author | ascarpino |
Sat, 09 Jun 2018 13:38:27 -0700 | |
branch | JDK-8145252-TLS13-branch |
changeset 56715 | b152d06ed6a9 |
parent 56542 | 56aaa6cb3693 |
child 56784 | 6210466cf1ac |
permissions | -rw-r--r-- |
2 | 1 |
/* |
56542 | 2 |
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.ssl; |
|
27 |
||
56542 | 28 |
import java.nio.ByteBuffer; |
29 |
import java.security.AccessController; |
|
30 |
import java.security.GeneralSecurityException; |
|
31 |
import java.security.InvalidAlgorithmParameterException; |
|
32 |
import java.security.InvalidKeyException; |
|
33 |
import java.security.Key; |
|
34 |
import java.security.PrivilegedAction; |
|
35 |
import java.security.SecureRandom; |
|
36 |
import java.security.Security; |
|
37 |
import java.security.spec.AlgorithmParameterSpec; |
|
38 |
import java.util.AbstractMap.SimpleImmutableEntry; |
|
16913 | 39 |
import java.util.Arrays; |
56542 | 40 |
import java.util.HashMap; |
41 |
import java.util.Map; |
|
42 |
import javax.crypto.BadPaddingException; |
|
43 |
import javax.crypto.Cipher; |
|
44 |
import javax.crypto.IllegalBlockSizeException; |
|
45 |
import javax.crypto.SecretKey; |
|
46 |
import javax.crypto.ShortBufferException; |
|
16913 | 47 |
import javax.crypto.spec.GCMParameterSpec; |
56542 | 48 |
import javax.crypto.spec.IvParameterSpec; |
49 |
import sun.security.ssl.Authenticator.MAC; |
|
50 |
import static sun.security.ssl.CipherType.*; |
|
51 |
import static sun.security.ssl.JsseJce.*; |
|
2 | 52 |
|
56542 | 53 |
enum SSLCipher { |
54 |
// exportable ciphers |
|
55 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
|
56 |
B_NULL("NULL", NULL_CIPHER, 0, 0, 0, 0, true, true, |
|
57 |
(Map.Entry<ReadCipherGenerator, |
|
58 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
59 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
60 |
new NullReadCipherGenerator(), |
|
61 |
ProtocolVersion.PROTOCOLS_OF_NONE |
|
62 |
), |
|
63 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
64 |
new NullReadCipherGenerator(), |
|
65 |
ProtocolVersion.PROTOCOLS_TO_13 |
|
66 |
) |
|
67 |
}), |
|
68 |
(Map.Entry<WriteCipherGenerator, |
|
69 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
70 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
71 |
new NullWriteCipherGenerator(), |
|
72 |
ProtocolVersion.PROTOCOLS_OF_NONE |
|
73 |
), |
|
74 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
75 |
new NullWriteCipherGenerator(), |
|
76 |
ProtocolVersion.PROTOCOLS_TO_13 |
|
77 |
) |
|
78 |
})), |
|
79 |
||
80 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
|
81 |
B_RC4_40(CIPHER_RC4, STREAM_CIPHER, 5, 16, 0, 0, true, true, |
|
82 |
(Map.Entry<ReadCipherGenerator, |
|
83 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
84 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
85 |
new StreamReadCipherGenerator(), |
|
86 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
87 |
) |
|
88 |
}), |
|
89 |
(Map.Entry<WriteCipherGenerator, |
|
90 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
91 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
92 |
new StreamWriteCipherGenerator(), |
|
93 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
94 |
) |
|
95 |
})), |
|
2 | 96 |
|
56542 | 97 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
98 |
B_RC2_40("RC2", BLOCK_CIPHER, 5, 16, 8, 0, false, true, |
|
99 |
(Map.Entry<ReadCipherGenerator, |
|
100 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
101 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
102 |
new StreamReadCipherGenerator(), |
|
103 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
104 |
) |
|
105 |
}), |
|
106 |
(Map.Entry<WriteCipherGenerator, |
|
107 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
108 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
109 |
new StreamWriteCipherGenerator(), |
|
110 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
111 |
) |
|
112 |
})), |
|
2 | 113 |
|
56542 | 114 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
115 |
B_DES_40(CIPHER_DES, BLOCK_CIPHER, 5, 8, 8, 0, true, true, |
|
116 |
(Map.Entry<ReadCipherGenerator, |
|
117 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
118 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
119 |
new T10BlockReadCipherGenerator(), |
|
120 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
121 |
) |
|
122 |
}), |
|
123 |
(Map.Entry<WriteCipherGenerator, |
|
124 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
125 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
126 |
new T10BlockWriteCipherGenerator(), |
|
127 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
128 |
) |
|
129 |
})), |
|
2 | 130 |
|
56542 | 131 |
// domestic strength ciphers |
132 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
|
133 |
B_RC4_128(CIPHER_RC4, STREAM_CIPHER, 16, 16, 0, 0, true, false, |
|
134 |
(Map.Entry<ReadCipherGenerator, |
|
135 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
136 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
137 |
new StreamReadCipherGenerator(), |
|
138 |
ProtocolVersion.PROTOCOLS_TO_12 |
|
139 |
) |
|
140 |
}), |
|
141 |
(Map.Entry<WriteCipherGenerator, |
|
142 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
143 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
144 |
new StreamWriteCipherGenerator(), |
|
145 |
ProtocolVersion.PROTOCOLS_TO_12 |
|
146 |
) |
|
147 |
})), |
|
2 | 148 |
|
56542 | 149 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
150 |
B_DES(CIPHER_DES, BLOCK_CIPHER, 8, 8, 8, 0, true, false, |
|
151 |
(Map.Entry<ReadCipherGenerator, |
|
152 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
153 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
154 |
new T10BlockReadCipherGenerator(), |
|
155 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
156 |
), |
|
157 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
158 |
new T11BlockReadCipherGenerator(), |
|
159 |
ProtocolVersion.PROTOCOLS_OF_11 |
|
160 |
) |
|
161 |
}), |
|
162 |
(Map.Entry<WriteCipherGenerator, |
|
163 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
164 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
165 |
new T10BlockWriteCipherGenerator(), |
|
166 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
167 |
), |
|
168 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
169 |
new T11BlockWriteCipherGenerator(), |
|
170 |
ProtocolVersion.PROTOCOLS_OF_11 |
|
171 |
) |
|
172 |
})), |
|
173 |
||
174 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
|
175 |
B_3DES(CIPHER_3DES, BLOCK_CIPHER, 24, 24, 8, 0, true, false, |
|
176 |
(Map.Entry<ReadCipherGenerator, |
|
177 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
178 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
179 |
new T10BlockReadCipherGenerator(), |
|
180 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
181 |
), |
|
182 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
183 |
new T11BlockReadCipherGenerator(), |
|
184 |
ProtocolVersion.PROTOCOLS_11_12 |
|
185 |
) |
|
186 |
}), |
|
187 |
(Map.Entry<WriteCipherGenerator, |
|
188 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
189 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
190 |
new T10BlockWriteCipherGenerator(), |
|
191 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
192 |
), |
|
193 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
194 |
new T11BlockWriteCipherGenerator(), |
|
195 |
ProtocolVersion.PROTOCOLS_11_12 |
|
196 |
) |
|
197 |
})), |
|
198 |
||
199 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
|
200 |
B_IDEA("IDEA", BLOCK_CIPHER, 16, 16, 8, 0, false, false, |
|
201 |
(Map.Entry<ReadCipherGenerator, |
|
202 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
203 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
204 |
null, |
|
205 |
ProtocolVersion.PROTOCOLS_TO_12 |
|
206 |
) |
|
207 |
}), |
|
208 |
(Map.Entry<WriteCipherGenerator, |
|
209 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
210 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
211 |
null, |
|
212 |
ProtocolVersion.PROTOCOLS_TO_12 |
|
213 |
) |
|
214 |
})), |
|
2 | 215 |
|
56542 | 216 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
217 |
B_AES_128(CIPHER_AES, BLOCK_CIPHER, 16, 16, 16, 0, true, false, |
|
218 |
(Map.Entry<ReadCipherGenerator, |
|
219 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
220 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
221 |
new T10BlockReadCipherGenerator(), |
|
222 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
223 |
), |
|
224 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
225 |
new T11BlockReadCipherGenerator(), |
|
226 |
ProtocolVersion.PROTOCOLS_11_12 |
|
227 |
) |
|
228 |
}), |
|
229 |
(Map.Entry<WriteCipherGenerator, |
|
230 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
231 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
232 |
new T10BlockWriteCipherGenerator(), |
|
233 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
234 |
), |
|
235 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
236 |
new T11BlockWriteCipherGenerator(), |
|
237 |
ProtocolVersion.PROTOCOLS_11_12 |
|
238 |
) |
|
239 |
})), |
|
240 |
||
241 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
|
242 |
B_AES_256(CIPHER_AES, BLOCK_CIPHER, 32, 32, 16, 0, true, false, |
|
243 |
(Map.Entry<ReadCipherGenerator, |
|
244 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
245 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
246 |
new T10BlockReadCipherGenerator(), |
|
247 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
248 |
), |
|
249 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
250 |
new T11BlockReadCipherGenerator(), |
|
251 |
ProtocolVersion.PROTOCOLS_11_12 |
|
252 |
) |
|
253 |
}), |
|
254 |
(Map.Entry<WriteCipherGenerator, |
|
255 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
256 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
257 |
new T10BlockWriteCipherGenerator(), |
|
258 |
ProtocolVersion.PROTOCOLS_TO_10 |
|
259 |
), |
|
260 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
261 |
new T11BlockWriteCipherGenerator(), |
|
262 |
ProtocolVersion.PROTOCOLS_11_12 |
|
263 |
) |
|
264 |
})), |
|
265 |
||
266 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
|
267 |
B_AES_128_GCM(CIPHER_AES_GCM, AEAD_CIPHER, 16, 16, 12, 4, true, false, |
|
268 |
(Map.Entry<ReadCipherGenerator, |
|
269 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
270 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
271 |
new T12GcmReadCipherGenerator(), |
|
272 |
ProtocolVersion.PROTOCOLS_OF_12 |
|
273 |
) |
|
274 |
}), |
|
275 |
(Map.Entry<WriteCipherGenerator, |
|
276 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
277 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
278 |
new T12GcmWriteCipherGenerator(), |
|
279 |
ProtocolVersion.PROTOCOLS_OF_12 |
|
280 |
) |
|
281 |
})), |
|
2 | 282 |
|
56542 | 283 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
284 |
B_AES_256_GCM(CIPHER_AES_GCM, AEAD_CIPHER, 32, 32, 12, 4, true, false, |
|
285 |
(Map.Entry<ReadCipherGenerator, |
|
286 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
287 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
288 |
new T12GcmReadCipherGenerator(), |
|
289 |
ProtocolVersion.PROTOCOLS_OF_12 |
|
290 |
) |
|
291 |
}), |
|
292 |
(Map.Entry<WriteCipherGenerator, |
|
293 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
294 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
295 |
new T12GcmWriteCipherGenerator(), |
|
296 |
ProtocolVersion.PROTOCOLS_OF_12 |
|
297 |
) |
|
298 |
})), |
|
2 | 299 |
|
56542 | 300 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
301 |
B_AES_128_GCM_IV(CIPHER_AES_GCM, AEAD_CIPHER, 16, 16, 12, 0, true, false, |
|
302 |
(Map.Entry<ReadCipherGenerator, |
|
303 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
304 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
305 |
new T13GcmReadCipherGenerator(), |
|
306 |
ProtocolVersion.PROTOCOLS_OF_13 |
|
307 |
) |
|
308 |
}), |
|
309 |
(Map.Entry<WriteCipherGenerator, |
|
310 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
311 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
312 |
new T13GcmWriteCipherGenerator(), |
|
313 |
ProtocolVersion.PROTOCOLS_OF_13 |
|
314 |
) |
|
315 |
})), |
|
2 | 316 |
|
56542 | 317 |
@SuppressWarnings({"unchecked", "rawtypes"}) |
318 |
B_AES_256_GCM_IV(CIPHER_AES_GCM, AEAD_CIPHER, 32, 32, 12, 0, true, false, |
|
319 |
(Map.Entry<ReadCipherGenerator, |
|
320 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
321 |
new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>( |
|
322 |
new T13GcmReadCipherGenerator(), |
|
323 |
ProtocolVersion.PROTOCOLS_OF_13 |
|
324 |
) |
|
325 |
}), |
|
326 |
(Map.Entry<WriteCipherGenerator, |
|
327 |
ProtocolVersion[]>[])(new Map.Entry[] { |
|
328 |
new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>( |
|
329 |
new T13GcmWriteCipherGenerator(), |
|
330 |
ProtocolVersion.PROTOCOLS_OF_13 |
|
331 |
) |
|
332 |
})); |
|
333 |
||
334 |
// descriptive name including key size, e.g. AES/128 |
|
335 |
final String description; |
|
336 |
||
337 |
// JCE cipher transformation string, e.g. AES/CBC/NoPadding |
|
338 |
final String transformation; |
|
339 |
||
340 |
// algorithm name, e.g. AES |
|
341 |
final String algorithm; |
|
7039 | 342 |
|
56542 | 343 |
// supported and compile time enabled. Also see isAvailable() |
344 |
final boolean allowed; |
|
345 |
||
346 |
// number of bytes of entropy in the key |
|
347 |
final int keySize; |
|
348 |
||
349 |
// length of the actual cipher key in bytes. |
|
350 |
// for non-exportable ciphers, this is the same as keySize |
|
351 |
final int expandedKeySize; |
|
352 |
||
353 |
// size of the IV |
|
354 |
final int ivSize; |
|
355 |
||
356 |
// size of fixed IV |
|
357 |
// |
|
358 |
// record_iv_length = ivSize - fixedIvSize |
|
359 |
final int fixedIvSize; |
|
360 |
||
361 |
// exportable under 512/40 bit rules |
|
362 |
final boolean exportable; |
|
363 |
||
364 |
// Is the cipher algorithm of Cipher Block Chaining (CBC) mode? |
|
365 |
final CipherType cipherType; |
|
366 |
||
367 |
// size of the authentication tag, only applicable to cipher suites in |
|
368 |
// Galois Counter Mode (GCM) |
|
369 |
// |
|
370 |
// As far as we know, all supported GCM cipher suites use 128-bits |
|
371 |
// authentication tags. |
|
372 |
final int tagSize = 16; |
|
16913 | 373 |
|
56542 | 374 |
// runtime availability |
375 |
private final boolean isAvailable; |
|
376 |
||
377 |
private final Map.Entry<ReadCipherGenerator, |
|
378 |
ProtocolVersion[]>[] readCipherGenerators; |
|
379 |
private final Map.Entry<WriteCipherGenerator, |
|
380 |
ProtocolVersion[]>[] writeCipherGenerators; |
|
381 |
||
382 |
// Map of Ciphers listed in jdk.tls.KeyLimit |
|
383 |
private static final HashMap<String, Long> cipherLimits = new HashMap<>(); |
|
384 |
||
385 |
// Keywords found on the jdk.tls.KeyLimit security property. |
|
386 |
final static String tag[] = {"KEYUPDATE"}; |
|
16913 | 387 |
|
56542 | 388 |
static { |
389 |
final long max = 4611686018427387904L; // 2^62 |
|
390 |
String prop = AccessController.doPrivileged( |
|
391 |
new PrivilegedAction<String>() { |
|
392 |
@Override |
|
393 |
public String run() { |
|
394 |
return Security.getProperty("jdk.tls.keyLimits"); |
|
395 |
} |
|
396 |
}); |
|
397 |
||
398 |
if (prop != null) { |
|
399 |
String propvalue[] = prop.split(","); |
|
400 |
||
401 |
for (String entry : propvalue) { |
|
402 |
int index; |
|
403 |
// If this is not a UsageLimit, goto to next entry. |
|
404 |
String values[] = entry.trim().toUpperCase().split(" "); |
|
16913 | 405 |
|
56542 | 406 |
if (values[1].contains(tag[0])) { |
407 |
index = 0; |
|
408 |
} else { |
|
409 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
410 |
SSLLogger.fine("jdk.net.keyLimits: Unknown action: " + |
|
411 |
entry); |
|
412 |
} |
|
413 |
continue; |
|
414 |
} |
|
16913 | 415 |
|
56542 | 416 |
long size; |
417 |
int i = values[2].indexOf("^"); |
|
418 |
try { |
|
419 |
if (i >= 0) { |
|
420 |
size = (long) Math.pow(2, |
|
421 |
Integer.parseInt(values[2].substring(i + 1))); |
|
422 |
} else { |
|
423 |
size = Long.parseLong(values[2]); |
|
424 |
} |
|
425 |
if (size < 1 || size > max) { |
|
426 |
throw new NumberFormatException("Length exceeded limits"); |
|
427 |
} |
|
428 |
} catch (NumberFormatException e) { |
|
429 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
430 |
SSLLogger.fine("jdk.net.keyLimits: " + e.getMessage() + |
|
431 |
": " + entry); |
|
432 |
} |
|
433 |
continue; |
|
434 |
} |
|
435 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
436 |
SSLLogger.fine("jdk.net.keyLimits: entry = " + entry + |
|
437 |
". " + values[0] + ":" + tag[index] + " = " + size); |
|
438 |
} |
|
439 |
cipherLimits.put(values[0] + ":" + tag[index], size); |
|
440 |
} |
|
441 |
} |
|
442 |
} |
|
16913 | 443 |
|
56542 | 444 |
private SSLCipher(String transformation, |
445 |
CipherType cipherType, int keySize, |
|
446 |
int expandedKeySize, int ivSize, |
|
447 |
int fixedIvSize, boolean allowed, boolean exportable, |
|
448 |
Map.Entry<ReadCipherGenerator, |
|
449 |
ProtocolVersion[]>[] readCipherGenerators, |
|
450 |
Map.Entry<WriteCipherGenerator, |
|
451 |
ProtocolVersion[]>[] writeCipherGenerators) { |
|
452 |
this.transformation = transformation; |
|
453 |
String[] splits = transformation.split("/"); |
|
454 |
this.algorithm = splits[0]; |
|
455 |
this.cipherType = cipherType; |
|
456 |
this.description = this.algorithm + "/" + (keySize << 3); |
|
457 |
this.keySize = keySize; |
|
458 |
this.ivSize = ivSize; |
|
459 |
this.fixedIvSize = fixedIvSize; |
|
460 |
this.allowed = allowed; |
|
461 |
||
462 |
this.expandedKeySize = expandedKeySize; |
|
463 |
this.exportable = exportable; |
|
10915 | 464 |
|
56542 | 465 |
// availability of this bulk cipher |
466 |
// |
|
467 |
// We assume all supported ciphers are always available since they are |
|
468 |
// shipped with the SunJCE provider. However, AES/256 is unavailable |
|
469 |
// when the default JCE policy jurisdiction files are installed because |
|
470 |
// of key length restrictions. |
|
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
471 |
this.isAvailable = allowed && isUnlimited(keySize, transformation); |
56542 | 472 |
|
473 |
this.readCipherGenerators = readCipherGenerators; |
|
474 |
this.writeCipherGenerators = writeCipherGenerators; |
|
475 |
} |
|
476 |
||
477 |
SSLReadCipher createReadCipher(Authenticator authenticator, |
|
478 |
ProtocolVersion protocolVersion, |
|
479 |
SecretKey key, IvParameterSpec iv, |
|
480 |
SecureRandom random) throws GeneralSecurityException { |
|
481 |
if (readCipherGenerators.length == 0) { |
|
482 |
return null; |
|
483 |
} |
|
484 |
||
485 |
ReadCipherGenerator rcg = null; |
|
486 |
for (Map.Entry<ReadCipherGenerator, |
|
487 |
ProtocolVersion[]> me : readCipherGenerators) { |
|
488 |
for (ProtocolVersion pv : me.getValue()) { |
|
489 |
if (protocolVersion == pv) { |
|
490 |
rcg = me.getKey(); |
|
491 |
} |
|
492 |
} |
|
493 |
} |
|
7039 | 494 |
|
56542 | 495 |
if (rcg != null) { |
496 |
return rcg.createCipher(this, authenticator, |
|
497 |
protocolVersion, transformation, key, iv, random); |
|
498 |
} |
|
499 |
return null; |
|
500 |
} |
|
501 |
||
502 |
SSLWriteCipher createWriteCipher(Authenticator authenticator, |
|
503 |
ProtocolVersion protocolVersion, |
|
504 |
SecretKey key, IvParameterSpec iv, |
|
505 |
SecureRandom random) throws GeneralSecurityException { |
|
506 |
if (readCipherGenerators.length == 0) { |
|
507 |
return null; |
|
508 |
} |
|
509 |
||
510 |
WriteCipherGenerator rcg = null; |
|
511 |
for (Map.Entry<WriteCipherGenerator, |
|
512 |
ProtocolVersion[]> me : writeCipherGenerators) { |
|
513 |
for (ProtocolVersion pv : me.getValue()) { |
|
514 |
if (protocolVersion == pv) { |
|
515 |
rcg = me.getKey(); |
|
516 |
} |
|
517 |
} |
|
518 |
} |
|
519 |
||
520 |
if (rcg != null) { |
|
521 |
return rcg.createCipher(this, authenticator, |
|
522 |
protocolVersion, transformation, key, iv, random); |
|
523 |
} |
|
524 |
return null; |
|
525 |
} |
|
526 |
||
2 | 527 |
/** |
56542 | 528 |
* Test if this bulk cipher is available. For use by CipherSuite. |
2 | 529 |
*/ |
56542 | 530 |
boolean isAvailable() { |
531 |
return this.isAvailable; |
|
532 |
} |
|
7039 | 533 |
|
56542 | 534 |
private static boolean isUnlimited(int keySize, String transformation) { |
535 |
int keySizeInBits = keySize * 8; |
|
536 |
if (keySizeInBits > 128) { // need the JCE unlimited |
|
537 |
// strength jurisdiction policy |
|
538 |
try { |
|
539 |
if (Cipher.getMaxAllowedKeyLength( |
|
540 |
transformation) < keySizeInBits) { |
|
541 |
return false; |
|
542 |
} |
|
543 |
} catch (Exception e) { |
|
544 |
return false; |
|
7039 | 545 |
} |
56542 | 546 |
} |
547 |
||
548 |
return true; |
|
549 |
} |
|
7039 | 550 |
|
56542 | 551 |
@Override |
552 |
public String toString() { |
|
553 |
return description; |
|
554 |
} |
|
555 |
||
556 |
interface ReadCipherGenerator { |
|
557 |
SSLReadCipher createCipher(SSLCipher sslCipher, |
|
558 |
Authenticator authenticator, |
|
559 |
ProtocolVersion protocolVersion, String algorithm, |
|
560 |
Key key, AlgorithmParameterSpec params, |
|
561 |
SecureRandom random) throws GeneralSecurityException; |
|
562 |
} |
|
7039 | 563 |
|
56542 | 564 |
abstract static class SSLReadCipher { |
565 |
final Authenticator authenticator; |
|
566 |
final ProtocolVersion protocolVersion; |
|
567 |
SecretKey baseSecret; |
|
16913 | 568 |
|
56542 | 569 |
SSLReadCipher(Authenticator authenticator, |
570 |
ProtocolVersion protocolVersion) { |
|
571 |
this.authenticator = authenticator; |
|
572 |
this.protocolVersion = protocolVersion; |
|
573 |
} |
|
16913 | 574 |
|
56542 | 575 |
static final SSLReadCipher nullTlsReadCipher() { |
576 |
try { |
|
577 |
return B_NULL.createReadCipher( |
|
578 |
Authenticator.nullTlsMac(), |
|
579 |
ProtocolVersion.NONE, null, null, null); |
|
580 |
} catch (GeneralSecurityException gse) { |
|
581 |
// unlikely |
|
582 |
throw new RuntimeException("Cannot create NULL SSLCipher", gse); |
|
583 |
} |
|
584 |
} |
|
16913 | 585 |
|
56542 | 586 |
static final SSLReadCipher nullDTlsReadCipher() { |
587 |
try { |
|
588 |
return B_NULL.createReadCipher( |
|
589 |
Authenticator.nullDtlsMac(), |
|
590 |
ProtocolVersion.NONE, null, null, null); |
|
591 |
} catch (GeneralSecurityException gse) { |
|
592 |
// unlikely |
|
593 |
throw new RuntimeException("Cannot create NULL SSLCipher", gse); |
|
594 |
} |
|
595 |
} |
|
16913 | 596 |
|
56542 | 597 |
abstract Plaintext decrypt(byte contentType, ByteBuffer bb, |
598 |
byte[] sequence) throws GeneralSecurityException; |
|
599 |
||
600 |
void dispose() { |
|
601 |
// blank |
|
602 |
} |
|
603 |
||
604 |
abstract int estimateFragmentSize(int packetSize, int headerSize); |
|
605 |
||
606 |
boolean isNullCipher() { |
|
607 |
return false; |
|
2 | 608 |
} |
609 |
} |
|
610 |
||
56542 | 611 |
interface WriteCipherGenerator { |
612 |
SSLWriteCipher createCipher(SSLCipher sslCipher, |
|
613 |
Authenticator authenticator, |
|
614 |
ProtocolVersion protocolVersion, String algorithm, |
|
615 |
Key key, AlgorithmParameterSpec params, |
|
616 |
SecureRandom random) throws GeneralSecurityException; |
|
617 |
} |
|
618 |
||
619 |
abstract static class SSLWriteCipher { |
|
620 |
final Authenticator authenticator; |
|
621 |
final ProtocolVersion protocolVersion; |
|
622 |
boolean keyLimitEnabled = false; |
|
623 |
long keyLimitCountdown = 0; |
|
624 |
SecretKey baseSecret; |
|
625 |
||
626 |
SSLWriteCipher(Authenticator authenticator, |
|
627 |
ProtocolVersion protocolVersion) { |
|
628 |
this.authenticator = authenticator; |
|
629 |
this.protocolVersion = protocolVersion; |
|
630 |
} |
|
631 |
||
632 |
abstract int encrypt(byte contentType, ByteBuffer bb); |
|
633 |
||
634 |
static final SSLWriteCipher nullTlsWriteCipher() { |
|
635 |
try { |
|
636 |
return B_NULL.createWriteCipher( |
|
637 |
Authenticator.nullTlsMac(), |
|
638 |
ProtocolVersion.NONE, null, null, null); |
|
639 |
} catch (GeneralSecurityException gse) { |
|
640 |
// unlikely |
|
641 |
throw new RuntimeException( |
|
642 |
"Cannot create NULL SSL write Cipher", gse); |
|
643 |
} |
|
644 |
} |
|
645 |
||
646 |
static final SSLWriteCipher nullDTlsWriteCipher() { |
|
647 |
try { |
|
648 |
return B_NULL.createWriteCipher( |
|
649 |
Authenticator.nullDtlsMac(), |
|
650 |
ProtocolVersion.NONE, null, null, null); |
|
651 |
} catch (GeneralSecurityException gse) { |
|
652 |
// unlikely |
|
653 |
throw new RuntimeException( |
|
654 |
"Cannot create NULL SSL write Cipher", gse); |
|
655 |
} |
|
656 |
} |
|
657 |
||
658 |
void dispose() { |
|
659 |
// blank |
|
660 |
} |
|
661 |
||
662 |
abstract int getExplicitNonceSize(); |
|
663 |
abstract int calculateFragmentSize(int packetLimit, int headerSize); |
|
664 |
abstract int calculatePacketSize(int fragmentSize, int headerSize); |
|
665 |
||
666 |
boolean isCBCMode() { |
|
667 |
return false; |
|
668 |
} |
|
669 |
||
670 |
boolean isNullCipher() { |
|
671 |
return false; |
|
672 |
} |
|
673 |
||
674 |
/** |
|
675 |
* Check if processed bytes have reached the key usage limit. |
|
676 |
* If key usage limit is not be monitored, return false. |
|
677 |
*/ |
|
678 |
public boolean atKeyLimit() { |
|
679 |
if (keyLimitCountdown >= 0) { |
|
680 |
return false; |
|
681 |
} |
|
682 |
||
683 |
// Turn off limit checking as KeyUpdate will be occurring |
|
684 |
keyLimitEnabled = false; |
|
685 |
return true; |
|
686 |
} |
|
687 |
} |
|
688 |
||
689 |
private static final |
|
690 |
class NullReadCipherGenerator implements ReadCipherGenerator { |
|
691 |
@Override |
|
692 |
public SSLReadCipher createCipher(SSLCipher sslCipher, |
|
693 |
Authenticator authenticator, |
|
694 |
ProtocolVersion protocolVersion, String algorithm, |
|
695 |
Key key, AlgorithmParameterSpec params, |
|
696 |
SecureRandom random) throws GeneralSecurityException { |
|
697 |
return new NullReadCipher(authenticator, protocolVersion); |
|
2 | 698 |
} |
7039 | 699 |
|
56542 | 700 |
static final class NullReadCipher extends SSLReadCipher { |
701 |
NullReadCipher(Authenticator authenticator, |
|
702 |
ProtocolVersion protocolVersion) { |
|
703 |
super(authenticator, protocolVersion); |
|
704 |
} |
|
705 |
||
706 |
@Override |
|
707 |
public Plaintext decrypt(byte contentType, ByteBuffer bb, |
|
708 |
byte[] sequence) throws GeneralSecurityException { |
|
709 |
MAC signer = (MAC)authenticator; |
|
710 |
if (signer.macAlg().size != 0) { |
|
711 |
checkStreamMac(signer, bb, contentType, sequence); |
|
712 |
} else { |
|
713 |
authenticator.increaseSequenceNumber(); |
|
714 |
} |
|
715 |
||
716 |
return new Plaintext(contentType, |
|
717 |
ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor, |
|
718 |
-1, -1L, bb.slice()); |
|
719 |
} |
|
720 |
||
721 |
@Override |
|
722 |
int estimateFragmentSize(int packetSize, int headerSize) { |
|
723 |
int macLen = ((MAC)authenticator).macAlg().size; |
|
724 |
return packetSize - headerSize - macLen; |
|
725 |
} |
|
726 |
||
727 |
@Override |
|
728 |
boolean isNullCipher() { |
|
729 |
return true; |
|
730 |
} |
|
731 |
} |
|
732 |
} |
|
733 |
||
734 |
private static final |
|
735 |
class NullWriteCipherGenerator implements WriteCipherGenerator { |
|
736 |
@Override |
|
737 |
public SSLWriteCipher createCipher(SSLCipher sslCipher, |
|
738 |
Authenticator authenticator, |
|
739 |
ProtocolVersion protocolVersion, String algorithm, |
|
740 |
Key key, AlgorithmParameterSpec params, |
|
741 |
SecureRandom random) throws GeneralSecurityException { |
|
742 |
return new NullWriteCipher(authenticator, protocolVersion); |
|
743 |
} |
|
744 |
||
745 |
static final class NullWriteCipher extends SSLWriteCipher { |
|
746 |
NullWriteCipher(Authenticator authenticator, |
|
747 |
ProtocolVersion protocolVersion) { |
|
748 |
super(authenticator, protocolVersion); |
|
749 |
} |
|
750 |
||
751 |
@Override |
|
752 |
public int encrypt(byte contentType, ByteBuffer bb) { |
|
753 |
// add message authentication code |
|
754 |
MAC signer = (MAC)authenticator; |
|
755 |
if (signer.macAlg().size != 0) { |
|
756 |
addMac(signer, bb, contentType); |
|
757 |
} else { |
|
758 |
authenticator.increaseSequenceNumber(); |
|
759 |
} |
|
760 |
||
761 |
int len = bb.remaining(); |
|
762 |
bb.position(bb.limit()); |
|
763 |
return len; |
|
764 |
} |
|
765 |
||
766 |
||
767 |
@Override |
|
768 |
int getExplicitNonceSize() { |
|
769 |
return 0; |
|
770 |
} |
|
771 |
||
772 |
@Override |
|
773 |
int calculateFragmentSize(int packetLimit, int headerSize) { |
|
774 |
int macLen = ((MAC)authenticator).macAlg().size; |
|
775 |
return packetLimit - headerSize - macLen; |
|
776 |
} |
|
777 |
||
778 |
@Override |
|
779 |
int calculatePacketSize(int fragmentSize, int headerSize) { |
|
780 |
int macLen = ((MAC)authenticator).macAlg().size; |
|
781 |
return fragmentSize + headerSize + macLen; |
|
782 |
} |
|
783 |
||
784 |
@Override |
|
785 |
boolean isNullCipher() { |
|
786 |
return true; |
|
787 |
} |
|
2 | 788 |
} |
789 |
} |
|
790 |
||
56542 | 791 |
private static final |
792 |
class StreamReadCipherGenerator implements ReadCipherGenerator { |
|
793 |
@Override |
|
794 |
public SSLReadCipher createCipher(SSLCipher sslCipher, |
|
795 |
Authenticator authenticator, |
|
796 |
ProtocolVersion protocolVersion, String algorithm, |
|
797 |
Key key, AlgorithmParameterSpec params, |
|
798 |
SecureRandom random) throws GeneralSecurityException { |
|
799 |
return new StreamReadCipher(authenticator, protocolVersion, |
|
800 |
algorithm, key, params, random); |
|
7039 | 801 |
} |
802 |
||
56542 | 803 |
static final class StreamReadCipher extends SSLReadCipher { |
804 |
private final Cipher cipher; |
|
805 |
||
806 |
StreamReadCipher(Authenticator authenticator, |
|
807 |
ProtocolVersion protocolVersion, String algorithm, |
|
808 |
Key key, AlgorithmParameterSpec params, |
|
809 |
SecureRandom random) throws GeneralSecurityException { |
|
810 |
super(authenticator, protocolVersion); |
|
811 |
this.cipher = JsseJce.getCipher(algorithm); |
|
812 |
cipher.init(Cipher.DECRYPT_MODE, key, params, random); |
|
813 |
} |
|
814 |
||
815 |
@Override |
|
816 |
public Plaintext decrypt(byte contentType, ByteBuffer bb, |
|
817 |
byte[] sequence) throws GeneralSecurityException { |
|
818 |
int len = bb.remaining(); |
|
819 |
int pos = bb.position(); |
|
820 |
ByteBuffer dup = bb.duplicate(); |
|
821 |
try { |
|
822 |
if (len != cipher.update(dup, bb)) { |
|
823 |
// catch BouncyCastle buffering error |
|
824 |
throw new RuntimeException( |
|
825 |
"Unexpected number of plaintext bytes"); |
|
826 |
} |
|
827 |
if (bb.position() != dup.position()) { |
|
828 |
throw new RuntimeException( |
|
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
829 |
"Unexpected ByteBuffer position"); |
56542 | 830 |
} |
831 |
} catch (ShortBufferException sbe) { |
|
832 |
// catch BouncyCastle buffering error |
|
833 |
throw new RuntimeException("Cipher buffering error in " + |
|
834 |
"JCE provider " + cipher.getProvider().getName(), sbe); |
|
835 |
} |
|
836 |
bb.position(pos); |
|
837 |
if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) { |
|
838 |
SSLLogger.fine( |
|
839 |
"Plaintext after DECRYPTION", bb.duplicate()); |
|
840 |
} |
|
841 |
||
842 |
MAC signer = (MAC)authenticator; |
|
843 |
if (signer.macAlg().size != 0) { |
|
844 |
checkStreamMac(signer, bb, contentType, sequence); |
|
845 |
} else { |
|
846 |
authenticator.increaseSequenceNumber(); |
|
847 |
} |
|
848 |
||
849 |
return new Plaintext(contentType, |
|
850 |
ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor, |
|
851 |
-1, -1L, bb.slice()); |
|
852 |
} |
|
853 |
||
854 |
@Override |
|
855 |
void dispose() { |
|
856 |
if (cipher != null) { |
|
857 |
try { |
|
858 |
cipher.doFinal(); |
|
859 |
} catch (Exception e) { |
|
860 |
// swallow all types of exceptions. |
|
861 |
} |
|
862 |
} |
|
863 |
} |
|
864 |
||
865 |
@Override |
|
866 |
int estimateFragmentSize(int packetSize, int headerSize) { |
|
867 |
int macLen = ((MAC)authenticator).macAlg().size; |
|
868 |
return packetSize - headerSize - macLen; |
|
869 |
} |
|
870 |
} |
|
7039 | 871 |
} |
872 |
||
56542 | 873 |
private static final |
874 |
class StreamWriteCipherGenerator implements WriteCipherGenerator { |
|
875 |
@Override |
|
876 |
public SSLWriteCipher createCipher(SSLCipher sslCipher, |
|
877 |
Authenticator authenticator, |
|
878 |
ProtocolVersion protocolVersion, String algorithm, |
|
879 |
Key key, AlgorithmParameterSpec params, |
|
880 |
SecureRandom random) throws GeneralSecurityException { |
|
881 |
return new StreamWriteCipher(authenticator, |
|
882 |
protocolVersion, algorithm, key, params, random); |
|
2 | 883 |
} |
7039 | 884 |
|
56542 | 885 |
static final class StreamWriteCipher extends SSLWriteCipher { |
886 |
private final Cipher cipher; |
|
887 |
||
888 |
StreamWriteCipher(Authenticator authenticator, |
|
889 |
ProtocolVersion protocolVersion, String algorithm, |
|
890 |
Key key, AlgorithmParameterSpec params, |
|
891 |
SecureRandom random) throws GeneralSecurityException { |
|
892 |
super(authenticator, protocolVersion); |
|
893 |
this.cipher = JsseJce.getCipher(algorithm); |
|
894 |
cipher.init(Cipher.ENCRYPT_MODE, key, params, random); |
|
895 |
} |
|
896 |
||
897 |
@Override |
|
898 |
public int encrypt(byte contentType, ByteBuffer bb) { |
|
899 |
// add message authentication code |
|
900 |
MAC signer = (MAC)authenticator; |
|
901 |
if (signer.macAlg().size != 0) { |
|
902 |
addMac(signer, bb, contentType); |
|
903 |
} else { |
|
904 |
authenticator.increaseSequenceNumber(); |
|
905 |
} |
|
906 |
||
907 |
if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) { |
|
908 |
SSLLogger.finest( |
|
909 |
"Padded plaintext before ENCRYPTION", bb.duplicate()); |
|
910 |
} |
|
911 |
||
912 |
int len = bb.remaining(); |
|
913 |
ByteBuffer dup = bb.duplicate(); |
|
914 |
try { |
|
915 |
if (len != cipher.update(dup, bb)) { |
|
916 |
// catch BouncyCastle buffering error |
|
917 |
throw new RuntimeException( |
|
918 |
"Unexpected number of plaintext bytes"); |
|
919 |
} |
|
920 |
if (bb.position() != dup.position()) { |
|
921 |
throw new RuntimeException( |
|
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
922 |
"Unexpected ByteBuffer position"); |
56542 | 923 |
} |
924 |
} catch (ShortBufferException sbe) { |
|
925 |
// catch BouncyCastle buffering error |
|
926 |
throw new RuntimeException("Cipher buffering error in " + |
|
927 |
"JCE provider " + cipher.getProvider().getName(), sbe); |
|
928 |
} |
|
929 |
||
930 |
return len; |
|
931 |
} |
|
932 |
||
933 |
@Override |
|
934 |
void dispose() { |
|
935 |
if (cipher != null) { |
|
936 |
try { |
|
937 |
cipher.doFinal(); |
|
938 |
} catch (Exception e) { |
|
939 |
// swallow all types of exceptions. |
|
940 |
} |
|
941 |
} |
|
942 |
} |
|
943 |
||
944 |
@Override |
|
945 |
int getExplicitNonceSize() { |
|
946 |
return 0; |
|
2 | 947 |
} |
16913 | 948 |
|
56542 | 949 |
@Override |
950 |
int calculateFragmentSize(int packetLimit, int headerSize) { |
|
951 |
int macLen = ((MAC)authenticator).macAlg().size; |
|
952 |
return packetLimit - headerSize - macLen; |
|
953 |
} |
|
954 |
||
955 |
@Override |
|
956 |
int calculatePacketSize(int fragmentSize, int headerSize) { |
|
957 |
int macLen = ((MAC)authenticator).macAlg().size; |
|
958 |
return fragmentSize + headerSize + macLen; |
|
959 |
} |
|
960 |
} |
|
961 |
} |
|
2 | 962 |
|
56542 | 963 |
private static final |
964 |
class T10BlockReadCipherGenerator implements ReadCipherGenerator { |
|
965 |
@Override |
|
966 |
public SSLReadCipher createCipher(SSLCipher sslCipher, |
|
967 |
Authenticator authenticator, |
|
968 |
ProtocolVersion protocolVersion, String algorithm, |
|
969 |
Key key, AlgorithmParameterSpec params, |
|
970 |
SecureRandom random) throws GeneralSecurityException { |
|
971 |
return new BlockReadCipher(authenticator, |
|
972 |
protocolVersion, algorithm, key, params, random); |
|
973 |
} |
|
974 |
||
975 |
static final class BlockReadCipher extends SSLReadCipher { |
|
976 |
private final Cipher cipher; |
|
977 |
||
978 |
BlockReadCipher(Authenticator authenticator, |
|
979 |
ProtocolVersion protocolVersion, String algorithm, |
|
980 |
Key key, AlgorithmParameterSpec params, |
|
981 |
SecureRandom random) throws GeneralSecurityException { |
|
982 |
super(authenticator, protocolVersion); |
|
983 |
this.cipher = JsseJce.getCipher(algorithm); |
|
984 |
cipher.init(Cipher.DECRYPT_MODE, key, params, random); |
|
2 | 985 |
} |
16913 | 986 |
|
56542 | 987 |
@Override |
988 |
public Plaintext decrypt(byte contentType, ByteBuffer bb, |
|
989 |
byte[] sequence) throws GeneralSecurityException { |
|
990 |
BadPaddingException reservedBPE = null; |
|
16913 | 991 |
|
56542 | 992 |
// sanity check length of the ciphertext |
993 |
MAC signer = (MAC)authenticator; |
|
994 |
int cipheredLength = bb.remaining(); |
|
995 |
int tagLen = signer.macAlg().size; |
|
996 |
if (tagLen != 0) { |
|
997 |
if (!sanityCheck(tagLen, bb.remaining())) { |
|
998 |
reservedBPE = new BadPaddingException( |
|
999 |
"ciphertext sanity check failed"); |
|
1000 |
} |
|
1001 |
} |
|
1002 |
// decryption |
|
1003 |
int len = bb.remaining(); |
|
1004 |
int pos = bb.position(); |
|
1005 |
ByteBuffer dup = bb.duplicate(); |
|
16913 | 1006 |
try { |
56542 | 1007 |
if (len != cipher.update(dup, bb)) { |
1008 |
// catch BouncyCastle buffering error |
|
1009 |
throw new RuntimeException( |
|
1010 |
"Unexpected number of plaintext bytes"); |
|
1011 |
} |
|
1012 |
||
1013 |
if (bb.position() != dup.position()) { |
|
1014 |
throw new RuntimeException( |
|
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
1015 |
"Unexpected ByteBuffer position"); |
56542 | 1016 |
} |
1017 |
} catch (ShortBufferException sbe) { |
|
1018 |
// catch BouncyCastle buffering error |
|
1019 |
throw new RuntimeException("Cipher buffering error in " + |
|
1020 |
"JCE provider " + cipher.getProvider().getName(), sbe); |
|
1021 |
} |
|
1022 |
||
1023 |
if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) { |
|
1024 |
SSLLogger.fine( |
|
1025 |
"Padded plaintext after DECRYPTION", |
|
1026 |
bb.duplicate().position(pos)); |
|
1027 |
} |
|
1028 |
||
1029 |
// remove the block padding |
|
1030 |
int blockSize = cipher.getBlockSize(); |
|
1031 |
bb.position(pos); |
|
1032 |
try { |
|
1033 |
removePadding(bb, tagLen, blockSize, protocolVersion); |
|
1034 |
} catch (BadPaddingException bpe) { |
|
1035 |
if (reservedBPE == null) { |
|
1036 |
reservedBPE = bpe; |
|
1037 |
} |
|
16913 | 1038 |
} |
56542 | 1039 |
|
1040 |
// Requires message authentication code for null, stream and |
|
1041 |
// block cipher suites. |
|
1042 |
try { |
|
1043 |
if (tagLen != 0) { |
|
1044 |
checkCBCMac(signer, bb, |
|
1045 |
contentType, cipheredLength, sequence); |
|
1046 |
} else { |
|
1047 |
authenticator.increaseSequenceNumber(); |
|
1048 |
} |
|
1049 |
} catch (BadPaddingException bpe) { |
|
1050 |
if (reservedBPE == null) { |
|
1051 |
reservedBPE = bpe; |
|
1052 |
} |
|
1053 |
} |
|
1054 |
||
1055 |
// Is it a failover? |
|
1056 |
if (reservedBPE != null) { |
|
1057 |
throw reservedBPE; |
|
1058 |
} |
|
1059 |
||
1060 |
return new Plaintext(contentType, |
|
1061 |
ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor, |
|
1062 |
-1, -1L, bb.slice()); |
|
1063 |
} |
|
1064 |
||
1065 |
@Override |
|
1066 |
void dispose() { |
|
1067 |
if (cipher != null) { |
|
1068 |
try { |
|
1069 |
cipher.doFinal(); |
|
1070 |
} catch (Exception e) { |
|
1071 |
// swallow all types of exceptions. |
|
1072 |
} |
|
16913 | 1073 |
} |
56542 | 1074 |
} |
1075 |
||
1076 |
@Override |
|
1077 |
int estimateFragmentSize(int packetSize, int headerSize) { |
|
1078 |
int macLen = ((MAC)authenticator).macAlg().size; |
|
1079 |
||
1080 |
// No padding for a maximum fragment. |
|
1081 |
// |
|
1082 |
// 1 byte padding length field: 0x00 |
|
1083 |
return packetSize - headerSize - macLen - 1; |
|
2 | 1084 |
} |
56542 | 1085 |
|
1086 |
/** |
|
1087 |
* Sanity check the length of a fragment before decryption. |
|
1088 |
* |
|
1089 |
* In CBC mode, check that the fragment length is one or multiple |
|
1090 |
* times of the block size of the cipher suite, and is at least |
|
1091 |
* one (one is the smallest size of padding in CBC mode) bigger |
|
1092 |
* than the tag size of the MAC algorithm except the explicit IV |
|
1093 |
* size for TLS 1.1 or later. |
|
1094 |
* |
|
1095 |
* In non-CBC mode, check that the fragment length is not less than |
|
1096 |
* the tag size of the MAC algorithm. |
|
1097 |
* |
|
1098 |
* @return true if the length of a fragment matches above |
|
1099 |
* requirements |
|
1100 |
*/ |
|
1101 |
private boolean sanityCheck(int tagLen, int fragmentLen) { |
|
1102 |
int blockSize = cipher.getBlockSize(); |
|
1103 |
if ((fragmentLen % blockSize) == 0) { |
|
1104 |
int minimal = tagLen + 1; |
|
1105 |
minimal = (minimal >= blockSize) ? minimal : blockSize; |
|
1106 |
||
1107 |
return (fragmentLen >= minimal); |
|
1108 |
} |
|
1109 |
||
1110 |
return false; |
|
1111 |
} |
|
2 | 1112 |
} |
1113 |
} |
|
1114 |
||
56542 | 1115 |
private static final |
1116 |
class T10BlockWriteCipherGenerator implements WriteCipherGenerator { |
|
1117 |
@Override |
|
1118 |
public SSLWriteCipher createCipher(SSLCipher sslCipher, |
|
1119 |
Authenticator authenticator, |
|
1120 |
ProtocolVersion protocolVersion, String algorithm, |
|
1121 |
Key key, AlgorithmParameterSpec params, |
|
1122 |
SecureRandom random) throws GeneralSecurityException { |
|
1123 |
return new BlockWriteCipher(authenticator, |
|
1124 |
protocolVersion, algorithm, key, params, random); |
|
16913 | 1125 |
} |
7039 | 1126 |
|
56542 | 1127 |
static final class BlockWriteCipher extends SSLWriteCipher { |
1128 |
private final Cipher cipher; |
|
1129 |
||
1130 |
BlockWriteCipher(Authenticator authenticator, |
|
1131 |
ProtocolVersion protocolVersion, String algorithm, |
|
1132 |
Key key, AlgorithmParameterSpec params, |
|
1133 |
SecureRandom random) throws GeneralSecurityException { |
|
1134 |
super(authenticator, protocolVersion); |
|
1135 |
this.cipher = JsseJce.getCipher(algorithm); |
|
1136 |
cipher.init(Cipher.ENCRYPT_MODE, key, params, random); |
|
2 | 1137 |
} |
1138 |
||
56542 | 1139 |
@Override |
1140 |
public int encrypt(byte contentType, ByteBuffer bb) { |
|
1141 |
int pos = bb.position(); |
|
1142 |
||
1143 |
// add message authentication code |
|
1144 |
MAC signer = (MAC)authenticator; |
|
1145 |
if (signer.macAlg().size != 0) { |
|
1146 |
addMac(signer, bb, contentType); |
|
1147 |
} else { |
|
1148 |
authenticator.increaseSequenceNumber(); |
|
1149 |
} |
|
1150 |
||
1151 |
int blockSize = cipher.getBlockSize(); |
|
1152 |
int len = addPadding(bb, blockSize); |
|
1153 |
bb.position(pos); |
|
1154 |
||
1155 |
if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) { |
|
1156 |
SSLLogger.fine( |
|
1157 |
"Padded plaintext before ENCRYPTION", |
|
1158 |
bb.duplicate()); |
|
1159 |
} |
|
1160 |
||
1161 |
ByteBuffer dup = bb.duplicate(); |
|
1162 |
try { |
|
1163 |
if (len != cipher.update(dup, bb)) { |
|
1164 |
// catch BouncyCastle buffering error |
|
1165 |
throw new RuntimeException( |
|
1166 |
"Unexpected number of plaintext bytes"); |
|
1167 |
} |
|
1168 |
||
1169 |
if (bb.position() != dup.position()) { |
|
1170 |
throw new RuntimeException( |
|
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
1171 |
"Unexpected ByteBuffer position"); |
56542 | 1172 |
} |
1173 |
} catch (ShortBufferException sbe) { |
|
1174 |
// catch BouncyCastle buffering error |
|
1175 |
throw new RuntimeException("Cipher buffering error in " + |
|
1176 |
"JCE provider " + cipher.getProvider().getName(), sbe); |
|
1177 |
} |
|
1178 |
||
1179 |
return len; |
|
2 | 1180 |
} |
1181 |
||
56542 | 1182 |
@Override |
1183 |
void dispose() { |
|
1184 |
if (cipher != null) { |
|
1185 |
try { |
|
1186 |
cipher.doFinal(); |
|
1187 |
} catch (Exception e) { |
|
1188 |
// swallow all types of exceptions. |
|
1189 |
} |
|
1190 |
} |
|
1191 |
} |
|
1192 |
||
1193 |
@Override |
|
1194 |
int getExplicitNonceSize() { |
|
1195 |
return 0; |
|
2 | 1196 |
} |
56542 | 1197 |
|
1198 |
@Override |
|
1199 |
int calculateFragmentSize(int packetLimit, int headerSize) { |
|
1200 |
int macLen = ((MAC)authenticator).macAlg().size; |
|
1201 |
int blockSize = cipher.getBlockSize(); |
|
1202 |
int fragLen = packetLimit - headerSize; |
|
1203 |
fragLen -= (fragLen % blockSize); // cannot hold a block |
|
1204 |
// No padding for a maximum fragment. |
|
1205 |
fragLen -= 1; // 1 byte padding length field: 0x00 |
|
1206 |
fragLen -= macLen; |
|
1207 |
return fragLen; |
|
1208 |
} |
|
1209 |
||
1210 |
@Override |
|
1211 |
int calculatePacketSize(int fragmentSize, int headerSize) { |
|
1212 |
int macLen = ((MAC)authenticator).macAlg().size; |
|
1213 |
int blockSize = cipher.getBlockSize(); |
|
1214 |
int paddedLen = fragmentSize + macLen + 1; |
|
1215 |
if ((paddedLen % blockSize) != 0) { |
|
1216 |
paddedLen += blockSize - 1; |
|
1217 |
paddedLen -= paddedLen % blockSize; |
|
1218 |
} |
|
1219 |
||
1220 |
return headerSize + paddedLen; |
|
1221 |
} |
|
1222 |
||
1223 |
@Override |
|
1224 |
boolean isCBCMode() { |
|
1225 |
return true; |
|
1226 |
} |
|
2 | 1227 |
} |
1228 |
} |
|
1229 |
||
56542 | 1230 |
// For TLS 1.1 and 1.2 |
1231 |
private static final |
|
1232 |
class T11BlockReadCipherGenerator implements ReadCipherGenerator { |
|
1233 |
@Override |
|
1234 |
public SSLReadCipher createCipher(SSLCipher sslCipher, |
|
1235 |
Authenticator authenticator, ProtocolVersion protocolVersion, |
|
1236 |
String algorithm, Key key, AlgorithmParameterSpec params, |
|
1237 |
SecureRandom random) throws GeneralSecurityException { |
|
1238 |
return new BlockReadCipher(authenticator, protocolVersion, |
|
1239 |
sslCipher, algorithm, key, params, random); |
|
2 | 1240 |
} |
7039 | 1241 |
|
56542 | 1242 |
static final class BlockReadCipher extends SSLReadCipher { |
1243 |
private final Cipher cipher; |
|
1244 |
||
1245 |
BlockReadCipher(Authenticator authenticator, |
|
1246 |
ProtocolVersion protocolVersion, |
|
1247 |
SSLCipher sslCipher, String algorithm, |
|
1248 |
Key key, AlgorithmParameterSpec params, |
|
1249 |
SecureRandom random) throws GeneralSecurityException { |
|
1250 |
super(authenticator, protocolVersion); |
|
1251 |
this.cipher = JsseJce.getCipher(algorithm); |
|
1252 |
if (params == null) { |
|
1253 |
params = new IvParameterSpec(new byte[sslCipher.ivSize]); |
|
16913 | 1254 |
} |
56542 | 1255 |
cipher.init(Cipher.DECRYPT_MODE, key, params, random); |
2 | 1256 |
} |
16113 | 1257 |
|
56542 | 1258 |
@Override |
1259 |
public Plaintext decrypt(byte contentType, ByteBuffer bb, |
|
1260 |
byte[] sequence) throws GeneralSecurityException { |
|
1261 |
BadPaddingException reservedBPE = null; |
|
1262 |
||
1263 |
// sanity check length of the ciphertext |
|
1264 |
MAC signer = (MAC)authenticator; |
|
1265 |
int cipheredLength = bb.remaining(); |
|
1266 |
int tagLen = signer.macAlg().size; |
|
1267 |
if (tagLen != 0) { |
|
1268 |
if (!sanityCheck(tagLen, bb.remaining())) { |
|
1269 |
reservedBPE = new BadPaddingException( |
|
1270 |
"ciphertext sanity check failed"); |
|
1271 |
} |
|
1272 |
} |
|
1273 |
||
1274 |
// decryption |
|
1275 |
int len = bb.remaining(); |
|
1276 |
int pos = bb.position(); |
|
1277 |
ByteBuffer dup = bb.duplicate(); |
|
1278 |
try { |
|
1279 |
if (len != cipher.update(dup, bb)) { |
|
1280 |
// catch BouncyCastle buffering error |
|
1281 |
throw new RuntimeException( |
|
1282 |
"Unexpected number of plaintext bytes"); |
|
1283 |
} |
|
1284 |
||
1285 |
if (bb.position() != dup.position()) { |
|
1286 |
throw new RuntimeException( |
|
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
1287 |
"Unexpected ByteBuffer position"); |
56542 | 1288 |
} |
1289 |
} catch (ShortBufferException sbe) { |
|
1290 |
// catch BouncyCastle buffering error |
|
1291 |
throw new RuntimeException("Cipher buffering error in " + |
|
1292 |
"JCE provider " + cipher.getProvider().getName(), sbe); |
|
1293 |
} |
|
1294 |
||
1295 |
if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) { |
|
1296 |
SSLLogger.fine( |
|
1297 |
"Padded plaintext after DECRYPTION", |
|
1298 |
bb.duplicate().position(pos)); |
|
1299 |
} |
|
7039 | 1300 |
|
56542 | 1301 |
// Ignore the explicit nonce. |
1302 |
bb.position(pos + cipher.getBlockSize()); |
|
1303 |
pos = bb.position(); |
|
1304 |
||
1305 |
// remove the block padding |
|
1306 |
int blockSize = cipher.getBlockSize(); |
|
1307 |
bb.position(pos); |
|
1308 |
try { |
|
1309 |
removePadding(bb, tagLen, blockSize, protocolVersion); |
|
1310 |
} catch (BadPaddingException bpe) { |
|
1311 |
if (reservedBPE == null) { |
|
1312 |
reservedBPE = bpe; |
|
1313 |
} |
|
1314 |
} |
|
1315 |
||
1316 |
// Requires message authentication code for null, stream and |
|
1317 |
// block cipher suites. |
|
1318 |
try { |
|
1319 |
if (tagLen != 0) { |
|
1320 |
checkCBCMac(signer, bb, |
|
1321 |
contentType, cipheredLength, sequence); |
|
1322 |
} else { |
|
1323 |
authenticator.increaseSequenceNumber(); |
|
1324 |
} |
|
1325 |
} catch (BadPaddingException bpe) { |
|
1326 |
if (reservedBPE == null) { |
|
1327 |
reservedBPE = bpe; |
|
1328 |
} |
|
1329 |
} |
|
1330 |
||
1331 |
// Is it a failover? |
|
1332 |
if (reservedBPE != null) { |
|
1333 |
throw reservedBPE; |
|
1334 |
} |
|
1335 |
||
1336 |
return new Plaintext(contentType, |
|
1337 |
ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor, |
|
1338 |
-1, -1L, bb.slice()); |
|
1339 |
} |
|
1340 |
||
1341 |
@Override |
|
1342 |
void dispose() { |
|
1343 |
if (cipher != null) { |
|
1344 |
try { |
|
1345 |
cipher.doFinal(); |
|
1346 |
} catch (Exception e) { |
|
1347 |
// swallow all types of exceptions. |
|
7039 | 1348 |
} |
1349 |
} |
|
2 | 1350 |
} |
56542 | 1351 |
|
1352 |
@Override |
|
1353 |
int estimateFragmentSize(int packetSize, int headerSize) { |
|
1354 |
int macLen = ((MAC)authenticator).macAlg().size; |
|
1355 |
||
1356 |
// No padding for a maximum fragment. |
|
1357 |
// |
|
1358 |
// 1 byte padding length field: 0x00 |
|
1359 |
int nonceSize = cipher.getBlockSize(); |
|
1360 |
return packetSize - headerSize - nonceSize - macLen - 1; |
|
1361 |
} |
|
1362 |
||
1363 |
/** |
|
1364 |
* Sanity check the length of a fragment before decryption. |
|
1365 |
* |
|
1366 |
* In CBC mode, check that the fragment length is one or multiple |
|
1367 |
* times of the block size of the cipher suite, and is at least |
|
1368 |
* one (one is the smallest size of padding in CBC mode) bigger |
|
1369 |
* than the tag size of the MAC algorithm except the explicit IV |
|
1370 |
* size for TLS 1.1 or later. |
|
1371 |
* |
|
1372 |
* In non-CBC mode, check that the fragment length is not less than |
|
1373 |
* the tag size of the MAC algorithm. |
|
1374 |
* |
|
1375 |
* @return true if the length of a fragment matches above |
|
1376 |
* requirements |
|
1377 |
*/ |
|
1378 |
private boolean sanityCheck(int tagLen, int fragmentLen) { |
|
1379 |
int blockSize = cipher.getBlockSize(); |
|
1380 |
if ((fragmentLen % blockSize) == 0) { |
|
1381 |
int minimal = tagLen + 1; |
|
1382 |
minimal = (minimal >= blockSize) ? minimal : blockSize; |
|
1383 |
minimal += blockSize; |
|
1384 |
||
1385 |
return (fragmentLen >= minimal); |
|
1386 |
} |
|
1387 |
||
1388 |
return false; |
|
1389 |
} |
|
2 | 1390 |
} |
1391 |
} |
|
1392 |
||
56542 | 1393 |
// For TLS 1.1 and 1.2 |
1394 |
private static final |
|
1395 |
class T11BlockWriteCipherGenerator implements WriteCipherGenerator { |
|
1396 |
@Override |
|
1397 |
public SSLWriteCipher createCipher(SSLCipher sslCipher, |
|
1398 |
Authenticator authenticator, ProtocolVersion protocolVersion, |
|
1399 |
String algorithm, Key key, AlgorithmParameterSpec params, |
|
1400 |
SecureRandom random) throws GeneralSecurityException { |
|
1401 |
return new BlockWriteCipher(authenticator, protocolVersion, |
|
1402 |
sslCipher, algorithm, key, params, random); |
|
2 | 1403 |
} |
1404 |
||
56542 | 1405 |
static final class BlockWriteCipher extends SSLWriteCipher { |
1406 |
private final Cipher cipher; |
|
1407 |
private final SecureRandom random; |
|
1408 |
||
1409 |
BlockWriteCipher(Authenticator authenticator, |
|
1410 |
ProtocolVersion protocolVersion, |
|
1411 |
SSLCipher sslCipher, String algorithm, |
|
1412 |
Key key, AlgorithmParameterSpec params, |
|
1413 |
SecureRandom random) throws GeneralSecurityException { |
|
1414 |
super(authenticator, protocolVersion); |
|
1415 |
this.cipher = JsseJce.getCipher(algorithm); |
|
1416 |
this.random = random; |
|
1417 |
if (params == null) { |
|
1418 |
params = new IvParameterSpec(new byte[sslCipher.ivSize]); |
|
1419 |
} |
|
1420 |
cipher.init(Cipher.ENCRYPT_MODE, key, params, random); |
|
1421 |
} |
|
1422 |
||
1423 |
@Override |
|
1424 |
public int encrypt(byte contentType, ByteBuffer bb) { |
|
1425 |
// To be unique and aware of overflow-wrap, sequence number |
|
1426 |
// is used as the nonce_explicit of block cipher suites. |
|
1427 |
int pos = bb.position(); |
|
1428 |
||
1429 |
// add message authentication code |
|
1430 |
MAC signer = (MAC)authenticator; |
|
1431 |
if (signer.macAlg().size != 0) { |
|
1432 |
addMac(signer, bb, contentType); |
|
1433 |
} else { |
|
1434 |
authenticator.increaseSequenceNumber(); |
|
1435 |
} |
|
1436 |
||
1437 |
// DON'T WORRY, the nonce spaces are considered already. |
|
1438 |
byte[] nonce = new byte[cipher.getBlockSize()]; |
|
1439 |
random.nextBytes(nonce); |
|
1440 |
pos = pos - nonce.length; |
|
1441 |
bb.position(pos); |
|
1442 |
bb.put(nonce); |
|
1443 |
bb.position(pos); |
|
1444 |
||
1445 |
int blockSize = cipher.getBlockSize(); |
|
1446 |
int len = addPadding(bb, blockSize); |
|
1447 |
bb.position(pos); |
|
1448 |
||
1449 |
if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) { |
|
1450 |
SSLLogger.fine( |
|
1451 |
"Padded plaintext before ENCRYPTION", |
|
1452 |
bb.duplicate()); |
|
1453 |
} |
|
1454 |
||
1455 |
ByteBuffer dup = bb.duplicate(); |
|
16913 | 1456 |
try { |
56542 | 1457 |
if (len != cipher.update(dup, bb)) { |
1458 |
// catch BouncyCastle buffering error |
|
1459 |
throw new RuntimeException( |
|
1460 |
"Unexpected number of plaintext bytes"); |
|
1461 |
} |
|
1462 |
||
1463 |
if (bb.position() != dup.position()) { |
|
1464 |
throw new RuntimeException( |
|
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
1465 |
"Unexpected ByteBuffer position"); |
56542 | 1466 |
} |
1467 |
} catch (ShortBufferException sbe) { |
|
1468 |
// catch BouncyCastle buffering error |
|
1469 |
throw new RuntimeException("Cipher buffering error in " + |
|
1470 |
"JCE provider " + cipher.getProvider().getName(), sbe); |
|
1471 |
} |
|
1472 |
||
1473 |
return len; |
|
1474 |
} |
|
1475 |
||
1476 |
@Override |
|
1477 |
void dispose() { |
|
1478 |
if (cipher != null) { |
|
1479 |
try { |
|
1480 |
cipher.doFinal(); |
|
1481 |
} catch (Exception e) { |
|
1482 |
// swallow all types of exceptions. |
|
1483 |
} |
|
1484 |
} |
|
1485 |
} |
|
1486 |
||
1487 |
@Override |
|
1488 |
int getExplicitNonceSize() { |
|
1489 |
return cipher.getBlockSize(); |
|
1490 |
} |
|
1491 |
||
1492 |
@Override |
|
1493 |
int calculateFragmentSize(int packetLimit, int headerSize) { |
|
1494 |
int macLen = ((MAC)authenticator).macAlg().size; |
|
1495 |
int blockSize = cipher.getBlockSize(); |
|
1496 |
int fragLen = packetLimit - headerSize - blockSize; |
|
1497 |
fragLen -= (fragLen % blockSize); // cannot hold a block |
|
1498 |
// No padding for a maximum fragment. |
|
1499 |
fragLen -= 1; // 1 byte padding length field: 0x00 |
|
1500 |
fragLen -= macLen; |
|
1501 |
return fragLen; |
|
1502 |
} |
|
1503 |
||
1504 |
@Override |
|
1505 |
int calculatePacketSize(int fragmentSize, int headerSize) { |
|
1506 |
int macLen = ((MAC)authenticator).macAlg().size; |
|
1507 |
int blockSize = cipher.getBlockSize(); |
|
1508 |
int paddedLen = fragmentSize + macLen + 1; |
|
1509 |
if ((paddedLen % blockSize) != 0) { |
|
1510 |
paddedLen += blockSize - 1; |
|
1511 |
paddedLen -= paddedLen % blockSize; |
|
1512 |
} |
|
1513 |
||
1514 |
return headerSize + blockSize + paddedLen; |
|
1515 |
} |
|
1516 |
||
1517 |
@Override |
|
1518 |
boolean isCBCMode() { |
|
1519 |
return true; |
|
1520 |
} |
|
1521 |
} |
|
1522 |
} |
|
1523 |
||
1524 |
private static final |
|
1525 |
class T12GcmReadCipherGenerator implements ReadCipherGenerator { |
|
1526 |
@Override |
|
1527 |
public SSLReadCipher createCipher(SSLCipher sslCipher, |
|
1528 |
Authenticator authenticator, |
|
1529 |
ProtocolVersion protocolVersion, String algorithm, |
|
1530 |
Key key, AlgorithmParameterSpec params, |
|
1531 |
SecureRandom random) throws GeneralSecurityException { |
|
1532 |
return new GcmReadCipher(authenticator, protocolVersion, sslCipher, |
|
1533 |
algorithm, key, params, random); |
|
1534 |
} |
|
1535 |
||
1536 |
static final class GcmReadCipher extends SSLReadCipher { |
|
1537 |
private final Cipher cipher; |
|
1538 |
private final int tagSize; |
|
1539 |
private final Key key; |
|
1540 |
private final byte[] fixedIv; |
|
1541 |
private final int recordIvSize; |
|
1542 |
private final SecureRandom random; |
|
1543 |
||
1544 |
GcmReadCipher(Authenticator authenticator, |
|
1545 |
ProtocolVersion protocolVersion, |
|
1546 |
SSLCipher sslCipher, String algorithm, |
|
1547 |
Key key, AlgorithmParameterSpec params, |
|
1548 |
SecureRandom random) throws GeneralSecurityException { |
|
1549 |
super(authenticator, protocolVersion); |
|
1550 |
this.cipher = JsseJce.getCipher(algorithm); |
|
1551 |
this.tagSize = sslCipher.tagSize; |
|
1552 |
this.key = key; |
|
1553 |
this.fixedIv = ((IvParameterSpec)params).getIV(); |
|
1554 |
this.recordIvSize = sslCipher.ivSize - sslCipher.fixedIvSize; |
|
1555 |
this.random = random; |
|
1556 |
||
1557 |
// DON'T initialize the cipher for AEAD! |
|
1558 |
} |
|
1559 |
||
1560 |
@Override |
|
1561 |
public Plaintext decrypt(byte contentType, ByteBuffer bb, |
|
1562 |
byte[] sequence) throws GeneralSecurityException { |
|
1563 |
if (bb.remaining() < (recordIvSize + tagSize)) { |
|
1564 |
throw new BadPaddingException( |
|
1565 |
"Insufficient buffer remaining for AEAD cipher " + |
|
1566 |
"fragment (" + bb.remaining() + "). Needs to be " + |
|
1567 |
"more than or equal to IV size (" + recordIvSize + |
|
1568 |
") + tag size (" + tagSize + ")"); |
|
1569 |
} |
|
1570 |
||
1571 |
// initialize the AEAD cipher for the unique IV |
|
1572 |
byte[] iv = Arrays.copyOf(fixedIv, |
|
1573 |
fixedIv.length + recordIvSize); |
|
1574 |
bb.get(iv, fixedIv.length, recordIvSize); |
|
1575 |
GCMParameterSpec spec = new GCMParameterSpec(tagSize * 8, iv); |
|
1576 |
try { |
|
1577 |
cipher.init(Cipher.DECRYPT_MODE, key, spec, random); |
|
1578 |
} catch (InvalidKeyException | |
|
1579 |
InvalidAlgorithmParameterException ikae) { |
|
1580 |
// unlikely to happen |
|
1581 |
throw new RuntimeException( |
|
1582 |
"invalid key or spec in GCM mode", ikae); |
|
1583 |
} |
|
1584 |
||
1585 |
// update the additional authentication data |
|
1586 |
byte[] aad = authenticator.acquireAuthenticationBytes( |
|
1587 |
contentType, bb.remaining() - tagSize, |
|
1588 |
sequence); |
|
1589 |
cipher.updateAAD(aad); |
|
1590 |
||
1591 |
// DON'T decrypt the nonce_explicit for AEAD mode. The buffer |
|
1592 |
// position has moved out of the nonce_explicit range. |
|
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
1593 |
int len, pos = bb.position(); |
56542 | 1594 |
ByteBuffer dup = bb.duplicate(); |
1595 |
try { |
|
1596 |
len = cipher.doFinal(dup, bb); |
|
16913 | 1597 |
} catch (IllegalBlockSizeException ibse) { |
1598 |
// unlikely to happen |
|
1599 |
throw new RuntimeException( |
|
1600 |
"Cipher error in AEAD mode \"" + ibse.getMessage() + |
|
1601 |
" \"in JCE provider " + cipher.getProvider().getName()); |
|
56542 | 1602 |
} catch (ShortBufferException sbe) { |
1603 |
// catch BouncyCastle buffering error |
|
1604 |
throw new RuntimeException("Cipher buffering error in " + |
|
1605 |
"JCE provider " + cipher.getProvider().getName(), sbe); |
|
16913 | 1606 |
} |
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
1607 |
// reset the limit to the end of the decrypted data |
56542 | 1608 |
bb.position(pos); |
1609 |
bb.limit(pos + len); |
|
1610 |
||
1611 |
if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) { |
|
1612 |
SSLLogger.fine( |
|
1613 |
"Plaintext after DECRYPTION", bb.duplicate()); |
|
1614 |
} |
|
1615 |
||
1616 |
return new Plaintext(contentType, |
|
1617 |
ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor, |
|
1618 |
-1, -1L, bb.slice()); |
|
1619 |
} |
|
1620 |
||
1621 |
@Override |
|
1622 |
void dispose() { |
|
1623 |
if (cipher != null) { |
|
1624 |
try { |
|
1625 |
cipher.doFinal(); |
|
1626 |
} catch (Exception e) { |
|
1627 |
// swallow all types of exceptions. |
|
1628 |
} |
|
1629 |
} |
|
1630 |
} |
|
1631 |
||
1632 |
@Override |
|
1633 |
int estimateFragmentSize(int packetSize, int headerSize) { |
|
1634 |
return packetSize - headerSize - recordIvSize - tagSize; |
|
1635 |
} |
|
1636 |
} |
|
1637 |
} |
|
1638 |
||
1639 |
private static final |
|
1640 |
class T12GcmWriteCipherGenerator implements WriteCipherGenerator { |
|
1641 |
@Override |
|
1642 |
public SSLWriteCipher createCipher(SSLCipher sslCipher, |
|
1643 |
Authenticator authenticator, |
|
1644 |
ProtocolVersion protocolVersion, String algorithm, |
|
1645 |
Key key, AlgorithmParameterSpec params, |
|
1646 |
SecureRandom random) throws GeneralSecurityException { |
|
1647 |
return new GcmWriteCipher(authenticator, protocolVersion, sslCipher, |
|
1648 |
algorithm, key, params, random); |
|
1649 |
} |
|
1650 |
||
1651 |
private static final class GcmWriteCipher extends SSLWriteCipher { |
|
1652 |
private final Cipher cipher; |
|
1653 |
private final int tagSize; |
|
1654 |
private final Key key; |
|
1655 |
private final byte[] fixedIv; |
|
1656 |
private final int recordIvSize; |
|
1657 |
private final SecureRandom random; |
|
1658 |
||
1659 |
GcmWriteCipher(Authenticator authenticator, |
|
1660 |
ProtocolVersion protocolVersion, |
|
1661 |
SSLCipher sslCipher, String algorithm, |
|
1662 |
Key key, AlgorithmParameterSpec params, |
|
1663 |
SecureRandom random) throws GeneralSecurityException { |
|
1664 |
super(authenticator, protocolVersion); |
|
1665 |
this.cipher = JsseJce.getCipher(algorithm); |
|
1666 |
this.tagSize = sslCipher.tagSize; |
|
1667 |
this.key = key; |
|
1668 |
this.fixedIv = ((IvParameterSpec)params).getIV(); |
|
1669 |
this.recordIvSize = sslCipher.ivSize - sslCipher.fixedIvSize; |
|
1670 |
this.random = random; |
|
1671 |
||
1672 |
// DON'T initialize the cipher for AEAD! |
|
1673 |
} |
|
1674 |
||
1675 |
@Override |
|
1676 |
public int encrypt(byte contentType, |
|
1677 |
ByteBuffer bb) { |
|
1678 |
// To be unique and aware of overflow-wrap, sequence number |
|
1679 |
// is used as the nonce_explicit of AEAD cipher suites. |
|
1680 |
byte[] nonce = authenticator.sequenceNumber(); |
|
1681 |
||
1682 |
// initialize the AEAD cipher for the unique IV |
|
1683 |
byte[] iv = Arrays.copyOf(fixedIv, |
|
1684 |
fixedIv.length + nonce.length); |
|
1685 |
System.arraycopy(nonce, 0, iv, fixedIv.length, nonce.length); |
|
1686 |
||
1687 |
GCMParameterSpec spec = new GCMParameterSpec(tagSize * 8, iv); |
|
1688 |
try { |
|
1689 |
cipher.init(Cipher.ENCRYPT_MODE, key, spec, random); |
|
1690 |
} catch (InvalidKeyException | |
|
1691 |
InvalidAlgorithmParameterException ikae) { |
|
1692 |
// unlikely to happen |
|
1693 |
throw new RuntimeException( |
|
1694 |
"invalid key or spec in GCM mode", ikae); |
|
1695 |
} |
|
1696 |
||
1697 |
// Update the additional authentication data, using the |
|
1698 |
// implicit sequence number of the authenticator. |
|
1699 |
byte[] aad = authenticator.acquireAuthenticationBytes( |
|
1700 |
contentType, bb.remaining(), null); |
|
1701 |
cipher.updateAAD(aad); |
|
1702 |
||
1703 |
// DON'T WORRY, the nonce spaces are considered already. |
|
1704 |
bb.position(bb.position() - nonce.length); |
|
1705 |
bb.put(nonce); |
|
1706 |
||
1707 |
// DON'T encrypt the nonce for AEAD mode. |
|
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
1708 |
int len, pos = bb.position(); |
56542 | 1709 |
if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) { |
1710 |
SSLLogger.fine( |
|
1711 |
"Plaintext before ENCRYPTION", |
|
1712 |
bb.duplicate()); |
|
1713 |
} |
|
1714 |
||
1715 |
ByteBuffer dup = bb.duplicate(); |
|
1716 |
int outputSize = cipher.getOutputSize(dup.remaining()); |
|
1717 |
if (outputSize > bb.remaining()) { |
|
1718 |
// Need to expand the limit of the output buffer for |
|
1719 |
// the authentication tag. |
|
1720 |
// |
|
1721 |
// DON'T worry about the buffer's capacity, we have |
|
1722 |
// reserved space for the authentication tag. |
|
1723 |
bb.limit(pos + outputSize); |
|
1724 |
} |
|
1725 |
||
1726 |
try { |
|
1727 |
len = cipher.doFinal(dup, bb); |
|
1728 |
} catch (IllegalBlockSizeException | |
|
1729 |
BadPaddingException | ShortBufferException ibse) { |
|
1730 |
// unlikely to happen |
|
1731 |
throw new RuntimeException( |
|
1732 |
"Cipher error in AEAD mode in JCE provider " + |
|
1733 |
cipher.getProvider().getName(), ibse); |
|
1734 |
} |
|
1735 |
||
1736 |
if (len != outputSize) { |
|
1737 |
throw new RuntimeException( |
|
1738 |
"Cipher buffering error in JCE provider " + |
|
1739 |
cipher.getProvider().getName()); |
|
1740 |
} |
|
1741 |
||
1742 |
return len + nonce.length; |
|
1743 |
} |
|
1744 |
||
1745 |
@Override |
|
1746 |
void dispose() { |
|
1747 |
if (cipher != null) { |
|
1748 |
try { |
|
1749 |
cipher.doFinal(); |
|
1750 |
} catch (Exception e) { |
|
1751 |
// swallow all types of exceptions. |
|
1752 |
} |
|
1753 |
} |
|
1754 |
} |
|
1755 |
||
1756 |
@Override |
|
1757 |
int getExplicitNonceSize() { |
|
1758 |
return recordIvSize; |
|
1759 |
} |
|
1760 |
||
1761 |
@Override |
|
1762 |
int calculateFragmentSize(int packetLimit, int headerSize) { |
|
1763 |
return packetLimit - headerSize - recordIvSize - tagSize; |
|
1764 |
} |
|
1765 |
||
1766 |
@Override |
|
1767 |
int calculatePacketSize(int fragmentSize, int headerSize) { |
|
1768 |
return fragmentSize + headerSize + recordIvSize + tagSize; |
|
1769 |
} |
|
1770 |
} |
|
1771 |
} |
|
1772 |
||
1773 |
private static final |
|
1774 |
class T13GcmReadCipherGenerator implements ReadCipherGenerator { |
|
1775 |
||
1776 |
@Override |
|
1777 |
public SSLReadCipher createCipher(SSLCipher sslCipher, |
|
1778 |
Authenticator authenticator, ProtocolVersion protocolVersion, |
|
1779 |
String algorithm, Key key, AlgorithmParameterSpec params, |
|
1780 |
SecureRandom random) throws GeneralSecurityException { |
|
1781 |
return new GcmReadCipher(authenticator, protocolVersion, sslCipher, |
|
1782 |
algorithm, key, params, random); |
|
1783 |
} |
|
1784 |
||
1785 |
static final class GcmReadCipher extends SSLReadCipher { |
|
1786 |
private final Cipher cipher; |
|
1787 |
private final int tagSize; |
|
1788 |
private final Key key; |
|
1789 |
private final byte[] iv; |
|
1790 |
private final SecureRandom random; |
|
1791 |
||
1792 |
GcmReadCipher(Authenticator authenticator, |
|
1793 |
ProtocolVersion protocolVersion, |
|
1794 |
SSLCipher sslCipher, String algorithm, |
|
1795 |
Key key, AlgorithmParameterSpec params, |
|
1796 |
SecureRandom random) throws GeneralSecurityException { |
|
1797 |
super(authenticator, protocolVersion); |
|
1798 |
this.cipher = JsseJce.getCipher(algorithm); |
|
1799 |
this.tagSize = sslCipher.tagSize; |
|
1800 |
this.key = key; |
|
1801 |
this.iv = ((IvParameterSpec)params).getIV(); |
|
1802 |
this.random = random; |
|
1803 |
||
1804 |
// DON'T initialize the cipher for AEAD! |
|
1805 |
} |
|
1806 |
||
1807 |
@Override |
|
1808 |
public Plaintext decrypt(byte contentType, ByteBuffer bb, |
|
1809 |
byte[] sequence) throws GeneralSecurityException { |
|
1810 |
// An implementation may receive an unencrypted record of type |
|
1811 |
// change_cipher_spec consisting of the single byte value 0x01 |
|
1812 |
// at any time after the first ClientHello message has been |
|
1813 |
// sent or received and before the peer's Finished message has |
|
1814 |
// been received and MUST simply drop it without further |
|
1815 |
// processing. |
|
1816 |
if (contentType == ContentType.CHANGE_CIPHER_SPEC.id) { |
|
1817 |
return new Plaintext(contentType, |
|
1818 |
ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor, |
|
1819 |
-1, -1L, bb.slice()); |
|
1820 |
} |
|
1821 |
||
1822 |
if (bb.remaining() <= tagSize) { |
|
1823 |
throw new BadPaddingException( |
|
1824 |
"Insufficient buffer remaining for AEAD cipher " + |
|
1825 |
"fragment (" + bb.remaining() + "). Needs to be " + |
|
1826 |
"more than tag size (" + tagSize + ")"); |
|
1827 |
} |
|
1828 |
||
1829 |
byte[] sn = sequence; |
|
1830 |
if (sn == null) { |
|
1831 |
sn = authenticator.sequenceNumber(); |
|
1832 |
} |
|
1833 |
byte[] nonce = iv.clone(); |
|
1834 |
int offset = nonce.length - sn.length; |
|
1835 |
for (int i = 0; i < sn.length; i++) { |
|
1836 |
nonce[offset + i] ^= sn[i]; |
|
1837 |
} |
|
1838 |
||
1839 |
// initialize the AEAD cipher for the unique IV |
|
1840 |
GCMParameterSpec spec = |
|
1841 |
new GCMParameterSpec(tagSize * 8, nonce); |
|
1842 |
try { |
|
1843 |
cipher.init(Cipher.DECRYPT_MODE, key, spec, random); |
|
1844 |
} catch (InvalidKeyException | |
|
1845 |
InvalidAlgorithmParameterException ikae) { |
|
1846 |
// unlikely to happen |
|
1847 |
throw new RuntimeException( |
|
1848 |
"invalid key or spec in GCM mode", ikae); |
|
1849 |
} |
|
1850 |
||
1851 |
// Update the additional authentication data, using the |
|
1852 |
// implicit sequence number of the authenticator. |
|
1853 |
byte[] aad = authenticator.acquireAuthenticationBytes( |
|
1854 |
contentType, bb.remaining(), sn); |
|
1855 |
cipher.updateAAD(aad); |
|
1856 |
||
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
1857 |
int len, pos = bb.position(); |
56542 | 1858 |
ByteBuffer dup = bb.duplicate(); |
1859 |
try { |
|
1860 |
len = cipher.doFinal(dup, bb); |
|
1861 |
} catch (IllegalBlockSizeException ibse) { |
|
1862 |
// unlikely to happen |
|
1863 |
throw new RuntimeException( |
|
1864 |
"Cipher error in AEAD mode \"" + ibse.getMessage() + |
|
1865 |
" \"in JCE provider " + cipher.getProvider().getName()); |
|
1866 |
} catch (ShortBufferException sbe) { |
|
16913 | 1867 |
// catch BouncyCastle buffering error |
56542 | 1868 |
throw new RuntimeException("Cipher buffering error in " + |
1869 |
"JCE provider " + cipher.getProvider().getName(), sbe); |
|
1870 |
} |
|
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
1871 |
// reset the limit to the end of the decrypted data |
56542 | 1872 |
bb.position(pos); |
1873 |
bb.limit(pos + len); |
|
1874 |
||
1875 |
// remove inner plaintext padding |
|
1876 |
int i = bb.limit() - 1; |
|
1877 |
for (; i > 0 && bb.get(i) == 0; i--) { |
|
1878 |
// blank |
|
1879 |
} |
|
1880 |
if (i < (pos + 1)) { |
|
1881 |
throw new BadPaddingException( |
|
1882 |
"Incorrect inner plaintext: no content type"); |
|
1883 |
} |
|
1884 |
contentType = bb.get(i); |
|
1885 |
bb.limit(i); |
|
1886 |
||
1887 |
if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) { |
|
1888 |
SSLLogger.fine( |
|
1889 |
"Plaintext after DECRYPTION", bb.duplicate()); |
|
1890 |
} |
|
1891 |
||
1892 |
return new Plaintext(contentType, |
|
1893 |
ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor, |
|
1894 |
-1, -1L, bb.slice()); |
|
1895 |
} |
|
1896 |
||
1897 |
@Override |
|
1898 |
void dispose() { |
|
1899 |
if (cipher != null) { |
|
1900 |
try { |
|
1901 |
cipher.doFinal(); |
|
1902 |
} catch (Exception e) { |
|
1903 |
// swallow all types of exceptions. |
|
1904 |
} |
|
16913 | 1905 |
} |
2 | 1906 |
} |
1907 |
||
56542 | 1908 |
@Override |
1909 |
int estimateFragmentSize(int packetSize, int headerSize) { |
|
1910 |
return packetSize - headerSize - tagSize; |
|
1911 |
} |
|
1912 |
} |
|
1913 |
} |
|
16913 | 1914 |
|
56542 | 1915 |
private static final |
1916 |
class T13GcmWriteCipherGenerator implements WriteCipherGenerator { |
|
1917 |
@Override |
|
1918 |
public SSLWriteCipher createCipher(SSLCipher sslCipher, |
|
1919 |
Authenticator authenticator, ProtocolVersion protocolVersion, |
|
1920 |
String algorithm, Key key, AlgorithmParameterSpec params, |
|
1921 |
SecureRandom random) throws GeneralSecurityException { |
|
1922 |
return new GcmWriteCipher(authenticator, protocolVersion, sslCipher, |
|
1923 |
algorithm, key, params, random); |
|
1924 |
} |
|
1925 |
||
1926 |
private static final class GcmWriteCipher extends SSLWriteCipher { |
|
1927 |
private final Cipher cipher; |
|
1928 |
private final int tagSize; |
|
1929 |
private final Key key; |
|
1930 |
private final byte[] iv; |
|
1931 |
private final SecureRandom random; |
|
2 | 1932 |
|
56542 | 1933 |
GcmWriteCipher(Authenticator authenticator, |
1934 |
ProtocolVersion protocolVersion, |
|
1935 |
SSLCipher sslCipher, String algorithm, |
|
1936 |
Key key, AlgorithmParameterSpec params, |
|
1937 |
SecureRandom random) throws GeneralSecurityException { |
|
1938 |
super(authenticator, protocolVersion); |
|
1939 |
this.cipher = JsseJce.getCipher(algorithm); |
|
1940 |
this.tagSize = sslCipher.tagSize; |
|
1941 |
this.key = key; |
|
1942 |
this.iv = ((IvParameterSpec)params).getIV(); |
|
1943 |
this.random = random; |
|
2 | 1944 |
|
56542 | 1945 |
keyLimitCountdown = cipherLimits.getOrDefault( |
1946 |
algorithm.toUpperCase() + ":" + tag[0], 0L); |
|
1947 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
1948 |
SSLLogger.fine("algorithm = " + algorithm.toUpperCase() + |
|
1949 |
":" + tag[0] + "\ncountdown value = " + |
|
1950 |
keyLimitCountdown); |
|
1951 |
} |
|
1952 |
if (keyLimitCountdown > 0) { |
|
1953 |
keyLimitEnabled = true; |
|
1954 |
} |
|
1955 |
||
1956 |
// DON'T initialize the cipher for AEAD! |
|
2 | 1957 |
} |
1958 |
||
56542 | 1959 |
@Override |
1960 |
public int encrypt(byte contentType, |
|
1961 |
ByteBuffer bb) { |
|
1962 |
byte[] sn = authenticator.sequenceNumber(); |
|
1963 |
byte[] nonce = iv.clone(); |
|
1964 |
int offset = nonce.length - sn.length; |
|
1965 |
for (int i = 0; i < sn.length; i++) { |
|
1966 |
nonce[offset + i] ^= sn[i]; |
|
1967 |
} |
|
1968 |
||
1969 |
// initialize the AEAD cipher for the unique IV |
|
1970 |
GCMParameterSpec spec = |
|
1971 |
new GCMParameterSpec(tagSize * 8, nonce); |
|
1972 |
try { |
|
1973 |
cipher.init(Cipher.ENCRYPT_MODE, key, spec, random); |
|
1974 |
} catch (InvalidKeyException | |
|
1975 |
InvalidAlgorithmParameterException ikae) { |
|
1976 |
// unlikely to happen |
|
1977 |
throw new RuntimeException( |
|
1978 |
"invalid key or spec in GCM mode", ikae); |
|
1979 |
} |
|
1980 |
||
1981 |
// Update the additional authentication data, using the |
|
1982 |
// implicit sequence number of the authenticator. |
|
1983 |
int outputSize = cipher.getOutputSize(bb.remaining()); |
|
1984 |
byte[] aad = authenticator.acquireAuthenticationBytes( |
|
1985 |
contentType, outputSize, sn); |
|
1986 |
cipher.updateAAD(aad); |
|
1987 |
||
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
1988 |
int len, pos = bb.position(); |
56542 | 1989 |
if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) { |
1990 |
SSLLogger.fine( |
|
1991 |
"Plaintext before ENCRYPTION", |
|
1992 |
bb.duplicate()); |
|
1993 |
} |
|
7039 | 1994 |
|
56542 | 1995 |
ByteBuffer dup = bb.duplicate(); |
1996 |
if (outputSize > bb.remaining()) { |
|
1997 |
// Need to expand the limit of the output buffer for |
|
1998 |
// the authentication tag. |
|
1999 |
// |
|
2000 |
// DON'T worry about the buffer's capacity, we have |
|
2001 |
// reserved space for the authentication tag. |
|
2002 |
bb.limit(pos + outputSize); |
|
2003 |
} |
|
2004 |
||
2005 |
try { |
|
2006 |
len = cipher.doFinal(dup, bb); |
|
2007 |
} catch (IllegalBlockSizeException | |
|
2008 |
BadPaddingException | ShortBufferException ibse) { |
|
2009 |
// unlikely to happen |
|
2010 |
throw new RuntimeException( |
|
2011 |
"Cipher error in AEAD mode in JCE provider " + |
|
2012 |
cipher.getProvider().getName(), ibse); |
|
2013 |
} |
|
2014 |
||
2015 |
if (len != outputSize) { |
|
2016 |
throw new RuntimeException( |
|
2017 |
"Cipher buffering error in JCE provider " + |
|
2018 |
cipher.getProvider().getName()); |
|
2019 |
} |
|
2020 |
||
2021 |
if (keyLimitEnabled) { |
|
2022 |
keyLimitCountdown -= len; |
|
2023 |
} |
|
2024 |
return len; |
|
2025 |
} |
|
2026 |
||
2027 |
@Override |
|
2028 |
void dispose() { |
|
2029 |
if (cipher != null) { |
|
2030 |
try { |
|
2031 |
cipher.doFinal(); |
|
2032 |
} catch (Exception e) { |
|
2033 |
// swallow all types of exceptions. |
|
7039 | 2034 |
} |
2035 |
} |
|
2 | 2036 |
} |
56542 | 2037 |
|
2038 |
@Override |
|
2039 |
int getExplicitNonceSize() { |
|
2040 |
return 0; |
|
2041 |
} |
|
2042 |
||
2043 |
@Override |
|
2044 |
int calculateFragmentSize(int packetLimit, int headerSize) { |
|
2045 |
return packetLimit - headerSize - tagSize; |
|
2046 |
} |
|
2047 |
||
2048 |
@Override |
|
2049 |
int calculatePacketSize(int fragmentSize, int headerSize) { |
|
2050 |
return fragmentSize + headerSize + tagSize; |
|
2051 |
} |
|
2 | 2052 |
} |
2053 |
} |
|
2054 |
||
56542 | 2055 |
private static void addMac(MAC signer, |
2056 |
ByteBuffer destination, byte contentType) { |
|
2057 |
if (signer.macAlg().size != 0) { |
|
2058 |
int dstContent = destination.position(); |
|
2059 |
byte[] hash = signer.compute(contentType, destination, false); |
|
2060 |
||
2061 |
/* |
|
2062 |
* position was advanced to limit in MAC compute above. |
|
2063 |
* |
|
2064 |
* Mark next area as writable (above layers should have |
|
2065 |
* established that we have plenty of room), then write |
|
2066 |
* out the hash. |
|
2067 |
*/ |
|
2068 |
destination.limit(destination.limit() + hash.length); |
|
2069 |
destination.put(hash); |
|
2070 |
||
2071 |
// reset the position and limit |
|
2072 |
destination.position(dstContent); |
|
2073 |
} |
|
2074 |
} |
|
2075 |
||
2076 |
// for null and stream cipher |
|
2077 |
private static void checkStreamMac(MAC signer, ByteBuffer bb, |
|
2078 |
byte contentType, byte[] sequence) throws BadPaddingException { |
|
2079 |
int tagLen = signer.macAlg().size; |
|
2080 |
||
2081 |
// Requires message authentication code for null, stream and |
|
2082 |
// block cipher suites. |
|
2083 |
if (tagLen != 0) { |
|
2084 |
int contentLen = bb.remaining() - tagLen; |
|
2085 |
if (contentLen < 0) { |
|
2086 |
throw new BadPaddingException("bad record"); |
|
2087 |
} |
|
2088 |
||
2089 |
// Run MAC computation and comparison on the payload. |
|
2090 |
// |
|
2091 |
// MAC data would be stripped off during the check. |
|
2092 |
if (checkMacTags(contentType, bb, signer, sequence, false)) { |
|
2093 |
throw new BadPaddingException("bad record MAC"); |
|
2094 |
} |
|
2095 |
} |
|
2096 |
} |
|
2 | 2097 |
|
56542 | 2098 |
// for CBC cipher |
2099 |
private static void checkCBCMac(MAC signer, ByteBuffer bb, |
|
2100 |
byte contentType, int cipheredLength, |
|
2101 |
byte[] sequence) throws BadPaddingException { |
|
2102 |
BadPaddingException reservedBPE = null; |
|
2103 |
int tagLen = signer.macAlg().size; |
|
2104 |
int pos = bb.position(); |
|
2105 |
||
2106 |
if (tagLen != 0) { |
|
2107 |
int contentLen = bb.remaining() - tagLen; |
|
2108 |
if (contentLen < 0) { |
|
2109 |
reservedBPE = new BadPaddingException("bad record"); |
|
2110 |
||
2111 |
// set offset of the dummy MAC |
|
2112 |
contentLen = cipheredLength - tagLen; |
|
2113 |
bb.limit(pos + cipheredLength); |
|
2114 |
} |
|
2 | 2115 |
|
56542 | 2116 |
// Run MAC computation and comparison on the payload. |
2117 |
// |
|
2118 |
// MAC data would be stripped off during the check. |
|
2119 |
if (checkMacTags(contentType, bb, signer, sequence, false)) { |
|
2120 |
if (reservedBPE == null) { |
|
2121 |
reservedBPE = |
|
2122 |
new BadPaddingException("bad record MAC"); |
|
2123 |
} |
|
2124 |
} |
|
2125 |
||
2126 |
// Run MAC computation and comparison on the remainder. |
|
2127 |
int remainingLen = calculateRemainingLen( |
|
2128 |
signer, cipheredLength, contentLen); |
|
2129 |
||
2130 |
// NOTE: remainingLen may be bigger (less than 1 block of the |
|
2131 |
// hash algorithm of the MAC) than the cipheredLength. |
|
2132 |
// |
|
2133 |
// Is it possible to use a static buffer, rather than allocate |
|
2134 |
// it dynamically? |
|
2135 |
remainingLen += signer.macAlg().size; |
|
2136 |
ByteBuffer temporary = ByteBuffer.allocate(remainingLen); |
|
2137 |
||
2138 |
// Won't need to worry about the result on the remainder. And |
|
2139 |
// then we won't need to worry about what's actual data to |
|
2140 |
// check MAC tag on. We start the check from the header of the |
|
2141 |
// buffer so that we don't need to construct a new byte buffer. |
|
2142 |
checkMacTags(contentType, temporary, signer, sequence, true); |
|
2 | 2143 |
} |
2144 |
||
56542 | 2145 |
// Is it a failover? |
2146 |
if (reservedBPE != null) { |
|
2147 |
throw reservedBPE; |
|
2 | 2148 |
} |
2149 |
} |
|
2150 |
||
2151 |
/* |
|
56542 | 2152 |
* Run MAC computation and comparison |
2153 |
*/ |
|
2154 |
private static boolean checkMacTags(byte contentType, ByteBuffer bb, |
|
2155 |
MAC signer, byte[] sequence, boolean isSimulated) { |
|
2156 |
int tagLen = signer.macAlg().size; |
|
2157 |
int position = bb.position(); |
|
2158 |
int lim = bb.limit(); |
|
2159 |
int macOffset = lim - tagLen; |
|
2160 |
||
2161 |
bb.limit(macOffset); |
|
2162 |
byte[] hash = signer.compute(contentType, bb, sequence, isSimulated); |
|
2163 |
if (hash == null || tagLen != hash.length) { |
|
2164 |
// Something is wrong with MAC implementation. |
|
2165 |
throw new RuntimeException("Internal MAC error"); |
|
2166 |
} |
|
2167 |
||
2168 |
bb.position(macOffset); |
|
2169 |
bb.limit(lim); |
|
2170 |
try { |
|
2171 |
int[] results = compareMacTags(bb, hash); |
|
2172 |
return (results[0] != 0); |
|
2173 |
} finally { |
|
2174 |
// reset to the data |
|
2175 |
bb.position(position); |
|
2176 |
bb.limit(macOffset); |
|
2177 |
} |
|
2178 |
} |
|
2179 |
||
2180 |
/* |
|
2181 |
* A constant-time comparison of the MAC tags. |
|
2 | 2182 |
* |
56542 | 2183 |
* Please DON'T change the content of the ByteBuffer parameter! |
2 | 2184 |
*/ |
56542 | 2185 |
private static int[] compareMacTags(ByteBuffer bb, byte[] tag) { |
2186 |
// An array of hits is used to prevent Hotspot optimization for |
|
2187 |
// the purpose of a constant-time check. |
|
2188 |
int[] results = {0, 0}; // {missed #, matched #} |
|
2189 |
||
2190 |
// The caller ensures there are enough bytes available in the buffer. |
|
2191 |
// So we won't need to check the remaining of the buffer. |
|
56715
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
2192 |
for (byte t : tag) { |
b152d06ed6a9
code review nits and TrasnportContext constructor changes
ascarpino
parents:
56542
diff
changeset
|
2193 |
if (bb.get() != t) { |
56542 | 2194 |
results[0]++; // mismatched bytes |
2195 |
} else { |
|
2196 |
results[1]++; // matched bytes |
|
2197 |
} |
|
2198 |
} |
|
2199 |
||
2200 |
return results; |
|
2201 |
} |
|
2202 |
||
2203 |
/* |
|
2204 |
* Calculate the length of a dummy buffer to run MAC computation |
|
2205 |
* and comparison on the remainder. |
|
2206 |
* |
|
2207 |
* The caller MUST ensure that the fullLen is not less than usedLen. |
|
2208 |
*/ |
|
2209 |
private static int calculateRemainingLen( |
|
2210 |
MAC signer, int fullLen, int usedLen) { |
|
2211 |
||
2212 |
int blockLen = signer.macAlg().hashBlockSize; |
|
2213 |
int minimalPaddingLen = signer.macAlg().minimalPaddingSize; |
|
2214 |
||
2215 |
// (blockLen - minimalPaddingLen) is the maximum message size of |
|
2216 |
// the last block of hash function operation. See FIPS 180-4, or |
|
2217 |
// MD5 specification. |
|
2218 |
fullLen += 13 - (blockLen - minimalPaddingLen); |
|
2219 |
usedLen += 13 - (blockLen - minimalPaddingLen); |
|
2220 |
||
2221 |
// Note: fullLen is always not less than usedLen, and blockLen |
|
2222 |
// is always bigger than minimalPaddingLen, so we don't worry |
|
2223 |
// about negative values. 0x01 is added to the result to ensure |
|
2224 |
// that the return value is positive. The extra one byte does |
|
2225 |
// not impact the overall MAC compression function evaluations. |
|
2226 |
return 0x01 + (int)(Math.ceil(fullLen/(1.0d * blockLen)) - |
|
2227 |
Math.ceil(usedLen/(1.0d * blockLen))) * blockLen; |
|
2228 |
} |
|
2229 |
||
2 | 2230 |
private static int addPadding(ByteBuffer bb, int blockSize) { |
2231 |
||
2232 |
int len = bb.remaining(); |
|
2233 |
int offset = bb.position(); |
|
2234 |
||
2235 |
int newlen = len + 1; |
|
2236 |
byte pad; |
|
2237 |
int i; |
|
2238 |
||
2239 |
if ((newlen % blockSize) != 0) { |
|
2240 |
newlen += blockSize - 1; |
|
2241 |
newlen -= newlen % blockSize; |
|
2242 |
} |
|
2243 |
pad = (byte) (newlen - len); |
|
2244 |
||
2245 |
/* |
|
2246 |
* Update the limit to what will be padded. |
|
2247 |
*/ |
|
2248 |
bb.limit(newlen + offset); |
|
2249 |
||
2250 |
/* |
|
2251 |
* TLS version of the padding works for both SSLv3 and TLSv1 |
|
2252 |
*/ |
|
2253 |
for (i = 0, offset += len; i < pad; i++) { |
|
2254 |
bb.put(offset++, (byte) (pad - 1)); |
|
2255 |
} |
|
2256 |
||
2257 |
bb.position(offset); |
|
2258 |
bb.limit(offset); |
|
2259 |
||
2260 |
return newlen; |
|
2261 |
} |
|
2262 |
||
2263 |
private static int removePadding(ByteBuffer bb, |
|
16113 | 2264 |
int tagLen, int blockSize, |
2265 |
ProtocolVersion protocolVersion) throws BadPaddingException { |
|
2 | 2266 |
int len = bb.remaining(); |
2267 |
int offset = bb.position(); |
|
2268 |
||
2269 |
// last byte is length byte (i.e. actual padding length - 1) |
|
2270 |
int padOffset = offset + len - 1; |
|
16113 | 2271 |
int padLen = bb.get(padOffset) & 0xFF; |
2 | 2272 |
|
16113 | 2273 |
int newLen = len - (padLen + 1); |
2274 |
if ((newLen - tagLen) < 0) { |
|
2275 |
// If the buffer is not long enough to contain the padding plus |
|
2276 |
// a MAC tag, do a dummy constant-time padding check. |
|
2277 |
// |
|
2278 |
// Note that it is a dummy check, so we won't care about what is |
|
2279 |
// the actual padding data. |
|
2280 |
checkPadding(bb.duplicate(), (byte)(padLen & 0xFF)); |
|
2281 |
||
2282 |
throw new BadPaddingException("Invalid Padding length: " + padLen); |
|
2 | 2283 |
} |
2284 |
||
16113 | 2285 |
// The padding data should be filled with the padding length value. |
2286 |
int[] results = checkPadding( |
|
27292
7ff4b24b33ce
4774077: Use covariant return types in the NIO buffer hierarchy
rwarburton
parents:
25859
diff
changeset
|
2287 |
bb.duplicate().position(offset + newLen), |
16113 | 2288 |
(byte)(padLen & 0xFF)); |
30904 | 2289 |
if (protocolVersion.useTLS10PlusSpec()) { |
16113 | 2290 |
if (results[0] != 0) { // padding data has invalid bytes |
2291 |
throw new BadPaddingException("Invalid TLS padding data"); |
|
2 | 2292 |
} |
2293 |
} else { // SSLv3 |
|
2294 |
// SSLv3 requires 0 <= length byte < block size |
|
2295 |
// some implementations do 1 <= length byte <= block size, |
|
2296 |
// so accept that as well |
|
2297 |
// v3 does not require any particular value for the other bytes |
|
16113 | 2298 |
if (padLen > blockSize) { |
40544
807dd9a425db
8150530: Improve javax.crypto.BadPaddingException messages
coffeys
parents:
34826
diff
changeset
|
2299 |
throw new BadPaddingException("Padding length (" + |
807dd9a425db
8150530: Improve javax.crypto.BadPaddingException messages
coffeys
parents:
34826
diff
changeset
|
2300 |
padLen + ") of SSLv3 message should not be bigger " + |
807dd9a425db
8150530: Improve javax.crypto.BadPaddingException messages
coffeys
parents:
34826
diff
changeset
|
2301 |
"than the block size (" + blockSize + ")"); |
2 | 2302 |
} |
2303 |
} |
|
2304 |
||
56542 | 2305 |
// Reset buffer limit to remove padding. |
16113 | 2306 |
bb.limit(offset + newLen); |
2 | 2307 |
|
16113 | 2308 |
return newLen; |
2 | 2309 |
} |
1763
0a6b65d56746
6750401: SSL stress test with GF leads to 32 bit max process size in less than 5 minutes,with PCKS11 provider
wetmore
parents:
2
diff
changeset
|
2310 |
|
0a6b65d56746
6750401: SSL stress test with GF leads to 32 bit max process size in less than 5 minutes,with PCKS11 provider
wetmore
parents:
2
diff
changeset
|
2311 |
/* |
56542 | 2312 |
* A constant-time check of the padding. |
10915 | 2313 |
* |
56542 | 2314 |
* NOTE that we are checking both the padding and the padLen bytes here. |
16913 | 2315 |
* |
56542 | 2316 |
* The caller MUST ensure that the bb parameter has remaining. |
16913 | 2317 |
*/ |
56542 | 2318 |
private static int[] checkPadding(ByteBuffer bb, byte pad) { |
2319 |
if (!bb.hasRemaining()) { |
|
2320 |
throw new RuntimeException("hasRemaining() must be positive"); |
|
16913 | 2321 |
} |
2322 |
||
56542 | 2323 |
// An array of hits is used to prevent Hotspot optimization for |
2324 |
// the purpose of a constant-time check. |
|
2325 |
int[] results = {0, 0}; // {missed #, matched #} |
|
2326 |
bb.mark(); |
|
2327 |
for (int i = 0; i <= 256; bb.reset()) { |
|
2328 |
for (; bb.hasRemaining() && i <= 256; i++) { |
|
2329 |
if (bb.get() != pad) { |
|
2330 |
results[0]++; // mismatched padding data |
|
2331 |
} else { |
|
2332 |
results[1]++; // matched padding data |
|
16913 | 2333 |
} |
30904 | 2334 |
} |
2335 |
} |
|
2336 |
||
56542 | 2337 |
return results; |
30904 | 2338 |
} |
56542 | 2339 |
} |
30904 | 2340 |