Make SSL handshakes much faster

This change boosts SSL handshake performance from 2,627 to ~10,000 per
second which is the same level of performance as NGINX at establishing
secure connections. That's impressive if we consider that redbean is a
forking frontend application server. This was accomplished by:

  1. Enabling either SSL session caching or SSL tickets. We choose to
     use tickets since they reduce network round trips too and that's
     a more important metric than wrk'ing localhost.

  2. Fixing mbedtls_mpi_sub_abs() which is the most frequently called
     function. It's called about 12,000 times during an SSL handshake
     since it's the basis of most arithmetic operations like addition
     and for some strange reason it was designed to make two needless
     copies in addition to calling malloc and free. That's now fixed.

  3. Improving TLS output buffering during the SSL handshake only, so
     that only a single write and a single read system call are needed
     until blocking on the ping pong.

redbean will now do a better job wiping sensitive memory from a child
process as soon as it's not needed. The nice thing about fork is it's
much faster than reverse proxying so the goal is to use the different
address spaces along with setuid() to minimize the risk that a server
key will be compromised in the event that application code is hacked.
Justine Tunney 2021-07-11 23:17:47 -07:00
parent 8c4cce043c
commit f3e28aa192
103 changed files with 1310 additions and 1085 deletions


@ -862,6 +862,7 @@ struct mbedtls_ssl_session
int encrypt_then_mac; /*!< flag for EtM activation */
#endif
};
/**
* SSL/TLS configuration to be shared between mbedtls_ssl_context structures.
*/
@ -1443,6 +1444,7 @@ int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *, mbedtls_x509_crt *, mbed
int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *, const unsigned char *, size_t );
int mbedtls_ssl_set_session( mbedtls_ssl_context *, const mbedtls_ssl_session * );
int mbedtls_ssl_setup( mbedtls_ssl_context *, const mbedtls_ssl_config * );
int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types , const unsigned char *, size_t, const char *, const unsigned char *, size_t, unsigned char *, size_t );
int mbedtls_ssl_write( mbedtls_ssl_context *, const void *, size_t );
size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context * );
size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context * );
@ -1494,6 +1496,8 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config * );
void mbedtls_ssl_free( mbedtls_ssl_context * );
void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *, mbedtls_dtls_srtp_info * );
void mbedtls_ssl_init( mbedtls_ssl_context * );
void mbedtls_ssl_key_cert_free( mbedtls_ssl_key_cert * );
void mbedtls_ssl_session_free( mbedtls_ssl_session * );
void mbedtls_ssl_session_init( mbedtls_ssl_session * );
void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *, void * );
void mbedtls_ssl_set_bio( mbedtls_ssl_context *, void *, mbedtls_ssl_send_t *, mbedtls_ssl_recv_t *, mbedtls_ssl_recv_timeout_t * );
@ -1503,8 +1507,6 @@ void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *, mbedtls_x509_crt *, mbe
void mbedtls_ssl_set_mtu( mbedtls_ssl_context *, uint16_t );
void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *, void *, mbedtls_ssl_set_timer_t *, mbedtls_ssl_get_timer_t * );
void mbedtls_ssl_set_verify( mbedtls_ssl_context *, int (*)(void *, mbedtls_x509_crt *, int, uint32_t *), void * );
void mbedtls_ssl_session_free( mbedtls_ssl_session * );
int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types , const unsigned char *, size_t, const char *, const unsigned char *, size_t, unsigned char *, size_t );
/**
* \brief Load reasonnable default SSL configuration values.