 | "Padde d plaintex t after DE CRYPTION: len = " | |
560 | + newL en); | |
561 | ||
562 | hd.encodeB uffer( | |
563 | (ByteB uffer)bb.d uplicate() .position( pos), Syst em.out); | |
564 | } ca tch (IOExc eption e) { } | |
565 | } | |
566 | ||
567 | /* | |
568 | * Remov e the bloc k padding. | |
569 | */ | |
570 | if (ciph erType == BLOCK_CIPH ER) { | |
571 | int blockSize = cipher.g etBlockSiz e(); | |
572 | bb.p osition(po s); | |
573 | newL en = remov ePadding(b b, tagLen, blockSize , protocol Version); | |
574 | ||
575 | // c heck the e xplicit IV of TLS v1 .1 or late r | |
576 | if ( protocolVe rsion.v >= ProtocolV ersion.TLS 11.v) { | |
577 | if (newLen < blockSi ze) { | |
578 | throw new BadPad dingExcept ion("inval id explici t IV"); | |
579 | } | |
580 | ||
581 | // reset t he positio n to the e nd of the decrypted data | |
582 | bb.positio n(bb.limit ()); | |
583 | } | |
584 | } | |
585 | return n ewLen; | |
586 | } catch (Sho rtBufferEx ception e) { | |
587 | // unlik ely to hap pen, we sh ould have enough buf fer space here | |
588 | throw ne w ArrayInd exOutOfBou ndsExcepti on(e.toStr ing()); | |
589 | } | |
590 | } | |
591 | ||
592 | privat e static i nt addPadd ing(byte[] buf, int offset, in t len, | |
593 | int bloc kSize) { | |
594 | in t newl en = len + 1; | |
595 | by te pad; | |
596 | in t i; | |
597 | ||
598 | if ((newlen % blockSiz e) != 0) { | |
599 | newlen + = blockSiz e - 1; | |
600 | newlen - = newlen % blockSize ; | |
601 | } | |
602 | pa d = (byte) (newlen - len); | |
603 | ||
604 | if (buf.leng th < (newl en + offse t)) { | |
605 | throw ne w IllegalA rgumentExc eption("no space to pad buffer "); | |
606 | } | |
607 | ||
608 | /* | |
609 | * TLS versi on of the padding wo rks for bo th SSLv3 a nd TLSv1 | |
610 | * / | |
611 | fo r (i = 0, offset += len; i < p ad; i++) { | |
612 | buf [off set++] = ( byte) (pad - 1); | |
613 | } | |
614 | re turn newle n; | |
615 | } | |
616 | ||
617 | /* | |
618 | * App ly the pad ding to th e buffer. | |
619 | * | |
620 | * Lim it is adva nced to th e new buff er length. | |
621 | * Pos ition is e qual to li mit. | |
622 | */ | |
623 | privat e static i nt addPadd ing(ByteBu ffer bb, i nt blockSi ze) { | |
624 | ||
625 | in t len = bb.remai ning(); | |
626 | in t offs et = bb.po sition(); | |
627 | ||
628 | in t newl en = len + 1; | |
629 | by te pad; | |
630 | in t i; | |
631 | ||
632 | if ((newlen % blockSiz e) != 0) { | |
633 | newlen + = blockSiz e - 1; | |
634 | newlen - = newlen % blockSize ; | |
635 | } | |
636 | pa d = (byte) (newlen - len); | |
637 | ||
638 | /* | |
639 | * Update th e limit to what will be padded . | |
640 | * / | |
641 | bb .limit(new len + offs et); | |
642 | ||
643 | /* | |
644 | * TLS versi on of the padding wo rks for bo th SSLv3 a nd TLSv1 | |
645 | * / | |
646 | fo r (i = 0, offset += len; i < p ad; i++) { | |
647 | bb.put(o ffset++, ( byte) (pad - 1)); | |
648 | } | |
649 | ||
650 | bb .position( offset); | |
651 | bb .limit(off set); | |
652 | ||
653 | re turn newle n; | |
654 | } | |
655 | ||
656 | /* | |
657 | * A c onstant-ti me check o f the padd ing. | |
658 | * | |
659 | * NOT E that we are checki ng both th e padding and the pa dLen bytes here. | |
660 | * | |
661 | * The caller MU ST ensure that the l en paramet er is a po sitive num ber. | |
662 | */ | |
663 | privat e static i nt[] check Padding( | |
664 | byte[] b uf, int of fset, int len, byte pad) { | |
665 | ||
666 | if (len <= 0 ) { | |
667 | throw ne w RuntimeE xception(" padding le n must be positive") ; | |
668 | } | |
669 | ||
670 | // An array of hits is used to p revent Hot spot optim ization fo r | |
671 | // the purpo se of a co nstant-tim e check. | |
672 | in t[] result s = {0, 0} ; // {m issed #, m atched #} | |
673 | fo r (int i = 0; i <= 2 56;) { | |
674 | for (int j = 0; j < len && i <= 256; j ++, i++) { // j <= i | |
675 | if ( buf[offset + j] != p ad) { | |
676 | results[0] ++; // mismatc hed paddin g data | |
677 | } el se { | |
678 | results[1] ++; // matched padding d ata | |
679 | } | |
680 | } | |
681 | } | |
682 | ||
683 | re turn resul ts; | |
684 | } | |
685 | ||
686 | /* | |
687 | * A c onstant-ti me check o f the padd ing. | |
688 | * | |
689 | * NOT E that we are checki ng both th e padding and the pa dLen bytes here. | |
690 | * | |
691 | * The caller MU ST ensure that the b b paramete r has rema ining. | |
692 | */ | |
693 | privat e static i nt[] check Padding(By teBuffer b b, byte pa d) { | |
694 | ||
695 | if (!bb.hasR emaining() ) { | |
696 | throw ne w RuntimeE xception(" hasRemaini ng() must be positiv e"); | |
697 | } | |
698 | ||
699 | // An array of hits is used to p revent Hot spot optim ization fo r | |
700 | // the purpo se of a co nstant-tim e check. | |
701 | in t[] result s = {0, 0} ; // {m issed #, m atched #} | |
702 | bb .mark(); | |
703 | fo r (int i = 0; i <= 2 56; bb.res et()) { | |
704 | for (; b b.hasRemai ning() && i <= 256; i++) { | |
705 | if ( bb.get() ! = pad) { | |
706 | results[0] ++; // mismatc hed paddin g data | |
707 | } el se { | |
708 | results[1] ++; // matched padding d ata | |
709 | } | |
710 | } | |
711 | } | |
712 | ||
713 | re turn resul ts; | |
714 | } | |
715 | ||
716 | /* | |
717 | * Typ ical TLS p adding for mat for a 64 bit blo ck cipher is as foll ows: | |
718 | * x x xx xx xx xx xx xx 00 | |
719 | * x x xx xx xx xx xx 01 01 | |
720 | * . .. | |
721 | * x x 06 06 06 06 06 06 06 | |
722 | * 0 7 07 07 07 07 07 07 07 | |
723 | * TLS also allo ws any amo unt of pad ding from 1 and 256 bytes as l ong | |
724 | * as it makes t he data a multiple o f the bloc k size | |
725 | */ | |
726 | privat e static i nt removeP adding(byt e[] buf, i nt offset, int len, | |
727 | int tagL en, int bl ockSize, | |
728 | Protocol Version pr otocolVers ion) throw s BadPaddi ngExceptio n { | |
729 | ||
730 | // last byte is length byte (i.e . actual p adding len gth - 1) | |
731 | in t padOffse t = offset + len - 1 ; | |
732 | in t padLen = buf[padOf fset] & 0x FF; | |
733 | ||
734 | in t newLen = len - (pa dLen + 1); | |
735 | if ((newLen - tagLen) < 0) { | |
736 | // If th e buffer i s not long enough to contain t he padding plus | |
737 | // a MAC tag, do a dummy con stant-time padding c heck. | |
738 | // | |
739 | // Note that it is a dummy c heck, so w e won't ca re about w hat is | |
740 | // the a ctual padd ing data. | |
741 | checkPad ding(buf, offset, le n, (byte)( padLen & 0 xFF)); | |
742 | ||
743 | throw ne w BadPaddi ngExceptio n("Invalid Padding l ength: " + padLen); | |
744 | } | |
745 | ||
746 | // The paddi ng data sh ould be fi lled with the paddin g length v alue. | |
747 | in t[] result s = checkP adding(buf , offset + newLen, | |
748 | padLen + 1, (byt e)(padLen & 0xFF)); | |
749 | if (protocol Version.v >= Protoco lVersion.T LS10.v) { | |
750 | if (resu lts[0] != 0) { // pad ding data has invali d bytes | |
751 | thro w new BadP addingExce ption("Inv alid TLS p adding dat a"); | |
752 | } | |
753 | } else { // SSLv3 | |
754 | // SSLv3 requires 0 <= lengt h byte < b lock size | |
755 | // some implementa tions do 1 <= length byte <= b lock size, | |
756 | // so ac cept that as well | |
757 | // v3 do es not req uire any p articular value for the other bytes | |
758 | if (padL en > block Size) { | |
759 | thro w new BadP addingExce ption("Inv alid SSLv3 padding") ; | |
760 | } | |
761 | } | |
762 | re turn newLe n; | |
763 | } | |
764 | ||
765 | /* | |
766 | * Pos ition/limi t is equal the remov ed padding . | |
767 | */ | |
768 | privat e static i nt removeP adding(Byt eBuffer bb , | |
769 | int tagL en, int bl ockSize, | |
770 | Protocol Version pr otocolVers ion) throw s BadPaddi ngExceptio n { | |
771 | ||
772 | in t len = bb .remaining (); | |
773 | in t offset = bb.positi on(); | |
774 | ||
775 | // last byte is length byte (i.e . actual p adding len gth - 1) | |
776 | in t padOffse t = offset + len - 1 ; | |
777 | in t padLen = bb.get(pa dOffset) & 0xFF; | |
778 | ||
779 | in t newLen = len - (pa dLen + 1); | |
780 | if ((newLen - tagLen) < 0) { | |
781 | // If th e buffer i s not long enough to contain t he padding plus | |
782 | // a MAC tag, do a dummy con stant-time padding c heck. | |
783 | // | |
784 | // Note that it is a dummy c heck, so w e won't ca re about w hat is | |
785 | // the a ctual padd ing data. | |
786 | checkPad ding(bb.du plicate(), (byte)(pa dLen & 0xF F)); | |
787 | ||
788 | throw ne w BadPaddi ngExceptio n("Invalid Padding l ength: " + padLen); | |
789 | } | |
790 | ||
791 | // The paddi ng data sh ould be fi lled with the paddin g length v alue. | |
792 | in t[] result s = checkP adding( | |
793 | (Byt eBuffer)bb .duplicate ().positio n(offset + newLen), | |
794 | (byt e)(padLen & 0xFF)); | |
795 | if (protocol Version.v >= Protoco lVersion.T LS10.v) { | |
796 | if (resu lts[0] != 0) { // pad ding data has invali d bytes | |
797 | thro w new BadP addingExce ption("Inv alid TLS p adding dat a"); | |
798 | } | |
799 | } else { // SSLv3 | |
800 | // SSLv3 requires 0 <= lengt h byte < b lock size | |
801 | // some implementa tions do 1 <= length byte <= b lock size, | |
802 | // so ac cept that as well | |
803 | // v3 do es not req uire any p articular value for the other bytes | |
804 | if (padL en > block Size) { | |
805 | thro w new BadP addingExce ption("Inv alid SSLv3 padding") ; | |
806 | } | |
807 | } | |
808 | ||
809 | /* | |
810 | * Reset buf fer limit to remove padding. | |
811 | * / | |
812 | bb .position( offset + n ewLen); | |
813 | bb .limit(off set + newL en); | |
814 | ||
815 | re turn newLe n; | |
816 | } | |
817 | ||
818 | /* | |
819 | * Dis pose of an y intermed iate state in the un derlying c ipher. | |
820 | * For PKCS11 ci phers, thi s will rel ease any a ttached se ssions, an d | |
821 | * thu s make fin alization faster. | |
822 | */ | |
823 | void d ispose() { | |
824 | tr y { | |
825 | if (ciph er != null ) { | |
826 | // i gnore retu rn value. | |
827 | ciph er.doFinal (); | |
828 | } | |
829 | } catch (Exc eption e) { | |
830 | // swall ow all typ es of exce ptions. | |
831 | } | |
832 | } | |
833 | ||
834 | /* | |
835 | * Doe s the ciph er use CBC mode? | |
836 | * | |
837 | * @re turn true if the cip her use CB C mode, fa lse otherw ise. | |
838 | */ | |
839 | boolea n isCBCMod e() { | |
840 | re turn ciphe rType == B LOCK_CIPHE R; | |
841 | } | |
842 | ||
843 | /* | |
844 | * Doe s the ciph er use AEA D mode? | |
845 | * | |
846 | * @re turn true if the cip her use AE AD mode, f alse other wise. | |
847 | */ | |
848 | boolea n isAEADMo de() { | |
849 | re turn ciphe rType == A EAD_CIPHER ; | |
850 | } | |
851 | ||
852 | /* | |
853 | * Is the cipher null? | |
854 | * | |
855 | * @re turn true if the cip her is nul l, false o therwise. | |
856 | */ | |
857 | boolea n isNullCi pher() { | |
858 | re turn ciphe r == null; | |
859 | } | |
860 | ||
861 | /* | |
862 | * Get s the expl icit nonce /IV size o f the ciph er. | |
863 | * | |
864 | * The returned value is t he Securit yParameter s.record_i v_length i n | |
865 | * RFC 4346/5246 . It is t he size of explicit IV for CBC mode, and the | |
866 | * siz e of expli cit nonce for AEAD m ode. | |
867 | * | |
868 | * @re turn the e xplicit no nce size o f the ciph er. | |
869 | */ | |
870 | int ge tExplicitN onceSize() { | |
871 | sw itch (ciph erType) { | |
872 | case BLO CK_CIPHER: | |
873 | // F or block c iphers, th e explicit IV length is of len gth | |
874 | // S ecurityPar ameters.re cord_iv_le ngth, whic h is equal to | |
875 | // t he Securit yParameter s.block_si ze. | |
876 | if ( protocolVe rsion.v >= ProtocolV ersion.TLS 11.v) { | |
877 | return cip her.getBlo ckSize(); | |
878 | } | |
879 | brea k; | |
880 | case AEA D_CIPHER: | |
881 | retu rn recordI vSize; | |
882 | // It is also th e length o f sequence number, w hich is | |
883 | // use d as the n once_expli cit for AE AD cipher suites. | |
884 | } | |
885 | ||
886 | re turn 0; | |
887 | } | |
888 | ||
889 | /* | |
890 | * App lies the e xplicit no nce/IV to this ciphe r. This me thod is us ed to | |
891 | * dec rypt an SS L/TLS inpu t record. | |
892 | * | |
893 | * The returned value is t he Securit yParameter s.record_i v_length i n | |
894 | * RFC 4346/5246 . It is t he size of explicit IV for CBC mode, and the | |
895 | * siz e of expli cit nonce for AEAD m ode. | |
896 | * | |
897 | * @pa ram authe nticator t he authent icator to get the ad ditional | |
898 | * authe ntication data | |
899 | * @pa ram conte ntType the content t ype of the input rec ord | |
900 | * @pa ram bb th e byte buf fer to get the expli cit nonce from | |
901 | * | |
902 | * @re turn the e xplicit no nce size o f the ciph er. | |
903 | */ | |
904 | int ap plyExplici tNonce(Aut henticator authentic ator, byte contentTy pe, | |
905 | ByteBuff er bb) thr ows BadPad dingExcept ion { | |
906 | sw itch (ciph erType) { | |
907 | case BLO CK_CIPHER: | |
908 | // s anity chec k length o f the ciph ertext | |
909 | int tagLen = ( authentica tor instan ceof MAC) ? | |
910 | ((MA C)authenti cator).MAC len() : 0; | |
911 | if ( tagLen != 0) { | |
912 | if (!sanit yCheck(tag Len, bb.re maining()) ) { | |
913 | throw new BadPad dingExcept ion( | |
914 | "ciphert ext sanity check fai led"); | |
915 | } | |
916 | } | |
917 | ||
918 | // F or block c iphers, th e explicit IV length is of len gth | |
919 | // S ecurityPar ameters.re cord_iv_le ngth, whic h is equal to | |
920 | // t he Securit yParameter s.block_si ze. | |
921 | if ( protocolVe rsion.v >= ProtocolV ersion.TLS 11.v) { | |
922 | return cip her.getBlo ckSize(); | |
923 | } | |
924 | brea k; | |
925 | case AEA D_CIPHER: | |
926 | if ( bb.remaini ng() < (re cordIvSize + tagSize )) { | |
927 | throw new BadPadding Exception( | |
928 | "invalid A EAD cipher fragment" ); | |
929 | } | |
930 | ||
931 | // i nitialize the AEAD c ipher for the unique IV | |
932 | byte [] iv = Ar rays.copyO f(fixedIv, | |
933 | fixe dIv.length + recordI vSize); | |
934 | bb.g et(iv, fix edIv.lengt h, recordI vSize); | |
935 | bb.p osition(bb .position( ) - record IvSize); | |
936 | GCMP arameterSp ec spec = new GCMPar ameterSpec (tagSize * 8, iv); | |
937 | try { | |
938 | cipher.ini t(mode, ke y, spec, r andom); | |
939 | } ca tch (Inval idKeyExcep tion | | |
940 | In validAlgor ithmParame terExcepti on ikae) { | |
941 | // unlikel y to happe n | |
942 | throw new RuntimeExc eption( | |
943 | "invalid key or sp ec in GCM mode", ika e); | |
944 | } | |
945 | ||
946 | // u pdate the additional authentic ation data | |
947 | byte [] aad = a uthenticat or.acquire Authentica tionBytes( | |
948 | conten tType, bb. remaining( ) - record IvSize - t agSize); | |
949 | ciph er.updateA AD(aad); | |
950 | ||
951 | retu rn recordI vSize; | |
952 | // It is also th e length o f sequence number, w hich is | |
953 | // use d as the n once_expli cit for AE AD cipher suites. | |
954 | } | |
955 | ||
956 | ret urn 0; | |
957 | } | |
958 | ||
959 | /* | |
960 | * App lies the e xplicit no nce/IV to this ciphe r. This me thod is us ed to | |
961 | * dec rypt an SS L/TLS inpu t record. | |
962 | * | |
963 | * The returned value is t he Securit yParameter s.record_i v_length i n | |
964 | * RFC 4346/5246 . It is t he size of explicit IV for CBC mode, and the | |
965 | * siz e of expli cit nonce for AEAD m ode. | |
966 | * | |
967 | * @pa ram authe nticator t he authent icator to get the ad ditional | |
968 | * authe ntication data | |
969 | * @pa ram conte ntType the content t ype of the input rec ord | |
970 | * @pa ram buf t he byte ar ray to get the expli cit nonce from | |
971 | * @pa ram offse t the offs et of the byte buffe r | |
972 | * @pa ram ciphe redLength the cipher ed fragmen t length o f the outp ut | |
973 | * recor d, it is t he TLSCiph ertext.len gth in RFC 4346/5246 . | |
974 | * | |
975 | * @re turn the e xplicit no nce size o f the ciph er. | |
976 | */ | |
977 | int ap plyExplici tNonce(Aut henticator authentic ator, | |
978 | byte con tentType, byte[] buf , int offs et, | |
979 | int ciph eredLength ) throws B adPaddingE xception { | |
980 | ||
981 | By teBuffer b b = ByteBu ffer.wrap( buf, offse t, ciphere dLength); | |
982 | ||
983 | re turn apply ExplicitNo nce(authen ticator, c ontentType , bb); | |
984 | } | |
985 | ||
986 | /* | |
987 | * Cre ates the e xplicit no nce/IV to this ciphe r. This me thod is us ed to | |
988 | * enc rypt an SS L/TLS outp ut record. | |
989 | * | |
990 | * The size of t he returne d array is the Secur ityParamet ers.record _iv_length | |
991 | * in RFC 4346/5 246. It i s the size of explic it IV for CBC mode, and the | |
992 | * siz e of expli cit nonce for AEAD m ode. | |
993 | * | |
994 | * @pa ram authe nticator t he authent icator to get the ad ditional | |
995 | * authe ntication data | |
996 | * @pa ram conte ntType the content t ype of the input rec ord | |
997 | * @pa ram fragm entLength the fragme nt length of the out put record , it is | |
998 | * the T LSCompress ed.length in RFC 434 6/5246. | |
999 | * | |
1000 | * @re turn the e xplicit no nce of the cipher. | |
1001 | */ | |
1002 | byte[] createExp licitNonce (Authentic ator authe nticator, | |
1003 | byte con tentType, int fragme ntLength) { | |
1004 | ||
1005 | by te[] nonce = new byt e[0]; | |
1006 | sw itch (ciph erType) { | |
1007 | case BLO CK_CIPHER: | |
1008 | if ( protocolVe rsion.v >= ProtocolV ersion.TLS 11.v) { | |
1009 | // For blo ck ciphers , the expl icit IV le ngth is of length | |
1010 | // Securit yParameter s.record_i v_length, which is e qual to | |
1011 | // the Sec urityParam eters.bloc k_size. | |
1012 | // | |
1013 | // Generat e a random number as the expli cit IV par ameter. | |
1014 | nonce = ne w byte[cip her.getBlo ckSize()]; | |
1015 | random.nex tBytes(non ce); | |
1016 | } | |
1017 | brea k; | |
1018 | case AEA D_CIPHER: | |
1019 | // T o be uniqu e and awar e of overf low-wrap, sequence n umber | |
1020 | // i s used as the nonce_ explicit o f AEAD cip her suites . | |
1021 | nonc e = authen ticator.se quenceNumb er(); | |
1022 | ||
1023 | // i nitialize the AEAD c ipher for the unique IV | |
1024 | byte [] iv = Ar rays.copyO f(fixedIv, | |
1025 | fixedI v.length + nonce.len gth); | |
1026 | Syst em.arrayco py(nonce, 0, iv, fix edIv.lengt h, nonce.l ength); | |
1027 | GCMP arameterSp ec spec = new GCMPar ameterSpec (tagSize * 8, iv); | |
1028 | try { | |
1029 | cipher.ini t(mode, ke y, spec, r andom); | |
1030 | } ca tch (Inval idKeyExcep tion | | |
1031 | In validAlgor ithmParame terExcepti on ikae) { | |
1032 | // unlikel y to happe n | |
1033 | throw new RuntimeExc eption( | |
1034 | "invalid key or sp ec in GCM mode", ika e); | |
1035 | } | |
1036 | ||
1037 | // u pdate the additional authentic ation data | |
1038 | byte [] aad = a uthenticat or.acquire Authentica tionBytes( | |
1039 | co ntentType, fragmentL ength); | |
1040 | ciph er.updateA AD(aad); | |
1041 | brea k; | |
1042 | } | |
1043 | ||
1044 | re turn nonce ; | |
1045 | } | |
1046 | ||
1047 | /** | |
1048 | * San ity check the length of a frag ment befor e decrypti on. | |
1049 | * | |
1050 | * In CBC mode, check that the fragm ent length is one or multiple times | |
1051 | * of the block size of th e cipher s uite, and is at leas t one (one is the | |
1052 | * sma llest size of paddin g in CBC m ode) bigge r than the tag size of the | |
1053 | * MAC algorithm except th e explicit IV size f or TLS 1.1 or later. | |
1054 | * | |
1055 | * In non-CBC mo de, check that the f ragment le ngth is no t less tha n the | |
1056 | * tag size of t he MAC alg orithm. | |
1057 | * | |
1058 | * @re turn true if the len gth of a f ragment ma tches abov e requirem ents | |
1059 | */ | |
1060 | privat e boolean sanityChec k(int tagL en, int fr agmentLen) { | |
1061 | if (!isCBCMo de()) { | |
1062 | return f ragmentLen >= tagLen ; | |
1063 | } | |
1064 | ||
1065 | in t blockSiz e = cipher .getBlockS ize(); | |
1066 | if ((fragmen tLen % blo ckSize) == 0) { | |
1067 | int mini mal = tagL en + 1; | |
1068 | minimal = (minimal >= blockS ize) ? min imal : blo ckSize; | |
1069 | if (prot ocolVersio n.v >= Pro tocolVersi on.TLS11.v ) { | |
1070 | mini mal += blo ckSize; // plus th e size of the explic it IV | |
1071 | } | |
1072 | ||
1073 | return ( fragmentLe n >= minim al); | |
1074 | } | |
1075 | ||
1076 | re turn false ; | |
1077 | } | |
1078 | ||
1079 | } |
Araxis Merge (but not the data content of this report) is Copyright © 1993-2016 Araxis Ltd (www.araxis.com). All rights reserved.