-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8284694: Avoid evaluating SSLAlgorithmConstraints twice #8199
Conversation
👋 Welcome back djelinski! A progress list of the required criteria for merging this PR into |
@djelinski The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command. |
cf355d3
to
d29ac7f
Compare
Results of the attached benchmark:
After:
The results show a nice double-digit improvement across the board. |
Webrevs
|
src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
Outdated
Show resolved
Hide resolved
@djelinski This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 111 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
Please make sure @XueleiFan has a chance to look at this before integrating. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice catch. Thank you!
src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work. I've been looking at this area myself in recent weeks also while debugging some JDK 11u performance issues. JFR shows this area as costly. Some other JDK fixes in this area have already improved performance. This will certainly help. Pasting a stacktrace[1] from an old Oracle JDK 11.0.12 report for history purposes.
I think there are other improvements that can be made in the TLS constraints code. Caching the last known values from a constraints permits test is something I've begun looking into.
[1]
Stack Trace Count Percentage
boolean java.lang.StringLatin1.regionMatchesCI(byte[], int, byte[], int, int) 1637 100 %
boolean java.lang.String.regionMatches(boolean, int, String, int, int) 1637 100 %
boolean java.lang.String.equalsIgnoreCase(String) 1637 100 %
boolean sun.security.util.AbstractAlgorithmConstraints.checkAlgorithm(List, String, AlgorithmDecomposer) 1631 99.6 %
boolean sun.security.util.DisabledAlgorithmConstraints.permits(Set, String, AlgorithmParameters) 1631 99.6 %
boolean sun.security.ssl.SSLAlgorithmConstraints.permits(Set, String, AlgorithmParameters) 1631 99.6 %
boolean sun.security.ssl.SSLAlgorithmConstraints.permits(Set, String, AlgorithmParameters) 836 51.1 %
boolean sun.security.ssl.HandshakeContext.isActivatable(CipherSuite, AlgorithmConstraints, Map) 428 26.1 %
List sun.security.ssl.HandshakeContext.getActiveCipherSuites(List, List, AlgorithmConstraints) 418 25.5 %
void sun.security.ssl.HandshakeContext.(SSLContextImpl, TransportContext) 418 25.5 %
void sun.security.ssl.ClientHandshakeContext.(SSLContextImpl, TransportContext) 418 25.5 %
void sun.security.ssl.TransportContext.kickstart() 418 25.5 %
void sun.security.ssl.SSLSocketImpl.startHandshake(boolean) 418 25.5 %
void sun.security.ssl.SSLSocketImpl.startHandshake() 418 25.5 %
Mailing list message from Anthony Scarpino on security-dev: Hi Sean, Caching is an interesting idea. I've wondered for a while off and on Tony On 4/13/22 2:03 AM, Sean Coffey wrote: |
src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
Outdated
Show resolved
Hide resolved
I think I addressed all the concerns raised. Could you take another look? |
hi @XueleiFan I'd appreciate your approval here. Thanks! |
Sorry, I missed the notification emails. I will have a look today. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the update. It looks good to me, except comments for the coding style.
src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
Outdated
Show resolved
Hide resolved
this.userSpecifiedConstraints = getUserSpecifiedConstraints(engine); | ||
this.peerSpecifiedConstraints = null; | ||
this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints; | ||
if (nullIfDefault(userSpecifiedConstraints) == null) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you wan to check DEFAULT_SSL_ONLY in the nullIfDefault() implementation? The logic of the block is a little bit hard to understand to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No I don't; it's for the same reason why I'm using ==
and not equals
: DEFAULT
is the only SSLAlgorithmConstraints
instance that is ever used as userSpecifiedConstraints
here.
DEFAULT
is used because SSLConfiguration sets userSpecifiedAlgorithmConstraints to SSLAlgorithmConstraints.DEFAULT. This feels wrong; the name suggests that the constraints should be specified by user, and should be null if the user doesn't touch them.
userSpecifiedAlgorithmConstraints
are accessible by getSSLParameters().getAlgorithmConstraints()
on SSLEngineImpl and SSLSocketImpl. Returning DEFAULT
here also feels wrong; as a user I would be concerned that setting my own algorithm constraints would replace the default ones. It doesn't, but that is not immediately apparent.
We could initialize userSpecifiedAlgorithmConstraints
to null, and back out all the other changes from this PR. The only reason why I didn't do that was because it would change the observable behavior (getSSLParameters().getAlgorithmConstraints()
would return null
). If you think we can live with that, I'll be happy to do that change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is not interested to me to use 'null' constraints in ssl configure. I have no more comments. Thank you for the update!
if (nullIfDefault(userSpecifiedConstraints) == null) { | ||
return withDefaultCertPathConstraints ? DEFAULT : DEFAULT_SSL_ONLY; | ||
} | ||
return new SSLAlgorithmConstraints(userSpecifiedConstraints, withDefaultCertPathConstraints); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be nice to limit each line within 80 characters, which is useful for terminal users.
src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
Show resolved
Hide resolved
/integrate |
Going to push as commit d8446b4.
Your commit was automatically rebased without conflicts. |
@djelinski Pushed as commit d8446b4. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
Mailing list message from Se=c3=a1n Coffey on security-dev: I think the work done with 8284694 will help alot in any case since I Some recent JFRs I looked at show that alot of CPU cycles[1] get taken Both methods get called per Handshakecontext construction and I think regards, [1] Stack Trace??? Count??? Percentage On 13/04/2022 18:05, Anthony Scarpino wrote:
|
Mailing list message from Daniel Jeliński on security-dev: Hi Tony & Sean, Regards, ?r., 20 kwi 2022 o 22:22 Se?n Coffey <sean.coffey at oracle.com> napisa?(a):
|
During TLS handshake, hundreds of constraints are evaluated to determine which cipher suites are usable. Most of the evaluations are performed using
HandshakeContext#algorithmConstraints
object. By default that object contains aSSLAlgorithmConstraints
instance wrapping anotherSSLAlgorithmConstraints
instance. As a result the constraints defined inSSLAlgorithmConstraints
are evaluated twice.This PR improves the default case; if the user-specified constraints are left at defaults, we use a single
SSLAlgorithmConstraints
instance, and avoid duplicate checks.Progress
Issue
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/8199/head:pull/8199
$ git checkout pull/8199
Update a local copy of the PR:
$ git checkout pull/8199
$ git pull https://git.openjdk.java.net/jdk pull/8199/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 8199
View PR using the GUI difftool:
$ git pr show -t 8199
Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/8199.diff