Remove the stats block in SSL_CTX. Within the library, only ssl_update_cache read them, so add a dedicated field to replace that use. The APIs have a handful of uninteresting callers so I've left them in for now, but they now always return zero. Change-Id: Ie4e36fd4ab18f9bff544541d042bf3c098a46933 Reviewed-on: https://boringssl-review.googlesource.com/4101 Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index cbe0b1e..d723d33 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1144,37 +1144,19 @@
       return lh_SSL_SESSION_num_items(ctx->sessions);
     case SSL_CTRL_SESS_CONNECT:
-      return ctx->stats.sess_connect;
-    case SSL_CTRL_SESS_CONNECT_GOOD:
-      return ctx->stats.sess_connect_good;
-    case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
-      return ctx->stats.sess_connect_renegotiate;
-    case SSL_CTRL_SESS_ACCEPT:
-      return ctx->stats.sess_accept;
-    case SSL_CTRL_SESS_ACCEPT_GOOD:
-      return ctx->stats.sess_accept_good;
-    case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
-      return ctx->stats.sess_accept_renegotiate;
-    case SSL_CTRL_SESS_HIT:
-      return ctx->stats.sess_hit;
-    case SSL_CTRL_SESS_CB_HIT:
-      return ctx->stats.sess_cb_hit;
-    case SSL_CTRL_SESS_MISSES:
-      return ctx->stats.sess_miss;
-    case SSL_CTRL_SESS_TIMEOUTS:
-      return ctx->stats.sess_timeout;
-    case SSL_CTRL_SESS_CACHE_FULL:
-      return ctx->stats.sess_cache_full;
+      /* Statistics are no longer supported.
+       * TODO(davidben): Try to remove the accessors altogether. */
+      return 0;
     case SSL_CTRL_OPTIONS:
       return ctx->options |= larg;
@@ -1797,8 +1779,6 @@ ret->get_session_cb = 0; ret->generate_session_id = 0; - memset((char *)&ret->stats, 0, sizeof(ret->stats)); - ret->references = 1; ret->quiet_shutdown = 0;
@@ -2164,31 +2144,38 @@
 }
 void ssl_update_cache(SSL *s, int mode) {
-  int i;
-
-  /* If the session_id_length is 0, we are not supposed to cache it, and it
-   * would be rather hard to do anyway :-) */
+  /* Never cache sessions with empty session IDs. */
   if (s->session->session_id_length == 0) {
     return;
   }
-  i = s->initial_ctx->session_cache_mode;
-  if ((i & mode) && !s->hit &&
-      ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) ||
-       SSL_CTX_add_session(s->initial_ctx, s->session)) &&
-      s->initial_ctx->new_session_cb != NULL) {
-    if (!s->initial_ctx->new_session_cb(s, SSL_SESSION_up_ref(s->session))) {
+  SSL_CTX *ctx = s->initial_ctx;
+  if ((ctx->session_cache_mode & mode) == mode && !s->hit &&
+      ((ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) ||
+       SSL_CTX_add_session(ctx, s->session)) &&
+      ctx->new_session_cb != NULL) {
+    /* Note: |new_session_cb| is called whether the internal session cache is
+     * used or not. */
+    if (!ctx->new_session_cb(s, SSL_SESSION_up_ref(s->session))) {
       SSL_SESSION_free(s->session);
     }
   }
-  /* auto flush every 255 connections */
-  if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) {
-    if ((((mode & SSL_SESS_CACHE_CLIENT)
-              ? s->initial_ctx->stats.sess_connect_good
-              : s->initial_ctx->stats.sess_accept_good) &
-         0xff) == 0xff) {
-      SSL_CTX_flush_sessions(s->initial_ctx, (unsigned long)time(NULL));
+  if (!(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR) &&
+      !(ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) &&
+      (ctx->session_cache_mode & mode) == mode) {
+    /* Automatically flush the internal session cache every 255 connections. */
+    int flush_cache = 0;
+    CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+    ctx->handshakes_since_cache_flush++;
+    if (ctx->handshakes_since_cache_flush >= 255) {
+      flush_cache = 1;
+      ctx->handshakes_since_cache_flush = 0;
+    }
+    CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+
+    if (flush_cache) {
+      SSL_CTX_flush_sessions(ctx, (unsigned long)time(NULL));
     }
   }
 }
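Review bot: The two new conditions read `ctx->session_cache_mode` five times (twice in the add-to-cache `if`, three times in the auto-flush `if`) where the removed code read it once into `i`; the field is read without any lock here, so if the mode is changed concurrently through its setter the two branches may act on different values — presumably not a practical concern, but a single read is also easier to follow. Hoisting it right after `SSL_CTX *ctx = s->initial_ctx;` as `const int cache_mode = ctx->session_cache_mode;` and testing `cache_mode` in both conditions restores the single read and shortens each condition. Separately, the flush cadence moves from every 256 handshakes (the old `(... & 0xff) == 0xff`) to every 255 (`>= 255` with a reset to 0), which matches the old comment rather than the old behaviour and is now shared between client and server handshakes instead of counted per direction; worth stating in the commit message if intentional. The comment above the counter could also make the lock scope explicit, e.g. `/* The counter is updated under CRYPTO_LOCK_SSL_CTX; the flush itself runs unlocked. */`.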