Closed Bug 1692132 Opened 3 years ago Closed 3 years ago

pkix_CacheCert_Lookup doesn't return cached certs

Categories

(NSS :: Libraries, defect, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kjacobs, Assigned: rrelyea)

Details

(Whiteboard: [nss-fx])

Attachments

(1 file)

pkix_CacheCert_Lookup doesn't return a result when there's a cache hit: *pFound is set to PKIX_FALSE at the outset, then only set (again) to false. We still maintain the table and evict old entries, but since *pFound is never true, the result isn't returned. This is at odds with the function description.

We might just need to set *pFound near the point at which selCertList is appended to, but I haven't tested this.

(this was originally noted in bug 1682044)
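
The pattern described in the report above, as an added example that is not NSS or libpkix code and not part of the original bug: a simplified cache lookup with a "found" out-parameter, in the buggy shape and the corrected one. All names (`find`, `lookup_buggy`, `lookup_fixed`, `slow_path_runs`) and the `root-ca` entry are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical model of a cache lookup; not libpkix source. */
struct entry { char key[32]; int value; bool used; };
static struct entry table[4] = { { "root-ca", 1, true } }; /* constructed: primed cache */

static struct entry *find(const char *key) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].used && strcmp(table[i].key, key) == 0)
            return &table[i];
    return NULL;
}

/* Buggy shape: the flag is cleared up front and never set on a hit. */
static void lookup_buggy(const char *key, bool *found, int *out) {
    struct entry *e = find(key);
    *found = false;
    if (e != NULL)
        *out = e->value;          /* result produced, flag still false */
}

/* Fixed shape: set the flag at the point the result is produced. */
static void lookup_fixed(const char *key, bool *found, int *out) {
    struct entry *e = find(key);
    *found = false;
    if (e != NULL) {
        *out = e->value;
        *found = true;
    }
}

/* Caller: counts how often repeated lookups fall through to the slow path. */
typedef void (*lookup_fn)(const char *, bool *, int *);
static int slow_path_runs(lookup_fn lookup, int attempts) {
    int slow = 0, v = 0;
    for (int n = 0; n < attempts; n++) {
        bool found = false;
        lookup("root-ca", &found, &v);
        slow += !found;           /* a miss means the caller redoes the full work */
    }
    return slow;
}

int main(void) {
    printf("slow-path runs: buggy=%d fixed=%d\n",
           slow_path_runs(lookup_buggy, 3), slow_path_runs(lookup_fixed, 3));
    return 0;
}
```

With the buggy shape every lookup is treated as a miss even though the entry is present, so the result stays correct and only the repeated work shows the defect.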

Severity: -- → S4
Priority: -- → P3
Whiteboard: [nss-fx]

Going with what you suggested, this doesn't seem to cause any test fails.

Flags: needinfo?(kjacobs.bugzilla)

Testing with libreswan shows a performance improvement. For instance, in the test ikev2-x509-15-san-dn-mismatch-responder, on a second attempt to verify a cert chain (cache primed with root cert), the call time [CPU (WALL)] is reduced from times such as:

|   "san" #2: spent 9.87 (12.4) milliseconds in find_and_verify_certs() calling verify_end_cert()
|   "san" #2: spent 9.97 (11.9) milliseconds in find_and_verify_certs() calling verify_end_cert()

to:

|   "san" #2: spent 6.65 (7.07) milliseconds in find_and_verify_certs() calling verify_end_cert()
|   "san" #2: spent 7.33 (9) milliseconds in find_and_verify_certs() calling verify_end_cert()
Attachment #9249302 - Flags: review+
Assignee: nobody → rrelyea
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Flags: needinfo?(kjacobs.bugzilla)