org.bouncycastle.tls.crypto.impl.TlsSuiteHMac Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of bctls-jdk14 Show documentation
Show all versions of bctls-jdk14 Show documentation
The Bouncy Castle Java APIs for TLS and DTLS.
package org.bouncycastle.tls.crypto.impl;
import org.bouncycastle.tls.ProtocolVersion;
import org.bouncycastle.tls.TlsUtils;
import org.bouncycastle.tls.crypto.TlsCryptoParameters;
import org.bouncycastle.tls.crypto.TlsHMAC;
import org.bouncycastle.tls.crypto.TlsMAC;
import org.bouncycastle.util.Arrays;
/**
* A generic TLS MAC implementation, acting as an HMAC based on some underlying Digest.
*/
public class TlsSuiteHMac
implements TlsSuiteMac
{
protected static int getMacSize(TlsCryptoParameters cryptoParams, TlsMAC mac)
{
int macSize = mac.getMacLength();
if (cryptoParams.getSecurityParametersHandshake().isTruncatedHMac())
{
macSize = Math.min(macSize, 10);
}
return macSize;
}
protected final TlsCryptoParameters cryptoParams;
protected final TlsHMAC mac;
protected final int digestBlockSize;
protected final int digestOverhead;
protected final int macSize;
/**
* Generate a new instance of a TlsMac.
*
* @param cryptoParams the TLS client context specific crypto parameters.
* @param mac The MAC to use.
*/
public TlsSuiteHMac(TlsCryptoParameters cryptoParams, TlsHMAC mac)
{
this.cryptoParams = cryptoParams;
this.mac = mac;
this.macSize = getMacSize(cryptoParams, mac);
this.digestBlockSize = mac.getInternalBlockSize();
// TODO This should check the actual algorithm, not assume based on the digest size
if (TlsImplUtils.isSSL(cryptoParams) && mac.getMacLength() == 20)
{
/*
* NOTE: For the SSL 3.0 MAC with SHA-1, the secret + input pad is not block-aligned.
*/
this.digestOverhead = 4;
}
else
{
this.digestOverhead = digestBlockSize / 8;
}
}
public int getSize()
{
return macSize;
}
public byte[] calculateMac(long seqNo, short type, byte[] msg, int msgOff, int msgLen)
{
ProtocolVersion serverVersion = cryptoParams.getServerVersion();
boolean isSSL = serverVersion.isSSL();
byte[] macHeader = new byte[isSSL ? 11 : 13];
TlsUtils.writeUint64(seqNo, macHeader, 0);
TlsUtils.writeUint8(type, macHeader, 8);
if (!isSSL)
{
TlsUtils.writeVersion(serverVersion, macHeader, 9);
}
TlsUtils.writeUint16(msgLen, macHeader, macHeader.length - 2);
mac.update(macHeader, 0, macHeader.length);
mac.update(msg, msgOff, msgLen);
return truncate(mac.calculateMAC());
}
public byte[] calculateMacConstantTime(long seqNo, short type, byte[] msg, int msgOff, int msgLen,
int fullLength, byte[] dummyData)
{
/*
* Actual MAC only calculated on 'length' bytes[]
*/
byte[] result = calculateMac(seqNo, type, msg, msgOff, msgLen);
/*
* []but ensure a constant number of complete digest blocks are processed (as many as would
* be needed for 'fullLength' bytes of input).
*/
int headerLength = TlsImplUtils.isSSL(cryptoParams) ? 11 : 13;
// How many extra full blocks do we need to calculate?
int extra = getDigestBlockCount(headerLength + fullLength) - getDigestBlockCount(headerLength + msgLen);
while (--extra >= 0)
{
mac.update(dummyData, 0, digestBlockSize);
}
// One more byte in case the implementation is "lazy" about processing blocks
mac.update(dummyData, 0, 1);
mac.reset();
return result;
}
protected int getDigestBlockCount(int inputLength)
{
// NOTE: The input pad for HMAC is always a full digest block
// NOTE: This calculation assumes a minimum of 1 pad byte
return (inputLength + digestOverhead) / digestBlockSize;
}
protected byte[] truncate(byte[] bs)
{
if (bs.length <= macSize)
{
return bs;
}
return Arrays.copyOf(bs, macSize);
}
}