Revert "TLS 1.3: SRV: Validate kex modes when parsing psk"

This reverts commit f8e50a9607. Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-02 15:04:27 +08:00 · 2023-02-02 15:04:27 +08:00 · 766796839b
commit 766796839b
parent 1cc6134768
1 changed files with 8 additions and 22 deletions
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@ -104,10 +104,6 @@ static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
 #define SSL_TLS1_3_OFFERED_PSK_MATCH       0

 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl);

 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_offered_psks_check_identity_match_ticket(
@ -119,8 +115,6 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    unsigned char *ticket_buffer;
-    unsigned int ticket_flags;
-    unsigned int key_exchanges;
 #if defined(MBEDTLS_HAVE_TIME)
    mbedtls_time_t now;
    uint64_t age_in_s;
@ -175,22 +169,14 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
     *
     * We regard the ticket with incompatible key exchange modes as not match.
     */
-    MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
-    ticket_flags = mbedtls_ssl_session_get_ticket_flags(
-        session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
-
-    key_exchanges = 0;
-    if ((ticket_flags & MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION) &&
-        ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {
-        key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
-    }
-    if ((ticket_flags & MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION) &&
-        ssl_tls13_check_psk_key_exchange(ssl)) {
-        key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
-    }
-
-    if (key_exchanges == 0) {
-        ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR;
+    ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR;
+    MBEDTLS_SSL_PRINT_TICKET_FLAGS(4,
+                                   session->ticket_flags);
+    if (mbedtls_ssl_tls13_check_kex_modes(
+            ssl,
+            mbedtls_ssl_session_get_ticket_flags(
+                session,
+                MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL))) {
        MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode"));
        goto exit;
    }