From d67f801c63977dcd1f5876615f46d8f59ba51eff Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Wed, 28 Aug 2024 07:45:57 +0200
Subject: [PATCH] Do not add a new field in the SSL config

We cannot add a new field in SSL config in
an LTS. Use `session_tickets` field instead.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 include/mbedtls/ssl.h                | 43 +++++++++++++++++++---------
 library/ssl_msg.c                    |  4 +--
 library/ssl_tls.c                    | 38 ++++++++++++++++++++----
 library/ssl_tls12_client.c           |  6 ++--
 programs/ssl/ssl_client2.c           |  2 +-
 tests/src/test_helpers/ssl_helpers.c |  2 +-
 6 files changed, 70 insertions(+), 25 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index ed3489fa88..2eb4f9cd53 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -332,8 +332,8 @@
 #define MBEDTLS_SSL_SESSION_TICKETS_DISABLED     0
 #define MBEDTLS_SSL_SESSION_TICKETS_ENABLED      1
 
-#define MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED  0
-#define MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED   1
+#define MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED  0
+#define MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED   1
 
 #define MBEDTLS_SSL_PRESET_DEFAULT              0
 #define MBEDTLS_SSL_PRESET_SUITEB               2
@@ -1458,12 +1458,6 @@ struct mbedtls_ssl_config {
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
     defined(MBEDTLS_SSL_CLI_C)
     uint8_t MBEDTLS_PRIVATE(session_tickets);   /*!< use session tickets? */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    /** Whether we handle NewSessionTicket TLS 1.3 messages (<>0) or just ignore them (==0)
-     *  They are ignored by default.
-     */
-    uint8_t MBEDTLS_PRIVATE(new_session_tickets_enabled);
-#endif
 #endif
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
@@ -4485,8 +4479,8 @@ void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order);
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
     defined(MBEDTLS_SSL_CLI_C)
 /**
- * \brief          Enable / Disable session tickets (client only).
- *                 (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.)
+ * \brief          Enable / Disable TLS 1.2 session tickets (client and TLS 1.2 only).
+ *                 Disabled by default.
  *
  * \note           On server, use \c mbedtls_ssl_conf_session_tickets_cb().
  *
@@ -4496,6 +4490,16 @@ void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order);
  */
 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets);
 
+/**
+ * \brief          Get if TLS 1.2 session tickets usage is enabled or not
+ *
+ * \param conf     SSL configuration
+ *
+ * \return         MBEDTLS_SSL_SESSION_TICKETS_ENABLED or
+ *                 MBEDTLS_SSL_SESSION_TICKETS_DISABLED
+ */
+int mbedtls_ssl_conf_get_session_tickets(const mbedtls_ssl_config *conf);
+
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 /**
  * \brief Enable / Disable handling of TLS 1.3 NewSessionTicket messages (client and TLS 1.3 only).
@@ -4525,12 +4529,23 @@ void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
  *        error code are then failing.
  *
  * \param conf  SSL configuration
- * \param new_session_tickets_enabled  Enable or disable
- *                                     (MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED or
- *                                      MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED)
+ * \param use_new_session_tickets Enable or disable
+ *                                (MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED or
+ *                                 MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED)
  */
 void mbedtls_ssl_conf_enable_new_session_tickets(mbedtls_ssl_config *conf,
-                                                 int new_session_tickets_enabled);
+                                                 int use_new_session_tickets);
+
+/**
+ * \brief          Get if usage of TLS 1.3 NewSessionTicket messages is enabled or not
+ *
+ * \param conf     SSL configuration
+ *
+ * \return         MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED or
+ *                 MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED
+ */
+int mbedtls_ssl_conf_is_new_session_tickets_enabled(const mbedtls_ssl_config *conf);
+
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 #endif /* MBEDTLS_SSL_SESSION_TICKETS &&
           MBEDTLS_SSL_CLI_C */
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 65ad324337..58063c7f11 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -5595,8 +5595,8 @@ static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
         if (ssl_tls13_is_new_session_ticket(ssl)) {
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
             MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
-            if (ssl->conf->new_session_tickets_enabled ==
-                MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED) {
+            if (mbedtls_ssl_conf_is_new_session_tickets_enabled(ssl->conf) ==
+                MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED) {
                 ssl->keep_current_message = 1;
 
                 mbedtls_ssl_handshake_set_state(ssl,
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 21d70af772..89588a4787 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3009,15 +3009,43 @@ void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
 #if defined(MBEDTLS_SSL_CLI_C)
+
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT 0
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT 1
+
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK \
+    (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT)
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \
+    (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT)
+
 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
 {
-    conf->session_tickets = use_tickets;
+    conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK;
+    conf->session_tickets |= (use_tickets != 0) <<
+                             MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT;
 }
+
+int mbedtls_ssl_conf_get_session_tickets(const mbedtls_ssl_config *conf)
+{
+    return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK ?
+           MBEDTLS_SSL_SESSION_TICKETS_ENABLED :
+           MBEDTLS_SSL_SESSION_TICKETS_DISABLED;
+}
+
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 void mbedtls_ssl_conf_enable_new_session_tickets(mbedtls_ssl_config *conf,
-                                                 int new_session_tickets_enabled)
+                                                 int use_new_session_tickets)
 {
-    conf->new_session_tickets_enabled = new_session_tickets_enabled;
+    conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK;
+    conf->session_tickets |= (use_new_session_tickets != 0) <<
+                             MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT;
+}
+
+int mbedtls_ssl_conf_is_new_session_tickets_enabled(const mbedtls_ssl_config *conf)
+{
+    return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK ?
+           MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED :
+           MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED;
 }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 #endif /* MBEDTLS_SSL_CLI_C */
@@ -5885,9 +5913,9 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
     if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
         conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
-        conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
+        mbedtls_ssl_conf_session_tickets(conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-        conf->new_session_tickets_enabled = MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_DISABLED;
+        mbedtls_ssl_conf_enable_new_session_tickets(conf, MBEDTLS_SSL_NEW_SESSION_TICKETS_DISABLED);
 #endif
 #endif
     }
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index eac6a3aadd..9b2da5a39d 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -364,7 +364,8 @@ static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
 
     *olen = 0;
 
-    if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
+    if (mbedtls_ssl_conf_get_session_tickets(ssl->conf) ==
+        MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
         return 0;
     }
 
@@ -787,7 +788,8 @@ static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         size_t len)
 {
-    if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
+    if ((mbedtls_ssl_conf_get_session_tickets(ssl->conf) ==
+         MBEDTLS_SSL_SESSION_TICKETS_DISABLED) ||
         len != 0) {
         MBEDTLS_SSL_DEBUG_MSG(1,
                               ("non-matching session ticket extension"));
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 2ae715b4b4..7029e2677a 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -82,7 +82,7 @@ int main(void)
 #define DFL_CID_VALUE_RENEGO    NULL
 #define DFL_RECONNECT_HARD      0
 #define DFL_TICKETS             MBEDTLS_SSL_SESSION_TICKETS_ENABLED
-#define DFL_NEW_SESSION_TICKETS MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED
+#define DFL_NEW_SESSION_TICKETS MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED
 #define DFL_ALPN_STRING         NULL
 #define DFL_GROUPS              NULL
 #define DFL_SIG_ALGS            NULL
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 7d5d889ce3..b0fe2bdf1e 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -2544,7 +2544,7 @@ int mbedtls_test_get_tls13_ticket(
     TEST_EQUAL(ret, 0);
 
     mbedtls_ssl_conf_enable_new_session_tickets(
-        &client_ep.conf, MBEDTLS_SSL_ENABLE_NEW_SESSION_TICKETS_ENABLED);
+        &client_ep.conf, MBEDTLS_SSL_NEW_SESSION_TICKETS_ENABLED);
 
     mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
                                         mbedtls_test_ticket_write,