Skip to content

Commit

Permalink
SSL: single allocation in session cache on 32-bit platforms.
Browse files Browse the repository at this point in the history 
Given the present typical SSL session sizes, on 32-bit platforms it is
now beneficial to store all data in a single allocation, since rbtree
node + session id + ASN1 representation of a session takes 256 bytes of
shared memory (36 + 32 + 150 = about 218 bytes plus SNI server name).

Storing all data in a single allocation is beneficial for SNI names up to
about 40 characters long and makes it possible to store about 4000 sessions
in one megabyte (instead of about 3000 sessions now).  This also slightly
simplifies the code.
  • Loading branch information
@mdounin
mdounin committed Oct 12, 2022
1 parent 5c5c449 commit 76876c1
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 48 deletions.
65 changes: 21 additions & 44 deletions src/event/ngx_event_openssl.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3794,9 +3794,9 @@ ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data)
* Typical length of the external ASN1 representation of a session
* is about 150 bytes plus SNI server name.
*
* On 32-bit platforms we allocate separately an rbtree node,
* a session id, and an ASN1 representation, they take accordingly
* 64, 32, and 256 bytes.
* On 32-bit platforms we allocate an rbtree node, a session id, and
* an ASN1 representation in a single allocation, it typically takes
* 256 bytes.
*
* On 64-bit platforms we allocate separately an rbtree node + session_id,
* and an ASN1 representation, they take accordingly 128 and 256 bytes.
Expand All @@ -3809,7 +3809,8 @@ static int
ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
{
int len;
u_char *p, *id, *cached_sess, *session_id;
u_char *p, *session_id;
size_t n;
uint32_t hash;
SSL_CTX *ssl_ctx;
unsigned int session_id_length;
Expand Down Expand Up @@ -3869,31 +3870,21 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
/* drop one or two expired sessions */
ngx_ssl_expire_sessions(cache, shpool, 1);

cached_sess = ngx_slab_alloc_locked(shpool, len);

if (cached_sess == NULL) {

/* drop the oldest non-expired session and try once more */

ngx_ssl_expire_sessions(cache, shpool, 0);

cached_sess = ngx_slab_alloc_locked(shpool, len);

if (cached_sess == NULL) {
sess_id = NULL;
goto failed;
}
}
#if (NGX_PTR_SIZE == 8)
n = sizeof(ngx_ssl_sess_id_t);
#else
n = offsetof(ngx_ssl_sess_id_t, session) + len;
#endif

sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t));
sess_id = ngx_slab_alloc_locked(shpool, n);

if (sess_id == NULL) {

/* drop the oldest non-expired session and try once more */

ngx_ssl_expire_sessions(cache, shpool, 0);

sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t));
sess_id = ngx_slab_alloc_locked(shpool, n);

if (sess_id == NULL) {
goto failed;
Expand All @@ -3902,30 +3893,25 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)

#if (NGX_PTR_SIZE == 8)

id = sess_id->sess_id;

#else

id = ngx_slab_alloc_locked(shpool, session_id_length);
sess_id->session = ngx_slab_alloc_locked(shpool, len);

if (id == NULL) {
if (sess_id->session == NULL) {

/* drop the oldest non-expired session and try once more */

ngx_ssl_expire_sessions(cache, shpool, 0);

id = ngx_slab_alloc_locked(shpool, session_id_length);
sess_id->session = ngx_slab_alloc_locked(shpool, len);

if (id == NULL) {
if (sess_id->session == NULL) {
goto failed;
}
}

#endif

ngx_memcpy(cached_sess, buf, len);

ngx_memcpy(id, session_id, session_id_length);
ngx_memcpy(sess_id->session, buf, len);
ngx_memcpy(sess_id->id, session_id, session_id_length);

hash = ngx_crc32_short(session_id, session_id_length);

Expand All @@ -3935,9 +3921,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)

sess_id->node.key = hash;
sess_id->node.data = (u_char) session_id_length;
sess_id->id = id;
sess_id->len = len;
sess_id->session = cached_sess;

sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx);

Expand All @@ -3951,10 +3935,6 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)

failed:

if (cached_sess) {
ngx_slab_free_locked(shpool, cached_sess);
}

if (sess_id) {
ngx_slab_free_locked(shpool, sess_id);
}
Expand Down Expand Up @@ -4051,9 +4031,8 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,

ngx_rbtree_delete(&cache->session_rbtree, node);

#if (NGX_PTR_SIZE == 8)
ngx_slab_free_locked(shpool, sess_id->session);
#if (NGX_PTR_SIZE == 4)
ngx_slab_free_locked(shpool, sess_id->id);
#endif
ngx_slab_free_locked(shpool, sess_id);

Expand Down Expand Up @@ -4141,9 +4120,8 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)

ngx_rbtree_delete(&cache->session_rbtree, node);

#if (NGX_PTR_SIZE == 8)
ngx_slab_free_locked(shpool, sess_id->session);
#if (NGX_PTR_SIZE == 4)
ngx_slab_free_locked(shpool, sess_id->id);
#endif
ngx_slab_free_locked(shpool, sess_id);

Expand Down Expand Up @@ -4190,9 +4168,8 @@ ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,

ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node);

#if (NGX_PTR_SIZE == 8)
ngx_slab_free_locked(shpool, sess_id->session);
#if (NGX_PTR_SIZE == 4)
ngx_slab_free_locked(shpool, sess_id->id);
#endif
ngx_slab_free_locked(shpool, sess_id);
}
Expand Down
8 changes: 4 additions & 4 deletions src/event/ngx_event_openssl.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -134,14 +134,14 @@ typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t;

struct ngx_ssl_sess_id_s {
ngx_rbtree_node_t node;
u_char *id;
size_t len;
u_char *session;
ngx_queue_t queue;
time_t expire;
u_char id[32];
#if (NGX_PTR_SIZE == 8)
void *stub;
u_char sess_id[32];
u_char *session;
#else
u_char session[1];
#endif
};

Expand Down

0 comments on commit 76876c1

Please sign in to comment.