1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
|
package org.spongycastle.crypto.tls;
import java.io.IOException;
import org.spongycastle.crypto.CipherParameters;
import org.spongycastle.crypto.Digest;
import org.spongycastle.crypto.StreamCipher;
import org.spongycastle.crypto.params.KeyParameter;
import org.spongycastle.util.Arrays;
public class TlsStreamCipher
implements TlsCipher
{
private static boolean encryptThenMAC = false;
protected TlsContext context;
protected StreamCipher encryptCipher;
protected StreamCipher decryptCipher;
protected TlsMac writeMac;
protected TlsMac readMac;
public TlsStreamCipher(TlsContext context, StreamCipher clientWriteCipher,
StreamCipher serverWriteCipher, Digest clientWriteDigest, Digest serverWriteDigest,
int cipherKeySize) throws IOException
{
boolean isServer = context.isServer();
this.context = context;
this.encryptCipher = clientWriteCipher;
this.decryptCipher = serverWriteCipher;
int key_block_size = (2 * cipherKeySize) + clientWriteDigest.getDigestSize()
+ serverWriteDigest.getDigestSize();
byte[] key_block = TlsUtils.calculateKeyBlock(context, key_block_size);
int offset = 0;
// Init MACs
TlsMac clientWriteMac = new TlsMac(context, clientWriteDigest, key_block, offset,
clientWriteDigest.getDigestSize());
offset += clientWriteDigest.getDigestSize();
TlsMac serverWriteMac = new TlsMac(context, serverWriteDigest, key_block, offset,
serverWriteDigest.getDigestSize());
offset += serverWriteDigest.getDigestSize();
// Build keys
KeyParameter clientWriteKey = new KeyParameter(key_block, offset, cipherKeySize);
offset += cipherKeySize;
KeyParameter serverWriteKey = new KeyParameter(key_block, offset, cipherKeySize);
offset += cipherKeySize;
if (offset != key_block_size)
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
CipherParameters encryptParams, decryptParams;
if (isServer)
{
this.writeMac = serverWriteMac;
this.readMac = clientWriteMac;
this.encryptCipher = serverWriteCipher;
this.decryptCipher = clientWriteCipher;
encryptParams = serverWriteKey;
decryptParams = clientWriteKey;
}
else
{
this.writeMac = clientWriteMac;
this.readMac = serverWriteMac;
this.encryptCipher = clientWriteCipher;
this.decryptCipher = serverWriteCipher;
encryptParams = clientWriteKey;
decryptParams = serverWriteKey;
}
this.encryptCipher.init(true, encryptParams);
this.decryptCipher.init(false, decryptParams);
}
public int getPlaintextLimit(int ciphertextLimit)
{
return ciphertextLimit - writeMac.getSize();
}
public byte[] encodePlaintext(long seqNo, short type, byte[] plaintext, int offset, int len)
{
/*
* TODO[draft-josefsson-salsa20-tls-02] Note that Salsa20 requires a 64-bit nonce. That
* nonce is updated on the encryption of every TLS record, and is set to be the 64-bit TLS
* record sequence number. In case of DTLS the 64-bit nonce is formed as the concatenation
* of the 16-bit epoch with the 48-bit sequence number.
*/
byte[] outBuf = new byte[len + writeMac.getSize()];
encryptCipher.processBytes(plaintext, offset, len, outBuf, 0);
if (encryptThenMAC)
{
byte[] mac = writeMac.calculateMac(seqNo, type, outBuf, 0, len);
System.arraycopy(mac, 0, outBuf, len, mac.length);
}
else
{
byte[] mac = writeMac.calculateMac(seqNo, type, plaintext, offset, len);
encryptCipher.processBytes(mac, 0, mac.length, outBuf, len);
}
return outBuf;
}
public byte[] decodeCiphertext(long seqNo, short type, byte[] ciphertext, int offset, int len)
throws IOException
{
/*
* TODO[draft-josefsson-salsa20-tls-02] Note that Salsa20 requires a 64-bit nonce. That
* nonce is updated on the encryption of every TLS record, and is set to be the 64-bit TLS
* record sequence number. In case of DTLS the 64-bit nonce is formed as the concatenation
* of the 16-bit epoch with the 48-bit sequence number.
*/
int macSize = readMac.getSize();
if (len < macSize)
{
throw new TlsFatalAlert(AlertDescription.decode_error);
}
int plaintextLength = len - macSize;
if (encryptThenMAC)
{
int ciphertextEnd = offset + len;
checkMAC(seqNo, type, ciphertext, ciphertextEnd - macSize, ciphertextEnd, ciphertext, offset, plaintextLength);
byte[] deciphered = new byte[plaintextLength];
decryptCipher.processBytes(ciphertext, offset, plaintextLength, deciphered, 0);
return deciphered;
}
else
{
byte[] deciphered = new byte[len];
decryptCipher.processBytes(ciphertext, offset, len, deciphered, 0);
checkMAC(seqNo, type, deciphered, plaintextLength, len, deciphered, 0, plaintextLength);
return Arrays.copyOfRange(deciphered, 0, plaintextLength);
}
}
private void checkMAC(long seqNo, short type, byte[] recBuf, int recStart, int recEnd, byte[] calcBuf, int calcOff, int calcLen)
throws IOException
{
byte[] receivedMac = Arrays.copyOfRange(recBuf, recStart, recEnd);
byte[] computedMac = readMac.calculateMac(seqNo, type, calcBuf, calcOff, calcLen);
if (!Arrays.constantTimeAreEqual(receivedMac, computedMac))
{
throw new TlsFatalAlert(AlertDescription.bad_record_mac);
}
}
}
|
