Add ticket creation time to TLS 1.2 session serialization
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 7d371bf..8fc4d4d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8951,6 +8951,7 @@
* opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
* opaque ticket<0..2^24-1>; // length 0 means no ticket
* uint32 ticket_lifetime;
+ * uint64 ticket_creation_time;
* uint8 mfl_code; // up to 255 according to standard
* uint8 encrypt_then_mac; // 0 or 1
* } serialized_session_tls12;
@@ -9058,7 +9059,8 @@
/*
* Session ticket if any, plus associated data
*/
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_CLI_C)
if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
@@ -9076,7 +9078,18 @@
p += 4;
}
}
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ used += 8;
+
+ if (used <= buf_len) {
+ MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
+ p += 8;
+ }
+ }
+#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
/*
* Misc extension-related info
@@ -9242,7 +9255,8 @@
/*
* Session ticket and associated data
*/
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_CLI_C)
if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
if (3 > (size_t) (end - p)) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
@@ -9272,7 +9286,17 @@
session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
p += 4;
}
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ if (8 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
+ p += 8;
+ }
+#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
/*
* Misc extension-related info
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 8f20fa6..c0c5ca4 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -1639,6 +1639,8 @@
int endpoint_type,
const char *crt_file)
{
+ (void) ticket_len;
+
#if defined(MBEDTLS_HAVE_TIME)
session->start = mbedtls_time(NULL) - 42;
#endif
@@ -1710,7 +1712,8 @@
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED && MBEDTLS_FS_IO */
session->verify_result = 0xdeadbeef;
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_CLI_C)
if (ticket_len != 0) {
session->ticket = mbedtls_calloc(1, ticket_len);
if (session->ticket == NULL) {
@@ -1720,9 +1723,14 @@
}
session->ticket_len = ticket_len;
session->ticket_lifetime = 86401;
-#else
- (void) ticket_len;
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_HAVE_TIME)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ session->ticket_creation_time = mbedtls_ms_time() - 42;
+ }
#endif
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
session->mfl_code = 1;
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index b116705..bcddba2 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -1972,26 +1972,13 @@
* Make sure both session structures are identical
*/
#if defined(MBEDTLS_HAVE_TIME)
- switch (tls_version) {
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SRV_C)
- case MBEDTLS_SSL_VERSION_TLS1_3:
- TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time);
- break;
-#endif
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- case MBEDTLS_SSL_VERSION_TLS1_2:
- TEST_ASSERT(original.start == restored.start);
- break;
-#endif
-
- default:
- /* should never happen */
- TEST_ASSERT(0);
- break;
+ if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
+ TEST_ASSERT(original.start == restored.start);
}
-
-
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
+ TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time);
#endif
+#endif /* MBEDTLS_HAVE_TIME */
TEST_ASSERT(original.tls_version == restored.tls_version);
TEST_ASSERT(original.endpoint == restored.endpoint);
@@ -2070,11 +2057,6 @@
original.max_early_data_size == restored.max_early_data_size);
#endif
-#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
- if (endpoint_type == MBEDTLS_SSL_IS_SERVER) {
- TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time);
- }
-#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
if (endpoint_type == MBEDTLS_SSL_IS_CLIENT) {
#if defined(MBEDTLS_HAVE_TIME)