Re: RFR: 8289301: P11Cipher should not throw out of bounds exception during padding [v2]

Tue, 28 Jun 2022 06:59:58 -0700 

> SunPkcs11 provider throws out of bounds exception during encryption when 
> specific conditions are met.
> 
> Exception:
> 
> Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Array 
> index out of range: 32
>       at java.base/java.util.Arrays.rangeCheck(Arrays.java:725)
>       at java.base/java.util.Arrays.fill(Arrays.java:3308)
>       at 
> jdk.crypto.cryptoki/sun.security.pkcs11.P11Cipher$PKCS5Padding.setPaddingBytes(P11Cipher.java:96)
>       at 
> jdk.crypto.cryptoki/sun.security.pkcs11.P11Cipher.implDoFinal(P11Cipher.java:813)
>       at 
> jdk.crypto.cryptoki/sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:585)
>       at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2417)
> ...
> 
> 
> Details:
> This problems happens when reqBlockUpdates is true and implUpdate, which does 
> not end on block boundary, is performed followed by final implUpdate, which 
> ends exactly on block boundary. In that case final implUpdate fills padBuffer 
> and then just returns. [1] Following implDoFinal then tries to add padding 
> and throws OOB exception. Problem is, that in this case (input is multiple of 
> block size) whole padding block should be added, but there is no space for it 
> in padBuffer causing OOB exception.
> 
> Solution:
> Solution is to detect this case (implDoFinal is called with full padBuffer) 
> and to perform additional C_EncryptUpdate to free up padBuffer so that 
> padBuffer can than be used to add whole new padding block.
> 
> [1] 
> https://github.com/openjdk/jdk/blob/d4eeeb82cb2288973a6a247c54513f7e1c6b58f0/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java#L622

zzambers has updated the pull request incrementally with one additional commit 
since the last revision:

  Bug number and copyright date

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/9310/files
  - new: https://git.openjdk.org/jdk/pull/9310/files/93c6b925..a2ecbb1d

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=9310&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=9310&range=00-01

  Stats: 2 lines in 2 files changed: 1 ins; 0 del; 1 mod
  Patch: https://git.openjdk.org/jdk/pull/9310.diff
  Fetch: git fetch https://git.openjdk.org/jdk pull/9310/head:pull/9310

PR: https://git.openjdk.org/jdk/pull/9310

Reply via email to