fix various issues

- fix CI failure due to wrong usage of ticket_lifetime - Improve document and comments Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2025-08-01 10:06:53 +03:00 · 2023-11-14 11:06:52 +08:00
parent 342a555eef
commit cf9135100e
7 changed files with 20 additions and 27 deletions
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -2766,8 +2766,6 @@ int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,

 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)

-#define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800)
-
 static inline unsigned int mbedtls_ssl_session_get_ticket_flags(
    mbedtls_ssl_session *session, unsigned int flags)
 {
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -2457,7 +2457,7 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
 *       uint32 max_early_data_size;
 *       select ( endpoint ) {
 *            case client: ClientOnlyData;
- *            case server: uint64 ticket_creation_time_time;
+ *            case server: uint64 ticket_creation_time;
 *        };
 *     } serialized_session_tls13;
 *
@ -2492,7 +2492,7 @@ static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
 #endif

 #if defined(MBEDTLS_HAVE_TIME)
-    needed += 8; /* start_time or ticket_reception_time */
+    needed += 8; /* ticket_creation_time or ticket_reception_time */
 #endif

 #if defined(MBEDTLS_SSL_CLI_C)
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@ -933,7 +933,7 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
 #if defined(MBEDTLS_HAVE_TIME)
        mbedtls_ms_time_t now = mbedtls_ms_time();
        mbedtls_ssl_session *session = ssl->session_negotiate;
-        /* The ticket age has been checked to be smaller that the
+        /* The ticket age has been checked to be smaller than the
         * `ticket_lifetime` in ssl_prepare_client_hello() which is smaller than
         * 7 days (enforced in ssl_tls13_parse_new_session_ticket()) . Thus the
         * cast to `uint32_t` of the ticket age is safe. */
@ -2748,11 +2748,9 @@ static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
    MBEDTLS_SSL_DEBUG_MSG(3,
                          ("ticket_lifetime: %u",
                           (unsigned int) session->ticket_lifetime));
-    if (session->ticket_lifetime >
-        MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
-        /* TODO: Add new return value here? */
+    if (session->ticket_lifetime > 604800) {
        MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));
-        return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
    }

    session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@ -3025,8 +3025,8 @@ static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
     *      MAY treat a ticket as valid for a shorter period of time than what
     *      is stated in the ticket_lifetime.
     */
-    if (ticket_lifetime > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
-        ticket_lifetime = MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME;
+    if (ticket_lifetime > 604800) {
+        ticket_lifetime = 604800;
    }
    MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0);
    MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u",