fix various issues
- fix CI failure due to wrong usage of ticket_lifetime
- Improve documentation and comments
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index c636ad4..2d2504b 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2766,8 +2766,6 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-#define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800)
-
static inline unsigned int mbedtls_ssl_session_get_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags)
{
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 2a52047..944caa0 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2457,7 +2457,7 @@
* uint32 max_early_data_size;
* select ( endpoint ) {
* case client: ClientOnlyData;
- * case server: uint64 ticket_creation_time_time;
+ * case server: uint64 ticket_creation_time;
* };
* } serialized_session_tls13;
*
@@ -2492,7 +2492,7 @@
#endif
#if defined(MBEDTLS_HAVE_TIME)
- needed += 8; /* start_time or ticket_reception_time */
+ needed += 8; /* ticket_creation_time or ticket_reception_time */
#endif
#if defined(MBEDTLS_SSL_CLI_C)
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index bb688b7..e7a4aef 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -933,7 +933,7 @@
#if defined(MBEDTLS_HAVE_TIME)
mbedtls_ms_time_t now = mbedtls_ms_time();
mbedtls_ssl_session *session = ssl->session_negotiate;
- /* The ticket age has been checked to be smaller that the
+ /* The ticket age has been checked to be smaller than the
* `ticket_lifetime` in ssl_prepare_client_hello() which is smaller than
* 7 days (enforced in ssl_tls13_parse_new_session_ticket()) . Thus the
* cast to `uint32_t` of the ticket age is safe. */
@@ -2748,11 +2748,9 @@
MBEDTLS_SSL_DEBUG_MSG(3,
("ticket_lifetime: %u",
(unsigned int) session->ticket_lifetime));
- if (session->ticket_lifetime >
- MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
- /* TODO: Add new return value here? */
+ if (session->ticket_lifetime > 604800) {
MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);
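Review bot: The 7-day bound now appears as the bare literal 604800 in `if (session->ticket_lifetime > 604800) {` here and twice more in the ssl_tls13_server.c hunk, after the commit removes MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME from ssl_misc.h; a magic number that encodes the RFC 8446 Section 4.6.1 limit is easy to mistype or let drift between the client check and the server clamp. If a shared macro is not wanted, keep a file-local constant or at least annotate each use, e.g. `if (session->ticket_lifetime > 604800) { /* 7 days, RFC 8446 4.6.1 */`. The return value is changed to MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER without pending an alert; if the rest of this parser reports malformed NewSessionTicket fields through MBEDTLS_SSL_PEND_FATAL_ALERT before returning, this path should presumably do the same so the peer sees illegal_parameter rather than an unexplained close — confirm against the surrounding code. The enclosing function starts and ends outside this hunk.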
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index c9c0e1f..465bf99 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -3025,8 +3025,8 @@
* MAY treat a ticket as valid for a shorter period of time than what
* is stated in the ticket_lifetime.
*/
- if (ticket_lifetime > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
- ticket_lifetime = MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME;
+ if (ticket_lifetime > 604800) {
+ ticket_lifetime = 604800;
}
MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0);
MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u",