diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 661b23ce7..9b34e4fcc 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -96,7 +96,8 @@
 /* Error space gap */
 /** Processing of the Certificate handshake message failed. */
 #define MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00
-/* Error space gap */
+/** The kex mode allowed by ticket is not supported by client */
+#define MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE -0x7A80
 /**
  * Received NewSessionTicket Post Handshake Message.
  * This error code is experimental and may be changed or removed without notice.
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 2d2ad610b..4ebd679ae 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -161,6 +161,25 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
         goto exit;
     }
 
+    /* RFC 8446 section 4.2.9
+     *
+     * Servers SHOULD NOT send NewSessionTicket with tickets that are not
+     * compatible with the advertised modes; however, if a server does so,
+     * the impact will just be that the client's attempts at resumption fail.
+     *
+     * We regard the ticket with incompatible key exchange modes as not match.
+     */
+    ret = MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE;
+    MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4,
+                                   session->ticket_flags);
+    if (mbedtls_ssl_tls13_check_kex_modes(ssl,
+                                          mbedtls_ssl_tls13_session_get_ticket_flags(session,
+                                                                                     MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL)))
+    {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode"));
+        goto exit;
+    }
+
     ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
 #if defined(MBEDTLS_HAVE_TIME)
     now = mbedtls_time(NULL);
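Review bot: The doc comment on the new `MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE` reads as if the client were at fault, while the condition it names is a mismatch between the key exchange modes the ticket was issued with and the modes the client advertised, which only means the ticket cannot be used for resumption. Suggest `/** The key exchange modes allowed by the ticket do not match the modes advertised by the client; the ticket cannot be used for resumption. */`. The neighbouring NewSessionTicket code carries an explicit "experimental" stability notice; if this code is meant to stay internal to the server's ticket matching rather than surface to callers, say so in the comment or give it the same notice so it is not read as part of the stable API.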
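Review bot: The new `ret = MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE; ... goto exit;` relies on the `exit:` path, which lies outside this hunk, to turn a negative code into the same non-fatal "not a match" result the caller used to get from `return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH`; please confirm it does, because per the quoted RFC 8446 section 4.2.9 text an incompatible ticket must only make resumption fail and fall back to a full handshake, and the `session` parsed from the ticket must still be released on this path as it is on the expiry path. The kex-mode test now runs before the ticket-age test, so a ticket that is both expired and incompatible is reported as a mode mismatch; that is harmless but deserves a one-line comment such as `/* Checked before the age test: an incompatible ticket is never resumable, whatever its age. */`. The sense of the condition is also not obvious at the call site; a comment like `/* non-zero: none of the ticket's modes was offered by the client */` on the `if` would help. The enclosing function ssl_tls13_offered_psks_check_identity_match_ticket starts before and continues past this hunk.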
@@ -249,24 +268,6 @@ static int ssl_tls13_offered_psks_check_identity_match(
     if (ssl_tls13_offered_psks_check_identity_match_ticket(
             ssl, identity, identity_len, obfuscated_ticket_age,
             session) == SSL_TLS1_3_OFFERED_PSK_MATCH) {
-        /* RFC 8446 section 4.2.9
-         *
-         * Servers SHOULD NOT send NewSessionTicket with tickets that are not
-         * compatible with the advertised modes; however, if a server does so,
-         * the impact will just be that the client's attempts at resumption fail.
-         *
-         * We regard the ticket with incompatible key exchange modes as not match.
-         */
-        MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4,
-                                       session->ticket_flags);
-        if (mbedtls_ssl_tls13_check_kex_modes(ssl,
-                                              mbedtls_ssl_tls13_session_get_ticket_flags(session,
-                                                                                         MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL)))
-        {
-            MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode"));
-            return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
-        }
-
         ssl->handshake->resume = 1;
         *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
         mbedtls_ssl_set_hs_psk(ssl,