On Mon, 3 Jun 2024 22:26:04 GMT, Martin Balao <[email protected]> wrote:
>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
>> line 621:
>>
>>> 619: int flushFromPadBuffer;
>>> 620: int fillLen =
>>> getBytesToCompleteBlock(padBufferLen);
>>> 621: if (dataForP11Update >= padBufferLen + fillLen) {
>>
>> Maybe use `if (inLen >= fillLen)` ?
>
> `dataForP11Update >= padBufferLen + fillLen` is not the same as `inLen >=
> fillLen` (the equivalent would be `inLen - newPadBufferLen >= fillLen`, but I
> personally find the proposed condition more clear). We will flush the entire
> `padBuffer` only if there are enough bytes in `inLen` to fill `padBuffer`
> with whatever we need (0 or more bytes) and fulfill the new buffering
> requirement. Regarding `fillLen > 0`, that is not strictly needed to flush
> the entire `padBuffer`. If we are buffering 3 blocks (e.g. for NSS), we may
> have 1 block buffered in `padBuffer` and `fillLen == 0` (no need to borrow to
> complete `padBuffer` to a multiple of a block size).
I see, thanks for the explanation.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18898#discussion_r1626829385
