Do not add a new field in the SSL config We cannot add a new field in SSL config in an LTS. Use `session_tickets` field instead. Signed-off-by: Ronald Cron <ronald.cron@arm.com>

commit: d67f801c63977dcd1f5876615f46d8f59ba51eff [log] [tgz]
author: Ronald Cron <ronald.cron@arm.com> Wed Aug 28 07:45:57 2024 +0200
committer: Ronald Cron <ronald.cron@arm.com> Wed Aug 28 10:41:54 2024 +0200
tree: 8e6052638bf0ca6fd6f50b7875bdc3f6e8941db8
parent: 57ad182644bbfb26248c0a639619dbed7d8da927 [diff]
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index ed3489f..2eb4f9c 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h

@@ -332,8 +332,8 @@
 #define MBEDTLS_SSL_SESSION_TICKETS_DISABLED     0
 #define MBEDTLS_SSL_SESSION_TICKETS_ENABLED      1
 
-#define MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED  0
-#define MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED   1
+#define MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED  0
+#define MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED   1
 
 #define MBEDTLS_SSL_PRESET_DEFAULT              0
 #define MBEDTLS_SSL_PRESET_SUITEB               2
@@ -1458,12 +1458,6 @@
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
     defined(MBEDTLS_SSL_CLI_C)
     uint8_t MBEDTLS_PRIVATE(session_tickets);   /*!< use session tickets? */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    /** Whether we handle NewSessionTicket TLS 1.3 messages (<>0) or just ignore them (==0)
-     *  They are ignored by default.
-     */
-    uint8_t MBEDTLS_PRIVATE(new_session_tickets_enabled);
-#endif
 #endif
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
@@ -4485,8 +4479,8 @@
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
     defined(MBEDTLS_SSL_CLI_C)
 /**
- * \brief          Enable / Disable session tickets (client only).
- *                 (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.)
+ * \brief          Enable / Disable TLS 1.2 session tickets (client and TLS 1.2 only).
+ *                 Disabled by default.
  *
  * \note           On server, use \c mbedtls_ssl_conf_session_tickets_cb().
  *
@@ -4496,6 +4490,16 @@
  */
 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets);
 
+/**
+ * \brief          Get if TLS 1.2 session tickets usage is enabled or not
+ *
+ * \param conf     SSL configuration
+ *
+ * \return         MBEDTLS_SSL_SESSION_TICKETS_ENABLED or
+ *                 MBEDTLS_SSL_SESSION_TICKETS_DISABLED
+ */
+int mbedtls_ssl_conf_get_session_tickets(const mbedtls_ssl_config *conf);
+
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 /**
  * \brief Enable / Disable handling of TLS 1.3 NewSessionTicket messages (client and TLS 1.3 only).
@@ -4525,12 +4529,23 @@
  *        error code are then failing.
  *
  * \param conf  SSL configuration
- * \param new_session_tickets_enabled  Enable or disable
- *                                     (MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED or
- *                                      MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED)
+ * \param use_new_session_tickets Enable or disable
+ *                                (MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED or
+ *                                 MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED)
  */
 void mbedtls_ssl_conf_enable_new_session_tickets(mbedtls_ssl_config *conf,
-                                                 int new_session_tickets_enabled);
+                                                 int use_new_session_tickets);
+
+/**
+ * \brief          Get if usage of TLS 1.3 NewSessionTicket messages is enabled or not
+ *
+ * \param conf     SSL configuration
+ *
+ * \return         MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED or
+ *                 MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED
+ */
+int mbedtls_ssl_conf_is_new_session_tickets_enabled(const mbedtls_ssl_config *conf);
+
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 #endif /* MBEDTLS_SSL_SESSION_TICKETS &&
           MBEDTLS_SSL_CLI_C */

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 65ad324..58063c7 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c

@@ -5595,8 +5595,8 @@
         if (ssl_tls13_is_new_session_ticket(ssl)) {
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
             MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
-            if (ssl->conf->new_session_tickets_enabled ==
-                MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED) {
+            if (mbedtls_ssl_conf_is_new_session_tickets_enabled(ssl->conf) ==
+                MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED) {
                 ssl->keep_current_message = 1;
 
                 mbedtls_ssl_handshake_set_state(ssl,

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 21d70af..89588a4 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -3009,15 +3009,43 @@
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
 #if defined(MBEDTLS_SSL_CLI_C)
+
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT 0
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT 1
+
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK \
+    (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT)
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \
+    (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT)
+
 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
 {
-    conf->session_tickets = use_tickets;
+    conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK;
+    conf->session_tickets |= (use_tickets != 0) <<
+                             MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT;
 }
+
+int mbedtls_ssl_conf_get_session_tickets(const mbedtls_ssl_config *conf)
+{
+    return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK ?
+           MBEDTLS_SSL_SESSION_TICKETS_ENABLED :
+           MBEDTLS_SSL_SESSION_TICKETS_DISABLED;
+}
+
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 void mbedtls_ssl_conf_enable_new_session_tickets(mbedtls_ssl_config *conf,
-                                                 int new_session_tickets_enabled)
+                                                 int use_new_session_tickets)
 {
-    conf->new_session_tickets_enabled = new_session_tickets_enabled;
+    conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK;
+    conf->session_tickets |= (use_new_session_tickets != 0) <<
+                             MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT;
+}
+
+int mbedtls_ssl_conf_is_new_session_tickets_enabled(const mbedtls_ssl_config *conf)
+{
+    return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK ?
+           MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED :
+           MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED;
 }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 #endif /* MBEDTLS_SSL_CLI_C */
@@ -5885,9 +5913,9 @@
     if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
         conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
-        conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
+        mbedtls_ssl_conf_session_tickets(conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-        conf->new_session_tickets_enabled = MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED;
+        mbedtls_ssl_conf_enable_new_session_tickets(conf, MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED);
 #endif
 #endif
     }

diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index eac6a3a..9b2da5a 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c

@@ -364,7 +364,8 @@
 
     *olen = 0;
 
-    if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
+    if (mbedtls_ssl_conf_get_session_tickets(ssl->conf) ==
+        MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
         return 0;
     }
 
@@ -787,7 +788,8 @@
                                         const unsigned char *buf,
                                         size_t len)
 {
-    if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
+    if ((mbedtls_ssl_conf_get_session_tickets(ssl->conf) ==
+         MBEDTLS_SSL_SESSION_TICKETS_DISABLED) ||
         len != 0) {
         MBEDTLS_SSL_DEBUG_MSG(1,
                               ("non-matching session ticket extension"));

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 2ae715b..7029e26 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c

@@ -82,7 +82,7 @@
 #define DFL_CID_VALUE_RENEGO    NULL
 #define DFL_RECONNECT_HARD      0
 #define DFL_TICKETS             MBEDTLS_SSL_SESSION_TICKETS_ENABLED
-#define DFL_NEW_SESSION_TICKETS MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED
+#define DFL_NEW_SESSION_TICKETS MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED
 #define DFL_ALPN_STRING         NULL
 #define DFL_GROUPS              NULL
 #define DFL_SIG_ALGS            NULL

diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 7d5d889..b0fe2bd 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c

@@ -2544,7 +2544,7 @@
     TEST_EQUAL(ret, 0);
 
     mbedtls_ssl_conf_enable_new_session_tickets(
-        &client_ep.conf, MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED);
+        &client_ep.conf, MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED);
 
     mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
                                         mbedtls_test_ticket_write,
commit	d67f801c63977dcd1f5876615f46d8f59ba51eff	[log] [tgz]
author	Ronald Cron <ronald.cron@arm.com>	Wed Aug 28 07:45:57 2024 +0200
committer	Ronald Cron <ronald.cron@arm.com>	Wed Aug 28 10:41:54 2024 +0200
tree	8e6052638bf0ca6fd6f50b7875bdc3f6e8941db8
parent	57ad182644bbfb26248c0a639619dbed7d8da927 [diff]