[OpenWrt-Devel] [PATCH][ustream-ssl] mbedtls: Add support for a session cache

Mon, 21 May 2018 05:05:11 -0700 

This allows the client to reuse the settings from a previous session and
no full key exchange is needed.
The partially key exchange takes less than 0.1 seconds compared to over
a second needed for a full key exchange.

Signed-off-by: Hauke Mehrtens <ha...@hauke-m.de>
---
 ustream-mbedtls.c | 14 ++++++++++++++
 ustream-mbedtls.h |  7 +++++++
 2 files changed, 21 insertions(+)

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index e176afe..0b747d2 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -138,6 +138,12 @@ __ustream_ssl_context_new(bool server)
        mbedtls_x509_crt_init(&ctx->cert);
        mbedtls_x509_crt_init(&ctx->ca_cert);
 
+#if defined(MBEDTLS_SSL_CACHE_C)
+       mbedtls_ssl_cache_init(&ctx->cache);
+       mbedtls_ssl_cache_set_timeout(&ctx->cache, 30 * 60);
+       mbedtls_ssl_cache_set_max_entries(&ctx->cache, 5);
+#endif
+
        conf = &ctx->conf;
        mbedtls_ssl_config_init(conf);
 
@@ -154,6 +160,11 @@ __ustream_ssl_context_new(bool server)
        mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
        mbedtls_ssl_conf_rng(conf, _urandom, NULL);
 
+#if defined(MBEDTLS_SSL_CACHE_C)
+       mbedtls_ssl_conf_session_cache(conf, &ctx->cache,
+                                      mbedtls_ssl_cache_get,
+                                      mbedtls_ssl_cache_set);
+#endif
        return ctx;
 }
 
@@ -214,6 +225,9 @@ __hidden int __ustream_ssl_set_key_file(struct 
ustream_ssl_ctx *ctx, const char
 
 __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
 {
+#if defined(MBEDTLS_SSL_CACHE_C)
+       mbedtls_ssl_cache_free(&ctx->cache);
+#endif
        mbedtls_pk_free(&ctx->key);
        mbedtls_x509_crt_free(&ctx->ca_cert);
        mbedtls_x509_crt_free(&ctx->cert);
diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h
index a489867..70bd4ea 100644
--- a/ustream-mbedtls.h
+++ b/ustream-mbedtls.h
@@ -28,11 +28,18 @@
 #include <mbedtls/version.h>
 #include <mbedtls/entropy.h>
 
+#if defined(MBEDTLS_SSL_CACHE_C)
+#include <mbedtls/ssl_cache.h>
+#endif
+
 struct ustream_ssl_ctx {
        mbedtls_ssl_config conf;
        mbedtls_pk_context key;
        mbedtls_x509_crt ca_cert;
        mbedtls_x509_crt cert;
+#if defined(MBEDTLS_SSL_CACHE_C)
+       mbedtls_ssl_cache_context cache;
+#endif
        bool server;
 };
 
-- 
2.11.0


_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
http://lists.infradead.org/mailman/listinfo/openwrt-devel

Reply via email to