public byte[] encodePlaintext(long seqNo, short type, byte[] plaintext, int offset, int len) { if (usesNonce) { updateIV(encryptCipher, true, seqNo); } byte[] outBuf = new byte[len + writeMac.getSize()]; encryptCipher.processBytes(plaintext, offset, len, outBuf, 0); byte[] mac = writeMac.calculateMac(seqNo, type, plaintext, offset, len); encryptCipher.processBytes(mac, 0, mac.length, outBuf, len); return outBuf; }
public byte[] calculateMacConstantTime(long seqNo, short type, byte[] message, int offset, int length, int fullLength, byte[] dummyData) { /* * Actual MAC only calculated on 'length' bytes... */ byte[] result = calculateMac(seqNo, type, message, offset, length); /* * ...but ensure a constant number of complete digest blocks are processed (as many as would * be needed for 'fullLength' bytes of input). */ int headerLength = TlsUtils.isSSL(context) ? 11 : 13; // How many extra full blocks do we need to calculate? int extra = getDigestBlockCount(headerLength + fullLength) - getDigestBlockCount(headerLength + length); while (--extra >= 0) { mac.update(dummyData, 0, digestBlockSize); } // One more byte in case the implementation is "lazy" about processing blocks mac.update(dummyData[0]); mac.reset(); return result; }
int macSize = readMac.getSize(); byte[] calculatedMac = readMac.calculateMac(seqNo, type, ciphertext, offset, len - macSize); int macOff = offset + macInputLen; byte[] receivedMac = Arrays.copyOfRange(ciphertext, macOff, macOff + macSize); byte[] calculatedMac = readMac.calculateMacConstantTime(seqNo, type, ciphertext, offset, macInputLen, blocks_length - macSize, randomData);
public int getPlaintextLimit(int ciphertextLimit) { return ciphertextLimit - writeMac.getSize(); }
clientWriteMac = new TlsMac(context, clientWriteDigest, key_block, offset, clientWriteDigest.getDigestSize()); offset += clientWriteDigest.getDigestSize(); serverWriteMac = new TlsMac(context, serverWriteDigest, key_block, offset, serverWriteDigest.getDigestSize()); offset += serverWriteDigest.getDigestSize();
public byte[] encodePlaintext(long seqNo, short type, byte[] plaintext, int offset, int len) throws IOException { if (writeMac == null) { return Arrays.copyOfRange(plaintext, offset, offset + len); } byte[] mac = writeMac.calculateMac(seqNo, type, plaintext, offset, len); byte[] ciphertext = new byte[len + mac.length]; System.arraycopy(plaintext, offset, ciphertext, 0, len); System.arraycopy(mac, 0, ciphertext, len, mac.length); return ciphertext; }
/** * Calculate the MAC for some given data. * * @param type The message type of the message. * @param message A byte-buffer containing the message. * @param offset The number of bytes to skip, before the message starts. * @param length The length of the message. * @return A new byte-buffer containing the MAC value. */ public byte[] calculateMac(long seqNo, short type, byte[] message, int offset, int length) { ProtocolVersion serverVersion = context.getServerVersion(); boolean isSSL = serverVersion.isSSL(); byte[] macHeader = new byte[isSSL ? 11 : 13]; TlsUtils.writeUint64(seqNo, macHeader, 0); TlsUtils.writeUint8(type, macHeader, 8); if (!isSSL) { TlsUtils.writeVersion(serverVersion, macHeader, 9); } TlsUtils.writeUint16(length, macHeader, macHeader.length - 2); mac.update(macHeader, 0, macHeader.length); mac.update(message, offset, length); byte[] result = new byte[mac.getMacSize()]; mac.doFinal(result, 0); return truncate(result); }
int macSize = readMac.getSize(); byte[] calculatedMac = readMac.calculateMac(seqNo, type, ciphertext, offset, len - macSize); int macOff = offset + macInputLen; byte[] receivedMac = Arrays.copyOfRange(ciphertext, macOff, macOff + macSize); byte[] calculatedMac = readMac.calculateMacConstantTime(seqNo, type, ciphertext, offset, macInputLen, blocks_length - macSize, randomData);
public int getPlaintextLimit(int ciphertextLimit) { int result = ciphertextLimit; if (writeMac != null) { result -= writeMac.getSize(); } return result; }
clientWriteMac = new TlsMac(context, clientWriteDigest, key_block, offset, clientWriteDigest.getDigestSize()); offset += clientWriteDigest.getDigestSize(); serverWriteMac = new TlsMac(context, serverWriteDigest, key_block, offset, serverWriteDigest.getDigestSize()); offset += serverWriteDigest.getDigestSize();
public byte[] encodePlaintext(long seqNo, short type, byte[] plaintext, int offset, int len) throws IOException { if (writeMac == null) { return Arrays.copyOfRange(plaintext, offset, offset + len); } byte[] mac = writeMac.calculateMac(seqNo, type, plaintext, offset, len); byte[] ciphertext = new byte[len + mac.length]; System.arraycopy(plaintext, offset, ciphertext, 0, len); System.arraycopy(mac, 0, ciphertext, len, mac.length); return ciphertext; }
/** * Calculate the MAC for some given data. * * @param type The message type of the message. * @param message A byte-buffer containing the message. * @param offset The number of bytes to skip, before the message starts. * @param length The length of the message. * @return A new byte-buffer containing the MAC value. */ public byte[] calculateMac(long seqNo, short type, byte[] message, int offset, int length) { ProtocolVersion serverVersion = context.getServerVersion(); boolean isSSL = serverVersion.isSSL(); byte[] macHeader = new byte[isSSL ? 11 : 13]; TlsUtils.writeUint64(seqNo, macHeader, 0); TlsUtils.writeUint8(type, macHeader, 8); if (!isSSL) { TlsUtils.writeVersion(serverVersion, macHeader, 9); } TlsUtils.writeUint16(length, macHeader, macHeader.length - 2); mac.update(macHeader, 0, macHeader.length); mac.update(message, offset, length); byte[] result = new byte[mac.getMacSize()]; mac.doFinal(result, 0); return truncate(result); }
public byte[] encodePlaintext(long seqNo, short type, byte[] plaintext, int offset, int len) { /* * draft-josefsson-salsa20-tls-04 2.1 Note that Salsa20 requires a 64-bit nonce. That * nonce is updated on the encryption of every TLS record, and is set to be the 64-bit TLS * record sequence number. In case of DTLS the 64-bit nonce is formed as the concatenation * of the 16-bit epoch with the 48-bit sequence number. */ if (usesNonce) { updateIV(encryptCipher, true, seqNo); } byte[] outBuf = new byte[len + writeMac.getSize()]; encryptCipher.processBytes(plaintext, offset, len, outBuf, 0); byte[] mac = writeMac.calculateMac(seqNo, type, plaintext, offset, len); encryptCipher.processBytes(mac, 0, mac.length, outBuf, len); return outBuf; }
public int getPlaintextLimit(int ciphertextLimit) { int result = ciphertextLimit; if (writeMac != null) { result -= writeMac.getSize(); } return result; }
TlsMac clientWriteMac = new TlsMac(context, clientWriteDigest, key_block, offset, clientWriteDigest.getDigestSize()); offset += clientWriteDigest.getDigestSize(); TlsMac serverWriteMac = new TlsMac(context, serverWriteDigest, key_block, offset, serverWriteDigest.getDigestSize()); offset += serverWriteDigest.getDigestSize();
public byte[] calculateMacConstantTime(long seqNo, short type, byte[] message, int offset, int length, int fullLength, byte[] dummyData) { /* * Actual MAC only calculated on 'length' bytes... */ byte[] result = calculateMac(seqNo, type, message, offset, length); /* * ...but ensure a constant number of complete digest blocks are processed (as many as would * be needed for 'fullLength' bytes of input). */ int headerLength = TlsUtils.isSSL(context) ? 11 : 13; // How many extra full blocks do we need to calculate? int extra = getDigestBlockCount(headerLength + fullLength) - getDigestBlockCount(headerLength + length); while (--extra >= 0) { mac.update(dummyData, 0, digestBlockSize); } // One more byte in case the implementation is "lazy" about processing blocks mac.update(dummyData[0]); mac.reset(); return result; }
protected void checkMAC(long seqNo, short type, byte[] recBuf, int recStart, int recEnd, byte[] calcBuf, int calcOff, int calcLen) throws IOException { byte[] receivedMac = Arrays.copyOfRange(recBuf, recStart, recEnd); byte[] computedMac = readMac.calculateMac(seqNo, type, calcBuf, calcOff, calcLen); if (!Arrays.constantTimeAreEqual(receivedMac, computedMac)) { throw new TlsFatalAlert(AlertDescription.bad_record_mac); } }
public byte[] decodeCiphertext(long seqNo, short type, byte[] ciphertext, int offset, int len) throws IOException { if (readMac == null) { return Arrays.copyOfRange(ciphertext, offset, offset + len); } int macSize = readMac.getSize(); if (len < macSize) { throw new TlsFatalAlert(AlertDescription.decode_error); } int macInputLen = len - macSize; byte[] receivedMac = Arrays.copyOfRange(ciphertext, offset + macInputLen, offset + len); byte[] computedMac = readMac.calculateMac(seqNo, type, ciphertext, offset, macInputLen); if (!Arrays.constantTimeAreEqual(receivedMac, computedMac)) { throw new TlsFatalAlert(AlertDescription.bad_record_mac); } return Arrays.copyOfRange(ciphertext, offset, offset + macInputLen); } }
public int getPlaintextLimit(int ciphertextLimit) { return ciphertextLimit - writeMac.getSize(); }
TlsMac clientWriteMac = new TlsMac(context, clientWriteDigest, key_block, offset, clientWriteDigest.getDigestSize()); offset += clientWriteDigest.getDigestSize(); TlsMac serverWriteMac = new TlsMac(context, serverWriteDigest, key_block, offset, serverWriteDigest.getDigestSize()); offset += serverWriteDigest.getDigestSize();