From 532bffdb0127ddb35bc75fdf43d4287302c5bb7c Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Fri, 12 Jun 2015 21:27:12 +0900
Subject: [PATCH] nghttpx: Minimize critical section for shared ocsp response
---
 src/shrpx_connection_handler.cc | 3 ++-
 src/shrpx_ssl.cc | 37 ++++++++++++++++++++-------------
 src/shrpx_ssl.h | 2 +-
 3 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/src/shrpx_connection_handler.cc b/src/shrpx_connection_handler.cc
index 0ea8f370..50f3368b 100644
--- a/src/shrpx_connection_handler.cc
+++ b/src/shrpx_connection_handler.cc
@@ -510,7 +510,8 @@ void ConnectionHandler::handle_ocsp_complete() {
 {
 std::lock_guard g(tls_ctx_data->mu);
- tls_ctx_data->ocsp_data = std::move(ocsp_.resp);
+ tls_ctx_data->ocsp_data =
+ std::make_shared>(std::move(ocsp_.resp));
 }
 ++ocsp_.next;
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index 44fb1d26..d9f5bb06 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -150,28 +150,37 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
 }
 } // namespace
+namespace {
+std::shared_ptr>
+get_ocsp_data(TLSContextData *tls_ctx_data) {
+ std::lock_guard g(tls_ctx_data->mu);
+ return tls_ctx_data->ocsp_data;
+}
+} // namespace
+
 namespace {
 int ocsp_resp_cb(SSL *ssl, void *arg) {
 auto ssl_ctx = SSL_get_SSL_CTX(ssl);
 auto tls_ctx_data = static_cast(SSL_CTX_get_app_data(ssl_ctx));
- {
- std::lock_guard g(tls_ctx_data->mu);
- auto &data = tls_ctx_data->ocsp_data;
- if (!data.empty()) {
- auto buf = static_cast(
- CRYPTO_malloc(data.size(), __FILE__, __LINE__));
+ auto data = get_ocsp_data(tls_ctx_data);
- if (!buf) {
- return SSL_TLSEXT_ERR_OK;
- }
-
- std::copy(std::begin(data), std::end(data), buf);
-
- SSL_set_tlsext_status_ocsp_resp(ssl, buf, data.size());
- }
+ if (!data) {
+ return SSL_TLSEXT_ERR_OK;
 }
+
+ auto buf =
+ static_cast(CRYPTO_malloc(data->size(), __FILE__, __LINE__));
+
+ if (!buf) {
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+ std::copy(std::begin(*data), std::end(*data), buf);
+
+ SSL_set_tlsext_status_ocsp_resp(ssl, buf, data->size());
+
 return SSL_TLSEXT_ERR_OK;
 }
 } // namespace
diff --git a/src/shrpx_ssl.h b/src/shrpx_ssl.h
index 8aeb571c..ae428eaa 100644
--- a/src/shrpx_ssl.h
+++ b/src/shrpx_ssl.h
@@ -49,7 +49,7 @@ struct TLSContextData {
 // Protects ocsp_data;
 std::mutex mu;
 // OCSP response
- std::vector ocsp_data;
+ std::shared_ptr> ocsp_data;
 // Path to certificate file
 const char *cert_file;
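Review bot: The new `if (!data)` in ocsp_resp_cb tests only the pointer, so the `!data.empty()` condition of the removed block has no counterpart: a published but empty vector now reaches `CRYPTO_malloc(data->size(), ...)` with a size of 0 and, if that returns non-null, `SSL_set_tlsext_status_ocsp_resp` is handed a zero-length response instead of the old "no stapling" behaviour. Unless handle_ocsp_complete is guaranteed never to publish an empty `ocsp_.resp` (not visible in this patch), keeping the old guard with `if (!data || data->empty()) {` preserves the previous behaviour. Reading `*data` after get_ocsp_data has released the lock is sound only because the writer publishes a fresh `make_shared` vector and nothing modifies it afterwards; a comment on get_ocsp_data such as `// The returned vector is immutable once published; callers may read it without holding mu.` would make that contract explicit. A second comment noting that `buf` is handed over to OpenSSL by `SSL_set_tlsext_status_ocsp_resp` and must not be freed here would explain why no cleanup follows the copy.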
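Review bot: The `// Protects ocsp_data;` comment on `mu` no longer states the actual contract once the field becomes a `shared_ptr`: the lock now covers only reading and swapping the pointer, while shrpx_ssl.cc reads the pointed-to vector after releasing it. Suggest `// Protects the ocsp_data pointer only; the vector it points to is read outside the lock and must not be modified after publication.` If the pointer is meant to be null until the first response arrives, which is what the `if (!data)` check in shrpx_ssl.cc appears to rely on, the `// OCSP response` comment should say so as well, e.g. `// OCSP response; null until the first response has been fetched.`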