Add SNI support to redbean and improve SSL perf

This change makes SSL virtual hosting possible. You can now load multiple certificates for multiple domains and redbean will just figure out which one to use, even if you only have 1 ip address. You can also use a jumbo certificate that lists all your domains in the the subject alternative names. This change also makes performance improvements to MbedTLS. Here are some benchmarks vs. cc1920749e BEFORE AFTER (microsecs) suite_ssl.com 2512881 191738 13.11x faster suite_pkparse.com 36291 3295 11.01x faster suite_x509parse.com 854669 120293 7.10x faster suite_pkwrite.com 6549 1265 5.18x faster suite_ecdsa.com 53347 18778 2.84x faster suite_pk.com 49051 18717 2.62x faster suite_ecdh.com 19535 9502 2.06x faster suite_shax.com 15848 7965 1.99x faster suite_rsa.com 353257 184828 1.91x faster suite_x509write.com 162646 85733 1.90x faster suite_ecp.com 20503 11050 1.86x faster suite_hmac_drbg.no_reseed.com 19528 11417 1.71x faster suite_hmac_drbg.nopr.com 12460 8010 1.56x faster suite_mpi.com 687124 442661 1.55x faster suite_hmac_drbg.pr.com 11890 7752 1.53x faster There aren't any special tricks to the performance imporvements. It's mostly due to code cleanup, assembly and intel instructions like mulx, adox, and adcx.
2025-05-22 21:32:31 +00:00 · 2021-07-19 14:55:20 -07:00 · 2021-07-19 14:55:20 -07:00 · 398f0c16fb
commit 398f0c16fb
parent f3e28aa192
190 changed files with 14367 additions and 8928 deletions
--- a/net/https/getsslcachefile.c
+++ b/net/https/getsslcachefile.c
@ -0,0 +1,37 @@
+/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
+│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8                                :vi│
+╞══════════════════════════════════════════════════════════════════════════════╡
+│ Copyright 2021 Justine Alexandra Roberts Tunney                              │
+│                                                                              │
+│ Permission to use, copy, modify, and/or distribute this software for         │
+│ any purpose with or without fee is hereby granted, provided that the         │
+│ above copyright notice and this permission notice appear in all copies.      │
+│                                                                              │
+│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL                │
+│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED                │
+│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE             │
+│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL         │
+│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR        │
+│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER               │
+│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR             │
+│ PERFORMANCE OF THIS SOFTWARE.                                                │
+╚─────────────────────────────────────────────────────────────────────────────*/
+#include "libc/bits/safemacros.internal.h"
+#include "libc/fmt/fmt.h"
+#include "libc/runtime/runtime.h"
+#include "net/https/sslcache.h"
+
+/**
+ * Returns recommended path argument for CreateSslCache().
+ * @return pointer to static memory
+ */
+char *GetSslCacheFile(void) {
+  static char sslcachefile[PATH_MAX + 1];
+  if (snprintf(sslcachefile, sizeof(sslcachefile), "%s/%s.sslcache",
+               firstnonnull(getenv("TMPDIR"), "/tmp"),
+               getenv("USER")) <= PATH_MAX) {
+    return sslcachefile;
+  } else {
+    return 0;
+  }
+}
--- a/net/https/getsslroots.c
+++ b/net/https/getsslroots.c
@ -30,21 +30,7 @@
 #include "net/https/https.h"
 #include "third_party/mbedtls/x509_crt.h"

-STATIC_YOINK("zip_uri_support");
-STATIC_YOINK("usr/share/ssl/root/amazon.pem");
-STATIC_YOINK("usr/share/ssl/root/certum.pem");
-STATIC_YOINK("usr/share/ssl/root/comodo.pem");
-STATIC_YOINK("usr/share/ssl/root/digicert.pem");
-STATIC_YOINK("usr/share/ssl/root/dst.pem");
-STATIC_YOINK("usr/share/ssl/root/geotrust.pem");
-STATIC_YOINK("usr/share/ssl/root/globalsign.pem");
-STATIC_YOINK("usr/share/ssl/root/godaddy.pem");
-STATIC_YOINK("usr/share/ssl/root/google.pem");
-STATIC_YOINK("usr/share/ssl/root/isrg.pem");
-STATIC_YOINK("usr/share/ssl/root/quovadis.pem");
-STATIC_YOINK("usr/share/ssl/root/redbean.pem");
-STATIC_YOINK("usr/share/ssl/root/starfield.pem");
-STATIC_YOINK("usr/share/ssl/root/verisign.pem");
+STATIC_YOINK("ssl_root_support");

 mbedtls_x509_crt *GetSslRoots(void) {
  int fd;
--- a/net/https/https.h
+++ b/net/https/https.h
@ -1,6 +1,7 @@
 #ifndef COSMOPOLITAN_NET_HTTPS_HTTPS_H_
 #define COSMOPOLITAN_NET_HTTPS_HTTPS_H_
 #include "libc/time/struct/tm.h"
+#include "third_party/mbedtls/ssl_ciphersuites.h"
 #include "third_party/mbedtls/x509_crt.h"
 #if !(__ASSEMBLER__ + __LINKER__ + 0)
 COSMOPOLITAN_C_START_
--- a/net/https/sslcache.c
+++ b/net/https/sslcache.c
@ -19,17 +19,24 @@
 #include "libc/bits/bits.h"
 #include "libc/bits/safemacros.internal.h"
 #include "libc/calls/calls.h"
+#include "libc/calls/struct/stat.h"
+#include "libc/errno.h"
 #include "libc/log/check.h"
 #include "libc/log/log.h"
 #include "libc/macros.internal.h"
 #include "libc/nexgen32e/rdtsc.h"
 #include "libc/runtime/runtime.h"
+#include "libc/str/str.h"
 #include "libc/sysv/consts/map.h"
+#include "libc/sysv/consts/o.h"
 #include "libc/sysv/consts/prot.h"
 #include "net/https/sslcache.h"
 #include "third_party/mbedtls/ssl.h"
 #include "third_party/mbedtls/x509_crt.h"

+#define PROT  (PROT_READ | PROT_WRITE)
+#define FLAGS MAP_SHARED
+
 static uint32_t HashSslSession(mbedtls_ssl_session *session) {
  int i;
  uint32_t h;
@ -44,16 +51,46 @@ static uint32_t HashSslSession(mbedtls_ssl_session *session) {
  return h;
 }

-struct SslCache *CreateSslCache(size_t bytes, int lifetime) {
-  struct SslCache *c;
+static struct SslCache *OpenSslCache(const char *path, size_t size) {
+  int fd;
+  struct stat st;
+  struct SslCache *c = NULL;
+  if (path) {
+    if ((fd = open(path, O_RDWR | O_CREAT, 0600)) != -1) {
+      CHECK_NE(-1, fstat(fd, &st));
+      if (st.st_size && st.st_size != size) {
+        WARNF("unlinking sslcache because size changed from %,zu to %,zu",
+              st.st_size, size);
+        unlink(path);
+        fd = open(path, O_RDWR | O_CREAT, 0600);
+        st.st_size = 0;
+      }
+      if (fd != -1) {
+        if (!st.st_size) CHECK_NE(-1, ftruncate(fd, size));
+        c = mmap(0, size, PROT, FLAGS, fd, 0);
+        close(fd);
+      }
+    } else {
+      WARNF("sslcache open(%`'s) failed %s", path, strerror(errno));
+    }
+  }
+  return c;
+}
+
+struct SslCache *CreateSslCache(const char *path, size_t bytes, int lifetime) {
  size_t ents, size;
+  struct SslCache *c;
+  if (!bytes) bytes = 10 * 1024 * 1024;
+  if (lifetime <= 0) lifetime = 24 * 60 * 60;
  ents = rounddown2pow(MAX(2, bytes / sizeof(struct SslCacheEntry)));
  size = sizeof(struct SslCache) + sizeof(struct SslCacheEntry) * ents;
  size = ROUNDUP(size, FRAMESIZE);
-  CHECK_NE(MAP_FAILED, (c = mmap(NULL, size, PROT_READ | PROT_WRITE,
-                                 MAP_SHARED | MAP_ANONYMOUS, -1, 0)));
-  VERBOSEF("ssl cache %,zu bytes with %,u slots", size, ents);
-  c->lifetime = lifetime > 0 ? lifetime : 24 * 60 * 60;
+  c = OpenSslCache(path, size);
+  if (!c) c = mmap(0, size, PROT, FLAGS | MAP_ANONYMOUS, -1, 0);
+  CHECK_NE(MAP_FAILED, c);
+  VERBOSEF("opened %`'s %,zu bytes with %,u slots",
+           c ? path : "anonymous shared memory", size, ents);
+  c->lifetime = lifetime;
  c->size = size;
  c->mask = ents - 1;
  return c;
@ -72,6 +109,7 @@ int UncacheSslSession(void *data, mbedtls_ssl_session *session) {
  mbedtls_x509_crt *cert;
  struct SslCacheEntry *e;
  uint32_t i, hash, ticketlen;
+  LOGF("uncache");
  cache = data;
  hash = HashSslSession(session);
  i = hash & cache->mask;
@ -85,12 +123,12 @@ int UncacheSslSession(void *data, mbedtls_ssl_session *session) {
      session->compression != e->session.compression ||
      session->id_len != e->session.id_len ||
      memcmp(session->id, e->session.id, e->session.id_len)) {
-    VERBOSEF("%u ssl cache collision", i);
+    VERBOSEF("%u sslcache collision", i);
    return 1;
  }
  ts = time(0);
  if (!(e->time <= ts && ts <= e->time + cache->lifetime)) {
-    DEBUGF("%u ssl cache expired", i);
+    DEBUGF("%u sslcache expired", i);
    lockcmpxchg(&e->tick, tick, 0);
    return 1;
  }
@ -114,7 +152,7 @@ int UncacheSslSession(void *data, mbedtls_ssl_session *session) {
  DEBUGF("%u restored ssl from cache", i);
  return 0;
 Contention:
-  WARNF("%u ssl cache contention 0x%08x", i, hash);
+  WARNF("%u sslcache contention 0x%08x", i, hash);
  mbedtls_x509_crt_free(cert);
  free(ticket);
  free(cert);
@ -159,10 +197,13 @@ int CacheSslSession(void *data, const mbedtls_ssl_session *session) {
  }
  e->hash = hash;
  e->time = time(0);
-  tick = unsignedsubtract(rdtsc(), kStartTsc);
+  tick = rdtsc();
  asm volatile("" ::: "memory");
-  if (lockcmpxchg(&e->pid, pid, 0)) {
-    DEBUGF("%u saved", i);
+  if (tick && lockcmpxchg(&e->pid, pid, 0)) {
+    DEBUGF("%u saved %s%s %`#.*s", i,
+           mbedtls_ssl_get_ciphersuite_name(session->ciphersuite),
+           session->compression ? " DEFLATE" : "", session->id_len,
+           session->id);
    e->tick = tick;
    return 0;
  } else {
--- a/net/https/sslcache.h
+++ b/net/https/sslcache.h
@ -21,10 +21,11 @@ struct SslCache {
  } p[];
 };

-struct SslCache *CreateSslCache(size_t, int);
+struct SslCache *CreateSslCache(const char *, size_t, int);
 void FreeSslCache(struct SslCache *);
 int UncacheSslSession(void *, mbedtls_ssl_session *);
 int CacheSslSession(void *, const mbedtls_ssl_session *);
+char *GetSslCacheFile(void);

 COSMOPOLITAN_C_END_
 #endif /* !(__ASSEMBLER__ + __LINKER__ + 0) */
--- a/net/https/sslroots.c
+++ b/net/https/sslroots.c
@ -0,0 +1,37 @@
+/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
+│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8                                :vi│
+╞══════════════════════════════════════════════════════════════════════════════╡
+│ Copyright 2021 Justine Alexandra Roberts Tunney                              │
+│                                                                              │
+│ Permission to use, copy, modify, and/or distribute this software for         │
+│ any purpose with or without fee is hereby granted, provided that the         │
+│ above copyright notice and this permission notice appear in all copies.      │
+│                                                                              │
+│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL                │
+│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED                │
+│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE             │
+│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL         │
+│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR        │
+│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER               │
+│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR             │
+│ PERFORMANCE OF THIS SOFTWARE.                                                │
+╚─────────────────────────────────────────────────────────────────────────────*/
+#include "net/https/https.h"
+
+STATIC_YOINK("zip_uri_support");
+STATIC_YOINK("usr/share/ssl/root/amazon.pem");
+STATIC_YOINK("usr/share/ssl/root/certum.pem");
+STATIC_YOINK("usr/share/ssl/root/comodo.pem");
+STATIC_YOINK("usr/share/ssl/root/digicert.pem");
+STATIC_YOINK("usr/share/ssl/root/dst.pem");
+STATIC_YOINK("usr/share/ssl/root/geotrust.pem");
+STATIC_YOINK("usr/share/ssl/root/globalsign.pem");
+STATIC_YOINK("usr/share/ssl/root/godaddy.pem");
+STATIC_YOINK("usr/share/ssl/root/google.pem");
+STATIC_YOINK("usr/share/ssl/root/isrg.pem");
+STATIC_YOINK("usr/share/ssl/root/quovadis.pem");
+STATIC_YOINK("usr/share/ssl/root/redbean.pem");
+STATIC_YOINK("usr/share/ssl/root/starfield.pem");
+STATIC_YOINK("usr/share/ssl/root/verisign.pem");
+
+char ssl_root_support;