From: Hauke Mehrtens Date: Mon, 21 May 2018 12:02:44 +0000 (+0200) Subject: mbedtls: Add support for a session cache X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=e8a14691313d72bac27f9060bc536cf2ad23256b;p=oweals%2Fopenwrt-ustream-ssl.git mbedtls: Add support for a session cache This allows the client to reuse the settings from a previous session and no full key exchange is needed. The partially key exchange takes less than 0.1 seconds compared to over a second needed for a full key exchange. Signed-off-by: Hauke Mehrtens --- diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c index e176afe..0b747d2 100644 --- a/ustream-mbedtls.c +++ b/ustream-mbedtls.c @@ -138,6 +138,12 @@ __ustream_ssl_context_new(bool server) mbedtls_x509_crt_init(&ctx->cert); mbedtls_x509_crt_init(&ctx->ca_cert); +#if defined(MBEDTLS_SSL_CACHE_C) + mbedtls_ssl_cache_init(&ctx->cache); + mbedtls_ssl_cache_set_timeout(&ctx->cache, 30 * 60); + mbedtls_ssl_cache_set_max_entries(&ctx->cache, 5); +#endif + conf = &ctx->conf; mbedtls_ssl_config_init(conf); @@ -154,6 +160,11 @@ __ustream_ssl_context_new(bool server) mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_rng(conf, _urandom, NULL); +#if defined(MBEDTLS_SSL_CACHE_C) + mbedtls_ssl_conf_session_cache(conf, &ctx->cache, + mbedtls_ssl_cache_get, + mbedtls_ssl_cache_set); +#endif return ctx; } @@ -214,6 +225,9 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx) { +#if defined(MBEDTLS_SSL_CACHE_C) + mbedtls_ssl_cache_free(&ctx->cache); +#endif mbedtls_pk_free(&ctx->key); mbedtls_x509_crt_free(&ctx->ca_cert); mbedtls_x509_crt_free(&ctx->cert); diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h index a489867..70bd4ea 100644 --- a/ustream-mbedtls.h +++ b/ustream-mbedtls.h @@ -28,11 +28,18 @@ #include #include +#if defined(MBEDTLS_SSL_CACHE_C) +#include +#endif + struct ustream_ssl_ctx { mbedtls_ssl_config conf; mbedtls_pk_context key; mbedtls_x509_crt ca_cert; mbedtls_x509_crt cert; +#if defined(MBEDTLS_SSL_CACHE_C) + mbedtls_ssl_cache_context cache; +#endif bool server; };