mbedtls: Add support for a session cache

This allows the client to reuse the settings from a previous session and
no full key exchange is needed.
The partially key exchange takes less than 0.1 seconds compared to over
a second needed for a full key exchange.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index e176afe71f02399717a3e219bbb8e28053f7a784..0b747d27e90c1b1305bc5acc45cba5a40186e496 100644 (file)
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -138,6 +138,12 @@ __ustream_ssl_context_new(bool server)
        mbedtls_x509_crt_init(&ctx->cert);
        mbedtls_x509_crt_init(&ctx->ca_cert);
 
+#if defined(MBEDTLS_SSL_CACHE_C)
+       mbedtls_ssl_cache_init(&ctx->cache);
+       mbedtls_ssl_cache_set_timeout(&ctx->cache, 30 * 60);
+       mbedtls_ssl_cache_set_max_entries(&ctx->cache, 5);
+#endif
+
        conf = &ctx->conf;
        mbedtls_ssl_config_init(conf);
 
@@ -154,6 +160,11 @@ __ustream_ssl_context_new(bool server)
        mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
        mbedtls_ssl_conf_rng(conf, _urandom, NULL);
 
+#if defined(MBEDTLS_SSL_CACHE_C)
+       mbedtls_ssl_conf_session_cache(conf, &ctx->cache,
+                                      mbedtls_ssl_cache_get,
+                                      mbedtls_ssl_cache_set);
+#endif
        return ctx;
 }
 
@@ -214,6 +225,9 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
 
 __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
 {
+#if defined(MBEDTLS_SSL_CACHE_C)
+       mbedtls_ssl_cache_free(&ctx->cache);
+#endif
        mbedtls_pk_free(&ctx->key);
        mbedtls_x509_crt_free(&ctx->ca_cert);
        mbedtls_x509_crt_free(&ctx->cert);

diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h
index a48986771c0993b9a11890a7341beb47355435e6..70bd4ea6fb95bd97f060e7928bf2bcbcd76d007c 100644 (file)
--- a/ustream-mbedtls.h
+++ b/ustream-mbedtls.h
@@ -28,11 +28,18 @@
 #include <mbedtls/version.h>
 #include <mbedtls/entropy.h>
 
+#if defined(MBEDTLS_SSL_CACHE_C)
+#include <mbedtls/ssl_cache.h>
+#endif
+
 struct ustream_ssl_ctx {
        mbedtls_ssl_config conf;
        mbedtls_pk_context key;
        mbedtls_x509_crt ca_cert;
        mbedtls_x509_crt cert;
+#if defined(MBEDTLS_SSL_CACHE_C)
+       mbedtls_ssl_cache_context cache;
+#endif
        bool server;
 };