On Mon, 3 Jun 2024 22:26:04 GMT, Martin Balao <mba...@openjdk.org> wrote:
>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java >> line 621: >> >>> 619: int flushFromPadBuffer; >>> 620: int fillLen = >>> getBytesToCompleteBlock(padBufferLen); >>> 621: if (dataForP11Update >= padBufferLen + fillLen) { >> >> Maybe use `if (inLen >= fillLen)` ? > > `dataForP11Update >= padBufferLen + fillLen` is not the same as `inLen >= > fillLen` (the equivalent would be `inLen - newPadBufferLen >= fillLen`, but I > personally find the proposed condition more clear). We will flush the entire > `padBuffer` only if there are enough bytes in `inLen` to fill `padBuffer` > with whatever we need (0 or more bytes) and fulfill the new buffering > requirement. Regarding `fillLen > 0`, that is not strictly needed to flush > the entire `padBuffer`. If we are buffering 3 blocks (e.g. for NSS), we may > have 1 block buffered in `padBuffer` and `fillLen == 0` (no need to borrow to > complete `padBuffer` to a multiple of a block size). I see, thanks for the explanation. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/18898#discussion_r1626829385