Merge "Merge remote-tracking branch 'aosp/upstream-master' into merge-152-from-upstream"

author: Sergio Giro <sgiro@google.com> 2016-02-01 18:52:42 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> 2016-02-01 18:52:42 +0000
commit: 9218edabd1ef9852bc2f13115dcadc81b442dd6c (patch)
tree: 8229ff72c8cbb06f49dce3a8382930919fa6fc2b /bcprov/src/main/java/org/bouncycastle/crypto/tls/TlsStreamCipher.java
parent: 9b30eb05e5be69d51881a0d1b31e503e97acd784 (diff)
parent: 397d32894b89b506dc318e0f83446187c9b76ebe (diff)
download: android_external_bouncycastle-9218edabd1ef9852bc2f13115dcadc81b442dd6c.tar.gz
android_external_bouncycastle-9218edabd1ef9852bc2f13115dcadc81b442dd6c.tar.bz2
android_external_bouncycastle-9218edabd1ef9852bc2f13115dcadc81b442dd6c.zip
1 files changed, 168 insertions, 0 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/crypto/tls/TlsStreamCipher.java b/bcprov/src/main/java/org/bouncycastle/crypto/tls/TlsStreamCipher.java
new file mode 100644
index 0000000..4e2c263
--- /dev/null
+++ b/bcprov/src/main/java/org/bouncycastle/crypto/tls/TlsStreamCipher.java
@@ -0,0 +1,168 @@
+package org.bouncycastle.crypto.tls;
+
+import java.io.IOException;
+
+import org.bouncycastle.crypto.CipherParameters;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.StreamCipher;
+import org.bouncycastle.crypto.params.KeyParameter;
+import org.bouncycastle.crypto.params.ParametersWithIV;
+import org.bouncycastle.util.Arrays;
+
+public class TlsStreamCipher
+    implements TlsCipher
+{
+    protected TlsContext context;
+
+    protected StreamCipher encryptCipher;
+    protected StreamCipher decryptCipher;
+
+    protected TlsMac writeMac;
+    protected TlsMac readMac;
+
+    protected boolean usesNonce;
+
+    public TlsStreamCipher(TlsContext context, StreamCipher clientWriteCipher,
+        StreamCipher serverWriteCipher, Digest clientWriteDigest, Digest serverWriteDigest,
+        int cipherKeySize, boolean usesNonce) throws IOException
+    {
+        boolean isServer = context.isServer();
+
+        this.context = context;
+        this.usesNonce = usesNonce;
+
+        this.encryptCipher = clientWriteCipher;
+        this.decryptCipher = serverWriteCipher;
+
+        int key_block_size = (2 * cipherKeySize) + clientWriteDigest.getDigestSize()
+            + serverWriteDigest.getDigestSize();
+
+        byte[] key_block = TlsUtils.calculateKeyBlock(context, key_block_size);
+
+        int offset = 0;
+
+        // Init MACs
+        TlsMac clientWriteMac = new TlsMac(context, clientWriteDigest, key_block, offset,
+            clientWriteDigest.getDigestSize());
+        offset += clientWriteDigest.getDigestSize();
+        TlsMac serverWriteMac = new TlsMac(context, serverWriteDigest, key_block, offset,
+            serverWriteDigest.getDigestSize());
+        offset += serverWriteDigest.getDigestSize();
+
+        // Build keys
+        KeyParameter clientWriteKey = new KeyParameter(key_block, offset, cipherKeySize);
+        offset += cipherKeySize;
+        KeyParameter serverWriteKey = new KeyParameter(key_block, offset, cipherKeySize);
+        offset += cipherKeySize;
+
+        if (offset != key_block_size)
+        {
+            throw new TlsFatalAlert(AlertDescription.internal_error);
+        }
+
+        CipherParameters encryptParams, decryptParams;
+        if (isServer)
+        {
+            this.writeMac = serverWriteMac;
+            this.readMac = clientWriteMac;
+            this.encryptCipher = serverWriteCipher;
+            this.decryptCipher = clientWriteCipher;
+            encryptParams = serverWriteKey;
+            decryptParams = clientWriteKey;
+        }
+        else
+        {
+            this.writeMac = clientWriteMac;
+            this.readMac = serverWriteMac;
+            this.encryptCipher = clientWriteCipher;
+            this.decryptCipher = serverWriteCipher;
+            encryptParams = clientWriteKey;
+            decryptParams = serverWriteKey;
+        }
+
+        if (usesNonce)
+        {
+            byte[] dummyNonce = new byte[8];
+            encryptParams = new ParametersWithIV(encryptParams, dummyNonce);
+            decryptParams = new ParametersWithIV(decryptParams, dummyNonce);
+        }
+
+        this.encryptCipher.init(true, encryptParams);
+        this.decryptCipher.init(false, decryptParams);
+    }
+
+    public int getPlaintextLimit(int ciphertextLimit)
+    {
+        return ciphertextLimit - writeMac.getSize();
+    }
+
+    public byte[] encodePlaintext(long seqNo, short type, byte[] plaintext, int offset, int len)
+    {
+        /*
+         * draft-josefsson-salsa20-tls-04 2.1 Note that Salsa20 requires a 64-bit nonce. That
+         * nonce is updated on the encryption of every TLS record, and is set to be the 64-bit TLS
+         * record sequence number. In case of DTLS the 64-bit nonce is formed as the concatenation
+         * of the 16-bit epoch with the 48-bit sequence number.
+         */
+        if (usesNonce)
+        {
+            updateIV(encryptCipher, true, seqNo);
+        }
+
+        byte[] outBuf = new byte[len + writeMac.getSize()];
+
+        encryptCipher.processBytes(plaintext, offset, len, outBuf, 0);
+
+        byte[] mac = writeMac.calculateMac(seqNo, type, plaintext, offset, len);
+        encryptCipher.processBytes(mac, 0, mac.length, outBuf, len);
+
+        return outBuf;
+    }
+
+    public byte[] decodeCiphertext(long seqNo, short type, byte[] ciphertext, int offset, int len)
+        throws IOException
+    {
+        /*
+         * draft-josefsson-salsa20-tls-04 2.1 Note that Salsa20 requires a 64-bit nonce. That
+         * nonce is updated on the encryption of every TLS record, and is set to be the 64-bit TLS
+         * record sequence number. In case of DTLS the 64-bit nonce is formed as the concatenation
+         * of the 16-bit epoch with the 48-bit sequence number.
+         */
+        if (usesNonce)
+        {
+            updateIV(decryptCipher, false, seqNo);
+        }
+
+        int macSize = readMac.getSize();
+        if (len < macSize)
+        {
+            throw new TlsFatalAlert(AlertDescription.decode_error);
+        }
+
+        int plaintextLength = len - macSize;
+
+        byte[] deciphered = new byte[len];
+        decryptCipher.processBytes(ciphertext, offset, len, deciphered, 0);
+        checkMAC(seqNo, type, deciphered, plaintextLength, len, deciphered, 0, plaintextLength);
+        return Arrays.copyOfRange(deciphered, 0, plaintextLength);
+    }
+
+    protected void checkMAC(long seqNo, short type, byte[] recBuf, int recStart, int recEnd, byte[] calcBuf, int calcOff, int calcLen)
+        throws IOException
+    {
+        byte[] receivedMac = Arrays.copyOfRange(recBuf, recStart, recEnd);
+        byte[] computedMac = readMac.calculateMac(seqNo, type, calcBuf, calcOff, calcLen);
+
+        if (!Arrays.constantTimeAreEqual(receivedMac, computedMac))
+        {
+            throw new TlsFatalAlert(AlertDescription.bad_record_mac);
+        }
+    }
+
+    protected void updateIV(StreamCipher cipher, boolean forEncryption, long seqNo)
+    {
+        byte[] nonce = new byte[8];
+        TlsUtils.writeUint64(seqNo, nonce, 0);
+        cipher.init(forEncryption, new ParametersWithIV(null, nonce));
+    }
+}
author	Sergio Giro <sgiro@google.com>	2016-02-01 18:52:42 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	2016-02-01 18:52:42 +0000
commit	9218edabd1ef9852bc2f13115dcadc81b442dd6c (patch)
tree	8229ff72c8cbb06f49dce3a8382930919fa6fc2b /bcprov/src/main/java/org/bouncycastle/crypto/tls/TlsStreamCipher.java
parent	9b30eb05e5be69d51881a0d1b31e503e97acd784 (diff)
parent	397d32894b89b506dc318e0f83446187c9b76ebe (diff)
download	android_external_bouncycastle-9218edabd1ef9852bc2f13115dcadc81b442dd6c.tar.gz android_external_bouncycastle-9218edabd1ef9852bc2f13115dcadc81b442dd6c.tar.bz2 android_external_bouncycastle-9218edabd1ef9852bc2f13115dcadc81b442dd6c.zip