author | mbalao |
Tue, 12 Nov 2019 00:30:55 -0300 | |
changeset 59158 | 438337c846fb |
parent 54029 | 4ff6c8365b69 |
permissions | -rw-r--r-- |
15008 | 1 |
/* |
53721
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
2 |
* Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved. |
15008 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. Oracle designates this |
|
8 |
* particular file as subject to the "Classpath" exception as provided |
|
16748 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
15008 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
24 |
*/ |
|
25 |
||
26 |
package com.sun.crypto.provider; |
|
27 |
||
28 |
import java.util.Arrays; |
|
29 |
import java.io.*; |
|
30 |
import java.security.*; |
|
31 |
import javax.crypto.*; |
|
32 |
import static com.sun.crypto.provider.AESConstants.AES_BLOCK_SIZE; |
|
51052
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
33 |
import sun.security.util.ArrayUtil; |
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
34 |
|
15008 | 35 |
|
36 |
/** |
|
37 |
* This class represents ciphers in GaloisCounter (GCM) mode. |
|
38 |
* |
|
39 |
* <p>This mode currently should only be used w/ AES cipher. |
|
20752 | 40 |
* Although no checking is done, caller should only pass AES |
41 |
* Cipher to the constructor. |
|
15008 | 42 |
* |
20752 | 43 |
* <p>NOTE: Unlike other modes, when used for decryption, this class |
44 |
* will buffer all processed outputs internally and won't return them |
|
45 |
* until the tag has been successfully verified. |
|
15008 | 46 |
* |
47 |
* @since 1.8 |
|
48 |
*/ |
|
49 |
final class GaloisCounterMode extends FeedbackCipher { |
|
50 |
||
51 |
static int DEFAULT_TAG_LEN = AES_BLOCK_SIZE; |
|
52 |
static int DEFAULT_IV_LEN = 12; // in bytes |
|
53 |
||
39752 | 54 |
// In NIST SP 800-38D, GCM input size is limited to be no longer |
55 |
// than (2^36 - 32) bytes. Otherwise, the counter will wrap |
|
56 |
// around and lead to a leak of plaintext. |
|
57 |
// However, given the current GCM spec requirement that recovered |
|
58 |
// text can only be returned after successful tag verification, |
|
59 |
// we are bound by limiting the data size to the size limit of |
|
60 |
// java byte array, e.g. Integer.MAX_VALUE, since all data |
|
61 |
// can only be returned by the doFinal(...) call. |
|
62 |
private static final int MAX_BUF_SIZE = Integer.MAX_VALUE; |
|
63 |
||
53721
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
64 |
// data size when buffer is divided up to aid in intrinsics |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
65 |
private static final int TRIGGERLEN = 65536; // 64k |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
66 |
|
15008 | 67 |
// buffer for AAD data; if null, meaning update has been called |
68 |
private ByteArrayOutputStream aadBuffer = new ByteArrayOutputStream(); |
|
69 |
private int sizeOfAAD = 0; |
|
70 |
||
20752 | 71 |
// buffer for storing input in decryption, not used for encryption |
72 |
private ByteArrayOutputStream ibuffer = null; |
|
73 |
||
15008 | 74 |
// in bytes; need to convert to bits (default value 128) when needed |
75 |
private int tagLenBytes = DEFAULT_TAG_LEN; |
|
76 |
||
77 |
// these following 2 fields can only be initialized after init() is |
|
78 |
// called, e.g. after cipher key k is set, and STAY UNCHANGED |
|
79 |
private byte[] subkeyH = null; |
|
80 |
private byte[] preCounterBlock = null; |
|
81 |
||
82 |
private GCTR gctrPAndC = null; |
|
83 |
private GHASH ghashAllToS = null; |
|
84 |
||
85 |
// length of total data, i.e. len(C) |
|
86 |
private int processed = 0; |
|
87 |
||
88 |
// additional variables for save/restore calls |
|
89 |
private byte[] aadBufferSave = null; |
|
90 |
private int sizeOfAADSave = 0; |
|
20752 | 91 |
private byte[] ibufferSave = null; |
15008 | 92 |
private int processedSave = 0; |
93 |
||
94 |
// value must be 16-byte long; used by GCTR and GHASH as well |
|
95 |
static void increment32(byte[] value) { |
|
96 |
if (value.length != AES_BLOCK_SIZE) { |
|
20752 | 97 |
// should never happen |
98 |
throw new ProviderException("Illegal counter block length"); |
|
15008 | 99 |
} |
100 |
// start from last byte and only go over 4 bytes, i.e. total 32 bits |
|
101 |
int n = value.length - 1; |
|
102 |
while ((n >= value.length - 4) && (++value[n] == 0)) { |
|
103 |
n--; |
|
104 |
} |
|
105 |
} |
|
106 |
||
39752 | 107 |
private static byte[] getLengthBlock(int ivLenInBytes) { |
108 |
long ivLen = ((long)ivLenInBytes) << 3; |
|
15008 | 109 |
byte[] out = new byte[AES_BLOCK_SIZE]; |
39752 | 110 |
out[8] = (byte)(ivLen >>> 56); |
111 |
out[9] = (byte)(ivLen >>> 48); |
|
112 |
out[10] = (byte)(ivLen >>> 40); |
|
113 |
out[11] = (byte)(ivLen >>> 32); |
|
15008 | 114 |
out[12] = (byte)(ivLen >>> 24); |
115 |
out[13] = (byte)(ivLen >>> 16); |
|
116 |
out[14] = (byte)(ivLen >>> 8); |
|
117 |
out[15] = (byte)ivLen; |
|
118 |
return out; |
|
119 |
} |
|
120 |
||
39752 | 121 |
private static byte[] getLengthBlock(int aLenInBytes, int cLenInBytes) { |
122 |
long aLen = ((long)aLenInBytes) << 3; |
|
123 |
long cLen = ((long)cLenInBytes) << 3; |
|
15008 | 124 |
byte[] out = new byte[AES_BLOCK_SIZE]; |
39752 | 125 |
out[0] = (byte)(aLen >>> 56); |
126 |
out[1] = (byte)(aLen >>> 48); |
|
127 |
out[2] = (byte)(aLen >>> 40); |
|
128 |
out[3] = (byte)(aLen >>> 32); |
|
15008 | 129 |
out[4] = (byte)(aLen >>> 24); |
130 |
out[5] = (byte)(aLen >>> 16); |
|
131 |
out[6] = (byte)(aLen >>> 8); |
|
132 |
out[7] = (byte)aLen; |
|
39752 | 133 |
out[8] = (byte)(cLen >>> 56); |
134 |
out[9] = (byte)(cLen >>> 48); |
|
135 |
out[10] = (byte)(cLen >>> 40); |
|
136 |
out[11] = (byte)(cLen >>> 32); |
|
15008 | 137 |
out[12] = (byte)(cLen >>> 24); |
138 |
out[13] = (byte)(cLen >>> 16); |
|
139 |
out[14] = (byte)(cLen >>> 8); |
|
140 |
out[15] = (byte)cLen; |
|
141 |
return out; |
|
142 |
} |
|
143 |
||
144 |
private static byte[] expandToOneBlock(byte[] in, int inOfs, int len) { |
|
145 |
if (len > AES_BLOCK_SIZE) { |
|
146 |
throw new ProviderException("input " + len + " too long"); |
|
147 |
} |
|
148 |
if (len == AES_BLOCK_SIZE && inOfs == 0) { |
|
149 |
return in; |
|
150 |
} else { |
|
151 |
byte[] paddedIn = new byte[AES_BLOCK_SIZE]; |
|
152 |
System.arraycopy(in, inOfs, paddedIn, 0, len); |
|
153 |
return paddedIn; |
|
154 |
} |
|
155 |
} |
|
156 |
||
157 |
private static byte[] getJ0(byte[] iv, byte[] subkeyH) { |
|
158 |
byte[] j0; |
|
159 |
if (iv.length == 12) { // 96 bits |
|
160 |
j0 = expandToOneBlock(iv, 0, iv.length); |
|
161 |
j0[AES_BLOCK_SIZE - 1] = 1; |
|
162 |
} else { |
|
163 |
GHASH g = new GHASH(subkeyH); |
|
164 |
int lastLen = iv.length % AES_BLOCK_SIZE; |
|
165 |
if (lastLen != 0) { |
|
166 |
g.update(iv, 0, iv.length - lastLen); |
|
167 |
byte[] padded = |
|
168 |
expandToOneBlock(iv, iv.length - lastLen, lastLen); |
|
169 |
g.update(padded); |
|
170 |
} else { |
|
171 |
g.update(iv); |
|
172 |
} |
|
39752 | 173 |
byte[] lengthBlock = getLengthBlock(iv.length); |
15008 | 174 |
g.update(lengthBlock); |
175 |
j0 = g.digest(); |
|
176 |
} |
|
177 |
return j0; |
|
178 |
} |
|
179 |
||
39752 | 180 |
private static void checkDataLength(int processed, int len) { |
181 |
if (processed > MAX_BUF_SIZE - len) { |
|
182 |
throw new ProviderException("SunJCE provider only supports " + |
|
183 |
"input size up to " + MAX_BUF_SIZE + " bytes"); |
|
184 |
} |
|
185 |
} |
|
186 |
||
15008 | 187 |
GaloisCounterMode(SymmetricCipher embeddedCipher) { |
188 |
super(embeddedCipher); |
|
189 |
aadBuffer = new ByteArrayOutputStream(); |
|
190 |
} |
|
191 |
||
192 |
/** |
|
193 |
* Gets the name of the feedback mechanism |
|
194 |
* |
|
195 |
* @return the name of the feedback mechanism |
|
196 |
*/ |
|
197 |
String getFeedback() { |
|
198 |
return "GCM"; |
|
199 |
} |
|
200 |
||
201 |
/** |
|
202 |
* Resets the cipher object to its original state. |
|
203 |
* This is used when doFinal is called in the Cipher class, so that the |
|
204 |
* cipher can be reused (with its original key and iv). |
|
205 |
*/ |
|
206 |
void reset() { |
|
207 |
if (aadBuffer == null) { |
|
208 |
aadBuffer = new ByteArrayOutputStream(); |
|
209 |
} else { |
|
210 |
aadBuffer.reset(); |
|
211 |
} |
|
212 |
if (gctrPAndC != null) gctrPAndC.reset(); |
|
213 |
if (ghashAllToS != null) ghashAllToS.reset(); |
|
214 |
processed = 0; |
|
215 |
sizeOfAAD = 0; |
|
20752 | 216 |
if (ibuffer != null) { |
217 |
ibuffer.reset(); |
|
218 |
} |
|
15008 | 219 |
} |
220 |
||
221 |
/** |
|
222 |
* Save the current content of this cipher. |
|
223 |
*/ |
|
224 |
void save() { |
|
225 |
processedSave = processed; |
|
226 |
sizeOfAADSave = sizeOfAAD; |
|
227 |
aadBufferSave = |
|
228 |
((aadBuffer == null || aadBuffer.size() == 0)? |
|
229 |
null : aadBuffer.toByteArray()); |
|
230 |
if (gctrPAndC != null) gctrPAndC.save(); |
|
231 |
if (ghashAllToS != null) ghashAllToS.save(); |
|
20752 | 232 |
if (ibuffer != null) { |
233 |
ibufferSave = ibuffer.toByteArray(); |
|
234 |
} |
|
15008 | 235 |
} |
236 |
||
237 |
/** |
|
238 |
* Restores the content of this cipher to the previous saved one. |
|
239 |
*/ |
|
240 |
void restore() { |
|
241 |
processed = processedSave; |
|
242 |
sizeOfAAD = sizeOfAADSave; |
|
243 |
if (aadBuffer != null) { |
|
244 |
aadBuffer.reset(); |
|
245 |
if (aadBufferSave != null) { |
|
246 |
aadBuffer.write(aadBufferSave, 0, aadBufferSave.length); |
|
247 |
} |
|
248 |
} |
|
20752 | 249 |
if (gctrPAndC != null) gctrPAndC.restore(); |
250 |
if (ghashAllToS != null) ghashAllToS.restore(); |
|
251 |
if (ibuffer != null) { |
|
252 |
ibuffer.reset(); |
|
253 |
ibuffer.write(ibufferSave, 0, ibufferSave.length); |
|
254 |
} |
|
15008 | 255 |
} |
256 |
||
257 |
/** |
|
258 |
* Initializes the cipher in the specified mode with the given key |
|
259 |
* and iv. |
|
260 |
* |
|
261 |
* @param decrypting flag indicating encryption or decryption |
|
262 |
* @param algorithm the algorithm name |
|
263 |
* @param key the key |
|
264 |
* @param iv the iv |
|
265 |
* @param tagLenBytes the length of tag in bytes |
|
266 |
* |
|
267 |
* @exception InvalidKeyException if the given key is inappropriate for |
|
268 |
* initializing this cipher |
|
269 |
*/ |
|
49789 | 270 |
@Override |
15008 | 271 |
void init(boolean decrypting, String algorithm, byte[] key, byte[] iv) |
49789 | 272 |
throws InvalidKeyException, InvalidAlgorithmParameterException { |
15008 | 273 |
init(decrypting, algorithm, key, iv, DEFAULT_TAG_LEN); |
274 |
} |
|
275 |
||
276 |
/** |
|
277 |
* Initializes the cipher in the specified mode with the given key |
|
278 |
* and iv. |
|
279 |
* |
|
280 |
* @param decrypting flag indicating encryption or decryption |
|
281 |
* @param algorithm the algorithm name |
|
282 |
* @param key the key |
|
283 |
* @param iv the iv |
|
284 |
* @param tagLenBytes the length of tag in bytes |
|
285 |
* |
|
286 |
* @exception InvalidKeyException if the given key is inappropriate for |
|
287 |
* initializing this cipher |
|
288 |
*/ |
|
289 |
void init(boolean decrypting, String algorithm, byte[] keyValue, |
|
290 |
byte[] ivValue, int tagLenBytes) |
|
49789 | 291 |
throws InvalidKeyException, InvalidAlgorithmParameterException { |
292 |
if (keyValue == null) { |
|
15008 | 293 |
throw new InvalidKeyException("Internal error"); |
294 |
} |
|
49789 | 295 |
if (ivValue == null) { |
296 |
throw new InvalidAlgorithmParameterException("Internal error"); |
|
297 |
} |
|
298 |
if (ivValue.length == 0) { |
|
299 |
throw new InvalidAlgorithmParameterException("IV is empty"); |
|
300 |
} |
|
15008 | 301 |
|
302 |
// always encrypt mode for embedded cipher |
|
303 |
this.embeddedCipher.init(false, algorithm, keyValue); |
|
304 |
this.subkeyH = new byte[AES_BLOCK_SIZE]; |
|
305 |
this.embeddedCipher.encryptBlock(new byte[AES_BLOCK_SIZE], 0, |
|
306 |
this.subkeyH, 0); |
|
307 |
||
308 |
this.iv = ivValue.clone(); |
|
309 |
preCounterBlock = getJ0(iv, subkeyH); |
|
310 |
byte[] j0Plus1 = preCounterBlock.clone(); |
|
311 |
increment32(j0Plus1); |
|
312 |
gctrPAndC = new GCTR(embeddedCipher, j0Plus1); |
|
313 |
ghashAllToS = new GHASH(subkeyH); |
|
314 |
||
315 |
this.tagLenBytes = tagLenBytes; |
|
316 |
if (aadBuffer == null) { |
|
317 |
aadBuffer = new ByteArrayOutputStream(); |
|
318 |
} else { |
|
319 |
aadBuffer.reset(); |
|
320 |
} |
|
321 |
processed = 0; |
|
322 |
sizeOfAAD = 0; |
|
20752 | 323 |
if (decrypting) { |
324 |
ibuffer = new ByteArrayOutputStream(); |
|
325 |
} |
|
15008 | 326 |
} |
327 |
||
328 |
/** |
|
329 |
* Continues a multi-part update of the Additional Authentication |
|
330 |
* Data (AAD), using a subset of the provided buffer. If this |
|
331 |
* cipher is operating in either GCM or CCM mode, all AAD must be |
|
332 |
* supplied before beginning operations on the ciphertext (via the |
|
333 |
* {@code update} and {@code doFinal} methods). |
|
334 |
* <p> |
|
335 |
* NOTE: Given most modes do not accept AAD, default impl for this |
|
336 |
* method throws IllegalStateException. |
|
337 |
* |
|
338 |
* @param src the buffer containing the AAD |
|
339 |
* @param offset the offset in {@code src} where the AAD input starts |
|
340 |
* @param len the number of AAD bytes |
|
341 |
* |
|
342 |
* @throws IllegalStateException if this cipher is in a wrong state |
|
343 |
* (e.g., has not been initialized), does not accept AAD, or if |
|
344 |
* operating in either GCM or CCM mode and one of the {@code update} |
|
345 |
* methods has already been called for the active |
|
346 |
* encryption/decryption operation |
|
347 |
* @throws UnsupportedOperationException if this method |
|
348 |
* has not been overridden by an implementation |
|
349 |
* |
|
350 |
* @since 1.8 |
|
351 |
*/ |
|
352 |
void updateAAD(byte[] src, int offset, int len) { |
|
353 |
if (aadBuffer != null) { |
|
354 |
aadBuffer.write(src, offset, len); |
|
355 |
} else { |
|
356 |
// update has already been called |
|
357 |
throw new IllegalStateException |
|
358 |
("Update has been called; no more AAD data"); |
|
359 |
} |
|
360 |
} |
|
361 |
||
362 |
// Feed the AAD data to GHASH, pad if necessary |
|
363 |
void processAAD() { |
|
39750 | 364 |
if (aadBuffer != null) { |
365 |
if (aadBuffer.size() > 0) { |
|
366 |
byte[] aad = aadBuffer.toByteArray(); |
|
367 |
sizeOfAAD = aad.length; |
|
15008 | 368 |
|
39750 | 369 |
int lastLen = aad.length % AES_BLOCK_SIZE; |
370 |
if (lastLen != 0) { |
|
371 |
ghashAllToS.update(aad, 0, aad.length - lastLen); |
|
372 |
byte[] padded = expandToOneBlock(aad, aad.length - lastLen, |
|
373 |
lastLen); |
|
374 |
ghashAllToS.update(padded); |
|
375 |
} else { |
|
376 |
ghashAllToS.update(aad); |
|
377 |
} |
|
15008 | 378 |
} |
39750 | 379 |
aadBuffer = null; |
15008 | 380 |
} |
381 |
} |
|
382 |
||
383 |
// Utility to process the last block; used by encryptFinal and decryptFinal |
|
384 |
void doLastBlock(byte[] in, int inOfs, int len, byte[] out, int outOfs, |
|
385 |
boolean isEncrypt) throws IllegalBlockSizeException { |
|
386 |
byte[] ct; |
|
387 |
int ctOfs; |
|
53721
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
388 |
int ilen = len; // internal length |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
389 |
|
15008 | 390 |
if (isEncrypt) { |
391 |
ct = out; |
|
392 |
ctOfs = outOfs; |
|
393 |
} else { |
|
394 |
ct = in; |
|
395 |
ctOfs = inOfs; |
|
396 |
} |
|
53721
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
397 |
|
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
398 |
// Divide up larger data sizes to trigger CTR & GHASH intrinsic quicker |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
399 |
if (len > TRIGGERLEN) { |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
400 |
int i = 0; |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
401 |
int tlen; // incremental lengths |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
402 |
final int plen = AES_BLOCK_SIZE * 6; |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
403 |
// arbitrary formula to aid intrinsic without reaching buffer end |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
404 |
final int count = len / 1024; |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
405 |
|
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
406 |
while (count > i) { |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
407 |
tlen = gctrPAndC.update(in, inOfs, plen, out, outOfs); |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
408 |
ghashAllToS.update(ct, ctOfs, tlen); |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
409 |
inOfs += tlen; |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
410 |
outOfs += tlen; |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
411 |
ctOfs += tlen; |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
412 |
i++; |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
413 |
} |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
414 |
ilen -= count * plen; |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
415 |
processed += count * plen; |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
416 |
} |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
417 |
|
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
418 |
gctrPAndC.doFinal(in, inOfs, ilen, out, outOfs); |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
419 |
processed += ilen; |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
420 |
|
54029
4ff6c8365b69
8220165: Encryption using GCM results in RuntimeException- input length out of bound
ascarpino
parents:
53721
diff
changeset
|
421 |
int lastLen = ilen % AES_BLOCK_SIZE; |
15008 | 422 |
if (lastLen != 0) { |
54029
4ff6c8365b69
8220165: Encryption using GCM results in RuntimeException- input length out of bound
ascarpino
parents:
53721
diff
changeset
|
423 |
ghashAllToS.update(ct, ctOfs, ilen - lastLen); |
53721
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
424 |
ghashAllToS.update( |
54029
4ff6c8365b69
8220165: Encryption using GCM results in RuntimeException- input length out of bound
ascarpino
parents:
53721
diff
changeset
|
425 |
expandToOneBlock(ct, (ctOfs + ilen - lastLen), lastLen)); |
15008 | 426 |
} else { |
53721
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
427 |
ghashAllToS.update(ct, ctOfs, ilen); |
15008 | 428 |
} |
429 |
} |
|
430 |
||
431 |
||
432 |
/** |
|
433 |
* Performs encryption operation. |
|
434 |
* |
|
51052
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
435 |
* <p>The input plain text <code>in</code>, starting at <code>inOfs</code> |
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
436 |
* and ending at <code>(inOfs + len - 1)</code>, is encrypted. The result |
15008 | 437 |
* is stored in <code>out</code>, starting at <code>outOfs</code>. |
438 |
* |
|
439 |
* @param in the buffer with the input data to be encrypted |
|
440 |
* @param inOfs the offset in <code>in</code> |
|
441 |
* @param len the length of the input data |
|
442 |
* @param out the buffer for the result |
|
443 |
* @param outOfs the offset in <code>out</code> |
|
28241
b7b95c178b76
8049312: AES/CICO test failed with on several modes
valeriep
parents:
25859
diff
changeset
|
444 |
* @exception ProviderException if <code>len</code> is not |
b7b95c178b76
8049312: AES/CICO test failed with on several modes
valeriep
parents:
25859
diff
changeset
|
445 |
* a multiple of the block size |
b7b95c178b76
8049312: AES/CICO test failed with on several modes
valeriep
parents:
25859
diff
changeset
|
446 |
* @return the number of bytes placed into the <code>out</code> buffer |
15008 | 447 |
*/ |
20752 | 448 |
int encrypt(byte[] in, int inOfs, int len, byte[] out, int outOfs) { |
51052
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
449 |
ArrayUtil.blockSizeCheck(len, blockSize); |
39752 | 450 |
|
451 |
checkDataLength(processed, len); |
|
452 |
||
15008 | 453 |
processAAD(); |
51052
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
454 |
|
15008 | 455 |
if (len > 0) { |
51052
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
456 |
ArrayUtil.nullAndBoundsCheck(in, inOfs, len); |
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
457 |
ArrayUtil.nullAndBoundsCheck(out, outOfs, len); |
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
458 |
|
15008 | 459 |
gctrPAndC.update(in, inOfs, len, out, outOfs); |
460 |
processed += len; |
|
461 |
ghashAllToS.update(out, outOfs, len); |
|
462 |
} |
|
51052
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
463 |
|
20752 | 464 |
return len; |
15008 | 465 |
} |
466 |
||
467 |
/** |
|
468 |
* Performs encryption operation for the last time. |
|
469 |
* |
|
470 |
* @param in the input buffer with the data to be encrypted |
|
471 |
* @param inOfs the offset in <code>in</code> |
|
472 |
* @param len the length of the input data |
|
473 |
* @param out the buffer for the encryption result |
|
474 |
* @param outOfs the offset in <code>out</code> |
|
475 |
* @return the number of bytes placed into the <code>out</code> buffer |
|
476 |
*/ |
|
20752 | 477 |
int encryptFinal(byte[] in, int inOfs, int len, byte[] out, int outOfs) |
478 |
throws IllegalBlockSizeException, ShortBufferException { |
|
39752 | 479 |
if (len > MAX_BUF_SIZE - tagLenBytes) { |
480 |
throw new ShortBufferException |
|
481 |
("Can't fit both data and tag into one buffer"); |
|
482 |
} |
|
51052
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
483 |
try { |
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
484 |
ArrayUtil.nullAndBoundsCheck(out, outOfs, |
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
485 |
(len + tagLenBytes)); |
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
486 |
} catch (ArrayIndexOutOfBoundsException aiobe) { |
20752 | 487 |
throw new ShortBufferException("Output buffer too small"); |
488 |
} |
|
489 |
||
39752 | 490 |
checkDataLength(processed, len); |
491 |
||
20752 | 492 |
processAAD(); |
493 |
if (len > 0) { |
|
51052
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
494 |
ArrayUtil.nullAndBoundsCheck(in, inOfs, len); |
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
495 |
|
20752 | 496 |
doLastBlock(in, inOfs, len, out, outOfs, true); |
497 |
} |
|
15008 | 498 |
|
20752 | 499 |
byte[] lengthBlock = |
39752 | 500 |
getLengthBlock(sizeOfAAD, processed); |
20752 | 501 |
ghashAllToS.update(lengthBlock); |
502 |
byte[] s = ghashAllToS.digest(); |
|
503 |
byte[] sOut = new byte[s.length]; |
|
504 |
GCTR gctrForSToTag = new GCTR(embeddedCipher, this.preCounterBlock); |
|
505 |
gctrForSToTag.doFinal(s, 0, s.length, sOut, 0); |
|
15008 | 506 |
|
20752 | 507 |
System.arraycopy(sOut, 0, out, (outOfs + len), tagLenBytes); |
508 |
return (len + tagLenBytes); |
|
509 |
} |
|
15008 | 510 |
|
511 |
/** |
|
512 |
* Performs decryption operation. |
|
513 |
* |
|
514 |
* <p>The input cipher text <code>in</code>, starting at |
|
515 |
* <code>inOfs</code> and ending at <code>(inOfs + len - 1)</code>, |
|
516 |
* is decrypted. The result is stored in <code>out</code>, starting at |
|
517 |
* <code>outOfs</code>. |
|
518 |
* |
|
519 |
* @param in the buffer with the input data to be decrypted |
|
520 |
* @param inOfs the offset in <code>in</code> |
|
521 |
* @param len the length of the input data |
|
522 |
* @param out the buffer for the result |
|
523 |
* @param outOfs the offset in <code>out</code> |
|
28241
b7b95c178b76
8049312: AES/CICO test failed with on several modes
valeriep
parents:
25859
diff
changeset
|
524 |
* @exception ProviderException if <code>len</code> is not |
b7b95c178b76
8049312: AES/CICO test failed with on several modes
valeriep
parents:
25859
diff
changeset
|
525 |
* a multiple of the block size |
b7b95c178b76
8049312: AES/CICO test failed with on several modes
valeriep
parents:
25859
diff
changeset
|
526 |
* @return the number of bytes placed into the <code>out</code> buffer |
15008 | 527 |
*/ |
20752 | 528 |
int decrypt(byte[] in, int inOfs, int len, byte[] out, int outOfs) { |
51052
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
529 |
ArrayUtil.blockSizeCheck(len, blockSize); |
39752 | 530 |
|
531 |
checkDataLength(ibuffer.size(), len); |
|
532 |
||
15008 | 533 |
processAAD(); |
534 |
||
20752 | 535 |
if (len > 0) { |
536 |
// store internally until decryptFinal is called because |
|
537 |
// spec mentioned that only return recovered data after tag |
|
538 |
// is successfully verified |
|
51052
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
539 |
ArrayUtil.nullAndBoundsCheck(in, inOfs, len); |
20752 | 540 |
ibuffer.write(in, inOfs, len); |
15008 | 541 |
} |
20752 | 542 |
return 0; |
15008 | 543 |
} |
544 |
||
545 |
/** |
|
546 |
* Performs decryption operation for the last time. |
|
547 |
* |
|
548 |
* <p>NOTE: For cipher feedback modes which does not perform |
|
549 |
* special handling for the last few blocks, this is essentially |
|
550 |
* the same as <code>encrypt(...)</code>. Given most modes do |
|
551 |
* not do special handling, the default impl for this method is |
|
552 |
* to simply call <code>decrypt(...)</code>. |
|
553 |
* |
|
554 |
* @param in the input buffer with the data to be decrypted |
|
555 |
* @param inOfs the offset in <code>cipher</code> |
|
556 |
* @param len the length of the input data |
|
557 |
* @param out the buffer for the decryption result |
|
558 |
* @param outOfs the offset in <code>plain</code> |
|
559 |
* @return the number of bytes placed into the <code>out</code> buffer |
|
560 |
*/ |
|
20752 | 561 |
int decryptFinal(byte[] in, int inOfs, int len, |
562 |
byte[] out, int outOfs) |
|
563 |
throws IllegalBlockSizeException, AEADBadTagException, |
|
564 |
ShortBufferException { |
|
565 |
if (len < tagLenBytes) { |
|
566 |
throw new AEADBadTagException("Input too short - need tag"); |
|
567 |
} |
|
51052
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
568 |
|
39752 | 569 |
// do this check here can also catch the potential integer overflow |
570 |
// scenario for the subsequent output buffer capacity check. |
|
571 |
checkDataLength(ibuffer.size(), (len - tagLenBytes)); |
|
572 |
||
51052
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
573 |
try { |
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
574 |
ArrayUtil.nullAndBoundsCheck(out, outOfs, |
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
575 |
(ibuffer.size() + len) - tagLenBytes); |
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
576 |
} catch (ArrayIndexOutOfBoundsException aiobe) { |
20752 | 577 |
throw new ShortBufferException("Output buffer too small"); |
578 |
} |
|
39752 | 579 |
|
20752 | 580 |
processAAD(); |
39752 | 581 |
|
51052
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
582 |
ArrayUtil.nullAndBoundsCheck(in, inOfs, len); |
080776992b29
8179098: Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
valeriep
parents:
49789
diff
changeset
|
583 |
|
39752 | 584 |
// get the trailing tag bytes from 'in' |
585 |
byte[] tag = new byte[tagLenBytes]; |
|
586 |
System.arraycopy(in, inOfs + len - tagLenBytes, tag, 0, tagLenBytes); |
|
587 |
len -= tagLenBytes; |
|
588 |
||
53721
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
589 |
// If decryption is in-place or there is buffered "ibuffer" data, copy |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
590 |
// the "in" byte array into the ibuffer before proceeding. |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
591 |
if (in == out || ibuffer.size() > 0) { |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
592 |
if (len > 0) { |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
593 |
ibuffer.write(in, inOfs, len); |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
594 |
} |
15008 | 595 |
|
53721
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
596 |
// refresh 'in' to all buffered-up bytes |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
597 |
in = ibuffer.toByteArray(); |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
598 |
inOfs = 0; |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
599 |
len = in.length; |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
600 |
ibuffer.reset(); |
f35a8aaabcb9
8201633: Problems with AES-GCM native acceleration
ascarpino
parents:
51052
diff
changeset
|
601 |
} |
15008 | 602 |
|
20752 | 603 |
if (len > 0) { |
604 |
doLastBlock(in, inOfs, len, out, outOfs, false); |
|
605 |
} |
|
15008 | 606 |
|
20752 | 607 |
byte[] lengthBlock = |
39752 | 608 |
getLengthBlock(sizeOfAAD, processed); |
20752 | 609 |
ghashAllToS.update(lengthBlock); |
610 |
||
611 |
byte[] s = ghashAllToS.digest(); |
|
612 |
byte[] sOut = new byte[s.length]; |
|
613 |
GCTR gctrForSToTag = new GCTR(embeddedCipher, this.preCounterBlock); |
|
614 |
gctrForSToTag.doFinal(s, 0, s.length, sOut, 0); |
|
37579 | 615 |
|
616 |
// check entire authentication tag for time-consistency |
|
617 |
int mismatch = 0; |
|
20752 | 618 |
for (int i = 0; i < tagLenBytes; i++) { |
37579 | 619 |
mismatch |= tag[i] ^ sOut[i]; |
20752 | 620 |
} |
37579 | 621 |
|
622 |
if (mismatch != 0) { |
|
623 |
throw new AEADBadTagException("Tag mismatch!"); |
|
624 |
} |
|
625 |
||
20752 | 626 |
return len; |
627 |
} |
|
15008 | 628 |
|
629 |
// return tag length in bytes |
|
630 |
int getTagLen() { |
|
631 |
return this.tagLenBytes; |
|
632 |
} |
|
20752 | 633 |
|
634 |
int getBufferedLength() { |
|
635 |
if (ibuffer == null) { |
|
636 |
return 0; |
|
637 |
} else { |
|
638 |
return ibuffer.size(); |
|
639 |
} |
|
640 |
} |
|
15008 | 641 |
} |