> This fix intends to eliminate additional library call to C_EncryptInit or > C_DecryptInit for Ciphers running through the CKM_AES_GCM. > > Background: > > There are two types of CK_GCM_PARAMS struct that are used, one with IV bits > and the other without it. > > Initially there was issue in NSS library, due to the struct being different > in header and spec version. > NSS was using version from header but Solaris and SoftHsm was using normative > version from spec. > To maintain compatibility Java used to try library call with non-normative > (header) version first and then upon failure retrial was made with updated > GCM struct with IV bits. > > Note: Trying normative (spec) version first with NSS library results in JVM > crash. > > Refer below for more information: > https://github.com/openjdk/jdk/blob/master/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11gcm2.h#L36 > > > However NSS has fixed this to use normative/spec version since 3.52 which has > spec version 2.40 > Solaris and SoftHSM was already complying to the version mentioned in spec > 2.40 > > The fix now check if spec version is 2.40 and then makes library call with > appropriate structure. > > Internal testing is green, further I have done internal testing manually with > NSS library 3.96, 3.76, 3.51 (non-normative spec), 3.52 and 3.53 > Results are attached > [nss_logs.zip](https://github.com/openjdk/jdk/files/14692787/nss_logs.zip) > > Our existing tests like sun/security/pkcs11/Cipher/TestKATForGCM.java already > tests the functionality and I have used the same for internal testing
Prajwal Kumaraswamy has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains five additional commits since the last revision: - Fix parameters comment - Merge remote-tracking branch 'origin/master' into JDK-8261433 - Refactored code - Merge remote-tracking branch 'origin/master' into JDK-8261433 - 8261433: Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit ------------- Changes: - all: https://git.openjdk.org/jdk/pull/18425/files - new: https://git.openjdk.org/jdk/pull/18425/files/312859f5..7efefc1a Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk&pr=18425&range=02 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=18425&range=01-02 Stats: 96089 lines in 2545 files changed: 45355 ins; 39536 del; 11198 mod Patch: https://git.openjdk.org/jdk/pull/18425.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/18425/head:pull/18425 PR: https://git.openjdk.org/jdk/pull/18425
