# HG changeset patch # User valeriep # Date 1384903796 28800 # Node ID 0c41fa97176a179647d5774d6af0835b6d508261 # Parent b221b57b93bc9c8caa682414de50129b2b653bdb 8026943: SQE test jce/Global/Cipher/SameBuffer failed Summary: Always use different input/output buffers when calling FeedbackCipher objects Reviewed-by: mullan diff -r b221b57b93bc -r 0c41fa97176a jdk/src/share/classes/com/sun/crypto/provider/CipherBlockChaining.java --- a/jdk/src/share/classes/com/sun/crypto/provider/CipherBlockChaining.java Tue Nov 19 22:28:12 2013 +0100 +++ b/jdk/src/share/classes/com/sun/crypto/provider/CipherBlockChaining.java Tue Nov 19 15:29:56 2013 -0800 @@ -186,29 +186,15 @@ byte[] plain, int plainOffset) { int i; - byte[] cipherOrig=null; int endIndex = cipherOffset + cipherLen; - if (cipher==plain && (cipherOffset >= plainOffset) - && ((cipherOffset - plainOffset) < blockSize)) { - // Save the original ciphertext blocks, so they can be - // stored in the feedback register "r". - // This is necessary because in this constellation, a - // ciphertext block (or parts of it) will be overridden by - // the plaintext result. - cipherOrig = cipher.clone(); - } for (; cipherOffset < endIndex; cipherOffset += blockSize, plainOffset += blockSize) { embeddedCipher.decryptBlock(cipher, cipherOffset, k, 0); for (i = 0; i < blockSize; i++) { plain[i+plainOffset] = (byte)(k[i] ^ r[i]); } - if (cipherOrig==null) { - System.arraycopy(cipher, cipherOffset, r, 0, blockSize); - } else { - System.arraycopy(cipherOrig, cipherOffset, r, 0, blockSize); - } + System.arraycopy(cipher, cipherOffset, r, 0, blockSize); } return cipherLen; } diff -r b221b57b93bc -r 0c41fa97176a jdk/src/share/classes/com/sun/crypto/provider/CipherCore.java --- a/jdk/src/share/classes/com/sun/crypto/provider/CipherCore.java Tue Nov 19 22:28:12 2013 +0100 +++ b/jdk/src/share/classes/com/sun/crypto/provider/CipherCore.java Tue Nov 19 15:29:56 2013 -0800 @@ -732,8 +732,12 @@ System.arraycopy(buffer, len, buffer, 0, buffered); } } else { // len > buffered - if (buffered == 0) { + if ((input != output) && (buffered == 0)) { // all to-be-processed data are from 'input' + // however, note that if 'input' and 'output' are the same, + // then they can't be passed directly to the underlying cipher + // engine operations as data may be overwritten before they + // are read. if (decrypting) { outLen = cipher.decrypt(input, inputOffset, len, output, outputOffset); } else { @@ -744,12 +748,16 @@ } else { // assemble the data using both 'buffer' and 'input' byte[] in = new byte[len]; - System.arraycopy(buffer, 0, in, 0, buffered); int inConsumed = len - buffered; - System.arraycopy(input, inputOffset, in, buffered, inConsumed); - buffered = 0; - inputOffset += inConsumed; - inputLen -= inConsumed; + if (buffered != 0) { + System.arraycopy(buffer, 0, in, 0, buffered); + buffered = 0; + } + if (inConsumed != 0) { + System.arraycopy(input, inputOffset, in, len - inConsumed, inConsumed); + inputOffset += inConsumed; + inputLen -= inConsumed; + } if (decrypting) { outLen = cipher.decrypt(in, 0, len, output, outputOffset); } else { @@ -907,11 +915,18 @@ " when decrypting with padded cipher"); } - // prepare the final input avoiding copying if possible + /* + * prepare the final input, assemble a new buffer if any + * of the following is true: + * - 'input' and 'output' are the same buffer + * - there are internally buffered bytes + * - doing encryption and padding is needed + */ byte[] finalBuf = input; int finalOffset = inputOffset; int finalBufLen = inputLen; - if ((buffered != 0) || (!decrypting && padding != null)) { + if ((input == output) || (buffered != 0) || + (!decrypting && padding != null)) { if (decrypting || padding == null) { paddingLen = 0; } diff -r b221b57b93bc -r 0c41fa97176a jdk/src/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java --- a/jdk/src/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java Tue Nov 19 22:28:12 2013 +0100 +++ b/jdk/src/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java Tue Nov 19 15:29:56 2013 -0800 @@ -50,6 +50,9 @@ (byte) 0x79, (byte) 0xe8, (byte) 0x21, (byte) 0x05 }; + private static final int CHECKSUM_LEN = 8; + private static final int IV_LEN = 8; + /* * internal cipher object which does the real work. */ @@ -135,7 +138,7 @@ // can only return an upper-limit if not initialized yet. int result = 0; if (decrypting) { - result = inputLen - 16; + result = inputLen - 16; // CHECKSUM_LEN + IV_LEN; } else { result = inputLen + 16; } @@ -215,7 +218,7 @@ if (opmode == Cipher.WRAP_MODE) { decrypting = false; if (params == null) { - iv = new byte[8]; + iv = new byte[IV_LEN]; if (random == null) { random = SunJCE.getRandom(); } @@ -449,14 +452,15 @@ } byte[] cks = getChecksum(keyVal); - byte[] out = new byte[iv.length + keyVal.length + cks.length]; + byte[] in = new byte[keyVal.length + CHECKSUM_LEN]; + System.arraycopy(keyVal, 0, in, 0, keyVal.length); + System.arraycopy(cks, 0, in, keyVal.length, CHECKSUM_LEN); - System.arraycopy(keyVal, 0, out, iv.length, keyVal.length); - System.arraycopy(cks, 0, out, iv.length+keyVal.length, cks.length); - cipher.encrypt(out, iv.length, keyVal.length+cks.length, - out, iv.length); + byte[] out = new byte[iv.length + in.length]; + System.arraycopy(iv, 0, out, 0, iv.length); - System.arraycopy(iv, 0, out, 0, iv.length); + cipher.encrypt(in, 0, in.length, out, iv.length); + // reverse the array content for (int i = 0; i < out.length/2; i++) { byte temp = out[i]; @@ -470,7 +474,8 @@ // should never happen throw new RuntimeException("Internal cipher key is corrupted"); } - cipher.encrypt(out, 0, out.length, out, 0); + byte[] out2 = new byte[out.length]; + cipher.encrypt(out, 0, out.length, out2, 0); // restore cipher state to prior to this call try { @@ -480,7 +485,7 @@ // should never happen throw new RuntimeException("Internal cipher key is corrupted"); } - return out; + return out2; } /** @@ -520,25 +525,26 @@ buffer[i] = buffer[buffer.length-1-i]; buffer[buffer.length-1-i] = temp; } - iv = new byte[IV2.length]; + iv = new byte[IV_LEN]; System.arraycopy(buffer, 0, iv, 0, iv.length); cipher.init(true, cipherKey.getAlgorithm(), cipherKey.getEncoded(), iv); - cipher.decrypt(buffer, iv.length, buffer.length-iv.length, - buffer, iv.length); - int origLen = buffer.length - iv.length - 8; - byte[] cks = getChecksum(buffer, iv.length, origLen); - int offset = iv.length + origLen; - for (int i = 0; i < cks.length; i++) { - if (buffer[offset + i] != cks[i]) { + byte[] buffer2 = new byte[buffer.length - iv.length]; + cipher.decrypt(buffer, iv.length, buffer2.length, + buffer2, 0); + int keyValLen = buffer2.length - CHECKSUM_LEN; + byte[] cks = getChecksum(buffer2, 0, keyValLen); + int offset = keyValLen; + for (int i = 0; i < CHECKSUM_LEN; i++) { + if (buffer2[offset + i] != cks[i]) { throw new InvalidKeyException("Checksum comparison failed"); } } // restore cipher state to prior to this call cipher.init(decrypting, cipherKey.getAlgorithm(), cipherKey.getEncoded(), IV2); - byte[] out = new byte[origLen]; - System.arraycopy(buffer, iv.length, out, 0, out.length); + byte[] out = new byte[keyValLen]; + System.arraycopy(buffer2, 0, out, 0, keyValLen); return ConstructKeys.constructKey(out, wrappedKeyAlgorithm, wrappedKeyType); } @@ -554,7 +560,7 @@ throw new RuntimeException("SHA1 message digest not available"); } md.update(in, offset, len); - byte[] cks = new byte[8]; + byte[] cks = new byte[CHECKSUM_LEN]; System.arraycopy(md.digest(), 0, cks, 0, cks.length); return cks; } diff -r b221b57b93bc -r 0c41fa97176a jdk/test/com/sun/crypto/provider/Cipher/AES/TestCopySafe.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/com/sun/crypto/provider/Cipher/AES/TestCopySafe.java Tue Nov 19 15:29:56 2013 -0800 @@ -0,0 +1,183 @@ +/* + * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8026943 + * @summary Verify that same buffer can be used as input and output when + * using Cipher objects. + * @author Valerie Peng + */ +import java.security.*; +import java.security.spec.*; + +import java.util.Arrays; + +import javax.crypto.*; +import javax.crypto.spec.*; + +public class TestCopySafe { + + private static boolean DEBUG = false; + private static int INPUT_LENGTH = 160; // must be multiple of block size + private static byte[] PT = new byte[INPUT_LENGTH]; + private static SecretKey KEY = new SecretKeySpec(new byte[16], "AES"); + private static byte[] IV = new byte[16]; + + private static int[] OFFSETS = { 1, 8, 17 }; + + private static final String[] MODES = { + "ECB", "CBC", "PCBC", "CTR", "CTS", + "CFB", "CFB8", "CFB16", "CFB24", "CFB32", "CFB40", + "CFB48", "CFB56", "CFB64", + "OFB", "OFB8", "OFB16", "OFB24", "OFB32", "OFB40", + "OFB48", "OFB56", "OFB64", + "GCM" + }; + + public static void main(String[] argv) throws Exception { + + Provider p = Security.getProvider("SunJCE"); + + AlgorithmParameterSpec params = null; + boolean result = true; + for (String mode : MODES) { + String transformation = "AES/" + mode + "/NoPadding"; + boolean isGCM = (mode == "GCM"); + if (isGCM) { + params = new GCMParameterSpec(128, IV); + } else if (mode != "ECB") { + params = new IvParameterSpec(IV); + } + Cipher c = Cipher.getInstance(transformation, p); + System.out.println("Testing " + transformation + ":"); + for (int offset : OFFSETS) { + System.out.print("=> offset " + offset + ": "); + try { + test(c, params, offset, isGCM); + System.out.println("Passed"); + } catch(Exception ex) { + ex.printStackTrace(); + result = false; + continue; + } + } + } + if (!result) { + throw new Exception("One or more test failed"); + } + } + + private static void test(Cipher c, AlgorithmParameterSpec params, + int offset, boolean isGCM) throws Exception { + + // Test encryption first + if (isGCM) { + // re-init with only key value first to bypass the + // Key+IV-uniqueness check for GCM encryption + c.init(Cipher.ENCRYPT_MODE, KEY); + } + c.init(Cipher.ENCRYPT_MODE, KEY, params); + byte[] answer = c.doFinal(PT); + byte[] pt2 = Arrays.copyOf(PT, answer.length + offset); + + // #1: outOfs = inOfs = 0 + if (isGCM) { + c.init(Cipher.ENCRYPT_MODE, KEY); + c.init(Cipher.ENCRYPT_MODE, KEY, params); + } + c.doFinal(pt2, 0, PT.length, pt2, 0); + if (!isTwoArraysEqual(pt2, 0, answer, 0, answer.length)) { + throw new Exception("Enc#1 diff check failed!"); + } else if (DEBUG) { + System.out.println("Enc#1 diff check passed"); + } + + // #2: inOfs = 0, outOfs = offset + System.arraycopy(PT, 0, pt2, 0, PT.length); + if (isGCM) { + c.init(Cipher.ENCRYPT_MODE, KEY); + c.init(Cipher.ENCRYPT_MODE, KEY, params); + } + c.doFinal(pt2, 0, PT.length, pt2, offset); + if (!isTwoArraysEqual(pt2, offset, answer, 0, answer.length)) { + throw new Exception("Enc#2 diff check failed"); + } else if (DEBUG) { + System.out.println("Enc#2 diff check passed"); + } + + // #3: inOfs = offset, outOfs = 0 + System.arraycopy(PT, 0, pt2, offset, PT.length); + if (isGCM) { + c.init(Cipher.ENCRYPT_MODE, KEY); + c.init(Cipher.ENCRYPT_MODE, KEY, params); + } + c.doFinal(pt2, offset, PT.length, pt2, 0); + if (!isTwoArraysEqual(pt2, 0, answer, 0, answer.length)) { + throw new Exception("Enc#3 diff check failed"); + } else if (DEBUG) { + System.out.println("Enc#3 diff check passed"); + } + + // Test decryption now, we should get back PT as a result + c.init(Cipher.DECRYPT_MODE, KEY, params); + pt2 = Arrays.copyOf(answer, answer.length + offset); + + // #1: outOfs = inOfs = 0 + c.doFinal(pt2, 0, answer.length, pt2, 0); + if (!isTwoArraysEqual(pt2, 0, PT, 0, PT.length)) { + throw new Exception("Dec#1 diff check failed!"); + } else if (DEBUG) { + System.out.println("Dec#1 diff check passed"); + } + + // #2: inOfs = 0, outOfs = offset + System.arraycopy(answer, 0, pt2, 0, answer.length); + c.doFinal(pt2, 0, answer.length, pt2, offset); + if (!isTwoArraysEqual(pt2, offset, PT, 0, PT.length)) { + throw new Exception("Dec#2 diff check failed"); + } else if (DEBUG) { + System.out.println("Dec#2 diff check passed"); + } + + // #3: inOfs = offset, outOfs = 0 + System.arraycopy(answer, 0, pt2, offset, answer.length); + c.doFinal(pt2, offset, answer.length, pt2, 0); + if (!isTwoArraysEqual(pt2, 0, PT, 0, PT.length)) { + throw new Exception("Dec#3 diff check failed"); + } else if (DEBUG) { + System.out.println("Dec#3 diff check passed"); + } + } + + private static boolean isTwoArraysEqual(byte[] a, int aOff, byte[] b, int bOff, + int len) { + for (int i = 0; i < len; i++) { + if (a[aOff + i] != b[bOff + i]) { + return false; + } + } + return true; + } +} +