authornelsonb%netscape.com <devnull@localhost>2001-06-12 20:27:12 +0000
committernelsonb%netscape.com <devnull@localhost>2001-06-12 20:27:12 +0000
commit7aa9d098c83a1fe90b888b6f598dc8e44b1a588a (patch)
treeaa588697a0618b063380846b66339c2fc0a4d5fe
parentf695922fcfccc42f77815a5a1511efe39752d97b (diff)
downloadnss-hg-7aa9d098c83a1fe90b888b6f598dc8e44b1a588a.tar.gz
Add two new functions to permit application tuning of the number of SSL
server session cache locks. We may yet decide to back this out for the NSS 3.3 release. Modified Files: ssl.def ssl.h sslsnce.c
-rw-r--r--security/nss/lib/ssl/ssl.def10
-rw-r--r--security/nss/lib/ssl/ssl.h11
-rw-r--r--security/nss/lib/ssl/sslsnce.c26
3 files changed, 46 insertions, 1 deletions
diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def
index 0fee478ba..5c8712f69 100644
--- a/security/nss/lib/ssl/ssl.def
+++ b/security/nss/lib/ssl/ssl.def
@@ -105,3 +105,13 @@ NSSSSL_VersionCheck;
;+ local:
;+*;
;+};
+;+NSS_3.3 { # NSS 3.3 release
+;+ global:
+;+# We have not yet decided whether these functions will be exported
+;-# in the final 3.3 release, so please treat them as exported private
+;-# functions for now.
+SSL_GetMaxServerCacheLocks;
+SSL_SetMaxServerCacheLocks;
+;+ local:
+;+*;
+;+};
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index 7cc7616f5..34a73c4e7 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -299,6 +299,17 @@ SSL_IMPORT SECStatus SSL_ConfigMPServerSIDCache(int maxCacheEntries,
PRUint32 ssl3_timeout,
const char * directory);
+/* Get and set the configured maximum number of mutexes used for the
+** server's store of SSL sessions. This value is used by the server
+** session ID cache initialization functions shown above. Note that on
+** some platforms, these mutexes are actually implemented with POSIX
+** semaphores, or with unnamed pipes. The default value varies by platform.
+** An attempt to set a too-low maximum will return an error and the
+** configured value will not be changed.
+*/
+SSL_IMPORT PRUint32 SSL_GetMaxServerCacheLocks(void);
+SSL_IMPORT SECStatus SSL_SetMaxServerCacheLocks(PRUint32 maxLocks);
+
/* environment variable set by SSL_ConfigMPServerSIDCache, and queried by
* SSL_InheritMPServerSIDCache when envString is NULL.
*/
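Review bot: The new comment says a too-low maximum is rejected but gives neither the threshold nor what the number counts. The implementation added to sslsnce.c in this commit rejects values below 3 and counts the cert cache lock and the key cache lock in the total, so the header should say so, for example `** The count includes the cert cache lock and the key cache lock; values below 3 are rejected.` Because the comment already notes that these locks may be POSIX semaphores or unnamed pipes, it would also help to state that no upper limit is enforced and that the caller must stay within the platform's semaphore or descriptor limits.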
diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c
index 11e03e737..cea3b32c4 100644
--- a/security/nss/lib/ssl/sslsnce.c
+++ b/security/nss/lib/ssl/sslsnce.c
@@ -246,6 +246,7 @@ static PRBool isMultiProcess = PR_FALSE;
static sslPID myPid;
+static PRUint32 ssl_max_sid_cache_locks = MAX_SID_CACHE_LOCKS;
/* forward static function declarations */
static void IOError(int rv, char *type);
@@ -874,7 +875,7 @@ InitCache(cacheDesc *cache, int maxCacheEntries, PRUint32 ssl2_timeout,
cache->numSIDCacheSets * SID_CACHE_ENTRIES_PER_SET;
cache->numSIDCacheLocks =
- PR_MIN(cache->numSIDCacheSets, MAX_SID_CACHE_LOCKS);
+ PR_MIN(cache->numSIDCacheSets, ssl_max_sid_cache_locks);
cache->numSIDCacheSetsPerLock =
SID_HOWMANY(cache->numSIDCacheSets, cache->numSIDCacheLocks);
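Review bot: With the compile-time constant replaced by `ssl_max_sid_cache_locks`, `cache->numSIDCacheSets` becomes the only ceiling on the lock count, because SSL_SetMaxServerCacheLocks enforces a minimum but no maximum. That deserves a comment at this assignment, such as `/* ssl_max_sid_cache_locks is application-tunable and has no upper limit of its own; the set count bounds it here. */`. InitCache begins and ends outside this hunk, so how a lock-creation failure is handled further down cannot be checked from here.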
@@ -1029,6 +1030,29 @@ loser:
return SECFailure;
}
+PRUint32
+SSL_GetMaxServerCacheLocks(void)
+{
+ return ssl_max_sid_cache_locks + 2;
+ /* The extra two are the cert cache lock and the key cache lock. */
+}
+
+SECStatus
+SSL_SetMaxServerCacheLocks(PRUint32 maxLocks)
+{
+ /* Minimum is 1 sid cache lock, 1 cert cache lock and 1 key cache lock.
+ ** We'd like to test for a maximum value, but not all platforms' header
+ ** files provide a symbol or function or other means of determining
+ ** the maximum, other than trial and error.
+ */
+ if (maxLocks < 3) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ ssl_max_sid_cache_locks = maxLocks - 2;
+ /* The extra two are the cert cache lock and the key cache lock. */
+ return SECSuccess;
+}
SECStatus
SSL_ConfigServerSessionIDCacheInstance( cacheDesc *cache,
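Review bot: SSL_SetMaxServerCacheLocks stores into the file-scope `ssl_max_sid_cache_locks` unconditionally, while InitCache reads it only when it sizes `numSIDCacheLocks`; a call made after the cache has been configured would therefore appear to return SECSuccess and change what SSL_GetMaxServerCacheLocks reports without affecting the live cache. Either document the ordering above the setter, e.g. `/* Call before the server session ID cache is configured; later calls do not resize an existing cache. */`, or return SECFailure once a cache exists, if the file tracks that state (not visible in this hunk). The store is also unsynchronized, so the same comment could say that concurrent calls are unsupported. In SSL_GetMaxServerCacheLocks the explanatory comment sits after the `return`; moving it above the statement reads better. SSL_ConfigServerSessionIDCacheInstance at the end of the hunk continues outside it.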