mirror of
https://github.com/refraction-networking/utls.git
synced 2025-04-04 20:47:36 +03:00
5e45636b4c
In verifyServerCertificate parse certificates using the global certificate cache. This should signficiantly reduce memory usage in TLS clients which make concurrent connections which reuse certificates (anywhere in the chain) since there will only ever be one copy of the certificate at once. Fixes #46035 Change-Id: Icf5153d0ea3c14a0bdc8b26c794f21153bf95f85 Reviewed-on: https://go-review.googlesource.com/c/go/+/426455 Reviewed-by: Heschi Kreinick <heschi@google.com> Reviewed-by: Bryan Mills <bcmills@google.com> Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
95 lines
3.4 KiB
Go
95 lines
3.4 KiB
Go
// Copyright 2022 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package tls
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"runtime"
|
|
"sync"
|
|
"sync/atomic"
|
|
)
|
|
|
|
type cacheEntry struct {
|
|
refs atomic.Int64
|
|
cert *x509.Certificate
|
|
}
|
|
|
|
// certCache implements an intern table for reference counted x509.Certificates,
|
|
// implemented in a similar fashion to BoringSSL's CRYPTO_BUFFER_POOL. This
|
|
// allows for a single x509.Certificate to be kept in memory and referenced from
|
|
// multiple Conns. Returned references should not be mutated by callers. Certificates
|
|
// are still safe to use after they are removed from the cache.
|
|
//
|
|
// Certificates are returned wrapped in a activeCert struct that should be held by
|
|
// the caller. When references to the activeCert are freed, the number of references
|
|
// to the certificate in the cache is decremented. Once the number of references
|
|
// reaches zero, the entry is evicted from the cache.
|
|
//
|
|
// The main difference between this implmentation and CRYPTO_BUFFER_POOL is that
|
|
// CRYPTO_BUFFER_POOL is a more generic structure which supports blobs of data,
|
|
// rather than specific structures. Since we only care about x509.Certificates,
|
|
// certCache is implemented as a specific cache, rather than a generic one.
|
|
//
|
|
// See https://boringssl.googlesource.com/boringssl/+/master/include/openssl/pool.h
|
|
// and https://boringssl.googlesource.com/boringssl/+/master/crypto/pool/pool.c
|
|
// for the BoringSSL reference.
|
|
type certCache struct {
|
|
sync.Map
|
|
}
|
|
|
|
var clientCertCache = new(certCache)
|
|
|
|
// activeCert is a handle to a certificate held in the cache. Once there are
|
|
// no alive activeCerts for a given certificate, the certificate is removed
|
|
// from the cache by a finalizer.
|
|
type activeCert struct {
|
|
cert *x509.Certificate
|
|
}
|
|
|
|
// active increments the number of references to the entry, wraps the
|
|
// certificate in the entry in a activeCert, and sets the finalizer.
|
|
//
|
|
// Note that there is a race between active and the finalizer set on the
|
|
// returned activeCert, triggered if active is called after the ref count is
|
|
// decremented such that refs may be > 0 when evict is called. We consider this
|
|
// safe, since the caller holding an activeCert for an entry that is no longer
|
|
// in the cache is fine, with the only side effect being the memory overhead of
|
|
// there being more than one distinct reference to a certificate alive at once.
|
|
func (cc *certCache) active(e *cacheEntry) *activeCert {
|
|
e.refs.Add(1)
|
|
a := &activeCert{e.cert}
|
|
runtime.SetFinalizer(a, func(_ *activeCert) {
|
|
if e.refs.Add(-1) == 0 {
|
|
cc.evict(e)
|
|
}
|
|
})
|
|
return a
|
|
}
|
|
|
|
// evict removes a cacheEntry from the cache.
|
|
func (cc *certCache) evict(e *cacheEntry) {
|
|
cc.Delete(string(e.cert.Raw))
|
|
}
|
|
|
|
// newCert returns a x509.Certificate parsed from der. If there is already a copy
|
|
// of the certificate in the cache, a reference to the existing certificate will
|
|
// be returned. Otherwise, a fresh certificate will be added to the cache, and
|
|
// the reference returned. The returned reference should not be mutated.
|
|
func (cc *certCache) newCert(der []byte) (*activeCert, error) {
|
|
if entry, ok := cc.Load(string(der)); ok {
|
|
return cc.active(entry.(*cacheEntry)), nil
|
|
}
|
|
|
|
cert, err := x509.ParseCertificate(der)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
entry := &cacheEntry{cert: cert}
|
|
if entry, loaded := cc.LoadOrStore(string(der), entry); loaded {
|
|
return cc.active(entry.(*cacheEntry)), nil
|
|
}
|
|
return cc.active(entry), nil
|
|
}
|