diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index c89a5cdb0..05249ea07 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -498,16 +498,17 @@ int mbedtls_ssl_ticket_parse(void *p_ticket, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { /* Check for expiration */ - mbedtls_ms_time_t ticket_age = mbedtls_ms_time() - session->start; + mbedtls_ms_time_t ticket_age = mbedtls_ms_time() - session->ticket_creation; mbedtls_ms_time_t ticket_lifetime = ctx->ticket_lifetime * 1000; if (ticket_age < 0 || ticket_age > ticket_lifetime) { ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; goto cleanup; } - } else + } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - { +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { /* Check for expiration */ mbedtls_time_t current_time = mbedtls_time(NULL); @@ -517,6 +518,7 @@ int mbedtls_ssl_ticket_parse(void *p_ticket, goto cleanup; } } +#endif #endif /* MBEDTLS_HAVE_TIME */ cleanup: diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f8555767e..d7276362f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2537,7 +2537,7 @@ static int ssl_tls13_session_save(const mbedtls_ssl_session *session, #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { - MBEDTLS_PUT_UINT64_BE((uint64_t) session->start, p, 0); + MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation, p, 0); p += 8; } #endif /* MBEDTLS_HAVE_TIME */ @@ -2616,7 +2616,7 @@ static int ssl_tls13_session_load(mbedtls_ssl_session *session, if (end - p < 8) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - session->start = MBEDTLS_GET_UINT64_BE(p, 0); + session->ticket_creation = MBEDTLS_GET_UINT64_BE(p, 0); p += 8; } #endif /* MBEDTLS_HAVE_TIME */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 7b8cc6e74..744e984ac 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -193,15 +193,15 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( #if defined(MBEDTLS_HAVE_TIME) now = mbedtls_ms_time(); - if (now < session->start) { + if (now < session->ticket_creation) { MBEDTLS_SSL_DEBUG_MSG( 3, ("Invalid ticket start time ( now = %" MBEDTLS_PRINTF_MS_TIME ", start = %" MBEDTLS_PRINTF_MS_TIME " )", - now, session->start)); + now, session->ticket_creation)); goto exit; } - server_age = now - session->start; + server_age = now - session->ticket_creation; /* RFC 8446 section 4.6.1 * @@ -2880,7 +2880,7 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG(2, ("=> prepare NewSessionTicket msg")); #if defined(MBEDTLS_HAVE_TIME) - session->start = mbedtls_ms_time(); + session->ticket_creation = mbedtls_ms_time(); #endif /* Set ticket_flags depends on the advertised psk key exchange mode */ diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 7df30f017..a8f47149f 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1421,22 +1421,23 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, case 2: /* Callback function return ticket expired */ return MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) case 3: /* Built-in check, the start time is in future. */ - session->start = mbedtls_ms_time() + 10 * 1000; + session->ticket_creation = mbedtls_ms_time() + 10 * 1000; break; case 4: /* Built-in check, ticket expired due to too old. */ - session->start = mbedtls_ms_time() - 10 * 1000 - 7 * 24 * 3600 * 1000; + session->ticket_creation = mbedtls_ms_time() - 10 * 1000 - 7 * 24 * 3600 * 1000; break; case 5: /* Built-in check, age outside tolerance window, too young. */ - session->start = mbedtls_ms_time() - 10 * 1000; + session->ticket_creation = mbedtls_ms_time() - 10 * 1000; break; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + case 6: /* Built-in check, age outside tolerance window, too old. */ - session->start = mbedtls_ms_time(); + session->ticket_creation = mbedtls_ms_time(); session->ticket_age_add -= 1000; break; case 7: