TLS: GCM nonce mechanism now needs custom JcaTlsCrypto

bcgit · Jan 10, 2025 · 68b9f5e · 68b9f5e
1 parent 6971a97
commit 68b9f5e
Show file tree

Hide file tree

Showing 18 changed files with 221 additions and 94 deletions.
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/GcmTls12NonceGeneratorUtil.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/GcmTls12NonceGeneratorUtil.java
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/TlsAEADCipher.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/TlsAEADCipher.java
@@ -45,10 +45,18 @@ public final class TlsAEADCipher
 
     private final boolean isTLSv13;
     private final int nonceMode;
-    private final AEADNonceGenerator gcmFipsNonceGenerator;
+    private final AEADNonceGenerator nonceGenerator;
 
-    public TlsAEADCipher(TlsCryptoParameters cryptoParams, TlsAEADCipherImpl encryptCipher, TlsAEADCipherImpl decryptCipher,
-        int keySize, int macSize, int aeadType) throws IOException
+    /** @deprecated Use version with extra 'nonceGeneratorFactory' parameter */ 
+    public TlsAEADCipher(TlsCryptoParameters cryptoParams, TlsAEADCipherImpl encryptCipher,
+        TlsAEADCipherImpl decryptCipher, int keySize, int macSize, int aeadType) throws IOException
+    {
+        this(cryptoParams, encryptCipher, decryptCipher, keySize, macSize, aeadType, null);
+    }
+
+    public TlsAEADCipher(TlsCryptoParameters cryptoParams, TlsAEADCipherImpl encryptCipher,
+        TlsAEADCipherImpl decryptCipher, int keySize, int macSize, int aeadType,
+        AEADNonceGeneratorFactory nonceGeneratorFactory) throws IOException
     {
         final SecurityParameters securityParameters = cryptoParams.getSecurityParametersHandshake();
         final ProtocolVersion negotiatedVersion = securityParameters.getNegotiatedVersion();
@@ -94,7 +102,7 @@ public TlsAEADCipher(TlsCryptoParameters cryptoParams, TlsAEADCipherImpl encrypt
         final boolean isServer = cryptoParams.isServer();
         if (isTLSv13)
         {
-            gcmFipsNonceGenerator = null;
+            nonceGenerator = null;
             rekeyCipher(securityParameters, decryptCipher, decryptNonce, !isServer);
             rekeyCipher(securityParameters, encryptCipher, encryptNonce, isServer);
             return;
@@ -126,7 +134,7 @@ public TlsAEADCipher(TlsCryptoParameters cryptoParams, TlsAEADCipherImpl encrypt
             throw new TlsFatalAlert(AlertDescription.internal_error);
         }
 
-        if (AEAD_GCM == aeadType && GcmTls12NonceGeneratorUtil.isGcmFipsNonceGeneratorFactorySet())
+        if (AEAD_GCM == aeadType && nonceGeneratorFactory != null)
         {
             int nonceLength = fixed_iv_length + record_iv_length;
             byte[] baseNonce = Arrays.copyOf(encryptNonce, nonceLength);
@@ -141,12 +149,11 @@ public TlsAEADCipher(TlsCryptoParameters cryptoParams, TlsAEADCipherImpl encrypt
             {
                 counterSizeInBits = record_iv_length * 8; // 64
             }
-            gcmFipsNonceGenerator = GcmTls12NonceGeneratorUtil.createGcmFipsNonceGenerator(baseNonce,
-                counterSizeInBits);
+            nonceGenerator = nonceGeneratorFactory.create(baseNonce, counterSizeInBits);
         }
         else
         {
-            gcmFipsNonceGenerator = null;
+            nonceGenerator = null;
         }
     }
 
@@ -183,9 +190,9 @@ public TlsEncodeResult encodePlaintext(long seqNo, short contentType, ProtocolVe
     {
         byte[] nonce = new byte[encryptNonce.length + record_iv_length];
 
-        if (null != gcmFipsNonceGenerator)
+        if (null != nonceGenerator)
         {
-            gcmFipsNonceGenerator.generateNonce(nonce);
+            nonceGenerator.generateNonce(nonce);
         }
         else
         {

diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsCrypto.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsCrypto.java
@@ -63,6 +63,7 @@
 import org.bouncycastle.tls.crypto.TlsSRP6VerifierGenerator;
 import org.bouncycastle.tls.crypto.TlsSRPConfig;
 import org.bouncycastle.tls.crypto.TlsSecret;
+import org.bouncycastle.tls.crypto.impl.AEADNonceGeneratorFactory;
 import org.bouncycastle.tls.crypto.impl.AbstractTlsCrypto;
 import org.bouncycastle.tls.crypto.impl.TlsAEADCipher;
 import org.bouncycastle.tls.crypto.impl.TlsBlockCipher;
@@ -594,7 +595,7 @@ protected BlockCipher createCBCBlockCipher(int encryptionAlgorithm)
     protected TlsCipher createChaCha20Poly1305(TlsCryptoParameters cryptoParams) throws IOException
     {
         return new TlsAEADCipher(cryptoParams, new BcChaCha20Poly1305(true), new BcChaCha20Poly1305(false), 32, 16,
-            TlsAEADCipher.AEAD_CHACHA20_POLY1305);
+            TlsAEADCipher.AEAD_CHACHA20_POLY1305, null);
     }
 
     protected TlsAEADCipher createCipher_AES_CCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize)
@@ -603,7 +604,8 @@ protected TlsAEADCipher createCipher_AES_CCM(TlsCryptoParameters cryptoParams, i
         BcTlsAEADCipherImpl encrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_AES_CCM(), true);
         BcTlsAEADCipherImpl decrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_AES_CCM(), false);
 
-        return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_CCM);
+        return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_CCM,
+            null);
     }
 
     protected TlsAEADCipher createCipher_AES_GCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize)
@@ -612,7 +614,8 @@ protected TlsAEADCipher createCipher_AES_GCM(TlsCryptoParameters cryptoParams, i
         BcTlsAEADCipherImpl encrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_AES_GCM(), true);
         BcTlsAEADCipherImpl decrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_AES_GCM(), false);
 
-        return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_GCM);
+        return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_GCM,
+            getGCMNonceGeneratorFactory());
     }
 
     protected TlsAEADCipher createCipher_ARIA_GCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize)
@@ -621,7 +624,8 @@ protected TlsAEADCipher createCipher_ARIA_GCM(TlsCryptoParameters cryptoParams,
         BcTlsAEADCipherImpl encrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_ARIA_GCM(), true);
         BcTlsAEADCipherImpl decrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_ARIA_GCM(), false);
 
-        return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_GCM);
+        return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_GCM,
+            getGCMNonceGeneratorFactory());
     }
 
     protected TlsAEADCipher createCipher_Camellia_GCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize)
@@ -630,7 +634,8 @@ protected TlsAEADCipher createCipher_Camellia_GCM(TlsCryptoParameters cryptoPara
         BcTlsAEADCipherImpl encrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_Camellia_GCM(), true);
         BcTlsAEADCipherImpl decrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_Camellia_GCM(), false);
 
-        return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_GCM);
+        return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_GCM,
+            getGCMNonceGeneratorFactory());
     }
 
     protected TlsCipher createCipher_CBC(TlsCryptoParameters cryptoParams, int encryptionAlgorithm, int cipherKeySize,
@@ -651,7 +656,7 @@ protected TlsAEADCipher createCipher_SM4_CCM(TlsCryptoParameters cryptoParams)
         BcTlsAEADCipherImpl encrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_SM4_CCM(), true);
         BcTlsAEADCipherImpl decrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_SM4_CCM(), false);
 
-        return new TlsAEADCipher(cryptoParams, encrypt, decrypt, 16, 16, TlsAEADCipher.AEAD_CCM);
+        return new TlsAEADCipher(cryptoParams, encrypt, decrypt, 16, 16, TlsAEADCipher.AEAD_CCM, null);
     }
 
     protected TlsAEADCipher createCipher_SM4_GCM(TlsCryptoParameters cryptoParams)
@@ -660,7 +665,8 @@ protected TlsAEADCipher createCipher_SM4_GCM(TlsCryptoParameters cryptoParams)
         BcTlsAEADCipherImpl encrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_SM4_GCM(), true);
         BcTlsAEADCipherImpl decrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_SM4_GCM(), false);
 
-        return new TlsAEADCipher(cryptoParams, encrypt, decrypt, 16, 16, TlsAEADCipher.AEAD_GCM);
+        return new TlsAEADCipher(cryptoParams, encrypt, decrypt, 16, 16, TlsAEADCipher.AEAD_GCM,
+            getGCMNonceGeneratorFactory());
     }
 
     protected TlsNullCipher createNullCipher(TlsCryptoParameters cryptoParams, int macAlgorithm)
@@ -741,6 +747,11 @@ protected AEADBlockCipher createAEADBlockCipher_SM4_GCM()
         return createGCMMode(createSM4Engine());
     }
 
+    protected AEADNonceGeneratorFactory getGCMNonceGeneratorFactory()
+    {
+        return null;
+    }
+
     public TlsHMAC createHMAC(int macAlgorithm)
     {
         switch (macAlgorithm)

diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/GCMUtil.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/GCMUtil.java
@@ -6,6 +6,7 @@
 import java.security.PrivilegedExceptionAction;
 import java.security.spec.AlgorithmParameterSpec;
 
+import org.bouncycastle.tls.crypto.impl.AEADNonceGeneratorFactory;
 import org.bouncycastle.util.Integers;
 
 class GCMUtil
@@ -30,6 +31,11 @@ public AlgorithmParameterSpec run()
         });
     }
 
+    static AEADNonceGeneratorFactory getDefaultNonceGeneratorFactory()
+    {
+        return null;
+    }
+
     static boolean isGCMParameterSpecAvailable()
     {
         return gcmParameterSpec != null;

diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java
@@ -58,6 +58,7 @@
 import org.bouncycastle.tls.crypto.TlsSecret;
 import org.bouncycastle.tls.crypto.TlsStreamSigner;
 import org.bouncycastle.tls.crypto.TlsStreamVerifier;
+import org.bouncycastle.tls.crypto.impl.AEADNonceGeneratorFactory;
 import org.bouncycastle.tls.crypto.impl.AbstractTlsCrypto;
 import org.bouncycastle.tls.crypto.impl.TlsAEADCipher;
 import org.bouncycastle.tls.crypto.impl.TlsAEADCipherImpl;
@@ -1226,31 +1227,31 @@ private TlsCipher createChaCha20Poly1305(TlsCryptoParameters cryptoParams)
         throws IOException, GeneralSecurityException
     {
         return new TlsAEADCipher(cryptoParams, new JceChaCha20Poly1305(this, helper, true),
-            new JceChaCha20Poly1305(this, helper, false), 32, 16, TlsAEADCipher.AEAD_CHACHA20_POLY1305);
+            new JceChaCha20Poly1305(this, helper, false), 32, 16, TlsAEADCipher.AEAD_CHACHA20_POLY1305, null);
     }
 
     private TlsAEADCipher createCipher_AES_CCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize)
         throws IOException, GeneralSecurityException
     {
         return new TlsAEADCipher(cryptoParams, createAEADCipher("AES/CCM/NoPadding", "AES", cipherKeySize, true),
             createAEADCipher("AES/CCM/NoPadding", "AES", cipherKeySize, false), cipherKeySize, macSize,
-            TlsAEADCipher.AEAD_CCM);
+            TlsAEADCipher.AEAD_CCM, null);
     }
 
     private TlsAEADCipher createCipher_AES_GCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize)
         throws IOException, GeneralSecurityException
     {
         return new TlsAEADCipher(cryptoParams, createAEADCipher("AES/GCM/NoPadding", "AES", cipherKeySize, true),
             createAEADCipher("AES/GCM/NoPadding", "AES", cipherKeySize, false), cipherKeySize, macSize,
-            TlsAEADCipher.AEAD_GCM);
+            TlsAEADCipher.AEAD_GCM, getGCMNonceGeneratorFactory());
     }
 
     private TlsAEADCipher createCipher_ARIA_GCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize)
         throws IOException, GeneralSecurityException
     {
         return new TlsAEADCipher(cryptoParams, createAEADCipher("ARIA/GCM/NoPadding", "ARIA", cipherKeySize, true),
             createAEADCipher("ARIA/GCM/NoPadding", "ARIA", cipherKeySize, false), cipherKeySize, macSize,
-            TlsAEADCipher.AEAD_GCM);
+            TlsAEADCipher.AEAD_GCM, getGCMNonceGeneratorFactory());
     }
 
     private TlsAEADCipher createCipher_Camellia_GCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize)
@@ -1259,7 +1260,7 @@ private TlsAEADCipher createCipher_Camellia_GCM(TlsCryptoParameters cryptoParams
         return new TlsAEADCipher(cryptoParams,
             createAEADCipher("Camellia/GCM/NoPadding", "Camellia", cipherKeySize, true),
             createAEADCipher("Camellia/GCM/NoPadding", "Camellia", cipherKeySize, false), cipherKeySize, macSize,
-            TlsAEADCipher.AEAD_GCM);
+            TlsAEADCipher.AEAD_GCM, getGCMNonceGeneratorFactory());
     }
 
     protected TlsCipher createCipher_CBC(TlsCryptoParameters cryptoParams, String algorithm, int cipherKeySize,
@@ -1280,7 +1281,7 @@ private TlsAEADCipher createCipher_SM4_CCM(TlsCryptoParameters cryptoParams)
         int cipherKeySize = 16, macSize = 16;
         return new TlsAEADCipher(cryptoParams, createAEADCipher("SM4/CCM/NoPadding", "SM4", cipherKeySize, true),
             createAEADCipher("SM4/CCM/NoPadding", "SM4", cipherKeySize, false), cipherKeySize, macSize,
-            TlsAEADCipher.AEAD_CCM);
+            TlsAEADCipher.AEAD_CCM, null);
     }
 
     private TlsAEADCipher createCipher_SM4_GCM(TlsCryptoParameters cryptoParams)
@@ -1289,7 +1290,12 @@ private TlsAEADCipher createCipher_SM4_GCM(TlsCryptoParameters cryptoParams)
         int cipherKeySize = 16, macSize = 16;
         return new TlsAEADCipher(cryptoParams, createAEADCipher("SM4/GCM/NoPadding", "SM4", cipherKeySize, true),
             createAEADCipher("SM4/GCM/NoPadding", "SM4", cipherKeySize, false), cipherKeySize, macSize,
-            TlsAEADCipher.AEAD_GCM);
+            TlsAEADCipher.AEAD_GCM, getGCMNonceGeneratorFactory());
+    }
+
+    protected AEADNonceGeneratorFactory getGCMNonceGeneratorFactory()
+    {
+        return GCMUtil.getDefaultNonceGeneratorFactory();
     }
 
     String getDigestName(int cryptoHashAlgorithm)

diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesEngineTestCase.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesEngineTestCase.java
@@ -44,14 +44,6 @@ public CipherSuitesEngineTestCase(CipherSuitesTestConfig config)
         this.config = config;
     }
 
-    protected void setUp()
-    {
-        if (config != null)
-        {
-            ProviderUtils.setupHighPriority(config.fips);
-        }
-    }
-
     public void testDummy()
     {
         // Avoid "No tests found" warning from junit

diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesEngineTestSuite.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesEngineTestSuite.java
@@ -9,6 +9,7 @@
 
 import org.junit.Assert;
 
+import junit.extensions.TestSetup;
 import junit.framework.Test;
 import junit.framework.TestSuite;
 
@@ -23,7 +24,9 @@ public CipherSuitesEngineTestSuite()
     public static Test suite()
         throws Exception
     {
-        return createSuite(new CipherSuitesEngineTestSuite(), null, false, new CipherSuitesFilter()
+        ProviderUtils.setupHighPriority(false);
+
+        TestSuite suite = createSuite(new CipherSuitesEngineTestSuite(), null, false, new CipherSuitesFilter()
         {
             public boolean isIgnored(String cipherSuite)
             {
@@ -40,14 +43,20 @@ public boolean isPermitted(String cipherSuite)
                 return true;
             }
         });
+
+        return new TestSetup(suite)
+        {
+            @Override
+            protected void setUp() throws Exception
+            {
+                ProviderUtils.setupHighPriority(false);
+            }
+        };
     }
 
-    static Test createSuite(TestSuite testSuite, String category, boolean fips, CipherSuitesFilter filter)
+    static TestSuite createSuite(TestSuite testSuite, String category, boolean fips, CipherSuitesFilter filter)
         throws Exception
     {
-        // TODO Consider configuring BCJSSE with explicit crypto provider (maybe only when in fips mode?)
-        ProviderUtils.setupHighPriority(fips);
-
         char[] serverPassword = "serverPassword".toCharArray();
 
         KeyPair caKeyPairDSA = TestUtils.generateDSAKeyPair();
@@ -126,7 +135,6 @@ static Test createSuite(TestSuite testSuite, String category, boolean fips, Ciph
                 config.category = category;
                 config.cipherSuite = cipherSuite;
                 config.clientTrustStore = ts;
-                config.fips = fips;
                 config.protocol = protocol;
                 config.serverKeyStore = ks;
                 config.serverPassword = serverPassword;

diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestCase.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestCase.java
@@ -47,14 +47,6 @@ public CipherSuitesTestCase(CipherSuitesTestConfig config)
         this.config = config;
     }
 
-    protected void setUp()
-    {
-        if (config != null)
-        {
-            ProviderUtils.setupHighPriority(config.fips);
-        }
-    }
-
     public void testDummy()
     {
         // Avoid "No tests found" warning from junit

diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestConfig.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestConfig.java
@@ -7,7 +7,6 @@ public class CipherSuitesTestConfig
     public String category = null;
     public String cipherSuite = null;
     public KeyStore clientTrustStore = null;
-    public boolean fips = false;
     public String protocol = null;
     public KeyStore serverKeyStore = null;
     public char[] serverPassword = null;