From 2b01dc30cb00c7a680edec039237a0d0d4b1a761 Mon Sep 17 00:00:00 2001
From: XiaokangQian <xiaokang.qian@arm.com>
Date: Fri, 21 Jan 2022 02:53:13 +0000
Subject: [PATCH] Add hrr no change check and allign
 mbedtls_ssl_session_reset_msg_layer

Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
---
 library/ssl_tls.c          | 29 +++++++++++++++++++++++++++++
 library/ssl_tls13_client.c | 15 +++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 223199c61..3399a8823 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3403,6 +3403,7 @@ error:
 void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
                                           int partial )
 {
+#if defined(MBEDTLS_SSL_LEGACY_MSG_LAYER_REQUIRED)
 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
     size_t in_buf_len = ssl->in_buf_len;
     size_t out_buf_len = ssl->out_buf_len;
@@ -3453,12 +3454,40 @@ void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
     mbedtls_ssl_dtls_replay_reset( ssl );
 #endif
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
     if( ssl->transform )
     {
         mbedtls_ssl_transform_free( ssl->transform );
         mbedtls_free( ssl->transform );
         ssl->transform = NULL;
     }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#else
+    ((void) partial);
+#endif /* MBEDTLS_SSL_LEGACY_MSG_LAYER_REQUIRED */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+    mbedtls_ssl_transform_free( ssl->transform_application );
+    mbedtls_free( ssl->transform_application );
+    ssl->transform_application = NULL;
+
+    if( ssl->handshake != NULL )
+    {
+        mbedtls_ssl_transform_free( ssl->handshake->transform_earlydata );
+        mbedtls_free( ssl->handshake->transform_earlydata );
+        ssl->handshake->transform_earlydata = NULL;
+
+        mbedtls_ssl_transform_free( ssl->handshake->transform_handshake );
+        mbedtls_free( ssl->handshake->transform_handshake );
+        ssl->handshake->transform_handshake = NULL;
+    }
+
+#if defined(MBEDTLS_ZERO_RTT) && defined(MBEDTLS_SSL_CLI_C)
+    ssl->early_data_buf = NULL;
+    ssl->early_data_len = 0;
+#endif /* MBEDTLS_ZERO_RTT && MBEDTLS_SSL_CLI_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 }
 
 int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 6546c77b7..609db0306 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -905,6 +905,21 @@ static int ssl_tls13_server_hello_coordinate( mbedtls_ssl_context *ssl,
                                     MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
                 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
             }
+            /*
+             * Clients must abort the handshake with an "illegal_parameter"
+             * alert if the HelloRetryRequest would not result in any change
+             * in the ClientHello.
+             * In a PSK only key exchange that what we expect.
+             */
+            if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1,
+                            ( "Unexpected HRR in pure PSK key exchange." ) );
+                MBEDTLS_SSL_PEND_FATAL_ALERT(
+                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+                            MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+                return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+            }
 
             ssl->handshake->hello_retry_request_count++;