RFR: 8330842: Support AES CBC with Ciphertext Stealing (CTS) in SunPKCS11 [v3]
Martin Balao
mbalao at openjdk.org
Tue Jun 4 05:07:14 UTC 2024
On Tue, 4 Jun 2024 00:25:04 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> Francisco Ferrari Bihurriet has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains ten additional commits since the last revision:
>>
>> - Improve handling when the token variant is unknown
>>
>> Avoid registering CTS algorithms (those depending on CKM_AES_CTS) when
>> the token CTS variant has not been specified in the configuration. Make
>> NSS an exception, as we know that it uses the CS1 variant.
>>
>> Take advantage to extract a pkcs11.Config::parseEnumEntry() method for
>> a cleaner entry in the main switch statement of pkcs11.Config::parse(),
>> also slightly improving the error message.
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>> - Merge 'openjdk/master' into JDK-8330843
>> - Revert re-arrangement of native methods parameters
>>
>> This reverts commit 0a777e94229723376e1264e87cbf0ba805dc736f, except for
>> the copyright which is retained as 2024.
>>
>> NOTE: new calls of the same methods are retained in the re-arrangement
>> style, as we didn't introduce this re-arrangement, it was already
>> present in most of the calls inside ::implUpdate() and ::implDoFinal().
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>> - Merge 'openjdk/master' into JDK-8330843
>> - 8330842: Add AES CBC with Ciphertext Stealing (CTS) SunPKCS11 tests
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>> - 8330842: Support AES CBC with Ciphertext Stealing (CTS) in SunPKCS11
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>> - Fix cipher tests logging
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>> - Implement integer constants as enum
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>> - Arrange parameters of native methods evenly
>>
>> C_EncryptUpdate / C_DecryptUpdate / C_EncryptFinal / C_DecryptFinal
>>
>> If the call doesn't fit on a single line, use the following order:
>> long hSession,
>> [ long directIn, byte[] in, int inOfs, int inLen,...
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java line 950:
>
>> 948: 0, out, (outOfs + k), (outLen - k));
>> 949: if (blockMode == Mode.CTS) {
>> 950: convertCTSVariant(null, out, outOfs + k);
>
> The 3rd argument of the convertCTSVariant() method is the data length which is used to determine the penultimate block size? It looks incorrect to use `outOfs + k` for that?
`convertCTSVariant` needs the total output's length to determine the penultimate block size and do the slicing in the `out` array. The assumption here is that `outOfs` has the previously generated output (if any) starting at offset 0. In the CTS case, `k` has all the bytes (potentially) added to the output after flushing `padBuffer` with `C_EncryptUpdate` and all the bytes added after `C_EncryptFinal`.
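To make the "total length determines the penultimate block size" point concrete, here is a stand-alone illustration of the variant conversion (added for this thread; it is not the JDK's `convertCTSVariant`). It assumes the NIST SP 800-38A Addendum layouts: CS1 emits the d-byte truncated penultimate block followed by the full final block, CS3 always swaps the two, and CS2 swaps only when the final block is partial; the data is assumed to start at `offset` and span `total_len` bytes, which in the call discussed above corresponds to offset 0 and a total of `outOfs + k`.

```python
# Illustrative CTS variant conversion (not the JDK implementation).
BLOCK = 16  # AES block size in bytes


def penultimate_len(total_len, block=BLOCK):
    """Length d of the truncated (stolen-from) block, 1..block bytes.

    Only the total ciphertext length is needed to derive it.
    """
    d = total_len % block
    return block if d == 0 else d


def _final_block_first(variant, d, block):
    """True if the variant places the full final block before the d-byte one."""
    if variant not in ("CS1", "CS2", "CS3"):
        raise ValueError("unknown CTS variant: %r" % (variant,))
    return variant == "CS3" or (variant == "CS2" and d != block)


def convert_cts_variant(buf, offset, total_len, src, dst, block=BLOCK):
    """Rewrite buf[offset:offset+total_len] in place from variant src to dst.

    Returns buf for convenience. With a single block (total_len <= block)
    every variant coincides with plain CBC, so nothing changes.
    """
    if total_len <= block:
        return buf
    d = penultimate_len(total_len, block)
    if _final_block_first(src, d, block) == _final_block_first(dst, d, block):
        return buf  # both variants already share the same tail layout
    end = offset + total_len
    if _final_block_first(src, d, block):
        # src tail layout: | C_n (block bytes) | MSB_d(C_{n-1}) (d bytes) |
        full = bytes(buf[end - block - d:end - d])
        trunc = bytes(buf[end - d:end])
        buf[end - block - d:end] = trunc + full
    else:
        # src tail layout: | MSB_d(C_{n-1}) (d bytes) | C_n (block bytes) |
        trunc = bytes(buf[end - block - d:end - block])
        full = bytes(buf[end - block:end])
        buf[end - block - d:end] = full + trunc
    return buf
```

Note that the slice boundaries depend only on `end = offset + total_len` and `d`, which is why passing an offset in place of the total length would slice the wrong bytes.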
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18898#discussion_r1625350395