From 424c7e64c3c6b55568705b97a963da96d5ec8d26 Mon Sep 17 00:00:00 2001 From: Eric Anderson Date: Wed, 3 Jun 2015 09:49:19 -0700 Subject: [PATCH] Avoid GCM in unit tests GCM is very slow, and doesn't provide any benefit in unit tests. Even if we were using tcnative and GCM is fast, using more available ciphers in tests still makes sense. With this change building with Java 7 works again, although that isn't the reason for the change. On my machine with parallel building, it cuts full build time from 92 seconds to 39 seconds. For an incremental build after only changing an interop test, the build time is cut from 73 seconds to 15 seconds. --- .../testing/integration/Http2NettyTest.java | 13 ++++++--- .../testing/integration/Http2OkHttpTest.java | 15 ++++++++-- .../netty/NettyClientTransportTest.java | 7 +++-- .../main/java/io/grpc/testing/TestUtils.java | 28 +++++++++++++++++++ 4 files changed, 55 insertions(+), 8 deletions(-) diff --git a/interop-testing/src/test/java/io/grpc/testing/integration/Http2NettyTest.java b/interop-testing/src/test/java/io/grpc/testing/integration/Http2NettyTest.java index 504c8157c2..23d07d11d0 100644 --- a/interop-testing/src/test/java/io/grpc/testing/integration/Http2NettyTest.java +++ b/interop-testing/src/test/java/io/grpc/testing/integration/Http2NettyTest.java @@ -36,6 +36,7 @@ import io.grpc.testing.TestUtils; import io.grpc.transport.netty.GrpcSslContexts; import io.grpc.transport.netty.NettyChannelBuilder; import io.grpc.transport.netty.NettyServerBuilder; +import io.netty.handler.ssl.SupportedCipherSuiteFilter; import org.junit.AfterClass; import org.junit.BeforeClass; 
@@ -56,8 +57,10 @@ public class Http2NettyTest extends AbstractTransportTest { public static void startServer() { try { startStaticServer(NettyServerBuilder.forPort(serverPort) - .sslContext(GrpcSslContexts.forServer( - TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key")).build())); + .sslContext(GrpcSslContexts + .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key")) + .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE) + .build())); } catch (IOException ex) { throw new RuntimeException(ex); } @@ -73,8 +76,10 @@ public class Http2NettyTest extends AbstractTransportTest { try { return NettyChannelBuilder .forAddress(TestUtils.testServerAddress(serverPort)) - .sslContext(GrpcSslContexts.forClient().trustManager( - TestUtils.loadCert("ca.pem")).build()) + .sslContext(GrpcSslContexts.forClient() + .trustManager(TestUtils.loadCert("ca.pem")) + .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE) + .build()) .build(); } catch (Exception ex) { throw new RuntimeException(ex); diff --git a/interop-testing/src/test/java/io/grpc/testing/integration/Http2OkHttpTest.java b/interop-testing/src/test/java/io/grpc/testing/integration/Http2OkHttpTest.java index b2b8b71421..d3af1b063c 100644 --- a/interop-testing/src/test/java/io/grpc/testing/integration/Http2OkHttpTest.java +++ b/interop-testing/src/test/java/io/grpc/testing/integration/Http2OkHttpTest.java @@ -31,11 +31,16 @@ package io.grpc.testing.integration; +import com.squareup.okhttp.ConnectionSpec; +import com.squareup.okhttp.TlsVersion; + import io.grpc.ChannelImpl; import io.grpc.testing.TestUtils; import io.grpc.transport.netty.GrpcSslContexts; import io.grpc.transport.netty.NettyServerBuilder; import io.grpc.transport.okhttp.OkHttpChannelBuilder; +import io.grpc.transport.okhttp.OkHttpClientTransport; +import io.netty.handler.ssl.SupportedCipherSuiteFilter; import org.junit.AfterClass; import org.junit.BeforeClass; 
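Review bot: With `.ciphers(TestUtils.preferredTestCiphers(), ...)` on both the server in startServer() and the client in createChannel(), no test in this file still negotiates with the cipher list GrpcSslContexts would choose on its own, so a regression in that default TLS configuration would go unnoticed; the same applies to the `.ciphers(...)` additions in Http2OkHttpTest and NettyClientTransportTest. The suites left after dropping GCM are likely mostly CBC suites, which RFC 7540 Appendix A lists as prohibited for HTTP/2, so a stricter peer could legitimately refuse them. I would keep at least one handshake test on the default ciphers and mark the override where it is applied, e.g. `// Test-only speed-up: non-GCM suites, not the production cipher list.` Both method bodies close outside these hunks.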
@@ -56,8 +61,10 @@ public class Http2OkHttpTest extends AbstractTransportTest { public static void startServer() throws Exception { try { startStaticServer(NettyServerBuilder.forPort(serverPort) - .sslContext(GrpcSslContexts.forServer( - TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key")).build())); + .sslContext(GrpcSslContexts + .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key")) + .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE) + .build())); } catch (IOException ex) { throw new RuntimeException(ex); } @@ -71,6 +78,10 @@ public class Http2OkHttpTest extends AbstractTransportTest { @Override protected ChannelImpl createChannel() { OkHttpChannelBuilder builder = OkHttpChannelBuilder.forAddress("127.0.0.1", serverPort) + .setConnectionSpec(new ConnectionSpec.Builder(OkHttpClientTransport.DEFAULT_CONNECTION_SPEC) + .cipherSuites(TestUtils.preferredTestCiphers().toArray(new String[0])) + .tlsVersions(ConnectionSpec.MODERN_TLS.tlsVersions().toArray(new TlsVersion[0])) + .build()) .overrideHostForAuthority(TestUtils.TEST_SERVER_HOST); try { builder.sslSocketFactory(TestUtils.getSslSocketFactoryForCertainCert( diff --git a/netty/src/test/java/io/grpc/transport/netty/NettyClientTransportTest.java b/netty/src/test/java/io/grpc/transport/netty/NettyClientTransportTest.java index 73f89f1f20..f8aec9b906 100644 --- a/netty/src/test/java/io/grpc/transport/netty/NettyClientTransportTest.java +++ b/netty/src/test/java/io/grpc/transport/netty/NettyClientTransportTest.java @@ -58,6 +58,7 @@ import io.netty.channel.nio.NioEventLoopGroup; import io.netty.channel.socket.nio.NioServerSocketChannel; import io.netty.channel.socket.nio.NioSocketChannel; import io.netty.handler.ssl.SslContext; +import io.netty.handler.ssl.SupportedCipherSuiteFilter; import org.junit.After; import org.junit.Before; 
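Review bot: The `.tlsVersions(ConnectionSpec.MODERN_TLS.tlsVersions().toArray(new TlsVersion[0]))` call in createChannel() replaces whatever TLS versions OkHttpClientTransport.DEFAULT_CONNECTION_SPEC allows, and nothing in the hunk says why. If the default spec pins a narrower set (its definition is not visible here), this test client now also offers protocol versions that a default client would not, which moves the test further from the shipped configuration than the cipher change alone. Either pass `OkHttpClientTransport.DEFAULT_CONNECTION_SPEC.tlsVersions()` so only the cipher list differs, or state the intent at the call: `// Test-only: cipher list and TLS versions differ from DEFAULT_CONNECTION_SPEC.` createChannel's body continues past the hunk.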
@@ -174,7 +175,8 @@ public class NettyClientTransportTest { private NettyClientTransport newTransport() throws IOException { // Create the protocol negotiator. File clientCert = TestUtils.loadCert("ca.pem"); - SslContext clientContext = GrpcSslContexts.forClient().trustManager(clientCert).build(); + SslContext clientContext = GrpcSslContexts.forClient().trustManager(clientCert) + .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE).build(); ProtocolNegotiator negotiator = ProtocolNegotiators.tls(clientContext, address); NettyClientTransport transport = new NettyClientTransport(address, NioSocketChannel.class, @@ -186,7 +188,8 @@ public class NettyClientTransportTest { private void startServer(int maxStreamsPerConnection) throws IOException { File serverCert = TestUtils.loadCert("server1.pem"); File key = TestUtils.loadCert("server1.key"); - SslContext serverContext = GrpcSslContexts.forServer(serverCert, key).build(); + SslContext serverContext = GrpcSslContexts.forServer(serverCert, key) + .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE).build(); server = new NettyServer(address, NioServerSocketChannel.class, group, group, serverContext, maxStreamsPerConnection, DEFAULT_WINDOW_SIZE, DEFAULT_WINDOW_SIZE); diff --git a/testing/src/main/java/io/grpc/testing/TestUtils.java b/testing/src/main/java/io/grpc/testing/TestUtils.java index 9efa5ee0ef..8b173a2030 100644 --- a/testing/src/main/java/io/grpc/testing/TestUtils.java +++ b/testing/src/main/java/io/grpc/testing/TestUtils.java 
@@ -50,10 +50,14 @@ import java.net.InetSocketAddress; import java.net.ServerSocket; import java.net.UnknownHostException; import java.security.KeyStore; +import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; +import java.util.ArrayList; import java.util.Arrays; +import java.util.Collections; import java.util.HashSet; +import java.util.List; import java.util.Set; import javax.net.ssl.SSLContext; @@ -149,6 +153,30 @@ public class TestUtils { throw new RuntimeException(e); } } + + /** + * Returns the ciphers preferred to use during tests. They may be chosen because they are widely + * available or because they are fast. There is no requirement that they provide confidentiality + * or integrity. + */ + public static List preferredTestCiphers() { + String[] ciphers; + try { + ciphers = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites(); + } catch (NoSuchAlgorithmException ex) { + throw new RuntimeException(ex); + } + List ciphersMinusGcm = new ArrayList(); + for (String cipher : ciphers) { + // The GCM implementation in Java is _very_ slow (~1 MB/s) + if (cipher.contains("_GCM_")) { + continue; + } + ciphersMinusGcm.add(cipher); + } + return Collections.unmodifiableList(ciphersMinusGcm); + } + /** * Load a file from the resources folder. *
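Review bot: preferredTestCiphers() is public and lives under testing/src/main, and its Javadoc says the suites need not provide confidentiality or integrity, yet nothing tells a caller the list must stay out of non-test code. I would add a sentence to the Javadoc such as `Never use this list to configure TLS outside of tests.` Separately, on a JVM whose default suites are all GCM the method returns an empty list, and the `.ciphers(...)` callers would then presumably fail at handshake with an error that does not point back here. Failing early is clearer: `if (ciphersMinusGcm.isEmpty()) { throw new IllegalStateException("no non-GCM cipher suites enabled by default"); }` placed before the return.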