[jdk11u-dev] Integrated: 8268427: Improve AlgorithmConstraints:checkAlgorithm performance

Evgeny Astigeevich github.com+42899633+eastig at openjdk.java.net
Fri Aug 6 23:36:37 UTC 2021 

On Wed, 4 Aug 2021 15:08:45 GMT, Evgeny Astigeevich <github.com+42899633+eastig at openjdk.org> wrote:

> A backport of JDK-8233228 to 11u increased the list of disabled algorithms. For TLS the size of the list increased from 9 to 56. `sun.security.util.AbstractAlgorithmConstraints.checkAlgorithm()` uses linear search to check if an algorithm has been disabled. Its execution time significantly increased in the most common case: a checked algorithm is not disabled.
> 
> This backport improves `AbstractAlgorithmConstraints.checkAlgorithm()` performance.
> Tier1 and tier2 tests pass with the patch.
> 
> The patch contains a microbenchmark.
> Baseline results before patch:
> 
> Benchmark                            (algorithm)  Mode  Cnt     Score    Error  Units
> AlgorithmConstraintsPermits.permits        SSLv3  avgt   25    17.296 ±  0.282  ns/op
> AlgorithmConstraintsPermits.permits          DES  avgt   25   288.010 ±  2.502  ns/op
> AlgorithmConstraintsPermits.permits         NULL  avgt   25   459.496 ±  6.160  ns/op
> AlgorithmConstraintsPermits.permits       TLS1.3  avgt   25  1361.700 ± 12.871  ns/op
> 
> 
> Benchmark results after patch:
> 
> Benchmark                            (algorithm)  Mode  Cnt     Score    Error  Units
> AlgorithmConstraintsPermits.permits        SSLv3  avgt   25  119.320 ± 2.572  ns/op
> AlgorithmConstraintsPermits.permits          DES  avgt   25   82.259 ± 0.668  ns/op
> AlgorithmConstraintsPermits.permits         NULL  avgt   25   57.302 ± 3.611  ns/op
> AlgorithmConstraintsPermits.permits       TLS1.3  avgt   25  465.914 ± 2.553  ns/op
> 
> 
> Before the patch the list of the disabled algorithms has `SSLv3` first, `DES` second, `NULL` 9th and `TLS1.3` not on the list. As `SSLv3` is the first, accesses to it are the fastest. As we get far from the head, the access time increases. `NULL`  had been the last before JDK-8233228. In a case of TLS1.3 the whole list has to be checked.
> 
> The patch replaces the list with an ordered set. Despite the increased time for `SSLv3` all other times, especially for permitted algorithms such as `TLS1.3`, significantly decreased.

This pull request has now been integrated.

Changeset: 4e324294
Author:    Evgeny Astigeevich <eastig at amazon.com>
Committer: Paul Hohensee <phh at openjdk.org>
URL:       https://git.openjdk.java.net/jdk11u-dev/commit/4e324294d2940aa7ebaf51723fd4bc5178442b15
Stats:     112 lines in 4 files changed: 72 ins; 17 del; 23 mod

8268427: Improve AlgorithmConstraints:checkAlgorithm performance

Backport-of: 3b83bc1bc331d268987f56ea4f23124a7f6ee38b

-------------

PR: https://git.openjdk.java.net/jdk11u-dev/pull/193

More information about the jdk-updates-dev mailing list