x509storeissuer update #50
Conversation
source/x509storeissuer.c
Outdated
| td->q_data[quantiles - 1].count = count; | ||
| td->q_data[quantiles - 1].end_time = time; | ||
|
|
||
| err: |
There was a problem hiding this comment.
ci seems to be unhappy because of this. I would try to add return; or just empty statement ;. finge cross.
esyr
force-pushed
the
esyr/x509storeissuer-update
branch
2 times, most recently
from
d1454e0 to
b327824
Compare
Signed-off-by: Eugene Syromiatnikov <[email protected]>
Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
force-pushed
the
esyr/x509storeissuer-update
branch
from
b327824 to
1206f0b
Compare
esyr
force-pushed
the
esyr/x509storeissuer-update
branch
from
1206f0b to
3001309
Compare
Signed-off-by: Eugene Syromiatnikov <[email protected]>
Signed-off-by: Eugene Syromiatnikov <[email protected]>
… function Signed-off-by: Eugene Syromiatnikov <[email protected]>
There was a problem hiding this comment.
May be I would move the recent changeset which populates store with certificates to separate PR. so we can get at least some changes in and fine tune new set of changes. that's just suggestions. but it feels like here we are just piling up more and more code.
source/x509storeissuer.c
Outdated
| */ | ||
|
|
||
| #include <stdlib.h> | ||
| #include <dirent.h> |
There was a problem hiding this comment.
I'm afraid including dirent.h won't fly on windows.
…ration Signed-off-by: Eugene Syromiatnikov <[email protected]>
Signed-off-by: Eugene Syromiatnikov <[email protected]>
Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
force-pushed
the
esyr/x509storeissuer-update
branch
from
3001309 to
3fad4c2
Compare
Signed-off-by: Eugene Syromiatnikov <[email protected]>
Signed-off-by: Eugene Syromiatnikov <[email protected]>
While querying system time is usually cheap on Linux on IA-32, that might not be the case elsewhere, and that might impact the cost of the loop iteration significantly, as the measured call time is quite small (in the order of a microsecond). Signed-off-by: Eugene Syromiatnikov <[email protected]>
…mmering the common counts array's cache line Signed-off-by: Eugene Syromiatnikov <[email protected]>
…nt and report successful calls Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
force-pushed
the
esyr/x509storeissuer-update
branch
from
3fad4c2 to
ccbb791
Compare
…e store Signed-off-by: Eugene Syromiatnikov <[email protected]>
Signed-off-by: Eugene Syromiatnikov <[email protected]>
…bosity level is DEBUG_STATS or higher Signed-off-by: Eugene Syromiatnikov <[email protected]>
Signed-off-by: Eugene Syromiatnikov <[email protected]>
Signed-off-by: Eugene Syromiatnikov <[email protected]>
Signed-off-by: Eugene Syromiatnikov <[email protected]>
…the run Signed-off-by: Eugene Syromiatnikov <[email protected]>
Signed-off-by: Eugene Syromiatnikov <[email protected]>
Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
force-pushed
the
esyr/x509storeissuer-update
branch
from
ccbb791 to
4b335f7
Compare
| static unsigned char out[64]; | ||
| size_t len; | ||
|
|
||
| len = rand() % (sizeof(out) - 2) + 1; |
There was a problem hiding this comment.
What happens here if rand() returns a value that is a multiple of sizeof(out) - 2? Don't we then just get an empty string for the issuer or subject name? Is that a problem?
| fprintf(stderr, "Added %zu generated certificates to the store\n", | ||
| num_store_gen_certs); | ||
|
|
||
| num_certs += read_certsdirs(argv + dirs_start, argc - dirs_start - 1, |
There was a problem hiding this comment.
So, I'm a bit confused here. Most of this code that targets x509storeissuer is about dynamically generating certificates at run time. Are we also allowing the loading of a certificate directory from disk? If we are allowing both, would it make more sense to move the dynamic generation to an external script in the repository, so that we can just support reading from disk in the code, and create any dynamic certs via the aforementioned script?
There was a problem hiding this comment.
I guess it makes sense. The idea behind generating them in the test was to have control over the contents of the certificates, but that can just as well achieved by an external script.
|
|
||
| #include <stdarg.h> | ||
| # if !defined(_WIN32) | ||
|
|
There was a problem hiding this comment.
nit: we don't do new lines around the ifdefs
source/x509storeissuer.c
Outdated
| goto err; | ||
| } | ||
| if (cert == NULL) | ||
| errx(EXIT_FAILURE, "Failed to allocate cert path"); |
There was a problem hiding this comment.
You're missing goto err on every errx.
There was a problem hiding this comment.
errx() does exit() so goto won't be executed.
|
|
||
| return ret; | ||
| } | ||
|
|
There was a problem hiding this comment.
Can you move it to libperf? It's used in other tests, and that should be fixed in other tests in another PR.
source/x509storeissuer.c
Outdated
| fprintf(stderr, | ||
| "Usage: %s [-t] [-v] [-T time] [-n nonce_type:type_args] " | ||
| "certsdir threadcount\n" | ||
| "certsdir [certsdir...] threadcount\n" |
| counts[num]++; | ||
| time = ossl_time_now(); | ||
| if ((count & 0x3f) == 0) | ||
| time = ossl_time_now(); |
There was a problem hiding this comment.
Please keep it aligned with other tests. If there is an issue, create a new ticket where we can discuss it.
| if (ctx == NULL || !X509_STORE_CTX_init(ctx, store, x509, NULL)) { | ||
| printf("Failed to initialise X509_STORE_CTX\n"); | ||
| err = 1; | ||
| alg = p ? *alg_storage = OPENSSL_strndup(algstr, p - algstr) : algstr; |
There was a problem hiding this comment.
I wonder if there should also be OPENSSL_strdup(algstr) in false branch.
| return ctx; | ||
|
|
||
| err: | ||
| EVP_PKEY_CTX_free(ctx); |
There was a problem hiding this comment.
shall we do
OPENSSL_free(alg);
*alg_storage = NULL;
it does not matter much now because program is going to terminate when failure happens here.
| static unsigned char out[64]; | ||
| size_t len; | ||
|
|
||
| len = rand() % (sizeof(out) - 2) + 1; |
There was a problem hiding this comment.
shall we care if rand() returns 0 here making the function to yield an empty string?
| int error = 1; | ||
|
|
||
| cert = X509_new(); | ||
| if (!cert) { |
There was a problem hiding this comment.
NIT: in function make_pkey_ctx() we use == NULL / != NULL to compare pointers. either way is fine with me as long as it is used consistently. Well I have slight preference to use == NULL over !x
thanks.
| X509 *x509_nonce = X509_new(); | ||
| X509_NAME *x509_name_nonce = NULL; | ||
|
|
||
| if (!x509_nonce) |
| #if defined(_WIN32) | ||
| /* | ||
| * So, we don't try to concatenate the provided path with the directory | ||
| * paths if the path start with the following: |
There was a problem hiding this comment.
I think it should be ...the path starts
| { | ||
| X509 *x509 = NULL; | ||
| char *path = NULL; | ||
| size_t ret = 1; |
There was a problem hiding this comment.
I think ret should be initialized to 0 here.
| static void | ||
| do_x509storeissuer(size_t num) | ||
| { | ||
| struct thread_data *td = thread_data + num; |
There was a problem hiding this comment.
would it be possible to do td = &thread_data[num]; thanks.
|
openssl head 0ab2ece0a2025ebdea1f94744424ef89ffb9a2b0 ./Configure --banner=Configured --strict-warningsMain branch $ ./x509storeissuer -t /Users/npajkovsky/openssl/openssl/test/certs 8
1.981555Your branch $ ./x509storeissuer -t /Users/npajkovsky/openssl/openssl/test/certs 8
4.663879There is something that changes the behaviour of the test that we already have publicly available. |
|
hmm, this is actually a very good point. I think the whole statistics machinery deserves some explanation in comment. I see the difference, but otherway round: |
| issuer = NULL; | ||
| } | ||
|
|
||
| count++; |
There was a problem hiding this comment.
I found the code block which starts at 769 as pretty dense. it perhaps deserves some comment here. my understanding is that the whole idea is to divide the collection of statistics to evenly distributed samples (quantiles). The current setting is there are 5 quantiles for the whole duration of test which is 5 secs.
the line here just makes we check the elapsed time only once in a while (count 0x3f). If time collection interval ellapses, then we save a sample (quantile) for elapsed interval.
and one important detail to mention here is that when tool is running with -t option, terse mode there is just one quantile (quantile = 1) which covers the whole test duration. no split to evenly distributed intervals happens.
| td->q_data[q].found = found; | ||
| td->q_data[q].added_certs = add; | ||
| td->q_data[q].end_time = time; | ||
| q_end.t = (duration.t * (++q + 1)) / quantiles + td->start_time.t; |
There was a problem hiding this comment.
here we calculate the time when to collect the next sample. ++q + 1 prevents 0 (which might be interpreted as now in current logic at line 771.
|
@npajkovsky given that this change introduces a population of the X509_STORE that we are testing (i.e. with this change we're actually iterating over lots of certificates. vs no certificates), I would expect some level of run time increase (though a 4x slowdown is odd). Weather or not we should set the default NUM_KEYS value to 16 vs 0 is probably the question to answer here. |
I'm going to change the defaults so it still measures the time against an empty store, so the additional measurements can be added separately. |
Number of certificates in the store should not matter much. X509_STORE is using hastable which maps certificate's |
|
The difference between performance is because the original code didn't find the certificate, while @esyr code finds it. That triggers a bit of different code paths which we can measure.
|
|
Also, there are two leaks. |
4 participants
This patch set slightly updates the
x509storeissuertest to actually populate the store with certificates, and provides additional modes of operation and measurement data (when requested).Resolves: openssl/project#1529