RFR: 8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding [v2]

[Valerie Peng]

On Thu, 25 Mar 2021 22:13:42 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> Hi,
>> 
>> I'd like to propose a fix for JDK-8261355 [1].
>> 
>> The scheme used for holding data and padding while performing encryption operations is almost the same than the existing one for decryption. The only difference is that encryption does not require a block-sized buffer to be always held because there is no need, upon an update call, to determine which bytes are real output for the caller and which are padding -as it's required for decryption-. I added a couple of comments in implUpdate to explain this.
>> 
>> No regressions observed in jdk/sun/security/pkcs11.
>> 
>> Thanks,
>> Martin.-
>> 
>> --
>> [1] - https://bugs.openjdk.java.net/browse/JDK-8261355
>
> Martin Balao has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains three commits:
> 
>  - Avoid overriding buffered bytes with padding in the doFinal call.
>  - Only do encryption block-size buffering for NSS
>  - 8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java line 606:

> 604:                     // NSS throws up when called with data not in multiple
> 605:                     // of blocks. Try to work around this by holding the
> 606:                     // extra data in padBuffer.

nit: The comment looks a little bit strange. This particular block of code is for handling existing buffered data buffered in earlier update() calls. The comment however is more about 'reqBlockUpdates' itself. How about merging this with the comment for 'reqBlockUpdates' field and then changing this comment to what this particular block of code does.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2510