/* * Copyright (c) 2022, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package org.openjdk.bench.java.security; import org.openjdk.jmh.annotations.Benchmark; import org.openjdk.jmh.annotations.BenchmarkMode; import org.openjdk.jmh.annotations.Fork; import org.openjdk.jmh.annotations.Level; import org.openjdk.jmh.annotations.Measurement; import org.openjdk.jmh.annotations.Mode; import org.openjdk.jmh.annotations.OutputTimeUnit; import org.openjdk.jmh.annotations.Param; import org.openjdk.jmh.annotations.Scope; import org.openjdk.jmh.annotations.Setup; import org.openjdk.jmh.annotations.State; import org.openjdk.jmh.annotations.Warmup; import java.nio.ByteBuffer; import java.security.KeyStore; import java.util.concurrent.TimeUnit; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLEngineResult.HandshakeStatus; import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManagerFactory; @BenchmarkMode(Mode.Throughput) @OutputTimeUnit(TimeUnit.SECONDS) @State(Scope.Thread) @Warmup(iterations = 5, time = 5) @Measurement(iterations = 5, time = 5) @Fork(value = 3) public class SSLHandshake { // one global server context private static final SSLContext sslServerCtx = getServerContext(); // per-thread client contexts private SSLContext sslClientCtx; private SSLEngine clientEngine; private ByteBuffer clientOut = ByteBuffer.allocate(5); private ByteBuffer clientIn = ByteBuffer.allocate(1 << 15); private SSLEngine serverEngine; private ByteBuffer serverOut = ByteBuffer.allocate(5); private ByteBuffer serverIn = ByteBuffer.allocate(1 << 15); private ByteBuffer cTOs = ByteBuffer.allocateDirect(1 << 16); private ByteBuffer sTOc = ByteBuffer.allocateDirect(1 << 16); @Param({"true", "false"}) boolean resume; @Param({"TLSv1.2", "TLS"}) String tlsVersion; private static SSLContext getServerContext() { try { KeyStore ks = TestCertificates.getKeyStore(); KeyManagerFactory kmf = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm()); kmf.init(ks, new char[0]); SSLContext sslCtx = SSLContext.getInstance("TLS"); sslCtx.init(kmf.getKeyManagers(), null, null); return sslCtx; } catch (Exception e) { throw new RuntimeException(e); } } @Setup(Level.Trial) public void init() throws Exception { KeyStore ts = TestCertificates.getTrustStore(); TrustManagerFactory tmf = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ts); SSLContext sslCtx = SSLContext.getInstance(tlsVersion); sslCtx.init(null, tmf.getTrustManagers(), null); sslClientCtx = sslCtx; } private HandshakeStatus checkResult(SSLEngine engine, SSLEngineResult result) { HandshakeStatus hsStatus = result.getHandshakeStatus(); if (hsStatus == HandshakeStatus.NEED_TASK) { Runnable runnable; while ((runnable = engine.getDelegatedTask()) != null) { runnable.run(); } hsStatus = engine.getHandshakeStatus(); } return hsStatus; } /** * This benchmark measures the time needed to perform a TLS handshake. * Data is exchanged using a pair of ByteBuffers. * The client and the server both operate on the same thread. */ @Benchmark public SSLSession doHandshake() throws Exception { createSSLEngines(); boolean isCtoS = true; for (;;) { HandshakeStatus result; if (isCtoS) { result = checkResult(clientEngine, clientEngine.wrap(clientOut, cTOs) ); cTOs.flip(); checkResult(serverEngine, serverEngine.unwrap(cTOs, serverIn) ); cTOs.compact(); if (result == HandshakeStatus.NEED_UNWRAP) { isCtoS = false; } else if (result == HandshakeStatus.FINISHED) { break; } else if (result != HandshakeStatus.NEED_WRAP) { throw new Exception("Unexpected result "+result); } } else { result = checkResult(serverEngine, serverEngine.wrap(serverOut, sTOc) ); sTOc.flip(); checkResult(clientEngine, clientEngine.unwrap(sTOc, clientIn) ); sTOc.compact(); if (result == HandshakeStatus.NEED_UNWRAP) { isCtoS = true; } else if (result == HandshakeStatus.FINISHED) { break; } else if (result != HandshakeStatus.NEED_WRAP) { throw new Exception("Unexpected result "+result); } } } SSLSession session = clientEngine.getSession(); if (resume) { // TLS 1.3 needs another wrap/unwrap to deliver a session ticket serverEngine.wrap(serverOut, sTOc); sTOc.flip(); clientEngine.unwrap(sTOc, clientIn); sTOc.compact(); } else { // invalidate TLS1.2 session. TLS 1.3 doesn't care session.invalidate(); } return session; } private void createSSLEngines() { /* * Configure the serverEngine to act as a server in the SSL/TLS * handshake. */ serverEngine = sslServerCtx.createSSLEngine(); serverEngine.setUseClientMode(false); /* * Similar to above, but using client mode instead. */ clientEngine = sslClientCtx.createSSLEngine("client", 80); clientEngine.setUseClientMode(true); } }