639 lines
22 KiB
Java
639 lines
22 KiB
Java
/*
|
|
* Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation. Oracle designates this
|
|
* particular file as subject to the "Classpath" exception as provided
|
|
* by Oracle in the LICENSE file that accompanied this code.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
package com.sun.crypto.provider;
|
|
|
|
import java.util.Arrays;
|
|
import java.io.*;
|
|
import java.security.*;
|
|
import javax.crypto.*;
|
|
import static com.sun.crypto.provider.AESConstants.AES_BLOCK_SIZE;
|
|
|
|
|
|
/**
|
|
* This class represents ciphers in GaloisCounter (GCM) mode.
|
|
*
|
|
* <p>This mode currently should only be used w/ AES cipher.
|
|
* Although no checking is done, caller should only pass AES
|
|
* Cipher to the constructor.
|
|
*
|
|
* <p>NOTE: Unlike other modes, when used for decryption, this class
|
|
* will buffer all processed outputs internally and won't return them
|
|
* until the tag has been successfully verified.
|
|
*
|
|
* @since 1.8
|
|
*/
|
|
final class GaloisCounterMode extends FeedbackCipher {
|
|
|
|
static int DEFAULT_TAG_LEN = AES_BLOCK_SIZE;
|
|
static int DEFAULT_IV_LEN = 12; // in bytes
|
|
|
|
// In NIST SP 800-38D, GCM input size is limited to be no longer
|
|
// than (2^36 - 32) bytes. Otherwise, the counter will wrap
|
|
// around and lead to a leak of plaintext.
|
|
// However, given the current GCM spec requirement that recovered
|
|
// text can only be returned after successful tag verification,
|
|
// we are bound by limiting the data size to the size limit of
|
|
// java byte array, e.g. Integer.MAX_VALUE, since all data
|
|
// can only be returned by the doFinal(...) call.
|
|
private static final int MAX_BUF_SIZE = Integer.MAX_VALUE;
|
|
|
|
// data size when buffer is divided up to aid in intrinsics
|
|
private static final int TRIGGERLEN = 65536; // 64k
|
|
|
|
// buffer for AAD data; if null, meaning update has been called
|
|
private ByteArrayOutputStream aadBuffer = new ByteArrayOutputStream();
|
|
private int sizeOfAAD = 0;
|
|
|
|
// buffer for storing input in decryption, not used for encryption
|
|
private ByteArrayOutputStream ibuffer = null;
|
|
|
|
// in bytes; need to convert to bits (default value 128) when needed
|
|
private int tagLenBytes = DEFAULT_TAG_LEN;
|
|
|
|
// these following 2 fields can only be initialized after init() is
|
|
// called, e.g. after cipher key k is set, and STAY UNCHANGED
|
|
private byte[] subkeyH = null;
|
|
private byte[] preCounterBlock = null;
|
|
|
|
private GCTR gctrPAndC = null;
|
|
private GHASH ghashAllToS = null;
|
|
|
|
// length of total data, i.e. len(C)
|
|
private int processed = 0;
|
|
|
|
// additional variables for save/restore calls
|
|
private byte[] aadBufferSave = null;
|
|
private int sizeOfAADSave = 0;
|
|
private byte[] ibufferSave = null;
|
|
private int processedSave = 0;
|
|
|
|
// value must be 16-byte long; used by GCTR and GHASH as well
|
|
static void increment32(byte[] value) {
|
|
if (value.length != AES_BLOCK_SIZE) {
|
|
// should never happen
|
|
throw new ProviderException("Illegal counter block length");
|
|
}
|
|
// start from last byte and only go over 4 bytes, i.e. total 32 bits
|
|
int n = value.length - 1;
|
|
while ((n >= value.length - 4) && (++value[n] == 0)) {
|
|
n--;
|
|
}
|
|
}
|
|
|
|
private static byte[] getLengthBlock(int ivLenInBytes) {
|
|
long ivLen = ((long)ivLenInBytes) << 3;
|
|
byte[] out = new byte[AES_BLOCK_SIZE];
|
|
out[8] = (byte)(ivLen >>> 56);
|
|
out[9] = (byte)(ivLen >>> 48);
|
|
out[10] = (byte)(ivLen >>> 40);
|
|
out[11] = (byte)(ivLen >>> 32);
|
|
out[12] = (byte)(ivLen >>> 24);
|
|
out[13] = (byte)(ivLen >>> 16);
|
|
out[14] = (byte)(ivLen >>> 8);
|
|
out[15] = (byte)ivLen;
|
|
return out;
|
|
}
|
|
|
|
private static byte[] getLengthBlock(int aLenInBytes, int cLenInBytes) {
|
|
long aLen = ((long)aLenInBytes) << 3;
|
|
long cLen = ((long)cLenInBytes) << 3;
|
|
byte[] out = new byte[AES_BLOCK_SIZE];
|
|
out[0] = (byte)(aLen >>> 56);
|
|
out[1] = (byte)(aLen >>> 48);
|
|
out[2] = (byte)(aLen >>> 40);
|
|
out[3] = (byte)(aLen >>> 32);
|
|
out[4] = (byte)(aLen >>> 24);
|
|
out[5] = (byte)(aLen >>> 16);
|
|
out[6] = (byte)(aLen >>> 8);
|
|
out[7] = (byte)aLen;
|
|
out[8] = (byte)(cLen >>> 56);
|
|
out[9] = (byte)(cLen >>> 48);
|
|
out[10] = (byte)(cLen >>> 40);
|
|
out[11] = (byte)(cLen >>> 32);
|
|
out[12] = (byte)(cLen >>> 24);
|
|
out[13] = (byte)(cLen >>> 16);
|
|
out[14] = (byte)(cLen >>> 8);
|
|
out[15] = (byte)cLen;
|
|
return out;
|
|
}
|
|
|
|
private static byte[] expandToOneBlock(byte[] in, int inOfs, int len) {
|
|
if (len > AES_BLOCK_SIZE) {
|
|
throw new ProviderException("input " + len + " too long");
|
|
}
|
|
if (len == AES_BLOCK_SIZE && inOfs == 0) {
|
|
return in;
|
|
} else {
|
|
byte[] paddedIn = new byte[AES_BLOCK_SIZE];
|
|
System.arraycopy(in, inOfs, paddedIn, 0, len);
|
|
return paddedIn;
|
|
}
|
|
}
|
|
|
|
private static byte[] getJ0(byte[] iv, byte[] subkeyH) {
|
|
byte[] j0;
|
|
if (iv.length == 12) { // 96 bits
|
|
j0 = expandToOneBlock(iv, 0, iv.length);
|
|
j0[AES_BLOCK_SIZE - 1] = 1;
|
|
} else {
|
|
GHASH g = new GHASH(subkeyH);
|
|
int lastLen = iv.length % AES_BLOCK_SIZE;
|
|
if (lastLen != 0) {
|
|
g.update(iv, 0, iv.length - lastLen);
|
|
byte[] padded =
|
|
expandToOneBlock(iv, iv.length - lastLen, lastLen);
|
|
g.update(padded);
|
|
} else {
|
|
g.update(iv);
|
|
}
|
|
byte[] lengthBlock = getLengthBlock(iv.length);
|
|
g.update(lengthBlock);
|
|
j0 = g.digest();
|
|
}
|
|
return j0;
|
|
}
|
|
|
|
private static void checkDataLength(int processed, int len) {
|
|
if (processed > MAX_BUF_SIZE - len) {
|
|
throw new ProviderException("SunJCE provider only supports " +
|
|
"input size up to " + MAX_BUF_SIZE + " bytes");
|
|
}
|
|
}
|
|
|
|
GaloisCounterMode(SymmetricCipher embeddedCipher) {
|
|
super(embeddedCipher);
|
|
aadBuffer = new ByteArrayOutputStream();
|
|
}
|
|
|
|
/**
|
|
* Gets the name of the feedback mechanism
|
|
*
|
|
* @return the name of the feedback mechanism
|
|
*/
|
|
String getFeedback() {
|
|
return "GCM";
|
|
}
|
|
|
|
/**
|
|
* Resets the cipher object to its original state.
|
|
* This is used when doFinal is called in the Cipher class, so that the
|
|
* cipher can be reused (with its original key and iv).
|
|
*/
|
|
void reset() {
|
|
if (aadBuffer == null) {
|
|
aadBuffer = new ByteArrayOutputStream();
|
|
} else {
|
|
aadBuffer.reset();
|
|
}
|
|
if (gctrPAndC != null) gctrPAndC.reset();
|
|
if (ghashAllToS != null) ghashAllToS.reset();
|
|
processed = 0;
|
|
sizeOfAAD = 0;
|
|
if (ibuffer != null) {
|
|
ibuffer.reset();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Save the current content of this cipher.
|
|
*/
|
|
void save() {
|
|
processedSave = processed;
|
|
sizeOfAADSave = sizeOfAAD;
|
|
aadBufferSave =
|
|
((aadBuffer == null || aadBuffer.size() == 0)?
|
|
null : aadBuffer.toByteArray());
|
|
if (gctrPAndC != null) gctrPAndC.save();
|
|
if (ghashAllToS != null) ghashAllToS.save();
|
|
if (ibuffer != null) {
|
|
ibufferSave = ibuffer.toByteArray();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Restores the content of this cipher to the previous saved one.
|
|
*/
|
|
void restore() {
|
|
processed = processedSave;
|
|
sizeOfAAD = sizeOfAADSave;
|
|
if (aadBuffer != null) {
|
|
aadBuffer.reset();
|
|
if (aadBufferSave != null) {
|
|
aadBuffer.write(aadBufferSave, 0, aadBufferSave.length);
|
|
}
|
|
}
|
|
if (gctrPAndC != null) gctrPAndC.restore();
|
|
if (ghashAllToS != null) ghashAllToS.restore();
|
|
if (ibuffer != null) {
|
|
ibuffer.reset();
|
|
ibuffer.write(ibufferSave, 0, ibufferSave.length);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Initializes the cipher in the specified mode with the given key
|
|
* and iv.
|
|
*
|
|
* @param decrypting flag indicating encryption or decryption
|
|
* @param algorithm the algorithm name
|
|
* @param key the key
|
|
* @param iv the iv
|
|
* @param tagLenBytes the length of tag in bytes
|
|
*
|
|
* @exception InvalidKeyException if the given key is inappropriate for
|
|
* initializing this cipher
|
|
*/
|
|
@Override
|
|
void init(boolean decrypting, String algorithm, byte[] key, byte[] iv)
|
|
throws InvalidKeyException, InvalidAlgorithmParameterException {
|
|
init(decrypting, algorithm, key, iv, DEFAULT_TAG_LEN);
|
|
}
|
|
|
|
/**
|
|
* Initializes the cipher in the specified mode with the given key
|
|
* and iv.
|
|
*
|
|
* @param decrypting flag indicating encryption or decryption
|
|
* @param algorithm the algorithm name
|
|
* @param key the key
|
|
* @param iv the iv
|
|
* @param tagLenBytes the length of tag in bytes
|
|
*
|
|
* @exception InvalidKeyException if the given key is inappropriate for
|
|
* initializing this cipher
|
|
*/
|
|
void init(boolean decrypting, String algorithm, byte[] keyValue,
|
|
byte[] ivValue, int tagLenBytes)
|
|
throws InvalidKeyException, InvalidAlgorithmParameterException {
|
|
if (keyValue == null) {
|
|
throw new InvalidKeyException("Internal error");
|
|
}
|
|
if (ivValue == null) {
|
|
throw new InvalidAlgorithmParameterException("Internal error");
|
|
}
|
|
if (ivValue.length == 0) {
|
|
throw new InvalidAlgorithmParameterException("IV is empty");
|
|
}
|
|
|
|
// always encrypt mode for embedded cipher
|
|
this.embeddedCipher.init(false, algorithm, keyValue);
|
|
this.subkeyH = new byte[AES_BLOCK_SIZE];
|
|
this.embeddedCipher.encryptBlock(new byte[AES_BLOCK_SIZE], 0,
|
|
this.subkeyH, 0);
|
|
|
|
this.iv = ivValue.clone();
|
|
preCounterBlock = getJ0(iv, subkeyH);
|
|
byte[] j0Plus1 = preCounterBlock.clone();
|
|
increment32(j0Plus1);
|
|
gctrPAndC = new GCTR(embeddedCipher, j0Plus1);
|
|
ghashAllToS = new GHASH(subkeyH);
|
|
|
|
this.tagLenBytes = tagLenBytes;
|
|
if (aadBuffer == null) {
|
|
aadBuffer = new ByteArrayOutputStream();
|
|
} else {
|
|
aadBuffer.reset();
|
|
}
|
|
processed = 0;
|
|
sizeOfAAD = 0;
|
|
if (decrypting) {
|
|
ibuffer = new ByteArrayOutputStream();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Continues a multi-part update of the Additional Authentication
|
|
* Data (AAD), using a subset of the provided buffer. If this
|
|
* cipher is operating in either GCM or CCM mode, all AAD must be
|
|
* supplied before beginning operations on the ciphertext (via the
|
|
* {@code update} and {@code doFinal} methods).
|
|
* <p>
|
|
* NOTE: Given most modes do not accept AAD, default impl for this
|
|
* method throws IllegalStateException.
|
|
*
|
|
* @param src the buffer containing the AAD
|
|
* @param offset the offset in {@code src} where the AAD input starts
|
|
* @param len the number of AAD bytes
|
|
*
|
|
* @throws IllegalStateException if this cipher is in a wrong state
|
|
* (e.g., has not been initialized), does not accept AAD, or if
|
|
* operating in either GCM or CCM mode and one of the {@code update}
|
|
* methods has already been called for the active
|
|
* encryption/decryption operation
|
|
* @throws UnsupportedOperationException if this method
|
|
* has not been overridden by an implementation
|
|
*
|
|
* @since 1.8
|
|
*/
|
|
void updateAAD(byte[] src, int offset, int len) {
|
|
if (aadBuffer != null) {
|
|
aadBuffer.write(src, offset, len);
|
|
} else {
|
|
// update has already been called
|
|
throw new IllegalStateException
|
|
("Update has been called; no more AAD data");
|
|
}
|
|
}
|
|
|
|
// Feed the AAD data to GHASH, pad if necessary
|
|
void processAAD() {
|
|
if (aadBuffer != null) {
|
|
if (aadBuffer.size() > 0) {
|
|
byte[] aad = aadBuffer.toByteArray();
|
|
sizeOfAAD = aad.length;
|
|
|
|
int lastLen = aad.length % AES_BLOCK_SIZE;
|
|
if (lastLen != 0) {
|
|
ghashAllToS.update(aad, 0, aad.length - lastLen);
|
|
byte[] padded = expandToOneBlock(aad, aad.length - lastLen,
|
|
lastLen);
|
|
ghashAllToS.update(padded);
|
|
} else {
|
|
ghashAllToS.update(aad);
|
|
}
|
|
}
|
|
aadBuffer = null;
|
|
}
|
|
}
|
|
|
|
// Utility to process the last block; used by encryptFinal and decryptFinal
|
|
void doLastBlock(byte[] in, int inOfs, int len, byte[] out, int outOfs,
|
|
boolean isEncrypt) throws IllegalBlockSizeException {
|
|
byte[] ct;
|
|
int ctOfs;
|
|
int ilen = len; // internal length
|
|
|
|
if (isEncrypt) {
|
|
ct = out;
|
|
ctOfs = outOfs;
|
|
} else {
|
|
ct = in;
|
|
ctOfs = inOfs;
|
|
}
|
|
|
|
// Divide up larger data sizes to trigger CTR & GHASH intrinsic quicker
|
|
if (len > TRIGGERLEN) {
|
|
int i = 0;
|
|
int tlen; // incremental lengths
|
|
final int plen = AES_BLOCK_SIZE * 6;
|
|
// arbitrary formula to aid intrinsic without reaching buffer end
|
|
final int count = len / 1024;
|
|
|
|
while (count > i) {
|
|
tlen = gctrPAndC.update(in, inOfs, plen, out, outOfs);
|
|
ghashAllToS.update(ct, ctOfs, tlen);
|
|
inOfs += tlen;
|
|
outOfs += tlen;
|
|
ctOfs += tlen;
|
|
i++;
|
|
}
|
|
ilen -= count * plen;
|
|
processed += count * plen;
|
|
}
|
|
|
|
gctrPAndC.doFinal(in, inOfs, ilen, out, outOfs);
|
|
processed += ilen;
|
|
|
|
int lastLen = ilen % AES_BLOCK_SIZE;
|
|
if (lastLen != 0) {
|
|
ghashAllToS.update(ct, ctOfs, ilen - lastLen);
|
|
ghashAllToS.update(
|
|
expandToOneBlock(ct, (ctOfs + ilen - lastLen), lastLen));
|
|
} else {
|
|
ghashAllToS.update(ct, ctOfs, ilen);
|
|
}
|
|
}
|
|
|
|
|
|
/**
|
|
* Performs encryption operation.
|
|
*
|
|
* <p>The input plain text <code>in</code>, starting at <code>inOfs</code>
|
|
* and ending at <code>(inOfs + len - 1)</code>, is encrypted. The result
|
|
* is stored in <code>out</code>, starting at <code>outOfs</code>.
|
|
*
|
|
* @param in the buffer with the input data to be encrypted
|
|
* @param inOfs the offset in <code>in</code>
|
|
* @param len the length of the input data
|
|
* @param out the buffer for the result
|
|
* @param outOfs the offset in <code>out</code>
|
|
* @exception ProviderException if <code>len</code> is not
|
|
* a multiple of the block size
|
|
* @return the number of bytes placed into the <code>out</code> buffer
|
|
*/
|
|
int encrypt(byte[] in, int inOfs, int len, byte[] out, int outOfs) {
|
|
checkDataLength(processed, len);
|
|
|
|
RangeUtil.blockSizeCheck(len, blockSize);
|
|
processAAD();
|
|
|
|
if (len > 0) {
|
|
RangeUtil.nullAndBoundsCheck(in, inOfs, len);
|
|
RangeUtil.nullAndBoundsCheck(out, outOfs, len);
|
|
|
|
gctrPAndC.update(in, inOfs, len, out, outOfs);
|
|
processed += len;
|
|
ghashAllToS.update(out, outOfs, len);
|
|
}
|
|
|
|
return len;
|
|
}
|
|
|
|
/**
|
|
* Performs encryption operation for the last time.
|
|
*
|
|
* @param in the input buffer with the data to be encrypted
|
|
* @param inOfs the offset in <code>in</code>
|
|
* @param len the length of the input data
|
|
* @param out the buffer for the encryption result
|
|
* @param outOfs the offset in <code>out</code>
|
|
* @return the number of bytes placed into the <code>out</code> buffer
|
|
*/
|
|
int encryptFinal(byte[] in, int inOfs, int len, byte[] out, int outOfs)
|
|
throws IllegalBlockSizeException, ShortBufferException {
|
|
if (len > MAX_BUF_SIZE - tagLenBytes) {
|
|
throw new ShortBufferException
|
|
("Can't fit both data and tag into one buffer");
|
|
}
|
|
try {
|
|
RangeUtil.nullAndBoundsCheck(out, outOfs,
|
|
(len + tagLenBytes));
|
|
} catch (ArrayIndexOutOfBoundsException aiobe) {
|
|
throw new ShortBufferException("Output buffer too small");
|
|
}
|
|
|
|
checkDataLength(processed, len);
|
|
|
|
processAAD();
|
|
if (len > 0) {
|
|
RangeUtil.nullAndBoundsCheck(in, inOfs, len);
|
|
|
|
doLastBlock(in, inOfs, len, out, outOfs, true);
|
|
}
|
|
|
|
byte[] lengthBlock =
|
|
getLengthBlock(sizeOfAAD, processed);
|
|
ghashAllToS.update(lengthBlock);
|
|
byte[] s = ghashAllToS.digest();
|
|
byte[] sOut = new byte[s.length];
|
|
GCTR gctrForSToTag = new GCTR(embeddedCipher, this.preCounterBlock);
|
|
gctrForSToTag.doFinal(s, 0, s.length, sOut, 0);
|
|
|
|
System.arraycopy(sOut, 0, out, (outOfs + len), tagLenBytes);
|
|
return (len + tagLenBytes);
|
|
}
|
|
|
|
/**
|
|
* Performs decryption operation.
|
|
*
|
|
* <p>The input cipher text <code>in</code>, starting at
|
|
* <code>inOfs</code> and ending at <code>(inOfs + len - 1)</code>,
|
|
* is decrypted. The result is stored in <code>out</code>, starting at
|
|
* <code>outOfs</code>.
|
|
*
|
|
* @param in the buffer with the input data to be decrypted
|
|
* @param inOfs the offset in <code>in</code>
|
|
* @param len the length of the input data
|
|
* @param out the buffer for the result
|
|
* @param outOfs the offset in <code>out</code>
|
|
* @exception ProviderException if <code>len</code> is not
|
|
* a multiple of the block size
|
|
* @return the number of bytes placed into the <code>out</code> buffer
|
|
*/
|
|
int decrypt(byte[] in, int inOfs, int len, byte[] out, int outOfs) {
|
|
checkDataLength(ibuffer.size(), len);
|
|
|
|
RangeUtil.blockSizeCheck(len, blockSize);
|
|
processAAD();
|
|
|
|
if (len > 0) {
|
|
// store internally until decryptFinal is called because
|
|
// spec mentioned that only return recovered data after tag
|
|
// is successfully verified
|
|
RangeUtil.nullAndBoundsCheck(in, inOfs, len);
|
|
ibuffer.write(in, inOfs, len);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* Performs decryption operation for the last time.
|
|
*
|
|
* <p>NOTE: For cipher feedback modes which does not perform
|
|
* special handling for the last few blocks, this is essentially
|
|
* the same as <code>encrypt(...)</code>. Given most modes do
|
|
* not do special handling, the default impl for this method is
|
|
* to simply call <code>decrypt(...)</code>.
|
|
*
|
|
* @param in the input buffer with the data to be decrypted
|
|
* @param inOfs the offset in <code>cipher</code>
|
|
* @param len the length of the input data
|
|
* @param out the buffer for the decryption result
|
|
* @param outOfs the offset in <code>plain</code>
|
|
* @return the number of bytes placed into the <code>out</code> buffer
|
|
*/
|
|
int decryptFinal(byte[] in, int inOfs, int len,
|
|
byte[] out, int outOfs)
|
|
throws IllegalBlockSizeException, AEADBadTagException,
|
|
ShortBufferException {
|
|
if (len < tagLenBytes) {
|
|
throw new AEADBadTagException("Input too short - need tag");
|
|
}
|
|
|
|
// do this check here can also catch the potential integer overflow
|
|
// scenario for the subsequent output buffer capacity check.
|
|
checkDataLength(ibuffer.size(), (len - tagLenBytes));
|
|
|
|
try {
|
|
RangeUtil.nullAndBoundsCheck(out, outOfs,
|
|
(ibuffer.size() + len) - tagLenBytes);
|
|
} catch (ArrayIndexOutOfBoundsException aiobe) {
|
|
throw new ShortBufferException("Output buffer too small");
|
|
}
|
|
|
|
processAAD();
|
|
|
|
RangeUtil.nullAndBoundsCheck(in, inOfs, len);
|
|
|
|
// get the trailing tag bytes from 'in'
|
|
byte[] tag = new byte[tagLenBytes];
|
|
System.arraycopy(in, inOfs + len - tagLenBytes, tag, 0, tagLenBytes);
|
|
len -= tagLenBytes;
|
|
|
|
// If decryption is in-place or there is buffered "ibuffer" data, copy
|
|
// the "in" byte array into the ibuffer before proceeding.
|
|
if (in == out || ibuffer.size() > 0) {
|
|
if (len > 0) {
|
|
ibuffer.write(in, inOfs, len);
|
|
}
|
|
|
|
// refresh 'in' to all buffered-up bytes
|
|
in = ibuffer.toByteArray();
|
|
inOfs = 0;
|
|
len = in.length;
|
|
ibuffer.reset();
|
|
}
|
|
|
|
if (len > 0) {
|
|
doLastBlock(in, inOfs, len, out, outOfs, false);
|
|
}
|
|
|
|
byte[] lengthBlock =
|
|
getLengthBlock(sizeOfAAD, processed);
|
|
ghashAllToS.update(lengthBlock);
|
|
|
|
byte[] s = ghashAllToS.digest();
|
|
byte[] sOut = new byte[s.length];
|
|
GCTR gctrForSToTag = new GCTR(embeddedCipher, this.preCounterBlock);
|
|
gctrForSToTag.doFinal(s, 0, s.length, sOut, 0);
|
|
|
|
// check entire authentication tag for time-consistency
|
|
int mismatch = 0;
|
|
for (int i = 0; i < tagLenBytes; i++) {
|
|
mismatch |= tag[i] ^ sOut[i];
|
|
}
|
|
|
|
if (mismatch != 0) {
|
|
throw new AEADBadTagException("Tag mismatch!");
|
|
}
|
|
|
|
return len;
|
|
}
|
|
|
|
// return tag length in bytes
|
|
int getTagLen() {
|
|
return this.tagLenBytes;
|
|
}
|
|
|
|
int getBufferedLength() {
|
|
if (ibuffer == null) {
|
|
return 0;
|
|
} else {
|
|
return ibuffer.size();
|
|
}
|
|
}
|
|
}
|