changeset 54029:4ff6c8365b69

8220165: Encryption using GCM results in RuntimeException- input length out of bound Reviewed-by: valeriep
author ascarpino
date Thu, 07 Mar 2019 19:35:02 -0800
parents dcaced4cbb83
children 889dae20c4c4
files src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java test/jdk/com/sun/crypto/provider/Cipher/AEAD/GCMLargeDataKAT.java
diffstat 2 files changed, 231 insertions(+), 4 deletions(-) [+]
line wrap: on
line diff
--- a/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java	Thu Mar 07 13:20:04 2019 -0800
+++ b/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java	Thu Mar 07 19:35:02 2019 -0800
@@ -399,7 +399,6 @@
         if (len > TRIGGERLEN) {
             int i = 0;
             int tlen;  // incremental lengths
-            // 96bit CTR x86 intrinsic
             final int plen = AES_BLOCK_SIZE * 6;
             // arbitrary formula to aid intrinsic without reaching buffer end
             final int count = len / 1024;
@@ -419,11 +418,11 @@
         gctrPAndC.doFinal(in, inOfs, ilen, out, outOfs);
         processed += ilen;
 
-        int lastLen = len  % AES_BLOCK_SIZE;
+        int lastLen = ilen % AES_BLOCK_SIZE;
         if (lastLen != 0) {
-            ghashAllToS.update(ct, ctOfs, len - lastLen);
+            ghashAllToS.update(ct, ctOfs, ilen - lastLen);
             ghashAllToS.update(
-                    expandToOneBlock(ct, (ctOfs + len - lastLen), lastLen));
+                    expandToOneBlock(ct, (ctOfs + ilen - lastLen), lastLen));
         } else {
             ghashAllToS.update(ct, ctOfs, ilen);
         }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/com/sun/crypto/provider/Cipher/AEAD/GCMLargeDataKAT.java	Thu Mar 07 19:35:02 2019 -0800
@@ -0,0 +1,228 @@
+/*
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.MessageDigest;
+import java.util.HashMap;
+
+/*
+ * @test
+ * @bug 8220165
+ * @summary Verify correctness of large data sizes for GCM.
+ */
+
+/**
+ * This test stores the MD5 hash of correctly encrypted AES/GCM data for
+ * particular data lengths.  Those lengths are run on SunJCE to verify returns
+ * the same MD5 hash of the encrypted data.  These are not NIST data sets or
+ * provided by any other organization.  The data sets are known good values,
+ * verified with two different JCE providers (solaris-sparcv9 ucrypto and
+ * linux SunJCE).
+ *
+ * Lengths around 64k are chosen because 64k is the point where
+ * com.sun.crypto.provider.GaloisCounterMode#doLastBlock() starts it's
+ * intrinsic warmup
+ *
+ * Plaintext is all zeros.  Preset key and IV.
+ *
+ * The choice of MD5 is for speed.  Shortcoming of the algorithm are
+ * not relevant for this test.
+ */
+
+public class GCMLargeDataKAT {
+
+    // Hash of encrypted results of AES/GCM for particular lengths.
+    // <data size, hash>
+    static final HashMap<Integer, String> results = new HashMap<>() {{
+        put(65534, "1397b91c31ce793895edace4e175bfee");  //64k-2
+        put(65535, "4ad101c9f450e686668b3f8f05db96f0");  //64k-1
+        put(65536, "fbfaee3451acd3f603200d6be0f39b24");  //64k
+        put(65537, "e7dfca4a71495c65d20982c3c9b9813f");  //64k+1
+        put(67583, "c8ebdcb3532ec6c165de961341af7635");  //66k-1
+        put(67584, "36559d108dfd25dd29da3fec3455b9e5");  //66k
+        put(67585, "1d21b42d80ea179810744fc23dc228b6");  //66k+1
+        put(102400, "0d1544fcab20bbd4c8103b9d273f2c82"); //100k
+        put(102401, "f2d53ef65fd12d0a861368659b23ea2e"); //100k+1
+        put(102402, "97f0f524cf63d2d9d23d81e64d416ee0"); //100k+2
+        put(102403, "4a6b4af55b7d9016b64114d6813d639c"); //100k+3
+        put(102404, "ba63cc131fcde2f12ddf2ac634201be8"); //100k+4
+        put(102405, "673d05c7fe5e283e42e5c0d049fdcea6"); //100k+5
+        put(102406, "76cc99a7850ce857eb3cb43049cf9877"); //100k+6
+        put(102407, "65863f99072cf2eb7fce18bd78b33f4e"); //100k+7
+        put(102408, "b9184f0f272682cc1f791fa7070eddd4"); //100k+8
+        put(102409, "45fe36afef43cc665bf22a9ca200c3c2"); //100k+9
+        put(102410, "67249e41646edcb37a78a61b0743cf11"); //100k+0
+        put(102411, "ffdc611e29c8849842e81ec78f32c415"); //100k+11
+        put(102412, "b7fde7fd52221057dccc1c181a140125"); //100k+12
+        put(102413, "4b1d6c64d56448105e5613157e69c0ae"); //100k+13
+        put(102414, "6d2c0b26c0c8785c8eec3298a5f0080c"); //100k+14
+        put(102415, "1df2061b114fbe56bdf3717e3ee61ef9"); //100k+15
+        put(102416, "a691742692c683ac9d1254df5fc5f768"); //100k+16
+    }};
+    static final int HIGHLEN = 102416;
+
+    static final int GCM_TAG_LENGTH = 16;
+    static final byte[] iv = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11};
+    static final byte[] key_code = {
+            0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
+    };
+    static final GCMParameterSpec spec =
+            new GCMParameterSpec(GCM_TAG_LENGTH * 8, iv);
+    static final SecretKey key = new SecretKeySpec(key_code, "AES");
+    static boolean testresult = true;
+    static byte[] plaintext = new byte[HIGHLEN];
+    static MessageDigest md5;
+    Cipher cipher;
+
+    GCMLargeDataKAT() {
+    }
+
+    byte[] encrypt(int inLen) {
+        try {
+            cipher = Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");
+            cipher.init(Cipher.ENCRYPT_MODE, key, spec);
+            return cipher.doFinal(plaintext, 0, inLen);
+        } catch (Exception e) {
+            System.err.println("Encrypt Failure (length = " + inLen + ") : " +
+                    e.getMessage());
+            e.printStackTrace();
+        }
+        return new byte[0];
+    }
+
+    static byte[] hash(byte[] data) {
+        return md5.digest(data);
+    }
+
+    // Decrypt the data and return a boolean if the plaintext is all 0's.
+    boolean decrypt(byte[] data) {
+        byte[] result = null;
+        int len = data.length - GCM_TAG_LENGTH;
+        if (data.length == 0) {
+            return false;
+        }
+        try {
+            cipher = Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");
+            cipher.init(Cipher.DECRYPT_MODE, key, spec);
+            result = cipher.doFinal(data);
+        } catch (Exception e) {
+            System.err.println("Decrypt Failure (length = " + len + ") : " +
+                    e.getMessage());
+            e.printStackTrace();
+            return false;
+        }
+
+        if (result.length != len) {
+            System.err.println("Decrypt Failure (length = " + len +
+                    ") : plaintext length invalid = " + result.length);
+        }
+        // Return false if we find a non zero.
+        int i = 0;
+        while (result.length > i) {
+            if (result[i++] != 0) {
+                System.err.println("Decrypt Failure (length = " + len +
+                        ") : plaintext invalid, char index " + i);
+                return false;
+            }
+        }
+        return true;
+    }
+
+    void test() throws Exception {
+
+        // results order is not important
+        for (int l : results.keySet()) {
+            byte[] enc = new GCMLargeDataKAT().encrypt(l);
+
+            // verify hash with stored hash of that length
+            String hashstr = toHex(hash(enc));
+            boolean r = (hashstr.compareTo(results.get(l)) == 0);
+
+            System.out.println("---------------------------------------------");
+
+            // Encrypted test & results
+            System.out.println("Encrypt data size " + l + " \tResult: " +
+                    (r ? "Pass" : "Fail"));
+            if (!r) {
+                if (enc.length != 0) {
+                    System.out.println("\tExpected: " + results.get(l));
+                    System.out.println("\tReturned: " + hashstr);
+                }
+                testresult = false;
+                continue;
+            }
+
+            // Decrypted test & results
+            r = decrypt(enc);
+            System.out.println("Decrypt data size " + l + " \tResult: " +
+                    (r ? "Pass" : "Fail"));
+            if (!r) {
+                testresult = false;
+            }
+        }
+
+        // After test complete, throw an error if there was a failure
+        if (!testresult) {
+            throw new Exception("Tests failed");
+        }
+    }
+
+    /**
+     * With no argument, the test will run the predefined data lengths
+     *
+     * With an integer argument, this test will print the hash of the encrypted
+     * data of that integer length.
+     *
+     */
+    public static void main(String args[]) throws Exception {
+        md5 = MessageDigest.getInstance("MD5");
+
+        if (args.length > 0) {
+            int len = Integer.parseInt(args[0]);
+            byte[] e = new GCMLargeDataKAT().encrypt(len);
+            System.out.println(toHex(hash(e)));
+            return;
+        }
+
+        new GCMLargeDataKAT().test();
+    }
+
+    // bytes to hex string
+    static String toHex(byte[] bytes) {
+        StringBuffer hexStringBuffer = new StringBuffer(32);
+        for (int i = 0; i < bytes.length; i++) {
+            hexStringBuffer.append(byteToHex(bytes[i]));
+        }
+        return hexStringBuffer.toString();
+    }
+    // byte to hex
+    static String byteToHex(byte num) {
+        char[] hexDigits = new char[2];
+        hexDigits[0] = Character.forDigit((num >> 4) & 0xF, 16);
+        hexDigits[1] = Character.forDigit((num & 0xF), 16);
+        return new String(hexDigits);
+    }
+}