commit 4beb870fa86a06f3c5313e9d0343f8456e9c2056
author Ronald Cron <ronald.cron@arm.com> Fri Jul 22 11:35:05 2022 +0200
committer GitHub <noreply@github.com> Fri Jul 22 11:35:05 2022 +0200
tree f18116e2393639158a43316c4aaa595c7cf877d6
parent a948f0588c82e5674a894079c6bf79584d17ee19
parent 34e90fac27c057bedc1a4a97d080f4f8f9f3bb0c

Merge pull request #6064 from xkqian/tls13_add_psk

Add psk code to tls13 client side

ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt

diff --git a/ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt b/ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt
new file mode 100644
index 0000000..1d59c22
--- /dev/null
+++ b/ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt
@@ -0,0 +1,4 @@
+Bugfix
+   * Fix a long-standing build failure when building x86 PIC code with old
+     gcc (4.x). The code will be slower, but will compile. We do however
+     recommend upgrading to a more recent compiler instead. Fixes #1910.

include/mbedtls/ssl.h

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index e665ec1..5512482 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -667,6 +667,7 @@
     MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO,
     MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO,
     MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST,
+    MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH,
 }
 mbedtls_ssl_states;
 

library/bn_mul.h

diff --git a/library/bn_mul.h b/library/bn_mul.h
index 962d7a9..831e1d7 100644
--- a/library/bn_mul.h
+++ b/library/bn_mul.h
@@ -91,12 +91,28 @@
     ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 )
 
 /*
+ * GCC < 5.0 treated the x86 ebx (which is used for the GOT) as a
+ * fixed reserved register when building as PIC, leading to errors
+ * like: bn_mul.h:46:13: error: PIC register clobbered by 'ebx' in 'asm'
+ *
+ * This is fixed by an improved register allocator in GCC 5+. From the
+ * release notes:
+ * Register allocation improvements: Reuse of the PIC hard register,
+ * instead of using a fixed register, was implemented on x86/x86-64
+ * targets. This improves generated PIC code performance as more hard
+ * registers can be used.
+ */
+#if defined(__GNUC__) && __GNUC__ < 5 && defined(__PIC__)
+#define MULADDC_CANNOT_USE_EBX
+#endif
+
+/*
  * Disable use of the i386 assembly code below if option -O0, to disable all
  * compiler optimisations, is passed, detected with __OPTIMIZE__
  * This is done as the number of registers used in the assembly code doesn't
  * work with the -O0 option.
  */
-#if defined(__i386__) && defined(__OPTIMIZE__)
+#if defined(__i386__) && defined(__OPTIMIZE__) && !defined(MULADDC_CANNOT_USE_EBX)
 
 #define MULADDC_X1_INIT                     \
     { mbedtls_mpi_uint t;                   \

library/ssl_misc.h

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index ca57114..089b7d4 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -611,14 +611,19 @@
      * Handshake specific crypto variables
      */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    int tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */
+    uint8_t key_exchange_mode; /*!< Selected key exchange mode */
 
     /** Number of HelloRetryRequest messages received/sent from/to the server. */
     int hello_retry_request_count;
+
 #if defined(MBEDTLS_SSL_SRV_C)
     /** selected_group of key_share extension in HelloRetryRequest message. */
     uint16_t hrr_selected_group;
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+    uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
+#endif
 #endif /* MBEDTLS_SSL_SRV_C */
+
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
@@ -1773,6 +1778,7 @@
                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
 }
 
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
 /**
  * Given a list of key exchange modes, check if at least one of them is
  * supported.
@@ -1819,6 +1825,30 @@
     return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
 }
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+/*
+ * Helper functions to check the selected key exchange mode.
+ */
+static inline int mbedtls_ssl_tls13_key_exchange_mode_check(
+    mbedtls_ssl_context *ssl, int kex_mask )
+{
+    return( ( ssl->handshake->key_exchange_mode & kex_mask ) != 0 );
+}
+
+static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk(
+    mbedtls_ssl_context *ssl )
+{
+    return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl,
+                   MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
+}
+
+static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(
+    mbedtls_ssl_context *ssl )
+{
+    return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl,
+                   MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
+}
 
 /*
  * Fetch TLS 1.3 handshake message header

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 5a72fed..6d91011 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -443,6 +443,7 @@
 static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
                                       unsigned char *buf,
                                       size_t buf_len );
+
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_session_load_tls12( mbedtls_ssl_session *session,
                                    const unsigned char *buf,
@@ -1885,6 +1886,19 @@
 }
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+static size_t ssl_session_save_tls13( const mbedtls_ssl_session *session,
+                                      unsigned char *buf,
+                                      size_t buf_len )
+{
+    ((void) session);
+    ((void) buf);
+    ((void) buf_len);
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
 psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_type,
                                     size_t taglen,
                                     psa_algorithm_t *alg,
@@ -2811,6 +2825,7 @@
 {
     unsigned char *p = buf;
     size_t used = 0;
+    size_t remaining_len;
 
     if( !omit_header )
     {
@@ -2838,17 +2853,25 @@
     }
 
     /* Forward to version-specific serialization routine. */
+    remaining_len = (buf_len >= used) ? buf_len - used : 0;
     switch( session->tls_version )
     {
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
     case MBEDTLS_SSL_VERSION_TLS1_2:
     {
-        size_t remaining_len = used <= buf_len ? buf_len - used : 0;
         used += ssl_session_save_tls12( session, p, remaining_len );
         break;
     }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+    case MBEDTLS_SSL_VERSION_TLS1_3:
+    {
+        used += ssl_session_save_tls13( session, p, remaining_len );
+        break;
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
     default:
         return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
     }

library/ssl_tls13_client.c

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 0a7edc1..cd3be46 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1615,17 +1615,17 @@
     {
         /* Only the pre_shared_key extension was received */
         case MBEDTLS_SSL_EXT_PRE_SHARED_KEY:
-            handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
+            handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
             break;
 
         /* Only the key_share extension was received */
         case MBEDTLS_SSL_EXT_KEY_SHARE:
-            handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
+            handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
             break;
 
         /* Both the pre_shared_key and key_share extensions were received */
         case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ):
-            handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
+            handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
             break;
 
         /* Neither pre_shared_key nor key_share extension was received */
@@ -1874,7 +1874,7 @@
                                         buf, buf_len );
 
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-    if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
+    if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
         mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
     else
         mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
@@ -1909,12 +1909,6 @@
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
-    if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= skip parse certificate request" ) );
-        return( SSL_CERTIFICATE_REQUEST_SKIP );
-    }
-
     if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );

library/ssl_tls13_keys.c

diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 51743bb..c306d3c 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -1237,7 +1237,7 @@
      * client_handshake_traffic_secret and server_handshake_traffic_secret
      * are derived in the handshake secret derivation stage.
      */
-    if( mbedtls_ssl_tls13_ephemeral_enabled( ssl ) )
+    if( mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
     {
         if( mbedtls_ssl_tls13_named_group_is_ecdhe( handshake->offered_group_id ) )
         {

library/ssl_tls13_server.c

diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 7c28c57..4a0d6d9 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -397,7 +397,7 @@
     if( !ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) )
         return( 0 );
 
-    ssl->handshake->tls13_kex_modes =
+    ssl->handshake->key_exchange_mode =
         MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
     return( 1 );
 }
@@ -585,6 +585,11 @@
      */
     ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
 
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    /* Store minor version for later use with ticket serialization. */
+    ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+#endif
+
     /* ...
      * Random random;
      * ...
@@ -1167,7 +1172,7 @@
      * of the HRR is then to transmit a cookie to force the client to demonstrate
      * reachability at their apparent network address (primarily useful for DTLS).
      */
-    if( ! mbedtls_ssl_tls13_some_ephemeral_enabled( ssl ) )
+    if( ! mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
         return( 0 );
 
     /* We should only send the key_share extension if the client's initial
@@ -1555,7 +1560,7 @@
                               ssl, buf_len, msg_len ) );
 
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-    if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
+    if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
         mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
     else
         mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
@@ -1807,11 +1812,274 @@
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
 
     mbedtls_ssl_tls13_handshake_wrapup( ssl );
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET );
+#else
     mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
+#endif
     return( 0 );
 }
 
 /*
+ * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
+ */
+#define SSL_NEW_SESSION_TICKET_SKIP  0
+#define SSL_NEW_SESSION_TICKET_WRITE 1
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_new_session_ticket_coordinate( mbedtls_ssl_context *ssl )
+{
+    /* Check whether the use of session tickets is enabled */
+    if( ssl->conf->f_ticket_write == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "new session ticket is not enabled" ) );
+        return( SSL_NEW_SESSION_TICKET_SKIP );
+    }
+
+    return( SSL_NEW_SESSION_TICKET_WRITE );
+}
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_prepare_new_session_ticket( mbedtls_ssl_context *ssl,
+                                                 unsigned char *ticket_nonce,
+                                                 size_t ticket_nonce_size )
+{
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ssl_session *session = ssl->session;
+    mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+    psa_algorithm_t psa_hash_alg;
+    int hash_length;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> prepare NewSessionTicket msg" ) );
+
+#if defined(MBEDTLS_HAVE_TIME)
+    session->start = mbedtls_time( NULL );
+#endif
+
+    /* Generate ticket_age_add */
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng,
+                                  (unsigned char *) &session->ticket_age_add,
+                                  sizeof( session->ticket_age_add ) ) != 0 ) )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_age_add", ret );
+        return( ret );
+    }
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
+                                (unsigned int)session->ticket_age_add ) );
+
+    /* Generate ticket_nonce */
+    ret = ssl->conf->f_rng( ssl->conf->p_rng, ticket_nonce, ticket_nonce_size );
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_nonce", ret );
+        return( ret );
+    }
+    MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:",
+                           ticket_nonce, ticket_nonce_size );
+
+    ciphersuite_info =
+                (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
+    psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
+    hash_length = PSA_HASH_LENGTH( psa_hash_alg );
+    if( hash_length == -1 ||
+        (size_t)hash_length > sizeof( session->resumption_key ) )
+    {
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /* In this code the psk key length equals the length of the hash */
+    session->resumption_key_len = hash_length;
+    session->ciphersuite = ciphersuite_info->id;
+
+    /* Compute resumption key
+     *
+     *  HKDF-Expand-Label( resumption_master_secret,
+     *                    "resumption", ticket_nonce, Hash.length )
+     */
+    ret = mbedtls_ssl_tls13_hkdf_expand_label(
+               psa_hash_alg,
+               session->app_secrets.resumption_master_secret,
+               hash_length,
+               MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
+               ticket_nonce,
+               ticket_nonce_size,
+               session->resumption_key,
+               hash_length );
+
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 2,
+                               "Creating the ticket-resumed PSK failed",
+                               ret );
+        return ( ret );
+    }
+    MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK",
+                           session->resumption_key,
+                           session->resumption_key_len );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
+                           session->app_secrets.resumption_master_secret,
+                           hash_length );
+
+    return( 0 );
+}
+
+/* This function creates a NewSessionTicket message in the following format:
+ *
+ * struct {
+ *    uint32 ticket_lifetime;
+ *    uint32 ticket_age_add;
+ *    opaque ticket_nonce<0..255>;
+ *    opaque ticket<1..2^16-1>;
+ *    Extension extensions<0..2^16-2>;
+ * } NewSessionTicket;
+ *
+ * The ticket inside the NewSessionTicket message is an encrypted container
+ * carrying the necessary information so that the server is later able to
+ * re-start the communication.
+ *
+ * The following fields are placed inside the ticket by the
+ * f_ticket_write() function:
+ *
+ *  - creation time (start)
+ *  - flags (flags)
+ *  - age add (ticket_age_add)
+ *  - key (key)
+ *  - key length (key_len)
+ *  - ciphersuite (ciphersuite)
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl,
+                                                    unsigned char *buf,
+                                                    unsigned char *end,
+                                                    size_t *out_len,
+                                                    unsigned char *ticket_nonce,
+                                                    size_t ticket_nonce_size )
+{
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *p = buf;
+    mbedtls_ssl_session *session = ssl->session;
+    size_t ticket_len;
+    uint32_t ticket_lifetime;
+
+    *out_len = 0;
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write NewSessionTicket msg" ) );
+
+    /*
+     *    ticket_lifetime   4 bytes
+     *    ticket_age_add    4 bytes
+     *    ticket_nonce      1 + ticket_nonce_size bytes
+     *    ticket            >=2 bytes
+     */
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + 4 + 1 + ticket_nonce_size + 2 );
+
+    /* Generate ticket and ticket_lifetime */
+    ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
+                                     session,
+                                     p + 9 + ticket_nonce_size + 2,
+                                     end,
+                                     &ticket_len,
+                                     &ticket_lifetime);
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "write_ticket", ret );
+        return( ret );
+    }
+    /* RFC 8446 4.6.1
+     *  ticket_lifetime:  Indicates the lifetime in seconds as a 32-bit
+     *      unsigned integer in network byte order from the time of ticket
+     *      issuance.  Servers MUST NOT use any value greater than
+     *      604800 seconds (7 days).  The value of zero indicates that the
+     *      ticket should be discarded immediately.  Clients MUST NOT cache
+     *      tickets for longer than 7 days, regardless of the ticket_lifetime,
+     *      and MAY delete tickets earlier based on local policy.  A server
+     *      MAY treat a ticket as valid for a shorter period of time than what
+     *      is stated in the ticket_lifetime.
+     */
+    ticket_lifetime %= 604800;
+    MBEDTLS_PUT_UINT32_BE( ticket_lifetime, p, 0 );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_lifetime: %u",
+                                ( unsigned int )ticket_lifetime ) );
+
+    /* Write ticket_age_add */
+    MBEDTLS_PUT_UINT32_BE( session->ticket_age_add, p, 4 );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
+                                ( unsigned int )session->ticket_age_add ) );
+
+    /* Write ticket_nonce */
+    p[8] = ( unsigned char )ticket_nonce_size;
+    if( ticket_nonce_size > 0 )
+    {
+        memcpy( p + 9, ticket_nonce, ticket_nonce_size );
+    }
+    p += 9 + ticket_nonce_size;
+
+    /* Write ticket */
+    MBEDTLS_PUT_UINT16_BE( ticket_len, p, 0 );
+    p += 2;
+    MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", p, ticket_len);
+    p += ticket_len;
+
+    /* Ticket Extensions
+     *
+     * Note: We currently don't have any extensions.
+     * Set length to zero.
+     */
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+    MBEDTLS_PUT_UINT16_BE( 0, p, 0 );
+    p += 2;
+
+    *out_len = p - buf;
+    MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", buf, *out_len );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
+
+    return( 0 );
+}
+
+/*
+ * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
+ */
+static int ssl_tls13_write_new_session_ticket( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_new_session_ticket_coordinate( ssl ) );
+
+    if( ret == SSL_NEW_SESSION_TICKET_WRITE )
+    {
+        unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];
+        unsigned char *buf;
+        size_t buf_len, msg_len;
+
+        MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_new_session_ticket(
+                                  ssl, ticket_nonce, sizeof( ticket_nonce ) ) );
+
+        MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
+                MBEDTLS_SSL_HS_NEW_SESSION_TICKET, &buf, &buf_len ) );
+
+        MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_new_session_ticket_body(
+                                  ssl, buf, buf + buf_len, &msg_len,
+                                  ticket_nonce, sizeof( ticket_nonce ) ) );
+
+        MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
+                                  ssl, buf_len, msg_len ) );
+
+        mbedtls_ssl_handshake_set_state( ssl,
+                                         MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH );
+    }
+    else
+    {
+        mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
+    }
+
+cleanup:
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+/*
  * TLS 1.3 State Machine -- server side
  */
 int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
@@ -1931,6 +2199,27 @@
             }
             break;
 
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        case MBEDTLS_SSL_NEW_SESSION_TICKET:
+            ret = ssl_tls13_write_new_session_ticket( ssl );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1,
+                                       "ssl_tls13_write_new_session_ticket ",
+                                       ret );
+            }
+            break;
+        case MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH:
+            /* This state is necessary to do the flush of the New Session
+             * Ticket message written in MBEDTLS_SSL_NEW_SESSION_TICKET
+             * as part of ssl_prepare_handshake_step.
+             */
+            ret = 0;
+            mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
+            break;
+
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
         default:
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
             return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );

tests/ssl-opt.sh

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index bffed6c..77e9f4e 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -12673,6 +12673,50 @@
             -c "got new session ticket." \
             -c "HTTP/1.0 200 OK"
 
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_DEBUG_C
+run_test    "TLS 1.3: NewSessionTicket: Basic check, O->m" \
+            "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=1" \
+            "$O_NEXT_CLI -msg -debug -tls1_3 -no_middlebox" \
+            0 \
+            -s "=> write NewSessionTicket msg" \
+            -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
+            -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_DEBUG_C
+run_test    "TLS 1.3: NewSessionTicket: Basic check, G->m" \
+            "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=1" \
+            "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%DISABLE_TLS13_COMPAT_MODE -V" \
+            0 \
+            -s "=> write NewSessionTicket msg" \
+            -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
+            -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" \
+            -c "NEW SESSION TICKET (4) was received"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_DEBUG_C
+run_test    "TLS 1.3: NewSessionTicket: Basic check, m->m" \
+            "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=1" \
+            "$P_CLI debug_level=4" \
+            0 \
+            -c "Protocol is TLSv1.3" \
+            -c "MBEDTLS_SSL_NEW_SESSION_TICKET" \
+            -c "got new session ticket." \
+            -c "HTTP/1.0 200 OK"    \
+            -s "=> write NewSessionTicket msg" \
+            -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
+            -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"
+
 # Test heap memory usage after handshake
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_MEMORY_DEBUG

tests/suites/host_test.function

diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function
index b9ea3d6..bb06822 100644
--- a/tests/suites/host_test.function
+++ b/tests/suites/host_test.function
@@ -590,6 +590,7 @@
              */
             test_files = &argv[ arg_index ];
             testfile_count = argc - arg_index;
+            break;
         }
 
         arg_index++;