diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6ca63ccb08..69fa39b466 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7239,11 +7239,7 @@ int mbedtls_ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl, const uint16_t *group_list = mbedtls_ssl_get_groups( ssl ); *out_len = 0; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) - && !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) - return( 0 ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_groups extension" ) ); /* Check if we have space for header and length fields: diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 5b6aee1f83..9541fc33b5 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -219,9 +219,6 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, *out_len = 0; - if( !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) - return( 0 ); - /* Check if we have space for header and length fields: * - extension_type (2 bytes) * - extension_data_length (2 bytes) @@ -620,36 +617,40 @@ static int ssl_tls13_write_client_hello_body( mbedtls_ssl_context *ssl, * * It is REQUIRED for ECDHE cipher_suites. */ - ret = mbedtls_ssl_write_supported_groups_ext( ssl, p, end, &output_len ); - if( ret != 0 ) - return( ret ); - p += output_len; + /* Skip the extensions on the client if all allowed key exchanges + * are PSK-based. */ + if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) + { + ret = mbedtls_ssl_write_supported_groups_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; - /* Write key_share extension - * - * We need to send the key shares under three conditions: - * 1) A certificate-based ciphersuite is being offered. In this case - * supported_groups and supported_signature extensions have been - * successfully added. - * 2) A PSK-based ciphersuite with ECDHE is offered. In this case the - * psk_key_exchange_modes has been added as the last extension. - * 3) Or, in case all ciphers are supported ( which includes #1 and #2 - * from above ) - */ - ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len ); - if( ret != 0 ) - return( ret ); - p += output_len; - - /* Write signature_algorithms extension - * - * It is REQUIRED for certificate authenticated cipher_suites. - */ - ret = mbedtls_ssl_tls13_write_sig_alg_ext( ssl, p, end, &output_len ); - if( ret != 0 ) - return( ret ); - p += output_len; + /* Write key_share extension + * + * We need to send the key shares under three conditions: + * 1) A certificate-based ciphersuite is being offered. In this case + * supported_groups and supported_signature extensions have been + * successfully added. + * 2) A PSK-based ciphersuite with ECDHE is offered. In this case the + * psk_key_exchange_modes has been added as the last extension. + * 3) Or, in case all ciphers are supported ( which includes #1 and #2 + * from above ) + */ + ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; + /* Write signature_algorithms extension + * + * It is REQUIRED for certificate authenticated cipher_suites. + */ + ret = mbedtls_ssl_tls13_write_sig_alg_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; + } #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 1260740e5d..c789ed41c7 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -165,16 +165,6 @@ int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl, *out_len = 0; - /* Skip the extension on the client if all allowed key exchanges - * are PSK-based. */ -#if defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && - !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) - { - return( 0 ); - } -#endif /* MBEDTLS_SSL_CLI_C */ - MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding signature_algorithms extension" ) ); /* Check if we have space for header and length field: