nginx: src/event/ngx_event_openssl.c comparison

comparison src/event/ngx_event_openssl.c @ 8078:5244d3b165ff

SSL: single allocation in session cache on 32-bit platforms. Given the present typical SSL session sizes, on 32-bit platforms it is now beneficial to store all data in a single allocation, since rbtree node + session id + ASN1 representation of a session takes 256 bytes of shared memory (36 + 32 + 150 = about 218 bytes plus SNI server name). Storing all data in a single allocation is beneficial for SNI names up to about 40 characters long and makes it possible to store about 4000 sessions in one megabyte (instead of about 3000 sessions now). This also slightly simplifies the code.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Wed, 12 Oct 2022 20:14:40 +0300
parents	ec1fa010c3a5
children	f106f4a68faf

comparison

equal deleted inserted replaced

-:ec1fa010c3a5
+:5244d3b165ff
 * The length of the session id is 16 bytes for SSLv2 sessions and
 * between 1 and 32 bytes for SSLv3 and TLS, typically 32 bytes.
 * Typical length of the external ASN1 representation of a session
 * is about 150 bytes plus SNI server name.
 *
-* On 32-bit platforms we allocate separately an rbtree node,
+* On 32-bit platforms we allocate an rbtree node, a session id, and
-* a session id, and an ASN1 representation, they take accordingly
+* an ASN1 representation in a single allocation, it typically takes
-* 64, 32, and 256 bytes.
+* 256 bytes.
 *
 * On 64-bit platforms we allocate separately an rbtree node + session_id,
 * and an ASN1 representation, they take accordingly 128 and 256 bytes.
 *
 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow,
 static int
 ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
 {
 int                       len;
-u_char                   *p, *id, *cached_sess, *session_id;
+u_char                   *p, *session_id;
+size_t                    n;
 uint32_t                  hash;
 SSL_CTX                  *ssl_ctx;
 unsigned int              session_id_length;
 ngx_shm_zone_t           *shm_zone;
 ngx_connection_t         *c;
 ngx_shmtx_lock(&shpool->mutex);
 /* drop one or two expired sessions */
 ngx_ssl_expire_sessions(cache, shpool, 1);
-cached_sess = ngx_slab_alloc_locked(shpool, len);
+#if (NGX_PTR_SIZE == 8)
+n = sizeof(ngx_ssl_sess_id_t);
-if (cached_sess == NULL) {
+#else
+n = offsetof(ngx_ssl_sess_id_t, session) + len;
+#endif
+sess_id = ngx_slab_alloc_locked(shpool, n);
+if (sess_id == NULL) {
 /* drop the oldest non-expired session and try once more */
 ngx_ssl_expire_sessions(cache, shpool, 0);
-cached_sess = ngx_slab_alloc_locked(shpool, len);
+sess_id = ngx_slab_alloc_locked(shpool, n);
-if (cached_sess == NULL) {
-sess_id = NULL;
-goto failed;
-}
-}
-sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t));
-if (sess_id == NULL) {
-/* drop the oldest non-expired session and try once more */
-ngx_ssl_expire_sessions(cache, shpool, 0);
-sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t));
 if (sess_id == NULL) {
 goto failed;
 }
 }
 #if (NGX_PTR_SIZE == 8)
-id = sess_id->sess_id;
+sess_id->session = ngx_slab_alloc_locked(shpool, len);
-#else
+if (sess_id->session == NULL) {
-id = ngx_slab_alloc_locked(shpool, session_id_length);
-if (id == NULL) {
 /* drop the oldest non-expired session and try once more */
 ngx_ssl_expire_sessions(cache, shpool, 0);
-id = ngx_slab_alloc_locked(shpool, session_id_length);
+sess_id->session = ngx_slab_alloc_locked(shpool, len);
-if (id == NULL) {
+if (sess_id->session == NULL) {
 goto failed;
 }
 }
 #endif
-ngx_memcpy(cached_sess, buf, len);
+ngx_memcpy(sess_id->session, buf, len);
+ngx_memcpy(sess_id->id, session_id, session_id_length);
-ngx_memcpy(id, session_id, session_id_length);
 hash = ngx_crc32_short(session_id, session_id_length);
 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "ssl new session: %08XD:%ud:%d",
 hash, session_id_length, len);
 sess_id->node.key = hash;
 sess_id->node.data = (u_char) session_id_length;
-sess_id->id = id;
 sess_id->len = len;
-sess_id->session = cached_sess;
 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx);
 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue);
 ngx_shmtx_unlock(&shpool->mutex);
 return 0;
 failed:
-if (cached_sess) {
-ngx_slab_free_locked(shpool, cached_sess);
-}
 if (sess_id) {
 ngx_slab_free_locked(shpool, sess_id);
 }
 ngx_queue_remove(&sess_id->queue);
 ngx_rbtree_delete(&cache->session_rbtree, node);
+#if (NGX_PTR_SIZE == 8)
 ngx_slab_free_locked(shpool, sess_id->session);
-#if (NGX_PTR_SIZE == 4)
-ngx_slab_free_locked(shpool, sess_id->id);
 #endif
 ngx_slab_free_locked(shpool, sess_id);
 sess = NULL;
 ngx_queue_remove(&sess_id->queue);
 ngx_rbtree_delete(&cache->session_rbtree, node);
+#if (NGX_PTR_SIZE == 8)
 ngx_slab_free_locked(shpool, sess_id->session);
-#if (NGX_PTR_SIZE == 4)
-ngx_slab_free_locked(shpool, sess_id->id);
 #endif
 ngx_slab_free_locked(shpool, sess_id);
 goto done;
 }
 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
 "expire session: %08Xi", sess_id->node.key);
 ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node);
+#if (NGX_PTR_SIZE == 8)
 ngx_slab_free_locked(shpool, sess_id->session);
-#if (NGX_PTR_SIZE == 4)
-ngx_slab_free_locked(shpool, sess_id->id);
 #endif
 ngx_slab_free_locked(shpool, sess_id);
 }
 }

Mercurial > hg > nginx

comparison src/event/ngx_event_openssl.c @ 8078:5244d3b165ff