- Bug
- Resolution: Fixed
- P2
- 11, 17, 19, 20
- b17
- x86_64
- Verified

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8295905 | 19.0.2 | Tobias Hartmann | P2 | Closed | Fixed | b03 |
JDK-8295464 | 17.0.6-oracle | Tobias Hartmann | P2 | Closed | Fixed | b04 |
JDK-8295296 | 17.0.6 | Smita Kamath | P2 | Resolved | Fixed | b01 |
JDK-8295781 | 15.0.10 | Yuri Nesterenko | P2 | Resolved | Fixed | b01 |
JDK-8295465 | 11.0.18-oracle | Tobias Hartmann | P2 | Closed | Fixed | b03 |
JDK-8295297 | 11.0.18 | Smita Kamath | P2 | Resolved | Fixed | b01 |
The internal state of the "AES/CTR/NoPadding" cipher can become corrupted when encrypting/decrypting byte arrays with a size less than 16. This only occurs when the AVX-512 AES CTR intrinsic is enabled.
REGRESSION : Last worked in version 8u341
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run provided test code with -XX:UseAVX=3
---------- BEGIN SOURCE ----------
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.Key;
import java.security.SecureRandom;
import java.util.Arrays;

public class Main {
    private static final int LOOPS = 1000;

    public static void main(String[] args) throws Exception {
        SecureRandom random = new SecureRandom();
        byte[] keyBytes = new byte[32];
        random.nextBytes(keyBytes);
        Key key = new SecretKeySpec(keyBytes, "AES");
        byte[] ivBytes = new byte[16];
        random.nextBytes(ivBytes);
        IvParameterSpec iv = new IvParameterSpec(ivBytes);
        Cipher encrypt = Cipher.getInstance("AES/CTR/NoPadding");
        Cipher decrypt = Cipher.getInstance("AES/CTR/NoPadding");
        // Runs until a mismatch is found; the loop also gives the JIT time to compile the cipher code.
        while (true) {
            byte[][] unencryptedStuff = new byte[LOOPS][];
            byte[][] encryptedStuff = new byte[LOOPS][];
            encrypt.init(Cipher.ENCRYPT_MODE, key, iv);
            for (int i = 0; i < LOOPS; i++) {
                // Every update() call gets fewer than 16 bytes (1..15).
                int size = (i % 15) + 1;
                byte[] unencrypted = new byte[size];
                random.nextBytes(unencrypted);
                unencryptedStuff[i] = unencrypted;
                byte[] encrypted = encrypt.update(unencrypted);
                encryptedStuff[i] = encrypted;
            }
            // Decrypt the same chunks in the same order and compare with the originals.
            decrypt.init(Cipher.DECRYPT_MODE, key, iv);
            for (int i = 0; i < LOOPS; i++) {
                byte[] decrypted = decrypt.update(encryptedStuff[i]);
                byte[] original = unencryptedStuff[i];
                if (!Arrays.equals(original, decrypted)) {
                    throw new Exception("Array mismatch. " + Arrays.toString(original) + " " + Arrays.toString(decrypted));
                }
            }
        }
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Set -XX:UseAVX=2 or -XX:+UnlockDiagnosticVMOptions -XX:-UseAESCTRIntrinsics
FREQUENCY : often
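
A bounded self-check for the failure described in this report, as an added example that is not part of the original report or of the JDK fix: CTR is a stream mode, so encrypting a buffer through 1 to 15 byte update() calls must produce the same bytes as a single doFinal() over the whole buffer. The class name, the all-zero key and IV, the buffer size and the round count are assumptions; the report states that only calls shorter than 16 bytes are affected, so the one-shot result is used as the reference.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.util.Arrays;

// Added example: hypothetical class name; not code from the report or the JDK.
public class CtrChunkSelfTest {
    // Constructed all-zero key and IV: test values only, never for real data.
    private static final byte[] KEY = new byte[32];
    private static final byte[] IV = new byte[16];
    private static final int TOTAL = 4096;  // bytes per round (assumption)
    private static final int ROUNDS = 5000; // assumed enough for the JIT to compile the hot path

    /** Returns -1 when chunked output equals the one-shot reference, else the first differing offset. */
    static int firstDivergence(byte[] plain) throws Exception {
        SecretKeySpec key = new SecretKeySpec(KEY, "AES");
        IvParameterSpec iv = new IvParameterSpec(IV);
        // Reference: one call over the whole buffer (not a sub-16-byte call).
        Cipher oneShot = Cipher.getInstance("AES/CTR/NoPadding");
        oneShot.init(Cipher.ENCRYPT_MODE, key, iv);
        byte[] expected = oneShot.doFinal(plain);

        // Same input fed through update() in 1..15 byte pieces, as in the report.
        Cipher chunked = Cipher.getInstance("AES/CTR/NoPadding");
        chunked.init(Cipher.ENCRYPT_MODE, key, iv);
        byte[] actual = new byte[plain.length];
        int off = 0;
        for (int i = 0; off < plain.length; i++) {
            int size = Math.min((i % 15) + 1, plain.length - off);
            byte[] part = chunked.update(Arrays.copyOfRange(plain, off, off + size));
            System.arraycopy(part, 0, actual, off, part.length);
            off += size;
        }
        return Arrays.mismatch(expected, actual); // Java 9+
    }

    public static void main(String[] args) throws Exception {
        byte[] plain = new byte[TOTAL];
        for (int i = 0; i < plain.length; i++) plain[i] = (byte) i; // constructed plaintext
        for (int round = 0; round < ROUNDS; round++) {
            int at = firstDivergence(plain);
            if (at >= 0) {
                System.out.println("FAIL: chunked AES/CTR diverges from one-shot at byte " + at + ", round " + round);
                System.exit(1);
            }
        }
        System.out.println("OK: chunked and one-shot AES/CTR output agree");
    }
}
```

Run it under the same JVM build and flags as the service being checked; the exit status is 1 on the first divergence and 0 otherwise.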
- backported by
  - JDK-8295296 AES-CTR cipher state corruption with AVX-512 (Resolved)
  - JDK-8295297 AES-CTR cipher state corruption with AVX-512 (Resolved)
  - JDK-8295781 AES-CTR cipher state corruption with AVX-512 (Resolved)
  - JDK-8295464 AES-CTR cipher state corruption with AVX-512 (Closed)
  - JDK-8295465 AES-CTR cipher state corruption with AVX-512 (Closed)
  - JDK-8295905 AES-CTR cipher state corruption with AVX-512 (Closed)
- relates to
  - JDK-8233741 AES Countermode (CTR) optimization using AVX512 + VAES instructions (Resolved)
- links to
  - Commit openjdk/jdk11u-dev/8fadf3d0
  - Commit openjdk/jdk15u-dev/8781ccc1
  - Commit openjdk/jdk17u-dev/ac7d936c
  - Commit openjdk/jdk19u/eaaf01ed
  - Commit openjdk/jdk/9d76ac8a
  - Review openjdk/jdk11u-dev/1408
  - Review openjdk/jdk15u-dev/290
  - Review openjdk/jdk17u-dev/787
  - Review openjdk/jdk19u/51
  - Review openjdk/jdk/9635