Add mbedtls_ssl_conf_enable_new_session_tickets() API
Add mbedtls_ssl_conf_enable_new_session_tickets() API
to be able to enable and disable the handling of TLS 1.3
NewSessionTicket messages.
The TLS 1.2 equivalent function is named
mbedtls_ssl_conf_session_tickets(), so the most
natural name would have been
mbedtls_ssl_conf_new_session_tickets(), but that name is
already used on the server side, hence
mbedtls_ssl_conf_enable_new_session_tickets().
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 466c734..1f07fb3 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -324,6 +324,9 @@
#define MBEDTLS_SSL_SESSION_TICKETS_DISABLED 0
#define MBEDTLS_SSL_SESSION_TICKETS_ENABLED 1
+#define MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED 0
+#define MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED 1
+
#define MBEDTLS_SSL_PRESET_DEFAULT 0
#define MBEDTLS_SSL_PRESET_SUITEB 2
@@ -1447,6 +1450,12 @@
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_SSL_CLI_C)
uint8_t MBEDTLS_PRIVATE(session_tickets); /*!< use session tickets? */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ /** Whether we handle NewSessionTicket TLS 1.3 messages (<>0) or just ignore them (==0)
+ * They are ignored by default.
+ */
+ uint8_t MBEDTLS_PRIVATE(new_session_tickets_enabled);
+#endif
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
@@ -4478,6 +4487,20 @@
* MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
*/
void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/**
+ * \brief Enable / Disable TLS 1.3 handling of NewSessionTicket messages (client and TLS 1.3 only).
+ * (Default: MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED)
+ *
+ * \param conf SSL configuration
+ * \param new_session_tickets_enabled Enable or disable
+ * (MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED or
+ * MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED)
+ */
+void mbedtls_ssl_conf_enable_new_session_tickets(mbedtls_ssl_config *conf,
+ int new_session_tickets_enabled);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#endif /* MBEDTLS_SSL_SESSION_TICKETS &&
MBEDTLS_SSL_CLI_C */
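Review bot: The \brief of mbedtls_ssl_conf_enable_new_session_tickets() says only "Enable / Disable" and does not tell the caller what the two states mean, whereas the field comment in the earlier hunk of this file does ("handle ... or just ignore them"). I would add a sentence after the default line, e.g. `When disabled, NewSessionTicket messages received from the server are ignored; when enabled, they are handled by the client.` Since the setter in library/ssl_tls.c stores the value in a uint8_t, the \param text should also state that any value other than the two named constants is unsupported, or the setter should normalise it.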
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d6077a2..21d70af 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3013,7 +3013,14 @@
{
conf->session_tickets = use_tickets;
}
-#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+void mbedtls_ssl_conf_enable_new_session_tickets(mbedtls_ssl_config *conf,
+ int new_session_tickets_enabled)
+{
+ conf->new_session_tickets_enabled = new_session_tickets_enabled;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SRV_C)
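Review bot: The assignment in mbedtls_ssl_conf_enable_new_session_tickets() stores an int into the uint8_t new_session_tickets_enabled field declared in include/mbedtls/ssl.h, so a non-zero argument whose low byte is zero (e.g. 256) is silently stored as 0, i.e. "disabled", contradicting the field comment which treats any non-zero value as enabled. This mirrors the existing mbedtls_ssl_conf_session_tickets() on the preceding line, but a new API can avoid the trap with `conf->new_session_tickets_enabled = (new_session_tickets_enabled != 0);`. Separately, the new closing comment `#endif /* MBEDTLS_SSL_CLI_C */` names only MBEDTLS_SSL_CLI_C; the matching opening `#if` is outside the hunk, and if it also requires MBEDTLS_SSL_SESSION_TICKETS as the header's guard does, the comment should name both conditions.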
@@ -5879,6 +5886,9 @@
conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ conf->new_session_tickets_enabled = MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED;
+#endif
#endif
}
#endif