From 7be14065e2d727feff6adebe69c8b7d13a80c349 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Tue, 18 Jun 2019 13:07:17 +0300 Subject: [PATCH] Add config MBEDTLS_SSL_SESSION_CACHE Add configuration option MBEDTLS_SSL_SESSION_CACHE to control enabling/disabling of the cache based session resumption. --- include/mbedtls/config.h | 8 ++++++++ include/mbedtls/ssl.h | 10 ++++++---- library/ssl_srv.c | 2 ++ library/ssl_tls.c | 12 ++++++++---- programs/ssl/dtls_server.c | 4 ++-- programs/ssl/query_config.c | 8 ++++++++ programs/ssl/ssl_client2.c | 2 ++ programs/ssl/ssl_server.c | 4 ++-- programs/ssl/ssl_server2.c | 2 ++ 9 files changed, 40 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 2116521dc..2a0bbfbf1 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1668,6 +1668,14 @@ */ #define MBEDTLS_SSL_SESSION_TICKETS +/** + * \def MBEDTLS_SSL_SESSION_CACHE + * + * + * Comment this macro to disable support for SSL session cache + */ +//#define MBEDTLS_SSL_SESSION_CACHE + /** * \def MBEDTLS_SSL_EXPORT_KEYS * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index b51708970..4471a2403 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -906,11 +906,13 @@ struct mbedtls_ssl_config int (*f_rng)(void *, unsigned char *, size_t); void *p_rng; /*!< context for the RNG function */ +#if defined(MBEDTLS_SSL_SESSION_CACHE) /** Callback to retrieve a session from the cache */ int (*f_get_cache)(void *, mbedtls_ssl_session *); /** Callback to store a session into the cache */ int (*f_set_cache)(void *, const mbedtls_ssl_session *); void *p_cache; /*!< context for cache callbacks */ +#endif #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) /** Callback for setting cert according to SNI extension */ 
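Review bot: The new option's documentation contradicts its default: the comment says `Comment this macro to disable support for SSL session cache`, but the macro is added as `//#define MBEDTLS_SSL_SESSION_CACHE`, so a default build now compiles out the cache callbacks, `mbedtls_ssl_conf_session_cache()` and `mbedtls_ssl_set_session()`, which silently breaks every existing caller. Either ship it enabled, `#define MBEDTLS_SSL_SESSION_CACHE`, to keep current behaviour, or reword to `Uncomment this macro to enable ...` and state the behaviour change in the commit message. The Doxygen block also carries a stray empty ` *` line and says nothing about what the option gates; I would describe it as `Enable session resumption through the session-cache callbacks (mbedtls_ssl_conf_session_cache(), server side) and mbedtls_ssl_set_session() (client side)`. The diffstat shows no change to check_config.h, so nothing rejects MBEDTLS_SSL_CACHE_C without this option, and the programs/ hunks below show that combination setting up a cache that is never attached; a `#if defined(MBEDTLS_SSL_CACHE_C) && !defined(MBEDTLS_SSL_SESSION_CACHE)` / `#error` entry there would make the dependency explicit.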
@@ -2129,7 +2131,7 @@ void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl, void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_SSL_SRV_C) +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_CACHE) /** * \brief Set the session cache callbacks (server-side only) * If not set, no session resuming is done (except if session @@ -2171,9 +2173,9 @@ void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, void *p_cache, int (*f_get_cache)(void *, mbedtls_ssl_session *), int (*f_set_cache)(void *, const mbedtls_ssl_session *) ); -#endif /* MBEDTLS_SSL_SRV_C */ +#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_SESSION_CACHE */ -#if defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_CACHE) /** * \brief Request resumption of session (client-side only) * Session data is copied from presented session structure. @@ -2189,7 +2191,7 @@ void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, * \sa mbedtls_ssl_get_session() */ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session ); -#endif /* MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_CACHE */ /** * \brief Load serialized session data into a session structure. diff --git a/library/ssl_srv.c b/library/ssl_srv.c index ecde1b0b5..55a59765a 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2637,6 +2637,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); +#if defined(MBEDTLS_SSL_SESSION_CACHE) /* * Resume is 0 by default, see ssl_handshake_init(). * It may be already set to 1 by ssl_parse_session_ticket_ext(). 
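Review bot: Gating `mbedtls_ssl_set_session()` on MBEDTLS_SSL_SESSION_CACHE ties client-side resumption to what the option describes as a server-side cache; the function's own doc in this hunk says it merely copies the presented session into the context, and on the client that is, as far as I can tell, also the path used to resume a ticket-based session under MBEDTLS_SSL_SESSION_TICKETS, so a client built with tickets but without this option loses resumption entirely. The client has no cache of its own, so the guard `#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_CACHE)` here (and its twin in ssl_tls.c) should probably revert to `#if defined(MBEDTLS_SSL_CLI_C)`, or the option be documented as controlling session resumption rather than the session cache. If removing client-side resumption wholesale is the intent, the config.h comment should say so explicitly.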
@@ -2653,6 +2654,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); ssl->handshake->resume = 1; } +#endif /* MBEDTLS_SSL_SESSION_CACHE */ if( ssl->handshake->resume == 0 ) { diff --git a/library/ssl_tls.c b/library/ssl_tls.c index fff20ff1b..10232bb30 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7273,7 +7273,9 @@ static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) { +#if defined(MBEDTLS_SSL_SESSION_CACHE) int resume = ssl->handshake->resume; +#endif /* MBEDTLS_SSL_SESSION_CACHE */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); @@ -7302,6 +7304,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) ssl->session = ssl->session_negotiate; ssl->session_negotiate = NULL; +#if defined(MBEDTLS_SSL_SESSION_CACHE) /* * Add cache entry */ @@ -7312,6 +7315,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) ); } +#endif /* MBEDTLS_SSL_SESSION_CACHE */ #if defined(MBEDTLS_SSL_PROTO_DTLS) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && @@ -8152,7 +8156,7 @@ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl, ssl_set_timer( ssl, 0 ); } -#if defined(MBEDTLS_SSL_SRV_C) +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_CACHE) void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, void *p_cache, int (*f_get_cache)(void *, mbedtls_ssl_session *), 
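Review bot: With MBEDTLS_SSL_SESSION_CACHE undefined the server can never resume by session ID, yet the `if( ssl->handshake->resume == 0 )` branch that follows the new `#endif` (its body lies outside this hunk) presumably still mints a fresh 32-byte session id for the ServerHello, inviting clients to send back an id the server will never look up. If that is the case, the new-session branch should send an empty session_id when the option is off, e.g. `#if !defined(MBEDTLS_SSL_SESSION_CACHE)` / `ssl->session_negotiate->id_len = n = 0;` / `#endif` ahead of the random-id generation, which also stops spending RNG output on bytes that carry no meaning. ssl_write_server_hello() starts and ends outside this hunk, so please confirm against the id-generation code there.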
@@ -8162,9 +8166,9 @@ void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, conf->f_get_cache = f_get_cache; conf->f_set_cache = f_set_cache; } -#endif /* MBEDTLS_SSL_SRV_C */ +#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_SESSION_CACHE */ -#if defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_CACHE) int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session ) { int ret; @@ -8185,7 +8189,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session return( 0 ); } -#endif /* MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_CACHE */ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, const int *ciphersuites ) diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index dd21fbf47..799da9af9 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -236,11 +236,11 @@ int main( void ) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); -#if defined(MBEDTLS_SSL_CACHE_C) +#if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SESSION_CACHE) mbedtls_ssl_conf_session_cache( &conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set ); -#endif +#endif /* MBEDTLS_SSL_CACHE_C && MBEDTLS_SSL_SESSION_CACHE */ mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index d45a6634f..30b9d7975 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c 
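Review bot: The `#if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SESSION_CACHE)` guard leaves a build with MBEDTLS_SSL_CACHE_C on and MBEDTLS_SSL_SESSION_CACHE off in a half-state: the `cache` object is presumably still declared, initialised and freed under MBEDTLS_SSL_CACHE_C alone (outside this hunk) but is never attached to `conf`, so the sample silently runs without resumption. Rather than papering over the combination in each sample program, I would reject it centrally with `#if defined(MBEDTLS_SSL_CACHE_C) && !defined(MBEDTLS_SSL_SESSION_CACHE)` / `#error "MBEDTLS_SSL_CACHE_C defined, but not MBEDTLS_SSL_SESSION_CACHE"` in check_config.h (untouched by this commit according to the diffstat), which lets the sample keep its original `#if defined(MBEDTLS_SSL_CACHE_C)`. main() starts and ends outside this hunk.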
@@ -1410,6 +1410,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#if defined(MBEDTLS_SSL_SESSION_CACHE) + if( strcmp( "MBEDTLS_SSL_SESSION_CACHE", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_SESSION_CACHE ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_SESSION_CACHE */ + #if defined(MBEDTLS_SSL_EXPORT_KEYS) if( strcmp( "MBEDTLS_SSL_EXPORT_KEYS", config ) == 0 ) { diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 982857659..a3f5d609d 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2545,12 +2545,14 @@ reconnect: } } +#if defined(MBEDTLS_SSL_SESSION_CACHE) if( ( ret = mbedtls_ssl_set_session( &ssl, &saved_session ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_session returned -0x%x\n\n", -ret ); goto exit; } +#endif /* MBEDTLS_SSL_SESSION_CACHE */ if( ( ret = mbedtls_net_connect( &server_fd, opt.server_addr, opt.server_port, diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 97918562a..005d3e85d 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -224,11 +224,11 @@ int main( void ) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); -#if defined(MBEDTLS_SSL_CACHE_C) +#if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SESSION_CACHE) mbedtls_ssl_conf_session_cache( &conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set ); -#endif +#endif /* MBEDTLS_SSL_CACHE_C && MBEDTLS_SSL_SESSION_CACHE */ mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 5d751b6a7..4049a27a5 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
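Review bot: When MBEDTLS_SSL_SESSION_CACHE is off the reconnect path now skips `mbedtls_ssl_set_session()` without saying so, so a run that requested resumption proceeds straight to `mbedtls_net_connect()` and performs a full handshake while the user, and any test script keyed on this program's output, believes a resumption was attempted. I would add an `#else` branch, `mbedtls_printf( " ! session resumption not available: MBEDTLS_SSL_SESSION_CACHE is not defined\n" );`, or better reject the reconnect option at parse time when the feature is compiled out, if that is how the program already handles other unavailable options. The same concern raised on the ssl.h hunk applies here: this call is also what resumes a ticket on the client, so a tickets-only build of ssl_client2 is affected too. main() starts and ends outside this hunk.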
@@ -2527,9 +2527,11 @@ int main( int argc, char *argv[] ) if( opt.cache_timeout != -1 ) mbedtls_ssl_cache_set_timeout( &cache, opt.cache_timeout ); +#if defined(MBEDTLS_SSL_SESSION_CACHE) mbedtls_ssl_conf_session_cache( &conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set ); +#endif /* MBEDTLS_SSL_SESSION_CACHE */ #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS)
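Review bot: Nesting the new `#if defined(MBEDTLS_SSL_SESSION_CACHE)` inside the existing MBEDTLS_SSL_CACHE_C block means `mbedtls_ssl_cache_set_timeout( &cache, opt.cache_timeout )` (and presumably the cache_max handling just above, outside the hunk) still configures a cache that is then never handed to `mbedtls_ssl_conf_session_cache()`, so the cache options on the command line are accepted and silently ignored. Either turn the inner guard into `#if`/`#else` with `mbedtls_printf( " ! cache options ignored: MBEDTLS_SSL_SESSION_CACHE not defined\n" );` in the `#else` arm, or hoist the check so the whole cache setup, option parsing included, is compiled out together. The `#endif /* MBEDTLS_SSL_SESSION_CACHE */` directly followed by a bare `#endif` would also read better with the outer one labelled `#endif /* MBEDTLS_SSL_CACHE_C */`. main() starts and ends outside this hunk.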