[jdk11u-dev] RFR: 8268427: Improve AlgorithmConstraints:checkAlgorithm performance

Evgeny Astigeevich github.com+42899633+eastig at openjdk.java.net
Wed Aug 4 15:15:44 UTC 2021 

A backport of JDK-8233228 to 11u increased the list of disabled algorithms. For TLS the size of the list increased from 9 to 56. `sun.security.util.AbstractAlgorithmConstraints.checkAlgorithm()` uses linear search to check if an algorithm has been disabled. Its execution time significantly increased in the most common case: a checked algorithm is not disabled.

This backport improves `AbstractAlgorithmConstraints.checkAlgorithm()` performance.
Tier1 and tier2 tests pass with the patch.

The patch contains a microbenchmark.
Baseline results before patch:

Benchmark                            (algorithm)  Mode  Cnt     Score    Error  Units
AlgorithmConstraintsPermits.permits        SSLv3  avgt   25    17.296 ±  0.282  ns/op
AlgorithmConstraintsPermits.permits          DES  avgt   25   288.010 ±  2.502  ns/op
AlgorithmConstraintsPermits.permits         NULL  avgt   25   459.496 ±  6.160  ns/op
AlgorithmConstraintsPermits.permits       TLS1.3  avgt   25  1361.700 ± 12.871  ns/op


Benchmark results after patch:

Benchmark                            (algorithm)  Mode  Cnt     Score    Error  Units
AlgorithmConstraintsPermits.permits        SSLv3  avgt   25  119.320 ± 2.572  ns/op
AlgorithmConstraintsPermits.permits          DES  avgt   25   82.259 ± 0.668  ns/op
AlgorithmConstraintsPermits.permits         NULL  avgt   25   57.302 ± 3.611  ns/op
AlgorithmConstraintsPermits.permits       TLS1.3  avgt   25  465.914 ± 2.553  ns/op


Before the patch the list of the disabled algorithms has `SSLv3` first, `DES` second, `NULL` 9th and `TLS1.3` not on the list. As `SSLv3` is the first, accesses to it are the fastest. As we get far from the head, the access time increases. `NULL`  had been the last before JDK-8233228. In a case of TLS1.3 the whole list has to be checked.

The patch replaces the list with an ordered set. Despite the increased time for `SSLv3` all other times, especially for permitted algorithms such as `TLS1.3`, significantly decreased.

-------------

Commit messages:
 - Backport 3b83bc1bc331d268987f56ea4f23124a7f6ee38b

Changes: https://git.openjdk.java.net/jdk11u-dev/pull/193/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk11u-dev&pr=193&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8268427
  Stats: 112 lines in 4 files changed: 72 ins; 17 del; 23 mod
  Patch: https://git.openjdk.java.net/jdk11u-dev/pull/193.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk11u-dev pull/193/head:pull/193

PR: https://git.openjdk.java.net/jdk11u-dev/pull/193

More information about the jdk-updates-dev mailing list