Address review comments
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 27dd8aa..030236a 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -671,10 +671,14 @@
#error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
#endif
-#if ( defined(MBEDTLS_SSL_SESSION_TICKETS) || \
- defined(MBEDTLS_SSL_SESSION_CACHE) ) && \
- !defined(MBEDTLS_SSL_SESSION_RESUMPTION)
-#error "MBEDTLS_SSL_SESSION_TICKETS/MBEDTLS_SSL_SESSION_CACHE cannot be defined without MBEDTLS_SSL_SESSION_RESUMPTION"
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
+#error "MBEDTLS_SSL_SESSION_TICKETS cannot be defined with MBEDTLS_SSL_NO_SESSION_RESUMPTION"
+#endif
+
+#if !defined(MBEDTLS_SSL_NO_SESSION_CACHE) && \
+ defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
+#error "MBEDTLS_NO_SESSION_CACHE needs to be defined with MBEDTLS_SSL_NO_SESSION_RESUMPTION"
#endif
#if defined(MBEDTLS_THREADING_PTHREAD)
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index cfb2094..5f2028a 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1664,34 +1664,60 @@
* tickets, including authenticated encryption and key management. Example
* callbacks are provided by MBEDTLS_SSL_TICKET_C.
*
- * Requires: MBEDTLS_SSL_SESSION_RESUMPTION
+ * Requires: !MBEDTLS_SSL_NO_SESSION_RESUMPTION
*
* Comment this macro to disable support for SSL session tickets
*/
-#define MBEDTLS_SSL_SESSION_TICKETS
+//#define MBEDTLS_SSL_SESSION_TICKETS
/**
- * \def MBEDTLS_SSL_SESSION_CACHE
+ * \def MBEDTLS_SSL_NO_SESSION_CACHE
*
- * Enable support for cache based session resumption.
+ * Disable support for cache based session resumption.
*
- * Requires: MBEDTLS_SSL_SESSION_RESUMPTION
+ * This option is only about the server-side support of the session caches.
+ * Client will only need the MBEDTLS_SSL_SESSION_RESUMPTION to support
+ * cache based session resumption.
*
- * Comment this macro to disable support for SSL session cache
+ * Server-side, you also need to provide callbacks for storing and reading
+ * sessions from cache. Example callbacks are provided by MBEDTLS_SSL_CACHE_C.
+ *
+ * If MBEDTLS_SSL_NO_SESSION_RESUMPTION is defined, this needs to be defined
+ * as well.
+ *
+ * Uncomment this macro to disable support for SSL session cache
*/
-#define MBEDTLS_SSL_SESSION_CACHE
+#define MBEDTLS_SSL_NO_SESSION_CACHE
/**
- * \def MBEDTLS_SSL_SESSION_RESUMPTION
+ * \def MBEDTLS_SSL_NO_SESSION_RESUMPTION
*
- * Enable support for session resumption. This is the main feature flag and
- * enabling this allow to enable following flags:
- * MBEDTLS_SSL_SESSION_TICKETS
- * MBEDTLS_SSL_SESSION_CACHE
+ * Disable support for session resumption. This is useful in constrained
+ * devices where session resumption isn't used.
*
- * Comment this macro to disable support for SSL session resumption
+ * \note Session resumption is part of the TLS standard, disabling this
+ * option means that the full implementation of the standard is no longer
+ * used. This shouldn't cause any interoperability issues as by the standard
+ * mandates that peers who want to resume a session need to be prepared to
+ * fall back to a full handshake.
+ *
+ * When this flag is enabled, following needs to be true:
+ * MBEDTLS_SSL_NO_SESSION_CACHE enabled
+ * MBEDTLS_SSL_SESSION_TICKETS disabled
+ *
+ * Client-side, this is enough to enable support for cache-based session
+ * resumption (as defined by the TLS standard); for ticket-based resumption
+ * you'll also need to enable MBEDTLS_SSL_SESSION_TICKETS.
+ *
+ * Server-side, this option is only useful in conjunction with at least
+ * one of `!MBEDTLS_SSL_NO_SESSION_CACHE` or `MBEDTLS_SSL_SESSION_TICKETS`.
+ * Each one of these additionally requires an implementation of the cache
+ * or tickets, examples of which are provided by `MBEDTLS_SSL_CACHE_C`
+ * and `MBEDTLS_SSL_TICKETS_C` respectively.
+ *
+ * Uncomment this macro to disable support for SSL session resumption
*/
-#define MBEDTLS_SSL_SESSION_RESUMPTION
+#define MBEDTLS_SSL_NO_SESSION_RESUMPTION
/**
* \def MBEDTLS_SSL_EXPORT_KEYS
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 4471a24..716f35a 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -906,13 +906,13 @@
int (*f_rng)(void *, unsigned char *, size_t);
void *p_rng; /*!< context for the RNG function */
-#if defined(MBEDTLS_SSL_SESSION_CACHE)
+#if !defined(MBEDTLS_SSL_NO_SESSION_CACHE)
/** Callback to retrieve a session from the cache */
int (*f_get_cache)(void *, mbedtls_ssl_session *);
/** Callback to store a session into the cache */
int (*f_set_cache)(void *, const mbedtls_ssl_session *);
void *p_cache; /*!< context for cache callbacks */
-#endif
+#endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
/** Callback for setting cert according to SNI extension */
@@ -2131,7 +2131,7 @@
void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max );
#endif /* MBEDTLS_SSL_PROTO_DTLS */
-#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_CACHE)
+#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_NO_SESSION_CACHE)
/**
* \brief Set the session cache callbacks (server-side only)
* If not set, no session resuming is done (except if session
@@ -2173,9 +2173,9 @@
void *p_cache,
int (*f_get_cache)(void *, mbedtls_ssl_session *),
int (*f_set_cache)(void *, const mbedtls_ssl_session *) );
-#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_SESSION_CACHE */
+#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_NO_SESSION_CACHE */
-#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_CACHE)
+#if defined(MBEDTLS_SSL_CLI_C) && !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
/**
* \brief Request resumption of session (client-side only)
* Session data is copied from presented session structure.
@@ -2191,7 +2191,7 @@
* \sa mbedtls_ssl_get_session()
*/
int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session );
-#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_CACHE */
+#endif /* MBEDTLS_SSL_CLI_C && !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
/**
* \brief Load serialized session data into a session structure.
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 4399943..cca71e7 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -509,9 +509,9 @@
unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
/*!< premaster secret */
-#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
+#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
int resume; /*!< session resume indicator*/
-#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
+#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
int max_major_ver; /*!< max. major version client*/
int max_minor_ver; /*!< max. minor version client*/
int cli_exts; /*!< client extension presence*/