8273297: AES/GCM non-AVX512+VAES CPUs suffer after 8267125

Reviewed-by: ascarpino, sviswanathan, aph
2025-08-26 22:34:27 +02:00 · 2021-09-24 19:21:32 +00:00 · 2021-09-24 19:21:32 +00:00 · 13e9ea9e92
commit 13e9ea9e92
parent 753b25633b
16 changed files with 114 additions and 56 deletions
--- a/src/java.base/share/classes/com/sun/crypto/provider/GHASH.java
+++ b/src/java.base/share/classes/com/sun/crypto/provider/GHASH.java
@ -122,7 +122,7 @@ final class GHASH implements Cloneable, GCM {

    /* subkeyHtbl and state are stored in long[] for GHASH intrinsic use */

-    // hashtable subkeyHtbl holds 2*57 powers of subkeyH computed using
+    // hashtable subkeyHtbl holds 2*9 powers of subkeyH computed using
    // carry-less multiplication
    private long[] subkeyHtbl;

@ -143,9 +143,8 @@ final class GHASH implements Cloneable, GCM {
            throw new ProviderException("Internal error");
        }
        state = new long[2];
-         // 48 keys for the interleaved implementation,
-         // 8 for avx-ghash implementation and 1 for the original key
-        subkeyHtbl = new long[2*57];
+        // 8 for avx-ghash implementation and 1 for the original key
+        subkeyHtbl = new long[2*9];
        subkeyHtbl[0] = (long)asLongView.get(subkeyH, 0);
        subkeyHtbl[1] = (long)asLongView.get(subkeyH, 8);
    }
@ -266,7 +265,7 @@ final class GHASH implements Cloneable, GCM {
            throw new RuntimeException("internal state has invalid length: " +
                                       st.length);
        }
-        if (subH.length != 114) {
+        if (subH.length != 18) {
            throw new RuntimeException("internal subkeyHtbl has invalid length: " +
                                       subH.length);
        }
--- a/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java
+++ b/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java
@ -86,7 +86,9 @@ abstract class GaloisCounterMode extends CipherSpi {
    // data size when buffer is divided up to aid in intrinsics
    private static final int TRIGGERLEN = 65536;  // 64k
    // x86-64 parallel intrinsic data size
-    private static final int PARALLEL_LEN = 768;
+    private static final int PARALLEL_LEN = 8192;
+    // max data size for x86-64 intrinsic
+    private static final int SPLIT_LEN = 1048576;  // 1MB

    static final byte[] EMPTY_BUF = new byte[0];

@ -570,6 +572,28 @@ abstract class GaloisCounterMode extends CipherSpi {
        return j0;
    }

+    // Wrapper function around AES-GCM interleaved intrinsic that splits
+    // large chunks of data into 1MB sized chunks. This is to place
+    // an upper limit on the number of blocks encrypted in the intrinsic.
+    private static int implGCMCrypt(byte[] in, int inOfs, int inLen, byte[] ct,
+                                    int ctOfs, byte[] out, int outOfs,
+                                    GCTR gctr, GHASH ghash) {
+
+        int len = 0;
+        if (inLen > SPLIT_LEN) {
+            while (inLen >= SPLIT_LEN) {
+                int partlen = implGCMCrypt0(in, inOfs + len, SPLIT_LEN, ct,
+                    ctOfs + len, out, outOfs + len, gctr, ghash);
+                len += partlen;
+                inLen -= partlen;
+            }
+        }
+        if (inLen > 0) {
+            len += implGCMCrypt0(in, inOfs + len, inLen, ct,
+                   ctOfs + len, out, outOfs + len, gctr, ghash);
+        }
+        return len;
+    }
    /**
     * Intrinsic for Vector AES Galois Counter Mode implementation.
     * AES and GHASH operations are interleaved in the intrinsic implementation.
@ -590,7 +614,7 @@ abstract class GaloisCounterMode extends CipherSpi {
     * @return number of processed bytes
     */
    @IntrinsicCandidate
-    private static int implGCMCrypt(byte[] in, int inOfs, int inLen,
+    private static int implGCMCrypt0(byte[] in, int inOfs, int inLen,
        byte[] ct, int ctOfs, byte[] out, int outOfs,
        GCTR gctr, GHASH ghash) {