diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index afacb76f01..0450b3d77f 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1911,6 +1911,10 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
 size_t *out_len );
 #endif /* MBEDTLS_ECDH_C */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl,
+ int ciphersuite,
+ psa_algorithm_t *psa_alg );
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 616df07de8..892a868482 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1373,6 +1373,15 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session
 if( ssl->handshake->resume == 1 )
 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if( session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+ ( ( ret = mbedtls_ssl_tls13_ciphersuite_to_alg(
+ ssl, session->ciphersuite, NULL ) ) != 0 ) )
+ {
+ return( ret );
+ }
+#endif
+
 if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
 return( ret );
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 67ecdc9591..8f932d9394 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
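Review bot: The new prototype for `mbedtls_ssl_tls13_ciphersuite_to_alg` in library/ssl_misc.h has no contract comment, and its behaviour is not obvious from the signature. The definition in library/ssl_tls13_generic.c accepts a NULL `psa_alg`, which `mbedtls_ssl_set_session` uses as a validate-only call, and it sets `*psa_alg` to `PSA_ALG_NONE` on failure. I would add a short comment above the declaration stating that it returns 0 when the ciphersuite is valid for TLS 1.3 and its hash can be translated, a negative error code otherwise, and that `psa_alg` may be NULL when only validation is wanted.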
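Review bot: The added check in `mbedtls_ssl_set_session` becomes the only visible place where a saved TLS 1.3 session's ciphersuite is validated, because the same commit drops the test from `ssl_tls13_has_configured_ticket` in library/ssl_tls13_client.c and the wrapper there treats a failure as "should never happen". That holds only if every path that fills `ssl->session_negotiate` with a ticket goes through this function, which cannot be confirmed from the hunk; the function body starts and ends outside it. I would record the dependency in a comment above the `#if`, for example `/* Validate here: the TLS 1.3 client assumes session_negotiate->ciphersuite has a usable hash when it writes pre_shared_key. */`.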
@@ -668,17 +668,19 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
 static psa_algorithm_t ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl, int ciphersuite )
 {
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
- ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
- if( mbedtls_ssl_validate_ciphersuite(
- ssl, ciphersuite_info,
- MBEDTLS_SSL_VERSION_TLS1_3,
- MBEDTLS_SSL_VERSION_TLS1_3 ) == 0 )
+ psa_algorithm_t psa_alg;
+ if( mbedtls_ssl_tls13_ciphersuite_to_alg(
+ ssl, ciphersuite, &psa_alg ) != 0 )
 {
- return( mbedtls_psa_translate_md( ciphersuite_info->mac ) );
+ /* ciphersuite is `ssl->session_negotiate->ciphersuite` or
+ * PSA_ALG_SHA256, both are validated before writting pre_shared_key.
+ */
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "should never happen" ) );
+ return( PSA_ALG_NONE );
 }
- return( PSA_ALG_NONE );
+
+ return( psa_alg );
 }
 static int ssl_tls13_has_configured_psk( mbedtls_ssl_context *ssl )
@@ -695,9 +697,7 @@ static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
 mbedtls_ssl_session *session = ssl->session_negotiate;
 return( session != NULL &&
- session->ticket != NULL &&
- ssl_tls13_ciphersuite_to_alg( ssl,
- ssl->session_negotiate->ciphersuite ) != PSA_ALG_NONE );
+ session->ticket != NULL );
 #else
 ((void) ssl);
 return( 0 );
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index abb7a14816..56841c4ed1 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
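Review bot: The defensive branch in `ssl_tls13_ciphersuite_to_alg` logs only the fixed string "should never happen" at level 2 before returning `PSA_ALG_NONE`. A violated invariant therefore cannot be traced to a ciphersuite in the log and is silent in a build without debug output; the callers that must handle `PSA_ALG_NONE` are outside the hunk. Logging the offending value would make it diagnosable, for example `MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected invalid ciphersuite %d", ciphersuite ) );`. The comment above it also reads as if a ciphersuite id could be `PSA_ALG_SHA256`, which is a hash algorithm, and misspells `writing`.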
@@ -1485,4 +1485,36 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
 }
 #endif /* MBEDTLS_ECDH_C */
+int mbedtls_ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl,
+ int ciphersuite,
+ psa_algorithm_t *psa_alg )
+{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
+ psa_algorithm_t alg;
+
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
+ if( psa_alg )
+ *psa_alg = PSA_ALG_NONE;
+
+ if( mbedtls_ssl_validate_ciphersuite(
+ ssl, ciphersuite_info,
+ MBEDTLS_SSL_VERSION_TLS1_3,
+ MBEDTLS_SSL_VERSION_TLS1_3 ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "%d is not valid.", ciphersuite ) );
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );
+ }
+
+ alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
+ if( alg == PSA_ALG_NONE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "%d is not valid.", ciphersuite ) );
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );
+ }
+
+ if( psa_alg )
+ *psa_alg = alg;
+ return( 0 );
+}
+
 #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
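Review bot: Both failure paths of `mbedtls_ssl_tls13_ciphersuite_to_alg` return `MBEDTLS_ERR_SSL_INVALID_MAC`, which elsewhere in Mbed TLS signals that a record's MAC failed verification. Since `mbedtls_ssl_set_session` now propagates this value, an application or log monitor would see a rejected saved session reported as a message-integrity failure. A code that describes bad caller input fits better, for example `return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );`. The two branches also emit the identical message `"%d is not valid."`, so the log cannot tell an unsupported ciphersuite from a hash that cannot be translated. The `ciphersuite_info->mac` dereference relies on `mbedtls_ssl_validate_ciphersuite` rejecting a NULL info for an unknown id, which is not visible in this hunk.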