Automatic merge of jdk:master into master

Author: duke

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java

@@ -164,6 +164,11 @@ public List<String> run() {
     // Secmod.Module.getProvider() method.
     private String functionList = null;
 
+    // CTS mode variant used by the token, as described in Addendum to NIST
+    // Special Publication 800-38A, "Recommendation for Block Cipher Modes
+    // of Operation: Three Variants of Ciphertext Stealing for CBC Mode".
+    private Token.CTSVariant ctsVariant = null;
+
     // whether to use NSS secmod mode. Implicitly set if nssLibraryDirectory,
     // nssSecmodDirectory, or nssModule is specified.
     private boolean nssUseSecmod;
@@ -321,6 +326,10 @@ String getFunctionList() {
         return functionList;
     }
 
+    Token.CTSVariant getCTSVariant() {
+        return ctsVariant;
+    }
+
     boolean getNssUseSecmod() {
         return nssUseSecmod;
     }
@@ -472,6 +481,8 @@ private void parse() throws IOException {
                 allowSingleThreadedModules = parseBooleanEntry(st.sval);
             case "functionList"->
                 functionList = parseStringEntry(st.sval);
+            case "cipherTextStealingVariant"->
+                ctsVariant = parseEnumEntry(Token.CTSVariant.class, st.sval);
             case "nssUseSecmod"->
                 nssUseSecmod = parseBooleanEntry(st.sval);
             case "nssLibraryDirectory"-> {
@@ -627,6 +638,17 @@ private int parseIntegerEntry(String keyword) throws IOException {
         return value;
     }
 
+    private <E extends Enum<E>> E parseEnumEntry(Class<E> enumClass,
+            String keyword) throws IOException {
+        String value = parseStringEntry(keyword);
+        try {
+            return Enum.valueOf(enumClass, value);
+        } catch (IllegalArgumentException ignored) {
+            throw excToken(keyword + " must be one of " +
+                    Arrays.toString(enumClass.getEnumConstants()) + ", read:");
+        }
+    }
+
     private boolean parseBoolean() throws IOException {
         String val = parseWord();
         return switch (val) {

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java

@@ -860,6 +860,15 @@ private static void register(Descriptor d) {
         dA(CIP, "AES_256/KWP/NoPadding",        P11KeyWrapCipher,
                 m(CKM_AES_KEY_WRAP_KWP));
 
+        d(CIP, "AES/CTS/NoPadding",             P11Cipher,
+                m(CKM_AES_CTS));
+        d(CIP, "AES_128/CTS/NoPadding",         P11Cipher,
+                m(CKM_AES_CTS));
+        d(CIP, "AES_192/CTS/NoPadding",         P11Cipher,
+                m(CKM_AES_CTS));
+        d(CIP, "AES_256/CTS/NoPadding",         P11Cipher,
+                m(CKM_AES_CTS));
+
         d(CIP, "AES/GCM/NoPadding",             P11AEADCipher,
                 m(CKM_AES_GCM));
         dA(CIP, "AES_128/GCM/NoPadding",        P11AEADCipher,
@@ -1290,7 +1299,13 @@ private void initToken(CK_SLOT_INFO slotInfo) throws PKCS11Exception {
                 }
                 continue;
             }
-
+            if (longMech == CKM_AES_CTS && token.ctsVariant == null) {
+                if (showInfo) {
+                    System.out.println("DISABLED due to an unspecified " +
+                            "cipherTextStealingVariant in configuration");
+                }
+                continue;
+            }
             if (brokenMechanisms.contains(longMech)) {
                 if (showInfo) {
                     System.out.println("DISABLED due to known issue with NSS");

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -47,6 +47,7 @@
  * @since   1.5
  */
 final class Token implements Serializable {
+    public enum CTSVariant {CS1, CS2, CS3}
 
     // need to be serializable to allow SecureRandom to be serialized
     @Serial
@@ -65,6 +66,8 @@ final class Token implements Serializable {
     @SuppressWarnings("serial") // Type of field is not Serializable
     final Config config;
 
+    final transient CTSVariant ctsVariant;
+
     @SuppressWarnings("serial") // Type of field is not Serializable
     final CK_TOKEN_INFO tokenInfo;
 
@@ -146,6 +149,7 @@ final class Token implements Serializable {
         config = provider.config;
         tokenInfo = p11.C_GetTokenInfo(provider.slotID);
         writeProtected = (tokenInfo.flags & CKF_WRITE_PROTECTED) != 0;
+        ctsVariant = getCTSVariant();
         // create session manager and open a test session
         SessionManager sessionManager;
         try {
@@ -412,6 +416,19 @@ CK_MECHANISM_INFO getMechanismInfo(long mechanism) throws PKCS11Exception {
         return result;
     }
 
+    private CTSVariant getCTSVariant() {
+        CTSVariant ctsVariant = config.getCTSVariant();
+        if (ctsVariant != null) {
+            return ctsVariant;
+        }
+        // 'cipherTextStealingVariant' needs an explicit value for the
+        // CKM_AES_CTS mechanism to be enabled. In the case of NSS we know
+        // that this value is 'CS1', so we can set it for the user. See:
+        // https://bugzilla.mozilla.org/show_bug.cgi?id=373108#c7
+        // https://github.com/nss-dev/nss/blob/NSS_3_99_RTM/lib/freebl/cts.c#L65
+        return P11Util.isNSS(this) ? CTSVariant.CS1 : null;
+    }
+
     private synchronized byte[] getTokenId() {
         if (tokenId == null) {
             SecureRandom random = JCAUtil.getSecureRandom();

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java

@@ -0,0 +1,255 @@
+/*
+ * Copyright (c) 2024, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+import java.security.Key;
+import java.security.Provider;
+import java.util.Arrays;
+import java.util.HexFormat;
+import java.util.stream.IntStream;
+
+/*
+ * @test
+ * @bug 8330842
+ * @summary test AES CTS multipart operations with SunPKCS11
+ * @library /test/lib ..
+ * @run main/othervm/timeout=120 TestCipherTextStealingMultipart
+ */
+
+public class TestCipherTextStealingMultipart extends PKCS11Test {
+    private static final String LF = System.lineSeparator();
+    private static final String ALGORITHM = "AES/CTS/NoPadding";
+    private static final int BLOCK_SIZE = 16;
+    private static final Key KEY =
+            new SecretKeySpec("AbCdEfGhIjKlMnOp".getBytes(), "AES");
+    private static final IvParameterSpec IV =
+            new IvParameterSpec("1234567890aBcDeF".getBytes());
+
+    private static final StringBuilder chunksDesc = new StringBuilder();
+    private static Provider sunPKCS11;
+    private static Cipher sunJCECipher;
+
+    private static byte[][] generateChunks(int totalLength, int[] chunkSizes) {
+        chunksDesc.setLength(0);
+        chunksDesc.append("Testing with ").append(totalLength)
+                .append(" bytes distributed in ").append(chunkSizes.length)
+                .append(" multipart updates:").append(LF);
+        int byteIdx = 0;
+        byte[][] plaintextChunks = new byte[chunkSizes.length][];
+        for (int chunkIdx = 0; chunkIdx < chunkSizes.length; chunkIdx++) {
+            byte[] chunk = new byte[chunkSizes[chunkIdx]];
+            for (int i = 0; i < chunk.length; i++) {
+                chunk[i] = (byte) ('A' + byteIdx++ / BLOCK_SIZE);
+            }
+            chunksDesc.append("  ").append(repr(chunk)).append(LF);
+            plaintextChunks[chunkIdx] = chunk;
+        }
+        return plaintextChunks;
+    }
+
+    private static byte[] computeExpected(byte[] jointPlaintext)
+            throws Exception {
+        byte[] ciphertext = sunJCECipher.doFinal(jointPlaintext);
+        if (ciphertext.length != jointPlaintext.length) {
+            throw new Exception("In CTS mode, ciphertext and plaintext should" +
+                    " have the same length. However, SunJCE's CTS cipher " +
+                    "returned a ciphertext of " + ciphertext.length + " bytes" +
+                    " and plaintext has " + jointPlaintext.length + " bytes.");
+        }
+        return ciphertext;
+    }
+
+    private static byte[] join(byte[][] inputChunks, int totalLength) {
+        ByteBuffer outputBuf = ByteBuffer.allocate(totalLength);
+        for (byte[] inputChunk : inputChunks) {
+            outputBuf.put(inputChunk);
+        }
+        return outputBuf.array();
+    }
+
+    private static byte[][] split(byte[] input, int[] chunkSizes) {
+        ByteBuffer inputBuf = ByteBuffer.wrap(input);
+        byte[][] outputChunks = new byte[chunkSizes.length][];
+        for (int chunkIdx = 0; chunkIdx < chunkSizes.length; chunkIdx++) {
+            byte[] chunk = new byte[chunkSizes[chunkIdx]];
+            inputBuf.get(chunk);
+            outputChunks[chunkIdx] = chunk;
+        }
+        return outputChunks;
+    }
+
+    private enum CheckType {CIPHERTEXT, PLAINTEXT}
+
+    private enum OutputType {BYTE_ARRAY, DIRECT_BYTE_BUFFER}
+
+    private static void check(CheckType checkType, OutputType outputType,
+            byte[] expected, ByteBuffer actualBuf) throws Exception {
+        byte[] actual;
+        if (actualBuf.hasArray()) {
+            actual = actualBuf.array();
+        } else {
+            actual = new byte[actualBuf.position()];
+            actualBuf.position(0).get(actual);
+        }
+        if (!Arrays.equals(actual, expected)) {
+            throw new Exception("After " + switch (checkType) {
+                case CIPHERTEXT -> "encrypting";
+                case PLAINTEXT -> "decrypting";
+            } + " into a " + switch (outputType) {
+                case BYTE_ARRAY -> "byte[]";
+                case DIRECT_BYTE_BUFFER -> "direct ByteBuffer";
+            } + ", " + checkType.name().toLowerCase() + "s don't match:" + LF +
+                    "  Expected: " + repr(expected) + LF +
+                    "    Actual: " + repr(actual));
+        }
+    }
+
+    private static ByteBuffer encryptOrDecryptMultipart(int operation,
+            OutputType outputType, byte[][] inputChunks, int totalLength)
+            throws Exception {
+        Cipher cipher = Cipher.getInstance(ALGORITHM, sunPKCS11);
+        cipher.init(operation, KEY, IV);
+        ByteBuffer output = null;
+        int outOfs = 1;
+        switch (outputType) {
+            case BYTE_ARRAY -> {
+                output = ByteBuffer.allocate(totalLength);
+                for (byte[] inputChunk : inputChunks) {
+                    output.put(cipher.update(inputChunk));
+                }
+                // Check that the output array offset does not affect the
+                // penultimate block length calculation.
+                byte[] tmpOut = new byte[cipher.getOutputSize(0) + outOfs];
+                cipher.doFinal(tmpOut, outOfs);
+                output.put(tmpOut, outOfs, tmpOut.length - outOfs);
+            }
+            case DIRECT_BYTE_BUFFER -> {
+                output = ByteBuffer.allocateDirect(totalLength);
+                for (byte[] inputChunk : inputChunks) {
+                    cipher.update(ByteBuffer.wrap(inputChunk), output);
+                }
+                // Check that the output array offset does not affect the
+                // penultimate block length calculation.
+                ByteBuffer tmpOut = ByteBuffer.allocateDirect(
+                        cipher.getOutputSize(0) + outOfs);
+                tmpOut.position(outOfs);
+                cipher.doFinal(ByteBuffer.allocate(0), tmpOut);
+                tmpOut.position(outOfs);
+                output.put(tmpOut);
+            }
+        }
+        return output;
+    }
+
+    private static void doMultipart(int... chunkSizes) throws Exception {
+        int totalLength = IntStream.of(chunkSizes).sum();
+        byte[][] plaintextChunks = generateChunks(totalLength, chunkSizes);
+        byte[] jointPlaintext = join(plaintextChunks, totalLength);
+        byte[] expectedCiphertext = computeExpected(jointPlaintext);
+        byte[][] ciphertextChunks = split(expectedCiphertext, chunkSizes);
+
+        for (OutputType outputType : OutputType.values()) {
+            // Encryption test
+            check(CheckType.CIPHERTEXT, outputType, expectedCiphertext,
+                    encryptOrDecryptMultipart(Cipher.ENCRYPT_MODE, outputType,
+                            plaintextChunks, totalLength));
+            // Decryption test
+            check(CheckType.PLAINTEXT, outputType, jointPlaintext,
+                    encryptOrDecryptMultipart(Cipher.DECRYPT_MODE, outputType,
+                            ciphertextChunks, totalLength));
+        }
+    }
+
+    private static String repr(byte[] data) {
+        if (data == null) {
+            return "<null>";
+        }
+        if (data.length == 0) {
+            return "<empty []>";
+        }
+        String lenRepr = " (" + data.length + " bytes)";
+        for (byte b : data) {
+            if (b < 32 || b > 126) {
+                return HexFormat.ofDelimiter(":").formatHex(data) + lenRepr;
+            }
+        }
+        return new String(data, StandardCharsets.US_ASCII) + lenRepr;
+    }
+
+    private static void initialize() throws Exception {
+        sunJCECipher = Cipher.getInstance(ALGORITHM, "SunJCE");
+        sunJCECipher.init(Cipher.ENCRYPT_MODE, KEY, IV);
+    }
+
+    public static void main(String[] args) throws Exception {
+        initialize();
+        main(new TestCipherTextStealingMultipart(), args);
+    }
+
+    @Override
+    public void main(Provider p) throws Exception {
+        sunPKCS11 = p;
+        try {
+            // Test relevant combinations for 2, 3, and 4 update operations
+            int aesBSize = 16;
+            int[] points = new int[]{1, aesBSize - 1, aesBSize, aesBSize + 1};
+            for (int size1 : points) {
+                for (int size2 : points) {
+                    if (size1 + size2 >= aesBSize) {
+                        doMultipart(size1, size2);
+                    }
+                    for (int size3 : points) {
+                        if (size1 + size2 + size3 >= aesBSize) {
+                            doMultipart(size1, size2, size3);
+                        }
+                        for (int size4 : points) {
+                            if (size1 + size2 + size3 + size4 >= aesBSize) {
+                                doMultipart(size1, size2, size3, size4);
+                            }
+                        }
+                    }
+                }
+            }
+            doMultipart(17, 17, 17, 17, 17);
+            doMultipart(4, 2, 7, 1, 6, 12);
+            doMultipart(2, 15, 21, 26, 31, 26, 5, 30);
+            doMultipart(7, 12, 26, 8, 15, 2, 17, 16, 21, 2, 32, 29);
+            doMultipart(6, 7, 6, 1, 5, 16, 14, 1, 10, 16, 17, 8, 1, 13, 12);
+            doMultipart(16, 125, 19, 32, 32, 16, 17,
+                    31, 19, 13, 16, 16, 32, 16, 16);
+            doMultipart(5, 30, 11, 9, 6, 14, 20, 6,
+                    5, 18, 31, 33, 15, 29, 7, 9);
+            doMultipart(105, 8, 21, 27, 30, 101, 15, 20,
+                    23, 33, 26, 6, 8, 2, 13, 17);
+        } catch (Exception e) {
+            System.out.print(chunksDesc);
+            throw e;
+        }
+        System.out.println("TEST PASS - OK");
+    }
+}

test/jdk/sun/security/pkcs11/Cipher/TestCipherTextStealingMultipart.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 4898461 6604496
+ * @bug 4898461 6604496 8330842
  * @summary basic test for symmetric ciphers with padding
  * @author Valerie Peng
  * @library /test/lib ..
@@ -80,10 +80,11 @@ private static class CI { // class for holding Cipher Information
         new CI("DESede", "DESede", 408),
         new CI("AES", "AES", 128),
 
-        new CI("AES/CTR/NoPadding", "AES", 3200)
+        new CI("AES/CTR/NoPadding", "AES", 3200),
+        new CI("AES/CTS/NoPadding", "AES", 3200),
 
     };
-    private static StringBuffer debugBuf = new StringBuffer();
+    private static final StringBuffer debugBuf = new StringBuffer();
 
     @Override
     public void main(Provider p) throws Exception {
@@ -128,10 +129,7 @@ public void main(Provider p) throws Exception {
             }
         } catch (Exception ex) {
             // print out debug info when exception is encountered
-            if (debugBuf != null) {
-                System.out.println(debugBuf.toString());
-                debugBuf = new StringBuffer();
-            }
+            System.out.println(debugBuf);
             throw ex;
         }
     }
@@ -171,8 +169,7 @@ private static void test(Cipher cipher, int mode, SecretKey key,
         }
         byte[] testOut1 = baos.toByteArray();
         endTime = System.nanoTime();
-        perfOut("stream InBuf + stream OutBuf: " +
-                (endTime - startTime));
+        perfOut("stream InBuf + stream OutBuf", endTime - startTime);
         match(testOut1, answer);
 
         // test#2: Non-direct Buffer in + non-direct Buffer out
@@ -184,8 +181,7 @@ private static void test(Cipher cipher, int mode, SecretKey key,
         cipher.update(inBuf, outBuf);
         cipher.doFinal(inBuf, outBuf);
         endTime = System.nanoTime();
-        perfOut("non-direct InBuf + non-direct OutBuf: " +
-                (endTime - startTime));
+        perfOut("non-direct InBuf + non-direct OutBuf", endTime - startTime);
         match(outBuf, answer);
 
         // test#3: Direct Buffer in + direc Buffer out
@@ -197,8 +193,7 @@ private static void test(Cipher cipher, int mode, SecretKey key,
         cipher.update(inDirectBuf, outDirectBuf);
         cipher.doFinal(inDirectBuf, outDirectBuf);
         endTime = System.nanoTime();
-        perfOut("direct InBuf + direct OutBuf: " +
-                (endTime - startTime));
+        perfOut("direct InBuf + direct OutBuf", endTime - startTime);
 
         //debugOut("(post) inputBuf: " + inDirectBuf + "\n");
         //debugOut("(post) outputBuf: " + outDirectBuf + "\n");
@@ -215,8 +210,7 @@ private static void test(Cipher cipher, int mode, SecretKey key,
         cipher.update(inDirectBuf, outBuf);
         cipher.doFinal(inDirectBuf, outBuf);
         endTime = System.nanoTime();
-        perfOut("direct InBuf + non-direct OutBuf: " +
-                (endTime - startTime));
+        perfOut("direct InBuf + non-direct OutBuf", endTime - startTime);
         match(outBuf, answer);
 
         // test#5: Non-direct Buffer in + direct Buffer out
@@ -231,26 +225,21 @@ private static void test(Cipher cipher, int mode, SecretKey key,
         cipher.update(inBuf, outDirectBuf);
         cipher.doFinal(inBuf, outDirectBuf);
         endTime = System.nanoTime();
-        perfOut("non-direct InBuf + direct OutBuf: " +
-                (endTime - startTime));
+        perfOut("non-direct InBuf + direct OutBuf", endTime - startTime);
 
         //debugOut("(post) inputBuf: " + inBuf + "\n");
         //debugOut("(post) outputBuf: " + outDirectBuf + "\n");
         match(outDirectBuf, answer);
 
-        debugBuf = null;
+        debugBuf.setLength(0);
     }
 
-    private static void perfOut(String msg) {
-        if (debugBuf != null) {
-            debugBuf.append("PERF>" + msg);
-        }
+    private static void perfOut(String msg, long elapsed) {
+        debugOut("PERF> " + msg + ", elapsed: " + elapsed + " ns\n");
     }
 
     private static void debugOut(String msg) {
-        if (debugBuf != null) {
-            debugBuf.append(msg);
-        }
+        debugBuf.append(msg);
     }
 
     private static void match(byte[] b1, byte[] b2) throws Exception {

test/jdk/sun/security/pkcs11/Cipher/TestSymmCiphers.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 4898484 6604496 8001284
+ * @bug 4898484 6604496 8001284 8330842
  * @summary basic test for symmetric ciphers with no padding
  * @author Valerie Peng
  * @library /test/lib ..
@@ -68,10 +68,12 @@ private static class CI { // class for holding Cipher Information
         new CI("AES/CBC/NoPadding", "AES", 4800),
         new CI("Blowfish/CBC/NoPadding", "Blowfish", 24),
         new CI("AES/CTR/NoPadding", "AES", 1600),
-        new CI("AES/CTR/NoPadding", "AES", 65)
+        new CI("AES/CTR/NoPadding", "AES", 65),
+        new CI("AES/CTS/NoPadding", "AES", 1600),
+        new CI("AES/CTS/NoPadding", "AES", 65),
     };
 
-    private static StringBuffer debugBuf;
+    private static final StringBuffer debugBuf = new StringBuffer();
 
     @Override
     public void main(Provider p) throws Exception {
@@ -111,9 +113,7 @@ public void main(Provider p) throws Exception {
             }
         } catch (Exception ex) {
             // print out debug info when exception is encountered
-            if (debugBuf != null) {
-                System.out.println(debugBuf.toString());
-            }
+            System.out.println(debugBuf);
             throw ex;
         }
     }
@@ -122,7 +122,6 @@ private static void test(Cipher cipher, int mode, SecretKey key,
                              AlgorithmParameters params,
                              byte[] in, byte[] answer) throws Exception {
         // test setup
-        debugBuf = new StringBuffer();
         cipher.init(mode, key, params);
         int outLen = cipher.getOutputSize(in.length);
         debugBuf.append("Estimated output size = " + outLen + "\n");
@@ -214,7 +213,7 @@ private static void test(Cipher cipher, int mode, SecretKey key,
         }
         match(outBuf, answer);
 
-        debugBuf = null;
+        debugBuf.setLength(0);
     }
 
     private static void match(byte[] b1, byte[] b2) throws Exception {