nghttpx: Minimize critical section for shared ocsp response

src/shrpx_connection_handler.cc

@@ -510,7 +510,8 @@ void ConnectionHandler::handle_ocsp_complete() {
 
   {
     std::lock_guard<std::mutex> g(tls_ctx_data->mu);
-    tls_ctx_data->ocsp_data = std::move(ocsp_.resp);
+    tls_ctx_data->ocsp_data =
+        std::make_shared<std::vector<uint8_t>>(std::move(ocsp_.resp));
   }
 
   ++ocsp_.next;

src/shrpx_ssl.cc

@@ -150,28 +150,37 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
 }
 } // namespace
 
+namespace {
+std::shared_ptr<std::vector<uint8_t>>
+get_ocsp_data(TLSContextData *tls_ctx_data) {
+  std::lock_guard<std::mutex> g(tls_ctx_data->mu);
+  return tls_ctx_data->ocsp_data;
+}
+} // namespace
+
 namespace {
 int ocsp_resp_cb(SSL *ssl, void *arg) {
   auto ssl_ctx = SSL_get_SSL_CTX(ssl);
   auto tls_ctx_data =
       static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
-  {
-    std::lock_guard<std::mutex> g(tls_ctx_data->mu);
-    auto &data = tls_ctx_data->ocsp_data;
 
-    if (!data.empty()) {
-      auto buf = static_cast<uint8_t *>(
-          CRYPTO_malloc(data.size(), __FILE__, __LINE__));
+  auto data = get_ocsp_data(tls_ctx_data);
 
-      if (!buf) {
-        return SSL_TLSEXT_ERR_OK;
-      }
-
-      std::copy(std::begin(data), std::end(data), buf);
-
-      SSL_set_tlsext_status_ocsp_resp(ssl, buf, data.size());
-    }
+  if (!data) {
+    return SSL_TLSEXT_ERR_OK;
   }
+
+  auto buf =
+      static_cast<uint8_t *>(CRYPTO_malloc(data->size(), __FILE__, __LINE__));
+
+  if (!buf) {
+    return SSL_TLSEXT_ERR_OK;
+  }
+
+  std::copy(std::begin(*data), std::end(*data), buf);
+
+  SSL_set_tlsext_status_ocsp_resp(ssl, buf, data->size());
+
   return SSL_TLSEXT_ERR_OK;
 }
 } // namespace

src/shrpx_ssl.h

@@ -49,7 +49,7 @@ struct TLSContextData {
   // Protects ocsp_data;
   std::mutex mu;
   // OCSP response
-  std::vector<uint8_t> ocsp_data;
+  std::shared_ptr<std::vector<uint8_t>> ocsp_data;
 
   // Path to certificate file
   const char *cert_file;