Daniel Jeliński d8446b4f60 8284694: Avoid evaluating SSLAlgorithmConstraints twice
Reviewed-by: redestad, xuelei, coffeys
2022-04-20 18:15:16 +00:00

185 lines
6.4 KiB
Java

/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package org.openjdk.bench.java.security;
import org.openjdk.jmh.annotations.Benchmark;
import org.openjdk.jmh.annotations.BenchmarkMode;
import org.openjdk.jmh.annotations.Fork;
import org.openjdk.jmh.annotations.Level;
import org.openjdk.jmh.annotations.Measurement;
import org.openjdk.jmh.annotations.Mode;
import org.openjdk.jmh.annotations.OutputTimeUnit;
import org.openjdk.jmh.annotations.Param;
import org.openjdk.jmh.annotations.Scope;
import org.openjdk.jmh.annotations.Setup;
import org.openjdk.jmh.annotations.State;
import org.openjdk.jmh.annotations.TearDown;
import org.openjdk.jmh.annotations.Warmup;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;
@BenchmarkMode(Mode.Throughput)
@OutputTimeUnit(TimeUnit.SECONDS)
@State(Scope.Benchmark)
public class SSLHandshake {
private SSLContext sslc;
private SSLEngine clientEngine;
private ByteBuffer clientOut = ByteBuffer.allocate(5);
private ByteBuffer clientIn = ByteBuffer.allocate(1 << 15);
private SSLEngine serverEngine;
private ByteBuffer serverOut = ByteBuffer.allocate(5);
private ByteBuffer serverIn = ByteBuffer.allocate(1 << 15);
private ByteBuffer cTOs = ByteBuffer.allocateDirect(1 << 16);
private ByteBuffer sTOc = ByteBuffer.allocateDirect(1 << 16);
@Param({"true", "false"})
boolean resume;
@Param({"TLSv1.2", "TLS"})
String tlsVersion;
@Setup(Level.Trial)
public void init() throws Exception {
KeyStore ks = TestCertificates.getKeyStore();
KeyStore ts = TestCertificates.getTrustStore();
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, new char[0]);
TrustManagerFactory tmf =
TrustManagerFactory.getInstance("SunX509");
tmf.init(ts);
SSLContext sslCtx = SSLContext.getInstance(tlsVersion);
sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
sslc = sslCtx;
}
private HandshakeStatus checkResult(SSLEngine engine, SSLEngineResult result) {
HandshakeStatus hsStatus = result.getHandshakeStatus();
if (hsStatus == HandshakeStatus.NEED_TASK) {
Runnable runnable;
while ((runnable = engine.getDelegatedTask()) != null) {
runnable.run();
}
hsStatus = engine.getHandshakeStatus();
}
return hsStatus;
}
/**
* This benchmark measures the time needed to perform a TLS handshake.
* Data is exchanged using a pair of ByteBuffers.
* The client and the server both operate on the same thread.
*/
@Benchmark
@Warmup(iterations = 5, time = 5, timeUnit = TimeUnit.SECONDS)
@Measurement(iterations = 5, time = 5, timeUnit = TimeUnit.SECONDS)
@Fork(3)
public SSLSession doHandshake() throws Exception {
createSSLEngines();
boolean isCtoS = true;
for (;;) {
HandshakeStatus result;
if (isCtoS) {
result = checkResult(clientEngine,
clientEngine.wrap(clientOut, cTOs)
);
cTOs.flip();
checkResult(serverEngine,
serverEngine.unwrap(cTOs, serverIn)
);
cTOs.compact();
if (result == HandshakeStatus.NEED_UNWRAP) {
isCtoS = false;
} else if (result == HandshakeStatus.FINISHED) {
break;
} else if (result != HandshakeStatus.NEED_WRAP) {
throw new Exception("Unexpected result "+result);
}
} else {
result = checkResult(serverEngine,
serverEngine.wrap(serverOut, sTOc)
);
sTOc.flip();
checkResult(clientEngine,
clientEngine.unwrap(sTOc, clientIn)
);
sTOc.compact();
if (result == HandshakeStatus.NEED_UNWRAP) {
isCtoS = true;
} else if (result == HandshakeStatus.FINISHED) {
break;
} else if (result != HandshakeStatus.NEED_WRAP) {
throw new Exception("Unexpected result "+result);
}
}
}
SSLSession session = clientEngine.getSession();
if (resume) {
// TLS 1.3 needs another wrap/unwrap to deliver a session ticket
serverEngine.wrap(serverOut, sTOc);
sTOc.flip();
clientEngine.unwrap(sTOc, clientIn);
sTOc.compact();
} else {
// invalidate TLS1.2 session. TLS 1.3 doesn't care
session.invalidate();
}
return session;
}
private void createSSLEngines() {
/*
* Configure the serverEngine to act as a server in the SSL/TLS
* handshake.
*/
serverEngine = sslc.createSSLEngine();
serverEngine.setUseClientMode(false);
/*
* Similar to above, but using client mode instead.
*/
clientEngine = sslc.createSSLEngine("client", 80);
clientEngine.setUseClientMode(true);
}
}