8026943: SQE test jce/Global/Cipher/SameBuffer failed

Summary: Always use different input/output buffers when calling FeedbackCipher objects Reviewed-by: mullan

8026943: SQE test jce/Global/Cipher/SameBuffer failed
Summary: Always use different input/output buffers when calling FeedbackCipher objects Reviewed-by: mullan
6ba3f495 · valeriep · 5d7608c5 · 6ba3f495 · 6ba3f495 · 6ba3f495
4 changed file
--- a/src/share/classes/com/sun/crypto/provider/CipherBlockChaining.java
+++ b/src/share/classes/com/sun/crypto/provider/CipherBlockChaining.java
@@ -186,29 +186,15 @@ class CipherBlockChaining extends FeedbackCipher  {
                byte[] plain, int plainOffset)
    {
        int i;
-        byte[] cipherOrig=null;
        int endIndex = cipherOffset + cipherLen;

-        if (cipher==plain && (cipherOffset >= plainOffset)
-            && ((cipherOffset - plainOffset) < blockSize)) {
-            // Save the original ciphertext blocks, so they can be
-            // stored in the feedback register "r".
-            // This is necessary because in this constellation, a
-            // ciphertext block (or parts of it) will be overridden by
-            // the plaintext result.
-            cipherOrig = cipher.clone();
-        }
        for (; cipherOffset < endIndex;
             cipherOffset += blockSize, plainOffset += blockSize) {
            embeddedCipher.decryptBlock(cipher, cipherOffset, k, 0);
            for (i = 0; i < blockSize; i++) {
                plain[i+plainOffset] = (byte)(k[i] ^ r[i]);
            }
-            if (cipherOrig==null) {
            System.arraycopy(cipher, cipherOffset, r, 0, blockSize);
-            } else {
-                System.arraycopy(cipherOrig, cipherOffset, r, 0, blockSize);
-            }
        }
        return cipherLen;
    }

--- a/src/share/classes/com/sun/crypto/provider/CipherCore.java
+++ b/src/share/classes/com/sun/crypto/provider/CipherCore.java
@@ -732,8 +732,12 @@ final class CipherCore {
                    System.arraycopy(buffer, len, buffer, 0, buffered);
                }
            } else { // len > buffered
-                if (buffered == 0) {
+                if ((input != output) && (buffered == 0)) {
                    // all to-be-processed data are from 'input'
+                    // however, note that if 'input' and 'output' are the same,
+                    // then they can't be passed directly to the underlying cipher
+                    // engine operations as data may be overwritten before they
+                    // are read.
                    if (decrypting) {
                        outLen = cipher.decrypt(input, inputOffset, len, output, outputOffset);
                    } else {
@@ -744,12 +748,16 @@ final class CipherCore {
                } else {
                    // assemble the data using both 'buffer' and 'input'
                    byte[] in = new byte[len];
-                    System.arraycopy(buffer, 0, in, 0, buffered);
                    int inConsumed = len - buffered;
-                    System.arraycopy(input, inputOffset, in, buffered, inConsumed);
+                    if (buffered != 0) {
+                        System.arraycopy(buffer, 0, in, 0, buffered);
                        buffered = 0;
+                    }
+                    if (inConsumed != 0) {
+                        System.arraycopy(input, inputOffset, in, len - inConsumed, inConsumed);
                        inputOffset += inConsumed;
                        inputLen -= inConsumed;
+                    }
                    if (decrypting) {
                        outLen = cipher.decrypt(in, 0, len, output, outputOffset);
                    } else {
@@ -907,11 +915,18 @@ final class CipherCore {
                 " when decrypting with padded cipher");
        }

-        // prepare the final input avoiding copying if possible
+        /*
+         * prepare the final input, assemble a new buffer if any
+         * of the following is true:
+         *  - 'input' and 'output' are the same buffer
+         *  - there are internally buffered bytes
+         *  - doing encryption and padding is needed
+         */
        byte[] finalBuf = input;
        int finalOffset = inputOffset;
        int finalBufLen = inputLen;
-        if ((buffered != 0) || (!decrypting && padding != null)) {
+        if ((input == output) || (buffered != 0) ||
+            (!decrypting && padding != null)) {
            if (decrypting || padding == null) {
                paddingLen = 0;
            }

--- a/src/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java
+++ b/src/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java
@@ -50,6 +50,9 @@ public final class DESedeWrapCipher extends CipherSpi {
        (byte) 0x79, (byte) 0xe8, (byte) 0x21, (byte) 0x05
    };

+    private static final int CHECKSUM_LEN = 8;
+    private static final int IV_LEN = 8;
+
    /*
     * internal cipher object which does the real work.
     */
@@ -135,7 +138,7 @@ public final class DESedeWrapCipher extends CipherSpi {
        // can only return an upper-limit if not initialized yet.
        int result = 0;
        if (decrypting) {
-            result = inputLen - 16;
+            result = inputLen - 16; // CHECKSUM_LEN + IV_LEN;
        } else {
            result = inputLen + 16;
        }
@@ -215,7 +218,7 @@ public final class DESedeWrapCipher extends CipherSpi {
        if (opmode == Cipher.WRAP_MODE) {
            decrypting = false;
            if (params == null) {
-                iv = new byte[8];
+                iv = new byte[IV_LEN];
                if (random == null) {
                    random = SunJCE.getRandom();
                }
@@ -449,14 +452,15 @@ public final class DESedeWrapCipher extends CipherSpi {
        }

        byte[] cks = getChecksum(keyVal);
-        byte[] out = new byte[iv.length + keyVal.length + cks.length];
-
-        System.arraycopy(keyVal, 0, out, iv.length, keyVal.length);
-        System.arraycopy(cks, 0, out, iv.length+keyVal.length, cks.length);
-        cipher.encrypt(out, iv.length, keyVal.length+cks.length,
-                       out, iv.length);
+        byte[] in = new byte[keyVal.length + CHECKSUM_LEN];
+        System.arraycopy(keyVal, 0, in, 0, keyVal.length);
+        System.arraycopy(cks, 0, in, keyVal.length, CHECKSUM_LEN);

+        byte[] out = new byte[iv.length + in.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
+
+        cipher.encrypt(in, 0, in.length, out, iv.length);
+
        // reverse the array content
        for (int i = 0; i < out.length/2; i++) {
            byte temp = out[i];
@@ -470,7 +474,8 @@ public final class DESedeWrapCipher extends CipherSpi {
            // should never happen
            throw new RuntimeException("Internal cipher key is corrupted");
        }
-        cipher.encrypt(out, 0, out.length, out, 0);
+        byte[] out2 = new byte[out.length];
+        cipher.encrypt(out, 0, out.length, out2, 0);

        // restore cipher state to prior to this call
        try {
@@ -480,7 +485,7 @@ public final class DESedeWrapCipher extends CipherSpi {
            // should never happen
            throw new RuntimeException("Internal cipher key is corrupted");
        }
-        return out;
+        return out2;
    }

    /**
@@ -520,25 +525,26 @@ public final class DESedeWrapCipher extends CipherSpi {
            buffer[i] = buffer[buffer.length-1-i];
            buffer[buffer.length-1-i] = temp;
        }
-        iv = new byte[IV2.length];
+        iv = new byte[IV_LEN];
        System.arraycopy(buffer, 0, iv, 0, iv.length);
        cipher.init(true, cipherKey.getAlgorithm(), cipherKey.getEncoded(),
                    iv);
-        cipher.decrypt(buffer, iv.length, buffer.length-iv.length,
-                       buffer, iv.length);
-        int origLen = buffer.length - iv.length - 8;
-        byte[] cks = getChecksum(buffer, iv.length, origLen);
-        int offset = iv.length + origLen;
-        for (int i = 0; i < cks.length; i++) {
-            if (buffer[offset + i] != cks[i]) {
+        byte[] buffer2 = new byte[buffer.length - iv.length];
+        cipher.decrypt(buffer, iv.length, buffer2.length,
+                       buffer2, 0);
+        int keyValLen = buffer2.length - CHECKSUM_LEN;
+        byte[] cks = getChecksum(buffer2, 0, keyValLen);
+        int offset = keyValLen;
+        for (int i = 0; i < CHECKSUM_LEN; i++) {
+            if (buffer2[offset + i] != cks[i]) {
                throw new InvalidKeyException("Checksum comparison failed");
            }
        }
        // restore cipher state to prior to this call
        cipher.init(decrypting, cipherKey.getAlgorithm(),
                    cipherKey.getEncoded(), IV2);
-        byte[] out = new byte[origLen];
-        System.arraycopy(buffer, iv.length, out, 0, out.length);
+        byte[] out = new byte[keyValLen];
+        System.arraycopy(buffer2, 0, out, 0, keyValLen);
        return ConstructKeys.constructKey(out, wrappedKeyAlgorithm,
                                          wrappedKeyType);
    }
@@ -554,7 +560,7 @@ public final class DESedeWrapCipher extends CipherSpi {
            throw new RuntimeException("SHA1 message digest not available");
        }
        md.update(in, offset, len);
-        byte[] cks = new byte[8];
+        byte[] cks = new byte[CHECKSUM_LEN];
        System.arraycopy(md.digest(), 0, cks, 0, cks.length);
        return cks;
    }

--- a/test/com/sun/crypto/provider/Cipher/AES/TestCopySafe.java
+++ b/test/com/sun/crypto/provider/Cipher/AES/TestCopySafe.java
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8026943
+ * @summary Verify that same buffer can be used as input and output when
+ * using Cipher objects.
+ * @author Valerie Peng
+ */
+import java.security.*;
+import java.security.spec.*;
+
+import java.util.Arrays;
+
+import javax.crypto.*;
+import javax.crypto.spec.*;
+
+public class TestCopySafe {
+
+    private static boolean DEBUG = false;
+    private static int INPUT_LENGTH = 160; // must be multiple of block size
+    private static byte[] PT = new byte[INPUT_LENGTH];
+    private static SecretKey KEY = new SecretKeySpec(new byte[16], "AES");
+    private static byte[] IV = new byte[16];
+
+    private static int[] OFFSETS = { 1, 8, 17 };
+
+    private static final String[] MODES = {
+        "ECB", "CBC", "PCBC", "CTR", "CTS",
+        "CFB", "CFB8", "CFB16", "CFB24", "CFB32", "CFB40",
+        "CFB48", "CFB56", "CFB64",
+        "OFB", "OFB8", "OFB16", "OFB24", "OFB32", "OFB40",
+        "OFB48", "OFB56", "OFB64",
+        "GCM"
+    };
+
+    public static void main(String[] argv) throws Exception {
+
+        Provider p = Security.getProvider("SunJCE");
+
+        AlgorithmParameterSpec params = null;
+        boolean result = true;
+        for (String mode : MODES) {
+            String transformation = "AES/" + mode + "/NoPadding";
+            boolean isGCM = (mode == "GCM");
+            if (isGCM) {
+                params = new GCMParameterSpec(128, IV);
+            } else if (mode != "ECB") {
+                params = new IvParameterSpec(IV);
+            }
+            Cipher c = Cipher.getInstance(transformation, p);
+            System.out.println("Testing " + transformation + ":");
+            for (int offset : OFFSETS) {
+                System.out.print("=> offset " + offset + ": ");
+                try {
+                    test(c, params, offset, isGCM);
+                    System.out.println("Passed");
+                } catch(Exception ex) {
+                    ex.printStackTrace();
+                    result = false;
+                    continue;
+                }
+            }
+        }
+        if (!result) {
+            throw new Exception("One or more test failed");
+        }
+    }
+
+    private static void test(Cipher c, AlgorithmParameterSpec params,
+        int offset, boolean isGCM) throws Exception {
+
+        // Test encryption first
+        if (isGCM) {
+            // re-init with only key value first to bypass the
+            // Key+IV-uniqueness check for GCM encryption
+            c.init(Cipher.ENCRYPT_MODE, KEY);
+        }
+        c.init(Cipher.ENCRYPT_MODE, KEY, params);
+        byte[] answer = c.doFinal(PT);
+        byte[] pt2 = Arrays.copyOf(PT, answer.length + offset);
+
+        // #1: outOfs = inOfs = 0
+        if (isGCM) {
+            c.init(Cipher.ENCRYPT_MODE, KEY);
+            c.init(Cipher.ENCRYPT_MODE, KEY, params);
+        }
+        c.doFinal(pt2, 0, PT.length, pt2, 0);
+        if (!isTwoArraysEqual(pt2, 0, answer, 0, answer.length)) {
+            throw new Exception("Enc#1 diff check failed!");
+        } else if (DEBUG) {
+            System.out.println("Enc#1 diff check passed");
+        }
+
+        // #2: inOfs = 0, outOfs = offset
+        System.arraycopy(PT, 0, pt2, 0, PT.length);
+        if (isGCM) {
+            c.init(Cipher.ENCRYPT_MODE, KEY);
+            c.init(Cipher.ENCRYPT_MODE, KEY, params);
+        }
+        c.doFinal(pt2, 0, PT.length, pt2, offset);
+        if (!isTwoArraysEqual(pt2, offset, answer, 0, answer.length)) {
+            throw new Exception("Enc#2 diff check failed");
+        } else if (DEBUG) {
+            System.out.println("Enc#2 diff check passed");
+        }
+
+        // #3: inOfs = offset, outOfs = 0
+        System.arraycopy(PT, 0, pt2, offset, PT.length);
+        if (isGCM) {
+            c.init(Cipher.ENCRYPT_MODE, KEY);
+            c.init(Cipher.ENCRYPT_MODE, KEY, params);
+        }
+        c.doFinal(pt2, offset, PT.length, pt2, 0);
+        if (!isTwoArraysEqual(pt2, 0, answer, 0, answer.length)) {
+            throw new Exception("Enc#3 diff check failed");
+        } else if (DEBUG) {
+            System.out.println("Enc#3 diff check passed");
+        }
+
+       // Test decryption now, we should get back PT as a result
+        c.init(Cipher.DECRYPT_MODE, KEY, params);
+        pt2 = Arrays.copyOf(answer, answer.length + offset);
+
+        // #1: outOfs = inOfs = 0
+        c.doFinal(pt2, 0, answer.length, pt2, 0);
+        if (!isTwoArraysEqual(pt2, 0, PT, 0, PT.length)) {
+            throw new Exception("Dec#1 diff check failed!");
+        } else if (DEBUG) {
+            System.out.println("Dec#1 diff check passed");
+        }
+
+        // #2: inOfs = 0, outOfs = offset
+        System.arraycopy(answer, 0, pt2, 0, answer.length);
+        c.doFinal(pt2, 0, answer.length, pt2, offset);
+        if (!isTwoArraysEqual(pt2, offset, PT, 0, PT.length)) {
+            throw new Exception("Dec#2 diff check failed");
+        } else if (DEBUG) {
+            System.out.println("Dec#2 diff check passed");
+        }
+
+        // #3: inOfs = offset, outOfs = 0
+        System.arraycopy(answer, 0, pt2, offset, answer.length);
+        c.doFinal(pt2, offset, answer.length, pt2, 0);
+        if (!isTwoArraysEqual(pt2, 0, PT, 0, PT.length)) {
+            throw new Exception("Dec#3 diff check failed");
+        } else if (DEBUG) {
+            System.out.println("Dec#3 diff check passed");
+        }
+    }
+
+    private static boolean isTwoArraysEqual(byte[] a, int aOff, byte[] b, int bOff,
+        int len) {
+        for (int i = 0; i < len; i++) {
+            if (a[aOff + i] != b[bOff + i]) {
+                return false;
+            }
+        }
+        return true;
+    }
+}
+