TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 91fa5bade32dfd704101743fc120f6b38d610d64^! / . / include / mbedtls / config.h
commit91fa5bade32dfd704101743fc120f6b38d610d64[log] [tgz]
authorManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Tue May 28 12:28:17 2019 +0200
committerManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Tue Jun 18 10:09:27 2019 +0200
treee8130eda2de9d083aa3900d1784607a9199fca67
parentc725e4b34e5cd0cdc6f0e420cebc5294a8793899 [diff] [blame]
Add new config MBEDTLS_SSL_CONTEXT_SERIALIZATION

This is enabled by default as we generally enable things by default unless
there's a reason not to (experimental, deprecated, security risk).

We need a compile-time option because, even though the functions themselves
can be easily garbage-collected by the linker, implementing them will require
saving 64 bytes of Client/ServerHello.random values after the handshake, that
would otherwise not be needed, and people who don't need this feature
shouldn't have to pay the price of increased RAM usage.

diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index e0b5ba4..53db082 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h

@@ -1309,6 +1309,33 @@
 //#define MBEDTLS_SSL_ASYNC_PRIVATE
 
 /**
+ * \def MBEDTLS_SSL_CONTEXT_SERIALIZATION
+ *
+ * Enable the APIs for serialization of a full SSL context:
+ * mbedtls_ssl_context_save() and mbedtls_ssl_context_load().
+ *
+ * This pair of functions allows one side of a connection to serialize the
+ * context associated with the connection, then free or re-use that context
+ * while the serialized state is persisted elsewhere, and finally deserialize
+ * that state to a live context for resuming read/write operations on the
+ * connection, in a way that's transparent to the peer, since from a protocol
+ * point of view, the state of the connection is unaffected.
+ *
+ * Note: this is distinct from TLS session resumption, which is part of the
+ * protocol and fully visible by the peer. TLS session resumption enables
+ * establishing new connections associated to a saved session with shorter,
+ * lighter handshakes, while context serialization is a local optimisation in
+ * handling a single, potentially long-lived connection.
+ *
+ * Enabling these APIs makes some SSL structures larger, as 64 extra bytes are
+ * saved after the handshake to allow for more efficient serialization, so if
+ * you don't need this feature you'll save RAM by disabling it.
+ *
+ * Comment to disable the context serialization APIs.
+ */
+#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
+
+/**
  * \def MBEDTLS_SSL_DEBUG_ALL
  *
  * Enable the debug messages in SSL module for all issues.