8280703: CipherCore.doFinal(...) causes potentially massive byte[] allocations during decryption

[asgibbons]

Backporting because this change results in ~3x performance improvement in AES-CTR.

Risk is low. Tested with tier1 and benchmark.

The PR does not backport cleanly. The buffer name was changed, but functionally remains the same.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8280703: CipherCore.doFinal(...) causes potentially massive byte[] allocations during decryption

Reviewers

• Christoph Langer (@RealCLanger - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev pull/1780/head:pull/1780
$ git checkout pull/1780

Update a local copy of the PR:
$ git checkout pull/1780
$ git pull https://git.openjdk.org/jdk11u-dev pull/1780/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 1780

View PR using the GUI difftool:
$ git pr show -t 1780

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/1780.diff

[bridgekeeper]

👋 Welcome back sgibbons! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[mlbridge]

Webrevs

• 06: Full - Incremental (9b7ef4a1)
• 05: Full - Incremental (9b07d2be)
• 04: Full - Incremental (a4a93c50)
• 03: Full - Incremental (6d375967)
• 02: Full - Incremental (21960263)
• 01: Full - Incremental (e09abff2)
• 00: Full (e8934769)

[RealCLanger]

LGTM

[RealCLanger]

can you please run GHA

[openjdk]

@asgibbons This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8280703: CipherCore.doFinal(...) causes potentially massive byte[] allocations during decryption

Reviewed-by: clanger

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 16 new commits pushed to the master branch:

• 0748e2a: 8303432: Bump update version for OpenJDK: jdk-11.0.20
• 8a726af: 8264299: Create implementation of native accessibility peer for ScrollPane and ScrollBar Java Accessibility roles
• 915ac57: 8302000: [11u] A subtle race condition during jdk11u build
• 125cf5a: 8295530: Update Zlib Data Compression Library to Version 1.2.13
• de6d2c9: 8190492: Remove SSLv2Hello and SSLv3 from default enabled TLS protocols
• 2405ca6: 8299520: TestPrintXML.java output error messages in case compare fails
• bd9c2fb: 8290197: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails on some systems for the ".rar" extension
• 15bdc4d: 8235448: code cleanup in SSLContextImpl.java
• 5802a9a: 8245654: Add Certigna Root CA
• 86b8ea8: 8295777: java/net/httpclient/ConnectExceptionTest.java should not rely on system resolver
• ... and 6 more: https://git.openjdk.org/jdk11u-dev/compare/cfb05cb26d1b16fc12c2ba2486d00b8ebacc04da...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@RealCLanger) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[asgibbons]

Noob here - what is GHA?

[RealCLanger]

Noob here - what is GHA?

GHA= GitHub Actions. You have to enable it in your repository fork. Then you will also be able to trigger the run for your PR branch.

[asgibbons]

Thanks @RealCLanger. I triggered a run and will integrate when complete.

[RealCLanger]

Hm after your merges the resulting change looks incorrect.

[asgibbons]

@RealCLanger - Sorry for the churn. I had a slight mixup in the myriad of JDK trees I'm concurrently maintaining. I fixed the issue and manual testing along with tier1 testing have successfully completed.

Please review and approve if this is acceptable.

[sviswa7]

@ascarpino Could you please help review this backport CR?

[RealCLanger]

I had a closer look now. Overall it seems ok. Could you maybe rename outWithPadding to internalOutput? That would bring the code closer to head and seems the more logical name for the buffer. Thanks.

[RealCLanger]

Please add a space after if

[RealCLanger]

Here the variable should remain outWithPadding.

[RealCLanger]

Same here.

[RealCLanger]

Thanks. This looks good. I'll run it through SAP'S nightlies and will hopefully approve tomorrow when no regressions spotted.

[asgibbons]

Thank you very much @RealCLanger !

[ascarpino]

The backport looks consistent with what was put in recent releases.

[ascarpino]

Something that should be verified is that this doesn't expose failed auth tag decrypted GCM data or other GCM decryption. There maybe some unexpected differences as this change was after GCM separated from CipherCore in 17. I believe GCM still uses CipherCore in 11.

[asgibbons]

Thanks, @ascarpino. Are there any tests I can run to verify that no GCM data have been exposed? It appears to me that there's one place where decrypted data could be leaked (ShortBufferException), but this is the same in newer versions.

[RealCLanger]

Looks good from my perspective now. SAP tests passed. Can't say anything to the GCM topic brought up by @ascarpino, though.

[asgibbons]

@ascarpino I have been looking to see whether any data could be potentially leaked as a result of my change and cannot envision such a scenario. It appears to me that my change is functionally identical to what it would be without the change. Can you please provide more details? Thanks.

[asgibbons]

I believe there is no additional risk to data leakage as the result of this change, so I'm proposing integration. Thanks.

/integrate

[openjdk]

@asgibbons
Your change (at version 9b7ef4a) is now ready to be sponsored by a Committer.

[RealCLanger]

I believe there is no additional risk to data leakage as the result of this change, so I'm proposing integration. Thanks.

/integrate

ok

/sponsor

[openjdk]

Going to push as commit 479ddb6.
Since your change was applied there have been 18 commits pushed to the master branch:

• 7d89919: 8289301: P11Cipher should not throw out of bounds exception during padding
• 80615a6: 8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
• 0748e2a: 8303432: Bump update version for OpenJDK: jdk-11.0.20
• 8a726af: 8264299: Create implementation of native accessibility peer for ScrollPane and ScrollBar Java Accessibility roles
• 915ac57: 8302000: [11u] A subtle race condition during jdk11u build
• 125cf5a: 8295530: Update Zlib Data Compression Library to Version 1.2.13
• de6d2c9: 8190492: Remove SSLv2Hello and SSLv3 from default enabled TLS protocols
• 2405ca6: 8299520: TestPrintXML.java output error messages in case compare fails
• bd9c2fb: 8290197: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails on some systems for the ".rar" extension
• 15bdc4d: 8235448: code cleanup in SSLContextImpl.java
• ... and 8 more: https://git.openjdk.org/jdk11u-dev/compare/cfb05cb26d1b16fc12c2ba2486d00b8ebacc04da...master

Your commit was automatically rebased without conflicts.

[openjdk]

@RealCLanger @asgibbons Pushed as commit 479ddb6.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.