diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 0f008ea3e..1d5f4281f 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1337,7 +1337,7 @@ struct mbedtls_ssl_config #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ defined(MBEDTLS_SSL_SRV_C) && \ defined(MBEDTLS_SSL_PROTO_TLS1_3) - uint16_t MBEDTLS_PRIVATE(new_session_tickets); /*!< number of NewSessionTicket */ + uint16_t MBEDTLS_PRIVATE(new_session_tickets_count); /*!< number of NewSessionTicket */ #endif #if defined(MBEDTLS_SSL_SRV_C) @@ -4137,10 +4137,10 @@ void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets defined(MBEDTLS_SSL_SRV_C) && \ defined(MBEDTLS_SSL_PROTO_TLS1_3) /** - * \brief Number of NewSessionTicket message that sent by server. + * \brief Number of NewSessionTicket messages for the server to send + * after handshake completion. * (Default: MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS) * - * * \param conf SSL configuration * \param num_tickets Number of NewSessionTicket. * diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 2621d2005..7e060d334 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -625,7 +625,7 @@ struct mbedtls_ssl_handshake_params uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */ #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - int tls13_session_tickets; /*!< number of session tickets */ + int new_session_tickets_count; /*!< number of session tickets */ #endif #endif /* MBEDTLS_SSL_SRV_C */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 065b354d0..de6bae283 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -674,6 +674,7 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) mbedtls_pk_init( &handshake->peer_pubkey ); #endif + } void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform ) @@ -763,6 +764,13 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) mbedtls_ssl_transform_init( ssl->transform_negotiate ); ssl_handshake_params_init( ssl->handshake ); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_SSL_SRV_C) && \ + defined(MBEDTLS_SSL_SESSION_TICKETS) + ssl->handshake->new_session_tickets_count = + ssl->conf->new_session_tickets_count ; +#endif + #if defined(MBEDTLS_SSL_PROTO_DTLS) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { @@ -2612,11 +2620,11 @@ void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets #if defined(MBEDTLS_SSL_SRV_C) -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) void mbedtls_ssl_conf_new_session_tickets( mbedtls_ssl_config *conf, uint16_t num_tickets ) { - conf->new_session_tickets = num_tickets; + conf->new_session_tickets_count = num_tickets; } #endif @@ -4653,7 +4661,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_3) -#if defined(MBEDTLS_SSL_SRV_C) +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) mbedtls_ssl_conf_new_session_tickets( conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS ); #endif diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 780740897..40ac47667 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2617,10 +2617,23 @@ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_new_session_ticket_coordinate( mbedtls_ssl_context *ssl ) { /* Check whether the use of session tickets is enabled */ - if( ssl->conf->f_ticket_write == NULL || - ssl->handshake->tls13_session_tickets == 0 ) + if( ssl->conf->f_ticket_write == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "new session ticket is not enabled" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: disabled," + " callback is not set" ) ); + return( SSL_NEW_SESSION_TICKET_SKIP ); + } + if( ssl->conf->new_session_tickets_count == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: disabled," + " configured count is zero" ) ); + return( SSL_NEW_SESSION_TICKET_SKIP ); + } + + if( ssl->handshake->new_session_tickets_count == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: all tickets have " + "been sent." ) ); return( SSL_NEW_SESSION_TICKET_SKIP ); } @@ -2642,9 +2655,9 @@ static int ssl_tls13_prepare_new_session_ticket( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> prepare NewSessionTicket msg" ) ); if( ssl->handshake->resume == 1 ) - ssl->handshake->tls13_session_tickets = 0; + ssl->handshake->new_session_tickets_count = 0; else - ssl->handshake->tls13_session_tickets--; + ssl->handshake->new_session_tickets_count--; #if defined(MBEDTLS_HAVE_TIME) session->start = mbedtls_time( NULL ); #endif @@ -2890,12 +2903,6 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) /* start state */ case MBEDTLS_SSL_HELLO_REQUEST: mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) - ssl->handshake->tls13_session_tickets = - ssl->conf->new_session_tickets ? - ssl->conf->new_session_tickets : - MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS; -#endif ret = 0; break; @@ -3014,7 +3021,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) */ ret = 0; - if( ssl->handshake->tls13_session_tickets == 0 ) + if( ssl->handshake->new_session_tickets_count == 0 ) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); else mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET );