APAR status
Closed as program error.
Error description
Error Message: If a buffer is used to apply several updates, then calling the doFinal method in decryption mode, there could be a provider exception for specific input cipher sizes which depends on the buffer size. Possible error messages are as follows: java.io.IOException: Unable to decrypt message javax.net.ssl.SSLException: Fail to unwrap network record java.security.ProviderException: Failure in engineDoFinal . Stack Trace: java.security.ProviderException: Failure in engineDoFinal - java.base/com.ibm.crypto.plus.provider.OpenJCEPlus.providerExcep tion(OpenJCEPlus.java:2005) - java.base/com.ibm.crypto.plus.provider.ChaCha20Poly1305Cipher.en gineDoFinal(ChaCha20Poly1305Cipher.java:109) - java.base/javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:826) - java.base/javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:73 0) - java.base/javax.crypto.Cipher.doFinal(Cipher.java:2497) .
Local fix
The workaround depends on the usage context. In the case of using client and server over TLSv1.3, Other cipher suites than ChaCha20-Poly1305 can be enabled and used. If using chunk update in the decryption mode, then decryption can be done using different buffer sizes for failing inputs.
Problem summary
ChaCha20-Poly1305 Cipher Decryption Chunk Update: If a buffer is used to apply several updates, then calling the doFinal method in decryption mode, there could be a provider exception for specific input cipher sizes which depends on the buffer size. Possible error messages are as follows: java.io.IOException: Unable to decrypt message javax.net.ssl.SSLException: Fail to unwrap network record java.security.ProviderException: Failure in engineDoFinal
Problem conclusion
The security provider code was changed to handle edge cases related to the ChaCha20-Poly1305 cipher in decryption mode with a chunk update. The fix handles different buffer sizes with different input sizes. . This APAR will be fixed in the following Releases: . IBM Semeru Runtimes 11 11.0.19.0 IBM SDK, Java Technology Edition 8 SR8 FP5 (8.0.8.5) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available maintenance can be found at: https://www.ibm.com/support/pages/java-sdk
Temporary fix
Comments
APAR Information
APAR number
PH52970
Reported component name
JAVA Z/OS 64
Reported component ID
620700104
Reported release
B00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-03-02
Closed date
2023-04-29
Last modified date
2023-04-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
JAVA Z/OS 64
Fixed component ID
620700104
Applicable component levels
[{"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SG19M","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"B00"}]
Document Information
Modified date:
30 April 2023