mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-26 11:37:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

tls13: cli: Ignore tickets if not supported

Browse Source 
If a TLS 1.3 client receives a ticket and
the feature is not enabled, ignore it.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron 2024-03-25 13:42:07 +01:00
parent 4f1c9278cc
commit 7df18bc210
1 changed files with 18 additions and 14 deletions

32
library/ssl_msg.c

@ -5570,25 +5570,19 @@ static int ssl_check_ctr_renegotiate(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_CLI_C)
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_check_new_session_ticket(mbedtls_ssl_context *ssl) static int ssl_tls13_check_new_session_ticket(mbedtls_ssl_context *ssl)
{ {
if ((ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl)) || if ((ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl)) ||
(ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET)) { (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET)) {
return 0; return -1;
} }
ssl->keep_current_message = 1; return 0;
MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
mbedtls_ssl_handshake_set_state(ssl,
MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
return MBEDTLS_ERR_SSL_WANT_READ;
} }
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ #endif /* MBEDTLS_SSL_CLI_C */
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl) static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
@ -5596,14 +5590,24 @@ static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(3, ("received post-handshake message")); MBEDTLS_SSL_DEBUG_MSG(3, ("received post-handshake message"));
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_CLI_C)
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
int ret = ssl_tls13_check_new_session_ticket(ssl); int ret = ssl_tls13_check_new_session_ticket(ssl);
if (ret != 0) { if (ret == 0) {
return ret; #if defined(MBEDTLS_SSL_SESSION_TICKETS)
MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
ssl->keep_current_message = 1;
mbedtls_ssl_handshake_set_state(ssl,
MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
return MBEDTLS_ERR_SSL_WANT_READ;
#else
MBEDTLS_SSL_DEBUG_MSG(3, ("Ignore NewSessionTicket, not supported."));
return 0;
#endif
} }
} }
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ #endif /* MBEDTLS_SSL_CLI_C */
/* Fail in all other cases. */ /* Fail in all other cases. */
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;