Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid duplicate dir search #24140

Closed
wants to merge 1 commit into from
Closed

Avoid duplicate dir search #24140

wants to merge 1 commit into from

Conversation

vdukhovni
Copy link

This avoids adding the default CApath to the list of sources for "store" lookups, it is already on the legacy directory search list.

Is including the default search directory (or else the SSL_CERT_DIR environment variable value) in the store lookup list required in some situations???

Note, this is based on PR #24139 that fixes tests that failed (depending on time of day), while testing this PR.

@vdukhovni vdukhovni linked an issue Apr 16, 2024 that may be closed by this pull request
Slow response when using the store X509_LOOKUP method #21067
Closed
@t8m t8m added branch: master Merge to master branch approval: otc review pending This pull request needs review by an OTC member tests: exempted The PR is exempt from requirements for testing triaged: performance The issue/pr reports/fixes a performance concern labels Apr 16, 2024
levitte
levitte reviewed Apr 16, 2024
View reviewed changes
crypto/x509/x509_d2.c Outdated Show resolved Hide resolved
@vdukhovni vdukhovni force-pushed the avoid-duplicate-dir-search branch 3 times, most recently from a307c9f to 9805c4f Compare April 17, 2024 17:17
@vdukhovni
Copy link
Author

vdukhovni commented Apr 17, 2024
edited
Loading

Performance comparison from x509storeissuer, with thread counts of 1, 10, 100 and 1000:

Baseline is master without this PR. The "no-deprecated" numbers are also without this PR, but with "no-deprecated" passed to Configure. It seems the vast majority of the performance impact is from all the logic around trying to find a legacy engine that supports the URI scheme!

IMHO the URI schemes should still be eagerly resolved to their lookup methods at the time the URI is added to the store, rather than during the lookup. Are there compelling reasons to defer the binding? In any case, perhaps we can remove the legacy engine support from the store code, sooner rather than later?

Threads Baseline (us) PR (us) no-deprecated (us)
1 3107 1459 2779
10 8505 2432 4323
100 156688 2560 12286
1000 1382203 2501 4695

@vdukhovni
Copy link
Author

I think this is ready for review (see updated comment above). Dropping legacy engine support from the store is I think a separate issue, that can be tackled in another PR... @levitte perhaps?

Sashan
Sashan approved these changes Apr 17, 2024
View reviewed changes
Copy link
Contributor

@Sashan Sashan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for fixing the tests. I think I've hit this bug earlier this week when running tests late in night my time.

@vdukhovni
Copy link
Author

thanks for fixing the tests. I think I've hit this bug earlier this week when running tests late in night my time.

Note that the test fixes are a separate PR that is a merge-base for this one. Once that is merged, this will be rebased to contain only the last commit. The base PR has two approvals, so I hope will be merged shortly.

levitte
levitte reviewed Apr 18, 2024
View reviewed changes
crypto/x509/x509_d2.c Outdated
Comment on lines 30 to 34
/*
* Also search the default store URIs, if any, but
* DO NOT add the default search directory also to this lookup,
* such a second search would be slower and redundant.
*/
Copy link
Member

@levitte levitte Apr 18, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At this point, is this comment still needed? Considering that adding the default search directory happened somewhere else (unknown to the code in this function), this comment is a bit confusing here. Perhaps it should be moved to crypto/x509/by_store.c, as a reminder not to remake that mistake?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reworked and moved the comment.

@levitte
Copy link
Member

levitte commented Apr 18, 2024

I think this is ready for review (see updated comment above). Dropping legacy engine support from the store is I think a separate issue, that can be tackled in another PR... @levitte perhaps?

That would be a breaking change for anyone still using an engine with a scheme implementation. I believe that the pkcs11 engine is one of those... no? Anyway, that would defer such a change to OpenSSL 4.0 at the earliest, and should probably happen in sync with general removal of engine support (which is currently only deprecated).

@levitte
Copy link
Member

levitte commented Apr 18, 2024
edited
Loading

IMHO the URI schemes should still be eagerly resolved to their lookup methods at the time the URI is added to the store, rather than during the lookup. Are there compelling reasons to defer the binding?

This sounds like a "what function to use" question, really. We have two functions to add a URI to a OSSL_STORE lookup:

  • X509_LOOKUP_add_store_ex(), which just adds the URI to an internal list, from which objects will be loaded later. This is the lazy function.
  • X509_LOOKUP_load_store_ex(), which loads all objects from the given URI immediately. This is the eager function.

So it seems to me that the choice is left to the user.

But, perhaps you're trying to say that we should use X509_LOOKUP_load_store_ex() in X509_STORE_set_default_paths_ex(), rather than X509_LOOKUP_add_store_ex()?

@t8m
Copy link
Member

t8m commented Apr 18, 2024

Please rebase as the test fix PR was merged.

mattcaswell
mattcaswell reviewed Apr 18, 2024
View reviewed changes
crypto/x509/by_store.c
argp = X509_get_default_cert_dir();

{
if (argp != NULL) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So is this a change in behaviour in the case that someone only adds the store lookup? i.e. could it break someone relying on this?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, they'd have to add some actual URIs to get anything to happen. I believe that's the right behaviour, but yes, it is different. One might for example ask why only the CApath and not the CAfile defaults into the store...

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

... One might for example ask why only the CApath and not the CAfile defaults into the store...

That was 100% arbitrary, "I have a hunch" style.

@vdukhovni
Copy link
Author

Please rebase as the test fix PR was merged.

Done.

@vdukhovni
Copy link
Author

Nudging reviewers... I believe this is ready.

t8m
t8m approved these changes Apr 24, 2024
View reviewed changes
Copy link
Member

@t8m t8m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nhorman please reconfirm

@t8m t8m added approval: review pending This pull request needs review by a committer and removed approval: otc review pending This pull request needs review by an OTC member labels Apr 24, 2024
@nhorman
Copy link
Contributor

nhorman commented Apr 24, 2024

reconfirmed, approval holds

@t8m t8m added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Apr 24, 2024
@openssl-machine openssl-machine added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels Apr 25, 2024
@openssl-machine
Copy link
Collaborator

This pull request is ready to merge

@t8m
Copy link
Member

t8m commented Apr 26, 2024

Merged to the master branch. Thank you.

@t8m t8m closed this Apr 26, 2024
openssl-machine pushed a commit that referenced this pull request Apr 26, 2024
@t8m
Avoid duplicate default CApath lookups
6d01857 
Fixes #21067

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #24140)
@nhorman nhorman mentioned this pull request May 24, 2024
Open
jvdsn pushed a commit to jvdsn/openssl that referenced this pull request Jun 3, 2024
@jvdsn
Avoid duplicate default CApath lookups
02d0e29 
Fixes openssl#21067

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#24140)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@levitte levitte levitte left review comments

@mattcaswell mattcaswell mattcaswell left review comments

@Sashan Sashan Sashan approved these changes

@nhorman nhorman nhorman approved these changes

@t8m t8m t8m approved these changes

Assignees
No one assigned
Labels
approval: ready to merge The 24 hour grace period has passed, ready to merge branch: master Merge to master branch tests: exempted The PR is exempt from requirements for testing triaged: performance The issue/pr reports/fixes a performance concern
Projects
Project Board
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Slow response when using the store X509_LOOKUP method
7 participants
@vdukhovni @levitte @t8m @nhorman @openssl-machine @Sashan @mattcaswell