Add new config MBEDTLS_SSL_CONTEXT_SERIALIZATION

This is enabled by default as we generally enable things by default unless there's a reason not to (experimental, deprecated, security risk). We need a compile-time option because, even though the functions themselves can be easily garbage-collected by the linker, implementing them will require saving 64 bytes of Client/ServerHello.random values after the handshake, that would otherwise not be needed, and people who don't need this feature shouldn't have to pay the price of increased RAM usage.
2019-05-28 12:28:17 +02:00 · 2019-05-28 12:28:17 +02:00 · afa8f71700
commit afa8f71700
parent be34e8e9c0
3 changed files with 38 additions and 0 deletions
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -1403,6 +1403,33 @@
 */
 //#define MBEDTLS_SSL_ASYNC_PRIVATE

+/**
+ * \def MBEDTLS_SSL_CONTEXT_SERIALIZATION
+ *
+ * Enable the APIs for serialization of a full SSL context:
+ * mbedtls_ssl_context_save() and mbedtls_ssl_context_load().
+ *
+ * This pair of functions allows one side of a connection to serialize the
+ * context associated with the connection, then free or re-use that context
+ * while the serialized state is persisted elsewhere, and finally deserialize
+ * that state to a live context for resuming read/write operations on the
+ * connection, in a way that's transparent to the peer, since from a protocol
+ * point of view, the state of the connection is unaffected.
+ *
+ * Note: this is distinct from TLS session resumption, which is part of the
+ * protocol and fully visible by the peer. TLS session resumption enables
+ * establishing new connections associated to a saved session with shorter,
+ * lighter handshakes, while context serialization is a local optimisation in
+ * handling a single, potentially long-lived connection.
+ *
+ * Enabling these APIs makes some SSL structures larger, as 64 extra bytes are
+ * saved after the handshake to allow for more efficient serialization, so if
+ * you don't need this feature you'll save RAM by disabling it.
+ *
+ * Comment to disable the context serialization APIs.
+ */
+#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
+
 /**
 * \def MBEDTLS_SSL_DEBUG_ALL
 *
--- a/library/version_features.c
+++ b/library/version_features.c
@ -459,6 +459,9 @@ static const char * const features[] = {
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
    "MBEDTLS_SSL_ASYNC_PRIVATE",
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+    "MBEDTLS_SSL_CONTEXT_SERIALIZATION",
+#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
 #if defined(MBEDTLS_SSL_DEBUG_ALL)
    "MBEDTLS_SSL_DEBUG_ALL",
 #endif /* MBEDTLS_SSL_DEBUG_ALL */
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@ -1266,6 +1266,14 @@ int query_config( const char *config )
    }
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */

+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+    if( strcmp( "MBEDTLS_SSL_CONTEXT_SERIALIZATION", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONTEXT_SERIALIZATION );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
+
 #if defined(MBEDTLS_SSL_DEBUG_ALL)
    if( strcmp( "MBEDTLS_SSL_DEBUG_ALL", config ) == 0 )
    {