RFR: 8330842: Support AES CBC with Ciphertext Stealing (CTS) in SunPKCS11 [v3]
Valerie Peng
valeriep at openjdk.org
Wed Jun 5 01:27:58 UTC 2024
On Tue, 4 Jun 2024 05:04:45 GMT, Martin Balao <mbalao at openjdk.org> wrote:
>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java line 950:
>>
>>> 948: 0, out, (outOfs + k), (outLen - k));
>>> 949: if (blockMode == Mode.CTS) {
>>> 950: convertCTSVariant(null, out, outOfs + k);
>>
>> The 3rd argument of the convertCTSVariant() method is the data length which is used to determine the penultimate block size? It looks incorrect to use `outOfs + k` for that?
>
> `convertCTSVariant` needs the total output's length to determine the penultimate block size and do the slicing in the `out` array. The assumption here is that `outOfs` has the previously generated output (if any) starting at offset 0. In the CTS case, `k` has all the bytes (potentially) added to the output after flushing `padBuffer` with `C_EncryptUpdate` and all the bytes added after `C_EncryptFinal`.
I understand the meaning of `k`. It seems that the code here assumes `outOfs = 0`, but this may not always be the case when operating on a user-supplied output byte array, right?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18898#discussion_r1626806896
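
The offset question above can be seen in a small stand-alone sketch. This is an added example, not code from the PR or the JDK. The helper `cs1ToCs3`, its signature and the sample bytes are hypothetical, and the CS1 and CS3 layouts are assumed to be those of the NIST SP 800-38A Addendum. It shows how deriving the penultimate block size from `outOfs + k` moves the swap when the output does not start at index 0.

```java
import java.util.Arrays;

public class CtsOffsetDemo {
    static final int BLOCK = 16; // AES block size in bytes

    // Hypothetical helper, not the JDK's convertCTSVariant: rewrites the
    // ciphertext in buf[ofs, ofs + len) from CS1 layout (.., C*[n-1], C[n])
    // to CS3 layout (.., C[n], C*[n-1]). Offset and length are separate.
    static void cs1ToCs3(byte[] buf, int ofs, int len) {
        if (ofs < 0 || len < 0 || len > buf.length - ofs) {
            throw new IndexOutOfBoundsException("bad ofs/len");
        }
        if (len <= BLOCK) return;          // a single block has nothing to swap
        int d = len % BLOCK;
        if (d == 0) d = BLOCK;             // size of the penultimate block
        int tail = ofs + len - BLOCK - d;  // where C*[n-1] starts in CS1
        byte[] pen = Arrays.copyOfRange(buf, tail, tail + d);
        System.arraycopy(buf, tail + d, buf, tail, BLOCK); // C[n] moves up
        System.arraycopy(pen, 0, buf, tail + BLOCK, d);    // C*[n-1] goes last
    }

    public static void main(String[] args) {
        // Constructed 37-byte stand-in for CS1 ciphertext (byte i holds i).
        byte[] ct = new byte[37];
        for (int i = 0; i < ct.length; i++) ct[i] = (byte) i;

        byte[] atZero = ct.clone();
        cs1ToCs3(atZero, 0, ct.length);

        // Same ciphertext written at offset 11 of a caller-supplied array.
        int outOfs = 11;
        byte[] shifted = new byte[outOfs + ct.length];
        System.arraycopy(ct, 0, shifted, outOfs, ct.length);
        byte[] good = shifted.clone();
        cs1ToCs3(good, outOfs, ct.length);

        // Treating (outOfs + k) as the data length starting at index 0.
        byte[] bad = shifted.clone();
        cs1ToCs3(bad, 0, outOfs + ct.length);

        byte[] goodCt = Arrays.copyOfRange(good, outOfs, good.length);
        byte[] badCt = Arrays.copyOfRange(bad, outOfs, bad.length);
        System.out.println("offset-aware matches: " + Arrays.equals(atZero, goodCt));
        System.out.println("end-as-length matches: " + Arrays.equals(atZero, badCt));
    }
}
```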