IBM Support

PH01244: OUTPUT BUFFER TOO SHORT FOR GCM MODE ENCRYPTION USING IBMJCEHYBRID

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • Error Message: The user experienced intermittent failures when
    they had IBMJCEHYBRID configured while using the AES/GCM mode
    of encryption. Customer failures were visible when a trace was
    taken using -Djavax.net.debug=true
    and -Djava.security.auth.debug=all. The failure was seen as a
    javax.crypto.ShortBufferException within the trace similar to
    what is listed
    below in the stack trace. The problem would also manifest itself
    occasionally with a "Bad record MAC" error being reported by
    JSSE.
    .
    Stack Trace: Exception#0 javax.crypto.ShortBufferException:
    Output buffer too short for GCM mode encryption because it must
    accommodate padding characters and the Authentication Tag. 4096
    bytes given, 4102 bytes needed.
    Stack Trace:
            at
    com.ibm.crypto.hdwrCCA.provider.AESCipher.engineDoFinal(AESCiphe
    r.java:1343)
            at javax.crypto.Cipher.doFinal(Unknown Source)
            at
    com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid
    Cipher.java:2921)
            at
    com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid
    Cipher.java:3079)
            at
    com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid
    Cipher.java:3079)
            at
    com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.engineDoFinal(
    HybridCipher.java:2793)
            at javax.crypto.CipherSpi.a(Unknown Source)
            at javax.crypto.CipherSpi.engineDoFinal(Unknown Source)
            at javax.crypto.Cipher.doFinal(Unknown Source)
            ...
            ...
    Exception#1 javax.crypto.ShortBufferException: Output buffer too
    small
    Stack Trace:
            at com.ibm.crypto.provider.aH.a(Unknown Source)
            at
    com.ibm.crypto.provider.AESGCMCipher.engineDoFinal(Unknown
    Source)
            at javax.crypto.Cipher.doFinal(Unknown Source)
            at
    com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid
    Cipher.java:2921)
            at
    com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid
    Cipher.java:3079)
            at
    com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid
    Cipher.java:3079)
            at
    com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid
    Cipher.java:3079)
            at
    com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.engineDoFinal(
    HybridCipher.java:2793)
            at javax.crypto.CipherSpi.a(Unknown Source)
            at javax.crypto.CipherSpi.engineDoFinal(Unknown Source)
            at javax.crypto.Cipher.doFinal(Unknown Source)
            ...
            ...
    .
    

Local fix

  • Users can either remove the IBMJCEHYBRID provider from their
    environment or they can avoid use of the AES/GCM mode of
    encryption.
    

Problem summary

  • The problem occurs when the JCE framework did not adjust the
    size of the buffer used for GCM crypto operations correctly.
    This resulted in a javax.crypto.ShortBufferException being
    thrown.
    

Problem conclusion

  • A change has been made to the IBMJCEHYBRID provider in the IBM
    Java SDK such that the path that was executed in the JCE
    framework correctly accounted for the buffer size when executing
    GCM crypto operations.
    .
    This APAR will be fixed in the following Java Releases:
       8    SR5 FP22  (8.0.5.22)
       7 R1 SR4 FP35  (7.1.4.35)
       7    SR10 FP35 (7.0.10.35)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    Service Refreshes and Fix Packs can be found at:
               https://www.ibm.com/developerworks/java/jdk/
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH01244

  • Reported component name

    JAVA Z/OS 64

  • Reported component ID

    620700104

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-08-02

  • Closed date

    2018-08-16

  • Last modified date

    2018-09-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA Z/OS 64

  • Fixed component ID

    620700104

Applicable component levels



Document information

More support for: Runtimes for Java Technology
z/OS Exensions

Software version: 800

Reference #: PH01244

Modified date: 19 September 2018