stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding

Browse Source 
Reviewed-by: valeriep
This commit is contained in:
Martin Balao 2021-04-12 20:58:08 +00:00
parent d84a7e55be
commit 1ee80e03ad
2 changed files with 217 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
View File

@ -70,7 +70,7 @@ final class P11Cipher extends CipherSpi {
private static interface Padding { private static interface Padding {
// ENC: format the specified buffer with padding bytes and return the // ENC: format the specified buffer with padding bytes and return the
// actual padding length // actual padding length
int setPaddingBytes(byte[] paddingBuffer, int padLen); int setPaddingBytes(byte[] paddingBuffer, int startOff, int padLen);
// DEC: return the length of trailing padding bytes given the specified // DEC: return the length of trailing padding bytes given the specified
// padded data // padded data
@ -91,8 +91,8 @@ final class P11Cipher extends CipherSpi {
this.blockSize = blockSize; this.blockSize = blockSize;
} }
public int setPaddingBytes(byte[] paddingBuffer, int padLen) { public int setPaddingBytes(byte[] paddingBuffer, int startOff, int padLen) {
Arrays.fill(paddingBuffer, 0, padLen, (byte) (padLen & 0x007f)); Arrays.fill(paddingBuffer, startOff, startOff + padLen, (byte) (padLen & 0x007f));
return padLen; return padLen;
} }
@ -169,6 +169,14 @@ final class P11Cipher extends CipherSpi {
// specification mandates a fixed size of the key // specification mandates a fixed size of the key
private int fixedKeySize = -1; private int fixedKeySize = -1;
// Indicates whether the underlying PKCS#11 library requires block-sized
// updates during multi-part operations. In such case, we buffer data in
// padBuffer up to a block-size. This may be needed only if padding is
// applied on the Java side. An example of the previous is when the
// CKM_AES_ECB mechanism is used and the PKCS#11 library is NSS. See more
// on JDK-8261355.
private boolean reqBlockUpdates = false;
P11Cipher(Token token, String algorithm, long mechanism) P11Cipher(Token token, String algorithm, long mechanism)
throws PKCS11Exception, NoSuchAlgorithmException { throws PKCS11Exception, NoSuchAlgorithmException {
super(); super();
@ -252,6 +260,10 @@ final class P11Cipher extends CipherSpi {
// no native padding support; use our own padding impl // no native padding support; use our own padding impl
paddingObj = new PKCS5Padding(blockSize); paddingObj = new PKCS5Padding(blockSize);
padBuffer = new byte[blockSize]; padBuffer = new byte[blockSize];
char[] tokenLabel = token.tokenInfo.label;
// NSS requires block-sized updates in multi-part operations.
reqBlockUpdates = ((tokenLabel[0] == 'N' && tokenLabel[1] == 'S'
&& tokenLabel[2] == 'S') ? true : false);
} }
} else { } else {
throw new NoSuchPaddingException("Unsupported padding " + padding); throw new NoSuchPaddingException("Unsupported padding " + padding);
@ -587,16 +599,9 @@ final class P11Cipher extends CipherSpi {
try { try {
ensureInitialized(); ensureInitialized();
int k = 0; int k = 0;
if (encrypt) {
k = token.p11.C_EncryptUpdate(session.id(), 0, in, inOfs, inLen,
0, out, outOfs, outLen);
} else {
int newPadBufferLen = 0; int newPadBufferLen = 0;
if (paddingObj != null) { if (paddingObj != null && (!encrypt || reqBlockUpdates)) {
if (padBufferLen != 0) { if (padBufferLen != 0) {
// NSS throws up when called with data not in multiple
// of blocks. Try to work around this by holding the
// extra data in padBuffer.
if (padBufferLen != padBuffer.length) { if (padBufferLen != padBuffer.length) {
int bufCapacity = padBuffer.length - padBufferLen; int bufCapacity = padBuffer.length - padBufferLen;
if (inLen > bufCapacity) { if (inLen > bufCapacity) {
@ -608,25 +613,40 @@ final class P11Cipher extends CipherSpi {
return 0; return 0;
} }
} }
if (encrypt) {
k = token.p11.C_EncryptUpdate(session.id(),
0, padBuffer, 0, padBufferLen,
0, out, outOfs, outLen);
} else {
k = token.p11.C_DecryptUpdate(session.id(), k = token.p11.C_DecryptUpdate(session.id(),
0, padBuffer, 0, padBufferLen, 0, padBuffer, 0, padBufferLen,
0, out, outOfs, outLen); 0, out, outOfs, outLen);
}
padBufferLen = 0; padBufferLen = 0;
} }
newPadBufferLen = inLen & (blockSize - 1); newPadBufferLen = inLen & (blockSize - 1);
if (newPadBufferLen == 0) { if (!encrypt && newPadBufferLen == 0) {
// While decrypting with implUpdate, the last encrypted block
// is always held in a buffer. If it's the final one (unknown
// at this point), it may contain padding bytes and need further
// processing. In implDoFinal (where we know it's the final one)
// the buffer is decrypted, unpadded and returned.
newPadBufferLen = padBuffer.length; newPadBufferLen = padBuffer.length;
} }
inLen -= newPadBufferLen; inLen -= newPadBufferLen;
} }
if (inLen > 0) { if (inLen > 0) {
if (encrypt) {
k += token.p11.C_EncryptUpdate(session.id(), 0, in, inOfs,
inLen, 0, out, (outOfs + k), (outLen - k));
} else {
k += token.p11.C_DecryptUpdate(session.id(), 0, in, inOfs, k += token.p11.C_DecryptUpdate(session.id(), 0, in, inOfs,
inLen, 0, out, (outOfs + k), (outLen - k)); inLen, 0, out, (outOfs + k), (outLen - k));
} }
// update 'padBuffer' if using our own padding impl.
if (paddingObj != null) {
bufferInputBytes(in, inOfs + inLen, newPadBufferLen);
} }
// update 'padBuffer' if using our own padding impl.
if (paddingObj != null && newPadBufferLen > 0) {
bufferInputBytes(in, inOfs + inLen, newPadBufferLen);
} }
bytesBuffered += (inLen - k); bytesBuffered += (inLen - k);
return k; return k;
@ -687,23 +707,9 @@ final class P11Cipher extends CipherSpi {
} }
int k = 0; int k = 0;
if (encrypt) {
if (inAddr == 0 && inArray == null) {
inArray = new byte[inLen];
inBuffer.get(inArray);
} else {
inBuffer.position(origPos + inLen);
}
k = token.p11.C_EncryptUpdate(session.id(),
inAddr, inArray, inOfs, inLen,
outAddr, outArray, outOfs, outLen);
} else {
int newPadBufferLen = 0; int newPadBufferLen = 0;
if (paddingObj != null) { if (paddingObj != null && (!encrypt || reqBlockUpdates)) {
if (padBufferLen != 0) { if (padBufferLen != 0) {
// NSS throws up when called with data not in multiple
// of blocks. Try to work around this by holding the
// extra data in padBuffer.
if (padBufferLen != padBuffer.length) { if (padBufferLen != padBuffer.length) {
int bufCapacity = padBuffer.length - padBufferLen; int bufCapacity = padBuffer.length - padBufferLen;
if (inLen > bufCapacity) { if (inLen > bufCapacity) {
@ -715,13 +721,24 @@ final class P11Cipher extends CipherSpi {
return 0; return 0;
} }
} }
if (encrypt) {
k = token.p11.C_EncryptUpdate(session.id(), 0,
padBuffer, 0, padBufferLen, outAddr, outArray,
outOfs, outLen);
} else {
k = token.p11.C_DecryptUpdate(session.id(), 0, k = token.p11.C_DecryptUpdate(session.id(), 0,
padBuffer, 0, padBufferLen, outAddr, outArray, padBuffer, 0, padBufferLen, outAddr, outArray,
outOfs, outLen); outOfs, outLen);
}
padBufferLen = 0; padBufferLen = 0;
} }
newPadBufferLen = inLen & (blockSize - 1); newPadBufferLen = inLen & (blockSize - 1);
if (newPadBufferLen == 0) { if (!encrypt && newPadBufferLen == 0) {
// While decrypting with implUpdate, the last encrypted block
// is always held in a buffer. If it's the final one (unknown
// at this point), it may contain padding bytes and need further
// processing. In implDoFinal (where we know it's the final one)
// the buffer is decrypted, unpadded and returned.
newPadBufferLen = padBuffer.length; newPadBufferLen = padBuffer.length;
} }
inLen -= newPadBufferLen; inLen -= newPadBufferLen;
@ -733,14 +750,19 @@ final class P11Cipher extends CipherSpi {
} else { } else {
inBuffer.position(inBuffer.position() + inLen); inBuffer.position(inBuffer.position() + inLen);
} }
if (encrypt) {
k += token.p11.C_EncryptUpdate(session.id(), inAddr,
inArray, inOfs, inLen, outAddr, outArray,
(outOfs + k), (outLen - k));
} else {
k += token.p11.C_DecryptUpdate(session.id(), inAddr, k += token.p11.C_DecryptUpdate(session.id(), inAddr,
inArray, inOfs, inLen, outAddr, outArray, inArray, inOfs, inLen, outAddr, outArray,
(outOfs + k), (outLen - k)); (outOfs + k), (outLen - k));
} }
// update 'padBuffer' if using our own padding impl.
if (paddingObj != null && newPadBufferLen != 0) {
bufferInputBytes(inBuffer, newPadBufferLen);
} }
// update 'padBuffer' if using our own padding impl.
if (paddingObj != null && newPadBufferLen > 0) {
bufferInputBytes(inBuffer, newPadBufferLen);
} }
bytesBuffered += (inLen - k); bytesBuffered += (inLen - k);
if (!(outBuffer instanceof DirectBuffer) && if (!(outBuffer instanceof DirectBuffer) &&
@ -779,10 +801,14 @@ final class P11Cipher extends CipherSpi {
int k = 0; int k = 0;
if (encrypt) { if (encrypt) {
if (paddingObj != null) { if (paddingObj != null) {
int startOff = 0;
if (reqBlockUpdates) {
startOff = padBufferLen;
}
int actualPadLen = paddingObj.setPaddingBytes(padBuffer, int actualPadLen = paddingObj.setPaddingBytes(padBuffer,
requiredOutLen - bytesBuffered); startOff, requiredOutLen - bytesBuffered);
k = token.p11.C_EncryptUpdate(session.id(), k = token.p11.C_EncryptUpdate(session.id(),
0, padBuffer, 0, actualPadLen, 0, padBuffer, 0, startOff + actualPadLen,
0, out, outOfs, outLen); 0, out, outOfs, outLen);
} }
// Some implementations such as the NSS Software Token do not // Some implementations such as the NSS Software Token do not
@ -863,10 +889,14 @@ final class P11Cipher extends CipherSpi {
if (encrypt) { if (encrypt) {
if (paddingObj != null) { if (paddingObj != null) {
int startOff = 0;
if (reqBlockUpdates) {
startOff = padBufferLen;
}
int actualPadLen = paddingObj.setPaddingBytes(padBuffer, int actualPadLen = paddingObj.setPaddingBytes(padBuffer,
requiredOutLen - bytesBuffered); startOff, requiredOutLen - bytesBuffered);
k = token.p11.C_EncryptUpdate(session.id(), k = token.p11.C_EncryptUpdate(session.id(),
0, padBuffer, 0, actualPadLen, 0, padBuffer, 0, startOff + actualPadLen,
outAddr, outArray, outOfs, outLen); outAddr, outArray, outOfs, outLen);
} }
// Some implementations such as the NSS Software Token do not // Some implementations such as the NSS Software Token do not

104
test/jdk/sun/security/pkcs11/Cipher/EncryptionPadding.java Normal file
View File

@ -0,0 +1,104 @@
/*
* Copyright (c) 2021, Red Hat, Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8261355
* @library /test/lib ..
* @run main/othervm EncryptionPadding
*/
import java.nio.ByteBuffer;
import java.security.Key;
import java.security.Provider;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
public class EncryptionPadding extends PKCS11Test {
private static String transformation = "AES/ECB/PKCS5Padding";
private static Key key = new SecretKeySpec(new byte[16], "AES");
public static void main(String[] args) throws Exception {
main(new EncryptionPadding(), args);
}
@Override
public void main(Provider p) throws Exception {
testWithInputSize(p, 1);
testWithInputSize(p, 15);
testWithInputSize(p, 16);
testWithInputSize(p, 17);
System.out.println("TEST PASS - OK");
}
private static void testWithInputSize(Provider p, int inputSize)
throws Exception {
testWithInputSize(p, inputSize, false);
testWithInputSize(p, inputSize, true);
}
private static void testWithInputSize(Provider p, int inputSize,
boolean isByteBuffer) throws Exception {
byte[] plainText = new byte[inputSize];
Arrays.fill(plainText, (byte)(inputSize & 0xFF));
ByteBuffer cipherText =
ByteBuffer.allocate(((inputSize / 16 ) + 1) * 16);
byte[] tmp;
Cipher sunPKCS11cipher = Cipher.getInstance(transformation, p);
sunPKCS11cipher.init(Cipher.ENCRYPT_MODE, key);
for (int i = 0; i < ((inputSize - 1) / 16) + 1; i++) {
int updateLength = Math.min(inputSize - (16 * i), 16);
if (!isByteBuffer) {
tmp = sunPKCS11cipher.update(plainText, i * 16,
updateLength);
if (tmp != null) {
cipherText.put(tmp);
}
} else {
ByteBuffer bb = ByteBuffer.allocate(updateLength);
bb.put(plainText, i * 16, updateLength);
bb.flip();
sunPKCS11cipher.update(bb, cipherText);
}
}
if (!isByteBuffer) {
tmp = sunPKCS11cipher.doFinal();
if (tmp != null) {
cipherText.put(tmp);
}
} else {
sunPKCS11cipher.doFinal(ByteBuffer.allocate(0), cipherText);
}
Cipher sunJCECipher = Cipher.getInstance(transformation, "SunJCE");
sunJCECipher.init(Cipher.DECRYPT_MODE, key);
byte[] sunJCEPlain = sunJCECipher.doFinal(cipherText.array());
if (!Arrays.equals(plainText, sunJCEPlain)) {
throw new Exception("Cross-provider cipher test failed.");
}
}
}