x509storeissuer update

[esyr]

This patch set slightly updates the x509storeissuer test to actually populate the store with certificates, and provides additional modes of operation and measurement data (when requested).

Resolves: openssl/project#1529

[Sashan]

ci seems to be unhappy because of this. I would try to add return; or just empty statement ;. finge cross.

[Sashan]

May be I would move the recent changeset which populates store with certificates to separate PR. so we can get at least some changes in and fine tune new set of changes. that's just suggestions. but it feels like here we are just piling up more and more code.

[Sashan]

I'm afraid including dirent.h won't fly on windows.

[esyr]

Fair enough, made it fly.

[nhorman]

What happens here if rand() returns a value that is a multiple of sizeof(out) - 2? Don't we then just get an empty string for the issuer or subject name? Is that a problem?

[esyr]

That's why +1 at the end.

[nhorman]

So, I'm a bit confused here. Most of this code that targets x509storeissuer is about dynamically generating certificates at run time. Are we also allowing the loading of a certificate directory from disk? If we are allowing both, would it make more sense to move the dynamic generation to an external script in the repository, so that we can just support reading from disk in the code, and create any dynamic certs via the aforementioned script?

[esyr]

I guess it makes sense. The idea behind generating them in the test was to have control over the contents of the certificates, but that can just as well be achieved by an external script.

[esyr]

The loading has been reworked to include -l/-L/-E options, the certificate generation patches have been dropped.

[npajkovsky]

nit: we don't do new lines around the ifdefs

[npajkovsky]

You're missing goto err on every errx.

[Sashan]

errx() does exit() so goto won't be executed.

[npajkovsky]

Can you move it to libperf? It's used in other tests, and that should be fixed in other tests in another PR.

[esyr]

Will do a separate PR for that.

[npajkovsky]

Why do we need another certsdir?

[esyr]

Initially it was in order to avoid the need to combine the cert dirs outside the test, now it's more to get ability to point to a generated certs dir in addition to initially loaded ones.

[npajkovsky]

Please keep it aligned with other tests. If there is an issue, create a new ticket where we can discuss it.

[esyr]

Since the were no observed benefit on MacOS after all, the patch has been dropped.

[Sashan]

looks good in general. I could spot few nits which I think are worth to address.

[Sashan]

I wonder if there should also be OPENSSL_strdup(algstr) in false branch.

[esyr]

The offending code has been dropped after the latest changes.

[Sashan]

shall we do

OPENSSL_free(alg);
*alg_storage = NULL;

it does not matter much now because program is going to terminate when failure happens here.

[esyr]

Ditto here.

[Sashan]

shall we care if rand() returns 0 here making the function to yield an empty string?

[esyr]

Ditto here.

[Sashan]

NIT: in function make_pkey_ctx() we use == NULL / != NULL to compare pointers. either way is fine with me as long as it is used consistently. Well I have slight preference to use == NULL over !x
thanks.

[esyr]

Ditto here.

[Sashan]

== NULL ?

[esyr]

Ditto here.

[Sashan]

I think it should be ...the path starts

[Sashan]

I think ret should be initialized to 0 here.

[esyr]

Yes, that's correct, fixed.

[Sashan]

would it be possible to do td = &thread_data[num]; thanks.

[npajkovsky]

openssl head 0ab2ece0a2025ebdea1f94744424ef89ffb9a2b0

./Configure --banner=Configured --strict-warnings

Main branch

$ ./x509storeissuer -t /Users/npajkovsky/openssl/openssl/test/certs 8
1.981555

Your branch

$ ./x509storeissuer -t /Users/npajkovsky/openssl/openssl/test/certs 8
4.663879

There is something that changes the behaviour of the test that we already have publicly available.

[Sashan]

hmm, this is actually a very good point. I think the whole statistics machinery deserves some explanation in comment.

I see the difference, but otherway round:

lifty$ ./x509storeissuer -t /home/sashan/work.openssl/QUIC/openssl.sashan/test/certs/ 8
10.218173
lifty$ cd ../build-main/
lifty$ ./x509storeissuer -t /home/sashan/work.openssl/QUIC/openssl.sashan/test/certs/ 8
25.938117

[Sashan]

I found the code block which starts at 769 as pretty dense. it perhaps deserves some comment here. my understanding is that the whole idea is to divide the collection of statistics to evenly distributed samples (quantiles). The current setting is there are 5 quantiles for the whole duration of test which is 5 secs.

the line here just makes we check the elapsed time only once in a while (count 0x3f). If time collection interval ellapses, then we save a sample (quantile) for elapsed interval.

and one important detail to mention here is that when tool is running with -t option, terse mode there is just one quantile (quantile = 1) which covers the whole test duration. no split to evenly distributed intervals happens.

[Sashan]

here we calculate the time when to collect the next sample. ++q + 1 prevents 0 (which might be interpreted as now in current logic at line 771.

[nhorman]

@npajkovsky given that this change introduces a population of the X509_STORE that we are testing (i.e. with this change we're actually iterating over lots of certificates. vs no certificates), I would expect some level of run time increase (though a 4x slowdown is odd). Weather or not we should set the default NUM_KEYS value to 16 vs 0 is probably the question to answer here.

[esyr]

@npajkovsky given that this change introduces a population of the X509_STORE that we are testing (i.e. with this change we're actually iterating over lots of certificates. vs no certificates), I would expect some level of run time increase (though a 4x slowdown is odd). Weather or not we should set the default NUM_KEYS value to 16 vs 0 is probably the question to answer here.

I'm going to change the defaults so it still measures the time against an empty store, so the additional measurements can be added separately.

[npajkovsky]

@npajkovsky given that this change introduces a population of the X509_STORE that we are testing (i.e. with this change we're actually iterating over lots of certificates. vs no certificates), I would expect some level of run time increase (though a 4x slowdown is odd). Weather or not we should set the default NUM_KEYS value to 16 vs 0 is probably the question to answer here.

Number of certificates in the store should not matter much. X509_STORE is using hastable which maps certificate's subject to STACK_OF(X509_OBJECTS). Hence, the only way how to iterate over certificates is to have plenty of certificates with the same subject. I don't think we have this case right now.

[npajkovsky]

The difference between performance is because the original code didn't find the certificate, while @esyr code finds it. That triggers a bit of different code paths which we can measure.

do_x509storeissuer should really be named do_x509storeissuer_cache_miss. Your implementation should be a cache hit.

[npajkovsky]

Also, there are two leaks.

diff --git a/source/x509storeissuer.c b/source/x509storeissuer.c
index 3acce441e2a2..6c737bf578c7 100644
--- a/source/x509storeissuer.c
+++ b/source/x509storeissuer.c
@@ -714,6 +714,8 @@ read_certsdir(char * const dir, X509_STORE * const store)
         cnt += read_cert(dir, e->d_name, store);
     }

+    closedir(d);
+
     return cnt;
 }
 #endif /* defined(_WIN32) */
@@ -941,6 +943,8 @@ report_result(int verbosity)
         }
         break;
     }
+
+    OPENSSL_free(times);
 }

[bob-beck]

What was the license on the code you were borrowing from FreeBSD?

The normal license on FreeBSD is copyright the freebsd foundation and is 2 clause BSD. You can't
just copy code from FreeBSD that is licensed like that, and put it in something that is Apache2 licensed copyright the OpenSSL authors. You would have to ask permission to relicense like that unless we
include the original license with the code and license such code like that.

Do we really need this level of complexity for this test?

[bob-beck]

Adding this dependency here seems awfully intrusive in the rest of the code, for what you're
actually getting out of it for this that couldn't be done in other ways.

If we decide we want this (and I'm a BSD guy so not overly objectiing to them) I think this should be
a decision to deal with this separately from improvements to this test.

[bob-beck]

As mentioned, this is pretty intrusive and should probably be a separate change from this.

like with a real issue and stuff about the name of this global symbol in this file and what it conflicts with. To me it seems like changing err to error is just moving the deck chair over one place and waiting for the next conflict. While making a decision to solve that is fine, we should solve it rather than just hacking this just for the purpose of having err() in this test.

[bob-beck]

This appears to not be guarded, as. you're defining something different than the guard.

[bob-beck]

Got a measured perfomance difference with and without?

[bob-beck]

So this can return NULL, and is already checked.

[bob-beck]

so that function does not need noreturn, and therefore I don't think you also need to bring in the noreturn stuff just for this.

[bob-beck]

I think changing this sort of stuff to errx is probably a regression if the tests are used to check leaks, it just becomes a pain. So I would avoid adding more of this type of refactor until we know what our answer is for that, and just keep these as goto err;

Additionaly because a lot of what appears to be being brought in here for err/errx is a lot of unrelated churn for this. and makes this change a lot more intrusive than we need otherwise.

If we truly want err/errx in tests we should make an issue for it, and add it separately, with some documentation on it at least in it's header file for internal use here, and a PR to add it, before using it. Adding it while doing this seems to add a lot of baggage and complexity to this PR that I don't think is needed.

[Sashan]

FYI: err/errx has been added some time ago:
#26

the question rather is to drop the changeset which does s/err/error exercise. this changeset came from here as an attempt to fix some linker/compiler warning on windows. The compile/warning was triggered by code which no longer exists here. so there is some history in this PR...