[nginx] SSL: using static storage for NGX_SSL_MAX_SESSION_SIZE buffers.
noreply at nginx.com
noreply at nginx.com
Wed Feb 26 13:41:02 UTC 2025
details: https://github.com/nginx/nginx/commit/3d7304b527d1fb6eb697eb8719f286ba7b8e90de
branches: master
commit: 3d7304b527d1fb6eb697eb8719f286ba7b8e90de
user: Sergey Kandaurov <pluknet at nginx.com>
date: Fri, 21 Feb 2025 13:49:41 +0400
description:
SSL: using static storage for NGX_SSL_MAX_SESSION_SIZE buffers.
All such transient buffers are converted to a single storage in BSS.
This is in preparation for raising the limit.
---
src/event/ngx_event_openssl.c | 13 +++++++------
src/event/ngx_event_openssl.h | 3 +++
src/http/ngx_http_upstream_round_robin.c | 10 ++++------
src/stream/ngx_stream_upstream_round_robin.c | 10 ++++------
4 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 2446219a7..865c78540 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -132,6 +132,9 @@ int ngx_ssl_index;
int ngx_ssl_certificate_name_index;
+u_char ngx_ssl_session_buffer[NGX_SSL_MAX_SESSION_SIZE];
+
+
ngx_int_t
ngx_ssl_init(ngx_log_t *log)
{
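Review bot: The new global `ngx_ssl_session_buffer` is defined without any comment on how it may be used, although it is now shared by every session serialize/parse path in the event, http and stream modules. Each visible caller fills it and consumes it straight away, so the contents are only meaningful within one call; that contract should be written down at the definition, for example `/* scratch space for i2d/d2i of a single session; contents are not preserved between calls */`. It presumably also relies on these paths never running concurrently within a worker process, which is worth stating in the same comment if true.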
@@ -3889,7 +3892,6 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
ngx_slab_pool_t *shpool;
ngx_ssl_sess_id_t *sess_id;
ngx_ssl_session_cache_t *cache;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
#ifdef TLS1_3_VERSION
@@ -3916,7 +3918,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
return 0;
}
- p = buf;
+ p = ngx_ssl_session_buffer;
i2d_SSL_SESSION(sess, &p);
session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
@@ -3980,7 +3982,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
#endif
- ngx_memcpy(sess_id->session, buf, len);
+ ngx_memcpy(sess_id->session, ngx_ssl_session_buffer, len);
ngx_memcpy(sess_id->id, session_id, session_id_length);
hash = ngx_crc32_short(session_id, session_id_length);
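Review bot: After `ngx_memcpy(sess_id->session, ngx_ssl_session_buffer, len);` the serialized session, which includes the session's key material, stays in static storage until the next session operation overwrites it, whereas the old stack copy was at least likely to be reused soon. Clearing it once the copy is done, `ngx_explicit_memzero(ngx_ssl_session_buffer, len);`, would keep that data out of the worker's long-lived memory and out of core dumps. The same applies to the `ngx_memcpy(peer->ssl_session, ngx_ssl_session_buffer, len)` hunks in both round-robin files and to the buffer contents left behind after each `d2i_SSL_SESSION()` call. The gain is limited while the same bytes still sit in the shared cache, so this is hardening rather than a fix. The function body continues outside the hunk.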
@@ -4039,7 +4041,6 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
ngx_ssl_session_t *sess;
ngx_ssl_sess_id_t *sess_id;
ngx_ssl_session_cache_t *cache;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len);
*copy = 0;
@@ -4087,11 +4088,11 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
if (sess_id->expire > ngx_time()) {
slen = sess_id->len;
- ngx_memcpy(buf, sess_id->session, slen);
+ ngx_memcpy(ngx_ssl_session_buffer, sess_id->session, slen);
ngx_shmtx_unlock(&shpool->mutex);
- p = buf;
+ p = ngx_ssl_session_buffer;
sess = d2i_SSL_SESSION(NULL, &p, slen);
return sess;
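Review bot: `ngx_memcpy(ngx_ssl_session_buffer, sess_id->session, slen);` copies a length read from the shared cache entry with no check against the destination size in this hunk; the bound appears to rest entirely on the writer in ngx_ssl_new_session() rejecting oversized sessions, which is not visible here. With the destination now a global, an oversized `slen` would overwrite neighbouring static data rather than a stack frame, so a cheap guard before the copy (`slen <= NGX_SSL_MAX_SESSION_SIZE`, treating anything larger as a cache miss) is worth adding, particularly as the limit is about to change. The `len = peer->ssl_session_len` copies in the http and stream `set_round_robin_peer_session` hunks have the same shape. The function starts and ends outside the hunk.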
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 9ad4d177b..25e023b01 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -362,4 +362,7 @@ extern int ngx_ssl_index;
extern int ngx_ssl_certificate_name_index;
+extern u_char ngx_ssl_session_buffer[NGX_SSL_MAX_SESSION_SIZE];
+
+
#endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */
diff --git a/src/http/ngx_http_upstream_round_robin.c b/src/http/ngx_http_upstream_round_robin.c
index 304494b3c..6b4ff97f2 100644
--- a/src/http/ngx_http_upstream_round_robin.c
+++ b/src/http/ngx_http_upstream_round_robin.c
@@ -878,7 +878,6 @@ ngx_http_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
int len;
const u_char *p;
ngx_http_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
#endif
peer = rrp->current;
@@ -898,12 +897,12 @@ ngx_http_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
len = peer->ssl_session_len;
- ngx_memcpy(buf, peer->ssl_session, len);
+ ngx_memcpy(ngx_ssl_session_buffer, peer->ssl_session, len);
ngx_http_upstream_rr_peer_unlock(peers, peer);
ngx_http_upstream_rr_peers_unlock(peers);
- p = buf;
+ p = ngx_ssl_session_buffer;
ssl_session = d2i_SSL_SESSION(NULL, &p, len);
rc = ngx_ssl_set_session(pc->connection, ssl_session);
@@ -940,7 +939,6 @@ ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
int len;
u_char *p;
ngx_http_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
#endif
#if (NGX_HTTP_UPSTREAM_ZONE)
@@ -965,7 +963,7 @@ ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
return;
}
- p = buf;
+ p = ngx_ssl_session_buffer;
(void) i2d_SSL_SESSION(ssl_session, &p);
peer = rrp->current;
@@ -995,7 +993,7 @@ ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
peer->ssl_session_len = len;
}
- ngx_memcpy(peer->ssl_session, buf, len);
+ ngx_memcpy(peer->ssl_session, ngx_ssl_session_buffer, len);
ngx_http_upstream_rr_peer_unlock(peers, peer);
ngx_http_upstream_rr_peers_unlock(peers);
diff --git a/src/stream/ngx_stream_upstream_round_robin.c b/src/stream/ngx_stream_upstream_round_robin.c
index 5b5f20db7..27db0851e 100644
--- a/src/stream/ngx_stream_upstream_round_robin.c
+++ b/src/stream/ngx_stream_upstream_round_robin.c
@@ -911,7 +911,6 @@ ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
int len;
const u_char *p;
ngx_stream_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
#endif
peer = rrp->current;
@@ -931,12 +930,12 @@ ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
len = peer->ssl_session_len;
- ngx_memcpy(buf, peer->ssl_session, len);
+ ngx_memcpy(ngx_ssl_session_buffer, peer->ssl_session, len);
ngx_stream_upstream_rr_peer_unlock(peers, peer);
ngx_stream_upstream_rr_peers_unlock(peers);
- p = buf;
+ p = ngx_ssl_session_buffer;
ssl_session = d2i_SSL_SESSION(NULL, &p, len);
rc = ngx_ssl_set_session(pc->connection, ssl_session);
@@ -973,7 +972,6 @@ ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
int len;
u_char *p;
ngx_stream_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
#endif
#if (NGX_STREAM_UPSTREAM_ZONE)
@@ -998,7 +996,7 @@ ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
return;
}
- p = buf;
+ p = ngx_ssl_session_buffer;
(void) i2d_SSL_SESSION(ssl_session, &p);
peer = rrp->current;
@@ -1028,7 +1026,7 @@ ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
peer->ssl_session_len = len;
}
- ngx_memcpy(peer->ssl_session, buf, len);
+ ngx_memcpy(peer->ssl_session, ngx_ssl_session_buffer, len);
ngx_stream_upstream_rr_peer_unlock(peers, peer);
ngx_stream_upstream_rr_peers_unlock(peers);