commit b675b2ba5dfc9223b610d066557bf81db077b479
author Ronald Cron <ronald.cron@arm.com> Tue Aug 27 09:19:40 2024 +0200
committer Ronald Cron <ronald.cron@arm.com> Tue Aug 27 15:41:24 2024 +0200
tree 08a998b7da7453ee8d4e2eab7cd52ea6c912da76
parent bedddd707a0a36b4052e48be2abffdb6c3c44c45

TLS 1.3: Ignore tickets if disabled at runtime

Signed-off-by: Ronald Cron <ronald.cron@arm.com>

library/ssl_msg.c

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 2bdad84..65ad324 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -5595,11 +5595,17 @@
         if (ssl_tls13_is_new_session_ticket(ssl)) {
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
             MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
-            ssl->keep_current_message = 1;
+            if (ssl->conf->new_session_tickets_enabled ==
+                MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED) {
+                ssl->keep_current_message = 1;
 
-            mbedtls_ssl_handshake_set_state(ssl,
-                                            MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
-            return MBEDTLS_ERR_SSL_WANT_READ;
+                mbedtls_ssl_handshake_set_state(ssl,
+                                                MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
+                return MBEDTLS_ERR_SSL_WANT_READ;
+            } else {
+                MBEDTLS_SSL_DEBUG_MSG(3, ("Ignore NewSessionTicket, disabled."));
+                return 0;
+            }
 #else
             MBEDTLS_SSL_DEBUG_MSG(3, ("Ignore NewSessionTicket, not supported."));
             return 0;