Summary: altcp_mbedtls: multiple fixes and session
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: dgirault
Submitted on: Tue 15 Oct 2019 13:01:04 UTC
Priority: 5 - Normal
Assigned to: None
Discussion Lock: Any
Planned Release: None
- Ensure no memory leaks and entropy counter is protected
- Use ERR_CLSD only for handshake error.
This allows better handling of handshake error in application.
- Call the application sent() callback with useful len
First calculate and sum TLS overhead when altcp_mbedtls_write() is
Then take care of it when calling application sent callback. Give
len from inner_conn, minus calculated overhead.
- Support for saving/restoring session information
According to mbedTLS source code and documentation, calls to
are only available if mbedTLS is configured for server mode (ie.
is defined). This cannot be used on client mode to resume a previous
To allow session reuse in client mode, application must save session
(including tickets provided by the server if any) after successful
and restore them before attempting to reconnect. Since `altcp_close()` frees
structure, it cannot be used to store the required information.
So, two new API were added, directly wrapped to mbedTLS functions, allow
to do that by itself.
Also added full declaration of `struct altcp_tls_session` in altcp_tls.h
easier usage in application when using mbedTLS port.
[patch #9862] altcp_mbedtls: multiple fixes and session save/restore
Follow-up Comment #1, patch #9862 (project lwip):
Sorry this took 2 months...
- to 0001: shouldn't this be fixed by altcp_mbedtls_unref_entropy() some lines
- to 0002: including mbedtls headers in the application should be avoided. Up
to now, applications don't need to set an include path that provides mbedtls
headers, and I'd like to keep it that way. Given how much mbedTLS itself uses
malloc, can we solve this without a public include to mbedTLS?
- to 0003: I don't really get the code flow here, could you explain more in
the commit message what's done?
- to 0005: This seems wrong: you can't block interrupts during ref/unref/free
entropy (you'll break realtime behaviour of many systems) and you shouldn't.
All this altcp code is expected to be called under CORE_LOCK, so concurrent
execution is not supported anyway.
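
The third item of the commit message (report only the useful length to the application's sent() callback) can be modelled as follows. This is an added stand-alone example, not code from the patch or from lwIP; the struct, the function names and the byte counts are assumptions made for illustration. It clamps the subtraction so that an ACK smaller than the pending TLS overhead cannot underflow the reported length.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical bookkeeping for one TLS connection (not lwIP's own state struct). */
struct tx_acct {
  size_t overhead_pending; /* record framing bytes queued, not yet acked */
  size_t plain_pending;    /* application bytes queued, not yet acked */
};

/* On write: app_len plaintext bytes left the TLS layer as wire_len bytes. */
static int acct_on_write(struct tx_acct *a, size_t app_len, size_t wire_len)
{
  if (wire_len < app_len) {
    return -1; /* assumption: no compression, so a record never shrinks */
  }
  a->plain_pending += app_len;
  a->overhead_pending += wire_len - app_len;
  return 0;
}

/* On inner sent(): returns the length to hand to the application's sent(). */
static size_t acct_on_inner_sent(struct tx_acct *a, size_t wire_acked)
{
  /* Take overhead out first, clamped so a partial ACK cannot underflow. */
  size_t oh = wire_acked < a->overhead_pending ? wire_acked : a->overhead_pending;
  size_t app = wire_acked - oh;

  a->overhead_pending -= oh;
  if (app > a->plain_pending) {
    app = a->plain_pending; /* e.g. handshake bytes the application never wrote */
  }
  a->plain_pending -= app;
  return app;
}

int main(void)
{
  struct tx_acct a = {0, 0};
  size_t hs, first, second;

  hs = acct_on_inner_sent(&a, 200);     /* handshake flight acked (constructed size) */
  acct_on_write(&a, 100, 129);          /* constructed: 100 bytes plus 29 overhead */
  first = acct_on_inner_sent(&a, 20);   /* ACK smaller than the overhead */
  second = acct_on_inner_sent(&a, 109); /* remainder of the record */
  printf("%zu %zu %zu\n", hs, first, second);
  return 0;
}
```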