Code Review Request for 8026943: SQE test jce/Global/Cipher/SameBuffer failed
Valerie (Yu-Ching) Peng
valerie.peng at oracle.com
Wed Nov 13 21:43:31 UTC 2013
Can someone help review my fixes for 8026943 "SQE test
jce/Global/Cipher/SameBuffer failed"?
According to Cipher javadoc, both its update(...) and doFinal(...)
methods should be copy-safe, meaning the |input| and |output| buffers
can reference the same byte array and no unprocessed input data is
overwritten when the result is copied into the output buffer. In
CipherCore class, this condition is not checked and thus leads to the
scenarios of unprocessed input data being accidentally overwritten.
I added checks to CipherCore class to detect this for both
update(...)/doFinal(...) operations.
DESedeWrapCipher class is also updated to not pass the same byte array
for input and output when using FeedbackCipher objects.
Also, removed similar handling inside CipherBlockChaining class as it's
now handled at its caller level (CipherCore and DESedeWrapCipher classes).
Webrev: http://cr.openjdk.java.net/~valeriep/8026943/webrev.00/
Thanks,
Valerie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20131113/c47d95c1/attachment.htm>
More information about the security-dev
mailing list