> This fix intends to eliminate the additional library call to C_EncryptInit or
> C_DecryptInit for Ciphers running through the CKM_AES_GCM.
>
> Background:
>
> There are two types of CK_GCM_PARAMS struct that are used, one with IV bits
> and the other without it.
>
> Initially there was an issue in the NSS library, due to the struct being different
> in header and spec version.
> NSS was using the version from the header but Solaris and SoftHSM were using the normative
> version from the spec.
> To maintain compatibility Java used to try the library call with the non-normative
> (header) version first and then upon failure a retrial was made with the updated
> GCM struct with IV bits.
>
> Note: Trying the normative (spec) version first with the NSS library results in a JVM
> crash.
>
> Refer below for more information:
> https://github.com/openjdk/jdk/blob/master/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11gcm2.h#L36
>
> However NSS has fixed this to use the normative/spec version since 3.52, which has
> spec version 2.40.
> Solaris and SoftHSM were already complying with the version mentioned in spec
> 2.40.
>
> The fix now checks if the spec version is 2.40 and then makes the library call with
> the appropriate structure.
>
> Internal testing is green; further, I have done internal testing manually with
> NSS library 3.96, 3.76, 3.51 (non-normative spec), 3.52 and 3.53.
> Results are attached:
> [nss_logs.zip](https://github.com/openjdk/jdk/files/14692787/nss_logs.zip)
>
> Our existing tests like sun/security/pkcs11/Cipher/TestKATForGCM.java already
> test the functionality and I have used the same for internal testing.

Prajwal Kumaraswamy has updated the pull request incrementally with one additional commit since the last revision:

  use getversion instead to get spec version

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/18425/files
  - new: https://git.openjdk.org/jdk/pull/18425/files/7efefc1a..542f74f0

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=18425&range=03
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=18425&range=02-03

  Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
  Patch: https://git.openjdk.org/jdk/pull/18425.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/18425/head:pull/18425

PR: https://git.openjdk.org/jdk/pull/18425
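
The two CK_GCM_PARAMS layouts and the version-based selection described in the quoted text, as an added example that is not code from the pull request or from OpenJDK. The struct and function names (gcm_no_ivbits, gcm_spec, ck_version, build_gcm_params, aad_as_header_reader) are hypothetical, the CK_* types are defined locally instead of coming from the PKCS#11 headers, and the last function shows why handing one layout to code built for the other is a memory-safety problem.

```c
#include <stddef.h>
#include <string.h>

typedef unsigned char CK_BYTE;
typedef unsigned long CK_ULONG;
typedef struct { CK_BYTE major, minor; } ck_version; /* 2.40 is {2, 40} */

/* Header (non-normative) layout: no IV-bits field. */
typedef struct {
    CK_BYTE *pIv;  CK_ULONG ulIvLen;
    CK_BYTE *pAAD; CK_ULONG ulAADLen; CK_ULONG ulTagBits;
} gcm_no_ivbits;

/* Spec (normative) layout: ulIvBits sits between ulIvLen and pAAD. */
typedef struct {
    CK_BYTE *pIv;  CK_ULONG ulIvLen; CK_ULONG ulIvBits;
    CK_BYTE *pAAD; CK_ULONG ulAADLen; CK_ULONG ulTagBits;
} gcm_spec;

/* Assumption: exactly 2.40 selects the spec layout, as the description says. */
static int uses_spec_layout(ck_version v) { return v.major == 2 && v.minor == 40; }

/* Fill out with the layout matching the reported version; returns the
 * parameter length for the mechanism, or 0 if out is too small. */
size_t build_gcm_params(ck_version v, CK_BYTE *iv, CK_ULONG ivLen, CK_BYTE *aad,
                        CK_ULONG aadLen, CK_ULONG tagBits, void *out, size_t cap)
{
    if (uses_spec_layout(v)) {
        gcm_spec s = { iv, ivLen, ivLen * 8, aad, aadLen, tagBits };
        if (cap < sizeof s) return 0;
        memcpy(out, &s, sizeof s);
        return sizeof s;
    }
    gcm_no_ivbits h = { iv, ivLen, aad, aadLen, tagBits };
    if (cap < sizeof h) return 0;
    memcpy(out, &h, sizeof h);
    return sizeof h;
}

/* What code compiled against the header layout takes as pAAD when handed a
 * spec-layout buffer: on LP64 that slot holds ulIvBits, not a pointer. */
CK_BYTE *aad_as_header_reader(const void *params)
{
    gcm_no_ivbits h;
    memcpy(&h, params, sizeof h);
    return h.pAAD;
}
```

Choosing the layout once from the reported version means the caller never hands a buffer to code that would read the IV bit count as an address.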