commit 3eb49be6a86bc401e96715919c59e1e9563c960d
author Pengyu Lv <pengyu.lv@arm.com> Mon Dec 05 16:35:12 2022 +0800
committer Pengyu Lv <pengyu.lv@arm.com> Fri Jan 13 11:05:55 2023 +0800
tree 93de3b6b6283134d864975b5d886a75950781209
parent c7af2c4f8c34b608136cc74d80b09566ed858a44

move kex mode check in ticket_flags to psks_check_identity_match_ticket

Move the kex mode check in ticket_flags to
ssl_tls13_offered_psks_check_identity_match_ticket and add new error
'MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE' to indicate the check
failure.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>

include/mbedtls/ssl.h

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 661b23c..9b34e4f 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -96,7 +96,8 @@
 /* Error space gap */
 /** Processing of the Certificate handshake message failed. */
 #define MBEDTLS_ERR_SSL_BAD_CERTIFICATE                   -0x7A00
-/* Error space gap */
+/** The kex mode allowed by ticket is not supported by client */
+#define MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE           -0x7A80
 /**
  * Received NewSessionTicket Post Handshake Message.
  * This error code is experimental and may be changed or removed without notice.

library/ssl_tls13_server.c

diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 2d2ad61..4ebd679 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -161,6 +161,25 @@
         goto exit;
     }
 
+    /* RFC 8446 section 4.2.9
+     *
+     * Servers SHOULD NOT send NewSessionTicket with tickets that are not
+     * compatible with the advertised modes; however, if a server does so,
+     * the impact will just be that the client's attempts at resumption fail.
+     *
+     * We regard the ticket with incompatible key exchange modes as not match.
+     */
+    ret = MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE;
+    MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4,
+                                   session->ticket_flags);
+    if (mbedtls_ssl_tls13_check_kex_modes(ssl,
+                                          mbedtls_ssl_tls13_session_get_ticket_flags(session,
+                                                                                     MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL)))
+    {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode"));
+        goto exit;
+    }
+
     ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
 #if defined(MBEDTLS_HAVE_TIME)
     now = mbedtls_time(NULL);
@@ -249,24 +268,6 @@
     if (ssl_tls13_offered_psks_check_identity_match_ticket(
             ssl, identity, identity_len, obfuscated_ticket_age,
             session) == SSL_TLS1_3_OFFERED_PSK_MATCH) {
-        /* RFC 8446 section 4.2.9
-         *
-         * Servers SHOULD NOT send NewSessionTicket with tickets that are not
-         * compatible with the advertised modes; however, if a server does so,
-         * the impact will just be that the client's attempts at resumption fail.
-         *
-         * We regard the ticket with incompatible key exchange modes as not match.
-         */
-        MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4,
-                                       session->ticket_flags);
-        if (mbedtls_ssl_tls13_check_kex_modes(ssl,
-                                              mbedtls_ssl_tls13_session_get_ticket_flags(session,
-                                                                                         MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL)))
-        {
-            MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode"));
-            return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
-        }
-
         ssl->handshake->resume = 1;
         *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
         mbedtls_ssl_set_hs_psk(ssl,