x509storeissuer: add ability to add certificates to the store during the run

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Author: esyr

source/x509storeissuer.c

@@ -29,6 +29,8 @@
 #include "perflib/err.h"
 #include "perflib/perflib.h"
 
+#define W_PROBABILITY 50
+#define MAX_WRITERS 0
 #define RUN_TIME 5
 #define QUANTILES 5
 #define NONCE_CFG "file:servercert.pem"
@@ -38,6 +40,8 @@
 
 static size_t timeout_us = RUN_TIME * 1000000;
 static size_t quantiles = QUANTILES;
+static size_t max_writers = MAX_WRITERS;
+static size_t w_probability = W_PROBABILITY * 65536 / 100;
 
 enum verbosity {
     VERBOSITY_TERSE,
@@ -49,6 +53,11 @@ enum verbosity {
     VERBOSITY_MAX__
 };
 
+static enum mode {
+    MODE_R,
+    MODE_RW, /* "MODE_W" is just MODE_RW with 100% write probability */
+} mode = MODE_R;
+
 enum nonce_type {
     NONCE_PATH,
 };
@@ -57,6 +66,7 @@ struct call_times {
     uint64_t duration;
     uint64_t total_count;
     uint64_t total_found;
+    uint64_t total_added;
     uint64_t min_count;
     uint64_t max_count;
     double avg;
@@ -95,8 +105,11 @@ ALIGN64 struct thread_data {
     struct {
         uint64_t count;
         uint64_t found;
+        uint64_t added_certs;
         OSSL_TIME end_time;
     } *q_data;
+    size_t cert_count;
+    X509 **certs;
     X509_STORE_CTX *ctx;
 } *thread_data;
 
@@ -112,6 +125,28 @@ OSSL_TIME max_time;
 #define OSSL_MIN(p, q) ((p) < (q) ? (p) : (q))
 #define OSSL_MAX(p, q) ((p) > (q) ? (p) : (q))
 
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 202311L && \
+    !defined(__cplusplus)
+# define ossl_thread thread_local
+#elif defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L && \
+    !defined(__cplusplus)
+# define ossl_thread _Thread_local
+#elif defined(__GNUC__)
+# define ossl_thread __thread
+#elif defined(_MSC_VER)
+# define ossl_thread __declspec(thread)
+#else
+# define ossl_thread
+#endif
+
+static ossl_thread uint32_t prng_seed;
+
+static uint32_t prng(void)
+{
+    /* Taken from FreeBSD's lib/libc/stdlib/rand.c */
+    return (prng_seed = prng_seed * 1103515245U + 12345U);
+}
+
 /**
  * Extend the x509_pool, by the increment, if inc is 0, the increment size
  * is decided automatically.
@@ -482,30 +517,46 @@ do_x509storeissuer(size_t num)
     OSSL_TIME q_end;
     size_t q = 0;
     size_t count = 0;
+    size_t add = 0;
     size_t found = 0;
 
+    prng_seed = num;
     td->start_time = ossl_time_now();
     duration.t = max_time.t - td->start_time.t;
     q_end.t = duration.t / quantiles + td->start_time.t;
 
     do {
-        if (X509_STORE_CTX_get1_issuer(&issuer, td->ctx, x509_nonce) != 0) {
-            found++;
-            X509_free(issuer);
+        if (td->cert_count > 0 && (prng() % 65536 < w_probability)) {
+            size_t cert_id = add % td->cert_count;
+
+            if (!X509_STORE_add_cert(store, td->certs[cert_id])) {
+                warnx("thread %zu: Failed to add generated certificate %zu"
+                      " to the store", num, cert_id);
+            } else {
+                add++;
+            }
+        } else {
+            if (X509_STORE_CTX_get1_issuer(&issuer, td->ctx, x509_nonce) != 0) {
+                found++;
+                X509_free(issuer);
+            }
+            issuer = NULL;
         }
-        issuer = NULL;
+
         count++;
         time = ossl_time_now();
         if (time.t >= q_end.t) {
             td->q_data[q].count = count;
             td->q_data[q].found = found;
+            td->q_data[q].added_certs = add;
             td->q_data[q].end_time = time;
             q_end.t = (duration.t * (++q + 1)) / quantiles + td->start_time.t;
         }
     } while (time.t < max_time.t);
 
     td->q_data[quantiles - 1].count = count;
     td->q_data[quantiles - 1].found = found;
+    td->q_data[quantiles - 1].added_certs = add;
     td->q_data[quantiles - 1].end_time = time;
 }
 
@@ -552,17 +603,21 @@ get_calltimes(struct call_times *times, int verbosity)
                 (q ? thread_data[i].q_data[q - 1].count : 0);
             uint64_t found = thread_data[i].q_data[q].found -
                 (q ? thread_data[i].q_data[q - 1].found : 0);
+            uint64_t add = thread_data[i].q_data[q].added_certs -
+                (q ? thread_data[i].q_data[q - 1].added_certs : 0);
 
             times[q].duration += thread_data[i].q_data[q].end_time.t - start_t;
             times[q].total_count += count;
             times[q].total_found += found;
+            times[q].total_added += add;
         }
     }
 
     for (size_t q = 0; q < quantiles; q++) {
         times[quantiles].duration += times[q].duration;
         times[quantiles].total_count += times[q].total_count;
         times[quantiles].total_found += times[q].total_found;
+        times[quantiles].total_added += times[q].total_added;
     }
 
     for (size_t q = (quantiles == 1); q <= quantiles; q++)
@@ -647,14 +702,18 @@ report_result(int verbosity)
             printf(": avg: %9.3lf us, median: %9.3lf us"
                    ", min: %9.3lf us @thread %3zu, max: %9.3lf us @thread %3zu"
                    ", stddev: %9.3lf us (%8.4lf%%)"
-                   ", hits %9" PRIu64 " of %9" PRIu64 " (%8.4lf%%)\n",
+                   ", hits %9" PRIu64 " of %9" PRIu64 " (%8.4lf%%)"
+                   ", added certs: %" PRIu64 "\n",
                    times[i].avg, times[i].median,
                    times[i].min, times[i].min_idx,
                    times[i].max, times[i].max_idx,
                    times[i].stddev,
                    100.0 * times[i].stddev / times[i].avg,
-                   times[i].total_found, times[i].total_count,
-                   100.0 * times[i].total_found / (times[i].total_count));
+                   times[i].total_found,
+                   (times[i].total_count - times[i].total_added),
+                   100.0 * times[i].total_found
+                           / (times[i].total_count - times[i].total_added),
+                   times[i].total_added);
         }
         break;
     }
@@ -667,6 +726,7 @@ usage(char * const argv[])
 {
     fprintf(stderr,
             "Usage: %s [-t] [-v] [-q N] [-T time] [-n nonce_type:type_args]"
+            " [-m mode] [-w writer_threads] [-W percentage]"
             " [-l max_certs] [-L max_cert_dirs] [-E] [-C threads]"
             " [-V] certsdir [certsdir...] threadcount\n"
             "\t-t\tTerse output\n"
@@ -681,6 +741,13 @@ usage(char * const argv[])
             "\t\t\tfile:PATH - load nonce certificate from PATH;\n"
             "\t\t\tif PATH is relative, the provided certsdir's are searched.\n"
             "\t\tDefault: " NONCE_CFG "\n"
+            "\t-m\tTest mode, can be one of r, rw.  Default: r\n"
+            "\t-w\tMaximum number of threads that attempt addition\n"
+            "\t\tof the new certificates to the store in rw mode,\n"
+            "\t\t0 is unlimited.  Default: " OPENSSL_MSTR(MAX_WRITERS) "\n"
+            "\t-W\tProbability of a certificate being written\n"
+            "\t\tto the store, instead of being queried,\n"
+            "\t\tin percents.  Default: " OPENSSL_MSTR(W_PROBABILITY) "\n"
             "\t-l\tLimit on the number of initially loaded certificates.\n"
             "\t\tDefault: " OPENSSL_MSTR(MAX_LOAD_CERTS) "\n"
             "\t-L\tLimit on the number of initially loaded certificate\n"
@@ -710,8 +777,23 @@ parse_timeout(const char * const optarg)
     return (size_t)(timeout_s * 1e6);
 }
 
+static double
+parse_probability(const char * const optarg)
+{
+    char *endptr = NULL;
+    double prob;
+
+    prob = strtod(optarg, &endptr);
+
+    if (endptr == NULL || *endptr != '\0' || prob < 0 || prob > 100)
+        errx(EXIT_FAILURE, "incorrect probability value: \"%s\"", optarg);
+
+    return prob;
+}
+
 /**
  * Parse nonce configuration string. Currently supported formats:
+ *  * "gen" - generate a nonce certificate
  *  * "file:PATH" - where PATH is either a relative path (that will be then
  *                  checked against the list of directories provided),
  *                  or an absolute one.
@@ -765,7 +847,7 @@ main(int argc, char *argv[])
 
     parse_nonce_cfg(NONCE_CFG, &nonce_cfg);
 
-    while ((opt = getopt(argc, argv, "tvq:T:n:l:L:EC:V")) != -1) {
+    while ((opt = getopt(argc, argv, "tvq:T:n:m:w:W:l:L:EC:V")) != -1) {
         switch (opt) {
         case 't': /* terse */
             verbosity = VERBOSITY_TERSE;
@@ -788,6 +870,22 @@ main(int argc, char *argv[])
         case 'n': /* nonce */
             parse_nonce_cfg(optarg, &nonce_cfg);
             break;
+        case 'm': /* mode */
+            if (strcasecmp(optarg, "r") == 0) {
+                mode = MODE_R;
+            } else if (strcasecmp(optarg, "rw") == 0) {
+                mode = MODE_RW;
+            } else {
+                errx(EXIT_FAILURE, "Unknown mode: \"%s\"", optarg);
+            }
+            break;
+        case 'w': /* maximum writers */
+            max_writers = parse_int(optarg, 0, INT_MAX,
+                                    "maximum number of writers");
+            break;
+        case 'W': /* percent of writes */
+            w_probability = (size_t) (parse_probability(optarg) * 65536 / 100);
+            break;
         case 'l': /* max certs to load */
             max_load_certs = parse_int(optarg, 0, INT_MAX,
                                        "maximum certificate load count");
@@ -855,7 +953,8 @@ main(int argc, char *argv[])
 
     num_certs += read_certsdirs(argv + dirs_start, argc - dirs_start - 1,
                                 max_load_certs, max_load_cert_dirs,
-                                store, &cert_pool, &total_certs_read);
+                                store, mode == MODE_RW ? &cert_pool : NULL,
+                                &total_certs_read);
 
     if (verbosity >= VERBOSITY_DEBUG_STATS)
         fprintf(stderr, "Added %zu certificates to the store"
@@ -881,6 +980,22 @@ main(int argc, char *argv[])
         }
     }
 
+    if (mode == MODE_RW && cert_pool.size > 0) {
+        const size_t writers = max_writers ? OSSL_MIN(max_writers, threadcount)
+                                           : threadcount;
+
+        /*
+         * Point each writer thread at the part of the generated certs
+         * array it uses for store population.
+         */
+        for (size_t i = 0; i < writers; i++) {
+            size_t offs = (cert_pool.size * i) / writers;
+
+            thread_data[i].certs = cert_pool.entries + offs;
+            thread_data[i].cert_count = OSSL_MAX(cert_pool.size / writers, 1);
+        }
+    }
+
     max_time = ossl_time_add(ossl_time_now(), ossl_us2time(timeout_us));
 
     if (!perflib_run_multi_thread_test(do_x509storeissuer, threadcount, &duration))
@@ -889,6 +1004,9 @@ main(int argc, char *argv[])
     if (error)
         errx(EXIT_FAILURE, "Error during test");
 
+    if (mode == MODE_RW)
+        report_store_size(store, "after the test run", verbosity);
+
     report_result(verbosity);
 
     ret = EXIT_SUCCESS;