RFR: 8284694: Avoid evaluating SSLAlgorithmConstraints twice

Daniel Jeliński djelinski at openjdk.java.net
Wed Apr 13 07:54:14 UTC 2022


On Wed, 13 Apr 2022 06:45:20 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> During TLS handshake, hundreds of constraints are evaluated to determine which cipher suites are usable. Most of the evaluations are performed using `HandshakeContext#algorithmConstraints` object. By default that object contains a `SSLAlgorithmConstraints` instance wrapping another `SSLAlgorithmConstraints` instance. As a result the constraints defined in `SSLAlgorithmConstraints` are evaluated twice.
>> 
>> This PR improves the default case; if the user-specified constraints are left at defaults, we use a single `SSLAlgorithmConstraints` instance, and avoid duplicate checks.
>
> src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line 72:
> 
>> 70:     }
>> 71: 
>> 72:     static AlgorithmConstraints wrap(AlgorithmConstraints userSpecifiedConstraints) {
> 
> I may update all of the constructors so that the accumulation of the reference of userSpecifiedConstraints could be avoid further.
> 
> 
> -       this.userSpecifiedConstraints = userSpecifiedConstraints;
> +       this.userSpecifiedConstraints = userSpecifiedConstraints == DEFAULT ?
> +               null : userSpecifiedConstraints;
> 
> 
> 
> Similar update could be placed in the getUserSpecifiedConstraints() implementation.

Thanks @XueleiFan for the review!
If we do that, this will result in a behavior change for cases where `enabledX509DisabledAlgConstraints` = false; is that okay? Or should we set `enabledX509DisabledAlgConstraints` = true if `userSpecifiedConstraints == DEFAULT`?

-------------

PR: https://git.openjdk.java.net/jdk/pull/8199


More information about the security-dev mailing list