Fix AES cipher output size issue for z/OS and LOZ #240

Open
farshadasl opened this issue Oct 8, 2024 · 0 comments · May be fixed by #263
farshadasl commented Oct 8, 2024

When the fast command is enabled, the AES cipher does not return the correct output size on z/OS.

The simplified failing test on z/OS and LoZ:

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.nio.ByteBuffer;

public class TestAesCbc {

    public static void main(String[] args) throws Exception {
        testAesCbc();
    }

    private static void testAesCbc() throws Exception {
        byte[] data = new byte[1500]; // only the length is used
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding", "OpenJCEPlus");
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        SecretKey key = kg.generateKey();
        cipher.init(Cipher.ENCRYPT_MODE, key, cipher.getParameters());
        // Direct buffers; the output buffer is sized by the provider's own getOutputSize().
        ByteBuffer in = ByteBuffer.allocateDirect(data.length);
        ByteBuffer out = ByteBuffer.allocateDirect(cipher.getOutputSize(data.length));
        // Encrypt the first half with update(), then the rest with doFinal().
        int updateLen = data.length / 2;
        in.limit(updateLen);
        cipher.update(in, out);
        in.limit(in.capacity());
        cipher.doFinal(in, out);
    }
}
```

The failing JDK test: https://github.com/openjdk/jdk/blob/master/test/jdk/javax/crypto/CipherSpi/ResetByteBuffer.java

Root Cause:

The issue happens when the use_z_fast_command is enabled for z platforms only.
It uses a different buffer and the engineGetOutputSize2 method.
However, the AESCipher getOutputSize was not using that method, causing the issue and returning the wrong output size on z platforms.

Fix:

The engineGetOutputSize2 should be renamed to the getOutputSizeForZ.
Then in the engineGetOutputSize method, the use_z_fast_command should be checked.
If it is true, then it should return getOutputSizeForZ.
Otherwise, it returns symmetricCipher.getOutputSize.
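
The reproduction above covers one length and one split point. As an added example (not code from OpenJCEPlus or from the JDK test), the check below generalizes it into a provider contract test: a direct output buffer sized by `getOutputSize(len)` must be accepted by a split `update`/`doFinal` and end up holding exactly the padded ciphertext. The class name `OutputSizeContractCheck`, the method `holds` and the chosen lengths are assumptions; it uses the default provider unless a provider name is passed as the first argument.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.ShortBufferException;
import java.nio.ByteBuffer;

public class OutputSizeContractCheck { // hypothetical name, not part of the project

    // True when a buffer sized by getOutputSize(len) is accepted and filled with
    // exactly the padded ciphertext length for an update(split) + doFinal(rest) run.
    static boolean holds(String provider, int len, int split) throws Exception {
        String alg = "AES/CBC/PKCS5Padding";
        Cipher c = provider == null ? Cipher.getInstance(alg) : Cipher.getInstance(alg, provider);
        // No IV supplied: the provider generates a random one for encryption.
        c.init(Cipher.ENCRYPT_MODE, KeyGenerator.getInstance("AES").generateKey());

        ByteBuffer in = ByteBuffer.allocateDirect(len);
        ByteBuffer out = ByteBuffer.allocateDirect(c.getOutputSize(len));
        try {
            in.limit(split);
            int written = c.update(in, out);
            in.limit(len);
            written += c.doFinal(in, out);
            // PKCS5 padding adds 1..16 bytes, so the total is the next
            // multiple of 16 strictly greater than len.
            return written == (len / 16 + 1) * 16;
        } catch (ShortBufferException e) {
            return false; // provider rejected a buffer sized by its own getOutputSize()
        }
    }

    public static void main(String[] args) throws Exception {
        String provider = args.length > 0 ? args[0] : null; // e.g. "OpenJCEPlus"
        int[] lengths = {0, 1, 15, 16, 17, 1500, 4096};     // constructed sample sizes
        boolean ok = true;
        for (int len : lengths) {
            for (int split : new int[] {0, len / 2, len}) {
                if (!holds(provider, len, split)) {
                    ok = false;
                    System.out.println("FAIL len=" + len + " split=" + split);
                }
            }
        }
        System.out.println(ok ? "getOutputSize contract holds" : "getOutputSize contract violated");
        if (!ok) System.exit(1);
    }
}
```
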

@farshadasl farshadasl changed the title Fix AES/CBC output size issue for z/OS Fix AES output size issue for z/OS Oct 9, 2024
@farshadasl farshadasl changed the title Fix AES output size issue for z/OS Fix AES cipher output size issue for z/OS Oct 9, 2024
jasonkatonica added a commit to jasonkatonica/OpenJCEPlus that referenced this issue Oct 14, 2024
When the fast z command is available the AES cipher does not return the
correct output size on platform z.

Platform z uses a different buffer and output size calculation. The
method `engineGetOutputSize` when running on platform z should return
and take this into account.

A new test was added to exercise byte buffers and various combinations
of encryption, decryption, and orders of doFinal and update operations
which can be used to recreate the problem.

Closes IBM#240

Signed-off-by: Jason Katonica <[email protected]>
@jasonkatonica jasonkatonica linked a pull request Oct 14, 2024 that will close this issue
@jasonkatonica jasonkatonica changed the title Fix AES cipher output size issue for z/OS Fix AES cipher output size issue for z/OS and LOZ Oct 16, 2024
jasonkatonica added a commit to jasonkatonica/OpenJCEPlus that referenced this issue Oct 17, 2024