Fix and improve documentation, comments and logs

Signed-off-by: Ronald Cron <ronald.cron@arm.com>

ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt

@@ -1,11 +1,12 @@
 Default behavior changes
    * The default priority order of TLS 1.3 cipher suites has been modified to
      follow the same rules as the TLS 1.2 cipher suites (see
-     ssl_ciphersuites.c).
+     ssl_ciphersuites.c). The preferred cipher suite is now
+     TLS_CHACHA20_POLY1305_SHA256.
 
 Bugfix
-   * In the TLS 1.3 server, select the prefered client cipher suite, not the
+   * In the TLS 1.3 server, select the preferred client cipher suite, not the
-     least prefered. The selection error was introduced in Mbed TLS 3.3.0.
+     least preferred. The selection error was introduced in Mbed TLS 3.3.0.
    * Fix TLS 1.3 session resumption when the established pre-shared key is
      384 bits long. That is the length of pre-shared keys created under a
      session where the cipher suite is TLS_AES_256_GCM_SHA384.

library/ssl_tls13_server.c

@@ -1371,6 +1371,11 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
         uint16_t cipher_suite;
         const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
 
+        /*
+         * "cipher_suite_end - p is even" is an invariant of the loop. As
+         * cipher_suites_end - p > 0, we have cipher_suites_end - p >= 2 and
+         * it is thus safe to read two bytes.
+         */
         cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
         ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(
             ssl, cipher_suite);

tests/ssl-opt.sh

@@ -13237,7 +13237,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test    "TLS 1.3: NewSessionTicket: Basic check" \
+run_test    "TLS 1.3: NewSessionTicket: Basic check, G->m" \
             "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \
             "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r" \
             0 \
@@ -13257,6 +13257,9 @@ requires_config_enabled MBEDTLS_DEBUG_C
 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+# Test the session resumption when the cipher suite for the original session is
+# TLS1-3-AES-256-GCM-SHA384. In that case, the PSK is 384 bits long and not
+# 256 bits long as with all the other TLS 1.3 cipher suites.
 requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384
 run_test    "TLS 1.3: NewSessionTicket: Basic check with AES-256-GCM only, G->m" \
             "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \