Variable-length frames (untested).

briar-core/src/org/briarproject/crypto/AuthenticatedCipherImpl.java

@@ -20,7 +20,7 @@ class AuthenticatedCipherImpl implements AuthenticatedCipher {
 		this.macLength = macLength;
 	}
 
-	public int doFinal(byte[] input, int inputOff, int len, byte[] output,
+	public int process(byte[] input, int inputOff, int len, byte[] output,
 			int outputOff) throws GeneralSecurityException {
 		int processed = 0;
 		if(len != 0) {

briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java

@@ -335,7 +335,7 @@ class CryptoComponentImpl implements CryptoComponent {
 					MAC_BYTES);
 			cipher.init(true, key, iv, null);
 			int outputOff = salt.length + 4 + iv.length;
-			cipher.doFinal(input, 0, input.length, output, outputOff);
+			cipher.process(input, 0, input.length, output, outputOff);
 			return output;
 		} catch(GeneralSecurityException e) {
 			throw new RuntimeException(e);
@@ -369,7 +369,7 @@ class CryptoComponentImpl implements CryptoComponent {
 			int inputOff = salt.length + 4 + iv.length;
 			int inputLen = input.length - inputOff;
 			byte[] output = new byte[inputLen - MAC_BYTES];
-			cipher.doFinal(input, inputOff, inputLen, output, 0);
+			cipher.process(input, inputOff, inputLen, output, 0);
 			return output;
 		} catch(GeneralSecurityException e) {
 			return null; // Invalid ciphertext

briar-core/src/org/briarproject/crypto/FrameEncoder.java

@@ -1,44 +1,33 @@
 package org.briarproject.crypto;
 
-import static org.briarproject.api.transport.TransportConstants.AAD_LENGTH;
 import static org.briarproject.api.transport.TransportConstants.HEADER_LENGTH;
 import static org.briarproject.api.transport.TransportConstants.IV_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.MAX_FRAME_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH;
 import static org.briarproject.util.ByteUtils.MAX_32_BIT_UNSIGNED;
 
 import org.briarproject.util.ByteUtils;
 
 class FrameEncoder {
 
-	static void encodeIv(byte[] iv, long frameNumber) {
+	static void encodeIv(byte[] iv, long frameNumber, boolean header) {
 		if(iv.length < IV_LENGTH) throw new IllegalArgumentException();
 		if(frameNumber < 0 || frameNumber > MAX_32_BIT_UNSIGNED)
 			throw new IllegalArgumentException();
 		ByteUtils.writeUint32(frameNumber, iv, 0);
-		for(int i = 4; i < IV_LENGTH; i++) iv[i] = 0;
-	}
-
-	static void encodeAad(byte[] aad, long frameNumber, int plaintextLength) {
-		if(aad.length < AAD_LENGTH) throw new IllegalArgumentException();
-		if(frameNumber < 0 || frameNumber > MAX_32_BIT_UNSIGNED)
-			throw new IllegalArgumentException();
-		if(plaintextLength < HEADER_LENGTH)
-			throw new IllegalArgumentException();
-		if(plaintextLength > MAX_FRAME_LENGTH - MAC_LENGTH)
-			throw new IllegalArgumentException();
-		ByteUtils.writeUint32(frameNumber, aad, 0);
-		ByteUtils.writeUint16(plaintextLength, aad, 4);
+		if(header) iv[4] = 1;
+		else iv[4] = 0;
+		for(int i = 5; i < IV_LENGTH; i++) iv[i] = 0;
 	}
 
 	static void encodeHeader(byte[] header, boolean finalFrame,
-			int payloadLength) {
+			int payloadLength, int paddingLength) {
 		if(header.length < HEADER_LENGTH) throw new IllegalArgumentException();
-		if(payloadLength < 0)
-			throw new IllegalArgumentException();
-		if(payloadLength > MAX_FRAME_LENGTH - HEADER_LENGTH - MAC_LENGTH)
+		if(payloadLength < 0) throw new IllegalArgumentException();
+		if(paddingLength < 0) throw new IllegalArgumentException();
+		if(payloadLength + paddingLength > MAX_PAYLOAD_LENGTH)
 			throw new IllegalArgumentException();
 		ByteUtils.writeUint16(payloadLength, header, 0);
+		ByteUtils.writeUint16(paddingLength, header, 2);
 		if(finalFrame) header[0] |= 0x80;
 	}
 
@@ -51,4 +40,9 @@ class FrameEncoder {
 		if(header.length < HEADER_LENGTH) throw new IllegalArgumentException();
 		return ByteUtils.readUint16(header, 0) & 0x7FFF;
 	}
+
+	static int getPaddingLength(byte[] header) {
+		if(header.length < HEADER_LENGTH) throw new IllegalArgumentException();
+		return ByteUtils.readUint16(header, 2);
+	}
 }

briar-core/src/org/briarproject/crypto/StreamDecrypterFactoryImpl.java

@@ -21,10 +21,10 @@ class StreamDecrypterFactoryImpl implements StreamDecrypterFactory {
 
 	public StreamDecrypter createStreamDecrypter(InputStream in,
 			StreamContext ctx) {
+		// Derive the frame key
 		byte[] secret = ctx.getSecret();
 		long streamNumber = ctx.getStreamNumber();
 		boolean alice = !ctx.getAlice();
-		// Derive the frame key
 		SecretKey frameKey = crypto.deriveFrameKey(secret, streamNumber, alice);
 		// Create the decrypter
 		return new StreamDecrypterImpl(in, crypto.getFrameCipher(), frameKey);

briar-core/src/org/briarproject/crypto/StreamDecrypterImpl.java

@@ -1,10 +1,10 @@
 package org.briarproject.crypto;
 
-import static org.briarproject.api.transport.TransportConstants.AAD_LENGTH;
 import static org.briarproject.api.transport.TransportConstants.HEADER_LENGTH;
 import static org.briarproject.api.transport.TransportConstants.IV_LENGTH;
 import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
 import static org.briarproject.api.transport.TransportConstants.MAX_FRAME_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH;
 
 import java.io.EOFException;
 import java.io.IOException;
@@ -21,7 +21,7 @@ class StreamDecrypterImpl implements StreamDecrypter {
 	private final InputStream in;
 	private final AuthenticatedCipher frameCipher;
 	private final SecretKey frameKey;
-	private final byte[] iv, aad, plaintext, ciphertext;
+	private final byte[] iv, aad, header, ciphertext;
 
 	private long frameNumber;
 	private boolean finalFrame;
@@ -32,50 +32,66 @@ class StreamDecrypterImpl implements StreamDecrypter {
 		this.frameCipher = frameCipher;
 		this.frameKey = frameKey;
 		iv = new byte[IV_LENGTH];
-		aad = new byte[AAD_LENGTH];
-		plaintext = new byte[MAX_FRAME_LENGTH - MAC_LENGTH];
+		aad = new byte[IV_LENGTH];
+		header = new byte[HEADER_LENGTH];
 		ciphertext = new byte[MAX_FRAME_LENGTH];
 		frameNumber = 0;
 		finalFrame = false;
 	}
 
 	public int readFrame(byte[] payload) throws IOException {
+		if(payload.length < MAX_PAYLOAD_LENGTH)
+			throw new IllegalArgumentException();
 		if(finalFrame) return -1;
-		// Read the frame
-		int ciphertextLength = 0;
-		while(ciphertextLength < MAX_FRAME_LENGTH) {
-			int read = in.read(ciphertext, ciphertextLength,
-					MAX_FRAME_LENGTH - ciphertextLength);
-			if(read == -1) break; // We'll check the length later
-			ciphertextLength += read;
+		// Read the header
+		int offset = 0;
+		while(offset < HEADER_LENGTH) {
+			int read = in.read(ciphertext, offset, HEADER_LENGTH - offset);
+			if(read == -1) throw new EOFException();
+			offset += read;
 		}
-		int plaintextLength = ciphertextLength - MAC_LENGTH;
-		if(plaintextLength < HEADER_LENGTH) throw new EOFException();
-		// Decrypt and authenticate the frame
-		FrameEncoder.encodeIv(iv, frameNumber);
-		FrameEncoder.encodeAad(aad, frameNumber, plaintextLength);
+		// Decrypt and authenticate the header
+		FrameEncoder.encodeIv(iv, frameNumber, true);
+		FrameEncoder.encodeIv(aad, frameNumber, true);
 		try {
 			frameCipher.init(false, frameKey, iv, aad);
-			int decrypted = frameCipher.doFinal(ciphertext, 0, ciphertextLength,
-					plaintext, 0);
-			if(decrypted != plaintextLength) throw new RuntimeException();
+			int decrypted = frameCipher.process(ciphertext, 0, HEADER_LENGTH,
+					header, 0);
+			if(decrypted != HEADER_LENGTH - MAC_LENGTH)
+				throw new RuntimeException();
 		} catch(GeneralSecurityException e) {
 			throw new FormatException();
 		}
 		// Decode and validate the header
-		finalFrame = FrameEncoder.isFinalFrame(plaintext);
-		if(!finalFrame && ciphertextLength < MAX_FRAME_LENGTH)
+		finalFrame = FrameEncoder.isFinalFrame(header);
+		int payloadLength = FrameEncoder.getPayloadLength(header);
+		int paddingLength = FrameEncoder.getPaddingLength(header);
+		if(payloadLength + paddingLength > MAX_PAYLOAD_LENGTH)
 			throw new FormatException();
-		int payloadLength = FrameEncoder.getPayloadLength(plaintext);
-		if(payloadLength > plaintextLength - HEADER_LENGTH)
-			throw new FormatException();
-		// If there's any padding it must be all zeroes
-		for(int i = HEADER_LENGTH + payloadLength; i < plaintextLength; i++) {
-			if(plaintext[i] != 0) throw new FormatException();
+		// Read the payload and padding
+		int frameLength = HEADER_LENGTH + payloadLength + paddingLength
+				+ MAC_LENGTH;
+		while(offset < frameLength) {
+			int read = in.read(ciphertext, offset, frameLength - offset);
+			if(read == -1) throw new EOFException();
+			offset += read;
 		}
+		// Decrypt and authenticate the payload and padding
+		FrameEncoder.encodeIv(iv, frameNumber, false);
+		FrameEncoder.encodeIv(aad, frameNumber, false);
+		try {
+			frameCipher.init(false, frameKey, iv, aad);
+			int decrypted = frameCipher.process(ciphertext, HEADER_LENGTH,
+					payloadLength + paddingLength + MAC_LENGTH, payload, 0);
+			if(decrypted != payloadLength + paddingLength)
+				throw new RuntimeException();
+		} catch(GeneralSecurityException e) {
+			throw new FormatException();
+		}
+		// If there's any padding it must be all zeroes
+		for(int i = 0; i < paddingLength; i++)
+			if(payload[payloadLength + i] != 0) throw new FormatException();
 		frameNumber++;
-		// Copy the payload
-		System.arraycopy(plaintext, HEADER_LENGTH, payload, 0, payloadLength);
 		return payloadLength;
 	}
 }

briar-core/src/org/briarproject/crypto/StreamEncrypterImpl.java

@@ -1,10 +1,10 @@
 package org.briarproject.crypto;
 
-import static org.briarproject.api.transport.TransportConstants.AAD_LENGTH;
 import static org.briarproject.api.transport.TransportConstants.HEADER_LENGTH;
 import static org.briarproject.api.transport.TransportConstants.IV_LENGTH;
 import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
 import static org.briarproject.api.transport.TransportConstants.MAX_FRAME_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH;
 import static org.briarproject.util.ByteUtils.MAX_32_BIT_UNSIGNED;
 
 import java.io.IOException;
@@ -32,50 +32,57 @@ class StreamEncrypterImpl implements StreamEncrypter {
 		this.frameKey = frameKey;
 		this.tag = tag;
 		iv = new byte[IV_LENGTH];
-		aad = new byte[AAD_LENGTH];
-		plaintext = new byte[MAX_FRAME_LENGTH - MAC_LENGTH];
+		aad = new byte[IV_LENGTH];
+		plaintext = new byte[HEADER_LENGTH + MAX_PAYLOAD_LENGTH];
 		ciphertext = new byte[MAX_FRAME_LENGTH];
 		frameNumber = 0;
 		writeTag = (tag != null);
 	}
 
 	public void writeFrame(byte[] payload, int payloadLength,
-			boolean finalFrame) throws IOException {
-		if(frameNumber > MAX_32_BIT_UNSIGNED) throw new IllegalStateException();
+			int paddingLength, boolean finalFrame) throws IOException {
+		if(payloadLength + paddingLength > MAX_PAYLOAD_LENGTH)
+			throw new IllegalArgumentException();
+		// Don't allow the frame counter to wrap
+		if(frameNumber > MAX_32_BIT_UNSIGNED) throw new IOException();
 		// Write the tag if required
 		if(writeTag) {
 			out.write(tag, 0, tag.length);
 			writeTag = false;
 		}
-		// Don't pad the final frame
-		int plaintextLength, ciphertextLength;
-		if(finalFrame) {
-			plaintextLength = HEADER_LENGTH + payloadLength;
-			ciphertextLength = plaintextLength + MAC_LENGTH;
-		} else {
-			plaintextLength = MAX_FRAME_LENGTH - MAC_LENGTH;
-			ciphertextLength = MAX_FRAME_LENGTH;
-		}
 		// Encode the header
-		FrameEncoder.encodeHeader(plaintext, finalFrame, payloadLength);
-		// Copy the payload
-		System.arraycopy(payload, 0, plaintext, HEADER_LENGTH, payloadLength);
-		// If there's any padding it must all be zeroes
-		for(int i = HEADER_LENGTH + payloadLength; i < plaintextLength; i++)
-			plaintext[i] = 0;
-		// Encrypt and authenticate the frame
-		FrameEncoder.encodeIv(iv, frameNumber);
-		FrameEncoder.encodeAad(aad, frameNumber, plaintextLength);
+		FrameEncoder.encodeHeader(plaintext, finalFrame, payloadLength,
+				paddingLength);
+		// Encrypt and authenticate the header
+		FrameEncoder.encodeIv(iv, frameNumber, true);
+		FrameEncoder.encodeIv(aad, frameNumber, true);
 		try {
 			frameCipher.init(true, frameKey, iv, aad);
-			int encrypted = frameCipher.doFinal(plaintext, 0, plaintextLength,
-					ciphertext, 0);
-			if(encrypted != ciphertextLength) throw new RuntimeException();
+			int encrypted = frameCipher.process(plaintext, 0,
+					HEADER_LENGTH - MAC_LENGTH, ciphertext, 0);
+			if(encrypted != HEADER_LENGTH) throw new RuntimeException();
+		} catch(GeneralSecurityException badCipher) {
+			throw new RuntimeException(badCipher);
+		}
+		// Combine the payload and padding
+		System.arraycopy(payload, 0, plaintext, HEADER_LENGTH, payloadLength);
+		for(int i = 0; i < paddingLength; i++)
+			plaintext[HEADER_LENGTH + payloadLength + i] = 0;
+		// Encrypt and authenticate the payload and padding
+		FrameEncoder.encodeIv(iv, frameNumber, false);
+		FrameEncoder.encodeIv(aad, frameNumber, false);
+		try {
+			frameCipher.init(true, frameKey, iv, aad);
+			int encrypted = frameCipher.process(plaintext, HEADER_LENGTH,
+					payloadLength + paddingLength, ciphertext, HEADER_LENGTH);
+			if(encrypted != payloadLength + paddingLength + MAC_LENGTH)
+				throw new RuntimeException();
 		} catch(GeneralSecurityException badCipher) {
 			throw new RuntimeException(badCipher);
 		}
 		// Write the frame
-		out.write(ciphertext, 0, ciphertextLength);
+		out.write(ciphertext, 0, HEADER_LENGTH + payloadLength + paddingLength
+				+ MAC_LENGTH);
 		frameNumber++;
 	}
 

briar-core/src/org/briarproject/transport/StreamReaderImpl.java

@@ -1,8 +1,6 @@
 package org.briarproject.transport;
 
-import static org.briarproject.api.transport.TransportConstants.HEADER_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.MAX_FRAME_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -18,7 +16,7 @@ class StreamReaderImpl extends InputStream {
 
 	StreamReaderImpl(StreamDecrypter decrypter) {
 		this.decrypter = decrypter;
-		payload = new byte[MAX_FRAME_LENGTH - HEADER_LENGTH - MAC_LENGTH];
+		payload = new byte[MAX_PAYLOAD_LENGTH];
 	}
 
 	@Override

briar-core/src/org/briarproject/transport/StreamWriterImpl.java

@@ -1,8 +1,6 @@
 package org.briarproject.transport;
 
-import static org.briarproject.api.transport.TransportConstants.HEADER_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.MAX_FRAME_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH;
 
 import java.io.IOException;
 import java.io.OutputStream;
@@ -25,7 +23,7 @@ class StreamWriterImpl extends OutputStream {
 
 	StreamWriterImpl(StreamEncrypter encrypter) {
 		this.encrypter = encrypter;
-		payload = new byte[MAX_FRAME_LENGTH - HEADER_LENGTH - MAC_LENGTH];
+		payload = new byte[MAX_PAYLOAD_LENGTH];
 	}
 
 	@Override
@@ -69,7 +67,7 @@ class StreamWriterImpl extends OutputStream {
 	}
 
 	private void writeFrame(boolean finalFrame) throws IOException {
-		encrypter.writeFrame(payload, length, finalFrame);
+		encrypter.writeFrame(payload, length, 0, finalFrame);
 		length = 0;
 	}
 }