Revert "move ciphersuite validation to set_session"
This reverts commit 19ae6f62c7a4e6cf14bf61fcb6ea070d34e70f2a.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 2a9868a..73a854d 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -848,6 +848,7 @@
defined(MBEDTLS_HAVE_TIME)
/* Check if a tls13 ticket has been configured. */
if( ssl->session_negotiate->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+ ssl->handshake->resume != 0 &&
ssl->session_negotiate != NULL &&
ssl->session_negotiate->ticket != NULL )
{
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 0450b3d..afacb76 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1911,10 +1911,6 @@
size_t *out_len );
#endif /* MBEDTLS_ECDH_C */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl,
- int ciphersuite,
- psa_algorithm_t *psa_alg );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 892a868..616df07 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1373,15 +1373,6 @@
if( ssl->handshake->resume == 1 )
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if( session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
- ( ( ret = mbedtls_ssl_tls13_ciphersuite_to_alg(
- ssl, session->ciphersuite, NULL ) ) != 0 ) )
- {
- return( ret );
- }
-#endif
-
if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,
session ) ) != 0 )
return( ret );
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 7b85c70..b0c2a3f 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -668,19 +668,17 @@
static psa_algorithm_t ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl,
int ciphersuite )
{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
- psa_algorithm_t psa_alg;
- if( mbedtls_ssl_tls13_ciphersuite_to_alg(
- ssl, ciphersuite, &psa_alg ) != 0 )
+ if( mbedtls_ssl_validate_ciphersuite(
+ ssl, ciphersuite_info,
+ MBEDTLS_SSL_VERSION_TLS1_3,
+ MBEDTLS_SSL_VERSION_TLS1_3 ) == 0 )
{
- /* ciphersuite is `ssl->session_negotiate->ciphersuite` or
- * PSA_ALG_SHA256, both are validated before writting pre_shared_key.
- */
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "should never happen" ) );
- return( PSA_ALG_NONE );
+ return( mbedtls_psa_translate_md( ciphersuite_info->mac ) );
}
-
- return( psa_alg );
+ return( PSA_ALG_NONE );
}
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 56841c4..abb7a14 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1485,36 +1485,4 @@
}
#endif /* MBEDTLS_ECDH_C */
-int mbedtls_ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl,
- int ciphersuite,
- psa_algorithm_t *psa_alg )
-{
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
- psa_algorithm_t alg;
-
- ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
- if( psa_alg )
- *psa_alg = PSA_ALG_NONE;
-
- if( mbedtls_ssl_validate_ciphersuite(
- ssl, ciphersuite_info,
- MBEDTLS_SSL_VERSION_TLS1_3,
- MBEDTLS_SSL_VERSION_TLS1_3 ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 4, ( "%d is not valid.", ciphersuite ) );
- return( MBEDTLS_ERR_SSL_INVALID_MAC );
- }
-
- alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
- if( alg == PSA_ALG_NONE )
- {
- MBEDTLS_SSL_DEBUG_MSG( 4, ( "%d is not valid.", ciphersuite ) );
- return( MBEDTLS_ERR_SSL_INVALID_MAC );
- }
-
- if( psa_alg )
- *psa_alg = alg;
- return( 0 );
-}
-
#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */