RFR: 8284694: Avoid evaluating SSLAlgorithmConstraints twice

Daniel Jeliński djelinski at openjdk.java.net
Tue Apr 12 15:22:33 UTC 2022


On Tue, 12 Apr 2022 13:38:17 GMT, Claes Redestad <redestad at openjdk.org> wrote:

>> During TLS handshake, hundreds of constraints are evaluated to determine which cipher suites are usable. Most of the evaluations are performed using `HandshakeContext#algorithmConstraints` object. By default that object contains a `SSLAlgorithmConstraints` instance wrapping another `SSLAlgorithmConstraints` instance. As a result the constraints defined in `SSLAlgorithmConstraints` are evaluated twice.
>> 
>> This PR improves the default case; if the user-specified constraints are left at defaults, we use a single `SSLAlgorithmConstraints` instance, and avoid duplicate checks.
>
> src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line 73:
> 
>> 71: 
>> 72:     static AlgorithmConstraints wrap(AlgorithmConstraints userSpecifiedConstraints) {
>> 73:         if (userSpecifiedConstraints == DEFAULT) {
> 
> Just thinking out loud: It seems all this does when `userSpecifiedConstraints` is a `SSLAlgorithmConstraints` is force the `enableX509..` flag to `true`. So in addition to the obvious thing for `DEFAULT`, you could also return `DEFAULT` for `DEFAULT_SSL_ONLY`. Or more generally: if `userSpecifiedConstraints instanceof SSLAlgorithmConstraints` then you could either return `userSpecifiedConstraints` as-is if `enabledX509DisabledAlgConstraints` is `true` or else return a clone of it with `enabledX509DisabledAlgConstraints` set to `true`.

While this is technically true, `SSLAlgorithmConstraints` is an internal class, so it's very unlikely that we will ever get `SSLAlgorithmConstraints` other than `DEFAULT` here.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8199


More information about the security-dev mailing list