Chromium Code Reviews

Issue 2694903006: Restore SSL_SESSION/X509Certificate X509* sharing (Closed)

Created:
3 years, 10 months ago by davidben
Modified:
3 years, 9 months ago
Reviewers:
Ryan Sleevi
CC:
chromium-reviews, cbentzel+watch_chromium.org, net-reviews_chromium.org
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Restore SSL_SESSION/X509Certificate X509* sharing

This effectively reverts https://codereview.chromium.org/2300533002 and replaces it with a smarter X.509 representation. We haven't gotten rid of X509* completely yet, but we're far enough along there that we can improve this.

There are three flavors of X509* that Chromium potentially keeps around in memory:

1. Vanilla X509*. This does not make the full DER form easily accessible, but does cache the DER form of the TBSCertificate.

2. X509* + DERCache. This is (1) with an extra copy of the full DER form accessible. The DER form is accessible (needed by lots of things) but we use a bunch more memory.

3. X509* + CRYPTO_BUFFER. This is a smarter version of (2). The full DER form is stored in a CRYPTO_BUFFER but rather than have it waste memory, we alias the cached TBSCertificate into it.

(3) was added early on in switching from X509 to CRYPTO_BUFFER. When https://codereview.chromium.org/2300533002 was done, (3) did not exist, so we had this split where X509s hanging off SSL_SESSION did not need DERCache but net::X509Certificate did. Sharing the X509* was a nice memory optimization in one direction (fewer X509s in memory---X509s are really *really* inefficient, which is one of the motivations in removing them), but at the cost of stapling DERCache to more things.

Whenever the SSL_SESSION's reference outlives the net::X509Certificate's reference, 2300533002 is a win. When both are alive in memory, it is a loss.

Now, every SSL_SESSION-owned X509 is of type (3) anyway, so we can be smarter. Undo the X509*-side regression and instead just don't staple DERCache onto X509*s of type (3). They already have a free DERCache on them. This achieves 2300533002's goals without the X509* tradeoff.

BUG=671420, 642082
Review-Url: https://codereview.chromium.org/2694903006
Cr-Commit-Position: refs/heads/master@{#453455}
Committed: https://chromium.googlesource.com/chromium/src/+/50fee4d87b534d63aa9769d1c593c368a320edcd
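Why the aliasing in flavor (3) is possible: the TBSCertificate is a contiguous sub-range of the certificate's DER, so a cache of it can point into the full-DER buffer instead of holding a second copy. The sketch below is an added example, not Chromium or BoringSSL code; `View`, the function names and the toy bytes are constructed for illustration, and only encoded bytes are counted.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Non-owning pointer/length pair into another buffer (hypothetical helper).
struct View { const uint8_t* data; size_t len; };

// Parses the DER tag+length at in[pos]; outputs header and content sizes.
static bool ReadHeader(const std::vector<uint8_t>& in, size_t pos,
                       size_t* hdr, size_t* len) {
  if (pos > in.size() || in.size() - pos < 2) return false;
  uint8_t b = in[pos + 1];
  size_t n = 0, v = b;
  if (b & 0x80) {  // long form: low 7 bits give the number of length bytes
    n = b & 0x7f;
    if (n == 0 || n > 4 || in.size() - pos - 2 < n) return false;
    v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | in[pos + 2 + i];
  }
  *hdr = 2 + n;
  *len = v;
  return v <= in.size() - pos - *hdr;  // content must fit in the input
}

// Points *out at the TBSCertificate TLV inside |cert| without copying it.
bool TbsView(const std::vector<uint8_t>& cert, View* out) {
  size_t hdr, len, thdr, tlen;
  if (cert.empty() || cert[0] != 0x30 || !ReadHeader(cert, 0, &hdr, &len) ||
      hdr + len != cert.size())  // outer SEQUENCE must span the whole input
    return false;
  if (len < 2 || cert[hdr] != 0x30 || !ReadHeader(cert, hdr, &thdr, &tlen))
    return false;
  *out = View{cert.data() + hdr, thdr + tlen};
  return true;
}

// Encoded bytes held when the TBS cache is a separate copy (flavor 2) or
// aliases the full-DER buffer (flavor 3). Struct overhead is not modelled.
size_t EncodedBytesHeld(const std::vector<uint8_t>& cert, bool aliased) {
  View tbs;
  if (!TbsView(cert, &tbs)) return 0;
  return aliased ? cert.size() : cert.size() + tbs.len;
}

// Constructed toy input shaped like a Certificate; not a real certificate.
std::vector<uint8_t> ConstructedCert() {
  return {0x30, 0x0d, 0x30, 0x03, 0x02, 0x01, 0x05,  // TBSCertificate stand-in
          0x30, 0x02, 0x05, 0x00, 0x03, 0x02, 0x00, 0xff};
}
```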

Patch Set 1 #

Patch Set 2 : . #

Total comments: 2

Patch Set 3 : xunjieli comments #

Stats (+32 lines, -25 lines)
M net/cert/x509_util_openssl.cc: 1 chunk, +8 lines, -1 line, 0 comments
M net/socket/ssl_client_socket_impl.cc: 1 chunk, +24 lines, -24 lines, 0 comments

Messages

Total messages: 19 (13 generated)
davidben
3 years, 10 months ago (2017-02-17 23:24:23 UTC) #9
Ryan Sleevi
lgtm
3 years, 10 months ago (2017-02-18 00:05:19 UTC) #10
xunjieli
drive-by. Thanks for providing the detailed context in the cl description. Three nits below: > ...
3 years, 10 months ago (2017-02-21 15:54:05 UTC) #11
davidben
> nit: s/cached/cache Done. > nit: Make it clearer as to which "change" this sentence ...
3 years, 9 months ago (2017-02-28 00:17:43 UTC) #13
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2694903006/40001
3 years, 9 months ago (2017-02-28 00:18:42 UTC) #16
commit-bot: I haz the power
3 years, 9 months ago (2017-02-28 02:13:44 UTC) #19
Message was sent while issue was closed.
Committed patchset #3 (id:40001) as
https://chromium.googlesource.com/chromium/src/+/50fee4d87b534d63aa9769d1c593...
