Do not add a new field in the SSL config

We cannot add a new field in SSL config in an LTS. Use `session_tickets` field instead. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-03-14 01:26:49 +00:00 · 2024-08-28 07:45:57 +02:00 · 2024-08-28 07:45:57 +02:00 · d67f801c63
commit d67f801c63
parent 57ad182644
6 changed files with 70 additions and 25 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -332,8 +332,8 @@
 #define MBEDTLS_SSL_SESSION_TICKETS_DISABLED     0
 #define MBEDTLS_SSL_SESSION_TICKETS_ENABLED      1

-#define MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED  0
-#define MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED   1
+#define MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED  0
+#define MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED   1

 #define MBEDTLS_SSL_PRESET_DEFAULT              0
 #define MBEDTLS_SSL_PRESET_SUITEB               2
@ -1458,12 +1458,6 @@ struct mbedtls_ssl_config {
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
    defined(MBEDTLS_SSL_CLI_C)
    uint8_t MBEDTLS_PRIVATE(session_tickets);   /*!< use session tickets? */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    /** Whether we handle NewSessionTicket TLS 1.3 messages (<>0) or just ignore them (==0)
-     *  They are ignored by default.
-     */
-    uint8_t MBEDTLS_PRIVATE(new_session_tickets_enabled);
-#endif
 #endif

 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
@ -4485,8 +4479,8 @@ void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order);
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
    defined(MBEDTLS_SSL_CLI_C)
 /**
- * \brief          Enable / Disable session tickets (client only).
- *                 (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.)
+ * \brief          Enable / Disable TLS 1.2 session tickets (client and TLS 1.2 only).
+ *                 Disabled by default.
 *
 * \note           On server, use \c mbedtls_ssl_conf_session_tickets_cb().
 *
@ -4496,6 +4490,16 @@ void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order);
 */
 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets);

+/**
+ * \brief          Get if TLS 1.2 session tickets usage is enabled or not
+ *
+ * \param conf     SSL configuration
+ *
+ * \return         MBEDTLS_SSL_SESSION_TICKETS_ENABLED or
+ *                 MBEDTLS_SSL_SESSION_TICKETS_DISABLED
+ */
+int mbedtls_ssl_conf_get_session_tickets(const mbedtls_ssl_config *conf);
+
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 /**
 * \brief Enable / Disable handling of TLS 1.3 NewSessionTicket messages (client and TLS 1.3 only).
@ -4525,12 +4529,23 @@ void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
 *        error code are then failing.
 *
 * \param conf  SSL configuration
- * \param new_session_tickets_enabled  Enable or disable
- *                                     (MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED or
- *                                      MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED)
+ * \param use_new_session_tickets Enable or disable
+ *                                (MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED or
+ *                                 MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED)
 */
 void mbedtls_ssl_conf_enable_new_session_tickets(mbedtls_ssl_config *conf,
-                                                 int new_session_tickets_enabled);
+                                                 int use_new_session_tickets);
+
+/**
+ * \brief          Get if usage of TLS 1.3 NewSessionTicket messages is enabled or not
+ *
+ * \param conf     SSL configuration
+ *
+ * \return         MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED or
+ *                 MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED
+ */
+int mbedtls_ssl_conf_is_new_session_tickets_enabled(const mbedtls_ssl_config *conf);
+
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 #endif /* MBEDTLS_SSL_SESSION_TICKETS &&
          MBEDTLS_SSL_CLI_C */
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@ -5595,8 +5595,8 @@ static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
        if (ssl_tls13_is_new_session_ticket(ssl)) {
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
            MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
-            if (ssl->conf->new_session_tickets_enabled ==
-                MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED) {
+            if (mbedtls_ssl_conf_is_new_session_tickets_enabled(ssl->conf) ==
+                MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED) {
                ssl->keep_current_message = 1;

                mbedtls_ssl_handshake_set_state(ssl,
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -3009,15 +3009,43 @@ void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,

 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
 #if defined(MBEDTLS_SSL_CLI_C)
+
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT 0
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT 1
+
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK \
+    (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT)
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \
+    (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT)
+
 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
 {
-    conf->session_tickets = use_tickets;
+    conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK;
+    conf->session_tickets |= (use_tickets != 0) <<
+                             MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT;
 }
+
+int mbedtls_ssl_conf_get_session_tickets(const mbedtls_ssl_config *conf)
+{
+    return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK ?
+           MBEDTLS_SSL_SESSION_TICKETS_ENABLED :
+           MBEDTLS_SSL_SESSION_TICKETS_DISABLED;
+}
+
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 void mbedtls_ssl_conf_enable_new_session_tickets(mbedtls_ssl_config *conf,
-                                                 int new_session_tickets_enabled)
+                                                 int use_new_session_tickets)
 {
-    conf->new_session_tickets_enabled = new_session_tickets_enabled;
+    conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK;
+    conf->session_tickets |= (use_new_session_tickets != 0) <<
+                             MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT;
+}
+
+int mbedtls_ssl_conf_is_new_session_tickets_enabled(const mbedtls_ssl_config *conf)
+{
+    return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK ?
+           MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED :
+           MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED;
 }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 #endif /* MBEDTLS_SSL_CLI_C */
@ -5885,9 +5913,9 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
    if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
        conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
-        conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
+        mbedtls_ssl_conf_session_tickets(conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-        conf->new_session_tickets_enabled = MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED;
+        mbedtls_ssl_conf_enable_new_session_tickets(conf, MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED);
 #endif
 #endif
    }
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@ -364,7 +364,8 @@ static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,

    *olen = 0;

-    if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
+    if (mbedtls_ssl_conf_get_session_tickets(ssl->conf) ==
+        MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
        return 0;
    }

@ -787,7 +788,8 @@ static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
                                        const unsigned char *buf,
                                        size_t len)
 {
-    if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
+    if ((mbedtls_ssl_conf_get_session_tickets(ssl->conf) ==
+         MBEDTLS_SSL_SESSION_TICKETS_DISABLED) ||
        len != 0) {
        MBEDTLS_SSL_DEBUG_MSG(1,
                              ("non-matching session ticket extension"));
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -82,7 +82,7 @@ int main(void)
 #define DFL_CID_VALUE_RENEGO    NULL
 #define DFL_RECONNECT_HARD      0
 #define DFL_TICKETS             MBEDTLS_SSL_SESSION_TICKETS_ENABLED
-#define DFL_NEW_SESSION_TICKETS MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED
+#define DFL_NEW_SESSION_TICKETS MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED
 #define DFL_ALPN_STRING         NULL
 #define DFL_GROUPS              NULL
 #define DFL_SIG_ALGS            NULL
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@ -2544,7 +2544,7 @@ int mbedtls_test_get_tls13_ticket(
    TEST_EQUAL(ret, 0);

    mbedtls_ssl_conf_enable_new_session_tickets(
-        &client_ep.conf, MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED);
+        &client_ep.conf, MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED);

    mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
                                        mbedtls_test_ticket_write,