From bedddd707a0a36b4052e48be2abffdb6c3c44c45 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 27 Aug 2024 14:18:50 +0200
Subject: [PATCH] Add mbedtls_ssl_conf_enable_new_session_tickets() API

Add mbedtls_ssl_conf_enable_new_session_tickets() API to be able to enable and disable the handling of TLS 1.3 NewSessionTicket messages. The TLS 1.2 equivalent function is named mbedtls_ssl_conf_session_tickets() thus the most natural name would have been mbedtls_ssl_conf_new_session_tickets() but it is already used on server side thus rather mbedtls_ssl_conf_enable_new_session_tickets().

Signed-off-by: Ronald Cron
---
 include/mbedtls/ssl.h | 23 +++++++++++++++++++++++
 library/ssl_tls.c | 12 +++++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 466c734d37..1f07fb3b7d 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -324,6 +324,9 @@
 #define MBEDTLS_SSL_SESSION_TICKETS_DISABLED 0
 #define MBEDTLS_SSL_SESSION_TICKETS_ENABLED 1
 
+#define MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED 0
+#define MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED 1
+
 #define MBEDTLS_SSL_PRESET_DEFAULT 0
 #define MBEDTLS_SSL_PRESET_SUITEB 2
 
@@ -1447,6 +1450,12 @@ struct mbedtls_ssl_config {
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
     defined(MBEDTLS_SSL_CLI_C)
     uint8_t MBEDTLS_PRIVATE(session_tickets); /*!< use session tickets? */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+    /** Whether we handle NewSessionTicket TLS 1.3 messages (<>0) or just ignore them (==0)
+     * They are ignored by default.
+     */
+    uint8_t MBEDTLS_PRIVATE(new_session_tickets_enabled);
+#endif
 #endif
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
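Review bot: The new field comment in the `struct mbedtls_ssl_config` hunk uses `(<>0)` and `(==0)`, which is not C notation and reads oddly next to the `/*!< ... */` style of the `session_tickets` member above it; it also lacks a sentence end before "They are ignored by default." I would write it as `/** Whether TLS 1.3 NewSessionTicket messages are handled (!= 0) or ignored (== 0). Ignored by default. */`. Since the storage is a `uint8_t`, the comment could also state that only 0 and 1 are expected, matching the two new macros in the first hunk. The struct definition itself starts and ends outside this hunk.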
@@ -4478,6 +4487,20 @@ void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order);
  *                      MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
  */
 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/**
+ * \brief Enable / Disable TLS 1.3 handling of NewSessionTicket messages (client and TLS 1.3 only).
+ *        (Default: MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED)
+ *
+ * \param conf SSL configuration
+ * \param new_session_tickets_enabled Enable or disable
+ *        (MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED or
+ *        MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED)
+ */
+void mbedtls_ssl_conf_enable_new_session_tickets(mbedtls_ssl_config *conf,
+                                                 int new_session_tickets_enabled);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d6077a2baa..21d70af772 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3013,7 +3013,14 @@ void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
 {
     conf->session_tickets = use_tickets;
 }
-#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+void mbedtls_ssl_conf_enable_new_session_tickets(mbedtls_ssl_config *conf,
+                                                 int new_session_tickets_enabled)
+{
+    conf->new_session_tickets_enabled = new_session_tickets_enabled;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif /* MBEDTLS_SSL_CLI_C */
 
 #if defined(MBEDTLS_SSL_SRV_C)
 
@@ -5879,6 +5886,9 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
     conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
     conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+    conf->new_session_tickets_enabled = MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED;
+#endif
 #endif
 }
 #endif
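Review bot: The public documentation of `mbedtls_ssl_conf_enable_new_session_tickets()` in the `ssl.h` API hunk never says what "handling" a NewSessionTicket means for the caller, nor what happens when the setting is left at its DISABLED default; the private struct comment in the earlier hunk says such messages are then "just ignored", and that is exactly the fact an integrator deciding whether session resumption will work needs to see here. The declaration also sits inside the `MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C` guard, so the relation to `mbedtls_ssl_conf_session_tickets()` (whether this flag has any effect when that one is disabled) should be stated rather than left for the reader to infer from the preprocessor nesting. I would add `\note When disabled, TLS 1.3 NewSessionTicket messages received from the server are ignored.` and a second note describing the interaction with mbedtls_ssl_conf_session_tickets() once it is confirmed against the message-processing code, which is not in this patch.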
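Review bot: In the `ssl_tls.c` setter hunk, `conf->new_session_tickets_enabled = new_session_tickets_enabled;` stores an `int` into a `uint8_t`, so any value whose low byte is zero (256, for instance) silently lands as DISABLED even though the new struct comment promises that any non-zero value enables handling; a caller that gets this wrong will lose ticket-based resumption with no error. Either normalise at the boundary, `conf->new_session_tickets_enabled = (new_session_tickets_enabled != 0);`, or document in the header that only the two `MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_*` values are accepted; the sibling `mbedtls_ssl_conf_session_tickets()` visible in the context has the same pattern, so whichever choice is made should be applied to both for consistency. Separately, the new `#endif /* MBEDTLS_SSL_CLI_C */` label names only one condition; the matching `#if` is outside the hunk, and if it also tests `MBEDTLS_SSL_SESSION_TICKETS` as the header's guard does, the label should read `/* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */` to match.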