Add MBEDTLS_SSL_SESSION_TICKETS guard to server name check
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 0efc8e7..4cf6704 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1182,6 +1182,7 @@
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+ uint8_t MBEDTLS_PRIVATE(endpoint); /*!< 0: client, 1: server */
uint8_t MBEDTLS_PRIVATE(ticket_flags); /*!< Ticket flags */
uint32_t MBEDTLS_PRIVATE(ticket_age_add); /*!< Randomly generated value used to obscure the age of the ticket */
uint8_t MBEDTLS_PRIVATE(resumption_key_len); /*!< resumption_key length */
@@ -1200,10 +1201,10 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_tls13_application_secrets MBEDTLS_PRIVATE(app_secrets);
- uint8_t MBEDTLS_PRIVATE(endpoint); /*!< 0: client, 1: server */
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS)
char *MBEDTLS_PRIVATE(hostname); /*!< host name binded with tickets */
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && MBEDTLS_SSL_SESSION_TICKETS */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
};
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 48a19c9..baf82a6 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -872,6 +872,7 @@
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
ssl->handshake->resume )
@@ -885,14 +886,18 @@
if( hostname_mismatch )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "hostname mismatch the session ticket, should not resume " ) );
+ ( "hostname mismatch the session ticket,"
+ " should not resume " ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
}
else
- mbedtls_ssl_session_set_hostname( ssl->session_negotiate,
- ssl->hostname );
+ {
+ return mbedtls_ssl_session_set_hostname( ssl->session_negotiate,
+ ssl->hostname );
+ }
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
+ MBEDTLS_SSL_SESSION_TICKETS &&
MBEDTLS_SSL_SERVER_NAME_INDICATION */
return( 0 );
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index f20897d..6ba9ad5 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2495,7 +2495,9 @@
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_session_set_hostname( mbedtls_ssl_session *session,
const char *hostname );
#endif
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 062259b..6563b90 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -298,13 +298,14 @@
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
defined(MBEDTLS_SSL_CLI_C)
if( src->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
dst->hostname = NULL;
- mbedtls_ssl_session_set_hostname( dst,
- src->hostname );
+ return mbedtls_ssl_session_set_hostname( dst,
+ src->hostname );
}
#endif
@@ -1973,6 +1974,7 @@
{
unsigned char *p = buf;
#if defined(MBEDTLS_SSL_CLI_C) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
size_t hostname_len = ( session->hostname == NULL ) ?
0 : strlen( session->hostname );
@@ -1995,7 +1997,8 @@
#if defined(MBEDTLS_SSL_CLI_C)
if( session->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
needed += 2 /* hostname_len */
+ hostname_len; /* hostname */
#endif
@@ -2026,7 +2029,9 @@
memcpy( p, session->resumption_key, session->resumption_key_len );
p += session->resumption_key_len;
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_CLI_C)
if( session->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
MBEDTLS_PUT_UINT16_BE( hostname_len, p, 0 );
@@ -2039,7 +2044,9 @@
p += hostname_len;
}
}
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && MBEDTLS_SSL_CLI_C */
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION &&
+ MBEDTLS_SSL_SESSION_TICKETS &&
+ MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
if( session->endpoint == MBEDTLS_SSL_IS_SERVER )
@@ -2099,7 +2106,9 @@
memcpy( session->resumption_key, p, session->resumption_key_len );
p += session->resumption_key_len;
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_CLI_C)
if( session->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
size_t hostname_len;
@@ -2120,7 +2129,9 @@
p += hostname_len;
}
}
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && MBEDTLS_SSL_CLI_C */
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION &&
+ MBEDTLS_SSL_SESSION_TICKETS &&
+ MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
if( session->endpoint == MBEDTLS_SSL_IS_SERVER )
@@ -8862,6 +8873,7 @@
#endif /* MBEDTLS_SSL_ALPN */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
int mbedtls_ssl_session_set_hostname( mbedtls_ssl_session *session,
const char *hostname )
@@ -8904,6 +8916,8 @@
return( 0 );
}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
+ MBEDTLS_SSL_SESSION_TICKETS &&
+ MBEDTLS_SSL_SERVER_NAME_INDICATION */
#endif /* MBEDTLS_SSL_TLS_C */