Code Review Request for 8026943: SQE test jce/Global/Cipher/SameBuffer failed

Valerie (Yu-Ching) Peng valerie.peng at oracle.com
Wed Nov 13 13:43:31 PST 2013


Can someone help review my fixes for 8026943 "SQE test 
jce/Global/Cipher/SameBuffer failed"?

According to Cipher javadoc, both its update(...) and doFinal(...) 
methods should be copy-safe, meaning the |input| and |output| buffers 
can reference the same byte array and no unprocessed input data is 
overwritten when the result is copied into the output buffer. In 
CipherCore class, this condition is not checked and thus leads to the 
scenarios of unprocessed input data being accidentally overwritten.

I added checks to CipherCore class to detect this for both 
update(...)/doFinal(...) operations.
DESedeWrapCipher class is also updated to not pass the same byte array 
for input and output when using FeedbackCipher objects.
Also, removed similar handling inside CipherBlockChaining class as it's 
now handled at its caller level (CipherCore and DESedeWrapCipher classes).

Webrev: http://cr.openjdk.java.net/~valeriep/8026943/webrev.00/

Thanks,
Valerie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/security-dev/attachments/20131113/c47d95c1/attachment.html 


More information about the security-dev mailing list