public byte[] encodePlaintext(short type, byte[] plaintext, int offset, int len) {
int blocksize = encryptCipher.getBlockSize();
int padding_length = blocksize - 1 - ((len + writeMac.getSize()) % blocksize);
boolean isTls =
context.getServerVersion().getFullVersion() >= ProtocolVersion.TLSv10.getFullVersion();
if (isTls) {
// Add a random number of extra blocks worth of padding
int maxExtraPadBlocks = (255 - padding_length) / blocksize;
int actualExtraPadBlocks = chooseExtraPadBlocks(context.getSecureRandom(), maxExtraPadBlocks);
padding_length += actualExtraPadBlocks * blocksize;
}
int totalsize = len + writeMac.getSize() + padding_length + 1;
byte[] outbuf = new byte[totalsize];
System.arraycopy(plaintext, offset, outbuf, 0, len);
byte[] mac = writeMac.calculateMac(type, plaintext, offset, len);
System.arraycopy(mac, 0, outbuf, len, mac.length);
int paddoffset = len + mac.length;
for (int i = 0; i <= padding_length; i++) {
outbuf[i + paddoffset] = (byte) padding_length;
}
for (int i = 0; i < totalsize; i += blocksize) {
encryptCipher.processBlock(outbuf, i, outbuf, i);
}
return outbuf;
}
protected AsymmetricCipherKeyPair generateECKeyPair(ECDomainParameters ecParams) {
ECKeyPairGenerator keyPairGenerator = new ECKeyPairGenerator();
ECKeyGenerationParameters keyGenerationParameters =
new ECKeyGenerationParameters(ecParams, context.getSecureRandom());
keyPairGenerator.init(keyGenerationParameters);
return keyPairGenerator.generateKeyPair();
}
public void generateClientKeyExchange(OutputStream os) throws IOException {
/*
* Choose a PremasterSecret and send it encrypted to the server
*/
premasterSecret = new byte[48];
context.getSecureRandom().nextBytes(premasterSecret);
TlsUtils.writeVersion(premasterSecret, 0);
PKCS1Encoding encoding = new PKCS1Encoding(new RSABlindedEngine());
encoding.init(
true, new ParametersWithRandom(this.rsaServerPublicKey, context.getSecureRandom()));
try {
byte[] keData = encoding.processBlock(premasterSecret, 0, premasterSecret.length);
TlsUtils.writeUint24(keData.length + 2, os);
TlsUtils.writeOpaque16(keData, os);
} catch (InvalidCipherTextException e) {
/*
* This should never happen, only during decryption.
*/
throw new TlsFatalAlert(AlertDescription.internal_error);
}
}
public TlsBlockCipher(
TlsClientContext context,
BlockCipher encryptCipher,
BlockCipher decryptCipher,
Digest writeDigest,
Digest readDigest,
int cipherKeySize) {
this.context = context;
this.randomData = new byte[256];
context.getSecureRandom().nextBytes(randomData);
this.encryptCipher = encryptCipher;
this.decryptCipher = decryptCipher;
int key_block_size =
(2 * cipherKeySize)
+ writeDigest.getDigestSize()
+ readDigest.getDigestSize()
+ encryptCipher.getBlockSize()
+ decryptCipher.getBlockSize();
byte[] key_block = TlsUtils.calculateKeyBlock(context, key_block_size);
int offset = 0;
// Init MACs
writeMac = new TlsMac(context, writeDigest, key_block, offset, writeDigest.getDigestSize());
offset += writeDigest.getDigestSize();
readMac = new TlsMac(context, readDigest, key_block, offset, readDigest.getDigestSize());
offset += readDigest.getDigestSize();
// Init Ciphers
this.initCipher(
true, encryptCipher, key_block, cipherKeySize, offset, offset + (cipherKeySize * 2));
offset += cipherKeySize;
this.initCipher(
false,
decryptCipher,
key_block,
cipherKeySize,
offset,
offset + cipherKeySize + encryptCipher.getBlockSize());
}
protected int checkPaddingConstantTime(byte[] buf, int off, int len, int blockSize, int macSize) {
int end = off + len;
byte lastByte = buf[end - 1];
int padlen = lastByte & 0xff;
int totalPad = padlen + 1;
int dummyIndex = 0;
byte padDiff = 0;
boolean isTls =
context.getServerVersion().getFullVersion() >= ProtocolVersion.TLSv10.getFullVersion();
if ((!isTls && totalPad > blockSize) || (macSize + totalPad > len)) {
totalPad = 0;
} else {
int padPos = end - totalPad;
do {
padDiff |= (buf[padPos++] ^ lastByte);
} while (padPos < end);
dummyIndex = totalPad;
if (padDiff != 0) {
totalPad = 0;
}
}
// Run some extra dummy checks so the number of checks is always constant
{
byte[] dummyPad = randomData;
while (dummyIndex < 256) {
padDiff |= (dummyPad[dummyIndex++] ^ lastByte);
}
// Ensure the above loop is not eliminated
dummyPad[0] ^= padDiff;
}
return totalPad;
}
protected AsymmetricCipherKeyPair generateDHKeyPair(DHParameters dhParams) {
DHBasicKeyPairGenerator dhGen = new DHBasicKeyPairGenerator();
dhGen.init(new DHKeyGenerationParameters(context.getSecureRandom(), dhParams));
return dhGen.generateKeyPair();
}