diff options
Diffstat (limited to 'bcprov/src/main/java/org/bouncycastle/crypto/tls/TlsAEADCipher.java')
-rw-r--r-- | bcprov/src/main/java/org/bouncycastle/crypto/tls/TlsAEADCipher.java | 193 |
1 files changed, 0 insertions, 193 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/crypto/tls/TlsAEADCipher.java b/bcprov/src/main/java/org/bouncycastle/crypto/tls/TlsAEADCipher.java deleted file mode 100644 index 39133e6..0000000 --- a/bcprov/src/main/java/org/bouncycastle/crypto/tls/TlsAEADCipher.java +++ /dev/null @@ -1,193 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -import org.bouncycastle.crypto.modes.AEADBlockCipher; -import org.bouncycastle.crypto.params.AEADParameters; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.util.Arrays; - -public class TlsAEADCipher - implements TlsCipher -{ - protected TlsContext context; - protected int macSize; - protected int nonce_explicit_length; - - protected AEADBlockCipher encryptCipher; - protected AEADBlockCipher decryptCipher; - - protected byte[] encryptImplicitNonce, decryptImplicitNonce; - - public TlsAEADCipher(TlsContext context, AEADBlockCipher clientWriteCipher, AEADBlockCipher serverWriteCipher, - int cipherKeySize, int macSize) throws IOException - { - if (!TlsUtils.isTLSv12(context)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - this.context = context; - this.macSize = macSize; - - // NOTE: Valid for RFC 5288/6655 ciphers but may need review for other AEAD ciphers - this.nonce_explicit_length = 8; - - // TODO SecurityParameters.fixed_iv_length - int fixed_iv_length = 4; - - int key_block_size = (2 * cipherKeySize) + (2 * fixed_iv_length); - - byte[] key_block = TlsUtils.calculateKeyBlock(context, key_block_size); - - int offset = 0; - - KeyParameter client_write_key = new KeyParameter(key_block, offset, cipherKeySize); - offset += cipherKeySize; - KeyParameter server_write_key = new KeyParameter(key_block, offset, cipherKeySize); - offset += cipherKeySize; - byte[] client_write_IV = Arrays.copyOfRange(key_block, offset, offset + fixed_iv_length); - offset += fixed_iv_length; - byte[] server_write_IV = Arrays.copyOfRange(key_block, offset, offset + fixed_iv_length); - offset += fixed_iv_length; - - if (offset != key_block_size) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - KeyParameter encryptKey, decryptKey; - if (context.isServer()) - { - this.encryptCipher = serverWriteCipher; - this.decryptCipher = clientWriteCipher; - this.encryptImplicitNonce = server_write_IV; - this.decryptImplicitNonce = client_write_IV; - encryptKey = server_write_key; - decryptKey = client_write_key; - } - else - { - this.encryptCipher = clientWriteCipher; - this.decryptCipher = serverWriteCipher; - this.encryptImplicitNonce = client_write_IV; - this.decryptImplicitNonce = server_write_IV; - encryptKey = client_write_key; - decryptKey = server_write_key; - } - - byte[] dummyNonce = new byte[fixed_iv_length + nonce_explicit_length]; - - this.encryptCipher.init(true, new AEADParameters(encryptKey, 8 * macSize, dummyNonce)); - this.decryptCipher.init(false, new AEADParameters(decryptKey, 8 * macSize, dummyNonce)); - } - - public int getPlaintextLimit(int ciphertextLimit) - { - // TODO We ought to be able to ask the decryptCipher (independently of it's current state!) - return ciphertextLimit - macSize - nonce_explicit_length; - } - - public byte[] encodePlaintext(long seqNo, short type, byte[] plaintext, int offset, int len) - throws IOException - { - byte[] nonce = new byte[this.encryptImplicitNonce.length + nonce_explicit_length]; - System.arraycopy(encryptImplicitNonce, 0, nonce, 0, encryptImplicitNonce.length); - - /* - * RFC 5288/6655 The nonce_explicit MAY be the 64-bit sequence number. - * - * (May need review for other AEAD ciphers). - */ - TlsUtils.writeUint64(seqNo, nonce, encryptImplicitNonce.length); - - int plaintextOffset = offset; - int plaintextLength = len; - int ciphertextLength = encryptCipher.getOutputSize(plaintextLength); - - byte[] output = new byte[nonce_explicit_length + ciphertextLength]; - System.arraycopy(nonce, encryptImplicitNonce.length, output, 0, nonce_explicit_length); - int outputPos = nonce_explicit_length; - - byte[] additionalData = getAdditionalData(seqNo, type, plaintextLength); - AEADParameters parameters = new AEADParameters(null, 8 * macSize, nonce, additionalData); - - try - { - encryptCipher.init(true, parameters); - outputPos += encryptCipher.processBytes(plaintext, plaintextOffset, plaintextLength, output, outputPos); - outputPos += encryptCipher.doFinal(output, outputPos); - } - catch (Exception e) - { - throw new TlsFatalAlert(AlertDescription.internal_error, e); - } - - if (outputPos != output.length) - { - // NOTE: Existing AEAD cipher implementations all give exact output lengths - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - return output; - } - - public byte[] decodeCiphertext(long seqNo, short type, byte[] ciphertext, int offset, int len) - throws IOException - { - if (getPlaintextLimit(len) < 0) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - byte[] nonce = new byte[this.decryptImplicitNonce.length + nonce_explicit_length]; - System.arraycopy(decryptImplicitNonce, 0, nonce, 0, decryptImplicitNonce.length); - System.arraycopy(ciphertext, offset, nonce, decryptImplicitNonce.length, nonce_explicit_length); - - int ciphertextOffset = offset + nonce_explicit_length; - int ciphertextLength = len - nonce_explicit_length; - int plaintextLength = decryptCipher.getOutputSize(ciphertextLength); - - byte[] output = new byte[plaintextLength]; - int outputPos = 0; - - byte[] additionalData = getAdditionalData(seqNo, type, plaintextLength); - AEADParameters parameters = new AEADParameters(null, 8 * macSize, nonce, additionalData); - - try - { - decryptCipher.init(false, parameters); - outputPos += decryptCipher.processBytes(ciphertext, ciphertextOffset, ciphertextLength, output, outputPos); - outputPos += decryptCipher.doFinal(output, outputPos); - } - catch (Exception e) - { - throw new TlsFatalAlert(AlertDescription.bad_record_mac, e); - } - - if (outputPos != output.length) - { - // NOTE: Existing AEAD cipher implementations all give exact output lengths - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - return output; - } - - protected byte[] getAdditionalData(long seqNo, short type, int len) - throws IOException - { - /* - * additional_data = seq_num + TLSCompressed.type + TLSCompressed.version + - * TLSCompressed.length - */ - - byte[] additional_data = new byte[13]; - TlsUtils.writeUint64(seqNo, additional_data, 0); - TlsUtils.writeUint8(type, additional_data, 8); - TlsUtils.writeVersion(context.getServerVersion(), additional_data, 9); - TlsUtils.writeUint16(len, additional_data, 11); - - return additional_data; - } -} |