Add mbedtls_ssl_conf_enable_new_session_tickets() API

Add mbedtls_ssl_conf_enable_new_session_tickets() API to be able to enable and disable the handling of TLS 1.3 NewSessionTicket messages. The TLS 1.2 equivalent function is named mbedtls_ssl_conf_session_tickets() thus the most natural name would have been mbedtls_ssl_conf_new_session_tickets() but it is already used on server side thus rather mbedtls_ssl_conf_enable_new_session_tickets(). Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-03-09 19:14:02 +00:00 · 2024-08-27 14:18:50 +02:00 · 2024-08-27 14:18:50 +02:00 · bedddd707a
commit bedddd707a
parent 7defa41fb3
2 changed files with 34 additions and 1 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -324,6 +324,9 @@
 #define MBEDTLS_SSL_SESSION_TICKETS_DISABLED     0
 #define MBEDTLS_SSL_SESSION_TICKETS_ENABLED      1

+#define MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED  0
+#define MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED   1
+
 #define MBEDTLS_SSL_PRESET_DEFAULT              0
 #define MBEDTLS_SSL_PRESET_SUITEB               2

@ -1447,6 +1450,12 @@ struct mbedtls_ssl_config {
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
    defined(MBEDTLS_SSL_CLI_C)
    uint8_t MBEDTLS_PRIVATE(session_tickets);   /*!< use session tickets? */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+    /** Whether we handle NewSessionTicket TLS 1.3 messages (<>0) or just ignore them (==0)
+     *  They are ignored by default.
+     */
+    uint8_t MBEDTLS_PRIVATE(new_session_tickets_enabled);
+#endif
 #endif

 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
@ -4478,6 +4487,20 @@ void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order);
 *                                         MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
 */
 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/**
+ * \brief Enable / Disable TLS 1.3 handling of NewSessionTicket messages (client and TLS 1.3 only).
+ *        (Default: MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED)
+ *
+ * \param conf  SSL configuration
+ * \param new_session_tickets_enabled  Enable or disable
+ *                                     (MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED or
+ *                                      MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED)
+ */
+void mbedtls_ssl_conf_enable_new_session_tickets(mbedtls_ssl_config *conf,
+                                                 int new_session_tickets_enabled);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 #endif /* MBEDTLS_SSL_SESSION_TICKETS &&
          MBEDTLS_SSL_CLI_C */

--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -3013,7 +3013,14 @@ void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
 {
    conf->session_tickets = use_tickets;
 }
-#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+void mbedtls_ssl_conf_enable_new_session_tickets(mbedtls_ssl_config *conf,
+                                                 int new_session_tickets_enabled)
+{
+    conf->new_session_tickets_enabled = new_session_tickets_enabled;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif /* MBEDTLS_SSL_CLI_C */

 #if defined(MBEDTLS_SSL_SRV_C)

@ -5879,6 +5886,9 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
        conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
        conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+        conf->new_session_tickets_enabled = MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED;
+#endif
 #endif
    }
 #endif