IBM Support

IJ10491: AES/GCM CIPHER - AAD NOT RESET TO UN-INIT STATE AFTER DOFINAL( ) AND INIT( )

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: N/A
.
Stack Trace: N/A
.
When the same AES/GCM cipher object is used to perform both the
encryption and the decryption of a piece of data, the customer
observed that if an AAD value with length=0 is supplied for
decryption, then the decryption operation would unexpectedly
succeed.

Local fix

  • 



Problem summary


    

  • The IBMJCE provider code was failing to reset the AAD value to
its uninitialized state within the AES/GCM cipher object state
during init( ) processing and doFinal( ) processing, as dictated
by the Cipher javadocs.
The Cipher framework updateAAD( ) method discards any AAD values
with length=0.  Therefore, the AAD value supplied to the AES/GCM
cipher object for decryption was being discarded, and the AAD
value that had been supplied for encryption was retained and was
reused for decryption.

    



Problem conclusion


    

  • The AES/GCM cipher code of the IBMPKCS11Impl provider has been
modified to set the AAD value within the cipher object to its
uninitialized state during init( ) and doFinal( ) processing.
The GIT issue associated with this change is #1.
The RTC Problem report associated with this change is 139433.
The affected IBM JVM's are:  70sr10fp35, 7.1sr4fp35, and
80sr5fp25
The affected jar file is ibmjceprovider.jar.
The build level of the updated IBMJCE70 jar file is:  build-169
The build level of the updated IBMJCE80 jar file is:  build-170
.
This APAR will be fixed in the following Java Releases:
   8    SR5 FP25  (8.0.5.25)
   7    SR10 FP35 (7.0.10.35)
   7 R1 SR4 FP35  (7.1.4.35)
.
Contact your IBM Product's Service Team for these Service
Refreshes and Fix Packs.
For those running stand-alone, information about the available
Service Refreshes and Fix Packs can be found at:
           https://www.ibm.com/developerworks/java/jdk/

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IJ10491
    • 

  • Reported component name
    SECURITY
    • 

  • Reported component ID
    620700125
    • 

  • Reported release
    270
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2018-10-11
    • 

  • Closed date
    2018-10-15
    • 

  • Last modified date
    2018-10-15
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    SECURITY
    • 

  • Fixed component ID
    620700125
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            07 December 2020
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback