From afa8f71700bb056fb5e8cdbe02979d722dc34dfd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 28 May 2019 12:28:17 +0200 Subject: [PATCH] Add new config MBEDTLS_SSL_CONTEXT_SERIALIZATION This is enabled by default as we generally enable things by default unless there's a reason not to (experimental, deprecated, security risk). We need a compile-time option because, even though the functions themselves can be easily garbage-collected by the linker, implementing them will require saving 64 bytes of Client/ServerHello.random values after the handshake, that would otherwise not be needed, and people who don't need this feature shouldn't have to pay the price of increased RAM usage. --- include/mbedtls/config.h | 27 +++++++++++++++++++++++++++ library/version_features.c | 3 +++ programs/ssl/query_config.c | 8 ++++++++ 3 files changed, 38 insertions(+) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 8e00fc477a..4e78493254 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1403,6 +1403,33 @@ */ //#define MBEDTLS_SSL_ASYNC_PRIVATE +/** + * \def MBEDTLS_SSL_CONTEXT_SERIALIZATION + * + * Enable the APIs for serialization of a full SSL context: + * mbedtls_ssl_context_save() and mbedtls_ssl_context_load(). + * + * This pair of functions allows one side of a connection to serialize the + * context associated with the connection, then free or re-use that context + * while the serialized state is persisted elsewhere, and finally deserialize + * that state to a live context for resuming read/write operations on the + * connection, in a way that's transparent to the peer, since from a protocol + * point of view, the state of the connection is unaffected. + * + * Note: this is distinct from TLS session resumption, which is part of the + * protocol and fully visible by the peer. TLS session resumption enables + * establishing new connections associated to a saved session with shorter, + * lighter handshakes, while context serialization is a local optimisation in + * handling a single, potentially long-lived connection. + * + * Enabling these APIs makes some SSL structures larger, as 64 extra bytes are + * saved after the handshake to allow for more efficient serialization, so if + * you don't need this feature you'll save RAM by disabling it. + * + * Comment to disable the context serialization APIs. + */ +#define MBEDTLS_SSL_CONTEXT_SERIALIZATION + /** * \def MBEDTLS_SSL_DEBUG_ALL * diff --git a/library/version_features.c b/library/version_features.c index e83899d0a7..cc47dacc94 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -459,6 +459,9 @@ static const char * const features[] = { #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) "MBEDTLS_SSL_ASYNC_PRIVATE", #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) + "MBEDTLS_SSL_CONTEXT_SERIALIZATION", +#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ #if defined(MBEDTLS_SSL_DEBUG_ALL) "MBEDTLS_SSL_DEBUG_ALL", #endif /* MBEDTLS_SSL_DEBUG_ALL */ diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index c6d19bf093..361ec00004 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -1266,6 +1266,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) + if( strcmp( "MBEDTLS_SSL_CONTEXT_SERIALIZATION", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONTEXT_SERIALIZATION ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ + #if defined(MBEDTLS_SSL_DEBUG_ALL) if( strcmp( "MBEDTLS_SSL_DEBUG_ALL", config ) == 0 ) {