5799N/A * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. 0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 0N/A * This code is free software; you can redistribute it and/or modify it 0N/A * under the terms of the GNU General Public License version 2 only, as 2362N/A * published by the Free Software Foundation. Oracle designates this 0N/A * particular file as subject to the "Classpath" exception as provided 2362N/A * by Oracle in the LICENSE file that accompanied this code. 0N/A * This code is distributed in the hope that it will be useful, but WITHOUT 0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 0N/A * version 2 for more details (a copy is included in the LICENSE file that 0N/A * accompanied this code). 0N/A * You should have received a copy of the GNU General Public License version 0N/A * 2 along with this work; if not, write to the Free Software Foundation, 0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2362N/A * or visit www.oracle.com if you need additional information or have any 0N/A * message. This provides data confidentiality. Stream ciphers (such 0N/A * as RC4) don't need to do padding; block ciphers (e.g. DES) need it. 0N/A * Individual instances are obtained by calling the static method 0N/A * newCipherBox(), which should only be invoked by BulkCipher.newCipher(). 2998N/A * In RFC 2246, with bock ciphers in CBC mode, the Initialization 2998N/A * Vector (IV) for the first record is generated with the other keys 2998N/A * and secrets when the security parameters are set. The IV for 2998N/A * subsequent records is the last ciphertext block from the previous 2998N/A * In RFC 4346, the implicit Initialization Vector (IV) is replaced 2998N/A * with an explicit IV to protect against CBC attacks. RFC 4346 2998N/A * recommends two algorithms used to generated the per-record IV. 2998N/A * The implementation uses the algorithm (2)(b), as described at 2998N/A * section 6.2.3.2 of RFC 4346. 2998N/A * The usage of IV in CBC block cipher can be illustrated in 2998N/A * SIV---+ |-----+ |-... |----- |------ 2998N/A * +----+ | +----+ | +----+ | +----+ | 2998N/A * | Ek | | + Ek + | | Dk | | | Dk | | 2998N/A * +----+ | +----+ | +----+ | +----+ | 2998N/A * |----| |----| SIV--+ |----| |-... 2998N/A * CBC Encryption CBC Decryption 0N/A * NOTE that any ciphering involved in key exchange (e.g. with RSA) is 0N/A * handled separately. 0N/A * @author David Brownell 0N/A * @author Andreas Sterbenz 0N/A // A CipherBox that implements the identity operation 0N/A /* Class and subclass dynamic debugging support */ 0N/A // the protocol version this cipher conforms to 0N/A * Cipher blocksize, 0 for stream ciphers 4466N/A * Is the cipher of CBC mode? 2998N/A * Fixed masks of various block size, as the initial decryption IVs 2998N/A * For performance, we do not use random IVs. As the initial decryption 2998N/A * IVs will be discarded by TLS decryption processes, so the fixed masks 2998N/A * do not hurt cryptographic strength. 0N/A * NULL cipherbox. Identity operation, no encryption. 0N/A * Construct a new CipherBox using the cipher transformation. 0N/A * @exception NoSuchAlgorithmException if no appropriate JCE Cipher 0N/A * implementation could be found. 2998N/A * RFC 4346 recommends two algorithms used to generated the 2998N/A * per-record IV. The implementation uses the algorithm (2)(b), 2998N/A * as described at section 6.2.3.2 of RFC 4346. 2998N/A * As we don't care about the initial IV value for TLS 1.1 or 2998N/A * later, so if the "iv" parameter is null, we use the default 2998N/A // Do not call getBlockSize until after init() 0N/A // otherwise we would disrupt JCE delayed provider selection 0N/A // some providers implement getBlockSize() incorrectly 0N/A * Factory method to obtain a new CipherBox object. 2998N/A * Get a fixed mask, as the initial decryption IVs for TLS 1.1 or later. 0N/A * Encrypts a block of data, returning the size of the 2998N/A // TLSv1.1 needs a IV block 2998N/A // generate a random number 2998N/A // move forward the plaintext 0N/A "Padded plaintext before ENCRYPTION: len = " 0N/A // catch BouncyCastle buffering error 0N/A * Encrypts a ByteBuffer block of data, returning the size of the 0N/A * The byte buffers position and limit initially define the amount 0N/A * to encrypt. On return, the position and limit are 0N/A * because of the added padding bytes. 2998N/A // TLSv1.1 needs a IV block 2998N/A // generate a random number 2998N/A // move forward the plaintext 0N/A "Padded plaintext before ENCRYPTION: len = " 0N/A * reset back to beginning 0N/A * Encrypt "in-place". This does not add its own padding. 0N/A // catch BouncyCastle buffering error 0N/A * Decrypts a block of data, returning the size of the 0N/A * resulting block if padding was required. 2998N/A * For SSLv3 and TLSv1.0, with block ciphers in CBC mode the 2998N/A * Initialization Vector (IV) for the first record is generated by 2998N/A * the handshake protocol, the IV for subsequent records is the 2998N/A * last ciphertext block from the previous record. 2998N/A * From TLSv1.1, the implicit IV is replaced with an explicit IV to 2998N/A * protect against CBC attacks. 2998N/A * Differentiating between bad_record_mac and decryption_failed alerts 2998N/A * may permit certain attacks against CBC mode. It is preferable to 2998N/A * uniformly use the bad_record_mac alert to hide the specific type of 0N/A // catch BouncyCastle buffering error 0N/A "Padded plaintext after DECRYPTION: len = " 2998N/A // discards the first cipher block, the IV component. 0N/A * Decrypts a block of data, returning the size of the 0N/A * resulting block if padding was required. position and limit 0N/A * limit and new limit may be different, given we may 0N/A * have stripped off some padding bytes. 2998N/A * @see decrypt(byte[], int, int) 0N/A * Decrypt "in-place". 0N/A // catch BouncyCastle buffering error 0N/A "Padded plaintext after DECRYPTION: len = " 0N/A * Remove the block padding. 2998N/A // discards the first cipher block, the IV component. 2998N/A // reset the position to the end of the decrypted data 0N/A * TLS version of the padding works for both SSLv3 and TLSv1 0N/A * Apply the padding to the buffer. 0N/A * Limit is advanced to the new buffer length. 0N/A * Position is equal to limit. 0N/A * Update the limit to what will be padded. 0N/A * TLS version of the padding works for both SSLv3 and TLSv1 5799N/A * A constant-time check of the padding. 5799N/A * NOTE that we are checking both the padding and the padLen bytes here. 5799N/A * The caller MUST ensure that the len parameter is a positive number. 5799N/A // An array of hits is used to prevent Hotspot optimization for 5799N/A // the purpose of a constant-time check. 5799N/A for (
int i =
0; i <=
256;) {
5799N/A for (
int j =
0; j <
len && i <=
256; j++, i++) {
// j <= i 5799N/A * A constant-time check of the padding. 5799N/A * NOTE that we are checking both the padding and the padLen bytes here. 5799N/A * The caller MUST ensure that the bb parameter has remaining. 5799N/A // An array of hits is used to prevent Hotspot optimization for 5799N/A // the purpose of a constant-time check. 0N/A * Typical TLS padding format for a 64 bit block cipher is as follows: 0N/A * xx xx xx xx xx xx xx 00 0N/A * xx xx xx xx xx xx 01 01 0N/A * xx 06 06 06 06 06 06 06 0N/A * 07 07 07 07 07 07 07 07 0N/A * TLS also allows any amount of padding from 1 and 256 bytes as long 0N/A * as it makes the data a multiple of the block size 0N/A // last byte is length byte (i.e. actual padding length - 1) 5799N/A // If the buffer is not long enough to contain the padding plus 5799N/A // a MAC tag, do a dummy constant-time padding check. 5799N/A // Note that it is a dummy check, so we won't care about what is 5799N/A // the actual padding data. 5799N/A // The padding data should be filled with the padding length value. 0N/A // SSLv3 requires 0 <= length byte < block size 0N/A // some implementations do 1 <= length byte <= block size, 0N/A // so accept that as well 0N/A // v3 does not require any particular value for the other bytes 0N/A // last byte is length byte (i.e. actual padding length - 1) 5799N/A // If the buffer is not long enough to contain the padding plus 5799N/A // a MAC tag, do a dummy constant-time padding check. 5799N/A // Note that it is a dummy check, so we won't care about what is 5799N/A // the actual padding data. 5799N/A // The padding data should be filled with the padding length value. 0N/A // SSLv3 requires 0 <= length byte < block size 0N/A // some implementations do 1 <= length byte <= block size, 0N/A // so accept that as well 0N/A // v3 does not require any particular value for the other bytes 0N/A * Reset buffer limit to remove padding. 782N/A * Dispose of any intermediate state in the underlying cipher. 782N/A * For PKCS11 ciphers, this will release any attached sessions, and 782N/A * thus make finalization faster. 782N/A // ignore return value. 4466N/A * Does the cipher use CBC mode? 4466N/A * @return true if the cipher use CBC mode, false otherwise. 5799N/A * @return true if the cipher is null, false otherwise. 5799N/A * Sanity check the length of a fragment before decryption. 5799N/A * In CBC mode, check that the fragment length is one or multiple times 5799N/A * of the block size of the cipher suite, and is at least one (one is the 5799N/A * smallest size of padding in CBC mode) bigger than the tag size of the 5799N/A * MAC algorithm except the explicit IV size for TLS 1.1 or later. 5799N/A * In non-CBC mode, check that the fragment length is not less than the 5799N/A * tag size of the MAC algorithm. 5799N/A * @return true if the length of a fragment matches above requirements