RFR: 8296507: GCM using more memory than necessary with in-place operations [v2]
Valerie Peng
valeriep at openjdk.org
Wed Nov 30 23:53:31 UTC 2022
On Mon, 21 Nov 2022 18:20:09 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:
>> I would like a review of an update to the GCM code. A recent report showed that GCM memory usage for TLS was very large. This was a result of in-place buffers, which TLS uses, and how the code handled the combined intrinsic method during decryption. A temporary buffer was used because the combined intrinsic does gctr before ghash which results in a bad tag. The fix is to not use the combined intrinsic during in-place decryption and depend on the individual GHASH and CounterMode intrinsics. Direct ByteBuffers are not affected as they are not used by the intrinsics directly.
>>
>> The reduction in the memory usage boosted performance back to where it was before despite using slower intrinsics (gctr & ghash individually). The extra memory allocation for the temporary buffer out-weighted the faster intrinsic.
>>
>>
>> JDK 17: 122913.554 ops/sec
>> JDK 19: 94885.008 ops/sec
>> Post fix: 122735.804 ops/sec
>>
>> There is no regression test because this is a memory change and test coverage already existing.
>
> Anthony Scarpino has updated the pull request incrementally with one additional commit since the last revision:
>
> comment cleanup & finesse ByteBuffer implGCMCrypt better
src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java line 583:
> 581: * to avoid combined intrinsic, call GHASH directly before GCTR to avoid
> 582: * a bad tag exception. This check is not performed here because it would
> 583: * impose a check every operation which is less efficient.
Missing "for" after "check"?
-------------
PR: https://git.openjdk.org/jdk/pull/11121
More information about the security-dev
mailing list