gpgsm: Use a cache to speed up parent certificate lookup.

* sm/gpgsm.h (COMPAT_NO_CHAIN_CACHE): New. (struct cert_cache_item_s, cert_cache_item_t): New. (struct server_control_s): Add parent_cert_cache. * sm/gpgsm.c (compatibility_flags): Add "no-chain-cache". (parent_cache_stats): New. (gpgsm_exit): Print the stats with --debug=memstat. (gpgsm_deinit_default_ctrl): Release the cache. * sm/certchain.c (gpgsm_walk_cert_chain): Cache the certificates. (do_validate_chain): Ditto. -- This gives another boost of 30% (from 6.5 to 4.0 seconds in the test environment with ~1000 certs). do_validate_chain actually brings us the speedup becuase the gpgsm_walk_cert_chain is not used during a key listing. For the latter we actually cache all certificates because that was easier. GnuPG-bug-id: 7308
2025-07-03 22:56:33 +02:00 · 2024-09-30 18:22:25 +02:00 · 2024-09-30 18:22:25 +02:00 · ce0580a599
commit ce0580a599
parent cb6c506e4e
3 changed files with 114 additions and 8 deletions
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@ -500,6 +500,7 @@ static struct debug_flags_s debug_flags [] =
 static struct compatibility_flags_s compatibility_flags [] =
  {
    { COMPAT_ALLOW_KA_TO_ENCR, "allow-ka-to-encr" },
+    { COMPAT_NO_CHAIN_CACHE, "no-chain-cache"     },
    { 0, NULL }
  };

@ -536,6 +537,9 @@ static int default_include_certs = DEFAULT_INCLUDE_CERTS;
 /* Whether the chain mode shall be used for validation.  */
 static int default_validation_model;

+/* Counter used to convey data from deinit_ctrl to gpgsm_exit.  */
+static unsigned int parent_cache_stats;
+
 /* The default cipher algo.  */
 #define DEFAULT_CIPHER_ALGO "AES256"

@ -2354,6 +2358,7 @@ gpgsm_exit (int rc)
  gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);
  if (opt.debug & DBG_MEMSTAT_VALUE)
    {
+      log_info ("cert_chain_cache: cached=%u\n", parent_cache_stats);
      gcry_control( GCRYCTL_DUMP_MEMORY_STATS );
      gcry_control( GCRYCTL_DUMP_RANDOM_STATS );
    }
@ -2381,9 +2386,22 @@ gpgsm_init_default_ctrl (struct server_control_s *ctrl)
 void
 gpgsm_deinit_default_ctrl (ctrl_t ctrl)
 {
+  unsigned int n;
+
  gpgsm_keydb_deinit_session_data (ctrl);
  xfree (ctrl->revocation_reason);
  ctrl->revocation_reason = NULL;
+  n = 0;
+  while (ctrl->parent_cert_cache)
+    {
+      cert_cache_item_t next = ctrl->parent_cert_cache->next;
+      ksba_cert_release (ctrl->parent_cert_cache->result);
+      xfree (ctrl->parent_cert_cache);
+      ctrl->parent_cert_cache = next;
+      n++;
+    }
+  if (n > parent_cache_stats)
+    parent_cache_stats = n;
 }