disable session resumption when ticket expired

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 73a854d..2ed6ce6 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -720,6 +720,30 @@
     int ret;
     size_t session_id_len;
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+    defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+    defined(MBEDTLS_HAVE_TIME)
+    /* Check if a tls13 ticket has been configured. */
+    if( ssl->session_negotiate->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+        ssl->handshake->resume != 0 &&
+        ssl->session_negotiate != NULL &&
+        ssl->session_negotiate->ticket != NULL )
+    {
+        mbedtls_time_t now = mbedtls_time( NULL );
+        if( ssl->session_negotiate->ticket_received > now ||
+            (uint64_t)( now - ssl->session_negotiate->ticket_received )
+                    > ssl->session_negotiate->ticket_lifetime )
+        {
+            /* Without valid ticket, disable session resumption.*/
+            MBEDTLS_SSL_DEBUG_MSG(
+                3, ( "Ticket expired, disable session resumption" ) );
+            ssl->handshake->resume = 0;
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
+          MBEDTLS_SSL_SESSION_TICKETS &&
+          MBEDTLS_HAVE_TIME */
+
     if( ssl->conf->f_rng == NULL )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) );
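Review bot: The added guard dereferences `ssl->session_negotiate->tls_version` before it tests `ssl->session_negotiate != NULL`, so the NULL test cannot protect the first operand. Put the pointer test first, `if( ssl->session_negotiate != NULL && ssl->session_negotiate->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&`, or drop it if callers guarantee a non-NULL session. Separately, the expired path now only clears `ssl->handshake->resume`; it no longer zeroizes and frees the ticket as the removed block further down did, so the expired ticket bytes stay in `session_negotiate`. Please confirm that any later code building the PSK offer keys on `resume` rather than on `ticket != NULL`, and that the ticket is still wiped when the session is freed; neither is visible in this diff. The enclosing function starts before this hunk.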
@@ -843,33 +867,6 @@
         }
     }
 
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
-    defined(MBEDTLS_SSL_SESSION_TICKETS) && \
-    defined(MBEDTLS_HAVE_TIME)
-    /* Check if a tls13 ticket has been configured. */
-    if( ssl->session_negotiate->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
-        ssl->handshake->resume != 0 &&
-        ssl->session_negotiate != NULL &&
-        ssl->session_negotiate->ticket != NULL )
-    {
-        mbedtls_time_t now = mbedtls_time( NULL );
-        if( ssl->session_negotiate->ticket_received > now ||
-            (uint64_t)( now - ssl->session_negotiate->ticket_received )
-                    > ssl->session_negotiate->ticket_lifetime )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket expired" ) );
-            mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
-                                      ssl->session_negotiate->ticket_len );
-            mbedtls_free( ssl->session_negotiate->ticket );
-            ssl->session_negotiate->ticket = NULL;
-            ssl->session_negotiate->ticket_len = 0;
-        }
-
-    }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
-          MBEDTLS_SSL_SESSION_TICKETS &&
-          MBEDTLS_HAVE_TIME */
-
     return( 0 );
 }