RFR 8177784 Use CounterMode intrinsic for AES/GCM

Anthony Scarpino anthony.scarpino at oracle.com
Tue Apr 11 17:58:26 UTC 2017


On 04/10/2017 10:27 AM, Paul Sandoz wrote:
>
>> On 7 Apr 2017, at 12:47, Anthony Scarpino <anthony.scarpino at oracle.com> wrote:
>>
>> On 04/07/2017 06:58 AM, Chris Hegarty wrote:
>>> On 06/04/17 21:39, Anthony Scarpino wrote:
>>>>
>>>> I'd like to get a review for this performance change to use the existing
>>>> CounterMode parallelized intrinsic instead of GCTR's own version. The
>>>> two classes were nearly identical except for the doFinal() method which
>>>> doesn't belong in CounterMode.java.
>>>>
>>>> I could have been more aggressive with this change, but I'm looking to
>>>> get this into 9, so I stayed away from completely merging GCTR into
>>>> CounterMode in case of incompatibilities.  All tests security and
>>>> hotspot tests pass.
>>>>
>>>> http://cr.openjdk.java.net/~ascarpino/8177784/webrev/
>>>
>>> This change looks good to me. Trivially, the class-level comment in
>>> GCTR should be updated ( it refers to removed fields ). Also,
>>> CounterMode.counter could be protected ( rather than package-private ).
>>>
>>> -Chris.
>>
>> Thanks Chris,
>>
>> I left CounterMode.counter as package-private because the package is what becomes the SunJCE provider.  I don't believe there should be any outside package classes accessing this code.
>>
>> I updated the webrev at with the comment update:
>>  http://cr.openjdk.java.net/~ascarpino/8177784/webrev.01/
>>
>
> It’s the same pattern for “iv” with CounterMode and FeedbackCipher, although i prefer protected as well if never accessed by other classes in the same package, it makes it easier to reason about the code, since i know more about what can access it.
>
> Suggestion, take it or leave it: personally i would prefer to see an additional constructor in CounterMode:
>
>   GCTR(SymmetricCipher cipher, byte[] initialCounterBlk) {
>     super(cipher, checkBlockSize(initialCounterBlk));
>    }
>
> Where new CounterMode constructor performs the clone, assignmentm and reset, the static method checkBlockSize checks the array length is equal to AES_BLOCK_SIZE Thereby you have a cleaner separation of concerns.
>
> Paul.
>

I contemplated putting changing the constructors, but went against it 
for the moment so a jdk9 change would be as minimal as possible.  A 
future change would most likely include the new constructor in CounterMode.

Tony




More information about the security-dev mailing list