From b675b2ba5dfc9223b610d066557bf81db077b479 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 27 Aug 2024 09:19:40 +0200
Subject: [PATCH] TLS 1.3: Ignore tickets if disabled at runtime

Signed-off-by: Ronald Cron
---
 library/ssl_msg.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 2bdad848a9..65ad324337 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -5595,11 +5595,17 @@ static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
 if (ssl_tls13_is_new_session_ticket(ssl)) {
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
 MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
- ssl->keep_current_message = 1;
+ if (ssl->conf->new_session_tickets_enabled ==
+ MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED) {
+ ssl->keep_current_message = 1;
 
- mbedtls_ssl_handshake_set_state(ssl,
- MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
- return MBEDTLS_ERR_SSL_WANT_READ;
+ mbedtls_ssl_handshake_set_state(ssl,
+ MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
+ return MBEDTLS_ERR_SSL_WANT_READ;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Ignore NewSessionTicket, disabled."));
+ return 0;
+ }
 #else
 MBEDTLS_SSL_DEBUG_MSG(3, ("Ignore NewSessionTicket, not supported."));
 return 0;
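Review bot: The new `else` branch returns 0 without setting `keep_current_message`, so the post-handshake NewSessionTicket record is consumed and dropped with no state change; that is the intended effect but nothing in the code says so, and the branch only mirrors the `#else` path by coincidence of shape. A short comment above `return 0;` in the runtime-disabled branch would make the contract explicit, e.g. `/* Tickets disabled at runtime: discard the message without advancing the handshake state, exactly as when ticket support is compiled out. */`. The condition tests equality with `MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED`, which makes any other value of `new_session_tickets_enabled` fall into the ignore branch; if that field can only hold the enabled/disabled pair this is fine, but it is worth stating in the same comment so the fail-closed direction is deliberate rather than incidental. The body of `ssl_tls13_handle_hs_message_post_handshake` continues past the end of the hunk.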