Hi Keith,

Those are good questions, and the short answer is everything should work in a multi-threaded environment if Mbed TLS was built with threading support (for example, enabling MBEDTLS_THREADING_C and MBEDTLS_THREADING_PTHREAD in config.h).

Now for some more details: regarding mbedtls_ssl_config, it is indeed treated as read-only by all functions in the SSL/TLS module, except of course those functions that are explicitly meant to modify it (those whose name starts with mbedtls_ssl_conf_). So, if you set it up in the main thread and then use it in other threads, everything will be fine regarding the top-level structure itself (for sub-structures see below), regardless of whether threading support is enabled.

For the DRBG contexts, you're right that each time we draw from them, they need to update their state. However, this is protected by a mutex if threading support was enabled at compile-time. A similar thing goes for private keys: RSA private keys are protected by a mutex if threading support is enabled (using them mutates state used for side-channel countermeasures), and ECDSA private keys are safe too. X.509 structures are always treated as read-only.

Regarding documentation: we did recently expand the documentation on DRBGs: https://github.com/ARMmbed/mbedtls/commit/f305d92480c81c6eb02934a4e1af58152cba28ea

Regarding SSL, I agree this should be better documented. If you'd like to open a PR to add documentation that would have answered your question, that would be very welcome.

Regards,
Manuel


From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.org> on behalf of Keith Cancel via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: 02 April 2021 06:43
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] Mbed TLS mbedtls_ssl_config (struct) Question
Hello,

I hope this is a simple question regarding mbedtls_ssl_config. So it
seems this structure is meant to be shared/used for multiple
connections. However, if I have multiple threads is it treated as a
read only structure by all the library code, or does it update some
state at times? Similar thing regarding the mbedtls_x509_crt struct
and mbedtls_ctr_drbg_context which also seem to be added to the config
when I setup the config.

I was hoping that once set I don’t have to worry about any
mutexes/locks being used by the library under the hood. Mainly, that
once the configuration is set in the main thread its state is never
updated again. What made me curious about this is the fact that the RNG
seems to be part of the configuration and a CPRNG will generally have
state that needs to change. Moreover, I can’t really find a clear
answer looking at the docs.

Thanks,
Keith Cancel
--
mbed-tls mailing list
mbed-tls@lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls