authorKenny Root <kroot@google.com>2014-07-14 13:25:32 -0700
committerKenny Root <kroot@google.com>2014-07-17 08:50:22 -0700
commita749c0d351216be38879600ee8ed01c6793aa256 (patch)
treea1f19631df88f06e102266c2efe50208682b5747
parent70fdb6d2bfa0c313fe389827f0025288f6aeb947 (diff)
downloadconscrypt-a749c0d351216be38879600ee8ed01c6793aa256.tar.gz
Keep enough state to completely reset cipher instances
OpenSSL's RC4 mutates the given key. AES/CTR mutates the IV. We must store these values locally to enable "doFinal" to cause the Cipher instance to be reset to what it was right after "init". Note that resetting and encrypting with the same key or IV breaks semantic security. (cherry picked from commit 084e3086be1d7a6b9280b64c7c8cdb7b41a13bea) Bug: 16298401 Bug: https://code.google.com/p/android/issues/detail?id=73339 Change-Id: Ie7e4dcb6cf6cc33ddad31d6b47066dc1b34e6894
-rw-r--r--src/main/java/org/conscrypt/OpenSSLCipher.java10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/main/java/org/conscrypt/OpenSSLCipher.java b/src/main/java/org/conscrypt/OpenSSLCipher.java
index e2ae8aba..29e2d4de 100644
--- a/src/main/java/org/conscrypt/OpenSSLCipher.java
+++ b/src/main/java/org/conscrypt/OpenSSLCipher.java
@@ -84,6 +84,12 @@ public abstract class OpenSSLCipher extends CipherSpi {
private Padding padding = Padding.PKCS5PADDING;
/**
+ * May be used when reseting the cipher instance after calling
+ * {@code doFinal}.
+ */
+ private byte[] encodedKey;
+
+ /**
* The Initial Vector (IV) used for the current cipher.
*/
private byte[] iv;
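Review bot: The new `encodedKey` field keeps raw key bytes on the Java heap for as long as the cipher instance lives, and nothing visible in this patch clears them. Consider zeroing the previous array when the instance is re-initialized, e.g. `if (this.encodedKey != null) Arrays.fill(this.encodedKey, (byte) 0);` just before the assignment in the second hunk, provided the stored array is a private copy rather than one shared with the `Key` object. The Javadoc should also say that the field holds the key material from the last `init` and why it is retained. "reseting" in the comment is a typo for "resetting".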
@@ -252,8 +258,8 @@ public abstract class OpenSSLCipher extends CipherSpi {
if (encodedKey == null) {
throw new InvalidKeyException("key.getEncoded() == null");
}
-
checkSupportedKeySize(encodedKey.length);
+ this.encodedKey = encodedKey;
final long cipherType = NativeCrypto.EVP_get_cipherbyname(getCipherName(encodedKey.length,
mode));
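Review bot: `this.encodedKey = encodedKey;` is assigned before the rest of initialization has run. The enclosing method continues outside this hunk, so this is inferred, but if a later step throws, the field would hold a key the native context was never initialized with, and a later `reset()` would install it. Moving the assignment to after the native init call succeeds would keep the field and the context in step. The line also stores the array reference rather than a copy, so a `Key` implementation that returns its internal array from `getEncoded()` could change what `reset()` restores; `this.encodedKey = encodedKey.clone();` avoids that.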
@@ -392,7 +398,7 @@ public abstract class OpenSSLCipher extends CipherSpi {
* Reset this Cipher instance state to process a new chunk of data.
*/
private void reset() {
- NativeCrypto.EVP_CipherInit_ex(cipherCtx.getContext(), 0, null, null, encrypting);
+ NativeCrypto.EVP_CipherInit_ex(cipherCtx.getContext(), 0, encodedKey, iv, encrypting);
calledUpdate = false;
}
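Review bot: The Javadoc on `reset()` still reads as a neutral state reset, but the new call re-initializes the context with the same key and IV that were supplied at `init`. For RC4 and AES/CTR that means data processed after `doFinal` is encrypted under the same keystream as the previous message, which the commit message itself notes breaks semantic security. That caveat belongs in the code, e.g. `Restores the key and IV supplied at init; callers must re-init with a fresh IV (or key) before encrypting further data in stream modes.` It would also help to state that `encodedKey` is expected to be non-null here, since the call path that guarantees it is outside this hunk.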