tls13: add helpers to check if psk[_ephemeral] allowed by ticket

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2025-04-09 21:44:28 +00:00 · 2023-10-31 10:08:10 +08:00 · 2023-10-31 10:08:10 +08:00 · dbd1e0d986
commit dbd1e0d986
parent 29daf4a36b
2 changed files with 16 additions and 5 deletions
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -2785,6 +2785,20 @@ static inline unsigned int mbedtls_ssl_session_check_ticket_flags(
    return mbedtls_ssl_session_get_ticket_flags(session, flags) == 0;
 }

+static inline unsigned int mbedtls_ssl_session_ticket_allow_psk(
+    mbedtls_ssl_session *session)
+{
+    return !mbedtls_ssl_session_check_ticket_flags(session,
+                                                   MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION);
+}
+
+static inline unsigned int mbedtls_ssl_session_ticket_allow_psk_ephemeral(
+    mbedtls_ssl_session *session)
+{
+    return !mbedtls_ssl_session_check_ticket_flags(session,
+                                                   MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION);
+}
+
 static inline void mbedtls_ssl_session_set_ticket_flags(
    mbedtls_ssl_session *session, unsigned int flags)
 {
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@ -121,7 +121,6 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    unsigned char *ticket_buffer;
-    unsigned int ticket_flags;
    unsigned int key_exchanges;
 #if defined(MBEDTLS_HAVE_TIME)
    mbedtls_time_t now;
@ -179,15 +178,13 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
     */
    ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR;
    MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
-    ticket_flags = mbedtls_ssl_session_get_ticket_flags(
-        session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);

    key_exchanges = 0;
-    if ((ticket_flags & MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION) &&
+    if (mbedtls_ssl_session_ticket_allow_psk_ephemeral(session) &&
        ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {
        key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
    }
-    if ((ticket_flags & MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION) &&
+    if (mbedtls_ssl_session_ticket_allow_psk(session) &&
        ssl_tls13_check_psk_key_exchange(ssl)) {
        key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
    }