-
-
Notifications
You must be signed in to change notification settings - Fork 10k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Avoid duplicate dir search #24140
Avoid duplicate dir search #24140
Conversation
a307c9f
to
9805c4f
Compare
Performance comparison from Baseline is master without this PR. The "no-deprecated" numbers are also without this PR, but with "no-deprecated" passed to Configure. It seems the vast majority of the performance impact is from all the logic around trying to find a legacy engine that supports the URI scheme! IMHO the URI schemes should still be eagerly resolved to their lookup methods at the time the URI is added to the store, rather than during the lookup. Are there compelling reasons to defer the binding? In any case, perhaps we can remove the legacy engine support from the store code, sooner rather than later?
|
I think this is ready for review (see updated comment above). Dropping legacy engine support from the store is I think a separate issue, that can be tackled in another PR... @levitte perhaps? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for fixing the tests. I think I've hit this bug earlier this week when running tests late in night my time.
Note that the test fixes are a separate PR that is a merge-base for this one. Once that is merged, this will be rebased to contain only the last commit. The base PR has two approvals, so I hope will be merged shortly. |
crypto/x509/x509_d2.c
Outdated
/* | ||
* Also search the default store URIs, if any, but | ||
* DO NOT add the default search directory also to this lookup, | ||
* such a second search would be slower and redundant. | ||
*/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At this point, is this comment still needed? Considering that adding the default search directory happened somewhere else (unknown to the code in this function), this comment is a bit confusing here. Perhaps it should be moved to crypto/x509/by_store.c
, as a reminder not to remake that mistake?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reworked and moved the comment.
That would be a breaking change for anyone still using an engine with a scheme implementation. I believe that the pkcs11 engine is one of those... no? Anyway, that would defer such a change to OpenSSL 4.0 at the earliest, and should probably happen in sync with general removal of engine support (which is currently only deprecated). |
This sounds like a "what function to use" question, really. We have two functions to add a URI to a OSSL_STORE lookup:
So it seems to me that the choice is left to the user. But, perhaps you're trying to say that we should use |
Please rebase as the test fix PR was merged. |
argp = X509_get_default_cert_dir(); | ||
|
||
{ | ||
if (argp != NULL) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So is this a change in behaviour in the case that someone only adds the store lookup? i.e. could it break someone relying on this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, they'd have to add some actual URIs to get anything to happen. I believe that's the right behaviour, but yes, it is different. One might for example ask why only the CApath and not the CAfile defaults into the store...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
... One might for example ask why only the CApath and not the CAfile defaults into the store...
That was 100% arbitrary, "I have a hunch" style.
9805c4f
to
6114b67
Compare
Done. |
Nudging reviewers... I believe this is ready. |
6114b67
to
6868ca1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nhorman please reconfirm
reconfirmed, approval holds |
This pull request is ready to merge |
Merged to the master branch. Thank you. |
Fixes openssl#21067 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#24140)
This avoids adding the default CApath to the list of sources for "store" lookups, it is already on the legacy directory search list.
Is including the default search directory (or else the
SSL_CERT_DIR
environment variable value) in the store lookup list required in some situations???Note, this is based on PR #24139 that fixes tests that failed (depending on time of day), while testing this PR.