1/* 2 * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 27package sun.security.ssl; 28 29import java.io.ByteArrayInputStream; 30import java.io.IOException; 31import java.util.Hashtable; 32import java.util.Arrays; 33 34import java.security.*; 35import javax.crypto.*; 36import javax.crypto.spec.IvParameterSpec; 37import javax.crypto.spec.GCMParameterSpec; 38 39import java.nio.*; 40 41import sun.security.ssl.CipherSuite.*; 42import static sun.security.ssl.CipherSuite.*; 43import static sun.security.ssl.CipherSuite.CipherType.*; 44 45import sun.security.util.HexDumpEncoder; 46 47 48/** 49 * This class handles bulk data enciphering/deciphering for each SSLv3 50 * message. This provides data confidentiality. Stream ciphers (such 51 * as RC4) don't need to do padding; block ciphers (e.g. DES) need it. 52 * 53 * Individual instances are obtained by calling the static method 54 * newCipherBox(), which should only be invoked by BulkCipher.newCipher(). 55 * 56 * In RFC 2246, with bock ciphers in CBC mode, the Initialization 57 * Vector (IV) for the first record is generated with the other keys 58 * and secrets when the security parameters are set. The IV for 59 * subsequent records is the last ciphertext block from the previous 60 * record. 61 * 62 * In RFC 4346, the implicit Initialization Vector (IV) is replaced 63 * with an explicit IV to protect against CBC attacks. RFC 4346 64 * recommends two algorithms used to generated the per-record IV. 65 * The implementation uses the algorithm (2)(b), as described at 66 * section 6.2.3.2 of RFC 4346. 67 * 68 * The usage of IV in CBC block cipher can be illustrated in 69 * the following diagrams. 70 * 71 * (random) 72 * R P1 IV C1 73 * | | | | 74 * SIV---+ |-----+ |-... |----- |------ 75 * | | | | | | | | 76 * +----+ | +----+ | +----+ | +----+ | 77 * | Ek | | + Ek + | | Dk | | | Dk | | 78 * +----+ | +----+ | +----+ | +----+ | 79 * | | | | | | | | 80 * |----| |----| SIV--+ |----| |-... 81 * | | | | 82 * IV C1 R P1 83 * (discard) 84 * 85 * CBC Encryption CBC Decryption 86 * 87 * NOTE that any ciphering involved in key exchange (e.g. with RSA) is 88 * handled separately. 89 * 90 * @author David Brownell 91 * @author Andreas Sterbenz 92 */ 93final class CipherBox { 94 95 // A CipherBox that implements the identity operation 96 static final CipherBox NULL = new CipherBox(); 97 98 /* Class and subclass dynamic debugging support */ 99 private static final Debug debug = Debug.getInstance("ssl"); 100 101 // the protocol version this cipher conforms to 102 private final ProtocolVersion protocolVersion; 103 104 // cipher object 105 private final Cipher cipher; 106 107 /** 108 * secure random 109 */ 110 private SecureRandom random; 111 112 /** 113 * fixed IV, the implicit nonce of AEAD cipher suite, only apply to 114 * AEAD cipher suites 115 */ 116 private final byte[] fixedIv; 117 118 /** 119 * the key, reserved only for AEAD cipher initialization 120 */ 121 private final Key key; 122 123 /** 124 * the operation mode, reserved for AEAD cipher initialization 125 */ 126 private final int mode; 127 128 /** 129 * the authentication tag size, only apply to AEAD cipher suites 130 */ 131 private final int tagSize; 132 133 /** 134 * the record IV length, only apply to AEAD cipher suites 135 */ 136 private final int recordIvSize; 137 138 /** 139 * cipher type 140 */ 141 private final CipherType cipherType; 142 143 /** 144 * Fixed masks of various block size, as the initial decryption IVs 145 * for TLS 1.1 or later. 146 * 147 * For performance, we do not use random IVs. As the initial decryption 148 * IVs will be discarded by TLS decryption processes, so the fixed masks 149 * do not hurt cryptographic strength. 150 */ 151 private static Hashtable<Integer, IvParameterSpec> masks; 152 153 /** 154 * NULL cipherbox. Identity operation, no encryption. 155 */ 156 private CipherBox() { 157 this.protocolVersion = ProtocolVersion.DEFAULT_TLS; 158 this.cipher = null; 159 this.cipherType = NULL_CIPHER; 160 this.fixedIv = new byte[0]; 161 this.key = null; 162 this.mode = Cipher.ENCRYPT_MODE; // choose at random 163 this.random = null; 164 this.tagSize = 0; 165 this.recordIvSize = 0; 166 } 167 168 /** 169 * Construct a new CipherBox using the cipher transformation. 170 * 171 * @exception NoSuchAlgorithmException if no appropriate JCE Cipher 172 * implementation could be found. 173 */ 174 private CipherBox(ProtocolVersion protocolVersion, BulkCipher bulkCipher, 175 SecretKey key, IvParameterSpec iv, SecureRandom random, 176 boolean encrypt) throws NoSuchAlgorithmException { 177 try { 178 this.protocolVersion = protocolVersion; 179 this.cipher = JsseJce.getCipher(bulkCipher.transformation); 180 this.mode = encrypt ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE; 181 182 if (random == null) { 183 random = JsseJce.getSecureRandom(); 184 } 185 this.random = random; 186 this.cipherType = bulkCipher.cipherType; 187 188 /* 189 * RFC 4346 recommends two algorithms used to generated the 190 * per-record IV. The implementation uses the algorithm (2)(b), 191 * as described at section 6.2.3.2 of RFC 4346. 192 * 193 * As we don't care about the initial IV value for TLS 1.1 or 194 * later, so if the "iv" parameter is null, we use the default 195 * value generated by Cipher.init() for encryption, and a fixed 196 * mask for decryption. 197 */ 198 if (iv == null && bulkCipher.ivSize != 0 && 199 mode == Cipher.DECRYPT_MODE && 200 protocolVersion.useTLS11PlusSpec()) { 201 iv = getFixedMask(bulkCipher.ivSize); 202 } 203 204 if (cipherType == AEAD_CIPHER) { 205 // AEAD must completely initialize the cipher for each packet, 206 // and so we save initialization parameters for packet 207 // processing time. 208 209 // Set the tag size for AEAD cipher 210 tagSize = bulkCipher.tagSize; 211 212 // Reserve the key for AEAD cipher initialization 213 this.key = key; 214 215 fixedIv = iv.getIV(); 216 if (fixedIv == null || 217 fixedIv.length != bulkCipher.fixedIvSize) { 218 throw new RuntimeException("Improper fixed IV for AEAD"); 219 } 220 221 // Set the record IV length for AEAD cipher 222 recordIvSize = bulkCipher.ivSize - bulkCipher.fixedIvSize; 223 224 // DON'T initialize the cipher for AEAD! 225 } else { 226 // CBC only requires one initialization during its lifetime 227 // (future packets/IVs set the proper CBC state), so we can 228 // initialize now. 229 230 // Zeroize the variables that only apply to AEAD cipher 231 this.tagSize = 0; 232 this.fixedIv = new byte[0]; 233 this.recordIvSize = 0; 234 this.key = null; 235 236 // Initialize the cipher 237 cipher.init(mode, key, iv, random); 238 } 239 } catch (NoSuchAlgorithmException e) { 240 throw e; 241 } catch (Exception e) { 242 throw new NoSuchAlgorithmException 243 ("Could not create cipher " + bulkCipher, e); 244 } catch (ExceptionInInitializerError e) { 245 throw new NoSuchAlgorithmException 246 ("Could not create cipher " + bulkCipher, e); 247 } 248 } 249 250 /* 251 * Factory method to obtain a new CipherBox object. 252 */ 253 static CipherBox newCipherBox(ProtocolVersion version, BulkCipher cipher, 254 SecretKey key, IvParameterSpec iv, SecureRandom random, 255 boolean encrypt) throws NoSuchAlgorithmException { 256 if (cipher.allowed == false) { 257 throw new NoSuchAlgorithmException("Unsupported cipher " + cipher); 258 } 259 260 if (cipher == BulkCipher.B_NULL) { 261 return NULL; 262 } else { 263 return new CipherBox(version, cipher, key, iv, random, encrypt); 264 } 265 } 266 267 /* 268 * Get a fixed mask, as the initial decryption IVs for TLS 1.1 or later. 269 */ 270 private static IvParameterSpec getFixedMask(int ivSize) { 271 if (masks == null) { 272 masks = new Hashtable<Integer, IvParameterSpec>(5); 273 } 274 275 IvParameterSpec iv = masks.get(ivSize); 276 if (iv == null) { 277 iv = new IvParameterSpec(new byte[ivSize]); 278 masks.put(ivSize, iv); 279 } 280 281 return iv; 282 } 283 284 /* 285 * Encrypts a block of data, returning the size of the 286 * resulting block. 287 */ 288 int encrypt(byte[] buf, int offset, int len) { 289 if (cipher == null) { 290 return len; 291 } 292 293 try { 294 int blockSize = cipher.getBlockSize(); 295 if (cipherType == BLOCK_CIPHER) { 296 len = addPadding(buf, offset, len, blockSize); 297 } 298 299 if (debug != null && Debug.isOn("plaintext")) { 300 try { 301 HexDumpEncoder hd = new HexDumpEncoder(); 302 303 System.out.println( 304 "Padded plaintext before ENCRYPTION: len = " 305 + len); 306 hd.encodeBuffer( 307 new ByteArrayInputStream(buf, offset, len), 308 System.out); 309 } catch (IOException e) { } 310 } 311 312 313 if (cipherType == AEAD_CIPHER) { 314 try { 315 return cipher.doFinal(buf, offset, len, buf, offset); 316 } catch (IllegalBlockSizeException | BadPaddingException ibe) { 317 // unlikely to happen 318 throw new RuntimeException( 319 "Cipher error in AEAD mode in JCE provider " + 320 cipher.getProvider().getName(), ibe); 321 } 322 } else { 323 int newLen = cipher.update(buf, offset, len, buf, offset); 324 if (newLen != len) { 325 // catch BouncyCastle buffering error 326 throw new RuntimeException("Cipher buffering error " + 327 "in JCE provider " + cipher.getProvider().getName()); 328 } 329 return newLen; 330 } 331 } catch (ShortBufferException e) { 332 // unlikely to happen, we should have enough buffer space here 333 throw new ArrayIndexOutOfBoundsException(e.toString()); 334 } 335 } 336 337 /* 338 * Encrypts a ByteBuffer block of data, returning the size of the 339 * resulting block. 340 * 341 * The byte buffers position and limit initially define the amount 342 * to encrypt. On return, the position and limit are 343 * set to last position padded/encrypted. The limit may have changed 344 * because of the added padding bytes. 345 */ 346 int encrypt(ByteBuffer bb, int outLimit) { 347 348 int len = bb.remaining(); 349 350 if (cipher == null) { 351 bb.position(bb.limit()); 352 return len; 353 } 354 355 int pos = bb.position(); 356 357 int blockSize = cipher.getBlockSize(); 358 if (cipherType == BLOCK_CIPHER) { 359 // addPadding adjusts pos/limit 360 len = addPadding(bb, blockSize); 361 bb.position(pos); 362 } 363 364 if (debug != null && Debug.isOn("plaintext")) { 365 try { 366 HexDumpEncoder hd = new HexDumpEncoder(); 367 368 System.out.println( 369 "Padded plaintext before ENCRYPTION: len = " 370 + len); 371 hd.encodeBuffer(bb.duplicate(), System.out); 372 373 } catch (IOException e) { } 374 } 375 376 /* 377 * Encrypt "in-place". This does not add its own padding. 378 */ 379 ByteBuffer dup = bb.duplicate(); 380 if (cipherType == AEAD_CIPHER) { 381 try { 382 int outputSize = cipher.getOutputSize(dup.remaining()); 383 if (outputSize > bb.remaining()) { 384 // need to expand the limit of the output buffer for 385 // the authentication tag. 386 // 387 // DON'T worry about the buffer's capacity, we have 388 // reserved space for the authentication tag. 389 if (outLimit < pos + outputSize) { 390 // unlikely to happen 391 throw new ShortBufferException( 392 "need more space in output buffer"); 393 } 394 bb.limit(pos + outputSize); 395 } 396 int newLen = cipher.doFinal(dup, bb); 397 if (newLen != outputSize) { 398 throw new RuntimeException( 399 "Cipher buffering error in JCE provider " + 400 cipher.getProvider().getName()); 401 } 402 return newLen; 403 } catch (IllegalBlockSizeException | 404 BadPaddingException | ShortBufferException ibse) { 405 // unlikely to happen 406 throw new RuntimeException( 407 "Cipher error in AEAD mode in JCE provider " + 408 cipher.getProvider().getName(), ibse); 409 } 410 } else { 411 int newLen; 412 try { 413 newLen = cipher.update(dup, bb); 414 } catch (ShortBufferException sbe) { 415 // unlikely to happen 416 throw new RuntimeException("Cipher buffering error " + 417 "in JCE provider " + cipher.getProvider().getName()); 418 } 419 420 if (bb.position() != dup.position()) { 421 throw new RuntimeException("bytebuffer padding error"); 422 } 423 424 if (newLen != len) { 425 // catch BouncyCastle buffering error 426 throw new RuntimeException("Cipher buffering error " + 427 "in JCE provider " + cipher.getProvider().getName()); 428 } 429 return newLen; 430 } 431 } 432 433 434 /* 435 * Decrypts a block of data, returning the size of the 436 * resulting block if padding was required. 437 * 438 * For SSLv3 and TLSv1.0, with block ciphers in CBC mode the 439 * Initialization Vector (IV) for the first record is generated by 440 * the handshake protocol, the IV for subsequent records is the 441 * last ciphertext block from the previous record. 442 * 443 * From TLSv1.1, the implicit IV is replaced with an explicit IV to 444 * protect against CBC attacks. 445 * 446 * Differentiating between bad_record_mac and decryption_failed alerts 447 * may permit certain attacks against CBC mode. It is preferable to 448 * uniformly use the bad_record_mac alert to hide the specific type of 449 * the error. 450 */ 451 int decrypt(byte[] buf, int offset, int len, 452 int tagLen) throws BadPaddingException { 453 if (cipher == null) { 454 return len; 455 } 456 457 try { 458 int newLen; 459 if (cipherType == AEAD_CIPHER) { 460 try { 461 newLen = cipher.doFinal(buf, offset, len, buf, offset); 462 } catch (IllegalBlockSizeException ibse) { 463 // unlikely to happen 464 throw new RuntimeException( 465 "Cipher error in AEAD mode in JCE provider " + 466 cipher.getProvider().getName(), ibse); 467 } 468 } else { 469 newLen = cipher.update(buf, offset, len, buf, offset); 470 if (newLen != len) { 471 // catch BouncyCastle buffering error 472 throw new RuntimeException("Cipher buffering error " + 473 "in JCE provider " + cipher.getProvider().getName()); 474 } 475 } 476 if (debug != null && Debug.isOn("plaintext")) { 477 try { 478 HexDumpEncoder hd = new HexDumpEncoder(); 479 480 System.out.println( 481 "Padded plaintext after DECRYPTION: len = " 482 + newLen); 483 hd.encodeBuffer( 484 new ByteArrayInputStream(buf, offset, newLen), 485 System.out); 486 } catch (IOException e) { } 487 } 488 489 if (cipherType == BLOCK_CIPHER) { 490 int blockSize = cipher.getBlockSize(); 491 newLen = removePadding( 492 buf, offset, newLen, tagLen, blockSize, protocolVersion); 493 494 if (protocolVersion.useTLS11PlusSpec()) { 495 if (newLen < blockSize) { 496 throw new BadPaddingException("The length after " + 497 "padding removal (" + newLen + ") should be larger " + 498 "than <" + blockSize + "> since explicit IV used"); 499 } 500 } 501 } 502 return newLen; 503 } catch (ShortBufferException e) { 504 // unlikely to happen, we should have enough buffer space here 505 throw new ArrayIndexOutOfBoundsException(e.toString()); 506 } 507 } 508 509 /* 510 * Decrypts a block of data, returning the size of the 511 * resulting block if padding was required. position and limit 512 * point to the end of the decrypted/depadded data. The initial 513 * limit and new limit may be different, given we may 514 * have stripped off some padding bytes. 515 * 516 * @see decrypt(byte[], int, int) 517 */ 518 int decrypt(ByteBuffer bb, int tagLen) throws BadPaddingException { 519 520 int len = bb.remaining(); 521 522 if (cipher == null) { 523 bb.position(bb.limit()); 524 return len; 525 } 526 527 try { 528 /* 529 * Decrypt "in-place". 530 */ 531 int pos = bb.position(); 532 ByteBuffer dup = bb.duplicate(); 533 int newLen; 534 if (cipherType == AEAD_CIPHER) { 535 try { 536 newLen = cipher.doFinal(dup, bb); 537 } catch (IllegalBlockSizeException ibse) { 538 // unlikely to happen 539 throw new RuntimeException( 540 "Cipher error in AEAD mode \"" + ibse.getMessage() + 541 " \"in JCE provider " + cipher.getProvider().getName()); 542 } 543 } else { 544 newLen = cipher.update(dup, bb); 545 if (newLen != len) { 546 // catch BouncyCastle buffering error 547 throw new RuntimeException("Cipher buffering error " + 548 "in JCE provider " + cipher.getProvider().getName()); 549 } 550 } 551 552 // reset the limit to the end of the decryted data 553 bb.limit(pos + newLen); 554 555 if (debug != null && Debug.isOn("plaintext")) { 556 try { 557 HexDumpEncoder hd = new HexDumpEncoder(); 558 559 System.out.println( 560 "Padded plaintext after DECRYPTION: len = " 561 + newLen); 562 563 hd.encodeBuffer( 564 bb.duplicate().position(pos), System.out); 565 } catch (IOException e) { } 566 } 567 568 /* 569 * Remove the block padding. 570 */ 571 if (cipherType == BLOCK_CIPHER) { 572 int blockSize = cipher.getBlockSize(); 573 bb.position(pos); 574 newLen = removePadding(bb, tagLen, blockSize, protocolVersion); 575 576 // check the explicit IV of TLS v1.1 or later 577 if (protocolVersion.useTLS11PlusSpec()) { 578 if (newLen < blockSize) { 579 throw new BadPaddingException("The length after " + 580 "padding removal (" + newLen + ") should be larger " + 581 "than <" + blockSize + "> since explicit IV used"); 582 } 583 584 // reset the position to the end of the decrypted data 585 bb.position(bb.limit()); 586 } 587 } 588 return newLen; 589 } catch (ShortBufferException e) { 590 // unlikely to happen, we should have enough buffer space here 591 throw new ArrayIndexOutOfBoundsException(e.toString()); 592 } 593 } 594 595 private static int addPadding(byte[] buf, int offset, int len, 596 int blockSize) { 597 int newlen = len + 1; 598 byte pad; 599 int i; 600 601 if ((newlen % blockSize) != 0) { 602 newlen += blockSize - 1; 603 newlen -= newlen % blockSize; 604 } 605 pad = (byte) (newlen - len); 606 607 if (buf.length < (newlen + offset)) { 608 throw new IllegalArgumentException("no space to pad buffer"); 609 } 610 611 /* 612 * TLS version of the padding works for both SSLv3 and TLSv1 613 */ 614 for (i = 0, offset += len; i < pad; i++) { 615 buf [offset++] = (byte) (pad - 1); 616 } 617 return newlen; 618 } 619 620 /* 621 * Apply the padding to the buffer. 622 * 623 * Limit is advanced to the new buffer length. 624 * Position is equal to limit. 625 */ 626 private static int addPadding(ByteBuffer bb, int blockSize) { 627 628 int len = bb.remaining(); 629 int offset = bb.position(); 630 631 int newlen = len + 1; 632 byte pad; 633 int i; 634 635 if ((newlen % blockSize) != 0) { 636 newlen += blockSize - 1; 637 newlen -= newlen % blockSize; 638 } 639 pad = (byte) (newlen - len); 640 641 /* 642 * Update the limit to what will be padded. 643 */ 644 bb.limit(newlen + offset); 645 646 /* 647 * TLS version of the padding works for both SSLv3 and TLSv1 648 */ 649 for (i = 0, offset += len; i < pad; i++) { 650 bb.put(offset++, (byte) (pad - 1)); 651 } 652 653 bb.position(offset); 654 bb.limit(offset); 655 656 return newlen; 657 } 658 659 /* 660 * A constant-time check of the padding. 661 * 662 * NOTE that we are checking both the padding and the padLen bytes here. 663 * 664 * The caller MUST ensure that the len parameter is a positive number. 665 */ 666 private static int[] checkPadding( 667 byte[] buf, int offset, int len, byte pad) { 668 669 if (len <= 0) { 670 throw new RuntimeException("padding len must be positive"); 671 } 672 673 // An array of hits is used to prevent Hotspot optimization for 674 // the purpose of a constant-time check. 675 int[] results = {0, 0}; // {missed #, matched #} 676 for (int i = 0; i <= 256;) { 677 for (int j = 0; j < len && i <= 256; j++, i++) { // j <= i 678 if (buf[offset + j] != pad) { 679 results[0]++; // mismatched padding data 680 } else { 681 results[1]++; // matched padding data 682 } 683 } 684 } 685 686 return results; 687 } 688 689 /* 690 * A constant-time check of the padding. 691 * 692 * NOTE that we are checking both the padding and the padLen bytes here. 693 * 694 * The caller MUST ensure that the bb parameter has remaining. 695 */ 696 private static int[] checkPadding(ByteBuffer bb, byte pad) { 697 698 if (!bb.hasRemaining()) { 699 throw new RuntimeException("hasRemaining() must be positive"); 700 } 701 702 // An array of hits is used to prevent Hotspot optimization for 703 // the purpose of a constant-time check. 704 int[] results = {0, 0}; // {missed #, matched #} 705 bb.mark(); 706 for (int i = 0; i <= 256; bb.reset()) { 707 for (; bb.hasRemaining() && i <= 256; i++) { 708 if (bb.get() != pad) { 709 results[0]++; // mismatched padding data 710 } else { 711 results[1]++; // matched padding data 712 } 713 } 714 } 715 716 return results; 717 } 718 719 /* 720 * Typical TLS padding format for a 64 bit block cipher is as follows: 721 * xx xx xx xx xx xx xx 00 722 * xx xx xx xx xx xx 01 01 723 * ... 724 * xx 06 06 06 06 06 06 06 725 * 07 07 07 07 07 07 07 07 726 * TLS also allows any amount of padding from 1 and 256 bytes as long 727 * as it makes the data a multiple of the block size 728 */ 729 private static int removePadding(byte[] buf, int offset, int len, 730 int tagLen, int blockSize, 731 ProtocolVersion protocolVersion) throws BadPaddingException { 732 733 // last byte is length byte (i.e. actual padding length - 1) 734 int padOffset = offset + len - 1; 735 int padLen = buf[padOffset] & 0xFF; 736 737 int newLen = len - (padLen + 1); 738 if ((newLen - tagLen) < 0) { 739 // If the buffer is not long enough to contain the padding plus 740 // a MAC tag, do a dummy constant-time padding check. 741 // 742 // Note that it is a dummy check, so we won't care about what is 743 // the actual padding data. 744 checkPadding(buf, offset, len, (byte)(padLen & 0xFF)); 745 746 throw new BadPaddingException("Invalid Padding length: " + padLen); 747 } 748 749 // The padding data should be filled with the padding length value. 750 int[] results = checkPadding(buf, offset + newLen, 751 padLen + 1, (byte)(padLen & 0xFF)); 752 if (protocolVersion.useTLS10PlusSpec()) { 753 if (results[0] != 0) { // padding data has invalid bytes 754 throw new BadPaddingException("Invalid TLS padding data"); 755 } 756 } else { // SSLv3 757 // SSLv3 requires 0 <= length byte < block size 758 // some implementations do 1 <= length byte <= block size, 759 // so accept that as well 760 // v3 does not require any particular value for the other bytes 761 if (padLen > blockSize) { 762 throw new BadPaddingException("Padding length (" + 763 padLen + ") of SSLv3 message should not be bigger " + 764 "than the block size (" + blockSize + ")"); 765 } 766 } 767 return newLen; 768 } 769 770 /* 771 * Position/limit is equal the removed padding. 772 */ 773 private static int removePadding(ByteBuffer bb, 774 int tagLen, int blockSize, 775 ProtocolVersion protocolVersion) throws BadPaddingException { 776 777 int len = bb.remaining(); 778 int offset = bb.position(); 779 780 // last byte is length byte (i.e. actual padding length - 1) 781 int padOffset = offset + len - 1; 782 int padLen = bb.get(padOffset) & 0xFF; 783 784 int newLen = len - (padLen + 1); 785 if ((newLen - tagLen) < 0) { 786 // If the buffer is not long enough to contain the padding plus 787 // a MAC tag, do a dummy constant-time padding check. 788 // 789 // Note that it is a dummy check, so we won't care about what is 790 // the actual padding data. 791 checkPadding(bb.duplicate(), (byte)(padLen & 0xFF)); 792 793 throw new BadPaddingException("Invalid Padding length: " + padLen); 794 } 795 796 // The padding data should be filled with the padding length value. 797 int[] results = checkPadding( 798 bb.duplicate().position(offset + newLen), 799 (byte)(padLen & 0xFF)); 800 if (protocolVersion.useTLS10PlusSpec()) { 801 if (results[0] != 0) { // padding data has invalid bytes 802 throw new BadPaddingException("Invalid TLS padding data"); 803 } 804 } else { // SSLv3 805 // SSLv3 requires 0 <= length byte < block size 806 // some implementations do 1 <= length byte <= block size, 807 // so accept that as well 808 // v3 does not require any particular value for the other bytes 809 if (padLen > blockSize) { 810 throw new BadPaddingException("Padding length (" + 811 padLen + ") of SSLv3 message should not be bigger " + 812 "than the block size (" + blockSize + ")"); 813 } 814 } 815 816 /* 817 * Reset buffer limit to remove padding. 818 */ 819 bb.position(offset + newLen); 820 bb.limit(offset + newLen); 821 822 return newLen; 823 } 824 825 /* 826 * Dispose of any intermediate state in the underlying cipher. 827 * For PKCS11 ciphers, this will release any attached sessions, and 828 * thus make finalization faster. 829 */ 830 void dispose() { 831 try { 832 if (cipher != null) { 833 // ignore return value. 834 cipher.doFinal(); 835 } 836 } catch (Exception e) { 837 // swallow all types of exceptions. 838 } 839 } 840 841 /* 842 * Does the cipher use CBC mode? 843 * 844 * @return true if the cipher use CBC mode, false otherwise. 845 */ 846 boolean isCBCMode() { 847 return cipherType == BLOCK_CIPHER; 848 } 849 850 /* 851 * Does the cipher use AEAD mode? 852 * 853 * @return true if the cipher use AEAD mode, false otherwise. 854 */ 855 boolean isAEADMode() { 856 return cipherType == AEAD_CIPHER; 857 } 858 859 /* 860 * Is the cipher null? 861 * 862 * @return true if the cipher is null, false otherwise. 863 */ 864 boolean isNullCipher() { 865 return cipher == null; 866 } 867 868 /* 869 * Gets the explicit nonce/IV size of the cipher. 870 * 871 * The returned value is the SecurityParameters.record_iv_length in 872 * RFC 4346/5246. It is the size of explicit IV for CBC mode, and the 873 * size of explicit nonce for AEAD mode. 874 * 875 * @return the explicit nonce size of the cipher. 876 */ 877 int getExplicitNonceSize() { 878 switch (cipherType) { 879 case BLOCK_CIPHER: 880 // For block ciphers, the explicit IV length is of length 881 // SecurityParameters.record_iv_length, which is equal to 882 // the SecurityParameters.block_size. 883 if (protocolVersion.useTLS11PlusSpec()) { 884 return cipher.getBlockSize(); 885 } 886 break; 887 case AEAD_CIPHER: 888 return recordIvSize; 889 // It is also the length of sequence number, which is 890 // used as the nonce_explicit for AEAD cipher suites. 891 } 892 893 return 0; 894 } 895 896 /* 897 * Applies the explicit nonce/IV to this cipher. This method is used to 898 * decrypt an SSL/TLS input record. 899 * 900 * The returned value is the SecurityParameters.record_iv_length in 901 * RFC 4346/5246. It is the size of explicit IV for CBC mode, and the 902 * size of explicit nonce for AEAD mode. 903 * 904 * @param authenticator the authenticator to get the additional 905 * authentication data 906 * @param contentType the content type of the input record 907 * @param bb the byte buffer to get the explicit nonce from 908 * 909 * @return the explicit nonce size of the cipher. 910 */ 911 int applyExplicitNonce(Authenticator authenticator, byte contentType, 912 ByteBuffer bb, byte[] sequence) throws BadPaddingException { 913 switch (cipherType) { 914 case BLOCK_CIPHER: 915 // sanity check length of the ciphertext 916 int tagLen = (authenticator instanceof MAC) ? 917 ((MAC)authenticator).MAClen() : 0; 918 if (tagLen != 0) { 919 if (!sanityCheck(tagLen, bb.remaining())) { 920 throw new BadPaddingException( 921 "ciphertext sanity check failed"); 922 } 923 } 924 925 // For block ciphers, the explicit IV length is of length 926 // SecurityParameters.record_iv_length, which is equal to 927 // the SecurityParameters.block_size. 928 if (protocolVersion.useTLS11PlusSpec()) { 929 return cipher.getBlockSize(); 930 } 931 break; 932 case AEAD_CIPHER: 933 if (bb.remaining() < (recordIvSize + tagSize)) { 934 throw new BadPaddingException( 935 "Insufficient buffer remaining for AEAD cipher " + 936 "fragment (" + bb.remaining() + "). Needs to be " + 937 "more than or equal to IV size (" + recordIvSize + 938 ") + tag size (" + tagSize + ")"); 939 } 940 941 // initialize the AEAD cipher for the unique IV 942 byte[] iv = Arrays.copyOf(fixedIv, 943 fixedIv.length + recordIvSize); 944 bb.get(iv, fixedIv.length, recordIvSize); 945 bb.position(bb.position() - recordIvSize); 946 GCMParameterSpec spec = new GCMParameterSpec(tagSize * 8, iv); 947 try { 948 cipher.init(mode, key, spec, random); 949 } catch (InvalidKeyException | 950 InvalidAlgorithmParameterException ikae) { 951 // unlikely to happen 952 throw new RuntimeException( 953 "invalid key or spec in GCM mode", ikae); 954 } 955 956 // update the additional authentication data 957 byte[] aad = authenticator.acquireAuthenticationBytes( 958 contentType, bb.remaining() - recordIvSize - tagSize, 959 sequence); 960 cipher.updateAAD(aad); 961 962 return recordIvSize; 963 // It is also the length of sequence number, which is 964 // used as the nonce_explicit for AEAD cipher suites. 965 } 966 967 return 0; 968 } 969 970 /* 971 * Creates the explicit nonce/IV to this cipher. This method is used to 972 * encrypt an SSL/TLS output record. 973 * 974 * The size of the returned array is the SecurityParameters.record_iv_length 975 * in RFC 4346/5246. It is the size of explicit IV for CBC mode, and the 976 * size of explicit nonce for AEAD mode. 977 * 978 * @param authenticator the authenticator to get the additional 979 * authentication data 980 * @param contentType the content type of the input record 981 * @param fragmentLength the fragment length of the output record, it is 982 * the TLSCompressed.length in RFC 4346/5246. 983 * 984 * @return the explicit nonce of the cipher. 985 */ 986 byte[] createExplicitNonce(Authenticator authenticator, 987 byte contentType, int fragmentLength) { 988 989 byte[] nonce = new byte[0]; 990 switch (cipherType) { 991 case BLOCK_CIPHER: 992 if (protocolVersion.useTLS11PlusSpec()) { 993 // For block ciphers, the explicit IV length is of length 994 // SecurityParameters.record_iv_length, which is equal to 995 // the SecurityParameters.block_size. 996 // 997 // Generate a random number as the explicit IV parameter. 998 nonce = new byte[cipher.getBlockSize()]; 999 random.nextBytes(nonce); 1000 } 1001 break; 1002 case AEAD_CIPHER: 1003 // To be unique and aware of overflow-wrap, sequence number 1004 // is used as the nonce_explicit of AEAD cipher suites. 1005 nonce = authenticator.sequenceNumber(); 1006 1007 // initialize the AEAD cipher for the unique IV 1008 byte[] iv = Arrays.copyOf(fixedIv, 1009 fixedIv.length + nonce.length); 1010 System.arraycopy(nonce, 0, iv, fixedIv.length, nonce.length); 1011 GCMParameterSpec spec = new GCMParameterSpec(tagSize * 8, iv); 1012 try { 1013 cipher.init(mode, key, spec, random); 1014 } catch (InvalidKeyException | 1015 InvalidAlgorithmParameterException ikae) { 1016 // unlikely to happen 1017 throw new RuntimeException( 1018 "invalid key or spec in GCM mode", ikae); 1019 } 1020 1021 // Update the additional authentication data, using the 1022 // implicit sequence number of the authenticator. 1023 byte[] aad = authenticator.acquireAuthenticationBytes( 1024 contentType, fragmentLength, null); 1025 cipher.updateAAD(aad); 1026 break; 1027 } 1028 1029 return nonce; 1030 } 1031 1032 // See also CipherSuite.calculatePacketSize(). 1033 int calculatePacketSize(int fragmentSize, int macLen, int headerSize) { 1034 int packetSize = fragmentSize; 1035 if (cipher != null) { 1036 int blockSize = cipher.getBlockSize(); 1037 switch (cipherType) { 1038 case BLOCK_CIPHER: 1039 packetSize += macLen; 1040 packetSize += 1; // 1 byte padding length field 1041 packetSize += // use the minimal padding 1042 (blockSize - (packetSize % blockSize)) % blockSize; 1043 if (protocolVersion.useTLS11PlusSpec()) { 1044 packetSize += blockSize; // explicit IV 1045 } 1046 1047 break; 1048 case AEAD_CIPHER: 1049 packetSize += recordIvSize; 1050 packetSize += tagSize; 1051 1052 break; 1053 default: // NULL_CIPHER or STREAM_CIPHER 1054 packetSize += macLen; 1055 } 1056 } 1057 1058 return packetSize + headerSize; 1059 } 1060 1061 // See also CipherSuite.calculateFragSize(). 1062 int calculateFragmentSize(int packetLimit, int macLen, int headerSize) { 1063 int fragLen = packetLimit - headerSize; 1064 if (cipher != null) { 1065 int blockSize = cipher.getBlockSize(); 1066 switch (cipherType) { 1067 case BLOCK_CIPHER: 1068 if (protocolVersion.useTLS11PlusSpec()) { 1069 fragLen -= blockSize; // explicit IV 1070 } 1071 fragLen -= (fragLen % blockSize); // cannot hold a block 1072 // No padding for a maximum fragment. 1073 fragLen -= 1; // 1 byte padding length field: 0x00 1074 fragLen -= macLen; 1075 1076 break; 1077 case AEAD_CIPHER: 1078 fragLen -= recordIvSize; 1079 fragLen -= tagSize; 1080 1081 break; 1082 default: // NULL_CIPHER or STREAM_CIPHER 1083 fragLen -= macLen; 1084 } 1085 } 1086 1087 return fragLen; 1088 } 1089 1090 // Estimate the maximum fragment size of a received packet. 1091 int estimateFragmentSize(int packetSize, int macLen, int headerSize) { 1092 int fragLen = packetSize - headerSize; 1093 if (cipher != null) { 1094 int blockSize = cipher.getBlockSize(); 1095 switch (cipherType) { 1096 case BLOCK_CIPHER: 1097 if (protocolVersion.useTLS11PlusSpec()) { 1098 fragLen -= blockSize; // explicit IV 1099 } 1100 // No padding for a maximum fragment. 1101 fragLen -= 1; // 1 byte padding length field: 0x00 1102 fragLen -= macLen; 1103 1104 break; 1105 case AEAD_CIPHER: 1106 fragLen -= recordIvSize; 1107 fragLen -= tagSize; 1108 1109 break; 1110 default: // NULL_CIPHER or STREAM_CIPHER 1111 fragLen -= macLen; 1112 } 1113 } 1114 1115 return fragLen; 1116 } 1117 1118 /** 1119 * Sanity check the length of a fragment before decryption. 1120 * 1121 * In CBC mode, check that the fragment length is one or multiple times 1122 * of the block size of the cipher suite, and is at least one (one is the 1123 * smallest size of padding in CBC mode) bigger than the tag size of the 1124 * MAC algorithm except the explicit IV size for TLS 1.1 or later. 1125 * 1126 * In non-CBC mode, check that the fragment length is not less than the 1127 * tag size of the MAC algorithm. 1128 * 1129 * @return true if the length of a fragment matches above requirements 1130 */ 1131 private boolean sanityCheck(int tagLen, int fragmentLen) { 1132 if (!isCBCMode()) { 1133 return fragmentLen >= tagLen; 1134 } 1135 1136 int blockSize = cipher.getBlockSize(); 1137 if ((fragmentLen % blockSize) == 0) { 1138 int minimal = tagLen + 1; 1139 minimal = (minimal >= blockSize) ? minimal : blockSize; 1140 if (protocolVersion.useTLS11PlusSpec()) { 1141 minimal += blockSize; // plus the size of the explicit IV 1142 } 1143 1144 return (fragmentLen >= minimal); 1145 } 1146 1147 return false; 1148 } 1149 1150} 1151