[jdk11u-dev] RFR: 8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions [v2]

Andrew Haley aph at openjdk.java.net
Tue Oct 5 08:57:06 UTC 2021


On Tue, 5 Oct 2021 08:35:05 GMT, Aleksey Shipilev <shade at openjdk.org> wrote:

> Since this is math-heavy crypto code, I would rather wait for somebody to use/real-test the upstream implementation first. Unfortunately, timing is against us for JDK 18, as it would release only in March, and so if we want JDK 18 to be proven to work first, this would mean slipping the 11u backport to July 2022.
> 
> So I would propose this: wait another 6..8 weeks to see if AArch64 regressions are reported in mainline, then backport this to 11u for January 2022, disabled by default.

OK. I'm not sure that disabling by default much reduces risk, because this patch does a fair bit of refactoring and commoning, even if the fast paths aren't enabled.

> Have a 11u-specific issue to remember enabling it by default after JDK 18 graduates and people get exposed to this code by default in JDK 18. This way we could also see some opt-in 11u testing (which is presumably a larger population than JDK 18 adopters).

Seems reasonable.

> It would also help if we were able to throw some targeted testing for mainline code. Are there known good crypto test suites that could poke the holes in this implementation?

Authenticated encryption is mostly self-testing: that's the idea.
I'm trying to think of where the errors might be. 

- Buffer overruns / other heap corruption.
- Incorrect encryption/decryption when update() is called with oddly-sized byte[].
- Failure to detect bad authentication tag.
- Timing vulnerabilities due to plaintext-dependent branches or loads.

The upper layers are passed the auth data, which they check, and the jtreg tests run the intrinsic against the pure-Java code. That should be enough to make sure we don't have an incorrect (but self-consistent) implementation.

External test suites might not run for long enough to test the intrinsic. I'll have a look at Wycheproof.

-------------

PR: https://git.openjdk.java.net/jdk11u-dev/pull/410
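An added example, not code from this PR or from the JDK test suite: a small Java check for two of the failure modes listed above, feeding update() oddly-sized slices and comparing against a one-shot reference, then confirming that a corrupted tag is rejected. Key, IV, AAD, plaintext and the chunk sizes are constructed here; the class name GcmChunkCheck is made up.

```java
import java.io.ByteArrayOutputStream;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class GcmChunkCheck {
    // Added example (not from the PR): feed 'input' to AES/GCM in slices of the given sizes
    // via update(), finish with doFinal(), and return the concatenated output.
    static byte[] run(int mode, SecretKeySpec key, GCMParameterSpec spec, byte[] aad,
                      byte[] input, int[] chunkSizes) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, spec);
        c.updateAAD(aad);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int off = 0;
        for (int n : chunkSizes) {
            int len = Math.min(n, input.length - off);
            if (len <= 0) break;
            byte[] part = c.update(input, off, len); // may be null/empty while buffering
            if (part != null) out.write(part);
            off += len;
        }
        out.write(c.doFinal(input, off, input.length - off));
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] k = new byte[16], iv = new byte[12], aad = new byte[7], pt = new byte[1000];
        rnd.nextBytes(k); rnd.nextBytes(iv); rnd.nextBytes(aad); rnd.nextBytes(pt);
        SecretKeySpec key = new SecretKeySpec(k, "AES");
        GCMParameterSpec spec = new GCMParameterSpec(128, iv);
        // Reference: the whole buffer in a single call.
        byte[] ref = run(Cipher.ENCRYPT_MODE, key, spec, aad, pt, new int[]{pt.length});
        // Constructed chunk sizes that straddle 16-byte block boundaries and multi-block strides.
        int[] odd = {1, 15, 17, 33, 63, 127, 255, 1000};
        byte[] ct = run(Cipher.ENCRYPT_MODE, key, spec, aad, pt, odd);
        if (!Arrays.equals(ref, ct)) throw new AssertionError("chunked encrypt differs from one-shot");
        byte[] back = run(Cipher.DECRYPT_MODE, key, spec, aad, ct, odd);
        if (!Arrays.equals(pt, back)) throw new AssertionError("chunked decrypt does not round-trip");
        // Flip one bit of the appended tag: decryption must fail with AEADBadTagException.
        byte[] bad = ct.clone(); bad[bad.length - 1] ^= 1;
        try {
            run(Cipher.DECRYPT_MODE, key, spec, aad, bad, odd);
            throw new AssertionError("corrupted tag was accepted");
        } catch (AEADBadTagException expected) { }
    }
}
```

Run it with the intrinsic enabled and disabled; since the one-shot reference goes through the same provider, pair it with a run against a known-good vector set (e.g. Wycheproof) to catch a self-consistent but wrong implementation.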