543 newLen = cipher.update(dup, bb);
544 if (newLen != len) {
545 // catch BouncyCastle buffering error
546 throw new RuntimeException("Cipher buffering error " +
547 "in JCE provider " + cipher.getProvider().getName());
548 }
549 }
550
551 // reset the limit to the end of the decryted data
552 bb.limit(pos + newLen);
553
554 if (debug != null && Debug.isOn("plaintext")) {
555 try {
556 HexDumpEncoder hd = new HexDumpEncoder();
557
558 System.out.println(
559 "Padded plaintext after DECRYPTION: len = "
560 + newLen);
561
562 hd.encodeBuffer(
563 (ByteBuffer)bb.duplicate().position(pos), System.out);
564 } catch (IOException e) { }
565 }
566
567 /*
568 * Remove the block padding.
569 */
570 if (cipherType == BLOCK_CIPHER) {
571 int blockSize = cipher.getBlockSize();
572 bb.position(pos);
573 newLen = removePadding(bb, tagLen, blockSize, protocolVersion);
574
575 // check the explicit IV of TLS v1.1 or later
576 if (protocolVersion.v >= ProtocolVersion.TLS11.v) {
577 if (newLen < blockSize) {
578 throw new BadPaddingException("invalid explicit IV");
579 }
580
581 // reset the position to the end of the decrypted data
582 bb.position(bb.limit());
583 }
773 int offset = bb.position();
774
775 // last byte is length byte (i.e. actual padding length - 1)
776 int padOffset = offset + len - 1;
777 int padLen = bb.get(padOffset) & 0xFF;
778
779 int newLen = len - (padLen + 1);
780 if ((newLen - tagLen) < 0) {
781 // If the buffer is not long enough to contain the padding plus
782 // a MAC tag, do a dummy constant-time padding check.
783 //
784 // Note that it is a dummy check, so we won't care about what is
785 // the actual padding data.
786 checkPadding(bb.duplicate(), (byte)(padLen & 0xFF));
787
788 throw new BadPaddingException("Invalid Padding length: " + padLen);
789 }
790
791 // The padding data should be filled with the padding length value.
792 int[] results = checkPadding(
793 (ByteBuffer)bb.duplicate().position(offset + newLen),
794 (byte)(padLen & 0xFF));
795 if (protocolVersion.v >= ProtocolVersion.TLS10.v) {
796 if (results[0] != 0) { // padding data has invalid bytes
797 throw new BadPaddingException("Invalid TLS padding data");
798 }
799 } else { // SSLv3
800 // SSLv3 requires 0 <= length byte < block size
801 // some implementations do 1 <= length byte <= block size,
802 // so accept that as well
803 // v3 does not require any particular value for the other bytes
804 if (padLen > blockSize) {
805 throw new BadPaddingException("Invalid SSLv3 padding");
806 }
807 }
808
809 /*
810 * Reset buffer limit to remove padding.
811 */
812 bb.position(offset + newLen);
813 bb.limit(offset + newLen);
|
543 newLen = cipher.update(dup, bb);
544 if (newLen != len) {
545 // catch BouncyCastle buffering error
546 throw new RuntimeException("Cipher buffering error " +
547 "in JCE provider " + cipher.getProvider().getName());
548 }
549 }
550
551 // reset the limit to the end of the decryted data
552 bb.limit(pos + newLen);
553
554 if (debug != null && Debug.isOn("plaintext")) {
555 try {
556 HexDumpEncoder hd = new HexDumpEncoder();
557
558 System.out.println(
559 "Padded plaintext after DECRYPTION: len = "
560 + newLen);
561
562 hd.encodeBuffer(
563 bb.duplicate().position(pos), System.out);
564 } catch (IOException e) { }
565 }
566
567 /*
568 * Remove the block padding.
569 */
570 if (cipherType == BLOCK_CIPHER) {
571 int blockSize = cipher.getBlockSize();
572 bb.position(pos);
573 newLen = removePadding(bb, tagLen, blockSize, protocolVersion);
574
575 // check the explicit IV of TLS v1.1 or later
576 if (protocolVersion.v >= ProtocolVersion.TLS11.v) {
577 if (newLen < blockSize) {
578 throw new BadPaddingException("invalid explicit IV");
579 }
580
581 // reset the position to the end of the decrypted data
582 bb.position(bb.limit());
583 }
773 int offset = bb.position();
774
775 // last byte is length byte (i.e. actual padding length - 1)
776 int padOffset = offset + len - 1;
777 int padLen = bb.get(padOffset) & 0xFF;
778
779 int newLen = len - (padLen + 1);
780 if ((newLen - tagLen) < 0) {
781 // If the buffer is not long enough to contain the padding plus
782 // a MAC tag, do a dummy constant-time padding check.
783 //
784 // Note that it is a dummy check, so we won't care about what is
785 // the actual padding data.
786 checkPadding(bb.duplicate(), (byte)(padLen & 0xFF));
787
788 throw new BadPaddingException("Invalid Padding length: " + padLen);
789 }
790
791 // The padding data should be filled with the padding length value.
792 int[] results = checkPadding(
793 bb.duplicate().position(offset + newLen),
794 (byte)(padLen & 0xFF));
795 if (protocolVersion.v >= ProtocolVersion.TLS10.v) {
796 if (results[0] != 0) { // padding data has invalid bytes
797 throw new BadPaddingException("Invalid TLS padding data");
798 }
799 } else { // SSLv3
800 // SSLv3 requires 0 <= length byte < block size
801 // some implementations do 1 <= length byte <= block size,
802 // so accept that as well
803 // v3 does not require any particular value for the other bytes
804 if (padLen > blockSize) {
805 throw new BadPaddingException("Invalid SSLv3 padding");
806 }
807 }
808
809 /*
810 * Reset buffer limit to remove padding.
811 */
812 bb.position(offset + newLen);
813 bb.limit(offset + newLen);
|
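Review bot: The padding code in the second hunk throws three differently worded `BadPaddingException`s (`Invalid Padding length: ...`, `Invalid TLS padding data`, `Invalid SSLv3 padding`), and the first hunk has a fourth (`invalid explicit IV`), yet no visible comment says that callers must keep these cases indistinguishable to the peer. The dummy `checkPadding(bb.duplicate(), ...)` call shows the short-buffer path is meant to do comparable work before failing, so the matching rule for error reporting deserves a comment above the first throw, for example `// Callers must treat every BadPaddingException like a MAC failure (same alert, same handling).` Whether the callers already do this cannot be seen here, because both methods start and end outside the hunks. Separately, dropping the `(ByteBuffer)` cast on `bb.duplicate().position(...)` compiles only where `ByteBuffer.position(int)` is declared to return `ByteBuffer` (Java 9 and later, as far as I know), which is worth recording in the commit message if this file is a backport candidate.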