Merge branch 'development' into issue/6935/ticket_flags-kex-mode-determination
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index b8201f0..87eaa19 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -991,11 +991,32 @@
}
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_ticket_permission_check(mbedtls_ssl_context *ssl,
+ unsigned int kex_mode)
+{
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if (ssl->handshake->resume) {
+ if (!mbedtls_ssl_session_get_ticket_flags(
+ ssl->session_negotiate, kex_mode)) {
+ return 0;
+ }
+ }
+#else
+ ((void) ssl);
+ ((void) kex_mode);
+#endif
+ return 1;
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
+
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_check_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
- return mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl) &&
+ return !ssl->handshake->resume &&
+ mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl) &&
ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);
#else
((void) ssl);
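Review bot: With `!ssl->handshake->resume` added to `ssl_tls13_check_ephemeral_key_exchange`, a resumed handshake whose ticket flags permit neither PSK mode appears to be left with no key exchange mode at all, so it would fail instead of falling back to a full ephemeral handshake. Where `resume` gets set is outside this hunk, so please confirm that outcome is intended and, if it is, say so on that line, e.g. `/* a matched ticket must use a PSK mode; no fallback to pure ephemeral */`. Separately, `ssl_tls13_ticket_permission_check` hands `kex_mode` straight to `mbedtls_ssl_session_get_ticket_flags` as a flag mask and returns 1/0 as a boolean even though it is an `int` marked `MBEDTLS_CHECK_RETURN_CRITICAL`. A short header comment should state that 1 means permitted, that a non-resumed handshake is always permitted, and that the key-exchange-mode constants are assumed to share bit values with the ticket permission flags. The body of `ssl_tls13_check_ephemeral_key_exchange` continues past the end of the hunk.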
@@ -1007,7 +1028,9 @@
static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
- return mbedtls_ssl_conf_tls13_psk_enabled(ssl) &&
+ return ssl_tls13_ticket_permission_check(
+ ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) &&
+ mbedtls_ssl_conf_tls13_psk_enabled(ssl) &&
mbedtls_ssl_tls13_psk_enabled(ssl) &&
ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl);
#else
@@ -1020,7 +1043,9 @@
static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
- return mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl) &&
+ return ssl_tls13_ticket_permission_check(
+ ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) &&
+ mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl) &&
mbedtls_ssl_tls13_psk_ephemeral_enabled(ssl) &&
ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl);
#else
diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index f30384d..cd01355 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -351,7 +351,8 @@
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
- -s "found matched identity"
+ -s "found matched identity" \
+ -s "key exchange mode: psk$"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
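Review bot: The added `-s "key exchange mode: ..."` assertions only pin the positive outcome for pre-configured PSKs, so nothing in the visible hunks exercises the denial path of the new ticket permission check, i.e. a resumed session whose ticket flags do not allow the offered mode. A case with such a ticket that asserts the intended server outcome (presumably `-s "No suitable key exchange mode"`, to be confirmed) would cover it. Also, `"key exchange mode: psk$"` is anchored while `"key exchange mode: psk_ephemeral"` in the hunks at -423, -435, -478 and -491 is not; writing `-s "key exchange mode: psk_ephemeral$"` there keeps the patterns consistent and rejects any longer mode name. Each test case definition starts before its hunk.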
@@ -379,7 +380,8 @@
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
- -s "found matched identity"
+ -s "found matched identity" \
+ -s "key exchange mode: psk$"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
@@ -423,7 +425,8 @@
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
- -s "found matched identity"
+ -s "found matched identity" \
+ -s "key exchange mode: psk_ephemeral"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
@@ -435,7 +438,8 @@
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
- -s "found matched identity"
+ -s "found matched identity" \
+ -s "key exchange mode: psk_ephemeral"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
@@ -465,7 +469,8 @@
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
- -s "found matched identity"
+ -s "found matched identity" \
+ -s "key exchange mode: psk$"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
@@ -478,7 +483,8 @@
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
- -s "found matched identity"
+ -s "found matched identity" \
+ -s "key exchange mode: psk_ephemeral"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
@@ -491,5 +497,6 @@
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
- -s "found matched identity"
+ -s "found matched identity" \
+ -s "key exchange mode: psk_ephemeral"