diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7d371bf1a..8fc4d4da1 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8951,6 +8951,7 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert * opaque ticket<0..2^24-1>; // length 0 means no ticket * uint32 ticket_lifetime; + * uint64 ticket_creation_time; * uint8 mfl_code; // up to 255 according to standard * uint8 encrypt_then_mac; // 0 or 1 * } serialized_session_tls12; @@ -9058,7 +9059,8 @@ static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, /* * Session ticket if any, plus associated data */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_CLI_C) if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */ @@ -9076,7 +9078,18 @@ static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, p += 4; } } -#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_CLI_C */ +#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) + if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { + used += 8; + + if (used <= buf_len) { + MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0); + p += 8; + } + } +#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ /* * Misc extension-related info @@ -9242,7 +9255,8 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session, /* * Session ticket and associated data */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_CLI_C) if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { if (3 > (size_t) (end - p)) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; @@ -9272,7 +9286,17 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session, session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); p += 4; } -#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_CLI_C */ +#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) + if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { + if (8 > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0); + p += 8; + } +#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ /* * Misc extension-related info diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 8f20fa6d4..c0c5ca4bb 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -1639,6 +1639,8 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, int endpoint_type, const char *crt_file) { + (void) ticket_len; + #if defined(MBEDTLS_HAVE_TIME) session->start = mbedtls_time(NULL) - 42; #endif @@ -1710,7 +1712,8 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED && MBEDTLS_FS_IO */ session->verify_result = 0xdeadbeef; -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_CLI_C) if (ticket_len != 0) { session->ticket = mbedtls_calloc(1, ticket_len); if (session->ticket == NULL) { @@ -1720,9 +1723,14 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, } session->ticket_len = ticket_len; session->ticket_lifetime = 86401; -#else - (void) ticket_len; +#endif /* MBEDTLS_SSL_CLI_C */ + +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_HAVE_TIME) + if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { + session->ticket_creation_time = mbedtls_ms_time() - 42; + } #endif +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) session->mfl_code = 1; diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index b116705b1..bcddba2a0 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1972,26 +1972,13 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, * Make sure both session structures are identical */ #if defined(MBEDTLS_HAVE_TIME) - switch (tls_version) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SRV_C) - case MBEDTLS_SSL_VERSION_TLS1_3: - TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time); - break; -#endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - case MBEDTLS_SSL_VERSION_TLS1_2: - TEST_ASSERT(original.start == restored.start); - break; -#endif - - default: - /* should never happen */ - TEST_ASSERT(0); - break; + if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { + TEST_ASSERT(original.start == restored.start); } - - +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C) + TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time); #endif +#endif /* MBEDTLS_HAVE_TIME */ TEST_ASSERT(original.tls_version == restored.tls_version); TEST_ASSERT(original.endpoint == restored.endpoint); @@ -2070,11 +2057,6 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, original.max_early_data_size == restored.max_early_data_size); #endif -#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) - if (endpoint_type == MBEDTLS_SSL_IS_SERVER) { - TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time); - } -#endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) if (endpoint_type == MBEDTLS_SSL_IS_CLIENT) { #if defined(MBEDTLS_HAVE_TIME)