On Wed, 17 Apr 2024 08:01:17 GMT, Prajwal Kumaraswamy <pkumarasw...@openjdk.org> wrote:
>> This fix intends to eliminate additional library call to C_EncryptInit or >> C_DecryptInit for Ciphers running through the CKM_AES_GCM. >> >> Background: >> >> There are two types of CK_GCM_PARAMS struct that are used, one with IV bits >> and the other without it. >> >> Initially there was issue in NSS library, due to the struct being different >> in header and spec version. >> NSS was using version from header but Solaris and SoftHsm was using >> normative version from spec. >> To maintain compatibility Java used to try library call with non-normative >> (header) version first and then upon failure retrial was made with updated >> GCM struct with IV bits. >> >> Note: Trying normative (spec) version first with NSS library results in JVM >> crash. >> >> Refer below for more information: >> https://github.com/openjdk/jdk/blob/master/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11gcm2.h#L36 >> >> >> However NSS has fixed this to use normative/spec version since 3.52 which >> has spec version 2.40 >> Solaris and SoftHSM was already complying to the version mentioned in spec >> 2.40 >> >> The fix now check if spec version is 2.40 and then makes library call with >> appropriate structure. >> >> Internal testing is green, further I have done internal testing manually >> with NSS library 3.96, 3.76, 3.51 (non-normative spec), 3.52 and 3.53 >> Results are attached >> [nss_logs.zip](https://github.com/openjdk/jdk/files/14692787/nss_logs.zip) >> >> Our existing tests like sun/security/pkcs11/Cipher/TestKATForGCM.java >> already tests the functionality and I have used the same for internal testing > > Prajwal Kumaraswamy has updated the pull request with a new target base due > to a merge or a rebase. The incremental webrev excludes the unrelated changes > brought in by the merge/rebase. The pull request contains three additional > commits since the last revision: > > - Refactored code > - Merge remote-tracking branch 'origin/master' into JDK-8261433 > - 8261433: Better pkcs11 performance for > libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit Marked as reviewed by valeriep (Reviewer). Please make sure the testing covers old and new NSS versions just to be safe. Thanks! ------------- PR Review: https://git.openjdk.org/jdk/pull/18425#pullrequestreview-2048830607 PR Comment: https://git.openjdk.org/jdk/pull/18425#issuecomment-2103411356
